
Threat-Informed Defense: Turning Intelligence into Decision Confidence

Apr 3, 2026

There’s a fundamental shift taking place in cybersecurity planning and operations that has been gathering pace in recent years. Security leaders find themselves at a tipping point: attackers can now move faster than incident response can react, so greater importance is placed on tracking emerging threats and ensuring that defences are prepared for the specific attacks that may well eventuate.

Different frameworks can come in handy in this pursuit, and one that’s gaining prominence these days is Threat-Informed Defense (TID): a proactive, evidence-based approach that aligns the resources you have with the threats you face. Proactive security is not about buying more tools; it’s about disciplined operations, and that is what TID emphasises. It means using threat intelligence to rationalize your existing security stack, improve signal quality, and focus your team on the threats that actually matter to your business. The goal? A continuous process of identifying and closing security gaps by connecting what’s happening outside (threat intelligence) with what’s happening inside (your defenses).

But how do you actually implement TID? At Filigran, we don’t just talk about it, we’ve built it into our DNA. Our open-source eXtended Threat Management (XTM) platform operationalizes TID through a five-stage pipeline that breaks the framework into practical, actionable steps for security leaders. Want to see it in action? Our new guide, Threat-Informed Defense for the Technology Sector, walks tech companies through real-world implementation from start to finish.


TL;DR

  • Prioritize current trending attacker techniques: Map relevant adversary TTPs with MITRE ATT&CK and focus on risks that impact your environment.
  • Operationalize intel and make it actionable to test your defenses: Get started with open-source tools like OpenCTI and OpenAEV to connect intelligence, testing, and control improvements in one loop. Improve your threat visibility and map it against your attack surface.
  • Prove your security control effectiveness: Continuously simulate adversary behaviors to find gaps before attackers do. Test your security controls and also the human side of your defenses.
  • Make smarter security investments: Use coverage trends and simulation results to direct remediation and budget. Optimize your existing investments before making new ones.

What is Threat-Informed Defense?

Threat-Informed Defense (TID) recognizes a simple reality: security is a continuous game of move and countermove between defenders and adversaries. First advocated by MITRE, TID leverages the MITRE ATT&CK framework to understand adversaries’ tactics and movements. Implementing TID means understanding which threats actually target your organization, deploying defensive measures tailored to stop them, and rigorously testing whether those defenses hold up against real-world attack techniques. By continuously assessing your security posture against known threats, you identify and close gaps before attackers find them. TID rests on three foundational pillars:

  • Cyber threat intelligence: First gather, ingest and process all of your threat intelligence to make it contextual and relevant for you. Go beyond IOCs to understand adversary behaviors and intent, which are more durable and more costly for attackers to change.
  • Defensive measures: Translate prioritized threat intelligence into detections, hardening, response playbooks, and configurations; utilize it properly and make it do the work for you. Adapt controls to the threats most likely to target you.
  • Testing and evaluation: Plan adversary emulation and run continuous breach-and-attack simulations to verify coverage and avoid regressions. Gain granular visibility into the effectiveness of your security programs. Automate and scale for continuous security posture validation and improvement.

Security budgets are tight and resources are scarce. CISOs are realizing that instead of chasing every new tool, it’s more valuable to extract full value from what they already own. This is helping drive the mindset shift from reactive to proactive, where CISOs constantly ask: ‘who’s my adversary?’, ‘what’s their tradecraft?’, ‘how will my security controls and processes hold up?’, and ‘what happens when something goes wrong?’. Adopting a TID approach requires security teams to collaborate and share information, going beyond the silos of blue, red, SOC and TI teams.

Threat-Informed Defense vs. Traditional Security

Traditional Security          | Threat-Informed Defense (TID)
Generic security controls     | Adversary-specific defenses
Compliance-driven priorities  | Threat-driven priorities
Vulnerability-centric         | Threat actor-centric
Assumes controls work         | Validates controls continuously
Reactive incident response    | Proactive threat anticipation

From Idea to Execution: Threat-Informed Defense Pipeline

Similar to Continuous Threat Exposure Management (CTEM), TID is a concept, a cybersecurity strategy, not something delivered by a single tool or product. Understandably, organizations can adopt and deliver on it in different ways, especially since how they acquire, process and operationalize threat intelligence depends on their threat intelligence maturity. At Filigran, TID underpins our product strategy and roadmap: our XTM platform is the only open-source platform that unifies threat intelligence (OpenCTI) with continuous exposure validation (OpenAEV).

At Filigran, we have broken TID into a five-stage pipeline to make it easier to interpret and implement:

Filigran’s Threat-Informed Defense Pipeline

Stage 01: Strategic threat landscape assessment

Goal: Identify which adversaries, malware, and campaigns are most relevant to your business model, stack, and region.

How: Threat assessment in threat-informed defense involves systematically evaluating and prioritizing the specific threat actors, their capabilities, tactics, techniques, and procedures (TTPs) that are most likely to target your organization’s critical assets. A threat intelligence platform, which allows you to gather, analyze, refine and share prioritized threat intelligence, is a crucial component here. You can use OpenCTI to structure analysis for APTs, supply chain threats, cloud-native exploits, and sector/geopolitical context. OpenCTI helps you focus resources on threats that actually target you. OpenCTI ingests from 300+ sources (OSINT, commercial feeds, ISACs, custom intelligence, internal telemetry, etc.).

Outcome: A prioritized watchlist with clear inclusion criteria and analyst annotations.

Stage 02: Actor and malware tracking

Goal: Keep pace with evolving TTPs and indicators while filtering noise.

How: Maintain adaptive watchlists; triage incoming reports; tag IOCs and TTPs and distribute them to SIEM/EDR/SOAR. Focus on adversaries actively targeting your industry. OpenCTI is built on the MITRE ATT&CK framework, a globally accessible knowledge base of adversary tactics and techniques observed in real-world attacks. OpenCTI’s knowledge graph model provides powerful visualizations to link actors, campaigns, malware, techniques, and exploited vulnerabilities. Confidence scoring and relationship mapping surface the most critical threats, and shared intelligence workflows let you collaborate across teams.

Outcome: Continuously updated views of active threats and automated, stakeholder-ready reporting to show program progress.

Stage 03: TTP and report mapping

Goal: See where attacker behaviors outpace your defenses, especially across cloud, containers, CI/CD, and identity.

How: Advanced Persistent Threats (APTs) and opportunistic attackers increasingly target the expanded attack surface created by cloud-native architectures, leveraging misconfigurations in multi-cloud environments, exploiting container escape vulnerabilities, poisoning CI/CD pipelines with malicious code, and conducting identity-based attacks through stolen credentials and API keys. But not all vulnerabilities are equally dangerous to your organization, so you need to focus on threats actively exploited by adversaries targeting you. Platforms like OpenCTI serve as a critical enabler for risk assessment driven by threat intelligence, not just CVE scores.

Outcome: A prioritized TTP list ready for adversary emulation and detection engineering.

Stage 04: Adversarial exposure validation

Goal: Prove whether your security controls detect and respond as designed.

How: Testing security controls in TID moves beyond generic vulnerability scanning and compliance checks to validate whether your defenses actually stop the specific adversary behaviors targeting your organization. OpenAEV receives threat intelligence directly from OpenCTI via STIX 2.1 and generates attack scenarios based on your actual threat landscape, not generic playbooks. You can utilize OpenAEV to design and execute purple team exercises, breach and attack simulations, and atomic red team tests that emulate the exact techniques your most likely threat actors employ. Furthermore, you can test not only your security tools but also your processes and people, as OpenAEV combines technical testing with table-top and crisis management exercises.

Outcome: A continuous feedback loop that catches regressions, validates detections, and informs engineering fixes.

Stage 05: Control validation and investment

Goal: Translate intel and testing into targeted remediation and budget decisions.

How: Even when gaps are identified, remediation is often siloed; TID, however, requires continuous cycles to track progress and security posture improvement over time. You can use OpenAEV’s time-series and historical snapshots to show coverage trends and risk reduction. Apply remediation guidance from OpenAEV to tune configs, update rules, and plan upgrades or replacements. Continuous validation using the combination of OpenCTI and OpenAEV creates a feedback loop that informs strategic investments and architectural decisions with unprecedented precision. The quantifiable nature of these insights enables CISOs to justify budget requests with specific risk reduction metrics and to prioritize engineering efforts based on actual adversary impact.

Outcome: Evidence-based prioritization that improves day-to-day resilience and informs quarterly planning.
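As an added example (not Filigran’s code and not an OpenCTI or OpenAEV API), the Python below sketches the join at the heart of Stages 03 to 05: it walks a constructed STIX 2.1-style bundle of the kind OpenCTI exports, follows ‘uses’ relationships from each intrusion-set to its ATT&CK techniques, and scores those techniques against constructed simulation outcomes to produce the per-actor coverage figure and gap list the program reports on. The bundle, its placeholder ids, the actor name and the RESULTS dictionary are all assumptions made for the example.

```python
# Constructed STIX 2.1-style bundle standing in for an OpenCTI export; ids are
# illustrative placeholders, not real STIX UUIDs or OpenCTI data.
BUNDLE = {"type": "bundle", "id": "bundle--placeholder", "objects": [
    {"type": "intrusion-set", "id": "intrusion-set--crew", "name": "Ransomware Crew (constructed)"},
    {"type": "attack-pattern", "id": "attack-pattern--1", "name": "Phishing",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}]},
    {"type": "attack-pattern", "id": "attack-pattern--2", "name": "Valid Accounts",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1078"}]},
    {"type": "attack-pattern", "id": "attack-pattern--3", "name": "Data Encrypted for Impact",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1486"}]},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--crew", "target_ref": "attack-pattern--1"},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--crew", "target_ref": "attack-pattern--2"},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--crew", "target_ref": "attack-pattern--3"},
]}
# Constructed simulation outcome per technique; a technique absent here is untested, hence a gap.
RESULTS = {"T1566": "detected", "T1486": "blocked", "T1078": "missed"}
COVERED = {"detected", "blocked"}


def attack_ids(bundle):
    """Map attack-pattern STIX ids to MITRE ATT&CK technique ids (T-numbers)."""
    ids = {}
    for obj in bundle["objects"]:
        if obj["type"] == "attack-pattern":
            for ref in obj.get("external_references", []):
                if ref.get("source_name") == "mitre-attack" and "external_id" in ref:
                    ids[obj["id"]] = ref["external_id"]
    return ids


def techniques_by_actor(bundle):
    """Follow 'uses' relationships from each intrusion-set to the ATT&CK ids it uses."""
    ids = attack_ids(bundle)
    actors = {o["id"]: o["name"] for o in bundle["objects"] if o["type"] == "intrusion-set"}
    used = {}
    for obj in bundle["objects"]:
        if (obj["type"] == "relationship" and obj["relationship_type"] == "uses"
                and obj["source_ref"] in actors and obj["target_ref"] in ids):
            used.setdefault(actors[obj["source_ref"]], set()).add(ids[obj["target_ref"]])
    return used


def coverage(bundle, results):
    """Per actor: (fraction of its techniques covered, sorted list of uncovered ones)."""
    report = {}
    for actor, techs in techniques_by_actor(bundle).items():
        gaps = sorted(t for t in techs if results.get(t) not in COVERED)
        report[actor] = (round(1 - len(gaps) / len(techs), 2), gaps)
    return report
```

Re-running coverage() after each validation cycle and storing the tuple per actor gives the time series that Stage 05 uses to show coverage trends; the gap list is the input to Stage 03’s detection engineering backlog.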

Quarterly review

To recalibrate strategy and maintain executive alignment, our recommendation is to make this a quarterly exercise shared with your key stakeholders. This creates a closed-loop system where threat intelligence directly drives security validation priorities. Revisit tracked threats, business priorities, and risk appetite as part of a broader CTEM rhythm.

Outcome: A living program that stays aligned to business risk and adversary reality.

Are you ready for TID?

TID makes perfect sense conceptually, but operationalizing it requires:

  • A centralized threat intelligence platform like OpenCTI
  • Integration between intelligence and security tools
  • Continuous, threat-driven validation capabilities with tools like OpenAEV
  • Collaboration across CTI, SOC, and security engineering teams

Capability                 | Traditional threat intelligence systems | Traditional breach & attack simulations / pen-testing | Filigran XTM (OpenCTI + OpenAEV)
Threat Intelligence        | ✅ Yes                                  | ❌ No                                                 | ✅ Yes (300+ sources, AI-powered)
STIX 2.1 Native            | ⚠️ Partial, some                        | ❌ No                                                 | ✅ 100% compliant, no lock-in
MITRE ATT&CK Mapping       | ✅ Yes                                  | ✅ Yes                                                | ✅ Yes
Threat-Driven Validation   | ❌ No                                   | ⚠️ Generic scenarios                                  | ✅ CTI-driven, real adversary TTPs
Continuous Feedback Loop   | ❌ No                                   | ❌ No                                                 | ✅ Intelligence ↔ Validation integration
Open-Source + Enterprise   | ⚠️ Rare                                 | ❌ No                                                 | ✅ Community innovation + Enterprise extensibility

Utilize TID to shift the conversation from the traditional security life cycle (protection/detection/response) to proactively finding the gaps in your security controls and reducing cyber risk. The empirical approach of TID provides metrics that matter, moving from ‘we blocked 10 million attacks’ to ‘we can detect and stop 85% of the techniques used by the ransomware groups actively targeting our sector, and here is what we are going to do to fill our gaps for the remaining 15%’.

Would you like to assess your security team’s readiness for TID? MITRE provides an online self-assessment where you can select each component for which you have established capabilities, including the necessary people, processes, and technology. Try it today!

We will be happy to discuss our take on TID and how we can help.
