The sales cycle for a threat intelligence platform tends to go like this: a CSO attends a conference, a vendor demo shows real-time threat actor tracking, automated IOC enrichment, and a global feed of adversary TTPs mapped to MITRE ATT&CK. The demo is impressive. The procurement happens. Eighteen months later there are three analysts looking at a platform with 40,000 unprocessed indicators and an integration to the SIEM that someone built during the initial deployment and nobody has updated since.

The platform didn't fail. The organisation wasn't ready for it. These are different problems with different solutions.

The three types of threat intelligence, and why most organisations only use one

Threat intelligence gets discussed as if it's a single thing. It isn't. There are three distinct types and they require different platforms, different skills, and different operational processes to be useful.

Tactical intelligence is indicators of compromise: IP addresses, domains, file hashes, URLs associated with known malicious activity. It's high volume, short shelf life (an IOC is useful for hours to days before the attacker rotates infrastructure), and immediately actionable. Block the IP, quarantine the hash, take down the domain. Your SIEM can consume this directly via a threat intelligence feed without a TIP sitting in the middle.

Operational intelligence is information about specific campaigns and threat actor activity: who is targeting your sector right now, what TTPs they're using, what the kill chain looked like in the last three incidents attributed to them. This requires correlation across multiple sources, analyst judgment, and context about your specific environment. It's where TIPs genuinely add value because they aggregate, normalise, and allow you to build a picture across sources that would take significant manual effort to build without them.

Strategic intelligence is the long-horizon view: threat actor motivations, geopolitical drivers, emerging technology risks, sector-specific trends. This is what Gartner and Forrester produce. It informs security strategy and investment decisions. It doesn't come from a TIP. It comes from analysts, subscription reports, and sector-specific information sharing communities.

The mismatch in most TIP procurement: organisations buy a platform that promises all three, configure it primarily as a tactical IOC aggregator, and never invest the analyst resource to use the operational intelligence capability. The result is an expensive feed aggregator when a $15,000/year threat intel feed piped directly into Sentinel would have achieved the same operational outcome.
// Threat intelligence data flow
How intel moves from sources through a TIP to consumption points. The integration quality between each layer determines whether the platform adds value or creates overhead. Click any node for detail.
External
Commercial feeds
Recorded Future, Mandiant, CrowdStrike Intel
Open source
OSINT feeds
AlienVault OTX, abuse.ch, MISP communities
Sector
ISAC / NCSC
CISP, FS-ISAC, Energy ISAC, NCSC feeds
ingest + normalise + deduplicate
Core platform
Threat Intelligence Platform (TIP)
MISP · OpenCTI · ThreatConnect · Anomali · EclecticIQ
enrichment + scoring + distribution
Detection
SIEM
Sentinel, Splunk, Chronicle
Response
SOAR
Sentinel Playbooks, Palo XSOAR
Endpoint
EDR
Defender, CrowdStrike, SentinelOne
Network
Firewall / Proxy
Palo Alto, Zscaler ZIA, Fortinet

The integration problem the vendor glosses over

Every TIP vendor will show you a diagram that looks like the one above, with clean arrows connecting sources to the platform to your SIEM and EDR. The arrows imply automated, reliable, low-maintenance data flow. The reality is different.

The SIEM integration is typically the most mature and best-supported connection. Sentinel has a native TAXII connector. Splunk has an ES TIP framework. Chronicle has threat intelligence ingestion built in. This connection usually works reasonably well on day one.

The EDR integration is where it gets harder. Getting IOCs from your TIP into CrowdStrike or Defender for Endpoint as watchlist indicators requires either a supported integration (which exists for major platforms but needs configuration) or custom automation. More importantly, it requires a decision about IOC scoring: you don't want to push every unvalidated IOC from every feed to every endpoint. High-confidence, high-severity indicators only. Building that scoring and filtering logic takes time and analyst judgment that often isn't accounted for in the initial deployment plan.

The firewall and proxy integration is often the weakest. Pushing dynamic block lists to a Palo Alto or to Zscaler ZIA requires either a supported API integration or a script that someone maintains. Scripts that someone maintains become scripts that nobody maintains when that someone leaves.

The integration maintenance reality: TIP integrations are not fire-and-forget. Feed formats change. API versions get deprecated. STIX/TAXII schema updates break parsers. The normalisation rules you built for one feed's IP reputation data don't automatically apply when the feed provider changes their output format. Budget for ongoing integration maintenance, not just initial deployment.

Open source vs commercial: the actual decision

MISP and OpenCTI are both genuinely capable platforms. MISP has been around since 2012 and has a large community. OpenCTI is newer, has a cleaner data model aligned to STIX 2.1, and better graph visualisation. Both are free to run on infrastructure you control. Neither is free in terms of operational overhead.

Running MISP in production means maintaining the deployment, managing the PostgreSQL and Redis backends, keeping the feed synchronisation jobs healthy, and having someone who understands the MISP data model well enough to troubleshoot when something breaks. For an organisation with a small security team, this operational overhead often consumes more analyst time than the platform saves.

Commercial platforms (ThreatConnect, Anomali, EclecticIQ, Recorded Future Intelligence Cloud) solve the operational overhead problem but introduce cost and vendor dependency. The question worth asking before procurement is: are you paying for the platform itself, or are you paying for the feed coverage and curation that comes with it? If it's primarily the latter, a commercial threat intel feed subscription without a full TIP platform may be the more cost-effective path.

// When to use what
Based on analyst capacity and operational maturity. Hover each row to expand.
Small team, limited analyst capacity
Feed only Subscribe to one or two high-quality commercial threat intel feeds (Recorded Future, Mandiant) and ingest directly into your SIEM via TAXII. Skip the TIP entirely. You get tactical IOC coverage without the platform overhead.
Mid-size team, sharing intel across sector or with partners
MISP or OpenCTI Open source TIP gives you the sharing infrastructure (TAXII server, feed aggregation, STIX export) without commercial licensing cost. Worth the operational overhead if you have an analyst who owns the platform. OpenCTI is the better choice for new deployments.
Mature SOC, multiple analysts, active threat hunting
Commercial TIP ThreatConnect or Anomali make sense when you have the analyst throughput to use the operational intelligence capabilities, not just the IOC feeds. The ROI requires active use of the correlation and actor tracking features, not just feed aggregation.
CNI, government, or high-threat sector
Commercial + NCSC/ISAC Prioritise NCSC CISP membership and sector ISAC participation alongside commercial intel. Government threat intel for UK CNI environments often provides more contextually relevant intelligence than commercial feeds. NCSC Malware Information Sharing Platform (MISP) feeds are available to CISP members and should be a baseline input.

The CNI and government angle that most TIP articles miss

If you're running security for a UK CNI operator or a government department, the commercial TIP conversation is secondary to the question of sector intelligence sharing. NCSC's Cyber Security Information Sharing Partnership (CISP) exists precisely to provide government and CNI operators with threat intelligence that is relevant to UK infrastructure specifically. The intelligence sharing that happens through CISP is frequently more operationally relevant than a commercial feed, because it's curated for the UK threat landscape rather than global IOC aggregation.

The practical integration is straightforward: NCSC provides STIX/TAXII feeds that can be ingested into any SIEM or TIP directly. Microsoft Sentinel has a native connector for NCSC feeds. This is the baseline for any UK CNI security architecture and it should be in place before any commercial TIP procurement is considered.

Sector ISACs (FS-ISAC for financial services, Energy ISAC for utilities, the equivalent bodies for other CNI sectors) provide a similar function: sector-specific intelligence from peers who are facing the same threat actors. The value isn't the volume of IOCs. It's the context that comes from "this IP was observed scanning NHS infrastructure yesterday before hitting three financial services firms today."

The questions to answer before you buy

Three questions cut through most TIP procurement conversations.

First: what decision will this platform help you make faster? If you can't name a specific decision (escalating an alert based on threat actor context, prioritising a vulnerability based on active exploitation evidence, blocking a network path based on campaign intelligence), you're buying capability rather than solving a problem.

Second: do you have an analyst who will own the platform's curation? Not a shared responsibility across the team. One person who is accountable for feed quality, normalisation rule maintenance, and the scoring logic that determines which indicators reach your SIEM and EDR. Without this person, the platform degrades from month three onwards.

Third: have you mapped the integrations you need and tested them in a non-production environment before committing? The vendor will confirm that an integration exists. That's not the same as the integration working reliably with your specific SIEM version, your specific EDR tenant configuration, and your specific firewall firmware. Test it before you sign.

The summary position: A well-configured SIEM with one or two high-quality threat intel feeds handles tactical intelligence well without a TIP. Add a TIP when you have the analyst capacity to use its operational intelligence capabilities actively, the integrations to distribute enriched indicators to your security controls, and someone who owns the platform's ongoing curation. In that order, not the reverse.

The organisations running effective threat intelligence programmes have one thing in common with effective FinOps programmes and effective HSM deployments: they started with a specific problem, chose tooling that addressed that problem, and built the operational capability to use the tooling properly before expanding scope. The technology wasn't the hard part.