Exam 312-39 Topic 7 Question 196 Discussion
Actual exam question for EC-COUNCIL's 312-39 exam
Question #: 196
Topic #: 7
A mid-sized financial institution's SOC is overwhelmed by thousands of daily alerts, many based on Indicators of Compromise (IoCs) such as suspicious IPs, hashes, and domains. These alerts lack context about whether they truly pose a threat. Analysts waste time on low-priority incidents while severe threats may be missed. The team lacks tools and intelligence to correlate IoCs with real-world threats, making prioritization difficult and causing alert fatigue. Which poses the greatest challenge in this environment?
Suggested Answer: D
The core problem described is that the SOC is treating raw indicators (IoCs) as if they are actionable intelligence (CTI), without enough context to prioritize. IoCs are often low-context, high-volume, and time-sensitive; many are noisy, shared infrastructure, or already outdated. CTI (cyber threat intelligence) adds context (adversary, campaign, intent, targeting, confidence, and recommended actions) so analysts can decide what matters for their environment. The scenario explicitly states the alerts "lack critical context" and the team "lacks tools and intelligence to correlate IoCs with real-world threats," which is fundamentally a failure to distinguish IoC data from intelligence. Information overload is a symptom, but the underlying challenge is that the organization is ingesting IoCs without intelligence enrichment and prioritization logic.
Budget/skill can contribute, but the question asks for the greatest challenge given the described conditions.
From a SOC perspective, solving this requires enrichment (TI platforms, reputation + context), correlation with internal telemetry, scoring based on relevance, and focusing on behaviors and impact rather than indicator volume alone. Therefore, distinguishing IoC from CTI is the best answer.
by Heather at Jun 11, 2026, 01:29 PM
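The enrichment-and-scoring approach the answer above outlines (TI context, correlation with internal telemetry, relevance scoring), as an added example that is not part of the original post. Everything in it is constructed for illustration: the CTI records, the sightings table, the hostnames, the "crown jewel" asset list and the score weights are assumptions, not output from any real threat-intelligence platform.

```python
"""Added example (not from the original post): enriching IoC alerts with
threat-intelligence context and internal telemetry, then scoring them so a SOC
triages by relevance rather than by indicator volume.

All data below is constructed for illustration; the indicators, campaign names,
hostnames and feed layout are assumptions, not real intelligence.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 6, 11, 12, 0, tzinfo=timezone.utc)

# Constructed CTI: the context a raw IoC feed lacks (attribution, confidence,
# targeted sectors, recency, whether the infrastructure is shared and noisy).
CTI = {
    "203.0.113.7": {"campaign": "credential-theft campaign vs. banks", "confidence": 90,
                    "targets": {"financial"}, "last_seen": NOW - timedelta(days=2),
                    "shared_infra": False},
    "198.51.100.4": {"campaign": None, "confidence": 40, "targets": set(),
                     "last_seen": NOW - timedelta(days=400), "shared_infra": True},
    "lure.example.net": {"campaign": "commodity phishing kit", "confidence": 70,
                         "targets": {"financial", "retail"},
                         "last_seen": NOW - timedelta(days=10), "shared_infra": False},
}

# Constructed internal telemetry: hosts observed contacting each indicator.
SIGHTINGS = {
    "203.0.113.7": ["swift-gw-01", "wks-finance-22"],
    "198.51.100.4": ["wks-009"],
}
CROWN_JEWELS = {"swift-gw-01", "db-core-01"}   # assumed high-value assets


@dataclass
class Alert:
    alert_id: str
    indicator: str
    ioc_type: str   # "ip", "domain", "hash"


@dataclass
class Scored:
    alert: Alert
    score: int
    reasons: list


def score_alert(alert, cti=CTI, sightings=SIGHTINGS, org_sector="financial", now=NOW):
    """Turn a raw IoC match into a 0-100 priority with the reasons behind it."""
    ctx = cti.get(alert.indicator)
    if ctx is None:
        # No intelligence at all: the alert is a bare indicator match.
        return Scored(alert, 0, ["no CTI context; raw IoC match only"])

    score, reasons = 0, []
    if org_sector in ctx["targets"]:                 # relevance to this organisation
        score += 30
        reasons.append(f"targets {org_sector} sector ({ctx['campaign']})")
    score += ctx["confidence"] // 5                  # 0..20 from source confidence

    age_days = (now - ctx["last_seen"]).days         # recency: IoCs go stale
    if age_days <= 30:
        score += 10
        reasons.append(f"fresh indicator ({age_days}d)")
    elif age_days > 90:
        score -= 20
        reasons.append(f"stale indicator ({age_days}d)")

    if ctx["shared_infra"]:                          # shared hosting/CDN = noise
        score -= 15
        reasons.append("shared infrastructure, likely benign traffic")

    hits = sightings.get(alert.indicator, [])        # correlate with own telemetry
    if not hits:
        score -= 30
        reasons.append("no internal sightings")
    else:
        score += 10 * min(len(hits), 3)
        reasons.append(f"seen on {len(hits)} internal host(s)")
        if CROWN_JEWELS & set(hits):
            score += 20
            reasons.append("touches high-value asset")
    return Scored(alert, max(0, min(100, score)), reasons)


def triage(alerts, threshold=50):
    """Split alerts into an escalate queue and a deprioritised backlog."""
    ranked = sorted((score_alert(a) for a in alerts), key=lambda s: s.score, reverse=True)
    return ([s for s in ranked if s.score >= threshold],
            [s for s in ranked if s.score < threshold])


# Constructed alert stream: four IoC matches that a raw feed would rank equally.
ALERTS = [
    Alert("A-1001", "198.51.100.4", "ip"),
    Alert("A-1002", "203.0.113.7", "ip"),
    Alert("A-1003", "lure.example.net", "domain"),
    Alert("A-1004", "0" * 64, "hash"),   # placeholder hash with no CTI record
]

if __name__ == "__main__":
    escalate, backlog = triage(ALERTS)
    for s in escalate + backlog:
        print(f"{s.alert.alert_id} {s.score:3d}  {'; '.join(s.reasons)}")
```

Run as a script, the four alerts that a raw feed would treat identically come out as one escalation (the fresh, sector-targeted IP seen on a high-value host) and three backlog items, each carrying the reasons for its score. The weights are deliberately simple; in practice the relevance and freshness terms are what most reduce the noise the scenario describes, and the "no internal sightings" penalty is what stops a large feed from paging analysts about indicators nothing in the environment ever touched.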