Cyber threat intelligence (CTI) is evidence-based information about adversaries — who they are, what they target, how they operate, and what tools they use — that helps a defender make better security decisions.
The phrase gets thrown around loosely. At its most useful, threat intelligence is the difference between knowing a vulnerability exists and knowing which threat actor is exploiting it against your sector, with which tooling, and what to look for in your own logs to spot it.
The four kinds you'll hear about
CTI vendors and CISA's own guidance break threat intelligence into four broad tiers:
- Strategic — long-horizon, leadership-facing. Geopolitical shifts, sector-wide trends, board-level risk.
- Operational — campaigns, named threat actor activity, expected near-term targeting. Useful for the head of CTI or the SOC manager.
- Tactical — tactics, techniques and procedures (TTPs). Useful for detection engineers and hunt teams.
- Technical — the indicators themselves: IPs, hashes, domains, URLs. Useful for the SIEM and the firewall.
Who actually uses it?
SOC analysts, threat hunters, vulnerability management teams, incident responders, fraud teams, leadership. Most organisations use the same intelligence at different levels of abstraction: a CISO needs to know "are we exposed to this trend?", while a SOC analyst needs to know "what should I look for in the logs by close of play?"
The volume problem. The hard part of CTI isn't finding intelligence. It's filtering the firehose. A real-world feed pushes hundreds of articles a day. No analyst can read them all, and most of them won't matter to a given organisation.
Why aggregators and clusterers exist
The same incident gets covered by ten outlets, each with a slightly different angle. Without grouping, an analyst reads the same story ten times. Platforms like ThreatCluster exist to consolidate that automatically, leaving the analyst free to do the work a model can't: judgement, attribution, response planning.
How to use this on your team
- Decide what you care about first — sector, geography, tech stack, supply chain. Filter the feed against that.
- Wire alerts only on things that actually require action. Everything else belongs in a digest, not a page to the on-call analyst.
- Make every conclusion traceable to a source. The next person to read your write-up should be able to verify it.
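The clustering and routing described above (grouping near-duplicate coverage, filtering against what you care about, alerting only on actionable items, keeping every item traceable to its source), as an added toy example; this is not ThreatCluster's code or any real feed, and the items, outlets, tags and the 0.5 similarity threshold are constructed assumptions:

```python
from dataclasses import dataclass

@dataclass
class Item:
    title: str
    source: str        # URL it came from, so conclusions stay traceable
    tags: set          # sector / stack / region labels supplied by the feed
    actionable: bool   # feed flags a patch, IoC or mitigation to apply

def tokens(text):
    # Lower-case word set, punctuation stripped, words under 4 chars dropped.
    cleaned = "".join(ch if ch.isalnum() else " " for ch in text.lower())
    return {w for w in cleaned.split() if len(w) > 3}

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def cluster(items, threshold=0.5):
    """Greedy single pass: join the first cluster whose lead title is similar enough."""
    clusters = []
    for item in items:
        for members in clusters:
            if jaccard(tokens(members[0].title), tokens(item.title)) >= threshold:
                members.append(item)
                break
        else:
            clusters.append([item])
    return clusters

def triage(items, profile, threshold=0.5):
    """Drop clusters with no profile tag overlap; alert if any member is actionable; else digest."""
    routed = {"alert": [], "digest": [], "dropped": []}
    for members in cluster(items, threshold):
        if not any(m.tags & profile for m in members):
            routed["dropped"].append(members)
        elif any(m.actionable for m in members):
            routed["alert"].append(members)
        else:
            routed["digest"].append(members)
    return routed

SAMPLE = [  # constructed items from hypothetical outlets; the first two cover one story
    Item("Ransomware group exploits VPN appliance flaw against European hospitals",
         "https://outlet-a.example/1", {"healthcare", "vpn-appliance", "eu"}, True),
    Item("European hospitals hit as ransomware group exploits VPN appliance flaw",
         "https://outlet-b.example/7", {"healthcare", "eu"}, False),
    Item("Healthcare regulator publishes annual cyber resilience survey",
         "https://outlet-c.example/3", {"healthcare"}, False),
    Item("Quarterly report: phishing trends across the retail sector",
         "https://outlet-d.example/9", {"retail"}, False),
]
PROFILE = {"healthcare", "vpn-appliance", "eu"}  # tags this organisation cares about
```

Running `triage(SAMPLE, PROFILE)` puts the two hospital articles in one alert cluster (both source URLs kept), the regulator survey in the digest, and the retail story in the dropped pile; raising the threshold to 0.9 splits the two hospital articles apart, which is the tuning knob a team would adjust against its own feed.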