Threat Intelligence Lessons Learned Post-RSA: Which Basics Still Matter?


Anton Chuvakin from Google Cloud's Office of the CISO posted a question on LinkedIn after RSA that's worth sitting with: Which "security basics" are more relevant today against AI attackers, and which ones don't matter anymore?
It sparked a real conversation. And for threat intelligence teams specifically, the answers point somewhere the industry hasn't fully caught up to yet.
What the Conversation Surfaced
This got me thinking. Coming back from RSA, having met with over 30 security buyers, I wanted to reflect on what I'm actually seeing in the market, and where it's headed.
What struck me across those conversations was how consistently the same issue came up: if you can no longer count on humans catching threats at the point of delivery, your threat intelligence program needs to catch them before they ever get there.
The Operational Stage Problem
Most threat intelligence programs are still calibrated for a threat landscape that doesn't quite exist anymore. They collect IOCs, enrich them, and push them downstream, to SIEMs, firewalls, and blocklists. The architecture was designed around a core assumption: that the signals worth tracking appear at or near the moment of execution.
AI attackers have changed the math on this. They stage faster, rotate infrastructure more frequently, and increasingly use legitimate resources for initial access. By the time an IOC is processed, confirmed, and distributed, the infrastructure behind it may already be retired. The indicator was accurate. It was just accurate about something that no longer exists.
This is the operational stage problem. Threat intelligence programs are running at the wrong point on the attack timeline, not because the tools are broken, but because the inputs they depend on are structurally late.
The "shift left" conversation in security has a direct analog here. Shifting left for threat intelligence means moving earlier relative to the attacker's timeline, not just optimizing the existing workflow. It means generating signal during the window when adversary infrastructure is being built, before any IOC exists to track.
The Clean vs. Benign Problem Has Gotten Harder
Chuvakin's question also lands on a specific technical problem that AI attackers have made significantly worse: binary classification is no longer a functional operating framework for threat intelligence.
AI attackers are increasingly weaponizing legitimate infrastructure: standard cloud providers for staging, domains with clean registration histories, valid certificates, and reconnaissance conducted through tools that generate normal-looking traffic. The result is an environment where a "clean" reputation score tells you progressively less about whether something is safe, and where the line between benign and malicious has become deliberately blurred.
For IOC-heavy programs, this creates a specific blind spot. If your intelligence architecture depends on reputation scoring and known-bad classification, AI-assisted attackers can move through it largely undetected, until they're not, which is after the attack has started.
Context is what fills that gap. A newly registered domain isn't inherently suspicious. A newly registered domain that shares certificate infrastructure with a known adversary cluster, mimics a financial institution's naming pattern, and resolves to VPS infrastructure with no legitimate organizational tie, well, that's a different conversation. The signal isn't in the indicator. It's in the relationship between indicators, evaluated at the right moment.
What "Shift Left" Looks Like in Practice
Indicators of Pre-Attack (IoPAs) operate in the window before adversary infrastructure becomes active, during the attacker's preparation phase. They surface domain registrations that pattern-match against known adversary behavior, certificate issuances on infrastructure with no legitimate organizational history, C2 configurations in setup stages, and phishing kit construction before any lure is deployed.
This changes the lead time available to defenders in a concrete way. Instead of receiving a signal after a compromise has begun, security teams receive validated intelligence while infrastructure is still being assembled. That's the window where something can actually be done: blocking, disruption, tracking before activation.
It also addresses the clean vs. benign problem directly. Because pre-attack intelligence is generated before infrastructure goes live, the classification question isn't "is this known bad?" It's "what does this infrastructure's behavior pattern indicate about intent?" That's a more durable question to ask, and one that doesn't break down when attackers use legitimate resources to stage an attack.
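To make the contrast concrete, here is an added example (not Malanta's code and not from the original post) in Python. It puts a binary reputation lookup next to a contextual scorer that evaluates the relationships named above: a certificate shared with a known adversary cluster, naming that mimics a protected brand, VPS hosting with no organizational tie, and registration recency. Every domain, certificate fingerprint, brand, date and weight is a constructed placeholder, and the thresholds are assumptions chosen for illustration rather than anything the post specifies.

```python
"""Contextual triage of not-yet-active infrastructure (added example).

A reputation lookup answers "is this known bad?"; the contextual scorer
answers "what do the relationships between indicators suggest about intent?"
All data here is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed: certificate fingerprints seen on infrastructure previously
# attributed to one adversary cluster (placeholders, not real IoCs).
ADVERSARY_CERT_CLUSTER = {"sha256:cluster-a-0001", "sha256:cluster-a-0002"}

# Constructed: what a conventional IOC feed carries, i.e. confirmed-bad domains.
KNOWN_BAD = {"evil-login.example"}

# Constructed: brand labels whose naming pattern we protect.
PROTECTED_BRANDS = ["examplebank", "acmepay"]

# Fixed "today" so the example is deterministic (assumption).
TODAY = date(2025, 5, 1)


@dataclass(frozen=True)
class Candidate:
    domain: str
    registered: date
    cert_fingerprint: str
    hosting: str      # "vps", "cloud", or "corporate"
    org_tie: bool     # any verifiable link to a legitimate organization


def reputation_verdict(c: Candidate) -> str:
    """Binary reputation model: anything not already listed is 'clean'."""
    return "bad" if c.domain in KNOWN_BAD else "clean"


def _levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character brand typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_lookalike(domain: str) -> Optional[str]:
    """Return the protected brand a domain imitates, or None.

    Flags a brand embedded with extra tokens ('examplebank-secure') or a
    label within edit distance 1 of the brand ('examplebamk'). An exact
    brand label is left alone; it is presumably the brand's own domain.
    """
    label = domain.split(".")[0]
    for brand in PROTECTED_BRANDS:
        if label != brand and (brand in label or _levenshtein(label, brand) <= 1):
            return brand
    return None


def contextual_score(c: Candidate, today: date = TODAY) -> Tuple[int, List[str]]:
    """Score relationships between indicators rather than any one indicator.

    Weights are assumptions; a real program would derive them from its own
    validated history.
    """
    score, reasons = 0, []
    if c.cert_fingerprint in ADVERSARY_CERT_CLUSTER:
        score += 40
        reasons.append("certificate shared with known adversary cluster")
    brand = brand_lookalike(c.domain)
    if brand:
        score += 30
        reasons.append(f"naming mimics protected brand '{brand}'")
    if c.hosting == "vps" and not c.org_tie:
        score += 20
        reasons.append("VPS hosting with no organizational tie")
    if (today - c.registered).days <= 7:
        score += 10
        reasons.append("registered within the last 7 days")
    return score, reasons


def triage(c: Candidate, today: date = TODAY) -> Tuple[str, int, List[str]]:
    """Map the contextual score onto an action bucket (thresholds assumed)."""
    score, reasons = contextual_score(c, today)
    if score >= 60:
        verdict = "pre-attack: act now"
    elif score >= 30:
        verdict = "watch"
    else:
        verdict = "low"
    return verdict, score, reasons


# Constructed candidates: one staged lookalike, one ordinary new domain,
# and one lookalike with weaker surrounding context.
STAGED = Candidate("examplebank-secure.example", date(2025, 4, 29),
                   "sha256:cluster-a-0002", "vps", False)
BENIGN_NEW = Candidate("fresh-startup.example", date(2025, 4, 30),
                       "sha256:public-ca-7f3a", "cloud", True)
WATCH = Candidate("acmepay-support.example", date(2025, 3, 1),
                  "sha256:public-ca-91c0", "vps", False)

if __name__ == "__main__":
    for cand in (STAGED, BENIGN_NEW, WATCH):
        verdict, score, reasons = triage(cand)
        print(f"{cand.domain}: reputation={reputation_verdict(cand)} "
              f"contextual={verdict} ({score}) {reasons}")
```

The point the output makes is the one in the text: the reputation model returns "clean" for all three because none is on the list yet, while the relationship-based score separates the staged lookalike (which scores on every axis) from a merely new domain with legitimate ties, and parks the partial match in a watch bucket instead of forcing a binary call.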
Anton's question - which basics still matter - has a precise answer for threat intelligence teams. The basics that matter are the ones that generate signals before the attack clock starts. The ones losing relevance are those built around catching activity that's already in motion.
AI doesn't change what good threat intelligence looks like. It raises the cost of doing it late.
Malanta's pre-attack intelligence layer gives security teams the lead time to act before attacker infrastructure goes live. Get access today.