SANS CTI Survey 2026: From Indicators to Insights — How Practitioners and Executives Use Threat Intelligence
The 2026 SANS Cyber Threat Intelligence Survey, authored by Rebekah Brown and Andreas Sfakianakis, introduces a dedicated executive module for the first time, capturing CISO/CSO perspectives alongside practitioner data on how CTI programs are evolving to address supply chain threats, cloud targeting, and AI adoption.
Summary
The 2026 SANS Cyber Threat Intelligence (CTI) Survey, published May 15 and authored by Rebekah Brown and Andreas Sfakianakis, marks a significant evolution in the survey’s methodology by including a dedicated module for security executives for the first time. The module captures responses from 67 CISOs and CSOs alongside the practitioner-focused data that has historically formed the survey’s core. This dual perspective enables a comparison between how executives and practitioners perceive CTI program effectiveness, priorities, and challenges.
The survey’s framing reflects how the threat landscape has shifted in recent years. Supply chain compromises, targeting of cloud and SaaS environments, and the growing use of AI by both defenders and adversaries define the current operating environment for CTI programs. The report examines how CTI teams are adapting their collection, analysis, and dissemination processes to address these evolving threats.
The authors bring substantial operational credibility to the analysis. Rebekah Brown’s background includes service as a network warfare analyst at the NSA, Operations Chief of a U.S. Marine Corps cyber unit, and training lead at U.S. Cyber Command. Andreas Sfakianakis brings over 15 years of cybersecurity experience with specialization in cyber threat analysis and threat management program building. Their perspectives shape the survey’s emphasis on practical, operationalized intelligence rather than theoretical frameworks.
Why It Matters
The addition of an executive module addresses a persistent gap in CTI research: the misalignment between what intelligence teams produce and what decision-makers need. By capturing CISO and CSO perspectives directly, the survey provides a roadmap for CTI programs to better communicate threat intelligence in terms that drive executive action — resource allocation, risk acceptance decisions, and strategic prioritization.
Defender Takeaways
- Review your CTI program’s alignment between practitioner intelligence products and executive decision-making needs; the survey suggests persistent gaps in how intelligence is communicated upward.
- Evaluate how your CTI program covers supply chain threats — this is identified as one of the defining challenges for the current threat landscape.
- Assess cloud and SaaS intelligence coverage within your CTI program; attackers are increasingly targeting these environments, and intelligence gaps here create blind spots.
- Consider whether your CTI program is incorporating AI-related threat intelligence — both adversary use of AI and AI-powered defense capabilities.
- Benchmark your CTI program maturity against the survey findings to identify areas for investment in collection, analysis, and dissemination capabilities.
Source
Title: 2026 SANS Cyber Threat Intelligence (CTI) Survey Insights — Rebekah Brown, Andreas Sfakianakis, SANS
URL: https://www.sans.org/white-papers/2026-sans-cyber-threat-intelligence-survey-insights/
Related
- Threat Intelligence Fundamentals — detection and response for T1598 techniques
- Supply Chain Attack — detection and response for T1195 techniques
- Indicators: IoC, IoA, and TTP — covers the IoC, IoA, and TTP concepts
- Cloud Threats — detection and response for T1525, T1552, T1613 techniques
