AI-Augmented Cyber Intelligence Tradecraft: A Practitioner Brief

Cyber Shafarat · Tradecraft Bulletin · April 2026
—
AI-Augmented Cyber Intelligence Tradecraft — Treadstone 71 5-Day Flagship Course (June 22–26 2026)
—
TRADECRAFT BRIEF
Treadstone 71 has launched a new five-day graduate-level course — AI-Augmented Cyber Intelligence Tradecraft — that integrates the full Anthropic Claude primitive stack (Projects, Artifacts, Claude Code, MCP, Skills, Agent Teams, Computer Use, API, Batch, Prompt Caching, Citations, Contextual Retrieval) around the Adaptive Cyber Intelligence Lifecycle, STEMPLES Plus, Hofstede dimensions, ICD 203, BLUF/AIMS, the Cyber Intelligence CMM, and the thirty-technique Advanced Analytic Dominance arsenal. Two parallel tracks (Greenfield program build, Brownfield modernization). Capstone delivers a working nine-component AI-assisted intelligence stack. First cohort: June 22–26, 2026. NICCS / CISA listed. IAFIE-aligned.
→ Course page · curriculum · pricing: https://www.treadstone71.com/ai-augmented-cyber-intelligence-tradecraft
—
Why this course exists
The cyber intelligence training market is currently saturated with what we will charitably call “AI for cyber” offerings. The pattern is the same across every vendor: bolt a generative model onto an existing SOC playbook, automate the summarization layer, ship the result as “intelligence augmentation.”
It is not. It is faster reporting on tactical indicators. The PIR document — if one exists at all — was never tied to a sponsor decision. The collection plan is implicit, undocumented, and undisciplined. The analytic process is a single-model monologue masquerading as Analysis of Competing Hypotheses. The output never closes back to a refreshed requirement.
That is not an AI problem. That is a tradecraft problem. AI does not fix it. AI wrapped around the right tradecraft does — by an order of magnitude.
This course teaches the wrap.
—
Doctrinal architecture
The week is organized around the six phases of the Adaptive Cyber Intelligence Lifecycle. Unlike linear traditional cycles, the Adaptive Lifecycle places foresight and feedback at Phase One — because adversary OPTEMPO no longer permits a planning-collection-analysis-production-dissemination loop measured in weeks.
Day Lifecycle Focus Tradecraft Layer
Mon Strategic Target Framing ATCRI · ATVA · HWVM · DTTM. PIR Plus elicitation, executive sponsor Socratic interview, first Skill: `pir-author`
Tue Smart Collection Orchestration RMCA · CTCA · AABDA · AARD · BEPA · AGCP. MCP servers (Filesystem, Postgres). pgvector + Anthropic Contextual Retrieval. Persona doctrine (passive-only) with MBTI / Big Five / Seven Radicals / Enneagram + Hofstede legend
Wed Analytical Processing & Insight DUM · MVHT · DBNA · AHTR · HET · CARM · MRA · CIS. Multi-agent ACH workbench (Sonnet/Opus/Haiku as Hypothesis-Generator, Devil’s-Advocate, Evidence-Collector, Matrix-Scorer, Synthesizer). Cognitive Bias Validator gating at ≥ 80
Thu Counterintelligence & Production ITBP · CIDD · EICA · SCIM. Hooks as deterministic CI guardrails (PreToolUse egress block, PostToolUse persona stripping, Stop hook ICD-203 scoring). BLUF / TL;DR report generator. Four-product dissemination fan-out
Fri Cognitive Warfare + Capstone ACS · ACLS · CDM · CWC · CWIA · NCA · IIM · SIPD · PDA · PDM · HTIM · WAACS. Operation Silent Horizon full-spectrum SAT synthesis. 20-minute capstone brief in BLUF — bottom line first 50 words, no exceptions
Heuer SATs are taught as orientation only. The Treadstone 71 Advanced SATs are the operational arsenal.
That distinction is the point.
—
The 30-technique Advanced SATs arsenal
Built over fifteen years of operational engagements against state and non-state actors. Math-based. ICD-203-bounded. Designed for the cyber-AI environment Heuer’s 1999 work could not have anticipated. Inside the course, each is implemented as a Claude Skill, an Agent Team, or a hook chain.
Strategic Framing (Day 1): ATCRI (Adaptive Threat Calibration & Ranking Index) · ATVA (Adversary Total Vulnerability Assessment) · HWVM (Hybrid Warfare Vulnerability Matrix) · DTTM (Disruptive Technology Threat Mapping)
Cyber-AI Tradecraft (Day 2): RMCA (Recursive Malicious Code Attribution) · CTCA (Cyber Threat Convergence Analysis) · AABDA (Adversary AI Behavioral Detection Analysis) · AARD (Adversary AI Reconnaissance Detection) · BEPA (Blockchain Exploitation Pathway Analysis) · AGCP (AI-Generated Cognitive Penetration)
Advanced Analysis (Day 3): DUM (Decompositional Uncertainty Mapping) · MVHT (Minimal Viable Hypothesis Testing) · DBNA (Dynamic Bayesian Narrative Analysis — built as a 7-role agent team) · AHTR (Automated Hypothesis Testing & Refinement) · HET (Hypothesis Evolution Tracking with HEM) · CARM (Cyber Adversary Reflex Mapping) · MRA (Momentum-Reversal Analysis) · CIS (Competitive Intelligence Stratagem with CIM)
Counterintelligence & Economic (Day 4): ITBP (Insider Threat Behavior Profiling) · CIDD (Counterintelligence Deception Diagnostics) · EICA (Economic Influence and Coercion Analysis) · SCIM (Supply Chain Intelligence Mapping with EEI)
Cognitive Warfare Suite (Day 5): ACS (Adversarial Cognitive Simulator) · ACLS (Adversarial Cognitive Linguistic Synthesis) · CDM (Cultural Deception Mapping) · CWC (Cognitive Warfare Countermeasures) · CWIA (Cognitive Warfare Impact Assessment) · NCA (Narrative Coherence Analysis) · IIM (Influence Intent Mapping) · SIPD (Synthetic Influence Propagation Detection) · PDA (Perspective Distortion Analysis with PVRM) · PDM (Perspective Distortion Mapping companion) · HTIM (Human Terrain Influence Mapping) · WAACS (Weaponized Algorithmic Amplification Counter-Strategy)
Offensive techniques (AGCP, AARD, ACLS, SIPD) are taught conceptually only. Live deployment requires sovereign mandate.
—
The 9-component capstone stack
By Friday afternoon, every student walks out with a working stack of nine inspectable, deployable Claude-native components:
PIR Generator & Validator — Skill that elicits, validates, and refactors Priority Intelligence Requirements against the Treadstone 71 PIR Plus rubric (3-tier · decision-tied)
Collection Planner — PIR → SIR → source decomposition emitted as a sponsor-signable DOCX through MCP-wired tooling
Persona Library — Passive-only dossiers with MBTI / Big Five / Seven Radicals / Enneagram scaffolding plus Hofstede-consistent legend and OPSEC SOP
STEMPLES Plus Analyzer — Quarterly assessment generator with Indicators of Change deltas, output as XLSX + DOCX. Pilot cohorts report 50%+ analyst-hour reduction
ACH Workbench — Multi-agent (Sonnet / Opus / Haiku) Hypothesis-Generator → Devil’s-Advocate → Evidence-Collector → Matrix-Scorer → Synthesizer
Contextual RAG Repository — pgvector or Qdrant store with Anthropic’s Contextual Retrieval (chunk-context + BM25 + rerank), Citations API enforced
BLUF / TL;DR Report Generator — Subagent + Stop hook producing ICD-203-compliant reports across the AIMS tailoring spectrum (board, executive, technical lead, SOC), auto-scored by the Cognitive Bias Validator
Dissemination Workflow — Multi-product fan-out: executive micro-brief, board estimative paragraph, STIX 2.1 IOC bundle, RFI response, partner-shareable redacted version
Feedback / AAR Loop — Skill capturing stakeholder signal from Slack, Jira, and meeting transcripts, producing PIR-refresh recommendations on cadence
All inspectable. All deployable. All yours.
—
Two tracks
Greenfield — Charter a cyber intelligence function from zero. AI as founding employee, not bolt-on. Audience: CISOs, founding analysts, intelligence program managers. Capstone scenario: MERIDIAN (fictional fintech). Friday output: chartered cell, mission, governance, 90-day Cyber Intelligence CMM roadmap.
Brownfield — Retrofit AI into a mature program. Audience: heads of intelligence, team leads, senior analysts, intelligence engineers. Capstone scenario: NORTHWIND (simulated Fortune 500 industrial with deliberately introduced tradecraft drift). Friday output: gap memo, refactored PIRs, CI hooks, ROI dashboard.
Same Adaptive Lifecycle. Same SATs. Same writing standards. Different starting condition. Different judging emphasis.
—
Logistics
Format Investment Notes
Public Online $4,995 / seat 5 days · 40 hours · live synchronous · 90-day Slack support · Practitioner Certificate
Onsite Private $59,995 / cohort Up to 15 seats · client site, Fort Myers, or site of choosing · Capstone delivered to your C-Suite · 30-day modernization advisory included
Sovereign / Gov By RFP Air-gapped open-weights (Llama / Qwen) · Claude Gov substitution · multi-week residency option · Cyber Cognitive Warfighter combo (13-week)
Cohort: June 22–26, 2026
Doctrine alignment: NICCS / CISA · IAFIE · ICD 203 compliant outputs
Volume discounts: ≥ 4 seats from same organization
US Federal: GSA / Sole-Source vehicles available on request
—
The bottom line
If you walked into your SOC tomorrow morning and asked the lead analyst to show you the PIR document the team is currently working against, would they have one? If they have one, is it tied to a specific decision and a specific sponsor? If it is, is the dissemination loop closed back to a Cognitive Bias Validator score, an after-action review, and a refreshed requirement?
If any of those answers is no, you do not have an AI problem. You have a tradecraft problem. AI will not fix it. AI wrapped around the right tradecraft will.
Five days. Two tracks. One capstone. A real intelligence stack on Friday.
→ Reserve a seat or commission a private cohort
→ Direct line: (424) 234-3629 · info@treadstone71.com
The discipline is the moat. Claude is the amplifier. You need both.
— Treadstone 71
—