Clarifying Threat Intelligence Concepts: Intelligence Analysis
Threat intelligence is often reduced to collecting lists of domains, IPs, or hashes. These data points have value, but they only become intelligence when analyzed, contextualized, and linked to an adversary’s intent, capabilities, and behavior. Relying solely on raw indicators leaves organizations overwhelmed with data but lacking clear insight or actionable direction.
The strength of threat intelligence lies in analysis, structure, and transparency. This is where OpenCTI provides a distinct advantage. By maintaining a clear separation between information and intelligence, and by capturing the reasoning behind every conclusion, OpenCTI enables analysts to produce decision-ready intelligence across tactical, operational, and strategic levels.
TL;DR
- Threat intelligence is more than collecting domains, IPs, or hashes; it requires analysis, context, and reasoning to become actionable.
- OpenCTI enforces a structured framework that separates raw information from validated intelligence.
- Analysts connect observables, indicators, entities, and relationships to produce actionable insights.
- Confidence and source reliability add transparency and show the strength of an assessment.
- OpenCTI links tactical, operational, and strategic intelligence to help organizations understand adversary intent and behavior.
Defining the Terms: Information vs. Intelligence
What is Information?
Information is raw, unprocessed data. It is the what that has been observed, before any interpretation occurs. On its own, information has limited value: it lacks context, its reliability is unknown, and it is not yet linked to a broader analytical picture.
Examples include:
- A domain name recorded in a proxy log
- An IP address flagged by a firewall
- A file hash detected by an antivirus engine
- A timestamp for a login attempt
- Execution of a PowerShell command
Information shows what happened and when, but not who did it, why it occurred, or how it fits into a larger pattern. Analysts working only with information risk mistaking noise for signal, because benign and malicious data often look alike until analysis is applied.
OpenCTI captures this distinction by treating observables as discrete building blocks. A single domain or IP is stored as an observable, which can later be linked, enriched, or discarded as analysis progresses. This prevents raw inputs from being treated as intelligence prematurely.
What is Intelligence?
Intelligence is assessed, contextualized knowledge. It explains who is behind an activity, why it matters, and how it fits into a broader threat picture. Intelligence is the result of analysis, not the raw material.
Examples include:
- Linking a suspicious domain to an adversary targeting financial data
- Identifying a threat actor’s capabilities such as custom malware or advanced persistence techniques
- Describing consistent targeting of the energy sector across campaigns
- Assessing with confidence that an actor is shifting from phishing to supply chain compromise
Intelligence answers: Who is responsible? What are their capabilities? What are they trying to achieve? How confident are we?
It adds layers of meaning that support decisions, from configuring detection systems to shaping long-term defensive priorities.
OpenCTI supports this process by enabling analysts to record both conclusions and the reasoning behind them. Through relationships, notes, and opinions, analysts link observables to higher-level knowledge while documenting assumptions and confidence levels. This keeps intelligence traceable, structured, and defensible.
The Role of Analysis in OpenCTI
OpenCTI organizes analysis around several core concepts:
- Observables: Technical facts such as domains, IPs, and hashes
- Indicators: Detection patterns derived from observables (for example a STIX, YARA or Sigma pattern) that suggest malicious activity
- Entities: Actors, malware families, intrusion sets, vulnerabilities
- Relationships: Connections such as “Domain X used in Campaign Y”
- Notes and Opinions: Analyst commentary and confidence assessments
You begin with raw facts and connect the dots to build understanding. Not every data point should carry the same weight. Because each conclusion is expressed as a relationship with its own confidence, and each relationship can be annotated with notes and opinions, every assessment in OpenCTI can be traced back to the observables and sources that support it. As the knowledge base grows, it becomes richer and more reliable, enabling precise analysis of adversary intent, capabilities, and behavior.
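The following is an added example, not OpenCTI project code. It expresses the chain observable -> indicator -> intrusion set as STIX 2.1 objects (the format OpenCTI ingests), attaches a note and an opinion to the weakest link, and then walks the relationships back to show what an attribution rests on. The domain, the actor name, the namespace UUID and the confidence values are constructed for illustration.

```python
"""Added example (not OpenCTI project code): observable -> indicator ->
intrusion set as STIX 2.1, plus a walk back along the relationships.
The domain, actor name, namespace UUID and confidences are assumptions."""
import json
import uuid
from collections import deque

NOW = "2024-01-15T10:00:00.000Z"  # fixed timestamp so the output is stable
NAMESPACE = uuid.UUID("9f1c0e5a-6d0e-4e3f-9c1a-2b8d9a1c0e7f")  # assumption


def stix_id(obj_type: str, key: str) -> str:
    """Deterministic STIX id: re-importing the same fact yields the same id."""
    return f"{obj_type}--{uuid.uuid5(NAMESPACE, key)}"


def observable(domain: str) -> dict:
    """Information: a raw fact with no judgement attached (STIX observable)."""
    return {"type": "domain-name", "spec_version": "2.1",
            "id": stix_id("domain-name", domain), "value": domain}


def indicator(obs: dict, confidence: int) -> dict:
    """Detection pattern derived from the observable: the first place a
    judgement ('probably malicious') and a confidence value appear."""
    return {"type": "indicator", "spec_version": "2.1",
            "id": stix_id("indicator", obs["value"]),
            "created": NOW, "modified": NOW, "valid_from": NOW,
            "name": f"Suspicious domain {obs['value']}",
            "pattern_type": "stix",
            "pattern": f"[domain-name:value = '{obs['value']}']",
            "indicator_types": ["malicious-activity"],
            "confidence": confidence}


def relationship(src: str, rel_type: str, dst: str, confidence: int) -> dict:
    """STIX relationship; the confidence lives on the link, not only on the ends."""
    return {"type": "relationship", "spec_version": "2.1",
            "id": stix_id("relationship", f"{src}|{rel_type}|{dst}"),
            "created": NOW, "modified": NOW, "relationship_type": rel_type,
            "source_ref": src, "target_ref": dst, "confidence": confidence}


def build_bundle() -> dict:
    dom = observable("finance-portal-update.example")  # constructed sample
    ind = indicator(dom, confidence=70)
    actor = {"type": "intrusion-set", "spec_version": "2.1",
             "id": stix_id("intrusion-set", "Example Finance Set"),
             "created": NOW, "modified": NOW,
             "name": "Example Finance Set", "confidence": 60}  # hypothetical
    based_on = relationship(ind["id"], "based-on", dom["id"], 100)  # a fact
    indicates = relationship(ind["id"], "indicates", actor["id"], 50)  # an assessment
    # The reasoning behind the weaker link is recorded rather than implied.
    note = {"type": "note", "spec_version": "2.1",
            "id": stix_id("note", indicates["id"]),
            "created": NOW, "modified": NOW,
            "content": "Single vendor report ties the registrant pattern to "
                       "prior campaign infrastructure; not corroborated internally.",
            "object_refs": [indicates["id"]]}
    opinion = {"type": "opinion", "spec_version": "2.1",
               "id": stix_id("opinion", indicates["id"]),
               "created": NOW, "modified": NOW,
               "opinion": "neutral", "object_refs": [indicates["id"]]}
    return {"type": "bundle", "id": stix_id("bundle", "example"),
            "objects": [dom, ind, actor, based_on, indicates, note, opinion]}


def weakest_link(bundle: dict, start_id: str, end_id: str):
    """Breadth-first search over relationships (either direction). Returns
    (relationship types on the path, minimum confidence along it) or None:
    an attribution is only as strong as its least confident link."""
    rels = [o for o in bundle["objects"] if o["type"] == "relationship"]
    queue, seen = deque([(start_id, [], 100)]), {start_id}
    while queue:
        node, path, conf = queue.popleft()
        if node == end_id:
            return path, conf
        for r in rels:
            for a, b in ((r["source_ref"], r["target_ref"]),
                         (r["target_ref"], r["source_ref"])):
                if a == node and b not in seen:
                    seen.add(b)
                    queue.append((b, path + [r["relationship_type"]],
                                  min(conf, r["confidence"])))
    return None


def annotations_for(bundle: dict, object_id: str) -> list:
    """Notes and opinions attached to an object: the recorded reasoning."""
    return [o for o in bundle["objects"]
            if o["type"] in ("note", "opinion") and object_id in o["object_refs"]]


if __name__ == "__main__":
    b = build_bundle()
    dom_id, actor_id = b["objects"][0]["id"], b["objects"][2]["id"]
    print(json.dumps(b, indent=2))
    print(weakest_link(b, dom_id, actor_id))  # (['based-on', 'indicates'], 50)
```

The point of `weakest_link` is the 50: the observable-to-indicator link is a fact (100), but the attribution to the intrusion set is a single-source judgement, so any statement that "this domain belongs to the actor" inherits the lower confidence, and the attached note tells a later analyst why.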
Confidence and Reliability
In intelligence work, knowing which sources and data you can trust is essential. OpenCTI embeds confidence scoring and source reliability directly into the analytical workflow. This prevents unverified claims from being treated as fact and helps decision makers understand the strength of each assessment.

Source reliability measures the trust placed in an information provider based on expertise, capability, and historical accuracy. Reliability is evaluated per source organization rather than per report, and is commonly expressed with the Admiralty Code letters A (completely reliable) through E (unreliable), with F meaning the reliability cannot be judged.
Confidence in information reflects how credible a specific piece of information is, independently of its source: even a reliable source can pass on incorrect data. Credibility takes corroboration, context, and analytical expertise into account, and can be expressed with the Admiralty Code digits 1 (confirmed by other sources) through 5 (improbable), with 6 meaning the truth cannot be judged.
Tracking reliability and credibility separately requires mature processes, and many internal CTI teams are better served by a single confidence score. OpenCTI combines the two into one practical confidence value per entity and relationship, while still supporting teams that want the more granular approach.
This approach ensures transparency while keeping assessments practical. Decision-makers can see the strength of the evidence, analysts can track the basis for judgments, and teams can maintain consistency and traceability in their intelligence outputs.
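As an added example (not OpenCTI code), the function below turns source reliability (Admiralty letters A to F) and information credibility (Admiralty digits 1 to 6) from several reports on the same claim into a single 0 to 100 confidence of the kind OpenCTI stores on an entity or relationship. The numeric weights, the corroboration bonus, and the sample reports are illustrative assumptions, not an OpenCTI algorithm; the point is the two gates: "cannot be judged" grades are excluded rather than scored low, and a reliable source does not rescue an improbable claim.

```python
"""Added example, not OpenCTI code: merge Admiralty reliability (A-F) and
credibility (1-6) from several reports into one 0-100 confidence score.
Weights, corroboration rule and sample reports are assumptions."""
from dataclasses import dataclass
from typing import Optional

# Admiralty Code. F and 6 mean "cannot be judged"; they are excluded from the
# score rather than treated as a low-but-usable value.
RELIABILITY = {"A": 1.0, "B": 0.8, "C": 0.6, "D": 0.4, "E": 0.2, "F": None}
CREDIBILITY = {1: 100, 2: 80, 3: 60, 4: 40, 5: 20, 6: None}


@dataclass(frozen=True)
class Report:
    source: str        # organization reporting the claim
    reliability: str   # Admiralty letter: a property of the source
    credibility: int   # Admiralty digit: a property of this piece of information
    claim: str


def report_score(rep: Report) -> Optional[int]:
    """Score of one report, or None when its grade cannot be judged.
    A reliable source with an improbable claim (A5) still scores low: the
    information's credibility is assessed independently of the source."""
    r, c = RELIABILITY[rep.reliability], CREDIBILITY[rep.credibility]
    if r is None or c is None:
        return None
    return round(r * c)


def assess(reports: list) -> dict:
    """Aggregate several reports on one claim into a single confidence.
    Rule (assumption): take the strongest judged report, add 10 for each
    additional independent source graded C or better, cap at 100. Reports
    that cannot be judged are listed as excluded and contribute nothing."""
    scored = [(rep, report_score(rep)) for rep in reports]
    judged = sorted(((rep, s) for rep, s in scored if s is not None),
                    key=lambda x: x[1], reverse=True)
    excluded = [rep.source for rep, s in scored if s is None]
    if not judged:
        return {"confidence": 0, "basis": None, "corroborated_by": [],
                "excluded": excluded}
    best, best_score = judged[0]
    corroborating = sorted({rep.source for rep, _ in judged[1:]
                            if rep.source != best.source
                            and rep.reliability <= "C"})  # A, B or C only
    confidence = min(100, best_score + 10 * len(corroborating))
    return {"confidence": confidence, "basis": best.source,
            "corroborated_by": corroborating, "excluded": excluded}


# Constructed sample: three statements about the same claim.
SAMPLE = [
    Report("vendor-feed", "B", 2, "domain used by finance-targeting actor"),
    Report("partner-cert", "A", 3, "domain used by finance-targeting actor"),
    Report("paste-site", "F", 6, "domain used by finance-targeting actor"),
]

if __name__ == "__main__":
    print(assess(SAMPLE))
    # {'confidence': 74, 'basis': 'vendor-feed',
    #  'corroborated_by': ['partner-cert'], 'excluded': ['paste-site']}
```

Returning the basis and the excluded sources alongside the number is deliberate: a decision maker sees not just "74" but which source the figure rests on and which inputs were set aside, which is the transparency the section describes.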
From Tactical to Strategic Intelligence
OpenCTI supports analysis across all intelligence levels, ensuring that intelligence is actionable at every stage:
- Tactical intelligence focuses on indicators of compromise (IOCs) that help detect and respond to immediate threats, such as malicious URLs, IPs, hashes, or commands. It guides operational teams on what to block or monitor.
- Operational intelligence analyzes tactics, techniques, and procedures (TTPs), tooling, and campaigns. It explains how adversaries operate, which sectors they target, and how attacks evolve. Operational intelligence provides context that enables defenders to anticipate and disrupt attacks.
- Strategic intelligence addresses long-term trends, actor intent, and business-level impact. It informs resource allocation, risk management, and defensive planning.
By connecting these layers, OpenCTI prevents siloed analysis. Observables feed indicators, indicators support campaigns, and campaigns reveal patterns that support strategic insight. This ensures raw data contributes to meaningful, actionable intelligence.
Closing Thought
OpenCTI is more than a knowledge repository. It is a structured analysis framework that guides the transformation of data into decision-ready intelligence. It helps analysts separate information from intelligence and clarifies why an assessment can be trusted.
For organizations working to mature their threat intelligence capabilities, this clarity is essential. Analysts work more efficiently, leadership makes informed decisions, and the organization benefits from a consistent, traceable, and strategic view of threats.
Enjoy, and feel free to ask any questions about it on our Slack community channel!