
What is Cyber Threat Intelligence (CTI)

In short

Cyber Threat Intelligence (CTI) is the discipline that collects, analyses and contextualises threat information (who attacks, with which techniques and infrastructure) in order to anticipate and stop attacks. It is delivered as machine-readable IOCs, threat actor profiles and sector advisories. What sets it apart is original intelligence, produced from real incidents, rather than feeds that are simply resold.

From information to anticipation

Cyber Threat Intelligence turns raw threat data into actionable knowledge: not “there is malware out there”, but “this actor, with these techniques, is targeting your sector, here are the indicators to block”. It is the difference between reacting and anticipating.

The three levels

CTI breaks down into strategic (for the board: trends and risk), operational (for the SOC: campaigns and TTPs) and technical (for the tools: IOCs). Good CTI serves all three, each to the right audience.

Original, not resold

The real value comes from primary sources: incidents actually handled, direct actor research, monitoring of the criminal underground. That is what enables attributions like Nebula Broker, later confirmed by global vendors.

Comparison

The three levels of CTI

Level         For whom               Examples
Strategic     Board, CISO            Trends, actors by sector, business risk
Operational   SOC, threat hunters    Active campaigns, TTPs, C2 infrastructure
Technical     SIEM/EDR               IOCs: IPs, domains, hashes, YARA
Field-observed proof · original attribution

Fortgale was the first to attribute the Italian actor Nebula Broker (2023); Mandiant (Google) later confirmed it as UNC4990. Original intelligence, not resold.

FAQ

Frequently asked.

What are IOCs and TTPs?

IOCs (Indicators of Compromise) are observable technical data: IPs, domains, hashes, URLs. TTPs (Tactics, Techniques and Procedures) describe how an actor operates, mapped to MITRE ATT&CK. IOCs tell you “what to look for”, TTPs “how the adversary moves”.

What is the difference between in-house CTI and commercial feeds?

Many vendors resell feeds aggregated from third parties. In-house CTI generates original intelligence from primary sources: incidents handled, actor research, deep and dark web monitoring. It is more contextual and actionable.

Is CTI only for large companies?

No. Even a mid-sized company benefits from knowing which actors target its sector and from receiving IOCs applicable to its own stack. CTI is available both integrated into the SOC/MDR and standalone.

How is CTI used in defence?

IOCs automatically feed SIEM/EDR/firewall to block known threats; TTPs drive threat hunting; vertical advisories warn in advance when an actor prepares campaigns against a sector.
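The two FAQ answers above (IOCs versus TTPs, and how each is used in defence) can be shown in working code. The following is an added example written for this page, not Fortgale's code or any product's: it runs a constructed indicator set and one behavioural hunt rule over constructed key=value log lines of the kind a SIEM normalises. The indicator values (TEST-NET addresses, .example domains, a placeholder hash), the log layout, and the choice of ATT&CK T1059 (Command and Scripting Interpreter) as the technique the hunt rule maps to are all assumptions made for the illustration.

```python
"""IOC matching and a TTP-style hunt rule over constructed log lines.

IOCs answer "what to look for" (exact artefacts: IPs, domains, hashes);
a TTP rule answers "how the adversary moves" (behaviour that survives a
change of infrastructure or a recompiled binary).
"""
import re
from urllib.parse import urlsplit

# Constructed indicator set, not real intelligence. Addresses come from the
# TEST-NET documentation ranges; the hash is a placeholder.
IOCS = {
    "ip": {"203.0.113.45", "198.51.100.7"},
    "domain": {"update-check.example", "cdn-static.example"},
    "sha256": {"0123456789abcdef" * 4},
}

# Constructed sample events in key=value form, as a SIEM might normalise them.
SAMPLE_LOGS = [
    "type=dns src=10.0.0.12 query=files.update-check.example",
    "type=proxy src=10.0.0.12 dst=203.0.113.45 url=http://203.0.113.45/x",
    "type=edr host=ws-17 parent=winword.exe image=powershell.exe sha256="
    + "0123456789ABCDEF" * 4,
    "type=edr host=ws-22 parent=explorer.exe image=powershell.exe sha256="
    + "f" * 64,
    "type=proxy src=10.0.0.30 dst=192.0.2.9 url=http://intranet.example/",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn a key=value log line into a dict (unknown layout -> empty dict)."""
    return dict(KV_RE.findall(line))


def domain_matches(host, indicators):
    """Match the host itself or any parent domain: a.b.example hits b.example."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in indicators for i in range(len(labels) - 1))


def match_iocs(event):
    """Return sorted (ioc_type, value) pairs the event hits.

    IPs are exact, hashes are compared case-insensitively, domains are
    suffix-aware. A URL is split so its hostname is checked as both an IP
    and a domain candidate.
    """
    hits = set()
    ip_candidates = {event.get("src"), event.get("dst")}
    host_candidates = {event.get("query")}
    if "url" in event:
        host = urlsplit(event["url"]).hostname
        ip_candidates.add(host)
        host_candidates.add(host)
    for ip in ip_candidates:
        if ip in IOCS["ip"]:
            hits.add(("ip", ip))
    for host in host_candidates:
        if host and domain_matches(host, IOCS["domain"]):
            hits.add(("domain", host.lower()))
    digest = event.get("sha256", "").lower()
    if digest in IOCS["sha256"]:
        hits.add(("sha256", digest))
    return sorted(hits)


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe"}


def hunt_ttps(event):
    """Behavioural rule: an Office application spawning a script interpreter.

    Mapped (illustratively) to ATT&CK T1059, Command and Scripting Interpreter.
    It fires regardless of the child's hash or any C2 address, which is what
    makes TTP-driven hunting more durable than IOC blocking.
    """
    if event.get("type") != "edr":
        return []
    parent = event.get("parent", "").lower()
    image = event.get("image", "").lower()
    return ["T1059"] if parent in OFFICE_APPS and image in SCRIPT_HOSTS else []


def triage(lines):
    """Run both checks over raw lines; one record per line that hit anything."""
    findings = []
    for line in lines:
        event = parse_event(line)
        iocs, ttps = match_iocs(event), hunt_ttps(event)
        if iocs or ttps:
            findings.append({"line": line, "iocs": iocs, "ttps": ttps})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding)
```

Run as a script, it reports three of the five constructed events: the DNS query to a subdomain of a listed domain, the proxy connection to a listed IP, and the EDR event whose hash matches (case-insensitively) and which also trips the behavioural rule. The fourth event shows the distinction the FAQ draws: a PowerShell launch from explorer.exe with an unknown hash matches neither an IOC nor the TTP rule, whereas a recompiled payload launched from Word would still be caught by the TTP rule even with no IOC on file.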

How Fortgale delivers it

From theory to a real operation.

What you read here, Fortgale runs every day with a European SOC 24·7·365: 287 tools and actors profiled, <30 min median containment. Explore the service: Fortgale CTI service.


Want to go deeper with an analyst?

A technical conversation, not a funnel.

Leave your details: an analyst calls you back within one business day. European SOC, same time zone, proprietary intelligence on the actors active across the EU.

Response time: < 1 business day.