A practical guide to building a CTI collection plan that converts approved PIRs into the daily analyst rhythm - source assignments, frequencies, named owners, gap registers, and weekly reviews that keep the plan alive.
Priority Intelligence Requirements tell you what matters. A collection plan tells your team how to find out - every day, from every source, with clear ownership and deadlines. Without one, PIRs become wall art. With one, they become the operating system of your CTI program.
This post walks through how to build a collection plan that turns approved PIRs into the daily work analysts actually execute: source assignments, query schedules, ingestion checks, and the discipline that keeps the plan from rotting on contact with reality.
What a Collection Plan Is — and Is Not
A collection plan is the bridge between strategy (PIRs) and execution (analyst tasks). It maps every Essential Element of Information (EEI) to a specific source, owner, frequency, and method.
It is not:
- A list of threat feeds you subscribe to
- A SIEM rule catalog
- A vendor dashboard
- A spreadsheet of TTPs from last quarter's report
It is:
- A living document tied to current PIRs
- A schedule of who collects what, from where, and how often
- A gap register that flags EEIs no source can answer
- An accountability tool for both analysts and leadership
If your "collection plan" cannot tell you what an analyst should be doing at 9:15 AM on a Tuesday, it is not a collection plan — it is a sourcing inventory.
The Anatomy of a Collection Plan Entry
Every row in the plan should answer the same seven questions. Anything less and the work cannot be assigned or audited.
| Field | Purpose | Example |
|---|---|---|
| PIR ID | Links the work to a stakeholder decision | PIR-03 (Ransomware exposure to financial sector) |
| EEI | The specific data point being collected | New ransomware leak-site posts naming financial services victims |
| Source | Where the data comes from | Ransomwatch + DarkOwl + curated Telegram channels |
| Method | How it gets pulled | API poll → normalize → enrich → tag |
| Frequency | How often collection runs | Every 30 minutes |
| Owner | Who is accountable for the run | SOC analyst on duty; CTI lead on exception |
| Output | Where the result lands | Evidence timeline → PIR-03 working file |
A plan with 40 EEIs and 40 complete rows is more valuable than a plan with 400 EEIs and missing owners.
Step 1: Inventory Your Sources Honestly
Before you assign anything, take a clear-eyed inventory of what you can actually collect from today. Most teams overestimate their coverage because they confuse "we have a license" with "we have a working pipeline."
Categorize by access reality
- Tier 1 - Live, automated: API access, normalized into your platform, queryable today
- Tier 2 - Manual but repeatable: Web portals, RSS feeds, mailing lists — collectable on a schedule by a human
- Tier 3 - Episodic: Vendor briefings, ISAC calls, partner intel — useful but not on demand
- Tier 4 - Aspirational: Sources you wish you had but currently do not (closed forums, HUMINT, premium feeds awaiting procurement)
Map Tier 4 separately. Those entries are your collection gaps, not your collection plan.
The honest source review
For each source, write down:
- Last successful pull - when did this source actually produce usable data?
- Failure modes - what breaks (rate limits, auth expiry, schema drift)?
- Cost per insight - how much analyst time does each answer require?
- Unique contribution - what does this source give you that no other source does?
Sources that fail this review get retired or renegotiated. Sources that pass become the building blocks of the plan.
Step 2: Map EEIs to Sources
This is the core of the plan. For each EEI from your approved PIRs, identify which source (or combination of sources) can answer it.
The mapping matrix
| EEI | Primary source | Secondary source | Confidence |
|---|---|---|---|
| Ransomware leak-site posts naming financial sector victims | Ransomwatch (Tier 1) | Curated Telegram (Tier 2) | High |
| New CVEs affecting our exposed cloud stack | NVD + vendor advisories (Tier 1) | GreyNoise exploitation data (Tier 1) | High |
| Initial-access broker listings referencing our region | DarkOwl (Tier 1) | Flashpoint reporting (Tier 3) | Medium |
| Geopolitical events affecting executive travel | OSINT news APIs (Tier 1) | Regional security partner briefings (Tier 3) | Medium |
| HUMINT on a specific actor's tooling | — | — | None — gap |
The last row matters most. If an EEI has no source, the plan must flag it as a gap and either reassign the work, accept the gap with documented impact, or escalate for new collection capability.
One-to-many is normal
A single EEI often requires multiple sources for confidence. A single source often supports multiple EEIs. Build the matrix so both relationships are visible - when a source breaks, you need to know every PIR that suffers.
Step 3: Set Frequencies Based on Decision Velocity
Not every EEI needs to be checked every hour. Frequency should follow the decision the PIR supports - not analyst habit or feed availability.
The frequency framework
| Decision velocity | Example PIR | Collection frequency |
|---|---|---|
| Real-time | Active incident response, executive protection | Streaming / sub-hourly |
| Daily | SOC tuning, emerging-threat monitoring | Every 1-4 hours |
| Weekly | Sector threat trends, vulnerability prioritization | Daily digest |
| Monthly | Strategic landscape, board reporting | Weekly rollup |
| Episodic | M&A due diligence, market entry | Triggered by decision date |
Over-collecting is not free. It burns analyst attention, fills queues with noise, and trains the team to ignore alerts. Match cadence to the decision, then defend the cadence in reviews.
Step 4: Assign Owners, Not Teams
"The CTI team owns this" is not ownership. It is diffusion of responsibility dressed up as governance.
Two roles per EEI
- Run owner - the named person responsible for the collection executing on schedule. For automated pulls, this is the engineer who maintains the pipeline. For manual collection, this is the analyst who runs the query.
- Quality owner - the named person responsible for the output being usable. They review the data, escalate anomalies, and confirm it answers the EEI.
These can be the same person, but they must be named individuals - not job titles, not rotating roles, not "whoever is on shift." When something breaks at 2 AM, the on-call analyst needs to know exactly who to wake up.
Coverage and backup
Every EEI needs a primary and a backup owner. Travel, illness, and attrition will test the plan. Document the handoff procedure in the plan itself, not in a separate runbook nobody reads.
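One way to put Steps 1, 2 and 4 under automated check, as an added example that is not part of the original post: the plan is held as structured rows, each row is linted for the seven fields and for a named (not role-based) owner, rows whose only sources are Tier 4 land in the gap register, and a reverse map shows every PIR that suffers when a source breaks. The source names, tiers, owners and rows are constructed sample data, and the "not a person" word list is an assumed heuristic.

```python
from collections import defaultdict

# The seven fields every plan row must answer (Anatomy of a Collection Plan Entry).
REQUIRED = ("pir", "eei", "source", "method", "frequency", "owner", "output")
# Owner wording that names a role or team instead of a person (assumed heuristic).
NOT_A_PERSON = ("team", "on duty", "on shift", "whoever")
# Constructed source inventory; tiers follow the Step 1 categories (4 = aspirational).
SOURCE_TIERS = {"Ransomwatch": 1, "DarkOwl": 1, "NVD": 1, "Curated Telegram": 2,
                "Flashpoint reporting": 3, "HUMINT": 4}
# Constructed plan rows; the last one is deliberately incomplete and unsourced.
PLAN = [
    {"pir": "PIR-03", "eei": "Leak-site posts naming financial victims",
     "source": ["Ransomwatch", "Curated Telegram"], "method": "API poll",
     "frequency": "30m", "owner": "A. Rivera", "output": "PIR-03 timeline"},
    {"pir": "PIR-03", "eei": "Initial-access broker listings for our region",
     "source": ["DarkOwl", "Flashpoint reporting"], "method": "portal query",
     "frequency": "4h", "owner": "SOC analyst on duty", "output": "PIR-03 timeline"},
    {"pir": "PIR-05", "eei": "New CVEs affecting exposed cloud stack",
     "source": ["NVD", "DarkOwl"], "method": "API poll", "frequency": "1h",
     "owner": "J. Okafor", "output": "PIR-05 timeline"},
    {"pir": "PIR-07", "eei": "HUMINT on a specific actor's tooling",
     "source": ["HUMINT"], "method": "", "frequency": "", "owner": "", "output": ""},
]

def lint_row(row):
    """Problems that stop a row being assigned or audited; [] means it is complete."""
    problems = [f"missing {f}" for f in REQUIRED if not row.get(f)]
    owner = str(row.get("owner", "")).lower()
    if owner and any(word in owner for word in NOT_A_PERSON):
        problems.append("owner is a role or team, not a named person")
    return problems

def gap_register(plan):
    """(PIR, EEI) pairs with no collectable source: none, or only Tier 4 sources."""
    return [(r["pir"], r["eei"]) for r in plan
            if not any(SOURCE_TIERS.get(s, 4) <= 3 for s in r["source"])]

def source_impact(plan):
    """Reverse map from each source to the PIRs that lose coverage if it breaks."""
    impact = defaultdict(set)
    for r in plan:
        for s in r["source"]:
            impact[s].add(r["pir"])
    return {s: sorted(pirs) for s, pirs in impact.items()}

if __name__ == "__main__":
    print({r["eei"]: lint_row(r) for r in PLAN if lint_row(r)})
    print(gap_register(PLAN), source_impact(PLAN))
```

Run it in the weekly review to produce the gap list and the blast radius of any failed source before discussing changes.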
Step 5: Translate the Plan Into a Daily Battle Rhythm
A collection plan that lives in a SharePoint folder is not a plan — it is a document. The plan becomes real when it produces a daily rhythm analysts execute without thinking about it.
The analyst's day, structured by the plan
Morning (first 60 minutes):
- Review overnight automated collection output for PIR-tagged hits
- Triage flagged items against active PIRs
- Confirm Tier 1 pipelines ran successfully; open tickets for failures
- Update the evidence timeline for each PIR with new material
Midday (90 minutes):
- Execute manual Tier 2 collections (portal queries, forum sweeps, partner exchanges)
- Enrich and tag new material to the correct PIR
- Surface emerging items that may justify a new EEI or revised PIR
Afternoon (variable):
- Produce PIR-aligned analysis from the day's collection
- Update gap register with anything that could not be answered
- Hand off open items to next shift or next-day owner
End of day:
- 15-minute standup: what was collected, what failed, what changed
- Confirm tomorrow's manual collection assignments
- Log gaps for the weekly collection review
This is not a suggestion. It is the discipline that converts a plan into intelligence.
Step 6: Run a Weekly Collection Review
The plan will drift. Sources break, EEIs change, new PIRs land, decisions shift. A weekly review is the maintenance interval that keeps it operational.
The review agenda (30 minutes, every week)
- Pipeline health - which Tier 1 sources failed this week and what was the impact?
- Manual collection completion - were all scheduled Tier 2 collections executed?
- New gaps - what EEIs failed to produce usable data, and why?
- PIR alignment - have any PIRs been added, retired, or revised that change collection?
- Workload check - is the plan still executable with current staff, or are we accumulating debt?
The output of the review is a short list of changes to the plan, owned by named people, with deadlines. No deadline, no change.
Step 7: Treat Gaps as First-Class Citizens
Every collection plan has gaps. Mature programs make them visible; immature programs hide them. The gap register is where credibility is built or lost.
What a gap entry should include
- The EEI that cannot be answered
- The PIRs affected
- Why the gap exists (source unavailable, budget, skill, access)
- The current workaround, if any
- The impact on the decision if the gap is not closed
- The owner responsible for closing it and the target date
Gaps reviewed quarterly with leadership become budget requests. Gaps left in a spreadsheet become next year's incident retrospective.
Common Failure Modes
Even well-designed plans degrade. Watch for these patterns:
- The "set and forget" plan - written once, never reviewed. Within three months it no longer reflects active PIRs or working sources.
- Tool-driven collection - EEIs invented to justify a vendor purchase rather than answer a decision. If the EEI does not trace to a PIR, it does not belong in the plan.
- Heroic individuals - one analyst quietly carries half the plan. When they leave, the program collapses. Cross-training and named backups are not optional.
- No feedback loop to PIRs - collection runs in isolation from the decisions it supports. Analysts deliver reports nobody reads, while stakeholders ask questions the plan cannot answer.
- Confusing volume with value - measuring success by "number of indicators collected" rather than "number of PIRs answered with high-confidence evidence."
A Minimum Viable Collection Plan
If you have nothing today, do not start by writing a 50-page document. Start with this:
- List your three to five active PIRs
- For each PIR, list the EEIs that would answer it
- For each EEI, name the source, the owner, the frequency, and the output location
- For any EEI without a source, mark it as a gap
- Schedule a 30-minute weekly review on a recurring calendar invite
- Run the plan for two weeks before adding anything to it
A one-page plan that gets executed daily is worth more than a comprehensive plan that nobody uses.
Summary: The Collection Plan Checklist
- Every EEI traces to an approved PIR
- Every EEI has a primary source, backup source, and confidence rating
- Every source has a tier classification and a last-successful-pull date
- Every entry has a named run owner and quality owner with a backup
- Frequencies match the decision velocity of the PIR, not feed availability
- Gaps are tracked in a register reviewed at least quarterly with leadership
- A daily analyst rhythm executes the plan without ad-hoc improvisation
- A weekly review updates the plan against current reality
PIRs answer what matters. A collection plan answers who does what, from where, how often, and how we know it worked. Build the plan, run it daily, review it weekly - and your CTI program stops producing activity and starts producing intelligence.

