Thinking

Intelligence-led security — in depth

Deep dives on each phase of the framework. Written for CISOs and security leaders, not for vendors. Every framework reference is cited. Every claim is sourced.

Phase deep dives
Phase 1 · Threat Landscape
Before you build a single detection, know who is coming for you
Adversary profiling, IR data mining, attack surface mapping, third-party risk, ISAC intelligence.
Phase 2 · Log Intelligence
Your logs are telling you something. Are you listening?
Field-level analysis, the adaptability framework, pipeline integrity — managing logs as intelligence.
Phase 3 · Detection Engineering
Close the gap between what you can detect and what you need to detect
Summiting the Pyramid, four gap types, SOAR automation, SIEM migration, bespoke tooling.
Phase 4 · Threat Hunting
Threat hunting is not a calendar event
Intel-led hypothesis building, Indicators and Warnings doctrine, hunt outputs that feed the program.
Phase 5 · Human Security
Your strongest firewall has a LinkedIn profile
Executive threat profiling, TRAP-18, digital footprint, OPSEC, surveillance awareness, foreign travel, family protection.
Phase 6 · Validation
Does your defense actually work? Here is how to find out.
Purple team, BAS, red team — continuous validation scored using Summiting the Pyramid methodology.
Phase 7 · DFIR
You will be breached. The question is whether you are ready.
Forensic readiness before you need it, scope of compromise, preservation before restoration.
Phase 8 · Recovery
Recovery is not restore-from-backup. It is a security operation.
Crown jewel identification, adversary-specific DR, backup isolation, root cause before restoration.
Phase 9 · The Integrator
The role enterprise security is missing
The Executive Officer equivalent — synthesizing across disciplines, translating between technical and leadership.
Use Case · Iran & Adversarial AI
What a real threat actor teaches us about defense
IRGC-CEC, MOIS, cybercrime, AI use documented. Cited: 2025 NSS, CISA, Treasury, Unit 42, OpenAI.