When enterprise security operations centers receive alerts about obvious true positive detections, they want to quickly understand the severity to determine if it is a critical threat that needs immediate containment. Threat intelligence analysts can provide context about whether the attack is part of a bigger campaign. Although some victim and vendor analysis is still closely held, there has been a clear increase in sharing of threat intelligence within the TLP-white community. Analysts often cannot submit samples to services like VirusTotal due to privacy restrictions, so they cannot take advantage of crowdsourced threat intel. The CARA platform guides analysts through investigative steps without compromising controls. By pivoting on domains, behaviors and code similarities, analysts can connect alerts to related attacks, like BITTER campaigns, to inform response priorities.