Track 1 · Digital Security

Intelligence-led cyber defense: from threat landscape to recovery

The digital track covers seven of the nine phases of the Doctrine Security framework. Each phase is continuous, feeds the next, and is grounded in intelligence about the specific adversaries most likely to target your organization.

Threat Landscape & Attack Surface

Know who is coming, what they can see, and where your real exposure sits — before you build a single detection.

Read deep dive →

Log Intelligence & Infrastructure

Field-level analysis, adaptability framework, pipeline integrity — managing logs as intelligence, not cost.

Read deep dive →

Detection Engineering & Automation

Summiting the Pyramid scoring, four gap types, SOAR automation, bespoke tooling, SIEM migration.

Read deep dive →

Intelligence-led Threat Hunting

Intel-driven hypothesis building — not calendar cadence. Hunt findings feed detection and log strategy.

Read deep dive →

Executive threat profiling, digital footprint, continuous monitoring, OPSEC, surveillance awareness, foreign travel, family protection.

Read deep dive →

Purple team, BAS, red team — continuous validation scored using Summiting the Pyramid methodology.

Read deep dive →

DFIR — Investigation & Forensics

Forensic readiness before you need it. Preservation before restoration. DFIR findings feeding the program.

Read deep dive →

Intelligence-led Recovery

Crown jewel identification, adversary-specific DR, backup isolation, root cause before restoration.

Read deep dive →

The Executive Officer equivalent — synthesizing across all disciplines. The role enterprise security is missing.

Read deep dive →

Referenced frameworks — each linked to the source

Adversary tactics, techniques, and procedures. The shared language for threat-informed defense.

attack.mitre.org ↗

Summiting the Pyramid

MITRE CTID methodology for scoring detection robustness against adversary evasion. December 2024.

ctid.mitre-engenuity.org ↗

Defensive techniques mapped to adversary techniques. Countermeasure framework.

d3fend.mitre.org ↗

Tactics and techniques for adversarial attacks on machine learning systems and AI-enabled threats.

atlas.mitre.org ↗

Adversary engagement framework — denial, deception, and adversary manipulation.

engage.mitre.org ↗

Cyber Kill Chain

Lockheed Martin's intrusion kill chain — reconnaissance through actions on objectives.

lockheedmartin.com ↗

Unified Kill Chain

Extended 18-phase model unifying Kill Chain and ATT&CK for more complete attack modeling.

unifiedkillchain.com ↗

Intrusion analysis framework mapping adversary, capability, infrastructure, and victim relationships.

activeresponse.org ↗

Deep dive articles

The Methodology

Intelligence-led enterprise security: the complete framework

Phase 1

Before you build a single detection, know who is coming for you

Phase 2

Your logs are telling you something. Are you listening?

Phase 3

Close the gap between what you can detect and what you need to

Phase 4

Threat hunting is not a calendar event

Phase 6

Does your defense actually work? Here is how to find out.

Phase 7

You will be breached. The question is whether you are ready.

Phase 8

Recovery is not restore-from-backup. It is a security operation.

Phase 9

The role enterprise security is missing