Threat intelligence has a long pedigree dating back to antiquity. As warfare became more complex and armies grew in size from the nineteenth century onwards, so military intelligence grew in importance (Wheeler 2012). The Duke of Wellington (1769–1852), famed as a general during the Napoleonic Wars, recognised the significance of intelligence, remarking that all the business of war was ‘guessing what was at the other side of the hill’ (Ratcliffe 2017). As the years progressed, so the size of the ‘hill’ that needed to be peered over has grown in size, requiring better intelligence and ultimately leading to the development of national intelligence agencies during the second half of the twentieth century.

Since the 1990s the Internet has developed largely within the private sector. The connected autonomous networks that comprise the Internet are, for the vast majority, held and controlled privately (Arnold et al. 2020). The data traversing these networks, the systems receiving and processing these data, and the resulting logs are majoritively held by the private sector.

Cyber threats conducted over the Internet have consequences for national security (Isenberg et al. 2021). Yet it is within the logs and data held privately that much of the evidence of these attacks are located. Hence, the emerging requirement for cyber threat intelligence (CTI) professionals to gather and analyse this information.

The recency of CTI as a notion is illustrated by the fact that ...