CTI teams are often asked to provide leadership with metrics that demonstrate their contributions to improving the cybersecurity posture of an organization and reducing its overall risk. Developing effective CTI metrics is challenging, and most organizations struggle when trying to create metrics that reflect systemic impact. As a result, most organizations develop metrics that measure level of effort or throughput rather than program maturity growth or stakeholder-specific support.
To address this, the CTI-CMM offers a list of domain-specific metrics that help CTI programs track their maturity on a per-stakeholder basis. These metrics are designed to be representational and are by no means a definitive set that every CTI program needs to apply. Rather, they offer a starting point that CTI programs can adjust as necessary.
Each metric links to a relevant use case within its domain. As CTI programs advance across the maturity levels, measurement may require close collaboration with partners to determine impact. For the purpose of this model, we provide example metrics at each maturity level in each respective domain, with plans to refine and focus them in future updates based on community feedback.
Beginning in version 1.2 of the CTI-CMM, the team introduced metrics to improve the framework. This spreadsheet is a transposed version of the CTI-CMM's Appendix C on CTI Metrics broken out by CTI-CMM Domain. Since these metrics align to each domain, we recommend cross-referencing against domain purpose and content when using this spreadsheet.
OK... but this is my first exposure to metrics, especially those focused on CTI. Do you have any other resource you can recommend I read in advance of these?
- In early 2025, Gert-Jan Bruggink, John Doyle, Steven Savoldelli, and Callie Guenther published a SANS blog entitled "Beyond Meh-trics" on the topic of CTI metrics. It examines why organizations struggle to conceptualize and develop effective metrics for CTI programs, then provides practical guidance on how organizations should think about metrics generation.
We've created a short Google Form and kindly ask that you fill it out so that we can systematically capture and triage feedback.