Solve problems by writing doc first.

The fastest way to threat intel is …

Think about the problem you’re actually trying to solve- not the indicators themselves. Indicators for the sake of indicators is just plain…

Sometimes- you can’t filter for…

If you’re in opsec, you shouldn’t be writing SQL until…

Pretty soon, you find yourself back, staring at this "snort signatures" pattern problem. A small, elegant mathematical formula representing something your sensors should be detecting. All it's missing is a little normalization and a bit of an ever evolving data model behind it, representing the current state of the Internet…

What good is threat intel, if you have to spend time thinking about it?