Plaintext with Rich

Threat Intelligence: Why Most Organizations Get It Backwards

Rich Greene Season 1 Episode 22


A dashboard lights up with indicators of compromise. The analyst copies the top five into a ticket, tags it "actionable," and sends it to the SOC. Nobody reads it, not because they don't care, but because it didn't tell them what to do or why it mattered. That's not an intelligence failure. That's a confusion about what intelligence actually is.

This episode breaks down threat intelligence from the ground up, drawing on Rich's military experience as a case officer in special operations. It separates data, information, and intelligence into three distinct layers, explains why most CTI programs skip the step that actually matters (connecting analysis to a specific decision), and introduces the concept of Priority Intelligence Requirements as the questions that should drive everything a security team collects and analyzes. The episode covers the intelligence cycle, why feeds alone aren't intelligence, and why organizations that never close the loop are publishing, not protecting. It closes with a five-step starter kit for building a threat intelligence function that actually changes decisions.

Whether you're standing up a CTI program, evaluating one that isn't delivering, or just trying to understand what threat intelligence should look like, Plaintext with Rich cuts through the noise.

Is there a topic/term you want me to discuss next? Text me!!

YouTube more your speed? → https://links.sith2.com/YouTube  
Apple Podcasts your usual stop? → https://links.sith2.com/Apple  
Neither of those? Spotify’s over here → https://links.sith2.com/Spotify  
Prefer reading quietly at your own pace? → https://links.sith2.com/Blog  
Join us in The Cyber Sanctuary (no robes required) → https://links.sith2.com/Discord  
Follow the human behind the microphone → https://links.sith2.com/linkedin  
Need another way to reach me? That’s here → https://linktr.ee/rich.greene

When Threat Data Gets Ignored

SPEAKER_00

A dashboard lights up with threat data. Indicators of compromise scroll past, country of origin tags, malware family names, severity scores in red, amber, and green. The analyst copies the top five indicators into a ticket, tags it actionable, sends it to the SOC. Nobody reads it. Not because they don't care, because it didn't tell them what to do or why it mattered. That's not an intelligence failure. That's a confusion about what intelligence actually is.

Welcome to Plaintext with Rich. Today we're talking about threat intelligence, what it is, what it isn't, and why most of the industry gets it backwards. I'll tell you up front, I am not a career CTI analyst, right? My experience with intelligence comes from the military. I served on the DOD side, specifically in special operations, as the equivalent of a case officer. That meant working within the intelligence community directly, collecting, evaluating sources, and making sure what got passed up the chain was actually useful to the decision makers. Now that role didn't just teach me what intelligence is, it taught me what intelligence is not. And we're gonna start there.

In plain text, intelligence is information that has been collected, evaluated, and analyzed so that it can inform a specific decision and disseminate it. That's it. Not data, not a feed, not a PDF with flag icons and heat maps, right? Intelligence answers a question someone actually needs answered. If it doesn't connect to a decision, it's just information. And information without context is noise.

Now let me ground this in where I learned it because it changed how I think about everything. In the military, especially on the SOF side, intelligence isn't a department you check in with occasionally, right? It kind of is, but not really. It's the engine that drives the operation. As a case officer, your job is to be close to the collection. You're evaluating sources. You're asking, is this person reliable? Is this information consistent with what we're seeing elsewhere? Does this actually answer the question we were asked? Or is it just interesting noise? And the questions always came first. Who is in the area? What have they done before? What are they likely to do next? What does this mean for how we move, when we move, and what we prioritize? That's the intelligence cycle in its simplest form, right? Requirements drive collection, collection feeds analysis, and analysis informs action. Notice what's at the center of that loop: a decision. Not a report, not a dashboard, not a score, a decision.

Now translate that into cybersecurity. Cyber threat intelligence, or CTI, is supposed to do the same thing. Help defenders make better decisions about what to protect, what to watch, and how to respond. But somewhere along the way, the industry turned intelligence into a product instead of a process. Here's what I see in a lot of organizations. They subscribe to threat feeds, they receive indicators of compromise or IOCs, right? IP addresses, file hashes, domain names. They pipe those indicators into a SIEM or a firewall and they call it threat intelligence. Again, that's not intelligence. That's data delivery. In military terms, that's like handing a commander a list of coordinates with no context, no assessment, no judgment, no recommendations. Raw data without analysis isn't intelligence. It's a to-do list with no priorities.

And let's separate those layers. Data is raw facts, an IP address, a hash, a timestamp, okay, as data. Information is data with some context, right? That IP was seen in a phishing campaign last week. Now intelligence is information analyzed against your specific environment that tells you something you can act on. That IP is targeting your particular industry, right? Using techniques your detections don't cover, and the campaign is accelerating. Do you see the difference? Data tells you what exists, information tells you what happened, intelligence tells you what it means for you. And that last step, the for you part, is what most threat intelligence programs skip.

In the military, we had a concept that kept intelligence honest. And that's the priority intelligence requirement or PIR. Now, a PIR is a specific question tied to a specific decision. Something like, is there an adversary presence in this corridor that would affect our route? Okay. Everything flows from that question. What you collect, what you analyze, what you report. If it doesn't help answer a PIR, it's not a priority. Now again, bring that into a security team. What if your CTI program started with questions instead of feeds, right? Which threat actors are actively targeting our sector? What initial access techniques are most likely against our environment? What should we be hunting for this quarter? Those are PIRs for cybersecurity. And when you have those, the feeds become useful, not because they change, but because you know what you're looking for.

Here's another lesson that translates directly, right? Again, intelligence is a cycle, not a deliverable. The intelligence cycle has been taught the same way for decades, right? Direction, collection, processing, analysis, dissemination. The labels change, the loop doesn't. Okay. You ask a question, you go find information, you make sense of it, you deliver an answer, then you ask a better question. Most CTI programs I've seen are linear. Feed comes in, report goes out, nobody closes the loop. Nobody asks, did that report change a decision? Did the team act on it? Did it matter? If you're not closing the loop, you're not doing intelligence, now you're doing publishing.

Here's an uncomfortable part. A lot of organizations buy threat intelligence because it feels like diligence. It checks a box, it shows up in board reports, it sounds serious. But if the intelligence doesn't change what your SOC watches, what your red team tests, or what your leadership prioritizes, what is it doing? Right? Intelligence that doesn't influence action is decoration, okay? The feeds are easy to buy, the dashboards are easy to stand up. The hard part is connecting the output to real decisions made by real people in your organization. That connection is the whole game.

As a case officer, you learn fast that your job isn't just to collect, it's to understand what the decision maker actually needs. If you don't understand the mission, you end up collecting everything and prioritizing nothing. The best CTI analysts I've worked with operate the same way. They don't just track threat actors, they understand the business. They know which risks keep leadership up at night. Again, intelligence without understanding the mission is just research. Maybe even good research. But research doesn't protect anything until it connects to a decision that does.

If we look at your plaintext starter kit, right, we're gonna look at five moves. First, start with questions, not feeds, right? Before you subscribe to anything, write down three to five questions your security team needs answered, okay? Those are your PIRs. Everything you collect should trace back to one of them. Second, separate data from intelligence. Indicators of compromise are data. They're not intelligence until someone analyzes them against your environment. If your team is just forwarding IOCs, you're running a mailroom, not an intelligence function. Third, close the loop, right? After every intelligence product goes out, ask, did it change anything? Did a detection get tuned? Did a decision get made? If the answer is consistently no, the product needs to change, not the audience. Four, make intelligence consumable, right? A 10-page report that nobody reads isn't intelligence, it's another file. The best military briefs I ever received were short, specific, and ended with "here's what this means for your decision." Your CTI products should do the same. Fifth, treat intelligence as a discipline, not a tool. You can't buy your way into intelligence. A threat feed is a tool, a platform is a tool. Intelligence is the skill of turning ambiguity into clarity under pressure, and that takes people, process, and reps.

One more thought, right? I told you at the top that I'm not a career CTI analyst. That's true. But the fundamentals of intelligence don't change based on the domain, right? Whether you're deciding where to send a team in a combat zone or which vulnerabilities to patch this sprint, the process is the same. Ask the right question, collect with purpose, analyze with context, deliver something someone can act on, then ask a better question. That's intelligence. Everything else is just data with a logo on it.

Our recap: intelligence is not a feed, it's information analyzed to inform a decision. Data, information, intelligence are three different things. Start with questions, not subscriptions. Close the loop. If it didn't change a decision, it didn't work. Intelligence is a discipline. You build it, you don't just buy it.

Now, if there's a concept in security or tech that feels like it's been overcomplicated by the industry, send it my way. Email me, DM me, drop it in the comments. Dead drops are accepted. Just make sure I can find them. I do read everything I can and I will respond to who allows me to respond to them. If this episode helped and you enjoyed it, please share it with someone else who would actually benefit. This has been Plaintext with Rich. 10 minutes, one topic, no panic. See you next time.
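The data, information, intelligence layering and the PIR-driven filtering the episode describes, as an added example that is not part of the episode or its transcript. The feed fields, the defender profile (sector plus covered techniques) and the PIRs are constructed assumptions; an indicator becomes intelligence only when it targets our sector and helps answer a PIR.

```python
"""Added example: PIR-driven triage of a raw IOC feed (data -> information -> intelligence).
Assumptions (constructed, not from the episode): a feed entry carries the campaign it was
seen in, the sectors that campaign targets and the technique used; the defender keeps a
list of techniques their detections already cover."""
from dataclasses import dataclass

@dataclass(frozen=True)
class PIR:
    question: str   # the question a decision maker needs answered
    decision: str   # the decision the answer feeds
    technique: str  # the initial-access technique the question is about

@dataclass(frozen=True)
class Assessment:
    ioc: str
    answers: str    # the PIR this indicator helps answer
    decision: str   # what the answer should change
    priority: str   # "high" when our detections do not cover the technique

# Constructed sample feed (the data layer): raw facts with no judgement attached.
FEED = [
    {"ioc": "198.51.100.7", "campaign": "phish-A", "sectors": ["finance"], "technique": "phishing attachment"},
    {"ioc": "203.0.113.9", "campaign": "scan-B", "sectors": ["retail"], "technique": "exploit public app"},
    {"ioc": "sha256:constructed-1", "campaign": "cred-C", "sectors": ["finance", "energy"], "technique": "valid accounts"},
    {"ioc": "evil.example", "campaign": "phish-A", "sectors": ["finance"], "technique": "phishing attachment"},
]
# Constructed defender profile: our sector and the techniques detections already cover.
ENV = {"sector": "finance", "covered": {"valid accounts"}}
# Constructed PIRs: each question is tied to a decision, as the episode describes.
PIRS = [
    PIR("Which initial-access techniques are most likely against us?",
        "what the SOC watches this quarter", "phishing attachment"),
    PIR("Are credential-abuse campaigns reaching our sector?",
        "whether to enforce MFA on legacy logins", "valid accounts"),
]

def assess(feed, env, pirs):
    """Turn feed data into intelligence. An indicator is kept only when it targets
    *our* sector (the 'for you' step) and helps answer a PIR; everything else is
    information at best and, per the episode, not a priority."""
    intelligence, noise = [], []
    for entry in feed:
        pir = next((p for p in pirs if p.technique == entry["technique"]), None)
        if env["sector"] not in entry["sectors"] or pir is None:
            noise.append(entry["ioc"])
            continue
        priority = "low" if entry["technique"] in env["covered"] else "high"
        intelligence.append(Assessment(entry["ioc"], pir.question, pir.decision, priority))
    return intelligence, noise
```

Calling `assess(FEED, ENV, PIRS)` returns three assessments, each tied to the decision it should change, and drops the retail-only scanner as noise because it neither targets our sector nor answers a PIR.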