LLM SATs FTW

Unless you’ve spent the last 5 years asleep, you know that every team, business, and industry is being turned upside down by AI. Every startup is trying to create the newest AI offering, every tech giant is trying to add LLM functionality everywhere, and every business is trying to replace employees with agents. But what does this mean for intelligence analysts? How can we use LLMs to help us with our work? And what are the limitations? Can we overcome them? Or are we just going to end up with a bunch of overhyped tools that don’t really help us at all? ...

May 23, 2025 · 10 min · Scott J Roberts

Security Talks in 2025

Introduction A long time ago, back in 2017 (seriously, how was that 8 years ago), I wrote a post about my security talk development process. I stand by it, but I think it’s time to revisit it. I’ve learned a lot since then, and I think the process has changed a bit. I was lucky enough to be asked to give a talk at SANS Emerging Threats Summit in 2025, and I thought it would be a good opportunity to share my current process. I’ll go into some of the details of the talk itself, but I will share my process for developing it. I think it’s a good example of how I approach talk development in general, and I hope it’s helpful to you. ...

May 22, 2025 · 14 min · Scott J Roberts

Effective Tagging in Synapse

Analysis paralysis occurs when you overthink and underwork. — Orrin Woodward So, you’re playing with Synapse (or its commercial version), it’s outstanding, you’ve sorted through lifting, creating data, maybe even added some Power Ups. Chances are, you’ve learned and started seeing the genius between the idea of nodes (which represent facts) and tags (which can be used to represent countless things, but notably assessments). You’ve probably even created a few. Possibly more than a few. It might be you’ve added numerous tags. Chances are even pretty high that now you’ve got a mess of tags. An actual mess. Too many tags, too disorganized, redundant, and difficult to remember and use. That’s not a bad thing, in fact, I’d argue it’s a key Synapse rite of passage. On the other hand, it’s not sustainable, so you need to move back towards sanity. Let’s talk about what that can look like. ...

January 20, 2023 · 13 min · Scott J Roberts

The Difficulty of Saying Nothing

Like everyone else I’ve been following the tragic war in Ukraine and mourning the loss of life and humanitarian crisis. Professionally as an analyst in the threat intelligence and computer network defense world I’ve been considering what this war and spillover means for defending networks, especially as organizations like CISA keep putting out bulletins regarding threats of Russian nexus adversaries. ...

March 21, 2022 · 5 min · Scott J Roberts

Getting Started with Synapse

If you care about intelligence analysis and management tools (and I presume you do) you’ve hopefully heard about the Vertex Project’s Synapse intelligence… thing. Synapse starts out a little abstract, but once you understand it you’ll see it’s a powerful intelligence workbench and data fusion system. I’m here to say it’s actually far easier than you think, worth the time you’ll put in, and ultimately you’ll find yourself doing far more accurate, fast, and comprehensive analysis. ...

November 2, 2021 · 13 min · Scott J Roberts

Burnt TIPs

Special Thanks to Ryan Kovar for the photo & delicious dinner. This is going to be one of those highly metaphor-driven posts I’ve done before (like using Hamilton in Waiting vs Passivity in DFIR). Bail out now or prepare to discuss where threat intel and American BBQ run into each other! What you call something matters in sharing it with others and framing intelligence programs. And lunch orders… ...

July 31, 2021 · 7 min · Scott J Roberts

Blogging Again in 2021

I’m back! That means getting things back in order. When I was last writing actively I was using Medium… which was pretty miserable. Medium was great for ease of use with a decent writing interface and app as well as excellent reader acquisition. Unfortunately the upsides had worse downsides. Formatting was limited (no tables?!) and everything was like when I used Jekyll but sort of weird. Then came the lock-in/paywalls and general lack of openness. 👎 ...

June 20, 2021 · 4 min · Scott J Roberts

zsh for Rational Mortals

This post, my first in quite a while, is inspired by my good friend Phil. I understand these sorts of changes, and why they give people pause, but I see this as a big step forward. zsh If you haven’t heard of it, Z Shell (also known as zsh) is a modern shell that works in place of a shell like bash (either as a default or, in my case, a post-install choice). A shell is a funny thing though: 95% of computer users don’t know about shells at all, 3% know about it but don’t give it much thought (just run what you’re told), and for the last 2% it’s one of the most important parts of a system. ...

June 5, 2019 · 5 min · Scott J Roberts

Building Better Security Presentations

I’m a person who loves a good presentation. I love building them, giving them, and watching them. I’m also a person who knows they take time and effort. Like any creative process what that time and effort looks like is different for everyone. Here is my process: Write The Abstract Now I’m very aware step one should of course be doing all the research and then building the presentation, but that never happens. Step one is almost always writing an abstract for most folks I know. ...

October 27, 2017 · 24 min · Scott J Roberts

Crash Override Chronicles: Victim

Victim Sites & Technology So all of those things were terms or bits about generalized grid operations. What about the actual victim in this case? What was the equipment affected? Where was it? Ukrenergo According to Reuters: Kovalchuk said the outage amounted to 200 megawatts of capacity, equivalent to about a fifth of the capital’s energy consumption at night. There’s an interesting piece of data. 1/5 night capacity means one gigawatt (1000 megawatts) of total consumption at night. This got me wondering what the usual ratio of night vs day consumption is. A little Googling got me to eia.gov’s article Demand for energy changes through the day. I’m doing some loose math but: ...

August 31, 2017 · 2 min · Scott J Roberts