
Building a Threat Intelligence Programme from Scratch

Marcus Webb
Incident responder and digital forensics examiner. 15 years in enterprise security operations.
February 24, 2026 | 11 min read | 4,104 views

Threat intelligence sounds expensive and complex — the domain of nation-state defenders with unlimited budgets. In reality, a practical TI programme is achievable for organisations of any size.

What is Threat Intelligence?

Threat intelligence is evidence-based knowledge about existing or emerging threats that can inform decisions. It answers questions like:

  • What threat actors are targeting our industry?
  • What TTPs (Tactics, Techniques, and Procedures) are they using?
  • What indicators of compromise (IoCs) should we be hunting for?

The Intelligence Cycle

  1. Planning — define what questions you need answered
  2. Collection — gather raw data from relevant sources
  3. Processing — normalise and structure the data
  4. Analysis — derive meaning and context
  5. Dissemination — share findings with relevant stakeholders
  6. Feedback — evaluate effectiveness and refine

Free and Low-Cost Sources

Open Source Intelligence (OSINT)

  • MITRE ATT&CK — comprehensive TTP framework
  • AlienVault OTX — community IoC sharing
  • CISA KEV — known exploited vulnerabilities (also available in our CVE tools)
  • VirusTotal — file and URL reputation
  • Shodan — internet-exposed asset discovery

Government Sources

  • CISA Advisories
  • FBI Flash Reports
  • NCSC (UK) Threat Reports
  • ASD (Australia) Advisories

Starting Small

You don't need a SIEM or a threat intelligence platform (TIP) to start. Begin with:

  1. Subscribe to CISA and vendor security advisories
  2. Follow the NVD feed for CVEs affecting your technology stack (use our NVD Live Feed)
  3. Set up watchlists for CVEs relevant to your environment (use our CVE Watchlist)
  4. Document findings in a simple spreadsheet or the Vuln Tracker
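
The watchlist and spreadsheet steps above can be scripted in a few lines. The following is an added example, not code from this site or its tools: it filters a catalogue in the CISA KEV JSON layout against a technology-stack watchlist and emits CSV rows for a tracking sheet. The watchlist structure, function names and sample entries (including the placeholder CVE IDs) are assumptions made up for illustration.

```python
import csv
import io
import json
from datetime import date

# Constructed sample in the layout of the CISA KEV JSON catalogue.
# CVE IDs, vendors and products below are placeholders, not real entries.
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Edge Gateway",
     "dateAdded": "2026-02-10", "dueDate": "2026-03-03", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "OtherCorp", "product": "Mail Server",
     "dateAdded": "2026-02-12", "dueDate": "2026-03-05", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "examplevendor", "product": "VPN Appliance",
     "dateAdded": "2025-11-01", "dueDate": "2025-11-22", "knownRansomwareCampaignUse": "Unknown"},
]})

# Hypothetical watchlist: vendor -> products you run ("*" = any product from that vendor).
WATCHLIST = {"examplevendor": {"edge gateway", "vpn appliance"}, "acme": {"*"}}

def match_watchlist(kev_json, watchlist, since):
    """Return KEV entries for watched products added on or after `since`."""
    hits = []
    for v in json.loads(kev_json).get("vulnerabilities", []):
        vendor = v.get("vendorProject", "").strip().lower()
        product = v.get("product", "").strip().lower()
        products = watchlist.get(vendor, set())
        if not ("*" in products or product in products):
            continue
        if date.fromisoformat(v["dateAdded"]) < since:
            continue  # already covered in an earlier review
        hits.append(v)
    # Ransomware-linked entries first, then earliest remediation due date.
    hits.sort(key=lambda v: (v.get("knownRansomwareCampaignUse") != "Known", v["dueDate"]))
    return hits

def to_csv(hits):
    """Render hits as CSV text for the tracking spreadsheet."""
    cols = ["cveID", "vendorProject", "product", "dateAdded", "dueDate", "knownRansomwareCampaignUse"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=cols, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(hits)
    return buf.getvalue()

if __name__ == "__main__":
    print(to_csv(match_watchlist(SAMPLE_KEV, WATCHLIST, since=date(2026, 2, 1))))
```

Run it on a schedule with `since` set to the date of your last review, and append the output to the same sheet so the history of what was triaged stays in one place.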

Conclusion

A threat intelligence programme is a journey, not a destination. Start small, be consistent, and gradually mature your capabilities as you demonstrate value to the business.
