FIELD GUIDE · INTELLIGENCE

What Is Cyber Threat Intelligence (CTI)? Types, Sources, Use Cases

2026-05-08·9 min read·Intelligence

Cyber Threat Intelligence (CTI) is information about adversaries — who they are, what they want, how they operate, and what they're doing right now — that is collected, analyzed and delivered in a form security teams can use to make decisions. Done well, CTI tells you which detections to write next, which patches to prioritize, and which alerts to take seriously. Done badly, it's a firehose of IOCs that buries the SOC. This guide explains both ends.

What is cyber threat intelligence?

Cyber Threat Intelligence (CTI) is evidence-based knowledge — context, mechanisms, indicators, implications and actionable advice — about an existing or emerging threat to assets. It is not a list of bad IPs. It is an analyst saying: this actor, with this motivation, is using this technique against organizations like yours, and here's what you should do about it.

The four types of CTI

Strategic intelligence

High-level, written for executives and the board. Trends, geopolitics, adversary motivations, business risk. Time horizon: months to years. Example: "Ransomware affiliates increasingly target managed service providers as initial access into mid-market customers."

Operational intelligence

Campaign-level. Written for SOC management and detection engineers. Specific actor campaigns, TTPs, infrastructure. Time horizon: weeks. Example: "FIN7 is using a new HTA-based loader in invoice-themed phishing against retail."

Tactical intelligence

Technique-level. Written for detection engineers, threat hunters and red teamers. TTPs mapped to MITRE ATT&CK, attack chains, detection opportunities. Time horizon: days to weeks. One caveat: vendors and frameworks do not agree on these labels. Some swap "operational" and "tactical", and some use "tactical" for indicator-level data. Write the definitions into your own intelligence requirements so every consumer knows what a report labelled "tactical" will contain.

Technical intelligence

Indicator-level. Written for tooling. IP addresses, domains, file hashes, YARA rules, Sigma rules. Time horizon: hours to days. Short-lived and consumed mostly by automation, which is why every indicator needs a confidence score and an expiry attached: an IOC loaded into the SIEM without a TTL never ages out and turns into a false-positive generator once the adversary moves on.

The intelligence cycle

CTI is a process, not a feed. The classic cycle: Direction (what do we need to know?) → Collection (gather raw data from sources) → Processing (normalize, de-duplicate, enrich) → Analysis (turn data into intelligence) → Dissemination (deliver to consumers in the right form) → Feedback (was it useful, did anything change?). Skip the Direction or Feedback steps and you get a feed, not a program.

Sources of threat intelligence

  • OSINT — open-source: vendor blogs, GitHub, social media, news, paste sites.
  • Commercial — Recorded Future, Mandiant Advantage, CrowdStrike Falcon Intel, Intel 471.
  • Government / ISAC — CISA, NCSC, MS-ISAC, FS-ISAC, Health-ISAC.
  • Community — MISP communities, AlienVault OTX, Twitter/X researcher accounts.
  • Internal — your own incident telemetry, the richest and most under-used source.
  • Dark web monitoring — leak sites, criminal forums, initial access brokers.

Operationalizing CTI

Intelligence that doesn't change behavior is wasted. The handful of patterns that work in practice:

  • Pipe technical IOCs into the SIEM/EDR through a TIP (ThreatQ, OpenCTI, Anomali), with confidence and expiry attached so low-quality and stale indicators are filtered before they reach the console.
  • Convert TTPs to ATT&CK technique and sub-technique IDs and feed the detection engineering backlog.
  • Use strategic intelligence to direct red team engagements toward realistic adversaries.
  • Feed brand and credential exposure to fraud / abuse teams, not just security.
  • Brief the board quarterly with strategic intel framed in business risk — not IOC counts.
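The first of the patterns above, indicator ingestion with confidence and expiry applied before anything reaches the SIEM, as an added example that is not part of this guide or of any TIP vendor's code. It takes a STIX 2.1 bundle (constructed for the example), fills in a per-type TTL where the producer set no valid_until, drops indicators below a confidence floor, and matches what survives against constructed log lines. The TTL values and the confidence floor are assumptions to illustrate the mechanism, not recommended numbers; the hash is a stand-in value; and only simple single-comparison STIX patterns are parsed.

```python
"""Age-aware IOC matching: STIX 2.1 indicators -> active set -> hits in log lines.

Added example for this guide. Bundle, log lines, TTLs, confidence floor and the
sample hash are all constructed assumptions, not real threat data.
"""
import json
import re
from datetime import datetime, timedelta

# Assumed default lifetime per STIX object path when the producer set no valid_until.
# Derive real values from your own feedback loop, not from this table.
DEFAULT_TTL = {
    "ipv4-addr:value": timedelta(hours=72),
    "domain-name:value": timedelta(days=14),
    "file:hashes.'SHA-256'": timedelta(days=180),
}
MIN_CONFIDENCE = 50  # assumed floor; indicators below it never reach the SIEM

# Only simple single-comparison STIX patterns are handled; compound patterns are skipped.
_PATTERN = re.compile(r"^\[(?P<path>[\w-]+:[\w.'\-]+)\s*=\s*'(?P<value>[^']+)'\]$")

# Stand-in hash (sha256 of the string "test"), not a real malware sample.
SAMPLE_HASH = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"

# Minimal constructed STIX 2.1 bundle; created/modified fields omitted for brevity.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--4f1d6e3a-1111-4a2b-9c3d-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--0a1b2c3d-0001-4000-8000-000000000001",
         "pattern": "[ipv4-addr:value = '203.0.113.45']",
         "valid_from": "2026-05-01T00:00:00Z", "confidence": 80},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--0a1b2c3d-0002-4000-8000-000000000002",
         "pattern": "[domain-name:value = 'payroll-invoice-portal.example']",
         "valid_from": "2026-04-10T00:00:00Z", "confidence": 85},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--0a1b2c3d-0003-4000-8000-000000000003",
         "pattern": f"[file:hashes.'SHA-256' = '{SAMPLE_HASH}']",
         "valid_from": "2026-01-15T00:00:00Z", "valid_until": "2026-12-31T00:00:00Z",
         "confidence": 90},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--0a1b2c3d-0004-4000-8000-000000000004",
         "pattern": "[ipv4-addr:value = '198.51.100.7']",
         "valid_from": "2026-05-02T00:00:00Z", "confidence": 20},
    ],
})

# Constructed log lines: line 1 hits a live IP, line 2 mentions an expired domain,
# line 3 carries the hash in upper case, line 4 a low-confidence IP, line 5 a near miss.
SAMPLE_LOGS = [
    "2026-05-03T10:15:00Z proxy src=10.0.0.12 dst=203.0.113.45 host=update-check.example",
    "2026-05-03T10:16:02Z dns client=10.0.0.8 query=payroll-invoice-portal.example",
    f"2026-05-03T10:17:30Z edr host=WS-0042 sha256={SAMPLE_HASH.upper()} path=C:\\Users\\Public\\inv.hta",
    "2026-05-03T10:18:11Z proxy src=10.0.0.12 dst=198.51.100.7 host=cdn.example",
    "2026-05-03T10:19:45Z proxy src=10.0.0.9 dst=203.0.113.4 host=mirror.example",
]


def _parse_time(value: str) -> datetime:
    # STIX timestamps end in Z; give fromisoformat an explicit offset for older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_indicators(bundle_json: str) -> list[dict]:
    """Extract atomic indicators from a STIX 2.1 bundle, filling valid_until from DEFAULT_TTL."""
    out = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = _PATTERN.match(obj["pattern"])
        if not m:
            continue  # compound or unsupported pattern: needs a real STIX pattern engine
        path = m.group("path")
        valid_from = _parse_time(obj["valid_from"])
        if "valid_until" in obj:
            valid_until = _parse_time(obj["valid_until"])
        else:
            valid_until = valid_from + DEFAULT_TTL.get(path, timedelta(days=7))
        out.append({"id": obj["id"], "path": path, "value": m.group("value"),
                    "valid_from": valid_from, "valid_until": valid_until,
                    "confidence": obj.get("confidence", 0)})
    return out


def active_indicators(indicators: list[dict], now_iso: str,
                      min_confidence: int = MIN_CONFIDENCE) -> list[dict]:
    """Keep only indicators inside their validity window and at or above the confidence floor."""
    now = _parse_time(now_iso)
    return [i for i in indicators
            if i["valid_from"] <= now < i["valid_until"] and i["confidence"] >= min_confidence]


def match_logs(indicators: list[dict], lines: list[str]) -> list[dict]:
    """Token-bounded search so an indicator 203.0.113.4 cannot fire on 203.0.113.45;
    hash values are compared case-insensitively because EDRs disagree on hex case."""
    hits = []
    for ind in indicators:
        flags = re.IGNORECASE if ind["path"].startswith("file:hashes") else 0
        rx = re.compile(r"(?<![\w.])" + re.escape(ind["value"]) + r"(?![\w.])", flags)
        for n, line in enumerate(lines, start=1):
            if rx.search(line):
                hits.append({"line": n, "indicator": ind["id"], "value": ind["value"]})
    return sorted(hits, key=lambda h: h["line"])


if __name__ == "__main__":
    active = active_indicators(load_indicators(SAMPLE_BUNDLE), "2026-05-03T12:00:00Z")
    for hit in match_logs(active, SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['value']} ({hit['indicator']})")
```

Run at 2026-05-03 the script reports two hits (the live IP on line 1 and the hash on line 3). The domain on line 2 is silently ignored because its 14-day default TTL lapsed in April, and the 198.51.100.7 lookup on line 4 is ignored because the producer's confidence of 20 is below the floor; at 2026-05-04 the IP indicator has aged out as well and only the hash remains active. Those two filters are the difference between a TIP and a firehose.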

Common CTI mistakes

  • Buying feeds without intelligence requirements. You'll drown in data and act on none of it.
  • Treating IOCs as durable. Network indicators go stale in days, IPs often within 72 hours; set a TTL per indicator type and expire them from the SIEM instead of accumulating them.
  • Confusing CTI with threat hunting. Hunting is the activity; CTI is the input that directs it.
  • Ignoring internal intelligence. Your own incidents are higher quality than any vendor feed.
  • Skipping feedback. If no one tells the analysts what helped, the next report won't be better.

Do I need a CTI team?

Most mid-market organizations do not. A single security engineer with clear intelligence requirements, one quality vendor feed and an internal pipeline beats a part-time team without focus.

What's the difference between threat data and threat intelligence?

Data is raw observation (an IP). Intelligence adds context (who used it, when, against whom, why) and a recommendation (block, alert, ignore).

How long are IOCs useful?

A hash identifies one specific sample for as long as that file is in circulation, but it catches nothing once the attacker recompiles or repacks, so treat it as precise but brittle. Domains last days to weeks. IPs are the shortest-lived, often stale within 72 hours, and an address on shared hosting or a CDN may be wrong to block at all. Set a TTL per indicator type and let the feedback step tune the values.

Should I share intelligence with other organizations?

Yes, within ISACs or trusted communities under TLP markings (TLP 2.0: CLEAR, GREEN, AMBER, AMBER+STRICT, RED), which tell the recipient how far they may redistribute what you sent. Sharing is one of the few responses that actually costs adversaries who reuse infrastructure across victims: the first victim's indicators become everyone else's early warning.

How does CTI integrate with MITRE ATT&CK?

ATT&CK is the common language. Tag every reported TTP with an ATT&CK technique or sub-technique ID (T1566.001 for a spearphishing attachment, for example); your detection engineers and red team already think in ATT&CK, and the IDs let you measure coverage against the actors that matter to you rather than against the whole matrix.
