This paper introduces a large-scale analysis of open-source Cyber Threat Intelligence (CTI) reports over two decades, using an LLM-based pipeline to extract and structure key entities from 13,308 reports. The study quantifies the evolution of CTI information density and specialization, revealing patterns linking threat actors to motivations and victim profiles. The analysis uncovers a fragmented CTI ecosystem with vendor-specific reporting biases and low intelligence overlap, suggesting diminishing returns from multiple sources beyond a few core providers.
Despite the abundance of CTI reports, vendor-specific biases and low overlap mean relying on multiple sources yields surprisingly little additional intelligence.
Despite the high volume of open-source Cyber Threat Intelligence (CTI), our understanding of long-term threat actor-victim dynamics remains fragmented due to the lack of structured datasets and inconsistent reporting standards. In this paper, we present a large-scale automated analysis of open-source CTI reports spanning two decades. We develop a high-precision, LLM-based pipeline to ingest and structure 13,308 reports, extracting key entities such as attributed threat actors, motivations, victims, reporting vendors, and technical indicators (IoCs and TTPs). Our analysis quantifies the evolution of CTI information density and specialization, characterizing patterns that relate specific threat actors to motivations and victim profiles. Furthermore, we perform a meta-analysis of the CTI industry itself. We identify a fragmented ecosystem of distinct silos where vendors demonstrate significant geographic and sectoral reporting biases. Our marginal coverage analysis reveals that intelligence overlap between vendors is typically low: while a few core providers may offer broad situational awareness, additional sources yield diminishing returns. Overall, our findings characterize the structural biases inherent in the CTI ecosystem, enabling practitioners and researchers to better evaluate the completeness of their intelligence sources.
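The marginal coverage idea in the abstract can be tried on your own feed inventory. The sketch below is an added illustration, not the paper's pipeline. It assumes each vendor is reduced to the set of threat actors it has reported on, and it orders vendors greedily by how many new actors each contributes. Vendor names, actor labels and the function names are constructed placeholders.

```python
"""Greedy marginal-coverage ordering of CTI vendors (added illustration)."""

# Constructed sample: vendor -> set of threat-actor labels it has reported on.
# Vendor names and actor labels are placeholders, not data from the paper.
REPORTS = {
    "vendor_a": {"actor_01", "actor_02", "actor_03", "actor_04", "actor_05"},
    "vendor_b": {"actor_04", "actor_05", "actor_06", "actor_07"},
    "vendor_c": {"actor_01", "actor_02", "actor_03"},
    "vendor_d": {"actor_05", "actor_08"},
    "vendor_e": {"actor_02", "actor_06"},
}


def jaccard(a, b):
    """Pairwise overlap of two coverage sets: intersection size over union size."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def marginal_coverage(reports):
    """Order vendors greedily by how many not-yet-covered entities each adds.

    Returns a list of (vendor, new_entities, cumulative_fraction) tuples.
    Ties are broken by vendor name so the ordering is deterministic.
    Greedy selection approximates, but does not guarantee, the minimum set.
    """
    universe = set().union(*reports.values())
    covered, remaining, curve = set(), dict(reports), []
    while remaining:
        vendor = min(remaining, key=lambda v: (-len(remaining[v] - covered), v))
        gain = remaining.pop(vendor) - covered
        covered |= gain
        fraction = len(covered) / len(universe) if universe else 0.0
        curve.append((vendor, len(gain), round(fraction, 3)))
    return curve


def vendors_needed(reports, target=0.9):
    """Length of the greedy prefix whose cumulative coverage reaches `target`."""
    for rank, (_, _, fraction) in enumerate(marginal_coverage(reports), start=1):
        if fraction >= target:
            return rank
    return len(reports)


if __name__ == "__main__":
    for vendor, gain, fraction in marginal_coverage(REPORTS):
        print(f"{vendor}: +{gain} new actors, cumulative {fraction:.1%}")
```

On the constructed data, three of the five vendors already reach full coverage and the last two add nothing, which is the diminishing-returns shape the abstract describes.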