Threat Intelligence
What is Threat Intelligence?
Threat Intelligence: Evidence-based knowledge about threats and threat actors — including indicators, TTPs and context — used to guide security decisions and detection.
Threat intelligence is the structured collection, processing, analysis and dissemination of information about adversaries, their motivations, capabilities and infrastructure. It transforms raw data (malware samples, IPs, domains, leaked credentials, dark-web chatter, vulnerability reports) into actionable intelligence by adding context, confidence and a relevant audience. Organizations consume threat intelligence through feeds (STIX/TAXII, MISP), platforms (TIP), vendor reports and ISAC sharing to enrich SIEM and EDR detections, guide patching and inform executive risk decisions. Intelligence is typically classified by audience and time horizon into strategic, operational and tactical levels.
● Examples
- 01 An ISAC sharing IoCs associated with a new ransomware affiliate hours before it hits members.
- 02 A TIP enriching SIEM events with actor attribution, MITRE ATT&CK techniques and confidence scoring.
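The second example above, sketched as code. This is an added illustration, not taken from any particular TIP or SIEM product: the indicator and event field names, the actor name and all sample values are constructed, and the confidence threshold is an assumption.

```python
from datetime import datetime

# Constructed indicators carrying the context the definition names:
# confidence (0-100), an expiry, actor attribution and ATT&CK technique IDs.
# The actor name is a placeholder; addresses are documentation ranges.
INDICATORS = [
    {"type": "ipv4", "value": "203.0.113.10", "confidence": 85,
     "valid_until": "2030-01-01T00:00:00+00:00",
     "actor": "EXAMPLE-ACTOR-1", "techniques": ["T1071.001"]},
    {"type": "domain", "value": "bad.example.net", "confidence": 40,
     "valid_until": "2030-01-01T00:00:00+00:00",
     "actor": "EXAMPLE-ACTOR-1", "techniques": ["T1071.004"]},
    {"type": "ipv4", "value": "198.51.100.7", "confidence": 90,
     "valid_until": "2020-01-01T00:00:00+00:00",  # already expired
     "actor": "EXAMPLE-ACTOR-1", "techniques": ["T1071.001"]},
]

# Constructed SIEM events (hypothetical field names).
EVENTS = [
    {"id": 1, "ts": "2025-03-01T12:00:00+00:00", "dest_ip": "203.0.113.10"},
    {"id": 2, "ts": "2025-03-01T12:01:00+00:00", "dns_query": "BAD.example.net."},
    {"id": 3, "ts": "2025-03-01T12:02:00+00:00", "dest_ip": "198.51.100.7"},
    {"id": 4, "ts": "2025-03-01T12:03:00+00:00", "dest_ip": "192.0.2.5"},
]

FIELD_TYPES = {"dest_ip": "ipv4", "dns_query": "domain"}  # event field -> indicator type


def normalise(value):
    """Case-fold and drop the trailing dot so DNS names compare equal."""
    return value.lower().rstrip(".")


def build_index(indicators):
    """Index indicators by (type, normalised value) for constant-time lookup."""
    return {(i["type"], normalise(i["value"])): i for i in indicators}


def enrich(event, index, min_confidence=60):
    """Return a copy of the event with a ti_hits list of usable matches."""
    seen = datetime.fromisoformat(event["ts"])
    hits = []
    for field, ioc_type in FIELD_TYPES.items():
        ioc = index.get((ioc_type, normalise(event.get(field) or "")))
        if ioc is None or ioc["confidence"] < min_confidence:
            continue  # no match, or too weak to alert on
        if datetime.fromisoformat(ioc["valid_until"]) <= seen:
            continue  # stale indicator: infrastructure may have been reassigned
        hits.append({k: ioc[k] for k in ("value", "actor", "techniques", "confidence")})
    return {**event, "ti_hits": hits}
```

Only event 1 is enriched at the default threshold: event 2 matches a low-confidence indicator and event 3 matches one that expired before the event was seen.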
● Frequently asked questions
What is Threat Intelligence?
Evidence-based knowledge about threats and threat actors — including indicators, TTPs and context — used to guide security decisions and detection. It belongs to the Defense & Operations category of cybersecurity.
How does Threat Intelligence relate to defence?
Threat Intelligence is a defensive practice rather than a threat: it is used alongside technical controls and operational practices, as detailed in the full definition above.
What are other names for Threat Intelligence?
Common alternative names include: TI, Threat Intel.