How to read a CTI report

Deciphering a Cyber Threat Intelligence report: structure, indicators, and recommendations.

1 Introduction

A CTI (Cyber Threat Intelligence) report is a document that analyzes a threat in depth: an attacker group, a malware campaign, an exploited vulnerability. It is cybersecurity's equivalent of an investigative report.

Imagine a police report about a gang of burglars: it describes their methods, the tools they use, the types of houses they target, and gives advice on how to protect yourself. A CTI report does exactly the same thing, but for digital threats. Knowing how to read one allows you to transform raw information into concrete defensive actions.

Who produces these reports?

Cybersecurity companies: Mandiant, CrowdStrike, Kaspersky, ESET, Recorded Future
Government agencies: CISA, NSA, FBI, NCSC, ENISA
ISACs: sector-specific sharing centers (Financial, Healthcare, Energy)
Independent researchers: security blogs, academic papers, conference talks

2 How It Works

A well-structured CTI report follows a predictable format. Understanding this structure lets you quickly extract the information that matters most to your role.

Anatomy of a CTI report

Executive Summary

A high-level overview for decision-makers. Who is the threat actor? What did they do? Who was targeted? What should you do about it? Usually 1-2 paragraphs.

Threat Actor Profile

Background on the attacker: aliases, attribution (which country or criminal group), motivations (espionage, financial gain, hacktivism), historical campaigns, and known targets.

TTPs (Tactics, Techniques, and Procedures)

The detailed methods used in the attack. Mapped to the MITRE ATT&CK framework, this section describes how the attacker gains access, moves laterally, evades defenses, and achieves their objectives.

Indicators of Compromise (IOCs)

Concrete, technical artifacts: malicious IPs, domains, file hashes, URLs, email addresses, registry keys. These are what you feed into your security tools for detection.

Recommendations

Actionable guidance: detection rules (YARA, Sigma), patches to apply, configurations to harden, monitoring priorities, and incident response steps if compromised.

The MITRE ATT&CK framework

MITRE ATT&CK is a globally recognized knowledge base of adversary tactics and techniques. CTI reports reference ATT&CK IDs to describe exactly how attackers operate. Each technique has a unique ID (like T1566 for Phishing) making it easy to search, compare, and build detections.

TA0001 Initial Access
TA0002 Execution
TA0003 Persistence
TA0005 Defense Evasion
TA0006 Credential Access
TA0007 Discovery
TA0008 Lateral Movement
TA0010 Exfiltration

3 Detailed Analysis

Reading a report by role

Different members of an organization extract different value from a CTI report. Here is what each role should focus on:

Role                   Focus sections                        Key action
---------------------  ------------------------------------  ------------------------------------------------
CISO / Executive       Executive summary, strategic impact   Assess business risk, allocate resources
SOC Analyst            IOCs, detection rules                 Import IOCs into SIEM, create alert rules
Threat Hunter          TTPs, attack chain                    Proactively search logs for TTP patterns
Incident Responder     Full report, forensic artifacts       Compare to active incidents, guide investigation
Vulnerability Manager  Exploited CVEs, recommendations       Prioritize patching based on active exploitation

From report to action: a practical workflow

Relevance check

Does this threat target your industry, geography, or technology stack? If not, file it for awareness but do not act urgently.

IOC extraction

Pull all IOCs (hashes, IPs, domains) and import them into your TIP or SIEM. Automate this where possible using STIX/TAXII.

TTP mapping

Map the described TTPs to your existing detections. Identify gaps where you have no visibility and prioritize building new detection rules.

Retrospective hunt

Search your historical logs for the IOCs and TTPs described in the report. You may discover that the attack has already touched your environment.
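Steps 2 to 4 of this workflow, as an added example that is not code from this page or from mlab.sh: a Python script that parses a STIX 2.1 bundle (the format a TAXII feed delivers), extracts IOCs while honouring the report's stated confidence, pulls the referenced ATT&CK technique IDs, and runs a retrospective hunt over log lines. The bundle, indicators, confidence values and log lines are all constructed for illustration; a real feed would be fetched from the vendor's TAXII server instead of being embedded.

```python
import json
import re

# Constructed sample, not from any real report: a STIX 2.1 bundle of the kind a
# TAXII feed delivers, with three indicators and one ATT&CK attack-pattern.
PATTERNS = [  # (indicator confidence, STIX pattern)
    (85, "[ipv4-addr:value = '203.0.113.45']"),
    (60, "[domain-name:value = 'update.example.invalid']"),
    (90, "[file:hashes.'SHA-256' = '" + "a" * 64 + "']"),
]
STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [{"type": "indicator", "pattern_type": "stix", "confidence": c, "pattern": p}
                for c, p in PATTERNS]
    + [{"type": "attack-pattern", "name": "Phishing", "external_references":
        [{"source_name": "mitre-attack", "external_id": "T1566"}]}],
})

# One equality comparison inside a STIX pattern, e.g. ipv4-addr:value = '203.0.113.45'
COMPARISON = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'([^']+)'")

def extract_iocs(bundle_json, min_confidence=0):
    """Step 2: {stix_property: set(values)} for indicators at or above min_confidence."""
    iocs = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        if obj.get("confidence", 0) < min_confidence:  # honour the report's stated confidence
            continue
        for prop, value in COMPARISON.findall(obj["pattern"]):
            iocs.setdefault(prop, set()).add(value)
    return iocs

def extract_attack_ids(bundle_json):
    """Step 3: ATT&CK technique IDs to compare against your own detection coverage."""
    return {ref["external_id"]
            for obj in json.loads(bundle_json)["objects"] if obj.get("type") == "attack-pattern"
            for ref in obj.get("external_references", []) if ref.get("source_name") == "mitre-attack"}

def hunt(log_lines, iocs):
    """Step 4: retrospective hunt; (line_no, ioc_value) for each log line containing an IOC."""
    values = sorted(v for vals in iocs.values() for v in vals)
    return [(n, v) for n, line in enumerate(log_lines, 1) for v in values if v.lower() in line.lower()]

# Constructed DNS/proxy log lines; the third matches an IOC only when case is ignored.
SAMPLE_LOGS = [
    "2024-05-01T09:12:03Z dns query=www.example.com client=10.0.0.5",
    "2024-05-01T09:12:09Z proxy dst=203.0.113.45 method=GET client=10.0.0.7",
    "2024-05-01T09:13:44Z dns query=UPDATE.example.invalid client=10.0.0.7",
]
```

Raising min_confidence drops the low-confidence domain indicator, which is how a report's stated confidence should translate into alerting versus watch-list treatment.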

Try it on mlab.sh

Put CTI reports into practice by scanning the IOCs they contain -- look up IPs, domains, and file hashes to enrich indicators and validate findings yourself.

4 Red Flags

Here are the warning signs of a low-quality or misleading CTI report:

No confidence levels

A good report states its confidence: "We assess with high confidence that..." vs. "We believe..." Reports that present everything as certain fact without caveats should be questioned.

Attribution without evidence

Claiming "this was China" or "this was Russia" without showing the evidence chain (infrastructure overlap, code similarities, operational patterns) is unreliable attribution.

No IOCs or detection guidance

A report that describes a threat in great detail but provides no actionable indicators or detection rules is informative but not operationally useful for defenders.

Sensationalized language

"The most devastating cyberattack ever" or "unprecedented threat." Professional CTI reports use measured language. Marketing hype in a threat report undermines credibility.

No MITRE ATT&CK mapping

Modern CTI reports should map TTPs to ATT&CK. Without this framework, it is difficult to compare threats, assess your coverage, or build systematic detections.

Outdated information presented as new

The report recycles old IOCs or repackages publicly known information as a "new discovery." Check the dates of the referenced incidents and compare them with previous publications.