
Future of Threat Intelligence

Team Cymru
Latest episode

108 episodes

  • Future of Threat Intelligence

    Tokio Marine HCC's Alex Bovicelli on the SMB Ransomware Wave the Industry Isn't Talking About

    26.02.2026 | 37 min.
    Running CTI at a cyber insurance carrier, across tens of thousands of companies, forces a triage discipline most programs never need to build. Alex Bovicelli, Senior Director of Threat Intelligence at Tokio Marine HCC, describes how his team scaled by narrowing focus to one thing, the initial access vectors threat actors are actually using right now: not CVSS scores, not spray-and-pray alerts, but underground forum activity, access broker behavior, and credential exposure from info stealer logs that most SMBs have zero visibility into. When a detection fires, his team doesn't just notify; they walk the customer through remediation and confirm the issue is closed, because for a company relying on an MSP with no internal security staff, an alert without support is just noise.
    The more pointed conversation is about what's not making headlines: thousands of SMBs are hit by ransomware every year, and groups like Akira have built a business model specifically around it: high volume, low ransom, staying below the threshold that triggers serious law enforcement attention. Alex explains how those attacks succeed not through sophisticated tradecraft but through SSL VPN brute forcing tools left running unattended, returning thousands of valid credentials against organizations that have no account lockout policies, no MFA on remote access, and no way to know their credentials are already sitting in a criminal log collection somewhere.

    Topics discussed:
    Building intelligence-led CTI programs at scale by anchoring detection on initial access vectors, access broker activity, and credential exposure

    Using underground forum proximity and info stealer log correlation to identify compromised credentials across thousands of organizations

    Operationalizing pre-claim threat intelligence within cyber insurance to eradicate initial access before events generate claims

    Closing the alert-to-remediation loop for SMBs by delivering detection, support, and mitigation confirmation as a single workflow

    How Akira and similar ransomware groups deliberately target SMBs with high-volume, sub-threshold attacks 

    Rethinking CVSS-based patching prioritization by incorporating criminal exploitability and at-scale attack frequency into triage

    Separating AI as an intelligence producer from AI as a report summarizer, where automation could realistically drive patching priority

    Why most external threat feeds leave CTI teams in a retroactive posture, and how incident response data from insurance claims changes that

    Key Takeaways: 
    Anchor your CTI program on initial access vectors rather than trying to cover every vulnerability class across your environment.

    Monitor access broker activity and underground forums to understand which threat actors are actively buying and selling against your industry or infrastructure.

    Integrate info stealer log analysis into your detection pipeline to identify compromised credentials before threat actors use them for lateral movement or ransomware deployment.

    Shift your patching prioritization model away from CVSS scores and toward criminal exploitability.

    Design alerts for smaller IT teams to be remediation-ready on receipt because an alert without a clear next step will not get acted on.

    Close the loop on every detection by confirming mitigation was completed, not just that the alert was acknowledged.

    Enforce account lockout policies and MFA on all SSL VPN and remote access entry points as a baseline control.

    Assess AI tooling for your CTI program on whether it can produce intelligence rather than just consume it through report summarization.

    Use incident response data from post-claim analysis to validate your pre-claim detection signals.

    Listen to more episodes: 
    Apple 
    Spotify 
    YouTube
    Website
  • Future of Threat Intelligence

    Coalition's Daniel Woods on What Cyber Insurance Claims Reveal About Security Controls

    19.02.2026 | 38 min.
    Daniel Woods, Principal Security Researcher, and his team at Coalition analyzed forensic reports across their 100,000-policyholder base and found 50% of ransomware incidents begin with VPN or firewall exploits. But here's the twist: 40-60% of those aren't vulnerability exploits at all, they're stolen credentials bypassing perimeter devices entirely. Organizations running Cisco ASA devices show 5x higher claim rates than peers, with similar patterns across Fortinet, SonicWall, and Citrix SSL VPNs. When threat actors do exploit vulnerabilities, they're scanning and deploying shells within 24-48 hours of public disclosure, making your 72-hour patch SLAs dangerously obsolete.
    Daniel also surfaces the gap between security control theory and organizational reality. Microsoft claims 99.9% MFA effectiveness for individual Azure accounts, but insurance claims data shows no measurable risk reduction at the organizational level because that one service account without MFA, that legacy API integration nobody knew was enabled, or that exec who refused to enroll gives attackers everything they need. Organizations deploying threat-based training focused on social engineering tactics beyond phishing see measurably lower claim rates, suggesting we've been training for the wrong threat surface.
    Topics discussed:
    Analyzing cyber insurance claims data from 100,000 policyholders to identify which security controls actually reduce incident rates

    Understanding why perimeter security devices like Cisco ASA, Fortinet, and SonicWall VPNs show 5x higher claim rates in insurance data

    Examining the 40-60% of edge device breaches caused by stolen credentials rather than vulnerability exploits

    Explaining the gap between Microsoft's 99.9% effectiveness claim for MFA on individual accounts and the absence of measurable risk reduction at the organizational level in claims data

    Revealing the limits of generic awareness training through a study showing only a 2% reduction in phishing failures, versus measurably lower claim rates for threat-based training

    Comparing email platforms: Google Workspace shows lower claim rates than Office 365, attributed to security features that are enabled by default

    Implementing a zero-day alert service that notifies policyholders within hours when vulnerable perimeter devices need immediate patching

    Rethinking security awareness training as role-specific, finite courses targeting job risks rather than repetitive generic phishing exercises

    Key Takeaways: 
    Audit your external perimeter for exposed Cisco ASA, Fortinet, SonicWall, and Citrix SSL VPN devices.

    Enforce phishing-resistant, hardware-based MFA on every interactive login, then inventory the exceptions that defeat it in practice: service accounts, legacy API integrations, and users who never enrolled.

    Reduce patch SLAs from 72 hours to under 24 hours since threat actors scan and deploy shells within 24-48 hours of vulnerability disclosure.

    Prefer email platforms that enable security features by default (in the claims data, Google Workspace shows lower claim rates than Office 365), or explicitly turn on the equivalent controls on the platform you already run.

    Replace repetitive generic phishing training with role-specific threat-based courses focused on social engineering tactics.

    Scan your policyholder or customer base for vulnerable perimeter devices using external scanning services to notify before exploits occur.

    Build identity management architecture around centralized services with hardware token enforcement.

    Evaluate security control effectiveness using multiple data sources rather than vendor claims alone.

    Listen to more episodes: 
    Apple 
    Spotify 
    YouTube
    Website
  • Future of Threat Intelligence

    Stripe's Vincent Passaro on Fraud Taxonomies & Generating Red Team Testing Roadmaps

    12.02.2026 | 1 hr 8 min.
    Stripe's 3-person intel team created FT3 (fraud tools, tactics & techniques), a framework modeled after MITRE ATT&CK but purpose-built for financial fraud, to eliminate the communication breakdown where "fraud" required constant reverse engineering. The structured taxonomy now powers both analyst workflows and automated fraud systems operating at transaction-millisecond speeds, with technique-based tagging that gives fraud engines the context to make informed decisions without human interpretation of vague "fraudulent" alerts.
    Vincent Passaro, Engineering Manager at Stripe Security, walks through their shift from reactive blocking to building infrastructure targeting packages for law enforcement prosecution. By mapping card testing, account takeovers, and money movement techniques across the full attack chain, the team now produces actionable intelligence packages. The framework drives LLM-powered classification of legacy incident reports, threat-informed red team testing by automatically mapping techniques to API capabilities, and standardized intelligence sharing with financial institutions. 
    Topics discussed:
    Creating FT3 framework modeled after MITRE ATT&CK to establish standardized fraud technique taxonomy

    Transitioning from AWS tier-3 incident response to financial fraud intelligence while applying cloud security methodologies

    Building infrastructure targeting packages that map adversary infrastructure roles for law enforcement prosecution

    Scaling small teams through technique-based tagging that enables fraud systems to make decisions at millisecond transaction speeds

    Leveraging LLMs for automated classification of historical incident reports and mapping fraud techniques to API endpoint capabilities

    Integrating threat intelligence with red team and fraud operations to create threat-informed testing roadmaps prioritized by business impact

    Key Takeaways: 
    Build fraud-specific taxonomies to eliminate communication gaps where "fraud" requires constant reverse engineering.

    Map fraud techniques across the full attack timeline for complete adversary behavior visibility.

    Create infrastructure targeting packages that identify adversary server roles and network diagrams for prosecution-ready intelligence sharing.

    Leverage LLMs with fraud technique context to automatically classify historical incident reports and identify new techniques.

    Use API documentation and fraud frameworks together with LLMs to generate threat-informed red team testing roadmaps.

    Prioritize threat actor tracking based on business impact and platform prevalence rather than defaulting to nation-state actors or compliance checklists.

    Integrate threat intelligence, red team, and fraud operations under unified leadership to enable rapid validation of observed techniques.

    Design fraud frameworks with extensive contextual documentation to enable adoption by non-security teams and facilitate machine-readable intelligence sharing across organizations.

    Listen to more episodes: 
    Apple 
    Spotify 
    YouTube
    Website
  • Future of Threat Intelligence

    Fortinet's Aamir Lakhani on Mapping Business Pain Points Attackers Exploit

    05.02.2026 | 42 min.
    Fortinet processes telemetry from 50% of the next-generation firewall market, giving Aamir Lakhani, Global Director of Threat Intelligence & Adversarial AI Research, and his team visibility into a looming shift: threat actors moving from exploiting a small subset of proven CVEs to weaponizing the entire vulnerability landscape through AI automation. While defenders currently concentrate resources on commonly exploited vulnerabilities, Aamir warns AI will soon enable attacks across everything "just as efficiently and as fast," requiring security teams to rethink patch management strategies when they can no longer rely on focused defense. 
    Aamir also touches on how the World Economic Forum's Cybercrime Atlas program operates through weekly sessions with 20-40 researchers who deliberately build intelligence packages using only open-source methods. This avoids proprietary data so law enforcement can recreate findings and successfully prosecute cases. He shares how his leadership approach rejects the traditional climb: stay at the bottom of the ladder and push your team up, because their public accomplishments improve both team performance and your career trajectory more than personal competition ever could.
    Topics discussed:
    A 50% next-generation firewall market share providing visibility into state-sponsored attacks and ransomware-as-a-service operations daily

    AI-driven threat evolution from narrow CVE exploitation to automated attacks across vulnerability landscapes requiring new patch strategies

    Threat actor professionalization, including recruitment events, training programs, and internal conferences for cybercrime operations

    Adversarial AI capabilities: threat actors running and customizing local LLMs with tools like Ollama, removing the dependency on jailbroken models like WormGPT

    Network-centric threat hunting using metadata and netflow analysis over full packet capture due to bandwidth and analysis constraints

    World Economic Forum Cybercrime Atlas program methodology using open-source intel to build prosecutable law enforcement intel packages

    Prioritizing team advancement over personal climbing by publicizing subordinate accomplishments to improve retention and performance

    AI alert fatigue emerging from comprehensive attack-cycle tracking, where 10% incorrect output undermines trust in the 90% that is accurate

    Key Takeaways: 
    Prepare for AI-enabled threat actors to exploit the entire CVE landscape simultaneously.

    Prioritize metadata and netflow analysis over full packet capture for threat hunting due to better manageability and analysis efficiency.

    Deploy open-source tools to baseline network behavior and marry telemetry data with threat intel platforms for pattern recognition.

    Identify your organization's critical pain points that would force ransom payment rather than focusing solely on perimeter defense tech.

    Join collaborative threat research initiatives like World Economic Forum's Cybercrime Atlas.

    Build intelligence packages using open-source methods to ensure findings can be recreated and prosecuted.

    Conduct CTF-based interviews focused on problem-solving approach and persistence rather than expecting candidates to know all answers.

    Spotlight team by publicizing accomplishments and research contributions to improve retention, morale, and your own career advancement.

    Mandate regular video check-ins to monitor team mental health and prevent burnout in high-stress roles.

    Listen to more episodes: 
    Apple 
    Spotify 
    YouTube
    Website
  • Future of Threat Intelligence

    PayPal's Blake Butler on Finding Fraud Signals in Uncleaned Data

    29.01.2026 | 42 min.
    PayPal's fraud team catches credential stuffing before money moves by watching business intelligence signals that most organizations overlook: explosive traffic growth to legacy endpoints, mismatched phone numbers against account creation locales, and anomalies hidden in raw uncleaned data. Blake Butler, Senior Manager & Head of Fraud Threat Intelligence, applies infrastructure analysis techniques from offensive security to fraud investigations. This fills the gap most organizations face: anti-fraud teams understand scam mechanics but lack technical depth, whereas infosec practitioners know infrastructure but not how criminals monetize accounts at scale.
    Blake breaks down how phishing kits now bypass MFA through real-time automation. His detection philosophy: counting and explosive growth patterns beat machine learning for uncovering fraud. Data scientists clean away the signal. 
    Topics discussed:
    Applying offensive security infrastructure analysis methods to fraud threat intelligence investigations

    Detecting credential stuffing and account takeover campaigns through anomalies in account creation regions, phone number locales, and explosive traffic growth

    Understanding how modern phishing kits automate real-time OTP theft by integrating directly into legitimate platform APIs during password resets

    Tracking massive fraud operations emerging from China and South America through business intelligence signals

    Identifying fraud indicators in uncleaned data: extra spaces, unrenderable characters, and AI-generated webshop metadata artifacts

    Building security communities to enable monthly collaboration with local practitioners on emerging threats and tool development

    Bridging the critical talent gap between anti-fraud teams lacking technical infrastructure skills and infosec practitioners without fraud monetization expertise

    Evaluating phishing-as-a-service platforms and encrypted communication tools that lower barriers to entry for criminal actors

    Key Takeaways: 
    Monitor explosive traffic growth patterns to legacy endpoints and unusual account creation regions to detect credential stuffing.

    Analyze raw uncleaned data for fraud signals including extra spaces, unrenderable characters, and metadata artifacts.

    Apply infrastructure analysis techniques to fraud investigations to identify phishing domains and criminal tooling.

    Track mismatches between phone number locales and account creation regions as indicators of automated account generation.

    Investigate anomalies in business intelligence metrics through simple counting before deploying ML models to uncover emerging fraud trends.

    Build fraud threat intelligence teams that combine offensive security backgrounds with fraud monetization expertise to fill the critical industry talent gap.

    Attend security community meetups to collaborate with local practitioners on emerging threats between annual conferences.

    Implement MFA while recognizing that advanced phishing kits now automate real-time OTP theft through direct platform API integration.

    Hire candidates with infosec infrastructure knowledge who understand how criminal actors use tooling to automate credential stuffing and account monetization operations.

    Listen to more episodes: 
    Apple 
    Spotify 
    YouTube
    Website
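For the Bovicelli episode's point about correlating info stealer logs with a monitored customer base and turning hits into remediation-ready alerts, here is an added example in Python. It is not code from Team Cymru, Tokio Marine HCC, or the podcast; the record layout (URL|USERNAME|PASSWORD, one per line), the VPN portal path markers, the watchlist domains and the sample records are all constructed assumptions, and real stealer dumps vary by malware family.

```python
"""Triage info-stealer log records against a watchlist of monitored organizations.

Added example, not code from Team Cymru or Tokio Marine HCC. The record layout
(URL|USERNAME|PASSWORD, one per line), the watchlist, the VPN path markers and
the sample records are constructed assumptions; real dumps vary by family.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of a stealer "passwords" file (fake hosts, users, passwords).
SAMPLE_STEALER_LOG = """\
https://vpn.example-clinic.com/remote/login|jdoe@example-clinic.com|Winter2025!
https://mail.example-clinic.com/owa/|jdoe@example-clinic.com|Winter2025!
https://portal.unrelated-shop.net/login|buyer99|hunter2
https://hr.acme-logistics.example/login|acme\\mperez|Passw0rd
https://accounts.google.com/signin|jdoe.personal@gmail.com|Summer2024
garbage line without separators
"""

# Constructed watchlist: organizations this CTI team covers, keyed by registered domain.
WATCHLIST = {
    "example-clinic.com": "Example Clinic (MSP-managed, no internal security staff)",
    "acme-logistics.example": "ACME Logistics",
}

# Path fragments typical of SSL VPN login portals (e.g. FortiGate /remote/login,
# GlobalProtect /global-protect/). Assumed list; extend per vendor.
VPN_PATH_MARKERS = ("/remote/login", "/global-protect/", "/sslvpn", "/vpn/")


def parse_record(line):
    """Split one URL|user|password record; return None for malformed lines."""
    parts = line.strip().split("|", 2)
    if len(parts) != 3 or not parts[0].lower().startswith("http"):
        return None
    url, user, password = parts
    host = (urlsplit(url).hostname or "").lower()
    return {"url": url, "host": host, "user": user, "password": password}


def match_org(host):
    """Return the watchlisted registered domain that owns `host`, or None."""
    for domain in WATCHLIST:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def is_vpn_portal(url):
    path = urlsplit(url).path.lower()
    return any(marker in path for marker in VPN_PATH_MARKERS)


def triage(log_text):
    """Correlate stealer records with the watchlist and build remediation-ready alerts.

    Passwords never leave this function; only their reuse across hosts is reported.
    """
    per_org = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and (org := match_org(rec["host"])):
            per_org[org].append(rec)

    alerts = []
    for org, recs in sorted(per_org.items()):
        vpn_urls = sorted({r["url"] for r in recs if is_vpn_portal(r["url"])})
        # Same user + same password on more than one host: resetting one service
        # alone will not close the exposure.
        hosts_by_cred = defaultdict(set)
        for r in recs:
            hosts_by_cred[(r["user"], r["password"])].add(r["host"])
        reused = sorted(u for (u, _), hosts in hosts_by_cred.items() if len(hosts) > 1)

        next_steps = ["Force a password reset for the listed accounts and revoke active sessions."]
        if vpn_urls:
            next_steps.append("Verify MFA and account lockout are enforced on the exposed VPN portal(s).")
        if reused:
            next_steps.append("Reset every service where the reused credential was seen, not only the VPN.")
        next_steps.append("Confirm with the customer that each step was completed before closing.")

        alerts.append({
            "org": org,
            "org_name": WATCHLIST[org],
            "severity": "critical" if vpn_urls else "high",
            "accounts": sorted({r["user"] for r in recs}),
            "vpn_portals": vpn_urls,
            "reused_credentials": reused,
            "next_steps": next_steps,
        })
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_STEALER_LOG):
        print(alert["severity"].upper(), alert["org_name"], alert["accounts"])
        for step in alert["next_steps"]:
            print("  -", step)
```

The alert carries the next step with it, which is the "remediation-ready on receipt" property the episode asks for; severity is driven by whether a VPN portal is involved, and credential reuse across hosts expands the reset scope rather than leaving that for the customer to discover.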
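Both the Bovicelli episode and Daniel Woods' episode describe SSL VPN brute forcing and password spraying succeeding against portals with no lockout or MFA. As an added example, not the podcast's or any vendor's code, the block below runs the counting over a constructed key=value authentication log: it separates a spray (many accounts, one source) from a brute force (one account, many attempts), treats a success after the failures as a validated credential, and lists accounts that exceeded the lockout threshold without ever being locked out. The log format, the thresholds and the synthetic bursts are assumptions.

```python
"""Detect SSL VPN brute forcing and password spraying in authentication logs.

Added example, not code from any vendor or guest on this page. The line
format, the thresholds and the synthetic log are constructed assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed thresholds for one analysis window of log lines (e.g. 30 minutes).
FAILS_PER_USER_BRUTE = 10   # failures against one account from one source
DISTINCT_USERS_SPRAY = 20   # distinct accounts that failed from one source
LOCKOUT_THRESHOLD = 5       # failures after which a LOCKOUT event is expected
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_log():
    """Construct a synthetic VPN authentication log (not real data)."""
    t0 = datetime(2026, 2, 20, 1, 0, 0)
    lines = []

    def add(seconds, src, user, result):
        ts = (t0 + timedelta(seconds=seconds)).strftime(TS_FMT)
        lines.append(f"{ts} src={src} user={user} result={result}")

    for i in range(40):                       # spray: 40 accounts, one password each
        add(2 * i, "203.0.113.10", f"user{i:02d}", "FAIL")
    add(90, "203.0.113.10", "user17", "SUCCESS")
    for i in range(25):                       # brute force: one account, many passwords
        add(200 + i, "198.51.100.7", "jdoe", "FAIL")
    add(230, "198.51.100.7", "jdoe", "SUCCESS")
    add(400, "192.0.2.55", "mperez", "FAIL")  # benign: two typos, then a login
    add(405, "192.0.2.55", "mperez", "FAIL")
    add(410, "192.0.2.55", "mperez", "SUCCESS")
    return "\n".join(lines)


def parse_line(line):
    """Parse '<ts> src=<ip> user=<name> result=<FAIL|SUCCESS|LOCKOUT>'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, TS_FMT)
    return rec


def analyse(log_text):
    """Return per-source attack findings plus accounts that should have locked out."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        if not fails:
            continue
        per_user = Counter(e["user"] for e in fails)
        if len(per_user) >= DISTINCT_USERS_SPRAY:
            kind = "password_spray"
        elif max(per_user.values()) >= FAILS_PER_USER_BRUTE:
            kind = "brute_force"
        else:
            continue
        # A SUCCESS from the same source after its failures means the tool found a
        # working credential: the attacker now holds valid access, not just noise.
        validated = sorted({e["user"] for e in evs
                            if e["result"] == "SUCCESS" and e["user"] in per_user})
        duration = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        findings.append({
            "src": src, "kind": kind, "failures": len(fails),
            "accounts_tried": len(per_user), "duration_s": duration,
            "validated_accounts": validated,
            "severity": "critical" if validated else "high",
        })

    # Accounts that passed the lockout threshold but never produced a LOCKOUT
    # event: evidence that no lockout policy is enforced on this portal.
    fails_per_account = Counter(e["user"] for e in events if e["result"] == "FAIL")
    locked = {e["user"] for e in events if e["result"] == "LOCKOUT"}
    no_lockout = sorted(u for u, n in fails_per_account.items()
                        if n >= LOCKOUT_THRESHOLD and u not in locked)
    return {"findings": findings, "accounts_without_lockout": no_lockout}


if __name__ == "__main__":
    result = analyse(build_sample_log())
    for f in result["findings"]:
        print(f"{f['severity'].upper()} {f['kind']} from {f['src']}: "
              f"{f['failures']} failures in {f['duration_s']:.0f}s, "
              f"validated={f['validated_accounts']}")
    print("no lockout enforced for:", result["accounts_without_lockout"])
```

The spray case is the one the episode stresses: each account sees only one failure, so a per-account lockout never fires and the only useful pivot is the source address and the count of distinct usernames. The missing-lockout list turns the log into a control-gap finding rather than just an incident.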
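For Blake Butler's "count before you model" approach, here is an added example (not PayPal's code) computing three of the signals his episode names over constructed data: explosive growth in traffic to a legacy endpoint, mismatches between phone-number prefix and signup country, and the whitespace and non-rendering characters a data-cleaning step would erase. The endpoint names, the phone-prefix map, the thresholds and every record are constructed assumptions; the artifact check goes slightly beyond the episode by clustering records that share the same oddity, on the reasoning that identical artifacts point at one tool.

```python
"""Three "count before you model" fraud signals over raw, uncleaned data.

Added example, not PayPal's code. Endpoint names, the phone-prefix map,
thresholds and every record below are constructed assumptions.
"""
import unicodedata
from collections import Counter, defaultdict
from statistics import median

GROWTH_RATIO_ALERT = 5.0          # today's count vs median of the baseline days
LEGACY_ENDPOINTS = {"/v1/login"}  # endpoints that should be near-dormant
PHONE_PREFIX_COUNTRY = {"+1": "US", "+44": "GB", "+55": "BR", "+86": "CN"}  # assumed subset

# Constructed daily request counts per endpoint: seven baseline days, then today.
REQUEST_COUNTS = {
    "/v1/login":  [120, 98, 110, 105, 130, 99, 115, 48000],  # stuffing hits the legacy path
    "/v3/login":  [50000, 51000, 49500, 50200, 50800, 49900, 50100, 52000],
    "/v3/signup": [4000, 4100, 3900, 4050, 4200, 3950, 4100, 4300],
}

# Constructed signups: (account_id, country selected at signup, phone as entered).
SIGNUPS = [
    ("a1", "US", "+14155550101"), ("a2", "US", "+14155550102"),
    ("a3", "US", "+8613800000001"), ("a4", "US", "+8613800000002"),
    ("a5", "US", "+8613800000003"), ("a6", "GB", "+447700900123"),
    ("a7", "BR", "+5511999990000"), ("a8", "US", "+999123456"),  # unknown prefix: ignored
]

# Constructed name fields exactly as submitted, before any cleaning step.
RAW_NAMES = ["Jane Doe", "Jane  Doe", "Jane Doe ", "J\u200bane Doe",
             "Jane\ufffdDoe", "J\u200bohn Smith", "John Smith"]


def explosive_growth(counts, ratio=GROWTH_RATIO_ALERT):
    """Flag endpoints whose latest count dwarfs the median of the prior days."""
    flags = {}
    for endpoint, series in counts.items():
        *baseline, today = series
        base = median(baseline)
        growth = today / base if base else float("inf")
        if growth >= ratio:
            flags[endpoint] = {"growth": round(growth, 1),
                               "legacy": endpoint in LEGACY_ENDPOINTS}
    return flags


def phone_country(phone):
    """Map an E.164-style number to a country by its longest known prefix."""
    for prefix in sorted(PHONE_PREFIX_COUNTRY, key=len, reverse=True):
        if phone.startswith(prefix):
            return PHONE_PREFIX_COUNTRY[prefix]
    return None


def locale_mismatches(signups):
    """Per signup country: share of accounts whose phone belongs elsewhere."""
    stats = defaultdict(lambda: {"total": 0, "mismatch": 0, "phone_countries": Counter()})
    for _, country, phone in signups:
        s = stats[country]
        s["total"] += 1
        pc = phone_country(phone)
        if pc is not None and pc != country:
            s["mismatch"] += 1
            s["phone_countries"][pc] += 1
    return {c: {"total": s["total"],
                "mismatch_rate": round(s["mismatch"] / s["total"], 2),
                "phone_countries": dict(s["phone_countries"])}
            for c, s in stats.items()}


def raw_artifacts(value):
    """List the formatting oddities a data-cleaning step would silently erase."""
    found = []
    if value != value.strip():
        found.append("leading_or_trailing_space")
    if "  " in value:
        found.append("double_space")
    for ch in value:
        # Format/control/private/unassigned characters and U+FFFD never render visibly.
        if unicodedata.category(ch) in ("Cf", "Cc", "Co", "Cn") or ch == "\ufffd":
            found.append(f"non_rendering_U+{ord(ch):04X}")
    return found


def artifact_clusters(values):
    """Group records by artifact signature: identical oddities suggest one tool made them."""
    clusters = defaultdict(list)
    for v in values:
        signature = tuple(raw_artifacts(v))
        if signature:
            clusters[signature].append(v)
    return dict(clusters)


if __name__ == "__main__":
    print("growth:", explosive_growth(REQUEST_COUNTS))
    print("locale:", locale_mismatches(SIGNUPS))
    print("artifacts:", artifact_clusters(RAW_NAMES))
```

None of this needs a model: a median, a ratio, a prefix lookup and a character-category check are enough to surface the legacy endpoint, the cluster of US signups with +86 phones, and the records sharing an invisible zero-width character. Run these on the raw feed; once the pipeline trims whitespace and strips unrenderable characters, the third signal is gone.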

More Business podcasts

About Future of Threat Intelligence

Welcome to the Future of Threat Intelligence podcast, where we explore the transformative shift from reactive detection to proactive threat management. Join us as we engage with top cybersecurity leaders and practitioners, uncovering strategies that empower organizations to anticipate and neutralize threats before they strike. Each episode is packed with actionable insights, helping you stay ahead of the curve and prepare for the trends and technologies shaping the future.
Podcast website

v8.7.0 | © 2007-2026 radio.de GmbH