Ismael Valenzuela

7K posts

@aboutsecurity

VP Labs, Threat Research & Intel @AWNetworks ▪️ SANS Author & Senior Instructor #GSE 132 ▪️ #SEC530 #ThinkRedActBlue @TheMondayBrief

Malaga, Spain 🛫 NYC-NJ, USA🗽 Joined June 2009
9.3K Following · 18.4K Followers
Pinned Tweet
Ismael Valenzuela (@aboutsecurity)
🔥 Amazing day at the @SANSInstitute #AISummit 2026. I had the chance to join the SANS360 lightning talks. 10 practitioners, 6 minutes each. No fluff. My message was simple: #AI is collapsing prevention time, but time-based security still holds. Speed doesn’t make these attacks smarter. In fact, it often makes them more fragile. To show how #AllAroundDefenders can flip the script, today we introduced #Decipio, our latest community project from the @AWNetworks Labs team. #Decipio injects controlled “lies” into the environment to expose credential theft the moment it begins. It also applies automation and AI-assisted workflows defensively, creating a home-field advantage for defenders. To protect the #cyberdefense community, we decided to release Decipio as a gated, community-driven release. 👉 You can start requesting access today through our website, and learn more about it in our latest blog: 🔹 arcticwolf.com/decipio/ 🔹 arcticwolf.com/resources/blog… #CyberDefense #AI #ThinkRedActBlue
Ismael Valenzuela retweeted
The Monday Brief (@TheMondayBrief)
In today's issue of @TheMondayBrief, @aboutsecurity and @fulmetalpackets unpack four signals where adversaries went after the layers defenders use to define trust itself:
1️⃣ A PAN-OS zero-day (CVE-2026-0300) gave suspected state-sponsored actors root on internet-facing firewalls for nearly a month before disclosure.
2️⃣ MuddyWater dressed an Iranian espionage operation as a Chaos ransomware hit to misdirect IR.
3️⃣ Russian-linked actors struck Polish water treatment SCADA amid a 144% year-over-year surge in attacks on Poland. 📷
🔗 Read the full issue: themondaybrief.substack.com/p/state-sponso…
#ThinkRedActBlue #ThreatIntelligence #ZeroTrust #DetectionEngineering #CISO
Ismael Valenzuela (@aboutsecurity)
SANS Institute (@SANSInstitute)

SANS Senior Instructor Ismael Valenzuela (@aboutsecurity) co-authored his #SEC530 course around a simple idea: think like an attacker, act like a defender. His Think Red, Act Blue framework has shaped how thousands of security professionals approach defensible architecture — from network segmentation and identity controls to cloud security across the hybrid enterprise. Ismael is teaching SEC530: Defensible Security Architecture and Engineering at #SANSFIRE 2026 in Washington, D.C. this July. If your team is ready to start implementing Zero Trust as an architecture, this is the course to take. 🔗 Register for SANSFIRE 2026 → go.sans.org/gMPqBA #SANSLiveTraining

Ismael Valenzuela retweeted
International Cyber Digest (@IntCyberDigest)
🚨 Two US cybersecurity professionals have been sentenced for moonlighting as ALPHV BlackCat ransomware affiliates. Ryan Goldberg, 40, of Georgia, and Kevin Martin, 36, of Texas, deployed BlackCat ransomware against multiple US victims between April and December 2023. They paid the operators a 20% cut for access to the platform, hit medical and engineering firms, leaked patient data to pressure payment, and split a $1.2 million Bitcoin ransom three ways with co-conspirator Angelo Martino. Martino had a second job. He worked as a ransomware negotiator for victims, and used that role to leak confidential victim information to the attackers to push ransom prices up. When Goldberg tried to flee abroad, the FBI tracked him through 10 countries before he was caught. Both men were sentenced yesterday. Martino is sentenced July 9.
Ismael Valenzuela retweeted
Virus Bulletin (@virusbtn)
Arctic Wolf Labs reports BlueNoroff using fintech-themed impersonation & fake Zoom meetings to target a Web3 company. The victim’s live camera feed was captured for reuse in future lures; the infection chain deployed fileless PowerShell & browser injection arcticwolf.com/resources/blog…
Ismael Valenzuela retweeted
The Monday Brief (@TheMondayBrief)
Attackers didn’t break new ground this week. They operated where no one was looking.
Four intrusions. Different entry points. Same pattern.
- A stolen OAuth token from an AI tool became cross-environment access
- A patched firewall stayed compromised for months
- Consumer routers became covert relay infrastructure
- Teams messages delivered malware outside traditional inspection paths
The pattern is clear. The attack surface is not where controls exist. It is where visibility ends.
🔴 Think Red: You don’t need to bypass controls if you can operate outside of them
🔵 Act Blue: Monitor the parts of your environment that fall outside your normal coverage
Read the full breakdown by @fulmetalpackets and @aboutsecurity: themondaybrief.substack.com/p/a-stolen-oau…
The Monday Brief is written to be shared.
#Cybersecurity #ThreatIntelligence #CISO #DetectionEngineering #TheMondayBrief
Ismael Valenzuela retweeted
Arctic Wolf (@AWNetworks)
Arctic Wolf recently observed a large-scale device code phishing campaign leveraging the Kali365 phishing‑as‑a‑service platform to obtain initial access and conduct follow-on activity. Learn more here: ow.ly/brHg50YPwrs
Ismael Valenzuela retweeted
SANS Institute (@SANSInstitute)
📣 Don’t miss the return of SANS360 — starting now! 💥 10 experts. 360 seconds each. = 60 minutes of rapid-fire technical brilliance! We’re closing out the virtual portion of Day 1 of SANS AI Cybersecurity Summit with power-packed AI Cybersecurity talks — featuring practical solutions you can use now to integrate AI/ML into your security workflows. ➡️ It's not too late to Register for Free & Join Us: sans.org/u/1CNB #AISummit #AI #GenAI #cybersecurity
Ismael Valenzuela (@aboutsecurity)
Jacob Klein, head of threat intel at @AnthropicAI, sharing how AI (Claude in this case) is powering and enabling threat actors. Are you thinking the same I am thinking? 🤔💭 #AISummit
Ismael Valenzuela (@aboutsecurity)
Bruce Schneier kicking off the @SANSInstitute #AISummit talking about integrity, trust, manipulation, and our choices when it comes to decision making.
Ismael Valenzuela retweeted
Rob T. Lee (@robtlee)
Friday afternoon @gadievron says "I'm working on a CISO community document for Monday. Want to collaborate? Releasing Monday." I said "Sure." (I have a problem with that word.) @AnthropicAI had dropped Mythos on Monday. @cloudsa is running an emergency CISO Zoom on Tuesday. @SANSInstitute was already building BugBusters this Thursday with Ed Skoudis, Joshua Wright, and Chris Elgee. The entire community was asking the same question: what do we actually DO about this? Three nights later we have a 30-page strategy briefing with 60+ contributors. "Sure" turned into barely sleeping Friday, Saturday, Sunday while @gadievron and @rmogull dragged this thing into existence. (My son checked to see if I was still breathing around hour 40. I think he was mostly concerned about if Uber Eats delivered Five Guys yet.) The contributing authors list reads like someone raided a cybersecurity hall of fame: Jen Easterly, Bruce Schneier, Chris Inglis, @philvenables, Heather Adkins @argvee, @RGB_Lights, @sounilyu, @jimreavis, Katie Moussouris @k8em0, Jon Stewart, Maxim Kovalsky, David Scott Lewis, Joshua Saxe, John Yeoh, Ramy Houssaini and James Lyne. Every single one said yes within hours. Cloud Security Alliance @cloudsa, @SANSInstitute, [un]prompted, @OWASPGenAISec -- four organizations that don't usually build things together at this speed. This is the start. SANS reviewers who showed up: Chris Cochran @chrishvm, @edskoudis, Viswanath S Chirravuri @vchirrav, @bettersafetynet, Ciaran Martin Thursday @edskoudis, @joswr1ght, and @chriselgee stop talking and start showing. Live AI-assisted vulnerability discovery against real code. No slides about the future. Terminals and bugs. (The kind of demo where something breaks and that IS the point.) Full reviewer list is in the doc. If you know someone on it, send them a note. They earned it. 
But an even bigger thank you -- seriously -- from the entire cyber security community needs to go to @gadievron for once again bringing the avengers together -- like in Endgame (is that what Mythos is?) -- and you all know the scene -- but we need someone to create the meme with Gadi Evron with his shield and Mjölnir saying "Avengers..... assemble!" because that is exactly what he does. A lot it seems. Read it: labs.cloudsecurityalliance.org/mythos-ciso Going to sleep now. Setting my alarm for Thursday. (Not joking.) #CyberSecurity #AISecurity #SANSInstitute
Ismael Valenzuela retweeted
Ryan "Chaps" Chapman (@rj_chap)
Did you know that @CISAgov's Known Exploited Vulnerabilities (KEV) catalogue includes a "knownRansomwareCampaignUse" field? If you want to pull just the CVEs that have this field set to "Known" (i.e. that have been associated with ransomware activity), I whipped up a 'lil curl command for ya:
curl -L for528.com/cves-kev-json | jq -c '.vulnerabilities[] | select(.knownRansomwareCampaignUse == "Known")'
Easy peasy! Note: You'll need jq installed (e.g. `sudo apt install jq` in bash). Learn this #ransomware tip and more in our @SANSInstitute | @sansforensics FOR528: Ransomware and Cyber Extortion course -- sans.org/for528
Ismael Valenzuela retweeted
Rob T. Lee (@robtlee)
Registration is OPEN for Find Evil! the first hackathon for autonomous AI incident response. Built by the community, for the community. $22K+ in prizes. Mission: Make Protocol SIFT, the framework connecting AI agents to the SIFT Workstation's full toolset, into a fully autonomous incident response agent. SIFT Workstation is a beat to shreds, open-source incident response platform with 200+ tools. 19 years of community development. 60K+ downloads annually. No incident response background required. New to AI? Good. Get your hands on the tools and learn with us. Registration open April 1. Hackathon starts April 15. Submissions due June 15. Register: findevil.devpost.com Read more: robtlee73.substack.com/p/registration… Sponsored by @SANSInstitute
Ismael Valenzuela retweeted
Arctic Wolf (@AWNetworks)
The threat actor TeamPCP has launched a coordinated campaign targeting security tools and open-source developer infrastructure by pivoting with stolen CI/CD secrets and signing credentials. Learn more in our latest security bulletin: ow.ly/6N5V50YzPGm