Hard2bit

Cyber threat

What is a cyber threat

A cyber threat is any event, action or entity with the potential to compromise, damage or disrupt information systems, data or services. It includes malicious actors (cybercriminals, hacktivists, APTs), attack types (malware, ransomware, phishing, DDoS), exploitable vulnerabilities and internal threats (malicious or negligent employees). Threat classification and risk analysis are critical CISO functions for prioritising defensive investment. Threat = potential for harm; risk = threat combined with probability and impact; control = defensive measure that mitigates risk.

Why it matters

A CISO who does not know their threat landscape invests blindly. If your sector is a routine target of APTs or strategically motivated groups —defence, energy, aerospace, banking, healthcare, government— controls should lean toward EDR with behavioural analysis, disciplined hardening, Tier 0 segmentation and scheduled threat hunting. If the dominant threat is double-extortion ransomware —very common in industry, retail, logistics and SMBs— priorities shift to immutable backups, network segmentation, and a rehearsed recovery plan. Threat intelligence translates that landscape into concrete tactical decisions: which indicators of compromise (IoCs) to hunt, which MITRE ATT&CK TTPs to detect first, which vulnerabilities are being exploited right now, and which active campaigns target your supply chain. Risk analysis structures the budget: you cannot defend everything, so critical assets are prioritised against the most probable and impactful threats. Regulations require it explicitly: ISO 27001 mandates an annual risk assessment, NIS2 requires sector-level threat-landscape awareness, and DORA demands stress-testing against concrete scenarios in financial services.

Key points

Threat classification: external (organised cybercriminals, APTs, hacktivists, competitors), internal (employees, contractors with privileged access), technical (malware, zero-days, misconfiguration) and accidental (configuration errors, shadow IT, unintentional exposure).

Cyber threat intelligence (CTI) draws on CVEs under active exploitation, APT groups operating in your vertical, ongoing malware campaigns and current TTPs; shared through sector ISACs/ISAOs, it reinforces collective defence.

Risk-matrix prioritisation (probability × impact) ranks threats and channels a limited budget toward high-risk items first, rather than toward exotic but remote scenarios.

Threat, vulnerability and risk are not synonyms: a threat is the actor or event that can cause harm, a vulnerability is the weakness that lets it happen, and risk is the combination with business impact.

The landscape is dynamic: new ransomware families, supply-chain campaigns, identity abuse in SaaS and attacks on CI/CD pipelines appear every quarter, so analysis requires continuous refresh rather than static annual exercises.

Example: threat analysis guides control prioritisation

A CISO at an industrial software company with EMEA operations models the threat landscape before closing the annual budget. Four representative scenarios are identified: (1) double-extortion ransomware with phishing-based initial access —high probability and catastrophic impact on continuity and reputation; (2) nation-state APT targeting sensitive intellectual property —medium probability, very high impact on IP and contracts; (3) a malicious or negligent insider with access to customer data —low probability, medium-to-high impact; and (4) DDoS against exposed services —high probability, contained impact with proper contingency. Each scenario is crossed with the critical-asset inventory and the applicable regulatory obligations.

With that map, prioritisation stops being opinion and becomes discipline: first, reinforce ransomware defence with immutable backups, segmentation and phishing-resistant MFA; second, equip the SOC with behavioural EDR, threat hunting and extended log retention to detect APTs; third, activate DLP, privileged-identity controls and access auditing to mitigate insider risk; and finally, anti-DDoS and failover playbooks. Supported by Hard2bit, the conversation with the board is anchored in quantified risks and a defensible portfolio of controls, not in a generic tooling wish-list.

Common mistakes

  • Implementing generic controls while ignoring sector threat intelligence; if the dominant threat is ransomware, spend should flow to backups, segmentation and response rather than to an advanced firewall that does not address the real problem.
  • Treating every threat as equal: without a probability-and-impact ranking, organisations overspend on remote scenarios and underinvest in daily risks with likely losses.
  • Not refreshing the analysis quarterly or after every material incident: the landscape evolves (new vulnerabilities, new groups, new tactics), and a year-old threat map is usually misaligned with current reality.
  • Confusing threat with risk and throwing percentages around with no model behind them; boards make poor decisions when the language does not cleanly separate threat, vulnerability and impact.
  • Relying exclusively on paid CTI: combining open feeds (CVE, MITRE ATT&CK, CISA KEV, national CERTs), community sources (abuse.ch, VirusTotal) and sector ISACs/ISAOs delivers coverage that a single subscription rarely matches.


Frequently asked questions

What is the difference between threat, vulnerability and risk?

A threat is the actor or event with potential to cause harm (an APT group, a malware family, a disgruntled insider). A vulnerability is the weakness that lets the threat materialise (an exposed service, a weak password, unpatched software, a poorly designed process). Risk combines both with business impact and probability of occurrence. Without an exploitable vulnerability, even a capable threat may cause no harm; and without valuable assets, a vulnerability may be a minor finding rather than a critical risk.

How do I access useful cyber threat intelligence (CTI)?

By combining several layers: open and reference feeds (CVE, MITRE ATT&CK, CISA's KEV catalogue, ENISA advisories, national CERT bulletins), community sources (abuse.ch, VirusTotal, IoC repositories), sector feeds via ISACs/ISAOs, and commercial CTI platforms when broader coverage and attribution are required. The key is not the feed vendor, but the ability to integrate it with your SIEM and EDR, to prioritise it against your real threat profile, and to operate it with a team that can turn it into detections, hunts and decisions.
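The answer above, and the "relying exclusively on paid CTI" point under Common mistakes, both come down to the same operational step: taking an open feed and prioritising it against your own asset inventory. The script below is an added illustration, not Hard2bit's code. It parses a document laid out like CISA's KEV catalogue (the field names `cveID`, `vendorProject`, `product`, `dueDate` and `knownRansomwareCampaignUse` are CISA's), but the records themselves are constructed with placeholder CVE ids, the inventory is invented, and the ranking rule (ransomware-linked first, then earliest remediation due date, then number of internet-facing assets) is an assumption chosen for the example.

```python
import json
from datetime import date

# Constructed sample in the CISA KEV JSON layout. The CVE ids are placeholders,
# not real vulnerabilities; only the field names follow the published schema.
KEV_SAMPLE = json.dumps({
    "title": "constructed KEV-style sample",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "EdgeGateway",
         "dateAdded": "2024-01-10", "dueDate": "2024-01-31",
         "knownRansomwareCampaignUse": "Known", "shortDescription": "placeholder"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "EdgeGateway",
         "dateAdded": "2024-02-25", "dueDate": "2024-03-15",
         "knownRansomwareCampaignUse": "Unknown", "shortDescription": "placeholder"},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherCorp", "product": "MailServer",
         "dateAdded": "2024-01-30", "dueDate": "2024-02-20",
         "knownRansomwareCampaignUse": "Known", "shortDescription": "placeholder"},
        {"cveID": "CVE-0000-0004", "vendorProject": "NotUsedInc", "product": "Widget",
         "dateAdded": "2024-01-05", "dueDate": "2024-01-26",
         "knownRansomwareCampaignUse": "Known", "shortDescription": "placeholder"},
    ],
})

# Constructed asset inventory: what the organisation actually runs.
INVENTORY = [
    {"asset": "vpn-01", "vendor": "ExampleVendor", "product": "EdgeGateway", "internet_facing": True},
    {"asset": "mail-02", "vendor": "OtherCorp", "product": "MailServer", "internet_facing": True},
    {"asset": "wiki-03", "vendor": "SomeVendor", "product": "Wiki", "internet_facing": False},
]

# Reference date used for the overdue flag in the demonstration (assumed).
DEMO_DAY = date(2024, 2, 1)


def load_kev(text):
    """Parse a KEV-format document and return its vulnerability records."""
    return json.loads(text)["vulnerabilities"]


def match_inventory(entries, inventory):
    """Keep only feed entries whose vendor/product pair exists in the inventory,
    attaching the affected assets. Matching is case-insensitive on both fields."""
    index = {}
    for asset in inventory:
        key = (asset["vendor"].lower(), asset["product"].lower())
        index.setdefault(key, []).append(asset)
    matched = []
    for entry in entries:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        assets = index.get(key, [])
        if assets:
            matched.append({**entry, "assets": assets})
    return matched


def prioritise(matched, today):
    """Rank matched entries: ransomware-linked first, then earliest due date,
    then the most internet-facing assets. Flags entries already past due."""
    def sort_key(m):
        return (
            0 if m["knownRansomwareCampaignUse"] == "Known" else 1,
            date.fromisoformat(m["dueDate"]),
            -sum(1 for a in m["assets"] if a["internet_facing"]),
        )
    ranked = []
    for m in sorted(matched, key=sort_key):
        due = date.fromisoformat(m["dueDate"])
        ranked.append({
            "cveID": m["cveID"],
            "ransomware": m["knownRansomwareCampaignUse"] == "Known",
            "due": m["dueDate"],
            "overdue": due < today,
            "assets": [a["asset"] for a in m["assets"]],
        })
    return ranked


def triage(kev_text, inventory, today):
    """Full pipeline: parse feed, drop what you do not run, rank what remains."""
    return prioritise(match_inventory(load_kev(kev_text), inventory), today)


if __name__ == "__main__":
    for row in triage(KEV_SAMPLE, INVENTORY, DEMO_DAY):
        print(row)
```

The feed entry with no matching asset (CVE-0000-0004) never reaches the ranked list, which is the point of the answer above: the value of a feed lies in filtering it through your own inventory, not in its size. Feeding the ranked output into SIEM or EDR watchlists is the next step and is not shown here.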

What is a risk matrix and how do I use it?

A two-axis matrix —probability (low/medium/high) and impact (low/medium/high)— where each threat is placed according to the combination. Threats in the red quadrant (high probability, high impact) get priority treatment; yellow ones are planned; green ones are accepted or mitigated with light controls. The security budget is allocated from red to green and reviewed at least annually —more frequently in regulated sectors or after material incidents. The matrix is a communication tool as much as an analytical one: it lets you explain to the board what is being spent and why.
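To make the matrix concrete, here is an added example (not Hard2bit's code) that applies it to the four scenarios from the worked example earlier on the page. The numeric levels (low=1, medium=2, high=3), the colour thresholds (product 6-9 red, 3-4 yellow, 1-2 green), the mapping of "catastrophic" and "very high" to high and "medium-to-high" to high, and the tie-break rule (higher impact first when scores are equal) are all assumptions made for the illustration.

```python
from dataclasses import dataclass

# Ordinal levels for both axes (assumed scale).
LEVEL = {"low": 1, "medium": 2, "high": 3}


def band(score):
    """Colour band for a probability x impact product.
    Possible products on a 3x3 grid are 1, 2, 3, 4, 6, 9 (assumed thresholds)."""
    if score >= 6:
        return "red"
    if score >= 3:
        return "yellow"
    return "green"


@dataclass(frozen=True)
class Threat:
    name: str
    probability: str  # "low" | "medium" | "high"
    impact: str       # "low" | "medium" | "high"

    def score(self):
        return LEVEL[self.probability] * LEVEL[self.impact]


# The page's four scenarios, with its qualitative ratings mapped onto the scale.
SCENARIOS = [
    Threat("double-extortion ransomware", "high", "high"),
    Threat("nation-state APT targeting IP", "medium", "high"),
    Threat("insider with customer-data access", "low", "high"),
    Threat("DDoS against exposed services", "high", "low"),
]


def prioritise(threats):
    """Order threats red -> green. Ties on score are broken by impact
    (worse consequence first), then by name for a stable output."""
    ranked = sorted(threats, key=lambda t: (-t.score(), -LEVEL[t.impact], t.name))
    return [(t.name, t.score(), band(t.score())) for t in ranked]


def matrix_grid(threats):
    """Place each threat in its cell, keyed (probability, impact), for board reporting."""
    grid = {(p, i): [] for p in LEVEL for i in LEVEL}
    for t in threats:
        grid[(t.probability, t.impact)].append(t.name)
    return grid


def render(threats):
    """Plain-text 3x3 grid, rows = probability (high at top), columns = impact."""
    grid = matrix_grid(threats)
    lines = ["probability \\ impact | low | medium | high"]
    for p in ("high", "medium", "low"):
        cells = [", ".join(grid[(p, i)]) or "-" for i in ("low", "medium", "high")]
        lines.append(f"{p:<20} | " + " | ".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    for name, score, colour in prioritise(SCENARIOS):
        print(f"{colour:<6} {score}  {name}")
    print(render(SCENARIOS))
```

With these assumptions the ranking reproduces the order the page's CISO arrives at (ransomware, APT, insider, DDoS): the two red items are separated from the two yellow ones by score alone, and the impact tie-break is what puts the insider scenario ahead of DDoS despite its lower probability. Changing a single rating, for example the insider impact to medium, moves it below DDoS, which is exactly the kind of sensitivity a board conversation should surface.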

Which threats are most relevant to European enterprises today?

The ones observed on a recurring basis: double-extortion ransomware with initial access via phishing or compromised credentials, increasingly personalised phishing and spear phishing, supply-chain attacks through SaaS vendors or MSPs, identity abuse in cloud and hybrid environments, and APTs targeting critical sectors in scope of NIS2 and DORA. The picture shifts every quarter: rely on national CERT bulletins, the relevant sector ISAC reports, and operational CTI embedded inside the SOC.