THINK RED. ACT BLUE.
Most security programs are built by defenders who've never thought like attackers, or red teamers who've never had to operationalize their findings. Think Red. Act Blue. is the bridge.
Get the Framework Guide — free
No spam. Unsubscribe anytime.
Security teams that only defend don't know what they're defending against.
Security teams that only attack don't know how to operationalize what they find.
The best practitioners do both — fluently, deliberately, at the same time.
That's what this framework is about.
The Three Pillars
THINK RED
Understand adversary behavior from the inside out.
ACT BLUE
Translate that knowledge into operational defense.
STAY SHARP
Adversaries evolve. Your practice must too.
Latest from The Monday Brief
- AI Is Speeding Up Cyber Attacks, but the Real Advantage Still Belongs to Defenders Who Know Their Environment
- The Fight for Strategic Control
- Hiding in Plain Sight: Persistence in Backup Systems, AI Agents, Mobile Runtimes, and Hybrid Operations in Europe
INTRODUCING
ATT&CK LENS
The only MITRE ATT&CK v18 tool built specifically around the Think Red. Act Blue. philosophy.
Slice the Enterprise matrix by adversary, technique, platform, or detection coverage. Understand where attackers are active and where your detections are blind.
Used in SANS SEC530 labs. Free to use.
Launch ATT&CK Lens →Upcoming SEC530 Sessions
View all at SANS →- In-PersonApril 7, 2026 — Washington DC Register at SANS →
- vLiveMay 12, 2026 Register at SANS →
ABOUT
ISMAEL VALENZUELA
VP of Labs, Threat Research and Intelligence at Arctic Wolf. SANS Senior Instructor and Author of SANS SEC530: Defensible Security Architecture & Engineering : Implementing Zero Trust for the Hybrid Enterprise.
20+ years building and breaking security programs across Europe, the Middle East, and North America.
Think Red. Act Blue. is the framework I use to teach practitioners how to close the gap between knowing your adversaries and actually stopping them.
The Ecosystem
The Monday Brief
Weekly security intelligence.
All Around Defender
The practitioner community.
ATT&CK Lens
Threat modeling tool.
SANS SEC530
The course.
Not ready for the framework guide?
At least stay in the loop.
The Monday Brief lands every Monday — security intelligence, detection engineering insights, and framework updates. No fluff. Unsubscribe anytime.