Threat Intelligence Glossary: Key Terms Explained

Cyber threat intelligence has a language of its own — a dense mix of acronyms, frameworks, and jargon. This glossary defines the most important terms in plain English, one sentence each, with links to in-depth guides for every concept. Whether you're new to threat intelligence or just need a quick reference, use it to look up a term or browse the whole field from A to Z.

Core threat intelligence concepts

• Threat Intelligence — evidence-based knowledge about threats that helps organizations make faster, better-informed security decisions.
• Types of Threat Intelligence — the four levels: strategic, tactical, operational, and technical.
• Threat Intelligence Lifecycle — the six-stage process for producing intelligence, from direction to dissemination and feedback.
• F3EAD — Find, Fix, Finish, Exploit, Analyze, Disseminate: a targeting cycle that fuses operations and intelligence.
• OSINT — open-source intelligence gathered from publicly available sources.
• TTPs — the tactics, techniques, and procedures that describe how a threat actor operates.
• Indicators of Compromise (IOCs) — forensic artifacts like IPs, hashes, and domains that signal a possible breach.
• IOC vs IOA — indicators of compromise (evidence of an attack) versus indicators of attack (behavior in progress).
• IOC Enrichment — adding context to raw indicators so analysts can act on them.
• Pyramid of Pain — a model ranking indicators by how much disrupting them hurts an attacker.
• Vulnerability vs Threat vs Risk — a weakness, something that could exploit it, and the resulting potential for loss.

Threat actors

• Threat Actor — any individual or group behind malicious cyber activity.
• Advanced Persistent Threat (APT) — a sophisticated, well-resourced adversary, usually state-sponsored, that maintains long-term access.
• Hacktivism — hacking to promote a political or social cause rather than for profit.
• Insider Threat — a risk from someone with legitimate access, whether malicious, negligent, or compromised.
• Initial Access Broker (IAB) — a criminal who breaches organizations and sells that access to others.
• Ransomware-as-a-Service (RaaS) — a model where operators rent ransomware to affiliates for a share of the profits.
• Cyber Attribution — the process of determining who is behind a cyberattack.

Attacks & malware

• Malware — the umbrella term for any malicious software.
• Ransomware — malware that encrypts data and demands payment for its release.
• Trojan Horse — malware disguised as legitimate software to trick users into installing it.
• Rootkit — stealthy malware that hides itself and grants privileged control.
• Spyware — malware that secretly monitors activity and steals data.
• Computer Worm — self-replicating malware that spreads across networks without human action.
• Fileless Malware — malware that runs in memory using legitimate tools, leaving little on disk.
• Infostealer — malware that rapidly harvests passwords, cookies, and crypto wallets.
• Malware Analysis — studying malicious code to understand what it does and how to detect it.
• Botnet — a network of infected devices controlled remotely by an attacker.
• Phishing — fraudulent messages that trick people into revealing data or running malware.
• Business Email Compromise (BEC) — a targeted email scam impersonating a trusted party to steal money or data.
• Social Engineering — manipulating people into compromising security.
• DDoS Attack — flooding a system with traffic to take it offline.
• Supply Chain Attack — compromising a trusted supplier to reach its customers.
• Data Breach — an incident exposing confidential data to unauthorized parties.
• Man-in-the-Middle (MITM) — secretly intercepting communication between two parties.
• SQL Injection (SQLi) — injecting malicious SQL to tamper with a database.
• Cross-Site Scripting (XSS) — injecting malicious scripts that run in other users' browsers.
• Credential Stuffing — using stolen credentials from one breach against other sites.
• Privilege Escalation — gaining higher access than was granted.
• Lateral Movement — spreading from an initial foothold to other systems.
• Command and Control (C2) — the channel attackers use to remotely control compromised systems.

Vulnerabilities

• CVE — a unique identifier for a publicly disclosed vulnerability.
• Zero-Day — a vulnerability exploited before a patch is available.
• CVSS vs EPSS — severity scoring versus exploitation-likelihood prediction.
• KEV Catalog — CISA's list of vulnerabilities confirmed exploited in the wild.
• Vulnerability Management — the continuous cycle of finding, prioritizing, and fixing weaknesses.
• Attack Surface Management (ASM) — discovering and monitoring all internet-facing assets.

Frameworks & models

• MITRE ATT&CK — a knowledge base of adversary tactics and techniques.
• Cyber Kill Chain — a seven-stage model of an attack's progression.
• ATT&CK vs Kill Chain — how the two leading attack frameworks compare.
• Diamond Model — a framework linking adversary, capability, infrastructure, and victim.
• STIX & TAXII — standards for structuring and sharing threat intelligence.
• Threat Modeling — a structured process to find threats early in design (e.g. with STRIDE).
• Traffic Light Protocol (TLP) — labels that govern how far shared information may travel.

Detection & operations

• SOC — the security operations center that monitors and responds to threats.
• SIEM — a platform that collects and correlates logs to detect threats.
• SOAR — security orchestration, automation, and response via playbooks.
• EDR — endpoint detection and response.
• XDR — extended detection and response across multiple domains.
• EDR vs XDR vs MDR — two technologies and a managed service compared.
• SIEM vs SOAR vs XDR — the core SOC tools compared: see, act, unify.
• ITDR — identity threat detection and response.
• UEBA — user and entity behavior analytics that flag anomalies.
• Threat Hunting — proactively searching for hidden threats.
• Threat Intelligence vs Threat Hunting — knowing about threats versus actively seeking them.
• Detection Engineering — designing, testing, and maintaining high-quality detections.
• YARA Rules — pattern-matching signatures for identifying malware in files.
• Sigma Rules — a generic, portable signature format for log-based SIEM detections.
• Honeypot — a decoy system designed to attract and detect attackers.
• Incident Response — the structured process for handling a security incident.
• Dark Web Monitoring — watching criminal spaces for leaked data and threats.
• Red / Blue / Purple Team — offense, defense, and their collaboration.
• Adversarial AI — how attackers weaponize AI for phishing, deepfakes, and more.
• OT/ICS Threat Intelligence — intelligence focused on industrial control systems.

Tools, platforms & sharing

• Threat Intelligence Platform (TIP) — software for aggregating, enriching, and operationalizing intelligence.
• MISP — the leading open-source threat intelligence sharing platform.
• ISAC — a sector-based hub for sharing threat intelligence.
• Open-Source TI Tools — free tools for working with threat intelligence.
• Free Threat Intelligence Feeds — no-cost sources of indicators and threat data.
• Building a TI Program — how to stand up threat intelligence step by step.
• Threat Intelligence Analyst — the role, skills, and path into the career.

Reference & data

• Ransomware Statistics — key ransomware facts and trends from major reports.
• Biggest Data Breaches — landmark breaches and the lessons they teach.

Keep learning

This glossary is a map of the threat intelligence landscape — each term links to a full guide if you want to go deeper. Threat intelligence is ultimately about turning knowledge into action, so the best way to cement these concepts is to see them in the wild. Watch real threats unfold on our live threat intelligence feed, which aggregates and prioritizes breaking reporting from dozens of authoritative sources, updated continuously.