Becoming a Director: My Six-Year Journey in Security

I’ve recently become a Director of Security @ Rocket.Chat. Six years ago, I was a law student with almost no security knowledge. I don’t write much about my career, but this felt like a milestone worth documenting - both for myself and for anyone earlier in their journey who might find it useful.

Berghem - Trainee Through Leading Two Teams

I started my career at 22 in a Brazilian company called Berghem. My first position was “Information Security Trainee” - in practice, I was a penetration tester assessing web applications, mobile apps, APIs, Active Directory, and AWS environments. Before working there, I had a legal background - I was finishing law school at the time and had gone through some legal internships - and had almost no security knowledge. Having grown up in a favela in São Paulo, Brazil, I saw an opportunity in cybersecurity to work with something I really enjoyed at the same time that I could change my life and my family’s. I wanted to transition and Berghem trusted me by giving me an opportunity - which I’m grateful for.

It was hard, though. I was trying to keep my good grades while learning offensive security and working a full time job - it felt like I was trying to change a tire while the car was still running. It was intense, it was exhausting, I thought about giving up a couple of times, but, in the end, it was very rewarding.

Taking on more responsibility and working intensely made me quickly progress through the ranks and start leading two teams: Pentesting and Compliance. It was a time I barely had any time for myself and it did affect me, but I also grew a lot - personally and professionally.

Loadsmart - Offensive Security Engineer Through Senior

In 2021, I wanted to have an international experience and started applying for a few remote jobs abroad. I interviewed for some, got a couple of offers, and eventually landed a job as an Offensive Security Engineer @ Loadsmart - a logistics software development startup based in the US.

We were a small team and I was their first Offensive Security Engineer - which was a bit scary, but also an interesting opportunity as I would be able to create a lot of things from scratch. Some things worked, others didn’t, but I was 100% invested in the role and, in a year, became a Senior (Offensive) Security Engineer. I was definitely not ready, but Marcelo Magina, my manager at the time and now a good friend of mine, trusted me and offered me that position - I won’t forget that.

The work covered a lot of ground: web app pentesting, API pentesting, mobile pentesting, AWS assessments, adversary simulation, phishing assessments, and more. But what I learned at Loadsmart went beyond the technical. Coming from a consultancy, I was used to doing pentests for external customers and moving on. Here, I was part of an internal team - I had to build real relationships with engineering, product, and other departments, understand how they worked, and make security something they actually wanted to support rather than tolerate. I was also part of a broader security function for the first time, working alongside blue teamers, appsec engineers, and compliance analysts. Seeing how those different pieces fit together taught me a lot about what a mature security team actually looks like.

Rocket.Chat - Senior Application Security Engineer Through Director

Loadsmart was a great company to work at, and I was genuinely happy there. After a couple of years, however, I felt like I wanted to try something different and that I wanted more leadership responsibilities. That’s when, in 2024, I got an offer as a Senior Application Security Engineer @ Rocket.Chat with the possibility of becoming a Staff Engineer and being a technical reference for the team.

When I joined, there was no Application Security team, and the vulnerability management process that existed wasn’t as effective as it could be. A blank canvas in many ways. I started building it: redefining processes, creating threat modeling and application security reviews, integrating security into engineering workflows, and fixing over 60 vulnerabilities myself by getting my hands dirty in the code.

A few months after joining the company, the Security Manager left and the CTO offered me the opportunity of becoming Rocket.Chat’s Head of Security. Due to the size of the team, the culture, and the nature of the position, I was able to lead the team while remaining very hands-on - the best of both worlds, in my opinion. As Head of Security, I hired two new Application Security Engineers and we created a team fully focused on application security. The results were tangible: we responded to issues 10x faster and fixed them 4x faster than before.

In early 2026, I got a few interesting offers and thought about leaving, about trying something new, building something elsewhere. At the time, however, I felt like I had unfinished business at a company that has been very important in my career. I ended up staying. And, with that decision, came my promotion to Director of Security.

Looking Back, Moving Forward

Looking back, soft skills and adaptability made the biggest difference. I was never the most technical person on my teams - there were far more talented engineers around me - but being a jack of all trades, someone who could speak the language of developers, executives, and engineers alike, let me establish meaningful connections across teams and explain security in terms that resonated with both technical and non-technical audiences. That’s how I convinced leadership at different companies to take security seriously, bring more investment to our teams, and recognize the importance of what we were building.

Persistence mattered too. Not being afraid to get my hands dirty, to sit with a complex problem until it cracked - that’s what got things done. But I’d be lying if I said hard work was the whole story. Luck played a role. The right opportunities came at the right time - I just tried to be ready for them when they did.

Now, at 28 years old, I have no idea what the future holds for me. There’s a lot of AI fearmongering in the industry right now, and looking forward can feel a bit unsettling. But honestly? I’m also excited for it. Looking back and reflecting on how interesting my career has been so far, I can’t wait to find out what comes next.