Structured Analytic Techniques (SATs) are formal methods designed to make analytical reasoning more rigorous, transparent, and less susceptible to cognitive biases. In cyber threat intelligence, where analysts face incomplete information, deceptive adversaries, and pressure to deliver assessments quickly, SATs provide a disciplined framework for thinking through complex problems. This lesson applies several key SATs to realistic CTI scenarios, with a focus on hands-on methodology you can integrate into your daily work.
Learning Objectives
- Perform a complete Analysis of Competing Hypotheses (ACH) applied to a CTI attribution problem
- Apply Key Assumptions Check and Red Team Analysis to challenge your own assessments
- Use Structured Brainstorming and scenario-based analysis for emerging threat problems
- Build and apply confidence assessment matrices to communicate analytical certainty
- Integrate SATs into daily and weekly analytical workflows without creating excessive overhead
Analysis of Competing Hypotheses (ACH)
ACH, developed by Richards Heuer at the CIA, is the most widely used structured analytic technique in intelligence analysis. Its core principle is counterintuitive: instead of looking for evidence that confirms your preferred hypothesis, you systematically evaluate evidence against all plausible hypotheses to determine which ones the evidence is most inconsistent with. You eliminate rather than confirm.
Step-by-Step ACH Walkthrough
The following walkthrough uses a realistic CTI scenario to demonstrate each step of ACH.
Scenario: Your organization has experienced a network intrusion. Initial analysis reveals spearphishing emails targeting your finance department, a custom backdoor communicating via HTTPS to infrastructure hosted in Eastern Europe, and lateral movement using stolen credentials and WMI. Exfiltrated data focused on financial records and merger/acquisition documents. You need to assess which threat actor is most likely responsible.
Step 1: Identify All Plausible Hypotheses
Do not start with your favorite theory. Generate all reasonable hypotheses, including ones you consider unlikely:
- H1: APT group focused on economic espionage (e.g., a state-sponsored group targeting M&A intelligence)
- H2: Financially motivated cybercriminal group (e.g., FIN-type group monetizing stolen financial data)
- H3: Competitor conducting corporate espionage via a hired contractor
- H4: Insider threat with external accomplice staging a data theft to look like an APT intrusion
- H5: Opportunistic attacker who gained access and pivoted to high-value data
Step 2: List All Significant Evidence
Catalog every piece of evidence without regard to which hypothesis it supports:
- E1: Spearphishing emails used lures specific to the target's M&A activity
- E2: Custom backdoor not seen in public malware repositories
- E3: C2 infrastructure hosted on a VPS in Romania
- E4: Lateral movement via WMI and stolen credentials (common TTP)
- E5: Exfiltration focused exclusively on M&A documents
- E6: Attacker operated during UTC+3 to UTC+5 working hours
- E7: No ransomware deployment or financial fraud attempted
- E8: Backdoor uses a C2 protocol similar to known toolkits sold in underground forums
- E9: Dwell time was 47 days before detection
- E10: No evidence of data being posted on criminal forums or extortion sites
Step 3: Build the Matrix
Create a matrix evaluating each piece of evidence against each hypothesis. Use these ratings:
- CC (Consistent and Compelling): The evidence strongly supports this hypothesis
- C (Consistent): The evidence is compatible with this hypothesis
- N (Neutral): The evidence neither supports nor refutes
- I (Inconsistent): The evidence argues against this hypothesis
- II (Inconsistent and Important): The evidence strongly argues against this hypothesis
| Evidence | H1: State APT | H2: Financial Crime | H3: Competitor | H4: Insider | H5: Opportunistic |
|---|---|---|---|---|---|
| E1: M&A-specific lures | CC | C | CC | C | I |
| E2: Custom backdoor | CC | C | C | I | II |
| E3: Romania VPS | C | C | C | N | C |
| E4: WMI/creds (common) | N | N | N | N | N |
| E5: M&A data focus | CC | I | CC | C | I |
| E6: UTC+3-5 hours | C | C | N | I | N |
| E7: No ransomware/fraud | C | II | C | C | C |
| E8: Underground toolkit | I | CC | C | N | C |
| E9: 47-day dwell time | C | C | C | C | I |
| E10: No public data sale | C | I | C | C | N |
Step 4: Analyze the Matrix
Focus on inconsistencies, not consistencies. A hypothesis with even one "II" (Inconsistent and Important) rating deserves serious scrutiny.
- H2 (Financial Crime) has two significant inconsistencies: the exclusive focus on M&A data (E5) and the absence of ransomware or financial fraud (E7). Financially motivated groups typically monetize access.
- H4 (Insider) is inconsistent with the custom backdoor (E2) and the operating hours pattern (E6).
- H5 (Opportunistic) is inconsistent with the targeted M&A lures (E1), custom tooling (E2), and the focused data exfiltration (E5).
- H1 (State APT) has one inconsistency — the underground toolkit similarity (E8) — but this could reflect shared tooling or purchasing from the same vendor.
- H3 (Competitor) has no strong inconsistencies.
Step 5: Assess and Report
After eliminating the least consistent hypotheses, H1 and H3 remain most plausible. The evidence slightly favors H1 due to the custom backdoor and operating hours pattern, but H3 cannot be ruled out. Your assessment might read:
"We assess with moderate confidence that the intrusion was conducted by a state-sponsored group focused on economic espionage (H1). The targeted M&A lures, custom tooling, long dwell time, and absence of financial motivation are most consistent with this hypothesis. We cannot rule out competitor-driven corporate espionage (H3), which shares many of the same characteristics. Further analysis of the backdoor's code lineage and infrastructure registration patterns may help distinguish between these hypotheses."
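As an added example (not part of the lesson), the following Python scores the Step 3 matrix the way Heuer's ACH intends: it drops non-diagnostic evidence such as E4 (rated identically for every hypothesis), counts only I and II ratings against each hypothesis, and separately counts CC ratings for the tiebreak the Step 5 assessment relies on. The inconsistency weights (I=1, II=2) and function names are assumptions, not the lesson's.

```python
# Added example, not from the lesson: scoring the walkthrough's ACH matrix.
from typing import Dict, List, Tuple

HYPOTHESES = ["H1", "H2", "H3", "H4", "H5"]

# Matrix from Step 3, transcribed row by row (E1..E10, columns H1..H5).
MATRIX: Dict[str, List[str]] = {
    "E1": ["CC", "C", "CC", "C", "I"],
    "E2": ["CC", "C", "C", "I", "II"],
    "E3": ["C", "C", "C", "N", "C"],
    "E4": ["N", "N", "N", "N", "N"],
    "E5": ["CC", "I", "CC", "C", "I"],
    "E6": ["C", "C", "N", "I", "N"],
    "E7": ["C", "II", "C", "C", "C"],
    "E8": ["I", "CC", "C", "N", "C"],
    "E9": ["C", "C", "C", "C", "I"],
    "E10": ["C", "I", "C", "C", "N"],
}

# Assumed weights: only inconsistencies count against a hypothesis.
INCONSISTENCY_WEIGHT = {"CC": 0, "C": 0, "N": 0, "I": 1, "II": 2}


def diagnostic_evidence(matrix: Dict[str, List[str]]) -> List[str]:
    """Evidence whose ratings differ across hypotheses; E4-style rows cannot discriminate."""
    return [eid for eid, ratings in matrix.items() if len(set(ratings)) > 1]


def inconsistency_scores(matrix: Dict[str, List[str]], hypotheses: List[str]) -> Dict[str, int]:
    """Weighted inconsistency score per hypothesis, using diagnostic evidence only."""
    scores = {h: 0 for h in hypotheses}
    for eid in diagnostic_evidence(matrix):
        for h, rating in zip(hypotheses, matrix[eid]):
            scores[h] += INCONSISTENCY_WEIGHT[rating]
    return scores


def rank_hypotheses(matrix: Dict[str, List[str]], hypotheses: List[str]) -> List[Tuple[str, int]]:
    """Least inconsistent first; the surviving hypotheses sit at the top."""
    return sorted(inconsistency_scores(matrix, hypotheses).items(), key=lambda kv: (kv[1], kv[0]))


def inconsistent_evidence(matrix: Dict[str, List[str]], hypotheses: List[str], h: str) -> List[Tuple[str, str]]:
    """The (evidence, rating) pairs arguing against hypothesis h, for the Step 4 write-up."""
    col = hypotheses.index(h)
    return [(eid, r[col]) for eid, r in matrix.items() if INCONSISTENCY_WEIGHT[r[col]] > 0]


def compelling_count(matrix: Dict[str, List[str]], hypotheses: List[str]) -> Dict[str, int]:
    """Number of CC ratings per hypothesis; ACH does not rank on these, but Step 5 uses them as a tiebreak."""
    return {h: sum(1 for r in matrix.values() if r[i] == "CC") for i, h in enumerate(hypotheses)}
```

Pure inconsistency scoring ranks H3 (0) ahead of H1 (1); the walkthrough's tilt toward H1 comes from the CC count (3 versus 2), which is why the matrix and the tiebreak should both be shown in the product.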
Key Assumptions Check
A Key Assumptions Check (KAC) identifies the underlying assumptions in your analysis and evaluates whether they are well-supported. Every assessment rests on assumptions — the danger lies in assumptions that are treated as facts without examination.
Applying KAC to the Scenario Above
Identify assumptions embedded in the ACH analysis:
| Assumption | Basis | Strength | Risk if Wrong |
|---|---|---|---|
| The operating hours reflect the attacker's actual time zone | Keyboard activity timestamps | Moderate | Attacker may deliberately work outside normal hours to mislead |
| The backdoor is custom because it is not in public repositories | Absence of VT/sandbox matches | Low-Moderate | It may be custom but shared among multiple actors, or simply new |
| M&A document focus reflects the attacker's primary objective | Files exfiltrated | High | Could be a secondary objective or a distraction |
| The attacker is the same entity throughout the intrusion | Consistent TTPs | Moderate | Initial access could have been sold or handed off |
By explicitly documenting assumptions and their strength, you create transparency in your analysis and highlight where additional collection could strengthen or weaken your assessment.
Red Team Analysis
Red Team Analysis asks: "If I were the adversary, how would I view this situation?" or alternatively, "If my preferred hypothesis is wrong, what would that look like?"
In CTI, Red Team Analysis is applied by:
- Devil's Advocacy: Assign an analyst (or force yourself) to argue the strongest case for the hypothesis you consider least likely. What evidence supports it? What are you dismissing too quickly?
- Adversary perspective: If the attacker knows you are investigating, what deception would they employ? Would they plant evidence pointing to a different actor? Would they change their infrastructure?
- "What if we're wrong?" exercise: Explicitly document the consequences of being wrong about your primary hypothesis. If you tell leadership this is a state actor and it turns out to be a competitor, what decisions were made based on your flawed assessment?
Structured Brainstorming
Structured Brainstorming differs from casual brainstorming by following specific rules:
- Define the question precisely: Not "What threats do we face?" but "What threat actors are most likely to target our M&A activity in the next 6 months?"
- Silent generation: Each participant writes ideas independently before sharing (prevents anchoring on the first idea spoken)
- Round-robin sharing: Each person shares one idea at a time, cycling through the group
- No criticism during generation: All ideas are recorded without evaluation
- Structured evaluation: After generation is complete, evaluate each idea against defined criteria
For solo analysts, structured brainstorming means forcing yourself to generate a minimum number of ideas (e.g., at least seven possible threat actors) before evaluating any of them.
Scenario-Based Analysis
Scenario analysis develops multiple plausible futures to prepare for uncertainty. In CTI, this is applied to questions like:
- How might a threat actor respond if we burn their infrastructure?
- What will the threat landscape for our sector look like in 12 months?
- How could an adversary exploit a specific vulnerability in our environment?
For each scenario, define the key drivers (factors that would cause this scenario to occur), indicators (observable events that would signal this scenario is developing), and implications (what your organization should do differently if this scenario materializes).
Confidence Assessment Matrices
Communicating confidence is as important as communicating conclusions. Vague language ("we believe," "it is possible") is ambiguous. Use a structured framework.
The Intelligence Community Directive (ICD) 203 framework, used by the U.S. Intelligence Community, defines confidence levels based on the quality and quantity of source information:
| Confidence Level | Meaning |
|---|---|
| Low | Based on fragmentary or poorly corroborated information, or significant concerns about source reliability. Analysis may change substantially with new information. |
| Moderate | Based on credibly sourced and plausible information, but insufficient for a higher level of confidence. May have gaps or minor inconsistencies. |
| High | Based on high-quality information from multiple independent, reliable sources. Well-corroborated with few or no gaps. Unlikely to change substantially. |
Additionally, use estimative language consistently. Map words to probability ranges and document the mapping:
| Phrase | Probability |
|---|---|
| Almost certainly | 90-99% |
| Likely / Probably | 65-85% |
| Roughly even chance | 45-55% |
| Unlikely | 15-35% |
| Remote / Highly unlikely | 1-10% |
Documenting and Presenting SAT Results
SAT results should be included in intelligence products, not hidden in working files. Effective documentation includes:
- The technique used: Name the SAT and briefly explain why it was selected
- Key findings: What the technique revealed, especially if it challenged initial assumptions
- Confidence impact: How the technique affected your confidence level
- Residual uncertainty: What questions remain unanswered
When briefing SAT results to non-analysts, focus on outcomes: "We used ACH to evaluate five possible actors and narrowed it to two. Here's why, and here's what we need to distinguish between them." The matrix itself can be an appendix for those who want the detail.
Integrating SATs into Daily Workflow
SATs should not be reserved for major assessments. Lightweight application throughout your daily work builds analytical rigor:
- Daily: Apply mental Key Assumptions Checks to any assessment you write. Ask yourself: "What am I assuming here, and is it justified?"
- Weekly: Use Structured Brainstorming in team meetings to generate collection priorities or analytic questions
- Per assessment: For any attribution or predictive assessment, build at least a simplified ACH matrix (three hypotheses, five key evidence items)
- Quarterly: Conduct Red Team Analysis on your program's highest-confidence assessments to check for drift or blind spots
Key Takeaways
- ACH works by eliminating hypotheses that are most inconsistent with the evidence, not by confirming favored theories
- Key Assumptions Check surfaces hidden beliefs that could undermine your analysis if they prove wrong
- Red Team Analysis forces consideration of alternative perspectives and adversary deception
- Confidence assessments must be explicit — use defined levels (Low/Moderate/High) and consistent estimative language with documented probability ranges
- SATs are most effective when integrated into routine workflows, not reserved for crisis situations
- Document and share SAT results — the transparency they provide is as valuable as the conclusions they produce
Practical Exercise
Conduct a full ACH analysis on the following scenario:
Your threat intelligence team receives a report from a partner organization about a new ransomware strain targeting hospitals. The ransomware uses a novel encryption routine, communicates with C2 servers registered in the past 30 days, and the ransom note is written in fluent English. Three hospitals in your region have been hit in two weeks. The ransomware shares some code with a previously documented strain attributed to an Eastern European cybercriminal group, but the encryption routine is entirely new.
- Generate at least four hypotheses about who is behind this campaign.
- List at least eight pieces of evidence from the scenario.
- Build a full ACH matrix.
- Identify the key assumptions in your analysis using a Key Assumptions Check.
- Write a two-paragraph assessment stating your conclusion, confidence level, and reasoning.
Further Reading
- Heuer, R.J. & Pherson, R.H. (2014). Structured Analytic Techniques for Intelligence Analysis (2nd ed.). CQ Press.
- Heuer, R.J. (1999). Psychology of Intelligence Analysis. CIA Center for the Study of Intelligence. Available free at: https://www.cia.gov/resources/csi/books-monographs/psychology-of-intelligence-analysis-2/
- U.S. Intelligence Community Directive 203: Analytic Standards. https://www.dni.gov/files/documents/ICD/ICD-203_TA_Analytic_Standards.pdf
- MITRE ATT&CK: https://attack.mitre.org/ (for mapping TTPs in ACH exercises)