Most threat intelligence programs fail the same way: a team buys feeds, fills a SIEM with millions of indicators, and produces no decisions anyone acts on. Intelligence is not a pile of IOCs — it is the process of turning raw data into something that changes what a defender does. A working CTI workflow follows the classic intelligence cycle: define requirements, collect against them, process and enrich, analyse, disseminate to the right consumer, and feed results back in. This guide walks through building that loop in a way a small team can actually sustain, with free sources you can start from today.