Threat-Informed Defense

A threat-informed defense is a cybersecurity approach that bases security strategies and controls on specific knowledge of actual threats targeting an organization.

Rather than implementing generic security measures, this methodology uses intelligence about adversary tactics, techniques, and procedures (TTPs) to prioritize defenses against the most relevant and likely attack vectors.

This approach typically involves analyzing threat intelligence from multiple sources, including security vendors, government agencies, and industry groups, to understand which threat actors are actively targeting similar organizations or sectors. Security teams then map these threats against frameworks like MITRE ATT&CK to identify specific techniques adversaries use and design countermeasures accordingly.

Threat-informed defense helps organizations allocate limited security resources more effectively by focusing on the attacks they are most likely to face, rather than trying to defend against every possible threat. For example, a financial institution might prioritize defenses against banking trojans and advanced persistent threat groups known to target financial services, while a healthcare organization might focus on ransomware groups that specifically target medical facilities.

This methodology requires continuous threat intelligence gathering and regular reassessment of the threat landscape to ensure defenses remain aligned with evolving adversary capabilities and targeting preferences.