The Four Types of Threat Intelligence: Strategic, Operational, Tactical, Technical.
The four types of threat intelligence are strategic, operational, tactical and technical. Strategic intelligence informs leadership decisions about risk and investment. Operational intelligence describes specific threat actors and their campaigns. Tactical intelligence covers the techniques and behaviour attackers use. Technical intelligence is the atomic indicators, such as malicious IP addresses, domains and file hashes, that security tools act on directly.
The most useful way to hold the four in your head is not as four separate products but as the same intelligence seen at four different altitudes. Strategic is the view from orbit; technical is the view through a loupe. Each altitude answers a different question, serves a different audience, and stays useful for a different length of time. The sections below walk through each one, then look at how they fit together and where the common confusion between tactical and technical comes from.
Strategic threat intelligence
Strategic intelligence answers the highest-level question an organisation has about threats: who might come after us, why, and what does that mean for how we manage risk. It deals in trends, motivations, geopolitics and sector-level targeting rather than individual attacks. It is largely non-technical, and its job is to inform decisions about strategy, budget and priorities.
The audience is leadership: the board, executives and the CISO. An example is an assessment that ransomware activity against your sector and region has risen over the past two quarters, with a shift toward data-extortion rather than encryption, supporting a case for investment in backup resilience and detection. Strategic intelligence has the longest shelf life of the four, because the patterns it describes move over months and years rather than hours.
Operational threat intelligence
Operational intelligence is about specific threats: a named threat actor, an active campaign, a particular piece of malware. It describes who is operating, what their intent and capability are, and how they go about an attack. Where strategic intelligence tells you the weather, operational intelligence tells you about a specific storm that is forming.
The audience is the people who plan and run defence: the threat intelligence team, threat hunters and incident responders. A typical product is a profile of an actor known to target your sector, covering their preferred initial-access methods, tooling and objectives, used to prioritise hunts and shape detection coverage. We go deeper on building these in our piece on threat actor profiling for defenders. Its shelf life sits in the middle, useful for as long as the campaign or actor remains active.
Tactical threat intelligence
Tactical intelligence is the attacker's behaviour: the tactics, techniques and procedures they use, usually expressed in the language of MITRE ATT&CK. It answers the question a detection engineer cares about most: how does this adversary actually operate, step by step, so we can catch it. Where operational intelligence says who and what, tactical intelligence says how.
The audience is the SOC and detection engineering. An example is the observation that an actor gains a foothold through spearphishing with malicious shortcut files, then relies on built-in Windows tools rather than custom malware to move quietly. That description translates directly into detection logic. Because changing how you operate is expensive for an attacker, tactical intelligence is more durable than the indicators that sit below it.
Technical threat intelligence
Technical intelligence is the atomic detail of an attack, the indicators of compromise: IP addresses, domains, URLs, file hashes and signatures tied to malicious activity. It is built to be consumed by machines as much as by people, feeding straight into a SIEM, SOAR, firewall or threat intelligence platform so that known-bad things are blocked and detected automatically.
The audience here is as much tooling as it is human. The shelf life is the shortest of the four: an attacker can rotate an IP address or recompile a file in minutes, so a technical indicator can be stale within days. That short half-life is exactly why technical intelligence needs scoring and decay built in, and why it is most valuable when it arrives already assessed for relevance rather than as a raw, undated list.
How the four types fit together
It is tempting to map the four types straight onto the Pyramid of Pain, but the two are different ideas that happen to line up. The pyramid is David Bianco's model of how much it hurts an attacker when you deny them a particular indicator, which is really a measure of how hard that indicator is for them to change. A file hash sits at the bottom because recompiling to a fresh hash is trivial; IP addresses and domains are a little harder; the tactics, techniques and procedures an actor relies on sit at the top, because reworking how they operate is genuinely expensive. For the defender the relationship runs the other way: the artefacts that are cheap for an attacker to swap are the easy ones for you to spot, while the behaviour that is costly for them to change is the harder, and more durable, thing to detect.
Held loosely against the four types, technical intelligence lines up with the base of the pyramid and tactical intelligence with its peak, which is the same durability gradient the sections above describe. Operational intelligence, the named actor and campaign, sits roughly alongside the upper bands. Strategic intelligence sits outside the pyramid altogether: it deals in trends, motivation and geopolitics rather than any artefact or behaviour left behind in a single intrusion, so the pyramid has no rung for it. The point worth keeping is the one the pyramid was built to make. The lower you anchor your defence, the easier it is for an attacker to sidestep, and the higher you push it, the more your work costs them.
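The scoring and decay that the technical section above calls for, together with the durability gradient the pyramid describes, worked through as an added example (illustrative code, not Liberty91's; the half-lives, thresholds and indicator values are assumed and constructed, and the TTP row is there only to show the gradient):

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed half-lives in days, ordered by how cheap the artefact is for an attacker
# to change (hash cheapest, behaviour dearest). Illustrative values, not a standard.
HALF_LIFE_DAYS = {"hash": 3.0, "ip": 14.0, "domain": 30.0, "ttp": 365.0}

# Constructed reference time so the example is deterministic.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


@dataclass
class Indicator:
    value: str
    kind: str                 # key into HALF_LIFE_DAYS
    last_seen: datetime
    base_confidence: float    # analyst assessment at last_seen, 0..100
    relevant_to_org: bool     # touches our sector or assets?


def decayed_score(ind: Indicator, now: datetime = NOW) -> float:
    """Exponential decay of confidence with age; halve again if not relevant to us."""
    age_days = max(0.0, (now - ind.last_seen).total_seconds() / 86400)
    decay = 0.5 ** (age_days / HALF_LIFE_DAYS[ind.kind])
    score = ind.base_confidence * decay
    if not ind.relevant_to_org:
        score *= 0.5
    return round(score, 1)


def triage(indicators, now=NOW, block_at=60.0, retire_below=25.0):
    """Map each indicator to (score, action): block, alert-only, or retire from the feed."""
    result = {}
    for ind in indicators:
        score = decayed_score(ind, now)
        action = "block" if score >= block_at else "alert" if score >= retire_below else "retire"
        result[ind.value] = (score, action)
    return result


def sample_feed():
    """Constructed indicators; hash and network values are placeholders, not real IoCs."""
    return [
        Indicator("sha256:PLACEHOLDER-FRESH", "hash", NOW, 100, True),
        Indicator("sha256:PLACEHOLDER-OLD", "hash", NOW - timedelta(days=3), 100, True),
        Indicator("203.0.113.10", "ip", NOW - timedelta(days=28), 80, True),
        Indicator("malicious.example", "domain", NOW, 90, False),
        Indicator("T1566.001 spearphishing attachment", "ttp", NOW - timedelta(days=365), 100, True),
    ]
```

Calling `triage(sample_feed())` shows a three-day-old hash already at half confidence while a year-old behaviour retains the same score, which is the point of the gradient.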
A mature intelligence function does not pick one altitude. It produces all four from the same underlying work, then routes each to the audience that can act on it. The same campaign can yield a paragraph in the board's quarterly briefing, an actor profile for the hunt team, a set of detection rules for the SOC, and a scored indicator feed for the firewall. What decides which products you produce, and for whom, is your set of intelligence requirements: the standing questions your organisation needs answered. We cover that connective tissue on our Intelligence Requirements page and, more broadly, in our guide to the intelligence lifecycle.
Why tactical and technical get confused
Of the four types, tactical and technical are the two people mix up most, and the literature does not help: some respected sources use the labels the other way around, and others collapse them into one. The distinction worth holding onto is behaviour versus artefact. Tactical intelligence is the behaviour, the repeatable way an actor works. Technical intelligence is the artefact, the specific indicator left behind on a given day. Behaviour is durable and expensive to change; artefacts are disposable. When you read any threat report, it is worth checking which of the two a section is really describing, regardless of the label it uses.
Where Liberty91 fits
Most teams do not struggle to understand the four types. They struggle to produce all four consistently, because doing so by hand means turning one body of research into a board summary, an actor profile, a set of detections and an indicator feed, over and over. That assembly work is where analyst time goes, and it is the part Liberty91 is built to carry.
From one set of per-organisation Intelligence Requirements, Liberty91 produces output at every altitude: strategic and operational reads for the people who need the narrative, tactical detection content such as Sigma rules, and scored, enriched technical indicators and STIX bundles for the tooling downstream. The same requirement serves the human who reads it, the machine that ingests it, and the automated agent that acts on it, which means a small team can cover all four types instead of choosing which one they have time for. If that is the gap you are trying to close, our platform overview is the place to start.
Start for free.
Set your own Intelligence Requirements and let Liberty91 produce all four types from one body of work: strategic and operational reads, tactical detections, and scored technical indicators. A free tier is on the way, so register now and we will tell you the moment it opens.
Prefer the command line?
Our open-source CTI Skills pack gives analysts free, MIT-licensed tools for enriching IOCs, profiling threat actors and writing Sigma, YARA and KQL detections inside your own AI coding agent.
Frequently asked questions.
What are the four types of threat intelligence?
The four types are strategic, operational, tactical and technical. Strategic intelligence informs leadership decisions about risk and investment. Operational intelligence describes specific threat actors and campaigns. Tactical intelligence covers the techniques and behaviour attackers use. Technical intelligence is the atomic indicators, such as malicious IP addresses, domains and file hashes, that tools act on. They are not separate products so much as the same intelligence viewed at four different altitudes, each aimed at a different audience and decision.
What is the difference between tactical and technical threat intelligence?
Technical intelligence is the atomic indicators of an attack: IP addresses, domains, URLs and file hashes. Tactical intelligence is the behaviour behind them, the tactics, techniques and procedures an actor uses, often mapped to MITRE ATT&CK. The practical difference is durability. An attacker can swap an IP address or recompile a file in minutes, so technical indicators decay quickly. Changing how they actually operate is far more expensive, so tactical intelligence stays useful for longer. These two terms are the most frequently confused, and some sources use them the other way around, so it is worth checking how any given report defines them.
What are the 5 stages of threat intelligence?
The stages refer to the intelligence lifecycle, which is commonly described as five or six steps: direction, collection, processing, analysis, dissemination and feedback. Some models fold processing into collection or analysis to make five. Whichever count you use, the loop is the same: set requirements, gather data, turn it into usable form, assess it, deliver it to the people who need it, and feed their response back into the next cycle.
Which type of threat intelligence does a SOC need, and which does the board need?
A SOC consumes mostly technical and tactical intelligence: indicators to block and detect on, and the attacker behaviour to build detections around. A board consumes strategic intelligence: what the threat landscape means for the organisation's risk and where to invest. Operational intelligence sits in between and serves the CTI team, threat hunters and incident responders. A good intelligence function produces all four from the same underlying work rather than treating them as separate efforts.
Is technical threat intelligence the same as IOCs?
Largely yes. Technical threat intelligence is built around indicators of compromise: the IP addresses, domains, URLs, file hashes and signatures associated with malicious activity. The important caveat is that a list of indicators on its own is data, not finished intelligence. It becomes intelligence when it has been assessed for relevance to your organisation, scored, and given the context that tells you what to do with it.