TL;DR
- Ben Brigida is Expel’s Senior Director of SOC Operations Support and employee number nine in company history
- He previously tracked bats in caves and abandoned mines, which, it turns out, is basically alert triage
- He has very strong opinions about hot dogs as sandwiches (as does everyone at this company)
Ben Brigida has been with Expel for over nine years—he started back when the company was still in stealth mode. Today, he oversees a melting pot of teams called SOC Operational Support. It includes detection operations, senior IR analysts, and threat operations. His name is genuinely hard to pronounce (it’s got “rigid” right in the middle, for the record). (Editor’s note: We can’t even call him Ben B., since we also have two of those, although he is the original.)
From bats to backdoors
Ben is what you’d call an industry changer, and he leans into it. Before he ever touched a SIEM, he was doing environmental consulting. More specifically, studying how bats use caves and abandoned mines. Yes, really. And while that career pivot might raise a few eyebrows, Ben has a pretty airtight explanation for why it makes total sense.
“You’ve got something hiding in a cave somewhere that doesn’t want to be found and doesn’t want to explain what it’s doing,” he says. “That’s a bat, and an attacker. They’re hiding in the corners of your environment.”
After moving back to Virginia, a close friend recruited him to join the Mandiant SOC as part of Managed Defense. He credits reading the APT1 report as the moment it all clicked.
“I had always thought cybersecurity would be slinging code,” he says. “What it actually is, is finding people that are trying to be tricky, and APT1 really hammered that home for me.”
He studied, self-taught, passed the interview, and found a bunch of evil. A classic origin story.
Following smart people to Expel
Ben was on the front lines of Mandiant MDR when some of the people he most respected and learned from left to start something new. He didn’t know exactly what they were building, but he knew he trusted them, so he followed. He joined Expel as employee number nine and has been here ever since.
“The organization has always been really transparent and shared the business side of things,” he says. “I like to know how the whole system works, because every employee makes at least a thousand decisions a year, and the more information you have, the better those decisions can be.”
Nine years and a lot of incidents later, he still starts every morning the same way: reviewing every incident from the day before, checking alert volumes, severity levels, and response times. It grounds him in what’s actually happening out in the wild, and it keeps him close to the work even as his role has evolved.
On what keeps him here
Ask Ben what he needs in a job, and he’ll give you three things: constant change and variety, a mission he believes in, and people he likes and respects. He has all three here at Expel, he confirms.
“There’s nothing more creative than somebody trying to steal something,” he says. “Attackers are unbelievably resourceful and competent.”
The mission piece carries real weight for him. He’s quick to acknowledge that cybersecurity is a competitive space full of people trying to solve the same problems—but working in a SOC is something different. “This is a rare private sector job that has an enemy,” he says. “There are real people out there trying to beat our customers, take from them, steal from them, damage them. Being on the blue team side and preventing our customers from having the worst day of their careers, that drives me.”
He’s also a big advocate for career changers in the SOC. Having come from a completely different field himself, he’s seen firsthand that the skills needed for great alert triage aren’t necessarily the ones you’d expect. It’s the ability to operate in ambiguity, figure things out, and work collaboratively.
“There are smart people in every walk of life,” he says. “And a lot of folks—myself included—didn’t know what the skill set for this job actually looked like until they were in it.”
A romantic gesture (depending on who you ask)
Here’s something most people don’t know about Ben: he once named an APT backdoor after his wife. When he was at Mandiant, he discovered a memory-resident backdoor using a custom binary protocol for C2—a novel find. The unwritten rule: if you find it, you get to name it. His colleague Steve Miller suggested he name it after his wife, calling it the equivalent of buying her a star.
He did. She didn’t fully grasp the significance. He still thinks it was cool. (Editor’s note: Ben mentioned his wife’s reaction was something like “that’s nice, dear.” As someone whose spouse also works in a field that’s foreign to me, I can confirm I would have had the same reaction.)
Very important question (and the origin of very important questions)
Here at Expel, we have an ongoing debate about whether a hot dog is a sandwich (even our founders are divided). When asked, Ben confirmed that he’s team sandwich. “If you take a hot dog and put it between two pieces of bread, is that a sandwich? If I take a hot dog in a bun and split the bun, is it then a sandwich? And if you take a piece of ham instead of a hot dog and put it on the split bun, is that a sandwich? If you’re telling me that that little piece of bread that’s still connected breaks the sandwich schema, I disagree.”
Ben also dropped some Expel lore on why we ask these questions:
“We have to be able to have debates about interpreting data in the SOC in stressful times. Those go better if everyone is able to be passionate but also respectful, and that happens when everyone knows how to argue safely with each other. We started doing silly questions in training that no one would actually get heated about so people had practice disagreeing and arguing and debating. We get everyone’s take, which can highlight how some of our quieter members have great takes you have to drag out (versus sticking to the loud ones). We have the person running the question dial it up or down when possible to force a schism and cause people to reflect on their rationale. We ask a variety of questions to try to divide the groups so you don’t create tribalism in the answers. Is it overanalyzed? Yes…we are analysts. Is it effective? Yes…again, analysts.”
But because this particular question is quintessentially Expel, Ben was also prompted with a very important question he hadn’t before: Would you rather sweat ranch dressing, or have permanent Cheeto finger dust on your hands?
He didn’t hesitate. Cheeto dust, obviously.
“I heard an argument that if you sweat ranch, you can sell it,” he says, “but that shows a deep lack of understanding about food safety.” Besides, he lives in Virginia, which has 89% humidity and is 100 degrees most of the summer. Ranch sweat would be, in his words, “a natural disaster.”
The Cheeto dust it is.
