Ask the security director of a mid-size enterprise whether they have a threat intelligence capability and the answer is almost certainly yes. They subscribe to one or more commercial threat intelligence feeds. Those feeds deliver indicators of compromise — IP addresses, domain names, file hashes, URLs — that are ingested by the SIEM and matched against network logs. When a match fires, an alert is generated.
Ask them what threat actors are actively targeting their industry, how those actors gain initial access, and what their tactics look like after the initial foothold, and the answer becomes significantly less confident. The organisation has threat data. It does not have threat intelligence.
What Intelligence Actually Is
The distinction matters. Raw threat data — IOCs, malware samples, vulnerability disclosures — is the input to an intelligence process. Intelligence is the output: assessed, contextualised information that drives decisions. The same data leads to different decisions when it is processed by analysts who understand the organisation’s specific threat profile than when it is matched automatically against logs and surfaced as alerts.
The intelligence community developed a framework for this — the intelligence cycle: direction, collection, processing, analysis, dissemination, feedback. The commercial threat intelligence industry sells a product that covers collection and processing. Analysis, dissemination, and feedback — the parts that require human judgement and organisational context — are largely absent from the standard product offering. Organisations mistake the collection capability for the full cycle.
The IOC Problem
IOCs are a useful tactical tool with well-understood limitations that are frequently ignored in how organisations describe their threat intelligence capability.
Most commercial IOC feeds contain millions of indicators. The average analyst reviewing a SIEM dashboard cannot meaningfully triage that volume. SOC teams respond by implementing aggressive threshold scoring — only alerting on IOCs that appear in multiple high-confidence feeds, or that match specific threat actor attribution. This is reasonable practice. It also means a large proportion of the indicator data the organisation is paying for is never actioned.
More fundamentally, IOCs are retrospective. By the time a domain or IP address appears in a commercial feed, the threat actor has typically already moved on. Hashes, IP addresses and domains sit at the bottom of the pyramid of pain: they are the cheapest things for an adversary to change, and nation-state groups and capable ransomware operators rotate infrastructure faster than feed publication cycles. The IOCs being matched against your logs today describe yesterday’s attack infrastructure. That still makes them worth running against historical logs to find an intrusion that was missed at the time, but for real-time detection of the actors you most need to catch, you are reliably behind.
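The threshold scoring and decay described above, as an added example that is not code from the article or from any feed vendor: indicators from several feeds are normalised so the same value collides, each feed's contribution is weighted by an assumed confidence and decayed by an assumed per-type half-life, feeds are combined as a noisy-OR so corroboration raises the score while a lone low-confidence feed stays low, and the result is run over constructed log lines. Everything below the imports is an assumption: the feed names and weights, the half-lives, the 0.6 threshold, the feed records (documentation IP ranges and `.example` names) and the log lines.

```python
"""Multi-feed IOC corroboration scoring with age decay, run over sample log lines.
Added example; feed names, weights, half-lives, threshold, records and log
lines are all constructed assumptions, not data from any real feed or SIEM."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress
import re

NOW = datetime(2024, 6, 1, 10, 0, tzinfo=timezone.utc)  # fixed "now" (assumption)

# Assumed feed confidence weights in 0..1; real feeds publish their own scoring.
FEED_WEIGHT = {"vendor_a": 0.9, "vendor_b": 0.7, "osint_list": 0.3}
# Assumed half-lives: infrastructure indicators decay fastest, file hashes slowest.
HALF_LIFE = {"ip": timedelta(days=7), "domain": timedelta(days=14), "sha256": timedelta(days=90)}
ALERT_THRESHOLD = 0.6  # assumption; tune against your own false-positive rate


@dataclass(frozen=True)
class FeedRecord:
    feed: str
    ioc_type: str   # "ip", "domain" or "sha256"
    value: str
    seen: datetime  # when the feed last reported the indicator


def normalise(ioc_type: str, value: str) -> str:
    """Canonical form so the same indicator from different feeds collides."""
    v = value.strip().lower()
    if ioc_type == "ip":
        return str(ipaddress.ip_address(v))  # raises ValueError on junk
    if ioc_type == "domain":
        return v.rstrip(".")                 # drop trailing FQDN dot
    if ioc_type == "sha256":
        if not re.fullmatch(r"[0-9a-f]{64}", v):
            raise ValueError(f"not a sha256: {value!r}")
        return v
    raise ValueError(f"unsupported IOC type: {ioc_type}")


def age_factor(ioc_type: str, seen: datetime, now: datetime = NOW) -> float:
    """Exponential decay: 1.0 when just reported, 0.5 after one half-life."""
    age = max(now - seen, timedelta(0))  # a future timestamp counts as fresh
    return 0.5 ** (age / HALF_LIFE[ioc_type])


def score_indicators(records, now: datetime = NOW) -> dict:
    """Map (type, value) -> score in 0..1. Each feed contributes p = weight * age;
    feeds combine as noisy-OR, 1 - prod(1 - p). A feed re-reporting the same
    indicator counts once (most recent sighting wins)."""
    latest = {}
    for r in records:
        key = (r.ioc_type, normalise(r.ioc_type, r.value))
        prev = latest.get((r.feed, key))
        if prev is None or r.seen > prev.seen:
            latest[(r.feed, key)] = r
    miss = {}
    for (feed, key), r in latest.items():
        p = FEED_WEIGHT[feed] * age_factor(r.ioc_type, r.seen, now)
        miss[key] = miss.get(key, 1.0) * (1.0 - p)
    return {key: 1.0 - m for key, m in miss.items()}


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
HOST_RE = re.compile(r"\b(?:host|query)=([A-Za-z0-9.-]+)")  # assumed log key names


def candidates(line: str) -> set:
    """Pull (type, value) pairs out of one log line; malformed IPs are skipped."""
    found = set()
    for ip in IPV4_RE.findall(line):
        try:
            found.add(("ip", normalise("ip", ip)))
        except ValueError:
            pass
    for h in SHA256_RE.findall(line):
        found.add(("sha256", h.lower()))
    for host in HOST_RE.findall(line):
        found.add(("domain", normalise("domain", host)))
    return found


def triage(lines, scores: dict, threshold: float = ALERT_THRESHOLD):
    """Split hits into alerts (score >= threshold) and low-score hits kept for retro-hunting."""
    alerts, low = [], []
    for line in lines:
        for key in candidates(line):
            if key in scores:
                s = round(scores[key], 3)
                (alerts if s >= threshold else low).append((line, key[0], key[1], s))
    return alerts, low


# Constructed sample feed data: documentation IP ranges and .example names.
SAMPLE_HASH = "a3f2b9c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2"
FEED_RECORDS = [
    FeedRecord("vendor_a", "ip", "203.0.113.7", NOW - timedelta(days=2)),
    FeedRecord("vendor_b", "ip", "203.0.113.7", NOW - timedelta(days=3)),        # corroborated
    FeedRecord("osint_list", "ip", "198.51.100.20", NOW - timedelta(days=1)),    # lone low-confidence feed
    FeedRecord("vendor_a", "domain", "Evil.Example.", NOW - timedelta(days=60)),  # stale
    FeedRecord("vendor_a", "sha256", SAMPLE_HASH.upper(), NOW - timedelta(days=30)),
]

# Constructed sample log lines.
LOG_LINES = [
    "2024-06-01T09:58:12Z proxy src=10.0.0.5 dst=203.0.113.7 host=cdn-update.example",
    "2024-06-01T09:59:01Z proxy src=10.0.0.9 dst=198.51.100.20 host=news.example",
    "2024-06-01T10:01:44Z dns src=10.0.0.5 query=evil.example",
    f"2024-06-01T10:02:03Z edr host=ws-17 sha256={SAMPLE_HASH.upper()}",
]

if __name__ == "__main__":
    scores = score_indicators(FEED_RECORDS)
    alerts, low = triage(LOG_LINES, scores)
    for line, t, v, s in alerts:
        print(f"ALERT {s:.3f} {t}={v}  <- {line}")
    for line, t, v, s in low:
        print(f"low   {s:.3f} {t}={v}  <- {line}")
```

With these assumed weights the corroborated IP scores about 0.87 and the month-old hash about 0.71, so both alert; the lone OSINT hit (about 0.27) and the sixty-day-old domain (under 0.05) do not, but they are returned separately rather than discarded, which is the retro-hunting use that stale indicators still have. The noisy-OR and the half-lives are the two knobs that encode the article's point: raise the threshold or shorten the half-lives and more of the paid-for feed volume is never actioned, which is the honest trade-off rather than a defect.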
The Report Nobody Opens
Many threat intelligence subscriptions include monthly or weekly threat landscape reports. These describe major threat actor groups, notable campaigns, sector targeting trends, and emerging techniques. They are genuinely well-researched documents produced by experienced analysts.
They are also, in most organisations, forwarded to the security team unread. The CISO sends the summary to the board as evidence of the threat intelligence programme. The SOC manager skims it. Nobody draws an explicit connection between the report’s content and a specific operational change.
This is not a laziness problem. It is a process problem. For a threat report to change operational behaviour, there must be a defined pathway from report to decision: who reads it, what questions they apply to it, which findings get escalated to what decision-makers, and what changes to controls, monitoring, or response playbooks result. In most organisations, that pathway does not exist. The report is a product with no defined consumer and no mechanism for producing change.
Three Tiers, One Budget
The intelligence discipline distinguishes three levels of threat intelligence, each serving different consumers and decision horizons.
Strategic intelligence describes adversary motivations, geopolitical context, and long-term capability development. Its consumers are executive and board level. It informs multi-year security investment decisions and sector-level risk assessments.
Operational intelligence describes specific campaigns, actor TTPs (tactics, techniques, and procedures), and emerging attack methodologies. Its consumers are security architects and SOC leadership. It informs control design, playbook development, and detection engineering.
Tactical intelligence is IOCs and malware signatures. Its consumers are SOC analysts and automated detection tools. It informs real-time alerting and incident triage.
Most commercial threat intelligence products are primarily tactical, with some operational coverage. Most organisations spend their threat intelligence budget on a single product that delivers predominantly tactical data, then present it to the board as a full intelligence capability. This is a misrepresentation with real security consequences.
What a Real Programme Looks Like
Building a genuine threat intelligence capability does not require doubling the threat intelligence budget. It requires redirecting effort from data acquisition to analysis.
Start with requirements. The most important question in intelligence is: what decisions does this information need to inform? Identify the two or three questions that, if answered, would change how your security team operates — the sectors being targeted, the initial access techniques being used against similar organisations, the post-compromise TTPs of the ransomware groups most likely to target your industry. Build collection tasks around those questions rather than ingesting everything available.
Assign analysis ownership. Someone — a person, not a process — must be responsible for reading threat reports, applying them to the organisation’s specific context, and producing a finding that either changes something or explicitly documents why it should not. This does not require a dedicated threat intelligence analyst team in every organisation. It requires that the function is named, staffed at some level, and connected to decision-making.
Review the IOC posture honestly. If the current SIEM integration is generating more noise than signal, reducing the indicator set to a smaller, higher-confidence collection is a better outcome than maintaining the subscription volume for its own sake. Intelligence is about quality of decision support, not quantity of data.
The organisations that do this well are not the ones with the largest threat intelligence budget. They are the ones that have been honest about the gap between buying data and running a programme — and have closed it with process rather than spend.