What is threat intelligence?

Threat intelligence is evidence-based knowledge about adversaries, their techniques, and their infrastructure. This guide explains strategic, tactical, and operational threat intelligence, the intelligence cycle, and why raw data alone is not intelligence.

What is threat intelligence?

Threat intelligence is evidence-based knowledge about existing or emerging threats to an organization's assets, people, or reputation. It goes beyond raw data. A list of suspicious IP addresses is data, but an assessment that a specific actor is registering lookalike domains to target a particular brand next quarter is intelligence. The difference is context, analysis, and relevance to a decision-maker.

The broader discipline is often called cyber threat intelligence (CTI), encompassing network, endpoint, identity, and domain-layer signals. Organizations use threat intelligence to anticipate attacks, prioritize defenses, and inform incident response, turning reactive security into proactive risk management.

Types of threat intelligence

Threat intelligence is commonly divided into three levels depending on the audience, time horizon, and level of detail required.

Strategic intelligence

Strategic intelligence addresses long-term trends and risk posture. It answers questions like "Which threat actors target our industry?" and "How is the threat landscape evolving?" Strategic threat intelligence typically reaches executives and board members in narrative reports, risk assessments, and annual threat briefings. It informs budget allocation, policy decisions, and organizational risk appetite.

For example, a strategic intelligence report might identify that domain impersonation attacks against financial services brands have increased significantly year-over-year, driven by cheap domain registration and automated phishing kits.

Operational intelligence

Operational intelligence focuses on the campaigns and infrastructure behind attacks. It answers "How is this campaign being delivered?" and "What infrastructure does this actor control?" Incident responders and threat hunters use operational threat intelligence to understand attacker playbooks, map campaign timelines, and attribute activity to specific groups.

In a domain threat intelligence context, operational intelligence might reveal that a single actor registered 50 domains across five TLDs using the same registrar, the same name server pattern, and certificates issued within a two-hour window.

Tactical intelligence

Tactical intelligence is the most granular. It works with specific indicators of compromise (IOCs) such as malicious domains, IP addresses, file hashes, and email headers. Security operations center (SOC) analysts consume tactical intelligence to write detection rules, populate blocklists, and enrich alerts. Tactical indicators have a short shelf life because attackers rotate infrastructure quickly, so timely delivery matters more than depth.

The intelligence cycle

Most threat intelligence programs follow some version of the intelligence cycle, a structured process for turning questions into actionable output:

  1. Direction. Define the intelligence requirements. What questions need answers? What decisions will the intelligence support?
  2. Collection. Gather raw data from relevant sources, including threat feeds, WHOIS records, passive DNS, Certificate Transparency logs, open-source reporting, and internal telemetry.
  3. Processing. Normalize, deduplicate, and structure the collected data so it can be analyzed consistently.
  4. Analysis. The critical step. Analysts correlate data points, assess confidence levels, identify patterns, and produce findings that answer the original requirements.
  5. Dissemination. Deliver finished intelligence to stakeholders in a format they can act on, such as alerts for SOC analysts, reports for leadership, and feeds for automated tools.
  6. Feedback. Evaluate whether the output was useful and refine future collection and analysis priorities accordingly.

Skipping analysis is the most common failure mode. Teams that push raw feeds into dashboards without context produce noise, not intelligence. A threat intelligence platform is only as valuable as the analytical rigor applied to its data.

Where domain and brand intelligence fits

Domain-focused threat intelligence is a critical slice of the broader CTI landscape. It draws on data sources like WHOIS/RDAP records, DNS resolution history, certificate transparency logs, and web content. A newly registered domain that mimics a legitimate brand is tactical intelligence; a pattern of registrations across multiple TLDs by the same actor is operational intelligence; a trend showing rising impersonation of fintech brands is strategic intelligence.

The key value is speed to context. Correlating a suspicious domain with its hosting, certificate, and registration metadata turns a single string into something an analyst can act on or dismiss with confidence. This is where domain threat intelligence intersects directly with brand protection: security teams and brand teams share the same underlying data but approach it from different angles.
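To make the operational pattern described above concrete (one actor, several TLDs, one registrar, one name-server pattern, certificates issued within a two-hour window), here is an added example that is not code from the original article. It clusters constructed domain records and keeps the largest run of certificates inside the window; the domains, registrar names, host names, and timestamps are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real observations): newly seen domains with
# the registration and certificate metadata the article lists.
RECORDS = [
    {"domain": "examp1e-bank.com",  "registrar": "RegistrarA", "ns": "ns1.host-a.net", "cert_issued": "2024-05-01T10:05:00"},
    {"domain": "examp1e-bank.net",  "registrar": "RegistrarA", "ns": "ns2.host-a.net", "cert_issued": "2024-05-01T10:40:00"},
    {"domain": "examp1e-bank.org",  "registrar": "RegistrarA", "ns": "ns1.host-a.net", "cert_issued": "2024-05-01T11:30:00"},
    {"domain": "examp1e-bank.info", "registrar": "RegistrarA", "ns": "ns3.host-a.net", "cert_issued": "2024-05-01T11:55:00"},
    # Same registrar and name servers, but certified two days later: an outlier
    # that must not break the cluster formed by the four domains above.
    {"domain": "examp1e-bank.co",   "registrar": "RegistrarA", "ns": "ns1.host-a.net", "cert_issued": "2024-05-03T09:00:00"},
    {"domain": "example-bank-login.com", "registrar": "RegistrarB", "ns": "dns1.other.example", "cert_issued": "2024-04-20T08:00:00"},
]


def ns_pattern(ns: str) -> str:
    """Collapse ns1/ns2/... to ns* so sibling name servers share one key."""
    return re.sub(r"^ns\d+\.", "ns*.", ns)


def cluster_registrations(records, window=timedelta(hours=2), min_size=3):
    """Group domains by (registrar, name-server pattern) and, within each group,
    find the largest run of certificates issued inside `window`. A run of at
    least `min_size` domains is one operational lead: a single actor standing
    up a batch of lookalike infrastructure."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["registrar"], ns_pattern(r["ns"]))].append(r)
    clusters = []
    for (registrar, pattern), members in groups.items():
        members.sort(key=lambda m: m["cert_issued"])  # ISO timestamps sort lexically
        times = [datetime.fromisoformat(m["cert_issued"]) for m in members]
        best, start = [], 0
        for end in range(len(members)):  # sliding window over issue times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > len(best):
                best = members[start:end + 1]
        if len(best) >= min_size:
            span = datetime.fromisoformat(best[-1]["cert_issued"]) - datetime.fromisoformat(best[0]["cert_issued"])
            clusters.append({
                "registrar": registrar,
                "ns_pattern": pattern,
                "domains": [m["domain"] for m in best],
                "tlds": sorted({m["domain"].rsplit(".", 1)[1] for m in best}),
                "cert_span_minutes": int(span.total_seconds() // 60),
            })
    return clusters
```

The sliding window matters: a later registration by the same actor (the `.co` record) is excluded from the run rather than stretching the span and discarding the whole group.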

Common data sources for threat intelligence

Effective threat intelligence programs draw from multiple, complementary sources:

  • Registration data. WHOIS and RDAP records reveal registrar, creation date, and (sometimes) registrant details.
  • DNS data. Active and passive DNS show current and historical resolution, enabling infrastructure pivoting.
  • Certificate Transparency. CT logs surface newly issued certificates for suspicious domains within hours.
  • Threat feeds. Commercial and open-source feeds provide curated IOCs, often with confidence scores and context.
  • Internal telemetry. Logs, email gateway data, and endpoint alerts that correlate with external indicators.

No single source covers every threat. The strongest programs fuse multiple sources and apply analytical judgment to weigh confidence levels and relevance.

Limitations

Threat intelligence built from feeds and indicator lists goes stale quickly. Campaign infrastructure churns. Domains drop, IP assignments change, and actors stand up new hosts while older IOCs keep circulating in blocklists, security information and event management (SIEM) content, and ticket history. Out-of-date indicators are often the operational pain point. They inflate alert volume, stretch triage, and can drive blocks or escalations that no longer match current activity.

False positives and coverage gaps still appear, and quality depends heavily on where the data originates. Many feeds combine primary observations with indicators republished from other feeds, sometimes stacked several layers deep. The same IOCs then circulate with weak lineage and little new validation or context. That recycled pattern, a feed built largely from other feeds, can add volume without making the output more useful.

What matters is intelligence that is actionable, grounded in sound sourcing, and delivered in time to affect a decision. Age-out rules, confidence metadata, and refresh cadence should align with both freshness and how much trust the collection chain deserves.
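As an added example (not from the original article) of age-out rules that weigh freshness against how much the collection chain deserves to be trusted, the following scores constructed indicators with a per-type half-life and a per-hop lineage penalty. The half-lives, the penalty factor, the action thresholds, and the sample indicators are assumed values chosen for illustration, not a standard.

```python
from datetime import datetime

# Assumed tuning for this example, not a standard: half-life per indicator type
# in days (infrastructure churns faster than file hashes) and the share of
# confidence an indicator keeps for each feed-to-feed republication hop.
HALF_LIFE_DAYS = {"domain": 14, "ip": 7, "sha256": 180}
LINEAGE_PENALTY = 0.7

# Constructed sample indicators (not real observations). lineage_depth 0 means
# the feed observed the indicator itself; 3 means it was republished three times.
NOW = datetime.fromisoformat("2024-06-01T00:00:00")
SAMPLE_IOCS = [
    {"value": "examp1e-bank.com", "type": "domain", "last_seen": "2024-05-30T00:00:00", "source_confidence": 0.9, "lineage_depth": 0},
    {"value": "203.0.113.10", "type": "ip", "last_seen": "2024-05-25T00:00:00", "source_confidence": 0.9, "lineage_depth": 0},
    # As fresh as the .com entry, but recycled through three feeds with no new validation.
    {"value": "examp1e-bank.net", "type": "domain", "last_seen": "2024-05-30T00:00:00", "source_confidence": 0.9, "lineage_depth": 3},
    {"value": "SHA256_PLACEHOLDER", "type": "sha256", "last_seen": "2024-01-01T00:00:00", "source_confidence": 0.95, "lineage_depth": 1},
]


def effective_confidence(ioc: dict, now: datetime) -> float:
    """Decay the source's stated confidence by age (exponential, per-type
    half-life) and by how many hops the indicator is from a primary observation."""
    age_days = (now - datetime.fromisoformat(ioc["last_seen"])).total_seconds() / 86400
    freshness = 0.5 ** (age_days / HALF_LIFE_DAYS[ioc["type"]])
    lineage = LINEAGE_PENALTY ** ioc["lineage_depth"]
    return round(ioc["source_confidence"] * freshness * lineage, 3)


def decide(score: float) -> str:
    """Map a score to an action: auto-block, alert-only, or retire from blocklists."""
    if score >= 0.6:
        return "block"
    if score >= 0.3:
        return "alert"
    return "retire"


def triage(iocs, now):
    """Score every indicator and attach the action its score warrants."""
    out = []
    for ioc in iocs:
        score = effective_confidence(ioc, now)
        out.append({"value": ioc["value"], "score": score, "action": decide(score)})
    return out


def run_sample():
    return triage(SAMPLE_IOCS, NOW)
```

The recycled `.net` entry is retired even though it is as fresh as the `.com` entry, because three republication hops carry little independent validation; the week-old IP drops to alert-only because IP assignments churn fastest.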

Organizations should treat threat intelligence as a continuous process, not a product. The intelligence cycle is iterative. Each round of feedback improves collection priorities, analytical methods, and the relevance of the output to the decisions it supports.
