The SANS Institute’s newly released SANS 2025 CTI Survey report reveals a major surge in use of cyber threat intelligence (CTI) by senior executive and business leaders to mitigate risk in strategic decisions, investments, and mergers and acquisitions.
Based on responses from nearly 500 CTI professionals around the world, 52% of executives now decide intelligence requirements, up from just 33% in 2024, while 39% of business units drive CTI requirements — almost double the 23% that steered CTI requirements last year.
Notably, despite the increasing influence executives have over intelligence planning, CTI teams appear to be struggling more than ever with funding. This year, 62% reported a lack of funding as a key blocker to their work, up from 52% in 2024 and 40% in 2023. The SANS authors note that lack of management buy-in was also high, at 47.3% — the second biggest inhibitor. This strongly suggests CTI programs need to show their organization’s leadership measurable outcomes and return on investment (ROI).
Source: SANS CTI Survey 2025
What’s behind these apparently conflicting trends at a time when cyberattacks have grown in frequency and impact? Why are CTI budgets strained at a time new cybersecurity regulations reinforce proactive cyber risk management at the board and executive level?
Just as the digital threat landscape is enormous, the stakeholder concerns that CTI professionals are responsible for are multi-faceted, vast, and growing. CTI teams, the CTI community, and the stakeholders they support are undergoing rapid change. After years of accelerated digital transformation across all sectors, including critical infrastructure, executives have quickly realized that cyber is no longer just about proactively mitigating digital and operational risks. Supply chains and systems underpinning finance, health, technology and other sectors are highly interconnected. Rising geopolitical tensions, armed conflicts, and the reality of cyber warfare have transformed cybersecurity into a core business concern.
As Cybersecurity and Infrastructure Security Agency (CISA) former director Jen Easterly recently noted, “corporate leaders have begun to see cyber risk for what it is: a strategic, enterprise risk, which they — not their Chief Information Security Officer (CISO) — own.”
“Boards and company leadership must consider the critical role they play in national security and ensuring systemic resilience,” Easterly added.
Source: SANS 2025 CTI Survey
Leaders at large organizations realize the strategic importance of not just digital infrastructure but also the importance of in-house and third-party ‘software as a service’ secure application development. These trends are changing how cybersecurity risk and CTI is viewed and operationalized.
These trends are reflected in growing calls from leaders for secure-by-design, like JP Morgan Chase’s CISO Patrick Opet, who recently warned that the ‘software as a service’ (SaaS) delivery model is quietly enabling cyber attackers and creating vulnerabilities that are weakening the global economic system. In an open-letter to third-party providers following several incidents affecting its SaaS providers, Opet said software providers must prioritize security and modernize security architectures.
In other words, the rise of SaaS and the growing interconnectedness of customers and suppliers are creating unprecedented levels of third-party risk, particularly as attackers target enterprise access credentials, trusted IT partners in what the industry calls software supply chain attacks that often blur the lines between nation-state and cybercrime, and trusted tools such as remote monitoring and management (RMM) software. Intel 471 CTI analysts study these active threats in-depth, providing the adversary and malware tactics, techniques, and procedures (TTPs) our threat hunters use to create threat hunting packages for organizations to defend themselves against techniques that routinely evade reactive detections.
As boards and executives take on more ownership of cybersecurity, there is a growing need for a common language between their cybersecurity teams and CTI teams. CISOs will play a critical role translating business requirements into intelligence priorities that ultimately inform strategically important defenses like threat hunting.
Indeed, threat hunting in the SANS 2025 CTI survey was, for the second time in a row, the top use case for CTI at 71%. Intelligence-driven threat hunting serves two key functions that benefit executive goals: measuring the value of CTI, and independently validating their biggest investments in security software, such as endpoint detection and response (EDR). Executives can reevaluate their investments if intelligence-driven hunt teams consistently see controls are not detecting things seen in the threat landscape.
As the SANS CTI Survey authors report, metrics and measuring effectiveness of a proactive and analytic capability such as CTI are inherently difficult. How do you measure the value of threat intelligence that helped you proactively avoid an incident? It’s much harder than putting a value on a role like incident response and fraud detection, where impact is obvious and visible but reactive.
The survey found that 55% of respondents measure the effectiveness of their CTI program, while 31.5% do not, and 14% don’t know whether any efforts are made to measure effectiveness.
However, the survey also found some organizations are using custom maturity models aligned with the NIST Cybersecurity Framework, regular gap assessments, while others have implemented the relatively new CTI Capability Maturity Model (CTI-CMM)—a CTI community-driven framework that helps align CTI efforts with organizational and stakeholder goals. Version 1.2 of the model introduced over 100 metrics that leaders can use as a guide to ask the right questions to measure and drive continuous improvements using CTI across cybersecurity architecture, assets, third-party risk, and workforce management.
Two key questions leaders can ask are “How many geopolitical or macroeconomic factors analyzed within CTI threat modeling?” and “How many security technology investments were justified, prioritized, or otherwise impacted by CTI-informed risk modeling?”
If adopted, CTI-CMM metrics — or simply questions relevant to stakeholder priorities — put executives at an advantage when defining intelligence priorities to reduce their risk priorities. CISOs play a critical role here in translating these requirements.
The threat landscape is always evolving. Cybersecurity, cyber risk management, and technology departments are too, which means CISOs and CTI programs need to adapt to stakeholder risk priorities. Want to read more about Intel 471’s perspective on this SANS CTI Survey and discover a few key insights? Click here.
Initial access brokers (IABs) sell access to compromised organizations on underground forums. Here's an analysis looking at whether these offers can be correlated to ransomware attacks.
The disruption of the XSS cybercrime forum and arrest of its administrator in Ukraine in July 2025 has shook Russian-speaking cybercriminal communities to their core and raised questions if the forum can recover.
The Lumma infostealer malware collects highly sensitive data including logins and session tokens. Here's how to conduct a threat hunt leveraging up-to-date tactics, techniques and procedures used by Lumma.
Stay informed with our weekly executive update, sending you the latest news and timely data on the threats, risks, and regulations affecting your organization.