cyber resilience
2 TopicsThe Black Belt of Cybersecurity: What a Former Military Pilot Turned SecOps Leader Knows About Surviving the Chaos
🎧 Listen now to The Resilience Room In 2012, a young Air Force officer named Michael Vetri walked out of his commanding officer's office having just been told his career was about to change forever. He'd trained as a pilot. Now he was being reclassified into a field almost nobody in the room understood. "I'm so sorry you were reclassified into cyber," his flight instructor told him. "If you need someone to talk to, let me know." That's not a joke. That's how misunderstood cybersecurity was fourteen years ago — obscure enough that getting assigned to it sounded like a consolation prize, or worse, a diagnosis. Fast forward to today, and that reluctant recruit is Senior Director of SecOps at a SaaS company serving the biopharma industry, a black belt Krav Maga instructor, and — going by the enthusiasm with which he brought up Assassin's Creed unprompted — a certified nerd in the best sense of the word. Mike sat down on The Resilience Room and covered a lot of ground: emotional intelligence as a revenue driver, the four things that keep security teams from burning out, why AI is currently winning the fight, and how disarming a training knife in a Krav Maga studio taught him more about incident response than most corporate leadership seminars ever did. If you work in this field, several of these are going to land uncomfortably close to home. Good. That's the point. Empathy isn't a soft skill. It's a spreadsheet line item. Mike leads with rank, but not with authority — a distinction the military drilled into him early. "In the civilian world, you can't just say, 'I'm a captain, you're an NCO, you'll do what I say.' No — it's a lot more influential leadership, invoking those empathetic muscles more." He points to a Harvard Business Review study of 189 companies that measured how deeply organizations embedded emotional intelligence principles — self-awareness, self-regulation, empathy, motivation — into their culture. The companies that did it well beat their revenue targets by roughly 20% year over year. The companies that didn't, missed by about the same margin. For an industry that still occasionally treats "soft skills" as a nice-to-have bolted onto technical competence, that's a hard number worth sitting with — especially if your last performance review mentioned "communication" in a slightly ominous tone. The four pillars that keep security teams from quitting Burnout in cybersecurity isn't news to anyone reading this. But Mike's framework for fighting it is refreshingly concrete. He tells every team he leads that people will stay if you give them four things — not in excess, just in moderation: Time. If someone's been grinding through late nights, notice. Let them come in later. Build in recovery. Money. Pay fairly for what they contribute — full stop. Recognition. Not just for wins. How you handle underperformance, professionally and without ambush, matters just as much. Development. Give people room to grow into who they're becoming, not just who they were hired to be. One detail worth stealing: when an underperformance conversation is looming, Mike doesn't open with the problem. He opens with "how are you doing? Everything okay outside of work?" — asked more than once if needed. People under pressure, especially newer employees still trying to prove themselves, often won't volunteer that something's wrong. They'll white-knuckle through it instead. A little space to be asked, rather than told, changes what people are willing to say. During one incident that dragged on for months, Mike built a shift schedule with staggered four-hour windows so his team could claw back rest without falling behind. He also borrowed a page from Air Force operational risk models: a short questionnaire — how much sleep did you get, how many consecutive night shifts, how long since you've touched this system — that produces a risk score. Score too high, and you talk to a duty officer before you're cleared to keep going. It's the kind of instrumented self-check most SOCs could use and almost none have. Be the eye of the hurricane Ask any incident responder what makes a bad night worse, and it's rarely the incident itself. It's the Slack DMs. The "hey, what's going on?" pings stacking up while you're still trying to pull logs. Mike's answer is to act as an umbrella for his team — absorbing pressure from above so the people doing the actual work can think. That starts with managing expectations upward immediately: this is fresh, I'm still learning it, I'll update you in an hour. One sentence, enormous operational space. It tells leadership "I've got this" while telling the incident team "go dark and go deep." Underneath that is a military framework Mike leans on constantly: the OODA loop — Observe, Orient, Decide, Act. In a live incident, the goal is to move through that loop faster than whatever you're up against. The moment you get stuck in "orient," unable to commit to a decision, you've lost the initiative. Everything else — the calm voice, the reassurance, the "breathe, I've got your cover" — exists to keep the team moving through the loop instead of freezing in it. And underneath that is the least glamorous ingredient of all: reps. "You wouldn't want a surgeon who hasn't performed one in three or four months operating on you," Mike says. Tabletop exercises, drilled relentlessly, are what makes calm possible when the real thing hits. AI is winning the speed war — for now This is where the conversation gets genuinely unsettling, in the way only a good SOC-lead story can. Mike cited threat intel research his own team pulled showing that traditional, manually written phishing emails land at about a 12% click rate. AI-generated phishing is landing at 54%. That's not an incremental shift — it's a different category of threat. His framing borrows from military history: "Just like the English were doing great with their longbowmen until they were met with cannons — we're doing great against traditional malware, traditional phishing, until we're met with AI-based malware, AI-based phishing." He pointed to Phantom Raven as a case study in the new normal — a highly polymorphic strain that reshuffles its own hash and callback domains the moment defenders try to contain it, sometimes riding in through a malformed open-source package nobody scrutinized closely enough. Mike's answer isn't to out-human the machines — it's to fight AI with AI, using it to accelerate investigation and triage so humans can make faster calls. But he draws a firm line at execution: "I still think it's a bad idea to let AI execute actions on your security stack." Not because it can't make good calls, but because when it's wrong, it's wrong at machine speed — locking down a developer's test script as if it were a live threat and taking a production deploy down with it. Assessment and evaluation, yes. Pulling the trigger, not yet — not until AI has earned the trust that comes from track record, the same way a junior analyst earns it. He's also thinking about a subtler insider-risk problem taking shape as advanced AI systems move into more sensitive testing and evaluation programs. His concern isn't the technology itself — it's what happens when knowledge of where that technology lives becomes valuable enough to bribe someone for. New capability, same old human vulnerability. Train at black belt level, or don't bother training at all Mike's been doing Krav Maga since a college roommate walked in mid-Assassin's Creed session and told him the game's weapon disarms were based on a real martial art taught nearby. He put the controller down, went and checked it out, and got hooked on his very first class — which happened to be weapon disarming. He made it to black belt in 2014, taught for years, and — genuinely one of the better anecdotes on the episode — met his wife through a self-defense class he was running as a side gig at New Mexico State. Her kicks, he reports, had "so much pepper behind them." The parallel he draws to cybersecurity is the episode's sharpest idea: you're only prepared to handle the level you've actually trained for. A yellow belt can handle a yellow belt. Theoretically, maybe an orange. Train your team only against script kiddies and spray-and-pray attackers, and script kiddies and spray-and-pray attackers are all you'll ever be ready for. The nation-state actor doesn't care what belt is hanging in your dojo. It shows up in the small stuff too — like treating every incident, however minor, as if you might have to defend your handling of it in court one day. Heavily documented, no matter how low-level it looks. "Don't give the opposing attorneys any reason to pierce your veil," as Mike puts it. Complacency doesn't announce itself. It just quietly lowers the belt you're actually prepared to fight at. The throughline of this whole conversation is one Mike states almost in passing but clearly means as a core operating principle: technical skill gets you in the room, but judgment, empathy, and relentless preparation are what keep your team — and your organization — standing when things go sideways. AI is changing the speed of the fight. It isn't changing who has to decide what to do about it. Catch the full conversation with Mike Vetri on The Resilience Room – available on most podcast platforms.20Views0likes0CommentsWant to Become a CrowdStrike Falcon® Pro?
Welcome back to our series, “Behind the Scenes of Immersive One”! The following is a conversation with BenMcCarthy​, Lead Cybersecurity Engineer for Immersive One, and RebeccaSchimmoeller​, Lead Product Marketing Manager. Today, we’re sharing insight into our new CrowdStrike exercises. “The worst time to realize you’re shaky with a process tree or a CQL query is when a high-severity alert hits at 2:00AM, and your manager is breathing down your neck. You don’t want to be fumbling around the interface—you want to be executing. We built these labs so that by the time the real threat shows up, you aren’t even thinking about the tooling, you’re just reacting.” Rebecca: That’s a heavy start, Ben! Glad I’ve had my coffee. But, you’re right. That kind of anxiety is real for everyone in the SOC. We all know the stats on dwell time, and we all know that the tools—even ones as powerful as CrowdStrike—are only as fast as the person driving them. We’ve just dropped a massive hands-on labs collection for CrowdStrike users. But I want to be clear for the analysts reading this: building this kind of natural instinct is all about gaining a tactical edge. You execute in a crisis, and your name’s on the promotion list. Ben: Exactly. If you’re an analyst, you don't need another slide deck on what EDR is. You need hands-on-keyboard time. You need to feel the friction of a live environment to become a superhero for your org in the middle of a crisis. We designed this sequence to take you from the basics of host management all the way to hunting a live APT. It’s about building the muscle memory so that your response is instinctive. Rebecca: Great segway! Let’s get into the "under the hood" stuff because that’s what’s so cool about what you’ve delivered for this live integration with CrowdStrike. What are the high-value workflows analysts will learn to master by doing the exercises? Ben: We don't gatekeep the good stuff. We start with the foundation—Host Management and Prevention Policies—because if your configuration is weak, your defense is weak. And then we move into the "hunter" phase. This is where you’re triaging real alerts and investigating malicious activity through process trees. You aren't just looking at a static image of a threat; you’re navigating the Falcon console to see how that threat is actually moving. Rebecca: That’s where the investigation becomes a hunt. I’m particularly interested in the NG-SIEM part of the collection. We know that log telemetry is where the real stories are told, but it can be intimidating if you aren't comfortable with the syntax. Ben: Absolutely, yeah. We’ve dedicated a whole section to the Next-Gen SIEM and hunting with CQL. If you want to be the person who finds the signal in the noise before anyone else, you have to be fluent in CrowdStrike Query Language. We give you the reps to query logs and hunt for threats so that by the time you hit the final lab—the APT scenario—you’re ready to synthesize everything. You’re using the host management, the policies, the triage, and the SIEM to shut down a simulated sophisticated adversary in real-time. Rebecca: It’s basically a flight simulator for a full-scale intrusion. But I can already hear some Falcon users reading this asking: "Why don't I see this in my dashboard yet?" The answer is, my friends, because this collection isn’t a general release for Immersive—it’s a bit VIP, right, Ben? Ben: Right. Because of our partnership with CrowdStrike, this collection is only available to existing CrowdStrike customers. So if your org uses Falcon and you don’t see these labs in Immersive One, it’s just a matter of permissions. There’s no extra cost. We just need your Manager to let us know so we can flip the switch. Rebecca: If that’s you, it’s a great excuse to have a conversation with your team lead, showing them you’re eager to gain proficiency in the stack your org has already invested in. It makes your boss look good too. It won’t hurt when you become a more lethal defender either! Ben: Honestly, this is why I love building these kits. It’s a win-win. The Manager just needs to reach out to their Customer Success person at Immersive to confirm the CrowdStrike setup. Once that’s done, the exercises are available to the whole team. Rebecca: I’d love to see comments in the Community about this release once folks get in there and start digging into the CQL queries and the APT workflows. Ben: Right? I can’t wait for someone to chat me up at our next Community event. It’s always cool to hear how different people approach the same investigation. But right, this is cybersecurity, so there’s a crucial operational reality at stake: Proficiency is the only thing that actually reduces dwell time. You don't want to be the person second-guessing your search syntax while the clock is ticking in the background. You want to be the one who already has the query ready to go because you’ve run it a dozen times in the simulation. Final Thought Don’t wait for a real breach to find out where your workflow is slow. Get in there now, or get the access from your Immersive Customer Success rep, and be the person who knows exactly what to do the second the screen turns red. Ready to drop into Falcon? Log in to Immersive One to get started. [Access Collection]