
Using OpenCTI and OpenAEV to Execute the Intelligence Cycle

May 15, 2026 6 min read

The intelligence cycle is straightforward in theory: define what you need to know, collect the right data, analyze it, share it with the right teams, then learn from the outcome.
In day-to-day operations, it’s harder to keep that loop connected. Requirements drift away from collection, analysis gets buried in tooling, and feedback arrives informally, if it arrives at all.

This article shows how to run a practical intelligence cycle using OpenCTI to manage priority intelligence requirements (PIRs), collection, enrichment, analysis, and dissemination, then using OpenAEV to operationalize that intelligence and generate structured feedback you can feed back into the next iteration.


TL;DR

  • Use OpenCTI to define PIRs, automate collection, enrich data, and produce finished intelligence aligned to the intelligence cycle.
  • Use OpenCTI live streams and reports to disseminate intelligence to operational and strategic stakeholders.
  • Send prioritized indicators and attack patterns from OpenCTI to OpenAEV to create scenarios and simulations.
  • Use OpenAEV results to measure security coverage and feed actionable feedback back into OpenCTI, closing the loop of the intelligence cycle.

Part 1: Run Direction, Collection, Processing, and Analysis in OpenCTI

OpenCTI is a threat intelligence platform (TIP) in which analysts document Priority Intelligence Requirements (PIRs), track collection against them, and analyze the collected data to address them.

In the context of the intelligence cycle, OpenCTI supports:

  • Direction through PIR definition and ownership
  • Collection through continuous monitoring and ingestion
  • Processing through enrichment connectors and organization
  • Analysis through investigations, pivots, and relationship mapping
  • Dissemination through live streams and finished intelligence reports

Direction and Collection: Define PIRs and automate monitoring

OpenCTI includes a PIR module where analysts can define requirements and enable automatic monitoring based on criteria such as targeted regions and sectors.

Once configured, OpenCTI continuously monitors for incoming data that matches the PIR criteria and ties it back to the relevant PIR. This keeps collection anchored to direction, which is where many intelligence cycle implementations start to drift.

[Figures: PIR Module; PIR Module with Scores]

Processing: Enrich and organize incoming intelligence

As collection continues through premium feeds, open sources, and manually imported intelligence, analysts can process and enrich incoming data using enrichment connectors.

Because the data is organized through the PIR workflow, analysts can filter to focus on high-score, high-fidelity items and prioritize what deserves deeper investigation. This step is essential to keep the intelligence cycle efficient, not noisy.

Analysis and Dissemination: Turn findings into action

From the enriched dataset, analysts can pivot to identify:

  • malware commonly used by a threat actor or intrusion set
  • additional indicators
  • related attack patterns

From there, they can disseminate intelligence in several ways:

  • Live streams to third-party tools (for example, SIEMs and EDRs)
  • Finished intelligence reports using templates
  • Threat-informed scenarios created in OpenAEV (covered in Part 2)

[Figures: Live Streams; Establishing a Live Stream; Disseminate Report Using Finished Intelligence Template; Finished Intelligence Report with Custom Template]
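What a live-stream consumer on the receiving side (a SIEM or EDR integration) has to do with the events OpenCTI pushes is shown below, as an added example that is not code from the original post or from Filigran. The SSE framing (id/event/data lines, blank-line separated) is standard; the payload shape ({"data": <STIX object>, "message": ...}), the x_opencti_score threshold and the sample objects are constructed assumptions for the example.

```python
import json

# Constructed sample of a live stream feed: standard SSE framing, each data
# line carrying an OpenCTI event whose "data" member is the STIX object.
# Score values and identifiers are made up for the example.
SAMPLE_STREAM = """\
id: 1747300000000-0
event: create
data: {"data": {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-111111111111", "name": "Constructed C2 domain", "pattern_type": "stix", "pattern": "[domain-name:value = 'c2.example.invalid']", "x_opencti_score": 85}, "message": "creates an Indicator"}

id: 1747300000001-0
event: create
data: {"data": {"type": "indicator", "id": "indicator--22222222-2222-4222-8222-222222222222", "name": "Constructed scanner IP", "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.10']", "x_opencti_score": 20}, "message": "creates an Indicator"}

id: 1747300000002-0
event: create
data: {"data": {"type": "attack-pattern", "id": "attack-pattern--33333333-3333-4333-8333-333333333333", "name": "Constructed technique"}, "message": "creates an Attack-Pattern"}

id: 1747300000003-0
event: update
data: {"data": {"type": "indicator", "id": "indicator--22222222-2222-4222-8222-222222222222", "name": "Constructed scanner IP", "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.10']", "x_opencti_score": 70}, "message": "updates an Indicator"}

id: 1747300000004-0
event: delete
data: {"data": {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-111111111111"}, "message": "deletes an Indicator"}
"""

def parse_sse(text):
    """Split raw SSE text into events: dicts with id, event and parsed JSON data."""
    events = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # first colon only; JSON keeps its own
            fields[key] = value.lstrip()
        fields["data"] = json.loads(fields["data"])
        events.append(fields)
    return events

def high_fidelity_indicators(events, min_score):
    """Replay events in order and keep id -> pattern for indicators at or above
    min_score. Updates can raise or lower a score; deletes revoke an indicator,
    so the downstream watchlist never keeps an entry OpenCTI has withdrawn."""
    kept = {}
    for ev in events:
        obj = ev["data"]["data"]
        if obj.get("type") != "indicator":
            continue
        if ev["event"] == "delete" or obj.get("x_opencti_score", 0) < min_score:
            kept.pop(obj["id"], None)
        else:
            kept[obj["id"]] = obj["pattern"]
    return kept
```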

Part 2: Use OpenAEV for Dissemination and Feedback to Close the Intelligence Cycle

OpenAEV extends the intelligence cycle by making dissemination operational and feedback measurable.

In addition to publishing finished intelligence and integrating with third-party tools, analysts can send prioritized intelligence to OpenAEV to:

  • simulate high-priority threats
  • test detection and prevention
  • measure security coverage against the MITRE ATT&CK framework
  • feed results back into OpenCTI as structured feedback

Feedback is the final step of the intelligence cycle, and it’s often the hardest to systematize. OpenAEV helps turn “we think this will work” into “we validated it,” with results you can track and act on.

Step-by-step: From PIR collection to OpenAEV security coverage

Here’s one workflow that connects OpenCTI and OpenAEV end to end.

1) Create PIRs and track collection in OpenCTI

Analysts define PIRs in OpenCTI and track ongoing collection against them, as described in Part 1.

2) Use playbooks to create a container per PIR

As analysts review what’s collected, they can use OpenCTI playbooks to automate the creation of containers based on PIR collection.

Note: Each playbook run generates a new container.

[Figures: PIR Playbook to Create a Container; Creating the Container]

When the container is created, the collected data and intelligence associated with the PIR are transferred into it. This creates a working set for investigation and later dissemination.

3) Launch an investigation from the container

From the container, analysts can launch an investigation to visualize relationships between:

  • entities in the container
  • entities already present in the OpenCTI database

This is where analysts can pivot to extract additional high-fidelity indicators and attack patterns.

[Figures: Investigation Tab within a Container; Pivot and Expand on Entities within an Investigation]

4) Send selected intelligence back to the container

After expanding the investigation, analysts send the selected intelligence back to the container to prepare it for operationalization.

[Figure: Send Intelligence from Investigation Back to Container]

5) Label high-priority entities to trigger OpenAEV

Next, analysts filter for high-score indicators and relevant attack patterns.

They then bulk-apply a label (for example, send_to-openaev) that triggers another playbook, which launches security coverage validation in OpenAEV.

[Figure: Bulk Add Label to Send to OpenAEV]

6) Run simulations in OpenAEV and send results back to OpenCTI

Once the playbook triggers scenario creation, OpenAEV generates corresponding injects with payloads based on the indicators and attack patterns sent.

The payloads can be dropped on endpoints designated by the analyst. Results are then sent back to OpenCTI as security coverage, mapped to the MITRE ATT&CK framework. This gives analysts and decision makers clear feedback on how well the organization’s security tools detect and prevent the simulated behaviors.

[Figures: Security Coverage from OpenAEV in OpenCTI; Security Coverage on MITRE Framework; Injects executed in OpenAEV]

At this point, you’ve closed the loop of the intelligence cycle with feedback that’s structured, measurable, and directly tied back to the PIR that started the work.

Conclusion

OpenCTI and OpenAEV can support the full intelligence cycle, from direction to feedback.

With OpenCTI, analysts can define PIRs, automate collection, enrich and investigate incoming intelligence, and disseminate outputs through reports, live streams, and workflows that prepare intelligence for operational validation.

With OpenAEV, teams can operationalize that intelligence by running threat-informed simulations and measuring security coverage. Those results then flow back into OpenCTI as actionable feedback, helping teams refine PIRs, improve detections, and strengthen defenses over time.

Enjoy, and feel free to ask any questions about it on our Slack community channel!
