How Intelligence Actually Works
What This Section Is About
The Foundations section exists to clarify something that is often assumed, rarely examined, and frequently misunderstood:
What intelligence actually is, and what it is for.
In cyber threat intelligence, many problems are treated as technical or operational. In practice, most failures are conceptual. Teams collect the wrong data, optimise the wrong outputs, and measure the wrong things because the underlying idea of “intelligence” is unclear.
The articles in this section focus on fixing that problem.
They are not introductory in the traditional sense.
They are foundational in the practitioner sense.
Why Foundations Matter
If you misunderstand the foundations of intelligence:
- Analysis becomes reporting
- Collection becomes indiscriminate
- The Intelligence Cycle becomes a delivery pipeline
- Metrics reward activity instead of impact
- Trust erodes quietly
No amount of tooling, automation, or frameworks will compensate for this.
Strong intelligence work starts with clear thinking about:
- Decisions
- Judgment
- Uncertainty
- Relevance
What You Will Find Here
Articles in Foundations explore topics such as:
- The difference between information and intelligence
- Why common CTI models are misused in practice
- How decision support should shape intelligence work
- The role of judgment, estimation, and uncertainty
- Why many CTI programs fail before analysis even begins
These pieces focus less on how to do CTI and more on how to think about it.
How These Articles Are Written
Most Foundations articles are written as reflective essays drawn from practice.
They:
- Challenge common assumptions
- Deconstruct familiar models
- Focus on reasoning rather than prescription
- Trade completeness for clarity
You will not find step-by-step instructions heres.
You will find ideas meant to change how you approach your work.
Some discomfort is intentional.
Who This Section Is For
This section is especially relevant if you are:
- A CTI analyst trying to move beyond collection and reporting
- A CTI lead struggling to explain the value of intelligence
- A practitioner sensing that “something isn’t working,” but unsure why
- Someone building or fixing a CTI program
If you are early in your CTI journey, this section will feel challenging.
If you are further along, it will feel familiar and hopefully clarifying.
How to Use This Section
These articles are best read slowly.
Revisit them as your role evolves.
Many ideas here become clearer with experience.
If you are new to CTITradecraft, a good starting sequence is:
- Intelligence Is Not Information — And That Difference Matters
- The Intelligence Cycle Was Never Meant to Be a Workflow
- Most CTI Answers the Wrong “So What”
- Certainty Is Comforting. Intelligence Rarely Is.
Each builds on the last.
How This Connects to the Rest of CTI Tradecraft
The Foundations section underpins everything else on this site.
- Tradecraft builds on these ideas to explore judgement, bias, and analysis
- Threat Analysis applies them in real-world contexts
- CTI Programs examines how these concepts succeed, or fail, inside organisations
If the Foundations are weak, everything above them eventually cracks.
A Note on the Long View
This section forms the conceptual base of the CTITradecraft Academy.
Before analysts learn techniques, tools, or playbooks, they need a shared understanding of what intelligence work is meant to achieve.
That work starts here.
Start with one article. Read it carefully.
That’s how this section is meant to be used.