Definition
Threat intelligence — sometimes called cyber threat intelligence (CTI) — is the output of collecting, processing, and analyzing data about cyber threats to produce actionable knowledge. Gartner defines it as "evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets." The key word is actionable. Raw data becomes intelligence only when it has been analyzed in context and can inform a specific decision or defensive action.
At its core, threat intelligence answers four questions: Who is attacking (attribution and motivation), what are they after (targets and objectives), how do they operate (tactics, techniques, and procedures), and what can we do about it (detection rules, mitigations, and architectural changes). Without analysis that connects these dots, you have data — not intelligence.
The distinction matters because security teams drown in data. A typical enterprise SOC ingests millions of events per day, receives thousands of indicators from commercial feeds, and processes hundreds of vulnerability disclosures per month. Intelligence is what converts that firehose into a prioritized set of actions. It tells you which vulnerabilities the threat actors targeting your sector actually exploit, which indicators are relevant to your environment, and which detections you should write first.
The 4 Types of Threat Intelligence
Threat intelligence is traditionally categorized into four types based on audience, format, and time horizon. Each type serves a different function within an organization and is consumed by different stakeholders. The best CTI programs produce and consume all four types simultaneously.
Strategic Intelligence
Strategic intelligence is high-level, non-technical analysis designed for executives, board members, and senior leadership. It focuses on broad trends, geopolitical context, and risk to business operations. Strategic intelligence answers questions like: "Is our industry being targeted more than last quarter?" and "What is the risk profile of expanding operations into Southeast Asia?"
Format: Written reports, executive briefings, trend analyses. Timeframe: Months to years. Examples: Annual threat landscape reports from Mandiant, CrowdStrike, or Recorded Future; sector-specific risk assessments; nation-state attribution reports.
Tactical Intelligence
Tactical intelligence describes the tactics, techniques, and procedures (TTPs) that threat actors use. It is consumed by security architects, detection engineers, and red team operators who need to understand how attacks work in order to build defenses against them. Tactical intelligence has a longer shelf life than technical indicators because attackers can change their infrastructure in minutes but changing their methodology takes months or years.
Format: MITRE ATT&CK mappings, technique analyses, detection rule guidance. Timeframe: Months. Examples: An analysis showing that a particular ransomware group consistently uses Cobalt Strike with SOCKS5 proxy tunneling for lateral movement, enabling defenders to build detection rules targeting that specific behavior chain.
Operational Intelligence
Operational intelligence provides details about specific attacks, campaigns, or threat actors. It tells incident responders and threat hunters what to look for during an active campaign and helps them understand the adversary's goals, timeline, and infrastructure. This type is often the hardest to produce because it requires infiltration of adversary communications, analysis of ongoing campaigns, or detailed forensic work.
Format: Campaign reports, threat actor profiles, incident debriefs. Timeframe: Days to weeks. Examples: A report describing an active phishing campaign targeting financial institutions using a specific lure document, infrastructure pattern, and payload delivery chain — enabling SOC teams to search for those exact artifacts in their environment.
Technical Intelligence
Technical intelligence consists of machine-readable indicators of compromise (IOCs) — IP addresses, domain names, file hashes, URLs, email addresses, registry keys, and other artifacts directly associated with malicious activity. Technical intelligence has the shortest shelf life because attackers rotate infrastructure rapidly, but it is the most immediately actionable because it can be ingested directly into SIEM rules, firewall blocklists, and EDR policies.
Format: STIX/TAXII feeds, CSV/JSON indicator lists, YARA rules. Timeframe: Hours to days. Examples: A feed of command-and-control IP addresses associated with a specific malware family, updated every 6 hours.
| Type | Audience | Format | Shelf Life | Example |
|---|---|---|---|---|
| Strategic | Executives, board | Reports, briefings | Months-years | Industry threat landscape |
| Tactical | Security architects, detection engineers | TTP analyses, ATT&CK maps | Months | Ransomware group uses SOCKS5 tunneling |
| Operational | IR teams, threat hunters | Campaign reports | Days-weeks | Active phishing campaign details |
| Technical | SOC analysts, automated tools | IOC feeds, YARA rules | Hours-days | C2 IP blocklist |
The Threat Intelligence Lifecycle
The threat intelligence lifecycle is a continuous, iterative process consisting of six phases. It provides a structured methodology for transforming raw data into finished intelligence that drives defensive action. The model originates from military intelligence doctrine and has been adapted for cybersecurity by organizations including SANS, NIST, and the Intelligence Community.
Phase 1: Direction
Direction sets the intelligence requirements — what questions need to be answered and for whom. This phase is driven by organizational priorities: which assets are most critical, which threat actors are most relevant, and what decisions the intelligence will support. Requirements should be specific and prioritized. "Tell us about APT groups" is a topic, not a requirement. "Which APT groups have targeted the financial sector with supply chain attacks in the past 12 months, and what detection gaps do we have?" is an intelligence requirement that can actually be answered, and whose answer maps to a decision (which detections to build first).
Phase 2: Collection
Collection gathers raw data from internal and external sources. Internal sources include SIEM logs, EDR telemetry, firewall logs, DNS query logs, email gateway logs, and incident reports. External sources include open-source intelligence (OSINT), commercial threat feeds, information sharing communities (ISACs), government advisories (CISA, NCSC), dark web monitoring, and vendor threat reports. The challenge is not finding data — it is collecting the right data efficiently and at scale.
Phase 3: Processing
Processing transforms raw collected data into a format suitable for analysis. This includes normalization (standardizing date formats, IP notations, and naming conventions), deduplication, enrichment (adding geolocation, WHOIS data, passive DNS history, and reputation scores to indicators), translation of foreign-language sources, and structured storage. Automation is critical at this phase — manual processing cannot keep pace with modern data volumes.
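The processing step as a worked example (added here; this is not code from the page or from Threadlinqs): two constructed feeds, one CSV and one JSON, with the usual defects (defanged values, mixed case, trailing dots, inconsistent dates, the same indicator in both). The script refangs and canonicalizes each value, types it from the value itself rather than from the feed's label, deduplicates across feeds while keeping the earliest first-seen date and every source, derives the host from each URL, and flags two classes of noise a blocklist should never receive: private or reserved IP addresses and the well-known hashes of empty input. The feed contents, source names and flag names are assumptions; 198.51.100.0/24 is an RFC 5737 documentation range.

```python
import csv
import io
import ipaddress
import json
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit, urlunsplit

# Constructed feeds with no real indicators (198.51.100.0/24 is an RFC 5737 documentation
# range). They carry the defects real feeds do: defanging, mixed case, trailing dots,
# three date formats, and overlap between feeds.
FEED_CSV = """indicator,type,first_seen
HXXP://Evil-Example[.]com/Payload.exe,url,2024-03-01T10:00:00Z
evil-example[.]com,domain,2024-03-01
198.51.100.23,ip,2024/03/02
D41D8CD98F00B204E9800998ECF8427E,md5,2024-03-02T00:00:00Z
10.0.0.5,ip,2024-03-02
"""
FEED_JSON = json.dumps([
    {"value": "Evil-Example.com.", "kind": "fqdn", "seen": "2024-03-03"},
    {"value": "d41d8cd98f00b204e9800998ecf8427e", "kind": "md5", "seen": "2024-02-28"},
    {"value": "hxxps://Login-Example[.]net/", "kind": "url", "seen": "2024-03-04"},
])
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%Y/%m/%d")
# MD5 and SHA-256 of empty input: feeds do carry them, and they match every empty file.
KNOWN_NOISE_HASHES = {"d41d8cd98f00b204e9800998ecf8427e",
                      "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}


def parse_date(text):
    """Collapse the date formats feeds use into one ISO-8601 UTC string."""
    for fmt in DATE_FORMATS:
        try:
            dt = datetime.strptime(text.strip(), fmt).replace(tzinfo=timezone.utc)
            return dt.strftime("%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
    raise ValueError(f"unrecognized date: {text!r}")


def refang(value):
    """Undo common defanging so the value matches what appears in logs."""
    v = re.sub(r"\[\.\]|\(\.\)", ".", value.strip()).replace("[:]", ":")
    return re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)


def canonicalize(raw):
    """Return (type, canonical value), typed from the value itself, not the feed's label."""
    v = refang(raw)
    for name, length in (("md5", 32), ("sha1", 40), ("sha256", 64)):
        if re.fullmatch(rf"[0-9a-fA-F]{{{length}}}", v):
            return name, v.lower()
    try:
        return "ip", str(ipaddress.ip_address(v))
    except ValueError:
        pass
    if re.match(r"https?://", v, re.IGNORECASE):
        p = urlsplit(v)  # scheme and host are case-insensitive, the path is not
        host = p.hostname.rstrip(".")
        netloc = host if p.port is None else f"{host}:{p.port}"
        return "url", urlunsplit((p.scheme.lower(), netloc, p.path or "/", p.query, ""))
    if re.fullmatch(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}\.?", v):
        return "domain", v.lower().rstrip(".")
    raise ValueError(f"unrecognized indicator: {raw!r}")


def load_records(csv_text, json_text):
    """Read both feed formats into one stream of (raw value, date, source)."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        yield row["indicator"], row["first_seen"], "feed-csv"
    for item in json.loads(json_text):
        yield item["value"], item["seen"], "feed-json"


def process_feeds(csv_text, json_text):
    """Normalize, deduplicate and flag indicators; returns records sorted by type and value."""
    merged = {}
    for raw, seen, source in load_records(csv_text, json_text):
        kind, value = canonicalize(raw)
        first_seen = parse_date(seen)
        entries = [(kind, value, source)]
        if kind == "url":  # the host of a URL is an indicator in its own right (DNS, proxy logs)
            entries.append(("domain", urlsplit(value).hostname, "derived"))
        for k, v, src in entries:
            rec = merged.setdefault((k, v), {"type": k, "value": v, "first_seen": first_seen,
                                              "sightings": 0, "sources": set()})
            rec["first_seen"] = min(rec["first_seen"], first_seen)
            rec["sightings"] += 1
            rec["sources"].add(src)
            if k == "ip":  # private or reserved addresses in a feed are noise; never blocklist them
                rec["routable"] = ipaddress.ip_address(v).is_global
            elif k in ("md5", "sha1", "sha256"):
                rec["noise"] = v in KNOWN_NOISE_HASHES
    for rec in merged.values():
        rec["sources"] = sorted(rec["sources"])
    return sorted(merged.values(), key=lambda r: (r["type"], r["value"]))


if __name__ == "__main__":
    for rec in process_feeds(FEED_CSV, FEED_JSON):
        print(rec)
```

Running it collapses the nine raw rows into seven records: the domain seen in both feeds and derived from the URL merges into one record with three sightings, the upper- and lower-case copies of the hash merge and are flagged as noise, and both addresses come back with `routable` false because neither is a globally routable address. A real feed's public addresses would pass that check; the point is that the flag is computed before anything reaches a blocklist.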
Phase 4: Analysis
Analysis is where data becomes intelligence. Analysts correlate indicators, identify patterns, assess adversary intent and capability, and produce findings that answer the requirements defined in Phase 1. This is the most human-intensive phase and the one most difficult to automate. Good analysis requires domain expertise, structured analytical techniques (Analysis of Competing Hypotheses, red teaming), and the discipline to distinguish between what the evidence supports and what you assume.
Phase 5: Dissemination
Dissemination delivers finished intelligence to stakeholders in formats appropriate to their role. Executives receive strategic summaries. Detection engineers receive TTP analyses with rule recommendations. SOC analysts receive IOC feeds formatted for their SIEM platform. The format matters — intelligence that is technically sound but arrives too late, in the wrong format, or to the wrong audience has no operational value.
Phase 6: Feedback
Feedback evaluates whether the intelligence met stakeholder needs and refines requirements for the next cycle. Did the detection rules based on the intelligence actually fire? Did the strategic briefing influence a budget decision? Did the campaign report arrive before or after the attack hit our environment? This phase closes the loop and is what makes the process a cycle rather than a pipeline.
IOCs vs TTPs
The distinction between indicators of compromise and tactics, techniques, and procedures is one of the most important concepts in threat intelligence. David Bianco's Pyramid of Pain illustrates it as a hierarchy of how much it costs an adversary when defenders detect each indicator type: hash values at the bottom (trivial to change), then IP addresses (easy), domain names (simple), network and host artifacts (annoying), tools (challenging), and TTPs at the top (tough, the most difficult for attackers to change).
IOCs are specific artifacts — a SHA-256 hash, an IP address, a domain name — that evidence a compromise. They are immediately actionable (block this IP, flag this hash) but have a short shelf life. An attacker can recompile a binary to change its hash in seconds, register a new domain in minutes, and provision new infrastructure in hours. Chasing IOCs alone puts you on an endless treadmill.
TTPs describe how an adversary operates — their tradecraft. A technique like "using SOCKS5 proxy tunneling for lateral movement" or "creating scheduled tasks with randomized names for persistence" describes behavior that is much harder to change because it requires the attacker to develop new capabilities, retool their operations, and retrain their operators. Detecting at the TTP level forces adversaries to fundamentally change how they operate, which is expensive and slow.
The best intelligence programs work across the full pyramid simultaneously: IOCs for immediate blocking, TTPs for durable detection. If you can only invest in one, invest in TTPs. The detection rules they produce will catch variants of the same attack for months or years, long after every IOC from the original campaign has been rotated.
Key Frameworks
MITRE ATT&CK
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The Enterprise matrix is organized into 14 tactics (Reconnaissance through Impact) and catalogs over 200 techniques and hundreds of sub-techniques; separate matrices cover Mobile and ICS. ATT&CK serves as a common language for describing adversary behavior and is the de facto standard for mapping threat intelligence to defensive coverage. When a threat report says an actor uses T1572 (Protocol Tunneling), every analyst understands exactly what behavior is described, and a detection engineer can check whether any rule is tagged with that ID.
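Mapping a report's techniques against existing detections, as an added example (not code from the page or from MITRE): the actor technique list and the rule tags are constructed, though the IDs are real ATT&CK Enterprise IDs. It classifies each required technique as covered, partial (only a rule on the parent technique exists) or a gap, and emits an ATT&CK Navigator layer to visualize the result; the version strings in the layer are assumptions for a Navigator 4.x install.

```python
import json

# Constructed inputs (not from the page or any real report). Technique IDs are real
# ATT&CK Enterprise IDs; the attribution to an actor and the rule tags are assumptions.
ACTOR_TECHNIQUES = {
    "T1566.001": "Spearphishing Attachment",
    "T1059.001": "PowerShell",
    "T1053.005": "Scheduled Task",
    "T1003.001": "LSASS Memory",
    "T1572": "Protocol Tunneling",
    "T1021.002": "SMB/Windows Admin Shares",
    "T1486": "Data Encrypted for Impact",
}
DETECTION_RULES = [
    {"id": "rule-001", "title": "Office app spawning script host", "tags": ["T1566.001", "T1059.001"]},
    {"id": "rule-002", "title": "Scheduled task created from user-writable path", "tags": ["T1053"]},
    {"id": "rule-003", "title": "LSASS handle from unsigned process", "tags": ["T1003.001"]},
    {"id": "rule-004", "title": "Encoded PowerShell command line", "tags": ["T1059.001"]},
]
COLORS = {"gap": "#ff6666", "partial": "#ffe766", "covered": "#8ec843"}


def parent(technique_id):
    """T1053.005 -> T1053; a top-level technique is its own parent."""
    return technique_id.split(".")[0]


def coverage(actor_techniques, rules):
    """For each required technique: rules tagged with it, rules tagged only with its
    parent, and a status. Parent-only coverage is 'partial' because a rule written
    for the parent may not catch the specific sub-technique the actor uses."""
    by_tag = {}
    for rule in rules:
        for tag in rule["tags"]:
            by_tag.setdefault(tag, []).append(rule["id"])
    result = {}
    for tid in actor_techniques:
        exact = by_tag.get(tid, [])
        via_parent = by_tag.get(parent(tid), []) if "." in tid else []
        status = "covered" if exact else "partial" if via_parent else "gap"
        result[tid] = {"rules": exact, "parent_rules": via_parent, "status": status}
    return result


def gaps(actor_techniques, rules):
    """Technique IDs with no rule at all: the detection engineering backlog."""
    return sorted(t for t, c in coverage(actor_techniques, rules).items() if c["status"] == "gap")


def navigator_layer(actor_techniques, rules, name="Actor coverage"):
    """ATT&CK Navigator layer: one entry per required technique, colored by status.
    The version strings are assumptions for a Navigator 4.x install."""
    techniques = []
    for tid, c in coverage(actor_techniques, rules).items():
        covering = ", ".join(c["rules"] + c["parent_rules"]) or "no rule"
        techniques.append({
            "techniqueID": tid,
            "score": len(c["rules"]) + len(c["parent_rules"]),
            "color": COLORS[c["status"]],
            "comment": f"{actor_techniques[tid]}: {c['status']} ({covering})",
        })
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Detection coverage against techniques reported for the actor",
        "techniques": techniques,
    }


def layer_json(actor_techniques, rules):
    """Serialized layer, ready to load into Navigator via 'Open Existing Layer'."""
    return json.dumps(navigator_layer(actor_techniques, rules), indent=2)


if __name__ == "__main__":
    print("gaps:", gaps(ACTOR_TECHNIQUES, DETECTION_RULES))
    print(layer_json(ACTOR_TECHNIQUES, DETECTION_RULES))
```

With these inputs the gaps are T1021.002, T1486 and T1572, and T1053.005 is only partially covered by the parent-level rule, which is exactly the kind of finding that should come out of the Analysis phase and go to detection engineering in Dissemination.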
The Diamond Model
The Diamond Model of Intrusion Analysis defines four core features of any intrusion event: adversary, capability, infrastructure, and victim. Every intrusion event involves an adversary using a capability over some infrastructure against a victim. The model enables analysts to pivot between these features — given a known adversary, what capabilities and infrastructure do they use? Given an observed infrastructure indicator, what adversary and victims are involved? This pivoting is the foundation of intelligence-driven incident response.
Lockheed Martin Cyber Kill Chain
The Cyber Kill Chain maps the seven stages of an intrusion: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control (C2), and Actions on Objectives. While criticized for its linear model (modern attacks are often non-linear, and it focuses on perimeter-centric defense), the Kill Chain remains valuable for structuring defensive strategies: if you can break the chain at any stage, you prevent the adversary from achieving their objective. It is particularly useful for communicating defense-in-depth concepts to non-technical stakeholders.
STIX/TAXII
STIX (Structured Threat Information Expression) is a standardized language for representing threat intelligence, and TAXII (Trusted Automated Exchange of Intelligence Information; the 1.x expansion was "Indicator Information") is the transport protocol for sharing it: an HTTPS-based API in which clients poll or push collections of STIX objects. Together, they enable automated exchange of threat intelligence between organizations and tools. STIX 2.1 serializes as JSON and defines objects including Attack Pattern, Campaign, Indicator (which carries a pattern expression over observables such as an IPv4 address or a file hash), Malware, Threat Actor, and Relationship objects that link them. Indicators also carry validity windows (valid_from and valid_until) and a revoked flag, so a consumer can expire an indicator instead of blocking on it forever, which is what makes the format far more useful than a simple IOC list.
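Both sides of a STIX 2.1 exchange, as an added example written with only the standard library (the stix2 package produces the same structure; this is not code from the page or from OASIS): a producer builds a bundle with a malware family, four indicators and the "indicates" relationships, and a consumer turns it into something a SIEM can use. The consumer skips revoked and expired indicators, keeps compound (AND) patterns out of the flat blocklist because every comparison in them must hold, and attaches the malware name to each extracted value. Indicator values, names and the placeholder hash (SHA-256 of empty input) are constructed.

```python
import json
import re
import uuid
from datetime import datetime, timedelta, timezone

STIX_TS = "%Y-%m-%dT%H:%M:%SZ"
# STIX object paths whose equality comparison yields one blockable value.
PATH_TYPES = {
    "ipv4-addr:value": "ip", "ipv6-addr:value": "ip", "domain-name:value": "domain",
    "url:value": "url", "email-addr:value": "email", "file:hashes.MD5": "md5",
    "file:hashes.SHA-1": "sha1", "file:hashes.SHA-256": "sha256",
}
COMPARISON = re.compile(r"([a-z0-9-]+:[A-Za-z0-9_.'-]+)\s*=\s*'((?:[^'\\]|\\.)*)'")
# Placeholder hash (SHA-256 of empty input), not a real malware sample.
PLACEHOLDER_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def ts(dt):
    return dt.strftime(STIX_TS)


def parse_ts(text):
    """STIX timestamps are UTC, with or without fractional seconds."""
    for fmt in (STIX_TS, "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"bad STIX timestamp: {text!r}")


def sdo(obj_type, now, **props):
    """A STIX 2.1 object with the required common properties (id is a v4 UUID)."""
    return {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
            "created": ts(now), "modified": ts(now), **props}


def build_bundle(now=None):
    """Producer side: one malware family, four indicators, 'indicates' relationships."""
    now = now or datetime.now(timezone.utc)
    malware = sdo("malware", now, name="ExampleLoader", is_family=True)
    indicators = [
        sdo("indicator", now, name="C2 address (rotated)", pattern_type="stix",
            pattern="[ipv4-addr:value = '198.51.100.23']",
            valid_from=ts(now - timedelta(days=30)), valid_until=ts(now - timedelta(days=1))),
        sdo("indicator", now, name="C2 domains", pattern_type="stix", valid_from=ts(now),
            pattern="[domain-name:value = 'evil-example.com' OR domain-name:value = 'login-example.net']"),
        sdo("indicator", now, name="Dropper on disk", pattern_type="stix", valid_from=ts(now),
            pattern=f"[file:hashes.'SHA-256' = '{PLACEHOLDER_SHA256}' AND file:name = 'update.exe']"),
        sdo("indicator", now, name="Old staging URL", pattern_type="stix", valid_from=ts(now),
            revoked=True, pattern="[url:value = 'http://old-example.org/stage']"),
    ]
    rels = [sdo("relationship", now, relationship_type="indicates",
                source_ref=i["id"], target_ref=malware["id"]) for i in indicators]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [malware, *indicators, *rels]}


def to_json(bundle):
    return json.dumps(bundle, indent=2)


def from_json(text):
    return json.loads(text)


def extract_iocs(bundle, now=None):
    """Consumer side: blockable values, patterns that need a correlation rule, and skips."""
    now = now or datetime.now(timezone.utc)
    objects = {o["id"]: o for o in bundle["objects"]}
    indicates = {}
    for o in bundle["objects"]:
        if o["type"] == "relationship" and o.get("relationship_type") == "indicates":
            target = objects.get(o["target_ref"], {})
            indicates.setdefault(o["source_ref"], []).append(target.get("name", o["target_ref"]))
    blockable, needs_rule, skipped = [], [], []
    for o in bundle["objects"]:
        if o["type"] != "indicator":
            continue
        if o.get("revoked"):
            skipped.append((o["id"], "revoked"))
        elif "valid_until" in o and parse_ts(o["valid_until"]) <= now:
            skipped.append((o["id"], "expired"))
        elif o.get("pattern_type", "stix") != "stix":
            skipped.append((o["id"], "non-stix pattern"))
        elif re.search(r"\b(AND|FOLLOWEDBY)\b", o["pattern"]):
            # Every comparison in a conjunction must hold; flattening it into a
            # blocklist would block on 'update.exe' alone.
            needs_rule.append({"id": o["id"], "pattern": o["pattern"],
                               "indicates": indicates.get(o["id"], [])})
        else:
            for path, value in COMPARISON.findall(o["pattern"]):
                kind = PATH_TYPES.get(path.replace("'", ""))
                if kind:
                    blockable.append({"type": kind, "value": value.replace("\\'", "'"),
                                      "indicates": indicates.get(o["id"], [])})
    return blockable, needs_rule, skipped


if __name__ == "__main__":
    found, rules, dropped = extract_iocs(from_json(to_json(build_bundle())))
    print(found, rules, dropped, sep="\n")
```

Of the four indicators only the two domains reach the blocklist: the address is past its valid_until, the staging URL is revoked, and the hash-plus-filename pattern is handed off as a correlation rule. A TAXII client would fetch the same bundle from a collection endpoint instead of building it locally; the consumer logic is unchanged.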
How to Consume Threat Intelligence
Receiving threat intelligence is straightforward. Operationalizing it is where most organizations struggle. Intelligence has value only when it drives a defensive action — blocking an indicator, writing a detection rule, patching a vulnerability, or changing an architecture. Here are the primary consumption patterns:
SIEM integration. IOC feeds are ingested into your SIEM (Splunk, Microsoft Sentinel, Elastic) as lookup tables or threat lists. Incoming events are correlated against these indicators in near-real-time, generating alerts when a match is found. This is the most common and most automated consumption pattern, but it is also the most brittle — it only catches known indicators.
Detection rule development. TTP-level intelligence informs the creation of behavioral detection rules in SPL, KQL, or Sigma. Instead of looking for a specific IP address, you write rules that detect the behavior — SOCKS5 proxy establishment on high-numbered ports, scheduled tasks with randomized names, or DLL sideloading from specific directories. These detections survive infrastructure rotation.
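The contrast between the IOC lookup of the previous pattern and a behavioral rule, and the Pyramid of Pain argument above, in running code (an added example; not the page's or any vendor's rules): constructed Sysmon-style events for three hosts, where two hosts show the same scheduled-task persistence tradecraft with rotated task names, paths and C2 addresses, and one host is benign. The blocklist knows only the first wave's address, so the IOC rule fires once; the behavioral rule keys on a randomized task name plus an action in a user-writable directory and fires on both waves. Hosts, paths, task names, addresses (RFC 5737 ranges) and the allow-list are assumptions; the randomness heuristic is a simple one chosen for illustration, and a production rule would be tuned against the environment's own task inventory.

```python
import re

# Constructed Sysmon-style telemetry for three hosts (hosts, paths, names and addresses
# are assumptions; the addresses are RFC 5737 documentation ranges). WS01 and WS03 show
# the same tradecraft with everything rotated; WS02 is benign.
EVENTS = [
    {"host": "WS01", "event": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /create /tn Xk9qL2mPz /tr "C:\Users\jdoe\AppData\Roaming\svc\upd.exe" /sc minute /mo 15 /f'},
    {"host": "WS01", "event": "network_connect", "image": r"C:\Users\jdoe\AppData\Roaming\svc\upd.exe",
     "dest_ip": "198.51.100.23", "dest_port": 443},
    {"host": "WS02", "event": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /create /tn MicrosoftEdgeUpdateTaskMachineCore /tr "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /sc daily'},
    {"host": "WS02", "event": "network_connect", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},
    {"host": "WS03", "event": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /create /tn b7Tq2ZwYx /tr "C:\ProgramData\cache\helper.exe" /sc minute /mo 10 /f'},
    {"host": "WS03", "event": "network_connect", "image": r"C:\ProgramData\cache\helper.exe",
     "dest_ip": "203.0.113.77", "dest_port": 443},
]

# Technical intelligence as a lookup table: only the first wave's C2 address is known.
IOC_BLOCKLIST = {"198.51.100.23"}
# Assumed allow-list of task names the environment expects, and directories from which
# a scheduled task's binary should not normally run.
KNOWN_TASKS = {"MicrosoftEdgeUpdateTaskMachineCore"}
WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def schtasks_args(cmd):
    """Extract the /tn (task name) and /tr (task run) values from a schtasks command line."""
    def grab(flag):
        m = re.search(rf'{flag}\s+(?:"([^"]+)"|(\S+))', cmd, re.IGNORECASE)
        return (m.group(1) or m.group(2)) if m else None
    return grab("/tn"), grab("/tr")


def looks_randomized(name):
    """Heuristic for generated names: a short alphanumeric token containing digits with
    frequent switches between upper, lower and digit. Word-like names and GUIDs fail."""
    if not re.fullmatch(r"[A-Za-z0-9]{6,20}", name) or not re.search(r"\d", name):
        return False
    classes = ["d" if c.isdigit() else "u" if c.isupper() else "l" for c in name]
    switches = sum(a != b for a, b in zip(classes, classes[1:]))
    return switches >= len(name) // 2


def ioc_rule(events):
    """Indicator match on destination address. Catches only infrastructure already known."""
    return [e["host"] for e in events
            if e["event"] == "network_connect" and e["dest_ip"] in IOC_BLOCKLIST]


def ttp_rule(events):
    """Behavioral match (ATT&CK T1053.005): schtasks /create with a randomized task name
    whose action runs from a user-writable directory. Survives infrastructure rotation."""
    hits = []
    for e in events:
        if e["event"] != "process_create" or not e["image"].lower().endswith("\\schtasks.exe"):
            continue
        name, action = schtasks_args(e["cmd"])
        if not name or not action or name in KNOWN_TASKS:
            continue
        if looks_randomized(name) and any(d in action.lower() for d in WRITABLE_DIRS):
            hits.append(e["host"])
    return hits


def run_detections(events):
    """Both rules over the same telemetry, so the difference in reach is visible."""
    return {"ioc": ioc_rule(events), "ttp": ttp_rule(events)}


if __name__ == "__main__":
    print(run_detections(EVENTS))  # {'ioc': ['WS01'], 'ttp': ['WS01', 'WS03']}
```

The IOC rule returns WS01 only; WS03, compromised by the same tradecraft after the adversary rotated its address, is invisible to it. The behavioral rule returns both and ignores the Edge updater task on WS02. The same logic expressed in Sigma would select on `Image|endswith: '\schtasks.exe'` and `CommandLine|contains: '/create'`, with the path and name conditions as further selections, so it converts to SPL or KQL with the usual tooling.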
Threat hunting. Intelligence provides the hypotheses for proactive hunts. A report about an adversary targeting your sector with a specific initial access technique gives hunters a starting point: search for that technique in historical data, look for related artifacts, and validate that existing detections would have caught it.
Vulnerability prioritization. Not all CVEs are equal. Intelligence tells you which vulnerabilities are actually being exploited in the wild, by which actors, against which sectors. This enables risk-based patching that focuses on the vulnerabilities most likely to affect your organization, rather than chasing every critical CVSS score.
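Risk-based ordering as an added example (not code from the page): constructed findings with placeholder IDs (not real CVEs) carrying the signals intelligence adds to a CVSS score, namely CISA KEV listing, FIRST EPSS probability, actor use reported against our sector, and how many affected assets are internet-facing. The policy tiers, SLA days and thresholds are assumptions; the point it shows is the reordering, with a CVSS 9.8 vulnerability nobody is exploiting landing below a CVSS 7.5 one that is in KEV and exposed.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    vuln_id: str           # placeholder ID, not a real CVE
    cvss: float            # CVSS base score
    epss: float            # FIRST EPSS: probability of exploitation in the next 30 days
    in_kev: bool           # listed in CISA Known Exploited Vulnerabilities
    actor_exploited: bool  # intel: in use by actors targeting our sector
    internet_facing: int   # affected assets reachable from the internet
    internal: int          # affected assets reachable only internally


# Constructed findings; the numbers are illustrative.
FINDINGS = [
    Finding("VULN-A", 9.8, 0.02, False, False, 0, 120),
    Finding("VULN-B", 7.5, 0.91, True, True, 4, 30),
    Finding("VULN-C", 8.8, 0.45, False, True, 0, 15),
    Finding("VULN-D", 5.3, 0.70, False, False, 12, 0),
    Finding("VULN-E", 9.1, 0.01, False, False, 0, 0),
]

# Assumed policy: tier -> remediation SLA in days.
SLA_DAYS = {0: 1, 1: 7, 2: 30, 3: 90}


def tier(f):
    """Assign a remediation tier from exploitation evidence and exposure, not CVSS alone."""
    if f.internet_facing + f.internal == 0:
        return 3  # nothing affected today; keep tracking in case inventory changes
    exploited = f.in_kev or f.actor_exploited
    exposed = f.internet_facing > 0
    if exploited and exposed:
        return 0
    if exploited or (exposed and f.epss >= 0.5):
        return 1
    if f.cvss >= 7.0 and f.epss >= 0.1:
        return 2
    return 3


def reason(f):
    """Human-readable justification, so the ordering can be defended to asset owners."""
    parts = []
    if f.in_kev:
        parts.append("KEV")
    if f.actor_exploited:
        parts.append("actor-in-sector")
    if f.internet_facing:
        parts.append(f"{f.internet_facing} internet-facing")
    parts += [f"EPSS {f.epss:.2f}", f"CVSS {f.cvss}"]
    return ", ".join(parts)


def prioritize(findings):
    """Findings ordered by tier, then by exploitation probability, then by severity."""
    ordered = sorted(findings, key=lambda f: (tier(f), -f.epss, -f.cvss))
    return [{"id": f.vuln_id, "tier": tier(f), "sla_days": SLA_DAYS[tier(f)], "why": reason(f)}
            for f in ordered]


def cvss_only(findings):
    """The naive ordering, for comparison."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: -f.cvss)]


if __name__ == "__main__":
    print("CVSS only:", cvss_only(FINDINGS))
    for row in prioritize(FINDINGS):
        print(row)
```

CVSS alone orders A, E, C, B, D. With the intelligence signals the order becomes B (KEV, actor, exposed), D (exposed, high EPSS despite a medium score), C (actor use, internal only), then A and E, and E has no affected assets at all. Feed the KEV and EPSS fields from their published data and the asset counts from inventory; the tier function is the part each organization writes to match its own risk appetite.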
Architecture and policy decisions. Strategic intelligence informs long-term decisions about security architecture, tool investments, and staffing. If intelligence shows that supply chain attacks in your sector have tripled year-over-year, that finding supports investment in software composition analysis and vendor security assessments.
Tools and Platforms
The threat intelligence tooling landscape spans from free community resources to enterprise platforms. Understanding what is available helps organizations build a program appropriate to their size and maturity.
| Category | Examples | Use Case |
|---|---|---|
| TIP (Threat Intelligence Platform) | MISP, OpenCTI, Anomali, ThreatConnect | Aggregating, correlating, and managing intelligence from multiple sources |
| Commercial Feeds | Recorded Future, Mandiant Advantage, CrowdStrike Falcon Intel | Curated intelligence with analyst context and SIEM integration |
| OSINT Tools | Shodan, VirusTotal, URLhaus, AbuseIPDB | Infrastructure reconnaissance and indicator enrichment |
| Sharing Communities | ISACs/ISAOs, FIRST, CISA AIS | Sector-specific intelligence sharing between trusted peers |
| Frameworks | MITRE ATT&CK Navigator, Sigma, YARA | Mapping coverage, writing detection rules, creating file signatures |
| Automation | SOAR platforms (Cortex XSOAR, Splunk SOAR), sigma-cli/pySigma for rule conversion | Automating indicator ingestion, enrichment, rule translation, and response |
For teams just starting their CTI program, free resources provide enormous value. MISP is an open-source threat intelligence platform that can aggregate feeds, correlate indicators, and share intelligence with trusted partners. AlienVault OTX provides a community-driven indicator feed. CISA publishes advisories and indicator packages for active threats. These resources, combined with a disciplined process for converting intelligence into detection rules, can deliver significant security value before any commercial investment.
How Threadlinqs Delivers Threat Intelligence
Threadlinqs Intelligence is a threat intelligence platform that tracks active threats and delivers production-ready detection rules in SPL, KQL, and Sigma formats. Each threat is enriched with MITRE ATT&CK technique mappings, indicators of compromise, threat actor attribution, and a timeline of events sourced from verified reports.
The platform currently tracks over 160 threats with 1,800+ detection rules, 5,500+ IOCs, and coverage across 465 MITRE ATT&CK techniques. Daily intelligence debriefs summarize new and updated threats, and an API with MCP server integration enables automated ingestion into existing security workflows. Detection rules are formatted for direct deployment into Splunk, Microsoft Sentinel, and any SIEM supporting Sigma — no translation required.
Frequently Asked Questions
What is the difference between threat intelligence and threat data?
Threat data is raw, unprocessed information — IP addresses, file hashes, domain names associated with malicious activity. Threat intelligence is the result of analyzing, correlating, and contextualizing that data into actionable knowledge. A single IP address is data. Knowing that IP belongs to a specific APT group's infrastructure targeting your industry sector, was provisioned two days ago, and is being used for initial access via spear-phishing — that is intelligence.
What are the 4 types of threat intelligence?
Strategic (high-level trends for executives), Tactical (TTPs and attack patterns for security architects), Operational (details about specific campaigns for incident responders), and Technical (machine-readable IOCs for SOC analysts and automated tools). Each type serves a different audience and time horizon, and effective CTI programs produce all four.
How does threat intelligence differ from threat hunting?
Threat intelligence is knowledge about threats. Threat hunting is the proactive search for threats in your environment. Intelligence provides the hypotheses, indicators, and behavioral patterns that hunters use to construct their searches. They are complementary disciplines — intelligence tells you what to look for, hunting tells you whether it is in your environment.
What is the threat intelligence lifecycle?
A six-phase iterative process: Direction (setting requirements), Collection (gathering data), Processing (normalizing and enriching), Analysis (producing intelligence), Dissemination (delivering to stakeholders), and Feedback (evaluating effectiveness). The feedback phase is what makes it a cycle — each iteration refines the requirements for the next.
What are the most common threat intelligence frameworks?
MITRE ATT&CK (adversary behavior taxonomy), the Diamond Model (relating adversary, capability, infrastructure, and victim), and the Cyber Kill Chain (mapping intrusion stages). STIX/TAXII are the standard formats for machine-readable intelligence sharing. Most modern CTI programs use ATT&CK as their primary taxonomy for mapping threats to defensive coverage.