Trust is not a boolean
Every CTI practitioner has a contact list. Probably several. What nobody writes down is which contacts you can actually ask what. Trust in this space is layered, context-dependent, and built over years. Get it wrong and you burn a relationship. Get it right and you have something no vendor can sell you.
Here is how I think about it.
The inner circle
These are the people you have met in person, probably shared a beer (probably more than one) with, and have known long enough that you trust them with pretty much anything. You can call them at odd hours during an incident. You can ask them technical questions, strategic questions, and sensitive ones too.
“Someone from your company just applied for a role at mine, what do you think of them?” That is a question you can only ask at this tier. It requires absolute confidence that it stays between you two, that nobody gets burned, and that the answer is honest. If you have to think twice about whether you can ask, this person is not in your inner circle.
These relationships are rare. You might have five of them. Maybe ten if you have been around long enough.
Former colleagues
You worked together. You know how they think, how they handle pressure, and whether they are competent. That kind of trust is earned through shared work, not shared drinks.
The tricky part: it shifts when one of you changes employers. The person is still the same, but the context is different. Their obligations changed. Their employer’s interests might not align with yours anymore. You still trust them personally, but you calibrate what you share and what you ask. A question about their old org is fine. A question about their new org’s internal posture requires more care.
Former colleagues are a strange tier because the trust level is high but the boundaries are in flux. It’s not unlikely that they become inner circle however.
Sharing group members
ISACs, closed sharing groups, sector-specific communities, you know the kind. Membership is vetted. You see the same names in the same channels. You have probably met most of them in person at some event or working session.
These are your go-to people for technical and security questions related to their organizations. “Are you seeing this campaign too?” or “Do you have a detection for this technique?”, perfectly normal. You can ask them for a point of contact at their company if you need to coordinate on something specific.
What you cannot do is cross into personal or sensitive territory. That HR question from earlier? Off-limits here. These relationships are professional, bounded by the group’s norms, and usually governed by some form of sharing agreement like TLP. Respect the boundaries and they will stay useful for years.
National and government CERT contacts
Most countries have a national CERT or CSIRT, and if you work in a regulated sector you probably have a formal relationship with them. These contacts are useful, especially during incidents with national scope or when you need to report something that crosses organizational boundaries.
The trust here is formal. It is defined by mandate, protocol, and sometimes law. You can share IOCs, report incidents, and get situational awareness. What you will not get is the kind of candid back-and-forth you have in a sharing group. The relationship is structured by design. That is not a flaw, it is the point. They serve a coordination function, not a peer-trust function.
Use them for what they are good at. Do not expect them to operate like your inner circle.
Broad sharing groups
Some sharing groups are large. Dozens or hundreds of member organizations. You might not know most participants personally. The signal-to-noise ratio varies.
These groups are best used for quick polls and broad sentiment. “How many of you have migrated off this vendor?” or “Is anyone else seeing a spike in deepfakes this week?”, the kind of questions where aggregate data matters more than deep technical detail. The results are useful when you need to present a data point to your management. “Twelve other organizations in our sector reported the same issue” carries weight in a board meeting.
Do not expect deep trust here. The value is in breadth, not depth. These groups often exists of members you don’t want to deal with personally anyways.
Conference contacts
You met at a conference. Maybe you had a good conversation over coffee. Maybe you ended up at the same dinner. You exchanged details and connected on LinkedIn or wherever.
These people are not trusted in the operational sense. You would not share sensitive indicators with them and you would not ask them about their company’s security posture. But they serve a different purpose entirely: they are door openers. They can introduce you to the right person in their organization. They can vouch for you when you want to join a sharing group. They can point you toward communities you did not know existed.
Never underestimate the value of someone who can make an introduction. Half of the useful relationships in CTI started with “you should talk to this person I met at that conference.”
Vendor and commercial CTI contacts
Vendors sell threat intelligence. Some of them are good at it. The relationship is transactional by nature, and that is fine, just be clear-eyed about it.
They share because it is their business model. The information they give you is shaped by what they want you to buy, what they want to be known for, or what serves their marketing. That does not make it useless. It means you apply a filter. Cross-reference what they tell you. Do not confuse a vendor briefing with peer-to-peer sharing.
Some vendor contacts become genuine peers over time, especially the ones who used to be practitioners themselves. When that happens, they tend to migrate up your trust tiers naturally. But the default starting position is: limited trust, one-directional flow, and a healthy skepticism about their motive (=money).
These tiers are not fixed
People move between tiers. A sharing group contact becomes a close friend after years of working together. A former colleague joins a vendor and the dynamic shifts. Someone from a conference introduction ends up in your inner circle after a joint incident response.
The point is not to put people in boxes permanently. The point is to be intentional about what you share and what you ask, and to recognize that not every relationship in CTI operates at the same level. Most of the damage in this space comes from treating a conference contact like an inner-circle contact, or from never building inner-circle relationships at all.
Build your circles deliberately. Protect the trust you have earned. And when someone trusts you with a sensitive question, treat that as the privilege it is.