Threat Analysis

The Devil is in the Detail

Countering threats through data

We provide independent and evidence-based insights on how vulnerable communities are targeted and harmed by malicious activities in cyberspace. Our assistance to NGOs and our legal and policy contributions are intrinsically linked with our ability to deliver unique data-driven analysis. We make our  data and analysis freely accessible to raise awareness of the harm of cyberattacks and to be used in further research.




We undertake analysis across the three levels of cyber threat intelligence:

  • Tactical analysis – micro-level data analysis in which we detect and monitor cyber threats to vulnerable communities.
  • Operational analysis investigations in which we seek to identify how attacks have unfolded.
  • Strategic analysis  – macro-level research and analysis  to identify who is behind cyberattacks targeting vulnerable communities, the motive(s) behind them and the harm they cause. 

Our diversity is our strength. Our in-house intelligence and information security team is made up of colleagues from many walks of life who come together to build innovative solutions. From cybersecurity experts to threat intelligence analysts, social scientists to software developers, seasoned law enforcement professionals to highly motivated students, we come together to better understand the threats in cyberspace.

Our data is the backbone of the work of the CyberPeace Institute. We process data from our partners, open sources, proprietary sources and that produced through our own collection processes. Our data pipeline processes data from its raw form to information suitable for analysis. It capitalizes on the use of scalable cloud-based technologies. Our processes put data privacy and security at the forefront of decision-making and we build increasingly automated data flows to reduce processing errors, increase data recency and reduce time to analysis. 

In 2023 we have been selected to take part in the Patrick McGovern Data and Society Accelerator Program in which we will begin our machine learning journey to further help us in processing our large datasets into actionable insights.

Different data-centric projects call for different analytical approaches. Our portfolio of analysis activities includes but is not limited to problem profiling, Open Source Intelligence (OSINT), Social Network Analysis, technical analysis including log, malware and forensic analysis, Geotemporal analysis, financial asset tracing and victim profiling. We also have a network of trusted partners, whose expertise we can call-upon for other specific types of analysis. 

We take data privacy and security very seriously. We adopt a zero-trust approach to system and data management. All of our analysis-related data is encrypted at rest and in transit. We have also developed our own products and tools for secure data exchange between us, our partners and our beneficiaries.

As the volume type and sophistication of cyberattacks are increasing year on year, it is important that vulnerable communities are able to access expert support to analyze threats against them and to receive data-driven insights to mitigate risks. We offer this capability for free to humanitarian NGOs, as one of a range of services.

tactical analysis

Detect to protect

We conduct micro-level data analysis in which we detect and monitor threats to vulnerable communities. 


By aggregating data shared with us by our cybersecurity and technology partners and by mapping the digital assets of our beneficiaries we are in a better position to protect them. We detect these threats using technical data points such as indicators of compromise (IOCs) and telemetry data. Building detection rules and alerts we provide our beneficiaries with triaged information and practical recommendations to help them protect their data and systems.


the digital assets of our beneficiaries


new threats and vulnerabilities


and prioritize 

identified issues


information through timely allerts


risks and secure

digital assets 



Investigate Cyberattacks

We conduct investigations in which we seek to identify how attacks have unfolded.


We identify the tactics, techniques and procedures (TTPs) used by threat actors against our beneficiaries through in-depth investigations, malware analysis and forensics investigations, including with support from our partners. We produce bespoke investigation reports and threat intelligence for our beneficiaries, accompany them in reaching out to relevant investigative bodies and publish public blogs to raise awareness amongst vulnerable communities.

Data Acquisition

Following an assessment of the case brought to us by a beneficiary or partner, we ensure the secure transfer of case data to our analysts.

Log & Transaction Analysis

We review and analyze computer-generated event logs to proactively identify information related to the case.

Malware & Forensic Investigation

We collect evidence from devices and analyze malware to determine the root cause of an attack.

Threat Intelligence

We develop knowledge on threats, vulnerabilities and the actors behind them to mitigate future risks.

Advice & guidance

Getting to the root cause of an attack allows us to provide actionable recommendations to a specific organization or the wider community.

Practical Assistance

We provide technical and cybersecurity support to help NGOs implement the recommendations.

strategic analysis

Research the Threat Landscape

We conduct macro-level research  to identify who is behind cyberattacks targeting vulnerable communities, the motive(s) behind them and the harm they cause. Through our analysis, we map the threat landscape of the vulnerable communities we seek to protect, identifying trends and emerging issues. Our approach to analysis keeps the human at the center of research as we seek to understand the effects of cyberattacks on people and society. We present our findings through data visualization platforms and strategic analysis reports.   Our work contributes to efforts to advance respect for international law and norms in cyberspace.

Our Intelligence Cycle
  • Direction

    every research project begins with the setting of clear intelligence requirements and the definition of research questions that need to be answered. This ensures our research stays within scope, respects ethical research principles and avoids mission creep.

  • Data collection

    manually, automatically or somewhere in between, we collect data from primary data sources, open sources and closed sources which when combined together gives us a more comprehensive understanding of the cyber risks faced by vulnerable communities.

  • Processing

    using data pipelines we clean and normalize data and evaluate its relevance and reliability to transform it from its raw form to exploitable information usable for analysis. This step of our intelligence cycle requires close collaboration between our analysts and technical engineers.

  • Analysis

    from data discovery, statistical analysis, Social Network Analysis to geotemporal analysis, we find hidden connections within large datasets. Using data visualization and analysis tools, including dashboards and graphical link analysis software, our analysts can connect information from disparate sources to find the answers to our research questions.

  • Disseminate & Share

    complex analysis must be accompanied by simple storytelling. Developing data-visualization platforms tailored to each research project and publishing clear reports and infographics allow us to communicate our findings with our community.

  • Feedback

    we learn from every project we deliver on. Taking on feedback from our community, our governance bodies and our partners we strive to produce improved analytical products in the future.

We produce data-driven insights to assess impact.

To actively contribute to understanding the true scale and nature of the cyber threats to vulnerable communities, please support the CyberPeace Institute

Sharing our findings with the community

Our Cyber Incident Tracers provide data-driven insights on the cyber threat landscape of the vulnerable communities we serve. They are developed in-house by our developers with data sourced through the regular monitoring of open sources by our experienced team of researchers. The information is made publicly available for use by policymakers, journalists, academic researchers and others.

Cyber Incident Tracers

Data-driven insights on the cyber threat landscape of vulnerable communities presented through publicly accessible data visualization platforms.

Research & Investigations

Independent and in-depth findings on the emerging and ongoing threats to vulnerable communities published through analytical reports and technical blog posts.

Our technical and cybersecurity partners