Generating Threat Intelligence Reports

When to Use

Use this skill when:

Producing weekly, monthly, or quarterly threat intelligence summaries for security leadership
Creating a rapid intelligence assessment in response to a breaking threat (e.g., new zero-day, active ransomware campaign)
Generating sector-specific threat briefings for executive decision-making on security investments

Do not use this skill for raw IOC distribution — use TIP/MISP for automated IOC sharing and reserve report generation for analyzed, finished intelligence.

Prerequisites

Completed analysis from collection and processing phase (PIRs partially or fully answered)
Audience profile: technical level, decision-making authority, information classification clearance
TLP classification decision for the product
Organization-specific reporting template aligned to audience expectations

Workflow

Step 1: Determine Report Type and Audience

Select the appropriate intelligence product type:

Strategic Intelligence Report: For C-suite, board, risk committee

Content: Threat landscape trends, adversary intent vs. capability, risk to business objectives
Format: 1–3 pages, minimal jargon, business impact language, recommended decisions
Frequency: Monthly/Quarterly

Operational Intelligence Report: For CISO, security directors, IR leads

Content: Active campaigns, adversary TTPs, defensive recommendations, sector peer incidents
Format: 3–8 pages, moderate technical detail, mitigation priority list
Frequency: Weekly

Tactical Intelligence Bulletin: For SOC analysts, threat hunters, vulnerability management

Content: Specific IOCs, YARA rules, Sigma detections, CVEs, patching guidance
Format: Structured tables, code blocks, 1–2 pages
Frequency: Daily or as-needed

Flash Report: Urgent notification for imminent or active threats

Content: What is happening, immediate risk, what to do right now
Format: 1 page maximum, distributed within 2 hours of threat identification
Frequency: As-needed (zero-day, active campaign targeting sector)

Step 2: Structure Report Using Intelligence Standards

Apply intelligence writing standards from government and professional practice:

Headline/Key Judgment: Lead with the most important finding in plain language.

Bad: "This report examines threat actor TTPs associated with Cl0p ransomware"
Good: "Cl0p ransomware group is actively exploiting CVE-2024-20353 in Cisco ASA devices to gain initial access; organizations using unpatched ASA appliances face imminent ransomware risk"

Confidence Qualifiers (use language from DNI ICD 203):

High confidence: "assess with high confidence" — strong evidence, few assumptions
Medium confidence: "assess" — credible sources but analytical assumptions required
Low confidence: "suggests" — limited sources, significant uncertainty

Evidence Attribution: Cite sources using reference numbers [1], [2]; maintain source anonymization in TLP:AMBER/RED products.

Step 3: Write Report Body

Use structured format:

Executive Summary (3–5 bullet points): Key findings, immediate business risk, top recommended action

Threat Overview: Who is the adversary? What is their objective? Why does this matter to us?

Technical Analysis: TTPs with ATT&CK technique IDs, IOCs, observed campaign behavior

Impact Assessment: Potential operational, financial, reputational impact if attack succeeds

Recommended Actions: Prioritized, time-bound defensive measures with owner assignment

Appendices: Full IOC lists, YARA rules, Sigma detections, raw source references

Step 4: Apply TLP and Distribution Controls

Select TLP based on source sensitivity and sharing agreements:

TLP:RED: Named recipients only; cannot be shared outside briefing room
TLP:AMBER+STRICT: Organization only; no sharing with subsidiaries or partners
TLP:AMBER: Organization and trusted partners with need-to-know
TLP:GREEN: Community-wide sharing (ISAC members, sector peers)
TLP:WHITE/CLEAR: Public distribution; no restrictions

Include TLP watermark on every page header and footer.

Step 5: Review and Quality Control

Before dissemination, apply these checks:

Accuracy: Are all facts sourced and cited? No unsubstantiated claims.
Clarity: Can the target audience understand this without additional context?
Actionability: Does every report section drive a decision or action?
Classification: Is TLP correctly applied? No source identification in AMBER/RED products?
Timeliness: Is this intelligence still current? Events older than 48 hours require freshness assessment.

Key Concepts

Term	Definition
Finished Intelligence	Analyzed, contextualized intelligence product ready for consumption by decision-makers; distinct from raw collected data
Key Judgment	Primary analytical conclusion of a report; clearly stated in opening paragraph
TLP	Traffic Light Protocol — FIRST-standard classification system for controlling intelligence sharing scope
ICD 203	Intelligence Community Directive 203 — US government standard for analytic standards including confidence language
Flash Report	Urgent, time-sensitive intelligence notification for imminent threats; prioritizes speed over depth
Intelligence Gap	Area where collection is insufficient to answer a PIR; should be explicitly documented in reports

Tools & Systems

ThreatConnect Reports: Built-in report templates with ATT&CK mapping, IOC tables, and stakeholder distribution controls
Recorded Future: Pre-built intelligence report templates with automated sourcing from proprietary datasets
OpenCTI Reports: STIX-based report objects with linked entities for structured finished intelligence
Microsoft Word/Confluence: Common report delivery formats; use organization-approved templates with TLP headers

Common Pitfalls

Writing for analysts instead of the audience: Technical detail appropriate for SOC analysts overwhelms executives. Maintain strict audience segmentation.
Omitting confidence levels: Statements presented without confidence qualifiers appear as established facts when they may be low-confidence assessments.
Intelligence without recommendations: Reports that describe threats without prescribing actions leave stakeholders without direction.
Stale intelligence: Publishing a report on a threat campaign that was resolved 2 weeks ago creates alarm without utility. Include freshness dating on all claims.
Over-classification: Applying TLP:RED to information that could be TLP:GREEN impedes community sharing and limits defensive value across the sector.

Verification Criteria

Confirm successful execution by validating:

[ ] All prerequisite tools and access requirements are satisfied
[ ] Each workflow step completed without errors
[ ] Output matches expected format and contains expected data
[ ] No security warnings or misconfigurations detected
[ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

SOC 2: CC7.1 (Monitoring), CC7.2 (Anomaly Detection)
ISO 27001: A.6.1 (Threat Intelligence), A.16.1 (Security Incident Management)
NIST 800-53: PM-16 (Threat Awareness), RA-3 (Risk Assessment), SI-5 (Security Alerts)
NIST CSF: ID.RA (Risk Assessment), DE.AE (Anomalies & Events)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

# Install via CLI
npx claw-grc skills add generating-threat-intelligence-reports

# Or load dynamically via MCP
grc.load_skill("generating-threat-intelligence-reports")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

SHA-256 chain hashing ensures no step can be modified after execution
Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Generating Threat Intelligence Reports

When to Use

Use this skill when:

Producing weekly, monthly, or quarterly threat intelligence summaries for security leadership
Creating a rapid intelligence assessment in response to a breaking threat (e.g., new zero-day, active ransomware campaign)
Generating sector-specific threat briefings for executive decision-making on security investments

Do not use this skill for raw IOC distribution — use TIP/MISP for automated IOC sharing and reserve report generation for analyzed, finished intelligence.

Prerequisites

Completed analysis from collection and processing phase (PIRs partially or fully answered)
Audience profile: technical level, decision-making authority, information classification clearance
TLP classification decision for the product
Organization-specific reporting template aligned to audience expectations

Workflow

Step 1: Determine Report Type and Audience

Select the appropriate intelligence product type:

Strategic Intelligence Report: For C-suite, board, risk committee

Content: Threat landscape trends, adversary intent vs. capability, risk to business objectives
Format: 1–3 pages, minimal jargon, business impact language, recommended decisions
Frequency: Monthly/Quarterly

Operational Intelligence Report: For CISO, security directors, IR leads

Content: Active campaigns, adversary TTPs, defensive recommendations, sector peer incidents
Format: 3–8 pages, moderate technical detail, mitigation priority list
Frequency: Weekly

Tactical Intelligence Bulletin: For SOC analysts, threat hunters, vulnerability management

Content: Specific IOCs, YARA rules, Sigma detections, CVEs, patching guidance
Format: Structured tables, code blocks, 1–2 pages
Frequency: Daily or as-needed

Flash Report: Urgent notification for imminent or active threats

Content: What is happening, immediate risk, what to do right now
Format: 1 page maximum, distributed within 2 hours of threat identification
Frequency: As-needed (zero-day, active campaign targeting sector)

Step 2: Structure Report Using Intelligence Standards

Apply intelligence writing standards from government and professional practice:

Headline/Key Judgment: Lead with the most important finding in plain language.

Bad: "This report examines threat actor TTPs associated with Cl0p ransomware"
Good: "Cl0p ransomware group is actively exploiting CVE-2024-20353 in Cisco ASA devices to gain initial access; organizations using unpatched ASA appliances face imminent ransomware risk"

Confidence Qualifiers (use language from DNI ICD 203):

High confidence: "assess with high confidence" — strong evidence, few assumptions
Medium confidence: "assess" — credible sources but analytical assumptions required
Low confidence: "suggests" — limited sources, significant uncertainty

Evidence Attribution: Cite sources using reference numbers [1], [2]; maintain source anonymization in TLP:AMBER/RED products.

Step 3: Write Report Body

Use structured format:

Executive Summary (3–5 bullet points): Key findings, immediate business risk, top recommended action

Threat Overview: Who is the adversary? What is their objective? Why does this matter to us?

Technical Analysis: TTPs with ATT&CK technique IDs, IOCs, observed campaign behavior

Impact Assessment: Potential operational, financial, reputational impact if attack succeeds

Recommended Actions: Prioritized, time-bound defensive measures with owner assignment

Appendices: Full IOC lists, YARA rules, Sigma detections, raw source references

Step 4: Apply TLP and Distribution Controls

Select TLP based on source sensitivity and sharing agreements:

TLP:RED: Named recipients only; cannot be shared outside briefing room
TLP:AMBER+STRICT: Organization only; no sharing with subsidiaries or partners
TLP:AMBER: Organization and trusted partners with need-to-know
TLP:GREEN: Community-wide sharing (ISAC members, sector peers)
TLP:WHITE/CLEAR: Public distribution; no restrictions

Include TLP watermark on every page header and footer.

Step 5: Review and Quality Control

Before dissemination, apply these checks:

Accuracy: Are all facts sourced and cited? No unsubstantiated claims.
Clarity: Can the target audience understand this without additional context?
Actionability: Does every report section drive a decision or action?
Classification: Is TLP correctly applied? No source identification in AMBER/RED products?
Timeliness: Is this intelligence still current? Events older than 48 hours require freshness assessment.

Key Concepts

Term	Definition
Finished Intelligence	Analyzed, contextualized intelligence product ready for consumption by decision-makers; distinct from raw collected data
Key Judgment	Primary analytical conclusion of a report; clearly stated in opening paragraph
TLP	Traffic Light Protocol — FIRST-standard classification system for controlling intelligence sharing scope
ICD 203	Intelligence Community Directive 203 — US government standard for analytic standards including confidence language
Flash Report	Urgent, time-sensitive intelligence notification for imminent threats; prioritizes speed over depth
Intelligence Gap	Area where collection is insufficient to answer a PIR; should be explicitly documented in reports

Tools & Systems

ThreatConnect Reports: Built-in report templates with ATT&CK mapping, IOC tables, and stakeholder distribution controls
Recorded Future: Pre-built intelligence report templates with automated sourcing from proprietary datasets
OpenCTI Reports: STIX-based report objects with linked entities for structured finished intelligence
Microsoft Word/Confluence: Common report delivery formats; use organization-approved templates with TLP headers

Common Pitfalls

Writing for analysts instead of the audience: Technical detail appropriate for SOC analysts overwhelms executives. Maintain strict audience segmentation.
Omitting confidence levels: Statements presented without confidence qualifiers appear as established facts when they may be low-confidence assessments.
Intelligence without recommendations: Reports that describe threats without prescribing actions leave stakeholders without direction.
Stale intelligence: Publishing a report on a threat campaign that was resolved 2 weeks ago creates alarm without utility. Include freshness dating on all claims.
Over-classification: Applying TLP:RED to information that could be TLP:GREEN impedes community sharing and limits defensive value across the sector.

Verification Criteria

Confirm successful execution by validating:

[ ] All prerequisite tools and access requirements are satisfied
[ ] Each workflow step completed without errors
[ ] Output matches expected format and contains expected data
[ ] No security warnings or misconfigurations detected
[ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

SOC 2: CC7.1 (Monitoring), CC7.2 (Anomaly Detection)
ISO 27001: A.6.1 (Threat Intelligence), A.16.1 (Security Incident Management)
NIST 800-53: PM-16 (Threat Awareness), RA-3 (Risk Assessment), SI-5 (Security Alerts)
NIST CSF: ID.RA (Risk Assessment), DE.AE (Anomalies & Events)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

# Install via CLI
npx claw-grc skills add generating-threat-intelligence-reports

# Or load dynamically via MCP
grc.load_skill("generating-threat-intelligence-reports")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

SHA-256 chain hashing ensures no step can be modified after execution
Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Prerequisites

Generating Threat Intelligence Reports

When to Use

Prerequisites

Workflow

Step 1: Determine Report Type and Audience

Step 2: Structure Report Using Intelligence Standards

Step 3: Write Report Body

Step 4: Apply TLP and Distribution Controls

Step 5: Review and Quality Control

Key Concepts

Tools & Systems

Common Pitfalls

Verification Criteria

Compliance Framework Mapping

Deploying This Skill with Claw GRC

Agent Execution

Audit Trail Integration

Continuous Compliance

Use with Claw GRC Agents

Tags

Related Skills

Managing Intelligence Lifecycle

Analyzing Indicators of Compromise

Collecting Open Source Intelligence

Processing STIX Taxii Feeds

Analyzing Campaign Attribution Evidence

Analyzing Certificate Transparency for Phishing

Prerequisites

Generating Threat Intelligence Reports

When to Use

Prerequisites

Workflow

Step 1: Determine Report Type and Audience

Step 2: Structure Report Using Intelligence Standards

Step 3: Write Report Body

Step 4: Apply TLP and Distribution Controls

Step 5: Review and Quality Control

Key Concepts

Tools & Systems

Common Pitfalls

Verification Criteria

Compliance Framework Mapping

Deploying This Skill with Claw GRC

Agent Execution

Audit Trail Integration

Continuous Compliance

Use with Claw GRC Agents

Tags

Related Skills

Managing Intelligence Lifecycle

Analyzing Indicators of Compromise

Collecting Open Source Intelligence

Processing STIX Taxii Feeds

Analyzing Campaign Attribution Evidence

Analyzing Certificate Transparency for Phishing