The security intelligence cycle is the structured, iterative process that converts raw data into actionable intelligence — enabling security teams to detect, analyze, and respond to threats with direction rather than noise. The framework derives from military and government intelligence methodology refined over decades and adapted to cybersecurity operations: a six-phase cycle of Direction, Collection, Processing, Analysis, Dissemination, and Feedback that drives threat intelligence programs at organizations ranging from regional SOCs to global intelligence agencies. Mandiant’s M-Trends 2025, based on 450,000+ hours of consulting investigations, puts global median dwell time at 11 days — up from 10 in 2023 — with externally notified organizations averaging 26 days compared to 10 days for those that detected breaches internally. That 16-day gap is the operational case for a functional security intelligence cycle: organizations that run structured intelligence programs detect faster because they know what they’re looking for before the attacker is already inside. The Gartner threat intelligence market projection tells a parallel story: the segment grows from $1.1 billion in 2021 to a projected $2.79 billion by 2027 at 15.6% CAGR, reflecting enterprise security programs formalizing intelligence functions that previously ran informally or not at all. The failure mode Gartner identifies is just as telling: “Many organizations still lack adequate focus and structure to make the best use of the TI they’ve chosen to consume” — a direct description of intelligence cycle failure at the Direction phase, where unclear requirements produce unfocused collection that produces analysis no one acts on.
- Security intelligence cycle: 6 phases — Direction, Collection, Processing, Analysis, Dissemination, Feedback — iterative, not linear; derived from military intelligence methodology
- Mandiant M-Trends 2025: global median dwell time 11 days; externally notified = 26 days, internally detected = 10 days — 16-day gap closes with structured intelligence programs
- F3EAD (Find, Fix, Finish, Exploit, Analyze, Disseminate) — military-origin operational cycle for time-critical binary questions; intersects with the standard lifecycle at the Collection phase
- Priority Intelligence Requirements (PIRs): structured requirements that drive the Direction phase; mature programs maintain a long-term PIR list updated twice yearly
- Three intelligence levels: Strategic (board/executive), Operational (security managers, campaign context), Tactical (SOC analysts, IOCs)
The Six Phases of the Security Intelligence Cycle: Direction Through Feedback

Direction: Priority Intelligence Requirements and What Actually Drives Collection
The Direction phase is where most threat intelligence programs fail — not at the technical layer, but at the requirements layer. Direction means defining what the intelligence program needs to answer: which threats are relevant, which assets are at risk, which adversary capabilities matter to this organization in this sector at this moment. The formal output of a mature Direction phase is a set of Priority Intelligence Requirements (PIRs) — structured statements of the critical intelligence questions decision-makers need answered to reduce risk. According to FIRST’s Cyber Threat Intelligence SIG Curriculum, mature programs maintain a long-term prioritized PIR list that is updated twice yearly, with short-term requirements escalated to the top as conditions change. The gap between organizations that run structured PIR processes and those that don’t shows up in collection efficiency: without PIRs, collection defaults to ingesting whatever feeds are available rather than targeting data that answers specific questions. ISACA’s 2025 guidance, “Threat Intelligence Isn’t Just a Feed,” makes this precise — intelligence without a requirements framework is data management, not an intelligence program. The three levels at which intelligence requirements are set determine what the program produces: Strategic requirements (set by CISO, board, and executive leadership) drive intelligence about industry-level threat trends, regulatory exposure, and geopolitical risk; Operational requirements (set by security managers and threat intelligence leads) drive intelligence about active campaigns, threat actor TTPs, and infrastructure targeting the organization; Tactical requirements (set by SOC team leads and detection engineers) drive intelligence about specific IOCs, malware families, and exploitation techniques that translate directly into detection rules. 
Organizations that don’t distinguish these levels produce intelligence that doesn’t match the consumer — tactical IOC dumps sent to executives, or strategic threat landscape reports sent to SOC analysts running detection correlation.
Collection, Processing, and Analysis: Converting Raw Data Into Usable Intelligence
Collection is the phase most organizations equate with “threat intelligence” — it’s the subscription layer, the feed ingestion, the telemetry aggregation. Practical collection sources span internal and external: internal network logs, endpoint telemetry, firewall events, and DNS query data; external commercial threat feeds (Recorded Future, Mandiant, Anomali), open-source feeds (SANS ISC DShield, CINS Army List, Abuse.ch URLhaus/MalwareBazaar/ThreatFox), government sharing programs (CISA Automated Indicator Sharing using STIX format), and closed-source sources including dark web forums and vendor-specific intelligence. The FIRST TIQ-Test (Threat Intelligence Quotient Test) framework provides the methodology for evaluating collection quality: the Novelty Test measures how frequently feed indicators change and how quickly stale indicators are aged out; the Overlap Test assesses how much duplicate indicator data exists across feeds; the Coverage Test measures whether a feed contributes independently to detection beyond what other sources already cover; and the Impact Test measures how many actual detections a feed generates in the consuming organization’s environment. IBM X-Force’s 2025 Threat Intelligence Index, based on IBM’s global monitoring of 150+ billion security events daily, found an 84% increase in emails delivering infostealers in 2024 compared to the prior year, and that the top five infostealers alone had more than 8 million dark web advertisements in 2024; these figures illustrate the collection scale that commercial platforms aggregate. Processing converts collected raw data into analysis-ready formats through correlation, deduplication, ranking, and enrichment (extracting IP addresses, parsing domains, tagging MITRE ATT&CK techniques).
The IBM X-Force findings that critical infrastructure accounted for 70% of all IBM incident response engagements in 2024, and that manufacturing was the most-attacked industry for the fourth consecutive year, are examples of the analytical outputs that emerge from processing large-scale collection: patterns that inform detection and PIR adjustments for organizations in those sectors. Analysis is the human judgment layer that turns processed data into intelligence: applying structured analytical techniques, assessing adversary intent and capability, correlating observed behaviors against known threat actor profiles, and producing finished intelligence products (tactical IOC reports, operational threat actor briefings, strategic threat landscape assessments) tailored to the appropriate consumer level.
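The four TIQ-Test checks described above, as an added example that is not FIRST's own tooling: it scores three constructed feeds (RFC 5737 documentation addresses) against their previous snapshot, against each other, and against constructed firewall log lines standing in for the consuming organization's telemetry. Feed names, snapshot days and the log line format are assumptions.

```python
# Added example (not FIRST's own TIQ-Test tooling): the four feed tests computed over
# constructed feed snapshots and log lines (RFC 5737 documentation addresses, not real IOCs).
from itertools import combinations

# feed name -> {snapshot day: set of indicators}; the highest day is the latest snapshot
FEEDS = {
    "feedA": {1: {"192.0.2.10", "192.0.2.11", "192.0.2.12"},
              2: {"192.0.2.10", "192.0.2.13", "192.0.2.14"}},
    "feedB": {1: {"192.0.2.10", "192.0.2.11", "198.51.100.5"},
              2: {"192.0.2.10", "192.0.2.11", "198.51.100.5"}},
    "feedC": {1: {"203.0.113.7"}, 2: {"203.0.113.7", "203.0.113.8"}},
}
# constructed firewall log lines: the consuming organization's own telemetry
LOGS = [
    "2025-01-02T10:00:01Z action=deny src=192.0.2.13 dst=10.0.0.5",
    "2025-01-02T10:00:07Z action=deny src=198.51.100.5 dst=10.0.0.9",
    "2025-01-02T10:00:09Z action=allow src=10.0.0.2 dst=10.0.0.9",
]

def novelty(feed):
    """Novelty Test: share of the newest snapshot absent from the previous one (0.0 = static list)."""
    prev, cur = (feed[day] for day in sorted(feed)[-2:])
    return len(cur - prev) / len(cur) if cur else 0.0

def overlap(a, b):
    """Overlap Test: Jaccard similarity of two indicator sets (duplicate data across feeds)."""
    return len(a & b) / len(a | b) if a | b else 0.0

def coverage(name, latest):
    """Coverage Test: fraction of a feed's indicators that no other feed supplies."""
    mine = latest[name]
    others = set().union(*(s for n, s in latest.items() if n != name))
    return len(mine - others) / len(mine) if mine else 0.0

def src_ip(line):
    """Extract the src= field; exact matching so 192.0.2.1 can never hit 192.0.2.13."""
    return next((tok[4:] for tok in line.split() if tok.startswith("src=")), None)

def impact(indicators, logs):
    """Impact Test: log lines whose source IP is a feed indicator (detections the feed produced)."""
    return sum(src_ip(line) in indicators for line in logs)

def score_feeds(feeds=FEEDS, logs=LOGS):
    latest = {n: snaps[max(snaps)] for n, snaps in feeds.items()}
    report = {n: {"novelty": round(novelty(feeds[n]), 2),
                  "coverage": round(coverage(n, latest), 2),
                  "impact": impact(latest[n], logs)} for n in feeds}
    for a, b in combinations(sorted(latest), 2):
        report[f"{a}/{b}"] = {"overlap": round(overlap(latest[a], latest[b]), 2)}
    return report
```

Impact is the only test that cannot be computed from the feeds alone: it depends on the consumer's own logs, which is why the same feed scores differently in different environments.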
Operationalizing the Security Intelligence Cycle: PIRs, F3EAD, and Intelligence Levels

F3EAD: The Operational Intelligence Cycle for Time-Critical Security Decisions
The F3EAD cycle (Find, Fix, Finish, Exploit, Analyze, Disseminate) originated in US Special Operations Forces targeting methodology and was adapted for cybersecurity operational response. Where the six-phase intelligence cycle is designed for continuous program-level intelligence production, F3EAD is designed for time-critical binary questions — “Is this breach active?”, “Is this IP still serving malware?”, “Has this threat actor moved into our environment?” — that require rapid action rather than deliberate analytical production. The FIRST CTI SIG Curriculum distinguishes F3EAD operation modes: Rigid (original requirements cannot change mid-cycle, appropriate for formal incident response where scope must remain consistent) and Flexible (allows mid-cycle requirement adjustment and phase reversal, appropriate for active threat hunting where early findings redirect collection). The two cycles intersect at Collection: the Find phase of F3EAD corresponds to the Collection phase of the six-phase cycle, with F3EAD providing the operational urgency layer and the intelligence cycle providing the broader analytical context. The Cyber Kill Chain (Lockheed Martin, 2011) and MITRE ATT&CK framework operate at a different level — they are threat models that describe adversary behavior rather than operational cycles, and both are used during the Analysis phase of the intelligence cycle to map observed behaviors to known adversary patterns. The Diamond Model of Intrusion Analysis (adversary, capability, infrastructure, victim) provides a complementary analytical framework for the Analysis phase that structures how intelligence analysts characterize incidents and threat actors. Organizations running mature intelligence cycles use all three — Kill Chain, ATT&CK, and Diamond Model — in Analysis, while reserving F3EAD for operational incident contexts. 
Mandiant M-Trends 2025’s finding that when adversaries themselves notify (typically ransomware operators), dwell time drops to 5 days, compared to 26 days for external notifications, reflects the F3EAD dynamic: ransomware operators run their own highly efficient operational cycle (Find → Fix → Finish) from intrusion to impact, while defenders whose intelligence cycle isn’t operating effectively don’t detect the intrusion until the attacker completes their cycle first.
Dissemination, Feedback, and the Intelligence Cycle as Continuous Improvement System
Dissemination converts finished analysis into formats that intelligence consumers can act on — tactical IOC lists pushed directly to SIEM detection rules via STIX/TAXII, operational threat briefings for security managers making prioritization decisions, and strategic threat landscape reports for CISO and board-level risk discussions. The Dissemination phase is where intelligence programs fail most visibly: producing intelligence that isn’t consumed because it doesn’t match the consumer’s format, role, or decision-making timeframe. The operational design principle is consumer-centric production — the format and cadence of dissemination are determined by what the consumer needs, not what the analyst finds interesting to produce. Tactical intelligence needs near-real-time delivery into automated systems; strategic intelligence needs quarterly or annual reporting that frames risk in business terms. The Feedback phase closes the cycle by evaluating whether produced intelligence answered the PIRs and drove decisions — and adjusting requirements, collection, and analytical focus accordingly. The iterative nature of the cycle is where its value compounds: each cycle pass improves requirements precision, tightens collection relevance, and refines analytical technique. The Gartner market projection that the threat intelligence segment reaches $2.79 billion by 2027 at 15.6% CAGR reflects the enterprise shift from treating threat intelligence as a feed subscription to running it as a formal program with all six cycle phases staffed and measured. ISACA’s 2025 “Threat Intelligence Isn’t Just a Feed” framing and Intel 471’s guidance on translating PIRs into collection requirements both articulate the same operational requirement: intelligence cycle maturity isn’t about tool capability, it’s about process discipline — knowing what questions you’re trying to answer, collecting against those questions, and measuring whether the answers you produced drove better decisions.
Mandiant’s M-Trends 2025 full data is available at Google Cloud’s M-Trends 2025 report, which provides the dwell time and initial infection vector statistics that frame the operational case for structured intelligence cycles. FIRST’s CTI SIG Curriculum at first.org covers the methodology layer for both the six-phase cycle and F3EAD in practitioner-oriented detail.
Frequently Asked Questions
What is the security intelligence cycle?
The security intelligence cycle is the structured, iterative six-phase process that converts raw security data into actionable intelligence: Direction (setting intelligence requirements and PIRs), Collection (gathering data from internal telemetry, threat feeds, and open sources), Processing (deduplication, correlation, enrichment), Analysis (human judgment layer turning processed data into finished intelligence products), Dissemination (delivering intelligence to the right consumers in the right format), and Feedback (evaluating impact and refining requirements). The cycle is iterative — Feedback drives updated Direction requirements, which reorient Collection, creating continuous improvement rather than a one-time analysis. The framework originates from military and government intelligence methodology and has been adapted for enterprise cybersecurity programs. Organizations with structured intelligence cycles detect breaches faster: Mandiant M-Trends 2025 shows internally-detected breaches average 10 days dwell time versus 26 days when external parties notify.
What are the 6 phases of the threat intelligence lifecycle?
The six phases of the threat intelligence lifecycle: 1) Direction — define Priority Intelligence Requirements (PIRs), identify which threats matter to your organization, set collection priorities; 2) Collection — gather data from internal logs, commercial feeds, open-source feeds (SANS ISC, CINS Army List, Abuse.ch), government sharing programs (CISA AIS), and closed-source dark web sources; 3) Processing — deduplicate, correlate, rank, and enrich raw data into analysis-ready formats (STIX normalization, ATT&CK tagging, IP/domain extraction); 4) Analysis — apply structured analytical techniques, map to threat actor profiles, produce finished intelligence products at Strategic/Operational/Tactical levels; 5) Dissemination — deliver intelligence in consumer-appropriate formats (STIX/TAXII for SIEM, briefings for security managers, reports for CISO/board); 6) Feedback — evaluate whether intelligence answered PIRs, drove decisions, and adjust requirements accordingly. The cycle runs continuously; each pass refines requirements precision and collection relevance.
What are Priority Intelligence Requirements (PIRs)?
Priority Intelligence Requirements (PIRs) are structured statements of the critical intelligence questions that decision-makers must answer to reduce organizational risk — they are the formal output of the Direction phase of the intelligence cycle. PIRs translate business risk questions into intelligence collection requirements: “Which threat actors are actively targeting financial services infrastructure in our geographic region?” or “What exploitation techniques are being used against our specific technology stack?” Mature intelligence programs maintain a long-term prioritized PIR list updated twice yearly, with short-term requirements escalated when conditions change (new threat actors emerge, new vulnerabilities are exploited, regulatory landscape shifts). Without PIRs, threat intelligence programs default to collecting whatever feeds are available, producing analysis that doesn’t match organizational risk priorities. FIRST’s CTI SIG Curriculum and Intel 471’s guidance both identify PIR development as the highest-leverage practice in intelligence cycle maturity — it determines the relevance and utility of everything produced downstream.
How does F3EAD differ from the standard intelligence cycle?
F3EAD (Find, Fix, Finish, Exploit, Analyze, Disseminate) and the six-phase intelligence cycle serve different functions: the intelligence cycle is a continuous program-level framework for ongoing intelligence production; F3EAD is an operational cycle for time-critical binary security decisions. F3EAD originated in US Special Operations Forces targeting methodology and was adapted for cybersecurity incident response and active threat hunting. It is designed for questions like “Is this breach still active?” or “Is this threat actor still in the environment?” that require rapid operational action. The two cycles intersect at Collection (F3EAD’s Find phase): F3EAD provides the urgency and operational focus for active-threat situations, while the intelligence cycle provides the broader analytical context and historical intelligence that informs F3EAD’s Find phase. FIRST’s CTI SIG Curriculum describes two F3EAD modes: Rigid (fixed scope, for formal incident response) and Flexible (allows mid-cycle requirement adjustment, for active threat hunting). F3EAD should be deployed sparingly — for questions with direct strategic operational impact — not as a replacement for the standard intelligence cycle.