Most threat intelligence programs start with a feed subscription and a wish. The ones that succeed start with a clear set of intelligence requirements that tie every collection decision, every analysis product, and every dissemination channel to a decision-maker's need.
Building a Threat Intelligence Program Around Intelligence Requirements
Most threat intelligence programs start with a feed subscription and a wish. Someone buys a threat intelligence platform, connects a dozen feeds, and expects value to materialise. Six months later, analysts are drowning in noise, stakeholders are frustrated, and leadership questions the return on investment.
The problem is not the tools. It is the architecture. A mature intelligence program is built around a clear, structured set of requirements that tie every collection decision, every analysis product, and every dissemination channel to a decision-maker's need.
This post explains how to architect a threat intelligence program that uses intelligence requirements as its central organising principle.
Why Programs Fail Without Requirements
Intelligence requirements are not an administrative checkbox. They are the mechanism by which a program separates signal from noise. Without them, a team collects what is available rather than what is needed. Analysts produce what interests them rather than what drives decisions. Dissemination becomes broadcast rather than targeted delivery.
The symptoms are familiar:
- Alert fatigue: Analysts process thousands of IOCs with no criteria for relevance, because no one has defined what relevance means for the organisation.
- Unused reports: Weekly intelligence summaries sit unread because they do not answer questions the audience actually has.
- Reactive posture: The team chases headlines and vendor disclosures instead of monitoring the threats that matter to the business.
- Undefined value: Leadership cannot articulate what intelligence delivers because the program never established what it was trying to achieve.
Requirements fix this by making the program's purpose explicit. They create a contract between the intelligence team and its consumers. Every activity can be traced back to a documented need.
The Intelligence Requirements Lifecycle in Program Design
A program built around requirements treats the intelligence cycle not as a theoretical model but as an operational framework. Each phase has specific deliverables, owners, and metrics.
1. Intake and Consumer Mapping
Before writing a single requirement, understand who consumes intelligence and what decisions they make.
Identify your intelligence consumers across the organisation. Common consumers include:
- Security Operations: Triage, detection engineering, incident response
- Vulnerability Management: Patch prioritisation, exposure assessment
- Executive Leadership: Strategic risk, board reporting, resource allocation
- Incident Response: Threat attribution, scope assessment, recovery planning
- Red Team / Purple Team: Adversary emulation, control validation
- Third-Party Risk: Vendor assessment, supply chain monitoring
For each consumer, document:
- The decisions they make that intelligence could improve
- The time horizons they operate on (tactical hours, operational days, strategic quarters)
- The formats they can absorb (alerts, briefings, written reports, dashboards)
- Their current sources of information and where the gaps are
This mapping becomes the foundation for your requirement set. If a consumer group has no defined intelligence needs, that is valuable information. It means either the program should not serve them yet, or they need help articulating their requirements.
2. Requirement Development
Translate consumer needs into formal intelligence requirements. A good requirement is specific, measurable, and decision-relevant.
Use the hierarchy: Priority Intelligence Requirements (PIRs) at the top, Intelligence Requirements (IRs) beneath them, and Essential Elements of Information (EEIs) as the specific data points needed to answer each IR.
For example, if a consumer's need is "understand whether our industry is being targeted by ransomware groups," the formal requirement structure might look like:
- PIR: What is the ransomware threat to our sector, and how does it affect our risk posture?
- IR: Are ransomware groups specifically targeting organisations in our industry vertical?
- EEI: What ransomware groups have named our sector in leak site posts or victim announcements?
- EEI: What initial access vectors are most commonly used in attacks against our industry peers?
- EEI: What is the average dwell time between initial access and encryption in relevant incidents?
Each EEI should be specific enough that an analyst can say definitively whether the information is collected and what confidence they have in it.
3. Collection Architecture
With requirements defined, design collection to match. This is where most programs go wrong by subscribing to feeds first and asking questions later.
For each EEI, map specific sources:
- Internal telemetry: SIEM logs, endpoint data, network flow, incident case notes
- Commercial intelligence: Subscriptions to CTI vendors, incident response retainers, industry sharing groups
- Open sources: Security research blogs, government advisories, dark web monitoring, social media
- Human intelligence: Industry contacts, conference attendance, law enforcement liaison
The key discipline is to justify every source against a specific EEI. If a source does not directly support a documented requirement, question whether it should be in the program. This is not about minimising sources; it is about ensuring every source has a purpose.
Document collection gaps explicitly. If no source exists for a critical EEI, that is a program risk to escalate, not an embarrassment to hide.
4. Analysis and Production
Analysis turns collected information into intelligence. A requirements-driven program structures analysis around requirement satisfaction, not around what data happens to be available.
Establish production standards:
- Analytical confidence: Every assessment includes a confidence level (high, moderate, low) with explicit reasoning. High confidence requires multiple corroborating sources and direct evidence. Low confidence is honest about uncertainty.
- Source attribution: Analysts document where information came from, including source reliability assessments.
- Alternative analysis: For high-stakes assessments, consider structured techniques like Analysis of Competing Hypotheses to avoid confirmation bias.
- Temporal context: Intelligence products indicate the period covered and the expected shelf life. Threat landscape assessments expire faster than actor profiles.
Match product format to requirement type:
- Flash alerts for operational requirements needing immediate action
- Weekly summaries for tracking requirements that need ongoing monitoring
- Deep-dive reports for strategic requirements needing comprehensive assessment
- Dashboards for metrics and trend visualisation
5. Dissemination and Feedback
The best intelligence is worthless if it does not reach the right person at the right time in the right format.
For each consumer, define:
- Channel: Email, Slack, ticketing system, briefing, dashboard
- Cadence: Real-time, daily, weekly, quarterly
- Format: Length, visual elements, technical depth
- Escalation path: How time-sensitive intelligence bypasses normal delivery
Build feedback mechanisms into the program from day one. After every significant product, ask consumers:
- Did this answer your requirement?
- Was the format appropriate?
- Was the timing useful?
- What is still missing?
Use this feedback to refine requirements, adjust collection, and improve products. Requirements are not static. They evolve as the threat landscape changes and as the organisation's risk posture matures.
6. Measurement and Maturity
A program built on requirements can measure itself. Track metrics that matter:
- Requirement coverage: What percentage of documented requirements have active collection and recent production?
- Consumer satisfaction: Regular surveys or structured feedback sessions with intelligence consumers
- Decision impact: Documented cases where intelligence influenced a security decision
- Collection efficiency: Ratio of collected information to relevant information (are you filtering noise effectively?)
- Analytical accuracy: Retrospective assessment of forecasts and assessments against what actually happened
Use these metrics to drive program maturity. Early programs may have broad requirements and low coverage. Mature programs have precise requirements, high coverage, and demonstrated impact on decisions.
Structuring the Program Team
Intelligence requirements also guide how you structure the team. A requirements-driven program typically needs:
- Requirement managers: Bridge between consumers and the intelligence team. They understand consumer needs, translate them into formal requirements, and validate that products meet the need.
- Collection managers: Maintain the source architecture, evaluate new sources against requirements, and manage collection gaps.
- Analysts: Produce intelligence against specific requirements, maintaining analytical standards and confidence levels.
- Production specialists: Format and disseminate intelligence according to consumer preferences and requirement urgency.
In smaller programs, individuals wear multiple hats. The discipline is to maintain the functions even when the headcount does not allow dedicated roles.
Common Pitfalls
Even with good intentions, programs stumble. Watch for:
- Requirements as decoration: Writing requirements and then ignoring them. Requirements must drive daily activity.
- Over-precision too early: New programs with twenty granular requirements before they have proven collection capability. Start with broad requirements and refine as the program matures.
- Analysts as sole requirement owners: Requirements should be co-owned with consumers. Analysts understand what is collectible; consumers understand what is decision-relevant.
- Static requirements: Setting requirements once and never reviewing them. The threat landscape changes. Consumer needs change. Requirements must be living documents.
- Equating output with value: Measuring success by reports produced rather than decisions influenced. A single flash alert that prevents a breach is more valuable than a hundred unread weekly summaries.
Getting Started
If you are building or rebuilding a threat intelligence program, start here:
- Map your consumers: List every group that could use intelligence. Interview them about their decisions and information gaps.
- Draft initial PIRs: Write 3–5 Priority Intelligence Requirements based on the most critical decisions your consumers make.
- Decompose to EEIs: Break each PIR into specific information needs.
- Audit your collection: List every source you currently have. Map each to an EEI. Identify gaps.
- Publish a requirement set: Document the requirements, sources, and gaps. Share with stakeholders.
- Establish feedback loops: Schedule regular reviews with consumers to validate requirements and assess product utility.
This approach is slower than buying a threat feed and turning it on. But it produces a program that delivers measurable value, justifies its existence, and improves over time.
Conclusion
Threat intelligence is not a technology problem. It is an information problem. The organisations that succeed are those that treat intelligence as a structured discipline with clear requirements, deliberate collection, rigorous analysis, and accountable dissemination.
Build your program around intelligence requirements, and you build it to last. Build it around feeds and tools, and you build it to generate noise.
The choice is yours.