SANS 2023 CTI Survey

SANS 2023 CTI Survey
4 minute read

Cyber Threat Intelligence (CTI) is the process of collecting and analyzing information about cyber threats to provide actionable insights for organizations. It helps identify vulnerabilities, threat actors, and their tactics, enabling proactive cybersecurity measures. 

In the past year, our world has undergone significant changes. Remote work has become the norm, workforces have expanded or contracted, and the definition of essential work has been redefined. Against this backdrop, the 2023 SANS CTI Survey stands as a comprehensive examination of the shifting dynamics, capturing the evolving trends both in the global sphere and within the field of CTI.

Increasing Combination of In-house and Service Provider Resources

The SANS CTI report reveals a significant shift in how organizations approach CTI resourcing. While 16% of respondents have a dedicated CTI professional, 21% view CTI as a shared responsibility within their security groups. To supplement limited in-house CTI resources, organizations increasingly rely on external CTI service providers. A majority (47%) use a combination of in-house and service provider resources, while 17% exclusively rely on service providers. This trend highlights the growing recognition of the value and expertise offered by external CTI service providers.

People and Teams: Collaboration and Resource Allocation

The report identifies collaboration and resource allocation as key factors within CTI teams. While the majority of respondents (69%) state that CTI teams contribute to intelligence requirements, only 32% report executive contributions. This presents an opportunity for CTI teams to engage more closely with executive leadership, who both require and desire CTI insights. Expanding the circle of contributors can enhance the value and impact of CTI within organizations.

Requirements and Prioritization: Importance of Intelligence Planning

Effective intelligence planning is crucial to drive successful CTI initiatives. The report emphasizes the significance of defining intelligence requirements during the planning and direction phase of the intelligence cycle. By identifying the questions and needs of an organization, CTI teams can align their efforts and support broader security objectives. The findings suggest an opportunity for CTI teams to further refine their engagement with executive leadership and expand their contribution to meeting organizational goals.

Sources: Leveraging External Intelligence

CTI analysts continue to rely heavily on external sources for intelligence gathering. The report highlights partnerships between CTI vendors and customers as critical, with vendors playing a significant role in the discipline. The consolidation of tools and integration of various sources can address challenges related to cross-team collaboration. External sources such as media reports, news, community or industry groups, and threat feeds from CTI-specific vendors are considered the top three information sources by respondents. Maximizing the value of CTI requires optimizing toolsets and leveraging a mix of internal and external intelligence sources.

Producing Intelligence: A Process and Product

CTI is both a process and a product, encompassing the generation and consumption of intelligence. Organizations analyze their own data to produce intelligence products based on previous breaches or network intrusions. They may also consume intelligence from external sources such as threat intelligence vendors or information-sharing groups, incorporating it into their security processes. Respondents reported consuming raw threat data, contextual alerts, and published threat intelligence. This highlights the importance of leveraging both internal and external intelligence to strengthen security measures.

Impact of CTI: Measuring Effectiveness and Improving Security

According to the report, 50% of respondents measure the effectiveness of their CTI programs. Of those who measure effectiveness, 87% reported that CTI has helped improve security prevention, detection, and response. Common methods of measurement include automated and manual tracking of actions based on CTI, as well as monitoring the time taken to respond to alerts or incidents. The ability to measure CTI effectiveness underscores its importance and the positive impact it can have on overall security posture.

Challenges and Limitations: Automation and Workflow Optimization

While the number of challenges faced by CTI teams has reduced, the lack of automation remains a significant hurdle, ranking as the second most prevalent challenge for CTI personnel. The report suggests that the rise of cybersecurity vendors providing threat intelligence support, with their own platforms and tools, has contributed to a 10% decrease in this challenge. Enhanced tools and improved workflows would greatly benefit the industry and help teams optimize their CTI processes.


In the evolving landscape of CTI, the SANS report provides valuable insight into where CTI as a discipline has matured, as well as opportunities where it still must grow. To learn more about where organizations need to increase their security posture, download the full report here.

See ZeroFox in action