What Does a Threat Intelligence Team Do?
July 3, 2023, 5 min read
Companies in the modern era simply cannot afford to rest on their laurels in the face of ever-increasing cyber dangers. The absence of a major cyber incident does not guarantee the perfection or continued efficacy of an organization’s cyber security safeguards and processes.
Vanson Bourne’s The State of SMB Cyber security in 2021 poll, commissioned by ConnectWise, found that 79% of business leaders are worried about a cyber assault on their company occurring within the next six months. To what extent can businesses reduce their anxiety about the effects of a cyberattack by taking preventative measures?
It’s time to bring in the cyber threat intelligence team (or cyber security research team, depending on your preference). Teams dedicated to threat intelligence constantly monitor the security landscape for new threats, analyze malware data, coordinate with sector counterparts, and disseminate findings. This helps businesses understand the current threat landscape and identify gaps in their own threat intelligence capability.
What is Threat Intelligence?
We define “cyber threat intelligence” as compiled information about potential dangers from new and old cyber actors. Threats are discovered through various means, including monitoring ransomware leak sites, malicious botnets, and open-source intelligence tools. Automating certain research aspects is crucial to maximizing the effectiveness of a threat intelligence team.
The ConnectWise Cybersecurity Research Unit (CRU) team has automated systems that analyze security problems and alert humans for investigation or action. With automation, they download, analyze, and publish the results of hundreds of malware samples daily in our free threat feed. We regularly update the CRU threat feed with years of gathered information, which helps identify security risks and eliminate false positives.
Threat intelligence teams use technical, behavioral, and environmental aspects to determine the who, what, why, and how of any threat. The contextual data behind our feed is also released to the industry as packet captures (PCAPs), giving analysts and researchers insight into how each sample behaves on the wire.
Security analysts derive intelligence from various threat information and security sources, correlating and analyzing them to uncover trends, patterns, and relationships. The intelligence gained is organization-centric, focusing on the unique vulnerabilities, attacks, and assets within the organization. It offers detailed and contextual information, including potential threat actors, their tactics, techniques, and procedures (TTPs), and indicators of compromise (IoCs). This intelligence is actionable, assisting information security teams in assessing vulnerabilities, prioritizing threats, and evaluating cybersecurity solutions.
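As an added illustration of the correlation step described above (example code, not from this post or the CRU): a constructed threat feed of IoCs carrying actor/TTP context and a confidence score is matched against constructed proxy log lines, an analyst-maintained allowlist suppresses a known false positive, and the surviving hits come back ranked so a security team can prioritize them. The feed record layout, the log format, the actor names and the confidence threshold are all assumptions.

```python
import ipaddress
import re

# Constructed threat feed (hypothetical record layout): indicator, its type, the
# actor/TTP context analysts attached, and a confidence score. ATT&CK IDs are illustrative.
THREAT_FEED = [
    {"ioc": "198.51.100.23", "type": "ip", "actor": "ExampleGroup", "ttp": "T1071.001", "confidence": 90},
    {"ioc": "203.0.113.0/24", "type": "cidr", "actor": "ExampleGroup", "ttp": "T1071.001", "confidence": 60},
    {"ioc": "bad.example.net", "type": "domain", "actor": "LoaderFamily", "ttp": "T1105", "confidence": 80},
    {"ioc": "cdn.example.org", "type": "domain", "actor": "Unknown", "ttp": "T1105", "confidence": 20},
]
# Analyst-maintained allowlist: indicators known to cause false positives are suppressed.
ALLOWLIST = {"cdn.example.org"}
# Constructed proxy log lines: "timestamp src_ip dst_ip hostname" ("-" when no hostname).
SAMPLE_LOGS = """\
2023-07-03T10:00:01Z 10.0.0.5 198.51.100.23 -
2023-07-03T10:00:02Z 10.0.0.7 93.184.216.34 cdn.example.org
2023-07-03T10:00:03Z 10.0.0.9 203.0.113.77 bad.example.net
2023-07-03T10:00:04Z 10.0.0.5 192.0.2.10 www.example.com
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def _cidr_matches(dst, cidrs):
    """Feed records whose network contains dst; a non-IP dst never matches."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return []
    return [rec for net, rec in cidrs if addr in net]

def correlate(logs, feed=THREAT_FEED, allowlist=ALLOWLIST, min_confidence=50):
    """Match each log line against the feed; return contextual hits, highest confidence first."""
    exact = {r["ioc"]: r for r in feed if r["type"] != "cidr"}
    cidrs = [(ipaddress.ip_network(r["ioc"]), r) for r in feed if r["type"] == "cidr"]
    hits = []
    for line in logs.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole batch
        ts, src, dst, host = m.groups()
        for rec in [exact[v] for v in (dst, host) if v in exact] + _cidr_matches(dst, cidrs):
            if rec["ioc"] in allowlist or rec["confidence"] < min_confidence:
                continue  # not actionable: known false positive or too weak to act on
            hits.append({"ts": ts, "src": src, "ioc": rec["ioc"], "actor": rec["actor"],
                         "ttp": rec["ttp"], "confidence": rec["confidence"]})
    return sorted(hits, key=lambda h: -h["confidence"])
```

Each hit keeps the source host, the matched indicator and the actor/TTP context, which is the information an analyst needs to decide whether to escalate.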
IBM’s Cost of a Data Breach 2022 report puts the average cost of a breach at $4.35 million, with detection and escalation expenses making up the largest share of that figure (at $1.44 million). By providing security teams with actionable threat intelligence, organizations may reduce both the time it takes to detect attacks and the expenses associated with doing so.
Who is on a Threat Intelligence Team?
Cybersecurity leaders, threat intelligence analysts, seasoned SOC professionals, reverse engineers, vulnerability researchers, network security experts, and others frequently make up these teams. The ConnectWise Cybersecurity Research Unit (CRU) has nearly 70 years of combined experience at its disposal.
Producing useful, actionable insights from threat intelligence requires a team of committed, highly skilled cybersecurity specialists with specialized knowledge, training, and abilities. Offensive Security Certified Professional (OSCP) and GIAC Certified Intrusion Analyst (GCIA) are two examples of certifications team members can hold to demonstrate their knowledge.
Malware analysts have expertise in dissecting malicious software like Trojan horses, viruses, rootkits, worms, and bots to learn their inner workings. They also investigate the methods malware uses to remain persistent and spread laterally within an organization, and they keep an eye on the overall malware landscape and its development. Malware analysts specialize in understanding how malicious software spreads and how it evades detection. They spend much of their time working to stop the spread of malware rather than fixing the problems it causes.
Cyber Security Professionals
To develop efficient detection systems based on network traffic, a network security expert needs a deep familiarity with network-layer attacks. To detect and prevent security breaches, network security professionals need in-depth knowledge of the numerous protocols used in networks.
A reverse engineer can disassemble any program, whether it runs on Windows or Linux. Security experts reverse-engineer patched binaries to learn the specifics of a given vulnerability and its exploit. When Microsoft or any other vendor releases a patch, they do not disclose how they fixed a specific vulnerability. For example, they may describe a vulnerability as a buffer overflow without providing any additional information. To demonstrate this, Alert Logic’s researchers successfully reverse-engineered a specific Microsoft SMB vulnerability.
A security developer is someone who can write production-ready code and brings a security perspective to it. They create new forms of security software and work to build security into existing programs at the same time. A security developer’s expertise is essential for turning theoretical findings and observations into practical applications. The contributions of these people allow research findings to be put into practice.
Experts on Weaknesses
Security researchers discover thousands of flaws each year. Vulnerability researchers study new vulnerabilities and explore how they are exploited in the real world. They use multiple methods to identify security holes, including scanning the environment for vulnerable systems, analyzing logs for signs of exploitation, and mapping adversaries and their tactics, techniques, and procedures (TTPs).
DevOps, a trendy new term, combines the concepts of software development (Dev) and IT operations (Ops). SecDevOps is an extension of DevOps that incorporates security into the development process by melding it with operations. SecDevOps is a methodology for managing the stacks of services involved in security detection. Increased automation and the use of quality control testing are two of SecDevOps’ advantages when it comes to security effectiveness and quality.
Analysts of Data
Data scientists collect, analyze, process, and model large, mixed-format datasets to inform action plans. In security, they build intrusion identification frameworks and automate specific security analyst services. Understanding key aspects of security breaches is essential for creating effective models, as “garbage in, garbage out” holds true.
Expert Security Architects
The security architecture of an MDR (managed detection and response) service is crucial: it determines how the customer’s security data will be gathered now and in the future. A security architect’s job is to anticipate attacker behavior by thinking like an attacker. Meeting customer security needs and future-proofing the data architecture requires skills beyond those of a typical system architect.
Once again, the aforementioned positions form the backbone of an ideal MDR team, and Alert Logic has assembled just such a group.
Threat intelligence and cybersecurity research teams help businesses tackle online cyber threats effectively.
SMBs are vulnerable to cyber-attacks due to limited defenses and budgets. Data from “The State of SMB Cybersecurity in 2021” shows that only 23% of business leaders trust their company or IT partner’s ability to defend against an assault.
When it comes to managed detection and response (MDR), threat intelligence is essential. The threat intel team provides crucial insights and information for spotting attack trends and assessing the impact of new threats. However, threat intelligence does not limit itself to a single job description. Delivering actionable threat intelligence and adding value to the overall solution requires a collaborative effort from dedicated specialists.