Malicious cyber activity continues to evolve rapidly, with an expanding set of tools available to a growing range of threat actors. The public and private sector have yet to fully evolve their threat models, defenses, and courses of action in line with this landscape. While frameworks for indications and warning (I&W) – and “warning intelligence” – have matured in other intelligence domains, cyber I&W remains nascent and ill-defined. The lack of such a framework has resulted in an absence of best practices and lessons learned.