Threat Intelligence
threat intelligence
CTI
intelligence cycle

Threat Intelligence Lifecycle: The 6 Stages of CTI

What the threat intelligence lifecycle (CTI) is and its 6 stages: direction, collection, processing, analysis, dissemination and feedback.

SecraJuly 6, 20269 min read

The threat intelligence lifecycle (also called the CTI lifecycle) is the structured process by which an organisation turns raw data about adversaries into actionable intelligence that reduces risk. It is not a list of sources or a feed of indicators: it is a continuous six-stage programme (direction, collection, processing, analysis, dissemination and feedback) that starts and ends with the questions the business needs answered. This article is the hub of our threat intelligence cluster and the conceptual anchor for the more situational pieces on ransomware, deepfakes or vishing.

The essentials

  • The CTI lifecycle has 6 stages: direction, collection, processing, analysis, dissemination and feedback.
  • It begins with direction, where stakeholders define PIRs (priority intelligence requirements) and RFIs (requests for information).
  • Collection combines OSINT, open and commercial feeds, HUMINT and the organisation's own SOC telemetry.
  • Analysis uses frameworks such as the Diamond Model, MITRE ATT&CK and the Cyber Kill Chain to move from data to intelligence.
  • Dissemination delivers strategic, operational or tactical intelligence in the right format (report, STIX/TAXII, Sigma or YARA rules).

What the threat intelligence lifecycle is

Cyber threat intelligence (CTI) is knowledge about adversaries, their motivations, capabilities and infrastructure, produced to support decisions. The lifecycle is the engine that generates it in a repeatable way. The difference from a plain indicator feed is that the lifecycle starts from a specific business question rather than from whatever data happens to be available.

The table below summarises the six stages with their inputs, activities, outputs and typical owner. It doubles as a reference diagram of the programme.

StageInputsActivitiesOutputsOwner
DirectionBusiness risks, PIRs, RFIsPrioritise questions, assign resourcesIntelligence requirementsCISO, CTI lead
CollectionOSINT sources, feeds, HUMINT, telemetryGather data against the PIRsRaw, unfiltered dataCollection analysts
ProcessingHeterogeneous raw dataNormalise, deduplicate, enrich, translateStructured data (STIX)CTI data engineering
AnalysisProcessed dataPivot, correlate, apply frameworksAssessed intelligenceCTI analysts
DisseminationAssessed intelligenceFormat and deliver by audienceReports, feeds, alertsAnalysts, production
FeedbackReal use of the intelligenceMeasure, collect feedback, adjustRevised PIRs, improvementsCTI lead, stakeholders

The 6 stages of the CTI lifecycle

1. Direction

Everything starts here. Stakeholders (leadership, SOC, incident response, risk management) define what they need to know. The central tool is the PIR, a priority intelligence requirement phrased as a question: for example, "which ransomware groups target the healthcare sector in EMEA, and what techniques do they use for initial access?". Ad hoc requests are channelled as RFIs (requests for information). Without clear direction, the team ends up hoarding indicators nobody uses. A good PIR is specific, has an owner and is tied to a decision.

2. Collection

With the PIRs defined, data is gathered from diverse sources. OSINT (open source intelligence) is one of the main ones, and on its own it has its own cycle, which we explain in what is OSINT. Add to it open feeds (abuse.ch with URLhaus, ThreatFox and Feodo Tracker, AlienVault OTX, the CISA KEV catalogue), commercial feeds, HUMINT (access to closed forums, ISAC communities, sector sharing) and, crucially, your own telemetry: SIEM logs, EDR alerts, malware sandboxes and honeypots. Leaked-credential monitoring fits here as a source, as we detail in dark web monitoring.

3. Processing

Raw data arrives in heterogeneous formats and full of noise. Processing turns it into something usable: normalisation to a common schema (STIX 2.1 is the de facto standard), deduplication of repeated indicators, enrichment (GeoIP, WHOIS, passive DNS, ASN, VirusTotal reputation), false positive filtering, translation and tagging. This stage assigns a confidence level to each piece of data, using scales such as the Admiralty system (source reliability and information credibility), and marks the TLP (Traffic Light Protocol) level that will govern its distribution. An indicator with no context or confidence is close to useless.

4. Analysis

Here processed data becomes intelligence. The analyst pivots on infrastructure (passive DNS, shared SSL certificates, registration patterns) to uncover related adversary assets, and applies analytic frameworks that structure the reasoning:

  • Diamond Model: relates the four vertices of an intrusion (adversary, capability, infrastructure and victim).
  • MITRE ATT&CK: maps observed TTPs to concrete techniques (for example T1566 phishing, T1486 data encryption), which lets you measure detection coverage.
  • Cyber Kill Chain: orders the intrusion into phases, from reconnaissance to actions on objectives.

To reduce bias, analysts use the Analysis of Competing Hypotheses (ACH). Attribution, where warranted, is always expressed with confidence levels, never as certainty. Much of this work overlaps with threat hunting, which consumes the hypotheses that CTI analysis produces.

5. Dissemination

The best intelligence is useless if it does not reach the decision-maker, in the right format and on time. Dissemination adapts the product to each audience: risk reports for leadership, campaign reports for the SOC and incident response, and indicator feeds for the defensive tooling. On the machine-readable side, intelligence is shared as STIX 2.1 over TAXII 2.1, and at the tactical level it materialises as Sigma rules (SIEM detection), YARA rules (malware identification) and Suricata or Snort signatures. TLP marking defines who each report can be shared with.

6. Feedback

The most neglected stage, and the one that turns the process into a cycle. Here you measure whether the intelligence answered the PIRs, whether it was actionable and whether it arrived on time. Useful metrics: PIR coverage, time to produce, adoption rate, detections generated and false positive ratio. Stakeholder feedback adjusts and redefines the requirements, so the cycle returns to the direction stage with better questions. Without this loop, the programme stagnates, producing the same output even as the threats change.

CTI lifecycle versus the OSINT cycle

The two are often confused, but they operate at different scales.

  • The OSINT cycle is a collection discipline focused on open sources (planning, collection, processing, analysis and dissemination). It produces findings from what is publicly accessible.
  • The CTI lifecycle is a broader programme that ingests OSINT as one source among several, alongside closed feeds, HUMINT and internal telemetry, and adds an explicit feedback stage governed by stakeholder PIRs.

Put another way: OSINT is one input to the CTI collection stage, not a replacement for the full lifecycle.

Intelligence levels: strategic, operational and tactical

The intelligence product is delivered at three levels that serve different audiences and horizons:

  • Strategic: aimed at senior leadership. Trends, actor motivations, geopolitical and sector risk. Long horizon, low on technical detail, supports investment decisions.
  • Operational: aimed at the SOC and incident response. Specific campaigns, TTPs of active groups, infrastructure in use. Supports hunting and preparation.
  • Tactical: aimed at the tooling and front-line analysts. Indicators of compromise, detection rules, hashes and domains. Short lifespan and automated consumption in the SOC.

A mature programme produces at all three levels and tunes the cadence of each; an immature one stays only at the tactical level, drowning in indicators with no context.

TIP platforms and feeds

Sustaining the cycle by hand does not scale. A TIP (Threat Intelligence Platform) automates ingestion, STIX/TAXII normalisation, deduplication, enrichment, scoring and delivery to the SIEM, EDR and firewalls. On the open source side, MISP (with its galaxies and taxonomies), OpenCTI and Yeti stand out; on the commercial side, Anomali ThreatStream, Recorded Future, ThreatConnect and EclecticIQ. These platforms connect the processing stage to dissemination and are the operational backbone of the programme. The choice depends on maturity and on how well it fits the rest of the defensive stack.

Frequently asked questions

How many stages does the threat intelligence lifecycle have?

The most widely used model has six stages: direction, collection, processing, analysis, dissemination and feedback. Some variants condense it into five (merging processing and analysis) or four, but the six-stage version is the most useful because it separates processing from analysis and makes the feedback loop explicit.

What is the difference between CTI and OSINT?

OSINT is a collection discipline based on open sources, with its own cycle. CTI is a broader programme that consumes OSINT as one source among several (alongside closed feeds, HUMINT and internal telemetry) and governs it with business requirements and a feedback stage. OSINT feeds the CTI collection stage.

What is a PIR in threat intelligence?

A PIR (Priority Intelligence Requirement) is a key question, defined by stakeholders, that drives the entire cycle. A good PIR is specific, has an owner and is tied to a decision. PIRs prevent the team from collecting data that nobody will use.

Do I need a TIP to do threat intelligence?

Not to get started, but yes to scale. A small team can begin with open feeds and spreadsheets, but as soon as the volume of indicators grows, a TIP such as MISP or OpenCTI becomes essential to normalise, deduplicate and distribute without manual errors.

What are the Diamond Model and MITRE ATT&CK used for in the cycle?

Both are analysis-stage frameworks. The Diamond Model structures each intrusion into four vertices (adversary, capability, infrastructure, victim) and makes pivoting easier. MITRE ATT&CK maps observed techniques to a common catalogue, which lets you measure detection coverage and communicate TTPs unambiguously across teams.

Threat intelligence with Secra

At Secra we run the full CTI lifecycle as a service tailored to your organisation: defining PIRs alongside your stakeholders, multi-source collection, STIX/TAXII processing, analysis with the Diamond Model and MITRE ATT&CK, and dissemination at all three levels with metrics that close the feedback loop. All integrated with your SOC and aligned with NIS2.

Discover our threat intelligence service and let us build your threat intelligence programme.

About the author

Secra Solutions team

Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.

Share article