ISACA’s new resource also provides guidance on selecting a threat intelligence program and developing a holistic, threat-led approach to improve operational impact
Schaumburg, IL, USA (25 November 2025) — Threat environments have become more complex, especially with the rise of generative AI and the rapid commercialization of the cybercrime ecosystem. Enterprises have also long struggled to realize meaningful value from traditional cyberthreat intelligence programs. However, there are steps that cybersecurity professionals can take to improve the effectiveness of their threat intelligence programs, as outlined in ISACA’s new white paper, Building a Threat-Led Cybersecurity Program with Cyberthreat Intelligence, which provides a practical blueprint for building or strengthening a modern threat intelligence program and moving to a holistic threat-led approach.
Whether practitioners are looking to craft the foundations of a mature program or refine their existing program, the ISACA white paper shares steps to develop a threat model, establish priority intelligence requirements and create alignment between intelligence outputs and enterprise risk management objectives.
How to Improve Operational Impact
When determining how to operationalize a threat intelligence program, organizations should consider their technology stack, tool selection, and opportunities for automation.
Whether an enterprise plans to purchase multiple platforms to reduce the chances of missing a critical event, or has a lower security budget and plans to purchase a single platform to optimize costs, organizations should do the following when selecting a threat intelligence platform:
- Capture intelligence requirements – Identify unmet technology needs to begin drafting the list of requirements. Share the list with a potential vendor early in the sales process to avoid wasting time on platforms that will not meet the requirements.
- Engage stakeholders – Confer with teams within security, fraud, or governance, risk, and compliance to identify technical requirements from other parts of the organization.
- Vendor Evaluation – Once potential vendors are identified, evaluate the vendor against technical requirements, how easy they are to work with, and how well they respond to requests.
- Deployment – Integrate the selected platform with the team and operational processes. Build automations, processes, and workflows to leverage specific features and maximize the value derived.
Automated approaches can build upon an already successful program to improve maturity and reduce the mean time to detection (MTTD) and mean time to response (MTTR). Integrating AI into a threat intelligence program demands a cross-functional operating model with clear decision rights and controls. The white paper suggests:
- Parsing of breached identities for prioritization: Apply automation to prioritize stealer logs that contain enterprise credentials, using rules-based detection that classifies each log by the relative risk of the domains and assets it references.
- Large Language Model-Enabled Initial Access Broker (IAB) Analysis: Identify IAB posts and assist in processing and analyzing massive amounts of unstructured text data from the dark web, hacker forums, and other sources.
- Breached Credential Verification and Remediation: Establish a relationship with a trusted threat intelligence provider to receive timely alerts when employee email addresses and credentials appear in criminal marketplaces or stealer logs.
- IoC Feeds for Threat Hunting: Curate high-fidelity feeds that enhance detection capabilities without overwhelming analysts with false positives.
“An effective threat intelligence program is the cornerstone of a cybersecurity governance program. To put this in place, companies must implement controls to proactively detect emerging threats, as well as have an incident handling process that prioritizes incidents automatically based on feeds from different sources. This needs to be able to correlate a massive amount of data and provide automatic responses to enhance proactive actions,” says Carlos Portuguez, Sr. Director BISO, Concentrix, and member of the ISACA Emerging Trends Working Group. “In order for companies to achieve this, though, they need to overcome challenges like data overload, integration with cybersecurity products, knowledge and experience limitations within their cybersecurity teams, lack of automation initiatives and slow adoption of best practices and security frameworks.”
