FIRST Blog

Seven signals cyber experts agreed on at FIRST Paris 2026

Mon, 23 Mar 2026 00:00:00 +0000

The cybersecurity industry has been facing multiple parallel challenges in recent years. The pace at which cybercrime evolves is hard to match, but gatherings like FIRST provide a unique opportunity for the community to convene, reflect, and move forward together.

Bangalore 2026 FIRST Technical Colloquium highlights resilience, AI, and community

Thu, 19 Mar 2026 00:00:00 +0000

The 2026 FIRST Technical Colloquium in Bangalore brought together a group of security professionals and students for two days of practical learning, technical discussion, and community building on Cisco's campus on February 10-11, 2026. The event created space for attendees to exchange ideas, share lessons learned, and strengthen connections across the incident response community.

Threats, Tech, and Tashkent: FIRSTUZ26 Recap

Wed, 18 Mar 2026 00:00:00 +0000

The 2026 FIRST Regional Symposium for Central Asia brought the global cybersecurity community to Tashkent, Uzbekistan over February 26-27, 2026, marking an exciting milestone for the organization. Hosted by UZCERT and INHA University in Tashkent, it was the very first regional symposium organized by the Forum of Incident Response and Security Teams (FIRST) in Central Asia, and it did not disappoint.

The Trust Builders: FIRST’s African Liaisons

Wed, 11 Mar 2026 00:00:00 +0000

2025 Vulnerability Forecast: Year-End Review

Mon, 29 Dec 2025 00:30:00 +0000

As 2025 draws to a close, we find ourselves in the satisfying position of reviewing forecasts that worked. Next year’s forecast will look and feel a bit different, but you can expect that in January and we like to keep them separate.

Upskilling Communications

Tue, 16 Dec 2025 00:00:00 +0000

Sharing information in cybersecurity is vital for prevention and response. There’s a lot of technical processes available, and best practice to learn from. FIRST, for example, was created for that exact reason back in the 90s, to share techniques and information between teams.

Building Resilience Through Reporting

Mon, 01 Dec 2025 00:00:00 +0000

The Actioning Alerts and Advisories (A4) project aimed to improve threat reporting in cybersecurity by providing technical expertise, analysis, and communications support to National Cybersecurity Incident Response Teams (CSIRTs). The project worked with teams from four countries, fostering collaboration and knowledge-sharing

Building Resilience Through Reporting

Mon, 01 Dec 2025 00:00:00 +0000

he Actioning Alerts and Advisories (A4) project aimed to improve threat reporting in cybersecurity by providing technical expertise, analysis, and communications support to National Cybersecurity Incident Response Teams (CSIRTs). The project worked with teams from four countries, fostering collaboration and knowledge-sharing among stakeholders, and empowering CSIRTs to create actionable reports that can be used to prevent cyber threats.

2025 Q4 Vulnerability Publication Forecast

Thu, 16 Oct 2025 00:30:00 +0000

Usually, we begin a blog post with a review of last quarter, but our volunteer team couldn’t get a forecast out last quarter. We had several pressing matters between multiple team members, and we apologise. So, we’ll move swiftly on to this quarter’s predictions.

Women of FIRST

Mon, 16 Jun 2025 00:30:00 +0000

Cyber Incident Simulation: Piecing Together an Attack Through a Public Policy Lens

APAC DNS Forum 2025

Tue, 03 Jun 2025 00:30:00 +0000

Peter Lowe, FIRST’s DNS Abuse Policy Ambassador, shares a review of the APAC DNS Forum in Hanoi, Vietnam, where he met with representatives from various organizations and had valuable discussions about DNS abuse and data sharing.

Black Basta Ransomware Leak: Key Findings and Insights

Sun, 25 May 2025 00:30:00 +0000

A leak of 200,000 internal Black Basta chat messages reveals how a modern ransomware group structures its operations to attack victims, employing a range of tactics that, theoretically, should be easy to defend against.

Time to kick out Human Error?

Mon, 21 Apr 2025 00:30:00 +0000

Last year I opened a presentation with this: «Human error are the words cyber security guys use when they don't know shit». The response was laughter. But I think it is true. Here's why, and why it's relevant to incident responders.

2025 Q2 Vulnerability Forecast

Tue, 08 Apr 2025 00:30:00 +0000

We’re expecting 9006 +/- 1259 vulnerabilities this quarter, as we close out the year.

The FIRST Board of Directors Launches FIRST’s Strategy Framework

Mon, 03 Mar 2025 00:30:00 +0000

The FIRST Board of Directors is introducing a new structured approach to strategic planning, aimed at enhancing the organization’s ability to fulfill its mission and solidify its position as a global leader in cybersecurity and incident response.

Vulnerability Forecast for 2025

Tue, 25 Feb 2025 00:30:00 +0000

In 2025 we expect another record-breaking year of CVE production. This year we expect 45505 +/- 4,363 CVEs to be published in the calendar year (CY). There’s a 5% chance the actual number exceeds the maximum (49868) and a 5% chance is less than the minimum (41142). Rather than give you a false sense of precision, it’s probably far easier to say we expect between 41-50k of vulnerabilities in calendar year CY 2025.

APAC DNS Forum 2025

Tue, 25 Feb 2025 00:30:00 +0000

Vulnerability forecast 2026: The Year Ahead

Tue, 11 Feb 2025 00:30:00 +0000

As we turn the page on another year and raise our glasses to new beginnings, we at FIRST have been busy doing what we do best: thinking quantitatively about what lies ahead. And our forecast for 2026 is both sobering and, we hope, useful.

The 2024 Vulnerability Forecast: Year in Review

Mon, 06 Jan 2025 00:30:00 +0000

In calendar year 2024 we had another record breaking 40,704 CVEs published.

Ransomware Empowerment Training

Mon, 23 Dec 2024 00:30:00 +0000

The FIRST Multi-Stakeholder Ransomware SIG is very pleased to announce the release of the first version of the Ransomware Empowerment training. This has been a significant undertaking, requiring many months of dedicated effort from our dear SIG members. We have made it our priority to ensure that this training is TLP:CLEAR, so that it can be of benefit to all.

CVSS v4.0 Turns One Year Old

Mon, 04 Nov 2024 00:30:00 +0000

FIRST and the CVSS Special Interest Group (SIG) would like to wish a very happy first birthday to the newest version of CVSS, version 4.0!

2024 Q4 Vulnerability Forecast

Mon, 23 Sep 2024 00:30:00 +0000

We’re expecting 9006 +/- 1259 vulnerabilities this quarter, as we close out the year.

From Fukuoka to Copenhagen: LAC’s Insights on the Latest Cyber Threat Trends

Fri, 28 Jun 2024 10:30:00 +0000

The 36th annual FIRST Conference, "FIRSTCON24," was held from June 9 to 14, 2024, in Fukuoka, Japan. This marked the first time in 15 years that the conference was hosted in Japan, with the last event taking place in Kyoto in 2009. The conference saw a remarkable turnout with 997 participants from 99 countries and regions.

Unveiling Active Directory Security Risks: A Comprehensive Analysis of Management Issues and Vulnerabilities

Fri, 21 Jun 2024 10:30:00 +0000

In this report, CyCraft research team analyzes 27 listed companies in Taiwan, Level-A government agencies and healthcare institutions, covering 46 AD Domains, with 1,057,000 objects included.

2024 Q3 Vulnerability Forecast

Wed, 29 May 2024 00:30:00 +0000

As usual we like to verify our previous forecast before we make the next one. Due to travel, I must do this a few days before I should (normally on the 1^st of June).

2024 Q2 Vulnerability Forecast

Thu, 25 Apr 2024 10:30:00 +0000

So what are we expecting in terms of numbers of CVEs this quarter?

The vulnerability forecast for 2024

Thu, 11 Jan 2024 10:30:00 +0000

Every year we make a prediction to the number of vulnerabilities we expect to see published by NVD. We define this as the number published between New Year’s Day in 2023 to New Year’s Eve 2023, which is not the same as CVE’s that begin with 2023 as an identifier.

Is the LoA DoA for Routing

Fri, 22 Dec 2023 10:30:00 +0000

Back in the early days of the Internet, when everybody knew everybody, the way that you validated yourself to a Certificate Authority (CA) for an X509 certificate for Secure Sockets Layer (SSL) was to send a fax on company letterhead.

The rising tide of vulnerabilities…might be more predictable than you think.

Wed, 22 Nov 2023 18:00:00 +0000

Over two days in late September, attack surface management teams, incident responders, data scientists, and vulnerability management practitioners gathered in Cardiff, Wales.

The 35th Annual FIRST Conference: Perspectives from a First-time Attendee

Fri, 14 Jul 2023 00:01:00 +0000

In today's rapidly evolving digital landscape, the need for robust cybersecurity solutions has never been more critical.

M3AAWG 58 Meeting in Dublin, June 2023

Fri, 30 Jun 2023 00:01:00 +0000

Sadly, this year I wasn't able to join everyone at the Annual FIRST Conference in Montreal. By all accounts it was a brilliant time and I'm genuinely jealous of everyone who got to be there - especially the DNS Abuse SIG members who got to meet up in person.

Predicting the volume of CVEs with Vuln4Cast

Fri, 02 Jun 2023 00:01:00 +0000

National CERT and CSIRT teams regularly need to write alerts on upcoming CVEs, and might want to know how many alerts to expect to write.

Inside Look: Adobe Incident Response Team Players - Lauren Park, Director, Security Coordination Center at Adobe

Thu, 01 Jun 2023 00:01:00 +0000

Adobe has long focused on establishing a strong foundation of cybersecurity, built on a culture of collaboration, multiple capabilities, and deep engineering prowess. We aim to take a proactive approach to defending against security threats and issues and continuously monitor the threat landscape, learn from, and share our learnings with security experts around the world, and feed information back to our development teams to strengthen our products.

Remembering Andrew Cormack - by Serge Droz

Fri, 12 May 2023 16:00:00 +0000

It’s with great sadness that we learned Andrew Cormack had passed away in April. Andrew was more than just an expert. His curious and open mind inspired many in our community.

123456 again?! Why aren't we learning to address the human factor more successfully?

Fri, 05 May 2023 00:00:00 +0000

People have become the main driver for breaches but the human factors remain insufficiently addressed in the IT security sector. We are working on changing that.

DNS Abuse Techniques Matrix

Wed, 01 Mar 2023 00:00:00 +0000

The DNS Abuse SIG is very pleased to announce the publication of the DNS Abuse Techniques Matrix, the work of many months and a great number of people from various parts of the security and DNS worlds.

Long Time No See!

Thu, 23 Feb 2023 00:00:00 +0000

"Long time no see!” was the most popular phrase at the TF-CSIRT – FIRST Regional Symposium in Bilbao, Spain. And it has been a long time indeed – last time we met all together was in Malaga in 2020. We had some virtual events in the meantime, but it was certainly nice to see old faces and meet new colleagues in real life. The first joint post-pandemic event took place from 30th of January to 2nd of February, kindly hosted by the Basque Cybersecurity Centre.

ICANN was a massive success in getting the word out about DNS Abuse and FIRST

Thu, 27 Oct 2022 00:00:00 +0000

In September, ICANN invited me to talk about DNS Abuse at the ICANN75 AGM in Kuala Lumpur, Malaysia. It was a great success! My presentation ‘The Challenge of Defining DNS Abuse’ was well received, and many attending industry specialists asked good questions, especially about FIRST's work. I made many valuable connections, including people from ICANN, the DNS Abuse Institute, registries, registrars, CERTs, commercial companies, government organizations, and many more.

Building a trusted and Cyber Secure Europe

Fri, 05 Aug 2022 00:00:00 +0000

The European Union Agency for Cybersecurity is dedicated to achieving a high common level of cybersecurity across Europe. For more than 15 years, ENISA has played a key role in enabling digital trust and security across Europe, together with its stakeholders including the Member States and EU bodies and agencies.

Average Ransom Payment Up 71% This Year, Approaches $1 Million

Fri, 29 Jul 2022 00:00:00 +0000

With the recent release of the 2022 Unit 42 Ransomware Threat Report, we thought it would be a good time to take a quick look at ransomware activity that we’ve seen so far in 2022.

SOARs vs. No-Code Security Automation: The Case for Both

Fri, 22 Jul 2022 00:00:00 +0000

Just a few years ago, security orchestration, automation and response (SOAR) was the new buzzword associated with security modernization. Today, however, SOAR platforms are increasingly assuming a legacy look and feel. Although SOARs still have their place in a modern SecOps strategy, the key to driving SecOps forward today is no-code security automation. Read on to learn what lightweight security automation means, how it compares to SOAR and why SOARs alone won’t help you stay ahead of today’s security threats.

I Want the Needle and the Haystack: YARA + Security Analytics for Incident Response

Fri, 15 Jul 2022 00:00:00 +0000

I want the needle, and the haystack to go along with it. Attackers take advantage of siloed data and security tools to exploit systems using misconfigurations and move laterally. This lateral movement across different attack surfaces has attackers flowing between the control plane and data plane of your environment to escalate privileges and seek out targeted access.

The Challenge of Defining DNS Abuse

Thu, 19 May 2022 13:00:00 +0000

DNS Abuse is a pretty widely used term. On the surface, it might seem like a simple term that's easily understood. But when you look more closely, the definition depends on your perception of the issue—and can be defined both broadly, or more narrowly.

FIRST Technical Colloquium in the Netherlands – sees global experts converge in Amsterdam to share knowledge and inspire collaborations

Thu, 28 Apr 2022 01:00:00 +0000

I had the absolute pleasure of participating in and attending the recent FIRST Technical Colloquium at the W Hotel in Amsterdam, Netherlands, April 12–14. It was great to see nearly 100 people attend and over 50 people participating in training at this long-awaited in-person event. The program featured 17 speakers and two on-site trainers who held several popular workshops.

Keep CSIRTs out of the lines of fire

Thu, 24 Feb 2022 16:00:00 +0000

FIRST encourages states to not attack CSIRTs and critical infrastructure

Automation SIG: A New SIG Adventure

Wed, 05 Jan 2022 00:00:00 +0000

Every incident response team globally is facing a serious increase of workload. As attackers scan and penetrate networks via automation, so must defenders look at automation.

Meeting in person at the FIRST Oslo Technical Colloquium

Tue, 07 Dec 2021 17:00:00 +0000

Last month, I was honored to be one of the planners and participants of the FIRST Technical Colloquium (TC) in Norway. Organized by FIRST members, the event was held just outside of Oslo at the Telenor Expo, Telenor headquarters in Fornebu.

Threat hunting: an outdated technique or a tactical advantage?

Mon, 02 Aug 2021 00:00:00 +0000

Velociraptor vs. PrintNightmare

Mon, 26 Jul 2021 00:00:00 +0000

Hunting a Zero day!

Ongoing campaign leveraging Exchange vulnerability potentially linked to Iran

Mon, 19 Jul 2021 00:00:00 +0000

Industry Peers Are the Path Towards a Collective Defense

Mon, 12 Jul 2021 00:00:00 +0000

Thank You FIRST Community for Helping Team Cymru Reach a New CSIRT Assistance Program Milestone

Thu, 28 Jan 2021 17:00:00 +0000

Together, We’re Creating Better Threat Intelligence Sharing for the World

Preparing for Post-Intrusion Ransomware

Mon, 11 Jan 2021 17:00:00 +0000

This evolving and brutally effective threat can have a significant impact on an organization’s resources, finances, and reputation, but it can be stopped

Using similarity to expand context and map out threat campaigns

Mon, 04 Jan 2021 17:00:00 +0000

Cyber Threat Intelligence (CTI) practitioners can gain insight into adversary operations by tracking conflicts or geopolitical tensions. Similar to a “follow the money” approach in criminal investigations, looking at conflict zones can reveal cyber capabilities deployed as part of events —either by the parties to the conflict itself, or third parties interested in monitoring events for their own purposes.

Forecasting: All for One and One for All in Cybersecurity

Mon, 21 Dec 2020 17:00:00 +0000

Current Events to Widespread Campaigns: Pivoting from Samples to Identify Activity

Mon, 14 Dec 2020 17:00:00 +0000

Pay2Key – The Plot Thickens

Mon, 07 Dec 2020 17:00:00 +0000

Last weekend we issued a ransomware alert about a wave of attacks using a never-seen-before strain dubbed ‘Pay2Key.’ Our investigation suggested the ransomware operators were mostly targeting Israeli companies. The ransomware used in the attacks spread rapidly across victims’ networks, leaving significant parts of the network encrypted along with a ransom note, threatening to leak stolen corporate data unless the ransom is paid.

Ethics, Responsibilities, Vulnerabilities

Mon, 18 May 2020 15:00:00 +0000

Coordinated Vulnerability Disclosure is hard: Here is what to do about it.

Maturity Level 3 (Advanced) - Proactive...we’re ready for anything (mostly)

Thu, 24 Jan 2019 14:00:00 +0000

Hopefully what we’ve outlined as suggested services and functions a PSIRT could offer at the various stages of their development will be helpful and inspires your team to raise their game.

Maturity Level 2 (Intermediate) - I am reactive, but I’ve trained for it!

Wed, 23 Jan 2019 14:00:00 +0000

Are you mature, are you immature - what are you? Maturity Level 2 is about adapting the ad-hoc PSIRT strategies into full blown policies and processes.

The Beginning - a very fine place to start!

Tue, 22 Jan 2019 14:00:00 +0000

To start you on your path to PSIRT goodness, you’ll want to read and digest the PSIRT Maturity Document created by your friendly global FIRST PSIRT representatives. And what’s a better place to start than at the beginning?

What is a PSIRT and where do I start?

Mon, 21 Jan 2019 14:00:00 +0000

The right place to get your fill on how to make a world-class Product Security Incident Response Team.

Cold Incident Response 2018

Mon, 29 Oct 2018 19:00:00 +0000

An organizers view on the 2018 Oslo Technical Symposium

100 days on the board of directors of FIRST

Mon, 29 Oct 2018 19:00:00 +0000

Alexander Jaeger shares his expirience after 100 days being on the board of directors of FIRST.

FIRST address to the Global Commission on the Stability of Cyberspace

Sat, 22 Sep 2018 10:00:00 +0000

Maarten Van Horenbeeck, Board Member of FIRST, delivers a statement to the Global Commission on the Stability of Cyberspace, in Singapore.

Ready to Respond to the Cyber Norms Debate

Mon, 23 Apr 2018 10:00:00 +0000

Klée Aiken, APNIC's External Relations Manager, shares his views on cyber norms and how they will impact incident responders.

The GDPR and WHOIS privacy

Thu, 12 Apr 2018 07:00:00 +0000

Background on the issue

CERT NZ Statement about WHOIS and GDPR

Tue, 10 Apr 2018 07:00:00 +0000

CERT NZ describes how important the usage of WHOIS is during an incident investigation.

A Long History of Building Trust and Engagement

Tue, 27 Mar 2018 10:00:00 +0000

Microsoft's Principal Security Program Manager, Jerry Bryant, discusses a long history of building trust and engagement in security.

FIRST at the Global Conference on Cyberspace (GCCS)

Sat, 06 Jan 2018 10:00:00 +0000

An overview of the Global Conference on Cyberspace, and the work FIRST does in the policy community.

Security, Incident Response, Privacy and Data Protection

Mon, 11 Dec 2017 13:00:00 +0000

EUrope is in the course of introducing completely new legisaltion regulation privacy and data protection. Much of the data that CSIRTs use potentially is affected by this.

Towards efficient cyber resilience

Mon, 27 Nov 2017 10:00:00 +0000

As the internet becomes imorteant in every more areas of our daily lifes ways need to be found to ensure resilience. The by far most important to achieve cyber resilience is collaboration across boarders.

Behind the scenes at the FIRST-tech team

Mon, 06 Nov 2017 16:00:00 +0000

The FIRST tech team is re-working a lot of things behind the scenes. Some insights from the frontier.

Strengthening the community of Incident Response and Security Teams

Wed, 01 Nov 2017 02:00:00 +0000

Recent updates from the Board of Directors about recent activities and an outlook what we are currently working on.

Training in emerging nations: Laying the seed to close the digital divide

Thu, 19 Oct 2017 10:00:00 +0000

For the longest time the growing Internet and digital communication was hailed as the path to a new and better world. But poorer countries where mostly left out from the benefits. Serge Droz writes about how FIRST delivers training in these regions.

Keynote by Brian LaMacchia: “Post-Quantum Cryptography”

Sat, 17 Jun 2017 10:00:00 +0000

The FIRST Conference’s Keynote sessions concluded today with a presentation by Brian LaMacchia, Director of the Security & Cryptography group within Microsoft Research (MSR). In this department, his team conducts basic and applied research and advanced development.

Keynote by Martijn de Hamer: “18 years old, it’s time to become mature”

Fri, 16 Jun 2017 01:00:00 +0000

Day four of the FIRST Conference began with a keynote presentation by Martijn de Hamer, the head of the National Cyber Security Operations Center (NCSOC) at the National Cyber Security Center (NCSC-NL) in the Netherlands. After having had various roles in the field of information security, de Hamer first started working for NCSC-NL (previously GOVCERT.NL) in 2005. Additionally, he is active in the field of CSIRT maturity and other aspects of CSIRT capacity building.

Keynote by Florian Egloff: “Cybersecurity and the Age of Privateering”

Thu, 15 Jun 2017 23:55:00 +0000

Day 3 of the FIRST Conference got started with keynote speaker Florian Egloff. Florian Egloff is a Clarendon Scholar, a D. Phil (PhD) Candidate in Cyber Security at the Centre for Doctoral Training in Cyber Security at the University of Oxford, and a Research Affiliate at the Cyber Studies Programme at Oxford University's Department of Politics and International Relations. He is currently working on his thesis entitled "Cybersecurity and non-state actors: a historical analogy with mercantile companies, privateers, and pirates."

Keynote by Darren Bilby: “A Decade of Lessons in Incident Response”

Tue, 13 Jun 2017 23:00:00 +0000

Day 2 of the FIRST Conference got started with keynote speaker Darren Bilby, a manager in Google’s Enterprise Infrastructure protection team, who is also a staff security engineer and self-described digital janitor. A 10-year veteran at Google, Bilby was the tech lead for Google’s Global Incident Response Team for six years, managed Google's European detection team in Zürich for two years and has also worked as a software engineer building out Google’s security tools. He was also the founder and a core developer of the open source GRR Incident Response project.

Opening keynote by Alex Stamos at the 29th Annual FIRST Conference in San Juan, Puerto Rico

Tue, 13 Jun 2017 15:00:00 +0000

FIRST's Annual Conference kicked off on Monday morning, June 12th of 2017 with its opening keynote speaker, Facebook Chief Security Officer (CSO) Alex Stamos. As security lead for one of the world’s most noted companies, Stamos began his lecture with some of the biggest security challenges Facebook deals with.