Training · Threat Intelligence · Strategic + Operational + Tactical

From IOC list to board briefing. Same evidence, three registers.

A practitioner CTI programme that trains the three levels of intelligence as distinct disciplines. Source evaluation. Diamond Model analysis. Attribution caution. Audience-fit reporting. Twelve weeks of structured analytic tradecraft, on real intel feeds and real engagement telemetry.

The CTI training gap

Most "threat intel" courses are IOC management with a different cover sheet.

Real CTI is an analytic discipline. It evaluates sources, applies structured techniques, separates confidence from attribution, and writes for the right audience. Most curricula stop at "subscribe to the feed and import the STIX bundle." That is plumbing, not analysis.

01

Levels conflated

Tactical IOCs, operational TTPs, and strategic posture get mixed in the same report. A board reads what an analyst should have read; an analyst gets language the board needed.

02

No source discipline

A free-tier feed and a partner-shared internal report get treated as equally trustworthy. Without admiralty-style grading, the analyst has no defensible confidence figure.

03

Attribution as marketing

Public reporting routinely conflates "consistent with" with "attributed to". Practitioners absorb the bad habit. We drill the difference until it stops happening.

The three-level structure

Same evidence. Three audiences. Three registers. One pipeline.

The programme drills each level as a distinct discipline with its own consumer, its own tradecraft, its own product format — and the pipeline that connects them so a single evidence base feeds the analyst console, the operations centre, and the boardroom.

Figure: CTI three-level funnel. Raw signals at the top, then tactical, operational, and strategic intelligence; each layer has its consumer, its tradecraft, its product format.

  • Raw signal: feeds · OSINT · internal telemetry · partner intel (unevaluated · ungraded · uncorroborated)
  • Tactical: IOCs · signatures · YARA · Sigma · STIX bundles. Consumer: SOC analyst · detection engineer · TAW workbench. Cadence: hours. Output: machine-ingestable feeds.
  • Operational: campaigns · adversary profiles · TTP analyses · attribution caveats. Consumer: IR lead · SOC manager · CISO direct report. Cadence: days–weeks. Output: written intel products.
  • Strategic: sector trends · geopolitical posture · regulatory horizon. Consumer: CISO · CRO · audit committee · board. Cadence: quarterly. Output: short briefings · long memos.

Analytic tradecraft applied at every layer: Diamond Model · ACH · F3EAD. 12-week programme · weekly analytic product submission.

What you do on the programme

Twelve weeks of analytic work. Twelve intel products in your portfolio.

Evaluate every source

CIA-style admiralty grading on every input. Source reliability and information credibility scored, defended, re-scored as new evidence arrives.

Apply structured analytic techniques

ACH (Analysis of Competing Hypotheses). Key Assumptions Check. Devil's Advocacy. Red-team review. The toolkit professional analysts use to keep themselves honest.

Map every campaign to ATT&CK

TTPs at sub-technique grain. Diamond Model fills for adversary, infrastructure, capability, victim. Confidence figures defensible against peer review.

Separate confidence from attribution

Estimative-language discipline (probable / likely / virtually certain). High-confidence does not mean "attributed". The two concepts live on different axes.

Write to three audiences

A boardroom briefing isn't a longer version of a SOC bulletin. Each register has its own length, vocabulary, structure, and what-not-to-say.

Defend your product under questioning

Every weekly intel product is workshopped in cohort review. Your sources, your confidence, your attribution claims — defended on the record.

Sample week · Source evaluation + analytic tradecraft · week 5 of 12

The week your output gets harder to refute.

A representative tradecraft week. The work shifts from collecting evidence to grading it, weighing competing hypotheses against it, and defending your conclusions in cohort review.

  1. Monday

    Admiralty grading

    Score every source on your desk against the NATO admiralty scale (A–F reliability, 1–6 credibility). Defend the grade you assigned the partner-shared report against the cohort.

  2. Tuesday

    Diamond Model fills

    Take a recent campaign report. Fill the Diamond Model — adversary, infrastructure, capability, victim — without conflating "consistent with" and "attributed to". Identify the corners that are weakly supported.

  3. Wednesday

    Analysis of Competing Hypotheses

    Build the ACH matrix for an ambiguous incident. List hypotheses, list evidence, score consistency. The point isn't to pick a winner — it's to make the evidence work harder.

  4. Thursday

    Key Assumptions Check + Red-team review

    Take Wednesday's ACH. Surface every assumption it rested on. Run a red-team review with a different analyst. Watch your high-confidence conclusion become a medium-confidence one.

  5. Friday morning

    Write the weekly intel product

    A short operational-level product on the incident from earlier in the week. Estimative language. Confidence stated. Attribution carefully phrased. Audience: SOC manager.

  6. Friday afternoon

    Cohort review

    Every cohort member presents. Two peers play hostile reader. Your phrasing, your sourcing, your confidence figures are picked apart on the record. The misses are graded harder than the hits.

Tooling coverage

The platforms, formats, and frameworks the practising community runs on.

Intel platforms

MISP, OpenCTI, and the TAW Threat Analyst Workbench. Ingestion, scoring, sharing, and pivot — read and write.

Exchange formats

STIX 2.1 and TAXII 2.1 at byte level. Author bundles. Read other people's bundles. Argue about their indicator-pattern syntax.

OSINT toolchain

Maltego transforms. SpiderFoot. Shodan. Censys. Public dataset triage with command-line tools.

Frameworks

CERT-In / NCIIPC advisory, Diamond Model and MITRE ATT&CK + Navigator. Used to structure analysis, not as marketing labels.

Analytic techniques

ACH. Key Assumptions Check. Devil's Advocacy. Pre-mortem. Outside View. Memorised, drilled, applied weekly.

Grading + tradecraft

CERT-In TLP, NCIIPC CII categorisation. NATO Admiralty grading and ICD 203 estimative language as the international tradecraft baseline. Each used until it is second nature.

Writing tools

A structured intel-product template library covering tactical bulletins, operational briefs, and strategic memos. Audience-specific style guides.

Bibliographic discipline

Citation manager workflow. Source-corroboration matrices. The boring craft that makes an intel product survive a regulator review.

What you walk away with

An analyst who can defend the words on the page they wrote.

Twelve-product portfolio

A tactical bulletin, an operational brief, a strategic memo, and weekly analytic products. Show them at interview.

Defensible analytic practice

You can show the source grades, the ACH matrices, and the key-assumption checks behind every conclusion you reach.

TAW workbench fluency

You enter your first analyst role already fluent in the workbench paradigm (see Products → TAW). One less three-month ramp.

Hiring pipeline access

Direct routes into BFSI threat-intel teams, sector-CSIRT analyst roles, sovereign intel cells, MSSP CTI desks.

Drilled against

  • CERT-In · NCIIPC
  • RBI · SEBI · IRDAI sharing tiers
  • Diamond Model
  • Cyber Kill Chain
  • MITRE ATT&CK · F3EAD
  • NATO Admiralty Code
  • ICD 203 · TLP · STIX 2.1

Practice

"Confidence is a number. Attribution is an argument. The day you stop confusing the two is the day you start writing intel products that survive a regulator review."
Threat Intel Training · analytic principle
The case for separating estimative confidence from attribution claims.

Twelve weeks. Three registers. One defensible analyst.

Weekend and weekday cohorts. Corporate cohorts on request. The weekly intel-product workload is real; budget eight to ten hours per week outside the cohort sessions.