Confidence Language
Purpose
Explain how to use confidence language in CTI without confusing confidence with probability.
Practitioner-Level Explanation
Confidence communicates the analyst's trust in a judgment based on evidence quality, source access, corroboration, analytic consistency, and known gaps. It does not mean probability. A high-confidence judgment can still be wrong if new evidence appears. A low-confidence judgment can still matter if the potential impact is severe.
This manual uses High, Medium, and Low confidence. Each confidence statement must include the reason. Confidence without a reason is decoration.
CTI Relevance
Confidence language allows CTI teams to be useful without overclaiming. It gives SOC, IR, detection, and executive consumers enough context to decide how much weight to place on a judgment.
Common Mistakes
- Using confidence words as tone rather than analytic method.
- Equating high confidence with certainty.
- Writing probability numbers without calibration.
- Changing confidence to satisfy a stakeholder preference.
Practical Workflow
- State the judgment.
- Identify evidence supporting the judgment.
- Identify evidence weakening or contradicting it.
- Assess source reliability and information credibility.
- Assign confidence.
- Write the confidence reason in plain language.
- Define what evidence would change the confidence level.

Example / Mini Case
Weak: "We assess with high confidence that Actor X is responsible."
Better: "We assess with medium confidence that the activity aligns with Actor X reporting because tooling, targeting, and timing match two reliable vendor reports. Confidence is limited because no unique infrastructure overlap or internal forensic artifact is available."
Analyst Checklist
- Is confidence attached to a specific judgment?
- Is the reason explicit?
- Are gaps and contradictions included?
- Could another analyst challenge the judgment from the evidence record?
- Is confidence separated from probability?
Output Artifact
Judgment:
Confidence: High / Medium / Low
Evidence Supporting:
Evidence Limiting:
Source Reliability:
Information Credibility:
Alternative Hypotheses:
What Would Change Confidence:
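
The checklist and template above can be checked mechanically. The Python linter below is an added example, not part of this manual: it parses a record in the Output Artifact layout and reports empty fields, a confidence value other than High, Medium, or Low, and probability figures mixed into the record. The probability pattern and the sample values for fields the mini case does not cover are assumptions constructed for illustration.

```python
import re

# Field labels copied from the Output Artifact template above.
FIELDS = ["Judgment", "Confidence", "Evidence Supporting", "Evidence Limiting",
          "Source Reliability", "Information Credibility",
          "Alternative Hypotheses", "What Would Change Confidence"]
LEVELS = {"high", "medium", "low"}
# Assumption: a percentage or "N in M" odds counts as an uncalibrated probability.
PROBABILITY = re.compile(r"\b\d{1,3}\s?%|\b\d+\s+in\s+\d+\b", re.I)


def parse_artifact(text):
    """Split 'Label: value' lines into a dict; other lines continue the last field."""
    record, current = {}, None
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep and label.strip() in FIELDS:
            current = label.strip()
            record[current] = value.strip()
        elif current and line.strip():
            record[current] = (record[current] + " " + line.strip()).strip()
    return record


def lint_artifact(text):
    """Return a list of findings; an empty list means the record passes these checks."""
    record = parse_artifact(text)
    findings = [f"missing or empty: {f}" for f in FIELDS if not record.get(f)]
    level = record.get("Confidence", "")
    if level and level.lower() not in LEVELS:
        findings.append("Confidence must be exactly High, Medium, or Low")
    for field, value in record.items():
        if PROBABILITY.search(value):
            findings.append(f"probability figure in {field}: keep it out of confidence")
    return findings


# Constructed samples based on the mini case; values the page does not give are invented.
WEAK = "Judgment: Actor X is responsible.\nConfidence: High"
BETTER = """Judgment: The activity aligns with Actor X reporting.
Confidence: Medium
Evidence Supporting: Tooling, targeting, and timing match two reliable vendor reports.
Evidence Limiting: No unique infrastructure overlap or internal forensic artifact.
Source Reliability: Both vendors have a reliable reporting record.
Information Credibility: Details are consistent across both reports.
Alternative Hypotheses: Another actor using the same tooling.
What Would Change Confidence: Infrastructure overlap or an internal forensic artifact."""
```

The linter only checks that the record is complete and well-formed; whether the stated reason actually supports the confidence level remains a peer-review question.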