PENDING · STRIPE SECURITY LABS · INTERNAL MANAGER (PROPOSED) ● ONLINE · MENLO PARK / 2026.05.01 FT3 v0.9 · APACHE-2.0 · github.com/stripe/ft3 INQUIRY WINDOW · OPEN · 5-DAY RESPONSE ● UPLINK · TX 38.4 KB/S
// ● online STATUS · 2026.05.01 · MENLO PARK

engineering the adversary.

Principal Software Architect at Stripe. I build the systems, frameworks, and people that turn adversary tradecraft into a defender's instrument — from Tier-3 incident response at Amazon to attacker engineering at scale.

LAT 37.4848°N LON 122.1484°W UPTIME · 19y SECTOR · FINTECH / SECURITY ● TX
// resume of impact
// trajectory · 2007 → present
INTEL 2007 → RESEARCH 2012 → AMAZON · TIER-3 2017 → STRIPE · ATTACKER ENG 2022 → FT3 · OSS 2024 → PENDING · SSL 2026
2022 — Now
Stripe
Principal Software Architect · Head of Attacker Engineering

Founded and scaled the Attacker Engineering practice. Drives offensive-informed architecture across Stripe's payments, identity, and platform surfaces.

Attacker Engineering FT3 Architecture Detection R&D
tier
MULTI-YEAR PROGRAM
2017 — 2022
Amazon
Tier-3 Incident Response · Senior Security Engineer

Top-tier responder for the highest-severity events across AWS and retail. Tool-builder for the responders who came after.

Incident Response Forensics Threat Hunting
tier
TIER-3
Earlier
Industry · Federal · Research
Threat Intelligence · Adversary Emulation

A career arc moving from intel-side analysis to engineering, anchored in elite intel communities and red/blue collaboration.

Intel Emulation Community
tier
FOUNDATION
// project spotlight · ft3

An open framework for friendly threat tradecraft.

FT3 is the operational backbone of Stripe's attacker engineering work — open-sourced so defenders everywhere can plan, stage, execute, and triage adversary emulation against the systems they're paid to protect.

github.com/stripe/ft3 open · apache-2.0
Plan
Map techniques to coverage
Stage
Repeatable emulation cells
Triage
Surface real defender gaps
// receipts — ft3 precedence trail four tracks · nine dates · one record

The receipts.

Precedence is a fact of the record, not a claim in a deck. The dates run from the first internal authoring of FT3 to the agentic ship. Every node below is verifiable in the public record.

FT3 / DARKSHEER
FS-ISAC
RH-ISAC + TARGET
MITRE CTID
Feb 2024
FT3 authored
Internal at Stripe — first cut of the framework.
Oct 2024
Submitted to FS-ISAC
FT3 talk proposal sent to the 2025 Spring Summit CFP.
28 Jul 2025
FT3 published
Open-sourced publicly on GitHub.
Apr 2026
FT3 ships agentic
★ FIRST LIVING AGENTIC FRAMEWORK
Stripe launches FT3 with agentic capabilities — first 'living' agentic framework.
Oct 2024
DECLINED
FS-ISAC declines the FT3 proposal. The receipt that lights the rest of the trail.
1 Apr 2025
CFPF launched
FS-ISAC launches the Cyber Fraud Prevention Framework.
3 Aug 2025
Fraud Taxonomy
NRF + RH-ISAC + Target publish a 'Fraud Taxonomy.'
12 Nov 2025
F3 published
MITRE CTID publishes F3 — Fight Fraud Framework — based on CFPF.
8 Apr 2026
F3 STIX 2.1 bundle
MITRE CTID releases the STIX 2.1 bundle for F3.
[Timeline chart · Feb '24 to Feb '26 · annotation: Presentation Declined]
FT3 authored Feb 2024. Proposal submitted Oct 2024. CFPF launched Apr 2025. FT3 public Jul 2025. Fraud Taxonomy created Aug 2025. F3 public Nov 2025. Precedence is a fact of the record, not a claim in a deck.
// projects · selected work github.com/darksheer ↗
OPEN-SOURCE
ft3
The framework behind the FT3 spotlight above. Plan, stage, execute, triage.
framework · python
OPEN-SOURCE
darksheer / sigil
Detection-content compiler. Translate hypothesis → query language → coverage report.
tool · ts
OPEN-SOURCE
darksheer / pkt-ops
Packet-level operator notebooks for adversary-emulation labs.
research · notebook
CLOSED
█████████████
Long-running adversary-emulation engine. Productionized at scale.
platform · internal // classified
CLOSED
███████████
Closed-circle threat intelligence tooling. Vetted distribution only.
intel · ndA // classified
CLOSED
████████████████
Personal R&D — staged offensive primitives. Disclosed selectively.
r&d · personal // classified
// media
01
BLACKHAT · 2025
Engineering the Adversary at Scale
KEYNOTE · 45 MIN
02
RSA · 2024
Friendly Threat Triage: Building FT3
KEYNOTE · 45 MIN
03
DEF CON · 2024
From Tier-3 IR to Attacker Engineering
KEYNOTE · 45 MIN
04
FIRST · 2023
Closed-loop Defender Telemetry
KEYNOTE · 45 MIN
05
BSIDES SF · 2023
The Art of Adversary Emulation
KEYNOTE · 45 MIN
06
OSCON · 2022
Open Source the Red Team
KEYNOTE · 45 MIN
● now playing · ep 042
The Defender's Edge — with Vincent Passaro
Risky Business · Apr 2026
00:00 / 42:00
// signal log updated when something is worth saying
PINNED · FIELD NOTE · 2026.04.22

Why detection content is a liability if you can't replay it.

We treat alert rules like configuration. They behave like code — with all the rot, drift, and silent breakage that implies.

read · 8 MIN open ↗
archive rss / atom feed // 5 of 47 · indexed 2026.04.22
// training & collaborations
/training
TRAINING
Attacker Engineering Bootcamp

Cohort-based 4-week program for senior security engineers transitioning into adversary-emulation roles.

PRIVATE · ENTERPRISE
/collab
COLLAB
Closed-circle Threat Intel

Long-standing collaborator across vetted intel communities — vendor, federal, and operator-led.

MEMBER · MULTIPLE
/advisory
ADVISORY
Detection R&D Advisory

Selective advisory for security platforms whose detection content I respect.

BY REFERRAL
/mentor
MENTOR
Engineer-to-Operator Mentorship

Mentor for engineers crossing the bridge into hands-on offensive and IR work.

ONGOING
// about

A career spent at the seam between engineering and intel.

Two decades on the wire. The arc starts in intel — pattern-of-life, signals, attribution — and bends through research, top-tier incident response, and the operator floor before landing in the architecture seat.

Today the work is about building the systems and the people who turn adversary tradecraft into a defender's instrument. Open frameworks, deep collaborations, and the long game.

Currently · Menlo Park · Stripe · pending Stripe Security Labs.

ENGINEER OPERATOR INTEL // THE CRAFT
// contact

Speaking, advisory, and select consulting.

Inquiries are read personally. Lead with context — what you're protecting, who you think is in scope, and the deadline you're working against.

// also reachable
direct

response window · 5 business days
signal preferred for sensitive matter
pgp · on request
// off-clock

What keeps the work sustainable. Quiet pursuits, deliberate rest.

OFF-CLOCK · 01 Long-distance trail running
OFF-CLOCK · 02 Vintage HF radio + packet capture
OFF-CLOCK · 03 Black coffee, slow chess
OFF-CLOCK · 04 Mentoring early-career operators