The issue arises from the fragmented nature of these databases, which remain isolated based on the provider-client relationship. This fragmentation forces organizations to make a choice: either continue using threat intelligence providers they are affiliated with and respond to a limited number of alerts, an inefficient approach that inevitably leaves some threats undetected, or allocate substantial resources to expand their security toolset in hopes of capturing more threats. The latter approach risks inflating security budgets and creates unrealistic expectations of resilience, potentially damaging the reputation of the security team if it fails.
Although it is expected to miss unknown attack vectors (by definition, they are unknown), the tragedy of the current relationship between threat intelligence and defensive security is the unnecessary escape of known threats. These known threats should be entirely preventable.
A Broken Internet and the Path to Repair The current threat intelligence ecosystem leaves us with an internet that predominantly serves two groups: security providers, who charge exorbitant fees for access to their threat intelligence tools, knowing they offer incomplete threat coverage, and threat actors who exploit the existing, unworkable system with impunity.
