Introducing Intelligence Requirements in Flashpoint Ignite

What’s new

For many intelligence teams, Priority Intelligence Requirements (PIRs) have traditionally existed outside the platforms where intelligence work actually happens — managed through spreadsheets, static documentation, ticketing systems, or disconnected analyst workflows.

Flashpoint Ignite now introduces a dedicated Intelligence Requirements experience that brings both General Intelligence Requirements (GIRs) and Priority Intelligence Requirements (PIRs) directly into the platform.

Instead of treating PIRs as static planning exercises, organizations can now connect intelligence priorities to monitoring, investigations, triage, collaboration, and reporting workflows inside Ignite.

This update allows organizations to:

• Create and manage GIRs and PIRs directly inside Ignite
• Use pre-built PIR templates or create custom requirements
• Align alerts directly to PIRs
• Escalate intelligence activity into Investigations
• Measure intelligence activity tied to intelligence priorities and business risk

Together, these capabilities help teams create a more connected and measurable approach to intelligence operations.

Why it matters

Modern intelligence teams face a critical hurdle: translating vast collection efforts into strategic action and measurable business value.

While most CTI programs have internal priorities, execution often becomes fragmented across siloed alerts, spreadsheets, and disconnected tools. This lack of “connective tissue” prevents organizations from aligning technical activity with executive decision-making and business risk.

As programs scale, this friction forces teams to spend more time managing operational noise than addressing high-priority intelligence questions.

Flashpoint Intelligence Requirements help bridge that gap by creating clearer alignment between intelligence priorities, monitoring activity, investigations, and reporting inside Ignite.

In practice, this creates: 

• Strategic Guardrails: Every alert that fires and every investigation that escalates can now be tied back to an operational priority or business risk. If activity does not map to a PIR, it becomes easier to identify where teams may be spending time on low-priority noise.
• Stakeholder Clarity: As intelligence teams support more internal stakeholders — including executive leadership, fraud teams, vulnerability management, or brand protection teams — Intelligence Requirements creates a clearer framework for communicating what is being monitored and why.
• Defensible ROI: By connecting priorities, alerts, and investigations into a measurable workflow, organizations gain stronger visibility into how intelligence operations support broader business and security objectives.

How it works

Intelligence Requirements introduces a structured workflow layer across Ignite.

Rather than beginning with disconnected alerts or investigations, organizations can now start with the intelligence questions they aim to answer — and structure monitoring and investigative activities around those priorities from the outset.

1. Define Intelligence Priorities

Teams begin by creating and organizing both General Intelligence Requirements (GIRs) and Priority Intelligence Requirements (PIRs). GIRs serve as broader intelligence focus areas, while PIRs represent the specific intelligence questions driving operational activity.

Customers can either build custom PIRs from scratch or use pre-built templates to accelerate onboarding and reduce the “blank page” problem many organizations face when formalizing intelligence workflows.

2. Align Monitoring Workflows to PIRs

Once PIRs are established, analysts can map relevant alert rules directly to those intelligence priorities.

This is a foundational part of the workflow. PIRs are designed to give structure and context to intelligence activity by helping organizations clearly understand what is being monitored, why it matters, and which operational objective the activity supports.

To simplify setup, Ignite can surface:

• Existing alert rules already created within the platform,
• As well as AI-recommended alert rules based on the selected PIR and the organization’s existing alert rule library.

This allows organizations to operationalize PIR workflows more quickly while reducing disconnected or ad hoc monitoring efforts.

3. Connect Monitoring to Investigations

As monitoring workflows surface meaningful activity, analysts can escalate findings directly into Investigations workflows within Ignite.

Organizations can optionally connect PIRs to new or existing investigations, helping maintain a clearer operational chain between:

• intelligence priorities,
• incoming signal,
• investigative activity,
• and operational outcomes.

Analysts can filter alerts by PIR directly in the inbox and escalate relevant findings for investigation.

4. Measure Intelligence Activity

Intelligence Requirements also introduces a more measurable operational framework for intelligence teams by providing visibility into monitoring activity, investigative escalations, and operational workflows tied to specific intelligence priorities.

Over time, this helps organizations better understand which priorities generate activity, where teams spend investigative effort, and how intelligence operations support broader business and security objectives.

FAQs

What are the intelligence requirements in cyber threat intelligence?

Intelligence Requirements are the operational questions and priorities that guide intelligence collection, monitoring, investigations, and reporting activities.

Within CTI programs, organizations often structure these priorities through:

• General Intelligence Requirements (GIRs), which represent broader focus areas
• Priority Intelligence Requirements (PIRs), which represent the specific intelligence questions driving operational activity

Flashpoint Ignite operationalizes these requirements directly within monitoring and investigations workflows.

What is the difference between a GIR and a PIR?

GIRs represent broader intelligence focus areas, such as ransomware activity, credential exposure, or vulnerability risk.

PIRs are the specific intelligence questions organizations are trying to answer within those broader categories.

For example:

GIR: Ransomware
PIR: “Are ransomware groups actively targeting organizations in our industry?”

In Ignite, PIRs become operational by connecting directly to monitoring activity, alerts, and investigations.

How do PIRs work in Flashpoint Ignite?

In Ignite, organizations can create and manage PIRs directly within the platform, align alerts and monitoring activity to those PIRs, and connect investigative activity back to operational priorities.

This creates a more structured operational model in which intelligence activity is directly tied to business risk and organizational priorities.

Are Intelligence Requirements only for mature CTI programs?

No. While mature intelligence teams often already use PIR methodologies, Intelligence Requirements can also help newer or growing CTI programs establish more structured operational processes earlier in their maturity journey.

Pre-built PIR templates within Ignite help reduce the barrier to adoption and accelerate operationalization.

How do Intelligence Requirements improve intelligence operations?

Intelligence Requirements help organizations:

• prioritize monitoring activity,
• reduce disconnected workflows,
• organize investigations around operational priorities,
• and create clearer visibility into intelligence operations over time.

This allows teams to move from reactive intelligence activity toward a more intentional and measurable operational model.

Do Intelligence Requirements replace existing alerts or investigations?

No. Intelligence Requirements are designed to connect and structure existing operational activity, not replace it.

Organizations can align existing alerts and investigations with PIRs to create clearer operational context and visibility across intelligence workflows.

Can PIRs be aligned to multiple types of intelligence activity?

Yes. PIRs can support a wide range of intelligence operations, including:

• threat actor monitoring,
• credential exposure monitoring,
• vulnerability tracking,
• fraud investigations,
• operational intelligence reporting,
• and broader CTI workflows.

How does Flashpoint operationalize PIRs differently?

Many organizations still manage Intelligence Requirements through static documents, spreadsheets, or disconnected operational processes.

Flashpoint Ignite operationalizes PIRs directly within monitoring, investigations, and operational workflows, helping organizations connect priorities, incoming signals, investigative activity, and measurable operational outcomes inside the same system.