
Making the Business Case for Your CTI Budget


The 2026 SANS Cyber Threat Intelligence Survey confirms that cyber threat intelligence (CTI) is considered essential at the executive level. But can your CISO see how the CTI program is shaping decisions and measurably reducing risk?

The survey found that 91% of CISOs value CTI, yet only 26% say it significantly influences their decisions. CTI teams at all maturity levels can fix this problem, which largely stems from failing to measure effectiveness and gather structured feedback.

In fact, SANS found 51% of organizations don’t gather feedback on the effectiveness of their CTI and 43% do not track the maturity of their program over time. As SANS noted in its report, the price of this is simple: “You can’t defend a budget you can’t measure.”

Measurement could help the 44% of teams that said their top barrier to effective CTI was a lack of funding—a consistent blocker over the years—as demands on CTI teams expand beyond SecOps to risk, M&A, brand and supply chain.

Source: SANS 2026 CTI Survey

Rather than produce more reports to improve influence in the organization, SANS recommends finding out which CTI products inform the choices that key stakeholders make on a recurring basis. SANS found that while most teams share insights in written reports, there was no evidence they use these channels to trace which intelligence products informed good decisions.

Building a rapport with people across the organization can help uncover this information. Speaking at the SANS panel, Will Glass, Senior Collection Manager at Intel 471, emphasized speaking in your stakeholders’ language and helping them create wins. “A CTI team should make every other team look as good as they can because when they look good, they’ll come back to you for more—and that creates a virtuous cycle in terms of demand signal,” says Glass. That goodwill can help convince the infrastructure team to accept disruption to systems in order to patch a weaponized CVE, or persuade incident response to share incident data that becomes a new intelligence source.

Stakeholder demand signals are vital for guiding collection. Intel 471’s Collection Management team pairs each customer with a dedicated practitioner, like Glass, who tracks their requirements and feeds those demand signals to the Adversary Intelligence team. This keeps collection and threat actor engagements relevant to the customer and scales up the customer’s human intelligence (HUMINT) capability.

Source: 2026 SANS CTI Survey

Scaling up without burning out

CTI teams need to be realistic about what they can deliver. “Make sure that the team’s capabilities are appropriately bounded right from the beginning,” says Glass. “Balance the urge to answer everything with what your team can actually accomplish and do a good job at, without burning the candle at both ends.” This can mean resisting what he calls the “HIPPO” problem—the highest paid person’s opinion. “Even the CISO can be wrong about things. They have CTI teams to challenge their assumptions.”

The test comes when a headline breaks about a breach and executives begin asking: What are we doing about this? The answer doesn’t have to be comprehensive immediately, but teams do need a procedure to validate intelligence, feed it upwards and calm nerves—often in evolving situations.

“Teams need a structure when all of those inbounds are coming in at such a rapid pace, like right now with TeamPCP going after every supply chain,” says Glass.

TeamPCP-linked campaigns have swept through developer ecosystems in several waves of cascading supply chain attacks throughout 2026. The group’s recent release of source code derived from the Shai-Hulud self-replicating malware means attacks on package registries, CI/CD distribution mechanisms and developer credentials will almost certainly continue into the future.

When handling an influx from such a broad and persistent threat, Glass recommends publishing a short bulletin that acknowledges the issue and sets expectations for what comes next. “We take that approach at our organization and I think that’s something that can be replicated in customer organizations facing the same phenomenon,” he says. Intelligence also feeds new hunt hypotheses. To validate exposure, CTI teams can hand off TeamPCP and Shai-Hulud hunt packages so that hunters can search logs for the relevant behaviors and confirm that existing controls provide the necessary visibility.

Validating the source, human or model

The survey found that CTI teams are now broadly operationalizing AI. Some 45% reported using AI, primarily for data summarization and report writing, but also for data usage and workflow automation. The question now is how programs should scale their use of AI and govern it.

As AI scales up intelligence reporting, analysts will need to understand how stakeholders are using the intelligence and validate that what they’re reading is worth acting on, says Glass. “Being able to validate an AI model’s report is super important for us, because the downstream impacts of changing a control or policy are potentially very impactful to users or customers.”

The same discipline applies whether the source is a model or HUMINT, since underground threat actors routinely exaggerate or fabricate claims to boost their reputation on underground marketplaces. Glass pointed to the rigorous categorization system the team uses to track source reliability over time and caveat reporting accordingly. “We get to know them, for lack of a better term. We understand their reliability over time—what’s their history of providing value or information that is proven to be true or untrue. We have to be very careful that we’re looking at that closely and helping our customers understand whether they can or cannot believe what they’re reading,” he notes.

Putting metrics and measurement into practice

Successful CTI programs measure themselves continuously against what their stakeholders need, ensuring intelligence products are aligned to key decisions and that data is available to demonstrate improvement over time. A small team can scale by being explicit about what it owns and what it doesn’t. This comes back to appropriately defining the program’s capabilities, which requires documenting the program’s scope, its stakeholder commitments and its Priority Intelligence Requirements (PIRs).

SANS respondents cited the CTI Capability Maturity Model (CTI-CMM) as an effective starting point for maturity tracking. The model, which is sponsored by Intel 471 and developed by a volunteer group of CTI industry experts, helps set realistic maturity goals based on where the program stands today versus where it wants to be.

Metrics for CTI products can include reach, utilization and decision impact. The CTI-CMM identifies over 100 metrics across the model’s 11 stakeholder domains (Threat, Risk, Architecture, and more). The highest maturity CTI programs consistently measure leadership decisions shaped by CTI, controls adjusted with measurable improvement and risk reduced.

Intel 471’s free half-day Intelligence Planning Workshop provides a deep dive into operationalizing the CTI-CMM and uses the results to develop a fully traceable stakeholder-driven intelligence plan. The workshop helps you build structured stakeholder interviews to extract PIRs, shape your collection plan, and prioritize collection around your stakeholders’ true needs. It also demonstrates how to prove the program’s ROI by connecting daily analysis across the CTI-CMM’s domains to quantified operational improvements.

For the other half of this picture—what CISOs are asking CTI to deliver—see our companion piece, What CISOs Want from Cyber Threat Intelligence.

Register for the next Intelligence Planning Workshop on September 23, 2026, 9:00 AM–1:00 PM EST. Seats are strictly limited.
