The sales cycle for a threat intelligence platform tends to go like this: a CSO attends a conference, a vendor demo shows real-time threat actor tracking, automated IOC enrichment, and a global feed of adversary TTPs mapped to MITRE ATT&CK. The demo is impressive. The procurement happens. Eighteen months later there are three analysts looking at a platform with 40,000 unprocessed indicators and an integration to the SIEM that someone built during the initial deployment and nobody has updated since.
The platform didn't fail. The organisation wasn't ready for it. These are different problems with different solutions.
The three types of threat intelligence, and why most organisations only use one
Threat intelligence gets discussed as if it's a single thing. It isn't. There are three distinct types and they require different platforms, different skills, and different operational processes to be useful.
Tactical intelligence is indicators of compromise: IP addresses, domains, file hashes, URLs associated with known malicious activity. It's high volume, short shelf life (an IOC is useful for hours to days before the attacker rotates infrastructure), and immediately actionable. Block the IP, quarantine the hash, take down the domain. Your SIEM can consume this directly via a threat intelligence feed without a TIP sitting in the middle.
Operational intelligence is information about specific campaigns and threat actor activity: who is targeting your sector right now, what TTPs they're using, what the kill chain looked like in the last three incidents attributed to them. This requires correlation across multiple sources, analyst judgment, and context about your specific environment. It's where TIPs genuinely add value because they aggregate, normalise, and allow you to build a picture across sources that would take significant manual effort to build without them.
Strategic intelligence is the long-horizon view: threat actor motivations, geopolitical drivers, emerging technology risks, sector-specific trends. This is what Gartner and Forrester produce. It informs security strategy and investment decisions. It doesn't come from a TIP. It comes from analysts, subscription reports, and sector-specific information sharing communities.
The integration problem the vendor glosses over
Every TIP vendor will show you a diagram that looks like the one above, with clean arrows connecting sources to the platform to your SIEM and EDR. The arrows imply automated, reliable, low-maintenance data flow. The reality is different.
The SIEM integration is typically the most mature and best-supported connection. Sentinel has a native TAXII connector. Splunk has an ES TIP framework. Chronicle has threat intelligence ingestion built in. This connection usually works reasonably well on day one.
The EDR integration is where it gets harder. Getting IOCs from your TIP into CrowdStrike or Defender for Endpoint as watchlist indicators requires either a supported integration (which exists for major platforms but needs configuration) or custom automation. More importantly, it requires a decision about IOC scoring: you don't want to push every unvalidated IOC from every feed to every endpoint. High-confidence, high-severity indicators only. Building that scoring and filtering logic takes time and analyst judgment that often isn't accounted for in the initial deployment plan.
The firewall and proxy integration is often the weakest. Pushing dynamic block lists to a Palo Alto or to Zscaler ZIA requires either a supported API integration or a script that someone maintains. Scripts that someone maintains become scripts that nobody maintains when that someone leaves.
Open source vs commercial: the actual decision
MISP and OpenCTI are both genuinely capable platforms. MISP has been around since 2012 and has a large community. OpenCTI is newer, has a cleaner data model aligned to STIX 2.1, and better graph visualisation. Both are free to run on infrastructure you control. Neither is free in terms of operational overhead.
Running MISP in production means maintaining the deployment, managing the PostgreSQL and Redis backends, keeping the feed synchronisation jobs healthy, and having someone who understands the MISP data model well enough to troubleshoot when something breaks. For an organisation with a small security team, this operational overhead often consumes more analyst time than the platform saves.
Commercial platforms (ThreatConnect, Anomali, EclecticIQ, Recorded Future Intelligence Cloud) solve the operational overhead problem but introduce cost and vendor dependency. The question worth asking before procurement is: are you paying for the platform itself, or are you paying for the feed coverage and curation that comes with it? If it's primarily the latter, a commercial threat intel feed subscription without a full TIP platform may be the more cost-effective path.
The CNI and government angle that most TIP articles miss
If you're running security for a UK CNI operator or a government department, the commercial TIP conversation is secondary to the question of sector intelligence sharing. NCSC's Cyber Security Information Sharing Partnership (CISP) exists precisely to provide government and CNI operators with threat intelligence that is relevant to UK infrastructure specifically. The intelligence sharing that happens through CISP is frequently more operationally relevant than a commercial feed, because it's curated for the UK threat landscape rather than global IOC aggregation.
The practical integration is straightforward: NCSC provides STIX/TAXII feeds that can be ingested into any SIEM or TIP directly. Microsoft Sentinel has a native connector for NCSC feeds. This is the baseline for any UK CNI security architecture and it should be in place before any commercial TIP procurement is considered.
Sector ISACs (FS-ISAC for financial services, Energy ISAC for utilities, the equivalent bodies for other CNI sectors) provide a similar function: sector-specific intelligence from peers who are facing the same threat actors. The value isn't the volume of IOCs. It's the context that comes from "this IP was observed scanning NHS infrastructure yesterday before hitting three financial services firms today."
The questions to answer before you buy
Three questions cut through most TIP procurement conversations.
First: what decision will this platform help you make faster? If you can't name a specific decision (escalating an alert based on threat actor context, prioritising a vulnerability based on active exploitation evidence, blocking a network path based on campaign intelligence), you're buying capability rather than solving a problem.
Second: do you have an analyst who will own the platform's curation? Not a shared responsibility across the team. One person who is accountable for feed quality, normalisation rule maintenance, and the scoring logic that determines which indicators reach your SIEM and EDR. Without this person, the platform degrades from month three onwards.
Third: have you mapped the integrations you need and tested them in a non-production environment before committing? The vendor will confirm that an integration exists. That's not the same as the integration working reliably with your specific SIEM version, your specific EDR tenant configuration, and your specific firewall firmware. Test it before you sign.
The organisations running effective threat intelligence programmes have one thing in common with effective FinOps programmes and effective HSM deployments: they started with a specific problem, chose tooling that addressed that problem, and built the operational capability to use the tooling properly before expanding scope. The technology wasn't the hard part.