
Analyst Checklist

Purpose

Provide a reusable pre-publication checklist for CTI outputs.

Practitioner-Level Explanation

The checklist is a quality-control tool. It should be used before publishing a report, updating an actor profile, creating a hunt hypothesis, or briefing a decision-maker.

The point is not bureaucracy. The point is to catch unsupported claims, confidence ratings that state no reason, pivots with no stated scope or stopping rule, and broken cross-links before the output becomes operational guidance that the SOC, detection engineering, or IR team acts on.

CTI Relevance

Consistent review improves trust between CTI, SOC, detection engineering, IR, and executive consumers.

Common Mistakes

  • Reviewing only grammar and not evidence.
  • Failing to check links and dates.
  • Not testing whether the output answers the priority intelligence requirement (PIR) or the decision it was requested for.
  • Treating the checklist as optional for urgent work.

Practical Workflow

  1. Confirm the PIR or decision the output is meant to answer.
  2. Check that every major claim carries an evidence label (primary or secondary) and a named source.
  3. Confirm that each confidence rating states the reason behind it.
  4. Check that contradictions and intelligence gaps are stated rather than silently dropped.
  5. Verify that cross-links resolve and that dates are correct and current.
  6. Confirm the downstream action is realistic for the team expected to carry it out.
  7. Record reviewer and review date.

Example / Mini Case

Before sending an executive note about a campaign, the analyst verifies that actor attribution does not rest only on overlap in ATT&CK techniques (a weak signal shared by many actors), that each source is primary or clearly labeled as secondary, and that the recommendation is feasible for the SOC.
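The seven workflow steps and the mini case above can be run mechanically over a structured draft before a human reviewer reads it. The following is an added example written for this page, not a tool from the original site or any CTI platform. It assumes a hypothetical report structure (a dict with pir, claims, gaps, links, dates, and recommendation keys), a local index of known cross-link targets, and an evidence "kind" field so that attribution resting only on ATT&CK overlap can be flagged as in the mini case. The sample report, link index, actor name, and dates are constructed for illustration.

```python
"""Pre-publication checklist run over a structured CTI output (added example)."""
from __future__ import annotations

from datetime import date

# Evidence labels the page accepts: primary, or clearly labelled secondary.
EVIDENCE_LABELS = {"primary", "secondary"}
# Assumption for this example: evidence kinds too weak to carry attribution alone.
WEAK_ATTRIBUTION_KINDS = {"attck-overlap"}
# Assumption: defensive action types that are in scope for a SOC recommendation.
ALLOWED_ACTIONS = {"detect", "hunt", "block", "monitor", "brief"}


def run_checklist(output: dict, link_index: set[str], today: date, reviewer: str) -> dict:
    """Apply the workflow steps and return a review record shaped like the Output Artifact."""
    findings: list[str] = []

    # Step 1: the output must name the PIR or decision it answers.
    if not output.get("pir"):
        findings.append("PIR: no requirement or decision stated")

    # Steps 2 and 3: every major claim needs a labelled source and a reasoned confidence.
    for claim in output.get("claims", []):
        text = claim.get("text", "<unnamed claim>")
        evidence = claim.get("evidence", [])
        if not evidence:
            findings.append(f"Evidence: claim has no source: {text}")
        for ev in evidence:
            if ev.get("label") not in EVIDENCE_LABELS:
                findings.append(f"Evidence: source {ev.get('source')!r} lacks a primary/secondary label on: {text}")
        if claim.get("confidence") and not claim.get("confidence_reason"):
            findings.append(f"Confidence: {claim['confidence']!r} stated without a reason on: {text}")
        # Mini case: attribution must not rest only on ATT&CK technique overlap.
        if claim.get("type") == "attribution":
            kinds = {ev.get("kind") for ev in evidence}
            if kinds and kinds <= WEAK_ATTRIBUTION_KINDS:
                findings.append(f"Evidence: attribution rests only on ATT&CK overlap: {text}")

    # Step 4: gaps and contradictions must be visible, not dropped.
    if not output.get("gaps"):
        findings.append("Gap: no intelligence gaps or contradictions recorded")

    # Step 5: cross-links must resolve; dates must parse and not lie in the future.
    for link in output.get("links", []):
        if link not in link_index:
            findings.append(f"Cross-link: unresolved reference {link!r}")
    for name, value in output.get("dates", {}).items():
        try:
            d = date.fromisoformat(value)
        except (TypeError, ValueError):
            findings.append(f"Date: {name} is not ISO-8601: {value!r}")
            continue
        if d > today:
            findings.append(f"Date: {name} is in the future: {value}")

    # Step 6: the recommendation must be defensive, in scope, and owned by a real team.
    rec = output.get("recommendation", {})
    if rec.get("action") not in ALLOWED_ACTIONS:
        findings.append(f"Action: recommendation type {rec.get('action')!r} is out of scope")
    if not rec.get("owner"):
        findings.append("Action: recommendation has no owner")

    # Step 7: record who reviewed it and when, then decide.
    return {
        "output_id": output.get("id"),
        "reviewer": reviewer,
        "review_date": today.isoformat(),
        "findings": findings,
        "verdict": "Approved" if not findings else "Changes Required",
    }


# Constructed sample draft: the attribution claim, one link, and one date are deliberately bad.
SAMPLE_OUTPUT = {
    "id": "CTI-EXEC-0001",
    "pir": "Is the retail business unit at elevated risk from this campaign this quarter?",
    "claims": [
        {"text": "Campaign targets retail POS environments", "type": "observation",
         "confidence": "high", "confidence_reason": "three primary incident reports",
         "evidence": [{"source": "IR-2024-017", "label": "primary", "kind": "incident"}]},
        {"text": "Activity attributed to ACTOR-PLACEHOLDER", "type": "attribution",
         "confidence": "moderate", "confidence_reason": "",
         "evidence": [{"source": "vendor blog", "label": "secondary", "kind": "attck-overlap"}]},
    ],
    "gaps": ["No visibility into the initial access vector"],
    "links": ["actor-profile/ACTOR-PLACEHOLDER", "report/CTI-2024-011"],
    "dates": {"published": "2024-05-02", "last_observed": "2024-06-30"},
    "recommendation": {"action": "hunt", "owner": "SOC", "text": "Hunt for POS lateral movement."},
}
LINK_INDEX = {"actor-profile/ACTOR-PLACEHOLDER"}  # constructed: only one target exists
TODAY = date(2024, 5, 10)                           # constructed review date

if __name__ == "__main__":
    for line in run_checklist(SAMPLE_OUTPUT, LINK_INDEX, TODAY, "analyst-a")["findings"]:
        print(line)
```

Run as a script it prints four findings for the sample draft (a confidence rating without a reason, an attribution resting only on ATT&CK overlap, an unresolved cross-link, and a future date) and returns a "Changes Required" verdict; removing those defects yields an empty findings list and "Approved". The checks are deliberately structural: they cannot judge whether a source is trustworthy, only whether the analyst has labelled it, so the human review steps still apply.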

Analyst Checklist

  • Does the output answer the requirement?
  • Are major claims source-backed?
  • Are gaps visible?
  • Are cross-links working?
  • Is the recommendation within scope and defensive?

Output Artifact

Output ID:
Reviewer:
Review Date:
PIR Answered:
Evidence Check:
Confidence Check:
Gap Check:
Cross-Link Check:
Decision / Action Check:
Approved / Changes Required:
