After this lesson, you will be able to: Write a threat intelligence report on a real publicly-documented threat group, structured the way mature CTI teams deliver to leadership.
The CTI report is the deliverable. This lesson teaches the report structure that gets read by execs, and walks you through producing one on a documented group.
CTI work is judged on the report. A great investigation summarised in a confusing report is useless. A clear, well-structured report on a modest finding gets action and budget. Mature CTI teams (Mandiant, Microsoft Threat Intelligence, CrowdStrike) all use roughly the same structure. Learn it once; use it forever.
Use this exact outline for every report. Copy + adapt.
# Threat Profile: <Group Name> (<Aliases>), <Report Date>## Executive Summary2-3 sentences. Who they are, what they target, why we care about them now.## Key Judgements3-5 bullet points. Confidence-rated assertions an exec can absorb in 30 seconds.- 'We assess with HIGH confidence that <X>...'- 'We assess with MODERATE confidence that <Y>...'## Attribution and BackgroundWho the group is, suspected origin, history of campaigns. Cite sources (Mandiant, CrowdStrike, CISA, MITRE).## TargetingWhich industries, geographies, and victim profiles the group prefers.## TTPs (ATT&CK Mapping)List of MITRE ATT&CK techniques the group uses. Group by tactic. Include sub-technique IDs.## Recent ActivityDated bullet points of campaigns or notable incidents in the last 12 months.## IoCsA table: type, value, source, first seen. Hashes / IPs / domains / emails.## Defensive RecommendationsConcrete, prioritised actions. Map each to an ATT&CK technique you're closing.## SourcesFootnoted references. Public CTI is built on public sources; cite them.
APT29 is among the most-documented threat groups. Use the public reporting to author your first report.
Read the MITRE ATT&CK G0016 page for APT29 (canonical TTP list)
Read CISA's most recent APT29 advisory (cisa.gov, search 'APT29')
Read Mandiant's APT29 reports (mandiant.com/resources)
Read Microsoft Threat Intelligence's NOBELIUM / Midnight Blizzard posts (this is APT29's Microsoft tag)
Fill in each section of the template above using sourced material. Cite every claim.
In 'Defensive Recommendations', tie each to an APT29 technique. e.g., 'enable PowerShell logging and Constrained Language Mode (defends T1059.001)'
Length target: 4-6 pages. Anything shorter misses something; longer overwhelms readers.
Conflating speculation with assessment. If you can't cite it, label it as analyst comment, not a finding. Burying the lede. Every report should answer 'so what' in the executive summary. Sharing PII or victim data without sanitisation. CTI products often circulate widely; treat them as if a reporter will read them. Forgetting the defensive recommendations. CTI without action items is news, not intelligence. Citing tweets as authoritative. Use them as starting points; verify in primary sources before they enter the report.
Pick the cleanest answer.
Sign in and purchase access to unlock this lesson.