A different cup of TI? The added value of commercial threat intelligence

Xander Bouwman, Harm Griffioen, Jelle Egbers, Christian Doerr, Bram Klievink, Michel van Eeten

Research output: Contribution to conference › Paper › peer-review

13 Citations (Scopus)
297 Downloads (Pure)

Abstract

Commercial threat intelligence is thought to provide unmatched coverage on attacker behavior, but it is out of reach for many organizations due to its hefty price tag. This paper presents the first empirical assessment of the services of commercial threat intelligence providers. For two leading vendors, we describe what these services consist of and compare their indicators with each other. There is almost no overlap between them, nor with four large open threat intelligence feeds. Even for 22 specific threat actors – which both vendors claim to track – we find an average overlap of only 2.5% to 4.0% between the indicator feeds. The small number of overlapping indicators show up in the feed of the other vendor with a delay of, on average, a month. These findings raise questions on the coverage and timeliness of paid threat intelligence.

We also conducted 14 interviews with security professionals that use paid threat intelligence. We find that value in this market is understood differently than prior work on quality metrics has assumed. Poor coverage and small volume appear less of a problem to customers. They seem to be optimizing for the workflow of their scarce resource – analyst time – rather than for the detection of threats. Respondents evaluate TI mostly through informal processes and heuristics, rather than the quantitative metrics that research has proposed.

Original language: English
Pages: 433-450
Number of pages: 18
Publication status: Published - 2020
Event: 29th USENIX Security Symposium (Virtual/online event due to COVID-19) - Online event, United States
Duration: 12 Aug 2020 → 14 Aug 2020
https://www.usenix.org/conference/usenixsecurity20

Conference

Conference: 29th USENIX Security Symposium (Virtual/online event due to COVID-19)
Country/Territory: United States
City: Online event
Period: 12/08/20 → 14/08/20