What Is Threat-Informed Defence?
Threat-Informed Defence (TID) is the systematic application of an understanding of adversary tactics, techniques, and procedures (TTPs) that are relevant to your organisation. It uses real-world cyber threat intelligence (CTI) to guide decisions around prevention, detection, and response, ensuring security efforts are focused on the threats most likely to impact the business.
Unlike traditional security approaches that often prioritise compliance requirements or generic best practices, Threat-Informed Defence starts with understanding the specific threats facing an organisation and continuously adapting defences to address them.
A critical aspect of TID is validation. Security controls must be regularly tested through activities such as purple team exercises, simulations, and adversary emulation to assess their effectiveness. The findings from these exercises drive remediation efforts and security improvements. As the threat landscape evolves, new adversaries and attack techniques emerge, requiring organisations to continuously update their intelligence and defensive strategies.
Threat-Informed Defence is not a one-time project—it is an ongoing cycle of intelligence, implementation, testing, and improvement.
Why Relevance Matters More Than Volume
Many cybersecurity vendors promote their access to vast amounts of global threat intelligence. While global intelligence has value, organisations often make the mistake of focusing on distant threats that have little relevance to their specific environment.
Effective Threat-Informed Defence prioritises threats based on factors such as:
- Industry sector
- Geographic location
- Technology stack
- Historical incidents
- Known adversary targeting patterns
If your organisation is concentrating on low-probability global threats while ignoring more relevant local risks, security resources may be directed toward the wrong priorities.
The Three Core Components of Threat-Informed Defence
Threat-Informed Defence can be broken down into three key components:
- Cyber Threat Intelligence (CTI)
- Security Control Implementation
- Control Effectiveness Validation
Together, these components create a continuous improvement cycle that strengthens an organisation’s security posture over time.
Identifying Relevant Threats
The foundation of any Threat-Informed Defence program is understanding which threats are most likely to impact the organisation.
This requires gathering and analysing cyber threat intelligence to understand:
- Adversary objectives
- Attack methods and TTPs
- Targeted industries
- Geographic focus
- Technical capabilities
Predicting future threats begins with analysing past incidents and understanding which threat actors actively target organisations similar to your own.
High-quality CTI goes beyond simply listing TTPs. It provides context that helps determine why a threat is relevant and how it could affect the business. This contextual understanding forms the basis of an organisation’s threat landscape.
Aligning TID with Business Risk
Not every threat presents the same level of risk to every organisation.
An effective Threat-Informed Defence strategy must be aligned with business priorities and focus on the threats most relevant to the organisation’s:
- Industry
- Geography
- Technology environment
- Critical assets
- Business operations
For example, if a ransomware group such as Qilin is actively targeting organisations across Australasia, its TTPs may warrant a higher priority than threats that predominantly affect organisations in other regions.
Threat priorities can also vary significantly between organisations. A common mistake is assuming that risks identified in one organisation automatically apply to another.
For example, phishing may be the dominant threat in one environment, making it a major focus area. However, after assessing another organisation’s threat landscape, supply chain compromise may emerge as the more significant risk. Effective TID requires validating assumptions and regularly reassessing priorities.
Mapping Detections to a Framework
Frameworks such as MITRE ATT&CK provide a structured approach to identifying, prioritising, and detecting adversary behaviours.
Aligning detection use cases to MITRE ATT&CK helps organisations:
- Standardise detection practices
- Focus on real-world adversary behaviour
- Improve communication across teams
- Measure coverage against known threats
A Threat-Informed Defence program should maintain a prioritised list of relevant MITRE ATT&CK TTPs. These TTPs should guide the development of:
- SIEM detection rules
- EDR detection capabilities
- Preventive security controls
- Threat hunting activities
Before pursuing niche or emerging detection use cases, organisations should first ensure adequate coverage of their highest-priority TTPs.
It is easy to be distracted by the latest cyber incident reported in the news and immediately begin creating new detections. However, every new initiative consumes finite resources. The critical question is:
What high-priority threats are being neglected while attention is focused elsewhere?
Assembling the Right People, Processes, and Technology
Successful Threat-Informed Defence requires more than technology alone.
Organisations should be able to clearly demonstrate:
- Why a threat actor or TTP is relevant
- How threats are prioritised
- Which controls address each threat
- How control effectiveness is validated
Maintaining discipline is essential. Teams must avoid constantly shifting focus to the latest cyber headline and instead remain committed to addressing the threats identified in their documented TID strategy.
Regular reviews ensure the threat landscape remains accurate and relevant as business operations and adversary activity evolve.
Continuously Optimising Security
Security optimisation does not need to be complex.
A practical approach includes:
1. Justify Every Threat
Ensure there is evidence supporting the inclusion of a threat or TTP in the TID list.
Consider factors such as:
- Geographic relevance
- Industry targeting
- Historical incidents
- Technology similarities
- Threat actor activity
The more criteria a threat satisfies, the higher its priority should be.
2. Implement Security Controls
Deploy preventive and detective controls that specifically address the prioritised threats identified through CTI.
3. Validate Through Purple Teaming
Conduct structured purple team exercises to test whether controls effectively detect and prevent the identified TTPs.
Expensive tooling is not required. A disciplined and repeatable testing process often provides greater value than sophisticated technology.
4. Remediate and Improve
Use purple team findings to identify gaps and strengthen controls.
This creates a continuous feedback loop that improves security effectiveness over time.
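As an added illustration of step 1 (not code from the article): a small Python routine that scores each candidate threat by the justification criteria it satisfies and turns the result into a prioritised TTP list. The criterion weights, actor names and CTI records are assumptions constructed for this example; the technique IDs are real ATT&CK IDs.

```python
from dataclasses import dataclass

# Justification criteria named in the article. The weights are an assumption made
# for this example; the article only says that more criteria mean higher priority.
CRITERIA = {
    "geographic": 2,      # actor targets our region
    "industry": 2,        # actor targets our sector
    "historical": 3,      # we have seen this actor or technique before
    "technology": 1,      # actor abuses technology we actually run
    "actor_activity": 2,  # actor is currently active
}

@dataclass
class ThreatReport:
    """One CTI record: an actor, the ATT&CK techniques it uses, and the evidence of relevance."""
    actor: str
    techniques: list[str]  # ATT&CK technique IDs observed in the report
    evidence: set[str]     # subset of CRITERIA keys this report satisfies

def justification_score(report: ThreatReport) -> int:
    """Sum the weights of every criterion the report satisfies; reject unknown criteria."""
    unknown = report.evidence - set(CRITERIA)
    if unknown:
        raise ValueError(f"unknown criteria: {sorted(unknown)}")
    return sum(CRITERIA[c] for c in report.evidence)

def prioritise_ttps(reports: list[ThreatReport]) -> list[tuple[str, int, list[str]]]:
    """Build the prioritised TID list as (technique, total score, contributing actors), highest first."""
    table: dict[str, dict] = {}
    for report in reports:
        score = justification_score(report)
        if score == 0:
            continue  # no evidence means no justification: the report contributes nothing
        for technique in report.techniques:
            entry = table.setdefault(technique, {"score": 0, "actors": []})
            entry["score"] += score
            entry["actors"].append(report.actor)
    ranked = [(t, v["score"], sorted(v["actors"])) for t, v in table.items()]
    # Highest score first; tie-break on technique ID so the ordering is repeatable.
    return sorted(ranked, key=lambda row: (-row[1], row[0]))

# Constructed sample CTI: actor names are placeholders, technique IDs are real ATT&CK IDs.
SAMPLE_REPORTS = [
    ThreatReport("ransomware-actor-A", ["T1566", "T1486"], {"geographic", "industry", "actor_activity"}),
    ThreatReport("supply-chain-actor-B", ["T1195", "T1078"], {"historical", "technology"}),
    ThreatReport("headline-actor-C", ["T1566", "T1059"], set()),  # in the news, but no local evidence
]
```

Note that the headline actor with no local evidence drops out entirely, so T1059 never reaches the list even though it appeared in a report.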
Steps to Implement Threat-Informed Defence
Establish Foundational Security Controls
Before adopting advanced threat-informed practices, ensure basic security fundamentals are in place, including:
- Asset management
- Vulnerability management
- Patch management
- Identity and access management
- Security monitoring
Strong cyber hygiene remains the foundation of effective security.
Develop Cyber Threat Intelligence Capabilities
Establish processes for gathering, analysing, and operationalising CTI.
Threat intelligence should directly influence security priorities and operational decision-making.
Move from Reactive to Proactive Security
Use frameworks such as MITRE ATT&CK to identify priority threats and proactively test defences against them.
Continuous validation helps organisations stay ahead of evolving adversaries.
Foster a Threat-Informed Culture
Threat-informed thinking should extend beyond the security team.
Staff should understand:
- The importance of CTI
- Why threats are prioritised
- How their actions contribute to organisational resilience
A strong security culture supports long-term success.
Measuring Success in Threat-Informed Defence
Traditional compliance metrics often fail to measure real security effectiveness.
Threat-Informed Defence requires metrics that demonstrate how well security controls address actual threats.
Key metrics include:
Coverage of Priority TTPs
What percentage of high-priority TTPs have effective preventive or detective controls?
Detection Effectiveness
Measure:
- True positives
- False positives
- Mean Time to Detect (MTTD)
CTI Review Frequency
How often is threat intelligence reviewed, updated, and incorporated into defensive planning? Ideally this happens at least once a quarter, and at worst twice a year.

Purple Team Findings Resolved
Measure the percentage of identified gaps that have been remediated following testing exercises.
These metrics provide meaningful insight into security maturity and help demonstrate value to leadership.
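As an added example of computing the metrics above (not code from the article): a Python module that reads a small TID register and purple-team findings and reports priority-TTP coverage, detection effectiveness and the share of findings resolved. The register rows, control names and findings are constructed for this example; only the technique IDs are real ATT&CK IDs. Coverage is reported both as "mapped" and "validated" so that controls which exist on paper but were never tested stand out.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass
class TtpRecord:
    technique: str
    priority: str           # "high", "medium" or "low"
    controls: list[str]     # preventive/detective controls mapped to this TTP
    validated: bool         # True once a purple-team exercise showed the controls work

@dataclass
class PurpleFinding:
    technique: str
    gap: str
    remediated: bool

def coverage_of_priority_ttps(register: list[TtpRecord], priority: str = "high") -> dict[str, float]:
    """Percent of TTPs at this priority with (a) any control mapped and (b) validated controls.
    Reporting both exposes controls that exist on paper but were never tested."""
    rows = [r for r in register if r.priority == priority]
    if not rows:
        return {"mapped": 0.0, "validated": 0.0}
    mapped = sum(1 for r in rows if r.controls)
    validated = sum(1 for r in rows if r.controls and r.validated)
    return {"mapped": round(100 * mapped / len(rows), 1), "validated": round(100 * validated / len(rows), 1)}

def detection_effectiveness(true_positives: int, false_positives: int, detect_minutes: list[float]) -> dict:
    """Alert precision (TP / (TP + FP)) and Mean Time to Detect across the confirmed detections."""
    alerts = true_positives + false_positives
    precision = true_positives / alerts if alerts else 0.0
    return {"precision": round(precision, 2), "mttd_minutes": mean(detect_minutes) if detect_minutes else None}

def findings_resolved(findings: list[PurpleFinding]) -> float:
    """Percent of purple-team gaps remediated (100 when the exercise found no gaps)."""
    if not findings:
        return 100.0
    return round(100 * sum(1 for f in findings if f.remediated) / len(findings), 1)

# Constructed sample data: technique IDs are real ATT&CK IDs, everything else is illustrative.
SAMPLE_REGISTER = [
    TtpRecord("T1566", "high", ["mail gateway filtering", "SIEM phishing rule"], validated=True),
    TtpRecord("T1486", "high", ["EDR ransomware behaviour rule"], validated=False),  # mapped, untested
    TtpRecord("T1195", "high", [], validated=False),                                # no control yet
    TtpRecord("T1078", "medium", ["MFA on all remote access"], validated=True),
]
SAMPLE_FINDINGS = [
    PurpleFinding("T1486", "EDR rule did not fire on mass file rename", remediated=True),
    PurpleFinding("T1195", "No control over third-party update channel", remediated=False),
    PurpleFinding("T1566", "Attachment sandbox timed out silently", remediated=True),
]
```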
Conclusion
Threat-Informed Defence is more than a cybersecurity methodology—it is a mindset.
Rather than relying on assumptions, compliance checklists, or vendor presentations, TID enables organisations to focus on the adversaries and attack techniques that are genuinely relevant to their environment.
By identifying likely threats, prioritising relevant TTPs, aligning controls to business risk, and continuously validating defensive effectiveness, organisations can maximise the value of their security investments and make better use of limited resources.
While implementing Threat-Informed Defence requires commitment and discipline, the outcome is clear: a security posture that is measurable, adaptive, and aligned to the threats that matter most.