Cyber Threat Intelligence Division CSFI · CTI Division

Decision-Quality Cyber Threat Intelligence

For proactive defense, operational clarity, and executive confidence.

CSFI delivers tailored, evidence-based Cyber Threat Intelligence that helps leaders, SOC teams, incident responders, and security programs understand threats, prioritize action, and defend decisions with confidence.

Platform-free CTI · Evidence-based · Framework-driven · Dissemination governance
Intelligence that drives decisions CSFI · CTID
The CTI Division

Trusted intelligence products, without platform lock-in

The Cyber Security Forum Initiative Cyber Threat Intelligence Division provides platform-free CTI reporting, maturity assessments, framework-driven enrichment, defensive threat-hunting support, and structured dissemination governance.

The model is built for organizations that need trusted intelligence products, clear recommendations, and operationally useful outputs, without unnecessary platform lock-in.

Platform-free reporting

Finished products you own, not another console to license.

Maturity assessments

Know where your CTI program stands and where to invest.

Framework-driven enrichment

Reports mapped across the major intelligence frameworks.

Dissemination governance

Defensible release decisions, documented before you share.

Core Services · Strategic

Strategic intelligence

Finished intelligence for the decisions leadership has to make: what the threat means, who is behind it, and where to put the next dollar of defense.

Executive RFI and Decision Intelligence

Tailored finished intelligence aligned to a specific executive question, board decision, sector risk, incident concern, or strategic requirement.

  • Executive-forward key judgments with clear operational implications
  • RFI-driven scope based on sector, geography, threat profile, and decision need
  • Concise recommended actions designed for leadership and security execution
Built for

CISOs, executives, boards, risk leaders, legal teams, and public-sector leaders.

Sector, Geography and Threat Profile Assessment

Focused intelligence that explains how changing threat activity affects a specific industry, region, partner ecosystem, or mission environment.

  • Sector-specific and geography-specific threat analysis
  • Adversary capability, intent, and targeting relevance
  • Decision support for meetings, investments, operational shifts, and risk posture
Built for

CISOs, risk committees, government partners, associations, SMEs, and critical infrastructure leaders.

Adversary Intent and Geopolitical Context Analysis

Analysis that bridges raw technical indicators with adversary motivation, strategic objectives, cultural context, and likely operational behavior.

  • Actor intent, targeting rationale, and threat impact assessment
  • Geopolitical and cultural context beyond technical artifacts
  • Strategic implications mapped to organizational exposure and mission risk
Built for

Executives, intelligence teams, national security stakeholders, strategic planners, and critical infrastructure operators.

CTI Posture Assessment and Maturity Roadmap

A structured CTI capability and maturity evaluation that identifies gaps, benchmarks current posture, and defines a practical improvement path.

  • Assessment across governance, requirements, collection, production, dissemination, technology, integration, sharing, and metrics
  • Maturity scoring using RED, ORANGE, YELLOW, and GREEN bands
  • Roadmap outputs for investment prioritization and program improvement
Uses CSFI CTI Posture Assessment
Built for

CISOs, CTI managers, security program owners, risk leaders, and advisory clients.

Core Services · Operational

Operational intelligence

Intelligence that moves at the speed of an incident, connects an adversary's behavior into a usable picture, and helps a CTI program run with discipline.

Incident, Campaign and Vulnerability Surge Reporting

Rapid intelligence reporting for active incidents, adversary campaigns, vulnerability surges, or fast-changing threat developments.

  • Client-specific analysis after an incident, campaign, or vulnerability spike
  • Key judgments, implications, and recommended defensive actions
  • Optional appendix with IOCs, TTPs, references, and technical context
Built for

Incident responders, SOC teams, vulnerability management teams, CISOs, and crisis response leaders.

Threat Actor, Campaign and Infrastructure Analysis

Operational intelligence that connects adversary behavior, infrastructure, tools, malware, victimology, and campaign timelines into a usable threat picture.

  • Threat actor profiles and campaign timelines
  • Infrastructure, malware, tool, and TTP correlation
  • MITRE ATT&CK-aligned behavior mapping and defensive relevance
Built for

CTI analysts, SOC leads, threat hunters, incident responders, and intelligence shops.

CTI Program Calibration and Product Taxonomy Design

Advisory support that aligns CTI products, reporting depth, cadence, and dissemination channels to the client's actual stakeholders and maturity level.

  • Stakeholder mapping and Priority Intelligence Requirement alignment
  • Tactical, operational, and strategic product taxonomy design
  • Reporting cadence, format, technical depth, and distribution model calibration
Built for

CTI program managers, CISOs, SOC leadership, and security operations leaders.

CTI to SOC and IR Operational Integration Advisory

Advisory support that helps CTI directly improve SOC triage, incident response, threat hunting, and vulnerability prioritization.

  • CTI enrichment for SIEM, EDR, NDR, SOAR, and alert workflows
  • Actor attribution and TTP context for incident response
  • Intelligence-led hunt hypotheses and risk-based patch prioritization
Built for

SOC teams, IR teams, threat hunters, vulnerability managers, and security engineers.

CTI Sharing Compliance and Release Readiness

A structured review process that helps analysts determine whether a CTI product is ready to share, hold, revise, or escalate before dissemination.

  • Seven-gate review for strategic alignment, source validation, CI review, incident context, vulnerability risk, sharing authorization, and dissemination
  • Blocker identification with CLEARED, N/A, OPEN, or BLOCKED determinations
  • Audit-grade release record with after-action review and posture visualization
Uses MUSTER
Built for

CTI teams, intelligence release authorities, compliance teams, DIB partners, and government-facing security teams.

Core Services · Tactical and Technical

Tactical and technical intelligence

Where reporting becomes detection: indicators, techniques, framework mappings, and read-only hunting that defenders can act on directly.

IOC and TTP Technical Annex and Hunt Package

Technical intelligence packages that convert threat reporting into actionable indicators, ATT&CK techniques, hunt leads, and defensive validation artifacts.

  • IOCs organized by analytic value and operational use
  • TTPs mapped to adversary behavior and defensive controls
  • Optional YARA, STIX, JSON, TAXII, or hunt-ready output where applicable
Built for

SOC analysts, threat hunters, detection engineers, and incident responders.

Framework Mapping and CTI Enrichment

Report-to-framework enrichment that maps a source report across ATT&CK, D3FEND, Cyber Kill Chain, Diamond Model, DISARM, and STIX 2.1 outputs.

  • Automated extraction of techniques, actors, countermeasures, indicators, malware, and tools
  • Evidence-backed confidence scoring with traceable source passages
  • Export-ready ATT&CK Navigator layers, D3FEND CAD graphs, STIX bundles, and PDFs
Powered by RAVEN
Built for

CTI analysts, SOC teams, intelligence shops, threat hunters, and incident responders.

Endpoint Threat Hunting and Defensive Situational Awareness

Read-only defensive hunting that helps identify suspicious endpoint activity, network exposure, IOC matches, and posture weaknesses.

  • Continuous host inspection for persistence, processes, network activity, authentication, file integrity, and security posture
  • IOC and APT hunt workflows using JSON, STIX, YARA, TAXII, and optional external threat intelligence lookups
  • SNORT-backed network visibility, endpoint posture scoring, JSON export, and local-first operation
Powered by CSFI HUNT +OPFOR
Built for

Threat hunters, technical analysts, security practitioners, and executives needing endpoint-level visibility.

Products and Platforms

The engines behind the services

CSFI-CTID tooling powers the finished products: framework enrichment, defensive hunting, release governance, and maturity assessment.

Framework Engine

RAVEN

Report Analysis, Visualization & ENrichment

One threat report in, every major framework out. RAVEN ingests a PDF, live URL, HTML page, JSON file, or STIX bundle, then extracts the intelligence and maps it across six frameworks at once, fully grounded and fully cited.

  • MITRE ATT&CK
  • MITRE D3FEND
  • Cyber Kill Chain
  • Diamond Model
  • DISARM
  • STIX 2.1 Bundle

01 Ingest · 02 Map · 03 Ground · 04 Visualize · 05 Export

Grounded by design. Every technique, countermeasure, actor, and indicator is validated against the real catalogs, scored for confidence, and traceable to the source passage it came from.

Defensive Hunting Console

CSFI HUNT +OPFOR

A read-only defensive threat-hunting console for macOS. It inspects endpoint posture, monitors network activity, supports IOC and APT-focused hunts, maps local network exposure, flags CVEs, and uses SNORT for real-time IDS visibility.

  • Endpoint posture scoring
  • SNORT-backed IDS visibility
  • IOC and APT hunt workflows
  • Local network exposure mapping
  • CVE flagging by host
  • Local-first, JSON export
CSFI HUNT +OPFOR
$ hunt run --posture --net
[ok] endpoint posture score 92 / 100
[!] ioc match: 2 (hash, domain)
[snort] ids rules active: 1,284
[net] exposed services mapped: 17
[cve] flagged: 4 high
export › hunt_findings.json

Representative console output

Release Governance

MUSTER

Mission Unified Standards for Threat Exchange & Release

A CTI sharing compliance and release-readiness framework. Disciplined dissemination, defensible decisions.

7 Gates · 53 Controls · 280 Criteria
Maturity Assessment

CTI Posture Assessment

Ten capability domains, scored

A structured CTI maturity instrument: domain comparisons, radar views, heatmaps, and an improvement roadmap.

Maturity bands
Red Orange Yellow Green
Hunt Workflows

Indicator, STIX, TAXII and YARA

Connect reporting to detection

Indicator workflows that validate threat reports against endpoints and hunt pipelines.

Hashes IPs Domains YARA STIX 2.x JSON IOC TAXII
Service Packages

Engage at the level you need

From a single tailored report to a fully custom CTI operating model. Start anywhere, scale when it makes sense.

Tier 1

Ad Hoc Finished Intelligence Report

Best for

Organizations that need one tailored CTI product without a platform purchase, annual contract, or standing retainer.

  • One tailored CTI report aligned to a defined RFI or decision requirement
  • Executive summary, key judgments, client-specific analysis, and recommended actions
  • Optional appendix with IOCs, TTPs, references, or technical evidence
  • Visual-first presentation with timelines, matrices, maps, and actor graphics
  • Optional executive audio brief and one clarification discussion
Tier 2

CTI Posture Assessment and Program Calibration

Best for

Organizations that need to understand CTI maturity, capability gaps, stakeholder requirements, and investment priorities.

  • CTI maturity assessment across ten functional domains
  • RED, ORANGE, YELLOW, and GREEN maturity band scoring
  • Domain breakdown, radar profile, heatmap, and improvement roadmap
  • Stakeholder, PIR, GIR, collection, dissemination, and reporting calibration
  • Practical recommendations for CTI program improvement
Tier 3

Managed Intelligence Support and Enrichment

Best for

Teams that need recurring or surge-based analyst support without losing flexibility.

  • Recurring or on-demand finished intelligence products
  • Threat actor and campaign briefs
  • Framework-mapped outputs produced with RAVEN
  • ATT&CK Navigator layers, STIX bundles, D3FEND graphs, and PDF deliverables
  • Analyst clarification sessions and stakeholder feedback loops
Tier 4

Enterprise and Custom CTI Operations

Best for

Mature teams, intelligence shops, DIB partners, critical infrastructure operators, and organizations requiring custom workflows.

  • Custom CTI operating model and product architecture
  • Self-hosted or controlled RAVEN workflow support
  • CTI release governance with MUSTER-enabled sharing readiness
  • Endpoint hunt validation with CSFI HUNT +OPFOR where appropriate
  • Custom executive, operational, and tactical intelligence formats
How We Work

The intelligence cycle, applied

Every engagement follows the same disciplined path, from the question you need answered to a product you can act on and improve.

01

Scope the Requirement

We start with the client's RFI, decision need, sector, geography, threat profile, stakeholder structure, and priorities, so the product answers the question that actually needs answering.

02

Collect and Validate

Analysts gather relevant threat information from appropriate sources, evaluate reliability, and assess credibility before analysis: OSINT, commercial intelligence, trusted communities, internal context, indicators, vulnerability data, and client material.

03

Analyze and Enrich

We apply structured analytic tradecraft to develop key judgments, adversary context, operational implications, and recommended actions. Where useful, RAVEN maps the source across six frameworks at once.

04

Review, Govern, and Prepare for Release

Reports are refined for accuracy, clarity, audience fit, handling, and dissemination readiness. For controlled release, MUSTER supports a documented review across sharing gates and a final determination.

05

Deliver, Brief, and Improve

The final product arrives in a format the client can act on: report, dashboard, technical appendix, STIX bundle, Navigator layer, audio brief, or clarification session. Feedback then informs future reporting and posture improvement.

Get in Touch

Request an intelligence briefing

Tell us the decision you are facing or the capability you want to build, and a CTI analyst will follow up to scope the right product.

Notice
The Cyber Security Forum Initiative (CSFI) is an independent nonprofit advancing cyber security capacity across the public and private sectors. RAVEN, CSFI HUNT +OPFOR, MUSTER, and the CTI Posture Assessment are products of the CSFI Cyber Threat Intelligence Division. References to external frameworks, standards bodies, and authorities indicate alignment with publicly available doctrine only and imply no endorsement or affiliation.