Tactical Threat Intelligence
What is Tactical Threat Intelligence?
Tactical Threat Intelligence: Short-lived, technical intelligence about adversary tools, indicators, and signatures, consumed by SOC analysts and security tooling to detect and block attacks.
Tactical threat intelligence is the lowest, most technical layer of CTI. It delivers atomic indicators (file hashes, IP addresses, domains, URLs, YARA rules, Sigma rules) and short descriptions of adversary tradecraft that defenders can immediately apply in SIEMs, EDRs, firewalls, and proxies. Because these artifacts are easy for attackers to change, tactical intelligence has a short shelf life and must be continually refreshed. It is primarily consumed by SOC analysts, detection engineers, and automated platforms via STIX/TAXII or commercial feeds. When combined with TTP-level insight, it accelerates triage and rule tuning.
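The short shelf life described above can be enforced mechanically when a feed is ingested. The following Python code is an added example, not part of the original page: it filters a constructed list of STIX 2.1 indicator objects by `valid_from`, `valid_until`, and `revoked`, falling back to a per-type default lifetime. The TTL values, the helper names (`active_indicators`, `ind`, `parse_ts`), and the sample data are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed maximum age per indicator type when the feed omits valid_until.
DEFAULT_TTL = {"ipv4-addr": timedelta(days=14), "domain-name": timedelta(days=30),
               "file": timedelta(days=365)}

# Only simple single-comparison STIX patterns, e.g. [domain-name:value = 'x'].
SIMPLE = re.compile(r"^\[(ipv4-addr|domain-name|file):([\w.'-]+) = '([^']+)'\]$")

def parse_ts(ts):
    """Parse a STIX UTC timestamp such as 2024-05-01T00:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def active_indicators(objects, now):
    """Return (type, value) pairs for indicators that are valid at `now`."""
    live = []
    for obj in objects:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue  # not an indicator, or withdrawn by the producer
        m = SIMPLE.match(obj.get("pattern", ""))
        if obj.get("pattern_type") != "stix" or not m:
            continue  # compound patterns need a full STIX pattern parser
        kind, _path, value = m.groups()
        start = parse_ts(obj["valid_from"])
        end = (parse_ts(obj["valid_until"]) if "valid_until" in obj
               else start + DEFAULT_TTL[kind])
        if start <= now < end:
            live.append((kind, value))
    return live

def ind(pattern, valid_from, **extra):  # builds a minimal constructed indicator
    return {"type": "indicator", "pattern_type": "stix",
            "pattern": pattern, "valid_from": valid_from, **extra}

# Constructed sample data using reserved documentation names and addresses.
SAMPLE = [
    ind("[domain-name:value = 'c2.example.net']", "2024-05-20T00:00:00Z"),
    ind("[ipv4-addr:value = '203.0.113.7']", "2024-05-01T00:00:00Z"),  # TTL lapsed
    ind("[ipv4-addr:value = '198.51.100.9']", "2024-05-25T00:00:00Z",
        valid_until="2024-05-28T00:00:00Z"),                           # feed-expired
    ind("[domain-name:value = 'old.example.org']", "2024-05-30T00:00:00Z",
        revoked=True),
    ind("[file:hashes.'SHA-256' = '" + "ab" * 32 + "']", "2024-01-10T00:00:00Z"),
    {"type": "malware", "name": "constructed-family"},
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
if __name__ == "__main__":
    print(active_indicators(SAMPLE, NOW))
```

Running the same filter on a schedule against the deployed blocklist, not only at ingestion, is what removes indicators that have aged out since they were loaded.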
● Examples
- 01: An IoC feed listing C2 domains used by a malware family.
- 02: A YARA rule that detects a specific loader variant in memory.
● Frequently asked questions
What is Tactical Threat Intelligence?
Short-lived, technical intelligence about adversary tools, indicators, and signatures, consumed by SOC analysts and security tooling to detect and block attacks. It belongs to the Defense & Operations category of cybersecurity.
How do you defend against Tactical Threat Intelligence?
Defences for Tactical Threat Intelligence typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Tactical Threat Intelligence?
Common alternative names include: Technical threat intelligence.