# Cyber Threat Intelligence Report Template

*[Use this template to produce a defensible, structured cyber threat intelligence (CTI) report on observed adversary activity. It draws on established intelligence frameworks but intentionally omits some formal mechanics to keep it practical for day-to-day CTI work.*

*The text in square brackets is meant to guide you; remove it before finalizing the report. The title above is generic; rename to match your specific report.]*

## Contents

*[Update if you add, remove, or reorder sections.]*

- [Executive Summary](#executive-summary)
- [Actor Snapshot](#actor-snapshot)
- [Methodology](#methodology)
- [Activity Overview](#activity-overview)
- [Representative Adversary Techniques](#representative-adversary-techniques)
- [Indicators of Compromise](#indicators-of-compromise)
- [Defensive Implications](#defensive-implications)
- [Attribution Analysis](#attribution-analysis)
- [Anticipated Activity](#anticipated-activity)
- [Strategic Analysis (Optional)](#strategic-analysis-optional)
- [Competing Hypotheses (Optional)](#competing-hypotheses-optional)
- [About this Report](#about-this-report)
- [References](#references)

## Executive Summary

*[Provide a short paragraph that states the central claim about the activity or actor. Include both a confidence level and a likelihood as separate dimensions. This is the main takeaway for the reader.]*

### Key Findings

*[Decision questions in the table below reflect what readers need to decide; sometimes these are called Priority Intelligence Requirements (PIRs).*

*Each finding states a calibrated analytic claim, meaning what you concluded from the evidence. A finding isn't just naming a subject (like "Targeting trends"), and it isn't a raw observation (like "We saw spearphishing emails").*

*Each row pairs a decision question with the finding that answers it. Provide confidence (how strong the evidence is) and likelihood (how likely the finding is to be true). Three to five rows is typical.]*

| Decision question | Finding | Confidence | Likelihood |
|---|---|---|---|
|  |  |  |  |
|  |  |  |  |
|  |  |  |  |

## Actor Snapshot

*[Include a quick summary of the actor. Use this section to help readers understand the actor's key facts at a glance. Where evidence is thin, mark a field "Unknown" or leave it blank.]*

|  |  |
|---|---|
| **Internal designator** | |
| **Public aliases** | *[Vendor and government names with citations. For activities with many aliases, expand this field into a structured table.]* |
| **Suspected sponsor or affiliation** | |
| **Motivation** | *[Espionage, financial gain, destructive intent, hacktivist objective, or unknown.]* |
| **Active period** | *[Range from earliest observed activity to most recent, or "to present" if still active.]* |
| **Target sectors** | |
| **Target regions** | |
| **Tradecraft summary** | *[One or two sentences naming the threat actor's signature tradecraft, such as characteristic lures, tooling families, and infrastructure patterns.]* |
| **Demonstrated capability** | *[How effective the actor has been at achieving its objectives, based on observed outcomes such as data exfiltrated, persistence achieved, or operational disruption.]* |
| **Confidence and likelihood that this characterization is correct** | *[Confidence: high, moderate, or low. Likelihood: one of the seven ICD-203 phrases, from "almost no chance" to "almost certain"; see the ladder in the Methodology section.]* |

## Methodology

This section documents the report's collection sources, gaps that limited the assessment, and analytic techniques applied.

### Collection

*[Sources used: internal telemetry, partner sharing, OSINT, government reporting, vendor reporting, etc.]*

*[Gaps: name what you couldn't see and how that limited the assessment.]*

### Analytic Techniques

*[Examples: Analysis of Competing Hypotheses (ACH) from Heuer's [Psychology of Intelligence Analysis](https://www.cia.gov/resources/csi/books-monographs/psychology-of-intelligence-analysis-2/); Key Assumptions Check, Quality of Information Check, and link analysis from the [CIA Tradecraft Primer](https://www.cia.gov/resources/csi/static/Tradecraft-Primer-apr09.pdf).]*

### Confidence and Likelihood

This report follows [Intelligence Community Directive 203 (ICD-203)](https://www.dni.gov/files/documents/ICD/ICD-203.pdf) in keeping confidence and likelihood separate. Confidence (high, moderate, or low) reflects the quality and corroboration of the sourcing and the soundness of the reasoning; likelihood reflects how probable the judgment itself is. The two are independent dimensions: a well-sourced finding can still be "unlikely", and a judgment can be "likely" even when confidence in its sourcing is low. Per ICD-203, we express likelihood using the seven-tier ladder:

| Likelihood Phrase | Probability Range |
|---|---|
| Almost no chance | 01-05% |
| Very unlikely | 05-20% |
| Unlikely | 20-45% |
| Roughly even chance | 45-55% |
| Likely | 55-80% |
| Very likely | 80-95% |
| Almost certain | 95-99% |

## Activity Overview

### Victim Profile

*[Document who was affected. Targeting may be deliberate or opportunistic. Use the table below to summarize the activity by sector and region when multiple victims are involved. The Victims column can hold a count (e.g., "12"), a share of total (e.g., "~40%"), specific named victim organizations, or a mix.*

*Include a narrative description alongside or instead of the table when you need to describe the attacker's targeting style or include context that doesn't fit cleanly in the table.]*

| Sector | Region | Victims | Notes |
|---|---|---|---|
|  |  |  |  |

### Activity Date Range

*[Date range of observed activity.]*

### Related Reporting

*[Cite advisories, vendor blogs, indictments, internal team reports, partner-shared analyses, and other sources covering the same activity.]*

## Representative Adversary Techniques

This report uses the [MITRE ATT&CK®](https://attack.mitre.org) framework to characterize adversary behavior. The table below lists the most representative techniques observed.

*[Adversary activity often involves dozens of techniques. Pick the ones that most clearly characterize the activity. If useful for purple-team handoffs, supply the full set as an [ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/) JSON layer separately.]*

| Tactic | Technique ID | Technique name | Procedure observed |
|---|---|---|---|
|  |  |  |  |
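
*[Added example, not part of the original template: the Python below builds the ATT&CK Navigator layer mentioned above from rows shaped like the technique table, so the full technique set can travel with the report as a companion file. The sample rows and their procedure text are constructed, and the layer, Navigator, and ATT&CK version fields are assumptions to adjust for your Navigator deployment.]*

```python
import json

# Constructed sample rows in the shape of the technique table above; the
# procedure text is invented for illustration, not observed activity.
OBSERVED_TECHNIQUES = [
    {"tactic": "Initial Access", "id": "T1566.001",
     "name": "Spearphishing Attachment",
     "procedure": "Constructed: ISO lure delivered by email"},
    {"tactic": "Execution", "id": "T1059.001",
     "name": "PowerShell",
     "procedure": "Constructed: encoded launcher run from the ISO"},
    {"tactic": "Command and Control", "id": "T1071.001",
     "name": "Web Protocols",
     "procedure": "Constructed: HTTPS beaconing on a fixed interval"},
]


def tactic_slug(tactic: str) -> str:
    """Navigator keys tactics by their lowercase, hyphenated shortname,
    e.g. "Command and Control" -> "command-and-control"."""
    return "-".join(tactic.strip().lower().split())


def build_layer(name: str, techniques: list, attack_version: str = "14",
                description: str = "") -> dict:
    """Return an ATT&CK Navigator layer as a dict, highlighting every
    technique in `techniques` and carrying the observed procedure as the
    cell comment. Assumption: layer format 4.5 as read by Navigator 4.9.x."""
    entries = []
    for t in techniques:
        entries.append({
            "techniqueID": t["id"],
            "tactic": tactic_slug(t["tactic"]),
            "score": 1,
            "color": "#ff6666",
            "comment": t.get("procedure", ""),
            "enabled": True,
        })
    return {
        "name": name,
        "versions": {"attack": attack_version, "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": description,
        "techniques": entries,
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1},
        "legendItems": [{"label": "Observed in this report", "color": "#ff6666"}],
    }


def layer_json(name: str, techniques: list) -> str:
    """Serialize the layer for loading through the Navigator's open-layer dialog."""
    return json.dumps(build_layer(name, techniques), indent=2)


if __name__ == "__main__":
    # Write the layer next to the report so it can be shared as a companion file.
    with open("observed-techniques-layer.json", "w") as fh:
        fh.write(layer_json("Example report: observed techniques", OBSERVED_TECHNIQUES))
```

*[Load the resulting .json file in the Navigator; the procedure text shows up as the cell comment, and the legend entry explains the highlight to purple-team readers who receive the layer without the report.]*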

## Indicators of Compromise

*[Organize indicators by [David Bianco's Pyramid of Pain](https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html), adapted here to include cloud-native activities and ordered by the cost the adversary pays to replace each indicator type, from lowest (hash values) to highest (identities). Tools and TTPs, the top tiers of Bianco's pyramid, are not repeated here; behaviors belong in the Representative Adversary Techniques section.*

*Identities cover user accounts, OAuth tokens, service principals, and API keys; cloud resources cover bucket URIs, IAM policies and roles, cloud function IDs, and cloud API endpoints.*

*Pick the most informative indicators per tier; leave a tier's row blank if no indicators apply. Supply the full set separately, such as a STIX bundle, when consumers need to ingest it into their tooling.*

*Use the Context column to describe each indicator's role in the activity; for example, command-and-control server, phishing infrastructure, exfiltration host.]*

| Type | Indicator | Context |
|---|---|---|
| Hash values |  |  |
| IP addresses |  |  |
| Domain names |  |  |
| Cloud resources |  |  |
| Network artifacts |  |  |
| Host artifacts |  |  |
| Identities |  |  |
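
*[Added example, not part of the original template: the Python below converts rows shaped like the IoC table into a STIX 2.1 bundle of Indicator objects, the "full set supplied separately" mentioned above. The sample indicators are constructed (a documentation IP range, a reserved domain, a synthetic hash, an invented account name). The TLP:AMBER marking identifier is the one predefined in the STIX 2.1 specification; mapping the Identities tier to a user-account pattern is an assumption. The free-form tiers (cloud resources, network artifacts, host artifacts) deliberately raise an error, because their STIX pattern depends on what the artifact actually is and should be written by hand.]*

```python
import json
import uuid
from datetime import datetime, timezone

# TLP:AMBER marking-definition identifier predefined by the STIX 2.1 specification.
TLP_AMBER = "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"

# Constructed sample indicators in the shape of the IoC table above. The
# values use documentation ranges and reserved names, not real infrastructure.
SAMPLE_IOCS = [
    {"type": "Hash values", "indicator": "0123456789abcdef" * 4,
     "context": "Constructed: first-stage dropper (SHA-256)"},
    {"type": "IP addresses", "indicator": "198.51.100.23",
     "context": "Constructed: command-and-control server"},
    {"type": "Domain names", "indicator": "update.example",
     "context": "Constructed: phishing infrastructure"},
    {"type": "Identities", "indicator": "svc-backup",
     "context": "Constructed: compromised service account"},
]

HASH_ALGOS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}


def _quote(value: str) -> str:
    """Escape a value for use inside a single-quoted STIX pattern literal."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def to_pattern(ioc_type: str, value: str) -> str:
    """Map an IoC table row to a STIX 2.1 pattern. Free-form tiers need a
    hand-written pattern, so they raise rather than guess."""
    if ioc_type == "Hash values":
        algo = HASH_ALGOS.get(len(value))
        if algo is None:
            raise ValueError(f"unrecognized hash length for {value!r}")
        return f"[file:hashes.'{algo}' = '{_quote(value)}']"
    if ioc_type == "IP addresses":
        obj = "ipv6-addr" if ":" in value else "ipv4-addr"
        return f"[{obj}:value = '{_quote(value)}']"
    if ioc_type == "Domain names":
        return f"[domain-name:value = '{_quote(value)}']"
    if ioc_type == "Identities":  # assumption: identities are login names
        return f"[user-account:account_login = '{_quote(value)}']"
    raise ValueError(f"no automatic pattern for IoC type {ioc_type!r}")


def _stix_timestamp(dt: datetime) -> str:
    """RFC 3339 UTC timestamp with millisecond precision, as STIX requires."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S") + f".{dt.microsecond // 1000:03d}Z"


def build_bundle(iocs: list, marking: str = TLP_AMBER) -> dict:
    """Wrap each IoC in a STIX 2.1 Indicator object and return a Bundle dict.
    The report's Context column becomes the indicator description."""
    now = _stix_timestamp(datetime.now(timezone.utc))
    objects = []
    for ioc in iocs:
        objects.append({
            "type": "indicator",
            "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}",
            "created": now,
            "modified": now,
            "name": f"{ioc['type']}: {ioc['indicator']}",
            "description": ioc.get("context", ""),
            "indicator_types": ["malicious-activity"],
            "pattern": to_pattern(ioc["type"], ioc["indicator"]),
            "pattern_type": "stix",
            "valid_from": now,
            "object_marking_refs": [marking],
        })
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def bundle_json(iocs: list) -> str:
    return json.dumps(build_bundle(iocs), indent=2)


if __name__ == "__main__":
    print(bundle_json(SAMPLE_IOCS))
```

*[Every indicator carries the report's TLP marking so the sharing constraint survives ingestion into a TIP or SIEM separately from the document. Pass a different predefined marking identifier, or your own marking-definition object, to match the classification in the About this Report section.]*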

## Defensive Implications

*[Write a brief prose summary of the section's defensive takeaways (replacing this bracketed guidance) so the reader has an at-a-glance view across this entire section. Note where readers should evaluate their existing controls against the recommended defenses to identify gaps. If responders need procedures for a live incident, point them to the [Incident Response Report Template](https://zeltser.com/incident-response-report-template) as a companion document.]*

### Defensive Measures

*[List defensive actions in the table below, ordered by priority (highest-impact first). Consider using [MITRE D3FEND™](https://d3fend.mitre.org) vocabulary and methodology. In the Addresses column, name the relevant technique from the Representative Adversary Techniques section (by ID or name), or write "Broadly applicable" for defenses not tied to a specific attack technique. Use the Notes column for context or pointers to the detail subsections below.]*

| Defensive action | Addresses | Notes |
|---|---|---|
|  |  |  |

### Detection Engineering Content

*[Provide detection rules (Sigma, KQL, Splunk SPL, EQL, etc.) or general guidance about behaviors to monitor. Use the Notes column for false-positive characteristics, log source dependencies (what telemetry the rule requires), or any per-row context.]*

| Detection content | Notes |
|---|---|
|  |  |

*[Include a link to where rule code for the entries above is stored, such as a separate file or repository.]*

### Vendor Detection Coverage

*[Name the vendor products or platforms with native detections, and link to the relevant detection content or documentation. Write as prose or use a table or bulleted list when listing multiple products.]*

## Attribution Analysis

*[Write the attribution claim based on your analysis of the six signals below (replacing this bracketed guidance), with calibrated confidence and likelihood. Be specific about what your evidence supports, such as a behavior pattern, a campaign, or a sponsor. For example, "Activity is consistent with the TA-2026-04 campaign (publicly tracked as APT99) with high confidence and very likely probability."]*

*[Capture the six attribution signals in the following table. See [Six Signals for Threat Attribution](https://zeltser.com/six-signals-for-threat-attribution) for guidance. Use the Finding column for your conclusion for that signal (one sentence). Use the Notes column for the supporting analysis, such as specific evidence, alternative readings considered, and what the signal can't tell you.]*

| Signal | Finding | Confidence | Likelihood | Notes |
|---|---|---|---|---|
| Victim |  |  |  |  |
| Targeting Intent |  |  |  |  |
| Tradecraft |  |  |  |  |
| Tooling |  |  |  |  |
| Identity Artifacts |  |  |  |  |
| Infrastructure |  |  |  |  |

## Anticipated Activity

*[Forward-looking analysis of what may come next and the conditions that would shift the picture.]*

**Expected near-term activity:**

**Conditions that would expand or contract the activity:**

## Strategic Analysis (Optional)

*[This section addresses the broader significance of the activity: what the campaign means at a geopolitical, commercial, or ideological level. Include this section only when such analysis is in scope of the report.]*

*[Write a brief prose summary (replacing this bracketed guidance), and capture each strategic implication in the table below. Use the Notes column for the supporting reasoning behind each implication.]*

| Strategic implication | Confidence | Likelihood | Notes |
|---|---|---|---|
|  |  |  |  |
|  |  |  |  |

## Competing Hypotheses (Optional)

*[Produce this section internally if more than one hypothesis is viable. Attach it to the distributed report selectively, when readers benefit from seeing the analytic work behind the conclusion. In practice, analysts often keep this kind of analysis in their working file rather than the reader-facing version.]*

This section uses the [Analysis of Competing Hypotheses (ACH)](https://www.cia.gov/resources/csi/books-monographs/psychology-of-intelligence-analysis-2/) method to evaluate candidate hypotheses against the evidence. In the matrix below, each cell scores whether the evidence is Consistent (C), Inconsistent (I), or Not Applicable (N/A) for that hypothesis. The leading hypothesis is the one with the fewest inconsistencies. Inconsistent evidence carries more weight than consistent evidence: a hypothesis can be consistent with a great deal of evidence and still be wrong, but a single well-established inconsistency can eliminate it.

*[List candidate hypotheses as columns (plausible enough to test) and relevant evidence as rows, such as specific observations, technical findings, victim characteristics, attribution signals, or contextual factors. For example, the evidence "Activity timing aligns with Moscow business hours" is Consistent with a Russian-actor hypothesis and Inconsistent with a Chinese-actor one, but it does not separate Russian from Iranian actors, whose working hours overlap almost entirely. Evidence that scores the same for every hypothesis has no diagnostic value, however compelling it looks on its own.]*

| Evidence | Hypothesis A | Hypothesis B | Hypothesis C |
|---|---|---|---|
|  |  |  |  |
|  |  |  |  |
|  |  |  |  |
|  |  |  |  |
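
*[Added example, not part of the original template: the Python below scores a markdown ACH matrix laid out like the one above. It ranks hypotheses by inconsistency count, flags evidence that does not discriminate between hypotheses, keeps close alternatives as "not ruled out", and lists the evidence the leading hypothesis must explain away, which is the raw material for the fields that follow the matrix. The matrix contents are constructed, and the margin used to keep an alternative in play is an assumed, adjustable threshold.]*

```python
import re

# Constructed example matrix in the same layout as the table above; the
# evidence and hypotheses are invented for illustration.
SAMPLE_MATRIX = """
| Evidence | H1: Russian state actor | H2: Chinese state actor | H3: Financially motivated criminal |
|---|---|---|---|
| Activity timing aligns with UTC+3 business hours | C | I | N/A |
| Victims are regional energy regulators with no monetizable data | C | C | I |
| No ransom demand, extortion, or data sale observed | C | C | I |
| Lure documents written in fluent Russian | C | I | N/A |
| Loader overlaps with a known crimeware family | I | I | C |
| Initial access via spearphishing email | C | C | C |
"""

VALID_RATINGS = {"C", "I", "N/A"}
_SEPARATOR = re.compile(r"^\|[\s:|-]+\|$")


def parse_matrix(markdown: str):
    """Return (hypotheses, evidence) from a markdown ACH matrix, where
    evidence maps each row label to {hypothesis: rating}."""
    rows = [ln.strip() for ln in markdown.strip().splitlines()]
    cells = [[c.strip() for c in r.strip("|").split("|")]
             for r in rows if r.startswith("|") and not _SEPARATOR.match(r)]
    hypotheses = cells[0][1:]
    evidence = {row[0]: dict(zip(hypotheses, row[1:])) for row in cells[1:]}
    return hypotheses, evidence


def score(hypotheses, evidence):
    """Count inconsistencies per hypothesis and flag non-diagnostic evidence.
    Following Heuer, the leading hypothesis is the one with the fewest "I"
    ratings; a row that never separates hypotheses (no mix of C and I)
    adds nothing to the ranking however strong it looks on its own."""
    inconsistencies = {h: 0 for h in hypotheses}
    non_diagnostic = []
    for item, ratings in evidence.items():
        unexpected = set(ratings.values()) - VALID_RATINGS
        if unexpected:
            raise ValueError(f"{item!r}: unexpected rating(s) {sorted(unexpected)}")
        for h, r in ratings.items():
            if r == "I":
                inconsistencies[h] += 1
        if not {"C", "I"} <= set(ratings.values()):
            non_diagnostic.append(item)
    ranked = sorted(hypotheses, key=lambda h: inconsistencies[h])
    return ranked, inconsistencies, non_diagnostic


def summarize(markdown: str, margin: int = 1) -> dict:
    """Produce the material for the fields that follow the matrix. `margin`
    (an assumed, adjustable threshold) decides how close an alternative's
    inconsistency count must be to the leader's to remain "not ruled out"."""
    hypotheses, evidence = parse_matrix(markdown)
    ranked, counts, non_diagnostic = score(hypotheses, evidence)
    leader = ranked[0]
    return {
        "leading_hypothesis": leader,
        "inconsistency_counts": counts,
        "alternatives_not_ruled_out": [h for h in ranked[1:]
                                       if counts[h] - counts[leader] <= margin],
        # Evidence the leader must explain away: the starting point for
        # "What would change the assessment?".
        "leader_inconsistencies": [item for item, r in evidence.items()
                                   if r[leader] == "I"],
        "non_diagnostic_evidence": non_diagnostic,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_MATRIX).items():
        print(f"{key}: {value}")
```

*[The counts are a starting point, not the conclusion: the analyst still weighs how well each inconsistency is established and how easily the adversary could have planted the artifact behind it before writing the confidence and likelihood into the fields below.]*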

*[After completing the matrix above, capture the conclusions in the fields below.]*

**Leading hypothesis:**

*[The hypothesis with the fewest inconsistencies in the matrix above. State your confidence and likelihood. For example, "Hypothesis A (Russian-actor) with high confidence and very likely probability."]*

**Alternative hypotheses not ruled out:**

*[Other candidate hypotheses from the matrix that still have relatively few inconsistencies. The matrix shows the scoring; this field is the analyst's explicit judgment about which alternatives remain serious enough to disclose.]*

**What would change the assessment?**

*[Name the specific evidence that would shift the leading hypothesis. This makes the assessment falsifiable.]*

## About this Report

|  |  |
|---|---|
| **Report title** | |
| **Author(s) and organization** | |
| **Publication date** | |
| **Report classification** | *[Mark the report's sensitivity using your organization's data classification scheme. For external sharing with the security community, [TLP](https://www.first.org/tlp/) is a common option. When recipients need guidance on what to do with the indicators, add a [Permissible Actions Protocol](https://github.com/MISP/misp-taxonomies/tree/main/PAP).]* |
| **Follow-up contact** | *[Specify the person to whom the reader should direct follow-up questions and information requests about this report.]* |

### Report Changelog

| **Date** | **Author** | **Change Description** |
|---|---|---|
|  |  |  |

## References

*[List report-specific references (advisories, vendor blogs, indictments, internal reports) in the first subsection below. Keep primary sources for the frameworks and methodologies cited in the body in the second subsection.]*

### Report-Specific References

*[Add advisories, vendor blogs, indictments, internal reports, and other sources cited in this report's body.]*

### Frameworks and Methodology

- Bianco, David J. "[The Pyramid of Pain](https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html)." *Enterprise Detection & Response* (blog), 1 March 2013 (updated 17 January 2014).
- Forum of Incident Response and Security Teams (FIRST). *[Traffic Light Protocol (TLP) Version 2.0](https://www.first.org/tlp/).* August 2022.
- Heuer, Richards J., Jr. *[Psychology of Intelligence Analysis](https://www.cia.gov/resources/csi/books-monographs/psychology-of-intelligence-analysis-2/).* Washington, D.C.: Center for the Study of Intelligence, Central Intelligence Agency, 1999. Analysis of Competing Hypotheses appears in Chapter 8.
- The MITRE Corporation. *[MITRE ATT&CK®](https://attack.mitre.org).*
- The MITRE Corporation. *[MITRE D3FEND™](https://d3fend.mitre.org).*
- OASIS Cyber Threat Intelligence TC. *[STIX™ Version 2.1](https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html).* OASIS Standard, 10 June 2021.
- Office of the Director of National Intelligence. *[Intelligence Community Directive 203: Analytic Standards](https://www.dni.gov/files/documents/ICD/ICD-203.pdf).* Signed by DNI James R. Clapper, 2 January 2015.
- US Government (Central Intelligence Agency). *[A Tradecraft Primer: Structured Analytic Techniques for Improving Intelligence Analysis](https://www.cia.gov/resources/csi/static/Tradecraft-Primer-apr09.pdf).* March 2009.
- Zeltser, Lenny. "[Six Signals for Threat Attribution](https://zeltser.com/six-signals-for-threat-attribution)." 2026.

## About This Template

This cyber threat intelligence report template was created by [Lenny Zeltser](https://zeltser.com). The template is distributed under the [Creative Commons Attribution 4.0 International License (CC BY 4.0)](https://creativecommons.org/licenses/by/4.0/); reports you create with it are yours to keep private.
