# Cyber Threat Intelligence Brief Template

*[Use this template to create an executive brief on threat activity, for leaders and decision-makers who need a fast scan of the situation. The brief works two ways. Distill it from a full Cyber Threat Intelligence (CTI) report your team produced, or synthesize it from vendor advisories, government bulletins, and other open-source reporting on a threat you're tracking. Either way, add your organization's context for scope, significance, and prioritization.*

*If you're working from a report produced with the [companion CTI report template](https://zeltser.com/cyber-threat-intel-report-template), pull the Bottom Line from its "Executive Summary," Quick Facts from "Actor Snapshot," Defensive Actions from "Defensive Implications > Defensive Measures," and What We Don't Know from "Anticipated Activity." Carry your confidence in the assessment as the primary judgment, and state likelihood as a separate dimension, as ICD 203 requires: likelihood is forward-looking, meaning the probability that the activity continues or evolves, while confidence reflects the quality of the evidence behind the assessment. When a source states confidence but no forward likelihood, mark likelihood "Not assessed by source" rather than inferring one. Make the uncertainty visible to the reader.*

*The text in square brackets is meant to guide you; remove it before finalizing the brief. The title above is generic; rename to match your specific brief.*

*This template was [created by Lenny Zeltser](https://zeltser.com/cyber-threat-intel-report-template) and distributed under the [Creative Commons Attribution 4.0 International License](https://creativecommons.org/licenses/by/4.0/) (CC BY 4.0). The license covers the template; any brief you produce with it is yours.]*

*[Date · Classification · Significance]*

## Bottom Line

*[One paragraph (3-5 sentences) stating what happened and how the organization is affected, if at all. Explain what decisions must be made, if any, and what defensive actions are being planned (e.g., deploy, harden, block, or audit). If requesting a decision from the reader, name the specific question or tradeoff explicitly, so they know whether they're being informed or being asked to weigh a choice.]*

## Quick Facts

|  |  |
|---|---|
| **Actor** | *[Internal designator and any public aliases (e.g., names assigned by vendors or government reporting). If you have no internal designator, lead with the most stable public alias.]* |
| **Significance** | *[High, moderate, or low, with a one-phrase descriptor of why this matters for your organization (e.g., "High because we operate in the targeted sector and have not yet deployed the controls that defeat the actor's technique"). Anchor the rating in your organization's exposure to this actor rather than the actor's profile in isolation.]* |
| **Active** | *[Date range when activity has been observed, or "to present" if still active.]* |
| **Targets** | *[Sectors and regions targeted.]* |
| **Motivation** | *[Espionage, financial gain, destructive intent, hacktivist objective, or unknown.]* |
| **Capability** | *[Effectiveness at achieving objectives, based on observed outcomes.]* |
| **Confidence** | *[Your confidence in the assessment (high, moderate, or low), followed by the forward-looking likelihood that the activity continues or evolves, stated as a separate judgment. If a source gives confidence but no forward likelihood, mark likelihood "Not assessed by source." Pair this row with What We Don't Know by naming the specific evidence you're still gathering.]* |

## Are We in Scope?

*[One or two sentences explaining why this activity is relevant to your organization. Use your organization's context (sector, geography, technology stack, and observed activity) to describe the scope accurately.*

*If the actor's targeting matches your sector, geography, or technology stack, state your exposure. If you've seen related activity in your environment, describe the connection.]*

## Defensive Actions

*[Top three to five defensive actions ordered by priority. Draw from your full report's defensive measures overview, the source advisories, or your own analysis of this activity. Why, When, and Who are organization-specific fields the source material generally doesn't address. For actions that require decision-maker approval, name the decision in the When column (e.g., "Pending CFO approval by Jan 22").]*

| What | Why | When | Who |
|---|---|---|---|
| *[Lead with an action verb, such as Deploy, Harden, Block, or Audit.]* | *[Why this matters for the reader's organization.]* | *[Such as Immediate, Within 30 days, etc.]* | *[The internal owner.]* |
|  |  |  |  |
|  |  |  |  |

## What We Don't Know

*[One or two sentences naming the key intelligence gaps that would change the assessment. Examples include attribution uncertainty, targeting scope, technique evolution, and vendor detection coverage. Be explicit about what evidence would tip your read of the situation. If you distilled this brief from a full report, carry over the report's own stated gaps. If you synthesized it from an outside advisory, name what the advisory left out, such as an uncalibrated likelihood, an unnamed actor, or missing indicators.]*

## More Information

|  |  |
|---|---|
| **Primary Source** | *[Link to your full report if you produced one, or to the principal vendor or government advisory you're synthesizing from.]* |
| **Additional Details** | *[Related reporting, vendor blogs, indictments, partner-shared analyses, and other sources you drew from.]* |
| **Follow-Up Contact** | *[Name and channel for follow-up questions on this brief.]* |

