Why Threat Intelligence

So I've been a cyber research analyst for over 2 years (as of December 2025), and I essentially cover the ecosystem of how managed cyber services start with the vendors and reach the end user (enterprise/SMB/SOHO) through the channel (GSI, MSP/MSSP, Telco, etc.). It has not been an easy journey, and I wouldn't have made it this far without some brilliant, patient, and generous folks guiding and teaching me.

However, I'm masochistic and nosy, so I decided that I should also be privy to how threat actors are organizing themselves and writing malware.

In my current case of interest in threat intel and malware analysis, there are 3 general drivers, and we'll look at them going from a specialized, technical view to a broader, global view:

i) Effective technology and service assessment.

My role involves assessing both the service (aka the analysts/engineers) and the technology (aka DR tools). Initially a lot of it was about understanding the business side of the house and identifying industry trends like proactive security, which focuses on TI, but I am also interested in better understanding the technology platforms on which these services are delivered.

I need to understand how detection is done in modern EDR/XDR, and how threat intelligence feeds into building more robust detection platforms.

ii) Understanding threat actors, industry, and segment targets as folks are moving to proactive security.

But I soon realized I need to understand how threat actors work. This doesn't just mean what industries they target, but all the way down to how they are crafting campaigns and custom malware. This allows me to have more in-depth conversations with vendor product teams. So I started to look at how DR technologies work (Suricata, Snort) and how malware evades detection (obfuscation). It's also a way for me to differentiate myself from established industry analysts. Next I need to see what threats each industry and market segment faces: what are the cyber-crime groups and APTs targeting individually? Whether that's for-profit (those with spider names) or APTs from the RIC unholy trinity (bear, kitten, panda, and chollima).

iii) Geopolitics/macroeconomics and cybersecurity in hybrid and asymmetric warfare.

Naturally, as we examine cyber-crime groups and APTs, we drift into the murky territory of nation-state sponsored threat actors and how they collaborate and specialize.

Another way I differentiate my research is that I include geopolitical and macroeconomic angles. Naturally, I started to look into how these 2 factors influence threat actor decisions.

— Geopolitics example: increase in EU cyber attacks during RU-UK conflict.

— Macroeconomic example: increase in cyber-crime during economic downturns.

— This is also how I wound up in AC’s MLP.

Full disclosure, the resources I've used in this threat intel journey:

— folks kind enough to answer my questions without having flashes of the movie Idiocracy

— Paul Chin's Beginners course on reverse engineering and malware analysis on Udemy

— TryHackMe's SOC2 Learning Path

— TI/malware books such as Practical Malware Analysis by Michael Sikorski & Andrew Honig

— Google-fu and Gemini/ChatGPT-prompting-fu (to learn; you bet I write every sentence, paragraph, and article myself)
