Trends, facts, and figures of Cyber Threat Intelligence users


Over 1,000 peers came together to build a collective understanding of Cyber Threat Intelligence (CTI) programs around the globe. In the 2020 SANS Cyber Threat Intelligence Survey, we see how a new maturity around CTI programs is leading to increased effectiveness across multiple teams:

  • Formal processes for gathering CTI requirements increased from 13% in 2019 to almost 44% in 2020.
  • CTI requirements are being developed with input from across the organization, including security operations, incident response teams, and vulnerability management teams.

Compared to other types of feeds, open source, CTI-specific, and IR feeds are being used more than ever before.


  • Collaboration is key.

While the number of organizations with dedicated threat intelligence teams is growing, we continue to see an emphasis on partnering with others, whether through a paid service provider relationship or through information-sharing groups or programs. In addition, collaboration within organizations is also on the rise, with many respondents reporting that their CTI teams are part of a coordinated effort across the organization.

  • Not all processes require the same level of automation.

Semi-automation may be the gold standard when it comes to data processing, even for some tasks that are often considered redundant, such as data deduplication, because such information is sometimes useful to analysts.

  • The necessary data and tools change as CTI teams evolve.

As more organizations begin to produce their own intelligence, the nature of information that CTI analysts require is also shifting from primarily threat feed or vendor-provided information to data from internal tools and teams. While many of the same tools and processes can be used to handle this type of information, organizations also must determine how this changes their need for tools handling this data.

  • Requirements are taking hold and are a staple of mature teams.

Requirements are a key part of the intelligence process and help to ensure a focus on collection and analysis efforts by analysts as well as proper production of intelligence. This makes the intelligence process more efficient, effective and measurable, all keys to long-term success. Last year, a minority of organizations reported that they had clearly defined and documented intelligence requirements, which was highlighted as a key recommendation for organizations. This year, nearly half of respondents answered that they have defined and documented intelligence requirements. This is a fantastic jump in the data and is an encouragement to anyone who is seeking to add defined and documented intelligence requirements into their CTI program.

  • A community of consumers and producers contributes to CTI.

More organizations consume intelligence than produce it (as we would expect), but more than 40% of respondents both produce and consume intelligence. This is a great indicator of the growing maturity and professionalization of the cyber threat intelligence field. Organizations that have trouble satisfying a majority of their intelligence requirements, because they are only consuming intelligence or are missing any of their priority intelligence requirements, should consider moving to both generating and consuming intelligence. Those considering generating cyber threat intelligence should review the SANS CTI Summit videos on the topic and/or attend a CTI course.