{“lastseen”:”2025-09-10T16:51:10″,”description”:”* The Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) helps organizations assess and improve their threat intelligence programs by outlining 11 key areas and specific missions where CTI can support decision-making.\\n * The model describes four levels of maturity, guiding teams from basic, ad hoc activities to highly strategic and refined practices through a cycle of continuous improvement.\\n * CTI-CMM builds on earlier capability models and research, offering a practical framework for organizations to benchmark and evolve their CTI efforts.\\n\\n\\n\\n* * *\\n\\n## Overview\\n\\n\\n\\nThe familiar idiom \\”walk before you run\\” summarizes a fundamental truth about skill acquisition: you must master certain foundational capabilities before you can successfully execute more complex activities. This principle applies universally, from learning a new sport to developing highly specialized technical skills. Any area will have foundational skills, activities that anyone competent in the domain can perform, and characteristics that show that an individual (or team) has reached the highest levels of mastery.\\n\\nCapability maturity models (CMMs) outline the hierarchy of skills and activities that may be required within a particular area. The capabilities and characteristics are listed for teams of different levels of maturity operating within a domain. These descriptions can be used to evaluate the current level of a team or to identify the capabilities that must be acquired in order to improve.\\n\\nDespite its importance, the exact function of cyber threat intelligence (CTI) can vary widely across organizations. The community-developed _Cyber Threat Intelligence Capability Maturity Model_ (CTI-CMM) shows how threat intelligence can help an organization and the various levels of capability that cyber threat intelligence teams can achieve.\\n\\n## Details\\n\\nThe CTI-CMM lists 11 domains where CTI can greatly improve decision-making, and also details specific \\”missions\\” CTI can carry out to strengthen each domain.\\n\\nDomain | Abridged Description | Example CTI Mission \\n—|—|— \\nAsset, Change and Configuration Management | Manage the organization’s IT and OT assets. | Rapidly detect at-risk assets. \\nThreat and Vulnerability Management | Detect, identify, analyze, manage, and respond to cybersecurity threats and vulnerabilities. | Reduce risk against new and emerging adversaries, malware, vulnerabilities, and exploits. \\nRisk Management | Identify, analyze and respond to cyber risk the organization is subject to. | Improve risk decisions. \\nIdentity and Access Management | Manage identities for entities that may be granted logical or physical access to the organization’s assets. | Reduce incident detection times, accelerate remediation. \\nSituational Awareness | Establish situational awareness for operational state and cybersecurity state. | Drive threat-informed decision-making based on the current and forecast threat landscape. \\nEvent and Incident Response, Continuity of Operations | Respond to, and recover from cybersecurity events and incidents. | Create an intelligence advantage for incident responders and strengthen the security posture. \\nThird-Party Risk Management | Manage the cyber risks arising from suppliers and other third parties | Monitor, detect, assess and mitigate potential incidents posed by third-party vendors and suppliers. \\nFraud and Abuse Management | Shield organizations from malicious digital scams and attacks. | Share threats and findings with relevant stakeholders. \\nWorkforce Management | Create a culture of cybersecurity and security competence. | Support hardening of the human element. \\nCybersecurity Architecture | Maintain the structure and behavior of the organization’s cybersecurity architecture. | Provide insights into cyber threats that may target the organization. \\nCybersecurity Program Management | Provides governance, strategic planning and sponsorship for the organization’s cybersecurity activities. | Deliver tailored intelligence inputs to inform cybersecurity decision-making. \\n \\n \\nThe missions span a wide spectrum, from proactively monitoring an organization’s attack surface in support of asset management to providing crucial situational awareness of the evolving threat landscape and its direct relevance to organizational activities.\\n\\nThe CTI-CMM also defines distinct levels of maturity for threat intelligence activities, providing a clear progression path:\\n\\nLevel | Characteristics \\n—|— \\nCTI0 (Pre-Foundational) | A placeholder for practices that are not executed. \\nCTI1 (Foundational) | Many threat intelligence activities begin here, characterized by basic, ad hoc and unplanned efforts focused on short-term, reactive results. \\nCTI2 (Advanced) | As an activity matures, it becomes planned, with documented procedures and metrics demonstrating its support for stakeholders. The focus shifts towards proactive and predictive intelligence, delivering short- and intermediate-term results. \\nCTI3 (Leading) | At the highest level, activities are highly refined, focusing on delivering long-term strategic outcomes for the business. This level integrates prescriptive intelligence and recommendations, combined with continuous improvement practices, making practices measurable and aligned directly to business objectives. \\n \\n \\nThe framework espouses an improvement process analogous to the \\”plan, do, check, act\\” management model. In this case, the steps within a cycle of improvement are \\”prepare, assess, plan, deploy, measure.\\” With each rotation through the cycle, the capabilities of the threat intelligence program are incrementally improved, growing the maturity of the program.\\n\\n\\n\\n## History of CTI-CMM\\n\\nThis approach to improving capabilities and benchmarking against defined standards is not new. CMMs originated in the mid-1980s, driven by the U.S. Department of Defense’s desire to compare and evaluate software contractors. Largely thanks to the efforts of the _Software Engineering Institute_ (SEI) at Carnegie Mellon University, CMMs evolved into the widely-applied _Capability Maturity Model Integration_ (CMMI).\\n\\nThe CTI-CMM adopts domains from the Cybersecurity Capability Maturity Model (C2M2), developed by the U.S. energy industry and first published in 2012. While the C2M2 acknowledged the importance of threat intelligence as a concept within overall cybersecurity posture, it did not specifically address the maturity of a dedicated threat intelligence program. However, the very first paper describing a maturity model for threat intelligence was published in the same year by the industry vendor Verisign. Thus, the origins of the CTI-CMM can be traced back to these two initiatives of the early 2010s.\\n\\n## Closing\\n\\nIt’s crucial for organizations to understand that aspiring to the highest level of CTI maturity is not always a practical goal. The intelligence program should focus on meeting the real needs of its users and stakeholders rather than seeking to hit a high score on an industry framework. An intelligence team with more resources may produce \\”better\\” intelligence and be more responsive. However, in a world of finite resources, those additional resources may be better spent in delivering \\”good enough\\” intelligence to teams that can use it well, rather than delivering the best intelligence to teams without the capacity or resources to effectively utilize the information.\\n\\nUltimately, the Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) provides an invaluable resource for organizations to assess and evolve their CTI capabilities. As threat intelligence solidifies its role as an indispensable component of cybersecurity strategy, maturity models tools will become not only the drivers for internal organizational growth but also key instruments for external entities to benchmark and compare organizations’ overall cybersecurity maturity.”,”published”:”2025-09-10T14:01:28″,”modified”:”2025-09-10T14:01:28″,”type”:”talosblog”,”title”:”Maturing the cyber threat intelligence program”,”source”:””,”references”:””,”id”:”TALOSBLOG:C556D9A4B8E088DF3CE03291DEE0A7CC”,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/blog.talosintelligence.com\/maturing-the-cyber-threat-intelligence-program\/”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-09-10T16:51:10″,”description”:”* The Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) helps organizations assess and improve their threat intelligence programs by outlining 11 key areas and specific…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,7,69,11,5],"class_list":["post-17004","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-security","tag-talosblog","tag-tapic","tag-vulnerability"],"yoast_head":"\n