INTELEST Global, LLC

5 Critical Questions to Ask Before Creating a Report from the Dark Web

Threat analysts and collectors, especially those working in the field of cybersecurity, constantly scan underground forums and platforms. In fact, there are numerous security products developed specifically to scan forums to automate and simplify this process. However, browsing these forums and platforms is not intelligence in itself, and considering that thousands of posts can be shared within a 24-hour period, it is a very time-consuming challenge for analysts/collectors. Furthermore, sharing every finding creates information overload for the decision-makers; the accumulation of conflicting, erroneous, and incomplete information causes them to lose confidence in the intelligence provided.
To avoid such a situation and to answer the question of "how should we filter information before sharing it with an intelligence customer?", we have prepared 5 critical parameters for you.

Question 1: Who is our intelligence customer and what do they need?

Regardless of its field of application, the intelligence production process always begins with one of the following three conditions:
  • The intelligence requirements in our collection plan, which are derived from the key intelligence questions of the decision-maker and the individuals to whom you are responsible for providing intelligence (in the jargon, we call them the "intelligence customer").
  • On-demand information and intelligence needs created by your intelligence customer that are not in your collection plans.
  • Your own findings on forums and platforms that you believe could be important for the intelligence customer.
These three conditions have one thing in common: The intelligence customer does not want to know everything you find. Your intelligence customer always wants more specific information that is directly valuable to them.
So, how do we determine what is requested, what is expected, and what is important to them?
The most comprehensive and professional method for this is the doctrinal process known as Intelligence Preparation of the Operational Environment (IPOE). This analysis consists of four stages:
  1. Defining the operational environment.
  2. Evaluating the effects of the operational environment.
  3. Evaluating the threat elements.
  4. Determining the course of action of the threat elements.
This method outlines the scope of the operational area that your intelligence customer is interested in. This allows you to understand their priorities and know which variables and developments you must evaluate urgently. Additionally, you must conduct this analysis to understand the customer's key intelligence questions and to create an intelligence collection plan.

Question 2: Is your finding consistent with the intelligence customer's Area of Interest or Area of Responsibility?

To put it simply, it is not the intelligence customer's only job to review what you provide and make a decision to act. While our job is solely to produce intelligence, they have dozens of different decisions to attend to, and these decisions affect the populations they manage. Therefore, we must provide them with intelligence on matters that are directly within their Area of Responsibility. Information related to their Area of Interest, however, should be presented to raise awareness of potential changes that could affect their Area of Responsibility.
The Area of Interest (AOI) refers to the area encompassing the current operational zone and surrounding regions where potential threats, opportunities, or events could affect ongoing or planned operations. The AOI is broader than the Area of Responsibility and is defined based on its potential impact on the mission.
The Area of Responsibility (AOR) is the specific operational area where a decision-maker or organization is responsible for conducting operations and achieving mission success. The AOR is more defined and limited compared to the AOI.
Therefore, while understanding the AOI aids in situational awareness, threat forecasting, and strategic planning, clearly defining the AOR ensures command authority, operational efficiency, and accountability within a specific area.

Question 3: Is the source reliable, and can we verify the information?

A large part of our job is to provide decision support by processing information that is often conflicting, incomplete, and manipulated. In doing so, we must evaluate every piece of information/finding we obtain within the framework of:
  • Source/Platform reliability,
  • Information accuracy.
In professional intelligence systems, we use the evaluation matrix (Admiralty Code) specified in NATO's STANAG 2511 for this purpose. However, to use this system, you must have a strong baseline of intelligence data, a properly configured source inventory management system, and the capability to produce All-Source Intelligence. If you do not have such a structure, you can alternatively perform an OPVL or a CRAAP Test. This is because the Admiralty Code is not designed for making an instinctive evaluation. In other words, we cannot assign codes like B1 or C4 based on our feelings.
NOTE: The information's evaluation grading should never be shared with the decision-maker in its raw Admiralty code format. You must convey it in prose. Additionally, if you are using the Admiralty Code, A1 is rarely used. A1 signifies that the source always provides accurate information and that every piece of information provided is definitively correct.

Question 4: Does this information exist in our historical records, or are we dealing with something new?

Intelligence structures are built on recording everything that is identified—related or unrelated, true or false. This data allows us to scan the past to identify trends, anomalies, and indicators for change. Therefore, even if we identify a piece of false information, we must record it in our system, noting that it is false. 
If the current information we have found contains nothing new, has no change in its accuracy, and still has unconfirmed elements, it is pointless to report it to the intelligence customer. By re-communicating something you have reported in the past, you only create intelligence fatigue. 

 Question 5: If the information is correct, what is its potential impact? 

Even if it is correct, not every piece of information qualifies as intelligence. Intelligence is the final product. That information needs to be processed, analyzed, and interpreted. Information relayed without performing these actions is merely raw data for the intelligence customer.  Intelligence structures are built on recording everything that is identified—related or unrelated, true or false. This data allows us to scan the past to identify trends, anomalies, and indicators for change. Therefore, even if we identify a piece of false information, we must record it in our system, noting that it is false. 
For this reason, the last thing we must do before conveying information to a decision-maker is to answer the "so what?" question for the intelligence customer. At this point, it is essential to produce a quality output by using a series of systematic methods such as risk assessment models and predictive analysis techniques.
In conclusion, before you communicate a finding, you must evaluate it in terms of need, relevance, reliability, novelty, and impact. Any information relayed without this evaluation creates information overload for the intelligence customer and unintentionally has a negative impact on their processes. As a result, they will tend to ignore your notifications in the long run. 

Structured Intelligence Training

Develop analytical capability through structured courses, practical exercises, and professional learning pathways designed for intelligence and security practitioners.

The Analyst's Desk

Designed for professionals who want to think deeper, stay informed, and continuously sharpen their analytical capability through expert analysis, professional insights, and developments from across the worlds of intelligence, security, defense, and geopolitics.
Created with