100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Cybersecurity

Threat Intelligence

IntermediateConcept11.4K learners

Threat intelligence is evidence-based knowledge about existing or emerging cyber threats — including attacker tactics, indicators of compromise, and motivations — that organizations use to inform security decisions and defenses.

Definition

Threat intelligence is evidence-based knowledge about existing or emerging cyber threats — including attacker tactics, indicators of compromise, and motivations — that organizations use to inform security decisions and defenses.

Overview

Raw threat data — a suspicious IP address, a malware file hash, a phishing domain — becomes threat intelligence once it's been analyzed, contextualized, and made actionable for decision-making. Threat intelligence answers questions like who is likely to target this organization, what techniques do they use, and what specific indicators should defenders watch for, rather than simply listing raw indicators without context. Threat intelligence is typically categorized into three tiers. Strategic intelligence is high-level information for leadership about broad trends and risks, informing budget and policy decisions. Operational intelligence describes the tactics, techniques, and procedures of specific threat actors or campaigns, informing how a Red Team or Blue Team prepares for likely attacks. Tactical intelligence consists of specific, actionable indicators of compromise — malicious IPs, domains, file hashes — that can be fed directly into security tools to block known-bad activity automatically. Threat intelligence feeds commonly integrate directly with a Security Information and Event Management (SIEM) or Security Orchestration, Automation and Response (SOAR) platform, automatically enriching alerts with context about known malicious infrastructure, and can trigger automated blocking when a match is found. This differs from Threat Hunting, which proactively searches an environment for signs of compromise; threat intelligence instead focuses on gathering and analyzing external knowledge about the threat landscape that informs where and how to hunt or defend. Organizations obtain threat intelligence from commercial vendors, government and industry information-sharing groups (ISACs), open-source feeds, and their own internal incident data, often combining multiple sources to build a comprehensive picture relevant to their specific industry and risk profile.

Key Concepts

  • Analyzed, contextualized knowledge about threats — not just raw indicator data
  • Spans strategic, operational, and tactical tiers of detail
  • Informs decisions from executive strategy down to specific blocking rules
  • Integrates with SIEM and SOAR platforms to enrich and act on alerts automatically
  • Sourced from commercial vendors, ISACs, open-source feeds, and internal incidents
  • Focuses on the external threat landscape, distinct from internal threat hunting

Use Cases

Automatically blocking traffic to known malicious IPs and domains
Informing which attack techniques a red team should prioritize simulating
Enriching SIEM alerts with context about known threat actor infrastructure
Briefing executive leadership on emerging risks relevant to the organization's industry
Prioritizing patching based on vulnerabilities actively being exploited in the wild
Sharing indicators of compromise with industry peers through ISACs

Frequently Asked Questions

From the Blog