CTI source overlap analysis

Pairwise correlation of every cyber threat intelligence source in your portfolio. Intel Fusion quantifies redundancy across 990+ source pairs so you can see which feeds are restating intelligence you already have — and which are unique.

Why pairwise overlap is the right unit of analysis

A CTI portfolio is not a single source — it is a population. Two sources can each look high-value in isolation while contributing almost identical indicators, technique coverage, and adversary tracking when combined. Looking only at per-source quality metrics hides this. Pairwise overlap measures the operational truth: for every pair of sources, how much of source A is restated by source B?

Intel Fusion computes overlap across the indicator, technique, and actor dimensions. Indicator overlap measures shared IOCs across the observable horizon you care about. Technique overlap measures shared MITRE ATT&CK technique mappings. Actor overlap measures redundancy in adversary group coverage. Each dimension is surfaced separately so you can keep a feed that is redundant on indicators but unique on techniques.

How the correlation engine works

For a portfolio of n sources, Intel Fusion evaluates n × (n − 1) / 2 pairs. A 45-source portfolio produces 990 pairs — every one of them scored, ranked, and explained. Indicator sets are normalized before comparison (defanging, type alignment, validity windows) so cosmetic differences do not inflate uniqueness. Technique sets are derived from per-source ATT&CK mappings and weighted by enterprise relevance.

The output is a sortable matrix of overlap percentages, accompanied by directional breakdowns: when source B covers 92% of source A but source A only covers 30% of source B, that asymmetry tells you which feed is subsumed and which is unique. This is the difference between a recommendation to drop a feed and a recommendation to keep both.
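The directional scoring described above can be sketched for the indicator dimension as follows. This is an added illustration, not Intel Fusion's implementation: the function names, the 0.9 subset threshold, and the sample feeds are assumptions, and normalization here covers only defang notation, case, and trailing dots.

```python
from itertools import combinations

def normalize(ioc: str) -> str:
    """Undo common defang notation and case differences so equal indicators compare equal."""
    s = ioc.strip().lower()
    for fanged, plain in (("hxxps://", "https://"), ("hxxp://", "http://"),
                          ("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[@]", "@")):
        s = s.replace(fanged, plain)
    return s.rstrip(".")  # drop the trailing root dot on FQDNs

def coverage(a: set, b: set) -> float:
    """Directional: share of source A's indicators that source B also carries."""
    return len(a & b) / len(a) if a else 0.0

def overlap_report(feeds: dict, subset_threshold: float = 0.9) -> list:
    """Score all n*(n-1)/2 pairs in both directions (threshold is an assumed cut-off)."""
    norm = {name: {normalize(i) for i in iocs} for name, iocs in feeds.items()}
    rows = []
    for a, b in combinations(sorted(norm), 2):
        b_covers_a = coverage(norm[a], norm[b])
        a_covers_b = coverage(norm[b], norm[a])
        if b_covers_a >= subset_threshold > a_covers_b:
            verdict = f"{a} subsumed by {b}"
        elif a_covers_b >= subset_threshold > b_covers_a:
            verdict = f"{b} subsumed by {a}"
        elif min(a_covers_b, b_covers_a) >= subset_threshold:
            verdict = "mutually redundant"
        else:
            verdict = "distinct"
        rows.append((a, b, round(b_covers_a, 2), round(a_covers_b, 2), verdict))
    return rows

# Constructed sample feeds (documentation-range IPs and example domains only)
FEEDS = {
    "feed_a": ["hxxp://bad.example[.]com/a", "198.51.100[.]7", "evil.example.net"],
    "feed_b": ["http://bad.example.com/a", "198.51.100.7", "EVIL.example.net.",
               "203.0.113.9", "c2.example.org", "192.0.2.44", "drop.example.org",
               "203.0.113.10", "stage.example.net", "192.0.2.45"],
    "feed_c": ["192.0.2.44", "unique.example.com"],
}

if __name__ == "__main__":
    for row in overlap_report(FEEDS):
        print(row)
```

Without the normalization step, feed_a and feed_b would share no indicators at all, which is the inflated uniqueness the text warns about.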

What the analysis surfaces

  • Redundant pairs that can be consolidated without losing operational coverage.
  • Asymmetric pairs where one source is effectively a subset of another.
  • Low-overlap, high-cost feeds that are pulling weight no other source covers.
  • Open-source and government feeds that already cover paid commercial intelligence.
  • Coverage adjacency: feeds whose strengths sit next to your existing gaps.

From overlap to action

Overlap is a measurement, not a decision. Intel Fusion pairs the correlation matrix with prioritized intelligence recommendations so analysts can move from "these feeds overlap by 73%" to "drop feed X, renew feed Y, and pilot feed Z to close the ICS gap." Recommendations cite the underlying overlap and ATT&CK coverage evidence so program managers can defend the decision in budget review.

See what your sources actually overlap on.

Request a demo and we will walk through your overlap matrix on real CTI data.