After this lesson, you will be able to: Design intelligence collection plans and integrate TI into security operations.
Building a TI program means deciding what to collect, where to source it, how to disseminate, and to whom. It's a pipeline from raw data to actionable defender intelligence.
Direction, what stakeholders need (CISO, SOC, IR, Eng). Collection, feeds, OSINT, internal IR, ISAC. Processing, dedup, enrich, score. Analysis, strategic/operational/tactical reporting. Dissemination, right format to right consumer. Feedback, was it useful? Iterate.
1. Reactive, we react when things happen.
2. Reactive + free feeds, block known bad.
3. Subscribed, commercial feeds drive blocks.
4. Analyst-driven, we contextualize per incident.
5. Program, full collection plan, multiple consumers, ROI tracked.
Buying expensive feeds with no consumer. Drowning the SOC in low-value IoCs. Not measuring 'was this useful?' Not closing the loop with IR (who has the gold data).
Sign in and purchase access to unlock this lesson.