The 4 Types of Threat Intelligence, Explained
Threat intelligence comes in four flavors — strategic, operational, tactical and technical. Learn what each one is, who consumes it, and how they fit together.
Not all threat intelligence is created equal. The same intrusion can be described to a board member, a SOC analyst and a firewall — but each needs a completely different level of detail. That's why practitioners divide cyber threat intelligence into four types: strategic, operational, tactical and technical. Understanding the differences is the key to delivering the right intelligence to the right audience.
The four types differ along two axes: how technical they are and how long they stay relevant. Strategic intelligence is the least technical and longest-lived; technical intelligence is the most technical and most perishable. Let's walk through each.
1. Strategic threat intelligence
Audience: executives, board members, CISOs, risk owners.
Shelf life: months to years.
Strategic intelligence is the big-picture view. It is non-technical, narrative analysis of the threat landscape: which adversaries are rising, what motivates them, how geopolitics is reshaping cyber risk, and what that means for the business. It rarely mentions an IP address or a file hash.
Typical strategic products include annual threat landscape reports, briefings on a nation-state's evolving objectives, or an assessment of how a new regulation changes your risk posture. Its purpose is to inform decisions about investment and direction — where to allocate budget, which risks to accept, and how to talk about cyber risk to the board.
Example: "Ransomware groups are increasingly targeting healthcare providers in our region, shifting from encryption to data-extortion. We should prioritize backup resilience and breach-response readiness this fiscal year."
2. Operational threat intelligence
Audience: threat intelligence teams, incident response leads, SOC managers.
Shelf life: weeks to months.
Operational intelligence is about specific, impending or active campaigns. It answers questions like: who is likely to attack us, what is their goal, what infrastructure are they using, and when. It often comes from monitoring threat-actor behavior, leaked communications, or coordinated campaigns observed across many victims.
This is the hardest type to produce because the best operational intelligence often comes from inside closed adversary communities. It directly supports incident response and proactive defense: if you know a particular group is running a phishing campaign against your industry this month, you can warn staff and tune detections before it lands.
Example: "A financially motivated group is conducting a callback-phishing campaign against finance teams in our sector, using a specific lure and a known set of staging domains over the next two weeks."
3. Tactical threat intelligence
Audience: SOC analysts, threat hunters, detection engineers.
Shelf life: weeks to months.
Tactical intelligence describes the adversary's tactics, techniques and procedures (TTPs) — how they operate. It is more durable than a single IP address: attackers change infrastructure constantly but reuse techniques. Tactical intel is usually mapped to the MITRE ATT&CK framework, which gives every technique a common name and ID.
This type powers detection engineering and threat hunting. If you know an actor favors a particular living-off-the-land technique for lateral movement, you can build a detection or hunt for that behavior — and it will keep working even after the attacker rotates their servers.
Example: "This actor gains initial access via a malicious OneNote attachment, establishes persistence with a scheduled task, and uses WMI for lateral movement (ATT&CK T1047)."
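To show what turning a TTP profile like this into detection logic looks like, here is an added example that is not code from the article: three behavioural rules, each tagged with an ATT&CK technique ID, run over process-creation events. The ATT&CK IDs are real (T1047 for WMI is the one the article cites; T1053.005 and T1566.001 are the scheduled-task and spearphishing-attachment techniques), but the event format, the rule logic and the sample telemetry are assumptions constructed for illustration, and a production rule set would carry far more tuning than these.

```python
"""ATT&CK-mapped behavioural detections over process-creation events.

Added example, not code from the original article. The technique IDs are
real ATT&CK IDs; the event format, rule logic and sample events are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str


@dataclass(frozen=True)
class Rule:
    technique_id: str
    name: str
    matches: Callable[[ProcessEvent], bool]


# Interpreters and shells whose appearance as a child of an unusual parent is
# the behavioural signal the rules below key on.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _basename(path: str) -> str:
    """Case-insensitive file name of a Windows-style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


RULES = [
    # T1047: WMI-driven remote execution shows up on the *destination* host as
    # WmiPrvSE.exe spawning a shell. Because the signal is behavioural, it keeps
    # working after the attacker rotates the machine they operate from.
    Rule("T1047", "WmiPrvSE spawning a command shell",
         lambda e: _basename(e.parent_image) == "wmiprvse.exe"
         and _basename(e.image) in SHELLS),
    # T1053.005: persistence via schtasks.exe /create. Noisy on admin hosts; a
    # production rule would exclude known deployment tooling.
    Rule("T1053.005", "Scheduled task creation via schtasks.exe",
         lambda e: _basename(e.image) == "schtasks.exe"
         and "/create" in e.command_line.lower()),
    # T1566.001: a OneNote attachment that launches a script interpreter.
    Rule("T1566.001", "OneNote spawning a script interpreter",
         lambda e: _basename(e.parent_image) == "onenote.exe"
         and _basename(e.image) in SHELLS),
]


def detect(events: List[ProcessEvent]) -> List[Tuple[str, str, str]]:
    """Return (technique_id, host, rule_name) for every rule that fires."""
    findings = []
    for e in events:
        for r in RULES:
            if r.matches(e):
                findings.append((r.technique_id, e.host, r.name))
    return findings


# Constructed sample telemetry: the first three events mirror the actor
# profile (attachment, persistence, WMI lateral movement); the last is benign.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
                 r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe "C:\Users\a\AppData\Local\Temp\open.vbs"'),
    ProcessEvent("ws01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /Create /SC DAILY /TN Updater /TR "C:\Users\a\AppData\Roaming\u.exe"'),
    ProcessEvent("srv02", r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c whoami"),
    ProcessEvent("ws03", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"powershell.exe"),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Each finding carries the technique ID, so coverage can be reported per ATT&CK technique rather than per indicator, which is the unit tactical intelligence is delivered in.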
4. Technical threat intelligence
Audience: SOC tooling, SIEM/EDR/firewalls, automated pipelines.
Shelf life: hours to days.
Technical intelligence is the stream of machine-readable artifacts — the indicators of compromise (IOCs) — that you feed directly into security tools: malicious IP addresses, domains, URLs, file hashes, and email sender addresses. It is the most perishable type because adversaries burn and rotate this infrastructure quickly; an indicator that's hot today may be dead tomorrow.
Technical intel is the workhorse of automated detection and blocking. It's most effective when ingested at machine speed and expired aggressively, rather than treated as a permanent blocklist.
Example: "Block these 12 command-and-control IPs and 5 staging domains; alert on this set of malware file hashes."
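The point about ingesting indicators at machine speed and expiring them aggressively (and the later advice to pipe IOCs into tooling and expire them on a schedule) is easier to see in code. The following is an added example, not code from the article: a small indicator store that loads a feed, refuses indicators that are already stale on arrival, matches them against log lines, and drops them once their per-type shelf life has passed. The feed format, the per-type TTLs, the log format, and every indicator and log line are assumptions constructed for illustration (the IPs and domains come from reserved documentation ranges and names).

```python
"""Machine-speed IOC ingestion with aggressive expiry.

Added example, not code from the original article. Feed format, per-type
TTLs, log format and all sample values are constructed for illustration.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed shelf life per indicator type. IPs rotate fastest; a hash still
# identifies a file forever, but its detection value for commodity malware
# fades, so it gets a longer yet still finite TTL.
TTL = {
    "ip": timedelta(hours=48),
    "domain": timedelta(days=7),
    "sha256": timedelta(days=30),
}


class IndicatorStore:
    def __init__(self) -> None:
        self._items: Dict[Tuple[str, str], datetime] = {}  # (type, value) -> expiry

    def ingest(self, feed_text: str, now: datetime) -> int:
        """Load 'type,value,first_seen' lines; return how many live indicators were loaded."""
        added = 0
        for line in feed_text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            kind, value, first_seen = (p.strip() for p in line.split(",", 2))
            kind = kind.lower()
            if kind not in TTL:
                continue  # unknown type: skip rather than guess a shelf life
            expiry = datetime.fromisoformat(first_seen) + TTL[kind]
            if expiry <= now:
                continue  # stale on arrival: never let it into the blocklist
            key = (kind, value.lower())
            # Re-ingesting a known indicator refreshes its expiry.
            if key not in self._items or expiry > self._items[key]:
                self._items[key] = expiry
            added += 1
        return added

    def expire(self, now: datetime) -> int:
        """Drop every indicator whose TTL has elapsed; return how many were dropped."""
        stale = [k for k, exp in self._items.items() if exp <= now]
        for k in stale:
            del self._items[k]
        return len(stale)

    def live(self) -> List[Tuple[str, str]]:
        return sorted(self._items)

    def match(self, kind: str, value: str, now: datetime) -> bool:
        exp = self._items.get((kind, value.lower()))
        return exp is not None and exp > now


# Which key=value fields in a log line are compared against which indicator type.
FIELD_TO_KIND = {"query": "domain", "dst": "ip", "sha256": "sha256"}


def scan_logs(store: IndicatorStore, log_lines: List[str], now: datetime) -> List[Tuple[str, str, str]]:
    """Return (host, indicator_type, value) for each log field that hits a live indicator."""
    hits = []
    for line in log_lines:
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        host = fields.get("host", "?")
        for field, kind in FIELD_TO_KIND.items():
            if field in fields and store.match(kind, fields[field], now):
                hits.append((host, kind, fields[field]))
    return hits


# Constructed feed: two of the five indicators are already past their TTL.
SAMPLE_HASH = "aa" * 32
SAMPLE_FEED = f"""# type,value,first_seen  (constructed sample)
ip,203.0.113.10,2024-05-03T06:00:00
ip,198.51.100.7,2024-04-28T12:00:00
domain,stage.example,2024-04-30T00:00:00
domain,old-c2.example,2024-04-20T00:00:00
sha256,{SAMPLE_HASH},2024-04-10T00:00:00
"""

# Constructed log lines; the third touches an indicator that is already stale.
SAMPLE_LOGS = [
    "2024-05-03T08:55:00 dns host=ws01 query=stage.example",
    "2024-05-03T08:56:10 fw host=ws01 dst=203.0.113.10 dport=443",
    "2024-05-03T08:57:00 fw host=ws02 dst=198.51.100.7 dport=443",
    "2024-05-03T08:58:00 dns host=ws02 query=intranet.example",
]
NOW = datetime(2024, 5, 3, 9, 0)
LATER = datetime(2024, 5, 8)

if __name__ == "__main__":
    store = IndicatorStore()
    print("loaded:", store.ingest(SAMPLE_FEED, NOW))
    print("hits:", scan_logs(store, SAMPLE_LOGS, NOW))
    print("expired later:", store.expire(LATER), "remaining:", store.live())
```

Run with an `expire()` call on a schedule and the store behaves like the article recommends: indicators arrive automatically, are never treated as permanent, and the stale IP in the third log line produces no alert because it was refused at ingestion rather than left to age in the blocklist.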
How the four types compare
- Strategic → the "why" → for leaders → lasts years → no technical detail.
- Operational → the "who and when" → for IR/CTI teams → lasts months → some technical detail.
- Tactical → the "how" → for hunters and detection engineers → lasts months → technical (TTPs).
- Technical → the "what to block" → for machines → lasts days → highly technical (IOCs).
How the types work together
The four types are not competitors — they're layers of the same picture. A single ransomware operation can be described as a strategic trend ("data-extortion is rising in our sector"), an operational warning ("this group is targeting us now"), a set of tactical TTPs ("here is how they move through a network"), and a list of technical indicators ("block these domains today").
A mature program consumes all four and routes each to the right audience. The most common mistake is over-investing in technical indicators — which are cheap and abundant but perish quickly — while neglecting the strategic and tactical layers that actually change long-term defensive posture.
Which type of intelligence do you need?
The right starting point depends on the role you're supporting and the decision you're trying to make:
- If you need to set security strategy or brief a board, start with strategic intelligence about the trends and actors relevant to your business.
- If you're preparing for a likely campaign against your sector, you need operational intelligence about who is active and how.
- If you're building detections or hunting, you need tactical intelligence — the TTPs to look for.
- If you're feeding tools to block and alert automatically, you need a stream of technical indicators.
Most organizations start at the technical end because indicators are cheap and easy to consume, then mature "up the stack" toward tactical, operational and strategic intelligence as their program grows. A useful sign of maturity is when a team stops asking "how many indicators did we block?" and starts asking "did our intelligence change a decision?" The four types are most powerful when an organization deliberately invests across all of them rather than over-indexing on the easiest one.
Putting the types to work
To get value from all four types:
- Automate the technical layer. Pipe IOCs into your SIEM and EDR, and expire them on a schedule.
- Turn tactical intel into detections. Map adversary TTPs to ATT&CK and build coverage for the techniques your likely adversaries use.
- Use operational intel to get ahead. When you learn a campaign is coming, pre-position warnings and detections.
- Brief leadership with strategic intel. Translate the landscape into business risk and resourcing decisions.
A good starting point is simply watching what authoritative sources are reporting in real time. Our live threat intelligence feed aggregates strategic reporting, operational campaign warnings, tactical research and fresh technical indicators from dozens of sources — deduplicated and ranked by priority — so you can spot all four types in one place.
Frequently asked questions
What are the four types of threat intelligence?
The four types are strategic (high-level trends for executives), operational (specific campaigns and actors), tactical (adversary TTPs for defenders) and technical (machine-readable indicators of compromise for automated tools).
What is the difference between tactical and technical threat intelligence?
Tactical intelligence describes how attackers operate — their tactics, techniques and procedures — and stays relevant for months. Technical intelligence is the stream of short-lived indicators like IPs and hashes that you feed into tools to block or detect activity, and it perishes within days.
Which type of threat intelligence is most important?
No single type is most important — they serve different audiences and time horizons. Many teams over-rely on technical indicators because they're abundant, but strategic and tactical intelligence drive the long-term improvements in defensive posture.