C2 Corner: Follow the Money

Written by: Amyn Gilani, Chris Camacho

Published on: Apr 22, 2026

Follow the Money

by Amyn Gilani

The first months at the financial firm were quiet in a way the Air Force never was. In uniform, the feedback loop was short and the stakes were clear, and you usually knew within days whether the work you had done had mattered. A target package went up the chain, decisions got made, and the thing either happened or it didn’t.

Enterprise intelligence work is slower. Outcomes sit downstream of a dozen other teams, and the hardest adjustment for an analyst coming out of the community is not the tooling or the acronyms but the silence that follows a finished product. You write, you brief, you wait. After a few months you start to wonder whether anyone reads what you write, and whether it would matter if they did.

The instinct that pulled me out of that stretch was to follow the money, which is the oldest move in the tradecraft.

In the intelligence community, following the money is how you map an adversary. The Treasury stood up the Terrorist Finance Tracking Program after 9/11 on exactly that logic, and the FBI’s financial operations work runs on the same premise. Money moves because people and plans move, and if you can see the flow you can see the network. The work is patient, and it is worth doing.

The translation into a financial firm turned out to be more literal than I expected. The money was the institution’s rather than an adversary’s, but the method was the same. Understanding how the business made money told me what was worth protecting, who depended on it, and where a threat would most naturally try to insert itself. Revenue lines became attack surfaces once you looked at them that way. Partnerships became trust relationships an adversary could borrow rather than break, and the software and services a firm depended on were often exposures that sat two or three companies deep in a supply chain nobody had fully mapped. Reputation itself turned out to be an asset that could be drained without a single packet crossing the wire.

Many cyber threat intelligence analysts are not exposed or trained to look at any of that. They are trained to analyze adversary tactics, track campaigns, and make detection recommendations, which is important work but a narrower slice of what intelligence tradecraft can do for a business. The analyst who only sees cyber threats is holding a hammer that works on a hundred other things and has never been told so.

A few years in, the opportunity came to help stand up a red team focused on the firm’s payment platforms, at a moment when the threats against them were high. I had spent enough time understanding those threats and how they would land on the business to be ready when the opening appeared. That readiness was the whole game. Nobody was going to hand the work to the analyst who had kept their head down.

In the years since, the aperture has kept widening. The same tradecraft that maps adversary networks also maps third-party exposure, fraud campaigns, brand and reputational risk, executive and physical threats, and the geopolitical currents that move quietly through a firm’s counterparties and supply chain before they show up anywhere else. Practitioners like Chris were naming this territory as business risk intelligence and building the category in real time, and the work is still rarely done well. The territory is open to anyone willing to reach for it.

The structural barrier is real, and most analysts can describe it in their sleep: narrow scope, short reporting lines, a business that does not wake up hoping the threat intel team will weigh in on a vendor decision. The psychological barrier is harder. Going outside the wire feels presumptuous when you are new, and like leaving your lane when you are not. Neither is true, and waiting for someone senior to draw you a broader charter is how careers quietly flatten.

The move is to build relationships with the parts of the business your tradecraft could serve. Corporate development wants to see a target company clearly before the deal closes, because risk uncovered early becomes leverage at the table. Finance wants early signal on counterparty solvency, capital flows, and the geopolitical shifts that eventually show up as numbers on an earnings call. Legal and compliance want early warning on sanctions exposure and the ownership chains of counterparties to prepare for any scrutiny. Risk management is often the most underserved consumer of intelligence in a firm, already thinking in enterprise terms but rarely fed the external signal that would sharpen the picture, whether that signal is a supply chain tremor, a reputational risk building in forums, or a geopolitical shift that changes the firm’s exposure overnight. None of that shows up in a threat feed, and all of it is intelligence work.

You are asking for time from people who do not have any, so show up with sincerity and a clear sense of what your tradecraft could do for them. The goal is not a single meeting. It is a relationship that earns trust slowly, where they come to you before a decision because they know you will bring them something useful. That is the real unlock. Intelligence becomes powerful when the business trusts it enough to let it into the room before the decision gets made, and when it starts showing the business what it could not see for itself. That is what executives actually care about. Predictability, and the confidence that someone is watching the places they cannot.

The hammer is intelligence tradecraft, and it is already yours. The only open question is what you choose to hit with it.

Amyn Gilani is a security and intelligence leader with more than twenty years of experience spanning the U.S. Air Force, the National Security Agency, and senior intelligence roles across financial services and the private sector.

C2 Perspective

by Chris Camacho

Most teams stall at the point Amyn is describing: connecting intelligence to how the business actually operates. They get very good at tracking threats, but the output rarely influences decisions. It’s technically correct, but disconnected from how the company makes money, where it’s exposed, and what actually matters.

The best teams I’ve seen do exactly what Amyn outlines here. They map intelligence to revenue, dependencies, and exposure. Once that connection is made, priorities become clearer very quickly.

What’s changed is the volume and speed of data. There is more intelligence available than ever, but very little of it is tied to business context in a way that drives action. That gap is where most programs lose credibility.

The constraint isn’t just organizational structure. It’s where intelligence shows up. If it lives in reports, it stays external to the business. If it shows up inside workflows, pipelines, detections, or decision points, it starts to matter.

That shift is subtle, but it’s the difference between intelligence being consumed and intelligence being used.

This is also the part most people underestimate. Trust is built when intelligence consistently shows up early and proves useful—not once, but over time. That’s when teams stop being asked for reports and start getting pulled into decisions.
