
2.1.1.

1
Stakeholder(s) 2.1.1.2.1
Who
1.1.3.3.2.1
Long-Term 2.1.1.2.2
Who the What
1.1.3.3.2 1.1.3.3.2.2
Stakeholder(s) are
Focus Medium-Term
6.x.x
2.1.1.2.3
Clear 1.1.3.3.2.3
Short-Term
Where
1.1.3.1 2.1.1.2
Define 5W+H
6.x.x
1.1.1 Personas 2.1.1.2.4
1.1.3.3.1.1
6.1.1.1
Measurable Identify Why
Strategic
Product / Stakeholders
Service 1.1.3.3.1
Level
1.1.3.3.1.2
Operational
2.1.1.2.5
6.x.x
6.x.x When
Correlated to Who they are
6.1.1.2 Decision(s) Good 1.1.3.1.3

The Mind Map of Intelligence Architecture


6.x.x 6.1.1 Tactical / Technical 2.1.1.2.6
CSIRT Intel Learning what the How
Program Related to 1.1.2 Stakeholder(s) really
6.x.x 1.1.3.2.1 wants to know
6.x.x
Vulnerability Frictionless Access Role & Function
Management 6.1.1.3 Management
Author: Freddy Murre
1.1.3.2.2
2.1.1.3.1
Process Experience
Strategic
6.x.x
6.x.x Do we
Risk Meaningful have access 1.1.3.2.3
Professional Qualifications
Management

6.x.x 6.x.x
Version: 0.7.24 July 2021 1.1.3
1.1.3.2
Create Profile
1.1.3.2.4
Cyber Security Focus
Stakeholders
or their focus
2.1.1.3
Level
2.1.1.3.2
Operational

Anti-Fraud 6.x.x What we Creating and Analysing Cards Changed? 2.1.1.3.3

Internal can Count Stakeholder Profiles 1.1.3.2.5


Intelligence Requirements
Tactical
6.1.4.1 6.x.x (Why? and What?)
HR 6.x.x 1.1.3.2.6 Their Priority
Revenue Saved / Lost 6.x.x
Product Requirements and Focus
2.1.1.3.4
6.1.4.2.1 Output, Not 6.x.x 2.1.1 Technical
Downtime 6.x.x
Impact Bad
Process & 1.1.3.3
Direction
Directors / Map / Track 1.1.3.2.7

6.1.4.2.2
6.1.4.x
New Intel from cases Managers
Procedures Requirements Intelligence Ingestion
Resources to 6.x.x 2.1.1.4

Address Breach Too Tactical / Decision(s)


6.x.x The concerns we 2.1.1.5.1.1
6.1.4.2 Technical for need to address
Mean Cost of Breach C-Suite 1.1.3.4 1.1.3.4.1
Product Type
6.1.4.2.3
your boss' boss 1.1 Stakeholder Attitude / Impact
Customers Lost
6.1.4.4
6.x.x
Board
6.1.x Stakeholder Matrixes 1.1.3.4.2
Decision(s)
Supported 2.1.1.5.1.2
Feedback 6.x.x Power / Interest 2.1.1.5.1
Time
6.1.4.2.4
Incident Criticality Impacted by CTI
Source
Measures of
6.x.x
Management Explicit
Reputational Effect Performance 1.1.4.1

Types Planning 2.1.1.5 2.1.1.5.1.3


6.1.4.5 6.x.x Boundaries OR
1.1.4 Format
Mean time to Detect (MTTD) Government 6.x.x

Entities Measures of Planning the 1.1.4.2 2.1.1.5.2

Effectiveness Engagement Info package Implicit 2.1.1.5.1.4


6.1.4.6 Language
Mean time to Respond (MTTR) 6.x.x (When? How?)
Vendors 6.x.x
1.1.4.3

MOST VALUE/ Suggestions 2.1.1.5.1.5


6.1.4.x External How we will engage, for IRs Policies, Regulations & Laws
DIFFICULT Leadership Initiated Change 6.x.x x.x
who will lead the engagement,
Sector / Technical when, and to whom, with what
Industry key messages and channels
6.1.4.x
Risk Reduced by CTI x.x 2.1.2.1.1
6.x.x 6.1.2.1 Analytical Email
Collaborative 1.1.5 2.1.2.1.2.1
6.1.4.x
Physical Engaging Analogue
Networks 6.x.x
Inform New/Existing Risks Meeting x.x 6.x.x 6.x stakeholders (Do)
2.1.2.1.2
People/Networking Skills & Product
Competencies People Resources 2.1.2.1.2.2
6.1.4.x 6.1.2.2 What difference is the Digital
Impact to Reputation Email x.x
engagement making?
5.1.1.x
Communication Feedback with 2.1.2.1

6.1.2.3 Format
Approaching 6.1.4.x
Level of Preparedness Call x.x 6.x.x Adjustments 1.1.6
Stakeholders Organizational Feedback Develop Criteria 1.1.6.1 2.1.2.1.3.1

6.1.4.x 6.1.2.4 Structuring & and Improvements for Effectiveness


Identify Value What format 2.1.2.1.3
Individual(ly) or Groups(s)
the product should Briefing
5.1.1.x Overall Intelligence Program Value Chat 6.1.2 Process Tracking
x.x be disseminated 2.1.2.1.3.2
Dissemination 5.1.1 Feedback Survey Tools Online or Offline
Policy 6.1.4.x 6.1.2.5 6.x.x
Process & Non-Sec projects Supported by CTI Product Type Feedback
Who the Stakeholders
are and what
1.2.2.1.1 2.1.2.2 2.1.2.1.4
x.x 1.2.1.1 Technical Latest Time Information Feed
x.x Procedures Spreadsheet Generation they Care About
Procedures is Of Value
Technical 5.1.1.x 6.1.2.6 6.x.x 1.2.1
Templates Survey Process 1.2.2.1.2
x.x Technology 1.2.1.2 Analytical When the
x.x 6.1.4.8 Statistical SW 6.x.x Process Maturity
Analytical 5.1.1.x False Positive Ratio 6.1.2.7 product should 2.1.2.3.1
Feedback 1.2.2.1.3 be delivered Direct
Feedback IRM Data Store People / Networking
x.x Routines 6.1.4.8 System 2.1.2
People / % of Incorrect Intel 1.2.2.1 2.1.2.3 2.1.2.3.2

Networking Skills & 1.2.2.1.4 Dissemination Dissemination Delivery Liaison


6.1.2.8 6.x.x Competencies Knowledge Management
5.1.x 6.1.4.9
API
x.x Countermeasures Enacted
Feedback 2.1.2.3.3
Knowledge
Skill & Analysis 1.2.2 1.2.2.2 1.2.2.1.5 Technological /
Management Competencies 5.1.x 5.1 People Skills Matrix & Contextual Domain Integration
6.1.4.10 How the
Gaps analysis
People Resources New IOCs Detected 6.1.x.x Product should
x.x Measure of 1.2.2.1.6 be Delivered
Communication 1.2.2.3 Communication & Organizational
5.1.x 6.1.4.11 Performance Available 2.1.2.4.1
Available New Incidents Discovered from TI (MoP) 6.1 Sensitivity
x.x
Organizational
MOST VALUE/ 6.1.4.xx
6.1.x Actively gather 1.2.3.2.1 2.1.2.4 2.1.2.4.2
Intelligence Accuracy Measure 1.2 1.2.3.1 TIP TLP / Classification Recipients
EASY
Type Feedback & Intel Mgmt
6.1.4.xx
6.1.x.x
Measure of Metrics
6.x.x
...
Resource 1.2.3.2.1
Analysis Tool 2.1.2.4.3
Mitigation Effect 1.2.3 What Classification Tearline
5.1.x
Effectiveness 6.x Management
1.2.3.2
Analysis the product should
5.2.1
Sharing Technology be Disseminated with
Background
System 5.1.x 6.1.4.xx
(MoE) 6.x.x
... Feedback 1.2.3.3.1 1.2.3.3.1.1
Intelligence Usability 1.2.3.3 IOC's MISP
5.2.2
Expectations 5.1.x
Technology Plan Sharing
1.2.3.3.2 2.1.3.1.1.1.1
6.x.x
Tracking 6.1.4.xx 6.1.5.1 TTP's & Insights 2.1.2.5 Who?
Intelligence Impact Communicate Time vs Resource vs
Yearly
5.2.3 5.x.x System Results 1.2.3.3.3.1
Quality
Interests Stakeholder(S) How did 1.2.3.3.3 Wiki 2.1.3.1.1.2
6.1.4.xx 6.1.5.2 6.1.5 we do? Knowledge & Intelligence What?
5.2.4
% of Alerts Created from TI Quarterly
Cadence Refining existing IRs, Available
Resources
1.2.4.1
Internal
1.2.3.3.3.x
Database
Agenda 1.2.4 2.1.3.1.1.3
6.1.4.xx 6.1.5.3 developing new ones, Sources & Access 1.2.4.2.1
Liaison
2.1.3.1.1
Descriptive When?
% of Incidents initiated based on TI Per Release 1.2.4.2
5.2.5
Capability
5.2.1
Strategic
or re-tasking External
2.1.3.1.1.4
6.1.5.4 1.2.5 1.2.4.2.2 Where?
Risk Ad-Hoc Funding Procurement
5.2.2 5.x.x 2.1.3.1
Operational Stakeholder 6.1.4.12
Analytical Spectrum 2.1.3.1.1.5

Levels # of Incidents Identified 6.2.3 1.3 How?


5.2.3 5.x.x Constructive? 6.2 Intelligence 1.3.1 1.3.2.1
Tactical Audience 6.1.4.12
IR Overview Stakeholders
Operations
# of Incidents Worked
6.2.4 Evaluate Requirements 1.3.2.2
2.1.3.1.2
Explanatory
2.1.3.1.2.1
Why?
5.2.4 1.3.2 Resources
Technical 6.1.4.13 6.2.5.1 Useful? Feedback Management Map IRs 1.3.2.3
# of GW, FW & AV Detections Action
6.2.5 6 1 (IRM) 1.3.3
Timeline 2.1.3.1.3
Evaluative
2.1.3.1.3.1
What Does it Mean?
6.1.4.14 6.2.5.2 Actionable? Prioritize IRs 1.3.2.4
5.3.1
High
# of Products Created Inaction How well
did we do?
Feedback/ Intelligence Quality
Type of
Prioritized analysis 2.1.3.1.4 2.1.3.1.4.1

5.3.2
Medium
5.x.x
Stakeholder
6.1.4.15
# of IOC Generated Tasking Management Intel Requirements
1.4.1
Estimative What Happens Next?

Priority 6.3.1 Services


Knowing your audience/stakeholders will help you answer these questions:
6.1.4.16 New
- Stakeholder(s) Capacity to Process # of Control Gaps Identified
1.4 1.4.2
5.3.4 5.x.x
6.3 2.1.3.2.1

- How does the audience take in and absorb information? Low Internal / 6.3.2 Production Product Portfolio Exploration

- How much time does your primary audience have to digest your product?
External LEAST VALUE/ 6.1.4.16 Adjust Immediate
EASY # of Feeds Ingested Requirements 1.4.3 2.1.3.2.2
- Should the output be a short, focused article for a senior decision maker or a longer piece with more detail that will serve a more operational audience? Tasking Templates / Style Guides Diagnostic
6.3.3
- Is there more than one primary customer? 5.x.x 6.1.4.18 What we
Meeting # of RFI's Answered 6.4.1.1 Stop will be producing 1.4.3 2.1.3.2 2.1.3.2.3
- Is there a need to develop different products in different formats? Intelligence Too Late Reporting Matrix SATs Reframing
5.x.x 5.x.x
- What is the appropriate language and vocabulary? Requirements
Issue AIMS 6.1.4.18
# of Fulfilled IRs 6.4.1.2
1.5 2.1.3.2.4
- Outputs
- How many and what types of products do you need to plan for?
5.x.x
Providing On Time Analysis 2.1.3
Foresight
Value 6.1.4.18

- What exactly will be available to your end users? # of New IRs Generated 6.4.1.3 6.4.1
What can
Management Analysis 2.1.3.2.5
Too Early Timeliness Combination Decision Support
- Does your audience need the raw data? we do better? 1.6.1
of SATs
5.x.x 6.1.4.17
How we will Coverage
- Where and how will you store them after they are released? Clarity 5.x.x
Summarize
# of Views 6.4.1.4
Analyse
Not at All
- Format of key message in one 5.x.x
5.x.x
Message 6.1.4.18 1.6.2 2.1.3.3.1
- What is the likely format of the main message and its storyline? Relevance Sentence Adapt
# of Downloads 1.6 Gaps
- How can you adapt your narrative into a format or structure the end users are accustomed to (PowerPoint, briefs, large reports, etc.)? 5.x 6.4.2.1 6.4.2 Long-Term
5.x.x
5.x.x
Quality
5.x.x
Storyline 6.1.4.19 Correct? Accuracy Collection 2.1.3.3 2.1.3.3.2
- Will the message be clearest through a map, a briefing or a report? Brevity Control Dissemination Survey Medium-Term Tool(s) Build
- Is the customer more likely to use a hard or soft copy of a product? Management 1.6.3
Plan Short-Term Risk Type of
- Should it be colour or black and white? 5.x.x
Security 5.x.x
6.4.3.1
Tool(s)
2.1.3.3.3

- Should the product be short or long, in paragraphs or bullets, with few or many visuals? Timely
Fit for Purpose 6.4.3
6.4 Intelligence & How and What
we will Collect
Buy
Content 2.1.3.4
- Is it possible to capture the essence of your message in one or a few graphics? 5.x.x
Ease of 5.x.x
6.4.3.3
Relevance Define Production Skills / Knowledge
- Should your findings be summarized in an executive summary? Tied to IRs
Assimilation 5.x.x
Threat
Relevant 5.x.x
6.4.4 Necessary Requirements 1.7 2.1.3.5.1
- Communicate Uncertainty Actionable 2.1
Hunters
5.x.x Format Changes Expectation 1.7.1
Success Criteria
Intel cycle
- How will you communicate uncertainty in your graphics and your narrative? Accurate RFI/Task Dialogue
- What is the best way to report and communicate on the limitations of your analysis? 5.x.x 5.x.x
6.4.5 Management 2.1.3.5 2.1.3.5.2
SOC Blue Team
5.x.x
5.x.x
6.4.6.1 Delivery (Internal AND External) Intel Model(s) Cyber Kill Chain
- Is your audience accustomed to statistical terms or do you need to use more qualitative terms to reflect on confidence and probability levels? Pull vs What Good
Consumable Streamline Combination
- How will you differentiate between facts and assumptions? 5.x.x
IRT
5.x.x
Red Team Push looks like
of Intel Model(s)
2.1.3.5.3
Diamond Model
6.4.6
- Dissemination strategy 6.4.6.2
Workflow &
1.8.1
Update Prepare for Unexpected
- How will your end users access your outputs? 5.x.x
5.x.x Process 1.8 1.8.2.1

- How will you share and document data and methods to ensure transparency and the possibility to verify or reproduce results?
Purple Team
CSIRT / CDC .. Measures of Performance
6.4.6.3
Automate
What can Metrics 1.8.2
Standards 2.x.1.1 2.1.4.1
- Do you need to attach raw data, reference documents and other supporting evidence to your document and presentation? 5.x.x
Improve?
1.8.2.2 Dissemination Intel Gaps
- What are the protective measures you need to implement and communicate in case of sensitive information? Forensics Management 1.8.3
Measures of Effectiveness
6.4.7.1
- Who needs to receive the final output? 5.x.x Scales 2.x.2.1
Production
Data, information, or

White Team Doable 6.4.7


How and What
Intelligence needed
- Who else needs to be aware it exists? 5.x.x Decipher we will Measure
2.1.4.2.1
Internal
2.x.1
- Branding Security 6.4.7.2
Process / Procedures
2.x.1.3 2.1.4.2

Engineers 5.x.x Undoable 1.9.1 1.9.1.1


Who's asking Analysis Sources
- How will the final product be branded? IT Security Staffing Skills Matrix for what,
2.1.4.2.2
1.9 External
- Will names or logos be included in the end-product? 5.x.x by when, 2.x.2.4 2.x.2.1.1

- How do you want the document to be further quoted?


Security 5.x.x
Risk Mgmt 6.5.1
Program 1.9.2 etc Collection Technical
Architects Funding & Budgets 2.1.4 How and Where
- How will you acknowledge external support from specific organisations or people? Lessons Management 2.x.2.5 2.x.2.1.2 Collection
to get it
2.1.4.3.1

ACAPS - The Analysis Canvas 5.x.x Identified 6.5 1.9.3 Tracking Analytical Build
Vulnerability Roadmap & Development
Mgmt 6.5.2
Implement 2.x.2.1.3 2.1.4.3 2.1.4.3.2
1.9.4 People / Networking Access Develop
Lessons Integrations 2.x.2.1
5.x.x Skills &
Anti-Fraud Learned 1.10 Competencies 2.x.2.1.4 2.1.4.3.3

5.x.x 2.x Knowledge Management 2.1.4.4 Buy


Internal Maturity Processing
5.x.x
Insider Management Resources 2.x.2
People
2.x.2.2
Skills Matrix 2.x.2.1.5
Contextual Domain
Threat Mgmt 2.1.4.5
2.x.2.2 Time
Available 2.x.2.1.6
5.x.x Communication & Organizational
HR 2.x.3.1
Ticketing & 2.x.3.2.1 2.1.5.1
5.x.x Tracking system Manual Question(s) Rephrased
PR
2.x.3.2 2.x.3.2.2 2.1.5.2
5.x.x Collection Semi-Automatic
5.x.x Decision(s) Supported
CFO Directors /
5.x.x Managers 2.x.3.2.3 2.1.5.3
CRO What resources Automatic Time
we have available
5.x.x 5.x.x
CISO C-Suite 2.1.5.4
2.x.3 Product Type
5.x.x
CIO 5.x.x
Technology 2.x.3.3.1
2.1.5
Spreadsheet
Board Read-Back 2.1.5.5
5.x.x Quality
CEO
5.x.x
Shareholders
5 Intelligence 2
2.x.3.3
Data Store
2.x.3.3.2
TIP
2.1.5.6
Expectation Management
NCSC
5.x.x 5.x Dissemination Architecture Direction 2.x.1
2.x.3.3.3
DataBase
5.x.x 5.x.x
Recipients Specific 2.1.6
2.1.5.7
Metrics
Law 2.x.3.3.4 Adjust if needed
Government 2.x.2 Ticketing / Tracking
Enforcement
Entities Measurable 2.1.5.8

5.x.x 2.x Write-up of the agreed


5.x.x 2.x.3.3.5
point
Intelligence 5.x.x
External Intelligence 2.x.3 Wiki
Services Vendors Actionable
Requirements 2.x.4
5.x.x
ISACs
5.x.x Relevant 2.x.3.4.1
Spreadsheet
Sector /
5.x.x
Industry 2.x.4
ISAOs Timely 2.x.3.4.2
5.x.x Link Charting
..
Collaborative 2.x.3.4
Networks 2.2.1 Analysis 2.x.3.4.3

Known Knowns TIP


What we Know
we Know 2.x.3.4.4
5.5.1 Analysis Tool
5.4.x.1
Direct 2.2.2
Analogue Known Unknowns 2.x.3.4.5
5.4.x What we know
5.5.2 Production
Product Liaison we don't know
5.4.x.2 2.2
Digital
5.4.x 5.5.3 5.x.x Intelligence Gaps 2.2.3
Unknown Unknowns
Phone Collaborative Delivery x.x x.x 2.x.3.5.1
Workspace Analytical Analysis What we don't know IOC's
5.4.x Type Standards we don't know
Messaging 5.5.4 x.x 2.2.4 2.x.3.5.2
Service Database x.x
Process & Unknown Knowns
2.x.3.5
TTP's & Insights
Templates Dissemination
Procedures What we don't know
5.4.x 5.5.5 x.x we know 2.x.3.5.3

Email API x.x


Production Knowledge & Intelligence
5.4.x.1 Style Guides
Personal
5.4.x
IRs - Basic Int
Briefing x.x
= Intel gaps 2.3.1
5.4.x.2 Estimative
Group 5.x.x Language Organize & Prioritize 2.3.1.1.1
5.4.x 5.x Decision Support
Newsletter Delivery List of all 2.3.1.1

Format Delivery Intelligence


Requirements
Stakeholder(s)
2.3.1.1.2
5.4.x Stakeholder(s) Topic(s) of
2.3.2
Website / Concern
Page
x.x
Prioritized Intelligence
Technical
Requirements (PIR)
5.x.x
5.4.x x.x

Blog Delivery Analytical Broken down Into

Variance 2.3 2.3.3


2.3.1.2.1
One Question
5.4.x
Social People /
x.x
Intelligence Specific Intelligence
Networking Requirements (SIR) 2.3.1.2 2.3.1.2.2
Networks
5.6.1
Requirements Questions and Topics Focused
x.x Broken down Into
5.4.x Long-Term / Knowledge
x.x
Skills & Development 2.3.1.2.3

Conferences, Annually Management Competence 2.3.4 Single Decision


forums, Essential Elements
x.x x.x x.x Answers we
of Intelligence (EEI)
events 5.6.2
Contextual
Need to
Medium-Term / People Resources Find
5.4.x
Domain
Quarterly x.x
Feed
x.x Availability
Communication
5.4.x 5.6.3
Flat Files 2.3.1
Short-Term / x.x Type of Product / Service
Monthly / 5.x.x Organizational
Weekly / Delivery 2.4
.. 2.3.2
Daily Cadence Product(s) & Service(s) Timeline
5.6.4 x.x Management 2.3.3
On-Demand Concepts & Work Order
Ideas What we will
5.6.5 x.x
Spreadsheet Organizer produce by when, etc
Ad-hoc
x.x
5.6.5 x.x
Analysis 2.5
Near Link Charting
Real-Time
Tools Analysis Management
x.x
Analysis Tools x.x
Word What we type of
analysis we will use
Processing
5.7.1 4.x.x
TLP Issue Definition /
x.x
Grammar &
x.x 2.6
5.7.2
Technology Terms of Reference
NATO 5.7 Language Collection Management
5.7.3 Classification / x.x
4.x.x
FOUO / Source & Concept Paper Who, What, Where, Where and how

SBU
Restrictions Reference
we will find

x.x Management 4.x.x 4.x


When, Why, How Answers

5.7.4 Political Research Methods


Encryption x.x x.x Analysis Plan / 3.1.3.1
2.7
Visualization Presentation
x.x 4.x.x Road Map 3.1.1
PIRs, SIRs, EEIs
Tracking of IRs, ICPs,
Military Qualitative vs Background &
x.x x.x
Quantitative
3.1.3.2 Prod plans,
5.x.1 Intelligence Analysis Justification Sources
Automated x.x
Sharing
Disseminations, etc.
Feedback Economic x.x 4.x.x 3.1.3.3

5.x Knowledge & Insights 3.1.2 Technique / Technology


Research Plan Basic Intelligence
5.x.2
Hybrid
Enable x.x x.x 3.1 & Knowledge Gaps 3.1.3.4
How we will Manage &
Direct the Process
Social PMESII Resources
Feedback Feedback / (ICP) Intelligence
Metrics x.x Collection Plan 3.1.3 3.1.3.5
Product(s)
5.x.3
Infrastructure Activity Plan
Manual
Feedback 3.1.3.6 3.2.1.1.1

x.x Stakeholder(s) Case/Incident Handling

5.8 Information
x.x 3.1.3.7 3.2.1.1.2

Deliver Disorder Influencing Factors


3.2.1.1
Red Teaming
Internal Investigations
4.1.1.1 x.x 3.1.3.8 3.2.1.1.3

5.9 Reconnaissance Simple / Obvious Timeliness Purple Teaming


3.2.1.2
Security Solutions
Integrate 4.1.1.2 4.1.2.1 x.x
x.x
3.2.1.1.4

Weaponization Adversary Complicated Cynefin Threat Hunting


3.1.4.1 3.2.1.3
3.1.4
Tracking, Updating Logs
4.1.1.3 4.1.2.2 x.x 3.2.1 3.2.1.1.3
Collection Manager
Delivery Capability 4.1.x Complex Systems & Re-Tasking Internal Insider Threat
3.2.1.4
Diamond Model How & What Apps / Programs Physical Security
4.1.1.4 4.1.2.3 x.x to Collect
Exploitation Infrastructure Chaotic Systems Merges & Acq
3.2.1.5
Users HR
4.1.1.5 4.1.2.4
Installation Victim 3.2.2.2.1 Governance Risk Compl
Sharing Groups
4.1.x.1 4.1.x
4.1.1.6 3.2.2.1

Command & Control Intelligence Log Logging / Registration Vendors 3.2.2.2.2


Chat Rooms
4.1.1.7 4.1.x 4 3.2.2.2

Actions on Objectives Systematization 3 3.2.2


Cooperative Networks 3.2.1.1.3
Industry Contacts
Processing / External
4.1.x Collection 3.2.2.3
OSINT 3.2.1.1.4

4.1.3.1
Categorization Analysis 3.2.2.4
Trusted Non-public
Relationships
4.1.x
Initial Access Government Entities
Cyber Kill Chain 4.1.x
4.1.3.2 Grouping
Execution 3.2.3.1
4.1.x Reporting Entity
4.1.3.3
Selection 4.1 3.2
Persistence 3.2.3.2.1
Author's knowledge
4.1.x
Collation Sources 3.2.3.2
Reporting Author of the topic
4.1.3.4
Privilege Escalation Entity Recognition
4.1.3.5
4.1.x .. 3.2.3 3.2.3.3.1
Methodology Described?
Defense Evasion Source Reliability
Structuring
4.1.3.6 3.2.3.3 3.2.3.3.2

Credential Access 3.2.4 Methodology Methodology Robust?


4.1.x Source Relevance
4.1.3.7 New Intelligence / 3.2.3.3.3

Discovery Collection / Technology Reporting Selective?


3.2.5

4.1.3.8
Requirements Source Prioritized
Lateral Movement 3.2.3.4.1
4.1.x Where to
Collect From 3.2.6 To inform
4.1.3.9 Mitre Source Development
Collection 3.2.3.4 3.2.3.4.2
3.3.2.1.1 Agendas or Purpose Media/Marketing Effort
4.1.3.10 Technical
Command & Control x.x 3.3.1.1
4.3.3.2.1.1 Induction 3.3.1 Analysis 3.2.3.4.3
Sorting x.x 4.2.1.1
Process & 3.3.2.1.2 (Geo)Political
4.1.3.11 Observation Admiralty Scale Analytical
Exfiltration x.x
4.2.1 Procedures 3.3.1.2
4.3.3.2.1.2 Deduction Models
Ranking, Scoring & x.x x.x 4.2.1.2 Source / Info Evaluation 3.3.2.1.3

Prioritizing 4.1.3.12 Hypothesis Reasoning 5x5x5 People / Networking 3.2.3.5.1

Impact x.x Admiralty Scale


4.3.3.2.1 Abduction 4.2.2 4.2 3.2.3.5
4.3.3.2.1.3 Getting x.x 3.3.2.1 3.3.2.1.4 Source Evaluation
Matrices Organized Prediction Levels of Confidence Evaluation Skills & Knowledge Management 3.2.3.5.2
x.x
Competencies 5x5x5
4.3.3.2.1.4 Scientific Method 3.3.2
Process Maps x.x
4.2.3 People 3.3.2.1.5
Experiment 3.3.2.2 Contextual Domain
4.3.3.2.1.5
Initial Deception Detection Available
Gantt Charts x.x
Analysis
3.3 3.3.2.1.6
Communication &
Resources Organizational
Pivoting and
x.x 4.3.1.1
New Collection
4.3.3.2.2.1 Conclusion Descriptive
Simple Brainstorming Requirements
4.3.1.2 3.3.3.2.1
4.3.3.2.2.2
Explanatory 4.3.1 3.3.3.1 Manual
Cluster Brainstorming Ticketing &
x.x Analytical Spectrum Tracking system
Search & Filter 4.3.1.3 3.3.3.2.2 3.3.3.2.2.1
4.3.3.2.2.3
Evaluative Semi-Automatic Hunchly
CircleBoarding
x.x 3.3.3.2

4.3.3.2.2
Read & Extract x.x 4.3.1.4 Collection 3.3.3.2.3 3.3.3.4.7
4.3.3.2.2.4
Exploration SAT Bottom-Up Estimative Automatic IntelOWL
Starbursting
x.x
Schematize 3.3.3.2.4
4.3.3.2.2.5 Processing
MindMaps
x.x x.x
Build Case SenseMaking 4.3.2.1
4.3.3.2.2.6
Traditional Analysis 3.3.3
Concept Maps Technology 3.3.3.3.1
Spreadsheet
4.3.2.2
4.3.3.2.2.7 x.x
Available Knowledge
Venn Analysis Re-Evaluate 3.3.3.3.2
4.3.3.1.1
4.3.2 TIP
Key Stakeholder(s) & 4.3.2.3
Intelligence Requirement(s) x.x
Past Experience System 1 Thinking 3.3.3.3
Search for Support Data Store 3.3.3.3.3
DataBase
4.3.3.2.3.1 4.3.3.1.2 4.3.2.4
Key Assumptions Check (KAC) Finding and Assessing Evidence 4.3.3.1 x.x x.x
Mental Models
Critical Thinking / Search for Evidence Top-Down 4.3 3.3.3.3.4
Ticketing / Tracking
4.3.3.2.3.2 4.3.3.1.3 Expert Judgement 4.3.2.5
Analysis
Multiple Hypothesis Generation Building an Argument x.x
Cognitive Bias
Search for Relations 3.3.3.3.5
Wiki
4.3.3.2.3.3 4.3.3.1.4
Diagnostic Reasoning Communicating your Message x.x

Effectively Search for Information


Mirror Imaging Bias 4.3.3.2.3.4 3.3.3.4.1
4.3.3.2.3
Analysis of Competing Hypothesis Spreadsheet
Diagnostic SAT
(ACH)
Confirmation Bias 4.3.3.2.3.6.1 Which Resources
MOM to Collect with 3.3.3.4.2
4.3.3.2.3.5 Link Charting
Inconsistencies Finder 3.3.3.4
Vividness Bias 4.3.3.2.3.6.2 Collection Analysis
POP 3.3.3.4.3
4.3.3.2.3.6 TIP Platform
Evidence Deception Detection
Acceptance 4.3.3.2.3.6.3

Bias MOSES 4.3.3.x 3.3.3.4.4


4.3.3.2.3.7
Slow Strategic Analysis Tool
Chronologies and Timelines
Hindsight Bias 4.3.3.2.3.6.4
EVE 4.3.3.x
4.3.3.2
Structured Analytical Deliberate 3.3.3.5.1 3.3.3.5.1.1
4.3.3
IOC's MISP
4.3.3.2.4.1 Techniques (SAT) 4.3.3.x System 2 Thinking
Outside-in Thinking Conscious Reasoning 3.3.3.5
Collection Sharing 3.3.3.5.2
TTP's & Insights
4.3.3.2.4.2 4.3.3.x
Structured Analogies Analytic 4.4 3.3.3.5.3 3.3.3.5.3.1

4.3.3.2.4.3 Integration Knowledge & Intelligence Wiki


High Impact /
Anchoring Effect Low Probability 4.5.1 Synthesis
Analysis GAP Analysis
Desire for Coherence and x.x
Uncertainty Reduction 4.3.3.2.4.4 Report 4.5

Mental Shotgun
"What If?" Analysis 4.3.3.2.4
Reframing SAT
4.3.3.3.1
Computer-Based tools using
4.3.3.3
Quasi-Quantitative 4.5.1
Interpretation
x.x
4.3.3.2.4.5 expert-generated data Analysis Presentation " So What?"
Classic Quadrant Crunching
Associative Memory 3.4.1.1
x.x Validity / Accuracy of
4.3.3.2.4.6 Email x.x Information
Premature Closure Premortem Analysis 4.3.3.4.1
Strategic
Data-Based Computer Tools 3.4.1
x.x x.x Source & 3.4.1.2
4.3.3.4
4.3.3.2.4.7 Blog Post Type x.x Reliability of Source
Groupthink Structured Self-Critique Empirical Analysis Operational Information Validity
4.3.3.4.2
Visualization Techniques x.x x.x 3.4.1.3
Groupthink 4.3.3.2.4.8 Article x.x Date & time
Red Hat Analysis Tactical Meet Intelligence
x.x Requirements
Availability Heuristic x.x Conversation x.x
Reported Information Technical 3.4.2.1
x.x Technology Based
Satisficing 4.3.3.2.5.1
Key Uncertainties Finder x.x Stakeholder
Analysis 3.4.2 3.4.2.2
x.x x.x Normalize Hybrid
4.3.3.2.5.2
Stakeholder's Terms x.x
Key Drivers Generation x.x x.x Format & Template
Key Takeaways BLUF / Executive Summary Detail Level 3.4.3 3.4.2.3

3.4 Enrich Human Based


4.3.3.2.5.3
Multiple Scenarios Generation
4.3.3.2.5
x.x
Objectives / Intent
x.x
Introduction Processing 3.4.7

4.3.3.2.5.4 Foresight SAT Send to Analysis


Indicators Generation and x.x x.x x.x

Validation Risk Analysis Business Impact Discussion & Analysis 3.4.4


Structure &
4.3.3.2.5.5 x.x x.x x.x x.x Deduplicate
Indicators Evaluation Capabilities Conclusion Structure x.x
Product
x.x
Production Combine & Link
3.4.5

Recommendations x.x
x.x
4.3.3.2.6.1 Threat Level Service 3.4.6
Opportunities Incubator x.x x.x
New / remaining
Broad Threat Context Legend & Methodology
x.x Gaps
4.3.3.2.6.2 Assessment &
SWOT Analysis x.x
Estimation Language x.x
How to counteract Attachments x.x

4.3.3.2.6.3 x.x
Length
Impact Matrix Confidence x.x
4.3.3.2.6 References
Decision
x.x.x.x 4.3.3.2.6.4
Team A/B Analysis Support SAT
Decision Matrix

x.x.x.x
4.3.3.2.6.5 x.x x.x
Devil's Advocacy Terminology Clear
Force Field Analysis

x.x.x.x
4.3.3.2.6.6 x.x x.x
Multiple Pros-Cons-Faults-and-Fixes Focus Concise
Scenario
Generation
x.x x.x
Assessments & Correct
Estimative Language
x.x x.x
Customized Language
x.x
Complete

x.x
Coherent

x.x
Conversational
x.x
Cyber Kill Chain

x.x x.x
Diamond Model Models & Graphs
x.x
Mitre ATT&CK x.x.x
TLP
x.x.x
NATO 4.x
x.x.x Classification
x.x
FOUO / SBU
Compelling
x.x
x.x x.x Tear-Line
Tied to VALUE Telling a Story
x.x
Call to Action
