Cyber Threat Intelligence Communication & Reporting Techniques
Tips and frameworks for writing and briefing actionable Cyber Threat Intelligence reports.
Introduction
Inspired by the excellent article A Short(ish) Guide on Information Security Writing and the book Communicating with Intelligence: Writing and Briefing for National Security, I’d like to share my two cents on writing Cyber Threat Intelligence (CTI) assessments, alerts and reports effectively.
This article aims to outline some of the key principles for structuring and delivering CTI notifications — providing a practical reference not only for junior analysts learning best practices but also for experienced professionals who may benefit from a fresh perspective.
NOTE: This article is intended to complement the accurate content of the previously cited article. To do so, I have occasionally included direct quotations taken from the referenced book. Where appropriate, I have adapted the concepts to align with the CTI context based on my experience; in other instances, I have retained the original phrasing for its clarity and precision.
Effective Communication in CTI
- Clear and concise writing, along with well-prepared briefings, requires time and effort — but it is essential for driving decisions.
- The components of a good intelligence report or briefing are as easy to remember as “ABC”: accuracy, brevity and clarity.
- CTI judgments are often based on partial or conflicting information. Waiting for perfect data isn’t an option.
- A CTI analyst rarely has the luxury of asking the “consumer” to wait until additional information is available.
- The CTI analyst’s job is not so much to be clairvoyant as it is to provide the best answer possible given the time and information available.
- Tailor your writing to the reader and present the most important insight first (BLUF: Bottom Line Up Front).
- Don’t shy away from making predictions. Accuracy over time matters more than being “always right.”
- CTI professionals need to be as accurate as possible in the assessments and estimates that form the basis for CTI reports.
- Go beyond what happened — focus on what the facts mean and what could happen next.
TIP = “Topic Intent Point”
This is a simple writing and speaking framework used to structure clear, concise and focused communication, and it applies equally well to CTI reports and analysis:
Topic — What are you talking about?
This is the subject matter or focus of your communication.
Intent — Why are you saying it?
This is the purpose of sharing the information.
Point — What should the audience take away or do?
This is the bottom line or call to action.
TIP ensures the right people get the right message at the right time, without noise.
Probability vs Confidence
The intelligence community’s solution for expressing and explaining the uncertainty of their analytic judgments was the creation of standardized terminology on probabilities and confidence levels. It’s easy to confuse the two.
Probability reflects an analyst’s estimate of the chances that a statement is true, while confidence reflects the degree to which an analyst believes that he or she possesses a sound basis for assessing uncertainty.
Probability: Chance of event happening
Confidence: Reliability of the estimate/prediction
Confidence:
The IC also standardized the terminology on confidence levels made in estimative statements:
- High Confidence: Generally indicates judgments based on high-quality information and/or the nature of the issue makes it possible to render a solid judgment. A high-confidence judgment is not a fact or a certainty, however, and still carries a risk of being wrong.
- Moderate Confidence: Generally means credibly sourced and plausible information but not of sufficient quality or corroboration to warrant a higher level of confidence.
- Low Confidence: Generally means questionable or implausible information was used, the information is too fragmented or poorly corroborated to make solid analytic inferences, or significant concerns or problems with sources existed.
Probability:
One of the important aspects of preparing a CTI report or notification is to always set and write the correct probability. This is fundamental for the reader because it immediately sets their expectations: it separates what is evidenced and confirmed from something that happened or could happen but without full assurance or evidence. To cover this point, the probability yardstick is the right tool to use in all your reports:
Probability Yardstick:
Online you can find different sets of words used to express probability, but whichever yardstick you adopt, its terms should be used in every assessment the CTI analyst writes.
Confidence CTI Example:
- Assessment: “The CTI team assesses with moderate confidence that APT1 will use phishing emails as an initial attack vector.”
- Meaning: Information is credible and the assessment is reasonable, but it is not fully verified based on available information.
Probability CTI Example:
- Assessment: “APT1 will likely use phishing emails as an initial attack vector.”
- Meaning: The statement says that it is more probable than not that APT1 will use phishing. It sets expectations about the likelihood that the event will occur, without explicitly stating the reliability of your sources.
AFA = Alternative Futures Analysis
It’s natural to assume things tomorrow will look pretty much the same as today, but that’s often a mistake. Author Nassim Taleb uses the example of the Thanksgiving turkey. “Consider a turkey that is fed every day,” he writes. “Every single feeding will firm up the bird’s belief that it is the general rule of life to be fed every day by friendly members of the human race ‘looking out for its best interests,’ as a politician would say. On the afternoon of the Wednesday before Thanksgiving, something unexpected will happen to the turkey. It will incur a revision of belief.”
Don’t be the turkey. Instead, use alternative futures analysis (AFA) to systematically explore different ways complex and uncertain scenarios can develop.
Just because something has been true for a long time doesn’t mean it will stay true. Using AFA in CTI helps anticipate surprising developments and avoid being caught off guard by unexpected shifts in attacker behavior or threat landscapes.
AFA CTI Example:
Initial Assessment: “Carbanak has historically targeted payment systems on weekends.”
Using AFA, analysts consider multiple possibilities: the attacker may stick to weekends, shift to weekdays, target other systems, or be mimicked by another actor. Considering these scenarios helps the SOC anticipate surprises and strengthen defenses, avoiding the trap of assuming the future will mirror the past.
Avoid Agatha Christie syndrome
It’s often difficult for CTI analysts and researchers to avoid succumbing to the Agatha Christie syndrome. Like the great mystery writer, we want to keep our readers in suspense until we can deliver that punch line — the whodunit, in mystery parlance. Because we have worked hard on this analysis, we want the reader to know all the great facts and analytical methods that have gone into our conclusions.
Don’t be shocked, but most of your readers won’t care. They want the bottom line, and that is what intelligence professionals are paid to deliver.
Admiralty System
The Admiralty System, when adapted for cyber threat intelligence, offers a robust framework for enhancing the reliability of your intelligence.
Reliability of sources is denoted by the letters A–F, and the accuracy (credibility) of the information by the numbers 1–6, so a single piece of reporting carries a two-character rating such as “B2”. One of the best write-ups about the Admiralty system in the CTI space can be found here.
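As an added example, not part of the original article, the following Python module encodes the estimative-language conventions from the Probability and Admiralty System sections above: the probability yardstick bands, the three confidence levels and the A–F / 1–6 Admiralty codes. The yardstick ranges used here are the UK PHIA yardstick and the Admiralty meanings are the standard NATO definitions; the article lists neither, so both are assumptions. The hedge-word list, the `Assessment` class and `lint_assessment()` are hypothetical helpers written for this example. `bluf()` renders a judgment with both a calibrated probability term and a confidence statement, and `lint_assessment()` flags drafts that state one without the other or lean on uncalibrated hedge words.

```python
"""Calibrated estimative language for CTI assessments (added example)."""
import re
from dataclasses import dataclass

# Probability yardstick bands in percent. Assumption: the UK PHIA yardstick;
# the article refers to "the probability yardstick" without listing ranges.
# The gaps between bands are deliberate, to avoid false precision.
PROBABILITY_YARDSTICK = (
    ("remote chance", 0, 5),
    ("highly unlikely", 10, 20),
    ("unlikely", 25, 35),
    ("realistic possibility", 40, 50),
    ("likely", 55, 75),
    ("highly likely", 80, 90),
    ("almost certain", 95, 100),
)

# The three IC confidence levels described in the article.
CONFIDENCE_LEVELS = ("low", "moderate", "high")

# Admiralty code meanings (standard NATO definitions, not taken from the article).
SOURCE_RELIABILITY = {
    "A": "completely reliable", "B": "usually reliable", "C": "fairly reliable",
    "D": "not usually reliable", "E": "unreliable", "F": "reliability cannot be judged",
}
INFORMATION_CREDIBILITY = {
    "1": "confirmed by other sources", "2": "probably true", "3": "possibly true",
    "4": "doubtful", "5": "improbable", "6": "truth cannot be judged",
}

# Constructed list of hedge words that signal an uncalibrated estimate.
HEDGE_WORDS = ("may", "might", "could", "possibly", "potentially")


def probability_term(percent):
    """Map a percentage estimate to the yardstick term whose band is nearest."""
    if not 0 <= percent <= 100:
        raise ValueError(f"percent out of range: {percent}")

    def distance(band):
        _, lo, hi = band
        return 0 if lo <= percent <= hi else min(abs(percent - lo), abs(percent - hi))

    return min(PROBABILITY_YARDSTICK, key=distance)[0]


def parse_admiralty(code):
    """Validate an Admiralty rating such as 'B2' and expand it to its meaning."""
    match = re.fullmatch(r"([A-F])([1-6])", code.strip().upper())
    if not match:
        raise ValueError(f"invalid Admiralty code: {code!r}")
    return SOURCE_RELIABILITY[match.group(1)], INFORMATION_CREDIBILITY[match.group(2)]


@dataclass(frozen=True)
class Assessment:
    subject: str          # the claim, e.g. "APT1 will use phishing emails ..."
    probability_pct: int  # analyst's estimate of the chance the claim is true
    confidence: str       # low / moderate / high: reliability of that estimate
    source_rating: str    # Admiralty code for the underlying reporting

    def bluf(self):
        """Render the judgment as one BLUF sentence: probability and confidence, stated separately."""
        if self.confidence not in CONFIDENCE_LEVELS:
            raise ValueError(f"unknown confidence level: {self.confidence!r}")
        reliability, credibility = parse_admiralty(self.source_rating)
        term = probability_term(self.probability_pct)
        return (f"The CTI team assesses with {self.confidence} confidence that it is "
                f"{term} that {self.subject} "
                f"[source {self.source_rating.upper()}: {reliability}, {credibility}].")


def lint_assessment(text):
    """Return the issues found in a draft judgment; an empty list means it passes."""
    lower = text.lower()
    issues = []
    if not re.search(r"\b(low|moderate|high) confidence\b", lower):
        issues.append("no confidence level stated")
    if not any(re.search(rf"\b{re.escape(term)}\b", lower) for term, _, _ in PROBABILITY_YARDSTICK):
        issues.append("no probability yardstick term used")
    hedges = [w for w in HEDGE_WORDS if re.search(rf"\b{w}\b", lower)]
    if hedges:
        issues.append("uncalibrated hedge words: " + ", ".join(hedges))
    return issues


if __name__ == "__main__":
    judgment = Assessment("APT1 will use phishing emails as an initial attack vector",
                          65, "moderate", "B2")
    print(judgment.bluf())
    for draft in ("APT1 will likely use phishing emails as an initial attack vector.",
                  "The CTI team assesses with moderate confidence that APT1 will use phishing emails.",
                  "APT1 may target payment systems."):
        print(f"{draft} -> {lint_assessment(draft) or 'ok'}")
```

Running the module shows why the article keeps probability and confidence apart: the article's own two example sentences each pass one check and fail the other, because one states only the likelihood and the other only the reliability of the sourcing.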
Conclusion
Great CTI writing isn’t about showing off your analysis — it’s about getting the right insight to the right people at the right time. Keep it clear, keep it focused, and put the bottom line up front. Use frameworks like ABC, TIP and the probability yardstick to cut through the noise.
The goal of CTI writing is to empower its audience — whether that’s a SOC analyst, a CISO, or a policymaker — to make informed, timely decisions. Don’t bury your insights under unnecessary detail, don’t wait for perfect data, and don’t be afraid to make well-reasoned predictions. Effective CTI communication is what keeps organizations resilient in the face of evolving cyber threats.
These were my takeaways for improving communication in the CTI field. I believe that every CTI analyst should have a basic understanding of these concepts, so they build trust in their reporting.
