
Most corporate CTI teams won't survive the next five years

The part where I’m annoyed

Here is what frustrates me about corporate CTI teams: a significant chunk of their daily work is Googling indicators. How do I know? Because I did this for years.

An incident responder finds a suspicious hash or a C2 domain. The CTI team takes it, searches for it, finds a vendor blog post describing the exact campaign, and then writes a summary. The incident responder reads that summary, realizes it lacks the detail they need, and ends up reading the original blog post anyway. The CTI team just added a step to the process without adding value.

This is not an edge case. In many organizations, this is the primary contribution of the CTI function during incidents.

The other major output is reports. Long, formatted, logo-heavy reports that describe threat landscapes, actor profiles, and campaign timelines. Some of them are well-researched. Most of them are neither actionable nor impactful. They land in inboxes, get skimmed by a manager, and gather dust. Nobody changes a firewall rule because of a quarterly threat landscape report.

I know this is uncomfortable. But if we are honest about what the average corporate CTI team actually produces, it is summaries of public information and reports that do not change decisions.

AI is already good at exactly this

The criticism of AI is valid in many areas. Hallucinations are real. Reasoning over novel problems is still shaky. But summarizing known information? Searching across multiple sources and producing a coherent brief? Condensing a 20-page vendor report into three actionable paragraphs? AI is already good at this. Not perfect. Good enough.

Give it two or three more years of iteration and the gap closes further. The work that occupies 80% of a corporate CTI analyst's day (searching, reading, summarizing, formatting) is exactly the kind of work large language models handle well. Not because they understand threat actors, but because the task is fundamentally about processing and restructuring text.

An incident responder with a good AI tool will do their own indicator lookups faster than waiting for a CTI team to triage the request. A SOC manager with access to an AI-powered briefing tool will get a better daily summary than what most CTI teams produce manually.

90% is not hyperbole

I genuinely believe that within five years, 90% of people who currently call themselves CTI analysts will either be doing something else or be out of a job. Not because they are bad at what they do. Because what they do is automatable, and the automation is arriving fast.

The remaining 9% will be the ones doing work that AI cannot replicate, and that is the interesting part. The last 1% will keep doing exactly what they do today, simply because some regulation requires the company "to do threat intelligence".

What survives

The CTI work that has actual impact tends to be the work that most teams do not do at all.

Engaging with threat actors directly. Building credible personas on breach forums and dark web marketplaces. Running long-term intelligence operations that require human judgment, cultural awareness, and operational security. Developing sources. Understanding the business context well enough to make a call on what matters and what does not.

This kind of work requires creativity, risk tolerance, and deep domain expertise. It is also the kind of work that most corporate CTI teams have never been staffed or mandated to do. The teams that pivot toward it will survive. The ones that keep writing summaries of arbitrary intel blog posts will not.

Vendors are not safe either

CTI vendors who sell plain indicator feeds are on borrowed time. Not because the industry is finally moving to behavioral detection; people have been claiming that shift for a decade and it still has not happened at scale. The real reason is simpler: indicator feeds are increasingly built into existing tooling.

Cloud providers bundle threat intelligence into their security products. EDR vendors ship their own feeds. SIEM platforms ingest indicators natively. The standalone feed-as-a-product model loses value every year as these integrations mature.

Vendors who survive will be the ones offering something that cannot be commoditized. Human-driven adversary engagement. Takedown services. Infiltration of criminal infrastructure. Bespoke intelligence tailored to a specific organization's threat model. The kind of work that requires people doing risky, creative things, not a pipeline that parses STIX files. Why is STIX even still a thing? Or is it?

This is not doom and gloom

If you are a CTI analyst reading this and feeling defensive, consider what you actually enjoy about the work. If the answer is “researching threat actors and writing reports,” then yes, you should be worried. If the answer is “understanding adversaries deeply enough to anticipate their next move and shape my organization’s defenses accordingly,” then you are probably in the 9% that sticks around.

The shift is an opportunity to stop doing low-value busywork and focus on the parts of intelligence that actually require a human brain. The problem is that most organizations built their CTI functions around the busywork, and restructuring that will be painful.

Five years. Maybe less. The clock is ticking, and the industry is still arguing about TLP colors.