
Security Intelligence and Analytics: Intelligence-Led Detection and Threat Hunting (2025)


Security intelligence and analytics are two distinct functions that produce their strongest outcomes when they operate as an integrated program rather than separate disciplines. Security intelligence — the collection, analysis, and production of threat intelligence products — answers the question of who is attacking and how. Security analytics — the application of data analysis, machine learning, and behavioral modeling to telemetry — answers the question of what is actually happening in the environment right now. The gap between these questions is where most security programs fail: organizations that run threat intelligence without analytics struggle to operationalize intelligence into detections; organizations that run analytics without threat intelligence produce detections without adversary context. Integrated security intelligence and analytics programs close this gap by using threat intelligence to direct what the analytics layer looks for and using analytics results to generate new intelligence requirements. The SANS 2025 Threat Hunting Survey found that 58% of organizations now manage threat hunting programs internally — up from 45% in 2024 — while fully outsourced threat hunting dropped from 37% to 30%. That shift from outsourced to in-house reflects exactly the integration trend: organizations that have built security analytics capabilities are extending them with intelligence-led hunting programs that use adversary TTPs as the analytical starting point rather than waiting for alerts. The security analytics market reaching $19.40 billion in 2025 and growing at 20.30% CAGR (Mordor Intelligence) is the commercial measurement of this integration trend — investment in the analytical infrastructure that turns threat intelligence into operational detections at scale.

  • Security intelligence + analytics integration: intelligence answers “who/how,” analytics answers “what is happening” — combined programs outperform either alone
  • SANS 2025: 58% of organizations manage threat hunting internally (up from 45% in 2024); fully outsourced dropped from 37% to 30%
  • AI/ML analytics platforms reduce false positives by 59% compared to legacy rule engines (Markets and Markets)
  • 61% of organizations cite staffing shortages as the primary barrier to threat hunting program success
  • Intelligence-led analytics: TTP-based detections using MITRE ATT&CK outperform indicator-based IOC matching for detecting advanced adversaries who rotate infrastructure regularly

Intelligence-Led Analytics: How Threat Intelligence Directs Security Analytics Programs


The Two Detection Philosophies: Indicator-Based vs. TTP-Based Analytics

The fundamental tension in security intelligence and analytics programs is between indicator-based detection — matching known-bad IP addresses, file hashes, and domains from threat feeds against observed telemetry — and TTP-based behavioral analytics — detecting the techniques and procedures that adversaries use regardless of what infrastructure they’re using at any moment. Indicator-based detection is fast and produces high-confidence alerts when a match occurs, but advanced adversaries rotate infrastructure constantly: the IP address that delivered phishing emails today will be retired tomorrow, and an indicator-based analytics program that relies on external feeds will miss the same adversary the moment they switch infrastructure. TTP-based behavioral analytics — built on the MITRE ATT&CK framework’s structured taxonomy of adversary tactics and techniques — detects behavior patterns that persist across infrastructure changes because they’re driven by the adversary’s operational methodology, not their tooling choices. Platforms offering AI/ML-based TTP detection achieve a 59% reduction in false positives compared to legacy rule engines (Markets and Markets) precisely because they model behavior rather than matching static indicators that generate alerts on legitimate activity using similar patterns. The integration of security intelligence into analytics programs determines which detection approach dominates: mature programs use indicator feeds for high-confidence automated blocking of known-bad infrastructure while reserving behavioral TTP analytics for detecting the unknown threats that indicator matching misses. 
IBM’s X-Force team, which monitors over 150 billion security events daily, found in its 2025 Threat Intelligence Index that critical infrastructure accounted for 70% of all incident response engagements in 2024 — a finding that directly informs the TTP analytics priorities for organizations in those sectors, where adversary groups like Volt Typhoon and Lazarus Group use living-off-the-land techniques specifically designed to evade indicator-based detection. Microsoft Sentinel’s threat intelligence integration specifically addresses this: the MDTI (Microsoft Defender Threat Intelligence) feeds enrich SIEM analytics with adversary attribution, campaign context, and TTP mappings that transform individual log events from isolated anomalies into components of recognized adversary behavior patterns. The Microsoft Sentinel threat intelligence documentation details how STIX/TAXII indicator feeds and MDTI integrations wire threat intelligence into analytics rule logic at the platform level.

Building the Integration Layer: From Intelligence Requirements to Analytics Rules

Intelligence-led analytics requires a formal process for converting threat intelligence findings into analytics detection logic — the integration layer that most organizations haven’t built. The process runs in one direction (intelligence → analytics requirements → detection rules) and a feedback direction (analytics results → new intelligence requirements). Intelligence teams that produce a Priority Intelligence Requirement identifying a specific threat actor targeting the organization’s sector create an analytics requirement: build detection rules for the TTPs that actor uses, enrich existing detections with the actor’s known infrastructure, and tune behavioral baselines to be more sensitive to the access patterns the actor favors. The SANS 2025 Threat Hunting Survey finding that 61% of organizations cite staffing shortages as the primary barrier to threat hunting program success describes the resource constraint that automation addresses — platforms that can automatically translate threat intelligence context into analytics rules and hunting queries reduce the analyst time required to operationalize intelligence. Palo Alto’s Cortex XSIAM, CrowdStrike Next-Gen SIEM, and Microsoft Sentinel all provide native threat intelligence integration that automates part of this translation: ingested STIX indicators automatically become analytics rule conditions, and MITRE ATT&CK technique mappings from threat intelligence reports automatically suggest detection rule adjustments. The feedback loop is equally important: when analytics produces an anomaly that doesn’t match known threat actor profiles, that detection becomes an intelligence requirement — understand what caused this anomaly, whether it represents a novel technique, and whether it’s consistent with a threat actor the organization hasn’t previously profiled. This feedback direction is how organizations generate original intelligence from their own analytics programs rather than relying entirely on commercial or government intelligence feeds.
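As an added example (not code from this article or from any platform it names), the Python below works through the two detection philosophies and both directions of the integration layer on constructed data: it lifts an IP from a constructed STIX 2.1 indicator into an indicator-matching rule, runs a TTP-style fan-out rule (a hypothesis for ATT&CK T1021, Remote Services) over constructed authentication events, and turns a TTP hit that came from infrastructure the feed does not know into a new intelligence requirement. The events, IPs, thresholds, window size and the simplified STIX pattern parser are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed STIX 2.1 indicator standing in for a TAXII feed delivery (not real threat data).
STIX_BUNDLE = {"type": "bundle", "objects": [{"type": "indicator", "pattern_type": "stix",
               "pattern": "[ipv4-addr:value = '203.0.113.10']", "labels": ["malicious-activity"]}]}
# Constructed auth events: on 1 Jan one account fans out across hosts from the feed's IP;
# on 2 Jan it repeats the same behaviour from rotated infrastructure the feed has never seen.
EVENTS = [
    {"ts": "2025-01-01T09:00:00", "user": "svc_backup", "src_ip": "203.0.113.10", "host": "fs01"},
    {"ts": "2025-01-01T09:05:00", "user": "svc_backup", "src_ip": "203.0.113.10", "host": "fs02"},
    {"ts": "2025-01-01T09:09:00", "user": "svc_backup", "src_ip": "203.0.113.10", "host": "db01"},
    {"ts": "2025-01-02T09:00:00", "user": "svc_backup", "src_ip": "198.51.100.7", "host": "fs01"},
    {"ts": "2025-01-02T09:04:00", "user": "svc_backup", "src_ip": "198.51.100.7", "host": "fs02"},
    {"ts": "2025-01-02T09:08:00", "user": "svc_backup", "src_ip": "198.51.100.7", "host": "db01"},
]

def indicators_from_stix(bundle):
    """Integration step: lift simple STIX ipv4-addr patterns into a set an analytics rule can match on."""
    pats = [o["pattern"] for o in bundle["objects"] if o.get("type") == "indicator"]
    return {m.group(1) for p in pats for m in [re.fullmatch(r"\[ipv4-addr:value = '([0-9.]+)'\]", p)] if m}

def indicator_hits(events, ips):
    """Indicator-based detection: exact match of the event's source IP against the feed."""
    return [e for e in events if e["src_ip"] in ips]

def ttp_hits(events, max_hosts=2, window=timedelta(minutes=30)):
    """TTP-based rule (ATT&CK T1021 hypothesis): one account on > max_hosts distinct hosts in one window."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        i = 0
        while i < len(evs):
            t0 = datetime.fromisoformat(evs[i]["ts"])
            span = [e for e in evs[i:] if datetime.fromisoformat(e["ts"]) - t0 <= window]
            hosts = {e["host"] for e in span}
            if len(hosts) > max_hosts:
                hits.append({"user": user, "start": evs[i]["ts"], "hosts": sorted(hosts),
                             "src_ips": sorted({e["src_ip"] for e in span})})
                i += len(span)  # events attributed to this hit are not counted again
            else:
                i += 1
    return hits

def new_intel_requirements(hits, known_ips):
    """Feedback direction: a TTP hit from infrastructure the feed lacks becomes a new intelligence requirement."""
    return sorted({ip for h in hits for ip in h["src_ips"] if ip not in known_ips})
```

On the constructed data the indicator rule fires only on 1 January and goes silent once the source IP rotates, while the TTP rule fires on both days and hands the unknown IP back to the intelligence team as a requirement.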

Threat Hunting: Security Intelligence and Analytics in Active Operation


Threat Hunting as the Operational Expression of Intelligence-Analytics Integration

Threat hunting — the proactive, hypothesis-driven search for adversary activity that hasn’t generated automated alerts — is the operational practice where security intelligence and analytics integration produces its most direct security value. A threat hunting program without analytics infrastructure has no data to hunt through; a threat hunting program without intelligence has no hypotheses to drive the hunt. The SANS 2025 survey finding that organizations managing threat hunting internally rose from 45% to 58% in one year reflects the growing recognition that threat hunting requires both capabilities simultaneously and is most effective when the team that runs the analytics also owns the intelligence requirements. Threat hunting programs built on intelligence-analytics integration follow a structured approach: intelligence teams identify the specific threat actors relevant to the organization, map their TTPs to MITRE ATT&CK, convert TTP mappings to hunting hypotheses, run those hypotheses against historical telemetry in the security analytics platform, and document findings as new detection rules or as intelligence about novel techniques. The hypothesis-driven structure keeps hunting productive despite the 61% staffing shortage barrier: analysts hunt against specific TTP targets rather than browsing data without direction, dramatically increasing the likelihood that hunting time produces either a confirmed detection or a validated absence. CrowdStrike’s threat hunting service, for example, provides intelligence about specific eCrime and nation-state actors as hunt hypotheses for Falcon platform customers — direct operational expression of the intelligence-analytics integration model. The analytics infrastructure requirement for effective threat hunting is substantial: hunting requires petabyte-scale historical telemetry retention, sub-second query performance for interactive investigation, and a data model that preserves the full behavioral context of each event. CrowdStrike LogScale’s index-free architecture and Splunk’s SPL query language both serve this use case specifically — they’re designed for the ad-hoc, hypothesis-driven queries that threat hunting requires rather than the scheduled correlation rules that automated SIEM detection uses. Intel 471’s analysis of the SANS 2025 Threat Hunting Survey provides the practitioner-level detail on what separates effective in-house programs from those still struggling with the staffing and tooling challenges that 61% of organizations cite as primary barriers.

Frequently Asked Questions

What is security intelligence and analytics?

Security intelligence and analytics is the combined discipline that integrates threat intelligence (adversary-centric: who is attacking and how) with data analytics (environment-centric: what is actually happening in your systems). Security intelligence answers strategic questions about adversary identity, capability, and intent; security analytics processes telemetry data to detect anomalies, behavioral deviations, and known-bad indicators. Together they produce intelligence-led detection: threat intelligence directs what the analytics layer looks for (specific adversary TTPs translated into detection rules), and analytics results generate new intelligence requirements when detections reveal unknown techniques. Integrated programs outperform either alone because indicator-based detection misses adversaries who rotate infrastructure, while analytics without intelligence context produces detections without adversary attribution or response guidance.

What is intelligence-led detection in cybersecurity?

Intelligence-led detection is the practice of using threat intelligence (specifically adversary TTP mappings to MITRE ATT&CK) to direct analytics detection logic — building behavioral detection rules around the specific techniques known adversary groups use rather than relying primarily on static indicator matching. It works because advanced adversaries rotate infrastructure (IP addresses, domains, file hashes change constantly) but change TTPs rarely — their operational methodology is relatively stable because training new capabilities is expensive. TTP-based behavioral analytics built on intelligence-led hypotheses achieves a 59% reduction in false positives vs. legacy rule engines (Markets and Markets) because it’s modeling specific adversary behavior rather than pattern-matching against indicators that legitimate systems also generate. Intelligence-led detection programs use threat intelligence to generate hunting hypotheses and detection rules; analytics results feed back to generate new intelligence requirements.

How does threat intelligence integrate with security analytics platforms?

Threat intelligence integrates with security analytics platforms through three primary mechanisms: 1) STIX/TAXII indicator feeds — machine-readable threat intelligence format that SIEM platforms (Microsoft Sentinel, Splunk, Chronicle) ingest to automatically match ingested telemetry against known-bad indicators; 2) MITRE ATT&CK TTP mappings — adversary technique descriptions that inform behavioral detection rule design, with platforms like Sentinel and CrowdStrike mapping alerts to ATT&CK techniques for correlation; 3) Commercial TIP platforms (Recorded Future, Mandiant, Intel 471) providing enrichment APIs that analytics platforms call to add adversary context to detection hits. Microsoft Sentinel integrates natively with MDTI (Microsoft Defender Threat Intelligence) for contextual enrichment; CrowdStrike Next-Gen SIEM integrates Falcon Intelligence directly with endpoint telemetry; Splunk connects via threat intelligence framework modules to commercial and open-source feeds. The SANS 2025 survey found 58% of organizations manage threat hunting internally, suggesting the integration is becoming standard SOC capability.

What is the difference between threat intelligence and security analytics?

Threat intelligence is adversary-centric: it answers who is attacking (threat actor attribution), what they’re trying to do (objectives and intent), how they operate (TTPs, tools, infrastructure patterns), and what indicators they produce. It produces finished intelligence products (tactical IOC reports, operational TTP briefings, strategic threat assessments) consumed by security teams for decision-making. Security analytics is data-centric: it answers what is observable in the environment right now, using ML models, behavioral baselines, and correlation rules applied to collected telemetry (logs, network flows, endpoint events). The combination — intelligence-led analytics — uses threat intelligence findings as the analytical hypothesis set (search for behavior matching this actor’s known TTPs) and uses analytics findings as intelligence inputs (this anomaly doesn’t match known patterns, trigger an intelligence requirement). They’re complementary, not competing: intelligence without analytics is context without detection; analytics without intelligence is detection without adversary understanding.