Intelligence Analysis — For Cyber Threat Intelligence.

In today’s world, persistent actors and emerging threats are impacting organisations and individuals. If we want to defend against malicious attackers, we must have a firm mental focus reinforced by the ability to think critically with a clear perspective.

This post is a no-fluff process for hunt teams, incident responders, forensic investigators and intelligence analysts that will enhance your methods and give you the mental tools to evaluate, decide and act on information.


You need to truly understand the information if you want others to comprehend you. You must be clear and precise about all data collected, investigated and reported. There are two primary stages of understanding: we need to understand the data, and we need to be able to present that data as intelligence.

Be Precise

When investigating data, make sure you understand what you’re looking at and be decisive in your actions. Define your data, make sure it relates to your end goal, and leave out any superfluous information.

Be Clear

Always be clear about your information. Write it so that the reader doesn’t have to think about it and can just read and understand. Don’t be ambiguous or vague with any information; someone is going to take action on whatever you provide. Make your point clear! Mind mapping your ideas at this step will help you see what is missing.

Ask this one simple question: is there anything I don’t know or understand but should know?


Pivoting means exploring information to develop a greater understanding and identify possible affiliations or connections. Continuous pivots are the key to mapping out intelligence. Whether it’s an email address, an IP address or a vulnerability, whatever it is, continually link the dots. Think of pieces of information as synapses in the brain, and keep connecting synapses to build a complete pathway.

What is the significance?

When pursuing or tracking malicious actors, pieces of information or targets, make sure each one has importance to the mission or possible outcomes. Don’t waste your time and effort on irrelevant data. If you have pivoted on a piece of information and you decide that it is negligible, stop pursuing it. If you’ve put a considerable amount of work into a target and you realise it’s insignificant, stop now! Don’t hold onto the information just for the sake of holding on to it; give it the 5-second rule test!

Use your intuition

Intuition and instincts are the key to learned wisdom in the intelligence field. If your gut is telling you something, pivot on that something! Your intuition will make the difference between actionable intelligence and red herrings. When examining information, if your spider senses are telling you something, act on it. When operating on intuition, it’s always good to have a notepad and pen handy. Write down what you are thinking about and explore all possible outcomes. If anything interesting comes out of that, pivot on it and explore.


Perception is related to how we see adversarial actions and what adversaries might be thinking or doing. Make sure to take the viewpoints of everyone (groups included) involved into consideration when analysing intelligence. Think of your position, the position of the adversary and all associated external parties. This process will enable you to understand your thought processes, actions on and divergent thinking techniques.

Track it!

To effectively track adversaries, people, information and targets, we must focus on the significance of the data we’re ingesting and, if it’s significant, on how deep we go with pivots. Tracking is where great analysis comes from: being able to build a mental picture, pivot on information and leverage intuition to connect all the dots.


Act means, “Take action now, do what you should when you should do it”. Act on instinct as soon as you think action should be taken, and do not wait. If your intuition is telling you to pivot on that unique piece of information, do it. Always be acting on information; don’t save it for later, do it now!


If you can’t get your information across, what’s the point? I recommend you use the BLUF (Bottom Line Up Front) communication technique. BLUF is an initial paragraph where the conclusions and recommendations are placed at the beginning, rather than the end, to facilitate *rapid decision* making.

Along with BLUF, there are five golden rules you should follow when producing reports:

Make the entry point to the report have a direct context
Make the explanations easy to read and understand
Give the reader crisp and precise text, *don’t fluff it up*
Tell the reader *the* story; and
People don’t want to hear your lousy intelligence, so don’t give them s***.

Disciplined Intelligence