ReddRadar
Agent skill
managing-intelligence-lifecycle
Manages the end-to-end cyber threat intelligence lifecycle from planning and direction through collection, processing, analysis, dissemination, and feedback to ensure intelligence products meet stakeholder requirements and continuously improve. Use when establishing or maturing a CTI program, defining intelligence requirements with business stakeholders, or building feedback loops between intelligence consumers and producers. Activates for requests involving CTI program maturity, intelligence requirements, PIRs, or intelligence lifecycle management.
Install this agent skill to your Project
npx add-skill https://github.com/mukul975/Anthropic-Cybersecurity-Skills/tree/main/skills/managing-intelligence-lifecycle
SKILL.md
Managing Intelligence Lifecycle
When to Use
Use this skill when:
- Establishing a formal CTI program and defining its operational model
- Conducting quarterly intelligence requirements reviews with business stakeholders
- Evaluating CTI program maturity against established frameworks (FIRST CTI-SIG maturity model)
Do not use this skill for day-to-day IOC triage or incident-specific intelligence tasks — those use operational intelligence workflows, not lifecycle management.
Prerequisites
- Executive sponsorship and defined CTI team structure (1+ dedicated analysts)
- Stakeholder map identifying intelligence consumers (SOC, IR, executive team, vulnerability management)
- Existing feed subscriptions or ISAC memberships for collection baseline
- CTI platform (MISP, ThreatConnect, OpenCTI) for lifecycle management
Workflow
Step 1: Planning and Direction
Define Priority Intelligence Requirements (PIRs) with stakeholders:
- Interview SOC leads, IR team, CISO, risk management, and product security
- Document PIRs in structured format: "What is the current capability and intent of [threat actor] to attack [critical asset] using [technique]?"
- Prioritize 5–10 PIRs for the quarter, reviewed monthly
Example PIR: "Is ransomware group Cl0p currently targeting organizations in our sector using MoveIT or GoAnywhere vulnerabilities?"
Step 2: Collection Planning
Map PIRs to required collection sources:
- Technical sources: commercial feeds, TAXII, ISAC data, honeypot telemetry, darkweb monitoring
- Human sources: vendor threat briefings, industry working groups, law enforcement partnerships
- Internal sources: SIEM logs, EDR telemetry, phishing submission mailbox
Document collection gaps and associated costs to fill them.
Step 3: Processing and Normalization
Implement automated processing pipeline:
- Ingest → normalize to STIX 2.1 → deduplicate → enrich → score confidence
- Reject unverifiable or duplicate indicators before analysis
- Tag all processed data with source, collection date, and expiration
Step 4: Analysis and Production
Produce intelligence at three levels:
- Strategic: Quarterly threat landscape report for executives; sector trends, geopolitical context
- Operational: Weekly campaign reports for security leadership; active campaigns, adversary activity
- Tactical: Daily IOC bulletins for SOC; actionable indicators with block/monitor recommendations
Apply structured analytic techniques: Analysis of Competing Hypotheses (ACH), Key Assumptions Check, Devil's Advocacy.
Step 5: Dissemination
Match product format to audience:
- Executives: 1-page PDF with risk ratings, business impact, recommended decisions
- SOC analysts: SIEM-ready IOC list, Sigma rules, MISP events
- Vulnerability management: CVE lists with EPSS scores and exploitation likelihood
- IT/Security leadership: Full intelligence report with technical appendix
Apply TLP classifications and distribution lists per product type.
Step 6: Feedback and Evaluation
Collect feedback within 5 business days of dissemination:
- Did the product address the PIR?
- Was actionability sufficient?
- What data was missing?
Track metrics quarterly: PIR coverage rate, IOC true positive rate, time-to-disseminate, stakeholder satisfaction score (NPS or structured survey).
Key Concepts
| Term | Definition |
|---|---|
| PIR | Priority Intelligence Requirement — specific, actionable question driving intelligence collection and analysis |
| Intelligence Lifecycle | Six-phase iterative process: Planning → Collection → Processing → Analysis → Dissemination → Feedback |
| Strategic Intelligence | Long-term threat trend analysis for executive decision-making; time horizon 6–24 months |
| Operational Intelligence | Campaign-level analysis for security program decisions; time horizon 1–6 months |
| Tactical Intelligence | Specific IOCs and TTPs for immediate detection and blocking; time horizon hours to days |
| FIRST CTI-SIG | Forum of Incident Response and Security Teams — CTI Special Interest Group maturity model |
Tools & Systems
- ThreatConnect: TIP with built-in intelligence lifecycle workflows, PIR tracking, and stakeholder reporting dashboards
- MISP: Open-source TIP supporting intelligence lifecycle from collection through sharing
- OpenCTI: Graph-based CTI platform with workflow management for intelligence products
- Recorded Future: Commercial platform with structured intelligence reports aligned to the intelligence lifecycle
Common Pitfalls
- Collection without direction: Ingesting every available feed without PIRs produces data overload and no actionable intelligence.
- Missing feedback loops: Without structured feedback, CTI teams produce reports that don't meet stakeholder needs and lose organizational relevance.
- Tactical-only focus: Overemphasis on IOC sharing neglects strategic intelligence that informs security investment and risk decisions.
- No metrics program: Cannot demonstrate CTI program value without tracking detection contributions, true positive rates, and stakeholder satisfaction.
- Underfunded collection: PIRs cannot be answered without appropriate collection sources; document and escalate gaps rather than producing low-confidence estimates.
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
mukul975/Anthropic-Cybersecurity-Skills
mapping-mitre-attack-techniques
Maps observed adversary behaviors, security alerts, and detection rules to MITRE ATT&CK techniques and sub-techniques to quantify detection coverage and guide control prioritization. Use when building an ATT&CK-based coverage heatmap, tagging SIEM alerts with technique IDs, aligning security controls to adversary playbooks, or reporting threat exposure to executives. Activates for requests involving ATT&CK Navigator, Sigma rules, MITRE D3FEND, or coverage gap analysis.
mukul975/Anthropic-Cybersecurity-Skills
hunting-for-spearphishing-indicators
Hunt for spearphishing campaign indicators across email logs, endpoint telemetry, and network data to detect targeted email attacks.
mukul975/Anthropic-Cybersecurity-Skills
analyzing-malicious-url-with-urlscan
URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content, HTTP transactions, JavaScript behavior, and network connections of web pages in an isolat
mukul975/Anthropic-Cybersecurity-Skills
implementing-zero-standing-privilege-with-cyberark
Deploy CyberArk Secure Cloud Access to eliminate standing privileges in hybrid and multi-cloud environments using just-in-time access with time, entitlement, and approval controls.
mukul975/Anthropic-Cybersecurity-Skills
implementing-pam-for-database-access
Deploy privileged access management for database systems including Oracle, SQL Server, PostgreSQL, and MySQL. Covers session proxy configuration, credential vaulting, query auditing, dynamic credentia
mukul975/Anthropic-Cybersecurity-Skills
detecting-t1003-credential-dumping-with-edr
Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation.
Didn't find tool you were looking for?