Ismael Valenzuela
About
Bridging Offense
and Defense
With more than two decades of international cybersecurity experience, Ismael Valenzuela has helped governments, Fortune 500 companies, and critical infrastructure providers defend against some of the world's most advanced adversaries. He is the creator of the Think Red, Act Blue philosophy — the framework behind SANS SEC530: Defensible Security Architecture and Engineering — which challenges defenders to adopt the adversary's perspective in order to build security architectures that actually hold. As a Senior Instructor at SANS and author of SEC530, he channels those lessons into hands-on training for students worldwide, while serving as Vice President of Labs, Threat Research & Intelligence at Arctic Wolf, where he leads detection engineering, intelligence, and security innovation for one of the largest commercial SOCs in the world.
Today, much of his work focuses on the intersection of zero trust and artificial intelligence — from securing autonomous AI agents and non-human identities to operationalizing threat-informed defense at machine speed. He is the author of SANS resources including the Agentic AI Threat Map and Zero Trust for AI Agents: The Security Checklist, and co-publishes The Monday Brief, a weekly newsletter on security, strategy, and threat intelligence. Ismael currently serves as co-chair of a new advisory panel under the international Counter Ransomware Initiative (CRI), focused on enhancing public-private collaboration to combat ransomware through intelligence sharing, joint disruption efforts, and policy innovation.
One of a select few to hold the prestigious GIAC Security Expert (GSE #132) certification and featured in Wiley's Tribe of Hackers Blue Team alongside the industry's leading defenders, he fosters a global community of 'All Around Defenders' through his blog, open-source tools, and frequent talks at conferences such as RSA, Black Hat, and SANS Summits.
Speaking & Media
Featured Interviews & Presentations
A selection of spotlight interviews and talks.

From Building Defenders to Commanding Cyber Labs — Ismael Valenzuela
Open
▶AI, Automation & Threat Modeling: Lessons Learned from Hacking the Planet
Open
▶AI-Powered BladeRunners, Part 2: Threat Intelligence Meets Zero Trust
Open
▶The Replicant Problem: Zero Trust in the Age of Autonomous AI Agents
Open
▶Lightning Talk: Detection Engineering with AI & Deception
Open
▶Hacktics & Telemetry, E9: Mythos Mania, Thinking Red, and Acting Blue
OpenLatest Videos
Hacktics & Telemetry, E9: Mythos Mania, Thinking Red, and Acting Blue
The Replicant Problem: Zero Trust in the Age of Autonomous AI Agents
Lightning Talk: Detection Engineering with AI & Deception
AI, Automation & Threat Modeling: Lessons Learned from Hacking the Planet
Secure Communications in Embedded Systems
A Conversation With Ismael Valenzuela About AI and Threat Intelligence
Threat Researcher Insights: A Day with Ismael Valenzuela
Zero Assumptions: Expert Threat Intel Roundtable on Emerging Cybersecurity Threats
Hybrid Fortresses: How a Defensible Security Architecture Raises the Bar Against Modern Attacks
A Conversation on Maritime Security with BlackBerry Threat Intelligence
Meet SANS Senior Instructor: Ismael Valenzuela
Adopting Zero Trust With Ismael Valenzuela: Less Trust
In the Press
Loading press…
Conference Talks
The Replicant Problem: Zero Trust in the Age of Autonomous AI Agents
Vibe Detection Engineering: Accelerating Defense with Compound AI and Decepticon
AI, Automation & Threat Modeling: Lessons Learned from Hacking the Planet
What Hacking the Planet Taught Us About Defending Supply Chain Attacks (w/ Douglas McKee)
macOS: Tracking High Profile Targeted Attacks, Threat Actors & TTPs (w/ Dmitry Bestuzhev)
Think Red, Act Blue: Hacking Proprietary Protocols (w/ Douglas McKee)
Architecting for Security Operations: Divide and Conquer!
How to 'Hack' Your Career in Cybersecurity
Intelligence Driven Defense: Successfully Embedding Cyber Threat Intel in Security Operations
rastrea2r (reloaded!): Collecting & Hunting for IOCs with Gusto and Style
Hunting Adversaries with Investigation Playbooks & OpenCNA
Hunting Threats Inside Your Network with rastrea2r
rastrea2r
Podcasts & Audio
From Building Defenders to Commanding Cyber Labs: Ismael Valenzuela's Journey
The Day I Found an APT Group in the Most Unlikely Place
Secure Communications in Embedded Systems
A Conversation With Ismael Valenzuela About AI and Threat Intelligence
Threat Researcher Insights: A Day with Ismael Valenzuela
Arctic Wolf Labs Threat Intelligence Expert Roundtable on Emerging Threats
AI is Changing the Cybersecurity Threat Landscape
Cyber and Business are Becoming One with Ismael Valenzuela
Adopting Zero Trust with Ismael Valenzuela: Less Trust
On Cyber Security Interviews — Episode 009
Ismael Valenzuela, SANS Institute — Enterprise Security Weekly #70
Equipos de Respuesta a Incidentes de Seguridad Informática
Publications & Resources
CRI Advisory Panel Communiqué: Public-Private Sector Advisory Panel Welcomes New Members
The Agent Identity Problem: Applying Zero Trust to AI Agents
Agentic AI Threat Map
Zero Trust for AI Agents: The Security Checklist
Vibe Detection Engineering: Accelerating Defense with Compound AI & Decepticon
Token Bingo: Don't Let Your Code Be the Winner
Assessing the Role of AI in Zero Trust
Top 5 Mistakes Businesses Make When Implementing Zero Trust
Overall Product Security Assessment Process
Zero Trust Blog Series: Operating for Zero Trust
Zero Trust Blog Series 3: Instrumenting for Zero Trust
Zero Trust Blog Series 2: Architecting for Zero Trust
Zero Trust Blog Series 1: Adopting a Zero Trust Mindset
Tribe of Hackers Blue Team: Tribal Knowledge from the Best in Defensive Cybersecurity
Mac OS Forensics How-To: Simple RAM Acquisition and Analysis (Part 2)
SANS Webcasts & Virtual Events
Fall Cyber Solutions Fest 2026: Identity Security & Zero Trust Track
SANS 2026 Government Security Forum
CTI Summit Solutions Track: CTI in the AI Arms Race (Day 1)
Fall Cyber Solutions Fest 2025: Threat Track
SANS 2025 Government Security Forum
Secure Your Fortress: Building Robust and Resilient Defenses for 2025
Fall Cyber Solutions Fest 2024: Zero Trust Track
Secure Your Fortress: 2024's Top Defense Strategies and Trends
2024 Government Security Forum
Secure Your Fortress: Cutting-Edge Defense Techniques for 2024
Do You Trust Your Hardware Appliances? Should You? (w/ Douglas McKee)
Cyber Threat Intelligence Summit Solutions Track 2024
Cyber Solutions Fest 2023: Threat Hunting & Intelligence
Combating Supply Chain Attacks with Product Security Testing (w/ Douglas McKee)
Open Source Projects
View all on GitHub →attck-lens
Think Red. Act Blue. | A MITRE ATT&CK v18 Intelligence Dashboard
rsac2025
AI, Automation, & Threat Modeling: Lessons Learned from Hacking the Planet
jupyter-notebooks
My Jupyter Notebooks — threat hunting, data science for cybersecurity
blueteam_homelabs
Great List of Resources to Build an Enterprise Grade Home Lab
rastrea2r
Collecting & Hunting for IOCs with gusto and style
Talks-and-Presentations
Slides and other resources from my latest talks and presentations
Latest News
Fetching latest press…
The Framework
Think Red.
Act Blue.
As the creator of the Think Red, Act Blue philosophy — the foundational framework behind SANS SEC530: Defensible Security Architecture & Engineering — I've spent my career bridging the gap between offensive threat understanding and defensive security operations. Think Red, Act Blue challenges security teams to adopt the adversary's perspective not to attack, but to architect smarter, more resilient defenses. This approach has shaped how thousands of security professionals worldwide design detection strategies, build zero-trust architectures, and operationalize threat intelligence — moving the industry away from checkbox compliance toward continuous, threat-informed defense. As a SANS course author and instructor, I bring this philosophy to life through hands-on labs and real-world scenarios that equip defenders to stay ahead of evolving threats.
Credentials
GIAC Certifications
15 active certifications · GIAC certified since 2007.
GSEGIAC Security Expert
GSPGIAC Security Professional
GX-CSGIAC Experienced Cybersecurity Specialist
GX-IAGIAC Experienced Intrusion Analyst
GX-IHGIAC Experienced Incident Handler
GDSAGIAC Defensible Security Architect
GMONGIAC Continuous Monitoring
GSNAGIAC Systems and Network Auditor
GCIHGIAC Certified Incident Handler
GREMGIAC Reverse Engineering Malware
GCWNGIAC Certified Windows Security Administrator
GWAPTGIAC Web Application Penetration Tester
GPENGIAC Penetration Tester
GCIAGIAC Certified Intrusion Analyst
GCFAGIAC Certified Forensic AnalystThe Ecosystem
Where the Work Lives
Think Red. Act Blue.
The philosophy and framework site — adversary-perspective defense methodology for security practitioners.
www.thinkredactblue.comThe Monday Brief
Weekly signals-to-decisions newsletter on security, strategy, and threat intelligence.
themondaybrief.comATT&CK Lens
Interactive MITRE ATT&CK coverage and gap analysis tool built on the Think Red, Act Blue framework.
lens.thinkredactblue.comAll Around Defender
Practitioner school for security defenders — hands-on training for the modern security operations team.
SANS Institute
Upcoming Courses
Let's Connect
Get In Touch
Follow the work across platforms or reach out directly.
Newsletter
Get The Monday Brief
Weekly signals to decisions — curated intelligence, threat trends, and practitioner insights delivered every Monday.
Subscribe on Substack →