Cyber Intelligence Analysis Report
Six structured methods.
One integrated workflow.
ATCRI ranks the threat. ACS models the adversary. DUM grades what you don't know. CARM tests the move before you make it. CRS gates the action against your own resilience. HET tracks how the estimate evolves. Each method feeds the next. Build a single integrated case. Print or email the analysis.
Content prep — have these ready
A complete case takes 30–60 minutes. To work without breaks, gather the source material below before you start. You can skip any method — but each works best with the inputs listed.
- ACS: Adversary identity (group designator or insider profile), recent threat-intel reporting on their objectives and TTPs, list of capabilities you've observed or assess they have.
- DUM: The threat scenario you're decomposing in plain language. Source-reliability ratings on the evidence behind it. An honest read on what you don't know.
- ATCRI: Your live threat list (3–8 threats works well), rough analyst-judgment weights (0.0–1.0), raw-risk scores (0–10) tied to asset value × exposure × known capability.
- CARM: A specific proposed response or containment action under consideration, plus the operational rationale for choosing it. ACS capabilities flow in automatically.
- CRS: Recent BCP/DR test results (backup integrity), SOC coverage matrix (detection breadth), out-of-band comms plan, cyber-insurance policy and regulator notification thresholds (legal).
- HET: Active hypotheses or estimates from prior reporting cycles. Source citations for each so the evolution timeline is auditable.
Acronyms — quick reference
Method names, scoring vocabulary, and the regulatory and operational acronyms used throughout the workspace.
- ACS: Adversarial Cognitive Simulation. Modeling the adversary's decision logic on their terms.
- DUM: Decompositional Uncertainty Mapping. Breaking a threat into dimensions and grading confidence on each.
- ATCRI: Adaptive Threat Calibration & Risk Indexing. Ranking threats by ARI = Wt × R; queue updates as intel changes.
- CARM: Cyber Adversary Reflex Mapping. Testing what the adversary does after your proposed action.
- CRS: Capability Resilience Score. Weighted composite of survivability inputs; gates the action.
- HET: Hypothesis Evolution Tracking. Time-stamped trail of how an estimate shifts as reporting arrives.
- ARI: Adversarial Risk Index. The output of ATCRI: Wt × R, ranked across all threats.
- Wt: Weight. Analyst judgment factor reflecting current intel and campaign posture.
- R: Raw Risk. Asset value × exposure × known adversary capability.
- ZTA / ZTAM: Zero Trust Architecture / Analytical Mindset. Architecture verifies; mindset reasons about what verification missed.
- SAT: Structured Analytic Technique. Heuer-derived methods for disciplined intelligence reasoning.
- NIS2 §21: EU directive · cybersecurity risk-management measures. Ten required controls; up to €10M / 2% turnover penalty.
- ICD 203: Intelligence Community Directive 203. US analytic standards for sourcing and confidence statements.
- RPO / RTO: Recovery Point / Time Objective. Maximum tolerable data loss / downtime for backup integrity.
- OT / ICS: Operational Technology / Industrial Control Systems. The plant-floor and SCADA networks adjacent to IT.
- MSP / MFA: Managed Service Provider / Multi-Factor Authentication. Common supply-chain attack surface / required identity control.
- IOC / C2: Indicator of Compromise / Command & Control. Forensic artifacts / the channel an adversary uses to direct implants.
The integrated analytic loop
A complete structured-analytic case in your browser. Six methods, designed to feed each other. Skip steps you don't need. Revisit any step. All output stays on this device until you export, print, or email it.
How it Works
Each method captures structured input and produces structured output. Outputs of earlier methods auto-populate the inputs of later ones — you'll see chips marked as imported context.
What It Replaces
Whiteboards. Spreadsheets. Half-finished Word docs. The Tuesday risk-committee meeting. The ranking debate that goes nowhere because no one wrote down the math.
Where Your Data Lives
In your browser only. We never see it. We never store it. Export to JSON to back it up. Email yourself a PDF copy at any time. Clear browser data and your case is lost.
For a full case, work through the steps in order. For quick threat ranking only, skip directly to ATCRI. For an action go/no-go decision on a planned response, do CARM then CRS.
Adversarial Cognitive Simulation
Stop projecting your logic onto the adversary. Build their decision model the way they would. What does success look like to them? What hurts them? What triggers escalation? Outputs of this step feed CARM and HET downstream.
Method
Identify the adversary, model their objectives, define what counts as a win, what counts as pain, and the conditions under which they escalate or contract.
Bias Countered
Mirror Imaging — assuming adversaries reason the way you do. Different goals. Different constraints. Different weekend plans.
What It Feeds
The adversary capability list flows into CARM (response-testing) and the success criteria inform HET (hypothesis updates) when their behavior is later observed.
Decompositional Uncertainty Mapping
Break the threat into intent, capability, access, and supply-chain components. Grade your confidence on each. Critically: write down what you do NOT know. Known unknowns are where adversaries operate.
Method
Decompose each threat into four dimensions. Apply High / Medium / Low / Unknown confidence to each. The pattern of unknowns is the briefing.
Bias Countered
Confirmation Bias — the analyst's instinct to fill in evidence supporting the first hypothesis instead of acknowledging gaps.
What It Feeds
Confidence grades flow into ATCRI as weight modifiers. Low-confidence dimensions reduce ARI; high-confidence dimensions amplify it.
Adaptive Threat Calibration & Risk Indexing
ARI = Wt × R. Each threat carries a weight (analyst judgment, intel-driven) and a raw risk (asset × exposure × capability). Multiply. Rank. New intelligence updates Wt with timestamped rationale. The queue reorders. No committee meeting required.
Method
List your live threats. Apply Wt and R per threat. Compute ARI. When intelligence changes, update Wt with rationale. The queue reorders automatically and the rationale becomes the audit trail.
Bias Countered
Authority Bias — accepting last week's ranking because the right voice signed off on it. ATCRI rebuilds the ranking from current evidence on demand.
What It Feeds
The reordered queue informs which threat CARM tests responses against, and which threat the CRS gate decision applies to.
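The ATCRI loop described above (score, rank, update Wt with a timestamped rationale, re-rank), as an added example that is not code from the workspace itself. The `Threat` and `rank` names, the tie-break rule, and all threat names and scores are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

def _check(wt, r):
    # Ranges taken from the content-prep list: Wt 0.0-1.0, R 0-10.
    if not 0.0 <= wt <= 1.0 or not 0.0 <= r <= 10.0:
        raise ValueError("Wt must be in 0.0-1.0 and R in 0-10")

@dataclass
class Threat:
    name: str
    wt: float   # analyst-judgment weight
    r: float    # raw risk: asset value x exposure x known capability
    trail: list = field(default_factory=list)  # audit trail of Wt changes

    def __post_init__(self):
        _check(self.wt, self.r)

    @property
    def ari(self):
        return round(self.wt * self.r, 2)  # ARI = Wt x R

    def update_wt(self, new_wt, rationale, when=None):
        # Refuse silent re-weighting: the rationale is the audit trail.
        if not rationale.strip():
            raise ValueError("a Wt change needs a written rationale")
        _check(new_wt, self.r)
        when = when or datetime.now(timezone.utc)
        self.trail.append((when.isoformat(), self.wt, new_wt, rationale))
        self.wt = new_wt

def rank(threats):
    # Highest ARI first; ties broken by raw risk, then name (assumed rule).
    return sorted(threats, key=lambda t: (-t.ari, -t.r, t.name))

def demo():
    # Constructed threat list and scores.
    queue = [Threat("Ransomware via MSP access", 0.6, 8.0),
             Threat("Insider data theft", 0.7, 6.0),
             Threat("OT/ICS lateral movement", 0.3, 9.0)]
    before = [(t.name, t.ari) for t in rank(queue)]
    queue[2].update_wt(0.8, "Constructed: new reporting raises campaign posture",
                       when=datetime(2026, 1, 15, tzinfo=timezone.utc))
    after = [(t.name, t.ari) for t in rank(queue)]
    return before, after, queue[2].trail

if __name__ == "__main__":
    for label, result in zip(("before", "after", "trail"), demo()):
        print(label, result)
```
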
Cyber Adversary Reflex Mapping
Before you make the move — model what the adversary does next. Will containment break your recovery? Will severing C2 trigger a Dead Man's Switch? Test the move BEFORE it ships.
Method
Pick a proposed response. For each adversary capability identified in ACS, document how the adversary reacts. Identify which reactions break your recovery posture.
Bias Countered
Anchoring — staying with your first response plan even when the adversary's reaction would invalidate it.
What It Feeds
The break-points identified here become inputs into CRS — your resilience score must absorb each adversary counter-move documented here.
Capability Resilience Score
Can you absorb the counterpunch — before you throw the punch? Score four resilience dimensions. Set your threshold. Above threshold: execute. Below threshold: reduce blast radius and wait. Containment is a privilege you earn.
Method
Backup integrity, detection breadth, communication paths, insurance & legal. Weighted composite. Threshold-gated decision. The gate fires Green or Red with the corresponding action set.
Bias Countered
Optimism Bias — the assumption that containment will work cleanly because it has worked before.
What It Feeds
The gate decision (and its rationale) becomes the headline of the case report. HET captures the outcome of the action chosen here.
Hypothesis Evolution Tracking
The estimate is not frozen. New reporting shifts probability. Document the shift, the rationale, the source. HET is the only method designed to span sessions — you'll come back to this case as new intelligence arrives.
Method
For each hypothesis or estimate from this case, log evolution events: date, what changed, what shifted, why. Build a time-stamped trail of analytic judgment.
Bias Countered
Frozen Estimate — the bureaucratic habit of treating last week's analysis as still current. HET makes the staleness visible.
What It Feeds
The HET timeline IS the case's evolving truth. When you return next week with new intel, this is what you update first — and ATCRI weights flow from it.
© 2026 — www.treadstone71.com · Integrated Decision-Support Workspace
Send analysis to Treadstone 71
Provide your contact details. We will receive your case analysis with your information attached, and reach out to arrange a deep-dive review.
Email yourself a copy of this case
Treadstone 71 sends the analysis report directly to your address. The case data is included in the email and discarded server-side after sending.