False Positives, Feed Fatigue, and Intel Burnout: A Day in the Life of a CTI Analyst
Jay presents from off-camera for privacy reasons — only his voice and slides reach the room. The talk is part nostalgia trip and part survival manual for anyone drowning in threat feeds. Jay opens with L0pht Heavy Industries, Cult of the Dead Cow, Legion of Doom, Level Seven, and 2600. His point is not that the old days were better. It is that today's financially motivated actors still run on the same curiosity that drove the phreakers, and a CTI analyst who lacks that curiosity will not survive the firehose.
The Morning Crisis
Coffee. Feed reader. Another zero-day. Another ransomware victim. New Lumma Stealer build. ISAC report in your inbox. Vendor bulletin. Leadership shoulder tap. Jay calls this an unfiltered, uncategorized data stream — the root cause of analyst burnout. The talk is built around four working principles that turn the chaos into actual analysis: contextual scoring, priority intelligence requirements, tiered reporting, and force multiplication.
Contextual Scoring Kills 80 Percent of the Noise
Stop chasing single IOCs. Move from one IP to a CIDR block or ASN. Move from one hash to fuzzy hashing for similarity. The question is whether you can attribute these indicators to a known actor's infrastructure. Jay claims this filter alone removes 80 percent of triage work — and gives you back the hours you currently spend on individual indicators that lead nowhere.
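To make the contextual-scoring idea concrete, here is an added example (my code, not from the talk) that rolls single IPs up to their /24 block and announcing ASN, compares fuzzy digests by similarity instead of exact match, and keeps only indicators that attribute to previously known actor infrastructure. Every network range, ASN, digest string and actor name is a constructed placeholder; difflib's SequenceMatcher stands in for a real fuzzy-hash comparison such as ssdeep, and the small ASN table stands in for a real IP-to-ASN source.

```python
"""Contextual scoring of a raw indicator feed (added example, not from the talk)."""
import ipaddress
from difflib import SequenceMatcher

# Previously attributed actor infrastructure (constructed; RFC 5737 test nets).
KNOWN_ACTOR_NETS = {
    ipaddress.ip_network("198.51.100.0/24"): "ACTOR-A",
    ipaddress.ip_network("203.0.113.0/24"): "ACTOR-B",
}
# ASNs previously attributed to an actor (constructed; RFC 6996 private-use ASN).
KNOWN_ACTOR_ASNS = {64500: "ACTOR-A"}
# Stand-in for an IP-to-ASN lookup source (constructed).
ASN_TABLE = {ipaddress.ip_network("192.0.2.0/24"): 64500}
# Fuzzy digests of samples already tied to an actor (constructed strings, not
# real ssdeep output; SequenceMatcher stands in for a fuzzy-hash compare).
KNOWN_ACTOR_FUZZY = {
    "ACTOR-A": ["3:abcdefghijklmnopqrstuvwxyz:ABCDEFGHIJ"],
}
SIMILARITY_THRESHOLD = 0.8
INVESTIGATE_THRESHOLD = 2   # below this the indicator is archived, not triaged


def asn_for(ip):
    """Return the ASN announcing ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, asn in ASN_TABLE.items():
        if addr in net:
            return asn
    return None


def score_ip(ip):
    """Score an IP by whether its block or ASN attributes to a known actor."""
    addr = ipaddress.ip_address(ip)
    for net, actor in KNOWN_ACTOR_NETS.items():
        if addr in net:
            return 3, f"{actor} infrastructure ({net})"
    asn = asn_for(ip)
    if asn in KNOWN_ACTOR_ASNS:
        return 2, f"{KNOWN_ACTOR_ASNS[asn]} ASN {asn}"
    block = ipaddress.ip_network(f"{ip}/24", strict=False)
    return 0, f"lone IP in unattributed block {block}"


def score_hash(fuzzy):
    """Score a fuzzy digest by its best similarity to an attributed sample."""
    best = (0.0, None)
    for actor, digests in KNOWN_ACTOR_FUZZY.items():
        for known in digests:
            ratio = SequenceMatcher(None, fuzzy, known).ratio()
            if ratio > best[0]:
                best = (ratio, actor)
    ratio, actor = best
    if ratio >= SIMILARITY_THRESHOLD:
        return 3, f"{ratio:.2f} similar to {actor} sample"
    return 0, f"no similar sample (best {ratio:.2f})"


def triage(feed):
    """Split a feed into what deserves analyst time and what gets archived."""
    out = {"investigate": [], "archive": []}
    for ind in feed:
        if ind["type"] == "ip":
            score, reason = score_ip(ind["value"])
        elif ind["type"] == "fuzzy_hash":
            score, reason = score_hash(ind["value"])
        else:
            score, reason = 0, "unsupported indicator type"
        bucket = "investigate" if score >= INVESTIGATE_THRESHOLD else "archive"
        out[bucket].append({**ind, "score": score, "reason": reason})
    return out


# Constructed sample feed: two attributable IPs, two lone IPs, one near-match
# digest and one unrelated digest.
SAMPLE_FEED = [
    {"type": "ip", "value": "198.51.100.77"},
    {"type": "ip", "value": "192.0.2.15"},
    {"type": "ip", "value": "100.64.0.9"},
    {"type": "ip", "value": "100.64.1.9"},
    {"type": "fuzzy_hash", "value": "3:abcdefghijklmnopqrstuvwxyz:ABCDEFGHXY"},
    {"type": "fuzzy_hash", "value": "3:zyxwvutsrqponmlkjihgfedcba:0123456789"},
]

if __name__ == "__main__":
    result = triage(SAMPLE_FEED)
    for bucket, items in result.items():
        print(bucket)
        for item in items:
            print(f"  {item['value']:45} {item['score']}  {item['reason']}")
```

Running it sends the three attributable indicators to the investigate bucket and archives the three that match nothing. The point is the shape of the filter, not the thresholds: the block and ASN tables are what an analyst builds up over time from attributed campaigns, and the score tells the SOC why an indicator matters rather than just that it exists.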
PIRs Decide What's Even Worth Reading
Priority intelligence requirements are Jay's strongest anti-fatigue tool. If intel does not align with a stakeholder's PIR, archive it. A SOC analyst cares about behaviors, lateral movement, and ports — not whether you can name a zero day. A vulnerability manager wants to know the initial access vector, not the CVSS score everyone already saw. Different audiences, different value.
Tiered Reporting Is a Sandwich
Jay sketches the three tiers as a sandwich — strategic on top, operational in the middle, tactical as the unique core. Tactical reports for the SOC: IOCs, IPs, domains, hashes, malware signatures, immediate blocking. Operational for IR teams and mid-level managers: campaigns, TTPs, attacker names, a narrative running from initial access through exfiltration. Strategic for CISOs and executives: threat landscape trends, geopolitical motivations, long-term resource allocation. Same incident, three completely different write-ups. He runs Salt Typhoon as a worked example — telecom targeting and Belt and Road framing for the strategic readers, never that level of geopolitics for a SOC analyst who needs IOCs.
The Force Multiplier and the Diamond Model
When the four values stack — context, PIRs, tiered reporting, audience translation — CTI becomes a force multiplier across SOC, IR, vulnerability management, and leadership. Jay closes by pushing past MITRE. He acknowledges MITRE is taught and important, but argues for operationalizing the Diamond Model instead: actor, infrastructure, capability, victim. You get the full life cycle, real victimology, and a hunting starting point — not just a TTP map. Every report should end with analyst comments. AI can scaffold; the human voice is what makes it actionable intelligence.
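The PIR filter, the three report tiers, and the Diamond Model framing fit together naturally in code, so here is one added example (mine, not from the talk) covering all three: an incident is stored as a Diamond record (adversary, infrastructure, capability, victim, plus the narrative fields the tiers need), an intel item is routed to a stakeholder only if it carries something that stakeholder's PIR asked for and is archived otherwise, each audience gets its own slice of the same incident, no report renders without an analyst comment, and the infrastructure-capability edges of the diamond become hunt hypotheses. The stakeholder list, PIR contents, tier mapping and every incident value are constructed placeholders.

```python
"""PIR routing and tiered reporting from one Diamond Model record
(added example, not from the talk)."""
from dataclasses import dataclass


@dataclass
class Diamond:
    adversary: str
    infrastructure: list      # IPs, domains the actor operated from
    capability: list          # malware families, tooling, hashes
    victim: str
    ttps: list                # behaviors a SOC can detect
    initial_access: str
    exfiltration: str
    strategic_context: str
    analyst_comment: str = ""


# Constructed PIRs: the fields each stakeholder has said they need.
PIRS = {
    "soc": {"infrastructure", "capability", "ttps"},
    "ir": {"adversary", "ttps", "initial_access", "exfiltration"},
    "vuln_mgmt": {"initial_access"},
    "ciso": {"adversary", "victim", "strategic_context"},
}
TIER = {"soc": "tactical", "ir": "operational",
        "vuln_mgmt": "operational", "ciso": "strategic"}


def route(intel_fields, stakeholders=PIRS):
    """Who should see an intel item, given the fields it carries.
    An empty list means nobody asked for it: archive it."""
    fields = set(intel_fields)
    return sorted(s for s, pir in stakeholders.items() if pir & fields)


def is_releasable(d):
    """Every report ends with analyst comments; no comment, no release."""
    return bool(d.analyst_comment.strip())


def render(d, audience):
    """Produce the tier-appropriate write-up of one incident for one audience."""
    if not is_releasable(d):
        raise ValueError("report needs analyst comment before release")
    tier = TIER[audience]
    if tier == "tactical":
        body = {"block": d.infrastructure + d.capability, "watch_for": d.ttps}
    elif tier == "operational":
        body = {
            "actor": d.adversary,
            "narrative": f"{d.initial_access} -> {', '.join(d.ttps)} -> {d.exfiltration}",
            "initial_access": d.initial_access,
        }
    else:
        body = {"actor": d.adversary, "targeting": d.victim,
                "context": d.strategic_context}
    return {"tier": tier, **body, "analyst_comment": d.analyst_comment}


def hunting_start(d):
    """Diamond edges as hunt hypotheses: each capability against each infrastructure node."""
    return [f"look for {cap} contacting {infra}"
            for infra in d.infrastructure for cap in d.capability]


# Constructed incident; all values are placeholders.
INCIDENT = Diamond(
    adversary="ACTOR-A",
    infrastructure=["203.0.113.10", "c2.example.invalid"],
    capability=["stealer-family-X", "sha256:PLACEHOLDER"],
    victim="telecom sector, region R",
    ttps=["phishing attachment", "credential dumping", "RDP lateral movement"],
    initial_access="malicious document attached to email",
    exfiltration="archive uploaded over HTTPS to actor infrastructure",
    strategic_context="sustained telecom targeting consistent with the actor's collection priorities",
    analyst_comment="medium confidence in attribution; infrastructure overlaps a prior ACTOR-A campaign",
)

if __name__ == "__main__":
    for audience in ("soc", "ir", "vuln_mgmt", "ciso"):
        print(audience, render(INCIDENT, audience))
    print(route(["strategic_context"]))   # CISO only; the SOC never sees it
    print(route(["cvss_score"]))          # nobody asked: archive
    print(hunting_start(INCIDENT))
```

The SOC write-up contains indicators and behaviors and no geopolitics; the CISO write-up contains actor, targeting and context and no indicators; the vulnerability manager gets the initial access vector. An item tagged only with a CVSS score routes to nobody and is archived, which is the PIR filter doing its job.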
Who Should Watch
CTI analysts who are burning out on feeds, SOC analysts thinking about a CTI move, and any security leader trying to understand why their threat intel team feels like it is always behind. Strong on practical filtering and audience-tailored reporting; particularly useful if you are setting up a new CTI function and need a clear operating model.