Threat visibility gap hampers AI-driven cyber defence

Team Cymru has published survey research that points to a gap between security strategy and day-to-day execution, with many organisations reporting limited real-time visibility of threats beyond their network perimeter.

The company's Voice of Cybersecurity Strategist Report found that 50% of security practitioners said they experienced a major security breach in the past year. Among those respondents, 72% said their threat hunting programme played a key role in preventing or mitigating the breach.

The findings focus on external attack surfaces and threat infrastructure. The survey suggests many security teams still lack comprehensive visibility outside their own networks. Only 38% of respondents said they had comprehensive, real-time visibility into threats beyond the network perimeter. A further 45% said they had "good" visibility.

External visibility

Team Cymru said the difference between "good" visibility and comprehensive, real-time visibility matters for operational readiness. The report describes a "confidence versus capability" gap in security programmes across critical infrastructure, government agencies, and businesses.

Respondents also reported gaps in external threat intelligence. The most cited external threat intelligence gap was insufficient real-time threat intelligence, selected by 45% of respondents. The report also cited challenges integrating external threat data with internal tools, which 42% of respondents identified as an issue.

These results land as organisations increase security spending but still struggle to translate data into operational outcomes. The report frames the issue as one of execution. It describes blind spots where risk materialises outside the network perimeter.

AI concerns

The survey also points to shifting priorities around emerging threats. AI-enabled threats ranked as the top emerging concern among respondents at 22%. Ransomware followed at 20%. Cloud service vulnerabilities ranked third at 17%.

Respondents also said they now weigh AI in threat intelligence decisions. The ability to leverage AI was the top evaluation criterion for threat intelligence investments, selected by 52% of respondents. AI-enhanced threat detection and response ranked as the most critical security capability for an effective security programme, chosen by 61% of respondents.

One context sentence before quote: Joe Sander commented on the link between external visibility, threat hunting, and operational decision-making.

"Security teams are being asked to anticipate faster, address an increasing number of adaptive threats. The data shows many are still operating without the real-time external visibility needed to stay ahead," said Joe Sander, CEO, Team Cymru.

"This report validates what we hear every day from cyber defenders of all types: threat hunting and external intelligence can change outcomes, but only if organizations can translate threat data into action quickly. The path forward is clear: prioritize real-time visibility beyond the perimeter, invest in AI that improves speed and precision, and measuring success by identifying and neutralizing threats, mitigating impact to the business"

Budget shifts

The report outlines how security teams allocate spending on threat intelligence. It found that 60% of respondents allocate 20% to 40% of their threat intelligence budget to external threat intelligence and monitoring. A further 32% allocate more than 40% to that area.

The survey also describes a resourcing shift towards technology-led approaches. It said 44% of respondents reported a mostly technology-focused approach to balancing tools and people. The report links that approach to greater use of automation, orchestration, and integrated workflows, although it also highlights persistent issues around data and tool integration.

Measuring impact

Respondents said they assess external threat intelligence based on outcomes tied to early detection and speed. The primary metric they use to assess external threat intelligence effectiveness was spotting threats before they affect the organisation, selected by 27% of respondents. Faster threat detection followed closely at 26%.

When communicating with boards and executive leadership, respondents most often cited the number of incidents prevented or detected, selected by 50%. The same share cited mean time to detect and respond. The report presents these measures as a reflection of pressure on security leaders to demonstrate operational results.

The survey also asked respondents about obstacles to funding threat intelligence initiatives. The biggest challenge was a focus on compliance requirements over threat-driven investments, cited by 26%. Competing priorities within the security programme followed at 23%. Limited executive understanding of external threats came next at 22%.

Next priorities

The report also captured planned changes over the next 12 to 24 months. The top planned strategic shift was increasing the efficiency of the existing security team, selected by 45% of respondents. Aligning with increasing regulatory compliance ranked second at 40%. Consolidating threat intelligence suppliers ranked third at 39%.

Team Cymru said it surveyed 121 information security, cybersecurity, and risk management leaders who set cybersecurity strategy, approve security technology investments, and manage security budgets and resources. The company conducted the survey online using Pollfish with organic sampling, beginning April 17, 2025. The report said the responses came from multiple industries.

The results point to continued focus on external monitoring, data integration, and the use of AI in detection and response strategies as security leaders revisit budgets and supplier choices.