Episodes

  • S6:E3 - Tom Dejong - Inside the BHIS SOC: Triage, Curiosity, and Career Growth
    May 4 2026
    Episode Summary

    In this episode of Simply Defensive, hosts Josh Mason and Wade Wells sit down with Tom Dejong, Triage Lead at Black Hills Information Security (BHIS). Tom shares his unconventional path into cybersecurity — from a South Dakota apprenticeship scholarship to becoming one of the most detail-oriented analysts in the BHIS SOC. The conversation covers the realities of SOC triage, the importance of detailed documentation, mentoring new analysts, and how AI is reshaping (but not replacing) blue team work.

    Whether you're an aspiring SOC analyst, a seasoned defender, or someone curious about how to build a career in cyber without a traditional path, Tom's story and practical advice will resonate.

    What You'll Learn:
    • How the Build Dakota Scholarship led Tom from apprenticeship to a cybersecurity career
    • What it's really like working triage at the BHIS SOC
    • Why detailed ticket notes are a force multiplier for SOC teams
    • The hypothesis-driven approach to alert investigation
    • How to pivot off IPs, hashes, process names, and file paths
    • Why curiosity is the #1 skill for SOC analysts
    • How AI is being used in modern SOCs (and why it's not taking your job)
    • The challenge of building SOC training and webcasts
    • Advice for handling mistakes and learning from them

    Episode Highlights:
    • Tom's Journey Into Cyber: From discovering Darknet Diaries and hearing John Strand mention Spearfish, South Dakota — the same town Tom was living in — to landing his first day at Wild West Hacking Fest 2022 as a BHIS intern.
    • The Triage Mindset: Tom walks through his approach to investigating alerts: starting with detection logic, checking for prior tickets, and breaking down each piece of evidence in writing to make the logic click.
    • Documentation as a Superpower: Why Tom believes detailed notes aren't just nice-to-have — they're essential for the next analyst down the line and for his own thought process.
    • AI in the SOC: Tom's honest take on using AI for investigations, polishing client communications, and writing detection logic — plus why he's not worried about it taking his job.
    • Advice for Blue Teamers: You're going to make mistakes. Use them as learning experiences. Lean on your teammates. Stay curious.

    Timestamps:
    00:00 Intro and Welcome
    01:00 Tom's Role at the BHIS SOC
    01:30 From Apprenticeship to Cybersecurity: The Build Dakota Story
    03:00 Discovering BHIS Through Darknet Diaries
    04:00 Wild West Hacking Fest as Day One
    04:30 Behind the Scenes of a SOC Webcast
    06:30 The Art of Alert Triage and Pivoting
    08:30 Building Conference Talks and Training Content
    10:30 Where Tom Sees His Career Going
    11:30 Why Curiosity Is the #1 SOC Skill
    12:30 Favorite Alert Types to Work
    14:00 Round Robin vs. Self-Assigned Tickets
    15:00 Note-Taking and Documentation Best Practices
    19:00 Building a Hypothesis When an Alert Comes In
    20:30 AI in the SOC: Hype, Reality, and Use Cases
    24:00 Will AI Replace SOC Analysts?
    26:00 Training Resources for New Analysts
    28:00 Advice for Aspiring Blue Teamers
    29:30 Closing Thoughts

    Resources Mentioned:
    → Black Hills Information Security: https://www.blackhillsinfosec.com/
    → Antisyphon Training: https://www.antisyphontraining.com/
    → Build Dakota Scholarship: https://www.builddakotascholarships.com/
    → Darknet Diaries Podcast: https://darknetdiaries.com/
    → Wild West Hacking Fest: https://wildwesthackinfest.com/

    Connect with Tom:
    → LinkedIn: Tom Dejong at Black Hills Information Security
    → BHIS Webcasts & Workshops: Available through Black Hills Information Security

    Connect with Your Hosts:
    → Josh Mason: https://www.linkedin.com/in/joshuacmason/
    → Wade Wells: https://www.linkedin.com/in/wadingthrulogs/
    31 mins
  • S6E2: John Hammond on Security Research, Storytelling, Deception, and Getting Hired in Cybersecurity
    Mar 17 2026

    John Hammond on Security Research, Storytelling, and Deception for Defenders

    In this Simply Defensive episode, hosts Josh Mason and Wade Wells interview John Hammond, a Huntress security researcher, YouTuber, and educator, about his career path and defensive research. Hammond explains he has never worked as a penetration tester, SOC analyst, or detection engineer, instead “falling into” security research through hands-on Capture the Flag work and building cyber threat emulation course content, earning Offensive Security’s OSCE3 bundle recognition. He discusses why storytelling and communication are critical for translating attacker tradecraft into actionable defenses, emphasizing understanding the attack chain to identify places to break it. He recommends building a public portfolio of write-ups and notes, and says multiple creators covering the same topic can still provide value through different explanations. The conversation also highlights endpoint deception and honeypots, challenges of reversing compiled binaries versus script-based malware, and his advice to document thoroughly in shared organizational knowledge bases.

    00:00 S6E2: John Hammond on Security Research, Storytelling, Deception, and Getting Hired in Cybersecurity
    01:27 Meet John Hammond
    01:57 Security Researcher Life
    04:43 OffSec Certs Explained
    06:55 From CTF to Research
    08:47 Storytelling in Cyber
    12:10 Turning Attacks to Defense
    15:19 Getting Hired as Researcher
    16:48 Portfolio and Honeypots
    19:05 Make the Video Anyway
    21:40 Alternate Data Streams Nerdout
    23:36 CTFs Then and Now
    24:28 Life Shifts Priorities
    25:44 Beyond CTFs Next Trend
    26:52 Deception Meets Detection
    28:48 Honeypots and Program Maturity
    31:13 Malware Reversing Boss Fights
    35:09 Blue Team Advice Document Everything
    37:51 Where to Find John and Training
    38:49 Wrap Up and Farewell

    39 mins
  • From Blue Team Challenges to AI Innovations: A Conversation with Jason Haddix
    Feb 24 2026

    In this episode of Simply Defensive, Josh Mason and Wade Wells sit down with Jason Haddix — CISO veteran, AI security thought leader, and founder of Arcanum Information Security — for a wide-ranging conversation on where AI is actually headed in cybersecurity, and what blue teamers need to know right now.

    Jason shares what he's learned from running AI scaling assessments inside major enterprises, why most organizations are still in the early stages of AI adoption, and how the industry needs to stop thinking about AI security like traditional web app security. He breaks down the stages of AI adoption (from custom bots to agents), explains why input validation is a losing game for LLM security, and makes the case for classifiers, guardrails, and LLM-based routing as the real defense-in-depth play for AI systems.

    Wade and Jason also revisit the Red Blue Purple AI course, talk through how RAG and context engineering are transforming what's possible for blue teamers, and discuss why the credential leakage problem is still one of the biggest vectors defenders aren't taking seriously enough.

    Topics covered:

    • Why CTI struggles to prove value — and where it actually matters most
    • Stealer logs, credential leakage, and when rolling an account isn't enough
    • AI adoption stages: custom bots → RAG → agents
    • Why SOAR skepticism is a preview of AI hesitancy
    • Context engineering vs. prompt engineering
    • Defending AI systems: prompt-level protections, classifiers, guardrails, and LLM routing
    • When does a prompt become IP?
    • Jason's advice for blue teamers: embrace AI as a tool, find your annoying tasks, and start chipping away

    Connect with Jason Haddix:

    • Twitter/X: @jhaddix
    • Arcanum Information Security: arcanam-sec.com
    • GitHub (free tools & resources): ARCanum Information Security on GitHub
    • Newsletter: Executive Offense by Jay Haddix

    Resources mentioned:

    • Red Blue Purple AI Course (ARCanum)
    • Flare (threat intelligence / credential monitoring): flare.io
    • Detections.ai

    Connect with the Hosts:

    • Josh Mason: linkedin.com/in/joshuacmason
    • Wade Wells: linkedin.com/in/wadingthrulogs
    32 mins
  • From Pre-Law to FLARE: How Josh Stroschein Became Google's Malware Analyst
    Dec 1 2025

    In this episode of Simply Defensive, Josh Mason and Wade Wells sit down with Josh Stroschein — aka The Cyber Yeti — a former professor turned reverse engineer now working on one of the largest malware analysis teams in the world.


    Josh shares his unconventional path through .NET development, credit card processing security, and academia before landing at Google. He opens up about teaching reverse engineering while learning it himself, building educational CTFs, and the realities of making it as a full-time reverse engineer in an industry where those roles are rare.


    What you'll hear:

    🔹 From pre-law to pilot training to PhD in cybersecurity

    🔹 How teaching RE forced him to truly master it

    🔹 Life inside Google's FLARE team (via Chronicle → Mandiant)

    🔹 Flareon CTF — the RE challenge that's run for 12 years

    🔹 A wild Black Hat NOC story involving an infected Mac and Atomic Stealer

    🔹 Using AI to build malware samples for training labs

    🔹 Why going low-level is the best advice for blue teamers


    Chapters:

    00:00 Introduction and Welcome

    00:50 Josh's Connection to Dr. Gerald Auger

    02:00 The Non-Traditional Path: Pre-Law, Pilot Training & .NET Dev

    05:00 Getting Into Security at a Credit Card Processor

    07:00 Teaching Reverse Engineering at Dakota State

    10:00 Flareon CTF and Educational CTF Design

    14:00 Is Reverse Engineering Offensive or Defensive?

    17:00 How Rare Are Full-Time RE Roles?

    21:00 The Path to Google: Chronicle, Mandiant & FLARE

    25:00 Learning Through Teaching and YouTube Content

    28:00 Black Hat NOC Story: Catching Atomic Stealer Live

    33:00 Using AI to Create Malware Training Samples

    37:00 Building a Defang Tool (and .NET Nightmares)

    40:00 Advice for Blue Teamers: Go Low-Level


    🎧 Find Josh Stroschein:

    → Website: https://www.thecyberyeti.com

    → YouTube: The Cyber Yeti

    → Podcast: The Cyber Yeti Podcast


    👥 Connect with the Hosts:
    → Josh Mason: https://www.linkedin.com/in/joshuacmason/
    → Wade Wells: https://www.linkedin.com/in/wadingthrulogs/
    → Swimlane: https://www.linkedin.com/company/swimlane


    🎙️ Listen on Your Favorite Platform:
    → Spotify: https://open.spotify.com/show/72QTocT5FSTSPV7o1UcMS4
    → Apple Podcasts: https://podcasts.apple.com/us/podcast/simply-defensive/id1773806182
    → Full Playlist: https://youtube.com/playlist?list=PL4Q-ttyNIRAr6DVrsASx1-Fv-TsooJ3M4


    👍 If you enjoyed this episode, don't forget to like, subscribe, and share with your fellow defenders. Every week, Josh Mason and Wade Wells bring you practical, no-fluff conversations with cybersecurity professionals who are doing the work.


    =========================
    All the ways to connect with Simply Cyber
    https://SimplyCyber.io/Socials
    =========================
    This podcast is presented by Simply Cyber Media Group

    40 mins
  • Building Zero Trust Tools: Inside ThreatLocker with Product Manager Yuriy Tsibere
    Nov 24 2025

    In this episode of Simply Defensive, hosts Josh Mason and Wade Wells welcome Yuriy Tsibere, Product Manager at ThreatLocker, for a behind-the-scenes look at how security products actually get built.


    Yuriy's path to cybersecurity started in Ukraine, where he worked in telecom during sophisticated APT campaigns that lasted over a year. Now at ThreatLocker, he shapes the tools defenders use daily—from allow listing to compliance automation.


    Episode Highlights:

    • What product managers actually do at security companies
    • APT attack patterns: social engineering meets technical exploitation
    • How allow listing, ring fencing, and network control protect endpoints
    • Defense Against Configuration (DAC): automating FedRAMP, HIPAA, and NIST compliance
    • Why misconfigurations remain one of the biggest security gaps
    • Balancing strict security with real-world usability
    • Yuriy's top advice for defenders: Educate your personnel

    Key Takeaway: Most breaches still come from employees clicking without paying attention. Security products matter, but user education accounts for the largest share of issues. Yuriy also emphasizes that when compliance drift happens—when systems become non-compliant—it should trigger an investigation into what changed and why.


    Resources Mentioned:

    • ThreatLocker Zero Trust Endpoint Protection
    • Defense Against Configuration (DAC) for compliance monitoring
    • Zero Trust World Conference

    Perfect for blue teamers, SOC analysts, security engineers, and anyone interested in how security products evolve from concept to deployment.

    Connect with Yuriy Tsibere (Guest) on LinkedIn: https://www.linkedin.com/in/yuriy-tsibere/


    🔗 Links & Resources:
    → ThreatLocker Free Trial: https://www.threatlocker.com/simplydefensive
    → Zero Trust World Conference: https://www.intlcybersec.org/zerotrustworldmain


    👥 Connect with the Hosts:
    → Josh Mason: https://www.linkedin.com/in/joshuacmason/
    → Wade Wells: https://www.linkedin.com/in/wadingthrulogs/
    → Swimlane: https://www.linkedin.com/company/swimlane

    💡 Brought to you by ThreatLocker – Secure your business with zero trust application control. https://www.threatlocker.com/simplydefensive


    =========================
    Sponsored by @ThreatLocker - Free 30-day trial visit:
    https://www.threatlocker.com/simplydefensive
    =========================

    36 mins
  • Cyber Insurance Explained: What Blue Teams Need to Know Before an Incident
    Nov 17 2025

    From teaching AP art history to brokering cyber insurance deals. 🎓➡️🛡️


    In this episode of Simply Defensive, Josh Mason and Wade Wells sit down with Andy Runyan from Yukon to break down everything blue teamers need to know about cyber insurance — before an incident happens. Andy shares his unconventional journey from fourth-generation educator and baseball coach to becoming a cyber insurance specialist, and explains why understanding your policy is just as important as your incident response plan.


    What you'll hear:
    🔹 How cyber insurance actually works (and what it doesn't cover)
    🔹 Why having an incident response retainer matters — before you need it
    🔹 The role of cyber insurance in incident response and recovery
    🔹 Third-party contract requirements and state mandates on the rise
    🔹 Common mistakes companies make when filing claims
    🔹 FTC Safeguard Rules and what they mean for businesses
    🔹 How to prepare your organization for cyber insurance requirements
    🔹 What lowers premiums (and what should, but doesn't)


    Why This Matters for Blue Teamers:
    If you're in a SOC or handling incident response, you will interact with cyber insurance at some point. Understanding how policies work, what triggers coverage, and how to prepare can make the difference between a smooth recovery and a catastrophic financial loss. This episode gives you the insider knowledge to help your organization be ready.


    ⏱️ Timestamps:
    00:00 Introduction and Welcome
    00:15 Andy's Unique Background: From Teacher to Cyber Insurance
    03:00 Getting Into Cyber Insurance in 2019
    04:00 The Wild West of Cyber Insurance During COVID
    06:00 When Companies Actually Buy Cyber Insurance
    08:00 What Blue Teamers Need to Know About Insurance
    10:00 The Problem with Incident Response Retainers
    12:00 How Insurance Companies Handle IR vs. What You Need
    15:00 Multi-Factor Authentication and Premium Discounts
    18:00 Why Having an IR Plan Doesn't Lower Your Premium (But Should)
    21:00 Third-Party Contract Requirements on the Rise
    24:00 State Mandates: What's Coming Next?
    27:00 FTC Safeguard Rules and Compliance Reality
    30:00 Where to Learn More About Yukon


    🔗 Connect with Andy Runyan:
    → Yukon Website: https://www.ukon.com
    → LinkedIn: https://www.linkedin.com/in/andy-runyan
    → Email: andy.runyan@ukon.com


    👥 Connect with the Hosts:
    → Josh Mason: https://www.linkedin.com/in/joshuacmason/
    → Wade Wells: https://www.linkedin.com/in/wadingthrulogs/
    → Swimlane: https://www.linkedin.com/company/swimlane


    33 mins
  • Building Forensics Tools That Last | Brian Carrier (Autopsy, Sleuth Kit)
    Nov 10 2025

    Josh Mason and Wade Wells sit down with Brian Carrier, the creator of Sleuth Kit and Autopsy, two of the most widely used digital forensics tools in the world. They dig into how Brian got his start in the early days of computer forensics, how open source shaped his career, and what he’s building now with Cyber Triage.

    From stories about government funding and tool rewrites to the evolving balance between open source and commercial software, this episode is packed with insight for blue teamers, DFIR pros, and anyone who cares about investigation tooling that actually works.

    Watch to hear:

    • The 25-year evolution of Sleuth Kit & Autopsy
    • How Cyber Triage simplifies investigations for SOCs
    • The tradeoffs between open source and commercial tools
    • What Brian sees next in AI-driven forensics


    ⏱️ Timestamps:
    00:00 Introduction and Guest Introduction
    00:15 Brian Carrier's Journey with Sleuth Kit and Autopsy
    02:06 Evolution and Funding of Autopsy
    06:52 Open Source vs. Commercial Software
    10:16 Future Roadmap and Innovations
    14:16 Autopsy and Cyber Triage for Blue Teamers
    16:24 Challenges in EDR and SOC Analysis
    16:41 Investigative Process and Clues
    17:18 Handling Noisy Data in EDR
    17:49 Importance of Tracing Malware
    18:28 Deploying Additional Collectors
    19:25 Feedback from the Community
    21:21 Cyber Insurance and Incident Response
    23:34 Automation in Forensics
    28:41 Advice for Blue Teamers
    30:12 Conclusion and Final Thoughts

    Links:
    🎧 Listen on Spotify: https://open.spotify.com/show/72QTocT5FSTSPV7o1UcMS4
    🍎 Listen on Apple Podcasts: https://podcasts.apple.com/us/podcast/simply-defensive/id1668519478
    💻 Learn more about Sleuth Kit: https://sleuthkit.org/
    🔍 Try Autopsy: https://www.autopsy.com/
    🧠 Explore Cyber Triage: https://www.cybertriage.com/

    Connect with Brian:
    👤 Brian Carrier on LinkedIn: https://www.linkedin.com/in/brian-carrier-169243/
    🏢 Sleuth Kit / Basis Technology on LinkedIn: https://www.linkedin.com/company/basis-technology/
    💼 Cyber Triage on LinkedIn: https://www.linkedin.com/company/cyber-triage/

    Don't forget to like, subscribe, and hit the bell icon for more blue team content!


    🔗 Follow the hosts:
    Josh Mason: https://www.linkedin.com/in/joshuacmason/
    Wade Wells: https://www.linkedin.com/in/wadingthrulogs/


    🎙️ More Simply Defensive
    - Full playlist: https://youtube.com/playlist?list=PL4Q-ttyNIRAr6DVrsASx1-Fv-TsooJ3M4
    - Spotify: https://open.spotify.com/show/72QTocT5FSTSPV7o1UcMS4
    - Apple Podcasts: https://podcasts.apple.com/il/podcast/simply-defensive/id1773806182

    👍 If you enjoyed this episode, don’t forget to like, subscribe, and share with your fellow defenders. Every week, Josh Mason and Wade Wells bring you practical, no-fluff conversations with cybersecurity leaders.

    32 mins
  • Balancing Education and Real-World Cybersecurity with a SOC Analyst Student
    Nov 3 2025

    In this episode of Simply Defensive, host Josh Mason and co-host discuss their experiences and challenges in cybersecurity, along with guest Victoria, a student and SOC analyst at UNLV.

    The conversation covers the complexities of building a Security Operations Center (SOC) and compares academic learning with real-world applications. Victoria shares insights from her studies and practical work, including developing a SOC program at UNLV and addressing common cybersecurity misconceptions.

    The episode highlights the importance of communication, real-world projects, continuous learning, and the balance between technical and business aspects of cybersecurity.

    00:00 Introduction and Host Banter
    00:20 Guest Introduction: Victoria
    01:03 Building a SOC: Challenges and Experiences
    01:29 Education vs. Real-World Experience
    02:29 SOC Class and Practical Training
    03:49 Group Projects and Communication
    07:14 Real-Life Incident Stories
    10:33 Getting into Cybersecurity: Victoria's Journey
    12:54 Business Side of Cybersecurity
    16:17 The Cost of MFA and Free Alternatives
    16:31 Lock Picking and Security Value
    17:30 Teaching Cybersecurity Concepts
    18:44 Consulting Experience for Students
    19:15 Client Feedback and Confidential Reports
    19:52 Challenges in Cybersecurity Projects
    20:27 Transitioning into the SOC
    22:34 Federal and State Regulations
    26:16 Advice for Blue Teamers
    28:06 Conclusion and Farewell

    🔗 Follow the hosts:
    Josh Mason: https://www.linkedin.com/in/joshuacmason/
    Wade Wells: https://www.linkedin.com/in/wadingthrulogs/

    32 mins