Building a Cyber Threat Intelligence Maturity Workbench

I recently found myself revisiting the topic of Cyber Threat Intelligence Program Development.

It is a topic I have revisited frequently over the past two years. But lately, I’ve started to re-examine the foundations with a fresh mindset.

In this industry, we talk a lot about "finding bad guys." But we rarely measure the maturity of the capability that finds them. We tend to obsess over the output (what are the IOCs) while neglecting the engine (the people and processes).

That's when I started taking another, deeper look at the CTI-CMM (Cyber Threat Intelligence Capability Maturity Model), which is an excellent piece of work.

While a lot of cyber threat intelligence models focus on and measure "Tradecraft" (how good you are at pivoting or conducting technical analysis), the CTI-CMM measures Value. It asks the hard question: "How well does CTI actually support the business?"

It covers 11 Domains which range from technical functions like Threat & Vulnerability Management (THREAT) and Identity & Access Management (ACCESS) to strategic drivers like Risk Management (RISK) and Situational Awareness (SITUATION). It moves the conversation from "Did we collect the data?" to "Did we provide enough value for the stakeholder?"

It stops us from running on vibes and allows us to focus on a proper framework.

CTI-CMM Threat Domain Documentation
A look inside the PDF: The 'Threat & Vulnerability Management' domain. Notice how it breaks down the high-level mission into specific, actionable use cases like 'Improve Patch Prioritization' and 'Enhance Threat Hunting'.

The Challenge

The framework comes with a comprehensive assessment tool built in Excel. It's incredibly detailed and objectively does the job well.

However, static spreadsheets have their limits.

While the spreadsheet is functional, manual entry introduces friction. Managing maturity tracking across 11 domains and cross-referencing specific practices becomes an administrative burden rather than a strategic exercise. I wanted to shift the focus from data entry to data analysis.

I decided to engineer a solution to remove that friction. I built the CTI-CMM Workbench to automate the logic, allowing the analyst to focus on the findings, not the formula errors.

The Project: CTI-CMM Workbench

I built a web application that wraps the CTI-CMM logic in a graphical interface.

Crucially, I didn't change the framework. I took the data schema directly from the official CTI-CMM v1.2 documentation. Every domain, practice description, and maturity metric in the app is pulled "as-is" from the source.

CTI-CMM Dashboard Interface
The main interface showing the 'As-Is' vs 'To-Be' profile, alongside a live progress counter to track the assessment's completion status.

What it does under the hood:

  1. Strict Scoring Logic: It calculates the "As-Is" maturity based on the strict CMM rules.

  2. Visual Gap Analysis: Instead of a table of numbers, it renders a Radar Chart overlaying the "Current State" vs. "Target State". It makes it incredibly obvious where the program is lopsided (e.g., having great "Threat" but zero "Risk" maturity).

  3. Automated Roadmapping: This is the part I'm most happy with. Based on the gaps identified, the tool generates a roadmap on what practices to implement.

CTI-CMM Gap Analysis
The gap analysis view showing required practices for a specific domain, with clear indicators of current vs. target maturity levels.
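
The scoring and roadmap steps listed above can be sketched as follows. This is an added example, not the Workbench's code: it assumes the common CMM convention that a level counts only when every practice at that level and all lower levels is implemented, with levels numbered 1 to 3, and the practice IDs, statuses and targets are constructed placeholders rather than real CTI-CMM practices.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Practice:
    pid: str           # constructed placeholder ID, not a real CTI-CMM practice
    domain: str        # domain code, e.g. THREAT or RISK
    level: int         # maturity level the practice belongs to (assumed 1..3)
    implemented: bool  # assessor's answer for this practice

def as_is_level(practices, domain, max_level=3):
    """Highest level L where every practice at levels 1..L is implemented."""
    achieved = 0
    for level in range(1, max_level + 1):
        at_level = [p for p in practices if p.domain == domain and p.level == level]
        # Assumed strict rule: one missing practice (or an empty level) stops
        # the climb, even if higher-level practices are already in place.
        if not at_level or not all(p.implemented for p in at_level):
            break
        achieved = level
    return achieved

def roadmap(practices, targets):
    """Per domain: as-is level, to-be level, gap, and practices still to do."""
    plan = {}
    for domain, target in targets.items():
        current = as_is_level(practices, domain)
        missing = sorted(
            (p for p in practices
             if p.domain == domain and p.level <= target and not p.implemented),
            key=lambda p: (p.level, p.pid))  # lowest level first
        plan[domain] = {"as_is": current, "to_be": target,
                        "gap": max(target - current, 0),
                        "todo": [p.pid for p in missing]}
    return plan

# Constructed sample assessment and target profile
SAMPLE = [
    Practice("THREAT-1a", "THREAT", 1, True),
    Practice("THREAT-1b", "THREAT", 1, True),
    Practice("THREAT-2a", "THREAT", 2, True),
    Practice("THREAT-2b", "THREAT", 2, False),
    Practice("THREAT-3a", "THREAT", 3, True),
    Practice("RISK-1a", "RISK", 1, False),
    Practice("RISK-2a", "RISK", 2, True),
]
TARGETS = {"THREAT": 3, "RISK": 2}

if __name__ == "__main__":
    for domain, row in roadmap(SAMPLE, TARGETS).items():
        print(domain, row)
```

In the sample, THREAT scores level 1 despite an implemented level 3 practice, because one level 2 practice is missing; that single practice is the whole roadmap entry for the domain.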

Exporting to PDF/Excel

Finally, to generate a "Consultant-Ready" report, I created an export engine that parses the assessment state and generates the deliverables:

  • The Executive PDF: A report separating "Quick Wins" (Low-hanging fruit) from "Strategic Goals" (Long-term improvements), complete with a line-by-line gap analysis.

  • The Analyst Excel: Yes, I still export to Excel. Because sometimes you just need the raw data to track remediation tickets. The difference is that now the Excel file is an output, not the workspace.

You can take a look at the Reports here, it uses simulated data:

Next Steps

I am still ironing out some use cases and improving on the backend logic, so I am keeping the repository private for now.

This workbench is built for those who find that complex logic rules are better managed in code than in cells. It swaps the friction of managing spreadsheets for the clarity of measuring value.

I am currently running this against a few test scenarios. If you manage a CTI program and are interested in beta-testing a logic-driven approach, reach out. I would be keen to compare notes on how we can better automate maturity roadmaps.