generating-threat-intelligence-reports
Generating Threat Intelligence Reports
When to Use
Use this skill when:
- Producing weekly, monthly, or quarterly threat intelligence summaries for security leadership
- Creating a rapid intelligence assessment in response to a breaking threat (e.g., new zero-day, active ransomware campaign)
- Generating sector-specific threat briefings for executive decision-making on security investments
Do not use this skill for raw IOC distribution — use TIP/MISP for automated IOC sharing and reserve report generation for analyzed, finished intelligence.
Prerequisites
- Completed analysis from collection and processing phase (PIRs partially or fully answered)
- Audience profile: technical level, decision-making authority, information classification clearance
- TLP classification decision for the product
- Organization-specific reporting template aligned to audience expectations
Workflow
Step 1: Determine Report Type and Audience
Select the appropriate intelligence product type:
Strategic Intelligence Report: For C-suite, board, risk committee
- Content: Threat landscape trends, adversary intent vs. capability, risk to business objectives
- Format: 1–3 pages, minimal jargon, business impact language, recommended decisions
- Frequency: Monthly/Quarterly
Operational Intelligence Report: For CISO, security directors, IR leads
- Content: Active campaigns, adversary TTPs, defensive recommendations, sector peer incidents
- Format: 3–8 pages, moderate technical detail, mitigation priority list
- Frequency: Weekly
Tactical Intelligence Bulletin: For SOC analysts, threat hunters, vulnerability management
- Content: Specific IOCs, YARA rules, Sigma detections, CVEs, patching guidance
- Format: Structured tables, code blocks, 1–2 pages
- Frequency: Daily or as-needed
Flash Report: Urgent notification for imminent or active threats
- Content: What is happening, immediate risk, what to do right now
- Format: 1 page maximum, distributed within 2 hours of threat identification
- Frequency: As-needed (zero-day, active campaign targeting sector)
Step 2: Structure Report Using Intelligence Standards
Apply intelligence writing standards from government and professional practice:
Headline/Key Judgment: Lead with the most important finding in plain language.
- Bad: "This report examines threat actor TTPs associated with Cl0p ransomware"
- Good: "Cl0p ransomware group is actively exploiting CVE-2024-20353 in Cisco ASA devices to gain initial access; organizations using unpatched ASA appliances face imminent ransomware risk"
Confidence Qualifiers (use language from DNI ICD 203):
- High confidence: "assess with high confidence" — strong evidence, few assumptions
- Medium confidence: "assess" — credible sources but analytical assumptions required
- Low confidence: "suggests" — limited sources, significant uncertainty
Evidence Attribution: Cite sources using reference numbers [1], [2]; maintain source anonymization in TLP:AMBER/RED products.
Step 3: Write Report Body
Use structured format:
Executive Summary (3–5 bullet points): Key findings, immediate business risk, top recommended action
Threat Overview: Who is the adversary? What is their objective? Why does this matter to us?
Technical Analysis: TTPs with ATT&CK technique IDs, IOCs, observed campaign behavior
Impact Assessment: Potential operational, financial, reputational impact if attack succeeds
Recommended Actions: Prioritized, time-bound defensive measures with owner assignment
Appendices: Full IOC lists, YARA rules, Sigma detections, raw source references
Step 4: Apply TLP and Distribution Controls
Select TLP based on source sensitivity and sharing agreements:
- TLP:RED: Named recipients only; cannot be shared outside briefing room
- TLP:AMBER+STRICT: Organization only; no sharing with subsidiaries or partners
- TLP:AMBER: Organization and trusted partners with need-to-know
- TLP:GREEN: Community-wide sharing (ISAC members, sector peers)
- TLP:WHITE/CLEAR: Public distribution; no restrictions
Include TLP watermark on every page header and footer.
Step 5: Review and Quality Control
Before dissemination, apply these checks:
- Accuracy: Are all facts sourced and cited? No unsubstantiated claims.
- Clarity: Can the target audience understand this without additional context?
- Actionability: Does every report section drive a decision or action?
- Classification: Is TLP correctly applied? No source identification in AMBER/RED products?
- Timeliness: Is this intelligence still current? Events older than 48 hours require freshness assessment.
Key Concepts
| Term | Definition |
|---|---|
| Finished Intelligence | Analyzed, contextualized intelligence product ready for consumption by decision-makers; distinct from raw collected data |
| Key Judgment | Primary analytical conclusion of a report; clearly stated in opening paragraph |
| TLP | Traffic Light Protocol — FIRST-standard classification system for controlling intelligence sharing scope |
| ICD 203 | Intelligence Community Directive 203 — US government standard for analytic standards including confidence language |
| Flash Report | Urgent, time-sensitive intelligence notification for imminent threats; prioritizes speed over depth |
| Intelligence Gap | Area where collection is insufficient to answer a PIR; should be explicitly documented in reports |
Tools & Systems
- ThreatConnect Reports: Built-in report templates with ATT&CK mapping, IOC tables, and stakeholder distribution controls
- Recorded Future: Pre-built intelligence report templates with automated sourcing from proprietary datasets
- OpenCTI Reports: STIX-based report objects with linked entities for structured finished intelligence
- Microsoft Word/Confluence: Common report delivery formats; use organization-approved templates with TLP headers
Common Pitfalls
- Writing for analysts instead of the audience: Technical detail appropriate for SOC analysts overwhelms executives. Maintain strict audience segmentation.
- Omitting confidence levels: Statements presented without confidence qualifiers appear as established facts when they may be low-confidence assessments.
- Intelligence without recommendations: Reports that describe threats without prescribing actions leave stakeholders without direction.
- Stale intelligence: Publishing a report on a threat campaign that was resolved 2 weeks ago creates alarm without utility. Include freshness dating on all claims.
- Over-classification: Applying TLP:RED to information that could be TLP:GREEN impedes community sharing and limits defensive value across the sector.