Automation SIG: A New SIG Adventure

By Aaron Kaplan
Wednesday, January 5th, 2022


Every incident response team globally is facing a serious increase in workload. As attackers scan and penetrate networks via automation, so must defenders look at automation.

However, there is no single silver bullet for "automating away" all of the incident response on the defenders' side. Fortunately, FIRST is a strong community which improves security together. The theme of the Malta conference was "Security is not an island", and SIGs are created for this exact purpose. In other words: it makes sense to share knowledge within the SIG, learn from each other and share the condensed knowledge back to the FIRST community. Together we are stronger. Divided we fall.

What we will do

Our aim is to start with a tour of what exists. We would like to gather your stories first: your successes and, even more interesting, your failures, so that we do not repeat the same mistakes twice.

From there, we would also like to build a list of tools that have proven to be effective, together with their strengths, weaknesses and applicability. After all, a tool that works very well for a specific use case might not be the right one for a different setting. By grouping all the tools available (commercial & open-source), each of us will have a starting point to look at which one might be appropriate to support our own needs.


We also believe in collaboration. That is why we want this SIG to be open to anyone willing to contribute, and also to establish links with other communities like IHAP (Incident Handling Automation Projects group) and TF-CSIRT.

How to get in touch

We plan to kick-start this SIG with a short survey on your needs, your experiences and your potential input. The SIG will have quarterly calls starting at the end of January 2022.

In addition, we will use FIRST's wiki for documentation purposes and for sharing your know-how back to the wider FIRST community.

You can reach the SIG-chairs via email. In addition, we have a Slack channel.

Joining the SIG is easy: just log into the FIRST portal and click join: