Question

Digital Threat Monitoring (GTI): Expected search recall, query best practices, and Monitors vs. Research Tools result divergence

  • July 1, 2026

maxjunker

Hi dear community, 

we're an MSSP evaluating the Digital Threat Monitoring (DTM) module in Google Threat Intelligence as the digital-risk / threat-monitoring capability we offer to our customers. As part of the evaluation, we're benchmarking DTM against Intelligence X (intelx.io), which we currently use for this purpose, and we've run into some results we'd like to sanity-check with the community — and ideally with someone from the GTI/DTM team.

 

Observation

Across the topics, brands, and companies we research, DTM returns substantially fewer results than we expected — and consistently fewer than Intelligence X for comparable queries. The gap is large enough that we want to confirm whether this reflects how DTM is designed, or whether we're operating the tool incorrectly.

 

Our questions

1. Scope / design of the corpus: Is DTM intended primarily as a curated, entity- and relevance-driven monitoring capability (optimized to reduce noise) rather than an exhaustive surface/deep/dark-web index like Intelligence X? In other words: is comparatively low recall on broad keyword searches expected by design?

2. Query best practices: Are there mechanics that materially affect recall which we may be underusing? For example: Free Text Search vs. Lucene Text Query (Advanced), entity-based conditions, proximity operators, or source scoping. Pointers to documentation or real-world examples would be very welcome.

3. Coverage & entitlement: Are there constraints on source coverage, historical depth, or regional/language coverage tied to the license tier (Enterprise vs. Enterprise+)? Our customer base is largely German-speaking SMB / mid-market, so German-language and regional (DACH) source coverage is particularly relevant for us.

 

One specific inconsistency we'd like clarified

Alerts produced by our DTM Monitors do not appear to be retrievable through Research Tools, even when we search for the same terms. This surprised us, because the documentation describes Research Tools and Monitors as drawing on the same collected data, and positions Research Tools as the precursor for building a Monitor.

Is the divergence between the two result sets by design (e.g., visibility/redaction rules for certain result types, such as compromised credentials), or does it indicate a misconfiguration on our side?

Has anyone else compared DTM's recall against dedicated deep/dark-web indexes, or can someone from Google shed light on the intended scope and the Monitors vs. Research Tools behavior? Happy to share more specific findings and example queries if that helps.

Thanks a lot!