Campaign Attribution Evidence Analysis is a skill for cyber threat intelligence analysts who need to move from raw incident artifacts to a defensible, structured attribution assessment. It processes CTI reports, incident artifacts, and TTPs to produce a comprehensive attribution profile grounded in industry-standard methodologies.
The skill applies Diamond Model mapping to organize relationships between adversary, capability, infrastructure, and victim. It uses Analysis of Competing Hypotheses (ACH) to test collected evidence against multiple actor profiles, which reduces confirmation bias and forces consideration of alternative explanations. Confidence ratings of High, Medium, or Low are assigned based on source provenance and evidence strength, not on pattern-matching alone. The skill also builds an evidence register that logs indicators, malware overlaps, and timing patterns in a traceable format.
The output is a structured analyst report containing an ACH matrix, a Diamond Model summary, a formal confidence statement, and defensive recommendations directed at SOC and incident response teams. The skill is specifically designed to filter out weak signals — such as publicly available tools or easily fabricated language artifacts — that tend to inflate certainty in unstructured AI-generated summaries.
This skill is the wrong choice when the task is real-time indicator enrichment, log ingestion, or automated blocking. It is an analytical reasoning layer, not a detection or response pipeline.