Cyber threat intelligence, in the past, has primarily focused on extracting, preparing, and analyzing indicators of compromise for digital forensics and incident response, the security operations center, and other teams. This talk proposes that cyber threat intelligence analysts extract indicators of emulation and include them in their threat reports for red team operations, adversary emulation, and purple team exercises. Learn how to extract Indicators of Emulation in Windows-based malware for high-value adversary emulation and purple team exercises based upon org specific data. Cyber threat intelligence plays a pivotal role in collecting and analyzing data to produce intelligence for an organization. Most of the cyber threat intelligence reports include indicators of compromise that various teams, such as incident response, hunt, and security operations, consume; however, there is limited intelligence in most threat reports geared towards adversary emulation. As cyber threat intel teams mature through using their internal attack data to produce intelligence, it becomes necessary to determine how to build out existing capabilities and provide additional value to other teams in the organization. Cyber threat intelligence analysts can contribute to adversary emulation and purple team exercises through extracting indicators of emulation to include in their threat intelligence reports for a realistic emulation of the adversary.