Understanding What Actually Matters
What This Section Is About
Threat analysis is often mistaken for threat tracking.
Many CTI teams spend significant time cataloguing threat actors, incidents, and techniques, yet struggle to explain why any of it matters. The result is a steady stream of activity that feels informative but rarely influences decisions.
The Threat Analysis section exists to close that gap.
The articles here focus on interpreting adversary activity rather than merely describing it. They examine campaigns, behaviours, and tradecraft with the goal of understanding intent, relevance, and implications, rather than novelty.
Why Threat Analysis Matters
Not every incident is important.
Not every threat actor deserves attention.
Not every campaign has strategic significance.
Threat analysis adds value when it helps organisations distinguish:
- Signal from noise
- Tactical events from strategic risk
- Interesting activity from decision-relevant insight
Without this distinction, CTI teams often default to:
- Over-reporting
- Over-attribution
- Overconfidence in shallow conclusions
Over time, stakeholders come to treat threat reporting as background information rather than decision support.
What You’ll Find Here
Articles in Threat Analysis explore topics such as:
- Campaign deconstruction and context
- Adversary tradecraft and behavioural patterns
- Strategic versus tactical relevance
- Attribution trade-offs and limitations
- Why certain threats matter more than others
The emphasis is not on who did what, but on why it mattered, and what that means for defenders.
How These Articles Are Written
Threat analysis articles are written with restraint.
They:
- Avoid unnecessary attribution
- Focus on interpretation over enumeration
- Make assumptions explicit
- Resist false certainty
Where possible, they prioritise judgement over exhaustiveness and relevance over completeness.
The goal is not to appear comprehensive.
The goal is to be useful.
Who This Section Is For
This section is especially relevant if you are:
- A CTI analyst responsible for threat reporting or assessments
- A senior analyst reviewing the strategic relevance of incidents
- A CTI lead deciding where to focus limited attention
- A practitioner frustrated by “interesting but irrelevant” analysis
If you find yourself asking, “Why are we spending time on this?”, this section is for you.
How to Use This Section
Read these articles with context in mind.
Pay attention to:
- What is not being analysed
- Where uncertainty is acknowledged
- How relevance is established
Threat analysis is less about knowing ever more about adversaries and more about knowing what to ignore.
Suggested Starting Points
If you are new to this section, start with:
- Why This Campaign Mattered (And Why Many Missed It)
- Not Every Incident Is Strategically Relevant
- Attribution Is Not the Point, Judgement Is
These articles introduce recurring themes that shape the rest of the section.
How This Connects to the Rest of CTI Tradecraft
Threat Analysis is where ideas from other sections are tested.
- Foundations defines what intelligence is meant to achieve
- Tradecraft shapes how analysts reason and judge
- Threat Analysis applies both under real-world conditions
- CTI Programs examines how organisations consume this analysis
If foundations are weak or tradecraft is flawed, threat analysis becomes noisy, shallow, or misleading.
A Note on the Long View
This section forms the case-study backbone of the CTI Tradecraft Academy.
The goal is not memorisation of actors or techniques, but the development of transferable analytical judgement, skills that apply regardless of which threat group is active next month.
That work begins here.
Read selectively. Think critically.
Relevance matters more than coverage.