This curriculum spans the design and execution of intelligence operations across legal, technical, and human domains, comparable in scope to an enterprise-wide security intelligence program integrated across risk management, incident response, and executive decision cycles.
Module 1: Defining Intelligence Requirements and Stakeholder Alignment
- Selecting which business units require tailored intelligence reporting based on exposure to geopolitical, cyber, or insider threats
- Establishing thresholds for escalation when intelligence indicates potential executive risk or supply chain disruption
- Documenting legal boundaries for intelligence collection to prevent overreach in employee monitoring or competitive intelligence
- Negotiating access to internal data sources such as access logs, travel records, or procurement data for correlation
- Creating formal intelligence request templates to standardize input from legal, operations, and executive teams
- Mapping intelligence deliverables to risk appetite statements in the enterprise risk management framework
Module 2: Open-Source Intelligence (OSINT) Collection and Validation
- Configuring automated crawlers to monitor dark web forums for leaked corporate credentials without violating site terms of service, computer-misuse law, or internal policy on handling stolen data
- Verifying the provenance of leaked documents or screenshots by cross-referencing metadata and historical posting patterns
- Assessing the credibility of anonymous sources on social media platforms using historical accuracy and network analysis
- Archiving dynamic web content using timestamped, tamper-evident methods for potential legal proceedings
- Integrating commercial OSINT feeds with internal watchlists while managing data redundancy and false positives
- Implementing access controls on collected OSINT to prevent unauthorized dissemination within the organization
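Tamper-evident archiving, as listed above, usually means hashing each capture and chaining the records so that a later edit to any stored page, timestamp, or ordering is detectable. The following is an added example written for this outline, not code from the curriculum; the capture URLs, bodies and timestamps are constructed, and the chain head is assumed to be anchored externally (for instance by a trusted timestamping service) rather than shown here.

```python
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from typing import List, Optional, Tuple

# Constructed sample captures (not real pages): (url, ISO-8601 fetch time, raw body bytes).
SAMPLE_CAPTURES = [
    ("https://forum.example.invalid/thread/123", "2024-03-01T10:15:00Z",
     b"<html>credential dump, part 1</html>"),
    ("https://paste.example.invalid/abc", "2024-03-01T10:16:30Z",
     b"jdoe:Winter2024!\nsvc-backup:hunter2\n"),
    ("https://forum.example.invalid/thread/123", "2024-03-02T08:00:00Z",
     b"<html>thread deleted by moderator</html>"),
]

GENESIS = "0" * 64  # prev_hash of the first record

@dataclass(frozen=True)
class Record:
    seq: int
    url: str
    fetched_at: str          # ISO-8601 capture time (assumption: taken from a trusted clock)
    content_sha256: str      # digest of the raw bytes stored alongside the record
    prev_hash: str           # record_hash of the previous record, chaining the log
    record_hash: str = ""    # SHA-256 over the canonical form of the fields above

def _canonical(fields: dict) -> bytes:
    # Deterministic serialisation so the same record always hashes the same way.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def seal(seq: int, url: str, fetched_at: str, content: bytes, prev_hash: str) -> Record:
    body = {
        "seq": seq, "url": url, "fetched_at": fetched_at,
        "content_sha256": hashlib.sha256(content).hexdigest(),
        "prev_hash": prev_hash,
    }
    return Record(**body, record_hash=hashlib.sha256(_canonical(body)).hexdigest())

def build_chain(captures) -> List[Record]:
    chain, prev = [], GENESIS
    for seq, (url, fetched_at, content) in enumerate(captures):
        rec = seal(seq, url, fetched_at, content, prev)
        chain.append(rec)
        prev = rec.record_hash
    return chain

def verify_chain(chain: List[Record], contents: List[bytes]) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if every record and its stored content are intact,
    otherwise (False, seq) for the first record that fails."""
    prev = GENESIS
    for rec, content in zip(chain, contents):
        body = asdict(rec)
        claimed = body.pop("record_hash")
        if rec.prev_hash != prev:                                      # chain broken or reordered
            return False, rec.seq
        if hashlib.sha256(content).hexdigest() != rec.content_sha256:  # stored page altered
            return False, rec.seq
        if hashlib.sha256(_canonical(body)).hexdigest() != claimed:    # record fields altered
            return False, rec.seq
        prev = rec.record_hash
    return True, None

def tamper(chain: List[Record], seq: int, **changes) -> List[Record]:
    """Return a copy of the chain with one record's fields edited, to demonstrate detection."""
    out = list(chain)
    out[seq] = replace(out[seq], **changes)
    return out

if __name__ == "__main__":
    chain = build_chain(SAMPLE_CAPTURES)
    contents = [c for _, _, c in SAMPLE_CAPTURES]
    print("intact:", verify_chain(chain, contents))
    print("edited timestamp:", verify_chain(tamper(chain, 0, fetched_at="2024-02-28T00:00:00Z"), contents))
```

The chain only proves integrity relative to its head: whoever holds the archive could rebuild the whole chain after editing a record, so the head hash must be published or timestamped somewhere the archivist cannot later alter, and the raw bytes must be kept alongside the records or the content digests cannot be checked.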
Module 3: Human Intelligence (HUMINT) Engagement Protocols
- Designing non-coercive interview protocols for departing employees to elicit security-relevant information
- Establishing rules for indirect sourcing through third-party consultants or industry contacts without creating liability
- Training security liaisons to recognize verbal and nonverbal cues during facility visits or partner meetings
- Determining when to escalate informal tips from employees into formal intelligence investigations
- Documenting interactions with external sources to maintain audit trails and avoid entrapment perceptions
- Enforcing strict compartmentalization when using intermediaries to gather information in high-risk regions
Module 4: Technical Surveillance and Data Fusion
- Integrating physical security logs (badge swipes, CCTV metadata) with network authentication events to detect insider threats
- Deploying network sensors in regional offices to detect beaconing behavior from compromised devices
- Configuring SIEM rules to prioritize alerts based on geolocation, user role, and time-of-day anomalies
- Assessing the operational risk of deploying covert monitoring in shared workspaces or joint ventures
- Validating the integrity of telemetry from third-party cloud providers before inclusion in intelligence assessments
- Managing retention policies for raw surveillance data to comply with jurisdiction-specific privacy laws
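The first and third items above (fusing badge data with authentication events, and ranking alerts by geolocation, role and time of day) come together in one correlation rule. The following is an added example written for this outline, not a rule from any SIEM product; the log format, sites, users, roles and events are all constructed, and the off-hours check uses UTC as a simplification where a real rule would use site-local time.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed reference data (assumptions for the example, not real sites or people).
SITE_COUNTRY = {"HQ-LON": "GB", "OFF-SGP": "SG"}
USER_ROLE = {"alice": "admin", "bob": "staff", "carol": "finance"}
ROLE_WEIGHT = {"admin": 3, "finance": 2, "staff": 1}   # multiplier reflecting blast radius

# Constructed log lines in a simple "<ts> <event> k=v ..." format (not a vendor format).
BADGE_LOG = """\
2024-03-04T08:55:10Z badge_in user=alice site=HQ-LON door=D1
2024-03-04T09:02:44Z badge_in user=bob site=HQ-LON door=D2
2024-03-04T23:40:00Z badge_in user=carol site=OFF-SGP door=D7
"""
VPN_LOG = """\
2024-03-04T03:15:00Z vpn_auth user=alice src=203.0.113.9 country=RU result=success
2024-03-04T09:30:12Z vpn_auth user=alice src=203.0.113.9 country=RU result=success
2024-03-04T09:31:00Z vpn_auth user=bob src=198.51.100.4 country=GB result=success
2024-03-05T00:10:00Z vpn_auth user=carol src=192.0.2.77 country=SG result=success
2024-03-05T00:12:00Z vpn_auth user=carol src=192.0.2.77 country=SG result=failure
"""

def parse_log(text: str) -> List[Dict]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["kind"] = kind
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events

def prioritize(badge_text: str, vpn_text: str, window: timedelta = timedelta(hours=4)) -> List[Dict]:
    """Score successful VPN logins and return alerts, highest score first."""
    badges = parse_log(badge_text)
    alerts = []
    for ev in parse_log(vpn_text):
        if ev["kind"] != "vpn_auth" or ev.get("result") != "success":
            continue
        points, reasons = 0, []
        # Geolocation vs physical presence: a badge-in at a site in one country close in
        # time to a VPN login from another country is physically implausible.
        for b in badges:
            if b["kind"] == "badge_in" and b["user"] == ev["user"] and abs(b["ts"] - ev["ts"]) <= window:
                if SITE_COUNTRY.get(b["site"]) != ev["country"]:
                    points += 5
                    reasons.append(f"badged in at {b['site']} but VPN from {ev['country']}")
                    break
        # Time-of-day: off-hours in UTC (simplification; use site-local time in production).
        if ev["ts"].hour < 6 or ev["ts"].hour >= 22:
            points += 2
            reasons.append("off-hours login")
        if points == 0:
            continue
        weight = ROLE_WEIGHT[USER_ROLE.get(ev["user"], "staff")]
        alerts.append({"user": ev["user"], "ts": ev["ts"].isoformat(),
                       "score": points * weight, "reasons": reasons})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)

if __name__ == "__main__":
    for a in prioritize(BADGE_LOG, VPN_LOG):
        print(a["score"], a["user"], a["ts"], "; ".join(a["reasons"]))
```

With the constructed input, the admin whose badge was used in London half an hour before a VPN login from another country ranks first; the same user's off-hours login ranks second only because of the role weight; the staff user whose VPN country matches the badge site is never alerted. The correlation window is the main tuning knob: widening it from four to six hours makes the earlier login correlate with the badge-in as well and pushes its score above the other, so the window should be set from observed commute and shift patterns rather than guessed.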
Module 5: Threat Actor Profiling and Attribution Analysis
- Correlating tactics, techniques, and procedures (TTPs) across incidents to determine whether attacks originate from the same group
- Weighing the risks of attributing an attack to a nation-state actor without diplomatic or law enforcement confirmation
- Using linguistic analysis to assess whether phishing emails originate from native speakers or translation tools
- Updating adversary profiles based on observed shifts in infrastructure, such as domain registration patterns
- Differentiating between financially motivated actors and ideologically driven groups in reporting
- Deciding when to share attribution conclusions with external partners or law enforcement
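The first and fourth items above (TTP correlation across incidents, and tracking infrastructure such as registration patterns) can be made measurable by treating each incident as a set of observed features and weighting each feature by how rarely it appears: overlap on a commodity technique such as PowerShell says little, overlap on a rare technique or a shared certificate fingerprint says more. The following is an added example written for this outline, not an analytic from the curriculum or any vendor; the incidents and infrastructure values are constructed, while the technique IDs are real ATT&CK identifiers used only as labels.

```python
import math
from itertools import combinations
from typing import Dict, FrozenSet, List, Set

# Constructed incidents (assumption, not real cases). Features mix ATT&CK technique IDs
# ("ttp:...") with infrastructure observations ("infra:...") so both contribute to overlap.
INCIDENTS: Dict[str, Set[str]] = {
    "INC-1": {"ttp:T1566.001", "ttp:T1059.001", "ttp:T1027", "ttp:T1486", "ttp:T1071.001",
              "infra:registrar=registrar-A", "infra:tls-cert-fp=fp-X"},
    "INC-2": {"ttp:T1566.001", "ttp:T1059.001", "ttp:T1027", "ttp:T1486", "ttp:T1071.001",
              "ttp:T1003.001", "infra:registrar=registrar-A", "infra:tls-cert-fp=fp-X"},
    "INC-3": {"ttp:T1059.001", "ttp:T1078", "ttp:T1021.001", "ttp:T1486",
              "infra:registrar=registrar-B"},
    "INC-4": {"ttp:T1566.001", "ttp:T1059.001", "ttp:T1105", "ttp:T1071.001",
              "infra:registrar=registrar-C"},
}

def jaccard(a: Set[str], b: Set[str]) -> float:
    """Plain set overlap: every feature counts the same."""
    return len(a & b) / len(a | b) if a | b else 0.0

def idf_weights(incidents: Dict[str, Set[str]]) -> Dict[str, float]:
    """Rarity weight per feature: log(N / number of incidents showing it).
    A feature seen in every incident (here PowerShell, T1059.001) gets weight 0."""
    n = len(incidents)
    df: Dict[str, int] = {}
    for feats in incidents.values():
        for f in feats:
            df[f] = df.get(f, 0) + 1
    return {f: math.log(n / c) for f, c in df.items()}

def weighted_similarity(a: Set[str], b: Set[str], weights: Dict[str, float]) -> float:
    """Weighted Jaccard: rare shared features dominate, ubiquitous ones contribute nothing."""
    inter = sum(weights.get(f, 0.0) for f in a & b)
    union = sum(weights.get(f, 0.0) for f in a | b)
    return inter / union if union else 0.0

def group_incidents(incidents: Dict[str, Set[str]], threshold: float) -> List[FrozenSet[str]]:
    """Single-linkage grouping: incidents linked by similarity >= threshold share a group."""
    weights = idf_weights(incidents)
    parent = {k: k for k in incidents}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for x, y in combinations(incidents, 2):
        if weighted_similarity(incidents[x], incidents[y], weights) >= threshold:
            parent[find(x)] = find(y)
    groups: Dict[str, Set[str]] = {}
    for k in incidents:
        groups.setdefault(find(k), set()).add(k)
    return sorted((frozenset(g) for g in groups.values()), key=lambda g: sorted(g))

if __name__ == "__main__":
    w = idf_weights(INCIDENTS)
    for x, y in combinations(INCIDENTS, 2):
        print(x, y, f"plain={jaccard(INCIDENTS[x], INCIDENTS[y]):.2f}",
              f"weighted={weighted_similarity(INCIDENTS[x], INCIDENTS[y], w):.2f}")
    print(group_incidents(INCIDENTS, threshold=0.5))
```

On the constructed data, INC-1 and INC-4 share three techniques and score 0.33 on plain Jaccard, but two of the three are phishing and PowerShell, which nearly every incident shows, so the weighted score drops to about 0.10 and they are not grouped; INC-1 and INC-2, which share rare tooling and the same registrar and certificate fingerprint, score about 0.68 and are grouped. A score like this supports a "same cluster of activity" statement, not a nation-state attribution; that step still needs the confirmation the second item above describes.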
Module 6: Intelligence Dissemination and Decision Support
- Formatting threat briefings for C-suite audiences by focusing on business impact over technical detail
- Scheduling intelligence updates during M&A due diligence to highlight target company vulnerabilities
- Using secure collaboration platforms rather than email to distribute time-sensitive alerts, so that recipients, forwarding, and access can be controlled and audited
- Version-controlling intelligence products to track changes in assessments over time
- Establishing read-receipt and acknowledgment protocols for critical threat notifications
- Archiving decision logs showing how intelligence influenced security posture changes or travel restrictions
Module 7: Legal and Ethical Governance of Intelligence Operations
- Conducting quarterly audits to ensure intelligence activities comply with GDPR, CCPA, and local surveillance laws
- Obtaining legal counsel review before initiating monitoring of employees in unionized environments
- Documenting justification for collecting intelligence on competitors to avoid industrial espionage allegations
- Implementing oversight committees to review high-risk intelligence collection activities
- Training investigators on prohibited methods such as pretexting or unauthorized access to personal devices
- Responding to internal audit or regulatory inquiries about intelligence program scope and controls
Module 8: Crisis Intelligence and Real-Time Response
- Activating pre-defined intelligence collection plans during active ransomware incidents to identify negotiation risks
- Monitoring social media in real time during physical security incidents to assess threat spread or copycat risks
- Coordinating with external threat intelligence providers to validate emerging indicators during fast-moving attacks
- Deploying mobile OSINT collection teams during executive protection details in high-threat countries
- Adjusting collection priorities hourly based on evolving crisis developments and stakeholder needs
- Preserving raw intelligence data from crisis events for post-incident legal or regulatory review