
25 September 2025

Erik Van Dijk
Product Manager Orange Cyberdefense
In Cyber Threat Intelligence (CTI), we often use certain words interchangeably. That might feel harmless, but it can blur what we’re actually doing - and sometimes even cause misunderstandings that could lead to bigger problems.
One of the most common examples is the mix-up between data, information, and intelligence. These are three very different things, yet in CTI we often hear them used side by side, for example:
To get real value out of CTI, it’s important to draw the line between the three. Let’s break it down.
At its most basic, data refers to raw, unprocessed facts. In the context of cybersecurity, data could be anything from an IP address to logfiles or system alerts. It’s like a huge pile of unpolished gems - there’s a lot of it, but alone, it doesn’t tell you much.
For example, a logfile might show you every time a device connects to the network, but it doesn’t tell you whether that connection is normal or suspicious. Data by itself is often of limited utility - it can be just noise without context.
When you start to organize and collate that data into something more meaningful, you get information.
For example, imagine you have a series of logfiles showing a spike in failed login attempts from multiple IPs in a short period. When combined, these individual data points create a pattern, suggesting potential malicious activity, like a brute-force attack.
This is where you’re moving beyond individual facts into something that begins to tell a story. Information provides value because it gives you insights into what might be happening - but it still doesn’t tell you the full picture.
Now, intelligence is where things get serious. Intelligence is derived from the analysis and processing of information. It’s the part that turns raw data into something actionable - and actionable is key, as we discussed in our first blog.
Using our example: once you've identified that suspicious spike in log activity, intelligence comes when you contextualize that information with previous incident reports, identify patterns, and add expert analysis. You now know that this type of activity matches previous ransomware attacks.
This is where CTI makes the real impact: you can now make informed decisions about how to respond. Perhaps you block certain IP addresses, alert your team, or even initiate a broader investigation. This is intelligence - not just data, not just information, but insight that drives action.
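The same example as a short pipeline, added here as an illustration (not code from the original post): constructed log lines are the data, a collated failed-login spike is the information, and matching it against a constructed prior-incident record yields intelligence with actions attached. The log format, thresholds, pattern label and function names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# DATA: constructed auth log lines (time, source IP, account, result).
RAW_LOG = """\
2025-09-25T09:58:10 192.0.2.10 alice OK
2025-09-25T10:00:05 198.51.100.7 svc-backup FAIL
2025-09-25T10:00:40 203.0.113.21 svc-backup FAIL
2025-09-25T10:01:15 198.51.100.9 svc-backup FAIL
2025-09-25T10:01:50 203.0.113.21 svc-backup FAIL
2025-09-25T10:02:30 198.51.100.7 svc-backup FAIL
2025-09-25T10:03:00 192.0.2.44 bob FAIL
2025-09-25T10:03:20 192.0.2.44 bob OK
"""
# Constructed stand-in for "previous incident reports" (assumption).
PRIOR_INCIDENTS = [{"pattern": "possible_bruteforce", "led_to": "ransomware"}]

def parse(raw):
    """Data: one record per log line, no interpretation yet."""
    rows = (line.split() for line in raw.strip().splitlines())
    return [{"ts": datetime.fromisoformat(ts), "ip": ip, "user": user,
             "ok": res == "OK"} for ts, ip, user, res in rows]

def to_information(events, window=timedelta(minutes=5), min_fails=5, min_ips=3):
    """Information: collate failures per account into a pattern."""
    fails = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails[e["user"]].append(e)
    findings = []
    for user, evs in fails.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            ips = sorted({e["ip"] for e in burst})
            if len(burst) >= min_fails and len(ips) >= min_ips:
                findings.append({"user": user, "pattern": "possible_bruteforce",
                                 "fails": len(burst), "ips": ips})
                break
    return findings

def to_intelligence(findings, incidents):
    """Intelligence: add prior-incident context and attach actions."""
    out = []
    for f in findings:
        known = [i for i in incidents if i["pattern"] == f["pattern"]]
        if known:
            out.append({**f, "assessment": "matches previous " + known[0]["led_to"] + " attacks",
                        "actions": ["block " + ip for ip in f["ips"]] + ["alert team"]})
    return out
```

Without a matching prior incident, `to_intelligence` returns nothing: the finding stays information until context is added.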
To recap, here’s how this progression works:
Without this clear journey from data to information to intelligence, your CTI efforts would be like trying to navigate with a map that’s missing half the streets. The value of CTI lies in how it turns raw data into intelligence that helps your organization stay ahead of threats.
Getting this distinction right is more than just semantics. It shows your stakeholders that you know what you are doing, and it determines whether your CTI program produces noise or value.
That’s why this journey is the heart of CTI: it makes sure your team isn’t just collecting facts, but shaping them into insights that help your organization reach its goals.
It also helps us professionalize CTI - step by step, bit by bit - because these are often the low-hanging wins we can deliver quickly so we can focus on the hard(er) parts.
What’s Next
But of course, the transformation we discussed in this blog - from data, to information, to intelligence - doesn’t just happen on its own. It needs to be guided by a structured process, for example the intelligence cycle. And that’s exactly what we’ll cover in our next blog.
Let us know what you think, or if you have a topic you would like us to discuss!