CTI

Cyber Threat Intelligence

Cyber Threat Intelligence — collection, analysis and dissemination of information about adversaries, their tools and their behaviour.

Why it matters

Useful CTI is not a feed of IPs — it is contextual information that drives a defender decision: which actors target our sector, which campaigns are active, which TTPs to hunt for next. The right metric is decisions informed, not indicators ingested.

How it's tested & exploited

CTI is run as a six-step lifecycle (planning, collection, processing, analysis, dissemination, feedback) and standardised via STIX 2.1 for the data model and TAXII 2.1 for transport, so downstream tools can ingest it without bespoke parsing. A Threat Intelligence Platform (MISP, OpenCTI) centralises ingestion, deduplication, ATT&CK tagging and distribution into SIEM, SOAR and EDR.

In depth

Cyber Threat Intelligence (CTI) is the discipline of gathering, analysing and operationalising information about adversaries — who they are, what they want, what tools they use, what techniques and procedures they prefer, what infrastructure they operate, and which sectors and geographies they target. Useful CTI is not a feed of IP addresses; it is contextual information that drives a defender decision. The standard taxonomy distinguishes strategic CTI (board-level, multi-year horizon: which threat actors target our industry, what is the geopolitical risk picture), operational CTI (planning horizon of weeks to months: which campaigns are currently active, what infrastructure are we seeing reused), tactical CTI (hours-to-days: TTPs from a current campaign, Sigma rules, ATT&CK mapping), and technical CTI (real-time IOCs: file hashes, IP addresses, domain names, certificate fingerprints).

The CTI lifecycle is typically rendered as a six-step loop: planning and direction (what are we asking), collection (where will we get it), processing (deduplication, enrichment, normalisation), analysis (what does it mean), dissemination (who needs to know), and feedback (was it useful). Output formats are standardised through STIX 2.1 (Structured Threat Information eXpression) for the data model and TAXII 2.1 for the transport protocol; mature CTI programmes both consume and produce STIX-formatted intelligence so that downstream tools can ingest it without bespoke parsing.

Sources include commercial vendors (Mandiant, Recorded Future, CrowdStrike Falcon Intelligence, Flashpoint), open-source feeds (MISP communities, OTX, abuse.ch, CIRCL), government sharing (CISA, NCSC, CERT-In, JPCERT), industry ISACs (FS-ISAC, H-ISAC, MS-ISAC, Auto-ISAC), and internal telemetry (your own SIEM and EDR signals enriched and shared back). Mature programmes run a Threat Intelligence Platform (MISP, OpenCTI, ThreatConnect, Anomali) that centralises ingestion, deduplication, scoring, ATT&CK tagging and downstream distribution into SIEM, SOAR, EDR and firewall infrastructure.
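The processing and ATT&CK-tagging steps above, shown as an added Python example that is not part of this page or of any TIP's own code. It builds a minimal STIX 2.1 bundle with only the standard library (no stix2 package), then performs the two processing steps a platform such as MISP or OpenCTI would apply to overlapping feeds: normalising and deduplicating indicators that describe the same observable under different ids, and extracting the ATT&CK technique ids the surviving indicators are linked to. The domain, IP and feed names are constructed sample values; T1566.002 (Spearphishing Link) is a real ATT&CK technique id, and the `attack.mitre.org` URL pattern is the real one.

```python
"""Minimal STIX 2.1 bundle construction, validation, dedup and ATT&CK tagging.
Added example using only the standard library; sample data is constructed."""
import json
import re
import uuid

SPEC = "2.1"

# One simple-comparison STIX pattern: [object-path = 'value']
_PATTERN_RE = re.compile(r"^\[(?P<path>[\w\-:.'\[\]*]+)\s*=\s*'(?P<value>[^']*)'\]$")


def normalise_pattern(pattern: str) -> str:
    """Canonicalise a single-comparison pattern so equivalent indicators collapse.
    Only the value is case-folded, and only for object types where case carries
    no meaning (domains, e-mail addresses, hex hashes); hash key names stay as-is."""
    m = _PATTERN_RE.match(pattern.strip())
    if not m:
        return pattern.strip()          # multi-comparison patterns are left alone
    path, value = m.group("path"), m.group("value").strip()
    if path.startswith(("domain-name:", "email-addr:", "file:hashes")):
        value = value.lower()
    return f"[{path} = '{value}']"


def indicator(pattern, name, ts, indicator_types=("malicious-activity",)):
    """Indicator SDO with a random id, as a real feed would emit it."""
    return {"type": "indicator", "spec_version": SPEC,
            "id": f"indicator--{uuid.uuid4()}",
            "created": ts, "modified": ts, "name": name,
            "pattern": pattern, "pattern_type": "stix", "valid_from": ts,
            "indicator_types": list(indicator_types)}


def attack_pattern(technique_id, name, ts):
    """Attack-pattern SDO carrying the ATT&CK id as an external reference."""
    return {"type": "attack-pattern", "spec_version": SPEC,
            "id": f"attack-pattern--{uuid.uuid4()}",
            "created": ts, "modified": ts, "name": name,
            "external_references": [{
                "source_name": "mitre-attack", "external_id": technique_id,
                "url": "https://attack.mitre.org/techniques/"
                       + technique_id.replace(".", "/") + "/"}]}


def relationship(src, tgt, rel_type, ts):
    return {"type": "relationship", "spec_version": SPEC,
            "id": f"relationship--{uuid.uuid4()}",
            "created": ts, "modified": ts, "relationship_type": rel_type,
            "source_ref": src["id"], "target_ref": tgt["id"]}


def bundle(objects):
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


REQUIRED = {"indicator": ("pattern", "pattern_type", "valid_from"),
            "attack-pattern": ("name",),
            "relationship": ("relationship_type", "source_ref", "target_ref")}


def validate(b):
    """Return a list of problems (empty list = passes these basic 2.1 checks)."""
    problems, ids = [], {o.get("id") for o in b["objects"]}
    for o in b["objects"]:
        common = ("type", "spec_version", "id", "created", "modified")
        for f in common + REQUIRED.get(o.get("type"), ()):
            if f not in o:
                problems.append(f"{o.get('id', '?')}: missing {f}")
        if o.get("type") == "relationship":
            for ref in ("source_ref", "target_ref"):
                if o.get(ref) not in ids:
                    problems.append(f"{o['id']}: dangling {ref} {o.get(ref)}")
    return problems


def dedupe_indicators(b):
    """Processing step: keep the earliest indicator per canonical pattern,
    re-point relationships at the survivor and drop relationships made identical."""
    survivors, alias = {}, {}
    inds = sorted((o for o in b["objects"] if o["type"] == "indicator"),
                  key=lambda o: o["created"])
    for o in inds:
        key = normalise_pattern(o["pattern"])
        if key in survivors:
            alias[o["id"]] = survivors[key]["id"]
        else:
            survivors[key] = o
    kept, seen_rel = [], set()
    for o in b["objects"]:
        if o["type"] == "indicator":
            if o["id"] in alias:
                continue
            o = dict(o, pattern=normalise_pattern(o["pattern"]))
        elif o["type"] == "relationship":
            o = dict(o, source_ref=alias.get(o["source_ref"], o["source_ref"]),
                     target_ref=alias.get(o["target_ref"], o["target_ref"]))
            sig = (o["relationship_type"], o["source_ref"], o["target_ref"])
            if sig in seen_rel:
                continue
            seen_rel.add(sig)
        kept.append(o)
    return dict(b, objects=kept)


def attack_ids(b):
    """Tagging: ATT&CK technique ids reached via 'indicates' relationships."""
    by_id = {o["id"]: o for o in b["objects"]}
    out = set()
    for o in b["objects"]:
        if o["type"] == "relationship" and o["relationship_type"] == "indicates":
            for ref in by_id.get(o["target_ref"], {}).get("external_references", []):
                if ref.get("source_name") == "mitre-attack":
                    out.add(ref["external_id"])
    return sorted(out)


def demo_bundle():
    """Constructed sample: two feeds report the same phishing domain with different
    casing and ids; both map it to the same technique, so one edge is redundant."""
    t1, t2 = "2024-01-01T00:00:00.000Z", "2024-01-02T00:00:00.000Z"
    a = indicator("[domain-name:value = 'Login.Example.COM']", "Phishing domain (feed A)", t1)
    b_ = indicator("[domain-name:value = 'login.example.com']", "Phishing domain (feed B)", t2)
    ip = indicator("[ipv4-addr:value = '192.0.2.10']", "C2 address (constructed)", t2)
    tech = attack_pattern("T1566.002", "Spearphishing Link", t1)
    return bundle([a, b_, ip, tech,
                   relationship(a, tech, "indicates", t1),
                   relationship(b_, tech, "indicates", t2)])


if __name__ == "__main__":
    clean = dedupe_indicators(demo_bundle())
    print(json.dumps(clean, indent=2))
    print("validation:", validate(clean) or "ok")
    print("ATT&CK techniques:", attack_ids(clean))
```

Running it collapses the six input objects to four (two indicators, one attack-pattern, one relationship) and reports `T1566.002` as the technique to hunt for. The dedup keys on the canonical pattern rather than on object id because overlapping feeds never share ids; re-pointing `source_ref`/`target_ref` is what keeps the ATT&CK linkage intact after the duplicate is dropped.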

The most common failure mode is treating CTI as a feed-buying exercise rather than an intelligence-driven decision support function. The right metric is "how many decisions did our CTI inform this quarter," not "how many indicators did we ingest." See Lazarus Group MITRE ATT&CK techniques.

Apply CTI to your programme

AxVeil scopes engagements against the standard you need to satisfy. Send the asset list, the target framework and the audit deadline — we respond with a fixed-fee proposal and a sample report from a comparable engagement.