FIRSTCTI Berlin Insights
I recently attended FIRSTCTI, a conference focused on cyber threat intelligence. It's a conference where people share knowledge, discuss new ideas, and consider proactive approaches in relation to threat intelligence. In this blog, I will share three key insights: Stakeholder engagement, the Admiralty System, and Priority Intelligence Requirements (PIRs).
Engaging Stakeholders and Defining Roles Early
Stakeholders were a recurring theme at FIRSTCTI. Early alignment, clear roles, and thoughtful conversations up front will set a project up to succeed. Below are some items that stood out to me most.
→Interview stakeholders thoroughly at the start of a project. Sit down, ask every question you can think of and then ask ten more. Take care not to presume a complete understanding of their viewpoint.
→Drive better adoption by solving the right problem. It will be difficult to build the right solution if you don’t deeply understand the real problem. Putting in just 10% more effort upfront can save you ten times that during reviews, rework, and cleanup at the end.
→Not everyone needs to sign off. Deconflict early by aligning with stakeholders on their roles—clarify who needs to sign off and who simply needs to be informed, so that expectations are shared, buy-in is clear, and the review process stays focused and efficient.
The Admiralty System
When presented with new information, the logical inquiry is: how true is this? Can I trust it? In threat intelligence, being able to clearly represent the accuracy and trustworthiness of information is critical.
Originally developed by the Royal Navy in the 1940s, the Admiralty system is a framework for evaluating sources and the reliability of the information they provide. Sources are ranked from A to F (how reliable they are), and the information itself is rated from 1 to 6 (how credible it is). For a deeper dive, see this SANS article.
For example: if a trusted internal system logs suspicious activity from a server, that source might be rated A1—highly reliable source, highly credible information. But if an anonymous forum post claims the same server is compromised, that might be rated E4—unreliable source, information of doubtful credibility.
The Admiralty System works best evaluating individual items at the tactical level and not broader strategic reports, which are often more subjective. The Admiralty system is gaining traction in the intelligence community because of the clarity and efficiency that it offers.
Priority Intelligence Requirements (PIRs)
Information overload is familiar to all of us. There are endless things that we could be doing at any given moment. One of my favorite authors, Oliver Burkeman, wrote a whole book about this called Four Thousand Weeks: Time Management for Mortals where he makes a case for embracing our limitations and argues that it’s our limitations that give meaning to what we choose.
That idea was on my mind at the conference, where I found myself in a hallway lined with mirrors—a fitting reminder that every choice reflects not just what we do, but what we’ve decided to leave behind.
In the CTI space, Priority Intelligence Requirements (PIRs) help teams focus their attention by defining what matters most. PIRs guide collection efforts, shape analysis, and help identify the most relevant threats. For example, in the open-source platform MISP, you can use keywords or tags aligned with your PIRs to filter threat intel and surface techniques relevant to your organization. Read more about PIRs on this FIRSTCTI page.
Summary
At FIRSTCTI, I kept coming back to a simple idea: better questions lead to better focus. Clear roles, information, and priorities make all the difference when everything feels urgent. If I had to sum up the conference in one word, it would be intention.
And next time you find yourself in Germany, you MUST try the Currywurst and preferably at Curry61. Definitely well-known for a good reason.
