This open source book explores how intelligence and cyber-security analysts can uncover hidden links between threat actor infrastructure and ongoing investigations by pivoting on both classic and unconventional indicators — many of which are often overlooked. The material is grounded in empirical, field-tested strategies used in cyber-security, digital forensics, cyber threat intelligence, and intelligence analysis more broadly.

I released the first version of this book following the FIRST.org CTI Conference 2025 in Berlin, where the initial idea for the project emerged.

Our goal is to provide analysts with a practical toolkit of analytical methods, supported by real-world examples, to enhance investigative workflows without locking them into a single mindset, strict model, or overly rigid technical strategy. Instead, the book encourages creative exploration, data-driven reasoning, and the use of diverse data points — from traditional IOCs to subtle metadata traces — as part of a flexible and repeatable analytical process.

The approach presented throughout this book is intentionally built upon open-source tooling, most notably the MISP threat intelligence platform and the AIL Project. By relying on transparent and widely adopted tools, every technique described here can be reproduced, validated, and reused by analysts, researchers, educators, or incident response teams. This ensures that the methodology is not theoretical or proprietary, but openly verifiable, community-driven, and designed to evolve. The book itself follows the same philosophy: it is an open, living document, publicly versioned, and contributions are welcomed directly via Git. Readers are encouraged to experiment, improve, and extend the content, making the entire workflow repeatable, auditable, and collaborative within the wider defensive security community.

Background Story

This book grew out of an iterative, hands-on process tightly coupled with our day-to-day work. Rather than starting from a fixed theory, it evolved alongside real investigations—tracking threat actors, uncovering infrastructure, and experimenting with unconventional pivoting techniques as new challenges emerged.

Each discovery fed back into our tooling: ideas were tested, adjusted, sometimes discarded, and often refined through repeated use. This constant loop of observation, experimentation, and validation shaped both the content of the book and the evolution of the tools supporting it.

Much of this work happened in motion—on trains during daily commutes, between incidents, or while reviewing fresh data. That constraint encouraged pragmatism: techniques had to be simple enough to apply quickly, yet powerful enough to reveal meaningful connections. The result is a book that reflects continuous learning in practice, grounded in real-world analysis rather than static models.

• 🔗 PDF - The Art of Pivoting
• 🔗 Source of the book in Markdown (if you want to contribute ;-)