What Is Cyber Threat Intelligence? A Complete Guide

Everything you need to understand about CTI: types, lifecycle, frameworks, and practical applications for security teams.

Cyber threat intelligence (CTI) is the collection, processing, analysis, and dissemination of information about current and potential cyber threats. It goes beyond raw data — indicators of compromise, malware hashes, IP addresses — and adds context: who is attacking, why, how, and what it means for your organization.

At its core, CTI exists to help organizations make better security decisions. Whether that means a SOC analyst prioritizing alerts, a vulnerability management team deciding what to patch first, or a CISO briefing the board on risk exposure, threat intelligence provides the foundation for informed action.

Key Definition

Cyber threat intelligence is evidence-based knowledge about an existing or emerging threat that can be used to inform decisions regarding the subject's response to that threat. — Gartner

The Four Types of Cyber Threat Intelligence

Threat intelligence is commonly categorized into four types, each serving a different audience and purpose within an organization. Understanding these categories is essential for building an effective CTI program.

1. Strategic Threat Intelligence

Strategic intelligence provides a high-level view of the threat landscape. It is designed for non-technical audiences — board members, executives, and senior leadership — and focuses on trends, motivations, and geopolitical context rather than technical indicators.

Examples of strategic intelligence include reports on nation-state cyber strategies, analysis of how geopolitical tensions are likely to affect specific industry sectors, and assessments of emerging threat actor motivations. This type of intelligence typically has a longer shelf life and informs decisions about security investment, risk appetite, and organizational strategy.

CyberGeoDigest is a source of strategic threat intelligence, providing daily briefings that connect cyber operations to geopolitical context. It is designed to help security leaders and policy professionals understand not just what is happening, but why it matters.

2. Tactical Threat Intelligence

Tactical intelligence describes the tactics, techniques, and procedures (TTPs) that threat actors use to conduct attacks. It is primarily consumed by security architects, incident responders, and red/blue team operators who need to understand how attacks are carried out in order to defend against them.

Examples include detailed analysis of a specific threat group's preferred initial access techniques, the malware families they deploy, their lateral movement patterns, and their persistence mechanisms. The MITRE ATT&CK framework is the primary taxonomy for organizing tactical intelligence.

3. Operational Threat Intelligence

Operational intelligence provides specific, actionable information about an impending or ongoing attack. It typically includes details about a threat actor's intent, timing, and target. This type of intelligence is the most difficult to produce because it often requires access to closed sources such as dark web forums, private communications channels, or signals intelligence.

Examples include early warning that a specific ransomware group is planning attacks against healthcare organizations in a particular country, or intelligence that a nation-state actor has been observed staging infrastructure for an attack against critical infrastructure in a specific sector.

4. Technical Threat Intelligence

Technical intelligence consists of specific technical indicators that can be consumed by security tools and used for detection, blocking, and alerting. This is the most granular type of intelligence and includes indicators of compromise (IOCs) such as malicious IP addresses, domain names, file hashes, email addresses, YARA rules, and Snort signatures.

Technical intelligence has the shortest shelf life — IP addresses and domains can change within hours — but it is the most directly actionable for security operations. It feeds into SIEMs, firewalls, endpoint detection tools, and threat intelligence platforms.

| Type        | Audience                     | Format                        | Shelf Life      |
|-------------|------------------------------|-------------------------------|-----------------|
| Strategic   | Executives, board, policy    | Reports, briefings            | Months to years |
| Tactical    | SOC, IR, security architects | TTP analysis, ATT&CK mappings | Weeks to months |
| Operational | IR, threat hunters, CISO     | Alerts, campaigns, intentions | Days to weeks   |
| Technical   | SOC, automated tools         | IOCs, signatures, rules       | Hours to days   |
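The technical-intelligence section above makes two points that are easy to get wrong in practice: indicators must be matched mechanically against telemetry, and they must be retired when their shelf life runs out. The following Python, added here as an illustration and not code from CyberGeoDigest or any vendor, indexes a small constructed indicator set with a per-indicator time-to-live and runs it over constructed proxy, DNS and EDR log lines. The addresses are RFC 5737 documentation ranges and the hash is a placeholder; the `key=value` log format, the `FIELD_KINDS` mapping and the TTL values are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List


@dataclass(frozen=True)
class Indicator:
    kind: str            # "ipv4", "domain" or "sha256"
    value: str           # canonical (lower-case) form
    last_seen: datetime  # when the source last observed it in use
    ttl: timedelta       # how long after last_seen we still trust it


# Constructed reference time and indicators (RFC 5737 documentation addresses
# and a placeholder hash); none of these are real IOCs.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
PLACEHOLDER_SHA256 = "a" * 64
INDICATORS = [
    Indicator("ipv4", "203.0.113.45", NOW - timedelta(hours=6), timedelta(days=2)),
    Indicator("ipv4", "198.51.100.9", NOW - timedelta(days=30), timedelta(days=2)),  # already stale
    Indicator("domain", "update.evil-example.test", NOW - timedelta(days=1), timedelta(days=14)),
    # File hashes change far less often than network infrastructure, so they keep a long TTL.
    Indicator("sha256", PLACEHOLDER_SHA256, NOW - timedelta(days=100), timedelta(days=365)),
]

# Constructed log lines in a simple key=value style (proxy, DNS and EDR events).
SAMPLE_LOGS = [
    "2024-06-01T11:58:02Z proxy src=10.0.0.5 dst=203.0.113.45 host=cdn.example.org status=200",
    "2024-06-01T11:58:10Z dns client=10.0.0.7 query=update.evil-example.test type=A",
    "2024-06-01T11:59:00Z proxy src=10.0.0.8 dst=198.51.100.9 host=legacy.example.org status=200",
    "2024-06-01T11:59:30Z edr host=ws-17 event=file_create sha256=" + PLACEHOLDER_SHA256,
    "2024-06-01T12:00:01Z dns client=10.0.0.9 query=www.example.com type=A",
]

# Assumed mapping of log fields to the indicator type they are compared against.
FIELD_KINDS = {"src": "ipv4", "dst": "ipv4", "query": "domain", "host": "domain", "sha256": "sha256"}
_KV = re.compile(r"(\w+)=(\S+)")


def is_active(ind: Indicator, now: datetime) -> bool:
    """An indicator is used only while its shelf life has not run out."""
    return now <= ind.last_seen + ind.ttl


def build_index(indicators: List[Indicator], now: datetime) -> Dict[str, Dict[str, Indicator]]:
    """Index the active indicators by type, then by value, for constant-time lookups."""
    index: Dict[str, Dict[str, Indicator]] = {}
    for ind in indicators:
        if is_active(ind, now):
            index.setdefault(ind.kind, {})[ind.value] = ind
    return index


def match_logs(lines: List[str], indicators: List[Indicator], now: datetime) -> List[dict]:
    """Return one hit per log field whose value equals an active indicator of the right type."""
    index = build_index(indicators, now)
    hits = []
    for line in lines:
        for key, value in _KV.findall(line):
            kind = FIELD_KINDS.get(key)
            if kind is None:
                continue
            ind = index.get(kind, {}).get(value.lower())
            if ind is not None:
                hits.append({"field": key, "kind": kind, "indicator": ind.value, "line": line})
    return hits


def match_after(days: int) -> List[dict]:
    """Re-run the sample match as if `days` had passed, to show indicators aging out."""
    return match_logs(SAMPLE_LOGS, INDICATORS, NOW + timedelta(days=days))


if __name__ == "__main__":
    for hit in match_logs(SAMPLE_LOGS, INDICATORS, NOW):
        print(f"{hit['kind']:7} {hit['field']}={hit['indicator']}  <-  {hit['line']}")
```

The stale address 198.51.100.9 appears in the proxy log but produces no hit because its TTL expired weeks ago; twenty days later only the hash still matches. Matching on the field's declared type (an IP in `dst`, a domain in `query`) rather than on free-text substrings is what keeps this from alerting on an indicator string that happens to appear in an unrelated field.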

The Threat Intelligence Lifecycle

Effective threat intelligence is not a one-time activity but a continuous process. The CTI lifecycle describes this process in six phases, each building on the last to create a feedback loop that improves intelligence quality over time.

1. Planning and Direction

The lifecycle begins with defining intelligence requirements. What does the organization need to know? What decisions will the intelligence support? This phase involves identifying key stakeholders, understanding their information needs, and establishing priority intelligence requirements (PIRs). Without clear requirements, intelligence programs produce information that no one uses.

2. Collection

Once requirements are defined, analysts gather raw data from relevant sources. These sources typically include open-source intelligence (OSINT) from news outlets, security blogs, social media, and government advisories; commercial threat feeds; information sharing communities (ISACs); dark web monitoring; internal telemetry from security tools; and human intelligence from industry contacts and law enforcement.

3. Processing

Raw data must be organized, normalized, and enriched before analysis. This phase involves deduplication, translation, decryption, formatting data into structured formats, and correlating data points across multiple sources. Automation plays an increasingly important role here, particularly for handling high-volume technical indicators.
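The processing phase described above is where most of the automation in a CTI pipeline lives. The Python below is an added example (not code from the original page or from CyberGeoDigest) of the normalization and deduplication step for technical indicators: it refangs defanged values (`hxxp`, `[.]`), classifies each value by type, canonicalizes case, and merges the same indicator reported by several feeds into one record that keeps every source. The feed records and indicator values are constructed for the example; the addresses are RFC 5737 documentation ranges and the hash is the well-known MD5 of the empty string, not a real IOC.

```python
import re
from typing import Optional, Tuple

# Constructed feed records for illustration only: three indicators arrive from
# several feeds in different casings and defanging styles, plus one record that
# is not an indicator at all.
RAW_FEED_RECORDS = [
    {"source": "feed-a", "value": "hxxp://evil-example[.]test/payload.bin"},
    {"source": "feed-b", "value": "http://EVIL-EXAMPLE.test/payload.bin"},
    {"source": "feed-a", "value": "198.51.100[.]23"},
    {"source": "feed-c", "value": "198.51.100.23"},
    {"source": "feed-b", "value": "d41d8cd98f00b204e9800998ecf8427e"},
    {"source": "feed-c", "value": "D41D8CD98F00B204E9800998ECF8427E"},
    {"source": "feed-c", "value": "  mail.evil-example[.]test "},
    {"source": "feed-b", "value": "not an indicator"},
]

_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
_MD5 = re.compile(r"^[0-9a-f]{32}$")
_SHA256 = re.compile(r"^[0-9a-f]{64}$")
_URL = re.compile(r"^https?://\S+$")
_DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")


def refang(value: str) -> str:
    """Undo the common defanging conventions (hxxp, [.], (.), [:])."""
    v = value.strip()
    v = re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)
    return v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def classify(value: str) -> Optional[str]:
    """Return the indicator type of an already lower-cased, refanged value."""
    if _IPV4.match(value):
        return "ipv4"
    if _SHA256.match(value):
        return "sha256"
    if _MD5.match(value):
        return "md5"
    if _URL.match(value):
        return "url"
    if _DOMAIN.match(value):
        return "domain"
    return None


def normalize(value: str) -> Optional[Tuple[str, str]]:
    """Refang, classify and canonicalize one raw value; None if it is not recognized."""
    v = refang(value)
    kind = classify(v.lower())
    if kind is None:
        return None
    if kind == "url":
        # Lower-case only the scheme and host; URL paths can be case-sensitive.
        scheme, rest = v.split("://", 1)
        host, sep, path = rest.partition("/")
        return kind, f"{scheme.lower()}://{host.lower()}{sep}{path}"
    return kind, v.lower()


def process(records):
    """Deduplicate normalized indicators and merge the set of feeds that reported each one."""
    merged, dropped = {}, []
    for rec in records:
        norm = normalize(rec["value"])
        if norm is None:
            dropped.append(rec["value"])
            continue
        kind, value = norm
        entry = merged.setdefault((kind, value), {"type": kind, "value": value, "sources": set()})
        entry["sources"].add(rec["source"])
    iocs = [
        {"type": e["type"], "value": e["value"], "sources": sorted(e["sources"])}
        for e in merged.values()
    ]
    # Deterministic order so diffs between successive processed sets are stable.
    return sorted(iocs, key=lambda e: (e["type"], e["value"])), dropped


if __name__ == "__main__":
    iocs, dropped = process(RAW_FEED_RECORDS)
    for ioc in iocs:
        print(ioc)
    print("dropped:", dropped)
```

Eight raw records collapse to four indicators, each carrying the list of feeds that reported it; that source list is what later lets an analyst weigh an indicator seen by three independent feeds differently from one seen by a single feed. Unrecognized values are returned separately rather than silently discarded, so a feed that changes its format is noticed.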

4. Analysis

Analysis is where data becomes intelligence. Analysts apply structured analytical techniques to identify patterns, assess threat actor capabilities and intentions, evaluate the reliability of information, and produce judgments. Good analysis always separates what is known from what is assessed, and communicates confidence levels clearly.

5. Dissemination

Intelligence is only valuable if it reaches the right people in a format they can act on. Dissemination involves delivering finished intelligence products to stakeholders through appropriate channels — executive briefings for strategic intelligence, ATT&CK mappings for SOC teams, IOC feeds for automated tools, and alerts for operational intelligence.

6. Feedback

The final phase closes the loop. Stakeholders provide feedback on whether the intelligence met their needs, which refines future collection and analysis priorities. This feedback mechanism is critical for continuously improving the program's relevance and value.

Key Frameworks for Threat Intelligence

Several established frameworks provide structure for organizing, analyzing, and communicating threat intelligence. Understanding these frameworks is fundamental to working effectively in CTI.

MITRE ATT&CK

MITRE ATT&CK is a globally recognized knowledge base of adversary tactics, techniques, and procedures. It catalogs real-world observations of how threat actors operate, organized into a matrix of tactics (the adversary's goal) and techniques (how they achieve it). ATT&CK has become the de facto standard for describing adversary behavior. Security teams use it to map detections, identify gaps in coverage, prioritize defensive investments, and communicate about threats in a common language.
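"Map detections, identify gaps in coverage" is a concrete computation once both the detection inventory and a threat group's TTP profile are expressed as ATT&CK technique IDs. The Python below is an added example, not code from the original page or from MITRE: it compares a constructed rule inventory against a constructed TTP profile and reports uncovered techniques grouped by tactic. The technique and tactic IDs are real ATT&CK Enterprise identifiers; the rule names, the group profile and the `TACTIC_OF` table (a hand-copied subset, not a lookup against the ATT&CK data set) are assumptions made for the example.

```python
from typing import Dict, List, Set

# Parent technique -> tactic, for only the ATT&CK Enterprise IDs used below.
TACTIC_OF = {
    "T1566": "initial-access",
    "T1204": "execution",
    "T1059": "execution",
    "T1569": "execution",
    "T1003": "credential-access",
    "T1021": "lateral-movement",
    "T1071": "command-and-control",
    "T1486": "impact",
}

# Constructed detection inventory: rule name -> techniques the rule is mapped to.
DETECTIONS = {
    "phish-attachment-macro": ["T1566.001", "T1204.002"],
    "powershell-encoded-cmd": ["T1059.001"],
    "lsass-handle-access": ["T1003.001"],
    "psexec-service-install": ["T1021.002", "T1569.002"],
}

# Constructed TTP profile of a hypothetical group, as a tactical report would list it.
GROUP_TTPS = {
    "T1566.001": "Spearphishing Attachment",
    "T1059.001": "PowerShell",
    "T1003.001": "LSASS Memory",
    "T1021.002": "SMB/Windows Admin Shares",
    "T1071.001": "Web Protocols",
    "T1486": "Data Encrypted for Impact",
}


def parent(technique_id: str) -> str:
    """T1059.001 -> T1059; a parent technique is its own parent."""
    return technique_id.split(".", 1)[0]


def covers(detected: Set[str], technique_id: str) -> bool:
    """A rule mapped to a parent technique covers its sub-techniques, but not the reverse."""
    return technique_id in detected or parent(technique_id) in detected


def coverage_report(detections: Dict[str, List[str]], group_ttps: Dict[str, str]) -> dict:
    """Split a group's TTPs into covered and uncovered, and group the gaps by tactic."""
    detected = {t for techs in detections.values() for t in techs}
    covered, gaps = [], []
    for tid in sorted(group_ttps):
        (covered if covers(detected, tid) else gaps).append(tid)
    gaps_by_tactic: Dict[str, List[str]] = {}
    for tid in gaps:
        gaps_by_tactic.setdefault(TACTIC_OF.get(parent(tid), "unknown"), []).append(tid)
    return {
        "covered": covered,
        "gaps": gaps,
        "gaps_by_tactic": gaps_by_tactic,
        "coverage": len(covered) / len(group_ttps) if group_ttps else 0.0,
    }


if __name__ == "__main__":
    report = coverage_report(DETECTIONS, GROUP_TTPS)
    print(f"coverage: {report['coverage']:.0%}")
    for tactic, tids in report["gaps_by_tactic"].items():
        print(f"  gap in {tactic}: {', '.join(tids)}")
```

For this constructed profile the inventory covers four of six techniques; the gaps sit in command-and-control and impact, which is the kind of per-tactic view that turns a coverage number into a prioritized detection-engineering backlog. Note the asymmetry in `covers`: a rule that detects PowerShell in general (T1059) is credited for T1059.001, but a rule written only for the sub-technique is not credited for the whole parent.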

The Diamond Model of Intrusion Analysis

The Diamond Model provides a framework for analyzing individual intrusion events by examining four core features: adversary, infrastructure, capability, and victim. Each intrusion event is modeled as a diamond connecting these four elements. The model helps analysts trace relationships between attacks, pivot from one known element to discover others, and build comprehensive understanding of threat campaigns over time.
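The pivoting the Diamond Model enables is a graph search: two events are linked when they share a feature value, and an analyst walks those links outward from a known event. The Python below is an added example, not code from the original page or from the Diamond Model's authors, that represents constructed intrusion events as diamonds and pivots breadth-first over shared infrastructure and capability. Event IDs, group names, tool names and victims are invented for the example, and the addresses are RFC 5737 documentation ranges.

```python
from collections import deque
from typing import List, Tuple

# Constructed intrusion events, each a diamond of the four core features.
# Adversary is None where the event has not been attributed.
EVENTS = [
    {"id": "E1", "adversary": "group-x", "infrastructure": "203.0.113.10", "capability": "loader-a", "victim": "org-alpha"},
    {"id": "E2", "adversary": None,      "infrastructure": "203.0.113.10", "capability": "loader-b", "victim": "org-beta"},
    {"id": "E3", "adversary": None,      "infrastructure": "198.51.100.7", "capability": "loader-b", "victim": "org-gamma"},
    {"id": "E4", "adversary": "group-y", "infrastructure": "192.0.2.55",   "capability": "rat-c",    "victim": "org-delta"},
]

# Features an analyst pivots on; victim is deliberately excluded because two
# unrelated actors can hit the same victim.
PIVOT_FEATURES = ("infrastructure", "capability")


def pivot(events: List[dict], feature: str, value: str) -> List[dict]:
    """One pivot step: every event that shares this feature value."""
    return [e for e in events if e[feature] == value]


def cluster(events: List[dict], start_id: str, features=PIVOT_FEATURES) -> Tuple[List[str], List[tuple]]:
    """Breadth-first pivot from one event over shared features.

    Returns the linked event ids and, for each newly reached event, the
    (from_event, feature, value, to_event) step that connected it, so the
    chain of inference is recorded rather than just the final cluster."""
    by_id = {e["id"]: e for e in events}
    seen, queue, path = {start_id}, deque([start_id]), []
    while queue:
        cur = by_id[queue.popleft()]
        for feat in features:
            if cur[feat] is None:
                continue
            for e in pivot(events, feat, cur[feat]):
                if e["id"] not in seen:
                    seen.add(e["id"])
                    queue.append(e["id"])
                    path.append((cur["id"], feat, cur[feat], e["id"]))
    return sorted(seen), path


def attribution_hypothesis(events: List[dict], event_ids: List[str]) -> List[str]:
    """Adversaries already attributed inside the cluster: candidates to assess, not proof."""
    by_id = {e["id"]: e for e in events}
    return sorted({by_id[i]["adversary"] for i in event_ids if by_id[i]["adversary"]})


if __name__ == "__main__":
    ids, path = cluster(EVENTS, "E1")
    print("linked events:", ids)
    for src, feat, value, dst in path:
        print(f"  {src} --{feat}={value}--> {dst}")
    print("attribution candidates:", attribution_hypothesis(EVENTS, ids))
```

Starting from the attributed event E1, shared infrastructure reaches E2 and shared capability then reaches E3, while E4 stays outside the cluster. The recorded path matters more than the cluster itself: each hop is a hypothesis with its own confidence (shared commodity tooling is a far weaker link than shared dedicated infrastructure), and the analysis step of the lifecycle is where those hops are weighed before any attribution is stated.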

Lockheed Martin Cyber Kill Chain

The Cyber Kill Chain describes the stages of a targeted cyber attack: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. By understanding where an attack is in the kill chain, defenders can identify the most effective points for detection and disruption. While the kill chain has been criticized for its linear model and focus on perimeter-based attacks, it remains a useful framework for structuring incident analysis and defense planning.

STIX and TAXII

STIX (Structured Threat Information Expression) and TAXII (Trusted Automated Exchange of Indicator Information) are standards for representing and sharing threat intelligence in machine-readable formats. STIX provides a standardized language for describing threat information, while TAXII defines how that information is exchanged between systems. Together, they enable automated sharing of intelligence between organizations and platforms.
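To make the "machine-readable" part concrete, the Python below builds a small STIX 2.1 bundle, serializes and re-parses it as a TAXII exchange would, and then performs the checks a consumer should run before loading anything into a detection tool. This is an added example written with only the standard library, not code from the original page, from OASIS, or from the `stix2` reference library. The object and property names follow the STIX 2.1 specification; the validation covers only a subset of its rules, and the malware name, indicator patterns (an RFC 5737 address and a placeholder hash) and timestamps are constructed for the example.

```python
import json
import uuid
from datetime import datetime, timezone
from typing import Dict, List

SPEC = "2.1"

# Properties every STIX 2.1 domain/relationship object must carry, plus the
# type-specific ones this example checks (a subset of the full specification).
COMMON_REQUIRED = ("type", "spec_version", "id", "created", "modified")
TYPE_REQUIRED = {
    "indicator": ("pattern", "pattern_type", "valid_from"),
    "malware": ("is_family",),
    "relationship": ("relationship_type", "source_ref", "target_ref"),
}


def stix_id(obj_type: str) -> str:
    """STIX identifiers are '<type>--<UUID>'."""
    return f"{obj_type}--{uuid.uuid4()}"


def stix_timestamp(dt: datetime) -> str:
    return dt.strftime("%Y-%m-%dT%H:%M:%S.000Z")


def make_indicator(name: str, pattern: str, ts: str) -> dict:
    return {"type": "indicator", "spec_version": SPEC, "id": stix_id("indicator"),
            "created": ts, "modified": ts, "name": name,
            "indicator_types": ["malicious-activity"],
            "pattern": pattern, "pattern_type": "stix", "valid_from": ts}


def make_malware(name: str, ts: str) -> dict:
    return {"type": "malware", "spec_version": SPEC, "id": stix_id("malware"),
            "created": ts, "modified": ts, "name": name, "is_family": False,
            "malware_types": ["remote-access-trojan"]}


def make_relationship(source: dict, target: dict, rel_type: str, ts: str) -> dict:
    return {"type": "relationship", "spec_version": SPEC, "id": stix_id("relationship"),
            "created": ts, "modified": ts, "relationship_type": rel_type,
            "source_ref": source["id"], "target_ref": target["id"]}


def build_sample_bundle(now: datetime = None) -> dict:
    """Constructed bundle: two indicators that 'indicate' one hypothetical malware sample."""
    ts = stix_timestamp(now or datetime.now(timezone.utc))
    malware = make_malware("hypothetical-rat", ts)  # constructed name
    ip_ind = make_indicator("C2 address", "[ipv4-addr:value = '203.0.113.45']", ts)
    file_ind = make_indicator("Dropper hash", "[file:hashes.'SHA-256' = '" + "a" * 64 + "']", ts)
    return {"type": "bundle", "id": stix_id("bundle"),
            "objects": [malware, ip_ind, file_ind,
                        make_relationship(ip_ind, malware, "indicates", ts),
                        make_relationship(file_ind, malware, "indicates", ts)]}


def round_trip(bundle: dict) -> dict:
    """Serialize and parse, as a TAXII server and client would on either side of the wire."""
    return json.loads(json.dumps(bundle))


def validate(bundle: dict) -> List[str]:
    """Consumer-side checks: required properties present and relationship refs resolve."""
    errors = []
    ids = {o.get("id") for o in bundle.get("objects", [])}
    for obj in bundle.get("objects", []):
        label = obj.get("id", "<no id>")
        for key in COMMON_REQUIRED + TYPE_REQUIRED.get(obj.get("type"), ()):
            if key not in obj:
                errors.append(f"{label}: missing {key}")
        if obj.get("type") == "relationship":
            for ref in ("source_ref", "target_ref"):
                if obj.get(ref) not in ids:
                    errors.append(f"{label}: dangling {ref} {obj.get(ref)}")
    return errors


def indicators_with_context(bundle: dict) -> List[Dict[str, str]]:
    """Follow 'indicates' relationships so each pattern is reported with what it indicates."""
    objs = {o["id"]: o for o in bundle["objects"]}
    out = []
    for rel in bundle["objects"]:
        if rel["type"] != "relationship" or rel["relationship_type"] != "indicates":
            continue
        ind, target = objs.get(rel["source_ref"]), objs.get(rel["target_ref"])
        if ind is None or target is None:
            continue  # dangling reference; validate() reports it
        out.append({"pattern": ind["pattern"], "indicates": target.get("name", ""),
                    "target_type": target["type"]})
    return out


if __name__ == "__main__":
    bundle = round_trip(build_sample_bundle())
    print("validation errors:", validate(bundle) or "none")
    for entry in indicators_with_context(bundle):
        print(f"{entry['pattern']}  indicates {entry['target_type']} '{entry['indicates']}'")
```

The relationship objects are the part that carries the context the page emphasizes: an indicator alone is a bare IOC, while the `indicates` link to a malware object tells the consumer what the match means. The dangling-reference check is worth keeping in any ingest path, since a feed that ships indicators without the objects they point at silently degrades into raw data again.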

Who Uses Cyber Threat Intelligence?

Threat intelligence serves a wide range of roles across an organization:

Building Your Threat Intelligence Practice

You do not need a large team or expensive tools to start benefiting from threat intelligence. Begin with these practical steps:

  1. Define your requirements. What do you need to know to do your job better? Start with three to five priority intelligence requirements.
  2. Curate your sources. Subscribe to high-quality, relevant intelligence sources. Start with free sources like CISA advisories, open-source threat reports, and curated newsletters like CyberGeoDigest.
  3. Adopt a framework. Map your detections to MITRE ATT&CK. Use the Diamond Model for intrusion analysis. This creates a shared language across your team.
  4. Operationalize intelligence. Intelligence that is not integrated into your workflows has no value. Feed IOCs into your security tools, brief your leadership, update your detection rules.
  5. Measure and iterate. Track how intelligence is used and whether it leads to better outcomes. Use feedback to refine your requirements and sources.

Staying informed about the evolving threat landscape is the foundation of any intelligence practice. Browse our archive to see how CyberGeoDigest covers geopolitical cyber threats every day, connecting nation-state operations to strategic context that security leaders need.
