BSides Vancouver 2026

Every year we get faster tools, better dashboards, and more detections. And every year, analysts still miss things. Not because the tools failed, but because the thinking did.

Cybersecurity borrowed heavily from the military: the Kill Chain, MITRE ATT&CK, red teaming, threat intelligence. But we skipped one of the most important things the intelligence community invested in: teaching their analysts how to think. The CIA spent decades studying why smart analysts make bad calls. They built frameworks, published research, and made critical thinking a core discipline. In cybersecurity, we hand someone a SIEM and say good luck.

This talk explores what happens when we apply intelligence community thinking to cybersecurity analysis. Not academic theory, but practical habits that change how you investigate alerts, assess threats, and make decisions under pressure. Why do analysts anchor on the first hypothesis? Why does confirmation bias turn a routine investigation into a missed breach? And what can you do about it starting Monday morning?

Tools change every year. Thinking compounds forever.