Understanding cognitive biases isn't optional for analysts.
Confirmation bias. Anchoring. Mirror imaging. Groupthink.
If you don't know what these are, you're making analytical errors you can't even see.
That's what theory teaches you.
#cybersecurity #cyberthreatintelligence
We've interviewed analysts who could navigate any platform you put in front of them.
Couldn't explain what an intelligence requirement was. Couldn't articulate confidence levels. Couldn't structure an assessment.
Tools without theory produce technicians, not analysts.
Why does CTI theory matter?
Because when the tool you learned on gets replaced, you're starting from zero.
When you understand the principles behind the work, you adapt. New tool, same tradecraft.
#cybersecurity #cyberthreatintelligence #threatintelligence
Knowing how to query Splunk doesn't make you an intelligence analyst.
Knowing how to formulate intelligence requirements, evaluate sources, apply analytical rigour and communicate findings does.
Tools change. Tradecraft endures.
#cybersecurity #cyberthreatintelligence
Theory without practice is academic.
Practice without theory is just button pushing.
The analysts who understand WHY they're doing something will always outperform those who only know HOW.
#cybersecurity #cyberthreatintelligence #threatintelligence
You can teach someone to use a SIEM in a week.
Teaching them to think like an intelligence analyst takes much longer.
One is a tool skill. The other is a discipline.
Guess which one actually makes you valuable?
#cybersecurity #cyberthreatintelligence #threatintelligence
Genuine question for the CTI community:
What was the inflection point where your programme went from drowning in data to actually producing intelligence?
What changed?
We'd love to hear your experiences.
#cybersecurity #cyberthreatintelligence #threatintelligence
If your analysts spend 80% of their time on collection and 20% on analysis, your ratios are inverted.
The transformation from data to intelligence happens in analysis.
That's where the value is created.
#cybersecurity #cyberthreatintelligence #threatintelligence
You can't protect against what you don't understand.
That's not a slogan. It's why frameworks like CBEST and TIBER-EU mandate threat intelligence before penetration testing.
Context changes everything.
#cybersecurity #cyberthreatintelligence #threatintelligence
Should intelligence requirements come from stakeholders or analysts?
Stakeholders know what decisions they need to make.
But analysts often see threats stakeholders don't know to ask about.
Where do you land?
#cybersecurity #cyberthreatintelligence #threatintelligence
CROSSCAT principles for intelligence:
Centralised
Responsive
Objective
Systematic
Sharing
Continuous review
Accessible
Timely
Which one does your organisation struggle with most?
#cybersecurity #cyberthreatintelligence #threatintelligence
The dark web is not the only source of threat intelligence.
Your own SIEM logs. Phishing reports. Incident data. Public government advisories. Researcher blogs. Industry sharing groups.
Collection sources are broader than most realise.
#cybersecurity #cyberthreatintelligence
Three ways organisations waste money on threat intelligence:
1. Buying feeds nobody analyses
2. Hiring analysts then burying them in alert triage
3. Subscribing to reports nobody reads
Any of these sound familiar?
#cybersecurity #cyberthreatintelligence #threatintelligence
We've seen million-pound threat intelligence platforms that couldn't answer basic questions about who targets the organisation.
We've also seen free tools in the right hands produce genuinely actionable insight.
The tool isn't the differentiator.
#cybersecurity
The best intelligence in the world is worthless if:
→ It arrives too late
→ It's in the wrong format
→ It doesn't reach the right people
→ Nobody acts on it
Production is only half the job.
#cybersecurity #cyberthreatintelligence #threatintelligence
Question for CTI folks:
Do you let threat intelligence drive vulnerability patching priority?
Or is a critical CVE always a critical CVE regardless of who's exploiting it?
Genuinely curious where people land on this.
#cybersecurity #cyberthreatintelligence #threatintelligence
A 50-page threat report is useless if your CISO needed a one-page brief.
Intelligence that doesn't reach decision-makers in usable formats isn't intelligence. It's documentation.
#cybersecurity #cyberthreatintelligence #threatintelligence