Threat Intelligence
What is Threat Intelligence?
Threat intelligence (TI) is evidence‑based information about existing or emerging cyber threats. It turns raw, uncontextualized data (like an IP address or file hash) into actionable insights detailing who is attacking, what tactics they use, and how to mitigate the risk.
The Four Levels of Threat Intelligence
| Level | Audience | Purpose |
|---|---|---|
| Strategic | Executives, CISOs | High-level business risk trends and financial impacts. |
| Tactical | IT Architects, Engineers | Understanding attacker TTPs (Tactics, Techniques, and Procedures). |
| Operational | Incident Responders, SOC | Specific ongoing campaigns and inbound indicators of compromise. |
| Technical | Security Tools (Firewalls/SIEM) | Ingesting machine-readable data (IPs, malicious domains, hashes). |
Threat Intelligence Platforms (TIPs)
A TIP sits between raw upstream threat data feeds and downstream operational tools, turning many inconsistent inputs into one curated stream. It performs four core functions:
- Aggregation: Collecting intelligence from commercial, OSINT, and internal feeds, each with its own schema and confidence model.
- Normalization: Converting disparate data schemas into a standard structure such as STIX (with TAXII as the transport protocol for exchanging it), and deduplicating indicators that arrive from more than one feed.
- Enrichment: Adding context (geolocation, threat actor attribution, corroboration across feeds) so a bare indicator becomes a decision-ready one.
- Integration: Pushing enriched intelligence straight to firewalls, EDR, and SIEMs via API, filtered by confidence so low-quality indicators do not become blocking rules.
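The four functions above, carried end to end, as an added example (not code from the original page or from any particular TIP product). It aggregates two constructed feeds with different schemas, normalizes them into STIX 2.1 Indicator objects with deterministic IDs so the same indicator from two feeds merges into one, enriches the result from a constructed attribution map and cross-feed corroboration, and emits a confidence-filtered blocklist for a firewall plus a STIX bundle for a SIEM. The feed contents, the actor name and the `x_`-prefixed custom properties are all assumptions made for the illustration.

```python
"""Minimal threat-intelligence pipeline: aggregate -> normalize -> enrich -> integrate."""
import csv
import io
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample feeds (not real intelligence). Two different schemas:
# a CSV feed with a confidence column and a JSON feed without one.
FEED_A_CSV = """indicator,type,confidence,source
198.51.100.23,ip,80,vendor-a
evil.example,domain,60,vendor-a
"""
FEED_B_JSON = json.dumps([
    {"value": "198.51.100.23", "kind": "ipv4", "seen": "2024-05-01"},
    {"value": "44d88612fea8a8f36de82e1278abb02f", "kind": "md5", "seen": "2024-05-02"},
])

# Constructed enrichment context, standing in for a TIP's internal knowledge base.
ACTOR_CONTEXT = {"198.51.100.23": "hypothetical-actor-1"}

# Feed-specific type labels mapped onto STIX cyber-observable object paths.
STIX_PATHS = {
    "ip": "ipv4-addr:value", "ipv4": "ipv4-addr:value",
    "domain": "domain-name:value", "md5": "file:hashes.MD5",
}
PATTERN_VALUE = re.compile(r"= '((?:[^'\\]|\\.)*)'")


def aggregate():
    """Aggregation: pull records from every feed into one list, each in a common dict shape."""
    records = []
    for row in csv.DictReader(io.StringIO(FEED_A_CSV)):
        records.append({"value": row["indicator"], "type": row["type"],
                        "confidence": int(row["confidence"]), "source": row["source"]})
    for item in json.loads(FEED_B_JSON):
        # Feed B carries no confidence; assign a conservative default rather than trusting it blindly.
        records.append({"value": item["value"], "type": item["kind"],
                        "confidence": 50, "source": "osint-b"})
    return records


def stix_id(value):
    """Deterministic UUIDv5 so the same indicator seen in two feeds maps to one STIX object."""
    return "indicator--" + str(uuid.uuid5(uuid.NAMESPACE_URL, value))


def normalize(records):
    """Normalization: convert records into STIX 2.1 Indicator objects, merging duplicates."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    indicators = {}
    for rec in records:
        path = STIX_PATHS.get(rec["type"])
        if path is None:
            continue  # unknown observable type: drop rather than guess a pattern
        escaped = rec["value"].replace("\\", "\\\\").replace("'", "\\'")
        ind = indicators.setdefault(stix_id(rec["value"]), {
            "type": "indicator", "spec_version": "2.1", "id": stix_id(rec["value"]),
            "created": now, "modified": now, "valid_from": now,
            "pattern_type": "stix", "pattern": f"[{path} = '{escaped}']",
            "confidence": 0, "x_sources": [],  # x_ prefix marks custom properties
        })
        ind["confidence"] = max(ind["confidence"], rec["confidence"])
        ind["x_sources"].append(rec["source"])
    return list(indicators.values())


def enrich(indicators):
    """Enrichment: add attribution and raise confidence for indicators corroborated by several feeds."""
    for ind in indicators:
        value = PATTERN_VALUE.search(ind["pattern"]).group(1)
        actor = ACTOR_CONTEXT.get(value)
        if actor:
            ind["labels"] = ["attributed"]
            ind["x_attributed_to"] = actor
        if len(set(ind["x_sources"])) > 1:
            ind["confidence"] = min(100, ind["confidence"] + 10)
    return indicators


def integrate(indicators, min_confidence=60):
    """Integration: a flat blocklist for enforcement points and a STIX bundle for the SIEM.

    Only indicators at or above the threshold reach the blocklist; everything
    still goes to the SIEM, where low-confidence matches are alerts, not blocks.
    """
    blocklist = sorted(PATTERN_VALUE.search(i["pattern"]).group(1)
                       for i in indicators if i["confidence"] >= min_confidence)
    bundle = {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": indicators}
    return blocklist, bundle


if __name__ == "__main__":
    block, bundle = integrate(enrich(normalize(aggregate())))
    print("blocklist:", block)
    print(json.dumps(bundle, indent=2))
```

Running it shows the IP address, which arrived from both feeds, merged into one Indicator with confidence 90 and an attribution, while the MD5 hash (seen once, confidence 50) stays out of the blocklist and reaches only the SIEM bundle. In a real deployment the threshold, the source weighting and the custom properties would be policy decisions, not constants.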