Intelligence is the lifeblood of cyber defense, as it directly feeds into every other function. From providing IOCs that can be used to develop use cases within the Detect function, providing guidance to build Hunt activities, or developing adversary emulation to test security controls within the Validation function, intelligence is critical to every element of the cyber defense ecosystem. Being intelligence-led means aligning organizational defenses to meet the threats that are most likely to impact an organization. It assists with resource allocation and prioritization for the cyber defense organization aligned to the most likely avenues of compromise.

An impactful Intelligence function produces and disseminates actionable intelligence into the hands of the appropriate audience, in a format and language they can understand and use to make decisions. A best practice within the intelligence community is to use an intelligence lifecycle to guide development, production, and consumption of intelligence throughout an organization. The intelligence lifecycle standardizes operating practices to encourage consistent, measurable responses aligned to the threats an organization faces. This allows resources to prioritize actions to identify and handle the most impactful threats to an organization.