Threat intelligence — or cyber threat intelligence (CTI) — is the knowledge produced about adversaries, their motivations, capabilities and methods, structured to support defense decisions before, during and after an incident. It is neither a finished product nor a standalone tool: it is a continuous process that turns raw data into actionable understanding, allowing organizations of any size to prioritize resources, detect intrusions earlier and respond with greater precision.
What threat intelligence is and why it matters
Most security breaches are not inevitable. They happen because the defender did not know what the attacker knew — which vulnerability to exploit, which account had a weak password, which third-party supplier was the weakest link. Threat intelligence closes part of that information gap.
According to IBM's Cost of a Data Breach 2024 report, organizations with mature CTI programs identified incidents on average 108 days faster than those without. Each day less that an attacker remains in the network directly reduces the cost of containment, the extent of the breach and the recovery time.
Threat intelligence does not replace technical controls such as firewall, EDR or MFA — it makes them more effective by directing what to monitor, what to block and where to concentrate response capacity.
Levels of threat intelligence
CTI operates at four distinct levels, each aimed at a specific audience and purpose:
| Level | Audience | Question answered | Example deliverables |
|---|---|---|---|
| Strategic | Executive board, CISO, board of directors | Which risks affect my business and sector? | Trend report, sector threat map, executive briefing |
| Tactical | Security managers, architects | Which groups attack me and which TTPs do they use? | Threat actor profile, campaign analysis, ATT&CK controls gap |
| Operational | SOC analysts, response team | Is there an active attack affecting me right now? | Ongoing-campaign alert, incident context, response playbook |
| Technical | Engineers, automated tools | Which malicious artifacts should I block? | IoC feed (hashes, IPs, domains), YARA rules, Suricata signatures |
Mature programs produce and consume all four levels simultaneously. Early-stage programs usually start with the technical level — IoCs in the SIEM — and evolve toward the others as the team grows.
The intelligence cycle
Threat intelligence is not a one-off product: it is an iterative cycle made up of six phases, originally described by the military intelligence model and adapted to the cyber context by the analyst community.
1. Direction
The direction phase defines the Priority Intelligence Requirements (PIRs): the business questions the program must answer. Examples: what is the organization's credential exposure on ransomware forums? Which APT groups have a history of attacking Brazilian fintechs regulated by the Central Bank? Poorly defined PIRs lead to collecting irrelevant data and waste analytical capacity.
2. Collection
With the PIRs defined, the team activates compatible sources: open OSINT (public reports, crt.sh, Shodan, VirusTotal, passive DNS feeds), commercial feeds, dark web and cybercrime forums, internal telemetry (firewall logs, EDR, honeypots) and sector ISACs. Source diversity matters more than volume: one high-quality, low-noise source beats ten uncurated feeds.
3. Processing
Raw data arrives in heterogeneous formats — report PDFs, feed JSONs, forum dumps, SIEM logs. Processing normalizes, enriches (correlation with CVEs, ASNs, known actors) and eliminates duplicates and obvious false positives. Platforms such as MISP, OpenCTI and Anomali facilitate this step with automated parsers and STIX/TAXII integrations.
4. Analysis
Analysis is the central human step of the cycle. Analysts identify patterns, infer the adversary's intent and capability, assess confidence in the information and produce intelligence at each level (technical, operational, tactical, strategic). Structured techniques such as Analysis of Competing Hypotheses (ACH) and the Diamond Model help avoid cognitive biases.
5. Dissemination
Intelligence that does not reach the right hands has no value. Dissemination maps each product to its correct recipient: IoCs go automatically to the SIEM and EDR via STIX/TAXII API; operational alerts reach the SOC via ticket; strategic reports are presented to the CISO and the board in non-technical language. Format, frequency and channel vary by audience.
6. Feedback
The cycle closes when the consuming teams report whether the intelligence was actionable, whether the IoCs produced real detections and whether the PIRs still reflect business priorities. Without feedback, the program drifts into purposeless collection. With feedback, it progressively tunes itself to the reality of the environment and the threats that affect it.
Threat intelligence sources
CTI sources are organized by access type, cost and depth:
- OSINT (Open Source Intelligence): CISA Known Exploited Vulnerabilities (KEV), AlienVault OTX, abuse.ch (Feodo, URLhaus, MalwareBazaar), Shodan, Censys, crt.sh for certificate monitoring, public malware repositories and vendor reports (Mandiant, CrowdStrike, SentinelOne, ESET).
- Commercial feeds: Recorded Future, Flashpoint, Intel 471, VirusTotal Enterprise — offering enriched context, dark web coverage and configurable alerts with an update SLA.
- ISACs (Information Sharing and Analysis Centers): sector organizations such as FS-ISAC (financial), H-ISAC (healthcare), Auto-ISAC (automotive) and MS-ISAC (state/local governments) share confidential intelligence among members of the same sector.
- MISP (Malware Information Sharing Platform): open-source platform created by Luxembourg's CIRCL, used by hundreds of CERTs and SOCs to share threat events in the standardized STIX 2.1 format.
- Internal telemetry: firewall and proxy logs, EDR alerts, Active Directory events, internal DNS records and honeypots positioned in the DMZ provide environment-specific intelligence — impossible to obtain externally.
Threat intelligence frameworks
MITRE ATT&CK
MITRE ATT&CK (Adversarial Tactics, Techniques and Common Knowledge) is the most globally adopted reference for describing adversary behavior. Organized into matrices by platform (Enterprise, Mobile, ICS), it catalogs 14 tactics — from Reconnaissance to Impact — and hundreds of techniques observed in real attacks. Teams use ATT&CK to map detection coverage, plan red team exercises, prioritize SIEM rules and structure incident reports with a common language between vendors and customers.
Diamond Model of Intrusion Analysis
Proposed by Caltagirone, Pendergast and Betz in 2013, the Diamond Model describes each intrusion event as a relationship between four vertices: adversary, infrastructure, capability and victim. The model forces the analyst to see the attack from the adversary's point of view and to identify investigation pivots — for example, the infrastructure used in one incident may reveal other targets of the same group.
Cyber Kill Chain
Developed by Lockheed Martin, the Cyber Kill Chain describes an attack in seven sequential phases: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. The model is useful for identifying at which phase a campaign was detected and which controls could have interrupted it earlier. Its main limitation is the linear view: modern attacks, especially by APT groups, are iterative and non-linear.
IoC versus TTP: why behavior beats the artifact
Indicators of Compromise (IoCs) — hashes of malicious files, IP addresses of command-and-control servers, phishing domains — are the most common entry point in CTI programs. They are easy to consume, integrate directly with blocking tools and generate measurable results quickly.
The problem is their lifespan: sophisticated attackers rotate infrastructure within hours of public exposure. An IP blocked today is replaced tomorrow. Hashes change with a single altered byte in the binary. Domains are registered by the thousands with automation.
TTPs (Tactics, Techniques and Procedures) operate at another level of abstraction. Changing a technique requires the adversary to redesign their tool or operational workflow — a real cost. The group that uses WMI for persistence, obfuscated PowerShell for lateral movement and exfiltration via HTTPS to legitimate domains will keep using those techniques for months, regardless of which specific IP or hash was blocked. Detecting the behavior, not the artifact, is the goal of a mature CTI program.
In practice, good programs use IoCs for short-term detection and fast triage, while investing in behavioral rules based on TTPs for structural medium- and long-term detection.
Practical applications: where CTI delivers results
Vulnerability prioritization
With more than 29,000 CVEs published in 2024, no team can patch everything. CTI contextualizes each vulnerability: is it being actively exploited? By which group? Against which sector? The CISA KEV is the most objective starting point — vulnerabilities listed there have evidence of real-world exploitation and should be patched before the others.
Detection in the SIEM and EDR
IoC feeds power block lists and correlation rules. TTPs generate detection use cases mapped to ATT&CK — for example, a rule that detects the creation of a scheduled task followed by the execution of a child process with base64-encoded arguments covers technique T1053.005 regardless of the hash of the binary used.
Threat hunting
Threat hunting starts from the hypothesis that the adversary is already in the environment and was not detected by the existing controls. CTI provides the hypotheses: the Scattered Spider group uses social engineering by phone to convince helpdesks to reset MFA — I should look for atypical MFA resets in the last 30 days. Without intelligence about the adversary, hunting is vague; with it, it is targeted.
Incident response
During a response, CTI accelerates attribution and scoping. Identifying that the ransomware found corresponds to the BlackBasta group allows the analyst to anticipate which data was exfiltrated before encryption, which other machines may be compromised and which command-and-control infrastructure to block immediately.
Frequently asked questions
- What is the difference between threat intelligence and antivirus?
- Antivirus reacts to known signatures after the threat reaches the endpoint. Threat intelligence is proactive: it collects, analyzes and distributes knowledge about adversaries before the attack, allowing controls such as EDR, SIEM and firewall to anticipate malicious tactics and infrastructure not yet exploited in the target environment.
- What is an IoC and what is its limitation?
- An Indicator of Compromise (IoC) is an observable artifact — file hash, IP address, domain, URL or registry key — that evidences malicious activity. Its main limitation is volatility: attackers rotate infrastructure in hours, making IoCs obsolete quickly. That is why analysts combine IoCs with MITRE ATT&CK TTPs, which are much more stable over time.
- What are TTPs and why are they more valuable than IoCs?
- TTPs describe the adversary's behavior: how they gain initial access, how they move laterally, which tools they use and how they exfiltrate data. While a blocked IP is swapped in minutes, the technique of phishing with a QR code link or the abuse of WMI for persistence persists for months in a group's repertoire. Detecting the behavior, not just the artifact, raises the cost of the attack for the adversary.
- What is MITRE ATT&CK and how is it used in practice?
- MITRE ATT&CK is an open knowledge base maintained by the MITRE Corporation that catalogs tactics and techniques observed in real attacks against Windows, Linux, macOS, cloud and mobile systems. In practice, SOC teams use it to map detection coverage, identify visibility gaps, prioritize SIEM rules and calibrate red team and threat hunting exercises.
- Which sources feed a threat intelligence program?
- Sources are divided into OSINT (vendor reports, CVE, crt.sh, Shodan, passive DNS feeds), commercial feeds (Recorded Future, VirusTotal Enterprise), dark web and ransomware forums, sector ISACs (FS-ISAC, H-ISAC) and internal telemetry — firewall logs, EDR, honeypots and internal DNS. The quality of a CTI program depends on the diversity and curation of these sources.
- Does every company need threat intelligence, regardless of size?
- Yes, but the consumption model varies. Companies of 1 to 50 employees benefit from curated feeds and automatic alerts for credential leaks and look-alike domains. Medium and large organizations incorporate CTI analysts, MISP platforms, SIEM integrations and strategic reports for the board. Decripte offers layers compatible with each size, from the free Threat Management plan to the managed enterprise SOC.
References and recommended reading
- MITRE ATT&CK — attack.mitre.org: knowledge base of adversarial tactics and techniques, continuously updated with field data.
- MISP Project — misp-project.org: open-source threat intelligence sharing platform used by CERTs and SOCs in more than 100 countries.
- SANS Institute — sans.org/white-papers: whitepapers on CTI maturity models, threat hunting and intelligence operations.
- CISA Known Exploited Vulnerabilities Catalog — cisa.gov/known-exploited-vulnerabilities-catalog: mandatory list of vulnerabilities with confirmed field exploitation.
- Lockheed Martin Cyber Kill Chain — the original 2011 model, a reference for attack-phase analysis.
- Diamond Model of Intrusion Analysis — Caltagirone, Pendergast and Betz (2013): technical document available at activeresponse.org.
How Decripte delivers threat intelligence
Decripte operates threat intelligence integrated with the SOC and the Threat Management platform, serving organizations from 1 to more than 100,000 employees. On the free plan, every company receives automated monitoring of credential leaks and look-alike domains, with actionable alerts on the platform. On the paid plans, the intelligence scales to curated commercial feeds, tactical and strategic reports, hypothesis-driven threat hunting and direct integration with the client's SIEM and EDR via STIX/TAXII.
The Threat Intelligence Diagnostic — the platform's central deliverable — maps the organization's exposure level, identifies compromised credentials, exposed infrastructure and TTPs of groups with a history of attacking the sector, and produces a prioritized action plan. All of this without requiring agent installation or system integration on first access.
To start free or explore the plans suited to your size, visit decripte.com.br/planos or start now at decripte.com.br/free.
