Cyber threat intelligence (CTI) is a part of cybersecurity that focuses on collecting, analyzing, and sharing information about potential or existing cyber threats. It gives organizations the information needed to predict, prevent, and respond to cyberattacks, enabling them to understand attackers' behavior, tactics, and the vulnerabilities they exploit.
Sources of cyber threat intelligence include open-source data, social media, operational and technical intelligence, device log files, forensic analysis, internet traffic, as well as data from the dark web and deep web.
Modern CTI programs stand out from just using raw security data because they combine technical monitoring, outside intelligence sources, and analysis methods to prepare specific and useful assessments about cyber threats aimed at particular organizations or business sectors.
Analytical interpretation gives context to attackers' actions, capabilities, and intentions, helping organizations set priorities and allocate security resources effectively. When companies base decisions on intelligence and analysis, they can act proactively instead of just reacting to security incidents, stopping breaches before they happen. This approach has become increasingly important in recent years, as IBM estimates that exploiting vulnerabilities is the most common way companies are breached, making up 47% of all attacks.
The COVID-19 pandemic and the rise in remote work have also contributed to increased vulnerability to threats, making corporate data more exposed. Due to growing threats on the one hand, and increasing analytical demands on the other, many companies have decided in recent years to outsource their threat analytics tasks to a managed security service provider (MSSP).
Cyber threat analytics has also become an important component of modern Security Operations Centers (SOCs), where threat intelligence data is used to enrich alerts, identify malicious infrastructure, and support incident response and threat hunting activities.
There are three levels of cyber threat intelligence: tactical, operational, and strategic. Each serves a distinct audience and purpose in building a comprehensive threat assessment.
Technical threat analysis focuses on machine-readable indicators of compromise (IoCs): malicious IP addresses, domain names, file hashes, and command-and-control (C2) servers or infrastructure. This enables automated detection and response. While the conventional distinction is between strategic, tactical, and operational analytics, some large organizations define technical threat analytics as a separate (fourth) category essential for Security Operations Centers (SOCs).
Some threat analytics platforms also distinguish between indicator-based analytics and behavior-based analytics. Indicator-based analytics focuses on specific technical artifacts: malicious IP addresses, file hashes, etc. Behavior-based analytics analyzes attackers' tactics and techniques to detect threats that may change their infrastructure or indicators over time.
Information about cybersecurity threats can be obtained from various sources: internal telemetry from security tools, network log data, endpoint system data, malware analysis, dedicated threat intelligence feeds from cybersecurity vendors, open-source intelligence (OSINT), dark web monitoring, and analytical reports from government agencies or private security firms. To obtain effective analytical insights, it is necessary to combine data from internal security tools with external technical and strategic reports to gain a more comprehensive view of the threat landscape.
The process of developing cyber threat intelligence is circular and continuous. Known as the intelligence cycle, it is composed of five phases, carried out by intelligence teams to provide leadership with relevant and usable intelligence that reduces danger and uncertainty.
The five phases are: 1) planning and direction; 2) collection; 3) processing; 4) analysis; 5) dissemination.
In planning and direction, the customer of the intelligence product requests intelligence on a specific topic or objective. Once directed by the client, the second phase, collection, begins: it involves accessing the raw information that will be required to produce the finished intelligence product. Since information is not intelligence, it must be transformed and therefore must go through the processing and analysis phases. In the processing (or pre-analytical) phase, the raw information is filtered and prepared for analysis through a series of techniques (decryption, language translation, data reduction, etc.); in the analysis phase, the organized information is transformed into intelligence. Finally, in the dissemination phase, the newly produced threat intelligence is sent to the various users for their use.
The intelligence cycle model in the field of cyber threat analysis is based on traditional intelligence methods used by military and government intelligence agencies, where structured analysis is employed to transform raw data into the insights needed for decision-making.
There are three key elements needed for information or data to qualify as threat intelligence:
Cybersecurity researchers also highlight other factors for good threat intelligence, such as accuracy, completeness, timeliness, compatibility, and relevance to the environment where it will be used.
Cyber threat intelligence provides a number of benefits, which include:
Threat analytics helps improve threat detection mechanisms by identifying attackers' methods and behavioral patterns that are not yet detected by automated security monitoring systems.
Organizations often deploy specialized software known as threat intelligence platforms (TIPs) to aggregate, analyze, and distribute threat intelligence data.
Threat intelligence platforms gather data from both internal and external sources, including security system telemetry, open-source intelligence feeds, malware repositories, vulnerability databases, and reports from security vendors. By aggregating and correlating indicators of compromise (IoCs) like malicious IP addresses, domain names, file hashes, and command-and-control infrastructure, these platforms help security professionals better understand threat contexts and identify the most significant threats.
TI platforms are commonly integrated with other cybersecurity systems. Integrations with tools such as security information and event management (SIEM) systems, endpoint detection and response (EDR) solutions, and incident response platforms enable automated alert enrichment and faster investigation of security incidents.
Threat intelligence platforms also support threat hunting and incident response by organizing indicators and intelligence reports within searchable repositories, allowing analysts to correlate events and identify patterns associated with specific campaigns or threat actors.
Some threat intelligence platforms use automated data pipelines and machine learning techniques to process large volumes of threat data and generate analytical insights for proactive cybersecurity strategies.
Modern programs for collecting and analyzing cyber threat intelligence rely on standardized formats that enable automated exchange between organizations and security tools, as well as the processing of analytical data.
STIX (Structured Threat Information Expression) is a standardized language for representing analytical information about cyber threats in a machine-readable format, allowing analysts to describe attackers, campaigns, vulnerabilities, and indicators within a structured data model.
Trusted Automated Exchange of Intelligence Information (TAXII) is a protocol for supporting the automated exchange of threat intelligence data, typically used to transmit intelligence in STIX format.
The Traffic Light Protocol (TLP) is widely used in the exchange of threat intelligence to determine how sensitive information is shared among members of trusted communities.
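The following added example (not part of the original article and not code from any STIX or TAXII implementation) builds a STIX 2.1 indicator with a TLP marking using plain dictionaries, and filters a bundle by TLP before it would be pushed to a TAXII collection. The pattern values, confidence scores and the use of a fresh uuid for the marking are assumptions made for the example.

```python
import uuid
from datetime import datetime, timezone

# Added example, not from the page: a STIX 2.1 indicator carrying a TLP marking,
# plus a filter that enforces TLP before objects are shared over TAXII.
# Plain dicts are used so it runs without the stix2 library.

TLP_RANK = {"white": 0, "green": 1, "amber": 2, "red": 3}  # least to most restrictive

def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")

def tlp_marking(level):
    # STIX 2.1 marking-definition with definition_type "tlp". The spec reserves fixed
    # ids for the four TLP markings; a fresh uuid is used here to stay self-contained.
    return {"type": "marking-definition", "spec_version": "2.1",
            "id": f"marking-definition--{uuid.uuid4()}", "created": _now(),
            "definition_type": "tlp", "name": f"TLP:{level.upper()}",
            "definition": {"tlp": level}}

def indicator(name, pattern, marking_id, confidence):
    # Indicator SDO: a STIX pattern rather than a bare IoC, a validity start,
    # producer confidence (0-100) and the marking that governs redistribution.
    ts = _now()
    return {"type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
            "created": ts, "modified": ts, "name": name, "pattern": pattern,
            "pattern_type": "stix", "valid_from": ts, "confidence": confidence,
            "object_marking_refs": [marking_id]}

def bundle(objects):
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}

def shareable(bundle_obj, max_level):
    # Objects a community cleared up to max_level may receive. Unmarked objects are
    # treated as TLP:RED (fail closed); a marking is kept only if a kept object uses it.
    markings = {o["id"]: o["definition"]["tlp"] for o in bundle_obj["objects"]
                if o["type"] == "marking-definition"}
    kept, used = [], set()
    for o in bundle_obj["objects"]:
        if o["type"] == "marking-definition":
            continue
        refs = o.get("object_marking_refs", [])
        levels = [TLP_RANK[markings[r]] for r in refs] or [TLP_RANK["red"]]
        if max(levels) <= TLP_RANK[max_level]:
            kept.append(o)
            used.update(refs)
    return kept + [o for o in bundle_obj["objects"] if o["id"] in used]
```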
Analysts use structured analytical models to understand the behavior of attackers and implement defensive measures.
The Cyber Kill Chain model, developed by Lockheed Martin, describes the stages of a cyberattack as a linear progression: reconnaissance, weaponization (preparation of attack tools), delivery, exploitation of vulnerabilities, installation, command and control, and actions on objectives. This framework helps defenders identify at which stage an attack can be disrupted.
The Diamond Model of Intrusion Analysis examines the relationships between four core features of any intrusion event: the adversary, their capabilities (tools and techniques), the infrastructure they use (domains, IP addresses, email addresses), and the victim. Using these relationships across multiple events, analysts can pivot between incidents, identify patterns, and attribute activity to specific threat actors or campaigns.
The MITRE ATT&CK framework is a knowledge base of adversary tactics and techniques based on real-world observations. It organizes attacker behavior into 14 tactics (the "why" of an action - initial access, persistence, privilege escalation, defense evasion, etc.), and hundreds of techniques (the "how" - specific methods used to achieve each tactic). Unlike the linear Cyber Kill Chain, ATT&CK provides a detailed matrix of adversary behaviors that can occur in any order or simultaneously. Security teams use ATT&CK to map threat intelligence to defensive controls, assess coverage gaps, conduct red team exercises, and build detections aligned with actual adversary tradecraft. It has become the de facto standard for describing and sharing operational threat intelligence.
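As an added example (not from the original article or from MITRE), the block below maps the techniques reported for tracked adversary clusters against a detection inventory to find the coverage gaps described above. The technique and tactic identifiers are real ATT&CK ids; the cluster profiles and the detection rule names are constructed.

```python
from collections import Counter

# Added example, not from the page: ATT&CK coverage-gap assessment. Technique and
# tactic ids are real ATT&CK identifiers; the actor profiles and detection
# inventory below are constructed for the example.

TECHNIQUE_TACTIC = {
    "T1566": ("Phishing", "TA0001 Initial Access"),
    "T1078": ("Valid Accounts", "TA0001 Initial Access"),
    "T1059": ("Command and Scripting Interpreter", "TA0002 Execution"),
    "T1053": ("Scheduled Task/Job", "TA0003 Persistence"),
    "T1003": ("OS Credential Dumping", "TA0006 Credential Access"),
    "T1021": ("Remote Services", "TA0008 Lateral Movement"),
    "T1071": ("Application Layer Protocol", "TA0011 Command and Control"),
    "T1486": ("Data Encrypted for Impact", "TA0040 Impact"),
}

# Constructed CTI: techniques reported per tracked cluster (neutral designators).
ACTOR_TECHNIQUES = {
    "CLUSTER-A": {"T1566", "T1059", "T1003", "T1021", "T1486"},
    "CLUSTER-B": {"T1078", "T1053", "T1021", "T1071"},
}

# Constructed detection inventory: rule name -> technique the rule is aligned with.
DETECTIONS = {
    "email-attachment-macro": "T1566",
    "lsass-access-from-nonsystem": "T1003",
    "beacon-like-http-periodicity": "T1071",
}

def coverage_gaps(actors, detections, mapping):
    # Techniques used by tracked actors with no aligned detection, ranked by how
    # many actors use them, each annotated with the tactic the gap sits in.
    covered = set(detections.values())
    uses = Counter(t for techs in actors.values() for t in techs)
    gaps = sorted(((t, n) for t, n in uses.items() if t not in covered),
                  key=lambda x: (-x[1], x[0]))
    return [{"technique": t, "name": mapping[t][0], "tactic": mapping[t][1], "actors": n}
            for t, n in gaps]

def coverage_ratio(actor, actors, detections):
    # Share of one actor's reported techniques that have at least one detection.
    techs = actors[actor]
    return len(techs & set(detections.values())) / len(techs)
```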
The increasing volume and velocity of cyber threat data have led organizations to automate significant parts of the threat intelligence lifecycle, including data collection, processing, correlation, and distribution. Automated threat intelligence systems typically ingest data from multiple sources, and then process and correlate this information to identify patterns of malicious activity.
Machine-readable standards and transport protocols (STIX and TAXII) are an important component of automated CTI systems.
Integration between threat intelligence platforms and security operations center (SOC) systems enables automated prioritization of alerts and enrichment of security events using intelligence indicators.
The drawback of automated analytics systems is that they can generate false positives or rely on low-quality indicators, which means analysts have to verify the results and provide a contextual interpretation. For this reason, many organizations adopt a hybrid model in which automated systems perform large-scale data processing while human analysts focus on interpretation, attribution, and strategic assessment of cyber threats.
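The added example below (not from the original article or any vendor's platform) shows the alert enrichment that a threat intelligence platform feeding a SIEM performs, as described in the platform and automation sections above, together with the feed hygiene that limits the false positives from expired or low-confidence indicators. The IoC feed, campaign labels and proxy log lines are constructed; the confidence threshold of 60 is an assumption.

```python
import re
from datetime import datetime, timezone

# Added example, not from the page: indicator-based enrichment of proxy log lines
# against a small IoC feed, with expiry and confidence filtering applied first.
# The feed entries, campaign names and log lines are all constructed.

IOC_FEED = [
    {"value": "bad.example", "kind": "domain", "confidence": 90,
     "expires": "2030-01-01T00:00:00Z", "campaign": "CAMPAIGN-1 (constructed)"},
    {"value": "203.0.113.7", "kind": "ip", "confidence": 35,
     "expires": "2030-01-01T00:00:00Z", "campaign": "CAMPAIGN-2 (constructed)"},
    {"value": "old.example", "kind": "domain", "confidence": 95,
     "expires": "2020-01-01T00:00:00Z", "campaign": "CAMPAIGN-3 (constructed)"},
]

PROXY_LOGS = [  # constructed key=value proxy events
    "ts=2025-03-01T10:00:00Z src=10.0.0.5 dst=203.0.113.7 host=bad.example status=200",
    "ts=2025-03-01T10:00:05Z src=10.0.0.8 dst=198.51.100.2 host=old.example status=200",
    "ts=2025-03-01T10:00:09Z src=10.0.0.9 dst=203.0.113.7 host=cdn.example status=304",
]

KV = re.compile(r"(\w+)=(\S+)")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def load_feed(feed, now_iso, min_confidence=60):
    # Index only usable indicators: expired entries and entries below the confidence
    # threshold are dropped before matching, which is where most feed noise comes from.
    now = parse_ts(now_iso)
    return {(i["kind"], i["value"]): i for i in feed
            if parse_ts(i["expires"]) > now and i["confidence"] >= min_confidence}

def enrich(log_line, index):
    # Parse the event and attach the matching IoC context so the analyst sees why
    # the event was flagged (campaign, confidence), not just that it matched.
    fields = dict(KV.findall(log_line))
    fields["matches"] = []
    for kind, key in (("ip", "dst"), ("domain", "host")):
        ioc = index.get((kind, fields.get(key)))
        if ioc:
            fields["matches"].append({"field": key, "ioc": ioc["value"],
                                      "campaign": ioc["campaign"],
                                      "confidence": ioc["confidence"]})
    return fields

def alerts(logs, feed, now_iso, min_confidence=60):
    index = load_feed(feed, now_iso, min_confidence)
    return [e for e in (enrich(line, index) for line in logs) if e["matches"]]
```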
Attribution is the process of identifying who conducted a cyber attack: the individual actors, organized groups, or nation-state sponsors behind an intrusion. In threat intelligence, attribution helps organizations understand adversary intent, prioritize defenses, anticipate future targeting, and inform strategic decisions. It also supports law enforcement investigations and policy responses.
Attribution relies on multiple evidence types: technical indicators (infrastructure, malware code), behavioral analysis (tactics, techniques, and operational tradecraft), linguistic artifacts, targeting patterns (victim selection and geopolitical alignment), and intelligence from human sources or signals intelligence.
However, attribution is inherently difficult and often remains probabilistic rather than definitive. Attackers routinely employ obfuscation techniques: using proxy infrastructure, VPNs, compromised intermediary systems, and stolen or leased tools. Advanced threat actors deliberately plant false flags by mimicking the TTPs, language, or infrastructure patterns of other groups to misdirect attribution efforts.
As a result, different threat intelligence vendors take varying approaches to attribution. Some explicitly attribute threat groups to specific nation-states or sponsoring organizations based on their analysis and confidence thresholds. Others intentionally avoid geopolitical attribution, instead documenting only observable, undisputable facts, such as language artifacts in malware, shared infrastructure, or technical capabilities, and tracking adversary clusters by neutral designators. Attribution assessments are typically expressed with varying levels of confidence (low, medium, high) rather than certainty, and erroneous conclusions can have diplomatic, legal, or strategic consequences.
In 2015 U.S. government legislation in the form of the Cybersecurity Information Sharing Act encouraged the sharing of CTI indicators between government and private organizations. This act required the U.S. federal government to facilitate and promote four CTI objectives:
In 2016, the U.S. government agency National Institute of Standards and Technology (NIST) issued a publication (NIST SP 800-150) which further outlined the necessity for Cyber Threat Information Sharing as well as a framework for implementation.
In addition to the United States, the exchange of real-time information on cyber threats is coordinated through international and industry organizations, such as Information Sharing and Analysis Centers (ISACs), which facilitate cooperation among companies in critical infrastructure sectors, including finance, energy, and transport.
Regulatory frameworks increasingly reference threat intelligence as a component of effective security programs. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities to conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (45 CFR 164.308(a)(1)(ii)(A)). The December 2024 HIPAA Security Rule NPRM proposed requiring regulated entities to conduct risk analyses that incorporate reasonably anticipated threats, which necessitates consumption of current threat intelligence feeds relevant to the healthcare sector.
The Cybersecurity and Infrastructure Security Agency (CISA) maintains the Known Exploited Vulnerabilities (KEV) catalog as a threat intelligence resource, and Binding Operational Directive 22-01 requires federal agencies to remediate cataloged vulnerabilities within defined timeframes. NIST Special Publication 800-53 includes the RA-5 (Vulnerability Monitoring and Scanning) and PM-16 (Threat Awareness Program) controls, recommending organizations maintain ongoing awareness of emerging threats through intelligence sharing and analysis.