CybersecurityDefense

From Gut to Gold Standard: The Admiralty System in CTI

SANS Digital Forensics and Incident Response
SANS Digital Forensics and Incident ResponseApr 2, 2026

Why It Matters

Transparent source and data scoring reduces speculation, enabling organizations to make faster, more reliable security decisions and allocate resources effectively.

Key Takeaways

  • Adopt Admiralty Scale to rate source credibility systematically.
  • Separate source reliability from information verifiability in CTI reports.
  • Use multi‑source corroboration to elevate information confidence levels.
  • Document source summary statements to improve transparency for stakeholders.
  • Regularly reassess ratings as new evidence alters source or data trust.

Summary

The presentation introduces the Admiralty Scale, a century‑old British Navy framework, as a rigorous method for evaluating source credibility and information reliability in cyber threat intelligence (CTI). Freddy argues that modern CTI suffers from opaque reporting, unverified claims, and bias, making it difficult for analysts and decision‑makers to trust assessments. Key insights include the need to treat source trustworthiness and data veracity as separate dimensions. Sources are graded from A (highly reliable) to F (unverified), while information is scored 1‑6 based on independent corroboration. By applying this dual rating, analysts can transparently convey what they know, what remains uncertain, and why. Freddy illustrates the system with three examples: an A1 rating for a widely‑used vulnerability backed by multiple trusted feeds, an E4 rating for a claim from a historically unreliable source, and a D rating for a new forum user whose credibility is still unknown. He emphasizes documenting source summary statements—a standard in intelligence communities—to justify each rating. Adopting the Admiralty Scale can curb misinformation cascades, improve stakeholder confidence, and embed critical‑thinking habits across security teams. Over time, systematic reassessment of scores will refine threat models and support more informed risk‑management decisions.

Original Description

From Your Gut to a Gold Standard: Introducing the Admiralty System in CTI
🎙️ Freddy Murstad, Senior Threat Intelligence Advisor, Intelligence Tradecraft
📍 Presented at SANS CTI Summit 2026
This presentation introduces the Admiralty System, a time-tested framework originally used for evaluating intelligence. Today, this system offers CTI professionals a robust method for assessing the reliability of Cyber Threat Intelligence (CTI) in an increasingly complex digital landscape.
The presentation will highlight its adaptability for addressing modern cybersecurity challenges and explore the system's historical context.
A key focus will be on understanding the crucial distinction between Source Reliability (the trustworthiness of the origin of the information) and Information Credibility (the trustworthiness of the data itself), two core components of the Admiralty System.
Using a real-world scenario, I will demonstrate how different sources and information are rated, and using QR-codes, enabling participants to develop a practical understanding of the system's application. The presentation will also discuss the benefits of implementing the Admiralty System for CTI professionals, including enhanced threat prioritisation, improved resource allocation, more effective collaboration through a shared language, and potential for automation. Furthermore, the presentation will address potential challenges in applying the Admiralty System, such as the rapid evolution of cyber threats, introduction of AI in CTI analysis, the overwhelming volume of threat data, and the element of subjectivity in assigning ratings. Strategies for mitigating these challenges, like regular calibration sessions and integration of automation, will also be discussed.
By attending this presentation, CTI professionals will gain valuable insights into leveraging the Admiralty System to enhance the reliability and actionability of their cyber threat intelligence.

Comments

Want to join the conversation?

Loading comments...