Ever wonder why your TI platform ingests thousands of new indicators a day and still finds almost nothing useful? We dig into the gap between volume and relevance with Sergio Albea of SWITCH, who built a simple, powerful framework to make IOCs matter for real users in real environments. The idea is direct: score every indicator by system, language, location, and sector so your detections match the way attackers actually operate.

We walk through practical examples that flip the match rate from near-zero to meaningful hits. A URL mentioning Zurich or SBB scores higher for Swiss campuses. German or French lures outrank Spanish in that context. Mac fleets discount Windows-themed bait. Subject lines about research grants and student loans rise to the top. With that context, Sergio operationalizes Match4 using Azure Logic Apps to run KQL collectors, aggregates indicators in MISP, and pushes high-confidence URLs into Microsoft Defender TI Indicators to stop access at the endpoint—vital for students traveling worldwide.

The impact grows as signals are shared. When one university sees a malicious domain, neighbors with similar language and services often see it next, revealing how threat actors campaign by sector. By centralizing across European NRENs, the team builds a living, education-focused threat feed you can’t buy off the shelf. Bonus: the data now surfaces cross-org targeting patterns, extends IOC lifetimes for “golden tickets,” and preserves history for threat hunting long after default telemetry ages out.

If you’re tired of bloated, generic feeds and want precise detections that block real attacks, this conversation lays out the roadmap: prioritize relevance, automate collection, enforce at endpoints, and collaborate across your sector. Grab Sergio’s open-source templates on GitHub, start with a few collectors, and score for your environment—education, healthcare, finance, or beyond. Subscribe for more CTI strategies, share this with your team, and leave a review to help others find the show.

Send us Fan Mail

Support the show

Thanks for tuning in! If you found this episode valuable, don’t forget to subscribe, share, and leave a review. Got thoughts or questions? Connect with us on our LinkedIn Group: Cyber Threat Intelligence Podcast—we’d love to hear from you. If you know anyone with CTI expertise that would like to be interviewed in the show, just let us know. Until next time, stay sharp and stay secure!