In Cyber Threat Intel, AI is the Tactician. Humans are the Strategists.
I’ll never forget one of the first companies I worked with trying to integrate cyber threat intel into their security operations. They were post-breach and, frankly, willing to throw a lot of money at a lot of their problems. At vulnerability management. At security operations. At threat hunting. At incident response. At threat intelligence (from the logs and IOCs to the deep web monitoring and adversary group profiles). It was the tool and consultant equivalent of the Hunger Games. It wasn’t until we took a step back to think strategically about how to stitch together the patchwork of automated inputs and outputs across functions and tooling that we were able to build a collaborative and effective approach to cyber defense.
Platformization and agentic AI can feel a bit like the new Hunger Games these days. We can now ingest millions (if not more) of indicators, cluster related IOCs, detect patterns across logs, and correlate data sources. We have so much data and tooling that we’ve created tool sheds we call platforms to house all of it in one consolidated place. There’s no question that all of this is changing how threat intel shapes the way we as human professionals approach cybersecurity: going forward, we’re the strategists, not the tacticians.
AI as the CTI Tacticians: Precise, Fast, Repeatable
AI is the quintessential specialist. Its strength lies in speed, scale, and precision. It excels at triaging threats, clustering indicators, structuring and enriching information into meaningful patterns, and scanning data continuously without fatigue. AI performs best in environments with clear, well-defined rules and repeatable patterns. Like a tactician on the battlefield, but one who can run countless maneuvers faster and with more accuracy than a human ever could, it is brilliant at executing precise, repeatable plays, even predictive ones derived from pattern recognition over past behavior (again, as long as it’s operating within those clearly defined and repeatable rules).
Humans are Your Strategists
But CTI isn’t just about execution – it’s about direction. Most of the environments we live and operate in don’t have stable, rule-bound systems. The world of cyber threat adversaries is one with shifting rules, incomplete information, and few obvious playbooks. Unlike specialists, who excel in those stable, rule-bound systems, strategists draw on diverse experiences and cross-disciplinary skills to navigate uncertainty and apply real strategic thinking. AI may flag threats, but humans decide which battles to fight and how intelligence informs our broader security posture. They do this by doing things AI doesn’t do on its own:
- Interpret AI outputs in context – prioritizing based on business risks, regulatory demands, or geopolitical shifts.
- Ensure AI isn’t operating on autopilot: validating, tuning, and avoiding bias or blind spots.
- Bridge the gap between cyber operations and executive leadership.
Ultimately, the strategist is the vital person who guides AI, ensures good governance, oversees identity security, and translates insights into actionable, business-aligned intelligence.
So you want to be a Cyber Threat Intel Strategist? Be a Generalist.
Thinking back to that post-breach feeding frenzy so many years ago, one thing I took away was how the specialists in each part of the organization were each missing a critical piece of the puzzle because they didn’t understand one another’s experiences or how those could fit together. Everyone was extremely well-intentioned, talented, and focused on their specific roles and responsibilities, but they were only looking for intelligence that fit their slice of the cybersecurity defense operation. It was only after we started taking a real generalist approach, pulling from a broad set of domain knowledge and experiences, reframing the problems, and applying solutions from one domain to another, that real cyber fusion started to happen.
Consider the unfamiliar setting of the cyber threat intelligence landscape:
- There is no “fixed game board”. Threat actors change tactics constantly. For example, ransomware groups pivot from encryption to extortion-only models; nation-state adversaries adapt malware or pivot from denial or theft of information to distribution of misinformation depending on their objectives.
- The environment itself is unpredictable. Emerging technologies – from AI-driven phishing to deepfake-enabled fraud – change the attack surface overnight. Some of these campaigns weren’t in the playbook just a few years ago.
- The stakes in the game are dynamic. We live in a world that’s changing as rapidly as our technologies. A CTI report may need to explain not just technical indicators, but how a power grid intrusion ties to geopolitical maneuvering, or why stolen employee data matters more after a change in power in a tenuous foreign corporate relationship.
Now consider how the breadth of generalists helps them thrive in uncertainty:
- They connect dots across disciplines. A strategist with experience in geopolitics, business continuity, and cyber operations can see that a phishing campaign is not just a nuisance, but a potential precursor to a supply chain attack with reputational risk.
- They adapt faster to new, undefined problems. When AI flags an anomaly the system can’t fully explain, a generalist’s diverse perspective helps critically evaluate when it’s worthy of escalation. They don’t freeze because the problem doesn’t look like a past case study.
- They translate complexity into action. Executives don’t want (and can’t make sense of) a list of IOCs. They want to know things like, “Should we halt this merger? How should we handle this vendor? Should we report this to the regulators?” Generalists are skilled communicators, able to frame novel technical problems that don’t have established playbooks in business and policy terms.
The future of CTI, and fully optimized cyber defense operations, rests on the effective integration of AI as the powerful specialist/tacticians and humans as the adaptable generalist/strategists. AI brings precision and repetition. Humans bring vision, creativity, and adaptability. CTI teams that combine both will be the ones best equipped to outthink adversaries and secure complex systems in this era of rapid change.
Abstract’s Perspective: Turning Intel Into Action with AIG
By Chris Camacho, Co-Founder & COO, Abstract Security
This strategist-first approach is exactly why we built the Abstract Intel Gallery (AIG).
Threat intelligence can’t sit on the sidelines as disconnected feeds. It needs to live in the data pipeline, enriching events, prioritizing detections, and cutting noise before anything reaches the SIEM.
With AIG, we are:
- Shifting detections left by applying intelligence early in the pipeline, before logs overwhelm downstream analytics
- Making threat intel actionable instead of just “interesting,” bridging the gap between data and real-time defense
- Reducing noise and cost by aligning enrichment with the signals that matter most
Our goal is to eliminate the “Hunger Games” approach to intelligence integration. Instead of piling on more tools and feeds, AIG ensures that AI-driven tactics and human-led strategy align seamlessly inside the pipeline.
This is how organizations move from reactive intelligence programs to proactive defense strategies, and it’s where CTI finally delivers on its promise.
Want to learn more about how Abstract is helping teams shift detections left with AIG? Reach out and let’s talk.