3 types of threat intelligence
Threat intelligence comes in varying levels of complexity and detail, each catering to different audiences and offering distinct advantages. The three primary types are Tactical, Operational, and Strategic threat intelligence, representing a maturity curve in cyber threat intelligence (CTI). As you progress from tactical to strategic intelligence, the depth of analysis and context increases, making each type progressively more resource-intensive.
1. Tactical threat intelligence
- Challenge: Many organizations focus only on immediate threats without understanding the bigger picture.
- Objective: Broaden the perspective on threats to address underlying security issues.
Tactical intelligence is technical and focused on the immediate future. It deals primarily with indicators of compromise (IOCs) such as malicious IP addresses, URLs, file hashes, and domain names. This type of intelligence is often automated and machine-readable, meaning it can be integrated into security tools via data feeds or API integrations.
However, IOCs have a short lifespan, as threat actors frequently change their infrastructure, rendering these indicators obsolete in a short time. While tactical intelligence is easy to obtain from open-source feeds, it is prone to false positives and lacks strategic analysis. Simply subscribing to a feed may overwhelm a team with data without clear guidance on how to use it.
Questions to ask:
- Do you have an IOC feed in place?
- Are the IOCs you’re using timely and relevant?
- Is malware analysis automated?
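As an added example (not part of the original article), the Python script below applies the two caveats above to a constructed IOC feed: it discards indicators that are older than an assumed per-type lifetime or below an assumed confidence threshold, then matches what remains against constructed log lines. The feed values, the lifetimes and the confidence threshold are assumptions chosen for illustration, not a standard.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample feed for this example (not from any real provider): indicator value,
# type, date the source last observed it, and source confidence (0-100).
FEED = [
    {"value": "203.0.113.7", "type": "ip", "last_seen": "2024-05-30", "confidence": 90},
    {"value": "198.51.100.22", "type": "ip", "last_seen": "2024-03-01", "confidence": 85},
    {"value": "malicious.example", "type": "domain", "last_seen": "2024-05-20", "confidence": 40},
    {"value": "update.example", "type": "domain", "last_seen": "2024-05-25", "confidence": 95},
    {"value": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
     "type": "sha256", "last_seen": "2023-01-10", "confidence": 99},
]

# Maximum age before an indicator is treated as stale (assumed policy values): IPs and domains
# churn quickly, while a file hash keeps identifying the same sample for much longer.
MAX_AGE = {"ip": timedelta(days=7), "domain": timedelta(days=30), "sha256": timedelta(days=365)}
MIN_CONFIDENCE = 60  # assumed threshold to keep low-confidence indicators from paging the SOC

def _utc(day):
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)

def active_indicators(feed, now_iso, max_age=MAX_AGE, min_confidence=MIN_CONFIDENCE):
    """Return {value: entry} for indicators fresh enough and confident enough to alert on."""
    now, active = _utc(now_iso), {}
    for entry in feed:
        if now - _utc(entry["last_seen"]) > max_age.get(entry["type"], timedelta(days=30)):
            continue  # stale: the adversary has most likely rotated this infrastructure
        if entry["confidence"] < min_confidence:
            continue  # low confidence: a likely source of false positives
        active[entry["value"]] = entry
    return active

TOKEN_RE = re.compile(r"[A-Za-z0-9.\-]+")  # splits key=value log fields into candidate tokens

def match_logs(log_lines, active):
    """Return (line_no, indicator) for every log line containing an active indicator."""
    return [(n, tok) for n, line in enumerate(log_lines, 1)
            for tok in TOKEN_RE.findall(line) if tok in active]

# Constructed log lines for the demonstration.
LOGS = [
    "2024-06-01T10:00:01Z proxy allow client=10.0.0.5 dst=update.example",
    "2024-06-01T10:00:02Z fw deny src=198.51.100.22 dst=10.0.0.9",
    "2024-06-01T10:00:03Z fw deny src=203.0.113.7 dst=10.0.0.9",
    "2024-06-01T10:00:04Z dns query name=malicious.example",
]

if __name__ == "__main__":
    active = active_indicators(FEED, "2024-06-01")
    for n, ioc in match_logs(LOGS, active):
        print(f"line {n}: hit on {ioc} (confidence {active[ioc]['confidence']})")
```

Run it with a later "now" and the IP indicator drops out of the active set while the domain still matches, which is the aging behaviour the text describes.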
2. Operational threat intelligence
- Challenge: Threat actors employ techniques that are effective, opportunistic, and low-risk, making it difficult to predict their next moves.
- Objective: Engage in tracking campaigns and threat actor profiling to gain insight into the adversaries’ tactics, techniques, and procedures (TTPs).
Operational threat intelligence provides a deeper understanding of the “who,” “why,” and “how” behind an attack. This intelligence focuses on attribution (the “who”), motivation (the “why”), and the TTPs (the “how”). Operational intelligence provides context that helps security teams understand how attackers plan and sustain campaigns.
Unlike tactical intelligence, operational intelligence is not automated. It requires human analysis to convert data into actionable insights. Operational intelligence has a longer lifespan than tactical intelligence because adversaries cannot change their TTPs as quickly as they swap specific tools or malware.
Questions to ask:
- Is your SOC using threat actor TTPs to create actionable use cases?
- Are you prioritizing vulnerabilities based on CTI?
- Are you using CTI-derived rules (e.g., YARA or Snort) for threat hunting?
3. Strategic threat intelligence
- Challenge: Poor business decisions often result from a lack of understanding of the broader context surrounding adversarial actions.
- Objective: Use threat intelligence to inform business decisions and long-term cybersecurity strategies.
Strategic intelligence offers a high-level perspective on how cyber threats intersect with global events, geopolitical conditions, and organizational risks. For example, nation-state attacks may be linked to geopolitical events, and financially motivated cybercrime groups adapt their techniques based on broader economic trends.
This type of intelligence is typically used by executive leadership (CISOs, CIOs, CTOs) to understand the impact of cyber threats on the organization and guide cybersecurity investments that align with the company’s strategic priorities.
Strategic intelligence is the most difficult to generate, requiring human expertise in both cybersecurity and geopolitics. It typically comes in the form of detailed reports that inform long-term decision-making.
Questions to ask:
- How do global and local events affect the organization’s cybersecurity?
- Is your leadership using strategic intelligence to make informed decisions about cybersecurity investments?