
What is Threat Intelligence?

Threat intelligence is evidence-based knowledge about existing or emerging cyber threats, collected and analyzed to inform decisions that reduce risk to an organization's people, data, and infrastructure.

Threat Intelligence Explained

Cyber threat intelligence (CTI) transforms raw security data into structured, actionable knowledge. Instead of drowning in millions of daily alerts, security teams use threat intelligence to understand who is attacking them, how those attackers operate, what assets are at risk, and why a particular threat matters to their environment.

A single phishing email is a data point. Knowing that the email originated from a campaign by APT28, targeting defense contractors using a known CVE in Microsoft Outlook, and that the group historically pivots to credential harvesting within 48 hours of initial access — that is threat intelligence. The distinction between data and intelligence is the layer of analysis that makes information relevant, timely, and actionable.

The Three Types of Threat Intelligence

Threat intelligence is categorized into three levels based on the audience it serves and the decisions it supports.

Strategic Intelligence

Strategic intelligence provides a broad view of the threat landscape for non-technical stakeholders: CISOs, board members, and executive leadership. It answers questions about who targets your industry, how geopolitical events shift risk, and where to allocate security budgets. Strategic intelligence typically takes the form of trend reports, risk assessments, and industry threat briefings. It operates on timescales of months to years and focuses on business impact rather than technical indicators.

Tactical Intelligence

Tactical intelligence describes the tactics, techniques, and procedures (TTPs) that adversaries use. Mapped to frameworks like MITRE ATT&CK, tactical intelligence helps detection engineers and threat hunters understand attacker behavior patterns. For example, knowing that a ransomware group uses RDP brute-forcing for initial access (T1110.001), then deploys Cobalt Strike for lateral movement (T1021.002), allows defenders to build detections targeting each stage of the kill chain rather than relying solely on IOC blocklists.
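As an added illustration of what "a detection for each stage" means in practice (this is example code written for this glossary entry, not Threadlinqs code or rules), the script below runs two stage-level detections over constructed, simplified Windows Security log records and then correlates them: a sliding-window count of failed RDP logons (event 4625, logon type 10) for T1110.001, and a fan-out of network logons (event 4624, logon type 3, which SMB admin-share access produces) from one host for T1021.002. The host-to-IP inventory, thresholds, timestamps and account names are all assumptions made up for the sample.

```python
"""Stage-aware detection over constructed Windows logon events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory: maps a host name to its internal address.
HOST_IPS = {"JUMP01": "10.0.0.5", "WS07": "10.0.0.22"}


def ev(ts, host, event_id, logon_type, src_ip, user):
    """Build one simplified logon record (the fields a SIEM would normalize)."""
    return {"ts": datetime.fromisoformat(ts), "host": host, "event_id": event_id,
            "logon_type": logon_type, "src_ip": src_ip, "user": user}


EVENTS = [
    # Six RDP failures from one external address, then a success (constructed).
    *[ev(f"2024-03-01T10:0{i}:00", "JUMP01", 4625, 10, "203.0.113.50", "svc_backup")
      for i in range(6)],
    ev("2024-03-01T10:07:00", "JUMP01", 4624, 10, "203.0.113.50", "svc_backup"),
    # The same account then opens network logons from JUMP01 to two servers.
    ev("2024-03-01T10:20:00", "FS01", 4624, 3, "10.0.0.5", "svc_backup"),
    ev("2024-03-01T10:22:00", "DC01", 4624, 3, "10.0.0.5", "svc_backup"),
    # Benign noise: a user mistypes a password twice, then logs in.
    ev("2024-03-01T09:00:00", "WS07", 4625, 10, "10.0.0.22", "alice"),
    ev("2024-03-01T09:00:30", "WS07", 4625, 10, "10.0.0.22", "alice"),
    ev("2024-03-01T09:01:00", "WS07", 4624, 10, "10.0.0.22", "alice"),
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """T1110.001: at least `threshold` failed RDP logons from one source to one host inside `window`."""
    fails = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event_id"] == 4625 and e["logon_type"] == 10:
            fails[(e["src_ip"], e["host"])].append(e["ts"])
    findings = []
    for (src, host), stamps in fails.items():
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                # Did the same source later succeed over RDP? That upgrades the severity.
                success = any(e["event_id"] == 4624 and e["logon_type"] == 10
                              and e["src_ip"] == src and e["host"] == host
                              and e["ts"] > stamps[end] for e in events)
                findings.append({"technique": "T1110.001", "src_ip": src, "host": host,
                                 "failures": end - start + 1, "last_failure": stamps[end],
                                 "followed_by_success": success})
                break
    return findings


def detect_network_logon_fanout(events, min_targets=2, window=timedelta(minutes=30)):
    """T1021.002 candidate: one (source host, account) opening network logons to several hosts."""
    seen = defaultdict(dict)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == 3:
            seen[(e["src_ip"], e["user"])][e["host"]] = e["ts"]
    findings = []
    for (src, user), targets in seen.items():
        stamps = sorted(targets.values())
        if len(targets) >= min_targets and stamps[-1] - stamps[0] <= window:
            findings.append({"technique": "T1021.002", "src_ip": src, "user": user,
                             "targets": sorted(targets), "first": stamps[0]})
    return findings


def correlate(events):
    """Chain the stages: a host taken by brute force that is then used as a lateral-movement source."""
    incidents = []
    for bf in detect_rdp_bruteforce(events):
        if not bf["followed_by_success"]:
            continue
        pivot_ip = HOST_IPS.get(bf["host"])
        for lm in detect_network_logon_fanout(events):
            if lm["src_ip"] == pivot_ip and lm["first"] > bf["last_failure"]:
                incidents.append({"techniques": ["T1110.001", "T1021.002"],
                                  "entry_host": bf["host"], "attacker_ip": bf["src_ip"],
                                  "account": lm["user"], "targets": lm["targets"]})
    return incidents


if __name__ == "__main__":
    for incident in correlate(EVENTS):
        print(incident)
```

Each detection stands on its own and carries its ATT&CK technique ID, so either can alert alone; the correlation step is what turns two medium-confidence signals into a single high-confidence incident, and it needs no IOC at all, which is the point the paragraph makes about durability.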

Operational Intelligence

Operational intelligence delivers the real-time, technical details that SOC analysts need during active incidents: IP addresses communicating with command-and-control infrastructure, file hashes of malware samples, phishing domain registrations, and vulnerability exploitation timelines. This is the most perishable form of intelligence — an attacker can rotate infrastructure in hours — which is why automation and continuous feed ingestion are essential.

The Intelligence Cycle

Threat intelligence follows a structured lifecycle known as the intelligence cycle. Each phase feeds the next, creating a continuous loop that refines both collection and analysis over time.

1. Direction: Stakeholders define intelligence requirements: what threats matter, which assets to protect, what questions need answers.
2. Collection: Raw data is gathered from OSINT feeds, dark web monitoring, honeypots, vendor advisories, malware sandboxes, and internal telemetry.
3. Processing: Raw data is normalized, deduplicated, enriched with context (geolocation, WHOIS, passive DNS), and stored in structured formats like STIX/TAXII.
4. Analysis: Analysts correlate processed data to identify campaigns, attribute activity to threat actors, assess severity, and determine relevance to the organization.
5. Dissemination: Finished intelligence is delivered to consumers in formats they can act on: SIEM detection rules, blocklists, daily briefings, executive summaries, or API feeds.
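The processing and dissemination phases are the most mechanical parts of the cycle, so here is an added example of both, written for this glossary entry rather than taken from Threadlinqs: two constructed raw feeds in different formats (one CSV, one defanged plain list) are normalized, deduplicated, and enriched from a constructed lookup table that stands in for WHOIS or passive DNS, then disseminated as a STIX 2.1 bundle of Indicator objects and as a plain blocklist that only includes corroborated network indicators. Feed contents, sources, hashes and the enrichment values are all made up for the sample.

```python
"""Processing and dissemination of raw indicator feeds (added example)."""
import csv
import io
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed CSV feed. The "type" column is ignored on purpose: feeds mislabel
# values often enough that classification is done locally from the value itself.
FEED_CSV = """type,value,source
ip,198.51.100.23,sandbox-alpha
domain,Login-Portal[.]Example,phish-tracker
sha256,4e1243bd22c66e76c2ba9eddc1f91394e57f9f83a2a0b5f1d8c0c1d4d6e7f8a9,sandbox-alpha
ip,198.51.100.23,honeypot-net
"""

# Constructed plain feed with common defanging ("hxxp", "[.]").
FEED_TXT = """# constructed plain feed, defanged
hxxp://login-portal[.]example/auth
203.0.113.77
4E1243BD22C66E76C2BA9EDDC1F91394E57F9F83A2A0B5F1D8C0C1D4D6E7F8A9
"""

# Constructed enrichment table standing in for WHOIS / passive DNS / geolocation lookups.
ENRICHMENT = {
    "198.51.100.23": {"asn": "AS64500 (constructed)", "country": "ZZ"},
    "login-portal.example": {"registered": "2024-01-15", "registrar": "constructed"},
}

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
SHA256 = re.compile(r"^[0-9a-f]{64}$")
MD5 = re.compile(r"^[0-9a-f]{32}$")

# STIX 2.1 pattern templates per indicator type.
STIX_PATTERN = {
    "ipv4": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
    "md5": "[file:hashes.MD5 = '{v}']",
}


def load_csv(feed):
    for row in csv.DictReader(io.StringIO(feed)):
        yield row["value"], row["source"]


def load_txt(feed, source):
    for line in feed.splitlines():
        if line.strip() and not line.startswith("#"):
            yield line, source


def refang(value):
    """Undo defanging so the same indicator from different feeds compares equal."""
    return (value.strip()
            .replace("hxxps://", "https://").replace("hxxp://", "http://")
            .replace("[.]", ".").replace("(.)", ".").replace("[:]", ":"))


def normalize(value):
    """Return (type, canonical value), or None when the value is not a usable indicator."""
    v = refang(value)
    if v.startswith(("http://", "https://")):
        v = v.split("://", 1)[1].split("/", 1)[0]   # keep the host: that is what DNS logs key on
    v = v.lower()
    if IPV4.match(v):
        return ("ipv4", v)
    if SHA256.match(v):
        return ("sha256", v)
    if MD5.match(v):
        return ("md5", v)
    if "." in v and " " not in v:
        return ("domain", v)
    return None


def process(records):
    """Normalize, deduplicate on the canonical value, record every source, attach context."""
    processed = {}
    for raw, source in records:
        norm = normalize(raw)
        if norm is None:
            continue
        entry = processed.setdefault(norm, {"type": norm[0], "value": norm[1], "sources": set(),
                                            "context": ENRICHMENT.get(norm[1], {})})
        entry["sources"].add(source)
    return processed


def to_stix_bundle(processed):
    """Dissemination for tooling that speaks STIX/TAXII: one Indicator object per unique value."""
    now = datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")
    objects = [{
        "type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
        "created": now, "modified": now, "valid_from": now,
        "name": f"{e['type']}: {e['value']}",
        "description": "sources: " + ", ".join(sorted(e["sources"])),
        "pattern": STIX_PATTERN[e["type"]].format(v=e["value"]), "pattern_type": "stix",
        "x_context": e["context"],      # custom properties must carry an x_ prefix
    } for e in processed.values()]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def to_blocklist(processed, min_sources=1):
    """Dissemination for a firewall or resolver: network indicators seen by at least min_sources feeds."""
    return sorted(e["value"] for e in processed.values()
                  if e["type"] in ("ipv4", "domain") and len(e["sources"]) >= min_sources)


def run():
    return process(list(load_csv(FEED_CSV)) + list(load_txt(FEED_TXT, "paste-monitor")))


if __name__ == "__main__":
    result = run()
    print(json.dumps(to_stix_bundle(result), indent=2))
    print(to_blocklist(result, min_sources=2))
```

Seven raw records collapse to four indicators, and the `min_sources` knob on the blocklist shows why dedup must keep the source list rather than discard it: corroboration across feeds is the cheapest confidence score available at the processing stage.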

Types of Threat Data

Threat intelligence is built from several categories of data, each with different detection value and adversary cost to change.

| Data Type         | Examples                                                 | Detection Value                                   | Adversary Cost |
|-------------------|----------------------------------------------------------|---------------------------------------------------|----------------|
| Hash Values       | SHA-256, MD5 file hashes of malware samples              | Low — trivial to bypass with recompilation        | Trivial        |
| IP Addresses      | C2 server IPs, scanning infrastructure                   | Low-Medium — useful for short-term blocking       | Low            |
| Domain Names      | Phishing domains, DGA outputs, fast-flux hosts           | Medium — pattern analysis adds value              | Low-Medium     |
| Network Artifacts | URI patterns, JA3 hashes, HTTP headers, SNI values       | Medium-High — harder for attackers to vary        | Medium         |
| Host Artifacts    | Registry keys, mutex names, file paths, service names    | Medium-High — tied to tooling behavior            | Medium         |
| TTPs              | MITRE techniques, kill chain stages, behavioral patterns | High — resilient detection foundation             | Very High      |

This hierarchy is often visualized as David Bianco's Pyramid of Pain: the higher on the pyramid, the more painful it is for adversaries to change their approach, and the more durable your detections become.

Why Threat Intelligence Matters

Organizations that operationalize threat intelligence gain measurable advantages across their security program.

Reduced Mean Time to Detect (MTTD)

Pre-built detection rules mapped to known adversary TTPs catch threats early, before attacker dwell time accumulates. Without threat intel, SOC analysts depend on generic signatures that miss novel techniques. With curated intelligence, detections are tuned to the specific threat actors and campaigns targeting your industry, reducing MTTD from weeks to hours.

Reduced Mean Time to Respond (MTTR)

When an alert fires, having enriched context — the threat actor, their typical lateral movement patterns, likely objectives, and known persistence mechanisms — allows incident responders to scope the breach faster, prioritize containment actions, and skip the attribution research phase entirely.

Proactive Defense

Threat intelligence enables purple teaming: defenders simulate the exact techniques that real adversaries use against similar organizations, test whether existing detections catch them, and close gaps before exploitation occurs. This shifts security from reactive to proactive.

Prioritized Vulnerability Management

Not every CVE deserves a patch within 24 hours. Threat intelligence provides exploitation context — whether a vulnerability is being actively exploited in the wild, which threat actors are using it, and whether public proof-of-concept code exists. This context-driven prioritization prevents teams from burning cycles on vulnerabilities with no real-world threat.

How Threadlinqs Implements Threat Intelligence

Threadlinqs Intelligence is a threat intelligence platform purpose-built for detection engineering and SOC operations. Every threat is enriched, mapped, and delivered with production-ready rules.

- 344 tracked threats
- 3,553 detection rules
- 5,575 IOC indicators
- 465 MITRE techniques

Frequently Asked Questions

What are the types of threat intelligence?

Threat intelligence is divided into three primary types. Strategic intelligence provides high-level context for executives about threat trends, geopolitical risks, and security investment priorities. Tactical intelligence focuses on attacker TTPs mapped to frameworks like MITRE ATT&CK, enabling detection engineering and threat hunting. Operational intelligence delivers real-time IOCs and active campaign details that SOC analysts use to triage alerts, block infrastructure, and respond to incidents. Some frameworks add a fourth category, technical intelligence, which covers raw machine-readable data like STIX bundles, YARA rules, and Snort signatures.

How is threat intelligence collected?

Collection spans multiple disciplines. Open-source intelligence (OSINT) draws from public vulnerability databases (NVD, CVE), malware repositories (VirusTotal, MalwareBazaar), paste sites, social media, and security researcher disclosures. Technical collection uses honeypots, network sandboxes, DNS sinkholes, and endpoint telemetry to observe attacker behavior directly. Dark web monitoring tracks underground forums, ransomware leak sites, and initial access broker marketplaces. Commercial feeds aggregate data from global sensor networks spanning millions of endpoints. The key differentiator is not the volume of data collected but the analysis layer that turns raw data into intelligence with context, confidence scores, and relevance assessments.

What is the difference between IOCs and TTPs?

Indicators of Compromise (IOCs) are specific, observable artifacts that evidence a breach — malicious IP addresses, file hashes, domain names, registry keys, or email addresses. They are concrete and easy to operationalize in blocklists and SIEM rules, but they are also cheap for adversaries to change. A threat actor can register a new domain or recompile a binary in minutes. Tactics, Techniques, and Procedures (TTPs) describe the behavioral patterns adversaries follow: how they gain initial access, move laterally, escalate privileges, and exfiltrate data. TTPs sit at the top of the Pyramid of Pain because changing behavior requires retooling entire operations. Detection strategies built on TTPs — such as monitoring for LSASS memory access patterns rather than a specific Mimikatz hash — remain effective even as adversaries rotate their infrastructure.
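The Pyramid of Pain ordering in the data-type table above and the LSASS example in this answer are the same point seen from two sides, so one added example serves both. It is written for this glossary entry and is not Threadlinqs code; the records are constructed, simplified Sysmon Event ID 10 (ProcessAccess) entries, the hashes are placeholder strings rather than real sample hashes, and the allowlist of processes that legitimately read LSASS is an assumption to be tuned per environment. The same activity is scored twice: once by a hash IOC, once by the behavior (a non-allowlisted process opening lsass.exe with the PROCESS_VM_READ right).

```python
"""Hash IOC versus behavioral TTP detection for LSASS memory access (added example)."""

PROCESS_VM_READ = 0x0010   # Windows access right required to read another process's memory
LSASS = r"C:\Windows\System32\lsass.exe"

# Constructed IOC feed entry: a SHA-256 placeholder, not a real malware hash.
KNOWN_BAD_SHA256 = {"a" * 64: "credential dumper, build 1 (constructed)"}

# Processes expected to open LSASS with read access on a typical host (constructed allowlist).
LSASS_READERS_ALLOWED = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed Sysmon Event ID 10 records, reduced to the fields the detection needs.
EVENTS = [
    # Build 1 of the tool: hash is on the feed, behavior is LSASS read access.
    {"source_image": r"C:\Users\bob\Downloads\tool.exe", "source_sha256": "a" * 64,
     "target_image": LSASS, "granted_access": 0x1010},
    # Same tool recompiled: the hash changed, the behavior did not.
    {"source_image": r"C:\Users\bob\AppData\Local\Temp\update.exe", "source_sha256": "b" * 64,
     "target_image": LSASS, "granted_access": 0x1010},
    # Endpoint protection reading LSASS: expected on this host.
    {"source_image": r"C:\Program Files\Windows Defender\MsMpEng.exe", "source_sha256": "c" * 64,
     "target_image": LSASS, "granted_access": 0x1FFFFF},
    # A system process querying LSASS without the memory-read right.
    {"source_image": r"C:\Windows\System32\svchost.exe", "source_sha256": "d" * 64,
     "target_image": LSASS, "granted_access": 0x1000},
]


def ioc_match(event):
    """Bottom of the pyramid: exact hash lookup against the feed."""
    return event["source_sha256"].lower() in KNOWN_BAD_SHA256


def ttp_match(event):
    """Top of the pyramid: any non-allowlisted process reading LSASS memory."""
    if not event["target_image"].lower().endswith(r"\lsass.exe"):
        return False
    if event["source_image"].lower() in LSASS_READERS_ALLOWED:
        return False
    return bool(event["granted_access"] & PROCESS_VM_READ)


def evaluate(events):
    """Score every record both ways so the two approaches can be compared side by side."""
    return [{"image": e["source_image"], "ioc": ioc_match(e), "ttp": ttp_match(e)}
            for e in events]


def coverage(events):
    """How many of the LSASS-reading, non-allowlisted events each approach catches."""
    rows = evaluate(events)
    return {"ioc": sum(r["ioc"] for r in rows), "ttp": sum(r["ttp"] for r in rows)}


if __name__ == "__main__":
    for row in evaluate(EVENTS):
        print(f"{row['image']:55} ioc={row['ioc']!s:5} ttp={row['ttp']}")
    print(coverage(EVENTS))
```

The second record is the whole argument: one recompile defeats the hash, while the behavioral rule still fires because reading LSASS memory is what the tool exists to do. The cost of the behavioral rule is the allowlist, which is why TTP detections need tuning and IOC matches do not; the table above prices that trade-off as "Adversary Cost".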