Intelligence Tradecraft - Sharpen your analytic edge

Lessons from a Former US Navy Collector - Joe Slowik on intelligence tradecraft and AI in CTI (S02E06)

In this episode of Intelligence Tradecraft, host Freddy Murre sits down with Joe Slowik, a threat intelligence veteran whose career spans the US Navy, Los Alamos National Laboratory, MITRE, and the vendor world (Dragos, DomainTools, Gigamon, Huntress, and now DataMinr). In the conversation, Joe makes the case that intelligence is fundamentally about decision support, not raw data feeds or research written for other analysts. He and Freddy dig into what separates good reporting from bad, why stakeholder alignment and rigor (ICD 203, clear separation of fact vs. assessment) matter, and when a "flash report" beats a polished deep-dive. They also tackle the attribution debate — how-centric vs. who-centric attribution, the mess of overlapping naming schemas (APT10 vs. APT31, the Visma case), and why "trust us, we're Microsoft" isn't tradecraft. Joe explains the thinking behind his Applied Threat Intelligence training and the gap it was built to fill. The back half turns to AI: where LLMs genuinely help (research, scripting), where they're dangerous (cognitive offloading, model decay, drying up the junior-to-senior pipeline), who's accountable for AI-generated output, and how threat actors are using these tools, from better phishing to voice cloning. Joe's bottom line for newcomers: critical thinking, communication, and curiosity come before any prompt-engineering skill. Resources Joe Slowik's LinkedIn - https://www.linkedin.com/in/joe-slowik/ [https://www.linkedin.com/in/joe-slowik/] Joe Slowik's Blog and Courses - https://paralus.co/ [https://paralus.co/] Freddy' Structured Analytic Techniques (SAT) Training - https://inteltradecraft.com/sat-certifications [https://inteltradecraft.com/sat-certifications ] Los Alamos National Laboratory - https://www.lanl.gov/ [https://www.lanl.gov/] NIST Cyber Threat Intelligence definition - https://csrc.nist.gov/glossary/term/cyber_threat_intelligence [https://csrc.nist.gov/glossary/term/cyber_threat_intelligence] CTI used in books (Google Search) - https://books.google.com [https://books.google.com/ngrams/graph?content=Cyber+threat+intelligence&year_start=2000&year_end=2022&corpus=en&smoothing=3&case_insensitive=false ] APT 1 Report - https://services.google.com/fh/files/misc/mandiant-apt1-report.pdf [https://services.google.com/fh/files/misc/mandiant-apt1-report.pdf ] Moonligh Maze on Wikipedia - https://en.wikipedia.org/wiki/Moonlight_Maze [https://en.wikipedia.org/wiki/Moonlight_Maze] SANS FOR578 CTI - https://www.sans.org/cyber-security-courses/cyber-threat-intelligence [https://www.sans.org/cyber-security-courses/cyber-threat-intelligence] ICD 203 - https://www.dni.gov/files/documents/ICD/ICD-203.pdf [https://www.dni.gov/files/documents/ICD/ICD-203.pdf] MLitt in Terrorism and Political Violence - https://cstpv.wp.st-andrews.ac.uk/masters-in-terrorism-and-political-violence/ [https://cstpv.wp.st-andrews.ac.uk/masters-in-terrorism-and-political-violence/ ] Routledge Handbook of Terrorism Research - https://www.routledge.com/The-Routledge-Handbook-of-Terrorism-Research/Schmid/p/book/9780415520997 [https://www.routledge.com/The-Routledge-Handbook-of-Terrorism-Research/Schmid/p/book/9780415520997 ] APT Groups and Operations Rosetta Stone (not mine) - https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/edit?pli=1&gid=1864660085#gid=1864660085 [https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/edit?pli=1&gid=1864660085#gid=1864660085 ] Structured Analytic Techniques (SAT) Training - https://inteltradecraft.com/sat-certifications [https://inteltradecraft.com/sat-certifications ] Tradecraft Primer: SATs - https://www.cia.gov/resources/csi/static/Tradecraft-Primer-apr09.pdf [https://www.cia.gov/resources/csi/static/Tradecraft-Primer-apr09.pdf ] An Illustrated Book of Bad Arguments - https://bookofbadarguments.com/ [https://bookofbadarguments.com/ ] Weston's Rulebook for Arguments - https://hackettpublishing.com/philosophy/logic-mathematics/critical-thinking/a-rulebook-for-arguments-group [https://hackettpublishing.com/philosophy/logic-mathematics/critical-thinking/a-rulebook-for-arguments-group ] Joe's Critique of Practical Threat Intelligence - https://pylos.co/2026/05/03/a-brief-critique-of-practical-threat-intelligence/ [https://pylos.co/2026/05/03/a-brief-critique-of-practical-threat-intelligence/ ] Cognitive Offloading - https://sistemasi.ftik.unisi.ac.id/index.php/stmsi/article/view/6180 [https://sistemasi.ftik.unisi.ac.id/index.php/stmsi/article/view/6180 ] OpenAI Research - https://openai.com/research/index/ [https://openai.com/research/index/] Chapters 00:00 Intro and Joe's career path 06:11 The Evolution of Cyber Threat Intelligence and intelligence 15:05 Rigor, reporting, & attribution 29:50 The Relevance of Intelligence in Incident Response and CTI 47:09 Building & measuring a CTI function 01:00:13 Training teams (and why it doesn't stick) 01:07:37 Integrating LLMs in Intelligence Work 01:19:50 Skills for the Future of CTI

From US Army Intelligence to Private Sector Intelligence Advisor - Interview with Jeremy Levin (S02E05)

In this interview, Jeremy Levin shares his journey into US Army intelligence and subsequent move into private sector intelligence. Jeremy has extensive experience in intelligence analysis, training, and management, emphasizing the importance of adaptable skills, continuous learning, and effective team utilization in the field. Jeremy Levin accidentally entered military intelligence in the mid-90s by joining the U.S. Army intelligence. He served nearly 30 years in various government intelligence roles and as a contractor. After moving into the private sector he founded Questimation (“Better decisions discovered”) to teach thinking, analytic methods, and explore more objective calibration of qualitative probabilities. This in-depth interview explores the challenges and opportunities in intelligence analysis, focusing on metrics, training, AI integration, and the mindset needed for future success. Discover how to measure impact, foster analyst development, and adapt to technological advances. Resources and references mentioned Questimation - https://www.questimation.com/ Julia Galef - The Scout Mindset - https://www.amazon.com/Scout-Mindset-Perils-Defensive-Thinking/dp/0735217556 IARPA Reason Project for AI in Analysis - https://www.iarpa.gov/research-programs/reason US Intelligence Standards ICD 203 - https://www.dni.gov/files/documents/ICD/ICD-203.pdf UK Intelligence Standards - https://www.gov.uk/government/publications/phia-common-analytical-standards/phia-common-analytical-standards New Zealand Code of Ethics - https://nziip.org.nz/code-of-ethics/ Chapters 00:00 Meet Jeremy Levin 07:52 Contractor Life and 9/11 22:43 Going Independent and forming Questimation 30:30 What Counts as Intelligence 35:22 Analyst Tasks and Management 41:53 Value of Warning and Training 57:51 Metrics Drive Output 01:02:20 Measuring Intelligence Value 01:12:00 Defining Success Metrics 01:22:18 Analytic Standards Matter 01:25:48 AI and Tradecraft Future 01:48:10 Mentors and Closing This conversation is a compressed edit of an interview Freddy has conducted as part of his PhD research. The interview happened on July 2nd, 2025 in London, UK. #intelligenceagencies #intelligenceanalysis

From UK Defense intelligence, Warning Intelligence, and IEDs, to Private Sector Intelligence - Interview with Will Woodall (S2E4)

Summary Will Woodall shares his 14-year journey through intelligence roles in the UK government and transitioning to private sector intelligence. He explains motivations for leaving government (slow recruitment and limited recognition), contrasts public vs private sector work, and emphasizes core intelligence methodology: the yardstick/estimated probability language, source evaluation and confidence, structured analytical techniques, and clear writing and delivery tailored to customers. In the interview. Will and Freddy debate what distinguishes information from intelligence, how to measure intelligence program value through customer action and feedback, challenges like expert bias and stakeholder alignment, and how AI/LLMs can help with volume and practical tasks but require validation and human questioning. He advises aspiring analysts to pursue analytical subjects, develop domain expertise, and learn core intelligence components. Resources Extrac AI - https://www.extrac.ai/index.html [https://www.extrac.ai/index.html] SANS Admiralty Scale blog post 1 - https://www.sans.org/blog/enhance-your-cyber-threat-intelligence-with-the-admiralty-system [https://www.sans.org/blog/enhance-your-cyber-threat-intelligence-with-the-admiralty-system ] SANS Admiralty Scale blog post 2 - https://www.sans.org/blog/admiralty-code-part-2-ticketmaster-data-breach-claims [https://www.sans.org/blog/admiralty-code-part-2-ticketmaster-data-breach-claims] LinkedIn Post on what makes something intelligence - https://www.linkedin.com/posts/fmurre_in-your-opinion-when-does-something-go-from-activity-7181221399561203712-mV-m [https://www.linkedin.com/posts/fmurre_in-your-opinion-when-does-something-go-from-activity-7181221399561203712-mV-m] King's College London, the Intelligence Studies Program - https://www.kcl.ac.uk/study/postgraduate-taught/courses/intelligence-and-international-security-ma/teaching [https://www.kcl.ac.uk/study/postgraduate-taught/courses/intelligence-and-international-security-ma/teaching] Structured Analytic Techniques (SATs) Training - https://inteltradecraft.com/sat-certifications [https://inteltradecraft.com/sat-certifications] Analytic standards ICD203 - https://www.dni.gov/files/documents/ICD/ICD-203.pdf [https://www.dni.gov/files/documents/ICD/ICD-203.pdf] PHIA UK Analytic Standards - https://www.gov.uk/government/publications/phia-common-analytical-standards/phia-common-analytical-standards [https://www.gov.uk/government/publications/phia-common-analytical-standards/phia-common-analytical-standards] LinkedIn Freddy M - https://www.linkedin.com/in/fmurre/ [https://www.linkedin.com/in/fmurre/] LLMs getting worse - https://royalsocietypublishing.org/rsos/article/12/4/241776/235656/Generalization-bias-in-large-language-model [https://royalsocietypublishing.org/rsos/article/12/4/241776/235656/Generalization-bias-in-large-language-model] Chapters 00:00 Introduction to Intelligence and Personal Journey 07:15 Transitioning from Government to Private Sector 11:53 Understanding Intelligence Methodology and Standards 18:59 Defining Intelligence vs. Information 23:27 The Role of AI in Intelligence 31:02 Training and Methodologies in Intelligence 47:06 Challenges in Implementing Intelligence in the Private Sector 54:16 Measuring Success of Intelligence Programs 58:13 Challenges in Applying Intelligence in Organizations 01:02:06 Advice for Aspiring Intelligence Professionals 01:15:50 Influential People and Career Moments 01:17:28 Closing Remarks and Future Outlook This conversation is a compressed edit of an interview Freddy has conducted as part of his PhD research. The interview happened on July 2nd, 2025 in London, UK.

From GCHQ to Building effective OSINT and Cyber Threat Intelligence (CTI) Functions - Interview with Aaron Roberts (S2E3)

Summary In cybersecurity, understanding the intricacies of intelligence tradecraft can make all the difference. In this insightful interview, cybersecurity expert Aaron Roberts shares his journey from military intelligence to founding Perspective Intelligence. He discusses the evolution of cyber threat intelligence, practical training approaches, the impact of AI, and how to build a successful intelligence function. Aaron’s path into intelligence started with a fascination for intelligence and a local awareness of GCHQ, the UK’s Government Communications Headquarters. He candidly shares, "I always tell people this story and I don't think anyone believes me, but I used to watch a lot of 24." He recalls, "I was always interested in military history and intelligence services, which guided my career path." This foundational knowledge helped him navigate the complexities of cyber intelligence later on. After working at GCHQ, Aaron faced a significant decision: stay in public service or explore opportunities in the private sector. He explains, "I thought I was always going to be there for life," but personal circumstances and the evolving cybersecurity landscape prompted him to make a change. Aaron’s experiences provide valuable insights into cyber threat intelligence (CTI). He emphasizes the importance of adapting to new threats and technologies. "Cybersecurity is an ever-changing landscape, and staying ahead requires constant learning and adaptation," he advises. One key area Aaron focuses on is Open Source Intelligence (OSINT). He finds it fascinating how the internet can be utilized for intelligence investigations. "Using the internet for intelligence work is incredibly powerful," he states. This approach allows organizations to gather insights that are often overlooked in traditional intelligence methodologies. In 2021, Aaron published his book on cyber threat intelligence, a project that began during the early days of the COVID-19 lockdown. He shares, "I decided to write a book because there wasn’t much available for non-analysts looking to understand threat intelligence better." The process was both challenging and rewarding, providing him with a platform to share his knowledge and experiences. Resource Perspective Intelligence - https://perspectiveintelligence.co.uk/ [https://perspectiveintelligence.co.uk/ ] WannaCry - https://en.wikipedia.org/wiki/WannaCry_ransomware_attack [https://en.wikipedia.org/wiki/WannaCry_ransomware_attack] KASE Scenarios OSINT Training Platform - https://kasescenarios.com/ [https://kasescenarios.com/] KASE Scenarios PRoject SandShark - https://kasescenarios.com/project-sandshark [https://kasescenarios.com/project-sandshark] Diamond Model - https://www.threatintel.academy/wp-content/uploads/2020/07/diamond_summary.pdf [https://www.threatintel.academy/wp-content/uploads/2020/07/diamond_summary.pdf] Intel architecture mindmap - https://github.com/Errum/IntelArchitectureMap [https://github.com/Errum/IntelArchitectureMap] The cyber threat intelligence book - https://www.amazon.com/Cyber-Threat-Intelligence-No-Nonsense-Security/dp/1484272196 [https://www.amazon.com/Cyber-Threat-Intelligence-No-Nonsense-Security/dp/1484272196] TCM Security SOC 101 - https://academy.tcm-sec.com/p/security-operations-soc-101 [https://academy.tcm-sec.com/p/security-operations-soc-101] Michael Koczwara's Hunting Adversary Infrastructure Training Course - https://academy.intel-ops.io/courses/hunting-adversary-infra [https://academy.intel-ops.io/courses/hunting-adversary-infra] Intel471 Cyber underground Handbook - https://www.intel471.com/cyber-underground-handbook [https://www.intel471.com/cyber-underground-handbook] Admiralty Scale blog post - https://www.sans.org/blog/enhance-your-cyber-threat-intelligence-with-the-admiralty-system/ [https://www.sans.org/blog/enhance-your-cyber-threat-intelligence-with-the-admiralty-system/] Chapters 00:00 Introduction to Intelligence Careers 04:21 Transitioning from Government to Private Sector 12:23 Becoming a Published Author 20:37 The Importance of Context in Cyber Intelligence 28:08 Challenges in Open Source Intelligence 36:53 Defining Intelligence: What It Is and Isn't 44:47 Critical Thinking in Intelligence Analysis 51:52 Training and Certifications in Intelligence 59:14 Success Criteria for Intelligence Functions 01:05:07 The Future of Cyber Threat Intelligence 01:11:03 The Role of AI in Intelligence 01:18:18 Advice for Aspiring Intelligence Professionals PS! This conversation is a compressed edit of an interview Freddy has conducted as part of his PhD research. The interview happened on July 1st, 2025 in London, UK.

From UK Police Intelligence to academia: Support versus specialist - Interview with Nadia Tuominen (S2E2)

Summary Listen to Nadia Tuominen's path from crime science student to intelligence analyst in London’s Metropolitan Police, where she learned mostly on the job in a changing organization. She explains how austerity and lack of development pushed her to leave for sports integrity in tennis, then into the financial sector to work on economic crime. A later shift into academia and training lets her “close the circle” by teaching police officers and practitioners, creating qualifications she wishes had existed earlier. Across her journey, she emphasizes intelligence as a reasoning process, the importance of frameworks, elevating analysts from “support staff” to specialists, and helping people think better rather than just learn tools. Nadia emphasizes the need for analysts to be proactive, build relationships, and continuously develop their skills to adapt to the changing landscape of intelligence work. Key takeaways * Intelligence is a reasoning process for decision-making, not magic or perfect prediction. * Definitions of intelligence should fit each organization’s mission and context, rather than chasing one universal formula. * Frameworks like the UK National Intelligence Model, though imperfect, become clearly valuable once you work in less-structured private-sector environments. * Analysts should be treated as specialists, not generic “support staff,” to improve respect, pay, and decision quality. * Training should focus on how analysts think (cognition, self-awareness, bias) as much as on tools and structured techniques. * Biases are unavoidable and not inherently bad; the aim is to understand and manage them, not pretend they can be removed. * Many law enforcement analysts lack formal, portable qualifications, so building accessible, practice-based education helps careers and professionalizes the field. Resources and references mentioned * NIM https://library.college.police.uk/docs/npia/NIM-Code-of-Practice.pdf * ICD 203 https://www.dni.gov/files/documents/ICD/ICD-203.pdf * Intelligence Architecture Mind Map - https://github.com/Errum/IntelArchitectureMap * Psychology of intelligence Analysis - https://www.cia.gov/resources/csi/static/Pyschology-of-Intelligence-Analysis.pdf * Analyst & Decision-Maker Conference - https://i2group.com/events/analyst-decision-maker-conference-2026 Chapters 02:59 Journey into Intelligence and Law Enforcement 05:56 Training and Development in Intelligence Analysis 09:12 Transitioning from Law Enforcement to Sports Integrity 12:07 Understanding Intelligence Frameworks 14:51 Exploring Financial Crime and Economic Crime 17:49 The Role of Academia in Intelligence Analysis 20:51 Training and Cognitive Function in Intelligence 23:59 Defining Intelligence: Perspectives and Processes 27:10 The Importance of Forward-Looking Intelligence 29:57 Analysts as Specialists, Not Support Staff 37:13 The Role of Analysts in Decision Making 38:25 Understanding AI and Its Implications 40:30 Critical Thinking in AI Usage 42:35 Explainability and Trust in AI 44:22 Evaluating AI vs Human Intelligence 46:24 The Importance of Input in AI 48:28Training and Experience in Intelligence Analysis 55:33 Measuring the Value of Intelligence 01:01:05 The Dialogue of Intelligence 01:04:17 The Future of AI in Intelligence 01:12:10 Preparing for a Career in Intelligence