2026 SANS CTI Survey Report: Key Findings on CTI’s Influence Gap
Cyber threat intelligence (CTI) has arrived. It’s embedded in security programs, staffed by dedicated teams, supported by AI, and recognized at the executive level as essential. That’s the good news from the 2026 SANS Cyber Threat Intelligence (CTI) Survey, sponsored by SOCRadar.
The harder news: recognition hasn’t translated into influence. For the first time, this year’s survey included a dedicated module for security executives, capturing responses from 67 CISOs and CSOs alongside 401 practitioners. The result is the clearest picture yet of a discipline that has outgrown the structures built around it.
The Headline: CTI Is Valued, But Not Yet Influential
The defining number in this year’s survey: 91% of CISOs rate CTI as valuable or extremely valuable to their organization’s cybersecurity strategy. Only 26% say it significantly influences their decisions.
That gap isn’t about credibility. CISOs aren’t questioning whether CTI is accurate; they’re questioning whether it tells them what to do next. Describing a threat well isn’t the same as telling an executive what to do about it, and until CTI products answer the questions that drive decisions (which risks require action now, what to tell the board, where to spend), the gap persists.

Figures C1 and C2, 2026 SANS CTI Survey Insights
What CISOs actually want reinforces this. Their top priorities for the next 12 months are vulnerabilities being actively exploited (79%) and specific adversary TTPs (77%), not broader strategic reporting. They’re not asking for more intelligence. They’re asking for intelligence that’s decision-ready. Threat landscape reports (89%) and incident after-action reports (78%) are their most valued formats, while quarterly strategic reports (49%) and business-focused reports (41%) rank lowest, likely because most CTI teams aren’t producing the latter at scale rather than because executives don’t want them.
Small Teams, Expanding Scope
The structural story hasn’t changed much in years, but the stakes have gotten higher. Most organizations (56%) now report a formal dedicated CTI team, the highest rate in the survey’s history. Yet most of those teams remain under four full-time employees, even as CTI is asked to support an expanding list of use cases: security operations, incident response, threat hunting, vulnerability management, security awareness, adversary emulation, risk management, physical security, and executive decision-making.
CTI has been adopted faster than it’s been funded. Small teams end up in triage mode rather than strategy mode, reacting to the loudest immediate demand instead of shaping organizational posture.

Figure 1, 2026 SANS CTI Survey Insights
Security operations reclaimed the top CTI use case in 2026 at 71%, overtaking threat hunting for the first time since 2022. That’s a sign of maturity: hunting insights are being codified into detection rules and playbooks. But it’s also a risk. When CTI becomes captured by daily operations, the capacity for longer-horizon, decision-influencing work shrinks, and the case for more resources gets harder to make.
AI Has Moved from Pilot to Production
Nearly half of organizations (45%) are now using AI in their CTI programs, with another 32% planning to. The leading use cases are data summarization and report writing (56%), data parsing and normalization (46%), and workflow automation (45%), the high-volume, low-insight work that was eating into analyst time.
Importantly, the human-in-the-loop model is holding. Write-in responses consistently stressed that analyst oversight remains essential for high-stakes calls. AI is freeing up time for analytic judgment, not replacing it.
Governance Is the Quiet Risk
More than half of organizations (55%) don’t have CTI sharing processes formally reviewed by legal counsel, even as 50% say regulations are very important to their intelligence requirements. With NIS2 and the Cyber Resilience Act imposing new reporting obligations, that gap between regulatory awareness and legal readiness is a structural risk, not an administrative oversight. Teams facing legal uncertainty tend to share less, which undermines the entire premise of collaborative threat intelligence.
The Barriers Are Structural, Not Skill-Based
Lack of time to implement new processes and lack of funding (both 44%) are the top barriers to effective CTI, well ahead of technical or analytic skill gaps. The field has made real progress developing talent. The bottleneck now is organizational: no defined product portfolio (only 34% report having one), inconsistent feedback loops (51% gather feedback, down slightly from 2025), and limited maturity tracking (57% track it, meaning 43% don’t).
Analysts are also feeling it. Organizational silos and poor cross-team collaboration (40%) and burnout (38%) top the list of challenges limiting analyst effectiveness, ahead of compensation or inadequate DEI investment, both of which have fallen relative to prior years.
Closing the Gap
The survey’s five recommendations point in the same direction: stop designing for the team you wish you had, and start building measurement, portfolio discipline, and legal clarity into the team you actually have. The most important shift, though, is the last one: position CTI as a decision support function. Find out what decisions your stakeholders are actually making each month and quarter, then check whether your current intelligence products inform any of them. If the answer is no, that’s where the influence gap starts to close.
None of this points to a headcount problem. It points to a design problem: small teams doing the work of much larger ones, without the portfolio boundaries, measurement, or tooling consolidation that would make that scale sustainable. Teams that close the influence gap this year will be the ones that treat those constraints as a planning input rather than a temporary state.
SOCRadar’s Response to Critical Operational Challenges
The survey’s sponsor product briefing puts a finer point on the same pattern SOCRadar sees across its own customer base: 90% of surveyed organizations now have dedicated CTI resources, but 60% run those teams with four or fewer FTEs. SOCRadar Extended Threat Intelligence (XTI) is built for that reality, bringing CTI, Attack Surface Management, Dark Web Monitoring, Brand Protection, and Supply Chain Intelligence into one modular platform so small teams aren’t context-switching across five tools to get one picture. The SOCRadar MCP Server connects industry-standard LLMs directly to the platform, embedding automated queries, real-time enrichment, and AI-driven triage into existing workflows, with analysts still accountable for the final call.
Want the complete data set, all 15 figures, and the full set of CISO findings? Download the full 2026 SANS CTI Survey Insights report.
