August 14, 2025

T. Rowe Price’s PJ Asghari’s "What, So What, Now What" Framework for Threat Intel

25 minutes

What does it take to transform a traditional event-driven SOC into an intelligence-driven operation that actually moves the needle? At T. Rowe Price, it meant abandoning the "spray and pray" approach to threat detection and building a systematic framework that prioritizes threats based on actual business risk rather than industry hype.

PJ Asghari, Team Lead for Cyber Threat Intelligence Team, walked David through their evolution from a one-person intel operation to a program that directly influences detection engineering, fraud prevention, and executive decision-making. His approach centers on the "what, so what, now what" framework for intelligence reporting — a simple but powerful structure that bridges the gap between technical analysis and business action.

Topics discussed:

Moving beyond event-based monitoring to prioritize threats based on sector-specific risk profiles and threat actor targeting patterns rather than generic threat feeds.

Focusing on financially-motivated actors, initial access brokers, and PII theft rather than nation-state activities that rarely target mid-tier financial firms directly.

Addressing the cross-functional challenge that spans HR, talent acquisition, insider threat, and CTI teams.

Using mise en place principles from culinary backgrounds to establish clear PIRs that align team focus with organizational needs.

Creating trackable deliverables through ticket systems, RFI responses, and cross-team support that translates intelligence work into measurable business impact.

Maintaining critical thinking and media literacy skills while leveraging automation for administrative tasks and threat feed processing.

Key Takeaways:

Implement the "what, so what, now what" reporting structure to ensure intelligence reaches appropriate audiences with clear business implications and recommended actions.

Build cross-functional relationships with fraud, insider threat, and vulnerability management teams to create measurable value through ticket creation and support requests rather than standalone reporting.

Establish sector-specific threat prioritization by mapping threat actors to your actual business model rather than following generic industry threat landscapes.

Create trackable metrics through service delivery, including RFI responses, expedited patching recommendations, and credential compromise notifications to demonstrate concrete value.

Focus hiring on inquisitive mindset and communication skills over certifications, using interviews to assess critical thinking and ability to dig deeper into investigations.

Map threat actor TTPs to MITRE framework to identify defense stack gaps and provide actionable detection engineering guidance rather than just IOC sharing.

Invest in dark web monitoring and external attack surface management for financial services to catch credential compromises and brand abuse before they impact customers.

Establish regular threat actor recalibration cycles to ensure prioritization remains aligned with current threat landscape rather than outdated assumptions.

Listen to more episodes:

Apple

Spotify

YouTube

Website

...more

View all episodes

By Team Cymru

4.5

1111 ratings