With the rapid development of artificial intelligence (AI) technology and the popularization of the zero trust architecture concept, the field of cybersecurity is undergoing profound changes. In the AI-driven era, we need to reassess the traditional threat intelligence system: how to reconstruct the cognitive structure, strategic logic, and practical processes of threat intelligence from the perspective of "zero trust." This article will explore this reconstruction process through the methodology presented in the book "Intelligence Analysis—Structured Analytical Methods," which I recently read, using structured analysis thinking.
The article will follow the five stages of the threat intelligence lifecycle as the main thread, embedding reflections on the System 1/System 2 thinking model, analyzing the current shortcomings of threat intelligence in zero trust architecture and AI decision support, and introducing various structured analytical methods (such as problem redefinition, timeline analysis, competitive hypothesis analysis, premortem analysis, red team analysis, decision matrix, etc.) with practical case studies to provide a clear professional strategic perspective. Finally, we will discuss the relationship between structured analysis and security automation (AI, SOAR, model-assisted decision-making) and look forward to new directions for intelligence analysis enhanced by human-machine collaboration in the future.
System 1 and System 2 Thinking: From Intuition to Structured Analysis#
Psychologist Daniel Kahneman's "dual-system" theory divides human cognition into two modes: System 1 thinking and System 2 thinking. System 1 refers to fast, intuitive, and automatic thinking, based on experience and pattern recognition, allowing us to make judgments almost effortlessly. However, while System 1 is efficient, it is susceptible to various cognitive biases, such as overconfidence, anchoring effects, and confirmation bias, which often lead to analytical errors. In contrast, System 2 thinking is slow, deliberate, and logic-driven, involving a conscious analytical process and evidence-based inference methods. System 2 requires more attention and effort but allows for a more rigorous examination and reasoning of information. In the field of intelligence analysis, structured analytical methods are a powerful tool that helps analysts break free from the inertia of System 1 and fully engage System 2 thinking.
The table below outlines the more detailed differences between System 1 and System 2 (source: Wiki):
| System 1 | System 2 |
|---|---|
| Subconscious reasoning (intuition, creativity, subconscious) | Conscious reasoning (deliberative reasoning) |
| Mostly involuntary | Mostly voluntary |
| Often related to emotions ("intuition") | Often unrelated to emotions |
| Implicit | Explicit |
| Automated | Controlled |
| Requires less effort | Requires effort |
| High capacity | Low capacity |
| Fast | Slow |
| Default process (suppressed by System 2, highly focused) | Suppressed (clear thinking, contemplation suppressed) |
| Association (A↔B) | Implication (A→B) |
| Contextualized | Abstracted |
| Domain specificity | Domain generality |
| Subjective, based on values | Objective, based on facts/rules |
| Evolved earlier | Evolved later |
| Non-verbal | Most related to language or images (verbal, visual-spatial intelligence) |
| Includes recognition, perception, orientation | Includes rule-following, comparison, weighing options |
| Modular cognition | Fluid intelligence |
| Independent of working memory | Limited by working memory capacity |
| Implicit memory and learning | Explicit memory and learning, working memory |
| Intuitive, creative | Logical, rational |
| Metaphorical, symbolic | Literal, precise |
| Qualitative | Quantitative |
| Art, design, philosophy, humanities | Natural sciences, technology/formal sciences (mathematics, physics, engineering, programming) |
| Comprehension (Understanding) | Understanding (Comprehension) |
| Artistic, imaginative ("What if..."), philosophical ("Why?") | Realistic ("What is?"), scientific ("How?") |
| Daydreaming, distraction | Work, attention |
| Insightful (Eureka moment, Aha moment), radical, novel | Conventional, incremental, repetitive |
| Parallel, synchronous, non-linear | Serial, sequential, linear |
| Top-down, holistic, macro | Bottom-up, foundational, detail |
| Vision, scope, context, perspective | Purpose, goals, requirements |
| Open-ended, adaptable | Closed, rigid |
| Integrative and separative | Selective, discriminative |
| Metacognitive, reflective | Iterative, recursive |
| Generative (establishing and decomposing) and identifying patterns, concepts, and ideas. | Operating, filtering, and using patterns, concepts, and ideas. |
| Processing data ↔ information. | Processing data → information and messages → messages. |
| Searching and discovering possibilities. | Checking and executing goals. |
| Simultaneously working across multiple abstract levels. | Working at a single abstract level at a given time. |
| Integrative (Bloom's taxonomy) | Analysis (Bloom's taxonomy) |
| Intuitive (Myers-Briggs Type Indicator) | Thinking (Myers-Briggs Type Indicator) |
| Instinct | Expertise |
| "Right brain," "lateral thinking," "empathy" | "Left brain," "vertical thinking," "systematic" |
| Default mode network (neuroscience) | Task-positive network (neuroscience) |
| Connectionism(Cognitive science) | Computationalism(Cognitive science) |
| Neural networks | Comparable to digital logic. |
| Difficult to measure through testing. (See creativity assessment.) | Imperfectly measured by IQ tests. |
| Neural abilities are fundamentally fixed, but can be better utilized through practice. | Neural abilities (IQ) are fundamentally fixed but can be better utilized through learning and exercise. |
| Autism defects, Asperger syndrome, and scholarly syndrome anomalies. | Intellectual disabilities (mental retardation). |
Structured analysis helps intelligence analysts externalize implicit thinking processes into transparent steps, allowing them to decompose complex problems and examine evidence chains in a systematic, repeatable manner, thereby reducing the interference of cognitive biases. It is important to emphasize that structured methods are not intended to replace intuitive judgment (System 1 still has its value in emergencies), but rather to correct and supplement intuition. In the highly dynamic security environment of the AI era, relying solely on intuitive "fast thinking" is insufficient to address advanced persistent threats (APTs) and complex internal risks; only by combining the experiential intuition of human experts with structured, deliberate thought can we build a reliable threat intelligence cognitive model.
Current Status and Shortcomings of Threat Intelligence under Zero Trust Architecture#
The core principle of the "zero trust" architecture is to no longer assume trust in any network node or user identity, requiring all access requests to undergo continuous verification. This security philosophy demands a shift in security protection from perimeter-based to micro, continuous trust assessments, posing new challenges for threat intelligence. However, many organizations' threat intelligence systems currently exhibit significant shortcomings in zero trust and AI decision support:
- Lack of real-time and contextual integration of intelligence: In a zero trust environment, every user action and device request may be part of a potential attack. Traditional threat intelligence often focuses on the collection of external IOCs (such as malicious IPs, domain names, hashes, etc.), with limited update frequency, making it difficult to reflect the latest threat trends in a timely manner. As attackers continuously evolve their strategies, if intelligence cannot be integrated in real-time with context such as identity, devices, and applications, it cannot support fine-grained access decisions under the zero trust architecture.
- Insufficient monitoring of internal threats: Zero trust emphasizes a mindset of "assuming vulnerabilities exist," meaning it not only defends against external intrusions but also remains vigilant against internal threats. However, many current intelligence systems focus on external threat intelligence sources and lack effective intelligence support for internal anomalous behaviors (e.g., credential misuse by internal personnel, devices bypassing controls). APT attacks often combine external infiltration with internal dissemination, and internal threats (such as disgruntled employees or compromised internal accounts) are a key focus of the zero trust model. If the intelligence system fails to cover these internal risk points, the continuous verification mechanism of zero trust will lack intelligence support.
- Lack of integration between structured analysis processes and automation: Currently, many intelligence analyses still primarily rely on manual expert judgment, lacking structured norms and tools to support seamless integration with AI-driven detection responses. On one hand, the transparency of the analysis process makes it difficult to incorporate human analytical judgments into machine decisions; on the other hand, while AI and other automated systems excel at processing vast amounts of data, they lack the experiential judgment and strategic thinking found in human intuition, often resulting in false negatives and false positives. Existing intelligence systems have not fully utilized structured analytical methods to bridge the gap between these two, and thus cannot effectively leverage the power of "human-machine collaboration."
- Inadequate decision support: The value of intelligence work lies in guiding decision-making. However, many current threat intelligence reports merely list intelligence without providing clear action guidance. In the zero trust framework, security decisions need to consider multiple factors (identity trustworthiness, device status, threat level, business impact, etc.), which are often difficult for humans to weigh, and intelligence systems lack mechanisms to translate analytical conclusions into decision strategies, leading to limited effectiveness in guiding dynamic access control and policy adjustments.
In summary, against the backdrop of the AI era, we need to reconstruct the threat intelligence system so that it can efficiently process vast amounts of information with the help of automation while ensuring the depth and reliability of analysis through structured methodologies, thereby meeting the stringent requirements of the zero trust architecture for continuous cognition and decision support.
Reconstruction of the Threat Intelligence Lifecycle Based on Structured Analysis#
To address the above shortcomings, we will start from the five classic stages of the threat intelligence lifecycle (demand definition, collection and processing, analysis and judgment, dissemination and application, feedback and iteration) and introduce structured analytical methods to redesign each stage. Below, we will elaborate on each stage in detail.
Demand Definition Stage: Clarifying Intelligence Needs and Problem Redefinition#
The starting point of intelligence work is to clarify demand: what problems we are trying to solve and what decision questions we need to answer. In a zero trust environment, demands often involve complex security scenarios, such as: "How to identify potential infiltrations by APT organizations exploiting vulnerabilities in the zero trust architecture in advance?" or "How to detect signs of internal employees bypassing security controls to leak data?" These initial questions are often broad and vague, requiring the use of problem redefinition methods to focus and clarify.
Problem redefinition methods are structured thinking tools that encourage analysis teams to rephrase and re-examine the original problem from different angles to discover more core and solvable problem definitions. By repeatedly asking "What do we really need to understand?" and "Are the assumptions correct?", we may refine broad demands into specific intelligence topics. For example, the aforementioned APT question could be redefined as: "Identify the common initial access pathways and strategies used by APT organization X in a zero trust network," while the internal threat question could be redefined as: "Detect patterns of high-privilege internal accounts accessing multiple sensitive resources abnormally within a short time." Through such clarification, the intelligence team can define collection directions and analysis boundaries, avoiding pitfalls of misalignment or misunderstanding of demands. This stage introduces structured methods, laying a solid foundation—only by asking the right questions can the subsequent intelligence cycle be targeted.
At the same time, the demand definition stage should also consider the biases that System 1 thinking may bring. The initial intelligence demands proposed by decision-makers sometimes carry assumptions (for example, assuming that certain types of threats are more important). Through structured questioning and redefinition, analysts can challenge these assumptions to ensure that demands are based on objective risks rather than subjective intuitions. For instance, regarding intelligence demands in a zero trust project, we should verify whether they stem from real threat trends or management's intuitive preferences, thereby avoiding resource misallocation. In this process, analysts utilize the rationality of System 2 to correct the intuitive biases of System 1, setting a good precedent for intelligence work.
Collection and Processing Stage: Multi-source Information Integration and Timeline Analysis#
After clarifying demands, we enter the intelligence collection and processing stage. In a zero trust architecture, the sources of intelligence data are more diverse, including not only external threat data (such as IOCs, vulnerability announcements, APT reports provided by threat intelligence platforms) but also a large amount of internal telemetry and logs (authentication logs, endpoint detection and response data, network traffic, cloud activity logs, etc.). The introduction of AI enables us to mine patterns from vast amounts of data, but only well-structured data can yield meaningful intelligence.
In this stage, introducing timeline analysis can greatly enhance the understanding of complex event data. Timeline analysis refers to compiling collected multi-source events into a chronological "chronicle" or event sequence. By constructing a timeline, analysts can: (1) clarify the development context of attack events, such as the data chain of APT attacks from initial reconnaissance, spear phishing to lateral movement within the internal network; (2) discover temporal associations of anomalous behaviors, such as an employee account logging in from a remote location at midnight and downloading massive amounts of data in a short time, which then triggers a defense alert—linking these originally scattered logs forms a suspicious insider data leakage chain; (3) identify intelligence gaps, i.e., unexplained blanks on the timeline. For example, detecting that a certain malware executed on an endpoint (Execution) and then a long time later data exfiltration (Exfiltration) was discovered may suggest that persistence (Persistence) or command and control (C2) behaviors have not been detected.
Figure: A schematic of the attack chain based on the 14 tactical phases of MITRE ATT&CK (from reconnaissance to impact). The ATT&CK framework breaks down the attack process into a series of tactical steps, helping intelligence analysts identify each phase of the attack chain. In this case's timeline, we can see that the attacker went through reconnaissance, resource development, initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control, data exfiltration, and impact, with each phase corresponding to different TTPs (tactics, techniques, and procedures), providing standardized references for intelligence collection and analysis.
In practice, timeline analysis combined with knowledge bases like MITRE ATT&CK can guide us to collect more comprehensive data: for each phase of potential attack behaviors, we can set log monitoring points, thereby covering the entire attack chain during the collection phase. For example, in a simulated APT attack drill in a zero trust environment, the intelligence team arranged relevant logs chronologically to reconstruct the attacker's action chain: at 9:00 AM, the attacker obtained initial credentials via a phishing email; at 9:30 AM, they gained initial access through a VPN; then silently escalated privileges and moved laterally; at 2:00 PM, they began packaging confidential files in large quantities, and at 2:30 PM, established an external C2 channel to transmit data... The entire chain is clearly presented. This not only allows analysts to have a clear view of the attack process but also provides a basis for subsequent judgments. When AI tools are involved, structured timeline data can also train models to recognize similar sequential patterns, improving the accuracy of automated detection.
In summary, applying structured methods in the collection and processing stage organizes chaotic multi-source data into ordered chronological scenarios, effectively building an information architecture for System 2 thinking, allowing both analysts and AI to understand threat behaviors in the correct context. This lays the data foundation for the subsequent analysis and judgment stage.
Analysis and Judgment Stage: Hypothesis Testing and Adversarial Thinking#
Intelligence analysis and judgment is the most core and intellectually demanding part of the entire lifecycle. Here, analysts need to evaluate the collected information, summarize threat patterns, assess risks, and form conclusions and predictions. In the AI era, this stage is often completed through human-machine collaboration: human experts provide the thinking framework and hypotheses, while machines assist in performing correlation analysis and pattern recognition. To make the analysis process more rigorous and fair, we can comprehensively apply various structured analytical techniques, such as competitive hypothesis analysis, premortem analysis, and red team analysis, to fully validate viewpoints and challenge hypotheses, thereby reducing biases caused by System 1 thinking.
- Competitive Hypothesis Analysis (ACH): Most analysts tend to intuitively select the most likely explanation and then seek evidence to support that hypothesis, a tendency that easily overlooks other possibilities. The ACH method requires analysts to list all reasonable hypotheses and then match existing evidence with each hypothesis, looking for supporting or refuting relationships, and finally comparing hypotheses based on the reliability of evidence and explanatory power. This process forces us to objectively compare multiple explanations, identifying the conclusion that best fits the overall evidence rather than relying on preconceived notions. For example, a zero trust network detects a series of suspicious behaviors: administrator account activity at night, access to and transmission of a large number of sensitive files. Possible hypotheses include: "An external attacker stole credentials," "An internal employee is intentionally leaking information," or even "Abnormalities caused by security devices misreporting or testing." Through ACH, logs and forensic clues are listed in an evidence matrix, revealing that the evidence aligns more with the internal personnel's modus operandi (e.g., the accessed content is highly targeted and the behavior avoids regular monitoring), while there are many contradictions with the external attack hypothesis. Ultimately, ACH helps to lock in the "internal threat" hypothesis. This method effectively avoids the initial bias of analysts who might suspect it was an APT, ensuring that the judgment conclusions can withstand scrutiny.
- Premortem Analysis: This is a forward-looking reverse thinking tool. Before we prepare to release intelligence conclusions or action plans, we first assume that in the future, our analysis/decision is proven to be a failure, and then ask: "What caused the failure?" By preemptively simulating a "failed future," we can identify vulnerable links or hidden assumptions in the current analysis and make timely adjustments. Applied in threat intelligence analysis, premortem analysis prompts the team to reflect: If our intelligence conclusion is ultimately proven wrong, what aspects of information might we have overlooked? Is there a new type of attack method we haven't considered that invalidates our current judgment? For example, the intelligence department asserts that a certain data leakage incident was caused by internal personnel, but during the premortem analysis, someone raises the question: "If it turns out that the real culprit is actually an APT hacker six months later, what might we have overlooked?" Through brainstorming, the team realizes that they have always assumed that the identity authentication in the zero trust architecture cannot be breached, but attackers might have gained control of internal devices directly through malicious code in the supply chain, masquerading as internal personnel. This hypothesis prompts analysts to investigate suspicious program activities on the device side, and indeed new clues are discovered, thereby correcting the previous conclusion. It is evident that premortem analysis adds a layer of "insurance" to intelligence judgment, allowing us to recognize the worst-case scenario in advance and improve plans, rather than waiting for failure to occur and then regretting it.
- Red Team Analysis: Red team analysis introduces adversarial thinking, examining our intelligence and defense hypotheses from the perspective of potential adversaries. In the analysis and judgment stage, inviting experts who did not participate in the original analysis to form a "red team" to act as attackers or competitors challenges the conclusions of the blue team (intelligence analysis group). This method often reveals blind spots in our perspective. For example, the intelligence team may believe that a certain APT organization lacks the capability to bypass the company's zero trust authentication, but after simulating an attack, the red team points out that through social engineering to obtain legitimate certificates or using AI automation to attempt combinatorial attacks, the APT could potentially infiltrate without triggering alarms. The feedback from the red team prompts the intelligence team to reassess the threat level and refine the risk descriptions in the analysis report. Similarly, for internal threat scenarios, red team members may propose different motivation hypotheses or more covert methods of operation, making the analysis more comprehensive. The value of red team analysis lies in breaking cognitive biases, encouraging diverse viewpoints, and avoiding intelligence conclusions that may be erroneous due to groupthink or conformity.
Through the multi-layered, structured methods "refinement" described above, the output of the intelligence analysis and judgment stage will be more reliable and rich: not only clarifying "what happened," but also explaining "why other possibilities were excluded," "how confident we are," and "what uncertainties still exist." Such analysis reports are particularly important for decision-makers under the zero trust architecture—they need to adjust security strategies dynamically based on intelligence, and with the support of these structured judgments, decisions will be more grounded.
Dissemination and Application Stage: Intelligence Communication and Decision Matrix Support#
Once intelligence analysis reaches conclusions, we enter the dissemination and application stage, where intelligence products are provided to relevant audiences (security managers, SOC teams, risk committees, etc.) and guide actual security strategies and actions. In a zero trust environment, the application of intelligence may manifest in various ways: adjusting access control policies based on intelligence, initiating hunting tasks for specific threats, guiding updates to security device policies, or even triggering automated responses through SOAR platforms. To better serve decision-making, we introduce the decision matrix method to enhance the effectiveness of this stage.
The decision matrix method is a structured decision support tool. It lists decision alternatives and evaluation dimensions, assigns weights to each dimension, and then scores each alternative, ultimately calculating a comprehensive score to assist in selection. In the context of threat intelligence, we can use the decision matrix to make the complex security decision-making process explicit, helping decision-makers weigh pros and cons and reduce impulsive decisions. For example, the intelligence report reveals that a critical business application server is suspected of being compromised (potentially due to APT activity), and the security team faces multiple response options: A. Immediately isolate the host to block the attack, but this may impact business; B. Monitor and collect evidence first, gathering more intelligence before handling, but the attack may continue; C. Deploy fake data to lure attackers (honeypots) while strengthening surrounding defenses. Each option carries different risks and benefits. Using the decision matrix, we set evaluation dimensions such as "impact on business continuity," "effectiveness in containing threats," "deterrence/value for future evidence," and "implementation complexity," assigning weights to each dimension (based on organizational priorities, such as business continuity being the highest priority). The team then scores options A, B, and C across each dimension and ranks them based on the weighted total score. If the results show that option C scores the highest, decision-makers can choose C based on evidence, clearly understanding the trade-offs in business impact and risk control. This method makes the recommended actions from intelligence more transparent and objective, and also provides rules for AI decision support systems—decision matrix models can even be pre-embedded in SOAR, automatically calculating the best response strategy when similar events are triggered.
On the other hand, the intelligence dissemination stage also involves appropriate communication and dissemination. No matter how excellent the intelligence is, if it is not understood and adopted by relevant parties, it cannot translate into security value. Structured methods help present intelligence in a form that is easy for the audience to understand and make decisions: for example, clearly displaying threat priorities, recommended measures, and their basis through matrices, charts, etc., avoiding reliance solely on lengthy text. For senior management, intelligence reports should highlight which strategies require decisions; for frontline engineers, technical details and operational suggestions should be provided. This layered dissemination combines strategic perspectives with tactical details, ensuring that intelligence is truly applied within the zero trust architecture.
Feedback and Iteration Stage: Continuous Improvement and Cognitive Evolution#
The final stage of the threat intelligence lifecycle is feedback and iteration. Security countermeasures are a dynamic cyclical process, and each output of intelligence work and practical results should serve as input for the next improvement. This is especially true in the zero trust model: the environment continues to change, new threats emerge, and the intelligence system needs to evolve itself.
Structured analysis also plays a role in the feedback stage. We can regularly conduct structured self-assessments: comparing the methods used and results obtained in previous stages, evaluating which aspects were effective and which had vulnerabilities. For example, after a simulated attack-defense exercise, the intelligence team holds a review meeting, using structured tools to revisit the entire intelligence cycle: Were any key questions missed during demand definition? Was the range of collected data comprehensive? Were there any omitted facts in the analysis and judgment phase that were later confirmed to be true? How effective were the measures recommended by the decision matrix? Through this questioning analysis (such as post-mortem reviews, counterfactual analysis, etc.), the team can identify when System 1 thinking has crept back in (for instance, if a certain analysis overly relied on a single hypothesis) and where AI models need tuning due to poor performance in certain scenarios.
Furthermore, in the feedback stage, we should consider the evolution of human-machine collaboration. Future intelligence analysis is likely to be completed by intellectually collaborative teams: human analysts excel at complex reasoning and strategic innovation, while machines excel at big data computation and pattern discovery. The strengths of both, integrated through structured processes, will greatly enhance threat intelligence capabilities. For example, humans can design more comprehensive decision matrices or sets of hypotheses, while machines can validate the effectiveness of these models based on historical data; human red teams propose novel attack strategies, and machines simulate their impact and generate intelligence prompts. This cycle will form a closed loop of "augmented intelligence": each feedback makes both humans and AI "smarter." The intelligence lifecycle achieves cognitive evolution through iterative improvements—analytical methodologies advance, the quality of intelligence products improves, and the zero trust system becomes increasingly robust.
To summarize the above content more intuitively, the following table presents a comparison of the stages of the threat intelligence lifecycle, the structured analytical methods applied, and typical scenario cases under the zero trust architecture:
| Threat Intelligence Lifecycle Stage | Applied Structured Analytical Methods | Application Scenario Examples under Zero Trust Architecture |
|---|---|---|
| Demand Definition (Planning) | Problem Redefinition Method, Hypothesis Listing | Clarifying the scope of intelligence tasks: refining broad requirements into specific questions. For example, redefining "identify APT threats" to "identify potential initial attack paths of APT in a zero trust environment." |
| Collection and Processing | Timeline Analysis Method, Classification and Organization | Integrating multi-source data to construct event timelines, classifying important intelligence. For example, linking VPN login logs, endpoint alerts, and data transfer records to reconstruct the full picture of the attack chain and identify anomalous patterns. |
| Analysis and Judgment | Competitive Hypothesis Analysis (ACH), Premortem Analysis, Red Team Analysis | Validating and challenging analytical conclusions from multiple angles. For example, simultaneously assessing the hypotheses of "insider leak" and "external intrusion," using red team perspectives to identify blind spots in blue team analysis, and conducting premortem checks for potentially overlooked factors. |
| Dissemination and Application | Decision Matrix Method, Structured Reporting | Supporting decision-making and strategy adjustments: quantifying and comparing response options using matrices, outputting intelligence summaries needed for high-level decisions and operational checklists for frontline personnel. For example, deciding whether to isolate a device or continue monitoring, with the matrix assessing business impact and risks to provide recommendations. |
| Feedback and Iteration | Post-Analysis Review, Model Calibration | Continuously optimizing intelligence processes and tools: regularly reviewing intelligence cases, adjusting AI models and analytical processes. For example, discovering that a certain attack step was not timely identified during a drill, leading to improved detection rules and training SOAR and analytical models with feedback. |
(Table: Overview of "Threat Intelligence Lifecycle × Analytical Methods × Zero Trust Scenarios")
The Synergistic Outlook of Structured Analysis and Security Automation#
In conclusion, it is necessary to discuss the relationship between structured analysis and automated decision support, as well as how future threat intelligence analysis will evolve in terms of intellectual collaboration and machine enhancement. AI and automation technologies are increasingly integrated into the intelligence analysis process, such as using machine learning for anomaly detection, employing SOAR to orchestrate response processes, and generating initial drafts of intelligence reports through large language models. However, even the most powerful AI needs to operate under the guidance of human experts; otherwise, it may make erroneous judgments in pattern recognition or exhibit unexplained decision biases. Structured analytical methods provide a framework and bridge for this human-machine collaboration:
- First, structured methods make human thinking paths explicit, which is precisely the training and reference data needed by AI. For example, documenting the process of analysts weighing multiple hypotheses using ACH could potentially train AI to assist in scoring similar hypotheses in the future; similarly, the weights and scoring criteria of decision matrices can be directly translated into the rule basis for automated decision engines. Machines can thus "understand" the considerations behind human decisions, leading to choices that align more closely with human intentions.
- Second, structured analysis fills the cognitive blind spots of AI. AI excels at inductively finding patterns from historical data but often struggles with new threats and black swan events. Methodological innovations (such as new attack strategies brainstormed by red teams or extreme failure scenarios hypothesized in premortem analysis) can preemptively "synthesize" some previously unseen data for AI reference, enhancing the machine's preparedness for unknown situations. This complementary advantage of human and machine makes the threat intelligence system more robust.
- Furthermore, with technological advancements, we will see structured analytical tools being embedded in AI assistants. Future intelligence analysis platforms may come equipped with ACH algorithms, automatic timeline generators, or even digital red team simulation environments, allowing analysts to invoke these functions with a single click, letting machines handle heavy calculations and generation tasks while focusing on higher-level judgments and creative thinking. This will greatly enhance analysis efficiency and coverage. For example, an AI-driven platform could automatically generate multiple hypotheses, corresponding evidence matching tables, and possible action plans after we input raw intelligence, allowing analysts to review and adjust based on this foundation. Intelligence analysis will shift from being "labor-intensive" to "intellectually intensive," with humans increasingly taking on the roles of supervisors and final decision-makers.
- Finally, at the organizational level, intellectual collaboration will not only occur between humans and machines but also involve deep collaboration among experts from different fields. Structured methods are inherently suitable for team collaboration (due to their transparent and standardized processes), while AI can serve as the knowledge hub and communication medium for the team. For example, personnel from different departments (threat intelligence, risk compliance, IT operations) can discuss intelligence through shared analytical models and data views, with AI providing real-time data support and log organization, ensuring that everyone is brainstorming based on the same information. This fusion of collective wisdom + machine intelligence will elevate threat intelligence to a new level.
In summary, the reconstruction of threat intelligence in the AI era requires "rationality" and "automation" to soar together: on one hand, using structured analytical methods as the framework to build a rigorous and efficient cognitive structure, fully leveraging the power of System 2 thinking; on the other hand, utilizing artificial intelligence technology to expand the breadth and speed of intelligence, achieving real-time perception and response to massive security data. Under the requirements of the zero trust architecture, both are indispensable: rationality ensures we do not lose direction, while automation ensures we do not slow down due to heavy tasks. Looking ahead, threat intelligence analysis work will increasingly reflect the characteristics of human-machine intellectual collaboration—analysts will no longer fight alone but will join forces with intelligent assistants to combat the ever-changing threat landscape. As mentioned earlier, structured analysis lays the methodological foundation for this collaboration, while technologies like machine learning inject strong momentum into it. When cognitive science and artificial intelligence deeply integrate in the security field, we have reason to believe that a smarter, more agile, and more trustworthy era of intelligence analysis is on the horizon.