Defining Cyber Threat Intelligence

Cyber Threat Intelligence (CTI) is not a new area of cybersecurity, but what CTI actually is remains an open question throughout the community. If you ask ten people to define CTI, you will likely hear eight to ten different definitions. It's concerning that this is the current state of understanding.

To test the hypothesis stated above, I’ll run an Internet search and dig into the results.

Searching the Internet for "What is Cyber Threat Intelligence" produces numerous sites that claim to answer the question. Let's look at the top ten results as of January 5, 2022. Included below is the first sentence of each definition.


Center for Internet Security, https://www.cisecurity.org/insights/blog/what-is-cyber-threat-intelligence

Cyber threat intelligence is what cyber threat information becomes once it has been collected, evaluated in the context of its source and reliability, and analyzed through rigorous and structured tradecraft techniques by those with substantive expertise and access to all-source information.

CrowdStrike, https://www.crowdstrike.com/cybersecurity-101/threat-intelligence/

Threat intelligence is data that is collected, processed, and analyzed to understand a threat actor’s motives, targets, and attack behaviors.

EC-Council, https://www.eccouncil.org/cyber-threat-intelligence/

Threat intelligence is the analysis of data using tools and techniques to generate meaningful information about existing or emerging threats targeting the organization that helps mitigate risks.

NETSCOUT, https://www.netscout.com/what-is/cyber-threat-intelligence

Cyber threat intelligence (CTI) is an area of cybersecurity that focuses on the collection and analysis of information about current and potential attacks that threaten the safety of an organization or its assets.

Cisco, https://www.cisco.com/c/en/us/products/security/what-is-cyber-threat-intelligence.html

Cyber threat intelligence refers to a dynamic, adaptive technology that leverages large-scale threat history data to proactively block and remediate future malicious attacks on a network.

Malwarebytes, https://www.malwarebytes.com/cybersecurity/business/what-is-cyber-threat-intelligence

Cyber threat intelligence (CTI) involves data that has undergone aggregation, processing, and analysis to help security teams understand threat actor behavior and prevent cyberattacks.

Check Point, https://www.checkpoint.com/cyber-hub/cyber-security/what-is-threat-intelligence/

Cyber threat intelligence aims to create and share knowledge about the current state of the rapidly evolving cyber threat landscape and provide users and cybersecurity solutions with the information and context required to identify current threats and make strategic decisions for the future.

Imperva, https://www.imperva.com/learn/application-security/threat-intelligence/

Threat intelligence is the practice of collecting, organizing, and making actionable use of information about cyber threats.

Acronis, https://www.acronis.com/en-us/blog/posts/cyber-threat-intelligence/

Acronis quotes Gartner:

"Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard."


With so many definitions in circulation, it's no wonder there are so many different views on what CTI is.

After reading these definitions, one observation stands out: organizations appear to have defined CTI to align with their own products and services. Nothing is inherently wrong with this approach. However, it can have undesirable effects on the cybersecurity industry. Competing definitions create confusion and can lead to the following:

  • Customers considering only the parts of CTI that align with their existing perspective of what CTI is
  • Organizations facing roadblocks, internally and externally, when teams and partners work from different definitions
  • Organizations having gaps in knowledge because of a narrow focus
  • Teams across an organization not being aligned

We can do better as an industry.

Standards and frameworks are essential to our industry. They enable us to communicate about networks, devices, software, systems, risk, etc., with a common language and a shared understanding. CTI needs such a standard.

While a perfect definition for CTI may never exist, let’s compare these definitions and note their similarities.

Common actions include:

  • Collect
  • Process
  • Analyze
  • Share

What is being collected, processed, analyzed, and shared:

  • Data
  • Information

The data and information being collected, analyzed, etc. relate to existing or emerging:

  • Threat actor motivation
  • Threat actor targets
  • Threat actor behavior

The characteristics noted above provide enough information to build a definition. The focus is on:

  • The action being taken (collecting, processing, analyzing, and sharing)
  • What (data and information) is being acted upon
  • The topic (threat actors, their motives, and methodologies) we’re trying to learn more about

After thinking it over and coming up with a few variations, I finally landed on the following definition.

Cyber Threat Intelligence is the knowledge gained and the product produced and shared after collecting, processing, and analyzing data and information about threat actor motives, targets, and attack methodologies.

Additional attributes should also be required: CTI must be complete, actionable, relevant, and timely. These attributes can be used to evaluate a CTI program, and to evaluate any individual intelligence product it consumes or produces.

There you have it, a definition based on common language across different definitions.
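The four attributes (complete, relevant, timely, actionable) are easier to apply consistently if each one is turned into a concrete check. The following is an added example, not code from the original post: a small evaluator that scores a threat report against those attributes. The report field names, the consumer's organization profile, the 30-day freshness window, and the two sample reports are all constructed assumptions chosen to illustrate the checks, not a real data model or real intelligence.

```python
from datetime import datetime, timedelta, timezone

# Fixed reference time (constructed: the page's search date) so the example is deterministic.
NOW = datetime(2022, 1, 5, tzinfo=timezone.utc)

# Hypothetical consumer profile that "relevant" is measured against. Key names are assumptions.
ORG_PROFILE = {
    "sectors": {"finance"},
    "technologies": {"windows", "exchange", "okta"},
    "regions": {"us"},
}

# Fields a report must carry to cover actor motive, targets and behavior, plus provenance.
REQUIRED_FIELDS = ("actor", "motive", "targets", "behaviors", "indicators", "source", "published")


def check_complete(report):
    """Complete: every required field is present and non-empty."""
    missing = [f for f in REQUIRED_FIELDS if not report.get(f)]
    return (not missing, missing)


def check_relevant(report, profile=ORG_PROFILE):
    """Relevant: the report's stated targets overlap the consumer's own profile."""
    targets = report.get("targets") or {}
    matched = {}
    for key, ours in profile.items():
        overlap = set(targets.get(key, [])) & ours
        if overlap:
            matched[key] = sorted(overlap)
    return (bool(matched), matched)


def check_timely(report, now=NOW, max_age_days=30):
    """Timely: published recently enough to act on, with at least one unexpired indicator."""
    published = report.get("published")
    if not published:
        return (False, {"age_days": None, "live_indicators": 0})
    age = now - datetime.fromisoformat(published)
    live = [
        i for i in report.get("indicators", [])
        # An indicator with no stated expiry is treated as still live (assumption).
        if not i.get("valid_until") or datetime.fromisoformat(i["valid_until"]) > now
    ]
    ok = age <= timedelta(days=max_age_days) and bool(live)
    return (ok, {"age_days": age.days, "live_indicators": len(live)})


def check_actionable(report):
    """Actionable: at least one concrete defensive action (detect, block or patch) with detail."""
    actions = report.get("actions") or []
    usable = [a for a in actions if a.get("type") in {"detect", "block", "patch"} and a.get("detail")]
    return (bool(usable), usable)


def evaluate(report, now=NOW):
    """Run all four checks; each value is (passed, evidence)."""
    return {
        "complete": check_complete(report),
        "relevant": check_relevant(report),
        "timely": check_timely(report, now),
        "actionable": check_actionable(report),
    }


def score(report, now=NOW):
    """Pass/fail per attribute, the form a program review would track across many reports."""
    return {name: passed for name, (passed, _) in evaluate(report, now).items()}


# Constructed sample reports (not real intelligence). The first meets all four attributes;
# the second is the vague, stale, non-actionable kind the post warns about.
GOOD_REPORT = {
    "actor": "TA-EXAMPLE (constructed name)",
    "motive": "financial",
    "targets": {"sectors": ["finance", "retail"], "technologies": ["exchange"], "regions": ["us"]},
    "behaviors": ["phishing with ISO attachments", "web shell dropped on Exchange servers"],
    "indicators": [{"type": "domain", "value": "example.invalid", "valid_until": "2022-02-01T00:00:00+00:00"}],
    "actions": [
        {"type": "detect", "detail": "alert on w3wp.exe spawning cmd.exe or powershell.exe"},
        {"type": "block", "detail": "sinkhole example.invalid at the resolver"},
    ],
    "source": "constructed sample",
    "published": "2022-01-03T00:00:00+00:00",
}
WEAK_REPORT = {
    "actor": "unknown",
    "targets": {"sectors": ["healthcare"], "regions": ["eu"]},
    "indicators": [{"type": "ipv4", "value": "203.0.113.7", "valid_until": "2021-11-01T00:00:00+00:00"}],
    "source": "constructed sample",
    "published": "2021-10-01T00:00:00+00:00",
}

if __name__ == "__main__":
    for name, report in (("good", GOOD_REPORT), ("weak", WEAK_REPORT)):
        print(name, score(report))
        for attr, (passed, evidence) in evaluate(report).items():
            if not passed:
                print("  ", attr, "failed:", evidence)
```

The evidence returned beside each pass/fail matters as much as the verdict: a report that fails "relevant" because none of its targets match the profile is a different problem from one that fails "timely" because every indicator has expired, and a program review should record which failures dominate. The profile, freshness window and accepted action types are the knobs a consumer would tune to its own environment.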
