Amplifying Cyber Threat Intelligence with AI: A Pragmatic, Maturity Driven Approach

Against a backdrop of heightened geopolitical tensions, recent years have been marked by an upsurge in cyber threats, illustrated by the strengthening of attackers’ capabilities, the diversification of their tactics and even the enhancement of their operations thanks to artificial intelligence (ANSSI, Cyberthreat Landscape Overview 2025).

In this context, integrating Cyber Threat Intelligence (CTI) into organizations’ cybersecurity strategy and overall posture has become a key asset to anticipating increasingly sophisticated and innovative attacks and their potential operational impacts. Indeed, CTI provides early insight into potential threats and supports proactive posture by strengthening detection, reinforcing defenses, and enhancing incident responses. More than just collecting raw indicators, it constitutes a decision-driven process, aimed at improving the understanding of adversaries by turning data into actionable intelligence capable of answering precise cybersecurity questions.

In general, we distinguish three complementary forms of intelligence to reinforce an organization’s cybersecurity posture:

  • Strategic, guiding long‑term decisions and investment priorities,
  • Tactical, analyzing attackers’ tools and Tactics, Techniques and Procedures (TTPs) to shape defensive posture,
  • Operational and technical, providing actionable details such as Indicators of Compromise (IoCs) and Indicators of Attack (IoAs) to counter specific, recent threats.

As CTI spans multiple levels of decision‑making, its effectiveness depends on an organization’s ability to process growing volumes of heterogeneous data, detect weak signals, and produce actionable intelligence across all layers. These capabilities remain highly challenging for traditional CTI tools given data volume and heterogeneity. Throughout this article, we will present several use cases in which the use of enterprise-internal AI acts as a powerful lever to truly enhance CTI. To do so, our analysis is grounded in the CTI‑CMM model, which provides stakeholders with a structured framework for strengthening their CTI maturity. Designed to assess a program’s maturity and capability growth, the CTI‑CMM proposes a comprehensive mapping of CTI use cases across eleven domains, providing a clear and systematic foundation for evaluating where AI can most effectively enhance CTI activities.

Not all AI use cases in CTI deliver the same value or should be approached in the same way. Building on its experience across CTI engagements, Wavestone has developed a three-tier model – Safe Wins, Accelerators, and Frontier Bets – designed to structure use cases based on their AI maturity, impact on decision-making, and alignment with an organization’s CTI maturity.


A Maturity-Based 3-Tier Model for AI-Enhanced CTI Use Cases


Safe Wins

“Safe Wins” are use cases where AI can already improve CTI performance with minor changes to a “traditional” CTI governance model (i.e., analyst accountability, validation and dissemination workflows, and control over what is automated versus what remains expert judgment). They are low-regret and easy to implement, delivering fast ROI by automating high-volume tasks such as filtering, enrichment, and correlation. Outputs are reversible, errors are easy to detect, and AI is typically used for triage or processing, making them ideal entry points.


AI to enhance threat detection and preparedness (1a.)

AI has become a powerful ally in processing and correlating unstructured data collected through Threat Intelligence Platforms (TIP) so that it can be transformed into actionable intelligence. While organizations should rely on a TIP for collecting IoCs and IoAs from human-selected qualitative feeds and OSINT sources, the true added value of enterprise-controlled AI for attack prevention and preparedness lies in its capacity to improve the quality of incoming data through confidence scoring. Given its capacity to process vast amounts of data quickly (IPs, domains, hashes, behaviors, etc.), AI can be used to correlate features (e.g., similarities to past malware, links to threat actors, unusual behavior) and verify false positives in incoming IoCs in order to assign a confidence score and avoid blocking relevant information on the Blue Team side.


AI to structure and standardize CTI data analysis and report (1b.)

AI can support CTI teams by assisting in the analysis of raw intelligence data from multiple sources using large language models. It helps restructure reports according to standardized models such as STIX, ensuring that the right information is placed in the appropriate fields. Attacker procedures, techniques, and contextual elements can be extracted and transformed into structured data in a consistent manner. This improves overall data quality, readability, and interoperability with TIPs and downstream security tools. As a relatively simple and low risk use case, it primarily acts as an analyst productivity booster for structuring reports in a standardized format.
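As an added illustration (not code from the article or from Wavestone), the function below takes the fields a model might extract from a report and maps them into a STIX 2.1 bundle, treating the model output as untrusted: each value is checked before it is placed in a field, so a hallucinated hash or technique id is rejected rather than ingested by the TIP. The actor name, hash and dates are constructed placeholders, and the shape of the extracted dictionary is an assumption.

```python
import re
import uuid
from datetime import datetime, timezone

# Constructed sample of fields an LLM might pull from a vendor report (the shape is assumed)
EXTRACTED = {
    "actor": "PlaceholderActor",                  # not a real group name
    "technique_id": "T1566.001",                  # ATT&CK: Spearphishing Attachment
    "technique_name": "Spearphishing Attachment",
    "sha256": "a" * 64,                           # dummy digest constructed for the example
    "first_seen": "2025-01-15",
}


def validate(extracted):
    """Check model output before it reaches any STIX field; returns a list of problems."""
    errors = []
    if not re.fullmatch(r"[0-9a-f]{64}", extracted.get("sha256", "")):
        errors.append("sha256 is not a 64-char hex digest")
    if not re.fullmatch(r"T\d{4}(\.\d{3})?", extracted.get("technique_id", "")):
        errors.append("technique_id is not an ATT&CK technique id")
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", extracted.get("first_seen", "")):
        errors.append("first_seen is not an ISO date")
    return errors


def new_id(stix_type):
    return f"{stix_type}--{uuid.uuid4()}"


def build_bundle(extracted):
    """Map validated fields into a STIX 2.1 bundle: intrusion-set, attack-pattern, indicator."""
    errors = validate(extracted)
    if errors:
        raise ValueError("; ".join(errors))
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    common = {"spec_version": "2.1", "created": ts, "modified": ts}
    actor = {"type": "intrusion-set", "id": new_id("intrusion-set"), "name": extracted["actor"], **common}
    technique = {"type": "attack-pattern", "id": new_id("attack-pattern"), **common,
                 "name": extracted["technique_name"],
                 "external_references": [{"source_name": "mitre-attack",
                                          "external_id": extracted["technique_id"]}]}
    indicator = {"type": "indicator", "id": new_id("indicator"), **common, "pattern_type": "stix",
                 "pattern": f"[file:hashes.'SHA-256' = '{extracted['sha256']}']",
                 "valid_from": extracted["first_seen"] + "T00:00:00.000Z"}
    uses = {"type": "relationship", "id": new_id("relationship"), **common, "relationship_type": "uses",
            "source_ref": actor["id"], "target_ref": technique["id"]}
    indicates = {"type": "relationship", "id": new_id("relationship"), **common,
                 "relationship_type": "indicates", "source_ref": indicator["id"], "target_ref": actor["id"]}
    return {"type": "bundle", "id": new_id("bundle"), "objects": [actor, technique, indicator, uses, indicates]}
```

The resulting bundle can be serialized with `json.dumps` and pushed to any STIX 2.1-capable TIP; the validation step is where an analyst review or a stricter schema check would plug in.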


AI to operationalize CTI for offensive security operations (1c.)

When it comes to red and purple team activities, AI acts as a strong enabler by helping CTI teams identify recurring TTPs across reports, cluster similar procedures, and consolidate duplicates into exploitable building blocks. AI can support analysts in extracting the most relevant information from threat reports and OSINT to maintain a consistent and actionable threat-driven knowledge base. AI can also help generate macro scenarios based on threat reports and publicly available intelligence, including actor selection and attack patterns. However, to be considered a safe win it must remain a decision-support tool, as end-to-end technical scenario generation would require sensitive data, an adequate responsibility model, and data confidentiality safeguards to avoid improper exposure and misuse.


AI to support strategic alignment of intelligence requirements (1d.)

AI can also support the definition and refinement of priorities and objectives within the threat intelligence function. More specifically, AI participates in accelerating analytical processes by assisting in the drafting and continuous refinement of priority intelligence requirements (PIRs) and proposing stakeholder-tailored reporting frameworks. It also helps distill complex program signals into intermediate insights, enabling analysts to focus on interpretation and decision‑making. Human validation remains essential to ensure alignment with the organization’s broader cyber strategy and performance frameworks. However, failing to account for AI’s inherent limitations, particularly in terms of accuracy, reliability, and explainability, may introduce significant risks, including the generation of misleading insights that could misalign intelligence outputs with enterprise cybersecurity objectives.


These “Safe Wins” illustrate how AI can already strengthen CTI across several operational dimensions: improving the quality and exploitation of intelligence data for defensive activities (a), accelerating the structuring and usability of CTI reporting (b), supporting threat-informed offensive security operations through better TTP extraction and scenario preparation (c), and assisting in the drafting of intelligence requirements and the design of reporting (d). By enhancing efficiency, consistency, and scalability across these activities, these use cases establish a strong foundation for the next tier of applications, where AI supports more analytical and decision-driven processes requiring greater maturity and governance.


Safe Wins Use Cases Across the CTI Lifecycle


High-Potential Accelerators

“High-potential Accelerators” target more mature CTI teams, where AI acts as a force multiplier rather than a substitute for expertise. They significantly amplify analyst productivity by scaling detection, supporting hypothesis generation, and translating intelligence into actionable outputs. However, these use cases require high-quality contextual data, structured processes, and robust governance (e.g., human-in-the-loop, explainability, feedback loops) to ensure reliable and controlled outcomes.


AI to scale financial fraud and brand impersonation detection (2a.)

AI can enhance CTI by scaling the identification of fraud and brand impersonation assets across large data streams and monitored perimeters. It enables the detection of newly created lookalike domains and cloned websites/logos across domains using NLP[1], computer vision, and behavioral analytics. These assets can be enriched with technical indicators (DNS, hosting infrastructure, registration patterns) and contextual signals (content similarity, redirection flows), then correlated into coherent attack campaigns and ingested into TIPs. The resulting intelligence can be disseminated to blue teams to support detection, blocking, and take-down actions. While the automation of large-scale discovery and triage allows CTI teams to focus on validation, prioritization, and business impact, it requires strong governance and coordination between CTI, fraud/brand protection, legal, and security operations teams to minimize false positives and ensure effective response.
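As an added example (not from the article or Wavestone), here is the kind of lookalike-domain triage a brand-protection pipeline runs on a feed of newly registered domains: each candidate is reduced to an ASCII "skeleton" (punycode decoded, accents stripped, digit and pair substitutions undone) and compared with the protected brand. The brand names, own domains and candidate domains are constructed for the example; mapping a domain to its registrable label uses the second-level label only, so multi-label suffixes such as `co.uk` would need a public-suffix list in practice.

```python
import unicodedata
from difflib import SequenceMatcher

# Assumed inputs (constructed): brand names to protect and the organisation's own domains
BRANDS = ["examplebank"]
OWN_DOMAINS = {"examplebank.com", "examplebank.fr"}

# Single-character substitutions commonly seen in lookalike registrations
DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
# Multi-character tricks that str.translate cannot express
PAIR_SWAPS = (("rn", "m"), ("vv", "w"))


def normalize_label(domain):
    """Reduce the registrable label of a domain to a plain-ASCII skeleton."""
    parts = domain.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) > 1 else parts[0]   # naive: ignores suffixes like co.uk
    if label.startswith("xn--"):                        # IDN: decode punycode first
        label = label.encode("ascii").decode("idna")
    label = unicodedata.normalize("NFKD", label)         # split accented chars into base + mark
    label = "".join(c for c in label if not unicodedata.combining(c))
    label = label.encode("ascii", "ignore").decode()     # drop anything still non-ASCII
    for pair, single in PAIR_SWAPS:
        label = label.replace(pair, single)
    return label.translate(DIGIT_SWAPS).replace("-", "")


def classify(domain, brands=BRANDS, threshold=0.85):
    """Return (verdict, similarity) for a newly observed domain."""
    if domain.lower() in OWN_DOMAINS:
        return "own", 1.0
    label = normalize_label(domain)
    best = 0.0
    for brand in brands:
        if label == brand:
            return "exact-lookalike", 1.0      # homoglyph or typo resolving to the brand itself
        if brand in label:
            return "contains-brand", 1.0       # e.g. brand-login, brand-secure
        best = max(best, SequenceMatcher(None, label, brand).ratio())
    return ("lookalike" if best >= threshold else "benign"), round(best, 2)


# Constructed candidates, as they might arrive from a newly-registered-domains feed
CANDIDATES = ["examplebank.com", "exarnplebank.com", "examp1ebank-login.net",
              "exámplebank.com", "examplebnak.com", "weather.org"]
```

Verdicts other than `benign` are the items that deserve enrichment (DNS, hosting, registration data) and analyst validation before any blocking or take-down request.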


AI to prioritize vulnerability patching (2b.)

AI can support vulnerability management by dynamically prioritizing patching efforts based on threat intelligence, underlying technologies, and the exposure and criticality of business applications. By combining threat context, exploit activity, asset environment, and enterprise-specific constraints, AI can estimate a risk score for each vulnerability. This score is used to raise targeted alerts and guide patching teams toward the most critical remediation actions. The approach embeds all threat-related elements within the organization’s context, allowing AI to act as an intelligent decision-support layer rather than a generic scoring mechanism. The complexity of this use case arises from the need for AI to access and correlate large volumes of sensitive and critical data across security, IT, and asset management systems.
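To make the "context-aware score rather than generic severity" point concrete, here is an added example (not the article's or Wavestone's code) of an explainable scoring function that joins CVSS severity with exploit activity, sector-relevant actor use, exposure, asset criticality and compensating controls. The weights, the field names and the `CVE-0000-000x` identifiers are constructed placeholders, not real records.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """One vulnerability instance joined with CTI and asset context (all fields assumed)."""
    cve: str                    # placeholder ids below, not real CVE records
    cvss: float                 # base severity, 0-10
    exploited_in_wild: bool     # e.g. present in a known-exploited feed
    exploit_public: bool        # working exploit code is publicly available
    actor_targets_sector: bool  # CTI: an actor relevant to our sector uses this CVE
    internet_exposed: bool      # from attack-surface / CMDB data
    asset_criticality: int      # 1 (low) to 3 (business-critical), from the CMDB
    compensating_control: bool  # e.g. WAF rule or segmentation already in place


def risk_score(f):
    """Context-weighted score on a 0-10 scale; every factor stays visible for explainability."""
    severity = f.cvss / 10
    threat = 1.0 if f.exploited_in_wild else 0.6 if f.exploit_public else 0.2
    if f.actor_targets_sector:
        threat = min(1.0, threat + 0.3)
    exposure = 1.0 if f.internet_exposed else 0.4
    if f.compensating_control:
        exposure *= 0.5
    impact = f.asset_criticality / 3
    score = 10 * (0.35 * severity + 0.35 * threat + 0.15 * exposure + 0.15 * impact)
    return round(score, 2)


def prioritize(findings):
    """Return (score, finding) pairs ordered from most to least urgent."""
    return sorted(((risk_score(f), f) for f in findings), key=lambda t: -t[0])


# Constructed sample of what a scanner + CMDB + TIP join could yield
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, False, False, False, False, 1, False),  # critical CVSS, no context
    Finding("CVE-0000-0002", 7.2, True, True, True, True, 3, False),      # exploited, exposed, crown jewel
    Finding("CVE-0000-0003", 7.2, True, True, True, True, 3, True),       # same, but mitigated
]
```

On the sample the CVSS 7.2 finding with live exploitation on an exposed critical asset outranks the CVSS 9.8 one that has no threat or exposure context, which is exactly the reordering a generic severity feed cannot produce.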


AI to support threat hunting and penetration testing (2c.)

When it comes to guiding proactive hunt hypotheses and prioritizing them using threat‑actor TTPs, campaigns, and priority intelligence requirements, AI adds real momentum. It can help generate hunting hypotheses from observed TTPs, turn them into queries or playbooks, highlight which hunts should come first based on PIRs, vulnerabilities, or asset signals, and summarize the results of ongoing investigations. Paired with an internal knowledge base or RAG[2]‑enhanced context, AI helps hunters move through their environment with greater clarity and focus. Additionally, AI can assist teams in the execution of penetration testing and adversary simulation activities. By automating offensive workflows and simulating complex, real-world attack scenarios, it enables more scalable, efficient, and realistic testing, helping teams keep pace with increasingly AI-enabled threats. However, this does not imply that AI can replace CTI and offensive security teams. Success in AI-supported penetration testing relies on expert control, business awareness, and rigorous risk management. Human expertise remains essential for interpreting results and making informed decisions.


Taken together, these High-potential Accelerator cases show how AI amplifies CTI across three core functions: detecting financial fraud and brand impersonation threats (a), prioritizing vulnerability patching (b), and enhancing proactive threat hunting and validation of adversary behaviors (c). Acting as a force multiplier rather than a substitute, AI accelerates intelligence exploitation, improves prioritization, and strengthens decision-making.


Frontier Bets

“Frontier Bets” represent more complex and experimental AI applications in CTI, requiring significant transformation of operating models and strong governance frameworks. Compared to the two other tiers, they involve higher uncertainty, stronger dependency on data quality, and risks that are harder to detect or control (e.g., bias, hallucination, strategic misalignment). As such, they should be approached through controlled experimentation, with strict guardrails, human oversight, and iterative validation before scaling.


AI to improve situational awareness of the cyber threat landscape (3a.)

AI could help maintain a comprehensive understanding of the cyber threat landscape by serving as a preliminary layer of analysis before CTI experts validate and expand it. More broadly, it could enable the continuous synthesis of the threat landscape from OSINT sources, partners, and vendors, and the detection of emerging trends and correlations for informed strategic decision-making. While the autonomous drafting of CTI reports by large language models raises the risk of biased outputs and AI hallucinations, AI should initially be used to support analysts in drafting activities so that they gain time for the analysis of cyber threats, serving as a pragmatic first step toward broader AI integration in this use case. The market maturity for use cases supporting the full intelligence lifecycle remains limited, with few industrialized and proven solutions available.


AI to enhance identity-based threat detection and response (3b.)

AI could strengthen CTI for identity‑driven use cases by enabling earlier detection of attacker behaviors and supporting deception techniques such as honey accounts[3] or canary tokens[4] to expose and divert adversaries. By treating identities as active sensors, organizations can surface stealthy attacker activity before full compromise. AI could help scale these mechanisms by automating deployment, continuously tuning detection signals, and correlating weak indicators. It could also reduce analyst workload through intelligent alert triage, prioritizing high‑confidence identity‑related threats over noise. Despite its high potential for CTI and IAM teams, this use case remains at an experimental stage due to the limited maturity of identity‑centric deception techniques, integration complexity with IAM and SOC processes, and the need for strong governance to avoid false positives, operational overhead, or unintended exposure of deception assets.
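As an added example (not from the article or Wavestone), the triage below shows what "identities as active sensors" means in practice: any use of a honey account or canary token is by definition high-confidence, since no legitimate workflow touches them, and the source that triggered it then taints its other, individually weak, activity. The log format, account names, token id and sample lines are constructed for the example.

```python
import re

# Assumed inventory of deception assets (constructed placeholders, owned by the IAM/CTI team)
HONEY_ACCOUNTS = {"svc_backup_admin", "finance.archive"}
CANARY_TOKENS = {"tok-9f3a"}   # token id embedded in a planted document link

# Constructed line format, e.g. normalized IdP or endpoint authentication events
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\w+) user=(?P<user>\S+) src=(?P<src>\S+)(?: token=(?P<token>\S+))?")

SAMPLE_LOG = """\
2025-03-01T08:00:01Z login_fail user=alice src=10.0.5.7
2025-03-01T08:00:09Z login_ok user=alice src=10.0.5.7
2025-03-01T08:02:33Z login_fail user=svc_backup_admin src=10.0.9.42
2025-03-01T08:02:35Z login_ok user=bob src=10.0.9.42
2025-03-01T08:05:10Z canary_hit user=- src=203.0.113.8 token=tok-9f3a
2025-03-01T08:07:00Z login_fail user=carol src=10.0.6.3
"""


def triage(log_text):
    """Return (priority, timestamp, message) alerts, highest priority first.

    Priority 3: deception asset touched (never noise). Priority 2: other activity from a
    source that touched one. Ordinary failed logins are left out of the analyst queue.
    """
    events = [m.groupdict() for m in map(LOG_RE.match, log_text.splitlines()) if m]
    tainted = set()                     # sources that interacted with a deception asset
    alerts = []
    for e in events:
        if e["user"] in HONEY_ACCOUNTS:
            alerts.append((3, e["ts"], f"honey account {e['user']} used from {e['src']}"))
            tainted.add(e["src"])
        elif e["token"] in CANARY_TOKENS:
            alerts.append((3, e["ts"], f"canary token {e['token']} triggered from {e['src']}"))
            tainted.add(e["src"])
    # Second pass: weak signals from a tainted source are elevated through correlation
    for e in events:
        if e["src"] in tainted and e["user"] not in HONEY_ACCOUNTS and e["user"] != "-":
            alerts.append((2, e["ts"], f"{e['event']} for {e['user']} from tainted source {e['src']}"))
    return sorted(alerts, key=lambda a: (-a[0], a[1]))
```

On the sample, the failed login against `svc_backup_admin` and the canary hit come out first, bob's otherwise unremarkable successful login from the same source is elevated, and the failed logins for alice and carol never reach the queue.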


AI is already transforming how organizations produce and use cyber threat intelligence, not by replacing analysts, but by amplifying their ability to process information and enhance decision-making at scale. This article highlights where enterprise-internal AI can deliver value to CTI by focusing on the use cases most relevant in practice. To structure this approach, we introduced a pragmatic three-tier model to help prioritize efforts and adopt AI progressively based on the organization’s maturity, from low-risk “Safe Wins” to more advanced use cases dependent on high-quality data, robust governance as well as human oversight and AI model explainability.

Organizations should therefore focus on applying AI where it creates measurable value and aligns with their level of maturity, reinforcing a key reality: AI does not create CTI maturity, it amplifies it. Recent developments such as Anthropic’s Mythos also illustrate a broader shift in the cyber landscape: AI is beginning to compress the gap between vulnerability discovery and operational exploitation, while significantly reducing the cost and complexity of large-scale offensive operations. While the exact pace and scale of this evolution remain uncertain, it highlights the need for organizations to become “Mythos-ready” by enabling teams to leverage AI for defense while ensuring robust cybersecurity fundamentals.

At Wavestone, we support organizations in navigating this transformation, from identifying high-potential use cases to implementing AI in a controlled, scalable, and value-driven manner across their CTI capabilities.



[1] NLP (Natural Language Processing): AI techniques used to analyze and understand human language in text or speech

[2] RAG (Retrieval‑Augmented Generation): AI approach in which a generative model is systematically enriched with relevant contextual information retrieved from curated knowledge sources at query time, allowing it to produce outputs that are better aligned with a given operational or analytical context

[3] Honey account: A decoy user account created to mimic a legitimate identity, used to detect unauthorized access when an attacker attempts to use it

[4] Canary token: A planted digital artifact (e.g., credential, file, or link) that triggers an alert when accessed or used, revealing potential malicious activity
