The Cyber Threat Intelligence Cycle

The cyber threat intelligence cycle (sometimes called lifecycle) is a cycle of steps CTI analysts use to generate, share, and improve threat intel. It’s based on the intelligence cycle used by the intelligence community for traditional (non-cyber) intelligence.

Photo by Robby McCullough on Unsplash

Planning & Direction

Define the intelligence requirements (IRs); the main goals of the CTI efforts. Define the questions that the intel should answer, so you know the purpose of the intel. Set the timeline and priorities. Define the audience(s) that will receive the intel. Define key performance indicators (KPIs). Define the methods you’ll use.

These tasks will help you know what data to collect.


Gather raw data from a variety of internal and external sources to meet the goals defined in the previous step.

Data sources can include internal logs, IoCs, the surface web, the deep web, the dark web, threat feeds, etc.


Organize the collected data so it’s ready to be analyzed to support the requirements previously defined. Filter out redundant info, false positives, and false negatives. Make data usable using normalization, indexing, translation, enrichment, filtering, prioritization, visualization, deduplication, decryption, etc. Apply metadata tags to aid analysis.

Analysis & Production

Analyze the processed data using structured analytical techniques. Assess the meaning of the data to answer the questions from the Direction step. Add context.

Transform the data to information, then into intelligence that can be used to inform decisions. Make recommendations as warranted. Make the intel ready to share. Based on the intended audience, choose the appropriate format(s) for the intel (feeds, reports, charts, graphs, presentations, dashboards, etc.).

Sometimes you’ll see Analysis and Production shown as a single step, and sometimes you’ll see them shown as separate steps.

Dissemination (or Distribution)

Share the intel with the relevant audience(s), in the appropriate format(s).


Gather feedback from the audience(s), to ensure the intel adequately answered their questions. If it hasn’t, start the cycle over, focusing on the unanswered questions.

Use the feedback to see how you can improve your CTI accuracy, relevance, efficiency, and timeliness for future operations.

Based on the feedback, decide if you should plan future CTI operations around the original intelligence requirements.

Sometimes you’ll see Dissemination and Feedback shown as a single step, and sometimes you’ll see them shown as separate steps.

Applying the CTI Cycle

In the video below, Katie Nickels walks through the CTI cycle, showing how it’s used by CTI analysts. She covers many other CTI concepts, including intelligence requirements, cyber kill chain, ATT&CK, Diamond Model, TIPs, bias, and structured analytic techniques.

Additional Resources



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Chad Warner

Seeking a cyber threat intelligence (CTI) or OSINT job. I'm a CTI, OSINT, & cybersecurity enthusiast; bookworm; and fan of Tolkien & LEGO.