Admiralty Coding Without the Navy — A Plain-Language CTI Grading Toolkit You Can Deploy Today


The British Royal Navy invented the Admiralty System to stop battleships chasing phantoms. Modern CTI teams use it to stop SOC analysts chasing phantoms. Below is a stripped-down, licence-free implementation that tags every intel record in your (free) MISP instance in under 30 minutes.

  1. The One-Sentence Cheat-Sheet
    Source Letter: A – F (reliability of the provider)
    Information Number: 1 – 6 (credibility of this claim)
    Never blend the two; an “A” vendor can still hand you a “4” rumour.
  2. Quick-Fire Reference Card (Pin It on the Wall)

    Source reliability (letter)

    Code  Plain English       Cyber Example
    A     Always right        NSA/CISA joint advisory + you verified hash
    B     Usually right       Tier-1 vendor, history > 6 months
    C     Sometimes right     Reputable researcher on Twitter
    D     Not usually right   Random dark-web handle
    E     Probably lying      Bot pushing “World-ender ransomware”
    F     Unknown             New account, zero history

    Information credibility (number)

    Code  Plain English       Cyber Example
    1     Confirmed           Hash hits your sandbox + two AV engines
    2     Probably true       One independent confirmation
    3     Possibly true       Logical, but no second source
    4     Doubtful            Contradicts known TTPs
    5     Improbable          Timeline impossible (file compiled after report)
    6     Cannot judge        No evidence either way

  3. Five-Line Bash Script — Auto-Tag MISP Events
  4. Fast Calibration Exercise (30 min)
    Pull last 20 dark-web posts.
    Each analyst grades independently.
    Discuss deltas; keep notes in the event.
    Re-grade the same posts 30 days later when ground truth is known.
    Target: ≥ 80 % inter-analyst agreement within two sessions.
  5. Escalation Rule You Can Automate
    Tag ≥ B2 → auto-create high-priority alert.
    Tag ≤ C3 → drop into weekly digest.
    Tag E/F or 4/5/6 → suppress unless corroborated.
  6. Common Pitfall — “My Vendor Is Always A”
    A top-tier feed that mis-calls a CVE impact is downgraded to A4 for that report. Next week they may be A1 again. Dynamic scoring prevents blind trust.
  7. Bottom Line
    Admiralty coding turns 500 daily alerts into 12 that deserve human eyes. Implement the taxonomy once, automate the tagging, and your analysts stop drowning in noise—they start hunting adversaries.