When to Use

• Interview SOC leads, IR team, CISO, risk management, and product security
• Document PIRs in structured format: "What is the current capability and intent of [threat actor] to attack [critical asset] using [technique]?"
• Prioritize 5–10 PIRs for the quarter, reviewed monthly

Example PIR: "Is ransomware group Cl0p currently targeting organizations in our sector using MoveIT or GoAnywhere vulnerabilities?"

Step 2: Collection Planning

Map PIRs to required collection sources:

• Technical sources: commercial feeds, TAXII, ISAC data, honeypot telemetry, darkweb monitoring
• Human sources: vendor threat briefings, industry working groups, law enforcement partnerships
• Internal sources: SIEM logs, EDR telemetry, phishing submission mailbox

Document collection gaps and associated costs to fill them.

Step 3: Processing and Normalization

Implement automated processing pipeline:

• Ingest → normalize to STIX 2.1 → deduplicate → enrich → score confidence
• Reject unverifiable or duplicate indicators before analysis
• Tag all processed data with source, collection date, and expiration

Step 4: Analysis and Production

Produce intelligence at three levels:

• Strategic: Quarterly threat landscape report for executives; sector trends, geopolitical context
• Operational: Weekly campaign reports for security leadership; active campaigns, adversary activity
• Tactical: Daily IOC bulletins for SOC; actionable indicators with block/monitor recommendations

Apply structured analytic techniques: Analysis of Competing Hypotheses (ACH), Key Assumptions Check, Devil's Advocacy.

Step 5: Dissemination

Match product format to audience:

• Executives: 1-page PDF with risk ratings, business impact, recommended decisions
• SOC analysts: SIEM-ready IOC list, Sigma rules, MISP events
• Vulnerability management: CVE lists with EPSS scores and exploitation likelihood
• IT/Security leadership: Full intelligence report with technical appendix

Apply TLP classifications and distribution lists per product type.

Step 6: Feedback and Evaluation

Collect feedback within 5 business days of dissemination:

• Did the product address the PIR?
• Was actionability sufficient?
• What data was missing?

Track metrics quarterly: PIR coverage rate, IOC true positive rate, time-to-disseminate, stakeholder satisfaction score (NPS or structured survey).

Key Concepts

Tools & Systems

• ThreatConnect: TIP with built-in intelligence lifecycle workflows, PIR tracking, and stakeholder reporting dashboards
• MISP: Open-source TIP supporting intelligence lifecycle from collection through sharing
• OpenCTI: Graph-based CTI platform with workflow management for intelligence products
• Recorded Future: Commercial platform with structured intelligence reports aligned to the intelligence lifecycle

Common Pitfalls

• Collection without direction: Ingesting every available feed without PIRs produces data overload and no actionable intelligence.
• Missing feedback loops: Without structured feedback, CTI teams produce reports that don't meet stakeholder needs and lose organizational relevance.
• Tactical-only focus: Overemphasis on IOC sharing neglects strategic intelligence that informs security investment and risk decisions.
• No metrics program: Cannot demonstrate CTI program value without tracking detection contributions, true positive rates, and stakeholder satisfaction.
• Underfunded collection: PIRs cannot be answered without appropriate collection sources; document and escalate gaps rather than producing low-confidence estimates.