Curriculum Vitae
Roger Cato Bergheim Johnsen
Lead Security Architect - Threat Informed Defense
Location: Kongsvinger & Oslo, Norway
Birth: 1982
Summary
Roger is a cybersecurity leader and practitioner with broad experience across Security Operations, threat hunting, penetration testing, and software development. He currently serves as Lead Security Architect – Threat Informed Defense at Orkla IT, where he designs secure architectures, builds detection capabilities, and mentors teams in SOC, threat intelligence, and vulnerability management.
He is the author of “The Huntbook by Predefender”, an online resource for professionalizing threat hunting and incident response. In addition, Roger develops proof-of-concept security tools such as Wraithbind (a Rust-based C2/threat emulation platform) and Sentifender Lexica Detectica (a Streamlit app for exploring Microsoft Defender/Sentinel schemas). Predefender is Roger's personal initiative to both drive innovation and teach threat hunting to the masses.
With a strong background in information security consulting and hands-on programming, he combines strategic vision with technical depth. A passionate Capture The Flag (CTF) participant and reverse engineer, Roger thrives at the intersection of red and blue teaming, bringing creativity, precision, and persistence to solving complex security challenges.
Contact
Media | Contact |
---|---|
Phone | +47 91800451 |
E-mail | rogercbjohnsen@gmail.com |
LinkedIn | https://www.linkedin.com/in/rogerjohnsen/ |
Experience
Orkla IT
Lead Security Architect - Threat Informed Defense
June 2025 - present
In this role, I focus on designing secure, scalable, and resilient architectures that incorporate threat intelligence and adversary behavior insights. My work emphasizes proactive threat detection through intelligence-driven threat hunting and purple teaming, helping to strengthen the organization’s detection and response capabilities. I collaborate closely with cross-functional teams to ensure security is embedded throughout the technology lifecycle and aligned with business objectives.
I also support knowledge sharing across the organization by mentoring teams in SOC operations, threat intelligence, and vulnerability management, and by fostering a culture of secure design. Through regular technical risk assessments and targeted mitigation strategies, I help identify and address security gaps. Staying ahead of emerging threats is a core part of the role, and I continuously adapt our defenses to meet the demands of a dynamic threat landscape.
Achievements: Introduced the company to Threat Informed Defense through threat intelligence, log investigation, pentesting and curiosity. Have uncovered severe vulnerabilities in current infrastructure.
Head of Cyber Security Operations
March 2024 - June 2025. Oslo, Norway
As Head of Cyber Security Operations at Orkla IT in Oslo, Norway, I lead a dedicated team of security experts specializing in SOC, penetration testing, and SAP security. Drawing on my background in threat detection and incident response, I have successfully shaped strategic security initiatives to safeguard the company and its customers. My focus on developing a resilient and proactive team has been instrumental in addressing complex security challenges and creating a robust security posture.
Achievements: Restructured my department with focus on delivering operational security and consultancy work. Focused SOC into proactive manners and investigation (Threat Hunting), incorporating routines and processes. Tidying the department budget.
SOC Analyst
October 2023 - June 2025. Oslo, Norway
In my role as a SOC Analyst at Orkla IT in Oslo, Norway, I spearheaded the development of threat detection and incident management efforts within the Security Operations Center. By leading a team of analysts, I focused on enhancing our proactive approach to identifying and mitigating threats across diverse environments. My hands-on involvement in threat hunting, SIEM tuning, and escalation processes aimed to improve SOC efficiency and effectiveness, ultimately strengthening our security posture and supporting the organization’s security goals.
Achievements: Focused SOC into proactive manners and investigation (Threat Hunting), incorporating routines and processes. Trained analysts in advanced topics such as reversing, analysis and threat hunting.
Defendable AS (former BDO Cybersecurity)
Senior Security Analyst September 2020 - September 2023. Oslo, Norway
In my role as a Senior Security Analyst at BDO Cybersecurity (now Defendable AS), I focused on coaching and educating SOC analysts while building threat hunting capabilities within the organization. After the transition to Defendable AS in 2021, I took on dual roles: working as a Threat Hunter to identify intrusion artifacts alongside the SOC team and serving as Head of Training to guide and develop analysts into top-tier SOC professionals.
Achievements: I designed and led Defendable’s annual internal SOC education conference, an intensive eight-day program for analysts and employees. The conference featured expert-led sessions on malware analysis, log analysis, and operational technologies, significantly enhancing team expertise and collaboration.
Pedab Norge
Security Analyst MSS November 2017 - August 2020. Oslo, Norway
In my role as a Security Analyst MSS at Pedab Norge, I had the opportunity to build a SOC from scratch, utilizing IBM QRadar for monitoring network activities and analyzing security incidents. I developed processes for daily analysis, aided customers in incident handling, and led the creation of integrations for enhanced analysis work.
Achievements: Built a SOC from scratch, onboarding new analysts, automation through Python scripting
Watchcom Security Group AS
Information Security Consultant September 2015 - November 2017. Oslo, Norway
In my role as an Information Security Consultant at Watchcom Security Group AS, I spearheaded the transition of the Vulnerability Management service “Graywolf” to Tenable products. Managing server and scanner stacks, I assessed vulnerabilities through manual testing and provided crucial support to customers. Additionally, I played a key role in validating alerts and incidents in Watchcom’s SIEM offering as 2nd line support, while also implementing enhancements to the SOC process.
Achievements: Restructured vulnerability management service, rebuilt and enhanced SOC service.
Protego AS
Senior Security Consultant February 2015 - August 2015. Oslo, Norway
In my role as a Senior Security Consultant at Protego AS, I focused on enhancing cybersecurity measures through penetration testing, vulnerability scanning, and security consulting for clients. I played a key role in developing and improving security services, contributing to the overall success of the company. Company defunct as of Aug. 2015 due to bankruptcy.
Achievements: Penetration tested companies with regards to network, services and web.
Making Waves
Senior Systems Consultant September 2011 - January 2015. Oslo, Norway
In my role as Senior Systems Consultant at Making Waves AS, I specialized in Security, focusing on improving software development processes. I managed in-house penetration testing using tools like Acunetix Web Vulnerability Scanner, BurpSuite, custom tools, and browser extensions. I also researched attack vectors, delivered presentations, and published materials to enhance the organization’s security, improving the overall security profile of the development process. In addition, I worked as a web developer in the Open Source PHP department, primarily focusing on the LAMPP stack. I used tools such as Acunetix, PHP XML, MySQL, Apache, MongoDB, eZ Publish, Apache JMeter for load testing, EPiServer, ElasticSearch, and .NET 4.x.
Achievements: Started incorporating security into the development process in the form of vulnerability scanning, load testing and unit testing.
bMenu
Software Developer and implementing agile processes December 2010 - September 2011. Oslo, Norway
In my role as a Software Developer at bMenu, I collaborated with the development team to enhance product functionality in PHP and C#. I also played a key role in implementing agile processes, drawing from my experience with eXtreme Programming and Scrum. Additionally, I set up continuous integration servers, Git repository servers, and Zend Server CE webservers to streamline development processes and improve efficiency.
Achievements: Implemented agile methodologies
Fronter
Web developer & team leader March 2007 - November 2010. Oslo, Norway
In my role as a web developer and team leader at Fronter AS in Oslo, I focused on extending and implementing new features on the learning management system product. I advanced to team leader, overseeing the Scrum process for a six-person development team and an eleven-person team in total.
Achievements: Led a developer team.
Hontas AS
Systems Developer September 2005 - December 2006. Kongsvinger, Norway
In my role as a Systems Developer at Hontas AS, I extended and improved the functionality of a hospital product range, including a handheld terminal and workstation. I developed a messaging extension for a custom C++ web browser on the handheld device and collaborated on the development of a mobile app using C# for Siemens Doculive.
Achievements: First professional job, learned a lot about how hospitals are run.
Diakron Programvare
CEO/Programmer May 2005 - June 2006. Kongsvinger, Norway
Founded a software company during college, developing a PHP-based CMS, “ekorn::websystem”, inspired by concepts from a JSP-based college project.
Achievements: Learned to manage my own company.
Education
Year | School | Study |
---|---|---|
2002 - 2005 | Hedmark University of Applied Sciences | Computer Science |
2001 - 2002 | Øvrebyen Videregående Skole | Kongsvinger, general studies supplementary year (Allmennfag påbygging) |
2000 - 2001 | Kongsvinger Tekniske Fagskole (VGS) | Computer and office equipment repairs |
1999 - 2000 | Kongsvinger Tekniske Fagskole (VGS) | Electronics |
1998 - 1999 | Kongsvinger Tekniske Fagskole (VGS) | Electronics/electric appliances |
Certifications
A small selection of relevant certifications. For more certifications and information, please see my LinkedIn page.
Certification | Issued by | Issued |
---|---|---|
Intelligence-Driven Threat Hunting - Malware | Intel 471 | Jun 2025 |
Threat Hunting Management: Structuring Collaboration Across Teams | Intel 471 | Jun 2025 |
Threat Hunting - Discovery (Level 1) | Intel 471 | Nov 2024 |
Threat Hunting - Collection (Level 1) | Intel 471 | Oct 2024 |
Foundations of Operationalizing MITRE ATT&CK v13 | AttackIQ | Mar 2024 |
Cyber Threat Management | Cisco | Aug 2023 |
Mapping MITRE ATT&CK to CVE for Impact | AttackIQ | Jul 2023 |
Microsoft Certified: Security, Compliance, and Identity Fundamentals SC-900 | Microsoft | Mar 2023 |
Microsoft Certified: Security Operations Analyst Associate SC-200 | Microsoft | Feb 2023 |
Certified Ethical Hacker (CEH) | EC-Council | Jun 2019 |
Publications
Technical
Threat Hunt Book
Predefender.com · Sep 10, 2024 → Ongoing.
The Predefender Threat Hunt Book is a comprehensive online resource dedicated to threat hunting, created for cybersecurity professionals looking to deepen their understanding of threat detection and response. It combines structured guidance with practical insights, providing an accessible yet in-depth look into the methodologies, tools, and strategies used in modern threat hunting.
Malware Reversing
“The Malware That Wasn’t” - an article on how I reverse engineered a malware sample sent to me.
Other
Series on mindset and thinking
A collection of articles focused on how and in what ways we think. In many ways the precursor to my work at Defendable, culminating in the “Threat Hunt Book” (2024). Articles released on Medium.com between May 2020 and Aug. 2020.
- The ways to think - part 3, riddle me this
- The ways to think - part 2, lateral thinking
- The ways to think - part 1, all the small things
Personal Projects
Wraithbind C2
Ongoing · 2025 → present
Wraithbind is a proof-of-concept Command and Control (C2) and threat emulation platform, developed in Rust with a Node.js/Vue.js operator interface. It explores secure and resilient communication channels using Nostr (NIP-04 encrypted messaging) and IPFS for decentralized bootstrap and resource distribution.
The project demonstrates advanced knowledge of adversary emulation, modular agent design, and backend/API development, and forms part of the Predefender research portfolio aimed at enhancing detection and response capabilities. Not publicly available / available upon request.
Sentifender Lexica Detectica
Ongoing · 2024 → present
Sentifender Lexica Detectica is a Streamlit-based application that provides a searchable reference for Microsoft Sentinel and Defender data tables and schemas. The app enables users, especially threat hunters, to explore relationships between tables with example Kusto queries and pivot points for easier navigation through the data landscape. Publicly available on sentifender.streamlit.app.
Languages
Language | Proficiency |
---|---|
English | Professional working |
Norwegian (bokmål) | Native |