Safeguard
Best Practices

What is Threat Intelligence

Threat intelligence turns raw indicators into actionable defense. Here's what it actually is, its four types, and how it applies to software supply chains.

James
Principal Security Architect
7 min read

Threat intelligence is the practice of collecting, analyzing, and operationalizing data about active and emerging cyber threats so security teams can make faster, better-informed defensive decisions. It spans everything from a raw indicator of compromise — an IP address, a file hash, a malicious npm package name — to a fully contextualized profile of an adversary group's tools, infrastructure, and motives. The discipline exploded in visibility after incidents like the December 2020 SolarWinds breach and the December 2021 Log4Shell vulnerability (CVE-2021-44228), both of which showed how a single piece of timely intelligence — a compromised build server, a vulnerable logging library — can cascade into thousands of downstream compromises. For software supply chain security specifically, threat intelligence now increasingly means tracking malicious packages published to npm, PyPI, and other registries, not just watching network traffic. This post breaks down what threat intelligence actually is, how it's classified, and how it applies directly to the code and dependencies your teams ship.

What Is Threat Intelligence, Exactly?

Threat intelligence is evidence-based knowledge about existing or emerging threats — including indicators, mechanisms, and implications — that has been collected, processed, and analyzed to support a security decision. The key word is "analyzed." A list of 50,000 malware hashes dumped into a spreadsheet is threat data, not threat intelligence; it becomes intelligence once someone determines which of those hashes are relevant to your environment, why the associated malware family targets organizations like yours, and what action to take. Gartner has used this analyzed/actionable framing since at least 2013, and the definition has held up because it draws a hard line between noise and signal. In practice, a mature threat intelligence function ingests dozens of feeds — CISA's Known Exploited Vulnerabilities (KEV) catalog, vendor advisories, dark web forum scrapes, GitHub Security Advisories — and filters them down to the handful of items that actually affect a given technology stack that week.

What Are the Four Types of Threat Intelligence?

Threat intelligence is generally split into four types — strategic, tactical, operational, and technical — each serving a different audience and time horizon. Strategic intelligence is high-level and forward-looking, the kind a CISO uses to brief a board, such as a 2024 report noting that state-sponsored groups increasingly target open-source package registries as an initial access vector. Tactical intelligence covers adversary tactics, techniques, and procedures (TTPs), often mapped to the MITRE ATT&CK framework's 14 tactic categories, and is used by threat hunters to build detection logic. Operational intelligence focuses on specific incoming campaigns — for example, knowing that a threat actor is actively scanning for unpatched Apache Struts instances this week. Technical intelligence is the most granular tier: concrete indicators of compromise (IOCs) like the SHA-256 hash of a malicious package version, a C2 domain registered three days ago, or a specific typosquatted package name such as reqeusts targeting users who mistype requests. Security teams that only consume technical IOCs without the strategic and operational context around them tend to drown in alerts without understanding priority.

How Is Threat Intelligence Actually Collected and Turned Into Action?

Threat intelligence is produced through a repeatable cycle — direction, collection, processing, analysis, dissemination, and feedback — commonly called the intelligence lifecycle, and skipping any stage is why most feeds go stale on a shelf. Collection pulls from open-source intelligence (OSINT) like security researcher blogs and CVE databases, closed-source feeds from vendors, and internal telemetry such as EDR and SIEM logs. Processing normalizes formats — converting a PDF advisory into a structured STIX 2.1 object, for instance — so machines can correlate it against internal asset inventories. Analysis is where a human or model decides relevance: does this newly disclosed CVE-2024-3094 (the XZ Utils backdoor, discovered March 29, 2024, after a Microsoft engineer noticed a 500-millisecond SSH login delay) actually affect any system in our environment, and if so, which ones are internet-facing versus air-gapped? Dissemination gets that answer to the right team inside minutes, not days — the median time between public disclosure and mass exploitation attempts for high-severity CVEs has shrunk to under 5 days in several 2023–2024 CISA advisories. Feedback closes the loop by telling collectors whether last week's intel actually mattered, which is the step almost every immature program drops.

Why Does Threat Intelligence Matter for Software Supply Chain Security Specifically?

Threat intelligence matters for supply chain security because the attack surface has shifted from your own code to the thousands of open-source packages and build dependencies you don't control. The 2020 SolarWinds Orion compromise inserted malicious code (SUNBURST) into a legitimate software build process, ultimately reaching roughly 18,000 customers before detection. The 2024 XZ Utils backdoor was even more targeted: a maintainer account cultivated over two years planted a backdoor in liblzma versions 5.6.0 and 5.6.1 designed to give an attacker remote SSH access on affected Linux systems, and it was caught only days before landing in stable Debian and Fedora releases. Sonatype's 2023 State of the Software Supply Chain report logged over 245,000 malicious packages discovered that year alone across npm, PyPI, and other ecosystems — more than the combined total of all prior years tracked. Threat intelligence in this context means monitoring registry activity for dependency confusion attacks, typosquats, and maintainer account takeovers in near real time, because a malicious package can be pulled by an automated CI pipeline and into a production build within minutes of publication, long before a traditional vulnerability scanner would ever flag it.

What's the Difference Between Threat Intelligence and Vulnerability Management?

Threat intelligence tells you what attackers are actually doing right now; vulnerability management tells you what weaknesses theoretically exist in your systems — and conflating the two is one of the most common reasons remediation backlogs balloon. The National Vulnerability Database adds roughly 25,000-30,000 new CVEs per year as of 2023-2024, and no team can patch all of them with equal urgency. Threat intelligence is the filter: CISA's KEV catalog, which as of mid-2024 lists over 1,100 vulnerabilities confirmed as actively exploited in the wild, exists precisely to tell defenders which subset of that 25,000+ CVE flood deserves same-week attention. A CVE with a CVSS score of 9.8 sitting in a library your application never actually calls is lower real-world risk than a CVSS 7.5 flaw in a package with a public proof-of-concept exploit and confirmed in-the-wild activity. Effective programs pair vulnerability data (what could be exploited) with threat intelligence (what is being exploited) and reachability data (what's actually callable in your running application) to rank the true handful of issues that matter this sprint.

How Do Security Teams Operationalize Threat Intelligence Day to Day?

Security teams operationalize threat intelligence by feeding it directly into the tools that gate deployments, rather than treating it as a separate report someone reads once a month. That means wiring KEV catalog updates and vendor advisories into CI/CD pipelines so a build fails automatically if a newly-weaponized CVE appears in the dependency tree, and enriching SBOMs (Software Bills of Materials) with live exploitation status rather than static severity scores. NIST's SP 800-161 and the White House's 2021 Executive Order 14028 both push organizations toward this SBOM-plus-intelligence model specifically because static, point-in-time scans miss vulnerabilities that become critical only after public exploitation begins. Teams also track maintainer and registry-level signals — sudden ownership transfers, publish spikes from dormant accounts, packages requesting unusual install-time network access — as leading indicators, since these preceded both the 2022 ua-parser-js npm compromise and multiple 2023 PyPI account-takeover incidents by hours to days.

How Safeguard Helps

Safeguard operationalizes threat intelligence directly inside the software supply chain, rather than leaving it as a separate feed your team has to manually cross-reference. Reachability analysis takes incoming threat intelligence — a newly disclosed CVE or a KEV catalog addition — and determines whether the vulnerable function is actually callable in your application's runtime path, cutting through the noise of theoretical exposure. Griffin AI continuously correlates that intelligence against your live SBOM, generated automatically or ingested from existing tooling, to flag which of your dependencies match active exploitation patterns before they hit a scanner's weekly cadence. When a match is confirmed, Safeguard can open an auto-fix PR with the patched dependency version already resolved and tested against your build, shrinking the gap between "this is being exploited in the wild" and "this is shipped fixed" from days to hours.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.