Threat Intelligence

What is Threat Intelligence?

Threat intelligence (TI) is the product of collecting, processing, analyzing, and disseminating information about cyber threats — including threat actors, their motivations, capabilities, tactics, techniques, and procedures (TTPs), and the indicators of compromise (IOCs) they generate. The goal of threat intelligence is to enable security teams to make faster, more informed decisions — anticipating attacks before they occur, detecting them more quickly when they do, and responding more effectively by understanding what the attacker is trying to accomplish. Threat intelligence is classified by type: strategic intelligence for executive decision-making, operational intelligence for security operations, and tactical intelligence (IOCs) for direct detection tool consumption.

Description

Effective threat intelligence programs distinguish between three levels of output. Tactical intelligence — IP addresses, domains, file hashes, YARA signatures — feeds directly into SIEM platforms, endpoint protection, and firewalls as detection signals. This level ages quickly: a malicious IP address may be rotated within hours. Operational intelligence provides context about active campaigns: which threat groups are targeting your industry, what initial access techniques they prefer, and what their attack chain looks like. This intelligence informs threat hunting hypotheses and purple team exercises. Strategic intelligence synthesizes threat trends for CISO and board-level audiences: which adversary groups pose the highest risk to the organization's specific sector and geography, what regulatory changes are coming, and how the threat landscape is shifting. MITRE ATT&CK serves as the universal framework for documenting and sharing threat actor TTPs — enabling organizations to map their detections against known adversary behaviors and identify coverage gaps. Threat intelligence is increasingly powered by AI: automated correlation of massive IOC volumes, natural language processing of threat reports, and predictive models that score vulnerability prioritization signals using current threat actor targeting data. The Evolve Security video on threat intelligence provides a foundational walkthrough of the intelligence lifecycle.

Usage and Examples

A financial services firm subscribes to a commercial threat intelligence platform that provides sector-specific intelligence. The platform alerts that a threat group known to target financial services is conducting a spear-phishing campaign using AiTM phishing infrastructure and targeting Microsoft 365 tenants. The intelligence includes: specific phishing kit indicators, lookalike domains in use, and TTPs mapped to MITRE ATT&CK. The security team uses this intelligence to: add the identified domains to DNS blocking; tune SIEM detection rules for the specific phishing kit's HTML artifacts; brief employees on the active campaign; and initiate a threat hunting exercise to check whether early-stage activity has already occurred undetected. This proactive response, triggered by intelligence before a successful attack, demonstrates the concrete value of operationalized threat intelligence.
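The DNS-blocking and threat-hunting steps above, as an added Python example that is not from the original page or from Evolve Security: a small tactical feed of lookalike domains is matched against DNS query logs, honoring each indicator's validity window so that aged-out IOCs (the "rotated within hours" problem) stop generating alerts. The feed entries, log format, and ATT&CK mappings are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class DomainIOC:
    domain: str          # lookalike domain from the campaign report
    technique: str       # ATT&CK technique the indicator is mapped to (assumed mapping)
    first_seen: datetime
    valid_for: timedelta # tactical indicators expire; re-validate after this window

# Constructed feed: one current indicator and one that has already aged out.
FEED = [
    DomainIOC("login.m1crosoft-account.example", "T1566.002",
              datetime(2024, 5, 1, tzinfo=timezone.utc), timedelta(days=7)),
    DomainIOC("sso-m365-verify.example", "T1557",
              datetime(2024, 4, 1, tzinfo=timezone.utc), timedelta(days=7)),
]

def active_iocs(feed, at):
    """Indicators whose validity window covers the event time `at`; expired ones are dropped."""
    return [i for i in feed if i.first_seen <= at < i.first_seen + i.valid_for]

def parse_dns_line(line):
    """Parse a constructed 'ts client=IP query=NAME' DNS log line."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "client": fields["client"],
            "query": fields["query"].rstrip(".").lower()}  # normalize trailing dot and case

def matches(query, ioc_domain):
    """Exact match or any subdomain of the indicator (e.g. cdn.<ioc_domain>)."""
    return query == ioc_domain or query.endswith("." + ioc_domain)

def scan_dns_log(lines, feed):
    """Return one hit per (log line, matching active IOC), tagged with the ATT&CK technique."""
    hits = []
    for line in lines:
        rec = parse_dns_line(line)
        for ioc in active_iocs(feed, rec["ts"]):
            if matches(rec["query"], ioc.domain):
                hits.append({"client": rec["client"], "query": rec["query"],
                             "ioc": ioc.domain, "technique": ioc.technique})
    return hits

SAMPLE_LOG = [  # constructed DNS resolver log lines
    "2024-05-02T09:15:00Z client=10.0.0.5 query=login.m1crosoft-account.example.",
    "2024-05-02T09:16:30Z client=10.0.0.7 query=cdn.login.m1crosoft-account.example",
    "2024-05-02T09:17:00Z client=10.0.0.9 query=sso-m365-verify.example",  # IOC expired: no hit
    "2024-05-02T09:18:00Z client=10.0.0.5 query=login.microsoftonline.com",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG, FEED):
        print(hit)
```

Running it over the sample log yields two hits, both for the current indicator; the stale indicator produces none even though its domain appears in the log.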

How Does This Relate to Penetration Testing?

Threat intelligence directly informs penetration testing and red team exercises. Intelligence about which threat groups target an organization's sector, what initial access methods they prefer, and what their post-exploitation behavior looks like allows Evolve Security to scope red team engagements as realistic threat simulations rather than generic capability tests. DORA's TLPT (Threat-Led Penetration Testing) mandate explicitly requires that red team scenarios be intelligence-driven, using current threat actor TTPs. Post-engagement, the MITRE ATT&CK techniques used by testers map directly to detection coverage: the client can see exactly which ATT&CK techniques their monitoring detected and which they missed, driving targeted investment in detection engineering. The ATT&CK maturity assessment video from Evolve Security provides a methodology for evaluating ATT&CK coverage. Evolve Security's Red Team engagements use current threat intelligence to simulate the specific adversary groups most likely to target your organization — providing threat-realistic security assurance.
