Video: State of Threat Intelligence 2025 (EMEA) | Bridging the Maturity Gap | Duration: 3292s | Summary: State of Threat Intelligence 2025 (EMEA) | Bridging the Maturity Gap | Chapters: Welcome and Introduction (5.52s), Team Introductions Begin (128.835s), Threat Intelligence Overview (252.845s), Threat Intelligence Adoption (351.1s), Influencing with Intelligence (798.115s), Investment in Intelligence (1217.155s), Success Metrics Discussion (1672.21s), Threat Intelligence Challenges (1854.885s), Future of Threat Intelligence (2157.98s), Adapting to Change (2222.065s), Defining Maturity and Success (2324.52s), Addressing Misconceptions (2442.41s), Mapping Intelligence to Business (2572.735s), Defining Intelligence Requirements (2674.39s), Digital-Physical Threat Convergence (2911.235s), Proactive Threat Intelligence (3028.26s), Farewell and Thanks (3254.52s)
Transcript for "State of Threat Intelligence 2025 (EMEA) | Bridging the Maturity Gap":
Hey, everyone, and welcome to today's State of Threat Intelligence webinar. See everyone in the chat wishing each other good morning. Great to see. We'll go ahead and get started in just a few moments. So grab a cup of coffee, beverage of choice, find your seat, and we'll get going momentarily. I love to see so many nice messages in the chat. Great to see this morning. Seems like everyone's excited for this.

Well, hello everyone again, and welcome to our webinar on the 2025 State of Threat Intelligence. I'm excited to be joined by two exceptional speakers to help us unpack insights from our report and provide their own unique perspective on how they're using threat intelligence. Before we get into it, I've just had a few quick housekeeping notes. So the recording will be available shortly, and that'll be sent around to the email you registered with. We won't be sending around the slides, but to be honest, it's about five slides, and one of them just has our photos on them. So it probably won't be all that helpful. If you do wanna review the slides, you can find them in the recording. Any questions and messages in the chat are strongly encouraged. You're allowed to put your questions in whenever they pop in your head, and I wanna assure you there's no such thing as a bad question. We've got two experts here who would love to help you out. Seen people from Belgium and Morocco all over the place. Awesome. So with that, let's get to our experts. So I'll have each of them introduce themselves and give us a bit about their background. And since we're in the festive season, I'll add on a little icebreaker and ask them for their favorite holiday movie as well. So, Eric, I'll pass it over to you.

Great. Hello, everyone. Thanks for being here. I'm Eric. I am with the Superhuman Security Intelligence team. Superhuman was formerly Grammarly. I've been working Security Intelligence now five or six years. I've worked in the States, so I grew up there.
I now live in Germany. So thank you Recorded Future for bringing me on in this time zone. And my favorite holiday... well, you kinda put me on the spot because there's so many good ones, but I think I would have to choose White Christmas simply because that was my grandfather's favorite and my mom's favorite and kind of that family tradition of, yeah, let's watch this musical. Let's just have that moment together where we're the family. So, Ryan.

Oh, boy. What an act to follow. Well, good morning, good afternoon, good evening, everyone. My name is Ryan Buero, and today I'm coming to you all as a senior customer success manager here at Recorded Future. Do not let my accent fool you. Yes. I am from the United States of America. However, I relocated in transition to the UK EMEA portfolio about two years ago. So this is why the Recorded Future team asked me to kinda jump on and represent this side of the world. My tenure with Recorded Future is not just the four years that I just mentioned. I actually was a Recorded Future user when I was stationed in the military. I used Recorded Future for about four or five years. However, my background does extend to about nine, ten years of United States Military Intelligence. So, trying to decide solutions, put pieces of the puzzle together, I really do enjoy being able to speak with customers and working directly with our clients to really, you know, identify success and what that looks like for you also. When it comes to the Christmas movie, I don't know. I love Christmas, but movies I'm just not a huge fan of. I would have to suggest and say Elf. I think that's just a timeless classic. So thanks, Sam. Appreciate that icebreaker.

I guess I should give you more heads up. That's okay. Also, I didn't realize we have three Americans in a webinar that was meant for the European audience. But that's okay. As the slide says, my name is Sam Langrock. I'm a team lead on our product marketing team.
I'm actually based in the States, out in Boston, so early morning for me, but excited to be here with you all. I would say my favorite holiday movie is Charlie Brown Christmas. Love Snoopy. So, that's that for me. But, before we get into our chat with our panelists, I just wanna quickly cover our 2025 State of Threat Intelligence report, which is the third iteration of this annual report. Now the report was put together using survey response data from 615 cybersecurity executives and practitioners and compiled and analyzed by an external team called UserEvidence. You know, perhaps someone in this audience was part of that survey data. If you were, let us know in the chat. But if you haven't downloaded the report yet, you can do so in the doc section. And on the slide are some key stats I pulled out to illustrate how threat intelligence has become a strategic imperative for organizations across the globe. So what we're seeing based on the data in the report is that 76% of organizations are spending over 250k USD annually on threat intelligence. 91% plan to increase their spending in 2026, and 87% expect to advance their maturity over the next few years. So to help us unpack findings from the report and get their advice on improving threat intelligence maturity, I'll bring in my panelists. And we'll start with why threat intelligence is now mission critical. So according to the report, threat intelligence isn't just a soft tool anymore. 83% now have dedicated threat intelligence teams, and more than three quarters rely on threat intelligence for frequent decision making. So, Eric, I'll open it up with you. What are your primary use cases for threat intelligence in your role, and how does threat intelligence tend to influence decisions daily or weekly?

So the very first use case, I think the most important, and everyone here would probably agree, is immediate contextualization.
When we get alerts in, when we get threats in, how do I understand the data at a higher level? How do I turn that data into information? And then for our team, more specifically, we are able to utilize threat intelligence to build proactive tooling. So right now, I am trying not only to keep up with adversaries, I'm trying to get ahead of them. And we have a bunch of in-house tooling that we've built based around the threat intelligence that we're receiving from Recorded Future, from OSINT.

Awesome. And, Ryan, what are you seeing? You know, you work with many of our customers. What do you tend to see amongst them, and what are some of the best practices across them?

I think it was very interesting, that last slide that you depicted through on the screen. You had a lot of statistics talking about what success looks like or where metrics are, you know, sitting with current customer base right now. I think the question we should ask ourselves is what actually is good intelligence or what does good slash great look like before we can determine what is success, what are good use cases, what are common practices. It's no secret that, I guess, data and information, it comes to each of us at a site look great, but it's how you interpret this information, analyze it, and turn it into intelligence. And then from there, you have to make the decision or, sorry, deciding factor: how is this gonna impact your operation? How is this gonna impact your organization for the better? And then from there, you can then truly say, yes, this right here is a success. So that right there answers the first question I wanted to kinda throw out there. I think that to answer yours, Sam, in regards to, I guess, comp use cases, best practices, I'm in a really great position here at Recorded Future working both the US, I guess, market as well as the entire EMEA portfolio. What I've seen over here is a successful organization or successful team isn't just one or two members or one SOC.
It really is a defining moment of an entire organization coming together. You have GRC individuals. You have, I guess, physical security. You have vulnerability management, threat intelligence analyst. So it really does determine what the areas of interest are, and then from there determine internally if it actually is, I guess, deemed for success.

Now since you do own a slice of North American clients as well as European clients, is there anything you see noticeably different about how the two kind of areas of the world use their intelligence?

Absolutely. So I think over here in the EMEA region, I think the European Union specifically because we have those new standard appliances that we now have to abide by. So we do have DORA in this too. The US, I think the US operates in its own separate entity. They just make sense to work it through whatever it is and whatever sticks that go with it. But over here in the, I guess, EMEA region, there are certain standards that we have to kind of abide by, and that's why we have to tackle certain type of, I guess, key use cases in by different metrics and statistics to make it act work for success.

Eric, is that something you tend to see as well? I know, you know, obviously, you're from the States, global organization, have to deal with both.

Yeah. No. Ryan brings up just... it's funny that you should say, oh, yeah, we throw it at everything, because there was a lot of that. I mean, it was working intelligence in the States. It was, well, we don't have as much regulation. We don't have as much standard. And here, I have to pay attention to not only state, and when I say state, German law. I also have to consider that bigger. Where do we operate outside of Germany in the EU, in other EMEA regions? And what does that mean for the intelligence coming in? And how then do I have to disseminate that to my team? And too, we can kind of flip it like, well, I'm operational.
So how do I start talking to leaders differently here than I was in the States? Yes. You know, again, based on regulation, compliance gets into this. I have constant conversations with legal. So intelligence becomes very important and very timely. Right? I have to write more reporting here and more documentation here, which means I have to get ahead of any current investigations to make sure that, hey, this is still good information. This is not stale information.

Yeah. Speaking of talking legalese, you know, one surprising takeaway is how broadly threat intelligence has started to be used across the organization. Right, and considering how many clients you work with, what do you think tends to be driving this broader adoption?

It's really funny you say that. It's because if you would ask ten years ago, threat intelligence was just an idea, it was a concept, and you look at it today and it looks like it actually is an expectation or requirement within organizations today, to be very honest. So I have my own personal opinion, then I have actual statistics on what I deal with customers. We'll deal with the customers right now and talk about real world examples. If there are any, I guess, any individuals who are interested in what I have to hear after this, feel free to add me on LinkedIn. We can have a further discussion. But when it comes to my customers, it's honestly just certain situations, certain industry or vertical actual, I guess, malicious activities that have occurred. Customers are now concerned, and it's not so much whenever you come to a Recorded Future or even just a threat intel platform in general, it's not that we're trying to scare you. It's that we're trying to educate you of the actual threat that poses a significant issue towards your organization if certain type of things aren't patched or identified or aren't addressed. And so it really is, you know, the state of the unknown, but what is that?
Is the unknown honestly worth the bigger buck if something does happen towards an organization? Threat intelligence, to me, it drives operations. So you can have a situation. You can have a precursor or malicious activity that has occurred, but without threat intelligence, you aren't really there to tell the story or to help paint the picture to deliver to executives, to senior leadership in order to help make the best and informed decisions possible.

Great. And, Eric, one thing I heard from one of our clients once was the beauty of threat intelligence is the ability to influence. So how has threat intelligence enabled you to influence different outcomes, workflows, or visibility across other teams in the organization?

So let me give you just a quick background on my position. Our security intelligence team really wears a lot of hats. And, right, security intelligence is cyclical, so that means not only am I dealing with gathering intel and writing reports, a bigger part of my job is incident response and forensics, and we are also doing offensive operations. So recently, we've had a lot of reports on attacks that aren't quite as novel, but the increase of those attacks. So for example, you can look at the news and you can look at referred Recorded Future's intelligence reports and see, hey, NPM packages are hot right now. So why don't I look at what are we using in our systems? Let me try and attack that, and what can I glean from that? And now I have collected my own intelligence internally that I can show to leadership and the other teams. Hey. At this point, we are using these pieces. I was able to compromise this in an internal investigation. We should fix this. Now, again, we're ahead of the game. We have done it ourselves rather than waiting for, oops, there's another report of, you know, what got hit last week or what got hit the week before or, you know, what big company's name is out there saying, oh, dear. This happened.
How can I stop that ahead of time? And that's, I think, the critical use of operational threat intelligence. And then Ryan said a great piece about, I think both of us have come back to this, leadership. How does leadership understand our position as security facilitators differently than we do as operators? And how do I present that? So not only am I using this very current news, I am also using the statistics that come along with that. You know, what can I look at as far as how much damage occurred during the first attack that was similar to this? And are they done? Are they coming back? And, you know, Recorded Future has been just great at providing those insights in postmortems, follow-ups, and, hey, we were the first one to report this to you, but now we've come back and given additional follow-ups to that intel. So I think it's really helpful to quantify why I'm there. You know? Sure. I can attack the system or I can defend the system, but at the end of the day, hopefully, you don't see me do anything. Well, how do I prove my worth? Hey. Give me some intel.

Okay. Really fast, Eric. I wanna jump on that. I think what you mentioned a few times during this session, you said operational or operational intelligence or your specific type of line of role. I think it's very important to identify that Recorded Future, one thing that we do really well is we're able to work with all factions of a team to include tactical, technical, operational, and strategic. We're able to take the basic information, the very first and foremost data that we receive, you know, turn it into intelligence from the tactical to operational level as you just mentioned you do there, but also from operational elevate and mature it into a strategic setting, that way we can inform and educate certain type of leaders. So I know going back to your original question, Sam, this is one thing that we really do well here in the EMEA region. We're able to inform leaders.
We're able to speak with executives, get them in the room, not so much scare them that a situation could happen or has happened, but ultimately just educate and just let them know this is what Recorded Future, one, is able to do and, two, how we can bring success to the table.

Now are there any... I'll pose it to both of you. Are there any things, if, you know, if I'm in the crowd today and I'm trying to figure out a better way to approach my executives, maybe my board, any recommendations on how to use threat intelligence to influence them beyond what we've already covered?

Yeah. If we're looking guess for it, go ahead, Ryan. That's it. So I say if we're looking for, I guess, specifics, I would say the very first thing is just really become comfortable with threat intelligence reporting or just threat reporting in general. Without telling the story or bridging the divide between something that actually matters to something that has occurred, the unknown is still kind of in the air. So I think right now, just really become comfortable writing reports, using AI to kind of help build that narrative, again, bridge that divide and help kinda cross that road together. But it's important to first understand, when it comes to reporting, what do your executives wanna know? What is their importance? What are their key requirements? What are their key takeaways? And why essentially is threat intelligence important to them? Once you have that understanding, then you can tailor the intelligence and tailor the analysis to better fit the narrative and, again, help them inform decisions.

Yeah. And I'm gonna jump on that, Ryan. I think a really key piece that has helped us operationally is using intelligence to understand what is important to us and what is our risk. Right? I don't wanna just jump in. Recorded Future has so much. If you look at the terabytes and terabytes of stuff, it's overwhelming. Right?
But there are key tools in there that can help look at, well, I'm not part of the finance sector. Mhmm. Can I rule all those things out? Well, great. What is most relevant to our use cases? Again, you know, Ryan said, what is leadership looking to do? I think that's another thing irrespective of where you're getting your intelligence, having those communications open internally to understand where are we moving and why, and then go out from there and understand, okay, what are my key risks and why? And just asking those questions and using that loop, that cycle. And, again, Ryan, you said it earlier. Like, this is not applicable... This intelligence is not just applicable for operations. It's applicable for leaders, excuse me, leadership. It's applicable for, you know, all of these other data teams. So how do we keep that cycle moving and learning and educating ourselves? Correct.

Awesome. Now going into kind of investment and maturity areas. So I mentioned in the beginning, you know, 91% of organizations are planning on increasing their threat intelligence budget next year. You know, you guys have been in the space for a little while now and seen how far threat intelligence has come in the last ten years, even the last maybe two to three years. What do you find is driving such strong momentum? And, Eric, I'll kick it over to you to start.

I mean, we've been talking about this all day now. Ryan keeps using the word education. I think as an industry, we are more educated, but we also operate out of a bigger necessity because adversaries are more educated. I love some of the old school, like, and I'm talking nineteen sixties social engineering. But if you look at what they were doing back then and very specific actors, who are now on our side, they will also tell you, well, social engineering or adversaries are the same. They're looking for the same things. But what has changed? And how does that become expedited in our day and age?
And I think we all understand that there is more of a necessity, that even lower level, quote unquote, lower level adversaries are getting better and advancing and maturing themselves, so we need to stay one step ahead.

I wanna add on that. Hey, Sam. So I know you mentioned the term industry. I would like to focus on the term community right now. If you look at every attendee and all the people who have said hello and welcome themselves from different parts of the world, different parts of the media, really, we rely solely on each other to also obtain this intelligence. So I can't say or determine how many verticals or industries are actually a part of this, I guess, chat today or this forum. But with that being said, you all decided to show up to learn about threat intelligence, but also talk amongst yourselves to also become very educated, very informed, and also pass the intelligence you may have. Pass the data around because I guarantee you that the three individuals who are here right now are not the smartest individuals in the room, and that goes to say as well on the chat. So definitely rely on each other, but I think the term community goes so much farther than just reliance. We're able to, again, just really uphold, build something bigger, and then, of course, create something better than all of us. So...

Yeah. Great points. Yeah. And then we also found that half of organizations consider their program advanced. Eric, I'll toss it over to you. How would you describe, you know, high maturity teams as operating differently? What is kind of that, kind of elite organization look like?

I think the elite organization is functioning proactively in most circumstances, we're never gonna catch everything. Yep. Nobody in this room will. But if we can understand where that adversary is before the adversary understands that or what they can get to or how they're operating. And I think even to a bigger degree, can we play a little cat and mouse with them?
What can we do in that proactive sense to yank information from them? Hey. Maybe I set up a honeypot, and maybe I don't do anything when they get to it instead of alerting and shutting it down immediately. What if? What if? You know? So it's again just staying ahead of the game, and working. Ryan, I love that word. Community. We are a community. An elite team is not only a community within their own enterprise or organization. They are functioning in this bigger realm where we are talking to each other. We are, hey, you guys, I know you are in the Financial District and we were not, but we saw this thing happen that is applicable to both of us. Let me help you get out of it.

Amazing. Now, Ryan, I know you obviously work with many high maturity teams, but I'm sure you work with some lower maturity teams as well. And for anyone on this call who might be thinking, yeah, I probably fall maybe more at the lower end of the scale, what suggestions do you have for how they can take that next step in their maturity?

I think it's very important to state that it doesn't matter where you are on your maturity journey with threat intelligence, you are able to define success in your own region. Sam, you're very correct. I work with customers that have thirty, forty people on a team, and those teams have separate different sections, and every section has their own way of work and own responsibilities and own importance of collection of intelligence. And then the opposite side of that spectrum, I work with customers. There are just one or two people doing it all for organizations. I even see a question in the chat here saying the small entities where there's no several teams and it's just members dealing with several roles and projects, that's primarily what I work with. But just to say you are successful in your own way, and again, it really goes back to those key intelligence requirements.
That is every foundational discussion that I work with or speak with whenever I would talk with customers or clients. It doesn't matter US, UK, all throughout of EMEA. It really is how can I, or sorry, how can I define what is success for you? And then from there, let's build a journey to get towards that level of maturity that you are looking for. When it comes to the organizations that are just starting, what does threat intelligence do for them? Again, start with the basics. Start with reporting. Start with red teaming, blue teaming, whatnot, and just make sure that you are able to take as much information as possible, analyze it, and then from there, you know, feed it into your leadership to really help inform decisions. When it comes to those higher maturity, and I don't say higher maturity as in you have more money, you have more skills, but it is what it is. They have more manpower. They have more investment into threat intelligence because either one, a situation has occurred where they need it, or two, they're just trying to prevent or they're a larger organization that can kind of upfront all this information. But, again, it goes back to what we've been saying all along. What does success look like? What are your organization's key requirements? And then how are we together able to work towards, I guess, that greater good and define success?

Sam, can I jump in on something Ryan said? I would like to point out that our team is only four people, and we are operating at a company level that's pretty nuts. So I just want to relay to people that are on those smaller teams that don't have the headcount that if you do lean in, if you do work with people like Ryan to get this intelligence and to find your own success and maturity, there is no need to just have to throw resource after resource. It's very accessible to everybody here. So sorry.
I didn't mean to interrupt, but when we talk about headcount and resource, we don't have a lot of headcount, and it's fine.

No. I think that's a great point that you can do all this without needing hundreds and hundreds of people. It can just be four people and some smart tools that you guys are invested in and have learned to use. You're speaking of success. Everyone's favorite question when it comes to threat intelligence is, what are the success metrics you track or look to track? So, Eric, I'll start with you. How do you, you know, what, well, I guess, what success metrics do you tend to track or look at over time?

So, the usuals, you know, time to first response and time to close on alerts when it comes to incident response. Threat intelligence, I feel, for us has really helped that time to close. Hey. Once I get this alert, I can look at and say, oh, yeah, this is an IP that is terrible. It is a C2 infrastructure. Let's lock that down. And I guess that's the other thing, time to remediation. And then our metrics, we can look at those applicables. How many incidents did we call and what was the time to remediation? And, again, it's that threat intelligence that's helping us push those numbers down.

And, Ryan, when you work with your clients, what are some of the metrics that you tend to try to get them to look at?

Really great question, Sam. That's something that we in the EMEA region have tried to specialize here within the past year or two years. For actual Recorded Future customers, you may have realized there was a big organizational change, different point of contacts as your technical representation. But one thing that we have, I guess, strived to actually succeed with is developing a customer success plan, which is the customer journey from time of acquisition to, you know, sorry, acquisition of modules to actually defining what this looks like.
So for us, we actually have a playbook of actually what success is and how we can actually obtain this and work towards that greater good. But ultimately, it's up towards, I guess, certain use cases or certain requirements. So if you come to us with a vulnerability question and purchase the vulnerability intelligence module, what we're able to do, we're able to, I guess, you know, reduce specific type of, I guess, what's it called, concurrence time. We're able to actually determine the life cycle of a vulnerability going from the zero day up to exploit and able to dissect it from its entire life cycle. So it really determines on the customer, and every single customer and client that comes with us has this tailored experience. But again, for individuals who aren't necessarily customers with Recorded Future, ask the question internally, what is important to you and then what are you trying to achieve and then fill the gaps from there. You don't have to necessarily have the answers today. As long as you have an end game and you have the tools and resources to start, you can get there. It just may look a little bit differently for you. But hopefully that answered the question, Sam. I know I kinda talked around it, but, like, Recorded Future, I wanna say we have figured out the secret sauce. We figured the recipe for success. It's broken down into different type of modules. So...

Based on the kinda your use case that you're looking at, they can have different metrics. Yeah. Perfect. Yeah. That's great. And then wanna jump into maybe what's still hard about threat intelligence for security teams. So in the report, we heard credibility, lack of integrations, information overload were some of the top challenges respondents had with threat intelligence vendors. So, Eric, I'll pose it to you first. What are some of the top challenges that you tend to see when working with threat intelligence vendors, and how do you try to overcome them?
So I think I already mentioned this a little bit, but overload is one of the big ones. Right? We have this great vendor who has so much data. Where do I even start? And I think that comes down to, again, what Ryan's been saying about assessing your path and your needs. And that's what we've done is I don't need to look at everything. I don't need to be overloaded if I understand what is my spot in the company, in the industry, in the community. And then the other thing, the how good is this intelligence? Right? There's a lot, a lot, a lot of intelligence out there, and there's some OSINT that is amazing, and there is some OSINT that is probably already poisoned because adversaries can look at that too. So where is that credibility, and where can I find reliable information and information that's not stale? You know, I read a report recently on an attack that we had mitigated four weeks ago, and it was just becoming popular news. But we had some intel resources that said, hey, watch out for this. So we did. And by the time it hit everybody else, we didn't have to worry. So I think the reports that those two key things are coming out across the industry, that's what we're seeing as well. I don't think it's any surprise that those are the things to look for. I mean, Ryan, what are you seeing? What's...

I think I'm gonna choose a different perspective here and say biases. In the intelligence community in general, I think coming across political biases, personal opinions, different beliefs, whatnot, we have to be very cognizant and aware that it is out there and how to decipher through this. Coming from the States as we all have eloquently, you know, migrated over and now working in the EMEA region, I will be the first person to say this. But when I moved over, my bubble was popped, and I was then introduced to an entire new region with a whole new set of issues and more so geopolitical issues.
So looking at Russia, Ukraine, it didn't really influence America because we are so far away, and it doesn't affect us as it does some of the organizations here. And so coming over here, I was able to, one, look outside of the American biases and all the news agencies and the intel or community reports that are being deciphered out there, depicting a different narrative and able to actually understand how it affects individuals here and throwing the noise away. And so it really is a great opportunity for us, one, to educate ourselves, elevate us all, and determine actually what is true and just and not just what is the right narrative for the right purpose in that given moment in time. And so that right there to me, although it is beautiful whenever individuals do overcome this and acquire this as resources and, you know, sources of truth, but it is such a hard road to identify because we are set in our ways, and we don't wanna necessarily kind of disagree with, I guess, the way forward or what the community has kind of told us what we should be listening to. Going back to you, Eric, how did how does that sound? I mean, do you agree, disagree? I'm interested. Oh, oh my gosh. So I've always thought of myself. You know, growing up, I always thought I was pretty open minded. And as soon as I landed in Germany, it it became the what, you know, the the that matrix of the things that I didn't know that I didn't know. And simply, I'm learning the language and how does that change my perspective on how things work, let alone oh, yes. There are geopolitical differences. There are these major factors that standing around in the states you don't even consider. You know, what does allyship look like between European states, and how does that change in a different way than well, you know, there are 50 states in America, and they're not going to be you you know they will argue with each other, but at the at at the same point, they're just one thing. 
So how do these factors influence what we need to pay attention to as engineers and what attacks may occur based on my position in the world? Yeah. I agree with that. Great, great point, Ryan. We'll make sure to add that to the report for next year. I didn't realize Americans had biases either. Oh, say it ain't so. Yeah. Just kidding. We'll get into, kind of our last section on looking ahead in the future of threat intelligence. There's a ton of great questions in the chat we'll get you after. So if you have any more that pop up, you can add those now, and we'll get to them momentarily. But, you know, looking at the report, I talked about how eighty seven percent expect to mature their organization significantly, over the next two years. So for everyone in the audience, and I know we've kinda passed along a lot of advice, but kinda closing advice, what what do you have on where they should focus the threat intelligence initiatives over those next twelve to twenty four months? Is there something new coming down the pipe that you think we should focus on, or is it maybe still continue with the continuing at the basics and making sure that we have those, in place? Eric, I'll start with you. Yeah. I mean, we are always changing. We're we're in computer science. Just the amount of transistors that are placed in your mobile phone is going to change and change how we operate against it. So I said it earlier. A thief is always a thief. But what technology is that thief using to advance their career, and how do we need to pay attention to that? I don't know. Sam, you said a good thing, though. Foundationally, we can build these mechanisms that are basic to everyone that are going to help us utilize the threat intelligence against the outcome. You know, just that learning cycle, that flywheel of what happened today, how can we learn from it. Hey. You know what? This incident did happen to us. So what's our postmortem, and how do we not let that happen again? 
And then, Ryan, I'm a pick on you a little bit. I I think at one point, you and I were chatting. You were trepidatious to bring up this word, but I heard you use it earlier. Artificial intelligence. Right? Oh, boy. Right? I think it's you had mentioned, you know, such a hot button, such a such a key word in the media, but I think just because of that, it's something we should all keep an eye on and keep thinking. I mean, now I talk to Predict about the systems we are building on AI to really help us. But I think it's worth understanding at a threat level and how our adversary is using that. So, Ryan, go ahead. Argue with me. No. Let's go. I love let's advance her back and forth. We love this for sure. No. But just just to kinda go on what you were saying in regards to, I guess, Sam's question is, like, what does maturity look like? I guess, again, we're here just to let you all know that maturity and definition of success is ultimately up to you and your organization. A challenge that I kind of impose in all of you aside from purchasing Recorded Future, essentially is is how are you able to ingest all this information, all this data? What are you gonna do with this data, and how are you going to then analyze it, turn it into intelligence to, again, actually define success and what does it mean to you? With that being said, though, don't just acquire information. Maybe have an integration to enrich IOC data. Maybe have an integration that helps you kind of decipher this IOC, turn it into TTPs, and then from there become very proactive in nature. So it really is up to you as an organization to define what is that next level of maturity for you. But going to what Eric was mentioning in regards to, I guess, AI, it it is a key buzzword, and this is not a threat intelligence webinar if we don't mention, I guess, AI. 
But with that being said, what we can utilize instead of, instead of in the future being, I guess, against it, maybe adapt it, incorporate it into our everyday, I guess, life cycle, everyday levels of success to help one write reports, to help us identify certain type of threat actor, to help us kind of understand the maturity of a very mom and pop activist up to a nation state actor, and what does that look like, and how do we better align our internal, I guess, infrastructure network so we don't or or aren't on the receiving end of that, I guess, malicious activity. So, this conversation, we can definitely jump into what does maturity look like, what can we do to better ourselves. But, honestly, we do one thing and change one thing differently just to, you know, better your security posture, then you're definitely set up for success and better than everyone else who essentially is just sitting there thinking they're okay. Awesome. Great way to to close it out, Ryan. Also, I wanna say, I have not seen a chat or q and a pop up quite this much since we did a webinar on when the US government shut down LockBit. So this is, fantastic to see, and I think kinda goes to Ryan's point about community and and sharing with each other. So wonderful wonderful to see. So we'll take the, the next ten or so minutes, for questions. And what I wanna start out with is, you know, in line with Eric's comments about none of us know slash see everything. How do we address the misconception, especially with leadership, that threat intelligence is an infallible crystal ball that will see and predict everything that is a risk to the business? Either of you wanna start with that one. I'll jump in on how I mean, I have been very fortunate that my leadership has always understood that, and I think that's actually where I got the idea, especially as an early SOC analyst, you know, level one. 
That first time you see something and you panic, and this has to be something and, well, maybe it isn't, maybe it isn't. Maybe I made a mistake, and my leadership was always under the grace of well, if we make that mistake, we can always fix it. But, I think talking back to what we said earlier, having the communication open and presenting some of those reports as educated community members and saying, hey. Look. One of the biggest companies in the world when it comes to driving monetary gains just got hit with something because they couldn't foresee it. You know, chances are everybody will, but they recovered, and we recover. And if we even just use threat intelligence reports to inform our leadership, we can show, no. We're we are very far away from a crystal ball, but we can do our best to prevent that risk. Yeah. Just to jump on that as well. It's, it threat intelligence to me is going to if if it's not already, it's going to drive operations in the future. And so having the predictive analysis and predictive awareness will then inform your executive individuals to kind of make better decisions internally to invest into threat intelligence overall. And so this again, it's not this crystal ball. It's not this magic weapon. You can wave a wand saying, oh, well, we didn't know about this. I work with many customers who have had unfortunate situations this year, cybersecurity ransomware, different type of phishing attacks, DDoS incidences, and this is stuff that we cannot foresee. We can we can look at precursors and we can make informed intelligence decisions about what could happen, but the actual incident that will occur, that's something that nobody's kind of, I guess, no one can avoid. And so it's how you deal with the situation. How do you work with threat intelligence to better put you in a position to, one, maybe have been informed, or two, how to be very proactive after something does happen. 
But it's because of Recorded Future and because of what we're able to produce that we were able to kind of work fast after a situation has occurred. And as Eric mentioned from the very beginning earlier on in this conversation, he said one thing we do very well, we're very timely, we're very reliable, and we are able to kind of have all teams on deck to really just make sure that the situation itself doesn't get worse than it may already be. Awesome. Great answer, guys. Different type of question. So the question says, the issue I have with the intelligence is how to map intelligence to our business in scope. Do you have any tips on how to achieve that to get the proactive proactivity you're aiming for? Right? I imagine that's a question you get asked just about every day. Well, yeah. Every day. Yes. So, the the way that Recorded Future works with this, we call them key intelligence requirements or priority intelligence requirements. Whatever you call it internally around the world, it's a different term. Just make sure you have those five or 10 different type of key outcomes. So go back to the foundation. What is success and what are we actually looking for? You can say, okay. Are we trying to integrate for, you know, certain type of data enrichment? Are we trying to acquire different IOCs? Are we trying to look for x y zed? It's up to you to make that determining factor. If you want, honestly, use a p sorry. Not APT. Use, ChatGPT. Okay. Use Gemini. Use an AI resource to really help drive and ask that foundational set of questions. Okay. What does success look like in a in a small organization with x y zed or a b c essentially? And have that kind of help inform and help write your priority, I guess, intelligence requirements. 
Whenever you have those requirements identified, you're then able to go back to that foundation and start putting checks and boxes or identifying intelligence gaps where your organization may not actually have visibility into a certain sector or certain area of of the, you know, the business. And from there, it's up to you all to make that decision and make the best, I guess, informed, I guess, you know, decision to see what more we can do moving forward. And I think from an operational standpoint, two key things in here are business and scope. Right? I would sit down and write those things out. What is my business, and is it that? Can we verbalize that precisely in a way that somebody who is not in your business can understand? Maybe even one sentence. And then again, what is the scope? And I say this I I'm sure you've already sat down and considered this, and then talked to leadership about this. But I say this from my standpoint where there's been a couple projects I've jumped in on and just started going and had to stop them. Well, where am I headed? And it wasn't until I wrote out my parameters or my definition of done on the project for my leadership and said, yeah. This is what I'm doing, that it really I understood what I could tie that project to. And so I take that back to, you know, the question is, how do we understand threat intelligence to that scope? Well, what is what is my exact scope? What is the business exactly? And then sit with Ryan and say, hey. I need a little help. Or get into, I don't know if you have the UI for Recorded Future. I love playing with the AI question. You know, maybe even just drop those two things right in there and say, this is my business. This is my scope. What are my threats? And then you'll have to iterate. I mean, that's I keep talking about the cycle. Our scope's gonna change. Our our knowledge base and what our companies are trying to do, our organizations are trying to do, or how their influence that changes. 
So understand that scope to begin with, and then iterate through that. And, again, it's never gonna be perfect. I'm a keep coming back to this. I wish it were. I wish it were. And to jump on what you just mentioned there, Eric, I think it's also safe to say, just challenge your leadership, challenge your bosses, challenge individuals who are actually making the investment with threat intelligence, and keep asking why. Why aren't we doing this? Why aren't we doing this? And just ask them, are they okay if there is a gap, if there is a specific call that were it potentially could, you know, affect the business? You're never really going to move forward unless you actually put yourself in a situation to fight for what you want or fight for essentially what is good for the business. But, yeah, definitely be a a challenge and be a grain against the sand. So Good. And, we'll wrap it up with this last question from the audience. And apologies to anyone whose questions we didn't get to. There are fair amount that have come through. But I think this is a pretty, you know, pertinent question, especially for the region. But how do you guys view the growing convergence between digital and physical threats? And how should threat intelligence be used to provide a complete and integrated picture of this landscape? I think I can jump on this first if that's okay, Eric. So when it comes to digital physical, I think I have a whole new different concept or meaning. So my history back in The States, the physical element and the physical threat was very much there. Being deployed to Iraq, being deployed to, you know, North Korea, fixing operations against ISIS, there was a physical tyranny in the world that had to be stopped, and so we were sent out there to physically do that. Moving in towards the cybersecurity realm, I think everything is digital now. And so, yes, you still have the physical security. 
You have those threats targeting headquarters, buildings, personnel, colleagues, executives, so on and so forth. That's still very much a part of, I guess, the situation or the equation. But if we look at the digital side, that is the way forward. That is the future. These threat actors who are working outside or halfway across the world are able to actually disrupt our operations to subs sorry. Disrupt services from just just a click of a button. And so I think that right there should definitely be the focus. If there is a need for physical security, then by all means, feel free just to make sure that you're taken care of and your business is kinda set for success. But the future is digital. If we aren't already in the future, it it's very much apparent now. When it comes to threat intelligence, I think we've been saying this all along. It's it's just use your better information, your best judgment to decipher and turn data into actual intelligence to help individuals make informed decisions, but also become aware of the digital threat and what it could pose towards you. So I'm going to answer this question. I've also been reading another question that I think is somewhat applicable to my answer, and I love this. Escar, I know you've posted it twice. But the other question also talks about attribution being kind of up in the air and what do we do about these different pieces of threat intelligence. Well, how I'm going to answer the convergence about digital and physical is this. Yes. Like Ryan said, we are in a digital age. I was in San Francisco last week, and, man, Waymo came and picked me up more often than Uber did, and it was faster. And so we are there. We are in Blade Runner. But to deal with this, threat intelligence, we shouldn't look at it necessarily as only having articles that we're reading and disseminating and understanding. Threat intelligence starts internally. So, right, when I talk about offensive operations, I did a thing. 
That was my intelligence to know I have to fix that thing. But similarly well, what physicality are we worried about? What IOCs are we worried about? I'm getting to both of these questions. You know, if we're talking about the movement through escalations, parallel movements, we can figure all of those pieces out simply by understanding, has a similar attack occurred previously? And this is applicable to both the physical and to, I believe it was the SMB that Escola is talking about. Right, have similar attacks occurred previously? Do we have that intel already? Yes. Somewhere. There are very few novel attacks that are going to happen to us. We're probably very minimal of us are, being threatened by APT. So what do we do? We take that cycle. We look at when has this occurred, how could it affect us, and where do we sit in line with these attacks, and then how do we remediate ahead of time? How do we mitigate those potential risks? So for example, let's say I'm in a Waymo, and we know somebody has been able to break in and drive me away. Well, maybe today I don't go in a Waymo. And I don't mean to pick on this company. It was just at the top of my head. But but, right, we have these intelligence pieces that we can collect, we can research on, we can iterate on, and educate ourselves to that greater depth of it's not just news that we're worried about. It is IOCs. It is attack paths. It is attack surface. Each of these things, we can start to think about as, well, what is the chain that could make this attack physical? Why? What is the chain that could make this attack threatening to us at a low level actor? I don't need to make attribution. All of us have been on a VPN at one point or another where our IP address was in a totally different location. What I do need to worry about is how do each of these pieces function together and how does threat intelligence inform me that so I can stop before it starts? Stop before it starts. 
I think that's a great last line to to leave it with. I'm here for the send, wait, Sam. Yeah. Exactly. We'll make sure to clip that and post it all over social media for you. But thank you so much to our panelists, Eric and Ryan. Thanks to everyone who left questions, who added to the chat. Some great resources shared in the chat. So thank you for everyone, who gave that up and and is working to help build this community. But hope everyone has a great rest of your day, and thank you again for attending our session. Yeah. Thanks, everybody. Absolutely. Thank you for the opportunity, everyone.