Beyond "Actionable": How Brian Hein and James Shank Want CTI to Actually Hurt Adversaries
by Serena Raymond on Apr 29, 2026 10:12:45 AM
A recap from the 2026 FIRST Cyber Threat Intelligence Conference—#FIRSTCTI26, Munich, Germany, 23 April 2026
On Thursday afternoon at the FIRST CTI Conference in Munich, Brian Hein (DNSFilter) and James Shank (Expel) delivered a talk whose title doubled as a thesis statement: "How NOT to Be Your Adversary's Best Friend—Doing What Matters..."
Their core provocation to the room: the CTI industry has fallen in love with the word actionable, but actionable is not the same as impactful. Tactical indicators, IOC churn, and dashboards can keep teams busy without ever denting an adversary's bottom line. If the criminals keep getting paid, the work does not matter.
The action trap
Brian opened with a question that made the room squirm: "If your company laid off your entire CTI (Cyber Threat Intelligence) staff and shut down the CTI program, would anybody notice? Would the adversary notice?"
The point was not that CTI teams are useless. The point is that many teams measure the wrong things: IOCs ingested, feeds consumed, reports produced, tickets closed. They have built a conveyor belt and are measuring how fast it moves instead of whether anything real comes off the end of it.
The result, Brian argued, is "intelligence theater." A team can process hundreds of thousands of IOCs, load them into a SIEM, and still get breached. Meanwhile, the adversary yawns, because there are still victims to exploit and money to collect.
From action to impact
Building on the community's long-running "From Trust Groups to Action Communities" conversation (a thread that started at FIRST Montreal), Brian and James argued that defenders need to evolve yet again. This time, the evolution is from action to impact:
- Influence business decisions, not just SOC alerts. CTI that matters looks like ransomware tactics justifying disaster-recovery investments, or threat-landscape analysis informing M&A risk assessments. If the CTI team cannot get a meeting with the C-suite when the organization is in danger, something is broken.
- Alter adversary cost models until campaigns become economically unattractive. Brian and James proposed a new metric: revenue per attack, the adversary's take divided by the number of attacks they have to run to earn it. Treat threat actors as businesses with customers, satisfaction scores, and profit-and-loss dynamics. Then figure out how to wreck those economics: push revenue per attack down and cost per attack up (forced retooling, burned infrastructure, unhappy customers) until the campaign no longer pays.
- Measure success in dollars denied, not tickets closed. What is the dollar amount of fraud your intelligence program stopped? How many times did adversaries have to retool because of your work? Those are the metrics that matter to a board.
The Emotet lesson: disorganization as a weapon
One of the talk's most striking moments was a counterintuitive case study from the Emotet takedown. James, who along with Brian took part in the collaborative effort that brought Emotet down, explained that the community's disorganization was actually an advantage. Different organizations contributed what they could, when they could. Someone was on vacation; someone else's kids needed attention. That unpredictability meant Emotet's operators could not model, and so could not out-tool, the defenders.
The takeaway: Formal process is not always the answer. Loosely coordinated communities that move at speed, organized around outcomes rather than procedures, can impose costs that rigid structures cannot.
Stop over-classifying: TLP as a crutch
James issued a direct challenge to the room on information sharing. He and Brian have seen TLP (Traffic Light Protocol) used not as the practical sharing guide it is meant to be (a label that only says how far a recipient may pass the information on), but as a proxy for "how cool is this intel" or "how special does it make me feel to share with only three people."
Their view: the only people who benefit from over-classification and over-restricted sharing are the adversaries. If you have information that could protect victims and you restrict it without a genuinely good reason (an active law-enforcement action, a legal or data-privacy obligation), you are contributing to the continued victimization of those victims. The talk itself was marked TLP:CLEAR to make the point.
A gauntlet for the community
Brian and James closed with a call to action:
- Kill your vanity metrics. Stop tracking work for work's sake.
- Become their cost center. Change the adversary's business model so they worry about whether their operation will work tomorrow. Right now, they do not have that thought at all.
- Build your network today. Find five people you have not talked to. Exchange Signal, Threema, or whatever messenger you prefer. The moment something happens, spread the word.
The Q&A: Where it got real
The audience Q&A surfaced two exchanges worth highlighting.
On breaking into trust groups: An attendee asked how to get into the selective communities (Signal group chats, Discords) where fast sharing happens. James said trust groups, direct-action groups, and ISACs should not be pay-to-play, and that exchanging contact details is what lets a group reach you, on behalf of your organization or a competitor, in the middle of the night. Brian's advice was more practical: "Do the work. The groups are looking for people that can do the work. They're not looking for people that are just there to watch." He then asked everyone in the room who belongs to such a group to raise a hand: the people already in those groups are standing right there. Talk to them. Being known becomes part of the ticket to entry.
On over-sharing risk: Another attendee asked whether lowering TLP restrictions could let adversaries monitor ongoing investigations and rotate their TTPs or infrastructure faster. James's response: "Good. Let them have to struggle. Be faster." Brian added that the current default (restricting information) is demonstrably not working, so it is time to try something different and measure the results. A third attendee, from an MSSP background, described sector communities (one for healthcare, SURF for schools) whose members could not share sightings with one another. Brian, who said he has the same struggle on the MDR side, described US ISACs whose membership rules ask him to pretend he does not know a piece of threat intelligence when dealing with non-member organizations. "Why do we think it's okay for somebody to be asked to not protect a potential victim?" he asked. "The only people benefiting from that are the adversaries."
Get the materials, and share them
In keeping with the collaborative spirit of the talk itself, Brian and James have released the full session materials so the community can distribute them globally; the full transcript follows at the end of this post.
If this message resonates, the most useful thing you can do is get it in front of people outside your usual trust group: ISAC partners, industry peers, policymakers, and the executive stakeholders whose decisions ultimately shape whether cybercrime stays profitable.
Share widely. Act on what matters. And stop being your adversary's best friend.
About the speakers
Brian Hein is the Principal Threat Researcher at DNSFilter. He is a veteran threat researcher (HP’s Office of the CTO, HP Security Research, Flashpoint, DTAG, Silobreaker) and serves as a Case Lead at the World Economic Forum’s Cybercrime Atlas initiative. He has been championing community-driven disruption for over a decade.
James Shank is Director of Threat Operations at Expel, having joined in 2025 after roles at SpyCloud and Team Cymru. He was part of the collaborative effort that took down Emotet—a textbook example of exactly the kind of impact the talk argued for.
Protect your organization at the DNS layer
DNS is one of the earliest and most effective chokepoints for blocking adversary infrastructure before it reaches your network. If you are rethinking how your organization imposes cost on attackers, start a free trial of DNSFilter and see the difference DNS-layer security makes.
Session details: How NOT to Be Your Adversary's Best Friend—Doing What Matters...—2026 FIRST CTI Conference, 23 April 2026.
Full session transcript
How NOT to Be Your Adversary's Best Friend | FIRST CTI 2026, Day 2. Speakers: Brian Hein and James Shank. Duration: 26 minutes.
[0:00]
All right. Do you want to launch us? Let's go. So I'm James. I'm Brian. And we're here to talk to you about how not to be your adversary's best friend.
[0:12]
We as an industry have a focus problem. And apparently we don't know how a clicker works. You have to push the button hard.
[0:25]
This is you. Okay, that's me. Actionable intelligence—"actionable" became an entire personality of the industry. A lot of people talk about it. We want to change that tremendously. Actionable is a crutch. It's hurting us more than helping us. Actually, it's killing us.
Raise your hand if you ever had to have a conversation about whether the investment in your org's CTI program was actually worth it. How comfortable is that conversation? It's sometimes hard, right? But you're not alone. Everyone, the entire industry, has that as a problem.
[1:10]
So today's roadmap: we're going to look at three different things. We're going to talk about the action trap, we're going to talk about what impact is and how it looks, and how you unleash the community as a weapon.
[1:26]
So to dive in, the action trap is first. And the theme to this part is: are we confusing being busy for having an impact?
I built a factory. I built many factories. You built factories. IOCs ingested, feeds consumed, reports produced, and tickets were closed. That's really, really great. We've built a conveyor belt, but we're measuring how fast the conveyor belt moves, not if something real gets produced.
And where that leads us is the uncomfortable question that nobody wants to have to answer. If your company laid off your entire CTI staff and shut down the CTI program—would anybody notice? Would your company notice? Would the adversary notice? And if you can't answer that question, we have a problem.
[2:29]
Great, we've produced fifty—hundred thousand IOCs. Implemented in our SIEM. Did a lot of work. Same work. It's breached. Fantastic.
And at the end of the day, the adversary yawns. Because there are still victims out there for them to pursue, for them to attack, and for them to still profit.
This isn't success. It is intelligence theater. We're doing action for action's sake, and we need to change that. We need to stop performing security or viewing security as a performative dance. We have to look at ways that we have an impact. Otherwise the adversary—who might be in the room or is online—they're laughing. Validly. Because they're still profiting.
[3:23]
So what impact actually looks like. This is where we reshape the conversation, and we start talking in the language of business, not talking in the language of security. That's how you start having an impact, and that's how you start having the conversation about value.
So to reframe the conversation, to reframe the thinking: you have to look at the question of "Is that intelligence actionable?" and just discard that. We've done that as an industry for over 10 years. We have to look at making an impact. The new question is: so what? What happens with the intelligence? What is the impact we have on adversaries? What happens to organizations? Do we provide actual value? And is our CTI program informing business decisions? Is the business changing what they're doing because we are giving them the guidance they need to change these security outcomes for the organization?
[4:24]
CTI that actually moves businesses. If you look at the fight against ransomware, it is not necessarily just sharing a YARA rule. It is having an impact on the business—protecting the business, or hardening the business.
Breaking this down by various categories: this looks like taking ransomware tactics and using them to justify expenses for how to recover from a ransomware attack. It looks like looking at the threat landscape and deciding how that informs M&A deals. Where is the risk to the business across various business sectors and various acquisition deals?
And it's uncomfortable, but if the CTI team cannot get a meeting with the C-level executives when needed, when the organization is in danger, we might as well just leave it. Because we're not the decision-makers, but we have to have the executives on speed dial—or at least have an alarm bell that is big enough that they wake up in the middle of the night and empower us to help the business and have a good influence.
[5:37]
And so what this looks like is changing the metrics that we talk about to be in the language of business. What is the dollar amount associated with the fraud loss that our intelligence program stopped? Or on the other hand, what is the impact you had on the adversary's program, where they had to retool?
Or even more fun: when they have unhappy customers. Looking at the Emotet takedown, one of the lessons learned afterwards that's really significant is how much Emotet's customers all of a sudden felt leading up to the takedown. A lot of things were done just to screw with the business. It was fun, absolutely.
What was the secret weapon? That we're all in communities—very disorganized. My org, other orgs, did what they could when they could. But having that unpredictability—"Hey, Brian is on vacation, has little kids, can't deal with it right now"—that actually had a measurable impact in a positive way. Because they could not out-tool us. Being disorganized in a very, very positive way.
[6:43]
Right. So it doesn't matter how many reports you produce, right? It's not about feed counts. It's not about report counts. This is about money. It's about informing decisions and changing the risk metrics—having an impact on the risk of the business.
And when we think about this in a more complete way, we need to understand that the way to think about how attackers operate is: they're running businesses. They have customers. They have CSAT scores. They have NPS scores or whatever that acronym is. And they have a profit-and-loss chart that they're tracking. It might not be formal. It might be in startup mode. It might be similar to when you're just getting a business off the ground. But it's still a profit and loss. They care about how they're performing.
So every CTI team should have a big thing on the wall that just focuses on: let's screw up their business. Let's wreck their economics. Because we cannot out-fail ourselves.
[7:46]
So what does that look like, to wreck their economics? First of all, we have to move at the speed that they move at. We have to be rapid in how we share what we know so that it burns down their techniques and changes the fundamental economics that their business operates at. When we do that, we have an impact beyond our own organization—not only in our own organization, but our entire sector.
And James and I came up with a new metric. We'll talk about it a bit more. And that's revenue per attack, which is really, really important. We need to look at it as a business problem.
Key thing is we have to do proactive disruptions. And we have to move at the speed that the threat actors move. They're not inhibited by GRC. They're not inhibited by concerns about liability. Their entire business—they don't care about legal. They're criminals. Their entire business operation is a liability. And that allows them to move faster than we move today.
[8:50]
And unfortunately, I have to say, the FBI gets it. So Brian, this quote—did this come directly from the FBI? "Impose greater cost and risk on cyber criminals." Right. This is what it's really about. The way you start influencing cybercrime economics is you focus on the financials, you focus on the economic activity, and you change their underlying business assumptions.
[9:18]
What teams are really proud of right now: we processed thousands of IOCs, produced reports, great, super cool. The team that did all of those things—they got breached. We have super-capable adversaries. We have lucky adversaries. Capable and lucky together is an evil match.
And what we need to look at, again, is the financial metrics. Turn that around and talk about the impact that you've had on your organization—saving your organization from harm and imposing cost on the adversary so that they're changing techniques, they're forced to cycle through infrastructure, they're forced to do the things that are a little bit more impactful to their operations and can cause places where they slow down, where they're impacted, where they need to reconfigure things, redo things, rethink things. Those are the costs to them in their business operation.
[10:19]
We need to start counting these like flying worlds.
And the way to do this: our biggest asset, our biggest strength, is right here. It's us. Oftentimes in security we talk about the fact that there's a misbalance between the advantage that attackers have versus defenders, because attackers only have to be right once. But the truth is, we have the strength. We are better funded than the attackers. We are more numerous than the attackers. The community is the strength—but we're not using it.
[11:00]
And one reason we're not using it—and I know it's a little cheeky to be on the stage at FIRST and critique TLP—but this talk is also TLP:CLEAR for a reason. We got questions of "Hey, why is your talk TLP:CLEAR?" Because we believe in what we're saying. We believe in us.
TLP—oftentimes when Brian and I have seen it—we've seen TLP used as a proxy for "How cool is this bit of information?" or "How special does it make me feel that I'm sharing this with only three people?" That's not what sharing information is about. That's not what sharing information is for.
And the only people that benefit from over-classification and over-restricted sharing are the adversaries. And to some degree, when we over-classify things, when we restrict the sharing of information that could otherwise be used to protect victims, then we're contributing to the continued victimization of those victims. We're allowing the actors to act with impunity, continue on their game plan of inflicting harm on people, and this needs to stop.
[12:11]
Our strength as a community is only as strong as the way that we rapidly disseminate information that's useful for defensive purposes, that changes the fundamental economics of the attacker business. And this isn't about us. This is about us having an impact, right?
So we need to figure out: how do we take that thing that's red and turn it green? How do you take that thing that's amber and turn it clear? And if you don't have a really, really, really good reason for something being restricted, don't restrict it. Because there are more victims out there that need it to defend.
[12:47]
And this talk is an evolution of a series of talks that have been given at FIRST. The first one was given in Montreal with Tom Miller and myself. We were talking about an evolution to trust groups. Trust groups started many years ago based on this concept of trust. That's not the way it works anymore. The groups evolved to being focused on action. But we need to now evolve to doing the next thing. The next thing is focus on the impact: the impact to our organizations, the impact to other victim organizations, but also the impact to actors. It needs to be all of those things.
[13:32]
The math is brutal. If you look at it from an organization perspective or even from a sector perspective, we have absolute challenges. We're holding ourselves back by over-classification, overly complex legal processes. It's not fun having information for a victim and having to wait for legal to do their stuff. Now, I love the law. I absolutely understand that there is a role for legal in incidents. But we need to find ways how we can uphold the law, uphold data privacy, but have an impact as quickly as possible as a community.
If we get to an area where the adversary burns a dollar for every attack, we can influence that cost model, and we have to.
[14:26]
So what this means is we have to figure out how to move fast, right? We can't be thinking about bylaws. We can't be thinking about NDAs. And please, no attribution debates. And to be very clear: I believe attribution matters. I do work on behalf of Cybercrime Atlas, where we do attribution to help law enforcement get bad guys in jail. There, you need attribution.
But I don't need to have a full attribution done and know all the Fancy Bear Panda code names to get the job done, save an organization, help a lot of people. Yeah, it matters, but it's not the thing that matters most. The thing that matters most is stopping them. Stopping them and interrupting their business.
And how it works is basically to say: "Hey, this works for me. Here's a way how you can also defend yourself." Let's just run. Excuse my language.
[15:22]
So what this looks like when everything is fully enabled: there are communities that exist that are doing fast sharing, sharing at the speed of the adversaries or faster. And it's not restricted. We're not waiting on other people to act. We're not thinking "Who's the slowest link in the chain?"
I've got to now run at—my speed goes from zero to 30 minutes, to zero to maybe 30 days, or zero to nine months, or maybe zero to three years if you've ever dealt with major law enforcement takedowns. That's not helping.
In those periods of time where everybody's just sitting around and waiting, there's more victimization happening and we're just party to it at that point. We're allowing it.
We need to start bringing the entire force of the community and everything we can to the fight, to have an impact on these adversaries and change the dynamics and the fundamental business economics.
[16:21]
And looking at the business—if we act really, really fast, we can build the ability to work, then spend time on investing, speaking to people, building international relationships, having a true impact. And let's just go absolutely nuclear and weaponize that and have a good impact.
The key thing is, there's no single hero. There are certain people that have—you work a lot with Marcus, who's amazing, but he's the most humble person ever, and he was just at the right time, at the right moment, did a thing he's globally known for. Thank you, Marcus. But in the end, it's all of us.
[17:12]
So we propose a gauntlet for evaluation of how we do these things and a path forward.
Kill your vanity metrics. Let's stop tracking work for work's sake. Have an impact.
Become their cost center. Change the model of the business for the adversaries so that they are worried about whether their thing is going to work tomorrow. Right now they don't have that thought at all. That's not the conversations they're having. Which means we are not being effective, because they operate with impunity.
Build your network today. Find five people that you have not talked to. Exchange Signal, Threema, whatever you prefer—whatever your messenger is. And the moment something happens, spread the word among them. And count on us together having weird relationships all over the world where we can truly have an impact.
[18:15]
So as a parting shot: we cannot talk about yesterday's buzzwords anymore. We cannot set the bar at what worked 10 years ago, 15 years ago. The things that every single organization and every single marketing team puts on the table—those are not the things that we need to be thinking about.
We need to be thinking about how do we change the circumstance. We've both been in the industry for quite some time. You have more white hair than I do, my friend. It's not fun and games for us. There are real victims out there that are being victimized over and over again. And we need to change how we think about how we engage with the community and how we instead impose cost on the actors rapidly. And I'm not talking only about handcuffs. Tear it all down. Every single thing we can do is what we need to do—always, and at the fastest speed that we can move to mimic their speed and move quick enough to impact them.
[19:24]
So in essence: we need to fix this. We need to change our thinking. And we need to start measuring the results in terms of how quickly do the actors have to change their techniques? How much success are the actors having? How much harm are we reducing to our business, measured in dollars? And how are we fundamentally changing the underlying economics of how an attack takes place and the impact it causes to victim organizations?
And the key thing is we have to do it. Because we're certainly struggling as an industry, as the entire world. If we work together and if we focus on making life as miserable as possible for the adversarial business case—it's great. They cannot outperform us. We win that game.
One of the things that we proposed earlier already: let's start thinking about this in terms of how much revenue are they generating per attack? What are their costs? What are those dynamics? What are the areas where you can drive the costs up?
[20:34]
With that—thank you. Any questions?
Q&A
Q: How would you recommend breaking into some of these community groups and spaces, especially the ones that are like Signal group chats, Discords, that seem sometimes exclusive and can be hard to break into?
James: I love that question, because this is exactly why we're talking about it. Trust groups, direct action groups, ISACs—they should not be a pay-to-play game, should not be hard to reach into. By exchanging contact details left and right, you give direct action groups the ability to reach out to you on behalf of your org or your competitor in the middle of the night. And then you can have an impact.
Brian: Let me answer with some very practical advice. First, do the work. The groups are looking for people that can do the work. They're not looking for people that are just there to watch what other people are doing.
Secondly—really quick, everybody in the audience, raise your hand if you're part of one of these selective groups, a group that has some sort of trust associated with it or might have some barrier to entry. So look around at the hands. Talk to those people. Because you being known becomes part of the ticket to entry. That's the answer.
Now it adds a complex question for senior management. We believe in nomad trust. We stopped sending more junior people to conferences. How can they fulfill the "meet somebody in real life" requirement? We have to make a difference there. The way to do it is: I travel a lot, and often I pop up in a city and just reach out to my trust groups—"Hey, who is there? Who should I meet?" And it's lovely traveling across the world and always having either existing friends or new friends. That helps to just form trust across the world.
Attendee: Thank you so much. And if you're a part of the North American, European, technology, cyber, corporate space, please come talk to me. I would love to join one of these groups so we can help mature our cyber threat program.
Q: Don't you think that if a community gets too open and you also lower the TLP, you outweigh a little bit the chance that somebody might infiltrate and then check what is happening on ongoing investigations and maybe rotate their TTPs or their infrastructure a bit faster?
James: Good. Let them have to struggle. Be faster. Be my guest.
Brian: I would say I think that's a very common perspective, by the way. I want to mention that I've heard many people say that. I see it differently. We know what we're doing right now isn't working. We know that that's the default right now. Let's try something different. Let's see what the impact is, and let's measure the results.
Attendee (MSSP background): Maybe one thing that I want to add—because I come from an MSSP background—we had a lot of communities, like for example, "these are for healthcare" or "SURF is for schools" and everything. And one thing I never understood: why are they only looking for specific indicators, and you can't share with each other? For example, indicators for healthcare—we couldn't share sightings or things with SURF, just because they're not there. So that's one thing, maybe it's feedback. I don't know if other people have the same struggle.
Brian: So I work for an MDR and I have that same struggle. In the US, we have the ISAC communities, and the ISAC communities have membership. And what I'm asked to do is pretend like I don't know some piece of threat intelligence to the non-members of that ISAC. How did we get here? Why do we think that it's okay for somebody to be asked to not protect a potential victim? That is just broken, and the only people benefiting from that as one of the sharing dynamics are the adversaries.
[End of session]