Threat Intelligence Glossary

A list of key threat intelligence (TI) terms, A to Z. Each term is briefly defined to help you speak the language of cyber threat intelligence (CTI).

A

Advanced Persistent Threat (APT)

A well-resourced, determined adversary (often state-sponsored) that conducts long-term, stealthy attacks against specific targets. APTs adapt to defenses and persist over time to steal data or undermine operations.

B

Blacklist / Blocklist

A list of known-malicious indicators (IP addresses, domains, URLs, file hashes) that security controls block outright. The opposite of an allowlist (whitelist), which enumerates what is permitted. Blocklists need maintenance: stale entries for re-assigned IP addresses or shared hosting are a common source of false positives.

C

Cyber Threat Intelligence (CTI)

Evidence-based, actionable knowledge about threats: who is attacking, why, and how (their infrastructure, tools and TTPs). CTI exists to inform defensive decisions, from blocking an indicator to prioritising a patch.

CISO (Chief Information Security Officer)

Executive responsible for an organization's cybersecurity strategy, often using TI to make risk-informed decisions.

CVE (Common Vulnerabilities and Exposures)

A unique identifier (format CVE-YYYY-NNNN, with four or more digits) assigned to a publicly disclosed vulnerability. In threat intel, CVE IDs tie observed exploitation to a specific software flaw and to the vendor fix for it.

D

Dwell Time

The elapsed time between an attacker's initial compromise and their detection. Reducing dwell time, i.e. detecting intrusions earlier, is a core goal of TI.

E

Exploit

Code or a technique that takes advantage of a vulnerability, typically to execute code or gain access. In TI, CVEs known to be exploited in the wild are tracked as signals of emerging threats and used to prioritise patching.

F

False Positive

An alert or IOC match that flags benign activity as a threat. High false-positive rates waste analyst time and cause alert fatigue; well-curated TI reduces them by attaching context to each indicator (confidence, age, source, whether it has been revoked) rather than shipping bare lists.

I

Indicator of Compromise (IOC)

Artifacts observed on a host or network that indicate a likely breach, such as IP addresses, domains, file hashes and filenames. IOCs are cheap to match against logs, but also cheap for an attacker to change.

Indicator of Attack (IOA)

Evidence of an attack in progress expressed as adversary behaviour (for example, an Office application spawning a script interpreter, or a login followed by mass file encryption) rather than as static artifacts. IOAs are more proactive than IOCs: they can fire before the compromise is complete, and changing an IP address or recompiling a payload does not evade them.
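As an added example (not code from the original page), here is the IOA idea in working form: one behaviour rule run over constructed endpoint process-creation events. The hosts, paths, command lines, placeholder hashes and the `classify`/`hunt` helper names are assumptions made for this illustration and belong to no real product; the ATT&CK technique IDs in the comments are the real ones for the behaviours named.

```python
"""Behaviour-based (IOA) detection over constructed endpoint process events.

Added example, not code from the original page. Events, hosts and command
lines are constructed. The rule encodes one behaviour: an Office application
spawning a script interpreter, optionally with an encoded command line. It
matches whatever file hash or C2 address the attacker used (ATT&CK T1204.002
User Execution: Malicious File, T1059.001 Command and Scripting Interpreter:
PowerShell).
"""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# PowerShell's -EncodedCommand switch (abbreviated -e/-ec/-enc) followed by a
# base64 blob: a classic sign of a macro-launched stager.
ENCODED_CMD = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)

# Constructed EDR process-create events; the hashes are placeholders.
EVENTS = [
    {"host": "WS-042",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
     "sha256": "00" * 32},
    {"host": "WS-042",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1",
     "sha256": "00" * 32},
    {"host": "WS-017",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir",
     "sha256": "11" * 32},
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a severity for the event, or None if the behaviour is absent.

    The image hash is deliberately not consulted: events 1 and 2 run the same
    legitimate powershell.exe binary, and only the parent/child relationship
    and the command line separate the attack from the backup job.
    """
    if basename(event["parent"]) not in OFFICE_APPS:
        return None
    if basename(event["image"]) not in SCRIPT_HOSTS:
        return None
    if ENCODED_CMD.search(event["cmdline"]):
        return "high"    # Office -> script host with an encoded payload
    return "medium"      # Office -> script host; review, may be a legitimate macro


def hunt(events):
    """Apply the IOA rule to a list of events; return (host, severity) hits."""
    hits = []
    for event in events:
        severity = classify(event)
        if severity is not None:
            hits.append((event["host"], severity))
    return hits


if __name__ == "__main__":
    for host, severity in hunt(EVENTS):
        print(f"{host}: Office application spawned a script host ({severity})")
```

The backup job on WS-042 produces no hit even though it runs the same `powershell.exe` as the attack, and the Excel-to-cmd event on WS-017 is surfaced at a lower severity for review: that is the trade-off an IOA makes, fewer hashes to keep current in exchange for rules that need tuning against legitimate automation.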

Incident Response (IR)

The process of identifying, containing, and eradicating attacks. TI feeds IR by providing context (e.g. known TTPs of the attacker).

K

Kill Chain

A model of the stages of an intrusion. The best-known is Lockheed Martin's Cyber Kill Chain (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives). It is often used alongside ATT&CK to place observed TTPs in a phase of the attack and to show where the chain can be broken.

L

Log File

Records of events in systems or network devices. TI platforms often analyze logs to match IOCs or detect anomalies.

M

Malware

Malicious software (viruses, trojans, ransomware, etc.). Malware family names, file hashes and observed behaviours are key IOCs and TTPs in threat intelligence.

MITRE ATT&CK

A curated knowledge base of adversary tactics, techniques and procedures (TTPs) derived from real-world observations, maintained by MITRE. It is used to model adversary behaviour, map detections to techniques and find coverage gaps.

O

OSINT (Open Source Intelligence)

Information gathered from publicly available sources (websites, social media, code repositories, paste sites, public records). Raw OSINT is valuable but must be collected, validated and analysed before it becomes intelligence.

P

Phishing

A social engineering technique using deceptive emails, messages or sites to steal credentials or deliver malware. Phishing campaigns are tracked in TI together with their IOCs (sender domains, landing pages, attachment hashes).

R

Ransomware

Malware that encrypts data, and increasingly also exfiltrates it, then demands payment. Ransomware families, their affiliates and their behaviours (TTPs) are high-priority intel topics.

S

SIEM (Security Information and Event Management)

A system that collects logs and security events. TI inputs (IOCs, TTPs) are often fed into SIEM for automated detection.

SOC (Security Operations Center)

The team/department that monitors security alerts. SOCs use TI daily to understand alerts and hunt threats.

STIX (Structured Threat Information eXpression)

A standardized format for sharing threat intel between systems. STIX 2.x is JSON-based and represents indicators, malware, threat actors, TTPs and the relationships between them as linked objects.
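As an added example (not code from the original page), here is how the Log File, SIEM and STIX entries fit together in practice: a constructed STIX 2.1 bundle is parsed for atomic indicators, and those are matched against constructed log lines, with an allowlist and the STIX `revoked` flag serving as false-positive controls. The bundle contents, log lines, allowlist and the helper names (`indicator`, `extract_iocs`, `match_logs`) are all assumptions made for this example; the STIX property names and pattern syntax are the real ones.

```python
"""Pull atomic IOCs out of a STIX 2.1 bundle and match them against log lines.

Added example, not code from the original page. The bundle, allowlist and log
lines are constructed: addresses come from documentation ranges, the domain is
under the reserved .invalid TLD and the hash is a placeholder. Only STIX
patterns made of simple equality comparisons joined by OR are handled (the
shape most IOC feeds use), not the full STIX Patterning language.
"""
import json
import re


def indicator(n, name, pattern, confidence=None, revoked=False):
    """Build a minimal STIX 2.1 Indicator SDO (required properties only)."""
    sdo = {"type": "indicator", "spec_version": "2.1",
           "id": f"indicator--a1b2c3d4-1111-4a6d-9d2b-{n:012d}",
           "created": "2024-01-10T09:00:00.000Z",
           "modified": "2024-01-10T09:00:00.000Z",
           "name": name, "indicator_types": ["malicious-activity"],
           "pattern_type": "stix", "pattern": pattern,
           "valid_from": "2024-01-10T00:00:00Z"}
    if confidence is not None:
        sdo["confidence"] = confidence
    if revoked:
        sdo["revoked"] = True
    return sdo


# Constructed bundle. The last indicator is revoked, which is how a producer
# withdraws an IOC that turned out to be wrong.
STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--0f3d6a1e-1111-4a6d-9d2b-000000000001",
    "objects": [
        indicator(2, "C2 infrastructure (constructed)",
                  "[ipv4-addr:value = '203.0.113.10'] OR "
                  "[domain-name:value = 'update.example.invalid']", 80),
        indicator(3, "Dropper sample (constructed)",
                  "[file:hashes.'SHA-256' = '" + "1234567890abcdef" * 4 + "']", 90),
        indicator(4, "Shared hosting seen in phishing (constructed)",
                  "[ipv4-addr:value = '198.51.100.25']", 30),
        indicator(5, "Old scanner (constructed, withdrawn)",
                  "[ipv4-addr:value = '192.0.2.77']", revoked=True),
    ],
})

# One comparison: [object-type:property = 'value']; the property may hold a
# quoted key such as hashes.'SHA-256'.
COMPARISON = re.compile(
    r"\[\s*([a-z0-9-]+):((?:[a-z0-9_.\[\]-]|'[^']*')+)\s*=\s*'([^']*)'\s*\]")
# Tokens worth looking up: IPv4 addresses, SHA-256 hashes, host names.
TOKEN = re.compile(
    r"\b(?:\d{1,3}\.){3}\d{1,3}\b|\b[0-9a-f]{64}\b|\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b",
    re.I)


def extract_iocs(bundle_json):
    """Map each indicator value (lower-cased) to its Indicator object.

    Revoked indicators are skipped: matching withdrawn IOCs is a classic
    source of false positives when a feed is consumed naively.
    """
    iocs = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue
        for _otype, _prop, value in COMPARISON.findall(obj["pattern"]):
            iocs[value.lower()] = obj
    return iocs


def match_logs(log_text, iocs, allowlist=frozenset()):
    """Scan log lines token by token; return one hit per IOC value seen."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for token in TOKEN.findall(line):
            key = token.lower()
            if key in allowlist:
                continue  # known-benign infrastructure: suppress, do not alert
            if key in iocs:
                hits.append({"line": lineno, "ioc": key,
                             "indicator": iocs[key]["name"],
                             "confidence": iocs[key].get("confidence")})
    return hits


# Constructed proxy, DNS and EDR log lines in a simple key=value style.
LOGS = """\
2024-02-01T10:15:02Z proxy src=10.0.0.5 dst=203.0.113.10 host=cdn.example.com status=200
2024-02-01T10:15:09Z dns client=10.0.0.7 query=update.example.invalid type=A
2024-02-01T10:16:44Z edr host=WS-042 event=process_create sha256=1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef image=C:\\Users\\a\\x.exe
2024-02-01T10:17:00Z proxy src=10.0.0.9 dst=198.51.100.25 host=mirror.example.com status=200
2024-02-01T10:18:31Z proxy src=10.0.0.9 dst=192.0.2.77 host=old.example.com status=404
"""
# Constructed allowlist: the shared-hosting address is also our package mirror.
ALLOWLIST = frozenset({"198.51.100.25"})


if __name__ == "__main__":
    for hit in match_logs(LOGS, extract_iocs(STIX_BUNDLE), ALLOWLIST):
        print(f"line {hit['line']}: {hit['ioc']} -> {hit['indicator']} "
              f"(confidence {hit['confidence']})")
```

Matching is done on extracted tokens rather than by substring search, so `203.0.113.100` will not light up the `203.0.113.10` indicator. Two controls keep the output honest: the revoked indicator never enters the lookup table, so the stale 192.0.2.77 hit is never raised, and the allowlisted mirror address is dropped even though the feed still carries it at low confidence. Real feeds also carry `valid_until`; a production matcher should drop expired indicators the same way this one drops revoked ones.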

TAXII (Trusted Automated eXchange of Intelligence Information)

The HTTPS-based transport protocol (API) that carries STIX content between systems: producers publish objects into collections and consumers poll them. STIX defines what is said; TAXII defines how it is exchanged.

Supply Chain Attack

Compromising a third-party component, vendor or service to breach the real target through a trusted channel (e.g. a poisoned software update or a malicious dependency). TI tracks indicators such as tampered update packages, stolen or misused code-signing certificates and compromised build infrastructure.

T

Threat Actor

An individual or group (hacker, hacktivist, APT group) behind attacks. Profiles of known actors (with their TTPs) are part of CTI.

Tactic, Technique, Procedure (TTP)

The three levels at which adversary behaviour is described in frameworks such as ATT&CK: a tactic is the adversary's goal at a stage of the attack (e.g. Persistence), a technique is how that goal is achieved (e.g. Scheduled Task), and a procedure is the specific implementation a given actor has been observed using. TTPs are harder for an attacker to change than IOCs, which is why CTI prioritises them.

Threat Feed

A data feed (often commercial or open-source) providing up-to-date IOCs, malware signatures, etc., which can be integrated into security tools.

Threat Hunting

Proactive search for undetected threats. Analysts use TI (especially TTPs and IOCs) to guide hunts.

V

Vulnerability

A flaw in software, hardware or configuration that an attacker can exploit. In TI, knowing which vulnerabilities are being actively exploited in the wild, whether unpatched zero-days or older flaws for which a fix already exists, is crucial for prioritising remediation.

X

XDR (Extended Detection and Response)

A security architecture that correlates data across endpoints, network, cloud, etc. XDR tools often embed TI (e.g., ATT&CK mapping).

Y

YARA

A pattern-matching tool and rule language for identifying files by their content: a rule names text strings, hex byte sequences or regular expressions and a condition that combines them. TI analysts write YARA rules to hunt for malware families that share code but not hashes.

Z

Zero-day

A vulnerability unknown to the vendor (or to the public) and therefore without an available patch; the term is also used for exploits of such flaws. Threat intel teams watch closely for reports of zero-days being exploited in the wild so that mitigations can be applied before a fix ships.
