What it is (plain English)
Feeds external threat data (indicators of compromise, known bad actors, campaigns) into security investigations so analysts can quickly tell whether what they're seeing is a known threat — and automatically enrich security incidents instead of manually looking things up.
Problems it solves
- Analysts manually checking indicators against external sources.
- Security incidents lacking context about the threat behind them.
- Threat feeds subscribed to but not operationalized.
What must exist first
Platform Core Setup. Security Incident Response (SIR) is the primary consumer — threat intel enriches security incidents — so standing up SIR first is the usual path, but threat intelligence can also support broader SecOps patterns (vulnerability prioritization, hunting) independently.
What the customer needs to provide
- Your threat intelligence feeds/subscriptions (commercial and open source).
- Which indicator types matter and how they should trigger action.
- Integration details for feed sources (STIX/TAXII, MISP, vendor APIs).
Where it can go next
Enriches Security Incident Response (SIR) automatically; supports proactive threat hunting; indicators can inform Vulnerability Response (VR) prioritization.