What Security Professionals at RSAC2026 Told Us About AI and Threat Intelligence

April 28, 2026
Patrick Vandenberg

VP, Product Marketing, Cyware

Expert Conversations

TL;DR

  • The Operational Gap: While nearly 80% of organizations rate threat intelligence sharing as absolutely crucial or very important, only 27.5% have fully integrated it into detection and response workflows.

  • Manual Bottlenecks: Approximately 40% of security teams still rely on mostly manual processes for intelligence integration, creating a "noise with good intentions" problem where data arrives too late to be actionable.

  • AI Growth vs. Impact: AI is increasingly used to assist security operations, with 79.6% of respondents reporting measurable improvements. However, the doubling of CTI-to-SecOps automation highlights that the focus is on fixing broken workflows, not replacing human judgment.

  • Rise of Agentic AI: 72.4% of practitioners are likely to build their own custom security AI agents, signaling a preference for purpose-built, workflow-specific tools over generic off-the-shelf solutions.

  • Controlled Autonomy: Security pros prioritize oversight; 77% advocate for AI with analyst control. 

  • The Governance Gap: Policy development is catching up to adoption; 56% of organizations are actively developing AI security guardrails, while 32.1% already have clearly defined policies in place.

  • Collective Defense Momentum: Real-time sharing across internal teams has doubled (17% to 32%), and over 50% of organizations are either participating in or considering industry-wide sharing via ISACs.

Introduction

The RSA Conference is where the gap between aspiration and reality surfaces in honest conversation. This year, we surveyed practitioners on how they apply AI and operationalize cyber threat intelligence (CTI). The results read as a clear progress report. Teams are moving away from experimentation and toward infrastructure. The data reveals a significant divide between the demand for intelligence and the manual workflows still holding teams back.

The Mandate for Collective Defense

Threat intelligence sharing is no longer viewed as optional. Nearly 80% of respondents categorized sharing as absolutely crucial or very important. Organizational will is high. However, building the infrastructure to act on that will is a different problem.

One encouraging sign is the rise of real-time collaboration. Real-time sharing across SecOps, IR, and vulnerability management has nearly doubled year-over-year, jumping from 17% to 32%. This progress reflects a commitment to collective defense. Still, nearly a quarter of teams share intelligence only rarely. In a fast-moving threat environment, infrequent sharing is a liability.

The Y/Y Trend: Rapid Operationalization

The most compelling takeaway from this year's survey is the speed at which operational barriers are being dismantled. We are seeing a marked shift in how teams handle intelligence compared to 2025:

  • Real-Time Sharing Maturity: The jump from 17% to 32% in real-time internal sharing suggests that teams are breaking down silos. Collaboration between SecOps and incident response is no longer a goal; it is becoming the standard.

  • Automation Breakthroughs: Effective automation between CTI and SecOps tools has doubled, rising from 13% to 26%. While the "mostly manual" group remains large, the doubling of high-efficacy automation indicates that the early adopters are finding a scalable path forward.

  • Collaborative Momentum: Industry-wide participation or consideration has hit the 50% mark. 

The Integration Bottleneck

Intelligence that arrives late or never reaches the right hands is just noise. The survey shows that integration remains the primary hurdle. Only 27.5% of respondents have threat intelligence fully integrated into their detection and response workflows.

The largest group of security teams still relies on partial or mostly manual processes. About 40% of respondents admitted their integration is mostly manual. Without deep integration, analysts spend their time chasing data instead of mitigating threats. Intelligence is only useful if it reaches the front lines in time to make a difference.

Automation and the AI Infrastructure

Organizations seeing the biggest gains are treating AI as infrastructure. Nearly 80% of respondents say AI has improved their threat intelligence operations. Significant improvements were reported by 40% of the group.

Effective automation between CTI and SecOps tools has doubled since last year. It rose from 13% to 26%. This growth shows that teams are embedding AI into how intelligence flows and how alerts get triaged. The appetite for custom solutions is also growing. Over 70% of practitioners are likely to build their own threat intelligence or security AI agents. They want AI purpose-built for their specific threat context.

Governance and Control Over Autonomy

The preference for AI behavior is clear. Security teams want controlled agents. Over 77% of respondents advocate for AI solutions that prioritize analyst oversight. They are not looking for AI that replaces judgment. They want AI that accelerates it.

Governance is being built in parallel with adoption. About 56% of organizations are currently developing guardrails for AI security tools. Another 32% already have clearly defined policies in place. This is not hesitation but responsible adoption in high-stakes environments. High-maturity teams want AI that surfaces the right context while leaving consequential decisions to accountable humans.

Closing the Execution Gap

The conversation about whether AI belongs in threat intelligence is over. The focus has shifted to operationalization. This requires tighter workflow integration and clearer governance.

Platforms like the Cyware Intelligence Suite provide the foundation for this shift. They allow teams to operationalize AI across the full threat lifecycle. The organizations investing in this foundation today will be best positioned as agentic AI capabilities mature. The gap between intention and execution is closing. The winners are treating AI as a core part of how security operations run.

Frequently Asked Questions (FAQs)

  1. What is the "Operational Gap" in threat intelligence in 2026?

The Operational Gap refers to the disconnect between the high perceived value of threat intelligence and its actual implementation. While 80% of organizations view intelligence sharing as critical, only 27.5% have successfully integrated it into their automated detection and response workflows. This gap often results in "noise" rather than actionable defense.

  2. Why are manual processes still a bottleneck for SecOps?

Despite the rise of AI, roughly 40% of security teams still rely on manual intelligence integration. In a landscape where the "attack window" (the time from initial access to threat handoff) has collapsed to as little as 22 seconds, manual routing is too slow to be effective, turning threat data into "post-mortem" history rather than proactive defense.

  3. What does "Agentic AI" mean for cybersecurity?

Agentic AI refers to autonomous or semi-autonomous AI agents that don't just "chat" but perform specific tasks within a workflow—such as triaging alerts, hunting for indicators of compromise (IOCs), or updating firewall rules. At RSAC 2026, 72.4% of practitioners expressed a preference for building custom, purpose-built AI agents over generic off-the-shelf tools.

About the Author

Patrick Vandenberg

VP, Product Marketing, Cyware

Cybersecurity and product marketing leader with 20+ years of experience building customer-focused solutions. Has led teams to develop strategies, drive growth, and connect technology with real-world security needs.
