Asymmetric Cyber Defence
National-level cyber threat analysis coordinated with CERT-EE (Estonia) and CERT-Polska (Poland), combining malware analysis, network forensics, threat intelligence correlation and incident response under strict disclosure controls.
2 National CERTs · 3 Disclosure Tiers · 4 Expert Domains
The Problem
National CERT teams operate under severe constraints not present in commercial cybersecurity:
- Attribution claims carry geopolitical consequences and must meet evidentiary standards beyond commercial threat intel
- Sensitive findings require tiered disclosure, with different audiences receiving different detail levels
- Cross-border coordination between CERTs requires standardized finding formats and shared taxonomies
- Threat actors actively evolve techniques during investigation, requiring real-time expert re-evaluation
The challenge for FDRP: how to apply progressive disclosure and cross-model verification in a domain where information sensitivity sets hard boundaries on what may be shared with which verification models, and at which level of detail.
FDRP Application
Progressive Disclosure Tiers
Findings were classified into three disclosure tiers, with verification processes adapted to each tier's sensitivity constraints.
| Tier | Audience | Content | Verification |
|---|---|---|---|
| Public | General public, media | Threat advisories, general indicators, mitigation guidance | Full cross-model (3 LLMs) |
| Restricted | CERTs, ISPs, critical infrastructure | Specific IOCs, TTPs, network indicators | Dual-model with sanitized inputs |
| Classified | National security, law enforcement | Attribution analysis, source intelligence, active operations | Single-model with human review |
Domain-Specific Expert Expansion
- Malware: binary analysis, packing detection, C2 protocol reverse engineering
- Network: traffic analysis, lateral movement detection, exfiltration patterns
- Geopolitical: attribution frameworks, nation-state TTP correlation, diplomatic context
- Legal: EU NIS2 compliance, cross-border evidence handling, disclosure obligations
Key Outcomes
- Cross-Model Attribution Verification: threat attribution claims were independently evaluated by multiple models, each prompted as a specialist in the relevant TTP domain. Disagreements between models triggered mandatory human review before any attribution was included in CERT reports.
- Tiered Report Generation: a single analysis pipeline produced reports at all three disclosure tiers simultaneously, with automated redaction gates preventing classified content from appearing in restricted or public outputs.
- Multi-CERT Coordination Protocol: a standardized finding format enabled CERT-EE and CERT-Polska to cross-reference findings against their own intelligence, identifying shared threat actors operating across both nations.
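The two gates described above (a redaction gate between tiers, and routing of model disagreement to human review) as an added worked example. This is illustrative code written for this page, not FDRP's pipeline or CERT tooling; the finding layout, the `markers` field, the tier names and all sample findings are assumptions made here, and the IP address is from the TEST-NET-3 documentation range. The point it makes beyond the text: a tier filter on its own is not enough, because a lower-tier finding can quote a classified token in its prose, so the gate runs over the rendered text rather than over the selection logic.

```python
# Added example (not code from the original page or from the FDRP project):
# one pipeline emitting public / restricted / classified reports, with an
# independent redaction gate that refuses to release a lower-tier report
# containing content bound to a higher tier. Finding layout, marker field,
# tier names and sample findings are assumptions made for this example.
from dataclasses import dataclass

TIER_ORDER = {"public": 0, "restricted": 1, "classified": 2}


@dataclass(frozen=True)
class Finding:
    tier: str                    # lowest audience tier allowed to see this finding
    text: str                    # the finding as it would appear in a report
    markers: tuple = ()          # tokens bound to this tier (source handles, actor names)


class RedactionViolation(Exception):
    """Raised when higher-tier content is found in a lower-tier report."""


def build_report(findings, audience_tier):
    """Include every finding whose tier is at or below the audience tier."""
    level = TIER_ORDER[audience_tier]
    return "\n".join(f.text for f in findings if TIER_ORDER[f.tier] <= level)


def redaction_gate(report, findings, audience_tier):
    """Independent check on the rendered text, not on the selection logic.

    Catches the case the selection filter cannot: a lower-tier finding whose
    prose quotes a classified marker (e.g. an analyst pasted an actor name
    or source handle into a restricted IOC note).
    """
    level = TIER_ORDER[audience_tier]
    for f in findings:
        if TIER_ORDER[f.tier] <= level:
            continue                      # this finding is allowed at this tier
        for token in (f.text, *f.markers):
            if token and token in report:
                raise RedactionViolation(
                    f"{f.tier} content reached the {audience_tier} report: {token!r}"
                )
    return report


def generate_all(findings):
    """Render all three tiers from one finding set; any gate failure aborts the run."""
    return {
        tier: redaction_gate(build_report(findings, tier), findings, tier)
        for tier in TIER_ORDER
    }


def attribution_decision(model_verdicts):
    """Cross-model attribution check: unanimous verdicts are accepted;
    any disagreement is routed to human review before the claim is reported."""
    distinct = set(model_verdicts)
    if len(distinct) == 1:
        return ("accepted", distinct.pop())
    return ("human_review", None)


# Constructed sample findings (IP from the TEST-NET-3 documentation range;
# actor and source names are placeholders, not real attributions).
SAMPLE_FINDINGS = (
    Finding("public", "Advisory: phishing campaign targeting energy-sector staff; "
                      "enforce MFA and block macro-enabled attachments."),
    Finding("restricted", "IOC: C2 beaconing to 203.0.113.45 over TLS, SNI c2.example.net."),
    Finding("classified", "Attribution: cluster assessed as ACTOR-X on SOURCE-7 reporting.",
            markers=("ACTOR-X", "SOURCE-7")),
)

# Same set plus a restricted note that leaks a classified marker in its prose.
LEAKY_FINDINGS = SAMPLE_FINDINGS + (
    Finding("restricted", "IOC note: infrastructure overlaps the ACTOR-X cluster."),
)


def leak_is_blocked():
    """True if the gate refuses to release the leaky restricted report."""
    try:
        generate_all(LEAKY_FINDINGS)
    except RedactionViolation:
        return True
    return False


if __name__ == "__main__":
    for tier, body in generate_all(SAMPLE_FINDINGS).items():
        print(f"== {tier} ==\n{body}\n")
    print("leak blocked:", leak_is_blocked())
    print(attribution_decision(["ACTOR-X", "ACTOR-X", "ACTOR-Y"]))
```

Running the block prints the three tier reports for the clean finding set, shows the gate aborting the run for the leaky set, and routes the 2-of-3 attribution split to human review. In a real pipeline the marker list would be populated from the classified finding's structured fields (source identifiers, actor cluster names, operation names) rather than typed by hand, and the gate would run as a separate step with its own audit log so that a change to the selection logic cannot silently weaken it.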