Threat intelligence · Writing

How to write a CTI brief that actually gets read

The single most useful skill we teach in the threat-intel track is also the least technical: producing a 2-page brief the duty analyst will read at 03:00.

Threat intelligence courses spend a lot of time on the intelligence cycle and the Diamond Model. That is fine. What they spend less time on, and what makes the difference in the field, is writing for a tired analyst at 03:00 who has nine other tabs open.

Three habits separate briefs that get read from briefs that get filed. First, the lead is the conclusion, not the context. The duty analyst needs to know what action this brief implies before they decide whether to keep reading. We teach the "BLUF" pattern — bottom line up front — and then run two cohorts of brief-writing drills against it. Most learners write a polished narrative on attempt one and a useful brief on attempt three.

Second, source weighting is visible, not implied. If you are confident about an indicator because it came from a high-trust feed, say so. If you are uncertain because the source is one Twitter post and a screenshot, say that too. Confidence language ("we assess with moderate confidence...") is not a stylistic choice; it is a load-bearing piece of communication.

Third, what NOT to investigate gets a paragraph. The hardest skill in CTI is deciding what is not worth the SOC's attention. A brief that explicitly says "we are not pursuing X because Y" earns trust the next time it does recommend pursuit.

Most of this is unteachable in a slide. We learn it through brief writing, mentor review, and arguing about feedback. Six weeks of that is the closest we have to a shortcut.