Cybersecurity

Editor’s Note: CNA achieved these results using ThreatConnect, now a core part of Dataminr for Cyber Defense.

About CNA

CNA is one of the largest U.S. commercial property and casualty insurance companies, serving businesses and professionals for more than a century. With global operations and a diverse portfolio, CNA prioritizes a strong cybersecurity posture to protect customer data, business operations, and brand trust across its ecosystem.

  • Organization size: 6,500 employees
  • Industry/sector: commercial property and casualty insurance
  • Headquarters: Chicago, Illinois

To strengthen its threat intelligence (TI) capabilities and streamline collaboration across teams, CNA turned to ThreatConnect’s Threat Intelligence Platform (TIP) (now part of Dataminr for Cyber Defense)—unifying data, workflows, and automation into one connected system.

Ben Keenan, Director of Threat Intelligence at CNA, has been instrumental in building the company’s threat intelligence program from the ground up—leading CNA’s evolution toward a proactive, data-driven, and automated intelligence model.

“ThreatConnect has become the backbone of how we manage, prioritize, and communicate threat intelligence across CNA,” Ben Keenan said. “It’s allowed us to move from reactive analysis to a proactive, measurable program that delivers real value to the business.”

The Challenge

When Keenan joined CNA over three years ago, the company’s threat intelligence function was still in its early stages. The team was piloting ad-hoc tools and manually pushing intelligence into Security Operations, limiting scalability, visibility, and demonstrable business impact. 

Key Challenges:

  • No centralized threat intelligence platform or case management system
  • Manual, time-consuming intelligence review and prioritization processes
  • Difficulty correlating data across multiple tools (e.g., Proofpoint, SIEM, vulnerability scanning)
  • Limited visibility into which threats posed the most risk to CNA
  • Inability to document or measure analyst workflows and outputs
  • Need to integrate diverse data sources and automate workflows

“Before ThreatConnect, everything was manual—from identifying relevant intel to creating reports,” said Keenan. “It was difficult to develop metrics or demonstrate our value to the business.”

Early on, Keenan focused on defining CNA’s Threat Profile and Priority Intelligence Requirements (PIRs)—conducting interviews across departments and establishing 16 clearly defined intelligence priorities to guide data collection and analysis. However, with limited integration and automation in their existing threat intel tech stack, it became clear CNA needed a purpose-built threat intelligence platform to connect its ecosystem and scale operations. 

The Solution: Building a Connected and Efficient Intelligence Cycle

With ThreatConnect, now a part of Dataminr, CNA established an end-to-end, automated intelligence cycle—from collection and analysis to dissemination and continuous improvement. Key capabilities include:

Automated Collection

ThreatConnect integrated seamlessly with CNA’s external intelligence providers, including Silobreaker, StrikeReady, and Proofpoint. Relevant intelligence is automatically mapped to CNA’s 16 PIRs, while custom playbooks tag and categorize data according to CNA’s unique risk criteria.

“Automation lets us cover more ground, faster,” Keenan noted. “Now, when new intel comes in, we can delegate it immediately—turning it into something actionable in minutes instead of hours.”

Case Management

Analysts can document every step of an investigation directly in ThreatConnect, now a part of Dataminr, creating a searchable archive of intelligence that enables accountability, consistency, and measurable metrics across teams.

“I love that we can document every stage of our process within ThreatConnect,” said Keenan. “It’s allowed us to create a reliable archive of our intelligence and a clear framework for collaboration.”

Playbooks

CNA utilizes more than 325 active playbooks to automate enrichment, tagging, scoring, and case creation. Custom scoring models rate threat actors based on intent and capability across six factors, helping prioritize the most relevant threats.

Custom Integrations

Through close collaboration with ThreatConnect engineers Travis, Angel, and John, CNA developed unique integrations tailored to its environment:

  • Silobreaker Integration: Automates searches aligned to PIRs, auto-creates cases, tags context, and assigns analysts for review.
  • StrikeReady Integration: Enables bidirectional intel sharing with the SOC, accelerating investigations with enriched context.
  • Proofpoint Integration: Brings Proofpoint TAP data into ThreatConnect for correlation with other intelligence sources, unifying visibility into phishing telemetry and malware activity.

“Our Proofpoint integration was a game-changer,” Keenan explained. “It brought together all the intel we were collecting in silos, letting us correlate data and prioritize the threats that truly mattered.”

Why CNA Chose ThreatConnect, Now a Part of Dataminr

  • Purpose-Built for Threat Intel Analysts: Designed for deep analysis and collaboration—not just feed aggregation.
  • Full Intelligence Lifecycle Coverage: Supports every stage from requirement definition to dissemination.
  • Unparalleled Customization: Playbooks and APIs allow CNA to tailor workflows to its environment.
  • Seamless Integrations: Connects to CNA’s ecosystem, including SIEM, vulnerability management, Proofpoint, and StrikeReady.
  • Exceptional Support: Continuous collaboration with ThreatConnect engineers and leadership to develop new capabilities.

“ThreatConnect is a platform that was developed by threat intel analysts for intel analysts,” said Keenan. “It’s not just another feed aggregator—it’s how we collect, analyze, and produce intelligence that matters to our business.”

The Impact: Quality Over Quantity for Smarter Threat Prioritization

With ThreatConnect, now a part of Dataminr, CNA shifted its focus from tracking every threat to tracking the most relevant threats—prioritizing based on intent, capability, and observed activity against CNA’s environment.

“We all have limited resources,” said Keenan. “ThreatConnect helps us focus on the threat actors and vulnerabilities that pose the greatest risk to CNA. That focus has improved both our efficiency and our posture.”

Results at a Glance

  • 325+ playbooks automating the intel workflow
  • 6.5 million intel items processed
  • 17 actionable intelligence items identified
  • 190 threat actors actively tracked and prioritized
  • Significant reduction in response time and manual analysis
  • Improved morale as automation eliminates redundant, low-value work
  • Enhanced leadership confidence through measurable, transparent reporting

Demonstrating ROI

ThreatConnect’s automation, documentation, and analytics capabilities have empowered CNA to prove the value of its threat intelligence function across the enterprise. ROI highlights include: 

  • Faster time to insight and reduced manual effort
  • Clear metrics on case volume, analyst performance, and relevance of intel
  • Data-driven investment decisions based on source effectiveness
  • Recognition from CNA leadership for program maturity and measurable results

“Our security officers and peers consistently recognize the value we’re delivering,” said Keenan. “We’ve built something that other teams at CNA now point to as a model of how to operationalize intelligence.”

By leveraging ThreatConnect, now a part of Dataminr, CNA transformed its threat intelligence operations from manual and reactive to automated, measurable, and business-aligned. The platform’s flexibility, integrations, and support have enabled CNA to focus on what matters most: protecting customers and the organization with intelligence that drives action.

“The support from ThreatConnect has been phenomenal—from engineers helping us customize integrations, to leadership personally engaging with us,” Keenan said. “ThreatConnect has fundamentally changed the way we approach intelligence. It’s made us more efficient, more confident, and more valuable to the business.”

March 25, 2026