Matt Johansen (Mattjay)—longtime cybersecurity practitioner and founder of Vulnerable U—on why LLMs fundamentally change what's possible with threat intelligence, and why teams that aren't building with AI agents are already behind.
Beyond IOCs: Understanding Threat Actor Behavior
Johansen sees Mallory as an opportunity to move past indicators of compromise and into understanding what threat actors are actually doing. Cybercriminals broadcast their MOs—their latest campaigns, techniques, and targets—and Mallory digests that information in the context of your environment.
"Until you're in the hot seat at one o'clock in the morning responding to that actual incident, you start to realize what was turned on and turned off."
The key use case: early intelligence that tells you the delta between a threat actor's behavior and your environment—so you know exactly what to fix, right now.
LLMs Change Everything
Johansen has long called threat intelligence "a luxury"—only a small percentage of teams could extract real value from it. LLMs change the equation in two ways:
- Natural language access — you can ask questions like "what do I need to be worried about today?" and actually get an answer.
- Agent-driven consumption — AI agents can consume intel and act on your team's behalf, using knowledge of your environment and the current threat landscape.
"If you're not looking at AI agent detection building right now, you're already behind."
