# Cabreza

> Your Access To OT Cybersecurity Capabilities. Software for building OT security programs and the first independent, on-demand and vetted OT cybersecurity network.

## About

Cabreza, Inc. develops purpose-built solutions that help industrial security teams protect critical infrastructure and build resilient programs. We combine deep OT security expertise with software (Command) and an independent, on-demand and vetted OT cybersecurity network (Connect) to close the people and process gap in OT security.

**Core Philosophy:** Defense says success is nothing getting through. Resilience says success is the process never stopping. We build for the latter.

## Quick Navigation

- [Homepage](https://cabreza.com/): Your Access To OT Cybersecurity Capabilities
- [Command](https://cabreza.com/product): OT security program software
- [Connect](https://cabreza.com/connect): Independent, on-demand and vetted OT cybersecurity microservices
- [SMB Program](https://cabreza.com/initiatives/smb): Community pricing for small & medium businesses
- [Pre-Purchase Risk Reduction](https://cabreza.com/initiatives/pre-purchase): Reduce OT security risk before acquisition closes
- [Frontline Infrastructure Program](https://cabreza.com/initiatives/frontline): Security expertise for critical infrastructure that can't afford to fail
- [Whitepapers](https://cabreza.com/whitepapers): Industrial security research and insights
- [Pricing](https://cabreza.com/command/pricing): Asset Owner & Agency licensing options
- [Sectors](https://cabreza.com/sectors): Industry-specific OT resilience
- [Company](https://cabreza.com/company): Team, mission, and advisors
- [Blog](https://cabreza.com/blog): Latest insights and updates

### Free Tools

- [Self Assessor](https://cabreza.com/self-assessor): Free OT security maturity assessment against NIST 800-82 R3 or NIS2
- [SRFer](https://cabreza.com/srfer): Free standards, regulations & frameworks crosswalk tool
- [Redaction Studio](https://cabreza.com/redaction-studio): Free browser-based document redaction tool

## Industrial Security Whitepapers

Data-driven insights into the gaps between where OT security is and where it needs to be. Free downloads with company email.

### The Gap Between Detection and Resilience in OT Security

Detection is working. Recovery isn't keeping pace. 19% of incidents take over a month to remediate—one of the most significant blind spots in industrial security today.
- Topics: Detection vs resilience, incident response, remediation timelines
- **Download:** https://cabreza.com/whitepapers

### The OT Talent Crisis and Knowledge Gap

52.6% of the OT security workforce has less than five years of experience. Organizations recognize people as their greatest risk, yet invest half as much in workforce development as technology.
- Topics: Workforce development, training investment, certification gaps
- **Download:** https://cabreza.com/whitepapers

### Regulatory Landscape Evolution in OT Security

Colonial Pipeline changed everything. Within months: TSA Security Directives, NIS2, maritime cyber requirements. Maps the new regulatory terrain across NIS2, TSA, MTSA, NERC CIP, and IEC 62443.
- Topics: NERC CIP, NIS2, TSA Security Directives, MTSA, IEC 62443, compliance
- **Download:** https://cabreza.com/whitepapers

### The Process Improvement Gap in Industrial Security

Process improvement ranks 8th in OT security investment at just 31%. Only 17% invest in tabletop exercises. Organizations can see problems but lack the machinery to solve them.
- Topics: Tabletop exercises, process maturity, governance gaps
- **Download:** https://cabreza.com/whitepapers

### IT/OT Convergence: Security Implications

The air gap is dead. 70% of OT incidents originate from IT networks. When ransomware reaches OT, 75% cause partial shutdown, 25% cause full shutdown.
- Topics: IT/OT convergence, network segmentation, ransomware, attack paths
- **Download:** https://cabreza.com/whitepapers

### The Business Case for OT Resilience

Manufacturing downtime costs $50,000-$125,000/hour. Average OT incident costs $2.8M. Quantifies ROI of resilience investments and provides frameworks for making the case to leadership.
- Topics: ROI frameworks, cost of downtime, executive communication, investment justification
- **Download:** https://cabreza.com/whitepapers

**URL:** https://cabreza.com/whitepapers

## Products

### Command — OT Security Program Software

**Command your OT cybersecurity program.**

**What it does:**
- Generates policies, procedures, playbooks, briefings, and compliance documentation in minutes
- Select your output type, add context (domains, technologies, frameworks, audiences), and generate
- Sector-specific content for 12+ industries (Defense, Medical, Semiconductor, Chemical, Oil & Gas, Power, Water, Food & Beverage, Mining, Transportation, Automotive, Maritime)
- Framework alignment: NIST CSF 2.0, ISA/IEC 62443, NERC CIP, CMMC, FDA, TSA, NIS2, MTSA, and more
- Living security program that evolves with your environment

**Key Features:**
- Standards, regulations & frameworks library (NIST, IEC 62443, NERC CIP, NIS2, etc.)
- Content tailored to audience (CISO, SOC team, auditor, plant engineer)
- RTF, Markdown, PDF export
- In-workflow redaction studio
- Unlimited content storage
- Auto-regeneration when context changes
- Program health dashboard

**Pricing - Asset Owner:**
- Individual: $500/month or $5,000/year (2 months free)
- Team: Contact sales
- Enterprise: Contact sales

**Pricing - Agency:**
- Individual: For independent consultants (contact sales)
- Team: For small consulting practices, up to 10 consultants (contact sales)
- Practice: For growing security consultancies, up to 25 consultants (contact sales)
- Enterprise: For agencies and MSSPs, unlimited consultants, white-label options (contact sales)

**URL:** https://cabreza.com/product

### Free Tools

#### Self Assessor

**Free OT security maturity assessment tool.**
- Measure your program maturity against NIST 800-82 R3 or NIS2
- Scored breakdown with gap analysis in under 10 minutes
- No account required, completely free
- **URL:** https://cabreza.com/self-assessor

#### SRFer

**Free standards, regulations & frameworks crosswalk tool.**
- Map and compare controls across 17 security standards, regulations, and frameworks
- NIST 800-53, NIST CSF 2.0, ISO 27001, IEC 62443, NERC CIP, NIS2, and more
- 1,500+ controls mapped
- No account required, completely free
- **URL:** https://cabreza.com/srfer

#### Redaction Studio

**Free, browser-based document redaction tool.**
- Prepares sensitive documents for AI processing
- Removes PII, IP addresses, and proprietary information
- 100% client-side processing—data never leaves your device
- No account required, completely free
- **URL:** https://cabreza.com/redaction-studio

## Frontline Infrastructure Program

Cabreza's Frontline Infrastructure Program provides security expertise for the critical infrastructure CISA calls "target rich, cyber poor" — the systems communities depend on, run by teams that wear five hats and have zero dedicated security staff.

**Who we serve:**
- Water & Wastewater (152,000 US systems, AWIA/EPA compliance)
- Rural Electric Cooperatives (900+ co-ops, NERC CIP Low Impact)
- K-12 School Districts (13,000+ districts, FERPA, 80% increase in attacks)
- Small & Rural Hospitals (Critical Access Hospitals, HIPAA Security Rule)
- Food & Agriculture (FDA FSMA, grain elevators, food safety + cyber convergence)
- Municipal Transit (bus systems, light rail, TSA Security Directives)
- Plus: community colleges, tribal utilities, housing authorities, port authorities, rural broadband, volunteer fire/EMS, public health departments, libraries, waste management

**How Cabreza helps:**
- Generate compliance-ready documentation in minutes (AWIA, NERC CIP, HIPAA, FERPA)
- Built on the frameworks auditors expect (NIST CSF, sector-specific standards)
- A living program, not a static binder — updates when regulations change

**URL:** https://cabreza.com/initiatives/frontline

## Resilience vs. Defense

**Two approaches. Both necessary. One gets more attention than the other.**

### Defense

- Detection
- Monitoring
- Asset discovery
- Vulnerability scanning
- "How do we stop the attack?"
- 20 years of market investment

### Resilience

- Function continuity
- Recovery capability
- Consequence management
- Graceful degradation
- "How do we maintain function despite the attack?"
- What the research community prioritizes

**This isn't our opinion.** It's where the research community landed years ago. Idaho National Lab's CCE methodology, NIST SP 800-160, and PPD-21 all point the same direction: organizations targeted by advanced adversaries will be compromised. Resilience is what happens next.
## Industries Served

We serve industrial organizations across critical infrastructure sectors with sector-specific content and compliance frameworks:

### Automotive Manufacturing

- Industry 4.0 connectivity challenges
- Connected assembly line security
- Supply chain cyber risk (65% show insecure remote access)
- Just-in-time manufacturing protection

### Chemical Processing

- 50% surge in ransomware attacks
- ISA/IEC 62443 implementation
- Legacy DCS protection (1980s–1990s)
- Process safety integration

### Defense & Space Manufacturing

- CMMC 2.0 Level 2 certification requirements (110 NIST SP 800-171 controls)
- ITAR compliance
- Multi-tier supply chain security
- CMMC 2.0 Level 2 certification by 2028

### Electric Power

- NERC CIP mandatory compliance
- BES Cyber System protection
- IT/OT convergence security (75% of breaches originate in IT)
- Grid reliability maintenance

### Food & Beverage

- Doubled ransomware incidents
- FDA FSMA 204 traceability
- NIS2 Important Entity compliance
- $1M+ per hour downtime prevention

### Medical Equipment Manufacturing

- FDA Section 524B requirements
- Clean room system security
- ISO 13485:2016 quality management
- 10–20 year device lifecycle compliance

### Semiconductor Manufacturing

- Nation-state APT attacks (Security Level 4)
- SEMI E187/E188 standards
- CHIPS Act cybersecurity requirements
- Japan's OT Security Guidelines alignment

### Maritime & Ports

- July 2025 MTSA cybersecurity requirements
- Port facility OT security
- Vessel system protection
- Smart port infrastructure

### Mining

- 450% quarter-over-quarter ransomware surge
- Autonomous haulage system security
- Remote, harsh environment operations
- Bill C-26 compliance preparation

### Oil & Gas

- 935% increase in attacks
- TSA Security Directive compliance
- Pipeline cybersecurity assessments
- Offshore platform and SCADA security

### Transportation & Logistics

- 108 ransomware incidents per quarter
- NIS2 essential sector obligations
- TMS and fleet telematics security
- Federally mandated ELD vulnerability management

### Water & Wastewater

- EPA enforcement and AWIA compliance
- 152,000 U.S. water systems
- SCADA and RTU protection
- Small utility resource constraints
- Dedicated page: https://cabreza.com/initiatives/frontline

**URL:** https://cabreza.com/sectors

## Standards, Regulations & Frameworks (SRFs)

Three terms that get used interchangeably. They're not the same thing.

**Standards:** Voluntary technical specs. Define HOW to implement controls. Best practices, not mandatory requirements.
- Examples: ISA/IEC 62443, API 1164, IEEE 1686

**Regulations:** Mandatory legal requirements. Define WHAT you must do. Enforced with penalties.
- Examples: NERC CIP, NIS2, TSA SD, MTSA, FDA 524B

**Frameworks:** Flexible guidance models. Define STRUCTURE for programs. Implementation left to you.
- Examples: NIST CSF 2.0, SP 800-82, SP 800-160

**Why This Matters:** Using the wrong approach wastes resources. Treating a framework like a regulation means over-engineering. Treating a regulation like a suggestion means fines and failures. Cabreza maps content to all three.

**Free Crosswalk Tool:** https://cabreza.com/srfer

## Leadership

### Jason Rivera - Co-Founder & CEO

- Former Gartner analyst for CPS/OT Security
- Former Partner at Security Risk Advisors
- 10+ years in industrial cybersecurity
- s4x26 selected speaker
- Contributed to inaugural CPS Magic Quadrant
- Email: jason@cabreza.com
- LinkedIn: https://www.linkedin.com/in/jasonrivera/

### Marcello Delcaro - Co-Founder & CTO

- Expert in software supply chain security and OT systems
- Specializes in binary analysis, vulnerability research, and security infrastructure
- Experience across Fortune 500 industrial environments
- Email: marcello@cabreza.com
- LinkedIn: https://www.linkedin.com/in/marcellodelcaro/

## Advisory Board

- **Edison Alvarez** - MedTech Security Strategy (Becton Dickinson, formerly Siemens Healthcare)
- **Danielle Jablanski** - OT Security SME (CISA, Atlantic Council, formerly Nozomi)
- **Robert Caldwell** - OT Security Solutions (Raytheon, formerly Mandiant, GE Energy)
- **Vivek Ponnada** - OT Security Growth (Frenos, formerly Nozomi, GE)
- **Ron Brash** - OT Security Research (aDolus, formerly Verve)
- **Christian Baumgartner** - Automation Engineering & OT Operations (Cabreza Switzerland)
- **Mike Tetto** - Enterprise Cyber Security Strategy (Eli Lilly)
- **George Kamide** - Security Product Marketing (Tenable, formerly Claroty, Google)

## Key Differentiators

1. **Resilience-first approach** - Not just security, but operational continuity and recovery
2. **Deep industrial expertise** - Built by practitioners with decades of combined OT security experience
3. **Sector-specific content** - Compliance automation with sector requirements built into workflows
4. **Living documentation** - Evolves with your environment, not static content
5. **Practitioner-built** - Created by people who've done the work in Fortune 500 environments
6. **Free tools** - Self Assessor, SRFer, and Redaction Studio available at no cost

## Contact

- **Website:** https://cabreza.com
- **Sales:** sales@cabreza.com
- **General:** jason@cabreza.com
- **LinkedIn:** https://www.linkedin.com/company/cabreza
- **Twitter:** @Cabreza
- **Demo:** https://calendar.app.google/vnGaVchwM44Qr2Jz9

## Legal

- [Terms of Service](https://cabreza.com/terms)
- [Privacy Policy](https://cabreza.com/privacy)
- [Cookie Policy](https://cabreza.com/cookies)
- [EULA](https://cabreza.com/eula)
- [License Agreement](https://cabreza.com/license)

## Extended Information

For more detailed information including full team bios, complete feature lists, and sector-specific details, see: https://cabreza.com/llms-full.txt

---

*Last updated: April 2026*

*Cabreza, Inc. — Your Access To OT Cybersecurity Capabilities.*