How to stop collecting intel like Pokémon cards and start making better security decisions
The Noise
If you’ve been anywhere near a SOC meeting lately, you’ve probably heard the phrase “threat management” tossed around like confetti.
Everyone wants it. Few can define it. Some say it’s about intel feeds. Others think it’s detection engineering. And then there’s that one person who swears it’s “basically IR but with dashboards.”
Let’s be honest, we’ve made threat management sound like pineapple on pizza: everyone has an opinion, nobody agrees on the recipe.
The term shows up in RFPs, job ads (“Head of Threat Management”), and board decks. But when something goes wrong, and the room gets quiet… nobody quite knows who actually owns it.
So, I stopped looking for definitions and started asking better questions.
The Realisation
During one particularly long incident bridge, I caught myself thinking:
“We’re reacting well. But are we really managing the threat?”
The answer, of course, was no. We were responding, not managing. There’s a difference.
Responding is firefighting. Managing is learning how not to rebuild the same house every week. That’s when I started breaking every incident, campaign, or actor report into something simpler: something anyone from an L1 to a CISO could understand. And yes, of course, I leveraged my 5Ws.
The 5W Lens
It started as an idea and I also wrote a blog on it. Then it became my checklist. Now it’s the backbone of how I think about threats. It’s five questions every analyst should be able to answer:
1. What happened?
2. Why did it happen?
3. Why did it happen that way?
4. Who did it?
5. What did we do about it?
Simple? Yes. But simplicity is the most underrated part of threat management.
And here’s where it clicked: every mature threat management function I’ve seen, no matter the tools or the budget, succeeds when those five questions can be answered confidently.
So, let’s see what that looks like in practice.
The Case of the Salesforce Heist
Remember when the ShinyHunters group targeted multiple companies through Salesforce trial instances?
They didn’t use zero-days. They didn’t break encryption. They used patience, voice calls, and public sign-up portals. A perfect example of why threat management matters.
- What happened?
  - Trial tenants were created using free accounts. Threat actors used APIs to quietly exfiltrate CRM data.
  - No malware. No alerts. Just logic and timing.
- Why did it happen?
  - Because some environments treated “trial” as “harmless.”
  - APIs were over-permissioned, and monitoring wasn’t designed for temporary tenants.
- Why that way?
  - Because using sanctioned cloud infrastructure (Salesforce) gives credibility, which is perfect for staying below the radar.
  - It’s social engineering at a platform level.
- Who did it?
  - Attribution pointed to ShinyHunters, a known data-broker group. Their tradecraft fit: automation, stealth, resale markets.
- What did we do about it?
  - Rotated credentials.
  - Locked trial creation behind MFA.
  - And more importantly — detection engineering built a rule for “trial tenant API export spikes.”
This isn’t just response. It’s management. We didn’t just fix the hole — we mapped the behaviour.
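To make the “trial tenant API export spikes” rule concrete, here is an added example (my own code, not from the original post or from any vendor product) of the detection logic run over a few constructed API audit log lines. The log format, field names, the 15-minute window and the 10,000-record threshold are all assumptions; a real rule would be tuned against the tenant’s normal export volume.

```python
"""Added example: detect bulk-export spikes from trial tenants.

Assumptions (not from the original post): each audit log line carries a
timestamp plus key=value fields for tenant id, tenant type, API action and
record count. Thresholds are illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines. One trial tenant (t-7781) pulls ~160k records
# in a few minutes; a production tenant and a small trial export are benign.
SAMPLE_LOGS = """\
2024-05-01T09:00:12Z tenant=t-7781 type=trial action=Query records=120
2024-05-01T09:03:40Z tenant=t-7781 type=trial action=BulkExport records=48000
2024-05-01T09:04:05Z tenant=t-7781 type=trial action=BulkExport records=52000
2024-05-01T09:05:30Z tenant=t-7781 type=trial action=BulkExport records=61000
2024-05-01T09:10:00Z tenant=t-0042 type=production action=BulkExport records=250000
2024-05-01T11:00:00Z tenant=t-9910 type=trial action=BulkExport records=300
2024-05-01T12:30:00Z tenant=t-7781 type=trial action=BulkExport records=500
"""


def parse_line(line):
    """Parse one constructed audit line into a dict with a datetime and typed fields."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        "tenant": fields["tenant"],
        "type": fields["type"],
        "action": fields["action"],
        "records": int(fields["records"]),
    }


def detect_trial_export_spikes(log_text, window=timedelta(minutes=15), max_records=10_000):
    """Return one alert per trial tenant whose BulkExport volume inside any
    sliding time window exceeds max_records.

    Each alert is (tenant, window_start_iso, records_in_window) for the
    heaviest window seen. Production tenants are deliberately ignored: the
    point of the rule is that *trial* tenants should never export at scale.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_tenant = defaultdict(list)
    for e in events:
        if e["type"] == "trial" and e["action"] == "BulkExport":
            by_tenant[e["tenant"]].append(e)

    alerts = []
    for tenant, evs in by_tenant.items():
        evs.sort(key=lambda e: e["ts"])
        start, total = 0, 0
        best, best_start = 0, None
        for end, e in enumerate(evs):
            total += e["records"]
            # Slide the window forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                total -= evs[start]["records"]
                start += 1
            if total > best:
                best, best_start = total, evs[start]["ts"]
        if best > max_records:
            alerts.append((tenant, best_start.isoformat(), best))
    return sorted(alerts)


if __name__ == "__main__":
    for tenant, started, count in detect_trial_export_spikes(SAMPLE_LOGS):
        print(f"ALERT trial tenant {tenant}: {count} records exported from {started}")
```

The rule keys on tenant type rather than on any single request size, which is what the case above calls for: the individual API calls were legitimate, and only the combination of “trial” and “volume over time” is anomalous.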
The Real Lesson
Threat management isn’t about collecting more IOCs. It’s about turning threats into decisions. When analysts see a campaign like this, they shouldn’t just say “we blocked it.” They should be able to say:
“We understand why it worked and we’ve made sure it can’t work that way again.”
That shift from reaction to reflection is what separates alert-handlers from a mature cyber defense function.
Turning Framework into Function
The Thirdeye Threat Management Model (TTMM) grew out of that idea. I will be sharing it with the public as well, once some fine-tuning is done.
Think of it as a practical loop that turns 5W thinking into operational muscle:
| Stage | Purpose | Output |
|---|---|---|
| Threat Intake | Capture and triage validated detections | Threat Register |
| 5W Analysis | Structured assessment using the 5 questions | Threat Record |
| Fusion Loop | Feed insights into detection, intel, and governance | Dashboard Metrics |
| Confidence Index (TCI) | Quantify quality of response | Score and improvement trend |
It’s not another post-incident report. It’s a decision ledger: your SOC’s threat memory.
Over time, you start spotting patterns. You realise 70% of your “new” incidents follow three old ones. That’s when you know you’re managing, not just surviving.
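As an added illustration (my own code, not the TTMM implementation the author is preparing to release), here is a minimal threat register that stores 5W threat records, scores each one and surfaces recurring root causes. The weights behind the confidence score, the root-cause tags and the two extra incidents are constructed assumptions; the author’s actual Confidence Index (TCI) is not defined on this page.

```python
"""Added example: a 5W threat register with an assumed confidence score.

Nothing here is the author's TTMM code. The weighting, the tag vocabulary
and the sample incidents are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field

FIVE_W = ("what", "why", "why_that_way", "who", "what_we_did")

# Assumed weights: understanding the cause and the fix counts for more than
# attribution, which is the part of the 5Ws the post treats as least decisive.
WEIGHTS = {"what": 0.2, "why": 0.25, "why_that_way": 0.2, "who": 0.1, "what_we_did": 0.25}


@dataclass
class ThreatRecord:
    name: str
    answers: dict                       # 5W question -> answer text ("" if unknown)
    root_causes: list = field(default_factory=list)  # tags used to spot repeats

    def confidence_index(self):
        """Weighted share of the five questions that have a non-empty answer
        (assumed scoring, not the author's TCI)."""
        return round(sum(WEIGHTS[q] for q in FIVE_W if self.answers.get(q, "").strip()), 2)

    def open_questions(self):
        """The 5W questions still unanswered: the analyst's to-do list."""
        return [q for q in FIVE_W if not self.answers.get(q, "").strip()]


class ThreatRegister:
    def __init__(self):
        self.records = []

    def add(self, record):
        self.records.append(record)

    def average_confidence(self):
        if not self.records:
            return 0.0
        return round(sum(r.confidence_index() for r in self.records) / len(self.records), 2)

    def recurring_causes(self, min_count=2):
        """Root-cause tags seen in at least min_count records, most common first."""
        counts = Counter(c for r in self.records for c in r.root_causes)
        return [(c, n) for c, n in counts.most_common() if n >= min_count]

    def share_following_known_cause(self):
        """Fraction of records sharing a root cause with an earlier record:
        the post's 'your new incidents follow old ones' observation."""
        seen, matched = set(), 0
        for r in self.records:
            if seen & set(r.root_causes):
                matched += 1
            seen |= set(r.root_causes)
        return matched / len(self.records) if self.records else 0.0


def build_sample_register():
    """Constructed register: the Salesforce case from the post plus two made-up incidents."""
    reg = ThreatRegister()
    reg.add(ThreatRecord(
        "Salesforce trial tenant exfiltration",
        {"what": "Trial tenants created with free accounts; CRM data pulled via API.",
         "why": "Trial treated as harmless; APIs over-permissioned; no tenant monitoring.",
         "why_that_way": "Sanctioned cloud platform gives credibility and stays below the radar.",
         "who": "Attribution to ShinyHunters, a data-broker group.",
         "what_we_did": "Rotated credentials, MFA on trial creation, export-spike detection."},
        ["trial-treated-as-harmless", "over-permissioned-api"]))
    reg.add(ThreatRecord(
        "Constructed incident B",
        {"what": "Bulk read through an integration token.", "why": "Token scoped far wider than needed.",
         "what_we_did": "Re-scoped token, added usage baseline."},
        ["over-permissioned-api"]))
    reg.add(ThreatRecord(
        "Constructed incident C",
        {"what": "Unexpected export from a sandbox.", "who": "Unknown."},
        ["missing-monitoring"]))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for r in reg.records:
        print(f"{r.name}: CI={r.confidence_index()} open={r.open_questions()}")
    print("recurring causes:", reg.recurring_causes())
    print("share following a known cause:", round(reg.share_following_known_cause(), 2))
```

The useful output is not the score itself but the two questions it raises in review: which 5Ws are still open on each record, and which root-cause tags keep coming back across records.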
The Next Beginning
But this story doesn’t end here. Once you’ve mastered the 5Ws, a new question appears:
“How do we make sure we never have to ask them manually again?”
That’s the next chapter: automating the 5W loop. Connecting detections, enrichment, and dashboards into one living map: the Threat Fusion Loop.
Because threat management isn’t a project. It’s a conversation, one we need to keep having, together.
Final Line
Threats evolve every week. But if your ability to learn from them evolves faster, you’re not just managing threats — you’re managing the story.
Because cybersecurity isn’t just a practice; it’s a reflection of character. Have a good day.