Build the tradecraft to produce intelligence that drives decisions, not just dashboards.

You’ll find several articles on ThreatIntelReport.com focused on developing your CTI skills, from threat actor profiling through to exploitation tracking and incident analysis. This page pulls those threads together into a practical learning path, with exercises you can apply immediately in a SOC, IR, or threat research role.


What “good” CTI looks like

High-quality cyber threat intelligence is decision support. It helps an organisation prioritise risk, allocate resources, improve detection, and respond faster. The strongest outputs tend to share a few traits:

If you want a simple mental model, aim to move from information (facts and observations) to intelligence (interpreted, contextualised assessment with relevance and confidence).


Core CTI competencies to build

1) Collection and source evaluation

You need to develop an instinct for what is reliable, what is noise, and what is marketing. This includes:

2) Technical fluency

You do not need to be a malware reverse engineer to be effective, but you do need enough depth to avoid “telephone game” reporting.

Focus areas:

3) Analytic tradecraft

Analysis is the skill that turns scattered artefacts into defensible judgement.

Key habits:

4) Production and communication

CTI is only useful if it lands. Learn to write clearly, structure reports, and brief findings.


A practical self-study roadmap

Phase 1: Foundations (2 to 4 weeks)

Goal: build a baseline understanding of intelligence concepts and CTI workflows.

Exercise: take one vendor or CTI write-up and produce a one-page brief: what happened, who is affected, what to do next, what we do not know.

Phase 2: Applied analysis (1 to 3 months)

Goal: turn reading into repeatable output.

Build a weekly routine:

Start producing:

Exercise: map observed behaviours to ATT&CK techniques and maintain your own “coverage map” using ATT&CK tooling such as the Navigator. (attack.mitre.org)

Phase 3: Operational CTI (3 to 6 months)

Goal: make your intelligence measurably useful.

Useful public references for this workflow:


Portfolio-grade exercises (high leverage)

If you are building experience, these artefacts demonstrate real CTI capability:

  1. Threat actor dossier (2 to 3 pages)
    • Targeting, access patterns, tooling, typical objectives
    • ATT&CK mapping
    • Confidence statements and sourcing
  2. Exploitation tracking brief
    • What the vulnerability enables and what is required to exploit
    • Evidence of exploitation (or absence)
    • Mitigation timeline and compensating controls
  3. Campaign timeline
    • A chronological narrative of key events with source links
    • What changed and why it matters to defenders
  4. Detection opportunities list
    • 10 to 20 high-signal detections framed as “If we see X, investigate Y”

Writing, confidence, and analytic hygiene

As you mature, your differentiator is not how much you collect, but how precisely you communicate uncertainty.

On ThreatIntelReport.com, we apply the Admiralty scale where feasible to communicate source reliability and information credibility consistently. See: Intelligence Reliability. (threatintelreport.com)


Recommended learning resources

Katie Nickels’ CTI self-study plan

We strongly recommend Katie Nickels’ CTI self-study series as a structured starting point, particularly for grounding in intelligence concepts, requirements, and foundational frameworks:

SANS DFIR resources (free and high quality)

DFIR is a natural complement to CTI because it teaches you what “good evidence” looks like and how intrusions unfold in real environments. SANS maintains a strong set of freely accessible material, including: