RedSheep Security
Foundations — Lesson 1 of 10

What Is Cyber Threat Intelligence?

Cyber Threat Intelligence (CTI) is a discipline that transforms raw data about cyber threats into actionable knowledge that organizations use to make informed security decisions. This lesson introduces the foundational concepts of CTI, explains how it differs from raw security data, and establishes why it has become an essential function in modern cybersecurity operations.

Learning Objectives

  • Define Cyber Threat Intelligence using established industry definitions
  • Distinguish between data, information, and intelligence
  • Identify the key consumers of CTI within an organization
  • Understand how CTI differs from traditional cybersecurity approaches
  • Recognize common misconceptions about threat intelligence

Defining Cyber Threat Intelligence

Multiple authoritative definitions exist for Cyber Threat Intelligence. Understanding several of them provides a more complete picture of what CTI encompasses.

Gartner's Definition (2014): "Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard."

This definition highlights several critical elements: the intelligence must be evidence-based, it must include context, and it must be actionable — meaning it can directly inform decisions.

Other established definitions reinforce these themes:

  • SANS Institute describes CTI as the collection, classification, and exploitation of knowledge about adversaries to reduce an attacker's advantage.
  • NIST SP 800-150 (Guide to Cyber Threat Information Sharing, 2016) defines threat intelligence as threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes.
  • CISA frames it as information about threats and threat actors that helps organizations identify, assess, and mitigate cyber risks.

The common thread across all definitions is the transformation of raw threat data into something that supports decision-making. Intelligence without a decision it supports is just trivia.

Data, Information, and Intelligence

One of the most important distinctions in CTI is the hierarchy from raw data to finished intelligence. These terms are not interchangeable.

Data
  Definition: Raw, unprocessed facts without context
  CTI Example: A firewall log entry showing a connection to 203.0.113.45

Information
  Definition: Data that has been organized or structured to provide meaning
  CTI Example: That IP address is associated with a known command-and-control server, first reported by a threat feed

Intelligence
  Definition: Information that has been analyzed, contextualized, and assessed to support a specific decision
  CTI Example: The C2 server is operated by a financially motivated group targeting healthcare organizations using a specific ransomware variant; your organization matches their targeting profile; here are detection and mitigation steps

The transformation from data to intelligence requires analysis — a human (or human-guided) process that adds context, assesses relevance, evaluates reliability, and produces judgments. Simply subscribing to a threat feed does not produce intelligence. Feeds produce data and information. The analysis your team performs on that data is what creates intelligence.
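The three levels above can be walked through in code. The following Python script is an added illustration, not code from the lesson or from RedSheep Security: it parses constructed firewall log lines (data), enriches any destination found in a constructed threat feed (information), and then assesses each hit against a constructed organization profile to produce a judgement and a recommended action (intelligence). The actor name EXAMPLE-GROUP-1, the malware name ExampleLocker, the feed fields and the host names are all hypothetical sample values, and the IP addresses come from the documentation ranges. The confidence and age gates in the enrichment step are the vetting that distinguishes a curated feed from an indicator dump.

```python
"""Added illustration of data -> information -> intelligence (not from the lesson).
Every input below is a constructed sample: the log lines, the feed, the actor
EXAMPLE-GROUP-1, the malware ExampleLocker and the organisation profile."""
from dataclasses import dataclass
from datetime import date
import re

# Level 1, DATA: constructed firewall log lines with no threat context at all.
FIREWALL_LOG = [
    "2024-05-02T10:14:03Z DENY src=10.0.5.17 dst=203.0.113.45 dport=443 proto=tcp",
    "2024-05-02T10:14:09Z ALLOW src=10.0.5.22 dst=198.51.100.7 dport=443 proto=tcp",
    "2024-05-02T10:15:41Z ALLOW src=10.0.5.17 dst=203.0.113.45 dport=8443 proto=tcp",
]
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) "
                    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
TODAY = date(2024, 5, 2)  # constructed analysis date so the staleness check is reproducible


def parse_log(lines):
    """Structure the raw lines. Still data: nothing here says whether an IP is bad."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records


# Level 2, INFORMATION: a constructed feed that gives an indicator meaning.
@dataclass
class FeedEntry:
    indicator: str
    kind: str               # "c2", "scanner", ...
    actor: str
    motivation: str
    targeted_sectors: tuple
    malware: str
    confidence: int         # 0-100 as reported by the hypothetical feed vendor
    last_seen: date


THREAT_FEED = {
    "203.0.113.45": FeedEntry("203.0.113.45", "c2", "EXAMPLE-GROUP-1", "financial",
                              ("healthcare", "education"), "ExampleLocker", 85, date(2024, 4, 28)),
    "198.51.100.7": FeedEntry("198.51.100.7", "scanner", "unknown", "unknown",
                              (), "", 30, date(2023, 1, 10)),
}


def enrich(records, feed, today, min_confidence=60, max_age_days=90):
    """Attach feed context to matching records. The confidence and age gates are the
    vetting step: a feed dumped straight into a SIEM is noise, not information."""
    hits = []
    for rec in records:
        entry = feed.get(rec["dst"])
        if entry is None:
            continue
        if entry.confidence < min_confidence or (today - entry.last_seen).days > max_age_days:
            continue
        hits.append((rec, entry))
    return hits


# Level 3, INTELLIGENCE: analysis against *this* organisation, ending in a decision.
@dataclass
class OrgProfile:
    sector: str
    internal_hosts: dict    # ip -> description, so the recommendation names real assets


def assess(hits, org):
    """Judge relevance to our organisation and recommend an action for each hit."""
    findings = []
    for rec, entry in hits:
        relevant = entry.kind == "c2" and org.sector in entry.targeted_sectors
        host = org.internal_hosts.get(rec["src"], "unknown host")
        if relevant and rec["action"] == "ALLOW":
            priority, action = "high", (f"Isolate {rec['src']} ({host}), hunt for {entry.malware} "
                                        f"artifacts, block {entry.indicator} at egress")
        elif relevant:
            priority, action = "medium", (f"Egress to {entry.indicator} was denied; review "
                                          f"{rec['src']} ({host}) for how it was reached")
        else:
            priority, action = "low", "Log and monitor"
        findings.append({
            "host": rec["src"], "indicator": entry.indicator, "actor": entry.actor,
            "priority": priority, "action": action,
            "judgement": (f"{entry.actor} ({entry.motivation} motivation) targets "
                          f"{', '.join(entry.targeted_sectors)}; our sector is {org.sector}"),
        })
    return findings


def run_pipeline(today=TODAY):
    """Run data -> information -> intelligence over the constructed inputs."""
    org = OrgProfile("healthcare", {"10.0.5.17": "nurse-station-03"})
    return assess(enrich(parse_log(FIREWALL_LOG), THREAT_FEED, today), org)
```

Running `run_pipeline()` yields two findings for 203.0.113.45 and none for 198.51.100.7, whose feed entry fails both the confidence and the age gate. The difference between the two findings (a denied connection versus an allowed one from a named host) is exactly the kind of judgement a feed cannot make on its own: it needs the organization's profile and asset context.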

Why CTI Matters

Organizations face a volume of threats that no security team can address without prioritization. CTI provides the basis for that prioritization by answering fundamental questions:

  • Who is targeting organizations like ours?
  • Why are they targeting us (motivation)?
  • How do they operate (tactics, techniques, and procedures)?
  • What should we look for (indicators and behaviors)?
  • When should we expect activity (campaign timelines, geopolitical triggers)?

Without CTI, security teams operate reactively — responding to alerts without understanding whether they represent isolated events or part of a coordinated campaign. With CTI, teams can anticipate threats, prioritize defenses, and allocate resources toward the most likely and impactful risks.

Business Impact

CTI directly supports several business outcomes:

  • Reduced mean time to detect (MTTD) by providing detection content based on known adversary behaviors
  • Informed risk management by identifying which threats are most relevant to the organization
  • Optimized security spending by focusing investment on the threats that matter most
  • Regulatory compliance in sectors that require threat-informed defense (e.g., DFARS, CMMC for defense contractors)
  • Executive communication by translating technical threats into business risk language

Who Uses CTI

CTI serves multiple audiences within an organization, each with different needs.

SOC Analysts
  What they need: IOCs, detection rules, alert context
  How they use it: Triage alerts faster, reduce false positives, understand what they are seeing

Incident Responders
  What they need: TTPs, adversary playbooks, forensic artifacts
  How they use it: Scope incidents, identify lateral movement, determine attacker objectives

Threat Hunters
  What they need: Hypotheses, behavioral patterns, TTP-based queries
  How they use it: Proactively search for adversary activity that evades automated detection

Vulnerability Management
  What they need: Exploit intelligence, threat-informed patching
  How they use it: Prioritize patching based on active exploitation rather than CVSS alone

Security Leadership (CISO)
  What they need: Strategic assessments, threat trends, risk context
  How they use it: Make investment decisions, report to the board, align security with business risk

Executive Leadership
  What they need: Business risk summaries, geopolitical threat context
  How they use it: Understand organizational risk posture in plain language

A mature CTI program produces different products for each audience. Sending raw IOC lists to a CISO is as ineffective as sending a strategic geopolitical briefing to a SOC analyst triaging alerts.

The Intelligence Cycle — A Preview

CTI follows a structured methodology borrowed from traditional intelligence disciplines (military and national intelligence). This methodology is called the Intelligence Cycle, and it consists of six phases:

  1. Direction and Planning — Define what you need to know (intelligence requirements)
  2. Collection — Gather raw data from relevant sources
  3. Processing — Normalize, deduplicate, and structure the collected data
  4. Analysis — Apply reasoning to produce judgments and assessments
  5. Dissemination — Deliver finished intelligence to the right consumers in the right format
  6. Feedback — Evaluate whether the intelligence met the consumer's needs

The Intelligence Cycle is covered in depth in the next lesson. The key point here is that CTI is not ad hoc — it follows a repeatable, structured process.

CTI vs. Traditional Cybersecurity

CTI is not a replacement for traditional security operations — it enhances them. Understanding the distinction helps clarify where CTI fits.

Traditional Security: Alert-driven, reactive
Cyber Threat Intelligence: Threat-informed, proactive

Traditional Security: Focuses on defending all assets equally
Cyber Threat Intelligence: Prioritizes defense based on likely adversaries

Traditional Security: Relies on signature-based detection
Cyber Threat Intelligence: Incorporates behavioral and TTP-based detection

Traditional Security: Asks "What happened?"
Cyber Threat Intelligence: Asks "Who did it, why, and what will they do next?"

Traditional Security: Measures coverage (% of assets protected)
Cyber Threat Intelligence: Measures relevance (are we defending against the right threats?)

CTI is a force multiplier. It makes SOC analysts more effective at triage, incident responders faster at scoping, and hunters more targeted in their searches.

Common Misconceptions

"CTI is just threat feeds"

Threat feeds provide data — lists of known-bad IPs, domains, and hashes. While feeds are a valuable input to the intelligence process, they are not intelligence by themselves. Intelligence requires analysis and context.

"CTI is only for large organizations"

While large enterprises may have dedicated CTI teams, organizations of any size benefit from threat intelligence. Smaller organizations may consume CTI from ISACs (Information Sharing and Analysis Centers), open-source feeds, or vendor reports rather than producing it internally.

"CTI is about attribution"

While identifying threat actors is one aspect of CTI, attribution is neither required nor always possible. Actionable intelligence can exist without knowing who the adversary is — understanding how they operate is often more valuable than knowing who they are.

"More data means better intelligence"

Volume does not equal quality. A smaller set of well-analyzed, contextual intelligence is far more valuable than millions of unvetted indicators flooding a SIEM. Intelligence quality depends on the rigor of the analysis, not the volume of the data.

"CTI is a technology problem"

Tools and platforms (TIPs, SIEM integrations, enrichment APIs) support CTI, but the core of intelligence work is the analytical process. The best tools in the world cannot compensate for a lack of analytical rigor or unclear intelligence requirements.

Key Takeaways

  • CTI transforms raw threat data into contextualized, actionable knowledge that supports decisions
  • The data-to-intelligence hierarchy (data → information → intelligence) requires human analysis at each step
  • Different consumers (SOC, IR, hunters, leadership) need different types of intelligence products
  • CTI follows a structured methodology called the Intelligence Cycle
  • Threat feeds are inputs to the intelligence process, not intelligence themselves
  • CTI is a force multiplier for existing security operations, not a replacement

Practical Exercise

Build Your Own Data-to-Intelligence Example

  1. Pick a recent public threat report from any vendor (e.g., Mandiant, CrowdStrike, Recorded Future, Cisco Talos, Microsoft Threat Intelligence).
  2. Identify the raw data elements (IOCs, timestamps, file names).
  3. Identify the information layer (what context is added — actor attribution, campaign name, targeted sectors).
  4. Identify the intelligence layer (assessments, judgments, recommended actions, confidence levels).
  5. Write a one-paragraph summary: How would this intelligence change a decision at your organization? What would you do differently knowing this information versus not knowing it?

This exercise reinforces the distinction between data, information, and intelligence by applying it to real-world reporting.

Further Reading

  • NIST SP 800-150: Guide to Cyber Threat Information Sharing (2016). Provides foundational definitions and a framework for threat intelligence sharing. Available at csrc.nist.gov.
  • "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains" — Eric M. Hutchins, Michael J. Cloppert, Rohan M. Amin (Lockheed Martin, 2011). The foundational paper introducing the Cyber Kill Chain and intelligence-driven defense.
  • "The Threat Intelligence Handbook" — Recorded Future (2018, updated editions available). A practical guide to building and operationalizing a CTI program.
  • MITRE ATT&CK (attack.mitre.org). The industry-standard knowledge base of adversary tactics and techniques, essential for TTP-based intelligence.