The Intelligence Layer: What Mature Security Programs Are Adding Next


Most mature security programs aren't short on threat intelligence. As we explored in a recent blog, they're running multiple feeds and adding more all the time. The data flows continuously, and the operations built to receive it work smoothly.
Yet the existing feed economy, as we call it, is inherently limited. The issue is the timeline. Every feed in that stack is oriented toward the same moment: after an attack has already started. It finds evidence of attack infrastructure that has already been built and deployed – or worse, attackers that have already reached your environment. At that point, detection and containment are your only options.
Existing threat intelligence feeds don’t address the window before the attack - when attackers are still staging infrastructure and prevention is still possible. We call this the pre-attack intelligence layer. It’s threat intelligence that sits above your current intel stack – and it enables your teams to act before the first malicious payload is ever delivered.
In this blog, we'll examine what the pre-attack intelligence layer does, why mature programs don't have it yet, and what changes when they do.
What the Pre-Attack Intelligence Layer Is
The pre-attack intelligence layer can be understood as a feed built around a specific type of signal. We call these signals Indicators of Pre-Attack, or IoPAs. In MITRE ATT&CK terms, they correspond to the Reconnaissance and Resource Development tactics – the earliest stages of the attack lifecycle, and the ones traditional feeds were never built to address. They are nonetheless visible signs of attacker setup activity: domain registrations, certificate issuance, command-and-control configuration, scanning behavior, phishing kit development. These signs live outside your environment, in the infrastructure attackers build when they’re preparing an operation.
A feed built on IoPAs does five things. It collects pre-attack telemetry from across the internet and identifies signals tied to attacker staging. It correlates those signals to real enterprise assets - domains, brands, customers, revenue paths – and establishes which exposures are relevant. It validates exploitability to separate credible threats from background noise. It disrupts confirmed threats through automated takedowns that disable or remove attacker infrastructure before it goes operational. And it enriches existing SOC, SIEM, SOAR, and TIP systems with live prevention data.
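As an added illustration of the collect, correlate and enrich steps described above (example code written for this page, not Malanta's product or code): it runs constructed domain-registration and certificate-transparency events against an assumed enterprise asset list, flags lookalike and brand-embedding domains with a homoglyph-aware edit-distance check, and emits TIP-ready records tagged with the ATT&CK techniques for acquiring domains and certificates. The asset list, the telemetry, the scoring weights and the 70-point "actionable" threshold are all assumptions. The validate and disrupt steps need live lookups and takedown integrations, so here they are represented only by a confidence score that rises when the constructed telemetry says the infrastructure is already resolving.

```python
"""Correlate constructed pre-attack telemetry (IoPAs) against enterprise assets.

Added example for this page, not Malanta's code. Every input below is
constructed for illustration; weights and thresholds are assumptions.
"""
import unicodedata

# Assumed enterprise assets: owned domains plus brand tokens to watch for.
ENTERPRISE_DOMAINS = ["examplebank.com", "examplebank.co.uk"]
BRAND_TOKENS = ["examplebank", "example-bank"]

# Constructed telemetry: newly registered domains and CT log issuance events.
# "resolves" stands in for a live DNS check, which an offline example cannot do.
TELEMETRY = [
    {"source": "domain_registration", "domain": "examp1ebank.com", "resolves": True},
    {"source": "ct_log", "domain": "login-examplebank.com", "resolves": True},
    {"source": "ct_log", "domain": "secure-examplebank-verify.net", "resolves": False},
    {"source": "domain_registration", "domain": "examplebank-support.com", "resolves": False},
    {"source": "domain_registration", "domain": "unrelatedshop.io", "resolves": True},
    {"source": "ct_log", "domain": "www.examplebank.com", "resolves": True},  # owned, not a threat
]

# ATT&CK techniques under the Resource Development tactic (TA0042).
TECHNIQUE_BY_SOURCE = {
    "domain_registration": "T1583.001 Acquire Infrastructure: Domains",
    "ct_log": "T1588.004 Obtain Capabilities: Digital Certificates",
}

# Common digit/symbol substitutions collapsed so "examp1ebank" reads as "examplebank".
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "-": ""})
LOOKALIKE_MAX_DISTANCE = 2   # assumption
ACTIONABLE_THRESHOLD = 70    # assumption


def normalize(label):
    """Fold IDN/accented characters to ASCII, lowercase, and undo homoglyph tricks."""
    ascii_label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    return ascii_label.lower().translate(HOMOGLYPHS)


def levenshtein(a, b):
    """Plain edit distance; small strings, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_owned(domain, owned_domains):
    """True for an enterprise apex domain or any subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in owned_domains)


def match_brand(domain, brand_tokens):
    """Return (match_type, brand) or None. Checks the second-level label only."""
    sld = normalize(domain.split(".")[-2])
    for brand in {normalize(t) for t in brand_tokens}:
        if levenshtein(sld, brand) <= LOOKALIKE_MAX_DISTANCE:
            return "lookalike", brand          # e.g. examp1ebank -> examplebank
        if brand in sld:
            return "brand_embedding", brand    # e.g. login-examplebank
    return None


def correlate(events, owned_domains, brand_tokens):
    """Collect -> correlate -> enrich: keep only events that touch an enterprise asset."""
    indicators = []
    for ev in events:
        if is_owned(ev["domain"], owned_domains):
            continue  # our own certificate renewals and subdomains are not IoPAs
        matched = match_brand(ev["domain"], brand_tokens)
        if matched is None:
            continue  # background noise unrelated to our assets
        match_type, brand = matched
        confidence = 50 if match_type == "lookalike" else 40   # assumed base weights
        if ev["resolves"]:
            confidence += 30   # infrastructure is already staged and reachable
        if ev["source"] == "ct_log":
            confidence += 10   # a certificate suggests a TLS phishing page is coming
        indicators.append({
            "domain": ev["domain"],
            "asset": brand,
            "match": match_type,
            "technique": TECHNIQUE_BY_SOURCE[ev["source"]],
            "confidence": confidence,
            "status": "actionable" if confidence >= ACTIONABLE_THRESHOLD else "candidate",
        })
    return sorted(indicators, key=lambda r: -r["confidence"])


if __name__ == "__main__":
    for row in correlate(TELEMETRY, ENTERPRISE_DOMAINS, BRAND_TOKENS):
        print(row)
```

The records are shaped so they can be pushed into a TIP or SIEM watchlist as-is: the two "actionable" rows are the ones a takedown workflow would pick up, while the "candidate" rows are worth re-checking once the domains start resolving or receive certificates.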
Why Mature Programs Don't Have It Yet
The feeds running in most mature programs were built for a specific job. They surface known indicators, enrich alerts with context, and give analysts something to act on once attacker activity is visible inside the environment. That's a legitimate and necessary function - and those feeds do it well.
IoPA feeds operate on a different premise. IoPAs appear outside the environment, before any alert exists, during the window when attacker infrastructure is still being staged. That puts them entirely outside what existing feeds were designed to deliver. Mature programs measure what their tools are built to measure - and the pre-attack window simply falls outside the scope of every feed they're already running. The numbers confirm it. In our recent survey, zero percent of organizations measured whether threats were stopped before they became operational, and only 12% tracked any prevention-focused metrics at all.
That includes what most programs consider their external threat intelligence. For a long time, that meant dark web monitoring - tracking stolen credentials, leaked data, and criminal forum activity after it surfaced. This was useful for its era. The problem is that threat actors have moved on. They now operate on purpose-built infrastructure and automate setup at scale. The signals that matter most are no longer found in forums. They're found in the infrastructure attackers build before they strike. And that makes the pre-attack intelligence layer the natural evolution of external threat intelligence.
What Changes When the Pre-Attack Intelligence Layer Is in Place
Adding a pre-attack intelligence layer changes nothing in the existing security stack. Your tools, your workflows, your teams - none of that is replaced or restructured. The pre-attack intelligence layer sits above what's already there, extending coverage into the pre-attack window and feeding validated intelligence back into your existing SOC, SIEM, SOAR, and TIP systems.
This changes your defensive timeline. Defense no longer starts at the first alert. It starts when attacker infrastructure begins taking shape. By the time a traditional feed would have surfaced its first alert, the pre-attack intelligence layer has already identified the relevant IoPAs, confirmed which exposures are real, and taken down the infrastructure.
That matters for every system downstream - including the AI agents security programs are increasingly deploying to automate investigation and triage. Those agents inherit the limitations of the feeds they run on - meaning they process signals of activity already in motion. Remove the infrastructure early enough, and there's no signal to process. That means fewer false positives reaching agents, less hallucination on incomplete context, and AI agents that start from a cleaner picture of the threat environment.
What’s more, the pre-attack intelligence layer changes more than tooling. For threat intelligence teams, it reframes their function entirely. The job stops being the management of feeds that describe known threats and becomes the disruption of infrastructure that hasn't been activated yet. Directors of Threat Intelligence can finally measure what their function prevents, not just what it processes - with a direct line between their team's work and attacks that never happened.
The Bottom Line
Mature security programs have the feeds, the tools, and the operational discipline to respond when an attack begins. That's both an advantage and a disadvantage. The advantage is operational maturity. The disadvantage is that skillsets and tooling are oriented toward the after-the-fact: after attack infrastructure is live, after attackers have reached the environment, after containment is the only option.
The pre-attack intelligence layer extends these capabilities into the window where mature programs currently have no coverage - and where prevention is still possible. For programs that have built everything else, it's the one piece that isn't there yet - and the only one that stops attacks before they start.
Start preventing attacks before they launch. Get access to Malanta today.