Cyber Insights 2025: Cyber Threat Intelligence


SecurityWeek’s Cyber Insights 2025 examines expert opinions on the expected evolution of more than a dozen areas of cybersecurity interest over the next 12 months. We spoke to hundreds of individual experts to gain their expert opinions. Here we discuss what to expect with Cyber Threat Intelligence (CTI).

CTI is valuable and beneficial to cybersecurity, but only if it is complete, accurate, and actionable.

Cyber threat intelligence is cybersecurity’s early warning. It seeks to understand the source and nature of attacks, the adversaries and their targets, the presence of existing attacks, and the likelihood of imminent attacks. Being forewarned allows defenders to be forearmed.

“You cannot overstate the importance of cyber threat intelligence (CTI) as part of a comprehensive security program,” says Pascal Geenens, director of threat intelligence at Radware. “Threat intelligence is crucial in helping organizations gather insights on the threats they are facing and assess the risks so they can prioritize resources and budget to ensure adequate protections.”

“CTI will become more critical as organizations pivot from reactive to proactive cybersecurity strategies,” says Callie Guenther, senior manager of cyber threat research at Critical Start.

“Current cybersecurity strategies are unsustainable for reasons other than the sheer futility of investing endlessly to raise higher ramparts. Simply building higher walls isn’t working,” says Morten Mjels, CEO at Green Raven Limited. “Better threat intelligence, so our practitioners don’t feel like they’re working blindfolded, will be a clear improvement that is already achievable.”

Guenther adds, “Since threats evolve faster than traditional defenses can adapt, CTI will play a vital role in enabling near-real-time situational awareness and informed decision-making.”

Cyber threats are evolving. Everything is getting faster, the attackers are more sophisticated, new threats emerge, and the attack surface grows (see also Cyber Insights 2025: Attack Surface Management). CTI can help defenders get and stay one jump ahead of the attackers, but it must evolve in step: it has to cover the new threats and deliver intelligence faster, more efficiently, and in actionable form, so that defenders can prepare for and prevent attacks rather than simply respond to them.


This is what we’re looking at: how CTI might or should evolve in 2025.

As the use of technology grows and expands, so too do the areas that benefit from increased threat intelligence. Guenther cites the increasing importance of operational technology (see also Cyber Insights 2025: OT Security). “With the growing prevalence of IoT, OT, and 5G networks, organizations need CTI to extend beyond traditional IT environments to protect these emerging domains,” she says. “This expansion will add complexity to CTI, requiring more granular insights and specific intelligence data.”

Chris Risley, CEO at Bastille, is concerned about the growing use of wireless communication, and the lack of relevant threat intelligence. “Fewer people are pulling copper wires these days. That means more and more of an organization’s communications are leveraging wireless,” he notes. “Bad actors know this and are developing attacks to exploit wireless vulnerabilities. In the last 10 years, more than 2000 Critical Vulnerabilities have been reported, and bad actors read these CVEs as a recipe book for creating data exfiltration attacks.”

Chris Risley, CEO at Bastille

Everything that uses wireless communication, from Wi-Fi and 5G networks to Bluetooth and GPS-enabled devices, is vulnerable to wireless attacks. With a broader attack surface for bad actors, organizations need more robust wireless airspace defense tools to protect their businesses comprehensively in 2025.

“Radio Frequency must be at the top of everyone’s list for new data sources for threat intelligence,” he continues. The Consumer Financial Protection Bureau recently instructed employees to avoid using personal or government-supplied cell phones to conduct government business following the recent spate of China’s telecom hacks. “The CFPB is worried that any cell phones that touched the hacked telecoms may now be compromised themselves. If a channel is potentially compromised, the entire device could be as well, and there’s a strong chance that you won’t know if it is.”

CTI aggregators have not historically included wireless threat intelligence. “With the growing sophistication of phone and cellular hacking – as revealed by the WhatsApp lawsuit against NSO – any wireless device can become a surveillance device. Feeding radio frequency data and wireless threat intelligence into the organization’s existing security systems must be a high priority for everyone.”

It’s not just the threat target domains that change – the threat intelligence source domains are also fluid. “Everyone talks about the dark web,” says Mjels. “The truth is that most information discussed and sold there has already been discussed on Telegram before someone decides to try to sell it on the dark web. People need to wise up and realize that they need to be looking for threats everywhere and anywhere that people discuss hacking and the means of hacking.”

Geenens expands on the Telegram issue. “The trust in underground markets has been negatively impacted by more frequent exit scams. As a result, in the last few years, we have seen a good amount of threat actors gravitate towards Telegram. Threat actors can leverage Telegram to provide services through Telegram bots, transact encrypted currencies as well as gather attention and followers by posting on public channels.”

The attraction of Telegram has been its privacy policy. Platform owners have neither disclosed information to, nor cooperated with, law enforcement – making it the platform of choice for bad actors of all kinds. This might change in 2025, following the arrest of Pavel Durov, CEO of Telegram, by the French authorities. Since then, the Telegram terms of service have been updated to include sharing IP addresses and phone numbers with law enforcement when accounts are involved in criminal activities. Several European countries have started banning Palestinian hacktivist channels because they violate local laws, making this content inaccessible in most of the EU.

Pascal Geenens, director of threat intelligence at Radware

“These recent policy changes in and around Telegram will result in crime groups and malicious actors migrating to other platforms in 2025,” suggests Geenens. “Where they will go is still unclear, but as authorities and nations clamp down on the content and activities the platform used to allow, users will flee. As migration happens, threat intel sources will have to be updated to follow the bad guys.”

The CTI industry will be complicated in 2025 because of the continually expanding attack surface and the ongoing fluid nature of potential intelligence sources. Just consider generative artificial intelligence. We don’t fully understand where it is going nor how it will be used. We do know however, that it creates both an attack surface that will require CTI, and a tool that will assist in the collection and analysis of CTI.

CTI is only useful if it is accurate. If it is inaccurate, it is of no use. If it has been made inaccurate deliberately, in a way the adversary controls, and is still acted upon, it could be dangerous. This brings us back to gen-AI. One of the known attacks against gen-AI is data poisoning. If attackers can insert bad data into the AI’s training pool, the AI is likely to provide bad information to its users. Is the same principle likely to be used against CTI? If bad actors can poison the intelligence gathered, will that weaken the value of CTI to defenders?

“Absolutely,” says Rodman Ramezanian, global cloud threat lead at Skyhigh Security, “it’s a very valid concern. In the same way threat actors manipulate and poison LLMs and AI platforms still learning and maturing from data sets, threat intelligence would undoubtedly be in their crosshairs as they look to deceive organizations trying to defend themselves.” He believes it is easy to see how adversaries could generate convincing fake intelligence indicators and mimic legitimate sources, resulting in security teams misinterpreting threats, focusing on the wrong issues, and making poor decisions.

“Adversaries are already experimenting with ways to manipulate CTI, and this will likely escalate in 2025,” says Guenther. “AI-generated content, such as fake alerts, false malware indicators, or fabricated attack campaigns, could be inserted into CTI feeds to mislead defenders. Nation-state actors could exploit this as a means of cyber deception, sowing confusion among target organizations or intelligence-sharing groups.”

Gen-AI could be used to create sophisticated deepfakes and misleading indicators that appear legitimate to automated systems and human analysts alike. “These attacks may target threat-sharing platforms, leading to compromised intelligence that diverts resources or erodes trust in community-shared intelligence,” she adds.

“It is now trivial to produce large quantities of misinformation and to sprinkle it around the Internet to make it more difficult to find the real and credible information. It is also conceivable that malicious actors could try to use generative AI to skew threat intelligence at the point of collection, in an attempt to manipulate the conclusions drawn by automated models,” agrees Daniel Schwalbe, CISO at DomainTools.

“In 2025, adversaries will use AI to create fake threat intelligence at scale, portending the beginning of the end of trusting a threat intel feed simply because it looks legitimate,” says Rich Buractaon, director of AI at Andesite. “We’ll see more ‘poisoning the well’ with nefarious organizations creating fake personas – complete with blogs, research papers, and a social media presence – to push subtly poisoned data into security feeds. These AI-generated ‘insights’ then become training data for the next generation of models, collapsing intelligence quality as models train on bad synthetic data, creating an infinite loop of deteriorating signal-to-noise ratio.”

Concern that adversaries will attack the trust foundation of CTI in 2025 is strong – but not universal. “Adversaries are unlikely to attempt to manipulate or ‘poison’ threat intelligence data in the near term (2025),” says Vivek Ponnada, technology solutions director at Nozomi Networks. “This type of sophisticated manipulation is a longer-term strategy typically associated with state-sponsored APT groups and is less likely to be profitable for ransomware actors focused on more immediate financial gain.”

And hang on – this isn’t exactly a new threat. “Since the beginning of intelligence, sources can be manipulated and falsified,” comments Ngoc Bui, cybersecurity expert at Menlo Security. “Routine vetting of intelligence sources should be standard to guard against manipulation – a practice well-established in the intelligence community. There are documented models available that outline source ratings and reliability.”
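The source vetting Bui describes, applied to the poisoning scenario discussed above, can be expressed as a simple corroboration rule: an indicator becomes actionable only when a rated, reliable source reports it and an independent rated source confirms it, so a flood of fabricated indicators from unvetted personas never reaches the block list on its own. The code below is an added example and is not from the article or from any vendor quoted in it. It assumes the Admiralty System ratings (source reliability A to F, information credibility 1 to 6), which is one of the documented models Bui refers to; the feed names, indicator values (taken from the reserved TEST-NET ranges) and the thresholds are constructed for the demonstration.

```python
"""Corroboration-based vetting of indicators pulled from several CTI feeds.

Added example; not code from SecurityWeek or any vendor it quotes.
Rating scheme: Admiralty System (reliability A-F, credibility 1-6).
Feed names, indicators and thresholds are constructed for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass

# Source reliability: A = completely reliable ... F = cannot be judged
RELIABILITY_WEIGHT = {"A": 1.0, "B": 0.8, "C": 0.6, "D": 0.4, "E": 0.2, "F": 0.0}
# Information credibility: 1 = confirmed by other sources ... 6 = cannot be judged
CREDIBILITY_WEIGHT = {1: 1.0, 2: 0.8, 3: 0.6, 4: 0.4, 5: 0.2, 6: 0.0}


@dataclass(frozen=True)
class Report:
    feed: str          # hypothetical feed name
    indicator: str     # IoC value (constructed)
    reliability: str   # source rating A-F
    credibility: int   # information rating 1-6


def report_score(r: Report) -> float:
    """Combined confidence in one report, 0.0 (unrated) to 1.0 (A1)."""
    return RELIABILITY_WEIGHT[r.reliability] * CREDIBILITY_WEIGHT[r.credibility]


def vet_indicators(reports, min_score=0.5, min_sources=2):
    """Map each indicator to 'block', 'review' or 'discard'.

    'block' requires BOTH a report scoring at least min_score AND reports from
    at least min_sources distinct feeds whose source rating is better than F.
    Unrated (F) feeds never count toward corroboration, so many fake personas
    repeating the same indicator do not add up to confirmation.
    """
    by_indicator = defaultdict(list)
    for r in reports:
        by_indicator[r.indicator].append(r)

    decisions = {}
    for ioc, rs in by_indicator.items():
        best = max(report_score(r) for r in rs)
        rated_feeds = {r.feed for r in rs if RELIABILITY_WEIGHT[r.reliability] > 0}
        if best >= min_score and len(rated_feeds) >= min_sources:
            decisions[ioc] = "block"
        elif best >= min_score or len(rated_feeds) >= min_sources:
            decisions[ioc] = "review"      # one good source, or weak corroboration
        else:
            decisions[ioc] = "discard"
    return decisions


# Constructed sample feed output. 'anon_blog' and 'paste_scraper' stand in for
# the unvetted personas the article warns about; their rating is F6.
SAMPLE_REPORTS = [
    Report("vendor_feed_a", "203.0.113.7", "A", 1),
    Report("vendor_feed_b", "203.0.113.7", "B", 2),
    Report("vendor_feed_a", "198.51.100.9", "B", 2),
    Report("vendor_feed_b", "bad.example", "C", 4),
    Report("vendor_feed_c", "bad.example", "C", 4),
    Report("anon_blog", "192.0.2.55", "F", 6),
    Report("paste_scraper", "192.0.2.55", "F", 6),
    Report("anon_blog", "evil.example", "F", 6),
]

if __name__ == "__main__":
    for ioc, decision in vet_indicators(SAMPLE_REPORTS).items():
        print(f"{ioc:16} -> {decision}")
```

The thresholds are policy, not science: a SOC that wants fewer alerts raises `min_sources`, one that is willing to triage more raises nothing and routes 'review' items to an analyst queue. What matters for the poisoning concern is that the unrated-source count is kept out of the corroboration logic entirely.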

Nathaniel Jones, VP of threat research at Darktrace

“We’re witnessing a fundamental shift in threat intelligence, driven by the increasing complexity of attribution and deception in cyberspace,” says Nathaniel Jones, VP of threat research at Darktrace. “While signature-based detection isn’t disappearing, the future lies in hybrid systems that combine behavioral analytics with anomaly detection, operating across multiple infrastructure layers. This evolution is crucial as hacktivism becomes deeply intertwined with nation-state activities, blurring attribution and complicating diplomatic responses. The rising prevalence of false flag operations and poisoned malware is making traditional threat actor profiling increasingly unreliable, forcing a rethink of conventional threat intelligence frameworks.”

Put simply, as the cyber threats become more complex, so our use of threat intelligence must become more effective. Its use must expand and deepen. For the first, Guenther notes, “There is a shift toward using CTI not only for security purposes but also as a key component of enterprise risk management. Executives are beginning to recognize the value of CTI in providing a business-oriented view of cybersecurity risk. TI could evolve to provide insights on potential impacts to specific business operations, aligning security efforts with organizational objectives.”

For the latter, she comments, “Organizations will increasingly integrate TI into their Security Operations Centers (SOCs) to streamline threat detection and incident response. Rather than isolated threat feeds, organizations will rely on CTI-enriched security workflows, where CTI directly informs decisions on incident response, vulnerability prioritization, and risk management.”

Nadav Avital, head of threat research at Imperva, agrees with this. “The main challenge with CTI,” he says, “is that it’s difficult to consume because of its sheer size, so SOC engineers struggle to filter the relevant information.” He believes AI will help. “With AI technology, CTI can become more efficient, either by creating dedicated CTI per use case (by CTI vendors) or by efficiently analyzing it (by CTI consumers).”

More effective integration and use of threat intelligence within the SOC is the most likely development in 2025. “Detection-as-code (DaC) will empower SOCs to rapidly respond to evolving threats, enabling automated and continuous updates to detection rules aligned with the latest threat intelligence,” suggests Michael Freeman, head of threat intelligence at Armis. “Integrating CI/CD principles will allow for continuous testing of detection logic, reducing false positives and enhancing detection accuracy while fostering collaboration between security engineers and developers.” 

Moreover, he continues, “embedding AI within the detection pipeline will enhance the adaptive capabilities of SOCs, allowing for advanced threat detection and response. This approach marks a critical advancement in SOC functionality, providing a proactive, scalable threat detection and response framework.”
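Freeman's detection-as-code idea is concrete enough to show: the rule lives in version control as code, the intel-derived blocklist it consumes is data that a feed can refresh, and a regression suite of known-good and known-bad events gates every change before it ships. The code below is an added example and is not from the article or from Armis; the key=value log format, field names, addresses (reserved TEST-NET ranges) and the sample events are constructed for the demonstration. It shows a first rule version failing the gate on a false positive and a second version passing.

```python
"""Detection-as-code: a rule plus the regression cases a CI job runs before deploy.

Added example; not code from SecurityWeek or Armis. Log format, field names,
addresses and sample events are constructed for the demonstration.
"""
import re

# Intel-derived blocklist, as it would be refreshed from a vetted CTI feed.
# Constructed TEST-NET values, not real indicators.
BLOCKLIST = {"203.0.113.7", "198.51.100.9"}

# Internal hosts expected to contact bad infrastructure, e.g. the malware sandbox.
EXPECTED_SOURCES = {"10.0.5.20"}

KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Parse a 'key=value key=value' firewall line (constructed format) into a dict."""
    return dict(KV.findall(line))


def rule_v1(event: dict) -> bool:
    """First attempt: alert on any flow to a blocklisted destination."""
    return event.get("dst") in BLOCKLIST


def rule_v2(event: dict) -> bool:
    """Revision: same logic, but suppress hosts expected to reach bad IPs."""
    return event.get("dst") in BLOCKLIST and event.get("src") not in EXPECTED_SOURCES


# Regression cases: (sample event, should_alert). Constructed log lines.
CASES = [
    ("ts=2025-01-07T10:00:01Z src=10.0.1.14 dst=203.0.113.7 dport=443 action=allow", True),
    ("ts=2025-01-07T10:00:02Z src=10.0.1.15 dst=192.0.2.10 dport=443 action=allow", False),
    # Sandbox detonating a sample: expected traffic, must not page the SOC.
    ("ts=2025-01-07T10:00:03Z src=10.0.5.20 dst=198.51.100.9 dport=80 action=allow", False),
    ("ts=2025-01-07T10:00:04Z src=10.0.1.14 dst=198.51.100.9 dport=8080 action=deny", True),
]


def evaluate(rule, cases) -> dict:
    """Run a rule over the cases and return the confusion counts a CI gate checks."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for line, expected in cases:
        fired = rule(parse_event(line))
        if fired and expected:
            counts["tp"] += 1
        elif fired and not expected:
            counts["fp"] += 1
        elif not fired and expected:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


def ci_gate(rule, cases) -> bool:
    """Deployable only if every known-bad case fires and no known-good case does."""
    counts = evaluate(rule, cases)
    return counts["fp"] == 0 and counts["fn"] == 0


if __name__ == "__main__":
    for name, rule in (("rule_v1", rule_v1), ("rule_v2", rule_v2)):
        verdict = "deployable" if ci_gate(rule, CASES) else "blocked"
        print(name, evaluate(rule, CASES), verdict)
```

In a real pipeline the cases file grows with every incident and every false-positive ticket, so the suite encodes the SOC's accumulated tuning rather than leaving it in an analyst's head; a blocklist refresh from the intel feed reruns the same gate, which is where the "continuous updates aligned with the latest threat intelligence" in the quote above meet "continuous testing of detection logic".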

Rodman Ramezanian

As Mjels commented earlier, better intelligence (provided it is used effectively) is more effective than just building higher walls. “Where threat intelligence is already used to help correlate signals, the next wave will involve AI-driven systems that not only detect threats in real time but also autonomously suggest or implement mitigation strategies,” suggests Ramezanian.

“The evolution in 2025 is expected to focus on deepening the integration of CTI with decision-making and operational processes,” he continues. “Today, CTI often supports incident response and detection after an attack has begun, but in 2025, we’re likely to see a shift toward predictive intelligence, using AI and machine learning to anticipate attacks before they occur based on evolving threat patterns and geopolitical triggers.”

Better intelligence used more effectively is the challenge for 2025.

A key element of threat intelligence comes from gathering-by-sharing. But that’s not always as easy as it seems. An important source of intelligence comes from law enforcement and intelligence agencies – but they don’t have a good history of openness. Since information is power, they tend not to be free with it. 

Things are changing, but they could change more and faster. “Efforts to increase and/or improve intelligence sharing have been attempted since the aftermath of the failures to properly share intelligence in the lead-up to 9/11,” comments Schwalbe. 

“This is an extremely complex subject, and there are no easy answers. If this problem were to be solved, it could have a major impact on the fight against malicious actors. But if the last 23 years have been any indication, it may take another quarter century before any major improvements are made,” he adds.

Bui has a similar view: “So many people want to hold on to intelligence or charge a large fee to access a single source of intelligence. And an even larger fee for more than one intelligence source. While I completely understand that sensitivity of intelligence – I come from the intelligence agencies – I think too many have made intelligence sharing inaccessible for smaller companies, let alone researchers. This is a big disadvantage for everyone.”

CTI sharing suffers a double whammy: federal agencies could provide free intelligence (but are not good at it), while private companies charge high fees for different and incomplete information (and are very good at it). Should the agencies increase their own sharing? “They certainly should, and I expect they will because it would significantly boost cybersecurity efforts,” says Risley. “The growing complexity of cyber threats means we need new and, ideally, more collaborative approaches to threat intelligence.”

More intelligence from the agencies might even encourage the security industry to reduce the cost of their own feeds, if only to stay in the game. “Intelligence sharing would speed threat detection and allow for more effective responses. It would enable organizations to stay ahead of emerging threats and adapt their defenses better. Of course, there are privacy concerns to consider, but ultimately, a trend toward greater collaboration would strengthen our collective cybersecurity posture,” continues Risley.

Guenther confirms the privacy issue. “One major barrier remains privacy and data-sharing regulations. To increase the efficacy of CTI, it will be critical to establish trust frameworks and standardized privacy controls that allow sensitive data to be shared while protecting individuals and companies.”

Callie Guenther, senior manager of cyber threat research at Critical Start

She also recognizes the growing pressure on both agencies and vendors. “Law enforcement agencies, intelligence agencies, and vendors are facing pressure to share intelligence more openly to combat global threats effectively. Enhanced sharing could lead to quicker identification of threats, better attribution, and more unified responses across sectors. If they successfully expand intelligence sharing, this could significantly shorten the response time to emerging threats. Early indicators of an attack could be disseminated rapidly across industries, enabling preemptive defenses.”

We don’t know whether threat intelligence sharing will improve in 2025, but we do know there is a demand for it, and pressure to achieve it.

“As threat landscapes become far more complex, the ability to prioritize threats and determine potential exploitation will become central to the decision-making process. This will be particularly important for security teams that are already stretched thin, as they will need to make rapid, informed decisions on where to focus their resources,” says Raj Samani, SVP and chief scientist at Rapid7.

Cyber threat intelligence can inform decisions, but it is a complex issue. Where it is complete and accurate it is a huge boon. Where it is incomplete – or worse, inaccurate – it can lead to bad decisions and wasted effort. “Predicting the efficacy, direction, and implications of threat intelligence is challenging as it’s rarely working as one cohesive entity headed in the same direction. Distinct differences arise between individual organizations, nation-aligned entities, and even industries and regions,” warns Steve Stone, SVP of threat intelligence and managed hunting at SentinelOne.

“The recent US Presidential election included distinct discussions around the politicization of intelligence. Ripple effects of this discussion, as well as particular incoming administration views on geopolitical topics – in particular Ukraine, Iran, China, Israel, and Russia – will impact the cyber intelligence community,” he adds.

“The importance of threat intelligence has been growing in the last few years,” says Geenens. “In 2025, look for it to play an even more critical role as cyberattacks increase in frequency, threat surfaces expand, and threat actors become more sophisticated with the aid of Gen AI.”

The importance of CTI is clear; but whether its value can increase to match its full potential in 2025 remains to be seen.

Related: From Silos to Synergy: Transforming Threat Intelligence Sharing in 2025
