What Makes Great Threat Intelligence? - Dark Reading
Anyone can buy or collect data, but the goal must be to realize actionable insight relevant to the organization in question.
Richard Thurston, Contributing Writer, Dark Reading
July 23, 2025
Fast-changing geopolitics are constantly altering the nature of threats, so CISOs must quickly adapt how they approach new risks and sources of intelligence.
While the need for high-quality threat intelligence is undeniable, it is a discipline that can sprawl uncontrollably. It also requires a targeted response. According to industry analysts at Frost & Sullivan, organizations spent a weighty $1.6 billion on threat intelligence and threat intelligence platforms globally in 2023. They expect this figure to increase by a compound annual growth rate of 32.8% until 2028.
CISOs' threat intelligence programs must be continuous and defined. Anyone can buy or collect data across the four threat intelligence domains (strategic, tactical, operational, and technical), but realizing actionable insight that is relevant to the organization in question must be the goal.
"I'm struck by how much of the [threat intelligence] on the market right now doesn't really offer true threat intelligence but rather automated analysis of security data," says Victoria Baines, professor of IT at Gresham College in London.
Continuity, Insight, and Collaboration
Whether threat intelligence is insourced or outsourced, security teams must focus on getting the outcomes they need from their threat intelligence, rather than simply the delivery of data.
CISOs should ensure their threat intelligence program has defined goals that align with the rest of their cybersecurity strategies and business objectives. The program must address compliance requirements, yet extend beyond them. A feedback loop that facilitates ongoing improvements is also essential.
"The three questions are: How do I measure the value or ROI? How do I get what is relevant to me? How do I translate that threat into risk?" says Matt Hull, global head of threat intelligence for NCC Group. Where the second and third questions overlap is the point where CISOs will understand the specific threats to their businesses, he adds.
Relevance is critical: An operator of critical national infrastructure has very different threat intelligence needs than a retailer or pharmaceuticals manufacturer.
"Do some requirements-gathering up front: What are the threats to your sector?" says Ben Radcliff, vice president of security operations for Optiv. "Tailor your requirements to those, pulling in specific threat feeds."
This combination of internal and external data is invaluable. Data should include vulnerability information and indicators of compromise, as well as data on threat actors and their tactics, techniques, and procedures (TTPs). Threat intelligence specialists are adept at finding relevant information from the Deep Web and Dark Web, as well as public domain sources like social media and Internet forums. In addition, individual sectors — notably financial services — have their own sector-specific information-sharing groups (ISACs), while national and regional governmental organizations share specific intelligence with groups of businesses that are within their remit to protect.
Geopolitics: Critically Influential
Geopolitics are shaping both the threat landscape and CISOs' responses to these changes. Some organizations will be targeted directly because of political events, while others can be caught in the crossfire. Additionally, physical risks may not be a CISO's responsibility, but they will affect the organization's security posture, so CISOs should be aware of them.
It is smart to understand how global events can impact an organization, especially if it has global operations, says Sherrod DeGrippo, director of threat intelligence strategy at Microsoft.
The Russia-Ukraine War is an obvious example that changed threat actors' TTPs and targets, but geopolitics are so complicated that smaller events can still cause significant changes to specific organizations' risk profiles and therefore their optimal responses.
This geopolitical turbulence will "profoundly affect" the cybersecurity industry, changing spending patterns on threat intelligence, according to Martin Naydenov, a cybersecurity analyst at Frost & Sullivan. He notes that conflicts such as the war in Ukraine and economic sanctions feed an escalating cycle of tensions and state-sponsored espionage.
"This chaos has a dual impact on the threat intelligence industry: Organizations face relentless threats, driving demand for TI solutions, while imposed sanctions and mistrust constrain the industry," he recently explained.
Think Two Steps Ahead
Although automation is critical in cutting through large volumes of threat intelligence to realize actionable data, human factors remain crucial. Security teams should grow their knowledge of their own organizations and the ability to think faster than threat actors, DeGrippo says.
"Have people on your team who are true specialists — not just in threat intelligence but in your business," she says. "When a well-equipped threat actor is targeting a particular enterprise, they know just as much about it, sometimes more than the employees."
The ability to think ahead is probably the most important aspect of threat intelligence, followed by "the discipline and rigor to wait — where appropriate — to ensure accuracy and to work out what other intelligence you need," DeGrippo says.
CISOs need to evolve their skillsets and knowledge of criminal market dynamics and behavior, Gresham College's Baines adds. But, mostly, they need to develop a more proactive mindset to anticipate and prevent attacks, "rather than constantly firefighting," she says.
Overcoming Resource Limitations
A shortage of security professionals limits organizations' ability to fully leverage their threat intelligence deployments and monitor the threat landscape, Naydenov warned. Companies struggle with the amount of information TI solutions generate, leaving gaps in threat detection and response, which slows their ability to keep up with emerging threats, he explained.
CISOs with limited internal resources can opt to use vendors' threat intelligence platforms for richer data and vendor services to increase their headcounts and broaden the available skillsets. There is a growing and, at times, bewildering choice of platforms and services, with substantial differences in methodologies. The addition of threat hunters, provided by a number of specialist services companies, can help mitigate risk by providing a very personal and tailored skillset to proactively identify threats.
Avoid Intelligence Pitfalls
The Information Security Forum (ISF), an organization that guides CISOs on information security and risk management matters, warns of the danger of irrelevant information and misinformation creeping into threat intelligence feeds. It recommends reducing the reliance on open source intelligence gathered from social media and focusing on threat intelligence from "a smaller number of trusted sources."
The ISF suggests that CISOs consider weighting threat intelligence sources based on the level of trust of the source and monitor sources (especially free ones) for changes in behavior. If the CISO believes a source has started to share misinformation, it should be removed.
Ask the Right Questions
"There is sometimes a tendency to be hyperbolic" about threat models and attack surfaces, DeGrippo adds. CISOs need to get real about what is truly exposed and what they need to know, especially looking for the data they don't have on hand. Find out which threat actors are active in the industry and region, what TTPs they use, and how the organization is prepared for them, she recommends.
"You have to really understand what your particular true threat profile is like. Once you have that information, start drilling down," DeGrippo says.
There is no need to separate criminals from nation-state actors in this exercise, she notes: "Security is security."