Cosive Principal Consultant and CTI expert Prescott Pym discusses the how and why of threat sharing communities, including CTIS, the Australian Signals Directorate's national threat sharing program.
Summarised transcript below:
Tash: Hey, I'm Tash and I lead marketing at Cosive.
Prescott: Hi, I'm Prescott Pym, a Principal Consultant at Cosive. I've been with Cosive since November last year, and I really enjoy helping organisations shape their SOC and CTI programs.
Tash: Today we’re going to talk about threat sharing communities. To start, some people may know what that means, others might not. Can you give us a quick summary?
Prescott: A threat sharing community is a group of like-minded people who come together and form a community around the threats they’re seeing. They collaborate and share information to get a kind of herd immunity, complementing each other’s programs and helping reduce risk.
Tash: There’s been a bit of a journey over time with threat sharing, right?
Prescott: Yeah. It used to be a bit more backroom — only people “in the know” would share. There was a lot of hesitation, especially around sharing potential breaches. But in the last five years or so, that’s changed. Organisations are seeing the value. Things like the Cyber Security Act have helped — with provisions around incident reporting and protections for those who share information.
Tash: These communities can take all kinds of forms, can’t they?
Prescott: Definitely. They range from informal Signal groups where people just say, “Hey, I saw this, have you?” — through to Slack groups with international members, and larger formal programs like ASD’s Cyber Threat Intelligence Sharing (CTIS) initiative. That one lets you subscribe to feeds and share information back that might be relevant to others.
Tash: One thing I find really interesting is that you’ll often see fierce competitors — say, two big banks — in the same threat sharing group. Why do organisations that compete in everything else collaborate here?
Prescott: Great question. That’s something I’m passionate about. I’ve always been involved in community, and this is one of those areas where we’ve realised that if we don’t coordinate across sectors and across Australia, we’re worse off. Everyone sees a piece of the puzzle — only by combining it can we get a full picture. Over time, organisations have stopped competing on cyber. People move around between organisations, so those links stay strong, and there’s a high level of professionalism. But it all comes back to trust. You need to be able to trust what others in the group are sharing — and if you break that trust, you’re out.
Tash: So if someone wanted to join a threat sharing community — or wanted their organisation to join — how do they actually get involved?
Prescott: It’s tricky. There’s no public list of groups to join. Some are closed, some are more open. A lot of it is who you know. The best way is through your professional network — building connections in your industry and asking around. Someone might be able to sponsor you into a group, vouch that you're a trusted entity. You also need to be doing it for the right reasons. Threat actors would love access to this information, so it’s important these groups stay secure.
Tash: Let’s say someone gets invited to a group. What kind of organisational maturity do they need to participate?
Prescott: It varies. Some organisations are just reacting — there’s been a breach, and they want indicators to check if they’re affected. Others are doing proactive CTI work, integrating with their SIEM, maybe even automating detection and response. At the high end, you’ve got organisations who can search their whole environment within seconds of receiving a new intel feed. But you don’t need that to start. Think about your objectives first — what are you trying to get out of threat intel? That’ll guide the rest.
Tash: What does participating in a threat sharing group actually look like day-to-day?
Prescott: It depends on the group. Some are a firehose of data — you just take what you need. Others expect contributions back. That’s important because the ecosystem only works if people actually share. Formal sharing can be hard — legal blockers, politics, or just the internal champion leaving. But even sharing once a year helps. If something has impacted you and might affect others, it’s better to share. Even just an IP or file hash can be useful. More mature teams might share TTPs, actor profiles, and confidence levels — but that’s not always consumable by every organisation.
Tash: What if an organisation is hesitant about sharing? Maybe they’re worried about revealing sensitive info?
Prescott: That’s a real concern. It varies a lot depending on the organisation. There could be regulatory limits or internal resistance. You need to approach it at multiple levels — technical, operational, and strategic. Start with a basic system — even a spreadsheet — or go all the way to a full threat intel platform. But you also need buy-in from the CISO and Board. Link it to risk management and strategy. That’s something we help clients with at Cosive.
Tash: You mentioned CTIS earlier — can you explain what that is?
Prescott: CTIS is ASD’s Cyber Threat Intelligence Sharing program. Cosive and Deloitte helped roll it out about four years ago. It now supports 400+ organisations across Australia, helping them consume and contribute to threat intel in a structured way. You can get data in formats like MISP or STIX/TAXII, which integrate into tools like SIEMs and XDRs. We’ve helped a lot of clients set that up and it’s been well-received internationally, too.
Tash: So it’s not just a Slack group — CTIS can pipe data into systems and support automated detection?
Prescott: Exactly. That’s the challenge — not just receiving the data, but operationalising it. What do you do with it? How do you turn it into detections? It’s almost impossible for a human analyst to keep up with everything. Automation, orchestration, and even things like AI can help CTI teams stay on top of the volume of information and keep costs down.
Tash: Let’s say someone’s listening and wants to take the first step toward joining a threat sharing community. What should they do?
Prescott: Do a bit of internal reflection. What do you actually want out of a group? What threats are you trying to defend against? If you know that, you can be more targeted in who you reach out to and what kind of intel will actually help you.
Tash: Thanks Prescott — really insightful conversation. If anyone wants to chat more about CTI or threat sharing or get help joining something like CTIS, feel free to email us at hello@cosive.com.
Prescott: Thanks Tash, great to talk.