CSIRT fusion center

As threat intelligence becomes an increasing part of daily security operations, one organizational structure that addresses this trend is the CSIRT fusion center. In this model, the CSIRT analysts, SOC analysts, and threat intelligence analysts are teamed up within a single team structure. This merges the elements of a combined SOC and CSIRT structure with dedicated threat intelligence analysts. In such a scenario, the threat intelligence analysts would be responsible for augmenting incident investigations with external and internal resources related to the incident. They could also be leveraged for detailed analysis in other areas related to the incident. The following diagram shows the workflow from the Fusion Center Director to the various personnel responsible for incident management:

As organizations continue to develop threat intelligence resources within their security operations, this model allows the CSIRT to make use of that capability, without having to create new processes. Chapter 13, Leveraging Threat Intelligence, will discuss threat intelligence in depth, and how this capability may enhance incident investigations.

The CSIRT fusion center is not widely deployed, largely because threat intelligence integration is a relatively new methodology and is resource-intensive. Very few organizations have the resources, in either technology or personnel, to make this type of structure effective. Bringing in full-time threat intelligence analysts, as well as various paid and open source feeds (and the technology to support them), is often cost-prohibitive. As a result, there are not many organizations that can leverage a full-time threat intelligence analyst as part of their CSIRT capability.
