Security leader: Michael Lashlee, CSO
In 2022 Mastercard launched its Security Conference Initiative to emphasize the importance of secure coding practices. The goal was to teach software developers to create more secure, resilient software by embedding security within the software development lifecycle.
Founded by the company’s Security Champions, members of the Secure Software Development Lifecycle team, and the Business Security Enablement Guild, the initiative — a periodic event — engages developers through hands-on experiences such as interactive coding challenges and live attack simulations to enhance their secure coding skills and raise their awareness of secure software development lifecycle principles.
Additionally, it fosters collaboration between the software development community and security teams, promotes shared responsibility for security, builds technical expertise, and drives cultural change.
“The biggest benefit is scaling the culture of security by providing an all-hands-towards-secure-coding interactive learning experience,” says Swarali Kulkarni, lead product owner at Mastercard.
Kulkarni notes that the conference covers a wide range of topics, from executive briefings and industry insights to workshops and competitive tournaments, “creating a well-rounded and impactful experience for everyone involved.”
The initiative leans on Secure Code Warrior and Cyberange training platforms to deliver a gamified experience that is measurable and requires only a minimal time commitment (two days, with three to four hours each day). The platforms support more than 50 programming languages and provide a range of metrics to assess secure coding accuracy, monitor learning hours, track the number of code flaws resolved, and more.
To date, there have been five conferences, each attended by more than 400 participants from Mastercard’s software development community. Each conference is specifically tailored for programs within Mastercard that express interest in participating, Kulkarni says.
Penn Medicine modernizes its threat detection program
Organization: Penn Medicine
Project: Cyber Threat Detection Overhaul
Security leader: Julian Mihai, CTO
Penn Medicine had installed a top-of-the-line security information and event management (SIEM) solution nearly a decade ago, but the security team recognized a few years ago that the on-premises system could no longer match the speed at which attacks now evolve.
“Now threats can change by the hour, so detection very quickly is paramount today. That was the driver to rethink and retool our detection technology,” says CTO Julian Mihai.
Mihai and his team implemented a new cloud-based SIEM solution in 2024, deploying an innovative constellation of MITRE ATT&CK models to guide strategic and tactical direction of the threat detection program.
“It was a complete redesign, and everything that was legacy was decommissioned,” Mihai says.
Jesse Whyte, director of cybersecurity defense, says the initiative required changes not only in the technology but in people and processes, too. Security staff had to be trained to adopt a “threat intelligence first” approach that focused on evolving threats and how to use new threat intelligence for detection.
The security team also had to implement the right governance to prevent unnecessarily quarantining a critical system. And they had to ensure the egress pipelines could support the volume of data going to the cloud-based SIEM solution.
“The biggest challenge was managing spend, [as a] modern SIEM solutions license is based on the amount of data that is ingested. We needed to create a data-ingestion layer that provided opportunities for us to prune data as it entered the data lake, all while increasing the overall consumption and managing the run-rate of the project,” Whyte explains.
The cloud-native SIEM solution and Penn Medicine’s modernized security operations have delivered impressive results. The team now works seamlessly with its managed security service provider to ensure 24/7 coverage — and it has been freed to “work higher in the stack,” Whyte says, as AI and automation handle routine incidents and tasks.
Critically, the security team’s time to detect and time to contain have been drastically slashed, with PennMed reporting improvements of more than 550% for each.
Organization: TIAA
Project: HUNT (Hyper-Automated Unified Network Threat Hunting)
Security leader: Sastry Durvasula, Chief Operating, Information, and Digital Officer
Security leaders at TIAA formally review and refresh their priorities every year as part of the company’s 3-year-old Cyber 2.0 initiative. In 2024, they decided to focus on enhancing their use of artificial intelligence to counter cyberthreats that were increasingly fueled by AI.
The result: a new capability called Hyper-Automated Unified Network Threat Hunting.
HUNT reduces the risk of undetected threats using innovative AI and machine learning models with a 60-minute maximum detection time. It is built on existing commercial tools with tailored telemetry collection that consolidates suspicious activity across TIAA’s cloud infrastructure.
HUNT goes after what Sastry Durvasula, TIAA’s chief operating, information, and digital officer, calls “sleeper cells” — those threats that hide in an environment, sending signals back to threat actors and waiting for them to activate an attack.
Durvasula, who oversees security, points out how difficult these threats are to detect and how much manual work has traditionally been needed to identify them in an enterprise environment. Durvasula and his team saw AI as key to reducing that manual work and boosting effectiveness and efficiency.
With no available commercial solution that met its needs, TIAA built its own.
TIAA teams designed the tool in 2024, building and training the AI/ML models to look for patterns that indicate threats. HUNT, which sits on top of existing tools and uses industry tools, including the MITRE ATT&CK framework, notifies an analyst when it detects a threat so the analyst can deactivate the threat.
Rolled out in early 2025, HUNT now reduces the time and resources needed to detect and remediate. “It significantly strengthens our cyber posture,” Durvasula says, adding that he and his team plan to add more automation and intelligence, including generative AI, with the goal of using agentic AI to fully automate threat detection and response.
Walmart enlists AI to proactively identify branded phishing sites at scale
Organization: Walmart
Project: Phishface
Security leader: Jerry Geisler, EVP and CISO
Identifying true threats from the large volume of signals is a challenge familiar to most security functions. To address this, Walmart’s Cyber Intelligence (CI) team created Phishface, a proprietary phishing detection machine learning model trained to identify webpages visually similar to Walmart-branded login pages.
“The volume and influx of brand-abuse websites that were manually processed by the CI team is what initiated the project,” says Jason O’Dell, vice president of security operations.
The CI team built a model that would ingest a feed of domains/websites and identify business-branded websites that could be further fed into detective controls. Once the POC was completed, the CI team transferred Phishface to the SecOps Dev team.
“The primary function of the project was to reduce the volume of signals for probable threats, aiding analysts in identifying potentially harmful and brand-abusing websites,” O’Dell explains, adding that it has delivered “a substantial increase in analyst efficiency and effectiveness.”
“In the past, analysts faced an overwhelming volume of information that was nearly impossible to review in a timely manner. This project rendered that flow of data into a manageable volume, allowing a small team of analysts to efficiently provide timely reviews,” he adds.
The project reduced the number of items by approximately 98.5% on average, enabling analysts to redirect their efforts to higher-priority strategic activities. It has also achieved a 98% level of accuracy, directly enhancing analyst productivity and resource allocation, says Gavin Clark, group director of security operations, threat detection.
Phishface is having a significant impact, O’Dell says, “giving the organization the ability to identify malicious sites quickly, at scale, and feeding that data to other detective controls for near real-time actions. Such a model can analyze web pages rapidly, screen thousands of webpages continuously and adapt to new phishing pages without manual updates. In short, it is shifting detection posture from reactive cleanup to proactive prevention.”