In cybersecurity, more data doesn’t always mean better security. Many security teams are overwhelmed by a constant stream of feeds, alerts, and indicators, making it harder to identify real threats. Effective threat intelligence prioritises quality information over quantity, focusing on relevant, timely, and actionable insights to improve security outcomes. But how can businesses ensure their threat intelligence program is delivering the quality information they need? Forrester’s CART model, built on extensive research from companies like ESET, offers a framework for evaluating threat intelligence effectiveness and a practical guide for applying it to your specific objectives. Let's dive into these key metrics and how to ensure your threat intelligence provider delivers the high-quality insights needed to stay ahead of evolving threats.
Measuring Effectiveness: Key Metrics That Matter
Many organisations struggle to define what “effective” threat intelligence actually looks like. Too often, success is measured by the amount of data collected rather than its impact on security decision-making. But the reality is that intelligence is only useful if it’s actionable.
Forrester’s CART model outlines four key metrics that organisations should use to evaluate the effectiveness of their threat intelligence programs:
- Completeness – Does the solution provide enough meaningful insight? Effective intelligence should aggregate information from diverse sources while aligning with the original use case requirements. The best programs provide expert curation all the way down to tactical indicators and solutions for resolution.
- Accuracy – How often is the intelligence correct? High false positive rates lead to wasted resources, analyst burnout, and missed real threats. False negatives, on the other hand, create a false sense of security, leaving organisations exposed. Your threat intelligence provider must keep pace with evolving attack techniques and deliver reliable and accurate information.
- Relevancy – Does the intelligence align with your industry, threat landscape, and security goals? Tracking attack detection and prevention rates, as well as indicators of compromise (IOCs) like the number of assets found on the dark web or the number of rogue accounts taken down, can help organisations measure how their intelligence directly enhances their organisational security posture. The relevant information should have a high actionability rate and provide continuous tracking as threats advance.
- Timeliness – Is the intelligence delivered fast enough to prevent or mitigate an attack? Intelligence that arrives too late is no better than hindsight. IOCs need to be delivered in real time to effectively impact security decision-making. Forrester recommends tracking the time spent in each phase of the incident response cycle to ensure it is helping security teams react swiftly and decisively.
The most effective programs don’t rely on a one-size-fits-all approach—they prioritise the metrics that matter most and tailor the solution to fit their specific use case. Security teams challenged with high time-to-detect metrics, for example, would want to prioritise the accuracy and timeliness of their intelligence feeds. By aligning threat intelligence with business objectives and real-world risks, organisations can cut through the noise and maximise security effectiveness.
Choosing the Right Solution
With an overwhelming number of threat intelligence providers on the market, how can you be sure that your chosen vendor will perform once in place? When evaluating solutions, consider these key factors:
- Reputation and Third-Party Validation – Reference independent reviews, analyst recommendations, and third-party testing to assess a provider’s credibility. Forrester, Gartner, MITRE ATT&CK evaluations, and AV-TEST results can offer valuable insights into a company's reliability, detection accuracy, and false positive rates. A strong reputation backed by independent verification signals trustworthy performance.
- Expertise Sources: AI vs. Human Analysis – Many vendors rely solely on AI-driven automation, but the best providers combine AI and machine learning with expert human analysis to filter out noise, add contextual insights, and verify accuracy. Threat intelligence that includes expert curation all the way down to tactical indicators is the most effective at preventing breaches.
When assessing a provider, consider their intelligence sources as well as the size and reputation of their research team. Are they actively involved in discovering new threats and publishing original research? How often do they contribute to the security community at large?
While AI-driven automation shouldn’t be your only line of defence, an AI assistant can be a powerful ally in cybersecurity. It enhances threat detection and response by simplifying data presentation, automating repetitive tasks, and providing valuable insights into APT reports. By bridging the cybersecurity skills gap, AI assistants empower organisations to focus on what matters most: staying ahead of evolving threats.
- Detection Accuracy Scores – High false positive rates waste valuable security resources, leading to alert fatigue and operational inefficiencies. Before choosing a solution, review independent test results on false positive handling to determine how well their system will distinguish between real threats and false alarms.
- SLA Commitments – A strong threat intelligence provider should stand behind their service with clear Service Level Agreements (SLAs) that ensure timely delivery of threat intelligence and define responsiveness to newly detected threats.
Quality Threat Intelligence: Clarity, Confidence, and Actionable Insights
Staying ahead of evolving threats requires intelligence that is complete, accurate, relevant, and timely. ESET’s threat intelligence service provides the clarity and confidence organisations need to act decisively. By combining AI-driven analysis with human expertise, businesses can cut through the noise and focus on intelligence that strengthens their security posture.
- Expert-led intelligence, curated from strategic insights down to tactical indicators for maximum relevance and actionability.
- AI-driven automation enhanced by human expertise and AI assistance ensures real-time intelligence with continuous tracking of historical indicators—long after threats are exposed.
- Industry-leading accuracy with a low false positive rate, delivering accurate intelligence that security teams can act on immediately.
- Proven performance, validated by independent third parties, ensuring high-actionability intelligence that defenders can trust.
Discover how ESET’s research-driven intelligence can keep you ahead of evolving threats.