National Cyber Warfare Foundation (NCWF)

Top 10 Takeaways from Predict 2025: Turning Intelligence Into Action


2025-10-22 15:54:05
milo
Blue Team (CND)

Predict is our annual, community-led conference where global threat intelligence leaders come together to share insights and work together to solve the most pressing problems in cybersecurity.


At our just-wrapped New York City and London events, presenters drew a sharp line connecting intelligence to impact. They challenged fellow leaders to make precision intelligence the core of their operations so they can both understand the threats that matter and work proactively to outmaneuver them.


“The future of intelligence is not just about seeing more threats,” said Colin Mahony, CEO of Recorded Future. “There’s always going to be more threats. It’s about stopping them. Automatically. Every. Single. Time.”


Read on for our top 10 takeaways from Predict 2025.


Takeaway #1: Proactive defense requires knowing your adversary.


Across Predict sessions led by Jack Watson of Global Payments and Steve Range and Patrick Davey of Mastercard, we saw how organizations are profiling threat actors, tracking campaign evolution, and simulating adversary behaviors to guide defensive strategy.


“Analysts are only as strong as their toolsets,” Watson said. “The Recorded Future Platform increases any analyst’s ability to detect, track, and potentially aid in the mitigation of malicious activity.”


His team uses features like custom Alerts, assessments, and the malware sandbox as well as visualization capabilities to understand threat actors and their TTPs. “When you put all the adversary activity in a single visualization,” he said, “you can start to see some interesting patterns that lead to hypotheses about how adversary activity could be related.”







Range and Davey showcased Mastercard’s adversary emulation program, which is designed to mirror threat actors’ TTPs, assess the efficacy of different security controls, and then take action.


“The important thing is trying to bridge that gap between cyber threat intelligence and an actual improvement in your security posture,” said Davey. In some instances, his team begins by reviewing Recorded Future Insikt Group® research on identified threat actors, and then dives into more granular information to identify TTPs and typical targets. Armed with this information, the team creates and conducts tests to make sure that their security controls work.


“It’s a little easier to play defense if you’ve seen the offense’s plays before,” said Range. “Recorded Future allows us to run a really effective and accurate emulation program, giving us a lot of context on how a TTP might work and allowing us to be really fine-tuned in the way we write our detections.”







How can you go from signal to story? Knowing the actor behind the Alert enables faster triage, more accurate response, and smarter prioritization. Explore Recorded Future Threat Intelligence.


Takeaway #2: Third-party risk management needs to be a living, breathing intelligence workflow.


Gone are the days of annual vendor reviews and static risk scores. As Mastercard’s Kelly White and Recorded Future’s Jerry Hodge made clear, third-party risk exposure now changes daily, driven by software vulnerabilities, cloud misconfigurations, and even geopolitical events. And with 30% of breaches coming from a third-party vendor, the standard compliance-driven, point-in-time approaches aren’t working.


White and Hodge explained that, in order to surface immediate threats across their supply chains, organizations need to take an intelligence-driven approach to third-party risk management.


Want to move from audit to action? Continuous threat intelligence applied to third parties can be the only way to keep up with dynamic digital ecosystems. Explore Recorded Future Third-Party Intelligence.


Takeaway #3: AI isn’t replacing analysts—it’s empowering them.


Another key topic at Predict was the evolution of threat intelligence from manual triage to AI-assisted decision-making. AI copilots, campaign clustering, and natural language querying were on full display—but the consistent refrain was this: Humans still need to lead.


Robert Moody from The Home Depot said that humans can’t match the speed of AI-enabled attacks, so the only way to scale and get in front of AI is to augment ourselves with AI. He explained that vulnerability management and prioritization workflows are ripe for AI automation, but given AI trust issues, the ideal arrangement is for humans to define remediation strategies and scope and then have AI help with risk scoring and compilation.

“Then, when something anomalous pops up, that's where a person comes in and is really useful in re-steering the ship,” he said. “You want them looking at the data. You want them making the contextualized decision. You want them determining the output of the analysis, the reporting format, and the value that's being created from what's occurring.”







Igor Tarpan and Erich Harbowy of Grammarly described their security organization’s “fundamental shift” to AI-driven tools. “By moving beyond static SOAR playbooks and rigid API calls, we developed systems capable of adaptive reasoning,” Harbowy said. “The real breakthrough came when we integrated Recorded Future not as a lookup service, but as a dynamic intelligence partner.”


The security leaders said their new system can understand context deeply, build attribution intelligently, and hunt proactively. And they said that, “In all cases, humans are still in the loop.”


Ready to shift from automation to augmentation? AI should amplify analysts’ throughput, not override their judgment. Learn more about Recorded Future AI.


Takeaway #4: The “noise” your SOC ignores may be your next breach warning.


Sanjay Kumar of Landis + Gyr highlighted a critical truth: Blocked domains, phishing attempts, and low-severity alerts are often dismissed—yet they can frequently be traced back to coordinated campaigns.


“Together, enrichment and pattern recognition allow us to move beyond reacting to isolated events and instead reveal the bigger campaigns hidden in plain sight,” he said. His team uses Recorded Future Collective Insights and Group by Detection capabilities to connect the dots. “That transformation from random noise to structured intelligence often decides whether we stop an adversary in their tracks or we’re left piecing things together after the fact.”







Of course, in a world where vulnerabilities outnumber the hours in your day, not everything can be patched—and perhaps not everything should be. That was the clear message from Recorded Future’s John Bock and Dr. Jared Smith, who challenged security teams to stop chasing CVSS scores and start focusing on what’s actually being exploited in the wild.


“Recorded Future’s Attack Surface Intelligence simulates an attacker’s reconnaissance to continuously discover and tie assets to your organization, and it pairs that information with 10+ years of structured datasets to create a complete profile of your attack surface,” said Bock. “Then it assesses your assets like a threat actor would, providing real-time exposure scoring and AI-enriched remediation guidance to help you prioritize patching and save time.”


How can you avoid overlooking signals and instead be over-prepared? Don’t ignore the breadcrumbs—investigate them. They may be your first and only warning. Explore Recorded Future Attack Surface Intelligence.


Takeaway #5: Cross-team coordination is critical.


In the Insights to Impact panel and Michelle McCluer’s presentation on Mastercard’s security journey, a common message rang out: Intelligence that doesn’t align to operational workflows is dead on arrival. The most successful organizations are building bridges between threat intelligence and stakeholders across and even beyond their organizations.


When Mastercard recognized that accelerating global threats demanded a unified, intelligence-driven response, the company launched its Nexus program to connect lines of business, industry partners, threat-assessment vendors, governments, customers, and merchants. Nexus leverages real-time, relevant, contextualized intelligence to break down silos, anticipate emerging risks, and directly link threat intelligence to business outcomes.


“Intelligence without context is just information,” McCluer said. “Context without timeliness is just history.”







How can your organization move from silos to sharing? Bring together expert internal and external stakeholders to ensure seamless intelligence sharing and rapid incident response.


Takeaway #6: Cybercriminals’ PR skills can be as dangerous as their hacking skills.


In a breakout session, Recorded Future’s Megan Keeling made it clear that threat actors are now actively managing their external brand reputation and expanding their reach using strategic PR tactics. From direct engagement with media and journalists to sharing exaggerated claims, their goal is to increase their operational effectiveness, influence ransom negotiations, and overcome doubts about whether they'll actually decrypt data or honor agreements.


“A cyber criminal’s reputation can be the difference between a ransom payment in the thousands versus a ransom payment in the millions,” she said. “And this is why…recognizing these tactics is essential to building resilience against these attempts to manipulate and influence you.”


Want to replace hacker hype with data-driven insights? If adversaries are controlling the narrative, they’re controlling your risk. Get a threat researcher’s perspective from the Insikt Group.



Takeaway #7: Collection without context is just more data.


Recorded Future’s Chris Holden and Kathleen Kuczma gave a thorough overview of the company’s proprietary intelligence collection capabilities, but emphasized that collection is only half the equation. What makes intelligence actionable is how it’s enriched, prioritized, and connected to an organization’s mission: from identifying victims communicating with active command and control (C2) servers via Network Intelligence to finding leaked API and AWS tokens on GitHub.


“Collective Insights aggregates and enriches detections across your stack—turning fragmented data into prioritized, threat-informed action,” Kuczma said. “One logistics customer used it to respond to a multi-stage intrusion, linking activity to Volt Typhoon and surfacing key insights in real time.”


Want to go from collection to connection? Demand intelligence that comes with attribution, impact scoring, and operational next steps. Learn more about Recorded Future Collective Insights.


Takeaway #8: Threat intelligence isn’t just defense—it’s a business accelerator.


Justin Klein Keane, Assoc. Director Digital Forensics & e-Discovery, Cyber Threat Intelligence & Incident Response at CSL Behring, made a powerful case: When cybersecurity teams align threat intelligence with real-world outcomes like protecting revenue, brand equity, or uptime, they stop being seen by the C-suite as a cost center and start driving strategic value.


“The first part of having a cyber threat intel program is really understanding your business, understanding the drivers, the business risks, and the business goals,” he said. Then, he said, you should develop priority intelligence requirements (PIRs) that map to those risks and goals so you can show the value of your team’s work to the overall business.


His advice to CTI leaders? “Root your program in metrics. Make sure that you have solid governance that ties to observable impact. Make sure that you're collecting data on the impact of your program even if you're not being asked for it. Advertise [your impact] whenever you can. And make sure that you're aligning your goals not only to the business but to other people in cyber security.”


Tobias Calås of SEB also spoke about the opportunity to create business value with threat intelligence. He stressed the importance of working with cross-organization stakeholders—from data scientists to subject matter experts, risk analysts to public relations teams—to understand their key security concerns and how those tie to business plans. Then, he said, focus your threat intelligence on those specific contexts.


“Security is a business enabler,” he said. “Be proactive and actively engage with your organization. Deliver, adapt, and evolve with the threat and your business. And last but not least, threat intelligence can add value everywhere.”







Ready to evolve from perimeter defense to profit protection? Intelligence that’s mapped to business outcomes doesn’t just reduce threats—it builds trust, increases speed, and accelerates decision making at scale. Explore Recorded Future Threat Intelligence with AI reporting.


Takeaway #9: Track your adversary to protect your organization.


Nation-state actors don't announce their arrival—they probe silently, targeting edge devices and network infrastructure to establish footholds for espionage.


Recorded Future's Sveva Scenarelli and Kathleen Kuczma provided a debrief on the latest RedMike (Salt Typhoon) campaigns, demonstrating how Network Intelligence exposed this Chinese state-sponsored group's systematic targeting of telecommunications edge devices and critical infrastructure.


"Our key differentiator is our proprietary dataset, Recorded Future Network Intelligence, which allows us to observe how threat actors are interacting with their own servers, what they are using those servers for, and proactively identify target victims of those threat actors," Scenarelli said. "This is combined with honeypots that Recorded Future runs, and which allow us to capture in real time how threat groups might attempt to exploit or abuse specific technologies."


By observing RedMike's command-and-control infrastructure and monitoring how the group scans for vulnerable edge devices, the analysis revealed targeting of specific organizations and exploitation of zero-day vulnerabilities in network appliances.


Want to understand when nation-state actors are surveilling your infrastructure? Network Intelligence provides visibility into adversary reconnaissance of edge devices, C2 communications, and targeting selection. Network Intelligence is available with Recorded Future’s SecOps and Threat Intelligence Modules.


Takeaway #10: Threats don’t sleep, and neither should your detection.


As supply chains grow more complex, your attack surface can expand beyond your control. Adam Thimons of JPMorganChase shared how his team operationalizes threat intelligence on their third parties, embedding it into vendor workflows to catch compromises early and contain risk before it spreads.


Thimons said that, with over 6,000 suppliers, his team expends significant effort determining which suppliers are most critical, and uses an algorithm to score the potential impact of a cyber incident at each critical supplier. To understand vendors that may be more vulnerable than others, the team overlays data from intelligence vendors like Recorded Future to guide their investigations.







And because attackers operate around the clock, Jon Miller and Laura Hoffman of Recorded Future shared a new blueprint for 24/7 threat hunting. By combining human expertise with autonomous detection, teams can build always-on hunting programs to actively seek out threats instead of waiting for alerts.


They showed how new Autonomous Threat Operations from Recorded Future reduces manual effort by:



  • Continuously enriching intelligence with real-time updates via dynamic Risk Scores

  • Automatically correlating across sources, including external sources like ISACs and commercial feeds

  • Applying expert behavioral analysis in the query language your technologies use—no need to spend time translating SIGMA to KQL or YQL


“Autonomous Threat Operations not only shifts your focus from chasing yesterday’s IOCs to proactively identifying malicious behavior patterns, but it also puts today’s most current, validated indicators at your fingertips,” said Hoffman. “This turns even the bottom of the Pyramid of Pain into actionable intelligence, and it empowers analysts to respond faster and with greater precision.”


Need to evolve from limited visibility to continuous defense? Whether managed by your vendors or your own SOC, intelligence-driven detection must run as continuously as the threats you face. Learn about new Recorded Future Autonomous Threat Operations.


Advance your journey with our Threat Intelligence Maturity Assessment.


Our free assessment offers a comprehensive evaluation of your current capabilities, specific next steps to advance, and resources designed for your exact situation. Take the assessment today.



Source: RecordedFuture
Source Link: https://www.recordedfuture.com/blog/top-10-takeaways-from-predict-2025





Copyright 2012 through 2025 - National Cyber Warfare Foundation - All rights reserved worldwide.