
Threat Intelligence

Threat intelligence is evidence-based knowledge about attackers, their tactics, techniques, and indicators, collected and analyzed so defenders can anticipate, detect, and respond to threats rather than react blindly. It turns scattered data about adversaries into context that guides real security decisions.

Author
Unihackers Team

Threat intelligence is what separates a security team that anticipates attacks from one that only cleans up after them. Every adversary leaves traces: the tools they build, the techniques they reuse, the infrastructure they rent, and the goals they chase. Threat intelligence is the discipline of collecting those traces, analyzing them, and turning them into context that informs real decisions, from which detection to write next to where the business should spend its security budget. Without it, defenders react blindly to whatever alert fires; with it, they know which threats actually matter to them.

Data Is Not Intelligence

A list of malicious IP addresses is data. A feed of file hashes is data. None of it becomes intelligence until someone analyzes it against a question that matters to a specific audience. That analysis is the work of a threat intelligence analyst, who collects from many sources, removes noise, adds context, and produces something a defender can act on.

The most useful way to organize this work is by level:

These levels are different products for different readers. An executive does not need a file hash, and an analyst writing a detection rule does not need a board-level risk summary. Confusing the levels is one of the most common reasons intelligence programs fail to deliver value.

The Common Language: MITRE ATT&CK

Tactical intelligence becomes far more powerful when everyone describes adversary behavior the same way. That is the role of MITRE ATT&CK, a knowledge base of real-world tactics and techniques. Instead of vague notes like "the attacker stole credentials", teams map behavior to precise techniques (for example OS Credential Dumping, T1003), which makes intelligence comparable across reports, tools, and teams.

A notable shift is that technology vendors now contribute to this picture directly. Anthropic, for instance, published an LLM ATT&CK Navigator that mapped how its models were being misused by attackers, and that intelligence fed into the wider industry record, including the Verizon DBIR. Our breakdown of how attackers are weaponizing AI walks through what this means for defenders in practice.

From Knowledge to Action

Intelligence only matters when it changes what a team does. Inside a security operations center, tactical intelligence tunes detections and prioritizes alerts. It also drives threat hunting: instead of searching systems at random, hunters use intelligence about known TTPs to look in the places attackers actually operate. At the strategic level, the same knowledge shapes where leadership invests, which controls to build first, and which risks to accept.
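As an added illustration (not part of the original article), the sketch below shows why mapping reports to ATT&CK technique IDs makes them comparable and actionable: once three differently worded reports share IDs, a team can rank the techniques it has no detection for. The reports, the detection inventory, and the sector weighting are constructed assumptions; the technique IDs and names are real ATT&CK entries.

```python
from collections import defaultdict

# Real ATT&CK technique IDs and names, used here only as labels.
TECHNIQUES = {
    "T1003": "OS Credential Dumping",
    "T1059": "Command and Scripting Interpreter",
    "T1078": "Valid Accounts",
    "T1486": "Data Encrypted for Impact",
    "T1566": "Phishing",
}
# Constructed sample reports, each already mapped to technique IDs.
REPORTS = [
    {"source": "vendor-report-A", "targets_our_sector": True,
     "techniques": ["T1566", "T1059", "T1003"]},
    {"source": "isac-bulletin-B", "targets_our_sector": True,
     "techniques": ["T1078", "T1003", "T1486"]},
    {"source": "blog-post-C", "targets_our_sector": False,
     "techniques": ["T1566", "T1486"]},
]
# Hypothetical inventory: techniques our existing detection rules cover.
DETECTED = {"T1566", "T1486"}

def rank_gaps(reports, detected, sector_weight=2):
    """Return uncovered techniques as (id, score, sources), highest score first.

    Assumed scoring: a report about our own sector counts sector_weight
    times, any other report counts once.
    """
    score = defaultdict(int)
    sources = defaultdict(list)
    for report in reports:
        weight = sector_weight if report["targets_our_sector"] else 1
        for tid in set(report["techniques"]):  # count each ID once per report
            score[tid] += weight
            sources[tid].append(report["source"])
    gaps = [tid for tid in score if tid not in detected]
    gaps.sort(key=lambda tid: (-score[tid], tid))  # ties broken by ID
    return [(tid, score[tid], sources[tid]) for tid in gaps]

if __name__ == "__main__":
    for tid, s, src in rank_gaps(REPORTS, DETECTED):
        print(f"{tid} {TECHNIQUES[tid]:<34} score={s} seen in {', '.join(src)}")
```

The top-ranked entry is the technique that the most relevant sources report and that no current rule covers, which is the natural candidate for the next detection or hunt.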

Threat intelligence is the bridge between knowing your enemy and being ready for them. Collected well and mapped to a common language, it lets defenders move first instead of last.

In the Bootcamp

How We Teach Threat Intelligence

In our Cybersecurity Bootcamp, you won't just learn about Threat Intelligence in theory. You'll practice with real tools in hands-on labs, guided by industry professionals who use these concepts daily.

Covered in:

Module 8: Advanced Security Operations

Related topics you'll master: Incident Response, DFIR, Threat Hunting, Volatility

360+ hours of expert-led training • CompTIA Security+ included