The Methodology
Nine interdependent phases. A continuous feedback loop. Built from military intelligence doctrine and applied to enterprise security — because the adversary has a plan, and most organizations don't know what it is.
Adversary profiling · IR data mining · Attack surface mapping · Third-party risk · ISAC intelligence
Intelligence-led security starts with a single question: who are the adversaries most likely to target your organization, and what does your environment look like from their perspective? Most programs skip this step and instrument broadly against generic threats — then discover their specific adversary's techniques only after an incident. By then, the education has already cost them.
Threat landscape analysis produces a prioritized adversary profile — objectives, preferred initial access vectors, documented TTPs mapped to MITRE ATT&CK, and the adversary's most likely course of action against your specific environment. Attack surface mapping then answers what the adversary can see from outside. Your own IR data — pivot rates, dwell times, initial access vectors — is the most accurate threat intelligence you have, because it is validated in your specific environment. Third-party and supply chain risk belongs here too: the adversary does not always come through your front door.
ISAC participation gives you sector-specific intelligence about what is actively happening to organizations like yours right now — not generic threat reports, but validated, current intelligence from organizations that share your adversary set.
Log source inventory · Field-level analysis · Adaptability framework · Pipeline integrity · Agent health
Most organizations manage logs as a cost problem. The question is always how to reduce ingestion to fit the SIEM budget. That framing misses what logs actually are: intelligence. Every log source is a collection asset. Every field within a log either supports detection, supports investigation, or holds future value. Managing logs as a cost without understanding their intelligence value is like cutting reconnaissance assets before an operation to save budget.
Three distinct problems get conflated: do you have the log source, do you have the right fields within it for behavioral detection, and are your systems actually sending what they are supposed to send? Pipeline integrity — agent health monitoring, expected versus actual log volume, automated alerting when a source goes silent — is where most programs have their most dangerous blind spots. Sophisticated adversaries kill logging before moving laterally. An unexpected drop in log volume is itself a detection signal.
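The pipeline integrity check described above, as an added example that is not part of the original page: it compares one window's observed volume per log source against a constructed baseline and reports sources that have gone silent or dropped sharply. Source names, baseline numbers and the 50% threshold are all assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed baseline: expected events per 10-minute window for each log source.
# Hypothetical numbers; a real baseline comes from the program's own volume history.
BASELINE = {
    "dc01-security": 1200,
    "edr-endpoints": 4500,
    "fw-perimeter": 9000,
}
WINDOW = timedelta(minutes=10)
DROP_THRESHOLD = 0.5   # flag a window that falls below 50% of the source's baseline


def count_by_source(events, window_start, window_end, sources):
    """Count events per source whose timestamp falls inside [window_start, window_end)."""
    counts = {src: 0 for src in sources}
    for src, ts in events:
        if src in counts and window_start <= ts < window_end:
            counts[src] += 1
    return counts


def pipeline_integrity_check(events, window_start, baseline=BASELINE, threshold=DROP_THRESHOLD):
    """Return (source, status, observed) findings for one window.
    'silent': a source that should be reporting sent nothing at all.
    'drop':   volume below threshold * baseline. Either one is a detection signal
              in its own right, not just an ops ticket: tampering with logging
              commonly precedes lateral movement.
    """
    counts = count_by_source(events, window_start, window_start + WINDOW, baseline)
    findings = []
    for src, expected in baseline.items():
        observed = counts[src]
        if observed == 0:
            findings.append((src, "silent", 0))
        elif observed < threshold * expected:
            findings.append((src, "drop", observed))
    return findings


# Constructed sample window: the domain controller has gone silent, EDR volume
# has collapsed to 600 events, and the firewall is reporting normally.
START = datetime(2025, 1, 6, 9, 0)
SAMPLE_EVENTS = (
    [("edr-endpoints", START + timedelta(milliseconds=50 * i)) for i in range(600)]
    + [("fw-perimeter", START + timedelta(milliseconds=50 * i)) for i in range(8500)]
)

if __name__ == "__main__":
    for finding in pipeline_integrity_check(SAMPLE_EVENTS, START):
        print(finding)
```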
Before recommending any source be cut, a proper adaptability analysis weighs detection value today, investigation value today, and potential future value if the threat landscape shifts. The cost conversation comes after the intelligence conversation — not instead of it.
MITRE ATT&CK mapping · Summiting the Pyramid · Gap analysis · SOAR automation · SIEM migration · Bespoke tooling
Detection engineering in an intelligence-led program starts from the adversary, not the tool. For each technique in your primary adversary's documented playbook: can you detect it, and how robustly? MITRE ATT&CK provides the framework. Summiting the Pyramid (CTID, Dec 2024) provides the scoring methodology — evaluating the behavioral dependencies inside each detection rule and scoring them by how resistant they are to adversary evasion. A detection built on a specific hash fires once and is bypassed tomorrow. A detection built on behavioral patterns regardless of tooling survives adversary evolution.
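The hash-versus-behavior contrast above, as an added example that is not from the page or from the Summiting the Pyramid project: two detections run over constructed process-creation events, one keyed on an exact file hash and one keyed on the behavior (an Office process launching a child from a user-writable path). The hash values, paths and the simplified behavioral rule are all assumptions for illustration; the scoring scale itself is not reproduced here.

```python
import ntpath

KNOWN_BAD_SHA256 = {"PLACEHOLDER-SHA256-OF-KNOWN-LOADER"}   # placeholder, not a real IoC
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def atomic_hash_detection(ev):
    """Bottom of the pyramid: fires only on an exact hash, so any rebuild evades it."""
    return ev["sha256"] in KNOWN_BAD_SHA256


def behavioral_detection(ev):
    """Higher on the pyramid: an Office process launching a child from a user-writable
    location, whatever the child is named or hashed as. Simplified illustrative rule."""
    parent = ntpath.basename(ev["parent"]).lower()
    return parent in OFFICE_APPS and ev["image"].lower().startswith(USER_WRITABLE)


def evaluate(events):
    """Map each event id to which of the two detections fired on it."""
    return {ev["id"]: {"hash": atomic_hash_detection(ev),
                       "behavior": behavioral_detection(ev)} for ev in events}


# Constructed events (Sysmon-style fields, simplified). Hashes are placeholders.
WORD = "C:\\Program Files\\Microsoft Office\\WINWORD.EXE"
EVENTS = [
    # 1: the known tool, unmodified: both detections fire
    {"id": 1, "parent": WORD, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\loader.exe",
     "sha256": "PLACEHOLDER-SHA256-OF-KNOWN-LOADER"},
    # 2: the same tool rebuilt under a new name and hash: only the behavioral rule fires
    {"id": 2, "parent": WORD, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "sha256": "PLACEHOLDER-SHA256-OF-REBUILT-LOADER"},
    # 3: ordinary user activity: neither fires
    {"id": 3, "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe", "sha256": "PLACEHOLDER-SHA256-OF-NOTEPAD"},
    # 4: Word spawning its print helper from a protected path: the behavioral rule stays quiet
    {"id": 4, "parent": WORD, "image": "C:\\Windows\\splwow64.exe",
     "sha256": "PLACEHOLDER-SHA256-OF-SPLWOW64"},
]

if __name__ == "__main__":
    for event_id, result in evaluate(EVENTS).items():
        print(event_id, result)
```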
Gap analysis across four types — data, tool, process, and posture — produces a prioritized engineering roadmap. Automation closes the analyst fatigue gap: the adversary uses automation at every phase of their operation, and a program that depends on humans to do what automation can do is structurally disadvantaged. When off-the-shelf tools cannot address the specific gap — field-level log analysis at scale, coverage scoring against a specific adversary's TTP set — bespoke tooling fills it, built with transparent, auditable logic that can be explained to leadership.
Additional frameworks that inform this phase: MITRE D3FEND · MITRE ATLAS · MITRE ENGAGE
Intel-led hypothesis building · Adversary course of action models · Hunt outputs feeding detection and logs
Threat hunting driven by calendar cadence is a periodic assessment with a hunting label. The adversary does not operate on your quarterly schedule. Intelligence-led threat hunting starts from a specific question built from adversary analysis: given what we know about our primary adversary's techniques and their most likely course of action against our environment, what behavioral indicators should we be looking for right now that our current detections would not catch?
Hypotheses are built from adversary course of action models — specific TTPs, documented behavioral signatures, your own IR data. The Diamond Model supports analysis by mapping adversary, capability, infrastructure, and victim relationships. Every hunt produces one of three outputs: a confirmed threat, a detection gap, or a data gap — and each feeds directly back into the program.
Executive threat profiling · Digital footprint · Continuous monitoring · OPSEC · Surveillance awareness · Foreign travel
It does not matter how well your systems are protected if the people who operate them are not. The adversary understood this before enterprise security did. Social engineering remains the most reliable initial access vector not because technical defenses have failed, but because the human layer is almost never treated with the same rigor as the technical layer.
The complete program: executive threat profiling using TRAP-18 behavioral assessment criteria, digital footprint assessment from open sources alone, continuous surface and dark web monitoring, OPSEC and surveillance awareness training, physical advance work, foreign travel protocol, persons of concern tracking, family protection, and incident response protocol built before it is needed — not improvised during one.
Purple team · Breach and Attack Simulation · Red team · Summiting the Pyramid applied to results
An annual penetration test answers a narrow question about a point in time. It does not tell you whether your detections fired, whether your analysts executed their playbooks, or whether your primary adversary would have been stopped. Purple teaming answers the question the annual pentest cannot: given our specific adversary's documented techniques, do our detections fire and where exactly does our visibility fail? Summiting the Pyramid scores the output. Breach and Attack Simulation provides continuous automated validation between exercises. MITRE ENGAGE maps the adversary engagement layer.
Forensic readiness · Scope of compromise · Evidence preservation · DFIR feeding the program
DFIR capability is built before you need it. The most costly DFIR mistake — made repeatedly — is restoration before investigation. Restoring without understanding the scope of compromise means restoring into a compromised environment. Every adversary technique confirmed during investigation is ground truth about how that adversary operates in your specific environment. Every gap in visibility that allowed them to operate undetected is a detection engineering requirement. DFIR is not just crisis response — it is the most accurate intelligence collection event your program will ever experience.
Crown jewel identification · Adversary-specific DR · Backup isolation · Root cause before restoration
Traditional disaster recovery planning is built around RTO and RPO. Intelligence-led recovery starts with the adversary's most likely destructive course of action and builds around that. Crown jewel identification determines recovery prioritization. Backup architecture is evaluated against adversary TTPs — ransomware operators go after backups first. Root cause must be established before restoration begins. Restoring without closing the door means the adversary walks back in.
The Executive Officer equivalent · Synthesizing across disciplines · Translating between technical and leadership
Nine interdependent disciplines must be continuously synchronized. Threat intelligence feeds detection engineering. Detection gaps feed log strategy. DFIR findings feed hunting hypotheses. This program requires someone who understands all nine disciplines well enough to synthesize across them, recognize when one discipline's output should change another's priorities, and translate between technical teams and leadership. The CISO is too far from the operational detail. A senior analyst is too deep in a single discipline. The integrator is the role that sits between them — and it is the rarest capability in enterprise security.