The Analyst Mind
Most analysts fail not because they lack tools, but because they fail to think clearly under pressure.
This is a publication about the second problem.
The tooling will keep changing. The certifications will keep multiplying. None of it makes an analyst. What makes an analyst is the discipline behind the work: structured reasoning, awareness of cognitive bias, comfort with uncertainty, the deliberate pause before the wrong conclusion, the willingness to challenge a finding that feels right but isn’t.
That discipline can be taught. It can be practiced. It can be sharpened. But almost no one is writing about it seriously.
The Analyst Mind exists to change that.
What you’ll find here
Investigation tradecraft: how experienced analysts actually work a case, not how the playbook says they should
Cognitive bias in the SOC: the specific failure modes that get incidents missed, escalated wrong, or closed early
Structured analytical techniques adapted from intelligence tradition (5W+H, ACH, OODA, SOAP, the Deliberate Pause), applied to cyber problems they were never written for
The integration of AI into defensive work, with the judgment to know when it helps and when it harms
Long-form pieces on the analyst’s craft as a craft: slow thinking, professional formation, the standards we hold ourselves to
No hot takes. No vendor coverage. No breach-of-the-week commentary.
About the author
Klaus Wunder writes The Analyst Mind.
He came up the hard way: hands on networks before the cloud existed, configuring firewalls when “zero trust” was just good instinct, and protecting industrial control systems when most security professionals had never touched a PLC.
As a Principal Cyber Defence Analyst at an MSSP, he works live investigations, threat hunts across hybrid environments, and incident response in environments where the cost of a missed signal is real. The OT/ICS dimension is not a side interest: defending critical infrastructure is a core part of the practice. Everything written here has been carried through real casework first. The investigator comes before the writer.
Teaching follows the practice. As an Authorised OffSec Instructor, he teaches and mentors working analysts. Closer to the work itself, he coaches new SOC analysts on the floor, runs workshops, and speaks at industry events. The classroom is downstream of the operations floor.
The technical substrate runs deep and deliberately broad: AI and LLM integration into defensive work, OT/ICS and critical infrastructure protection, network forensics at the protocol level, Linux and macOS as native working environments. The tools matter, but the tools are scaffolding for the analyst’s mind, never a substitute for it.
Investigation tradecraft does not stop at the network boundary. As a member of ASIS International, he works at the intersection of cyber and physical security, where structured analytical reasoning travels across domains.
The credentials matter only as evidence that the methodology has been tested against terrain that doesn’t care about opinions.
The analyst works the case. The instructor teaches what the case taught. The Analyst Mind is where the methodology gets written down.
New work lands here when the thinking is done, not on a publishing schedule. If this is the kind of substance you’ve been looking for, subscribe.