
Two critical challenges facing CTI teams and how to overcome them: Intel 471’s additional insights into the SANS 2025 CTI Survey

Jun 09, 2025

The SANS Institute has released its SANS 2025 CTI Survey report, an influential pulse-check of cyber threat intelligence (CTI) trends, challenges, and use cases. On May 21, 2025, Ashley Jess, a Senior Intelligence Analyst at Intel 471, joined the SANS 2025 CTI Survey Webcast as a featured panelist to share her insights on critical issues facing CTI teams today.

Below we share the advice that Jess, one of the top “Women to Watch” in cybersecurity, relayed on two of the critical challenges CTI teams currently face: the necessity of geopolitical intelligence in CTI programs to combat convergence of cyber and geopolitical threats, and how CTI programs can overcome challenges in measuring and demonstrating their value.

Issue #1: Geopolitical intelligence is no longer optional

Geopolitical events are increasingly influencing the cyber threat landscape in profound ways. There’s a clear intersection between global politics and cyber operations. State-sponsored actors, hacktivists, and financially motivated threat groups increasingly leverage cyber capabilities, not just for traditional cybercrime, but also for political, economic, and strategic objectives.

All too recently, many organizations viewed the geopolitical landscape as having little bearing on direct cyber threats and risks to their own organization. But as Jess states, it’s “critical for CTI teams to understand the relationship between these events in order to assess and mitigate emerging threats.”

The increasing convergence of geopolitics and cybercrime means that organizations can no longer solely rely on monitoring conventional threat indicators to proactively protect their assets. They must also look to the collection and application of geopolitical intelligence, which offers a deeper, more nuanced understanding of the cyber threat landscape.

“With the increasing convergence of politics and cybercrime, you can't just focus on technical indicators of compromise or attack vectors to make the most accurate and comprehensive assessment anymore,” says Jess. 

“You need a nuanced understanding of international relations. It's one thing to understand this geopolitical event is happening, and that hacktivists will then target a specific sector in this region. It's a lot more nuanced than that and it’s still lacking in some CTI programs.” 

A new framework for cyber geopolitical intelligence provides the context needed to analyze the tactics, techniques, and procedures (TTPs) of threat actors. It lets analysts trace connections between political events, regional conflicts, and economic instability on one side, and threat actor methods, timing, and targeting on the other. By linking cyber activity to this broader global context, cyber geopolitical intelligence improves a CTI team’s ability to identify, predict, and respond to emerging threats.

Solution: Integrating geopolitical intelligence into a CTI program isn’t as daunting as it may seem 

As cyber geopolitical intelligence becomes a necessity, it must be properly integrated into CTI programs.

“It's not cost prohibitive to start integrating geopolitical intelligence, but I do think it requires a comprehensive approach,” says Jess. “From a practical standpoint, maybe you don't need a dedicated, embedded analyst, but it does mean incorporating geopolitical context into your regular threat intelligence reporting.”

As she points out, organizations have many sources of geopolitical information and intelligence. Where one organization may use a vendor, another may establish a dedicated in-house team. Embracing open-source reporting is also a cost-effective way for developing teams to begin familiarizing themselves with geopolitical data as they mature. “I think it just depends on the size of your organization and the resources that you have. Budgets are not infinite. For us, we really looked at our intelligence requirements and addressed those by having collection plans, and addressing it like you would any other aspect of your intelligence requirements.”

Issue #2: CTI teams continue to struggle to measure and demonstrate their value to stakeholders

The SANS 2025 CTI Survey found that only 55% of respondents measured the effectiveness of their CTI program, compared to 44.5% who did not, or did not know whether their organization measured CTI effectiveness. For those on the CTI side, it can be very difficult to prove how effective their program is, and therefore to prove their value. Their work is aimed at preventing cyberattacks and, as Jess reminds us, “it’s really hard to quantify a negative. How do you quantify something that didn’t happen?”

This is where feedback becomes fundamental to assessing the progress of a CTI program. Feedback serves “not just as a tool for tracking your team's progress,” says Ashley, “but as more of a foundational element for long-term planning and refinement of your program,” as well as a strategy for articulating value to stakeholders.

Solution: Use structured frameworks to guide both intelligence efforts and the maturity of CTI programs

Organizations can approach this by adopting a framework that allows teams to measure and guide their growth. Intel 471 created the Cyber Underground General Intelligence Requirements Handbook (CU-GIRH), a guide to an open-source framework we developed to help organizations systematically define and prioritize intelligence requirements in relation to the cybercriminal underground. Using the CU-GIRH, organizations can ensure their intelligence efforts align directly with operational goals. Importantly, it also provides well-defined metrics to demonstrate value.

Organizations should also focus on how they assess and advance the maturity of their cyber threat intelligence program. Jess reassures us that “achieving meaningful progress in your CTI maturity can seem daunting, but it is really attainable with a systematic approach using open source tools like the CTI-CMM.” The CTI-CMM is the community-driven CTI Capability Maturity Model, which was highlighted in the survey.

“As the landscape continues to evolve, you need that structured, proactive, and – most importantly for return on investment – quantifiable cyber threat intelligence.” 

The CTI-CMM provides a framework for teams to assess their current maturity levels. The framework covers key domains ranging from data collection and analysis to stakeholder engagement and decision making. By evaluating against a set of defined capabilities, organizations can continuously benchmark their own CTI programs. And because this progress is quantifiable, it gives stakeholders the clear data needed to secure future investment in a CTI program and a defined roadmap to advance towards more sophisticated, proactive practices. 

Elevating the role of CTI in today’s threat landscape

Ashley’s insights underscore the evolving pressures placed on today’s CTI teams. But by including cyber geopolitical intelligence and articulating the strategic value of CTI programs, teams can ensure a proactive approach to protecting organizations from cyber threats, and future-proofing their CTI program against the rapidly evolving cybercrime landscape. 

To hear Ashley Jess in action and gather further insights on the SANS Survey from other CTI professionals, watch the full webcast.

You can also learn more about Intel 471’s insights from the SANS CTI Survey by reading our Executive Overview. It breaks down what the senior business executives influencing CTI priorities need to know. 
