Today’s enterprises receive a myriad of new threat intelligence from multiple feeds and sources. Most organizations highly value threat intelligence as essential to a strong security posture and fulfilling their security mission. It can be challenging, however, to make threat intelligence actionable.

With the plethora of new threats added daily to the cyber ecosystem, security leaders need to determine which of new threats are relevant to their organization. Moreover, they also need to quantify what potential risk or impact the relevant threats may bring upon the organization if realized. Which is why more than 80% of CISOs and other security executives actively read their organization’s threat intelligence feeds.[1] However, with the volume and complexity of such reports, the majority of threat intelligence recipients believe the feeds themselves cannot provide actionable intelligence.

Organizations Turn to Pen Testing

Currently, organizations study the applicability of new threats through penetration testing. While pen testing does serve as a means by which organizations can objectively evaluate the relevance of new threats, there are several prominent drawbacks:

  • Pen testing could cost from $1,200[2] – $5,000 per application, depending on various factors.[3]
  • Multiply the per-application pen testing cost by the number of critical and high-risk applications an enterprise may have and the cost of determining if new threats are relevant and what their potential impact may be could run as high as $600,000 or more.
  • Due to the high cost of pen testing, organizations may choose not to pen test all the applications – it just would not be financially feasible. The downside to this, of course, is that organizations are unable to determine what their comprehensive attack surface is.
  • Getting the results of pen testing can take between 1 – 5 weeks; in the meantime, the threat landscape is continuing to evolve.
  • After receiving the results of the pen testing, organizations still need to develop and prioritize their response to the new threats.

Actionable Threat Intelligence with ThreatModelerTM

There is a better way to make threat intelligence actionable. Threat modeling with ThreatModeler™ can accomplish in minutes what it takes pen testers weeks to do.

External or internally generated threat intelligence can feed directly into the ThreatModeler™ central threat library. Then, with just a click of a button, all threat models across the entire portfolio are automatically updated. In just minutes, the CISO and security team can determine the relevance of new threats as well as the potential impact and risk of relevant threats.

Related: Automated Threat Intelligence Framework

The CISO and other stakeholders will maintain a complete, real-time understanding of the organization’s comprehensive attack surface, even with the volume and complexity of newly added threats. It has never been easier or more efficient to make threat intelligence actionable. With ThreatModeler™ organizations can:

  • Understand where relevant threats apply to their entire application portfolio;
  • Quantify the impact of new threats to the organization; and
  • Prioritize where to focus their mitigation resources – ThreatModeler™ even provides how to mitigate new and existing threats.

ThreatModeler™ is more Cost Effective than Pen Testing

ThreatModeler™ provides objective, consistent, and quantifiable outputs for all organizational stakeholders – including the ability for CISOs to analyze their comprehensive attack surface in real-time. Moreover, gaining superior real-time outputs is significantly more cost-effective than pen testing.

Consider the annual cost difference between creating and maintaining 100 threat models in real-time with ThreatModeler™ versus pen testing the same applications quarterly.

Schedule a live demo to learn how to make threat intelligence actionable in real-time, cost-effectively for your organization.


[1] “The Value of Threat Intelligence: A Study of North American & United Kingdom Companies.” Ponemon Institute: Tucson. November 1, 2016.

[2] “Rate Card, Standard Pen Test.” HighBit Security, LLC: Port Sanilac. 2017.

[3] Acharya, Srimant. “The Cost of Pen Testing a Web Application.” TATA Consultancy Services, LLC: Phoenix. December 2016.