Phase 1 · Threat Landscape & Attack Surface

Before you build a single detection, know who is coming for you

Hani Early · Doctrine Security

Security programs that skip this step spend budget defending against threats that aren't targeting them while leaving their actual adversaries uninstrumented. Knowing who is coming for you — specifically, not generically — changes every downstream decision in your security program.

The first question intelligence-led security asks is not "what tools do we have?" or "what does our compliance framework require?" It is a simpler and harder question: who are our adversaries, what do they want, and what does our environment look like from their perspective? Most security programs never formally answer this question. They instrument broadly against generic threats and discover their specific adversary's techniques only after an incident. By then, the education has already cost them.

Threat landscape analysis produces a prioritized adversary profile — not a list of every threat actor that has ever been documented, but the three to five most relevant to your organization specifically, based on your industry, your size, your geopolitical exposure, your technology stack, and your incident history. For each adversary, you need to understand their objectives, their preferred initial access vectors, their documented TTPs mapped to MITRE ATT&CK, and their most likely course of action against an organization with your profile. This is not a threat intelligence subscription — it is a structured analytical product that requires judgment, not just data.

Your own incident data is your best intelligence

Every organization that has experienced incidents holds validated intelligence that most external threat reports cannot provide: ground truth about which techniques adversaries have successfully used against your specific environment. Pivot rates from past investigations tell you where your log coverage is actually useful versus where it looks complete on paper. Dwell times tell you how long adversaries operated before detection — and by implication, how much of their operation you missed. Initial access vectors tell you where your real exposure is, not your theoretical exposure.

Mining IR data is not a retrospective exercise. It is an intelligence collection activity. The techniques confirmed in your environment tell you more about your actual risk profile than any generic threat report, because they represent adversary behavior that has already been validated against your specific defenses. That data should directly inform your hunting hypotheses, your detection priorities, and your hardening roadmap. Organizations that treat DFIR purely as crisis response and discard the intelligence are leaving the most actionable input to their security program on the table.
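As an added example, not code from the original article or from Doctrine Security, the script below mines a handful of constructed incident records for the three measures named above: dwell time per incident, pivot rate per log source, and how often each technique has been confirmed in the environment. The incident records, log source names, timestamps and pivot outcomes are all constructed sample data; the technique IDs are real ATT&CK identifiers, but the incidents they appear in are invented for illustration.

```python
"""Mine incident-response records for dwell time, pivot rate per log source and
confirmed-technique frequency. All incident data below is constructed sample
input, not real cases; the technique IDs are ATT&CK identifiers."""
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed incident records. "pivots" records each log source the
# investigators consulted and whether it yielded the next hop of the intrusion.
INCIDENTS = [
    {
        "id": "IR-01",
        "initial_access": "T1566.001",  # spearphishing attachment
        "techniques": ["T1566.001", "T1059.001", "T1003.001", "T1021.001"],
        "first_compromise": "2023-02-03T09:00:00",
        "detected": "2023-02-20T15:00:00",
        "pivots": {"email_gateway": True, "edr": True, "vpn": False, "proxy": True},
    },
    {
        "id": "IR-02",
        "initial_access": "T1190",  # exploit public-facing application
        "techniques": ["T1190", "T1059.001", "T1105", "T1486"],
        "first_compromise": "2023-06-10T22:00:00",
        "detected": "2023-06-12T04:00:00",
        "pivots": {"waf": True, "edr": True, "proxy": False},
    },
    {
        "id": "IR-03",
        "initial_access": "T1078",  # valid accounts
        "techniques": ["T1078", "T1021.001", "T1003.001"],
        "first_compromise": "2023-09-01T08:00:00",
        "detected": "2023-09-29T08:00:00",
        "pivots": {"vpn": True, "edr": False, "proxy": True, "ad_auth": True},
    },
    {
        "id": "IR-04",
        "initial_access": "T1566.001",
        "techniques": ["T1566.001", "T1059.001", "T1053.005"],
        "first_compromise": "2024-01-15T10:00:00",
        "detected": "2024-01-17T10:00:00",
        "pivots": {"email_gateway": True, "edr": True, "proxy": True},
    },
]


def dwell_hours(incident):
    """Hours between first confirmed compromise and detection."""
    start = datetime.fromisoformat(incident["first_compromise"])
    end = datetime.fromisoformat(incident["detected"])
    return (end - start).total_seconds() / 3600


def median_dwell_hours(incidents):
    return median(dwell_hours(i) for i in incidents)


def initial_access_vectors(incidents):
    """How many incidents began with each initial access technique."""
    return Counter(i["initial_access"] for i in incidents)


def technique_frequency(incidents):
    """Number of incidents in which each technique was confirmed (once per incident)."""
    freq = Counter()
    for i in incidents:
        freq.update(set(i["techniques"]))
    return freq


def pivot_rates(incidents):
    """Fraction of consultations in which a log source produced a usable pivot.
    A source that is consulted often but rarely pivots looks complete on paper
    and is not; that is the coverage gap the section describes."""
    consulted, useful = Counter(), Counter()
    for i in incidents:
        for source, worked in i["pivots"].items():
            consulted[source] += 1
            useful[source] += int(worked)
    return {s: useful[s] / consulted[s] for s in consulted}


def hunting_priorities(incidents):
    """Confirmed techniques ranked by frequency, ties broken by technique ID."""
    freq = technique_frequency(incidents)
    return sorted(freq, key=lambda t: (-freq[t], t))


if __name__ == "__main__":
    print(f"median dwell: {median_dwell_hours(INCIDENTS):.0f} h")
    print("initial access:", dict(initial_access_vectors(INCIDENTS)))
    for source, rate in sorted(pivot_rates(INCIDENTS).items(), key=lambda kv: kv[1]):
        print(f"pivot rate {source:14s} {rate:.2f}")
    print("hunt first:", hunting_priorities(INCIDENTS)[:4])
```

On this constructed data the ranking puts PowerShell execution (confirmed in three of four incidents) at the top of the hunt list ahead of the two initial access vectors, and shows EDR and proxy pivoting in three of four consultations while VPN logs pivoted in only one of two: the kind of finding that should redirect log onboarding and hunting budget before any external report is consulted.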

Attack surface mapping — seeing yourself as the adversary does

Once you know who is coming, you need to understand what they can see. Attack surface mapping answers that question systematically across three domains. Your internet-facing assets: cloud resources deployed without security review, forgotten subdomains, vendor portals with access to your environment, and development infrastructure that was never meant to be production-facing. Your identity attack surface: privileged accounts, service accounts, federation trusts, and credential reuse exposure. Your data: where your crown jewels actually live, who has legitimate access, and what path an adversary would need to traverse to reach them from an internet-connected foothold.

The adversary does this systematically before they move. Shodan, Censys, and similar reconnaissance tools give them a view of your internet-facing exposure that most organizations have never formally assessed themselves. The asymmetry is striking: your adversary may have a more current picture of your attack surface than your own security team does.

Third-party and supply chain risk belongs in this phase

Your adversary does not always come through your front door. They come through your vendors, your partners, your software supply chain — the trusted relationships your organization has established that carry implicit trust past your perimeter controls. Third-party and fourth-party exposure needs to be mapped as part of understanding your attack surface, not assessed separately as a compliance exercise.

This matters in two directions. For threat landscape analysis: understanding which of your vendors have been targeted by the adversaries most likely to target you tells you where your soft exposure sits. For recovery planning: a backup that contains a supply-chain-delivered implant is not a clean restore — it reintroduces the adversary. The supply chain dimension needs to be explicitly considered when building both your threat model and your recovery architecture.

Adversary profiling

Who specifically targets organizations like yours? Objectives, TTPs, preferred access vectors, documented campaigns. MITRE ATT&CK as the shared language — not the starting point for defense, but the starting point for understanding the adversary.

Attack surface mapping

What can the adversary see from the outside? Internet-facing assets, identity exposure, data location, vendor access paths. The adversary's view of your environment — not your view of your environment.

IR data mining

What has actually worked against you? Pivot rates, dwell times, initial access vectors from past incidents. Your most accurate threat intelligence — validated in your environment, not derived from generic reports.

Third-party mapping

Where are your trusted relationships? Vendors, partners, software dependencies. Which of these have been targeted by your primary adversaries? Supply chain exposure feeds both threat landscape and recovery planning.

ISAC intelligence — what is happening to organizations like yours right now

Your organization's incident data is the most specific intelligence you have, but it is limited to what has happened to you. ISAC (Information Sharing and Analysis Center) participation connects your threat landscape assessment to what is actively happening across your sector: the adversary techniques being deployed against your sector right now, the defensive measures that are proving effective against them, and indicators from incidents at peer organizations that give you warning before the same technique reaches you.

This is not generic threat intelligence — it is validated, sector-specific, and current. The organizations sharing through your sector's ISAC face the same adversary set you face. Their incident data is the next closest thing to your own. ISAC intelligence belongs at the beginning of your threat landscape process as a continuous input, not as an occasional reference.

The intelligence principle that changes everything: Military intelligence does not study adversaries to compile a report. It studies adversaries to develop their courses of action — to model what the adversary will do next, not just what they have done before. Applied to enterprise security: threat landscape analysis produces adversary course of action templates that drive detection engineering, hunting hypotheses, and validation priorities. The output is a decision framework, not a document.

What this phase produces

The output of thorough threat landscape analysis is not a threat report. It is a set of structured adversary profiles — the equivalent of military adversary course of action templates — that answers: for each of our primary adversaries, what are they most likely to do against us, and what terrain do they need to traverse to do it? Those profiles drive everything downstream: which log sources matter, which detections to build first, which hunts to run, which gaps to close urgently. Without this foundation, security investment is undirected. With it, every subsequent decision has a rationale that can be explained to leadership in terms of specific adversary risk — not abstract technical capability.
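To make "a decision framework, not a document" concrete, here is an added example, not the author's or Doctrine Security's code, that turns a small set of adversary profiles into a detection build order and a telemetry onboarding order. The adversary names, likelihood weights, telemetry names and the technique-to-telemetry mapping are constructed for illustration; the technique IDs are ATT&CK identifiers, but the mapping of techniques to telemetry is a deliberate simplification, not ATT&CK's own data source model.

```python
"""Turn adversary course-of-action profiles into a detection build order and a
telemetry onboarding order. Profiles, weights, telemetry names and the
technique-to-telemetry mapping are constructed illustrations; the technique IDs
are ATT&CK identifiers, but the mapping is a simplification, not ATT&CK's own."""
from collections import defaultdict

# Constructed profiles: the handful of adversaries most relevant to a
# hypothetical organisation, each with a relative likelihood weight and the
# techniques its documented campaigns rely on.
PROFILES = {
    "ransomware-affiliate": {
        "weight": 0.5,
        "techniques": ["T1566.001", "T1059.001", "T1003.001", "T1021.001", "T1486"],
    },
    "initial-access-broker": {
        "weight": 0.3,
        "techniques": ["T1190", "T1078", "T1105"],
    },
    "espionage-actor": {
        "weight": 0.2,
        "techniques": ["T1566.001", "T1078", "T1021.001", "T1003.001"],
    },
}

# Constructed mapping: the telemetry a detection for each technique needs.
REQUIRED_TELEMETRY = {
    "T1566.001": {"email_gateway", "endpoint_process"},
    "T1059.001": {"endpoint_process", "script_block"},
    "T1003.001": {"endpoint_process", "process_access"},
    "T1021.001": {"windows_logon", "network_flow"},
    "T1486": {"file_activity"},
    "T1190": {"web_server", "waf"},
    "T1078": {"windows_logon", "cloud_signin"},
    "T1105": {"proxy", "endpoint_process"},
}

# Telemetry the hypothetical organisation collects today.
COLLECTED = {"email_gateway", "endpoint_process", "windows_logon", "proxy"}


def technique_scores(profiles):
    """Summed weight of every adversary expected to use each technique."""
    scores = defaultdict(float)
    for profile in profiles.values():
        for technique in profile["techniques"]:
            scores[technique] += profile["weight"]
    return {t: round(s, 6) for t, s in scores.items()}


def missing_telemetry(technique, required, collected):
    return required[technique] - collected


def detection_build_order(profiles, required, collected):
    """Techniques ranked by adversary weight, with the telemetry each still lacks.
    Entries whose 'missing' set is empty can be built today."""
    scores = technique_scores(profiles)
    order = sorted(scores, key=lambda t: (-scores[t], t))
    return [(t, scores[t], missing_telemetry(t, required, collected)) for t in order]


def telemetry_priorities(profiles, required, collected):
    """Uncollected telemetry ranked by the adversary weight it would unblock."""
    scores = technique_scores(profiles)
    gain = defaultdict(float)
    for technique, score in scores.items():
        for source in missing_telemetry(technique, required, collected):
            gain[source] += score
    return sorted(((s, round(g, 6)) for s, g in gain.items()),
                  key=lambda sg: (-sg[1], sg[0]))


if __name__ == "__main__":
    for technique, score, missing in detection_build_order(PROFILES, REQUIRED_TELEMETRY, COLLECTED):
        state = "buildable now" if not missing else "blocked on " + ", ".join(sorted(missing))
        print(f"{technique:10s} {score:.2f}  {state}")
    print("onboard next:", telemetry_priorities(PROFILES, REQUIRED_TELEMETRY, COLLECTED)[:3])
```

The two outputs are the rationale the section asks for: the build order says which detections the primary adversaries justify first and which of those are already buildable, and the telemetry ranking says which log source to onboard next because of the adversary weight it unblocks, which is an argument that can be put to leadership in terms of named adversaries rather than generic capability.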
