Liberty91

How to Build a Collection Plan in 5 Steps

Most CTI teams collect intelligence the same way most people grocery shop without a list — you wander the aisles, grab what looks relevant, and come home with seventeen items you didn't need and none of the items you actually went there for.

A collection plan fixes this. It connects what intelligence your organisation needs (your Priority Intelligence Requirements, or PIRs) to where you'll find it (your sources) with how you'll get it (your collection methods). It sounds simple because it is simple. The hard part isn't the plan — it's having the discipline to follow it.

Here are five steps to build one that works.

Step 1: Start with your PIRs, not your sources

This is where most teams go wrong. They start by listing what sources they have, then figure out what intelligence those sources can produce. This is backwards.

Start with your Priority Intelligence Requirements. What questions does your organisation need answered? We covered PIRs in Post 1 of this series — they're the Direction phase of the intelligence lifecycle, and they drive everything else.


If you don't have documented PIRs, stop here and create them. Talk to your CISO, your SOC lead, your vulnerability management team, and your incident response lead. Ask each of them: “What questions about the threat landscape, if answered, would change how you make decisions?”

You'll typically end up with 5–10 PIRs. That's your collection target.

Example PIRs for a mid-market financial services company in the Gulf region:

  1. What threat actors are actively targeting financial institutions in the GCC?
  2. What TTPs are being used against our specific technology stack?
  3. Are any of our critical-severity vulnerabilities being exploited in the wild?
  4. Is there any indication that our organisation or brand is being discussed on dark web forums?
  5. What regulatory or compliance changes in the GCC affect our security posture?
  6. What emerging threats could affect our planned migration to cloud infrastructure?

Step 2: Map source categories to each PIR

For each PIR, identify which source categories can provide relevant information. Not specific products or vendors yet — categories.

Laid out as a matrix, with PIRs as rows and source categories as columns, this immediately reveals two things: which source categories you need, and where you have gaps. If a PIR has no primary source mapped to it, you either need to acquire a source or acknowledge a blind spot.

For the example PIRs above, the mapping might look like this:

  • GCC financial threat actors: OSINT (vendor blogs, CERT advisories), commercial feeds (sector-specific reports), dark web (actor communications), HUMINT (ISAC, peer sharing), internal telemetry (detection data)
  • TTPs against our tech stack: OSINT (researcher blogs, CVE databases), commercial feeds (TTP-focused), HUMINT (peers with similar stack), internal telemetry (detection patterns)
  • Vulnerability exploitation: OSINT (CISA KEV, exploit databases), commercial feeds (exploit intel), internal telemetry (scan results, WAF logs)
  • Brand mentions on dark web: Commercial dark web monitoring, direct dark web sources, law enforcement contacts
  • Regulatory changes: OSINT (government publications), HUMINT (industry contacts)
  • Cloud migration threats: OSINT (cloud security research), commercial feeds (cloud-focused reports), HUMINT (cloud security peers), internal telemetry (cloud security logs)

Step 3: Select specific sources (fewer than you think)

Now select specific sources within each category. The goal is minimum viable coverage — the smallest number of sources that adequately covers all your PIRs.

OSINT sources (the foundation — free or very low cost):

  • 2–3 sector-specific news and blog sources you'll monitor daily
  • Government advisory feeds for your region (CISA, regional CERTs)
  • Social media monitoring for key researchers and threat actors
  • Exploit and vulnerability databases (NVD, Exploit-DB)

Commercial intelligence (the investment — select 1–2 providers):

  • Choose based on sector coverage (financial, healthcare, government, etc.) and geographic focus
  • Evaluate whether their unique value is in indicators, analysis, or both
  • Ask for a trial and measure against your PIRs, not their feature list

Dark web (situational — only if PIR-driven):

  • If brand monitoring or threat actor tracking requires it
  • Automated monitoring services work for broad brand monitoring
  • Manual exploration requires specialised skills and time. You don't want to go there when you start out

HUMINT (the long-term investment):

  • ISAC membership active in your sector and region
  • Conference attendance and working group participation
  • Peer relationships built over time

Internal telemetry (already available — just connect it):

  • SOC detection logs and alert summaries
  • Incident response findings and post-incident reports
  • Vulnerability scan results and patch status
  • Email gateway and web proxy logs

For most mid-market organisations, this means roughly 8–15 sources total — a fraction of what many teams actually subscribe to. Each one is there for a reason, mapped to a specific PIR.

Step 4: Define collection frequency and responsibility

Not every source needs daily monitoring. Your collection plan should specify how often each source is checked and who's responsible.

  • Government advisories: Real-time automated alerts, analyst triage via RSS/API integration
  • Commercial vendor reports: Daily review by rotating CTI analyst via platform dashboard
  • OSINT monitoring: Continuous automated collection plus daily analyst review
  • Dark web monitoring: Daily automated alerts plus weekly deep review by senior analyst
  • Internal telemetry: Weekly CTI-SOC sync via standing meeting and shared dashboard
  • HUMINT (ISAC): As received, plus monthly contribution by CTI lead
  • Peer relationships: Opportunistic, all analysts, via email, Signal, conferences

The key insight here: most collection should be automated. The analyst's role is to review what automation surfaces, not to manually check fifty sources every morning. This is where collection tools and platforms add genuine value — not by providing more data, but by ensuring you don't miss data from the sources that matter.

Step 5: Review and prune quarterly

A collection plan is not a document you write once and file away. It needs quarterly review, because:

  • PIRs change. Your CISO's priorities shift. A new project creates new risks. A business acquisition changes your threat profile.
  • Sources decay. A feed you relied on changes its coverage. A key HUMINT contact moves to a different organisation. An OSINT blog goes dormant.
  • Threats evolve. The threat landscape a year from now won't look like today's. Your collection should evolve with it.

Every quarter, review:

  1. Are your PIRs still current? Has your CISO's focus shifted?
  2. For each PIR, can you still answer it with your current sources?
  3. Are any sources providing significantly less value than they did last quarter?
  4. Are there new sources that would address a gap you've identified?

Cancel what doesn't earn its place. Add what addresses a real gap. Resist the urge to accumulate “just in case.”
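The checks behind Steps 2, 4 and 5 can be run over the plan itself once it is written down as data rather than as a wall of bullets. This is an added example, not Liberty91's code or tooling: the PIR ids follow Step 1, the categories and cadences follow Steps 2 and 4, and the source names, owners, review dates and the cadence-to-days mapping are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Review cadences from Step 4 mapped to a maximum interval in days (constructed assumption).
FREQUENCY_DAYS = {"continuous": 1, "daily": 1, "weekly": 7, "monthly": 30, "as received": None}


@dataclass
class Source:
    name: str
    category: str               # OSINT, commercial, dark web, HUMINT, internal telemetry
    pirs: set                   # ids of the PIRs this source is collected for
    frequency: str              # key into FREQUENCY_DAYS
    owner: str                  # who reviews what the source surfaces
    last_reviewed: Optional[date] = None


def coverage_gaps(pirs, sources):
    """Step 2: PIRs with no source mapped to them, i.e. blind spots to acquire for or acknowledge."""
    covered = set().union(*(s.pirs for s in sources))
    return sorted(p for p in pirs if p not in covered)


def orphan_sources(pirs, sources):
    """Step 5: sources that serve none of the current PIRs, i.e. candidates to cancel."""
    return sorted(s.name for s in sources if not s.pirs & set(pirs))


def overdue_sources(sources, today):
    """Step 4: sources whose last review is older than their stated cadence allows."""
    overdue = []
    for s in sources:
        interval = FREQUENCY_DAYS[s.frequency]
        if interval is None:    # 'as received' has no fixed cadence to miss
            continue
        if s.last_reviewed is None or today - s.last_reviewed > timedelta(days=interval):
            overdue.append((s.name, s.owner))
    return overdue


# Constructed plan: the six PIRs from Step 1 by id; PIR9 stands for a requirement retired last quarter.
PIRS = {"PIR1", "PIR2", "PIR3", "PIR4", "PIR5", "PIR6"}
TODAY = date(2025, 3, 3)        # constructed date of the quarterly review
SOURCES = [
    Source("CISA KEV", "OSINT", {"PIR3"}, "continuous", "automation + analyst triage", date(2025, 3, 2)),
    Source("Regional CERT advisories", "OSINT", {"PIR1", "PIR3"}, "continuous", "automation + analyst triage", TODAY),
    Source("Commercial feed A", "commercial", {"PIR1", "PIR2"}, "daily", "rotating CTI analyst", date(2025, 2, 20)),
    Source("Dark web monitoring service", "dark web", {"PIR4"}, "daily", "rotating CTI analyst", TODAY),
    Source("Sector ISAC", "HUMINT", {"PIR1", "PIR2"}, "as received", "CTI lead"),
    Source("SOC detection summaries", "internal telemetry", {"PIR2"}, "weekly", "CTI-SOC sync", date(2025, 2, 22)),
    Source("Legacy vendor blog", "OSINT", {"PIR9"}, "daily", "rotating CTI analyst", TODAY),
]
```

In this constructed plan the regulatory and cloud-migration PIRs (PIR5, PIR6) have no source at all, the vendor blog only ever served a retired PIR, and two sources have slipped past their stated cadence, which is exactly the output a quarterly review should start from.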

The meta-lesson

The theme across everything written about intelligence sources comes down to this: collection is a means, not an end. The purpose of collection is to provide raw material for analysis. Every hour an analyst spends on collection plumbing is an hour they're not spending on the analytical work that produces actual intelligence.

The best collection plan is the one that delivers the right data to your analysts with the least friction. Whether that's through a well-curated set of manual sources, a fully automated pipeline, or a platform like Liberty91 that handles collection and processing end-to-end — the goal is the same: free your analysts to think.

Because thinking is where intelligence happens. Everything else is just gathering the ingredients.

This is Part 2 of the “CTI from the Trenches” series. Previous post: What CTI Actually Is.
