A cyber threat intelligence (CTI) platform is the software infrastructure through which a security organization collects, processes, enriches, analyzes, and acts on threat intelligence. For defense organizations — military commands, defense ministries, defense contractors — the threat model is fundamentally different from that of commercial organizations. State-sponsored adversaries, persistent access operations, supply chain compromises, and information operations are not edge cases; they are the baseline threat environment.

A defense-grade CTI platform must be built to operate in this context: handling classified intelligence feeds, correlating cyber indicators with signals and human intelligence, and integrating with both commercial SIEM infrastructure and classified operational networks.

Platform Architecture: Four Processing Stages

Collection. A CTI platform ingests intelligence from multiple source types: commercial threat feeds (ISAC sharing, commercial vendors), open source intelligence (OSINT — Telegram channels, dark web forums, paste sites, domain registration data), internal telemetry (SIEM logs, endpoint detection alerts, network flow data), and classified national intelligence feeds where applicable. The collection layer normalizes these inputs to a common internal format and assigns provenance metadata (source, collection time, confidence, classification level) to each record.

Normalization and enrichment. Raw collected data is highly heterogeneous. An IP address reported as an indicator of compromise (IoC) by one feed is a string in a CSV. In another feed, it is a structured STIX Observable. The normalization stage resolves this: extracting structured indicators (IPs, domains, hashes, URLs, email addresses, CVEs) from unstructured sources and converting everything to the platform's internal schema.

Enrichment augments normalized indicators with additional context: WHOIS and passive DNS for domain/IP indicators; geolocation; ASN attribution; historical SIEM observations; and relationships to known threat actors or campaigns from the platform's knowledge base. A raw IP address that is enriched with "hosted in ASN 12345, historically associated with APT28 C2 infrastructure, first observed 2025-03-14" is an actionable intelligence product. The same IP without enrichment is a data point.
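The two stages above, as an added example that is not part of the original article: a small normalizer that pulls indicators out of one chat-style message and one CSV vendor feed, attaches provenance metadata to every record, and then enriches IP indicators from constructed knowledge-base lookups. The extraction patterns, the `Indicator` schema, the documentation-range IP and AS number, the placeholder actor name and the lookup tables are all assumptions made for this example.

```python
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass, field, replace

# Internal schema: every record carries provenance metadata alongside the indicator.
@dataclass(frozen=True)
class Indicator:
    ioc_type: str
    value: str
    source: str            # provenance: feed or channel the record came from
    collected_at: str      # provenance: ISO-8601 collection time
    confidence: int        # provenance: 0-100, as assigned by the collector
    classification: str    # provenance: handling label (values here are illustrative)
    context: dict = field(default_factory=dict)   # filled in by enrichment

# Extraction patterns for unstructured sources (constructed for this example; the
# RFC 2606 reserved TLDs are included so the sample data never names a real host).
PATTERNS = {
    "ipv4":   re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
    "cve":    re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.I),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|mil|ru|io|example|test)\b", re.I),
}

def refang(text: str) -> str:
    """Undo common defanging ("[.]", "hxxp") so the patterns above can match."""
    return (text.replace("[.]", ".").replace("(.)", ".")
                .replace("hxxps://", "https://").replace("hxxp://", "http://"))

def extract(text, source, collected_at, confidence, classification) -> list[Indicator]:
    """Pull structured indicators out of free text, de-duplicated per (type, value)."""
    found, seen = [], set()
    for ioc_type, pattern in PATTERNS.items():
        for m in pattern.finditer(refang(text)):
            value = m.group(0).upper() if ioc_type == "cve" else m.group(0).lower()
            if (ioc_type, value) not in seen:
                seen.add((ioc_type, value))
                found.append(Indicator(ioc_type, value, source, collected_at, confidence, classification))
    return found

def from_csv(csv_text, source, collected_at, classification) -> list[Indicator]:
    """Normalize a structured feed whose rows are already typed."""
    return [Indicator(r["type"].lower(), r["value"].lower(), source, collected_at,
                      int(r["confidence"]), classification)
            for r in csv.DictReader(io.StringIO(csv_text))]

# Constructed knowledge-base lookups standing in for ASN, passive DNS and actor data.
ASN_DB      = {"203.0.113.7": "AS64496"}                          # AS64496 is reserved for documentation
PASSIVE_DNS = {"203.0.113.7": ["login-portal.example"]}
ACTOR_INFRA = {"203.0.113.7": ("SAMPLE-ACTOR-1", "2025-03-14")}   # (actor, first observed)

def enrich(ind: Indicator) -> Indicator:
    """Attach context from the knowledge base; the provenance fields are untouched."""
    ctx = dict(ind.context)
    if ind.ioc_type == "ipv4":
        if ind.value in ASN_DB:
            ctx["asn"] = ASN_DB[ind.value]
        if ind.value in PASSIVE_DNS:
            ctx["passive_dns"] = PASSIVE_DNS[ind.value]
        if ind.value in ACTOR_INFRA:
            ctx["actor"], ctx["first_observed"] = ACTOR_INFRA[ind.value]
    return replace(ind, context=ctx)

# Constructed sample inputs: one chat-style message and one CSV vendor feed.
SAMPLE_MESSAGE = ("scan done: login-portal[.]example -> 203[.]0[.]113[.]7, dropper "
                  "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 "
                  "abuses CVE-0000-00000")        # the CVE id is a placeholder, not a real entry
SAMPLE_CSV = "type,value,confidence\nipv4,203.0.113.7,80\ndomain,LOGIN-PORTAL.example,65\n"

def ingest() -> list[Indicator]:
    """Collection -> normalization -> enrichment over the two constructed sources."""
    records = extract(SAMPLE_MESSAGE, "telegram:sample-channel", "2025-03-15T08:00:00Z", 40, "UNCLASSIFIED")
    records += from_csv(SAMPLE_CSV, "vendor-feed:sample", "2025-03-15T08:05:00Z", "UNCLASSIFIED")
    return [enrich(r) for r in records]

if __name__ == "__main__":
    for r in ingest():
        print(r.ioc_type, r.value, r.source, r.confidence, r.context)
```

The same IP arrives twice, once as a chat mention with low confidence and once from a vendor feed with high confidence; both records keep their own provenance, and it is the enrichment context (ASN, passive DNS, actor association, first-observed date) that turns either of them into something an analyst can act on.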

Analysis and correlation. The analysis layer identifies relationships between indicators and attributes them to threat actor profiles. This is where the platform's knowledge graph is central: a graph database (typically Neo4j or a purpose-built threat graph) storing relationships between actors, campaigns, techniques, and indicators enables graph traversal queries — "show me all infrastructure connected to the same actor as this IP, two hops away."

MITRE ATT&CK framework integration is standard in modern CTI platforms. Each observed technique is tagged to the corresponding ATT&CK technique ID, enabling coverage gap analysis (which ATT&CK techniques does our detection coverage not address?) and threat actor profiling (this actor is consistently using T1566 — phishing — as initial access, followed by T1053 — scheduled task persistence).
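To show the graph traversal query and the ATT&CK coverage analysis described in the two paragraphs above, here is an added example (not code from the original article or from any particular product): a minimal in-memory knowledge graph with a bounded-depth breadth-first query, a coverage-gap check against a set of deployed detections, and a technique-sequence count for actor profiling. The node and edge data, the placeholder actor, the documentation-range IPs and the incident chains are constructed for the example; a production platform would run the same query against Neo4j or a purpose-built threat graph.

```python
from collections import Counter, deque

class ThreatGraph:
    """Minimal in-memory knowledge graph: typed nodes, labelled edges stored in both
    directions so a query can walk indicator -> actor -> other infrastructure."""

    def __init__(self):
        self.nodes = {}   # node id -> node type
        self.edges = {}   # node id -> list of (neighbour id, relationship label)

    def add_node(self, node_id, node_type):
        self.nodes[node_id] = node_type
        self.edges.setdefault(node_id, [])

    def add_edge(self, src, relationship, dst):
        self.edges.setdefault(src, []).append((dst, relationship))
        self.edges.setdefault(dst, []).append((src, "inverse-of:" + relationship))

    def within_hops(self, start, hops, node_type=None):
        """Breadth-first traversal: every node reachable in at most `hops` edges,
        optionally filtered by node type. This is the bounded-depth graph query."""
        dist = {start: 0}
        queue = deque([start])
        while queue:
            node = queue.popleft()
            if dist[node] == hops:
                continue
            for neighbour, _ in self.edges.get(node, []):
                if neighbour not in dist:
                    dist[neighbour] = dist[node] + 1
                    queue.append(neighbour)
        return sorted(n for n in dist if n != start and
                      (node_type is None or self.nodes.get(n) == node_type))

    def techniques_of(self, actor):
        """ATT&CK techniques linked to the actor by a 'uses' edge."""
        return sorted(n for n, rel in self.edges.get(actor, [])
                      if rel == "uses" and self.nodes.get(n) == "attack-pattern")

def coverage_gap(graph, actor, detection_coverage):
    """Techniques this actor uses that no deployed detection covers."""
    return [t for t in graph.techniques_of(actor) if t not in detection_coverage]

def top_sequences(incidents):
    """Count consecutive technique pairs across incidents to profile an actor's habits."""
    pairs = Counter()
    for chain in incidents:
        pairs.update(zip(chain, chain[1:]))
    return pairs.most_common()

# Constructed sample data: documentation-range IPs and a placeholder actor name.
def build_sample_graph():
    g = ThreatGraph()
    for nid, ntype in [("SAMPLE-ACTOR-1", "threat-actor"), ("CAMPAIGN-A", "campaign"),
                       ("203.0.113.7", "ipv4"), ("198.51.100.22", "ipv4"),
                       ("login-portal.example", "domain"), ("T1566", "attack-pattern"),
                       ("T1053", "attack-pattern"), ("T1071", "attack-pattern")]:
        g.add_node(nid, ntype)
    g.add_edge("CAMPAIGN-A", "attributed-to", "SAMPLE-ACTOR-1")
    g.add_edge("203.0.113.7", "attributed-to", "SAMPLE-ACTOR-1")
    g.add_edge("198.51.100.22", "attributed-to", "SAMPLE-ACTOR-1")
    g.add_edge("login-portal.example", "resolves-to", "198.51.100.22")
    for t in ("T1566", "T1053", "T1071"):
        g.add_edge("SAMPLE-ACTOR-1", "uses", t)
    return g

SAMPLE_INCIDENTS = [   # technique chains observed in three constructed incidents
    ["T1566", "T1053", "T1071"],
    ["T1566", "T1053"],
    ["T1566", "T1071"],
]

if __name__ == "__main__":
    g = build_sample_graph()
    # "show me all infrastructure connected to the same actor as this IP, two hops away"
    print(g.within_hops("203.0.113.7", 2, node_type="ipv4"))
    print(coverage_gap(g, "SAMPLE-ACTOR-1", {"T1566", "T1071"}))
    print(top_sequences(SAMPLE_INCIDENTS)[0])
```

Storing every edge in both directions is what makes the two-hop question cheap: the query starts at an indicator, reaches the actor in one hop and the actor's other infrastructure in the second, and a type filter keeps techniques and campaigns (also two hops away) out of the answer.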

Distribution. Intelligence is only valuable when it reaches the teams that can act on it. The distribution layer publishes intelligence products in formats appropriate for each consumer: structured IoC feeds (STIX/TAXII for other CTI platforms and SIEM systems), human-readable reports (formatted for analysts), and direct SIEM integrations (pushing IoC blocks and detection rules directly to SIEM rule engines).

STIX and TAXII: The Interoperability Layer

STIX (Structured Threat Information eXpression) is the data model for representing cyber threat intelligence — threat actors, campaigns, indicators, attack patterns, and the relationships between them. TAXII (Trusted Automated eXchange of Intelligence Information) is the transport protocol for exchanging STIX objects between platforms. Together, they enable automated, machine-to-machine intelligence sharing.

For defense organizations, STIX/TAXII implementation is not optional — it is the mechanism through which NATO NCIA, national CERTs, and trusted partner organizations share classified and unclassified threat intelligence. A CTI platform that cannot consume or produce STIX 2.1 bundles is isolated from the broader sharing ecosystem.
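As an added example (not code from the original article, and not the official `stix2` library), the following builds a STIX 2.1 bundle from the platform's internal indicators, checks it against the properties STIX 2.1 requires, parses a simple pattern on the consumer side, and assembles the URL, headers and query parameters of a TAXII 2.1 "Get Objects" request without sending it. The placeholder actor, the documentation-range IP, the `.example` domain and the TAXII API root and collection id are assumptions.

```python
import json
import re
import uuid

STIX_ID = re.compile(r"^[a-z][a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")

# Properties STIX 2.1 requires on every object, plus the per-type ones checked below.
COMMON = ["type", "spec_version", "id", "created", "modified"]
REQUIRED = {
    "indicator":    ["pattern", "pattern_type", "valid_from"],
    "threat-actor": ["name"],
    "relationship": ["relationship_type", "source_ref", "target_ref"],
}

def new_id(stix_type):
    return f"{stix_type}--{uuid.uuid4()}"

def to_pattern(ioc_type, value):
    """Map the platform's internal indicator types to STIX pattern comparison expressions."""
    objects = {"ipv4": "ipv4-addr:value", "domain": "domain-name:value",
               "url": "url:value", "sha256": "file:hashes.'SHA-256'"}
    return f"[{objects[ioc_type]} = '{value}']"

SIMPLE_PATTERN = re.compile(r"^\[([a-z0-9-]+):([^\s=]+) = '([^']*)'\]$")

def parse_simple_pattern(pattern):
    """Consumer side: split a single-comparison pattern into (object type, property, value).
    Compound patterns (AND / OR / FOLLOWEDBY) are out of scope for this example."""
    m = SIMPLE_PATTERN.match(pattern)
    return (m.group(1), m.group(2), m.group(3)) if m else None

def sdo(stix_type, created, **props):
    obj = {"type": stix_type, "spec_version": "2.1", "id": new_id(stix_type),
           "created": created, "modified": created}
    obj.update(props)
    return obj

def indicator(ioc_type, value, created, confidence):
    return sdo("indicator", created, name=f"{ioc_type}:{value}",
               indicator_types=["malicious-activity"], pattern=to_pattern(ioc_type, value),
               pattern_type="stix", valid_from=created, confidence=confidence)

def relationship(source, relationship_type, target, created):
    return sdo("relationship", created, relationship_type=relationship_type,
               source_ref=source["id"], target_ref=target["id"])

def bundle(objects):
    return {"type": "bundle", "id": new_id("bundle"), "objects": objects}

def validate_bundle(b):
    """Return a list of problems; an empty list means the bundle passed the checks."""
    problems = []
    if b.get("type") != "bundle" or not STIX_ID.match(b.get("id", "")):
        problems.append("bundle header malformed")
    ids = {o.get("id") for o in b.get("objects", [])}
    for o in b.get("objects", []):
        oid = o.get("id", "")
        for prop in COMMON + REQUIRED.get(o.get("type"), []):
            if prop not in o:
                problems.append(f"{oid}: missing {prop}")
        if not STIX_ID.match(oid) or not oid.startswith(o.get("type", "?") + "--"):
            problems.append(f"{oid}: bad id")
        for ts in ("created", "modified"):
            if ts in o and not TIMESTAMP.match(o[ts]):
                problems.append(f"{oid}: bad timestamp {ts}")
        if o.get("type") == "relationship":          # refs must resolve inside the bundle
            for ref in ("source_ref", "target_ref"):
                if o.get(ref) not in ids:
                    problems.append(f"{oid}: dangling {ref}")
    return problems

def taxii_objects_request(api_root, collection_id, added_after=None):
    """URL, headers and query parameters of a TAXII 2.1 'Get Objects' request.
    The API root and collection id are assumptions; nothing is sent here."""
    params = {"added_after": added_after} if added_after else {}
    return (f"{api_root.rstrip('/')}/collections/{collection_id}/objects/",
            {"Accept": "application/taxii+json;version=2.1"}, params)

def build_sample_bundle():
    """Constructed sample: one actor, two indicators and the 'indicates' relationships."""
    created = "2025-03-14T00:00:00.000Z"
    actor = sdo("threat-actor", created, name="SAMPLE-ACTOR-1", threat_actor_types=["nation-state"])
    ind_ip = indicator("ipv4", "203.0.113.7", created, 80)
    ind_dom = indicator("domain", "login-portal.example", created, 65)
    return bundle([actor, ind_ip, ind_dom,
                   relationship(ind_ip, "indicates", actor, created),
                   relationship(ind_dom, "indicates", actor, created)])

if __name__ == "__main__":
    b = build_sample_bundle()
    print(json.dumps(b, indent=2))
    print("problems:", validate_bundle(b))
```

The validator is deliberately strict about relationship references resolving inside the bundle: a partner platform that receives an `indicates` relationship whose `source_ref` it cannot resolve has no way to attach the indicator to an actor, so a bundle that passes this check is one the receiving side can load without dangling edges.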

Defense-Specific Threat Sources

A commercial CTI platform relying on vendor feeds misses the most operationally relevant intelligence for defense organizations. Defense-specific sources include:

Telegram monitoring. Since 2022, Telegram has become a primary operational security channel for state-aligned threat actors, hacktivist groups, and threat actors supporting kinetic operations. Channels announce targets before attacks, post claimed breaches, and coordinate reconnaissance. Systematic monitoring of relevant channels — with entity extraction and cross-correlation against known actor profiles — provides warning intelligence unavailable in commercial feeds.

Dark web forum monitoring. Criminal infrastructure used by state actors (bulletproof hosting, access brokers, exploit markets) is traded on dark web forums. Monitoring these for mentions of specific organizations, systems, or credentials provides early warning of impending attacks.

Domain and certificate intelligence. State-sponsored actors register domains imitating defense organizations for spear-phishing campaigns. Certificate transparency logs, passive DNS, and new domain registration monitoring can detect these preparations before the campaign is launched.

Key insight: Threat intelligence attribution — assigning a cyber incident or campaign to a specific state actor — requires convergence across multiple evidence types: TTPs, infrastructure, targeting patterns, timing, and where available, signals and human intelligence. A CTI platform built for defense must be capable of integrating all of these, not just cyber indicators in isolation.

SIEM Integration Architecture

CTI platforms deliver value primarily through integration with the SIEM (Security Information and Event Management) system, which is where detection and response happen. The integration takes two forms: IoC-based detection (the CTI platform pushes known bad IPs, domains, and hashes to the SIEM as block lists and detection rules) and TTP-based detection (the CTI platform publishes MITRE ATT&CK-aligned detection logic derived from threat actor profiling).

Modern architectures implement this through SOAR (Security Orchestration, Automation and Response) playbooks that automatically ingest CTI outputs, apply them to the SIEM detection stack, and trigger response workflows for high-confidence alerts. The SIEM-SOAR-CTI triad is the operational backbone of a defense SOC (Security Operations Center).
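The two integration forms and the playbook step, as an added example that is not code from the original article or from any SIEM or SOAR product: an IoC feed as the CTI platform would push it, a TTP-based rule for scheduled-task creation (T1053), both run over constructed key=value log lines, a confidence-driven playbook action, and a per-host correlation that escalates when IoC and TTP hits coincide. The log format, field names, placeholder actor, documentation-range IPs and thresholds are assumptions for the example.

```python
import re

# Parser for the constructed "k=v" / k="quoted v" log lines below.
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_event(line):
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV.finditer(line)}

# IoC feed as pushed by the CTI platform: (type, value) -> provenance (constructed).
IOC_FEED = {
    ("ipv4", "203.0.113.7"):            {"confidence": 90, "actor": "SAMPLE-ACTOR-1"},
    ("domain", "login-portal.example"): {"confidence": 60, "actor": "SAMPLE-ACTOR-1"},
}

# Which event fields carry which indicator type.
FIELD_TYPES = {"dst": "ipv4", "src": "ipv4", "answer": "ipv4", "query": "domain"}

def ioc_alerts(event, feed):
    """IoC-based detection: any indicator-bearing field that matches the feed."""
    alerts = []
    for field, ioc_type in FIELD_TYPES.items():
        key = (ioc_type, event.get(field, "").lower())
        if key in feed:
            alerts.append({"rule": f"ioc:{ioc_type}", "match": key[1], "host": event.get("host"),
                           "confidence": feed[key]["confidence"], "actor": feed[key]["actor"]})
    return alerts

def ttp_alerts(event):
    """TTP-based detection derived from actor profiling: scheduled task creation (T1053.005)."""
    image = event.get("image", "").lower()
    cmd = event.get("cmdline", "").lower()
    if image.endswith("schtasks.exe") and "/create" in cmd:
        return [{"rule": "ttp:T1053.005", "match": cmd, "host": event.get("host"),
                 "confidence": 50, "actor": None}]
    return []

def playbook_action(alert):
    """SOAR-style triage: high-confidence IoC hits are blocked automatically,
    everything else is queued for analyst review (threshold is an assumption)."""
    if alert["rule"].startswith("ioc:") and alert["confidence"] >= 80:
        return "block_and_open_ticket"
    return "queue_for_review"

def correlate_by_host(alerts):
    """Escalate hosts that show both an IoC hit and a TTP hit."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], set()).add(a["rule"].split(":")[0])
    return sorted(h for h, kinds in by_host.items() if {"ioc", "ttp"} <= kinds)

def run(lines, feed):
    """Apply both detection forms to every event and attach the playbook decision."""
    results = []
    for line in lines:
        ev = parse_event(line)
        for a in ioc_alerts(ev, feed) + ttp_alerts(ev):
            a["action"] = playbook_action(a)
            a["ts"] = ev.get("ts")
            results.append(a)
    return results

# Constructed sample events: DNS, network flow and process-creation records.
SAMPLE_LOGS = [
    'ts=2025-03-15T09:00:01Z type=dns host=ws01 query=LOGIN-PORTAL.example answer=198.51.100.22',
    'ts=2025-03-15T09:00:02Z type=flow host=ws01 src=10.0.0.5 dst=203.0.113.7 bytes=1200',
    r'ts=2025-03-15T09:00:05Z type=process host=ws01 image=C:\Windows\System32\schtasks.exe '
    r'cmdline="schtasks /create /sc daily /tn Updater /tr C:\Users\Public\u.exe"',
    'ts=2025-03-15T09:01:00Z type=flow host=ws02 src=10.0.0.6 dst=192.0.2.10 bytes=300',
]

if __name__ == "__main__":
    alerts = run(SAMPLE_LOGS, IOC_FEED)
    for a in alerts:
        print(a["ts"], a["host"], a["rule"], a["match"], "->", a["action"])
    print("escalate hosts:", correlate_by_host(alerts))
```

The point of carrying confidence through from the feed into the playbook is that the same IoC hit leads to different automated actions depending on its provenance: a vendor-confirmed C2 address is blocked, a low-confidence domain goes to an analyst, and a host that shows both an indicator hit and a matching technique is escalated regardless of either score.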