Cyber Underground Handbook

Intel 471 General Intelligence Requirements Framework

The Cybercrime Underground General Intelligence Requirements Handbook (CU-GIRH) is a baseline tool to assist security professionals and teams in organizing, prioritizing, and producing cyber underground intelligence.

Central to this handbook are General Intelligence Requirements (GIRs) — a compilation of frequently asked intelligence requirements applicable to the cybercrime underground such as: forums, marketplaces, products, services, and threat actors. Our handbook also contains a list of common intelligence stakeholders and use cases, along with a comprehensive cybersecurity glossary.

The Intel 471 Intelligence Team has been using this framework for years, and we want to share it with the community!


Access to the GIR Handbook includes Intel 471’s intelligence planning workbook - a collection of templates and samples used by intelligence planners to operationalize the GIR framework, gather requirements from stakeholders, and measure success.

Intelligence Planning Essentials

Cyber Underground General Intelligence Requirements Resources

Watch time: 3 minutes

Full introduction and overview into the core concepts of the intelligence planning process using the GIR framework and accompanying worksheets, templates, and samples.

Watch time: 6 minutes

A guide through the first step in the intelligence planning process: PIR selection. You will select, rank, and record all PIRs into a master list known as Collection Guidance.

Watch time: 3 minutes

An overview of the Collection Guidance, which provides a single consolidated list of Priority Intelligence Requirements (PIRs) across the organization.

Watch time: 5 minutes

Step-by-step instructions for building the Collection Plan, which is used to estimate the resources to fulfill the requirements of stakeholders in your organization.

How Does Intel 471 Use Cyber Underground Handbook?

Intel 471 shapes its intelligence collection focus and production based largely on GIRs prioritized by customers. Using the CU-GIRH, each customer identifies and ranks a selection of GIRs which Intel 471 employs as guidance for daily intelligence collection, reporting, and success measurement.

Who Is It For?

Primary users of the CU-GIRH and the corresponding planning workbook are cyber threat intelligence (CTI) planners, analysts, researchers, and collection managers.

How is it used?

The CU-GIRH and workbook can be used or customized in a number of ways.

  • An analyst or researcher can use this as a hip-pocket reference for spotting ad-hoc collection opportunities in the underground.
  • An intelligence planner can use this as a guide to support the development and tracking of intelligence requirements and measuring the intelligence team’s return on investment over time.

The Cyber Underground General Intelligence Requirements Framework

Watch this video to learn about how Intel 471 and customers utilize the GIR framework to enhance the process of cyber threat identification and tracking.