CTI CLASSIFICATION

CTI Types

Explore the 4 main types of Cyber Threat Intelligence and discover how each serves specific objectives in your security strategy.

The 4 pillars of CTI

Classification of Threat Intelligence types

Each type of CTI responds to specific needs and targets different organizational levels with varying time horizons.

#1

Strategic CTI

High-level intelligence for strategic decision-making

Target audience

Executive leadership, strategic decision-makers, CISO

Time horizon

Long-term (6-12 months)

Characteristics

Threat landscape overview and trends

Analysis of adversary motivations and capabilities

Long-term risk assessment

Support for strategic decision-making

Concrete examples

Geopolitical threat reports
Cybercriminal trend analysis
Sectoral risk assessment
Security budget forecasts

Benefits

  • Security and business alignment
  • Justification of security investments
  • Anticipation of emerging threats
  • Executive communication

Typical deliverables

Executive briefings
Risk analysis reports
Trend studies
Strategic recommendations
Primary sources
Analyst reports (Gartner, Forrester)
Geopolitical intelligence
Vendor reports
Academic publications
#2

Tactical CTI

Information on adversary tactics, techniques, and procedures (TTPs)

Target audience

SOC teams, security analysts, threat hunters

Time horizon

Medium-term (1-6 months)

Characteristics

Analysis of attack methods

Identification of attack patterns

Detection of ongoing campaigns

Improvement of detection capabilities

Concrete examples

MITRE ATT&CK mapping of campaigns
APT TTP analysis
Kill chain studies
Attacker group profiles

Benefits

  • Improved detection
  • SIEM rule optimization
  • More effective threat hunting
  • Understanding of adversaries

Typical deliverables

TTP reports
MITRE ATT&CK matrices
Adversary profiles
Campaign analyses
Primary sources
Threat intelligence reports
Community sharing (ISACs)
CTI platforms
Malware analyses
#3

Technical CTI

Technical details on attacker tools, malware, and infrastructure

Target audience

Technical analysts, response teams, DFIR

Time horizon

Short-term (days-weeks)

Characteristics

Indicators of compromise (IOCs)

Malware analysis

Infrastructure mapping

Attack signatures

Concrete examples

Malicious file hashes
Malicious IP addresses and domains
YARA and Snort rules
Compromise artifacts

Benefits

  • Automated blocking
  • Immediate detection
  • Alert enrichment
  • Reduction of false positives

Typical deliverables

IOC feeds
Detection rules
Malware reports
Blocking lists
Primary sources
Sandboxes (VirusTotal, Any.run)
Commercial feeds
Community sharing
Honeypots and sensors
#4

Operational CTI

Information on ongoing or imminent attack campaigns

Target audience

Response teams, 24/7 SOC, CSIRT

Time horizon

Real-time (minutes-hours)

Characteristics

Real-time alerts

Detection of active attacks

Incident response

Defense coordination

Concrete examples

Active campaign alerts
Critical vulnerability notifications
Targeting indicators
Ongoing attack coordinates

Benefits

  • Ultra-fast response
  • Prevention of incidents
  • Multi-team coordination
  • Reduced detection time

Typical deliverables

Real-time alerts
Emergency bulletins
Mitigation recommendations
Response playbooks
Primary sources
National CERT/CSIRT
Real-time feeds
Sectoral sharing
Dark web monitoring
Comparative overview

Comparative table of CTI types

Quickly understand the differences and choose the right type of CTI based on your needs.

| Type | Primary objective | Target audience | Time horizon | Typical format |
|---|---|---|---|---|
| Strategic | Business and budgetary decisions | Leadership, CISO | 6-12 months | Executive briefings |
| Tactical | Improved detection | SOC, Analysts | 1-6 months | TTP reports |
| Technical | Blocking and detection | Technical analysts | Days-weeks | IOC feeds |
| Operational | Immediate response | Response teams | Real-time | Emergency alerts |

How to choose the right CTI type?

Select the type of CTI based on your objectives, your audience, and your time horizon.

For leadership

Strategic CTI

Executive reports, sector trends, business risks

For the SOC

Tactical CTI

Adversary TTPs, detection improvements, threat hunting

For analysts

Technical CTI

IOCs, malware signatures, YARA/Snort rules

For response

Operational CTI

Real-time alerts, active campaigns, fresh IOCs

💡 Expert tip

A mature organization uses all types of CTI in a complementary way: strategic CTI to guide, tactical to optimize, technical to block, and operational to respond quickly.
