# TOP Mission TID-D02: Threat Landscape Reporting
Producing actionable threat landscape reports that inform leadership about relevant threats and recommended defensive priorities.
Threat landscape reporting is the structured practice of synthesizing raw threat intelligence into clear, prioritized narratives that help organizational leadership understand which threats are most relevant, most imminent, and most dangerous to their specific environment. It exists because raw intelligence feeds, vendor bulletins, and security alerts do not automatically translate into strategic understanding. Without deliberate synthesis and contextualization, security teams produce noise rather than insight. TID-D02 solves the problem of executive and operational blindness: decision-makers lack the information they need to allocate resources intelligently, and security teams lack a mechanism for communicating risk in terms that drive action. This mission transforms threat data into a repeatable, audience-appropriate output that connects external threat activity to internal defensive priorities.
---
Threat landscape reporting is a formal intelligence product that synthesizes adversary behavior, threat actor profiles, vulnerability trends, and industry-specific targeting data into structured analysis calibrated for specific audiences and time horizons. This mission produces strategic understanding from tactical data, translating the external threat environment into internal defensive priorities.
A threat landscape report is not a log summary, vendor briefing, or real-time alert feed. It is deliberate analysis that answers three fundamental questions: who is targeting organizations like ours, how are they getting in, and what can we do about it. The report connects external threat activity to internal exposure through structured analysis, risk assessment, and actionable recommendations.
This mission operates across three distinct product types. Strategic threat landscape reports target board and C-suite audiences, focusing on business risk, regulatory exposure, and sector-wide trends. Operational threat landscape reports serve security managers and department heads, emphasizing threat actor capabilities, attack scenarios, and defensive gap analysis. Tactical threat reports address security analysts and engineers, providing indicators, techniques, and detection engineering guidance. All three draw from the same analytical foundation but present findings in fundamentally different formats.
The scope includes threat actor activity analysis, vulnerability exploitation trend assessment, sector-specific targeting pattern recognition, and defensive gap identification. The scope excludes incident reporting (which describes what happened internally), vulnerability management reporting (which tracks internal weaknesses), and generic threat intelligence feed consumption (which provides data without analysis). TID-D02 is externally focused first: it examines the threat environment and maps external activity to internal context.
---
Threat landscape reporting follows a six-stage intelligence cycle: collection planning, data gathering, processing, analysis, production, and dissemination with feedback. Each stage has specific inputs, outputs, and quality controls that ensure the final product drives defensive action rather than serving as compliance documentation.
Collection Planning begins with Priority Intelligence Requirements (PIRs) development. PIRs define which threat actors are relevant to the organization's industry vertical, geographic presence, and organizational size. They specify which vulnerabilities in the current technology stack require active monitoring and which emerging attack techniques have not been addressed by existing controls. PIRs are formalized as standing requirements that guide all subsequent collection activity. Without PIRs, data gathering becomes undirected and reports become generic summaries with minimal defensive value. PIRs are updated quarterly or when significant infrastructure changes occur.
Data Gathering follows a structured source methodology. Open-source intelligence includes threat actor blogs, monitored dark web forums, government advisories from CISA and international partners, and sector-specific Information Sharing and Analysis Centers. Technical intelligence sources include malware repositories, sandbox analysis outputs, commercial threat intelligence platforms, and vulnerability databases. Internal telemetry from SIEM, endpoint detection and response platforms, and network monitoring tools provides organizational context needed to assess external threat relevance. Collection is continuous but analysis occurs on defined reporting cycles.
Processing transforms raw data into structured intelligence. All collected information is normalized against common taxonomies, deduplicated so that one event reported by several sources is not counted as several events (which would inflate an actor's apparent activity and bias the analysis), and tagged using MITRE ATT&CK framework identifiers. This stage converts unstructured information into analytical building blocks. A news article about ransomware activity becomes: tactic TA0040 Impact, technique T1486 Data Encrypted for Impact, actor LockBit 3.0, sectors targeted healthcare and manufacturing, timeline active in six documented incidents over the past 60 days. Processing quality directly affects analysis accuracy.
Analysis is the highest-value stage and the one most frequently underfunded or skipped entirely. Analysts assess relevance (does this threat apply to our organization given our profile?), probability (how likely is this threat to target us successfully?), and impact (what would happen to operations, revenue, and reputation if this threat succeeded?). Analysis produces threat actor profiles, attack scenario narratives, and gap assessments that compare threat actor techniques against existing detection and prevention controls. This stage requires analytical judgment, not just data compilation.
Production formats intelligence for target audiences. Board-level reports use business language, avoid technical jargon, and frame findings as operational risk, regulatory exposure, and financial impact. Reports for security operations use ATT&CK technique identifiers, include indicator tables, and recommend specific detection rule modifications. The analytical foundation remains consistent but presentation changes completely based on audience requirements. Production includes executive summary, key findings, threat priority ranking, and specific recommendations with implementation timelines.
Dissemination and Feedback delivers reports through defined channels and collects structured recipient feedback. Dissemination is not distribution. It includes briefing sessions where recipients can ask questions and request clarification. Feedback collection asks whether the report answered relevant questions, whether threat priorities aligned with recipient concerns, and whether recommendations were actionable given resource constraints. This feedback directly updates PIRs for the next cycle, ensuring the reporting process improves continuously.
A regional hospital system demonstrates this process effectively. Quarterly threat landscape reporting identified increased ransomware group targeting of healthcare organizations through Citrix ADC vulnerabilities. Analysis mapped the group's known techniques against the hospital's control environment, identifying that while patching was current, SIEM lateral movement detection rules did not cover the specific remote service exploitation technique the group used (ATT&CK T1210, Exploitation of Remote Services). The operational recommendation was a targeted detection rule addition. The board version stated: "A ransomware group targeting regional hospitals can disable electronic health records for 10 to 21 days. We have a specific control gap we can close within two weeks at minimal cost." Both audiences received actionable information calibrated to their role, and a defensive improvement was implemented before an incident occurred.
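The processing, analysis and production stages above, worked through in code on constructed data. This is an added example, not code from the page or from CDA: the raw intelligence items, the hospital profile, the rule names in the coverage map and the 0-2 relevance score are all hypothetical; only the ATT&CK technique IDs and names are real. It shows the three things the stages require: merging the same actor reported by several sources into one deduplicated profile, scoring relevance against the organization's sector and stack, and rendering one gap assessment as both a tactical view (technique IDs, rule work) and an executive view (no identifiers).

```python
"""Processing and analysis stages of a threat landscape report on constructed data.

Added example (not from the page or CDA): the raw items, the organisational
profile and the detection-coverage map are all constructed and hypothetical.
"""
from collections import defaultdict

# ATT&CK technique names used to render the tactical output (real IDs and names).
ATTACK_NAMES = {
    "T1190": "Exploit Public-Facing Application",
    "T1210": "Exploitation of Remote Services",
    "T1486": "Data Encrypted for Impact",
    "T1566": "Phishing",
    "T1078": "Valid Accounts",
    "T1021": "Remote Services",
}

# Constructed raw intelligence: what four sources said, before processing.
# The first two describe the same actor with different capitalisation.
RAW_ITEMS = [
    {"source": "ISAC bulletin", "actor": "Ransomware Group A",
     "sectors": ["Healthcare", "Manufacturing"], "techniques": ["T1190", "T1210", "T1486"],
     "products": ["Citrix ADC"]},
    {"source": "vendor blog", "actor": "ransomware group a",
     "sectors": ["healthcare"], "techniques": ["T1190", "T1486"],
     "products": ["citrix adc"]},
    {"source": "government advisory", "actor": "Group B",
     "sectors": ["Finance"], "techniques": ["T1566", "T1078"], "products": []},
    {"source": "dark web forum", "actor": "Group C",
     "sectors": ["Healthcare"], "techniques": ["T1566", "T1078", "T1021"],
     "products": ["Fortinet FortiGate"]},
]

# Organisational context drawn from the PIRs (hypothetical hospital profile).
ORG = {"sector": "healthcare", "stack": {"citrix adc", "microsoft 365", "epic"}}

# Hypothetical detection coverage: technique -> rules that detect it; [] is a gap.
COVERAGE = {
    "T1190": ["waf-exploit-attempts"],
    "T1210": [],
    "T1486": ["edr-mass-file-encryption"],
    "T1566": ["mail-gateway-phish"],
    "T1078": ["idp-anomalous-signin"],
    "T1021": ["smb-lateral-logon"],
}


def process(items):
    """Processing stage: normalise case, then merge records by actor so the same
    group reported by several sources becomes one deduplicated profile."""
    profiles = defaultdict(lambda: {"sources": set(), "sectors": set(),
                                    "techniques": set(), "products": set()})
    for it in items:
        p = profiles[it["actor"].lower()]
        p["sources"].add(it["source"])
        p["sectors"].update(s.lower() for s in it["sectors"])
        p["techniques"].update(it["techniques"])
        p["products"].update(x.lower() for x in it["products"])
    return dict(profiles)


def relevance(profile, org):
    """Analysis stage, relevance question: score 0-2. One point for targeting
    our sector, one for exploiting a product we actually run."""
    return int(org["sector"] in profile["sectors"]) + int(bool(profile["products"] & org["stack"]))


def gap_assessment(profiles, org, coverage):
    """Analysis stage: for each relevant actor, list techniques no rule covers,
    ranked by relevance so the report leads with what matters most."""
    findings = []
    for actor, p in profiles.items():
        score = relevance(p, org)
        if score == 0:
            continue  # not our sector and not our stack: out of scope this cycle
        gaps = sorted(t for t in p["techniques"] if not coverage.get(t))
        findings.append({"actor": actor, "relevance": score,
                         "sources": len(p["sources"]), "gaps": gaps})
    return sorted(findings, key=lambda f: (-f["relevance"], f["actor"]))


def tactical_view(findings):
    """Production stage, analyst audience: technique IDs and the rule work needed."""
    lines = []
    for f in findings:
        for t in f["gaps"]:
            lines.append(f"{f['actor']}: no detection for {t} {ATTACK_NAMES[t]}; write a rule")
    return lines or ["no detection gaps against relevant actors"]


def executive_view(findings):
    """Production stage, board audience: same analysis, no identifiers."""
    with_gaps = [f for f in findings if f["gaps"]]
    return (f"{len(findings)} threat groups currently target organisations like ours; "
            f"{len(with_gaps)} of them rely on an intrusion method we cannot yet detect.")


if __name__ == "__main__":
    found = gap_assessment(process(RAW_ITEMS), ORG, COVERAGE)
    print("\n".join(tactical_view(found)))
    print(executive_view(found))
```

Group B drops out at the relevance step (wrong sector, no product overlap), Group A ranks first because it both targets the sector and exploits something in the stack, and the only surviving gap is T1210, which is exactly the finding the hospital narrative describes. In a real cycle the coverage map comes from the SIEM or EDR rule inventory rather than a hand-written dictionary, and the relevance score would weight recency and confirmed incident counts as well.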
---
Organizations without structured threat landscape reporting make defensive investment decisions based on vendor sales presentations, peer conversations, and the last incident they remember. This produces security postures that lag behind actual threat activity by months or years, creating systematic defensive drift where controls address outdated threats while current threats exploit undefended attack vectors.
The 2021 Colonial Pipeline ransomware attack exemplifies failure patterns that threat landscape reporting is designed to prevent. Post-incident analysis revealed that DarkSide, the responsible ransomware group, had been actively targeting energy sector organizations for months before the attack. The techniques used, including credential-based access through legacy VPN infrastructure without multifactor authentication, were documented in publicly available threat intelligence from government and industry sources. The failure was not intelligence availability. The failure was organizational process for consuming, contextualizing, and acting on available intelligence.
A functioning threat landscape reporting process would have connected publicly available adversary activity data to the specific control gap that enabled the breach. The process would have produced analysis showing DarkSide's energy sector targeting pattern, identified VPN access without MFA as a known exploitation vector for the group, and recommended specific control improvements with business justification. The gap was analytical process, not raw information.
This failure pattern repeats across sectors and organization sizes. Healthcare organizations invest heavily in compliance-focused controls while ransomware groups exploit basic credential theft techniques. Financial institutions focus on advanced persistent threat protection while cybercriminal groups use simple social engineering to bypass sophisticated technical controls. Manufacturing companies implement industrial control system security while business network compromises provide the access path to operational technology environments.
A common misconception treats threat landscape reporting as exclusively valuable for large organizations with dedicated intelligence teams. This is false. A four-person security team at a mid-sized organization can produce functional monthly threat landscape reports by consuming CISA advisories, relevant ISAC bulletins, and commercial intelligence feeds, then applying structured analysis to answer the core questions: who targets organizations like ours, how do they gain access, and do we detect those methods? An effective report can be two pages with three prioritized recommendations rather than a comprehensive document that recipients ignore.
Without this mission, organizations consistently underfund controls most relevant to their actual threat environment while investing in capabilities that address threats they are statistically unlikely to face. Threat landscape reporting serves as the correction mechanism that aligns defensive investment with demonstrated risk rather than perceived risk or vendor messaging.
---
CDA approaches TID-D02 through the Planetary Defense Model (PDM), which organizes security work across six functional domains designed to create layered, proactive defense. Threat Landscape Reporting sits within the TID (Threat Intelligence and Detection) domain, governed by the Predictive Defense Intelligence (PDI) methodology. PDI operates on the principle: see the threat before it sees you.
CDA does not treat threat landscape reporting as compliance documentation or quarterly presentation requirements. CDA treats it as command and control: the mechanism by which security programs receive targeting orders from the external threat environment rather than internal politics or vendor relationships. This distinction changes both process and output fundamentally.
CDA's implementation differs from conventional threat reporting in four specific ways. First, every threat landscape report includes direct mapping of identified threats to PDM defensive layers, so that each report both describes threats and specifies which existing defensive layers are most relevant, most stressed, and most in need of attention. This mapping ensures analytical outputs connect to operational defensive work rather than remaining abstract risk descriptions.
Second, CDA requires every operational threat landscape report to include a defensive drift assessment: an evaluation of whether the security program's current priorities have diverged from the actual threat environment since the last reporting cycle. This prevents the common failure mode where a program focuses intensely on one threat category for an extended period while a different category becomes the dominant risk. The drift assessment includes priority recalibration recommendations when significant divergence is identified.
Third, CDA treats threat landscape reports as living documents with defined revision triggers. Any significant external event triggers a report update within 72 hours: a major public breach in the same sector, a new government advisory affecting organizational technology, or a zero-day disclosure impacting in-scope systems. The updated analysis and a summary of what changed are distributed to relevant stakeholders immediately rather than held for the next scheduled release.
Fourth, CDA requires that threat landscape reporting feed directly into security architecture and control selection decisions. Reports are not informational products. They are tasking documents that drive specific defensive investment and modification decisions. This operational integration ensures threat landscape reporting functions as continuous intelligence capability rather than periodic reporting exercise.
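One way to make the drift assessment in the second point quantitative. This is an added example, not CDA's method or code: it treats both the program's effort allocation and the threat environment as share distributions over the same threat categories, measures their separation with total variation distance (half the L1 distance; 0 means perfectly aligned, 1 means disjoint), and recommends recalibration when the separation has both grown since the previous cycle and crossed a threshold. The categories, the share figures and the 0.25 threshold are constructed assumptions; a real assessment would derive the threat shares from the processed, weighted actor profiles of the current and previous cycles.

```python
"""Defensive drift assessment between two reporting cycles.

Added example (not from the page or CDA). Every number below is constructed;
the 0.25 recalibration threshold is an assumption to be tuned per program.
"""


def total_variation(p, q):
    """Half the L1 distance between two share distributions over the same keys.
    Returns 0.0 when the distributions match and 1.0 when they are disjoint."""
    keys = set(p) | set(q)
    return 0.5 * sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in keys)


def drift_assessment(effort, threat_prev, threat_now, threshold=0.25):
    """Compare where the program spends its effort with where threat weight sat
    last cycle and sits now. Flags recalibration only when the gap is both large
    and widening, so a stable, tolerated mismatch does not re-trigger every cycle."""
    d_prev = total_variation(effort, threat_prev)
    d_now = total_variation(effort, threat_now)
    keys = set(effort) | set(threat_now)
    # Categories where the threat share now exceeds the effort share, largest shortfall first.
    under = sorted(
        ((k, round(threat_now.get(k, 0.0) - effort.get(k, 0.0), 2)) for k in keys
         if threat_now.get(k, 0.0) > effort.get(k, 0.0)),
        key=lambda kv: -kv[1],
    )
    return {
        "divergence_prev": round(d_prev, 2),
        "divergence_now": round(d_now, 2),
        "under_invested": under,
        "recalibrate": d_now >= threshold and d_now > d_prev,
    }


# Constructed data. Effort: share of detection/control work by threat category
# as planned at the start of the year. Threat shares: weight of observed,
# relevant actor activity by the same categories, previous cycle and this cycle.
EFFORT = {"phishing": 0.40, "exploit public-facing app": 0.10, "credential abuse": 0.20,
          "lateral movement": 0.10, "ransomware impact": 0.20}
THREAT_PREV = {"phishing": 0.35, "exploit public-facing app": 0.15, "credential abuse": 0.20,
               "lateral movement": 0.10, "ransomware impact": 0.20}
THREAT_NOW = {"phishing": 0.15, "exploit public-facing app": 0.35, "credential abuse": 0.20,
              "lateral movement": 0.20, "ransomware impact": 0.10}


if __name__ == "__main__":
    result = drift_assessment(EFFORT, THREAT_PREV, THREAT_NOW)
    print(f"divergence last cycle {result['divergence_prev']}, now {result['divergence_now']}")
    for category, shortfall in result["under_invested"]:
        print(f"  under-invested: {category} (+{shortfall})")
    print("recalibrate priorities:", result["recalibrate"])
```

On the constructed data the program was well aligned last cycle (divergence 0.05) and is now materially off (0.35), with effort still concentrated on phishing while exploitation of public-facing applications and lateral movement have grown; those two categories surface as the recalibration candidates. The output is a recommendation input, not a decision: an analyst still has to judge whether the shift is durable before the report asks leadership to move resources.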
Written by CDA Wiki Team