There is a tier system in threat intelligence that almost no vendor will explain to you, because explaining it honestly shrinks their addressable market. So I will. Threat intel comes in four tiers — strategic, operational, tactical, and technical — and most organizations spend six figures on the wrong tier for their actual security program.
The Four Tiers
Strategic intel answers "what is the threat landscape for my industry over the next 12–24 months?" It is written for board members and CISOs. Think Mandiant's annual M-Trends, Verizon's DBIR, CrowdStrike's Global Threat Report, ENISA Threat Landscape. It shapes risk appetite and budget, not Monday-morning tickets.
Operational intel answers "which threat groups are targeting organizations that look like mine, and how?" This is the campaign-level work: APT41 shifting to edge-device exploitation, Scattered Spider pivoting from retail to insurance, LockBit's rebrand splinters. It drives threat-informed defense and detection priorities.
Tactical intel answers "what TTPs are adversaries using right now?" MITRE ATT&CK mappings, command lines observed in breaches, tooling fingerprints, living-off-the-land patterns. This is where detection engineering lives.
Technical intel is the atomic layer — IPs, domains, hashes, JA3 fingerprints, YARA rules. Perishable. Useful only if your pipeline can ingest, deduplicate, age, and retire it on a schedule measured in hours.
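As an added illustration of the ingest, deduplicate, age and retire cycle this paragraph describes (example code written for this piece, not from any vendor or feed; the feed format, the TTL values and the feed lines are all constructed):

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# Retention per indicator type (constructed values): network indicators rot in
# hours or days, while file hashes stay valid far longer.
TTL = {"ip": timedelta(hours=24), "domain": timedelta(days=7), "sha256": timedelta(days=365)}

# Constructed feed lines in a hypothetical "kind,value,iso_time,source" format.
SAMPLE_FEED = """
ip,203.0.113.7,2024-05-01T08:00:00,feedA
IP,203.0.113.7,2024-05-02T09:30:00,feedB
domain,Bad.Example,2024-05-01T10:00:00,feedA
sha256,deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef,2024-01-15T00:00:00,feedA
"""
@dataclass
class Indicator:
    kind: str
    value: str
    first_seen: datetime
    last_seen: datetime
    sources: set = field(default_factory=set)
class IndicatorStore:
    """Dedupes on (kind, value): earliest first_seen, latest last_seen, all sources."""
    def __init__(self):
        self.items = {}

    def ingest(self, kind, value, seen_at, source):
        key = (kind.lower(), value.strip().lower())  # normalise so feeds dedupe
        if key[0] not in TTL:
            raise ValueError(f"unknown indicator type: {key[0]}")
        ind = self.items.get(key)
        if ind is None:
            ind = self.items[key] = Indicator(key[0], key[1], seen_at, seen_at, {source})
        else:  # re-sighting: refresh the age clock, keep the original first_seen
            ind.first_seen = min(ind.first_seen, seen_at)
            ind.last_seen = max(ind.last_seen, seen_at)
            ind.sources.add(source)
        return ind

    def retire(self, now):
        """Drop indicators not re-sighted within their TTL; return the removed keys."""
        expired = [k for k, i in self.items.items() if now - i.last_seen > TTL[i.kind]]
        for k in expired:
            del self.items[k]
        return expired

def load_feed(store, text):
    # Ingest every feed line; duplicates collapse into one Indicator record.
    for line in text.strip().splitlines():
        kind, value, ts, source = line.split(",")
        store.ingest(kind, value, datetime.fromisoformat(ts), source)
    return store
```

Run the retire step on a schedule (hourly, per the paragraph above) so that an IP seen once two days ago stops generating blocks and alerts while a hash reported in January stays.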
The Most Common Mismatches
A mid-market manufacturer buys a $180k premium IOC feed and has no SIEM correlation rules to consume it. They needed operational intel — a quarterly briefing about what's hitting the sector — not another 40,000 indicators per day expiring in their firewall memory.
A Fortune 500 bank with a mature SOC buys glossy strategic reports and ignores operational feeds. They already know the landscape. What they need is the TTP update: that LockBit's post-affiliate diaspora is reusing the same Cobalt Strike watermarks, or that Volt Typhoon's living-off-the-land patterns now include specific PowerShell invocations.
A 50-person startup pays for tactical intel because the sales rep was good. They have two engineers and no detection engineering capacity. A free CISA KEV subscription and a weekly Krebs read would cover 90% of their decision-useful input.
Paid vs. Free
The uncomfortable truth: the delta between free and paid at the technical tier has collapsed. CISA KEV, abuse.ch (URLhaus, ThreatFox, MalwareBazaar), AlienVault OTX, Shodan free tier, Censys community — these cover the base case. Paid feeds matter when you need (a) enrichment (actor attribution, confidence scoring, first-seen timestamps), (b) non-public sources (underground forums, credential marketplaces), or (c) SLAs for takedowns and legal attestation.
At the strategic and operational tiers, the paid/free gap is wider — but much of the best operational work is published for free by Mandiant, CrowdStrike, Microsoft Threat Intelligence, Talos, Unit 42, Red Canary, and government CERTs. If your operational intel budget is zero, you still have plenty to read.
A Practitioner's Reading List, By Tier
Strategic: Mandiant M-Trends (annual), Verizon DBIR (annual), CrowdStrike Global Threat Report, IBM X-Force Threat Intelligence Index, ENISA Threat Landscape.
Operational: Mandiant blog, Microsoft Threat Intelligence, Google TAG, Unit 42 (Palo Alto), Red Canary Threat Detection Report, Cisco Talos, The DFIR Report, Recorded Future blog, Group-IB reports.
Tactical: MITRE ATT&CK updates, Sigma rule repos, Atomic Red Team, Elastic Security Labs, SpecterOps posts, Florian Roth's rules.
Technical: CISA KEV, the abuse.ch family (URLhaus, Feodo Tracker, ThreatFox, MalwareBazaar), Shodan, Censys, VirusTotal Intelligence (paid, but the free tier covers a lot).
The Question to Ask Before Buying
Which decision will this intel change? If you cannot name a specific decision — a detection to write, a control to deploy, a vendor to call, a briefing to give — the intel will die in a dashboard nobody opens. Buy the tier that matches the decisions you actually make.