█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/Threat Intelligence/Writing a Threat Intelligence Report
60 minIntermediate

Writing a Threat Intelligence Report

After this lesson, you will be able to: Write a threat intelligence report on a real publicly-documented threat group, structured the way mature CTI teams deliver to leadership.

The CTI report is the deliverable. This lesson teaches the report structure that gets read by execs, and walks you through producing one on a documented group.

Prerequisites:OSINT Tools for Threat Intel

Why the report format matters

CTI work is judged on the report. A great investigation summarised in a confusing report is useless. A clear, well-structured report on a modest finding gets action and budget. Mature CTI teams (Mandiant, Microsoft Threat Intelligence, CrowdStrike) all use roughly the same structure. Learn it once; use it forever.

The standard CTI report structure

Use this exact outline for every report. Copy + adapt.

tsx
# Threat Profile: <Group Name> (<Aliases>), <Report Date>
## Executive Summary
2-3 sentences. Who they are, what they target, why we care about them now.
## Key Judgements
3-5 bullet points. Confidence-rated assertions an exec can absorb in 30 seconds.
- 'We assess with HIGH confidence that <X>...'
- 'We assess with MODERATE confidence that <Y>...'
## Attribution and Background
Who the group is, suspected origin, history of campaigns. Cite sources (Mandiant, CrowdStrike, CISA, MITRE).
## Targeting
Which industries, geographies, and victim profiles the group prefers.
## TTPs (ATT&CK Mapping)
List of MITRE ATT&CK techniques the group uses. Group by tactic. Include sub-technique IDs.
## Recent Activity
Dated bullet points of campaigns or notable incidents in the last 12 months.
## IoCs
A table: type, value, source, first seen. Hashes / IPs / domains / emails.
## Defensive Recommendations
Concrete, prioritised actions. Map each to an ATT&CK technique you're closing.
## Sources
Footnoted references. Public CTI is built on public sources; cite them.

Write a report on APT29 (Cozy Bear) end-to-end

APT29 is among the most-documented threat groups. Use the public reporting to author your first report.

  1. 1

    Read the MITRE ATT&CK G0016 page for APT29 (canonical TTP list)

  2. 2

    Read CISA's most recent APT29 advisory (cisa.gov, search 'APT29')

  3. 3

    Read Mandiant's APT29 reports (mandiant.com/resources)

  4. 4

    Read Microsoft Threat Intelligence's NOBELIUM / Midnight Blizzard posts (this is APT29's Microsoft tag)

  5. 5

    Fill in each section of the template above using sourced material. Cite every claim.

  6. 6

    In 'Defensive Recommendations', tie each to an APT29 technique. e.g., 'enable PowerShell logging and Constrained Language Mode (defends T1059.001)'

  7. 7

    Length target: 4-6 pages. Anything shorter misses something; longer overwhelms readers.

💡 Confidence language is non-negotiable

Use the ICA (Intelligence Community Assessment) confidence language: HIGH, MODERATE, LOW. An analyst who says 'they will probably attack us in Q3' is making a forecast without quantifying belief; an analyst who says 'We assess with MODERATE confidence that APT29 is shifting tradecraft toward cloud identity providers' invites scrutiny and accountability. Confidence language is what makes CTI a profession rather than a blog.

Common mistakes only experienced CTI analysts catch

Conflating speculation with assessment. If you can't cite it, label it as analyst comment, not a finding. Burying the lede. Every report should answer 'so what' in the executive summary. Sharing PII or victim data without sanitisation. CTI products often circulate widely; treat them as if a reporter will read them. Forgetting the defensive recommendations. CTI without action items is news, not intelligence. Citing tweets as authoritative. Use them as starting points; verify in primary sources before they enter the report.

Quick Check

What's the difference between intelligence and information?

Pick the cleanest answer.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←OSINT Toolkit: Shodan, Censys, VirusTotal, URLscan
Back to Threat Intelligence
Threat Feeds and ISACs→