Any examples you can share of effective use cases for threat intelligence beyond cybersecurity? Have you had success applying threat intelligence beyond IT/cybersecurity to increase its ROI or better justify that investment?

Director of Information Security, 2 days ago

Something I've been working on putting together below to measure ROI. But some key areas are APIs exposed, test & marketing sites that never got taken down, and licenses are a big one: so if your platform can see licenses for software/etc. as well and you find those servers/whatever are still just sitting out there with licenses they don't need, well, that = COST SAVINGS for business.

Don't forget the gaps you find and plug/remediate also contribute to ROI in many ways. IF someone had taken advantage, what could have been the impact, and so on!

Key Measures of Success for Cyber Threat Intelligence

Operational Metrics
• Threat Detection Rate: Percentage of threats identified by CTI that were successfully detected and mitigated before causing harm.
• Time to Detection (TTD): Average time it takes to identify a potential threat after initial exposure or compromise.
• Incident Response Time (IRT): Time taken to respond to and remediate security incidents based on intelligence insights.

Strategic Metrics
• Threat Actor Profiling Accuracy: Percentage of accurate threat actor profiles or attribution reports generated through CTI.
• Threat Intelligence Utilization: Percentage of intelligence reports/actionable insights used by security operations or decision-makers.
• Reduction in False Positives: Decrease in the number of irrelevant alerts provided to security teams due to refined intelligence feeds.

Financial Metrics
• Cost Savings from Threat Prevention: Financial savings resulting from preventing incidents through actionable CTI (e.g., avoiding ransomware payouts or data breach fines).
• Return on Investment (ROI): The financial return gained from investing in CTI tools, training, and services compared to losses mitigated.

Engagement Metrics
• Collaboration Success: Number of successful collaborations with external organizations, such as Information Sharing and Analysis Centers (ISACs) or other industry peers.
• Cross-Team Adoption Rate: Percentage of internal teams (e.g., SOC, risk management, incident response) actively integrating CTI into their workflows.

Capability Metrics
• Threat Feed Coverage: The extent to which CTI tools monitor and cover diverse threat landscapes, including emerging threats, zero-days, and geopolitical risks.
• Enrichment Success Rate: Percentage of raw threat data successfully enriched with context, such as attribution, tactics, techniques, and procedures (TTPs).

Risk Reduction Metrics
• Decrease in Vulnerability Exploits: Reduction in the exploitation of known vulnerabilities due to proactive CTI-driven patch management. So ALL teams involved in IVM would benefit from prioritization of CVEs/etc. Well, most threat intel platforms show you what's exploited in the wild; if you can whittle/prioritize that list for those folks, that is ROI as well. Especially if you start to tie in potential threat actors who are performing recon/etc. on your network. Then those TTPs go into the SIEM, IOCs into the security device at the appropriate layer(s), and you should be able to get metrics from the SIEM or other security tool showing when those IOCs ARE blocked. Makes it real, you know.
• Prevention of Supply Chain Attacks: Number of potential supply chain threats detected and mitigated through CTI insights.

Proactivity Metrics
• Threat Hunting Efficiency: Number of proactive threat-hunting missions conducted based on intelligence findings and the success rate of these operations.
• Emerging Threat Awareness: Percentage of emerging threats or TTPs identified through CTI before being exploited in the wild.

Customer Impact Metrics
• Customer Satisfaction (CSAT): Improvement in customer trust and satisfaction due to reduced cyber incidents or faster response times. (So if a server goes down 4x a month, and threat intel and the SOC team can figure out a technical solution that prevents that (even if it was never caused by security), well, that is a WIN for business/customers (Avail).)
• Reduction in Fraudulent Transactions: Decline in successful fraud attempts or account takeovers due to intelligence-driven security measures. (THIS one I should have said first: we work closely with our Fraud team and, believe it or not, they have had technical barriers, or were doing something on their end that could be vastly improved with some existing technology and know-how.)

AUDIT:
Track ALL your inputs to Audits and Compliance to correlate to benchmarks and ROI as well. 

Wouldn't let me upload the doc, so I had to fix some formatting manually. Either way, I hope you find some great stuff, and also SHARE!
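As an added illustration of how the metrics listed in the comment above could be computed (this is not the commenter's document or any vendor's code), the following Python script derives threat detection rate, time to detection, incident response time, IOC block counts from SIEM-style log lines, enrichment success rate, and ROI from constructed sample data. The IOC feed, log lines, incident records, actor names, and dollar figures are all made-up placeholders; the log format is a hypothetical key=value style, not a specific product's schema.

```python
"""Worked example: computing CTI success metrics over constructed sample data.

Added example, not from the original post. Every indicator, log line, incident and
cost figure below is constructed; actor names are placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

# Constructed IOC feed with enrichment context (attribution / ATT&CK-style TTP id).
# One indicator is deliberately unenriched to exercise the enrichment metric.
IOC_FEED = {
    "198.51.100.23": {"actor": "ACTOR-PLACEHOLDER-1", "ttp": "T1071"},
    "203.0.113.9": {"actor": "ACTOR-PLACEHOLDER-2", "ttp": "T1566"},
    "malicious.example": {"actor": None, "ttp": None},
}

# Constructed SIEM-style firewall/proxy lines (documentation-range IPs, hypothetical format).
SAMPLE_LOGS = """\
2024-05-01T08:12:03Z fw action=block src=192.0.2.10 dst=198.51.100.23 rule=cti-feed
2024-05-01T08:12:07Z fw action=allow src=192.0.2.11 dst=192.0.2.99 rule=default
2024-05-01T09:30:44Z proxy action=block src=192.0.2.12 host=malicious.example rule=cti-feed
2024-05-01T11:02:19Z fw action=block src=192.0.2.10 dst=203.0.113.9 rule=cti-feed
2024-05-02T14:45:00Z fw action=block src=192.0.2.15 dst=198.51.100.23 rule=cti-feed
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<source>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
    r"(?:dst|host)=(?P<target>\S+) rule=(?P<rule>\S+)$"
)


def ioc_block_counts(log_text: str, feed: dict) -> dict[str, int]:
    """Count 'block' events per feed indicator: evidence that pushed IOCs are actually firing."""
    counts = {ioc: 0 for ioc in feed}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["action"] == "block" and m["target"] in counts:
            counts[m["target"]] += 1
    return counts


def enrichment_success_rate(feed: dict) -> float:
    """Share of indicators carrying at least some context (actor or TTP)."""
    enriched = sum(1 for ctx in feed.values() if ctx["actor"] or ctx["ttp"])
    return enriched / len(feed)


@dataclass
class Incident:
    exposed: datetime      # initial exposure / compromise
    detected: datetime     # first detection
    remediated: datetime   # remediation complete
    cti_flagged: bool      # threat was known to CTI before impact
    harm: bool             # caused harm before it was mitigated


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed incident records.
INCIDENTS = [
    Incident(_ts("2024-05-01T08:00"), _ts("2024-05-01T08:12"), _ts("2024-05-01T10:12"), True, False),
    Incident(_ts("2024-05-03T01:00"), _ts("2024-05-03T13:00"), _ts("2024-05-04T01:00"), True, True),
    Incident(_ts("2024-05-05T09:00"), _ts("2024-05-05T09:30"), _ts("2024-05-05T11:30"), True, False),
    Incident(_ts("2024-05-06T22:00"), _ts("2024-05-08T22:00"), _ts("2024-05-09T22:00"), False, True),
]


def threat_detection_rate(incidents: list[Incident]) -> float:
    """Percentage (as a fraction) of CTI-flagged threats mitigated before causing harm."""
    flagged = [i for i in incidents if i.cti_flagged]
    if not flagged:
        return 0.0
    return sum(1 for i in flagged if not i.harm) / len(flagged)


def mean_hours(incidents: list[Incident], start: str, end: str) -> float:
    """Mean elapsed hours between two incident timestamps (e.g. exposed->detected for TTD)."""
    return mean((getattr(i, end) - getattr(i, start)).total_seconds() / 3600 for i in incidents)


def cti_roi(losses_avoided: float, cti_cost: float) -> float:
    """ROI as (losses mitigated - programme cost) / programme cost."""
    return (losses_avoided - cti_cost) / cti_cost


def report() -> dict:
    """Assemble the metrics into one dict, the shape a dashboard or audit input would take."""
    return {
        "threat_detection_rate": threat_detection_rate(INCIDENTS),
        "mean_ttd_hours": mean_hours(INCIDENTS, "exposed", "detected"),
        "mean_irt_hours": mean_hours(INCIDENTS, "detected", "remediated"),
        "ioc_blocks": ioc_block_counts(SAMPLE_LOGS, IOC_FEED),
        "enrichment_success_rate": enrichment_success_rate(IOC_FEED),
        "roi": cti_roi(losses_avoided=500_000.0, cti_cost=100_000.0),  # constructed figures
    }


if __name__ == "__main__":
    for k, v in report().items():
        print(f"{k}: {v}")
```

The "allow" line and the unenriched indicator are there on purpose: the block counter must ignore non-block events, and the enrichment rate should drop when context is missing, which is exactly the gap the comment says to chase.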

VP of IT in Education, 3 months ago

Physical-video security monitoring.

Executive Director - Head of IT Security, 3 months ago

Vendor Risk Management (VRM), Third-Party Risk Management (TPRM), and Supply Chain Risk Management (SCRM) are additional areas where threat intelligence can be integrated into risk assessments. This integration enables organizations to proactively identify potential risks at an early stage, implement effective mitigation strategies, ensure compliance with regulatory requirements, and protect their operations and reputation.

Director of IT in Healthcare and Biotech, 3 months ago

Physical/traditional security. My last few career stops experienced folks sneaking in, entire server racks stolen, and social engineering. 
