Israel Government Threat Actors CTI

This documentation organizes public-source threat intelligence for defensive use by Israeli government and public-sector defenders.

CTI Ecosystem

This knowledge base is the Israel-focused actor and sector layer of a three-book CTI ecosystem. Use CTI Project Ecosystem to navigate between the books.

Reading Order

  1. Threat Model
  2. Source Rating
  3. Actor Index
  4. Actor Navigation Workbench
  5. TTP To Detection Matrix
  6. Surface And Capability Matrix
  7. Connected TIPs And CTI Feeds
  8. VirusTotal Malware Enrichment
  9. Intelligence Update Queue
  10. Report Index
  11. CTI-to-Detection Operating Standard
  12. Threat Hunting Workflow
  13. Detection Lifecycle
  14. Scored source library in sources/
  15. Detection examples in detections/sigma/ and detections/kql/

Operating Rules

  • Analysts MUST distinguish source facts from analytic inference.
  • Analysts SHOULD cite at least one source record for every actor claim.
  • Detections MUST be validated against local telemetry before production deployment.
  • IOC matches SHOULD be treated as leads, not final attribution.
  • Threat hunts SHOULD start from a PIR, scenario, and evidence record.
  • Production coverage MUST NOT be claimed below DRL-9.