An intelligence-driven SOC prioritizes threats based on defined intelligence requirements tied to real business decisions. Most SOCs remain reactive because they collect massive volumes of data without planning and direction: the phase of the intelligence cycle that aligns collection and analysis to organizational priorities. Without this foundation, SOCs drown in alerts while adversaries move faster.

Most security operations centers (SOCs) have made massive investments in collection of internal and external content, including threat feeds, endpoint detection, network sensors, and SIEM platforms that ingest logs from every corner of the enterprise. A suite of impressive tools with beautiful dashboards. And yet, the SANS 2025 SOC Survey found that 85 percent of SOCs still trigger incident response primarily from endpoint alerts rather than proactive detection. Despite all of that collection capability, SOC operations remain fundamentally reactive.

This is because most security organizations — even those with impressive brands and large budgets — are running a decapitated version of the intelligence cycle. They've invested heavily in collection, processing, analysis, and dissemination, but they ignored the phase that makes everyone work proactively: planning and direction. The result is an operation that's collection-rich but intelligence-poor, drowning in data while starving for actionable insight.

What is an intelligence-driven SOC?

An intelligence-driven SOC is a security operations center that prioritizes collection, analysis, and response based on defined intelligence requirements tied to business decisions. Instead of reacting to alerts, it focuses proactively on the threats, assets, and adversaries that pose the greatest risk to the organization.

The phase nobody talks about enough

Anyone who has spent time in the intelligence community knows that planning and direction is the key to successful intelligence operations. This is the phase where you define who you serve (stakeholders), what they need to know, why they need to know it, and what decisions will be informed by intelligence. It's where intelligence requirements are established, collection plans are created, and resources are allocated against the questions that matter most to the stakeholders.

In military and government intelligence, skipping this phase would be unthinkable. You don't task collection platforms without agreed-upon requirements or allocate analysts' time without documented objectives. Every sensor, source, and hour of analysis ties back to a defined intelligence need that supports a specific decision or operation.

Yet in commercial and even government cybersecurity, organizations routinely skip planning and direction entirely. They subscribe to threat feeds based on vendor sales pitches, deploy sensors because that’s what’s on the architecture diagram, and collect logs because compliance requires retention. But ask most people in security operations what decisions they are supposed to inform and you will get inconsistent answers…if you get answers at all.

Collection without direction is just hoarding

The 2025 ISC2 Cybersecurity Workforce Study found that 48 percent of security professionals feel exhausted trying to stay current on threats and emerging technologies, with 47 percent reporting they feel overwhelmed by their workload. This isn't surprising. When a SOC doesn’t have defined intelligence requirements, everything becomes important…and there is too much “everything” for people to consume, analyze, and act upon.

Every threat feed demands attention. Every alert requires investigation. Every emerging vulnerability needs assessment. If analysts have no framework for prioritization (because leadership never defined and prioritized what matters to the organization), there is no way to push back on whatever leadership is concerned with that day. The loudest, newest, or most alarming threats — what we used to call "shiny objects" in the intelligence community — are the things most likely to become newsworthy…and that means they are the things most likely to become the CISO's new #1 priority.

While SOCs are overwhelmed and overworked, slowed down by the need to chase everything, threat actors are getting faster. CrowdStrike’s 2025 Global Threat Report noted that the average eCrime breakout time dropped to 48 minutes, with the fastest recorded at just 51 seconds. When adversaries move that fast, time wasted on collection and analysis that doesn't directly support an organization’s priorities will result in worse security outcomes. Yet, many organizations continue to collect everything, prioritize nothing, and wonder why sophisticated threats slip through while their teams are drowning in noise.

Working backwards from decisions

The fix isn't more tools or bigger teams. The solution is to build the foundation upon which every successful intelligence organization must stand.

Doing the work to define stakeholders and priorities is the only way to empower an intelligence team to stay focused on what matters most to the organization, even if that means telling an executive — including the CISO — that their request for information does not meet the organizational threshold.

To ensure universal understanding and acceptance of organizational priorities, the Intelligence Community builds requirements by starting with decisions and working backwards:

  • What decisions does leadership need to make?
  • What intelligence is likely to inform those decisions?
  • What collection is likely to produce that intelligence?

Without first answering these questions (among others), it’s pointless to attempt to determine the proper tools, accesses, and resources for an intelligence team. Despite that, most security organizations focus primarily on tools and platforms, hoping they'll find something useful in all of the data they collect.

Intelligence-driven SOC framework

To reverse that trend, here is a practical framework any security team can apply to begin the journey towards being an intelligence-driven organization, even without leadership’s buy-in for a formal intelligence program.

1. Start with your organization's actual decisions

Not theoretical decisions or decisions you wish leadership would make. Focus on the current decisions that drive resource allocation, risk acceptance, and operational priorities. These might include which vulnerabilities to patch first, where to focus detection engineering efforts, whether a specific threat actor is likely targeting your sector, or how to allocate limited incident response capacity.

2. Define the intelligence that would inform each decision

For each decision, ask, “What would I need to know to make this decision well?” For example, if the decision is about patch prioritization, intelligence on which vulnerabilities are being actively exploited in the wild, which threat actors target your industry, and which of your assets are most critical to business operations would all be very important to know. This is the beginning of your intelligence requirements.

3. Determine what collection would produce that intelligence

Now (and only now) is the time to think about collection. What sources would give you visibility into active exploitation? What would they tell you about threat actor targeting? This is where threat feeds, dark web monitoring, industry sharing groups, and internal telemetry have the most value. All collection efforts should be in support of defined organizational requirements.

4. Evaluate current collection against actual requirements

When most organizations do this, they soon discover a significant mismatch: they are collecting enormous volumes of data that don't map to any requirement, while the intelligence the organization actually needs is plagued by gaps in collection coverage. This is the moment of clarity that enables real prioritization.
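As an added illustration (not from the original post), the four steps expressed as a small requirements-to-collection traceability check: requirements are tied to decisions and priorities, each source is tagged with the requirements it serves, and the step-4 mismatch falls out as orphaned collection and uncovered requirements. Every decision, requirement and source below is a constructed sample value.

```python
"""Requirements-to-collection coverage check (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    rid: str
    question: str
    decision: str   # the business decision this requirement informs (step 1)
    priority: int   # 1 = highest; set by leadership, not by the SOC


@dataclass(frozen=True)
class Source:
    name: str
    serves: frozenset  # requirement ids this collection is tasked against (step 3)


# Steps 1 and 2: decisions and the intelligence that would inform them (constructed).
REQUIREMENTS = [
    Requirement("IR-1", "Which of our exposed CVEs are exploited in the wild?", "patch prioritization", 1),
    Requirement("IR-2", "Which actors target our sector, and with what TTPs?", "detection engineering focus", 2),
    Requirement("IR-3", "Which business-critical assets are internet-reachable?", "patch prioritization", 1),
]

# Steps 3 and 4: current collection, tagged with the requirements it really serves (constructed).
SOURCES = [
    Source("exploited-vulnerability feed", frozenset({"IR-1"})),
    Source("sector ISAC sharing group", frozenset({"IR-2"})),
    Source("generic IOC feed (vendor bundle)", frozenset()),  # bought from a sales pitch
    Source("full DNS log retention", frozenset()),            # kept for compliance only
]


def coverage_report(requirements, sources):
    """Step 4: orphaned collection (hoarding) and uncovered requirements (gaps), gaps ordered by priority."""
    covered = set().union(*(s.serves for s in sources))
    orphaned = [s.name for s in sources if not s.serves]
    gaps = sorted((r for r in requirements if r.rid not in covered), key=lambda r: r.priority)
    return {
        "orphaned_sources": orphaned,
        "uncovered_requirements": [r.rid for r in gaps],
        "first_gap_to_close": f"{gaps[0].rid} ({gaps[0].decision})" if gaps else None,
        "orphan_ratio": len(orphaned) / len(sources) if sources else 0.0,
    }


if __name__ == "__main__":
    for key, value in coverage_report(REQUIREMENTS, SOURCES).items():
        print(f"{key}: {value}")
```

With the sample data, half of the collection maps to no requirement while a priority-1 requirement has no source at all; that ordering, not the feed vendor's roadmap, is what decides what to fix first.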

The prioritization problem

One of the hardest parts of planning and direction is prioritization. In a world of infinite threats and finite resources, you cannot collect against everything. Organizations that skip the requirements process avoid this discomfort by pretending they can monitor everything…but nobody can.

Prioritization requires honest conversations about risk:

  • Which threats pose the greatest danger to your specific organization?
  • Which assets are truly critical versus merely important?
  • What is your actual risk tolerance, not the one in your policy documents?

These are leadership decisions, not technical ones. If the security or intelligence teams are being forced to make these decisions unilaterally, they are being set up to fail.

All of this is happening at a time when most security experts agree that their organizations are short on talent, which translates into a shortage of time. For example, the SANS 2025 Threat Hunting Survey found that 61 percent of organizations cite skilled staffing shortages as a primary barrier to effective threat hunting. Already short-staffed organizations cannot afford to waste time on work that doesn't tie to requirements. Every hour spent investigating irrelevant alerts is an hour not spent preventing attacks from the threats that matter to an organization.

From requirements to proactive security

Here's where this connects back to the reactive versus proactive problem. A SOC without intelligence requirements can only be reactive because it has no basis for proactive action. You can't hunt for threats if you haven't defined them, or get ahead of adversaries if you don't know what "ahead" means…or which adversaries to focus on.

Defined intelligence requirements are what make proactive security possible. Knowing the questions to answer before an incident occurs means the intelligence team can task collection against those questions now. Threat hunters with the most timely, accurate, and relevant intelligence on the most likely and most dangerous threats to their enterprise can execute hunt operations that are much more likely to be successful. At the same time, red team operations that have intelligence to emulate the threat actors and groups assessed to be most likely to threaten a given organization will be able to identify vulnerabilities that need to be prioritized because there is a known or suspected threat.

As I've argued before, organizations need to think beyond cyber threat intelligence as a SOC-embedded function and consider intelligence as an enterprise capability. But even if your organization isn't ready for that transformation, you can start applying intelligence tradecraft at the team level. Define requirements, prioritize ruthlessly, and align collection to the intended outcome: better-informed decisions by stakeholders. Building and leading effective intelligence programs is not the glamorous job portrayed in TV or movies, but these underpinnings are the foundation that makes everything else possible.

Reattaching the head

The path to an intelligence-driven SOC doesn't start with new technology or additional headcount. It starts with going back to the Intelligence Cycle phase that most organizations skip: planning and direction. Before buying another intelligence feed or deploying another sensor, ask if you know the answers to the questions:

  • "What do we need to know?"
  • "Why do we need to know it?"
  • "What decisions will that knowledge inform?"

Organizations that can’t answer those questions have collection without direction. That isn’t intelligence…it’s hoarding and hoping.

Building an intelligence-driven SOC requires secure adversary research that aligns collection to intelligence requirements, not analysts chasing threats in exposed browsers or disconnected tools. Silo Workspace provides a unified, isolated workspace to safely engage the threat environment, protect analyst identity, and accelerate insight so intelligence directly informs SOC decisions. Try it free for 30 days.

How secure adversary research strengthens an intelligence-driven SOC FAQs

What is a threat intelligence-driven SOC?

A threat intelligence-driven SOC aligns threat detection, analysis, and response to defined intelligence requirements based on business decisions. Instead of reacting to alerts, it focuses resources on the threats and adversaries most likely to impact the organization, enabling more proactive and effective security operations.

What are intelligence requirements in cybersecurity?

Intelligence requirements define the specific questions security leaders need answered to make decisions. They guide what data is collected, which threats are prioritized, and how analyst time is allocated, ensuring intelligence efforts directly support organizational outcomes.

Why are most SOCs still reactive?

Most SOCs remain reactive because they collect large volumes of data without clear intelligence requirements. Without planning and direction, analysts lack prioritization frameworks, forcing them to respond to alerts rather than proactively hunt threats aligned to organizational risk.

How do intelligence requirements improve threat hunting?

Defined intelligence requirements allow threat hunters to focus on known adversaries, likely attack paths, and critical assets. This increases the likelihood of successful hunts and reduces wasted effort on low-risk or irrelevant threats.
