TI — Glossary
Threat Intelligence
The evidence-based knowledge about existing or emerging cyber threats, including context about threat actors, their motivations, capabilities, and indicators of compromise (IOCs), used to inform security decisions.
Last updated
What Is Threat Intelligence?
Threat intelligence is information about cyber threats that has been collected, processed, and analyzed to provide actionable context for security decisions. It transforms raw data (IP addresses, file hashes, domain names) into intelligence that helps organizations understand who is attacking them, how, and what to do about it.
Levels of Threat Intelligence
| Level | Audience | Content | Example | |---|---|---|---| | Strategic | Executives, board | Threat landscape trends, geopolitical risks | "Ransomware targeting healthcare increased 300% this year" | | Tactical | Security architects | Adversary TTPs (MITRE ATT&CK) | "APT29 uses OAuth app consent phishing for initial access" | | Operational | SOC managers, IR teams | Campaign details, attack timelines | "Active campaign targeting Exchange servers via CVE-2024-XXXXX" | | Technical | SOC analysts, SIEM | IOCs: IPs, hashes, domains, URLs | "Block 192.168.x.x — active C2 server" |
Threat Intelligence Lifecycle
- Direction: Define intelligence requirements based on your threat profile
- Collection: Gather data from open sources (OSINT), commercial feeds, dark web, ISACs, government advisories
- Processing: Normalize, deduplicate, and structure raw data
- Analysis: Add context, assess reliability, determine relevance to your organization
- Dissemination: Deliver intelligence to the right audience in the right format
- Feedback: Evaluate effectiveness and refine requirements
Applying Threat Intelligence
- SIEM enrichment: Automatically correlate logs against IOC feeds
- Firewall/proxy blocking: Block known malicious IPs and domains
- Vulnerability prioritization: Prioritize patching for vulnerabilities with active exploits
- Threat hunting: Search for indicators of adversary presence in your environment
- Risk assessment: Understand which threat actors target your industry
- Incident response: Identify the threat actor and their TTPs during an incident
Key Frameworks
- MITRE ATT&CK: Comprehensive matrix of adversary tactics and techniques
- STIX/TAXII: Standards for threat intelligence sharing
- Kill Chain: Lockheed Martin model of attack phases
- Diamond Model: Framework for analyzing intrusion events
Related Resources
Categories
Enterprise SIEM Platforms
Compare the best enterprise SIEM alternatives to Splunk in 2026. IBM QRadar, LogRhythm, Exabeam — threat detection, UEBA, SOAR, and pricing compared.
Cloud SIEM Platforms
Compare the best cloud SIEM alternatives to Splunk in 2026. Microsoft Sentinel, Sumo Logic, Datadog Security — pricing, cloud integration, and capabilities compared.
Products
CrowdStrike
Cloud-native endpoint protection platform with AI-powered threat detection
Microsoft Sentinel
Cloud-native Azure SIEM with AI-powered detection and automated response
Splunk
Enterprise SIEM and security analytics platform for threat detection and incident response
IBM QRadar
AI-powered enterprise SIEM with automated threat detection and investigation
Sources & References
- NIST Cybersecurity Framework (CSF) 2.0[Government Standard]
- NIST Computer Security Resource Center[Government Standard]
- MITRE ATT&CK Framework[Industry Framework]
- OWASP Foundation[Industry Framework]
- CISA Cybersecurity Best Practices[Government Standard]
- SANS Institute Reading Room[Industry Research]
- Cloud Security Alliance (CSA)[Industry Framework]
- CIS Critical Security Controls[Industry Framework]
- Gartner Magic Quadrant for SIEM 2024[Analyst Report]
- Forrester Wave: Security Analytics Platforms, Q4 2024[Analyst Report]
- IDC MarketScape: Worldwide SIEM 2024[Analyst Report]
- MITRE ATT&CK Evaluations[Industry Evaluation]
- SANS Institute: Best Practices for SIEM Deployment[Industry Research]
- Gartner Peer Insights: SIEM[Peer Reviews]