Join us at Binding Hook Live on October 27 at Underbelly Boulevard Soho in London
Join us at Binding Hook Live
Request an invite
Main Logo Expert commentary on tech and security

Is commercial cyber threat intelligence doomed?

Kritika Roy / Michaela Prucková 8 April 2025
Share On:
Virtual Routes fellows explore the challenges facing commercial CTI, including the expansion of free OSINT and limits on public-private partnerships.
Main Top Image
Image: Markus Spisk/Unsplash

Virtual Routes is pleased to welcome the 2025-2026 cohort of European Cybersecurity fellows to our community. As part of their application, each fellow wrote an essay on one of three set questions addressing some of the biggest issues facing European cybersecurity policy and practice. We are delighted to introduce this group of talented young cybersecurity professionals with a short series of excerpts from their essays, grouped by question.

In our first installment, three fellows tackled the question, What’s the biggest blind spot in our understanding of cyber conflict, and why can’t we afford to ignore it?

In this second installment, Kritika Roy of the German Cyber Security Organisation (DCSO) and Michaela Prucková of the National Cyber and Information Security Agency of the Czech Republic answer the question, Is commercial cyber threat intelligence (CTI) doomed to fail or poised to thrive?

Kritika Roy, senior threat intelligence researcher and analyst at the German Cyber Security Organisation (DCSO)

Cyber threat intelligence has become a significant part of cybersecurity strategies, providing organisations with critical insights to detect, mitigate, and prevent cyber threats. However, the debate persists: is commercial CTI poised to thrive, or is it destined to fail in the face of free and open-source intelligence (OSINT)? With the proliferation of publicly available threat intelligence, some argue that commercial CTI is an unnecessary expense – too costly, lacking transparency, and offering incomplete coverage.

Yet dismissing CTI as redundant ignores a crucial truth: raw data without context is as dangerous as no data at all. OSINT is like an all-you-can-eat buffet, plentiful but often of questionable quality and taste. While one can still find valuable pieces of information, relying on it alone is a gamble. Commercial CTI, on the other hand, offers carefully curated, validated intelligence, helping organizations cut through the noise and focus on real threats rather than getting distracted by high-profile but irrelevant cyber incidents. Additionally, commercial CTI provides essential context, helping organisations avoid unnecessary panic and respond appropriately to threats.

Some may argue that the absence of a ‘cyber Pearl Harbor’ signals CTI’s ineffectiveness. However, perhaps the very reason we have not witnessed a catastrophic digital meltdown is that CTI is working. The success of intelligence is not measured by the number of high-profile breaches but by the countless attacks prevented.

The growing market for threat intelligence, projected to reach $16.4 billion by 2031, underscores its increasing importance. Regulatory pressures and the rising costs of breaches further drive the demand for CTI. Moreover, advancements in AI and machine learning are enhancing threat intelligence capabilities, making them more effective and efficient.

So, is commercial CTI doomed to fail? Only if organisations choose to navigate the cyber landscape blindfolded. The real question is not whether threat intelligence will survive, but rather if businesses will be wise enough to leverage it. 

Michaela Prucková, legal and policy officer for the EU and NATO at the National Cyber and Information Security Agency of the Czech Republic

General estimates say the CTI market will continue to grow in coming years, especially in the EU. There, the single market principle and new cybersecurity regulations such as the NIS 2 Directive, the Cyber Solidarity Act, and the Digital Operational Resilience Act, as well as related national cyber security laws, have opened a window of opportunity for CTI. The question of how states can and should utilise commercial CTI is vital to understanding the future of the field.

The magic term ‘public-private partnership’ occurs increasingly frequently in policy statements and strategic documents. Nonetheless, the practical configuration of such partnerships faces many obstacles. These are just the tip of the iceberg: states rely on classified information and intelligence that cannot be freely handed over to the private sector, and they need to maintain their strategic autonomy, which can become harder if they outsource too much or rely on unreliable providers. As such, states should only choose services from trusted providers, while simultaneously taking measures to prevent vendor lock-in.

Outsourcing CTI is not only a financially beneficial way to avoid the demanding work of building in-house CTI capabilities, but also a way to let in new air and challenge state approaches of ‘doing security’, which can be systematically reluctant to test new ways. 

However, states cannot rely solely on the private sector. Commercial CTI providers are unable to fully understand these customers’ security priorities, the complexity of critical infrastructure, or geopolitical aspects of malicious actors. Even if they could access all the resources needed to fully grasp the threats states face, including classified information, commercial CTI providers cannot offer a threat picture sufficiently complex yet straightforward enough to drive states’ strategic decisions, nor should they attempt to do so.

Finding the right balance of private-public partnership while still developing core internal CTI capabilities should be every state’s priority. A commercial provider of CTI who understands this has a great opportunity to establish a strong collaboration with customers who are not driven by market rules but create them and who will occasionally ask particularly interesting questions with geopolitical impact. In such a collaboration, both the public-private partnership concept and commercial CTI could thrive.

avatar
Kritika Roy
avatar
Michaela Prucková

Related

Featured image
Binding Edge
LGBTQ+ community grapples with hidden wave of digital abuse
Sara Seppanen 6 March 2024
Read more arrow
Featured image
Binding Edge
Predatory Sparrow: cyber sabotage with a conscience?
James Shires / Max Smeets / Hannah-Sophie Weber 9 December 2024
Read more arrow
Featured image
Binding Edge
Why hostage negotiation tactics don’t work on ransomware
Max Smeets 28 November 2024
Read more arrow

Terms and Conditions for the AI-Cybersecurity Essay Prize Competition

Introduction

The AI-Cybersecurity Essay Prize Competition (the “Competition”) is organized by Virtual Routes (“Virtual Routes”) in partnership with the Munich Security Conference (“MSC”). It is sponsored by Google (the “Sponsor”). By entering the Competition, participants agree to these Terms and Conditions (T&Cs).

Eligibility

The Competition is open to individuals worldwide who are experts in the fields of cybersecurity and artificial intelligence (“AI”). Participants must ensure that their participation complies with local laws and regulations.

Submission Guidelines

Essays must address the question: “How will Artificial Intelligence change cybersecurity, and what are the implications for Europe? Discuss potential strategies that policymakers can adopt to navigate these changes.”

Submissions must be original, unpublished works between 800-1200 words, excluding footnotes but including hyperlinks for references.

Essays must be submitted by 2 January 2025, 00:00 am CET., through the official submission portal provided by Virtual Routes.

Only single-authored essays are accepted. Co-authored submissions will not be considered.

Participants are responsible for ensuring their submissions do not infringe upon the intellectual property rights of third parties.

Judging and Awards

Essays will be judged based on insightfulness, relevance, originality, clarity, and evidence by a review board comprising distinguished figures from academia, industry, and government.

The decision of the review board is final and binding in all matters related to the Competition.

Prizes are as follows: 1st Place: €10,000; Runner-Up: €5,000; 3rd Place: €2,500; 4th-5th Places: €1,000 each. The winner will also be invited to attend The Munich Security Conference

Intellectual Property Rights

The author retains ownership of the submitted essay.

By submitting the essay, the author grants Virtual Routes exclusive, royalty-free rights to use, reproduce, publish, distribute, and display the essay for purposes related to the Competition, including but not limited to educational, promotional, and research-related activities.

The author represents, warrants, and agrees that no essay submitted as part of the essay prize competition violates or infringes upon the rights of any third party, including copyright, trademark, privacy, publicity, or other personal or proprietary rights, breaches, or conflicts with any obligation, such as a confidentiality obligation, or contains libellous, defamatory, or otherwise unlawful material.

The author agrees that the organizers can use your name (or your pseudonym) and an image of you in association with your essay for purposes of publicity, promotion and any other activity related to the exercise of its rights under these Terms.

The organizers may remove any essay-related content from its platforms at any time and without explanation.

The organizers may block contributions from particular email or IP addresses without notice or explanation.

The organizers may enable advertising on its platforms and associated social media accounts, including in connection with the display of your essay. The organizers may also use your Material to promote its products and services.

The organizers may, at its sole discretion, categorise Material, whether by means of ranking according to popularity or by any other criteria.

Data Protection

Personal information collected in connection with the Competition will be processed in accordance with Virtual Routes’ Privacy Policy. Participants agree to the collection, processing, and storage of their personal data for the purposes of the Competition.

Liability and Indemnity

Virtual Routes, MSC, and the Sponsor will not be liable for any damages arising from participation in the Competition, except where prohibited by law.

Participants agree to indemnify Virtual Routes, MSC, and the Sponsor against any claims, damages, or losses resulting from a breach of these T&Cs.

General Conditions

Virtual Routes reserves the right to cancel, suspend, or modify the Competition or these T&Cs if fraud, technical failures, or any other factor beyond Virtual Routes’ reasonable control impairs the integrity or proper functioning of the Competition, as determined by Virtual Routes in its sole discretion.

Any attempt by any person to deliberately undermine the legitimate operation of the Competition may be a violation of criminal and civil law, and, should such an attempt be made, Virtual Routes reserves the right to seek damages from any such person to the fullest extent permitted by law.

Governing Law

These Terms and Conditions are governed by the laws of the United Kingdom, without regard to its conflict of law principles. Any dispute arising out of or in connection with these Terms and Conditions, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the United Kingdom. The participants agree to submit to the exclusive jurisdiction of the courts located in the United Kingdom for the resolution of all disputes arising from or related to these Terms and Conditions or the Competition.