The escalation of geopolitical tensions specifically focused on the Iranian Conflict over the last days of February 2026 has intensified the significant cyber and physical security risks to organizations globally. 

With threat activity emanating from advanced Iranian state-sponsored actors, aligned hacktivist collectives, and opportunistic criminal groups, security teams must remain agile, informed, and proactive. 

The Iranian Conflict Intelligence Dashboard has been updated to equip defenders with timely, high-fidelity intelligence that specifically reflects the dynamic threat environment shaped by this high-profile regional conflict with a heightened focus on Iran-linked activity.

Key Threat Actor Groups & Campaign Themes Tracked Include:

• IRGC-affiliated Cyber Units (e.g., APT33, APT34, APT39, APT42): Tracking activity from primary state-sponsored groups.
• Proxies and Ideological Hacktivist Actors: Monitoring activity from groups like CyberAv3ngers, APT IRAN, Handala Hack, Lulzsec, Dark Storm Team, GhostSec, Cyber Islamic Resistance, and others aligned with Iranian strategic interests.
• Coordinated Influence and Disinformation Campaigns.
• OT and Critical Infrastructure Targeting Efforts, particularly those targeting Israeli and Western assets.

Rather than tracking isolated threats, the –Iranian Conflict Intelligence Dashboard dashboard provides strategic context and operational detail across the broader cyber conflict spectrum, enabling faster detection, response, and mitigation.

Key Benefits:

• Conflict-Centric Intelligence Aggregation – Centralized indicators of compromise (IOCs), TTPs, and threat insights related to Iranian-linked campaigns, sourced from open source intelligence (OSINT), premium threat feeds, and internal telemetry.
• Live Threat Environment Tracking – Monitors shifts in activity across major adversary groups, cyber incidents, defacements, DDoS campaigns, and geopolitical events fueling escalation.
• Accelerated Incident Response – Enriched and correlated intelligence to support triage, prioritization, and response activities during periods of elevated tension or retaliatory operations.
• Custom Visualization & Analysis – Interactive dashboards featuring timeline analysis, actor overlap matrices, infrastructure clustering, and geographic threat origination maps.
• ThreatConnect Automation Integration – Seamless correlation with existing ThreatConnect adversary profiles, intrusion sets, and signature-based alerts to identify high-risk overlaps with organizational environments.

Leveraging this dashboard allows security teams to anticipate conflict-related threats, understand attacker motivations, and tailor defenses to emerging risks as the Iranian cyber conflict evolves.

Specific Intelligence Focus: Iranian Malware List

• APT42: tamecat, tabbycat, vbrevshell, powerpost, brokeyolk, chairsmack, asyncrat
• APT34: powbat, powruner, bondupdater
• APT33: shapeshift, dropshot, turnedup, nanocore, netwire, alfa shell
• Other Related Malware: Gh0st Rat, quasarrat, amadey, bittersweet, cointoss, lateop

Specific Intelligence Focus: Iranian ICS Targets

ICS Systems Likely to be targeted by Iranian threat actors (based on analysis like the Censys report):

• “Unitronics” or (“Vision” AND (PLC OR HMI))
• “Tridium” or “Niagara”
• “Orpak” or “SiteOmat”
• “red lion”

Dashboard Components Include:

1. Indicators linked to state-sponsored and proxy cyber operations.
2. Threat groups aligned to Iranian strategic cyber interests.
3. Reports and advisories referencing the conflict, regional escalations, or actor-attributed activity.
4. Campaign tracking with attribution timelines, victimology insights, and strategic objectives.
5. MITRE ATT&CK techniques used by affiliated groups, mapped to known incidents.
6. Keyword and tag intelligence trends across conflict-related reporting.
7. Infrastructure associations (e.g., shared IPs, domains, malware hashes).
8. Actor and alias mapping, including cross-reference to public and private sector intelligence.
9. Vulnerabilities linked to recent Iran intelligence activity.

Screen Capture of Iranian Conflict Intelligence Dashboard

To gain access to the Iranian Conflict Intelligence Dashboard, please reach out to your Customer Success team or reach out to us through our contact form.

The dashboard is also available here, and can be added manually to your ThreatConnect instance.

The post Iranian Conflict Intelligence Dashboard Immediately Available for ThreatConnect appeared first on ThreatConnect.

A Practical Guide for MSSPs to Turn Alert Noise into Defensible Security Outcomes

Managed Security Service Providers (MSSPs) generate an enormous volume of alerts every day. Yet many MSSP customers still ask the same question: “What did this actually protect us from?”

This gap between alert activity and perceived security value has become one of the biggest challenges facing modern MSSPs. As environments grow more complex and adversaries more targeted, detection strategies built on generic signals and static rules increasingly fall short.

The issue isn’t a lack of data. It’s a lack of context.

The Detection Value Gap Facing Modern MSSPs

Most MSSPs are not struggling because they lack detections. They’re struggling because those detections don’t consistently map to real-world risk.

Common symptoms of this include:

• High alert volume with low investigative confidence
• SIEM dashboards that show activity, but not threat intent
• Off-the-shelf threat intelligence feeds that surface indicators without explanation
• Detection tuning performed without visibility into customer-specific threats

In many cases, alerts fire without answering the questions customers care about most:

• Who is likely behind this activity?
• Is this attacker relevant to my industry?
• Does this behavior indicate a real attack path?
• Why should this alert take priority over others?

When those questions go unanswered, MSSPs end up delivering noise instead of signal — undermining trust and obscuring the true value of their services.

What is Threat Intelligence-Informed Detection?

Threat intelligence-informed detection is the practice of engineering and prioritizing security alerts based on a deep, systematic understanding of real-world adversary behavior.

Rather than relying on indicators — such as file hashes, domains, or IP addresses that attackers can quickly change — this approach focuses on the Tactics, Techniques, and Procedures (TTPs) adversaries use to achieve their goals. While indicators expire, attacker behavior tends to remain consistent over time.

For MSSPs, this shift is critical. Customers don’t benefit from alerts that simply confirm something happened. They need detections that explain what an attacker is trying to do, why it matters, and how likely it is to impact their environment.

Threat intelligence–informed detection prioritizes alerts that reflect real attacker intent, enabling MSSPs to deliver clearer signals, stronger prioritization, and more defensible security outcomes.

Traditional Detection vs. Threat-Informed Detection 

Traditional Detection	Threat-Informed Detection
Reactive: Responds to any generic suspicious activity.	Proactive: Engineers detections to stop known adversary methods.
Volume-Focused: Alerts on all known bad indicators (IOCs).	Context-Focused: Alerts on high-fidelity behaviors tied to risk.
Tool-Centric: Relies on whatever rules come “out of the box.”	Intelligence-Driven: Customizes rules based on current threat intel.

 

The Threat-Informed Detection Operating Model
In practice, threat intelligence–informed detection relies on a structured operating model that connects intelligence, detections, and validation. Most threat-informed detection programs use the MITRE ATT&CK framework to map detection coverage against known adversary techniques.

This allows MSSPs to:

• Identify which attacker behaviors are covered
• Highlight gaps in detection
• Communicate detection strategy clearly to customers and stakeholders

ATT&CK provides a shared vocabulary that ties intelligence, detections, and reporting together.

Common Detection Methodologies Used by MSSPs

Most MSSPs rely on a combination of detection methodologies, each with distinct strengths and limitations.

Threat Intelligence–Informed Detection
TI-informed detection is anchored in adversary tradecraft and real-world TTPs. It’s proactively aligned to known attack patterns and enables clear prioritization and explanation of alerts. It’s advantageous for MSSPs, because it scales across customers while preserving contextual relevance.

Alert-Driven Detection
Alert-driven detection is triggered by individual events or signatures and is focused on incident response and alert closure. However, it provides limited visibility into attacker intent or campaign context — often results in high alert volume with inconsistent value.

Behavioral Detection
Behavioral detection identifies anomalies based on deviations from baseline behavior and is commonly powered by machine learning. It’s an effective methodology for unknown threats, but it can be difficult to explain and tune at scale.

Exposure-Led Detection
Exposure-led detection prioritizes structural weaknesses and misconfigurations by modeling potential attack paths and choke points. It’s a valuable methodology for prevention and risk modeling, but it’s less effective for detecting active adversary campaigns.

Methodology	Focus	Approach
Threat-Informed	Adversary TTPs	Proactive; uses frameworks like MITRE ATT&CK
Alert-Driven	Isolated signals	Reactive; focuses on incident closure
Behavioral	Internal anomalies	Baseline-driven; uses ML to spot deviations
Exposure-Led	Structural weakness	Logical; models paths and configuration “choke points”

 

Why Threat-Informed Detection is the Most Effective Approach for MSSPs

Threat intelligence–informed detection is widely considered the gold standard for mature security programs because it aligns detection coverage with how breaches actually occur.

Key advantages include:

• Focus on tactics most commonly used against a given industry
• Reduced noise through relevance-based prioritization
• Stronger links between detections and business risk
• More defensible allocation of security resources

For MSSPs, this approach ensures that time, tooling, and analyst effort are invested where they matter most — without overreacting or underinvesting.

Operationalizing Threat Intelligence–Informed Detections at Scale

To deliver threat-informed detections consistently, MSSPs need intelligence that is:

• Curated, not raw
• Risk-weighted, not flat
• Tailored to each customer’s industry and environment

This requires:

• Feeding SIEMs with intelligence aligned to active adversary campaigns
• Maintaining consistent detection logic across customers
• Scaling personalization without increasing analyst workload
• Preserving clear explanations for every alert generated

How ThreatConnect Enables Intelligence-Informed Detection

ThreatConnect helps MSSPs operationalize threat intelligence–informed detection by aligning intelligence, detections, and customer context.

With ThreatConnect, MSSPs can:

• Deliver curated, risk-weighted indicators tailored to each customer
• Align SIEM detections with adversary TTPs and active campaigns
• Provide clear rationale behind every alert
• Reduce irrelevant alerts while improving detection fidelity

Rather than adding more data, ThreatConnect helps MSSPs deliver actionable intelligence that supports confident decisions.

MSSP Business Outcomes

• Reduce False Positives — 43% information technology (IT) professionals say that more than 40% of their alerts are false positives. Intelligence-informed detections reduce noise by prioritizing indicators tied to real attacker behavior.
• Stronger QBR and Executive Conversations — Demonstrate that you flagged an attack campaign targeting their industry, before impact.
• Improved SIEM ROI — Customers gain higher signal-to-noise ratios, greater confidence in detections, and clear evidence that their SIEM investment is delivering value.

Moving from Alert Volume to Security Value

Detection effectiveness is no longer defined by how many alerts fire, but by how clearly those alerts map to real-world threats. Threat intelligence–informed detection allows MSSPs to prioritize the threats that matter most, communicate security value with clarity and confidence, and build long-term trust with customers.

For a deeper look at how modern MSSPs are scaling intelligence-driven services, explore Modern MSSP Services Powered by ThreatConnect.

The post From Noise to Signal: Crafting TI-Informed Detections for Real Security Value appeared first on ThreatConnect.

Why Vulnerability Prioritization Breaks Down for MSSPs — and How the Best Are Fixing It

When 95% of organizations are falling short of response time best practices, MSSPs who can consistently reduce mean time to respond (MTTR) don’t just improve security outcomes — they win and retain customers.

But faster response doesn’t come from more alerts, feeds, or dashboards alone. It comes from operationalizing how MSSPs prioritize vulnerabilities that actually matter.

The real differentiator for modern MSSPs is not how many vulnerabilities they detect. It’s how effectively they surface, prioritize, and justify the vulnerabilities that pose real risk right now.

And that’s where many providers struggle. Vulnerability prioritization is uniquely difficult for MSSPs — and most traditional approaches were never designed with service providers in mind.

What Vulnerability Prioritization Actually Means for MSSPs

For MSSPs, vulnerability prioritization is the process of deciding which vulnerabilities across many client environments should be addressed first to reduce real risk, not just theoretical severity.

Unlike internal security teams that prioritize for one environment, MSSPs must prioritize:

• Across multiple clients
• At massive scale
• With incomplete business context
• Under contractual, SLA, and liability constraints

And the data reflects the strain:

• 62% of SOC alerts are disregarded
• 55% of teams have missed critical alerts due to poor prioritization (Mandiant Global Perspectives on Threat Intelligence)
• 97% of analysts worry about missing a relevant security event because it is buried under a flood of alerts

When prioritization breaks down, the impact is immediate. MTTR increases. Analysts drown in noise. And customers lose confidence that their MSSP understands what truly puts their business at risk.

Why Strong Vulnerability Prioritization Is a Force Multiplier for MSSPs

When done well, vulnerability prioritization becomes more than a security function — it becomes a business advantage.

Real Risk Reduction (Not Just Cleaner Dashboards)
Strong prioritization shifts the focus away from raw vulnerability counts and toward attack likelihood and impact. Instead of chasing every high-severity CVE, MSSPs can focus remediation on:

• Vulnerabilities that are actively exploited
• Exposed attack paths that increase breach likelihood
• Assets attackers actually care about

The result? Fewer “we patched everything and still got breached” moments and more meaningful risk reduction.

Stronger Client Trust and Retention
Clients can quickly recognize the difference between noise and insight. Well-prioritized findings are relevant, actionable, and clearly grounded in the client’s environment. 

Good prioritization signals maturity. It tells customers, “This MSSP understands our risk — not just our tools.” That credibility is hard to win, and easy to lose.

Defensible, Explainable Remediation Focus
MSSPs are constantly asked to justify why certain vulnerabilities were escalated or deprioritized. Strong prioritization creates: 

• Audit-friendly decision trails
• Clear narratives for executives and boards
• Confidence that remediation efforts were focused where they mattered most

Where Vulnerability Prioritization Most Often Fails for MSSPs

Vulnerability prioritization is essential to reducing MTTR, yet for MSSPs it frequently collapses in execution. Time and again, two common pitfalls derail prioritization and turn urgency into noise.

Overreliance on CVSS
CVSS scores are easy to automate, scale and explain, which is why they’re so widely used. But on their own, they ignore:

• Exploit availability
• Asset exposure
• Business impact
• Compensating controls

The result is high-severity noise, misaligned urgency, and growing client fatigue.

Missing or Broken Context
You can’t prioritize effectively without knowing: 

• What an asset does
• Who owns it
• Whether it’s internet-facing
• How it fits into an attack path

Many MSSPs inherit bad CMDBs, incomplete inventories, or inconsistent tagging. When context collapses, prioritization collapses with it — no matter how good your tooling looks on paper.

The Core Challenges of Vulnerability Prioritization for MSSPs

• Alert Overload and Noisy Data
  MSSPs operate under a constant firehose: thousands of vulnerabilities, duplicate findings from overlapping tools, and CVEs that look critical but pose little real risk. Most prioritization frameworks assume clean, normalized data. MSSPs rarely have that luxury. Analysts spend more time sorting noise than reducing risk.
• Lack of Business Context at Scale
  MSSPs often lack visibility into revenue-critical systems, crown-jewel assets, and existing compensating controls. Without this context, prioritization defaults to severity scores, and decision-making becomes defensive rather than risk-based.
• One-Size-Fits-All Scoring Doesn’t Work
  MSSP clients can vary dramatically:
  • Regulated vs. unregulated
  • Cloud-native vs. legacy environments 
  • Security-mature vs. security-constrained teams

One-size-fits-all scoring might be scalable, but it doesn’t capture the context of your client base. MSSPs are constantly forced to choose between accuracy and efficiency.

• Exploit Intelligence Is Hard to Operationalize
  Even with good threat intel, exploitability changes rapidly and correlating intel to specific environments is messy. Without environmental context, threat intel becomes just another feed — not a prioritization signal.
• Client Remediation Capacity Is Limited
  The uncomfortable truth is that clients can’t fix everything. Patch windows are narrow, ops teams are stretched thin, and downtime is expensive. MSSPs must prioritize not only what is most risky, but what is realistically fixable. Most tools ignore this reality.
• Proving Value to Clients
  Clients don’t care that you reduced “critical vulnerabilities by 43%.” They do care about what would have hurt them, what they avoided, and what actually changed their risk posture. Poor prioritization makes value invisible — even when teams are working hard.

Rethinking Vulnerability Prioritization: What MSSPs Actually Need

MSSPs don’t need another severity score or raw feed. They need correlation, context, and clarity. Effective prioritization must connect:

• CVEs → exploitability
• Exploits → threat actor behavior
• Threats → customer exposure

Only then can MSSPs confidently answer the question customers care about most: “What should we fix first — and why?”

How ThreatConnect Approaches Vulnerability Prioritization Differently

ThreatConnect takes a fundamentally different approach to vulnerability prioritization — one purpose-built for MSSPs.

From Generic Scores to Business-Relevant Insight
ThreatConnect goes beyond CVSS to deliver vulnerability insights tailored to each customer’s environment. Each CVE is correlated with:

• Real-world exploitability
• Active threat actor behavior
• Known exposure within the customer’s environment

From Volume to Precision
Instead of overwhelming customers with lists of hundreds of vulnerabilities, MSSPs can deliver prioritized precision: “Here are the 3 you need to patch now — and why”. This shift enables faster MTTR, more confident remediation, and clearer client communication.

Built for MSSP Scale
ThreatConnect is designed to support:

• Repeatable prioritization logic
• Context-aware insights without manual tuning
• Multiple customers environments without sacrificing quality or margin

Vulnerability Prioritization Is the Difference Between Noise and Value

MSSPs don’t win by finding more vulnerabilities. They win by helping customers fix the right ones. For MSSPs looking to modernize services, reduce MTTR, and scale without burning out analysts, vulnerability prioritization isn’t optional — it’s foundational.

Download Modern MSSP Services Powered by ThreatConnect to learn how leading MSSPs are evolving beyond detection into true risk reduction.

The post Prioritizing Vulnerabilities That Actually Matter appeared first on ThreatConnect.

Mustang Panda—also known in industry and government reporting as BASIN, BRONZE PRESIDENT, CAMARO DRAGON, EARTH PRETA, FIREANT, G0129, HIVE015, HoneyMyte, LUMINOUS MOTH, Polaris, RedDelta, STATELY TAURUS, TA416, TANTALUM, TEMP.HEX, TWILL TYPHOON, or UNC6384—is a highly active, state-sponsored Chinese cyber-espionage group assessed to operate under the People’s Republic of China (PRC). Active for over a decade, the group is distinguished by its high operational tempo and “volume over stealth” approach to espionage.

Mustang Panda has consistently targeted entities that intersect with Beijing’s geopolitical priorities, particularly government and diplomatic institutions, maritime logistics organizations, and religious institutions. Their campaigns demonstrate a persistent focus on intelligence collection related to foreign policy, trade routes, and sensitive diplomatic engagements.

Multiple cybersecurity vendors and government agencies assess with high confidence that Mustang Panda operates in alignment with PRC strategic objectives, based on victimology patterns, infrastructure choices, and activity timing that aligns with Chinese working hours (UTC+8).

The new Mustang Panda Dashboard in ThreatConnect offers security teams centralized visibility into this highly active and adaptable adversary.

Key Benefits:

• Centralized Intelligence: Aggregates Mustang Panda-related IOCs, TTPs, malware families, and campaign telemetry from open sources, commercial feeds, and internal data.
• Continuous Threat Tracking: Monitors real-time updates on actor infrastructure, targeting patterns, and evolving tradecraft.
• Accelerated Incident Response: Provides enriched, contextual intelligence to reduce detection-to-response timelines.
• Visual Reporting & Executive Insights: Interactive charts, timelines, and executive-ready dashboards support risk prioritization and communication.
• Automated Correlation: Leverages ThreatConnect’s automation engine to map Mustang Panda indicators across intrusion sets, malware families, and victim profiles.

Mustang Panda’s consistent targeting of government, diplomatic, and maritime entities underscores the ongoing risk to sensitive political and economic interests worldwide. 

The Mustang Panda Dashboard equips defenders with the ability to visualize campaigns, correlate activity, and act decisively—directly within the ThreatConnect platform.

Note: To maximize the value of this dashboard, organizations may benefit from integration with premium threat intelligence sources such as Dataminr, Mandiant, Recorded Future, or CrowdStrike.

To gain access to the Mustang Panda Dashboard, please connect with your Customer Success team or reach out to us through our contact form.

Further Resources

For more detailed information and resources on Salt Typhoon, please refer to the following:

Resource	Description	Link
MITRE	As a not-for-profit organization, MITRE acts in the public interest by delivering objective, cost-effective solutions to many of the world’s biggest challenges.	MITRE Article
The Hacker News	THN Media Private Limited, the parent organization behind The Hacker News (THN), stands as a top and reliable source for the latest updates in cybersecurity. As an independent outlet, we offer balanced and thorough insights into the cybersecurity sector, trusted by professionals and enthusiasts alike.	THN Article
Reuters	Reuters is the leading global source of news coverage. We have been licensing content and information to media organizations, technology companies, governments and corporations since 1851.	Reuters Article

We urge all organizations to remain vigilant and proactive in their cybersecurity efforts. By implementing these recommendations, you can significantly reduce your risk and protect your critical assets.

Mustang Panda Known Exploited Vulnerabilities

CVE ID	Product	Description
CVE-2025-55182	IoT / Web Apps	React2Shell: Critical flaw exploited by the RondoDox botnet (associated with Mustang Panda) to compromise IoT devices.
CVE-2025-14847	MongoDB	MongoBleed: Active exploitation allowing unauthenticated attackers to coerce servers into leaking sensitive memory data.
CVE-2025-9491	Windows UI	LNK Bypass: Confirmed extensive exploitation by Mustang Panda to deliver PlugX via malicious shortcut files
CVE-2025-41244	VMware Tools	Exploited alongside Windows flaws for privilege escalation and persistence.
CVE-2024-21893	Ivanti Connect Secure	Authentication bypass used to deploy MetaRAT (PlugX variant) targeting shipping companies in Japan.
CVE-2024-0012	Palo Alto PAN-OS	Exploited for authentication bypass, often leading to ransomware-like behavior or espionage.
CVE-2025-10585	Google Chrome	Zero-day in the V8 engine, patched but actively exploited.
CVE-2023-4966	Citrix NetScaler	Citrix Bleed: Session hijacking vulnerability used to bypass authentication.
CVE-2025-6202	DRAM (Hardware)	Rowhammer Variant: Advanced hardware-level attack bypassing DDR5 protections.

The post Mustang Panda Intelligence Dashboard Immediately Available for ThreatConnect appeared first on ThreatConnect.

The Advanced Persistent Talent series profiles ThreatConnect employees and explores how their work impacts products and offerings, how they got here, and their views on the industry at large. Want to know more about a particular team? Let us know!

As a seasoned marketer in the cybersecurity space, Dan Cole has heard all of the old product narratives before — from “attackers are outpacing security teams faster than ever” to “alert fatigue is overwhelming analysts.” In an industry where the work is both complex and, to some, a little dry, it can be tricky to come up with new, flashy ways to tell a brand story. That’s why Cole always starts with what matters most: helping analysts do work with real impact.

“We’re really trying to help these analysts prioritize work that actually helps them feel like they are making a difference,” Cole says. Sometimes that means explaining ways to use tools like ThreatConnect’s Risk Quantifier to attach real dollar figures to the results threat intelligence provides. And other times, it means finding new ways to share best practices — like, say, by comparing them to Star Wars. 

Whatever he might be working on, Cole wants to make sure ThreatConnect’s products solve the biggest real-world problems facing clients. And as for when he’s outside of work? You’ll probably find him outside photographing and, sometimes, rescuing wild foxes.

The following conversation has been edited for clarity and length.

How did you get into threat intelligence, and what does your role look like day to day?

Dan Cole: I was a product manager for almost 15 years in a variety of industries, but then I was hired at ThreatConnect 10 years ago as part of their series B to lead and build out their product management team. I’ve kind of shifted roles since then, but it involves spending a lot of time with customers to understand their pain points, understand where they’re running into roadblocks, and make sure that our roadmap is prioritized to remove those roadblocks. Since then my role has shifted to help educate the market on some of the best ways to remove those roadblocks – ideally with our products!

Pretty much everything I learned about threat intelligence, I learned from our customers and the challenges that they are actively facing every single day.

What is the most challenging part of your job?

The most challenging part of my job is ensuring that what we are doing helps people feel like they matter. We all want to feel like the work we’re doing is making some kind of impact and moving some kind of needle. Like it’s not just busy work that’s going to end up in the trash. 

Every vendor talks about alert fatigue and how overwhelming it can be. Studies clearly show the impact that those sorts of things have on the emotional well being of these analysts. But our goal isn’t just to help analysts feel less overwhelmed. We’re really trying to help these analysts prioritize work that actually helps them feel like they are making a difference.

I saw you’ve used Star Wars as an analogy for the threat gap in a webinar before. What gave you the idea to do that?

We want to stand out in the industry and make things a little fun. Considering the toll that this work takes on the mental health of these analysts, if we can give them a break with something a little entertaining, great. It’s better than another dry corporate webinar where someone is just pitching their product. It’s about evangelizing not just our products, but the different approaches to cyber defense that can make analysts more effective in their roles.

You’ve also written about how cybersecurity professionals can use AI as a teammate. How would you describe the potential and the risks associated with AI? 

The way one customer put it to me was that AI is kind of the world’s smartest intern. I might trust an intern to do research, but I’m not going to let them push the big red button or handle something that might blow up our security stack. 

One big risk is that AI can be a black box; you might not be able to really understand how it reached its conclusion. It’s very easy to add an LLM to an existing security product, but it can be hard to know if the underlying data that that LLM uses is any good. But at ThreatConnect, we have the DNA of being a data company. We have billions of records and 1.2 million different sources of data. So the LLMs that we put on top of our products have access to data that is vetted and high fidelity and reliable, and we can be transparent and provide receipts. So when you hire that “intern,” you can trust the data that they are running out to gather is solid.

That would make a huge difference. And how do you spend your time outside of ThreatConnect?

I am an amateur wildlife photographer. I also do wildlife rescue, including volunteering at a rescue focused on saving foxes from fur farms. I enjoy all things food — from gardening, to actually growing the food, to cooking, to actually making the food, to going out to restaurants to enjoy food without having to do dishes. I also love backpacking and being outdoors.

Which rescue organization do you work with, and what’s that like as a hobby? 

It’s called the Wildlife Rescue League. I also work with Save a Fox out of Minnesota. And it’s not easy. When wild animals are injured or sick, they don’t want to be trapped. But we have an entire network of rescuers, transporters, vets, and rehabilitators. 

Just this past Sunday, I picked up a raccoon that had pneumonia, put him in the back of my car, and drove him to a rehabilitator where he’s going to get some antibiotics, get some rest, and eventually be released back into the wild.

What other types of animals have you rescued?

Foxes are my favorite, but I’ve also gotten to release a one-eyed owl back into the wild. I’ve done turkey vultures, which are super cool. And one time, I had a red shouldered hawk, which spent the entire car ride screaming at the top of its lungs. It was still super fun.

Do you have some sort of enclosure in your backseat to transport these animals?

Sometimes it’s just a cardboard box, and sometimes a cage. Luckily, I’ve never had an escapee, but it has happened to others.

I’d wondered about that. Why are foxes your favorite?

Gosh, I’m trying to think of a way to loop them back to the theme of threat intelligence. 

If you could do that, it would be great for this article!

I’ll start a sentence, and eventually I’ll find my way there. First of all, they’re beautiful. They are misunderstood. And just like I like to stand up for the intelligence analysts, I’m a fan of the underdog. I want to stand up for the little guy. But foxes are extremely clever. They’re this perfect mix of curiosity and bravery and caution, and they’re very adaptable.

When I think about threat intelligence and cybersecurity, I do think good analysts also have a healthy mix of curiosity, bravery and caution. You want to be bold, because the attackers certainly are, but you also want to be cautious and not make mistakes when you’re taking a blocking action or promoting a new strategy. And certainly, you have to be extremely clever and extremely adaptable. For example, as adversaries start leveraging AI more and more, we need to adapt the way we do cyber defense so that we can stay ahead of those threats.

Nicely done with that metaphor. And has wildlife rescue also made you better at wildlife photography?

Yeah, 100%. Foxes, especially, have such varied personalities. You can just tell they let the intrusive thoughts win. Now that I’ve gotten to know their personalities, it’s helped me not only work with them but also figure out what I want to bring out in my photos. If I’ve got a fox that is particularly spicy, I want to find an opportunity to showcase that.

The post Why ThreatConnect’s VP of Product Marketing Spends His Off Hours Rescuing Wild Foxes appeared first on ThreatConnect.

The Advanced Persistent Talent series profiles ThreatConnect employees and explores how their work impacts products and offerings, how they got here, and their views on the industry at large. Want to know more about a particular team? Let us know!

Angel Salcedo radiates energy even through a computer screen. The warmth in his smile and the confidence in his voice help explain why he thrives as a customer success engineer: he  knows that the work begins with careful, empathetic communication. 

“Customer success is not about knowing all the answers,” Salcedo says. “It’s about starting a dialogue where everyone’s expertise carries equal weight. That’s how you problem-solve in a field that’s always changing.”

“In tech, what was yesterday is not today, and what’s today is not tomorrow,” Salcedo says. “The more we allow that opportunity to be collaborative rather than feeling we have to know it all, the more we can deliver.” Read on to learn how he helps ThreatConnect clients reach their goals.

The following conversation has been edited for clarity and length.

How did you get into threat intelligence?

Angel Salcedo: It’s a funny story. I graduated with my master’s in information technology from Kennesaw State University in 2019. I held a few jobs after graduation before I found myself in a Tier 2 developer role during the pandemic. My interest in technology and systems continued to grow. I found myself constantly asking questions, questioning solutions, and ultimately became curious about other roles in information technology.

I stayed at that company until 2022, when I landed a role as a cybersecurity analyst. I then had the opportunity to coordinate with a recruiter at ThreatConnect. The recruiter I met with was not only welcoming but also made me feel like ThreatConnect could be my place to grow tremendously. My first round interview felt fate-fueled. It was an interview where the interviewer and interviewee just clicked. I answered the questions confidently while expressing my curiosity and desire to grow. It was welcomed, and I was told I would grow tremendously. That is still true to this day. 

What does your role look like day to day?

Threat intel is, in and of itself, a beast with many facets and complexities that can be challenging for our clients to understand when they first work within ThreatConnect. I work as a conduit to successfully deploy automations, develop workflows, and create visualizations that help leadership understand the actions to take to improve their businesses’ security posture. I tackle meetings, work with different organizations and people, and constantly ask, “What are ways we can further mature your cybersecurity program? What’s our next big mountain to climb?”

What is either the most challenging or maybe interesting part of your job?

I like to say I’m a jack-of-all-trades because of the vast number of tools ThreatConnect integrates with. My engineering colleagues and I are like puzzle pieces that come together to form a really great picture. We all bring different skills and different tools that work together to develop a successful threat intelligence program. Not only do I feel like a whiz at ThreatConnect, but, thanks to what my colleagues with expertise in other areas have taught me, I also feel pretty sharp when it comes to different tools that integrate with ThreatConnect. 

How do you set customers up for success with these tools?

It’s about putting your hand out and saying that we’re going to do this together. That’s the beauty of customer success: you’re not alone, and I’m not alone. We’re going to get to the other side together. I love working through that dialogue and letting them know, “Hey, your idea is just as important as my idea, and our ideas together are going to get us where we want to go.” It’s an opportunity for us to learn from each other, and that’s just as important as being the one who knows all the answers, because new things pop up every day. 

In tech, what was yesterday is not today, and what’s today is not tomorrow. The more we allow that opportunity to be collaborative rather than feeling we have to know it all, the more we can deliver.

What’s been the most interesting thing you’ve worked on this past year?

In 2024, ThreatConnect acquired Polarity, so one thing I’ve been able to do is connect that tool to ThreatConnect more cohesively. Previously, Polarity interacted with ThreatConnect to gather intel and present it from Polarity’s perspective. This year, I worked with some of the engineers and developers on the Polarity side to get a successful integration with ThreatConnect underway. Since demonstrating the capability, a few organizations I worked with before the acquisition have told me, “This capability is how I envisioned Polarity being integrated into ThreatConnect from the very beginning!” That’s been a challenge that I have learned tremendously from.

How do you like to spend your time outside of ThreatConnect? 

I love to spend time with my family and friends. I am a community-oriented person. I enjoy bringing great people together. I am also someone who uses a wheelchair. I call it sitting down, and it’s driven me a lot, no pun intended. It’s been really cool to see how that part of my life has provided me with adventurous opportunities. I’m one of the ambassadors for the Kyle Pease Foundation, a really great national organization based here in Georgia. It allows people with disabilities who sit down, like me, to participate in 5K runs, 10Ks, half marathons, and marathons around the country. I completed a half-marathon in two hours and 10 minutes at about 5 a.m. on Thanksgiving Day. I also volunteer and am a member of Phi Beta Sigma Fraternity, Incorporated, so that’s a big part of my life, too. 

The beautiful thing about what my life has taught me is that I’m never afraid of a challenge. I love doing hard stuff, and so it’s brought me to this place of wondering, “What’s the next hard thing I can do, and what’s the next hard thing after that?” My circumstances have definitely made me think outside the box, but they’ve also, in some ways, made me create my own shape, and that’s been a really, really beautiful thing. I don’t know if this is a quote from someone else; I hope it’s just me, but I live by it and think it will guide me for the rest of my life: “See the man before the chair.”

It takes a lot of work to complete a half-marathon. How do you apply that discipline to your job?

I always think that people have a fire inside that burns regardless of their circumstances. I call them “core fires”. If I had everything today and nothing tomorrow, my core fire would still burn. Mine is that I love to help people. I’ve had a really excellent upbringing from people who wanted to help me and who saw beauty in my spirit and my light. I feel like I’m here on purpose. I love to give back; in work, that translates to both creating solutions and authentically engaging with our clients. It’s being able to talk to someone who might need that extra little conversation about how their dog is doing, even if it’s just that small. 

I love that about my job; it’s not just about engineering great things. I love the challenge of that, but more than anything, I really do love to help. This year, two of the organizations I work with reached 100% of their goals, and that really makes me happy. It is our success and hard work that allowed us to achieve 100%. For them to be on the other side and say, “That engineer is doing great things for us.” That is what truly excites me every day at my job.

The post ThreatConnect Customer Success Engineer Angel Salcedo Makes Success a Team Sport appeared first on ThreatConnect.

The hard reality for Managed Security Services Providers (MSSPs) is that customers today expect faster answers, higher visibility into threats, and total confidence that their provider can separate signal from noise. Meanwhile, alert volume continues to surge across SIEM, EDR, XDR, and cloud telemetry while SOC teams remain understaffed and overwhelmed. 

This perfect storm of constraints drives mean time to respond (MTTR) higher, which can erode customer trust, limit scalability, and eat directly into MSSP margins.

The True Cost of High MTTR for MSSPs

When analysts are drowning in alerts, the business impact is immediate:

• Slow triage leads to missed SLA misses and customer dissatisfaction.
• More escalations lead to higher labor hours and reduced margins.
• The economic challenge: you can’t scale headcount linearly with customer growth.

And the data reflects the strain:

• 62% of SOC alerts are disregarded
• 55% of teams have missed critical alerts due to poor prioritization (Mandiant Global Perspectives on Threat Intelligence)
• 97% of analysts worry about missing a relevant security event because it is buried under a flood of alerts

This is not just inefficiency — it’s operational and reputational risk.

Why Traditional Triage Fails: The Context Gap

Triage is a critical function of MSSPs, and is supposed to help analysts quickly evaluate, prioritize, and act on alerts — separating genuine threats from false positives, and determining the appropriate response.

However, if alerts pop up without meaningful intelligence or context, analysts are left with a noisy signal, lacking actor info, TTPs, or historical sightings. Analysts must jump between tools, browsers, APIs, and spreadsheets just to understand what they’re looking at. Tool sprawl forces constant context switching and rework. Even a few extra minutes per alert, multiplied across thousands of alerts, creates massive operational drag.

This leads to:

• Disorganized enrichment
• Inconsistent outcomes
• Burnout
• False positives piling up
• Customers questioning the value of the service

The root problem: alerts don’t come with enough intelligence to support fast, defensible decisions.

The Missing Link: Threat-Informed Response

Threat-informed response embeds intelligence directly into the alert workflow, so analysts don’t have to hunt for answers. No guesswork. No tab sprawl. No manual lookup. The right intel appears exactly when and where analysts need it.

With threat-informed response, MSSPs can:

• Accelerates triage decisions
• Improves accuracy
• Reduces escalations
• Standardizes how analysts evaluate alerts
• Instantly raises the performance of junior analysts

Threat-informed response turns raw alerts into actionable intelligence.

How ThreatConnect Operationalizes Threat-Informed Response

ThreatConnect delivers real-time enrichment directly into the tools analysts already use. As soon as an alert fires, analysts can instantly see:

• Associated threat actors
• Relevant TTPs
• Whether it’s been seen in the customer environment
• Whether it’s been observed across ThreatConnect’s intelligence community
• Related indicators, attributes, and confidence scores

All without leaving their SIEM, EDR, ticketing system, or email. Unlike traditional TI portals — which require slow, repetitive manual lookup — ThreatConnect brings intelligence to the alert.

The result is consistent, defensible triage every time. Analysts not only see that something is risky — they understand why.

How Threat-Informed Response Becomes a Profit Multiplier for MSSPs

Before Threat-Informed Response
Alerts wait in the queue for enrichment. Senior analysts are pulled into escalations. MTTR inflates and false positives waste cycles. SLA misses increase eroding customer trust.

After Threat-Informed Response with ThreatConnect
Analysts make first-touch triage decisions in seconds, not minutes. Fewer alerts escalate to costly Tier 2 and Tier 3. MTTR drops across the board and false positives get closed rapidly. True threats get flagged faster giving customers clearer, more trustworthy answers.

The Impact On Your Bottom Line

Faster triage not only protects MSSP margins  — it improves them. 

Lower unplanned labor hours, less analyst burnout and turnover, and improved SLA performance reduce churn and allow MSSPs to scale customers without linear headcount growth.

• Reduces the cost to respond to every alert. Real-time context eliminates unnecessary analysis cycles, so analysts focus on threats that actually matter.
• Improves SLA performance and compliance. Lower MTTR boosts SLA reliability. Reporting becomes more robust and defensible.
• Delivers clear, contextual answers that customers understand. Analysts can explain “what’s happening” without diving into technical jargon. Customers feel protected, and they see clear value.
• Improves retention and opens doors to higher-margin services. Threat-informed response becomes a differentiator. Enables upsell opportunities (threat hunting, premium tiers, custom intel feeds). Customers stay longer and spend more.

Threat-informed response becomes both an operational advantage and a revenue driver.

The Future of MSSP Operations: Threat-Informed Response as a Competitive Advantage

Threat intel is no longer optional — it’s an operational requirement. Customers are increasingly choosing MSSPs based on their ability to respond quickly and confidently.

MSSPs who adopt threat-informed response gain a defensible, performance-based edge. Those who don’t will struggle to keep pace as threats grow in sophistication.

Why ThreatConnect Is Positioned as the Future Standard

ThreatConnect is purpose-built for MSSPs, offering:

• Embedded intelligence where analysts work
• Unified view across tools
• Adaptive, continuously evolving intelligence engine
• Designed for repeatable, scalable service delivery 

ThreatConnect turns intelligence into action — instantly.

Slash MTTR and Boost MSSP Margins with ThreatConnect

MSSPs won’t win by throwing more bodies at the alert problem. They’ll win by empowering analysts with better context.

Threat-informed responses transform alert overload into a high-confidence, scalable workflow. ThreatConnect is the engine that makes it possible. 

With ThreatConnect, MSSPs can:

• Slash MTTR
• Reduce operational costs
• Strengthen customer trust
• Drive higher margins
• And scale without burnout

Learn more about how ThreatConnect’s threat-informed response can slash MTTR and improve margins for MSSPs. 

The post How Threat-Informed Response Slashes MTTR and Boosts MSSP Margins appeared first on ThreatConnect.

The Advanced Persistent Talent series profiles ThreatConnect employees and explores how their work impacts products and offerings, how they got here, and their views on the industry at large. Want to know more about a particular team? Let us know!

How does a biochemistry diplomate wind up working in cybersecurity? For ThreatConnect Senior Security Engineer Matt Brash, it was all about being in the right place, and talking to the right person, at the right time. 

Brash had been working part-time in a suit shop after graduating from university as he planned his next moves when he met a customer who worked in cybersecurity. While he sold the man on the suit, the client sold him on the field. “It was really that one conversation in a suit shop that sort of shaped my career,” he says. It’s turned out to be a perfect fit. 

Analytical by nature, Brash relishes the problem-solving that goes into his work as a security engineer, taking complex problems and transforming them into an actionable game plan. “The intelligence problems that our customers have can often feel overwhelming to them,” Brash says, “and sometimes they need guidance in taking that big problem and breaking it down into small, tangible improvements that we can add over time.” 

That, for Brash, is the most rewarding part of the job — “when you can step back and actually see that a team is working more efficiently and leveraging the data we provide in a meaningful way.” Here’s how he gets it done.

The following conversation has been edited for clarity and length.

What does your job at ThreatConnect entail on a day-to-day basis?

Matt Brash: My job is to help understand customers’ technical needs when it comes to using threat intelligence data, and to then turn those needs into real-world capabilities in our platform. 

ThreatConnect is an automation platform that centralizes lots of different intelligence data into one place, so I help customers understand what types of intelligence they can access and what formats that data is available in. Then, the question becomes, “What do we do with the data?” And that’s about understanding who is going to be able to make decisions based upon that intelligence, so we dig into specific pain points within the rest of the security team to understand how they can use curated intelligence to work more efficiently.

Which side of that equation would you say is more challenging?

Definitely the latter. I think threat intelligence teams sometimes struggle to justify their value. They provide huge value to security organizations, but it’s not always easily quantifiable. We help customers capture key metrics to demonstrate the performance improvement that intelligence provides.

I also find that intelligence teams are often positioned as sort of a side team for the rest of the security, whereas at ThreatConnect, we’re trying to empower them to feel that actually, no, intelligence is really the heart and knowledge base that should inform all of the security teams. That’s the mentality change we’re trying to drive.

What excites you most about this work?

It sounds really cliche, but it’s probably solving complex problems — being able to tangibly see that we’ve improved a customer’s business processes through automation, or by making data more accessible to the right security stakeholders. That’s really the most enjoyable part of the job, when you can step back and actually see that a team is working more efficiently and leveraging the data we provide in a meaningful way.

What’s the most interesting challenge you’ve worked on this year?

The one that stood out for me was helping an organization really operationalize their data. We work with lots of clients from different industries, and a lot of the time, it’s not a data problem. They already have access to lots of threat intelligence data, but they don’t, perhaps, know how to prioritize what is relevant to them and then automate feeding this data into their existing processes. 

That’s really the type of problem I like to solve, because cyber as an industry has a big burnout problem. Most security teams we speak to say, “We have too many alerts. We’re always working outside of our normal working hours.” If we can help those analysts work more efficiently, they’re going to get greater job satisfaction.

How has cybersecurity changed in the time you’ve worked in this space?

AI has completely flipped the narrative for most organizations in the last 18 months. For example, it’s being used to produce deepfakes, so organizations can no longer trust who they are potentially communicating with. Malware engineers are also using AI to constantly produce new strains of malware. Just like adversaries use AI to target us, we need to know how to use AI to better detect these things. 

At the same time, every organization in the world is adopting AI in their main technologies. Whether you work in marketing, sales, or HR, you’re probably using a product today that has some underlying generative or agentic AI capabilities. So the question is, how are we going to make sure that the models that underline those systems can’t be tampered with by adversaries? All of this, I think, is the new frontier of cyber war.

How do you like to spend your time outside of work?

I made a big lifestyle move a few years ago. I’ve been a West Londoner most of my life; I was born in West London and always sort of stayed around the area, but my wife and I moved to a farm in the west of Ireland three years ago.  I really like the outdoors. I love treks. I love cold water swims and go swimming all year round — December, January, February. I love just being out in the water. 

Golf is my other passion. I’m very bad at it; I don’t have a good handicap, but still, I think golf is a good way of mentally unwinding, especially when you’re in a high-stress job like we are. You’re always on when you work in a sales engineering role, always thinking about, “How can I improve this for a customer?” When I’m golfing, I can just completely switch off.

Cold water swimming sounds like a mental challenge as well as a physical one. What makes it rewarding for you?

My sales guys and I have a sort of inside joke about winners’ mentality: you’ve got to push through pain to get what you want in life. Maybe it’s got a little bit to do with that. If you can master your reaction to cold water, you come out, and you feel very relaxed. It’s almost like you pushed yourself through an endurance test, and whenever you actually go through that barrier, you feel like you’ve achieved something.

The post How ThreatConnect Senior Security Engineer Matt Brash Rescues SOC Teams from Burnout appeared first on ThreatConnect.

A smarter, faster way for security teams to share context, reduce friction, and accelerate action.

Security teams are drowning in alerts, overwhelmed by disconnected tools, and constantly scrambling to get the right information to the right people. Incident response, threat intel, vulnerability management, procurement, and HR all work in different tools — often with zero shared context — creating blind spots and friction that directly impact risk.

RFIs (Requests for Information) are supposed to bridge those gaps, but traditional methods through email threads, DMs, tickets, and manual hand-offs lead to more task switching, duplicate work, and delayed decisions.

• 84% of analysts worry about missing threats in oceans of data, according to Crowdstrike Global Security Attitude Survey. 
• 70% say alert volume hurts their personal well-being, according to CISO Magazine. 
• 55% of teams miss critical alerts due to ineffective prioritization, according to Mandiant Global Perspectives on Threat Intelligence. 

There has never been a greater need for security collaboration that’s fast, contextual, and frictionless.

Polarity by ThreatConnect delivers a unified search, enrichment, and collaboration layer that sits on top of your entire security stack. Now, with RFI integration, collaboration happens instantly, in-context, and without friction.

Breaking Down Knowledge Silos

Polarity overlays real-time context, threat intel, and AI summaries into any tool — no integrations required. Instead of hunting through different consoles, portals, and documents, Polarity delivers a unified search and enrichment layer that sits on top of your security stack. So when you need to ask for more intel, flag an IOC, validate a vendor, or check the status of a CVE, you can do it instantly, without leaving the workflow you’re in.

This is the power of Polarity — and the RFI integration brings collaboration directly into that overlay.

What Makes Polarity Different

Most tools promise “better visibility.” Polarity delivers something deeper: real-time context wherever you work. Polarity overlays intelligence into any tool. From browsers to SIEMs to ticketing systems, Polarity functions like Ctrl+F for your entire security stack, but with more precision and intelligence. 

Core Capabilities

• Computer vision: Optical Character Recognition (OCR) recognizes indicators and keywords in any window — no API, no setup.
• Federated search across 150+ tools: Highlight any text and instantly see related context from across your environment.
• AI summaries and enrichment scoring: Polarity Assistant — powered by Azure OpenAI — explains threats, identifies priorities, and suggests next steps.
• One-click actions: Share intel, annotate findings, or trigger workflows right from the overlay.

Proven Impact

• Investigation time reduced by 300%.
• One customer cut IR time from 7 hours to 37 minutes.
• Significant decreases in false positives and alert fatigue.

Polarity doesn’t require integration. It simply sees what’s on your screen and gives you the intelligence you need — wherever you are.

Introducing the RFI Integration: Collaboration Without Friction

RFIs are the connective tissue between teams — intel, IR, vulnerability management, procurement, HR, legal, and more. But traditionally, RFIs are slow and manual. Analysts must pause their investigation, switch tools, gather context, write out detailed requests, and hope they reach the right team.

With Polarity’s RFI integration, users can: 

• Send an RFI from any screen — highlight text, right-click, or use the Polarity overlay.
• Configure what the UI looks like — dropdown menus, buttons, or even a fully invisible workflow.
• Route RFIs however you want — email, Jira, ServiceNow, or custom workflows.
• Customize submission flows per use case — intel requests, CVE validation, vendor checks, HR inquiries, etc.
• Layer in AI automation — generate tasks, run scans, summarize intel, or gather data automatically.

RFIs transform from manual overhead to a single effortless action performed in-context.

Real-World Use Cases Across Security and Operations

This integration isn’t just a nice-to-have. It solves real workflow challenges for key security roles — from threat intel to incident response.

Threat Intel Collaboration

Scenario: Analyst highlights an IP address or threat actor name.

What happens next:

• Polarity auto-enriches it with context from ThreatConnect and 150+ other sources.
• Analyst sends an RFI to CTI with one click.
• CTI can respond instantly — no email threads, no lost context, no copy/paste.

Value: More accurate intelligence, faster cross-team coordination, zero workflow disruption.

Vulnerability Management

Scenario: A vulnerability assessor spots a new CVE (common vulnerability and exposure).

What Polarity does automatically:

• Surfaces exploit status, enrichment scoring, and CAL context.
• One-click RFI triggers a scan across the environment or kicks off the VM workflow.
• Automatically routes to Jira/ServiceNow with all fields pre-populated.

Value: Faster patching, better prioritization, immediate alignment between vuln, IR, and IT teams.

Incident Response

Scenario: Responder sees an unfamiliar IOC (Indicator of Compromise) in an alert.

Polarity instantly:

• Enriches the IOC inline using AI summarization.
• Suggests risk score and next steps.
• RFI sends a request to IR leadership or CTI for validation or escalation.

Value: Moves teams from “alert” to “decision” significantly faster.

Procurement & Vendor Assessment

Scenario: Analyst, HR, or legal sees a vendor mentioned in an audit or incident.

Polarity enables:

• Highlight vendor name → send RFI → procurement validates license, relationship, or past issues.
• Documentation is automatically created and trackable across teams.

Value: Cross-functional clarity without time lost to email chains.

Why This Matters: Collaboration That Sticks

Collaboration often fails because the friction outweighs the value. Switching tools, writing long summaries, re-entering data, or tracking down the right person require too much effort to be worthwhile.

Polarity removes each of these barriers with:

• Inline, context-aware actions.
• Instant enrichment and federated search.
• Auto-routing to the right workflow.
• AI assistance that reduces repetitive work.
• Zero duplicate effort across teams.

The result: collaboration becomes effortless — reducing alert fatigue by filtering low-priority events using enrichment scoring. When collaboration is easy, teams are more likely to engage with each other efficiently and effectively. 

Getting Started with Polarity

Polarity by ThreatConnect is easy to deploy and adopt — providing instant value: 

• Works across 100% of tools on Windows, Mac, and Linux.
• Connects to 150+ data sources.
• Cloud or on-prem deployment.
• Out-of-the-box email support.
• Optional ticketing integrations.
• Day-one value with AI-assisted context and RFI workflows.

Ready to see it in action? Book a demo.

The post Empower Seamless Collaboration with Polarity’s RFI Integration appeared first on ThreatConnect.

The map I wish I had in the SOC

I remember a Thursday night at a previous SOC position in FinTech. The alert queue spiked during a credential stuffing incident, and our team had to scramble to keep up with the influx of alerts. We had a SIEM, a SOAR, and a handful of open-source IOCs we continuously retrieved via Google and other search engines. Each analyst grabbed a ticket and went hunting alone, starting their own process from scratch. We could isolate hosts, block domains, and re-image servers, but it was difficult to see the whole picture as we sorted through mountains of data and noise. Speed was the metric that mattered. I knew we were missing critical patterns, but I couldn’t see them or communicate what I thought we might be missing. We were moving fast, but we were still relatively blind. 

Back then, our obstacle wasn’t just the attackers; it was the lack of structure. Our workflows and systems were not supporting each other, creating additional friction. We had no shared language. One teammate would call something a credential dump; another would describe a suspicious PowerShell script. Both were correct, but neither description connected to a consistent technique or pattern. Our triage lived in chat threads, ticket notes, and half-finished handoff docs. Behavior was rarely carried from one incident to the next. We spent hours digging through logs for clues we had already seen in previous incidents, but had no way to link them. Looking back, we weren’t struggling because the attacks were sophisticated; we were struggling because our system wasn’t leveraging pre-established standards and enrichment that would have focused our attention and communications.

Finding True North in Adversary Behavior

Now, I’m a different type of analyst. I research and help design products that help scale SOC and CTI teams via the Collective Analytic Layer (CAL) at Dataminr. CAL is a global intelligence engine with a mission to transform insights into action, embedded throughout ThreatConnect and Polarity to aid analysts throughout the CTI lifecycle.  Now, I can see exactly what was missing in that SOC: A shared intelligence layer that would help our data speak the same language. We needed a living memory, something that linked indicators, patterns, and past activities together, rather than leaving us to reconstruct everything manually. These problems hit home for me as I watched MITRE ATT&CKcon 6.0. Red Canary highlighted that out of nearly 400 ATT&CK techniques, a small group of approximately 30 were “forever techniques” that account for the majority of detections. Novel attacks happen, but they’re rare. Most adversaries rely on the same behavioral building blocks repeatedly. That single insight reframed my years in the SOC. We could have been using established tools and practices to make our work so much easier.

ATT&CK as the Compass, CAL as the GPS

CAL has updated to leverage the latest MITRE ATT&CK Enterprise version 18. This version brings a more transparent structure for describing adversary behavior. Refining tactic categories and grounding updates in what defenders can actually observe across systems provides analysts with a more accurate shared language. The split of “Defense Evasion” into Stealth and Impair Defenses, for example, helps teams distinguish whether an adversary is hiding or actively degrading protections. This was something that used to blur together in my old SOC work. New sub-techniques, such as Python startup hooks, software discovery, and time-based evasion, continue the trend of modeling behaviors in a way that allows analysts to map back to telemetry, not just attacker intention reliably.

CAL takes that clarity and makes it operational. Instead of ATT&CK coverage living in slide decks or internal wikis, CAL applies it automatically to incoming news about breaches and attacks, connecting adversaries to behaviors, and placing isolated artifacts into a broader narrative. ThreatConnect enables quick visualization through ATT&CK visualization and adversary dashboards, which display trends and anomalies, providing a clear view of potential threats. Analysts can quickly apply ATT&CK tags to indicators, ensuring their communication remains aligned with the specific context of investigations. 

In Polarity, analysts can utilize the CAL Integration to quickly reference MITRE ATT&CK Techniques while reviewing reports or conducting investigations.

While ATT&CK Enterprise focuses on traditional systems, MITRE ATLAS focuses on AI-enabled ones. AI is increasingly embedded in automation, decision support, and internal workflows. That means adversaries now attempt to poison models, manipulate prompts, and exploit integration points in AI pipelines. ATLAS documents these real-world and simulated attacks, forming a knowledge base for AI red teaming and defensive planning. Importantly, ATLAS aligns with ATT&CK. This alignment enables CAL to correlate AI-targeted behaviors with traditional techniques, providing analysts with a unified understanding of both. With CAL’s latest 3.14 release, analysts will get more automation to help them extract and leverage ATLAS tactics and techniques.

When Indicators Stopped Being Uncharted Territory

Indicator investigations in my old SOC felt like detective work of scattered feeds, inconsistent metadata, and hours spent deciding whether an IP, hash, or domain was worth our time. CAL Enrichment changes that by unifying intelligence from OSINT, proprietary feeds, analytics, and community signals into a single, unified view. Analysts instantly see observations, scoring, impressions, false positive reports, feed visibility, known-good status, classifiers, and behavioral metadata all in one place. CAL’s classifier ecosystem is powered by analytics, heuristics, and machine-learning models, adding another layer that labels indicators with threat-relevant categories to help analysts quickly understand behavior and intent.  Even routine details, such as ASN mappings, cloud provider ranges, file metadata, or hash relationships, are automatically resolved, eliminating ambiguity and allowing analysts to focus on what matters. 

CAL Would Have Saved Us So Many Wrong Turns

Had we had access to CAL in ThreatConnect or Polarity, those long, chaotic nights would have been far more manageable. Alerts could be quickly mapped to ATT&CK techniques, linked to past incidents, enriched with global intelligence, and placed in broader behavioral patterns. Within five minutes, we would know not only what triggered it, but also why it mattered, whether the indicator had been seen elsewhere, its reputation, and what typically follows based on real-world behavior.

CAL removes the isolation we faced. Polarity lookups and ThreatConnect intel make research that once took hours available in seconds. Automated feed visibility, false-positive reporting, classifier context, and community signals provide instant clarity. Domains are instantly flagged for DGA patterns, hashes are linked to file families, and IPs are quickly identified as benign or suspicious. Behaviorally, scripts tied to T1059.003 no longer stand alone—CAL connects them to kill chain activity we previously missed. Shared technique tags align IR, CTI, and SOC workflows, while prevalence data highlights the behaviors that adversaries use most frequently.

Finally, a Map That Leads to Answers

This matters because defenders don’t just need more information; they need empowerment through reliable best practices. Looking back, much of the stress in my old SOC role came not from the threats themselves, but from the lack of structure around them. CAL provides the collective memory we were missing, while ATT&CK v18 and ATLAS supply a shared grammar that prepares teams for everything from today’s intrusion techniques to tomorrow’s AI-driven attacks. Together, embedded throughout ThreatConnect and Polarity, they transform SOC alerts from isolated events into meaningful stories, providing analysts with a more straightforward, more confident path from detection to action.

The post CAL, MITRE v18 & MITRE ATLAS: The Map I Wish I Had in the SOC appeared first on ThreatConnect.

This blog post is a continuation of our blog post Putting Cyber Risk Quantification Into Action: Moving Beyond Theory.

In part one, we explored how Cyber Risk Quantification (CRQ) has evolved from theory to practice, focusing on the key choice between manual estimates and automated, data-driven approaches. We discussed how CRQ’s real value lies in continuous prioritization – helping you determine what matters most with limited resources. Through examples like MFA rollouts, we saw how use cases interconnect to transform security from the team that says “no” into a strategic business partner. We also covered the cultural shift CRQ creates, with nearly all users wishing they’d started sooner due to benefits like speaking the language of business, double-digit drops in breach rates, and better collaboration across teams. Now, let’s delve into the real-world challenges that hinder organizations from achieving full CRQ operationalization, and explore the practical solutions that can help you move faster.

Addressing Maturity Challenges

The Buyer’s Guide identifies that organizational issues hold back CRQ maturity. Despite CRQ accelerating risk management improvements, customers rated their operationalization maturity at just 3.3 out of 5. Top challenges include:

• Resource constraints
• Education gaps
• Data quality and input collection issues

These challenges describe manual approaches. The solution? Bring data and automation to the problem space, letting organizations critique models rather than create them from scratch.

This means starting with 20+ years of historical loss data, insurance claims data, and industry benchmarks. That’s the really easy, defensible way to get started. At ThreatConnect, we collect more technical data through our continuous controls monitoring to identify risks, such as having PowerShell enabled on endpoints without proper restrictions. Then layer in external threat intelligence to complete the picture.

Here’s the interesting part: while many solutions offer hundreds of tunable variables, most organizations tune them only a handful of times over several years. Once people see data-backed models, they realize they don’t actually need to change much. The data speaks for itself.

Integration Quality and Peer Benchmarking

The Buyer’s Guide research shows overall vendor satisfaction remains high (4.7 out of 5 for likelihood to buy again), but two areas score lower: integration quality (3.2 out of 5) and utility of peer benchmark data (3.5 out of 5).

On Integrations: The question isn’t “How many integrations do you have?” but rather “What do those integrations accomplish?” Organizations should focus on coverage across the MITRE ATT&CK framework – covering the techniques attackers actually use from initial access through data exfiltration. If your existing integrations cover 80-90% of these techniques with appropriate defenses, adding more just creates maintenance overhead without solving additional business problems.

On Benchmarking: Most companies don’t publicly report why they were breached or what controls failed. This makes traditional benchmarking difficult. The more valuable approach? Point to actual breach data from similar organizations, creating trust through real-world examples rather than theoretical comparisons.

The Bottom Line: No Reason to Wait

CRQ has proven itself as more than a risk measurement tool. It’s a complete shift in how security teams operate and communicate value. From choosing between manual and automated approaches to linking threat intelligence with risk data, organizations that implement CRQ gain the ability to prioritize effectively, speak the language of business, and make security an enabling function rather than a roadblock. Security should never say “no”. Security should say “yes, if…” and then explain the risks and trade-offs in business terms. That requires CRQ.

The benefits are measurable: double-digit reductions in breach likelihood and impact, better collaboration across teams, and strategic participation in executive decisions. Yet success requires navigating real challenges like resource constraints, data quality issues, and integration complexity.

The good news? Organizations don’t need to start with perfect data or complete automation. They can begin with data-driven models, critique and refine them, and expand over time. The key is starting the journey from theoretical risk discussions to actionable, continuous risk management that connects the boardroom to day-to-day security operations.

The question isn’t whether to implement CRQ. The question is, why wait another day when the tools, data, and methodologies are ready today?

Request a personalized CRQ demo today!

The post Part 2: Putting Cyber Risk Quantification Into Action: Moving Beyond Theory appeared first on ThreatConnect.

The cybersecurity industry has reached an inflection point. According to the Forrester Buyer’s Guide: Cyber Risk Quantification Solutions, 2025, organizations are moving beyond theoretical discussions about cyber risk quantification (CRQ) and focusing on operationalization. But what does it really mean to put CRQ into action, and why are so many companies wishing they’d started sooner?

From Theory to Action: The Operationalization Challenge

One of the most significant findings from recent CRQ research is that customers are actively working to operationalize their risk quantification efforts better. The question isn’t whether CRQ has value; it’s how to make it work in the real world, day after day.

When organizations consider implementing a CRQ solution, they face a fundamental choice: How much do they want to rely on manual, subject matter expert-driven approaches versus automated, data-driven methods? This decision directly impacts how effectively they can operationalize risk quantification.

The distinction matters. Walking into a board meeting and saying, “These loss estimates come from actual insurance industry data – here are the peers, here’s the methodology,” creates instant credibility. Compare that to saying, “Well, someone on our team told us this number feels right.” Operationalization is fundamentally about trust and data.

What CRQ Really Means: Prioritization, Not Just Numbers

At its core, CRQ addresses a critical problem: assigning a dollar value to every security improvement an organization makes. This enables something every security leader desperately needs, and that is the ability to prioritize what matters most in a world of limited people, limited time, and limited budgets.

CRQ isn’t about producing theoretical reports about once-in-a-million black swan events. It’s about continuous, actionable insights. Today’s top 10 priorities. Tomorrow’s top 10 priorities. This creates the ability to manage risk at executive, strategic, and operational levels simultaneously, linking risk management from the boardroom to the technical implementation.

The Evolution of CRQ Use Cases

The research reveals how CRQ applications have evolved significantly. Initially, organizations used CRQ primarily for basic risk quantification and budget justification. Today, the focus has shifted to dynamic, operational, enterprise-focused use cases, including:

• Executive reporting
• Cyber insurance optimization
• Continuous risk monitoring

These seem like independent use cases, but they’re completely intertwined. Consider this scenario:

A security team discovers that not all business owners have implemented multi-factor authentication (MFA), which increases breach likelihood from 25% to 50%, creating a potential $50 million exposure. Rolling out MFA would cost $500,000 and reduce risk by $25 million. That’s a very strong ROI. But the business declines due to user friction concerns.

The security team can now present the board with clear options: invest $500,000 in MFA, or increase cyber insurance coverage by $5 million to cover the delta. This transforms the conversation from technical controls to business trade-offs, making security an enabling function rather than a blocker. The insurance optimization use case and continuous risk monitoring use cases are intertwined, and quantifiable risk makes these decisions at the operational, strategic, and executive levels informable.

The Cultural Transformation: From Guesswork to Data-Driven Decisions

Perhaps the most exciting finding is that CRQ drives cultural transformation, shifting organizations from qualitative guesswork to data-driven financial insights. This enables genuine cross-team collaboration and proactive decision-making.

Nearly all surveyed CRQ users reported that they wished they had started sooner. What are non-users missing?

Strategic Participation: Traditionally, security does not participate in the same strategic conversations as marketing, sales, or R&D, because security is not what the business does. It is an enabling function. Without CRQ, security reports metrics that don’t matter to the rest of the business. CRQ changes that by enabling security to speak the universal language of business impact, making it a strategic part of helping the organization accomplish its mission.

Better Outcomes: The IBM Cost of a Data Breach report shows that organizations using CRQ experience both lower likelihood and lower impact of breaches by double-digit percentages. They’re tackling the right problems at the right time.

Breaking Down Silos: CRQ forces collaboration between traditionally separate teams. Risk teams often don’t talk to threat teams, despite the fact that threat and risk go together like peanut butter and jelly. You can’t measure threat effectively without understanding the impact and whether compensating controls exist.

Consider this analogy: If you live on a hill and someone tells you to buy flood insurance, the answer is probably no. Your natural defenses against flooding are strong. Similarly, if a vulnerability exists in the wild but you don’t have the affected system, it doesn’t matter to you. If you have the vulnerability but also have appropriate compensating controls, it doesn’t matter. And if two threats exist, but one targets a low-revenue system while the other targets a critical one, you know which demands attention.

Linking risk quantification and threat intelligence at the operational level gives you the data to either say “I have a compensating control and I can ignore this” or “I don’t have a compensating control and it’s high impact.”

The 360-Degree View: Internal Meets External

True security requires understanding both internal and external perspectives. Organizations need to know:

• Internal threats they’re facing
• Controls they have in place
• External threats in the wild
• Whether those external threats have escaped internal detection

With the recent acquisition of ThreatConnect by Dataminr, we will be combining internal monitoring with external data sources – including deep and dark web intelligence, vulnerability databases, and threat intelligence – to enable organizations to achieve a complete 360-degree holistic view of risk and threat with compensating controls factored in. This comprehensive picture enables truly informed decision-making.

The CRQ Advantage: Why Organizations Wish They’d Started Sooner

CRQ represents more than a technical solution. It serves as a catalyst for cultural transformation toward data-driven decision-making. Organizations gain strategic participation in business conversations, achieve double-digit reductions in breach likelihood and impact, and break down silos by combining internal and external threat perspectives. Yet despite these benefits – and nearly all users wishing they’d started sooner – many organizations struggle to operationalize CRQ effectively. In our next post, we’ll tackle the practical challenges holding back CRQ maturity, from resource constraints and education gaps to data quality issues, and explore how automation, pre-built models, and smart integration strategies can help organizations overcome these obstacles and accelerate their journey from theory to measurable results.

The post Putting Cyber Risk Quantification Into Action: Moving Beyond Theory appeared first on ThreatConnect.

Staying ahead of emerging threats requires timely, actionable intelligence – but sorting through endless reports can slow even the best teams down. 

ThreatConnect’s new playbook-driven capability streamlines this process by automatically gathering and summarizing the latest threat intelligence tailored to your team’s interests, such as recent threat actor activity, vulnerability updates, or other areas of focus. Delivered straight to the inbox of your key stakeholders, it provides instant visibility into the latest and most relevant intelligence, as well as pathways to dive deeper into the intelligence that matters most.

Key Benefits:

• Program Visibility: Regular, high-value intelligence updates keep stakeholders informed of current priorities, reinforcing the visibility and relevance of the threat intelligence program while prompting timely feedback on evolving requirements.
• Stay Connected: Ensure your intelligence program remains part of the broader security conversation. Even as stakeholders operate in other platforms or defensive tools, this capability helps maintain alignment with emerging tactics, trends, and threats across the enterprise.
• Stay Informed: Receive daily, curated insights into relevant threat actors, recent campaigns, and emerging trends—helping your team stay ahead of developments that matter most.
• Save Time: Automated data collection and AI-driven summarization eliminate the manual work of reviewing multiple sources, freeing your analysts to focus on higher-value analysis and decision-making.

Whether you want to stay up to date in the CTI team, or help notify your internal stakeholders to help fulfil an RFI – this playbook will enable you to quickly pivot to different intelligence topics. 

By transforming complex intelligence feeds into clear, targeted updates, this capability enables CTI and SecOps teams to maintain situational awareness, enhance decision-making, and stay one step ahead in a constantly evolving threat landscape.

How It Works

The Threat Actor Round-up consists of a generic component playbook, which enables the round-up generation, and a timer trigger playbook, which is tailored to focus on Threat Actor-related Intelligence.

Install The Threat Actor Round-up Playbook

• [Reporting] Daily Threat Actor Round-up: This playbook is a simple one, where you configure the daily time it will run at, as well as a set of fields in the orange step, ‘Threat Actor Round-up Processing,’ to customize this automation for our particular focus: Threat Actor-related Intelligence.

• Threat Actor Round-up Processing: which is represented by the orange Threat Actor Round-up Processing step in the above image, is a playbook component containing the actual logic of the process, which is fed by the fields you configured in the above step. This can include customisations such as:
  • Group TQL query to select what the daily round-up should focus on
  • Enabling AI summarisation using CAL
  • Custom Logo & HTML template locations

How does your Company Access the Daily Threat Actor Round-up?

This can be downloaded via GitHub here

Or by importing it as a Shared Playbook using code: TL4EdEqX

If you need assistance with the installation, please refer to the GitHub README above or contact your Customer Success team.

End Result

On a schedule that fits your team’s rhythm, you can automatically deliver timely notifications highlighting the latest intelligence tied to relevant Threat Actor activity—aggregated from all your trusted sources.

Notifications can be tailored to specific audiences or use cases, ensuring the right insights reach the right people—whether that’s a SOC team tracking adversary behavior, a vulnerability team assessing risk, or leadership maintaining situational awareness.

These communications extend the reach of your threat intelligence program beyond the TI-Ops platform, creating meaningful touchpoints with stakeholders across the enterprise. Each update reinforces awareness, drives engagement, and brings users back to the platform content that matters most—keeping threat intelligence visible, relevant, and connected to the mission of defense.

For additional assistance, please contact your Customer Success team or submit a Contact Us form.

The post ThreatConnect Threat Actor Round-up: A Framework for Automated Reporting and Informing Threat Ops appeared first on ThreatConnect.

The Advanced Persistent Talent series profiles ThreatConnect employees and explores how their work impacts products and offerings, how they got here, and their views on the industry at large. Want to know more about a particular team? Let us know!

When you work in risk quantification, you face two main challenges: helping clients understand the value of what you do, and then helping them implement it. But after working in risk quantification since 2016, with another 10 years of experience in risk management, ThreatConnect’s Senior Solution Architect Tim Wynkoop has become an expert at both.  

Risk quantification can provide actionable data that enables decision-makers to prioritize better and act faster, but only with the right strategy. According to Wynkoop, the key is to know what you need to measure and what you don’t. Without that discernment, he says, “You’re trying to boil the ocean.”

Outside of work, Wynkoop enjoys traveling and putting his strategic mind to use while playing board games. Surprisingly, his favorite is not Risk. Read on to learn how he protects clients even while working from halfway around the world.

The following conversation has been edited for clarity and length.

How did you get into threat intelligence and risk quantification? 

Tim Wynkoop: I’ve been in risk management since about 2006 and worked in a variety of different roles, mostly in the banking world and the financial sector. I’ve held operational risk roles, as well as business continuity and disaster recovery positions. In 2016, I transitioned into risk quantification, leveraging the FAIR model at a predecessor to ThreatConnect. Then, I helped a customer build a risk management program before ultimately coming here.

How did that journey shape how you approach what you do?

There was a little bit of an awakening. Throughout that process, I was using subjective risk measurements like “inherent” versus “likely.” That’s where risk quantification came into play. 

Really, risk quantification is a decision enablement tool. The whole crux of risk quantification is that it should enable me to make better decisions, whatever that decision is: Should I invest in this control? Should I patch this vulnerability versus that vulnerability? Should I invest in these other things? What should I do about this? Is this an acceptable amount of risk to my organization? 

With risk quantification, I’m actually able to say, “Look, if this is the bad thing that you’re worried about happening, here’s how much it’s going to cost you.”

What does your role look like at ThreatConnect?

Officially, I help on the pre-sales side, where I give demos, help people figure out what their problems are, and explain, “Why is risk quantification better than what you do?” However, given my background, I also help out with customer success on the post-sales side. 

A lot of the time, when people get into risk quantification, they want to measure everything. And yes, you can do that, but you’re trying to boil the ocean. You’re trying to do too much, too fast. So when someone does become a customer, I help them identify, “What are you all trying to do? How can we help you get there and also get value out of the platform?”

What, to you, is the top benefit of risk quantification?

Honestly, it goes back to that ability to make an informed decision that’s defensible. If you’re going to go to an executive, or your board, or whoever owns the money organization, and say, “I need $10 million to fix these problems that we’re going to have,” it’s not enough to say, “because I said so.” It makes a difference to actually be able to say, “Look, I need $10 million because it’s going to reduce our risk by $20 million.”

How do you assign a dollar value to a risk?

To quantify risk, you basically need to ask a couple of questions: first, what problem are you trying to solve, and second, what’s the bad thing you’re worried about happening? 

If you’re able to say, “This is the bad thing I’m worried about happening” — meaning, somebody doing something bad to a thing of value  — then the last question is, what are you doing to protect yourself from that? So let’s say you’re trying to protect valuables inside your house. If you’re living in a high-crime neighborhood, are you leaving your door unlocked? 

That’s basically what risk quantification is. It’s saying, “When this bad thing happens, what’s the impact on me if this bad thing were to happen?”

How do you spend your time outside of ThreatConnect?  

My wife is a pediatric ICU doctor and a malaria researcher, so we spend six months out of the year in Africa. I can still work there, but that’s an interesting thing. I enjoy traveling — being able to visit new places and try new things. And then, we have a ten-month-old, so that’s a whole interesting new adventure.

But other than that, I’m a quasi nerd. I’m not as nerdy as other people, but I enjoy playing board games and things like that.

What is your favorite board game? The obvious choice here would be Risk!

Surprisingly, not Risk. I would say, like, Settlers of Catan or Ticket to Ride — those types of strategic games.

And how do you balance working while traveling abroad in a different time zone?

Ultimately, I adjust my schedule. I still basically stay on Eastern hours. Because of my role, I support global, so I don’t usually start my day until the afternoon over there, because it’s six or seven hours ahead, but it’s also more convenient for me to work with some of our international clients because of the time difference.

Have you traveled since welcoming your little one?  

We went last year. That was a little bit more challenging, because she was only three months old at the time. We had somebody who would help watch her a couple of days before that time, and then my wife and I would just switch off, but she didn’t want anybody other than us. It was only for a month, so it wasn’t too bad. We’re hoping that this time around, she’ll be more open to having other people hang out with her.

Does working in risk quantification and risk management shape your approach to problem-solving and prioritization in everyday life? 

I would say yes, mainly because everybody deals with risk. For example, if you’re married, you’re taking a risk telling your spouse that you’re going to be home at 6:00 if you won’t get home until 6:30. If that happens once, OK. But if  you’re consistently wrong, there’s risk management there. 

So, yes, I would say that working in risk quantification has helped me take a logical approach to asking, “Is it worth the outcome in doing things a certain way?” But then again, I am also a risk taker. I’ve gone bungee jumping twice, and I would do that again in a heartbeat. I’ve gone skydiving twice. My wife’s like, “You work in risk. Why do you want to do this?” And I’m like, “Well, because it’s fun!”

The post How ThreatConnect’s Senior Solution Architect Puts a Dollar Value on Risk appeared first on ThreatConnect.

Modern SOCs don’t fail from lack of talent — they fail from tool fatigue. Analysts spend more time context-switching than analyzing.

Polarity by ThreatConnect brings the context to them: federated search across SIEMs, SOARs, TIPs, Ticketing Systems, real-time overlays, and AI-assisted recall that cut cognitive load and improve mission tempo.

Solving SOC Burnout with Real-Time Context: A Polarity-Powered Approach

Security Operations Centers (SOCs) are the nerve centers of modern cyber defense, but also among the most humanly taxing environments. Analysts face an overwhelming volume of alerts, tickets, and logs across unconnected systems. This cognitive overload and context switching drives inefficiency and burnout. Polarity by ThreatConnect’s automated search platform and context overlay technology directly address this challenge by unifying knowledge, automating context delivery, and eliminating redundant effort.

The Problem: Cognitive Overload in Modern SOCs
Analysts operate in multi-SIEM environments such as Splunk, Sentinel, and Elastic, which often require manual correlation. This leads to cognitive fatigue, wasted time, and analytic inconsistency. Polarity reduces these barriers by providing federated search, context overlays, and recall capabilities that unify data into a single mission-relevant view.

Federated Search: One Query, Complete Visibility
Polarity’s Enterprise Search Platform queries hundreds of sources simultaneously, from SIEMs to ticketing systems. Using a reverse data lake model, data remains in place while Polarity securely federates queries across systems, eliminating the need for normalization or duplication.

Context Overlay: Real-Time Awareness Without Switching
Polarity’s heads-up display enriches what analysts see on screen with instant intelligence such as past alerts, tickets, and team notes, without leaving the current view. This reduces repeated searches and human error.

AI-Assisted Summarization and Recall
Integrations with large language models allow analysts to summarize and recall data quickly. Polarity’s AI Assistant condenses large datasets into actionable insights securely within on-premise or air-gapped environments.

Source Analytics for Leadership Insight
Polarity Source Analytics (PSA) visualizes how tools are used, showing blind spots and process bottlenecks. Leadership gains quantifiable insight into tool effectiveness and analyst workload patterns.

Challenge	Polarity Capability	Results
Fragmented data and multiple SIEMs	Federated Search	Unified correlation across tools
Cognitive fatigue and context switching	Overlay HUD	Instant context without leaving the workflow
Manual correlation and note-taking	AI-Assisted Recall	Automated summarization and historical linkage
Leadership blind spots	Source Analytics	Visibility into workflow performance

 

Conclusion
SOC burnout is not inevitable. It stems from fragmented tools and missing context. Polarity merges federated search, AI-driven summarization, and real-time overlays to transform information overload into operational clarity. With unified context, analysts make better decisions, sustain performance, and reduce burnout. Ready to see Polarity for yourself? Tour Polarity now or request a demo!

The post From Data Overload to Decision Superiority — Avoiding SOC Burnout with Polarity appeared first on ThreatConnect.

We’re excited to announce a new release that integrates Wiz Cloud Security Vulnerability Findings to ThreatConnect! This new capability will help customers prioritize vulnerabilities based on assets under the purview of Wiz Cloud Security. The combination of Wiz Cloud Security visibility and the vulnerability data across the numerous sources effectively improves the overall security posture of our customers.

Stop Drowning in Vulnerability Noise

Your security team likely faces thousands of vulnerabilities daily. This integration solves a critical problem: knowing which vulnerabilities actually matter to YOUR cloud environment right now.

This integration directly addresses the need to highlight vulnerabilities based on aggregated Wiz issue findings. By aggregating these issues findings and overlapping them with our vulnerability data, the customer Threat Intelligence (TI) team will be able to prioritize their efforts more efficiently.

Instead of treating all vulnerabilities equally you’ll instantly see which ones affect your actual cloud assets, so your team stops wasting time on theoretical risks and focuses on real exposures in your environment.

We’ve focused on providing key data points that matter most, including:

Correlated Vulnerability Data

We’ve established a one-to-one relationship between a Wiz Vulnerability-Finding and a ThreatConnect Case. You will have a single TC Case for each vulnerability, which will include details such as the CVE (Common Vulnerabilities and Exposures) to leverage the broad set of Vulnerability data across the sources ThreatConnect has access to.

What this means for you:

• A single source of truth – No jumping between Wiz and ThreatConnect trying to connect the dots
• Enriched threat intelligence with all the context you need

Aggregated Severity Metrics: Each TC Case will now include aggregated metrics based on Wiz’s issue severity counts (critical, high, medium, low, and informational). These metrics will include the sum of total issues, the maximum count for each severity, and the average count per severity.

What this means for you:

• Actionable intelligence at a glance
• Faster, smarter prioritization through quick understanding of the scope of a vulnerability
• Understanding the blast radius – how many assets are affected and how severely

Direct Links to Wiz: The TC Case will contain “Source URL” attributes, with each one linking back to the specific finding within the Wiz UI. 

What this means for you:

• A clear and direct path to investigate the details of each vulnerability finding

The Bottom Line

• Reduced Risk: Patch what matters first, based on real-world exposure in your cloud environment
• Time Savings: Your security analysts spend less time correlating data and more time fixing problems
• Better Resource Allocation: Leverage data about vulnerability trends and severity patterns to make informed staffing and tooling decisions
• Compliance & Reporting: Demonstrate that you’re prioritizing vulnerabilities based on actual risk, not just CVSS scores

This isn’t just another integration—it’s about transforming vulnerability management from a reactive checklist into a strategic, risk-based security operation.

It coincides well with the release of ThreatConnect 7.11, which introduces Threat Actor Profiles and Actionable Search v3 to help our customers streamline the vulnerability management process, making it easier to identify, prioritize, and remediate security risks – representing significant step forward in enhancing our customers’ security operations.

You can find the documentation in our public knowledge base.

The post Wiz Integration Helps ThreatConnect Customers Act Faster and Reduce Vulnerability Noise appeared first on ThreatConnect.