Cyber threat intelligence analysts produce credible reports by weighing signals at tactical, operational, and strategic levels. A customizable CTI report template helps analysts capture activity, attribute it with calibrated confidence, and translate findings into defensive actions.
Authors of cyber threat intelligence (CTI) reports need to apply CTI tradecraft to produce well-supported findings, but that’s not enough. They also need to communicate their analysis so stakeholders can make informed decisions. The CTI report template helps with that by providing structured guidance for CTI analysts, incident response teams, and cybersecurity vendors.
Download the template and make it your own; it’s available as Markdown and Word files. A companion brief template helps you share key insights with decision-makers (Markdown, Word).
You can also use my MCP server with your AI agent to improve or generate CTI reports using these templates and my guidance. It’s designed to offer insights without receiving your sensitive data. To use it, add https://website-mcp.zeltser.com/mcp to your AI agent’s config.
At a high level, the CTI report template’s foundation is the Q Model, introduced in Thomas Rid and Ben Buchanan’s Attributing Cyber Attacks. It groups threat intelligence into three analytic levels, each requiring different evidence:
- Tactical: The incident’s technical aspects.
- Operational: The campaign and the actor running it.
- Strategic: Who is responsible and why the operation matters.
The template also incorporates guidance from other CTI frameworks, section by section:
| Section | What it captures | Frameworks |
|---|---|---|
| Executive Summary | Bottom-line claim plus a Key Findings table that pairs each finding with a decision question and calibrated confidence. | ICD-203: Calibrated confidence, with likelihood for forward-looking claims |
| Actor Snapshot | Quick-reference profile of the actor or activity cluster. | |
| Methodology | Sources, gaps, analytic techniques, and the calibration framework. | ICD-203: Calibrated confidence, with likelihood for forward-looking claims. Richards Heuer’s Psychology of Intelligence Analysis and the CIA Tradecraft Primer: Structured analytic techniques such as Analysis of Competing Hypotheses. |
| Activity Overview | Date range of observed activity, victim profile (whether targeting was deliberate or opportunistic), and related reporting. | |
| Representative Adversary Techniques | The most representative techniques observed, mapped to a common adversary-behavior framework. | MITRE ATT&CK®: Adversary tactics, techniques, and procedures |
| Indicators of Compromise | A tiered indicator table organized by cost to the adversary, adapted to include cloud and identity artifacts. | David Bianco’s Pyramid of Pain: Indicator tiering by adversary cost. STIX: Machine-readable observable bundle supplied separately. |
| Defensive Implications | Defensive actions tied to the observed techniques, detection content, and vendor coverage. | MITRE D3FEND™: Defensive countermeasure vocabulary |
| Attribution Analysis | An attribution claim supported by six signals examined together. | My Six Signals for Threat Attribution: Convergence-based attribution method |
| Anticipated Activity | Forward-looking notes on what may come next and conditions that would shift the picture. | |
| Strategic Analysis (Optional) | The activity’s broader significance (geopolitical, commercial, or ideological), when such analysis is in scope. | |
| Competing Hypotheses (Optional) | Structured comparison of candidate hypotheses against the evidence, when more than one viable hypothesis remains. | Analysis of Competing Hypotheses: Richards Heuer’s method for evaluating multiple hypotheses |
| About this Report | Title, authorship, classification, follow-up contact, and changelog. | FIRST’s Traffic Light Protocol (TLP): Sharing classification convention. MISP’s Permissible Actions Protocol (PAP): Permitted actions on received indicators. |
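As an added example that is not part of the template or the author's own code, the following Python builds the separately supplied STIX 2.1 bundle from an indicator list tiered by the Pyramid of Pain, so that the machine-readable bundle carries the same adversary-cost tiering as the report's indicator table. The indicator kinds, the placement of identity artifacts (account logins) in the artifact tier, and the sample values are this example's assumptions.

```python
import uuid
from datetime import datetime, timezone

# Pyramid of Pain tiers, lowest to highest cost for the adversary to change.
TIERS = ["hash", "ip", "domain", "artifact", "tool", "ttp"]

# Indicator kind -> (tier, STIX 2.1 pattern template). Placing identity artifacts
# such as account logins in the artifact tier is this example's assumption.
KINDS = {
    "sha256": ("hash", "[file:hashes.'SHA-256' = '{v}']"),
    "ipv4": ("ip", "[ipv4-addr:value = '{v}']"),
    "domain": ("domain", "[domain-name:value = '{v}']"),
    "url": ("artifact", "[url:value = '{v}']"),
    "account_login": ("artifact", "[user-account:account_login = '{v}']"),
}

def make_indicator(kind, value, created, tlp="TLP:AMBER"):
    """Build one STIX 2.1 Indicator; the Pyramid of Pain tier travels in a label."""
    tier, template = KINDS[kind]
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")  # STIX string-literal escaping
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": created,
        "modified": created,
        "name": f"{kind}: {value}",
        "pattern_type": "stix",
        "pattern": template.format(v=escaped),
        "valid_from": created,
        "labels": [f"pyramid-of-pain:{tier}", tlp.lower()],
    }

def build_bundle(observables, created=None):
    """Wrap indicators in a bundle, highest adversary cost first (the entries defenders act on first)."""
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    objs = [make_indicator(kind, value, created) for kind, value in observables]
    objs.sort(key=lambda o: TIERS.index(o["labels"][0].split(":", 1)[1]), reverse=True)
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objs}

# Constructed sample observables; the values are placeholders, not real indicators.
SAMPLE = [
    ("sha256", "0" * 64),
    ("ipv4", "203.0.113.7"),
    ("domain", "update-check.example"),
    ("account_login", "svc-backup-admin"),
    ("url", "https://update-check.example/api/v2/beacon"),
]
```

Serialize the result with `json.dumps(build_bundle(SAMPLE), indent=2)` to produce the bundle file that accompanies the report.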
For responder guidance related to cybersecurity incidents, use the Incident Response Report Template.