Maturing the cyber threat intelligence program

TALOS
Wednesday, September 10, 2025 10:01

  • The Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) helps organizations assess and improve their threat intelligence programs by outlining 11 key areas and specific missions where CTI can support decision-making.
  • The model describes four levels of maturity, guiding teams from basic, ad hoc activities to highly strategic and refined practices through a cycle of continuous improvement.
  • CTI-CMM builds on earlier capability models and research, offering a practical framework for organizations to benchmark and evolve their CTI efforts.

**Overview**

The familiar idiom “walk before you run” summarizes a fundamental truth about skill acquisition: you must master certain foundational capabilities before you can successfully execute more complex activities. This principle applies universally, from learning a new sport to developing highly specialized technical skills. Any area will have foundational skills, activities that anyone competent in the domain can perform, and characteristics that show that an individual (or team) has reached the highest levels of mastery.

Capability maturity models (CMMs) outline the hierarchy of skills and activities that may be required within a particular area. The capabilities and characteristics are listed for teams of different levels of maturity operating within a domain. These descriptions can be used to evaluate the current level of a team or to identify the capabilities that must be acquired in order to improve.

Despite its importance, the exact function of cyber threat intelligence (CTI) can vary widely across organizations. The community-developed Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) shows how threat intelligence can help an organization and the various levels of capability that cyber threat intelligence teams can achieve.

**Details**

The CTI-CMM lists 11 domains where CTI can greatly improve decision-making, and also details specific “missions” CTI can carry out to strengthen each domain.

| Domain | Abridged Description | Example CTI Mission |
| --- | --- | --- |
| Asset, Change and Configuration Management | Manage the organization’s IT and OT assets. | Rapidly detect at-risk assets. |
| Threat and Vulnerability Management | Detect, identify, analyze, manage, and respond to cybersecurity threats and vulnerabilities. | Reduce risk against new and emerging adversaries, malware, vulnerabilities, and exploits. |
| Risk Management | Identify, analyze and respond to cyber risk the organization is subject to. | Improve risk decisions. |
| Identity and Access Management | Manage identities for entities that may be granted logical or physical access to the organization’s assets. | Reduce incident detection times, accelerate remediation. |
| Situational Awareness | Establish situational awareness for operational state and cybersecurity state. | Drive threat-informed decision-making based on the current and forecast threat landscape. |
| Event and Incident Response, Continuity of Operations | Respond to, and recover from cybersecurity events and incidents. | Create an intelligence advantage for incident responders and strengthen the security posture. |
| Third-Party Risk Management | Manage the cyber risks arising from suppliers and other third parties | Monitor, detect, assess and mitigate potential incidents posed by third-party vendors and suppliers. |
| Fraud and Abuse Management | Shield organizations from malicious digital scams and attacks. | Share threats and findings with relevant stakeholders. |
| Workforce Management | Create a culture of cybersecurity and security competence. | Support hardening of the human element. |
| Cybersecurity Architecture | Maintain the structure and behavior of the organization’s cybersecurity architecture. | Provide insights into cyber threats that may target the organization. |
| Cybersecurity Program Management | Provides governance, strategic planning and sponsorship for the organization’s cybersecurity activities. | Deliver tailored intelligence inputs to inform cybersecurity decision-making. |

The missions span a wide spectrum, from proactively monitoring an organization’s attack surface in support of asset management to providing crucial situational awareness of the evolving threat landscape and its direct relevance to organizational activities.

The CTI-CMM also defines distinct levels of maturity for threat intelligence activities, providing a clear progression path:

  • A placeholder for practices that are not executed.
  • Many threat intelligence activities begin here, characterized by basic, ad hoc and unplanned efforts focused on short-term, reactive results.
  • As an activity matures, it becomes planned, with documented procedures and metrics demonstrating its support for stakeholders. The focus shifts towards proactive and predictive intelligence, delivering short- and intermediate-term results.
  • At the highest level, activities are highly refined, focusing on delivering long-term strategic outcomes for the business. This level integrates prescriptive intelligence and recommendations, combined with continuous improvement practices, making practices measurable and aligned directly to business objectives.

The framework espouses an improvement process analogous to the “plan, do, check, act” management model. In this case, the steps within a cycle of improvement are “prepare, assess, plan, deploy, measure.” With each rotation through the cycle, the capabilities of the threat intelligence program are incrementally improved, growing the maturity of the program.

**History of CTI-CMM**

This approach to improving capabilities and benchmarking against defined standards is not new. CMMs originated in the mid-1980s, driven by the U.S. Department of Defense’s desire to compare and evaluate software contractors. Largely thanks to the efforts of the Software Engineering Institute (SEI) at Carnegie Mellon University, CMMs evolved into the widely applied Capability Maturity Model Integration (CMMI).

The CTI-CMM adopts domains from the Cybersecurity Capability Maturity Model (C2M2), developed by the U.S. energy industry and first published in 2012. While the C2M2 acknowledged the importance of threat intelligence as a concept within overall cybersecurity posture, it did not specifically address the maturity of a dedicated threat intelligence program. However, the very first paper describing a maturity model for threat intelligence was published in the same year by the industry vendor Verisign. Thus, the origins of the CTI-CMM can be traced back to these two initiatives of the early 2010s.

**Closing**

It’s crucial for organizations to understand that aspiring to the highest level of CTI maturity is not always a practical goal. The intelligence program should focus on meeting the real needs of its users and stakeholders rather than seeking to hit a high score on an industry framework. An intelligence team with more resources may produce “better” intelligence and be more responsive. However, in a world of finite resources, those additional resources may be better spent in delivering “good enough” intelligence to teams that can use it well, rather than delivering the best intelligence to teams without the capacity or resources to effectively utilize the information.

Ultimately, the Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) provides an invaluable resource for organizations to assess and evolve their CTI capabilities. As threat intelligence solidifies its role as an indispensable component of cybersecurity strategy, maturity model tools will become not only the drivers for internal organizational growth but also key instruments for external entities to benchmark and compare organizations’ overall cybersecurity maturity.
