Cyber Threat Intelligence Podcast
Welcome to the Cyber Threat Intelligence Podcast—your go-to source for staying ahead in the ever-evolving world of cybersecurity by harnessing the full potential of CTI.
In each episode, we dive into the latest cyber threats, emerging trends, best practices, and real-world experiences—all centered around how CTI can help us defend against cybercrime.
Whether you’re a seasoned CTI analyst, a CTI leader, or simply curious about the digital battlefield, our expert guests and host break down complex topics into actionable insights. From ransomware attacks and insider threats to geopolitical cyber risks and AI-driven security solutions, we cover all things CTI.
Join us biweekly for in-depth interviews with industry leaders and experienced professionals in the Cyber Threat Intelligence space. If, like me, you’re always in learning mode—seeking to understand today’s threats, anticipate tomorrow’s, and stay ahead of adversaries—this podcast is your essential companion.
Stay informed. Stay vigilant. Tune in to the Cyber Threat Intelligence Podcast.
Cyber Threat Intelligence Podcast
How To Turn Stakeholder Needs Into Actionable Threat Intelligence (Marcelle Lee & Pedro Kertzman)
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
Most threat intel programs don’t fail because analysts can’t research. They fail because the intelligence isn’t built for a real audience. We sit down with Marcelle Lee, CEO and founder of Fractal Security Group, to get brutally practical about stakeholder-driven cyber threat intelligence and how to turn priority intelligence requirements (PIRs) into outputs people actually use.
We talk through what stakeholder interviews look like in the private sector, why a simple questionnaire beats guessing, and how “they know cyber” still doesn’t mean they understand what CTI can deliver. Marcelle shares how to explain CTI deliverables clearly, how to handle vague requests, and why embedding into team cadence meetings builds trust faster than one-off check-ins. We also dig into MSSP realities: serving many clients, curating emerging threats for broad relevance, and keeping reporting digestible without losing the technical substance that security teams need.
We close with how to tailor threat intelligence products for very different audiences, from SOC and detection engineering to executives and boards, where business impact matters more than indicators of compromise. You’ll also hear concrete examples of CTI supporting red team and purple team exercises, security awareness training, risk calculations, PR and marketing monitoring, and phishing-focused guidance for HR and finance.
Subscribe, share the episode with a CTI teammate, and leave a review. Then join our LinkedIn group, Cyber Threat Intelligence Podcast, and tell us which stakeholder group you struggle to serve most.
Thanks for tuning in! If you found this episode valuable, don’t forget to subscribe, share, and leave a review. Got thoughts or questions? Connect with us on our LinkedIn Group: Cyber Threat Intelligence Podcast—we’d love to hear from you. If you know anyone with CTI expertise that would like to be interviewed in the show, just let us know. Until next time, stay sharp and stay secure!
Welcome And Guest Introduction
Marcelle LeeThey know the cyber, but they don't know what you can deliver in terms of threat intelligence.
Rachael TyrellHello and welcome to episode ten of season two of your cyber threat intelligence podcast. Whether you're a seasoned CTI expert, a cybersecurity professional, or simply curious about the digital battlefield, our expert guests and host will break down complex topics into actionable insight. In this episode of season two, I'm hosting currently Marcelle Lee, CEO, and the founder of Capital Security Group. She's a threat researcher, educator, and intel analyst with deep expertise in cyber threat intelligence, digital forensics, and intrusion analysis. She holds four degrees, including a master's in cybersecurity and numerous certifications ranging from CISSP to certified ethical hacker. Over to you, Pedro.
Pedro KertzmanMarcelle, thank you so much for joining the show. I'm really happy to have you here.
Marcelle LeeThanks, Pedro. I'm excited to be here today.
Why Stakeholders Define PIRs
Pedro KertzmanSo we were talking before, and I think it's important, you know, through all the conversations I had on the podcast, often we have like a lot of frameworks, threat actors, this, methodologies that, like a lot of information across the industry. But one thing, it's often uh we get distracted sometimes. But I think it's important always to you know keep the main thing, the main thing. Stakeholders. So we were talking about this, right? The PIRs and the importance uh the of the PIRs for stakeholders. So would you mind just you know uh giving us a little bit of your background again and when it comes to you know, again, PIRs and the importance uh of PIRs for stakeholders, please?
Marcelle LeeYeah, absolutely. So um I have been working in cybersecurity for probably about 14, 15 years now and doing cyber threat intelligence for the vast majority of that. Um I've I've worked in a variety of different spaces from uh US government, department of defense to um MSSPs, managed uh security services providers, and also uh just private companies, well not private, public companies actually, but um, but you know, working more on the InfoSec side of things. And with every single one of those roles, I have had a different set of stakeholders. And this is where PIRs or priority intelligence requirements come into play. Um they're so essential because you can't just write threat and tell, you know, or create threat and tell products for like who, the ether. Like you have to be writing for a specific audience, otherwise it's kind of meaningless. Um, so yeah, so I'm excited to talk about that today. Um, part of my background too is as an educator, so I do teach cyber related courses at um university here in the US where I live. And also um I do private training courses too. So I'm very, very engaged in um, you know, these are also stakeholders, students and and trainees and that kind of thing. So so it's something that's kind of near and dear
Interviewing Stakeholders With Clear Questions
Marcelle Leeto my heart.
Pedro KertzmanOne of the things that sometimes people more anxious just to start producing results, right? Yeah, a very important thing would be to understanding these stakeholders first, and to be to put in you know more lame terms, would be interviewing those stakeholders to begin with. Um any insights around that? Uh and then from your experience, because you had like quite a few different uh uh experiences. If we're talking about private sector, how you go by interviewing your C level or um you name it, VPs, any insights about particular um um getting to know your stakeholders from a private sector standpoint?
Marcelle LeeYeah, so I think it's really helpful to have um sort of like a questionnaire or checklist that you can use for when you're engaging with your stakeholders, and and engagement is an important part of it. I mean, you can guess all day long what's important to them, but you know, that's that's not the same thing as having a conversation or you know, asking them pointed questions. And, you know, for example, like one of my roles, I when I was part of the InfoSec team, we were producing threat intelligence for for all of InfoSec and executive leadership and you know, occasionally other teams too, it was really a pretty broad swath of uh teams that we supported. And what say the security awareness team wants from you in terms of threat intelligence is not going to be the same as what maybe the red team wants or your GRC team. Like they all are going to have different things. And the trick with it, I think too, is that the these groups, you know, they they know cyber, right? But they don't necessarily know what you can deliver in terms of threat intelligence. Like, so you need to come to the table prepared to sort of explain what sorts of things you can offer them and not just expect them to like know off the top of their heads because they won't necessarily. So it's a little bit of like you know, kind of coaching involved with it as well, I would say.
Pedro KertzmanGot it. So education first, so they first have some level of awareness of your possible deliverables, and then to engage on the sort of maybe interviewing, then to have the information you want from from from the um awesome, and what about the other ones?
Serving Many Clients In An MSSP
Pedro KertzmanUh from an MSSP side, uh and public sector side, when necessarily you're not super, you don't have that super connect direct connection with those stakeholders.
Marcelle LeeYeah, no, that's a great question. Um, so from MSSP side, you know, typically you're gonna have a wide variety of clients. Um, you won't necessarily know, say, for example, about their tech stack. Um, so how do you know that they're gonna be interested in XYZ vulnerability that just came out? Um so for that, and like often when I worked in that space, I was I was the person responsible for covering like emerging threats. So there's always lots of emerging threats, right? So how do you decide what is going to be of interest or or relevant to your clients? Um, and I think at that point, like you kind of just have to go with your gut a little bit, like what is going to appeal to the broadest number of clients. And and to be honest, Pedro, I kind of do this now because I I don't know if you've seen my weekly cyber threat bulletin that I publish. Um, but again, you know, my I my stakeholders are the world, whoever reads it. And so I just curate it based on you know what I think are the most impactful type um things that are happening in cyber landscape. So it was the same thing a little bit with the clients, but I think where you get uh sort of a differentiator there is looking at what it is that you're delivering. Um so is are like clients really interested in like say a super long form malware deep dive? I'm gonna say probably not, right? You might get a couple of clients who are interested at that you know level of depth. Um, but I think something a little more digestible is more important. I do think also um, you know, providing mappings, and I know this isn't about frameworks and whatnot, but when you're when you're doing like reporting or or production for you know a wide group of clients, you got to at least have you know actionable things in there. So like mapping TTPs to the MITRETAC framework, providing indicators of compromise with context, because without context, like I personally am not going to do anything with an IOC that somebody gives me with zero context, because I'm like, I don't know where this came from. Um so that's an important piece of it too. So just making that making sure that your um your TI product is pretty robust and and hopefully usable to the maximum number of clients. So that's it's a little bit different there, I think. And then of course, like an important part of it too, which you tend to have varying degrees of this, right? But a feedback loop, like I think a lot of times companies kind of forget that part, but but it's really important to have a feedback loop where you're making sure that what you're producing for clients is what they want to see. Because you might think, oh, this is you know the greatest thing since sliced bread that I'm putting out there. And they might be like, this is not useful to us at all. But if you don't have a dialogue, then how do you know? And and I do think that companies kind of miss the mark on that sometimes.
Pedro KertzmanYeah, no, feedback loop, definitely important. I
Building A Feedback Loop That Works
Pedro Kertzmanwas talking to another government entity last episode, actually, and that that's uh like a fundamental part to improve right the the services and and and all that to the the community they're they're serving.
Marcelle LeeUm yeah, and I will say like when I was in the government space, they did a a pretty good job of that feedback loop. Like there there was a mechanism for people to respond to what you written and um and say, you know, if it was useful, how it was useful. Um so I really liked that, but I haven't seen that so much in uh private sector or MSSP space.
Pedro KertzmanYeah, I think it's part of the maturity, right? Of uh the the industry as a whole. Yeah, that's interesting. And and any any other insights from when it comes to like interviewing stakeholders, regardless then you know, private public uh sectors, like uh on your experience, like how to get deeper into the real um sometimes you know you ask that first question, it comes that automatic answer, but that's not the real uh quote unquote pain, how to encode with that, uh things of that nature.
Marcelle LeeYeah, sure.
Embedding In Team Cadence
Marcelle LeeSo one of the things that I um used to do when I was part of the InfoSec team is I would ask to be invited to like, you know, whatever regular cadence meeting that particular team had. So say, you know, it's uh the risk team meets once a week or whatever. I would ask to be able to come to that meeting so I could talk to everybody on the team and just tell them a little bit about the kind of things that I'm seeing in the industry. And and that way I can get more of a dialogue going and get, you know, you can kind of gauge better what you know is setting off people's antennas or not, right? So they might be like bored about one thing, but then get excited about something else. And so making, you know, that kind of like a regular thing where you periodically dip into their team meetings, I think is super helpful.
Pedro KertzmanGot it. So more like being being part of the day-to-day operations they have, yeah, unless like that um pointy, you know, interviewer that is not actually uh embedded on their day-to-day um operations.
Marcelle LeeRight, because you want to be kind of seen as part of the team, right? And that doesn't necessarily happen like organically. Yep. So um, so just getting, you know, getting the other teams used to the idea of, you know, these threat intel people are here to like help you do your job, right? Um and and depending on the environment, you might have like a ticketing system where people will put in requests for different kinds of threat intel. And and this is another area too where you really need to work with your stakeholders because sometimes you'll get like kind of like a vague request, like tell me everything you know about phishing or whatever. And and then you have to reach back and be like figuring out exactly what it is that they're trying to get at, right? Because uh it's going to be something specific, they just don't maybe know how to like enunciate it.
Pedro KertzmanYeah.
Marcelle LeeSo um I was also gonna say, too, um, knowing what kind of outputs is is an important thing in this scenario, too, with the InfoSec team. So um in the role that I had, just working for a large data center company, and we we had um one type of report basically, but that didn't really meet the needs of all the stakeholders. So we um dreamed up like a bunch of different offerings. So that turned into like a weekly cyber threat landscape report, kind of like what I'm doing now, you know, mainly the newsletters, just like a quick synopsis of just like what's happening in the news. And uh we also had um uh like quarterly webinars where we would go through different intelligence that we'd covered over the past quarter. And that was really useful because people maybe hadn't actually read some of our reporting, but when they come to a webinar and see like a little synopsis of everything, they're like, oh, that's cool. And then we would see like readership would go up after these because people were like, oh, I want to read that report or you know, whatever. So it's also kind of um, you know, reinforcing the work that you're putting out there and and making sure that you're you're producing input that's going to be easily digestible.
Tailoring Intel For Executives
Marcelle LeeUm, and then we could talk about too, like the difference between, say, reporting or doing some kind of TI product for executives, for example. Like if you're asked to brief the board of directors about a particular threat, that's going to be entirely different than like writing uh a threat and tell report for like the security operation center, right? It's the audience is sort of so different. Um, and that's something I think that gets lost a little bit too. Like your your executive or your board do not care about the minutiae, about the threat TTPs, they don't care about indicators of compromise. They care about, you know, what is the bottom line for the company? How is this potentially going to impact us and that sort of thing? Um, so so that's another part of knowing your audience is just making sure you're delivering the right kind of information to each stakeholder.
Pedro KertzmanAbsolutely, absolutely. Yeah, and and uh you touched on a very good point, right? Whenever we're talking about um stakeholders, either uh on the first interactions, right? To interview them, to get uh to know what they care about, and you mentioned bottom line and and and all like the stakeholder-related um uh KPIs and and and things of that nature. But you you I think you put it, and maybe I'll I'll I'll break it down a little bit. I love the way you at least the way I understood you're saying that don't try to interview your stakeholders, but try to be part of their day-to-day operations. Yes, yes, exactly. They will feel that you're not like that consultant that has just come in and out to do your job and produce something, and you're more part of the day-to-day uh part of their life from now on. Yeah, right. So that's for me, I think that's that's more relevant, that's more important. I think that that would be like a good takeaway from people, for people to have like be a part of their day-to-day operations.
Marcelle LeeYeah, no, absolutely. Um I mean, at the end of the day, you want to provide value to, you know, these these are your customers. They might all work for the same company, right? But they're still your your customers. And you want customer satisfaction, you want to be able to deliver what it is that they actually need, and and you can't do that in a vacuum. You have to have, you know, lots of conversations and dialogue and and that kind of thing.
Pedro Kertzman100%, 100%. You you know, and to stitch some of the things together, um being part of that cadence with your internal uh customers, um you will start those quote unquote interviews. You're gonna have the first understandings of their uh requirements or PIRs. Um you might not get things 100% right. So then on the next interactions you're gonna have with them, you're gonna fine-tune them a little bit. And then you're gonna fine-tune them again, you're gonna produce more output, and then you're gonna fine-tune them again. It's gonna be a constant, constant loop, and then you're gonna get things way better, way better, into a point where you know the flow will make things naturally closer to uh quote unquote ideal, right? Where they will r really see value on the intelligence you're producing to your internal um stakeholders. And uh, you know, if you're doing things right, um, you know, to your internal customers, uh it's not gonna be one customer only. Right, exactly. A lot of internal customers.
Marcelle LeeYeah, for sure. Um word gets around, right? And you know, I I look at it kind of like being in the role of a trusted advisor. That's kind of what it feels like to me. Um and and I think also an important piece of this too is is making other folks comfortable with asking questions or, you know, because maybe they don't know as much about say threat and told topics and whatnot, you don't want them to be afraid to ask because they're gonna look silly or something like that, right? So again, it's it's that relationship building and building trust and and just making people feel comfortable that they can come to you and ask you anything, right? Like explain to me what's the difference between snitching and fishing and quishing and all the fishes, you know. Um, because we know that kind of stuff. We work in it all the time, but not everybody else does.
Pedro KertzmanSo yeah, no, I I love that the the the no, it's a safe space to ask, you know, whatever questions they they feel like asking. I I love it.
Marcelle LeeFor sure. Yeah, for sure.
How CTI Helps Red Teams
Marcelle LeeUm yeah, so I mean, I I think people maybe don't even think about all the ways that Threat Intel can inform different teens, but just some examples, like so with the red team, um, you can share with them like what are the latest tools that threat actors are using. So um, like everybody knows cobalt strike, right? Um, but then there's other ones that came about, like Sliver, for example. And if you can provide information about how threat actors are using Sliver, the red team might want to incorporate that into their penetration testing, right? Like, oh, well, here, we'll use this tool and see if it gets picked up. Um, especially if we're like purple team exercises, too, that's really useful. Um, and then on the flip side, you can work with like detection engineering to help them make sure they have coverage to detect new tools that are being used, um, that kind of thing. So that's, I think, you know, just a couple of examples. I will also say, like security awareness. This one company where I worked, we had an in-house security awareness team. So they built all their own um materials. It was fantastic. But we would help uh provide them with like kind of rip from the headlines kind of uh fodder for their their thing. So they might um create a um, you know, a phishing campaign, like a test thing, right? And it would be based on something that we've been seeing lately. Um, so very, very current. And that's different from a lot of uh security awareness training that you get, right? Which is not current at all. And uh and then um let's see, the risk team, they they would base calculations, risk calculations on information we gave them about like just sort of the likelihood of different types of threats occurring. Um yeah, so the list just goes on and on. There was lots of different ways that you can help different stakeholders. And all these things apply, you know, like in MSSP, right? You can think of the different angles for your clients, like the ways that you could help them. You might Have that direct interaction, but you could still be mindful of the possible ways that they could use the information that you're providing.
Pedro KertzmanGot it. No, that that that's an awesome point. Um any like how can I put this? It's quote unquote easier for us to create a direct correlation between the information or assessments that CTI will bring and how to leverage that to, like you mentioned, purple teaming exercises, um, uh technology tools, and how that information can uh be impactful to the technology areas and all that. Any um examples at any point that remember that CTI brought valuable information to known quote unquote um direct-related areas or not so common areas, for example, CTI brought valuable information that were leveraged to um mitigate or help uh like logistics or um you name it, HR or finance, you know, like a non-traditional super direct connected area to technology.
Marcelle LeeNo, not Inposec, but other teams.
Pedro KertzmanYeah, something like that.
Marcelle LeeYeah, no, absolutely.
CTI Value Beyond InfoSec Teams
Marcelle LeeSo there's quite a few examples of that. Um one that comes to my mind is working with like the marketing and PR team, because we might see something um like threat actor chatter, where they're talking about the company and um the marketing team, they they track for sentiment analysis typically, but they might not be looking the same places that we're looking, like threat actor space. So um, so that's been that's been a way that we were able to help that team is just be like, hey, did you see this particular tweet? Or maybe it's a telegram message that they're never going to see with whatever tools they're using, um, just so they're aware that you know, some kind of chatter is out there that might not be good for the company. Um and then I think with um other teams like finance and HR, I see like around phishing being like the more useful thing because we can look at you know different phishing campaigns that are targeting those kinds of groups, right? And and then be like basically give them a heads up that you know, if you see a message or something like this, that you should be like be very leery of it. Um so that was one way. And then another is working with like um like DevOps teams, they they are a pretty unique environment. They're very targeted, even more so like these days with the supply chain and whatnot. So yeah, working with those teams just again, it's kind of more around education, um, but not so much security awareness, more like very specific. This is a campaign that's happening right now, you need to be aware of it. Um, and then obviously, like, you know, of course, like I already talked about, like the detection engineering piece is is really important and and that's gonna protect all your all your employees, hopefully, right? If you're you're just blocking stuff that's gonna be coming down the pike anyway. But yeah, there's it's it's you're you hit the nail on the head, it's not just InfoSec, there's definitely other teams that you can support as well.
Pedro KertzmanGot it, got it. That's that's amazing. Um Marcelli, um, any like final thoughts to the audience?
Marcelle LeeYeah, no, I think just um communication is key. Um, and and you know how it is, a lot of us working in cyberspace are a little maybe on the introverted side. So it's a little, you know, daunting sometimes to have to think about let's let's go talk to all these other people. Um, but it's really important. And at the end of the day, you know, you're you're gonna make yourself more useful to your team, but also to all the other teams too. And and you know, that's what helps us keep our jobs. So there's that. Um, yeah, and then you learn more too, right? Because I I think my interactions with all these different teams really informed my understanding of how those teams work. So, you know, again, it's it's one of those cycle things, right? Like you you learn more and then it just helps you improve what you're doing and educates you further. So it's a win-win, really. Even if it seems a little hard.
Pedro KertzmanCould not agree more. Could not agree more. Marcelle, thank you so much for so many insights. I really appreciate you coming to the show, and I'll hope I'll see you around. Thank you so much.
Marcelle LeeThank you for having me. It was really fun. I love talking with you.
Pedro KertzmanAwesome, thank you.
Subscribe Share And Connect
Rachael TyrellAnd that's a wrap. Thanks for tuning in. If you found this episode valuable, don't forget to subscribe, share, and leave a review. Got thoughts or questions? Connect with us on our LinkedIn group, Cyber Threat Intelligence Podcast. We'd love to hear from you. If you know anyone with CTI expertise that would like to be interviewed in the show, just let us know. Until next time, stay sharp and stay secure.