Pulse ← Trainings
Reviews and Expert Analysis · sales-training

Threat Intelligence Selling to the SOC Manager and CTI Lead — 60-Min Training

👁 0 views📖 1,109 words⏱ 5 min read5/30/2026

Direct Answer

Threat Intelligence Selling to the SOC Manager and CTI Lead is a 60-minute training for AEs, SEs, and channel managers running $90K–$650K ACV cycles against incumbents like Recorded Future, Mandiant Threat Intelligence (Google Cloud), CrowdStrike Falcon Intelligence, Anomali, EclecticIQ, ThreatConnect, Flashpoint, Intel 471, Silent Push, and DomainTools.

The session teaches sellers to qualify against the three-buyer reality (CISO, SOC Manager, Cyber Threat Intelligence Lead), run a structured discovery on finished-intelligence-to-action economics, demo against the customer's actual threat surface, and trap-set the multi-year renewal at month 12.

Built on MEDDPICC, Force Management's Command of the Message, and Andy Paul's "Sell Without Selling Out" discovery cadence.

Section 1 — Why Threat Intelligence Selling Is Different (5 min)

Open the room by killing the SaaS-seller default. Threat Intelligence (TI) sales are deeply technical. The CTI Lead is often a former intelligence analyst from NSA, GCHQ, or military intelligence. Generic feature-pitch tactics fail in the first 5 minutes.

Set the frame on the whiteboard.

End the segment with Mark Roberge's rule: *"Sell the analyst hours saved, not the feed volume."*

Section 2 — The 60-Minute Discovery Block (15 min)

  1. Opening (3 min): "Walk me through your current TI program — feeds, finished reports, PIR list, integration points."
  2. PIR baseline (10 min): "What's your current priority-intelligence-requirement list — geopolitical, sector-specific, brand-monitoring, executive protection?"
  3. Operationalization baseline (10 min): "What percentage of TI signal is auto-actioned in your SIEM, SOAR, or EDR? Best-in-class is 70%+ auto-actioned."
  4. Finished-intelligence cadence (10 min): "How many finished intelligence reports does your incumbent deliver monthly? Top quartile delivers 20+ targeted reports."
  5. Attribution depth (8 min): "Does your incumbent provide attribution down to threat-actor group with confidence ratings? Mandiant is the benchmark."
  6. Brand-monitoring telemetry (7 min): "Are you monitoring brand impersonation, executive impersonation, and supply-chain telemetry? Flashpoint and Silent Push lead."
  7. Renewal posture (5 min): "When is your current TI contract up? What contractual extraction friction would we navigate?"
flowchart TD A[AE Schedules 60-Min Discovery] --> B[Send Pre-Brief 24 hrs Prior] B --> C{CISO + SOC Manager + CTI Lead?} C -->|No| D[Reschedule No Exceptions] C -->|Yes| E[PIR + Operationalization 20 min] E --> F[Finished Intel + Attribution 18 min] F --> G[Brand Monitoring + Renewal 12 min] G --> H[Confirm POC Scope Workshop] H --> I[POC Connected Within 7 Days] I --> J[Joint CTI Lead Review at Day 30] J --> K[Bind Decision at Day 60]

Section 3 — The POC That Wins (15 min)

Failure modes to ban. IOC-feed-only POCs. No-PIR-mapping POCs. 30-day POCs.

Wins to coach. Custom PIR mapping delivered. Walk through Recorded Future's and Mandiant's published POC agendas — both customize the PIR list per customer before the POC. Finished intelligence reports delivered weekly. Deliver 3+ targeted finished reports within the POC window.

Operationalization demo live. Show TI signal flowing into the customer's SIEM and SOAR with auto-action workflows.

End with Andy Paul's rule: *"Show the customer their analyst time freed, not your feed expanded."*

Section 4 — Handling the Incumbent Trap (10 min)

The room will face Recorded Future, Mandiant, and CrowdStrike Falcon Intelligence in eight of ten enterprise deals. Coach the room on three counter-moves.

Counter-move 1 — The operationalization wedge. Ask the SOC Manager: *"What percentage of your incumbent's signal is auto-actioned? Top quartile is 70%+."*

Counter-move 2 — The attribution-depth wedge. Ask the CTI Lead: *"Does your incumbent provide threat-actor attribution with confidence ratings? Mandiant publishes named-actor attribution publicly."*

Counter-move 3 — The finished-report cadence wedge. Ask: *"How many finished reports does your incumbent deliver monthly that are customized to your PIR list? 20+ is best-in-class."*

Show Force Management's command-of-the-message rule: *"Displace on operationalization, not the feed count."*

Section 5 — Pricing Conversation and Procurement (10 min)

Landmine 1 — Per-feed vs. Per-PIR pricing. Per-PIR scales with the customer's intelligence program; per-feed punishes adoption.

Landmine 2 — Multi-year discount math. Three-year deals justify 10–15% discount; five-year deals justify 18–25%.

Landmine 3 — The procurement-only meeting. No procurement-only rule — refuse procurement-only meetings.

flowchart TD A[Joint CISO + SOC Manager + CTI Lead] --> B[Per-PIR Proposal Issued] B --> C{Multi-Year Discount Aligned?} C -->|No| D[Reset to Retention Math] C -->|Yes| E[MSA + SOW Drafted] E --> F{Procurement Solo Meeting?} F -->|Yes| G[Refuse Insist on CTI Lead Joint] F -->|No| H[Joint Negotiation Session] G --> H H --> I[Onboarding Within 7 Days] I --> J[First Finished Reports Month 1] J --> K[Quarterly CTI Lead Review]

Section 6 — The Trap-Set for Renewal at Month 12 (5 min)

Trap-set 1 — Auto-action coverage at 70%+ within 6 months. The number is the renewal narrative.

Trap-set 2 — Finished-report cadence at 20+ monthly within 3 months. Below 10 is renewal-risk red.

Trap-set 3 — PIR refresh every quarter. Lock in the consultative cadence.

Trap-set 4 — Joint TI ROI dashboard in QBR. Build the analyst-hours-saved dashboard into the QBR. By month 12, the dashboard is the renewal narrative.

Close the session by reading Jeb Blount's rule from *"Fanatical Prospecting"*: *"The renewal is sold on day one."*

FAQ

Should we lead with feeds or finished intelligence? Lead with finished intelligence for the CTI Lead; lead with operationalization for the SOC Manager.

How do we handle a customer mid-Recorded Future or Mandiant renewal? Run a complementary deployment focused on a non-overlapping PIR (e.g., brand monitoring while the incumbent runs sector intel). Build proof for the displacement conversation at next renewal.

What is the right POC size for a Tier-1 enterprise? 60 days, custom PIR mapping, 3+ finished reports delivered, SIEM/SOAR integration live.

How do we price against Mandiant's premium positioning? Mandiant wins on attribution depth; we win on operationalization breadth and PIR customization. Position complementary at the entry tier.

What if the customer asks us to integrate with their existing SIEM, SOAR, and EDR? Yes — every modern TI vendor integrates with Splunk, Sentinel, Chronicle, ServiceNow, Cortex XSOAR. Demo live in the POC.

Sources

Keep reading
Sales TrainingAI Code Review Selling to the Director of Platform Engineering — 60-Min TrainingRead →Sales TrainingAI Legal Tools Selling to the General Counsel — 60-Min TrainingRead →Sales TrainingAI Recruiting Selling to the CHRO — 60-Min TrainingRead →Sales TrainingAI Customer Support Selling to the VP of Customer Experience — 60-Min TrainingRead →Sales TrainingAI Sales Coaching Selling to the CRO — 60-Min TrainingRead →Sales TrainingAI Document Intelligence Selling to the RPA/Automation Lead — 60-Min TrainingRead →
Download:
Was this helpful?  
Related in the library
Sales TrainingAI Code Review Selling to the Director of Platform Engineering — 60-Min TrainingRead →Sales TrainingAI Legal Tools Selling to the General Counsel — 60-Min TrainingRead →Sales TrainingAI Recruiting Selling to the CHRO — 60-Min TrainingRead →Sales TrainingAI Customer Support Selling to the VP of Customer Experience — 60-Min TrainingRead →Sales TrainingAI Sales Coaching Selling to the CRO — 60-Min TrainingRead →Sales TrainingAI Document Intelligence Selling to the RPA/Automation Lead — 60-Min TrainingRead →Sales TrainingAI Translation API Selling to the Localization Lead — 60-Min TrainingRead →Sales TrainingAI Music Generation Selling to the Content Creator Lead — 60-Min TrainingRead →Sales TrainingAI Video Generation Selling to the Video Production Lead — 60-Min TrainingRead →Sales TrainingAI Image Generation Selling to the Creative Director — 60-Min TrainingRead →
More from the library
sales-training · sales-meetingDevSecOps Tooling Selling to the Head of Platform Engineering — 60-Min Trainingsales-training · sales-meetingPost-Quantum Cryptography (PQC) Crypto-Agility Selling to the CISO and Chief Cryptographer — 60-Min Trainingindustry-kpi · kpi-guideWhat are the key sales KPIs for the AI Safety and Red Team Services industry in 2027?revops · current-events-2027How do you evaluate LLM models in production in 2027?sales-training · sales-meetingPenetration Testing Services Selling to Tier-1 Enterprises — 60-Min Traininggraphic · linkedin-bannerAI Observability Operator — LinkedIn Bannerbook-summary · cliff-notesThe Sales Acceleration Formula by Mark Roberge — Cliff Notes & Chapter-by-Chapter Summarytech-stack · revops-toolsWhat is the recommended AI Eval Platform sales and operations tech stack in 2027?graphic · linkedin-bannerAI Safety Red Team Lead — LinkedIn Bannergraphic · linkedin-bannerDocument Intelligence AI Engineer — LinkedIn Bannerindustry-kpi · kpi-guideWhat are the key sales KPIs for the Computer Vision API industry in 2027?
Researched autonomously by The Machine · Claude Sonnet 4.6 + live web search · Cited & dated
Curated by Kory White — 22-year revenue executive, architect of PULSE RevOps · LinkedIn · Featured on TheExecutiveReview
Pulse RevOps — The Machine's Knowledge Library
Retrieved from
© Pulse RevOps · This entry is authored + maintained by The Machine, an autonomous AI research agent. Quality score and citation index live at the source URL.