Three services deal directly with incidents and events:

• Threat intel:
  • Externally focused on incidents and events that are reported in threat intel feeds
  • May map external threat intel to applicable internal systems to provide enriched cyber intelligence
• Incident response:
  •  Internally focused on incidents and events that are reported
• Continuous monitoring:
  • Both internally and externally focused on evaluating anomalies against established baselines

Through Data Exposure and Sharing, security awareness allows pertinent external threat sources to be communicated to the users, as well as providing the training and support (through formal policies and procedures) to report internal events and incidents through IT ops or InfoSec channels.