Bianca Suciu

Portland, OR

Summary

Brings a unique human-systems perspective to cyber threat intelligence analysis as a bilingual who studied and worked in three different countries. Cyber Threat Intelligence professional with 9 years in CTI research, 2 years in threat hunting, and experience in insider threat. Seeking a senior role focused on developing adversary emulation capabilities to generate telemetry when TTPs are absent and automating threat hunting with Python and machine learning. Recognized for identifying patterns of trust exploitation, deception, and adversarial influence that traditional technical analysis can overlook.

Overview

13 years of professional experience

Work History

Threat Intelligence and Hunting Analyst

Cisco Security Visibility and Incident Command
Portland, OR
10.2022 - Current
  • Reduced analysis time of the most critical cyber threat intelligence impacting Cisco through automation with Recorded Future, Python and Feedly, from 16 hours to 5 hours, enabling security teams to respond to high-impact threats and protect over 1 million Cisco customers 30% faster.
  • Correlated Cisco products, Cisco customers, Cisco locations, adversary tools and TTPs from past Cisco incidents with attack vector impact and Cisco security events in order to rapidly research, threat hunt, and mitigate the 5–10 most critical threats to Cisco.
  • Mapped, researched, and validated MITRE ATT&CK TTPs for one APT threat per week, such as UNC5221 disabling Linux host security controls after exploiting CVE-2025-0282 in Ivanti Secure VPN.
  • Hunted for TTPs such as lateral movement via LDAP across Cisco EDR, IPS, and telemetry using Splunk and Osquery and documented gaps such as ensuring SELinux packages are installed and other commands executed to validate the procedures.
  • Analyzed emerging TTPs impacting Cisco infrastructure monthly to improve the Cisco Advanced Security team’s ability to emulate and defend against emerging ESXi-focused ransomware techniques. For example, I wrote a 20-page report about ransomware campaigns targeting ESXi, like SPRITE SPIDER’s Defray777 and CARBON SPIDER’s Darkside, including attack vectors via vCenter and SSH using Plink.
  • Produced 3–6 daily strategic threat intelligence reports analyzing critical geopolitical and industry threats, including potential cyber-warfare DDoS targeting an implant in Cisco VPN infrastructure in Ukraine, to inform leadership and guide operational planning. This enabled proactive mitigation recommendations, such as air-gapping critical partners or deploying emergency hardened hardware, enhancing Cisco’s resilience against high-impact attacks.
  • Tracked changes in IOCs and TTPs of the Midnight Blizzard APT, which targeted Cisco’s industry in 2024, by doing a retroactive threat hunt, and identified that M.B. was not reusing tools across campaigns but was adapting every campaign to wherever the weakest vulnerability was: CVE-2022-27924 in Zimbra in 2022, cloud OAuth misconfigurations in 2023, and RDP config trust in 2024.
  • Developed automation logic in processes such as enriching IOCs with data from Umbrella DNS, AbuseIPDB, and VirusTotal to help analysts auto-mitigate new widespread IOCs 20% faster, specifically to decide whether to block new IOCs observed across a high volume of Netflow, DNS, and VPN log events, where widespread presence may indicate either a benign widespread service or a large-scale attack.
  • Participated in weekly info-sharing groups such as IT-ISAC, where contributors from different organizations in the IT industry analyze the latest weekly CTI critical to the industry and report whether they were impacted by these threats, so contributors could use the CTI information to write CTI reports for their stakeholders and create threat hunts if applicable.
  • Helped the Incident Response team respond to 7 major active incidents through analyzing and hunting for IOCs, TTPs, and tools used by the adversary in the incident. Identified MFA Fatigue as the primary initial access vector during an active Cisco intrusion investigation, where the MFA fatigue was executed against an account whose Cisco corporate credentials were obtained through Chrome password sync to a compromised Google account.
  • Collaborated with the Cisco Brand team once a week to identify up to 100 new FQDN threats weekly to the Cisco brand, such as impersonating domains with malware drive-by downloads, typo-squatting, and unofficial Cisco partners, and initiated domain take-down requests to protect the Cisco brand.

Security Research Engineer

Cisco Talos Threat Intelligence and Research
Fulton, MD
09.2018 - 10.2022
  • Resolved 5,200 customer escalations annually for detection content in ClamAV, Snort, Cisco Email Security, and Advanced Malware Protection, improving resolution speed by 10%. When a bank CEO reported a spear-phishing bypass, I analyzed the headers, identified missed indicators, validated related regex logic, updated the failing detection filters, and deployed a fix that prevented similar attacks across all Cisco customers.
  • Reviewed RFCs daily to diagnose issues in email-threat detections. For example, a HELO-forgery rule logic conflicted with RFC 5321 and RFC 1912 protocol recommendations. By validating the rule’s assumptions against protocol standards and collaborating with detection engineering, I confirmed it would generate false positives and made revisions that reduced alert noise and improved detection accuracy.
  • Analyzed the headers, scripts, certificates, and content of 400 multilingual webpages per day to identify web-skimming, HTML/JS injection, outdated libraries, suspicious redirects, malware downloads, phishing, and brand impersonation, and to classify the site purpose and audience. This work improved threat classification accuracy and enhanced the precision of web-reputation scoring across the platform.
  • Analyzed 600 multilingual emails per day to detect phishing URLs, exploit attachments, forged headers like HELO, Date, Received, or Message-ID, BEC patterns, and attempts to evade SPF/DKIM/DMARC through deceptive techniques. This work improved the detection fidelity of machine learning systems and strengthened the organization’s ability to block sophisticated phishing and malware campaigns.
  • Analyzed files in the malware sandbox to determine their reputation using behavioral indicators such as VM-evasion techniques, strings and mutexes linked to known malware families, suspicious registry or process-injection activity, anomalies detected by Snort or AV engines, and ATT&CK-based indicators.
  • Reviewed 5 Snort detection rules daily to ensure emerging malware variants were properly detected and validated their effectiveness against recent packet captures and malware samples.

Security Analyst and Linguist

Cisco Talos Threat Intelligence and Research
Fulton, MD
12.2015 - 09.2018
  • Analyzed and translated 200–400 websites and 400–600 emails per day from approximately 1 million Cisco customers to improve the efficacy of data classification and detection engines. I helped mitigate approx. 40 malicious website payloads and 100 email payloads by making changes to reputation filters.
  • Authored weekly guidelines to help analysts accurately classify emails from Cisco Email Security Appliance customers, reducing analysis time by 10–20%.
  • Initiated a Python side project that collected URLs from 500,000 emails from Cisco customers to track daily categorization and reputation metrics and identify missed spam. I found that 20% of the emails reported as phishing, which analysts were manually classifying as phishing, contained uncategorized URLs.
  • Volunteered on a project with the threat intelligence team to monitor the Darkweb forums for data leaks and exploit sales targeting the South American financial industry. I identified and reported on one data leak from a bank containing employee passwords.

Teaching Assistant

George Mason University
Fairfax, VA
09.2013 - 05.2015

Provided teaching assistance for two professors in Computer Forensics and Information Security Principles. Graded assignments and tests, and helped answer technical questions for approximately 100 students.

Software Quality and Assurance Analyst

Volanno - FAA and Amtrak Software Contractor
Washington, DC
01.2014 - 08.2014
  • Tested search, submit, reset, and booking buttons across different pages in a new Amtrak webpage.
  • Tested Amtrak website performance and layout in multiple browsers (Chrome, Firefox, Safari, and IE).
  • Checked the Amtrak ticket purchase flow for both registered and guest users.

Education

Applied IT With Cybersecurity

George Mason University
Fairfax, VA
05.2015

Bachelor of Science - Computer Science

Queen Mary University of London
London
07.2012

Skills

  • Cyber Threat Intelligence Analysis
  • Cyber Threat Hunting
  • Cisco Endpoint Detection Response
  • Splunk
  • Elasticsearch
  • SQL
  • Osquery
  • Python
  • YARA
  • OSINT
  • MITRE ATT&CK
  • Shodan
  • Censys
  • ThreatQuotient
  • Recorded Future
  • The Hunter
  • Vertex Synapse
  • Silo
  • Flashpoint
  • Exabeam UEBA
  • Insider Threat
  • Code 42 Incydr
  • Cisco Email Security
  • SMTP
  • Regex
  • Cisco Web Security
  • HTTP
  • Malware Analysis
  • Cisco Advanced Malware Protection
  • Cisco Secure Network Analytics
  • Snort rules
  • TCP/IP
  • Cisco Umbrella DNS

Timeline

Threat Intelligence and Hunting Analyst

Cisco Security Visibility and Incident Command
10.2022 - Current

Security Research Engineer

Cisco Talos Threat Intelligence and Research
09.2018 - 10.2022

Security Analyst and Linguist

Cisco Talos Threat Intelligence and Research
12.2015 - 09.2018

Software Quality and Assurance Analyst

Volanno - FAA and Amtrak Software Contractor
01.2014 - 08.2014

Teaching Assistant

George Mason University
09.2013 - 05.2015

Applied IT With Cybersecurity

George Mason University

Bachelor of Science - Computer Science

Queen Mary University of London