The Cyber Threat Intelligence Cycle

Photo by Robby McCullough on Unsplash

Planning & Direction

Define the intelligence requirements (IRs); the main goals of the CTI efforts. Define the questions that the intel should answer, so you know the purpose of the intel. Set the timeline and priorities. Define the audience(s) that will receive the intel. Define key performance indicators (KPIs). Define the methods you’ll use.


Gather raw data from a variety of internal and external sources to meet the goals defined in the previous step.


Organize the collected data so it’s ready to be analyzed to support the requirements previously defined. Filter out redundant info, false positives, and false negatives. Make data usable using normalization, indexing, translation, enrichment, filtering, prioritization, visualization, deduplication, decryption, etc. Apply metadata tags to aid analysis.

Analysis & Production

Analyze the processed data using structured analytical techniques. Assess the meaning of the data to answer the questions from the Direction step. Add context.

Dissemination (or Distribution)

Share the intel with the relevant audience(s), in the appropriate format(s).


Gather feedback from the audience(s), to ensure the intel adequately answered their questions. If it hasn’t, start the cycle over, focusing on the unanswered questions.

Applying the CTI Cycle

In the video below, Katie Nickels walks through the CTI cycle, showing how it’s used by CTI analysts. She covers many other CTI concepts, including intelligence requirements, cyber kill chain, ATT&CK, Diamond Model, TIPs, bias, and structured analytic techniques.

Additional Resources



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store