PRACTITIONER GUIDE | THREAT INTELLIGENCE
Practitioner Guide | 14 min read

Building a Cyber Threat Intelligence Program from Scratch

Sources: SANS CTI Summit Proceedings 2025 | Recorded Future Intelligence Methodology Guide | MITRE ATT&CK CTI Integration Guide | CISA Cybersecurity Advisory Methodology | Intel 471 CTI Program Maturity Model

82%: of organizations consume threat intelligence, but fewer than 30% operationalize it into specific defensive actions
63 days: average time a threat actor's TTPs remain consistent after initial public disclosure
4x: faster mean time to detect for organizations with mature CTI programs vs. reactive-only SOCs

Threat intelligence is information about adversaries that helps you make better security decisions. The operative word is actionable: raw feeds of IP addresses and file hashes are not intelligence; they are data. Real intelligence answers the questions your security program needs answered: which threat actors target organizations like yours, what techniques they use, and what specific defensive actions will reduce your exposure to those techniques. Building a CTI program means building the capability to produce those answers on a repeatable basis.

The Intelligence Lifecycle

CTI programs use an intelligence lifecycle to ensure intelligence production is driven by requirements rather than data availability:

Direction

Define intelligence requirements: what questions does the CTI program need to answer? Requirements come from stakeholders: the SOC needs detection-relevant TTPs, the vulnerability management team needs threat actor exploitation priorities, and the CISO needs strategic threat landscape for board reporting. Without documented requirements, CTI programs drift toward collecting whatever data is available rather than what is needed.

Collection

Gather data from sources that address your requirements: open-source intelligence (OSINT), commercial threat intelligence feeds, information sharing communities (ISACs), dark web monitoring, and internal telemetry (your own incident data is intelligence). Collection should be targeted at requirements, not comprehensive.

Processing

Normalize and structure raw data for analysis. This includes parsing IOC feeds into your TIP (Threat Intelligence Platform), deduplicating data from multiple sources, and tagging data with relevant context (source reliability, confidence level, applicable techniques).

Analysis

Convert processed data into intelligence products that answer your requirements. Analysis involves correlation (connecting indicators to threat actors and campaigns), assessment (evaluating reliability and relevance), and inference (drawing conclusions that are not explicitly stated in the raw data).

Dissemination

Deliver intelligence to the right consumers in the right format. SOC analysts need tactical intelligence (IOCs, detection signatures, alert context). Detection engineers need operational intelligence (TTPs in MITRE ATT&CK format for rule development). Leadership needs strategic intelligence (threat landscape trends, risk assessments). One report format does not serve all audiences.

Feedback

Collect feedback from intelligence consumers on whether products were useful and acted upon. This closes the loop and refines future collection and analysis.

Intelligence Sources

CTI programs draw from multiple source categories, each with different strengths:

OSINT (Open Source Intelligence)

Public threat reports from vendors (Mandiant, CrowdStrike, Recorded Future), security blogs, CISA advisories, MITRE ATT&CK, and academic research. High volume, variable quality, free. Essential but requires analyst judgment to filter signal from noise.

Commercial feeds

Structured intelligence from vendors including Recorded Future, Intel 471, Flashpoint, and Mandiant Advantage. Provide curated IOC feeds, threat actor profiles, and dark web intelligence. Costs range from $30K to $500K+ annually depending on coverage depth. ROI depends heavily on your ability to operationalize the intelligence.

ISACs and ISAOs

Information Sharing and Analysis Centers (FS-ISAC for finance, H-ISAC for healthcare, E-ISAC for energy) provide sector-specific intelligence sharing. Free or low-cost, highly relevant to your industry, legally protected sharing environment. Join your sector's ISAC before any commercial intelligence purchase.

Government sources

CISA advisories, FBI Flash reports, NSA Cybersecurity Advisories, and MS-ISAC bulletins provide actionable intelligence on active campaigns. Free and authoritative. Set up automated ingestion of CISA KEV and CISA advisories as a baseline.

Internal telemetry

Your own incident data, malware samples, and attacker infrastructure observations are the highest-confidence intelligence you have. Analyze every security incident to extract TTPs, IOCs, and actor characteristics. Internal intelligence is directly applicable to your environment in ways external intelligence is not.


Threat Intelligence Platforms (TIPs)

A TIP provides the infrastructure for collecting, enriching, correlating, and disseminating intelligence at scale. Core TIP capabilities: IOC ingestion from multiple feed formats (STIX/TAXII, CSV, JSON, email), automated enrichment (connecting IOCs to threat actors, campaigns, and techniques), SIEM and SOAR integration for automated IOC blocking and alert enrichment, and analyst workflow for investigation and report creation. Leading TIPs include MISP (open-source, widely deployed in ISACs and government), ThreatConnect (enterprise, strong workflow and integrations), Anomali ThreatStream (large feed library), and OpenCTI (open-source, MITRE ATT&CK native). For organizations starting without a TIP budget, MISP provides professional-grade capabilities at no license cost.

Operationalizing Intelligence

The gap between collecting intelligence and acting on it is where most CTI programs fail. Operationalization means converting intelligence into specific security actions:

IOC blocking and alerting

Feed threat actor IP addresses, domains, and file hashes into your SIEM, EDR, and firewall blocklists. Automate this via TIP-to-SIEM integration. Stale IOCs (more than 30 days old) should automatically expire from active blocklists to reduce false positives.
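A minimal version of the Processing step above (normalize, deduplicate, tag with source reliability) combined with the 30-day expiry rule, as an added example that is not code from the guide or any named vendor. The two feeds, the indicator values and the per-feed reliability letters are constructed; the column names are assumptions.

```python
import csv, io, json, re
from datetime import date, timedelta

# Constructed sample feeds (documentation-range IP, .test TLD, dummy hash): not real indicators.
FEED_CSV = """value,last_seen,confidence
203.0.113.7,2025-09-01,70
evil-example.test,2025-10-20,50
"""
FEED_JSON = json.dumps([  # stands in for a JSON document fetched from a second feed
    {"ioc": "203.0.113.7", "seen": "2025-10-25", "confidence": 90},
    {"ioc": "ab" * 32, "seen": "2025-08-10", "confidence": 80},
])
# Assumed per-feed source reliability tag (Admiralty-style letter), set by the analyst.
RELIABILITY = {"csv-feed": "B", "json-feed": "C"}

IOC_PATTERNS = [
    ("ipv4", re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")),
    ("sha256", re.compile(r"^[0-9a-f]{64}$", re.I)),
    ("domain", re.compile(r"^([a-z0-9-]+\.)+[a-z]{2,}$", re.I)),
]

def classify(value):
    """Return the indicator type for a raw value, or 'unknown' if no pattern matches."""
    for ioc_type, pat in IOC_PATTERNS:
        if pat.match(value):
            return ioc_type
    return "unknown"

def parse_feeds():
    """Normalize both feed formats into (source, value, last_seen, confidence) records."""
    records = []
    for row in csv.DictReader(io.StringIO(FEED_CSV)):
        records.append(("csv-feed", row["value"], row["last_seen"], int(row["confidence"])))
    for item in json.loads(FEED_JSON):
        records.append(("json-feed", item["ioc"], item["seen"], int(item["confidence"])))
    return records

def build_blocklist(records, today_iso, max_age_days=30):
    """Deduplicate across feeds, keep the best confidence and latest sighting, expire stale IOCs."""
    today, merged = date.fromisoformat(today_iso), {}
    for source, value, seen, confidence in records:
        key = (classify(value), value.lower())
        rec = merged.setdefault(key, {"last_seen": date.min, "confidence": 0, "sources": set()})
        rec["last_seen"] = max(rec["last_seen"], date.fromisoformat(seen))
        rec["confidence"] = max(rec["confidence"], confidence)
        rec["sources"].add(f"{source}:{RELIABILITY[source]}")  # tag with source reliability
    active = {k: v for k, v in merged.items() if today - v["last_seen"] <= timedelta(days=max_age_days)}
    expired = {k for k in merged if k not in active}
    return active, expired
```

Calling `build_blocklist(parse_feeds(), "2025-11-01")` keeps the IP (seen by both feeds, confidence raised to 90) and the domain active, and expires the hash last seen 83 days earlier.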

Detection rule development

Convert threat actor TTPs into SIEM detection rules using MITRE ATT&CK as the linking framework. When a threat actor report describes their lateral movement technique (e.g., WMI for remote execution), translate that into a Sigma rule and deploy it. Track which techniques from your threat model have corresponding detection rules.
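Added example of the coverage tracking described above (not code from the guide): Sigma rules carry ATT&CK technique IDs in their tags, so a script can compare those tags against the techniques in your threat model and report gaps. The threat model and rule headers are constructed, and the parent/sub-technique roll-up is an assumed convention, not a Sigma rule.

```python
import re

# Constructed threat model: ATT&CK techniques attributed to the actors relevant to our sector,
# as they would be extracted from a threat actor report.
THREAT_MODEL = {
    "T1047": "Windows Management Instrumentation",
    "T1021.006": "Remote Services: Windows Remote Management",
    "T1059.001": "Command and Scripting Interpreter: PowerShell",
    "T1003.001": "OS Credential Dumping: LSASS Memory",
}

# Constructed Sigma rule headers (title and tags only; real rules also carry a detection section).
SIGMA_RULES = [
    {"title": "WMI Remote Process Creation", "tags": ["attack.execution", "attack.t1047"]},
    {"title": "PowerShell Encoded Command", "tags": ["attack.execution", "attack.t1059.001"]},
    {"title": "Remote Services Generic", "tags": ["attack.lateral_movement", "attack.t1021"]},
]

TECHNIQUE_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.I)

def techniques_in_rule(rule):
    """Extract ATT&CK technique IDs (e.g. T1021.006) from a rule's Sigma tags; tactic tags are ignored."""
    ids = set()
    for tag in rule.get("tags", []):
        m = TECHNIQUE_TAG.match(tag)
        if m:
            ids.add(m.group(1).upper())
    return ids

def coverage(threat_model, rules):
    """Map each threat-model technique to its status and the rules that cover it.

    Assumed roll-up convention: a rule tagged only with a parent technique (T1021) counts as
    partial coverage of a sub-technique (T1021.006); only an exact tag counts as covered.
    """
    tagged = [(r["title"], techniques_in_rule(r)) for r in rules]
    report = {}
    for tech in threat_model:
        parent = tech.split(".")[0]
        full = [title for title, ids in tagged if tech in ids]
        partial = [title for title, ids in tagged if parent != tech and parent in ids]
        status = "covered" if full else ("partial" if partial else "gap")
        report[tech] = {"status": status, "rules": full or partial}
    return report

def coverage_percent(report):
    """Share of threat-model techniques with an exact-match detection rule."""
    covered = sum(1 for v in report.values() if v["status"] == "covered")
    return round(100 * covered / len(report), 1) if report else 0.0
```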

Vulnerability prioritization

When threat intelligence identifies that a specific CVE is being actively exploited by threat actors targeting your industry, escalate that CVE to emergency patching status regardless of CVSS score. Intelligence-driven prioritization is more effective than CVSS-only prioritization.

Threat hunting

Use threat actor TTP reports to generate hunting hypotheses: 'If a threat actor using technique X has targeted our sector, what would that look like in our logs?' Run proactive hunts based on intelligence about active campaigns against peers.

Red team scenario planning

Intelligence about threat actors targeting your industry informs red team exercise scenarios. Simulate the specific TTPs used by relevant threat actors rather than generic attack scenarios.

CTI Team Structure and Maturity

CTI program maturity correlates with team size and dedicated resources. At maturity level 1 (reactive): one or two analysts consume OSINT and CISA advisories part-time alongside other SOC duties. IOC feeds are ingested but rarely analyzed for context. At maturity level 2 (developing): a dedicated CTI analyst or small team produces weekly threat briefings for the SOC, operationalizes intelligence into detection rules, and participates in an ISAC. At maturity level 3 (mature): a CTI team of three to six analysts covers strategic, operational, and tactical intelligence, maintains a TIP, produces custom threat actor reports, and integrates intelligence into vulnerability management, red team planning, and board reporting. Most organizations with fewer than 5,000 employees operate at level 1 to 2.

The bottom line

A CTI program is only as valuable as the decisions it improves. Start with documented intelligence requirements from your SOC and vulnerability management teams, join your sector ISAC before buying commercial feeds, and measure program success by how many defensive actions intelligence produces, not by how many feeds you consume.

Frequently asked questions

What is the difference between tactical, operational, and strategic threat intelligence?

Tactical intelligence is short-term and technical: IOCs (IP addresses, domains, file hashes), YARA rules, and detection signatures. Consumed by SOC analysts and detection engineers. Operational intelligence focuses on threat actor TTPs, campaign methodologies, and attack patterns. Consumed by detection engineers, incident responders, and red teams. Strategic intelligence covers broad threat landscape trends, threat actor motivations, and geopolitical context. Consumed by CISOs, risk managers, and board-level stakeholders. A mature CTI program produces all three levels for different audiences.

How do I know which threat actors target my organization?

Start with your sector: MITRE ATT&CK's Groups database tags threat actors by the industries they target. Your sector ISAC publishes sector-specific threat actor profiles. Commercial intelligence vendors (Recorded Future, Mandiant, CrowdStrike) provide industry targeting data. CISA publishes advisories when threat actors actively target specific sectors. Also consider your geography (some threat actors target specific countries), your size (ransomware affiliates have revenue thresholds for targets), and whether you have high-value IP or government contracts that attract nation-state interest.

What is STIX/TAXII and why does it matter?

STIX (Structured Threat Information Expression) is a standardized language for describing threat intelligence objects: indicators, threat actors, campaigns, TTPs, and relationships between them. TAXII (Trusted Automated Exchange of Intelligence Information) is the protocol for sharing STIX data between organizations and platforms. Most commercial threat intelligence feeds and the MITRE ATT&CK framework publish data in STIX format. TAXII enables automated intelligence sharing between your TIP and partner organizations or ISAC feeds. Understanding these standards is essential for building automated intelligence ingestion pipelines.
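Added example (not the guide's or MITRE's code) of what an ingestion pipeline has to do with a STIX 2.1 bundle: read the indicator patterns, resolve the "indicates" relationships so each observable is attributed to the intrusion set it points at, and skip a relationship whose target is missing from the bundle. The bundle, UUIDs and values are constructed placeholders; the pattern extractor handles only equality comparisons, not the full STIX patterning grammar.

```python
import re

# Constructed STIX 2.1 bundle with placeholder UUIDs and non-routable sample values (not a real feed).
# Required 'created'/'modified' timestamps are omitted here for brevity.
ACTOR = "intrusion-set--00000000-0000-4000-8000-0000000000aa"
IND_IP = "indicator--00000000-0000-4000-8000-0000000000bb"
IND_DOM = "indicator--00000000-0000-4000-8000-0000000000cc"
SHA256 = "ab" * 32
BUNDLE = {
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "intrusion-set", "spec_version": "2.1", "id": ACTOR, "name": "EXAMPLE-ACTOR"},
        {"type": "indicator", "spec_version": "2.1", "id": IND_IP, "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.7']", "valid_from": "2025-10-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1", "id": IND_DOM, "pattern_type": "stix",
         "pattern": f"[domain-name:value = 'evil-example.test' OR file:hashes.'SHA-256' = '{SHA256}']",
         "valid_from": "2025-10-01T00:00:00Z"},
        {"type": "relationship", "spec_version": "2.1", "id": "relationship--00000000-0000-4000-8000-000000000101",
         "relationship_type": "indicates", "source_ref": IND_IP, "target_ref": ACTOR},
        {"type": "relationship", "spec_version": "2.1", "id": "relationship--00000000-0000-4000-8000-000000000102",
         "relationship_type": "indicates", "source_ref": IND_DOM, "target_ref": ACTOR},
        # Dangling reference: its target was not included in this pull, a common partial-collection case.
        {"type": "relationship", "spec_version": "2.1", "id": "relationship--00000000-0000-4000-8000-000000000103",
         "relationship_type": "indicates", "source_ref": IND_DOM,
         "target_ref": "intrusion-set--00000000-0000-4000-8000-0000000000dd"},
    ],
}

# Equality comparisons inside a STIX pattern: object path on the left, quoted literal on the right.
COMPARISON = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'")

def extract_observables(pattern):
    """Return (object_path, value) pairs from a pattern like [a:b = 'x' OR c:d = 'y'].
    Only equality comparisons are handled, not the full STIX patterning grammar."""
    return COMPARISON.findall(pattern)

def indicators_by_actor(bundle):
    """Resolve 'indicates' relationships to map each intrusion-set name to its observables."""
    objects = {o["id"]: o for o in bundle["objects"]}
    result = {}
    for obj in bundle["objects"]:
        if obj["type"] != "relationship" or obj.get("relationship_type") != "indicates":
            continue
        src, dst = objects.get(obj["source_ref"]), objects.get(obj["target_ref"])
        if not src or not dst or src["type"] != "indicator" or dst["type"] != "intrusion-set":
            continue  # dangling reference, or not an indicator -> intrusion-set edge
        result.setdefault(dst["name"], []).extend(extract_observables(src["pattern"]))
    return result
```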

How do I measure CTI program effectiveness?

Measure CTI effectiveness by defensive outcomes: detection rules created from intelligence (and their detection rate in production), vulnerabilities prioritized based on threat intelligence that were later confirmed as actively exploited, percentage of IOCs in your environment that correlate with known threat actor infrastructure, and incident response time reduction when intelligence pre-positions knowledge of an attacker's TTPs. Avoid measuring input metrics (feeds subscribed to, reports produced) without connecting them to defensive outcomes.

Is commercial threat intelligence worth the cost?

It depends on your team's capacity to operationalize it. A $200K annual threat intelligence subscription that produces five actionable detection rules per year is not good ROI. The same subscription managed by a dedicated CTI analyst who produces weekly hunting hypotheses, monthly detection rule packages, and quarterly threat actor briefings delivers significantly more value. Before purchasing commercial intelligence, assess whether you have the analyst capacity to consume and act on the additional intelligence volume. OSINT and ISAC membership often deliver better ROI for understaffed programs than commercial feeds.

What is Diamond Model analysis and how is it used in CTI?

The Diamond Model is an analytical framework that describes intrusions using four core features: adversary, capability, infrastructure, and victim. Analysts use the model to characterize threat actors by their consistent tools (capability) and infrastructure patterns, enabling attribution and prediction of future activity. By mapping a new intrusion to the Diamond Model, analysts can determine whether it matches a known threat actor (same infrastructure or capability characteristics) and anticipate what the adversary will do next based on prior behavior. It is complementary to MITRE ATT&CK: ATT&CK classifies technique behavior, the Diamond Model classifies the adversary relationship.

Sources & references

  1. SANS CTI Summit Proceedings 2025
  2. Recorded Future Intelligence Methodology Guide
  3. MITRE ATT&CK CTI Integration Guide
  4. CISA Cybersecurity Advisory Methodology
  5. Intel 471 CTI Program Maturity Model


Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
