Threat intelligence

What is threat intelligence? 

Threat intelligence, commonly referred to as cyber threat intelligence (CTI), is actionable, evidence-based knowledge about malicious actors, their motives, tactics, techniques, and procedures (TTPs), and emerging cyber threats. Organizations use CTI to proactively anticipate, detect, and mitigate cyberattacks before they cause damage. 

What are the four types of threat intelligence? 

Threat intelligence is usually grouped into four types, based on who uses it and how. 

1. Strategic threat intelligence 

Strategic threat intelligence is high-level information meant for leadership and decision-makers. It focuses on long-term risks, trends, and motivations behind cyberattacks. 

2. Tactical threat intelligence 

Tactical threat intelligence focuses on how attackers carry out their operations. It provides detailed insights into an adversary’s behaviors, strategies, and methods, including their TTPs, as well as Indicators of Compromise (IOCs) such as malicious IP addresses or malware hashes. Security teams use this intelligence to enhance detection capabilities and strengthen defensive measures. 

3. Operational threat intelligence 

Operational threat intelligence provides insights into specific attacks or campaigns. It looks at who the attackers are, what they’re targeting, and how the attack is being carried out. It’s useful for real-time response to active threats. 

4. Technical threat intelligence 

Technical threat intelligence is the most detailed and technical type. It includes indicators like malicious IP addresses, domains, file hashes, or URLs. These are used directly in security tools to block or detect threats. 

How does the threat intelligence lifecycle work? 

Threat intelligence follows a continuous process called the Threat Intelligence Lifecycle. The cycle typically comprises these six stages. 

1. Planning 

Planning sets the direction for all threat intelligence work. The organization clearly defines what it needs to protect and why it matters. This step focuses on identifying critical assets such as customer data, payment systems, or internal networks. Teams also decide what types of threats are most relevant, based on business goals and past incidents. 

Example: An e-commerce company decides to focus on payment fraud, fake checkout pages, and account takeovers because these threats directly affect customers and revenue. 

2. Collection 

During collection, teams gather raw data from many sources. These include system logs, firewall alerts, intrusion detection systems, threat intelligence feeds, security reports, and even social media or dark web monitoring. The goal is to collect sufficient data to spot patterns without overwhelming analysts. 

Example: Security teams monitor login logs for unusual behavior, track failed payment attempts, and review alerts shared by other companies in the same industry. 

3. Processing 

Raw data often contains irrelevant noise and duplicate information. In this step, teams clean, normalize, and organize the data so it becomes usable. They remove repeated alerts, standardize formats, and filter out known safe activity. This saves time and prevents false alarms. 

Example: The team removes duplicate login alerts and excludes trusted IP addresses that belong to company offices or approved vendors. 

4. Analysis 

Analysis turns processed data into useful intelligence. Analysts look for trends, connections, and indicators of malicious activity. They try to answer key questions such as who is attacking, how the attack works, and what impact it may have. This step helps teams move from “what happened” to “what it means.” 

Example: Analysts discover that many failed login attempts come from the same region and use the same automated tool, showing a coordinated brute-force attack. 

5. Dissemination

In dissemination, teams share intelligence with the right audience in the right format. Technical teams receive detailed indicators like IP addresses and attack methods. Management and business leaders receive clear summaries that explain risks and possible business impact. 

Example: The IT team receives technical indicators to block malicious traffic, while management gets a short report explaining the risk to customer accounts. 

6. Feedback 

Feedback helps improve the entire lifecycle. After responding to a threat, teams review what worked and what didn’t. They update detection rules, refine priorities, and improve data sources. This step ensures that the organization responds faster and more accurately in the future. 

Example: After stopping the attack, the team updates security rules so similar login attempts trigger alerts immediately next time. 
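The lifecycle examples above (collection of login logs, removal of duplicates and trusted office addresses, clustering of failed logins by region and tool, and separate outputs for technical staff and management) can be followed end to end in code. The following Python script is an added example and is not part of the original glossary; the log format, the office network 198.51.100.0/24, the IP-range-to-region table, and the thresholds in `analyse()` are all constructed assumptions standing in for real log sources, a GeoIP lookup, and tuning decisions made during the Feedback stage.

```python
import ipaddress
from collections import defaultdict

# Constructed sample authentication log (not from the original page).
# Format: <timestamp> <result> user=<name> ip=<source> ua=<client tool>
RAW_LOG = """\
2024-05-01T10:00:01Z FAIL user=alice ip=203.0.113.10 ua=python-requests/2.31
2024-05-01T10:00:01Z FAIL user=alice ip=203.0.113.10 ua=python-requests/2.31
2024-05-01T10:00:02Z FAIL user=bob ip=203.0.113.11 ua=python-requests/2.31
2024-05-01T10:00:03Z FAIL user=carol ip=203.0.113.12 ua=python-requests/2.31
2024-05-01T10:00:04Z FAIL user=dave ip=203.0.113.10 ua=python-requests/2.31
2024-05-01T10:00:05Z FAIL user=erin ip=203.0.113.11 ua=python-requests/2.31
2024-05-01T10:00:06Z FAIL user=frank ip=203.0.113.12 ua=python-requests/2.31
2024-05-01T10:00:07Z FAIL user=alice ip=198.51.100.5 ua=Mozilla/5.0
2024-05-01T10:00:08Z FAIL user=bob ip=192.0.2.7 ua=Mozilla/5.0
2024-05-01T10:00:09Z OK user=bob ip=192.0.2.7 ua=Mozilla/5.0
"""

# Assumed output of the Planning stage: a constructed office network to exclude,
# and a constructed IP-range-to-region table standing in for a GeoIP database.
TRUSTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
REGION_BY_NETWORK = {
    ipaddress.ip_network("203.0.113.0/24"): "region-A",
    ipaddress.ip_network("192.0.2.0/24"): "region-B",
}


def parse_log(raw):
    """Collection: turn raw text lines into structured (ts, result, user, ip, ua) events."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ts, result, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append((ts, result, fields["user"], fields["ip"], fields["ua"]))
    return events


def process(events, trusted_networks):
    """Processing: drop exact duplicate events and events from known-safe source addresses."""
    unique = list(dict.fromkeys(events))  # dedupe while keeping first-seen order

    def is_trusted(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in trusted_networks)

    return [e for e in unique if not is_trusted(e[3])]


def region_of(ip):
    """Map a source address to a region using the constructed lookup table."""
    addr = ipaddress.ip_address(ip)
    for net, region in REGION_BY_NETWORK.items():
        if addr in net:
            return region
    return "unknown"


def analyse(events, min_failures=5, min_sources=2):
    """Analysis: cluster failed logins by (region, client tool) to surface a coordinated brute-force attempt."""
    clusters = defaultdict(lambda: {"failures": 0, "ips": set(), "users": set()})
    for ts, result, user, ip, ua in events:
        if result != "FAIL":
            continue
        tool = ua.split("/")[0]  # client name without its version
        c = clusters[(region_of(ip), tool)]
        c["failures"] += 1
        c["ips"].add(ip)
        c["users"].add(user)
    findings = []
    for (region, tool), c in clusters.items():
        # Many failures spread over several addresses and accounts, all from one
        # region with one tool, is the pattern the Analysis example describes.
        if c["failures"] >= min_failures and len(c["ips"]) >= min_sources:
            findings.append({"region": region, "tool": tool, "failures": c["failures"],
                             "ips": sorted(c["ips"]), "users": sorted(c["users"])})
    return findings


def disseminate(findings):
    """Dissemination: a block list for the IT team and a plain-language summary for management."""
    block_list = sorted({ip for f in findings for ip in f["ips"]})
    summary = "; ".join(
        f"{f['failures']} failed logins against {len(f['users'])} accounts "
        f"from {len(f['ips'])} addresses in {f['region']} using {f['tool']}"
        for f in findings
    ) or "no coordinated activity found"
    return {"block": block_list, "summary": summary}


def run_pipeline(raw=RAW_LOG):
    """Run collection, processing, analysis and dissemination over one log."""
    events = process(parse_log(raw), TRUSTED_NETWORKS)
    return disseminate(analyse(events))


if __name__ == "__main__":
    print(run_pipeline())
```

On the constructed log the pipeline removes one duplicate line and one event from the office network, then reports six failures against six accounts from three addresses in region-A using python-requests, handing the three addresses to the technical audience and the one-sentence summary to management. The `min_failures` and `min_sources` parameters are the kind of detection setting the Feedback stage revisits after an incident: lowering them makes similar attempts alert sooner at the cost of more false positives.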

Why is threat intelligence important for organizations? 

Threat intelligence transforms raw data into actionable insights, shifting your organization’s defense posture from reactive to proactive. It keeps you one step ahead of attackers. Here’s why it’s vital: 

  1. Proactive defense: Awareness of emerging cyberattacks enables organizations to patch vulnerabilities and update defenses proactively.
  2. Faster incident response: Sufficient knowledge of attackers, attack methods, and evolving threats enables security teams to respond more quickly and with greater accuracy.
  3. Threat prioritization: Security teams can distinguish routine noise from activity that deserves immediate attention, and prioritize responses to relevant threats based on the organization’s risk exposure.
  4. Informed decision-making: CTI helps leadership determine which threats are most probable, which business assets are most likely to be targeted, and where to invest to strengthen security.
  5. Improved resource utilization: Many security tools such as SIEM platforms, security testing tools, and vulnerability management software integrate with threat intelligence feeds, so even small teams can address organization-wide threats with greater precision.
  6. Reduced damage: Early detection and faster response times reduce the impact of incidents such as data breaches, operational downtime, and reputational harm.
  7. Security compliance: CTI enhances compliance by identifying vulnerabilities, informing incident response, and supporting risk management frameworks such as ISO/IEC 27002 and GDPR.