# The Cyber Threat Alliance: How Far We've Come and Where We're Going

By [Rick Howard](https://www.paloaltonetworks.com/blog/author/rick/?ts=markdown "Posts by Rick Howard"), Feb 15, 2017

In 2015, I published a [blog post](https://www.paloaltonetworks.com/blog/2015/10/cryptowall-3-the-cyber-threat-alliance-and-the-future-of-information-sharing/) about the completion of a 90-day proof-of-concept experiment, called Project Redstone.
The experiment, conducted by the [Cyber Threat Alliance](http://cyberthreatalliance.org/) (CTA), tested the theory that, if cybersecurity vendors collaborated in their efforts to combat cyberattacks, they'd be more effective as a group than as individual companies. In that post, I listed four capability gaps that the CTA needed to address to be successful. They included:

1. How do we convert large volumes of indicators of compromise into prevention controls?
2. How do we measure alliance member contributions with more granularity?
3. What is the common set of success metrics for deployed security controls across Alliance membership?
4. What is the right sharing architecture that works at scale?

We knew that, if the CTA were to be successful, these four gaps had to be closed. Frankly, there are numerous threat intelligence sharing platforms, and other cybersecurity groups are actively promoting industry collaboration on cybersecurity issues. What makes the CTA different?

It's a fair question. The tech landscape is littered with industry groups promoting one standard over another or advocating for industry collaboration, and many cybersecurity veterans are quick to dismiss yet another one as a marketing program that's long on promises, short on results. I believe those same veterans will be pleasantly surprised to learn about the fantastic progress the Cyber Threat Alliance has made. While that progress was detailed in a [press release](https://cyberthreatalliance.org/pr/) the CTA issued yesterday, and a [blog post](https://www.paloaltonetworks.com/blog/2017/02/cyber-threat-alliance-expands-working-together-prevent-cyber-breaches/) from our CEO Mark McLaughlin, I'd like to spend a moment focusing on three characteristics of the CTA that address the capability gaps mentioned above to demonstrate that the CTA's approach to threat intelligence sharing works.

### 1. Everyone Contributes

The ability of a threat intel platform to successfully identify and stop new threats is directly related to the quality and quantity of its intel. This is problematic for many threat intel sharing agreements as the larger companies end up contributing the majority of the intel, because they have the resources to gather it, while the smaller members consume more intel than they provide. It's a lopsided arrangement that can lead to resentment between members and a less robust intel sharing platform.

The CTA requires all members to actively contribute to the threat intel pool on a daily basis and holds each member accountable. If a company doesn't contribute, they can't remain in the CTA. This ensures the CTA will collectively have access to the best intel available at the time.

### 2. Exchanges Adversary Playbooks, not one-off Indicators of Compromise

The problem with many threat intel exchanges today is context. While these exchanges can push hundreds of thousands of newly discovered cyberthreats out to members every week, if the threats aren't put in the proper context (Who is attacking? What is their motivation? Are they targeting specific types of organizations? etc.), it's difficult for security teams to determine which present the most risk to their network. Without that context, they have to assume all threats are a significant risk, and very few teams can scale to address the thousands of cyberthreats to which their threat intel platforms alert them every day.

This is why the CTA focuses on adversary playbooks. Adversary playbooks speed up analysis and enable defenders to focus more easily on the real goal: protecting against attackers and the various tools and tactics they use. Adversary playbooks integrate individual indicators of compromise (IoCs) in the cyberattack lifecycle into discrete, actionable threat intelligence that CTA members use to build detection and prevention controls for each of our own products.
The end result: no matter which cyberattackers are trying to get onto the network or which CTA member's technology is protecting the network, if they're accessing the target network using methods already identified in the adversary playbooks, they can be stopped at any point in the attack lifecycle.

Let me use a sports analogy to explain. In football, when two teams prepare for a game, the coaches prepare both defensive and offensive playbooks. It is the same in cyberspace. Network defenders prepare the defensive playbook -- how to respond to an ongoing incident for example -- and the cyber adversaries prepare an offensive playbook -- how to navigate through each phase of the cyberattack lifecycle. We know that cyber adversaries do not invent new attack sequences on the fly for every new victim. They reuse attack sequences that have been successful in the past in the attack lifecycle until the network defenders figure out how to defeat them. Those attack sequences are the cyber adversary's playbook.

The idea behind sharing adversary playbooks with Alliance members then is that the act exponentially increases the odds that a network defender can actually stop an attack. Instead of sharing one-off IoCs with little or no context, as most sharing organizations do, we share the entire adversary playbook. If the cyber adversaries manage to find a way around one of the network defender's prevention controls, they will immediately run into the next prevention control in-line in the attack lifecycle. The Alliance aims not to simply prevent a piece of the adversary's attack sequence -- it aims to defeat the entire playbook.

### 3. Automates the Last Mile for Threat Intel

Realizing that the volume of threats inundating organizations can be hard to keep up with, the CTA is the only sharing organization that can automate the delivery and configuration of prevention controls to its members' products and platforms.
It's a tremendous help to the CTA members' customers as it relieves them of the burden of analyzing every new threat and installing the appropriate fix on the network or endpoint. The CTA threat intel platform does this automatically, freeing security teams from the tedium of doing it themselves and letting them focus on their real purpose: identifying and preventing more advanced threats that are likely to go undetected.

Even in well-run sharing organizations, like many of the ISACs, members still have to receive the intelligence, decide that it applies to their network, decide what to do about it, and then do it. For many organizations, this takes days to weeks to accomplish, if it happens at all. I call that crossing the last mile with intelligence. Because Alliance members are security vendors and already have automated mechanisms to install new prevention and detection controls to their products deployed in the field, the Alliance is perhaps the only organization that has the ability to automatically cross the last mile for its collective customer base without the network defender having to do anything.

Already, we've seen the CTA Platform succeed in this. In one example, a single shared sample allowed a member to build protections before its customers were targeted, preventing successful attacks against 29 organizations. In another example, shared data allowed a member to identify a targeted attack against its customer and release additional indicators to defend that organization. Further, many of the members find that 40-50 percent of shared data is brand-new to them, and most of that is directly actionable. These are early successes, but it's clear that things will only get better as the CTA grows.
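
The adversary-playbook idea from section 2, and the per-product control building described in section 3, as an added Python example (not CTA or Palo Alto Networks code): constructed indicators are grouped by adversary and lifecycle phase, then checked against what a given product can enforce. The phase names (taken from the Lockheed Martin Cyber Kill Chain), the feed format, and the product capability sets are assumptions made for illustration.

```python
from collections import defaultdict

# Assumption: phase names follow the Lockheed Martin Cyber Kill Chain;
# the post refers to the "attack lifecycle" without listing its phases.
PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]

# Constructed sample feed (not CTA data): adversary, phase, indicator type, value.
# Domains and addresses use names and ranges reserved for documentation.
FEED = [
    ("ADVERSARY-A", "delivery", "domain", "invoice-portal.example"),
    ("ADVERSARY-A", "exploitation", "file_hash", "<sha256-placeholder-1>"),
    ("ADVERSARY-A", "installation", "file_hash", "<sha256-placeholder-2>"),
    ("ADVERSARY-A", "command_and_control", "ip", "192.0.2.10"),
    ("ADVERSARY-B", "delivery", "url", "http://files.example.net/doc.zip"),
    ("ADVERSARY-B", "command_and_control", "domain", "beacon.example.org"),
]


def build_playbooks(feed):
    """Group one-off indicators into per-adversary playbooks keyed by phase."""
    books = defaultdict(lambda: defaultdict(list))
    for adversary, phase, ioc_type, value in feed:
        if phase not in PHASES:
            raise ValueError(f"unknown lifecycle phase: {phase}")
        books[adversary][phase].append((ioc_type, value))
    # Return plain dicts with phases in lifecycle order.
    return {a: {p: b[p] for p in PHASES if p in b} for a, b in books.items()}


def controlled_phases(playbook, enforceable_types):
    """Phases where a product can turn at least one indicator into a control."""
    return [phase for phase, iocs in playbook.items()
            if any(t in enforceable_types for t, _ in iocs)]


def first_stop(playbook, enforceable_types, bypassed=()):
    """First phase, in lifecycle order, where the attack meets a working control.

    `bypassed` lists phases whose control the adversary has evaded.
    Returns None if no remaining control lies on the adversary's path.
    """
    for phase in controlled_phases(playbook, enforceable_types):
        if phase not in bypassed:
            return phase
    return None


if __name__ == "__main__":
    books = build_playbooks(FEED)
    network = {"domain", "ip"}   # hypothetical network product capabilities
    endpoint = {"file_hash"}     # hypothetical endpoint product capabilities
    for name, book in books.items():
        print(name, "network:", controlled_phases(book, network),
              "endpoint:", controlled_phases(book, endpoint))
    # Delivery control evaded: the next control in the lifecycle still applies.
    print(first_stop(books["ADVERSARY-A"], network | endpoint,
                     bypassed={"delivery"}))
```

A `None` result from `first_stop` marks a playbook for which the product has no enforceable control left on the adversary's path, which is the gap a shared playbook is meant to expose.
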
Like [Mark said in his own post](https://www.paloaltonetworks.com/blog/2017/02/cyber-threat-alliance-expands-working-together-prevent-cyber-breaches/), I also believe that, as we continue to expand the CTA, we are stronger together, and I look forward to updating you in the future on the Alliance's continued progress and successes in helping to protect customers.