Why You Win This Role

You are the only candidate who already operates inside Resilience and has been the de facto CTI resource for the EDGE team. Every differentiator below is something a cold external candidate cannot replicate.

Already Embedded at Resilience

You know the internal structure β€” ROC, TI team, EDGE β€” and how intel flows between them. You're not guessing at the org chart; you live it. No ramp time, no trust-building from scratch.

You Know What TI Consumers Actually Need

You've been on the receiving end of intel from the ROC and TI team, then adapted it for client delivery. You know precisely where the translation breaks down, which is exactly the problem the TI team needs solved.

Cross-Functional Context No One Else Has

You operate across underwriting, claims, and risk management. Most TI analysts are siloed inside security. You can frame intel in terms of financial risk and loss outcomes β€” a massive differentiator for a cyber insurer.

Nation-State + Geopolitical Depth

You track Mustang Panda, Russian APTs, and Iranian groups with geopolitical context β€” connecting diplomatic events to sector-specific targeting logic. That's strategic intelligence, not just IOC-pushing.

BAS/CTEM at Operational Scale

Only 16% of organizations have an operational CTEM program (2026). You've built and operated one, mapping active attack chains to MITRE ATT&CK and recommending packages against live threat actor activity.

19 Years + Multi-Sector Portfolio

Government, Aerospace, OT/ICS, Healthcare, Finance, K-12 β€” 150+ tabletops, 50+ enterprise clients. The breadth of sector context makes your intel more actionable than a specialist who only knows one vertical.

Anticipated Questions + Talking Points

Walk me through how you produce sector-specific threat intelligence.

Frame: Start with the intelligence requirement, not the data. "I start with what the client or underwriter actually needs to decide β€” that drives collection, not the other way around."

Then walk your workflow: monitor active threat actors targeting that sector β†’ map TTPs to MITRE ATT&CK β†’ anchor to specific attack chains β†’ translate into risk language the client team can act on. Cite your Iranian campaign work against US healthcare (DOD supply chain, Stryker) as a concrete example of geopolitical motivation β†’ sector targeting β†’ client briefing.

Drop the specific example: "When Iranian actors ramped up against US healthcare in the context of US foreign policy shifts, I built a briefing that connected the geopolitical driver to the specific sub-sectors at elevated risk β€” including clients with DOD supply chain relationships β€” so the EDGE team could have an informed conversation, not just a generic alert."
What's your process for tracking a nation-state actor?

Frame: Hit the three layers β€” collection, context, and dissemination cadence. "Tracking an actor isn't just watching IOCs. It's understanding their mission, who funds them, what geopolitical events change their targeting, and what that means for our specific client portfolio."

Use Mustang Panda as your anchor: espionage-focused, PRC-aligned, historically diplomatic/NGO targeting. Walk them through the 2026 shift β€” Middle East government expansion, India banking sector divergence, MSBuild lure technique. Explain how you connect PRC foreign policy posture to targeting decisions.

Mention the alias landscape (TA416, Stately Taurus, Twill Typhoon, Earth Preta, Camaro Dragon) as evidence of your depth β€” knowing the naming conventions across Proofpoint, Unit42, Microsoft, and Mandiant shows you work across multiple vendor intel streams.
How do you connect geopolitical events to cyber threat activity?

Frame: "Geopolitical events are one of the most reliable leading indicators for threat actor targeting shifts. Nation-state actors don't operate in a vacuum β€” their tasking follows the diplomatic and military priorities of their sponsors."

Examples to deploy: (1) Iranian actors escalating against US healthcare following US foreign policy posture changes β€” the Stryker/DOD supply chain angle. (2) APT28 targeting Greek military and NATO Balkans members following specific geopolitical postures. (3) Mustang Panda expanding to Middle East diplomatic targets as PRC deepens Gulf engagement. Each of these is a geopolitical cause β†’ cyber targeting effect you can articulate directly.

This is where you distinguish yourself from purely technical analysts. "I maintain a running geopolitical context layer so that when I see a targeting shift, I can explain WHY to a non-technical stakeholder β€” which is what the underwriting and claims teams need."
Describe your experience with the intelligence lifecycle.

Frame: Use the standard phases β€” Direction, Collection, Processing, Analysis, Dissemination, Feedback β€” but make each one concrete with your Resilience experience.

Direction: RFIs from EDGE team or underwriting β€” "what actors are targeting manufacturing right now?" Collection: OSINT stack (Shodan, Flashpoint, DomainTools, CyberChef), SIEM telemetry, Wazuh/ELK, vendor intel (Proofpoint, Mandiant, Unit42). Processing: Normalizing, correlating, deduplicating across sources. Analysis: TTP mapping to ATT&CK, attack chain reconstruction, sector relevance assessment. Dissemination: Briefings adapted for Security Engineers to deliver to clients; executive briefings for C-suite. Feedback: Client-side signal you surface back to the TI team about what actually resonates β€” and this is your unique loop given your current role.

The feedback loop is your unique angle. "Most TI producers don't have a direct feedback channel from clients. I've been that channel β€” I know which intel drove client action and which got filed away. That's what I'd bring to the TI team."
How would you respond to an RFI from the underwriting team?

Frame: "Underwriting RFIs are time-sensitive and need to be decision-useful, not comprehensive. They need enough to price and structure a policy, not a deep-dive report."

Walk through: Understand the specific client sector and geography β†’ identify which threat actor clusters are actively targeting that combination β†’ pull current TTP data β†’ translate into risk-relevant language (not "APT28 used T1078" but "credential-based access is the dominant vector for this actor against this sector, which means MFA coverage gaps are the most material risk"). Tie it to the claims context β€” what does an incident from this actor actually cost?

Finance/insurance sector ransomware severity averages $731K (2026). Healthcare averages $675K. Having those numbers ready shows you understand the financial stakes behind the intel.
What's the difference between strategic, operational, and tactical intelligence?

Strategic: Long-horizon, decision-maker-level. Nation-state intent, sector targeting trends, policy implications. Audience: C-suite, board, underwriting leadership. Cadence: quarterly, driven by geopolitical events. Example: "Iranian APT programs are increasingly targeting US critical infrastructure as a geopolitical lever during periods of diplomatic tension β€” here's what that means for our healthcare and energy portfolio."

Operational: Campaign-level. Active threat actor TTPs, specific attack chains, current targeting patterns. Audience: security teams, EDGE consulting. Cadence: ongoing, event-driven. Example: "Mustang Panda has shifted to MSBuild lures targeting diplomatic entities β€” here's the updated campaign profile and recommended detection logic."

Tactical: Technical artifacts. IOCs, signatures, YARA rules, CVEs actively being exploited. Audience: SOC, threat hunters, IR teams. Cadence: near-real-time. Example: "CVE-2026-50751 (Check Point VPN) is being actively exploited since May 2026 β€” here's the patch priority and detection recommendation."

Connect this to Resilience's layers: "Resilience needs all three, but the differentiated value of a TI team at a cyber insurer is the strategic-to-operational bridge β€” translating long-horizon threat patterns into underwriting signals and loss control recommendations."
How do you use MITRE ATT&CK in your daily work?

Frame: Not as a compliance checkbox β€” as a living operational framework. "I use ATT&CK as a common language between threat intelligence, security engineering, and client delivery."

Specific examples: (1) Mapping Mustang Panda's current toolchain (PlugX, MQsTTang) to specific techniques β€” T1566 (phishing), T1059 (command interpreter), T1071 (C2 over legitimate protocols). (2) Using technique coverage to evaluate BAS package selection β€” "does this simulation package actually test against the techniques this actor uses against this sector?" (3) Aligning Resilience's risk signals to ATT&CK + NIST CSF 2.0 for underwriting intelligence.

Mention that you've operationally aligned Resilience's proprietary risk signals to ATT&CK β€” that's not a common thing a consultant does; it shows you've already done TI team work from inside EDGE.
Why do you want to move from EDGE to the TI team?

Frame: This is a clarification question, not a "why are you leaving" question. Frame it as a natural progression, not an escape.

"My most valuable contributions at Resilience have come from the intelligence work β€” tracking actors, building briefings, connecting geopolitical context to sector risk. The EDGE role is client-facing delivery; the TI team is where that intelligence actually gets made. I've been doing the translation work for years, and I want to be closer to the source β€” contributing to production, not just adapting it."

Add the feedback loop angle: "I've also been a valuable signal back to the TI team about what resonates at the client level. Moving into the team formalizes that β€” I can help produce intel that I know will land, because I've been on the receiving end of it."

Avoid any implication that EDGE work is beneath you or that you're done with client work. Frame it as additive expertise, not an escape. "I'm not leaving EDGE β€” I'm building on everything I learned there."

Intelligence Lifecycle β€” How CTI Actually Works

The intelligence lifecycle is the systematic process that transforms raw data into finished intelligence decision-makers can act on. It is a continuous cycle β€” not a one-time pipeline. The feedback phase loops back to redefine requirements, which drives the next collection cycle. Most CTI teams are strong at the middle phases (collection, analysis) and weakest at the bookends (direction, feedback) β€” which is exactly where you have an edge.
01
Direction
PIRs & RFIs
β†’
02
Collection
OSINT, feeds, SIEM
β†’
03
Processing
Normalize & correlate
β†’
04
Analysis
ATT&CK mapping, TTP
β†’
05
Dissemination
Briefings & reports
β†’
06
Feedback
Refine & restart
Phase 01

Direction

The foundation of everything. Before collecting a single data point, you define what you need to know and why. This takes two forms: Priority Intelligence Requirements (PIRs) β€” standing questions the organization needs continuously answered (e.g., "Which threat actors are actively targeting the financial sector?") β€” and Requests for Information (RFIs), which are ad hoc questions from specific consumers.

Bad direction produces irrelevant intelligence regardless of how good your collection is. Good direction forces you to articulate the decision the consumer needs to make, then work backwards to what information enables that decision.

At Resilience: EDGE team RFIs, underwriting sector queries ("what actors are targeting manufacturing right now?"), claims support requests
Your edge: you've been a consumer of TI for years. You know exactly which requirements produce actionable intel vs. which produce noise β€” that's rare on a production team.
Phase 02

Collection

Gathering raw data from all available sources in response to defined requirements. Collection disciplines: OSINT (open source β€” public reporting, vendor blogs, dark web), TECHINT (technical indicators from SIEM/EDR telemetry), and commercial threat feeds (Proofpoint, Mandiant Advantage, Recorded Future).

Collection without direction produces signal noise. The requirement drives what you collect β€” not the other way around. More data sources isn't better if they're not relevant to the requirement.

Tools: Shodan, Flashpoint, DomainTools, VirusTotal, Recorded Future, Proofpoint ET, Mandiant Advantage, ISAC feeds, dark web monitoring, Wazuh/ELK SIEM telemetry
Know your source types: raw vs. processed, first-party vs. vendor, real-time vs. periodic. Each has different reliability, timeliness, and bias characteristics.
Phase 03

Processing

Raw data isn't intelligence. Processing transforms collected data into something analysts can work with: parsing, translating, decoding, normalizing, deduplicating, and filtering noise. This is the data β†’ information transformation step.

In a modern CTI stack, processing is heavily automated β€” SIEM ingestion pipelines, threat intel platforms (TIPs like MISP or OpenCTI), and STIX/TAXII feeds handle normalization at scale. Analysts must still quality-check outputs and apply source confidence scoring.

Tools: MISP, OpenCTI, Splunk/ELK normalization pipelines, CyberChef (decode/transform), STIX 2.1/TAXII feeds, deduplication logic
Processing quality directly caps analysis quality β€” garbage in, garbage out. An analyst who understands normalization and source confidence is more valuable than one who only knows the downstream analysis tools.
Phase 04

Analysis

The core intellectual work of a CTI analyst. Analysis transforms processed information into finished intelligence: identifying actor patterns, attributing activity to known groups, assessing intent and capability, mapping TTPs to MITRE ATT&CK, and evaluating sector-specific relevance and impact.

Professional analysis is explicit about confidence levels (High/Medium/Low), distinguishes confirmed facts from analytic assessments, and identifies underlying assumptions. The IC calls this Structured Analytic Techniques (SATs) β€” ACH (Analysis of Competing Hypotheses), key assumptions checks, devil's advocacy.

Frameworks: MITRE ATT&CK, Diamond Model, Cyber Kill Chain, STIX 2.1. Methods: hypothesis testing, ACH, actor profiling, TTP clustering
Your differentiator: geopolitical context layer. Most analysts stop at TTP mapping. You connect diplomatic events β†’ targeting shifts β†’ sector risk β€” that's full-spectrum strategic analysis.
Phase 05

Dissemination

Delivering finished intelligence to the right consumer in the right format at the right time. A perfect analysis in the wrong format to the wrong audience is wasted effort. Dissemination requires understanding your consumer's role, technical depth, time constraints, and the specific decision they're trying to make.

Different audiences need fundamentally different products: a SOC engineer needs IOCs and detection logic; a CISO needs strategic risk framing; an underwriter needs financial risk translation; an executive needs a one-page threat narrative with clear "so what."

Product types: Flash alerts (breaking), Daily/weekly digests, Actor profiles, Sector briefings, Executive summaries, RFI responses, BAS-aligned TTP packages
You've been the last mile β€” adapting TI team output for EDGE client delivery. You know where dissemination breaks down because you've lived the failure modes from the consumer side.
Phase 06

Feedback

The phase that makes the lifecycle a cycle. Consumers provide feedback on whether intelligence answered their questions, whether it was timely and actionable, and what new questions have emerged. This feedback refines the next round of PIRs and collection requirements.

Most TI teams struggle with feedback because they're organizationally separated from consumers. The further a TI team sits from the end consumer, the weaker the feedback loop β€” and the more the team drifts toward producing intelligence that satisfies internal metrics rather than real consumer needs.

At Resilience: Eric surfaces client-side feedback to the TI team β€” which intel drove action vs. what got filed away. This is a live feedback channel most TI teams don't have.
This is your unique interview angle. You've been the feedback channel. The TI team gains institutional client-side signal the moment you join β€” day one value no external candidate can replicate.

Why interviewers ask about this: Reciting six phases in order answers the surface question. Explaining why the feedback loop is the most neglected phase, why bad direction makes good collection irrelevant, and how you've personally operated across multiple phases simultaneously β€” that's the answer of a working TI analyst. Know the phases cold, and connect each one to a concrete Resilience example.

OSI Model β€” Network Fundamentals for CTI

The OSI (Open Systems Interconnection) model is a conceptual framework describing how data travels across a network in 7 distinct layers. As a CTI analyst, knowing which layer an attack targets tells you what controls can detect or stop it β€” and allows you to speak precisely when discussing TTPs with engineers and SOC teams. When someone asks "where does this technique operate," your answer should name the layer.
7
Application
User interface
HTTP/SDNSSMTPFTPSSHRDPLDAP
Where most attacks operate. Web exploits, phishing delivery, C2 callbacks over HTTPS, credential theft, data exfiltration β€” all live here. If you can't identify the L7 protocol, deep-packet inspection can't help you.
6
Presentation
Encoding / encryption
TLS/SSLBase64JPEG/PNGASCII
Encryption terminates here β€” TLS wraps L7 traffic and hides it from inspection. Payload obfuscation (Base64, XOR, hex encoding) and steganography operate at L6. Encrypted C2 uses L6 to defeat content filtering.
5
Session
Connections & tokens
NetBIOSRPCSOCKSOAuth tokensSMB sessions
Session hijacking, OAuth token theft, and pass-the-ticket/hash lateral movement operate here. Scattered Spider/SLH exploits OAuth session tokens at L5 β€” once they own the session token, they bypass all upstream authentication controls.
4
Transport
Ports & reliability
TCPUDP:443:80:22:3389
Port scanning, firewall rules, and C2 beaconing intervals operate here. Volt Typhoon's LOTL traffic uses legitimate ports (443, 80, 22) to blend into normal TCP sessions β€” L4 inspection alone won't catch it. VPN exploitation (73% ransomware entry vector) targets L4 daemons.
3
Network
Routing & IPs
IPICMPBGPIPSecVPN tunnels
IP-based IOC feeds, CIDR blocklists, volumetric DDoS, and IDS/IPS rules operate here. Most IOC sharing (actor IP addresses, infrastructure ranges) is L3 data. BGP hijacking is a sophisticated L3 supply chain attack used by nation-states.
2
Data Link
MAC & frames
EthernetWi-Fi 802.11ARPVLANMAC
ARP poisoning, VLAN hopping, and MAC spoofing live here. Key for lateral movement post-initial access. OT/ICS attacks often traverse L2 IT/OT segment boundaries β€” the Purdue model separation that Volt Typhoon is trying to bridge inside US utilities.
1
Physical
Bits over medium
Ethernet cableFiberRF / Wi-FiUSB
Physical access, USB drop attacks, hardware implants, and wiretapping. Stuxnet targeted L1 PLC controllers (the first confirmed weapon-grade L1 attack). Mustang Panda deployed USB worms specifically to bridge air-gapped networks β€” L1 is the only attack surface for isolated systems.
Layer Groups
Host
Layers
L5–L7
app logic &
user data
Transport
L4
Media
Layers
L1–L3
infrastructure &
transmission
Security-themed acronym (7β†’1):   "Attackers Penetrate Systems, Traversing Networks, Down to Physical" β€” tells the attack story from user-facing down to hardware
Layer β†’ Letter β†’ Word β€” each letter = first letter of that layer
A
Layer 7
Application
Attackers β€” where adversaries strike (HTTP/S, DNS, RDP, email)
P
Layer 6
Presentation
Penetrate β€” they penetrate your encryption (TLS, encoding, obfuscation)
S
Layer 5
Session
Systems β€” compromising sessions and tokens (OAuth theft, session hijack)
T
Layer 4
Transport
Traversing β€” traversing ports (TCP/UDP, VPN, C2 beaconing intervals)
N
Layer 3
Network
Networks β€” across IP networks (routing, DDoS, IP-based IOCs, LOTL)
D
Layer 2
Data Link
Down β€” down to MAC/frames (ARP poisoning, VLAN hopping, lateral move)
P
Layer 1
Physical
Physical β€” the hardware substrate (USB drops, implants, Stuxnet PLCs)
Classic backup (7β†’1): "All People Seem To Need Data Processing"  Β·  Bottom-up (1β†’7): "Please Do Not Throw Sausage Pizza Away"

CTI Attack β†’ Layer Quick Map

  • Phishing / web exploits β†’ L7 Application
  • Encrypted C2 / TLS exfil β†’ L6 Presentation
  • OAuth token theft (SLH/Scattered Spider) β†’ L5 Session
  • VPN exploitation (73% of ransomware entry) β†’ L4 Transport
  • IP blocklists / DDoS / actor IPs β†’ L3 Network
  • LOTL blending β€” Volt Typhoon β†’ L3–L7
  • ARP poisoning / lateral movement β†’ L2 Data Link
  • USB drops / hardware implants β†’ L1 Physical

Print This Reference Card

Print just the OSI section as a clean single-page reference card β€” white background, printer-friendly layout.

Or use your browser's Print (Cmd+P) to print the full page.

OSI vs TCP/IP: Real networks run TCP/IP (4 layers: Network Access, Internet, Transport, Application) β€” not OSI's 7. OSI is a teaching and analysis model. When you say "this operates at the application layer," both models agree on the meaning. Use OSI when precision matters (troubleshooting, TTP discussion). Use TCP/IP when talking to network engineers about production traffic.

Current Threat Landscape β€” June 2026

Breaking: CVE-2026-50751 (Check Point VPN auth bypass, CVSS 9.3) actively exploited in the wild since May 7, 2026. Dozens of organizations compromised. Patch immediately.
31%
Breaches via vulnerability exploitation
First time in 19 years it surpasses credential theft (DBIR 2026)
73%
Ransomware intrusions via VPN compromise
Up from 38% in 2023, 66% in 2024
84
Active ransomware groups in Q1 2026
Highest count ever recorded (Travelers)
22s
Median initial access handoff time
Was 8+ hours in 2022 (M-Trends 2026)
14
Days median global dwell time
Espionage/NK IT workers: 122 days
48%
All breaches involve ransomware
Up from 44% (DBIR 2026). 69% didn't pay.
48%
Breaches involve a third party
Up 60% year-over-year (DBIR 2026)
$508K
Average ransomware severity
+16% YoY. Finance/insurance: $731K
Emerging tactics to know in 2026:
  • Recovery denial ransomware: Attackers destroy backups before encrypting β€” BI coverage triggered in 1 of 3 ransomware claims, averaging $510K vs $168K without BI.
  • Multi-tactic combinations: No longer just encryption or data theft β€” adversaries sequence tactics (encrypt + exfil + BI disruption) to maximize leverage simultaneously.
  • AI-assisted attack acceleration: LLMs used for hyper-personalized phishing, malware that queries LLMs mid-execution to evade detection, faster zero-day weaponization.
  • Division-of-labor intrusions: 9% of 2025 Mandiant investigations involved one cluster gaining initial access and handing off to a second group within seconds β€” up from 4% in 2022.
  • Voice phishing surge: Vishing climbed to #2 initial infection vector (11% of Mandiant investigations) β€” social engineering increasingly bypasses technical controls.

Chinese APTs β€” Current Activity

Mustang Panda

TA416 Stately Taurus Earth Preta Camaro Dragon Twill Typhoon Bronze President

Mission: PRC-aligned cyberespionage. Primary targets: government, diplomatic entities, NGOs, foreign affairs ministries. Collection priority: political intelligence to support PRC foreign policy objectives.

Current Activity 2026: Now

  • March 2026: Resumed European operations after pause since 2023 β€” now targeting Middle East diplomatic and government entities as PRC deepens Gulf engagement
  • Feb 2026: Shifted to archives containing renamed Microsoft MSBuild executables + malicious C# project files (new lure technique)
  • 2026: Renewed attacks on US government/policy organizations using Venezuela-themed spearphishing lures
  • Sep 2025 – Apr 2026: Sustained Asia-Pacific government targeting (observed by Darktrace)
  • New divergence: Indian banking sector targeting β€” a significant departure from typical diplomatic/government focus; geopolitical context: India-PRC border tensions and trade competition

Core TTPs: Spearphishing (T1566), PlugX RAT, MQsTTang backdoor, TONESHELL backdoor, LOLBin abuse (MSBuild), USB worm propagation, C2 over legitimate cloud services

Geopolitical driver: PRC foreign policy priorities drive targeting shifts. Watch diplomatic events β€” Middle East engagement, India tension, Taiwan Strait activity β€” as leading indicators for targeting changes.

The multi-alias landscape (TA416 = Proofpoint, Stately Taurus = Unit42, Twill Typhoon = Microsoft, Earth Preta = Trend Micro) reflects independent vendor attribution β€” same actor, different tracking names. Knowing the cross-vendor mapping shows breadth of intel sourcing.

Volt Typhoon

Bronze Silhouette VANGUARD PANDA Dev-0391

Mission: Pre-positioning inside US critical infrastructure for potential disruption β€” NOT espionage. The IC assesses this is preparation for kinetic conflict scenarios (Taiwan contingency), not intelligence collection. This is the most strategically alarming Chinese actor for Resilience's portfolio clients.

  • Status 2026 Active: Dragos confirms Volt Typhoon remains embedded in US utilities; CISA Feb 2026 advisory confirms intensified activity since mid-2025 with new IOCs in water and communications sectors
  • Confirmed access duration: CISA documented persistent presence for at least 5 years inside US energy, water, communications, and transportation sectors
  • Hallmark β€” LOTL only: Uses exclusively built-in OS tools (wmic, ntdsutil, netsh, PowerShell, certutil) to blend into legitimate admin traffic; no custom malware means signature-based detection fails entirely
  • Entry method: Compromises perimeter edge devices β€” Cisco, Fortinet, NETGEAR, Ivanti VPNs/firewalls β€” then pivots laterally toward OT/ICS environments
  • Resilience portfolio relevance: Energy, water, transportation, and manufacturing clients are inside Volt Typhoon's target envelope. A geopolitically triggered activation (Taiwan Strait escalation, South China Sea incident) could generate simultaneous claims across multiple clients β€” a correlated loss event with no historical precedent for modeling.

Salt Typhoon

FamousSparrow GhostEmperor Earth Estries

Mission: Strategic telecom espionage β€” persistent access to US communications infrastructure to intercept calls, texts, and CALEA lawful intercept systems used by law enforcement and intelligence agencies.

  • Breach scope: Compromised AT&T, Verizon, T-Mobile, Lumen, Spectrum, Consolidated Communications, Windstream β€” 9 US carriers; 397M+ subscriber base potentially affected
  • CALEA access: Gained access to the lawful intercept infrastructure US agencies use for court-ordered wiretaps β€” giving China visibility into who US intelligence was actively surveilling
  • Status 2026: Senate Commerce Committee (Dec 2025) concluded carriers have NOT convincingly evicted the intruders β€” legacy equipment, 7-year-old router vulnerabilities never patched, weak credential hygiene still present across carrier infrastructure
  • Volt vs. Salt: Salt = espionage (communications intercept). Volt = pre-positioned disruption. Different missions, different sponsors within PRC, both active inside US infrastructure simultaneously.
The "Typhoon" family naming is Microsoft's convention. Volt and Salt are distinct actors with distinct missions β€” but together they represent China's two-track strategy: pre-position for disruption (Volt) while maintaining persistent intelligence collection (Salt). Both are inside US infrastructure right now.

Russian APTs β€” Current Activity

APT28 (Fancy Bear)

Forest Blizzard Pawn Storm STRONTIUM Sednit UAC-0001

Sponsor: GRU (Russian Military Intelligence). Mission: Espionage, influence operations, NATO/Ukraine targeting.

  • Jan 2026: CERT-UA attributed attacks against Ukrainian government agencies to APT28 β€” exploiting CVE-2026-21509 (MS Office) within 24 hours of public disclosure
  • Q1 2026: Trellix research: stealthy espionage campaign targeting European maritime and transport organizations β€” Poland, Slovenia, Turkey, Greece, UAE, Ukraine
  • April 2026: 27 Greek military (Hellenic National Defense General Staff) email accounts compromised; 170+ Ukrainian prosecutor/investigator accounts hacked; NATO Balkans targets hit
  • Pattern: Weaponizing zero-days and one-day exploits within hours of disclosure β€” vulnerability patching window is measured in hours, not days

Sandworm

IRIDIUM Voodoo Bear Seashell Blizzard

Sponsor: GRU Unit 74455. Mission: Critical infrastructure disruption, ICS/OT sabotage, destructive attacks aligned to military objectives.

  • Jan 2026: Microsoft + Amazon report sustained targeting of Western critical infrastructure via misconfigured network edge devices, VPNs, and collaboration platforms across North America and Europe
  • 2026: Latvia security agencies warn of significant industrial control system (ICS) threat across European nations β€” intent to disrupt essential services and punish Ukraine support
  • Hallmark TTPs: Edge device exploitation (VPNs, firewalls), wiper malware deployment, ICS-specific targeting (power grids, pipelines), supply chain pre-positioning

APT29 (Cozy Bear)

Midnight Blizzard NOBELIUM The Dukes Dark Halo

Sponsor: SVR (Foreign Intelligence Service). Mission: Long-dwell strategic intelligence collection β€” diplomatic, government, technology targets.

  • Dominant technique 2026: Identity-based access β€” credential theft, cloud account compromise, OAuth token abuse; persistence primarily within email and collaboration platforms
  • Dwell time: Among the longest observed β€” operates for months before detection; consistent with 122-day espionage median in M-Trends 2026
  • Why it matters for Resilience: APT29 targets the same sectors buying cyber insurance β€” government contractors, financial, technology. Long dwell means claims discovery is often months after initial access.

Iranian APTs β€” Current Activity

APT34 (OilRig)

Helix Kitten Hazel Sandstorm Crambus

Sponsor: Iranian MOIS (Ministry of Intelligence). Focus: Government, telecom, energy, financial services β€” Middle East primary, expanding globally.

  • 2025–2026: Multi-stage intrusion campaign against Iraqi government β€” deploying novel Veaty and Spearal backdoors; C# malware masquerading as PDFs with anti-VM checks
  • UAE targeting: StealHook backdoor used to exfiltrate credentials from on-premises Microsoft Exchange servers at Gulf-state government entities
  • AI capability development: Using Google Gemini and similar LLMs to write malicious code, identify vulnerabilities, gather target intelligence β€” AI-enhanced operations confirmed
  • March 2026 Now: CISA advisory β€” Iranian-affiliated APT disrupting PLCs across US critical infrastructure: Government, Water/Wastewater (WWS), and Energy sectors

APT33 (Elfin) + MuddyWater

Refined Kitten Cobalt Trinity

Most active Iran-linked APTs in 2025–2026. Manufacturing and Transportation sectors most targeted.

  • APT33: Focus on aerospace, energy, petrochemical β€” historically linked to destructive Shamoon wiper attacks against Saudi targets; currently elevated against US targets during US-Iran tensions
  • MuddyWater: MOIS-linked; government, telecom, defense targets; spearphishing and living-off-the-land techniques; active against Middle East, Europe, US
  • Geopolitical trigger watch: Iranian APT activity spikes measurably during US-Iran nuclear deal negotiations, sanctions escalations, and Gulf security incidents β€” track diplomatic calendar alongside threat activity
Your Stryker/DOD supply chain angle is a strong interview example: when Iranian actors escalate against US healthcare, companies with DOD medical device supply chain relationships face elevated risk β€” a non-obvious TI insight that directly informs underwriting posture.

North Korean APTs β€” Lazarus, TraderTraitor, Kimsuky

Key differentiator: DPRK cyber is uniquely dual-purpose β€” espionage AND regime revenue generation. 76% of all cryptocurrency stolen globally in 2026 has been traced to DPRK-linked actors. This isn't cybercrime. It's state-sanctioned sanctions evasion funding the nuclear weapons program.

Lazarus Group

HIDDEN COBRA Guardians of Peace Diamond Sleet ZINC Labyrinth Chollima

Sponsor: RGB (Reconnaissance General Bureau) β€” DPRK's primary foreign intelligence service. Active since at least 2009. Responsible for Sony Pictures (2014), WannaCry (2017), Bangladesh Bank heist ($81M, 2016).

Current Focus 2026:

  • Developer targeting: AI-industrialized attacks on developers β€” abusing tools like Cursor and ChatGPT to generate malicious code; OtterCookie malware delivered via fake developer job offers (March 2026 confirmed victim)
  • Crypto targeting: $12M+ in public wallet keys exfiltrated in first 3 months of 2026 alone
  • Supply chain focus: Software supply chain compromises targeting blockchain firms, DeFi platforms, and crypto exchanges β€” long-dwell pre-positioning before financial extraction
  • AI capability: Heavy use of generative AI to scale social engineering volume, refine lure content, and automate initial access β€” lowering the skill floor for individual operators

TraderTraitor (APT38 / BlueNoroff)

Stardust Chollima APT38 BlueNoroff

Mission: Financial theft β€” cryptocurrency heists, DeFi platform attacks, crypto exchange compromises. The DPRK's primary revenue-generation arm. Tracked jointly by FBI, CISA, and US Treasury.

  • ByBit heist (Feb 2025): $1.5B in Ethereum stolen β€” largest single crypto theft in history; social engineering of insider followed by rapid cross-chain laundering
  • Drift platform (April 2026) Now: $285M stolen β€” the culmination of a 6-month social engineering operation that began fall 2025; long-dwell pre-positioning before execution
  • Kelp DeFi (April 2026): $300M stolen from decentralized finance infrastructure
  • Scale: DPRK actors responsible for 76% of all crypto stolen globally in 2026; over $2B stolen in 2025 alone β€” more than half of the $3.4B total worldwide
  • Method: Fake job offers β†’ trojanized code repos β†’ malware deployment β†’ credential theft β†’ financial extraction β†’ rapid cross-chain laundering across mixers

Kimsuky

Velvet Chollima Black Banshee Emerald Sleet TA427

Mission: Espionage β€” policy intelligence on nuclear affairs, sanctions, South Korea/US relations. Targets think tanks, government, academia, NGOs, journalists covering North Korea.

  • Primary technique: Spearphishing with highly personalized lures β€” impersonates academics, journalists, policy researchers; establishes trust over weeks before delivering payload
  • Targets: US/ROK government officials, UN personnel, defense contractors, nuclear policy researchers β€” anyone with insight into DPRK sanctions policy or military positioning
  • 2026 activity: Sustained targeting of think tanks and defense policy organizations; AI-enhanced lure personalization to improve spearphish quality and success rate

DPRK IT Worker Threat β€” The Insider Risk Active

North Korean IT workers using false identities to obtain employment at US companies is a documented, ongoing threat β€” not theoretical. M-Trends 2026 reports a 122-day median dwell time for these cases, with several persisting over a year undetected.

  • How it works: DPRK workers use fabricated identities + AI-generated photos to pass interviews; once hired, they exfiltrate IP, install backdoors, or extort the employer on departure
  • Sectors targeted: Technology, defense, crypto, financial services β€” any sector where remote contractor work is normalized
  • Detection challenge: These are legitimate employees on company systems doing real work β€” traditional threat detection tuned for external intrusion misses them entirely
  • Resilience relevance: A client employing a DPRK IT worker represents an insider risk with nation-state backing β€” categorically different from typical insider threat scenarios; claims and underwriting implications are significant

FIN7 β€” The Chameleon Group

FIN7

Carbon Spider GOLD NIAGARA Sangria Tempest ITG14 GrayAlpha

Origin: Eastern European financially motivated cybercrime group, active since ~2013. Originally a sophisticated POS card-skimming operation targeting restaurant and hospitality chains. Has since evolved into one of the most adaptable and persistent threat actors tracked β€” commercially motivated, not nation-state, but with nation-state-level operational security and tooling.

Evolution arc:

  • 2013–2018: Retail/restaurant/hospitality POS compromise β€” stole millions of payment card records from Chipotle, Arby's, Sonic, Chili's, Red Robin
  • 2018–2020: Pivoted to spearphishing campaigns against broader enterprise; deployed CARBANAK backdoor and Cobalt Strike
  • 2020–present: Big game hunting β€” high-value targeted ransomware operations. Linked to REvil, DarkSide, BlackMatter, and Cl0p operations; currently operating own ransomware infrastructure
  • 2025–2026 Active: SentinelOne documents "FIN7 Reboot" β€” enhanced EDR bypass capabilities, automated attack pipelines, 4,000+ identified domains/IPs (Silent Push research); new infrastructure cluster tracked as GrayAlpha using PowerNet loader + NetSupport RAT

Current TTPs:

  • EDR bypass: Custom tools specifically engineered to evade endpoint detection β€” actively tested against major EDR platforms before deployment
  • Fake update attacks: Malicious browser/software update lures delivering PowerNet loader
  • Malvertising: Paid ad campaigns (Louvre, Meta, Reuters impersonated) delivering malware via search results
  • Scale: 4,000+ active domains across global phishing and malware campaigns β€” infrastructure that dwarfs most cybercrime operations

Current target sectors: Financial services, manufacturing, technology, healthcare, cloud services, utilities β€” well beyond the original retail/hospitality focus. Any Resilience client is a plausible target.

Why it matters for Resilience: FIN7 represents the evolution of financially motivated cybercrime to near-nation-state operational maturity. Despite multiple high-profile arrests of key members (2023–2024), the group has absorbed those losses and continued operations β€” a hallmark of a resilient, professionally organized criminal enterprise rather than a personal crew.

ShinyHunters / SLH Alliance β€” Scattered Spider's Evolution

This is the most important social engineering threat to enterprise environments right now. These are native English speakers using human-layer attacks that technical controls don't catch β€” targeting help desks, MFA fatigue, identity providers. The MGM and Caesars breaches (2023) were the proof of concept. 2026 is the scaled version.

ShinyHunters / SLH Alliance

Scattered Spider UNC3944 UNC6040 LAPSUS$ (merged) Scattered LAPSUS Hunters 0ktapus

Origin: English-speaking cybercrime collective β€” predominantly US and UK teens/young adults. Scattered Spider began as an identity and SIM-swapping crew; ShinyHunters as a data theft/extortion group. By early 2026 they have effectively merged with LAPSUS$ remnants to form the SLH (Scattered LAPSUS Hunters) alliance.

Evolution timeline:

  • 2021–2022: Scattered Spider and LAPSUS$ operate independently β€” Okta breach, Microsoft, Nvidia, EA Games compromised by LAPSUS$; Scattered Spider developing SIM-swap and help-desk social engineering tradecraft
  • 2023: MGM Resorts ($100M+ loss) and Caesars ($15M ransom paid) β€” help-desk vishing attack; Scattered Spider calls IT support, impersonates employee, resets MFA. Proof that human-layer attacks bypass every technical control
  • 2024: Arrests of key Scattered Spider members; group evolves and rebrands operations under ShinyHunters infrastructure
  • 2025–2026 Active: Full SLH alliance operational β€” Salesforce, Google Workspace, Workday, Coinbase, Air France-KLM, Allianz Life, TransUnion, Louis Vuitton, Gucci, Adidas, Jaguar Land Rover all hit. May 2026: 275M records stolen from Instructure (Canvas LMS)

Current TTPs β€” what makes them dangerous:

  • Help-desk vishing: Call IT support impersonating an employee; use OSINT (LinkedIn, leaked data) to answer verification questions; reset MFA and take over identity. Requires zero technical skill β€” pure social engineering
  • MFA fatigue / push bombing: Repeatedly send MFA push requests until the target accepts; often paired with a simultaneous phone call claiming to be IT support
  • SaaS + OAuth exploitation: Target SaaS integrations and OAuth-connected apps rather than core infrastructure β€” abuse trusted app-to-app permissions that security teams don't monitor
  • Identity provider targeting: Go directly for Okta, Azure AD, Google Workspace β€” compromise the identity layer and inherit access to everything downstream
  • Extortion-as-a-service (2026): SLH alliance moving to industrialized model β€” small affiliate crews operating under SLH brand with centralized back-end for ransomware deployment, negotiation, data leak sites, and target recon

2026 target sectors: Technology, financial services, insurance, retail, hospitality, crypto exchanges, higher education. Any organization using Okta, Azure AD, or Google Workspace SSO with human-staffed IT help desks is in scope.

Why it matters for Resilience: SLH attacks almost always trigger cyber insurance claims β€” MGM was one of the largest cyber claims in insurance history. The help-desk social engineering vector is specifically relevant to underwriting: a client with robust technical controls but no help-desk social engineering training or MFA-resistant authentication (passkeys, hardware keys) has a significant control gap that technical scans won't surface.

Ransomware Landscape β€” Q1/Q2 2026

2,405
Victims posted to leak sites Q1 2026
7% increase YoY; slight dip from Q4 2025 all-time high
84
Active groups Q1 2026
Highest ever recorded
$731K
Finance/Insurance average severity
2nd highest sector behind tech ($875K)
$675K
Healthcare average severity
Life-threatening BI disruption risk

Active groups to know β€” be able to name at least 6:

Qilin
VMware ESXi targeting; double extortion
Akira
Manufacturing, healthcare focus; Cisco VPN exploitation
Clop
Mass exploitation; MOVEit successors; financial
INC Ransom
Healthcare + education; Citrix exploitation
Play
Government, legal, finance; RaaS model
DragonForce
Multi-sector; data leak site active
Gentlemen
Emerged Sep 2025; 207 victims Q1 2026 β€” 2nd highest of any group
Sinobi
Emerging; financial sector focus
  • VPN is now the primary ransomware entry vector (73%). Up from 38% in 2023. Any client with aging VPN infrastructure is materially elevated risk.
  • Recovery denial is the new double extortion. Attackers target backups and DR infrastructure before encrypting β€” BI coverage triggered in 1 in 3 claims; average BI severity $510K vs $168K without.
  • 69% of victims did not pay in 2026. Improved backup posture + law enforcement pressure + negotiation leverage have reduced payment rates β€” but the threat actors haven't gone away.
  • RaaS fragmentation continues. LockBit takedown created a vacuum filled by smaller groups β€” harder to track, more unpredictable, less professionalized negotiation = higher claims variability.

Critical CVEs β€” Actively Exploited 2026

Context to own: Only 26% of critical vulnerabilities were fully remediated in 2025 (down from 38%), and median time to remediate rose to 43 days. Vulnerability exploitation is now the #1 breach vector for the first time in 19 years.
CVE Product CVSS Type Status Context
CVE-2026-50751 Check Point VPN / Mobile Access 9.3 Auth bypass (IKEv1) Exploited Active exploitation since May 7, 2026. Unauthenticated VPN session establishment. Dozens of orgs compromised.
CVE-2026-20127 Cisco Catalyst SD-WAN 9.8 Auth bypass (controller) Exploited CISA emergency directive issued Feb 2026. Remote unauthenticated admin access. FCEB patch deadline enforced.
CVE-2026-21509 Microsoft Office 8.8 RCE (one-day exploit) Exploited APT28 weaponized within 24 hours of disclosure. Spearphish documents targeting Ukrainian gov and EU institutions.
CVE-2026-41940 cPanel / WHM 9.1 Auth bypass Exploited ~1.5M internet-exposed cPanel instances. Exploited since at least Feb 2026 before disclosure April 28.
CVE-2026-41091 Microsoft Defender 7.8 Security bypass Exploited Defender bypass allowing malicious code to run without AV detection. Confirmed wild exploitation May 2026.
CVE-2026-45498 Microsoft Defender 7.5 DoS Exploited Causes Defender service disruption β€” used to blind endpoint protection before subsequent payload delivery.

Vulnerability intelligence talking point: "The remediation gap is widening, not closing β€” 43-day median time to patch critical vulns, with only 26% of critical CVEs actually closed. From an underwriting perspective, that means the insured's patch velocity is as important as whether they have a scanner. A scanner that finds everything but patches nothing is a false control."

Key 2026 Reports β€” Talking Points

Verizon DBIR 2026

31,000+ incidents Β· 22,000+ confirmed breaches Β· 145 countries
  • Vuln exploitation = #1 breach vector (31%) β€” first time ever surpassing credential theft
  • Ransomware in 48% of all breaches (up from 44%)
  • Third-party involvement up 60% YoY β€” now 48% of total breaches
  • Only 26% of critical CVEs remediated; median 43 days to patch
  • Shadow AI tripled to 45% of employees using unapproved AI tools
  • Human element in 62% of breaches; mobile social engineering up 40%

Mandiant M-Trends 2026

450,000 hours of incident response Β· Google Cloud
  • Median initial access handoff: 22 seconds (was 8+ hours in 2022)
  • Global median dwell time: 14 days (up from 11 in 2024)
  • Espionage / NK IT workers: 122-day median dwell
  • 9% of investigations: division-of-labor model (initial access β†’ handoff) β€” up from 4% in 2022
  • Voice phishing = #2 initial infection vector (11% of investigations)
  • Exploits remain #1 at 32% of initial access

Munich Re Cyber 2026

Insurance market perspective
  • Main insured loss drivers: Ransomware, Data Breach, BEC, DDoS
  • BI coverage triggered in 1 in 3 ransomware claims ($510K avg)
  • AI-amplified threats: deepfakes, autonomous vuln discovery, LLM-assisted attacks
  • Insurers moving toward rewarding continuous monitoring programs
  • AI coverage migration: pushing AI exposures onto cyber + Tech E&O policies

Resilience 2026 Predictions

cyberresilience.com β€” Feb 2026
  • AI-amplified threats exploiting human vulnerabilities as primary 2026 theme
  • Fundamental shift in ransomware tactics (not just encryption)
  • Blurring line between private enterprise and national security
  • Litigation follows incidents β€” sometimes within days of an event
  • Coverage migration: AI exposures landing on cyber + Tech E&O

BAS / CTEM β€” Your Unique Angle

Market Context

  • Only 16% of organizations have an operational CTEM program (2026)
  • CTEM programs deliver 50% better attack surface visibility
  • BAS market shifting from compliance validation β†’ business risk quantification
  • By 2028: organizations combining CTEM + mobilization expected to see 50% reduction in successful attacks
  • BAS now integrates AI/ML for more realistic threat modeling + SIEM/SOAR integration

Your Operational Reality

  • You don't just know BAS theory β€” you built and operated the program
  • Continuously monitored most active threat actors + mapped attack chains to ATT&CK
  • Selected BAS packages based on which actors actively target a client's sector
  • Mapped attack chains: initial access β†’ privilege escalation β†’ persistence β†’ exfiltration
  • Aligned Resilience's proprietary risk signals to ATT&CK + CIS 8.1 + NIST CSF 2.0

MITRE ATT&CK β€” 14 Tactics (the attack chain)

TA0043
Reconn-aissance
Target research, OSINT
TA0042
Resource Develop-ment
Infrastructure, tooling
TA0001
Initial Access
Phishing, VPN exploit
TA0002
Execution
Script, LOLBin, macro
TA0003
Persistence
Scheduled task, reg key
TA0004
Privilege Escalation
Token impersonation
TA0005
Defense Evasion
Obfuscate, disable AV
TA0006
Credential Access
Mimikatz, MFA fatigue
TA0007
Discovery
Network scan, AD enum
TA0008
Lateral Movement
Pass-the-hash, RDP
TA0009
Collection
Email, file staging
TA0011
C2
Beacon, DNS tunnel
TA0010
Exfiltration
Cloud upload, encrypt
TA0040
Impact
Ransomware, wiper, BI disruption

BAS packages should be selected to test the specific tactics your target actor uses against your client's sector β€” not just generic coverage. Impact (TA0040) is where the insurance claim originates; everything to the left is where prevention and detection can intervene.

The bridge argument for the TI team: BAS/CTEM is where threat intelligence gets validated operationally. A TI team that can say "here's the actor, here are the TTPs, and here's the BAS result that shows whether your controls would actually stop it" is producing a materially higher-quality intelligence product than a team that stops at the briefing. You're the person who closes that loop.

Quick Reference β€” Have These Cold

Intelligence Lifecycle

01
Direction
PIRs, RFIs
02
Collection
OSINT, SIEM, vendor
03
Processing
Normalize, correlate
04
Analysis
ATT&CK mapping, TTP
05
Dissemination
Briefings, reports
06
Feedback
Refine requirements

Actor Aliases β€” China

Proofpoint:TA416
Unit42:Stately Taurus
Microsoft:Twill Typhoon
Trend Micro:Earth Preta
SecureWorks:Bronze President
Recorded Future:RedDelta

Actor Aliases β€” Russia

APT28 (GRU):Forest Blizzard / Fancy Bear
APT29 (SVR):Midnight Blizzard / Cozy Bear
Sandworm (GRU):Seashell Blizzard / Voodoo Bear
APT44:Sandworm (Mandiant rename)

Actor Aliases β€” China (Typhoons)

Volt Typhoon:Bronze Silhouette / VANGUARD PANDA
Salt Typhoon:FamousSparrow / Earth Estries
Volt mission:Disruption pre-positioning (OT/ICS)
Salt mission:Telecom espionage (CALEA access)
Salt carriers hit:AT&T, Verizon, T-Mobile + 6 others

Actor Aliases β€” North Korea

Lazarus (RGB):HIDDEN COBRA / Diamond Sleet / ZINC
TraderTraitor:APT38 / BlueNoroff / Stardust Chollima
Kimsuky:Velvet Chollima / Emerald Sleet / TA427
DPRK crypto stolen:76% of global total in 2026
ByBit heist:$1.5B (Feb 2025 β€” largest ever)
Drift heist:$285M (April 2026, 6-mo op)

Actor Aliases β€” Cybercrime

FIN7:Carbon Spider / Sangria Tempest / GrayAlpha
Scattered Spider:UNC3944 / 0ktapus
ShinyHunters:UNC6040
SLH Alliance:Scattered + LAPSUS$ + ShinyHunters merged
MGM breach vector:Help-desk vishing β†’ MFA reset

Actor Aliases β€” Iran

APT34 (MOIS):OilRig / Helix Kitten / Hazel Sandstorm
APT33 (IRGC):Elfin / Refined Kitten
MuddyWater:Mango Sandstorm / MERCURY

Stats to Know Cold β€” 2026

Vuln as #1 breach vector:31% (first time ever)
VPN = ransomware entry:73%
Ransomware % of breaches:48%
Third-party breach rate:48% (+60% YoY)
Median patch time (critical):43 days
Access handoff speed:22 seconds
Fin/Ins avg ransomware:$731K
Operational CTEM orgs:Only 16%

Resilience Internal Structure

ROC:Risk Operations Center β€” TI producers
TI team:Team you're joining β€” TI producers
EDGE:Client-facing consulting β€” your current role
Your current role:Bridge: TI β†’ EDGE client delivery
Framing:Translate + operationalize, NOT primary producer

Key Acronyms

PIRPriority Intelligence Requirement
RFIRequest for Information
TTPTactics, Techniques, Procedures
IOCIndicator of Compromise
CTEMContinuous Threat Exposure Management
BASBreach and Attack Simulation
LOLBinLiving-Off-the-Land Binary
DORADigital Operational Resilience Act (EU)

Themes

Choose a color theme. Your preference is saved in the browser and restored on next visit.

Dark
Default β€” GitHub-inspired dark. Easy on the eyes for long sessions.
Terminal
Green on black. Maximum hacker energy. Good for focus sessions.
Navy
Dark blue. Professional look β€” good for interview day review.
Light
White background. Best for bright environments and printing.