The Three Levels of Cyber Threat Intelligence (And Why You Need All of Them)

Tactical CTI is where most CTI programs begin, and often where they stop.

What it is:

Tactical CTI provides observable indicators. Think:

• Malicious IPs
• File hashes
• Suspicious domains
• Signatures for malware or exploits

Who it’s for:

SOC analysts, detection engineers, threat hunters.

Use cases:

• Blocking known threats at the firewall or endpoint
• Speeding up triage during alert investigations
• Writing detection rules for SIEM or EDR
• Automating defences through IOC feeds

Where Arachne Digital fits:

We built Thread to enrich raw text (news articles, threat reports, breach disclosures) with MITRE ATT&CK TTPs. Instead of just telling you “this IP is bad,” Thread helps you understand how it was used, initial access, lateral movement, exfiltration, and allows you to map threat activity directly into your environment.

Operational CTI tells you how attackers work. This is the bridge between raw indicators and strategic decision-making.

What it is:

Operational CTI focuses on campaign patterns and attacker behaviours, such as:

• Common tactics and techniques
• Toolsets used in recent intrusions
• Shifts in targeting or tradecraft
• Infrastructure reuse across campaigns

Who it’s for:

Detection engineers, incident response teams, purple teams, CTI analysts.

Use cases:

• Improving detection through understanding TTPs
• Informing red team simulations
• Building better playbooks
• Prioritising patching and hardening efforts

Where Arachne Digital fits:

Thread helps here too, but so does Spindle. Spindle tracks known threat actors and their aliases, linking them to ATT&CK TTPs, historical campaigns, and public reporting. Combined, these tools let analysts move from “what happened” to “how and why it happened.”

Strategic CTI zooms all the way out. It’s about adversaries, motivations, and risk. This is the type of intelligence that belongs in a boardroom briefing.

What it is:

Strategic CTI answers questions like:

• Who’s targeting our sector, and why?
• Are we at risk due to geopolitical events?
• What threats should we plan for over the next year?

Who it’s for:

CISOs, risk managers, executive leadership, and policymakers.

Use cases:

• Informing security strategy and budgeting
• Supporting business continuity and resilience planning
• Justifying investments in specific capabilities
• Understanding long-term adversary intent

Where Arachne Digital fits:

This is where Spindle and Tracery come in. Spindle organises threat actor attribution across campaigns and countries, while Tracery, our privacy-focused metasearch engine, helps us find the raw reports needed to track global threats in real time. Together, they provide both the source material and the structure for strategic decision-making.

Most organisations think they’re “doing CTI” when they subscribe to an IOC feed. But tactical intelligence on its own is reactive. It only tells you what the attacker did yesterday.

Without operational CTI, you don’t know how attackers adapt.
Without strategic CTI, you don’t know which threats matter most to your business.

If you want to build a threat-informed defence, as popularised by MITRE, you need to align defences against the threats most likely to affect you, and that means understanding the full threat landscape across all three levels.

Threat-informed defence is the practice of aligning your security decisions and controls with real-world threats, based on how adversaries actually operate.

Rather than guessing what might happen or relying solely on compliance checklists, threat-informed defence starts with threat intelligence. It uses data about actual attacks, campaigns, tools, and tactics used in the wild, to shape detection rules, response plans, and long-term strategy.

It’s about moving from reactive to proactive. From generic protection to tailored defence.

Why It’s Useful

• Better resource allocation: You can focus on threats that are relevant to your organisation or sector, rather than trying to defend against everything.
• Improved detection: Understanding TTPs lets you build detections that catch attacker behaviour, not just known indicators.
• Faster response: Playbooks and simulations can be based on real adversary workflows, reducing the time it takes to contain and recover.
• Stronger justification: Strategic CTI helps security teams communicate risks and justify investment to executives and boards.

How CTI Guides the Process

Threat-informed defence is only possible with good CTI. Here’s how the three levels of intelligence feed into the process:

• Tactical CTI provides indicators to detect and block known threats.
• Operational CTI reveals how attackers behave, helping teams build effective detections and playbooks.
• Strategic CTI shapes long-term priorities by showing which threats are most likely to target your business.

When CTI is structured and mapped, such as through frameworks like MITRE ATT&CK, it becomes even more powerful. You can see gaps in your defences, align your security controls with actual threats, and track improvement over time.

Threat-informed defence is at the heart of what Arachne Digital does. Every tool we build, Thread, Spindle, Tracery, is designed to help organisations not just consume intelligence, but apply it meaningfully.

• Am I getting all three levels of CTI from my provider? (Tactical, Operational, Strategic)
• Am I actually using that intelligence to shape detection, response, and strategy?

If the answer to either is no, you’re leaving value on the table.

Start thinking holistically about threat intelligence.