DFIRLab

Security research, threat intelligence, and detection engineering.

© 2026 DFIR Lab. All rights reserved.


Threat Intelligence

Evidence-based knowledge about existing or emerging cyber threats, used to inform and improve security decisions.

Definition

Threat intelligence (TI) is the collection, analysis, and contextualization of information about threats targeting an organization or sector. It encompasses data about threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise, and the infrastructure they operate. Intelligence is produced at strategic, operational, and tactical levels to serve different audiences — from executive risk decisions to analyst-level detections.

Why It Matters

Raw security data is not intelligence. Threat intelligence adds context — who is attacking, how, why, and what assets are at risk — enabling proactive defense rather than reactive response. Organizations that consume and produce threat intelligence can prioritize vulnerabilities relevant to their sector, anticipate attacker behavior based on known TTPs, and share findings with the broader community to improve collective defense.

How It Works

The intelligence cycle involves direction (defining requirements), collection (gathering data from open sources, commercial feeds, dark web monitoring, honeypots, and ISACs), processing (normalizing and deduplicating), analysis (adding context and attribution), dissemination (sharing in structured formats such as STIX/TAXII or MISP), and feedback. Intelligence is classified by type: strategic (trends, nation-state activity), operational (specific campaigns), and tactical (IOCs, signatures).
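The processing, analysis and dissemination stages above can be made concrete with a small pipeline. The following is an added example, not code from DFIR Lab or its platform: it takes constructed feed records (mixed case, defanged, duplicated across feeds), refangs and normalizes them, infers the indicator kind (domain, IP, URL, hash), merges duplicates across sources, assigns a confidence score using a simple corroboration heuristic that is this example's own assumption, and emits STIX 2.1-shaped indicator objects. The feed record format and the scoring rule are assumptions for illustration; the STIX pattern syntax follows the published STIX 2.1 patterning grammar.

```python
"""Minimal TI processing pipeline: refang, normalize, classify, dedupe, score,
and emit STIX 2.1-shaped indicators. Added example; feed format is assumed."""
import ipaddress
import re
import uuid
from datetime import datetime, timezone
from urllib.parse import urlsplit, urlunsplit

# Constructed sample feed records (not real IOCs): RFC 2606 / TEST-NET values,
# defanged, mixed case, trailing dot, duplicates across feeds, one junk row.
RAW_FEED_RECORDS = [
    {"source": "feed_a", "value": "Evil-Domain[.]Example", "tags": ["phishing"]},
    {"source": "feed_b", "value": "evil-domain.example.", "tags": ["malware"]},
    {"source": "feed_a", "value": "198.51.100[.]23", "tags": ["c2"]},
    {"source": "feed_c", "value": "hxxp://evil-domain[.]example/login", "tags": ["phishing"]},
    {"source": "feed_b", "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855", "tags": []},
    {"source": "feed_c", "value": "not an indicator at all", "tags": []},
]

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
STIX_PATTERNS = {
    "domain": "[domain-name:value = '{v}']",
    "ipv4": "[ipv4-addr:value = '{v}']",
    "ipv6": "[ipv6-addr:value = '{v}']",
    "url": "[url:value = '{v}']",
    "md5": "[file:hashes.MD5 = '{v}']",
    "sha1": "[file:hashes.'SHA-1' = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}


def refang(value: str) -> str:
    """Undo common defanging ([.] (.) {.} hxxp) so feeds compare equal."""
    v = value.strip()
    v = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", v)
    v = re.sub(r"^hxxps?://", lambda m: m.group(0).lower().replace("xx", "tt"), v, flags=re.I)
    return v


def classify(value: str):
    """Return (kind, canonical_value), or None if the value is not a recognised IOC."""
    v = refang(value)
    if re.fullmatch(r"[0-9a-fA-F]+", v) and len(v) in HASH_LENGTHS:
        return HASH_LENGTHS[len(v)], v.lower()
    try:
        ip = ipaddress.ip_address(v)
        return f"ipv{ip.version}", str(ip)
    except ValueError:
        pass
    if re.match(r"^https?://", v, re.I):
        p = urlsplit(v)  # scheme and host are case-insensitive; path/query are not
        return "url", urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, p.fragment))
    d = v.lower().rstrip(".")
    if DOMAIN_RE.match(d):
        return "domain", d
    return None


def process(records):
    """Processing + analysis: normalize, merge duplicates across feeds, score."""
    merged = {}
    for rec in records:
        hit = classify(rec["value"])
        if hit is None:
            continue  # junk rows are dropped, not propagated downstream
        kind, canon = hit
        entry = merged.setdefault((kind, canon),
                                  {"kind": kind, "value": canon, "sources": set(), "tags": set()})
        entry["sources"].add(rec["source"])
        entry["tags"].update(rec["tags"])
    out = []
    for e in merged.values():
        # Assumed heuristic: each additional independent source adds corroboration.
        e["confidence"] = min(100, 40 + 30 * (len(e["sources"]) - 1))
        e["sources"], e["tags"] = sorted(e["sources"]), sorted(e["tags"])
        out.append(e)
    return sorted(out, key=lambda e: (e["kind"], e["value"]))


def to_stix_bundle(entries, now=None):
    """Dissemination: wrap processed entries in STIX 2.1-shaped indicator objects."""
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    objects = []
    for e in entries:
        # Deterministic UUIDv5 so re-runs over the same feeds yield the same ids.
        ind_id = "indicator--" + str(uuid.uuid5(uuid.NAMESPACE_URL, f"{e['kind']}:{e['value']}"))
        objects.append({
            "type": "indicator", "spec_version": "2.1", "id": ind_id,
            "created": ts, "modified": ts, "valid_from": ts,
            "name": f"{e['kind']} {e['value']}",
            "indicator_types": ["malicious-activity"],
            "labels": e["tags"],
            "confidence": e["confidence"],
            "pattern_type": "stix",
            "pattern": STIX_PATTERNS[e["kind"]].format(v=e["value"].replace("'", "\\'")),
        })
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": objects}


if __name__ == "__main__":
    import json
    print(json.dumps(to_stix_bundle(process(RAW_FEED_RECORDS)), indent=2))
```

Running it yields four indicators from six raw rows: the two spellings of the domain collapse into one entry sourced from both feeds (and therefore scored higher), the junk row is discarded, and each object carries a pattern a TAXII consumer or MISP import could use directly.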

DFIR Platform

IOC Enrichment API

DFIR Lab publishes weekly threat intelligence briefings at https://dfir-lab.ch/intel-briefings and maintains daily-refreshed threat actor profiles covering TTPs, targeted sectors, and associated infrastructure. The platform's IOC Enrichment API aggregates 14+ threat intelligence sources, delivering operational and tactical intelligence on IPs, domains, hashes, and URLs directly via API.


Related Concepts

Indicators of Compromise
IOC Enrichment
Threat Actor Profiling
MITRE ATT&CK Framework
