Future of Threat Intelligence

The criminal underground is experiencing its own version of startup disruption, with massive ransomware-as-a-service operations fragmenting into smaller, more agile groups that operate like independent businesses. John Fokker, Head of Threat Intelligence at Trellix, brings unique insights from monitoring hundreds of millions of global sensors, revealing how defenders' success in EDR detection is paradoxically driving criminals toward more profitable attack models. His team's systematic tracking of AI adoption in criminal networks provides a fascinating parallel to legitimate business transformation, showing how threat actors are methodically testing and scaling new technologies just like any other industry. Drawing from Trellix's latest Global Threat Report, John tells David why the headlines focus on major enterprise breaches while the real action happens in the profitable mid-market, where companies have extractable revenue but often lack enterprise-level security budgets. This conversation offers rare visibility into how macro trends like AI adoption and improved defensive capabilities are reshaping criminal business models in real-time.  Topics discussed: The systematic fragmentation of large ransomware-as-a-service operations into independent criminal enterprises, each focusing on specialized capabilities rather than maintaining complex hierarchical structures. How improved EDR detection capabilities are driving a strategic shift from encryption-based ransomware attacks toward data exfiltration and extortion as a more reliable revenue model. The economic targeting patterns that focus on profitable mid-market companies with decent revenue streams but potentially limited security budgets, rather than the headline-grabbing major enterprise victims Criminal adoption patterns of AI technologies that mirror legitimate business transformation, with systematic testing and gradual scaling as capabilities prove valuable. The emergence of EDR evasion tools as a growing criminal service market, driven by the success of endpoint detection and response technologies in preventing traditional attacks. Why building trust in autonomous security systems faces similar challenges to autonomous vehicles, requiring proven track records and reduced false positives before organizations will release human oversight. The strategic use of global sensor networks combined with public intelligence to map evolving attack patterns and identify blind spots in organizational threat detection capabilities. How entropy-based detection methods at the file and block level can identify encryption activities that indicate potential ransomware attacks in progress. The evolution from structured criminal hierarchies with complete in-house kill chains to distributed networks of specialized service providers and independent operators. Key Takeaways:  Monitor entropy changes in files and block-level data compression rates as early indicators of ransomware encryption activities before full system compromise occurs. Prioritize EDR and XDR deployment investments to force threat actors away from encryption-based attacks toward less reliable data exfiltration methods. Focus threat intelligence gathering on fragmented criminal groups rather than solely tracking large ransomware-as-a-service operations that are splintering into independent cells. Implement graduated trust models for AI-powered security automation, starting with low-risk tasks and expanding autonomy as false positive rates decrease over time. Combine internal sensor data with public threat intelligence reports to identify blind spots and validate detection capabilities across multiple threat vectors. Develop specialized defense strategies for mid-market organizations that balance cost-effectiveness with protection against targeted criminal business models. Track AI adoption patterns in criminal networks using the same systematic approach businesses use for technology transformation initiatives. Build detection capabilities that identify lateral movement and privilege escalation activities that indicate advanced persistent threat presence in network environments. Establish incident response procedures that account for data exfiltration and extortion scenarios, not just traditional encryption-based ransomware attacks. Create threat hunting programs that specifically target EDR evasion tools and techniques as criminals increasingly invest in bypassing endpoint detection technologies.

Martin Naydenov shares insights from a recent cybersecurity conference, highlighting the gap between AI marketing hype and real-world implementation. Security teams remain wary of AI features due to trust issues, complicating their integration into daily operations. As threat actors rapidly adopt AI for attacks, the urgency for security professionals to build effective strategies increases. The discussion reveals the dual-edged nature of AI in cybersecurity, emphasizing the need for vendors to develop trust frameworks alongside innovative capabilities.

In our latest episode of The Future of Threat Intelligence, recorded at RSA Conference 2025, AJ Nash, Founder & CEO, Unspoken Security, provides a sobering assessment of AI's transformation of cybersecurity. Rather than focusing solely on hype, AJ examines the double-edged nature of AI adoption: how it simultaneously empowers defenders while dramatically lowering barriers to entry for sophisticated attacks. His warnings about entering a "post-knowledge world" where humans lose critical skills and adversaries can poison trusted AI systems offer a compelling counterbalance to the technology's promise. AJ draws parallels to previous technology trends like blockchain that experienced similar hype cycles before stabilizing, but notes that AI's accessibility and widespread applicability make it more likely to have lasting impact. He predicts that the next frontier in security will be AI integrity verification — building systems and organizations dedicated to ensuring that the AI models we increasingly depend on remain trustworthy and resistant to manipulation. Throughout the conversation, AJ emphasizes that while AI will continue to evolve and integrate into our security operations, maintaining human oversight and preserving our knowledge base remains essential. Topics discussed: The evolution of the RSA Conference and how industry focus has shifted through cycles from endpoints to threat intelligence to blockchain and now to AI, with a particularly strong emphasis on agentic AI. The double-edged impact of AI on workforce dynamics, balancing the potential for enhanced productivity against concerns that companies may prioritize cost-cutting by replacing junior positions, potentially eliminating career development pipelines. The risk of  AI-washing similar to how "intelligence" became a diluted buzzword, with companies claiming AI capabilities without substantive implementation, necessitating deeper verification — and even challenging — of vendors' actual technologies. The emergence of a potential "post-knowledge world" where overreliance on AI systems for summarization and information processing erodes human knowledge of nuance and detail. The critical need for AI integrity verification systems as adversaries shift focus to poisoning models that organizations increasingly depend on, creating new attack surfaces that require specialized oversight. Challenges to intellectual property protection as AI systems scrape and incorporate existing content, raising questions about copyright enforcement and ownership in an era where AI-generated work is derivative by nature. The importance of maintaining human oversight in AI-driven security systems through transparent automation workflows, comprehensive understanding of decision points, and regular verification of system outputs. The parallels between previous technology hype cycles like blockchain and current AI enthusiasm, with the distinction that AI's accessibility and practical applications make it more likely to persist as a transformative technology. Key Takeaways:  Challenge AI vendors to demonstrate their systems transparently by requesting detailed workflow explanations and documentation rather than accepting marketing claims at face value. Implement a "trust but verify" approach to AI systems by establishing human verification checkpoints within automated security workflows to prevent over-reliance on potentially flawed automation. Upskill your technical teams in AI fundamentals to maintain critical thinking abilities that help them understand the limitations and potential vulnerabilities of automated systems. Develop comprehensive AI governance frameworks that address potential model poisoning attacks by establishing regular oversight and integrity verification mechanisms. Establish cross-organizational collaborations with industry partners to create trusted AI verification authorities that can audit and certify model integrity across the security ecosystem. Document all automation workflows thoroughly by mapping decision points, data sources, and potential failure modes to maintain visibility into AI-driven security processes. Prioritize retention of junior security positions to preserve talent development pipelines despite the temptation to replace entry-level roles with AI automation. Conduct regular sampling and testing of AI system outputs to verify accuracy and detect potential manipulation or degradation of model performance over time. Balance innovation with security controls by evaluating new AI technologies for both their benefits and their potential to create new attack surfaces before deployment. Incorporate geopolitical and broader contextual awareness into threat intelligence practices to identify potential connections between world events and emerging cyber threats that AI alone might miss.

In this special RSA 2025 episode of The Future of Threat Intelligence, David speaks with Jawahar Sivasankaran, President of Cyware, about their partnership with Team Cymru to democratize threat intelligence. Jawahar outlines how their CTI program in a box approach enables organizations to implement comprehensive threat intelligence capabilities in weeks rather than months.  Jawahar offers a unique perspective on industry progress and remaining challenges in collaborative defense. This conversation explores the practical realities of operationalizing threat intelligence for organizations beyond the most mature security teams, the current implementation of AI in security operations, and a thoughtful assessment of how automation will reshape security careers without eliminating the need for human expertise. Topics discussed: How Cyware's partnership with Team Cymru creates turnkey threat intelligence solutions with pre-configured use cases and clear outcomes for rapid implementation. The critical gap in threat intelligence sharing between private and public sectors despite overall industry progress in security capabilities. Cyware's work with ISACs to facilitate bi-directional threat intelligence sharing that benefits organizations at varying maturity levels. Current implementation of AI through Cyware's Quarterback module, featuring knowledge bots and NLP capabilities beyond future aspirations. Multi-agent AI approach to threat-centric automation that focuses on enriching and correlating intelligence for actionable outcomes Historical perspective on industry disruption and how AI will transform security careers by automating basic tasks while creating new opportunities in design, architecture, and human-machine collaboration. The evolution of security solutions over two decades of RSA conferences and whether the industry is making meaningful progress against adversaries. Practical strategies for implementing comprehensive threat intelligence programs without months of planning and configuration.   Key Takeaways:    Implement a "CTI program in a box" approach to accelerate threat intelligence adoption, reducing deployment time from months to weeks through pre-configured use cases with clear, measurable outcomes. Establish bi-directional threat intelligence sharing between private and public sectors to strengthen collective defense capabilities against emerging adversary tactics and behaviors. Leverage partnerships with ISACs to gain access to curated threat intelligence that has been validated and contextualized for your specific industry vertical. Deploy AI-powered knowledge bots with NLP capabilities to help your security team more efficiently process and action threat intelligence data without requiring extensive expertise. Adopt a multi-agent AI approach for security operations that enriches threat intelligence, correlates information across sources, and recommends specific defensive actions. Evaluate your organization's cyber threat intelligence maturity honestly, recognizing that even large enterprises and government agencies often struggle with operationalizing intelligence effectively. Streamline threat intelligence implementation through turnkey solutions that provide unified platforms rather than attempting to build capabilities from scratch. Balance AI automation with human expertise in your security operations, recognizing that technology will transform job functions rather than eliminate the need for skilled professionals. Transform basic security workflows into threat-centric processes that focus on actionable outcomes rather than just data collection and processing. Prioritize collaborative defense mechanisms that benefit organizations with varying levels of security maturity, particularly those downstream that lack advanced threat identification capabilities. Listen to more episodes:  Apple  Spotify 

In a world obsessed with cutting-edge security technology, Lonnie Best, Senior Manager of Detection & Response Services at Rapid7, makes a compelling case for mastering the fundamentals. After transitioning from craft beer journalism through nuclear security to cybersecurity, Lonnie witnessed the evolution of ransomware attacks from "spray and pray" tactics to sophisticated credential theft and security tool disablement.  His insights reveal why 54% of incident response engagements still trace back to inadequate MFA implementation, and why understanding "how computers compute" creates better security professionals than certifications alone. Lonnie also shares practical wisdom on building effective security operations, avoiding analyst burnout, and measuring program success. As AI increasingly handles tier-one alert triage, he predicts the traditional junior analyst role will fundamentally change within 5-10 years — though human expertise will always remain essential for validating what machines uncover. Topics discussed: The evolution of attack sophistication from "spray and pray" ransomware to targeted credential theft and security tool disablement, requiring more comprehensive detection capabilities. How managed detection and response (MDR) services have evolved to provide enterprise-grade security capabilities to organizations lacking internal resources or security maturity. The critical components of building an effective internal SOC: centralized logging through SIEM implementation, specialized security expertise across multiple domains, and leadership strategies to combat analyst burnout. Implementing AI and machine learning for tier-one alert triage to reduce analyst fatigue while maintaining human oversight for validation, with predictions that traditional junior analyst roles will transform within 5-10 years. Why traditional metrics like alert closures fail to accurately measure SOC analyst performance, requiring more nuanced approaches focusing on contribution quality rather than quantity. The hiring dilemma of attitude versus aptitude in security analysts, revealing why foundational system administration experience creates more effective investigators than certifications alone. Strategies for preventing analyst burnout through appropriate tooling, staffing levels, and leadership practices that recognize security's 24/7 operational demands. The persistent gap between security knowledge and implementation, as demonstrated by 54% of incident response engagements in 2024 resulting from inadequate MFA deployment or enforcement. Practical fundamentals for effective security: comprehensive asset inventory, attack surface management, vulnerability remediation, and understanding where critical assets reside. Key Takeaways:  Implement multi-factor authentication across all access points to address the root cause behind 54% of incident response engagements in 2024, according to Rapid7's metrics. Build your security operations center with centralized logging through SIEM implementation as the core foundation before expanding detection capabilities. Recruit security analysts with system administration experience rather than just certifications to ensure practical understanding of system behavior and anomaly detection. Deploy AI and machine learning solutions specifically for tier-one alert triage to combat analyst fatigue while maintaining human oversight for validation. Create comprehensive asset inventories that identify and map all crown jewels and their access paths before implementing advanced security controls. Develop leadership strategies that address security's 24/7 operational demands, including appropriate time-off policies and workload management to prevent burnout. Measure security operations performance through nuanced metrics beyond alert closures, focusing on the quality of investigations and genuine threat detection. Structure your security team with specialized roles (threat hunting, cloud detection, malware analysis) to create effective career paths and deeper expertise. Incorporate regular one-on-one meetings with security analysts to assess performance challenges and identify improvement areas beyond traditional metrics. Prioritize attack surface management alongside vulnerability remediation to understand how attackers could gain entry and navigate toward critical assets. Listen to more episodes:  Apple  Spotify  YouTube Website

From cleaning up after an insider theft of the notorious Pegasus spyware to safeguarding billions in payment transactions, Nir Rothenberg brings battlefield-tested security leadership to his role as CISO/CIO at Rapyd, and joins David on this episode of The Future of Threat Intelligence to share all his lessons learned.  In this no-holds-barred conversation , Nir delivers a wake-up call to security leaders still pretending they can defend against everything, offering instead a radical prioritization framework shaped by watching elite hackers routinely break supposedly "unbreakable" systems.  Nir challenges conventional CISO thinking by ruthlessly eliminating theoretical threats from his roadmap, explaining why even Google-level security can't ultimately stop determined nation-state attackers, and providing practical strategies for focusing resources exclusively on threats that organizations can realistically defend against. Topics discussed: The challenges of prioritizing security efforts based on attacker capability tiers, focusing resources on threats that can realistically be defended against rather than top-tier nation-state actors. How working with elite offensive security teams fundamentally transforms a defender's understanding of what's feasible in attack scenarios and reshapes security investment decisions. The evolution of breach disclosure practices and why current placative approaches prioritize shareholder confidence over sharing actionable details that would help other defenders. Strategic approaches to developing security capabilities through partnerships rather than building in-house, particularly for specialized functions like threat intelligence. Why even major crypto breaches often stem from preventable issues like social engineering rather than sophisticated technical exploits, and how to prioritize defenses accordingly. Practical strategies for combating CISO burnout through focused prioritization and avoiding the tendency of boiling the ocean that leads to ineffective security programs. Creating collaborative security ecosystems that leverage the numerical advantage defenders have over attackers when working together effectively. How to extract meaningful intelligence from breaches beyond just indicators of compromise, focusing on understanding attacker methodologies and misconfigurations that can be tested and remediated. Key Takeaways:  Prioritize security resources based on attacker capability tiers, focusing efforts on threats that can realistically be defended against rather than top-tier nation-state actors that will find a way in regardless of defenses. Implement a strategic partnership approach with specialized security vendors instead of building capabilities like threat intelligence in-house, leveraging their decades of experience to enhance your security posture more efficiently. Demand more detailed technical information in breach disclosures from vendors and partners, seeking specific misconfigurations and vulnerabilities that were exploited rather than just indicators of compromise. Position your security leadership role within the management team to enable greater impact, reducing bureaucratic barriers to implementing innovative security controls and technologies. Evaluate emerging security startups as design partners before they become widely known, creating a competitive advantage through early access to cutting-edge security capabilities. Challenge theoretical security risks like AI data exposure by comparing them with documented threats that have caused actual damage, allocating resources proportionally to proven rather than hypothetical dangers. Leverage M&A transitions as opportunities to eliminate technical debt and modernize security practices rather than just viewing them as risk events requiring assessment. Adopt comprehensive breach intelligence sources like the Verizon Breach Report to compensate for the limited technical detail in most public breach disclosures. Combat CISO burnout by focusing exclusively on security elements you can control and impact. Create collaborative security ecosystems with partners, vendors, and internal teams to maximize the numerical advantage defenders have over attackers when working together effectively.

Jill Rhodes, SVP & CISO at Option Care Health, shares her unconventional journey from international development lawyer stationed in Bolivia and Moscow to healthcare leader, where she built the security program from the ground up as the organization's first CISO. Jill outlines for David how a transformative assignment at an intelligence agency sparked her cybersecurity passion before she helped build cloud environments for the intelligence community.  Now, she's leveraging this background to develop what she calls the rainbow of security — a visual security model for board communications — while building a security culture so pervasive that employees discuss security without her team present. Her approach, balancing legal analytical thinking with strategic security vision, demonstrates how healthcare CISOs can navigate a complex regulatory landscape of HIPAA plus 50 different state laws while maintaining the essential visibility needed for comprehensive threat intelligence. Topics discussed: Transforming organizational behavior through the Ambassador Program that deploys 100+ non-technical employees as security advocates. Conducting pre-meeting content reviews with non-technical audiences including family members and business partners to ensure security concepts are translated from technical language into business value propositions. Navigating the complex healthcare regulatory landscape that requires simultaneous compliance with federal HIPAA requirements and 50 distinct state privacy laws versus the unified security framework of intelligence agencies. Implementing the rainbow of security visualization framework that maps security controls from perimeter to internal systems, making complex security architecture understandable to board members while facilitating threat intelligence integration. Building security teams through maturity-based prioritization by conducting comprehensive security maturity assessments before hiring, then strategically filling gaps starting with technical experts to complement leadership's strategic orientation. Measuring security program effectiveness through cultural integration metrics rather than technical KPIs by tracking whether security considerations arise organically in conversations when security personnel aren't present. Applying intelligence community verification methodology to threat intelligence by requiring multiple non-derivative data sources to validate information, particularly crucial as healthcare-specific threat intelligence accessibility has declined. Key Takeaways:  Implement a security ambassador program by recruiting non-technical employees across your organization to meet monthly, discuss security topics relevant to both work and personal life, and serve as security advocates within their departments. Translate technical security concepts for board presentations by testing your content on non-technical family members and business partners first — if they don't understand it, executives won't either. Construct your security team strategically by first conducting a comprehensive security maturity assessment to identify gaps, then hiring for skills that complement leadership's background rather than duplicating existing expertise. Develop a visual security framework that maps controls from perimeter to internal systems, making complex architecture understandable to executives while providing structure for threat intelligence integration. Measure security program effectiveness through cultural indicators rather than just technical metrics, specifically tracking whether security considerations arise organically in conversations when security personnel aren't present. Validate threat intelligence using the intelligence community verification methodology by requiring multiple non-derivative data sources before acting on information, especially important as healthcare-specific intelligence becomes less accessible. Navigate complex healthcare regulations by partnering closely with privacy, compliance, and business teams to create a collaborative approach to security rather than viewing it as a balance between competing priorities. Build security partnerships across departments, especially with finance, privacy, and compliance teams, to frame security risks in business language rather than technical terms and strengthen organizational buy-in. Transform security behaviors by comparing security adoption to the evolution of seatbelt use — initially resisted but eventually becoming automatic — to normalize security practices throughout the organization. Apply intelligence community analytical thinking to private sector security challenges by focusing on asking the right questions rather than having all the technical answers, particularly valuable for CISOs with non-technical backgrounds.

In this episode of The Future of Threat Intelligence, Dmitri Alperovitch, Co-founder & Executive Chairman at Silverado Policy Accelerator and Author of World on the Brink: How America Can Beat China in the Race for the 21st Century, delivers a stark warning about the second Cold War with China that's unfolding, from military and nuclear arms races to space competition and technological rivalry.  Dmitri also shares how the Volt Typhoon intrusions represent deliberate "preparation of the battlefield" for potential conflict. He explains why Salt Typhoon could represent one of America's greatest counterintelligence failures. Topics discussed: The evolution of Chinese cyber operations from noisy, sloppy techniques in 2010 to today's sophisticated threats that represent unprecedented counterintelligence failures. How the Volt Typhoon intrusions into critical infrastructure serve as "preparation of the battlefield" designed to impede America's ability to defend Taiwan during potential conflict. The concrete evidence of China's Taiwan invasion preparations, including specialized bridge barges designed to land armored forces directly onto Taiwan's highways. Why Taiwan's 40% share of global semiconductor manufacturing creates catastrophic economic risk that could trigger a 5% compression in global GDP if disrupted. The fundamental flaw in prevention-focused security models and why CrowdStrike's hunt-focused approach better addresses persistent nation-state threats. Why the concept of "deterrence by denial" fails in cyberspace, unlike in physical warfare where anti-ship capabilities and other tactics can effectively deter invasion. The organizational dysfunction in US government cybersecurity, where even CISA lacks operational control over civilian networks and agencies operate in silos. Key Takeaways:  Implement a hunt-focused security strategy that assumes adversaries will penetrate initial defenses, allocating resources to rapidly detect and eject intruders during their post-exploitation activities before they can accomplish objectives. Evaluate your organization's target value to nation state actors rather than simply comparing your defenses to industry peers, recognizing that highly valuable targets will face persistent campaigns lasting years, regardless of defensive measures. Acknowledge the inherent tension between security and availability requirements in your industry, developing tailored frameworks that balance operational resilience against the risk of catastrophic compromise. Diversify semiconductor supply chains in your technology procurement strategy to reduce dependency on Taiwan-manufactured chips, preparing contingency plans for severe disruptions in global chip availability. Incorporate geopolitical risk analysis into your security planning, particularly regarding China-Taiwan tensions and the projected window of heightened vulnerability identified by intelligence experts. Revise incident response playbooks to address sophisticated nation-state intrusions like Volt Typhoon that target critical infrastructure as "preparation of the battlefield" rather than immediate data theft. Establish clear security governance across organizational silos, addressing the dysfunction that plagues even government agencies where CISA lacks operational control over civilian networks. Shift security metrics from prevention-focused measurements to detection speed, dwell time reduction, and ability to prevent objective completion even after initial compromise. Challenge assumptions about deterrence by denial in your security architecture, recognizing that unlike physical defenses, cyber adversaries have virtually unlimited attack vectors requiring fundamentally different defensive approaches. Prioritize protection of your most valuable digital assets based on adversary objectives rather than spreading resources evenly, recognizing that nation-state actors will specifically target strategic information regardless of general security posture. Join us for the 15th anniversary of RISE in San Francisco this April 8-9, where cybersecurity professionals, law enforcement, and threat intelligence analysts come together for two days of TLP-RED content sharing and hands-on collaboration in the fight against cybercrime.  Apply now at http://www.cymru.com/rise.   Listen to more episodes:  Apple  Spotify  YouTube Website

Wes Miller, a seasoned Research Analyst at Directions on Microsoft, sheds light on the security hurdles organizations face amid Microsoft's cloud innovation. He highlights the security gaps left by outdated on-premises systems like Exchange and Certificate Services, which are now vulnerable to attacks. Wes reveals that Microsoft Defender's update notes hold valuable threat intelligence and clarifies misconceptions about Active Directory and Entra ID. His insights urge enterprises to understand synchronization needs for robust identity protection and embrace third-party tools.

In this episode of The Future of Threat Intelligence, Jeffrey Caruso, Senior Analyst at Wikistrat & Author of Inside Cyber Warfare, shares examples of how teams with minimal budgets achieved kinetic effects through OT system manipulation — from destroying missile research facilities to compromising subway systems and burning down FSB-affiliated banks. His findings, based on two years documenting Ukrainian cyber operations, demonstrate how deep supply chain understanding and innovative attack methods are proving more effective than conventional nation-state capabilities.  Through methodical vendor system compromise and strategic engineering documentation exfiltration, he tells with David how these teams have developed techniques for creating cascading physical effects without entering Russian territory. Notably, they've demonstrated that successful cyber-physical attacks don't require massive resources; instead, success comes from understanding system interdependencies and supply chain relationships, combined with the ability to interrogate key technical personnel about specific system behaviors.  This research challenges traditional security models that emphasize tool stacks over team composition and suggests that adversary categorization (nation-state vs. criminal) may be less relevant than previously thought.   Topics discussed: How Ukrainian teams executed cyber-physical attacks by compromising vendor systems to obtain engineering diagrams and documentation, then exploiting OT vulnerabilities to create kinetic effects. Why commercial security tools face limitations in addressing these attack methods due to business model constraints and design approach. Technical examination of supply chain compromise techniques enabling physical infrastructure attacks, with examples of vendor system exploitation. Evidence supporting an "adversary agnostic" approach to defense rather than traditional threat actor categorization. Practical insights on building security teams by prioritizing mission focus and institutional loyalty over technical credentials. Analysis of how OT system trial-and-error testing creates new risks for critical infrastructure protection Key Takeaways:  Implement an adversary-agnostic defense strategy rather than focusing on threat actor categorization, as demonstrated by Ukrainian operations showing how even small teams can achieve nation-state-level impacts. Prioritize supply chain security assessments by mapping vendor relationships and identifying potential engineering documentation exposure points that could enable cyber-physical attacks. Establish comprehensive OT system monitoring to detect trial-and-error testing patterns that could indicate attackers attempting to understand system behavior for kinetic effects. Transform security team building by prioritizing veteran hiring and mission focus over technical credentials alone, focusing on demonstrated loyalty and motivation. Design resilient backup systems and fail-safes for critical infrastructure, operating under the assumption that primary defenses will be compromised. Evaluate commercial security tools against their fundamental design limitations and business model constraints rather than feature lists alone. Document all subsystems and interdependencies in OT environments to understand potential cascade effects that could be exploited for physical impact. Build security team loyalty through comprehensive support services, competitive compensation, and burnout prevention rather than relying on high-paid "superstar" hires. Develop verification checkpoints throughout automated security processes rather than assuming tool effectiveness, particularly for critical infrastructure protection. Create architectural resilience by assuming breach scenarios and implementing multiple layers of manual oversight for critical system changes. Join us for the 15th anniversary of RISE in San Francisco this April 8-9, where cybersecurity professionals, law enforcement, and threat intelligence analysts come together for two days of TLP-RED content sharing and hands-on collaboration in the fight against cybercrime.  Apply now at http://www.cymru.com/rise.   Listen to more episodes:  Apple  Spotify