Closing the gaps in threat intelligence for critical infrastructure

Recently, Colt Technology Services (CTS) became the latest Critical National Infrastructure (CNI) organisation to be disrupted by a cyber attack.

A multi-billion-pound digital services provider, the company was forced to take some of its internal IT systems down following the incident, disrupting customer support services. According to media reports, a ransomware group called WarLock has since claimed responsibility for the attack, which it says also includes the theft of employee data – a claim CTS disputes.

A glance at the company’s Network Status page gives some insight into how these incidents unfold. First reported by CTS on August 14th, some services were still unavailable a week later, with the status updates still describing teams “working tirelessly”, “24/7” and “around the clock” to restore its systems.

So, what are the wider takeaways from this situation and others like it? Firstly, CNI remains front and centre for threat actors, irrespective of their motives. Secondly, even when organisations have strong incident response capabilities, the process of restoring services is rarely swift. In addition, CNI brings a lot of interdependencies, and when a service provider is disrupted, the potential impact extends far beyond its own networks, making resilience as much about supply chains as it is about internal defences.

The role of threat intelligence

Incidents such as these also bring the importance of threat intelligence into sharp focus. Attacks on CNI are not new, but the constant escalation between attackers and defenders has made intelligence one of the few areas where organisations can shift the balance in their favour.

In practical terms, threat intelligence involves the proactive gathering, analysis and dissemination of information about potential cyber threats. It gives organisations foresight in the form of evidence-based knowledge of an existing or emerging threat’s capabilities, techniques, infrastructure, motives, goals and resources, which they can use to improve their defences.

Yet having intelligence is not the same as being able to use it effectively. The challenge lies less in access to data and more in how well that data is integrated into everyday security operations. In some organisations, core security functions, including threat intelligence, automation, and incident response, remain siloed with limited coordination or shared visibility. In others, strategies are developed in isolation, missing the opportunity to tap into the wealth of experience and insight already available across the broader security community.

These challenges are reflected in how security teams themselves assess their capabilities and the maturity of their threat intelligence programmes. A recent industry survey, for example, revealed that only 20% of IT professionals believe their threat intelligence programmes are fully operationalised. The findings expose critical gaps in the maturity and automation of threat intelligence capabilities, as well as a growing appetite for AI-driven solutions to improve speed, context and response.

While 58% of organisations report using a Threat Intelligence Platform (TIP), most are still grappling with too many feeds and too little context. Over 30% cite this overload as their top challenge, followed closely by the lack of automation/playbooks (28.7%) and insufficient dedicated staff (18%). Only 16% of TIP users are currently sharing intelligence with partners or peers, despite nearly 75% recognising a need to improve sharing practices.

It will come as no surprise that AI integration is seen as having an important role to play, with over half (51.3%) of IT professionals believing AI is best placed to automate triage and prioritisation, while 42% say it can help identify unknown threats. Nearly two-thirds (61.3%) say they would trust AI agents to take limited autonomous actions, such as blocking IOCs or quarantining endpoints, if supported by human oversight.

Among the most in-demand capabilities identified by respondents were better automation (48%), contextual enrichment (37.3%) and more accurate threat scoring (34%). Only 14% of organisations have a defined threat intel sharing process that includes their supply chain, suggesting a missed opportunity for building greater resilience through collaboration.
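The survey findings above describe the gap in practical terms: many feeds, little context, little automation, and a wish to let automation act only under human oversight. The following Python script is an added illustration for this article, not Cyware code or any product's logic. It consolidates indicators from several constructed sample feeds (RFC 5737 documentation addresses, not real intelligence), rejects malformed entries and internal addresses that must never reach a perimeter blocklist, enriches each indicator with the context a TIP would add (which sources reported it, highest reported confidence, tags), scores it, and then bounds the automated action: auto-blocking requires both a high score and independent corroboration, everything else is queued for an analyst, and a human-maintained allowlist always overrides. The feed contents, scoring weights and thresholds are assumptions for the example.

```python
"""Feed consolidation, enrichment, scoring and bounded automation.

Added example for this article (not Cyware code). All feeds, weights and
thresholds below are constructed assumptions; tune them per organisation.
"""
from dataclasses import dataclass, field
import ipaddress

# Constructed sample feeds: (indicator, reported confidence 0-100, tags).
# Addresses are from RFC 5737 documentation ranges, not real indicators.
SAMPLE_FEEDS = {
    "sector-isac": [
        ("198.51.100.23", 90, ["c2", "ransomware"]),
        ("203.0.113.77", 70, ["scanner"]),
    ],
    "open-feed-a": [
        ("198.51.100.23", 60, ["c2"]),
        ("203.0.113.77", 40, []),
        ("192.0.2.10", 30, []),        # noise: one low-confidence sighting
        ("not-an-ip", 50, []),         # malformed entry that would pollute a blocklist
    ],
    "vendor-feed": [
        (" 198.51.100.23 ", 80, ["ransomware"]),  # same indicator, untrimmed
        ("192.0.2.200", 95, ["c2"]),   # high confidence but a single source
        ("10.0.0.5", 95, ["c2"]),      # internal address: must never be auto-blocked
    ],
}

CRITICAL_TAGS = {"c2", "ransomware"}
AUTO_BLOCK_SCORE = 90           # assumed policy thresholds
REVIEW_SCORE = 70
MIN_SOURCES_FOR_AUTOBLOCK = 2   # corroboration required before acting autonomously

# Explicit internal ranges. ipaddress.is_private is deliberately not used here:
# it also classifies the RFC 5737 documentation ranges as private.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "::1/128",
)]


@dataclass
class Indicator:
    value: str
    sources: set = field(default_factory=set)
    max_confidence: int = 0
    tags: set = field(default_factory=set)

    def score(self) -> int:
        """Highest reported confidence, plus corroboration and severity bonuses."""
        corroboration = 10 * (len(self.sources) - 1)
        severity = 15 if self.tags & CRITICAL_TAGS else 0
        return min(100, self.max_confidence + corroboration + severity)


def normalise_ip(raw: str):
    """Canonical IP string, or None if malformed or internal."""
    try:
        ip = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None
    if any(ip in net for net in INTERNAL_NETWORKS):
        return None
    return str(ip)


def consolidate(feeds):
    """Merge records across feeds into one enriched Indicator per value."""
    merged, rejected = {}, []
    for source, records in feeds.items():
        for raw, confidence, tags in records:
            value = normalise_ip(raw)
            if value is None:
                rejected.append((source, raw))
                continue
            ind = merged.setdefault(value, Indicator(value))
            ind.sources.add(source)
            ind.max_confidence = max(ind.max_confidence, confidence)
            ind.tags.update(tags)
    return merged, rejected


def triage(merged, analyst_allowlist=frozenset()):
    """Map each indicator to an action. Autonomy is bounded: auto-block needs a high
    score AND independent corroboration; the human-maintained allowlist always wins."""
    actions = {}
    for value, ind in merged.items():
        s = ind.score()
        if value in analyst_allowlist:
            actions[value] = "allowlisted"
        elif s >= AUTO_BLOCK_SCORE and len(ind.sources) >= MIN_SOURCES_FOR_AUTOBLOCK:
            actions[value] = "auto-block"
        elif s >= REVIEW_SCORE:
            actions[value] = "review"
        else:
            actions[value] = "ignore"
    return actions


def context(ind: Indicator) -> str:
    """The enrichment an analyst sees alongside the action."""
    return f"{ind.value}: score={ind.score()} sources={sorted(ind.sources)} tags={sorted(ind.tags)}"


if __name__ == "__main__":
    merged, rejected = consolidate(SAMPLE_FEEDS)
    actions = triage(merged)
    for value, ind in sorted(merged.items(), key=lambda kv: -kv[1].score()):
        print(f"{actions[value]:>11}  {context(ind)}")
    for source, raw in rejected:
        print(f"   rejected  {raw!r} from {source}")
```

Running it shows the effect of corroboration: the indicator seen by all three feeds is auto-blocked, the single-source indicator with equally high confidence only reaches the review queue, the scanner seen by two feeds is queued for review rather than acted on, the lone low-confidence sighting is dropped, and the malformed and internal entries never reach the blocklist at all. Swapping the feeds for a real TIP export and the actions for firewall or EDR API calls is the part that varies by environment; the oversight structure does not.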

Closing the capability gap

So, what can be done to close these capability gaps? From the threat intelligence perspective, many organisations are relying more heavily on security collaboration and collective defence, with Information Sharing and Analysis Centres (ISACs) among the most established and effective approaches. Organised by sector, these groups are designed to collect, analyse and distribute actionable threat intelligence, while also equipping members with the tools and resources needed to strengthen resilience. Today, the National Council of ISACs, for example, includes nearly 30 sector-specific organisations – a clear sign of how far this model has evolved.

The underlying reality is that for CNI and the wider digital economy, cyber attacks are not going away. But with more effective threat intelligence in place, organisations are better positioned to anticipate risks and act decisively – proving that in cybersecurity, being forewarned truly is being forearmed.


About the Author

Dan Bridges is Technical Director – International at Cyware. Cyware is leading the industry in Operational Threat Intelligence and Collective Defense, helping security teams transform threat intelligence from fragmented data points to actionable, real-time decisions. We unify threat intelligence management, intel sharing and collaboration, as well as hyper-orchestration and automation—eliminating silos and enabling organizations to outmaneuver adversaries faster and more effectively.