What good threat intelligence looks like in practice
In this Help Net Security interview, Anuj Goel, CEO of Cyware, discusses how threat intelligence is no longer a nice-to-have but a core cyber defense requirement. Turning intelligence into action, however, remains a challenge for many organizations. The path forward lies in integration, automation, and collaboration across technical and executive teams. With the right strategy, threat intelligence becomes not just a source of awareness but a driver of speed, precision, and resilience.
How do you define actionable threat intelligence in a CISO’s context, and what does “good” look like?
Actionable threat intelligence is insight that leads directly to a measurable security decision or action. It’s not just about collecting threat data. It’s about translating that data into something meaningful to improve the organization’s unique risk posture.
For a CISO, “good” threat intelligence is timely, relevant, and contextualized to the organization’s assets, data, users, and business operations. It provides clarity on why a particular threat matters, how it relates to the organization’s environment, and what response options exist. That might mean mapping an IOC to known vulnerabilities, assessing the credibility of a threat actor’s campaign, or identifying patterns of behavior across different telemetry sources. Ultimately, actionable intelligence enables faster prioritization and more informed response.
Where do most organizations fall short when trying to operationalize threat intelligence across security operations and risk management?
Many organizations have invested heavily in “acquiring” threat feeds, but far fewer have built the internal processes and integrations needed to contextualize and act on them consistently. The biggest shortcoming is often in the last mile, connecting intelligence to real-time detection, response, and risk mitigation.
Another challenge is organizational silos. In many environments, the CTI team operates separately from SecOps, incident response, or threat hunting teams. Without seamless collaboration between those functions, threat intelligence remains a standalone capability rather than a force multiplier. This is often where threat intelligence teams can be challenged to demonstrate value to security operations. Effective operationalization requires not just good intel, but strong collaboration, automation, and a clear sense of ownership for how intelligence drives positive business outcomes.
How should CISOs think about balancing open-source, commercial, and government threat intel feeds?
Each type of threat intelligence feed brings different strengths — and blind spots. Open-source feeds offer breadth and speed, particularly for fast-moving threats, but they require validation and context to be useful. Commercial feeds tend to deliver higher fidelity and curated intelligence, especially around specific verticals or threat actors. Government feeds are essential for broader situational awareness, compliance obligations, and sector-specific threats.
Rather than picking one over the other, CISOs should focus on blending these sources and correlating them with internal telemetry. The goal is to reduce noise, enhance relevance, and produce enriched insights that reflect the organization’s actual threat surface. Feed selection should also consider integration capabilities — intelligence is only as useful as the systems and people that can act on it. When threat intelligence is operationalized, a clear picture can be formed from the variety of available threat feeds.
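The blending and correlation described in this answer can be made concrete. The following is an added example written for this page, not code from Cyware or from the interviewee. It merges indicators from three constructed feeds (open-source, commercial, government), discounts uncorroborated open-source data with assumed per-source weights, rewards agreement between independent sources, and then matches the result against a few constructed DNS and proxy log lines. Every feed entry, indicator, hostname, weight and log line is made up for illustration; the `blend` and `correlate` functions and the scoring formula are this example's own, not a standard.

```python
import re
from dataclasses import dataclass, field

# Constructed sample feeds (not real indicators). Each record is
# (indicator value, indicator type, confidence as stated by the feed, 0-100).
OSINT_FEED = [
    ("198.51.100.23", "ipv4", 40),
    ("malicious-update.example", "domain", 60),
    ("203.0.113.7", "ipv4", 30),
]
COMMERCIAL_FEED = [
    ("198.51.100.23", "ipv4", 85),
    ("payroll-portal.example", "domain", 90),
]
GOVERNMENT_FEED = [
    ("malicious-update.example", "domain", 80),
    ("198.51.100.23", "ipv4", 75),
]
FEEDS = {"osint": OSINT_FEED, "commercial": COMMERCIAL_FEED, "government": GOVERNMENT_FEED}

# Assumed weights: raw open-source data is discounted until corroborated;
# curated commercial and government feeds are trusted more. Tune per programme.
SOURCE_WEIGHT = {"osint": 0.5, "commercial": 1.0, "government": 0.8}

# Constructed internal telemetry (DNS and proxy events) in a simple key=value form.
TELEMETRY = [
    "2024-05-02T10:14:03Z host=ws-0412 event=dns query=malicious-update.example",
    "2024-05-02T10:14:05Z host=ws-0412 event=proxy dst=198.51.100.23 port=443",
    "2024-05-02T10:20:11Z host=srv-db01 event=proxy dst=192.0.2.44 port=443",
    "2024-05-02T10:21:00Z host=ws-0099 event=dns query=intranet.corp.example",
]


@dataclass
class Indicator:
    value: str
    kind: str
    sources: set = field(default_factory=set)
    weighted_total: float = 0.0

    @property
    def score(self) -> int:
        # Mean weighted confidence, plus 10 points per corroborating source, capped at 100.
        mean = self.weighted_total / len(self.sources)
        return min(100, round(mean + 10 * (len(self.sources) - 1)))


def blend(feeds):
    """Merge all feeds into one indicator set, recording which sources agree on each."""
    merged = {}
    for source, records in feeds.items():
        for value, kind, confidence in records:
            ind = merged.setdefault(value, Indicator(value, kind))
            ind.sources.add(source)
            ind.weighted_total += confidence * SOURCE_WEIGHT[source]
    return merged


_FIELD = re.compile(r"(\w+)=(\S+)")


def correlate(indicators, telemetry, min_score=50):
    """Match blended indicators against telemetry lines; return hits at or above
    min_score, highest score first, so analysts see the best-corroborated matches first."""
    hits = []
    for line in telemetry:
        fields = dict(_FIELD.findall(line))
        # Domains show up in DNS queries, IP addresses in proxy destinations.
        observed = fields.get("query") or fields.get("dst")
        ind = indicators.get(observed)
        if ind is None or ind.score < min_score:
            continue
        hits.append({"host": fields["host"], "indicator": ind.value, "kind": ind.kind,
                     "score": ind.score, "sources": sorted(ind.sources), "line": line})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


if __name__ == "__main__":
    merged = blend(FEEDS)
    for ind in sorted(merged.values(), key=lambda i: i.score, reverse=True):
        print(f"{ind.value:28} score={ind.score:3} sources={sorted(ind.sources)}")
    for hit in correlate(merged, TELEMETRY):
        print(f"HIT host={hit['host']} {hit['indicator']} score={hit['score']} via {hit['sources']}")
```

With these constructed inputs the address seen by all three feeds scores 75 and the domain seen by two scores 57, while the open-source-only address scores 15 and never reaches the analyst; the two hits both point at the same workstation, which is the kind of enriched, environment-specific signal the answer describes rather than a raw feed match.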
What are the most impactful use cases you’ve seen for threat intelligence in mature security programs?
In mature programs, threat intelligence powers several high-value use cases:
- Threat hunting: Intelligence helps hunters proactively search for indicators or behaviors within the environment, often uncovering activity that hasn’t triggered alerts.
- Incident response: During an incident, real-time intelligence gives responders context — attacker motives, tools, or infrastructure — that can guide investigation and containment strategies.
- Vulnerability prioritization: Rather than patching everything equally, mature teams use threat intelligence to prioritize vulnerabilities that are actively exploited or relevant to their industry.
- Exposure management: Intelligence helps continuously identify, assess, and reduce the organization’s attack surface by mapping identities, assets, misconfigurations, and external exposures that adversaries could exploit.
The common thread across these use cases is that intelligence is not treated as an isolated feed or dashboard — it’s embedded into workflows and used to guide actions, not just inform them.
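The vulnerability prioritization use case above is the one most easily shown in code. The following is an added example written for this page, not from Cyware or the interviewee. It ranks findings across a constructed asset inventory by combining the published CVSS base score with two intelligence inputs (exploitation observed in the wild, and whether the exploiting campaign targets the organization's sector) and two exposure inputs (internet exposure and asset criticality). The identifiers of the form `CVE-0000-xxxx` are placeholders, not real CVEs; the asset names, flags, bonuses and multipliers in `priority` are assumptions chosen to illustrate the idea, not a published scoring standard.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str               # placeholder identifier, not a real CVE
    cvss: float            # published base score, 0-10
    exploited: bool        # intel reports exploitation in the wild
    sector_targeted: bool  # intel ties the exploiting campaign to our industry


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool
    criticality: int       # 1 = low, 2 = standard, 3 = crown jewel
    vulns: tuple


# Constructed inventory for illustration only.
INVENTORY = (
    Asset("vpn-gw-01", True, 3, (
        Vuln("CVE-0000-0101", 7.2, True, True),
    )),
    Asset("build-runner-07", False, 1, (
        Vuln("CVE-0000-0202", 9.8, False, False),
    )),
    Asset("web-store-02", True, 2, (
        Vuln("CVE-0000-0303", 8.2, True, False),
        Vuln("CVE-0000-0404", 5.4, False, False),
    )),
)

# Assumed multipliers: a crown-jewel asset amplifies a finding, a low-value one dampens it.
CRITICALITY_MULT = {1: 0.8, 2: 1.0, 3: 1.3}


def priority(v, a):
    """Assumed scoring model: CVSS is the baseline, active exploitation and sector
    targeting add fixed bonuses, and exposure and asset criticality scale the total.
    The bonuses are deliberately large so that intel outweighs a few CVSS points."""
    score = v.cvss
    if v.exploited:
        score += 4.0
    if v.sector_targeted:
        score += 2.0
    if a.internet_facing:
        score *= 1.5
    score *= CRITICALITY_MULT[a.criticality]
    return round(score, 1)


def patch_queue(inventory):
    """Return every (asset, vulnerability) pair as a dict, highest priority first."""
    rows = [
        {"priority": priority(v, a), "asset": a.name, "cve": v.cve,
         "cvss": v.cvss, "exploited": v.exploited}
        for a in inventory for v in a.vulns
    ]
    return sorted(rows, key=lambda r: r["priority"], reverse=True)


if __name__ == "__main__":
    for row in patch_queue(INVENTORY):
        print(f"{row['priority']:5} {row['asset']:16} {row['cve']} cvss={row['cvss']} exploited={row['exploited']}")
```

Run on the constructed inventory, the CVSS 9.8 finding on the internal, low-criticality build runner lands at the bottom of the queue, below even a CVSS 5.4 issue on the internet-facing store, while the actively exploited, sector-targeted flaw on the VPN gateway goes first. That inversion of a pure CVSS ordering is the point of the use case; the actual weights are a policy decision for each programme.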
How do you recommend CISOs foster collaboration between their threat intel team and other parts of the organization like SOC, IR, GRC, and the board?
Collaboration starts with shared objectives. The threat intel team should be seen not as another security function, but as a strategic partner in risk reduction and decision support. CISOs can encourage cross-functional alignment by embedding CTI into security operations workflows, incident response playbooks, risk registers, and reporting frameworks.
Regular communication is key, both formal and informal. Weekly syncs between CTI and SOC or IR teams, joint tabletop exercises, and shared incident forensics can all build muscle memory for collaboration. At the governance level, tying threat trends to business impact, such as threats to critical assets or changes in regulatory exposure, helps translate intelligence into something meaningful for board-level audiences. An automated threat intelligence platform serving as a central hub can facilitate this cross-functional collaboration.