Rethinking Cyber Threat Intelligence: Strategic and Technical CTI as the New Standard
As a Cyber Threat Intelligence (CTI) analyst, I’ve seen firsthand how organizations struggle to implement the classic four-tier CTI model:
- strategic
- tactical
- operational
- technical
While this framework is useful in theory, in practice, the distinction between operational and tactical intelligence is often blurred—if not entirely nonexistent. This reality has led some to propose simplifying the classification into just two categories: strategic and technical CTI.
At first glance, this simplification may seem reductive, but upon closer inspection, it aligns more closely with how intelligence is consumed and applied in most organizations. Here’s why this approach makes sense and how it could improve the way we handle CTI.
The Challenges with Operational and Tactical CTI
In the traditional model:
- Tactical CTI focuses on short-term threats and defensive measures (e.g., attack patterns, threat actor tactics).
- Operational CTI provides actionable insights for active operations (e.g., actor motivations, campaign timelines).
In theory, the difference lies in the granularity and application of the intelligence. However, in practice:
- Overlap in content: The same intelligence (e.g., an IOC or a threat actor profile) can serve both tactical and operational needs depending on the audience.
- Overlap in audience: Often, the only real distinction is who consumes the intelligence. Tactical CTI is typically shared with SOC analysts and incident responders, while operational CTI usually goes to the threat hunting team. In most companies, however, these are the same people: the "teams" are a single group, or virtual teams drawn from it.
- Limited resources: Many organizations lack the resources or maturity to develop distinct tactical and operational intelligence. Instead, CTI teams often produce broad reports tailored to their stakeholders' immediate needs.
As a result, the operational/tactical divide becomes more about presentation than substance.
Strategic and Technical: A Simpler, More Effective Model
Reframing CTI into strategic and technical categories reflects how intelligence is actually used:
- Strategic CTI: Focuses on the broader picture. It informs long-term decision-making by identifying trends, geopolitical risks, and strategic adversaries. The audience includes C-suite executives, board members, and senior decision-makers.
- Technical CTI: Delves into the specifics of how threats operate. This includes indicators of compromise (IOCs), malware analysis, and TTPs (tactics, techniques, and procedures). It supports day-to-day defensive actions, feeding directly into SOCs, detection engineers, and response teams.
By consolidating CTI into these two categories, we eliminate artificial divisions and focus on what matters most: actionable insights for the right audience.
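To make the technical category concrete, here is an added example that is not from the original post: a small Python script that loads a constructed technical-CTI bundle (hypothetical indicators tagged with ATT&CK technique IDs; none of the values are real IOCs) and runs it over constructed proxy and EDR log lines, which is the SOC and detection-engineering consumption described above. The same hits are then rolled up by technique, the kind of aggregate a strategic report draws on, showing how one set of intelligence serves both audiences. The indicator types, log field names and the confidence threshold are all assumptions made for the example.

```python
"""Apply a small technical-CTI bundle to sample log lines (stdlib only).

Added illustration, not code from the original post. The indicator bundle
and the log lines below are constructed; the IOC values are placeholders.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed technical-CTI bundle (hypothetical values from documentation
# ranges; "technique" is an ATT&CK technique ID attached by the CTI team).
TECHNICAL_CTI = [
    {"type": "ipv4-addr", "value": "203.0.113.0/24", "technique": "T1071.001", "confidence": 80},
    {"type": "domain", "value": "update-check.example", "technique": "T1071.001", "confidence": 70},
    {"type": "sha256", "value": "a" * 64, "technique": "T1204.002", "confidence": 90},
    {"type": "domain", "value": "cdn.example", "technique": "T1071.001", "confidence": 20},
]

# Constructed log lines: three proxy events and one EDR event (hypothetical).
SAMPLE_LOGS = [
    "proxy src=10.0.0.5 dst=203.0.113.77 host=cdn.example action=allow",
    "proxy src=10.0.0.9 dst=198.51.100.8 host=update-check.example action=allow",
    "edr host=WS01 sha256=" + "a" * 64 + " proc=setup.exe",
    "proxy src=10.0.0.7 dst=192.0.2.10 host=intranet.example action=allow",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
HOST_RE = re.compile(r"\bhost=([A-Za-z0-9.-]+)")


@dataclass(frozen=True)
class Hit:
    log_index: int
    indicator: str
    technique: str
    confidence: int


def load_indicators(bundle, min_confidence=50):
    """Normalise the bundle into matchable structures.

    Entries below min_confidence are dropped: a noisy, low-confidence IOC
    belongs in a hunting query, not in an alerting rule.
    """
    nets, domains, hashes = [], [], {}
    for ind in bundle:
        if ind["confidence"] < min_confidence:
            continue
        if ind["type"] == "ipv4-addr":
            # strict=False lets a single host or a CIDR block both be used.
            nets.append((ipaddress.ip_network(ind["value"], strict=False), ind))
        elif ind["type"] == "domain":
            domains.append((ind["value"].lower(), ind))
        elif ind["type"] == "sha256":
            hashes[ind["value"].lower()] = ind
    return nets, domains, hashes


def match_log(line, index, nets, domains, hashes):
    """Extract observables from one log line and compare them to the bundle."""
    hits = []
    for ip in IPV4_RE.findall(line):
        addr = ipaddress.ip_address(ip)
        for net, ind in nets:
            if addr in net:
                hits.append(Hit(index, ind["value"], ind["technique"], ind["confidence"]))
    for host in HOST_RE.findall(line):
        host = host.lower()
        for dom, ind in domains:
            # Exact match or subdomain of the indicator (e.g. a.cdn.example).
            if host == dom or host.endswith("." + dom):
                hits.append(Hit(index, ind["value"], ind["technique"], ind["confidence"]))
    for digest in SHA256_RE.findall(line):
        ind = hashes.get(digest.lower())
        if ind is not None:
            hits.append(Hit(index, ind["value"], ind["technique"], ind["confidence"]))
    return hits


def run(bundle=TECHNICAL_CTI, logs=SAMPLE_LOGS, min_confidence=50):
    """Technical consumption: return every indicator hit across the logs."""
    nets, domains, hashes = load_indicators(bundle, min_confidence)
    hits = []
    for i, line in enumerate(logs):
        hits.extend(match_log(line, i, nets, domains, hashes))
    return hits


def summarize_by_technique(hits):
    """Strategic consumption: count observed activity per ATT&CK technique."""
    return dict(Counter(h.technique for h in hits))


if __name__ == "__main__":
    found = run()
    for h in found:
        print(f"log[{h.log_index}] matched {h.indicator} ({h.technique}, conf={h.confidence})")
    print("by technique:", summarize_by_technique(found))
```

With the default threshold the low-confidence `cdn.example` entry never alerts, even though the first proxy line carries that host; the line still fires on the destination address, which sits inside the /24 indicator. Lowering `min_confidence` to 0 turns that same line into two hits, which is the trade-off a SOC makes when deciding which technical CTI goes into blocking rules and which stays in hunting.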
A Pragmatic Way Forward
In an ideal world, every organization would have the resources to fully implement the traditional CTI model. But the reality is different. By focusing on strategic and technical CTI, we can align our work more closely with the way intelligence is consumed, making our outputs more actionable and relevant.
This approach isn’t about abandoning the richness of CTI but rather about making it practical and impactful. As cyber threats continue to evolve, simplifying our frameworks could be the key to staying agile and effective.