Zombie PIRs: Why Your Intelligence Requirements Need an Expiration Date

Author's Note: This article presents a theoretical framework for CTI maturity, drawing heavily from the prioritisation methodologies explored in the book "Operationalizing Threat Intelligence." While I offer these arguments as a starting point for discussion, the core classification concepts belong to that text. I acknowledge that every organisation operates under different constraints.
In theory, an Intelligence team is supposed to be a filter. Our job is to block out the noise and highlight what matters. In reality, we often act more like a sponge. Terrified of missing a hidden threat, we try to soak up everything. We say 'yes' to every stakeholder, turn on every alert, and fill our databases with junk, hoping that somewhere in that mess is the answer we need.
I argue that this creates Priority Inflation. When you mark every single threat as "Urgent," it stops meaning anything.
How We Fail
Without a strict cleanup process, Intelligence teams risk becoming digital hoarders. We say "yes" to every request, we add it to our list, and we never delete it.
We stop being an intelligence unit and turn into a generic news feed.
The result is a backlog full of "Zombie PIRs." These are requirements that don't matter to the business anymore, yet still walk around our systems and eat up time that should be spent on new, actual threats.
This stems from two mistakes: treating vague fears as specific orders (Bad Entry) and letting old alerts rot in the queue (Bad Exit).
To fix this, we can use a system to rank things.
The Proposal: Rank It, Don't Reject It
We don't have to say "No". We just have to ask "How important is this?"
Adapting the framework from Operationalizing Threat Intelligence, I suggest sorting requests into these buckets:
| Priority | Description |
|---|---|
| HIGH | Critical. The organisation fails or suffers significantly without this. |
| MEDIUM | Essential. The organisation requires this to succeed. |
| LOW | Sustainability. Required for the continued success of the organisation. |
The Intake Diagnosis
I argue that we need to stop acting like waiters taking orders and start acting like doctors diagnosing problems. To do this, we need to extract two distinct variables from the stakeholder: the Trigger (Importance) and the Expiration (Urgency).
Step 1: The Decision Test (Validating Importance)
First, we establish if the request supports a real outcome. We do this by asking for the specific trigger.
- The Script: "To prioritise this, I need to know the trigger. If we confirm APT29 is targeting our sector, will you block their known infrastructure range immediately, or is this just for the monthly landscape report?"
The Verdict:
- ✅ Specific Action ("We will block the IPs") → High Priority
- ❌ General Awareness ("I just want to be aware") → Low Priority
Step 2: The Deadline (Validating Urgency)
Once we know the request is valid, we need to know the shelf-life of the data. In intelligence jargon, this is called LTIOV (Latest Time Information is of Value).
Intelligence is like milk. It goes bad. If you need data for a Friday meeting to approve a patch, and I give it to you on Monday, it is useless.
The Verdict:
- ❌ Bad (Vague): "Tell me about this threat as soon as possible."
- ✅ Good (Specific): "We have a Change Advisory Board (CAB) meeting this Friday at 2 PM. I need to know if the VPN is vulnerable by Thursday at Noon so I can file the emergency patch request."
The 90-Day Calibration
Business priorities change overnight.
If we don't talk to our stakeholders often, we work in a Vacuum. We guess they read our reports. We guess they like them. Usually, we are wrong.
I propose using the 90-day mark (Quarterly) as a Mandatory Feedback Trigger.
At the end of the quarter, don't just auto-renew their subscription. Ask them two questions to validate the Utility and the Urgency:
- Utility: "Did you actually use this to make a decision in the last 90 days?"
- Urgency: "If we had missed this, would it have caused a crisis?"
The Conversation
Don't ask "Do you want to keep this?" (They will always say yes). Ask "How did you use this?" to see where it falls on the Important vs. Urgent scale:
- Used for a Crisis (Urgent & Important): They used it to stop an attack or patch a vuln. Verdict: Keep as HIGH Priority.
- Used for Strategy (Important, Not Urgent): They used it for a report or long-term planning. Verdict: Move to LOW Priority.
- Not Used (Neither): They just filed it away "just in case." Verdict: We found a Zombie. Kill it.
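The intake diagnosis (trigger and LTIOV) and the 90-day calibration above are easy to run as a small backlog tracker. The following Python is an added example, not code from the article or from "Operationalizing Threat Intelligence"; the PIR identifiers, dates, stakeholder answers and the `Use` record type are all constructed for illustration. It encodes the two intake checks (a missing or already-passed LTIOV is bounced back; a named trigger makes the request HIGH, general awareness makes it LOW) and the three review verdicts (crisis use keeps HIGH, strategic use moves to LOW, no use in the window retires the zombie).

```python
"""Toy PIR lifecycle tracker: intake diagnosis plus the 90-day review.

Added example. All PIRs, dates and stakeholder answers below are constructed;
priority labels follow the HIGH/MEDIUM/LOW buckets used in the article.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional, Tuple


class Priority(Enum):
    HIGH = "HIGH"
    MEDIUM = "MEDIUM"
    LOW = "LOW"


class Verdict(Enum):
    KEEP_HIGH = "used for a crisis: keep as HIGH"
    MOVE_LOW = "used for strategy: move to LOW"
    RETIRE = "not used: zombie, retire it"


@dataclass
class Use:
    """One recorded instance of the stakeholder acting on the PIR's output."""
    when: date
    crisis: bool  # True if it drove an urgent action (block, patch); False if strategic


@dataclass
class PIR:
    pir_id: str
    question: str
    trigger: Optional[str]   # concrete action the stakeholder committed to, or None
    ltiov: date              # Latest Time Information is of Value
    priority: Priority
    uses: List[Use] = field(default_factory=list)


class IntakeError(ValueError):
    """Raised when a request fails the intake diagnosis."""


def needs_clarification(ltiov: Optional[date], today: date) -> Optional[str]:
    """Step 2 (urgency): return the reason to send the request back, or None."""
    if ltiov is None:
        return "no LTIOV given; ask for a specific deadline, not 'as soon as possible'"
    if ltiov < today:
        return f"LTIOV {ltiov} has already passed; the answer would be spoiled"
    return None


def intake(pir_id: str, question: str, trigger: Optional[str],
           ltiov: Optional[date], today: date) -> PIR:
    """Step 1 (importance) and Step 2 (urgency) of the intake diagnosis."""
    reason = needs_clarification(ltiov, today)
    if reason is not None:
        raise IntakeError(f"{pir_id}: {reason}")
    # A named trigger ("we will block the IPs") is HIGH; awareness only is LOW.
    priority = Priority.HIGH if trigger else Priority.LOW
    return PIR(pir_id, question, trigger, ltiov, priority)


def is_expired(pir: PIR, today: date) -> bool:
    """Intelligence is like milk: past the LTIOV the answer is worthless."""
    return today > pir.ltiov


def quarterly_review(pir: PIR, today: date, window_days: int = 90) -> Verdict:
    """The 90-day calibration: judge by how the stakeholder actually used it."""
    since = today - timedelta(days=window_days)
    recent = [u for u in pir.uses if since <= u.when <= today]
    if not recent:
        return Verdict.RETIRE
    if any(u.crisis for u in recent):
        return Verdict.KEEP_HIGH
    return Verdict.MOVE_LOW


def apply_review(backlog: List[PIR], today: date) -> Tuple[List[PIR], List[PIR]]:
    """Apply the verdicts; returns (surviving backlog, retired zombies)."""
    kept, retired = [], []
    for pir in backlog:
        verdict = quarterly_review(pir, today)
        if verdict is Verdict.RETIRE:
            retired.append(pir)
            continue
        pir.priority = Priority.HIGH if verdict is Verdict.KEEP_HIGH else Priority.LOW
        kept.append(pir)
    return kept, retired


TODAY = date(2024, 3, 31)  # constructed review date (end of quarter)


def build_sample_backlog() -> List[PIR]:
    """Constructed PIRs, one per review outcome."""
    vpn = intake("PIR-001", "Is our VPN appliance affected by the new RCE?",
                 trigger="file emergency patch request at Thursday's CAB",
                 ltiov=date(2024, 4, 4), today=TODAY)
    vpn.uses.append(Use(date(2024, 2, 12), crisis=True))
    landscape = intake("PIR-002", "Which sectors are ransomware groups hitting?",
                       trigger=None, ltiov=date(2024, 6, 30), today=TODAY)
    landscape.uses.append(Use(date(2024, 1, 20), crisis=False))
    stale = intake("PIR-003", "Track a campaign last seen in 2022",
                   trigger=None, ltiov=date(2024, 12, 31), today=TODAY)
    stale.uses.append(Use(date(2023, 10, 1), crisis=False))  # outside the 90-day window
    return [vpn, landscape, stale]


if __name__ == "__main__":
    kept, retired = apply_review(build_sample_backlog(), TODAY)
    for p in kept:
        print(f"{p.pir_id}: {p.priority.value}")
    for p in retired:
        print(f"{p.pir_id}: {Verdict.RETIRE.value}")
```

The review deliberately looks only at recorded uses inside the window, never at the stakeholder's opinion of the PIR, which is the point of asking "How did you use this?" rather than "Do you want to keep this?". A request with no LTIOV never enters the backlog at all; it goes back to the requester for a deadline.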
Conclusion
Intelligence is about focus.
The difference between a pro team and a "newsletter" is discipline. We must write clear rules and throw out the old trash. Otherwise, we risk 'Strategic Drift': we force our teams to sift through the ashes of the last fire instead of spotting the next one.
The 90-Day Rule shifts the burden of proof. It compels every item on your to-do list to fight for its life, so that when the real alarm rings, you are looking at the signal, not the noise.
Disclaimer: This article simplifies formal doctrine to focus on the core behavioural problem. I acknowledge that reality gets a vote. Office politics, compliance mandates, and resource constraints often make a "pure" implementation impossible. Use this framework as a guide, not a straitjacket.