
Threat Intelligence

Definition

Threat intelligence is information about cyber threats that has been collected, processed, and analyzed to help organizations make better security decisions.

Threat intelligence is information about cyber threats that has been systematically collected, processed and analysed to enable organisations to make better, faster security decisions. According to Mandiant, organisations with a mature threat intelligence programme reduce average breach detection time by 65%.

How does threat intelligence work?

Threat intelligence follows a six-step cycle: direction (which threats are relevant?), collection (data from diverse sources), processing (structuring raw data), analysis (adding patterns and context), dissemination (sharing information with the right teams) and feedback (evaluating effectiveness). Output ranges from technical indicators such as IP addresses and malware hashes to strategic insights about threat actors and their motivations.

Levels of threat intelligence

Strategic threat intelligence targets management and executives: trends in the threat landscape, geopolitical developments affecting cyber threats and risk profiles by sector. Operational threat intelligence describes the tactics, techniques and procedures (TTPs) of specific threat groups. Tactical threat intelligence contains technical indicators (IOCs) that can be loaded directly into security tools. The combination of all three levels provides a complete threat picture.

Sources of threat intelligence

Open Source Intelligence (OSINT) from public sources such as CVE databases, security blogs and social media. Commercial feeds from specialised providers. Government feeds from national cybersecurity centres. Community sharing via ISACs. Internal intelligence from security logs, incidents and honeypots. Dark web monitoring for leaked credentials and attack plans.

Impact on organisations

Without threat intelligence, security teams operate reactively and are surprised by new threats. With threat intelligence, teams can proactively adjust detection rules, prioritise patching and inform executives about relevant risks. NIS2 requires organisations to collect and process adequate threat information. DORA sets specific threat intelligence requirements for financial institutions.

Protection

Integrate threat intelligence feeds into SIEM, EDR and firewalls for automated detection. Use threat intelligence to formulate threat hunting hypotheses. Share intelligence with sector peers via ISACs. Translate strategic intelligence into concrete security measures.
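As an added illustration (not DEFION's code), the sketch below shows the processing step and the automated detection described above: a raw tactical feed is refanged, classified and deduplicated, then matched against log fields. The feed entries, log lines and function names are constructed for this example.

```python
import ipaddress
import re

# Constructed feed (documentation IPs, .test domain, SHA-256 of empty input).
RAW_FEED = """# constructed sample feed
203.0.113[.]45
hxxp://bad-example[.]test/payload
198.51.100.0/24
E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
203.0.113.45"""
# Constructed key=value log lines, as a proxy or EDR might emit them.
LOGS = [
    "2024-05-01T10:00:01Z src=10.0.0.5 dst=203.0.113.45 action=allow",
    "2024-05-01T10:00:02Z src=10.0.0.6 dst=192.0.2.10 action=allow",
    "2024-05-01T10:00:03Z src=10.0.0.7 dst=198.51.100.77 host=cdn.bad-example.test",
    "2024-05-01T10:00:04Z src=10.0.0.8 sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
]
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/:].*)?", re.I)

def parse_feed(raw):
    """Processing step: refang, classify and deduplicate raw indicators."""
    iocs = {"net": set(), "domain": set(), "sha256": set()}
    for line in raw.splitlines():
        v = re.sub(r"^hxxp", "http", line.strip().replace("[.]", "."), flags=re.I)
        if re.fullmatch(r"[0-9a-f]{64}", v, re.I):
            iocs["sha256"].add(v.lower())
            continue
        try:  # single addresses become /32 networks, so duplicates collapse
            iocs["net"].add(ipaddress.ip_network(v, strict=False))
        except ValueError:  # comments and junk match nothing and are dropped
            m = DOMAIN_RE.fullmatch(v)
            if m:
                iocs["domain"].add(m.group(1).lower())
    return iocs

def match_line(line, iocs):
    """Detection step: return (field, value, kind) for every indicator hit."""
    hits = []
    for key, val in re.findall(r"(\w+)=(\S+)", line.lower()):
        try:
            addr = ipaddress.ip_address(val)
            kind = "ip" if any(addr in net for net in iocs["net"]) else None
        except ValueError:  # not an address: try hash, then domain or subdomain
            kind = "sha256" if val in iocs["sha256"] else None
            if any(val == d or val.endswith("." + d) for d in iocs["domain"]):
                kind = "domain"
        if kind:
            hits.append((key, val, kind))
    return hits
```

Calling `match_line(entry, parse_feed(RAW_FEED))` for each entry in `LOGS` flags the first, third and fourth lines and leaves the second clean.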

How DEFION helps

DEFION provides Managed Threat Intelligence as a managed service. The team collects, analyses and processes threat information from diverse sources and translates it into concrete detection rules and recommendations for the specific environment.

Related terms

IOC (Indicator of Compromise), Threat Hunting, MDR (Managed Detection & Response)