THINK RED. ACT BLUE.
Most security programs are built by defenders who've never thought like attackers, or red teamers who've never had to operationalize their findings. Think Red. Act Blue. is the bridge.
Get the Framework Guide — free
No spam. Unsubscribe anytime.
Security teams that only defend rarely understand the adversary.
Security teams that only attack rarely understand how to defend at scale.
The best practitioners do both.
Think Red. Act Blue.
— Ismael Valenzuela, Creator of the Think Red, Act Blue philosophy
The Three Pillars
THINK RED
Understand adversary behavior from the inside out.
ACT BLUE
Translate that knowledge into operational defense.
STAY SHARP
Adversaries evolve. Your practice must too.
Latest from The Monday Brief
- Forest Blizzard Proved That Changing One DNS Setting on a Home Router Is Enough to Harvest Enterprise Credentials at Scale
- A Poisoned Package, a Compressed Kill Chain, a Public Target List, and a Weaponized Leak
- While You Were Watching Your XDR Alerts, Attackers Took the Pipeline, the Phone, and the Executive
INTRODUCING
ATT&CK LENS
The only MITRE ATT&CK v18 tool built specifically around the Think Red. Act Blue. philosophy.
Slice the Enterprise matrix by adversary, technique, platform, or detection coverage. Understand where attackers are active and where your detections are blind.
Used in SANS SEC530 labs. Free to use.
Launch ATT&CK Lens →Upcoming SEC530 Sessions
View all at SANS →- In-PersonJuly 13, 2026 — Washington, DC Register at SANS →
- In-PersonSeptember 28, 2026 — Paris, France Register at SANS →
ABOUT
ISMAEL VALENZUELA
Creator of the Think Red, Act Blue philosophy | Redefining how defenders think about adversaries to build security architectures that actually hold.
As the creator of the Think Red, Act Blue philosophy, the foundational framework behind SANS SEC530: Defensible Security Architecture & Engineering , I've spent my career bridging the gap between offensive threat understanding and defensive security operations. Think Red, Act Blue challenges security teams to adopt the adversary's perspective — not to attack, but to architect smarter, more resilient defenses. This approach has shaped how thousands of security professionals worldwide design detection strategies, build zero-trust architectures, and operationalize threat intelligence — moving the industry away from checkbox compliance toward continuous, threat-informed defense. As a SANS course author and instructor, I bring this philosophy to life through hands-on labs and real-world scenarios that equip defenders to stay ahead of evolving threats.
The Ecosystem
The Monday Brief
Weekly security intelligence.
All Around Defender
The practitioner community.
ATT&CK Lens
Threat modeling tool.
SANS SEC530
The course.
Not ready for the framework guide?
At least stay in the loop.
The Monday Brief lands every Monday — security intelligence, detection engineering insights, and framework updates. No fluff. Unsubscribe anytime.