Operational Threat Intelligence
What is Operational Threat Intelligence?
Operational Threat Intelligence: Mid-term intelligence about specific campaigns, threat actors, and their TTPs, used to prepare defenders, hunt threats, and prioritize controls.
Operational threat intelligence sits between strategic and tactical layers. It describes who is operating against the organization, what campaigns are active, which TTPs they prefer, and how their infrastructure is built. Outputs include actor profiles, campaign timelines, kill-chain narratives, MITRE ATT&CK mappings, and hunting hypotheses. It is consumed by detection engineers, threat hunters, incident responders, and CTI leads to drive proactive defense rather than reactive triage. Operational intelligence has a shelf life of weeks to months and is typically produced through OSINT, vendor reporting, incident lessons learned, and dark-web monitoring.
● Examples
1. A profile of an extortion group describing initial access via vulnerable VPNs and use of Cobalt Strike.
2. A campaign report on phishing waves abusing a specific cloud-storage redirector.
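The definition above lists the outputs of operational intelligence (actor profiles, ATT&CK mappings, hunting hypotheses, a shelf life of weeks to months) and the first example describes an extortion group using vulnerable VPNs and Cobalt Strike. The following is an added example, not part of this page, showing how such a profile can be structured so that detection engineers and hunters can act on it: it maps the profile to ATT&CK technique IDs, compares them against an inventory of existing detections, ranks the uncovered techniques by kill-chain position, and flags the report once it has outlived its shelf life. The technique IDs (T1133, T1071.001, T1486) are real ATT&CK identifiers, but the mapping to this particular group, the actor and campaign names, the data-source labels, the detection rule names, and the 90-day shelf life are constructed assumptions for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Subset of ATT&CK tactics in kill-chain order, used only to rank findings.
# The real matrix has more tactics than are listed here.
KILL_CHAIN_ORDER = ["initial-access", "execution", "persistence",
                    "command-and-control", "impact"]


@dataclass(frozen=True)
class TTP:
    technique_id: str   # MITRE ATT&CK technique ID (real identifiers)
    name: str
    tactic: str         # one of KILL_CHAIN_ORDER
    data_source: str    # telemetry a hunt for this TTP needs (constructed labels)


@dataclass
class OperationalReport:
    actor: str
    campaign: str
    published: date
    ttps: list[TTP] = field(default_factory=list)
    # Assumption: the page's "weeks to months" is encoded as a 90-day default.
    shelf_life_days: int = 90

    def is_stale(self, today: date | str) -> bool:
        """True once the report is older than its shelf life and needs re-validation."""
        if isinstance(today, str):
            today = date.fromisoformat(today)
        return today > self.published + timedelta(days=self.shelf_life_days)

    def coverage_gaps(self, detections: dict[str, list[str]]) -> list[str]:
        """Technique IDs from this report that no existing detection rule maps to."""
        return [t.technique_id for t in self.ttps if t.technique_id not in detections]

    def prioritized_gaps(self, detections: dict[str, list[str]]) -> list[str]:
        """Gaps ordered by kill-chain position: earlier phases first, since
        closing initial access denies the actor every later step."""
        by_id = {t.technique_id: t for t in self.ttps}
        return sorted(self.coverage_gaps(detections),
                      key=lambda tid: KILL_CHAIN_ORDER.index(by_id[tid].tactic))

    def hunting_hypotheses(self, detections: dict[str, list[str]]) -> list[dict]:
        """One hunt per uncovered technique, each tied to the data source it needs."""
        by_id = {t.technique_id: t for t in self.ttps}
        return [
            {
                "technique": tid,
                "hypothesis": f"{self.actor} uses {by_id[tid].name} during {self.campaign}",
                "data_source": by_id[tid].data_source,
            }
            for tid in self.prioritized_gaps(detections)
        ]


# Constructed sample: the extortion-group profile from the Examples section,
# mapped to ATT&CK and listed deliberately out of kill-chain order.
EXAMPLE_REPORT = OperationalReport(
    actor="Extortion group (placeholder name)",
    campaign="vpn-to-ransomware wave",
    published=date(2024, 1, 15),
    ttps=[
        TTP("T1486", "Data Encrypted for Impact", "impact", "endpoint-file-events"),
        TTP("T1133", "External Remote Services", "initial-access", "vpn-auth-logs"),
        TTP("T1071.001", "Web Protocols (Cobalt Strike C2)", "command-and-control", "proxy-logs"),
    ],
)

# Constructed detection inventory: rule names keyed by the technique they cover.
EXAMPLE_DETECTIONS = {
    "T1133": ["vpn-impossible-travel"],
    "T1486": ["mass-file-rename"],
}

if __name__ == "__main__":
    print("stale as of 2024-06-01:", EXAMPLE_REPORT.is_stale("2024-06-01"))
    for hunt in EXAMPLE_REPORT.hunting_hypotheses(EXAMPLE_DETECTIONS):
        print(hunt)
```

With the sample inventory, the only uncovered technique is the Cobalt Strike C2 channel (T1071.001), so the report yields a single hunt against proxy logs; with an empty inventory the gaps come back ranked initial access first, C2 second, impact last, which is the order in which a CTI lead would ask for controls to be prioritized.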
● Frequently asked questions
What is Operational Threat Intelligence?
Mid-term intelligence about specific campaigns, threat actors, and their TTPs, used to prepare defenders, hunt threats, and prioritize controls. It belongs to the Defense & Operations category of cybersecurity.