Episode #96

T. Rowe Price’s PJ Asghari’s "What, So What, Now What" Framework for Threat Intel

Show Notes

What does it take to transform a traditional event-driven SOC into an intelligence-driven operation that actually moves the needle? At T. Rowe Price, it meant abandoning the "spray and pray" approach to threat detection and building a systematic framework that prioritizes threats based on actual business risk rather than industry hype.

PJ Asghari, Team Lead for the Cyber Threat Intelligence Team, walked David through their evolution from a one-person intel operation to a program that directly influences detection engineering, fraud prevention, and executive decision-making. His approach centers on the "what, so what, now what" framework for intelligence reporting — a simple but powerful structure that bridges the gap between technical analysis and business action.


Topics discussed:

  • Moving beyond event-based monitoring to prioritize threats based on sector-specific risk profiles and threat actor targeting patterns rather than generic threat feeds.
  • Focusing on financially motivated actors, initial access brokers, and PII theft rather than nation-state activities that rarely target mid-tier financial firms directly.
  • Addressing the cross-functional challenge that spans HR, talent acquisition, insider threat, and CTI teams.
  • Using mise en place principles from culinary backgrounds to establish clear PIRs that align team focus with organizational needs.
  • Creating trackable deliverables through ticket systems, RFI responses, and cross-team support that translates intelligence work into measurable business impact.
  • Maintaining critical thinking and media literacy skills while leveraging automation for administrative tasks and threat feed processing.

Key Takeaways:

  • Implement the "what, so what, now what" reporting structure to ensure intelligence reaches appropriate audiences with clear business implications and recommended actions.
  • Build cross-functional relationships with fraud, insider threat, and vulnerability management teams to create measurable value through ticket creation and support requests rather than standalone reporting.
  • Establish sector-specific threat prioritization by mapping threat actors to your actual business model rather than following generic industry threat landscapes.
  • Create trackable metrics through service delivery, including RFI responses, expedited patching recommendations, and credential compromise notifications to demonstrate concrete value.
  • Focus hiring on inquisitive mindset and communication skills over certifications, using interviews to assess critical thinking and ability to dig deeper into investigations.
  • Map threat actor TTPs to the MITRE ATT&CK framework to identify gaps in the defense stack and provide actionable detection engineering guidance rather than just IOC sharing.
  • Invest in dark web monitoring and external attack surface management for financial services to catch credential compromises and brand abuse before they impact customers.
  • Establish regular threat actor recalibration cycles to ensure prioritization remains aligned with current threat landscape rather than outdated assumptions.

Quotes from Episode