Australia’s cyber threat landscape continues to evolve rapidly, with increasing volumes of sophisticated and targeted attacks impacting both public and private sector networks.
According to the latest Australian Signals Directorate (ASD) Annual Cyber Threat Report, over 87,400 cybercrime reports were made in 2023–24, averaging one report every six minutes. Notably, government, healthcare, education, and critical infrastructure sectors remain among the most targeted, highlighting the urgent need for enhanced threat visibility and faster response capabilities across the national ecosystem.
Complementing this, Cisco Talos’ Q2 2025 Incident Response Trends report noted that ransomware remained the top threat, making up half of all Talos IR engagements. Talos’ 2024 Year in Review also highlights that threat actors are increasingly exploiting valid credentials and employing living-off-the-land techniques to evade traditional defences, demonstrating a trend toward stealthier, more persistent threats that demand a new level of operational readiness.
In response to the evolving cyber threat environment, the Australian Government has taken proactive steps to strengthen national cyber defences—including through the establishment of the Cyber Threat Intelligence Sharing (CTIS) service, operated by Australia’s lead cyber agency ASD.
CTIS is a secure, automated threat intelligence exchange platform managed by ASD. CTIS facilitates machine-speed sharing of indicators of compromise (IOCs), tactics, techniques and procedures (TTPs), malware signatures, and other threat data between trusted government and industry participants.
Unlike manual or ad-hoc sharing models, CTIS:
In short, CTIS turns intelligence into action—quickly, securely, and collaboratively.
Participation in the CTIS program is voluntary and open to a wide range of trusted public and private sector entities that meet defined eligibility and trust criteria.
Since its launch in 2022, CTIS has seen significant growth: from July 2023 to June 2024 it enabled the sharing of over 1,372,434 pieces of threat intelligence, with partner participation increasing nearly seven-fold. In late 2024, ASD delivered a new in-house CTIS platform that further enhances government and industry’s ability to share cyber threat intelligence, becoming a cornerstone of Australia’s collective cyber defence ecosystem.
The Australian Government has significantly raised its expectations regarding cyber threat visibility and intelligence sharing across the public sector. Since the July 2024 Protective Security Policy Framework (PSPF) Direction 003-2024 released by the Department of Home Affairs, CTIS participation has been mandatory for all non-corporate Commonwealth entities. This marks a pivotal policy shift, recognising that timely, actionable threat intelligence is no longer a best practice but a national imperative for both organisational resilience and collective defence.
This shift is underscored by the latest ASD Annual Cyber Threat Report, which revealed that federal, state, and local governments collectively made up nearly half (49%) of the top ten sectors reporting incidents to ASD. CTIS is designed to help close this gap by enabling agencies and trusted partners to see, share, and stop threats earlier—moving from reactive defence to proactive, intelligence-led security.
However, CTIS is not just a tool for the government—it’s a capability with economy-wide relevance. As threat actors increasingly target finance, telecommunications, health, education, and other critical infrastructure sectors, the need for real-time threat intelligence and collaboration across public and private domains has never been greater. By improving visibility into emerging threats and enabling faster, coordinated responses, CTIS strengthens the broader ecosystem and supports the resilience of the services Australians rely on every day.
Splunk is proud to have partnered with ASD to develop a CTIS plug-in for Splunk Enterprise Security, enabling organisations using our platform to seamlessly connect to CTIS, contribute cyber threat intelligence, and receive timely, validated insights in return.
Splunk Enterprise Security (ES) is a leading Security Information and Event Management (SIEM) solution designed to help organisations detect, investigate, and respond to threats at scale. Built on the Splunk platform, it provides real-time visibility across diverse IT environments, enabling security teams to make informed, data-driven decisions and reduce the time to detect and respond to cyber threats.
At its core, Splunk ES ingests and correlates data from across an organisation’s digital estate—including logs, cloud services, endpoints, firewalls, and identity systems—to deliver real-time insights and security analytics. It leverages a risk-based alerting framework to reduce alert fatigue by assigning contextual risk scores to entities, allowing security analysts to prioritise incidents that pose the greatest threat to the business. Splunk ES also supports a Threat Detection, Investigation, and Response (TDIR) approach, unifying these stages into a streamlined workflow that accelerates incident resolution, improves SOC efficacy, and enhances situational awareness.
The platform also includes an interactive Investigation Workbench that consolidates relevant events, threat intelligence, and historical context to support efficient triage and collaborative investigation. Native integration with threat intelligence platforms, including Splunk Threat Intelligence Management, enables enrichment of indicators of compromise (IOCs) and enhances detection fidelity.
Splunk ES is aligned with industry-standard frameworks such as MITRE ATT&CK and supports compliance monitoring for regulatory requirements like PCI-DSS, NIST, and ISO 27001. It provides a range of out-of-the-box dashboards, correlation searches, and reports that can be tailored to meet the specific needs of different sectors.
Importantly, Splunk ES is Information Security Registered Assessors Program (IRAP) assessed, providing assurance that it aligns with the Australian Government’s security requirements for handling sensitive and classified information. This makes it a trusted solution for agencies and critical infrastructure providers seeking to align with national cyber policies and uplift their security operations in line with ASD guidelines.
Splunk ES also integrates seamlessly with Splunk SOAR to automate investigative and response actions—such as threat enrichment, ticket creation, and containment—enabling organisations to improve their operational efficiency and reduce mean time to respond (MTTR).
As governments and critical infrastructure providers face increasingly complex and persistent cyber threats, solutions like Splunk ES are essential to shifting from reactive to proactive cyber defence. By delivering visibility, context, and automation in a single platform, Splunk ES helps public and private sector organisations strengthen their cyber resilience and accelerate their response to emerging threats.
Our new CTIS plug-in helps customers operationalise threat intelligence. If your organisation is using Splunk ES, this plug-in allows you to:
Whether you're in the public sector or supporting critical infrastructure, this capability makes it easier to connect to CTIS, leverage ASD’s rich threat intelligence, give back threat intelligence to enhance our collective resilience and—if you're a government agency—align with PSPF obligations while gaining a clear operational security advantage.
It’s often said that cyber security is a team sport—and in today’s threat environment, that’s never been more true. We all have a role to play, and the stakes are too high to go it alone. When private sector organisations contribute relevant threat intelligence to CTIS, we enhance national visibility, improve our ability to detect and respond to threats faster, and strengthen Australia’s collective cyber defences.
Splunk is proud to support this critical national capability and to play our part in strengthening Australia’s cyber resilience. By enabling seamless integration with CTIS, we’re helping our customers not only benefit from ASD’s threat intelligence, but also contribute their own insights, enhancing the national threat picture and accelerating collective response. The CTIS plug-in will not only enable Splunk customers who are also ASD partners to send and receive threat intelligence; it will also enable them to deploy indicators of compromise (IOCs) to their security controls to defend their infrastructure and perform hunt activities.
If you're already using Splunk ES, we encourage you to use the CTIS plug-in and become part of Australia’s collective cyber defence. By contributing relevant threat intelligence back to ASD, you’ll be helping to enrich the national threat picture, close visibility gaps, and protect not just your organisation, but the entire ecosystem.
This is your opportunity to give back, help build a stronger national defence, and demonstrate cyber leadership. Together, we can make faster, smarter decisions—and stay ahead of evolving threats.