
What is Cyber Threat Intelligence?

Last updated March 2026

Cyber threat intelligence (CTI) is the practice of collecting, processing, and analyzing information about current and emerging cyber threats to produce actionable insights that drive security decisions. Unlike raw threat data, which consists of unprocessed indicators like IP addresses and file hashes, threat intelligence adds context: who is attacking, what they are after, how they operate, and which organizations they target. The result is a knowledge product that helps security teams anticipate adversary behavior, prioritize defensive investments, and respond to incidents faster and more effectively.

Every organization generates or consumes threat data in some form, whether through firewall logs, vulnerability scanner output, or news about the latest ransomware campaign. What separates a mature security program from a reactive one is the ability to transform that data into intelligence, and then operationalize that intelligence across detection engineering, incident response, risk management, and offensive security testing. This is where a cyber threat intelligence program becomes essential. It is also why Praetorian Guard embeds threat intelligence as a core input to every testing engagement, ensuring that assessments focus on the adversaries and techniques that actually matter to your organization.

What Makes Threat Data Different from Threat Intelligence

A common misconception is that subscribing to a threat feed equals having a threat intelligence capability. In reality, raw data and finished intelligence sit at opposite ends of a maturity spectrum.

Threat data includes machine-readable artifacts: IP addresses flagged as malicious, file hashes associated with known malware, domain names linked to phishing campaigns, and vulnerability disclosures from CVE databases. This data is high-volume, often noisy, and lacks the context needed to drive decisions. A list of 50,000 suspicious IP addresses tells a SOC analyst very little without knowing which ones are relevant to the organization’s environment, which campaigns they are associated with, and how urgently they need blocking.

Threat intelligence takes that raw data and enriches it with analysis. An intelligence analyst might correlate a cluster of malicious domains with a specific threat actor, identify that the actor targets financial services companies in North America, link their tactics to documented MITRE ATT&CK techniques, and assess the likelihood of the actor shifting focus to adjacent industries. That finished product is something a CISO can act on: adjusting security budgets, briefing the board on risk, or directing the red team to emulate the identified adversary.

The progression from data to intelligence follows a well-established methodology called the intelligence lifecycle, and understanding it is key to building or evaluating any CTI program.

The Threat Intelligence Lifecycle

The intelligence lifecycle is a six-phase process adapted from military and government intelligence frameworks. Each phase feeds into the next, creating a continuous loop that keeps intelligence current and relevant.

1. Planning and Direction

Every intelligence effort begins with defining what needs to be answered. Security leaders work with stakeholders to identify priority intelligence requirements (PIRs), the specific questions the organization needs answered. Examples include: “Which ransomware groups are actively targeting healthcare organizations?” or “Are there active exploits for the vulnerabilities in our externally facing applications?”

Good planning prevents the most common CTI failure mode: producing intelligence that nobody uses. When requirements are vague or disconnected from business objectives, intelligence teams generate reports that sit unread. Effective planning ties intelligence production directly to decisions that security teams, executives, and operational staff need to make.

2. Collection

Collection involves gathering raw data from a wide range of sources. The quality and breadth of collection directly determine the quality of finished intelligence. Major source categories include:

  • Open-Source Intelligence (OSINT): Publicly available information from security blogs, vendor threat reports, government advisories (CISA, FBI, NCSC), academic research, and social media. OSINT forms the foundation of most CTI programs because of its accessibility and volume.
  • Human Intelligence (HUMINT): Insights gathered through relationships with industry peers, law enforcement contacts, information sharing communities, and trusted threat researchers. HUMINT often provides early warning of emerging threats before they appear in automated feeds.
  • Technical Intelligence: Data collected from sensors, including network telemetry, endpoint detection logs, malware sandboxes, honeypots, and DNS sinkholes. This source provides ground-truth data about attacks targeting the organization directly.
  • Dark Web and Underground Forums: Monitoring of criminal marketplaces, paste sites, and private forums where threat actors trade stolen data, sell access to compromised networks, and discuss targeting plans.
  • Information Sharing and Analysis Centers (ISACs): Industry-specific organizations like FS-ISAC (financial services), H-ISAC (healthcare), and E-ISAC (energy) that facilitate threat intelligence sharing among member organizations.
  • Commercial Threat Intelligence Feeds: Curated data from vendors like Mandiant, CrowdStrike, Recorded Future, and others who aggregate and analyze threat data at scale.

3. Processing

Raw collected data must be normalized, deduplicated, and structured before analysis can begin. Processing transforms heterogeneous inputs, such as a PDF threat report, a JSON feed of indicators, or a dark web forum post written in Russian, into a consistent format that analysts can work with. Automation plays a critical role here. Threat intelligence platforms (TIPs) ingest data from multiple sources, parse it into standardized formats like STIX (Structured Threat Information Expression), and enrich it with additional context such as geolocation, WHOIS records, or historical sighting data.
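As an added illustration of the processing phase (not code from the original article or from any TIP product), the following Python block takes a constructed, deliberately messy indicator feed, refangs and validates each value, collapses duplicates that differ only in case, whitespace or source, and emits STIX 2.1 Indicator objects. The `x_sources` property and the uuid5 id convention are local assumptions, not part of the STIX specification.

```python
"""Normalize a mixed, duplicated indicator feed into deduplicated STIX 2.1 Indicator objects."""
import re
import uuid
from datetime import datetime, timezone

# Constructed sample input: the kind of inconsistent data several feeds hand a TIP at once.
RAW_FEED = [
    {"source": "vendor-csv", "type": "ipv4", "value": "203.0.113.10", "confidence": 80},
    {"source": "osint-blog", "type": "ip", "value": "203.0.113.10 ", "confidence": 50},
    {"source": "isac-json", "type": "domain", "value": "Login-Example.Test.", "confidence": 70},
    {"source": "sandbox", "type": "sha256", "value": "A" * 64, "confidence": 90},
    {"source": "vendor-csv", "type": "sha256", "value": "a" * 64, "confidence": 60},
    {"source": "osint-blog", "type": "url", "value": "hxxp://login-example[.]test/x", "confidence": 40},
    {"source": "vendor-csv", "type": "ipv4", "value": "not-an-ip", "confidence": 80},
]

# STIX pattern templates keyed by the canonical observable kind.
PATTERNS = {
    "ipv4": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
    "url": "[url:value = '{v}']",
}
IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")
# Local convention (assumption): uuid5 over the pattern so re-ingesting a feed yields the same id.
ID_NAMESPACE = uuid.uuid5(uuid.NAMESPACE_URL, "example-tip-indicators")


def refang(value: str) -> str:
    """Undo the defanging conventions (hxxp, [.]) analysts use when sharing IoCs in prose."""
    return value.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def canonicalize(kind: str, value: str):
    """Map a feed's type label and value onto (canonical kind, value); None if validation fails."""
    value = refang(value.strip())
    if kind in ("ip", "ipv4"):
        return ("ipv4", value) if IPV4_RE.match(value) else None
    if kind == "domain":
        value = value.lower().rstrip(".")
        return ("domain", value) if DOMAIN_RE.match(value) else None
    if kind == "sha256":
        value = value.lower()
        return ("sha256", value) if SHA256_RE.match(value) else None
    if kind == "url":
        return ("url", value) if value.startswith(("http://", "https://")) else None
    return None


def normalize(feed):
    """Validate, deduplicate (keeping the highest confidence) and emit STIX 2.1 Indicators."""
    merged, rejected = {}, []
    for rec in feed:
        canon = canonicalize(rec["type"], rec["value"])
        if canon is None:
            rejected.append(rec)  # keep rejects for analyst review rather than silently dropping them
            continue
        kind, value = canon
        pattern = PATTERNS[kind].format(v=value)
        entry = merged.setdefault(pattern, {"confidence": 0, "sources": set()})
        entry["confidence"] = max(entry["confidence"], rec["confidence"])
        entry["sources"].add(rec["source"])
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    indicators = [{
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid5(ID_NAMESPACE, pattern)}",
        "created": now, "modified": now, "valid_from": now,
        "pattern": pattern, "pattern_type": "stix",
        "confidence": entry["confidence"],
        "x_sources": sorted(entry["sources"]),  # custom property, hence the x_ prefix
    } for pattern, entry in merged.items()]
    return indicators, rejected
```

Running `normalize(RAW_FEED)` collapses the seven input records into four indicators and one rejected record.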

4. Analysis

Analysis is where data becomes intelligence. Analysts evaluate processed data, identify patterns, assess adversary intent and capability, and produce assessments that answer the organization’s priority intelligence requirements. This phase requires human judgment, domain expertise, and structured analytic techniques to avoid cognitive biases.

Effective analysis addresses the “so what?” question. Rather than reporting that a new malware variant has been observed, analysis explains that the variant is used by a specific threat group known to target the organization’s industry, uses initial access techniques the organization’s current defenses may not detect, and represents an elevated risk requiring specific defensive actions.

This is exactly the kind of contextualized analysis that drives Praetorian Guard’s testing priorities. When intelligence reveals that a specific adversary group is pivoting to target your sector with a particular set of TTPs, Guard’s adversary emulation capabilities translate that intelligence into real-world testing, validating whether your defenses can actually detect and stop the identified threats.

5. Dissemination

Finished intelligence must reach the right people in the right format at the right time. Strategic intelligence reaches executives and board members as briefings and risk assessments. Tactical intelligence reaches detection engineers as MITRE ATT&CK mappings and detection rule recommendations. Technical intelligence reaches security tools as machine-readable IoCs pushed to SIEMs, firewalls, and endpoint detection platforms.

The best intelligence program in the world fails if its products don’t reach decision-makers or arrive too late to matter. Effective dissemination requires understanding each consumer’s needs, technical capabilities, and decision timelines.

6. Feedback

The final phase closes the loop. Intelligence consumers provide feedback on whether products answered their questions, arrived in time, and were actionable. This feedback refines collection priorities, adjusts analytic focus, and improves the relevance of future intelligence production. Without feedback, intelligence programs gradually drift away from organizational needs.

Types of Cyber Threat Intelligence

Threat intelligence is commonly categorized into four types based on the audience it serves and the level of detail it provides.

Strategic Intelligence

Strategic intelligence provides high-level analysis of threat trends, geopolitical risks, and industry-wide threat landscapes for executive decision-makers. It answers questions like “How is the ransomware threat evolving?” and “What geopolitical developments could increase cyber risk for our organization?” Strategic intelligence informs budget decisions, risk management strategies, and board-level reporting. It is typically delivered as written reports, briefings, or risk assessments and does not contain technical indicators.

Tactical Intelligence

Tactical intelligence describes adversary tactics, techniques, and procedures (TTPs) in enough detail for security architects and detection engineers to take action. Mapped to frameworks like MITRE ATT&CK, tactical intelligence identifies how specific adversaries gain initial access, move laterally, escalate privileges, and achieve their objectives. Security teams use tactical intelligence to build detection rules, design network segmentation, and prioritize security control investments.

Operational Intelligence

Operational intelligence delivers timely, actionable details about specific, imminent attacks or active campaigns. It might include information about a threat actor preparing a targeted phishing campaign against the organization’s industry, active exploitation of a newly disclosed vulnerability, or indicators suggesting pre-attack reconnaissance against the organization’s infrastructure. Operational intelligence drives immediate defensive actions such as blocking specific infrastructure, heightening monitoring for particular TTPs, or accelerating patching of targeted vulnerabilities.

Technical Intelligence

Technical intelligence consists of machine-readable indicators of compromise (IoCs), including malicious IP addresses, file hashes, domain names, email addresses, URLs, YARA rules, and Snort signatures. This intelligence integrates directly into security tools for automated detection and blocking. While technical intelligence is the most perishable type (attackers frequently rotate infrastructure), it provides the automated first line of defense that allows security tools to block known-bad activity without human intervention.

Indicators of Compromise vs. Tactics, Techniques, and Procedures

Understanding the distinction between IoCs and TTPs is fundamental to building effective threat intelligence programs, and it directly affects how organizations approach security testing.

Indicators of Compromise (IoCs) are specific, observable artifacts left behind by malicious activity. Examples include a file hash (SHA-256) associated with a known malware sample, an IP address hosting a command-and-control server, a domain name used in a phishing campaign, or a registry key created by a persistence mechanism. IoCs are useful for immediate detection and response, but they sit at the bottom of the “Pyramid of Pain” framework developed by David Bianco. Attackers can change IoCs easily and often, creating new domains, rotating IP addresses, or recompiling malware to produce new hashes. Defenders who rely exclusively on IoC-based detection are engaged in a continuous, losing race against adversary agility.

Tactics, Techniques, and Procedures (TTPs) describe how adversaries behave at a fundamental level. A tactic is the adversary’s goal (such as initial access or lateral movement). A technique is how they achieve that goal (such as spearphishing or pass-the-hash). A procedure is the specific implementation of a technique (such as using a particular tool or command sequence). TTPs sit at the top of the Pyramid of Pain because they are extremely difficult for adversaries to change. An attacker can rotate IP addresses in minutes, but fundamentally changing how they gain access to networks, move laterally, or exfiltrate data requires significant retooling and retraining.

This distinction is why Praetorian Guard’s security testing focuses on TTP-based validation rather than IoC matching. Testing whether your SIEM blocks a specific malicious IP address verifies a single, perishable indicator. Testing whether your detection stack identifies the behavioral patterns of credential dumping, lateral movement via remote services, or data staging for exfiltration validates your defenses against durable adversary behavior, regardless of which specific tools or infrastructure the attacker uses.

MITRE ATT&CK and Threat Intelligence

The MITRE ATT&CK framework has become the universal language for structuring and communicating threat intelligence. ATT&CK catalogs adversary behavior observed in real-world intrusions, organizing techniques into 14 tactical categories that span the full attack lifecycle from reconnaissance through impact.

For threat intelligence, ATT&CK provides several critical capabilities. It offers a standardized taxonomy so that when different organizations, vendors, and government agencies describe adversary behavior, they use the same technique identifiers. When CISA publishes an advisory about a threat group using T1566.001 (Phishing: Spearphishing Attachment) and T1003.001 (OS Credential Dumping: LSASS Memory), any security team worldwide can immediately understand the adversary’s methods and check their detection coverage.

ATT&CK also maintains threat group profiles that document the TTPs historically used by known adversary groups. These profiles enable intelligence-driven security testing: if threat intelligence identifies APT41 as a relevant adversary, security teams can pull APT41’s ATT&CK profile and systematically validate detection coverage for each documented technique. This is a core capability of Praetorian Guard’s adversary emulation program, which maps testing scenarios to ATT&CK-documented TTPs for the threat actors most relevant to each client’s risk profile.

Organizations increasingly use ATT&CK Navigator, an open-source visualization tool, to create heat maps showing detection coverage across the technique matrix. These heat maps reveal defensive blind spots, showing which adversary techniques the organization can detect and which remain invisible to current security controls.
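As an added example of the coverage check described above (my illustration, not a Praetorian or MITRE tool), this Python block takes a constructed list of techniques attributed to a priority adversary and a constructed detection-rule catalog, scores each technique as validated, rule-only or gap, and emits an ATT&CK Navigator layer that can be loaded to visualize the result. The technique set is illustrative rather than any real group's profile, and the version numbers in the layer header are assumptions.

```python
"""Score detection coverage against an adversary's ATT&CK techniques and emit a Navigator layer."""
import json

# Constructed sample: techniques an intelligence team attributes to a priority adversary.
# Illustrative only; this is not a claim about any real threat group's profile.
ADVERSARY_TECHNIQUES = {
    "T1566.001": "Phishing: Spearphishing Attachment",
    "T1059.001": "Command and Scripting Interpreter: PowerShell",
    "T1003.001": "OS Credential Dumping: LSASS Memory",
    "T1021.002": "Remote Services: SMB/Windows Admin Shares",
    "T1074.001": "Data Staged: Local Data Staging",
    "T1048.003": "Exfiltration Over Unencrypted Non-C2 Protocol",
}

# Constructed sample: the organization's detection rules and whether each has been validated by testing.
DETECTION_RULES = [
    {"name": "Macro-enabled attachment from external sender", "techniques": ["T1566.001"], "validated": True},
    {"name": "Encoded PowerShell command line", "techniques": ["T1059.001"], "validated": True},
    {"name": "LSASS handle opened by non-system process", "techniques": ["T1003.001"], "validated": False},
    {"name": "Admin share access from workstation", "techniques": ["T1021.002"], "validated": False},
]

# Score -> heat-map color: validated detection, rule exists but untested, no coverage.
SCORE_COLOR = {2: "#2e8b57", 1: "#ffd700", 0: "#d9534f"}


def coverage(adversary, rules):
    """Return {technique_id: score} where 2 = validated, 1 = rule only, 0 = gap."""
    best = {}
    for rule in rules:
        for tid in rule["techniques"]:
            best[tid] = max(best.get(tid, 0), 2 if rule["validated"] else 1)
    return {tid: best.get(tid, 0) for tid in adversary}


def gaps(adversary, rules):
    """Techniques with no detection at all: the first engineering and testing priorities."""
    return sorted(tid for tid, score in coverage(adversary, rules).items() if score == 0)


def validated_ratio(adversary, rules):
    """Fraction of the adversary's techniques backed by a validated detection."""
    scores = coverage(adversary, rules)
    return sum(1 for s in scores.values() if s == 2) / len(scores)


def navigator_layer(adversary, rules, name="Priority adversary coverage"):
    """Build an ATT&CK Navigator layer dict; version fields are assumptions for this example."""
    scores = coverage(adversary, rules)
    legend = (("validated", 2), ("rule only", 1), ("gap", 0))
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "2 = validated, 1 = rule exists but untested, 0 = no coverage",
        "techniques": [
            {"techniqueID": tid, "score": score, "color": SCORE_COLOR[score],
             "comment": adversary[tid], "enabled": True}
            for tid, score in sorted(scores.items())
        ],
        "legendItems": [{"label": label, "color": SCORE_COLOR[s]} for label, s in legend],
    }


if __name__ == "__main__":
    print(json.dumps(navigator_layer(ADVERSARY_TECHNIQUES, DETECTION_RULES), indent=2))
    print("gaps:", gaps(ADVERSARY_TECHNIQUES, DETECTION_RULES))
```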

How Threat Intelligence Drives Security Testing

One of the most valuable applications of threat intelligence is focusing offensive security testing on the threats that matter most. Without intelligence-driven prioritization, security teams risk spending time and resources testing against generic vulnerability lists or outdated attack scenarios while leaving defenses untested against the adversaries actively targeting their sector.

Adversary Emulation

Threat intelligence identifies which adversary groups target the organization’s industry and geography. Adversary emulation exercises then replicate those specific adversaries’ TTPs in controlled testing environments, validating whether defensive controls can detect and respond to realistic attack scenarios. This intelligence-to-testing pipeline ensures that security assessments directly address the organization’s actual threat landscape rather than theoretical risks.

Prioritized Penetration Testing

Intelligence about actively exploited vulnerabilities and trending attack techniques helps penetration testing teams focus on the most impactful attack vectors. Rather than methodically testing every possible vulnerability, intelligence-driven penetration tests prioritize the attack paths that real adversaries are currently using. This approach, often described as “All Signal, No Noise,” ensures that every finding represents a validated, relevant risk. Praetorian Guard’s Human + Machine approach combines automated discovery with human-verified exploitation, using threat intelligence to direct both the automated scanning layer and the expert manual testing that follows.

Breach and Attack Simulation

Breach and attack simulation (BAS) platforms execute thousands of attack techniques against production environments to measure detection coverage. Threat intelligence informs which technique sets to prioritize in BAS campaigns, ensuring that continuous validation focuses on the TTPs of adversaries relevant to the organization. Without threat intelligence input, BAS testing can devolve into undifferentiated coverage measurement that treats all techniques as equally important.

Attack Path Mapping

Threat intelligence about adversary objectives and preferred lateral movement techniques enables realistic attack path analysis. Rather than mapping every theoretically possible path through the environment, intelligence-driven attack path mapping focuses on the routes that relevant adversaries would actually take. Guard maps these attack paths based on documented threat actor behavior, showing organizations the specific chains of vulnerabilities and misconfigurations that a targeted adversary could exploit to reach critical assets.

Threat Intelligence Platforms and Integration

A Threat Intelligence Platform (TIP) is the technology backbone of a CTI program. TIPs aggregate data from multiple sources, normalize it into standard formats, automate enrichment and correlation, and distribute finished intelligence to consuming tools and teams.

Leading TIPs include platforms like Anomali ThreatStream, Recorded Future, ThreatConnect, MISP (open source), and OpenCTI (open source). These platforms provide several core capabilities:

  • Multi-source ingestion: Collecting indicators and reports from commercial feeds, OSINT, ISACs, and internal sources into a single repository.
  • Automated enrichment: Adding context to raw indicators by querying external databases for WHOIS data, geolocation, historical sightings, and related indicators.
  • Correlation and deduplication: Linking related indicators into clusters, identifying patterns, and eliminating duplicate data across sources.
  • STIX/TAXII support: Using Structured Threat Information Expression (STIX) for standardized data formatting and Trusted Automated Exchange of Intelligence Information (TAXII) for automated distribution.
  • Integration with security tools: Pushing indicators to SIEMs, SOAR platforms, firewalls, endpoint detection tools, and vulnerability management systems for automated detection and response.

The effectiveness of a TIP depends less on the platform itself and more on the processes built around it. A TIP that ingests millions of indicators but never produces actionable analysis is an expensive data lake, not an intelligence program.

Building vs. Buying a Threat Intelligence Program

Organizations face a fundamental choice: build an internal CTI capability, subscribe to external services, or pursue a hybrid approach.

Building an Internal Program

Building an internal program requires dedicated threat analysts, collection infrastructure, analytic tools, and processes for intelligence production and dissemination. The advantages include intelligence products tailored to the organization’s specific environment, deeper integration with internal security operations, and the ability to develop proprietary intelligence sources. The disadvantages are significant: qualified threat analysts are expensive and difficult to hire, building collection infrastructure takes time, and maintaining a comprehensive program requires sustained investment.

Internal programs make the most sense for large enterprises with dedicated security operations, organizations in highly targeted sectors like defense and financial services, and companies with unique threat profiles that generic intelligence services do not address.

Buying External Services

External threat intelligence services provide curated intelligence without the overhead of building internal capabilities. Commercial providers offer threat feeds, analyst reports, and platform access that cover broad threat landscapes. Many managed security service providers (MSSPs) and managed detection and response (MDR) vendors include threat intelligence as a component of their services.

The advantage of external services is speed to value. Organizations gain immediate access to intelligence produced by teams of experienced analysts with global visibility. The disadvantage is that external intelligence may lack the organizational specificity needed for optimal prioritization. A commercial report about ransomware trends is valuable but may not address the specific threat actors targeting your particular technology stack or business vertical.

The Hybrid Approach

Most organizations benefit from a hybrid approach that combines external intelligence services for broad coverage with internal processes for tailoring intelligence to organizational context. This is the model that Praetorian Guard embodies: Guard integrates threat intelligence from multiple sources, including Praetorian’s own offensive security research, to inform continuous testing that is specific to each client’s environment, industry, and threat profile. Rather than delivering generic threat reports, Guard operationalizes intelligence through real testing, validating whether the identified threats can actually compromise the client’s defenses.

How Praetorian Helps

Praetorian Guard integrates cyber threat intelligence directly into its unified managed offensive security service, closing the gap between knowing about threats and validating defenses against them. Guard combines attack surface management, breach and attack simulation, continuous penetration testing, vulnerability management, and adversary emulation, all informed by real-time threat intelligence.

Guard’s approach to threat intelligence is operational, not theoretical. Rather than delivering reports and leaving organizations to interpret the implications, Guard translates intelligence into action:

  • Intelligence-driven testing priorities. Guard continuously updates testing scenarios based on emerging threat intelligence. When new adversary campaigns target your industry, Guard adjusts its testing focus to validate your defenses against those specific threats.
  • Adversary emulation grounded in real TTPs. Guard’s red team operators emulate the actual tactics, techniques, and procedures of threat actors relevant to your risk profile, mapped to MITRE ATT&CK. This ensures that testing reflects how adversaries actually operate, not how they might theoretically attack.
  • Attack path mapping based on adversary behavior. Guard maps the specific paths through your environment that real threat actors would exploit, based on documented adversary behavior patterns and your unique infrastructure.
  • Human + Machine fusion. Guard combines AI-powered automation for continuous discovery and initial analysis with expert human verification for every finding. The result is zero false positives, or as Praetorian describes it, “All Signal, No Noise.” Every finding represents a validated, exploitable risk informed by current threat intelligence.
  • Continuous feedback loop. As Guard’s operators test and validate, the findings feed back into the intelligence process, refining the understanding of which threats are most relevant and which defenses are most effective for your specific environment.

For organizations that lack the resources to build a dedicated threat intelligence team, Guard provides the intelligence-driven security testing capability that would otherwise require significant headcount and infrastructure investment.

Frequently Asked Questions