Threat Intelligence Essentials: How to Prioritize Effectively
Rethinking CTI prioritization through business context
In the first post of this series, we argued that the effectiveness of CTI cannot be measured with a single, universal set of success metrics. What “good intelligence” looks like depends heavily on who consumes it. Even when the underlying data set is exactly the same, the expectations of an Analyst, an Engineer, or a Leader differ significantly.
Analysts are focused on shortening investigation cycles, engineers care about improving automation and operational efficiency, while leaders need clarity on where to prioritize security investments. These are very different problems and they require very different forms of intelligence products. Consequently, a CTI analyst must deliberately tailor the output to match these role-specific needs.
This represents a departure from the still-common practice of distributing the same report, built on the same data, to every stakeholder. Modern threat intelligence demands a more targeted, consumer-driven approach rather than a one-size-fits-all delivery model.
You can read the first article in the series at the link below.
In this post, we’ll dive into yet another crucial part of CTI planning: how to prioritize effectively. As you know, defining Priority Intelligence Requirements is key for allocating time and resources. A common mistake in setting PIRs is overlooking the company’s business model, growth projections, and technology strategies.
When determining CTI priorities, the typical approach is to build a threat landscape based on the industry and geographical location of the company, focusing on the threat actors most relevant to that context. Then, prioritization is based on the level of damage these actors could inflict, with the highest-impact threats being addressed first.
Another common strategy involves using SWOT analyses or post-mortems to pinpoint weaknesses and develop a strategy to address them. In these cases, CTI often acts as a complementary layer of defense. For example, if a company’s EDR system isn’t detecting certain types of malware, CTI can be used to fill that gap.
While these approaches aren’t inherently wrong, they miss an important piece of the puzzle. The reality is that businesses don’t stay the same. They almost always grow and change over time. CTI programs that don’t align with the company’s growth plans struggle to stay proactive and fail to deliver long-term ROI. Over time, this makes it even harder to redirect investments where they’re needed most.
The Tale of Two Banks
When doing cyber security planning, the first thing you should ask yourself is: How does the company actually make money? Even if two companies are in the same industry and appear to offer the same services, their revenue models can be drastically different. Let’s explore this with two fictional banks: ClassicBank and DigitalBank.
ClassicBank is a traditional bank with physical branches, offering standard banking services. It then uses the capital from its customers to make direct investments and private equity deals. Unlike typical banks that earn from fees or interest, ClassicBank profits from the returns on these investments. So, its growth strategy is all about attracting high-net-worth individuals (HNWI and UHNWI) to raise capital, and then using that capital to make better, more profitable investments. This means ClassicBank’s customer base won’t grow quickly or through consumer loans. It’s about finding a few high-value clients and expanding through capital investments. As a result, ClassicBank isn’t likely to focus on developing digital products. Its IT infrastructure will expand in line with its physical branch network, and its due diligence operations will be intensive because of the high-risk nature of its investments.
DigitalBank on the other hand, is a fully digital, branchless bank. It targets young professionals, especially those in the tech-savvy white-collar workforce. Its goal is to offer an exceptional user experience while making stock and crypto investments more accessible. DigitalBank earns primarily from consumer loans and transaction fees in the stock and crypto markets. Its growth strategy is centered on constantly increasing its customer base by improving digital products and user experiences. DigitalBank is continuously partnering with new stores and subscription services to offer discounts, cashback, and other benefits to attract customers. Because it has no physical branches, DigitalBank aims to rapidly scale its customer base through digital channels. This means the bank will likely invest heavily in software development and cloud-based infrastructure to keep up with its growing user load.
So, while both ClassicBank and DigitalBank operate in the same industry, their business models and their growth strategies are completely different. ClassicBank focuses on attracting a few high-value customers and growing through capital investments, while DigitalBank expands by offering diverse digital products and targeting a large base of individual consumers.
Translating Growth Strategy to CTI Priorities
We’ll now dive deeper into the cyber security priorities (and by extension the CTI priorities) of these two fictional banks. But first, let’s quickly compare their key characteristics side by side.
Now that we've compared the two banks, let's delve into how their growth strategies translate into cybersecurity and threat intelligence priorities.
1. ClassicBank
ClassicBank’s security priorities primarily focus on protecting the high-net-worth individual client data. This data is not only critical to maintaining the bank’s reputation but also directly impacts high-risk investment decisions. Therefore, ensuring the security of this information is a key element of the bank’s overall strategy.
The second priority is securing the due diligence data of the companies ClassicBank is evaluating for potential investments. During the investment analysis process, safeguarding the trade secrets and financial information of these companies is crucial. A breach here could seriously threaten the bank’s financial interests, making this an area of high focus in their cybersecurity efforts.
Third, managing the cyber risks associated with the bank’s direct investments is important. These investments often involve high-risk financial assets, and protecting them from cyber threats is essential. ClassicBank must have measures in place to protect its investments from external threats like cyber attacks or data breaches.
A significant portion of the attack surface comes from the bank’s IT networks, employee devices, and identity management systems. As the bank’s digital infrastructure expands alongside its physical branches, the risk of vulnerabilities in these systems grows. Network security, endpoint protection, and identity authentication are therefore central to the bank’s cybersecurity strategy.
Additionally, the risk of insider threats is a critical concern for ClassicBank. Attacks or misuse originating from within the bank, whether intentional or accidental, can pose a severe risk to its operations. Therefore, ClassicBank must implement strong security monitoring systems that can detect both internal and external threats effectively.
2. DigitalBank
DigitalBank’s primary security priority is protecting customer accounts and transactional integrity at scale. Unlike ClassicBank, the risk is not concentrated in a small number of high-value clients, but distributed across a massive user base. Account takeovers, credential stuffing, phishing campaigns, and fraud directly threaten revenue, customer trust, and growth. CTI efforts must therefore focus heavily on monitoring threat actors and techniques targeting consumer-facing financial platforms.
The second major priority is securing the bank’s digital products and APIs. DigitalBank’s growth strategy relies on rapid feature development, frequent integrations with third-party services, and constant iteration of its mobile and web applications. This significantly increases the attack surface. Vulnerabilities in APIs, mobile apps, or partner integrations can be exploited at scale, making application-layer threats and software supply chain risks a critical focus for CTI.
Third, DigitalBank must closely monitor threats related to cloud infrastructure and DevOps pipelines. As the bank scales its user base, it will increasingly depend on cloud-native architectures, CI/CD pipelines, and infrastructure-as-code. Misconfigurations, leaked credentials, and attacks targeting cloud service providers or developer tooling represent systemic risks. CTI must therefore track emerging attack patterns targeting cloud environments and developer ecosystems.
Fraud and abuse also play a central role in DigitalBank’s threat landscape. Because the bank earns revenue from consumer loans and transaction fees, fraud directly impacts profitability. Intelligence related to fraud rings, mule networks, synthetic identities, and emerging social engineering techniques is essential.
Why This Matters for CTI Planning
ClassicBank and DigitalBank operate in the same industry, face many of the same regulatory requirements, and are targeted by overlapping threat actors. Yet their CTI priorities differ radically because their growth strategies, revenue models, and attack surfaces are fundamentally different.
CTI is only effective when it is scoped to real decision-making. Threat landscapes, incident history, and control gaps are useful inputs, but they are incomplete on their own. If CTI priorities are not informed by how the business operates and plans to scale, intelligence efforts will skew reactive and gradually lose relevance.
Anchoring CTI planning to business models and growth strategies helps identify where risk is likely to concentrate next, not just where it has appeared before. This makes prioritization more defensible, resource allocation clearer, and CTI outputs easier to operationalize.
In practice, effective CTI is role-specific, business-aware, and deliberately scoped. Anything else is just reporting.