Acerca de
I am a Global Cybersecurity Strategic Leader with deep technical background. I am…
Servicios
Artículos de Carlos
Actividad
4 mil seguidores
-
Carlos Valderrama ha compartido estoAnthropic investigates report of rogue access to hack-enabling Mythos AIAnthropic investigates report of rogue access to hack-enabling Mythos AI
-
Carlos Valderrama ha compartido estoIf you've ever responded to a real cyber incident at 3 AM, you know this feeling. Everyone has opinions. Few have scars. This is the "Umarell Effect" in cybersecurity. In Italy, "Umarell" refers to retired men who stand at construction sites with their hands behind their backs, watching and commenting on the work. In cybersecurity, we have our own version: → Market analysts who've never triaged an alert → Influencers who've never contained a breach → Sales reps who've never written a detection rule → Consultants who've never responded at 3 AM All telling SecOps people what they're doing wrong. SecOps people? They're in the trenches: • Responding to Storm-1175 ransomware • Writing detection rules for zero-days • Containing lateral movement • Hunting for persistence mechanisms • Documenting for forensics While the Umarells stand back and critique: "You should use XDR" "This wouldn't happen with Zero Trust" "Our tool would've caught this" "You need a framework" Here's the truth: Theory is cheap. Execution is expensive. The gap between "what should work" and "what actually works at 3 AM during an active breach" is where careers are made. What we need is: ✅ Detection rules that actually work (not vendor marketing) ✅ Playbooks tested in real incidents (not consultant frameworks) ✅ Threat intelligence operationalized (not PDF reports) ✅ Deployment in minutes (not weeks of meetings) Built by practitioners. For practitioners. Can you spot Umarells? #SecOps #CyberSecurity #SOaC #IncidentResponse #ThreatIntelligence #DetectionEngineering #RealTalk
-
Carlos Valderrama ha compartido estoStorm-1175 is moving at breakneck speed — from initial access to Medusa ransomware deployment in under 24 hours. Healthcare, education, finance, and professional services across Australia, UK, and US are being hit hard by this high-velocity threat actor. The problem? Most organizations can't operationalize threat intelligence fast enough to defend against N-day and zero-day exploits at this pace. The solution: SecOps-as-Code (SOaC) — turning threat intelligence into deployable defense artifacts in minutes, not weeks. 📦 Introducing pkg-019: Storm-1175 Defense Package What's inside: ✅ 43 MITRE ATT&CK techniques mapped and detection-ready ✅ Detection rules for MDE, M365, Entra ID, AWS, and CrowdStrike ✅ SOAR playbooks for automated containment and response ✅ Threat hunting queries for proactive defense ✅ Security policies for EDR, network monitoring, and file system hardening ✅ Lab simulation steps to test your defenses before the real attack Target platforms: Windows, Linux, Microsoft Exchange, Ivanti, ConnectWise, JetBrains TeamCity, Oracle WebLogic Deployment posture: Detect + Respond (with Full Enforcement option) + Prevent 🎯 Why This Matters ❌ Traditional threat intelligence reports give you what happened. ✅ SOaC gives you what to deploy right now. ❌ No more manual translation from PDF to production. ❌ No more gaps between intelligence and implementation. ✅ This is defense at the speed of offense. 🔗 Want the package? visit: https://lnkd.in/eJrz_Q6t #SecOps #ThreatIntelligence #SOaC #Ransomware #Storm1175 #MedusaRansomware #CyberDefense #DetectionEngineering #MITRE #BlueTeam
-
Carlos Valderrama ha compartido estoIntelligence-Driven Defense: Automating AI Agent Governance (pkg-018) 🪄🛡️ The 'Mythos Effect' isn't just a research paper; it's a blueprint for the next generation of autonomous cyber attacks. To fight back, I had to upgrade the arsenal. 🔴 The attack chain: → Agent Task Prompt [T1059] → Code Execution [T1059, T1059.004] → Repository Access [T1083, T1565, T1528] → External Resource Access [T1071, T1567] → Governance Review [T1528] 🎯 The goal: establish persistent access and exfiltrate data while evading detection — exploiting gaps between security tools and organizational process. ⚠️ What companies got wrong: • No session token replay detection — attackers bypass MFA undetected • No impossible-travel + credential-access correlation • Detection rules fire on individual events — no attack-chain correlation • Alert triage is manual with no automated enrichment or containment 🛠️ I built this package because the AI Coding Agent (Claude Code / Cursor) (Autonomous) campaign exposed a gap that off-the-shelf detections don’t cover. Every rule, playbook, and policy here comes from mapping the real attack chain end-to-end. 📦 What’s inside: → 5 detection rules (Sigma, KQL, SPL, CrowdStrike, Wazuh) → 2 SOAR playbooks → 3 policy & runbook documents → 1 validated replay scenarios → MITRE: 7 MITRE ATT&CK techniques (71% validated) → Platforms: Sigma, Sentinel Every detection was validated against real attack telemetry in a controlled lab. Replay scenarios prove the rules fire. Coverage: 71% of mapped MITRE techniques exercised end-to-end. 🔗 Full package + evidence: https://lnkd.in/en4dMkcX I deployed the new Intelligence Nexus feature on soacframe.io. For my first test case (pkg-018: AI Agent Governance), I didn't write a single detection rule. Instead, I fed the AI Wizard 3 research URLs (including Anthropic’s Mythos preview). The Result? A high-fidelity, 17-file SecOps-as-Code package that automatically synthesized: 🔍 Deep-Lineage Detections: Mapping parent-agent binaries to unauthorized shell pivots. 🧠 Adaptive Playbooks: Triggering identity-only revocations without killing developer productivity. 🧬 Strict Parity: 23/23 validation points passed on the first run. We are officially moving from static forms to Intelligence-Injected Orchestration. Want to see how the 'Nexus' handles autonomous threat intel? #SOaC #AIGovernance #BlueTeam #CyberAI #MythosEffect #CyberSecurity
-
Carlos Valderrama ha compartido estoUAT-8837 ran a multi-stage campaign against SaaS and Endpoint — and most detection stacks missed every phase. 🔴 The attack chain: → Initial access via vulnerability exploitation [T1190, T1078] → System reconnaissance and discovery [T1082, T1033, T1049] → RDP configuration modification [T1112, T1021.001] → Tool deployment and staging [T1105, T1027] → Network tunneling establishment [T1090, T1572] → Active Directory reconnaissance [T1087.002, T1069.002, T1018] → Credential harvesting and privilege escalation [T1134, T1558, T1550] → Persistence through backdoor accounts [T1136.002, T1098, T1560, T1556, T1005] 🎯 The goal: establish persistent access and exfiltrate data while evading detection — exploiting gaps between security tools and organizational process. ⚠️ What companies got wrong: • BYOVD and reflective DLL loading not in EDR detection scope • Fileless attack patterns missing from endpoint telemetry correlation • Detection rules fire on individual events — no attack-chain correlation • Alert triage is manual with no automated enrichment or containment 🛠️ I built this package because the UAT-8837 campaign exposed a gap that off-the-shelf detections don’t cover. Every rule, playbook, and policy here comes from mapping the real attack chain end-to-end. 📦 What’s inside: → 7 detection rules (Sigma, KQL, SPL, CrowdStrike, Wazuh) → 2 SOAR playbooks → 3 policy & runbook documents → 1 validated replay scenarios → MITRE: 22 MITRE ATT&CK techniques (23% validated) → Platforms: SaaS, Endpoint, Network, Entra Every detection was validated against real attack telemetry in a controlled lab. Replay scenarios prove the rules fire. Coverage: 23% of mapped MITRE techniques exercised end-to-end. 🔗 Full package + evidence: https://lnkd.in/eWVi-p3w #SOaC #ThreatDetection #MITREATTACK #SaaSSecurity #IdentitySecurity #CyberSecurity #DetectionEngineering
-
Carlos Valderrama ha compartido estoThe Patch Window Has Collapsed: Introducing the First Mythos-Aligned Exploit Chain Disruption Package The cybersecurity landscape has fundamentally shifted. Anthropic’s groundbreaking Mythos research reveals a new reality: AI agents can now weaponize vulnerabilities at machine speed, collapsing the traditional patch window. In this era, generic defenses are no longer enough, if your security posture relies on static rules or isolated alerts, you’re already a spectator. Over the past months, I have been deeply researching and developing a new defense paradigm that embraces this challenge head-on. The result is the Exploit Chain Disruption: Web Exploit → Sandbox Escape → AWS Metadata (Mythos Pattern) package—the first Security-as-Code (SOaC) artifact fully aligned with the Mythos autonomous attack model. What Makes This Package a Game-Changer? Architecture-Aware Logic: This package is not just a collection of detection rules. It embodies a strategic, architecture-aware approach that understands the attacker’s multi-stage chain, from initial web exploitation, through sandbox escape, to cloud metadata credential theft. By correlating telemetry across endpoint and cloud domains, it identifies the critical breakpoints where attackers must reveal themselves. Automated Playbooks & Policies: Beyond detection, the package includes automated SOAR playbooks that orchestrate rapid containment actions—such as identity revocation and host isolation—neutralizing threats before they escalate. Complementing this are environment-specific policies designed to harden defenses at the cloud perimeter and identity layers. Validated & Replay-Verified: Every detection rule and playbook action has been validated against real attack telemetry in a controlled lab environment. The package achieves 23/23 parity checks, ensuring it’s production-ready and reliable. Detection Rules: Cover Sigma, KQL, SPL, and Wazuh formats, enabling cross-platform deployment across Microsoft Defender for Endpoint, CrowdStrike, Sentinel, and AWS CloudTrail. Playbooks: Automate response workflows that integrate with existing SOC operations, reducing mean time to detect and respond. Policies: Enforce strict controls on lateral movement, cloud API access, and identity session management. This package is the first concrete instantiation of the broader Mythos Disruption Framework: a modular, extensible defense architecture designed to keep pace with autonomous adversaries. Why This Matters The Mythos threat model demands defense at machine speed. My approach moves beyond isolated alerts to holistic, chain-aware security that anticipates attacker behavior and disrupts it in real-time. Get Involved The package is publicly available and open for community collaboration. Explore the full details, evidence, and deployment guides here: https://lnkd.in/eEMU5Ezc #Mythos #SecOpsAsCode #SOaC #CyberDefense #Automation #CloudSecurity #ThreatDetection #Playbooks #IncidentResponse
-
Carlos Valderrama ha compartido estoEveryone says: “We cover MITRE ATT&CK.” Few can prove it. With SOaC Enterprise Validation, every package is: ✅ Schema validated ✅ MITRE mapped ✅ Detection coverage verified ✅ Replay tested ✅ Production ready Not manually. Automatically. Every package shows: ✅ 100% schema compliance ✅ 100% MITRE alignment ✅ Replay verification status This changes one critical thing: 👉 Trust You no longer ask: “Do we have coverage?” You know: ✅ This attack chain is covered and tested. And if it’s not? It doesn’t ship. This is how we move from: 📊 Fancy & useless dashboards to ✅ Provable security Security without validation is guesswork. Security with validation is engineering. Validate yourself: https://lnkd.in/e_Uq76Nc #MITREATTACK #SOaC #SecurityValidation #DetectionEngineering #CyberSecurity
-
Carlos Valderrama ha compartido estoMost security controls are never tested end-to-end. We assume they work. 👍 We hope they work. 🤞 We report that they work. 🫢 With SOaC Enterprise Lab, we actually test them. Every package includes a real attack simulation chain: ⛓️ Spear-phishing → execution → persistence → C2 → exfiltration ⛓️ Identity pivot → privilege escalation → SaaS abuse ⛓️ OAuth abuse → data exfiltration And you can run it in: 🎯 Solo mode (blue team validation) ⚔️ Team mode (red vs blue exercises) The key difference: We don’t test alerts. We test REAL attack chains. End-to-end Because attackers don’t operate in single events. They operate in sequences. If your detections don’t correlate across stages… you’re blind. The lab closes that gap. 👉 From detection to defense validation under pressure This is where SecOps-as-Code becomes real. Help yourself: https://soacframe.io/lab #BlueTeam #RedTeam #SOaC #CyberRange #DetectionEngineering #SecurityOperations
-
Carlos Valderrama ha compartido estoThreat intelligence today is mostly: ❌ PDFs. ❌ Reports. ❌ Slides. …that never reach production. I decided to break that model. With SOaC Enterprise, every threat report becomes: ➡️ A working defense package ➡️ Mapped to MITRE ➡️ Deployed across tools ➡️ Tested in simulation ➡️ Verified with validation Example: APT37 (Famous Chollima) → becomes: ⏩ Spear-phishing detections (LNK/PDF) ⏩ PowerShell chain detection (RokRat) ⏩ Cloud C2 detection (Dropbox/Yandex) ⏩ Insider threat controls ⏩ Automated response playbooks Not theory. Execution. I now have a growing library of packages that turn: 👉 intelligence → engineering → operations And the best part? It’s repeatable. This is how I close the gap between: Threat Intel ↔ Detection Engineering ↔ SOC Operations If your intel never becomes code, it’s just noise. Check the threat context fully operational on GitHub: https://lnkd.in/ebuWDMR4 #ThreatIntelligence #SOaC #DetectionEngineering #SOC #CyberSecuritySOaC-Enterprise/packages/015_apt37_famous_chollima_operation_hankook_phantom_defense/docs/threat_context.md at main · ge0mant1s/SOaC-EnterpriseSOaC-Enterprise/packages/015_apt37_famous_chollima_operation_hankook_phantom_defense/docs/threat_context.md at main · ge0mant1s/SOaC-Enterprise
Carlos Valderrama ha comentado una publicación
1 semana
Carlos es un profesional excepcional, una persona que me encantaría tener en mi equipo.
-
Carlos Valderrama ha recomendado estoCarlos Valderrama ha recomendado estoPeople increasingly want to use AI agents to interact with security tools. Yet, most vendors don't design their products with this in mind, even when they offer a REST API. Each endpoint's schema consumes the agent's context-window tokens upfront, and simple tasks still require multiple sequential calls. Products that serve agents well provide dedicated interfaces like MCP servers and deliver the right details to the agent at the right time. AI agents are now a real persona alongside SOC analysts, security execs, and GRC managers. When each finds value in its own view of the product, a competitor has to win over all of them to displace it. That advantage comes from understanding how each persona works, not from longer feature lists. https://lnkd.in/e_twi7fpDesigning Security Products for Humans and AI AgentsDesigning Security Products for Humans and AI Agents
-
Carlos Valderrama ha recomendado estoCarlos Valderrama ha recomendado estoEl pasado lunes 13 de abril, Basic-Fit y Booking.com comunicaron brechas de seguridad el mismo día. Un millón de miembros de gimnasio con toda su información personal expuesta. Un número desconocido de viajeros con sus reservas en manos de atacantes que ya las están usando para campañas de phishing por WhatsApp. Una dice qué pasó pero no cómo. La otra no dice prácticamente nada. Cuanto tardarán en salir campañas altamente dirigidas contra los clientes de estos. Como diría Sancho Panza: "¿Qué desatino es éste por Dios?".Dos brechas en un día. Basic-Fit y Booking. ¿Qué desatino es éste?Dos brechas en un día. Basic-Fit y Booking. ¿Qué desatino es éste?
Experiencia y educación
-
Straumann Group
Mira la experiencia completa de Carlos
Mira su cargo, antigüedad y más
Al hacer clic en «Continuar» para unirte o iniciar sesión, aceptas las Condiciones de uso, la Política de privacidad y la Política de cookies de LinkedIn.
Licencias y certificaciones
Experiencia de voluntariado
Proyectos
-
SOaC
-
🔹 WHAT I'M BUILDING
SOaC (Security Operations as Code) - a framework that brings Infrastructure-as-Code principles to security operations.
Think: Git for detection rules. CI/CD for incident response. Terraform for SOC workflows.
Built on FastAPI, React, PostgreSQL+Prisma and AI.
🔹 THE PROBLEM I'M SOLVING
Security operations today:
❌ Tribal knowledge that disappears when people leave
❌ Detection rules with no version control
❌ Manual testing against…🔹 WHAT I'M BUILDING
SOaC (Security Operations as Code) - a framework that brings Infrastructure-as-Code principles to security operations.
Think: Git for detection rules. CI/CD for incident response. Terraform for SOC workflows.
Built on FastAPI, React, PostgreSQL+Prisma and AI.
🔹 THE PROBLEM I'M SOLVING
Security operations today:
❌ Tribal knowledge that disappears when people leave
❌ Detection rules with no version control
❌ Manual testing against production (risky)
❌ Screenshot-based documentation
❌ Audit nightmares
Security operations with SOaC:
✅ Knowledge captured as code
✅ Full Git history and rollback
✅ Automated testing before deployment
✅ Documentation lives with the code
✅ Compliance by default
🔹 WHO THIS IS FOR
SOC teams who:
• Think in code
• Value transparency over black boxes
• Want to own their security logic
• Are tired of vendor lock-in
• Operate (or want to operate) like modern engineering teams
🔹 EARLY RESULTS
• 26 organizations | 2,500+ detection rules deployed
• 81% avg reduction in false positives
• 15-minute mean time to detect
• 94% analyst satisfaction improvement
🔹 MY COMMITMENT
• I respond to every message.
• I onboard early adopters personally.
• I build in public and share everything we learn.
This isn't just a product. It's a movement.
🔹 LET'S CONNECT
→ Trying SOaC: https://github.com/ge0mant1s/soacframe-community
→ Questions: DM me directly (I will get back to you as soon as I can)
→ Following the journey: Hit "Follow" above
Security operations doesn't have to be heroic firefighting.
It can be systematic, reproducible, and sustainable.
Let's build the future together.
Idiomas
-
English
Competencia bilingüe o nativa
-
French
Competencia básica profesional
-
Italian
Competencia profesional completa
-
Spanish
Competencia bilingüe o nativa
Recomendaciones recibidas
-
Usuario de LinkedIn
2 personas han recomendado a Carlos
Unirse para verlo