Threat Intelligence Providers: Directory
The threat intelligence sector encompasses organizations that collect, process, analyze, and disseminate structured information about adversaries, attack infrastructure, and vulnerabilities — enabling security teams to anticipate and counter threats before they materialize. This directory covers the classification of threat intelligence provider types, the operational mechanisms behind intelligence delivery, regulatory and standards frameworks that govern the space, and the decision boundaries that separate provider categories. Understanding how this sector is structured is essential for any organization evaluating cybersecurity service providers or refining a broader security program.
Definition and scope
Threat intelligence is formally defined by NIST SP 800-150 (Guide to Cyber Threat Information Sharing) as information about threats and threat actors that helps organizations protect themselves. The scope of this service category spans four recognized intelligence tiers:
- Strategic intelligence — High-level analysis of threat actor motivations, geopolitical drivers, and long-term trend forecasting aimed at executive and board-level decision-making.
- Operational intelligence — Campaign-level information about specific threat actor tactics, techniques, and procedures (TTPs) used to inform security architecture and incident response planning.
- Tactical intelligence — Technical details about specific attack methods, malware families, and adversary infrastructure — often mapped to the MITRE ATT&CK framework, a publicly available knowledge base maintained by MITRE Corporation.
- Technical intelligence — Atomic indicators of compromise (IOCs) such as IP addresses, file hashes, and domain names, consumed directly by security tools for blocking and detection.
Providers in this sector range from pure-play intelligence firms and government-affiliated information sharing organizations to the intelligence functions embedded within managed security service providers and security operations center providers. Regulatory frameworks including CISA's sharing guidelines and the Cybersecurity Information Sharing Act of 2015 (CISA 2015, Pub. L. 114-113) govern how threat data is shared, particularly between private entities and federal agencies.
How it works
The intelligence lifecycle follows a structured, repeatable process regardless of provider type. NIST SP 800-150 identifies six discrete phases:
- Planning and direction — The consuming organization or the provider defines intelligence requirements: which threat actors, sectors, or asset classes are in scope.
- Collection — Raw data is gathered from open-source intelligence (OSINT), dark web monitoring, honeynets, sensor networks, closed-source feeds, and human intelligence (HUMINT) sources.
- Processing — Unstructured data is normalized, deduplicated, and formatted — commonly into STIX (Structured Threat Information eXpression), exchanged over the TAXII (Trusted Automated eXchange of Intelligence Information) transport protocol; both are standardized under OASIS Open.
- Analysis — Analysts apply context, assess confidence levels, and attribute activity to known threat actor groups.
- Dissemination — Finished intelligence is delivered via API feeds, portal dashboards, structured reports, or ISAC (Information Sharing and Analysis Center) channels.
- Feedback — Consuming teams report on the utility and accuracy of intelligence to refine collection and analysis priorities.
The technical delivery layer typically uses STIX 2.1 as the data format and TAXII 2.1 as the transport protocol, enabling automated machine-to-machine intelligence sharing that integrates directly with SIEM platforms, firewalls, and endpoint detection tools.
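As an added example (not from the page or any provider's code), the consuming side of that delivery layer: a STIX 2.1 indicator bundle is parsed, expired indicators are dropped, the atomic patterns are turned into an IOC table, and that table is run over log lines. The bundle, indicator ids, IOC values and log lines are constructed sample data, and only single-comparison patterns are handled.

```python
# Added example, not from the page or any provider: consume a STIX 2.1 indicator
# bundle and turn its atomic patterns into log detections. All ids, timestamps,
# IOC values and log lines below are constructed sample data.
import json
import re
from datetime import datetime, timezone

def _indicator(n, pattern, valid_until=None):
    obj = {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
           "id": f"indicator--00000000-0000-4000-8000-{n:012d}", "pattern": pattern,
           "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
           "valid_from": "2024-01-01T00:00:00Z"}
    if valid_until:
        obj["valid_until"] = valid_until
    return obj

SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [_indicator(2, "[ipv4-addr:value = '203.0.113.7']"),
                _indicator(3, "[domain-name:value = 'bad.example.net']"),
                _indicator(4, "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"),
                _indicator(5, "[ipv4-addr:value = '198.51.100.9']", "2024-06-01T00:00:00Z")]})

SAMPLE_LOGS = ["proxy: 10.0.0.5 -> bad.example.net GET /update",
               "fw: allow 10.0.0.7 -> 198.51.100.9:443",      # matches only an expired IOC
               "edr: hash " + "ab" * 32 + " executed on host-12"]

# Single-comparison STIX patterns as shipped in atomic IOC feeds; compound
# patterns (AND / OR / FOLLOWEDBY) are deliberately left unmatched.
_ATOMIC = re.compile(r"^\[([\w-]+):[\w.'-]+ = '([^']+)'\]$")

def extract_iocs(bundle_json, now=None):
    """Return {stix_object_type: {ioc_value: indicator_id}} for indicators still valid at `now`."""
    now = now or datetime.now(timezone.utc)
    iocs = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("spec_version") != "2.1":
            continue  # only STIX 2.1 indicators carry the patterns acted on here
        if obj.get("pattern_type", "stix") != "stix":
            continue  # snort/yara/sigma patterns need their own engines
        until = obj.get("valid_until")
        if until and datetime.fromisoformat(until.replace("Z", "+00:00")) <= now:
            continue  # expired: blocking on stale IOCs causes false positives
        m = _ATOMIC.match(obj["pattern"])
        if m:
            iocs.setdefault(m.group(1), {})[m.group(2)] = obj["id"]
    return iocs

def match_logs(iocs, log_lines):
    """Return (line_no, ioc_value, indicator_id) for each log line containing a live IOC."""
    return [(n, value, ind_id) for n, line in enumerate(log_lines, 1)
            for table in iocs.values() for value, ind_id in table.items() if value in line]
```

Keeping the indicator id with each hit is what lets a SOC feed the result back to the provider in the feedback phase.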
Common scenarios
Threat intelligence providers serve distinct use cases that map to organizational maturity and threat profile:
- Financial services firms regulated under GLBA or NY DFS Part 500 (23 NYCRR 500) engage intelligence providers to monitor for account takeover campaigns, fraud infrastructure, and sector-specific threat actor activity. The Financial Services ISAC (FS-ISAC) coordinates sector-level sharing.
- Healthcare organizations subject to HIPAA Security Rule requirements (45 CFR Part 164) use threat intelligence to track ransomware groups specifically targeting electronic protected health information (ePHI) systems — a use case covered in the HIPAA cybersecurity requirements reference.
- Defense contractors operating under CMMC 2.0 (32 CFR Part 170) are required to consume and act on threat intelligence as part of incident response and media protection controls.
- Critical infrastructure operators receive intelligence through CISA's Automated Indicator Sharing (AIS) program, which distributes machine-readable IOCs at no cost to enrolled participants.
- Organizations managing third-party exposure use threat intelligence feeds to monitor for compromise indicators linked to their supplier ecosystem — a function that intersects directly with third-party risk management.
Decision boundaries
Selecting between provider categories requires distinguishing across four primary dimensions:
Vendor-provided vs. independent intelligence: Security platform vendors (SIEM, EDR) bundle proprietary threat feeds tied to their sensor telemetry. Independent intelligence providers offer multi-source, vendor-neutral analysis — typically with broader adversary coverage but requiring integration effort.
Finished intelligence vs. raw feed: Raw IOC feeds require internal analytical capacity to contextualize and act on. Finished intelligence reports are pre-analyzed and immediately actionable for leadership briefings or architecture decisions, but update more slowly than automated feeds.
Sector-specific vs. general coverage: ISACs — including the Health-ISAC, E-ISAC (energy), and FS-ISAC — provide sector-contextualized intelligence under CISA's ISAC framework that general-purpose providers cannot replicate for regulated industries.
Integration depth: Organizations evaluating providers for SOC integration should cross-reference cybersecurity vendor selection criteria to assess SIEM compatibility, API availability, STIX/TAXII support, and SLA structures before committing to a feed contract.
For organizations building out the broader security function, threat intelligence operates as a dependency layer for incident response firms, vulnerability assessment providers, and penetration testing firms — each of which relies on current adversary context to perform accurately scoped engagements.
References
- NIST SP 800-150: Guide to Cyber Threat Information Sharing
- MITRE ATT&CK Framework
- OASIS CTI Technical Committee (STIX/TAXII Standards)
- CISA Cyber Information Sharing Program
- CISA Automated Indicator Sharing (AIS)
- CISA Information Sharing and Analysis Organizations (ISAOs)
- Cybersecurity Information Sharing Act of 2015, Pub. L. 114-113
- 23 NYCRR 500 — NY DFS Cybersecurity Regulation
- 45 CFR Part 164 — HIPAA Security Rule (eCFR)
- 32 CFR Part 170 — CMMC 2.0 (eCFR)