A pragmatic approach to build a threat landscape
2025-10-22, Europe

Building an actionable, organization-specific threat landscape is a challenging task. A useful format has to be chosen, information has to be collected, and finally meaningful action should be derived from the resulting product. This talk describes a pragmatic approach to building such a threat landscape that can be used by various stakeholders and is built from openly available information as well as the observations of the organization's own operational security teams. Furthermore, possible follow-up actions are discussed, as well as disadvantages and shortcomings of the approach.


"What are the threats relevant for us?" is likely one of the most common questions a threat intelligence team is asked, by management as well as by technical stakeholders. Answering it is challenging. Just picking some random insights from recently read threat reports certainly doesn't give a holistic view. Not all threats reported publicly are relevant for one's own organization, and the other way around: one's own sector is possibly underrepresented in public reporting, and some threats like ransomware are opportunistic and simply don't care about the sector they attack. There are many further questions, e.g. is the use of a technique mentioned in a threat report from ten years ago still relevant? And what about the observations of one's own operational security teams?

In this talk I will show a pragmatic, reasonable-effort approach to building a technical threat landscape that results in a MITRE ATT&CK map of techniques, by utilizing different (open and private) sources and own observations. Every technique is mapped to a relevance level, which allows further efforts to be focused on the most relevant techniques. Furthermore, I will show how this threat landscape can be used to support governance and purple teaming efforts.

The talk will be concluded with some experiences and statistics to answer questions like:

  • How many of the techniques documented in ATT&CK are really relevant?
  • Are there really irrelevant techniques?
  • How often should such a threat landscape be updated?
  • How much value do the sources used provide? Are they possibly biased?
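As an added illustration (not code from the talk or from the speaker), here is one way the relevance mapping described above could be computed, while also touching the recency and source-bias questions from the list: each source contributes its trust weight, decayed by age, to every ATT&CK technique it reports, scores are cut into relevance bands, and the share of a source's techniques that no other source corroborates serves as a cheap bias indicator. The sample sources, weights, half-life and band thresholds are constructed assumptions.

```python
from datetime import date

# Constructed sample sources (assumptions, not data from the talk): each source
# lists the ATT&CK technique IDs it reports, its publication date and a trust
# weight (own observations highest, broad public reporting lower).
SOURCES = [
    {"name": "own-ir-cases", "weight": 1.0, "date": date(2025, 9, 1),
     "techniques": {"T1566.001", "T1059.001", "T1486"}},
    {"name": "sector-isac-report", "weight": 0.8, "date": date(2025, 3, 15),
     "techniques": {"T1566.001", "T1078", "T1021.001"}},
    {"name": "vendor-annual-report", "weight": 0.5, "date": date(2024, 2, 1),
     "techniques": {"T1059.001", "T1078", "T1190"}},
    {"name": "old-apt-writeup", "weight": 0.5, "date": date(2015, 6, 1),
     "techniques": {"T1566.001", "T1003.001", "T1547.001"}},
]
TODAY = date(2025, 10, 22)
HALF_LIFE_DAYS = 365.0  # assumed: a mention loses half its weight per year

def recency_factor(published, today, half_life=HALF_LIFE_DAYS):
    """Exponential decay, so a ten-year-old report barely counts."""
    age = max((today - published).days, 0)
    return 0.5 ** (age / half_life)

def score_techniques(sources, today):
    """Sum weight x recency over every source mentioning a technique."""
    scores = {}
    for src in sources:
        contribution = src["weight"] * recency_factor(src["date"], today)
        for tech in src["techniques"]:
            scores[tech] = scores.get(tech, 0.0) + contribution
    return scores

def relevance_bands(scores, high=1.0, medium=0.4):
    """Map raw scores to the relevance levels used to prioritise work."""
    return {t: "high" if s >= high else "medium" if s >= medium else "low"
            for t, s in scores.items()}

def uncorroborated_share(sources):
    """Fraction of each source's techniques that no other source reports:
    a high share suggests the source is niche or skewed."""
    shares = {}
    for src in sources:
        others = set().union(*(o["techniques"] for o in sources if o is not src))
        unique = [t for t in src["techniques"] if t not in others]
        shares[src["name"]] = len(unique) / len(src["techniques"])
    return shares

if __name__ == "__main__":
    print(relevance_bands(score_techniques(SOURCES, TODAY)))
    print(uncorroborated_share(SOURCES))
```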

Thomas has almost 20 years of experience in information security and has worked on many topics in this area, from offensive to defensive security. He now does incident response, threat hunting and threat intelligence in the Evonik Cyber Defense Team. Furthermore, he is a co-founder of the Sigma project and maintains its open source toolchain (pySigma/Sigma CLI).
