Threat intelligence programmes cost between $200K and $2M per year when you include feeds, analyst time, and tooling. Yet most CISOs cannot quantify what their programme prevents. When the CFO asks 'what did we get for that?' the answer is usually a volume metric ('we ingested 4 million IOCs') rather than an outcome metric. That needs to change.
Why volume metrics are misleading
The threat intel industry defaults to volume metrics because they are easy to measure: IOCs ingested, feeds integrated, indicators enriched. But a threat intel programme's value lies entirely in what actions it enables. An IOC that never matches anything in your environment provides zero value, regardless of its source.
In our analysis of 15 commercial threat intel feeds, the median hit rate — IOCs that matched actual traffic in customer environments — was 0.003%. Most organisations are paying significant sums for signal that is essentially noise for their specific threat profile.
A four-metric framework for TI ROI
- 1. Hit rate: what percentage of your IOCs matched real traffic in the last 90 days? A hit rate below 0.01% suggests your feeds are misaligned with your threat profile.
- 2. Detection lead time: did your TI detect a threat before it triggered a behavioural alert? If your TI consistently fires after your EDR, you are paying for late confirmation.
- 3. Mean time to block: how long between an IOC being added to your TI platform and it being enforced in your controls (firewall, proxy, EDR)? This should be minutes, not hours.
- 4. Unique coverage: what percentage of your TI detections are not covered by your other detection layers? If 95% of TI hits are also caught by behavioural rules, your TI is mostly redundant.
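One way to compute the four metrics for a single feed from IOC and hit records. This is an added example, not code from the article or its product; the record fields (`added`, `enforced`, `ti_time`, `behavioural_time`) and all sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from statistics import mean, median

def ti_metrics(iocs, hits, as_of, window_days=90):
    """Score one feed. Field names are assumptions made for this example."""
    start = as_of - timedelta(days=window_days)
    known = {i["ioc"] for i in iocs}
    recent = [h for h in hits
              if h["ioc"] in known and start <= h["ti_time"] <= as_of]
    # 1. Hit rate: share of the feed's IOCs that matched real traffic.
    matched = {h["ioc"] for h in recent}
    # 2. Lead time in minutes; positive means TI fired before the behavioural alert.
    leads = [(h["behavioural_time"] - h["ti_time"]).total_seconds() / 60
             for h in recent if h["behavioural_time"] is not None]
    # 3. Time to block in minutes: added to the TI platform -> enforced in controls.
    blocks = [(i["enforced"] - i["added"]).total_seconds() / 60
              for i in iocs if i["enforced"] is not None]
    # 4. Unique coverage: TI hits that no other detection layer alerted on.
    unique = [h for h in recent if h["behavioural_time"] is None]
    return {
        "hit_rate_pct": 100 * len(matched) / len(known) if known else 0.0,
        "median_lead_min": median(leads) if leads else None,
        "mean_time_to_block_min": mean(blocks) if blocks else None,
        "unique_coverage_pct": 100 * len(unique) / len(recent) if recent else 0.0,
        # IOCs never pushed to a control are excluded from the mean; count them.
        "never_enforced": sum(i["enforced"] is None for i in iocs),
    }

# Constructed sample data (documentation-range addresses, .example domains).
T0 = datetime(2024, 6, 30)
def _ago(days, plus_min=0):
    return T0 - timedelta(days=days) + timedelta(minutes=plus_min)

IOCS = [
    {"ioc": "198.51.100.7", "added": _ago(10), "enforced": _ago(10, 4)},
    {"ioc": "evil.example", "added": _ago(20), "enforced": _ago(20, 90)},
    {"ioc": "203.0.113.9", "added": _ago(5), "enforced": None},
    {"ioc": "bad.example", "added": _ago(200), "enforced": _ago(200, 8)},
]
HITS = [
    {"ioc": "198.51.100.7", "ti_time": _ago(9), "behavioural_time": _ago(9, 30)},
    {"ioc": "198.51.100.7", "ti_time": _ago(3), "behavioural_time": None},
    {"ioc": "evil.example", "ti_time": _ago(2), "behavioural_time": _ago(2, -10)},
    {"ioc": "bad.example", "ti_time": _ago(120), "behavioural_time": None},  # outside window
]

if __name__ == "__main__":
    for name, value in ti_metrics(IOCS, HITS, T0).items():
        print(f"{name}: {value}")
```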
Aligning TI to your actual threat profile
Start with your industry sector and geography. A financial services firm in the UK has a materially different threat profile from a healthcare provider in the US. Generic global feeds will contain thousands of irrelevant indicators for either. Curate feeds based on threat actor groups known to target your sector, and score every feed quarterly against your four metrics.
Presenting ROI to the board
Board-level ROI conversations require translating technical metrics into financial terms. The most effective framing: 'Our threat intel programme blocked X attempts that matched known attack patterns, with an average industry incident cost of $Y per event, implying $Z in avoided costs.' Pair this with a 3-year trend to show improvement.
Our threat intelligence module automatically tracks all four metrics, generates quarterly ROI reports in board-ready format, and recommends feed additions or removals based on your specific hit rate and coverage data.