Ten Year Anniversary

Celebrating a Decade of Analyst-Driven Intelligence

10 years of building tools and tradecraft for defenders

Limited Series Podcast

Show Notes

As part of The Vertex Project’s 10-year anniversary limited podcast series, Kali Fencl sat down with Vertex analysts Ryann “reign” Hallback, Jennifer “thesilence” Kolde, and Mary Beth “savage” Lee to reflect on how the industry has changed, what makes a strong analyst, and why diverse perspectives are critical to better intelligence.

The conversation is a reminder that behind every report, investigation, and attribution assessment are analysts constantly questioning assumptions and refining their understanding of the threat landscape.

From Malware-Centric Reporting to Full Threat Narratives

Jennifer Kolde reflected on how much of the industry’s earliest reporting focused heavily on malware itself: what a tool did, how to detect it, and how organizations could defend against it.

“There’s been an ongoing recognition that the threat landscape is a lot more complicated than we thought back in our innocent days,” Kolde explained.

Over time, threat intelligence matured beyond isolated malware analysis into broader operational understanding. Analysts began correlating infrastructure, tracking campaigns across multiple victims, and identifying relationships between actors, tooling, and objectives.

Mary Beth Lee noted that modern reporting increasingly incorporates geopolitical and social context alongside technical findings.

“We’re no longer seeing cyber operations in a vacuum,” Lee said. “This is part of an operation. It might be influenced by other events happening in the world.”

That evolution reflects a larger shift in the field: cybersecurity incidents are no longer treated as purely technical events. They are often connected to broader economic, political, and strategic objectives.

The Lasting Influence of the APT1 Era

The discussion returned to one of the most influential public threat intelligence reports ever released: the APT1 Report.

For many in the industry, the report fundamentally changed expectations around attribution and public threat reporting. Ryann Hallback described it as a blueprint that shaped how organizations approached intelligence disclosures for years afterward.

“It was the first time a nation-state had really been doxxed publicly in that way,” Hallback said. “You started seeing threat actors named, activity sensationalized a little more, and reporting evolve into something bigger than just technical analysis.”

The report’s impact extended beyond the technical community. Public attribution became intertwined with media attention, marketing visibility, and brand recognition for security companies. That created both opportunities and challenges.

Kolde acknowledged that while public reporting raised awareness around nation-state threats, it also introduced pressure to produce “cool, sexy names” for activity, sometimes before enough evidence existed to support strong conclusions.

“Sometimes things are named incorrectly because there’s such a desire to name a thing,” Hallback added.

The analysts emphasized that attribution is valuable when it serves a meaningful purpose, whether informing policymakers, enabling law enforcement action, or helping defenders prioritize risk. But attribution for the sake of visibility alone can create confusion and distort understanding.

Who is Attribution Actually For?

One theme from the discussion was the idea that attribution is not universally useful in every context.

Lee explained that the value of attribution depends heavily on the audience consuming the intelligence.

A policymaker may need a deep understanding of the operators, motivations, and state affiliations behind an intrusion campaign. A security team defending a network, however, may care far more about detection opportunities, vulnerabilities, and operational impact than which military unit or criminal group sits behind the keyboard.

This distinction highlights a challenge many threat intelligence teams face today: balancing technical fidelity, operational relevance, and public communication without oversimplifying complex realities.

Intelligence Sharing Still Depends on Trust

The conversation also explored why collaboration in cybersecurity can be more difficult than it appears from the outside.

Cybersecurity as an industry often promotes information sharing and collective defense. But analysts noted that sharing intelligence carries real risks, from disrupting law enforcement investigations to prematurely exposing incomplete analysis.

Hallback pointed out that many analysts come from environments where operational secrecy is deeply ingrained, particularly within government and intelligence communities.

“By our very nature, we don’t just openly share everything,” she said. “There has to be trust.”

At the same time, organizations operate with different incentives. Some prioritize customer protection, others focus on long-term investigations, while commercial pressures can sometimes incentivize publicity and exclusivity over collaboration.

The analysts agreed that meaningful information sharing requires more than technology or platforms; it requires aligned goals and trusted relationships between organizations and individuals.

Women in Cyber Threat Intelligence

The latter half of the conversation shifted toward another important evolution within the industry: representation.

All three analysts reflected on entering a field that was, and in many ways still is, heavily male-dominated.

Kolde noted that while the industry has improved over time, it remains unusual in many environments to see women represented broadly across technical and leadership roles.

One unique aspect of the early Mandiant threat intelligence team, the group recalled, was the visibility of women in senior leadership positions. Leaders like Joyce Lin, Laura Galante, Jen Weedon, and Nalani Fraser helped shape not only individual careers, but the development of the broader CTI industry itself.

Representation matters not simply because of visibility, but because diverse perspectives improve analysis itself.

“All of us are subject to confirmation bias,” Kolde explained. “Having somebody with a different background who can ask, ‘Did you consider this?’ makes all of us better.”

Lee echoed that sentiment, emphasizing how subtle cultural signals can influence who feels welcome in the field, from conference environments to hiring practices to the ways analysts are portrayed publicly.

At the same time, the analysts expressed optimism about the future. Conferences now feature more women entering the field, particularly students and early-career professionals, and visibility continues to improve.

What Makes a Great Analyst?

When asked what qualities matter most for analysts entering the field today, the group consistently returned to one theme: critical thinking. Technical expertise is important, but it is not enough on its own.

Lee emphasized the importance of questioning assumptions, evaluating evidence carefully, and considering alternative explanations. Hallback highlighted curiosity, adaptability, and comfort with being wrong, especially in a field where technology and adversary behavior evolve rapidly.

Kolde added another quality that often receives less attention: imagination.

Analysts must constantly explore competing hypotheses, challenge their own conclusions, and think creatively about alternative interpretations of incomplete data.

“It’s easier to teach somebody technical skills than it is to teach them critical thinking,” Kolde said.

That philosophy shaped many of the analysts’ own careers, particularly through mentors who encouraged rigorous debate and intellectual humility.

For Kolde, one of the most influential figures was Joyce Lin, who challenged analysts to defend every conclusion and explain the reasoning behind their assessments.

“If I can’t defend my conclusions, if I can’t explain how I got there, that’s a problem,” Kolde reflected.

Looking Back and Ahead

Ten years into The Vertex Project’s journey, the conversation served as both a retrospective and a reminder of how much the field continues to evolve.

Threat intelligence today is faster, broader, and more interconnected than ever before. Analysts are expected not only to understand technical activity, but also to navigate geopolitics, communication challenges, public narratives, and rapidly changing technologies like AI.

But despite all of those changes, one thing remains constant: good intelligence work depends on people willing to ask hard questions, challenge assumptions, and continuously learn.