Unicorn CISO

Diogo Guerra (SVP Engineering Feedzai)

Pedro @ 33N Season 1 Episode 4

Duration: 32:22

We talk with Diogo Guerra about building fraud and risk platforms at global scale while keeping engineering speed high and security standards uncompromising. We dig into why security leadership sits close to engineering at Feedzai, how they operationalize threat modeling, and where AI helps or hurts productivity. 
• Diogo’s scope across engineering, security, IT, and cloud operations for a 190-person organization 
• Feedzai’s focus on transactional fraud, anti-money laundering, and identity intelligence using behavioral and device analytics 
• Why SaaS responsibility and tier-one bank expectations raise the security bar 
• Balancing developer velocity with open source risk using context-driven vulnerability management 
• Rapid mitigation playbooks across thousands of servers without stopping delivery 
• Nonnegotiable security gates including threat modeling before major production changes 
• Bringing AI into the full development lifecycle with shared context and curated skills 
• A small architecture group distributing AI setups and productivity patterns across teams 
• Managing token cost, model choice, and avoiding lock-in as AI usage scales 
• How Gen AI amplifies social engineering scams and why identity signals matter 
• What agentic commerce could mean for fraud detection and cyber-fraud convergence 
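The "context-driven vulnerability management" point above (the scanner does not know how or where a package is deployed, so its raw severity should not drive the fix order) can be illustrated with a small triage routine. The following is an added example, not Feedzai's tooling or any scanner vendor's API; the findings and deployment contexts are constructed inline, and the scoring adjustments, priority thresholds, SLA values and field names are assumptions chosen for illustration.

```python
"""Context-driven triage of SCA (dependency scanner) findings.

Added example, not Feedzai's code. All finding IDs, package names,
weights and SLAs below are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Optional, Tuple


class Priority(Enum):
    P1 = "mitigate or patch now"
    P2 = "fix this sprint"
    P3 = "schedule"
    P4 = "track only"


# Remediation SLA per priority, in hours (hypothetical values).
SLA_HOURS = {Priority.P1: 24, Priority.P2: 7 * 24,
             Priority.P3: 30 * 24, Priority.P4: 90 * 24}


@dataclass(frozen=True)
class Finding:
    """One scanner result. IDs are constructed, not real CVE identifiers."""
    finding_id: str
    package: str
    cvss: float
    exploit_public: bool
    fixed_version: Optional[str]  # None: no upstream fix available yet


@dataclass(frozen=True)
class DeployContext:
    """What the scanner cannot know: where and how the package actually runs."""
    service: str
    internet_facing: bool
    vulnerable_code_reachable: bool  # e.g. from call-graph / reachability analysis
    compensating_control: bool       # e.g. WAF rule, feature disabled, network ACL


def context_score(f: Finding, ctx: DeployContext) -> float:
    """Adjust the raw CVSS score by deployment context, clamped to 0..10."""
    s = f.cvss
    if not ctx.vulnerable_code_reachable:
        s -= 4.0   # vulnerable code path never executed in this service
    if not ctx.internet_facing:
        s -= 2.0   # attacker needs an internal foothold first
    if ctx.compensating_control:
        s -= 1.5   # a control in front of the flaw must be broken first
    if f.exploit_public:
        s += 1.5   # weaponised: assume it will be tried
    return max(0.0, min(10.0, s))


def priority_for(score: float) -> Priority:
    if score >= 9.0:
        return Priority.P1
    if score >= 7.0:
        return Priority.P2
    if score >= 4.0:
        return Priority.P3
    return Priority.P4


def action_for(f: Finding, prio: Priority) -> str:
    """Without an upstream fix, urgent findings get a mitigation, not a patch."""
    if f.fixed_version is None:
        return "mitigate" if prio in (Priority.P1, Priority.P2) else "monitor for fix"
    return f"upgrade {f.package} to {f.fixed_version}"


def triage(pairs: Iterable[Tuple[Finding, DeployContext]]) -> List[dict]:
    """Score every (finding, deployment) pair and return them most urgent first."""
    rows = []
    for f, ctx in pairs:
        s = context_score(f, ctx)
        p = priority_for(s)
        rows.append({"service": ctx.service, "finding": f.finding_id,
                     "score": round(s, 1), "priority": p.name,
                     "sla_hours": SLA_HOURS[p], "action": action_for(f, p)})
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


# Constructed sample: the same critical finding deployed in two very different services.
PARSER_BUG = Finding("FND-0001", "some-parser", 9.8, exploit_public=True, fixed_version=None)
SAMPLE = [
    (PARSER_BUG, DeployContext("api-gateway", True, True, False)),
    (PARSER_BUG, DeployContext("nightly-batch", False, False, True)),
    (Finding("FND-0002", "some-logger", 7.5, False, "2.4.1"),
     DeployContext("api-gateway", True, True, True)),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

The point of the sample is the first two rows: identical scanner output lands as P1 "mitigate" in the internet-facing gateway (no fix exists, so a mitigation has to be rolled out) and as P4 "track only" in an internal batch job where the vulnerable code is never reached. In practice the context fields would be fed from the deployment inventory and reachability tooling rather than typed by hand.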


Welcome And Guest Background

Speaker

Welcome to the Unicorn CISO Podcast. It is Pedro from 33N. Let's get started with today's episode. All right, thanks everyone for joining another episode of the Unicorn CISO podcast. Today we're lucky to have Diogo Guerra, Senior VP of Engineering at Feedzai, joining us on the podcast. Welcome, Diogo. Thank you for joining.

Speaker 1

Thank you, Pedro. Thank you for the invite.

Speaker

Thank you. It's very interesting to have someone who takes on the engineering leadership as well as security inside the company, so I'm sure we'll get to discuss that. Just as a starter, could you provide an overview of how you got to the role you have today? What is the scope of your function?

Speaker 1

Sure. So basically I'm one of the first employees at Feedzai. I joined as a software engineer and quickly became the leader of the engineering group, initially with four or five engineers. Today I own not only the engineering teams but also security and IT, as well as cloud operations, which is also part of engineering: a team of roughly 190 people so far this year.

What Feedzai Builds And Why

Speaker

Could you also provide an overview of Feedzai as a company and where you are? What's the scope of the company today?

Speaker 1

So Feedzai is basically focused on risk management, mainly around transactional payments, cards and transfers, and also part of the risk on AML. Over the years we have expanded not only from the core of transaction fraud but also into adjacent fields such as behavioral analytics and device analytics, which are becoming much more important for detecting fraud. So today we have our core business of transactional fraud. Then we have expanded to anti-money laundering, and over the last five years we have been developing the space that we call identity, which, as I was mentioning, has multiple solutions around devices, both web and mobile, and around understanding the behavior of end users. That is deployed in the mobile apps or web banking of our customers and helps them, and us, detect fraudulent behavior even before the transaction actually happens. We operate on all the continents. We mostly focus on tier-one financial institutions, and last year we processed around 120 billion transactions worldwide, which is about 9 trillion dollars of money that we have monitored.

Speaker

Amazing. So a great footprint in fraud for financial services. Obviously there are tight links between engineering and security, especially in areas like AppSec.

One Leader For Engineering And Security

Speaker

But I was curious how your role of having both engineering and security came to be. We obviously discussed between us that it's a bit of a circumstance of the evolution of the team, but I was curious whether there are also good reasons, in the case of Feedzai, for the security and engineering leadership being under the same role.

Speaker 1

Yeah, so again, I'd say that in general tech companies tend to have security as well as engineering under the same leadership, traditionally the CTO. As our founding CTO stepped down to pursue different challenges, I took over basically all the technology functions. And I agree that in a tech company the product is the core of the company. In our case the core is also dealing with a lot of personal identification data and card data, so there's a lot of data privacy involved. So I think it really helps to have the security side, the development side and the operational side of the core of the company run through the same leadership, because we need to make the right trade-offs in order to move the business forward while also making sure that it's safe, because ultimately if customers lose their trust in us, we also lose the business, right? So there's a big reputational side at play as well. But it's definitely a day-to-day trade-off and challenge between speed and security.

Speaker

Very clear. I mean, obviously fraud and cyber are quite intertwined, right? And so it could also be the case that in a company that plays in fraud there's already a general sense, a general feeling for security best practices, both on the software development side and across all the functions of the company, right? Would you say, from your experience comparing to other tech companies, that there's inherently a higher perception of security risk at Feedzai versus others?

SaaS Shift And Rising Responsibility

Speaker 1

Yeah, so I think it has been an evolution of multiple factors. The fact that we mostly work for very large financial institutions, we usually target the top banks worldwide, which have massive security and compliance structures, and they push that on us. The second is that we took the decision about seven years ago to move from a traditional on-prem setup, where we would develop software but it would be operated inside the customer firewalls, to a SaaS model. Today we run basically 95% of our workloads in a SaaS model in the cloud. You're basically taking additional risk and additional liability on your side, which is something we need to take very seriously. In a world where they were not even used to sending the data across, it put a lot of eyes on our security best practices and our security posture. And that became part of the DNA of the company, right? Being one of the trailblazers of this space, moving to SaaS and taking that responsibility, definitely shaped how we think. So from what I see with peers, we definitely take security, I wouldn't say more seriously, but we probably invest more as a consequence of doing business with and dealing with these very large organizations, which by themselves are already very mature and have massive investment in this field.

Speaker

Makes perfect sense. I guess the friction line might come when we move on to what is actually one of the core topics of this podcast, right?

Open Source Risk Without Slowing Down

Speaker

Which is balancing productivity, in this case product development speed, with security, right? And this is a big topic in itself, particularly now when we talk about how open source software brings risk into an organization, how third-party libraries, etc., are sources of liability. So how do you manage it, and what's the friction line, in your experience, between speed and developer velocity today and security, and code security?

Speaker 1

Yeah, so again, as the majority of more recent tech companies are building software, you heavily depend on open source, right? Because your core business is to build software applied to a domain, not to create general tech. So Feedzai is not different. We have a very large dependency on open source, which also gives us a lot of credibility, stability and innovation, but that comes with its own risks. What we usually do is always come with a lens of what the threat is, what the risk to our business is. As an example, you can have tools scanning your software, but they don't know how it is effectively deployed, what the context is, what the other controls are. So we always have this mindset that we don't just take the outputs of the tools and treat them as something that needs to be fixed right away without any context. But at the same time, when we do see some of the risks, and we see that they can eventually be exploited after some of the previous controls are broken, we take it seriously, and we have the mechanisms to roll out very quickly. As an example, with the Copy Fail threat that happened, I believe, slightly more than a month ago: it was published by the European authorities on a Friday, roughly 9 a.m. In the US it was reported roughly 12 hours before. We took basically 18 hours, not to effectively patch, because the fix was not there yet, but to roll out the mitigation across all of our fleet, both for customers as well as corporate, which is more than 3,000 servers worldwide, in less than 18 hours. And we didn't have to stop the company to do that; the teams just executed as they are trained and prepared for.

Of course, this comes with the compounding effect of all the automation that we have, all the practices to operate large-scale infrastructure. And the same actually happened six or seven days after with two new vulnerabilities. So that's basically how we balance it: from one side we need to be ready; from the other side we also look at what the possible impact is in the context of Feedzai. And we have a straight relationship between the security and development teams, and for sure it helps being under the same leader.

Speaker

Very clear. Obviously on the response side this is always a challenge, especially when you have zero-day or close to zero-day vulnerabilities. On the prevention side, are there limits? Are there non-negotiable gates that you've found yourself discussing with the teams, gates that are non-negotiable for security and that you cannot compromise for developer velocity?

Nonnegotiable Gates Like Threat Modeling

Speaker 1

Yeah, so we have been evolving our security practices. Vulnerabilities are just one of the things that we look into, but even from the development phase there is threat modeling, understanding where the applications can bring additional risks, even beyond the vulnerabilities, right? Because one thing is looking at open source vulnerabilities, which we have tools to scan, and we have the traditional gates: when you're building an application you cannot bring in a dependency with existing critical vulnerabilities. But it's more than that. You're building authentication systems, you're building applications and APIs that could be vulnerable beyond the open source, and that's why having a close relationship is part of the official process. We cannot take a service or a major change to production without threat modeling. That's a collaboration between the AppSec team and the development teams, which we started small, and we are getting more and more mature at doing it. Even more recently we are starting to develop AI skills to help the teams do those analyses faster, and even during development, having the AI support to make sure that when you get to the threat modeling part, the threats themselves were already handled.

Speaker

All right, so you start as early as threat modeling, which is maybe already beyond what larger corporates do, right? Not the tech companies, but this is already non-negotiable for you.

Speaker 1

Yeah, so definitely we have moved away from just the open source vulnerabilities, for which we have pipelines that validate them, and we are trying to tighten those controls, meaning how much time you're allowed to keep executing pipelines when new vulnerabilities come in on the software that you already have. And actually one of the first agents that we are putting, quote, in production, production meaning for our own use, is a CVE agent, which is basically connected to our SNC instance, which is the tool we use for vulnerability assessments. It continuously monitors and prioritizes the new vulnerabilities that were raised, applies the fixes automatically to the code bases, then runs the tests and ultimately sends it out to the team to approve, to basically facilitate the whole process.

Speaker

Very clear.

Using AI Across The Dev Cycle

Speaker

This is actually a good segue into software development velocity, or productivity, right? Over the last two years a lot has changed, and there are big expectations of improvements with the use of code copilots, etc. So the question to you is: what's your reflection on the opportunity there? And also, with regard to security, whether this can in certain circumstances be a major blocker to achieving these productivity targets?

Speaker 1

So I think we are in a pendulum, right? A few months back it seemed like every software engineering role would be extinct in 12 to 24 months. More recently it seems to be the tokens doomsday, because now tokens have become more expensive than the actual software engineers. So I think we got to the two extremes. My opinion, and the way we are approaching it at Feedzai, is that on one side it will probably fall in the middle, in the sense that companies need to be more mature at using these tools. But also, as the models mature, maybe you don't need to depend on the most expensive and heaviest model to do the majority of the tasks. If you look today at, say, Kimi models versus a Claude model, they're basically one order of magnitude cheaper, and they can probably do 50% of the tasks. For sure it's not 100%, but it's definitely something that will change the economics. So the way we are approaching it is making sure that we include AI in the full software development cycle, meaning that every engineer who joins Feedzai should be highly productive with AI in a matter of weeks, not months or maybe years, in the context of Feedzai. So making sure that the tools we are using have access to all of our context, like the Jiras, the CI/CD systems, the SNCC, basically all the tools that we use, and also building a significant amount of curated skills that help our teams develop faster, but with the rules and the mindset that we have at Feedzai. As an example, there are definitely skills coming from the security team helping with that. There are skills helping the teams make sure that we reuse software properly, and this also affects the security of the systems: how the systems authenticate, how the systems should handle encryption.

So all of the architectural best practices that are also security related, we are basically incorporating into these skills to make sure it helps scale the teams faster and get that velocity without the need for a lot of training. So in my opinion this can help us much more to scale the knowledge in the company. But we definitely still need good engineers, and that has always been our core. We need engineers whose work the tools accelerate, but they need to have a critical mindset, they need to know exactly what we want to build, and then leverage the tools to do it faster. So our expectation is definitely that we can elevate the speed, and in some cases, and I think security is one of them, because it's not a traditional or highly developed skill for all engineers, you can elevate that knowledge and that output by introducing those skills and tools into the development cycle.

Speaker

That's very interesting, the level of control and care in building skills. Do you have a specialized small platform team to curate and push the effort for the whole organization, or not? Does this in the end rely on the individual needs of each engineer, a collaborative effort with local initiatives from each interested party?

Speaker 1

Yeah. We basically have a set of people who in this case are actually working directly under my guidance. We launched Cursor roughly a year ago, more than a year ago, but without this concern of how we make it integrated, how we bring in the context of Feedzai, and we had, let's say, mild results. Right now we took that difference: how do we make sure that it's not just about skills, it's about distribution, how do we distribute these things fast, how do we make sure that everyone is using the same setup? So I have a team that we call the technology and architecture group, which is basically four principals who work very close to me, and they usually try to solve engineering-wide challenges. It's not just designing architecture from the ivory tower, let's put it that way, but really understanding what can help the team overall on the day-to-day. Productivity and reliability are definitely part of the core values. So right now they are driving it with the support of some teams, and they are the ones responsible for that. I think it really helps with bootstrapping; let's see how it evolves. Of course, they are working day-to-day with the rest of the teams, even getting time allocated with particular teams to help them come to the right mindset. Because AI is not just about learning AI, even though there are no instruction books on how to use AI; it's also a different mindset. Engineers will probably stop making certain mistakes, the traditional more buggy code that comes from not remembering something, sloppiness and so on, and move towards different types of risks. That also requires an adjustment of mindset. And that's why we are doing this with the more senior people, who have, let's say, a good enough gut feeling for the transition.

But that's how we are rolling it out.

Speaker

Quite interesting. Just out of curiosity, this is four people, and how many people are in the engineering org?

Speaker 1

Roughly 180 in the product organization overall. Then we have about an additional 100 people closer to services. But this team is actually even catering, not with the same level of investment, but for example making sure that our internal tool that does this distribution also works for product managers to quickly prototype. They have actually built the integration with our user interfaces. So today a product manager can use AI to do some prototyping, and it's already integrated with our design system, our deployment processes, our single portal, and they can directly publish, not yet to production, that will require some additional validations, but at least to lower environments, without having to go through the traditional pipelines and the hurdle of a software engineer. So this team is also looking at some of those, I'd say, non-tech use cases as well.

Speaker

Very clear. So it even extends beyond engineering work. Very interesting.

Managing AI Tooling Cost And Lock In

Speaker

Final question on this topic, because it's quite interesting but we also have to make sure we cover others, is around cost management, which you mentioned before. In your case, and at this point in the maturity of using these tools, are you already looking to balance this productivity versus cost trade-off?

Speaker 1

Yeah, so we are still in the early stages of analyzing the cost and the value. We try to make it simple. We usually monitor flow metrics of the teams, the velocity and so on. If the flow and the velocity of the team start increasing, that's definitely where we will focus. Right now, because even this more centralized approach has emerged relatively recently, over the last three months, despite already having a lot of progress, the results are still individual by individual, and it's much harder to measure that way. We want to see the team velocity evolving. In terms of cost management, of course we have the observability for that, but we are already thinking about, for example, when we are deploying agents, most of them, because in the beginning they are doing simple tasks, making sure that you don't go with a default model, again the most recent Claude or so, because we don't need those models to do basic code changes. Of course, when you are planning software and so on, it's different. So we are already having discussions about how to avoid being completely locked in to a model or a tool, and eventually having a balance between open source models and proprietary models, but also eventually it will probably make sense to host our own models as we scale the usage and it gets more normalized. We are looking at the economics of that as well.

Speaker

Quite interesting. We could spend the whole episode on this topic, I'm sure. But I also wanted to cover another interesting question, which is: what's the trend on the fraud side? Generally there's this idea that fraud is only growing, and people generally think every type of fraud is growing on the back of Gen AI. So my question to you is, on the defense side and on the attacker side, what impact is Gen AI having on Feedzai's business and on the type of vulnerabilities that you're protecting against?

Gen AI Supercharges Scams And Defense

Speaker 1

Yeah, so again, I would say the main area where it affects us is social engineering. There are multiple types of social engineering, and it's not something new. What happened with Gen AI is that it basically exploded the quantity and quality of social engineering. Scams, for example, were already growing in past years, even before Gen AI, and right now they are the dominant form of fraud. So basically authorized fraud, where you are led to think that a certain transaction you should be making will help you in some way. There are so many types of scams right now, and you actually perform that transaction because you were misguided or led to do it. And for sure voice, synthetic identities, even on the traditional phishing side, the quality and the targeting of those emails: you no longer see the traditional generic phishing emails. They are very targeted, with context about the person, which for sure helps that social engineering get through. On the defense side, that basically just reinforced our investment on the identity side. We started that space with an acquisition roughly five years ago, as I was saying, of behavioral analytics and device analytics, especially on the behavioral side, because what you are trying to understand is, let's say, without storing any PII, because for us it's irrelevant who the person is, having an identifier for that person and tracking their behavior: how fast they type, how fast they are with their touches or with their mouse when using their banking apps, mobile or web. In these situations, in general, if you are hesitant, if you are nervous, we can detect those outliers of behavior and help prevent those transactions, usually by asking more questions or even stepping up authentication. So that has for sure been one of our big focuses over the past years.

And Gen AI just made it so much easier for everyone. It democratized this type of attack. And let's not forget that traditionally fraudsters are the ones that start using all of the recent tech. It was no different with Gen AI.

Speaker

Very clear.

Agentic Commerce And Cyber Fraud Convergence

Speaker

The final question I also wanted to cover is what you're seeing in the next few years. We were talking, even before we started recording the podcast, about how agentic commerce is potentially booming in the next few years. I'm curious whether this and other topics are on your mind for the next couple of years.

Speaker 1

Yeah, for sure. Agentic is definitely one of the things we are investigating and monitoring. There is not yet, let's say, enough data, or even reports, on the volume of fraudulent agents. So how do you understand and detect whether it's a legitimate or a fraudulent agent? Because it's not that we want to block anything that comes from an agent; it's how we detect a fraudulent versus a non-fraudulent agent, right? So that's definitely something we are trying to work on, potentially techniques of fingerprinting and other stuff, but for sure the traditional behavioral analytics won't work for this. And that's effectively why there's another trend we are seeing, which is much bigger than this but might help as well, might have some correlation, which is how we converge the world of cyber with fraud or financial risk. As this becomes much closer to the devices, the users, the context, in many cases data that is traditionally available to cyber teams might be useful for this as well. Even today we already, of course, use IPs to understand what type of IP it is, whether it's behind a VPN or not. This is already basic cyber information, but going further, at the networking level, the firewall level, to understand bits and pieces of information that might help us understand whether a certain transaction or certain behavior is fraudulent or not. So that's definitely something we are watching and investigating with some partners, and I think it will be part of the future over the upcoming years.

Final Takeaways And Goodbye

Speaker

Very clear, Diogo. Thanks, a great ending to the episode. Thanks for taking the time to speak to us. It was super interesting, super insightful.

Speaker 1

Thank you, Pedro.