How to build an intelligence process to anticipate threats in your

Jan 29, 2026

Many organizations still treat Cyber Threat Intelligence (CTI) as a product: a report, a tool, an indicator feed, or a one-time alert. The problem with this approach is simple: threats are not one-time; they are continuous.

Anticipating attacks requires something more robust: a structured intelligence process, adapted to the organization’s sector, integrated with security teams, and capable of evolving as the threat landscape changes. In this article, we show how to build this process step by step, focusing on relevance, predictability, and real impact.

Why CTI needs to be a process, not a product

Intelligence products age quickly. A technical report can be outdated in weeks; an IoC feed, in hours.

However, a well-defined intelligence process allows you to:

  • Quickly adjust the focus as the sector becomes more targeted.
  • Turn weak signals into early warnings.
  • Prioritize risks based on real context, not data volume.

In other words: the value of CTI lies in its continuity, not in isolated deliveries.

Step 1: Understand your sector and your risk profile

Before collecting any data, fundamental questions must be answered:

  • What types of threats most impact my sector?
  • Is the main risk financial, operational, regulatory, or reputational?
  • Who are the most likely adversaries: cybercrime, fraud, ransomware, espionage?
  • Which assets are most attractive to an attacker?
  • What are my “crown jewels,” what really matters to my business, and how can my adversary exploit them?

A bank, a retailer, a manufacturer, and a public body do not face the same type of threat, even if they use similar technologies. Without this understanding, CTI risks being directed to monitor “everything” (an omnipresence that is practically impossible) while anticipating nothing. What matters is being present in the right channels, and continuously identifying and establishing a presence in newly relevant ones.

Step 2: Define clear intelligence requirements

Intelligence requirements are the questions that the CTI process needs to answer. Examples:

  • Are we being mentioned in clandestine forums?
  • Are there active campaigns against companies in our sector?
  • What techniques are being used to gain initial access?
  • Are there signs of preparation for seasonal attacks (Black Friday, income tax, elections)?

These requirements guide:

  • What to collect
  • Where to collect
  • What to analyze
  • To whom to disseminate

Without requirements, the team just becomes a data collector, not an intelligence producer.

Step 3: Structure collection with an external focus

Anticipating threats requires looking outside the organization. The main collection fronts include:

  • Open sources (OSINT): technical blogs, social media, public announcements
  • Clandestine forums and marketplaces: sale of accesses, credentials, kits
  • Closed channels: Telegram, Discord, regional groups
  • Data leaks and the leak sites (panels) run by extortion gangs
  • Malicious infrastructure (domains, hosting, certificates)

The central point is not volume, but relevance to the sector.

Step 4: Analysis oriented toward behavior and context

Raw data does not anticipate attacks; patterns do. The analysis should answer questions like:

  • Has this been observed before?
  • Is this behavior common in my sector?
  • What techniques are being combined?
  • What is the adversary’s probable next step?

Frameworks like MITRE ATT&CK, the Cyber Kill Chain, and the Diamond Model help to:

  • Structure hypotheses
  • Compare campaigns
  • Translate intelligence into technical action

Here, CTI stops being descriptive and becomes predictive.

Step 5: Disseminate intelligence to those who can act

Intelligence that does not reach decision-makers anticipates nothing. A mature process provides segmented dissemination:

  • SOC receives technical hypotheses and detection priorities
  • Red Team receives adversary profiles and real TTPs
  • Awareness Teams receive active themes and pretexts
  • GRC receives risk and impact assessment
  • Leadership receives trends and scenarios

Each audience needs the same intelligence, in different formats.

Step 6: Close the cycle with feedback and adjustment

Anticipation is not static. The process needs to learn from practice:

  • Was the threat confirmed?
  • Did the detection work?
  • Was the alert actionable?
  • Was the risk well prioritized?

This feedback fuels:

  • Intelligence requirements
  • Monitored sources
  • Analysis criteria

This is what transforms CTI into a living system, not a repository.

A practical example

A retail company defines anticipating seasonal fraud as a requirement. The CTI observes:

  • Registration of domains with promotional terms
  • Sale of Portuguese-language phishing kits
  • Increase in customer credential leaks

With this, the company:

  • Blocks domains before the attack
  • Adjusts email and DNS filters
  • Alerts business areas and customers

No incident occurred, and this is the best possible result.
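The first signal in that example, domains registered with promotional terms, is the easiest to automate. The script below is an added illustration, not code from the article or from Resonant: it triages a list of newly registered domains against a constructed watchlist for a hypothetical retailer "lojaexemplo", scoring brand matches, one-character typosquats, and seasonal promo terms so that an analyst sees "block", "review" or "ignore" instead of a raw feed. The brand, term lists, public suffixes and thresholds are all assumptions to be replaced with the organization's own.

```python
import re

# Constructed watchlist for a hypothetical retailer; not real data.
BRAND_TERMS = ["lojaexemplo"]
PROMO_TERMS = ["blackfriday", "promo", "oferta", "cupom", "desconto"]
OWN_DOMAINS = {"lojaexemplo.com.br"}          # retailer's legitimate domains
PUBLIC_SUFFIXES = {"com", "br", "net", "org", "shop", "online"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_text(domain: str) -> str:
    """Letters and digits of the domain with public-suffix labels removed."""
    labels = domain.lower().strip(".").split(".")
    while labels and labels[-1] in PUBLIC_SUFFIXES:
        labels.pop()
    return re.sub(r"[^a-z0-9]", "", "".join(labels))

def near_brand(text: str, brand: str) -> bool:
    """True if some window of text is within one edit of the brand name."""
    for width in (len(brand) - 1, len(brand), len(brand) + 1):
        for start in range(max(1, len(text) - width + 1)):
            if edit_distance(text[start:start + width], brand) <= 1:
                return True
    return False

def triage(domain: str) -> tuple:
    """Score one newly registered domain: (verdict, score, reasons)."""
    if domain.lower().strip(".") in OWN_DOMAINS:
        return ("own", 0, ["allowlisted corporate domain"])
    text = registrable_text(domain)
    reasons = [f"promo term '{t}'" for t in PROMO_TERMS if t in text]
    score = len(reasons)                       # +1 per promotional term
    for brand in BRAND_TERMS:                  # +5 for the brand or a typosquat
        if brand in text:
            score, reasons = score + 5, reasons + [f"brand '{brand}'"]
        elif near_brand(text, brand):
            score, reasons = score + 5, reasons + [f"typosquat of '{brand}'"]
    verdict = "block" if score >= 6 else "review" if score >= 3 else "ignore"
    return (verdict, score, reasons)

print(triage("loja-exempl0-oferta.com"))       # constructed sample domain
```

Feeding the "block" verdicts to the email and DNS filters, and the "review" ones to an analyst, is the dissemination step of the article applied to this one signal.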

How Resonant helps you with this

Anticipating threats is not guesswork. It’s a method. Here at Resonant, we have spent over 10 years refining an effective intelligence process that offers:

  • Clarity about the sector and the risk
  • Discipline in defining requirements
  • Focus on adversary behavior
  • Integration with those who can act

Companies with access to this do not eliminate risk, but they get ahead of the attacker. The key question is not whether you consume intelligence, but whether you have a process to produce it continuously and relevantly for your sector. If establishing such a process in your organization calls for a partner interested in a long-term relationship, one that produces context-oriented intelligence for your business, choose Resonant.
