TIDO: The Threat Intelligence Decision Ontology

Open Access
Authors
Publication date 2025
Book title K-CAP '25
Book subtitle Proceedings of the 13th Knowledge Capture Conference 2025 : Dayton, Ohio, USA
ISBN (electronic)
  • 9798400718670
Event 13th International Conference on Knowledge Capture, K-CAP 2025
Pages (from-to) 82-89
Number of pages 8
Publisher New York, New York: Association for Computing Machinery
Organisations
  • Faculty of Science (FNWI) - Informatics Institute (IVI)
Abstract

National intelligence agencies have the complex task of investigating threats to national security within strict legal and policy frameworks. Reconstructing the context of investigative decisions for post-analysis and compliance checks is prone to error and labour-intensive. To address this, we propose to capture decision-making processes and their rationale directly using an OWL-based ontology. This approach overcomes the limitations of traditional data management and existing decision ontologies in handling the intricate data dependencies within threat intelligence (TI) decision-making. The result is the Threat Intelligence Decision Ontology (TIDO), which structures analysts' decision-making while incrementally capturing a decision trace for post-analysis as investigations unfold. The ontology was developed under the complex constraints of safeguarding threat intelligence practices and case information, and validated through competency questions from intelligence experts from the Dutch Defence Intelligence and Security Service (DISS). TIDO offers a novel solution for capturing and understanding decision processes within the sensitive domain of threat intelligence, and evidence-based decision-making in general.

Document type Conference contribution
Language English
Published at https://doi.org/10.1145/3731443.3771351
Other links https://www.scopus.com/pages/publications/105024937312
Downloads
3731443.3771351 (Final published version)