Intelligence you do not act on is just news

There is a version of threat intelligence that is genuinely useless to a small business, and it is unfortunately the version most people picture: a subscription to an expensive feed that pumps thousands of indicators and glossy reports into a dashboard nobody has time to read. Buying that and feeling more secure is one of the more common and expensive illusions in this field. The word "intelligence" is doing precise work and most programs ignore it. Intelligence, in the original sense the term comes from, is knowledge that informs a decision. If a piece of threat data does not change something you do — a patch you prioritize, a detection you write, a lure you warn your staff about, a supplier you scrutinize — then it is not intelligence, it is just news about other people's bad days. This article is general education on building the useful, lean version: the small, deliberate habit of letting real knowledge about the threats aimed at businesses like yours sharpen a handful of concrete decisions. Everything else is expensive decoration.

The three altitudes of threat intel

It helps to know that threat intelligence naturally comes at three altitudes, because a lean team uses each one differently and wastes money by buying at the wrong altitude.

  • Strategic intelligence is the high-level picture: which kinds of attackers are targeting your industry and your size of company, what they are after, and how that is shifting over time. For a small business the honest strategic reality is usually not a nation-state — it is opportunistic, financially motivated crime that scans the whole internet for anyone reachable and exploitable. Strategic intel shapes big decisions like where to invest next year and which risks to raise with ownership; it feeds directly into your threat modeling.

  • Operational intelligence is about the how: the specific techniques, tools, and behaviors that active attack campaigns are using right now. When you learn that a wave of attacks is exploiting a particular remote-access product, or that a ransomware crew consistently enters through a specific misconfiguration, that is operational intel — and it tells you where to shore up before the wave reaches you. It sharpens your ransomware prevention playbook and your detection priorities.

  • Tactical intelligence is the granular, machine-consumable layer: specific indicators of compromise — malicious domains, file hashes, sending addresses, IP ranges — that you can feed into your controls to spot or block a known-bad thing. This is the altitude people usually mean by "a feed." It is genuinely useful, but only if you have somewhere to put the indicators, which most small teams do not until they build it deliberately.

The mistake is buying a firehose of tactical indicators when what a lean team actually needs first is a little strategic and operational awareness to know where to point its limited attention.

Start with the questions, not the feeds

The professional practice that rescues intelligence from being noise is to start from your questions rather than someone else's data. Before you subscribe to anything, write down the handful of things you actually need to know — the questions whose answers would change a decision. In the trade these are called priority intelligence requirements, and the fancy name hides a very practical idea. For a small business the list is short and concrete:

  • Are attackers actively exploiting anything in the specific technology we run — our email platform, our remote-access tool, our cloud provider, the software our product depends on?
  • What are the current lures and techniques being used against companies our size, so our people know what this month's scam actually looks like?
  • Has one of our vendors, or a company that holds our data, been breached in a way that puts us at risk?
  • Are our own domains, brand, or credentials showing up in places that suggest we are being set up as a target?

Those questions are the filter. Once they are written down, most of the threat data in the world becomes easy to ignore, because it does not answer any of them — and the small slice that does becomes obviously worth your attention. This is the same instinct that keeps a detection program healthy: a signal is only valuable relative to a decision, which is why finding triage and the fight against alert fatigue is the twin skill to consuming intel well. More data is not more safety; more answered questions is.

Where lean teams get real intelligence for free

The good news is that the highest-value threat intelligence for a small business is largely free and public, because the organizations producing it want defenders to act on it. You do not need a paid feed to start.

  • Government advisories are the anchor. In the United States, the national cybersecurity agency publishes alerts, advisories, and — most usefully — a catalog of vulnerabilities it has confirmed are being actively exploited in the wild. That known-exploited catalog is arguably the single most valuable free intelligence product in existence for a small team, and it plugs directly into how you should already be doing vulnerability prioritization with CVSS, EPSS, and KEV: a vulnerability on that list is not theoretical, it is being used against real companies today, and it jumps the queue.
  • Sector information-sharing groups exist for many industries and pool threat data among peers who share your risk profile. A warning that "attackers are hitting firms in our sector with this specific technique this week" is far more actionable than a generic global feed, because it is pre-filtered to your reality.
  • Your own vendors' security advisories. Every serious software and cloud provider you use publishes notices about vulnerabilities and active threats in their products. Subscribing to those is free, targeted intelligence about the exact technology you run.
  • Reputable open-source and community feeds provide indicators of compromise you can consume as you mature, and there are well-supported free platforms for aggregating and sharing them once you have somewhere to send the data.
  • Signals about you specifically — mentions of your brand, lookalike domains registered against you, or your data appearing in a breach — are a form of intelligence too, and one that overlaps with brand-impersonation and lookalike-domain monitoring, third-party data-breach monitoring, and keeping an eye on your external attack surface.

You will notice attribution is absent from that list. Knowing the clever codename of the group that might attack you is fascinating and, for a small business, almost never actionable. Resist the pull toward attribution theater; the technique and the fix are what protect you, not the villain's name.

Turning a feed into a decision

Intelligence earns its keep only at the moment it changes an action, so the whole design of a lean program should be about shortening the distance between "we learned something" and "we did something." A few concrete conversions turn abstract intel into defense:

  • Feed exploitation intel into patching. When a vulnerability you run appears on the known-exploited list or in a credible advisory, it stops being a routine patch and becomes an urgent one. That single connection — active-exploitation intelligence driving patch urgency — is the highest-return use of threat intel a small business will ever make.
  • Feed indicators into detection. When you have malicious domains or addresses tied to an active campaign, put them where your log monitoring and detection can see them, so a known-bad connection is something you catch rather than something you find out about later.
  • Feed technique intel into awareness. When you know the specific lure making the rounds this month — a fake invoice theme, a particular impersonation pattern — brief your people on that concrete thing through your security awareness training. "Watch out for this exact scam that is hitting companies like ours right now" lands far harder than generic caution.
  • Feed strategic shifts into your risk picture. When the landscape moves, update your threat model and, if the change is material, the way you brief ownership. Intelligence that reaches the people who allocate budget is intelligence that changes your defenses.

The discipline that keeps intel from becoming noise

The failure mode that swallows small threat-intel efforts is volume without filtering: someone signs up for a dozen feeds, the alerts pile up, everything looks urgent, and within a month the whole thing is ignored — the classic alert-fatigue death spiral, now with a bigger firehose. The discipline that prevents it is to treat intelligence as a filter that reduces what you have to worry about, not a source that adds to it. Every incoming item gets measured against your written questions; if it does not answer one, it is discarded without guilt. The small remainder that survives that filter is routed into your normal work — a prioritized patch, a new detection, a training note — through the same findings workflow as everything else, so it becomes tracked, owned action rather than a scary email that gets forgotten.

If this is more than a lean team can sustain, that is a legitimate finding in itself, and the honest answer is often to outsource the consumption. A managed detection and response provider effectively buys you a team that ingests the feeds, filters them against threats relevant to you, and only surfaces the items that warrant your action — which is exactly the filtering discipline, delivered as a service. Knowing when to hand this off is maturity, not failure.

The boundary of what a monitoring platform contributes is worth naming plainly. A tool cannot tell you which questions matter to your business — that judgment is yours — and it does not replace the human sense-making that turns a raw indicator into a decision. What it can do is close the last mile: automatically check your own environment and exposed surface against known-exploited vulnerabilities and public breach data, and surface the handful of items that actually intersect your systems, worst-first, so the intelligence lands as a specific, owned piece of work instead of a report you meant to read.

Threat intelligence is only intelligence if it changes a decision; a feed you never act on is just news. Work at the right altitude — strategic to know where you stand, operational to know what is coming, tactical only when you have somewhere to put the indicators. Start from a short list of written questions, not from someone else's data, and lean on free, targeted sources: government advisories, the known-exploited-vulnerabilities catalog, your vendors' notices, and sector sharing groups. Convert intel into action by driving patch urgency, detections, and awareness, and treat it as a filter that shrinks your worry list rather than a firehose that grows it. When it is too much to sustain, outsourcing the consumption is the mature move.