The purchase of malware doesn't necessarily come from those people who are generating the malware. There are organizations, anti-virus companies, who will allow us to purchase that information from their own legitimate analysis and work. We work very closely with that community to understand what the threats are that are being covered by a commercial software and services so that we can focus, then, on those malware threats that are not currently covered, the more sophisticated ones that are not part of the current complement.
On February 13th, 2018. See this statement in context.