top of page

Threat Intelligence: A CISO ROI Guide - Automate to Increase Productivity

Updated: Jul 20, 2023

Automate Threat Intelligence to Stay Ahead of the Pack


In our last several entries we talked about how threat hunting capabilities pays for itself in terms of reducing the cost of data breaches, sunsetting overlapping threat intelligence sources and preventing supply chain and third party compromises before attackers pivot to reach your core systems. We also discussed the importance of having visibility into the external attack surface of M&A targets and subsidiaries and how that can pay off in identifying difficult to detect APTs.

Financial and Productivity gains from Cyber Threat Intelligence Automation

No ROI or cybersecurity budget discussion would be complete without discussing the productivity gains that analysts and other experts receive from automation. Being able to save a single, or two, or five FTE analysts time from performing the tedious work of updating block lists is payback enough. But imagine the huge win of being able to show how the organization saved more than $600K over three years by automating phishing block lists with real-time data. Keep reading and find out how they realized new areas of cost saving and productivity in just under six months, including:

  • Reallocation of 5 FTE security analysts from the soul-crushing work of manually updating a wide range of block lists for core services, networks, VPNs, and proxies

  • Vanquishing almost all email cleanup tasks required after a compromise, saving months in people hours and reducing disruption to business operations

  • Gaining efficiency and improving perimeter security by automating the updating of block lists in response to changes in attacker infrastructure

  • Equipping the IR team with the most relevant data to look at the right firewall log to determine if a malicious communication was attempted

The Payback of Proactive Security

This Fortune 10 organization has a sophisticated security team, with tools that most security teams would envy, but, their value far exceeds the funding they require.

A key component of Pure Signal Recon feed is that if [threat actors] get in, it doesn’t

mean that they can get anything out.” Lead security analyst

Year on year, the security team increases in strategic importance, making a sound financial business case to continue applying the appropriate level of budget to achieve the strategic outcomes.

Integrating Pure Signal™ Recon into an effective Cyber Threat Program is non-trivial. What it does enable though, is a seismic shift from reactive to proactive defense.

This means Pure Signal Recon is just one part of a strategic transformation to bring about a proactive security program, and move away from a reactionary security response of the past. The senior security leaders at our client knew they could start to get ahead of the attackers, but only if they could transition the team from performing reactive security processes to taking on more proactive security measures.

Everyone in the security team knows that the threat actors they deal with are determined to achieve their objectives, and are unlikely to go away soon. The team needed to make a shift and automate most of their reactionary security practices like the manual updating of block lists. At the same time, they needed to equip their team of elite threat hunters with the ability to scope out the wider, external threat landscape. This would allow them to undertake the more strategic work of understanding the origin of outside threats, and monitoring threat actor infrastructure to record how it evolves. Pure Signal™ Recon offered the team the ability to understand changes in infrastructure, and automate the changes in their block-lists in real time.

Automating Real Time Security Intelligence pays off, fast

First, they needed to onboard Pure Signal™ Recon into their environment. Unlike many solutions they have implemented, it did not involve the customary heavy lifting. Within days they were ingesting Pure Signal™ Recon data into their insight engine with a simple modification of existing scripts.


In a month or less, the team was able to use Recon’s APIs to complete significant data extractions.


Let’s look at one example of how they got quickly off the ground. A lead analyst took a good hard look at the external network telemetry data and was able to say with confidence, “‘Okay, this pattern right here looks like an exfiltration” and send it over to their IR team. With the nugget of data, they looked at the inside firewall logs to see which machine was involved with those communications. The endpoint was identified and remediation work could start immediately, not when it was already too late.

Prior to using Recon, the team was able to avoid most email cleanup processes due to effective rules and customized block lists. Soon after implementation, the arduous process of email cleanup pretty much disappeared from the list of things no one wants to do.

When it comes to automating block lists, what makes the threat intelligence from Pure Signal™ Recon unique is that it continually improves the fidelity of block lists with frequent movements of attacker infrastructure and their typical dynamic changes as they take place, not updating you a week later. If you haven’t already, check out how often malicious actors move their infrastructure in our blog here.

“We 100% trust the data we get from Recon. For other sources, we would have to vet new feeds to make sure they are clean and to monitor existing feeds. Monitoring would take at least 4 hours per month.” Lead security analyst

This supports automating custom block-lists on real-time processes for the core network, VPNs, proxies, and outbound proxies with real-time information.

In addition, this unique visibility that Recon provided helped them to trim down the number of intelligence feeds needed from 15 to five without missing anything as we’ve previously detailed. When speaking to Forrester analysts, security leaders said they were able to reallocate five FTE analysts due to a combination of Recon’s continued assistance to improving security rules and block lists.

The financial gains

For the purposes of determining labor cost savings, 50% of financial benefit was due to their usage of Recon reducing wasted labor time associated with tackling and cleaning up phishing attacks.

The result? $600K cost savings to the budget over three years.

CISO Tools:

Learn more about how you can get started on the path towards reducing data breaches and utilizing real-time threat intelligence, request a free copy of the full financial analysis of Threat Reconnaissance here.

Engage your analysts directly with our Security Architects and expert practitioners via our Sales Team, starting here.

1 Comment

Because of efficient rules and personalized block lists, the team was able to circumvent most email cleansing procedures before utilizing Recon. geometry dash world

bottom of page