TL;DR: Threat intelligence is detective work that uses open source tools like urlScan.io and Censys to map out malicious infrastructure, allowing analysts to pivot from a single clue to uncover entire networks of attacker operations.
Threat Intelligence: From Threats to Tactics
Speakers: Sandro Manzo & Niels Desloover (CCB + Howest)
Date: October 7, 2025
This Tech & Meet provided practical, hands-on insights into modern cyber threat intelligence (CTI) and how to translate raw threat data into tactical intelligence. The speakers from the Centre for Cybersecurity Belgium (CCB) walked through real-world methodologies and tools used in active threat hunting.
A major focus was Open Source Intelligence (OSINT) and the tools that enable it. The session demonstrated the significant impact OSINT has on threat discovery and evaluation. Three tools were highlighted in particular:
urlScan.io was described as a “searchable archive of internet behavior.” It’s invaluable for threat hunters and security researchers because it allows for passive reconnaissance into suspicious websites. Analysts can extract domains, JavaScript files, APIs, and behavioral data, including redirect chains and CMS information. This makes it possible to map out the infrastructure behind malicious campaigns and understand how threat actors operate.
Censys provides internet-wide asset mapping, giving visibility into which IP addresses are associated with particular domains. Combined with other techniques, it helps analysts understand the scale and scope of attacker infrastructure.
JA4S fingerprinting represents an evolution in how we track threat actors. Rather than relying on easily changed artifacts (like domain names or surface-level indicators), JA4S creates persistent fingerprints of attacker infrastructure. Even when threat actors rotate domains, these fingerprints can reveal ongoing operations.
The concept of pivoting tied everything together. By starting with a single indicator (a hash, a certificate, a JavaScript signature) and pivoting through related infrastructure, analysts can uncover sprawling networks of malicious domains and IP addresses. This technique is essential for mapping larger campaigns that might otherwise appear as disconnected incidents.
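The pivoting described above, as an added example (not code from the session or the speakers): a breadth-first walk over constructed host observations that starts from one JavaScript hash and follows shared IPs, certificates and fingerprints. The field names, the `max_prevalence` cutoff and every value are assumptions made for the illustration.

```python
from collections import defaultdict, deque

PIVOT_FIELDS = ("ip", "cert_sha256", "ja4s", "js_hash")

# Constructed observations with placeholder values (not real indicators).
OBSERVATIONS = [
    {"domain": "login-a.example", "ip": "192.0.2.10", "cert_sha256": "cert-1", "ja4s": "ja4s-X", "js_hash": "js-1"},
    {"domain": "login-b.example", "ip": "192.0.2.10", "cert_sha256": "cert-2", "ja4s": "ja4s-X", "js_hash": "js-1"},
    {"domain": "portal-c.example", "ip": "198.51.100.7", "cert_sha256": "cert-2", "ja4s": "ja4s-X", "js_hash": "js-2"},
    # Unrelated hosts: the first shares only the very common fingerprint.
    {"domain": "shop-d.example", "ip": "203.0.113.5", "cert_sha256": "cert-9", "ja4s": "ja4s-X", "js_hash": "js-9"},
    {"domain": "news-e.example", "ip": "203.0.113.5", "cert_sha256": "cert-8", "ja4s": "ja4s-Y", "js_hash": "js-8"},
]

def pivot(seed, observations, max_prevalence=3):
    """Walk from a seed (field, value) through shared indicators.

    Returns {domain: [indicators that led to it]}. Indicators seen on more
    than max_prevalence hosts are not followed: a value shared by many
    hosts is weak evidence of common ownership.
    """
    index = defaultdict(set)  # (field, value) -> domains carrying it
    for obs in observations:
        for field in PIVOT_FIELDS:
            index[(field, obs[field])].add(obs["domain"])
    by_domain = {obs["domain"]: obs for obs in observations}

    found, seen, queue = {}, {seed}, deque([(seed, [])])
    while queue:
        indicator, path = queue.popleft()
        hosts = index.get(indicator, set())
        if len(hosts) > max_prevalence:
            continue  # too common to pivot on
        for domain in sorted(hosts):
            if domain in found:
                continue
            found[domain] = path + [indicator]
            for field in PIVOT_FIELDS:
                nxt = (field, by_domain[domain][field])
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, found[domain]))
    return found

if __name__ == "__main__":
    for domain, path in pivot(("js_hash", "js-1"), OBSERVATIONS).items():
        print(domain, "via", " -> ".join(f"{f}={v}" for f, v in path))
```

Each discovered domain keeps the chain of indicators that led to it, so an analyst can review why a host was linked before treating it as part of the same campaign.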
What made this session particularly valuable was that it wasn’t purely theoretical. Attendees had the opportunity to see these tools in action and understand how they’re actually used in modern threat analysis. Students are getting hands-on experience with these investigative techniques by applying them in classes given by Sandro and Niels.
The session also highlighted how threat intelligence work connects to broader organizational practices, including patch management and incident response. Understanding threats is only valuable if it informs how organizations defend themselves.
For anyone interested in cybersecurity careers, this session demonstrated that intelligence work is detective work: methodical, tool-driven, and requiring both technical knowledge and analytical thinking.
