Gartner's CTI Prediction Is Right. But Operationalizing Bad Intelligence Faster Isn't Progress.


The first Magic Quadrant for our category landed last month, and within a day people were asking whether we were putting out a statement. I didn't want to rush one. I read the report twice before I said anything, because Gartner had written down a sentence I've been saying in customer meetings for two years, and I wanted to be sure I understood exactly what they meant before I started agreeing with it in public.
Here's the sentence. Gartner's planning assumption is that by 2028, more than half of organizations adopting cyberthreat intelligence technologies will prioritize platforms that operationalize intelligence - automated detection rule generation, enforcement actions, takedown workflows - over those that mostly deliver enrichment and reporting.
That's a serious call, and I think it's correct. We've staked Malanta on a version of it.
What I want to talk about is the part that gets lost between the prediction and the purchase order.
Operationalization Is the Right Direction. The Question Is What You're Operationalizing.
The industry has spent years getting better at moving intelligence downstream - into the SIEM, into SOAR playbooks, into detection rules, into automated enforcement. The integrations are tighter. The APIs hold up. Agentic AI is starting to close loops that used to need an analyst in the middle. All of that is real progress.
It also quietly assumes the intelligence going into the top of the pipeline is worth sending down it.
Sit with enough security teams and you hear the same workflow described back to you almost word for word: subscribe to commercial IOC feeds, ingest into the SIEM, match traffic against known-bad indicators, fire an alert, enrich it by hand, triage, repeat. The operationalization layer has gotten faster and far more automated. The signal feeding it has not changed. It's still IOC-based. It's still reactive. It still describes infrastructure and malware that was already known somewhere else before it reached your environment.
Gartner is blunt about what that means competitively: vendors leaning on open-source feeds, shallow enrichment, or loosely coupled integrations are having a hard time showing durable advantage as baseline CTI becomes commoditized.
When the underlying signal is commoditized, automating its delivery at higher speed doesn't close a gap. It scales a limitation.
What Adversaries Are Doing While You're Enriching IOCs
The activity that actually precedes an attack never shows up in an IOC feed.
An adversary standing up infrastructure for a targeted campaign is operating in MITRE ATT&CK's Reconnaissance (TA0043) and Resource Development (TA0042) phases - acquiring domains, staging C2, assembling phishing kits, running passive recon against the target. None of that produces an IOC until the attack has already launched.
By the time a malicious domain or file hash lands in a commercial feed, it has been seen, shared, and written up in someone's threat report. The IOC is a record of something that already happened. Operationalizing it, cleanly, automatically, at machine speed, just means you're running a retrospective workflow faster.
That's the ceiling. You can generate Sigma rules sooner. You can auto-build YARA signatures on a tighter cycle. You can close the SIEM loop with fewer handoffs. And at the end of all of it, you still don't know the attack is coming until it's in motion.
The question operationalization can't answer on its own: what are you operationalizing that exists before the first payload is delivered?
This Is the Part I Actually Care About
IoPAs, Indicators of Pre-Attack Activity, are not a new label for IOCs. They're a different kind of signal, capturing a different phase of the adversary's work.
An IOC tells you a domain is malicious after it's been used against someone. An IoPA surfaces that same domain during staging, when the certificate was provisioned, when it resolved to an IP block tied to known adversary infrastructure, when the registration pattern matches the tooling profile of a specific actor cluster. The attack hasn't started. The preparation is already visible to anyone looking at the right signals.
That's what changes when you put a pre-attack intelligence layer upstream of the SIEM. The rules you generate aren't built from evidence of past attacks; they're built from indicators of preparation for the next one. The enforcement you automate isn't a response to a breach underway; it's disruption of infrastructure that hasn't been switched on yet.
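To make the timing difference concrete, here is an added example (not Malanta's code, and not anything from the Gartner report) that runs the two workflows described above over one constructed timeline: the feed-driven IOC match from the earlier SIEM workflow, and a scorer over the pre-attack signals named in this section (certificate issuance, resolution into an IP block already tied to adversary infrastructure, a registration pattern matching an actor's tooling profile). Every value in it is invented for illustration: the IP block is a documentation range, the registrar and nameserver profile are placeholders, and the weights, threshold and timestamps are arbitrary.

```python
"""
Added example (not Malanta's code): an IOC-match workflow and a pre-attack
(IoPA) scoring pass run over the same constructed timeline, to show where
in time each one can first raise an alert.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

# --- Constructed reference data; every value below is a placeholder -------
# An IP block an analyst has previously attributed to an actor cluster
# (203.0.113.0/24 is a documentation range, not real infrastructure).
KNOWN_ADVERSARY_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# A registration "tooling profile": the registrar + nameserver pair seen on
# the actor's earlier staging domains (constructed values).
ACTOR_REGISTRATION_PROFILE = ("example-registrar", "ns1.example-dns.invalid")

# Weights and threshold are arbitrary for illustration; a real scorer would
# be tuned against historical staging activity.
IOPA_WEIGHTS = {"cert_issued": 1, "dns_a_known_net": 3, "registration_profile": 2}
IOPA_THRESHOLD = 4


@dataclass(frozen=True)
class Observation:
    when: datetime
    domain: str
    kind: str        # cert_issued | whois | dns_a | attack_seen | ioc_feed
    value: str = ""  # kind-specific payload (IP address, "registrar|ns", ...)


def score_observation(obs: Observation) -> int:
    """Weight an observation contributes as a pre-attack signal (0 if none)."""
    if obs.kind == "cert_issued":
        return IOPA_WEIGHTS["cert_issued"]
    if obs.kind == "dns_a":
        addr = ipaddress.ip_address(obs.value)
        if any(addr in net for net in KNOWN_ADVERSARY_NETS):
            return IOPA_WEIGHTS["dns_a_known_net"]
    if obs.kind == "whois":
        registrar, ns = obs.value.split("|", 1)
        if (registrar, ns) == ACTOR_REGISTRATION_PROFILE:
            return IOPA_WEIGHTS["registration_profile"]
    return 0


def _for_domain(timeline, domain):
    """Observations for one domain, in time order."""
    return sorted((o for o in timeline if o.domain == domain), key=lambda o: o.when)


def iopa_alert_time(timeline, domain, threshold=IOPA_THRESHOLD):
    """First instant the cumulative pre-attack score reaches the threshold."""
    score = 0
    for obs in _for_domain(timeline, domain):
        score += score_observation(obs)
        if score >= threshold:
            return obs.when
    return None


def ioc_alert_time(timeline, domain):
    """First instant an IOC match is even possible: when the feed publishes the domain."""
    for obs in _for_domain(timeline, domain):
        if obs.kind == "ioc_feed":
            return obs.when
    return None


def lead_hours(timeline, domain):
    """Hours before (positive) or after (negative) the attack that each workflow alerts."""
    attack = next((o.when for o in _for_domain(timeline, domain) if o.kind == "attack_seen"), None)
    out = {}
    for name, alert in (("ioc", ioc_alert_time(timeline, domain)),
                        ("iopa", iopa_alert_time(timeline, domain))):
        out[name] = None if (attack is None or alert is None) else (attack - alert) / timedelta(hours=1)
    return out


# --- Constructed timeline -------------------------------------------------
T0 = datetime(2025, 1, 6, 9, 0)
TIMELINE = [
    # Staging domain: cert, matching registration, resolution into the known block,
    # then the campaign, then (only afterwards) a feed entry.
    Observation(T0, "staging.example", "cert_issued"),
    Observation(T0 + timedelta(minutes=30), "staging.example", "whois", "example-registrar|ns1.example-dns.invalid"),
    Observation(T0 + timedelta(hours=1), "staging.example", "dns_a", "203.0.113.45"),
    Observation(T0 + timedelta(hours=48), "staging.example", "attack_seen"),
    Observation(T0 + timedelta(hours=72), "staging.example", "ioc_feed"),
    # Ordinary domain: a new cert plus a resolution into an unrelated block is not enough.
    Observation(T0, "benign.example", "cert_issued"),
    Observation(T0 + timedelta(hours=2), "benign.example", "dns_a", "198.51.100.7"),
]

if __name__ == "__main__":
    for domain in ("staging.example", "benign.example"):
        print(domain, lead_hours(TIMELINE, domain))
```

The IOC path is structurally unable to fire before the feed carries the domain, which in this timeline is a day after the campaign ran; the IoPA path crosses its threshold an hour into staging, two days before anything is delivered. The benign domain is there to show the other half of the design: a fresh certificate on its own scores too low to alert, so the scorer is not just flagging every new domain.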
So Gartner's thesis holds. But operationalizing at the level of IoPAs is a structurally different thing from operationalizing at the level of IOCs. One gives defenders time they don't have today. The other confirms they were right to be worried.
What I'd Tell a Buyer Reading the Report
If you're using the Magic Quadrant to shape next year's CTI budget, the operationalization criterion is the right one. Keep it. Just push it one question further before you sign anything.
Don't only ask whether a platform can turn intelligence into rules, actions, and takedowns automatically. Ask what the intelligence is, and when in the attack it becomes visible. A platform that operationalizes yesterday's indicators flawlessly is still pointed the wrong way in time.
We built Malanta left of breach because that's the only place the timing problem actually gets solved, not by reacting faster, but by seeing earlier. Gartner just told the market that operationalization is where the next few years are headed. I agree. The only thing I'd add is that speed without an earlier signal isn't getting ahead of the attacker. It's losing the same race at a higher frame rate.