Threat Intelligence Cheat Sheet

Updated 2026-04-30

Threat intelligence is the knowledge-based approach to understanding adversaries, their capabilities, and their intentions through the systematic collection, analysis, and dissemination of threat data. It transforms raw security data into actionable insights that enable organizations to anticipate attacks, prioritize defenses, and respond faster to incidents. Unlike reactive security measures that wait for alerts, threat intelligence builds a proactive posture by mapping the threat landscape to your specific environment. At its core, effective threat intelligence answers three questions: who is targeting you, how they operate, and what you should do about it—making it the bridge between data and decision-making that defines modern security operations.

What This Cheat Sheet Covers

This topic spans 15 focused tables and 107 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.

  • Table 1: Indicator Types
  • Table 2: Indicator Formats and Standards
  • Table 3: Intelligence Levels
  • Table 4: Collection Methods
  • Table 5: Threat Intelligence Lifecycle
  • Table 6: Analytical Frameworks
  • Table 7: Threat Intelligence Platforms (TIPs)
  • Table 8: Traffic Light Protocol (TLP)
  • Table 9: Enrichment and Contextualization
  • Table 10: Detection and Response Integration
  • Table 11: Threat Actor Profiling
  • Table 12: Sharing and Collaboration
  • Table 13: Measurement and Metrics
  • Table 14: Common Pitfalls and Best Practices
  • Table 15: Advanced Techniques

Table 1: Indicator Types

Indicators of compromise are the concrete fingerprints a defender watches for — the hashes, addresses, and artifacts that betray malicious activity. They're not all equally valuable: a file hash or IP is trivial for an attacker to swap out, whereas behavioral fingerprints like mutexes, JA3/JA4 TLS signatures, and YARA rules cut deeper into how the malware actually works and are far harder to change.

| Type | Example | Description |
| --- | --- | --- |
| File Hash (MD5) | 5d41402abc4b2a76b9719d911017c592 | 128-bit cryptographic hash of a file; fast but collision-prone, widely used for malware identification despite security weaknesses |
| File Hash (SHA-1) | aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d | 160-bit hash offering better collision resistance than MD5; still widely seen but deprecated for security-critical use since 2017 |
| File Hash (SHA-256) | 2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae | Industry-standard 256-bit hash providing strong collision resistance; preferred for modern threat intel and digital forensics |
| IP Address (IPv4) | 192.0.2.1 | 32-bit network address identifying a host or C2 server; easily rotated by attackers but essential for network-level blocking |
| IP Address (IPv6) | 2001:0db8::1 | 128-bit address space enabling virtually unlimited IPs; adoption growing but less commonly tracked in legacy threat feeds |
| Domain Name | malicious-site.example | Human-readable DNS name resolving to IP addresses; attackers use domain generation algorithms (DGAs) to evade static blocks |
| URL | https://phish.example/login?id=x | Full web address including protocol, domain, path, and parameters; high specificity but easy for attackers to change |
| Email Address | attacker@evil.example | Sender identity in phishing campaigns; spoofable but useful for tracking campaign infrastructure and actor attribution |
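
The following added example, not part of the original cheat sheet, classifies raw indicator strings into the types listed in Table 1 and normalizes them before they are loaded into a blocklist or feed. The `refang` and `classify` names, the defanging conventions handled (`hxxp`, `[.]`, `[:]`, `[@]`), and the sample values are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hex digest length -> hash type (128/160/256 bits, as in Table 1).
# Length alone is a heuristic: other algorithms share these lengths.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")

def refang(value):
    """Undo common defanging applied when indicators are shared in reports."""
    value = re.sub(r"^hxxp", "http", value.strip(), flags=re.I)
    return value.replace("[.]", ".").replace("[:]", ":").replace("[@]", "@")

def classify(raw):
    """Return (indicator_type, normalized_value); type is 'unknown' on no match."""
    value = refang(raw)
    # File hashes: pure hex of a known digest length, stored lowercase.
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in HASH_TYPES:
        return HASH_TYPES[len(value)], value.lower()
    # IP addresses: the standard library validates and canonicalizes both families.
    try:
        ip = ipaddress.ip_address(value)
        return f"ipv{ip.version}", ip.compressed
    except ValueError:
        pass
    # URLs: require an http(s) scheme and a host; malformed input is not a URL.
    try:
        parts = urlsplit(value)
        if parts.scheme in ("http", "https") and parts.hostname:
            return "url", value
    except ValueError:
        pass
    # Email before bare domain, since an address contains a domain.
    match = EMAIL_RE.match(value)
    if match and DOMAIN_RE.match(match.group(1).lower()):
        return "email", value.lower()
    if DOMAIN_RE.match(value.lower()):
        return "domain", value.lower()
    return "unknown", value

if __name__ == "__main__":
    # Constructed sample input: Table 1 examples, some in defanged form.
    samples = ["5d41402abc4b2a76b9719d911017c592", "192[.]0[.]2[.]1",
               "2001:0db8::1", "hxxps://phish[.]example/login?id=x",
               "attacker@evil.example", "malicious-site[.]example", "n/a"]
    for s in samples:
        print(s, "->", classify(s))
```
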
