The Intelligence Delusion: Why Volume Guarantees Blindness
The global cybersecurity intelligence apparatus has optimised for production, not utility: it generates more indicators, alerts, and TTPs than any human or machine can meaningfully process, which means it generates more false confidence than actual defensive advantage.
The mechanics are obvious in hindsight. A threat intelligence platform ingests millions of IP addresses, domain names, file hashes, and email headers daily. The National Vulnerability Database alone now catalogues tens of thousands of CVEs a year, up from roughly 4,700 in 2010. The MITRE ATT&CK framework enumerates hundreds of techniques and sub-techniques across its Enterprise, Mobile and ICS matrices. Security Operations Centres (SOCs) subscribe to feeds from VirusTotal, Shodan, Censys, DShield, abuse.ch (Feodo Tracker, URLhaus), and dozens of commercial providers. Alert fatigue is not a side effect; it is the business model. Yet the enterprises that consume this intelligence most aggressively (large financial institutions, healthcare systems, cloud providers) continue to suffer breaches that take months or years to detect, if they are detected at all.
This is not a market failure. It is a structural failure of architecture.
The Industry Narrative: Intelligence Volume as a Substitute for Defence
The canonical cybersecurity narrative places threat intelligence at the centre of an implied security posture. The SOC runs a SIEM (Splunk, Elastic, IBM QRadar, Microsoft Sentinel, Datadog), feeds it with intelligence (Mandiant, CrowdStrike, Recorded Future, LookingGlass), enriches alerts using reputation services, matches events against Sigma rules and files against YARA rules, and escalates to incident response when signal exceeds threshold. Intrusion Detection Systems (Snort, Zeek, Suricata) consume the same feeds. EDR platforms (CrowdStrike Falcon, Microsoft Defender for Endpoint, Palo Alto Cortex XDR, SentinelOne) use threat intel to tune behavioural detection heuristics. Data Loss Prevention (DLP) tools add URL and domain blocklists. Firewalls (Palo Alto, Fortinet, Check Point) block known-bad IPs. The implied promise is clear: more intelligence, faster correlation, better detection.
Regulators have internationalised this narrative. The Financial Conduct Authority's Senior Managers and Certification Regime (SM&CR) requires senior executives to demonstrate "appropriate" cybersecurity governance. The Prudential Regulation Authority's Cyber Resilience (PRA CP 22/21) mandates "effective cyber threat intelligence" as a control. Australia's APRA CPS 234 requires "current threat and vulnerability information" to inform risk appetite. The EU's Network and Information Security Directive 2 (NIS2) requires an early warning within 24 hours and an incident notification within 72 hours of becoming aware of a significant incident, which implicitly rewards organisations that detect breaches quickly. The premise is that detection is achievable if intelligence is sufficiently rich and timely.
Real incidents expose the fiction. The Change Healthcare ransomware attack (February 2024) exposed the data of roughly 100 million Americans on the company's own initial estimate, later revised upward. The ALPHV/BlackCat affiliate logged in with compromised credentials to a Citrix remote-access portal that had no multi-factor authentication; no zero-day, no sophisticated payload, no exotic TTPs. Every step of the attack chain used techniques documented in MITRE ATT&CK for years. In the roughly nine days between initial access and the deployment of ransomware, the attackers moved laterally and exfiltrated patient and claims data. Threat intel feeds contained no actionable signal, because there was nothing novel to signal. The Synnovis ransomware incident (June 2024), which crippled pathology services, including blood testing, for NHS hospitals in south-east London, followed the same pattern: credential compromise, lateral movement, encryption. Each of those steps is stopped by network segmentation and access control, neither of which threat intelligence influences.
The MGM Resorts and Caesars Entertainment intrusions (September 2023) were attributed to Scattered Spider, a social-engineering-focused group that deployed ALPHV ransomware and whose TTPs had already been documented publicly by vendors, and shortly afterwards by CISA. Initial access was a phone call: the attackers impersonated employees to the IT help desk and had credentials or MFA reset. That vector is entirely orthogonal to indicator feeds. The Optus (September 2022) and Medibank (October 2022) breaches in Australia required no exploit at all. Optus exposed an unauthenticated customer API to the internet; Medibank was entered with a third-party contractor's stolen credentials over a VPN that lacked multi-factor authentication, and the Australian privacy regulator later alleged that Medibank's endpoint detection tooling did raise alerts on the intrusion that were not escalated. Neither attack produced an indicator that any feed could have carried in advance. Detection and intelligence capability made no difference to the breach outcome.
The Snowflake customer-account campaign (April–June 2024, with extortion continuing into the summer) is the clearest exemplar. Attackers did not breach Snowflake itself, and no tenant was compromised through another tenant. Mandiant's investigation found that the actor, tracked as UNC5537, logged in to customer accounts with credentials that infostealer malware had harvested, some of them years earlier, from employee and contractor machines; the accounts lacked multi-factor authentication and network allow-lists, so a valid username and password were sufficient. Threat intelligence feeds offered no warning because there was no vulnerability to warn about: the logins were valid by design, and the weakness was an identity and configuration posture, not a CVE. (Infostealer-log monitoring, which some intelligence providers sell, is the one product that could have surfaced the credentials; only MFA and allow-listing would have made them useless.) Intelligence velocity made no material difference.
The pattern across these incidents is uniform: initial access relies on credential compromise, social engineering, or architectural misalignment, none of which threat intelligence addresses. Once inside, attackers move laterally using standard, documented, low-sophistication techniques. The time-to-detection varies from days to years. The probability of detection correlates almost entirely with network segmentation, access control, logging infrastructure, and incident response readiness, not with intelligence enrichment.
The Structural Failure: Detection as a Substitute for Prevention
Threat intelligence operates on an implicit assumption: if you know the adversary's techniques, you can detect and disrupt them. This assumption collapses under scrutiny. MITRE ATT&CK formalises hundreds of techniques because the domain is so large that no defender can instrument more than a fraction of it. An attacker needs only one path through the environment; a defender must block all paths. The asymmetry is not a resourcing problem; it is a logical problem.
The consequence is that threat intelligence has become a detection tool, not a prevention tool. It tells you what happened after the fact. It enriches alerts. It correlates events. But if the attacker uses only living-off-the-land techniques (Windows built-in utilities, legitimate cloud services, lateral movement over encrypted channels that is indistinguishable from administration), threat intel generates noise. If the initial access vector is a stolen password, threat intel is silent. If the target is a poorly segmented network where a single compromised endpoint can reach critical infrastructure, threat intel is irrelevant.
This failure mode has driven a peculiar industry response: the assumption that detection speed is an adequate substitute for prevention. The FCA, PRA, and regulatory bodies globally have emphasised "early detection" and "rapid response" as core security objectives. DORA (the Digital Operational Resilience Act) requires financial entities to detect anomalous activity and to report major ICT incidents on a fixed timetable, with an initial notification due within hours of classifying the incident. NIS2 mandates notification within 72 hours. The implicit contract is: you will be breached; the question is how quickly you discover it.
This is not resilience. This is managed resignation. It transfers the cost of breach from the attacker to the organisation, and externalises it to customers, regulators, and shareholders. An organisation that detects a breach in 24 hours has still been compromised. The attacker has had 24 hours to move, exfiltrate, and entrench. The regulatory 72-hour notification window exists because immediate detection is known to be impossible. Threat intelligence accelerates the feedback loop from detection to response, but it cannot eliminate breach-as-default-state.
The PULSE Reframing: Architecture Over Intelligence
The PULSE doctrine inverts the implicit assumption. Instead of assuming breach and optimising detection, assume breach and design the system such that breach causes no material harm. This requires three architectural principles that threat intelligence cannot address and therefore cannot substitute for.
First: Zero-knowledge substrate. An attacker cannot exfiltrate data that is not present on the compromised host. An attacker cannot move laterally to systems for which no credentials are cached, no trust relationships are established, and no discovery mechanisms are available. This is not a detection principle; it is a prevention principle. It requires that sensitive data (cryptographic keys, customer records, intellectual property) be stored in environments physically and cryptographically isolated from general-purpose compute. It requires that authentication tokens be ephemeral, unguessable, and untransferable across trust boundaries. It requires that each host operate under minimal privilege, with credentials held only for the duration of a specific operation, then destroyed. A zero-knowledge substrate means that the surface area for threat intelligence is irrelevant because the attacker has nothing to exfiltrate and nowhere to move to.
Second: Control-plane and data-plane separation. Traditional network architecture conflates the infrastructure used to manage the system (control plane) with the infrastructure used to process customer data (data plane). A compromised endpoint has access to both. Threat intelligence is directed at detecting and responding to compromised endpoints. It fails, as documented, because the attacker's activities blend seamlessly with legitimate administration. Separated architectures mean that the data plane has no egress to the internet, no path into central logging or management infrastructure (telemetry leaves it only over a one-way export to the control plane, so a compromised workload cannot read or tamper with what has already been recorded), and no exposed management interfaces. Changes to the data plane are made through a distinct control plane, which is itself isolated, monitored, and subject to quorum approval. If the data plane is compromised, the attacker is trapped: exfiltration is impossible, lateral movement is blocked, and persistence is unachievable. Threat intelligence is no longer necessary because the attacker's technical capabilities are irrelevant.
Third: Adaptive active defence. Rather than waiting for threat intel feeds to update with adversary TTPs, the system continuously drifts its attack surface. If an attacker uses process injection (MITRE ATT&CK T1055) against Windows, the environment regenerates without that capability, or shifts to a platform where the technique does not apply. If the attacker relies on DNS as a command-and-control or exfiltration channel (T1071.004), DNS is disabled by default and available only when explicitly requested by a known-safe process. If lateral movement typically uses SMB and Windows admin shares (T1021.002), SMB is disabled and communication occurs over encrypted tunnels with certificate pinning. The system does not await intelligence about which TTPs the attacker prefers; it assumes the attacker will use whatever works and actively makes it not work. This requires domain-specific automation (the capability to re-deploy, re-credential, and reconfigure infrastructure at speed), but it is entirely architectural, not dependent on intelligence freshness or analyst skill.
These three principles are mutually reinforcing and intelligence-independent. They do not require Mandiant reports, Shodan queries, or YARA rules. They require engineering discipline, cryptographic primitives, and infrastructure-as-code tooling that most organisations already possess but deploy for infrastructure management, not security. The PULSE doctrine proposes that the same automation that enables infrastructure elasticity enables security posture drift at speed.
From Detection-Centric to Prevention-Centric: A Concrete Example
Consider a financial institution processing payment transactions. The current architecture consumes threat intelligence at multiple layers: the perimeter firewall blocks IPs from DShield and Shodan; the SIEM correlates logs against Sigma rules and custom detection logic derived from Mandiant reports; the EDR platform uses CrowdStrike's threat graph to detect anomalous processes; the DLP tool blocklists URLs from commercial reputation providers such as Proofpoint. Over 12 months, the institution receives 50,000 alerts, of which 47,000 are false positives, 2,500 are benign configuration drifts, and 500 are potentially malicious. The SOC triages them in batches. False negatives are discovered during quarterly penetration tests or (more often) post-incident analysis.
A prevention-centric architecture works differently. The transaction processing pipeline operates in an isolated data plane: no general internet egress (only the allow-listed peers the control plane configures, such as the settlement and ledger endpoints it must reach), no path back into central logging (telemetry is exported one-way), no SSH access. Transactions are encrypted with keys held in a separate control plane. The processing environment is stateless and regenerated every hour. Credentials used by batch jobs are generated by the control plane, injected into the data plane only at execution time, bound to a single job and scope, and revoked immediately after. If a batch job is compromised, the attacker gains access to a single credential with a lifespan of 15 minutes. Lateral movement to other batch jobs fails because each runs in a separate container with separate credentials, and a credential bound to one job is rejected by every other. Persistence is impossible because the environment is destroyed hourly. Exfiltration is blocked because the data plane has no egress beyond its allow-list. The attacker's TTPs (credential theft, privilege escalation, lateral movement, data exfiltration) are rendered mechanically impossible. Threat intelligence is not consumed at all.
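The credential and egress discipline described above, as an added example rather than PULSE's own code: a toy control plane mints a job-bound, fifteen-minute, revocable credential; the data-plane job never holds the signing key and instead asks the control plane to introspect the token; and egress is deny-by-default. The token format, the introspection call, the job identifiers, the allow-list and the clock are all assumptions constructed for the illustration, and the attacker's moves (exfiltration, lateral reuse, scope escalation, persistence past expiry, forgery) are walked through one by one.

```python
"""Added example (not PULSE's code): job-bound, short-lived, revocable
credentials minted by a control plane and checked by introspection, with
deny-by-default egress on the data-plane job. Token format, TTL, names and
the allow-list are assumptions; the clock and job ids are constructed."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets

TTL_SECONDS = 15 * 60  # assumed: the 15-minute credential lifespan


class FakeClock:
    """Constructed clock so the run is deterministic and offline."""
    def __init__(self, start=1_700_000_000):
        self.now = start

    def __call__(self):
        return self.now


class ControlPlane:
    """Mints credentials and answers introspection calls. The HMAC key is
    created here and never handed to the data plane."""
    def __init__(self, clock):
        self._key = secrets.token_bytes(32)
        self._clock = clock
        self._live = {}  # token id -> job id; deleting an entry revokes it

    def issue(self, job_id, scope):
        now = int(self._clock())
        body = {"jti": secrets.token_hex(16), "job": job_id,
                "scope": sorted(scope), "iat": now, "exp": now + TTL_SECONDS}
        raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        sig = hmac.new(self._key, raw, hashlib.sha256).digest()
        self._live[body["jti"]] = job_id
        return ".".join(base64.urlsafe_b64encode(p).decode() for p in (raw, sig))

    def revoke(self, token):
        body = self._parse(token)
        if body is not None:
            self._live.pop(body["jti"], None)

    def introspect(self, token, job_id, action):
        """Called by a data-plane service; returns a reason string."""
        body = self._parse(token)
        if body is None:
            return "bad-signature"
        if body["jti"] not in self._live:
            return "revoked"
        if body["job"] != job_id:
            return "wrong-job"          # credential is bound to one job
        if self._clock() >= body["exp"]:
            return "expired"
        if action not in body["scope"]:
            return "out-of-scope"       # no privilege escalation via reuse
        return "ok"

    def _parse(self, token):
        try:
            raw, sig = (base64.urlsafe_b64decode(p) for p in token.split("."))
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(self._key, raw, hashlib.sha256).digest()
        return json.loads(raw) if hmac.compare_digest(expected, sig) else None


class DataPlaneJob:
    """One batch job: holds a credential it did not mint and may only talk to
    the peers the control plane allow-listed (assumed allow-list)."""
    ALLOWED_EGRESS = {"ledger.internal"}

    def __init__(self, job_id, control_plane, token):
        self.job_id, self._cp, self._token = job_id, control_plane, token

    def act(self, action, dest):
        if dest not in self.ALLOWED_EGRESS:
            return "egress-denied:" + dest
        return self._cp.introspect(self._token, self.job_id, action)


def simulate():
    """Walk the attacker's usual moves against a compromised job."""
    clock = FakeClock()
    cp = ControlPlane(clock)
    tok_a = cp.issue("settle-0417", {"post-transaction"})
    job_a = DataPlaneJob("settle-0417", cp, tok_a)
    out = {"legit": job_a.act("post-transaction", "ledger.internal")}
    # Attacker now holds tok_a inside job_a and tries the standard TTPs.
    out["exfil"] = job_a.act("post-transaction", "attacker.example")
    out["lateral"] = DataPlaneJob("settle-0418", cp, tok_a).act("post-transaction", "ledger.internal")
    out["escalate"] = job_a.act("read-all-customers", "ledger.internal")
    clock.now += TTL_SECONDS  # the credential's window closes
    out["persist"] = job_a.act("post-transaction", "ledger.internal")
    tok_b = cp.issue("settle-0418", {"post-transaction"})
    cp.revoke(tok_b)  # control plane pulls a credential mid-flight
    out["revoked"] = DataPlaneJob("settle-0418", cp, tok_b).act("post-transaction", "ledger.internal")
    forged = tok_a[:-4] + "AAAA"  # tampered signature, no key to re-sign
    out["forged"] = DataPlaneJob("settle-0417", cp, forged).act("post-transaction", "ledger.internal")
    return out


if __name__ == "__main__":
    for move, result in simulate().items():
        print(f"{move:9s} -> {result}")
```

Only the legitimate call succeeds; every other move fails for a structural reason the control plane can name (wrong job, out of scope, expired, revoked, forged, egress denied), none of which depends on knowing who the attacker is. In a real deployment the introspection call would be a mutually authenticated RPC and the allow-list would be enforced by the network, not the application, but the division of responsibility is the same: the data plane holds nothing worth stealing and reaches nothing worth reaching.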
The operational costs are lower, not higher. The control plane's change approval workflow is more rigorous than the SOC's triage workflow. The infrastructure is more complex, but it is managed through code, not human expertise. The development teams who use the platform understand its capabilities and constraints. The organisation invests in prevention, not detection.
The Productivity of Silence
The final irony: threat intelligence would be most valuable to organisations that need it least. An organisation with zero-knowledge substrate, control-plane separation, and adaptive active defence can afford to consume threat intelligence purely for trend analysis and threat landscape awareness, with no expectation that it will influence their operational security posture. It is noise, freely embraced because it causes no harm. An organisation still relying on detection-as-defence consumes the same intelligence with the desperate hope that it will prevent the next breach, which it will not.
For qualified operators managing critical infrastructure, payment systems, or customer data at scale, the question is no longer whether to rely on threat intelligence—it is whether to persist in the assumption that intelligence can substitute for architecture. The answer to that question is operational, not theoretical. It requires examination of breach outcomes in your own sector, analysis of initial access vectors and time-to-detection, and honest assessment of whether your current intelligence investment has meaningfully changed breach probability or outcome.
If you operate infrastructure that holds or transfers the world's data or currency, and you recognise that threat intelligence has become productivity theatre, we invite you to request a briefing under executed Mutual NDA.
PULSE engages only with verified counterparties. Strategic briefing material — reference architecture, regulatory mapping, deployment topology — is released after counter-execution of the NDA scoped to the recipient's evaluation purpose.