Shelf

Threat Intelligence

Threat intelligence turns raw signals into useful context about adversaries. This shelf covers threat actor types, the ransomware ecosystem, vulnerability lifecycles, and how to make IOCs actually useful for your security operations.

About this shelf

Cyber Threat Intelligence (CTI) is the discipline of turning raw signals into context that makes defenders better. Done well, CTI tells you who is targeting your sector, what they typically do, what indicators are worth watching, and which vulnerabilities in your environment are being actively exploited in the wild. Done badly, it produces a firehose of low-confidence IOCs that drown SOC analysts and never connect to a defensive action.

Articles in this shelf cover the actor side and the technical side. On the actor side: the taxonomy of threat actors (nation-state, financially motivated, hacktivist, insider), the structure of the ransomware ecosystem and Ransomware-as-a-Service economics, initial access brokers as a specialised criminal layer, and the AI/LLM-specific threats that have emerged as adversaries adopt large language models for phishing, code generation, and reconnaissance. On the technical side: the lifecycle of vulnerabilities from disclosure through KEV and EPSS to active exploitation, what makes an IOC actually useful, and how MITRE ATT&CK works as a common language across detection, intelligence, and adversary emulation.

The orientation throughout is practical. Threat intelligence is only valuable if it changes a decision — a patching priority, a detection engineering choice, a threat hunt hypothesis, an executive briefing. Articles are written with that test in mind, and references to source frameworks (MITRE, FIRST, CISA) are explicit so you can dig further when needed.