Campaign Attribution Evidence Analysis

Professional CTI analysis skill for structured attribution using ACH, Diamond Model, and confidence scoring.

Install
cmdop skills install agensi-campaign-attribution-evidence-analysis

Campaign Attribution Evidence Analysis is a skill for cyber threat intelligence analysts who need to move from raw incident artifacts to a defensible, structured attribution assessment. It processes CTI reports, incident artifacts, and TTPs to produce a comprehensive attribution profile grounded in industry-standard methodologies.

The skill applies Diamond Model mapping to organize relationships between adversary, capability, infrastructure, and victim. It uses Analysis of Competing Hypotheses (ACH) to test collected evidence against multiple actor profiles, which reduces confirmation bias and forces consideration of alternative explanations. Confidence ratings of High, Medium, or Low are assigned based on source provenance and evidence strength, not on pattern-matching alone. The skill also builds an evidence register that logs indicators, malware overlaps, and timing patterns in a traceable format.

The output is a structured analyst report containing an ACH matrix, a Diamond Model summary, a formal confidence statement, and defensive recommendations directed at SOC and incident response teams. The skill is specifically designed to filter out weak signals — such as publicly available tools or easily fabricated language artifacts — that tend to inflate certainty in unstructured AI-generated summaries.

This skill is the wrong choice when the task is real-time indicator enrichment, log ingestion, or automated blocking. It is an analytical reasoning layer, not a detection or response pipeline.

Use cases

  • Structure raw incident artifacts into a Diamond Model attribution profile
  • Run an ACH matrix to compare evidence across multiple suspected threat actor profiles
  • Assign standardized High/Med/Low confidence ratings to attribution claims before a board briefing
  • Build a traceable evidence register from malware overlaps, TTPs, and timing patterns
  • Generate a formal analyst report with defensive recommendations for SOC and IR teams
  • Identify intelligence gaps that need to be filled before an attribution can be defended

When to use it

  • Preparing a formal threat actor attribution report that must withstand scrutiny
  • Analyzing a cyber campaign where multiple actor hypotheses are plausible
  • Briefing SOC or IR teams on attribution confidence with documented evidence
  • Conducting structured CTI analysis that requires ACH methodology

When not to use it

  • Real-time indicator enrichment or IOC lookup — this skill does not perform live data queries
  • Automated alert triage or SIEM integration — it produces analyst reports, not machine-actionable signals
  • Log ingestion or forensic artifact parsing — raw data processing is outside its scope
  • Tasks requiring a specific tool API or external database connection — no tools are exposed