Cyber Threat Intelligence (CTI) Maturing: Results of the 2020 SANS CTI Survey

Bethesda, Md. – In the past few years, CTI has evolved from small, ad hoc tasks performed disparately across an organization to, in many cases, robust programs with their own staff, tools and processes that support the entire organization, according to the SANS 2020 CTI Survey to be released by SANS Institute in a two part webcast series at 1 PM Eastern on Tuesday, February 11 and Thursday, February 13, 2020.

“In the past three years, we have seen an increase in the percentage of respondents choosing to have a dedicated team over a single individual responsible for the entire CTI program,” says survey author and SANS instructor Robert M. Lee.

In fact, survey results indicate that just less than 50% of respondents’ organizations have a team dedicated to CTI, up from 41% in 2019. While the number of organizations with dedicated threat intelligence teams is growing, results also demonstrate a move toward collaboration, with 61% reporting that CTI tasks are handled by a combination of in-house and service provider teams.

“We continue to see an emphasis on partnering with others, whether through a paid service provider relationship or through information-sharing groups or programs,” continues Lee. “Collaboration within organizations is also on the rise, with many respondents reporting that their CTI teams are part of a coordinated effort across the organization.”

Another sign of maturity is the definition and documentation of intelligence requirements. The number of organizations reporting a formal process for gathering requirements increased 13% from last year, to almost 44% in 2020. This makes the intelligence process more efficient, effective and measurable—keys to long-term success.

Full results will be shared during a February 11 webcast at 1 PM Eastern, sponsored by Anomali, DomainTools, EclecticIQ, Infoblox, Recorded Future, Sophos, ThreatConnect, and ThreatQuotient, and hosted by SANS. Register to attend the webcast at

A February 13 webcast will feature a panel discussion on key issues on CTI at 1 PM Eastern, sponsored by Anomali, DomainTools, and ThreatConnect, and hosted by SANS. Register to attend the webcast at

Those who register for these webcasts will also receive access to the published results paper developed by SANS Analyst and cyber intelligence expert, Robert M. Lee.

Tweet This:

SANS 2020 CTI Survey Results Webcast | 2/11 at 1 PM ET | Register @

@RobertMLee discusses the SANS CTI survey and related trends on 2/11 @ 1 PM Eastern | Register today at

Listen in as @RobertMLee and survey sponsors talk about CTI and its implementation | 2/13 @ 1 PM Eastern | Register at

@ RobertMLee and industry veterans discuss key issues related to CTI maturation | 2/13 @ 1 PM Eastern |

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions world-wide. Renowned SANS instructors teach more than 60 courses at in-person and virtual cyber security training events and on demand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community. (