NEW2CTI | Red Teams with Receipts

NEW2CTI | Red Teams with Receipts: Operationalizing CTI for Real Adversary Simulations

🎙️ Nigel Boston, Senior Cyber Threat Intelligence Analyst, Grainger
🎙️ Ralph Hittell, Offensive Security Lead, Grainger
📍 Presented at SANS CTI Summit 2026

Red teams often rely on generic playbooks that don’t reflect how adversaries truly operate. Meanwhile, CTI produces detailed insights into campaigns and TTPs that too often go unused. This talk will show how to bridge that gap by using CTI as the “receipts” to design red team operations that emulate actual threats.

We’ll walk through practical workflows for turning CTI into adversary playbooks, highlight tools for operationalizing intelligence, and share lessons from real-world scenarios, including how intelligence on Black Basta ransomware was operationalized into a red team exercise. This case study will illustrate how threat reporting was mapped to MITRE ATT&CK, converted into testable scenarios, and used to drive realistic adversary emulation that provided value to defenders and leadership alike.

Actionable Takeaways:
- How to transform CTI reports into red team playbooks grounded in real threats
- Workflows and tools to operationalize CTI in adversary emulation
- Case study: operationalizing Black Basta intelligence into a red team exercise
- Metrics to demonstrate business and security value