Research

Research Profile

My research and professional activity are positioned at the intersection of Cyber Threat Intelligence, security governance, security operations, and digital risk management.

While my doctoral work investigates the ransomware ecosystem in depth, my broader research agenda is not limited to ransomware economics. It extends across multiple areas of cybersecurity, including adversary behavior, dark web intelligence, attack surface analysis, SIEM-driven detection, vulnerability management, incident response, regulatory compliance, AI governance, and security awareness.

I approach cybersecurity as a socio-technical discipline: cyber threats are not only technical events, but the result of interactions between attackers, infrastructure, incentives, organizational exposure, defensive maturity, regulation, and human behavior. This perspective allows me to connect academic research with operational cybersecurity, executive decision-making, and real-world resilience.


Areas of Specialization

My work spans several complementary domains of cybersecurity. The following map provides an indicative view of my current specialization profile across research, professional practice, teaching, and applied engineering.

Area                                                        | Focus
------------------------------------------------------------|------
Cyber Threat Intelligence & Adversary Analysis              | 25%
Governance, Risk & Compliance                               | 20%
Security Operations, SIEM & Incident Response               | 17%
Dark Web, OSINT/CLOSINT & Exposure Intelligence             | 15%
Attack Surface, Vulnerability & Risk Prioritization         | 10%
Malware, Detection Engineering & Adversary Simulation       | 8%
Security Awareness, Teaching & Executive Communication      | 5%

The percentages are indicative and represent the relative weight of my current research, professional, and teaching activities. They are not intended as rigid boundaries: many projects combine several areas, especially CTI, GRC, detection engineering, and risk-based decision-making.


Cyber Threat Intelligence & Adversary Analysis

Cyber Threat Intelligence represents the central axis of my academic and professional work. I focus on the collection, normalization, correlation, and interpretation of intelligence from open, closed, and semi-structured sources to support both strategic and operational security decisions.

Key topics include:

  • Threat actor profiling and adversary behavior analysis.
  • Mapping of Tactics, Techniques, and Procedures using frameworks such as MITRE ATT&CK.
  • Intelligence-driven detection and response models.
  • Indicator lifecycle management, including IoCs, IoAs, enrichment, correlation, and prioritization.
  • Transformation of raw intelligence into actionable reporting for analysts, management, and decision-makers.

This research line connects technical threat analysis with organizational resilience, helping transform intelligence into measurable security outcomes.


Governance, Risk & Compliance

A significant part of my work focuses on cybersecurity governance and regulatory alignment. This includes the design of security programs that translate regulatory obligations and risk requirements into operational controls, measurable maturity targets, and business-aligned security practices.

Key areas include:

  • NIS2 readiness and implementation roadmaps.
  • ISO/IEC 27001 alignment and security management processes.
  • Cyber risk assessment and risk-based prioritization.
  • Supplier and third-party cyber risk management.
  • Internal audit, assurance, and control maturity evaluation.
  • Executive reporting and security governance for decision-making bodies.

This area is particularly important because effective cybersecurity is not limited to technology. It requires governance structures, accountability, repeatable processes, and clear alignment between risk, compliance, and business objectives.


Security Operations, SIEM & Incident Response

My research and applied work also cover the operational side of cybersecurity, especially the integration of CTI into security monitoring, threat hunting, and incident response workflows.

Key topics include:

  • SIEM architecture, log correlation, and detection use cases.
  • Threat hunting based on adversary behavior and intelligence indicators.
  • Incident response processes and escalation models.
  • Intelligence-led alert triage and prioritization.
  • Integration of CTI with SOC operations and response playbooks.
  • Executive and technical reporting during cyber incidents.

This line of work aims to reduce the distance between intelligence production and operational action, ensuring that CTI contributes directly to detection quality, response speed, and resilience.


Dark Web, OSINT/CLOSINT & Exposure Intelligence

Dark web intelligence and exposure analysis are core components of my research activity. I study underground ecosystems, data leak sites, credential exposure, cybercrime forums, and adversarial marketplaces as observable surfaces of cybercriminal behavior.

Key topics include:

  • Dark web monitoring and data leak site analysis.
  • Credential exposure and infostealer-related intelligence.
  • OSINT and CLOSINT collection methodologies.
  • Cybercriminal ecosystem observation and actor tracking.
  • Exposure intelligence for organizations, domains, identities, and digital assets.
  • Ethical, legal, and methodological boundaries of intelligence collection.

This area supports both strategic understanding of cybercrime and practical defensive activities such as early warning, exposure reduction, and incident preparation.


Ransomware Ecosystems and Cybercriminal Economies

Ransomware remains one of my most developed research domains, particularly through my Ph.D. work on the structural resilience and evolution of the ransomware economy.

My doctoral research investigates ransomware not only as malware, but as an adaptive criminal ecosystem composed of groups, affiliates, infrastructure providers, initial access brokers, extortion models, negotiation dynamics, data leak sites, and monetization channels.

Ph.D. thesis: Ecosystem Dynamics and Structural Resilience of the Ransomware Economy: A Longitudinal Multi-Method Analysis of the Observable Disclosure Surface (2020–2025).

Key topics include:

  • Longitudinal analysis of ransomware groups and disclosure patterns.
  • Evolution of Ransomware-as-a-Service models.
  • Multilayer extortion and data leak site dynamics.
  • Actor churn, rebranding, affiliate mobility, and ecosystem resilience.
  • Empirical analysis of victim disclosures and observable attack surfaces.
  • Statistical and data-driven modeling for threat actor profiling and risk assessment.

This research line is part of a broader CTI and cyber risk agenda. Ransomware is used as a high-impact case study to understand how cybercriminal ecosystems scale, adapt, fragment, and survive disruption.


Attack Surface, Vulnerability & Risk Prioritization

Another important research and engineering area concerns the analysis of external exposure, vulnerabilities, and attack surface signals. The objective is to support risk-based prioritization rather than producing isolated technical findings.

Key topics include:

  • External attack surface mapping.
  • Vulnerability management and prioritization using CVSS, EPSS, exploitability, and exposure context.
  • Domain, IP, email, technology, and infrastructure enumeration.
  • Risk scoring models based on observable external signals.
  • Correlation between exposure indicators and threat intelligence evidence.
  • Integration of asset intelligence with remediation workflows.

This area connects offensive visibility, defensive prioritization, and governance requirements, enabling security teams to identify what matters most from a risk perspective.


Malware, Detection Engineering & Adversary Simulation

My technical background also includes malware analysis, adversary simulation, and detection engineering. It covers both academic work on Android malware and applied research on adversary tooling, post-exploitation frameworks, and detection logic.

Key topics include:

  • Malware behavior analysis and technical characterization.
  • Android malware research, including fileless delivery concepts and analysis environments.
  • Adversary simulation tools and detection strategies.
  • Cobalt Strike and dual-use tooling in red team and threat actor contexts.
  • Detection logic based on behavioral patterns, IoCs, and IoAs.
  • YARA rules, Sigma-style thinking, and operational detection content.

This area supports the technical depth required to transform intelligence findings into concrete detection opportunities.


AI Governance and Secure AI Adoption

As organizations increasingly adopt AI systems, my work also extends to AI governance and secure AI adoption. The objective is to enable innovation while maintaining security, accountability, auditability, and regulatory alignment.

Key topics include:

  • EU AI Act readiness and AI risk classification.
  • AI governance frameworks and internal policy development.
  • Security of AI-enabled systems, APIs, and third-party AI services.
  • Data governance, explainability, monitoring, and auditability.
  • AI DPIA and risk assessment processes.
  • Secure adoption of generative AI and LLM-based tools in enterprise environments.

This area connects cybersecurity, compliance, innovation, and executive governance.


Applied Engineering & Threat Intelligence Platforms

A central part of my research is the translation of analytical models into operational tools and platforms.

  • Deepye Project: Designed and developed a microservices-based Threat Intelligence Platform for attack surface analysis, integrating OSINT and CLOSINT sources.
  • Threat Intelligence Automation: Development of workflows for enrichment, correlation, risk scoring, and evidence management.
  • Data-Driven CTI: Construction and analysis of datasets for threat actor profiling, ransomware tracking, infrastructure mapping, and risk assessment.
  • Operational Integration: Design of models that connect intelligence production with detection, response, governance, and executive reporting.

This engineering component reflects a core principle of my work: research should not remain abstract, but should produce methods, tools, and frameworks that can be used in real cybersecurity environments.


Academic, Teaching & Supervision Activities

Alongside professional and research activities, I contribute to cybersecurity education and advanced training, especially in Cyber Threat Intelligence, ransomware analysis, dark web intelligence, and security operations.

Academic and teaching activities include:

  • Lectures and modules on Cyber Threat Intelligence, dark web intelligence, ransomware ecosystems, and intelligence-driven incident response.
  • Hands-on laboratories based on real-world scenarios and adversary behavior.
  • Co-supervision of Master’s theses on CTI platforms, dark web monitoring, adversary simulation, and ransomware intelligence.
  • Development of training material for academic, professional, and executive audiences.

Teaching is an important part of my research identity because it transforms complex cybersecurity topics into structured knowledge that can support analysts, students, professionals, and decision-makers.


Research Vision

My long-term research vision is to develop a cybersecurity perspective that connects threat intelligence, risk governance, security operations, and organizational resilience.

The objective is to move beyond reactive security models and support organizations in building intelligence-driven capabilities that can anticipate threats, prioritize risk, improve detection, guide response, and strengthen governance.

In this perspective, ransomware, dark web intelligence, vulnerability exposure, AI governance, and regulatory compliance are not separate topics. They are different dimensions of the same challenge: understanding how digital risk emerges, evolves, and can be managed through intelligence, governance, and operational discipline.