THE CHOSEN ONE

In this conversation, Filipi Pires shares his journey into cybersecurity, reflecting on his experiences at HackSpaceCon and discussing the importance of community and continuous learning. He emphasizes the critical issue of misconfigurations in identity management and the need for organizations to understand their vulnerabilities, particularly with legacy systems. Filipi also highlights the evolving nature of threats and the importance of being proactive in security measures. He provides insights into the future of red teaming and offers guidance for aspiring professionals in the field. In this conversation, Filipi Pires discusses the journey of growth in the cybersecurity field, emphasizing the importance of patience and continuous learning. He shares insights about his role at Segura, a company focused on identity solutions, and highlights the significance of community engagement. The discussion also touches on cultural aspects, including Brazilian cuisine and personal preferences, showcasing Filipi’s vibrant personality and passion for his work.

TIMESTAMPS

00:00 – Introduction to Filipi Pires
02:09 – Reflections on HackSpaceCon
05:03 – Filipi’s Journey into Cybersecurity
11:01 – Learning and Skill Development in Cybersecurity
17:02 – Current Trends and Misconfigurations in Cybersecurity
19:38 – Staying Current in Cybersecurity
22:52 – Understanding Threats and Attack Vectors
28:46 – The Future of Red Teaming
32:46 – Guidance for Aspiring Red Teamers
36:44 – The Journey in Cybersecurity
43:59 – Understanding Segura and Its Mission
45:12 – Connecting with the Community
50:07 – Cultural Insights and Personal Preferences

SYMLINKS

[Filipi Pires – Official Website](https://filipipires.com)
Filipi Pires’ personal website, showcasing his professional background, speaking engagements, research, and cybersecurity insights. It serves as a central hub for his content, blog posts, and community contributions.

[Filipi Pires on GitHub](https://github.com/filipi86)
Filipi Pires’ GitHub profile where he shares open-source tools, projects, and potentially his upcoming event schedule. It’s a place to follow his latest contributions to the cybersecurity community.

[Filipi Pires on LinkedIn](https://www.linkedin.com/in/filipipires)
Filipi’s professional profile for connecting with him and following his cybersecurity insights, talks, and global engagements.

[Filipi Pires on YouTube](https://www.youtube.com/@filipi-pires)
Filipi’s YouTube channel featuring his recorded conference talks and cybersecurity presentations in Portuguese, Spanish, and English.

[Burp Suite Academy](https://portswigger.net/web-security)
A free, hands-on learning platform created by PortSwigger that teaches web application security using the Burp Suite tool. Recommended by Filipi Pires as a foundational resource for aspiring red teamers and web security professionals.

[TryHackMe](https://tryhackme.com)
An interactive platform offering cybersecurity labs and learning paths focused on offensive and defensive security. Filipi recommends it for hands-on practice in red teaming and hacking fundamentals.

[Hack The Box](https://www.hackthebox.com)
A cybersecurity training platform that allows users to practice penetration testing skills in virtual environments. Mentioned as a useful resource for practical skill development in red teaming and ethical hacking.

This transcript was automatically generated using AI. We apologize for any typographical or grammatical inaccuracies.

Chris: Filipi Pires is the Head of Identity Threat Labs and Global Product Advocate at Segura, Red Team Village director, senior advisor at Rice Cyber Academy, founder of the Red Team Community, and an AWS Community Builder, Snyk Ambassador and application security specialist. He is also a passionate Hacking Is NOT a Crime advocate and a global speaker who’s hit the stage at some of the biggest security and tech conferences around the world, from Black Hat and DEF CON in the US to events across Canada, France, Spain, Germany, Poland, and the Middle East. Beyond the stage, Filipi has also served as a university professor for graduation and MBA courses in Brazil. And he’s the creator and instructor behind hands-on courses like Malware Attack Types with Kill Chain Methodology, PowerShell and Windows for Red Teamers, and Malware Analysis Fundamentals. Filipi isn’t just building skills, he’s truly building a culture. Filipi, welcome to Barcode, my friend.

Filipi Pires: Thank you, Chris, thank you so much for having me here. I’m so excited for this conversation, man! Nice!

Chris: Me too, man. We can continue the conversation we started at HackSpaceCon a few weeks ago, which was my first HackSpaceCon, by the way. I really enjoyed it. What were your takeaways from that?

Filipi Pires: Yeah, it was my first time as well. I received the invitation last year from Kevin, but I had a kind of conflict with another event at that time. So the event was very nice, because the Florida community, let’s say, is so huge. And there are a bunch of people that I had met virtually, and I had the opportunity to meet those people in person. It was super nice. Not only that, we could see many different talks, technical talks. We had the community space. It was super nice as well. So, the opportunity to spread more about the cybersecurity community, how important it is to keep in touch, to network, and to share knowledge. It was a very, very nice time at HackSpaceCon.

Chris: Yeah, yeah, I met a lot of folks there that I’ve met online, never met in person, so I think they had a really good representation there and I enjoyed it.

Filipi Pires: Yeah. You and me, by the way, we met virtually, and we had the opportunity to talk in person. This is super nice.

Chris: Yeah, yeah, definitely, man. And yeah, I enjoyed your talk, by the way. That was very, very good. And I had no idea you travel so much and you do a lot of talks. In fact, we were just talking offline about your next speaking engagement, which is going to be in Chicago soon, correct?

Filipi Pires: Yeah, I will travel in the next few days and I go to BSides 312. I will do a similar talk about the cloud and how the attacker can exploit misconfigurations. And after that, I go to Vegas for the business event, let’s say, Identiverse. The event is focused on identity. It’s a big event, the main event in the US focused on identity. And then after that, I go to Brazil for, let’s say, the partner events, the international partner events that we have in Brazil. And by the way, the company that I work for is a Brazilian company. And then after that, I go to BSides Boulder in Colorado. And that’s my life, traveling a lot. Yeah, yeah.

Chris: Non-stop, non-stop. I’m gonna try to get down to Brazil in December to do the conference down there for Red Team Village, so.

Filipi Pires: Exactly. In December in Brazil, we have the main hacker event. The name of the conference is Hackers to Hackers. It’s a super nice event. It’s more than 20 years old, and this is our main conference. Last year, I had the opportunity to bring the Red Team Village to Brazil. We had three or four members from the core team, and it was a very nice experience to bring a small space of DEF CON to the Brazilian community. So that was the purpose of that because, I don’t know how this works in the US, but I think it’s kind of similar, to be a part of Hacker Summer Camp is expensive. If it’s expensive in the US, imagine in Brazil, because the currency is six times less when you compare it to the dollar. In Brazil we use the real; it is our currency. So it’s very, very expensive for people to travel to Hacker Summer Camp, the DEF CON event, and based on that maybe no one could have the opportunity to see more about how DEF CON is, how the conference is, and to meet those people. Based on that, I had the idea to bring a part of DEF CON, the Red Team Village. I know that DEF CON is bigger than only the Red Team Village, but the Red Team Village for me is a part of DEF CON, an important part of DEF CON. So I had the opportunity to bring this part to my country. It was a very, very nice opportunity. And this year we will probably have the same experience. Now I’m a part of the Red Team Village, the core team. So we are organizing DEF CON right now, but after DEF CON we organize the participation of the Red Team Village at Hackers to Hackers in Brazil.

Chris: Yeah, man, that’s so cool. And like you said, it’s so important to have that there as well for the folks that can’t make it to the US-based conferences. So I would love to get down there. But yeah, we had a chance to talk briefly in Florida. I got to know you a little bit there. But for the folks that are listening to this that don’t know you and your background, can you talk to me a little bit about that and how you got into the industry?

Filipi Pires: I love this question because, let’s say, my career is quite different, because I’m not the technical guy. Let’s say I did not graduate in, you know, security stuff or hacking stuff. I graduated in process management. It’s a kind of commercial thing. My background is completely different because I was a salesperson when I started my career. I worked with some events, but not technical events, just sales events, let’s say. In 2009, I started to work at Dell Computer in Brazil as a salesperson. I was an account manager in the past. And at that time, I remember, I was expecting to always work in the sales field in my career. However, I saw that the very good account executives, as I could see in the results they brought in revenue to the company, are excellent because they have a technical background. And my background is different; it’s a sales background, not a technical one. So I thought in that moment, okay, I need to do this shift, I need to go to the technical career, learn more about technical things, about the infrastructure, and after that go back to the sales thing. It was in the middle of 2010 when I moved to the technical career. However, when I arrived there, I felt more passionate about this thing. But in 2015, cybersecurity chose me, or information security chose me. I did not choose this field. The field chose me. That’s the real history about that. So I received the opportunity to work at Trend Micro. And that’s how I started to understand more about how the defensive side works, how I should understand more about the threats, how the attacker creates different techniques to exploit different environments. And based on this learning that I had, I started to create my defensive skills. And at that time I thought, okay, I know that I work in a very nice company with a very nice culture. However, how can I convince my possible customer or my customer that my product is really efficient? So I should think, during the POC, the company should receive a kind of attack, and based on this possible attack, I can protect the company. It does not make sense; how could I create a kind of strategy to show the real value of the product? And based on that, I started to create my offensive skills. So based on that, I started learning more about offensive security. And when I needed to present this for my previous company in the past, I presented the offensive security attack, the offensive part, exploiting the environment, and after that I showed how the customer could protect the environment. So based on that, I started to learn more about offensive security stuff, because I had the offensive security knowledge, but the offensive security I didn’t have. So based on that, I started learning by myself, just to create this kind of scenario. So when I had to do demos for my customers, I presented the offensive side and the defensive side. So based on that, it’s more like, OK, the product is efficient. Based on that, I started to learn more about offensive security. In 2019, before the pandemic, I moved to Poland to work as a penetration tester. So at that time, I started to work in offensive security.

Chris: Where did you really learn to hone in on those skills? Were you just self-taught? Were there any specific classes that you took to learn this, or was it just purely driven by your passion to learn?

Filipi Pires: Yeah, exactly. That’s based on my passion, because I had very nice, let’s say, guys that gave me a sort of guidance in the Brazilian community. Let’s say, for example, Fernando Mercês; he’s a very well-known Brazilian guy, a specialist in malware. He has a very nice Brazilian community called Mente Binária. They have a bunch of information about the offensive security and offensive security.

Chris: Got it.

Filipi Pires: And I heard, not only from him but from the other guys in the Brazilian community, that I should learn more about those bases when you talk about cyber. When I talk about bases, it’s, okay, I need to understand the base about network, about system operation, about how the application works, how the flow of the application is. So based on this knowledge, I needed to know about the base of the infrastructure, I needed to know about virtualization stuff, and cloud stuff, Kubernetes stuff. So when I know about those bases, I can put in, let’s say, the hacker mindset, you know, the offensive security, the malicious mindset. So based on that, I started to study a lot about those bases, because I didn’t have those bases. That’s because of my previous graduation. I was a salesperson. So I knew that I had this kind of gap.

Chris: Yeah, yeah.

Filipi Pires: I’m here, I need to keep studying.

Chris: Yeah. Did you build a home lab to do sort of hands-on? Did you practice on some of the free resources that are on the internet? What was the way that you connected,

Filipi Pires: My path was: okay, at that time at Trend Micro I had a very nice computer, you know, 32 gigabits of memory and the disk. I installed some virtual machines, sometimes with VirtualBox or something from VMware. So I started to install Kali Linux, Parrot OS and the other platforms, to have those experiences of how I can install and how I can use different tools, and not only this, but, as I shared in my talk, if I remember correctly, I can use tools like the file command, remember? And I need to know how each tool inside of the platform, like Kali Linux, how each platform really works. What kind of information will file try to find inside of the file? It’s about the magic number, but file has a bunch of the database inside of the tool that will check if this database is that and if this information is that, they can check with the file. The same with the example that I shared in the conference about strings. So strings just prints at least four characters, not three, not two, not one, just at least four characters. So I need to understand these bases. I shared that during my talk at HackSpaceCon. So based on that, I created labs and I tried... Usually I like to do this. I know that’s a lot of work to do, but I like to compare different tools. I used Kali Linux and I used Parrot OS and I just compared the results. And sometimes, for example, for recon, you can use Wfuzz or you can use Gobuster or DirBuster, so three different tools for the same thing. So it’s nice to see the different results and what exactly the answer is for each different tool that you use. So this was my path. So trying, trying, trying, trying and seeing the results.

Chris: I love that approach because you’re not really focused on one platform. If you’re taking a class on one platform, that’s what you’re learning. But this gives you sort of those different perspectives and what’s gonna be more valuable for you and in what situation.

Filipi Pires: Yeah, exactly. For example, when I taught some classes as a professor in Brazil, I always asked my students, okay, who here got internet access from your neighbor? Usually we have like 10 guys in the room saying, okay, I got the password of my neighbor, the Wi-Fi of my neighbor. Okay, so the second question is, okay, who here among those 10 people used some kind of YouTube channel or YouTube guidance? Usually those 10 guys used the same YouTube channel, not the same, but the same idea. So the third question is, okay, who among those 10 guys can explain how the handshake is created when you disconnect the guy and he connects again? Can you explain how the handshake is created in the Wi-Fi connection? So no one knows how the handshake works and how you can collect those hashes and after that break the hash. Because they use this kind of platform, the demos and the YouTube channel videos, but they don’t know those bases, how each thing works. So that’s my big concern as an old guy in the field. We should know about those bases. You can always use tools, but you need to understand how each tool works. And you asked me about how my path was, how I learned. So I knew my gap, so I needed to study those bases. Like, okay, network: we have a TCP model, we have an OSI model. Okay, it’s a kind of seven layers. So the authentication process in each layer is a layer four, the application, or layer seven. It depends on what kind of network you are talking about. If it’s OSI, it’s in layer 7. But if it’s the TCP model, it’s in layer 4. So that’s the type of conversation when you talk about the network. So if you talk about, for example, how you can open specifically HTTPS access, you should use something like, for example, Burp Suite. You can open this kind of access and you can see that HTTPS and then intercept those connections. Those types of things.

Chris: Yeah, so let me ask you this then. So going back to your talk and the presentations that you give, you’ve hit some really major, major stages. Like I mentioned before, Black Hat, DEF CON, HackSpaceCon; you’ve hit international locations as well, which is very difficult for you, but you also get to speak in front of different levels of an audience, right? You’re talking to practitioners, you’re talking to leadership. What would you say is one trend that you’ve been sort of tracking across all of these events that you think people aren’t paying enough attention to?

Filipi Pires: I think the major one is, they use different names, but if I can summarize, it is about the misconfiguration of identity. Let me explain more about that. For example, for the ransomware attack, the ransomware just works because the user on this machine that clicks on the malicious file has an identity, and above this identity there is a permission. So if someone sets wrong permissions or a wrong type of rules for this specific user, they will click on this binary and they will be infected by ransomware, for example. If you talk about the cloud, it will be the same thing. We can see the different actions that you have in the cloud; each action has a group of policies and rules and stuff like that, many things. And when I watch those types of conferences, usually for the leadership they use a different approach and for the technical guys they use another approach, but at the end of the day the word that I can summarize with is misconfiguration, because if you read something in the newspaper or on TV, you cannot see a bunch of zero days. WannaCry, for example, is based on non-misconfiguration. It’s about some error, because Microsoft had the patch but no one updated. So if you see the biggest attacks of the last 10 years, it’s all about, okay, I cannot update my software, it’s legacy software, and so on and so forth. Of course, we have a kind of movement from on-premise to the cloud, from the cloud to microservices. But at the end of the day, again, for each microservice to be connected, we need to have the permissions. In the past, you probably heard that the perimeter is the firewall. Remember? So we should have a very nice perimeter protected using a firewall, or after that a next-generation firewall, or whatever. However, let’s say the perimeter is identity. And that’s the thing that I heard. So, for instance, I was talking in the Middle East, at Black Hat Middle East, and I watched many people on their own stage, on the main stage, talking about the challenge of how they can implement Zero Trust. Zero Trust is about culture, and Zero Trust is about authenticating every person. So if you authenticate every person, each person has what? Has an identity. And that’s the key. So that’s my takeaway, let’s say, from the conferences that I’ve been participating in.

Chris: Yeah. Yeah. And it’s a common factor regardless of where you are, right? And these technologies are still evolving. So I know you’re talking nonstop in different places, but what’s your way to keep your axe sharpened? How do you stay current? What keeps your passion alive, and how are you continuing to learn all of these new technologies while still being able to speak to different groups consistently?

Filipi Pires: The thing that I’m doing is, of course, participating in conferences, and sometimes I’m trying to spend some time talking with other guys in the field to understand about those researchers and how they are doing different research. And sometimes I need to produce some content for, let’s say, the C-level, and usually I’m trying to figure out what the expectation of the market is for the next five years in front of us, how they are looking at this. And not only this, but for the main brands, let’s say, about the threats, because I love talking about threats: Trend Micro, CrowdStrike. I like to read some reports, or even that scope, so how they are investigating threats. And, for example, Trend Micro has a specific team that is involved with future threats. So this is one way that you can study how the future is going against us, let’s say, against the company. And that’s one way that I’m trying to keep updated. And of course, when I participate in different conferences, I like to see how the different companies are creating different products and trying to bring some new idea, new technology. Because, as I said, I like to talk, and I like to talk with other people and to learn about how they are creating stuff.

Chris: I think that forces you to stay current, right? You know, when I’m giving a talk, just continuing to review that forces me to go deeper in my research. Because again, this is evolving daily, right? So the talk that I gave four months ago is not gonna be the talk that I give tomorrow. So I think it keeps you constantly current with threats. And speaking of threats, you know, what,

Filipi Pires:  Yeah.

Chris: I hate to say what keeps you up at night, but what keeps you up at night? Right? What is top of mind for you that you think is something that cyber attackers are still able to pull off today that defenders just aren’t able to catch? What is the number one threat out there for you today?

Filipi Pires: It’s a good, it’s a tough question, because yesterday I published one of my latest articles, which I wrote about malicious PDFs. So maybe you think, malicious PDFs, why? But that’s the scenario. Okay, so for you as a technical guy, or someone that is hearing us now, technical people think, okay, I should look into the binaries, executables, and that’s it. However, from the attacker perspective, they know that if they send some executable to the user, we have a kind of antivirus, we have IDR, we have firewalls and many things. However, if you send some malicious PDF, for some reason, to the HR team or the people team or even the financial team, this is the everyday use case: they will open PDFs. That’s the key. It’s not a user problem. It’s the day-to-day of this user. You know what I mean? Take the talent acquisition team in the company. What are the activities? What is the role? They need to open the CVs. That’s the key. If I am an attacker, I know this.

Filipi Pires: So I just need to create the best PDF and I just need to send it as an entry point. Because your question is about what kind of threat. So the attack vector can be different. You can use more than one. But if you see the biggest attacks, they are totally involved with specifically a third party or even a contractor, or... the vector of the attack can be different. However,

Chris: Yeah, it’s still trusting external entities.

Filipi Pires: Exactly, and the logic of the attacker is based on one simple thing. If you’re watching now and you have a company, you have a formal employee, hired by W-2 or whatever, but you have a third party. Ah, the third party is a consulting company. However, for the business logic, sometimes the company hires some people as contractors. And when you hire some people as contractors, you give these users high access, the privilege, because the contractor way is just for the taxes thing, you know what I mean? So it’s not only the US; in Brazil it works the same way. When I lived in Portugal it was the same case, when I lived in Poland it was the same case. So when you hire some people as contractors, it’s because the company wants to pay less tax than they should pay for the employee. But on the other hand, when they hire these people as contractors, they give them the full employee access, and that’s the key. And you can imagine, for example, let’s suppose that I have a company in the US, but I need to hire a specific developer or even a security guy, and I can hire the guy in Brazil. This guy will be based in Brazil, and if you have any company here in the US, the guy will be in Brazil. So this guy in Brazil will have full access to my environment. Okay? So from the attacker perspective, since your question is about the main threats, I need to exploit this guy; this guy has access here. He’s a contractor, however the permission that he has is the same as the employee. It’s just, again, a tax way that you can hire people. And I know that’s how this works, because the executives, let’s say, try to pay less tax. That’s the key. So at the end of the day, Chris, it’s not about what the most common threat is. The question that I should ask is: what is the common weakness that we have in our company? For example, the legacy system. Man, when I started in cybersecurity in 2015, you know, 10 years ago, we had this conversation 10 years ago. At that time, the old thing was about legacy. And 10 years after, we keep talking about legacy. 10 years. You can imagine, now we have AI, but we keep having legacy systems in our environments. And not only this, but these legacy apps, applications, whatever, have a bunch of high privileges.

Chris: Yeah. So do you think the threat could be the company’s own infrastructure and being able to just secure those legacy systems, or just still having legacy systems? Because I know a lot of times, especially in healthcare, it’s really difficult to remove those legacy systems. So it may just be not knowing how to secure it.

Chris: But I think you’re right. I think the threat is, I guess, overlooking those aspects within your own environment.

Filipi Pires: Yeah, that’s a... when I started in cybersecurity, I heard, okay, we should have security layers. And I thought, okay. So 10 years after, my answer is we should keep having layers of protection, because, okay, when you have an application, a web application, for example, your application needs, for some reason, depending on your business, of course, to be open to the internet.

Filipi Pires: But usually this application has a specific service account or the www-data user access. So we should have just this kind of level. However, there is a kind of administrator access inside of this application. So from the attacker perspective, if they exploit the vulnerability in this application, they go inside as this www-data user. After that, they will try to escalate privileges to go inside of this machine, and after that try to move laterally, and after that maybe use pivoting techniques to go inside another network. And these are the steps used by the attacker. And if you think about the legacy software, we need to understand how we can maybe try again to isolate those types of legacy things and create layers of difficulty. At the end of the day, we need to bring more difficulty for the attackers, because if you do some kind of crawl on the internet, not on the internet, but on GitHub or GitLab, you will find many credentials there: AWS keys, secrets, OCI, service accounts. "But, Filipi, it’s not a problem, because those credentials are for the stage environment or for the developer environment." And when you try to use the same keys in production, it works. Yeah, it works. That’s the answer: it works.

Chris: It works. Where do you think red teaming in general is, is going?

Filipi Pires: Man, this is not good. It depends on the country you live in. Yeah, it’s always the same. Like, okay, let’s suppose, I’m supposing, okay, just supposing: I’m the offensive guy and I know how Burp Suite works, how Wfuzz works, DirBuster, and I have experience in offensive security. Then I decide to open my company and I decide to offer the red team service, and at the end of the day you keep using the same tools, and it’s not a red team operation. The FTO is different. I heard from a friend of mine, the Oliveira, a Brazilian, by the way my co-founder in the Red Team Community in Brazil that we founded a few months ago, a specific phrase; he has a talk about that: don’t simulate the threat, be the threat. That’s the difference. When you try to simulate the threat, you’re probably using Burp Suite or, you know, Wfuzz, DirBuster, or getting some script. When you become the threat, it is different. So you simulate, or you do the real attack, like when you do the physical red team. So we go physically to the company: how can you go inside? You have the security guard; how can you go inside the company and collect all those types of credentials physically and for real, not only simulating but being the threat? That’s the key. So I think that a bunch of mistakes happen in the role about the red team. As I said, some people make this confusion: okay, I’m this offensive security guy, I have very nice work on CTFs and I can do the red team. But no, that’s just doing pentesting, man. Forget about it. You’re just running tools, or sometimes you buy Qualys tools or some Nessus tools or something like this, collecting the reports and presenting them to the customers. That’s not red team. It’s just vulnerability scanning.

Filipi Pires: So that’s, I think, the big mistake in different countries. Misconception, exactly.

Chris: Big misconception. Yeah. Yeah. If someone were to come to you tomorrow and wanted to learn red teaming, what would be the proper way to guide them? How would you guide them?

Filipi Pires:  first of all, I need to understand what kind of base the people that this person has, for example. And after that, I could suggest many things, but one other thing that I would suggest to learn is, of course, understand those bases about, had I said about the applications, about the Because again, Red Team is a team, not the only person. That’s the key, because you need to have this training  for example one guy specifically in the web application another guy maybe in the the API another guy is in mobile another guy in hardening in hardening another guy for example in physical penetration of the physical attack and those type of things so I need I am I asking for this person and tomorrow is what is your passion and about the offensive security because first they need to understand about the offensive security and after that how they can  create this structure about okay

Filipi Pires: How does the kill chain work? How does the attacker work? Okay, so we have the first phase in reconnaissance and after that creating the entry point. And based on that, I was suggesting some steps. One of the things that I like to suggest, for example, for the web application is the Burp Academy, the Burp Suite Academy. So there are a bunch of courses there and labs in a practical way. And it's free, it's free of charge. You don't need to pay anything for that. And this is one of my recommendations. The second recommendation is to use the Hack in the Box or even TryHackMe to organize all type of things, to learn more in a practical way, because it's a practical practice. But important: if you do the Burp Academy, you have a kind of basis there, the main vulnerabilities that you can find in web application. But again, this is just one part. I'm talking about the web.

Filipi Pires: So the Red Team is completely... And of course, being involved with the community, like the Red Team Village in the events, and trying to see who are the main guys in the field about the Red Team. On the other hand, it's interesting because, let's talk about one of the very known guys in the field, NahamSec, for example. NahamSec is a bug hunter, okay, but his focus is on finding vulnerabilities.

Filipi Pires: I don't know if he is the correct guy for learning about the red team, but for finding vulnerabilities, this is the guy. Definitely. We need to learn many things with this guy. Definitely. But of course, if you would like to have this journey, you need to learn about NahamSec. Definitely. And after that, you learn, learn, learn. Because it's, again, Chris, a journey. OK, tomorrow I give some guidance, but the guy really can work with the red team maybe in the next two or three years. That's the key.

Chris: Yeah, yeah. I don't think it gets any realer than being in the community. And that's the reason that I asked you that, it was because I think you spend a long time in your career, not just doing technical work, but also injecting yourself into the community, teaching the community, advocating for what you do and building community too. So, what do you think is sort of the biggest

Chris: shortfall now between how security and red teaming is taught and how it's practiced in the field? Is it the practicality that somehow doesn't get connected to the person or, you know, how, I guess, how do we start ensuring that that gap is closed to rectify those blind spots?

Filipi Pires: Yeah, I think it's the main problem that I am seeing in our community. When I talk about our community, it is about the security community, okay? Not about Brazilian or US or whatever. I think it's the same gap, or the same concern from my side is about the word journey. Let me explain about the journey, because when the guy starts in this field, when the guy, the person, starts in the field,

Filipi Pires: They want to learn very fast and they want to have the results very fast. When very fast, it's, okay, let's suppose I would like to work as a bug hunter, like NahamSec for example. So they want to go to, for example, the Bugcrowd program or the HackerOne program and they want to figure kind of finding vulnerabilities, receiving $10,000. Come on, man, you're starting today in this and that thing. Maybe you can find, but you need to... it's a journey. Okay, let me start in an offensive security field or in defensive security, for example. And usually this kind of problem is more for the offensive security, not defensive. For both, let me fix this, for both. Because, okay, the people start in the offensive security and they start as a junior guy or just a security analyst, and maybe they are working very nice, good, and they have very nice results, and then six months after they receive an offer to be a Plano guy, for example, no more junior but the second level, and six months after they jump to another level, they receive another offer receiving two thousand dollars more, for example, to be a senior, and they become a senior in one year. Come on, man, this is not possible

Filipi Pires: to be a senior guy in our field in one year. Just if you go specifically in your room and working, you know, studying 24 hours, but it's impossible. It's a journey. For example, the people are asking me in the few two days, or the people always ask me, okay, how you get this, be on the UR, on the stage talking at Black Hat in the US and Middle East? And my answer always is: when I started 10 years ago, not yesterday, I started 10 years ago, to build this. It's 10 years. I have four kids and I have twins. When I started in this career, the twins were born. So now they are 10 years. So it's a journey. That's the key. I think when you talk about security, offensive security, it's about journey. You know, many companies and people would like to work as red teamers,

Filipi Pires: but they are working as pen testers. They didn't find the very nice company working a very, or giving a very nice red team operation works, and that's the kind of confusion. Or sometimes they receive an offer to work in a specific company and this company is more like just a penetration test inside, for example, they are just working for finding vulnerabilities in the product. That's

Filipi Pires: It's a good thing. I'm not saying it's bad, it's good, but the question that people should

Chris: You don't get that exposure, right? You don't get that exposure. You need that experience to be able to understand the dynamics of the industry.

Filipi Pires: Yeah. Yeah, and sometimes again, sometimes you are doing a good job, you start in a small company and after that you maybe receive, just an example, please, an example. Okay, you are receiving offers working in AWS, for example, in Amazon, and you're working as part of the offensive security in Amazon. You do a kind of finding vulnerabilities on Amazon. Okay, maybe you're not doing the red team operation on Amazon because it's not part of your role, and that's the key. But if this job is your passion, you keep doing this, good. If it's not your passion, maybe you need to find your passion in the field. That's the key.

Chris: Yeah, yeah, that's what I enjoy about being a consultant is because of the pace of learning different industries, learning different issues. And some people don't enjoy that and that's okay. But I think having that mindset has helped me grow as a consultant, being able to see how, works, what doesn't work and speak to those different things. So I agree with you that it is a journey for sure.

Chris: And a journey that doesn’t end, and it’s a journey that you look forward to every day.

Filipi Pires: Yeah, and I like to add something. Like I told you in our conversation at HackSpaceCon, it's nice to do a talk, it's very nice to share the knowledge, and usually the people that are watching you, they can have two different perspectives from you, let's say. One is, okay, this is a fucking speaker, I don't know if you can use fucking, but anyway

Filipi Pires: you remember my talk. Yeah, exactly. So maybe you look at the guy on stage and get, this guy is a fucking guy. Knows very nice things about the cloud, about the hacking, about, you know, system operation. And they go home after watching this talk and they can share with other friends: I watched yesterday a very nice talk and the guys are super incredible. Cool.

Chris: I loved it,

Filipi Pires: On the other hand, and that's my expectation, is when you're watching this guy on stage, you watch the guy, okay, how can I use this in my job? And if I learn something, I need to put it in practice in my job. So that's the way that I like to work. When I talk, I like to have something for the attendees to use in practice in their jobs. Because at the end of the day, if I am on stage, I'm just the speaker, whatever. It's nice for the ego, but at the end of the day, this kind of ego or something is just for the kids that I have, my wife, and that's it. But if you can use it in a practical way, okay, I go back to my job and I will fix my misconfigurations in the cloud. Okay, I will do kind of adjustments or settings in my ADR or in my environment. Those are the takeaways that I want to share with my attendees when I talk. That's my main job. Sometimes I heard some guys around me that say, you need to bring more zero day. Yes or no, it depends. So I prefer to share something more useful than something that I can share that I'm fucking high

Chris: Yeah, no, I love that, man. Tell me about Segura. What does Segura mean and what is your role there?

Filipi Pires: Segura means secure, it's Portuguese language by the way, and it means secure. So, Segura is a Brazilian company, the company was born in Brazil, and the company focuses on Privileged Access Management, or the acronym is PAM, but they are changing the business right now, so we are creating identity solutions, let's say. So, that's the main core of the company. The company was born in Brazil, but it's a global company. I'm part of the United States business unit and not only this, as a speaker, I'm kind of a global speaker representing the company. And right now my role is being the head of Identity Threat Labs. The Identity Threat Labs is the lab responsible for investigating new threats, known threats, doing reverse engineering, finding vulnerabilities and many things. That's my main role in the organization at this moment.

Chris: Okay. And where can folks listening to this find out more about your company and then also where can they find you and connect with you online?

Filipi Pires: Yeah, definitely. So they can find me on LinkedIn. Usually it's Filipi Pires. F-I-L-I-P-I. Many I's in the word. And Pires is the Pires of the normal. They can find me on LinkedIn and on Twitter. Or not Twitter anymore, but on X. It's Filipi Pires as well. And they can find me on Instagram. FilipePires.sec. And the company as well, they can find me. We have a website where I usually post the articles, it is the lab dot segura dot blog. They can find some information there. And of course, there is my YouTube channel. I'm not a podcaster, but I just put every one of my talks on the YouTube channel, it is Filipi Pires. You can find there my talks, talks that I made at, you know, BSides Las Vegas and different, you know, events that I participate in. All those talks that were published, I put in there, in Portuguese, Spanish and English as well. They can find many of my talks there.

Chris: Nice. Do you have a list of where you're speaking next?

Filipi Pires: Jesus, yeah, I have. I was imagining you asking before. Okay, no, next I have. So I go to BSides 312 in Chicago, and I go to Vegas for an university, and after that go to Brazil for the Affinity event. I go to

Chris: Yeah. I'm saying you need to list it. You need to have that listed.

Filipi Pires: Ah, okay, no, no, no, okay, okay, I understand your question. No, no, but it's a good idea, by the way. I should do something, I need to put something on my GitHub. My GitHub is filipi86, by the way. And I have there some tools, open source tools, and some things I usually publish there. But I think I need to put there my future events because I will... No, no, no, no.

Chris: Yeah. Nice. Your tour dates, man, you're a worldwide phenomenon. Everybody needs to see you.

Filipi Pires: No, I have a good friend like you that, I will talk at Black Hat this year, on the Arsenal stage, and at DEF CON as well probably, and I'm just waiting for some answers. I will talk at BSides Las Vegas as well again in the Password Con track. No, Password, yeah, Password track. There are Password, yeah, Password Con track. Inside of BSides Las Vegas, one track is called Password Con and we talk there. I received the approval. So I would talk at Black Hat, BSides, and I'm expecting to talk at DEF CON as well in some village.

Chris: Man. All right, well, you are, you travel extensively to do these talks. When you're not traveling,

Filipi Pires: And, and, I expect to receive a barcode cap.

Chris: Yes, you will have one. I'm going straight to the mailbox after this talk.

Filipi Pires: Yeah, because you, I have a water box here, too big. Water box again.

Chris: Water bottle. So yeah, when you're not talking, you're home. Like you said, you're busy with your family life. I'm trying to figure out when you have downtime. And if you get downtime, I'm just curious, where do you like to hang out, man? Like, what are some really cool venues or cool bars that you either go to regularly or during your travels? Give me a cool bar that you've been to.

Filipi Pires: Man, this is a thing that I don't have any idea because when I travel I like to talk with the people. No, no, I have a time. I have, of course I have a time. But usually when I travel, as you saw in the event, I like to talk to people no matter what bar that we have. They just talk. But usually when I travel I like to go to the Fogo de Chão steakhouse, Brazilian steakhouse.

Chris: You have that you have no time

Filipi Pires: No matter the country that I am in, I try to figure any Brazilian steakhouse. Because I was born in south of Brazil, just to explain for the attendees or the people that are watching now and all of us, I love steakhouse in my country. My state, Rio Grande do Sul, is the last city in Brazil. So our main meat is a barbecue. So the ribs, and usually when I travel I like to go to those type of things. And usually when I am home, for example, trying to rest, but in the weekend, not only the weekend but during the week or a weekend, I am a Christian guy, I'm participating at the church. I play drum, guitar, keyboard, bass, sing

Filipi Pires: whatever thing, I'm a church boy, let's say, since the beginning. Yeah.

Chris: Yeah. Right. So I just heard last call here. Do you have time for one more?

Filipi Pires: Yeah, or maybe two or three. Man, I talk a lot, like that.

Chris: Now you’re good. I only have one more though. I only have one more. All right. So if you decided to open a cybersecurity themed bar, what would the name be and what would your signature drink be called?

Filipi Pires: Okay. Yeah, that's interesting. You should go, definitely should go to the Hackers to Hackers in Brazil, because there is specifically a bar in Brazil called cyber, cyber beer. Yeah, and we went there with the Red Team Village, with the red team guys there, and there are a bunch of beers with the cyber names, like exploit IPA and whatever

Filipi Pires: And it's a very nice bar, you should go there in December if you go to the Hackers to Hackers. But I think my beer can be, like, I love malware things, maybe malware beer, something like this. I'm a normal guy, because I love PDF, malicious beer. I don't know, I'm not creative in this way. But if I have a kind of name for beer or

Chris: So it's the only malware that you intentionally enter your environment or drink.

Filipi Pires:  drink

Chris: It'll be that good that, like, it's bad. Like, it's bad. Okay. OK, I like that. I like that. Our beats. I like it. OK, sounds dangerous, but I'm in.

Filipi Pires: more bits, and it's a blue color, it's a very nice... It depends who drink.

Chris: Just don't put condensed milk in it.

Filipi Pires: Definitely, yeah. No, no, no, no, no.

Chris: You would? Okay, okay. Man, condensed milk goes in every drink in Brazil. I remember going to a bar there and there was a row of condensed milk and then you had all your liquor.

Chris: Crazy. What else, man? Favorite dessert, favorite dessert in Brazil.

Filipi Pires: That's a bad question because usually I prefer the dark chocolate. In Brazil it is not too common, you can find dark chocolate more in the other countries, like US, but in Brazil everything is sweet. And I think I like mousse, chocolate mousse, and it's very nice and with your breast. Yeah, I like it, but if I have a

Chris: Yeah. Okay. You like flan? Yeah, that seems to be a popular dessert there.

Filipi Pires: Yeah, I think pudim. Did you try pudim in Brazil? Pudim, it's similar to flan, but it's much better. Yeah, it's the fate. It's very similar when you watch it, but it's different when you eat.

Chris: All right, Filipi, thank you so much for stopping by. Really appreciate it. I hope to see you at Hacker Summer Camp coming up soon.

Chris: And I'll definitely stop by and we'll have a malware beats beverage together.

Filipi Pires: Definitely, thank you. Thank you, Chris, again for having me here, for this invitation. I think that's when you asked me about being here. So I said to you, for me, it's just a conversation. If you have a question, you don't need to send me. Just open your mouth. And that's when the magic happened. And that's it. Again, thank you so much. So if the people would like to

Chris: The magic happened.

Filipi Pires: reach me, so we have my contacts on LinkedIn or whatever social media you want. The people can send me a message if they have any questions. I'm here, and again thank you so much for this space and I hope to see you soon in person.

Chris: Definitely. Thanks, man. You take care.

Filipi Pires: Take care.
