Skip to content
← All articles

Threat Intelligence (TI): What Cyber Threat Intel Is

Threat Intelligence (TI) is the process of collecting, processing, and analyzing data about active cyber threats, adversary groups, and their methods, turning scattered signals into contextual, actionable insight. TI helps security teams anticipate attacks, prioritize defenses, and make decisions based on evidence rather than guesswork or assumptions.

What is threat intelligence in simple terms

The word «intelligence» is doing the heavy lifting here: raw data (say, a list of suspicious IP addresses) is not threat intelligence on its own. It only becomes intelligence after passing through an analytical cycle — validated, enriched with context, and connected to a specific threat facing a specific organization. Gartner's classic definition describes threat intelligence as evidence-based knowledge, including context, mechanisms, indicators, and actionable advice about a threat, that can be used to inform response decisions.

The distinction between «data», «information», and «intelligence» is fundamental. Data is a fact (a domain, a file hash, an IP). Information is several connected facts (this domain resolves to that IP and serves this file). Intelligence answers the «so what do I do now» question: this domain belongs to a group targeting your sector, and it must be blocked right now. That final layer is what separates a mature TI program from a mere subscription to indicator feeds.

Threat intelligence is built around the intelligence lifecycle, borrowed from military and government intelligence: defining requirements (what we want to know), collection, processing, analysis, dissemination of finished insight to consumers, and feedback to refine requirements. This cycle makes TI a repeatable process rather than a pile of one-off reports.

Types of threat intelligence (strategic, tactical, operational, technical)

Threat intelligence is commonly divided into four levels by depth, audience, and shelf life. Understanding these levels prevents confusing an «indicator feed» with a «board briefing» — they are fundamentally different products for different consumers.

  • Strategic TI — high-level analysis of threat trends, geopolitics, motivation, and business risk. Audience: executives, CISO, board of directors. Format: analytical reports, briefings. Shelf life: months to years.
  • Tactical TI — description of adversary tactics, techniques, and procedures (TTPs): how exactly they gain access, persist, and move laterally. Audience: defense architects, SOC leads. Anchored in the MITRE ATT&CK framework. Shelf life: weeks to months.
  • Operational TI — intelligence on specific imminent campaigns and groups: who is planning an attack, when, and how. Audience: incident response (IR) and threat hunters. Sources: forums, dark web, infrastructure monitoring. Shelf life: days to weeks.
  • Technical TI — machine-readable indicators of compromise (IOCs): file hashes, malicious domains, IPs, signatures. Audience: security tools (SIEM, EDR, firewalls) and automation. Shelf life: hours to days, since indicators age fast.
LevelAudienceExample productShelf lifeKey question
StrategicCISO, boardSector threat-trend reportMonths–yearsWho threatens the business and why?
TacticalArchitects, SOC leadsTTP breakdown via MITRE ATT&CKWeeks–monthsHow exactly do they attack?
OperationalIR, threat huntersCampaign alert on a groupDays–weeksWhat is being prepared against us now?
TechnicalSIEM, EDR, firewallsIOC feed (hashes, domains, IPs)Hours–daysWhich indicators do we block?

TI data sources (IOC, TTP, OSINT)

The value of threat intelligence depends directly on the quality and diversity of its sources. Relying on one data type creates blind spots, so mature programs combine several categories.

  • Indicators of compromise (IOCs) — concrete technical artifacts of an attack: SHA-256 hashes of malicious files, command-and-control (C2) domains, IP addresses, URLs, phishing email addresses. IOCs are easy to automate but age quickly, because attackers rotate infrastructure.
  • Tactics, techniques, and procedures (TTPs) — durable adversary behavior that is far costlier to change than an IP address. Per David Bianco's «Pyramid of Pain» concept, blocking at the TTP level inflicts maximum pain on the attacker, while blocking hashes inflicts the least.
  • OSINT (open-source intelligence) — data from public sources: researcher blogs, CERT reports, social media, domain and certificate registries, code repositories. OSINT is cheap and abundant, but demands careful validation of reliability.
  • Closed and commercial sources — dark-web forum monitoring, ISAC/ISAO (industry sharing centers), paid vendor feeds, and telemetry from the organization's own network (internal TI is often the most valuable of all).

For standardized indicator sharing, the STIX (Structured Threat Information eXpression) format and the TAXII transport protocol, developed under OASIS, are widely used. They let different platforms and organizations automatically exchange intelligence in a single machine-readable form.

How to use threat intelligence

The classic mistake of early TI programs is hoarding indicators with no clear application. Intelligence delivers value only when it is embedded in specific security processes.

  1. Alert enrichment in the SOC. When a SIEM fires a detection, TI answers instantly: is this IP a known C2 server of a specific group? This sharpens triage accuracy and reduces alert fatigue.
  2. Vulnerability prioritization. TI reveals which CVEs are actively exploited in the wild (for example, via the CISA KEV catalog), so you patch what is truly under attack first, not merely what is abstractly «critical».
  3. Blocking and detection. Technical IOCs are automatically loaded into firewalls, EDR, and email gateways for proactive blocking.
  4. Threat hunting. Tactical TI provides hypotheses: if a group uses a particular persistence technique, hunters search their network for its traces before any alert fires.
  5. Strategic decisions. Leadership uses TI to assess risk, plan budgets, and choose defensive priorities.

Open-source tools also help audit your external attack surface and basic domain hygiene. For instance, routinely checking SIEM correlation and monitoring HTTP headers, DNS, and SSL certificates yields raw material for internal technical TI.

TI and MITRE ATT&CK

MITRE ATT&CK is an open, regularly updated knowledge base of adversary tactics and techniques based on observations of real-world incidents. It has become the de facto common language for describing threat behavior and maps directly to the tactical level of threat intelligence.

The ATT&CK matrix is organized by tactics (the attacker's goals: initial access, persistence, privilege escalation, lateral movement, exfiltration, and so on) and techniques (specific ways to achieve those goals, each with a unique ID such as T1566 for phishing). Threat intelligence mapped to ATT&CK lets you compare groups by their technique arsenal, build detection coverage heat maps, spot defensive gaps, and set priorities for the detection engineering team.

The practical value is that instead of a vague «we might get attacked», the team gets a concrete «group X uses techniques T1566, T1059, and T1053; we detect two of three — let's close the third». This turns threat intelligence from reading reports into a measurable defense-improvement program. Many TI providers and MDR services now map their findings to ATT&CK by default.

TI platforms (TIP)

A Threat Intelligence Platform (TIP) is a system that centralizes the collection, normalization, enrichment, storage, and dissemination of intelligence from many sources. Without a TIP, analysts drown in duplicate indicators arriving from dozens of feeds in incompatible formats.

Key TIP functions:

  • Feed aggregation — pulling data from commercial, open, and internal sources into a single repository.
  • Deduplication and normalization — reconciling indicators from different formats (STIX, CSV, JSON) into a unified shape and removing duplicates.
  • Enrichment — automatically adding context: reputation, geolocation, association with known groups.
  • Scoring and prioritization — assessing the confidence and relevance of each indicator for the specific organization.
  • Integration — automatically pushing vetted IOCs into SIEM, EDR, SOAR, and firewalls via API документацию.

Common solutions include the open-source platforms MISP and OpenCTI, as well as commercial products from Anomali, ThreatConnect, Recorded Future, and other vendors. The choice depends on team maturity, budget, and integration requirements.

Threat intelligence vs threat hunting

These terms are often confused, but they describe different (though related) disciplines. Threat intelligence answers «what is known about threats?» — it is knowledge. Threat hunting answers «is this threat already inside us?» — it is active search within one's own infrastructure.

The relationship is bidirectional. TI feeds hunting with hypotheses: an analyst reads that a group uses a certain technique, and a hunter goes looking for its traces in the logs. Conversely, hunting results generate new internal TI: artifacts discovered in your own network become valuable indicators. Threat hunting assumes preventive controls have already missed an attack and searches for it proactively, without waiting for an alert. Both processes often live inside a mature SOC and reinforce each other.

The key difference is posture: TI looks outward (the external threat landscape), while hunting looks inward (your own network). A security program needs both: intelligence without hunting stays theoretical, and hunting without intelligence strikes blind.

FAQ

How is threat intelligence different from antivirus or a firewall?

Antivirus and firewalls are protective controls that block threats using predefined rules. Threat intelligence is the knowledge that feeds those controls fresh data and helps people make decisions. TI does not block attacks directly, but it makes the rest of your defenses smarter and more timely.

Does a small business need threat intelligence?

A small business rarely needs a full TI program with dedicated analysts, but basic use is available to everyone: subscribing to free feeds, using the CISA KEV catalog for patch prioritization, and heeding sector CERT alerts. Small businesses often receive TI indirectly — through an MDR service or cloud security tools that already leverage intelligence.

What is an indicator of compromise (IOC)?

An IOC is a technical artifact pointing to a possible compromise: a malicious file hash, a C2 domain, an attacker IP address, a suspicious URL. IOCs are machine-readable and easy to automate, but age quickly, so relying on them alone is considered less durable than behavior-based detection (TTPs).

What are STIX and TAXII?

STIX is a standardized language for describing cyber threats in machine-readable form, and TAXII is the protocol for transmitting them automatically between systems. Together they let organizations and platforms exchange intelligence without manual work. Both standards are maintained by OASIS.

How do I start building a threat intelligence program?

Start by defining requirements: which threats are most relevant to your sector and assets. Then connect a few quality sources, set up basic alert enrichment in the SIEM, and map findings to MITRE ATT&CK. Grow maturity gradually — from technical TI toward strategic — adding a platform (TIP) as volumes increase.

EDR uses threat intelligence as a source of fresh indicators and detection rules, and it also generates telemetry that becomes new internal TI. This is a two-way exchange: intelligence makes EDR more accurate, and EDR enriches intelligence with data on real attacks against your infrastructure.

Check your website right now

Check your site's security →
More articles: Security
Security
API Security: Best Practices for Protection
11.03.2026 · 165 views
Security
Rate Limiting Strategies for Web APIs and Applications
16.03.2026 · 181 views
Security
SQL Injection Prevention: Prepared Statements and ORM
15.04.2026 · 211 views
Security
HTTP to HTTPS Migration: Redirects, Mixed Content, HSTS
15.04.2026 · 132 views