Threat Intelligence: Types, Lifecycle, and Use Cases

Wiz Experts Team

What is threat intelligence?

Threat intelligence is the systematic collection and analysis of data about current and emerging cyber threats that helps organizations make informed security decisions. This process transforms raw threat data into actionable insights that security teams can use to strengthen their defenses and respond to attacks more effectively.

By analyzing threat actors’ tactics, techniques, and procedures (TTPs), threat intelligence enables organizations to shift from reactive to proactive security. This is a critical move, given that data from Corvus Insurance shows that Q1 2024 ransomware attacks were 21% more common than in Q1 2023, with 1,075 victims present on leak sites.

Instead of waiting for attacks like these to happen, security teams need to anticipate threats, understand business-specific risks, and make strategic investments in the right security controls.

Why is threat intelligence important?

Threat intelligence is important because it helps organizations make smarter security decisions. By understanding the tactics and goals of attackers, you can focus your defenses where they matter most.

It also helps you spot new threats early, respond more quickly to incidents, and reduce the risk of costly breaches. And for security leaders, it provides the evidence they need to justify investments and shape security strategy, which is imperative because 2025 research found that cloud security is a “top investment priority for tech leaders.”

The 4 types of threat intelligence

There are four main types of threat intelligence, each with its own use cases and focus. Here’s a closer look:

Figure 1: The four types of cyber threat intelligence

1. Strategic threat intelligence

Strategic threat intelligence presents a bird’s eye view that lets C-suite execs, CISOs, and security operations center (SOC) managers see the big picture of their organizations’ threat landscape, including malicious actors, commonly targeted assets, and potential blast radii.

It focuses on revealing how organizations may be vulnerable to cyber threat trends, known vulnerabilities, and threat actors due to geopolitical conflicts. Additionally, strategic threat intelligence drives cybersecurity strategy, defines security investments, and shapes preventive actions.

2. Operational threat intelligence

Operational threat intelligence, which typically comes from the dark web and other hacker sources, provides real-time clues about ongoing or future attacks. With this data, SOC analysts and incident response managers can dig into the names of attackers and attack groups, their motives, timing, and nature of attacks. This allows security teams to design specific countermeasures and tweak security controls to match up with emerging threats.

3. Tactical threat intelligence

Tactical threat intelligence provides more detailed insights on attacker TTPs, tools, and particular vulnerabilities that attackers exploit in specific software. Security teams leverage this type of threat intelligence to understand how attackers operate and how to build effective defense strategies or strengthen existing security controls to mitigate risks.

4. Technical threat intelligence

Technical threat intelligence is time-bound threat data that reveals specific attack vectors and indicators of compromise (IoCs), like IP addresses, malicious links, phishing emails, login anomalies, malware, and file hashes that suggest an ongoing attack. Because indicators age quickly, this type of threat intelligence requires quick action to contain the activity they point to and rebuild defenses before it escalates into a full-blown attack.

Use cases and benefits of threat intelligence

Threat intelligence delivers measurable security benefits across every level of an organization by providing the context that each stakeholder needs for informed decision-making, based on their specific responsibilities. Here’s what each stakeholder needs to know:

  • CISOs and CTOs leverage threat insights to make strategic decisions about security spending and policies so investments align with real-world threats for maximum ROI.

  • Security architects use threat intelligence to anticipate attacks and build preventive security controls from the ground up to create more resilient infrastructure.

  • SOC analysts apply threat intelligence to detect threats and IoCs faster while prioritizing the most critical alerts.

  • Threat researchers rely on threat intelligence for monitoring, modeling, and profiling threat actors to predict attackers’ moves and develop countermeasures.

  • Security and incident response teams use threat intelligence to contain attacks more quickly and conduct more effective root cause analysis.

  • DevOps teams integrate threat intelligence into development processes to build secure-by-design software that’s safe from known threats.

  • Red teams employ threat actor TTPs to simulate realistic attacks and identify security gaps before malicious actors can exploit them.

Sources of threat intelligence

Reliable threat intelligence relies on information from real data points, feeds, and attacks that are relevant to your specific cybersecurity goals. Below are some top threat intel sources you can use to boost your own threat intelligence:

Internal threat data

This data is security information that you draw from within your own organization to find software design vulnerabilities, attack attempts, and core risks in your stack. Go-to sources for internal threat data include network logs, runtime data, historical security incidents, and security tool reports.

External threat data

Of course, there’s more to grapple with than just internal threats. To fortify against external threats, enterprises must also collect actionable cyber intelligence from sources like these:

  • Open-source intelligence: This publicly available information comes from websites, social media, news sources, public databases, and domain registries.

  • Dark web monitoring: This data is what teams collect by tracking dark web forums, chatrooms, markets, and other hacker platforms.

  • Closed-source intelligence: Private threat intelligence analysts or security firms gather this intelligence (but it’s usually only accessible via a subscription or membership).

  • Government-sanctioned intelligence: This information comes from government advisories or intelligence feeds, like the CISA Automated Indicator Sharing threat intelligence feed, which shares cyber threat indicators between the US government and the private sector.

  • Human intelligence: Agents gather these cyber intelligence reports through undercover access to criminal forums, phishing attempts on hackers, or other stealth methods to de-anonymize hackers or fact-check attackers’ data theft claims.

Cloud-specific threat intelligence feeds

These threat intelligence feeds focus specifically on cloud attack trends and contain intelligence reports on potential threats and vulnerabilities in cloud native apps, data, and cloud environments. A prime example of a cloud-specific threat intelligence feed is Wiz’s Cloud Threat Landscape, the first of its kind to focus specifically on cloud risks.

So how do cloud-specific threat intelligence feeds work?

These feeds function as threat intelligence databases, continuously collecting, summarizing, and storing intel on past, ongoing, and future attacks on cloud environments. And unlike generic threat feeds, they focus on cloud TTPs like identity and access control weaknesses, supply chain risks, insecure API calls, and misconfigurations, including those in storage buckets, networks, containers, and other cloud native services.

Cloud intelligence feeds also pick out threats and attack vectors that keep surfacing so organizations can understand attack patterns, malicious actors, and commonly targeted entry points in cloud environments.

How threat intelligence works: The threat intelligence lifecycle

Figure 2: The six stages of the threat intelligence lifecycle (Source: Silobreaker)

The threat intelligence lifecycle transforms raw security data into actionable insights through a systematic, six-stage process. This structured approach ensures that organizations collect relevant information, analyze it effectively, and use it to strengthen their security posture:

  1. Planning and direction: At this stage, you should define your organization’s threat intelligence requirements, including what information to collect, your threat hunting goals, and which teams will use the intelligence.

  2. Collection: Next, threat hunting teams and analysts gather data from internal sources, external feeds, and cloud-specific threat intelligence sources.

  3. Processing: You’ll then filter and curate the collected threat intelligence to remove noise, leaving only the relevant signals that are necessary for effective threat hunting operations.

  4. Analysis: Afterward, you should examine the processed intelligence to understand its implications for your business, correlate findings with security events, and enrich data for incident triage.

  5. Dissemination: You’ll share your findings with stakeholders, including CISOs, SOC teams, and incident response teams, by following secure information sharing guidelines.

  6. Feedback: Finally, you can collect feedback from stakeholders to improve the intelligence gathering process and help you focus on relevant threats while eliminating unnecessary noise that doesn’t apply to your organization.
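As an added example (not code from the original article or from Wiz), here is a small Python pipeline for the processing and analysis stages applied to technical intelligence: it normalizes a constructed indicator feed, drops malformed and aged-out entries (technical intelligence is time-bound), merges duplicate indicators reported by several sources, and correlates the result with constructed log lines. The feed, the log lines, the reference time NOW, and the 30-day expiry window are all assumptions made for the illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta
NOW = datetime(2024, 5, 4)  # constructed reference time for the sample data below
# Constructed indicator feed (documentation IP ranges, made-up hash): not real IoCs.
FEED = [
    {"type": "ip", "value": "203.0.113.10", "last_seen": "2024-05-01T10:00:00Z", "source": "osint"},
    {"type": "ip", "value": " 203.0.113.10", "last_seen": "2024-05-03T08:00:00Z", "source": "closed"},
    {"type": "sha256", "value": "0123456789ABCDEF" * 4, "last_seen": "2024-05-02T00:00:00Z", "source": "internal"},
    {"type": "ip", "value": "198.51.100.7", "last_seen": "2023-01-01T00:00:00Z", "source": "osint"},
    {"type": "ip", "value": "not-an-ip", "last_seen": "2024-05-01T00:00:00Z", "source": "osint"},
]
# Constructed log lines standing in for internal telemetry (firewall and EDR).
LOGS = [
    "2024-05-04T12:00:01Z fw deny src=203.0.113.10 dst=10.0.0.5 dport=443",
    "2024-05-04T12:00:02Z fw allow src=10.0.0.9 dst=10.0.0.5 dport=22",
    "2024-05-04T12:01:00Z edr exec host=web-1 sha256=" + "0123456789abcdef" * 4,
    "2024-05-04T12:02:00Z fw deny src=198.51.100.7 dst=10.0.0.5 dport=80",
]
TOKEN = re.compile(r"(?:src|dst)=(\S+)|sha256=([0-9a-f]{64})")
def normalize(entry):
    """Processing: canonicalize and validate one feed entry; None means noise."""
    value = entry["value"].strip().lower()
    if entry["type"] == "ip":
        try:
            ipaddress.ip_address(value)
        except ValueError:
            return None
    elif entry["type"] != "sha256" or not re.fullmatch(r"[0-9a-f]{64}", value):
        return None
    return (entry["type"], value)
def process(feed, now=NOW, max_age=timedelta(days=30)):
    """Processing: drop noise and expired entries, merge duplicates across sources."""
    cutoff = (now - max_age).strftime("%Y-%m-%dT%H:%M:%SZ")  # same format as the feed
    indicators = {}
    for raw in feed:
        key = normalize(raw)
        if key is None or raw["last_seen"] < cutoff:  # timestamps compare as strings
            continue  # malformed value, or a time-bound indicator that has aged out
        indicators.setdefault(key, set()).add(raw["source"])
    return indicators
def correlate(indicators, logs):
    """Analysis: match each log line against the curated indicators; return the hits."""
    hits = []
    for line in logs:
        for ip, digest in TOKEN.findall(line):
            key = ("ip", ip) if ip else ("sha256", digest)
            if key in indicators:
                hits.append((line, key, sorted(indicators[key])))
    return hits
```

Running `correlate(process(FEED), LOGS)` yields two hits (the current IP from two sources and the hash), while the aged-out 198.51.100.7 sighting produces none even though it appears in the logs.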

The challenges of threat intelligence gathering

Organizations face significant operational challenges when implementing threat intelligence programs, despite understanding their value. The following challenges can undermine the effectiveness of even well-intentioned threat intelligence initiatives:

  • Information overload and false positives: The massive volume of data that comes from open-source intelligence sources often creates a major bottleneck. As a result, organizations must wade through endless low-yield information and false positives before finding actionable intelligence, then correlate this data with real-time risks in their environments.

  • Lack of processed intelligence: Most threat databases provide raw threat feeds rather than processed threat intelligence. Threat feeds deliver unprocessed data that requires significant manual work, while threat intelligence feeds provide summarized data with IoCs and actionable insights.

  • Skills and expertise gaps: Many organizations lack dedicated threat analysts with the specialized skills that are necessary to run intelligence gathering operations, interpret complex threat data, and transform raw information into actionable security insights. According to Wiz’s AI Security Readiness report, 31% of organizations see insufficient AI security expertise as one of their greatest obstacles. And according to 2024 research from BCG, a 28% vacancy rate for cybersecurity positions further impedes companies’ ability to address escalating threats.

  • Poor internal data collection: Organizations often struggle with the volume and complexity of their cloud-based threat data. Additionally, the cost of storing massive amounts of threat data is prohibitive, and effective collection requires both expertise and specialized tools like SIEM platforms and malware analysis systems.

Wiz cloud threat intelligence

While gathering threat intelligence from several sources can give you more data, more is rarely better. If anything, a high volume of data often comes with even more noise.

That’s why you need Wiz, the only cloud-focused threat intel database on the market. Here are the top reasons to count on our platform:

  • Cloud Threat Landscape: This cloud-focused threat intelligence feed shows you specific risks in your cloud environments in context and gives you actionable defenses for resolving various types of cloud threats.

  • Incorporated threat intelligence: We include threat intel in all our platforms, including Wiz Sensor, Wiz Code, Wiz Cloud, and Wiz Defend. This maximizes protection for your mission-critical assets with new security controls and IoCs as threats and attack TTPs evolve.

  • Risk correlation: With Wiz, you can correlate risks with threat intel to go threat hunting in your stack. This allows you to create detection rules for Wiz Defend, which automatically detects threats. You can also visualize the results of your risk correlation and threat detection using the Wiz Security Graph to make proactive threat detection much easier.

  • Additional resources: Aside from our rich threat database, we have a threat podcast, courtesy of our expert threat research team, to help you keep up with the latest threats. You can also explore our threat research repo for breakdowns of attacks, techniques, and root causes.

Ready to see how context-driven threat intelligence can secure your cloud? Request a demo today to see Wiz in action.

FAQs