Threat intelligence glossary, 2026
57 terms covering CTI, IoCs, STIX/TAXII, MITRE ATT&CK, YARA, Sigma, EPSS, TLP, and agentic SOC vocabulary. Every definition verified April 2026.
Adversary [CTI]
A threat actor who intentionally acts against a target to achieve a goal.
In CTI, 'adversary' is the formal term for any person, group, organisation, or nation-state conducting hostile cyber operations. The Diamond Model of Intrusion Analysis uses 'adversary' as one of its four core elements. Adversaries are distinguished from opportunistic actors by intent, capability, and persistence. Named adversary groups (e.g. APT28, Lazarus Group, FIN7) are tracked by vendors and government agencies with varying naming conventions. CrowdStrike uses animal names (Cozy Bear, Fancy Bear); Mandiant uses numbered APT designators; Microsoft uses weather-based naming. Cross-referencing names across vendors is a common CTI analyst task.
Agentic SOC [Agent]
A SOC architecture where AI agents autonomously perform detection, enrichment, hunting, and response tasks within defined boundaries.
Agentic SOC describes the emerging pattern where LLM-based agents replace or augment human-initiated workflows across the four standard SOC layers: triage, enrichment, hunting, and response. Unlike SOAR (deterministic playbooks), agentic systems reason about novel situations using LLM inference. ISACA's April 2026 survey found 89% of CISOs were accelerating agentic security investment. Key vendors in 2026: Dropzone AI (triage/investigation), Prophet Security (agent-first architecture), Torq HyperSOC (SOAR-plus-agent), Radiant Security (augmentation). The critical distinction: 'agentic' means the agent initiates tasks; 'augmented' means it assists human-initiated tasks.
APT [CTI]
Advanced Persistent Threat: a sophisticated, long-running adversary group, typically state-sponsored or state-affiliated.
APT is both a descriptor (advanced, persistent, threat) and a naming convention. The numbered 'APTnn' designators (APT28, APT29, APT41) come from Mandiant's attribution tracking and are widely reused by CISA advisories, other vendors and the press for formally attributed state-sponsored groups. The term originated in US military and defence-industrial reporting in the mid-2000s. 'Advanced' refers to capability breadth; 'persistent' to long operational dwell times (the M-Trends 2026 global median cited on this page is 10 days, but targeted espionage operations run far longer); 'threat' to the intentional adversarial posture. Not all APTs are nation-state: some financially motivated groups (FIN7, Scattered Spider) receive APT-style tracking because of their capability and persistence.
ATT&CK (MITRE) [Technique]
A publicly accessible knowledge base of adversary tactics, techniques, and procedures derived from real-world observations.
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is the de-facto standard framework for describing how threat actors operate. It organises adversary behaviour into 14 Enterprise Tactics (the 'why') and hundreds of Techniques and Sub-techniques (the 'how'). The Enterprise matrix covers Windows, macOS, Linux, cloud and container platforms; Mobile and ICS are separate matrices. The ATT&CK Navigator is widely used for coverage visualisation. In 2026, ATT&CK is the standard enrichment output format for LLM-based enrichment pipelines: agents map IoCs and behaviours to ATT&CK technique IDs. The framework releases a new version roughly twice a year, and recent versions have continued to expand cloud coverage.
Brand Intelligence [CTI]
Monitoring for digital threats to an organisation's brand: domain spoofing, fake social accounts, phishing lures, and data leaks.
Brand intelligence (also called digital risk protection) covers a distinct but adjacent domain to technical threat intel. It tracks typosquatted domains imitating the target organisation, fraudulent social media profiles, counterfeit mobile apps, and phishing kits using the brand's assets. Vendors: Recorded Future Brand Intelligence (part of the Core/Pro/Elite tiers), Cyberint (Check Point), ZeroFox, Netcraft. AI accelerates two core tasks: generating typosquat candidate lists and clustering credential dumps for brand-specific leaks. Overlap with dark web monitoring is high - most vendors offer both. Pricing: typically bundled into broader CTI platform subscriptions.
Campaign [CTI]
A grouping of adversary activity sharing infrastructure, TTPs, and objectives over a defined time period.
In MITRE ATT&CK and STIX 2.1, a Campaign is a formal object type representing a set of related intrusion activity. Analysts create campaign objects when indicators cluster around shared infrastructure, tooling, or victim targeting that suggests coordinated adversary activity. Campaigns are the key linking concept between individual IoCs and adversary attribution - you link indicators to a Campaign; you link a Campaign to an Adversary. In OpenCTI, Campaign is a first-class STIX object with relationship edges to malware, infrastructure, tools, and threat actors. Mandiant and Recorded Future maintain extensive campaign tracking databases that are central to their intelligence value.
Charlotte AI [Platform]
CrowdStrike's natural-language AI assistant for querying Falcon telemetry and receiving investigation guidance.
Charlotte AI is available across Falcon tiers from Enterprise upward as of 2025. It enables natural-language queries against Falcon sensor telemetry ('show me all PowerShell executions from this host in the last 48 hours'), generates incident summaries in narrative form, provides response guidance, and - in the 2026 IBM ATOM expansion - supports agentic workflows. Charlotte AI is strongest within the CrowdStrike telemetry boundary and degrades noticeably outside Falcon-sourced data. CrowdStrike has not published false-positive or hallucination rates for Charlotte AI attribution claims. Best suited for Tier 1 triage acceleration in Falcon-centric SOC environments.
CISA KEV [Technique]
CISA's Known Exploited Vulnerabilities catalogue: the authoritative list of CVEs confirmed exploited in the wild.
CISA KEV (cisa.gov/known-exploited-vulnerabilities-catalog) is published as a machine-readable JSON and CSV feed that is updated whenever CISA confirms new in-the-wild exploitation, often several times a week. It contains over 1,000 entries as of April 2026, each with a CVE ID, vendor, product, vulnerability name, required action, a due date for federal civilian agencies under BOD 22-01 (the directive's baseline is two weeks for newly catalogued CVEs, and each entry carries its own date), and a flag for known use in ransomware campaigns. For non-federal organisations, KEV functions as a de-facto patching priority override: if a CVE is on KEV, patch regardless of CVSS or EPSS score. LLM orchestrators can automate KEV correlation in MISP: when a new KEV entry matches an active indicator, auto-promote to a TheHive case. KEV is the fastest-moving signal in vulnerability prioritisation.
Confidence level [CTI]
A scored or tiered rating indicating how certain an analyst or system is about an intelligence assessment.
CTI uses two main confidence frameworks. The Admiralty Code (the NATO source-grading scale) rates source reliability (A-F) and information credibility (1-6) as two separate dimensions. Simpler tiered scales (Low/Medium/High, sometimes with a Critical or None rung) are more common in commercial platforms; MISP exposes both through taxonomy tags (the admiralty-scale taxonomy among them), and STIX 2.1 carries a numeric confidence property (0-100) with published mappings from the Admiralty credibility digit and from Low/Medium/High. In LLM-based enrichment pipelines, confidence scoring is critical: always require the LLM to output an explicit confidence level with an acknowledgement when data is thin ('Low confidence - single source, unverified'). Never auto-block or auto-escalate based on LLM-generated High confidence attribution without human review. MISP confidence tags map only approximately to Recorded Future's Risk Score bands; treat any conversion between platform scales as lossy.
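The Campaign and Confidence level entries above describe the same linkage in words: indicators point at a campaign, the campaign is attributed to an adversary, and every assertion carries a confidence. The following is an added example (not code from this page, MISP, OpenCTI or the STIX project) that builds that chain as STIX 2.1 objects with plain dicts, so it runs without the stix2 library. The Admiralty-digit-to-confidence table is the one in the STIX 2.1 specification; the campaign and actor names and the 203.0.113.5 address (RFC 5737 documentation range) are constructed placeholders.

```python
"""Link an indicator to a campaign and the campaign to a threat actor as STIX 2.1
objects, carrying analyst confidence expressed on the Admiralty scale.
Added example using plain dicts rather than the stix2 library so it runs anywhere."""
import json
import uuid
from datetime import datetime, timezone

# STIX 2.1 'Admiralty Credibility' scale: credibility digit -> confidence (0-100).
# Digit 6 ('cannot be judged') has no mapping, so the property is left unset.
ADMIRALTY_CREDIBILITY_TO_CONFIDENCE = {1: 90, 2: 70, 3: 50, 4: 30, 5: 10}


def admiralty_to_confidence(rating):
    """'B2' -> 70. Only the credibility digit maps; the source-reliability letter
    (A-F) has no STIX equivalent and is preserved as a label instead."""
    if len(rating) != 2 or rating[0].upper() not in "ABCDEF" or rating[1] not in "123456":
        raise ValueError(f"bad Admiralty rating: {rating!r}")
    return ADMIRALTY_CREDIBILITY_TO_CONFIDENCE.get(int(rating[1]))


def _timestamp():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def _sdo(stix_type, **props):
    """Minimal STIX Domain Object with the common properties every SDO must carry."""
    ts = _timestamp()
    obj = {"type": stix_type, "spec_version": "2.1",
           "id": f"{stix_type}--{uuid.uuid4()}", "created": ts, "modified": ts}
    obj.update(props)
    return obj


def _relationship(source, target, relationship_type):
    return _sdo("relationship", relationship_type=relationship_type,
                source_ref=source["id"], target_ref=target["id"])


def build_bundle(c2_ip, campaign_name, actor_name, admiralty_rating):
    """indicator --indicates--> campaign --attributed-to--> threat-actor."""
    actor = _sdo("threat-actor", name=actor_name)
    campaign = _sdo("campaign", name=campaign_name)
    indicator = _sdo("indicator",
                     name=f"C2 address {c2_ip}",
                     pattern_type="stix",
                     pattern=f"[ipv4-addr:value = '{c2_ip}']",
                     valid_from=_timestamp(),
                     labels=[f"admiralty:{admiralty_rating.upper()}"])
    confidence = admiralty_to_confidence(admiralty_rating)
    if confidence is not None:  # credibility 6: leave unset rather than invent a number
        indicator["confidence"] = confidence
    objects = [actor, campaign, indicator,
               _relationship(indicator, campaign, "indicates"),
               _relationship(campaign, actor, "attributed-to")]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def objects_of_type(bundle, stix_type):
    return [o for o in bundle["objects"] if o["type"] == stix_type]


if __name__ == "__main__":
    # Constructed names; 203.0.113.0/24 is the RFC 5737 documentation range.
    bundle = build_bundle("203.0.113.5", "Constructed Campaign", "Constructed Actor", "B2")
    print(json.dumps(bundle, indent=2))
```

The bundle is valid input for any STIX 2.1 consumer (OpenCTI's import connectors, a TAXII 2.1 collection). Note that a credibility of 6 deliberately produces no confidence property: an absent value is honest, a fabricated one would later drive an auto-escalation rule.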
Cortex [OSS]
StrangeBee's open-source analyser and responder orchestration engine, paired with TheHive for case management.
Cortex provides the automation engine for TheHive ecosystems. It runs 200+ analyser modules against indicators on demand: VirusTotal, AbuseIPDB, URLhaus, Shodan, urlscan.io, crt.sh, BGPview, GreyNoise, and many more. Responders execute remediation actions (block an IoC in a firewall, send an alert, isolate an endpoint via API). In the agentic CTI stack, Cortex sits between the IoC ingestion layer (MISP) and the LLM enrichment orchestrator - it runs the lookups, and the LLM synthesises the results. Cortex is free and open-source; TheHive 5 requires a commercial licence for team features, with a Community Edition for small deployments.
Credential dump [CTI]
A dataset of stolen usernames and passwords (or hashed passwords) extracted from a breached organisation or service.
Credential dumps are a primary product of data breaches and are monetised on criminal underground markets (Telegram channels, dark web forums, marketplaces). They range from small targeted leaks (a single company's VPN credentials) to mega-compilations holding billions of records (RockYou2024 was advertised at close to 10 billion plaintext passwords). For CTI analysts, credential dump monitoring serves two purposes: detecting own-organisation credential exposure, and tracking threat actor data sources for intelligence pivots. AI accelerates deduplication across overlapping dumps and flags records associated with high-value accounts (admin, executive). Monitoring services: Constella, SpyCloud, and HaveIBeenPwned (the Pwned Passwords range API is free and keyless; breach and domain search through the API requires a paid key).
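The own-organisation exposure check described above is usually done against Pwned Passwords with its k-anonymity range API: only the first five hex characters of the SHA-1 leave the host and the match is made locally. This is an added example (not code from this page or from HaveIBeenPwned); the live HTTP call is isolated in fetch_range(), and the sample response body is constructed so the block runs offline. The first suffix in the sample is the real SHA-1 tail of the string "password"; the other rows and all counts are made up.

```python
"""Check whether a password appears in a credential dump via the Pwned Passwords
k-anonymity range API without sending the password or its full hash.
Added example; the live call is in fetch_range(), tests use a constructed body."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hash_prefix_suffix(password):
    """Split the uppercase SHA-1 hex digest into the 5-char query prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix, body):
    """Scan 'SUFFIX:COUNT' lines for our suffix; 0 means not seen (padding rows also carry 0)."""
    for line in body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix.upper():
            return int(count)
    return 0


def fetch_range(prefix, timeout=10):
    """Live lookup (not exercised offline). Add-Padding hides the true response size
    from a network observer, so the prefix alone reveals nothing about the result."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for GET /range/5BAA6. Row 2 is the genuine SHA-1 tail of
# 'password'; the other rows and every count are invented for the example.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:10000000
1E2512FBA9B5CA89D8B4A1E4C5F6A7B8C9D:0
"""


def sample_fetch(prefix):
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def breach_count(password, fetch=sample_fetch):
    """Number of times the password has been seen in dumps; pass fetch=fetch_range for live use."""
    prefix, suffix = hash_prefix_suffix(password)
    return count_in_range_response(suffix, fetch(prefix))


if __name__ == "__main__":
    print("'password' seen", breach_count("password"), "times in the sample range")
```

For a domain-wide sweep, the same function runs over the hashes in your own directory export, never over plaintext pulled from a dump: the point of the protocol is that neither the password nor its full digest is ever transmitted.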
CTI [CTI]
Cyber Threat Intelligence: evidence-based knowledge about adversaries, their motivations, capabilities, and indicators.
CTI (sometimes TI, Threat Intelligence) is the practice of collecting, processing, analysing, and disseminating intelligence about cyber threats to support decision-making. The intelligence cycle (direction, collection, processing, analysis, dissemination, feedback) underpins the discipline. CTI is segmented by consumer: strategic (board-level risk, geopolitical), operational (ongoing campaign tracking, TTPs), and tactical (technical IoCs for SIEM/firewall feeds). In 2026, the industry is shifting from tactical IoC-sharing to operational intelligence: understanding adversary intent and adapting defences before a campaign reaches operational stage. Agentic AI is accelerating the tactical layer while human analysts focus on operational and strategic assessment.
CVE [Technique]
Common Vulnerabilities and Exposures: a public identifier for a specific software vulnerability.
CVE (cve.org, maintained by MITRE and sponsored by CISA) is the universal identifier for disclosed software vulnerabilities. Each CVE has a unique ID of the form CVE-YYYY-NNNN (four or more sequence digits), a description, and links to advisory sources. CVEs are distinct from CVSS (the severity score) and EPSS (the exploitation probability score). Not all vulnerabilities receive CVEs: vendor-specific advisories sometimes use internal designators. In the CTI workflow, CVE correlation is key: linking an adversary campaign to the specific CVEs it exploits (via KEV, EPSS high-scorers, and CISA advisories) enables proactive patching before a campaign reaches the organisation.
CVSS [Technique]
Common Vulnerability Scoring System: a framework for rating the severity of software vulnerabilities on a 0-10 scale.
CVSS v3.1 is still the dominant version in 2026; CVSS v4.0 was published by FIRST in November 2023 and adoption is gradual. The base score (0.0-10.0) is derived from exploitability metrics (attack vector, attack complexity, privileges required, user interaction), a scope metric, and impact metrics (confidentiality, integrity, availability); temporal and environmental metric groups exist but are rarely populated in feeds. CVSS is severity, not risk. A CVSS 9.8 vulnerability on an air-gapped system with no public-facing exposure is lower actual risk than a CVSS 7.0 on an exposed authentication endpoint. The industry increasingly combines CVSS with EPSS and KEV for prioritisation. AI-augmented vuln management platforms (Tenable VPR, Qualys TruRisk) use CVSS as one input among many rather than as the primary signal.
Dark web [CTI]
Overlay networks (primarily Tor) hosting content not indexed by standard search engines, including criminal marketplaces and forums.
The dark web (Tor hidden services, .onion domains) hosts a range of criminal infrastructure: stolen credential markets, initial access brokers, ransomware affiliate panels, drug markets, and threat actor communication channels. For CTI, dark web monitoring serves: detecting stolen credentials and data relevant to the organisation, tracking threat actor tradecraft and operational communications, and identifying initial access offerings targeting specific sectors. Commercial monitoring services (Intel 471, Flashpoint, DarkOwl) maintain human operator presence on major forums and automate collection across thousands of sources. AI adds slang translation, cross-forum actor attribution, and credential-dump deduplication, but human HUMINT collection remains essential for the most restricted forums.
Diamond Model [Technique]
An intrusion analysis framework representing the relationship between adversary, capability, infrastructure, and victim.
The Diamond Model of Intrusion Analysis (Caltagirone, Pendergast, Betz, 2013) provides a graph-based framework for threat intelligence analysis. Every intrusion event is represented as a diamond with four vertices: Adversary (who), Capability (what tools/techniques), Infrastructure (where), and Victim (against whom). The model enables pivoting: given a known infrastructure node, analysts can link to related adversary activity, campaigns, and victims. OpenCTI's knowledge graph is structurally compatible with the Diamond Model. LLM enrichment agents can use the Diamond Model as a reasoning scaffold for attribution - 'given these infrastructure indicators, what adversary vertices can I infer?'
Dwell time [CTI]
The elapsed time between an adversary's initial access and detection by the victim organisation.
Dwell time is a key industry benchmark tracked annually by Mandiant (M-Trends). M-Trends 2026 reports a global median dwell time of 10 days, the latest point in a long decline: M-Trends 2015 put the global median at 205 days and M-Trends 2022 at 21 days. The improvement is attributed to broader EDR deployment, improved detection tooling, and external notification (ransomware groups announcing victims, law enforcement notifications). Dwell time varies dramatically by region (APAC tends to be longer) and attack type (destructive attacks have shorter dwell than espionage, and ransomware is often 'detected' only when the ransom note lands). Agentic SOC systems target dwell-time reduction as their primary measurable outcome, with AI triage compressing the time between initial alert and escalation to investigation.
EDR [Platform]
Endpoint Detection and Response: security software installed on endpoints to collect telemetry and enable threat detection and investigation.
EDR platforms (CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, Palo Alto Cortex XDR) collect process, network, file, and registry telemetry from endpoints and stream it to a cloud-based analytics platform. Detection rules (both vendor-managed and custom) trigger alerts; investigation features enable timeline analysis and threat hunting. EDR is the foundational telemetry source for the agentic SOC - without high-quality endpoint telemetry, AI triage agents have limited signal to work with. In CrowdStrike's architecture, the EDR telemetry is the primary differentiator for Charlotte AI: CTI value drops sharply for organisations without Falcon EDR deployed.
EPSS [Technique]
Exploit Prediction Scoring System: a daily-updated probability estimating the likelihood that a CVE will be exploited in the next 30 days.
EPSS (first.org/epss, maintained by FIRST's EPSS special interest group) is the most operationally useful free vulnerability prioritisation signal available in 2026. Each published CVE receives a probability from 0.00 to 1.00, recomputed daily, estimating the chance that exploitation activity will be observed in the next 30 days; the model is trained on exploitation activity reported by its data partners (IDS/IPS and honeypot telemetry) and uses features such as CVSS metrics, CWE, vendor, published exploit code (Exploit-DB, Metasploit, GitHub) and public mentions. A percentile is published alongside each score so a CVE can be ranked against all others. Unlike CVSS (which measures theoretical severity), EPSS estimates exploitation likelihood; neither measures impact on your environment. The heuristic used on this page: treat EPSS above 0.10 as elevated, above 0.30 as high, above 0.70 as critical. Always combine EPSS with CISA KEV, and let KEV override EPSS: confirmed exploitation beats predicted exploitation. EPSS is consumed natively by Tenable (VPR uses it as an input), Qualys (TruRisk) and Rapid7, and the full daily dataset plus a query API (api.first.org/data/v1/epss) are free to download.
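The CISA KEV and EPSS entries above prescribe an ordering (KEV first, then exploitation probability, with CVSS and exposure only breaking ties) without showing it. This added example (not code from this page, CISA or FIRST) implements that ranking over payloads shaped like the real KEV JSON and the EPSS API response; the CVE IDs, scores, vendor names and the asset inventory are constructed for the example and correspond to no real vulnerability.

```python
"""Rank CVEs by exploitation evidence rather than CVSS alone: anything in CISA KEV
first, then by EPSS probability, with exposure and CVSS only breaking ties.
Added example; feed excerpts below are constructed in the shape of the real feeds."""
from dataclasses import dataclass

# Constructed excerpt in the shape of CISA's known_exploited_vulnerabilities.json
KEV_FEED = {"vulnerabilities": [
    {"cveID": "CVE-2026-10001", "vendorProject": "ExampleCorp", "product": "Gateway",
     "dueDate": "2026-04-30", "knownRansomwareCampaignUse": "Known"},
]}
# Constructed excerpt in the shape of https://api.first.org/data/v1/epss?cve=...
EPSS_FEED = {"data": [
    {"cve": "CVE-2026-10001", "epss": "0.93412", "percentile": "0.99876"},
    {"cve": "CVE-2026-10002", "epss": "0.41200", "percentile": "0.97100"},
    {"cve": "CVE-2026-10003", "epss": "0.00231", "percentile": "0.51000"},
    {"cve": "CVE-2026-10004", "epss": "0.12900", "percentile": "0.94200"},
]}
# Constructed asset inventory: CVE -> (CVSS base score, internet-exposed?)
INVENTORY = {
    "CVE-2026-10001": (7.5, True),
    "CVE-2026-10002": (6.1, True),
    "CVE-2026-10003": (9.8, False),   # high CVSS, no exploitation signal, not reachable
    "CVE-2026-10004": (8.1, True),
    "CVE-2026-10005": (5.3, False),   # not in the EPSS feed at all (treated as 0.0)
}


def epss_band(p):
    """This page's heuristic: > 0.70 critical, > 0.30 high, > 0.10 elevated."""
    if p > 0.70:
        return "critical"
    if p > 0.30:
        return "high"
    if p > 0.10:
        return "elevated"
    return "low"


@dataclass(frozen=True)
class Finding:
    cve: str
    in_kev: bool
    epss: float
    cvss: float
    exposed: bool

    def tier(self):
        if self.in_kev:                     # KEV overrides every score
            return "P1-KEV"
        band = epss_band(self.epss)
        if band in ("critical", "high"):
            return "P2-EPSS-" + band
        if band == "elevated" and self.exposed:
            return "P3-exposed"
        return "P4-backlog"                 # includes the CVSS 9.8 on the unreachable host


def load_findings(kev=KEV_FEED, epss=EPSS_FEED, inventory=INVENTORY):
    kev_ids = {v["cveID"] for v in kev["vulnerabilities"]}
    epss_by_cve = {d["cve"]: float(d["epss"]) for d in epss["data"]}
    return [Finding(cve, cve in kev_ids, epss_by_cve.get(cve, 0.0), cvss, exposed)
            for cve, (cvss, exposed) in inventory.items()]


def prioritise(kev=KEV_FEED, epss=EPSS_FEED, inventory=INVENTORY):
    """KEV membership, then EPSS descending, then exposure, then CVSS descending."""
    findings = load_findings(kev, epss, inventory)
    return sorted(findings, key=lambda f: (not f.in_kev, -f.epss, not f.exposed, -f.cvss))


if __name__ == "__main__":
    for f in prioritise():
        print(f"{f.tier():14} {f.cve}  epss={f.epss:.3f} cvss={f.cvss} exposed={f.exposed}")
```

In live use the two dictionaries come straight from the published JSON (the KEV file and the EPSS API both return these field names), and the inventory comes from the scanner or CMDB. The ordering deliberately puts the constructed CVSS 9.8 on the unreachable host at the bottom: it has no exploitation evidence and no exposure, which is the page's argument against CVSS-led patching.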
Feed (threat-intel) [CTI]
A machine-readable stream of threat indicators or intelligence delivered via STIX/TAXII, JSON, CSV, or API.
Threat intelligence feeds are the raw material of CTI platforms. They range from free community feeds (CIRCL OSINT feed, abuse.ch URLhaus, MalwareBazaar, ThreatFox, CISA KEV JSON) to premium commercial feeds (Recorded Future Core, Mandiant Threat Intelligence, Intel 471). MISP's feed importer ingests MISP JSON, CSV and free-text formats; STIX and TAXII sources come in through the misp-stix conversion library and the separate MISP TAXII server and client. Feed quality varies in false-positive rate, indicator freshness (staleness within days is common), and coverage depth (some feeds are excellent for one threat type, poor for others). AI helps with feed deduplication and cross-feed reconciliation when conflicting data arrives about the same indicator.
Gemini in Threat Intelligence [Platform]
Google/Mandiant's AI layer for the Mandiant Advantage platform, powered by Gemini models and included with Advantage subscriptions.
Gemini-in-TI provides natural-language querying of Mandiant's threat-actor and campaign database, AI-generated summaries of M-Trends data, and investigation assistance within the Advantage portal (sold since 2024 as Google Threat Intelligence). It was integrated into Mandiant Advantage from 2025 and is included at no additional cost with Advantage subscriptions. Honest verdict: effective for rapid orientation on known threat actors and campaigns where Mandiant has established intelligence; less capable for novel attribution where Mandiant has no prior data. Gemini-in-TI does not have live OSINT awareness: it reasons from Mandiant's database, not real-time feeds. The quality of responses correlates with the depth of Mandiant's existing intelligence on the subject.
Hunt (threat hunting) [Technique]
Proactive search for adversary presence or TTPs within an environment, driven by threat intel hypotheses rather than alert triggers.
Threat hunting differs from incident response: hunting is proactive (you hypothesise adversary behaviour before an alert fires), while IR is reactive (you respond to a confirmed detection). Hunt hypotheses come from threat intelligence: if a current Recorded Future or Mandiant report describes a specific TTP used by an adversary targeting your sector, a hunt generates SIEM queries to check whether that TTP occurred in your environment, undetected. AI accelerates hunting by generating hunt queries from natural-language threat reports and executing searches across multiple SIEM sources simultaneously. Agentic hunting systems (Prophet Security, Radiant) automate the hypothesis-to-query-to-finding pipeline, with humans reviewing findings.
IAB [CTI]
Initial Access Broker: a threat actor specialising in gaining and selling network access rather than conducting follow-on operations.
IABs are a specialised actor category in the ransomware ecosystem. They compromise organisations via phishing, credential stuffing, VPN vulnerabilities, or supply chain attacks, then auction or sell the access on criminal forums rather than conducting ransomware themselves. Ransomware affiliates purchase IAB access to skip the initial intrusion phase. M-Trends 2026 documents the increasing operational separation between IABs and ransomware operators. CTI teams track IAB activity on underground forums (Intel 471 and Flashpoint have the deepest IAB monitoring) to identify whether their sector or organisation is being offered for sale, enabling proactive defensive action before a ransomware affiliate purchases access.
IoC [CTI]
Indicator of Compromise: a technical artefact (IP, domain, hash, URL, email) associated with known malicious activity.
IoCs are the atomic unit of tactical threat intelligence. Types: IP addresses, domain names, URLs, file hashes (MD5, SHA-1, SHA-256), email addresses, registry keys, file paths, certificate fingerprints. IoCs have a freshness problem: IPs and domains are reused by adversaries who rotate infrastructure rapidly, so a 30-day-old IP indicator is often worthless. The Pyramid of Pain (Bianco, 2013) formalises this: hash values are trivial for an adversary to change, IP addresses easy, domain names simple, network and host artefacts annoying, tools challenging, and TTPs tough, so a detection pinned to the top of the pyramid costs the adversary most while a hash block costs them a recompile. Modern CTI prioritises TTP-level indicators over hash/IP. AI enrichment helps with IoC context (adding campaign linkage, actor attribution, MITRE ATT&CK mapping) and deduplication across 50+ feeds.
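Before any of the enrichment or deduplication above can happen, indicators lifted from reports arrive defanged ("hxxp://", "[.]", "[at]") and untyped. This added example (not code from this page) refangs an indicator, classifies it by type, and tags it with its Pyramid of Pain tier so a pipeline can decide how much to trust a match; the inputs in the test are constructed using reserved example domains and RFC 5737 / RFC 3849 documentation addresses.

```python
"""Normalise defanged indicators and classify them by type and Pyramid of Pain tier,
the two steps that precede feed deduplication. Added example (not from the page)."""
import ipaddress
import re
from urllib.parse import urlsplit

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
# Pyramid of Pain (Bianco, 2013): how much it costs the adversary when this type is blocked.
PAIN_TIER = {"md5": "trivial", "sha1": "trivial", "sha256": "trivial",
             "ipv4": "easy", "ipv6": "easy", "domain": "simple",
             "url": "annoying", "email": "annoying"}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def refang(ioc):
    """Undo the common defanging conventions found in reports and chat pastes."""
    s = ioc.strip()
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]|\(dot\)", ".", s, flags=re.IGNORECASE)
    s = re.sub(r"\[at\]|\(at\)|\[@\]", "@", s, flags=re.IGNORECASE)
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    s = re.sub(r"\[:\]", ":", s)
    s = re.sub(r"\[://\]", "://", s)
    return s


def classify(ioc):
    """Return {'type', 'value', 'pain_tier'}; hashes, emails and domains are lower-cased."""
    value = refang(ioc)
    lowered = value.lower()
    kind = "unknown"
    if re.fullmatch(r"[0-9a-f]+", lowered) and len(lowered) in HASH_TYPES:
        kind, value = HASH_TYPES[len(lowered)], lowered
    elif lowered.startswith(("http://", "https://")) and urlsplit(value).hostname:
        kind = "url"                      # keep URL case: paths may be case-sensitive
    elif EMAIL_RE.match(value):
        kind, value = "email", lowered
    else:
        try:
            kind = f"ipv{ipaddress.ip_address(value).version}"
        except ValueError:
            if DOMAIN_RE.match(lowered):
                kind, value = "domain", lowered
    return {"type": kind, "value": value, "pain_tier": PAIN_TIER.get(kind, "n/a")}


def classify_all(iocs):
    """Deduplicate after normalisation so 'Evil.Example.COM' and 'evil[.]example[.]com' merge."""
    seen = {}
    for ioc in iocs:
        c = classify(ioc)
        seen[(c["type"], c["value"])] = c
    return list(seen.values())


if __name__ == "__main__":
    # Constructed paste from a report; example domains and documentation IPs only.
    for c in classify_all(["hxxp://evil[.]example[.]com/payload", "198.51.100[.]7",
                           "Evil.Example.COM", "evil[.]example[.]com",
                           "d41d8cd98f00b204e9800998ecf8427e", "2001:db8::1"]):
        print(c)
```

The deduplication step shows why normalisation comes first: the same domain pasted in two casings and one defanged form collapses to a single record, which is what the feed reconciliation described under Feed (threat-intel) relies on.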
Kill Chain [Technique]
A linear model of adversary operations from reconnaissance to objectives, used to identify defensive intervention points.
The Lockheed Martin Cyber Kill Chain (Hutchins, Cloppert, Amin, 2011) describes seven adversary phases: Reconnaissance, Weaponisation, Delivery, Exploitation, Installation, Command & Control, Actions on Objectives. Defenders use kill chain analysis to identify which phase an attack is in and to prioritise controls that break the chain at the earliest stage. The kill chain is linear and has been critiqued as too simple for modern threats (adversaries often loop back through phases, use living-off-the-land techniques that skip weaponisation, etc.). MITRE ATT&CK supersedes the kill chain for technical detail but the kill chain remains useful for executive communication and security control mapping.
KQL [Platform]
Kusto Query Language: Microsoft's query language used in Sentinel, Defender XDR, and Azure Monitor.
KQL (Kusto Query Language) is the detection engineering language for Microsoft's security stack. Analysts write KQL to query Sentinel log analytics workspaces (ingesting Windows events, Azure activity logs, network flows, identity logs) and Defender XDR data. KQL is more readable than Splunk's SPL for analysts familiar with SQL-like syntax. LLMs (Claude, GPT-5) generate plausible KQL from natural-language descriptions with reasonably high accuracy - Microsoft Security Copilot's most useful feature is KQL generation for Sentinel. Failure modes: hallucinated table names and field paths that exist in some Sentinel configurations but not others. Always validate LLM-generated KQL against your actual Sentinel schema before promotion.
LLM [Agent]
Large Language Model: a neural network trained on large text corpora, capable of generating and reasoning over text.
LLMs (GPT-5, Claude Sonnet 4.5, Gemini 1.5 Pro, Llama 4) are the reasoning engines behind AI-augmented and agentic CTI systems in 2026. In CTI contexts, LLMs provide: IoC enrichment synthesis (reading 50+ feed outputs and generating a narrative enrichment note), detection rule drafting (Sigma/YARA from natural-language descriptions), threat report summarisation, and investigation narrative generation. LLMs hallucinate - they produce confident incorrect outputs, particularly on adversary attribution with thin supporting data. Mitigations: require cited sources in outputs, use confidence scoring, keep humans in the loop for high-stakes decisions. Model Context Protocol (MCP) is the emerging standard for connecting LLMs to tool APIs in CTI pipelines.
MCP [Agent]
Model Context Protocol: an open standard for connecting LLMs to external tools, data sources, and APIs.
MCP (modelcontextprotocol.io, created by Anthropic, now an open standard) defines how LLM agents discover and call external tools. In CTI pipelines, MCP connectors enable LLM agents to call MISP APIs (query events, create attributes), Cortex analysers, TheHive case management, SIEM query APIs, and threat intelligence feeds - all through a standardised tool-calling interface. As of April 2026, the CTI community has developed MCP connectors for MISP, OpenCTI, TheHive, VirusTotal, and Shodan. MCP is the technical substrate that makes 'LLM orchestrator' more than a concept - it gives the LLM grounded access to real CTI systems.
MDR [Platform]
Managed Detection and Response: an outsourced security service providing 24/7 threat monitoring, detection, and incident response.
MDR services (CrowdStrike Falcon Complete, Microsoft Defender Experts, Mandiant Managed Defense, Arctic Wolf, Expel) provide continuous monitoring and response as a managed service, typically targeting organisations lacking 24/7 SOC capability. MDR differs from MSSP (which focuses on managed security controls) by providing active investigation and response, not just alert forwarding. MDR is increasingly AI-augmented in 2026: service providers use agentic triage to handle Tier 1 volume while human analysts focus on escalated investigations. For budget comparison: MDR typically costs $80k-$300k/yr for mid-enterprise vs building and staffing an internal SOC at $1M+.
MISP [OSS]
Malware Information Sharing Platform: an open-source threat intelligence and IoC sharing platform maintained by CIRCL.
MISP (misp.org) is the most widely deployed open-source threat intelligence platform, with thousands of organisations running instances globally. Core capabilities: native MISP-to-MISP synchronisation for IoC sharing, STIX 1 and 2 import and export, an event/attribute/object model for structuring intelligence, sharing groups for community collaboration, feed management (pull from 100+ free feeds), and an API-first design enabling programmatic access. In 2026, MISP 2.5 adds improved relationship modelling and enhanced STIX 2.1 support. MISP is the IoC exchange layer in the standard OSS CTI stack; OpenCTI is the knowledge graph layer. Sizing: a single instance handles mid-sized deployments on 8 vCPU / 32 GB RAM. CIRCL Luxembourg is the primary maintainer.
MITRE ATT&CK [Technique]
See ATT&CK (MITRE) above.
MITRE ATT&CK is maintained by the MITRE Corporation and updated roughly twice a year. The framework covers Enterprise (Windows/macOS/Linux/cloud/container), Mobile, and ICS environments. Technique IDs (e.g. T1566 for Phishing) are the universal reference in CTI reporting, SIEM detection rules, and vendor documentation. For glossary purposes: 'MITRE ATT&CK' and 'ATT&CK' are interchangeable; the ampersand in ATT&CK stands for 'Adversarial Tactics, Techniques, and Common Knowledge'. The ATT&CK Navigator (mitre-attack.github.io/attack-navigator) is the standard tool for coverage visualisation.
MSSP [Platform]
Managed Security Service Provider: a company providing outsourced security monitoring, management, and response services.
MSSPs provide managed security controls (firewall management, SIEM-as-a-service, MDR) to multiple clients under a shared cost model. The MSSP market in 2026 is under margin pressure: clients expect AI-augmented services but vendors are still absorbing the tooling cost. Key MSSP-specific CTI requirements: multi-tenancy (client data isolation), white-label reporting, resale licensing for commercial feeds, and SOC-analyst productivity multipliers that maintain margin as alert volumes grow. The optimal 2026 MSSP CTI stack: OSS core (OpenCTI + MISP + TheHive) with one commercial feed subscription under an MSSP partner agreement, plus LLM enrichment automation.
MTTR / MTTD [CTI]
Mean Time to Respond / Mean Time to Detect: MTTD is the average elapsed time from intrusion to detection, MTTR the average from detection to containment.
MTTD (Mean Time to Detect) measures how long an adversary operated undetected - equivalent to dwell time from the detection perspective. MTTR (Mean Time to Respond) measures how long it takes from detection to containment/remediation. Both are primary metrics for SOC effectiveness and are directly impacted by agentic SOC investment. Industry benchmarks (April 2026): Mandiant M-Trends 2026 reports 10-day global median dwell time (MTTD-adjacent). MTTR targets vary by organisation: 1-hour MTTR for Tier-1 incidents is achievable with agentic triage; 24-hour MTTR for complex incidents with human investigation. AI-augmented systems reduce MTTR by 30-40%; agentic systems target 50-60% reduction.
NDR [Platform]
Network Detection and Response: security tooling that monitors network traffic for adversary behaviour and enables investigation.
NDR (formerly NTA - Network Traffic Analysis) platforms (Darktrace, ExtraHop, Corelight, Vectra, Cisco Stealthwatch) monitor east-west and north-south network traffic for anomalies and known-bad signatures. In the agentic SOC context, NDR is a telemetry source feeding the enrichment and hunting layers - network evidence correlates with endpoint telemetry from EDR to build complete attack-chain narratives. NDR is less mature for LLM integration than SIEM as of April 2026, but vendors like Darktrace have published agentic response capabilities. NDR's primary advantage over SIEM: it captures adversary activity that occurs below the log/event level (packet inspection, encrypted traffic analysis).
OpenCTI (OSS): Filigran's open-source STIX 2.1-native threat intelligence knowledge graph platform.
OpenCTI (opencti.io, maintained by Filigran) is the modern OSS alternative to commercial TIPs for organisations that want to build rich knowledge graphs of adversary activity. Core features: STIX 2.1 native (every object and relationship is a valid STIX object), GraphQL API for programmatic access, connector ecosystem for importing from MISP/EclecticIQ/Mandiant/OpenCTI sharing groups, TAXII server and client, rich relationship modelling (actor -> campaign -> malware -> infrastructure -> victim). Community edition is free; Filigran Enterprise adds multi-tenancy and SLA support (key for MSSP use cases). In the standard OSS stack: MISP handles IoC exchange, OpenCTI handles the knowledge graph.
OverWatch (Platform): CrowdStrike's 24/7 managed threat hunting service, operating on Falcon telemetry across the customer base.
CrowdStrike OverWatch is a human-led managed threat hunting service that operates across the entire Falcon sensor network - over 2 trillion security events processed per week as of 2025. OverWatch hunters proactively look for novel adversary techniques not yet caught by automated detection, leverage cross-customer telemetry patterns, and publish quarterly threat hunting reports. OverWatch Fusion adds SIEM hunting across non-Falcon sources. In 2026, OverWatch is partially augmented by Charlotte AI for hypothesis generation, but remains a human-led service at the hunting layer. OverWatch is typically included with CrowdStrike Falcon Enterprise and above.
Passive DNS (Technique): Historical DNS resolution data capturing which IP addresses a domain has resolved to over time.
Passive DNS databases record DNS query/response pairs observed by sensors (resolver operators, ISPs, security vendors), typically with first-seen and last-seen timestamps per pair. This enables pivoting: given a malicious domain, analysts query passive DNS to find all IP addresses it has historically resolved to, and then find all other domains that resolved to those IPs. This infrastructure pivot technique is a core skill in phishing infrastructure analysis and C2 tracking. The main pitfall is pivoting through a shared-hosting, CDN or sinkhole address, which pulls in thousands of unrelated domains; in practice the walk is bounded by per-IP fan-out and by overlapping first-seen/last-seen windows, not only by depth. Free sources: SecurityTrails (limited free tier), CIRCL passive DNS (PDNS). Commercial: DomainTools Iris (most comprehensive), Recorded Future brand/infrastructure intelligence. WhoisXML API provides programmatic passive DNS access. LLM orchestrators automate the pivot sequence but struggle with graph traversals past depth 3.
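The pivot described above, as an added example that is not part of the page or of any passive DNS provider's client library. The records in PDNS are a constructed, fictional dataset (RFC 5737 documentation addresses and .example names) standing in for API query results; the two lookup functions are the only part a real run would replace. The walk is breadth-first, stops at a depth limit, and refuses to expand any address hosting more names than a fan-out threshold, which is how the shared-hosting trap is avoided.

```python
"""Passive DNS infrastructure pivot, bounded by depth and fan-out.

Added example (not code from the page, CIRCL, DomainTools or any other
provider). PDNS is a constructed, fictional dataset using RFC 5737
documentation addresses and .example names; a real run would replace the
two lookup functions with queries to a passive DNS API.
"""
from collections import deque

# Constructed records: (rrname, rdata, first_seen, last_seen).
# 198.51.100.7 and .8 are "dedicated" attacker boxes; 203.0.113.9 is a
# shared-hosting address with many unrelated tenants, the classic pivot trap.
PDNS = [
    ("login-secure.example", "198.51.100.7", "2026-01-03", "2026-02-11"),
    ("mail-verify.example", "198.51.100.7", "2026-01-20", "2026-02-15"),
    ("mail-verify.example", "198.51.100.8", "2026-02-16", "2026-03-01"),
    ("cdn-update.example", "198.51.100.8", "2026-02-18", "2026-03-02"),
    ("login-secure.example", "203.0.113.9", "2025-11-01", "2025-12-30"),
] + [
    (f"tenant{i}.example", "203.0.113.9", "2025-06-01", "2026-03-01")
    for i in range(50)
]

MAX_FANOUT = 20  # an IP with more names than this is treated as shared hosting


def ips_for_domain(domain):
    """A-record history for one name (stand-in for a PDNS 'rrname' query)."""
    return {r[1] for r in PDNS if r[0] == domain}


def domains_for_ip(ip):
    """Names that ever resolved to this IP (stand-in for a PDNS 'rdata' query)."""
    return {r[0] for r in PDNS if r[1] == ip}


def pivot(seed, max_depth=3, max_fanout=MAX_FANOUT):
    """Breadth-first walk: seed -> IPs -> co-hosted names -> their IPs ...

    Returns (domains, ips, skipped_ips). domains and ips map each find to
    the hop at which it was first reached, so distant finds can be weighted
    lower; skipped_ips holds addresses dropped for exceeding max_fanout.
    """
    domains = {seed: 0}
    ips = {}
    skipped = set()
    queue = deque([(seed, 0)])
    while queue:
        domain, depth = queue.popleft()
        if depth >= max_depth:
            continue  # depth cutoff: do not expand this node further
        for ip in sorted(ips_for_domain(domain)):
            if ip in ips or ip in skipped:
                continue
            names = domains_for_ip(ip)
            if len(names) > max_fanout:
                skipped.add(ip)  # shared hosting: expanding it only adds noise
                continue
            ips[ip] = depth + 1
            for name in sorted(names):
                if name not in domains:
                    domains[name] = depth + 1
                    queue.append((name, depth + 1))
    return domains, ips, skipped


if __name__ == "__main__":
    found, addrs, dropped = pivot("login-secure.example")
    for name, hop in sorted(found.items(), key=lambda kv: kv[1]):
        print(f"hop {hop}: {name}")
    print("infrastructure:", addrs)
    print("skipped as shared hosting:", dropped)
```

Raising max_fanout to 100 pulls all fifty unrelated tenants into the result set at hop 1, which is exactly the noise the threshold exists to prevent; the first-seen/last-seen columns are carried so a second filter on temporal overlap can be added without changing the walk.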
Pathfinder (Recorded Future) (Platform): Recorded Future's AI investigation assistant for threat research, included with Core tier and above from April 2026.
Pathfinder is Recorded Future's AI layer for analyst productivity. Analysts describe an investigation goal in natural language ('what infrastructure is linked to APT41 campaigns targeting financial sector in 2025?'); Pathfinder queries Recorded Future's intelligence database, synthesises findings, and produces a structured investigation report with source citations. The April 2026 rebrand included making Pathfinder available to Core subscribers (previously Elite-only), significantly broadening access. Honest verdict: Pathfinder is genuinely useful for research acceleration on well-documented threats where Recorded Future has deep intelligence; it is less useful for novel or under-reported actor groups where the underlying data is thin.
Phishing kit (Technique): A packaged toolkit for deploying a phishing site: HTML templates, credential-harvesting scripts, and anti-analysis features.
Phishing kits are distributed on underground forums and Telegram channels, enabling low-skill adversaries to deploy convincing phishing sites imitating banks, enterprises, or cloud services. A kit typically includes: an HTML/CSS replica of the target site, a credential-harvesting PHP backend that sends stolen data to the operator's email or Telegram, anti-bot cloaking to evade automated scanners, and often a redirect to the legitimate site for visitors who do not match the target profile, which reduces reports. Detection: urlscan.io and Google Safe Browsing flag kit-based phishing via visual similarity and DOM analysis; LLM-assisted analysis can classify new kit variants by code similarity to known families. DomainTools Iris and Recorded Future Brand Intelligence track kit deployment infrastructure.
Pyramid of Pain (Technique): David Bianco's model ranking indicator types by how much blocking them disrupts an adversary.
The Pyramid of Pain (Bianco, 2013) ranks indicators from least to most disruptive to adversaries when defenders act on them: Hash values (trivial to change), IP addresses (easy), Domain names (simple), Network/host artefacts (annoying), Tools (challenging), TTPs (tough). Blocking an adversary at the TTP level forces them to change fundamental tradecraft; blocking at hash level costs them minutes. Modern CTI strategy prioritises TTP-level detection over hash/IP blocking, which explains the shift toward ATT&CK-mapped detection engineering and away from pure IoC feed blocking. AI helps move detection up the pyramid by generating ATT&CK-mapped detection rules from threat reports.
Ransomware-as-a-Service (CTI): A criminal business model where ransomware developers license their malware and infrastructure to affiliate operators.
RaaS (Ransomware-as-a-Service) is the dominant ransomware business model as of 2026. Developers (LockBit3, Black Basta, ALPHV/BlackCat successors) provide affiliates with: ransomware executable, C2 infrastructure, decryption key management, victim negotiation support, and leak site hosting. Affiliates (often purchasing access from IABs) pay 20-30% of ransom to the developer. M-Trends 2026 documents that 60%+ of financially motivated intrusions involve double extortion (encrypt + exfiltrate and threaten publication). CTI relevance: tracking RaaS affiliate panels, leak site monitoring, and IAB postings targeting specific sectors enables early warning before ransomware execution.
SIEM (Platform): Security Information and Event Management - a platform for aggregating, correlating, and alerting on security logs and events.
SIEM platforms (Splunk, Microsoft Sentinel, Google SecOps/Chronicle, Elastic Security, IBM QRadar) are the central detection and logging infrastructure for most enterprise SOCs. They ingest log sources (endpoint, network, identity, cloud), apply detection rules (SPL, KQL, YARA-L, EQL), and generate alerts. In 2026, all major SIEM vendors have added AI assistants: Splunk AI, Security Copilot for Sentinel, Google SecOps AI, Elastic AI Assistant, LogScale AI. The honest verdict: AI SIEM features accelerate rule writing and investigation summarisation but do not fundamentally improve detection quality - that still depends on detection engineering skill and rule quality.
Sigma (OSS): A generic SIEM detection rule format that transpiles to platform-specific query languages (SPL, KQL, YARA-L, EQL).
Sigma (SigmaHQ, github.com/SigmaHQ/sigma) enables detection engineers to write rules once and transpile to any SIEM using pySigma backends. A Sigma rule defines log source, detection logic, and MITRE ATT&CK tags in YAML. The SigmaHQ rule set contains 3,000+ rules covering common attacker techniques. LLMs handle Sigma better than YARA: the YAML structure is tractable, and Claude Sonnet 4.5 / GPT-5 draft plausible rules from natural-language descriptions. Main failure mode: hallucinated field names in product-specific log schemas. Best pattern: LLM drafts Sigma, CI pipeline validates against schema using pySigma, analyst reviews before promotion. Sigma rules feed directly from detection engineering into the agentic SOC detection layer.
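The two halves of that pattern, evaluating a rule against events and catching a hallucinated field name, as an added example that is not SigmaHQ or pySigma code. RULE is the parsed (dict) form of a Sigma YAML rule so the block runs without PyYAML; the process_creation field list is a constructed subset of the Sigma taxonomy, and the three events are constructed. The evaluator implements the `contains`, `endswith` and `startswith` modifiers, list-valued OR, and a small condition grammar (`not`, `and`, `or`, parentheses); a real pipeline would hand the same rule to a pySigma backend instead.

```python
"""Evaluate a Sigma rule against sample events and lint its field names.

Added example; not code from SigmaHQ or pySigma. RULE is the parsed (dict)
form of a Sigma YAML rule so the block runs without PyYAML; the
process_creation field list and the three events are constructed.
"""
import re

# Parsed Sigma rule: encoded PowerShell command lines, excluding system accounts.
RULE = {
    "title": "Encoded PowerShell Command Line",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["-enc", "-EncodedCommand"],
        },
        "filter_system": {"User|startswith": "NT AUTHORITY\\"},
        "condition": "selection and not filter_system",
    },
    "tags": ["attack.execution", "attack.t1059.001"],
}

# Constructed subset of the field names Sigma defines for process_creation.
SCHEMA = {"process_creation": {"Image", "CommandLine", "ParentImage", "User",
                               "ParentCommandLine", "Hashes"}}

# Constructed events; the base64 tail is an arbitrary placeholder.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [
    {"Image": PS, "CommandLine": "powershell.exe -NoP -W Hidden -enc SQBFAFgAIAAo",
     "User": "CORP\\jdoe", "ParentImage": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE"},
    {"Image": PS, "CommandLine": "powershell.exe -EncodedCommand SQBFAFgAIAAo",
     "User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Windows\\System32\\services.exe"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir",
     "User": "CORP\\jdoe", "ParentImage": "C:\\Windows\\explorer.exe"},
]

# A draft using a Defender column name instead of the Sigma field name: it
# would transpile and deploy, then silently never match.
DRAFT_WITH_BAD_FIELD = {**RULE, "detection": {
    "selection": {"ProcessCommandLine|contains": "-enc"}, "condition": "selection"}}


def lint_fields(rule, schema):
    """Field names the rule uses that its log source does not define."""
    known = schema[rule["logsource"]["category"]]
    used = {key.split("|", 1)[0]
            for name, sel in rule["detection"].items() if name != "condition"
            for key in sel}
    return used - known


def _match_value(value, modifiers, wanted):
    """Apply Sigma string modifiers; Sigma string matching is case-insensitive."""
    v, w = str(value).lower(), str(wanted).lower()
    if "contains" in modifiers:
        return w in v
    if "endswith" in modifiers:
        return v.endswith(w)
    if "startswith" in modifiers:
        return v.startswith(w)
    return v == w


def _match_selection(selection, event):
    """All keys of a selection must match; a list value is an OR of alternatives."""
    for key, wanted in selection.items():
        field, *modifiers = key.split("|")
        options = wanted if isinstance(wanted, list) else [wanted]
        if field not in event or not any(
                _match_value(event[field], modifiers, w) for w in options):
            return False
    return True


def _eval_condition(condition, truth):
    """Recursive-descent evaluator for conditions built from selection names,
    'not', 'and', 'or' and parentheses (precedence: not > and > or)."""
    tokens, pos = re.findall(r"\(|\)|\w+", condition), 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def atom():
        tok = take()
        if tok == "(":
            value = or_expr()
            take()  # the closing parenthesis
            return value
        return not atom() if tok == "not" else truth[tok]

    def and_expr():
        value = atom()
        while pos < len(tokens) and tokens[pos] == "and":
            take()
            rhs = atom()
            value = value and rhs
        return value

    def or_expr():
        value = and_expr()
        while pos < len(tokens) and tokens[pos] == "or":
            take()
            rhs = and_expr()
            value = value or rhs
        return value

    return or_expr()


def evaluate(rule, event):
    """True when the event satisfies the rule's condition."""
    det = rule["detection"]
    truth = {name: _match_selection(sel, event)
             for name, sel in det.items() if name != "condition"}
    return _eval_condition(det["condition"], truth)


def run(rule=RULE, events=EVENTS):
    """Per-event verdicts; for EVENTS the expected result is [True, False, False]."""
    return [evaluate(rule, e) for e in events]
```

The second event is excluded by the filter rather than by the selection, which is the usual shape of a tuned rule; the draft with `ProcessCommandLine` returns no verdicts at all against the same events, and only the field lint explains why.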
SOAR (Platform): Security Orchestration, Automation and Response - a platform executing pre-defined security playbooks in response to alerts.
SOAR (Splunk SOAR, Palo Alto XSOAR, Microsoft Sentinel Playbooks, Tines, Torq) automates deterministic response workflows: a phishing alert triggers a playbook that extracts URLs, queries VirusTotal, sandboxes attachments, notifies the user, and updates the ticket - all without human initiation. SOAR is the precursor to agentic SOC; the distinction is that SOAR executes pre-written playbooks while agentic systems reason about novel situations. In 2026, SOAR vendors (Torq HyperSOC, Tines) are adding LLM reasoning layers to handle cases the original playbook author didn't anticipate - bridging SOAR and agentic patterns.
SOC (Platform): Security Operations Centre - a team and facility responsible for continuous monitoring, detection, and response to security threats.
A SOC typically operates 24/7 (or business-hours with on-call coverage), staffed by Tier 1 analysts (alert triage), Tier 2 analysts (investigation), and Tier 3 (threat hunting, incident response). SOC cost is the primary driver of agentic investment: a fully staffed 24/7 SOC for a mid-size enterprise costs $2-5M+/yr in headcount alone. Agentic SOC systems target Tier 1 automation, enabling smaller analyst teams to handle larger alert volumes. The M-Trends 2026 observation: improved detection tooling has cut global median dwell time from 78 days in 2018 (M-Trends 2019) to 10 days in 2026, but the volume of alerts has grown faster than analyst hiring.
STIX 2.1 (CTI): Structured Threat Information eXpression - the OASIS JSON standard for representing cyber threat intelligence.
STIX 2.1 (oasis-open.org) is the machine-readable standard for expressing CTI. STIX Domain Objects include Indicator, Malware, Threat Actor, Campaign, Intrusion Set, Attack Pattern, Tool, Vulnerability, Course of Action, Identity and Location; Relationship and Sighting are the Relationship Objects that link them, and Marking Definitions carry handling labels such as TLP. STIX 2.1 is the native data model of OpenCTI and the interchange format of most commercial TIPs; MISP keeps its own event format internally and imports and exports STIX through converters, so round-tripping between the two can drop attributes. TAXII is the transport protocol for distributing STIX bundles. In LLM-based enrichment pipelines, having the model emit a valid STIX object (an Indicator with pattern, pattern_type and valid_from, or a Malware object with is_family) means results can be imported into MISP or OpenCTI without additional parsing, but the output still needs schema validation before import: a missing required property, a malformed id or a dangling source_ref is rejected by the TIP.
TAXII (CTI): Trusted Automated eXchange of Intelligence Information - the transport protocol for sharing STIX bundles over HTTPS.
TAXII 2.1 (oasis-open.org) defines a RESTful HTTPS API for exchanging STIX content. A TAXII server exposes API roots and, under them, 'collections' of STIX objects; clients poll a collection, typically with an added_after filter, to fetch what is new since their last request. TAXII 2.x is pull-only (there is no push or subscription mechanism), so the polling interval sets how fresh a feed can be. CIRCL, abuse.ch, ISAC organisations, and commercial vendors all operate TAXII servers. MISP and OpenCTI both function as TAXII servers and clients. For feed integration: configure MISP to pull from TAXII collections at scheduled intervals, automatically importing new STIX objects as events. The TAXII standard is stable but implementation quality varies - some vendor TAXII servers have schema inconsistencies that cause import failures. Testing against your specific MISP or OpenCTI version before production integration is essential.
TheHive (OSS): StrangeBee's open-source incident response case management platform, tightly integrated with Cortex and MISP.
TheHive (thehive-project.org) is the case management layer in the standard OSS CTI stack. Analysts create Cases (incidents) containing Tasks and Observables (indicators). TheHive integrates natively with Cortex (automatically triggering analyser runs on new observables), MISP (importing events and exporting cases as MISP events), and various ticketing systems. TheHive 5 requires a commercial licence for team collaboration features; the Community Edition supports small teams (5 users) at no cost. In the agentic SOC architecture, TheHive is the handoff point from automated agents to human analysts - agents create cases with pre-populated enrichment, analysts review and action.
TIP (Platform): Threat Intelligence Platform - software for aggregating, managing, and actioning threat intelligence.
TIP is the category term for platforms (Recorded Future, Mandiant Advantage, Anomali ThreatStream, EclecticIQ, ThreatConnect, MISP, OpenCTI) that centralise threat intelligence management. A TIP ingests feeds from multiple sources, enables analysts to manage and enrich indicators, and distributes actionable intelligence to downstream controls (SIEM, firewall, EDR). The distinction between TIP and SIEM: TIP manages intelligence as the primary function; SIEM manages security events with intelligence as enrichment context. In practice, the line is blurring: Recorded Future integrates directly with Splunk/Sentinel, and SIEM vendors are adding TIP-like intelligence management features.
TLP (CTI): Traffic Light Protocol - FIRST's colour-coded labels for controlling how far a piece of information may be shared.
TLP 2.0 (FIRST.org/tlp, 2022) uses colour-based labels to specify how recipients may share intelligence. TLP:RED - named recipients only; do not share further, even within the recipient's own organisation. TLP:AMBER+STRICT - within the recipient's organisation only. TLP:AMBER - within the recipient's organisation and its clients, on a need-to-know basis. TLP:GREEN - within the recipient's community, not via publicly accessible channels. TLP:CLEAR (TLP:WHITE in TLP 1.0) - no restriction, public dissemination permitted. MISP, OpenCTI, and most commercial platforms support TLP tagging natively; STIX 2.1 carries TLP as marking-definition references on each object (its fixed definitions still use the 1.0 colour names, so TLP:CLEAR maps to the white marking). TLP compliance is a contractual requirement in many ISAC sharing agreements. In MSSP architectures, TLP tagging enables data segregation across clients on a shared platform, provided the platform enforces the marking on every export path rather than merely displaying it.
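The STIX 2.1 and TLP entries together describe one pipeline step: an enrichment result becomes a marked STIX bundle, gets validated, and is released only as far as its TLP allows. This added example shows that step end to end; it is not code from OASIS, the stix2 library, MISP or OpenCTI, and it writes the JSON with the standard library only. The domain, malware name and audience labels are constructed; the four marking-definition IDs are the fixed TLP definitions from the STIX 2.1 specification, which still uses the 1.0 colour names (so TLP:CLEAR maps to the white marking, and AMBER+STRICT has no fixed spec ID and is handled only on the sharing side).

```python
"""Build a STIX 2.1 bundle from an enrichment result, validate it, and gate
its release by TLP marking.

Added example; not code from OASIS, the stix2 library, MISP or OpenCTI; it
writes the JSON with the standard library only. The domain, malware name
and audiences are constructed. The four marking-definition IDs are the
fixed TLP definitions of the STIX 2.1 specification, which still uses the
TLP 1.0 colour names, so TLP:CLEAR maps to the 'white' marking.
"""
import re
import uuid
from datetime import datetime, timezone

TLP_MARKING = {
    "clear": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",  # spec: white
    "green": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "amber": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
    "red": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}
MARKING_TLP = {v: k for k, v in TLP_MARKING.items()}

# TLP 2.0 onward-sharing scope: audiences a recipient may pass the object to.
TLP_SCOPE = {
    "clear": {"same-org", "client", "community", "public"},
    "green": {"same-org", "client", "community"},
    "amber": {"same-org", "client"},  # clients only on a need-to-know basis
    "amber+strict": {"same-org"},
    "red": set(),  # named recipients only; no onward sharing at all
}
RESTRICTIVENESS = ["clear", "green", "amber", "amber+strict", "red"]

STIX_ID = re.compile(r"^[a-z][a-z0-9-]*[a-z0-9]--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
COMMON = {"type", "spec_version", "id", "created", "modified"}
REQUIRED = {"indicator": {"pattern", "pattern_type", "valid_from"},
            "malware": {"is_family"},
            "relationship": {"relationship_type", "source_ref", "target_ref"}}


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")


def _new(obj_type, tlp, **props):
    """Common STIX properties plus one TLP marking, then the type-specific ones."""
    ts = _now()
    return {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
            "created": ts, "modified": ts, "object_marking_refs": [TLP_MARKING[tlp]], **props}


def make_bundle(domain, malware_name, tlp="amber"):
    """Indicator (domain pattern) --indicates--> Malware, all under one TLP."""
    literal = domain.replace("\\", "\\\\").replace("'", "\\'")  # STIX pattern string escaping
    indicator = _new("indicator", tlp, name=f"C2 domain for {malware_name}",
                     indicator_types=["malicious-activity"],
                     pattern=f"[domain-name:value = '{literal}']",
                     pattern_type="stix", valid_from=_now())
    malware = _new("malware", tlp, name=malware_name, is_family=True,
                   malware_types=["remote-access-trojan"])
    rel = _new("relationship", tlp, relationship_type="indicates",
               source_ref=indicator["id"], target_ref=malware["id"])
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [indicator, malware, rel]}


def validate(bundle):
    """Problems a TIP import would reject on; an empty list means import-ready."""
    problems, ids = [], {o.get("id") for o in bundle["objects"]}
    for o in bundle["objects"]:
        oid, otype = o.get("id", ""), o.get("type", "")
        if not STIX_ID.match(oid) or not oid.startswith(otype + "--"):
            problems.append(f"bad id {oid!r}")
        for prop in COMMON | REQUIRED.get(otype, set()):
            if prop not in o:
                problems.append(f"{otype} missing {prop}")
        for ref in ("source_ref", "target_ref"):
            if ref in o and o[ref] not in ids:
                problems.append(f"{oid} dangling {ref}")
        for m in o.get("object_marking_refs", []):
            if m not in MARKING_TLP:
                problems.append(f"{oid} unknown marking {m}")
    return problems


def tlp_of(obj):
    """Most restrictive TLP marking on the object; unmarked objects count as red
    so nothing is released by accident."""
    levels = [MARKING_TLP[m] for m in obj.get("object_marking_refs", []) if m in MARKING_TLP]
    return max(levels, key=RESTRICTIVENESS.index) if levels else "red"


def releasable(bundle, audience):
    """Objects that may be passed to this audience under their TLP."""
    return [o for o in bundle["objects"] if audience in TLP_SCOPE[tlp_of(o)]]
```

Treating an unmarked object as TLP:RED is the fail-closed choice an MSSP export path needs: a missing marking is far more often an upstream bug than a deliberate release to everyone. The validator is deliberately narrow (ids, required properties, reference integrity, known markings); it is the minimum that turns "the LLM emitted JSON" into "the TIP will accept it".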
TruLens (Qualys) (Platform): Qualys's March 2026 AI explainability feature for TruRisk vulnerability prioritisation, showing the reasoning behind risk scores.
TruLens was announced by Qualys in March 2026 as an addition to the TruRisk platform. It provides LLM-generated explanations for why specific vulnerabilities received their TruRisk scores - citing the EPSS probability, CVSS base score, exposure context (internet-facing vs internal), and business criticality of the affected asset. The goal is to make AI-driven prioritisation auditable for compliance purposes and to help security teams justify patching decisions to stakeholders. TruLens represents the broader 2026 trend toward explainable AI in security tooling - 'why did the AI flag this?' becoming as important as 'did the AI flag it correctly?'
TTP (Technique): Tactics, Techniques, and Procedures - the characteristic behaviours and methods used by a threat actor.
TTPs (borrowed from military intelligence) describe adversary behaviour at three levels: Tactics (the high-level goal, e.g. 'Initial Access'), Techniques (how the goal is achieved, e.g. 'Spearphishing Attachment'), and Procedures (the specific implementation, e.g. 'using a malicious Word document with macro executing PowerShell'). In MITRE ATT&CK, Tactics map to the 14 categories and Techniques map to the numbered T-codes. TTP-based detection is the gold standard because adversaries can easily change IPs and domains but changing core TTPs requires significant effort (top of the Pyramid of Pain). AI-generated Sigma and YARA rules increasingly target TTP-level behaviour rather than specific indicator values.
Typosquat (Technique): A domain registered to imitate a legitimate domain by substituting, omitting, or transposing characters.
Typosquatting (and homograph attacks, its IDN-based variant) is a fundamental phishing infrastructure technique. A threat actor registers paypa1.com (digit for letter), paypal-login.com (added word), or xn--pypal-4ve.com (IDN homoglyph: the punycode form of a label with a Cyrillic a in place of the Latin a) to impersonate paypal.com. Tools for detection: dnstwist (generates typosquat variants for a given domain and resolves them), urlcrazy (similar, with additional variant types), Netcraft's phishing infrastructure monitoring, DomainTools Iris for passive DNS pivoting from known typosquats. AI accelerates typosquat generation (LLMs produce comprehensive variant lists faster than rule-based tools) and clustering (grouping registered typosquats by infrastructure to identify coordinated campaigns).
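A dnstwist-style generator for the variant classes listed above, as an added example that is not dnstwist or urlcrazy code. The keyboard-adjacency and homoglyph tables are abbreviated, approximate versions of what those tools carry, and nothing is resolved: the output is the candidate list a real run would then check against DNS or passive DNS. IDN candidates are punycode-encoded with Python's idna codec, so the Cyrillic-a variant of paypal.com comes out as the xn--pypal-4ve.com form quoted in the entry.

```python
"""Generate typosquat and homoglyph candidates for a domain, dnstwist-style.

Added example; not dnstwist or urlcrazy code. The keyboard-adjacency and
homoglyph tables are abbreviated, approximate versions of what those tools
carry. Candidates are returned as registrable ASCII names (IDN variants
punycode-encoded), keyed to the technique that produced them; a real run
would resolve each candidate or check it against passive DNS.
"""

KEYBOARD = {  # QWERTY neighbours, approximate
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg", "y": "tugh",
    "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol", "a": "qwsz", "s": "wedxza",
    "d": "erfcxs", "f": "rtgvcd", "g": "tyhbvf", "h": "yujnbg", "j": "uikmnh",
    "k": "iolmj", "l": "opk", "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb",
    "b": "vghn", "n": "bhjm", "m": "njk",
}
HOMOGLYPHS = {  # ASCII look-alikes plus Cyrillic letters that render identically
    "l": ["1", "i"], "i": ["l", "1"], "o": ["0", "\u043e"], "a": ["\u0430"],
    "e": ["\u0435"], "c": ["\u0441"], "p": ["\u0440"], "s": ["5"], "b": ["d"], "d": ["b"],
}
TLDS = ["com", "co", "cm", "net", "org"]
ALPHANUM = "abcdefghijklmnopqrstuvwxyz0123456789"


def to_ascii(name):
    """Punycode-encode any IDN label (Python's idna codec); None if not encodable."""
    try:
        return name.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def typosquats(domain):
    """Map of candidate ASCII domain -> technique, excluding the original."""
    label, _, tld = domain.lower().partition(".")
    original = f"{label}.{tld}"
    found = {}

    def add(kind, new_label, new_tld=tld):
        if not new_label:
            return
        name = to_ascii(f"{new_label}.{new_tld}")
        if name and name != original and name not in found:
            found[name] = kind  # first technique to produce a name keeps it

    n = len(label)
    for i in range(n):
        add("omission", label[:i] + label[i + 1:])
        if i < n - 1:
            add("transposition", label[:i] + label[i + 1] + label[i] + label[i + 2:])
        for g in HOMOGLYPHS.get(label[i], []):
            add("homoglyph", label[:i] + g + label[i + 1:])
        for k in KEYBOARD.get(label[i], ""):
            add("replacement", label[:i] + k + label[i + 1:])
            add("insertion", label[:i] + k + label[i:])
        add("repetition", label[:i] + label[i] + label[i:])
        if 0 < i:
            add("hyphenation", label[:i] + "-" + label[i:])
    for ch in ALPHANUM:
        add("addition", label + ch)
    for t in TLDS:
        if t != tld:
            add("tld-swap", label, t)
    return found


if __name__ == "__main__":
    for name, kind in sorted(typosquats("paypal.com").items()):
        print(f"{kind:13} {name}")
```

Clustering the registered subset of this list by shared nameservers, registrant or hosting IP is the step the entry calls out for AI assistance; the generator itself is deterministic and cheap, so it belongs in a scheduled job against every brand domain the organisation cares about.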
VPR (Tenable) (Platform): Vulnerability Priority Rating - Tenable's machine-learning vulnerability prioritisation score combining CVSS-derived impact with threat intelligence on exploitation.
VPR (Vulnerability Priority Rating) is Tenable's proprietary score, offered alongside raw CVSS as the primary prioritisation signal in Nessus, Tenable Vulnerability Management (formerly Tenable.io) and Tenable Security Center. VPR ranges 0.1-10 and is computed per vulnerability from two components: technical impact, derived from the CVSS impact metrics, and threat, which combines exploit code maturity, vulnerability age, and the intensity and recency of observed exploitation and threat-source activity. Asset context is not part of VPR itself; Tenable layers it on separately through the Asset Criticality Rating, and EPSS is shown as its own field rather than folded into VPR. VPR scores update daily as the threat landscape changes - a low-CVSS vulnerability can jump to VPR 9+ if a PoC drops and exploitation activity rises. In practice, VPR is one of the most operationally useful vuln prioritisation signals because it collapses several threat data streams into one actionable number, but it still has to be combined with asset exposure before it becomes a patching order.
XDR (Platform): Extended Detection and Response - a platform unifying EDR, NDR, email, and cloud telemetry in a single detection and response system.
XDR (CrowdStrike Falcon XDR, Palo Alto Cortex XDR, Microsoft Defender XDR, Trend Micro Vision One, Cisco XDR) extends EDR by ingesting telemetry from multiple security controls and correlating across them. Where EDR is endpoint-only, XDR adds network, email, cloud, and identity telemetry into a unified timeline. The agentic SOC benefits from XDR because broader telemetry gives LLM agents more signal for attack-chain reconstruction. Criticism: most XDR platforms work best within their own ecosystem (CrowdStrike XDR is strongest when Falcon EDR is the endpoint sensor); third-party integrations degrade correlation quality.
YARA (OSS): A pattern-matching language for identifying malware by matching byte patterns, strings, or structural features in files.
YARA (yara.readthedocs.io, VirusTotal/Google) is the dominant malware classification language. A YARA rule specifies string patterns and conditions that must match for a file to be classified as a specific malware family. VirusTotal Retrohunt enables scanning the entire VT corpus against new rules. LLMs handle YARA less reliably than Sigma: hallucinated byte-patterns and false-positive rates are high enough that unreviewed LLM-generated YARA rules cause expensive Retrohunt false-positive noise. Best pattern: LLM generates a draft rule skeleton from a malware sample analysis, a human expert reviews the byte-pattern logic, the rule enters a testing pipeline against a clean-file baseline before Retrohunt submission.
Zero-day (Technique): A vulnerability for which no patch exists at the time of exploitation, often because the vendor is unaware of it.
Zero-days (0days) represent the highest-value vulnerability category. They are exploited before a patch exists, leaving defenders no patch-based mitigation option. Nation-state actors (the NSA's Equation Group, GCHQ, Lazarus) stockpile and use zero-days for targeted operations; cybercriminals occasionally acquire them from exploit brokers (Zerodium, Crowdfense) or through independent research. In CTI, zero-day tracking means monitoring threat intelligence for in-the-wild exploitation reports (Google TAG, Mandiant, CISA advisories) and applying compensating controls (WAF rules, network segmentation, authentication tightening) within hours of public disclosure. AI does not provide a zero-day detection advantage - LLMs have no awareness of unreported vulnerabilities - although behaviour-based detection of post-exploitation activity (the TTP level of the Pyramid of Pain) does not depend on knowing the vulnerability at all.