
SANS Threat Analysis Rundown in Review: Identity, Geopolitics, and a Passing of the Torch

Breaking Down May 2026’s Discussion — 2026 Threat Landscape Reality Check: Turning Threat Intelligence into Analytic Advantage

Authored by Sean O'Connor

This month’s SANS Threat Analysis Rundown was a special one, marking the debut of a new chapter for STAR and the handoff from Katie Nickels, who built the series into what it is today, to me as the new host. I was joined by Katie, along with Rebekah Brown and John Doyle, to explore two of the trends defining the 2026 threat landscape: the continued shift toward identity-based intrusions and the growing intersection of geopolitical conflict with cyber operations.

The format isn’t changing: no vendor pitches, no recycled headlines, and no threat intel theater. The goal is the same one Katie set five years ago: to help CTI teams, SOC analysts, detection engineers, incident responders, and security leaders turn what’s happening in the threat landscape into something they can act on. This recap, like the one that will follow every future episode, captures the references, reports, and resources that came up in the conversation so you can dig deeper on your own time. You can also catch the full replay on the SANS DFIR YouTube channel.

Passing the Torch: What STAR Should Continue to Be

Katie opened the episode by discussing what STAR became over its first five years and what it should keep being going forward. The value of STAR has always been bringing analysts, incident responders, and researchers into a working-level conversation about how they found things, how they analyzed them, and what defenders could actually do with that work.

A few recurring lessons from her run stood out:

  • Don’t overcomplicate reporting. Katie cited an early conversation with Sherrod DeGrippo about how CTI teams sometimes dress up findings in heavy analytic language when the audience just needs a clear answer. Applied indiscriminately, even valuable analytic tools can confuse the audience more than they help. It’s essential to get to actionability as quickly as possible.
  • Being first isn’t the same as being right. Another early STAR guest, John Hammond, made the case that the rush to publish during incident response and threat investigations isn’t always the best move. CTI teams should be deliberate about what they publish and when.
  • AI is the community’s biggest current challenge. Threat intelligence has matured in many ways, but the rise of generative AI means CTI analysts have to make the case every day for what human judgment adds.

The first two lessons map directly to the rest of the episode. Identity-first intrusions, geopolitical spillover, and the analytic challenges that come with both create constant pressure to publish fast and sound certain. I want to carry forward Katie’s point that STAR exists to help practitioners interpret primary-source reporting, compare it against what they’re seeing in their own environments, and turn threat information into operational advantage.

Katie’s parting advice for me as the new host was to keep an outline, but let the conversation breathe. Ask guests how they found something, not just what they found. The personality and the experience behind the research is what makes STAR different from reading the report, and I’m going to do my best to carry that forward.

Identity Is the New Perimeter

The main threat discussion started with the convergence on identity across the 2026 annual threat reports. The vendors’ methodologies differ, but the conclusion is the same: adversaries are logging in, not breaking in.

Many modern intrusions begin in places that look legitimate at first glance: a valid login, a stolen session token replayed from a new device, an OAuth grant to a third-party app, a compromised SaaS integration, or an account behaving just slightly off in a way that defenders can rationalize as normal.

John connected this directly to the cybercrime ecosystem. Credential theft, infostealer malware, access brokers, and underground markets are often part of the intrusion chain itself. Infostealer logs routinely expose credentials, session cookies, browser data, and authentication tokens that allow threat actors to bypass controls defenders may assume are protective. This is the kind of underground tradecraft we examine in FOR589: Cybercrime Investigations, which covers how access brokers operate, how infostealer logs lead to initial access, and how analysts can track that activity back to specific intrusion patterns.

Rebekah added that the shift is about user behavior too. Since 2020, remote work, flexible schedules, travel, and cloud-based workflows have made “normal” authentication much harder to define. A login from an unusual location or outside business hours might be malicious, or it might be an employee working from a hotel or a different time zone on a personal device, creating ambiguity that attackers exploit.

Rebekah and John clarified what this actually means for CTI teams day-to-day:

  • Identity is now the asset class CTI teams need to inventory. Rebekah said the first thing a CTI team should do this week is to understand what identities exist in your environment. This means user accounts, service accounts, machine identities, and increasingly, AI agent identities. If you don’t know what identities exist, you can’t know which ones an adversary would target.
  • The accounts to prioritize are the ones an access broker would price highest. John noted that if an initial access broker would advertise this account, it’s an immediate protection target. Consider domain admins, accounts adjacent to domain controllers, and anything with broad lateral movement potential.
  • Help desk identities are a known target. Rebekah called out the wave of attacks against help desk personnel as a specific pattern CTI teams should be modeling. The tradecraft is well-documented now, the impact is severe, and the controls aren’t universally in place yet.
  • Infostealer logs are an underused source of intelligence. When reviewing infostealer log data from a provider, John looks for staging environments (“test,” “staging,” “admin,” or similar language in the URI path), legacy admin accounts, and other obvious tells in the credential dataset. Those artifacts may indicate access to development, administrative, or pre-production environments that attackers can use to pivot, escalate, or identify more valuable targets.
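As an added example (not code from the livestream, from John, or from SANS), here is a triage pass over infostealer-log lines in the common URL:USERNAME:PASSWORD layout that implements the tells above: corporate domains, staging/admin language in the host or path, and privileged-looking account names. The log excerpt, the corporate domain example.com, the watch-list terms, and the score weights are constructed assumptions meant to be tuned, not observed data.

```python
"""Triage of infostealer-log credential lines against an organization's watch list.

Added example, not code from the livestream or from SANS. Stealer dumps are often
traded as plain "URL:USERNAME:PASSWORD" lines; the excerpt, the corporate domain
(example.com), the watch-list terms and the score weights below are assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the URL:USER:PASS layout. None of these are real exposures.
SAMPLE_STEALER_LOG = """\
https://mail.example.com/owa/:alice@example.com:Winter2024!
https://staging.app.example.com/login:bob@example.com:hunter2
https://vpn.example.com/remote/login:svc_backup:P@ssw0rd
https://admin.example.com/wp-admin/:legacyadmin:admin123
https://www.netflix.com/login:alice@example.com:Winter2024!
https://test-payments.internal.example.com/admin/:carol:qwerty
garbage line without separators
"""

CORPORATE_DOMAINS = {"example.com"}                           # assumption: the org's domains
PRIORITY_TERMS = ("test", "staging", "admin", "dev", "uat")   # "obvious tells" in host or path
PRIVILEGED_USER_HINTS = ("admin", "root", "svc_", "service")  # legacy / service account hints

# scheme://host[:port]/path : user : password   (the password may itself contain ':')
LINE_RE = re.compile(
    r"^(?P<scheme>[a-z][a-z0-9+.-]*)://(?P<hostpath>[^:]+(?::\d+[^:]*)?)"
    r":(?P<user>[^:]+):(?P<password>.*)$",
    re.I,
)


@dataclass
class Exposure:
    host: str
    path: str
    username: str
    score: int = 0
    reasons: list = field(default_factory=list)


def _is_corporate(name: str, domains) -> bool:
    name = name.lower()
    return any(name == d or name.endswith("." + d) for d in domains)


def triage(log_text: str, domains=CORPORATE_DOMAINS) -> list:
    """Parse URL:USER:PASS lines and rank them by how much an access broker would care."""
    exposures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are common in raw dumps; count them in real use
        hostpath = m["hostpath"]
        host, _, path = hostpath.partition("/")
        host = host.split(":")[0].lower()  # drop any port
        exp = Exposure(host=host, path="/" + path, username=m["user"])
        # The password is parsed but never stored: the SOC needs the exposure, not the secret.

        if _is_corporate(host, domains):
            exp.score += 3
            exp.reasons.append("corporate service")
        elif "@" in exp.username and _is_corporate(exp.username.rsplit("@", 1)[1], domains):
            exp.score += 1
            exp.reasons.append("corporate email reused on third-party site")
        else:
            continue  # neither the site nor the identity is ours

        hits = [t for t in PRIORITY_TERMS if t in hostpath.lower()]
        if hits:
            exp.score += 2
            exp.reasons.append("staging/admin tell: " + ", ".join(hits))

        if any(h in exp.username.lower() for h in PRIVILEGED_USER_HINTS):
            exp.score += 2
            exp.reasons.append("privileged-looking account name")

        exposures.append(exp)
    return sorted(exposures, key=lambda e: -e.score)


if __name__ == "__main__":
    for e in triage(SAMPLE_STEALER_LOG):
        print(e.score, e.host + e.path, e.username, "|", "; ".join(e.reasons))
```

On the constructed sample the legacy admin account on the wp-admin host ranks first, the staging, VPN service-account and test-payments entries tie below it, and the corporate email reused on a streaming site lands last with a credential-reuse note rather than being dropped. Dumps in other layouts (tab-separated, or the per-host URL/USER/PASS blocks some stealer families write) need a different pattern, and the substring matching on terms like "dev" will produce false hits on real data that the weights should absorb.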

CTI teams need to focus on providing context to SOC analysts and detection engineers. Useful identity intelligence helps answer questions like:

  • Which exposed credentials matter most?
  • Is this a corporate asset or a personal device?
  • Is the account privileged, over-permissioned, or connected to sensitive systems?
  • Is there evidence of session token theft?
  • Does this exposure connect to an initial access broker, ransomware affiliate, or known intrusion pattern?
  • What behavior should detection teams look for next?

Identity intelligence should drive detection, hunting, escalation, and remediation. The CTI tradecraft underneath all of this includes how you map identity-based tradecraft to detection opportunities, how you communicate confidence in your reporting, and how you structure analysis when vendor data converges but conclusions differ. This is the foundation FOR478: Cyber Threat Intelligence Foundations is built on, and the depth of adversary behavior that FOR578: Cyber Threat Intelligence goes into. The 2026 SANS State of Identity Threats & Defenses Survey looks deeper into how organizations are restructuring their detection and response around identity as the primary attack surface.

Geopolitical Flashpoints and Cyber Spillover

The second major topic was the intersection of geopolitical conflict and cyber operations: What happens when organizations that aren’t direct parties to a conflict still end up in the blast radius?

John framed the problem by pushing defenders to move past abstract “cyber war” thinking. When a geopolitical flashpoint occurs, organizations need to ask: why would we be targeted? Defense contractors, telecommunications and satellite communications providers, logistics companies, critical infrastructure operators, and organizations supporting a conflict region have obvious exposure. For everyone else, including mid-sized organizations with no direct role in the conflict, the risk is less direct but still real: it can come from customer base, business partnerships, third-party suppliers and supply chain exposure, regional operations, public statements, perceived alignment, or opportunistic actors using the moment for expansion or visibility.

The panel also discussed overreaction. Leadership may ask for broad defensive actions like geoblocking entire regions. CTI teams should help leaders understand the threat, the business impact, and the tradeoffs: blocking entire regions may reduce one kind of risk while simultaneously disrupting critical business operations. The practical strategy is to know in advance who to call, what telemetry exists, and which business units may be affected. FOR478: Cyber Threat Intelligence Foundations is built around this kind of stakeholder mapping and intelligence requirements work.

Signal Versus Speculation

Fast-moving geopolitical events also create an analytic challenge that came up throughout the conversation: separating what you know from what you hear or assume.

The discussion centered on a foundational CTI principle: useful intelligence supports decisions. Leadership needs answers even as claims and attributions proliferate on social media, impact gets exaggerated or fabricated, or researchers publish only partial findings. Analysts need to be clear about what is known, what is unconfirmed, what would change the assessment, and what action is recommended now. The CTI team’s job is to produce something useful without overclaiming — using estimative language when warranted, being honest about gaps in collection, and not bending to the pressure to be definitive.

The Admiralty System came up as a useful framework for separately evaluating the reliability of a source (graded A through F) and the credibility of a piece of information (graded 1 through 6), so that a claim from an untested source is not treated as confirmed just because it is circulating widely. The follow-up blog that applies the Admiralty framework to the Ticketmaster and Snowflake breach claims is a good walkthrough of how to apply it in practice even when underground claims are getting traction.

I agree with Rebekah’s assessment that analysts are being more deliberate about sourcing in response to the volume of AI-generated content and unverified claims. The 2026 SANS CTI Survey revealed that confidence has dropped in social media and external media reporting as intelligence sources. Open-source feeds, individual researcher accounts, and curated repositories like DeepDarkCTI still hold real value, and vetting and rating those sources before a crisis is what makes them usable when it hits.

Rebekah also highlighted the need to be strategic about confidence ratings. In many executive settings, it’s most effective to say: Here is what we think happened, here is why it matters, here is what would change our assessment, and here is what we recommend doing now. That’s a better way to support decision making than relying on leaders to be familiar with confidence systems, and it’s the kind of pragmatic structured analytic technique covered in FOR578: Cyber Threat Intelligence.

What CTI Teams Should Do Monday

We closed the episode with practical takeaways in the “what to do Monday” segment:

Brief Your Leadership

  • Start with impact. When communicating with executives, open with what happened, why it matters, what decision is needed, and what action should happen next. Briefings that lead with the so-what and then walk through the analysis tend to land better than ones that build to a conclusion through 15 minutes of background and technical detail.
  • Match the language to the decision. Rebekah noted that wishy-washy briefings and overconfident briefings are both unhelpful in different ways. The goal should be calibrating language to the audience and the decision. Sometimes an executive needs a clear “likely” or “unlikely,” and sometimes they need the underlying evidence.

Conduct Identity-Driven Threat Monitoring on a Budget

  • Start with inventory. Know what identities exist in your environment, which accounts are privileged, which accounts touch critical systems, where domain admins and other Tier 0 identities sit, and which identities would be most valuable to an initial access broker or ransomware affiliate.
  • Pay attention to what’s already being collected. Rebekah made the point that the telemetry needed to begin identity-driven threat monitoring often already exists, such as authentication logs, directory service logs, or SaaS audit logs. CTI teams should consider what they’re already collecting but not yet looking at through an identity lens.
  • For teams without a dedicated dark web analyst, don’t try to monitor everything. Start with the exposures that matter most to your environment: corporate domains, executive accounts, privileged users, remote access services, SaaS applications, developer environments, VPNs, cloud consoles, identity providers, and high-value third parties. Build a small list of trusted public feeds and researchers, vet them ahead of time, and use community resources like DeepDarkCTI as a starting point rather than trying to stand up a full collection program on day one.
  • Communities matter as much as feeds. Closed, invite-only CTI sharing communities (within Discord, Slack, and ISAC channels) consistently produce higher-signal intelligence than open feeds. SANS hosts several of these communities, and they’re a good starting point for analysts trying to build sourcing depth.
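Here is an added example (not code from the livestream or from SANS) that ties the inventory and telemetry steps above to the “is there evidence of session token theft?” question from the identity section. It reads constructed SaaS audit-log records, flags any session whose identifier is later used from a different client than the one that logged in, and ranks the findings by the inventory tier of the identity involved. The field names (ts, user, session_id, src_ip, user_agent, action), the inventory, the tier scheme, and the list of sensitive actions are assumptions to map onto your own provider’s schema.

```python
"""Session reuse detection over constructed SaaS audit-log records, ranked by
an identity inventory.

Added example, not code from the livestream or from SANS. The records, the
inventory, the tier scheme and the field names are constructed assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed identity inventory: the "know what identities exist" step.
# Tier 0 = controls the identity platform, tier 1 = privileged, tier 2 = standard.
INVENTORY = {
    "alice@example.com": {"tier": 0, "kind": "user", "note": "identity platform global admin"},
    "bob@example.com": {"tier": 2, "kind": "user", "note": "standard user"},
    "svc-ci@example.com": {"tier": 1, "kind": "service", "note": "CI deploy token"},
    "helpdesk-agent@example.com": {"tier": 1, "kind": "user", "note": "help desk, can reset MFA"},
}

# Actions worth calling out when they happen from a client that did not log in.
SENSITIVE_ACTIONS = {"add_app_consent", "reset_mfa", "create_token", "add_forwarding_rule"}

# Constructed audit-log excerpt (JSON lines). Not real telemetry.
SAMPLE_AUDIT_LOG = """\
{"ts":"2026-05-04T08:01:10Z","user":"alice@example.com","session_id":"s-111","src_ip":"203.0.113.10","user_agent":"Chrome/124 Windows","action":"login","mfa":true}
{"ts":"2026-05-04T08:15:42Z","user":"alice@example.com","session_id":"s-111","src_ip":"203.0.113.10","user_agent":"Chrome/124 Windows","action":"read_mail"}
{"ts":"2026-05-04T08:17:05Z","user":"alice@example.com","session_id":"s-111","src_ip":"198.51.100.77","user_agent":"curl/8.5","action":"add_app_consent"}
{"ts":"2026-05-04T09:00:00Z","user":"bob@example.com","session_id":"s-222","src_ip":"192.0.2.5","user_agent":"Safari/17 iPhone","action":"login","mfa":true}
{"ts":"2026-05-04T21:30:00Z","user":"bob@example.com","session_id":"s-333","src_ip":"192.0.2.99","user_agent":"Safari/17 iPhone","action":"login","mfa":true}
{"ts":"2026-05-04T10:00:00Z","user":"helpdesk-agent@example.com","session_id":"s-444","src_ip":"203.0.113.20","user_agent":"Edge/124 Windows","action":"login","mfa":true}
{"ts":"2026-05-04T10:02:00Z","user":"helpdesk-agent@example.com","session_id":"s-444","src_ip":"203.0.113.21","user_agent":"Edge/124 Windows","action":"reset_mfa","target":"alice@example.com"}
"""


def parse_audit_log(text: str) -> list:
    """Parse JSON lines and return records sorted by timestamp."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def find_session_reuse(records: list, inventory: dict = INVENTORY) -> list:
    """Flag sessions used from more than one client, ranked by severity then identity tier.

    A new user agent inside an existing session is rated high: a replayed cookie or
    token shows up as a new client with no new login and no MFA event. An IP-only
    change with the same user agent is rated low, since travel, mobile networks and
    NAT produce exactly that pattern for legitimate users.
    """
    by_session = defaultdict(list)
    for rec in records:
        by_session[rec["session_id"]].append(rec)

    findings = []
    for sid, events in by_session.items():
        clients = []  # distinct (src_ip, user_agent) pairs, in order of first appearance
        for e in events:
            pair = (e["src_ip"], e["user_agent"])
            if pair not in clients:
                clients.append(pair)
        if len(clients) == 1:
            continue  # one client for the whole session: nothing to see here
        user_agents = {ua for _, ua in clients}
        severity = "high" if len(user_agents) > 1 else "low"
        after = [e["action"] for e in events if (e["src_ip"], e["user_agent"]) != clients[0]]
        user = events[0]["user"]
        # An identity missing from the inventory is itself a finding: treat it as unknown tier.
        ident = inventory.get(user, {"tier": 3, "kind": "unknown", "note": "not in inventory"})
        findings.append({
            "user": user,
            "session_id": sid,
            "severity": severity,
            "tier": ident["tier"],
            "note": ident["note"],
            "clients": clients,
            "actions_after_change": after,
            "sensitive": sorted(set(after) & SENSITIVE_ACTIONS),
        })
    findings.sort(key=lambda f: (0 if f["severity"] == "high" else 1, f["tier"]))
    return findings


if __name__ == "__main__":
    for f in find_session_reuse(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f["severity"], "tier", f["tier"], f["user"], f["session_id"], f["sensitive"])
```

On the constructed sample the two findings are the tier 0 admin whose session granted an app consent from a curl client on a new address (rated high, and exactly the OAuth-grant pattern the identity section describes), and the help desk agent whose session performed an MFA reset from a second address with the same browser (rated low, but with the sensitive action called out so an analyst still looks). Bob’s two logins are separate sessions that each re-authenticated with MFA, so the after-hours login alone produces nothing; that is the ambiguity Rebekah described, and it is why session continuity across clients is a stronger signal than location or time of day.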

You won’t get through all of this on Monday, and the goal isn’t to build the perfect collection program by Friday; it’s to connect external exposure to internal action. The dark web monitoring and cybercrime ecosystem angle is something we’ll come back to in future episodes, and it’s the same tradecraft you’ll find in FOR589: Cybercrime Investigations.

Links and Reports Shared During the Livestream

Bonus Resources

These additional 2026 annual threat reports weren’t called out by name during the livestream, but they cover related ground and are worth a read for analysts pulling together their own view of the 2026 threat landscape:

  • Dragos 2026 OT Cybersecurity Report: A Year in Review — Dragos: The OT/ICS counterpart to the enterprise-focused reports above, giving important context for anyone whose threat model includes industrial environments.

Going Deeper with SANS

If you want to keep building on what we covered this month:

  • FOR478: Cyber Threat Intelligence Foundations — A new course built around the analytic groundwork this episode kept returning to: stakeholder analysis, intelligence requirements, source evaluation, and translating threat information into decisions that defenders and leaders can act on. A natural starting point for analysts moving into CTI or teams trying to stand up the basics.
  • FOR578: Cyber Threat Intelligence — Receiving a major update this year. Covers the structured analytic techniques, campaign analysis, and tradecraft that map directly to the analytic challenges we discussed: separating signal from speculation, applying confidence language correctly, and producing intelligence that supports decisions under pressure.
  • FOR589: Cybercrime Investigations — Goes deep on the cybercrime ecosystem we touched on: infostealer markets, access brokers, credential exposure, and how underground tradecraft connects to the intrusions defenders see in their environments.
  • 2026 SANS CTI Survey Insights — Useful context on how CTI teams are evolving sourcing, stakeholder engagement, and program maturity, including the data point Rebekah cited on declining confidence in social media as a sourcing channel.

Coming Up Next

Next month on STAR, we’ll be back with another guest and another set of real-world conversations on what’s actually moving in the threat landscape. Catch the replay of this episode and register for upcoming livestreams at the SANS Threat Analysis Rundown page.

Thanks to everyone who joined live or is catching the replay, and a special thanks to Katie, Rebekah, and John for kicking off this next chapter the right way. See you next time.