How do you make your intelligence requirements actionable? How do you go from broad questions about threats to operational tasks your cyber threat intelligence team can complete? You need an intelligence collection plan.
An intelligence collection plan is a systematic way of tracking your intelligence requirements, the data sources that empower your team to fulfill them, and the daily tasks that lead to their completion. It is a key piece of documentation that all cyber threat intelligence teams require to move from the planning stage to the collection stage of the threat intelligence lifecycle.
This guide will teach you how to build an intelligence collection plan. It will start by highlighting the key features a collection plan must include, show you a four-step process for creating it, and conclude with advice on building a collection Wiki to support your plan.
Let’s jump in and start making your intelligence requirements actionable!
What is a Collection Plan?
Intelligence requirements should drive all the intelligence you produce for your organization. They are the foundations on which you build all your cyber threat intelligence (CTI) work and are the output on which your success is measured.
That’s great. I need intelligence requirements. But what are the practical steps to doing this?
This is where a collection plan comes in. Collection planning is the process of systematically tracking your intelligence requirements, breaking them down into actionable Request for Information (RFI) tasks, and mapping these tasks to data sources that you can use to answer them.
Your collection plan is the key piece of documentation created through collection planning and outlines how you plan to fulfill your intelligence requirements. A CTI team’s collection plan answers several key questions:
- What are the intelligence requirements the team has been tasked with fulfilling?
- What individual tasks must the team complete to support the fulfillment of an intelligence requirement?
- What is each intelligence requirement’s Intelligence Cut-Off Date (ICOD), after which the intelligence is no longer useful?
- What data sources are available to the team?
- What data sources can be used to fulfill each intelligence requirement?
- What are the team’s key data sources (most heavily relied on)?
- What potential intelligence gaps exist where a data source does not support an intelligence requirement?
An Intelligence Cut-Off Date (ICOD) is when the intelligence produced is no longer helpful to the intelligence consumer. For instance, if a stakeholder needs to know about ransomware trends for their 2026 report, an ICOD could be January 2027, before the report is finalized and released.
A collection plan is a type of Collection Management Framework (CMF). A CMF maps informational needs to the data sources available. Typically, you list your informational needs on the Y axis and the data sources available on the X axis. Then, you fill in each cell with the information (or the characteristics of that information, such as searchable fields) that the data source can be queried for.

This helps analysts know what questions they can ask of their data sources and the characteristics of this information (e.g., retention period). Using this knowledge, analysts can use CMFs as cheat sheets when answering investigative questions, responding to an incident, or performing threat hunting.
There are various kinds of CMFs, from those that focus on internal data to those that focus on external data sources. A cyber security team may use multiple CMFs during an investigation. The CTI team’s CMF is a collection plan.
PIR | RFI | Deliverable | ICOD | SIEM | EDR | Dark Web Monitoring | Threat Feed |
---|---|---|---|---|---|---|---|
PIR 1 | RFI 1.1 | Weekly report | <date> | Yes | Yes | No | Yes |
PIR 1 | RFI 1.2 | Threat feed | N/A | No | No | Yes | No |
PIR 2 | RFI 2.1 | Custom dashboard | <date> | No | No | Yes | Yes |
PIR 2 | RFI 2.2 | One-off report | <date> | Yes | Yes | No | No |
PIR 3 | RFI 3.1 | Daily Slack message | N/A | Yes | No | No | Yes |
PIR 3 | RFI 3.2 | One-off report | <date> | Yes | Yes | Yes | No |
You can create your collection plan using various types of software. Here are some popular options:
- Spreadsheets: A simple and easy-to-use solution. The biggest challenge is making it available to everyone in a readable format. Examples include Excel or Google Sheets.
- Threat Intelligence Platforms: These are great for linking your intelligence requirements to specific threat events, activities, or investigations. However, there is often a learning curve. Examples are OpenCTI or MISP.
- Project Management Software: This is ideal for larger teams sharing their collection plan with many people. Again, it can allow you to link requirements to specific intelligence activities, but it requires additional learning. Examples include Jira, Notion, or ClickUp.
- Custom Databases: Perhaps overkill for creating a collection plan, but by far the most customizable solution. Custom databases offer the flexibility to edit, modify, and share requirements however you like. They are not recommended unless you have development experience or a lot of free time.
Regardless of what tool you use to create your collection plan, it must be available to everyone on your CTI team and the stakeholders whose intelligence requirements you fulfill. This availability provides your CTI team with the big picture and ensures stakeholder expectations are aligned with intelligence tasking.
Now you know what a collection plan is, let’s explore how to create one!
How to Create a Collection Plan
Creating a collection plan is not as intellectually demanding as some CTI processes, such as analysis. Instead, it requires strong organizational skills: gathering intelligence requirements and data sources, then creating the RFIs that connect the two.
You can create a collection plan in four steps:
- Define Priority Intelligence Requirements (PIRs)
- Identify data sources
- Translate PIRs into RFIs
- Put it all together into a collection plan

Let’s walk through these steps to see how to apply them practically.
Step 1: Defining Priority Intelligence Requirements
The first step to creating a collection plan is defining your Priority Intelligence Requirements (PIRs).
When you start the planning stage of the CTI lifecycle, you must establish the information needs of your organization and create a list of intelligence requirements that will satisfy these needs. These requirements are the foundation for all your CTI work, from collection to analysis to dissemination.
There are various methods you can use to create these intelligence requirements:
- Start with a list of General Intelligence Requirements (GIRs) and distill them to match your organization.
- Interview key stakeholders within your business to find out how intelligence can help them.
- Perform an Intelligence Preparation of the Cyber Environment (IPCE) exercise to analyze your business’s cyber environment and create highly relevant intelligence requirements based on crown jewel analysis, threat modeling, and threat profiling.
Unfortunately, not all intelligence requirements you generate will be feasible. Your CTI team will often lack the ability or resources to fulfill every intelligence requirement that could benefit your business. As such, you must prioritize these intelligence requirements to build a list of PIRs your team can realistically accomplish.
Common methods for turning your intelligence requirements into PIRs include:
- MoSCoW: The easiest prioritization method to use. You simply split your requirements into Must-haves, Should-haves, Could-haves, and Won’t-haves based on business needs and return on investment (ROI). It can be challenging to implement when multiple stakeholders are involved.
- A RACI Matrix: A popular tool project managers and consultants use to clarify the roles and responsibilities of completing a project or making a decision. This is good for when multiple stakeholders are involved in the intelligence requirements generation process and all want a say in what becomes a PIR.
- Aggregating, Scoring, and Ranking: Data analysis techniques to fairly “voice” every stakeholder’s opinion based on their level of involvement in the intelligence product. This is the most comprehensive way to create PIRs, but also the most time-consuming.
To learn more about creating Priority Intelligence Requirements (PIRs), read How to Prioritize Customer Needs: Priority Intelligence Requirements.
Using one (or all) of these methods will produce a list of achievable PIRs you can add to your collection plan.
PIR | RFI | ICOD | <data source> | <data source> | <data source> | <data source> |
---|---|---|---|---|---|---|
PIR 1 | RFI 1.1 | | | | | |
PIR 1 | RFI 1.2 | | | | | |
PIR 2 | RFI 2.1 | | | | | |
PIR 2 | RFI 2.2 | | | | | |
PIR 3 | RFI 3.1 | | | | | |
PIR 3 | RFI 3.2 | | | | | |
Next, you want to identify the available data sources to help you fulfill these requirements.
Step 2: Identifying Data Sources
Step two focuses on identifying your data sources. This could be anything from Endpoint Detection and Response tools (EDR) to threat intelligence collected from the dark web.
To provide some structure for this identification process, you can break down your data sources into several categories:
- Technical: Data collected from a technical control (e.g., log). This includes the technical aspects of cyber threats, such as malware, exploits, hacking tools, attacker infrastructure (domains and IP addresses), and TTPs.
- Human: Information collected from a human source. This could include a cybercriminal on the dark web or someone within your organization (e.g., the IT team providing you with a list of user roles).
- Open: Data that is freely available. This includes intelligence from open-source CTI feeds or news sites and data you can collect from the organization (e.g., logs).
- Closed: Sources behind a paywall or ones with restrictions on who can access them. These could be proprietary threat feeds or restricted cybercrime forums. Access to these data tends to be harder to achieve or more volatile.
These four categories should help you determine what data sources are available to you as a CTI analyst. Here is an example of some data sources that might be available.
 | Technical | Human |
---|---|---|
Open | OS logs, authentication logs, mail transaction logs, cloud activity logs, antivirus logs, Zeek logs, VPN access logs, web proxy logs, EDR logs, open-source threat feeds | User roles, asset roles, installed applications |
Closed | Proprietary threat feed (malware), proprietary threat feed (network indicators) | Private message group access (Signal), private cybercrime forum |
With a list of available data sources, you can begin to group these into categories to make them more manageable for your collection plan. For instance, if your organization has centralized logging, you can group many “logs” identified under SIEM. You can group threat intelligence into categories based on what information it provides (e.g., endpoint indicator threat feed, network indicator threat feed, friendly intel, dark web intel, etc.).
Once grouped, you can add your data sources to your collection plan.
PIR | RFI | ICOD | SIEM | EDR | Dark Web Monitoring | Threat Feed |
---|---|---|---|---|---|---|
PIR 1 | RFI 1.1 | | | | | |
PIR 1 | RFI 1.2 | | | | | |
PIR 2 | RFI 2.1 | | | | | |
PIR 2 | RFI 2.2 | | | | | |
PIR 3 | RFI 3.1 | | | | | |
PIR 3 | RFI 3.2 | | | | | |
The next step is to make your PIRs actionable by breaking them down into RFIs.
Step 3: Translate PIRs into RFIs
Now that you have your PIRs and data sources in your collection plan, you need to move into the operational world of CTI and define the day-to-day tasks to ensure the PIRs are fulfilled.
You do this by breaking down your PIRs into actionable tasks that your CTI team can complete. These tasks are called Requests for Information (RFIs) and are what you undertake daily as a CTI analyst. Each PIR comprises one or more RFIs, depending on the scope of the requirement and how many questions are needed to encapsulate it fully.
For instance, a PIR may ask: “Which Russian nation-state sponsored APT groups will likely target the organisation?” You could break this question down into several narrower questions, such as:
- What Russian APTs are currently actively targeting our organization’s industry?
- What Russian APTs are targeting our demographic?
- What are the capabilities of these Russian APT groups?
- What are the likely objectives of their attacks?
- What socio-economic factors would change Russian APTs targeting our organization?
- What political factors would change Russian APTs targeting our organization?
- Are there relevant technological trends that may impact Russian APTs targeting our organization?
- How do Russian APT groups establish targeting patterns?
- Are there any regulatory changes in our jurisdiction that may impact the Russian state’s APTs targeting us?
You can use techniques like PESTLE analysis to help you break down PIRs into RFIs. This environmental scanning technique provides a framework for assessing the Political, Economic, Social, Technological, Legal, and Environmental factors affecting a PIR. Performing this technique allows you to engage in divergent thinking and better assess how to address the PIR thoroughly.
For example, using the previously stated PIR “Which Russian nation-state sponsored APT groups will likely target the organisation?”, you can use the six PESTLE categories to break down this question further.
Political | Economic | Social | Technological | Environmental | Legal |
---|---|---|---|---|---|
What political factors would change Russian APTs targeting our organization? | What socio-economic factors would change Russian APTs targeting our organization? | What Russian APTs are targeting our demographic? | What are the capabilities of these Russian APT groups? | | Are there any regulatory changes in our jurisdiction that may impact the Russian state’s APTs targeting us? |
How do Russian APT groups establish targeting patterns? | What are the likely objectives of their attacks? | What Russian APTs are currently actively targeting our organization’s industry? | Are there relevant technological trends that may impact Russian APTs targeting our organization? | | |
Here I have mapped our questions into the six PESTLE categories. These individual questions can then be transformed into RFIs that help you fulfill the original PIR.
PIR | RFIs |
---|---|
Which Russian nation-state sponsored APT groups will likely target the organisation? | What changes to the political objectives of the Putin regime would change Russian APTs targeting our organization? |
 | How do Russian APT groups establish targeting patterns under the current administration? |
 | What are the capabilities of these Russian APT groups? |
 | What are the likely objectives of their attacks? |
 | How will the rise of AI over the next five years impact Russian APTs targeting our organization? |
 | What Russian APTs are targeting the UK healthcare sector? |
 | How will recent changes to GDPR impact Russian APTs targeting our organization? |
Notice how some questions have been combined while others have been made more specific as they are turned into RFIs. Your RFIs should follow the same success criteria as your intelligence requirements: singular, atomic, decision-centric, and timely.
This structured approach allows you to produce detailed questions that are still relevant to the overall PIR that you can research. It also gives you a good idea of the overall intelligence effort to fulfill a certain PIR.
In addition, an RFI can carry an ICOD by which it must be completed so that the intelligence produced remains relevant. Whether it does depends on which of the two types of RFI it is:
- Standing RFIs: These are tied to an organization’s standing areas of concern, which rarely change. They are ongoing and only stop if a major change happens. As they are performed continuously, these RFIs usually have no applicable ICOD (recorded as N/A in the plan).
- Non-standing RFIs: These RFIs have a defined beginning and end, including an ICOD by which they must be completed to remain relevant.
PIR | RFI | ICOD | SIEM | EDR | Dark Web Monitoring | Threat Feed |
---|---|---|---|---|---|---|
PIR 1) Which Russian nation-state sponsored APT groups will likely target the organisation? | RFI 1.1) What changes to the political objectives of the Putin regime would change Russian APTs targeting our organization? | <date> | | | | |
PIR 1 | RFI 1.2) How do Russian APT groups establish targeting patterns under the current administration? | <date> | | | | |
PIR 1 | RFI 1.3) What are the capabilities of these Russian APT groups? | N/A | | | | |
PIR 1 | RFI 1.4) What are the likely objectives of their attacks? | <date> | | | | |
PIR 1 | RFI 1.5) How will the rise of AI over the next five years impact Russian APTs targeting our organization? | <date> | | | | |
PIR 1 | RFI 1.6) What Russian APTs are targeting the UK healthcare sector? | N/A | | | | |
PIR 1 | RFI 1.7) How will recent changes to GDPR impact Russian APTs targeting our organization? | <date> | | | | |
PIR 2 | RFI 2.1 | | | | | |
PIR 2 | RFI 2.2 | | | | | |
PIR 3 | RFI 3.1 | | | | | |
PIR 3 | RFI 3.2 | | | | | |
You now have all the pieces to create your collection plan. Let’s see how you can assemble them by mapping RFIs to data sources.
Step 4: Putting it all Together
The final step in creating a collection plan is mapping the RFIs you created to the data sources you can use to answer them.
In theory, this is a simple step. For each RFI, you put a Yes or No under every data source, recording whether that source can help answer it. An RFI that ends up with No in every column is an intelligence gap, one of the things the plan exists to expose, and should be recorded as such rather than quietly left blank. To fill the matrix accurately, however, you must be able to interpret each data source listed and understand what questions you can ask of it.
These are key cognitive skills analysts must master to use a data source effectively. They can be broken into two components:
- Interpretation: The ability to interpret the data and understand what relationships it represents.
- Capability Comprehension: Knowing what questions can be asked of a data source (e.g., what searchable items does this data source provide?)
These are not the only skills an analyst must master to utilize a data source. They must also be able to collect the data and manipulate it to produce the answer to their question. Both of these are technical skills.
In addition to mapping your RFI to a data source, you must map your RFI to an intelligence deliverable that will satisfy its completion.
This could be simple, like a daily update in a Slack channel, a weekly report emailed to the SOC, or a monthly presentation you deliver to executives. However, it could also be part of a more tactical approach, like building a threat profile, investigating executives’ digital footprints, maintaining a threat feed, or building a custom dashboard.
How you decide on your intelligence deliverables will depend on the target audience, agreed-upon cadence, and underlying goal of the RFI.
Once you fully understand the data sources available to you, the relationships they represent, and what questions you can ask of them, you map each of your RFIs to each data source and add the deliverable(s) that will be produced. Here is what that might look like.
PIR | RFI | Deliverable | ICOD | SIEM | EDR | Dark Web Monitoring | Threat Feed |
---|---|---|---|---|---|---|---|
PIR 1) Which Russian nation-state sponsored APT groups will likely target the organisation? | RFI 1.1) What changes to the political objectives of the Putin regime would change Russian APTs targeting our organization? | One-off report | <date> | No | No | Yes | Yes |
PIR 1 | RFI 1.2) How do Russian APT groups establish targeting patterns under the current administration? | One-off report | <date> | No | No | Yes | Yes |
PIR 1 | RFI 1.3) What are the capabilities of these Russian APT groups? | Monthly report | N/A | Yes | Yes | Yes | Yes |
PIR 1 | RFI 1.4) What are the likely objectives of their attacks? | Quarterly report | <date> | Yes | Yes | Yes | Yes |
PIR 1 | RFI 1.5) How will the rise of AI over the next five years impact Russian APTs targeting our organization? | One-off report | <date> | No | No | Yes | Yes |
PIR 1 | RFI 1.6) What Russian APTs are targeting the UK healthcare sector? | Threat feed and dashboard in threat intelligence platform | N/A | No | No | Yes | Yes |
PIR 1 | RFI 1.7) How will recent changes to GDPR impact Russian APTs targeting our organization? | Annual report | <date> | No | No | Yes | No |
PIR 2 | RFI 2.1 | | <date> | | | | |
PIR 2 | RFI 2.2 | | <date> | | | | |
PIR 2 | RFI 2.3 | | <date> | | | | |
PIR 3 | RFI 3.1 | | <date> | | | | |
PIR 3 | RFI 3.2 | | <date> | | | | |
There you have it! A complete collection plan that your CTI team can use to begin fulfilling the intelligence requirements you’ve been tasked with completing. Obviously, yours will be much larger in real life.
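Once the plan is a table, the questions from the start of this guide (which RFIs have no supporting source, which ICODs are approaching, which sources the team leans on most) can be answered mechanically rather than by eyeballing a spreadsheet. The following Python model is an added example and is not part of the original guide or any tool it mentions. It loads PIR 1 from the table above; the ICOD dates, the `PIR 2` placeholder and its deliberately uncovered `RFI 2.1` are constructed to exercise the checks, and the four source columns match the tables.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# The data source columns of the collection plan, as in the tables above.
SOURCES = ("SIEM", "EDR", "Dark Web Monitoring", "Threat Feed")


@dataclass
class RFI:
    rfi_id: str
    question: str
    deliverable: str
    icod: Optional[date]                          # None = standing RFI, no cut-off
    sources: dict = field(default_factory=dict)   # source name -> True (Yes) / False (No)


@dataclass
class PIR:
    pir_id: str
    question: str
    rfis: list


def _cov(siem: bool, edr: bool, dark_web: bool, feed: bool) -> dict:
    """Build one Yes/No row of the coverage matrix in SOURCES order."""
    return dict(zip(SOURCES, (siem, edr, dark_web, feed)))


def find_gaps(plan: list) -> list:
    """Intelligence gaps: RFIs that no data source in the plan supports."""
    return [r.rfi_id for p in plan for r in p.rfis
            if not any(r.sources.get(s, False) for s in SOURCES)]


def expiring(plan: list, today: date, within_days: int) -> list:
    """Non-standing RFIs whose ICOD has passed or falls within the window."""
    horizon = today + timedelta(days=within_days)
    return [r.rfi_id for p in plan for r in p.rfis
            if r.icod is not None and r.icod <= horizon]


def source_reliance(plan: list) -> list:
    """(source, number of RFIs it supports), most relied-upon first, ties by name."""
    counts = {s: 0 for s in SOURCES}
    for p in plan:
        for r in p.rfis:
            for s in SOURCES:
                if r.sources.get(s, False):
                    counts[s] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def check_plan(plan: list) -> list:
    """Consistency checks: unknown source columns, and one-off work with no ICOD."""
    problems = []
    for p in plan:
        for r in p.rfis:
            for s in r.sources:
                if s not in SOURCES:
                    problems.append(f"{r.rfi_id}: unknown data source {s!r}")
            if r.icod is None and r.deliverable.lower().startswith("one-off"):
                problems.append(f"{r.rfi_id}: one-off deliverable has no ICOD")
    return problems


# Constructed sample plan: PIR 1 as in the table above (dates are placeholders),
# plus a constructed PIR 2 whose single RFI no source supports.
PLAN = [
    PIR("PIR 1", "Which Russian nation-state sponsored APT groups will likely target the organisation?", [
        RFI("RFI 1.1", "What changes to the political objectives of the Putin regime would change Russian APTs targeting our organization?", "One-off report", date(2025, 3, 31), _cov(False, False, True, True)),
        RFI("RFI 1.2", "How do Russian APT groups establish targeting patterns under the current administration?", "One-off report", date(2025, 6, 30), _cov(False, False, True, True)),
        RFI("RFI 1.3", "What are the capabilities of these Russian APT groups?", "Monthly report", None, _cov(True, True, True, True)),
        RFI("RFI 1.4", "What are the likely objectives of their attacks?", "Quarterly report", date(2025, 3, 31), _cov(True, True, True, True)),
        RFI("RFI 1.5", "How will the rise of AI over the next five years impact Russian APTs targeting our organization?", "One-off report", date(2025, 9, 30), _cov(False, False, True, True)),
        RFI("RFI 1.6", "What Russian APTs are targeting the UK healthcare sector?", "Threat feed and dashboard in threat intelligence platform", None, _cov(False, False, True, True)),
        RFI("RFI 1.7", "How will recent changes to GDPR impact Russian APTs targeting our organization?", "Annual report", date(2025, 12, 31), _cov(False, False, True, False)),
    ]),
    PIR("PIR 2", "<constructed placeholder PIR>", [
        RFI("RFI 2.1", "<constructed placeholder RFI with no supporting source>", "One-off report", None, _cov(False, False, False, False)),
    ]),
]

AS_OF = date(2025, 1, 15)   # constructed "today" for the ICOD check

if __name__ == "__main__":
    print("Intelligence gaps:", find_gaps(PLAN))
    print("ICOD within 90 days of", AS_OF, ":", expiring(PLAN, AS_OF, 90))
    print("Source reliance:", source_reliance(PLAN))
    print("Problems:", check_plan(PLAN))
```

Running it flags `RFI 2.1` twice: once as a gap (no source can answer it) and once as a consistency problem (a one-off deliverable with no ICOD, which by the definitions above cannot be a standing RFI). The reliance ranking also makes the team's dependence on dark web monitoring and the threat feed explicit, which is the information you need when negotiating budget for a closed source or deciding which source to replace first.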
To take things one step further, let’s look at how you can create a collection Wiki to complement your collection plan so your CTI analysts don’t need to remember how to use every data source you have.
Building a Collection Wiki for Your Collection Plan
A collection Wiki is a knowledge base that explains how analysts can effectively use each data source listed in your collection plan. It provides detailed guidance on the data sources analysts can use to answer their RFIs by answering key investigatory questions they might have.
You can break your collection Wiki into three sections:
- Data Source Reference: A section that documents each data source: how to access it, how the data is created, how long it is retained, what coverage exists, what fields it contains, and any miscellaneous notes about its implementation at your organization.
- Most Searched Fields: This focuses on where else you can learn more about a certain piece of evidence. For instance, what data sources contain the “username” field? This provides analysts with pivot points to expand their research or investigation.
- Data Acquisition Appendix: This section provides information on what analysts can access and where it is kept, allowing them to understand what data they have to work with. This can save a lot of time when performing research or during an investigation.
Aim to create a collection Wiki to support your collection plan and make both easily accessible to your CTI team. This documentation will save you countless hours when performing CTI work.
Conclusion
An intelligence collection plan is a systematic approach to tracking your intelligence requirements, the data sources that empower your team to meet them, and the daily tasks that contribute to their fulfillment.
It is a crucial piece of documentation that all cyber threat intelligence teams need to traverse the threat intelligence lifecycle and move from the planning stage to the collection stage.
This guide has taught you the importance of having a comprehensive collection plan, how to create one in four simple steps, and how to build a collection Wiki to support your plan. Using this knowledge, you can now create a collection plan for your organization and start making your intelligence requirements actionable!
Frequently Asked Questions
How Do You Write an Intelligence Collection Plan?
An intelligence collection plan is a key piece of documentation for your organization’s cyber threat intelligence team. You can create an intelligence collection plan using four simple steps:
- Define Priority Intelligence Requirements (PIRs): You must turn your intelligence requirements into PIRs by prioritizing the most mission-critical ones your team can fulfill.
- Identify data sources: Locate all available data sources to investigate cyber threats and add them to your collection plan.
- Translate PIRs into RFIs: Break down your PIRs into actionable Request for Information (RFI) tasks that your cyber threat intelligence team can complete daily.
- Put it all together: Map your RFIs to the data sources that will aid your team in completing them. This lets your team quickly research or investigate their RFI tasks and fulfill PIRs.
How is Cyber Threat Intelligence Collected?
Cyber threat intelligence (CTI) can be collected in various ways, depending on available data sources. You can break data sources into internal and external sources (e.g., internal to your organization or external and held by someone else) and technical and human sources (e.g., data gathered from technical sources or collected from humans).
Cyber security and CTI teams often use Collection Management Frameworks (CMFs) to help organize their data sources and map out what investigatory questions they can answer. One form of CMF is an intelligence collection plan.
What is a Collection Wiki?
A collection Wiki is a knowledge base containing all the data sources available at your organization and how to use them. It includes how you can access the data source, how it’s created, how long it’s retained, what coverage exists, what fields you can query, and any miscellaneous notes specific to your organization’s implementation.
The Wiki is a shortcut for analysts to quickly look up their data sources and understand how to use them effectively. It is a time-saver during investigations or research.
What is a Collection Management Plan?
An intelligence collection management plan, or collection plan, is a document that includes your cyber threat intelligence team’s Priority Intelligence Requirements (PIRs) and your organization’s data sources that aid in fulfilling these requirements. PIRs are mapped to data sources using Request for Information (RFI) tasks that turn PIRs into actionable activities at the operational level.
This document formalizes PIRs, RFIs, and the data sources available to the cyber threat intelligence team. It also acts as a guide for producing intelligence products that can be shared with key stakeholders.