The most critical components of a threat intelligence program are the intelligence-gathering objectives, data sources, the database used for collection, analysis of the data, the action plans related to specific threats, the distribution of that information, and feedback into the intelligence-gathering objectives. This is often referred to as the intelligence cycle. Threat intelligence objectives focus on potential threats to your organization and define how to monitor for those threats. For example, a pharma company that manufactures a drug with dangerous side effects may decide to monitor the Dark Web and online marketplaces for counterfeit product that would adversely affect patient safety. Gathering various types of data, and managing that data efficiently requires technology to both store the data and to query and visualize that data in a way that leads to insight. The meaning we put to that data in the context of our intelligence objectives that transforms data into information. Knowing the owner of a newly registered domain name (the last few letters of an internet address like .com, .net, .biz) is not very interesting, but if you have a database that shows that the owner of that new domain owns several other domain names associated with phishing scams or counterfeit products is actionable information. You may choose to block that domain at your firewall. To be useful, intelligence must be shared. Intelligence about geopolitical threats can be beneficial to business travelers, but only people traveling to that hotspot are informed. When we deliver that information to intelligence consumers, they often provide feedback used to adjust the collection process. In this way, the intelligence cycle is complete, and we can continue this important activity that helps protect people, assets, and intellectual property.