Part 05 — Analysis Without Institutional Support

The institutional analyst’s first protection against bias is not their training. It is the colleague in the next chair who has read the same cable and reached a different conclusion. The independent analyst has no such colleague. They must build that colleague into their own workflow, or they will not have one.

Previous part: Part 04 — Source Evaluation Without Institutional Context
Next part: Part 06 — Adversarial Review Without a Peer Team


1. The Solo Analyst’s Cognitive Challenge

Institutional intelligence analysis is not better than independent analysis because the analysts are smarter. They are, in the median case, no different. Institutional analysis is structurally better because the institution distributes the burden of cognitive bias across more than one mind.

The mechanisms of bias — Confirmation Bias, anchoring, satisficing, availability bias, Mirror Imaging — operate identically in the institutional analyst and in the independent practitioner. What differs is the topology of the safeguards.

In an institutional setting, the analyst writes a first draft. A peer reads it and says “you’ve buried the alternative hypothesis.” A branch chief reads it and says “your sourcing on paragraph three is thinner than your confidence language suggests.” A red team is convened on the most consequential judgments. Six weeks later, when the assessment proves wrong, an after-action review documents the error and feeds a corpus of recurring failure modes that trains the next cohort. The system has a memory. The system has antibodies.

The independent analyst writes a first draft. Then they publish it.

The cognitive risk has not gone away. It has been concentrated. Specifically, the independent practitioner faces:

  • No colleague who will notice when you are anchored on the first hypothesis. The first plausible explanation that arrives in your inbox at 03:00 will retain disproportionate weight throughout the analysis unless something forces it to compete.
  • No devil’s advocate protocol unless you implement it yourself. The institutional red team exists because organizations learned that voluntary self-criticism is unreliable. You will not spontaneously generate a thorough counter-case to a thesis you find satisfying.
  • No organizational memory that corrects recurring errors. Your last twelve assessments contain the same systematic mistake. You have not noticed because there is no archivist reviewing your track record.
  • No senior analyst review to flag the moment your confidence language drifted out of alignment with your evidence base.
  • No collection officer pushback to identify the question you should have asked but did not.

This makes disciplined application of Structured Analytic Techniques not just helpful but structurally necessary. SATs are externalized cognition. They take judgments that would otherwise occur silently inside your head — where biases operate freely and unobserved — and force them onto paper where they can be inspected.

The independent analyst who claims they “don’t need a process because they’re careful” is unintentionally describing exactly the condition under which cognitive bias operates most freely: an analyst with no external check, confident in their own carefulness, working alone on a deadline.

The proposition of this chapter is uncomfortable but operational: the discipline of the institutional process is recoverable by a solo practitioner, but only if the practitioner accepts that they personally are the failure mode the process is designed to catch.


2. Structured Analytic Techniques for the Solo Practitioner

This section does not re-introduce SATs from first principles. For ACH foundations, see Analysis of Competing Hypotheses. For confidence terminology, see Intelligence Confidence Levels. The focus here is how SATs change when there is only one analyst applying them.

2.1 Analysis of Competing Hypotheses (ACH) — Solo Adaptation

ACH was designed by Richards J. Heuer Jr. as an antidote to the analyst’s tendency to identify the most likely hypothesis first and then accumulate confirming evidence. The institutional version of ACH assumes a small team building the hypothesis set together. The solo version requires four discipline points the team version does not.

Discipline 1 — Generate hypotheses before reviewing evidence; write them down and date them. The act of writing hypotheses before immersion in the evidence base is the only protection against the post-hoc hypothesis: the one you “had all along” but cannot prove because you never wrote it down. Date-stamp the hypothesis list. This converts a vague memory (“I considered that option early”) into a verifiable record.

Discipline 2 — Build the matrix honestly. The test of honesty is whether the hypothesis set includes options that would embarrass you if confirmed. Solo analysts unconsciously prune the hypothesis set to options consistent with their analytical brand or prior published work. If your published thesis is that Actor X is a strategic peer competitor and the alternative hypothesis is that Actor X’s behavior is dominated by domestic instability, the latter must appear in the matrix. If it would force a published retraction, that is a signal it belongs in the matrix, not a signal to omit it.

A working rule: for any consequential assessment, one of your hypotheses should be one you actively hope is false. If none of them are, you have not enumerated the space.

Discipline 3 — The time-lag trick. Build the ACH matrix. Set it aside for at least 24 hours. Return to it before finalizing. Anchoring on the lead hypothesis is invisible in the moment it is happening; a time gap allows you to read your own matrix as a stranger would.

For weekly publication cycles this is operationally feasible. For breaking-news assessments where 24 hours is unavailable, compress to a 2-hour gap and a different physical location (write the matrix at the desk, review it after a walk; the change of physical context partially substitutes for the time gap).

Discipline 4 — Document the discarded hypotheses. In your analytical notes (not in the published assessment, unless space permits), preserve every hypothesis you eliminated and the specific evidence that eliminated it. Two protections follow:

  • Protection against retroactive rationalization: if events later contradict your published assessment, you can return to the matrix and reconstruct exactly where the analysis broke. Without the discard log, you will reconstruct your own reasoning unreliably.
  • Protection against unconscious re-elimination: in a follow-on assessment six months later, the same hypothesis may reappear. The discard log tells you whether the prior elimination still holds or whether new evidence reopens the question.
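The four disciplines above, as an added worked example in Python (not the chapter's own code): a minimal ACH matrix that date-stamps hypotheses, reports whether the set contains one you hope is false, scores hypotheses by weighted inconsistency in Heuer's convention, separates diagnostic from non-diagnostic evidence, and keeps a discard log that records which items eliminated a hypothesis and when. The hypotheses, evidence items and the credibility and relevance weights are constructed.

```python
"""Solo ACH: date-stamped hypotheses, weighted inconsistency scores and a
discard log.

Added example, not the chapter's own code. Scoring follows Heuer's ACH
convention: each evidence item is rated against every hypothesis as
consistent (C), inconsistent (I) or not applicable (N), and hypotheses are
ranked by weighted inconsistency, lowest first. The hypotheses, evidence
items and credibility/relevance weights are constructed.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class Hypothesis:
    hid: str
    text: str
    recorded_on: date         # Discipline 1: written and dated before evidence review
    hope_false: bool = False  # Discipline 2: the one you would rather not see confirmed


@dataclass
class Evidence:
    eid: str
    text: str
    credibility: float        # 0..1: how far the item can be trusted
    relevance: float          # 0..1: how much it bears on the question
    ratings: dict             # hid -> "C" | "I" | "N"


@dataclass
class ACHMatrix:
    hypotheses: list
    evidence: list = field(default_factory=list)
    discard_log: list = field(default_factory=list)

    def _hids(self):
        return {h.hid for h in self.hypotheses}

    def honest_hypothesis_set(self):
        """Working rule under Discipline 2: at least one hypothesis you hope is false."""
        return any(h.hope_false for h in self.hypotheses)

    def add_evidence(self, ev):
        missing = self._hids() - set(ev.ratings)
        bad = set(ev.ratings.values()) - {"C", "I", "N"}
        if missing or bad:
            raise ValueError(f"unrated hypotheses {missing}, invalid ratings {bad}")
        self.evidence.append(ev)

    def inconsistency_scores(self):
        """Sum of credibility*relevance over the items inconsistent with each hypothesis."""
        scores = {hid: 0.0 for hid in self._hids()}
        for ev in self.evidence:
            weight = ev.credibility * ev.relevance
            for hid, rating in ev.ratings.items():
                if rating == "I":
                    scores[hid] += weight
        return scores

    def ranking(self, include_discarded=True):
        """Hypothesis ids, least inconsistent first; ties broken by id."""
        scores = self.inconsistency_scores()
        gone = {d["hid"] for d in self.discard_log}
        live = [h for h in scores if include_discarded or h not in gone]
        return sorted(live, key=lambda hid: (scores[hid], hid))

    def diagnostic_evidence(self):
        """Items rated differently across hypotheses. An item consistent with
        every hypothesis does not help choose between them."""
        return [ev.eid for ev in self.evidence if len(set(ev.ratings.values())) > 1]

    def discard(self, hid, eliminated_by, note, on):
        """Discipline 4: record what eliminated a hypothesis, and when."""
        if hid not in self._hids():
            raise KeyError(hid)
        self.discard_log.append(dict(hid=hid, eliminated_by=list(eliminated_by), note=note, on=on))


def build_sample_matrix():
    """Constructed matrix for a force-movement question."""
    m = ACHMatrix([
        Hypothesis("H1", "Movements are a coercive signal short of attack", date(2025, 1, 6)),
        Hypothesis("H2", "Movements are preparation for offensive operations", date(2025, 1, 6), hope_false=True),
        Hypothesis("H3", "Movements are a scheduled exercise", date(2025, 1, 6)),
    ])
    m.add_evidence(Evidence("E1", "Field hospitals and blood supplies moved forward", 0.8, 0.9, {"H1": "N", "H2": "C", "H3": "I"}))
    m.add_evidence(Evidence("E2", "Announced exercise window expired; units have not returned", 0.9, 0.8, {"H1": "C", "H2": "C", "H3": "I"}))
    m.add_evidence(Evidence("E3", "No public mobilisation of reserves", 0.7, 0.6, {"H1": "C", "H2": "I", "H3": "C"}))
    m.add_evidence(Evidence("E4", "State media escalating without stating demands", 0.6, 0.5, {"H1": "I", "H2": "C", "H3": "N"}))
    m.add_evidence(Evidence("E5", "Armour observed near the border", 0.9, 0.9, {"H1": "C", "H2": "C", "H3": "C"}))
    m.discard("H3", ["E1", "E2"], "Fails on medical logistics and the expired exercise window", date(2025, 1, 8))
    return m


if __name__ == "__main__":
    matrix = build_sample_matrix()
    print("inconsistency:", matrix.inconsistency_scores())
    print("ranking:", matrix.ranking(include_discarded=False))
    print("diagnostic:", matrix.diagnostic_evidence())
    print("discards:", matrix.discard_log)
```

Two things the numbers show that the prose cannot: E5 is consistent with every hypothesis and contributes nothing to the ranking, which is the diagnosticity point in Heuer's method; and H1 and H2 score 0.30 and 0.42, close enough that the lead hypothesis has not earned exclusive treatment, which is the anchoring case the 24-hour gap exists to catch.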

2.2 Key Assumptions Check (KAC) — As Solo Discipline

KAC is the single most important SAT for the independent analyst, because the assumptions an analyst doesn’t notice are precisely the ones a team would have surfaced.

Procedure for solo KAC:

  1. List every assumption the assessment rests on. Not just the explicit ones. The implicit ones — “the regime is rational,” “the central bank will defend the currency,” “the unit identifications I made from social-media imagery were accurate.” Aim for a list that initially feels excessive; pruning is easier than generation.

  2. Classify each assumption into one of three tiers:

    • Stated fact: confirmed by independent sourcing, traceable to primary documentation.
    • Assessed probability: a judgment the analyst has explicitly made, with confidence level attached.
    • Unexamined background assumption: a proposition the analyst has been using without examining.

  3. Challenge the unexamined ones. Convert each background assumption into an explicit assessment with a confidence level. A canonical example: “I assume the regime will prioritize regime survival over confrontation — is that assumption calibrated against the actor’s actual track record, or is it a habitual frame inherited from prior analysis?”

  4. Test the brittleness. For each assumption, ask: if this assumption is wrong, does the assessment survive? Assumptions that, if reversed, collapse the assessment are load-bearing. Load-bearing assumptions deserve the highest scrutiny and should be flagged explicitly in the published product.

KAC is the primary solo countermeasure against Mirror Imaging. Mirror imaging is not a single error; it is a family of unexamined assumptions about how adversaries calculate, what they value, and what risks they accept. KAC forces those assumptions into the open.

2.3 Devil’s Advocacy — Self-Directed

The institutional devil’s advocate is a designated person whose job is to make the strongest possible counter-case. The solo equivalent is harder because the same mind must hold both positions in succession.

Procedure:

  1. Set aside the draft assessment entirely. Close the document. Open a new one.
  2. Write a 500-word brief arguing the opposite conclusion with equal vigor. Same evidence base. Different conclusion. Marshal the strongest version of the counter-argument; the goal is not a strawman but the case a serious analyst working from the same sources could plausibly write.
  3. The quality test. If you cannot write a cogent counter-argument, one of two things is true: either (a) the evidence is genuinely overdetermined and the original hypothesis is robust, or (b) your hypothesis is not well-formed enough to test — it is a frame, not a falsifiable claim. The second is more common than analysts admit.
  4. The asymmetric-risk test. Identify which error would be more consequential:
    • Type I (false positive): you assess that X will happen, it does not.
    • Type II (false negative): you assess that X will not happen, it does.

  Assign greater analytical scrutiny to the hypothesis whose error is more consequential. For warning intelligence (will the invasion happen? will the bank fail? will the coup be attempted?), Type II errors typically carry asymmetric downside; the threshold for asserting “unlikely” must be correspondingly higher.

2.4 What-If? Analysis

For any future-oriented assessment, the central-case judgment must be accompanied by 2–3 alternative scenarios. Each scenario requires three structural elements:

  • Explicit trigger conditions. What specifically must happen for this scenario to begin developing? Not “if conditions change” but “if Actor X moves the 76th Air Assault Division south of the Sumy axis.”
  • Observable indicators. What would the analyst see in OSINT collection that would confirm this scenario is developing? These are the indicators that should be monitored in subsequent collection cycles.
  • Policy/behavioral implications distinct from the central case. If the scenario implications are identical to the central case, it is not a meaningfully alternative scenario.

The What-If procedure pairs with Indicator Monitoring (Section 3.1) to convert published assessments into living documents: when an indicator fires, the assessment updates.


3. Domain-Specific Analytical Modules

The SATs above are domain-agnostic. The domain modules below specify how the techniques are applied at practitioner depth in the four domains an independent OSINT analyst is most likely to work in: geopolitics and conflict; cyber threat intelligence; financial crime and corporate due diligence; and fact-checking.

3.1 Geopolitics and Conflict Analysis

ORBAT Reconstruction from OSINT

The Order of Battle (ORBAT) is the foundational analytical product for conflict analysis. It answers: which forces, of what size, with what equipment, under whose command, are deployed where? Institutional ORBAT is built from SIGINT, IMINT, and HUMINT collection that the independent analyst does not have. OSINT-based ORBAT is built from four substitution streams:

  1. Visual confirmation of unit insignia and equipment in geolocated imagery and video — primarily social media uploaded by deployed personnel, civilian bystanders, and the opposing force.
  2. Command post identification from pattern-of-life analysis — recurring vehicle assemblies, antenna farms, security perimeters visible in commercial satellite imagery (Planet, Maxar via news partners, Sentinel-2 for lower-resolution monitoring).
  3. Unit identification from unencrypted communications, monitoring traffic on radio frequencies, and social-media indiscretion by deployed personnel.
  4. Cross-reference against the known pre-war ORBAT documented in IISS Military Balance, national defence ministry publications, and academic open-source military analysis (Conflict Intelligence Team, Rochan Consulting, Janes open content where available).

Worked methodology:

  1. Establish baseline ORBAT from pre-conflict reporting. IISS Military Balance (annual), national MoD publications, RAND/IISS/RUSI monographs. This is the ground state.
  2. Track confirmed changes:
    • Unit identification from visual media (insignia visible on uniforms, vehicle bort numbers, distinctive equipment).
    • Geolocation of deployments via GeoConfirmed-style chronolocation work.
    • Casualty notices on regional social-media channels (often the most reliable indicator that a specific unit was committed to a specific sector).
  3. Track attrition indicators using the Oryx methodology: visually confirmed equipment losses, photographically documented, with each loss assigned to a category (destroyed, damaged, abandoned, captured). The Oryx methodology is the OSINT gold standard for attritional analysis because the source images can be independently re-verified by anyone.
  4. Map to geographic deployment using ACLED, LiveUAMap, or GeoConfirmed for geo-tagged event databases. Each event in the database is a node; clustered events identify operational sectors.
  5. Label inference levels rigorously:
    • Fact: unit identification confirmed by multiple independent images of insignia and equipment.
    • Assessment (High): inferred sector assignment from corroborating casualty notices, imagery, and social-media patterns.
    • Assessment (Moderate): inferred unit assignment to sector from single-source imagery without independent corroboration.
    • Assessment (Low): assumed unit roles derived from pre-war doctrine where wartime evidence is absent.

Worked example: Tracking the 76th Guards Air Assault Division between February 2022 and the present in a hypothetical Eastern European conflict.

  • Baseline (Fact): IISS confirms 76th GAAD garrison at Pskov; subordination to Russian Airborne Forces.
  • Initial deployment (Fact): Geolocated convoy imagery dated 24 Feb 2022 confirms BMD-4M vehicles bearing 76th GAAD markings near Kherson.
  • Sector reassignment (Assessment, High): Casualty notices clustering in Pskov Oblast obituaries between March and May 2022 reference units consistent with 76th GAAD ORBAT structure; combined with geolocated imagery in the Izium sector, this supports reassignment from the Kherson to the Izium axis.
  • Current strength (Assessment, Moderate): Cumulative Oryx-methodology vehicle losses suggest combat-effective strength at approximately 40% of TO&E; this estimate carries moderate confidence because vehicle losses are only one component of unit effectiveness and casualty data is incomplete.
  • Gap: No OSINT confirmation of replacement personnel inflows; cannot assess the rate of unit reconstitution.

Event Sequence Analysis

For escalation ladders, coup dynamics, or crisis chronologies, build an event timeline with source grading for each entry. The timeline is the analytical instrument, not a narrative scaffold. Each entry has three fields beyond date and event: source(s), source grading per the Admiralty Code, and inference level.

The analytical work is in the questions the timeline forces:

  • Which events are independently confirmed by sources with different access and motivation?
  • Which events are single-source? What is the source’s grading?
  • Where are the gaps that the published narrative bridges with assumed continuity? Those gaps are where the analysis is most vulnerable.

For coup analysis specifically, the diagnostic events are not the visible ones (troops in the street) but the precursors: changes in palace-guard rotation, unusual movements of armored units toward the capital, military communications going dark on monitored frequencies, key officials disappearing from public schedule. The timeline forces enumeration of which precursors are confirmed.

Indicator Monitoring

Each scenario from the What-If procedure has been assigned observable indicators. The Indicator Monitoring discipline is to maintain an active watchlist of those indicators and check them against the collection cycle. When an indicator fires:

  1. Record the trigger event and source.
  2. Cross-check the indicator against the scenario it was assigned to.
  3. Update the assessment: is the central case now less probable? Is an alternative scenario now developing?
  4. If the assessment changes, publish an update. The willingness to update on indicator triggers is the operational difference between living analysis and one-shot assessment.

3.2 Cyber Threat Intelligence

Attribution under OSINT constraints is a fundamentally harder problem than institutional CTI. The OSINT analyst does not have victim telemetry, endpoint detection logs, classified IC attribution reporting, or the human-source corpus that allows institutional CTI vendors to assert with confidence “this is APT29.” Pretending otherwise is the most common failure mode in open-source cyber analysis.

This module specifies what OSINT can establish, what it cannot, and how to label attribution honestly.

Infrastructure Analysis

The most tractable OSINT-accessible layer of a cyber operation is its infrastructure: the domains, IP addresses, and certificates used by command-and-control nodes and phishing operations.

  • Domain and IP registration history.
    • WHOIS historical records via DomainTools or WhoisXML (paid) or RiskIQ Community Edition (free, limited).
    • Passive DNS (pDNS) via SecurityTrails, DomainTools, RiskIQ; resolves the time-series of which domains pointed to which IPs.
    • Censys and Shodan for live and historical scan data of exposed services on identified IPs.
  • Certificate transparency logs.
    • crt.sh provides searchable access to public CT logs.
    • Certificate reuse across multiple domains is a strong infrastructure-clustering signal.
  • ASN mapping.
    • BGP route lookup (bgp.he.net, RIPEstat) identifies the autonomous system hosting the infrastructure and its jurisdiction.
    • Bulletproof hosting providers (BPH) appear repeatedly as the upstream for known-malicious infrastructure; the BPH list is a useful prior.
  • Hosting pattern analysis.
    • Specific hosting providers are disproportionately used by specific threat clusters. This is pattern-of-life analysis applied to infrastructure: not deterministic, but probabilistically informative.

TTP Mapping to MITRE ATT&CK

From public malware analysis (VirusTotal, MalwareBazaar, Hybrid Analysis, any.run public sandbox runs) and vendor threat reports, the analyst extracts the techniques used and maps them to the MITRE ATT&CK matrix.

Critical analytical caveat: OSINT-based TTP attribution is technique-level, not actor-level. The same technique (e.g., T1566.001 — Phishing: Spearphishing Attachment) appears across dozens of unrelated actors. Technique convergence is necessary but not sufficient for actor attribution.

What ATT&CK mapping does enable, even at the technique level:

  • Comparison across reports: are the techniques in this campaign consistent with techniques previously reported for a candidate actor?
  • Detection engineering: techniques map to detections that defenders can deploy.
  • Trend analysis: which techniques are rising across the OSINT corpus?

Attribution Floor and Ceiling

The honest analyst publishes their attribution at the floor — the level of specificity the evidence actually supports — and identifies the ceiling — the level beyond which OSINT alone cannot reach.

What OSINT can establish with high confidence:

  • The techniques used (with caveats on technique-level resolution).
  • Infrastructure patterns and overlaps.
  • Targeting selection (which sectors, which geographies, which language localizations).
  • Malware family classification and its lineage where source code or compiled artifacts are available for analysis.

What OSINT can establish with moderate confidence:

  • The state-nexus, when multiple indicators converge: infrastructure jurisdictionally aligned with a candidate state, targeting that aligns with that state’s known intelligence priorities, language artifacts in malware, working-hours patterns consistent with a specific timezone, public attribution by sovereign CERTs or by reputable industry vendors with disclosed methodology.
  • The campaign clustering (these intrusions are likely the same actor as those intrusions).

What OSINT almost never can establish with high confidence:

  • Specific unit attribution at the APT29-vs-APT28 level without victim telemetry, classified corroboration, or formal IC/CERT attribution.
  • Individual actor identity within a cluster.

Operational rule: if the only evidence for a state-actor attribution is “the targeting aligns with State X’s interests and the infrastructure is in State X,” the floor is “state-nexus assessed, moderate confidence,” not “attributed to State X.” Targeting alignment plus jurisdictional infrastructure is consistent with many alternative hypotheses, including false-flag operations and unaffiliated criminal actors operating opportunistically within that jurisdiction.

Campaign Correlation

Linking two campaigns to the same actor cluster relies on overlap analysis across multiple dimensions:

  • Shared infrastructure. IP reuse, domain naming convention reuse, SSL certificate reuse, hosting-provider reuse.
  • Code similarity. Same malware family indicators (YARA rules, import hashes, compiler artifacts), shared code segments identified by tools like BinDiff.
  • Targeting overlap. Same victim sectors, same victim geographies, same language localizations in phishing lures.
  • Timing patterns. Working-hours patterns and operational tempo.

Each overlap is a data point, not confirmation. Convergence across multiple overlap dimensions is what raises attribution confidence. A single overlap (shared IP) is consistent with infrastructure recycling by a bulletproof host serving multiple unrelated actors; four overlaps (shared IP, shared TLS certificate, identical malware family, identical victim sectoring) make the alternative hypothesis (coincidence) implausible.
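The overlap dimensions above, as an added Python example (not the chapter's own code) that scores two campaign records dimension by dimension and returns the attribution floor the count supports. The campaign records, certificate fingerprints and the thresholds (timing overlap at a Jaccard index of 0.6; counts of 1, 2 to 3, and 4 or more mapped to no link, moderate and high) are this example's assumptions; the IP addresses are RFC 5737 documentation addresses and the ASNs are from the private-use range. ATT&CK technique overlap is reported but deliberately not counted, since the text treats it as technique-level evidence only, and IP reuse is discounted when every shared address sits in a known bulletproof host.

```python
"""Campaign-correlation scoring over the overlap dimensions in the text.

Added example, not the chapter's own code. Campaign records, certificate
fingerprints and thresholds are constructed; IPs are RFC 5737
documentation addresses and ASNs are from the private-use range.
"""
from dataclasses import dataclass


@dataclass
class Campaign:
    name: str
    ips: frozenset               # C2 and phishing IPs observed
    ip_asn: dict                 # ip -> hosting ASN from a BGP lookup
    cert_sha256: frozenset       # TLS certificate fingerprints (CT logs / pDNS)
    malware_families: frozenset
    victim_sectors: frozenset
    lure_languages: frozenset
    active_hours_utc: frozenset  # hours 0-23 with observed operator activity
    techniques: frozenset        # ATT&CK technique IDs (technique-level only)


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0


def correlate(a, b, bph_asns=frozenset(), hours_threshold=0.6):
    """Count overlap dimensions and map the count to an attribution floor."""
    shared_ips = a.ips & b.ips
    # A shared IP inside a known bulletproof host is consistent with the host
    # recycling infrastructure across unrelated actors, so it is reported but
    # not counted as an overlap.
    ip_counts = bool(shared_ips) and not all(
        a.ip_asn.get(ip) in bph_asns for ip in shared_ips)
    dims = {
        "shared_ip": ip_counts,
        "shared_certificate": bool(a.cert_sha256 & b.cert_sha256),
        "malware_family": bool(a.malware_families & b.malware_families),
        "victim_sector": bool(a.victim_sectors & b.victim_sectors),
        "lure_language": bool(a.lure_languages & b.lure_languages),
        "timing": jaccard(a.active_hours_utc, b.active_hours_utc) >= hours_threshold,
    }
    n = sum(dims.values())
    if n == 0:
        floor = "no cluster link"
    elif n == 1:
        floor = "single overlap; consistent with recycled infrastructure, no cluster link asserted"
    elif n <= 3:
        floor = "possible cluster link (moderate confidence)"
    else:
        floor = "cluster link assessed (high confidence)"
    return {
        "pair": (a.name, b.name),
        "dimensions": dims,
        "overlap_count": n,
        "floor": floor,
        "discounted_bph_ip_reuse": bool(shared_ips) and not ip_counts,
        # Reported, never counted: the same technique appears across many
        # unrelated actors, so technique convergence is not actor evidence.
        "technique_jaccard": jaccard(a.techniques, b.techniques),
    }


BPH_ASNS = frozenset({"AS64513"})  # constructed: treated as a known bulletproof host

ALPHA = Campaign(
    "ALPHA", frozenset({"192.0.2.10", "192.0.2.11", "198.51.100.9"}),
    {"192.0.2.10": "AS64512", "192.0.2.11": "AS64512", "198.51.100.9": "AS64513"},
    frozenset({"sha256:constructed-cert-A", "sha256:constructed-cert-B"}),
    frozenset({"ConstructedLoader"}), frozenset({"energy", "government"}),
    frozenset({"uk"}), frozenset(range(6, 15)),
    frozenset({"T1566.001", "T1059.001", "T1071.001"}))
BRAVO = Campaign(
    "BRAVO", frozenset({"192.0.2.11", "198.51.100.5"}),
    {"192.0.2.11": "AS64512", "198.51.100.5": "AS64514"},
    frozenset({"sha256:constructed-cert-B"}),
    frozenset({"ConstructedLoader"}), frozenset({"government", "telecom"}),
    frozenset({"pl"}), frozenset(range(13, 22)),
    frozenset({"T1566.001", "T1059.001", "T1105"}))
CHARLIE = Campaign(
    "CHARLIE", frozenset({"198.51.100.9"}), {"198.51.100.9": "AS64513"},
    frozenset({"sha256:constructed-cert-C"}), frozenset({"OtherFamily"}),
    frozenset({"retail"}), frozenset({"de"}), frozenset(range(0, 8)),
    frozenset({"T1566.001", "T1059.001"}))

if __name__ == "__main__":
    for pair in ((ALPHA, BRAVO), (ALPHA, CHARLIE)):
        print(correlate(*pair, bph_asns=BPH_ASNS))
```

ALPHA and BRAVO match on four counted dimensions (IP, certificate, malware family, sector), which is the page's four-overlap case. ALPHA and CHARLIE share two of three ATT&CK techniques and one IP, but the IP sits in the constructed bulletproof ASN and technique overlap is never counted, so the floor stays at "no cluster link"; remove the bulletproof list and the same pair becomes a single, explicitly weak overlap.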

3.3 Financial Crime and Corporate Due Diligence

Corporate Structure Unraveling

Shell-company stacking, beneficial-ownership concealment, and nominee-director structures are the primary analytical challenges in financial-crime OSINT. The objective is to trace formal corporate structure outward from a target entity until the beneficial owner is identified or the trace exhausts available evidence.

Methodology:

  1. Enumerate registered entities. Pull all directly observable corporate records:

    • UK: Companies House (free, comprehensive, including filings and beneficial-ownership disclosures under the PSC regime).
    • US federal: SEC EDGAR for public companies and certain filings.
    • US state: Delaware Division of Corporations (limited free access; LLC structures notoriously opaque), New York DOS, others variable.
    • International: OpenCorporates aggregates many jurisdictions but coverage and freshness are uneven.
    • National registries: BVI (limited public access post-FATF reforms), Cayman (very limited), Cyprus (paid access via Department of Registrar of Companies), Liechtenstein (very limited).
  2. Map directorship networks. Who is a director in multiple companies in the structure? OpenCorporates graph queries surface “shared director” relationships. Manual cross-reference is often necessary because of name variations and transliteration.

  3. Identify nominee-indicator patterns. A small set of professional registered agents appears as director or shareholder across hundreds or thousands of companies. The pattern is diagnostic: a director listed at 400+ companies, registered to a corporate-services office address, is functionally certain to be a nominee.

  4. Trace shareholder chains. Identify each layer of ownership and its jurisdiction. Flag the high-opacity layers: BVI, Cayman, Delaware LLCs, Liechtenstein foundations, Marshall Islands, Seychelles, Anjouan. A chain that passes through three of these in sequence is signaling deliberate opacity.

  5. Apply beneficial-ownership leak databases.

    • ICIJ Offshore Leaks (Panama Papers, Paradise Papers, Pandora Papers, FinCEN Files, Dubai Unlocked).
    • OpenOwnership (consolidated beneficial-ownership data from participating jurisdictions).
    • Aleph (OCCRP) for combined sanctions, leaks, and registry data with cross-referencing.
  6. Cross-reference against sanctions lists. OpenSanctions is the best single source: free API, consolidated across OFAC, EU consolidated list, UK OFSI, UN, Canada, Australia, and PEP (politically exposed person) databases. Use the Aleph search to find connections that are not direct sanctions hits but are network-adjacent.

Worked example: Investigating beneficial ownership behind a Cypriot trading entity:

  • Layer 1 (Fact): Cypriot Registrar shows registered shareholder is a BVI company.
  • Layer 2 (Assessment, High): BVI company has no public disclosure, but Pandora Papers references match the entity name to a UK SLP (Scottish Limited Partnership) as partner.
  • Layer 3 (Fact): UK SLP filings (Companies House) show two partners, both Seychelles IBCs.
  • Layer 4 (Gap): Seychelles IBCs have no public ownership data. Trace exhausts here on direct evidence.
  • Pivot (Assessment, Moderate): The named UK SLP partner address matches a corporate-services provider previously identified in OCCRP reporting as facilitating Russian beneficial-ownership concealment. This raises the prior for a Russian beneficial owner but does not confirm identity.
  • Gap labeled in published product: Beneficial ownership of underlying Seychelles entities cannot be confirmed from public sources; a collection path forward would be acquisition of any leaked data from the corporate-services provider in question.
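Steps 1 to 6 and the worked example above, as an added Python example (not the chapter's own code): it walks shareholder links outward from a subject until the trace exhausts, reports the gaps, measures the longest run of consecutive high-opacity jurisdictions on any path, flags nominee-pattern directors, finds directors shared across entities, and runs a name-normalised list check across the whole structure rather than the subject alone. The registry records, director records, addresses and sanctions entries are constructed and the names are invented; the high-opacity jurisdiction list, the 400-appointment nominee pattern and the three-in-sequence rule come from the text.

```python
"""Shareholder-chain tracing, opacity signal, nominee pattern and list check.

Added example, not the chapter's own code. Registry records, director
records, addresses and the sanctions list are constructed; names are
invented. shareholders=None marks a jurisdiction with no public ownership
data, which is where the trace exhausts on direct evidence.
"""
import re

HIGH_OPACITY = {"BVI", "Cayman", "Delaware LLC", "Liechtenstein",
                "Marshall Islands", "Seychelles", "Anjouan"}

REGISTRY = {  # constructed; mirrors the Cypriot example, plus a stacked second chain
    "CY-001": dict(name="Example Trading Ltd", jurisdiction="Cyprus", grade="Fact",
                   shareholders=["BVI-001"], directors=["P-1"]),
    "BVI-001": dict(name="Northline Holdings", jurisdiction="BVI",
                    grade="Assessment, High", shareholders=["SLP-001"], directors=[]),
    "SLP-001": dict(name="Northline Partners SLP", jurisdiction="UK SLP", grade="Fact",
                    shareholders=["SC-001", "SC-002"], directors=["P-2"]),
    "SC-001": dict(name="Coral IBC", jurisdiction="Seychelles", grade="Gap",
                   shareholders=None, directors=[]),
    "SC-002": dict(name="Reef IBC", jurisdiction="Seychelles", grade="Gap",
                   shareholders=None, directors=[]),
    "CY-002": dict(name="Harbour Metals Ltd", jurisdiction="Cyprus", grade="Fact",
                   shareholders=["BVI-002"], directors=["P-2"]),
    "BVI-002": dict(name="Harbour BVI", jurisdiction="BVI", grade="Fact",
                    shareholders=["KY-001"], directors=[]),
    "KY-001": dict(name="Harbour Cayman", jurisdiction="Cayman", grade="Fact",
                   shareholders=["MH-001"], directors=[]),
    "MH-001": dict(name="Harbour Marshall", jurisdiction="Marshall Islands", grade="Gap",
                   shareholders=None, directors=[]),
}
DIRECTORS = {  # constructed: appointment counts and registered addresses
    "P-1": dict(name="Andreas Example", appointments=3, address="12 Residential St, Limassol"),
    "P-2": dict(name="Corporate Agent One", appointments=412,
                address="Suite 4, Constructed Corporate Services House"),
}
CORPORATE_SERVICES_ADDRESSES = {"Suite 4, Constructed Corporate Services House"}
SANCTIONS_LIST = ["HARBOUR METALS LTD.", "Unrelated Listed Person"]  # constructed


def ownership_paths(root, registry, _seen=()):
    """All root-to-terminal paths as lists of (entity_id, jurisdiction). A
    terminal is an entity with no ownership data, one missing from every
    available registry, or a cycle back to an entity already on the path."""
    rec = registry.get(root)
    if rec is None:
        return [[(root, "unknown")]]
    if not rec["shareholders"] or root in _seen:
        return [[(root, rec["jurisdiction"])]]
    paths = []
    for sh in rec["shareholders"]:
        for tail in ownership_paths(sh, registry, _seen + (root,)):
            paths.append([(root, rec["jurisdiction"])] + tail)
    return paths


def longest_opacity_run(path):
    """Longest run of consecutive high-opacity layers on one path."""
    best = run = 0
    for _, jurisdiction in path:
        run = run + 1 if jurisdiction in HIGH_OPACITY else 0
        best = max(best, run)
    return best


def opacity_signal(root, registry):
    """Max run over all paths; the text reads three in sequence as deliberate opacity."""
    return max(longest_opacity_run(p) for p in ownership_paths(root, registry))


def gaps(root, registry):
    """Terminals where the trace exhausts on direct evidence."""
    out = set()
    for p in ownership_paths(root, registry):
        eid, jurisdiction = p[-1]
        rec = registry.get(eid)
        if rec is None or rec["shareholders"] is None:
            out.add((eid, jurisdiction))
    return sorted(out)


def nominee_candidates(directors, cs_addresses, threshold=400):
    """Directors at threshold+ companies registered to a corporate-services address."""
    return sorted(pid for pid, d in directors.items()
                  if d["appointments"] >= threshold and d["address"] in cs_addresses)


def shared_directors(registry):
    """person -> sorted entity ids, for persons directing more than one entity."""
    seats = {}
    for eid, rec in registry.items():
        for pid in rec["directors"]:
            seats.setdefault(pid, set()).add(eid)
    return {pid: sorted(eids) for pid, eids in seats.items() if len(eids) > 1}


def _norm(name):
    """Casefold, drop punctuation and collapse whitespace before comparing names."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", name.casefold()).split())


def sanctions_hits(root, registry, directors, sanctions):
    """List-check the subject and every entity and director in its structure."""
    listed = {_norm(n) for n in sanctions}
    names = set()
    for p in ownership_paths(root, registry):
        for eid, _ in p:
            rec = registry.get(eid)
            if rec:
                names.add(rec["name"])
                names.update(directors[d]["name"] for d in rec["directors"])
    return sorted(n for n in names if _norm(n) in listed)
```

On the constructed data the Cypriot chain exhausts at two Seychelles IBCs with an opacity run of only one (the UK SLP breaks the sequence), while the second chain runs BVI, Cayman, Marshall Islands and trips the three-in-sequence signal; the shared director P-2 is the pivot that links the two structures, and the normalised list check catches "HARBOUR METALS LTD." against "Harbour Metals Ltd" despite the case and punctuation differences.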

Sanctions Analysis

Sanctions analysis is not list-checking. The list-check is the trivial first step. The analytical work is in the relationships:

  • Is the subject directly on any list (OFAC SDN, EU consolidated, UK OFSI, UN, sectoral)?
  • Are the subject’s affiliates, counterparties, directors, beneficial owners, or family members on any list?
  • Does the corporate structure connect to a sanctioned entity at one or two degrees of separation?
  • Do the transaction patterns show indicators of sanctions evasion?

Sanctions-evasion indicator patterns:

  • Transshipment geography: goods routed through jurisdictions with no plausible commercial reason for inclusion (a flow that goes Russia → Kyrgyzstan → Turkey → EU for goods that would normally go direct).
  • Commodity substitution and HS-code manipulation: dual-use goods classified under benign HS codes; military components shipped as “industrial machinery, other.”
  • Financial structure inconsistent with stated business: a company claiming to be a regional retail importer that handles annual flows of tens of millions of dollars across opaque jurisdictions.
  • Newly incorporated counterparty entities with no prior trading history but immediate large-value transactions.
  • Common addresses, common directors, common bank accounts across nominally independent entities.

Tooling Stack for Financial Crime OSINT

  • Aleph (OCCRP) — combined search across registries, leaks, and sanctions.
  • OpenSanctions — sanctions and PEP database, free API.
  • OpenCorporates — corporate registry aggregator, free tier with rate limits.
  • ICIJ Offshore Leaks Database — Panama, Paradise, Pandora, FinCEN Files.
  • Companies House (UK) — fully free; the most usable major registry in the world.
  • OpenOwnership — beneficial-ownership data where disclosed.
  • Sayari Graph (paid) — premium product; not strictly OSINT given proprietary data integration but commonly used at the boundary.

3.4 Fact-Checking

Fact-checking and intelligence analysis converge methodologically: both rest on source triangulation, claim decomposition, and explicit confidence calibration. The independent analyst often produces work that is fact-checking in genre even when labeled as analysis.

Claim Decomposition

Break the claim under examination into atomic sub-claims, each verifiable independently. The canonical example: a composite claim of the form “Country X bombed hospital Y, killing Z civilians” decomposes into four atomic claims:

  1. Did an airstrike occur at the location and time alleged?
  2. Was the structure struck a hospital (as opposed to a building near a hospital, a former hospital, a dual-use facility)?
  3. Was the structure occupied at the time of the strike?
  4. What was the actual death toll, and what proportion were civilians vs. combatants?

Each sub-claim requires independent verification. The composite claim is true only to the extent every sub-claim is independently confirmed. A common journalistic and analytical failure is to confirm sub-claim 1 and then treat sub-claims 2–4 as inheriting confirmation by association.

Source Triangulation

Each sub-claim must be independently confirmed by sources with demonstrably different access, motivation, and collection method. Three sources that all derive from the same original wire report do not constitute triangulation — they are one source repeated three times.

Diagnostic questions for genuine triangulation:

  • Does Source A have access to information Source B does not? (Different collection method.)
  • Does Source A have a motivation to err in a different direction than Source B? (Different motivation.)
  • Has Source A independently produced its own primary observation, or is it relaying Source B?

When applied rigorously, this test eliminates the majority of apparent multi-source confirmations in fast-moving news cycles.
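Claim decomposition and the triangulation test above, as one added Python example (not the chapter's own code): sub-claims are verified one at a time, every cited source is collapsed to the primary source it relays, and a sub-claim counts as triangulated only when at least two distinct origins differ in both collection method and the interest they serve. The composite claim stands only when every sub-claim passes. The sub-claims, sources, relay chains and interest labels are constructed; the two-origin minimum and the both-must-differ rule are this example's reading of the diagnostic questions.

```python
"""Claim decomposition with provenance-collapsed triangulation.

Added example, not the chapter's own code. The sub-claims, sources and
relay chains are constructed. A source that relays another is counted as
the source it relays, so several outlets reprinting one wire report
collapse to a single confirmation.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Source:
    sid: str
    collection: str               # wire, imagery, eyewitness, official statement, ...
    interest: str                 # whose account this serves: party_a, party_b, neutral
    relays: Optional[str] = None  # sid of the source this one merely repeats


@dataclass
class SubClaim:
    text: str
    cited: list                   # source ids offered in support
    refuted_by: list = field(default_factory=list)


def origin(sid, sources):
    """Follow relay pointers to the primary source; cycle-safe."""
    seen = set()
    while sources[sid].relays is not None and sid not in seen:
        seen.add(sid)
        sid = sources[sid].relays
    return sid


def independent_confirmations(cited, sources):
    """Primary origins behind the cited sources: origin -> (collection, interest)."""
    return {o: (sources[o].collection, sources[o].interest)
            for o in {origin(s, sources) for s in cited}}


def triangulated(cited, sources, min_independent=2):
    """At least min_independent origins, two of which differ in both
    collection method (access) and interest (motivation)."""
    conf = list(independent_confirmations(cited, sources).values())
    if len(conf) < min_independent:
        return False
    return any(c1 != c2 and i1 != i2 for (c1, i1) in conf for (c2, i2) in conf)


def subclaim_status(subclaims, sources):
    """'refuted', 'confirmed' or 'unverified' for each sub-claim, in order."""
    out = []
    for sc in subclaims:
        if triangulated(sc.refuted_by, sources):
            out.append("refuted")
        elif triangulated(sc.cited, sources):
            out.append("confirmed")
        else:
            out.append("unverified")
    return out


def composite_confirmed(subclaims, sources):
    """The composite claim stands only when every sub-claim is independently confirmed."""
    return all(s == "confirmed" for s in subclaim_status(subclaims, sources))


SOURCES = {s.sid: s for s in [  # constructed
    Source("wire1", "wire", "neutral"),
    Source("outletA", "wire", "neutral", relays="wire1"),
    Source("outletB", "wire", "neutral", relays="wire1"),
    Source("sat1", "imagery", "neutral"),
    Source("spokesman_a", "official statement", "party_a"),
    Source("ministry", "official statement", "party_b"),
    Source("witness1", "eyewitness", "party_b"),
]}

HOSPITAL_CLAIM = [  # constructed decomposition of "X bombed hospital Y, killing Z civilians"
    SubClaim("An airstrike occurred at the location and time alleged",
             ["wire1", "outletA", "outletB", "sat1", "spokesman_a"]),
    SubClaim("The structure struck was a functioning hospital", ["outletA", "outletB", "wire1"]),
    SubClaim("The structure was occupied at the time of the strike", ["witness1", "ministry"]),
    SubClaim("Z people died, the majority of them civilians", ["ministry"]),
]

if __name__ == "__main__":
    for sc, status in zip(HOSPITAL_CLAIM, subclaim_status(HOSPITAL_CLAIM, SOURCES)):
        print(f"{status:10s} {sc.text}")
    print("composite confirmed:", composite_confirmed(HOSPITAL_CLAIM, SOURCES))
```

The second sub-claim cites three outlets that all collapse to one wire report, so it stays unverified; the third has two genuinely separate origins that serve the same party, so it fails the motivation test; only the first sub-claim is triangulated, and the composite claim therefore does not stand, which is the inheritance-by-association failure the text describes.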

The SIFT Framework

Mike Caulfield’s SIFT framework is the most operationally useful fact-checking heuristic for independent practitioners:

  • Stop. Do not share or act before verification. The urge to share is the bias the framework exists to interrupt.
  • Investigate the source. Before reading the content, investigate who produced it. Source assessment precedes content assessment.
  • Find better coverage. Is this the best available source for the claim, or is there a more authoritative or closer-to-primary source? Trace upward.
  • Trace claims to their original source. Many “widely reported” claims trace back to a single weak origin.

Verdict Language

Fact-checking verdicts must be tiered with explicit evidentiary standards. The canonical scale:

Verdict        | Standard
True           | All atomic sub-claims independently confirmed by high-grade triangulated sources; no plausible alternative reading.
Mostly True    | Core claim confirmed; minor sub-claims uncertain or contested without affecting central conclusion.
Mixed          | Some sub-claims confirmed, some refuted; the composite claim is partially supported.
Mostly False   | Core claim refuted but a related element is true.
False          | Core claim refuted by independent sources.
Unverifiable   | Insufficient evidence in either direction to render a verdict at the current standard of proof.

“Unverifiable” is a complete verdict, not a hedge. It is the analytically honest position when a claim cannot be confirmed or refuted with available evidence. It is also the verdict most often miscoded by analysts uncomfortable with admitting an open question; many published “false” verdicts are properly “unverifiable.”


4. Confidence Calibration Across Domains

Confidence language is the analyst’s contract with the reader. Calibration discipline is uniform across domains: the same probability bands apply whether the assessment is geopolitical, cyber, financial, or fact-checking.

For the underlying framework, see Intelligence Confidence Levels. The operational rules below are the working summary the independent analyst applies at the desk.

PHIA Yardstick application — universal rules for solo analysis:

  • Almost Certain (95–100%). Multiple independent, high-quality sources converge. No plausible alternative explanation.
  • Highly Likely (80–90%). Multiple sources with strong corroboration. Minor alternative hypotheses remain.
  • Likely (55–75%). Balance of evidence favors this conclusion. Meaningful alternative hypotheses exist.
  • Realistic Possibility (40–50%). Evidence supports this conclusion but does not favor it over alternatives.
  • Unlikely (25–35%). Evidence argues against. More likely alternatives exist.
  • Highly Unlikely (10–20%). Evidence argues strongly against; only weak or indirect evidence supports it.
  • Remote Chance (0–5%). Residual probability only. Would require unexpected evidence to revise upward.

The probability ranges are the published PHIA yardstick, and the gaps between them are deliberate: a judgment that sits at 37% or 78% has not finished being calibrated and should be re-examined, not rounded into the nearest band.

Hard rules:

  • Never use “may,” “could,” “might,” or “possible” without an attached PHIA qualifier. The unqualified hedge is the analyst’s most damaging habit: it transfers the analytical work onto the reader, who is invited to assign whatever probability they wish.
  • Confidence bands must be load-bearing. “Almost Certain” should appear only when you would defend the judgment under after-action review with the evidence you have published.
  • Confidence inflation is the failure mode of weekly publication cadence. Under deadline pressure, “Likely” drifts to “Highly Likely” because the latter sounds more authoritative. The discipline is to publish “Likely” when the evidence supports “Likely” and to accept that some readers will mistake calibration for hedging.
  • Confidence and consequentiality are independent. “Realistic Possibility” of a low-consequence event and “Realistic Possibility” of a high-consequence event use the same band. Differentiation is in how prominently the assessment is published, not in confidence inflation.
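Both the yardstick and the first hard rule are checkable before publication. The Python below is an added example, not part of the manual: it maps a numeric probability onto the published PHIA bands (returning None when the number falls into one of the deliberate gaps) and lints a draft for the hedge words "may", "could", "might" and "possible"/"possibly" that appear in a sentence carrying no PHIA qualifier. The sentence-level match is a simplification: a qualifier anywhere in the sentence is taken to cover every hedge in it. The draft paragraph is constructed, and its actors and places are placeholders.

```python
import re

# PHIA probability yardstick as published: (band name, lower bound, upper bound).
# The gaps between bands are part of the yardstick: a judgment at 37% or 78%
# is sent back for re-examination rather than rounded into the nearest band.
PHIA_BANDS = [
    ("Remote Chance", 0.00, 0.05),
    ("Highly Unlikely", 0.10, 0.20),
    ("Unlikely", 0.25, 0.35),
    ("Realistic Possibility", 0.40, 0.50),
    ("Likely", 0.55, 0.75),
    ("Highly Likely", 0.80, 0.90),
    ("Almost Certain", 0.95, 1.00),
]

def phia_band(p: float):
    """Band name for probability p in [0, 1], or None if p falls in a gap between bands."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    for name, lo, hi in PHIA_BANDS:
        if lo <= p <= hi:
            return name
    return None

# Hedge words the hard rule forbids without a qualifier, and the qualifiers themselves.
HEDGE = re.compile(r"\b(may|could|might|possibl[ey])\b", re.IGNORECASE)
QUALIFIER = re.compile(
    r"\b(remote chance|highly unlikely|unlikely|realistic possibility|"
    r"likely|probable|highly likely|almost certain)\b",
    re.IGNORECASE,
)

def unqualified_hedges(text: str):
    """Return [(sentence, [hedge words])] for sentences that hedge with no PHIA qualifier.

    Sentence-level matching is a deliberate simplification: a qualifier
    anywhere in the sentence is taken to cover every hedge word in it.
    """
    findings = []
    for sentence in re.split(r"(?<=[.!?])\s+", text.strip()):
        hedges = HEDGE.findall(sentence)
        if hedges and not QUALIFIER.search(sentence):
            findings.append((sentence, hedges))
    return findings

# Constructed draft paragraph; the division, offensive and regiment are placeholders.
SAMPLE_DRAFT = (
    "The division may be reconstituted before the spring offensive. "
    "It is likely (55-75%) that at least one regiment has returned to Pskov. "
    "Operations could resume in April; we judge this a realistic possibility."
)

if __name__ == "__main__":
    for sentence, hedges in unqualified_hedges(SAMPLE_DRAFT):
        print(f"UNQUALIFIED {hedges}: {sentence}")
    print(phia_band(0.60), phia_band(0.37))
```

On the constructed draft only the first sentence is flagged: "may" stands alone, while "could" in the third sentence is covered by "realistic possibility". The linter is a pre-publication check, not a substitute for the calibration pass; it cannot tell whether the qualifier the analyst attached is the one the evidence supports.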

5. Intelligence Gaps as First-Class Outputs

The independent analyst’s assessment is only as valuable as its transparency about what it does not know. Intelligence gaps are not admissions of failure. They are analytical claims that structure the reader’s uncertainty and, in well-formed analysis, are as important as the central judgment.

A properly specified gap has four fields:

  • Gap. What specific information is missing? Not “we don’t know enough about Actor X” but “we cannot identify whether the 76th GAAD has been reconstituted to combat strength since its withdrawal to Pskov in November.”
  • Impact. How does the gap affect the assessment? Specifically: does it bound the confidence level, restrict the scope, or undermine a load-bearing assumption?
  • Collection path. What source, event, or future disclosure would resolve the gap? “Casualty notices in Pskov Oblast obituaries over the next 60 days; satellite imagery of the Strugi Krasnye training area; lateral acquisitions of leaked Russian MoD personnel data.”
  • Threshold. If the gap is resolved in the positive direction, how would the assessment change? Stating the threshold explicitly forces the analyst to think through what evidence would update the judgment, which is itself a check on whether the judgment is properly formed.

Worked gap statement (cyber):

Gap: We cannot establish whether the C2 infrastructure overlap between Campaign Alpha and Campaign Beta reflects a single actor cluster or shared use of a bulletproof hosting provider serving multiple unrelated actors.

Impact: The current campaign-correlation assessment is moderate confidence. If the gap is resolved against shared-actor attribution, confidence falls to low.

Collection path: Acquisition of further malware samples from either campaign; comparison of working-hours patterns from any new operational indicators; disclosure by industry vendors with victim telemetry.

Threshold: Identification of code similarity beyond the family-classification level, combined with timing-pattern overlap, would raise correlation confidence from moderate to high.

Explicitly labeled gaps serve four operational functions:

  1. Signal to other analysts what collection to prioritize. A well-formed gap is a collection requirement statement.
  2. Protect against false-precision criticism. If a reader objects to the assessment on the grounds of an unstated uncertainty, the gap statement demonstrates the analyst was aware of and bounded that uncertainty.
  3. Provide the audit trail when the assessment is later revised. “The gap was resolved by [event]; the assessment now reads [revision]” is a clean update; “we have changed our mind” is not.
  4. Discipline the analyst. Specifying gaps in the form above is harder than waving at uncertainty in prose. The discipline of specification catches the analyst’s own fuzzier thinking.

Independent analysts often resist explicit gap statements because they feel like admissions of weakness in a competitive publishing environment. The reverse is true. Among serious readers — the audience this manual is written for — the willingness to specify gaps is the strongest single signal of analytical rigor. The assessment that admits what it does not know is the assessment that earns trust on what it does.


6. Solo Analytical Workflow — Operational Synthesis

The disciplines specified above compose into a workflow. The independent practitioner working a consequential assessment should run something close to the following sequence:

  1. Hypothesis generation before deep evidence review. Date-stamp the list.
  2. Collection plan keyed to the hypotheses, with native-language sourcing where the principal actor’s primary language is not English.
  3. Source evaluation per Part 04: Admiralty grading, motivation analysis, triangulation check.
  4. Draft assessment with OSINT-derived evidence labeled Fact / Assessment / Gap.
  5. ACH matrix built against the dated hypothesis list. Set the matrix aside for a deliberate time lag, then return to it and re-score before drawing conclusions.
  6. Key Assumptions Check on the load-bearing assumptions. Convert background assumptions to explicit assessments.
  7. Devil’s advocate brief — 500 words, opposite conclusion, equal vigor.
  8. What-If scenarios — 2–3, with trigger conditions, observable indicators, distinct implications.
  9. Confidence calibration pass — every probabilistic word checked against the PHIA yardstick.
  10. Gap specification — every gap rendered in the four-field format.
  11. Adversarial review per Part 06 — peer simulation, cold-read, or LLM-assisted red team.
  12. Publish. And when an indicator fires, update.

This is more disciplined than the workflow most working journalists and many institutional analysts actually run. That is the point. The independent analyst’s structural disadvantage — no team — is recoverable only by making the workflow more rigorous than the institutional default, not less.


Key Connections