Ismael Valenzuela
GSE #132SANS Senior InstructorVP Labs, Arctic Wolf Networks

Ismael Valenzuela

Creator of the Think Red, Act Blue philosophy | Redefining how defenders think about adversaries — now applying zero trust to AI agents and the agentic era.

New York · New Jersey

Portrait of Ismael Valenzuela

About

Bridging Offense
and Defense

GSE #132
SANS Senior Instructor
VP Labs, Arctic Wolf Networks

With more than two decades of international cybersecurity experience, Ismael Valenzuela has helped governments, Fortune 500 companies, and critical infrastructure providers defend against some of the world's most advanced adversaries. He is the creator of the Think Red, Act Blue philosophy — the framework behind SANS SEC530: Defensible Security Architecture and Engineering — which challenges defenders to adopt the adversary's perspective in order to build security architectures that actually hold. As a Senior Instructor at SANS and author of SEC530, he channels those lessons into hands-on training for students worldwide, while serving as Vice President of Labs, Threat Research & Intelligence at Arctic Wolf, where he leads detection engineering, intelligence, and security innovation for one of the largest commercial SOCs in the world.

Today, much of his work focuses on the intersection of zero trust and artificial intelligence — from securing autonomous AI agents and non-human identities to operationalizing threat-informed defense at machine speed. He is the author of SANS resources including the Agentic AI Threat Map and Zero Trust for AI Agents: The Security Checklist, and co-publishes The Monday Brief, a weekly newsletter on security, strategy, and threat intelligence. Ismael currently serves as co-chair of a new advisory panel under the international Counter Ransomware Initiative (CRI), focused on enhancing public-private collaboration to combat ransomware through intelligence sharing, joint disruption efforts, and policy innovation.

One of a select few to hold the prestigious GIAC Security Expert (GSE #132) certification and featured in Wiley's Tribe of Hackers Blue Team alongside the industry's leading defenders, he fosters a global community of 'All Around Defenders' through his blog, open-source tools, and frequent talks at conferences such as RSA, Black Hat, and SANS Summits.

Speaking & Media

Featured Interviews & Presentations

A selection of spotlight interviews and talks.

Conference Talks

Podcasts & Audio

Publications & Resources

SANS Webcasts & Virtual Events

Open Source Projects

View all on GitHub →

Latest News

Fetching latest press…

The Framework

Think Red.
Act Blue.

As the creator of the Think Red, Act Blue philosophy — the foundational framework behind SANS SEC530: Defensible Security Architecture & Engineering — I've spent my career bridging the gap between offensive threat understanding and defensive security operations. Think Red, Act Blue challenges security teams to adopt the adversary's perspective not to attack, but to architect smarter, more resilient defenses. This approach has shaped how thousands of security professionals worldwide design detection strategies, build zero-trust architectures, and operationalize threat intelligence — moving the industry away from checkbox compliance toward continuous, threat-informed defense. As a SANS course author and instructor, I bring this philosophy to life through hands-on labs and real-world scenarios that equip defenders to stay ahead of evolving threats.

Credentials

GIAC Certifications

15 active certifications · GIAC certified since 2007.

Verify on GIAC
GIAC Security Professional (GSP) certification badgeGSPGIAC Security Professional#107 · 2023
GIAC Experienced Cybersecurity Specialist (GX-CS) certification badgeGX-CSGIAC Experienced Cybersecurity Specialist#107 · 2023
GIAC Experienced Intrusion Analyst (GX-IA) certification badgeGX-IAGIAC Experienced Intrusion Analyst#107 · 2023
GIAC Experienced Incident Handler (GX-IH) certification badgeGX-IHGIAC Experienced Incident Handler#107 · 2023
GIAC Defensible Security Architect (GDSA) certification badgeGDSAGIAC Defensible Security Architect#112 · 2019
GIAC Continuous Monitoring (GMON) certification badgeGMONGIAC Continuous Monitoring#20 · 2015
GIAC Systems and Network Auditor (GSNA) certification badgeGSNAGIAC Systems and Network Auditor#3975 · 2012
GIAC Certified Incident Handler (GCIH) certification badgeGCIHGIAC Certified Incident Handler#20860 · 2012
GIAC Reverse Engineering Malware (GREM) certification badgeGREMGIAC Reverse Engineering Malware#3237 · 2012
GIAC Certified Windows Security Administrator (GCWN) certification badgeGCWNGIAC Certified Windows Security Administrator#2093 · 2010
GIAC Web Application Penetration Tester (GWAPT) certification badgeGWAPTGIAC Web Application Penetration Tester#193 · 2009
GIAC Penetration Tester (GPEN) certification badgeGPENGIAC Penetration Tester#1723 · 2009
GIAC Certified Intrusion Analyst (GCIA) certification badgeGCIAGIAC Certified Intrusion Analyst#3348 · 2008
GIAC Certified Forensic Analyst (GCFA) certification badgeGCFAGIAC Certified Forensic Analyst#2787 · 2007

The Ecosystem

Where the Work Lives

SANS Institute

Upcoming Courses

DateCourseLocation
Jul 13–18, 2026SEC530: Defensible Security Architecture & EngineeringWashington, DC (SANSFIRE 2026)Register ↗
Sep 28 – Oct 3, 2026SEC530: Defensible Security Architecture & EngineeringParis, France (SANS Paris Sep 2026)Register ↗

Newsletter

The Monday Brief

Read all issues →

Let's Connect

Get In Touch

Follow the work across platforms or reach out directly.

Newsletter

Get The Monday Brief

Weekly signals to decisions — curated intelligence, threat trends, and practitioner insights delivered every Monday.

Subscribe on Substack →