91% of CISOs Value Cyber Threat Intelligence. Only 26% Say It Drives Their Decisions. New SANS Institute Report Reveals the Gap Between Recognition and Influence.

GlobeNewswire | SANS Institute
Today at 3:12pm UTC

Bethesda, MD, May 19, 2026 (GLOBE NEWSWIRE) -- SANS Institute released its 2026 Cyber Threat Intelligence (CTI) Survey Insights report, authored by Rebekah Brown, Senior Researcher and Certified Instructor Candidate, and Andreas Sfakianakis, Certified Instructor, both of whom teach FOR578: Cyber Threat Intelligence. The report draws on responses from 401 qualified cybersecurity professionals globally, collected between November 2025 and January 2026, with a dedicated module capturing responses from 67 CISOs and CSOs. 

The new CISO module gives practitioners and security leaders direct visibility into how the other side experiences CTI. For executives, it offers a look at how peers prioritize and consume intelligence. For practitioners, it provides an unfiltered view of what those executives reported when asked what intelligence they rely on and what would make CTI more central to their decisions. 

"This year we have direct data from both sides of the conversation. CTI programs have spent years proving their value. The 2026 data shows the next challenge is converting that recognition into decisions, budgets, and action," said Rebekah Brown, Senior Researcher at SANS Institute and co-author of the report. 

The survey data is specific about what executives want. Security executives' top priorities for the next 12 months are information about vulnerabilities being actively targeted by attackers (79%) and specific adversary TTPs (77%). Business-focused intelligence ranks last among report types at 41%, a number the report attributes to a production gap rather than lack of demand. 

Delivering on that is complicated by how CTI programs are resourced. Most formal CTI teams remain under four full-time employees, even as the list of use cases they are expected to support expands. Lack of time to implement new processes and lack of funding are the top barriers to effective CTI implementation, each cited by 44% of respondents. 57% of programs do not track maturity over time, and 49% do not gather systematic feedback on effectiveness. Programs that cannot demonstrate improvement cannot defend their budgets with data. 

The structural picture extends beyond headcount. 45% of organizations are using AI in CTI programs today, primarily for data summarization and report writing, with the human-in-the-loop model holding firm. 55% of organizations lack legally reviewed CTI sharing processes, even as NIS2 and the Cyber Resilience Act impose new obligations in 2026. The report characterizes that shortfall as a structural risk, not an administrative oversight. Security operations (71%) has reclaimed the top CTI use case it last held in 2022, overtaking threat hunting, a signal that intelligence is being embedded into daily defensive workflows. 

Brown and Sfakianakis will present the full findings on Thursday, May 21, 2026, from 9:00 AM to 12:00 PM ET. The session qualifies for 3 CPE credits, and attendees may join live or access the recording. 

Register for the 2026 SANS CTI Survey Insights webcast and download the full report at https://go.sans.org/cti-survey-webcast 

The survey was supported by sponsors Broadcom, ESET, Flare, Intel 471, SOCRadar, ThreatConnect (now part of Dataminr), and Wiz. 


Jenn Elston
SANS Institute
301-654-7267
jelston@sans.org