Intelligence for the C-Suite and Stakeholders

This is a one-day course designed to educate corporate leadership and stakeholders in cyber and threat intelligence. There is a general awareness of the need to establish intelligence functions. Yet many organizations do not have a fundamental understanding of what intelligence is, where the function should reside, and how it differs from business and competitive intelligence, including the overlaps and natural points of integration. This one-day course targets corporate leadership, delivering clear and coherent training that equips stakeholders with the understanding and tools they need to assist in building a successful intelligence program.

Registration Information – Dates and Times TBD

Course High-Level Outline

  • Using Strategic Intelligence
  • Organization and Focus of the Class
  • Background on Strategic Intelligence and Analysis
  • Approaches and Processes
  • Strategic Plan development, acceptance, and dissemination
    • Mission
    • Vision
    • Guiding Principles
    • Roles and Responsibilities
    • Threat Intelligence Perspective
    • Business Intelligence Perspective
    • Competitive Intelligence Perspective
    • Intelligence Strategic Challenges
    • Goals and Initiatives
    • Next Steps
    • Roadmap
  • Stakeholder checklist and stakeholder management groups with strategic and tactical activities definition for intelligence, description of needs and products. This will include:
  • The Future Use of Strategic Intelligence
  • Intelligence: Role, Definitions, and Concepts
  • Basic Concepts Concerning Intelligence
  • The Strategic Intelligence Process – Operations to Tactics
  • The Role of Strategic Intelligence and Its Impact on Stakeholders
    • Operational, Technical, Tactical
  • Why Stakeholders and Executives Need Strategic Analysis:
  • Strategic Analysis Leading to Strategic Decisions
  • Implementing Intelligence Programs
    • The Treadstone 71 Method (Experience with several program builds globally)
  • Challenges for Stakeholders to Accept Intelligence
  • Stakeholder Views: Impact on Intelligence
  • Intelligence as Catalyst for Stakeholders
  • Integrating Analytical Support and the Stakeholder Thought Process
  • Stakeholders and Self-Directed Strategic Processes, Procedures, Methods
  • The Role of Intelligence Management
  • Issues, Tactics, Techniques, Methods, and Principles
  • Managing Intelligence Projects
  • Providing Focused Leadership
    • Leading the Team
    • Understanding Issues and the Process
    • Analysis Overview
    • Collection Management
    • Production Management
      • Evaluation
      • Analysis
      • Integration
      • Interpretation
    • Types of Analysis
      • 14 Types of Analysis
    • Analytic Writing
      • ICD 203, 206, 208
      • Organization, Evidence, Argument, Sources, Pitfalls
      • Use the Title
      • Who/What, Why Now, So What, Impact so far, Outlook, Implications
      • BLUF and AIMS
      • Supervisory Actions
      • Summary Paragraphs
      • Alternative Analysis
      • Clarity and Brevity
      • Peer review
      • Reports and Reporting
        • Feedback
    • Pre-Mortem
    • Post-Mortem
    • Know your professor, get an A – Communicating Up
      • Relevance, Timeliness, Completeness, Accuracy, Usability
    • Briefing Rules
  • Intelligence Analysts and Self-Management
    • High-Level Tasks
  • Analyst Activities
    • Rules for developing analysts – Alignment and as collectors
    • The Role, Responsibilities, and Functions of the Analyst
    • The Analyst’s Roles and Responsibilities – RACI(s)
    • What the Analyst will face
    • Job Descriptions
  • Conclusion
    • The Executive / Stakeholder’s Roadmap
Corporate stakeholders risk investing large amounts of time and money with little positive effect on their security, corporate strategies, and business direction. Participation in this course ensures that the C-Suite and stakeholders understand the discipline required to build a successful program. The course helps align information security, incident response, security operations, threat and cyber intelligence with the business.

Full Suite of Cyber-Threat Intelligence and Counterintelligence Courses Ready for Global Delivery

Treadstone 71 today announced a full suite of Cyber and Threat Intelligence and CounterIntelligence training courses. The courses drive the expansion of Treadstone 71’s accelerated, academically validated, intelligence training to global markets. Treadstone 71 delivers courses in California, Virginia, Canada, the United Kingdom, and the Netherlands and is set to expand to the Middle East and Asia later this year.

Treadstone 71 offers a compelling business model that delivers rapid cyber and threat intelligence strategic planning, program build, and targeted training in sectors such as financial services, government, healthcare, energy, and other critical infrastructure verticals. Treadstone 71’s format, curriculum, and instruction model are helping meet critical global demand for cyber and threat intelligence and analysis expertise. Treadstone 71 training provides graduates with an attractive pathway to compensation increases, career progression, and much-needed attention to intelligence. The organization has been teaching cyber intelligence at the Master’s level and commercially for seven years. New courses include a focus on campaign management, the use of Tor, Tails, I2P, and Maltego as well as covering persona development and management. Students create a series of identities, character development, and dimensions, storyline, plot synopsis, story drive and limit, story weaving, applicability, scope, tools to be used, methods of interaction with other identities, engaging secondary characters, refining targeting while developing a campaign to gain street credentials.

“Our courses provide academic instruction combined with real-world, hands-on collection, analysis, analytic writing, dissemination, and briefings that many liken to an apprenticeship,” said Jeff Bardin, Chief Intelligence Officer for Treadstone 71. “Our curriculum follows the teachings of Sherman Kent and Richards Heuer giving students the tools necessary to perform targeted collection, structured analysis while authoring reports modeled after intelligence community standards. We teach methods of cyber infiltration, information and influence operations, counterintelligence strategies, mission based counterintelligence, denial and deception, and counter-denial and deception.”

Treadstone 71 courses are validated and proven by intelligence professionals creating job-ready threat intelligence professionals for global organizations suffering a talent shortage. “Intelligence analysis is an inherently intellectual activity that requires knowledge, judgment, and a degree of intuition,” continued Bardin. “Treadstone 71’s intelligence, counterintelligence, and clandestine cyber HUMINT training and services help organizations transform information into intelligence pertinent to their organization.”

Analysis includes integrating, evaluating, and analyzing all available data — which is often fragmented and even contradictory — and preparing intelligence products. Despite all the attention focused on the operational (collection) side of intelligence, analysis is the core of the process to inform corporate stakeholders. Analysis is more than just describing what is happening and why; identifying a range of opportunities… Intelligence analysis is the key to making sense of the data and finding opportunities to take action. Analysis expands beyond the technical focus of today, providing organizations with core capabilities for business, competitive, cyber, and threat intelligence.

Treadstone 71’s Cyber Intelligence Tradecraft Certification is the gold standard in the industry today derived from both academia and from Treadstone 71’s experience in building cyber intelligence programs at Fortune 500 organizations worldwide.

Treadstone 71

888.714.0071 – osint@treadstone71.com

The 12 Days of Cyber Christmas

…or What I want for Cyber Security and Intelligence Christmas 2016

  1. All CIOs must have served as a CISO for at least 4 years before being allowed to be a CIO.
  2. All CIOs must have a CISSP, CISM, and at least 2 technical information security certifications and have been thoroughly trained and qualified to be a CIO. No more cronyism.
  3. CISOs will never report to the CIO – conflict of interest and a recipe for … what we have now.
  4. If you are the administrator for a device, you secure that device (servers, routers, appliances, etc.). You are responsible and accountable – Secure what you own. Secure what you manage.
  5. CIOs and their leadership will be held liable for deploying vulnerable systems.
  6. All new products (IoT and beyond) must be certified secure before public release. No more figure it out as we go and bolt it on after we have consumers hooked.
  7. All root access / administrative rights for production, critical, supporting, etc., systems and devices are removed and granted only for approved changes and incidents.
  8. All written code and script must be written properly. There is no such thing as secure code, only code that works correctly and does not create vulnerabilities.

  9. All operating systems will be shipped closed and installed closed with a risk rating system for each port, protocol, and/or service. Each modification reduces the security posture of the operating system providing a risk score while automatically offering advice on how to remediate that score with other controls.
  10. New regulations to enforce security and privacy, demanding disclosure of breaches, fining companies and individuals for negligence are put in place, at once.
  11. Vendors posting adversary IoCs, TTPs, and other methods that would normally be seen as ‘telling the enemy what we know, i.e., sedition’ will be fined for such activity.
  12. You will tell yourselves over and over again that contracting with Treadstone 71 to build your cyber intelligence strategy and program is the absolute right thing to do (repeat after me …).

Merry Cyber Christmas from Treadstone 71


Treadstone 71 Cyber Intelligence, Counterintelligence, and Target-Centric OSINT Course Overviews

The information below provides non-inclusive overviews of Treadstone 71 courses. The courses are listed in order of suggested training. Courses may be taken separately or as a package. Course requests and modifications are acceptable. These are high-level outlines. The courses teach intelligence tradecraft with a focus upon intelligence analysis, methods, tactics, techniques, procedures, and operational security (OPSEC).

Upcoming Classes

For more information: 888.714.0071

Cyber Intelligence Tradecraft Certification

This course is highly specialized following intelligence community tradecraft. If you want purely technical, then this is not the course for you. If you want tradecraft that lays the foundation for a solid program, education that creates a lasting impact, then this is the course for you.

Your enemies scour blogs, forums, chat rooms and personal websites to piece together information that is used to harm the government and commercial organizations. Learning about cyber intelligence, OSINT, and Cyber-OPSEC effectively equips students with the tools to gather data points and transform these data points into actionable intelligence that prevents target attacks.

The course includes:

CYBINT1 – Collection Methods and Techniques, Collection Planning, PIRs, Collection Process Flow, Collection Tools and Targeting, Alignment with Hunt and Detect Needs, Ties to CSIRT, TTPs, IoCs, Threat Intelligence, Open Source Intelligence, All-Source Intelligence, Standard Glossary and Taxonomy – (Case Study 1)

CYBINT2 – Organization, Production, and Structured Analytic Techniques, Use of Techniques, Production Management, Critical Thinking, Process Flow, Metrics, Intake forms, and templates – (Case Study 2)

CYBINT3 – Types and Methods of Analysis, Decomposition, Recomposition, Methods for Fusion, Case Studies in Analysis, Cognitive Bias, Credibility and Reliability of Sources, Confidence Levels, Analysis of Competing Hypotheses, Flow into Hunt, Detect, CSIRT, TTPs, IoCs, Inductive/Abductive/Deductive Reasoning, Historic trending and campaign analysis, Intelligence for organizational resilience.

CYBINT4 – Table Top Exercises (TTXs), Identifying Your Consumers, Stakeholder Identification, and Analysis, Standing Orders from Leadership, Analytic Writing, BLUF, AIMS, Types of Reports, Product Line Mapping / Report Serialization, and Dissemination, Cyber and Threat Intelligence Program Strategic Plan, Goals, Objectives. Case Study Presentations

Lecture, Hands-on, Apprenticeship, in class exercises (3 Live Case Studies), student presentations, analytic products, templates, course material—40 CPEs (5-days – 40 hours)

All Case Studies use all methods, techniques, and tools referenced in the course material. The Case Studies used are straight from the headlines giving students real world experience during the class.

Cyber Counterintelligence

This course presents the student with foundational concepts and processes in the discipline of cyber counterintelligence with a focus on cyber counterintelligence missions, defensive counterintelligence, offensive counterintelligence, and counterespionage as these realms apply to traditional tradecraft, and how they are or will evolve into the cyber domain. By starting with traditional counterintelligence and progressing to cyber counterintelligence, the student will develop an appreciation for collection efforts, exploitation of potential threats, insider concerns, and the risks and benefits of counterintelligence.

With the expanding importance on the comprehensive and timely need for intelligence for nations as well as businesses, the student will explore the essential elements that make up the intelligence cycle with a focus on how these pivotal points are exploited. As part of this class, the exploration of the continued importance of critical thinking as well as out-of-the-box analysis will be heavily leveraged to improve the critical-thinking skills of the students. As cyber topics continue to evolve, the increased importance of cyber intelligence is growing and as such the protection of our intelligence cycles will expand as well; emphasizing the growing need to ensure our processes are not compromised in a cyber-dominated landscape. Cyber counterintelligence is one aspect and possibly one of the most crucial topics at the core of protecting our collection efforts. The potential for active defense or offensive cyber counterintelligence operations will be covered. The course will rely heavily on individual research and group discussion to explore the world of cyber counterintelligence, and where applicable, make use of the student’s ability to do independent thinking and analysis of in-class problems assigned through weekly discussion threads.

Cyber CI Team Presentations: Cyber Infiltration, Information Operations, Information Support Operations

  • National Counterintelligence Strategy
  • Standard Glossary and Taxonomy
  • Mission Based Counterintelligence
  • Counter Collection and Anticipation
  • Denial and Deception
  • Counter-Denial and Deception
  • Cyberspace
  • The Cyber Persona Layer
  • Perception as Deception
  • Social Psychology
  • Differences in Culture
  • Hofstede Dimensions
  • Includes open source tool usage
  • Persona creation, establishment, maintenance, expansion (depending upon taking Cyber Intelligence Course)
  • Data collection – recycle for Cyber CI updates/improvements
  • Authoring of blogs and articles for influencing
  • Placement of specific concepts and phrases
  • Target profiles – dossiers
  • Target gap analysis
  • Clearly define the mission so that it aligns with organizational objectives
  • Clandestine Collection
    • Operation
    • Surveillance
    • Counter Surveillance
    • CI Activities
    • CI Analysis and Production
    • CI Analysis Reporting
      • Support Brief
      • Source Evaluation
      • Operational analysis report
      • Asset Evaluation
      • Support Package
      • CI Assessment
      • CI Campaign
        • Mission
        • Mission Management
        • Operations
      • Effects-Based Operations
      • Functions and Services
    • CI Insider Threat
      • Investigations
    • Prepare an estimate of the situation
      • Prepare the plan
        • Support Plan
      • Cyber Media selection
      • Snuggling
      • Internet OPSEC
      • Product development
      • Pretesting – determines the probable impact on the target audience
      • Production and dissemination of material
      • Implementation
      • Post-testing evaluation of audience responses
      • Feedback
    • Ten Commandments of Cyber Counterintelligence
      • Be offensive
      • Honor your profession
      • Own the street
      • Know your history
      • Do not ignore analysis
      • Do not be parochial
      • Train your people
      • Do not be shoved aside
      • Do not stay too long
      • Never give up
    • Research and analyze methods of influencing adversaries from a variety of information sources
    • Team/Individual Presentations

Lecture, Hands-on, Apprenticeship, in class exercises (Live Case Studies), student presentations, templates, course material—30 CPEs 4-days

All Case Studies use all methods, techniques, and tools referenced in the course material. The Case Studies used are straight from the headlines giving students real world experience during the class.

Target-Centric Open Source Intelligence

This course focuses on open source intelligence and adversaries while creating online personas to assist in data collection and information extraction. This introductory course examines open source intelligence collection as well as the availability and use of OSINT tools. Students will be able to understand the use of methods of online anonymity, the fundamentals behind cyber persona development, enrollment in various social media sites and applications, and how these current methods can be employed in their organizations to assist in cyber operational security, their defense against adversaries, and passive data collection. The establishment of cyber personas takes patience and time in order to create a credible resource. Parallel activities occur through the outline above. Treadstone 71 maintains separation from the client as required, maintaining confidentiality of methods and processes. Sitreps and current intelligence may redirect activities. The intent is to establish a program of cyber and open source intelligence that creates data streams for analysis. Data streams take time to develop in order to establish links, trends, tendencies and eventually, anticipatory and predictive analysis. The desire is to move from a detective approach to one that is preventive while moving to predictive.

Adversaries scour blogs, forums, chat rooms and personal websites to piece together information that is used to harm the government and commercial organizations. Learning about cyber intelligence, OSINT, and Cyber-OPSEC effectively equips students with the tools to gather data points and transform these data points into actionable intelligence that prevents target attacks. Students will learn methods to create and manage personas while passively gathering information leading to cyber street credentials.

The course covers (non-inclusively):

  • Open Source Intelligence
    • Methods of collection
    • Specific tools
    • Social media sites and enrollment
  • Methods of Social Media Research
    • Tools and techniques
    • Social media demographics
    • Cyber Criminals
  • Social Psychology
    • Reciprocity
    • Consistency
    • Social validation
    • Liking
    • Authority
    • Scarcity
  • Differences in Culture
    • Diversity
    • What is …
  • Hofstede Dimensions
  • Big 5 Theory of Personality
  • Information Warfare and Cyber Psychological Operations
    • Target analysis and message manipulation where applicable
  • Establish Priority Intelligence Requirements
    • Establish Information Requirements
  • Persona creation and implementation
    • Cyber Persona Development and Maintenance
      • Leverage existing
      • Create new
      • Establish the storyline
      • Establish the plot synopsis
      • Storyline and plot synopsis
    • Story weaving and management
    • Snuggling
    • Collection
      • Linkages, trends, tendencies
    • Cyber Target Acquisition and Exploitation
      • Validation of target
      • Identify active adversary campaigns
      • Intent, Motivation, Goals, & Requirements.
    • Passive data collection
      • Campaign development
      • Target sites
        • Enrollment
      • Tactics, techniques, and procedures
      • Intent, motivation, goals, and requirements
      • Vectors of approach – Courses of action
      • Elicitation and exfiltration

Lecture, Hands-on, Apprenticeship, in class exercises (Live Case Studies), student presentations, templates, course material—30 CPEs 4-days

All Case Studies use all methods, techniques, and tools referenced in the course material. The Case Studies used are straight from the headlines giving students real world experience during the class.

The most dangerous thing in the world is a Second Lieutenant with a map and a compass.

The recent excuse by FireEye and other technology firms that their stock is tanking due to China, not hacking is largely an unsupported and completely self-serving hypothesis. They offer no other hypothesis other than the one that gives them an excuse for selling products that do not work, for appeasing their stockholders and investors, and for delivering services steeped in see, detect, and arrest methods. FireEye bet the farm on typical perimeter sensors used to drive detection after the adversaries are in the client’s environment. They doubled down by buying Mandiant, an organization focused on putting ‘butts in seats’ for incident response. That would be seats in your organization at a very high cost. Incident response, another function based upon a defeatist mentality using a “kill chain” that kills the adversary and/or the malware that has already penetrated the environment. Much like letting an armed burglar into your home out of fairness and then starting a shootout. Now we see a CEO change over that will surely drive the focus to more incident response marketing. Add that to the latest purchase of an overpriced iSight, a threat research firm that creates once and delivers many and you have a recipe for poor stock performance. Congratulate Mr. Waters on getting out when he did and seeing that an IPO was not in the cards. iSight has even been asked by some firms to build threat intelligence capabilities. Something completely anathema to iSight’s strategy and something they are not capable of delivering in the first place. // We know. We have cleaned up what they have left behind. // They are a research firm. They create reports. They sell the same report to everyone.

The second part of their complete market arrogance is the statement (WSJ) that none of the 22 Chinese APT groups it tracks are actively attacking U.S. companies. So FireEye has built this huge capability across the globe yet only tracks 22 Chinese groups? // If a tree falls in a forest and no one is around to hear it, does it make a sound? // FireEye, CrowdStrike, Trend Micro, Checkpoint, Cylance, Palo Alto, HP, Symantec, and others continue to release reports on various groups they track. Do you really believe these groups will continue the same modes of operation once discovered? Is it not possible that the adversaries changed their protocols and tactics in response to the release of intelligence data on their actions? Is it possible that the archaic methods being used by these vendors will not pick up new methods laced with advanced tactics of denial and deception? Is it possible that these vendors are not seeing activity because they are not as good as they claim they are? The absence of evidence does not mean the activity does not exist. Keep publishing reports on adversaries, tipping your hand on what capabilities you do have and they are bound to make some changes. I guess that is why you call them advanced. Actually, -advanced- this is cyber espionage so let us call it what it is. Persistent only in the arrogance of such companies selling solutions that truly do not come close to solving the problem. Chest thumping and marketing reports serve to tip off the adversary, forcing them to become more devious, instituting wholesale changes in their approaches. Possibly to the point where you are not seeing the activity since you have not changed along with the adversary. // The enemy diversion you’re ignoring is their main attack. // We are at war. Who in war tells the enemy that their code has been cracked? That their tactics and methods have been discovered? Did the British divulge the fact that they had cracked the Enigma code? Of course not. They understood the value of intelligence and intelligence exploitation. They understood what was at stake. The cyber security market today is only interested in generating revenue.

Many organizations continue to purchase the perimeter tools and sensors of the FireEyes and Crowdstrikes. The companies purchasing these products continue to lose data. Until we stop buying carpetbagger solutions we will not force change. We need to demand solutions that are truly preventive and predictive not based upon malware reverse engineering, or methods (kill chain) based upon see, detect, and arrest. // Professional soldiers are predictable; the world is full of dangerous amateurs. // We need to stop believing that companies with leadership trained only in law enforcement tactics truly understand intelligence tradecraft. We need to stop believing that companies with a pedigree in anti-virus understand intelligence tradecraft and offensive methods. We need to understand that stopping the adversary starts with not tipping them off. We need to stop believing that just because they are a big company, they actually know what they talk about. They don’t. They are just tasked with selling product.

Understand the latest focus on ‘hunt and detect’ is merely an enhancement to the failed attempts at event correlation in SIEMs. Log aggregation and then analysis of the content for tactics, techniques, and procedures is but an improved method of finding adversaries and malware already in your environment. This is not proactive. This is not preventive no matter what the vendors tell you. It is necessary but not new.

The adversary has changed yet the security technologies used to stop them are rooted in old and failed methods. Time to wake up and invest in something better.

One more area that needs attention is the actual reports coming out of these companies. They are not written in analytic form and format. They do not provide confidence levels. Most importantly, the market takes them on face value without citation of sources, reliability of sources, and credibility of the information. Even news organizations take them at face value. These are journalists who live and die by source and information validation. Actually, they should not be publishing these openly at all but if they must, then we must demand validation of sources. Otherwise, we run the risk of another Norse. It is always interesting when revenues drop and market share suffers, then suddenly a new discovery is made on an adversary resulting in a new, unsubstantiated report.

“Never interrupt your enemy when he is making a mistake.”

― Napoléon Bonaparte

“Always interrupt your vendor when they try to sell you snake oil.”

― T71



Treadstone 71 Head of Threat / Cyber Intelligence Services

Treadstone 71 provides a threat intelligence leadership service that is designed to assess and benchmark your organization’s cyber intelligence program, examining incident response, cybercrime, hunt groups, red/blue/purple teams, threat intelligence, leadership/stakeholder issues and needs, reporting, integration, and communication. The Interim Head of Threat Intelligence Service is customized and scaled based on the size of your organization and industry type. Treadstone 71 provides a structured approach used to measure and develop your intelligence direction for organizations using internationally recognized information security standards. Our services help you:

  • Support the management of cybercrime risks within your organization entities through the effective delivery and continuous operation of cybercrime defense capabilities and an effective cyber intelligence practice
    • Establish strategic plans, program development, standard operating procedures, priority intelligence requirements, product line mapping (reporting), and passive intelligence collection methods and rules of engagement.
      • Vision, mission, guiding principles, roles, responsibilities, goals and initiatives
  • Provide thought leadership while relying on extensive experience and judgment to plan and accomplish
  • Continually enhance organizational cybercrime and cyber intelligence capabilities to effectively identify and respond to emerging threats
    • Improve workflow through well-defined roles and responsibilities
    • People, process and technology enhancements
    • Integrate structured analytic techniques
  • Plan for and support the establishment and expansion of new cybercrime and cyber intelligence services for your organization with changing threat profiles and organizational context
    • Adversaries
    • Who are they?
    • Motivation, intent, capabilities,
    • Dossiers – Baseball cards
    • Virtual HUMINT
    • Behavioral Analysis
  • Attack surface awareness
    • Situational awareness of your attack surface – digital footprint
    • Internet Exposure Assessment – Attack Surface Analysis – Perception Management – Sentiment Analysis
    • Competitive Intelligence Assessment and Program Analysis
    • Campaign Analysis with Recommendations and Opportunities
    • Darknet / Deep Web exploration
  • Analyze collected strategic intelligence and determine factors such as confidence, relevance, likelihood, and potential impact to business services, functions, and products
    • Build into analytic writing with intelligence and critical thinking checklists
  • Work with CSIRT to improve and provide feeds for automation and interfaces / iterative points of integration with intelligence functions
    • Improve detection and response
    • Solidify the Intelligence Lifecycle
    • Feeds for automation and remediation
  • Assist/Contribute to situational awareness activities or processes within intelligence and the business, providing business context to active or emerging threats
  • Provide leadership and strategic direction for the Cybercrime and Cyber Intelligence team, ranging from planning and budgeting to motivational and promotional activities and collaborate with all stakeholders to deliver exceptional results
  • Provide meaningful metrics and reporting to inform decisions based on accurate, up-to-date measurements of threat and risk
  • Create and maintain relationships with law enforcement and security agencies to provide effective and ongoing information sharing
  • Inspire, mentor and motivate staff to attain goals and pursue excellence

Treadstone 71 is currently working with several organizations to build their threat intelligence programs. Contact us now for more information: 888.714.0071

The Treadstone 71 Difference

Treadstone 71 is nothing like our competitors who are rooted in defensive posture actions with a pedigree in reverse engineering malware and providing defensive solutions for that malware. Most come from anti-virus and law enforcement backgrounds where ‘see, detect, and arrest’ is their mantra. They offer technology solutions based upon this method of protection – technology biased // sales focused. Although they do provide information on adversaries, the information is based on the technology. Most are VC funded and need to sell product and do so as a lead requirement. Technology is not the solution, only a tool. Treadstone 71 is profitable without VC overhead and has only your best interests at heart. We are not an MSSP. Treadstone 71 does not sell product. We are independent of technology companies and not beholden to venture capital overhead. We are not cyber carpetbaggers.

Treadstone 71 is not a carpetbagger organization.

Interested in your success

What Treadstone 71 provides is a full-spectrum solution that takes the information you provide in your SOC and incident response functions combining that with complete political, economic, social, technological, environmental, legislative, industrial, educational, and religious aspects of the adversary as well as adversary dossiers and organizational structures. What you receive from Treadstone 71 is detailed information and intelligence on your adversary that far surpasses the technical realm. Where Treadstone 71 service excels is in the ability to provide you with techniques, methods, capabilities, functions, strategies, and programs to not only build a fully functional intelligence capability, but a sustainable program rooted in stakeholder requirements and needs.  Treadstone 71 is rooted in strong military and intelligence community backgrounds.

Sample areas of the Treadstone 71 difference:

– we help you improve your incident detection, prevention, and response developing feedback to improve your cyber defenses

– we assist you in using your threat intelligence to help automate security operations and remediation actions enhancing your operational tradecraft

– we guide you in the building of a centralized threat intelligence service that guides cybersecurity activities of other organizational units

– we drive efficiencies and effectiveness in risk management

– we operationalize your threat intelligence from little to no processes to mature procedures, standard operating procedures, and workflows

– we ensure integration between all things PESTELI +R+E+ and existing technologies in your SOC

– we ensure you understand how to define credibility and relevance of your threat intelligence feeds that lead to truly actionable intelligence

– we assist you in understanding your attack surface and online footprint from websites to social media to the darknet creating new opportunities for targeted intelligence collection

– we help identify, infiltrate, and track adversaries providing information where and when possible to prevent attacks

– we understand geopolitical factors that help prepare your cyber environment for current and future contingencies

– we learn the priorities of your adversaries and help you define a more assertive cyber posture for your organization

– we tailor strategies and programs based upon your organizational needs and the needs of leadership

– we teach and embed cyber intelligence tradecraft in your organization that is lasting following structured techniques proven in the intelligence community

– we educate and drive situational awareness through table top exercises based upon proven military methods adopted for commercial organizations

– we identify adversary front companies, their means, motives, and targets

– we look at adversary’s skills, motivation, maliciousness, types of adversaries, level of automation and rate, informational impacts, targets, defensive measures, adversary course(s) of action, operational impact, line of business impact, and attack vectors

– we create and maintain a presence on their virtual soil using virtual HUMINT methods to help identify your attack surface, your digital footprint

– we know methods of collection, organization/production, structured analytic techniques, how to determine source credibility, communicate gaps and confidence levels, analyze using standard methods of inference, deductive and inductive reasoning, apply clear process for critical thinking, and deliver product in standard analytic writing methods that is clear and concise

– we have been penetrating adversary sites, forums and social media since 2004 using both active and passive methods of cyber engagement – we have been in business since 2002

– we listen

The above is but a sampling of the Treadstone 71 differences with most other vendors. Our desire is to build a lasting relationship not based on technology but rooted in the foundational elements of your success.

Contact Treadstone 71 today to see where we may help you succeed. 888.714.0071 Office

The Treadstone 71 Cyber Intelligence Program

Treadstone 71 Cyber Intelligence Program – Align with the needs of leadership

Years ago, Treadstone 71 crafted a series of training classes at the Master’s level for students eager to learn about cyber intelligence. Since then, Treadstone 71 continued to hone the courses to current events and organizational needs. Organizations need training in cyber intelligence. All too often we find a dire lack of understanding outside of collection. Most organizations have staff that are proficient at collecting data well. But the next steps in the cyber intelligence lifecycle are lacking. Our training solves that problem, providing students with the tools necessary to organize, produce, analyze and deliver recommendations and opportunities to leadership.

We also found a desire of organizations to assist in the build out of their programs. On several occasions, Treadstone 71 provided oversight and guidance to companies looking to build their own capabilities. Most see significant dollars going to vendors who provide regular reports, but the reports are from a create once –  sell many paradigm. Treadstone 71 teaches you how to fish.

The Treadstone 71 Cyber Intelligence Program includes:

  • Strategic Plan development, acceptance, and dissemination
    • Vision, mission, guiding principles, roles, responsibilities, goals & initiatives
  • Program Plan development, acceptance, dissemination, and implementation
  • Standard Operating Procedures
  • Priority Intelligence Requirement development
    • Passive Intelligence Collection
      • Collection and analysis methods and techniques
    • Organization, Production, Processing – Decomposition
    • Structured Analytic Techniques – Analytic Writing and Dissemination
  • Incident Response
    • Improve and provide feeds for automation
    • Improve detection and response
  • Intelligence Lifecycle Development
  • Threat Intelligence Program Development
      • Improve and provide feeds for automation and remediation
      • Security operations
      • Enhance and improve remediation actions
      • Centralize threat intelligence – Intelligence as a Service – Analysis as a Service
      • Drive improvements to risk management
        • Effective
        • Efficient
    • Improve workflow through well-defined roles and responsibilities
      • People, process and technology enhancements
    • Drive the quality improvements of your intelligence
      • Credibility and relevance
  • Adversaries
    • Who are they?
      • Motivation, intent, capabilities
      • Dossiers – Baseball cards
  • Attack surface awareness
    • Situational awareness of your attack surface – digital footprint
      • Web – Social Media – Darknet
  • Virtual HUMINT Creation and Management
  • Internet Exposure Assessment – Attack Surface Analysis – Perception Management – Sentiment Analysis
    • Deep Web, Forums, Social Networking, Closed Sites, Darknet
    • Deception Detection and Credibility Analysis
    • Pattern, Trends and Tendency Analysis
  • Competitive Intelligence Assessment and Program Analysis
  • Campaign Analysis with Recommendations and Opportunities
  • Darknet / Deep Web exploration

We also see analysis in organizations, security operations centers and CERTs being performed on a very simplistic level. That level is usually given to the most experienced and most technical person on the team. This method leads to inherent cognitive bias, a lack of critical thinking and a focus on technology only. This leads to inaccurate information being provided to leadership or information that is very short term and tactical at best – not even actionable intelligence.

Since launching the Cyber Intelligence course, many have asked for the follow-on courses. These courses have been sitting in the wings waiting for organizations to reach the need. That need is to move from a purely defensive posture to an enterprise posture with the proper operational tempo, situational awareness, and targeting. In response to this, Treadstone 71 is now releasing the complete series of courses (Anonymity – Cyber Personas – Social Networking Intelligence – Cyber Intelligence – Cyber Counterintelligence – Cybercrime) wrapped with an opportunity to engage us for full program development. Treadstone 71 works jointly with your staff to fully understand your priority intelligence requirements, educational needs, strategic and programmatic requirements, and staffing needs to create a program that fits your time frame and needs. We teach you how to fish.


Most organizations have expended scores of thousands of dollars in security operations centers, CERTs and other such organizations. This effort needs to be matured into a well-rounded organization moving from purely technical and tactical to a strategic arm providing daily actionable intelligence and methods to counter adversaries in early stages of planning and preparation.

Treadstone 71 Cyber Intelligence Training

Cyber Intelligence Tradecraft Certification

Contact Treadstone 71 now to find out more about this evolutionary model. The program is sound, the training proven and now in its 5th year of use.  888.714.0074
