Threat Intelligence
Threat intelligence (TI) is evidence-based knowledge about cybersecurity threats — including context, mechanisms, indicators, implications, and actionable advice — that helps organizations make informed security decisions.
Types of Threat Intelligence
Strategic
High-level intelligence for executives and decision-makers, focusing on threat trends, risk landscapes, and long-term planning.
Tactical
Details about adversary tactics, techniques, and procedures (TTPs) that defenders and detection engineers use to build specific countermeasures.
Operational
Information about specific, imminent attacks or ongoing campaigns that require immediate defensive action.
Technical
Indicators of compromise (IOCs) such as malicious IP addresses, domains, file hashes, and email addresses, consumed by automated detection tooling.
Sources of Threat Intelligence
- Open Source (OSINT): Publicly available threat reports, CVE databases, and social media
- Commercial Providers: Paid threat feeds and intelligence platforms
- Government/CERTs: National cybersecurity organizations and advisories
- Industry Sharing (ISACs): Sector-specific information sharing groups
- Internal Telemetry: An organization's own security logs and incident data
Applying Threat Intelligence
- Enrich SIEM alerts with contextual threat data
- Proactively hunt for indicators of known campaigns
- Prioritize vulnerability remediation based on active exploitation
- Inform detection engineering priorities with current threat actor TTPs
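The technical tier above (IOCs fed into automated detection) and the first two applications (enriching SIEM alerts, hunting for indicators of known campaigns) come down to the same mechanic: normalise the feed, index it, extract candidate tokens from logs, and attach the feed's context to every hit. The script below is an added illustration written for this page, not code from any TI platform or vendor. The IOC feed, the log lines, the campaign names and the confidence scores are all constructed for the demonstration and are not real indicators. It also generalises slightly beyond the text by matching a feed domain against any subdomain seen in a log, which is how most enrichment engines treat domain indicators.

```python
"""Match technical threat intelligence (IOCs) against log lines and enrich the hits.

Added example with a constructed IOC feed and constructed log lines; nothing here is a
real indicator. Shows the normalisation and lookup a SIEM enrichment step performs.
"""
import re
from collections import defaultdict

# Constructed IOC feed in the shape many TI platforms export (type, value, context).
IOC_FEED = [
    {"type": "ip", "value": "198.51.100.23", "source": "ISAC sharing group",
     "campaign": "Campaign-A (hypothetical)", "confidence": 90},
    {"type": "domain", "value": "Update-Check.Example.", "source": "OSINT report",
     "campaign": "Campaign-A (hypothetical)", "confidence": 70},
    {"type": "sha256", "value": "0123456789ABCDEF" * 4, "source": "internal incident data",
     "campaign": "Campaign-B (hypothetical)", "confidence": 95},
    {"type": "email", "value": "Invoice@Example.Test", "source": "commercial feed",
     "campaign": "Campaign-B (hypothetical)", "confidence": 60},
]

# Constructed log lines (proxy, EDR and mail gateway) for the demonstration.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z proxy src=10.0.0.5 dst=198.51.100.23 host=cdn.update-check.example url=/x",
    "2024-05-01T10:02:10Z edr host=ws-17 file=setup.exe sha256=" + "0123456789abcdef" * 4,
    "2024-05-01T10:03:00Z mail from=invoice@example.test to=bob@corp.example subject=Invoice",
    "2024-05-01T10:04:00Z proxy src=10.0.0.6 dst=198.51.100.230 host=www.example.org url=/",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b")


def normalise(ioc_type, value):
    """Canonical form so feed values and log tokens compare equal."""
    value = value.strip().lower()
    if ioc_type == "domain":
        value = value.rstrip(".")  # feeds often carry FQDNs with a trailing dot
    return value


def build_index(feed):
    """Map (type, normalised value) -> feed entries that provide context for a hit."""
    index = defaultdict(list)
    for entry in feed:
        index[(entry["type"], normalise(entry["type"], entry["value"]))].append(entry)
    return index


def domain_candidates(host):
    """A feed hit on a parent domain covers its subdomains: a.b.example -> [a.b.example, b.example]."""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def extract_tokens(line):
    """Yield (type, token) pairs found in one log line."""
    lowered = line.lower()
    for email in EMAIL_RE.findall(lowered):
        yield "email", email
    for digest in SHA256_RE.findall(lowered):
        yield "sha256", digest
    for ip in IP_RE.findall(lowered):
        yield "ip", ip
    for host in DOMAIN_RE.findall(lowered):
        if IP_RE.fullmatch(host):
            continue  # dotted quads were already handled as IPs, not domains
        for candidate in domain_candidates(host):
            yield "domain", candidate


def enrich_logs(logs, feed):
    """Return one enriched alert per (log line, matched indicator), in log order."""
    index = build_index(feed)
    alerts = []
    for line_no, line in enumerate(logs, start=1):
        seen = set()  # report each indicator once per line even if it appears twice
        for ioc_type, token in extract_tokens(line):
            key = (ioc_type, token)
            if key in seen or key not in index:
                continue
            seen.add(key)
            for entry in index[key]:
                alerts.append({
                    "line": line_no, "indicator": token, "type": ioc_type,
                    "source": entry["source"], "campaign": entry["campaign"],
                    "confidence": entry["confidence"],
                })
    return alerts


if __name__ == "__main__":
    for alert in enrich_logs(SAMPLE_LOGS, IOC_FEED):
        print(alert)
```

Running it produces four alerts: the proxy line hits both the IP and the campaign domain (via the `cdn.` subdomain), the EDR line hits the file hash, and the mail line hits the sender address; the last line is a near miss on purpose, since `198.51.100.230` must not match the `198.51.100.23` indicator. The confidence and source fields carried on each alert are what lets a SIEM rule or a hunter rank the hits rather than treat every feed entry as equally trustworthy.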