
Future of Threat Intelligence

Team Cymru
Latest episode

116 episodes

  • Future of Threat Intelligence

    The CVSS problem: why severity scores don't predict what gets exploited

    21.05.2026 | 45 min.
    Patrick Garrity, Security Researcher at VulnCheck, has a data problem with how the industry prioritizes vulnerabilities, and the data is his own. After manually categorizing roughly 800 exploited vulnerabilities by technology type each year, what he keeps finding is that the CVSS severity distribution of exploited CVEs tracks closely with the overall CVE population. This means the scoring system most teams use to decide what gets patched first has no meaningful relationship to what threat actors are actually targeting. He hasn't yet sliced it fully by category, but what's already visible is enough to warrant rethinking your triage logic.
    He also walks through VulnCheck's exploitation velocity data: roughly 29% of exploited CVEs already have exploitation evidence on or before the day the CVE is published. His read on that number is direct: if you're in that bucket, you're likely already compromised before you've had a chance to prioritize the patch.

    Topics discussed:
    Why the CVSS severity distribution of exploited CVEs mirrors the overall CVE population

    Exploitation velocity data: roughly 29% of exploited CVEs have evidence on or before CVE publish date

    How MFA adoption shifted threat actor focus from credential compromise to direct exploitation

    Tree map methodology for categorizing 800+ exploited vulnerabilities by technology type annually

    Cascading vulnerability research: how one high-profile exploit draws threat actors and researchers to adjacent products

    Source validation framework for assessing reliability across 118+ exploitation evidence reporters

    Vendor security-through-obscurity blocking defenders from building detections

    EU Cyber Resilience Act mandating 24-72 hour exploitation disclosure windows in 2026

    How Coalition uses vendor risk indices to set cyber insurance rates based on technology stack

    Key Takeaways: 
    If your remediation SLAs are gated on CVSS score, you're likely deprioritizing real exposure. Patrick's data shows the severity distribution of what gets exploited tracks the overall CVE population, not a cluster at the critical end.

    For any CVE where exploitation evidence predates the publish date, treat it as a probable breach, not a patching event. Patrick's framing: you're "likely already compromised." IR engagement should precede remediation, not follow it.

    When a major exploitation event lands on a product, immediately pull your full inventory for adjacent products in the same technology category. Both threat actors and researchers start looking at related products the moment a category gets attention.

    Audit your network edge devices for end-of-support and end-of-life status. Many of these products carry 20-30 years of tech debt and were never built with product security as a baseline consideration.

    When evaluating or renewing network security products, ask the vendor directly: what does your vulnerability disclosure process look like, and is patching automated? If remediation requires a manual change control window every time, that's a structural liability that compounds under pressure.

    Push back on vendors who restrict patch details or technical indicators to paying customers. Threat actors who already reversed the product don't need that information. Defenders who are trying to build detections do.

    Look at how insurance carriers like Coalition score your technology stack by vendor risk. If products you're running carry a high-risk rating in those indices, that's worth taking into a vendor conversation or a board briefing; it's independent, data-backed validation that your exposure is real.

    Listen to more episodes: 
    Apple 
    Spotify 
    YouTube
    Website
  • Future of Threat Intelligence

    Unit 42's Andrew Rathbun on the Sysmon Configuration Mistake Enterprises Are Making

    07.05.2026 | 42 min.
    Andrew Rathbun, Senior Consultant at Palo Alto Networks Unit 42, has spent years tearing apart Windows endpoints across ransomware, APT, insider threat, and DPRK IT worker cases. His read on the state of enterprise Windows logging is blunt: most organizations have spent significant money on detection tooling while leaving the native forensic record so truncated that proving an intrusion timeline is nearly impossible. He introduces the "conveyor belt of volatility" as a forensic lens: every second, events fall off the back end of your log, and the default sizes Microsoft ships are a relic of 2002 disk economics. Accepting those defaults in a contemporary environment isn't a configuration oversight; it's a gift to the attacker.
    The conversation goes deep on the four artifacts on what Andrew calls his sysadmin Christmas list: Sysmon, the Security Event Log, Volume Shadow Copies, and the $J USN Journal, and why each is typically either absent, stale, or undersized when he arrives on a case. He also covers what DPRK IT worker cases look like from the endpoint, why EDR alert queues are generating true positives that go ignored for days, and how he actually uses AI on cases, including a specific example of generating a PowerShell script to convert Linux audit log epoch timestamps to human-readable time, a script he's been running in production for years.

    Topics discussed:
    The "conveyor belt of volatility" framework for understanding Windows event log retention

    Why accepting default log sizes actively shortens the forensic timeline available during incident response

    Why Sysmon's inclusion in Windows 11 is long overdue, and how stale installations with outdated event IDs are a common unforced error in enterprise environments

    How volume shadow copies can extend forensic visibility across months of attacker activity

    The $J USN Journal as a file system ledger for every file creation, deletion, rename, and size change on a Windows partition

    Why EDR is a mandatory but insufficient control, including how alert fatigue causes true positives to be miscategorized as false positives

    What DPRK fake IT worker cases look like from the endpoint, including the forensic value of USB artifact timestamps

    How AI functions as a genuine force multiplier in DFIR while remaining unreliable as a source of authoritative forensic ground truth

    Why GitHub fluency, not tool mastery, is the foundational skill for anyone entering digital forensics

    Key Takeaways: 
    Size the Windows Security event log to at least 1 GB. The default 32 MB cycles 4624/4625 events fast enough that authentication history from the week before your incident is already gone.

    Deploy Sysmon and keep it current. Treat version currency as a security control.

    Size the $J USN Journal appropriately on all Windows partitions. It's a file system ledger of every create, delete, rename, and resize.

    Enable volume shadow copies and treat retention depth as a forensic asset. 

    Alert on Security event ID 1102 and System event ID 104. These signal clearing of the Security log and of the other event logs, respectively.

    Audit EDR queues for true positives closed as false positives.  

    Baseline USB artifact timestamps and KVM device registry entries on remote worker endpoints. 

    Use AI to parse unfamiliar log syntax and generate one-off scripts — not as forensic ground truth. 

    Don't assume EDR coverage eliminates the need for native Windows logging. They capture different visibility layers.

    Build GitHub fluency as a foundational DFIR skill.
  • Future of Threat Intelligence

    Trend AI's Robert McArdle on Criminal Business Models Surviving Tech Revolutions

    23.04.2026 | 40 min.
    After 18 years tracking cybercriminal operations at Trend AI, Robert McArdle, Director of Cybercrime Research, has developed a framework for predicting how threat actors adopt new technology: the answer consistently comes down to economics, not capability. He breaks down three rules of thumb his team uses: criminals want an easy life, any new technology must beat the ROI of their current model, and cybercrime is evolutionary rather than revolutionary. Those rules explain why ransomware has actually slowed the adoption of new attack methods and why the lowering technical barrier for attackers creates an asymmetric burden on defenders, who must demonstrate value to an employer rather than simply make a profit.
    Robert goes deep on where agentic AI is headed for both offense and defense, including a sobering implication for law enforcement: as criminal operations become increasingly automated, arresting the principals may no longer disrupt the business. His team has already put this to work on the defensive side. Their internal agentic system ACER has discovered 210 zero-days in a matter of months. He also raises a specific concern that practitioners should take seriously: CTI reports containing detailed reverse-engineering write-ups and code samples are essentially training data for malicious LLM prompting, and the industry should reconsider what level of technical detail is actually necessary to publish alongside IOCs.

    Topics discussed:
    The three-rule framework for predicting criminal adoption of emerging technology

    How the lowering technical barrier for entry shifts the entire cybercriminal bell curve upward 

    Why embedding AI directly into malware remains rare (below 1% of observed cases), and the two structural reasons that limit adoption 

    The shift toward jailbreaking non-Western LLMs as criminal operators anticipate that law enforcement coordination is effectively nonexistent

    How agentic AI transforms criminal business models from linear service stacks to exponentially scalable operations 

    The emerging law enforcement challenge when operations are ~75% autonomous: arrests no longer constitute meaningful disruption 

    Why CTI publishing norms need to evolve, specifically how detailed code samples and reverse-engineering screenshots in APT reports can be fed directly into LLMs to accelerate malware development

    Practical defensive posture for shadow AI proliferation: treat AI-powered tools as untrusted software under existing vulnerability management frameworks

    Key Takeaways: 
    When assessing whether adversaries will adopt a new technique or tool, evaluate it through three lenses: ease of operation, return on investment versus current methods, and evolutionary fit with existing business models.

    Before publishing detailed reverse-engineering write-ups, code samples, or pseudocode in APT reports, assess whether that level of detail serves defender use cases or primarily serves as a development accelerant for threat actors. 

    Audit your organization's shadow AI exposure as a software risk problem, not an AI problem. 

    Structure specialist agents to handle discrete tasks rather than relying on a single broad LLM. 

    Pressure-test your law enforcement response playbook against autonomous criminal infrastructure. 

    Evaluate your AI security tooling for hallucination risk in detection workflows.  

    Model romance scam and investment fraud at scale in your threat landscape. 

    Monitor for jailbroken non-Western LLM wrappers in criminal marketplaces. 

    Factor defender tooling complexity into hiring and onboarding benchmarks. 

    Track zero-day discovery velocity as a benchmark for agentic security ROI. 

    Listen to more episodes: 
    Apple 
    Spotify 
    YouTube
    Website
  • Future of Threat Intelligence

    Scott Scher on Why CTI Teams Forecast Instead of Predict

    09.04.2026 | 45 min.
    Scott Scher, Cyber Threat Intelligence Lead, makes a distinction that reframes how intel teams should think about their own value: they are forecasters, not predictors. That shift in framing has concrete consequences for how CTI programs justify themselves internally, and Scott argues that the most meaningful metric isn't alert volume or report count, but the decisions intel has actually influenced. 
    Scott also addresses where he sees the threat landscape heading, and his read on ransomware cuts against how many teams are still oriented. He argues that encryption-focused ransomware has largely peaked in value for attackers; the real shift is toward pure data exfiltration. He also touches on AI in CTI with a grounded take: it's useful for accelerating manual analyst tasks like data gathering and link analysis, but only if intelligence teams define how it gets used before the organization does it for them.

    Topics discussed:
    Why CTI teams operate in the forecasting space rather than the prediction space

    The practical implications for how assessments are communicated to stakeholders and leadership

    The challenge of quantifying CTI value through decision-driven metrics rather than output volume

    Mapping each stakeholder's workflow outputs and the triggers that drive them, then injecting intelligence at the right point in that chain

    The evolution of ransomware toward exfiltration-only models, and why this reframes the defensive priority from backup to data loss prevention 

    How CTI teams can use strategic intelligence to drive organizational decisions on edge device hardening and third-party risk

    The role of AI in intel workflows as a force multiplier for manual analyst tasks, and why teams need to define that use case proactively

    The collective defense model emerging at the state and local government level

    Why making analytic assessments scientifically defensible is what separates credible CTI from noise

    Key Takeaways: 
    Reframe your team's value proposition around decisions influenced, not products delivered. 

    Map each stakeholder's workflow before defining your intelligence requirements. 

    Conduct monthly stakeholder cadences specifically to capture feedback on delivered products. 

    Ask stakeholders about their biggest obstacles, not just their intel requirements. 

    Reorient ransomware defensive priorities toward data loss prevention.

    Use sustained trend analysis to build strategic intelligence cases for resource allocation. 

    Get ahead of how AI is used in your CTI workflows before organizational pressure defines it for you.

    Treat qualitative stakeholder feedback as a scientific input, not an afterthought. 

    Document the reasoning behind every intelligence assessment, not just the conclusion. 

    Pursue an interdisciplinary lens when building CTI programs and hiring.
  • Future of Threat Intelligence

    You Can't Trust Your Zoom Call Anymore. Deepfakes, DPRK & the New Attack Surface

    26.03.2026 | 42 min.
    Deepfakes have moved well past the uncanny valley and into active threat operations, and Tom Cross, Head of Threat Research at GetReal, has the client-side case studies to back it up. Tom explains how North Korean IT worker infiltration campaigns have transformed HR and video conferencing from administrative functions into active attack surface, albeit one that most security teams aren't monitoring, logging, or ingesting into their SIEM.
    Drawing on a long-running collaboration with a former West Point professor and intelligence officer, Tom also applies the military framework of tactical, operational, and strategic intelligence to cybersecurity, arguing that most CTI programs are really just lists of burned indicators. The actual value of IOCs, he contends, is retrospective: discovering you were communicating with a known-bad actor means you may still be compromised. He makes the case for connecting adversary intent models, red team findings, and vulnerability data into a unified predictive picture. 
    Topics discussed:
    How North Korean IT worker infiltration has converted HR processes and video conferencing into an active, unmonitored attack surface

    Voice-cloned peer impersonation via messaging apps, followed by deepfaked video calls and malware delivery

    Why deepfake audio attacks on IT help desk credential reset processes are among the most likely near-term vectors

    Biometric indicators of compromise and the significant false-positive risks that distinguish them from traditional IP or domain IOCs

    How the military intelligence framework of tactical, operational, and strategic analysis applies to CTI programs

    The strategic importance of retrospective IOC analysis versus forward-looking ingestion

    Why DPRK's financial motivation model expands their target set far beyond what traditional nation-state threat modeling would predict

    Key Takeaways: 
    Ingest video conferencing logs into your SIEM.

    Audit your remote credential reset process for social engineering resistance.

    Map red team findings and vulnerability data to specific adversary profiles rather than treating them as a generic remediation backlog.

    Implement retrospective IOC analysis alongside forward-looking blocking.

    Treat DPRK's financial motivation as an equalizer when assessing APT exposure.

    Build threat intelligence at the strategic layer by modeling adversary intent and objectives, not just cataloging observed TTPs.

    Apply extra care to biometric IOC sharing.

    Monitor employee working-hour patterns against claimed time zones as a behavioral indicator of potential employment fraud.

    Extend IOC taxonomy to include multimedia and biometric formats.

    Listen to more episodes: 
    Apple 
    Spotify 
    YouTube
    Website
About Future of Threat Intelligence
Welcome to the Future of Threat Intelligence podcast, where we explore the transformative shift from reactive detection to proactive threat management. Join us as we engage with top cybersecurity leaders and practitioners, uncovering strategies that empower organizations to anticipate and neutralize threats before they strike. Each episode is packed with actionable insights, helping you stay ahead of the curve and prepare for the trends and technologies shaping the future.
Podcast website