Threat intelligence sources — SY0-701
Security+ SY0-701 reference page on threat intelligence sources: what they are, how to distinguish them, and the common misconception the exam exploits.
What it is
Threat intelligence is "threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes" (NIST SP 800-150). It is built from threat information, which NIST SP 800-150 defines as "any information related to a threat that might help an organization protect itself against the threat or detect the activities of an actor."
The key distinction baked into both definitions: raw data is not yet intelligence. Intelligence is data that has been processed into context that supports a decision.
Mental model
Think of threat intelligence sources as sitting on a spectrum from widely shared and low-cost to narrowly targeted and high-cost. The further toward targeted you go, the more context the intelligence carries — but the smaller and less accessible the community that produces it.
| Source type | Who produces it | Primary audience | Cost/access |
|---|---|---|---|
| Open-source (OSINT) | Public researchers, vendors, CVE program, government feeds | Anyone | Free or low-cost |
| Closed/proprietary | Commercial threat-intel vendors | Paying subscribers | Subscription |
| ISACs / ISAOs | Sector members sharing with each other | Sector peers | Membership |
| Internal / organizational | The organization's own SOC and logs | The organization itself | Operational cost |
NIST SP 800-150 defines an ISAO (Information Sharing and Analysis Organization) as "an entity or collaboration created or employed by public- or private sector organizations, for purposes of gathering and analyzing critical cyber and related information in order to better understand security problems and interdependencies related to cyber systems."
Major types of threat information include indicators, TTPs (tactics, techniques, and procedures), security alerts, threat intelligence reports, and tool configurations (NIST SP 800-150).
TTPs themselves follow a hierarchy: a tactic is the highest-level description of adversary behavior; a technique is a more detailed description in the context of a tactic; a procedure is an even lower-level, highly detailed description in the context of a technique (NIST SP 800-150, SP 800-172r3, SP 800-61r3).
When to use it
The exam regularly tests whether candidates can match a described scenario to the correct source type. Use this table to distinguish adjacent concepts:
| Scenario | Correct source category | Why |
|---|---|---|
| Security team needs publicly known vulnerability identifiers to patch quickly | Open-source (e.g., CVE records) | Freely published, standardized identifiers |
| Healthcare sector organization wants breach data specific to its industry peers | ISAC / ISAO | Sector-specific sharing entity |
| Analyst needs high-context, curated adversary profiles with attribution | Closed/proprietary vendor feed | Enriched, actionable, subscription-based |
| SOC reviews its own firewall logs for indicators of compromise | Internal / organizational | Generated by the organization itself |
| Red team wants to understand adversary TTPs before a simulation | OSINT plus structured frameworks | Tactics, techniques, and procedures are shared openly |
Indicators of compromise (IoCs) are "technical artifacts or observables that suggest that an attack is imminent or is currently underway or that a compromise may have already occurred" (NIST SP 800-61r3, adapted from SP 800-150). IoCs are a key output that threat intelligence sources provide.
Common misconception
The trap: equating "open source" with "unreliable."
In everyday English, "open source" often implies community-maintained software of variable quality. In threat intelligence, open-source intelligence (OSINT) simply means intelligence derived from publicly available sources — it carries no inherent reliability judgment. A government-published vulnerability feed and a vendor's publicly released indicator list are both OSINT.
The inverse trap also appears: assuming that closed/proprietary intelligence is always more accurate than open-source. Proprietary sources are higher-cost and often more curated, but curation quality varies by vendor, and not every organization needs the depth they provide.
A related misconception: candidates sometimes confuse an ISAC (Information Sharing and Analysis Center, a well-established sector-specific construct) with an ISAO. NIST SP 800-150 grounds the ISAO as the broader, more flexible entity "created or employed by public- or private sector organizations" for cyber information sharing — ISAOs are not limited to a single critical-infrastructure sector.
Finally, candidates sometimes treat threat information and threat intelligence as synonyms. Per NIST SP 800-150, threat intelligence specifically requires the aggregation, transformation, analysis, interpretation, or enrichment step. Raw log data or an unprocessed indicator list is threat information, not yet intelligence.
How it shows up on the exam
The cognitive target for this concept is analysis — candidates must evaluate a described scenario and identify which source type matches the operational need.
Watch for these signal phrases in question stems:
- "sector-specific" or "industry peers sharing" → points toward ISAC/ISAO thinking
- "publicly available" or "no cost" → open-source / OSINT
- "curated," "subscription," or "commercial vendor" → closed/proprietary
- "internal logs," "organizational data," or "our own telemetry" → internal source
Candidates often confuse the source type with the artifact type. A CVE identifier is an artifact (a vulnerability record); the CVE program is an open-source source that produces it. Questions may describe either — read carefully to determine whether the stem is asking about the artifact or the source.
Questions in this domain may also probe whether candidates understand that threat intelligence requires enrichment beyond raw data — a scenario describing an analyst who "collects log data but has not analyzed it" is describing threat information, not threat intelligence, per the NIST SP 800-150 definition.
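The information-versus-intelligence distinction that the definitions above, the misconception section and this exam note all turn on can be made concrete in code. The following Python pipeline is an added example; it is not from this page, the Security+ blueprint or NIST SP 800-150. It aggregates indicator lists from the source categories in the table above, transforms firewall log lines into structured events, correlates the two, and enriches each indicator with corroborating sources, a tactic/technique/procedure triple and a decision, which is the context that turns information into intelligence. The feed names, indicators, log lines, TTP labels and the decision rule in `decide()` are all constructed assumptions of the example.

```python
"""Added example (not from the Security+ page or any NIST document): a small
pipeline that turns raw threat *information* (indicator feeds, internal logs)
into threat *intelligence* records that carry enough context to support a
decision. Feed names, indicators, TTP labels and log lines are constructed."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Source categories from the page's table (the feeds themselves are constructed).
OPEN_SOURCE, PROPRIETARY, ISAC, INTERNAL = (
    "open-source", "closed/proprietary", "ISAC/ISAO", "internal")

# Threat information: raw indicator lists, each tagged with the source that
# published it and an optional TTP triple (tactic, technique, procedure).
FEEDS = [
    {"source": "public-blocklist (constructed)", "category": OPEN_SOURCE,
     "indicators": {"203.0.113.7": None, "198.51.100.9": None}},
    {"source": "vendor-feed (constructed)", "category": PROPRIETARY,
     "indicators": {"203.0.113.7": ("command-and-control",
                                     "application-layer protocol",
                                     "HTTPS beacon every 60s")}},
    {"source": "sector-isac (constructed)", "category": ISAC,
     "indicators": {"203.0.113.7": None,
                    "192.0.2.44": ("initial access", "phishing",
                                   "invoice-themed lure")}},
]

# Threat information: raw internal firewall log lines (constructed, syslog-like).
FIREWALL_LOGS = """\
2024-05-01T10:00:01Z fw01 DENY src=10.0.0.5 dst=203.0.113.7 dport=443
2024-05-01T10:01:01Z fw01 DENY src=10.0.0.5 dst=203.0.113.7 dport=443
2024-05-01T10:02:15Z fw01 ALLOW src=10.0.0.8 dst=192.0.2.44 dport=25
2024-05-01T10:03:00Z fw01 ALLOW src=10.0.0.9 dst=198.51.100.200 dport=53
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) "
                    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


@dataclass
class IntelRecord:
    """An enriched indicator: the context that makes information into intelligence."""
    indicator: str
    sources: set = field(default_factory=set)      # who reported it (corroboration)
    categories: set = field(default_factory=set)   # source types from the page's table
    ttp: Optional[tuple] = None                    # (tactic, technique, procedure)
    sightings: int = 0                             # matches in our own telemetry
    first_seen: Optional[str] = None
    last_seen: Optional[str] = None
    decision: str = "no action"


def aggregate_feeds(feeds):
    """Aggregation: merge per-feed indicator lists into one record per indicator."""
    records = {}
    for feed in feeds:
        for value, ttp in feed["indicators"].items():
            rec = records.setdefault(value, IntelRecord(indicator=value))
            rec.sources.add(feed["source"])
            rec.categories.add(feed["category"])
            if ttp and rec.ttp is None:  # keep the first TTP context a source supplies
                rec.ttp = ttp
    return records


def parse_logs(text):
    """Transformation: turn raw log lines into structured events; skip unparsable lines."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def correlate(records, events):
    """Analysis: match internal events against the aggregated indicators."""
    for ev in events:
        rec = records.get(ev["dst"])
        if rec is None:
            continue
        rec.sightings += 1
        rec.sources.add("internal firewall telemetry")
        rec.categories.add(INTERNAL)
        rec.first_seen = rec.first_seen or ev["ts"]
        rec.last_seen = ev["ts"]
    return records


def decide(records):
    """Enrichment with a decision. This rule is the example's assumption, not a NIST rule."""
    for rec in records.values():
        external = rec.categories - {INTERNAL}
        if rec.sightings and len(external) >= 2:
            rec.decision = "block and open incident"  # corroborated and seen internally
        elif rec.sightings:
            rec.decision = "monitor and hunt"         # single external source, seen internally
        elif len(external) >= 2:
            rec.decision = "add to watchlist"         # corroborated, no local sightings
    return records


def build_intelligence(feeds=FEEDS, logs=FIREWALL_LOGS):
    """Run the whole pipeline; returns intelligence records keyed by indicator."""
    return decide(correlate(aggregate_feeds(feeds), parse_logs(logs)))


if __name__ == "__main__":
    ranked = sorted(build_intelligence().values(),
                    key=lambda r: (-r.sightings, -len(r.sources), r.indicator))
    for rec in ranked:
        print(f"{rec.indicator:16} {rec.decision:24} sightings={rec.sightings} "
              f"sources={sorted(rec.sources)} ttp={rec.ttp}")
```

Each stage maps onto a verb in the NIST definition: `aggregate_feeds` aggregates, `parse_logs` transforms, `correlate` analyzes, and `decide` enriches with a decision. The input feeds and logs on their own are threat information; only the records that come out of `build_intelligence`, carrying corroboration, local sightings, a TTP triple and a recommended action, meet the definition of threat intelligence.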
Related concepts
- Vulnerability Scanning — a technique for discovering the weaknesses that threat intelligence helps prioritize
- Penetration Testing — uses TTPs (a key threat intelligence artifact type) to simulate adversary behavior
- Bug Bounty & Vulnerability Disclosure — a structured channel through which vulnerability information enters public threat intelligence feeds
Sources
Every claim on this page traces to the public exam blueprint and official documentation: