Wednesday, October 15, 2025

Interview With Paul Reid – VP Adversary Research at AttackIQ by Shauli Zacks
Shauli Zacks, Content Editor
Published on: October 15, 2025

SafetyDetectives sat down with Paul Reid, Vice President of Adversary Research at AttackIQ, to talk about turning threat intelligence into evidence-based defense. Paul brings more than two decades in cybersecurity, from data classification and protection at TITUS to leading behavior-driven threat-hunting teams at Micro Focus and OpenText. He has published research, holds several patents, and has presented at stages like the NATO Information Assurance Symposium and SANS.

At AttackIQ, Paul leads a team that analyzes real-world threat actors and converts their tradecraft into precise adversary emulations aligned to MITRE ATT&CK. We discuss how that work powers adversarial exposure validation, what the team learned from dissecting the RomCom malware family, and why continuous, measurable control testing beats assumption-based security every time.

Can you introduce yourself and talk about your background in cybersecurity?

I’ve been working in cybersecurity for over two decades, and my career has been shaped by a fascination with understanding how adversaries actually operate. I started as a technology strategist at TITUS, where I focused on data classification and protection, then moved into product management before transitioning to more threat-focused roles. At Micro Focus and later at OpenText Cybersecurity, I led threat-hunting teams using behavioral analytics to identify emerging threats in customer environments before they could cause damage.

Most recently, as VP of Adversary Research at AttackIQ, I lead a team dedicated to analyzing real-world threat actors and translating their behaviors into emulations that organizations can use to test their defenses. Throughout my career, I’ve been fortunate to publish my research, hold several cybersecurity patents, and speak at conferences such as the NATO Information Assurance Symposium and SANS events. What drives me is the challenge of staying ahead of adversaries who are constantly evolving their techniques.

How have those experiences shaped the way you advise organizations today about adversarial exposure validation?

Leading threat-hunting teams taught me something critical: finding threats is only valuable if you can turn those findings into actionable improvements in an organization’s security posture. When I was at OpenText running Team Helios, we often uncovered sophisticated adversary activity, but the real challenge was helping organizations understand whether their existing controls could have detected or prevented those attacks. That gap between threat intelligence and defensive validation is what ultimately drew me to AttackIQ.

Across my experience in both technical and go-to-market roles at TITUS, Interset, and Micro Focus, I learned that effective security isn’t just about intelligence or technology — it’s about operationalizing insights into measurable outcomes. Partner enablement in particular taught me how to translate complex cybersecurity concepts into actionable strategies that resonate with everyone from CISOs to frontline SOC analysts.

Now, with the Adversary Research Team at AttackIQ, we take real threat actor behaviors — like what we’ve documented with RomCom — and create emulations that let organizations safely test whether their defenses actually work against those techniques. Adversary emulation, when aligned with the MITRE ATT&CK framework, is more than just replaying threats; it’s about validating defenses with precision, fostering collaboration, and enabling a proactive, evidence-based approach to security.

The shift from hunting threats in production environments to helping organizations proactively validate their controls has given me a unique perspective: you can have the best threat intelligence in the world, but unless you’re continuously testing and proving your defenses, you’re operating on assumptions, not evidence. That’s the essence of adversarial exposure validation — bridging intelligence and execution to make cybersecurity measurable, resilient, and defensible.

AttackIQ’s Adversary Research Team recently analyzed the RomCom malware family. What stood out to you most about how RomCom has evolved from a backdoor into a broader ecosystem for espionage and financial crime?

What’s remarkable about RomCom is its operational duality. What started as a commodity eCrime malware in 2022 has transformed into a sophisticated tool serving Russian intelligence interests while maintaining its ransomware roots. Our team traced five distinct iterations, each progressively more modular and capable, from a basic backdoor to the current version that supports 42 distinct commands and uses advanced evasion techniques like COM hijacking and named pipes for stealth. But the real story is in the connections. RomCom’s integration with Cuba, Industrial Spy, and Underground ransomware operations reveals something deeper than just malware evolution. This is about operational convergence, where the line between state-sponsored espionage and financially motivated cybercrime isn’t just blurring, it’s strategically erased. The targeting has expanded from Ukraine and NATO-aligned nations to include humanitarian organizations, defense contractors, and critical infrastructure across multiple sectors, demonstrating that this isn’t just about stealing data or encrypting files anymore, it’s truly about strategic disruption at scale.

Why are we seeing the line between nation-state operations and cybercrime become increasingly blurred, and what unique challenges does that pose for defenders?

The traditional boundaries between espionage and crime have become operationally irrelevant, and RomCom exemplifies why. Nation-state actors have recognized that criminal infrastructure provides plausible deniability, self-funding operations, and access to sophisticated tools without the overhead of developing everything internally. Meanwhile, cybercriminal groups gain protection and strategic direction by aligning with state interests. This convergence creates a nightmare scenario for defenders because it breaks our conventional threat models. When you’re facing RomCom, are you defending against a ransomware gang trying to extort you, or a state-sponsored intelligence operation conducting reconnaissance for future geopolitical action? The answer is both, and they’re using the same infrastructure. Defenders cannot compartmentalize their response strategies. They need controls that work against both financially motivated attackers moving fast for payment and patient, persistent adversaries establishing long-term access for strategic purposes. Traditional attribution-based defense planning breaks down when the same backdoor serves multiple masters with differing timelines and objectives.

From your perspective, what does RomCom reveal about the way malware is being used as a strategic tool for influence and disruption on the global stage?

RomCom demonstrates that modern malware has become a multifaceted instrument of statecraft, operating across the full spectrum of conflict, from information gathering to economic disruption to psychological operations. Look at the targeting. Ukrainian government institutions and NATO-aligned countries for intelligence collection, humanitarian organizations assisting Ukrainian refugees for operational awareness, and defense contractors for strategic insight into military capabilities. This is not opportunistic; it is coordinated with broader geopolitical objectives around the war in Ukraine.

What makes it particularly effective as a strategic tool is its polyvalent nature. The same infrastructure that deploys ransomware to fund operations and create economic disruption can simultaneously conduct espionage to inform military and political decisions. The sophistication we’ve seen in the evolution from RomCom 1.0 to 5.0, with the introduction of modular architectures, memory-only execution, and multi-language components for cross-platform compatibility, demonstrates sustained investment and strategic planning. This is malware designed not only to compromise systems but also to support comprehensive influence operations in which technical access enables simultaneous information warfare, financial pressure, and strategic intelligence gathering.

Modern malware campaigns rarely stop at one sector or region. What does this say about attacker motivations, and how should organizations in different industries interpret that threat?

The geographical and sectoral spread of RomCom, from government and defense to telecommunications, finance, technology, and healthcare, reflects a fundamental shift in attacker economics and strategy. For sophisticated adversaries, developing and maintaining advanced malware represents a significant investment; therefore, they maximize their return by targeting broadly rather than narrowly. But there’s a more concerning reality here. The interconnected nature of modern business means that compromising a telecommunications provider gives access to government communications, breaching a technology vendor enables supply chain attacks against defense contractors, and infiltrating healthcare organizations supporting refugees provides intelligence on population movements and humanitarian operations. Organizations need to abandon the “why would they target us?” mindset. If you have data, access, or relationships that could serve either financial or strategic objectives, you’re in scope. The practical implication is that even organizations outside traditional high-value sectors need to implement defense-in-depth strategies and validation programs, because they might be a stepping stone to a more strategic target, or their data might have value that has not been considered in the context of broader geopolitical or criminal operations.

For organizations trying to strengthen their defenses, what practical steps can they take to validate their security controls against advanced, evolving threats like RomCom?

The key is transitioning from assumption-based security to validation-based security, which requires operationalizing threat intelligence within your testing program. Start by understanding the specific tactics, techniques, and procedures that threats like RomCom actually use. COM hijacking for persistence, component staging through registry storage, multi-stage payloads delivered through trojanized software. Then test whether your controls can detect and prevent these behaviors in your environment. This is where adversarial exposure validation becomes critical. We’ve released seven emulations based on the RomCom research that organizations can use to safely simulate these attack chains against their defenses. However, validation is not a one-time exercise.

Threats evolve, as we’ve seen across the five iterations of RomCom, so testing needs to be continuous. Practically, this means integrating automated adversary emulation into your security operations, prioritizing control validation against behaviors that align with threats relevant to your sector and geopolitical exposure, and measuring your program’s effectiveness not by the tools deployed, but by the attack paths successfully blocked. The organizations that do this well treat validation as a core operational capability, not a quarterly project, and they use the results to drive targeted improvements rather than just generating reports. If your security controls cannot stop a known technique used by RomCom, you need to be aware of this before a real adversary exploits it.
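The answer above names COM hijacking for persistence as one behavior a validation program should be able to see. As an added example (not from the interview and not AttackIQ's emulation code), this script audits a constructed Windows registry export for the tell-tale pattern: a per-user CLSID\InprocServer32 entry that shadows, or has no counterpart in, the machine-wide registration. The CLSIDs and DLL paths are invented sample data.

```python
r"""Added example: audit a .reg export for COM-hijack persistence.
HKCU\Software\Classes\CLSID is consulted before HKLM, so a per-user
InprocServer32 default can shadow a machine-wide COM server without admin
rights. Flags CLSIDs whose HKCU server differs from (or has no) HKLM server.
Only REG_SZ defaults (@="...") are parsed; hex(2) expand strings are skipped."""
import re
from collections import defaultdict
KEY_RE = re.compile(
    r"^\[(HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\Software\\Classes\\CLSID"
    r"\\(\{[0-9A-Fa-f-]+\})\\InprocServer32\]$", re.IGNORECASE)
VAL_RE = re.compile(r'^@="(.*)"$')
# Constructed sample export (not real data): CLSID 1111... is shadowed in HKCU,
# CLSID 6666... has matching HKCU/HKLM entries and must not be flagged.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Windows\\System32\\legit.dll"
"ThreadingModel"="Apartment"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\update.dll"
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{66666666-7777-8888-9999-000000000000}\InprocServer32]
@="C:\\Windows\\System32\\other.dll"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{66666666-7777-8888-9999-000000000000}\InprocServer32]
@="C:\\Windows\\System32\\other.dll"
"""

def parse_reg(text):
    """Return {clsid: {"HKCU": dll, "HKLM": dll}} for InprocServer32 defaults."""
    servers, current = defaultdict(dict), None
    for line in (ln.strip() for ln in text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            hive = "HKCU" if m.group(1).upper() == "HKEY_CURRENT_USER" else "HKLM"
            current = (hive, m.group(2).upper())
        elif line.startswith("["):
            current = None  # unrelated key: ignore its values
        elif current and (v := VAL_RE.match(line)):
            # .reg files escape backslashes; normalise case for comparison
            servers[current[1]][current[0]] = v.group(1).replace("\\\\", "\\").lower()
    return servers

def find_hijacks(servers):
    """(clsid, hkcu_dll, hklm_dll) where the user hive shadows the machine hive."""
    return sorted((c, p["HKCU"], p.get("HKLM")) for c, p in servers.items()
                  if "HKCU" in p and p["HKCU"] != p.get("HKLM"))

if __name__ == "__main__":
    for clsid, user_dll, machine_dll in find_hijacks(parse_reg(SAMPLE_REG)):
        print(f"{clsid}: HKCU -> {user_dll}  (HKLM -> {machine_dll})")
```

HKCU-only registrations are also common for legitimate per-user installs, so treat the output as a review queue to baseline against known software rather than as a verdict.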
