A Report Template for Cyber Threat Intelligence
2026-5-19 00:0:0 Author: zeltser.com

Cyber threat intelligence analysts produce defensible reports by weighing the same evidence at the tactical, operational, and strategic levels. A customizable CTI report template helps analysts capture activity, attribute it with calibrated confidence, and translate findings into defensive action.

A cyber threat intelligence (CTI) report template helps analysts produce defensible reports on adversary behavior. It serves CTI analysts writing intel reports, IR teams tracking activity clusters, and other security practitioners consuming attribution claims.

Download the template and make it your own. It’s available in Markdown.

The template organizes evidence and conclusions across these sections:

  • Executive Summary: Bottom-line claim plus a Key Findings table that pairs each finding with a decision question, confidence, and likelihood (confidence rates the strength of the evidence and reasoning behind a finding; likelihood is the estimated probability that the finding holds, and the two should be stated separately).
  • Actor Snapshot: Quick-reference profile of the actor or activity cluster.
  • Methodology: Sources, gaps, analytic techniques, and the confidence and likelihood framework.
  • Activity Overview: Time range, victim profile (whether targeting was deliberate or opportunistic), and related reporting.
  • Technical Analysis: Representative adversary techniques and an indicator table organized by cost to the adversary (indicators the adversary can replace cheaply, such as file hashes, are separated from those that are expensive to change, such as tooling and tradecraft).
  • Attribution Analysis: An attribution claim supported by six signals examined together.
  • Strategic Analysis: The activity’s broader significance (what the campaign means geopolitically, commercially, or ideologically), when such analysis is in scope.
  • Competing Hypotheses: Structured comparison of candidate hypotheses plus a cognitive bias check, when two or more viable hypotheses remain.
  • Defensive Implications: Detection coverage and an optional technique-to-countermeasure mapping.
  • Outlook: Forward-looking notes, including what we don’t know.
  • Appendices: Framework versions, STIX 2.1 observable bundle, optional ATT&CK Navigator layer, and references.
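
To make the machine-readable appendix artifacts concrete, here is an added example of how a report author might generate them from the indicator table; it is illustrative code written for this page, not tooling from the template or from zeltser.com. It assumes a cost-to-adversary ranking with the tiers hash, ip, domain, artifact, tool and ttp (the template’s own ranking is not reproduced here), uses constructed sample indicators that refer to no real campaign, derives deterministic STIX 2.1 observable identifiers with the UUIDv5 namespace the STIX 2.1 specification defines for that purpose, and treats the ATT&CK Navigator version strings as placeholders to be copied from the report’s Framework versions appendix.

```python
"""Assemble appendix artifacts for a CTI report: an indicator table ordered by
cost to the adversary, the matching STIX 2.1 observable bundle, and an ATT&CK
Navigator layer. Added example; not the template's own tooling."""
import json
import uuid

# Namespace the STIX 2.1 specification assigns for deterministic SCO identifiers.
STIX_SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")

# Cost-to-adversary tiers, cheapest to change first. The tier names are an
# assumption about how the table is ranked; adjust them to your template.
COST_TIERS = ["hash", "ip", "domain", "artifact", "tool", "ttp"]

# Constructed sample indicators; none refer to a real campaign.
SAMPLE_INDICATORS = [
    {"tier": "domain", "sco": "domain-name", "value": "update-check.example",
     "comment": "C2 domain seen in beacon traffic"},
    {"tier": "hash", "sco": "file", "value": "a1" * 32,
     "comment": "SHA-256 of the loader DLL"},
    {"tier": "ip", "sco": "ipv4-addr", "value": "203.0.113.45",
     "comment": "C2 address (TEST-NET-3 documentation range)"},
]


def sco_id(sco_type, contributing):
    """Deterministic STIX 2.1 SCO id: UUIDv5 over the ID-contributing
    properties serialised as canonical JSON (sorted keys, no whitespace).
    The same observable therefore gets the same id in every report."""
    canonical = json.dumps(contributing, sort_keys=True,
                           separators=(",", ":"), ensure_ascii=False)
    return f"{sco_type}--{uuid.uuid5(STIX_SCO_NAMESPACE, canonical)}"


def make_observable(ind):
    """Turn one indicator row into a STIX 2.1 cyber-observable object."""
    if ind["sco"] == "file":
        # Only one hash is supplied, so no hash-precedence choice arises.
        contributing = {"hashes": {"SHA-256": ind["value"]}}
    elif ind["sco"] in ("domain-name", "ipv4-addr"):
        contributing = {"value": ind["value"]}
    else:
        raise ValueError(f"unsupported observable type {ind['sco']!r}")
    return {"type": ind["sco"], "spec_version": "2.1",
            "id": sco_id(ind["sco"], contributing), **contributing}


def by_adversary_cost(indicators):
    """Highest-cost indicators first. Unknown tiers are rejected rather than
    silently sorted to the bottom of the table."""
    for ind in indicators:
        if ind["tier"] not in COST_TIERS:
            raise ValueError(f"unknown cost tier {ind['tier']!r}")
    return sorted(indicators, key=lambda i: -COST_TIERS.index(i["tier"]))


def indicator_table(indicators):
    """Rows for the Technical Analysis indicator table."""
    return [{"cost_tier": i["tier"], "indicator": i["value"],
             "comment": i["comment"]} for i in by_adversary_cost(indicators)]


def build_bundle(indicators):
    """STIX 2.1 bundle of SCOs in the same cost order as the table.
    The bundle id is random (uuid4); the object ids are deterministic."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [make_observable(i) for i in by_adversary_cost(indicators)]}


def build_navigator_layer(name, techniques, attack_version="16"):
    """ATT&CK Navigator layer highlighting the report's techniques.
    The version strings are placeholders (assumption); copy them from the
    Framework versions appendix of the actual report."""
    return {
        "name": name,
        "versions": {"attack": attack_version, "navigator": "5.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Techniques observed in the activity cluster",
        "techniques": [{"techniqueID": tid, "score": 1, "comment": note}
                       for tid, note in techniques],
    }


if __name__ == "__main__":
    print(json.dumps(indicator_table(SAMPLE_INDICATORS), indent=2))
    print(json.dumps(build_bundle(SAMPLE_INDICATORS), indent=2))
    print(json.dumps(build_navigator_layer(
        "Cluster X (constructed)",
        [("T1566.001", "Spearphishing attachment"),
         ("T1071.001", "HTTPS beaconing")]), indent=2))
```

Deterministic observable ids are the point of the UUIDv5 step: two reports that cite the same domain or hash produce the same `id`, so a consumer can de-duplicate across reports instead of treating every bundle as new evidence. Keep the table and the bundle generated from the same list so the ordering and the contents cannot drift apart between drafts.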

The template draws on established CTI frameworks but doesn’t lead with their names. Section headings use reader-friendly vocabulary. The frameworks shape the analytic discipline behind each section:

For a deeper overview of the attribution methodology, see Six Signals for Threat Attribution. For responder guidance during a live incident, use the Incident Response Report Template.

This CTI report template is distributed under the Creative Commons Attribution 4.0 International License (CC BY 4.0). The license covers just the template. Any report you produce with it is yours.

About the Author

Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. He has built security products and programs from early stage to enterprise scale. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a popular Linux toolkit for malware analysis. Lenny shares his perspectives on security leadership and technology at zeltser.com.


Article source: https://zeltser.com/cyber-threat-intel-report-template