Cybersecurity Threat Intelligence Requirements Framework: IRs, PIRs, and SIRs


The threat intelligence lifecycle begins with defining what information you actually need to collect. Intelligence Requirements form a hierarchical framework for organizing and prioritizing information gathering needs within cybersecurity threat intelligence operations. This three-tiered approach—Intelligence Requirements, Priority Intelligence Requirements, and Specific Intelligence Requirements—ensures systematic collection and analysis of relevant threat data throughout the intelligence lifecycle, from broad organizational concerns to specific tactical indicators that drive immediate security actions.


Intelligence Requirements (IRs)


Intelligence Requirements represent the broadest level of information needs, establishing the foundational scope for threat intelligence collection and analysis activities across the organization. Think of IRs as your strategic compass. They define what you care about at the highest level and why intelligence collection matters to your business.


The purpose here is straightforward: define overarching intelligence collection priorities, establish organizational threat landscape awareness, guide strategic security planning and resource allocation, and provide context for more specific intelligence gathering efforts. Without clear IRs, your intelligence program becomes reactive and unfocused.


IRs operate at an organization-wide and industry-focused scope with a long-term strategic perspective. The stakeholders are senior leadership, security executives, and risk management teams, with updates typically happening quarterly or annually. The timeline reflects the strategic nature—these aren't tactical questions that change week to week.


Key examples include external threat identification, where you're monitoring emerging threat actors, attack vectors, and tactics targeting your industry sector. Internal threat assessment covers potential insider threats and vulnerabilities within organizational systems and processes. Industry threat landscape analysis helps you understand cyber threats affecting similar organizations, supply chain partners, and the competitive landscape. Regulatory and compliance threats involve monitoring changes in regulatory requirements that could impact your security posture.


When implementing IRs, align them with business objectives and risk appetite. Consider industry-specific threat vectors, incorporate geopolitical factors affecting the organization, and plan for regular review and updating based on threat landscape evolution. The key is making sure your intelligence efforts actually support business decisions, not just generate reports that sit on shelves.


Priority Intelligence Requirements (PIRs)


Priority Intelligence Requirements represent the mid-level tier, focusing on specific high-impact threats that could significantly affect organizational operations, assets, or strategic objectives. PIRs are where strategic concerns start becoming actionable intelligence needs.


The purpose is to prioritize intelligence collection on critical threats, focus analytical resources on high-impact scenarios, support tactical and operational security decision-making, and bridge strategic concerns with actionable intelligence. PIRs answer the question "Of all the things we could worry about, what should we actually focus on?"

PIRs operate with asset and operation-specific scope on a medium-term operational timeline. The stakeholders include security operations teams, incident response, and business unit leaders, with updates typically happening monthly or quarterly. These requirements need more frequent review than IRs because the operational environment changes faster than strategic direction.


Key examples include critical asset targeting, where you're identifying threats specifically targeting your most valuable systems, intellectual property, or infrastructure. Threat actor motivation analysis involves understanding the specific motivations, capabilities, and likely targets of threat actors relevant to your organization. Targeted entity identification determines which organizational components (people, systems, data) are most at risk. Impact assessment evaluates potential consequences of successful attacks on reputation, revenue, and operations. Control gap analysis identifies areas where existing security measures may be insufficient against identified threats.


Implementation should be based on asset criticality and business impact. Consider threat actor capabilities and historical targeting patterns, integrate with risk assessment processes, and coordinate with incident response and security operations. The goal is turning strategic awareness into focused collection efforts that actually help your security teams make better decisions.


Specific Intelligence Requirements (SIRs)


Specific Intelligence Requirements constitute the most granular level, focusing on immediate, actionable intelligence needs related to current or imminent threats and specific threat actor activities. SIRs are where intelligence becomes immediately useful to the people defending your network right now.


The purpose is to generate actionable intelligence for immediate security response, support real-time threat hunting and detection activities, provide tactical indicators for security tool configuration, and enable proactive defense measures. SIRs answer "What do I need to know today to defend better tomorrow?"


SIRs operate with tactical and immediate scope on a short-term timeline, often daily or weekly. The stakeholders are SOC analysts, threat hunters, and incident responders, with updates happening daily or weekly. These requirements change rapidly because the threat landscape at the tactical level is constantly evolving.


Key examples include reconnaissance activity detection, where you're identifying and analyzing current threat actor surveillance and probing activities. Tactical change monitoring tracks evolution in threat actor tools, techniques, and procedures. Infrastructure analysis maps command and control infrastructure used by specific threat actors. Anomaly investigation analyzes unusual network behavior, system activities, or access patterns. Insider threat indicators monitor for suspicious employee or contractor activities. Geopolitical intelligence helps understand how current geopolitical events might influence threat actor behavior and targeting.


Implementation requires integration with SIEM and security monitoring tools, clear escalation procedures, focus on indicators of compromise and tactics, techniques, and procedures, and coordination with threat hunting activities. The key is making sure your tactical intelligence actually gets used by the people who need it most.


Framework Integration


The three tiers work together to create a comprehensive intelligence program. IRs establish strategic direction and broad collection priorities, PIRs translate strategic concerns into focused operational requirements, and SIRs provide tactical, actionable intelligence for immediate security response. Without this hierarchy, intelligence programs either stay too high-level to be useful or get lost in tactical details without strategic direction.


For effective stakeholder alignment, ensure each tier addresses appropriate stakeholder needs, maintain regular communication between strategic, operational, and tactical teams, and establish clear escalation paths for critical intelligence. The wrong intelligence going to the wrong people at the wrong time is worse than no intelligence at all.


Resource allocation should distribute collection and analysis resources across all three tiers, prioritize based on organizational risk tolerance and threat landscape, and include regular assessment of resource effectiveness. Most organizations make the mistake of putting all their resources into either strategic analysis or tactical feeds—both approaches fail.


Continuous improvement requires regular review and updating of requirements at all levels, integration of lessons learned from security incidents, and adaptation to evolving threat landscape and business changes. Your intelligence requirements should evolve as your understanding of threats improves.


Technology integration means aligning intelligence requirements with security tool capabilities, automating collection and analysis where possible, and ensuring intelligence feeds effectively support detection and response activities. Technology should serve the intelligence requirements, not drive them.


Measurement and Success Metrics


Effectiveness indicators include threat detection improvement with measurable increases in early threat detection, response time reduction through faster incident response due to better intelligence, false positive reduction via more accurate threat identification and prioritization, and strategic alignment showing clear connection between intelligence activities and business objectives.


Regular assessment involves quarterly review of intelligence requirement relevance and effectiveness, annual strategic realignment with organizational risk posture, and continuous feedback loop from security operations to intelligence requirements. Without measurement, you're running an intelligence program on faith alone.


Building an Intelligence Collection Plan


There is no one right way to implement an Intelligence Collection Plan, and the following principles can be adapted to your needs. The important element is that you have a plan. A structured approach to developing your intelligence collection capabilities ensures systematic coverage of organizational requirements while maximizing the effectiveness of available resources.


Start with the Right Questions


The foundation of any effective intelligence collection plan begins with asking the right questions that align with organizational priorities and risk concerns. Most intelligence programs fail because they start collecting data before they know what questions they're trying to answer.


Key considerations include business alignment (what are the organization's most critical assets, processes, and strategic objectives?), risk assessment (what are the most significant threats facing the organization now and in the foreseeable future?), decision support (what specific decisions do stakeholders need intelligence to support?), and gap analysis (what intelligence gaps currently exist in the organization's security posture?).


The question development process starts with engaging senior leadership to understand strategic concerns, collaborating with business unit leaders to identify operational priorities, working with security operations teams to understand tactical needs, reviewing historical incidents and near-misses for intelligence gaps, and considering regulatory and compliance requirements that may drive intelligence needs.


Example questions by level include strategic questions like "What emerging threat actors pose the greatest long-term risk to our industry?" Operational questions include "Which of our critical systems are most likely to be targeted by ransomware groups?" Tactical questions ask "What specific indicators should we monitor for this week based on current threat activity?"


Prioritize and Determine Sources Available


Usually, resources are limited. Determine what questions most need to be answered and what intelligence sources will be devoted to answering those questions. Once intelligence requirements are established, organizations must prioritize their collection efforts and systematically evaluate available sources to ensure efficient resource allocation and maximum intelligence value.


The prioritization framework starts with top priority assessment. Ask yourself: "What are your top three intelligence questions? Top ten? If you could only answer one intelligence question, what would it be?" This forced ranking exercise helps organizations focus limited resources on the most critical intelligence needs and ensures high-impact questions receive adequate attention.


Source inventory and capability assessment asks "What sources do you have available to answer your intelligence questions? Open source? Intelligence feeds? Data from vendors?" Available sources fall into several categories.


Internal sources include security information and event management systems, network monitoring and intrusion detection systems, endpoint detection and response platforms, vulnerability scanners and assessment tools, and incident response reports and post-mortem analyses.


Commercial sources include threat intelligence feeds and platforms, security vendor reports and analyses, industry-specific threat intelligence services, dark web monitoring services, and brand protection and digital risk platforms.


Open source intelligence includes government and public sector threat advisories, academic research and security conferences, security blogs and researcher publications, social media and public forum monitoring, and public vulnerability databases and disclosures.


Community and partnership sources include information sharing and analysis centers, industry peer networks and consortiums, law enforcement and government partnerships, and security vendor and researcher communities.


Source-to-question mapping asks "Which sources are most likely to answer which questions? Which sources are unlikely to be able to answer a question?" This analysis helps optimize resource allocation by matching the most appropriate sources to specific intelligence requirements, avoiding inefficient collection efforts.


Capacity planning requires you to "plot available data sources against intelligence needs and identify which sources may end up being tasked the most. Can these data sources handle the load?" Understanding source capacity limitations prevents over-tasking valuable intelligence sources and helps identify where additional collection capabilities may be needed.


Officially Task Collection Activities


Formal tasking ensures accountability, resource allocation, and systematic execution of intelligence collection activities. Without formal tasking, collection efforts become ad hoc and unreliable.


Collection assignments should clearly define specific collection responsibilities for team members, establish collection timelines and reporting schedules, assign appropriate tools and access permissions, and define quality standards and validation requirements.

Resource allocation means allocating human resources based on collection complexity and priority, assigning appropriate technology platforms and tools, establishing budget considerations for commercial intelligence sources, and defining training requirements for collection personnel.


Documentation requirements include creating formal collection plans with specific objectives and methodologies, establishing standardized reporting formats and templates, defining metadata requirements for collected intelligence, and implementing version control and change management processes.


Coordination mechanisms should establish regular collection status meetings and updates, define escalation procedures for high-priority intelligence, create coordination protocols between different collection teams, and implement deconfliction procedures to avoid duplicated efforts.


Evaluate Data and Update the Plan Periodically


Continuous evaluation and improvement ensure that the intelligence collection plan remains relevant and effective over time. Intelligence programs that don't evolve become irrelevant quickly.


Effectiveness metrics include collection success rate measuring the percentage of intelligence requirements successfully fulfilled, timeliness tracking average time from tasking to intelligence delivery, accuracy showing validation rate of collected intelligence against known ground truth, and relevance through stakeholder assessment of intelligence value and applicability.


Quality assessment covers source reliability through ongoing evaluation of source accuracy and consistency, intelligence completeness assessing whether collected intelligence fully addresses requirements, analytical value evaluating how well raw intelligence supports analytical products, and actionability measuring how intelligence translates into security actions.


Updating Requirements


Updates may be required due to changes in threat landscape, organization security posture, or business needs. The threat landscape evolves constantly; new threat actors emerge, existing ones change tactics, and vulnerabilities are discovered and exploited. Your organization's security posture changes as you implement new controls, adopt new technologies, or modify processes. Business needs shift with new products, markets, acquisitions, or strategic direction changes.


Requirements should be reviewed on a regular basis, but you also need to be prepared for ad hoc updates when significant changes occur. Regular reviews provide stability and ensure nothing falls through the cracks, but rigid adherence to review schedules can leave you vulnerable when major changes happen.


Ad hoc requirements should be considered carefully. Sometimes what looks like a new requirement is actually a subset of an existing requirement that needs better collection or analysis. Before creating new requirements, ask whether your existing framework can address the need with better tasking or different sources.


Original requirements may need to be more comprehensive or completely rewritten when you discover gaps in coverage or when your understanding of the threat landscape significantly improves. Don't be afraid to scrap requirements that aren't working and start over. It is better than continuing to collect intelligence that doesn't help anyone make better decisions.


Original requirements may require revision outside the normal review cycle when major incidents occur, significant threat landscape changes happen, or business priorities shift dramatically. The key is having a process for emergency updates while maintaining the discipline of regular reviews.


The periodic review process includes quarterly reviews to assess collection effectiveness against established metrics, review and update priority intelligence requirements based on threat landscape changes, evaluate source performance and consider new intelligence sources, and update collection methodologies based on lessons learned.


Annual strategic assessment involves comprehensive review of intelligence requirements alignment with business objectives, evaluation of overall intelligence program maturity and capabilities, assessment of resource allocation and potential investment needs, and strategic planning for intelligence program evolution and growth.


Continuous improvement requires regular feedback collection from intelligence consumers and stakeholders, implementation of process improvements based on operational experience, integration of new collection technologies and capabilities, and training and development programs for collection personnel.


Implementation best practices include starting small and scaling by beginning with a focused set of high-priority requirements and gradually expanding collection capabilities. Stakeholder engagement maintains regular communication with intelligence consumers to ensure continued relevance. Technology integration leverages automation and integration to improve collection efficiency and reduce manual effort. Quality control implements validation and verification processes to ensure intelligence accuracy and reliability.


Documentation maintains comprehensive documentation of collection processes, sources, and methodologies. Security considerations ensure collection activities comply with legal, ethical, and organizational security requirements.


Practical Application Example: Vulnerability Exploitation Intelligence


To demonstrate how the Intelligence Requirements framework operates in practice, consider the following real-world scenario focused on vulnerability exploitation threats.

The stakeholder requirement is simple: "Identify vulnerability actively exploited that cannot be defended or detected." This stakeholder need drives the creation of a comprehensive intelligence collection strategy across all three tiers.


At the Intelligence Requirement level, the strategic requirement is to identify notable risks to the organization, with the risk focus on exploitation of unmitigated vulnerabilities. This strategic-level requirement establishes the organization's need to understand the broader landscape of vulnerability exploitation as it relates to organizational risk. It provides the high-level direction for all subsequent intelligence activities.


The Priority Intelligence Requirements at the operational level include three key areas.


  • PIR 1 focuses on threat actor capability assessment to identify actors with capability to target the organization. This operational requirement focuses intelligence collection on understanding which threat actors possess the technical capabilities, resources, and intent to exploit vulnerabilities within the organization's specific technology stack and security posture.

  • PIR 2 covers targeting pattern analysis to identify sectors, verticals, and geographies targeted by the actor. This requirement helps the organization understand whether they fit the targeting profile of specific threat actors based on industry sector, organizational size, geographic location, or other characteristics that influence threat actor selection.

  • PIR 3 involves threat actor motivation analysis to identify motives of the actor. Understanding whether threat actors are motivated by financial gain, espionage, disruption, or other factors helps predict their likely targets, attack persistence, and potential impact on the organization.


At the Specific Intelligence Requirement tactical level, the requirement is to identify known unmitigated vulnerabilities. This tactical requirement generates immediate, actionable intelligence about specific vulnerabilities that are actively being exploited in the wild and for which the organization may not have adequate defenses.


The collection requirements at the implementation level include three main areas.


Collection Requirement 1 focuses on vulnerability assessment to determine current unmitigated vulnerabilities. Collection activities include automated vulnerability scanning across all organizational assets, manual penetration testing of critical systems, review of vendor security advisories and patches, analysis of security configuration gaps, and assessment of legacy system vulnerabilities.


Collection Requirement 2 targets threat actor intelligence to collect information on actor exploitation discussion. Collection activities include monitoring underground forums and dark web marketplaces, analysis of threat actor communication channels, collection of exploit kit developments and sales, tracking of vulnerability disclosure and weaponization timelines, and social media and public forum monitoring for exploitation discussions.


Collection Requirement 3 covers attack pattern analysis to collect reports with vulnerabilities utilized in cyberattacks. Collection activities include integration with threat intelligence feeds and commercial providers, analysis of incident response reports from industry peers, review of security vendor threat reports and analyses, monitoring of government and CERT advisories, and collection of indicators of compromise related to vulnerability exploitation.


The implementation workflow starts with strategic direction, where the stakeholder requirement establishes organizational priority for vulnerability exploitation intelligence. Risk assessment through the IR identifies unmitigated vulnerability exploitation as a notable organizational risk. Operational focus through PIRs breaks down the strategic requirement into specific operational intelligence needs about threat actors and targeting. Tactical collection through the SIR provides specific, actionable requirements for immediate vulnerability identification. Data gathering through collection requirements establishes concrete methods for gathering the required intelligence. In analysis and reporting, intelligence analysts synthesize the collected data to address each level of requirements.


Expected outcomes include clear understanding for stakeholders of actively exploited vulnerabilities that pose undefended risks to the organization. Security operations gets a prioritized list of vulnerabilities requiring immediate attention and remediation. Risk management receives quantified assessment of exploitation risk and potential business impact. Incident response gains enhanced preparedness for potential exploitation attempts targeting identified vulnerabilities.


This example demonstrates how a single stakeholder concern flows through the entire Intelligence Requirements framework, ensuring comprehensive collection and analysis that supports both strategic decision-making and tactical security operations.


Conclusion


The Intelligence Requirements framework provides a structured approach to threat intelligence that ensures comprehensive coverage from strategic awareness to tactical response. By implementing IRs, PIRs, and SIRs effectively, organizations can build a robust intelligence capability that supports both proactive defense and reactive response to cyber threats. The key is understanding that intelligence isn't about collecting as much data as possible; it's about collecting the right data to answer the questions that matter most to your organization's security and business objectives.


Appendix A: Cybersecurity Intelligence Collection Plan


The collection plan provides a framework that intelligence managers can use to determine and evaluate cyber threat intelligence needs and then use the plan to meet those needs. Because of the diversity of organizations, capabilities, and requirements, the collection plan has no prescribed format. However, an effective cybersecurity intelligence collection plan should:

  • have as its basis the organization's intelligence requirements (PIRs and IRs),
  • help security leadership see as far ahead as possible into emerging threats,
  • cover internal networks, external threats, and supply chain risks,
  • take a multi-dimensional approach covering network layers, geographic regions, threat actors, and time horizons,
  • cover the collection capabilities of partner organizations and vendors,
  • be flexible enough to allow response to changes as they occur,
  • cover only priority requirements,
  • be a working document, and
  • contain precise and concise language.


The selection of a format depends on your organization's requirements and available resources for intelligence management. Regardless of the format selected, it must follow the logical sequence of intelligence collection management and be easily adjustable to changing requirements, situations, and threat landscapes.


Collection Plan Worksheet


The cybersecurity intelligence collection plan worksheet is valuable for planning and directing threat intelligence collection efforts. For many requirements, particularly those concerned with threat actor capabilities and attack vectors, a written collection worksheet is essential. The detail depends on the requirements intelligence managers need to satisfy and the overall coordination needed during the collection effort.


For smaller organizations, the collection plan worksheet can be informal: a list of available collection sources plus brief notes on current intelligence requirements and specific indicators to monitor. For larger organizations or those with complex threat landscapes, collection planning becomes more detailed. The IRs and PIRs of a CISO often require in-depth analysis, and coordinating the overall collection effort across multiple teams and vendors is a major undertaking.


Figure A-1: Cybersecurity Collection Plan Worksheet Format

| Priority | SIR ID | Intelligence Requirement | NAI/Target | Threat Actor | TTP Category | Collection Source | LTIOV | Status | Results |
|---|---|---|---|---|---|---|---|---|---|
| 1 | SIR-001 | Ransomware group targeting healthcare | Email systems | Conti | Initial access | Email security logs | 24hrs | Active | Monitoring |
| 2 | SIR-002 | APT scanning for VPN vulnerabilities | VPN endpoints | APT29 | Reconnaissance | Network logs | 48hrs | Complete | No activity |

(NAI: named area of interest; LTIOV: latest time intelligence of value.)


Figure A-2: Sample Collection Plan Entries

| Priority | SIR ID | Intelligence Requirement | NAI/Target | Threat Actor | TTP Category | Collection Source | LTIOV | Status | Results |
|---|---|---|---|---|---|---|---|---|---|
| 1 | SIR-003 | C2 infrastructure for new malware family | External networks | Unknown | C2 comms | Threat intel feeds | 72hrs | Active | 3 domains identified |
| 2 | SIR-004 | Insider threat data exfiltration indicators | File shares | Internal | Exfiltration | DLP logs | 12hrs | Escalated | Anomalous access detected |
| 3 | SIR-005 | Supply chain compromise indicators | Third-party integrations | Nation-state | Supply chain | Vendor assessments | 1 week | Pending | Awaiting vendor response |


Another method for maintaining a collection plan uses visual file management with digital cards or tickets. In this method, a collection requirement is displayed with the following information: priority level, request ID or ticket number, time requested and latest time intelligence of value (LTIOV), additional distribution of results, collection sources tasked and timing, time the intelligence was received, summary of the actual intelligence received, and time the intelligence was disseminated to the requester.


Priorities can be shown using different colored tags or labels. For example, red could indicate highly time-sensitive requests related to active threats, yellow for medium priority ongoing monitoring, and green for background intelligence gathering.


The intelligence manager can organize requirements in several ways: by threat actor, by attack vector, by asset category, by requester, or by collection source. The organization method may change as the threat situation evolves, which is easily done with digital management systems.


When a collection requirement is satisfied, the ticket is moved to completed status. The intelligence manager can then maintain the completed requirements in a searchable database organized by threat type, geographic regions, or asset categories. This enables building a knowledge base on the effectiveness of different collection sources for specific types of intelligence requirements.


If using a visual management method, the intelligence manager should maintain two tracking systems. One depicts the PIRs and IRs driving the collection effort, the other lists available sources and which requirements they're tasked with. This prevents overloading any single collection source and ensures nothing gets overlooked.


Figure A-3: Requirements Tracking Chart

| PIR/IR | Description | Supporting SIRs | Status | Review Date |
|---|---|---|---|---|
| PIR-1 | Ransomware targeting critical infrastructure | SIR-001, SIR-006, SIR-012 | Active | Weekly |
| PIR-2 | Nation-state targeting intellectual property | SIR-003, SIR-008 | Active | Bi-weekly |
| IR-A | Emerging attack vectors against cloud infrastructure | SIR-004, SIR-009, SIR-015 | Active | Monthly |

Figure A-4: Source Allocation Chart

| Collection Source | Tasked Requirements | Capacity | Current Load | Next Available |
|---|---|---|---|---|
| SIEM logs | SIR-001, SIR-004, SIR-007 | 10 concurrent | 75% | Immediate |
| Threat intel feeds | SIR-003, SIR-008, SIR-012 | Unlimited | N/A | Immediate |
| Vendor assessments | SIR-005, SIR-013 | 3 per month | 100% | Next month |

For smaller security teams, a simplified collection plan format works well. Each column has a letter designator making it easy to quickly assign or modify collection tasks. For example: Column A - Priority, Column B - Target system, Column C - Time window, Column D - Expected threat indicators, Column L - Action required, Column P - Coordination needed, Column Q - Reporting format.


You could tell your SOC team: "Column B - Email servers, Column C - 1800 to 0600, Column D - Suspicious attachments, malicious domains, credential harvesting attempts, Column L - Block and alert, Column P - Coordinate with IT, Column Q - Report by threat type, source IP, and affected users."


This tells the SOC team to monitor email servers from 6 PM to 6 AM, looking for suspicious attachments, malicious domains, and credential harvesting attempts. They should block threats and send alerts, coordinate with IT for any system changes, and report threats by type, source IP, and affected users.
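A small parser for the lettered-column tasking format above, added here as an example and not part of the original article. It splits on the "Column X - " markers rather than on commas, so a field value that itself contains commas (the Column D indicator list) survives intact; the letter-to-field mapping is the one the text defines.

```python
"""Parser for the lettered-column tasking format (added example, not the article's code)."""
import re

COLUMN_FIELDS = {           # letter designators as defined in the text
    "A": "priority",
    "B": "target_system",
    "C": "time_window",
    "D": "expected_indicators",
    "L": "action_required",
    "P": "coordination",
    "Q": "reporting_format",
}

# Matches "Column B - " (a letter, then a hyphen or en dash), case-insensitive.
_MARKER = re.compile(r"\bColumn\s+([A-Z])\s*[-\u2013]\s*", re.IGNORECASE)


def parse_tasking(text, fields=COLUMN_FIELDS):
    """Return {field_name: value} for every column present in `text`.

    Values run from one marker to the next, so commas inside a value are kept.
    An unknown letter raises ValueError so a typo in a tasking is not silently dropped.
    """
    markers = list(_MARKER.finditer(text))
    if not markers:
        raise ValueError("no 'Column X -' markers found")
    result = {}
    for i, m in enumerate(markers):
        letter = m.group(1).upper()
        if letter not in fields:
            raise ValueError(f"unknown column designator {letter!r}")
        end = markers[i + 1].start() if i + 1 < len(markers) else len(text)
        # Drop the separating comma (or final period) that trails the value.
        result[fields[letter]] = text[m.end():end].strip().rstrip(".,").strip()
    return result


# Constructed input: the SOC tasking quoted in the text.
SOC_TASKING = ("Column B - Email servers, Column C - 1800 to 0600, "
               "Column D - Suspicious attachments, malicious domains, "
               "credential harvesting attempts, Column L - Block and alert, "
               "Column P - Coordinate with IT, "
               "Column Q - Report by threat type, source IP, and affected users.")

if __name__ == "__main__":
    for field, value in parse_tasking(SOC_TASKING).items():
        print(f"{field:>20}: {value}")
```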


Advanced Prioritization Techniques


When collection capabilities are limited compared to intelligence requirements, carefully prioritize each indicator and SIR in addition to the PIRs and IRs they support. Advanced prioritization techniques help maximize the value of limited collection resources.


Figure A-5: Indicator Priority Worksheet

| Indicator ID | Description | Supports PIR/IR | Threat Level | Indicator Priority |
|---|---|---|---|---|
| IND-001 | Unusual admin account activity | PIR-1, PIR-3, IR-A, IR-C | High | 1 |
| IND-002 | External scanning of critical ports | PIR-1, PIR-2, IR-B | High | 2 |
| IND-003 | Anomalous data transfers | PIR-2, IR-A, IR-B, IR-D | Medium | 3 |

After identifying all indicators that satisfy your PIRs and IRs, evaluate each indicator's relative priority based on the priority of the requirements it supports and how many requirements it addresses.


Figure A-6: Prioritization Matrix


A prioritization matrix uses weighted values for each PIR and IR. Assign weighted values based on business impact, with highest priority requirements getting the highest numbers. For example, if you have 5 PIRs and 4 IRs, your highest PIR might get a weight of 9, second highest gets 8, and so on.

| Indicators → | IND-001 | IND-002 | IND-003 | IND-004 |
|---|---|---|---|---|
| PIR-1 [9] | X | X |  | X |
| PIR-2 [8] |  | X | X |  |
| PIR-3 [7] | X |  |  | X |
| IR-A [6] | X |  | X |  |
| IR-B [5] |  | X | X |  |
| Total Weight | 22 | 17 | 14 | 16 |

In this example, IND-001 has the highest priority with a total weight of 22, followed by IND-002 with 17, IND-004 with 16, and IND-003 with 14.
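The weighted matrix computation in code, added here as an example rather than taken from the article. It assumes the "5 PIRs and 4 IRs" weighting the text describes (9 down to 1) and applies it to the indicator-to-requirement mapping from the Indicator Priority Worksheet (Figure A-5), breaking ties by how many requirements an indicator addresses, as the text suggests.

```python
"""Weighted indicator prioritization (added example, not the article's own code)."""

# Assumed weights: 5 PIRs then 4 IRs, 9 down to 1 (the scheme described in the text).
REQUIREMENT_WEIGHTS = {
    "PIR-1": 9, "PIR-2": 8, "PIR-3": 7, "PIR-4": 6, "PIR-5": 5,
    "IR-A": 4, "IR-B": 3, "IR-C": 2, "IR-D": 1,
}

# Indicator -> supported requirements, as listed in Figure A-5.
INDICATORS = {
    "IND-001": ["PIR-1", "PIR-3", "IR-A", "IR-C"],
    "IND-002": ["PIR-1", "PIR-2", "IR-B"],
    "IND-003": ["PIR-2", "IR-A", "IR-B", "IR-D"],
}


def total_weight(supported, weights=REQUIREMENT_WEIGHTS):
    """Sum of the weights of every requirement the indicator supports."""
    unknown = [r for r in supported if r not in weights]
    if unknown:
        # A requirement with no weight means the matrix is incomplete; fail loudly.
        raise KeyError(f"unweighted requirement(s): {unknown}")
    return sum(weights[r] for r in supported)


def prioritize(indicators, weights=REQUIREMENT_WEIGHTS):
    """Return [(indicator_id, total_weight, priority_rank), ...], best first.

    Ties on total weight go to the indicator that addresses more requirements,
    then to the lower indicator id so the ordering is deterministic.
    """
    scored = [(ind, total_weight(reqs, weights), len(reqs))
              for ind, reqs in indicators.items()]
    scored.sort(key=lambda t: (-t[1], -t[2], t[0]))
    return [(ind, w, rank) for rank, (ind, w, _) in enumerate(scored, start=1)]


if __name__ == "__main__":
    for ind, weight, rank in prioritize(INDICATORS):
        print(f"{rank}. {ind}  total weight {weight}")
```

With these weights IND-001 scores 22 and ranks first, matching the worksheet's priority column.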


Collection Plan Format


Figure A-7: Complete Collection Plan Worksheet

| SIR # | Time Window | Target/NAI | SIR Description | PIR/IR | Priority | Collection Sources |
|---|---|---|---|---|---|---|
| 1 | Continuous | Email systems | Monitor for credential harvesting campaigns | PIR-1 | 15 | SIEM, Email security |
| 2 | 0800-1700 | Executive systems | Detect spear-phishing targeting leadership | PIR-1, IR-A | 20 | Email security, EDR |
| 3 | Event-driven | Cloud infrastructure | Identify unauthorized access attempts | PIR-2, IR-B | 18 | Cloud logs, CASB |


The time column lists when the corresponding indicator should be monitored. Some SIRs are extremely time-sensitive, like reporting an active breach, while others remain in effect throughout operations, such as monitoring for persistent threats.


The target/NAI column identifies where the SIR should be observed. This could be specific systems, network segments, user groups, or external infrastructure. One target may relate to multiple SIRs or vice versa.


The SIR description column lists the specific intelligence requirements that will confirm or deny particular indicators and help answer PIRs and IRs. It's common to develop several SIRs from one indicator or for each SIR to provide information on multiple indicators and requirements.


The PIR/IR column records which requirements can be answered by each SIR. The priority column ranks each SIR using one of the prioritization techniques discussed above.

The collection sources section lists all available collection capabilities. If a collection source can satisfy a particular SIR, mark it as capable. Then determine which source can best answer the SIR and rank the relative capability.


For example, if you determine that your SIEM, EDR platform, and threat intelligence feeds can all provide information about advanced persistent threat activity, but your SIEM provides the most comprehensive view, rank it as 1, EDR as 2, and threat feeds as 3 for that specific SIR.


In the final step, determine the relative priority of each SIR that each collection source is tasked with. If your threat intelligence platform is tasked with SIR numbers 5, 12, and 23, and SIR 5 has priority 25, SIR 12 has priority 15, and SIR 23 has priority 8, then provide your threat intelligence team with this prioritized tasking: first, monitor for nation-state infrastructure changes (SIR 5), second, track ransomware group communications (SIR 12), third, watch for new exploit kit releases (SIR 23).
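The source ranking and per-source tasking steps above, as an added example that is not the article's own code. It goes one step further than the text by also honouring the capacity column from the Source Allocation Chart: a SIR goes to its best-ranked capable source that still has a free slot, otherwise to the next-ranked one, and anything no source can take is reported rather than dropped. The SIR-5/12/23 priorities are the values quoted in the text; the fourth SIR, the capability rankings and the free-slot counts are constructed.

```python
"""Collection source tasking with capacity limits (added example, not the article's code)."""

SIRS = {  # id -> (description, priority); a higher number is more urgent
    "SIR-5": ("Monitor for nation-state infrastructure changes", 25),
    "SIR-12": ("Track ransomware group communications", 15),
    "SIR-23": ("Watch for new exploit kit releases", 8),
    "SIR-13": ("Assess third-party vendor exposure", 6),   # constructed
}

# Capable sources per SIR, best-ranked first (constructed rankings).
CAPABLE = {
    "SIR-5": ["Threat intel platform", "SIEM"],
    "SIR-12": ["Threat intel platform"],
    "SIR-23": ["Threat intel platform", "SIEM"],
    "SIR-13": ["Vendor assessments", "Threat intel platform"],
}

# Free slots per source; None means unlimited (like the "Unlimited" feed row).
# Vendor assessments is at 100% load, so it has no free slot this period.
FREE_SLOTS = {"SIEM": 3, "Threat intel platform": None, "Vendor assessments": 0}


def allocate(sirs, capable, free_slots):
    """Return (tasking, unassigned).

    tasking maps source -> SIR ids in descending priority order; unassigned
    lists SIRs that no capable source had room for.
    """
    remaining = dict(free_slots)
    tasking = {src: [] for src in free_slots}
    unassigned = []
    # Highest-priority SIRs claim capacity first.
    for sir in sorted(sirs, key=lambda s: -sirs[s][1]):
        for src in capable.get(sir, []):
            slots = remaining.get(src)
            if src in tasking and (slots is None or slots > 0):
                tasking[src].append(sir)
                if slots is not None:
                    remaining[src] = slots - 1
                break
        else:
            unassigned.append(sir)
    return tasking, unassigned


def tasking_sheet(tasking, sirs, source):
    """Numbered tasking lines for one source, in the form the text hands to a team."""
    return [f"{n}. {sirs[s][0]} ({s}, priority {sirs[s][1]})"
            for n, s in enumerate(tasking[source], start=1)]


if __name__ == "__main__":
    tasks, left = allocate(SIRS, CAPABLE, FREE_SLOTS)
    print("\n".join(tasking_sheet(tasks, SIRS, "Threat intel platform")))
    print("unassigned:", left)
```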


Implementation Guidelines


There is no prescribed format for cybersecurity intelligence collection plans. Use whatever format best suits your organization's needs, available tools, and team structure. The examples above can be adapted as needed or completely replaced with your own design. The key is having a systematic approach that ensures nothing falls through the cracks while maximizing the value of your collection capabilities.


Remember that collection plans are living documents that should evolve with your threat landscape, organizational changes, and lessons learned from security incidents. Regular review and updating ensure your intelligence collection efforts remain focused on the threats that matter most to your organization.


Ready to Build a Threat Intelligence Program That Actually Works?


Most organizations collect threat intelligence but struggle to turn it into actionable security improvements. The difference between intelligence that sits in reports and intelligence that prevents breaches comes down to having the right framework and implementation approach.


If you're dealing with any of these challenges, we should talk:


  • Your threat intelligence feeds aren't reducing your actual risk exposure

  • Security teams are drowning in alerts but missing the threats that matter

  • Leadership wants to understand cyber threats but current reports don't support business decisions

  • You need help building intelligence requirements that align with your specific risk profile

  • Your organization lacks the expertise to implement a structured threat intelligence program


Red Cell Security specializes in building practical threat intelligence capabilities that deliver measurable security improvements. 


We've helped organizations across critical infrastructure sectors develop intelligence programs that actually reduce their attack surface and improve incident response times.


Our threat intelligence services include:


  • Strategic Intelligence Planning - We work with your leadership team to define intelligence requirements that align with business objectives and risk tolerance, not generic industry reports.

  • Operational Intelligence Implementation - We help security teams build collection plans, prioritize threats, and integrate intelligence into daily operations.

  • Tactical Intelligence Integration - We ensure your SOC analysts and threat hunters get actionable intelligence that improves detection and response capabilities.

  • vCISO Intelligence Advisory - We provide ongoing strategic guidance to help your intelligence program evolve with your threat landscape and business needs.


The organizations seeing the biggest security improvements aren't just collecting more threat data—they're collecting the right data to answer the questions that drive better security decisions.


Keith Pachulski

Red Cell Security, LLC

 
 
 


© 2025 by Red Cell Security, LLC.
