DarkScout

Types of Threat Intelligence: A Complete Guide for 2026

nikhil
25 min read 28 May 26

Not all threat intelligence is the same.

A ransomware group’s tactics and procedures aren’t useful to a CEO planning next year’s security budget. A geopolitical risk briefing isn’t useful to a SOC analyst who needs to block a malicious IP address right now.

The difference isn’t just the content. It’s the audience, the timeframe, and how the intelligence is supposed to be used.

Threat intelligence is divided into four distinct types: strategic, tactical, operational, and technical. Each one serves a different purpose, speaks to a different person in your organization, and operates on a completely different timescale.

Understanding the four types isn’t just academic. It’s the foundation of building a threat intelligence program that actually improves your security posture rather than just adding noise.

This guide breaks down all four types, explains who uses each one, shows how they connect, and maps them to everything else you need to build an effective CTI program.

What Is Threat Intelligence?


Threat intelligence is analyzed, contextualized information about cyber threats that helps organizations make better security decisions.

The keyword is “analyzed.” Raw data isn’t intelligence. A list of malicious IP addresses isn’t intelligence until someone has verified it, contextualized it, and confirmed it’s relevant to your environment.

Intelligence is data that has been processed, understood, and turned into something you can act on.

Good threat intelligence tells you who is targeting you, how they operate, what they’re after, and what you can do about it. Poor threat intelligence is noise that wastes analyst time and trains security teams to ignore alerts.

The four types of threat intelligence are the framework that helps organizations collect, analyze, and use intelligence correctly for each audience and each decision.

Why the Type of Intelligence Matters

A lot of organizations collect threat intelligence but struggle to get value from it.

The most common reason is a mismatch between the type of intelligence and the person receiving it.

Technical indicators of compromise are invaluable to a SOC analyst blocking an active attack. They’re meaningless to a CFO deciding how much to invest in security next year. A high-level geopolitical risk analysis is exactly what the CFO needs. It’s useless to the analyst who needs to know which file hash to search for right now.

When intelligence reaches the wrong audience, it either gets ignored or misapplied. Either way, it doesn’t improve your security posture.

Getting the type right means intelligence actually drives action at every level of your organization, from the boardroom to the SOC floor.

The Four Types of Threat Intelligence

Here’s how the four types break down at a glance before we go deeper into each one.

Type | Audience | Timeframe | Output
Strategic | Executives, board, CISO | Long-term (months to years) | Risk reports, trend briefings, budget inputs
Operational | Security managers, incident responders | Medium-term (weeks to months) | Campaign profiles, threat actor reports, attack patterns
Tactical | SOC analysts, threat hunters | Short-term (days to weeks) | TTPs, MITRE ATT&CK mappings, behavioral detections
Technical | Security tools, automated systems | Immediate (hours to days) | IOCs, IP blocklists, file hashes, domain blacklists

Each type builds on the others. Together, they give your organization a complete picture of the threat landscape across every relevant timeframe.


1. Strategic Threat Intelligence

Strategic threat intelligence answers the question: what threats should our organization be preparing for over the next year?

It’s designed for executives, board members, and senior leadership. Not for technical teams.

Strategic intelligence takes a broad view of the threat landscape. It covers geopolitical risk, industry-level threat trends, the evolution of threat actor groups, emerging attack technologies, and regulatory changes that could affect your organization’s risk posture.

It’s deliberately non-technical. The output is usually a written report or executive briefing that translates complex threat data into business language: what the risks are, what they could cost, and what decisions need to be made in response.

Who produces it? Senior analysts with backgrounds in intelligence, geopolitics, and enterprise risk management. Sources include industry threat intelligence reports, government advisories, ISAC publications, research papers, and exchanges with similar organizations in the same industry.

Who consumes it? CISOs reporting to their boards, CISOs or CFOs looking to budget for security measures, risk committees looking to assess the organization’s risks, and legal teams wanting to get an understanding of regulatory risk exposure.

Real-world example: A strategic briefing for a healthcare organization might cover the rise in ransomware targeting hospitals, the regulatory enforcement trajectory under HIPAA, and the emerging risk of AI-generated phishing targeting clinical staff. None of that requires a file hash. All of it shapes security investment decisions.

What makes it valuable: The measure of strategic intelligence isn’t the volume of data it contains. It’s the number of material decisions it influences. A budget approval. A policy change. A new vendor assessment requirement. Those are the outcomes strategic intelligence drives.

2. Operational Threat Intelligence

Operational threat intelligence answers the question: which threat actors are actively targeting organizations like ours right now, and how are they operating?

It sits between executive-level strategic intelligence and the day-to-day reaction driven by technical intelligence.

Operational threat intelligence deals with specific attacker campaigns: who is behind them, why they are running them, which industries they are attacking, which TTPs they are currently using, and how they are evolving. It typically covers a timeframe of weeks to months.

Who produces it? Analysts with deep knowledge of specific actors, experience in campaign analysis, and the ability to spot common patterns across incidents. Sources include dark web forum monitoring, malware analysis, actor-tracking tools, and law enforcement advisories.

Who consumes it? Security managers building a defensive plan. Incident responders working an ongoing incident. Threat hunters looking for an undetected adversary in the network. Red teams creating convincing attack simulations.

Real-world example: Operational intelligence might cover a specific ransomware group that has targeted five organizations in your industry in the last 60 days. The report covers their initial access methods, preferred lateral movement tools, typical dwell time before ransomware deployment, and the specific vendor types they’ve exploited for initial access. Your team uses this to prioritize detective controls and hunting hypotheses.

What makes it valuable: Operational intelligence is the bridge between big-picture awareness and technical response. It tells your team not just that threats exist but which specific threats are active and what they look like in practice.

3. Tactical Threat Intelligence

Tactical threat intelligence answers the question: how do attackers actually behave once they’re inside an environment?

It focuses on tactics, techniques, and procedures (TTPs): the specific methods adversaries use to execute attacks. This is the intelligence that tells security engineers how an attacker moves laterally within the network, how they evade defenses, and what tools they use, in what order.

The premier framework in the world of tactical intelligence is MITRE ATT&CK. It catalogues adversary behavior as specific techniques and sub-techniques. When threat intelligence is mapped to ATT&CK, security engineers can translate it directly into detection rules and hunting hypotheses.

Who produces it? Threat intelligence analysts and malware researchers who analyze tools in detail, reverse engineer them, and map observed actions against known behavior frameworks. Red teams also provide it when they expose which defensive gaps exist.

Who consumes it? SOC analysts building detection rules. Security architects hardening defenses against specific techniques. Threat hunters designing hypotheses. Incident responders working out what an attacker likely did after gaining initial access.

What makes it valuable: Tactical intelligence has a longer useful shelf life than technical indicators. While IP addresses get rotated daily, behavioral patterns tend to persist across campaigns. A group that has always used a specific lateral movement technique rarely changes it overnight.

4. Technical Threat Intelligence

Technical threat intelligence answers the question: what specific artifacts and indicators can we use to detect and block active threats right now?

It’s the most granular type, dealing with specific, machine-readable data that can be fed directly into security tools. The primary unit of technical intelligence is the Indicator of Compromise (IOC): a specific artifact that confirms a system has been or is being compromised.

Technical intelligence has the shortest shelf life of all four types. Attackers rotate infrastructure constantly. An IP address that was serving malware yesterday might be a legitimate service today. IOCs have a half-life measured in hours to days.

Who produces it? Automated threat intelligence platforms, malware analysis sandboxes, honeypot networks, security vendors, and threat sharing communities like ISACs. Much of technical intelligence is machine-generated and machine-consumed without human review.

Who consumes it? Firewalls, SIEM platforms, endpoint detection tools, and DNS filtering systems that can ingest and act on IOC data automatically. SOC analysts investigating specific incidents also use technical intelligence to verify and block threats in real time.

Real-world example: A technical intelligence feed might include a list of 200 IP addresses associated with a specific botnet’s command-and-control infrastructure, 15 file hashes associated with a new malware variant, and 30 domains registered by a phishing campaign targeting your industry. All of these can be ingested directly into security tooling with minimal human processing.

What makes it valuable: Technical intelligence enables immediate, automated response. The trade-off is that it ages quickly and requires careful management to avoid cluttering security tools with stale indicators that generate false positives.

How the Four Types Connect

The four types aren’t independent. They feed each other in a continuous cycle.

Strategic intelligence identifies that ransomware groups are increasingly targeting your industry through third-party vendors. That drives a decision to increase monitoring of vendor-related threat activity.

Operational intelligence reveals a specific group that has hit three companies in your sector in the last 45 days, using compromised MSP credentials for initial access. That tells your threat hunting team exactly what adversary behavior to look for.

Tactical intelligence maps that group’s post-compromise behavior to specific ATT&CK techniques. Your detection engineers use that mapping to write new detection rules targeting those specific behaviors.

Technical intelligence provides the current IOCs associated with that group’s infrastructure. Your firewall and SIEM automatically block and alert on any traffic matching those indicators.

Strategic identifies the why. Operational identifies the who and the how at a campaign level. Tactical identifies the behavioral patterns. Technical identifies the specific artifacts to block.

Each type makes the others more effective. Strategic without technical is directionless at the operational level. Technical without strategic is reactive and context-free. The full program needs all four.

IOCs and IOAs: The Building Blocks of Technical Intelligence

Two terms come up constantly in technical threat intelligence discussions: Indicators of Compromise (IOCs) and Indicators of Attack (IOAs).

They’re related, but they serve fundamentally different purposes.

Indicators of Compromise (IOCs) are evidence that a breach has already occurred or is actively occurring. They’re the digital fingerprints left behind by an attack: specific IP addresses, domain names, file hashes, registry keys, and network signatures that confirm malicious activity.

IOCs answer the question: has this already happened to us?

Indicators of Attack (IOAs) focus on the behavior patterns of an attack in progress, regardless of the specific tools used. Rather than flagging a specific file hash, an IOA flags a behavioral pattern: a process spawning an unusual child process, a script executing in an unusual sequence, a user account accessing systems it’s never accessed before.

IOAs answer the question: Is this happening to us right now, and can we stop it before it completes?

The practical difference matters significantly. IOCs are reactive: you identify them after or during an attack by matching specific known artifacts. IOAs are proactive: they can detect an attack even if the specific tools and infrastructure are brand new and have no known IOCs yet.

The most robust threat detection programs use both: IOCs for matching known threats, and IOAs for behavioral detection that catches novel or zero-day attacks before they appear in any threat feed.

The tension between the two is central to how cyber threat intelligence programs are designed: purely IOC-driven programs miss what they haven’t seen before, while purely IOA-driven programs require careful tuning to avoid alert fatigue from false positives.
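The IOC/IOA distinction above is easiest to see in code. The following is an added example, not DarkScout's code: it runs an IOC match (known-bad hashes and addresses) and two IOA rules (an Office application spawning a command interpreter; a user logging on to a host they have never used) over a handful of constructed endpoint events. Every event field, hostname, user, hash and IP address is constructed; the ATT&CK technique IDs in the rule tags (T1059 Command and Scripting Interpreter, T1078 Valid Accounts) are real, but mapping these particular rules to them is this example's choice. The third event is the point of the exercise: a freshly built tool with no known hash or infrastructure is invisible to the IOC check and still trips the behavioral rule.

```python
"""IOC matching next to IOA behavioural rules over constructed endpoint events.

Added example to illustrate the IOC/IOA distinction; not DarkScout's code.
Event fields, rule names and every sample value are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str            # "process" or "logon"
    host: str
    user: str
    image: str = ""      # executable name (process events)
    parent: str = ""     # parent executable (process events)
    sha256: str = ""     # hash of the executable (process events)
    dest_ip: str = ""    # outbound connection made by the process, if any


# --- Technical intelligence: known-bad artifacts as a feed would deliver them ---
KNOWN_BAD_SHA256 = "0" * 61 + "bad"          # constructed placeholder hash
IOC_HASHES = {KNOWN_BAD_SHA256}
IOC_IPS = {"203.0.113.45"}                   # RFC 5737 documentation address

# --- Tactical intelligence: behaviour patterns, independent of the tool used ---
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}


def match_iocs(ev: Event) -> list[str]:
    """Reactive check: does the event carry an artifact already on a feed?"""
    hits = []
    if ev.sha256 in IOC_HASHES:
        hits.append(f"IOC:hash:{ev.sha256[-8:]}")
    if ev.dest_ip in IOC_IPS:
        hits.append(f"IOC:ip:{ev.dest_ip}")
    return hits


def match_ioas(ev: Event, access_baseline: set[tuple[str, str]]) -> list[str]:
    """Proactive check: does the event match an attack behaviour pattern?

    Tags carry the ATT&CK technique this example maps each rule to.
    """
    hits = []
    # An Office document should not be launching a command interpreter.
    if ev.kind == "process" and ev.parent in OFFICE_APPS and ev.image in SHELLS:
        hits.append(f"IOA:T1059:office-spawns-shell:{ev.parent}->{ev.image}")
    # Valid credentials used against a host this user has never touched before.
    if ev.kind == "logon" and (ev.user, ev.host) not in access_baseline:
        hits.append(f"IOA:T1078:first-time-access:{ev.user}@{ev.host}")
    return hits


def detect(events, access_baseline):
    """Run both indicator classes over every event; returns (host, tag) alerts."""
    alerts = []
    for ev in events:
        for tag in match_iocs(ev) + match_ioas(ev, access_baseline):
            alerts.append((ev.host, tag))
    return alerts


# Constructed events. Event 3 is a new tool: unknown hash, unknown C2 address,
# so the IOC check is blind to it, but the parent/child behaviour still fires.
SAMPLE_EVENTS = [
    Event("process", "ws-042", "alice", "powershell.exe", "explorer.exe", "1" * 64),
    Event("process", "ws-017", "bob", "update.exe", "explorer.exe", KNOWN_BAD_SHA256),
    Event("process", "ws-042", "alice", "powershell.exe", "winword.exe", "2" * 64, "198.51.100.7"),
    Event("logon", "fileserver01", "alice"),
    Event("logon", "dc01", "alice"),
    Event("process", "ws-017", "bob", "svchost.exe", "services.exe", "3" * 64, "203.0.113.45"),
]
# Constructed baseline of (user, host) pairs observed over the previous 90 days.
ACCESS_BASELINE = {("alice", "ws-042"), ("alice", "fileserver01"), ("bob", "ws-017")}


def run_sample():
    return detect(SAMPLE_EVENTS, ACCESS_BASELINE)


if __name__ == "__main__":
    for host, tag in run_sample():
        print(f"{host:<14} {tag}")
```

Running it produces four alerts: two IOC hits (the known hash, the known address) and two IOA hits (the Word-to-PowerShell chain, the first-time logon to dc01). The benign PowerShell launched from Explorer and the routine file-server logon produce nothing, which is the tuning point the article raises: the IOA rules need a baseline and a list of expected parents, or they generate the false positives that cause alert fatigue.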

Where Dark Web Intelligence Fits

Dark web intelligence is a source that feeds multiple types of threat intelligence simultaneously, and it’s one of the most valuable and underutilized intelligence sources available.

It’s not a fifth “type” of threat intelligence. It’s a collection channel that produces intelligence usable across all four types.

Here’s how dark web intelligence maps to each type:

Strategic: Trends in dark web activity across industries. The growth of Ransomware-as-a-Service. The emergence of new threat actor groups. The pricing and availability of credentials from specific sectors. All of this informs strategic risk assessments and investment decisions.

Operational: Specific activity of various threat actors within the dark web, discussion between groups about which targets they may go after, sale of initial access in various industries, and campaign discussions that indicate imminent threats for specific companies or industries.

Tactical: The latest TTPs being discussed and used across various communities, the development of new attack tools, and techniques identified through analysis that have not yet been seen “in the wild.”

Technical: Credential dumps, stealer log markets, malware samples shared in dark web communities, and IOCs associated with dark web-linked infrastructure. Highly perishable but immediately actionable when fresh.

This cross-type value is exactly why OSINT dark web tools are a core component of professional threat intelligence programs. And it’s why DarkScout’s Dark Monitoring service and Darknet Threat Assessment provide intelligence that feeds your program at every level: from real-time credential exposure alerts to broader darknet trend analysis.

The Threat Intelligence Lifecycle

Threat intelligence doesn’t just appear. It’s produced through a structured process called the intelligence lifecycle.

Understanding this lifecycle matters because intelligence programs that skip steps tend to produce either low-quality outputs or high volumes of data that nobody knows how to use.

The lifecycle has six phases, and the same cycle applies to all four types of intelligence.

[Figure: Threat Intelligence Lifecycle]

Phase 1: Direction

Determine what you need to know and why you need to know it. What decisions will the intelligence inform? Who are the consumers? What questions do you need answered? Collection without direction is indiscriminate, and analysis without direction is unfocused.

Phase 2: Collection

Gather the raw data from relevant sources. Sources vary by intelligence type: technical feeds and honeypots (technical), dark web monitoring and threat actor tracking platforms (operational), industry reports and ISACs (strategic).

Phase 3: Processing

Raw intelligence data is never usable on its own. Processing refines it into a form that can be analyzed, by cleaning, normalizing, and structuring the data. For technical intelligence, this means deduplication, validation, and formatting suitable for security tools. Strategic data is aggregated and organized.

Phase 4: Analysis

This stage turns processed data into intelligence: interpreting patterns, assigning confidence levels, and drawing conclusions against your stated intelligence requirement. The analysis is what determines whether your intelligence product is informative or noise.

Phase 5: Dissemination

This stage ensures the right audience receives the right intelligence in the right format: strategic reports to executives, operational briefings to incident and security managers, tactical TTPs to detection engineers, technical IOCs to security tools.

Phase 6: Feedback

Consumers of intelligence report back how effective, timely, and actionable their received intelligence was. This feedback informs the direction for the next intelligence cycle and increases collection and analysis quality. If this step is skipped, the intelligence program does not evolve.

The lifecycle feeds itself. Feedback from technical teams detecting an attack using an IOC informs operational analysts updating their campaign profiles, which informs strategic assessments of the evolving threat landscape.

Threat Intelligence Feeds and Platforms

Now that you understand the four types and the intelligence lifecycle, how does it all come together in practice?

Threat intelligence feeds, continuous streams of threat data (mostly technical indicators), are supplied by security vendors, government agencies, and information sharing communities. Feeds can be free or purchased from commercial security vendors.

Free feeds include CISA Advisories, Open Threat Exchange by AlienVault, and the trackers provided by abuse.ch. These feeds contain widely available known indicators that are often “low-hanging fruit” with little remaining useful life.

Premium feeds can provide higher-quality, more timely, and more targeted data; monitor dark web activity; track sector-specific threats; and report IOCs earlier in the attack lifecycle, before public exposure. These are often essential for organizations in higher-risk industries.

Threat intelligence platforms (TIPs) are the technology layer that aggregates, normalizes, enriches, and operationalizes intelligence from multiple feeds. They’re the connective tissue between raw intelligence and the security tools that act on it.

A TIP receives intelligence from multiple sources, removes duplicates, validates and scores indicators, enriches them with context from multiple sources, and distributes actionable intelligence to the right tools at the right time. SIEMs receive enriched IOCs. Firewalls receive updated blocklists. Detection engineers receive MITRE-mapped TTP reports.

Without a platform to manage the flow, organizations end up either overwhelmed with raw data or manually processing intelligence that should be automated.
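The processing work a TIP does, and the short shelf life of technical indicators described in section 4, can be shown concretely. The following is an added example, not DarkScout's code or any real platform's: it ingests two constructed feeds in different formats (a CSV feed and a JSON feed), normalizes their type labels, case and defanging into one vocabulary, merges duplicates across feeds, raises the score of indicators corroborated by more than one source, and expires anything older than a per-type shelf life before it reaches a blocklist. The feed formats, field names, TTL values, the fixed "now" timestamp and every indicator value are constructed for the example.

```python
"""TIP-style processing of two constructed feeds: normalize, deduplicate,
score, and expire indicators by type-specific shelf life.

Added example; not DarkScout's code or any real platform's. Feed formats,
field names, TTL values and all indicator values are constructed.
"""
import csv
import io
import json
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is reproducible (constructed timestamp).
NOW = datetime(2026, 5, 28, tzinfo=timezone.utc)

# Shelf life per indicator type: addresses rotate in days, hashes stay valid
# far longer. Illustrative values, an assumption of this example.
TTL_DAYS = {"ip": 3, "domain": 14, "sha256": 365}

# Vendor-specific type labels mapped onto one canonical vocabulary.
TYPE_ALIASES = {"ip": "ip", "ipv4": "ip", "ip-dst": "ip", "domain": "domain",
                "hostname": "domain", "sha256": "sha256"}

PLACEHOLDER_SHA256 = "0" * 61 + "bad"   # constructed placeholder hash

# Constructed feed A: CSV, mixed case, defanged domain, one stale address.
FEED_A_CSV = """indicator,type,last_seen,confidence
203.0.113.45,ip,2026-05-26T09:00:00Z,80
EVIL-example[.]test,domain,2026-05-20T12:00:00Z,70
203.0.113.45,ip,2026-05-27T15:30:00Z,85
198.51.100.7,ip,2026-04-01T00:00:00Z,90
"""

# Constructed feed B: JSON with its own field and type names.
FEED_B_JSON = json.dumps([
    {"value": "EVIL-EXAMPLE.TEST.", "kind": "Domain", "seen": "2026-05-27T08:00:00Z", "score": 60},
    {"value": PLACEHOLDER_SHA256, "kind": "SHA256", "seen": "2025-12-01T00:00:00Z", "score": 95},
    {"value": "203.0.113.45", "kind": "IPv4", "seen": "2026-05-25T00:00:00Z", "score": 75},
])


def parse_time(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def refang(value):
    # Feeds defang indicators so they are not clickable; undo that for matching.
    return value.replace("[.]", ".").replace("hxxp", "http")


def normalize(value, itype, seen, confidence, source):
    """One canonical record regardless of which feed produced it."""
    return {"type": TYPE_ALIASES[itype.strip().lower()],
            "value": refang(value.strip()).lower().rstrip("."),
            "last_seen": parse_time(seen), "confidence": int(confidence), "source": source}


def parse_feed_a(text):
    rows = csv.DictReader(io.StringIO(text))
    return [normalize(r["indicator"], r["type"], r["last_seen"], r["confidence"], "feed_a") for r in rows]


def parse_feed_b(text):
    return [normalize(r["value"], r["kind"], r["seen"], r["score"], "feed_b") for r in json.loads(text)]


def merge(records):
    """Deduplicate on (type, value); keep the newest sighting and highest confidence."""
    merged = {}
    for r in records:
        m = merged.setdefault((r["type"], r["value"]),
                              {"type": r["type"], "value": r["value"], "sources": set(),
                               "last_seen": r["last_seen"], "confidence": r["confidence"]})
        m["sources"].add(r["source"])
        m["last_seen"] = max(m["last_seen"], r["last_seen"])
        m["confidence"] = max(m["confidence"], r["confidence"])
    return merged


def is_stale(rec, now=NOW):
    return now - rec["last_seen"] > timedelta(days=TTL_DAYS[rec["type"]])


def score(rec):
    # Corroboration by more than one source raises confidence; cap at 100.
    return min(100, rec["confidence"] + 10 * (len(rec["sources"]) - 1))


def build_blocklist(records, now=NOW):
    """Active indicators only, as (type, value, score), highest score first."""
    active = [r for r in merge(records).values() if not is_stale(r, now)]
    return sorted(((r["type"], r["value"], score(r)) for r in active),
                  key=lambda t: (-t[2], t[0], t[1]))


def expired(records, now=NOW):
    """Indicators dropped because they outlived their type's shelf life."""
    return sorted((r["type"], r["value"]) for r in merge(records).values() if is_stale(r, now))


def load_sample():
    return parse_feed_a(FEED_A_CSV) + parse_feed_b(FEED_B_JSON)


if __name__ == "__main__":
    recs = load_sample()
    print(f"{len(recs)} raw records -> {len(merge(recs))} unique indicators")
    for itype, value, s in build_blocklist(recs):
        print(f"{s:>3}  {itype:<7} {value}")
    print("expired:", expired(recs))
```

Seven raw records collapse to four unique indicators; the address and the domain seen by both feeds score higher than either feed reported alone, and the address last seen eight weeks ago is dropped rather than pushed to the firewall. The TTL table is where the article's "careful management" happens: too long and stale addresses generate false positives, too short and the blocklist is empty by the time it is deployed.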

The specific topic of threat intelligence feeds deserves its own deep dive, which is covered in detail in our threat intelligence feeds guide.

AI and Threat Intelligence in 2026

AI has changed threat intelligence in two significant ways in 2026, and both are relevant to how organizations structure their programs.

AI is accelerating attacker capabilities

Threat actors are using AI to generate more convincing phishing campaigns at scale, discover vulnerabilities faster, customize malware to evade specific detection tools, and automate reconnaissance across targets. The volume and sophistication of attacks has increased as a result.

This means the intelligence requirements for organizations have grown: more sources, faster processing, more context, and faster dissemination are all necessary to keep pace with AI-augmented attacks.

AI is improving intelligence processing and analysis

On the defensive side, AI is being applied across the threat intelligence lifecycle. Machine learning models can process vastly larger volumes of raw data than human analysts, identify patterns that manual analysis would miss, score and triage indicators more accurately, and automate the correlation of technical indicators with operational and tactical context.

Natural language processing models can monitor dark web forums, extract structured intelligence from unstructured text, and flag relevant threat actor discussions faster than human analysts manually reading forum posts.

The practical implication: AI doesn’t replace analysts in threat intelligence programs. It handles the high-volume, pattern-recognition tasks that consumed analyst time, freeing human analysts to focus on the judgment-intensive work: understanding context, assessing adversary intent, and translating intelligence into strategic decisions.

The specific implications of AI for threat intelligence programs are covered in our AI threat intelligence guide.

Building a Threat Intelligence Program

Understanding the four types is the foundation. Building a program that produces and uses all four effectively is the goal.

Here’s what a practical threat intelligence program looks like, regardless of organization size.

1. Start with your intelligence requirements

What decisions does your organization need threat intelligence to inform? Which threat actor groups are most relevant to your industry? What compliance obligations do you have that intelligence can support? Which assets and data types are you most concerned about protecting?

These requirements drive every other decision in the program.

2. Match intelligence types to your team’s capabilities

A small security team with limited analyst resources probably can’t produce all four types internally. Start with what you can operationalize. For most organizations, that means prioritizing technical intelligence (what you can automate and feed directly into tools) and operational intelligence (campaign awareness for your industry).

Strategic intelligence is often sourced from external reports and vendor briefings rather than being produced internally. Tactical intelligence is often derived from vendor and community sources and translated into local detection rules.

3. Build your collection sources

Map your intelligence requirements to the sources that serve them. Dark web monitoring for credential exposure and threat actor activity. Technical feeds for IOCs. Industry ISAC membership for sector-specific operational intelligence. Vendor threat reports for strategic context.

4. Automate what should be automated

Technical intelligence should flow automatically from feeds into security tools. TIPs handle aggregation, deduplication, and distribution. Human analysts focus on what requires judgment: analysis, context, and decision support.

5. Close the feedback loop

Ask the people receiving intelligence whether it was useful and accurate. Track which indicators produced true detections versus false positives. Use that data to improve your collection sources and analysis process.

6. Connect intelligence to action

Intelligence that doesn’t change what someone does isn’t intelligence. It’s a report. Every type of intelligence should have a defined action path: a strategic briefing changes a budget decision, an operational report changes a hunting priority, a tactical TTP changes a detection rule, and a technical IOC gets blocked automatically.

The full picture of how to build an effective program from scratch is covered in our threat intelligence program guide.

Conclusion

The four types of threat intelligence work because they address fundamentally different needs within the same organization.

Executives need to understand the threat landscape well enough to make investment decisions. Security managers need to understand which adversaries are actively targeting their industry. Analysts need to understand how those adversaries behave. Tools need specific artifacts to detect and block active threats.

One type of intelligence can’t serve all four needs.

The organizations that build effective threat intelligence programs are the ones that understand this, collect the right intelligence for each level, ensure it reaches the right audience in the right format, and close the feedback loop so the program improves over time.

Dark web intelligence is one of the most valuable sources feeding all four types, providing strategic trend data, operational campaign intelligence, tactical behavioral patterns, and real-time technical indicators in a single continuous stream.

Frequently Asked Questions

What are the four types of threat intelligence?
The four types are strategic, operational, tactical, and technical. Strategic intelligence covers long-term risk trends for executive decision-making. Operational intelligence covers specific adversary campaigns for security managers and responders. Tactical intelligence covers attacker behaviors and TTPs for detection engineers and threat hunters. Technical intelligence covers specific IOCs for automated security tools.
What is the difference between strategic and tactical threat intelligence?
What is an IOC in threat intelligence?
What is the threat intelligence lifecycle?
What is a threat intelligence platform (TIP)?