Posted
Modern financial threats don’t respect boundaries. Inside a large UK bank’s journey to integrate intelligence and streamline response.
I recently sat down with a top security intelligence analyst at one of the UK’s largest banks to talk about how they’re reshaping their intelligence program with ThreatConnect. What follows is their story, in their own words, of how they went from cyber-only to a truly blended intelligence function that brings together geopolitical, cyber, and physical risks.
Introduction
In today’s interconnected world, the line between geopolitical risk, cyber threats, and physical security has all but disappeared. A regional conflict can lead to nation-state cyberattacks on financial institutions, travel risks for employees, sanctions impacting investments, and fraud campaigns exploiting global uncertainty.
For a bank with operations spanning continents and billions of transactions at stake, treating these domains separately is no longer an option. To stay ahead, this large UK bank has built a blended intelligence team that unites geopolitical, cyber, and physical intelligence into a single mission – powered by ThreatConnect.
From Cyber-Only to Blended Intelligence
Their intelligence function began with a purely cyber focus. However, as the geopolitical climate shifted and threats became more complex, the team realized that cyber intelligence alone couldn’t give the business the answers it needed.
Elections, armed conflicts, disinformation campaigns, and sanctions all created ripple effects across the bank’s operations. Executive impersonation scams on social media weren’t just a cyber risk – they raised fraud concerns, reputational issues, and even physical safety considerations.
The solution was to evolve. Over the last two years, the bank has expanded into a “blending team,” combining specialists in geopolitics, physical security, and cyber intelligence. As one analyst put it:
“We used to be just cyber. Now we’re looking at how physical and geopolitical events create cyber risks – and vice versa.”
How the bank Operationalizes Geopolitical Intelligence
Daily Workflows and Triage
Each morning begins with triage. Analysts review incoming alerts, events, and reports – but what used to take hours can now be done in minutes. Dashboards in ThreatConnect are tuned to specific Priority Intelligence Requirements (PIRs), letting analysts pivot between cyber indicators, geopolitical developments, and physical threats.
For example, the bank tracks specific nation-state actors across multiple domains. A dashboard pulls together cyber threat activity from actors like “Famous Cholima” and “Scattered Spider” as well as physical security data on restricted travel. They also use ThreatConnect’s Workflow feature to track cases related to executive impersonation campaigns. Through ThreatConnect integrations, takedowns of fraudulent social media accounts are now automated and auditable.
Priority Intelligence Requirements (PIRs)
The bank’s PIRs once focused only on malware families and actor groups. Now, they include geopolitical flashpoints such as Russia/Ukraine, China/Taiwan, and global election interference.
Until recently, PIR reviews were quarterly and tracked in Excel spreadsheets. This year, the bank moved the entire process into ThreatConnect, transforming it into a monthly, auditable workflow. Analysts now update their PIRs directly in the platform, mapping each case to the evolving threat landscape. For every PIR, they explain the current threat level and whether it should remain active.
This shift means PIRs are continuously aligned with real-world conditions rather than waiting for quarterly reviews. It also provides a traceable record of why each PIR matters – and ensures nothing falls through the cracks.
For each PIR in ThreatConnect, analysts ask: Do we still need this PIR? Has the threat level changed? What credible scenarios should we model? These auditable workflows improve accuracy and build trust with stakeholders across the bank.
ThreatConnect in Action: The Technical Side
ThreatConnect serves as the backbone for this bank’s blended intelligence program. Analysts use:
- Country profiles and dashboards that centralize reports, indicators, and tags
- Nation-state dashboards mapping activity from known adversaries
- Automated workflows for key use cases, such as:
- ATM security: If an attack occurs near one ATM, nearby ATMs are automatically risk-rated higher
- Executive impersonation: Fraudulent Social Media accounts are flagged and removed through API integrations with takedown providers
This centralization and automation turn intelligence into action.
Example: The team use ThreatConnect as a mechanism to identify high fidelity information from multiple sources which is auto enriched and pushed to perimeter firewall to support proactive mitigation activities. Without this centralized system, the organization would face increased manual workload, and a higher risk of exposure to emerging threats.
The Business Impact
For this bank, intelligence isn’t just about feeds and alerts – it’s about supporting business decisions. The team produces:
- Monthly briefings for 200–300 stakeholders across the bank
- Quarterly forecasts mapping out flashpoints and credible scenarios
- Threat forecasts for the next year and beyond across cyber, geopolitical, fraud, and physical domains
“Tippers” (short threat advisories) can trigger the creation of cross-bank threat management groups, ensuring all stakeholders – from fraud to IR – respond in lockstep. ThreatConnect is used to centralise intelligence used in the response, allowing the bank to track everything from creating an incident to associating relevant intel.
The impact of Tippers and other deliverables, are measured in two ways: through qualitative feedback and quantitative dashboards. Stakeholders provide feedback during monthly calls or in exit polls, helping the team validate relevance. At the same time, metrics dashboards show hard outcomes such as the number of IoCs blocked at the firewall or vulnerabilities escalated to Attack Surface Reduction.
Together, this combination of feedback and metrics demonstrates how intelligence translates into tangible business outcomes.
Looking Ahead: The Future of Blended Intelligence
This bank’s intelligence team is clear: they are only at the beginning of what’s possible. Among their goals:
- Automated country risk ratings tied to physical assets like ATMs
- Expanded API integrations to further streamline workflows
- Deeper automation of reporting to scale forecasting and advisories
As one analyst put it:
“The exciting part is we’re only at the beginning of what’s possible.”
Closing
This bank’s story is a blueprint for the future of financial intelligence. By breaking down silos between cyber, physical, and geopolitical domains – and operationalizing everything in ThreatConnect’s Intel Hub – they’ve built a model of intelligence that is faster, more reliable, and more aligned with business risk.
For other organizations facing similar challenges, the lesson is clear: modern threats don’t respect boundaries, and neither should your intelligence program.