When people talk about cyber threat intelligence (CTI), what they usually mean is Indicators of Compromise (IOCs): IP addresses, malware hashes, domains, and the YARA or Sigma rules that detect them. That’s the tactical level. It’s valuable, but it’s also just one part of the picture.
In reality, threat intelligence operates across three levels: strategic, operational, and tactical. And if you’re only using one, you’re not getting the full benefit CTI can provide.
This post will break down each level, give examples of how it’s used, and help you figure out if your organisation is using CTI to its full potential.
Tactical CTI is where most CTI programs begin, and often where they stop.
What it is:
Tactical CTI provides observable indicators: IP addresses, file hashes, domains, and YARA or Sigma rules. They are good for blocking and detecting known activity, but they age quickly; attackers rotate infrastructure and rebuild malware, so an indicator feed is only ever a snapshot of what has already been seen.
Who it’s for:
SOC analysts, detection engineers, threat hunters.
Use cases:
Where Arachne Digital fits:
We built Thread to enrich raw text (news articles, threat reports, breach disclosures) with MITRE ATT&CK TTPs. Instead of just telling you “this IP is bad,” Thread helps you understand how it was used (initial access, lateral movement, exfiltration) and lets you map the reported activity onto your own environment.
Operational CTI tells you how attackers work. This is the bridge between raw indicators and strategic decision-making.
What it is:
Operational CTI focuses on campaign patterns and attacker behaviours, such as the ATT&CK TTPs a threat actor favours, the aliases it is tracked under, and how its campaigns change over time.
Who it’s for:
Detection engineers, incident response teams, purple teams, CTI analysts.
Use cases:
Where Arachne Digital fits:
Thread helps here too, but so does Spindle. Spindle tracks known threat actors and their aliases, linking them to ATT&CK TTPs, historical campaigns, and public reporting. Combined, these tools let analysts move from “what happened” to “how and why it happened.”
Strategic CTI zooms all the way out. It’s about adversaries, motivations, and risk. This is the type of intelligence that belongs in a boardroom briefing.
What it is:
Strategic CTI answers questions like: which adversaries are likely to target your sector, what motivates them, and which of those threats matter most to your business.
Who it’s for:
CISOs, risk managers, executive leadership, and policymakers.
Use cases:
Where Arachne Digital fits:
This is where Spindle and Tracery come in. Spindle organises threat actor attribution across campaigns and countries, while Tracery, our privacy-focused metasearch engine, helps us find the raw reports needed to track global threats in real time. Together, they provide both the source material and the structure for strategic decision-making.
Most organisations think they’re “doing CTI” when they subscribe to an IOC feed. But tactical intelligence on its own is reactive. It only tells you what the attacker did yesterday.
Without operational CTI, you don’t know how attackers adapt.
Without strategic CTI, you don’t know which threats matter most to your business.
If you want to build a threat-informed defence, as popularised by MITRE Engenuity’s Center for Threat-Informed Defense, you need to align defences against the threats most likely to affect you, and that means understanding the full threat landscape across all three levels.
Threat-informed defence is the practice of aligning your security decisions and controls with real-world threats, based on how adversaries actually operate.
Rather than guessing what might happen or relying solely on compliance checklists, threat-informed defence starts with threat intelligence. It uses data about actual attacks, campaigns, tools, and tactics used in the wild to shape detection rules, response plans, and long-term strategy.
It’s about moving from reactive to proactive. From generic protection to tailored defence.
Why It’s Useful
How CTI Guides the Process
Threat-informed defence is only possible with good CTI. Here’s how the three levels of intelligence feed into the process:
When CTI is structured and mapped to a common framework such as MITRE ATT&CK, it becomes even more powerful. You can see which observed techniques no control or detection covers, align your security controls with the threats actually reported against you, and track improvement over time by re-measuring that coverage as rules are added.
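As an added illustration of that mapping (this is example code written for this post, not Thread, Spindle or any other Arachne Digital code), the script below takes a handful of constructed threat reports, pulls the ATT&CK technique IDs out of the text (the tactical layer), aggregates them per actor to see which techniques are shared across adversaries (the operational layer), and then diffs the result against a constructed detection inventory to produce a prioritised gap list and a coverage ratio that can be re-measured over time (the strategic layer). The actor names, report text and rule names are all made up; the technique IDs are real ATT&CK identifiers. Treating a rule tagged with a parent technique (for example T1053) as covering its sub-techniques is an assumption of this example, not something ATT&CK defines.

```python
"""Added example: map report text to ATT&CK techniques and diff against detections.

Not Arachne Digital code. Reports, actors and detection rules below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample reports. Technique IDs are real ATT&CK identifiers; the
# actor names and narrative are invented for illustration.
REPORTS = [
    {"actor": "ACTOR-A",
     "text": "Initial access via spearphishing attachment (T1566.001). The actor "
             "dumped credentials from LSASS (T1003.001), moved laterally over SMB "
             "(T1021.002) and exfiltrated over HTTPS (T1041)."},
    {"actor": "ACTOR-B",
     "text": "Exploited a public-facing application (T1190), created a scheduled "
             "task for persistence (T1053.005) and exfiltrated over HTTPS (T1041)."},
    {"actor": "ACTOR-A",
     "text": "Follow-on campaign: spearphishing attachment (T1566.001), then "
             "PowerShell (T1059.001) and scheduled tasks (T1053.005)."},
    {"actor": "ACTOR-C",
     "text": "Valid accounts (T1078) abused after credential dumping (T1003.001); "
             "lateral movement via RDP (T1021.001)."},
]

# Constructed detection inventory: rule name -> ATT&CK techniques it is tagged with.
# Assumption of this example: a rule tagged with a parent technique (T1053) is
# treated as covering all of its sub-techniques (T1053.005).
DETECTIONS = {
    "lsass_access": {"T1003.001"},
    "scheduled_task_created": {"T1053"},
    "powershell_encoded_cmd": {"T1059.001"},
}

# Matches Txxxx or Txxxx.yyy technique identifiers as written in reports.
TECHNIQUE_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")


def extract_techniques(text):
    """Tactical layer: distinct technique IDs referenced in a report, in order seen."""
    seen = []
    for tid in TECHNIQUE_RE.findall(text):
        if tid not in seen:
            seen.append(tid)
    return seen


def build_actor_matrix(reports):
    """Operational layer: actor -> set of techniques observed across all reporting."""
    matrix = defaultdict(set)
    for report in reports:
        matrix[report["actor"]].update(extract_techniques(report["text"]))
    return dict(matrix)


def technique_prevalence(matrix):
    """technique -> number of distinct actors observed using it."""
    counts = defaultdict(int)
    for techniques in matrix.values():
        for tid in techniques:
            counts[tid] += 1
    return dict(counts)


def is_covered(tid, detections):
    """True if any rule is tagged with the technique itself or its parent technique."""
    parent = tid.split(".")[0]
    return any(tid in tags or parent in tags for tags in detections.values())


def coverage_gaps(matrix, detections):
    """Strategic layer: observed techniques no rule covers, most widely used first."""
    prevalence = technique_prevalence(matrix)
    gaps = [tid for tid in prevalence if not is_covered(tid, detections)]
    return sorted(gaps, key=lambda tid: (-prevalence[tid], tid))


def coverage_ratio(matrix, detections):
    """Fraction of observed techniques covered; re-measure this to track improvement."""
    observed = set().union(*matrix.values())
    if not observed:
        return 1.0
    covered = sum(1 for tid in observed if is_covered(tid, detections))
    return covered / len(observed)


if __name__ == "__main__":
    matrix = build_actor_matrix(REPORTS)
    for actor, techniques in sorted(matrix.items()):
        print(f"{actor}: {sorted(techniques)}")
    print("gaps, most shared first:", coverage_gaps(matrix, DETECTIONS))
    print(f"coverage now: {coverage_ratio(matrix, DETECTIONS):.0%}")
    # Simulate closing the top gap with a new rule and re-measuring.
    improved = dict(DETECTIONS, exfil_https_volume={"T1041"})
    print(f"coverage after a T1041 rule: {coverage_ratio(matrix, improved):.0%}")
```

The ordering in `coverage_gaps` is the point: T1041 surfaces first because two of the three constructed actors use it, which is the kind of evidence that turns a long list of uncovered techniques into a defensible priority for the next detection-engineering sprint. Swapping the constructed `REPORTS` for real enriched reporting and `DETECTIONS` for your rule inventory’s ATT&CK tags is all that changes the example from illustration to a working coverage check.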
Threat-informed defence is at the heart of what Arachne Digital does. Every tool we build, Thread, Spindle, Tracery, is designed to help organisations not just consume intelligence, but apply it meaningfully.
If the answer to either is no, you’re leaving value on the table.
Start thinking holistically about threat intelligence.
“Arachne Digital’s team works closely with us in integrating our tool, Speculo, with their data. Speculo is designed to help organisations get a full picture of their cyber risk with reliable analytics and a streamlined risk assessment process. The integration of Arachne Digital’s threat intelligence into Speculo provides evidence-based insights into cyber risks, making the tool more relevant to our customers. Arachne facilitated multiple face-to-face meetings and video calls, provided technical resources, comprehensive documentation, and example reports. This collaboration ensured that we could seamlessly integrate and utilize their data, significantly enriching the value we deliver to our clients.
Arachne Digital’s commitment to excellence and their proactive approach in supporting our needs have made them an indispensable partner. We highly recommend their services to any organisation looking to strengthen their threat intelligence capabilities.”
Arachne Digital is proud to partner with the DISARM Foundation as the inaugural member of their Partner Programme, launched at the beginning of 2024.
This partnership is crucial in supporting the DISARM Foundation’s mission to maintain and enhance the DISARM Framework, ensuring it remains a free and continuously updated resource in the fight against disinformation.
Through our collaboration, Arachne Digital provides valuable feedback, promotes the integration of the framework into our operations, and encourages wider adoption within the defender community. This partnership highlights our commitment to combating evolving threats and fostering a secure digital environment.