As geopolitical tensions increasingly spill into cyberspace, a growing number of cybersecurity professionals are beginning to look beyond technical indicators to understand the strategic forces behind cyber threats. One of them is Robin Dimyanoglu, a seasoned cybersecurity expert with years of hands-on experience in red teaming and threat intelligence.
In recent years, he has focused on predictive cyber defense, drawing from military frameworks and intelligence analysis to explore how geopolitical events shape cyber operations. His 2024 book, Geopolitical Cyber Threat Intelligence, reflects this interdisciplinary approach — bridging technical insight with strategic forecasting.
For The Recursive Defense and Cybersecurity Report we interviewed him about the intersection between cybersecurity and traditional intelligence disciplines, the frameworks that help translate politics into probabilities, and how Security Operations Center (SOC) teams can prepare for increasingly complex, cross-border incidents.
Cyber intelligence meets geopolitics
Dimyanoglu argues that modern cybersecurity still operates in two largely separate worlds: on one side, the technical domain dominated by engineers and analysts focused on code, logs, and infrastructure; and on the other, the traditional security domain, shaped by military, intelligence, and geopolitical thinking.
“Most cybersecurity professionals, including myself, come from engineering backgrounds and naturally have a technical approach to the problems we face.”
That technical lens brings rigor and precision to areas like malware analysis, vulnerability detection, and incident response. But Dimyanoglu warns it also creates a kind of tunnel vision — one that overlooks the strategic motives and geopolitical dynamics that increasingly drive cyber operations.
“Cyber has long been an operational domain for militaries and intelligence agencies around the world, used to advance national political and economic interests. So, when we approach this domain purely through a technical lens, we miss a significant part of the picture.”
To build a more complete understanding of the threat landscape, Dimyanoglu advocates for what he calls a socio-technical approach to cybersecurity — one that actively incorporates political science, military doctrine, behavioral analysis, and international relations into the daily work of cyber threat intelligence.
This shift isn’t about abandoning technical skills, but rather enhancing them with strategic context. Whether the data comes from signals intelligence (SIGINT), human intelligence (HUMINT), or open-source intelligence (OSINT), what matters most is not the source itself but the analyst’s ability to interpret that data through a geopolitical and operational lens.
Dimyanoglu notes this doesn’t mean turning every security analyst into a geopolitical strategist, but he believes we do need to foster environments where different ways of thinking are brought into conversation. “For instance, a cyber threat intelligence team might benefit greatly from understanding how a military analyst interprets escalation dynamics, or how a political analyst reads state intent. These kinds of cross-domain insights can add significant depth to our understanding of cyber threats,” he explains.
“In many cases, it’s not just about the data we collect, but how we connect the dots across disciplines. Threats don’t occur in isolation; they’re part of larger systems. And to anticipate them effectively, we need knowledge that reflects that complexity.”
Training security teams for complexity
As cyber threats increasingly operate across national borders, the pressure on Security Operations Centers (SOCs) to respond with both speed and coordination has never been higher. In terms of preparing SOCs for transnational threats, Dimyanoglu points to realism and stress-testing as key training pillars. “The most effective training modules are the ones that simulate end-to-end incident response,” he explains. “Drills that go beyond isolated technical scenarios and instead stress-test full procedures are key.”
He also emphasizes that traditional tabletop exercises and siloed threat detection labs, while useful, fall short in preparing teams for the full operational complexity of modern cyber incidents — especially those that ripple across organizational, national, or jurisdictional lines. Instead, he advocates for immersive, scenario-driven training that reflects how threats actually unfold: often in real time, with unclear attribution, and involving a host of interdependent actors.
At the core of this approach is wargaming — not in the abstract, but in applied form. Dimyanoglu sees these simulations as critical tools for revealing the hidden weaknesses in cross-functional and transnational coordination.
“Wargaming exercises are extremely valuable for exposing weaknesses in coordination, communication, and interoperability across teams and borders,” he says. “These simulations reveal friction points early — who talks to whom, what information gets lost in translation, which tools don’t work well across systems, and so on.”
According to Dimyanoglu, one of the most critical yet underdeveloped skills for SOC analysts is the ability to think beyond the event, to see the broader campaign behind the indicator. “Another area we need to train more deliberately is pivoting from indicators to broader campaign patterns,” he says.
“SOC analysts should be comfortable asking: Is this a standalone incident, or part of a wider operation?”
This mindset shift — from reactive containment to strategic recognition — is what allows local incidents to be interpreted within a wider geopolitical or operational context. And that, in turn, is what enables a pivot from a single organization’s response to a coordinated, EU-level or multi-agency reaction. Without it, opportunities for early warning and collective defense may be missed.
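One way to make the "standalone incident or wider operation?" question concrete is to pivot on shared indicators: alerts from different organizations that reuse the same domain, IP or file hash, directly or transitively, are candidates for a single campaign. The script below is an added example written for this article, not code from Dimyanoglu or his book. Every alert, organization name, domain, IP and hash in it is constructed for illustration; the allowlist of shared benign infrastructure is likewise an assumption.

```python
"""Pivot from single alerts to campaign clusters by shared indicators.

Added example (not from the interview). The alert records below are
constructed; the domains, IPs and hashes are placeholders, not real indicators.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Alert:
    alert_id: str
    org: str            # reporting organisation (constructed)
    seen: datetime
    indicators: dict    # indicator type -> value


# Constructed sample alerts from three hypothetical organisations.
ALERTS = [
    Alert("a1", "org-A", datetime(2024, 3, 1), {"domain": "update-portal.example", "sha256": "aa11"}),
    Alert("a2", "org-B", datetime(2024, 3, 2), {"domain": "update-portal.example", "ip": "203.0.113.10"}),
    Alert("a3", "org-C", datetime(2024, 3, 5), {"ip": "203.0.113.10", "sha256": "bb22"}),
    Alert("a4", "org-A", datetime(2024, 3, 9), {"domain": "invoice-check.example", "sha256": "cc33"}),
    Alert("a5", "org-B", datetime(2024, 3, 20), {"domain": "cdn-static.example"}),
]

# Widely shared, benign indicators (shared CDNs, well-known hashes) would glue
# unrelated alerts together, so they are excluded from pivoting. Constructed list.
ALLOWLIST = {("domain", "cdn-static.example")}


class DisjointSet:
    """Union-find over alert ids; transitive links become one cluster."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_alerts(alerts, allowlist=ALLOWLIST):
    """Group alerts that share any non-allowlisted indicator, transitively.

    Returns a sorted list of sorted alert-id lists.
    """
    ds = DisjointSet()
    by_indicator = defaultdict(list)
    for a in alerts:
        ds.find(a.alert_id)  # register singletons too
        for kind, value in a.indicators.items():
            if (kind, value) in allowlist:
                continue
            by_indicator[(kind, value)].append(a.alert_id)
    for ids in by_indicator.values():
        for other in ids[1:]:
            ds.union(ids[0], other)
    clusters = defaultdict(set)
    for a in alerts:
        clusters[ds.find(a.alert_id)].add(a.alert_id)
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: c[0])


def campaign_candidates(alerts, min_orgs=2):
    """Clusters touching at least `min_orgs` organisations: the 'wider operation' candidates."""
    by_id = {a.alert_id: a for a in alerts}
    out = []
    for cluster in cluster_alerts(alerts):
        orgs = {by_id[i].org for i in cluster}
        if len(orgs) >= min_orgs:
            times = [by_id[i].seen for i in cluster]
            out.append({"alerts": cluster, "orgs": sorted(orgs),
                        "span_days": (max(times) - min(times)).days})
    return out


if __name__ == "__main__":
    for c in campaign_candidates(ALERTS):
        print(f"campaign candidate: {c['alerts']} across {c['orgs']} over {c['span_days']} days")
```

On the constructed data, a1, a2 and a3 chain together through a shared domain and then a shared IP, which is exactly the transitive pivot an analyst would otherwise do by hand; a4 stays a standalone incident, and a5 only touches allowlisted infrastructure. In practice the allowlist matters as much as the linking: without it, one shared CDN host would merge everything into a single false "campaign".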
How to forecast geopolitical cyber threats
Forecasting cyber threats that stem from geopolitical tensions is a task many aspire to, but few approach it with a structured, multi-layered methodology. In Dimyanoglu’s view, predictive intelligence is not a matter of clairvoyance, but of disciplined thinking, historical pattern recognition, and rigorous framing.
When asked which analytical techniques are most effective for forecasting threats rooted in geopolitical conflict, Dimyanoglu resists the idea of silver bullets. He refers to the three families into which the US intelligence community’s structured analytic techniques are commonly grouped: diagnostic, contrarian and imaginative. “Imaginative techniques are the engine for generating future scenarios, but I wouldn’t single out any one group of techniques,” he says, before elaborating: “Diagnostic techniques are essential for ensuring the quality and reliability of the information, while Contrarian techniques challenge our assumptions and surface alternative perspectives.”
Dimyanoglu emphasizes that effective forecasting hinges not just on choosing the right method, but on layering techniques strategically. In his words, “the groundwork leading up to the forecasting stage represents about 80% of the work, and the actual forecasting is the remaining 20%.”
The greatest difficulty, he points out, is identifying and interpreting the key variables that shape a complex, geopolitical threat environment. These variables — whether political decisions, military movements, economic signals, or shifts in public sentiment — often interact in nonlinear and cascading ways. In long-range analysis especially, the relationships between variables can become unstable, even contradictory.
This is where structured frameworks come in. Dimyanoglu draws on a blend of tools often used in military and intelligence planning, such as PMESII/ASCOPE, DIMEFIL, and STEMPLES. Each decomposes a complex environment into a fixed set of variables: PMESII into Political, Military, Economic, Social, Information and Infrastructure, ASCOPE into the civil-considerations view of Areas, Structures, Capabilities, Organizations, People and Events, and DIMEFIL into the instruments of national power (Diplomatic, Information, Military, Economic, Financial, Intelligence, Law enforcement). Decomposing the environment this way lets analysts map how a change in one variable might create ripple effects across others. “They all aim to map out the same thing,” he says: “the broader operational environment… and how shifts in any of those layers might trigger a certain course of action.”
The goal is to reduce the window of uncertainty
To generate meaningful predictions, Dimyanoglu combines framework analysis with pattern recognition from historical data. In the case of the Russia–Ukraine conflict, for example, he examines documented cyber incidents over time, sorting them by attack type, targeted sectors, and regional focus, and overlays them onto a framework like PMESII. This cross-referencing, he explains, “helps draw clearer lines between geopolitical objectives and how cyber operations might have been used to support them.”
In some cases, temporal analysis, which focuses on patterns in timing, recurrence, and opportunistic windows, becomes more useful than geopolitical modeling. Understanding target exposure is also key: some entities are simply more vulnerable, and attackers often follow the path of least resistance regardless of political motive, Dimyanoglu explains.
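The overlay and the temporal analysis described in the two paragraphs above can be carried out mechanically once incidents are recorded with a date, sector, attack type and region. The script below is an added example written for this article, not code or data from Dimyanoglu's book. All incidents, dates and geopolitical events in it are constructed and are not a record of real operations, and the sector-to-PMESII-layer mapping is one assumed choice rather than a standard.

```python
"""Overlay constructed cyber-incident records on PMESII layers and check their
timing against constructed geopolitical events.

Added example, not from the book or interview. All incidents, dates and
events below are constructed for illustration, not a record of real
operations. The sector-to-layer mapping is one assumed choice, not a standard.
"""
from collections import Counter, defaultdict
from datetime import date

# Assumed mapping from targeted sector to PMESII layer.
SECTOR_TO_LAYER = {
    "government": "Political",
    "defense": "Military",
    "banking": "Economic",
    "media": "Information",
    "energy": "Infrastructure",
    "telecom": "Infrastructure",
    "ngo": "Social",
}

# Constructed incidents: (date, sector, attack_type, region)
INCIDENTS = [
    (date(2024, 1, 3), "government", "ddos", "region-1"),
    (date(2024, 1, 4), "media", "defacement", "region-1"),
    (date(2024, 1, 30), "energy", "wiper", "region-2"),
    (date(2024, 2, 1), "telecom", "wiper", "region-2"),
    (date(2024, 2, 14), "banking", "ddos", "region-1"),
    (date(2024, 3, 20), "ngo", "phishing", "region-1"),
]

# Constructed geopolitical events to test incident timing against.
EVENTS = [
    (date(2024, 1, 2), "sanctions announcement"),
    (date(2024, 1, 29), "military exercise begins"),
    (date(2024, 3, 1), "election"),
]


def pmesii_overlay(incidents):
    """Count incidents per PMESII layer and per (layer, attack_type).

    Sectors missing from the mapping land in an explicit 'Unmapped' bucket so
    that gaps in the model are visible rather than silently dropped.
    """
    per_layer = Counter()
    per_layer_type = defaultdict(Counter)
    for _, sector, attack_type, _ in incidents:
        layer = SECTOR_TO_LAYER.get(sector, "Unmapped")
        per_layer[layer] += 1
        per_layer_type[layer][attack_type] += 1
    return per_layer, per_layer_type


def incidents_near_events(incidents, events, window_days=7):
    """Temporal analysis: incidents within `window_days` on or after each event."""
    result = {}
    for ev_date, label in events:
        result[label] = [i for i in incidents if 0 <= (i[0] - ev_date).days <= window_days]
    return result


def recurrence_intervals(incidents, attack_type):
    """Days between consecutive incidents of one attack type, for spotting recurring windows."""
    dates = sorted(d for d, _, t, _ in incidents if t == attack_type)
    return [(b - a).days for a, b in zip(dates, dates[1:])]


def regional_exposure(incidents):
    """Incident count per region: a crude proxy for which targets are most exposed."""
    return Counter(region for _, _, _, region in incidents)


if __name__ == "__main__":
    layers, by_type = pmesii_overlay(INCIDENTS)
    for layer, n in layers.most_common():
        print(f"{layer:15s} {n} incidents  {dict(by_type[layer])}")
    for label, hits in incidents_near_events(INCIDENTS, EVENTS).items():
        print(f"within 7 days of '{label}': {len(hits)} incidents")
    print("ddos recurrence (days):", recurrence_intervals(INCIDENTS, "ddos"))
    print("exposure by region:", dict(regional_exposure(INCIDENTS)))
```

On the constructed data, the Infrastructure layer carries both wiper incidents and both fall within days of the constructed "military exercise begins" event, while the election window contains nothing; that is the kind of contrast the overlay is meant to surface. The analyst's judgment still decides whether the correlation reflects intent or coincidence, which is why the functions return the grouped records rather than a verdict.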
The line between prediction and misattribution, however, is thin. Overstating a state’s involvement — or ignoring it entirely — can send analysts down the wrong track. That’s why, to Dimyanoglu, the most valuable forecasting tool is still analyst discipline. “That’s where the analyst’s judgment, context awareness, and discipline in distinguishing signal from noise really matter.”
At the end of the day, forecasting isn’t about locking in the future. It’s about making it more legible. Frameworks and techniques, when used responsibly, help analysts frame the right questions and pressure-test their assumptions. As Dimyanoglu concludes:
“The goal isn’t to predict the future with 100% precision, but to reduce the window of uncertainty enough to inform meaningful action.”