
How CISOs Turn Threat Intelligence Into Security Decisions | Steve Winterfeld, Akamai | TFiR


Threat reports land on security leaders’ desks every quarter, but the gap between reading findings and taking funded, prioritized action remains wide. DDoS attack volumes are hitting new peaks, DNS hygiene controls are still failing in mature enterprises, and agentic AI is creating an attack surface that few teams have formally assessed. The question is not whether the threats are real. The question is what to do on Monday morning.

In this interview on TFiR, Steve Winterfeld, Advisory CISO at Akamai, walks through how security leaders should extract decisions from threat intelligence reports, build the internal business case for foundational controls, and position their teams to take advantage of agentic AI rather than be caught off guard by it.

Guest: Steve Winterfeld, Advisory CISO at Akamai
Show: TFiR

Here is what every CISO and security leader needs to know.

Technical Deep Dive

Q: When a CISO reads a threat intelligence report, what is the first question they should ask?

Steve Winterfeld, Advisory CISO at Akamai, says the first question is whether the report changes any existing assumptions. Security leaders should scan for data points that require an active decision, not simply confirm what is already known. If the data introduces a new threat pattern or a meaningful shift in attack volume, that finding needs to move immediately into a decision-making process.

“When I get a report like this, I want to understand, first of all, does this change any of my general assumptions? Is there data in here that I need to make a decision on?” — Steve Winterfeld, Advisory CISO, Akamai

Q: How should security teams respond to spikes in DDoS attack volumes identified in threat reports?

Winterfeld recommends using DDoS spike data as a direct trigger for validation testing. If a report shows that attack peaks have risen substantially, the immediate action is to confirm that current DDoS protections are calibrated to handle the new upper bound, not the volumes they were originally scoped for. This is a concrete, testable action that translates threat data into operational readiness.

“Seeing the spike in DDoS attacks may make me want to go validate that my current DDoS protections will meet the level of these new surges, these new peaks.” — Steve Winterfeld, Advisory CISO, Akamai

Q: How can threat report data be used to justify security budget or policy decisions to leadership?

Winterfeld uses third-party threat reports as evidence in leadership conversations, particularly when seeking budget, headcount, or policy approval. Industry statistics on attack trends carry more weight in executive discussions than internal assertions alone. If a report documents rising attack frequency or new threat categories, that data becomes the foundation for a business case rather than an opinion.

“I have statistics on why I need more money or effort or focus or a policy approved.” — Steve Winterfeld, Advisory CISO, Akamai

Q: Why does DNS hygiene still matter for enterprise security teams, and how should it be prioritized?

Winterfeld is direct: foundational DNS controls remain a critical gap for many organizations despite being a well-understood problem. The business case for getting DNS hygiene right is strengthened by threat report data, which can demonstrate to leadership why foundational controls cannot be deferred in favor of more visible investments. Hygiene still matters, and threat data provides the justification to act on it.

“Hygiene still matters. And I need those foundational DNS controls.” — Steve Winterfeld, Advisory CISO, Akamai

Q: How should security teams approach agentic AI as both a tool and a threat surface?

Winterfeld frames agentic AI as something security teams need to understand on both sides of the equation: as a capability they can adopt and as a risk they need to assess. The emphasis is on taking advantage of agentic AI as a new tool while also building the awareness to account for how it changes attacker behavior and enterprise exposure. Neither ignoring it nor treating it as purely a threat is the right posture.

“It’s understanding things like agentic AI and taking advantage of that new tool.” — Steve Winterfeld, Advisory CISO, Akamai

Q: What role does situational awareness play in a mature security program?

Winterfeld places visibility and situational awareness at the center of effective security operations, regardless of the specific threat category being addressed. Across DDoS, DNS, and emerging AI risks, the common requirement is that security teams maintain clear sight lines into what is happening in their environment. Threat intelligence reports are valuable precisely because they extend that situational awareness beyond the organization’s own telemetry.

“Visibility is still king. Situational awareness is critical.” — Steve Winterfeld, Advisory CISO, Akamai

Q: How do threat intelligence findings translate into validation testing exercises?

Winterfeld describes threat intelligence reports as drivers for structured validation testing. When a report surfaces a new attack pattern or a shift in how adversaries operate, the logical next step is to test whether existing controls hold up against that updated threat model. This closes the loop between external intelligence and internal readiness, ensuring that threat data produces measurable security outcomes rather than awareness alone.

“Understanding these reports will drive validation testing exercises.” — Steve Winterfeld, Advisory CISO, Akamai

Resources & Documentation

  • Akamai State of the Internet Report, Akamai’s annual threat intelligence and internet security research publication referenced in this discussion
  • MITRE ATT&CK Framework, adversary tactics and techniques knowledge base referenced by Winterfeld as a framework for evaluating threat data

***

Full Raw Transcript

Swapnil Bhartiya: If a CISO or a security leader reads this report, they are probably thinking, okay, so what do I actually do with this? What’s your guidance on turning these findings into action?

Steve Winterfeld: So we obviously make recommendations in there, but ultimately, when I get a report like this, I want to understand, first of all, does this change any of my general assumptions? Is there data in here that I need to make a decision on? For instance, seeing the spike in DDoS attacks, that may make me want to go validate that my current DDoS protections will meet the level of these new surges, these new peaks in ATT&CK, you know, and this one is a lot that I can go back and talk to my leadership and I have statistics on why I need more money or effort or focus or a policy approved to get DNS working, because hygiene still matters. And I need those foundational DNS controls. It’s understanding things like agentic AI and taking advantage of that new tool. Ultimately, visibility is still king. Situational awareness is, is critical. And so that’s as we look at all these. And again, understanding to take advantage of this, it’ll drive validation testing exercises. So I think that’s kind of what I get out of these reports.
