How to Interpret Your Impact and Metrics Dashboard
A guide to understanding your metrics and turning program activity into business evidence.
Introduction
Security teams have always known that intelligence drives better outcomes. The challenge has been proving it in the language of the business. Boards, CFOs, and CIOs are looking for measurable risk reduction tied to business context, not threat counts.
The Impact and Metrics Dashboard gives every Recorded Future customer a live, continuously updated view of the value their program is generating. It pulls from your environment, your alerts, your integrations, your threat detections, and your analyst activity, and surfaces the metrics that map to the business and security outcomes your leadership cares about.
Today, the dashboard surfaces key metrics across the Platform to start the conversation and give your team something concrete to point to. Over time, the calculations will become more personalized, the benchmarks more specific to your organization, and the integration with your business context deeper.
Use this guide to understand your metrics, the value you are achieving, and how to turn program activity into business evidence that resonates with your organization.
Set Your Priority Intelligence Requirements
The dashboard is only as useful as the intelligence program behind it. Before reviewing your metrics, the most important step is defining your Priority Intelligence Requirements, or PIRs. They define what your team should be monitoring, alerting on, and reporting against. Examples include:
- Which threat actors are actively targeting organizations in our sector?
- Are vulnerabilities being weaponized that affect our technology stack?
- What is our credential exposure footprint?
- Are there active fraud or impersonation campaigns targeting our brand?
The dashboard surfaces metrics based on the PIRs that tailor your alerts and collections to your organization. Your reporting then reflects how well your intelligence program answers the questions the business actually wants to know.
How to set up PIRs
- In the Recorded Future Platform, navigate to Settings and select Intelligence Requirements.
- Define your top PIRs based on your organization's sector, technology stack, and known exposures.
- Align your alerts, monitoring rules, and collections to those requirements.
- Review and update PIRs at least quarterly, or when your threat environment changes.
Your Key Metrics
The sections below explain each metric, how to read it, what good looks like, and what action to take.
Platform-Wide Security Value
This is the aggregate view of risk reduction and intelligence coverage across your environment. It is designed for leadership conversations and business reviews.
| Why it matters | This panel summarizes the impact of your Recorded Future program across detections, prioritized security actions, time saved, and estimated business value. It is the starting point for any executive conversation about the value of your intelligence investment. |
| How to read it | It shows the total number of detections Recorded Future enriched, the prioritized security actions your team drove, the estimated weeks of work saved, and the estimated dollar value of business impact, all calculated across your selected time period. |
| What good looks like | A growing aggregate value over time, with detections and security actions trending upward as your team engages more deeply with the platform. The number should tell a coherent story when paired with your PIRs. |
| Action to take | Use these metrics as the opening slide in your readouts. Pair them with one or two specific examples from other sections of the dashboard to give the number context. |
Threat Prioritization
This section covers Threat Actors and Malware Families and the Recorded Future AI summary. Together they show which threats are relevant to your organization and why.
Threat Actors and Malware Families
| Why it matters | Security lacks relevance, not intelligence. This visual filters global threats to those targeting your organization, ranked by intent and opportunity, turning awareness into operational guidance. |
| How to read it | The visualization reads left to right. The global universe of threats enters on the left. Organizational context filters out the vast majority in the middle. What remains is ranked by attacker intent and their opportunity to target your organization. They are then assigned High, Moderate, or Basic priority. |
| What good looks like | A stable High priority tier indicates genuine, near-term risks. You should be able to see who is targeting you, how, and your mitigation steps. Program success is proven by mitigated threats, while new entries show the intelligence is live. |
| Action to take | For each High and Moderate priority threat, use the Intelligence Cards and evidence details to understand exactly why it is prioritized for your organization. Download associated detection rules and IOCs so teams can deploy and validate rather than manually translate intelligence into action. Use Autonomous Threat Operations to keep the response current as the landscape shifts. |
Recorded Future AI Insights
| Why it matters | An AI-generated summary of your top three priority threat actors and top three malware families, with an explanation of why each is relevant to your organization. These correspond directly to the High priority entries in the threat and malware maps. |
| How to read it | Complements the metrics to its left. Provides narrative context behind the data, making the prioritization defensible in a leadership conversation. |
| What good looks like | Summaries that reference specific organizational context such as your industry, technology stack, or recent peer targeting. |
| Action to take | Use the AI summary as a starting point for briefing leadership or security program owners. The summaries can be copied directly into internal updates or business review decks. |
Threat Detection
This section covers Detected Malware across Internal Telemetry, Connected Integrations, Threat Hunting, and Sandbox. Together they show how intelligence is moving through your security stack and where it is generating operational value.
Detected Malware across Internal Telemetry
| Why it matters | A company-specific look at malware threats found in your own telemetry, answering: what malware have we detected in our environment recently? |
| How to read it | Time-series chart showing detections per malware family over the past 90 days. Lines are color-coded by family. Spikes indicate unique activity that may signal a campaign or active incident. Filter by source to add granularity. |
| What good looks like | Fewer detections over time, with the detections you do have explained and actioned. For example, Cobalt Strike detections during a red team exercise are expected. Unexplained spikes are not. |
| Action to take | For valid detections, confirm that prevention is prioritized for those malware families. Use associated hunting packages for discovered malware to hunt for related threats and add preventions. Access the Intelligence Card Hunting Package directly and check that your integration is set up with Hunting Packages enabled. |
Connected Integrations
| Why it matters | Shows the volume of events from connected systems reporting back to Recorded Future, including Collective Insights®, the Sandbox, and other connections. Can pinpoint integration issues if volume drops unexpectedly. |
| How to read it | The Number of Events column shows valid detections reported back from each integration. Each organization has a different baseline, so trending lines matter more than absolute numbers. |
| What good looks like | Each organization has a different baseline from a pure event generation perspective. Good means understanding what is normal for your environment and what is not. The trending lines help establish that baseline over time. |
| Action to take | Open the Collective Insights® explorer to review recent detections and determine whether a volume increase or decrease can be explained. Pivot to the integration itself to troubleshoot any issues if volume is lower than expected. |
Threat Hunting
| Why it matters | Shows total Hunting Packages downloaded, Auto YARA rules, Auto Sigma rules, and enablement from integrations. Pre-built Insikt packages remove manual steps and improve hunt focus and success rates. |
| How to read it | Each row shows download counts and time saved. Time saved reflects the efficiency gained versus building rules manually. |
| What good looks like | More hunts generally mean a more proactive security posture. Incorporate pre-built hunting packages to run more hunts and minimize the time needed to kick off a high-priority hunt. |
| Action to take | Leverage Insikt Hunting Packages directly within the platform for your current priority threats. Use Auto YARA within Malware Intelligence and complete the RFU course to build team fluency. Use Auto Sigma within Malware Intelligence for automated rule generation. |
Sandbox
| Why it matters | A sandbox answers whether a suspicious file or URL is actually malicious and what it does, going beyond what signature-based tools can provide. |
| How to read it | The visualization reads left to right. Total submissions split into websites and files, then categorized as malicious, suspicious, or non-malicious. Band widths reflect volume. Malicious and suspicious categories require the most attention. |
| What good looks like | Low and stable malicious verdicts over time, suspicious verdicts actively resolved, and consistent use embedded in operational workflows rather than ad hoc. |
| Action to take | For every malicious or suspicious verdict, use the Intelligence Cards to surface full context on the malware identified, including behavior, associated threat actors, and known TTPs. Operationalize IOCs from sandbox reports immediately, feeding them into detection and prevention tooling to block related infrastructure and hunt for additional instances across the environment. |
Digital Risk Protection
This section covers your organization's external exposure: fraud, brand impersonation, and credential threats. For organizations with significant brand or customer risk, this is where intelligence ROI becomes immediately tangible and explainable to a CFO.
| Why it matters | The funnel shows not just the number of detections potentially impacting your brand, but the analysis and prioritization Recorded Future applies to ensure high relevance and actionability. |
| How to read it | Left to right, the funnel shows total detections across malicious sites, code repositories, and dark web sources. The blue line indicates those assessed as actionable based on your alert configuration, broken down by High, Moderate, and Informational severity. The vast majority flow to "Not Alerted," meaning noise has already been filtered. |
| What good looks like | Most volume in detections and "Not Alerted," with a smaller portion in Alerts. This means Recorded Future is appropriately triaging brand threats and your team is working a focused, high-relevance alert set. The inversion, where Alerts volume exceeds Not Alerted, suggests misconfiguration or overly permissive alerting. |
| Action to take | Drill into High alerts first. Separate by use case to identify the highest frequency threat type. Review configuration to ensure coverage of brand assets, key executives, and customer-facing properties. Use the CSV export to build a remediation log for legal or compliance teams. |
Account and Credential Monitoring
Compromised credentials are one of the leading causes of breach. See the identity threats your program has surfaced and remediated before they became incidents.
| Why it matters | Link leaked credentials to the specific platforms they affect. These notifications offer a straight path to log data and impacted profile specifics. Mitigation can happen in just a few hours, neutralizing the threat before malicious actors exploit the compromised data. |
| How to read it | Shows total credentials compromised, authorization URLs identified, and credentials identified within 24 hours, broken down by technology exposed. A high number of exposed credentials signals workforce cyber hygiene that can be improved. Authorization URLs indicate the scope of your digital identity footprint. |
| What good looks like | A high percentage of credentials identified within 24 hours, giving your team the earliest possible window to act. Declining credential exposure over time as remediation workflows take hold. |
| Action to take | Timely alerting is often all it takes to mitigate the threat. Streamline remediation through IAM and SOAR integrations to enable automated session revocation, mandatory password resets, and enhanced risk-based authentication challenges. |
Recorded Future AI and Insikt Group® Research
This section covers how your team is leveraging AI-powered automation and expert research to extend analyst capacity, which helps make the efficiency case for your intelligence program.
Recorded Future AI Reports
| Why it matters | Report creation is one of the most time-consuming activities for any intelligence team. Recorded Future AI can generate highly accurate, tailored reports for stakeholders in significantly less time than manual production. |
| How to read it | Delivered reports are generated and automatically sent to subscribers on a schedule. Downloaded reports are exported as PDFs from the Platform. The bar chart shows report volume over time, broken down by delivery method. The trend indicates whether AI-assisted reporting is becoming more embedded in your team's workflow. |
| What good looks like | A growing number of delivered reports over time, indicating increasing adoption and automation. Good also looks like a balance between delivered and downloaded reports, suggesting intelligence is both proactively pushed to stakeholders and available on demand. Even a small number of well-scoped, well-targeted reports is valuable if they are reaching the right audiences. |
| Action to take | Explore the different report types available by asking Recorded Future AI directly. Tailor reports to specific stakeholders based on their role and technical proficiency. A CISO readout looks different from an analyst briefing. Use scheduled delivery to ensure intelligence reaches stakeholders without requiring manual effort each cycle. |
Insikt Group® Research
| Why it matters | Insikt Group research is curated, expert-authored intelligence within the Platform. It expands your team's effective bench of experts without expanding headcount. |
| How to read it | Shows total Insikt Group Notes read for the selected period, broken down by type including Flash Reports, finished intelligence, and authored detection rules. |
| What good looks like | Increasing Notes read over the previous period, with engagement across multiple note types, particularly Flash Reports and detection rules that can be acted on immediately. |
| Action to take | Identify which note types are most relevant to your current PIRs. Deploy Insikt-authored detection rules directly. Build Flash Report review into your regular workflow during periods of elevated threat activity. |
Getting the Most from the Dashboard
The dashboard is designed to improve over time as your program matures and as Recorded Future adds more in-product data to the calculations. Here is how to get the most value from it now.
Recommended cadence
| Monthly | Review the dashboard to track changes and surface new impact figures to share with your team. |
| Quarterly | Use the dashboard as the foundation for your business review deck. Your TAM can help pull the relevant metrics and contextualize them against your PIRs. |
| At renewal | Use the metrics to demonstrate program value and build the case for continued or expanded investment. |
How to use the dashboard in leadership conversations
Start with the Platform-Wide Security Value metric. This is the starting point for any executive conversation. Then use the other sections to tell the story behind the number: which threats were prioritized, how intelligence moved through the stack, and what was remediated before it became an incident.
How to share feedback
Use the Share Feedback button within the dashboard to tell the product team how you think about outcomes, how you want to calculate metrics, and what would make the dashboard more useful in stakeholder conversations. Your feedback directly shapes how the dashboard evolves.
Resources
- Impact and Metrics Dashboard: navigate to Dashboards > Impact and Metrics in your Recorded Future instance.
- Intelligence Requirements setup: Intelligence Requirements