From Data to Decision: The Intelligence Cycle in Cyber Threat Intelligence

May 25, 2025
In this post, we’ll walk through the classical intelligence cycle, and show how it applies to modern cyber threat intelligence (CTI).

by Kade Morton (CEO)

Introduction

Most of what’s sold as “threat intelligence” today isn’t intelligence at all.

Instead, it’s data: lists of IP addresses, hashes, and domains, with little to no context. These indicators of compromise (IOCs) are useful, but on their own, they don’t answer the questions defenders need answered: Who is targeting us? Is this IOC recent or historic? What are they after? What else are they likely to do or might have already done?

True intelligence isn’t about lists, it’s about decisions. It’s about turning raw data into insights that help organisations act with confidence. That’s what the intelligence cycle is for. It is the core of what Arachne Digital does.

In this post, we’ll walk through the classical intelligence cycle, and show how it applies to modern cyber threat intelligence (CTI). If you’re in a Security Operations Centre (SOC), leading a security program, or evaluating threat intel vendors, this is what you should expect from real intelligence.

Intelligence as a Process: Not Just a Product

The intelligence cycle is a progressive refinement of data into intelligence. It’s not a one-time transaction, and it doesn’t begin with information, it begins with questions.

Let’s break it down.

The Intelligence Cycle

Direction: Setting the Right Questions

Planning and Direction is the first phase of the intelligence cycle. It involves identifying and prioritising the information needs of an organisation in order to align cyber threat intelligence (CTI) efforts with strategic, operational, or tactical objectives.

At this stage, decision-makers or stakeholders define their intelligence requirements, the critical questions that need to be answered to inform security decisions, reduce risk, or guide response. These requirements form the foundation for all subsequent CTI activities.

In practice, Planning and Direction includes:

  • Clarifying what the organisation needs to protect (assets, sectors, geographies).
  • Identifying likely threat actors or risks based on industry and region.
  • Translating objectives into Essential Elements of Information (EEIs) — specific, actionable questions that intelligence efforts will seek to answer.

In CTI, the equivalent to all of this is your operational context: What are you trying to protect? Who is likely to target you? What do you need to know to defend your organisation?

This is where Arachne Digital begins. We tailor CTI feeds for your industry and geography so you can understand your threat landscape and risk posture. If you are more mature and want to define your own requirements, you can access our entire database of cybercrime and nation-state threats across regions.

Collection: Finding the Signals in the Noise

Collection is the second phase of the intelligence cycle. It involves gathering raw data from relevant sources to address the intelligence requirements defined during the Planning and Direction phase.

In cyber threat intelligence, collection spans a range of disciplines, including open-source intelligence (OSINT), technical telemetry, and clear and dark web monitoring. The goal is to collect data that may contain evidence of threat activity, tools, infrastructure, intent, or targeting, all of which help answer questions posed during planning.

Effective collection is:

  • Targeted: Focused on sources likely to yield relevant information.
  • Timely: Conducted frequently enough to capture emerging threats.
  • Scalable: Able to pull in large volumes of data without sacrificing relevance.

Collection for Arachne Digital is driven by our tool Tracery, which automates the process of discovering and retrieving URLs containing relevant cybersecurity content based on pre-defined keywords and intelligence priorities. These sources include:

  • Security blogs and advisories
  • Cybercrime and breach forums
  • Technical writeups and threat reports

The result is a rich body of unstructured free text, raw data that will be processed in the next stage to begin transforming it into actionable intelligence.

This is raw data, unstructured, messy, but valuable.

Processing and Exploitation: Turning Data into Information

Processing and Exploitation is the third phase of the intelligence cycle. It involves converting raw, collected data into a structured and usable format, preparing it for analysis.

In the context of cyber threat intelligence, this step includes:

  • Filtering irrelevant data and removing duplicates.
  • Extracting structured elements from unstructured sources (e.g., identifying malware names, TTPs, threat actor references).
  • Standardising formats for consistency and interoperability.
  • Tagging and categorisation based on frameworks like MITRE ATT&CK.

The goal is to turn raw data, such as technical blogs, incident writeups, or forum posts, into organised, machine and human-readable information that can be meaningfully analysed.

For Arachne Digital, this step is performed by our analyst dashboard Thread, which processes free-text documents collected via Tracery. Thread:

  • Uses machine learning to map sentences to MITRE ATT&CK TTPs.
  • Extracts key metadata, including possible dates, threat actors, industries, and geographies.
  • Structures the data so that it can be verified, enriched, and analysed by a human analyst.

Processing and exploitation marks the transition from data to information, structured content that is ready to be interpreted and turned into intelligence.
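The processing steps listed above (deduplication, extraction, standardisation, ATT&CK tagging) can be sketched in a few lines. This is an added example, not Arachne Digital's code and not how Thread works: the sample documents are constructed, the function names are hypothetical, and a keyword map stands in for the machine learning classifier.

```python
import hashlib
import re

# Constructed sample documents (not real reporting); indicators are defanged
# the way public writeups usually present them.
RAW_DOCS = [
    "The actor sent a phishing email with a malicious attachment. "
    "A PowerShell script then contacted 203.0.113[.]7 and update.example[.]com.",
    "The actor sent a  phishing email with a malicious attachment. "
    "A PowerShell script then contacted 203.0.113[.]7 and update.example[.]com.",
    "Files were encrypted for ransom. Payload SHA-256: " + "ab" * 32,
]

# Assumption: a keyword-to-technique map as a stand-in for an ML classifier.
ATTACK_KEYWORDS = {
    "phishing": "T1566",
    "powershell": "T1059.001",
    "encrypted for ransom": "T1486",
}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256 = re.compile(r"\b[a-f0-9]{64}\b")
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")

def refang(text):
    """Undo common defanging so indicators share one standard format."""
    return text.replace("[.]", ".").replace("hxxp", "http")

def process(docs):
    """Drop duplicate documents, then extract indicators and ATT&CK tags."""
    seen, records = set(), []
    for doc in docs:
        # Normalise case and whitespace so near-identical copies collide.
        norm = " ".join(refang(doc).lower().split())
        digest = hashlib.sha256(norm.encode()).hexdigest()
        if digest in seen:
            continue  # duplicate report
        seen.add(digest)
        sentences = re.split(r"(?<=[.!?])\s+", norm)
        records.append({
            "doc_id": digest[:12],
            "ipv4": sorted(set(IPV4.findall(norm))),
            "sha256": sorted(set(SHA256.findall(norm))),
            "domains": sorted(set(DOMAIN.findall(norm))),
            "techniques": sorted({tid for s in sentences
                                  for kw, tid in ATTACK_KEYWORDS.items() if kw in s}),
        })
    return records
```

The output is one structured record per unique document, which is the form an analyst would then verify and enrich.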

But we’re not done.

Analysis: Adding Human Context and Insight

Analysis and Production is the fourth phase of the intelligence cycle. It involves evaluating, interpreting, and contextualising the information gathered during collection and processing in order to generate finished intelligence that can support decision-making.

In cyber threat intelligence, analysis is where raw indicators and structured data are transformed into insight. Analysts:

  • Assess the relevance and reliability of collected information.
  • Identify patterns, trends, and relationships across multiple data points.
  • Determine the significance of threat activity in the context of specific industries, regions, or organisations.
  • Attribute threat activity, where possible, to specific actors or countries.
  • Assign date ranges (first and last seen), and associated victimology (targeted industry and geography).

Production refers to the creation of the final intelligence deliverables, reports, briefings, or machine-readable formats, based on the analysis. These outputs are tailored to the needs of the end user, whether that’s a SOC analyst tuning detections or a CISO planning investments.

Human analysts take the structured output from Thread and apply expert judgment to:

  • Confirm and refine MITRE ATT&CK mappings.
  • Enrich the data with threat actor names, attribution, victim information, and IOC details.
  • Package the intelligence into reports or API-ready data, with the necessary context to support threat-informed defense.

We integrate disparate findings, and use ATT&CK to interpret what the data means. Is this TTP relevant to my organisation? What defensive tooling should I invest in based on the threat landscape? Does my SIEM have the right logs and analytics configured?

This phase turns information into intelligence, a finished product that is assessed, contextual, and actionable.
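Two of the analysis tasks above, assigning first and last seen dates and judging relevance against victimology, can be shown on structured records. This is an added example, not Arachne Digital's code: the reports, actor labels, requirement sets, function names and the 180-day recency threshold are all constructed assumptions.

```python
from datetime import date

# Constructed, already-processed report records (not real reporting).
REPORTS = [
    {"published": date(2024, 11, 3), "actor": "ACTOR-A", "industry": "finance",
     "geography": "AU", "techniques": ["T1566", "T1059.001"]},
    {"published": date(2025, 4, 20), "actor": "ACTOR-A", "industry": "finance",
     "geography": "NZ", "techniques": ["T1566", "T1486"]},
    {"published": date(2023, 1, 15), "actor": "ACTOR-B", "industry": "energy",
     "geography": "DE", "techniques": ["T1190"]},
]

# Hypothetical requirements set during Planning and Direction.
REQUIREMENTS = {"industries": {"finance"}, "geographies": {"AU", "NZ"}}

def relevant(report, req):
    """True when the report's victimology matches the stated requirements."""
    return (report["industry"] in req["industries"]
            and report["geography"] in req["geographies"])

def summarise(reports, req, as_of, recent_days=180):
    """Per-technique first/last seen, actors, and a recent/historic flag."""
    agg = {}
    for r in reports:
        if not relevant(r, req):
            continue  # outside the organisation's requirements
        for tid in r["techniques"]:
            e = agg.setdefault(tid, {"first_seen": r["published"],
                                     "last_seen": r["published"],
                                     "actors": set(), "reports": 0})
            e["first_seen"] = min(e["first_seen"], r["published"])
            e["last_seen"] = max(e["last_seen"], r["published"])
            e["actors"].add(r["actor"])
            e["reports"] += 1
    for e in agg.values():
        age_days = (as_of - e["last_seen"]).days
        e["status"] = "recent" if age_days <= recent_days else "historic"
    # Most recently seen first, then most frequently reported.
    ranked = sorted(agg.items(),
                    key=lambda kv: (kv[1]["last_seen"], kv[1]["reports"]),
                    reverse=True)
    return dict(ranked)
```

The ranked result gives a first cut at which techniques to check detections and log coverage for; the analyst's judgment on reliability and attribution still sits on top of it.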

Dissemination: Getting Intelligence into Your Hands

Dissemination and Integration is the fifth phase of the intelligence cycle. It involves delivering finished intelligence products to the right stakeholders in a format they can use, and ensuring that intelligence is integrated into operational workflows and decision-making.

In cyber threat intelligence, dissemination must be:

  • Timely: Delivered while the intelligence is still relevant.
  • Targeted: Aligned with the needs of specific users (e.g., SOC analysts, CISOs, incident responders).
  • Actionable: Structured in a way that allows for direct use in detection, mitigation, or strategic planning.

Integration is the often-overlooked second half of this phase. It means ensuring the intelligence doesn’t just sit in a report or dashboard, it’s used:

  • To inform detections (e.g., SIEM rules, EDR tuning).
  • To guide prevention and mitigation (e.g., aligning with MITRE ATT&CK mitigations).
  • To support incident response and threat hunting.
  • To influence broader cybersecurity strategy and investment.

Arachne Digital delivers intelligence in two key ways:

  • Human-readable reports, designed for decision-makers and analysts who need context-rich briefings.
  • An API, enabling direct ingestion of structured threat intelligence into security platforms for automated use.

Each piece of intelligence we produce is designed to map cleanly to operational needs, whether that’s an analyst writing a detection rule, a threat hunter investigating anomalies, or a CISO planning for risk.

Need a high-level overview? You’ll get a summary. Need tactical indicators? You’ll get them too, mapped to ATT&CK and enriched with context.

And because our intelligence is structured and dated, you can track trends over time, align detections with threat-informed defence, and prioritise mitigations that matter.

The value of intelligence is only realised when it’s disseminated effectively and integrated seamlessly into the systems and decisions it was built to support.

Feedback: Closing the Loop

Evaluation and Feedback is the final phase of the intelligence cycle. It ensures that the intelligence provided is meeting the needs of decision-makers and that the cycle remains dynamic, responsive, and continuously improving.

In cyber threat intelligence, evaluation involves assessing:

  • Relevance: Did the intelligence align with the original requirements?
  • Accuracy: Was it correct and well-supported?
  • Timeliness: Was it delivered in time to inform action?
  • Usefulness: Did it support decision-making, detection, or response?

Feedback is the mechanism by which consumers of intelligence, whether SOC analysts, incident responders, or executive leadership, communicate their experience and evolving needs back to the intelligence team. This feedback may include:

  • New or updated requirements.
  • Requests for deeper context or additional indicators.
  • Clarifications or corrections to previous assessments.
  • Reports on how the intelligence was used or operationalised.

For Arachne Digital, this phase is essential to maintaining the integrity of our work. We actively seek feedback through:

  • Customer interactions and support requests.
  • Discussions around what intelligence was helpful, and what was not.

We want to hear from our customers about what is working for them and what is not, so we can make better tools and generate better CTI to serve you.

This closed loop ensures our intelligence stays relevant, focused, and aligned to your mission.

The Bottom Line: Most Vendors Stop at Data. We Don’t.

Many CTI providers give you indicators. Few give you intelligence.

We have built the Arachne Digital workflow around the full intelligence cycle (direction, collection, processing, analysis, dissemination, and feedback) because that’s what makes intelligence actionable.

We believe SOCs deserve better than static lists of IPs. Security leaders deserve insights, not noise. And everyone deserves the context to make informed decisions.

If your current CTI isn’t built on the intelligence cycle, ask why.

We’re building threat intelligence the way it’s meant to be: structured, contextual, and decision-ready.

Ready to work with intelligence that informs action?

Get in touch or explore our API to learn more.
