The Defender's Advantage Podcast
Episode: Using GTI to Hunt Adversaries on the Dark Web
Date: March 23, 2026
Host: Luke McNamara
Guests:
- Jose Nazario (Senior Principal, Google Threat Intelligence Group)
- Brandon Wood (Product Manager, Google Threat Intelligence Group)
Episode Overview
This episode explores the new dark web monitoring and threat intelligence capabilities now available in Google Threat Intelligence (GTI), with a particular focus on how Gemini AI is leveraged to provide highly accurate, context-rich alerts to defenders. The conversation delves into the problems with older approaches (false positives, lack of context), the importance of understanding threat actors across global underground communities, and how AI can empower defenders to keep pace with changing adversarial tactics.
Key Discussion Points & Insights
1. The Challenges with Traditional Dark Web Monitoring
- Noisy Alerts: Traditional tools often relied on regular expressions (regex) or rudimentary machine learning to trigger alerts for brand mentions or keywords, producing a deluge of irrelevant noise.
  “We create monitors largely based on regex... as a threat actor says something on the underground, we create an alert for it. Unfortunately, with this approach... it creates a ton of noise for threat intel teams and SOC teams.” — Brandon (03:09)
- Evasion Tactics: Threat actors deliberately obscure references to organizations, using vague language, misspellings, or euphemisms that bypass basic keyword monitoring.
  Example: instead of "Coca Cola," they'd say "large soda manufacturing company, not the blue one." (05:20)
- False Positives: Existing systems (including previous GTI tools) struggled to differentiate between words with multiple meanings (e.g., “Apple” the company vs. “apple” the fruit), leading to even more false alerts.
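The three failure modes above (noise, evasive phrasing, ambiguous brand words) are easy to reproduce. The following is an added illustration written for this summary, not code from GTI or from the speakers: a classic regex brand monitor next to a somewhat hardened one, run over a handful of constructed forum-style posts. The watchlist, the leetspeak map, the TRADE_CONTEXT keyword list and the ground-truth labels are all assumptions made for the example.

```python
import re

# Constructed sample posts (not real underground data). Posts 1, 3 and 4
# genuinely concern a watched organization; 2 and 5 are benign chatter.
SAMPLE_POSTS = [
    {"id": 1, "text": "Selling RDP access to Apple corporate network, 5k$, escrow ok"},
    {"id": 2, "text": "lol had an apple for lunch, anyway who has the dump from yesterday"},
    {"id": 3, "text": "Access to large soda manufacturing company, not the blue one. PM for details"},
    {"id": 4, "text": "fresh C0ca-C0la emp creds, 2k lines, hit me up"},
    {"id": 5, "text": "New Apple Watch review thread, no hacking here"},
]

WATCHLIST = ["Apple", "Coca Cola"]          # assumed brand watchlist
GROUND_TRUTH = {1, 3, 4}                     # assumed analyst labels for the sample

# Assumed, illustrative vocabulary that signals criminal trade context.
TRADE_CONTEXT = re.compile(
    r"\b(access|creds?|credentials|dump|rdp|vpn|escrow|lines|for sale|selling)\b", re.I
)

# Common leetspeak substitutions; undone before matching.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def naive_monitor(posts, watchlist):
    """Classic approach: case-insensitive regex match on the brand name.

    Fires on any occurrence, including the fruit and product reviews, and
    misses obfuscated spellings and euphemisms entirely.
    """
    hits = []
    for post in posts:
        for brand in watchlist:
            if re.search(re.escape(brand), post["text"], re.I):
                hits.append((post["id"], brand))
    return hits


def normalize(text):
    """Undo simple leetspeak and punctuation tricks ('C0ca-C0la' -> 'coca cola')."""
    t = text.translate(LEET_MAP).lower()
    t = re.sub(r"[-_.]", " ", t)
    return re.sub(r"\s+", " ", t)


def tuned_monitor(posts, watchlist):
    """Hardened keyword monitor: whole-word match on normalized text, and only
    where trade context is also present.

    This recovers obfuscated spellings and drops benign product chatter, but
    it still cannot tell 'apple' the fruit from Apple the company when trade
    words happen to be nearby, and it is blind to euphemisms.
    """
    hits = []
    for post in posts:
        norm = normalize(post["text"])
        if not TRADE_CONTEXT.search(norm):
            continue  # brand mention without trade context: treat as benign
        for brand in watchlist:
            words = brand.lower().split()
            pattern = r"\b" + r"\s+".join(re.escape(w) for w in words) + r"\b"
            if re.search(pattern, norm):
                hits.append((post["id"], brand))
    return hits


def evaluate(hits):
    """Compare a monitor's hits against the assumed ground truth."""
    flagged = {post_id for post_id, _ in hits}
    return {
        "true_positives": sorted(flagged & GROUND_TRUTH),
        "false_positives": sorted(flagged - GROUND_TRUTH),
        "missed": sorted(GROUND_TRUTH - flagged),
    }


if __name__ == "__main__":
    for name, monitor in (("naive", naive_monitor), ("tuned", tuned_monitor)):
        print(name, evaluate(monitor(SAMPLE_POSTS, WATCHLIST)))
```

Running it, the naive monitor flags posts 1, 2 and 5 (two false positives) and misses 3 and 4. The tuned monitor catches the leetspeak variant in post 4 and drops the product review, but post 2 is still a false positive and the euphemism in post 3 is still missed: no amount of regex tuning resolves word sense or paraphrase, which is the gap the episode says a language model is needed for.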
2. Gemini AI: A Step Change in Threat Detection
- AI-Powered, Contextual Understanding: Gemini processes tens of millions of dark web posts daily, analyzing them in context rather than through isolated keyword triggers.
  “We process every single one of those posts using Gemini… Gemini to make each of the alerts very relevant for them.” — Brandon (02:53)
- Personalized Intel at Scale: The system profiles each organization and uses Gemini to tailor alerts to its specific context and risk profile, reducing manual setup.
  “We actually... create a profile of the customer to get them started and create personalized intelligence for them.” — Brandon (03:23)
- Multilingual and Cultural Nuance: Gemini understands subtle cues, idioms, and dialects across dozens of languages, outperforming traditional monitors and giving rich, actionable insight.
  “Gemini understands that cleanly and understands it across dozens of different languages.” — Brandon (05:33)
3. Combining Human Expertise with AI
- Expert-Led Training and Validation: Years of Mandiant and GTI experience in cybercrime, geopolitics, and language nuance inform Gemini’s effectiveness.
  “The system does a pretty good job of codifying the knowledge and expertise that we've... built over the years, over the 10, 15 years, I think of Mandiant expertise.” — Jose (12:09)
- Human Layer for Deep Context: Analysts still contribute by assessing subtle social cues and underground marketplace dynamics (credibility, reputation, disputes).
  “One of my common workflows has been, hey, this looks interesting. Is this person for real? Let's see what people say about them. What else have they done?” — Jose (13:14)
4. Understanding the Underground Economies
- Marketplace Dynamics: Underground forums operate like any other market, with reviews, reputation-building, and cliques.
  “There’s a fantastic paper... nobody sells gold for the price of silver… people will sort of call that out, don’t do business with this person, because they’re a liar.” — Jose (14:11)
- Global and Platform Variance: Russian- and English-speaking actors prefer bulletin boards and Telegram, while Latin American actors may use platforms like Twitter or dedicated websites.
  “Russian and English [use] classic bulletin boards and now Telegram increasing, whereas Latin American ones will use other social media platforms… Twitter is really popular in Latin America.” — Jose (16:54)
5. Making Threat Intel Actionable and Integrated
- Insightful Alerts and Guidance: The new system provides detail on the personas, their tools, TTPs (tactics, techniques, and procedures), and historical patterns, so alerts can be acted on faster.
  “You’re now... starting your journey when you’re getting this alert off in a full sprint...” — Brandon (21:10)
- SIEM and SOC Integration: Because Gemini drastically reduces noise, dark web intelligence can now be integrated into SIEM tools and existing SOC workflows.
  “We’re now able to integrate this into tools like SecOps and other third-party SIEMs... and tying in TTPs to really look and feel like... on network detection.” — Brandon (22:36)
- Defender Focus: Prioritization and context let defenders focus their investigation and mitigate threats more efficiently than before.
  “Giving them… specific guidance on where to begin that investigation, I can see being incredibly helpful.” — Luke (22:01)
6. Evolving Threats and the Importance of Agility
- Continuous Actor and Community Churn: The landscape shifts rapidly; threat groups rebrand after takedowns, new technologies emerge, and actors constantly adapt.
  “There’s this constant churn... we know we’re dealing with.” — Luke (24:15)
- AI for Both Sides: Adversaries are also experimenting with AI, but so far much of what they produce is immature and unreliable.
  “You’re seeing an explosion of sort of tinkering and research... The good news is... a lot of their stuff falls apart really quickly, or doesn’t even compile... But they’re getting there.” — Jose (27:08)
- Future-Proofing the System: The new platform is built to swap in improved models as they are developed, to keep pace with threat evolution.
  “We’ve built the system to... be able to take the next model when it’s ready... replace in a short amount of time.” — Brandon (25:51)
Notable Quotes & Memorable Moments
| Timestamp | Speaker | Quote |
|-----------|---------|-------|
| 03:09 | Brandon | “We create monitors largely based on regex... Unfortunately, with this approach... it creates a ton of noise for threat intel teams and SOC teams.” |
| 05:20 | Brandon | “Instead of saying Coca Cola, they’ll say, you know, large soda manufacturing company. That’s not the blue one, right? Us as humans, when we read that... we get it. And what we found, Gemini understands that cleanly.” |
| 13:14 | Jose | “Is this person for real? Let’s see what people say about them. What else have they done? ...Maybe there’s a prolific access broker... you can spot that trend pretty quickly.” |
| 14:11 | Jose | “There’s a fantastic paper... nobody sells gold for the price of silver... don’t do business with this person, because they’re a liar.” |
| 16:54 | Jose | “Russian and English [actors use] the classic bulletin boards and now Telegram increasingly, whereas Latin American ones will use other social media platforms... Twitter is really popular in Latin America.” |
| 21:10 | Brandon | “You’re now... starting your journey when you’re getting this alert off in a full sprint on being able to... understand what are some of the leads you need to go chase and make it more actionable.” |
| 22:36 | Brandon | “We’re now able to integrate this into tools like SecOps and other third-party SIEMs... and tying in TTPs to really look and feel like... on network detection.” |
| 27:08 | Jose | “A lot of [threat actors’] stuff falls apart really quickly, or doesn’t even compile in some cases. But they’re getting there... the pace of things is going to be crucial for a long time.” |
Important Segments & Timestamps
- [01:46] Introduction to New GTI Capabilities (Brandon explains the new Gemini-powered system)
- [05:06–07:30] Overcoming Vague References and False Positives
- [10:57] Human Expertise in Training AI (Luke brings Jose in to elaborate)
- [12:00–15:19] Real-World Analyst Workflows and Insights (Jose on applying the new system to threat hunting)
- [16:45] Variances Across Underground Communities
- [21:10] Making Intel Actionable – Persona & TTP Context
- [22:34] Integration into SOC/SIEM Workflows
- [24:58] Future-Proofing and Pacing Adversary Evolution
- [26:42] Adversaries and AI – State of Play
- [28:52] Closing Thoughts and Calls to Action
Conclusion
This episode highlights a major step forward in threat intelligence: Google’s integration of Gemini AI into dark web monitoring, drastically reducing noise and improving context for defenders. The conversation underscores how combining bleeding-edge AI with deep human expertise enables both scale and nuance, allowing defenders not just to detect threats, but to understand—and stay ahead of—rapidly evolving adversaries.
Further Resources
- The official blog post announcing these capabilities (see show notes)
- Past Mandiant and GTI intelligence reports on AI, cybercrime, and hacktivist trends
