Threat Intelligence
CTI lifecycle, MITRE ATT&CK, IOCs/TTPs, threat modeling (STRIDE, PASTA), STIX/TAXII.
What is Threat Intelligence?
Threat intelligence is the evidence-based knowledge about existing or emerging threats that informs security decisions at every level — from SOC analysts triaging alerts to CISOs allocating budget. Cyber Threat Intelligence (CTI) transforms raw data (IP addresses, file hashes, domain names) into actionable context about who is attacking, how they operate, and what they are after.
The CTI lifecycle — direction, collection, processing, analysis, dissemination, and feedback — provides the structured methodology for producing intelligence. At the tactical level, analysts work with Indicators of Compromise (IOCs) to detect known threats. At the operational level, they study adversary Tactics, Techniques, and Procedures (TTPs) mapped to the MITRE ATT&CK framework to understand attack patterns. At the strategic level, intelligence informs leadership about threat trends, geopolitical risks, and industry-specific targeting.
Threat modeling brings intelligence into the design phase, using frameworks like STRIDE and PASTA to identify potential threats before systems are built. Information sharing standards — STIX (Structured Threat Information Expression) and TAXII (Trusted Automated Exchange of Intelligence Information) — enable machine-readable threat data exchange between organizations, ISACs, and government agencies. The field is being transformed by AI-driven threat analysis, automated IOC enrichment, and platforms that correlate internal telemetry with external threat feeds in real time.
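The tactical, operational and standards pieces above fit together in a small pipeline. The following Python is an added example, not code from the page or from any vendor, standard body or tool named here: it parses a constructed STIX 2.1 bundle (supporting only a subset of the STIX patterning language, namely single-observation expressions with `=` comparisons joined by OR), extracts the IOCs together with the ATT&CK techniques each indicator `indicates`, tags each with its Pyramid of Pain level, and sweeps them over constructed proxy and EDR log lines. All object IDs, addresses, domains, hashes and log lines are assumptions invented for the example; the technique IDs T1071.001 and T1566.001 are real ATT&CK identifiers.

```python
"""Tactical CTI in miniature: parse a STIX 2.1 bundle, extract IOCs with the ATT&CK
techniques they indicate, and sweep them over log lines. Standard library only.
Bundle, IDs, indicator values and log lines are constructed, not real intelligence."""
import json
import re
from collections import defaultdict

# Constructed STIX 2.1 bundle: placeholder UUIDs, documentation IP range and .invalid
# domains (RFC 5737, RFC 2606), and the SHA-256 of empty input as the file hash.
IND1, IND2, IND3 = (f"indicator--00000000-0000-4000-8000-00000000000{n}" for n in (1, 2, 3))
AP_WEB, AP_PHISH = (f"attack-pattern--00000000-0000-4000-8000-0000000000{n}" for n in (10, 11))
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-0000000000ff",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "id": IND1, "name": "C2 beacon address",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.23']",
         "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1", "id": IND2, "name": "C2 domains",
         "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z",
         "pattern": "[domain-name:value = 'updates.example.invalid' OR "
                    "domain-name:value = 'mirror.example.invalid']"},
        {"type": "indicator", "spec_version": "2.1", "id": IND3, "name": "Phishing attachment",
         "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z",
         "pattern": "[file:hashes.'SHA-256' = "
                    "'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"},
        {"type": "attack-pattern", "spec_version": "2.1", "id": AP_WEB,
         "name": "Application Layer Protocol: Web Protocols",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1071.001"}]},
        {"type": "attack-pattern", "spec_version": "2.1", "id": AP_PHISH,
         "name": "Phishing: Spearphishing Attachment",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1566.001"}]},
        {"type": "relationship", "relationship_type": "indicates", "source_ref": IND1, "target_ref": AP_WEB},
        {"type": "relationship", "relationship_type": "indicates", "source_ref": IND2, "target_ref": AP_WEB},
        {"type": "relationship", "relationship_type": "indicates", "source_ref": IND3, "target_ref": AP_PHISH},
    ]})

# Supported subset of STIX patterning: one observation expression whose comparisons
# ("object-type:path = 'value'") are joined by OR. Anything else is skipped.
COMPARISON = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'")
KIND_OF_PATH = {"ipv4-addr:value": "ipv4", "domain-name:value": "domain",
                "file:hashes.'SHA-256'": "sha256"}
# Bianco's Pyramid of Pain: how costly it is for the adversary to replace each indicator type.
PAIN_OF_KIND = {"sha256": "trivial", "ipv4": "easy", "domain": "simple"}

def extract_indicators(bundle_json):
    """Return (kind, value, indicator_id, techniques) for every supported comparison."""
    objects = json.loads(bundle_json)["objects"]
    by_id = {o["id"]: o for o in objects if "id" in o}
    techniques = defaultdict(set)  # indicator id -> ATT&CK technique ids it "indicates"
    for o in objects:
        if o.get("type") == "relationship" and o.get("relationship_type") == "indicates":
            for ref in by_id.get(o["target_ref"], {}).get("external_references", []):
                if ref.get("source_name") == "mitre-attack":
                    techniques[o["source_ref"]].add(ref["external_id"])
    found = []
    for o in objects:
        if o.get("type") == "indicator" and o.get("pattern_type", "stix") == "stix":
            for path, value in COMPARISON.findall(o["pattern"]):
                if path in KIND_OF_PATH:
                    found.append((KIND_OF_PATH[path], value.lower(), o["id"],
                                  sorted(techniques[o["id"]])))
    return found

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
SHA256 = re.compile(r"^[0-9a-f]{64}$")
DOMAIN = re.compile(r"^(?=.*[a-z])[a-z0-9-]+(?:\.[a-z0-9-]+)+$")
TOKEN = re.compile(r"\w+=(\S+)")

def observables(line):
    """Yield (kind, value) for each key=value token that looks like an IP, SHA-256 or domain."""
    for value in (v.lower() for v in TOKEN.findall(line)):
        for kind, rx in (("ipv4", IPV4), ("sha256", SHA256), ("domain", DOMAIN)):
            if rx.match(value):
                yield kind, value
                break

def match_logs(bundle_json, lines):
    """Sweep the indicators over log lines; each hit carries its ATT&CK mapping and pain level."""
    index = defaultdict(list)
    for kind, value, ind_id, techs in extract_indicators(bundle_json):
        index[(kind, value)].append((ind_id, techs))
    hits = []
    for number, line in enumerate(lines, 1):
        for kind, value in observables(line):
            for ind_id, techs in index.get((kind, value), []):
                hits.append({"line": number, "kind": kind, "value": value, "indicator": ind_id,
                             "techniques": techs, "pain": PAIN_OF_KIND[kind]})
    return hits

def techniques_observed(hits):
    """Distinct ATT&CK technique ids evidenced by the hits: the operational-level view."""
    return sorted({t for h in hits for t in h["techniques"]})

# Constructed log lines: proxy and EDR events in key=value form.
LOG_LINES = [
    "2024-05-01T10:02:11Z proxy src=10.0.0.5 dst=198.51.100.23 host=cdn.example.invalid method=GET status=200",
    "2024-05-01T10:02:30Z proxy src=10.0.0.5 dst=203.0.113.9 host=Updates.Example.invalid method=POST status=200",
    "2024-05-01T10:03:40Z edr host=WS-042 event=file_create "
    "sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "2024-05-01T10:04:02Z proxy src=10.0.0.7 dst=192.0.2.44 host=www.example.org method=GET status=304",
]

if __name__ == "__main__":
    for h in match_logs(SAMPLE_BUNDLE, LOG_LINES):
        print(h["line"], h["kind"], h["value"], h["techniques"], "pain:", h["pain"])
```

Running it yields three hits (the C2 address on line 1, the C2 domain on line 2 despite its mixed case, the attachment hash on line 3) and two techniques, T1071.001 and T1566.001. Two points the code makes concrete: the `indicates` relationship plus an `external_references` entry with `source_name` `mitre-attack` is how an ATT&CK mapping is expressed in STIX, which is what lets a feed consumer move from the IOC level to the TTP level automatically; and every hit here sits at the bottom of the Pyramid of Pain, so the hash, IP and domain will be rotated cheaply, while the technique-level view is what detection engineering should build on durably. In production, replace the regex subset with a full STIX pattern parser (the `stix2` library) and fetch bundles from a TAXII server rather than embedding them.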
Why it matters
Without threat intelligence, security teams are defending blind. CTI supplies the adversary context that turns generic defenses into targeted, prioritized security operations: knowing who is likely to attack you, and how they operate, determines which detections, patches and controls deserve attention first.
Threat intelligence feeds every other security domain. Detection engineering uses it to write rules, incident response uses it to investigate, vulnerability management uses it to prioritize, and leadership uses it to allocate resources. It is the connective tissue of informed defense.
Part of the Detect, Test & Respond layer: watch, hunt, attack ethically, analyse, and respond, classical and AI.
Roles where this matters
Career paths where this domain shows up as core or recommended.
Monitor, detect, and respond to security threats in a Security Operations Center. The front line of cyber defense.
Analyze adversary behavior, track threat actors, and produce actionable intelligence that drives defensive decisions.
Investigate breaches, contain threats, and perform digital forensics. The first call when an attack is discovered.
Build detection rules, tune SIEM systems, and hunt for threats that evade automated defenses.
Protect critical infrastructure — power grids, water treatment, manufacturing. Where cyber meets the physical world.
A hybrid role growing out of the realisation that SOCs need engineers who understand cloud-native telemetry, IAM-first threat models, and how to instrument AWS/Azure/GCP for detection.
Owns the end-to-end find → prioritize → fix → verify loop at scale, now increasingly AI-driven.
External-first role: inventories what an attacker can see, tracks what's new, and drives closure through the org. The outside-in counterpart to vuln management.
Dissect malicious software to understand capabilities, extract indicators, and produce attribution. A specialist role that powers threat intelligence, detection engineering, and advanced IR.
Certifications that signal this domain
Credentials whose blueprint meaningfully covers this domain. Core means centrally covered; also touched means present in the blueprint but not the primary focus.
Core coverage
CREST Practitioner Threat Intelligence Analyst
CREST Registered Threat Intelligence Analyst
EC-Council Certified Threat Intelligence Analyst
CompTIA Cybersecurity Analyst+
SOC analyst skills: triage, log analysis, vulnerability management basics.
GIAC Cyber Threat Intelligence
Structured threat intel production, ATT&CK, analytic tradecraft.
GIAC Offensive AI Analyst
GOAA is GIAC's specialized certification for offensive AI techniques, aimed at red teamers, penetration testers, and SOC analysts who need to understand and simulate AI-enabled attack tooling. It is based on SANS course SEC535 and uses GIAC's standard exam format, with an optional CyberLive hands-on lab component. Strength: GIAC certifications carry high credibility in the industry, and the offensive perspective on AI is a genuine differentiator. Weakness: the certification does not cover defensive controls, AI supply chain security, or governance frameworks; it is tailored to offensive specialists and so addresses only a small segment of the market. With a 999 USD exam fee on top of the SANS course cost, the investment is substantial.
MITRE ATT&CK Defender — Cyber Threat Intelligence
MAD20 track for applying the ATT&CK framework in Cyber Threat Intelligence. 18 lectures, focus on identification, development, analysis and application of ATT&CK-mapped threat intelligence. Badge upon course completion (13 CPE hours).
MITRE ATT&CK Defender — ATT&CK Fundamentals
Introductory course to the MITRE ATT&CK framework. Mandatory prerequisite for all advanced MAD20 tracks. 18 lectures, 1 hands-on lab, 1 range scenario. Covers fundamentals of ATT&CK: tactics, techniques, groups, software and mitigations. Badge upon completion (2 CPE hours).
MITRE ATT&CK Defender — Threat Hunting and Detection Engineering
MAD20 track for Threat Hunting and Detection Engineering with ATT&CK. 28 lectures, complete analytics walkthroughs, 60+ range scenarios. Covers systematic development of detection rules and hunting hypotheses based on ATT&CK techniques. Badge upon completion (9 CPE hours).
Splunk Enterprise Security Certified Admin
Operates and tunes Splunk Enterprise Security — content, correlation searches, notable events, and risk-based alerting.
Also touched
CrowdStrike Certified Falcon Administrator
Day-to-day administration of the market-leading EDR platform — sensor deployment, policy authoring, and detection triage in Falcon.
Elastic Certified Engineer
Stands up and operates Elastic Stack clusters — search, observability, and security-analytics workloads on a real cluster.
GIAC Reverse Engineering Malware
Static + dynamic malware analysis, unpacking, custom RE tooling.
GIAC Security Operations Certified
SOC operations, alert triage, metrics, SOAR.
Splunk Core Certified User
Foundational SPL fluency — search, filter, and report on Splunk data without breaking it.
People shaping this field
Researchers and practitioners worth following in this space.
Co-creator of the Diamond Model of intrusion analysis
MITRE ATT&CK threat intelligence lead, SANS instructor
Astronomer turned threat hunter, author of The Cuckoo's Egg
Curated resources
Authoritative sources we ground Threat Intelligence questions in — frameworks, research, guides, and tools.
Mandiant M-Trends Report
Annual IR data: dwell time trends, initial access vectors, detection sources. Empirical data from thousands of engagements. One of the few sources for real-world detection/response metrics.
Verizon Data Breach Investigations Report (DBIR)
Annual analysis of real breach data. The gold standard for empirical questions about attack patterns, threat actor motivations, and time-to-detection.
ENISA Threat Landscape Report
EU-focused annual threat assessment. Covers ransomware, supply chain, disinformation, state-sponsored threats. Useful counterpoint to US-centric sources.
Krebs, B. — KrebsOnSecurity
Investigative journalism on cybercrime, breaches, and network security incidents. Good for real-world scenario questions grounded in actual events.
Mandiant APT Reports
Detailed campaign analyses with TTPs mapped to ATT&CK. APT1, APT28/29, UNC groups. Primary source for threat-actor-specific IR questions. Not marketing — these are original threat research.
MITRE ATT&CK — Threat Groups
Cataloged threat groups with associated TTPs. Good for questions on attribution, TTP overlap, and intelligence-driven detection.
Recorded Future Annual Threat Report
Open-source and dark web intelligence trends. Useful for questions about intelligence sources, collection methods, and the intelligence lifecycle.
Diamond Model of Intrusion Analysis
Four vertices: Adversary, Capability, Infrastructure, Victim. Complements the Kill Chain and ATT&CK. Questions on analytical frameworks and when to apply each model.
Lockheed Martin Cyber Kill Chain
Seven phases from Reconnaissance to Actions on Objectives. Widely adopted but also widely critiqued: it assumes a perimeter-centric, malware-delivery model and lumps post-compromise activity such as lateral movement into Actions on Objectives. Good for compare/contrast with ATT&CK and the Unified Kill Chain.
David Bianco — Pyramid of Pain
Indicator hierarchy from hash values (trivial) to TTPs (tough). Foundational concept for detection engineering and threat intelligence questions.
STIX/TAXII Standards
Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Intelligence Information (TAXII). The standard for sharing cyber threat intelligence.
MISP — Malware Information Sharing Platform
Open-source threat intelligence platform for sharing, storing, and correlating indicators of compromise and threat data.