The lifecycle, in plain language

The intelligence lifecycle as taught in US national-intelligence tradecraft (the CIA Sherman Kent School curriculum, the ODNI Analytic Tradecraft Standards) has six steps. Requirements: the consumer states the question. Collection: analysts gather information against the question. Processing: the information is normalized into a form the analyst can work with. Analysis: the analyst applies tradecraft to produce findings. Dissemination: the findings reach the consumer in the form they need. Feedback: the consumer evaluates whether the answer met the requirement, and the requirement is refined.

Cyber Threat Intelligence inherits this lifecycle directly. A CTI team responding to a Priority Intelligence Requirement (PIR) such as 'which APT groups are most likely to target our financial-services subsidiary in the next 12 months' will follow the same six steps. Requirements clarification with the CISO. Collection from open-source CTI feeds (Mandiant, Microsoft Threat Intelligence, Recorded Future, government advisories from CISA), commercial CTI subscriptions, and internal incident telemetry. Processing into a normalized data model (often STIX 2.1 bundles). Analysis against the Diamond Model and ATT&CK. Dissemination as a strategic intelligence product the CISO can read in 15 minutes. Feedback when the CISO comes back with follow-up questions.

The practical implication is that a CTI analyst's daily work shapes itself to whichever lifecycle step the team is in for the active requirement. New analysts often want to spend all their time on analysis (the most visible step); senior analysts often spend more time on requirements clarification (the step that determines whether the rest of the work matters).