From Pre-Law to FLARE: How Josh Stroschein Became Google's Malware Analyst

S6:E3 - Tom Dejong - Inside the BHIS SOC: Triage, Curiosity, and Career Growth

Episode Show Notes S6:E3 - Tom Dejong - Inside the BHIS SOC: Triage, Curiosity, and Career Growth Episode Summary In this episode of Simply Defensive, hosts Josh Mason and Wade Wells sit down with Tom Dejong, Triage Lead at Black Hills Information Security (BHIS). Tom shares his unconventional path into cybersecurity — from a South Dakota apprenticeship scholarship to becoming one of the most detail-oriented analysts in the BHIS SOC. The conversation covers the realities of SOC triage, the importance of detailed documentation, mentoring new analysts, and how AI is reshaping (but not replacing) blue team work. Whether you're an aspiring SOC analyst, a seasoned defender, or someone curious about how to build a career in cyber without a traditional path, Tom's story and practical advice will resonate. What You'll Learn * How the Build Dakota Scholarship led Tom from apprenticeship to a cybersecurity career * What it's really like working triage at the BHIS SOC * Why detailed ticket notes are a force multiplier for SOC teams * The hypothesis-driven approach to alert investigation * How to pivot off IPs, hashes, process names, and file paths * Why curiosity is the #1 skill for SOC analysts * How AI is being used in modern SOCs (and why it's not taking your job) * The challenge of building SOC training and webcasts * Advice for handling mistakes and learning from them Episode Highlights Tom's Journey Into Cyber From discovering Darknet Diaries and hearing John Strand mention Spearfish, South Dakota — the same town Tom was living in — to landing his first day at Wild West Hacking Fest 2022 as a BHIS intern. The Triage Mindset Tom walks through his approach to investigating alerts: starting with detection logic, checking for prior tickets, and breaking down each piece of evidence in writing to make the logic click. Documentation as a Superpower Why Tom believes detailed notes aren't just nice-to-have — they're essential for the next analyst down the line and for his own thought process. AI in the SOC Tom's honest take on using AI for investigations, polishing client communications, and writing detection logic — plus why he's not worried about it taking his job. Advice for Blue Teamers You're going to make mistakes. Use them as learning experiences. Lean on your teammates. Stay curious. Timestamps * 00:00 Intro and Welcome * 01:00 Tom's Role at the BHIS SOC * 01:30 From Apprenticeship to Cybersecurity: The Build Dakota Story * 03:00 Discovering BHIS Through Darknet Diaries * 04:00 Wild West Hacking Fest as Day One * 04:30 Behind the Scenes of a SOC Webcast * 06:30 The Art of Alert Triage and Pivoting * 08:30 Building Conference Talks and Training Content * 10:30 Where Tom Sees His Career Going * 11:30 Why Curiosity Is the #1 SOC Skill * 12:30 Favorite Alert Types to Work * 14:00 Round Robin vs. Self-Assigned Tickets * 15:00 Note-Taking and Documentation Best Practices * 19:00 Building a Hypothesis When an Alert Comes In * 20:30 AI in the SOC: Hype, Reality, and Use Cases * 24:00 Will AI Replace SOC Analysts? * 26:00 Training Resources for New Analysts * 28:00 Advice for Aspiring Blue Teamers * 29:30 Closing Thoughts Resources Mentioned * Black Hills Information Security: https://www.blackhillsinfosec.com/ [https://www.blackhillsinfosec.com/] * Antisyphon Training: https://www.antisyphontraining.com/ [https://www.antisyphontraining.com/] * Build Dakota Scholarship: https://www.builddakotascholarships.com/ [https://www.builddakotascholarships.com/] * Darknet Diaries Podcast: https://darknetdiaries.com/ [https://darknetdiaries.com/] * Wild West Hacking Fest: https://wildwesthackinfest.com/ [https://wildwesthackinfest.com/] Connect with Tom * LinkedIn: Tom Dejong at Black Hills Information Security * BHIS Webcasts & Workshops: Available through Black Hills Information Security Connect with Your Hosts * Josh Mason: https://www.linkedin.com/in/joshuacmason/ [https://www.linkedin.com/in/joshuacmason/] * Wade Wells: https://www.linkedin.com/in/wadingthrulogs/ [https://www.linkedin.com/in/wadingthrulogs/]

S6E2: John Hammond on Security Research, Storytelling, Deception, and Getting Hired in Cybersecurity

John Hammond on Security Research, Storytelling, and Deception for Defenders In this Simply Defensive episode, hosts Josh Mason and Wade Wells interview John Hammond, a Huntress security researcher, YouTuber, and educator, about his career path and defensive research. Hammond explains he has never worked as a penetration tester, SOC analyst, or detection engineer, instead “falling into” security research through hands-on Capture the Flag work and building cyber threat emulation course content, earning Offensive Security’s OSCE3 bundle recognition. He discusses why storytelling and communication are critical for translating attacker tradecraft into actionable defenses, emphasizing understanding the attack chain to identify places to break it. He recommends building a public portfolio of write-ups and notes, and says multiple creators covering the same topic can still provide value through different explanations. The conversation also highlights endpoint deception and honeypots, challenges of reversing compiled binaries versus script-based malware, and his advice to document thoroughly in shared organizational knowledge bases. 00:00 S6E2: John Hammond on Security Research, Storytelling, Deception, and Getting Hired in Cybersecurity 01:27 Meet John Hammond 01:57 Security Researcher Life 04:43 OffSec Certs Explained 06:55 From CTF to Research 08:47 Storytelling in Cyber 12:10 Turning Attacks to Defense 15:19 Getting Hired as Researcher 16:48 Portfolio and Honeypots 19:05 Make the Video Anyway 21:40 Alternate Data Streams Nerdout 23:36 CTFs Then and Now 24:28 Life Shifts Priorities 25:44 Beyond CTFs Next Trend 26:52 Deception Meets Detection 28:48 Honeypots and Program Maturity 31:13 Malware Reversing Boss Fights 35:09 Blue Team Advice Document Everything 37:51 Where to Find John and Training 38:49 Wrap Up and Farewell

From Blue Team Challenges to AI Innovations: A Conversation with Jason Haddix

In this episode of Simply Defensive, Josh Mason and Wade Wells sit down with Jason Haddix — CISO veteran, AI security thought leader, and founder of Arcanum Information Security — for a wide-ranging conversation on where AI is actually headed in cybersecurity, and what blue teamers need to know right now. Jason shares what he's learned from running AI scaling assessments inside major enterprises, why most organizations are still in the early stages of AI adoption, and how the industry needs to stop thinking about AI security like traditional web app security. He breaks down the stages of AI adoption (from custom bots to agents), explains why input validation is a losing game for LLM security, and makes the case for classifiers, guardrails, and LLM-based routing as the real defense-in-depth play for AI systems. Wade and Jason also revisit the Red Blue Purple AI course, talk through how RAG and context engineering are transforming what's possible for blue teamers, and discuss why the credential leakage problem is still one of the biggest vectors defenders aren't taking seriously enough. Topics covered: * Why CTI struggles to prove value — and where it actually matters most * Stealer logs, credential leakage, and when rolling an account isn't enough * AI adoption stages: custom bots → RAG → agents * Why SOAR skepticism is a preview of AI hesitancy * Context engineering vs. prompt engineering * Defending AI systems: prompt-level protections, classifiers, guardrails, and LLM routing * When does a prompt become IP? * Jason's advice for blue teamers: embrace AI as a tool, find your annoying tasks, and start chipping away Connect with Jason Haddix: * Twitter/X: @jhaddix [https://twitter.com/jhaddix] * Arcanum Information Security: arcanam-sec.com [https://arcanamsec.com] * GitHub (free tools & resources): ARCanum Information Security on GitHub * Newsletter: Executive Offense by Jay Haddix Resources mentioned: * Red Blue Purple AI Course (ARCanum) * Flare (threat intelligence / credential monitoring): flare.io [https://flare.io] * Detections.ai Connect with the Hosts: * Josh Mason: linkedin.com/in/joshuacmason [https://linkedin.com/in/joshuacmason] * Wade Wells: linkedin.com/in/wadingthrulogs [https://linkedin.com/in/wadingthrulogs]

From Pre-Law to FLARE: How Josh Stroschein Became Google's Malware Analyst

In this episode of Simply Defensive, Josh Mason and Wade Wells sit down with Josh Stroschein — aka The Cyber Yeti — a former professor turned reverse engineer now working on one of the largest malware analysis teams in the world. Josh shares his unconventional path through .NET development, credit card processing security, and academia before landing at Google. He opens up about teaching reverse engineering while learning it himself, building educational CTFs, and the realities of making it as a full-time reverse engineer in an industry where those roles are rare. What you'll hear: 🔹 From pre-law to pilot training to PhD in cybersecurity 🔹 How teaching RE forced him to truly master it 🔹 Life inside Google's FLARE team (via Chronicle → Mandiant) 🔹 Flareon CTF — the RE challenge that's run for 12 years 🔹 A wild Black Hat NOC story involving an infected Mac and Atomic Stealer 🔹 Using AI to build malware samples for training labs 🔹 Why going low-level is the best advice for blue teamers Chapters: 00:00 Introduction and Welcome 00:50 Josh's Connection to Dr. Gerald Auger 02:00 The Non-Traditional Path: Pre-Law, Pilot Training & .NET Dev 05:00 Getting Into Security at a Credit Card Processor 07:00 Teaching Reverse Engineering at Dakota State 10:00 Flareon CTF and Educational CTF Design 14:00 Is Reverse Engineering Offensive or Defensive? 17:00 How Rare Are Full-Time RE Roles? 21:00 The Path to Google: Chronicle, Mandiant & FLARE 25:00 Learning Through Teaching and YouTube Content 28:00 Black Hat NOC Story: Catching Atomic Stealer Live 33:00 Using AI to Create Malware Training Samples 37:00 Building a Defang Tool (and .NET Nightmares) 40:00 Advice for Blue Teamers: Go Low-Level 🎧 Find Josh Stroschein: → Website: https://www.thecyberyeti.com → YouTube: The Cyber Yeti → Podcast: The Cyber Yeti Podcast 👥 Connect with the Hosts: → Josh Mason: https://www.linkedin.com/in/joshuacmason/ [https://www.linkedin.com/in/joshuacmason/]→ Wade Wells: https://www.linkedin.com/in/wadingthrulogs/ [https://www.linkedin.com/in/wadingthrulogs/]→ Swimlane: https://www.linkedin.com/company/swimlane [https://www.linkedin.com/company/swimlane] 🎙️ Listen on Your Favorite Platform: → Spotify: https://open.spotify.com/show/72QTocT5FSTSPV7o1UcMS4 [https://open.spotify.com/show/72QTocT5FSTSPV7o1UcMS4]→ Apple Podcasts: https://podcasts.apple.com/us/podcast/simply-defensive/id1773806182 [https://podcasts.apple.com/us/podcast/simply-defensive/id1773806182]→ Full Playlist: https://youtube.com/playlist?list=PL4Q-ttyNIRAr6DVrsASx1-Fv-TsooJ3M4 [https://youtube.com/playlist?list=PL4Q-ttyNIRAr6DVrsASx1-Fv-TsooJ3M4] 👍 If you enjoyed this episode, don't forget to like, subscribe, and share with your fellow defenders. Every week, Josh Mason and Wade Wells bring you practical, no-fluff conversations with cybersecurity professionals who are doing the work. ========================= All the ways to connect with Simply Cyber https://SimplyCyber.io/Socials [https://simplycyber.io/Socials] ========================= This podcast is presented by Simply Cyber Media Group

Building Zero Trust Tools: Inside ThreatLocker with Product Manager Yuriy Tsibere

In this episode of Simply Defensive, hosts Josh Mason and Wade Wells welcome Yuriy Tsibere, Product Manager at ThreatLocker, for a behind-the-scenes look at how security products actually get built. Yuriy's path to cybersecurity started in Ukraine, where he worked in telecom during sophisticated APT campaigns that lasted over a year. Now at ThreatLocker, he shapes the tools defenders use daily—from allow listing to compliance automation. Episode Highlights: * What product managers actually do at security companies * APT attack patterns: social engineering meets technical exploitation * How allow listing, ring fencing, and network control protect endpoints * Defense Against Configuration (DAC): automating FedRAMP, HIPAA, and NIST compliance * Why misconfigurations remain one of the biggest security gaps * Balancing strict security with real-world usability * Yuriy's top advice for defenders: Educate your personnel Key Takeaway: Most breaches still come from employees clicking without paying attention. Security products matter, but user education accounts for the largest share of issues. Yuriy also emphasizes that when compliance drift happens—when systems become uncompliant—it should trigger an investigation into what changed and why. Resources Mentioned: * ThreatLocker Zero Trust Endpoint Protection * Defense Against Configuration (DAC) for compliance monitoring * Zero Trust World Conference Perfect for blue teamers, SOC analysts, security engineers, and anyone interested in how security products evolve from concept to deployment. Connect with Yuriy Tsibere (Guest) on LinkedIn: https://www.linkedin.com/in/yuriy-tsibere/ [https://www.linkedin.com/in/yuriy-tsibere/] 🔗 Links & Resources: → ThreatLocker Free Trial: https://www.threatlocker.com/simplydefensive [https://www.threatlocker.com/simplydefensive] → Zero Trust World Conference: https://www.intlcybersec.org/zerotrustworldmain [https://www.intlcybersec.org/zerotrustworldmain] 👥 Connect with the Hosts: → Josh Mason: https://www.linkedin.com/in/joshuacmason/ [https://www.linkedin.com/in/joshuacmason/]→ Wade Wells: https://www.linkedin.com/in/wadingthrulogs/ [https://www.linkedin.com/in/wadingthrulogs/]→ Swimlane: https://www.linkedin.com/company/swimlane [https://www.linkedin.com/company/swimlane] 🎙️ Listen on Your Favorite Platform: → Spotify: https://open.spotify.com/show/72QTocT5FSTSPV7o1UcMS4 [https://open.spotify.com/show/72QTocT5FSTSPV7o1UcMS4]→ Apple Podcasts: https://podcasts.apple.com/us/podcast/simply-defensive/id1773806182 [https://podcasts.apple.com/us/podcast/simply-defensive/id1773806182]→ Full Playlist: https://youtube.com/playlist?list=PL4Q-ttyNIRAr6DVrsASx1-Fv-TsooJ3M4 [https://youtube.com/playlist?list=PL4Q-ttyNIRAr6DVrsASx1-Fv-TsooJ3M4] 👍 If you enjoyed this episode, don't forget to like, subscribe, and share with your fellow defenders. Every week, Josh Mason and Wade Wells bring you practical, no-fluff conversations with cybersecurity professionals who are doing the work. 💡 Brought to you by ThreatLocker – Secure your business with zero trust application control. https://www.threatlocker.com/simplydefensive [https://www.threatlocker.com/simplydefensive] ========================= Sponsored by @ThreatLocker [https://www.threatlocker.com/simplydefensive]- Free 30-day trial visit: https://www.threatlocker.com/simplydefensive [https://www.threatlocker.com/simplydefensive] ========================= All the ways to connect with Simply Cyber https://SimplyCyber.io/Socials [https://simplycyber.io/Socials] ========================= This podcast is presented by Simply Cyber Media Group