RedSheep Security
Foundations — Lesson 10 of 10

Writing Your First Intel Report

Writing effective intelligence reports is one of the most critical skills a CTI analyst can develop. No matter how thorough the analysis or how significant the findings, intelligence that is poorly communicated fails to achieve its purpose — informing decisions. This lesson covers the fundamentals of intelligence writing: understanding your audience, choosing the right report type, structuring content for maximum impact, using confidence language correctly, applying Traffic Light Protocol (TLP) markings, and crafting recommendations that drive action.

Learning Objectives

  • Identify different report types and when each is appropriate
  • Apply the BLUF (Bottom Line Up Front) writing principle
  • Structure intelligence reports for clarity and impact
  • Use ODNI ICD 203 confidence language accurately
  • Apply TLP markings correctly according to the FIRST.org standard
  • Write actionable recommendations that enable decision-making

Audience Analysis: Who Reads This?

Before writing a single word, the analyst must answer: Who is the consumer of this intelligence, and what decisions will they make based on it?

Different audiences need fundamentally different products:

Audience | What They Need | Language Level | Format Preference
--- | --- | --- | ---
Executive leadership (CISO, CIO, CEO) | Strategic risk context, business impact, resource decisions | Non-technical, business-focused | Brief, visual, BLUF-heavy
Security operations (SOC, IR) | Actionable IOCs, detection signatures, response procedures | Highly technical, precise | Detailed, structured, machine-readable IOCs
Threat hunters | TTPs, behavioral patterns, hypotheses to investigate | Technical with analytic context | Moderately detailed, ATT&CK-mapped
Risk management / compliance | Threat landscape trends, regulatory implications | Semi-technical, risk-framework language | Periodic assessments, trend analysis
Partner organizations / ISACs | Shared threat data, coordinated defense | Technical, standardized formats | STIX/TAXII, structured IOC sharing

A common mistake is writing a single report that tries to serve all audiences. This typically results in a report that serves none of them well. When multiple audiences need the same intelligence, consider producing a tiered product — an executive summary for leadership and a detailed technical appendix for operators.

Report Types

Flash Report / Alert

  • Purpose: Immediate notification of an active or imminent threat
  • Timeliness: Hours, sometimes minutes
  • Length: 1 page or less
  • When to use: Active exploitation of a critical vulnerability, ongoing attack campaign targeting your sector, newly discovered compromise within your organization
  • Key characteristic: Speed over completeness — get essential information to decision-makers immediately, follow up with details later

Threat Assessment

  • Purpose: Evaluate a specific threat to the organization or sector
  • Timeliness: Days to weeks
  • Length: 2-10 pages
  • When to use: New threat group targeting your sector, emerging attack technique, significant change in threat landscape
  • Key characteristic: Balanced analysis of threat capability, intent, and opportunity with an assessment of likely impact

Intelligence Summary (INTSUM)

  • Purpose: Periodic summary of threat landscape activity
  • Timeliness: Weekly, monthly, or quarterly
  • Length: 3-10 pages
  • When to use: Regular reporting cadence to keep leadership and operations informed of trends
  • Key characteristic: Breadth over depth — covers multiple topics with brief analysis of each

RFI (Request for Information) Response

  • Purpose: Answer a specific question from a consumer
  • Timeliness: Varies (hours to days depending on complexity)
  • Length: Varies based on the question
  • When to use: A stakeholder has asked a specific intelligence question (e.g., "Are we affected by this campaign?" or "What do we know about this threat group?")
  • Key characteristic: Directly addresses the question asked — stays focused and does not drift into tangential topics

Campaign Report

  • Purpose: Detailed analysis of a specific adversary campaign or operation
  • Timeliness: Days to weeks
  • Length: 5-20+ pages
  • When to use: After investigating a significant campaign, whether targeting your organization or your sector
  • Key characteristic: Comprehensive technical depth with strategic context, typically includes full IOC appendices and ATT&CK mapping

BLUF: Bottom Line Up Front

BLUF (Bottom Line Up Front): A writing principle originating in military communication that places the most important information — the conclusion or recommendation — at the beginning of the document rather than building up to it.

BLUF is arguably the single most important writing principle for intelligence products. Intelligence consumers are busy and may not read the entire report. The first paragraph should tell them:

  1. What happened (or what is assessed to be happening)
  2. Why it matters to the consumer
  3. What they should do (or what the analyst recommends)

Everything that follows the BLUF provides the supporting evidence, analysis, and detail — but the consumer should be able to read only the first paragraph and understand the essential message.

Example of poor opening: "On March 15, researchers at Vendor X published a report documenting a new malware family. The malware uses a novel persistence mechanism involving..."

Example of BLUF opening: "A newly identified malware family is actively targeting the healthcare sector with capabilities that bypass common endpoint detection solutions. Organizations should immediately verify that detection rule X is deployed and monitor for the IOCs listed in the appendix."

Report Structure

While specific formats vary by organization, a solid general structure for CTI reports includes:

1. Executive Summary

One to three paragraphs summarizing the key findings, their significance, and recommended actions. This section should stand alone — a reader who stops here should still walk away with the essential intelligence.

2. Key Findings

Bulleted list of the most important analytic judgments, each prefaced with appropriate confidence language. This section provides a scannable overview of what the analysis concluded.

Example:

  • We assess with high confidence that the phishing campaign targeting our organization in February 2026 was conducted by the same threat actor responsible for the November 2025 intrusion at [peer organization].
  • We assess with moderate confidence that the threat actor's primary objective is intellectual property theft related to [specific program].

3. Analysis / Discussion

The body of the report where evidence is presented and analytic reasoning is explained. This section should:

  • Present evidence systematically, not chronologically (unless a timeline is the most logical structure)
  • Clearly distinguish between what is observed (facts/evidence) and what is assessed (analytic judgment)
  • Address alternative hypotheses and explain why they were considered less likely
  • Reference sources for key claims

4. Indicators of Compromise / Technical Appendix

For technical audiences, include structured IOCs (hashes, domains, IPs, URLs, email addresses) in a format that can be directly ingested into security tools. Tables work well for reports; STIX/JSON exports are appropriate for machine consumption.
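To make the "machine consumption" point concrete, here is an added Python example (not part of the lesson) that takes a small constructed IOC table in the defanged notation analysts commonly paste into reports, validates each value against its claimed type, refangs it, and emits a STIX 2.1 bundle of Indicator objects ready for a TAXII server or a SIEM import. The IOC values and the report identifier are made up for this illustration; the STIX field names and pattern syntax follow the STIX 2.1 specification, and no external library is required.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample IOC table in the defanged notation analysts often paste into
# reports (hxxp, [.]). Every value here is made up for this example.
SAMPLE_IOCS = [
    ("sha256", "0123456789abcdef" * 4),
    ("domain", "update-check[.]example"),
    ("ipv4", "203[.]0[.]113[.]42"),
    ("url", "hxxps://update-check[.]example/stage2.bin"),
    ("email", "billing@example[.]net"),
]

# Validators applied after refanging; a value that fails its claimed type is rejected
# rather than shipped to a blocklist.
VALIDATORS = {
    "md5": re.compile(r"^[0-9a-f]{32}$"),
    "sha1": re.compile(r"^[0-9a-f]{40}$"),
    "sha256": re.compile(r"^[0-9a-f]{64}$"),
    "ipv4": re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"),
    "domain": re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"),
    "url": re.compile(r"^https?://\S+$", re.IGNORECASE),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,63}$", re.IGNORECASE),
}

# STIX 2.1 patterning templates for each IOC type.
PATTERNS = {
    "md5": "[file:hashes.MD5 = '{v}']",
    "sha1": "[file:hashes.'SHA-1' = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
    "ipv4": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "url": "[url:value = '{v}']",
    "email": "[email-addr:value = '{v}']",
}


def refang(value):
    """Undo common defanging so security tools receive the real value."""
    v = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", value.strip())
    return re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)


def normalize_ioc(ioc_type, value):
    """Return (type, clean_value); raise ValueError when the value does not match its type."""
    t = ioc_type.lower()
    if t not in VALIDATORS:
        raise ValueError(f"unsupported IOC type {ioc_type!r}")
    v = refang(value)
    if t in ("md5", "sha1", "sha256", "domain"):
        v = v.lower()  # hashes and domains are case-insensitive; URL paths and email local parts are not
    if not VALIDATORS[t].match(v):
        raise ValueError(f"{t} value failed validation: {value!r}")
    return t, v


def to_stix_bundle(iocs, report_id, now=None):
    """Build a STIX 2.1 Bundle of Indicator objects. Returns (bundle, rejected) so
    bad rows are surfaced to the author instead of silently dropped."""
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    objects, rejected = [], []
    for ioc_type, value in iocs:
        try:
            t, v = normalize_ioc(ioc_type, value)
        except ValueError as exc:
            rejected.append(str(exc))
            continue
        literal = v.replace("\\", "\\\\").replace("'", "\\'")  # escape for a STIX string literal
        objects.append({
            "type": "indicator",
            "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}",
            "created": ts,
            "modified": ts,
            "name": f"{t} indicator from report {report_id}",
            "pattern": PATTERNS[t].format(v=literal),
            "pattern_type": "stix",
            "valid_from": ts,
        })
    bundle = {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}
    return bundle, rejected


if __name__ == "__main__":
    # "EXAMPLE-REPORT-001" is a hypothetical report identifier.
    bundle, rejected = to_stix_bundle(SAMPLE_IOCS, "EXAMPLE-REPORT-001")
    print(json.dumps(bundle, indent=2))
    for problem in rejected:
        print("rejected:", problem)
```

Returning the rejected rows alongside the bundle matters in practice: a hash with a typo or an IP with a stray octet would otherwise disappear from the appendix without anyone noticing, and the SOC would be blocking a shorter list than the report claims.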

5. Recommendations

Specific, actionable steps the consumer can take based on the intelligence. Recommendations should be prioritized and realistic given the consumer's capabilities.

Writing Clearly

For Executive Audiences

  • Eliminate jargon or define it on first use
  • Focus on business impact, not technical mechanics
  • Use analogies when they genuinely clarify (but avoid oversimplification)
  • Quantify risk where possible ("affects 3 of our 12 externally facing applications" is better than "affects some of our systems")

For Technical Audiences

  • Be precise — specify exact versions, CVE numbers, file paths, registry keys
  • Include reproduction steps or detection logic where relevant
  • Map findings to MITRE ATT&CK technique IDs
  • Provide IOCs in copy-paste-ready formats

General Writing Principles

  • Use active voice. "The threat actor deployed Cobalt Strike" not "Cobalt Strike was deployed by the threat actor."
  • Be concise. Every sentence should earn its place. Remove filler.
  • One idea per paragraph. Dense paragraphs with multiple ideas are hard to scan.
  • Distinguish fact from assessment. Use phrases like "we observed," "logs indicate," and "forensic evidence confirms" for facts. Use "we assess," "this likely indicates," and "we judge" for analytic conclusions.

Confidence Language: ODNI ICD 203

Intelligence Community Directive 203 (ICD 203), published by the Office of the Director of National Intelligence, establishes the standard for expressing confidence in analytic judgments. While originally developed for the U.S. Intelligence Community, this framework has been widely adopted across private-sector CTI.

Likelihood / Probability Language

ICD 203 defines specific probability terms to ensure consistent communication:

Term | Approximate Probability
--- | ---
Almost no chance | Remote (1-5%)
Very unlikely | Highly improbable (5-20%)
Unlikely | Improbable (20-45%)
Roughly even chance | Roughly even odds (45-55%)
Likely | Probable (55-80%)
Very likely | Highly probable (80-95%)
Almost certain(ly) | Nearly certain (95-99%)

Important: Avoid ambiguous terms like "possible," "could," or "may" without probability context. These words mean different things to different readers. If something is "possible" — is it 10% likely or 60% likely? Use the ICD 203 terms to eliminate ambiguity.

Confidence Levels

Separate from likelihood, ICD 203 defines confidence levels that express how solid the underlying evidence and reasoning are:

  • Low confidence: Based on fragmentary information, significant intelligence gaps, or questionable sources. The judgment may change substantially with new information.
  • Moderate confidence: Based on credibly sourced and plausible information that is nonetheless insufficient for a higher level of confidence. The information can be interpreted in various ways, and alternative interpretations exist.
  • High confidence: Based on high-quality information and/or sound analytic reasoning. Still not a statement of certainty — all intelligence involves uncertainty.

A judgment carries two separate dimensions: a likelihood term (probability) and a confidence level (evidence quality), so a "likely" judgment can be held with low or moderate confidence. For example: "We assess it is likely (moderate confidence) that the threat actor will shift targeting to the financial sector based on recent infrastructure registration patterns, though our visibility into the actor's intentions is limited."
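As an added example (not from the lesson), the following Python helper applies the two conventions above to draft text: it maps a numeric probability estimate onto the ICD 203 term whose band contains it, and it lints key-finding sentences for the problems this section describes, namely a missing confidence level, ambiguous words such as "possible", "could" or "may", and the absence of an analytic verb that marks the sentence as a judgment rather than an observation. The sample findings are constructed; the word list and the "we assess / we judge" phrasing come from this lesson, and the boundary handling (a value on a shared boundary such as 5% resolves to the lower band) is a choice made here, not something ICD 203 specifies.

```python
import re

# ICD 203 likelihood terms with the approximate probability bands (percent) given in the lesson.
ICD203_TERMS = [
    (1, 5, "almost no chance"),
    (5, 20, "very unlikely"),
    (20, 45, "unlikely"),
    (45, 55, "roughly even chance"),
    (55, 80, "likely"),
    (80, 95, "very likely"),
    (95, 99, "almost certain"),
]
CONFIDENCE_LEVELS = ("low confidence", "moderate confidence", "high confidence")

# Words the lesson warns against when they appear without probability context.
AMBIGUOUS = re.compile(r"\b(possible|possibly|could|may|might)\b", re.IGNORECASE)
# Phrases the lesson uses to signal an analytic judgment rather than an observed fact.
ANALYTIC_VERB = re.compile(r"\bwe (assess|judge|estimate)\b", re.IGNORECASE)


def probability_term(percent):
    """Map a numeric estimate onto the ICD 203 term whose band contains it.
    A value on a shared boundary (e.g. 5) resolves to the lower band; values
    below 1 or above 99 fall to the outermost terms. This tie-break is a choice
    made for this example, not part of ICD 203."""
    if not 0 <= percent <= 100:
        raise ValueError("probability must be between 0 and 100")
    for low, high, term in ICD203_TERMS:
        if low <= percent <= high:
            return term
    return "almost no chance" if percent < 1 else "almost certain"


def lint_finding(text):
    """Return the problems found in one key-finding sentence (empty list = clean)."""
    issues = []
    if not any(level in text.lower() for level in CONFIDENCE_LEVELS):
        issues.append("no ICD 203 confidence level stated")
    for match in AMBIGUOUS.finditer(text):
        issues.append(f"ambiguous likelihood word {match.group(0)!r}; use an ICD 203 term")
    if not ANALYTIC_VERB.search(text):
        issues.append("no analytic verb (we assess / we judge) marking this as a judgment")
    return issues


def lint_findings(findings):
    """Lint a list of findings; returns {1-based index: [issues]} for the flawed ones only."""
    report = {}
    for number, finding in enumerate(findings, 1):
        issues = lint_finding(finding)
        if issues:
            report[number] = issues
    return report


# Constructed sample findings: the first and third follow the lesson's conventions,
# the second shows the habits the linter is meant to catch.
SAMPLE_FINDINGS = [
    "We assess with high confidence that the February 2026 phishing campaign was "
    "conducted by the actor behind the November 2025 intrusion at a peer organization.",
    "The actor may target the financial sector next and could expand to insurers.",
    "We assess it is likely (moderate confidence) that the actor will shift targeting "
    "to the financial sector, based on recent infrastructure registration patterns.",
]

if __name__ == "__main__":
    for number, issues in lint_findings(SAMPLE_FINDINGS).items():
        print(f"finding {number}:")
        for issue in issues:
            print(f"  - {issue}")
```

The linter is deliberately blunt: it flags every "may" or "could", including legitimate non-probabilistic uses, and leaves the analyst to decide. That is the right trade-off for a drafting aid, since the cost of a false flag is a moment's review while the cost of an ambiguous judgment reaching a decision-maker is much higher.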

TLP Marking: Traffic Light Protocol

The Traffic Light Protocol (TLP) is a set of designations developed by FIRST (Forum of Incident Response and Security Teams) to facilitate the sharing of sensitive information. TLP markings indicate how widely information can be distributed.

TLP Marking | Distribution
--- | ---
TLP:RED | For named recipients only. No further sharing permitted. Used in meetings, conversations, or targeted emails where information must not leave the specific audience.
TLP:AMBER+STRICT | Limited sharing within the recipient's organization, on a need-to-know basis. Cannot be shared outside the organization.
TLP:AMBER | Limited sharing within the recipient's organization and with clients/customers who need to know to protect themselves.
TLP:GREEN | May be shared within the recipient's community (sector, ISAC, partner network) but not via publicly accessible channels.
TLP:CLEAR | No restrictions on sharing. May be distributed without limitation.

Applying TLP in Practice

  • Mark every intelligence product with the appropriate TLP designation, prominently displayed
  • Default to the most restrictive marking that still allows the information to reach everyone who needs it
  • When aggregating information from multiple sources with different TLP markings, the final product must use the most restrictive marking of any source included
  • TLP is a trust-based protocol, not an access control mechanism — it works only when participants respect it
  • TLP 2.0 (the current version, published by FIRST in 2022) introduced TLP:AMBER+STRICT and replaced TLP:WHITE with TLP:CLEAR
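The aggregation rule above is easy to get wrong when a product draws on several sources marked at different levels. As an added Python example (not part of the lesson), the functions below normalize marking strings as humans write them, map the legacy TLP:WHITE to TLP:CLEAR as TLP 2.0 does, compute the most restrictive marking across a set of sources, and check whether a proposed product marking downgrades any of them. The ordering of labels follows the TLP table in this lesson; the sample source markings are constructed.

```python
import re

# TLP 2.0 labels ordered from least to most restrictive (see the lesson's TLP table).
TLP_ORDER = ["TLP:CLEAR", "TLP:GREEN", "TLP:AMBER", "TLP:AMBER+STRICT", "TLP:RED"]

# TLP 1.0 label that TLP 2.0 renamed; still found on older products and feeds.
LEGACY = {"TLP:WHITE": "TLP:CLEAR"}


def normalize_tlp(label):
    """Canonicalize a marking as written by a human ('tlp:amber', 'TLP: Amber+Strict',
    'GREEN', 'TLP:WHITE'). Raises ValueError for anything that is not a TLP label."""
    s = re.sub(r"\s+", "", label.upper())
    if s.startswith("TLP:"):
        s = s[4:]
    s = LEGACY.get("TLP:" + s, "TLP:" + s)
    if s not in TLP_ORDER:
        raise ValueError(f"unknown TLP marking: {label!r}")
    return s


def most_restrictive(source_markings):
    """Marking an aggregated product must carry: the most restrictive of any source."""
    if not source_markings:
        raise ValueError("no source markings supplied")
    return max((normalize_tlp(m) for m in source_markings), key=TLP_ORDER.index)


def check_product_marking(product_marking, source_markings):
    """Return (ok, required). ok is False when the product is marked less
    restrictively than one of its sources, i.e. a source's marking was downgraded."""
    required = most_restrictive(source_markings)
    actual = normalize_tlp(product_marking)
    return TLP_ORDER.index(actual) >= TLP_ORDER.index(required), required


# Constructed example: an INTSUM built from a public advisory (marked under TLP 1.0),
# an ISAC bulletin, and a partner's restricted report.
SAMPLE_SOURCES = ["TLP:WHITE", "tlp:green", "TLP:AMBER+STRICT"]

if __name__ == "__main__":
    ok, required = check_product_marking("TLP:GREEN", SAMPLE_SOURCES)
    print(f"required marking: {required}; proposed TLP:GREEN acceptable: {ok}")
```

Running the check on the sample shows why the rule matters: a summary that quotes even one sentence from the TLP:AMBER+STRICT partner report cannot go out as TLP:GREEN, however public the other two sources are. A marking the product over-restricts (TLP:RED on TLP:AMBER sources) passes the check, since over-restriction is allowed by the protocol even if it limits usefulness.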

Actionable Recommendations

The recommendations section is where intelligence becomes operational. Poor recommendations waste the analyst's work; strong recommendations drive defensive action.

Characteristics of Good Recommendations

  • Specific: "Block the following 12 domains at the proxy" not "Monitor for suspicious network activity"
  • Prioritized: List recommendations in order of impact and urgency
  • Feasible: Consider the consumer's capabilities and resources — recommending actions the consumer cannot take is unhelpful
  • Time-bound: Indicate urgency where appropriate — "within 24 hours," "before the next patch cycle," or "immediately"
  • Linked to findings: Each recommendation should clearly connect to a specific finding in the report

Example Recommendations

  1. Immediate (within 24 hours): Add the IOCs listed in Appendix A to network and endpoint block lists
  2. Short-term (within 1 week): Deploy the YARA rule in Appendix B to scan endpoints for the identified malware family
  3. Medium-term (within 30 days): Review and restrict PowerShell execution policies on endpoints where it is not operationally required (addresses T1059.001)

Key Takeaways

  • Always identify your audience before writing — different consumers need different products
  • Use BLUF to put the most important information first
  • Structure reports consistently: executive summary, key findings, analysis, IOCs, recommendations
  • Distinguish clearly between observed facts and analytic judgments
  • Use ICD 203 confidence and probability language to communicate uncertainty precisely
  • Apply TLP markings to every product and respect the markings on products you receive
  • Write recommendations that are specific, prioritized, feasible, and linked to findings

Practical Exercise

Write an Intelligence Flash Report:

Using a recent CISA advisory or public vendor report as your source material, write a one-page flash report for a fictional organization in the affected sector. Your report must include:

  1. A TLP marking (choose and justify the appropriate level)
  2. A BLUF opening paragraph (3-4 sentences covering what, why it matters, and what to do)
  3. Three key findings using ICD 203 confidence language
  4. A brief analysis section (2-3 paragraphs) that distinguishes fact from assessment
  5. At least three prioritized, actionable recommendations with timeframes
  6. An IOC table (pull IOCs from the source advisory)

After writing, review your report and ask: Could a SOC analyst act on this within 30 minutes of reading it? Could a CISO brief their leadership using only the BLUF and key findings? If either answer is no, revise.

Further Reading

  • ODNI ICD 203: Analytic Standards — the Intelligence Community Directive establishing standards for analytic judgments, including confidence and probability language (https://www.dni.gov/files/documents/ICD/ICD%20203%20Analytic%20Standards.pdf)
  • FIRST Traffic Light Protocol (TLP) v2.0 — the official TLP standard including definitions, usage guidance, and examples (https://www.first.org/tlp/)
  • Structured Analytic Techniques for Intelligence Analysis by Heuer and Pherson (CQ Press) — includes guidance on communicating analytic uncertainty and writing effective intelligence products
  • Joint Publication 2-0: Joint Intelligence (U.S. Department of Defense) — while military-focused, this publication provides foundational doctrine on intelligence product types, formats, and dissemination that has influenced CTI report writing practices