From GCHQ to Building effective OSINT and Cyber Threat Intelligence (CTI) Functions - Interview with Aaron Roberts (S2E3)

SummaryIn cybersecurity, understanding the intricacies of intelligence tradecraft can make all the difference. In this insightful interview, cybersecurity expert Aaron Roberts shares his journey from military intelligence to founding Perspective Intelligence. He discusses the evolution of cyber threat intelligence, practical training approaches, the impact of AI, and how to build a successful intelligence function.Aaron’s path into intelligence started with a fascination for intelligence and a local awareness of GCHQ, the UK’s Government Communications Headquarters. He candidly shares, "I always tell people this story and I don't think anyone believes me, but I used to watch a lot of 24." He recalls, "I was always interested in military history and intelligence services, which guided my career path." This foundational knowledge helped him navigate the complexities of cyber intelligence later on.After working at GCHQ, Aaron faced a significant decision: stay in public service or explore opportunities in the private sector. He explains, "I thought I was always going to be there for life," but personal circumstances and the evolving cybersecurity landscape prompted him to make a change. Aaron’s experiences provide valuable insights into cyber threat intelligence (CTI). He emphasizes the importance of adapting to new threats and technologies. "Cybersecurity is an ever-changing landscape, and staying ahead requires constant learning and adaptation," he advises.One key area Aaron focuses on is Open Source Intelligence (OSINT). He finds it fascinating how the internet can be utilized for intelligence investigations. "Using the internet for intelligence work is incredibly powerful," he states. This approach allows organizations to gather insights that are often overlooked in traditional intelligence methodologies.In 2021, Aaron published his book on cyber threat intelligence, a project that began during the early days of the COVID-19 lockdown. He shares, "I decided to write a book because there wasn’t much available for non-analysts looking to understand threat intelligence better." The process was both challenging and rewarding, providing him with a platform to share his knowledge and experiences.ResourcePerspective Intelligence - https://perspectiveintelligence.co.uk/ WannaCry - https://en.wikipedia.org/wiki/WannaCry_ransomware_attack KASE Scenarios OSINT Training Platform - https://kasescenarios.com/KASE Scenarios PRoject SandShark - https://kasescenarios.com/project-sandshark Diamond Model - https://www.threatintel.academy/wp-content/uploads/2020/07/diamond_summary.pdf Intel architecture mindmap - https://github.com/Errum/IntelArchitectureMapThe cyber threat intelligence book - https://www.amazon.com/Cyber-Threat-Intelligence-No-Nonsense-Security/dp/1484272196 TCM Security SOC 101 - https://academy.tcm-sec.com/p/security-operations-soc-101Michael Koczwara's Hunting Adversary Infrastructure Training Course - https://academy.intel-ops.io/courses/hunting-adversary-infraIntel471 Cyber underground Handbook - https://www.intel471.com/cyber-underground-handbookAdmiralty Scale blog post - https://www.sans.org/blog/enhance-your-cyber-threat-intelligence-with-the-admiralty-system/Chapters00:00 Introduction to Intelligence Careers04:21 Transitioning from Government to Private Sector12:23 Becoming a Published Author20:37 The Importance of Context in Cyber Intelligence28:08 Challenges in Open Source Intelligence36:53 Defining Intelligence: What It Is and Isn't44:47 Critical Thinking in Intelligence Analysis51:52 Training and Certifications in Intelligence59:14 Success Criteria for Intelligence Functions01:05:07 The Future of Cyber Threat Intelligence01:11:03 The Role of AI in Intelligence01:18:18 Advice for Aspiring Intelligence ProfessionalsPS! This conversation is a compressed edit of an interview Freddy has conducted as part of his PhD research. The interview happened on July 1st, 2025 in London, UK.