Cyber Threat Intelligence (CTI) has always carried a certain mystique. Analysts explore telegram channels and dark web forums, vendors portray it as the key to proactive defense, reports are created with polished charts and detailed IOCs, and surveys highlight growing adoption rates and trends.
On paper, CTI seems like a discipline that is steadily professionalizing. But speak with practitioners on the ground, and the picture is different. Quite different indeed.
The day-to-day work of CTI is more fragile, more improvised, and more dependent on context than smooth reports suggest. As one analyst told me bluntly: “Tactical CTI is the most useful for SOCs, but it’s the most avoided. Organizations rely on recycled rules from public sources or improvise without risk-based prioritization.”
Through this article we are going to explore the opinions and views of 10 analysts across Europe, North America and Latin America, contrasting them with what surveys and frameworks say about where CTI stands in 2025. As with the previous piece about AI & Threat Hunting, the difference is striking.
The regular CTI survey conducted by SANS is one of the main sources to have a quantitative view of what is happening in this field.
According to data from their latest edition (2025), 93% of organizations now maintain some form of in-house CTI capability, and more than half of them (52%) have dedicated CTI teams, up ten points from 2018. However, teams remain small: 62% have fewer than four full-time CTI analysts.
Based on the survey, the dominant use case for CTI is Threat Hunting, cited by 77% of respondents, while MITRE ATT&CK has become the shared language of the field (86% adoption).
As everywhere else, AI adoption is growing: more than one-third of teams are already using it to enrich and score intelligence.
Respondents reference multiple challenges. 62% cite lack of funding as an obstacle to providing more value through CTI. Integration, automation and skill gaps remain the top blockers.
Once you go through the survey, CTI feels like a field gradually moving from an artisanal to a more professional stage. Formal processes and reporting structures seem to be more common, and maturity frameworks such as CTI-CMM and initiatives like the FIRST CTI SIG are, theoretically, gaining traction.
However, while the SANS CTI survey is probably one of the few global surveys of its kind, its demographics are heavily skewed toward US-based respondents, and when we turn to the voices of analysts in other parts of the world, as I did through my interviews, the overall state of CTI feels less polished, despite the depth of knowledge.
One common theme across the interviews is how rarely CTI is practiced exclusively. Only a minority of analysts work only in CTI, with most wearing multiple hats.
Just 2 of the 10 consulted analysts are fully dedicated to CTI, with the rest combining it with other functions, like Threat Hunting, DRPS, engineering, incident response, automation and external comms.
“I am fortunate to work in a highly-focused Cyber Threat Intelligence (CTI) team…”, said one of the interviewees, highlighting how uncommon this can be.
Across all conversations, CTI seems to be a starting point for achieving something elsewhere, internally or externally. For instance, it was not unusual to hear how an analyst's work could span multiple other functions depending on the type of company they work for.
An analyst working at a major cybersecurity vendor needs to do malware research, identify TTPs, improve automation pipelines, to not only improve detections and the product itself, but also to support marketing, PR and sales.
Another one, working at a service provider, dedicates part of his time to CTI, but also participates actively in incident response and in managing and improving internal processes.
This diversity illustrates CTI’s hybrid identity. Rather than a standalone function, it often acts as connective tissue between prevention, detection, response, product development, executive decision-making, and even corporate communications.
“What is the impact of CTI and how is it measured?” was one of the questions I asked the professionals I interviewed.
The SANS survey respondents said they mostly measure effectiveness through feedback meetings or indirect metrics. The interviews I conducted echoed this, but with very different flavors.
The answers show different types of metrics, formal and informal, that go from outcome-based impact and process maturity to subjective feedback.
One of the analysts working in a cybersecurity vendor had a product-driven angle: “The real test is how findings are used. If they lead to earlier detections, stronger defenses, or features that make our product more valuable, then I know the work is having an impact.”
The other respondents working at vendors and service providers made similar comments. One of them highlighted that the metric is anchored in how CTI helps MDR or DFIR teams, even though it is not something they quantify in a specific performance indicator.
On the other hand, a professional working for a service provider mentioned that success often comes down to “the valuation of supervisors or clients”, while another analyst mentioned “cross-team feedback”.
CTI can be part of so many processes, depending on the organization where it sits, that, as another respondent pointed out, the metrics can vary widely: hunts initiated, credentials reset, domain takedowns, vulnerabilities remediated, and more.
Even PR or marketing results were mentioned as indicators, as some of the analysts are part of companies that are basing their value proposition and differentiation on the threat landscape knowledge of their teams.
Together, their answers show a field where measurement is still improvised, even if some of the maturity frameworks were mentioned. Some CTI teams are indeed tracking hard outcomes, but others are more focused on subjective measures that can span from client feedback to a company’s reputation and positioning.
Analysts across the board complain about data volume, tool limitations, and stakeholder alignment. But one of them is warning us of something more subtle: the erosion of human critical thinking.
“The greatest challenge is the bias that creeps into teams when technologies like GenAI advance. Doubt and validation are being exercised less. Doubt is a skill we must maintain, otherwise we risk outsourcing responsibility to the tools.”
The increasing use of AI in CTI leaves analysts less room to apply critical thinking, he emphasised, as the output of the tools is not second-guessed as much as it should be.
This gets worse, he pointed out, when we take resource shortages into account. Insufficient staff to adapt CTI into automated processes slows adoption and leaves service providers less agile in responding to attacks and to their competitors.
Other challenges are more familiar. As another analyst described, there is a difficult and delicate balance in filtering vast data streams without missing the critical bits. Also, there were common concerns about how tactical CTI is systematically neglected, either replaced by generic recycled rules or improvised without risk studies.
Stakeholder engagement and expectation management were brought up by several respondents.
“If you just ask, ‘What are your PIRs?’ you’ll get vague answers. You need to ask what they do daily, what they protect, what they’re afraid of.”
Stakeholders sometimes think frameworks like ATT&CK map neatly onto all threat activity, when underground forums, where many analysts spend their time, don’t provide that kind of structured intel. “CTI is often misunderstood”, one of them noted, and analysts need to face that misinterpretation as much as they need to battle threats.
That’s not all. More challenges were brought up during the interviews. For instance, the fundamentals gap.
“Everybody tries to have the ‘next super-AI solution,’ but they don’t have good firewalls, network segmentation, password management, or a comprehensive SOC.” For this analyst, the challenge isn’t only volume or expectations but that too many organizations neglect basic security hygiene while chasing hype.
Prioritization was mentioned by other respondents, but at a different level: “Threat actors use a huge number of TTPs, and it’s critical to identify which ones actually represent a risk for our customers.”
As one of the interviewees pointed out, the problem might not be having too much data, but figuring out which behaviors deserve the most attention and how to translate findings into actionable detections and clear business value.
Despite frustrations, every analyst pointed to areas where CTI could deliver more value. There are plenty of views regarding what lies ahead.
For some, especially MSSP practitioners, the answer is prevention and early detection. “As MSSPs, we try to know adversaries and their TTPs so that if a client hasn’t implemented all defenses, we can still detect and mitigate quickly.”
When it comes to corporate CTI teams, the blind spot is internal intelligence. External feeds are plentiful, but too many organizations neglect their own SIEM logs or phishing data. Combining internal telemetry with external sources creates the most relevant threat picture.
An analyst working for a cybersecurity vendor highlighted that the opportunity is exposing actors earlier and prioritizing threats based on who is active and what they are doing. But he also stresses democratization: “We need automation and scale, but also to make CTI available to more teams for less money.”
The involvement of the executive layer of the organization was also mentioned as a key opportunity: “CTI is key for executive decision-making that improves the organization’s security posture.”
As expected, technology itself was mentioned several times and in different flavors: how it can support automation, deeper analysis and integration (where intelligence can accelerate efficiency and resilience), and not only in IT, but also in legacy and industrial environments.
“Enterprise and industrial sectors need dedicated, trained professionals, combining blue teams with CTI analysts. There is so much to do with security solutions from ten years ago that were not applied and understood. We don’t need the AI revolution; we need people that understand security.”
The common thread, among many answers, is proactivity: CTI has its biggest impact when it reduces analyst workload, prioritizes what matters, informs executive choices, secures overlooked or obscure systems, and even strengthens a company’s business positioning.
No topic splits the field like AI.
The SANS survey notes that AI is already being used for enrichment and scoring, but adoption is uneven and many applications remain underexplored.
Our interviewees agree in general that AI will be transformative, but they describe it in far more human terms.
Some see it very positively. “AI will be key to faster detection and anticipation” is a clear expectation from many of the analysts, with behaviour clustering and automated analysis being the areas where respondents view AI most favourably.
Another area mentioned with enthusiasm was predictive intelligence: moving from “what happened” to “what might happen”, as one of the interviewees put it. Some models can already anticipate attacker TTPs before they are deployed, and this is a very positive application of AI for CTI analysts overall.
However, not everybody shares the same enthusiasm and expectations. “AI, in its current state, cannot replace human initiative”, is the opinion of one of the analysts that is echoed across other answers, in one way or the other. “We don’t need the AI revolution; we need people that understand security”, adds another.
The bottom line, as it happens with AI in many sectors, is that while it might help with some processes and make the CTI function stronger overall, there are still concerns about how much it can really do, and the risks it might bring, from false positives and negatives, to over-confidence in its outcomes.
And of course, AI will also help the attacker, as one of the analysts pointed out, especially accelerating hybrid operations, where cyberattacks combine disinformation, deepfakes, and media manipulation.
There’s clearly no common view on the topic, as we can see from the very different opinions across everyone consulted. The only thing shared by the majority is that the adoption of AI is growing and that it will be transformative, one way or another.
Between survey charts, maturity models, and analyst voices, some clear opportunities emerge.
Professionalization and Structure
Frameworks such as CTI-CMM, the FIRST CTI SIG, and the Mandiant Competencies Model give CTI programs a way to mature. One respondent suggested CTI will eventually resemble “classic intelligence services”, only in digital form.
Integration of Internal and External Intelligence
It was stressed that the overreliance on external feeds needs to be corrected. Combining internal telemetry with vendor and community-driven intel is a chance to make CTI truly contextual.
Automation and AI
From enrichment to predictive analysis, automation is no longer optional. But as many warned, automation must be balanced with human oversight and critical thinking, and it should not distract from fundamentals. There is, though, a clear need for automation pipelines and TIPs to handle massive telemetry and OSINT, where AI can be key.
Geopolitics and Hybrid Operations
The SANS survey shows growing pressure from geopolitical and regulatory shifts. Analysts see the same. The Russia-Ukraine and Israel-Iran conflicts were cited as shaping CTI priorities, while disinformation was pointed to as a persistent reputational threat.
Prevention, Early Detection, and Industrial Resilience
CTI’s greatest value remains in stopping attacks early. Whether through actor exposure, TTP tracking, or internal hunting, the role of CTI is clearest when it prevents or shortens an incident. One perspective reminds us that industrial and legacy environments (often still running on end-of-life systems) stand to gain immensely from CTI paired with blue-team fundamentals.
If there is something shared across survey results, frameworks and the voices of the analysts, it is that CTI, both as a function and in the tools it uses, still has room to evolve and become a key part of the security strategy of any organization.
When it comes to the tools, they clearly need to evolve as well. Some vendors, like EclecticIQ, are taking the hint and working on initiatives that integrate CTI and SOC platforms.
Even more, we can see how specialized platforms are appearing to address the very trends that the consulted analysts mentioned, like predictive intelligence, disinformation and hybrid operations. BforeAI and LetsData are clear examples of companies working in that space.
These and other evolving tools can help analysts to filter the noise, communicate relevance, and deliver insights and outcomes that prevent damage.
In any case, the voice of the analysts is clear: a more professional approach to CTI is needed, and human experience and knowledge, as well as critical thinking, are what matter most, in their opinion.
As one of them put it:
“Professional analysts: don’t trust the source. Trust yourself and your analysis.”
That, beyond any survey result or vendor promise, is what CTI truly comes down to: not frameworks or feeds, but the ability to question, interpret, and act.
This is a Security Bloggers Network syndicated blog from Cybersecurity & Business authored by Ignacio Sbampato. Read the original post at: https://cybersecandbiz.substack.com/p/the-reality-of-cti-voices-from-the