What is threat intelligence?

Threat intelligence is information about potential attacks. Threat intelligence helps organizations take action to defend themselves against these attacks.

Learning Objectives

After reading this article you will be able to:

  • Define 'threat intelligence'
  • List the main types of cyber threat intelligence
  • Learn about threat intelligence feeds

Related Content


Want to keep learning?

Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!

Refer to Cloudflare's Privacy Policy to learn how we collect and process your personal data.

Copy article link

What is threat intelligence in cyber security?

Threat intelligence is information about the potential attacks an organization may face and how to detect and stop those attacks. Law enforcement sometimes distributes "Wanted" posters with information about suspects; similarly, cyber threat intelligence contains information about what current threats look like and where they come from.

In digital security terms, a "threat" is an action with malicious intent that could result in data being stolen, lost, or altered without permission. The term refers to both potential and actual attacks. Threat intelligence enables organizations to take action against threats, rather than merely providing data. Each piece of threat intelligence helps make it possible to detect and prevent attacks.

Some types of threat intelligence can be fed into firewalls, web application firewalls (WAFs), security information and event management (SIEM) systems, and other security products, enabling them to more effectively identify and block threats. Other types of threat intelligence are more general and help organizations make larger strategic decisions.

What are the three main types of threat intelligence?

Most threat intelligence fits into one of these three categories:

  1. Strategic intelligence describes overall trends and long-term issues. It can also include the motivations, goals, and methods of known attackers.
  2. Operational intelligence describes the tactics, techniques, and procedures (TTP) used by attackers — for instance, which malware toolkits or exploit kits attackers use, where their attacks come from, or the steps they typically follow to carry out an attack.
  3. Tactical intelligence is specific on-the-ground details about threats; it enables organizations to identify threats on a case-by-case basis. Malware signatures and indicators of compromise (IoC) are examples of tactical intelligence. Both of these terms are explained further below.

What is a malware signature?

A signature is a unique pattern or sequence of bytes by which malware can be identified. In the same way that fingerprints are used to identify persons suspected of a crime, signatures help identify malicious software.

Signature detection is one of the most common forms of malware analysis. To be effective, signature detection needs to be constantly updated with the latest malware signatures identified in the wild.

What are indicators of compromise (IoC)?

An indicator of compromise (IoC) is a piece of data that helps identify whether or not an attack has taken place or is in progress. An IoC is like an item of physical evidence that a detective might collect to determine who was present at the scene of the crime. Similarly, certain digital evidence — unusual activity recorded in logs, network traffic to unauthorized servers, etc. — helps administrators determine when an attack has occurred (or is currently happening) and what kind of attack it was.

Without IoCs, it can sometimes be difficult to determine if an attack has taken place; it often benefits the attacker to remain undetected (for instance, if they want to use a compromised device in a botnet).

What is a threat intelligence feed?

A threat intelligence feed is an external stream of threat intelligence data. Like an RSS feed for blogs, organizations can subscribe to a threat intelligence feed to provide constant security updates to their systems.

Some threat intelligence feeds are free; others cost money and provide proprietary intelligence not available from open sources.

What is unique about the approach Cloudflare takes to collecting threat intelligence?

Cloudflare is uniquely positioned to collect information about threats on a huge scale. Millions of websites are protected by the Cloudflare network. By analyzing traffic to and from these websites, Cloudflare can identify malicious traffic patterns from bots, vulnerability exploits, and other attacks.

Cloudflare uses this information to better protect customers. For example, Cloudflare creates WAF rules and deploys them for all WAF customers whenever a new threat is detected. Cloudflare Bot Management uses threat intelligence from the billions of requests Cloudflare sees each day to learn to identify malicious bots.

To learn more about cyber threats, see What is web application security?