Comparative Analysis of #CI Maturity Models #CMM

Posted on By Treadstone 71

Want the whole package or just the reactive model?

DATE- September 25, 2025

SUBJECT- Divergent Paradigms in CTI Maturity- CTI-CMM V1.2 vs. Treadstone 71 CI-CMM

As the discipline of Cyber Threat Intelligence (CTI) matures, organizations are increasingly relying on Capability Maturity Models (CMMs) to assess their programs and guide their development. However, not all maturity models measure the same competencies or share the same foundational philosophy. The choice of a maturity model has a significant impact on how a CTI program defines its success and develops its capabilities. This brief provides a comparative analysis of two distinct models: the community-led CTI-CMM V1.2 and the Treadstone 71 CI-CMM, highlighting the fundamental differences in their orientation and measurement criteria.

Analytic Brief

The CTI-CMM V1.2 and the Treadstone 71 Cyber Intelligence Capability Maturity Model (T71 CI-CMM) represent fundamentally divergent paradigms for assessing CTI maturity. CTI-CMM V1.2 is an IT/Cybersecurity-centric model focused on measuring the integration of technical intelligence into established security domains. In contrast, the T71 CI-CMM is an Intelligence Doctrine-centric model focused on measuring the maturity of core intelligence tradecraft required for forecasting, estimation, and strategic analysis.

The Models

  • CTI-CMM V1.2- A community-led maturity model (Copyright 2024-2025) inspired by and structured around the U.S. Department of Energy’s Cybersecurity Capability Maturity Model (C2M2).
  • Treadstone 71 CI-CMM (T71)- A proprietary maturity model (Copyright 2017) based on Intelligence Community (IC) standards, International Association for Intelligence Education (IAFIE) standards, and traditional intelligence tradecraft (e.g., Kent, Heuer).

Foundational Divergence

An analysis confirms a significant divergence in the foundational philosophies, structures, and measurement criteria of the two models.

  • CTI-CMM V1.2 Orientation – Grounded in C2M2, NIST CSF, and NIST SP 800-53, this model is structured around 11 IT/Cybersecurity domains (e.g., Asset, Response, Architecture). It emphasizes the use of technical, often reactive frameworks (MITRE ATT&CK, Kill Chain, Diamond Model) to organize data related to ongoing or past intrusions. It measures maturity by the effectiveness of CTI integration into these technical processes.
  • T71 CI-CMM Orientation- Grounded in IC doctrine, this model is structured around core intelligence functions and cognitive processes (e.g., Critical Thinking, Cognitive Bias Mitigation, Structured Analytic Techniques, Evidence Evaluation, Tiers of Competency, Cyber Intelligence Program Building). The model measures maturity based on the rigor and methodology of the intelligence discipline itself, independent of IT frameworks, yet easily adapted for all such frameworks.

Why do we care?

The models measure different capabilities. CTI-CMM V1.2 measures Technical Intelligence Integration, while T71 measures Intelligence Tradecraft Capability.

While CTI-CMM V1.2 mentions strategic intelligence, it fails to measure the core analytic functions necessary for robust forecasting and estimation. It measures the delivery of intelligence to stakeholders but not the quality, rigor, or methodology used to produce it. Organizations using CTI-CMM V1.2 may achieve high maturity in integrating technical data into security operations while possessing underdeveloped core intelligence capabilities necessary for predictive and strategic analysis.

Why do we care now?

The recent publication of CTI-CMM V1.2 presents organizations with a distinct choice in how they evaluate and develop their CTI programs. As the CTI field matures, the distinction between IT-focused CTI support and doctrine-based intelligence operations becomes critical for organizational strategy and resource allocation.

How will this impact you?

The prevalence of IT-centric models, such as CTI-CMM V1.2, reinforces the view of CTI as a technical support function focused on indicator management and SOC/incident response enrichment. The approach often results in programs that are proficient in reactive cybersecurity but lack the foundational tradecraft—such as the rigorous application of SATs, analytic writing, or bias mitigation—to provide reliable, estimative intelligence that prevents strategic surprise critical to stakeholders at all levels. Conversely, the T71 approach fosters programs built on the enduring principles of the intelligence discipline, prioritizing analytic rigor and strategic forecasting.

What this looks like going forward.

The divergence between these two paradigms will likely intensify.

  • Trajectory for IT-Centric Models (CTI-CMM V1.2)- Organizations focusing solely on this path risk developing highly integrated, yet analytically immature, CTI functions. These programs will excel at optimizing security controls and response times, but will remain vulnerable to novel threats and strategic shifts in the threat landscape that require doctrinal intelligence tradecraft to anticipate. The reliance on technical frameworks may lead to an overemphasis on known TTPs and a failure to develop predictive capabilities.
  • Trajectory for Doctrine-Centric Models (T71) – Organizations adopting this path will build robust analytical capabilities capable of strategic forecasting and estimation. The challenge for these programs will be ensuring effective integration with the technical apparatus while maintaining the integrity of intelligence doctrine. This path provides a higher ceiling for strategic impact and proper prevention through anticipation.
  • Strategic Risk- The most significant risk lies in organizations mistaking high maturity in Technical Intelligence Integration (CTI-CMM V1.2) for high maturity in Intelligence Tradecraft Capability (T71). The miscalculation could lead to a false sense of security regarding their ability to forecast and prevent future threats.

The fundamental divergence between the CTI-CMM V1.2 and the Treadstone 71 CI-CMM lies in their core orientation: IT/Cybersecurity integration versus Intelligence Community doctrine. The CTI-CMM V1.2 provides a framework for ensuring CTI effectively supports technical security operations, relying heavily on reactive cybersecurity frameworks. The Treadstone 71 model, conversely, provides a framework for building the rigorous analytic tradecraft necessary for predictive, estimative, and strategic intelligence. Organizations must recognize that these models measure different paradigms—Technical Integration vs. Tradecraft Capability—and must deliberately choose the path that aligns with their strategic objectives for intelligence-driven defense and prevention.

Treadstone 71

Adaptive Intelligence, Advanced Analytic Dominance, ALL, CICBK, CICMM, Cyber Intelligence, Cyber Intelligence Capability Maturity Model, Cyber Intelligence CBK, Cyber Intelligence Common Body of Knowledge, Cyber Intelligence Lifecycle, Cyber Threat Intelligence, IAFIE, Intelligence Analysis, Intelligence Estimate, Intelligence Training, OSINT, PHIA, Structured Analytic Techniques, Threat intelligence, Tradecraft, Warning Intelligence Tags:, , , , , , ,

Related Posts

Copyright 2024

Discover more from The Cyber Shafarat -

Subscribe now to keep reading and get access to the full archive.

Continue reading