Ten Year Anniversary

Celebrating a Decade of Analyst-Driven Intelligence

10 years of building tools and tradecraft for defenders

Limited Series Podcast

Show Notes

In this episode of the Vertex Project 10-year anniversary series, Kali Fencl sits down with Tom Hegel, Distinguished Threat Researcher and Research Lead at SentinelOne, alongside Visi Stark to discuss how adversaries have evolved and what that evolution means for defenders, intelligence teams, and organizations trying to keep pace.

The conversation centers on SentinelLabs’ research into DPRK IT workers posing as job applicants, but quickly expands into a broader discussion of modern intelligence workflows, interdisciplinary collaboration, analytical tradecraft, and why traditional cyber threat intelligence (CTI) silos are increasingly insufficient for today’s problems.

From Attribution to Ecosystems

One of the core themes of the discussion is how much threat actor ecosystems have matured in the last decade.

Tom reflects on how early public CTI reporting, including the landmark APT1 Report, helped establish modern threat intelligence practices. But today’s adversaries no longer fit neatly into isolated clusters or static actor profiles.

Nation-state groups borrow techniques from cybercriminal organizations. Criminal operators adopt infrastructure and tradecraft from espionage groups. Hacktivist personas increasingly blur into state-sponsored influence and disruption campaigns.

As Visi points out during the conversation, modern adversary ecosystems are “taking notes and cribbing pages from each other’s playbooks.”

That increasing professionalization has made attribution significantly more complex and has forced analysts to rethink how intelligence itself is modeled and operationalized.

DPRK IT Workers and the Expanding Attack Surface

A major focus of the episode is SentinelOne’s research into North Korean IT worker operations targeting organizations through recruiting pipelines.

Rather than relying solely on traditional intrusion techniques, these operations involve threat actors posing as legitimate job applicants in an attempt to gain trusted insider access to organizations.

Tom explains how these campaigns fundamentally change the way defenders need to think about telemetry, visibility, and detection.

In many cases, the most valuable intelligence artifacts are no longer traditional indicators like malware samples or command-and-control infrastructure. Instead, useful signals emerge from recruiting systems, application metadata, behavioral inconsistencies, payroll details, and operational patterns across HR workflows.

The discussion highlights how recruiting data became an unexpectedly valuable intelligence source:

The result is a compelling example of why modern threat intelligence increasingly requires collaboration outside traditional security teams.

Intelligence Beyond the SOC

Throughout the episode, Tom and Visi repeatedly return to the idea that intelligence should not exist as an isolated CTI function.

Instead, intelligence needs to operate as a business-wide capability that supports recruiting, sales, IT, executive leadership, and operational decision-making.

Tom describes how SentinelOne’s work around DPRK IT workers ultimately expanded beyond security operations into recruiting teams, sales workflows, and customer vetting processes.

Rather than expecting HR teams or recruiters to become intelligence analysts, the goal became embedding intelligence context directly into the workflows those teams already use.

This interdisciplinary approach reflects one of the central philosophies behind Synapse: intelligence becomes significantly more powerful when it is fused with operational context across an organization instead of remaining trapped in isolated systems.

The Importance of Flexible Analytical Platforms

Another major topic in the discussion is the role analytical platforms play in enabling collaboration and intelligence workflows.

Tom emphasizes that the most important capability is not simply storing intelligence data, but allowing organizations to customize ingestion, pivoting, analysis, and operational workflows around their own telemetry and business processes.

The conversation explores why rapid iteration is critical for analysts:

As Visi notes during the episode, “research is essentially the art of failing until you don’t.”

That flexibility becomes even more important as organizations attempt to integrate increasingly diverse data sources spanning recruiting systems, sales telemetry, security infrastructure, OSINT, and operational metadata.

AI, LLMs, and the Limits of Automation

The episode closes with a discussion about AI’s role in cybersecurity research and intelligence analysis.

While both Tom and Visi acknowledge that LLMs are becoming extremely useful for coding assistance and certain automation tasks, they also caution against overstating current AI capabilities in analytical workflows.

The key challenge is that intelligence analysis depends heavily on context, ambiguity resolution, confidence assessment, and iterative reasoning (areas where current LLM systems still struggle significantly).

As Tom explains, AI systems often fail to distinguish between:

For now, the conversation suggests that AI is best viewed as an augmentation tool for analysts rather than a replacement for analytical judgment.
