CTI Foundations
PIRs, evidence labels, source reliability, confidence language, and finished intelligence discipline.
From threat intelligence research to defensible analytic judgment, hunting hypotheses, and detection-ready outputs.
This project turns practitioner CTI writing into a structured field manual. It is designed for analysts who need to move from collection requirements to evidence handling, attribution, infrastructure pivots, actor profiles, hunt hypotheses, detection engineering, SOC handoff, and executive communication.
It is not a blog archive and not a beginner glossary. The manual emphasizes defensible reasoning, explicit uncertainty, reproducible outputs, and operational usefulness.
Assumptions, gaps, alternative hypotheses, contradiction handling, and Sherman Kent-style rigor.
ATT&CK, Kill Chain, Diamond Model, and Pyramid of Pain as working tools, not decoration.
How to weigh tooling, infrastructure, victimology, timing, language, and competing hypotheses.
How to move from one IOC to a defensible cluster while preserving limitations and uncertainty.
Convert intelligence into telemetry requirements, hunting hypotheses, detection logic, SOC handoff, and readiness levels.
Define PIRs and SIRs. Rate sources. Extract claims. Label evidence. Document assumptions and gaps. Build competing hypotheses. Map behavior only when supported. Convert findings into telemetry requirements, hunts, detection candidates, SOC handoff notes, and executive-ready judgments.
Use the role-based reading paths, the authoritative bibliography, and the publication-grade review backlog when reviewing the manual as a professional artifact.
Source register, evidence register, actor profile, infrastructure pivot log, collection gap register, hunting hypothesis, detection backlog item, SOC handoff note, and finished intelligence report.
This manual complements Customer-Driven AI CTI Project, Israel Government Threat Actors CTI, and HexStrike AI Guide. It focuses on analyst tradecraft rather than one sector knowledge base, one delivery methodology, or one tooling guide.
All material is public, defensive, and TLP:CLEAR oriented. The project excludes malware source code, exploit instructions, leaked data, credentials, victim-sensitive information, and operational instructions for unauthorized access.