Frequently Asked Questions

  • What makes Polo Cyber different from other cybersecurity consultancies?

    We work across cybersecurity, intelligence, international security, and software development. That lets us keep discussions executive-friendly when needed, but move quickly into technical detail when the problem requires it.

    We avoid vague sales language, unnecessary upsells, and one-size-fits-all recommendations.

  • What kind of work have you done recently?

    Recent work has included defining a minimal IT and cybersecurity stack, with cost estimates, for a client aligning to the U.S. Department of Defense CMMC 2.0 framework.

    Other engagements include establishing how a startup can evolve toward a mature IT and cybersecurity stack using CSF 2.0 and NIST SP 800-53, surveying cyber-facilitated UAV and drone disruption capabilities, and examining the footprint of Chinese companies in Latin America.

    We also conduct deep surveys of Chinese IT stacks, APT and eCrime threats originating in China, the risks of operating an IT presence in that country, and specialized monitoring of Chinese news and social media sources.

  • What is your approach to threat landscape analysis, and how does it benefit my organization?

    Our founder, Pablo Brum, learned with the best at Georgetown University: professionals from the US intelligence community who defined the craft of intelligence analysis, and now teaches them there as well. This focus on advanced analytic tradecraft is hard to find even in agencies or roles that have “intelligence analyst” or “analysis” in the description.

    This approach has two broad features: structured analysis, and application of intelligence techniques. Structured analysis means that each intelligence problem is treated as a question, for which the answer will hinge on a series of drivers. Once enumerated, drivers are populated with all the data pertinent to the case, and analyzed to determine their trajectory as relevant to the problem. The overall answer to the question is a probabilistic statement based not on the analyst’s preferences, recollections, biases, or whims, but rather a conclusion derived from the structure proposed at the beginning, as mechanically as possible.

    Speaking of biases, this leads to the second feature of our approach: the application of analytic techniques. While often listed in intelligence manuals, these are rarely used in real-life settings. We, in contrast, do employ them. While structured analysis helps point the work in the right direction, techniques contribute the flip side: they help analysts avoid pitfalls and mistakes. Therefore, a proper threat landscape study will consider key assumptions checks, fundamental attribution hypotheses, starburst techniques, and other methods for filtering out analytic errors and omissions.

    All of these approaches can be conducted in an interactive form with the client or produced as deliverables; it is up to the customer to choose.

  • How do you stay up-to-date with the latest cybersecurity threats and technologies?

    Fortunately this is quite easy and we recommend everyone in the industry do this as well: by combining news sites, blogs, social media, and your own personal community chat groups and spaces, it is absolutely possible to remain up to date with infosec and national security developments. It takes dedication to go through numerous information sources each day, as well as judgment to assess the quality of what we are reading.

    Incidentally, for customers who don’t have time to read the press manually, Polo Cyber offers services that automate their news digest and turn it into actionable alerts for relevant developments involving their brands, suppliers, and technology stacks.

  • Can Polo Cyber help with compliance to specific regulations like GDPR, HIPAA, or PCI DSS?

    These are not our specialties nor those of our consultants. We may assist with aspects of PCI DSS data security and incidents, but this will be on a case-by-case basis.

  • What is the process for initiating a project with Polo Cyber? What information do you need from us to get started?

    You may book an appointment directly with Pablo via this website to have a 60+ minute conversation with him. Following one such call, you may engage indefinitely with Pablo via email in order to figure out future steps and contracted engagements.

    Alternatively, you may write to us here describing your issue and your questions for us. We will reply as availability allows, given existing contracted engagements.

  • How is sensitive information handled?

    We avoid insecure channels for sensitive material, use proven end-to-end encrypted applications when needed, and sign NDAs as required by clients.

  • What is the pricing model?

    The fixed published price is USD $1,000 for a 60+ minute consultation with Pablo Brum, plus open-ended written follow-ups. Larger engagements are scoped individually. As general guidance, small engagements start around USD $10,000 and larger one-time engagements may fall in the USD $100,000-$150,000 range.

  • How does Polo Cyber customize training programs for different organizations? What makes your training effective?

    We are particularly good at training and educating audiences of all levels. Pablo first started teaching in college days after graduating, and today he is an adjunct at the world’s foremost security program, Georgetown’s Security Studies Program. Former students and alumni have continuously given him the highest marks for both breadth and depth.

    This was further the case at both CrowdStrike and Mercado Libre, where Pablo led teams of professionals not just in developing their professional capabilities, but in succeeding him as trainers and leaders themselves.

  • Can you assist with in-house development of cybersecurity solutions to replace vendor products? How does this process work?

    This is one of our greatest value propositions. The security stack for numerous organizations is currently dependent on annually paid SaaS and other products that, with an investment of engineering time and effort, can be replaced with in-house solutions. We have vast experience in unique environments performing this kind of work, and can lead your engineers (or bring our own) in developing these kinds of systems. Under the right circumstances, customers will net significant annual savings from replacing subscription-based services with their own automations.

  • How does Polo Cyber handle projects across different time zones and languages?

    We work primarily out of Western Hemisphere time zones. We will give special consideration to East Asian customers who are interested in talking to us during East Asian business hours.

  • Can you provide details on how Polo Cyber collaborates with internal teams and external vendors during a project?

    For the best possible results, in technical engagements Polo Cyber asks for two counterparts on the customer’s side: a technical lead (could be as high as a CTO or CISO) and an engineer or developer. The second-best situation is one where there is a single technical counterpart. When there is no technical counterpart at all, it is more likely that we will bring our own technical staff to work with you and interact more closely with your top leadership.

  • How can clients ensure they get the most value out of Polo Cyber's services?

    We strongly suggest emails that do not spare any details, detailed checklists, and coming prepared with specific questions to consultation sessions with us. We are committed to delivering excellent service in exchange for our consultant fees, and this includes thoroughly perusing materials or context you send us in order to clearly understand your situation.

  • What are the advantages and disadvantages of replacing vendor products with in-house tools?

    We are neither anti- nor pro-vendor as a matter of course. We have worked extensively at and with vendors, and find many of them critical for any security stack. At the same time, there are vendor-saturated markets and numerous opportunities whereby an organization can replace an expensive vendor tool with a one-time investment in a proprietary tool and modest maintenance.

    Off-the-shelf purchases of vendor products are convenient and can solve some problems fast, but in practice they can also bring their own set of problems.

    Brand changes are an example: vendors often juggle product names, discontinue the one you purchased, or otherwise try to push customers in commercially convenient directions. Vendors can also disappear outright via acquisition or bankruptcy. Another example involves personnel: customers often find that their point of contact at their vendor, whether a sales engineer or a Technical Account Manager (TAM), has moved on to other accounts, teams, or companies, and relations have to be built from scratch. Yet another has to do with the products themselves: vendors often remove features (maybe moving them behind more expensive tiers) or make changes to their APIs that require maintenance work on your side anyway.

    Last but not least, vendors inevitably are looking to upsell customers (that is, stack sales on top of existing sales). Some of them are more artful at this than others, but ultimately it is their core mission and incentive. This does not necessarily align with your organization’s incentives.

    There are some vendor products or advantages that cannot be replaced. For instance, certain security products leverage network effects to a degree where an in-house automation, whether developed with us or with others, is an unrealistic replacement. We will make sure to state this explicitly. It is also why we adopt a modular approach to every engagement, and won’t hesitate to point you to worthwhile vendors for certain gaps.

  • Can you help with compliance frameworks?

    Compliance is not our main business, but we can translate frameworks into practical controls and budgets. Recent examples include CMMC 2.0, CSF 2.0, and NIST SP 800-53 work focused on minimal, realistic IT and cybersecurity stacks.