As threat environments grow increasingly complex — accelerated by the rise of generative AI and the rapid commercialisation of cybercrime — organisations are discovering that traditional cyber threat intelligence programmes often fall short of delivering meaningful, actionable value. While data volumes continue to rise, translating that data into intelligence that drives effective decision-making remains a persistent challenge.
To bridge this gap, ISACA has released a new white paper, Building a Threat-Led Cybersecurity Programme with Cyberthreat Intelligence. The paper provides a practical, step-by-step blueprint to help organisations either establish or strengthen a modern threat intelligence programme and shift towards a more holistic, threat-led security strategy. Whether practitioners are laying the foundations of a new capability or looking to fine-tune a mature intelligence function, the guidance places strong emphasis on developing a sound threat model, defining priority intelligence requirements, and aligning intelligence outputs closely with broader enterprise risk management objectives.
A key theme of the paper is the importance of improving operational impact. When determining how to effectively operationalise a threat intelligence programme, organisations must carefully consider their existing technology stack, the tools they select, and the potential for automation. Some enterprises may choose to invest in multiple platforms to minimise blind spots and reduce the likelihood of missing critical threats, while others with more constrained budgets may opt for a single, highly optimised platform to manage costs and complexity. In both cases, success depends on four things: clearly identifying intelligence requirements from the outset; engaging stakeholders across departments such as security, fraud, and governance, risk and compliance; carefully evaluating vendors not only on technical capability but also on usability and responsiveness; and finally embedding the chosen platform into everyday operations through robust processes, workflows and automation.
Once the foundational elements of an intelligence programme are in place, automated and AI-enabled approaches can significantly enhance its maturity. These capabilities are particularly effective in reducing Mean Time to Detection (MTTD) and Mean Time to Response (MTTR), while enabling teams to deal with the sheer scale of today’s threat landscape. However, integrating AI into a threat intelligence programme is not purely a technical exercise. It requires a cross-functional operating model, well-defined decision rights and appropriate controls to ensure that automated processes remain aligned with business objectives and risk tolerance.
ISACA identifies several powerful ways in which AI can be applied to elevate threat intelligence efforts. Automated parsing of breached identities, for instance, allows organisations to prioritise large volumes of ‘stealer logs’ that contain corporate credentials. By using rules-based logic, each log can be classified according to the relative risk posed to specific domains and assets, enabling security teams to focus immediately on the most critical exposures. Large Language Models can also support the analysis of Initial Access Broker (IAB) activity by identifying and processing unstructured data from dark web marketplaces, hacker forums and other underground sources. This dramatically accelerates the ability to detect early-stage access threats that often precede major security incidents.
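The rules-based classification of stealer logs described above can be sketched as follows. This is an added example, not code from the ISACA paper; the record fields, domain and asset inventory, weights and tier thresholds are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlsplit

# Assumed inventory (constructed): corporate domains and per-host criticality weights.
CORPORATE_DOMAINS = {"example.com"}
ASSET_WEIGHT = {"vpn.example.com": 50, "sso.example.com": 50, "wiki.example.com": 10}

@dataclass(frozen=True)
class StealerRecord:
    url: str                      # site the credential was saved for
    username: str                 # login name; the password itself is never needed for triage
    captured: date                # when the infostealer harvested it
    has_session_cookie: bool = False

def host_of(url: str) -> str:
    # Logs often omit the scheme; "//" makes urlsplit treat the value as a network location.
    return (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()

def is_corporate(name: str) -> bool:
    # Exact or true-subdomain match only, so "example.com.evil.test" does not match.
    return any(name == d or name.endswith("." + d) for d in CORPORATE_DOMAINS)

def score(rec: StealerRecord, today: date) -> int:
    host = host_of(rec.url)
    points = ASSET_WEIGHT.get(host, 10 if is_corporate(host) else 0)
    if is_corporate(rec.username.rpartition("@")[2].lower()):
        points += 20              # corporate identity, possibly reused on third-party sites
    if points == 0:
        return 0                  # no corporate exposure: modifiers below do not apply
    age_days = (today - rec.captured).days
    points += 20 if age_days <= 30 else 10 if age_days <= 180 else 0
    return points + (10 if rec.has_session_cookie else 0)

def tier(points: int) -> str:
    return "critical" if points >= 80 else "high" if points >= 50 else "medium" if points >= 20 else "low"

def triage(records, today):
    """Return (tier, points, record) tuples, highest risk first."""
    ranked = sorted(records, key=lambda r: score(r, today), reverse=True)
    return [(tier(score(r, today)), score(r, today), r) for r in ranked]

SAMPLE = [  # constructed records, not real data
    StealerRecord("wiki.example.com/login", "bob@example.com", date(2023, 1, 10)),
    StealerRecord("https://vpn.example.com/", "alice@example.com", date(2024, 5, 20), True),
    StealerRecord("https://shop.example.net/account", "carol@example.com", date(2024, 3, 1)),
    StealerRecord("https://forum.example.org/", "dave@example.org", date(2024, 5, 30)),
]
```

Calling `triage(SAMPLE, date(2024, 6, 1))` puts the recent VPN credential with a live session cookie first, ahead of the stale wiki login and the corporate address reused on a third-party site.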
In addition, organisations can strengthen their defences by establishing relationships with trusted threat intelligence providers who can deliver timely alerts when employee credentials or corporate email addresses appear in criminal marketplaces. This enables faster verification, remediation and containment before such credentials can be weaponised. Curated, high-fidelity Indicators of Compromise (IoC) feeds further enhance proactive threat hunting, improving detection accuracy while preventing analysts from becoming overwhelmed by low-quality or false-positive data.
According to Carlos Portuguez, Senior Director BISO at Concentrix and a member of the ISACA Emerging Trends Working Group, an effective threat intelligence programme must be seen as a foundational element of any strong cybersecurity governance framework.
“An effective threat intelligence programme is the cornerstone of a cybersecurity governance programme. To put this in place, companies must implement controls to proactively detect emerging threats, as well as have an incident handling process that automatically prioritises incidents based on feeds from multiple sources. This needs to correlate a massive amount of data and provide automatic responses to strengthen proactive action,” he explains. “In order to achieve this, organisations must first overcome challenges such as data overload, integration with existing cybersecurity products, knowledge and experience gaps within their teams, lack of automation initiatives, and the slow adoption of best practices and security frameworks.”
Ultimately, ISACA’s message is clear: intelligence is only as valuable as the action it enables. By embracing an AI-powered, threat-led approach, organisations can move beyond reactive defence and towards a more predictive, resilient and strategically aligned cybersecurity posture — one capable of keeping pace with the evolving tactics of an increasingly sophisticated adversary.






