The Threat Intelligence Lifecycle: Six Phases Explained.

The threat intelligence lifecycle is the process that turns raw data about threats into finished intelligence that someone can act on. It is most often described as six phases that run in a loop: direction, collection, processing, analysis, dissemination and feedback. Each phase hands its output to the next, and the feedback at the end shapes the direction at the start, which is why it is drawn as a cycle rather than a straight line.

The model is borrowed from the wider intelligence community, where it is usually called the intelligence cycle, and adapted for cyber threat intelligence (CTI). It matters because it is the difference between a team that reacts to whatever lands in the inbox and one that decides in advance what it needs to know, gathers against that, and delivers answers the business can use. This piece defines the lifecycle, walks through each phase, and clears up the common confusion over whether there are five stages or six.

What is the threat intelligence lifecycle?

The threat intelligence lifecycle is a repeatable framework for producing intelligence. It starts from a question worth answering, gathers the data that bears on it, turns that data into an assessment, delivers the assessment to whoever needs it, and uses their response to sharpen the next round. “Intelligence cycle” and “intelligence lifecycle” refer to the same idea, and in a CTI context you will also see “CTI lifecycle” and “intel cycle” used interchangeably.

The point of the framework is discipline. Without it, collection sprawls, analysis chases whatever is loudest, and reports go to people who cannot act on them. With it, every step is anchored to a requirement, so the work stays relevant and the output reaches the right desk.

Intelligence is not the data you collect. It is the judgement you produce from it, delivered in time to change a decision.

The six phases of the intelligence lifecycle

1. Direction

Direction is where the lifecycle begins: deciding what the organisation actually needs to know. These standing questions are usually written as intelligence requirements, and the most important of them as priority intelligence requirements (PIRs). A good requirement is specific enough to collect against and tied to a real decision, for example “which ransomware groups are actively targeting our sector and region, and how do they gain initial access?”

Direction is easy to under-invest in, yet everything downstream inherits its focus from here, so time spent getting the requirements right pays back across the rest of the cycle. We cover how to set and maintain these in our guide to Intelligence Requirements.

2. Collection

Collection is the gathering of raw data against the requirements set in direction. Sources span open-source reporting, commercial and community feeds, internal telemetry, dark-web monitoring and human contacts. The aim is not to collect everything: it is to collect what the requirements call for, from sources you can justify. Disciplined collection follows a plan rather than a reflex, a topic we walk through in how to build a collection plan in five steps.

3. Processing

Processing turns the raw haul into something analysts can actually work with. It covers deduplicating indicators across sources, normalising formats, translating, enriching indicators with context, and scoring and ageing them so stale data does not crowd out fresh signal. On a small team this phase is often invisible, folded into collection or analysis, which is exactly why those teams drown in volume. The work is real whether or not anyone names it.

4. Analysis

Analysis is where data becomes intelligence. The analyst assesses what the processed information means, weighs it against alternative explanations, assigns confidence, and forms a judgement that answers the original requirement. This is the phase that separates intelligence from a longer list of facts. Good analysis is explicit about its reasoning and its uncertainty, and it often draws on structured techniques and frameworks such as MITRE ATT&CK to keep the thinking honest.

5. Dissemination

Dissemination is the delivery of the finished intelligence to the people who need it, in a form they can use. The same underlying assessment may go out as a board-level paragraph, an actor profile for the hunt team, and a scored indicator feed for the firewall, because a CISO and a SOC analyst need different things from the same work. Intelligence that never reaches a decision-maker, or that arrives in a form they cannot read, has failed regardless of how good the analysis was.

6. Feedback

Feedback closes the loop. The recipients tell you whether the intelligence answered their question, what they still need, and what changed as a result. That response feeds straight back into direction, refining the requirements for the next cycle. A lifecycle without feedback is just a production line that never learns. With it, the whole process gets sharper every turn.

Five stages or six?

You will see the lifecycle described as five stages, six stages, and occasionally four or seven. The disagreement is cosmetic, not substantive. The most common five-stage version folds processing into collection or analysis, leaving direction, collection, analysis, dissemination and feedback. Some models also merge feedback into direction, giving four. Others split planning and direction apart to reach seven.

When someone asks “what are the five stages of threat intelligence?”, the honest answer is that the count depends on how finely the source slices the same continuous process. What matters is not the number but that every step happens: requirements are set, data is gathered and prepared, judgement is formed, it is delivered, and the result feeds the next round. We use six here because naming processing separately reflects where a lot of real CTI effort actually goes.

A loop, not a line

The reason the lifecycle is drawn as a circle is that intelligence is never finished. A delivered assessment changes what the organisation knows, which changes what it needs to know next, which resets the requirements and starts the cycle again. Treating it as a one-off line, gather, analyse, report, done, is how programmes calcify around yesterday's questions. The loop is also where speed compounds: a team that completes the cycle quickly can run it many more times, and each pass is better informed than the last. The deeper practitioner view of running it as a high-tempo loop is in our practitioner's guide to the intelligence lifecycle.

The lifecycle also explains why the four types of threat intelligence, strategic, operational, tactical and technical, are not separate processes. They are different outputs of the same loop, each shaped by the requirements that started it.

Where Liberty91 fits

The lifecycle is simple to describe and hard to run, because doing every phase well, for every requirement, every day, is more work than most teams have hours for. Collection sprawls, processing eats analyst time, and the cycle slows to the point where intelligence arrives after the decision it was meant to inform.

Liberty91 runs the lifecycle at machine speed against your own Intelligence Requirements. It collects across open-source, commercial and dark-web sources, does the processing that turns raw feeds into scored and enriched indicators, drafts the analysis, and disseminates finished products tailored to each reader, from a strategic brief to a STIX bundle. The team still sets direction and owns the judgement; the platform carries the assembly so a small function can complete the loop in hours rather than weeks. If that is the gap you are trying to close, our platform overview is the place to start.