Systems fail when the stakes are real. Passaro’s work follows one pattern: find the failure point, understand it completely, and build what should have existed all along.
FT3 is the operational backbone of Stripe's attacker engineering work — open-sourced so defenders everywhere can plan, stage, execute, and triage adversary emulation against the systems they're paid to protect.
Recognized as the first fraud ATT&CK-style framework, FT3 defines the standard for categorizing financial exploitation. By translating established adversary emulation concepts into a specialized fraud taxonomy, it empowers engineers and threat intelligence teams to map complex financial abuse vectors with the same rigor historically reserved for network intrusions.
FT3 authored Feb 2024. Proposal submitted Oct 2024. CFPF launched Apr 2025. FT3 public Jul 2025. Fraud Taxonomy created Aug 2025. F3 public Nov 2025. Precedence is a fact of the record, not a claim in a deck.
The bleeding-edge prototype fork of FT3. This is where I experiment with new models for mapping how adversaries plan, stage, execute, and triage fraud activity across the attack chain before they hit the main framework.
Aqueduct pioneered open-source STIG compliance automation years before the term 'compliance-as-code' existed — its one-script-per-finding architecture and multi-framework coverage became the blueprint the industry eventually standardized around.
Notes from inside the build: attacker engineering. incident response, fraud intelligence, adversary behavior,
and the language systems defenders use when the facts are still arriving.
This session will provide a builder’s view of how fraud intelligence must evolve as adversaries use AI to accelerate their tactics. The next evolution is making that language operational, adaptive, and usable inside real investigative and intelligence workflows.
A hands-on workshop where defenders will leverage Claude Code + the Pure Signal Scout MCP to conduct a real threat intelligence investigations, using live Team Cymry data in a TLP:RED environment.
A hands-on hackathon for threat hunters and cyber investigators focused on using threat intelligence to track and investigate real-world threat and fraud actors. Participants analyze OSINT to uncover malicious operations and connect intelligence into actionable findings.
Opening keynote on the power of the defender community and the responsibility of being in the room. The talk welcomed attendees on behalf of Stripe Security and centered on a simple idea: everyone present had the opportunity to change an outcome for the better.
FT3 brings an ATT&CK-style model to fraud defense. This session breaks down how it actually gets operationalized, from classifying fraud behavior to building workflows teams can act on at scale.
A Piper Sandler Cybersecurity CEO Summit session with Vincent Passaro and Team Cymru CEO Joe Sander on how AI is reshaping external threat detection, fraud intelligence, and internet-scale visibility.
Past the hype: security practitioners are becoming owners of outcomes, not just builders of tools. Explore how analyst judgment, agentic workflows, and product thinking can help small teams move problems that once felt too complex, too slow, or too expensive to solve.
Using the butterfly effect as a metaphor, this keynote explored how trust, permission, and presence can shift complex systems in unpredictable ways, and how community gives legitimacy a path to travel.
FT3 reaches one of the field’s most trusted global defender communities: Underground Economy. The talk presented Fraud Tools, Tactics, and Techniques as a shared framework for defending the financial ecosystem.
FT3 becomes a bridge across fraud, threat intelligence, and security operations. Session explores how shared language reduces translation loss and turns pattern recognition into operational leverage.
FT3 evolves from concept into structure. The talk explored how fraud tactics, techniques, and workflows could be mapped with enough precision to support shared reasoning and defensive action.
FT3 began as an early field signal: fraud needed a common language. The talk introduced the case for a framework that could help defenders classify behavior, compare patterns, and move beyond isolated casework.
Linux Journal covered Aqueduct as open-source hardening infrastructure for RHEL6 systems, showing how its STIG scripts could be deployed with Ansible across a high-performance compute cluster.
Full-day hands-on intensive for TI teams moving past chat interfaces into agentic workflows. Build operational pipelines integrating Claude Code and live telemetry via MCPs. Focus: automating IOC enrichment, mapping adversary infrastructure, accelerating triage at machine speed.
Claude Code 
MCP Engineering complex autonomous systems beyond chat interfaces. Build deep-research pipelines for context gathering, translate concepts into machine-enforceable PRDs/ARDs, equip agents with custom execution skills, and design testing harnesses to iterate and deploy agentic workflows reliably.
Claude Code 
Codex Closed-circle, onsite intelligence fusion. Working with unsanitized telemetry and live campaign data to map adversary infrastructure, classify typologies, and engineer coordinated cross-industry defense.
Claude Code 
SCOUT MCP Hands-on workshop where defenders use Claude Code + Team Cymru's Pure Signal SCOUT MCP for real threat-intel investigations on live SCOUT data in a TLP:RED environment.
In the 82nd Airborne, Vince Passaro learned early that systems fail under pressure, and someone has to understand why. That has always been the work. From Fort Bragg to Booz Allen, General Atomics, Fotis Networks, Buddha Labs, AWS, and Stripe, the pattern has stayed the same: understand how adversaries win, find where defense breaks, and build what should have existed all along.
At AWS, that meant response and cyber intelligence systems built for failure at global scale. At Stripe, it means attacker engineering, FT3, and frameworks that give defenders a shared operating language for fraud and adversary behavior. The logos are not the story. The pattern is: find what is broken, understand it completely, and build what fixes it properly. No theater. No abstractions. Just the work.
CURRENTLY · STRIPE
Inquiries are read personally. Lead with the problem, the system under pressure, and what outcome needs to change.
What keeps the work sustainable: signal, solitude, discipline, and the people worth building for.
