Stripe's Vincent Passaro on Fraud Taxonomies & Generating Red Team Testing Roadmaps
Stripe's 3-person intel team created FT3 (fraud tools, tactics & techniques), a framework modeled after MITRE ATT&CK but purpose-built for financial fraud, to eliminate the communication breakdown in which an alert labeled simply "fraud" had to be reverse engineered by every team that consumed it. The structured taxonomy now powers both analyst workflows and automated fraud systems that must decide within the milliseconds of a transaction: technique-based tagging gives fraud engines the context to make informed decisions without a human interpreting a vague "fraudulent" alert.
Vincent Passaro, Engineering Manager at Stripe Security, walks through their shift from reactive blocking to building infrastructure targeting packages for law enforcement prosecution. By mapping card testing, account takeovers, and money movement techniques across the full attack chain, the team now produces actionable intelligence packages. The framework drives LLM-powered classification of legacy incident reports, threat-informed red team testing by automatically mapping techniques to API capabilities, and standardized intelligence sharing with financial institutions.
Topics discussed:
- Creating FT3 framework modeled after MITRE ATT&CK to establish standardized fraud technique taxonomy
- Transitioning from AWS tier-3 incident response to financial fraud intelligence while applying cloud security methodologies
- Building infrastructure targeting packages that map adversary infrastructure roles for law enforcement prosecution
- Scaling small teams through technique-based tagging that enables fraud systems to make decisions at millisecond transaction speeds
- Leveraging LLMs for automated classification of historical incident reports and mapping fraud techniques to API endpoint capabilities
- Integrating threat intelligence with red team and fraud operations to create threat-informed testing roadmaps prioritized by business impact
Key Takeaways:
- Build fraud-specific taxonomies to eliminate communication gaps where "fraud" requires constant reverse engineering.
- Map fraud techniques across the full attack timeline for complete adversary behavior visibility.
- Create infrastructure targeting packages that identify adversary server roles and network diagrams for prosecution-ready intelligence sharing.
- Leverage LLMs with fraud technique context to automatically classify historical incident reports and identify new techniques.
- Use API documentation and fraud frameworks together with LLMs to generate threat-informed red team testing roadmaps.
- Prioritize threat actor tracking based on business impact and platform prevalence rather than defaulting to nation-state actors or compliance checklists.
- Integrate threat intelligence, red team, and fraud operations under unified leadership to enable rapid validation of observed techniques.
- Design fraud frameworks with extensive contextual documentation to enable adoption by non-security teams and facilitate machine-readable intelligence sharing across organizations.
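The following is an added example, not code from the episode or from Stripe, showing how an FT3-style taxonomy supports two of the workflows discussed above: tagging raw events with technique IDs so a fraud engine acts on technique context rather than a bare "fraud" label, and joining the taxonomy with API documentation to produce a red team roadmap ranked by platform prevalence and business impact. The technique IDs, tactic names, endpoints, impact weights and events are all constructed for illustration and are not Stripe's FT3 data or API; the deterministic capability matcher stands in for the LLM-based technique-to-endpoint mapping the episode describes.

```python
"""FT3-style taxonomy demo: event tagging and a threat-informed red team roadmap.

Everything in this file is hypothetical. Technique IDs, tactics, endpoints,
impact weights and sample events are constructed for the example; the
capability matcher is a deterministic stand-in for an LLM-driven mapping.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Technique:
    tech_id: str            # hypothetical ID, not a real FT3 identifier
    tactic: str             # phase along the fraud attack chain
    name: str
    capabilities: frozenset  # API capabilities the technique must reach


# Hypothetical taxonomy, ordered along the attack chain (validate -> access -> monetize).
TAXONOMY = [
    Technique("FT-CT-001", "validation", "Card testing via low-value authorizations",
              frozenset({"card_auth"})),
    Technique("FT-AT-001", "access", "Account takeover via credential stuffing",
              frozenset({"account_login"})),
    Technique("FT-MM-001", "monetization", "Money movement to attacker-controlled payout",
              frozenset({"payout_create", "bank_account_add"})),
]

# Constructed API "documentation": each endpoint lists the capabilities it exposes
# and a business-impact weight (arbitrary units, e.g. expected loss per abused call).
API_DOCS = {
    "POST /v1/charges": {"capabilities": {"card_auth"}, "impact": 5},
    "POST /v1/login": {"capabilities": {"account_login"}, "impact": 8},
    "POST /v1/external_accounts": {"capabilities": {"bank_account_add"}, "impact": 7},
    "POST /v1/payouts": {"capabilities": {"payout_create"}, "impact": 10},
}

# What an automated fraud engine does per tactic; decided from the tag, not by an analyst.
ACTION_BY_TACTIC = {"validation": "block_source", "access": "step_up_auth",
                    "monetization": "hold_payout"}

# Constructed aggregated events (per source / per account over a short window).
EVENTS = [
    {"id": "e1", "distinct_cards": 45, "max_amount": 0.50},
    {"id": "e2", "failed_logins": 120, "distinct_accounts": 60},
    {"id": "e3", "distinct_cards": 3, "max_amount": 120.00},        # benign-looking
    {"id": "e4", "distinct_cards": 30, "max_amount": 1.00},
    {"id": "e5", "bank_account_added_secs_before_payout": 120},
]


def tag_event(event: dict) -> list:
    """Map raw observables on an event to technique IDs (thresholds are illustrative)."""
    tags = []
    if event.get("distinct_cards", 0) >= 20 and event.get("max_amount", 0) <= 1.00:
        tags.append("FT-CT-001")   # many cards, tiny amounts: card testing
    if event.get("failed_logins", 0) >= 50 and event.get("distinct_accounts", 0) >= 20:
        tags.append("FT-AT-001")   # spray of failures across accounts: credential stuffing
    gap = event.get("bank_account_added_secs_before_payout")
    if gap is not None and gap < 600:
        tags.append("FT-MM-001")   # new bank account then immediate payout: cash-out
    return tags


def decide(event: dict) -> list:
    """Actions a fraud engine can take from technique tags alone, no human interpretation."""
    by_id = {t.tech_id: t for t in TAXONOMY}
    return sorted({ACTION_BY_TACTIC[by_id[tag].tactic] for tag in tag_event(event)})


def count_prevalence(events: list) -> dict:
    """How often each technique is observed on the platform in the window."""
    return dict(Counter(tag for ev in events for tag in tag_event(ev)))


def map_techniques_to_endpoints(taxonomy: list, api_docs: dict) -> dict:
    """For each technique, the endpoints exposing a capability it needs."""
    return {t.tech_id: sorted(ep for ep, doc in api_docs.items()
                              if doc["capabilities"] & t.capabilities)
            for t in taxonomy}


def build_roadmap(taxonomy: list, api_docs: dict, prevalence: dict) -> list:
    """Rank techniques by prevalence * reachable business impact for red team testing."""
    mapping = map_techniques_to_endpoints(taxonomy, api_docs)
    rows = []
    for t in taxonomy:
        endpoints = mapping[t.tech_id]
        impact = sum(api_docs[ep]["impact"] for ep in endpoints)
        rows.append({"technique": t.tech_id, "tactic": t.tactic,
                     "endpoints": endpoints, "score": prevalence.get(t.tech_id, 0) * impact})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["id"], tag_event(ev), decide(ev))
    for row in build_roadmap(TAXONOMY, API_DOCS, count_prevalence(EVENTS)):
        print(row["score"], row["technique"], row["tactic"], row["endpoints"])
```

On the constructed data the money-movement technique is tagged on only one event yet tops the roadmap, because it reaches the two highest-impact endpoints; the more prevalent card-testing technique ranks second. That is the prioritization by business impact and platform prevalence described in the takeaways, rather than by raw alert count.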