Sandra Bardón
With over 17 years of experience in the field of Cybersecurity, Sandra is a Cyber Security Officer and leads the Cyber Exercises Service at the United Nations International Computing Center (UNICC). Previously, she was a researcher in the Technology Branch at the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) and, before that, a member of the Joint Cyberspace Command (MCCE) from its creation, serving there for 11 years.
Her main areas of expertise are penetration testing, red teaming, and exploitation, as well as, previously, digital forensics, threat hunting, and incident response.
She regularly participates in and helps organize international cyber exercises as a Red Team leader, with over 14 years of experience leading, organizing, and serving as a core team member in some of the world’s most complex and specialized cyber exercises, such as Locked Shields, Crossed Swords, Cyber Coalition (ENISA), Coalition Warrior Interoperability Exercise (NATO), International Cyber Defense (DoD), Ciberbastión (MCCE), multiple exercises for the Spanish Ministry of Defence, and various CTFs organized by SANS and other international organizations.
Sandra is also a frequent speaker at national and international cybersecurity conferences and has taught in several Master’s programs at the Universidad Autónoma de Madrid.
She holds a degree in Telecommunications Engineering and a Master’s Degree in ICT Security from the Universidad Europea de Madrid, and holds certifications including OSCE, OSCP, and GXPN, among others.
She has been awarded the Aeronautical Merit Cross with White Distinction and is a member of the #SomosMujeresTech group, which aims to promote the visibility of women in leadership roles within the technology and innovation sectors.
Session
Designing a solid Red Teaming infrastructure is not just a critical task; it’s a way of life. After years of real-world operations, and surviving them, I’ve learned that the difference between a successful exercise and one that collapses within the first hour often comes down to the C2. Or rather, the C2s.
In this talk, I will present a complete update of the infrastructure I use in the most demanding Red Teaming exercises, where EDRs show no mercy and the margin for error is zero. I’ll discuss how I have evolved from monolithic architectures to distributed environments, with multiple layers, interconnected C2s, advanced redirectors, and fallback techniques that allow operations to continue even when the adversary starts fighting back.
But this isn’t just about tools. It’s about decisions:
- What type of C2 to use depending on the objectives
- When to prioritize stealth over noise
- How to integrate traffic profiles that stay under the radar
- Which protocol is most effective when you need to survive a well-trained SOC
I’ll also share real cases and specific configurations I’ve used, including a complex environment built to emulate APTs in collaboration with MITRE, aimed at enriching ATT&CK with new TTPs. I will also discuss a new C2 that has changed the rules of the game due to its ability to bypass modern defenses with a level of ease that’s almost scary, and which not many people have seen or tested properly yet.
I’ll wrap up with a review of some evasion techniques that have worked for me against well-configured EDRs, no smoke, no empty promises. Only what has actually allowed me to keep operating when the infrastructure was on fire.
This is not a step-by-step guide, it’s a realistic, sharp, and practical look at how to build (and keep alive) a Red Teaming infrastructure in hostile times.