Full Report
Most of what's sold as "threat intelligence" today isn't intelligence at all. Instead, it's data: lists of IP addresses, hashes, and domains, with little to no context. These indicators of compromise (IOCs) are useful, but on their own, they don't answer the questions defenders need answered: Who is targeting us? Is this IOC recent or historic? What are they after? What else are they likely to do or might have already done?

True intelligence isn't about lists, it's about decisions. It's about turning raw data into insights that help organisations act with confidence. That's what the intelligence cycle is for. It is the core of what Arachne Digital does.

In this post, we'll walk through the classical intelligence cycle and show how it applies to modern cyber threat intelligence (CTI). If you're in a Security Operations Centre (SOC), leading a security program, or evaluating threat intel vendors, this is what you should expect from real intelligence.

## Intelligence as a Process: Not Just a Product

The intelligence cycle is a progressive refinement of data into intelligence. It's not a one-time transaction, and it doesn't begin with information; it begins with questions.

Let's break it down.

## The Intelligence Cycle

### Direction: Setting the Right Questions

Planning and Direction is the first phase of the intelligence cycle. It involves identifying and prioritising the information needs of an organisation in order to align CTI efforts with strategic, operational, or tactical objectives.

At this stage, decision-makers or stakeholders define their intelligence requirements: the critical questions that need to be answered to inform security decisions, reduce risk, or guide response. These requirements form the foundation for all subsequent CTI activities.

In practice, Planning and Direction includes:

- Clarifying what the organisation needs to protect (assets, sectors, geographies).
- Identifying likely threat actors or risks based on industry and region.
- Translating objectives into Essential Elements of Information (EEIs): specific, actionable questions that intelligence efforts will seek to answer.

In CTI, the equivalent to all of this is your operational context: What are you trying to protect? Who is likely to target you? What do you need to know to defend your organisation?

This is where Arachne Digital begins. We tailor CTI feeds for your industry and geography so you can understand your threat landscape and risk posture. If you are more mature and want to define your own requirements, you can access our entire database of cybercrime and nation-state threats across regions.

### Collection: Finding the Signals in the Noise

Collection is the second phase of the intelligence cycle. It involves gathering raw data from relevant sources to address the intelligence requirements defined during the Planning and Direction phase.

In cyber threat intelligence, collection spans a range of disciplines, including open-source intelligence (OSINT), technical telemetry, and clear and dark web monitoring. The goal is to collect data that may contain evidence of threat activity, tools, infrastructure, intent, or targeting, all of which help answer questions posed during planning.

Effective collection is:

- Targeted: Focused on sources likely to yield relevant information.
- Timely: Conducted frequently enough to capture emerging threats.
- Scalable: Able to pull in large volumes of data without sacrificing relevance.

Collection for Arachne Digital is driven by our tool Tracery, which automates the process of discovering and retrieving URLs containing relevant cybersecurity content based on pre-defined keywords and intelligence priorities. These sources include:

- Security blogs and advisories
- Cybercrime and breach forums
- Technical writeups and threat reports

The result is a rich body of unstructured free text: raw data that will be processed in the next stage to begin transforming it into actionable intelligence. It is unstructured and messy, but valuable.

### Processing and Exploitation: Turning Data into Information

Processing and Exploitation is the third phase of the intelligence cycle. It involves converting raw, collected data into a structured and usable format, preparing it for analysis.

In the context of cyber threat intelligence, this step includes:

- Filtering irrelevant data and removing duplicates.
- Extracting structured elements from unstructured sources (e.g., identifying malware names, TTPs, threat actor references).
- Standardising formats for consistency and interoperability.
- Tagging and categorisation based on frameworks like MITRE ATT&CK.

The goal is to turn raw data, such as technical blogs, incident writeups, or forum posts, into organised, machine- and human-readable information that can be meaningfully analysed.

For Arachne Digital, this step is performed by our analyst dashboard Thread, which processes free-text documents collected via Tracery. Thread:

- Uses machine learning to map sentences to MITRE ATT&CK TTPs.
- Extracts key metadata, including possible dates, threat actors, industries, and geographies.
- Structures the data so that it can be verified, enriched, and analysed by a human analyst.

Processing and exploitation marks the transition from data to information: structured content that is ready to be interpreted and turned into intelligence.

But we're not done.

### Analysis: Adding Human Context and Insight

Analysis and Production is the fourth phase of the intelligence cycle. It involves evaluating, interpreting, and contextualising the information gathered during collection and processing in order to generate finished intelligence that can support decision-making.

In cyber threat intelligence, analysis is where raw indicators and structured data are transformed into insight. Analysts:

- Assess the relevance and reliability of collected information.
- Identify patterns, trends, and relationships across multiple data points.
- Determine the significance of threat activity in the context of specific industries, regions, or organisations.
- Attribute threat activity, where possible, to specific actors or countries.
- Assign date ranges (first and last seen) and associated victimology (targeted industry and geography).

Production refers to the creation of the final intelligence deliverables (reports, briefings, or machine-readable formats) based on the analysis. These outputs are tailored to the needs of the end user, whether that's a SOC analyst tuning detections or a CISO planning investments.

Human analysts take the structured output from Thread and apply expert judgment to:

- Confirm and refine MITRE ATT&CK mappings.
- Enrich the data with threat actor names, attribution, victim information, and IOC details.
- Package the intelligence into reports or API-ready data, with the necessary context to support threat-informed defence.

We integrate disparate findings and use ATT&CK to interpret what the data means. Is this TTP relevant to my organisation? What defensive tooling should I invest in based on the threat landscape? Does my SIEM have the right logs and analytics configured?

This phase turns information into intelligence: a finished product that is assessed, contextual, and actionable.

### Dissemination: Getting Intelligence into Your Hands

Dissemination and Integration is the fifth phase of the intelligence cycle. It involves delivering finished intelligence products to the right stakeholders in a format they can use, and ensuring that intelligence is integrated into operational workflows and decision-making.

In cyber threat intelligence, dissemination must be:

- Timely: Delivered while the intelligence is still relevant.
- Targeted: Aligned with the needs of specific users (e.g., SOC analysts, CISOs, incident responders).
- Actionable: Structured in a way that allows for direct use in detection, mitigation, or strategic planning.

Integration is the often-overlooked second half of this phase. It means ensuring the intelligence doesn't just sit in a report or dashboard; it's used:

- To inform detections (e.g., SIEM rules, EDR tuning).
- To guide prevention and mitigation (e.g., aligning with MITRE ATT&CK mitigations).
- To support incident response and threat hunting.
- To influence broader cybersecurity strategy and investment.

Arachne Digital delivers intelligence in two key ways:

- Human-readable reports, designed for decision-makers and analysts who need context-rich briefings.
- An API, enabling direct ingestion of structured threat intelligence into security platforms for automated use.

Each piece of intelligence we produce is designed to map cleanly to operational needs, whether that's an analyst writing a detection rule, a threat hunter investigating anomalies, or a CISO planning for risk.

Need a high-level overview? You'll get a summary. Need tactical indicators? You'll get them too, mapped to ATT&CK and enriched with context.

And because our intelligence is structured and dated, you can track trends over time, align detections with threat-informed defence, and prioritise mitigations that matter.

The value of intelligence is only realised when it's disseminated effectively and integrated seamlessly into the systems and decisions it was built to support.

### Feedback: Closing the Loop

Evaluation and Feedback is the final phase of the intelligence cycle. It ensures that the intelligence provided is meeting the needs of decision-makers and that the cycle remains dynamic, responsive, and continuously improving.

In cyber threat intelligence, evaluation involves assessing:

- Relevance: Did the intelligence align with the original requirements?
- Accuracy: Was it correct and well-supported?
- Timeliness: Was it delivered in time to inform action?
- Usefulness: Did it support decision-making, detection, or response?

Feedback is the mechanism by which consumers of intelligence, whether SOC analysts, incident responders, or executive leadership, communicate their experience and evolving needs back to the intelligence team. This feedback may include:

- New or updated requirements.
- Requests for deeper context or additional indicators.
- Clarifications or corrections to previous assessments.
- Reports on how the intelligence was used or operationalised.

For Arachne Digital, this phase is essential to maintaining the integrity of our work. We actively seek feedback through:

- Customer interactions and support requests.
- Discussions around what intelligence was helpful, and what was not.

We want to hear from our customers about what is working for them and what is not, so we can make better tools and generate better CTI to serve you.

This closed loop ensures our intelligence stays relevant, focused, and aligned to your mission.

## The Bottom Line: Most Vendors Stop at Data. We Don't.

Many CTI providers give you indicators. Few give you intelligence.

We have built the Arachne Digital workflow around the full intelligence cycle (direction, collection, processing, analysis, dissemination, and feedback) because that's what makes intelligence actionable.

We believe SOCs deserve better than static lists of IPs. Security leaders deserve insights, not noise. And everyone deserves the context to make informed decisions.

If your current CTI isn't built on the intelligence cycle, ask why.

We're building threat intelligence the way it's meant to be: structured, contextual, and decision-ready.

Ready to work with intelligence that informs action? Get in touch or explore our API to learn more.
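As an added illustration of the Processing and Exploitation and Analysis phases described above (example code written for this page, not Arachne Digital's Thread or Tracery): it de-duplicates constructed free-text reports, extracts ATT&CK technique IDs, dates, actor names and victimology with regular expressions and a small constructed lexicon standing in for the machine-learning mapping, and rolls the records up into per-actor profiles with first and last seen dates. The actor names, URLs and report text are all constructed.

```python
import hashlib
import re
from collections import defaultdict
from datetime import date

# Constructed sample of collected free text (not real reports); the mirror entry
# repeats the first document verbatim to exercise de-duplication.
REPORT_A = ("On 2024-03-02 ACTOR-RED targeted finance firms in Germany. The operators "
            "used spearphishing attachments (T1566.001) and then ran PowerShell "
            "(T1059.001) to stage the loader.")
REPORT_B = ("ACTOR-RED returned on 2024-05-19 against healthcare in France, again "
            "with T1566.001 and credential dumping via LSASS (T1003.001).")
DOCUMENTS = [
    {"url": "https://example.invalid/blog/1", "text": REPORT_A},
    {"url": "https://example.invalid/mirror/1", "text": REPORT_A},
    {"url": "https://example.invalid/advisory/7", "text": REPORT_B},
]

ACTORS = {"ACTOR-RED"}                   # constructed lexicons standing in for an
INDUSTRIES = {"finance", "healthcare"}   # analyst-maintained reference set
GEOGRAPHIES = {"Germany", "France"}
TECHNIQUE_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")  # ATT&CK technique IDs
DATE_RE = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")

def dedupe(docs):
    """Processing: drop documents whose whitespace-normalised text was already seen."""
    seen, unique = set(), []
    for doc in docs:
        key = hashlib.sha256(" ".join(doc["text"].split()).lower().encode()).hexdigest()
        if key not in seen:
            seen.add(key)
            unique.append(doc)
    return unique

def extract(doc):
    """Exploitation: pull structured fields out of one free-text document."""
    text = doc["text"]
    return {
        "source": doc["url"],
        "actors": sorted(a for a in ACTORS if a in text),
        "techniques": sorted(set(TECHNIQUE_RE.findall(text))),
        "dates": sorted(date(int(y), int(m), int(d)) for y, m, d in DATE_RE.findall(text)),
        "industries": sorted(i for i in INDUSTRIES if i in text.lower()),
        "geographies": sorted(g for g in GEOGRAPHIES if g in text),
    }

def build_profiles(docs):
    """Analysis: per-actor first/last seen, TTPs and victimology across all records."""
    acc = defaultdict(lambda: {"techniques": set(), "industries": set(),
                               "geographies": set(), "sources": set(), "dates": []})
    for rec in map(extract, dedupe(docs)):
        for actor in rec["actors"]:
            for field in ("techniques", "industries", "geographies"):
                acc[actor][field].update(rec[field])
            acc[actor]["sources"].add(rec["source"])
            acc[actor]["dates"].extend(rec["dates"])
    return {actor: {**{k: sorted(p[k]) for k in ("techniques", "industries", "geographies", "sources")},
                    "first_seen": min(p["dates"]).isoformat() if p["dates"] else None,
                    "last_seen": max(p["dates"]).isoformat() if p["dates"] else None}
            for actor, p in acc.items()}
```

The resulting profile dictionary is the "structured and dated" shape the article describes: it can be serialised as-is for an API consumer or handed to an analyst for verification and enrichment.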
Analysis Summary
# Best Practices: Implementing the Cyber Threat Intelligence (CTI) Cycle for Actionable Security
## Overview
These practices focus on transitioning from relying solely on raw Indicators of Compromise (IOCs) data to implementing the structured Cyber Threat Intelligence (CTI) cycle. The goal is to transform raw data into contextualized intelligence that directly informs security decision-making, risk reduction, and effective response activities.
## Key Recommendations
### Immediate Actions
1. **Define Organizational Context:** Immediately identify and document the critical assets, business sectors, and geographies the organization needs to protect. This establishes the 'what' for intelligence gathering.
2. **Establish Initial Intelligence Needs:** Draft preliminary, high-level security questions that need answers from threat intelligence (e.g., "Which threat actors target our industry?").
3. **Review Current Data Ingestion:** Scrutinize all current threat data feeds (IOC lists) and determine what context (attribution, timeframe, TTPs) is missing from them.
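An added example (written for this page, not part of the original summary) of the "Review Current Data Ingestion" action: it audits constructed IOC feed records for the context the article says indicators need (who, first and last seen, ATT&CK TTPs, targeted industry and geography), classifies each record as intelligence or bare data, and flags indicators whose last-seen date is older than an assumed 180-day staleness threshold. The indicators, actor names and dates are constructed.

```python
from datetime import date

# Constructed feed records (not real indicators): one bare IOC and two with context.
FEED = [
    {"indicator": "203.0.113.10", "type": "ipv4"},
    {"indicator": "198.51.100.7", "type": "ipv4", "actor": "ACTOR-BLUE",
     "first_seen": "2023-01-15", "last_seen": "2023-02-01",
     "techniques": ["T1071.001"], "industries": ["finance"], "geographies": ["Germany"]},
    {"indicator": "b" * 64, "type": "sha256", "actor": "ACTOR-RED",
     "first_seen": "2024-05-01", "last_seen": "2024-05-19",
     "techniques": ["T1566.001"], "industries": ["healthcare"], "geographies": ["France"]},
]

# The context a record must carry before it answers the questions defenders ask.
CONTEXT_FIELDS = {
    "actor": "who is behind it",
    "first_seen": "when it was first seen",
    "last_seen": "when it was last seen",
    "techniques": "how (ATT&CK TTPs)",
    "industries": "which industries are targeted",
    "geographies": "which geographies are targeted",
}

def assess(record, today, stale_after_days=180):
    """Classify one record as intelligence or bare data, and flag historic indicators.

    `today` is an ISO date string; the 180-day threshold is an assumed value."""
    missing = [q for field, q in CONTEXT_FIELDS.items() if not record.get(field)]
    stale = None  # unknown when the record carries no last_seen date
    if record.get("last_seen"):
        age = date.fromisoformat(today) - date.fromisoformat(record["last_seen"])
        stale = age.days > stale_after_days
    return {
        "indicator": record["indicator"],
        "verdict": "intelligence" if not missing else "data only",
        "missing": missing,
        "stale": stale,
    }

def assess_feed(feed, today, stale_after_days=180):
    return [assess(r, today, stale_after_days) for r in feed]

def coverage(feed):
    """Share of records carrying each context field: the gap report for a feed review."""
    return {f: sum(1 for r in feed if r.get(f)) / len(feed) for f in CONTEXT_FIELDS}

def actionable(feed, today, stale_after_days=180):
    """Indicators worth acting on now: full context and not historic."""
    return [a["indicator"] for a in assess_feed(feed, today, stale_after_days)
            if a["verdict"] == "intelligence" and a["stale"] is False]
```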
### Short-term Improvements (1-3 months)
1. **Translate Needs into Essential Elements of Information (EEIs):** Convert high-level needs into specific, actionable questions that CTI efforts must answer, formally documenting these requirements for the intelligence team.
2. **Implement Initial Data Collection Strategy:** Identify and begin collecting raw data from targeted, relevant sources (e.g., security blogs, relevant forums, vendor advisories) to address the defined EEIs.
3. **Begin Data Processing and Standardization:** Start filtering collected raw data to remove noise and duplicates. Implement a basic system to begin extracting structured elements like threat actor names, infrastructure details, and documented TTPs.
4. **Adopt a Framework for Tagging:** Begin mapping extracted technical data (TTPs, malware) to a standardized framework, such as the MITRE ATT&CK framework, to ensure consistency.
### Long-term Strategy (3+ months)
1. **Formalize the Intelligence Cycle Workflow:** Fully integrate all six phases (Direction, Collection, Processing/Exploitation, Analysis, Dissemination, Feedback) into a continuous, documented operational workflow, rather than treating intelligence as a one-time product.
2. **Establish Robust Feedback Mechanisms:** Create formal channels for intelligence consumers (SOC, Incident Response, Leadership) to provide structured feedback on the relevance, accuracy, and timeliness of delivered intelligence.
3. **Integrate Contextual Analysis:** Move beyond simple IOC matching by ensuring all disseminated intelligence includes context regarding actor motivation, likely targeting, and potential next steps (proactive defense planning).
4. **Mature Collection Scalability:** Implement automated tools or processes for scalable, timely collection across a wide variety of relevant sources, balancing breadth with adherence to defined intelligence priorities.
## Implementation Guidance
### For Small Organizations
- **Prioritize Direction:** Focus heavily on Phase 1 (Direction). Since resources are limited, ensure every piece of collected data directly addresses a known, critical security gap or asset vulnerability.
- **Leverage Aggregated CTI:** For collection and processing, rely initially on high-quality, vetted commercial feeds or open-source intelligence (OSINT) aggregators that already perform basic processing, minimizing the need for complex internal tooling.
- **Utilize Simple Processes:** Use spreadsheets or ticketing systems for initial tracking of feedback and essential intelligence elements before investing in dedicated CTI platforms.
### For Medium Organizations
- **Develop Dedicated Roles:** Assign clear responsibility for CTI management (even part-time) to ensure continuous management of the intelligence cycle, especially Direction and Feedback loops.
- **Automate Processing:** Invest in tools or scripts capable of unstructured data ingestion (e.g., blog processing) and initial structured extraction, reducing manual analyst burden during the Processing phase.
- **Standardize Format:** Fully commit to documentation using a recognized standard like MITRE ATT&CK for classifying TTPs to improve analysis and dissemination consistency.
### For Large Enterprises
- **Implement Tooling Orchestration:** Integrate dedicated tools for automated collection (e.g., web scrapers for specific forums), machine learning for processing/exploitation, and a threat intelligence platform (TIP) for full lifecycle management.
- **Tailor Requirements:** Run workshops or continuous dialogue sessions with executive leadership and various operational teams (Security Engineering, IR) to define differentiated intelligence requirements (strategic, operational, and tactical).
- **Build Feedback Control:** Establish formal Service Level Objectives (SLOs) for intelligence providers (internal or external) based on relevance and timeliness, driven by documented consumer feedback metrics.
## Configuration Examples
*Since the article focuses heavily on process rather than specific tool configuration, the following translates process requirements into functional configuration goals:*
**Data Processing Configuration Goal (Mapping to MITRE ATT&CK):**
Configure processing tools (internal scripts or platforms) to ingest unstructured incident reports and automatically assign scores and tags based on detected adversarial behavior patterns, aiming for 80% accuracy in mapping to the relevant MITRE ATT&CK tactics and techniques.
**Collection Strategy Configuration Goal (Targeted Collection):**
Define collection parameters (keywords, sources, update frequency) based on the organization's threat profile, ensuring that geographic threat actor monitoring feeds are queried at least hourly, while vulnerability research forums are scraped daily.
## Compliance Alignment
The intelligence cycle itself aligns conceptually with best practices across major domains:
- **NIST SP 800-92 (Guide to Computer Security Log Management):** The entire cycle supports the requirement to analyze security data to inform risk management decisions.
- **ISO/IEC 27001 (Information Security Management):** Specifically aligns with Annex A.12 (Operations Security) and the proactive risk treatment derived from understanding threats.
- **CIA Triad:** The cycle delivers intelligence specifically oriented to maintain the Confidentiality, Integrity, and Availability of protected assets identified in the Direction phase.
## Common Pitfalls to Avoid
1. **The Data Dump Trap:** Treating raw IOC lists (IPs, hashes) as equivalent to intelligence. Always demand context (Who, Why, When).
2. **Skipping Direction:** Starting collection without clearly defined, documented intelligence requirements (EEIs). This leads to collecting noise and wasting resources.
3. **Ignoring Feedback:** Failing to evaluate intelligence output against initial requirements. This results in stale, irrelevant intelligence products that decision-makers will eventually stop using.
4. **One-Time Execution:** Treating the intelligence cycle as a linear task to be completed once, rather than a continuous, iterative loop required for adapting to dynamic threats.
## Resources
- **Official Document for Foundational Cycle:** [JP 2-0, Joint Intelligence (Classical Intelligence Cycle Framework)](https://web.archive.org/web/20160613010839/http://www.dtic.mil/doctrine/new_pubs/jp2_0.pdf)
- **TTP Standardization:** MITRE ATT&CK Framework (Use as the standard reference for structuring and categorizing adversarial behavior data extracted during Processing).
- **Automation Example (Conceptual):** Concepts derived from tools like Tracery (for targeted collection) and Thread (for ML-assisted processing).