CTI: From Threats to Intelligence · Tech & Meet

I attended a quite insightful Tech & Meet session titled "CTI: From Threats to Intelligence", given by Niels Desloover and Sandro Manzo. As someone leaning into the digital forensics and incident response side of cybersecurity, sessions on the intelligence layer always feel useful: it's the part of the picture that explains why you see the indicators that you see, not just what they are.

What stuck with me

One of the key takeaways for me was learning how phishing emails are countered through initiatives such as the BAPS (Belgian Anti-Phishing Shield), a system that warns internet users when they try to browse to a fraudulent or malicious website by redirecting them to a warning page. The interesting part is where this happens: it's applied at the Belgian DNS level, which means the protection is national-scale rather than per-browser or per-vendor. You don't have to install anything as a user; the country's resolvers are doing the work.

The second tool that caught my attention was BeFish. The mechanism is delightfully simple: users forward suspicious or phishing emails to suspicious@safeweb.be. From there, analysts process the samples, the malicious infrastructure gets blocked, and less attentive users downstream end up protected as a side effect. It's a tidy example of crowd-sourced telemetry feeding into automated defence.

Why this resonated with me

Two things made the session land harder than I expected:

• The collaboration angle. Threat intelligence isn't useful in isolation. BAPS and BeFish only work because telephony operators, DNS providers, CERTs, and end users are all sending signal into the same pipeline. That coordination, more than any single tool, is what actually moves the needle on phishing.
• The country-level posture. Most cybersecurity training material is vendor-shaped — buy X product, deploy Y agent. Seeing what a national infrastructure response looks like was a useful change of frame, especially as Belgium leans further into proactive defence.

What I'm taking away

• Phishing controls work best when they're stacked: education, mail-side filtering, DNS-level blocking, and a feedback loop from real users.
• "Submit suspicious mail to X" is a habit worth promoting outside cyber circles too, because it directly improves the protection everyone else gets.
• The CTI mindset (threats → intelligence → defence) is a mental model I want to apply to my own DFIR work: every artefact I see in an investigation is potentially intelligence for the next one.

Overall, a really informative evening that made it visible how collaborative threat intelligence and proactive defences are quietly strengthening Belgium's cybersecurity landscape.