Enterprises Have Too Much Threat Intel And Too Little Prevention

Threat intelligence spending keeps going up, and so does the number of feeds organizations subscribe to. But a new survey from Malanta suggests that more intelligence hasn’t translated into fewer attacks—and the reasons why are worth paying attention to.

Malanta surveyed 100 security professionals between September and November 2025. Respondents represented a cross-section of security leadership—CISOs, VPs, directors, and managers—from enterprise organizations across more than 35 industries in six countries. The majority came from organizations with 10,000 or more employees. These aren’t teams that lack resources or experience.

The Feed Problem

Most enterprises now operate five to eight threat intelligence feeds, with some managing as many as 53. The logic behind stacking feeds makes sense on its face—more coverage means better visibility. But 71% of survey respondents report significant overlap across those feeds, meaning they’re largely paying for duplicate data.

And when asked where their threat intelligence process breaks down most often, 100% of respondents pointed to the same thing: connecting signals to real threats. Every single respondent. That’s a pretty clear sign that adding more feeds isn’t solving the underlying problem.

One director of IT services surveyed described the situation bluntly: “The challenge is that most feeds overlap heavily, adding volume without truly advancing our ability to predict or prevent attacks. We’re prioritizing intelligence sources that can identify adversary intent and infrastructure earlier.”

Still Largely Manual

The survey found that 84% of organizations rely on manual or reactive approaches to threat intelligence. Only 31% have fully automated ingestion and blocking. The other 69% have manual work somewhere in the process, which means analysts are spending time on validation instead of prevention.

Sixty-eight percent of respondents spend one to two hours per week on indicator validation alone. Seventeen percent spend several hours a day on it. That’s a meaningful chunk of analyst time going toward confirming what the feed already told them, rather than acting on it.

A global head of threat detection at an insurance company noted: “We heavily rely on manual processes such as communicating with our threat intelligence team to retrieve additional insights as cyber incidents are being worked on. This is leading to an extremely inefficient triage and response process.”

A security architect in logistics and supply chain described their setup this way: “We mainly automate the ingestion of standard threat lists and IOCs from our primary vendor directly into our SIEM. It’s a purely reactive process focused on known malicious resources.”

Measuring the Wrong Things

The survey also asked how organizations measure success. Ninety-one percent track Mean Time to Respond (MTTR) and 89% track Mean Time to Detect (MTTD). Those are both response metrics—they tell you how fast you cleaned up after something went wrong.

Only 12% of organizations track prevention-oriented metrics. Zero percent measure pre-attack disruption.

That gap matters because organizations tend to fund and prioritize what they measure. If the only KPIs on the dashboard are about response speed, it’s hard to make the case for investing in earlier-stage prevention.

A VP of cloud engineering at a financial services firm put it plainly: “We would love to have a prevention KPI as well—one that talks about what was prevented, not just how fast we cleaned up.”

Visibility Without Confidence

When asked what’s getting in the way of preventing attacks, 50% of respondents cited detection gaps—they don’t see threats forming until damage has already occurred. Only 33% cited resource constraints. So for most of these organizations, the limiting factor isn’t budget or headcount. It’s early-stage visibility.

Even when organizations do have threat data, only 65% say their feeds provide actionable context. And even then, confidence to act before an attack is in motion is low. The report describes this as a “detection ceiling”—teams have signals but lack the correlation to do anything meaningful with them before it’s too late.

What Enterprises Actually Want

The survey asked respondents what they actually want from their threat intelligence programs. The top five responses were actionable context (82%), earlier visibility into threats forming (78%), reduced noise and fewer duplicates (74%), automated prioritization (68%), and prevention-oriented metrics (65%).

None of that is particularly surprising. What’s notable is the gap between what organizations say they want and how they’re currently set up. They want prevention metrics but measure response speed. They want reduced noise but keep adding feeds. They want automated prioritization, but 84% still rely on manual processes.

A deputy CISO at a financial services firm summed up what the shift would look like in practice: “Success would look like proactive blocks and hunts that actually stop a potentially successful attack before it happens.”

Malanta, which positions itself as a pre-attack prevention platform, has an obvious interest in framing the market this way. But the survey data stands on its own. If every respondent in a 100-person survey identifies the same failure point—and that failure point is connecting signals to actual threats—something is structurally off with how the industry has built threat intelligence programs.

More feeds haven’t fixed it. Better metrics and earlier visibility might.