
Statement of Cyber Counterintelligence

At Treadstone 71, we view cyberspace as a global domain within the information environment consisting of the independent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, embedded processors, controllers -- anything connected, or connected devices. It is a fifth domain of warfare that is under attack daily -- by nation states, nongovernment organizations, terrorists, criminals, and hacktivists.


Since cyberspace is a decentralized domain characterized by increasing global connectivity, ubiquity, and mobility, where power can be wielded remotely, instantaneously, inexpensively and anonymously, the threats to global critical infrastructures are enormous, the challenges unprecedented.

The United States, NATO, the United Kingdom, and other friendly governments and organizations are inextricably linked to the cyberspace domain, where conflict is not limited by geography or time. Cyberspace crosses geographic and jurisdictional boundaries. The expanded use of cyberspace places our interests at greater risk from cyber threats and vulnerabilities, and cyber actors can act globally within their own borders and within the borders of our allies and adversaries.

The complexity and amount of activity in this evolving domain make it difficult to detect, interdict, and attribute malicious activities. Our approach for several years has been that of a defensive posture, one that is reactive and focuses on a "see, detect, and arrest" capability, where the adversary has already emptied the coffers of our most critical information.

This needs to change.

Threats to cyberspace pose one of the most serious economic and security challenges of the 21st century. On the flip side, cyberspace offers us unprecedented opportunities to shape and control the battle space to achieve strategic objectives.

One of the key factors in meeting these challenges is cyber counterintelligence (or CCI). CCI covers the measures to identify, penetrate, or neutralize adversarial operations that use cyber means as a primary tradecraft methodology.

CCI includes activities in cyberspace such as forensics, examinations of information systems, and other approved virtual or online activities to identify, disrupt, neutralize, penetrate, or exploit hostile adversaries.

CCI is composed of both offensive and defensive elements. Offensive CCI includes the cyber penetration and deception of adversary groups, while defensive CCI includes protecting vital information and information systems from being obtained or manipulated by an adversary's cyber intelligence organizations, activities, and operations. This two-pronged approach forms a comprehensive CCI strategy that is informed by collection results and feeds more comprehensive CCI operations.

Treadstone 71 strongly advocates for a more progressive approach to CCI. Our doctrine, and we hope that of the United States, includes the collection and processing of technical and intelligence information derived from adversaries by other than an intended recipient. The CCI doctrine expands upon traditional cyber intelligence collection, while pursuing the offensive exploitation and defeat of adversarial intelligence activities directed against our interests.

Not only does our doctrine protect the integrity of government and commercial information and information systems, we also believe in the use of incisive, actionable intelligence provided to decision makers at all levels that serves to protect vital assets from adversarial intelligence activities, while neutralizing and exploiting their cyber intelligence capabilities.

We believe that CCI operational activity should:

#1 - Manipulate, disrupt, neutralize, and/or destroy the effectiveness of adversary cyber activities.

#2 - Recruit or induce defection of adversary personnel using cyber personas.

#3 - Leverage denial, deception, counter-denial, counter-deception, information warfare, psychological operations and online media to manipulate, direct, and redirect our adversaries, creating advantages and influencing events that lead to desired outcomes.

#4 - Collect cyber threat information on adversary operations, modus operandi, intelligence requirements, targeting objectives, personalities, communications capabilities, limitations, linguistic focus, efforts to modify, attributable hosting locations, and vulnerabilities.

#5 - Provide information and operations databases to support decision makers.

#6 - Provide CCI support to clandestine human and cyber intelligence operations.

#7 - Identify past, ongoing, or planned cyber espionage.

#8[a] - Leverage all open-source, signals, geospatial, imagery, measurement, human, financial, and technical intelligence.

#8[b] - Support cyber force protection operations, including, and other than, war and peacekeeping.

#9 - Acquire adversary cyber espionage capabilities for analysis, and countermeasures development.


#10 - Develop operational data, threat data, and espionage leads for future CCI operations, investigations and projects, and develop the potential of these leads to enhance cyber security overall.

A direct component of CCI is cyber espionage. It is the act or practice of obtaining secrets via cyber capabilities without the permission of our adversaries. This includes information -- personal, sensitive, proprietary, or of a classified nature -- from individuals, competitors, rivals, groups, governments, and enemies for personal, economic, political, or military advantage, using cyber exploitation methods.

The use of cyber espionage to actively gather information from computers, information systems or networks, or manipulate, disrupt, deny, degrade, or destroy targeted adversary computers, information systems or networks, must be woven into our cyber security strategic plans and operational tactics.

Cyberspace has become a main front -- the fifth domain of warfare in both irregular and traditional conflicts. Adversaries in cyberspace include both states and non-states that range from the unsophisticated amateur to highly trained professional hackers using virtual small arms that are proliferating, while growing enhanced payload and delivery capabilities.

Through cyberspace, our adversaries are targeting industry, academia, government, as well as the military, and the sea-air-land and space domains. In much the same way that air power transformed the battlefield of World War II, cyberspace has fractured the physical barriers that shield us from the attacks on our critical infrastructures. Indeed, adversaries have taken advantage of computer networks and the power of information technology to not only plan and execute savage acts of terrorism, but also to influence directly the perceptions and will of our governments and population.

In closing, CCI activities, as a component of strong cyber security practices, must be examined, strategically deployed, and operationally delivered -- while being continuously enhanced as a method of both active defense and offense.

It is time we expanded our reactionary approach from see, detect and arrest, to one that is proactive and aggressive.

Treadstone 71


The Cyber Intelligence Training adds rapid returns to both Cyber Intel Analysts and Security Ops Centers. Each student receives quality instruction and hands-on experience with today’s OSINT tools and intelligence tradecraft. This is necessary for anyone new to Cyber Intelligence and complementary to any Security Operations within your enterprise. This 4.5-day class provides the student with the resources and fundamentals needed to establish cyber intelligence as a force as both a proactive offensive step and a counter intelligence-contributing arm of your larger team. – Antonio

Online Cyber Intelligence Training Center for online courses

Jan 14-18, 2019 Cyber Intelligence - Amsterdam, NL

Cyber Intelligence Tradecraft Certification - Reston, VA March 4-8, 2019           

Cyber CounterIntelligence Tradecraft Certification - Reston, VA March 11-14, 2019

Intelligence Tradecraft - CounterIntelligence - Clandestine Cyber HUMINT  - Cyber Psyops - Persona Creation and Management - Cyber Influence Operations - Middle Eastern Cyber Warfare Tradecraft

Blended courses - Courses on demand - Courses developed per your needs, quietly and quickly

Students and organizations taught (non-inclusively): AIB, American Express, Capital One, NATO, Belgian Military Intelligence, Commonwealth Bank, Bank of America, ING, NCSC NL, Defense Security Services, PNY, Dell Secureworks, HPE Security, EclecticIQ, Darkmatter (AE), General Electric, General Motors, PNC, Sony, Goldman Sachs, NASA, DoD, East West Bank, Naval Air Warfare Center, VISA, USBank, Wyndham Capital, Egyptian Government, DNB Norway, Euroclear, Malaysian Cyberjaya, People's United Bank, Baupost Group, Bank of North Carolina, Fidelity Investments, Citi, Citigroup, T. Rowe Price, Wells Fargo, Discover, Blackknight Financial Services, Intercontinental Exchange (ICE), Citizens Financial Group, Scottrade, MetLife, NY Life, Synchrony Financial, TD Ameritrade, National Reconnaissance Office, FBI, Stellar Solutions, Lockheed Martin, Harvard Pilgrim, State of Florida, Deloitte, Ernst and Young, Mitsubishi, Tower Research, Geller & Company, KeyBank, Fannie Mae, BB&T, Aviation ISAC, JP Morgan Chase, Barclays, Nomura International, ING, Finance CERT Norway, BBVA, PenFED, Santander, Bank of America, Equifax, BNY Mellon, OCC, Verizon, Vantiv, Bridgewater Associates, Bank of Canada, Credit Suisse, HSBC, International Exchange, Vista Equity Partners, Aetna, Betaalvereniging Nederland, Dutch Police, non-inclusively (as well as several other firms by proxy as they hire qualified intelligence professionals trained by Treadstone 71).




"Fantastic class that gets to the foundational aspects of traditional tradecraft. We studied hard examining recent attack campaigns. The analysis training prepared me for real-world efforts. Have to say this is one of the best classes I have ever taken having taken many from SANS.  SANS does not compare. They are more of a class mill today.  The Treadstone 71 course material is unique, focused, and timely."

“This is one of the best, if not the best, Cyber Threat Intelligence training course I've attended.”


Ironically, said Bardin, it was Stuxnet that led Iran to enhance its offensive capability: ‘If Stuxnet had happened to the US or UK, it would have been seen as an act of war. In Iran, it made them invest heavily in offensive cyber operations.’

He revealed that 18 percent of Iranian university students are studying computer science – a cyber warfare talent pool.

Treadstone 71 Interview - Daily Mail on Industrial Control System Hacks


