Managing Intelligence Lifecycle

When to Use

Use this skill when:

Establishing a formal CTI program and defining its operational model
Conducting quarterly intelligence requirements reviews with business stakeholders
Evaluating CTI program maturity against established frameworks (FIRST CTI-SIG maturity model)

Do not use this skill for day-to-day IOC triage or incident-specific intelligence tasks — those use operational intelligence workflows, not lifecycle management.

Prerequisites

Executive sponsorship and defined CTI team structure (1+ dedicated analysts)
Stakeholder map identifying intelligence consumers (SOC, IR, executive team, vulnerability management)
Existing feed subscriptions or ISAC memberships for collection baseline
CTI platform (MISP, ThreatConnect, OpenCTI) for lifecycle management

Workflow

Step 1: Planning and Direction

Define Priority Intelligence Requirements (PIRs) with stakeholders:

Interview SOC leads, IR team, CISO, risk management, and product security
Document PIRs in structured format: "What is the current capability and intent of [threat actor] to attack [critical asset] using [technique]?"
Prioritize 5–10 PIRs for the quarter, reviewed monthly

Example PIR: "Is ransomware group Cl0p currently targeting organizations in our sector using MoveIT or GoAnywhere vulnerabilities?"

Step 2: Collection Planning

Map PIRs to required collection sources:

Technical sources: commercial feeds, TAXII, ISAC data, honeypot telemetry, darkweb monitoring
Human sources: vendor threat briefings, industry working groups, law enforcement partnerships
Internal sources: SIEM logs, EDR telemetry, phishing submission mailbox

Document collection gaps and associated costs to fill them.

Step 3: Processing and Normalization

Implement automated processing pipeline:

Ingest → normalize to STIX 2.1 → deduplicate → enrich → score confidence
Reject unverifiable or duplicate indicators before analysis
Tag all processed data with source, collection date, and expiration

Step 4: Analysis and Production

Produce intelligence at three levels:

Strategic: Quarterly threat landscape report for executives; sector trends, geopolitical context
Operational: Weekly campaign reports for security leadership; active campaigns, adversary activity
Tactical: Daily IOC bulletins for SOC; actionable indicators with block/monitor recommendations

Apply structured analytic techniques: Analysis of Competing Hypotheses (ACH), Key Assumptions Check, Devil's Advocacy.

Step 5: Dissemination

Match product format to audience:

Executives: 1-page PDF with risk ratings, business impact, recommended decisions
SOC analysts: SIEM-ready IOC list, Sigma rules, MISP events
Vulnerability management: CVE lists with EPSS scores and exploitation likelihood
IT/Security leadership: Full intelligence report with technical appendix

Apply TLP classifications and distribution lists per product type.

Step 6: Feedback and Evaluation

Collect feedback within 5 business days of dissemination:

Did the product address the PIR?
Was actionability sufficient?
What data was missing?

Track metrics quarterly: PIR coverage rate, IOC true positive rate, time-to-disseminate, stakeholder satisfaction score (NPS or structured survey).

Key Concepts

Term	Definition
PIR	Priority Intelligence Requirement — specific, actionable question driving intelligence collection and analysis
Intelligence Lifecycle	Six-phase iterative process: Planning → Collection → Processing → Analysis → Dissemination → Feedback
Strategic Intelligence	Long-term threat trend analysis for executive decision-making; time horizon 6–24 months
Operational Intelligence	Campaign-level analysis for security program decisions; time horizon 1–6 months
Tactical Intelligence	Specific IOCs and TTPs for immediate detection and blocking; time horizon hours to days
FIRST CTI-SIG	Forum of Incident Response and Security Teams — CTI Special Interest Group maturity model

Tools & Systems

ThreatConnect: TIP with built-in intelligence lifecycle workflows, PIR tracking, and stakeholder reporting dashboards
MISP: Open-source TIP supporting intelligence lifecycle from collection through sharing
OpenCTI: Graph-based CTI platform with workflow management for intelligence products
Recorded Future: Commercial platform with structured intelligence reports aligned to the intelligence lifecycle

Common Pitfalls

Collection without direction: Ingesting every available feed without PIRs produces data overload and no actionable intelligence.
Missing feedback loops: Without structured feedback, CTI teams produce reports that don't meet stakeholder needs and lose organizational relevance.
Tactical-only focus: Overemphasis on IOC sharing neglects strategic intelligence that informs security investment and risk decisions.
No metrics program: Cannot demonstrate CTI program value without tracking detection contributions, true positive rates, and stakeholder satisfaction.
Underfunded collection: PIRs cannot be answered without appropriate collection sources; document and escalate gaps rather than producing low-confidence estimates.

Verification Criteria

Confirm successful execution by validating:

[ ] All prerequisite tools and access requirements are satisfied
[ ] Each workflow step completed without errors
[ ] Output matches expected format and contains expected data
[ ] No security warnings or misconfigurations detected
[ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

SOC 2: CC7.1 (Monitoring), CC7.2 (Anomaly Detection)
ISO 27001: A.6.1 (Threat Intelligence), A.16.1 (Security Incident Management)
NIST 800-53: PM-16 (Threat Awareness), RA-3 (Risk Assessment), SI-5 (Security Alerts)
NIST CSF: ID.RA (Risk Assessment), DE.AE (Anomalies & Events)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

# Install via CLI
npx claw-grc skills add managing-intelligence-lifecycle

# Or load dynamically via MCP
grc.load_skill("managing-intelligence-lifecycle")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

SHA-256 chain hashing ensures no step can be modified after execution
Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Managing Intelligence Lifecycle

When to Use

Use this skill when:

Establishing a formal CTI program and defining its operational model
Conducting quarterly intelligence requirements reviews with business stakeholders
Evaluating CTI program maturity against established frameworks (FIRST CTI-SIG maturity model)

Do not use this skill for day-to-day IOC triage or incident-specific intelligence tasks — those use operational intelligence workflows, not lifecycle management.

Prerequisites

Executive sponsorship and defined CTI team structure (1+ dedicated analysts)
Stakeholder map identifying intelligence consumers (SOC, IR, executive team, vulnerability management)
Existing feed subscriptions or ISAC memberships for collection baseline
CTI platform (MISP, ThreatConnect, OpenCTI) for lifecycle management

Workflow

Step 1: Planning and Direction

Define Priority Intelligence Requirements (PIRs) with stakeholders:

Interview SOC leads, IR team, CISO, risk management, and product security
Document PIRs in structured format: "What is the current capability and intent of [threat actor] to attack [critical asset] using [technique]?"
Prioritize 5–10 PIRs for the quarter, reviewed monthly

Example PIR: "Is ransomware group Cl0p currently targeting organizations in our sector using MoveIT or GoAnywhere vulnerabilities?"

Step 2: Collection Planning

Map PIRs to required collection sources:

Technical sources: commercial feeds, TAXII, ISAC data, honeypot telemetry, darkweb monitoring
Human sources: vendor threat briefings, industry working groups, law enforcement partnerships
Internal sources: SIEM logs, EDR telemetry, phishing submission mailbox

Document collection gaps and associated costs to fill them.

Step 3: Processing and Normalization

Implement automated processing pipeline:

Ingest → normalize to STIX 2.1 → deduplicate → enrich → score confidence
Reject unverifiable or duplicate indicators before analysis
Tag all processed data with source, collection date, and expiration

Step 4: Analysis and Production

Produce intelligence at three levels:

Strategic: Quarterly threat landscape report for executives; sector trends, geopolitical context
Operational: Weekly campaign reports for security leadership; active campaigns, adversary activity
Tactical: Daily IOC bulletins for SOC; actionable indicators with block/monitor recommendations

Apply structured analytic techniques: Analysis of Competing Hypotheses (ACH), Key Assumptions Check, Devil's Advocacy.

Step 5: Dissemination

Match product format to audience:

Executives: 1-page PDF with risk ratings, business impact, recommended decisions
SOC analysts: SIEM-ready IOC list, Sigma rules, MISP events
Vulnerability management: CVE lists with EPSS scores and exploitation likelihood
IT/Security leadership: Full intelligence report with technical appendix

Apply TLP classifications and distribution lists per product type.

Step 6: Feedback and Evaluation

Collect feedback within 5 business days of dissemination:

Did the product address the PIR?
Was actionability sufficient?
What data was missing?

Track metrics quarterly: PIR coverage rate, IOC true positive rate, time-to-disseminate, stakeholder satisfaction score (NPS or structured survey).

Key Concepts

Term	Definition
PIR	Priority Intelligence Requirement — specific, actionable question driving intelligence collection and analysis
Intelligence Lifecycle	Six-phase iterative process: Planning → Collection → Processing → Analysis → Dissemination → Feedback
Strategic Intelligence	Long-term threat trend analysis for executive decision-making; time horizon 6–24 months
Operational Intelligence	Campaign-level analysis for security program decisions; time horizon 1–6 months
Tactical Intelligence	Specific IOCs and TTPs for immediate detection and blocking; time horizon hours to days
FIRST CTI-SIG	Forum of Incident Response and Security Teams — CTI Special Interest Group maturity model

Tools & Systems

ThreatConnect: TIP with built-in intelligence lifecycle workflows, PIR tracking, and stakeholder reporting dashboards
MISP: Open-source TIP supporting intelligence lifecycle from collection through sharing
OpenCTI: Graph-based CTI platform with workflow management for intelligence products
Recorded Future: Commercial platform with structured intelligence reports aligned to the intelligence lifecycle

Common Pitfalls

Collection without direction: Ingesting every available feed without PIRs produces data overload and no actionable intelligence.
Missing feedback loops: Without structured feedback, CTI teams produce reports that don't meet stakeholder needs and lose organizational relevance.
Tactical-only focus: Overemphasis on IOC sharing neglects strategic intelligence that informs security investment and risk decisions.
No metrics program: Cannot demonstrate CTI program value without tracking detection contributions, true positive rates, and stakeholder satisfaction.
Underfunded collection: PIRs cannot be answered without appropriate collection sources; document and escalate gaps rather than producing low-confidence estimates.

Verification Criteria

Confirm successful execution by validating:

[ ] All prerequisite tools and access requirements are satisfied
[ ] Each workflow step completed without errors
[ ] Output matches expected format and contains expected data
[ ] No security warnings or misconfigurations detected
[ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

SOC 2: CC7.1 (Monitoring), CC7.2 (Anomaly Detection)
ISO 27001: A.6.1 (Threat Intelligence), A.16.1 (Security Incident Management)
NIST 800-53: PM-16 (Threat Awareness), RA-3 (Risk Assessment), SI-5 (Security Alerts)
NIST CSF: ID.RA (Risk Assessment), DE.AE (Anomalies & Events)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

# Install via CLI
npx claw-grc skills add managing-intelligence-lifecycle

# Or load dynamically via MCP
grc.load_skill("managing-intelligence-lifecycle")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

SHA-256 chain hashing ensures no step can be modified after execution
Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Prerequisites

Managing Intelligence Lifecycle

When to Use

Prerequisites

Workflow

Step 1: Planning and Direction

Step 2: Collection Planning

Step 3: Processing and Normalization

Step 4: Analysis and Production

Step 5: Dissemination

Step 6: Feedback and Evaluation

Key Concepts

Tools & Systems

Common Pitfalls

Verification Criteria

Compliance Framework Mapping

Deploying This Skill with Claw GRC

Agent Execution

Audit Trail Integration

Continuous Compliance

Use with Claw GRC Agents

Tags

Related Skills

Generating Threat Intelligence Reports

Processing STIX Taxii Feeds

Analyzing Cyber Kill Chain

Analyzing Indicators of Compromise

Analyzing Threat Intelligence Feeds

Automating IOC Enrichment

Prerequisites

Managing Intelligence Lifecycle

When to Use

Prerequisites

Workflow

Step 1: Planning and Direction

Step 2: Collection Planning

Step 3: Processing and Normalization

Step 4: Analysis and Production

Step 5: Dissemination

Step 6: Feedback and Evaluation

Key Concepts

Tools & Systems

Common Pitfalls

Verification Criteria

Compliance Framework Mapping

Deploying This Skill with Claw GRC

Agent Execution

Audit Trail Integration

Continuous Compliance

Use with Claw GRC Agents

Tags

Related Skills

Generating Threat Intelligence Reports

Processing STIX Taxii Feeds

Analyzing Cyber Kill Chain

Analyzing Indicators of Compromise

Analyzing Threat Intelligence Feeds

Automating IOC Enrichment