Threat Intelligence
Evidence-based knowledge about existing or emerging threats that informs decisions about how to respond to or mitigate cyber risks.
What Is Threat Intelligence?
Threat intelligence (TI) — also called cyber threat intelligence (CTI) — is actionable, evidence-based knowledge about existing or emerging threats. It answers who is attacking, what techniques they use, what they target, and when they're active — enabling organisations to make informed, proactive security decisions rather than reactive ones.
Good threat intelligence turns raw data (IP addresses, malware hashes) into insights (this ransomware group targets healthcare companies using RDP — here's how to block them).
Types of Threat Intelligence
Strategic: High-level, business-focused intelligence about threat trends, attacker motivations, and geopolitical context. Audience: executives and board members.
Tactical: Intelligence about attacker tactics, techniques, and procedures (TTPs), usually expressed against a framework like MITRE ATT&CK. Audience: security architects, detection engineers, and programme managers.
Operational: Intelligence about specific, planned attacks — campaigns, actors, and targets. Audience: security operations centres.
Technical: Indicators of Compromise (IOCs) — IP addresses, domains, file hashes associated with known threats. Audience: security tools and analysts.
Indicators of Compromise (IOCs)
IOCs are artefacts observed in a network or system that indicate a potential security incident:
- Malicious IP addresses or domains communicating with internal systems
- File hashes of known malware
- Unusual registry modifications or file paths
- Known malicious email addresses
IOC feeds are used to block or alert on known threats automatically in firewalls, email gateways, and endpoint protection tools, and to search historical logs for earlier contact with the same indicators. Treat them as a baseline rather than a complete defence: an IP address or file hash costs an attacker almost nothing to change, so IOCs age quickly and should be paired with detections built on TTPs.
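The following script is an added example, not code from the original page, showing the matching step in practice: it loads a small IOC feed, normalises the indicators (lower-casing, and "refanging" the hxxp:// and [.] forms advisories use so that they match real traffic), and scans a handful of log lines for hits. The feed, the log lines, the host names and the addresses are all constructed for the example (documentation IP ranges and example domains; the hash is the SHA-256 of an empty file), and the feed format is a made-up "type,value" layout rather than any particular vendor's.

```python
"""Match an IOC feed against log lines (constructed data, runs offline)."""
import re
from collections import defaultdict

# Constructed IOC feed, one "type,value" pair per line. Values use
# documentation ranges (RFC 5737 / RFC 2606) and the SHA-256 of an empty
# file, so nothing here refers to a real threat. Two entries are
# "defanged" the way advisories publish them (hxxp://, [.]).
IOC_FEED = """\
ipv4,203.0.113.45
domain,evil[.]example
domain,hxxp://update.bad.example/payload
sha256,E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
"""

# Constructed sample log lines: firewall, proxy and EDR events.
LOG_LINES = [
    "2024-05-01T10:00:01Z fw src=10.0.0.5 dst=203.0.113.45 dport=443 action=allow",
    "2024-05-01T10:00:03Z proxy client=10.0.0.7 host=cdn.evil.example path=/a.js",
    "2024-05-01T10:00:05Z edr host=WS-12 file=invoice.exe "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "2024-05-01T10:00:09Z fw src=10.0.0.9 dst=198.51.100.7 dport=80 action=allow",
]

# Token extractors, applied to the lower-cased log line.
PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b"),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b"),
}


def refang(value):
    """Undo the defanging used in advisories so the value matches real traffic."""
    v = value.strip().lower()
    for defanged, real in (("hxxps://", "https://"), ("hxxp://", "http://"),
                           ("[.]", "."), ("(.)", "."), ("[:]", ":")):
        v = v.replace(defanged, real)
    return v


def normalize(ioc_type, value):
    """Canonical form per type: lower-case, refanged, URLs reduced to their host."""
    v = refang(value)
    if ioc_type == "domain":
        if "://" in v:
            v = v.split("://", 1)[1]
        v = v.split("/", 1)[0].split(":", 1)[0]  # drop path and port
    return v


def load_iocs(feed_text):
    """Parse the feed into {type: set(values)}; skips blank or malformed lines."""
    iocs = defaultdict(set)
    for line in feed_text.splitlines():
        if "," not in line:
            continue
        ioc_type, value = line.split(",", 1)
        ioc_type = ioc_type.strip().lower()
        if ioc_type in PATTERNS:
            iocs[ioc_type].add(normalize(ioc_type, value))
    return iocs


def matches_domain(token, ioc_domains):
    """A domain IOC matches the host itself and any subdomain of it."""
    for d in ioc_domains:
        if token == d or token.endswith("." + d):
            return d
    return None


def scan_logs(lines, iocs):
    """Return (line_index, ioc_type, ioc_value, matched_token) for every hit."""
    hits = []
    for idx, line in enumerate(lines):
        lowered = line.lower()
        for ioc_type, pattern in PATTERNS.items():
            for token in pattern.findall(lowered):
                if ioc_type == "domain":
                    hit = matches_domain(token, iocs.get("domain", ()))
                else:
                    hit = token if token in iocs.get(ioc_type, ()) else None
                if hit:
                    hits.append((idx, ioc_type, hit, token))
    return hits


if __name__ == "__main__":
    for idx, ioc_type, value, token in scan_logs(LOG_LINES, load_iocs(IOC_FEED)):
        print(f"line {idx}: {ioc_type} IOC {value} matched token {token!r}")
```

Run as-is it reports three hits: the firewall connection to the listed IP, the proxy request to a subdomain of the listed domain, and the EDR file event whose hash matches despite the feed publishing it in upper case. The fourth line is clean. The normalisation step is the part most home-grown IOC matchers get wrong: an indicator published as evil[.]example or hxxp://... will silently never match unless it is refanged first, and a domain indicator should cover its subdomains, since attackers rotate host names under a domain they control.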
Threat Intelligence for SMBs
Full-scale threat intelligence programmes require dedicated analysts. But SMBs can benefit from accessible threat intelligence sources:
- CISA Advisories (US): Free alerts on active threats, critical vulnerabilities, and nation-state campaigns. CISA's Known Exploited Vulnerabilities (KEV) catalogue, a list of CVEs confirmed to be exploited in the wild, doubles as a ready-made patch-prioritisation list
- NCSC Advisories (UK): Free guidance and threat alerts for UK organisations
- Open-source feeds: AlienVault OTX, Abuse.ch (URLhaus, MalwareBazaar, Feodo Tracker), PhishTank. These are community-contributed, so expect some false positives and review a feed before wiring it into automatic blocking
- Vendor intelligence: Most endpoint and email security vendors include threat intelligence feeds
Even subscribing to CISA and NCSC advisories and acting on their remediation guidance puts you ahead of most SMBs.