Glossary

What Is Threat Intelligence?

Threat intelligence is information about cyber threats — the actors, campaigns, tools, and infrastructure behind attacks — that has been collected, analysed, and refined into context defenders can act on. The goal is not raw data; it is helping security teams make faster, better-informed decisions about what to block, what to investigate, and what to ignore.

The Four Types of Threat Intelligence

  • Strategic — high-level trends and adversary motivation; consumed by leadership.
  • Tactical — adversary TTPs (tactics, techniques, and procedures); consumed by hunters and detection engineers.
  • Operational — specific imminent campaigns and attacks; consumed by SOC and incident response.
  • Technical — concrete indicators (IPs, domains, hashes); consumed by automation.

The Intelligence Lifecycle

  1. Direction — what questions does the security team need answered?
  2. Collection — gather raw data from feeds, sensors, OSINT, partners, internal telemetry.
  3. Processing — normalize, enrich, deduplicate.
  4. Analysis — turn data into intelligence; add context, confidence, attribution.
  5. Dissemination — get the right intelligence to the right consumer in the right format.
  6. Feedback — measure whether the intelligence actually helped.

Where Threat Intelligence Falls Short

Most commercial threat-intel feeds publish flat lists of IOCs — hashes, domains, IPs. Those rotate quickly. Real defensive value comes from understanding the infrastructure patterns underneath: which ASNs concentrate abuse, how a campaign rotates domains, which registrar/nameserver pairings recur. That is infrastructure intelligence.
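
The difference between a flat IOC list and the patterns underneath it can be shown in a few lines. The following is an added example, not code from Whisper or any feed vendor: it applies the normalize/deduplicate step of the lifecycle to enriched indicators, then groups them by ASN and by registrar/nameserver pairing. The record layout, function names and all sample values are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: flagged indicators after enrichment. Domains, IPs
# (RFC 5737 ranges), ASNs (private range) and registrar/nameserver names
# are all made up for illustration.
FLAGGED = [
    {"domain": "Login-Portal.example.", "ip": "192.0.2.10", "asn": 64512,
     "registrar": "RegistrarA", "ns": "ns1.dns-host.example"},
    {"domain": "login-portal.example", "ip": "192.0.2.10", "asn": 64512,
     "registrar": "RegistrarA", "ns": "ns1.dns-host.example"},  # same IOC, second feed
    {"domain": "secure-update.example", "ip": "192.0.2.44", "asn": 64512,
     "registrar": "RegistrarA", "ns": "ns1.dns-host.example"},
    {"domain": "invoice-view.example", "ip": "198.51.100.7", "asn": 64513,
     "registrar": "RegistrarA", "ns": "NS1.dns-host.example."},
    {"domain": "cdn-assets.example", "ip": "203.0.113.5", "asn": 64514,
     "registrar": "RegistrarB", "ns": "ns.other.example"},
]

def normalize(rec):
    """Canonicalise hostnames so the same indicator from two feeds compares equal."""
    out = dict(rec)
    for field in ("domain", "ns"):
        out[field] = rec[field].strip().lower().rstrip(".")
    return out

def deduplicate(records):
    """Keep the first record for each (domain, ip) pair after normalisation."""
    seen, unique = set(), []
    for rec in map(normalize, records):
        key = (rec["domain"], rec["ip"])
        if key not in seen:
            seen.add(key)
            unique.append(rec)
    return unique

def recurring(records, key_fn, min_domains=2):
    """Group distinct domains by an infrastructure key; keep keys seen on >= min_domains."""
    groups = defaultdict(set)
    for rec in records:
        groups[key_fn(rec)].add(rec["domain"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_domains}

def infrastructure_patterns(records):
    unique = deduplicate(records)
    return {"by_asn": recurring(unique, lambda r: r["asn"]),
            "by_registrar_ns": recurring(unique, lambda r: (r["registrar"], r["ns"]))}

if __name__ == "__main__":
    for view, groups in infrastructure_patterns(FLAGGED).items():
        for key, domains in groups.items():
            print(view, key, domains)
```

In this sample the three domains share no single IP and span two ASNs, yet all three resolve to one registrar/nameserver pairing, which is the kind of link a per-indicator blocklist does not surface.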

Threat Intelligence in Whisper

Whisper aggregates 40+ live threat-intel feeds and joins them to internet infrastructure data in a single graph. A flagged IP is connected to its ASN, its co-hosted domains, and its WHOIS history — so a SOC analyst gets context, not a flat string.