Survey reveals gap between threat intelligence & execution

A new survey has highlighted a disconnect between the importance organisations place on threat intelligence and their ability to implement it effectively.
The research, conducted by Cyware, collected responses from 100 cybersecurity executives and professionals working across enterprises, government agencies, and service providers. Nearly all respondents (92%) described operationalising threat intelligence as either "absolutely crucial" or "very important" in their organisations' efforts to combat cyber threats.
Despite this consensus, only 13% of those surveyed reported satisfaction with their automation between cyber threat intelligence (CTI) and security operations (SecOps) tools. The survey also found that nearly 40% of participants experienced difficulty coordinating data between critical security systems such as Threat Intelligence Platforms (TIPs), Security Information and Event Management (SIEM) tools, and vulnerability management platforms.
Speaking on the findings, Anuj Goel, Co-founder and Chief Executive Officer of Cyware, stated: "The RSAC survey data reveals a serious gap between that belief and the operational reality. Threat intelligence isn't just about collecting data - it's about connecting people, processes, and platforms to act on it. These findings reinforce the need for more unified, automated, and collaborative approaches to security operations."
Internal collaboration and automation maturity were flagged as key areas where organisations fall short. Although almost all those surveyed regard threat intelligence sharing as fundamental, only a small proportion felt their automation systems worked well in practice.
Artificial intelligence (AI) is seen as a promising area for improving threat intelligence processes, with 78% of respondents believing AI will enhance threat intel sharing within their organisations. However, only 43% reported that AI has already made a meaningful impact, pointing to difficulties in implementing AI solutions and integrating them into existing security processes.
The Cyware survey also drew attention to the timeliness of threat intelligence sharing. Only 17% of teams said they disseminate threat intelligence among key roles — such as SecOps, incident response, and vulnerability management - in real time, while another 25% do so on a daily basis. At the same time, 22% indicated that information is shared infrequently or not at all, raising questions about internal communication and responsiveness to emerging threats.
External collaboration with industry peers for the purpose of improving threat intelligence is another area identified for additional growth. According to the survey, while 57% of respondents claimed that their organisation collaborates with other companies in their sector, a significant 30% were unsure if this kind of peer cooperation even exists at their workplace.
Automation challenges remain evident, with more than half (56%) of survey participants reporting significant or moderate obstacles in automating workflows across CTI and SecOps teams. This suggests that technical, procedural, or organisational hurdles are hampering efforts to scale effective threat intelligence practices.
Additionally, participation in Information Sharing and Analysis Centres (ISACs) or similar organisations is relatively low. Only 18% confirmed their organisation is involved with such groups, while 45% were unaware of any such participation. The lack of engagement or awareness about ISACs could be limiting access to valuable, sector-specific threat information, potentially reinforcing the existing silos within the threat intelligence community.
The survey's findings align with a broader trend: as cyber threats evolve and become more complex, organisations face mounting pressure to bridge the gap between recognising the importance of threat intelligence and actually executing it through internal collaboration, real-time sharing, automation, and peer engagement.

Try Our AI Features

Explore what Daily8 AI can do for you:

Learn with AIFact CheckingText to SpeechAI Summary

Related Articles

Techday NZ

12-06-2025

• Techday NZ

Red Canary deploys AI agents to slash security investigation times

Red Canary has announced the introduction of a suite of AI agents designed to perform tier 2 security investigations at the pace and calibre of experienced analysts. These AI agents have already conducted over 2.5 million investigations, reportedly reducing the average investigation time by 90%. The agents are trained on a decade's worth of operational data and provide contextual gathering, alert enrichment, and recommended actions for identified threats, with a stated aim to lessen alert noise and assist security teams in managing evolving threats without increased complexity or risk. Reducing manual security tasks The AI agents are described as specialists across every phase of detection, investigation, and response. They cover roles including security operations centre (SOC) analyst, detection engineering, threat intelligence, and user analysis, automating many procedures traditionally undertaken by security experts. For organisations, this means the agents automate both Tier 1 and Tier 2 analyst tasks in various environments such as cloud, identity, Security Information and Event Management (SIEM), and endpoint systems. According to Red Canary, this leads to faster root cause analysis and remediation of security incidents. In addition, a threat intelligence agent compares threats against known profiles, identifying new trends and aiding intelligence operations. Impact and efficiency Red Canary states that, by automating analyst-level workflows, customers have reduced investigation times from over 20 minutes to under three minutes on average, with the company citing a 99.6% customer-validated true positive rate. The system is built to be enterprise-grade, with training on 10 years of real-world data and with continuous oversight by security operators to ensure consistency and reliability. "Several years ago, we introduced automation to replace repetitive Tier 1 work," said Brian Beyer, CEO and Co-founder of Red Canary. "Now, by combining the best of agentic AI with AI agents that are equipped with years of frontline experience, we're taking the next leap—accelerating Tier 2 investigations with the speed of automation and the judgment of experienced security analysts. This shift allows every Red Canary detection engineer to focus on Tier 3-level analysis, delivering deeper insights and stronger outcomes for our customers." Practical use cases Red Canary offered specific examples to illustrate the value of the AI agents. In one scenario, a user behaviour analysis agent flagged an anomalous Salesforce login, missed by other tools. A reputation analysis agent added context by identifying the login as originating from a high-risk IP address. Red Canary's team validated the threat and quickly alerted the customer, allowing for immediate password reset and containment within minutes. Another example involved a compromised account detected through alert enrichment and user behaviour analysis. These agents identified a suspicious application and proxy activity from an unfamiliar ISP and geography. A Red Canary detection engineer confirmed that a user's access token had been compromised and notified the customer's security operations team for swift response. Scope of agent capabilities The suite currently includes agents specialised for specific systems, including Microsoft Defender for Endpoint, Crowdstrike Falcon Identity Protection, AWS Guardduty, and Microsoft Sentinel. These agents are designed to deliver consistent procedures for their respective environments. The response and remediation agent offers concrete steps for both addressing current incidents and hardening systems to reduce future risk, while the user baselining and analysis agent highlights deviations in user activity by comparing real-time behaviour to historical patterns. Red Canary underscores that its agents are not fully autonomous decision-makers; instead, their outputs are subject to the oversight of experienced detection engineers, aiming to balance automation, reliability, and human judgement. This development represents an ongoing trend in the security sector towards applying artificial intelligence to reduce manual workloads, lower incident response times, and support strained security teams. According to Red Canary, its focus remains on reducing noise, accelerating triage, and providing expert analysis for each threat faced by its clients.

Techday NZ

10-06-2025

• Techday NZ

Exclusive: SquareX's Audrey Adeline on why the browser is 'the new endpoint'

The browser is the new battleground. That's the message from Audrey Adeline of cybersecurity company SquareX, who has launched a practical Browser Detection and Response Manual to help organisations understand and defend against attacks in what she calls "the most used app on your device." "Eighty per cent of the time spent on a device is now in the browser," she explained to TechDay during a recent interview. "Yet it's one of the least protected surfaces in cybersecurity." Unveiled at the RSA Conference (RSAC'25) earlier this year, the manual has struck a chord with security leaders worldwide, selling out quickly and prompting strong feedback. The manual, written by Audrey Adeline and Vivek Ramachandran is titled: 'The Browser Security Field Manual'. "We were one of the top-selling books at the RSA bookstore," Adeline said. "A lot of CISOs reached out to us afterwards to say it helped their teams rethink browser security." Originally from Indonesia, Adeline's own path into tech was unconventional. "I grew up in a very traditional economy. Most of my family ran consumer businesses - nobody was in STEM," she said. After studying biochemistry at Cambridge and working in cancer research, she pivoted into consulting, and eventually joined Sequoia to evaluate tech companies, including cybersecurity firms. Her passion for deep tech and research led her to SquareX, where she now leads the Year of Browser Bugs (YOBB) project, uncovering browser-based architectural vulnerabilities each month. These include high-profile exploits like polymorphic extensions, which can impersonate legitimate browser tools like password managers and crypto wallets. "The danger is users don't realise they're entering credentials into a fake extension," Adeline explained. "These are architectural issues that legitimate browser features enable, and they're much harder to detect or patch." That urgency drove the creation of the manual. "We kept seeing the same problem - people using the browser constantly, but having very little visibility or protection," she said. "Existing tools just don't give you a clear picture of how the breach occurred." The manual's first edition is now being followed by a second, set for release at DEF CON and Black Hat in August. It will feature commentary from CISOs at Fortune 500 companies to ground the guidance in real-world enterprise experience. "We didn't want to just make it theoretical," Adeline said. "Each chapter now includes perspectives on actual problems faced by security teams." Access to the manual is currently via request form, though Adeline said digital availability is expected closer to August. Developing the manual was not without challenges. "The biggest hurdle was the lack of consolidated resources," she said. "There's research out there, but it's scattered. We had to pull together a lot of primary sources and make it digestible - from beginner concepts to advanced attacks." Browser-based threats have spiked recently, with attackers targeting the browser as the new endpoint for enterprise data. "Think about it," she said. "We don't download files anymore. Our files, apps, identities - everything is now in the browser. It's where 60 to 70 per cent of enterprise data lives." Adeline warned that the shift in attacker behaviour is permanent. "It's not just a trend. There's a fundamental change in how we work, and attackers are following the data." To help teams assess their own posture, SquareX has also launched a free browser attack testing tool. "Seeing is believing," she said. "You can test against 49 different browser-based attacks and see which ones bypass your current solutions." She sees two main approaches to browser defence: dedicated secure browsers, or solutions like SquareX's browser extension, which converts any existing browser into a secure one. "Most organisations can't migrate everyone to a new browser," she said. "Extensions are more practical, and updates are seamless." SquareX positions itself as the EDR for the browser, focusing on detection and response at a granular level. "We're obsessed with user experience. You can't compromise productivity just to get security," she said. The company's design avoids the risks of dedicated browsers, which often lag behind on security patches. "Every time Chrome issues a patch, those browsers need to be updated manually. That creates a gap where zero-days can thrive," she explained. Future plans include a red team edition of the manual and continuous updates as attacks evolve. "I wouldn't be surprised if there are multiple versions by next year," Adeline said. Her advice to security leaders just waking up to the browser as a threat vector is clear: "You need browser-native security to tackle browser-native threats." Adeline believes the industry must go beyond reacting to breaches and start anticipating them. "The best defence is understanding what attackers are doing," she said. "You can't just play catch-up." For her, the inclusion of peer input in the manual is crucial. "Security leaders want to hear from their peers. They need validation that this is a permanent shift, not a passing concern," she said. Asked what's changed to make browsers such a prime target now, Adeline points to a confluence of technology and behaviour. "Chrome has added countless new features like WebAssembly and WebRTC. These make browsers powerful enough to replace local apps," she explained. "Since COVID, we've seen everything move online. Now attackers are simply going where the data is." "The browser is the new endpoint," she said. "It's where we work - and where we're vulnerable."

Techday NZ

22-05-2025

• Techday NZ

Survey reveals gap between threat intelligence & execution

A new survey has highlighted a disconnect between the importance organisations place on threat intelligence and their ability to implement it effectively. The research, conducted by Cyware, collected responses from 100 cybersecurity executives and professionals working across enterprises, government agencies, and service providers. Nearly all respondents (92%) described operationalising threat intelligence as either "absolutely crucial" or "very important" in their organisations' efforts to combat cyber threats. Despite this consensus, only 13% of those surveyed reported satisfaction with their automation between cyber threat intelligence (CTI) and security operations (SecOps) tools. The survey also found that nearly 40% of participants experienced difficulty coordinating data between critical security systems such as Threat Intelligence Platforms (TIPs), Security Information and Event Management (SIEM) tools, and vulnerability management platforms. Speaking on the findings, Anuj Goel, Co-founder and Chief Executive Officer of Cyware, stated: "The RSAC survey data reveals a serious gap between that belief and the operational reality. Threat intelligence isn't just about collecting data - it's about connecting people, processes, and platforms to act on it. These findings reinforce the need for more unified, automated, and collaborative approaches to security operations." Internal collaboration and automation maturity were flagged as key areas where organisations fall short. Although almost all those surveyed regard threat intelligence sharing as fundamental, only a small proportion felt their automation systems worked well in practice. Artificial intelligence (AI) is seen as a promising area for improving threat intelligence processes, with 78% of respondents believing AI will enhance threat intel sharing within their organisations. However, only 43% reported that AI has already made a meaningful impact, pointing to difficulties in implementing AI solutions and integrating them into existing security processes. The Cyware survey also drew attention to the timeliness of threat intelligence sharing. Only 17% of teams said they disseminate threat intelligence among key roles — such as SecOps, incident response, and vulnerability management - in real time, while another 25% do so on a daily basis. At the same time, 22% indicated that information is shared infrequently or not at all, raising questions about internal communication and responsiveness to emerging threats. External collaboration with industry peers for the purpose of improving threat intelligence is another area identified for additional growth. According to the survey, while 57% of respondents claimed that their organisation collaborates with other companies in their sector, a significant 30% were unsure if this kind of peer cooperation even exists at their workplace. Automation challenges remain evident, with more than half (56%) of survey participants reporting significant or moderate obstacles in automating workflows across CTI and SecOps teams. This suggests that technical, procedural, or organisational hurdles are hampering efforts to scale effective threat intelligence practices. Additionally, participation in Information Sharing and Analysis Centres (ISACs) or similar organisations is relatively low. Only 18% confirmed their organisation is involved with such groups, while 45% were unaware of any such participation. The lack of engagement or awareness about ISACs could be limiting access to valuable, sector-specific threat information, potentially reinforcing the existing silos within the threat intelligence community. The survey's findings align with a broader trend: as cyber threats evolve and become more complex, organisations face mounting pressure to bridge the gap between recognising the importance of threat intelligence and actually executing it through internal collaboration, real-time sharing, automation, and peer engagement.