Assumptions and Gaps
Purpose
Define how to document assumptions and intelligence gaps so they improve analysis instead of weakening it invisibly.
Practitioner-Level Explanation
An assumption is something the analyst accepts provisionally in order to reason forward. A gap is information that is needed to answer the requirement but is not currently available. Both must be visible in the product, not carried silently in the analyst's head.
A mature CTI product does not hide gaps. For each gap it states whether the gap blocks the judgment, limits confidence, or only creates a collection task.
CTI Relevance
Assumption and gap handling is essential for attribution, threat prioritization, infrastructure clustering, and detection engineering. It tells downstream teams what can be trusted and what still needs validation.
Common Mistakes
- Treating assumptions as facts.
- Using gaps as excuses to avoid judgment.
- Failing to distinguish blocking gaps from nice-to-have gaps.
- Not assigning owners or collection paths to gaps.
Practical Workflow
- List assumptions before writing the judgment.
- Identify gaps during source extraction.
- Classify gaps as blocking, confidence-limiting, or contextual.
- Assign collection options.
- Update the judgment if a key assumption fails.

Example / Mini Case
A report describes an actor targeting telecom providers. The analyst assumes that similar exposure may exist in a local telecom environment. That assumption is acceptable only if it is labeled as one. The gaps are whether the local environment has the same exposed service, the telemetry to observe it, and the same supplier relationship; until those are collected, the judgment about local risk carries them as explicit limits on confidence.
Analyst Checklist
- Are assumptions explicitly named?
- Are gaps classified by impact?
- Is there a collection path?
- Does the confidence statement reflect the gaps?
- Are stale assumptions reviewed?
Output Artifact
Assumption ID:
Statement:
Why Needed:
Risk if Wrong:
Gap ID:
Gap Type: (blocking / confidence-limiting / contextual)
Collection Path:
Owner:
Due Date:
Effect on Confidence:
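The workflow and the output artifact above can be enforced rather than merely documented: a judgment that cites an assumption or gap not present in the register is rejected, every open gap becomes a collection task with an owner, and the confidence the product may carry is derived from the gap types. The register below is an added example written for this page, not a tool from the original text, and it uses the telecom mini case as its constructed input. The rule that an open confidence-limiting gap caps confidence at "moderate", and the owners, dates and identifiers A1 and G1..G3, are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class GapType(Enum):
    BLOCKING = "blocking"                          # judgment cannot be made until closed
    CONFIDENCE_LIMITING = "confidence-limiting"    # judgment possible, confidence is capped
    CONTEXTUAL = "contextual"                      # useful background, no effect on confidence


@dataclass
class Assumption:
    id: str
    statement: str
    why_needed: str
    risk_if_wrong: str
    holds: Optional[bool] = None   # None = not yet tested, False = shown to be wrong


@dataclass
class Gap:
    id: str
    gap_type: GapType
    collection_path: str
    owner: str
    due_date: str
    resolved: bool = False


@dataclass
class Judgment:
    text: str
    depends_on: List[str]    # assumption ids the judgment rests on
    gaps: List[str]          # gap ids that bear on the judgment
    base_confidence: str     # confidence the evidence would support with every gap closed


CONFIDENCE_RANK = {"low": 0, "moderate": 1, "high": 2}
CAP_WITH_OPEN_LIMITING_GAP = "moderate"   # assumed house rule for this example, not from the page


class Register:
    def __init__(self, assumptions: List[Assumption], gaps: List[Gap]) -> None:
        self.assumptions: Dict[str, Assumption] = {a.id: a for a in assumptions}
        self.gaps: Dict[str, Gap] = {g.id: g for g in gaps}

    def evaluate(self, j: Judgment) -> dict:
        # A judgment may only cite registered assumptions and gaps: an unregistered id
        # is exactly the invisible assumption this structure exists to prevent.
        missing = [a for a in j.depends_on if a not in self.assumptions] + \
                  [g for g in j.gaps if g not in self.gaps]
        if missing:
            raise KeyError(f"judgment cites unregistered items: {missing}")

        failed = [a for a in j.depends_on if self.assumptions[a].holds is False]
        untested = [a for a in j.depends_on if self.assumptions[a].holds is None]
        open_gaps = [self.gaps[g] for g in j.gaps if not self.gaps[g].resolved]

        # Every open gap becomes a collection task with an owner and date, blocking ones first.
        order = [GapType.BLOCKING, GapType.CONFIDENCE_LIMITING, GapType.CONTEXTUAL]
        tasks = [f"{g.id} ({g.gap_type.value}): {g.collection_path} -> {g.owner} by {g.due_date}"
                 for g in sorted(open_gaps, key=lambda g: order.index(g.gap_type))]

        if failed:                       # a key assumption fell: withdraw the judgment and re-assess
            status, confidence = "reassess", None
        elif any(g.gap_type is GapType.BLOCKING for g in open_gaps):
            status, confidence = "blocked", None
        elif any(g.gap_type is GapType.CONFIDENCE_LIMITING for g in open_gaps):
            status = "judged"
            confidence = min(j.base_confidence, CAP_WITH_OPEN_LIMITING_GAP, key=CONFIDENCE_RANK.get)
        else:
            status, confidence = "judged", j.base_confidence

        return {"status": status, "confidence": confidence, "failed_assumptions": failed,
                "untested_assumptions": untested, "collection_tasks": tasks}


def telecom_case() -> Register:
    """Constructed entries for the page's telecom mini case; owners, dates and ids are illustrative."""
    return Register(
        assumptions=[Assumption("A1", "Local telecom environment shares the reported exposure",
                                "Needed to turn reported targeting into a local risk statement",
                                "Priority raised for a threat that cannot reach us")],
        gaps=[Gap("G1", GapType.BLOCKING, "Asset inventory: is the reported service exposed here?",
                  "attack-surface team", "2024-06-07"),
              Gap("G2", GapType.CONFIDENCE_LIMITING, "Confirm telemetry covers that service",
                  "detection engineering", "2024-06-14"),
              Gap("G3", GapType.CONTEXTUAL, "Check supplier overlap with the reported victims",
                  "third-party risk", "2024-06-28")])


TELECOM_JUDGMENT = Judgment("The reported telecom campaign is a near-term threat to this environment",
                            depends_on=["A1"], gaps=["G1", "G2", "G3"], base_confidence="high")
```

Evaluating `TELECOM_JUDGMENT` against `telecom_case()` returns status `blocked` while G1 is open, `judged` at `moderate` once G1 is resolved but G2 remains, and `high` only when both are closed; setting `holds = False` on A1 flips the status to `reassess` regardless of the gaps. The `untested_assumptions` list stays in the output even when confidence is high, which is the point: a judgment that rests on an unverified assumption says so every time it is rendered.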