Threat Intelligence: Collection, Analysis, and Operationalization
Part of the Cybersecurity Skills Guide — This article is one deep-dive in our complete guide series.
By HADESS Team | February 28, 2026 | Updated: February 28, 2026 | 5 min read
Threat intelligence is information about adversaries that helps you make better security decisions. A feed of IP addresses is not intelligence — it is data. Intelligence is knowing which threat actor is targeting your industry, what TTPs they use, and what defensive gaps those TTPs exploit in your specific environment.
Collection
Threat intelligence comes from multiple source types:
Open Source (OSINT): public reports from security vendors, CERT advisories, malware analysis blogs, paste sites, and social media. Free, broad, but requires significant curation to extract signal from noise.
Commercial feeds: paid services like Recorded Future, Mandiant Advantage, or CrowdStrike Intelligence provide curated, analyzed intelligence with context. These reduce the analysis burden but come with significant cost.
Internal telemetry: your own SIEM alerts, EDR detections, firewall logs, and incident data. This is your most relevant intelligence source because it reflects actual attacks against your organization. Most teams underuse this data.
Information sharing communities: ISACs (Information Sharing and Analysis Centers) provide industry-specific intelligence sharing. Financial services, healthcare, energy, and other sectors have established ISACs. MISP (Malware Information Sharing Platform) enables structured sharing between trusted organizations.
Dark web monitoring: monitoring criminal forums and marketplaces for mentions of your organization, leaked credentials, or discussions about targeting your industry. This requires careful OPSEC and often specialized vendors.
Build a collection plan that defines what intelligence you need based on your threat model, not what is available. Collecting everything leads to data overload. Collecting based on defined intelligence requirements produces actionable output.
Analysis
Raw data becomes intelligence through analysis. The structured analysis process:
1. Normalize and deduplicate incoming data. The same IOC will arrive from multiple sources. Consolidate and track provenance.
2. Enrich with context. An IP address alone is minimally useful. An IP address associated with APT29, used as C2 for their latest campaign against government targets, with first-seen and last-seen dates — that is useful.
3. Assess confidence levels. Not all intelligence is equally reliable. A hash from your own sandbox analysis has higher confidence than a hash from an anonymous paste. Use a structured confidence scale (e.g., Admiralty Code).
4. Relate to your environment. Does this threat actor target your industry? Do their TTPs work against your technology stack? If an adversary uses Linux exploits and you are a Windows shop, that intelligence is informational but not immediately actionable.
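Steps 1 through 3 above as an added Python example (not code from the HADESS article): it normalizes feed records so the same IOC from different sources lands on one key, deduplicates while keeping provenance, merges enrichment context, tracks first-seen and last-seen dates, and keeps the best Admiralty Code rating per indicator. The feed records, source names and the APT29 context are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional
import ipaddress
# Admiralty Code: reliability A-F (A best) + credibility 1-6 (1 best); higher score = more trust.
RELIABILITY = {"A": 5, "B": 4, "C": 3, "D": 2, "E": 1, "F": 0}
CREDIBILITY = {"1": 5, "2": 4, "3": 3, "4": 2, "5": 1, "6": 0}

@dataclass
class Indicator:
    ioc_type: str
    value: str
    sources: set = field(default_factory=set)    # provenance: every feed that reported it
    first_seen: Optional[date] = None
    last_seen: Optional[date] = None
    best_rating: str = "F6"                      # best Admiralty rating seen so far
    context: dict = field(default_factory=dict)  # enrichment: actor, role, campaign

def normalize(ioc_type, raw):
    """Canonicalize so the same IOC from different feeds lands on one key."""
    v = raw.strip()
    if ioc_type == "ipv4":
        return str(ipaddress.ip_address(v))       # also rejects malformed addresses
    if ioc_type == "domain":
        return v.lower().replace("[.]", ".").rstrip(".")  # undo defanging
    raise ValueError(f"unsupported IOC type: {ioc_type}")

def admiralty_score(rating):
    return RELIABILITY[rating[0]] + CREDIBILITY[rating[1]]

def consolidate(records):
    """Steps 1-3: normalize, deduplicate with provenance, enrich, keep the best rating."""
    store = {}
    for rec in records:
        key = (rec["type"], normalize(rec["type"], rec["value"]))
        ind = store.setdefault(key, Indicator(*key))
        ind.sources.add(rec["source"])
        seen = date.fromisoformat(rec["seen"])
        ind.first_seen = min(ind.first_seen or seen, seen)
        ind.last_seen = max(ind.last_seen or seen, seen)
        if admiralty_score(rec["rating"]) > admiralty_score(ind.best_rating):
            ind.best_rating = rec["rating"]
        ind.context.update(rec.get("context", {}))
    return store

# Constructed feed records (192.0.2.0/24 and example.com are reserved for documentation).
FEED = [
    {"type": "ipv4", "value": "192.0.2.10", "source": "vendor_report", "seen": "2026-02-01",
     "rating": "B2", "context": {"actor": "APT29", "role": "c2"}},
    {"type": "ipv4", "value": " 192.0.2.10 ", "source": "paste_site", "seen": "2026-02-10", "rating": "F6"},
    {"type": "domain", "value": "Evil[.]Example[.]com.", "source": "internal_sandbox", "seen": "2026-02-12",
     "rating": "A1", "context": {"role": "payload_host"}},
]
```

Running `consolidate(FEED)` collapses the two IP records into one indicator with both sources, the vendor's B2 rating, and the first/last seen span across both sightings.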
TTP Mapping with MITRE ATT&CK
Map adversary behavior to the MITRE ATT&CK framework. This transforms a narrative threat report into structured, actionable data.
When a report describes an actor using spearphishing with a macro-enabled document that drops a PowerShell loader, map it: Initial Access via T1566.001 (Spearphishing Attachment), Execution via T1059.001 (PowerShell), and so on through the kill chain.
This mapping lets you compare adversary TTPs against your detection coverage. If your detection matrix has gaps where the actor operates, those become priority detection engineering projects.
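An added example (not the article's code) of the coverage comparison described above: given each actor's ATT&CK technique list and a snapshot of your detection matrix, it ranks the gaps and weights techniques that several actors share, which is where detection engineering effort pays off most. The actor names, coverage scale and coverage snapshot are constructed; T1566.001 and T1059.001 are the IDs from the text, the other IDs are real ATT&CK techniques chosen to make the ranking non-trivial.

```python
from collections import Counter

# Constructed coverage scale for our detection matrix:
# 0 = no telemetry, 1 = telemetry collected but no analytic, 2 = tested detection rule.
NONE, TELEMETRY, DETECTION = 0, 1, 2

def coverage_gaps(actor_ttps, coverage):
    """Rank techniques that fall short of DETECTION; shared techniques rank higher."""
    usage = Counter(t for ttps in actor_ttps.values() for t in ttps)
    gaps = []
    for tech, n_actors in usage.items():
        level = coverage.get(tech, NONE)        # technique missing from the matrix = no coverage
        if level < DETECTION:
            gaps.append({
                "technique": tech,
                "actors": sorted(a for a, ts in actor_ttps.items() if tech in ts),
                "coverage": level,
                "priority": n_actors * (DETECTION - level),
            })
    return sorted(gaps, key=lambda g: (-g["priority"], g["technique"]))

def actor_coverage_ratio(ttps, coverage):
    """Share of one actor's techniques that we can detect today."""
    return sum(coverage.get(t, NONE) == DETECTION for t in ttps) / len(ttps)

# Constructed actor profiles. T1204.002 = User Execution: Malicious File,
# T1071.001 = Application Layer Protocol: Web Protocols, T1547.001 = Registry Run Keys / Startup Folder.
ACTORS = {
    "actor_a": ["T1566.001", "T1059.001", "T1071.001"],
    "actor_b": ["T1566.001", "T1204.002", "T1059.001", "T1547.001"],
}
# Constructed snapshot of our own detection matrix.
COVERAGE = {"T1566.001": DETECTION, "T1059.001": NONE, "T1071.001": NONE, "T1547.001": NONE}

if __name__ == "__main__":
    for gap in coverage_gaps(ACTORS, COVERAGE):
        print(gap["technique"], "used by", gap["actors"], "priority", gap["priority"])
```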
IOC Management
Indicators of Compromise (IOCs) have a shelf life. IP addresses rotate, domains get burned, and file hashes change with every recompile. Manage IOCs with expiration dates and confidence scores.
Automate IOC ingestion from trusted feeds into your detection infrastructure (SIEM, EDR, firewall blocklists). But do not blindly block everything — false positives from shared hosting IPs or CDN ranges can take down legitimate services. Validate IOCs against your environment before enforcing blocks.
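An added example (not the article's code) of the IOC lifecycle policy described above: each indicator is retired once its last sighting is older than its type's shelf life, withheld from blocking when it sits in a shared hosting or CDN range or below a confidence threshold, and otherwise queued for enforcement. The TTL values, threshold, allowlist ranges and the IOC batch are constructed, and the hash value is a placeholder.

```python
import ipaddress
from datetime import date, timedelta

# Constructed policy: shelf life per IOC type and the confidence (0-100) needed to auto-block.
TTL_DAYS = {"ipv4": 30, "domain": 90, "sha256": 365}
BLOCK_THRESHOLD = 70
TODAY = date(2026, 2, 28)

# Constructed allowlist standing in for CDN / shared-hosting ranges you must not block
# wholesale (198.51.100.0/24 and 203.0.113.0/24 are reserved documentation ranges).
SHARED_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/25")]

def is_expired(ioc, today):
    """An IOC is retired once its last sighting is older than the type's shelf life."""
    return today > ioc["last_seen"] + timedelta(days=TTL_DAYS[ioc["type"]])

def in_shared_range(ioc):
    if ioc["type"] != "ipv4":
        return False
    addr = ipaddress.ip_address(ioc["value"])
    return any(addr in net for net in SHARED_RANGES)

def enforcement_action(ioc, today):
    """Decide block / alert_only / retire before an IOC reaches firewall or EDR blocklists."""
    if is_expired(ioc, today):
        return "retire"
    if in_shared_range(ioc):
        return "alert_only"            # blocking would also cut off legitimate tenants
    if ioc["confidence"] < BLOCK_THRESHOLD:
        return "alert_only"            # low confidence: detect and review, do not enforce
    return "block"

def triage(iocs, today):
    """Group a batch of IOCs by the action they should get."""
    actions = {"block": [], "alert_only": [], "retire": []}
    for ioc in iocs:
        actions[enforcement_action(ioc, today)].append(ioc["value"])
    return actions

# Constructed IOC batch; the sha256 value is a placeholder, not a real sample.
IOCS = [
    {"type": "ipv4", "value": "192.0.2.44", "confidence": 90, "last_seen": date(2026, 2, 20)},
    {"type": "ipv4", "value": "198.51.100.7", "confidence": 95, "last_seen": date(2026, 2, 25)},
    {"type": "domain", "value": "bad.example.net", "confidence": 40, "last_seen": date(2026, 2, 1)},
    {"type": "ipv4", "value": "192.0.2.99", "confidence": 80, "last_seen": date(2026, 1, 1)},
    {"type": "sha256", "value": "0" * 64, "confidence": 85, "last_seen": date(2024, 12, 1)},
]

if __name__ == "__main__":
    print(triage(IOCS, TODAY))
```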
Next Steps
- Assess your threat intelligence capabilities with the skills assessment
- Explore detection and analysis topics in the skills library
- Check the salary calculator to understand compensation for threat intelligence roles
Related Guides in This Series
- EDR: Endpoint Detection, Response, and Threat Hunting — HADESS | 2026
- Firewall Management: Rules, Zones, and Change Control — HADESS | 2026
- Hardware Security Modules: Key Management and Compliance — HADESS | 2026
Frequently Asked Questions
How long does it take to learn this skill?
Most practitioners build working proficiency in 4-8 weeks of dedicated study with hands-on practice. Mastery takes longer and comes primarily through on-the-job experience.
Do I need certifications for this skill?
Certifications validate your knowledge to employers but are not strictly required. Hands-on experience and portfolio projects often carry more weight in technical interviews. Check the certification roadmap for relevant options.
What career paths use this skill?
Explore the career path explorer to see which roles require this skill and how it fits into different cybersecurity specializations.
—
HADESS Team consists of cybersecurity practitioners, hiring managers, and career strategists who have collectively spent 50+ years in the field.
