All too often we see organizations receive information on threat actors only to point-and-shoot when it comes to collection. There is little to no structure in this critical task that drives all intelligence production, analysis, and analytic writing.


This course prepares the organization’s designated intelligence professional as the person in charge of managing collection planning, staffing, targeting, ensuring integrated, synchronized, and deconflicted collection actions. As information is received from internal requests for information, analysis of existing data, information, and intelligence on the subject in question, the collection manager correlates and determine gaps in preparing the collection plan. This course prepares students in the development of collection requirements, designed to maximize the effectiveness of your limited resources covering what may seem as vast areas of online targets. The course assists the collection manager in determining where to look when to look, and what to look for. We provide students with situation and event templates, how to fill them out, how to manage the ever-changing problem iteratively, and how to establish collection priorities base on the courses of action the threat actor may likely adopt.

The collection manager works with the intelligence and priority intelligence requirements to develop the collection plan translating these into specific information requirements used to provide targeting while managing the availability and capabilities of the collection/research team.

The course prepares the collection manager with the following non-inclusively:

  • Collection Planning Screening Sources
  • Interpretation of Stakeholder Needs Data Segmentation and Prioritization
  • Intelligence Requirements Establishing a program of record
  • Essential elements of information Targeting
  • Analysis of requirements against the existing knowledge base Open Source Collection
  • What do you have? Tools, Methods, Resources
  • What do you not have? Using the TIP
  • What is the gap? Vendor Report Reviews
  • Where and how will you acquire that data? Threat Intelligence Platform Use and Data Extraction
  • How much time do you have? Tagging strategies
  • STEMPLES Plus – Strategic Analysis
  • What skills do you have to accomplish the task? Rules of Engagement
  • What skills do you not have? Escalation Guidelines and Rules
  • Mission and Requirements Management Passive Collection
  • Convert RFI’s to collection requirements Observables
  • Data Provenance
  • Collection Manager Communications and Sharing
  • Support to Leadership
  • Purpose of Stakeholder Analysis
  • Questions used to organize your products
  • Know your customer checklist
  • Getting started checklist
  • High-level process overview
    • How to Communicate Up
  • Steps to follow
    • Sample Invitation Letter
  • Strategic Questioning and Listening
    • Active and Empathic Listening
  • Stakeholder Collection and Tracking Model
    • Reporting formats for real-time interaction
    • Choices of visual support materials
    • Stakeholder Impact and Influence
  • Stakeholder Tracking
  • Priority Intelligence Requirements (PIR) – What are they?
    • Intelligence Requirements
  • Common Adversaries
  • Information Requirements Process Flow
    • Intelligence Requirements
    • Essential Elements of Information
    • Specific Information Requirements
    • Indicators
    • The Overall IR Process Flow
  • Targeting – Intelligence Collection
  • Information Required Prior to Intelligence Requirements
  • Prioritization
    • What is an Intelligence Requirement
    • What is a Priority Intelligence Requirement
    • Prioritization continued
  • Collector/Analyst Need to Understand
  • Stakeholder knowledge of their systems and data
  • Intelligence Team Priority Intelligence Requirements Examples
  • Collection – Research RACI
  • Indicators and Warnings
  • Intelligence Requirements Tracking
  • Get them to requirements
  • What is D3A?
  • D3A Targeting Requirements
    • Adversary Identification
    • Breakdown
  • Bring in Stakeholder Requirements
  • What is F3EAD?
  • The D3A/F3EAD Integrated Process
    • Aligned to the Cyber Threat Intelligence Lifecycle
    • Integrated Lifecycle Breakdown
    • The Full Lifecycle
    • The Treadstone 71 D3A and F3EAD Diagram and Intel Lifecycle
  • Logical Adversaries to Intelligence Requirement Development
    • Building Threat Matrices
    • Simple to Complex
    • Inclusion of ATT&CK Groups aligned to Nation-States
  • Threat Matrices
    • Simple to Complex
  • Wrap-up // Q&A
  • The Six Categories – ASCOPE
    • Area
    • Structures
    • Capabilities
    • Organizations
    • People
    • Events
  • D3A Targeting F3EAD
    • Social
    • Technical
    • Economic
    • Military
    • Political
    • Legal/Legislative
    • Educational
    • Security
    • PLUS
    • Religion
    • Demographics
    • Linguistics
    • Psychological
    • Other
  • Indicators of change
    • Motive thru Capabilities
      • Levels of Concern
      • Examples
  • Hofstede Principles
    • Power and Distance
    • Individualism and Collectivism
    • Masculinity and Femininity
    • Uncertainty Avoidance
    • Long Term and Short Term
    • Indulgence and Restraint
    • Hofstede Country Comparison Exercise
  • Strategic Analysis with STEMPLES
  • Indicators – Indicators of Change Matrices
  • STEMPLES Plus Template and Example
  • Definition
  • Requirements Management
  • Mission Management
    • Mission Analysis
    • Gaps
  • Collection Planning
    • Simplified Process
  • Collection Strategy
    • Intelligence Collection Synchronization
    • Red Team Support
    • Collection Tasking
  • Collection Operations
    • Principles
  • Collection Manager Tasks
    • Bringing in Intelligence Requirements
    • A Multidisciplinary Approach
    • Prioritization of Requirements
    • Available Assets
    • Iterative re-tasking Continuous monitoring of collection results
    • Anticipate collection requirements Meeting SIR requirements
  • Operational Security Rules (OPSEC)
    • Laptops and Access
    • Like a SCIF
    • The anonymity of your passive collection
    • List of items to consider
    • Standards and words to follow
    • Browser plug-ins / extensions
    • Recommended Software
    • Standard Desktop
  • Rules of Engagement (RoE)
    • Purpose
    • Pre-conditions required for RoE
    • Team Roles and Responsibilities
    • Use of Cyber Personas
    • Rules for the Rules
    • Internal and External Threats
    • Tools and Resources – High-Level
    • Escalation Cycle
  • Cyber Persona Methods and Techniques
    • Concepts – Logline
      • Establish the Logline – Create the Plot
    • Persona Archetypes
      • Archetype Review and Understanding
      • 16 Persona Motivations
      • Persona Perception
      • Persona Link Analysis
        • Types of Links to Consider
      • Persona Characterization
      • Persona Profile Sketch
      • Persona Tracking – Standard Fields
      • Persona First Steps
        • Memorable or not?
        • Dimensions
    • Twelve Essential Questions
    • Clandestine Cyber HUMINT - Screenplay
  • Request for Information
    • RFI Template
    • Request for Support
    • Data/Information dissemination
    • Coordinate with other internal and external sources
    • Validate preplanned collection tasks
    • Awareness of production and analysis status
    • Update adaptive collection plans
    • Redirects and information reporting to
    • Collection Planning Forms and Tracking Collection plan effectiveness
    • The Collection Manager’s Matrix Feedback loop
  • Complete a Plan
    • The Collection Plan Templates
    • Breakdown of the templates
      • PDF Form
      • Spreadsheet Collection Plan
      • Collection Tasking Worksheet
      • Intelligence Synchronization Matrix
    • Collection Manager Tasks Redux
    • Example completed plan
    • Iterative feedback – Constant communication
      • The Collection Manager’s Matrix Feedback loop
      • Converting intelligence-related information requirements into collection requirements Strategic, Tactical, Technical
  • Data Provenance - Dates/Times Collection Planning Process Flow and Metrics
  • Credibility / Validity / Relevance After-action reviews – at any time
    • Skimming / Speed Reading
    • Data Verification
    • Admiralty Scoring
      • Use and structure
    • Types of Evidence Collection Manager Oversight
    • Pitfalls in Evaluating Evidence
  • Intelligence Risk
  • Confidence Levels for your findings
  • Collection Plan Templates
  • Case Study Finals
  • Review
  • Q&A

Lecture, Hands-on, Apprenticeship, in-class exercises, student presentations, templates, course material—24 CPEs 3-days

Event Date 06-05-2020
Event End Date 12-29-2025
Registration Start Date 05-20-2020
Capacity 999
Individual Price $5,299.00

We are no longer accepting registration for this event

Washington, DC (Arlington, VA) - Analytic Writing in Cyber Intelligence


The Treadstone 71 Analytic Writing, Reporting, and Dissemination course covers 2 days of intensive writing training, exercises, peer reviews, briefings and reviews, report types and dissemination techniques.  We follow the intelligence community and proven academic methods validated and verified through years of execution. Students will learn through lecture and hands-on exercises following analytic writing exercises that follow intelligence community and academic standards.

Book your group rate for Treadstone 71 Room Block

You will find the information for your online reservation link below. If you have questions or need help with the link, please do not hesitate to call hotel Sales directly at 703 312 2100. We appreciate your business and look forward to a successful event.
Event Summary:
Treadstone 71 Room Block
Start Date: Thursday, October 8, 2020
End Date: Friday, October 9, 2020
Last Day to Book: TBD
Hotel(s) offering your special group rate:
Residence Inn Arlington Courthouse for 249 USD per night
Book your group rate for Treadstone 71 Room Block

Validated and registered students will receive course information 1 week prior to the course start at a minimum. Prospective students must send an email to This email address is being protected from spambots. You need JavaScript enabled to view it. from a corporate or government account to validate course eligibility before registration. (Corporate accounts are not Gmail, Hotmail, Yahoo, Mail, Hushmail, Protonmail, and the like). Treadstone 71 reserves the right to restrict course registration based upon certain risk factors.

Interested in Bundle Pricing? Contact Treadstone 71 at info AT treadstone71 DOT com

Treadstone 71 delivers intelligence community validated training. Our courses follow standards only taught in the US Intelligence Community fully adapted to the cyber environment. Our class have been taught since 2008 and are taught intelligence community professionals 

All Treadstone 71 courses include:

  • Hands-on case studies using cyber OPSEC methods for passive collection against adversaries
  • Certified Cyber Threat Intelligence program
  • 24 CPEs
  • Courseware and materials
  • High-quality instruction
  • Instructors who continue to do the job
  • Access to cyber intelligence program templates and forms
Event Date 10-08-2020
Event End Date 10-09-2020
Registration Start Date 12-14-2019
Capacity 20
Cut off date 10-06-2020
Individual Price $3,990.00

Contact Treadstone 71 Today for all your Cyber Intelligence needs.