Beyond Vanity Counts — A Field-Tested Blueprint for CTI Metrics That Boards Repeat

Date: 09 Oct 2025


Cyber-threat intelligence teams mint more data than a Vegas slot machine, yet most board decks still open with “1,234 IOCs added this month”. That number dies on the slide. Below is a vendor-neutral recipe forged during the 2025 SANS CTI Summit and battle-tested in three Fortune-500 briefings this summer. It produces metrics senior leadership quotes in the hallway — and funds the next FTE.


1. Start With the Question, Not the Spreadsheet

Before anyone opens a tool, finish this sentence:
“If CTI were gone tomorrow, ___ dollars would be at risk and ___ process would stall.”
Write the answer on a Post-it. Everything that follows must glue back to those two blanks.


2. Pick One Metric From Each Bucket

Bucket         | Purpose             | 2025 Example                                            | Free Data Source
---------------|---------------------|---------------------------------------------------------|-------------------------
Administrative | Prove baseline cost | “Licensed feeds per $1 M revenue”                       | Invoice CSV + head-count
Performative   | Show cadence        | “Mean time from RFI to deliverable (hours)”             | JIRA API
Operational    | Tie to risk         | “% of high-confidence TTPs that became detection logic” | Git blame on Sigma rules

Drop any indicator that cannot be tied to one of the three within 30 seconds.


3. Kill the Vanity Counts

  • IOC volume → replaced by “% of IOCs that fired in production within 14 days”
  • Report count → replaced by “% of reports cited in post-incident reviews”

If a metric celebrates effort, not outcome, delete it.
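The two outcome ratios above are easy to compute once the feed and the SIEM alert log are joined on the IOC value. The script below is an added example, not code from the original post or its repository; the IOC, alert, report and post-incident-review records are constructed sample data, and the field names (`value`, `added`, `ioc`, `fired`) are assumptions about how such exports might look.

```python
"""Outcome metrics that replace vanity counts (added example, constructed data)."""
from datetime import date, timedelta

# Constructed sample data: IOCs added to the feed this month (value, date added).
IOCS = [
    {"value": "198.51.100.7", "added": date(2025, 9, 1)},
    {"value": "203.0.113.9", "added": date(2025, 9, 3)},
    {"value": "bad.example.net", "added": date(2025, 9, 5)},
    {"value": "evil.example.org", "added": date(2025, 9, 10)},
]

# Constructed sample data: production alerts that matched an IOC, and when.
ALERTS = [
    {"ioc": "198.51.100.7", "fired": date(2025, 9, 4)},   # 3 days after added: inside window
    {"ioc": "203.0.113.9", "fired": date(2025, 9, 30)},   # 27 days after added: outside window
    {"ioc": "198.51.100.7", "fired": date(2025, 9, 6)},   # second hit on the same IOC, counted once
    {"ioc": "10.0.0.5", "fired": date(2025, 9, 6)},       # not from the feed, ignored
]


def pct_iocs_fired(iocs, alerts, window_days=14):
    """Share of feed IOCs that produced at least one production alert
    within window_days of being added. Duplicate hits count once."""
    if not iocs:
        return 0.0
    added = {i["value"]: i["added"] for i in iocs}
    fired = set()
    for a in alerts:
        start = added.get(a["ioc"])
        if start is None:
            continue  # alert on something the feed never supplied
        if start <= a["fired"] <= start + timedelta(days=window_days):
            fired.add(a["ioc"])
    return 100.0 * len(fired) / len(added)


# Constructed sample data: report identifiers and post-incident review text.
REPORTS = ["CTI-2025-041", "CTI-2025-042", "CTI-2025-043"]
PIR_TEXTS = [
    "Root cause traced to the phishing kit described in CTI-2025-041.",
    "Containment delayed; no prior intelligence was available.",
    "Detection rule derived from CTI-2025-041 and CTI-2025-043 fired first.",
]


def pct_reports_cited(reports, pir_texts):
    """Share of CTI reports referenced by at least one post-incident review."""
    if not reports:
        return 0.0
    cited = {r for r in reports if any(r in text for text in pir_texts)}
    return 100.0 * len(cited) / len(reports)


if __name__ == "__main__":
    print(f"IOCs fired within 14 days: {pct_iocs_fired(IOCS, ALERTS):.1f}%")
    print(f"Reports cited in PIRs:     {pct_reports_cited(REPORTS, PIR_TEXTS):.1f}%")
```

On the sample data only one of four IOCs fires inside the 14-day window (25 %), and two of three reports are cited (66.7 %); the 27-day hit is deliberately excluded to show why the window matters.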

4. Make the Business Save Real

Formula: (Number of prevented incidents) × (Average cost per incident)
Average cost: Use your cyber-insurance retention (e.g., $75 k) — finance already recognises that figure.
Result: A Midwest manufacturer showed a $2.4 M saving in 2025 Q2; the board approved two extra CTI hires on the spot.


5. Keep Collection Overhead Low

  • JIRA Cloud: turn on “Time in Status” native gadget — zero scripting.
  • Sigma Git repo: count merged rules tagged “cti-source” — one grep command.
  • GreyNoise CLI: flag IPs that later appear in internal firewall blocks — one cron job.

All scripts are in the open-source repo below; no licences, no sales calls.
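As an added example (not the post's own scripts) of how little code the performative and operational buckets need: the first function mirrors the one-grep-command tag count over Sigma rule files, the second computes mean RFI cycle time from ticket timestamps. The rule texts and ticket records are constructed samples; the `created`/`resolved` field names and the assumption that an unresolved RFI is excluded from the mean are assumptions, not the JIRA API's output format.

```python
"""Low-overhead collection for two bucket metrics (added example, constructed data)."""
import re
from datetime import datetime
from statistics import mean

# Constructed sample data: path -> Sigma rule YAML text, as read from the Git repo.
SIGMA_RULES = {
    "rules/proc_creation_win_susp_lolbin.yml": """title: Suspicious LOLBin Use
status: experimental
tags:
    - attack.execution
    - attack.t1218
    - cti-source
detection:
    condition: selection
""",
    "rules/net_dns_long_txt.yml": """title: Long DNS TXT Query
status: stable
tags:
    - attack.command_and_control
detection:
    condition: selection
""",
    "rules/web_webshell_upload.yml": """title: Webshell Upload
tags:
    - attack.persistence
    - cti-source
detection:
    condition: selection
""",
}

# Same match a `grep -lE '^\s*-\s*cti-source\s*$'` over the rule tree would make.
CTI_TAG = re.compile(r"^\s*-\s*cti-source\s*$", re.MULTILINE)


def count_cti_sourced_rules(rules):
    """Number of rule files carrying the cti-source tag (each file counted once)."""
    return sum(1 for text in rules.values() if CTI_TAG.search(text))


# Constructed sample data: RFI tickets with ISO-8601 created/resolved timestamps.
RFI_TICKETS = [
    {"key": "CTI-101", "created": "2025-09-01T09:00:00", "resolved": "2025-09-02T09:00:00"},  # 24 h
    {"key": "CTI-102", "created": "2025-09-03T08:00:00", "resolved": "2025-09-03T20:00:00"},  # 12 h
    {"key": "CTI-103", "created": "2025-09-05T10:00:00", "resolved": None},                   # still open
]


def mean_rfi_hours(tickets):
    """Mean hours from RFI creation to deliverable; open tickets are excluded
    (assumption) so a backlog does not silently shrink the number."""
    durations = []
    for t in tickets:
        if not t["resolved"]:
            continue
        created = datetime.fromisoformat(t["created"])
        resolved = datetime.fromisoformat(t["resolved"])
        durations.append((resolved - created).total_seconds() / 3600)
    return mean(durations) if durations else 0.0


if __name__ == "__main__":
    print(f"CTI-sourced Sigma rules: {count_cti_sourced_rules(SIGMA_RULES)}")
    print(f"Mean RFI cycle time:     {mean_rfi_hours(RFI_TICKETS):.1f} h")
```

The tag regex is anchored to a whole YAML list item so that a rule whose title merely mentions the word is not counted; the open-ticket exclusion is worth stating in the scorecard footnote, since it is exactly the kind of assumption section 6 asks you to record.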

6. Present in a One-Page Scorecard

Layout:

  • Green / Amber / Red traffic light for each of the three bucket metrics.
  • Footnote: assumption, data source, owner.

Distribution: PDF for auditors, Confluence page for engineers, 60-second Loom video for executives.
No one reads past page one.

7. Iterate Like Software

  • Freeze the metric set for two quarters — resist ad-hoc requests.
  • After 180 days, retire anything that failed to change a decision.
  • Version-control the scorecard in Git; diff view shows maturity over time.

8. Quick-Start Repo

github.com/cti-metrics-2025/beyond-vanity

  • JIRA-insight.py → exports RFI cycle time
  • sigma-tag-count.sh → counts CTI-driven detection rules
  • prevent-calc.xlsx → business-save calculator pre-loaded with US insurance averages

Bottom Line

Boards fund what they can quote. Give them a three-metric story that ends in money saved or risk avoided, and CTI stops being a cost centre—it becomes the team that keeps the lights on.
