What Is Cyber Threat Intelligence (CTI)? Types and Use Cases
Cyber threat intelligence (CTI) explained — the four types, the CTI lifecycle, where intelligence comes from, and how organizations turn it into action.
Modern cybersecurity is overwhelmed by data. Logs, alerts, scans, and feeds pile up faster than any team can process them. The difference between organizations that drown and organizations that defend successfully is rarely how much information they collect — it is how well they turn that information into decisions. That is the job of cyber threat intelligence.
Cyber threat intelligence — CTI — is the analyzed, contextual knowledge about threats that helps a defender decide what to do next. Done well, it tells security teams which threats matter, which signs to watch for, and which actions to take. Done poorly, it is just another feed nobody reads.
This guide explains what CTI is, the four types security teams work with, where intelligence comes from, the lifecycle that produces it, and the use cases that make it actually valuable. Use the links throughout for deeper context on related topics.
What Is Cyber Threat Intelligence?
Cyber threat intelligence is evidence-based knowledge — including context, mechanisms, indicators, implications, and recommended action — about an existing or emerging threat. The classic definition captures the essential idea: intelligence is what you get when raw information is collected, processed, analyzed, and packaged so a decision-maker can act on it.
That last step matters. A list of malicious IP addresses is data. A briefing that explains which adversary uses those IPs, what their goals are, and how to detect and block them is intelligence. CTI sits at the layer where data becomes operational knowledge.
Why CTI Matters
Without intelligence, security teams treat every threat as equally likely and equally severe. That is not how attackers operate. A ransomware crew targeting healthcare in one quarter is not running the same playbook as a nation-state collecting against government contractors in another. Generic defense addresses neither well.
CTI makes defense specific. It tells executives where to invest. It tells SOC analysts which detections to prioritize. It tells incident responders which adversary they are likely facing and how that adversary tends to behave once inside. That specificity is the difference between scattered effort and focused defense.
The Four Types of Cyber Threat Intelligence
CTI is conventionally divided into four overlapping types, organized by audience and time horizon.
Strategic intelligence is high-level, consumed by executives, board members, and senior leaders. It covers long-term trends, geopolitical drivers of cyber risk, sector-wide threat patterns, and regulatory developments. Its output is usually narrative — briefings and reports rather than data feeds — and its purpose is to inform investment and policy.
Operational intelligence describes specific campaigns and the threat actors behind them. Which group is targeting which industries this quarter, what their objectives are, and how their operations unfold. It is consumed by security leadership and incident response teams to anticipate attacks and prepare playbooks.
Tactical intelligence describes the tactics, techniques, and procedures (TTPs) that adversaries use. It is consumed by defenders building detections, hardening systems, and writing response procedures. The MITRE ATT&CK framework is the most widely used taxonomy for tactical intelligence.
Technical intelligence is the most granular layer — specific indicators of compromise such as malicious IP addresses, domain names, URLs, and file hashes. It is fed into automated detection tools and consumed by SOC analysts hunting known threats. Technical intelligence has the shortest shelf life of the four types; attackers rotate infrastructure constantly.

The Cyber Threat Intelligence Lifecycle
Producing intelligence is a repeating cycle, not a one-time activity. Most CTI programs follow some version of the six-stage lifecycle.
Direction. Define the questions intelligence is meant to answer. Without clear collection requirements, CTI programs default to collecting everything and producing nothing useful.
Collection. Gather raw information from relevant sources — internal telemetry, OSINT, commercial feeds, ISACs, government advisories, partner reporting, and so on.
Processing. Normalize the raw material: deduplicate, translate, enrich, parse, and structure it so it can be analyzed.
Analysis. Turn processed data into intelligence. Analysts evaluate credibility, draw conclusions, and produce findings tailored to specific consumers.
Dissemination. Deliver intelligence to the right people in the right form — a one-line indicator into a SIEM, a brief into an executive's inbox, or a playbook into an IR team.
Feedback. Did the intelligence help? What was missing? Feedback shapes the next cycle of direction and collection.
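To make the processing stage concrete, here is an added example (written for this article, not code from any CTI product or vendor) of what "normalize, deduplicate, enrich, parse, and structure" looks like in practice. It takes constructed raw feed lines from three hypothetical sources, undoes common defanging, classifies each line as an IP, domain, URL or hash, merges duplicates across sources, and attaches an assumed per-source confidence so the analysis stage receives structured records rather than text. The source names, confidence values and indicator values are all invented for the example.

```python
"""Added example: a minimal CTI 'processing' stage.

Raw feed lines (constructed sample data below) are refanged, classified,
deduplicated across sources, and tagged with a per-source confidence.
Nothing here is real threat data; the values are placeholders."""
import re
from dataclasses import dataclass, field, asdict

# Constructed sample feed content: three hypothetical sources with overlap.
RAW_FEEDS = {
    "vendor-feed-A": [
        "198.51.100[.]23",                         # defanged IPv4
        "hxxp://malicious-example[.]test/payload.bin",
        "0123456789abcdef0123456789abcdef",         # placeholder MD5
    ],
    "isac-bulletin": [
        "198.51.100.23",                            # same IP, plain formatting
        "malicious-example.test",
        "  203.0.113.7  ",                          # stray whitespace
    ],
    "internal-ir-notes": [
        "hxxps://malicious-example[.]test/login",
        "0123456789ABCDEF0123456789ABCDEF",         # same hash, upper case
        "not an indicator at all",                  # analyst free text
    ],
}

# Assumed confidence per source (0-100); a real program sets these
# from the direction stage, not from a hard-coded table.
SOURCE_CONFIDENCE = {"vendor-feed-A": 70, "isac-bulletin": 80, "internal-ir-notes": 95}

@dataclass
class Indicator:
    ioc_type: str
    value: str
    sources: list = field(default_factory=list)
    confidence: int = 0

def refang(raw: str) -> str:
    """Undo common defanging: hxxp -> http, [.] or (.) -> ., strip whitespace."""
    s = raw.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".")

IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")
URL_RE = re.compile(r"^https?://\S+$", re.IGNORECASE)

def classify(value: str):
    """Return (ioc_type, canonical_value), or None if the line is not an indicator."""
    if IPV4_RE.match(value):
        return "ipv4", value
    if MD5_RE.match(value.lower()):
        return "md5", value.lower()          # hashes are case-insensitive
    if URL_RE.match(value):
        return "url", value                  # keep the path as written
    if DOMAIN_RE.match(value.lower()):
        return "domain", value.lower()
    return None

def process_feeds(feeds: dict) -> list:
    """Normalize, classify, deduplicate and enrich raw feed lines."""
    merged = {}  # (ioc_type, value) -> Indicator
    for source, lines in feeds.items():
        for raw in lines:
            parsed = classify(refang(raw))
            if parsed is None:
                continue                     # drop what cannot be structured
            ind = merged.setdefault(parsed, Indicator(*parsed))
            if source not in ind.sources:
                ind.sources.append(source)   # record corroboration
            # Confidence: the best corroborating source wins.
            ind.confidence = max(ind.confidence, SOURCE_CONFIDENCE.get(source, 50))
    return sorted(merged.values(), key=lambda i: (i.ioc_type, i.value))

if __name__ == "__main__":
    for ind in process_feeds(RAW_FEEDS):
        print(asdict(ind))
```

Nine raw lines become six structured indicators: the two renderings of the IP and the two casings of the hash collapse into single records that remember every source that reported them, which is exactly the corroboration an analyst needs at the next stage.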
Where Threat Intelligence Comes From
The raw material of CTI flows from several distinct source types, each with different trade-offs in coverage, freshness, and reliability.
- Open-source intelligence (OSINT) — public reporting, vendor research, conference talks, public malware repositories, and social media. Broad coverage, variable quality.
- Commercial threat intelligence feeds — paid feeds and platforms from vendors that aggregate, analyze, and curate threat data. Higher quality and faster than free sources, with significant variation across providers.
- Information Sharing and Analysis Centers (ISACs) — sector-specific communities where members share threat information among themselves and with government partners. Particularly strong for industry-specific threats.
- Government sources — advisories and bulletins from agencies such as CISA, the FBI, and equivalent bodies in other countries.
- Dark web and underground forums — direct observation of criminal marketplaces, leak sites, and discussion forums where attackers operate.
- Internal telemetry — logs, alerts, and incident data from inside the organization, often the highest-fidelity source available because it describes attacks the organization is actually facing.

How Organizations Use CTI
CTI is only useful if it gets translated into specific actions. The common use cases include:
Detection engineering. Convert tactical and technical intelligence into detection rules in the SIEM, EDR, or IDS. Every new TTP described by a credible source becomes a candidate detection.
Threat hunting. Form hypotheses about likely adversary behavior based on intelligence about which actors target the organization, then proactively hunt for those behaviors in internal data.
Incident response. During an active incident, intelligence about the suspected adversary informs containment and remediation. Knowing whether you are facing an opportunistic criminal or a patient state actor shapes the response.
Vulnerability prioritization. Intelligence on which vulnerabilities are being actively exploited in the wild is one of the most effective signals for deciding which patches to apply first.
Executive risk decisions. Strategic intelligence informs investment decisions — which controls to build, which insurance to carry, which regions to operate in.
Brand and exposure monitoring. Watching dark web forums and leak sites for mentions of the organization, its employees, or its customers can provide early warning of compromised credentials or planned attacks.
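The detection engineering use case above, and the point made earlier that technical indicators have the shortest shelf life, are easier to see in code. The following is an added example written for this article (not the page's own code or any vendor's): enriched indicators carrying actor, confidence and an expiry date are compiled into a ruleset that ignores expired or low-confidence entries, then run over constructed proxy log lines so that each alert carries the context that makes it intelligence rather than a bare IOC match. Actor names, dates, log lines and indicator values are all invented for the example.

```python
"""Added example: turning technical intelligence into a detection.

Indicators carry context (actor, confidence, valid_until); the matcher
drops expired and low-confidence entries before matching log events.
All indicators and log lines are constructed placeholders."""
import re
from datetime import date

# Constructed enriched indicators, as the analysis stage might hand them over.
INDICATORS = [
    {"type": "ipv4", "value": "198.51.100.23", "actor": "Example-Actor-1",
     "confidence": 80, "valid_until": "2024-09-30",
     "context": "C2 node used in a phishing campaign against our sector"},
    {"type": "domain", "value": "malicious-example.test", "actor": "Example-Actor-1",
     "confidence": 95, "valid_until": "2024-12-31",
     "context": "Payload staging domain"},
    {"type": "ipv4", "value": "203.0.113.7", "actor": "unknown",
     "confidence": 30, "valid_until": "2024-12-31",
     "context": "Low-confidence scanner IP from an open feed"},
]

# Constructed proxy log lines: timestamp followed by key=value fields.
SAMPLE_LOGS = [
    "2024-10-01T08:00:01Z proxy src=10.0.0.5 dst=198.51.100.23 host=- action=allow",
    "2024-10-01T08:00:02Z proxy src=10.0.0.6 dst=93.184.216.34 host=www.example.com action=allow",
    "2024-10-01T08:00:03Z proxy src=10.0.0.7 dst=192.0.2.9 host=cdn.malicious-example.test action=allow",
    "2024-10-01T08:00:04Z proxy src=10.0.0.8 dst=203.0.113.7 host=- action=allow",
]

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_log(line: str) -> dict:
    """Split a key=value log line into a dict; the first token is the timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields

def build_ruleset(indicators, today_iso: str, min_confidence: int = 50):
    """Compile only live, sufficiently confident indicators into lookup tables."""
    today = date.fromisoformat(today_iso)
    ips, domains = {}, {}
    for ind in indicators:
        if date.fromisoformat(ind["valid_until"]) < today:
            continue                          # expired: shelf life is over
        if ind["confidence"] < min_confidence:
            continue                          # too weak to alert on by itself
        if ind["type"] == "ipv4":
            ips[ind["value"]] = ind
        elif ind["type"] == "domain":
            domains[ind["value"]] = ind
    return ips, domains

def host_matches(host: str, domains: dict):
    """Match the exact domain or any subdomain (cdn.malicious-example.test)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return domains[candidate]
    return None

def detect(log_lines, indicators, today_iso: str, min_confidence: int = 50) -> list:
    """Run the compiled ruleset over log lines; each alert keeps the IOC's context."""
    ips, domains = build_ruleset(indicators, today_iso, min_confidence)
    alerts = []
    for line in log_lines:
        ev = parse_log(line)
        hit = ips.get(ev.get("dst", "")) or host_matches(ev.get("host", "-"), domains)
        if hit:
            alerts.append({
                "ts": ev["ts"], "src": ev.get("src"), "matched": hit["value"],
                "actor": hit["actor"], "confidence": hit["confidence"],
                "context": hit["context"],
            })
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS, INDICATORS, "2024-10-01"):
        print(alert)
```

Run with the assumed date of 2024-10-01, only the staging-domain hit fires: the C2 IP has passed its expiry and the scanner IP sits below the confidence threshold, so neither produces an alert, whereas a raw IOC list forwarded into the SIEM would have fired on all three. Rerunning with an earlier date brings the C2 indicator back into scope, which is the shelf-life behaviour the text describes.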
Common CTI Pitfalls
Most CTI programs that fail do so for the same handful of reasons. Recognizing them early is the cheapest way to avoid them.
Collecting without direction. Subscribing to a dozen feeds because they are available, then drowning in volume. Without clear collection requirements, more data makes the problem worse.
Mistaking data for intelligence. Raw IOC lists forwarded to operators as "intelligence" are not intelligence; they are data, and they produce alert fatigue.
Failing to operationalize. Producing excellent reports that nobody actually uses. Intelligence is valuable only if it changes behavior — detections written, patches prioritized, decisions made.
Treating CTI as a tool, not a discipline. Buying a threat intelligence platform does not produce intelligence any more than buying a microscope produces biology. The platform is plumbing; the analysis is the work.
Conclusion
Cyber threat intelligence at its best is unglamorous work: collection requirements written, sources curated, reports written, feedback gathered, repeat. Done well, it shrinks the gap between attackers and defenders — letting security teams anticipate threats specific to them rather than reacting to whatever happens to land in the alert queue.
The organizations that get the most from CTI are not the ones with the biggest budgets or the most feeds. They are the ones with the clearest collection requirements, the tightest links between intelligence and action, and the discipline to drop sources that do not contribute. CTI is a force multiplier when it is treated as a craft, not a subscription.
Frequently Asked Questions (FAQ)
What is cyber threat intelligence (CTI)?
Cyber threat intelligence is evidence-based, analyzed knowledge about existing or emerging cyber threats — including the actors behind them, their motivations, and their techniques — that helps defenders make better security decisions.
What is the difference between threat data and threat intelligence?
Threat data is raw information — a list of suspicious IPs, a feed of malware hashes. Threat intelligence is what you get after that data has been analyzed and contextualized so a decision-maker can act on it.
What are the four types of cyber threat intelligence?
Strategic (high-level, for executives), operational (specific campaigns and actors), tactical (TTPs), and technical (specific indicators of compromise).
Where does cyber threat intelligence come from?
Common sources include open-source intelligence (OSINT), commercial threat feeds, ISACs, government advisories, dark web monitoring, and the organization's own internal telemetry.
Do small organizations need a CTI program?
Yes, but at a scale that fits their size. Most do not need an in-house intelligence team — joining a sector ISAC, subscribing to a few high-quality feeds, and following the threats most relevant to their industry is enough to be meaningfully better defended than going without.
What is a CTI platform?
A CTI platform (or threat intelligence platform, TIP) is software that aggregates, normalizes, enriches, and shares threat intelligence across security tools. It is plumbing for an intelligence program rather than a substitute for the analytical work that produces actual intelligence.