● ONLINE · SAN DIEGO / 2026.07.01 FT3 · github.com/stripe/ft3 ● UPLINK · TX 38.4 KB/S

find what breaks. build what holds.

Systems fail when the stakes are real. Passaro’s work follows one pattern: find the failure point, understand it completely, and build what should have existed all along.

Cinematic monochrome portrait of Vincent Passaro in a dark hoodie. Shadows and white technical schematics symbolize the intersection of leadership and systems.
LAT 32.7157° N LON 117.1611° W UPTIME · 25y SECTOR · CYBERSECURITY / ENGINEERING ● CA
// trajectory · 2001 → present
ORIGIN 2001 · ADVERSARY TRADECRAFT 2006 · OS COMMUNITY 2011 · BUILDER / FOUNDER 2014-2018 · SCALE 2018 · ADVERSARY SYSTEMS 2022 · FRAUD OPERATIONALIZED 2024 · AGENTIC OPS 2026
//project spotlight · ft3
repository · open source github.com/stripe/ft3

FT3 is the operational backbone of Stripe's attacker engineering work — open-sourced so defenders everywhere can plan, stage, execute, and triage adversary emulation against the systems they're paid to protect.

Recognized as the first fraud ATT&CK-style framework, FT3 defines the standard for categorizing financial exploitation. By translating established adversary emulation concepts into a specialized fraud taxonomy, it empowers engineers and threat intelligence teams to map complex financial abuse vectors with the same rigor historically reserved for network intrusions.

// receipts — precedence trail four tracks · nine commits · one record
$ git log --graph --decorate --oneline ft3-precedence
FT3 / DARKSHEER · FS-ISAC · RH-ISAC + TARGET · MITRE CTID

FT3 authored Feb 2024. Proposal submitted Oct 2024. CFPF launched Apr 2025. FT3 public Jul 2025. Fraud Taxonomy created Aug 2025. F3 public Nov 2025. Precedence is a fact of the record, not a claim in a deck.

//projects · selected work

github.com/darksheer ↗
darksheer/ft3


The bleeding-edge prototype fork of FT3. This is where I experiment with new models for mapping how adversaries plan, stage, execute, and triage fraud activity across the attack chain before they hit the main framework.

Vue MIT 0 updated today
39 commits in the last 12 weeks for darksheer/ft3.
darksheer/aqueduct // stale

Aqueduct

Aqueduct pioneered open-source STIG compliance automation years before the term 'compliance-as-code' existed — its one-script-per-finding architecture and multi-framework coverage became the blueprint the industry eventually standardized around.

Shell 0 updated 1 month ago
3 commits in the last 12 weeks for darksheer/aqueduct.
CLOSED · stale
████████████
Acheron powers FT3 by deploying agents that translate live threat intel into a living map of fraud operations. It actively identifies emerging tactics, behaviors, and IOCs, delivering them directly to security teams via open standards.
354 commits in the last 12 weeks.
// activity classified · 354 commits in 12 weeks
FT3 · Fraud · Threat Intel · AI // classified
CLOSED · stale
████████████
Anubis is a STIX-native workspace for building, mapping, and shipping living taxonomies with software-grade integrity. It gives frameworks like FT3 a real operating layer: structured, versioned, machine-readable, and usable by teams and systems.
AI · STIX · MITRE ATT&CK // classified
//signal log

Things worth writing down.

Notes from inside the build: attacker engineering, incident response, fraud intelligence, adversary behavior,
and the language systems defenders use when the facts are still arriving.

2026 · 05 · 27 · ESSAY
FT3 vs MITRE F3: Validation Is Not Operationalization
FT3 built the operating language for fraud defense before the market had one. The next phase is making that language executable.
#fraud-defense #FT3 #adversary-engineering #MITRE-F3 #threat-intelligence #detection-engineering
Vincent Passaro · 9 min read

2026 · 06 · 07 · ESSAY
Agentic Commerce Changes the Object of Fraud
Fraud defense now requires language for delegated authority, scoped consent, and machine-speed behavior. Explore the three-axis coordinate model.
#agent commerce fraud #attacker engineering #Stripe Agentic Commerce Protocol #Visa Intelligent Commerce #fraud classification framework #FT3 #Delegated Authority abuse #FT3-ABUSE-007
Vincent Passaro

2026 · 05 · 24 · ESSAY
Why Fraud Frameworks Must Converge: The 18-Month Landscape
Five fraud frameworks like FT3 and MITRE F3 emerged in 18 months. Here is why the industry must move past fragmentation toward operational interoperability.
#fraud frameworks #ft3 #mitre f3 #interoperability #threat-informed defense
Vincent Passaro · 12 min read

2026 · 05 · 13 · ESSAY
Mission-First Leadership
Mission-critical leadership is not about control. It is about creating the clarity, rigor, and trust teams need to move under pressure. Exploring how executive leadership, cross-functional alignment, mentorship, and disciplined execution build teams that can change outcomes when the stakes are real.
#Executive Leadership #Cross-Functional Alignment #Disciplined Execution #Mentorship & Growth #High-Performance Teams #Talent Density #Change Management #Operational Excellence
Vincent Passaro · 14 min read

2026 · 05 · 12 · FIELD NOTE
Building Adversary-Language Systems
Inside every adversarial system, there is a moment when the harm is real but the language is still behind the event. Traces the work of turning messy, high-stakes domains into shared operating language defenders can use to name, map, automate, prosecute, and disrupt.
#Adversary Language #Incident Response #Cyber Intelligence #Operational Systems #Taxonomy #Detection #Disruption #Fraud Intelligence
Vincent Passaro · 9 min read

2026 · 05 · 12 · FIELD NOTE
Open Source as Defensive Infrastructure
Open source is shared defense, which is why FT3 had to be visible, inspectable, and extensible, and how open frameworks become defensive infrastructure when defenders can test them, improve them, and build on them.
Vincent Passaro · 6 min read

2026 · 05 · 11 · ESSAY
The Language Is Infrastructure
Before defenders can automate, disrupt, or prosecute, they need a shared language that survives the handoff.
Vincent Passaro

2026 · 03 · 18 · TEARDOWN
We Tried to Make STIX Work for Fraud. Here's What Happened.
STIX 2.1 is the language of CTI, but it fails at modeling financial fraud like card testing. Vincent Passaro breaks down the architectural gaps and the cost of custom extensions.
#stix #fraud #ft3 #cti
Vincent Passaro · 6 min read

2021 · 01 · 21 · INTERVIEW
Inside a Tier-3 Incident Response Career.
Excerpts from a long-form conversation about Incident Response at scale as not just a test of tools. It is a test of language, memory, trust, and decision-making while the facts are still arriving. Vincent Passaro reflects on Tier-3 IR, AWS-scale response, and the lessons that later shaped FT3.
Vincent Passaro · 14 min read
blog rss / atom feed // 9 of 9 · indexed 2026.07.01

//media

SEP · 2026
UPCOMING
TRAINING · UNDERGROUND ECONOMY · Strasbourg · 4 HOURS

Zero to Hero: Threat intelligence with Claude Code & Scout

A hands-on workshop where defenders will leverage Claude Code + the Pure Signal Scout MCP to conduct real threat intelligence investigations, using live Team Cymru data in a TLP:RED environment.

SEP · 2026
UPCOMING
HACKATHON · UNDERGROUND ECONOMY · Strasbourg · 4 HOURS

AI Hackathon

A hands-on hackathon for threat hunters and cyber investigators focused on using threat intelligence to track and investigate real-world threat and fraud actors. Participants analyze OSINT to uncover malicious operations and connect intelligence into actionable findings.

// log · descending · 12 ARCHIVED

//training & collaborations

TRAINING /02 PRIVATE · BY REFERRAL

Agentic CTI // Operationalizing AI in Defense

LVL INTERMEDIATE DUR FULL DAY

Full-day hands-on intensive for TI teams moving past chat interfaces into agentic workflows. Build operational pipelines integrating Claude Code and live telemetry via MCPs. Focus: automating IOC enrichment, mapping adversary infrastructure, accelerating triage at machine speed.

FORMAT Full-day intensive STACK
Claude Code MCP
TRAINING /03 BY REFERRAL · ENTERPRISE

Agentic Engineering // Architecture and Scale

LVL ADVANCED DUR MULTI-DAY

Engineering complex autonomous systems beyond chat interfaces. Build deep-research pipelines for context gathering, translate concepts into machine-enforceable PRDs/ARDs, equip agents with custom execution skills, and design testing harnesses to iterate and deploy agentic workflows reliably.

FORMAT Engineering intensive STACK
Claude Code Codex
MENTOR /ENGAGEMENT PRIVATE · VETTED ONLY

Joint Adversary Analysis // TLP:RED Operations

TLP RED DUR ONGOING

Closed-circle, onsite intelligence fusion. Working with unsanitized telemetry and live campaign data to map adversary infrastructure, classify typologies, and engineer coordinated cross-industry defense.

FORMAT Onsite · closed circle
4 OFFERINGS · INDEXED 2026.07.01

About

A career spent at the seam of high-pressure security reality and systems defenders rely on.

In the 82nd Airborne, Vince Passaro learned early that systems fail under pressure, and someone has to understand why. That has always been the work. From Fort Bragg to Booz Allen, General Atomics, Fotis Networks, Buddha Labs, AWS, and Stripe, the pattern has stayed the same: understand how adversaries win, find where defense breaks, and build what should have existed all along.

At AWS, that meant response and cyber intelligence systems built for failure at global scale. At Stripe, it means attacker engineering, FT3, and frameworks that give defenders a shared operating language for fraud and adversary behavior. The logos are not the story. The pattern is: find what is broken, understand it completely, and build what fixes it properly. No theater. No abstractions. Just the work.

CURRENTLY · STRIPE

ENGINEER OPERATOR INTEL // THE CRAFT
Contact

Speaking, advisory, training and select consulting.

Inquiries are read personally. Lead with the problem, the system under pressure, and what outcome needs to change.

// also reachable
direct

response window · 5 business days
signal preferred for sensitive matter
pgp upon request

//off-clock

What keeps the work sustainable: signal, solitude, discipline, and the people worth building for.

Ducati Streetfighter V4s on the track
Ducati Official Club San Diego
Tuscany farmhouse at sunset
A NERD ABROAD
Jeff Walker Tattoos - Dragon
Mythical Things
Strasbourg Cathedral Strasbourg France
WUNDERLUST