# Cabreza

> OT Security Built for Resilience. Decades of defense tools haven't solved OT security—it's time to build for inevitable compromise.

## About

Cabreza, Inc. develops purpose-built solutions that help industrial security teams protect critical infrastructure and build resilient programs. We combine deep ICS/OT security expertise with practical tools to deliver resilience capabilities that prepare organizations for when defense fails.

**Core Philosophy:** Defense says success is nothing getting through. Resilience says success is the process never stopping. We build for the latter.

## Quick Navigation

- [Homepage](https://cabreza.com/): Decades of defense. It's time for resilience.
- [Products](https://cabreza.com/products): From content to program—Compose & Rudolph
- [Redaction Studio](https://cabreza.com/redaction-studio): Free browser-based document redaction tool
- [Pricing](https://cabreza.com/pricing): Asset Owner & Agency licensing options
- [Sectors](https://cabreza.com/sectors): Industry-specific OT resilience
- [Company](https://cabreza.com/company): Team, mission, and advisors
- [Blog](https://cabreza.com/blog): Latest insights and updates

## Products

### Compose

**Generate OT security content today.**

**What it does:**

- Generates policies, procedures, playbooks, briefings, and compliance documentation in minutes
- 8-step guided workflow tailored to your industry, frameworks, and audience
- Sector-specific content for 12+ industries (Defense, Medical, Semiconductor, Chemical, Oil & Gas, Power, Water, Food & Beverage, Mining, Transportation, Automotive, Maritime)
- Framework alignment: NIST CSF 2.0, ISA/IEC 62443, NERC CIP, CMMC, FDA, TSA, NIS2, MTSA, and more

**Key Features:**

- Standards, regulations & frameworks library (NIST, IEC 62443, NERC CIP, NIS2, etc.)
- Content tailored to audience (CISO, SOC team, auditor, plant engineer)
- RTF, Markdown, PDF export
- In-workflow redaction studio
- Unlimited content storage

**Pricing - Asset Owner:**

- Individual: $500/month or $5,000/year (2 months free)
- Team: Contact sales
- Enterprise: Contact sales

**Pricing - Agency:**

- Individual: For independent consultants (contact sales)
- Team: For small consulting practices, up to 10 consultants (contact sales)
- Practice: For growing security consultancies, up to 25 consultants (contact sales)
- Enterprise: For agencies and MSSPs, unlimited consultants, white-label options (contact sales)

**URL:** https://cabreza.com/products

### Rudolph

**Where your security program lives.**

**What it does:**

- Transforms scattered documents into a connected, living program
- Documentation, communications, and intelligence that stays current
- Learns your environment (sites, assets, architecture, regulatory context)
- Integrates with existing security stack to enhance sensors, ticketing, monitoring
- Auto-regenerates content when your environment changes

**Core Capabilities:**

- Unified program view
- Auto-regeneration when context changes
- State of the Union (program health dashboard)
- Rudy (AI agent watching and working)
- Bring-your-own-stack integrations

**Status:** In development with design partners across maritime, oil & gas, and manufacturing. Compose users get early access as capabilities roll out.

**URL:** https://cabreza.com/products

### Redaction Studio

**Free, browser-based document redaction tool.**

**What it does:**

- Prepares sensitive documents for AI processing
- Removes PII, IP addresses, and proprietary information
- 100% client-side processing—data never leaves your device
- No account required, completely free

**URL:** https://cabreza.com/redaction-studio

## Resilience vs. Defense

**Two approaches. Both necessary. One gets more attention than the other.**

### Defense

- Detection
- Monitoring
- Asset discovery
- Vulnerability scanning
- "How do we stop the attack?"
- 20 years of market investment

### Resilience

- Function continuity
- Recovery capability
- Consequence management
- Graceful degradation
- "How do we maintain function despite the attack?"
- What the research community prioritizes

**This isn't our opinion.** It's where the research community landed years ago. Idaho National Lab's CCE methodology, NIST SP 800-160, and PPD-21 all point the same direction: organizations targeted by advanced adversaries will be compromised. Resilience is what happens next.

## Industries Served

We serve industrial organizations across critical infrastructure sectors with sector-specific content and compliance frameworks:

### Automotive Manufacturing

- Industry 4.0 connectivity challenges
- Connected assembly line security
- Supply chain cyber risk (65% show insecure remote access)
- Just-in-time manufacturing protection

### Chemical Processing

- 50% surge in ransomware attacks
- ISA/IEC 62443 implementation
- Legacy DCS protection (1980s-1990s era)
- Process safety integration

### Defense & Space Manufacturing

- CMMC 2.0 Level 2 certification requirements (110 NIST SP 800-171 controls)
- ITAR compliance
- Multi-tier supply chain security
- November 2025 deadline compliance

### Electric Power

- NERC CIP mandatory compliance
- BES Cyber System protection
- IT/OT convergence security (75% of breaches originate in IT)
- Grid reliability maintenance

### Food & Beverage

- Doubled ransomware incidents
- FDA FSMA 204 traceability
- NIS2 Important Entity compliance
- $1M+ per hour downtime prevention

### Medical Equipment Manufacturing

- FDA Section 524B requirements
- Cleanroom system security
- ISO 13485:2016 quality management
- 10-20 year device lifecycle compliance

### Semiconductor Manufacturing

- Nation-state APT attacks (Security Level 4)
- SEMI E187/E188 standards
- CHIPS Act cybersecurity requirements
- Japan's OT Security Guidelines alignment

### Maritime & Ports

- July 2025 MTSA cybersecurity requirements
- Port facility OT security
- Vessel system protection
- Smart port infrastructure

### Mining

- 450% quarter-over-quarter ransomware surge
- Autonomous haulage system security
- Remote, harsh environment operations
- Bill C-26 compliance preparation

### Oil & Gas

- 935% increase in attacks
- TSA Security Directive compliance
- Pipeline cybersecurity assessments
- Offshore platform and SCADA security

### Transportation & Logistics

- 108 ransomware incidents per quarter
- NIS2 essential sector obligations
- TMS and fleet telematics security
- Federally mandated ELD vulnerability management

### Water & Wastewater

- EPA enforcement
- 152,000 U.S. water systems
- SCADA and RTU protection
- Small utility resource constraints

**URL:** https://cabreza.com/sectors

## Standards, Regulations & Frameworks (SURFS)

Three terms that get used interchangeably. They're not the same thing.

**Standards:** Voluntary technical specs. Define HOW to implement controls. Best practices, not mandated.

- Examples: ISA/IEC 62443, API 1164, IEEE 1686

**Regulations:** Mandatory legal requirements. Define WHAT you must do. Enforced with penalties.

- Examples: NERC CIP, NIS2, TSA SD, MTSA, FDA 524B

**Frameworks:** Flexible guidance models. Define STRUCTURE for programs. Implementation left to you.

- Examples: NIST CSF 2.0, SP 800-82, SP 800-160

**Why This Matters:** Using the wrong approach wastes resources. Treating a framework like a regulation means over-engineering. Treating a regulation like a suggestion means fines and failures. Cabreza maps content to all three.

## Leadership

### Jason Rivera - Co-Founder & CEO

- Former Gartner analyst for CPS/OT Security
- Former Partner at Security Risk Advisors
- 10+ years in industrial cybersecurity
- s4x26 selected speaker
- Contributed to inaugural CPS Magic Quadrant
- Email: jason@cabreza.com
- LinkedIn: https://www.linkedin.com/in/jasonrivera/

### Marcello Delcaro - Co-Founder & CTO

- Expert in software supply chain security and ICS/OT systems
- Specializes in binary analysis, vulnerability research, and security infrastructure
- Experience across Fortune 500 industrial environments
- Email: marcello@cabreza.com
- LinkedIn: https://www.linkedin.com/in/marcellodelcaro/

## Advisory Board

- **Edison Alvarez** - MedTech Security Strategy (Becton Dickinson, formerly Siemens Healthcare)
- **Danielle Jablanski** - OT Security SME (CISA, Atlantic Council, formerly Nozomi)
- **Robert Caldwell** - OT Security Solutions (Raytheon, formerly Mandiant, GE Energy)
- **Vivek Ponnada** - OT Security Growth (Frenos, formerly Nozomi, GE)
- **Ron Brash** - OT Security Research (aDolus, formerly Verve)
- **Christian Baumgartner** - Automation Engineering & OT Operations (Cabreza Switzerland)
- **Mike Tetto** - Enterprise Cyber Security Strategy (Eli Lilly)
- **George Kamide** - Security Product Marketing (Tenable, formerly Claroty, Google)

## Key Differentiators

1. **Resilience-first approach** - Not just security, but operational continuity and recovery
2. **Deep industrial expertise** - Built by practitioners with decades of combined OT security experience
3. **Sector-specific content** - Compliance automation with sector requirements built into workflows
4. **Living documentation** - Evolves with your environment, not static content
5. **Practitioner-built** - Created by people who've done the work in Fortune 500 environments

## Contact

- **Website:** https://cabreza.com
- **Sales:** sales@cabreza.com
- **General:** jason@cabreza.com
- **LinkedIn:** https://www.linkedin.com/company/cabreza
- **Twitter:** @Cabreza
- **Demo:** https://calendar.app.google/vnGaVchwM44Qr2Jz9

## Legal

- [Terms of Service](https://cabreza.com/terms)
- [Privacy Policy](https://cabreza.com/privacy)
- [Cookie Policy](https://cabreza.com/cookies)
- [EULA](https://cabreza.com/eula)
- [License Agreement](https://cabreza.com/license)

## Extended Information

For more detailed information including full team bios, complete feature lists, and sector-specific details, see: https://cabreza.com/llms-full.txt

---

*Last updated: January 2026*

*Cabreza, Inc. — Building cyber resilience for industrial organizations.*