Threat intelligence comes in four tiers: strategic (high-level threat landscape), tactical (threat group capabilities), operational (specific campaigns and actors), and technical (indicators like IP addresses and file hashes).
What is threat intelligence
Threat intelligence is evidence-based information about attackers, their tactics, techniques, and procedures (TTPs), the indicators they leave behind (IP addresses, malware hashes, domains), and which vulnerabilities or threats are actively exploited. Actionable threat intelligence enables organizations to prioritize security investments and respond faster to incidents.
Why it matters
Without threat intelligence, you're guessing which threats matter. You might patch obscure vulnerabilities while ignoring critical ones that attackers actively exploit. Threat intelligence answers: which APT groups target our industry? Which vulnerabilities are weaponized? Which indicators appear in our network? Organizations using threat intelligence reduce breach impact by focusing resources on real threats, not hypothetical ones.
Key points
Indicators decay—an attacker IP from 2020 may be inactive; a 2024 C2 IP is relevant. Effective use requires understanding context and recency.
Threat intelligence fuels detection. SIEM and EDR rules tuned with threat intelligence catch real threats; rules without intelligence generate false positives.
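The two points above, recency and feeding detection, can be combined in one small matcher. The following is an added example (not code from the original page or from any vendor): it scores each indicator by how long ago the source last saw it, using per-kind half-lives that are assumptions of this example (an IP rotates far sooner than a file hash stops identifying a sample), and then runs a few constructed firewall, proxy and EDR log lines against the set. Indicator values, log lines, dates and the alert threshold are all constructed; the IPs are documentation ranges and the hash is a dummy.

```python
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Indicator:
    value: str       # the observable: IP address, domain or SHA-256
    kind: str        # "ip", "domain" or "sha256"
    last_seen: date  # most recent activity the source reported
    confidence: int  # source-stated confidence, 0-100
    context: str     # actor or campaign the source attached


# Constructed feed: documentation IPs, a .invalid domain and a dummy hash.
FEED = [
    Indicator("203.0.113.45", "ip", date(2024, 4, 20), 90, "APT-X C2 (sample)"),
    Indicator("198.51.100.17", "ip", date(2020, 3, 1), 90, "old botnet C2 (sample)"),
    Indicator("update.cdn-sync.invalid", "domain", date(2024, 1, 15), 80, "APT-X staging (sample)"),
    Indicator("a" * 64, "sha256", date(2021, 6, 1), 95, "APT-X loader (sample)"),
]

# Assumed half-lives in days: each indicator kind decays at its own rate.
HALF_LIFE_DAYS = {"ip": 30, "domain": 90, "sha256": 730}
ALERT_THRESHOLD = 25.0  # assumed cut-off; below it a match is recorded, not alerted


def decayed_score(ind, today):
    """Source confidence halved once per half-life elapsed since last_seen."""
    age_days = max(0, (today - ind.last_seen).days)
    return ind.confidence * 0.5 ** (age_days / HALF_LIFE_DAYS[ind.kind])


KV = re.compile(r"(\w+)=(\S+)")  # the constructed logs use key=value tokens


def extract_observables(line):
    """Pull (kind, value) pairs out of one log line."""
    fields = dict(KV.findall(line))
    obs = set()
    for key in ("src", "dst"):
        if key in fields:
            obs.add(("ip", fields[key]))
    if "host" in fields:
        obs.add(("domain", fields["host"].lower()))
    if "sha256" in fields:
        obs.add(("sha256", fields["sha256"].lower()))
    return obs


def match_logs(lines, feed, today):
    """One hit per (line, indicator) match, with its decayed score and whether
    it clears the alert threshold. Stale hits stay visible for hunting context
    but carry alert=False so they do not page anyone."""
    index = {(i.kind, i.value.lower()): i for i in feed}
    hits = []
    for line in lines:
        for kind, value in sorted(extract_observables(line)):
            ind = index.get((kind, value))
            if ind is None:
                continue
            score = decayed_score(ind, today)
            hits.append({
                "line": line,
                "indicator": ind.value,
                "context": ind.context,
                "score": round(score, 1),
                "alert": score >= ALERT_THRESHOLD,
            })
    return hits


# Constructed log lines: private source IPs, documentation-range destinations.
LOG_SAMPLE = [
    "2024-05-02T10:15:31Z fw action=allow src=10.0.4.21 dst=203.0.113.45 dport=443",
    "2024-05-02T10:16:02Z fw action=allow src=10.0.4.21 dst=198.51.100.17 dport=80",
    "2024-05-02T10:17:45Z proxy method=GET host=update.cdn-sync.invalid path=/a",
    "2024-05-02T10:18:10Z edr event=file_write sha256=" + "a" * 64,
    "2024-05-02T10:19:00Z fw action=allow src=10.0.4.22 dst=192.0.2.8 dport=443",
]


def demo():
    """Run the constructed sample as of a fixed date so results are repeatable."""
    return match_logs(LOG_SAMPLE, FEED, date(2024, 5, 2))


if __name__ == "__main__":
    for h in demo():
        flag = "ALERT" if h["alert"] else "stale"
        print(f"{flag:5} {h['score']:5} {h['indicator']} {h['context']}")
```

Run as of 2 May 2024, the 2020 C2 address still matches a log line but scores near zero and is not alerted, while the indicators seen in 2024 alert; the same feed without the decay step would have fired on all four. Half-lives and threshold are tuning knobs for your own environment, not values from the page.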
Threat intelligence is not just about malware. It includes business intelligence (who is targeting your industry, geographic threats, geopolitical context) that informs long-term strategy.
Threat intelligence improving response
A retail organization's threat intelligence feed reports that a known Chinese APT is targeting US companies in their sector. The organization immediately: (1) increases monitoring for known indicators (C2 IPs, malware hashes), (2) prioritizes patching for the vulnerabilities that APT uses, (3) briefs executives on likely attack vectors, (4) activates its incident response plan. When the organization later detects one of the known C2 IPs in its network, the IR team already knows the attacker's playbook and can respond with confidence. Without threat intelligence, the intrusion would be handled generically; with intelligence, the response is tailored and faster.
Common mistakes
- Buying threat intelligence but not integrating it—many organizations subscribe to feeds but never connect them to SIEM, EDR, or incident response tools. Intelligence is useful only if it informs your detections.
- Confusing threat intelligence with vulnerability data—knowing that CVE-2024-1234 exists (vuln data) is different from knowing that it's actively exploited by APT-X targeting your industry (threat intelligence). Prioritize the latter.
- Assuming all threat intelligence is current—older feeds contain stale indicators. Validate freshness and context, especially for IP addresses and malware hashes.
Frequently asked questions
Where do organizations get threat intelligence?
Sources include: commercial feeds (Mandiant, Recorded Future, CrowdStrike), open-source intelligence (OSINT) like exploit databases and forums, government advisories (CISA, Europol), vendor threat reports, industry ISACs (Information Sharing and Analysis Centers), and internal incident data from your own breach investigations.
How do we know if threat intelligence is accurate?
Validate intelligence against your own data: do you see the reported indicators in your network? Does the intelligence match your known threats? Compare multiple sources—if one source reports APT activity but others don't, be skeptical. Also assess the source's track record and methodology. Intelligence from law enforcement or reputable security researchers carries more weight than intelligence from anonymous forums.
What's the difference between threat intelligence and vulnerability scanning?
Vulnerability scanning identifies weaknesses in your systems (unpatched software, misconfigurations). Threat intelligence identifies which vulnerabilities attackers actually exploit and who is targeting you. Together: scanning finds gaps, threat intelligence prioritizes which gaps matter most for your risk profile.
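The "scanning finds gaps, intelligence prioritizes them" point, and the scenario above in which the retail organization patches the vulnerabilities its APT actually uses, come down to a join between scanner output and intel records. The following is an added example, not code from the page: it assigns each finding a remediation tier where active exploitation by an actor targeting our sector outranks any CVSS score, and internet exposure moves a finding up one tier. The decision order and weights are assumptions of this example. CVE-2024-1234 is the page's own placeholder; the CVE-EXAMPLE-* identifiers, hosts, CVSS values and intel records are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One row from a vulnerability scanner (constructed)."""
    host: str
    cve: str
    cvss: float
    internet_exposed: bool


@dataclass(frozen=True)
class Intel:
    """What the threat-intel source says about a CVE (constructed)."""
    exploited_in_wild: bool
    actors: tuple = ()
    target_sectors: tuple = ()


# Scanner output. CVE-2024-1234 is the page's placeholder; CVE-EXAMPLE-*
# identifiers are placeholders, not real CVE numbers.
SCAN = [
    Finding("web-01", "CVE-2024-1234", 7.5, True),
    Finding("hr-db-02", "CVE-EXAMPLE-0002", 9.8, False),
    Finding("kiosk-07", "CVE-EXAMPLE-0003", 5.3, False),
    Finding("vpn-01", "CVE-EXAMPLE-0004", 8.1, True),
]

# Threat-intel view keyed by CVE. A missing key means "no exploitation reported".
INTEL = {
    "CVE-2024-1234": Intel(True, ("APT-X",), ("retail", "finance")),
    "CVE-EXAMPLE-0004": Intel(True),
}


def tier(finding, intel, our_sector):
    """Return (tier, reasons); tier 1 is patched first.
    Decision order is an assumption of this example."""
    rec = intel.get(finding.cve)
    reasons = []
    if rec and rec.exploited_in_wild and our_sector in rec.target_sectors:
        t = 1
        reasons.append(f"exploited by {', '.join(rec.actors)} targeting {our_sector}")
    elif rec and rec.exploited_in_wild:
        t = 2
        reasons.append("exploited in the wild")
    elif finding.cvss >= 7.0:
        t = 3
        reasons.append(f"CVSS {finding.cvss}, no exploitation reported")
    else:
        t = 4
        reasons.append(f"CVSS {finding.cvss}, no exploitation reported")
    if finding.internet_exposed and t > 1:
        t -= 1  # reachable from outside: move up one tier
        reasons.append("internet-exposed")
    return t, reasons


def prioritize(scan, intel, our_sector):
    """Return the findings as a patch queue ordered by tier, then CVSS."""
    rows = []
    for f in scan:
        t, why = tier(f, intel, our_sector)
        rows.append({"host": f.host, "cve": f.cve, "cvss": f.cvss,
                     "tier": t, "why": "; ".join(why)})
    rows.sort(key=lambda r: (r["tier"], -r["cvss"]))
    return rows


if __name__ == "__main__":
    for r in prioritize(SCAN, INTEL, "retail"):
        print(f"P{r['tier']} {r['host']:9} {r['cve']:17} CVSS {r['cvss']:<4} {r['why']}")
```

For the retail sector the CVSS 9.8 finding on the internal database host lands third, behind two lower-scored but actively exploited, internet-facing findings; a queue sorted on CVSS alone would have put it first. The reasons string is kept per row so the ordering can be explained to whoever owns the patch window.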