
By Mark MacDonald, Director of Product Marketing
The 2026 SANS CTI Survey of almost 500 security leaders and practitioners confirms that adoption of CTI programs is now robust. What is less clear is how to measure the impact of those programs, and how to put them in a better position to earn influence over time.
This blog proposes some practical ideas and steps for doing exactly that, through the lens of total cost of ownership (TCO). To get the highlights of the SANS CTI Survey, read "6 Key Findings from the SANS CTI Survey: How to Build Influence with CTI."
Start with the Value-Influence Gap
Only 26% of CISOs say CTI significantly influences their decisions, while lack of time and lack of funding tie as the top barriers to effective CTI, each cited by 44% of practitioners. SANS calls this the value-influence gap. Before you can reason about cost, it helps to know where your program sits in terms of this gap.
We’ve drafted a simple way to grade your gap by answering two questions. After you’ve answered them, you can plot your maturity on the graph below.
- Value clarity – What are the metrics you track that demonstrate CTI value today?
  - None: You know you need CTI, but you could not say how to measure its value.
  - Some: If pressed, you could point to a few signs CTI is working, but you do not track them regularly.
  - Robust: You can show how CTI moves real metrics: MTTR, dwell time, threat hunting yield, proactive blocks, analyst time saved.
- Leadership influence – How does CTI factor into leadership decisions?
  - Minimal: CTI rarely changes a decision. Leadership does not know about it or ask for it.
  - Inconsistent: CTI shapes some decisions. Leadership cares occasionally.
  - Strong: CTI drives strategic decisions. Leadership values it and asks for it.
[Figure: value-influence gap maturity graph]
The Core Cost Areas (Minus Labor)
Most CTI programs carry the cost areas below. Cost is the part of the picture that is deceptively hard to measure, because it is assembled from several sources that each sit in a different budget. Added up, the total can be surprising. A TCO lens is the difference between knowing what you pay each vendor and knowing what your program costs.
| Cost Area | What it Generally Covers | Considerations |
|---|---|---|
| CTI vendor license costs | Focused CTI vendors. Typically includes a mix of tactical, operational, and strategic intelligence. | Per-seat limits. Overlapping or redundant capabilities if using multiple CTI vendors. |
| CTI bundled in SecOps platforms | Intelligence features included in EDR, SIEM, or SOAR contracts, often as a tier upgrade or add-on. | Easy to overlook in the TCO count because it’s buried in a larger contract. Worth assessing whether the bundled capability meets your actual requirements or creates a coverage gap. |
| IOC feeds | A mix of paid feeds, intelligence-sharing community perks, and open source feeds. | “Free” feeds are not necessarily without cost. Redundant sources can create signal-to-noise problems if you are not careful. |
| Sandbox, URL, and file analysis | Detonating suspicious files and URLs to confirm intent and extract indicators. | Sometimes purpose-built, sometimes bundled into a larger platform, sometimes upsold from a freemium tier. Public sandboxes work until you must detonate sensitive or regulated material that cannot be submitted publicly. |
| Data ingestion and storage (SIEM, data lake) | The load CTI data places on your SIEM, data lake, and storage bills. | Easy to misjudge in both directions. The feed itself is small. Cost grows with how many sources you run and how much of their output you forward into systems that charge for storage. |
| Services | Onboarding, integrations, custom workflows, advisory engagements, and managed analyst hours. | Basic onboarding is usually included. Advanced integrations and managed hours are where costs quietly compound, and where automation is now applying real downward pressure. |
Defining Value
A TCO model tells you what a program costs, but it doesn’t tell you whether the program is worth it. A CTI program optimized purely for costs can backfire if it fails to deliver the information needed to prevent breaches. The other half of the equation is what the spend returns: risk reduced, incidents caught earlier, and analyst hours given back.
So how do you measure this? Of all the areas CTI touches, we maintain that the identity vector is the clearest place to measure value, because the signal is the most impactful. Stolen and exposed credentials are a leading path to initial access for attackers. They’re also easier to conceptualize and communicate than other IOCs. Your CFO uses credentials and should generally understand account security principles, but you risk losing them if you attempt to explain the importance of file hash IOCs for endpoint security. The numbers are easier to explain as well.
The median Flare customer sees roughly 720 credential events per year, or about 60 a month. Most of that volume is expected noise: old passwords, former employees, the same account appearing repeatedly. Even at a conservative 1% true-positive rate, that still surfaces over seven real and actionable identity compromises a year. Subjecting these threats to manual processes, less frequent checks, and high mean time to respond represents a serious risk. At roughly 20 minutes per investigation and a blended $75 analyst rate, the median customer’s labor cost related to identity is $18,000 annually.
We host an identity exposure management ROI calculator for testing these assumptions against your own numbers if you’re interested.
The Takeaway for Security Teams
If you are looking to act on some of the findings in the SANS CTI report, getting a clear TCO picture is as good a place to start as any. By understanding your value-influence gap, auditing your core cost areas, and finding clear ways to communicate value on measurable use cases like identity, you put yourself in a stronger position to measure the maturity of your program over time.





