2025-08-04, Siena
IOCs produced in 2024: 1.2 trillion. Projected for 2025: 2 trillion. Our ongoing research is one of the most expansive and comprehensive analyses of accessible global threat intelligence data, covering more than 50 commercial providers over a period of more than two years. We will share insights about the CTI ecosystem, including the number of CTI producers and their specializations, the volume and rate of IOC production, and the intersections and overlaps between feeds and their threat context.
We will then examine how quickly intelligence providers keep up with vulnerability disclosures and with the attackers who exploit them. A temporal analysis of IOC coverage for CVEs published in 2023 and 2024 reveals the average delay between the time of disclosure and the time of attribution in intelligence, providing insight into how quickly attackers pivot existing infrastructure and TTPs to exploit new vulnerabilities, and when they stand up new infrastructure to scale those attempts. A surprising observation is the high accuracy of aged-out IOCs, long thought to be useless, in predicting coverage more than 90(!) days in advance.
We will conclude the session with thoughts on the underlying causes of this fragmentation in the CTI industry and how they may unintentionally be setting up defenders for failure.
In pursuing its business, Centripetal has become one of the largest commercial consumers of intelligence in the world. In the spirit of giving back to the community, our Labs research team conducts analysis of this data to provide valuable insights to publish in peer-reviewed academic journals and to share freely with trusted cybersecurity communities - no marketing fluff. This topic is one such endeavour.
The cybersecurity industry emphasizes that CTI is a pivotal component of every cyber defense strategy. CTI has grown into a $14B industry in which the vast majority of critical information about threats is held in closed-source, commercial offerings from over 300 providers worldwide. Marketing claims typically cite a uniqueness factor of up to 80%, with each provider touting the breadth, depth and speed of its intelligence as competitive advantages over its peers. However, we have yet to find any independent, comprehensive competitive analysis that validates or refutes those claims. The small number of peer-reviewed articles on the subject are dated and limited mostly to open source intelligence and a few commercial sources. More importantly, any validation of the uniqueness claim leads to an obvious conclusion that few seem to acknowledge: if every provider's data is largely unique, no single provider can offer complete, or even majority, coverage of known threats.
We will begin this session with an overview of the CTI ecosystem, including the estimated total number of commercial, open source and government/NGO providers, then dive into a comprehensive overlap analysis of threat indicator data that reveals the true overlap between feeds to be only 1-5%, depending on the fidelity at which indicators are compared. We will then look at the threat categories covered by each provider to show the specializations that explain the lack of duplication, as well as the roughly 16% of indicators whose context conflicts across providers and can lead to confusion in threat investigations.
We will then explore coverage graphs from a retrospective analysis of CVEs published in 2023 and 2024, which show a 6-12 day delay between publication and CTI attribution to those vulnerabilities. We will also walk through a historical prediction analysis of not-yet-published threats, which shows nearly 100% coverage of the attack infrastructure later used to exploit newly published CVEs 3-7 days or more in advance of publication. That coverage is still a respectable 55% more than 90 days in advance.
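The two measurements described above, feed overlap at different fidelities with conflict detection, and the publication-to-attribution delay with retrospective "prior coverage" at various lead times, can be computed in a few lines once feeds are reduced to (indicator, context, first-seen) records. The following is an added example written for this page, not Centripetal's analysis code, and it runs on small constructed feeds and attribution records rather than real provider data. The "coarse" fidelity level collapses IPv4 addresses to /24 and hostnames to their last two labels; that is an assumption made to keep the example self-contained, and a real analysis would use the Public Suffix List and whatever fidelity tiers the feeds themselves define.

```python
"""Feed overlap, context conflicts and CVE attribution timing.

Added example for this page; data below is constructed, not a real feed.
"""
import ipaddress
from datetime import date
from itertools import combinations
from statistics import mean

# Constructed sample feeds: provider -> {indicator: context label}
FEEDS = {
    "provider_a": {"203.0.113.10": "c2", "203.0.113.11": "scanner",
                   "198.51.100.7": "phishing", "bad.example.net": "phishing"},
    "provider_b": {"203.0.113.10": "c2", "203.0.113.200": "c2",
                   "198.51.100.7": "benign",          # conflicts with provider_a
                   "mail.bad.example.net": "c2"},
    "provider_c": {"192.0.2.50": "malware", "bad.example.net": "phishing",
                   "cdn.bad.example.net": "malware"},
}

def normalize(ioc, fidelity):
    """Key an indicator at 'exact' or 'coarse' fidelity (assumed tiers)."""
    if fidelity == "exact":
        return ioc
    try:
        ip = ipaddress.ip_address(ioc)
    except ValueError:                       # hostname: keep last two labels
        return ".".join(ioc.lower().rstrip(".").split(".")[-2:])
    prefix = 24 if ip.version == 4 else 64
    return str(ipaddress.ip_network(f"{ioc}/{prefix}", strict=False))

def keyed(feeds, fidelity):
    return {p: {normalize(i, fidelity) for i in f} for p, f in feeds.items()}

def pairwise_jaccard(feeds, fidelity):
    """Jaccard similarity of every provider pair at the given fidelity."""
    ks = keyed(feeds, fidelity)
    out = {}
    for a, b in combinations(sorted(ks), 2):
        union = ks[a] | ks[b]
        out[(a, b)] = len(ks[a] & ks[b]) / len(union) if union else 0.0
    return out

def global_overlap(feeds, fidelity):
    """Fraction of distinct keys that more than one provider reports."""
    counts = {}
    for keys in keyed(feeds, fidelity).values():
        for k in keys:
            counts[k] = counts.get(k, 0) + 1
    return sum(c > 1 for c in counts.values()) / len(counts) if counts else 0.0

def conflicts(feeds):
    """Exact indicators whose context differs between providers."""
    labels = {}
    for p, f in feeds.items():
        for ioc, ctx in f.items():
            labels.setdefault(ioc, {})[p] = ctx
    return {i: v for i, v in labels.items() if len(set(v.values())) > 1}

def conflict_rate(feeds):
    """Share of multi-provider indicators that carry conflicting context."""
    labels = {}
    for f in feeds.values():
        for ioc in f:
            labels[ioc] = labels.get(ioc, 0) + 1
    shared = sum(c > 1 for c in labels.values())
    return len(conflicts(feeds)) / shared if shared else 0.0

# Constructed CVE timing data: publication dates and attribution records of
# (cve, ioc, first seen in any feed under any context, attributed to cve on)
CVE_PUBLISHED = {"CVE-2024-0001": date(2024, 3, 1), "CVE-2024-0002": date(2024, 6, 15)}
ATTRIBUTIONS = [
    ("CVE-2024-0001", "203.0.113.10", date(2023, 11, 1), date(2024, 3, 9)),  # 121 days old
    ("CVE-2024-0001", "203.0.113.11", date(2024, 2, 25), date(2024, 3, 9)),  # 5 days before
    ("CVE-2024-0001", "198.51.100.7", date(2024, 3, 2), date(2024, 3, 12)),  # stood up after
    ("CVE-2024-0002", "192.0.2.50", date(2024, 1, 10), date(2024, 6, 21)),   # 157 days old
    ("CVE-2024-0002", "192.0.2.51", date(2024, 6, 10), date(2024, 6, 21)),   # 5 days before
    ("CVE-2024-0002", "192.0.2.52", date(2024, 6, 14), date(2024, 6, 25)),   # 1 day before
]

def attribution_delays(published, attributions):
    """Days from CVE publication to the first IOC attributed to it."""
    first = {}
    for cve, _, _, attributed in attributions:
        first[cve] = min(attributed, first.get(cve, attributed))
    return {cve: (first[cve] - published[cve]).days for cve in first}

def mean_delay(published, attributions):
    return mean(attribution_delays(published, attributions).values())

def prior_coverage(published, attributions, lead_days):
    """Share of later-attributed IOCs already in some feed >= lead_days before publication."""
    hits = [(published[c] - seen).days >= lead_days for c, _, seen, _ in attributions]
    return sum(hits) / len(hits) if hits else 0.0

def coverage_curve(published, attributions, leads=(0, 3, 7, 30, 90)):
    return {n: prior_coverage(published, attributions, n) for n in leads}

def expired_before_publication(published, attributions, retention_days):
    """IOCs a SOC with a fixed retention window would have aged out before the CVE was published."""
    return [i for c, i, seen, _ in attributions if (published[c] - seen).days > retention_days]
```

On the constructed data the exact-match overlap between provider_a and provider_b is 1/3 while the /24-and-registered-domain overlap is 1.0, which is the point about fidelity: the overlap figure is only meaningful alongside the matching rule that produced it. The coverage curve drops from 5/6 at a zero-day lead to 1/3 at 90 days, and the two indicators that carry that 90-day coverage are exactly the ones a 90-day retention policy would have discarded before the CVE was published.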
The impact of these observations and conclusions may be profound. The tried-and-true approach of leveraging a handful of high-quality open source, government and commercial intelligence sources in a sophisticated SOC may fail not because of poor operations but simply because of insufficient data. The overemphasis on confidence and depth in CTI may be contributing to delayed attribution and widening the window of opportunity for attackers, who can scale exploit attempts within hours of disclosure. Something must change, and that change can begin with knowing what you didn't know.
Dave is a technology leader and innovator with a distinguished track record in cybersecurity and healthcare informatics spanning three decades. He holds numerous patents in these fields, many of which have been successfully commercialized through groundbreaking startups. At his current endeavor, Centripetal, Dave focuses on new ways to leverage global intelligence and analytics to transform cybersecurity defenses, security operations and threat research. He has been honored to share his work in peer-reviewed articles, to support steering committees and workgroups, and to speak about learned insights at conferences.