What is the threat intelligence lifecycle?
The threat intelligence lifecycle is a continuous, six-phase process that transforms raw data about potential cyber threats into refined, actionable intelligence. This structured approach allows security teams to make faster, more informed decisions to protect their organization.
It's not a linear process but an iterative cycle where feedback from one stage informs and improves the others. This ensures the intelligence remains relevant and effective for your specific security needs.
The intelligence cycle provides a formal methodology for managing security information. It helps you move from a reactive to a proactive defense posture by creating a constant feedback loop across six interconnected phases.
Why the threat intelligence lifecycle matters for modern security operations
The threat intelligence lifecycle is critical because it enables you to shift from reactive to proactive security. Instead of just responding to attacks after they happen, a structured intelligence cycle helps you anticipate threats and mitigate exposures before attackers can exploit them. For example, threat intelligence might reveal that attackers are actively exploiting a specific misconfiguration in cloud storage buckets, prompting you to audit and fix similar exposures in your environment.
This is especially vital in today's complex IT environments where the volume of threat data can be overwhelming. A formal lifecycle provides structure for managing this flood of information, turning noisy data into clear, actionable intelligence.
The proactive defense model is essential for protecting dynamic cloud workloads and staying ahead of sophisticated attackers. You need this structured approach to correlate threat feeds with your specific configurations and prioritize risks that pose genuine, immediate threats to your critical assets.
The 6 phases of the threat intelligence lifecycle
The threat intelligence lifecycle is a structured, cyclical framework that guides security teams in converting raw data into finished intelligence. Each of the six phases plays a distinct role in ensuring the final output is accurate, relevant, and actionable for defending your organization.
Phase 1: Direction (Planning)
The direction phase sets the foundation for your entire intelligence cycle. During this stage, you and your stakeholders define the goals and objectives of your threat intelligence program.
This involves identifying your organization's most critical assets and understanding the potential business impact of various threats. You also determine what specific questions your intelligence needs to answer.
Clear direction ensures that your intelligence effort is focused and aligned with business priorities. Key activities include establishing Priority Intelligence Requirements (PIRs), which are the specific questions that stakeholders need answered to make decisions.
Phase 2: Collection
Once you've set the direction, the collection phase begins. This stage involves gathering raw data from a wide array of sources to address the requirements you established in the direction phase.
You need to cast a wide net to capture as much relevant information as possible. Sources for data collection include:
Internal sources: Logs from firewalls and EDR/IDS/IPS systems, SIEM event data, and cloud audit logs (AWS CloudTrail, Azure Activity Logs, Google Cloud Audit Logs), plus runtime telemetry from container orchestration platforms like Kubernetes
External sources: Open-source intelligence from public blogs and news sites, commercial threat feeds, information from security communities, and data from dark web forums
A successful collection strategy balances automated data gathering with targeted human intelligence to ensure comprehensive coverage of the threat landscape.
Phase 3: Processing
Raw data collected in the previous phase is often unstructured, redundant, and not immediately useful. The processing phase is where you transform this raw data into a structured format suitable for analysis.
This crucial step makes the vast amount of collected information manageable and coherent. Processing transforms raw data into structured, analyzable intelligence through several key activities:
Parsing and normalization: Convert diverse log formats into a common event schema (for example, OCSF or Elastic Common Schema) and express the indicators you extract from them in a sharing format such as STIX 2.1; STIX describes indicators and their relationships, not raw log events
De-duplication: Remove redundant indicators across multiple feeds
Timestamp standardization: Align time zones and formats for accurate correlation
Indicator scoring: Assign confidence levels and expiration dates to IOCs
Enrichment: Augment indicators with WHOIS data, geolocation, threat actor attribution, and historical context
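The five processing activities above, carried through in one small pipeline. This is an added example, not code from the original page or from any vendor's platform: it parses two constructed feed records of different shapes, collapses case, whitespace and trailing-dot variants of the same indicator, normalizes every timestamp to UTC, keeps the latest sighting, scores confidence from feed corroboration and age, drops indicators past an assumed 30-day validity window, enriches from a constructed lookup table, and emits STIX 2.1-shaped Indicator objects as plain dicts (no stix2 library needed). The feed layouts, per-source weights, TTL, decay rule, enrichment data and ID namespace are all assumptions made for the example; the indicator values use documentation-range addresses and .test domains.

```python
import ipaddress
import json
import uuid
from datetime import datetime, timedelta, timezone

# Constructed feed records (not real IOCs). Feed A is CSV-style with mixed timestamp
# formats; feed B is JSON-style with whitespace, case and trailing-dot variants.
FEED_A = [
    "198.51.100.23,ip,2024-05-01T10:15:00-04:00,cryptomining-c2,vendor-a",
    "198.51.100.23,ip,2024-05-01 09:00:00 UTC,cryptomining-c2,vendor-a",
    "Miner.Example.test,domain,2024-04-20T00:00:00Z,mining-pool,vendor-a",
]
FEED_B = [
    {"indicator": " 198.51.100.23 ", "kind": "ipv4", "seen": "2024-05-02T08:30:00+02:00",
     "tag": "cryptomining-c2", "src": "vendor-b"},
    {"indicator": "miner.example.test.", "kind": "fqdn", "seen": "2024-01-01T00:00:00Z",
     "tag": "mining-pool", "src": "vendor-b"},
    {"indicator": "old-pool.example.test", "kind": "fqdn", "seen": "2024-01-15T00:00:00Z",
     "tag": "mining-pool", "src": "vendor-b"},
]
# Constructed enrichment table standing in for WHOIS / geolocation / attribution lookups.
ENRICHMENT = {"198.51.100.23": {"asn": "AS64496", "country": "ZZ", "actor": "unattributed"}}

SOURCE_WEIGHT = {"vendor-a": 60, "vendor-b": 40}   # assumed base confidence per feed
TYPE_MAP = {"ip": "ipv4-addr", "ipv4": "ipv4-addr", "domain": "domain-name", "fqdn": "domain-name"}
INDICATOR_TTL = timedelta(days=30)                  # assumed validity window for an IOC
ID_NAMESPACE = uuid.UUID("b0a1c2d3-0000-4000-8000-000000000000")  # arbitrary; gives deterministic ids


def to_utc(value):
    """Normalize the timestamp variants the constructed feeds use to an aware UTC datetime."""
    v = value.strip().replace(" UTC", "+00:00").replace("Z", "+00:00")
    if "T" not in v:                        # '2024-05-01 09:00:00+00:00' -> ISO 'T' separator
        v = v.replace(" ", "T", 1)
    dt = datetime.fromisoformat(v)
    if dt.tzinfo is None:                   # treat naive timestamps as UTC rather than guessing
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def normalize_value(value, stix_type):
    """Canonical form so case / whitespace / trailing-dot variants collapse to one indicator."""
    value = value.strip()
    if stix_type == "ipv4-addr":
        return str(ipaddress.IPv4Address(value))   # raises on malformed input instead of passing it on
    return value.lower().rstrip(".")


def parse_feed_a(line):
    value, kind, seen, tag, src = [p.strip() for p in line.split(",")]
    t = TYPE_MAP[kind]
    return {"type": t, "value": normalize_value(value, t), "seen": to_utc(seen), "tag": tag, "source": src}


def parse_feed_b(rec):
    t = TYPE_MAP[rec["kind"]]
    return {"type": t, "value": normalize_value(rec["indicator"], t), "seen": to_utc(rec["seen"]),
            "tag": rec["tag"], "source": rec["src"]}


def stix_time(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%S.000Z")


def process(records, now):
    """De-duplicate on (type, value), keep the latest sighting, score, expire, enrich, emit STIX 2.1 dicts."""
    merged = {}
    for r in records:
        e = merged.setdefault((r["type"], r["value"]), {"sources": set(), "tags": set(), "last_seen": r["seen"]})
        e["sources"].add(r["source"])
        e["tags"].add(r["tag"])
        e["last_seen"] = max(e["last_seen"], r["seen"])

    indicators = []
    for (stix_type, value), e in sorted(merged.items()):
        valid_until = e["last_seen"] + INDICATOR_TTL
        if valid_until <= now:
            continue                         # stale: do not push an expired IOC to blocking tools
        # Confidence: corroboration across feeds, minus 5 points per week since the last sighting.
        age_weeks = (now - e["last_seen"]).days // 7
        confidence = max(0, min(100, sum(SOURCE_WEIGHT[s] for s in e["sources"]) - 5 * age_weeks))
        ind = {
            "type": "indicator",
            "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid5(ID_NAMESPACE, f'{stix_type}:{value}')}",
            "created": stix_time(now),
            "modified": stix_time(now),
            "name": f"{value} ({', '.join(sorted(e['tags']))})",
            "indicator_types": ["malicious-activity"],
            "pattern_type": "stix",
            "pattern": f"[{stix_type}:value = '{value}']",
            "valid_from": stix_time(e["last_seen"]),
            "valid_until": stix_time(valid_until),
            "confidence": confidence,
            "labels": sorted(e["tags"]) + [f"source:{s}" for s in sorted(e["sources"])],
        }
        if value in ENRICHMENT:              # enrichment goes in a custom property (x_ prefix per STIX 2.1)
            ind["x_enrichment"] = ENRICHMENT[value]
        indicators.append(ind)
    return indicators


def run_example(now=datetime(2024, 5, 10, tzinfo=timezone.utc)):
    records = [parse_feed_a(l) for l in FEED_A] + [parse_feed_b(r) for r in FEED_B]
    return process(records, now)


if __name__ == "__main__":
    print(json.dumps({"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": run_example()}, indent=2))
```

With the clock fixed at 2024-05-10, the three sightings of 198.51.100.23 become one indicator with confidence 95 and a valid_from of the latest sighting, the two spellings of miner.example.test merge at confidence 90, and old-pool.example.test is dropped because its 30-day window closed before "now". The decay and weighting rules are deliberately simple; what matters is that expiry and confidence are decided here, before dissemination, so downstream blocking tools never receive an indicator without both.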
Phase 4: Analysis
The analysis phase is where information becomes intelligence. In this stage, security analysts examine the processed data to identify patterns, trends, and actionable insights.
This is the human-centric part of the cycle where expertise and critical thinking are applied to connect the dots. During analysis, you look for indicators of compromise (IOCs), map observed activity to specific MITRE ATT&CK techniques (for example, T1078 for Valid Accounts or T1496 for Resource Hijacking), and assess threat actor TTPs to understand their capabilities and likely next moves.
The goal is to transform the "what" into the "so what," providing the context needed for security teams to understand the threat, its potential impact, and how to defend against it.
Phase 5: Dissemination
Once the analysis is complete, you must deliver the finished intelligence to the people who need it. The dissemination phase involves distributing tailored intelligence products to the appropriate stakeholders in a format that's easy to understand and act upon.
The format and content of the intelligence should be customized for its audience:
Technical teams may receive alerts with specific IOCs to block on firewalls, web proxies, and EDR platforms, and to detect and alert on in their SIEM or SOAR systems
Incident response teams might get detailed reports mapping attacker TTPs to specific MITRE ATT&CK techniques, along with detection logic and response playbooks to aid in threat hunting and improve defensive coverage
Executives and board members could receive high-level strategic briefs on threat landscape trends and their potential business impact
Effective dissemination ensures that the intelligence is not just produced but also consumed and used to improve your organization's security posture.
Phase 6: Feedback
The final phase of the lifecycle is feedback, which makes the process a true cycle. In this stage, you solicit input from the stakeholders who consumed the intelligence.
This feedback is crucial for evaluating the quality, relevance, and timeliness of your intelligence products. This continuous improvement loop helps refine your entire process.
Based on feedback, you can adjust your intelligence requirements in the direction phase, explore new data sources for collection, or change how you analyze and disseminate information. This ensures your threat intelligence program remains agile and continues to provide value.
Threat intelligence lifecycle in action: A cloud cryptomining example
Here's how the six-phase lifecycle works in practice when detecting and responding to cryptomining in a cloud environment.
Direction: Your security team establishes Priority Intelligence Requirements (PIRs): "Are threat actors exploiting public-facing Kubernetes clusters for cryptomining?" and "What TTPs do cryptomining campaigns use in our cloud environment?"
Collection: You gather data from multiple sources: AWS CloudTrail logs showing API calls, VPC Flow Logs revealing unusual outbound connections, Kubernetes audit logs capturing pod creation events, and external threat feeds reporting cryptomining indicators.
Processing: Raw logs are parsed into a common event schema, and the indicators extracted from them (IP addresses, domains, container image digests) are expressed as STIX 2.1 objects. You de-duplicate repeated indicators across feeds, standardize timestamps to UTC, enrich IP addresses with geolocation and reputation data, and assign a confidence score and an expiry date to each indicator.
Analysis: Analysts correlate the data and find the pattern: pods running untrusted images are being created on public-facing EKS node groups whose security groups leave the nodes reachable from the internet, and those nodes then open outbound connections to mining pools. The deployment maps to MITRE ATT&CK T1610 (Deploy Container) and the mining itself to T1496 (Resource Hijacking). The reconstructed attack path is: internet exposure → initial access (for example, an unauthenticated Kubernetes API or a vulnerable public-facing service) → cryptominer pod deployment, with a container escape only where the attacker wants the whole node rather than a single pod.
Dissemination: Technical teams receive IOC packages (malicious container images, command-and-control IPs) in STIX format for automated blocking. Incident response gets a detailed report with ATT&CK mappings and response playbooks. Leadership receives a strategic brief on the business impact of exposed Kubernetes clusters.
Feedback: After remediation, the IR team reports that the intelligence was actionable and timely. They request additional coverage for container runtime threats. This feedback updates the direction phase: new PIRs are added for container security, and collection expands to include runtime behavioral monitoring.
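The analysis step of the walkthrough above, as detection logic run over sample data. This is an added example, not code from the original page or from any vendor's product: it reads constructed Kubernetes audit events (trimmed to the audit.k8s.io/v1 fields it uses) and constructed VPC Flow Log lines in the default v2 field order, flags pod creations that use an image outside an assumed trusted registry or come from the unauthenticated system:anonymous user, flags accepted outbound flows to an IOC address or an assumed list of mining-pool ports, and correlates the two within a 15-minute window through a constructed ENI-to-node inventory. The registry allowlist, port list, node inventory, window and the IOC set (which could be the output of the processing stage) are assumptions made for the example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed Kubernetes audit events (not real logs), trimmed to the fields used below.
K8S_AUDIT = [
    {   # unauthenticated create of a pod with an untrusted image, from an internet address
        "stage": "ResponseComplete", "verb": "create",
        "user": {"username": "system:anonymous"}, "sourceIPs": ["203.0.113.9"],
        "objectRef": {"resource": "pods", "namespace": "default", "name": "kube-proxy-7h2k"},
        "requestObject": {"spec": {"containers": [{"name": "p", "image": "docker.io/unknown-user/miner:latest"}]}},
        "responseStatus": {"code": 201}, "requestReceivedTimestamp": "2024-05-02T06:25:10.000000Z",
    },
    {   # routine deploy from the trusted registry by a service account
        "stage": "ResponseComplete", "verb": "create",
        "user": {"username": "system:serviceaccount:payments:deployer"}, "sourceIPs": ["10.0.1.20"],
        "objectRef": {"resource": "pods", "namespace": "payments", "name": "api-7d9f"},
        "requestObject": {"spec": {"containers": [
            {"name": "api", "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/payments/api:1.4.2"}]}},
        "responseStatus": {"code": 201}, "requestReceivedTimestamp": "2024-05-02T06:20:00.000000Z",
    },
]
# Constructed VPC Flow Log records in the default v2 field order:
# version account eni src dst srcport dstport proto packets bytes start end action status
VPC_FLOWS = [
    "2 123456789012 eni-0a1b2c3d 10.0.1.5 198.51.100.23 51234 3333 6 120 48000 1714631400 1714631460 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.5 203.0.113.50 44123 443 6 30 9000 1714631100 1714631160 ACCEPT OK",
    "2 123456789012 eni-0e4f5a6b 10.0.2.7 198.51.100.23 40000 3333 6 5 300 1714627800 1714627860 REJECT OK",
]
# Constructed inventory tying network interfaces back to nodes and their exposure.
NODE_INVENTORY = {
    "eni-0a1b2c3d": {"node": "ip-10-0-1-5.ec2.internal", "nodegroup": "public-eks-ng", "internet_exposed": True},
    "eni-0e4f5a6b": {"node": "ip-10-0-2-7.ec2.internal", "nodegroup": "private-eks-ng", "internet_exposed": False},
}
IOC_IPS = {"198.51.100.23"}                          # assumed: taken from the processed feed
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}      # assumed list of common mining-pool ports
IMAGE_ALLOWLIST = ("123456789012.dkr.ecr.us-east-1.amazonaws.com/",)  # assumed trusted registry
WINDOW = timedelta(minutes=15)                       # assumed pod-create to first-beacon window


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def suspicious_pod_creates(events):
    """Successful pod creations that use an untrusted image or come from an unauthenticated caller."""
    out = []
    for ev in events:
        if ev.get("verb") != "create" or ev["objectRef"].get("resource") != "pods":
            continue
        if ev.get("stage") != "ResponseComplete" or ev["responseStatus"]["code"] >= 300:
            continue                                  # only count creates the API server accepted
        images = [c["image"] for c in ev["requestObject"]["spec"]["containers"]]
        untrusted = [i for i in images if not i.startswith(IMAGE_ALLOWLIST)]
        anonymous = ev["user"]["username"] == "system:anonymous"
        if untrusted or anonymous:
            out.append({"time": parse_ts(ev["requestReceivedTimestamp"]),
                        "pod": f'{ev["objectRef"]["namespace"]}/{ev["objectRef"]["name"]}',
                        "untrusted_images": untrusted, "anonymous": anonymous,
                        "api_client_ip": ev["sourceIPs"][0]})
    return out


def parse_flow(line):
    f = line.split()
    return {"eni": f[2], "src": f[3], "dst": f[4], "dport": int(f[6]),
            "start": datetime.fromtimestamp(int(f[10]), tz=timezone.utc), "action": f[12]}


def mining_flows(lines):
    """Accepted flows to a known IOC address or to a port associated with mining pools."""
    return [fl for fl in map(parse_flow, lines)
            if fl["action"] == "ACCEPT" and (fl["dst"] in IOC_IPS or fl["dport"] in STRATUM_PORTS)]


def correlate(events, lines):
    """Join suspicious pod creations to mining flows that start within WINDOW, with node context."""
    findings = []
    for pod in suspicious_pod_creates(events):
        for fl in mining_flows(lines):
            if not (pod["time"] <= fl["start"] <= pod["time"] + WINDOW):
                continue
            node = NODE_INVENTORY.get(fl["eni"], {})
            path = []
            if node.get("internet_exposed"):
                path.append("internet-exposed node group")
            if pod["anonymous"]:
                path.append("unauthenticated Kubernetes API access (initial access)")
            path += ["pod created with untrusted image (T1610)", "outbound connection to mining pool (T1496)"]
            findings.append({
                "pod": pod["pod"], "untrusted_images": pod["untrusted_images"],
                "node": node.get("node"), "nodegroup": node.get("nodegroup"),
                "dst": fl["dst"], "dport": fl["dport"],
                "techniques": ["T1610 Deploy Container", "T1496 Resource Hijacking"],
                "attack_path": path,
                "evidence": {"pod_created": pod["time"].isoformat(), "flow_start": fl["start"].isoformat(),
                             "api_client_ip": pod["api_client_ip"]},
            })
    return findings


def run_example():
    return correlate(K8S_AUDIT, VPC_FLOWS)


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

On the sample data this yields exactly one finding: the anonymous create of default/kube-proxy-7h2k at 06:25:10Z joined to the node ip-10-0-1-5 beaconing to 198.51.100.23:3333 at 06:30Z, with the path internet-exposed node group → unauthenticated API access → untrusted image → mining pool. The payments deploy is ignored because its image is in the allowlist, the HTTPS flow is ignored because it matches neither an IOC nor a mining port, and the earlier flow from the private node is ignored because it was rejected. The output is already in the shape dissemination needs: technique IDs for the IR report, the destination address for the blocking package, and the exposure context for the leadership brief.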
Types of threat intelligence and their role in the lifecycle
Threat intelligence comes in different forms, each serving a unique purpose and audience. Understanding these types is essential for building a comprehensive program that addresses security needs at every level of your organization.
Strategic intelligence is high-level intelligence intended for executive leadership. It provides a broad overview of the threat landscape, trends, and potential business impacts, helping leaders make informed decisions about risk management and security investments.
Operational intelligence focuses on the "how" and "who" of cyberattacks. It provides detailed insights into threat actor TTPs, motivations, and campaigns for security managers, incident responders, and threat hunters.
Tactical intelligence is the most immediate and technical form, consisting of IOCs (IP addresses, domains, file hashes, TLS certificate fingerprints, registry keys). Organizations typically share tactical intelligence in STIX 2.1 format and distribute it via TAXII 2.1 servers for automated ingestion into security tools. SOC analysts and automated security tools use this intelligence for real-time threat detection and blocking.
Threat hunting vs threat intelligence: Key differences
Threat hunting actively searches for hidden threats already inside your network, while threat intelligence gathers external information about potential threats to inform security strategy.
Standards and frameworks for threat intelligence programs
Effective threat intelligence programs align with industry standards and frameworks to ensure consistency, interoperability, and compliance.
MITRE ATT&CK provides a knowledge base of adversary tactics and techniques. Cloud security teams use the Enterprise matrix's cloud platforms (IaaS, SaaS and identity-provider platforms, which cover AWS, Azure and GCP) together with the separate Containers matrix to map threat intelligence to specific attack behaviors and measure detection coverage.
NIST SP 800-150 (Guide to Cyber Threat Information Sharing) establishes best practices for sharing threat intelligence between organizations, including governance, legal considerations, and technical implementation.
ISO/IEC 27001:2022 Control 5.7 (Threat intelligence) requires organizations to collect, analyze, and share threat intelligence relevant to their information security risks, making a formal lifecycle essential for compliance.
STIX 2.1 and TAXII 2.1 are the standard formats and protocols for machine-readable threat intelligence sharing. STIX (Structured Threat Information Expression) defines how to represent threat data, while TAXII (Trusted Automated Exchange of Intelligence Information) defines how to exchange it.
Traffic Light Protocol (TLP) provides a simple four-color schema (TLP:CLEAR, TLP:GREEN, TLP:AMBER, TLP:RED, with TLP:AMBER+STRICT as a narrower variant of AMBER in TLP 2.0) to indicate sharing boundaries for sensitive intelligence, ensuring recipients understand distribution restrictions.
Implementing threat intelligence lifecycle in cloud-native environments
Implementing a threat intelligence lifecycle in cloud-native environments presents challenges that periodic, host-centric security models handle poorly. The dynamic and ephemeral nature of cloud infrastructure creates a constantly shifting attack surface. According to a 2024 network security survey, 52% of organizations report limited cloud visibility, making continuous monitoring essential.
Traditional periodic scanning is insufficient because cloud resources are spun up and down in minutes. You need continuous visibility to be effective in the cloud.
Your threat intelligence program must leverage cloud-native tools and approaches:
API-based collection: Use cloud provider APIs to gather rich telemetry directly from the source. In AWS, this includes CloudTrail for API activity, VPC Flow Logs for network traffic, and GuardDuty findings for threat detections. Azure provides Activity Logs, Network Watcher, and Microsoft Defender for Cloud alerts. Google Cloud offers Audit Logs, VPC Flow Logs, and Security Command Center findings. Agentless, API-based collection keeps visibility across ephemeral resources like containers and serverless functions without installing anything in the workload. What it does not see is behavior inside the workload (process execution, file writes, the connections a container opens), which still needs runtime telemetry from a sensor or eBPF-based collector.
Native threat detection services: Integrate findings from cloud-native detection services (Amazon GuardDuty, Microsoft Defender for Cloud, Google Security Command Center) that analyze cloud telemetry for known threat patterns
Threat Intelligence Platforms (TIPs): Use platforms like MISP (Malware Information Sharing Platform) to aggregate, normalize, and enrich threat feeds before distributing to security tools
Code-to-cloud context: Correlate threat intelligence with your full cloud stack—from infrastructure-as-code templates to runtime workload behavior—to understand how threats could exploit your specific configurations
This approach extends coverage to short-lived workloads, including containers and serverless functions that exist for minutes. You can visualize potential breach paths across your cloud environments and see how an attacker could move from an exposed resource to a critical asset.
Common challenges and best practices for threat intelligence programs
Even with a well-defined lifecycle, you'll face challenges when building and maintaining a threat intelligence program. Recognizing these hurdles and adopting best practices is key to success.
Alert fatigue occurs when security teams are inundated with high-volume, low-context alerts. This makes it difficult to distinguish real threats from noise and can lead to burnout and missed critical alerts. A 2024 survey found that 67% of cybersecurity teams receive over 2,000 alerts daily, overwhelming human analysis capacity.
Siloed tools create fragmented visibility when you use multiple, disconnected security tools. Correlating data across these silos to get a complete picture of a threat becomes a manual, time-consuming process.
Limited resources affect many security teams that lack specialized staff and budget to manage a full-scale intelligence program from data collection to in-depth analysis.
To overcome these challenges, you should:
Implement risk-based prioritization: Use context like asset criticality, network exposure, and active exploitation to prioritize alerts and focus on threats that pose the greatest risk
Consolidate intelligence into a unified platform: Use a Threat Intelligence Platform (TIP), SIEM, or SOAR solution to ingest feeds from multiple sources, normalize data into standard formats like STIX 2.1, and correlate indicators automatically. A unified security graph connects identities, configurations, network exposure, and runtime telemetry with external threat intelligence to surface toxic combinations—for example, an internet-exposed server running vulnerable software with access to sensitive data—that represent real attack paths
Automate routine tasks: Free up human analysts to focus on high-value activities like threat analysis and strategic planning
Measuring success and optimizing your threat intelligence lifecycle
To ensure your threat intelligence program delivers real value, you must measure its effectiveness and continuously optimize it. Success should be tied directly to security outcomes and business objectives, not just the volume of intelligence produced.
Key metrics for measuring threat intelligence program success:
| Metric | Definition | Target | Lifecycle Phase |
|---|---|---|---|
| Mean Time to Detect (MTTD) | Time from threat emergence to detection in your environment | < 24 hours for critical threats | Collection, Analysis |
| Mean Time to Respond (MTTR) | Time from detection to initial response action | < 1 hour for critical threats | Dissemination |
| Mean Time to Contain (MTTC) | Time from detection to full threat containment | < 4 hours for critical threats | Dissemination, Feedback |
| Detection Precision | Percentage of alerts that are true positives | | Processing, Analysis |
| ATT&CK Coverage | Percentage of relevant ATT&CK techniques with detections | | Analysis |
| Intelligence Operationalization Rate | Percentage of intelligence converted into detections or controls | | Dissemination |
| Indicator Freshness | Percentage of IOCs updated within 30 days | | Collection, Processing |
| PIR Satisfaction Rate | Percentage of Priority Intelligence Requirements answered | | Direction, Feedback |
| Dissemination Timeliness | Time from analysis completion to stakeholder delivery | < 2 hours for tactical intel | Dissemination |
Track these metrics monthly and review trends quarterly to identify areas for lifecycle optimization. Map your detections and investigations to MITRE ATT&CK techniques and track coverage deltas as new intelligence is onboarded—this reveals gaps in your defensive posture.
Optimizing the lifecycle relies heavily on the feedback loop. Regularly soliciting input from intelligence consumers helps you identify gaps and areas for improvement.
This feedback can be used to refine intelligence requirements, adjust collection priorities, and improve the clarity of analytical reports. This ensures your program continuously evolves to meet your organization's needs.
How Wiz operationalizes the threat intelligence lifecycle in cloud environments
Wiz turns the threat intelligence lifecycle described above into automated, context-aware intelligence for cloud environments. The platform pairs agentless, multi-cloud visibility into configuration state with a lightweight runtime sensor that captures behavioral telemetry from workloads, so both the static and the runtime side of the attack surface feed the same analysis.
The Wiz Security Graph processes and normalizes this vast amount of data, correlating internal cloud context with external threat intelligence feeds. This analysis identifies toxic combinations and attack paths, turning raw threat information into a prioritized queue of actionable intelligence tailored to your specific environment.
Dissemination is accelerated through native integrations with SIEM, SOAR, and ticketing systems. Wiz packages indicators and contextual findings—including affected resources, attack paths, and remediation guidance—into workflows that route automatically to the right teams based on severity and asset ownership.
Ready to turn your lifecycle into automated, context-aware intelligence? See how the unified security graph, agentless visibility, and runtime behavioral analysis work together to surface real attack paths and prioritize threats that matter—request a demo today.