6 Key Findings from the SANS CTI Survey: How to Build Influence with CTI

The 2026 SANS Cyber Threat Intelligence Survey is out, and its central finding is a paradox that every security leader can benefit from sitting with: CTI is widely recognized as essential, but it’s not consistently driving the decisions that matter.

91% of CISOs rate CTI as valuable or extremely valuable, but only 26% say it significantly influences their decisions. This gap comes from translating CTI into operational intelligence, and is one of the six findings we’ll explore here. 

For the first time, the SANS CTI Survey includes a dedicated CISO section, capturing responses from security executives alongside its traditional practitioner-focused data. The result is the most complete picture we’ve had of how CTI is experienced from both sides, including the analysts producing intelligence and the leaders acting (or not acting) on it.

The survey collected responses from almost 500 qualified cybersecurity professionals globally between November 2025 and January 2026, spanning financial services, government, technology, healthcare, manufacturing, and more.

Six Key Findings About CTI

1. The Value-Influence Gap Is Real

This is the defining finding. CISOs aren’t questioning whether CTI is accurate, but they’re struggling with what to do with it. Describing a threat accurately isn’t the same as telling an executive which risks require action now, what to tell the board, or where to allocate budget.

• 49% of CISOs rate CTI as “extremely valuable”
• 42% say it only “moderately influences” their decisions
• Only 26% say it “significantly influences” decisions

Intelligence that’s appreciated but not acted upon isn’t achieving its purpose yet.

2. There’s an Increasing Number of CTI Teams, but They are Stretched Thin

56% of organizations now report a formal dedicated CTI team, which is the highest rate in survey history. But most teams remain under four full-time employees, and nearly a quarter rely on a single person or a shared-responsibility model.

Meanwhile, CTI is being asked to support security operations, incident response, threat hunting, vulnerability management, adversary emulation, risk management, executive decision-making, and more. A team of two or three analysts can’t possibly manage all of those areas of security.

The survey puts it bluntly: “Organizations have adopted CTI as a capability faster than they have funded it as a function.”

3. AI Has Crossed from Experiment to Operations

Nearly half of organizations (45%) are using AI in their CTI programs today, with another 32% planning to adopt it. The top use cases are practical, not flashy:

• Data summarization and report writing: 56%
• Data parsing, normalization, and information extraction: 46%
• Automation and workflow enhancements: 45%
• AI embedded in vendor products: 42%

The human-in-the-loop model is holding strong. AI isn’t replacing CTI analysts, and it’s giving them time back to do the analytical work that AI can’t do.

4. The Barriers are Structural, Not Skill-Based

For years, the CTI community debated the “skills gap.” The 2026 data reframes that conversation entirely as survey participants noted these issues hold their organization back from implementing CTI effectively:

• Lack of time to implement new processes: 44%
• Lack of funding: 44%
• Lack of management buy-in: 27%
• Lack of technical skills: 24%

Organizations have made genuine progress developing CTI talent. What’s missing is the time and resources to let that talent do its best work.

On top of that, burnout (38%) and organizational silos (40%) are limiting analyst effectiveness. When CTI loses experienced analysts to burnout, the impact cascades through already-thin teams.

5. Security Operations Reclaimed the Top Spot

For the first time since 2022, security operations (71%) overtook threat hunting as the leading CTI use case. This likely reflects intelligence derived from threat hunting being operationalized into detection rules and playbooks, which is a sign of maturity.

But there’s a risk: when CTI becomes primarily a support function for reactive operations, the capacity for strategic, forward-looking intelligence diminishes. The triage problem becomes self-reinforcing.

6. Governance Is the Forgotten Risk

More than half of organizations (55%) lack legally reviewed CTI sharing processes, even as regulations like NIS2 and the Cyber Resilience Act impose new obligations. The practical consequence: CTI teams facing legal uncertainty tend to share less, undermining the very premise of collaborative intelligence.

What CISOs Actually Want

Executives aren’t asking for more intelligence. They’re asking for intelligence that feeds their decision-making. Their priorities for the next 12 months:

• Information about vulnerabilities being actively exploited: 79%
• Specific adversary TTPs: 77%
• Broad information about attack trends: 64%
• Threat alerts specific to their brand and IP: 62%

The reports they value most: threat landscape reports (89%), incident after-action reports (78%), and periodic cybersecurity news analysis (70%). Business-focused reports rank lowest at 41%, but that almost certainly reflects how rarely they’re produced, not how little they’re needed.

Recommendations for Security Leaders

Based on the survey findings, here are actionable steps security leaders can take to close the gap between CTI recognition and influence:

Support Business Decisions 

Structure CTI outputs around the business decisions executives are making, not the threats that analysts are tracking. Lead with the recommendation, support it with evidence, and make the required action explicit.

Start here: Interview two or three key stakeholders this quarter and ask what decisions they make monthly. Find opportunities to support these decisions with threat intelligence. The opportunities may surprise you. For example, you can brief your HR executives on the prevalence of nation state sponsored  fraudulent hiring operations. You can recommend the emails of all applicants be cross-referenced with relevant intel sources.  

Connect CTI Directly to Vulnerability Prioritization

79% of CISOs want to know which vulnerabilities are actively being exploited, and 63% of CTI teams already support vulnerability management. The capability exists on both sides, and what’s missing is making the connection visible.

Start here: Produce a monthly one-pager that maps actively exploited vulnerabilities to your environment and links each to a recommended remediation priority. Give executives a direct line from intelligence to action.

Take the Reigns on Your CTI Total Cost of Ownership (TCO) 

43% of CTI programs don’t track maturity over time, and nearly half don’t gather systematic feedback on effectiveness. As the survey notes: “You can’t defend a budget you can’t measure.”

Programs that can’t demonstrate improvement can’t make a data-backed case for additional resources. Establishing or updating your program’s TCO: accounting for all license costs, feeds, ingestion costs, and services before moving onto quantifying value and impact is a good approach. Security teams that can point to measurable impact are the ones that sustain investment through budget pressure.

Start here: Define metrics for each major CTI tool (reach, utilization, decision impact), implement a structured feedback mechanism, and adopt a maturity tracking framework like CTI-CMM as a baseline.

Use AI to Create Capacity, Not Complexity

With 45% of organizations already using AI in CTI, the window for competitive advantage from early adoption is narrowing. Focus AI on high-volume, low-insight work that frees analysts for judgment-intensive analysis.

Start here: Identify the three most time-consuming repetitive tasks in your CTI workflow and evaluate where AI-assisted automation with structured data can reduce manual effort.

Design for the Team You Have

Stop designing CTI programs for a future headcount that may never arrive. Three things make the difference between a small team that thrives and one that burns out:

• Automations for low-value, high-volume tasks aggressively
• Definitions for a clear product portfolio with explicit scope boundaries
• Alignment of stakeholder expectations to realistic delivery

Get Legal Review for Sharing Processes

CTI programs without legally reviewed sharing processes face both compliance exposure and a chilling effect on information sharing. Formalizing what can be shared, with whom, and under what conditions gives analysts the confidence to share rather than the instinct to hesitate.

Start here: Schedule a meeting with legal counsel this quarter. Most CTI sharing is already responsible, and formalizing it removes ambiguity.

Pilot Business-Focused Intelligence

Only 41% of CISOs find business-focused intelligence valuable today, but executives can’t ask for something they’ve never seen. Products like M&A risk assessments, executive travel briefings, and supply chain threat profiles represent an entirely new category of influence.

Start here: Identify one upcoming business event, such as a merger, a major executive trip, a new vendor relationship, and produce a single threat intelligence report or briefing tied to it. Use the response to build the case for more.

CTI in 2026: Primed for More Influence

The discipline has achieved broad institutional adoption, proven its technical capabilities, and integrated AI into operational workflows. What it hasn’t done (yet) is consistently translate all of that into the decisions that shape organizational posture.

The gap between recognition and impact isn’t closed by producing better reports. It’s closed by understanding the specific decisions that stakeholders are making and tailoring intelligence to directly inform them. That shift from reporting on threats to recommending actions is where CTI influence gets won or lost.

For security teams looking to operationalize threat intelligence with full context and minimal noise, platforms that surface actionable signals, rather than raw data dumps, can help bridge exactly this kind of gap between information and action.