Twelve real Priority Intelligence Requirements that mature CTI teams maintain — with the decisions they support, the consumers they serve, and the IRs and EEIs that flow out of each. Use them as templates for your own program.
Most teams writing their first Priority Intelligence Requirements end up with something that sounds like "monitor threats to the organization." That is not a PIR. That is a job description.
A real PIR is sharp, scoped, and tied to a decision. To make that concrete, here are 12 PIRs that mature CTI teams actually maintain — drawn from financial services, healthcare, technology, energy, and government programs. For each one, you'll see the requirement, why it exists, who consumes it, and the kind of intelligence requirements (IRs) and essential elements of information (EEIs) that flow out of it.
Use these as templates. Steal liberally. Then adapt them to your own organization's threat model and decision cycle.
How PIRs Are Structured (Quick Refresher)
Every PIR in this list follows the same shape:
- PIR — the decision-linked question senior stakeholders need answered
- Decision it supports — what action changes based on the answer
- Owner / consumer — who writes it, who reads it
- IRs / EEIs — the sub-questions and observable data points that feed it
If you want the full methodology behind this format, see our guide on how to develop Priority Intelligence Requirements.
1. Ransomware Threats to Our Sector
PIR: Which ransomware groups are actively targeting organizations in our sector, and what TTPs are they using in the last 90 days?
Decision supported: Detection engineering backlog prioritization, tabletop exercise scenarios, executive briefings on residual risk.
Consumer: CISO, IR leadership, detection engineering.
Example IRs:
- Which ransomware affiliates have claimed victims in our sector in the last quarter?
- What initial access vectors are they using (phishing, edge appliance exploit, valid accounts)?
- What dwell time and lateral movement patterns have been observed?
Example EEIs:
- Leak site postings naming sector peers
- IR reports and vendor advisories citing specific affiliates
- CVEs being weaponized for initial access (e.g., edge VPN, file transfer appliances)
2. Exposure of Executive and Board Members
PIR: What personal, financial, or operational exposure exists for our named executives and board members that could be leveraged for targeted attacks, extortion, or reputational harm?
Decision supported: Physical security posture, executive protection budget, board communications policy.
Consumer: CSO, executive protection, legal, communications.
Example IRs:
- Are credentials belonging to executives appearing in recent breach corpora?
- Is there doxxing, harassment, or impersonation activity on social or fringe platforms?
- Are personal email or device compromises observable through infostealer logs?
Example EEIs:
- Infostealer log mentions of executive personal emails or domains
- Telegram / forum posts naming executives
- Domain registrations spoofing executive names
3. Third-Party and Supply Chain Compromise
PIR: Which of our critical third parties show indicators of compromise, security degradation, or active targeting that could cascade into our environment?
Decision supported: Vendor risk reviews, contract renewals, segmentation decisions, incident readiness.
Consumer: TPRM, CISO, procurement, IR.
Example IRs:
- Have any tier-1 vendors appeared on leak sites in the last 12 months?
- Are vendors we depend on running software with actively exploited, unpatched critical CVEs?
- Are there signs of credential theft against vendor employees with access to our tenants?
Example EEIs:
- Leak site posts naming our critical vendors
- SEC 8-K filings disclosing material cyber incidents at vendors
- Infostealer logs containing vendor SSO domains
4. Initial Access Broker Activity Against Our Footprint
PIR: Are initial access brokers advertising or selling access to systems, accounts, or networks attributable to our organization or critical subsidiaries?
Decision supported: Emergency credential resets, IR engagement, threat hunting scope.
Consumer: IR, SOC, identity team.
Example IRs:
- Are listings on Russian-language forums matching our ASN, domains, or named brands?
- Are there infostealer-derived corporate credential bundles being sold or posted?
- What access types are being offered (VPN, RDP, Citrix, cloud admin)?
Example EEIs:
- Forum posts (XSS, Exploit, RAMP) with matching victim fingerprints
- Stealer log corpora containing our SSO or VPN domains
- Telegram channels reselling access
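The stealer-log EEIs in PIRs 2, 3 and 4 all reduce to the same collection task: scan dumped URL/credential triplets for hostnames that fall under a watched domain (our SSO and VPN, a vendor's SSO, an executive's personal domain). The script below is an added example and not code from the original article; the log layout, the watchlist and every domain (all under the reserved .invalid TLD) are constructed. The one design point worth copying is the hostname suffix check, which keeps a lookalike such as `sso.example-corp.invalid.evil-host.invalid` from registering as a hit for `sso.example-corp.invalid`.

```python
"""Match infostealer-log entries against a domain watchlist.

Added example, not code from the original article. The log layout,
every domain (all under the reserved .invalid TLD) and every user name
below are constructed for illustration.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed watchlist, keyed by which PIR each set of domains serves.
WATCHLIST = {
    "our-sso-vpn": ["sso.example-corp.invalid", "vpn.example-corp.invalid"],
    "vendor-sso": ["login.payroll-vendor.invalid"],
    "exec-personal": ["exec-family.invalid"],
}

# Constructed sample in the URL / USER / PASS triplet layout common to
# stealer dumps. Passwords are redacted; nothing here is real.
SAMPLE_LOG = """\
URL: https://sso.example-corp.invalid/adfs/ls/?client-request-id=1
USER: jdoe@example-corp.invalid
PASS: <redacted>
URL: https://sso.example-corp.invalid.evil-host.invalid/login
USER: victim
PASS: <redacted>
URL: https://login.payroll-vendor.invalid:8443/auth
USER: hr-admin@example-corp.invalid
PASS: <redacted>
URL: https://mail.exec-family.invalid/owa
USER: ceo@exec-family.invalid
PASS: <redacted>
URL: https://shop.unrelated.invalid/account
USER: someone
PASS: <redacted>
"""


@dataclass(frozen=True)
class Hit:
    label: str     # which watchlist group matched
    watched: str   # the watchlist domain that matched
    host: str      # the hostname seen in the log
    user: str      # the account name seen in the log


def host_matches(host: str, watched: str) -> bool:
    """True when host equals watched or is a subdomain of it.

    Comparing the parsed hostname (rather than searching the URL string)
    is what stops 'sso.example-corp.invalid.evil-host.invalid' from
    matching 'sso.example-corp.invalid'.
    """
    host = host.lower().rstrip(".")
    watched = watched.lower().rstrip(".")
    return host == watched or host.endswith("." + watched)


def parse_entries(text: str):
    """Yield (url, user) pairs from URL/USER/PASS triplets."""
    url = user = None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().upper(), value.strip()
        if key == "URL":
            url, user = value, None
        elif key == "USER":
            user = value
        elif key == "PASS":
            if url is not None:
                yield url, user or ""
            url = user = None


def find_hits(log_text: str, watchlist=WATCHLIST):
    """Return every log entry whose hostname falls under a watched domain."""
    hits = []
    for url, user in parse_entries(log_text):
        host = urlsplit(url).hostname or ""
        for label, domains in watchlist.items():
            for watched in domains:
                if host_matches(host, watched):
                    hits.append(Hit(label, watched, host, user))
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(f"[{hit.label}] {hit.host} user={hit.user}")
```

Run against the constructed sample, three of the five entries are hits (one per watchlist group) and the lookalike host is correctly ignored. In practice the watchlist is the part that changes per PIR; the matching logic does not.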
5. Geopolitical Risk to Operations in Sensitive Regions
PIR: How are state-aligned cyber operations evolving in regions where we operate, and what is the likelihood of spillover or direct targeting in the next 90 days?
Decision supported: Travel policy, regional infrastructure hardening, executive briefings, scenario planning.
Consumer: CISO, physical security, regional GMs, legal.
Example IRs:
- Which APTs are active in countries hosting our operations?
- Are there observed campaigns against our sector in those regions?
- What is the escalation trajectory of regional conflicts that could trigger cyber activity?
Example EEIs:
- Government and vendor advisories on regional APT activity
- Sector-specific campaign reporting (e.g., energy, finance, logistics)
- Open-source conflict indicators (mobilization, sanctions, diplomatic escalation)
6. Brand Abuse, Impersonation, and Phishing Infrastructure
PIR: What infrastructure is being created or used to impersonate our brand, products, or staff for phishing, fraud, or social engineering?
Decision supported: Takedown prioritization, customer communications, fraud controls tuning.
Consumer: Fraud, brand protection, marketing security, IR.
Example IRs:
- How many lookalike domains targeting our brand are registered weekly?
- Which are weaponized (MX records, TLS certs, phishing kits) vs. parked?
- Are there active phishing kits or templates targeting our customers or staff?
Example EEIs:
- Newly registered domains matching brand permutations
- Certificate transparency log entries for spoofed subdomains
- Phishing kit samples from open repositories or sandbox feeds
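The IRs above ask two questions of a domain feed: does a new registration look like our brand, and is it weaponized or merely parked. As an added example (not code from the original article), the script below generates common brand permutations, filters a constructed "newly registered" feed against them, and ranks survivors by constructed MX, TLS-certificate and phishing-kit observations. The brand, the permutation rules, the scoring weights and every domain are assumptions; a real deployment would replace the `OBSERVATIONS` dict with DNS, certificate-transparency and sandbox lookups.

```python
"""Triage newly registered domains against brand permutations.

Added example, not code from the original article. The brand, the
permutation rules, the scoring weights, the domain feed and the
MX / certificate / kit observations are all constructed assumptions.
"""

BRAND = "examplebank"
OWNED = {"examplebank.com"}  # our legitimate registrations (constructed)

# Small, common subset of keyboard and homoglyph confusables.
CONFUSABLES = {
    "l": ["1", "i"], "i": ["l", "1"], "o": ["0"], "e": ["3"],
    "a": ["4"], "m": ["rn"], "b": ["d"],
}
AFFIXES = ("login", "secure", "online", "support", "verify")


def permutations(brand: str) -> set:
    """Second-level labels a squatter commonly registers for `brand`."""
    out = {brand}
    for i, ch in enumerate(brand):
        out.add(brand[:i] + brand[i + 1:])                     # omission
        out.add(brand[:i] + ch + ch + brand[i + 1:])           # repetition
        if i + 1 < len(brand):                                 # transposition
            out.add(brand[:i] + brand[i + 1] + ch + brand[i + 2:])
        for sub in CONFUSABLES.get(ch, []):                    # homoglyph
            out.add(brand[:i] + sub + brand[i + 1:])
        if i > 0:                                              # hyphenation
            out.add(brand[:i] + "-" + brand[i:])
    for affix in AFFIXES:                                      # brand + keyword
        out.update({brand + affix, brand + "-" + affix, affix + brand})
    return out


def second_level_label(domain: str) -> str:
    return domain.lower().rstrip(".").split(".")[0]


def triage(domains, observations, brand=BRAND, owned=OWNED):
    """Keep domains that look like the brand, then split weaponized from parked.

    A phishing kit outweighs MX or TLS alone: a kit means a live credential
    harvesting page, while MX or a cert only show capability.
    """
    perms = permutations(brand)
    results = []
    for domain in domains:
        if domain.lower() in owned:
            continue
        label = second_level_label(domain)
        # Substring test so 'examp1ebank-login' is caught via 'examp1ebank'.
        if not any(p in label for p in perms):
            continue
        obs = observations.get(domain, {})
        signals = [k for k in ("kit", "mx", "cert") if obs.get(k)]
        score = (3 * int(obs.get("kit", False))
                 + int(obs.get("mx", False)) + int(obs.get("cert", False)))
        results.append({
            "domain": domain,
            "status": "weaponized" if signals else "parked",
            "signals": signals,
            "score": score,
        })
    results.sort(key=lambda r: -r["score"])  # stable: ties keep feed order
    return results


# Constructed "newly registered" feed. The comments say what each tests.
NEW_DOMAINS = [
    "examplebank.com",        # ours, skipped via OWNED
    "exarnplebank.com",       # rn-for-m homoglyph
    "examp1ebank-login.net",  # homoglyph plus keyword
    "exampelbank.co",         # transposition
    "examplebank.app",        # exact brand on a TLD we do not own
    "example-bank.com",       # hyphenation
    "bankexample.com",        # word reordering: not covered by these rules
    "unrelated-shop.com",
]

# Constructed enrichment results for the feed above.
OBSERVATIONS = {
    "exarnplebank.com":      {"mx": True,  "cert": True,  "kit": False},
    "examp1ebank-login.net": {"mx": False, "cert": True,  "kit": True},
    "exampelbank.co":        {"mx": False, "cert": False, "kit": False},
    "examplebank.app":       {"mx": True,  "cert": False, "kit": False},
    "example-bank.com":      {"mx": False, "cert": False, "kit": False},
}

if __name__ == "__main__":
    for r in triage(NEW_DOMAINS, OBSERVATIONS):
        print(f'{r["domain"]:24} {r["status"]:10} score={r["score"]} {r["signals"]}')
```

On the constructed feed the kit-hosting domain ranks first, the two parked squats fall to the bottom, and the reordered `bankexample.com` is missed, which is the kind of coverage gap worth recording against the IR rather than papering over.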
7. Vulnerability Weaponization Affecting Our Stack
PIR: Which vulnerabilities in software we operate are being actively exploited in the wild, and how soon will they be weaponized by opportunistic actors?
Decision supported: Emergency patching, compensating controls, exception revocation.
Consumer: Vulnerability management, IT ops, CISO.
Example IRs:
- Which CVEs in our software inventory have proof-of-concept exploits public?
- Which are being exploited by ransomware affiliates or APTs?
- What is the observed time-to-exploitation since disclosure?
Example EEIs:
- CISA KEV additions matching our inventory
- Vendor advisories noting in-the-wild exploitation
- Exploit code published to GitHub, ExploitDB, or paywalled forums
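"CISA KEV additions matching our inventory" is the most mechanical EEI on this list, and the emergency-patching decision it supports depends on how the matches are ranked. The script below is an added example, not code from the original article: it joins a KEV-style feed to a software inventory and orders the results for triage. The entry keys (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`) are the ones the public KEV JSON catalog uses, but every CVE id, vendor, product and date is constructed, and the inventory's `exposure` tag is an assumption about how an asset register might be labelled.

```python
"""Match a CISA KEV-style feed against a software inventory and rank the
candidates for the emergency-patching decision.

Added example, not code from the original article. The entry keys are
the ones the public KEV JSON catalog uses, but every CVE id, vendor,
product and date below is constructed, and the inventory's `exposure`
field is an assumption about how an asset register might be tagged.
"""
import re
from datetime import date

# Constructed inventory: what we actually operate.
INVENTORY = [
    {"vendor": "Acme Networks", "product": "EdgeGate VPN", "version": "9.1", "exposure": "internet"},
    {"vendor": "Acme Networks", "product": "EdgeGate Manager", "version": "9.1", "exposure": "internal"},
    {"vendor": "Globex", "product": "FileMover MFT", "version": "4.2", "exposure": "internet"},
    {"vendor": "Initech", "product": "Payroll Suite", "version": "2.0", "exposure": "internal"},
]

# Constructed KEV-style entries (a subset of the catalog's fields).
KEV_ENTRIES = [
    {"cveID": "CVE-2099-00001", "vendorProject": "Acme Networks", "product": "EdgeGate VPN",
     "dateAdded": "2099-03-02", "dueDate": "2099-03-09", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2099-00002", "vendorProject": "Globex", "product": "FileMover MFT",
     "dateAdded": "2099-03-04", "dueDate": "2099-03-25", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2099-00003", "vendorProject": "Umbrella", "product": "Portal",
     "dateAdded": "2099-03-04", "dueDate": "2099-03-25", "knownRansomwareCampaignUse": "Known"},
]


def norm(s: str) -> str:
    """Fold case and punctuation so 'Acme-Networks' and 'acme networks' agree."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def match_kev(inventory, kev_entries, today_iso: str):
    """Return inventory items named in KEV, ranked for the patching decision.

    KEV carries no structured version ranges, so a vendor+product match is
    a candidate that still needs a version check against the advisory.
    Ranking: ransomware-linked first, internet-exposed next, then the
    soonest KEV due date.
    """
    today = date.fromisoformat(today_iso)
    hits = []
    for entry in kev_entries:
        for item in inventory:
            if (norm(entry["vendorProject"]) == norm(item["vendor"])
                    and norm(entry["product"]) == norm(item["product"])):
                hits.append({
                    "cve": entry["cveID"],
                    "asset": f'{item["vendor"]} {item["product"]} {item["version"]}',
                    "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                    "internet_exposed": item["exposure"] == "internet",
                    "days_to_due": (date.fromisoformat(entry["dueDate"]) - today).days,
                    "days_in_kev": (today - date.fromisoformat(entry["dateAdded"])).days,
                })
    hits.sort(key=lambda h: (not h["ransomware"], not h["internet_exposed"], h["days_to_due"]))
    return hits


if __name__ == "__main__":
    for h in match_kev(INVENTORY, KEV_ENTRIES, "2099-03-05"):
        flag = "RANSOMWARE " if h["ransomware"] else ""
        print(f'{h["cve"]} {flag}{h["asset"]} due in {h["days_to_due"]}d')
```

With the constructed data, the internet-facing VPN with known ransomware use ranks first and the file-transfer appliance second; the management console and the payroll suite produce no candidates because KEV names neither. The `days_in_kev` value measures how long an entry has been in the catalog, not time from disclosure to exploitation, which needs advisory dates the feed does not carry.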
8. Insider Threat and Recruitment Activity
PIR: Are threat actors actively recruiting insiders at our organization or peer organizations to facilitate access, data theft, or fraud?
Decision supported: Insider risk program scope, monitoring policy, HR awareness training, recruiter screening.
Consumer: Insider threat program, HR, legal, CISO.
Example IRs:
- Are there public recruitment posts on Telegram or forums offering payment for insider access?
- Are peer organizations in our sector publicly reporting insider-enabled incidents?
- What roles are being recruited (call center, sysadmin, telco port-out)?
Example EEIs:
- Telegram channel posts soliciting employees of named companies
- Court filings and indictments citing insider recruitment patterns
- Vendor reporting on insider-as-a-service trends
9. Cloud Tenant and SaaS Abuse
PIR: What techniques are threat actors using to compromise cloud tenants and SaaS environments comparable to ours, and where are our gaps?
Decision supported: Identity hardening roadmap, conditional access policy, SaaS security tooling investment.
Consumer: Cloud security, identity, detection engineering.
Example IRs:
- What MFA bypass techniques (push fatigue, AiTM phishing, SIM swap) are being observed against peers?
- Which OAuth abuse patterns are tied to active campaigns?
- Are there active campaigns against our specific SaaS stack (Microsoft 365, Okta, Salesforce, etc.)?
Example EEIs:
- IR vendor blogs detailing identity-centric intrusions
- ISAC reporting on AiTM and token theft
- Public Microsoft / Okta / Cloudflare incident postmortems
10. Data Exposure on Leak Sites and Marketplaces
PIR: Is data attributable to our organization, customers, or employees appearing on leak sites, breach forums, or data marketplaces?
Decision supported: Breach notification decisions, IR scoping, legal disclosures, customer communications.
Consumer: IR, legal, privacy, communications.
Example IRs:
- Are we or our brands named on ransomware leak sites?
- Are customer datasets matching our schema for sale on forums?
- Is employee PII appearing in combo lists or breach compilations?
Example EEIs:
- Leak site index entries
- Forum posts advertising datasets with matching record counts or schemas
- Sample records validated against internal data shape
11. Pre-Attack Indicators of Targeting
PIR: What pre-attack indicators suggest our organization is being researched, scanned, or actively targeted by capable adversaries?
Decision supported: Threat hunting focus, perimeter hardening, deception placement, executive notification.
Consumer: Threat hunting, SOC, IR.
Example IRs:
- Are our external assets being scanned or fingerprinted from infrastructure tied to known threat actors?
- Are there spear phishing waves targeting specific business units?
- Are there mentions of our organization on forums or in chatter that imply targeting?
Example EEIs:
- Honeypot and external telemetry hits from attributable infrastructure
- Reported phishing samples clustered by theme or sender infrastructure
- Forum chatter, Telegram mentions, paste-site dumps referencing the organization
12. Regulatory and Disclosure-Triggering Threat Activity
PIR: What threat activity could trigger regulatory disclosure obligations (SEC, GDPR, HIPAA, DORA, NIS2) or contractual notification requirements in the next quarter?
Decision supported: Disclosure readiness, legal pre-positioning, board reporting cadence.
Consumer: Legal, compliance, CISO, board.
Example IRs:
- Which ongoing campaigns target controls in scope for our regulatory regime?
- Are peers reporting incidents that match disclosure thresholds we would also hit?
- Are there regulator-issued advisories naming TTPs we are exposed to?
Example EEIs:
- Public 8-K filings from sector peers
- Regulator advisories (SEC, ENISA, CISA, FCA, etc.)
- Vendor reporting on TTPs mapped to specific regulatory control families
How to Use These Examples
Do not adopt all 12. Mature CTI programs typically maintain 6 to 10 active PIRs at any time, with the rest held in reserve or rotated in based on business cycles (M&A, product launches, geopolitical events, regulatory deadlines).
When picking yours:
- Start with decisions, not topics. If you cannot name the decision a PIR supports, cut it.
- Assign a single owner per PIR. Shared ownership produces shared neglect.
- Validate collectability. A perfect PIR you cannot answer is worse than a good PIR you can.
- Review quarterly. PIRs are living artifacts. Retire what is no longer decision-relevant.
If you want the full process for building your own from scratch, start with how to develop Priority Intelligence Requirements or the foundational what are Priority Intelligence Requirements.
Closing Thought
The difference between a CTI team that informs decisions and one that produces wallpaper is rarely talent. It is the quality of the questions they have agreed to answer. These 12 PIRs are starting points — sharpen them against your own threat model, and they will earn their keep.