Threat Intelligence

Threat intelligence is the collection, analysis and application of data about current and potential cyber threats. It enables organisations to make informed security decisions and adapt defences to the current threat landscape.

    What is threat intelligence?

    Threat intelligence is about understanding who is attacking you, how they do it, and what you can do to protect yourself. It is not merely data about threats. It is analysed, contextualised knowledge that leads to action.

    Without threat intelligence, organisations react blindly. They do not know which threats are most relevant to their sector, which attack methods are in use, or which vulnerabilities are being actively exploited. With threat intelligence, defences can be prioritised based on real risks.

    Threat intelligence integrates with SIEM systems to improve detection, with firewalls and DNS security to block known threats, and with incident response to understand attacker tactics.

    Levels of threat intelligence

    Threat intelligence operates on three levels:

    • Strategic: High-level threat assessments for management. Covers trends, geopolitical risks and sector-specific threats. Example: "Ransomware attacks against the healthcare sector rose 40% in 2025."
    • Tactical: Attack methods and techniques (TTPs) for the security team. Used to improve detection rules and defence strategies. MITRE ATT&CK is a standard reference framework. Relates to vulnerability scanning and patch management.
    • Operational: Specific technical indicators (IoCs) for direct use in security systems. IP addresses, domains, file hashes and URLs that can be blocked in firewalls, endpoint security and web filters.

    All three levels are important. Strategic intelligence informs budgets and priorities. Tactical intelligence improves defences. Operational intelligence stops concrete attacks.

    Application in practice

    Threat intelligence can be applied in several ways:

    SIEM enrichment: Feed IoCs into the SIEM system to detect communication with known malicious IPs and domains. Correlate with internal log data to identify compromised systems.
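
The following is an added example of the SIEM-enrichment step described above; it is not code from the original page. It builds a small indicator matcher over a constructed IoC feed (fictional indicators in the RFC 5737 / RFC 2606 documentation ranges, a placeholder hash) and correlates it with constructed key=value log lines to list which internal hosts touched a known indicator. The log format and the `IocMatcher` class are assumptions made for the example; a real SIEM would do the same lookups against its own event schema.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed IoC feed (fictional, labelled for the example; not a real feed).
IOC_FEED = {
    "ip": {"203.0.113.45": "fictional C2 server, campaign A"},
    "cidr": {"198.51.100.0/24": "fictional bulletproof hosting range"},
    "domain": {"malicious.example": "fictional phishing kit"},
    "sha256": {"0123456789abcdef" * 4: "fictional dropper (placeholder hash)"},
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_log_line(line):
    """Parse a constructed 'timestamp key=value ...' log line into a dict."""
    ts, _, rest = line.strip().partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


@dataclass(frozen=True)
class Match:
    ts: str
    ioc_type: str
    indicator: str
    label: str


class IocMatcher:
    """Looks up IPs, CIDR ranges, domains and SHA-256 hashes from a feed."""

    def __init__(self, feed):
        self.ips = dict(feed.get("ip", {}))
        self.nets = [(ipaddress.ip_network(c), lbl) for c, lbl in feed.get("cidr", {}).items()]
        self.domains = {d.lower().rstrip("."): lbl for d, lbl in feed.get("domain", {}).items()}
        self.hashes = {h.lower(): lbl for h, lbl in feed.get("sha256", {}).items()}

    def match_ip(self, value):
        if value in self.ips:
            return ("ip", value, self.ips[value])
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return None  # not an IP literal, nothing to match
        for net, label in self.nets:
            if addr in net:
                return ("cidr", str(net), label)
        return None

    def match_domain(self, value):
        # Walk up the name so sub.malicious.example still hits malicious.example;
        # the bare TLD is never considered a candidate.
        parts = value.lower().rstrip(".").split(".")
        for i in range(len(parts) - 1):
            candidate = ".".join(parts[i:])
            if candidate in self.domains:
                return ("domain", candidate, self.domains[candidate])
        return None

    def match_hash(self, value):
        h = value.lower()
        return ("sha256", h, self.hashes[h]) if h in self.hashes else None

    def match_event(self, event):
        """Return every (type, indicator, label) hit for one parsed event."""
        hits = []
        for key in ("src", "dst"):
            if key in event and (m := self.match_ip(event[key])):
                hits.append(m)
        if "domain" in event and (m := self.match_domain(event["domain"])):
            hits.append(m)
        if "sha256" in event and (m := self.match_hash(event["sha256"])):
            hits.append(m)
        return hits


def find_compromised_hosts(log_lines, matcher):
    """Correlate log lines with the feed: {host: [Match, ...]} for hosts with hits."""
    compromised = {}
    for line in log_lines:
        ev = parse_log_line(line)
        for ioc_type, indicator, label in matcher.match_event(ev):
            compromised.setdefault(ev.get("host", "unknown"), []).append(
                Match(ev["ts"], ioc_type, indicator, label))
    return compromised


# Constructed sample log lines (internal hosts use 10.0.0.0/8; 192.0.2.10 is a benign documentation IP).
SAMPLE_LOGS = [
    "2025-03-01T09:58:12Z host=ws-17 src=10.0.0.17 dst=192.0.2.10 domain=www.example.com",
    "2025-03-01T10:01:45Z host=ws-17 src=10.0.0.17 dst=203.0.113.45",
    "2025-03-01T10:02:03Z host=ws-22 src=10.0.0.22 dst=198.51.100.77 domain=login.malicious.example",
    "2025-03-01T10:05:30Z host=srv-db1 src=10.0.1.5 dst=10.0.1.9 sha256=" + "0123456789abcdef" * 4,
    "2025-03-01T10:07:00Z host=ws-30 src=10.0.0.30 dst=192.0.2.10 domain=example.com",
]

if __name__ == "__main__":
    for host, hits in find_compromised_hosts(SAMPLE_LOGS, IocMatcher(IOC_FEED)).items():
        for m in hits:
            print(f"{host}: {m.ioc_type} {m.indicator} ({m.label}) at {m.ts}")
```

Running it reports ws-17 (direct IP hit), ws-22 (both a CIDR hit and a parent-domain hit on the same connection) and srv-db1 (hash hit), while ws-30's benign traffic produces nothing. The parent-domain walk matters in practice: feeds usually list the apex domain, while logs record the full host name.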

    Proactive blocking: Update firewall rules, DNS blocklists and web filters with known threats before they reach the organisation.

    Vulnerability prioritisation: Use threat intelligence to prioritise patching. A vulnerability that is being actively exploited by threat actors in your sector should be patched before one with a higher CVSS score that is not being exploited.
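
An added example, not from the original page, of the prioritisation rule stated above: exploitation evidence from threat intelligence outranks the CVSS score. The vulnerability records and their identifiers are constructed placeholders (not real CVEs), and the two boolean flags are assumed to come from a threat-intelligence feed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str               # placeholder identifier, not a real CVE number
    cvss: float                # base score from the scanner
    actively_exploited: bool   # threat intelligence: exploitation observed in the wild
    targets_our_sector: bool   # threat intelligence: actors exploiting it hit our sector


def priority_key(v):
    """Rank: exploited against our sector, then exploited anywhere, then CVSS as tie-breaker."""
    return (v.actively_exploited and v.targets_our_sector, v.actively_exploited, v.cvss)


def prioritise_patching(vulns):
    """Return vulnerabilities in the order they should be patched."""
    return sorted(vulns, key=priority_key, reverse=True)


# Constructed sample scanner output enriched with threat-intelligence flags.
SAMPLE_VULNS = [
    Vulnerability("EXAMPLE-VULN-1", 9.8, actively_exploited=False, targets_our_sector=False),
    Vulnerability("EXAMPLE-VULN-2", 7.5, actively_exploited=True, targets_our_sector=True),
    Vulnerability("EXAMPLE-VULN-3", 8.1, actively_exploited=True, targets_our_sector=False),
    Vulnerability("EXAMPLE-VULN-4", 5.3, actively_exploited=False, targets_our_sector=False),
]

if __name__ == "__main__":
    for rank, v in enumerate(prioritise_patching(SAMPLE_VULNS), start=1):
        print(rank, v.vuln_id, v.cvss, "exploited" if v.actively_exploited else "not exploited")
```

The 9.8 vulnerability with no exploitation evidence lands third, behind a 7.5 that is being exploited against the sector and an 8.1 that is exploited elsewhere; CVSS only decides the order among entries with the same exploitation status.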

    Incident response: During a security incident, threat intelligence helps to understand attacker tactics and predict next steps. This accelerates incident response.

    Security awareness: Share relevant threat assessments with employees to strengthen security awareness. Concrete examples of attacks against similar organisations are more persuasive than general warnings.

    Sources include commercial feeds, open-source feeds (OTX, abuse.ch), CERT organisations, sector-specific ISACs and vendor reports.

    Regulations and standards

    NIS2 requires organisations to share threat intelligence with authorities and other affected parties. This is a central part of NIS2's focus on collective defence.

    ISO 27001 Annex A includes control A.5.7 on threat intelligence, which requires organisations to collect and analyse threat data. An ISMS should define processes for threat intelligence.

    DORA requires financial institutions to collect and share threat intelligence. CIS 18 recommends using threat intelligence to inform security decisions. Under GDPR, threat intelligence helps meet the requirement for appropriate technical measures based on current risks.

    Frequently Asked Questions about Threat Intelligence

    What is the difference between data, information and intelligence?

    Data is raw facts (an IP address). Information is data with context (the IP address is linked to a malware campaign). Intelligence is analysed information with a recommendation (block this IP because it is used by an active ransomware group targeting your sector).

    What are IoCs (Indicators of Compromise)?

    IoCs are technical indicators that show a system may have been compromised. Examples include malicious IP addresses, domain names, file hash values, URLs and email addresses. They are used to detect and block known threats.

    Do small organisations need threat intelligence?

    Yes, but the scope can be adapted. Free feeds from CERT organisations, vendor threat reports and sector-specific sharing groups (ISACs) provide value without large investments. Many security products integrate threat intelligence automatically.