How to Use AI Tools to Build a Threat Intelligence Brief
AI tools can compress threat intelligence brief production from days to hours. This practical workflow shows CTI analysts how to build structured, actionable briefs faster using Claude, ChatGPT, MISP, ATT&CK mapping, and disciplined verification.

A practical workflow for CTI analysts. From raw sources to actionable brief in under two hours.
A threat intelligence brief that takes three days to produce is useful to the team that commissioned it. The same brief produced in two hours and distributed before the threat actor completes their campaign is useful to the organisation that needs to act on it.
AI tools do not replace the analyst's judgement, source curation, or understanding of the threat landscape. What they do is compress the distance between raw source material and a structured, actionable brief. The analyst who understands how to use them effectively produces better intelligence faster than the one who does not.
This article is a practical workflow. Specific tools are named where relevant. The prompting approach is described at the level of intent rather than verbatim, because effective prompting requires adaptation to the specific sources and threat actor you are working with.
The threat intelligence analyst who masters AI-assisted workflows is not a less skilled analyst. They are the same analyst with the capacity to cover more threat actors, produce more briefs, and respond to emerging threats faster than their peers. Speed and quality are not a trade-off when the methodology is right.
What a Good Threat Intelligence Brief Contains
Before the workflow, the structure. An AI tool can only help produce a good brief if the analyst knows what a good brief looks like. Every section below has a specific purpose. Omitting one weakens the product.
| SECTION | WHAT IT CONTAINS |
|---|---|
| SUBJECT | One sentence describing the threat actor, campaign, or vulnerability this brief covers. |
| TLDR | Three sentences maximum. What happened. Who is affected. What to do. Written for a non-technical executive. |
| THREAT ACTOR PROFILE | Name/alias, attribution confidence, known TTPs mapped to MITRE ATT&CK, historical targets, motivation assessment. |
| INDICATORS OF COMPROMISE | IP addresses, domain names, file hashes, email addresses, registry keys. Table format. Confidence level per IOC. |
| ATTACK CHAIN | Step-by-step description of the attack methodology from initial access to objective. Each step mapped to ATT&CK technique ID. |
| AFFECTED SECTORS / GEOGRAPHIES | Which industries and regions are being targeted. Relevance assessment for the reader's organisation. |
| CURRENT ACTIVITY STATUS | Is this campaign active, dormant, or attributed to a historical period? Source confidence. |
| RECOMMENDED ACTIONS | Prioritised list of defensive actions. Tier 1: immediate. Tier 2: within 30 days. Tier 3: strategic. |
| SOURCE REFERENCES | Numbered list of source URLs and publication dates. All sources assessed for reliability. |
The brief that contains all nine sections and is produced in two hours is more valuable than the brief that contains three sections and took three days. The bottleneck is not insight. It is the mechanical work of gathering, organising, and formatting. AI tools address the bottleneck.
The Workflow: Six Stages
This workflow assumes the analyst has identified a threat actor or campaign to brief on. The source gathering and threat actor selection are the analyst's domain. The AI tools accelerate everything that happens after.
01 | Source Gathering and Triage | Browser, MISP, Recorded Future, or open CTI feeds
PROMPT APPROACH: Before involving any AI tool, gather your primary sources: vendor reports, ISAC feeds, MISP data, dark web monitoring alerts, open-source research. This step is analyst-driven. Do not ask AI to find your sources for you at this stage. Your source quality determines your intelligence quality. AI cannot compensate for poor source selection.
OUTPUT: A set of primary sources: vendor reports, raw IOC feeds, MISP events, threat actor profiles. Assessed for reliability before moving forward.

02 | Threat Actor Profiling | Claude or ChatGPT with structured prompt
PROMPT APPROACH: For each primary source, extract the key threat actor attributes in a structured prompt: "You are a senior CTI analyst. Based on the following source material, extract and organise: threat actor name and known aliases, attribution confidence level and basis, historical targets by sector and geography, primary motivation assessment, known TTPs mapped to MITRE ATT&CK technique IDs, and infrastructure patterns. Present as structured text I can use in an intelligence brief." Paste source content. Review output against source material.
OUTPUT: A structured threat actor profile covering all standard fields. Verify every ATT&CK mapping against the source before accepting it. AI occasionally maps techniques to incorrect IDs.

03 | IOC Extraction and Formatting | Claude or any capable LLM
PROMPT APPROACH: Paste all raw source material containing IOCs. Instruct: "Extract all indicators of compromise from this material. Categorise by type: IP addresses, domain names, file hashes (specify SHA-256, MD5, or SHA-1), email addresses, file paths, registry keys, and user agents. For each IOC, note the source it came from and the confidence level (high if from direct analysis, medium if from third-party reporting, low if inferred). Present as a structured table."
OUTPUT: A clean, categorised IOC table with source attribution and confidence levels. Verify each IOC against the original source. Check hashes against VirusTotal or your threat intel platform before including them in the brief.

04 | Attack Chain Narrative | Claude with ATT&CK mapping prompt
PROMPT APPROACH: Once the threat actor profile and IOCs are structured, build the attack chain. Instruct: "You are writing a section of a threat intelligence brief. Based on the following threat actor TTPs and campaign indicators, write an attack chain narrative that describes the full attack lifecycle from initial access to objective achievement. For each stage, cite the specific ATT&CK technique ID and name. Write in past tense as if describing confirmed observations. Flag any steps that are inferred rather than directly evidenced."
OUTPUT: A step-by-step attack chain with ATT&CK mappings. This is the section that makes the brief actionable for the SOC and detection team. Verify the technique IDs independently.

05 | Recommended Actions Generation | Claude with sector-specific context
PROMPT APPROACH: Provide the attack chain and the reader's sector context. Instruct: "Based on the following attack chain for a threat actor targeting [sector], generate a prioritised list of defensive recommendations in three tiers: Tier 1 (immediate actions within 24 hours), Tier 2 (implement within 30 days), Tier 3 (strategic programme improvements). For each recommendation, specify what it addresses in the attack chain. Write for a technical security team lead who will distribute to their team."
OUTPUT: A tiered action plan that connects defensive recommendations directly to specific attack chain stages. Review against your organisation's existing controls before publishing.

06 | Executive Summary and TLDR | Claude with full brief draft as input
PROMPT APPROACH: Once all sections are drafted and verified, write the executive summary last. Instruct: "You are writing the executive summary of a finished threat intelligence brief. Based on all the sections below, write: a one-sentence subject line describing the threat; a three-sentence TLDR covering what happened, who is affected, and what to do; and a two-paragraph executive summary written for a non-technical CISO. Avoid jargon. Translate every technical concept into business risk language."
OUTPUT: The executive summary and TLDR that make the brief accessible to the leadership audience that needs to make resourcing and prioritisation decisions based on it.
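Stage 03 asks the model for a categorised IOC table with per-source confidence, and the OUTPUT note insists that every row be verified against the original source. A deterministic extractor run over the same source text gives the analyst something to verify against: every IOC it finds carries the source it came from, and any row in the model's table that cannot be matched to an extracted record has no primary source and is a candidate for the cross-campaign conflation the integrity rules warn about. The following is an added example, not code from the article or from Xcademia; the two source snippets, the "AI draft" rows, the hash values and the addresses (all from reserved example ranges and domains) are constructed for the demonstration, and the confidence mapping follows the article's high/medium/low rule.

```python
import re

# Constructed sample sources (fabricated for this example; not real reporting).
# Each source records the basis for its confidence rating, following the
# article's rule: direct analysis -> high, third-party reporting -> medium,
# inferred -> low. Addresses and domains are from reserved example ranges.
SOURCES = {
    "S1 vendor report, 2024-01-01 (constructed)": {
        "basis": "direct analysis",
        "text": (
            "The loader beaconed to 203.0.113.45 and hxxps://update[.]example[.]net/cfg. "
            "Dropped loader.exe with SHA-256 "
            "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef "
            "and MD5 00112233445566778899aabbccddeeff."
        ),
    },
    "S2 third-party blog, 2024-01-03 (constructed)": {
        "basis": "third-party reporting",
        "text": (
            "Phishing mail from billing@example.com linked to cdn-static.example.org; "
            "a second C2 at 198.51.100.7 was reported by a partner."
        ),
    },
}

CONFIDENCE_BY_BASIS = {
    "direct analysis": "high",
    "third-party reporting": "medium",
    "inferred": "low",
}

# Longest hash first so a SHA-256 is never also counted as a SHA-1/MD5 substring;
# emails before domains so an address's domain part is not counted twice.
PATTERNS = [
    ("sha256", re.compile(r"\b[a-f0-9]{64}\b", re.I)),
    ("sha1", re.compile(r"\b[a-f0-9]{40}\b", re.I)),
    ("md5", re.compile(r"\b[a-f0-9]{32}\b", re.I)),
    ("ipv4", re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")),
    ("email", re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
]

# Dotted file names look like domains to a regex; these extensions are dropped.
FILE_EXTENSIONS = {"exe", "dll", "docx", "pdf", "zip", "js", "ps1", "bat", "lnk"}


def refang(text):
    """Undo common defanging so indicators match their operational form."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def extract_iocs(sources):
    """Return one record per indicator: type, value, originating source, confidence."""
    records = []
    for source, meta in sources.items():
        confidence = CONFIDENCE_BY_BASIS[meta["basis"]]
        text = refang(meta["text"])
        for ioc_type, pattern in PATTERNS:
            for match in pattern.finditer(text):
                value = match.group(0).lower()
                if ioc_type == "domain" and value.rsplit(".", 1)[-1] in FILE_EXTENSIONS:
                    continue
                records.append({"type": ioc_type, "value": value,
                                "source": source, "confidence": confidence})
            text = pattern.sub(" ", text)  # consume matches before the next pattern runs
    return records


def trace_ai_table(ai_rows, records):
    """Check each (type, value) row of an AI-produced IOC table against extracted records.

    Returns (traced, untraceable): traced rows carry their source and confidence;
    untraceable rows have no primary source and must not enter the brief.
    """
    by_key = {(r["type"], r["value"]): r for r in records}
    traced, untraceable = [], []
    for ioc_type, value in ai_rows:
        record = by_key.get((ioc_type, value.strip().lower()))
        if record:
            traced.append(record)
        else:
            untraceable.append((ioc_type, value))
    return traced, untraceable


# Constructed stand-in for a model's IOC table: the last row belongs to no source.
AI_DRAFT_ROWS = [
    ("ipv4", "203.0.113.45"),
    ("domain", "update.example.net"),
    ("sha256", "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"),
    ("ipv4", "192.0.2.99"),
]

if __name__ == "__main__":
    extracted = extract_iocs(SOURCES)
    print(f"{'TYPE':<8}{'VALUE':<66}{'CONF':<8}SOURCE")
    for r in extracted:
        print(f"{r['type']:<8}{r['value']:<66}{r['confidence']:<8}{r['source']}")
    traced, untraceable = trace_ai_table(AI_DRAFT_ROWS, extracted)
    print(f"\n{len(traced)} AI rows traced to a source; {len(untraceable)} untraceable: {untraceable}")
```

The regex extractor has its own false positives (file names, version strings), which is why the example filters common extensions and why the output is a cross-check against the model's table rather than a replacement for reading the source. Hashes that survive the trace still go to VirusTotal or the threat intel platform, as stage 03 requires.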

The Rules That Protect the Brief's Integrity
AI-assisted CTI work has specific integrity risks. These rules are not optional for analysts producing briefs that will inform defensive decisions.
Verify every ATT&CK technique ID the AI generates. Language models occasionally assign plausible but incorrect technique numbers. Check each one against the MITRE ATT&CK website.
Verify every IOC against primary sources before including it. AI tools can conflate IOCs from different campaigns if source material is mixed in a single prompt. Always trace each IOC back to its specific source.
Never include an AI-generated attribution statement without verification. Attribution is the most analytically sensitive element of a CTI brief. AI can generate plausible-sounding but incorrect attribution. Every attribution statement must be traceable to primary evidence.
Label the brief with the date of source material, not the date of production. CTI briefs become stale quickly. Readers need to know when the underlying intelligence was generated, not when the analyst sat down to write it.
Do not paste sensitive organisational data into public AI tools. If your brief is based on internal incident data, internal network information, or data subject to confidentiality obligations, use an enterprise-approved AI tool with appropriate data handling.
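The first rule, checking every ATT&CK technique ID against the MITRE catalogue, is the one most easily automated, and stages 02 and 04 both produce output that needs it. The check below is an added example, not code from the article or from Xcademia. It reads technique IDs from a STIX bundle in the layout MITRE publishes for ATT&CK (attack-pattern objects whose mitre-attack external reference carries the ID), skips revoked or deprecated entries, and then walks a draft attack chain written in the "Txxxx - Name" form the stage 04 prompt asks for, reporting IDs that do not exist and IDs whose name in the draft does not match the catalogue. The bundle here is a hand-built subset: T1566, T1059.001, T1078 and T1486 with their real names, plus a constructed revoked entry (T9998); the draft chain and its two deliberate errors (the non-existent T1999 and a real ID paired with the wrong name) are constructed too. For production use, point load_catalog_file at the full enterprise-attack.json from MITRE's attack-stix-data repository.

```python
import json
import re

# Constructed subset of the ATT&CK Enterprise catalog in the shape of the STIX 2.1
# bundle MITRE publishes (attack-pattern objects whose external_references entry
# with source_name "mitre-attack" carries the technique ID). The four live IDs and
# names are real ATT&CK entries; the bundle itself is a hand-built stand-in for the
# full enterprise-attack.json, and only the fields this check reads are included.
CATALOG_BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "attack-pattern", "name": "Phishing", "revoked": False,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}]},
        {"type": "attack-pattern", "name": "PowerShell", "revoked": False,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.001"}]},
        {"type": "attack-pattern", "name": "Valid Accounts", "revoked": False,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1078"}]},
        {"type": "attack-pattern", "name": "Data Encrypted for Impact", "revoked": False,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1486"}]},
        # Constructed retired entry: a draft that cites it must not validate.
        {"type": "attack-pattern", "name": "Constructed Retired Technique", "revoked": True,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T9998"}]},
    ],
}


def load_catalog(bundle):
    """Map current technique IDs to names, skipping revoked or deprecated objects."""
    catalog = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "attack-pattern":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        for ref in obj.get("external_references", []):
            if ref.get("source_name") == "mitre-attack" and "external_id" in ref:
                catalog[ref["external_id"]] = obj["name"]
    return catalog


def load_catalog_file(path):
    """Load the real bundle from disk (e.g. enterprise-attack.json) when available."""
    with open(path, encoding="utf-8") as fh:
        return load_catalog(json.load(fh))


# Constructed draft attack chain in the "Txxxx - Name" form the stage 04 prompt asks
# for. Step 4 cites an ID that is not in the catalog; step 5 cites a real ID with the
# wrong name attached. Both are the plausible-but-wrong errors the rules describe.
DRAFT_ATTACK_CHAIN = """\
1. Initial Access: T1566 - Phishing. A spearphishing mail delivered a macro document.
2. Execution: T1059.001 - PowerShell. The macro launched an encoded loader.
3. Persistence: T1078 - Valid Accounts. Harvested credentials were reused for logon.
4. Lateral Movement: T1999 - Remote Service Abuse. [INFERRED]
5. Impact: T1486 - Data Destruction. Files on shared drives were encrypted.
"""

# Technique ID (with optional .NNN sub-technique) followed by the cited name.
CITATION = re.compile(r"\b(T\d{4}(?:\.\d{3})?)\s*-\s*([^.\n]+)")


def normalise(name):
    return " ".join(name.casefold().split())


def check_attack_chain(text, catalog):
    """Return one finding per cited technique: ok, unknown_id, or name_mismatch."""
    findings = []
    for tech_id, claimed in CITATION.findall(text):
        catalog_name = catalog.get(tech_id)
        if catalog_name is None:
            status = "unknown_id"
        elif normalise(catalog_name) != normalise(claimed):
            status = "name_mismatch"
        else:
            status = "ok"
        findings.append({"id": tech_id, "claimed": claimed.strip(),
                         "catalog_name": catalog_name, "status": status})
    return findings


def verified_ids(findings):
    """IDs safe to carry into the brief: only those whose status is ok."""
    return [f["id"] for f in findings if f["status"] == "ok"]


if __name__ == "__main__":
    catalog = load_catalog(CATALOG_BUNDLE)
    for f in check_attack_chain(DRAFT_ATTACK_CHAIN, catalog):
        print(f"{f['status']:<14}{f['id']:<11}brief: {f['claimed']!r:<26}catalog: {f['catalog_name']!r}")
```

A name mismatch is treated as a failure rather than a warning on purpose: a model that attaches the right name to the wrong number, or the wrong name to a real number, has produced a mapping the SOC cannot act on, and the analyst has to resolve which half is correct from the source material before the step goes into the brief.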
An AI-assisted CTI brief that contains a hallucinated ATT&CK mapping or an incorrect attribution is worse than no brief. The analyst who publishes it under their name owns the error. The discipline of verification is not optional for professionals who understand what their reputation is worth.
Build Applied Threat Intelligence Capability
Xcademia's XCTI programme covers threat intelligence collection, analysis, structured analytic methods, MITRE ATT&CK operationalisation, and AI-assisted workflow integration. Six instructor-led days. Practitioner-assessed. Verifiable at xcademia.com/verify.