
THEOS Cybernova
THEOS CyberNova is a cutting-edge podcast that explores the dynamic world of cybersecurity, hosted by THEOS Cyber CEO Paul Jackson.
Each episode delves into the latest trends, challenges, and innovations shaping the cybersecurity landscape, featuring insights from industry experts, thought leaders, and technologists. Paul brings his expertise and passion for cybersecurity to engaging discussions on topics ranging from emerging threats and data privacy to the future of AI in cyber defense.
Whether you're a professional in the field or simply curious about staying safe in the digital age, THEOS CyberNova offers an invaluable insight into the world of cybersecurity.
Jayson Vallente: ROOTCON Pioneer Shaping APAC’s Offensive Front
From being a ROOTCON pioneer and core member (aka GOON) to driving large-scale offensive security operations, Jayson “JV” Vallente has been at the forefront of hacking culture and capability in the Philippines and across APAC.
In this live episode from the THEOS Cyber offsite, he joins Paul Jackson to share how he built the country’s first major AppSec teams, is helping ROOTCON grow into Southeast Asia’s premier hacker conference, and why the hacker mindset is essential for staying ahead of adversaries. They explore the role of AI in offensive operations, the power of cross-team collaboration, and the discipline required to thrive as an ethical hacker in today’s threat landscape.
Production Credits:
Presented by: Paul Jackson
Studio Engineer & Editor: Roy D'Monte
Executive Producers: Paul Jackson and Ian Carless
Co-produced by: Theos Cyber and W4 Podcast Studio
This week on the Theos Cybernova podcast.
Jayson Vallente: Right now a lot of adversaries are using AI. It's really becoming relevant. At the same time, in the Philippines, companies are slowly getting into security and therefore a lot of people now are more interested or learning about it. I guess with us in the Philippines, we grew in hardship, so we are very good with finding ways around things, around systems. Just be careful, because I have seen people. They were very talented, but because they crossed the line they were not able to go back to the industry.
Paul Jackson: The Theos Cybernova Podcast, hosted by Paul Jackson. Welcome to the Theos Cybernova Podcast. Season two is well underway and today I have a very special guest in a very special environment. We're here live at the Theos Cyber offsite. We have the entire company in front of us, and I'm here with the leader of our offensive security department. His name is Jayson Vallente, or better known to all of us as JV. JV, welcome to the podcast.
Jayson Vallente: Hey everyone, thank you for having me here. Paul, yeah, excited to be here.
Paul Jackson: Yeah, we're very excited to have you because we want to learn more about what your role is, not only in the company, but also in the community, because you're one of the great leaders in offensive security. So why don't you tell us a little bit about your story, how you got into OffSec and how you came to end up as a leader in Theos?
Jayson Vallente: Sure, definitely. So you know, looking back to my experience, I would say I've just been very lucky to really have had a lot of mentors. So I started actually, as I think most of everyone here started, from more of an IT admin background and then afterwards, you know, I know I really liked security. I've always been thinking about it, you know, been curious about it. And then when I moved to my company in HP, that's where I met my first mentor. He was apparently my onboarding buddy, but he was actually also the founder of RootCon, Dax Labrador. So when I met him, of course I didn't know who he was then, he was just my onboarding buddy, but we talked a lot about servers, talked about security, and then that's when I asked him how do you know a lot about this and I'd like to know more about it, and he was very happy to invite me to the gatherings of RootCon, which was called Beer Talk then. So that's where he became my first mentor. He told me what I need to learn, what I need to study. I fell in love with it, of course, and then I decided to move out of IT, move into information security, and then that's where I met my second mentor. It's my second mentor because he gave me a chance to, you know, from having no security background, be a system administrator for a bank. So after my experience with being in infosec in the bank, I decided no, I really want to pursue it. So I went into consulting.
Jayson Vallente: I think at that time there was no offensive security team in the Philippines yet. So I went to Singapore, I did some consulting and then my mentor from HP, before Dax, he called me out and said hey, JV, I think it's time for you to go back to the Philippines. We are forming the first pentest team in the Philippines, which was HP Fortify On Demand in Manila. So when I got the call I said I want to be part of it. So I came back home and then I was part of the pioneer team for HP Fortify On Demand, and then after HP, I think that's when a lot of my next roles were about starting teams. So after HP, my previous boss in HP moved to SpiderLabs, Trustwave, so he asked me to form SpiderLabs in Manila. So at the time I moved to Trustwave SpiderLabs, I started the first team of SpiderLabs in Manila. Started with about three people, grew it to about 30.
Jayson Vallente: And then, like I said, I was enjoying being able to really just have really passionate people who love security and being able to grow them and support them. And then afterwards, that's when I met Alex and of course, I was very impressed with his vision, what he wanted to do with Theos at the time, and then I joined Theos with also the same mindset of growing another team, but this time also with the values and with what I really wanted to have for my team. And so that's when I started at Theos, and now we have the offense team with us. I'm very happy and very proud of the team that we have right now. They're not only very cool guys, but they're all very skilled and also just very fun to be with. So I love the culture.
Paul Jackson: Right, right, and I love the way you refer to them as cool guys because, yes, they definitely are. RootCon. You mentioned RootCon and look, we're here in Pampanga at the moment for the offsite and yeah, when I was driving up here, I drove past the new venue, The Royce. The Royce venue, I mean it's pretty exciting, it's huge, it's a beautiful looking venue and, uh, you know, it's kind of filled me with a sense of excitement for RootCon, which is obviously happening in September, 24th to 26th. Is that right?
Jayson Vallente: That is right, that's correct.
Paul Jackson: So take us back a little bit. I mean RootCon. You said it started as what, BeerCon?
Jayson Vallente: Yes, it started as a very small gathering of, you know, people who were very passionate about, you know, hacking and information security. So it was initially started as Beer Talk. So we go into a bar, we have some beers and we just talk about hacking. We just, you know, have some challenges, and then it was, you know, just a gathering of really like-minded people. And then it grew. So it just, you know, it grew and grew. It started with just about 30 folks in a bar, then it was going into 50 to about 100.
Jayson Vallente: It was time for us to really consider it as being a conference. Yep, so when we started we wanted to be like the bigger conference, which was DEF CON in the US, so we coined it as DEF CON PH. So during, I think, our third or fourth run it was called DEF CON PH, but at the time DEF CON originally said that we can't use the brand DEF CON itself, so we changed it. So it was not about business. It should be focused on just technical sharings. It is focused on hacking. So now it's grown to be, I would say, the number one hacker conference in the Philippines. Last year we had close to 800. And now we're going to about, I think we're expecting around 1,000 people.
Paul Jackson: That's amazing.
Jayson Vallente: So it's really big and, as you said, passing through the new venue, well, it is a very huge venue. So very excited for it.
Paul Jackson: No, it is amazing, and you're right to point out that the previous conferences were held in a beautiful location overlooking an active volcano, right?
Jayson Vallente: Yes, yes.
Paul Jackson: In Taal, down south of Manila, but this is close to Clark International Airport, so we're expecting a lot more international attendees from all around the region. And I took a quick glance at the RootCon website, and there are some amazing presentations, for example, talking about a deep dive into North Korean hackers, which is obviously a pretty hot topic at the moment, and one that particularly intrigues me is the use of AI in red teaming.
Paul Jackson: What are your views on that? Because obviously there's definitely going to be an impact of the greater use of AI in creativity and red teaming. How do you view this?
Jayson Vallente: I definitely view it with much more on a positive note, because I think, like people are saying right now, if you're not into AI, then chances are you are falling behind with a lot of what's new right now, and I think right now, a lot of the adversaries are using AI.
Jayson Vallente: It's really becoming relevant. At the same time, also, I think we are now at a stage where AI has matured to be something that can really be valuable, to be of use on actual engagements for us. So I think, for me, I'm really excited to see what the presentation would look like, but I think, on our end, with Theos and our team, we are actually already using it. So we are trying it out and we have had a lot of success in terms of being able to leverage AI. It's not about making AI do everything, but it's about, I think the topic would be like, it's about having a six-man support that you could use for anything and have the team focus on what they want to do in terms of the engagement and then have AI support with the rest. So I think that's the key.
Paul Jackson: So let's take a little step back, because many of the listeners may not understand what a red team actually is, right? So in your field, can you explain the differences between vulnerability assessments, VA, PT, pen testing, penetration testing, RT, red team, purple team, etc.? So how do you explain the differences between those?
Jayson Vallente: Sure. So actually, it's a question that is being asked a lot by clients, actually. So I would say that I think what we need to kind of think about, when we try to differentiate these three, this exercise, would be the purpose or the goal of the exercise. First, when you talk about vulnerability assessments, we talk about finding vulnerabilities within a certain scope or a system. It's about validating what are the weaknesses within the system, as opposed to penetration testing. It's similar in a way that it also looks for vulnerabilities, but you're now trying to exploit those vulnerabilities and try to assess the impact of a certain vulnerability, so we're trying to assess the controls around it as well. So, basically, aside from just finding the loopholes, you're also trying to exploit them and therefore see if there are some controls that will prevent you from going deeper within that context. As for a red team, it would be more of the next level, in a way that you are still looking for weaknesses, but this time not just on the technical aspect of it. They're also covering the vulnerabilities in terms of the processes, in terms of the people's awareness, so in all layers. At the same time, not just testing controls, but also now testing the response to certain attacks. So I think these are the different goals that these exercises would fall into, and I would say that, when do you usually want to use each of them?
Jayson Vallente: I still say that all of them are equally important. It's just a matter of when you are supposed to be, you know, using each of these kinds of assessments. So, vulnerability assessments, you use them, and you're just trying to have a quick, ordinary scan, or check, of the hygiene or the security of your assets. Penetration testing is something that you do more. It's like that, you know. Vulnerability assessments, you run them maybe quarterly, and then penetration tests you have to do them at least annually to try to see, you know, and be able to validate controls. Red team, like I mentioned, is a more longer-term exercise, so it takes a lot more effort, a lot more cost as well. So it's something that you only do when you are at a certain level of maturity and also, at least, maybe just annually. So overall, like I mentioned, the goals are different, but all of these exercises are equally important. It's just a matter of being able to implement them on different layers in your security.
Paul Jackson: Understood, understood, and we also hear talk about purple teaming, and I noticed there's one of the presentations coming up in RootCon called 50 Shades of Purple. So, how do you explain purple teaming as differentiated from the other types of testing?
Jayson Vallente: So purple teaming is very interesting in a way that it's not just having one team trying to assess the security of an organization. Purple team is more of a collaborative exercise between not just the red team, our defensive team, but also the blue team as well. So basically, the idea here is that we have our red team come in, we test a couple of attack scenarios, attack vectors, and then we work with our blue team and try to see if our blue team is able to detect it, are they able to respond to it as they should, and therefore be able to identify what are the gaps in terms of their defenses, in their process, in their playbooks. So it's more of a collaborative exercise wherein we are not just trying to get in but also really work together in terms of improving the defensive capability as well of the organization.
Paul Jackson: So, yep, got it. So, although you know your team is predominantly, well, it's based in Asia and predominantly the majority of your team is here in the Philippines. I'll ask you a couple of questions relating to this. Firstly, what makes Filipinos so good at OffSec, so good at ethical hacking, and I stress, ethical?
Jayson Vallente: Well, actually, I guess with us in the Philippines, we grew in hardship, so we are very good with finding ways around things, around systems, but I think it also goes not just with the Filipinos but, I think, everyone in security. It's something that we need to kind of relearn, how to go around the system. But I think the advantage of being in this region is that actually I remember when I went to Singapore before and I was doing consulting, there's an issue with a certain system, so they have our usual support team come in, but when it's something that they couldn't solve, then they call in our special team, which apparently are the Filipinos, because it's not because, you know, it's more of like you mentioned, we are very used to finding workarounds. We're very used to finding, you know, how to work with whatever limited things that we have. So I think that's the key.
Jayson Vallente: In terms of the region itself, I would say that I think security in the Philippines is also just growing right now. So there's a lot of really young talents that are starting to discover information security, are starting to learn. So I think in the Philippines right now there's a lot of talent and a lot of people are very passionate and who are eager to be in cybersecurity. So, yeah, I think that's the scene of InfoSec in the Philippines right now.
Paul Jackson: Yeah, absolutely, and I think we've seen, because obviously we've been advertising for newcomers to the team and we're getting a lot of response. So it does show that there is a thriving ecosystem, if you like, of talent that is out there, which is good news, right?
Jayson Vallente: Yes, definitely.
Paul Jackson: And RootCon as a conference, and your involvement in the community, plays an important role in encouraging and energizing youngsters, or it doesn't have to be youngsters, but anybody to participate or to be somebody who wants to be involved in this industry, right?
Jayson Vallente: Yes, definitely. I think I forgot to mention last time, but I think the ultimate goal when we started RootCon was actually to spread awareness of security in the Philippines, because there was really none at that time, right. So, like I mentioned, we're just really happy it's thriving. Now it's really thriving a lot, but, yeah, I think we want to still continue to raise awareness and share that InfoSec is a real career, and then there's a lot of exciting stuff that we can do in the industry.
Paul Jackson: You raise an interesting point, though, about the maturity of the Philippines cybersecurity landscape, if you like, because you work with clients throughout the world, really. So how do you, as a Filipino yourself, how do you compare the level of maturity here in the Philippines with organizations from elsewhere?
Jayson Vallente: First and foremost, I would, I guess, kind of note that I think, in terms of talent, there's not really a lot of gap. I think there's a lot of real experience and really, you know, there are a lot of experts as well in the Philippines. It's just more, I'd say, about maturity, just more in terms of the number of professionals or how aware the country is in terms of information security. Before, when we were talking about it, I think we were about, I would say, 10 years behind, that was what we were kind of calling it. A lot of the industries, corporations, companies already have security as a practice in their companies. They already have it as, they're not just doing it out of compliance, they're already doing it really as it should be. In the Philippines it's still something that is still growing.
Jayson Vallente: Companies are slowly getting into security and therefore, a lot of people now are more interested or learning about it. I think that's where I would say, so again, in terms of expertise, we're not really falling behind. There's a lot of experts. It's more of the industry is still new in the country and that there's still a growing number of people and professionals here and hopefully, as it grows a lot more, we'll be able to be on the same level as the other regions as well.
Paul Jackson: Good stuff. So here at Theos Cyber, we have three core pillars, right? We have the offense, which you run, we have the defense and we have the incident response capabilities. How does having these additional services benefit you in your work, having the incident response capability and the defense capability?
Jayson Vallente: I was actually very excited when incident response was brought in, because I think it just really kind of made our service more of really holistic in a way.
Paul Jackson: Yes, made it whole.
Jayson Vallente: How does it benefit us? I think for the longest time we have been saying that we wanted that each of the teams were kind of helping each other out. That's what we kind of were marketing before. But, to be honest, we were struggling initially, but now I think, right now, we're now really seeing the value of having these three pillars in the same company. Right now we are able to feed off knowledge and experience from the different pillars. Like right now, we in Offense are able to learn about how the defense are actually securing it and therefore we try to learn how we could improve our attacks and bypass it, and at the same time, they're also able to see how we usually attack as well.
Jayson Vallente: So in terms of incident response, it's also very, very nice because I think, in a recent exercise with Nate, he engaged our team in terms of thinking about scenarios of how we were supposed to, you know, attack a certain company, and that's where he kind of thought about, you know, how to use it for purple team exercises and use it as well when doing investigations. He calls for us and tries to see, you know, I'm stuck at a certain point, how do you think the attacker actually, you know, went through after this? What would you be, if you were the attacker, what would be your next steps in terms of this? So we were really getting a lot, or feeding off, knowledge and experience from each other. So we're now able to not just grow from our personal studies or research, but now being able to really actually ask and, you know, gain information, uh, gain learning from the other pillars.
Jayson Vallente: It's really helping us, you know, all the three things go.
Paul Jackson: And I spoke to Nate just recently on the podcast, actually, and he said exactly the same from the opposite perspective in the investigations.
Paul Jackson: It's so critical to have the hacker mindset that you guys bring to the table in unraveling what might have happened during a complex investigation. So I definitely feel that your teams are very complementary in that regard. And talking about incident response, obviously, as part of resilience for companies, mature companies or companies that are on that journey towards maturity, resilience is critical. And as part of that resilience, incident response retainers are also critical. Incident response retainers, in a nutshell, are having that emergency service on standby should you need them in a crisis. You know, during a crisis, you don't want to be signing paperwork agreeing limits of liability or other contractual terms. So it's having that relationship in advance. But people might think, well, that only really applies to incident response. But how do you get involved in these kinds of retainers?
Jayson Vallente: We are definitely involved with these kinds of retainers, and when I learned about this type of retainer, I was thinking this is actually very brilliant. Why do I say so? Because, as you mentioned, incident response retainers are designed to make it easier for you to have someone to support you when an incident happens. But the question now is, I'm spending money for that retainer if something happens, as an insurance, but what if nothing happens? Right, how do I get value from the money that I paid? So now that's where we come in.
Jayson Vallente: So, if you still have budget in your retainer that you could use, now you are able to utilize or use the retainer to access our offensive security services via, you know, pen testing, red teaming, or it could also be just, you know, little things about, I don't know, maybe having like some sort of a briefing, some sort of, uh, you know, a scenario-based exercise.
Jayson Vallente: It could also be just, you know, some hours as well, in terms of, you know, consulting, or, you know, at a certain point. But yes, so I guess that's what I find really brilliant is that, you know, it's about having insurance that someone will help you out, but also you know that you will get value from it, because you're able to use it for all the other services that you actually already, you know, have. And the last point is that you don't have to go through all the trouble of procurement.
Paul Jackson: So I guess it is very brilliant. It is, and it's very versatile. I think your points are well made there. But you also touched on an interesting point about tabletop exercises. Because again, if you're designing scenarios, you have to again have that hacker mindset, right? So of course, the crisis management team, the incident response team, can lead in terms of managing the crisis, but developing the scenario in the first place needs a hacker mindset, and I guess you and your team enjoy coming up with weird and wacky scenarios for clients.
Jayson Vallente: Of course, definitely. I think having us imagine these kinds of things is something that really excites us. It gets our mindset cracking. So, yeah, definitely. In terms of the retainers, you're right, I think, aside from just the response to incidents, also just bringing the team in, trying to simulate these types of incidents and scenarios, could also bring value to that side of security, I would say.
Paul Jackson: Absolutely. And, by the way, for the listeners who are still with us at this point, don't forget to click the like or subscribe buttons on whatever platform you're listening on. It makes a big difference to us in getting the messages out there, these important messages. So I'd like to sort of finish up by asking what advice would you give to an aspiring OffSec or offensive security professional, and what would they have to do to join your elite team at Theos Cyber?
Jayson Vallente: I guess my advice would be to, as they would say, try harder. In information security, this career is never easy, so it's not just about, you know, trying hard, but really, you know, going above that, and trying harder is my advice. Also, the other thing is that information security is not a sprint, it's more of a marathon, I would say, so you don't have to really try to run so fast. It's just a matter of you continuously and slowly, step by step, just relearning and growing, and that's how you're able to really, you know, grow and grow in your career in information security.
Jayson Vallente: And so I guess, when you are new, that's what I would like to say, just learn a thing at a time, focus on the things that you want to learn, even if it's just a topic a month, a topic every six months. Learn maybe operating systems for six months, learn applications for six months and then get a certification a year. You just have to go step by step, like I said, be patient and really try hard, and then, you know what, once you have the skills, all the opportunities will come for you.
Jayson Vallente: So it's not about trying to find it. In InfoSec, there's scarcity of skills and talent, so if you have it, all companies will be gunning for you.
Paul Jackson: Okay. Now, one of the challenges, though, of being a youngster who's interested in getting into ethical hacking is perhaps crossing the line between ethical and unethical. How do you advise, because it's so, you know, I mean, it must be quite easy to cross that line, either inadvertently or in a rash, ill-advised or reckless moment. Yep. How do you advise youngsters who are just sort of learning about ethical hacking and want to test their skills?
Jayson Vallente: First and foremost, I think curiosity is a very good thing, right? I think, as we're in the industry, we have to really remain curious and try to learn, but I think you also just have to be careful to not cross the line, and I think, to be honest, every now and then, we are able to learn from experiences that we have when we are researching and when we are being curious. But what I would want to say, though, is that just be careful, because I have seen people who were really very, very nice, very talented, with good potential, but because they crossed the line, and then, you know, a mistake, a small mistake that they had before, they were not able to go back to the industry. So, in the infosec industry, trust is very important, so if they found out that, if they lose trust in you, then you won't be able to get into the industry.
Jayson Vallente: So I think that's my only advice. Stay curious, but, of course, think about the bigger things, right? What you really want to achieve, the dreams that you have. Because if you step across the line and sometimes, if you're very unlucky, then you're not able to go back.
Paul Jackson: Yeah, trust is very important, and I don't think "don't get caught" is the best advice. Also, yes, stay legit and honestly, this is a great career to get into, isn't it? But make sure that everything is done ethically, because it's that magic word, trust, exactly. Alright. So look, I always close the podcast by asking my guests what music they listen to, because I know everyone has a way of dealing with stress. My own personal way is I love to unwind with some good music and a good book. What music do you listen to?
Jayson Vallente: So I'd like to say that I listen to alternative rock and punk rock music a lot. But I think right now, I recently became a dad, so I'm now into Miss Rachel and a lot of the baby songs right now. So that's what I had no choice but to listen to.
Paul Jackson: Fantastic, you're a great dad. Look, Jayson, you're a great leader, you're a great dad, and it's been fantastic having you on the show, and, you know, it's been a fascinating conversation and I'm sure the listeners will have learned a lot about this murky world of ethical hacking and offensive security, and hopefully, you know, in the future we can have a follow-up conversation for the Theos Cybernova podcast. Thank you for joining me today.
Jayson Vallente: Thank you, it was a pleasure.
Paul Jackson: Thank you so much and, as I mentioned, we're in front of a live audience, so please give Jayson a round of applause. Theos Cybernova was presented by myself, Paul Jackson, the studio engineer and editor was Roy D'Monte, the executive producers were myself and Ian Carless, and this podcast is a co-production between Theos Cyber and W4 Podcast Studio in Dubai.