ITSecurityGuru

Why Commercial Cyber Threat Intelligence is Failing Defence Operations


Cyber is no longer a supporting capability. It now shapes how defence organisations plan, assess and act.

Across NATO and allied forces, cyber intelligence is increasingly embedded into operational planning, from situational awareness through to targeting and strategic decision-making. At the same time, the threat landscape is becoming more complex. State-aligned actors are more active, campaigns are more coordinated, and the line between cyber and conventional operations continues to blur.

Cyber operations in Ukraine have shown how closely digital and physical domains are now linked. Intelligence derived from cyber activity is being used alongside conventional sources to inform real-time decisions. In this context, delays caused by reformatting or misalignment are no longer acceptable.

This shift is happening alongside a renewed focus on collective defence. Coalition operations are intensifying, interoperability is under scrutiny, and the ability to share intelligence quickly and accurately across partners has become critical.

In this environment, the systems that produce and manage intelligence are no longer just technical tools; they are part of the operational backbone.

Yet many of those systems were not designed with this reality in mind.

The cost of misalignment is now operational, not theoretical

Most cyber threat intelligence platforms in use today originate from the commercial sector. They were built to support enterprise security teams, where priorities centre on speed, automation and scale.

Defence operates differently because military intelligence is governed by doctrine. Frameworks such as NATO’s AJP-2, UK MOD JDP 2-00 and the US JP 2-0 define how intelligence supports operational and strategic decision-making. They establish shared terminology, structured processes and standardised reporting formats that allow forces to operate cohesively across commands and nations.

Crucially, doctrine is not simply theoretical guidance. It provides a common framework for direction, collection, processing and dissemination across the intelligence cycle, ensuring intelligence can move consistently from analyst to commander in support of operational decisions.

When cyber intelligence does not align with these frameworks, friction emerges at the point where speed matters most.

In many defence environments, analysts are already operating under significant pressure, managing high volumes of data from multiple sources. When intelligence must be translated, restructured and reformatted before it can be operationally relevant, that burden increases at exactly the moment clarity and speed are most critical.

The consequences extend beyond delay. Misalignment can lead to duplicated analyst effort, inconsistent terminology across organisations, loss of contextual understanding and difficulty fusing cyber intelligence with HUMINT, SIGINT and GEOINT into a coherent operational picture.

In coalition environments, where multiple organisations must work from a shared understanding, these inconsistencies can reduce confidence in intelligence at the point where it is needed to support planning and command decision-making.

This is no longer simply a question of efficiency. As cyber intelligence becomes more tightly integrated with operational planning, delays and inconsistencies at this stage can have direct mission impact.

Sovereignty, interoperability and scale are raising the stakes

The challenge is compounded by two parallel pressures shaping defence across the UK, Europe and allied nations.

The first is data sovereignty. Governments are placing greater emphasis on where intelligence is stored, how it is controlled and who can access it. Systems must align with national requirements for security and governance, particularly when dealing with sensitive or classified information.

The second is interoperability. Defence operations remain inherently coalition-based. Intelligence must be shared across trusted partners quickly, and in a format that can be immediately understood and acted upon.

Balancing these priorities is not straightforward. Commercially oriented platforms were not designed with this dual requirement in mind. Retrofitting them to meet both sovereign control and coalition interoperability introduces complexity. It creates workarounds that place additional burden on analysts and planners, while increasing the risk of inconsistency across organisations.

Over time, this approach becomes increasingly difficult to sustain in operational environments.

Defence requires intelligence systems built around doctrine

The question facing defence organisations is no longer how to adapt commercial cyber intelligence platforms. It is whether those platforms are suited to the operational reality they now face.

A different approach is required. Intelligence systems must be designed to reflect doctrine from the outset. They must support the structures, processes and standards that define military intelligence, rather than operating alongside them.

This means embedding common language, structured reporting and recognised frameworks into the core of the system. It means enabling cyber intelligence to integrate seamlessly with other disciplines such as HUMINT, SIGINT and GEOINT, contributing to a unified operational picture. It also means supporting both interoperability and sovereignty by design. Intelligence must be shareable across coalition partners while remaining aligned with national requirements for control and security.

When these elements are in place, the impact is clear. Intelligence can move from analysis to decision-making without delay. Collaboration becomes more effective. Analysts are able to focus on generating insight rather than translating outputs.

As cyber intelligence becomes more central to defence operations, the systems supporting it must evolve to reflect the operational realities they are intended to serve.
