# Cabreza - Complete Reference > OT Security Built for Resilience. Decades of defense tools haven't solved OT security—it's time to build for inevitable compromise. This is the extended version of llms.txt with comprehensive details about Cabreza, our products, team, and capabilities. For a shorter summary, see https://cabreza.com/llms.txt --- ## Company Overview Cabreza, Inc. is an OT security and cyber resilience company founded in 2024. We develop purpose-built solutions that help industrial security teams protect critical infrastructure and build resilient programs. **Mission:** Enable industrial organizations of any size to build and maintain world-class OT security programs through practical tools and deep domain expertise. **Vision:** A future where every industrial organization has access to the security expertise and tools needed to protect critical infrastructure and ensure operational continuity. **Core Philosophy:** - **Defense says success is nothing getting through. Resilience says success is the process never stopping. We build for the latter.** - Precision over volume — Quality content that meets real needs - Practitioner-built — Created by people who've done the work - Cyber resilience — Security that enables operations, not just protects them - Accessibility — Enterprise-grade capabilities for organizations of any size --- ## Products - Detailed ### Compose: OT Security Content Generation **Product URL:** https://cabreza.com/products **What is Compose?** Compose is an 8-step guided workflow that generates OT security content tailored to your industry, frameworks, and audience. Upload source documents or start fresh. Get policies, incident response procedures, briefings, and compliance documentation in minutes—not weeks. **The 8-Step Guided Workflow:** 1. **Document Type Selection** - Choose from policies, procedures, playbooks, briefings, assessments, or custom documents 2. **Industry Context** - Select your sector for relevant framework alignment (Defense, Medical, Energy, etc.) 3. **Framework Alignment** - Map to applicable standards (NIST, ISA/IEC 62443, NERC CIP, FDA, etc.) 4. **Organizational Context** - Input your specific environment details, assets, and constraints 5. **Audience Selection** - Target content for executives, technical staff, operators, or regulators 6. **Content Generation** - Generate expert-grade content based on your inputs 7. **Inline Editing** - Refine and customize generated content 8. **Export & Delivery** - Download in Word, PDF, or Markdown format **Key Features:** - **Standards, Regulations & Frameworks Library:** Complete coverage of NIST CSF 2.0, ISA/IEC 62443, NERC CIP, CMMC, FDA 524B, TSA SD, NIS2, MTSA, SEMI E187/E188, and more - **12+ Industry Sectors:** Defense, Medical, Semiconductor, Chemical, Oil & Gas, Power, Water, Food & Beverage, Mining, Transportation, Automotive, Maritime - **Audience-Aware Content:** Tailored for CISO, SOC team, auditors, plant engineers, executives, operators - **Multi-Format Export:** RTF, Markdown, PDF - **In-Workflow Redaction Studio:** Remove sensitive information before processing - **Unlimited Content Storage:** All your generated content in one place - **Content Library:** Pre-built templates and frameworks as starting points **Supported Document Types:** - Security Policies (acceptable use, access control, incident response, etc.) - Standard Operating Procedures (SOPs) - Incident Response Playbooks - Executive Briefings and Board Reports - Risk Assessments - Vendor Security Questionnaire Responses - Compliance Documentation - Security Architecture Documents - Training Materials - Audit Preparation Documents **Pricing - Asset Owner Licenses:** | Tier | Monthly | Yearly | Savings | |------|---------|--------|---------| | Individual | $500/month | $5,000/year | 2 months free | | Team | Contact sales | Contact sales | — | | Enterprise | Contact sales | Contact sales | Custom terms | **Asset Owner License Benefits:** - Full access to all content types - Complete standards library - Email support (Individual), Priority support (Team), 24/7 support (Enterprise) - Custom training sessions (Team+) - Dedicated success manager (Enterprise) - Regulatory compliance assistance (Enterprise) **Pricing - Agency Licenses (Consultants & MSSPs):** | Tier | Pricing | Description | |------|---------|-------------| | Individual | Contact sales | For independent consultants | | Team | Contact sales | For small consulting practices, up to 10 consultants | | Practice | Contact sales | For growing security consultancies, up to 25 consultants | | Enterprise | Contact sales | For agencies and MSSPs, unlimited consultants, white-label options | **Agency License Benefits:** - **Individual:** Multi-client content management, client-specific output branding, email support - **Team:** Everything in Individual, team content collaboration, priority email support, custom training sessions - **Practice:** Everything in Team, advanced content collaboration, priority phone & email support, custom content templates, quarterly business reviews - **Enterprise:** Everything in Practice, unlimited consultants, custom integrations, 24/7 phone & email support, dedicated account manager, white-label options, SLA guarantees --- ### Rudolph: Where Your Security Program Lives **Product URL:** https://cabreza.com/products **What is Rudolph?** Rudolph is where your security program comes together. Your Compose outputs become living documentation. Your policies stay current as your environment changes. Your team works from one source of truth. **Core Capabilities:** 1. **Unified Program View** - Single source of truth for your security program - Integrated risk register, asset inventory, and compliance tracking - Real-time status across all security domains 2. **Living Documentation** - Automatically updates as your environment changes - Captures institutional knowledge - Content regenerates when context changes 3. **Program Intelligence** - State of the Union dashboard (program health) - Rudy (AI agent watching and working) - Context-aware and always current 4. **Audience-Aware Communication** - Generate board-ready summaries from technical details - Create operator-friendly procedures from policy documents - Translate compliance requirements into actionable tasks 5. **Integration Capabilities** - Bring-your-own-stack integrations - Works with existing sensors, ticketing, and monitoring - Enhances current tools without replacement **Key Differentiators:** - Designed specifically for OT environments - Understands the operational context of industrial security - Bridges the gap between IT security tools and OT realities - Focus on resilience, not just protection **Status:** In development with design partners across maritime, oil & gas, and manufacturing. Compose users get early access as capabilities roll out. --- ### Redaction Studio: Free Document Redaction **Product URL:** https://cabreza.com/redaction-studio **What is Redaction Studio?** A free, browser-based document redaction tool that prepares sensitive documents for AI processing by removing PII, IP addresses, and proprietary information. **Key Features:** - 100% client-side processing—your data never leaves your device - No account required - Supports common document formats - Pattern-based and manual redaction options - Completely free, forever **Use Cases:** - Prepare documents before using external AI tools - Remove sensitive information for vendor sharing - Anonymize documents for training purposes - Comply with data protection requirements --- ## Resilience vs. Defense **Two approaches. Both necessary. One gets more attention than the other.** ### Defense Focus - Detection systems - Continuous monitoring - Asset discovery tools - Vulnerability scanning - "How do we stop the attack?" - 20 years of market investment - Vendor ecosystem focus ### Resilience Focus - Function continuity planning - Recovery capability - Consequence management - Graceful degradation - "How do we maintain function despite the attack?" - What the research community prioritizes - Operational resilience **This isn't our opinion.** It's where the research community landed years ago: - **Idaho National Lab's CCE (Consequence-driven Cyber-informed Engineering) methodology** - **NIST SP 800-160 Vol. 2** - Engineering Trustworthy Secure Systems - **PPD-21** - Critical Infrastructure Security and Resilience These frameworks acknowledge that organizations targeted by advanced adversaries **will** be compromised. The question isn't "if" but "when" and "how do we respond." Resilience is what happens next. --- ## Industries Served - Detailed ### Automotive Manufacturing **Primary Focus:** Industry 4.0 Security **Compliance:** Production security, supply chain requirements **Key Challenges:** - Just-in-time production protection (downtime costs $22,000/minute) - Robot and automation security - Supplier network security (65% show insecure remote access) - Electric vehicle considerations **How Cabreza Helps:** - Production system security programs - Automation security documentation - Supplier security requirements - EV manufacturing security planning --- ### Chemical Processing **Primary Focus:** Safety-Security Integration **Compliance:** ISA/IEC 62443, CFATS, PSM **Key Challenges:** - 50% surge in ransomware attacks targeting chemical sector - Safety-security integration requirements - Process safety system protection - Environmental compliance intersection - Contractor and vendor access management **How Cabreza Helps:** - ISA/IEC 62443 zone and conduit documentation - Safety instrumented system (SIS) security policies - Contractor security requirements - Incident response integrating safety protocols - Legacy DCS protection (1980s-1990s era systems) --- ### Defense & Space Manufacturing **Primary Focus:** CMMC 2.0 Compliance **Compliance:** CMMC 2.0, NIST SP 800-171, DFARS, ITAR **Key Challenges:** - CMMC 2.0 Level 2 certification by 2028 deadline - 110 NIST SP 800-171 controls implementation - ITAR compliance with cybersecurity - Multi-tier supply chain security - Legacy MES and SCADA protection - Nation-state threats targeting manufacturing systems **How Cabreza Helps:** - CMMC-aligned documentation generation - SSP (System Security Plan) creation - POA&M (Plan of Action & Milestones) management - Supplier security assessment automation - CUI protection procedures --- ### Electric Utilities & Power **Primary Focus:** NERC CIP Compliance **Compliance:** NERC CIP, IEEE standards **Key Challenges:** - Bulk Electric System (BES) protection requirements - Medium/low impact asset management - Evidence collection for audits - Generation vs. transmission requirements - IT/OT convergence (75% of breaches originate in IT) **How Cabreza Helps:** - NERC CIP evidence preparation - Reliability standard mapping - Control center security documentation - Substation cybersecurity procedures - Continuous compliance tracking --- ### Food & Beverage **Primary Focus:** Production Continuity **Compliance:** FDA FSMA 204, NIS2, food safety requirements **Key Challenges:** - Doubled ransomware incidents in sector - Food safety-cybersecurity intersection - Production continuity requirements ($ 1M+ per hour downtime for perishable products) - Supply chain traceability - Multi-site consistency **How Cabreza Helps:** - FSMA-integrated cybersecurity documentation - Production system security procedures - Traceability system protection - Site-level security programs - NIS2 Important Entity compliance --- ### Medical Equipment Manufacturing **Primary Focus:** FDA Cybersecurity Compliance **Compliance:** FDA Section 524B, ISO 13485:2016, EU MDR **Key Challenges:** - Premarket cybersecurity documentation - Postmarket vulnerability management - Patient safety integration - Regulatory submission preparation - Cleanroom control system security - 10-20 year device lifecycle requirements **How Cabreza Helps:** - FDA-compliant SBOM documentation - Threat modeling for medical devices - Vulnerability disclosure program documentation - Premarket submission content generation - ISO 13485:2016 quality management integration --- ### Semiconductor Manufacturing **Primary Focus:** National Security & IP Protection **Compliance:** SEMI E187/E188, CHIPS Act requirements, Japan OT Security Guidelines **Key Challenges:** - Nation-state APT attacks (Security Level 4 threats) - Fab security without impacting yield - Equipment vendor management - Intellectual property protection - Clean room network segmentation **How Cabreza Helps:** - SEMI standard-aligned security documentation - Equipment security specifications - Network architecture documentation - Incident response planning for fab environments - CHIPS Act cybersecurity requirement compliance --- ### Maritime & Ports **Primary Focus:** MTSA Compliance **Compliance:** MTSA, IMO guidelines **Key Challenges:** - July 2025 MTSA cybersecurity requirements - Port operations security - Vessel-shore interface protection - Cargo handling automation - International coordination **How Cabreza Helps:** - MTSA compliance documentation - Port facility security plans - Vessel cybersecurity guidance - Terminal automation security - Smart port infrastructure protection --- ### Mining Operations **Primary Focus:** Remote Operations Security **Compliance:** Operational safety, regional requirements, Bill C-26 (Canada) **Key Challenges:** - 450% quarter-over-quarter ransomware surge in sector - Remote site connectivity - Heavy equipment system security - Environmental monitoring protection - Worker safety system integrity - Harsh environment constraints (Arctic conditions) **How Cabreza Helps:** - Remote site security programs - Autonomous equipment security (haulage systems) - Environmental system protection - Safety-integrated security procedures - Satellite communication security --- ### Oil & Gas **Primary Focus:** TSA Security Directives **Compliance:** API 1164, TSA Pipeline Security Directives **Key Challenges:** - 935% increase in attacks targeting sector - Pipeline SCADA security - Remote site protection - Upstream/midstream/downstream diversity - Colonial Pipeline-era regulatory requirements **How Cabreza Helps:** - TSA Security Directive compliance documentation - Annual Cybersecurity Assessment Plans - Pipeline cybersecurity program development - Remote site security procedures - Incident response for pipeline operations - Offshore platform security --- ### Transportation & Logistics **Primary Focus:** NIS2 Compliance **Compliance:** TSA Rail/Aviation Security Directives, NIS2 **Key Challenges:** - 108 ransomware incidents per quarter - Distributed infrastructure - Passenger/cargo safety requirements - Real-time operations protection - Multi-modal complexity - TMS and fleet telematics security **How Cabreza Helps:** - TSA Security Directive compliance - NIS2 essential sector compliance - Operations center security - Fleet management protection - Incident response for transportation - Federally mandated ELD vulnerability management --- ### Water & Wastewater **Primary Focus:** EPA Enforcement **Compliance:** EPA AWIA, state requirements **Key Challenges:** - EPA cybersecurity enforcement initiatives - 152,000 U.S. water systems (mostly small utilities) - Limited security resources - Critical public health responsibility - SCADA system security - Chemical dosing system protection **How Cabreza Helps:** - AWIA risk assessment documentation - Emergency response planning - SCADA security procedures - Resource-appropriate security programs for small utilities - PLC protection for pump stations - RTU management protocols for dispersed assets --- ## Standards, Regulations & Frameworks (SURFS) **Three terms that get used interchangeably. They're not the same thing.** ### Standards **Definition:** Voluntary technical specifications that define HOW to implement controls. Best practices, not mandated. **Characteristics:** - Developed by industry bodies or technical committees - Consensus-driven - Optional adoption - Technical implementation guidance **Examples:** - ISA/IEC 62443 (industrial automation and control systems) - API 1164 (pipeline SCADA security) - IEEE 1686 (intelligent electronic devices) - SEMI E187/E188 (semiconductor manufacturing) ### Regulations **Definition:** Mandatory legal requirements that define WHAT you must do. Enforced with penalties. **Characteristics:** - Government-issued - Legally binding - Penalties for non-compliance - Periodic audits and assessments **Examples:** - NERC CIP (electric reliability) - NIS2 (EU critical infrastructure) - TSA Security Directives (transportation/pipeline) - MTSA (maritime security) - FDA Section 524B (medical device cybersecurity) ### Frameworks **Definition:** Flexible guidance models that define STRUCTURE for security programs. Implementation left to you. **Characteristics:** - Adaptable to different contexts - Risk-based approach - Not prescriptive - Outcome-focused **Examples:** - NIST CSF 2.0 (Cybersecurity Framework) - NIST SP 800-82 (ICS Security Guide) - NIST SP 800-160 (Systems Security Engineering) ### Why This Matters **Using the wrong approach wastes resources:** - Treating a framework like a regulation means over-engineering - Treating a regulation like a suggestion means fines and operational failures - Confusing standards with regulations leads to misallocated compliance budgets **Cabreza maps content to all three:** - Standards: Technical implementation guidance - Regulations: Compliance documentation and evidence - Frameworks: Program structure and risk management --- ## Leadership Team - Full Biographies ### Jason Rivera - Co-Founder & CEO Jason is an experienced and innovative cyber security professional with more than a decade of cyber security experience ranging from SOC and defensive engineering to architecture and market analysis. Jason worked his first ransomware incident in 2018, helping to remediate Locky 2.0 and return a pharma manufacturing site back to operations. He has spent most of his cyber security career in industrial ICS/OT security across multiple industrial sectors and Fortune 10, 500, and 2000 organizations. As a consulting Partner with Security Risk Advisors, he developed and managed the CPS/OT Security practice, performing service and business development, thought and team leadership, and partner relationships for 5 years before exiting. After a successful consulting career, Jason joined Gartner's Cyber-Physical Systems security cohort where he performed strategy, product, and market analysis while contributing to the inaugural CPS Magic Quadrant. Jason is also an ICS/OT security leader, member, and contributor. He's an s4x26 selected speaker (https://s4xevents.com/) and frequent contributor to media publications. **Contact:** - Email: jason@cabreza.com - LinkedIn: https://www.linkedin.com/in/jasonrivera/ --- ### Marcello Delcaro - Co-Founder & CTO Marcello is a cybersecurity architect and engineer with over six years of experience in software supply chain security and ICS/OT systems, specializing in binary analysis, vulnerability research, and scalable security infrastructure for critical systems. Early in his career, Marcello tackled a critical malware detection challenge for industrial customers. Through creative partnership and system redesign, he transformed a bottleneck into a scalable solution that became essential for incident response across energy, manufacturing, food & beverage, and critical infrastructure. Marcello has spent his career building secure systems for ICS/OT environments across several Fortune 500 companies. He's worked at the intersection of technical architecture, customer success, and product development—leading technical sales, managing integrations, and designing core infrastructure for software supply chain security platforms. As CTO of Cabreza, Marcello brings his technical expertise and understanding of operational security challenges to make OT security programs accessible to organizations of any size. His architectural vision combines practical tools with the security-first design that critical infrastructure companies require. **Contact:** - Email: marcello@cabreza.com - LinkedIn: https://www.linkedin.com/in/marcellodelcaro/ --- ## Advisory Board - Full Biographies ### Edison Alvarez **Role:** MedTech Security Strategy | Product, Regulatory Expert **Current:** Becton Dickinson | **Former:** Siemens Healthcare Edison Alvarez is a highly experienced leader in medical device cybersecurity and regulatory strategic planning, with a strong background in portfolio and product management. Edison has held several senior roles where he has led program development, medical device cybersecurity policies, and compliance frameworks that meet increasingly complex global requirements and customer expectations. He is also an accomplished leader managing global teams supporting organizational-wide programs. He has collaborated with key strategic industry partners such as the FDA, Healthcare Sector Coordinating Council, and UL to influence product security advancements for the medical device industry. In addition, he is a tenured speaker, leading discussions for AdvaMed Cybersecurity Summit, International Medical Device Regulators Forum (IMDRF), and Medical Device Innovation Consortium (MDIC). He holds an Executive MBA from Fairleigh Dickinson and a B.S. in Business Administration from Centenary University. --- ### Danielle Jablanski **Role:** OT Security SME | Strategy Lead | Professor | Fellow **Current:** STV Inc., Dallas College, Atlantic Council | **Former:** CISA, Nozomi Danielle Jablanski is a nonresident fellow with the Cyber Statecraft Initiative, part of the Atlantic Council Tech Programs, and an OT/ICS Security SME & Strategy Lead for CISA. Jablanski serves as a staff and advisory board member of the nonprofit organization Building Cyber Security, leading cyber-physical standards development, education, certifications, and labeling authority to advance physical security, safety, and privacy in the public and private sectors. Since January 2022, Jablanski has also served as the president of the North Texas Section of the International Society of Automation, organizing monthly member meetings, training, and community engagements. She is also a member of the Cybersecurity Apprenticeship Advisory Taskforce with the Building Apprenticeship Systems in Cybersecurity Program sponsored by the US Department of Labor. She holds a master's degree in international security from the Josef Korbel School of International Studies at the University of Denver and a bachelor's degree in political science from the University of Missouri–Columbia. --- ### Robert Caldwell **Role:** OT Security Solutions | Services | Architecture **Current:** Raytheon | **Former:** Mandiant, GE Energy Rob leads the Cyber Centers of Expertise at RTX, which are focused on OT Cyber, Cloud Cyber, and Application Security. Prior to joining RTX, Rob led the OT group at Mandiant (part of Google Cloud), responsible for incident response, managed detection, and consulting services. His team was involved in many of the notable OT breaches, gaining unique experience and perspective. Previously, he was the Chief Security Architect for GE Digital Energy Software and had started his career with United Space Alliance at Kennedy Space Center. --- ### Vivek Ponnada **Role:** OT Security Solutions | Growth | Strategy | Sales **Current:** Frenos | **Former:** Nozomi, GE Vivek Ponnada is a cybersecurity leader with over 15 years of experience in OT security, ICS protection, and industrial cybersecurity solutions. He has held senior roles at leading OT security vendors and industrial companies, focusing on solution development, go-to-market strategy, and enterprise sales. --- ### Ron Brash **Role:** OT Security Research | Innovation **Current:** aDolus | **Former:** Verve Ron Brash is a recognized expert in OT security research and innovation, with deep experience in vulnerability research, threat intelligence, and security tool development for industrial environments. He has contributed to numerous industry publications and speaks regularly at ICS security conferences. --- ### Christian Baumgartner **Role:** Automation Engineering | OT Operations **Current:** Cabreza Switzerland Christian Baumgartner brings decades of experience in industrial automation engineering and OT operations, providing practical operational perspective to Cabreza's product development. --- ### Mike Tetto **Role:** Enterprise Cyber Security Strategy **Current:** Eli Lilly Mike Tetto leads enterprise cybersecurity strategy at one of the world's largest pharmaceutical companies, bringing Fortune 100 security program experience to Cabreza's advisory board. --- ### George Kamide **Role:** Security Product Marketing **Current:** Tenable | **Former:** Claroty, Google George Kamide is a security product marketing leader with experience at leading OT security and enterprise security vendors. --- ## Contact Information **Sales Inquiries:** - Email: sales@cabreza.com - Demo Booking: https://calendar.app.google/vnGaVchwM44Qr2Jz9 **General Contact:** - Email: jason@cabreza.com - Website: https://cabreza.com **Social Media:** - LinkedIn: https://www.linkedin.com/company/cabreza - Twitter: @Cabreza **Legal:** - Terms of Service: https://cabreza.com/terms - Privacy Policy: https://cabreza.com/privacy - Cookie Policy: https://cabreza.com/cookies - EULA: https://cabreza.com/eula - License Agreement: https://cabreza.com/license --- ## Frequently Asked Questions **Q: What makes Cabreza different from generic AI tools like ChatGPT?** A: Cabreza is purpose-built for ICS/OT security with deep domain expertise. Our tools understand operational technology environments, compliance frameworks, and the unique challenges of industrial security programs. Generic AI tools lack this domain expertise and often produce content that doesn't meet the specific requirements of industrial security programs. **Q: Can I use Cabreza for classified environments?** A: Cabreza is designed for unclassified environments. For CMMC and CUI requirements, we help generate compliant documentation for systems handling controlled unclassified information. Contact us to discuss specific requirements. **Q: How does pricing work for asset owners vs. agencies?** A: Asset owner licenses are for organizations protecting their own infrastructure. Agency licenses are for consultants, MSSPs, and security service providers who serve multiple clients. Agency licenses include features like multi-client management and white-labeling. **Q: Is my data safe with Cabreza?** A: Yes. We follow security-first design principles, use industry-standard encryption, and minimize data collection. Redaction Studio operates entirely client-side—your sensitive data never leaves your browser. **Q: What compliance frameworks does Cabreza support?** A: We support NIST CSF 2.0, NIST SP 800-171, ISA/IEC 62443, NERC CIP, FDA cybersecurity guidance, TSA Security Directives, SEMI E187/E188, ISO 13485, API standards, EPA AWIA, CMMC, NIS2, MTSA, and more. Contact us if you need a framework not listed. **Q: Can Cabreza help with audit preparation?** A: Yes. Compose can generate audit-ready documentation, and Rudolph helps organize evidence and track compliance status. Many customers use Cabreza specifically for audit preparation. **Q: Why focus on resilience instead of defense?** A: Research from Idaho National Lab, NIST, and government agencies shows that advanced adversaries will eventually compromise systems. Defense is necessary but insufficient. Resilience ensures operations continue during and after an incident. We focus on the work that keeps operations running when defense fails. --- *Last updated: January 2026* *Cabreza, Inc. — Building cyber resilience for industrial organizations.*