Hard2bit
Cyber Threat Intelligence · F3EAD · ATT&CK · Diamond · TLP v2.0

Threat Intelligence — that actually changes what you do

We turn threat noise into actionable alerts: tactical for the SOC, operational for the IR team, strategic for the board. One service, three layers, one F3EAD production cycle, every output tagged with TLP v2.0.

Tactical

IoCs, Sigma, YARA — mapped to ATT&CK

Operational

Actors, campaigns, brand abuse

Strategic

Trends, risk and scenarios for the board

CTI is a service of analysis and decision — not a feed subscription.

Cyber Threat Intelligence is the structured production of knowledge about threats: who attacks, how, why, and what to do about it. It is not a feed. It is not an annual report. It is not a list of IoCs with no context.

We always start from Priority Intelligence Requirements — the questions the organisation needs CTI to answer. Without clear PIRs, CTI turns into noise and alerts nobody consumes. With PIRs well defined, every output has a named audience, a decision attached and a recommended action.

We work with models the industry has tested hard: MITRE ATT&CK for adversary techniques, the Diamond Model (Caltagirone, Pendergast, Betz — 2013) for event analysis, F3EAD as the production cycle, and TLP v2.0 (FIRST.org) for the controlled distribution of every piece we produce.

The metric that matters:

Not the volume of IoCs delivered — the number of alerts that drove action, and the reduction in time between a threat appearing on the radar and a detection being live in production.

Three levels, one thread

Tactical (IoCs, TTPs), operational (campaigns, actors, infrastructure) and strategic (sector trends, geopolitics). All three live in one service so the SOC, the IR team and the board each get what they need — at the right level of detail.

PIRs drive collection

We start from Priority Intelligence Requirements — what the organisation actually needs to know, about which assets, against which actors, for which decisions. Without PIRs, CTI becomes noise.

Models that hold up under analysis

MITRE ATT&CK for technique mapping, Diamond Model for event analysis, F3EAD for the production cycle. Open, peer-reviewed, industry-proven — not a vendor-invented framework.

Outputs that drive action

No 120-page PDFs nobody reads. TLP-tagged alerts, SIEM/EDR-ready IoC packages, actor cards, and one-page strategic notes that fit a board agenda.

Levels of intelligence

Tactical, operational, strategic — in one service

Each audience gets the right depth. No layer stands alone.

Tactical

Indicators and TTPs

Contextualised IoCs (IPs, domains, hashes, YARA, Sigma) mapped to ATT&CK techniques. Packaged to drop straight into your SIEM, EDR, firewall or proxy.

Operational

Actors, campaigns, kits

Profiles of the APT, e-crime and hacktivist groups that matter to your sector; observed infrastructure, malware kits, infection chains and links to real incidents in the ecosystem.

Strategic

Trends and risk

Sector trends, geopolitical exposure, threat scenarios against critical business processes. Written for the CISO, the risk committee and the board — not for analysts.

Sources we work with

Diverse collection, scored for reliability

What matters is not the number of sources but their complementary coverage and the reliability scoring that happens before analysis begins.

OSINT and technical communities

Open surface, technical forums, specialised channels and tooling to correlate mentions, leaks and emerging infrastructure.

Underground and closed markets

Monitoring of closed forums, Telegram channels and marketplaces tied to cybercrime, ransomware-as-a-service, access brokering and leaked credentials.

In-house technical intelligence

Internal malware analysis, sandboxing, infrastructure pivoting and enrichment using specialised threat-intel platforms.

Commercial feeds and trusted communities

Integration with commercial CTI vendors, sector ISACs and trust groups operating under TLP — to broaden coverage without duplicating spend.

How we work

The F3EAD production cycle

Find, Fix, Finish, Exploit, Analyze, Disseminate. The cycle that turns PIRs into decisions.

01

Define the PIRs

With the CISO, the SOC and the business: which questions CTI must answer, about which assets, for which decisions. The anchor of the whole cycle.

02

Collection plan

Map sources (OSINT, closed, internal technical, commercial feeds, community) against each PIR, with owners, cadence and reliability criteria.

03

Process and enrich

Normalise, de-duplicate, enrich and score for reliability. Nothing enters analysis without passing these filters.

04

Analyse — ATT&CK + Diamond

Model events, actors and infrastructure. Assess intent, capability and opportunity. We separate what we know from what we infer — and we say which is which.

05

Produce and disseminate

Outputs by level (tactical/operational/strategic) with TLP tagging. Every audience receives the right format and the right depth.

06

Feedback and improve

Every alert is scored: did it add value, was it consumed, did it drive action? PIRs are reviewed quarterly and after every meaningful incident.
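As an added illustration of step 03 (process and enrich), and not code from Hard2bit or from the page itself, the block below takes a handful of constructed raw observations from three hypothetical collection sources, normalises them (refanging, case, trailing dots), de-duplicates them, merges their ATT&CK mappings and scores each indicator from the reliability grade of its sources. The source names, the Admiralty-style grades assigned to them and the 0.5 admission threshold are assumptions made for the example.

```python
"""Added example: a minimal 'process and enrich' stage for raw indicators.

Sources, their reliability grades and all observations below are constructed
for this example; nothing here is real infrastructure.
"""
import ipaddress
import re
from urllib.parse import urlsplit, urlunsplit

# Admiralty-style source grades (A = completely reliable ... F = cannot be judged).
# Assigning these grades to the constructed sources is an assumption of the example.
SOURCE_RELIABILITY = {"isac-share": "B", "commercial-feed": "C", "osint-paste": "E"}
GRADE_WEIGHT = {"A": 1.0, "B": 0.8, "C": 0.6, "D": 0.4, "E": 0.2, "F": 0.0}

# Constructed raw observations as they might arrive: mixed case, defanged
# notation, trailing dots, duplicates and one malformed address.
RAW_OBSERVATIONS = [
    {"source": "isac-share", "type": "domain", "value": "Login-Example[.]Test.", "attack": "T1566.002"},
    {"source": "commercial-feed", "type": "domain", "value": "login-example.test", "attack": "T1566.002"},
    {"source": "osint-paste", "type": "url", "value": "hxxps://login-example[.]test/auth", "attack": None},
    {"source": "commercial-feed", "type": "ipv4", "value": "203.0.113.10", "attack": "T1071.001"},
    {"source": "osint-paste", "type": "ipv4", "value": "203.0.113.10 ", "attack": "T1071.001"},
    {"source": "commercial-feed", "type": "sha256", "value": "AB" * 32, "attack": None},
    {"source": "osint-paste", "type": "ipv4", "value": "999.1.1.1", "attack": None},  # malformed
]


def normalise(obs):
    """Return (type, canonical value), or None if the observation is malformed."""
    value = obs["value"].strip()
    # Refang the defanging conventions commonly used when indicators are shared.
    value = value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    kind = obs["type"]
    if kind == "domain":
        value = value.lower().rstrip(".")
        if not re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", value):
            return None
    elif kind == "url":
        parts = urlsplit(value)
        if not parts.scheme or not parts.netloc:
            return None
        # Scheme and host are case-insensitive; the path is left untouched.
        value = urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                            parts.path, parts.query, parts.fragment))
    elif kind == "ipv4":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return None
        if addr.version != 4:
            return None
        value = str(addr)
    elif kind == "sha256":
        value = value.lower()
        if not re.fullmatch(r"[0-9a-f]{64}", value):
            return None
    else:
        return None
    return kind, value


def enrich(observations, threshold=0.5):
    """De-duplicate, merge sources and ATT&CK mappings, and score each indicator.

    Score = weight of the most reliable source + 0.1 per additional corroborating
    source, capped at 1.0. Returns (admitted_to_analysis, held_for_review).
    """
    merged = {}
    for obs in observations:
        key = normalise(obs)
        if key is None:
            continue  # malformed data never reaches analysis
        entry = merged.setdefault(key, {"type": key[0], "value": key[1],
                                        "sources": set(), "attack": set()})
        entry["sources"].add(obs["source"])
        if obs.get("attack"):
            entry["attack"].add(obs["attack"])
    admitted, held = [], []
    for entry in merged.values():
        best = max(GRADE_WEIGHT[SOURCE_RELIABILITY[s]] for s in entry["sources"])
        entry["score"] = round(min(1.0, best + 0.1 * (len(entry["sources"]) - 1)), 2)
        (admitted if entry["score"] >= threshold else held).append(entry)
    return admitted, held


if __name__ == "__main__":
    ok, review = enrich(RAW_OBSERVATIONS)
    for e in ok:
        print("ADMIT", e["type"], e["value"], e["score"], sorted(e["attack"]), sorted(e["sources"]))
    for e in review:
        print("HOLD ", e["type"], e["value"], e["score"], sorted(e["sources"]))
```

Two of the seven raw lines collapse into one domain indicator corroborated by two sources, the two IPv4 lines collapse into one, the malformed address is dropped before analysis, and the single-source OSINT URL is held for review rather than pushed to detection. The exact weights are a design choice; what matters is that scoring happens before analysis, as step 03 describes.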

What you receive

Actionable outputs, not compendiums

Actionable alerts, in useful time

Early warning on sector-targeted campaigns, credential leaks, brand abuse or actively exploited vulnerabilities — with IoCs, context, TLP tag and a recommended action.

Monthly threat report

The cycle's summary: actors observed in your sector, dominant techniques, vulnerabilities in active exploitation, and concrete recommendations per asset or process.

Actor and campaign cards

Group profiles with ATT&CK-mapped TTPs, historical infrastructure, typical targets, links to real incidents and detection signals we would recommend.

IoC / Sigma / YARA packages

Structured indicators (STIX/TAXII where relevant), Sigma rules for SIEM and YARA rules for sandbox/EDR — versioned and deployment-ready.

One-page strategic brief

Short, board-ready note: threat landscape, implications for the business and the decisions we are asking for.

RFI (Request for Information)

Ad-hoc questions from the SOC or leadership (a suspicious IP, a domain seen in logs, an actor in the news) answered in a defined turnaround.

Frameworks we use

Open, peer-reviewed, traceable

Every framework below is public and verifiable. No vendor-invented methodologies, no acronyms designed for a slide.

  • MITRE ATT&CK for adversary techniques and defensive-capability mapping.
  • Diamond Model of Intrusion Analysis (Caltagirone, Pendergast, Betz — 2013) for structured event modelling.
  • F3EAD (Find, Fix, Finish, Exploit, Analyze, Disseminate) as the production cycle — originally a special-operations model, adapted to intelligence work.
  • TLP v2.0 (Traffic Light Protocol, maintained by FIRST.org) for marking and controlled distribution of every output.
  • STIX 2.1 / TAXII 2.1 (OASIS) when structured exchange with the SOC, an ISAC or partners is appropriate.
  • Priority Intelligence Requirements (PIRs) and Standing Information Requirements to steer collection and analysis.
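The page states that every output carries a TLP v2.0 tag. As an added example, not code from Hard2bit or from FIRST.org, the block below encodes the five TLP v2.0 labels and the audience each one permits, rejects the retired v1 label TLP:WHITE (replaced by TLP:CLEAR in v2.0), and shows two checks a dissemination step needs: whether a given audience may receive a product, and which label a product inherits when it combines items marked at different levels. The audience categories and the hypothetical distribution list are assumptions made for the example.

```python
"""Added example: TLP v2.0 marking and dissemination checks.

Labels and their sharing boundaries follow the FIRST TLP v2.0 definitions; the
audience categories and the sample recipients are constructed for this example.
"""
from enum import Enum


class Audience(Enum):
    """Who a recipient is relative to the originating exchange, narrowest first."""
    NAMED_RECIPIENT = 1          # the individuals the item was addressed to
    OWN_ORGANISATION = 2         # anyone inside the recipient organisation
    ORGANISATION_AND_CLIENTS = 3 # the organisation and its clients, need-to-know
    COMMUNITY = 4                # peers and partner organisations in the community
    PUBLIC = 5                   # no restriction


# Widest audience each TLP v2.0 label allows.
TLP_V2 = {
    "TLP:RED": Audience.NAMED_RECIPIENT,
    "TLP:AMBER+STRICT": Audience.OWN_ORGANISATION,
    "TLP:AMBER": Audience.ORGANISATION_AND_CLIENTS,
    "TLP:GREEN": Audience.COMMUNITY,
    "TLP:CLEAR": Audience.PUBLIC,
}

# TLP v1 label retired in v2.0; surface it as an error instead of guessing.
RETIRED_LABELS = {"TLP:WHITE": "TLP:CLEAR"}


def parse_label(text):
    """Canonicalise a label such as 'tlp: amber + strict' to 'TLP:AMBER+STRICT'."""
    label = "".join(text.split()).upper()
    if label in RETIRED_LABELS:
        raise ValueError(f"{label} is not a TLP v2.0 label; use {RETIRED_LABELS[label]}")
    if label not in TLP_V2:
        raise ValueError(f"unknown TLP label: {text!r}")
    return label


def may_disseminate(label, audience):
    """True if a product marked `label` may be shared with `audience`."""
    return audience.value <= TLP_V2[parse_label(label)].value


def most_restrictive(labels):
    """A product built from several marked items inherits the narrowest label."""
    canonical = [parse_label(l) for l in labels]
    return min(canonical, key=lambda l: TLP_V2[l].value)


def distribution_list(label, recipients):
    """Filter a recipient list (name -> Audience) to those allowed to receive the product."""
    return sorted(name for name, aud in recipients.items() if may_disseminate(label, aud))


# Constructed recipients for a hypothetical client engagement.
SAMPLE_RECIPIENTS = {
    "soc-lead@client": Audience.NAMED_RECIPIENT,
    "ir-team@client": Audience.OWN_ORGANISATION,
    "msp-partner": Audience.ORGANISATION_AND_CLIENTS,
    "sector-isac": Audience.COMMUNITY,
    "public-blog": Audience.PUBLIC,
}


if __name__ == "__main__":
    product = most_restrictive(["TLP:GREEN", "TLP:AMBER", "TLP:CLEAR"])
    print(product, "->", distribution_list(product, SAMPLE_RECIPIENTS))
```

Combining a TLP:GREEN actor card with a TLP:AMBER infrastructure note yields a TLP:AMBER product, which in the sample list reaches the client's named recipients, its IR team and its service partner, but not the ISAC or a public channel. Encoding the rule this way gives the "clear distribution owner" the page asks for something mechanical to check before anything leaves the team.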

Case snapshots · anonymised

How CTI lands in the real world

Profile, context and outcome. Names withheld out of respect for our confidentiality commitments.

European financial group with LATAM footprint

Context

Small in-house CTI team, outsourced SOC and a once-a-year trend report that never made it into the day-to-day.

What we did

Rewrote PIRs by line of business, merged commercial feeds with our technical intel, and wired CTI output into SIEM rules and a monthly brief for the risk committee.

Outcome

Time from public appearance of a technique to a live detection in production shrank materially. The quarterly strategic note became a formal input to the risk committee.

Public-sector organisation running critical citizen services

Context

Recurring hacktivist exposure and targeted phishing waves. CTI scattered across mailing lists, community channels and raw feeds.

What we did

Centralised collection around F3EAD, added brand-abuse and typosquatting monitoring, and linked findings to the IR retainer so reaction time shrank when a campaign materialised.

Outcome

Several campaigns detected before they reached the end user, coordinated takedowns with registrars, and a targeted-campaign response playbook embedded with the SOC.

Industrial group with a distributed supply chain

Context

Concern around sector-specific ransomware and leaked credentials belonging to employees and third parties.

What we did

Stood up leak monitoring in closed markets, built early-warning alerts on active ransomware targeting the sector, and produced operational profiles of the most relevant groups — focused on the TTPs their stack could actually detect.

Outcome

Leaked credentials rotated before exploitation; sector-specific ransomware response plan refreshed with real TTPs and tabletop-exercised twice in the year alongside the IR retainer.

Common mistakes

What CTI is NOT

Six patterns we see often — and the reason so many CTI programmes produce no real value. We design the service to avoid them.

  • × Buying raw IoC feeds and piping them straight into the SIEM — more alerts, worse signal.
  • × Calling an annual trend report 'CTI'. Without an operating cycle and PIRs, it is not intelligence.
  • × Publishing actor profiles with no TLP tag and no clear distribution owner.
  • × Skipping the strategic layer — leaving the board with no independent read on risk.
  • × CTI disconnected from SOC and IR — nice reports that change no detection, no playbook, no decision.
  • × Using the headline APT name without the evidence to back the attribution. Attribution is hard; serious CTI says so.

FAQ

CTI, in plain English

What is Cyber Threat Intelligence, really — and how is it different from Threat Hunting?
CTI is the structured production of knowledge about threats: who attacks, how, why, and what to do about it. Threat Hunting is the active search for adversary activity inside your own data. CTI feeds hunting (hypotheses, TTPs, IoCs) and the SOC (rules, context, prioritisation); hunting validates CTI against the reality of your environment. Complementary, not interchangeable.
Which models and standards do you use?
MITRE ATT&CK for tactics and techniques, the Diamond Model of Intrusion Analysis for event modelling (adversary–capability–infrastructure–victim), F3EAD as the production cycle, TLP v2.0 from FIRST.org for marking and distribution, and STIX 2.1 / TAXII 2.1 when structured exchange is useful. PIRs and SIRs steer collection.
Why are PIRs so central to the service?
Priority Intelligence Requirements are the questions the organisation needs CTI to answer: which assets to protect, which actors matter, which decisions need to be made. Without clear PIRs, CTI becomes noise — feeds nobody consumes. That is why PIRs are the first deliverable and are revisited at least quarterly.
Do you attribute attacks to named actors? With what bar of evidence?
We do operational attribution with internal activity clusters when the evidence supports it. We are careful with public attribution to named groups: attributing to a specific APT requires multiple corroborating vectors, and when our confidence is not high enough we say so clearly. Overstating attribution misleads decision-makers and damages the credibility of the service.
How does this plug into our SOC and IR?
CTI drives detection rules in SIEM/EDR, prioritises existing alerts, enriches IR cases with actor and TTP context, and gives the hunting team a steady source of hypotheses. We work on top of your SOC (in-house or outsourced) and your IR team; where Hard2bit also runs the Managed SOC/MDR and the IR retainer, the integration is immediate.
How is CTI different from a threat-feed subscription?
A feed is a pipe of data. CTI is an analysis and decision service. A feed gives you a list of IPs; CTI tells you which IPs matter to you, why, and what to do about it. Good CTI consumes feeds — it does not replace them, and they do not replace it.
Can CTI output feed audit evidence for DORA, NIS2 or ISO 27001?
Yes. All three frameworks acknowledge the need for threat intelligence. The service produces evidence that supports detection of emerging threats and informed decision-making: regular reports, records of actioned alerts, integration with the risk-management process and traceability of improvements. It fits with DORA, NIS2 and ISO 27001.
How fast do we see value?
Tactical alerts and the first actor cards tend to deliver value within the first few weeks. The strategic layer and the fit with SOC, IR and risk management settle over the first quarter. Quarterly PIR review is what keeps the service from drifting.

Related services

The full defensive loop

CTI provides context; hunting works the data; the SOC runs detection; the IR retainer acts when it matters. Together they close the loop.

CTI that changes what you detect, what you decide, and when you act.

30-day pilot: PIRs, initial collection and first tactical, operational and strategic deliverables focused on your sector — before any recurring commitment.