
The modern threat environment doesn't wait for a briefing cycle. Threat actors adapt their tactics within days, share technical knowledge across borders within hours, and exploit the same open, connected world that defence and security organisations operate in every day. For governments, militaries and security departments, the ability to gather, verify and act on credible intelligence, before an adversary can exploit a gap, has become a defining measure of operational advantage. This is where threat intelligence, and specifically open source intelligence (OSINT), earns its place at the centre of modern defence planning. Done well, it turns publicly available information into a genuine tactical edge. Done badly, it becomes noise: unverified, out of date, and a drain on analyst time rather than a support to it.
At EWS, we've spent years building and refining exactly this capability for governments, defence and security customers around the world. It's most visible in our Open Source Threat Database (OSTD), a near real-time repository tracking global improvised explosive device (IED) and radio-controlled IED (RCIED) events. This article sets out what threat intelligence actually is, how OSINT underpins it, and how a disciplined, analyst-led approach to open source data delivers the kind of intelligence that defence and security decision-makers can rely on.
Threat intelligence is the process of collecting, analysing and interpreting information about existing or emerging threats so that decision-makers, analysts and operational teams can act on it with confidence. It isn't raw data. A stream of unfiltered reports, social media posts or incident logs isn't intelligence until it has been assessed, verified and placed in context.
Every credible threat intelligence capability follows a similar path: information is collected from a range of sources, filtered for relevance, cross-checked for accuracy, and analysed by someone who understands the operational environment it relates to. Only then does it become a usable intelligence product, whether that's a single alert, a threat profile, or a wider trend report.
This distinction matters enormously in defence and security contexts, where an unverified or poorly contextualised piece of information can be as dangerous as having no information at all. A single unconfirmed report of a device type or attack method, acted on without proper analysis, can misdirect resources or, worse, create a false sense of security.
For governments, militaries, NGOs and security departments, threat intelligence supports decisions at every level, from shaping long-term policy and procurement, through operational planning for a deployment or campaign, to the tactical detail an analyst needs to brief a patrol before it leaves the wire. Good threat intelligence shortens the distance between an event happening somewhere in the world and that knowledge reaching the people who need it to stay safe, protect assets and complete their mission.
Want to see what analyst-verified threat intelligence looks like in practice? Explore the OSTD or get in touch to discuss a demonstration.
Threat intelligence is rarely a single, uniform product. It's typically understood across four levels, each serving a different audience and purpose.
Strategic intelligence provides the big picture: long-term trends, the motivations and capabilities of threat actors, and how the wider threat landscape is evolving. It's aimed at senior decision-makers shaping policy, budgets and long-term posture, rather than day-to-day operations.
Operational intelligence sits between the strategic and the tactical. It focuses on the who, why and how behind specific campaigns or threat activity, helping planners understand adversary intent and likely courses of action well enough to prepare a targeted response.
Tactical intelligence deals with the immediate and specific: current tactics, techniques and procedures (TTPs), device types, methods and indicators that analysts and operators need right now. This is the intelligence that informs a threat brief, shapes a patrol route, or flags a change in an adversary's method before it causes harm.
Technical intelligence covers the granular detail that supports detection and analysis, such as specific component types, switch mechanisms or signatures associated with a given threat. In a physical threat context, this might include the technical detail of an RCIED trigger mechanism.
Mature threat intelligence programmes draw on all four levels together. A strategic assessment without tactical detail can't inform a patrol brief; a stream of tactical alerts without strategic context can't inform investment or policy decisions.
Open source intelligence, or OSINT, is intelligence derived entirely from publicly available information: no classified access, no covert collection, just disciplined analysis of what's already out there.
OSINT draws on an enormous range of publicly accessible sources: news media, government publications, specialist journals and conference proceedings, social media, imagery and geospatial data, and metadata associated with any of the above. Analysts with the right training can build a remarkably detailed and current picture of a threat, an actor, or an operational environment purely from material that anyone, in theory, could access.
The advantage of OSINT is speed combined with accessibility. Classified intelligence pathways are, by necessity, slow and tightly controlled, which can limit how quickly relevant detail reaches the people who need it most. Open source collection, when properly managed, can move at the pace of the internet itself. An event captured on social media or reported by local media can be identified, verified and turned into a usable intelligence product within hours, sometimes faster, giving analysts and commanders a genuine head start.
This isn't a theoretical benefit. Analysts working on physical, kinetic threats such as IEDs routinely use open source reporting, imagery and social media activity to build situational awareness of an incident as it develops, cross-referencing device type, location and known actor patterns to inform force protection decisions in near real time. The same discipline that lets an analyst track and verify a single incident is what, applied consistently and at scale, produces a genuinely useful open source threat intelligence capability rather than a pile of unverified reports.
OSINT isn't a replacement for classified sources; it's a foundation that complements them. Because it carries no protective marking, open source threat intelligence data can be shared far more widely and quickly, across coalition partners, agencies and departments, without the friction that classification introduces. For many defence and security organisations, this makes OSINT the fastest and most widely distributable layer of their overall intelligence picture, even where classified sources remain essential for the most sensitive detail.
Not all open source threat intelligence feeds are created equal. The market is full of tools and data streams, and the difference between a useful feed and a distracting one comes down to a few consistent factors.
Threats evolve daily, sometimes hourly. A feed that's weeks or months out of date offers historical insight at best and can actively mislead if treated as current. Real-time and near-real-time threat intelligence, verified and entered by trained analysts as events occur, is what allows defence and security teams to track a dynamic threat as it actually develops, rather than reacting to it after the fact.
Threats rarely respect borders, and neither should the intelligence used to track them. Genuinely global threat intelligence coverage, spanning multiple regions, actor groups and device or method types, gives analysts the comparative context to spot emerging trends, not just isolated incidents.
Volume without discrimination is one of the most common failures in this space. A feed that produces large numbers of low-confidence, unverified or stale entries creates more work for analysts, not less, and risks eroding trust in the intelligence altogether. The organisations that get the most value from open source threat intelligence prioritise a smaller number of consistently accurate, well-sourced and properly maintained feeds over a larger volume of unfiltered noise. A credible source with a defined methodology, a named analyst team and a track record of accuracy will always outperform an unattributed feed at scale.
This is precisely the standard the OSTD was built to meet. Read on to see how.
H3: What the OSTD Tracks
The OSTD is a near real-time online repository of global RCIED and IED events, purpose-built for the C-IED (counter-IED) community. It's one of the most comprehensive databases of its kind, tracking tens of thousands of verified entries and continuing to grow daily. Every entry can be searched, filtered and reported on across variables including location, time, device type, switch mechanism, and attributable state or non-state actor, giving analysts a level of granularity that generic open source reporting simply can't match.
The OSTD is populated and maintained by EWS's own Intelligence Team, our human in the loop. Rather than relying purely on automated scraping, our analysts actively monitor publicly available information (PAI) from across the globe, critically assess IED tactics, techniques and procedures as they emerge, and enter verified, standardised data into the database daily. This is the discipline that separates genuine open source threat intelligence from an unfiltered feed of raw reports: every entry has passed through an analyst who understands the operational significance of what they're recording.
For defence and government customers, this translates directly into operational value. Rather than tasking already stretched intelligence analysts with hours of manual open-source collection, the OSTD delivers verified, structured data that can be researched and reported on in minutes. One NATO customer using the OSTD estimated a full day's saving per analyst, per week, freeing intelligence staff to focus on higher-value analysis rather than raw collection. That's time and capacity that can be redirected straight into force protection planning, threat profiling and mission-specific reporting.
Find out how the OSTD could support your team. Arrange a no-obligation OSTD demonstration with our Intelligence Team today.
With so many threat intelligence tools and feeds available, evaluating the right fit for a defence, government or security organisation comes down to a small number of practical questions.
EWS is recognised by governments, defence and security departments worldwide as a trusted supplier of open source threat intelligence data, analysis and reporting. Beyond the OSTD itself, our Intelligence Team also produces tailored reports, including recurring market and incident reports, RCIED threat profiles, threat-led business development reports, and responses to formal requests for information (RFIs), built around the specific requirements of each customer.
Threat intelligence is the process of collecting, verifying and analysing information about existing or emerging threats so that it can be used to inform decisions, from strategic policy down to tactical, on-the-ground action.
Open source threat intelligence is intelligence derived from publicly available information, such as media reporting, social media, imagery and public records, that has been collected, verified and analysed by trained analysts to produce a credible, actionable intelligence product.
OSINT allows defence and security organisations to build situational awareness quickly, without the delays associated with classified collection and dissemination. It's particularly valuable for tracking dynamic, fast-evolving threats such as IEDs and RCIEDs, where timely, verified detail can directly support force protection and operational planning.
OSINT refers specifically to the collection method of gathering information from open, publicly available sources. Threat intelligence is the broader discipline of turning any collected information, open source or classified, into verified, actionable intelligence products.
Threat intelligence is only as valuable as the discipline behind it. In a threat environment that moves as quickly as ours does, defence and security organisations need open source threat intelligence that is current, verified and directly relevant to the threats they actually face, not just a high volume of unfiltered data.
The OSTD has been built by EWS specifically to meet that standard for the global C-IED community, giving governments, defence and security customers a near real-time, analyst-verified picture of the RCIED and IED threats that matter to them.
If you'd like to discuss your intelligence requirements or arrange a no-obligation demonstration of the Open Source Threat Database, get in touch with the EWS team today.
