35th Annual FIRST Conference | Empowering Communities


About the Annual FIRST Conference

Established in 1990, FIRST is an international non-profit association of Computer Security and Incident Response Teams (“CSIRTs”), Product Security and Incident Response Teams (“PSIRTs”), and independent security researchers from the public, private, and academic sectors. Membership comprises of over 600 teams with representation from over 100 nations. The annual conference provides a forum for sharing goals, ideas, and information on how to improve global cyber security. FIRST is a front-line enabler in the global response community, providing access to the best practices, tools, and trusted communication with its member teams.

Named one of the Top 19 Information Security Conferences of 2020 by TripWire, the FIRST annual conference promotes worldwide coordination and cooperation among computer security and incident response teams (CSIRTs). The conference provides a forum for sharing goals, ideas, and information on how to improve computer security on a global scale.

FIRST seeks to:

  • Facilitate better communication and information sharing among teams and the global community at large
  • Foster cooperation and coordination in incident prevention
  • Provide prompt rapid reaction to incidents

David Lacey writes in Computer Weekly:

"Of all the security clubs and associations, the one that impresses me most is FIRST. Why? Because it’s focused, born out of real business requirements and it’s highly selective, i.e. you have to be sponsored and audited to gain membership. FIRST is not a club that exists to make an income for its organizers. It’s an international community that serves a real purpose: helping Government, Industry and Academia to respond quickly and effectively to new security threats. So I have no hesitation in recommending that you book a space in your busy diary to attend their Annual Conference."

Who Can Attend?

The annual conference promotes worldwide coordination and cooperation among computer security incident response teams (CSIRTs). Any individual with interest, involvement, or responsibility in the field of incident response and computer security should attend. Attendance to the conference is open to non-members.

This conference will also be of interest to:

  • Technical staff who determine security product requirements and implement solutions
  • Policy and decision makers with overall security responsibility
  • Law enforcement staff who are involved in investigating cyber crimes
  • Legal counsel who work with policy and decision-makers in establishing security policies
  • Senior managers directly charged with protecting their corporate infrastructure
  • Government managers and senior executives who are responsible for protecting systems and critical infrastructure

Past participants have included information security practitioners, executive management, network architects, system and network administrators, software and hardware vendors, security solutions providers, ISPs, law enforcement, and general computer and network security personnel.

Conference Benefits

The conference provides a forum for sharing goals, ideas and information on how to improve global computer security. The five-day event includes:

  • Incident Response, Management, and Technical Tracks
  • Hands-on Workshops and Tutorials
  • Featured Keynote Presentations & Panel Discussions
  • Special Interest Groups (SIGs) & Birds of a Feather (BoFs) Meetings
  • Global Networking Opportunities
  • Lightning Talks
  • Exhibit Hall

In addition to sharing FIRST’s mission, attending the annual conference will enable you to:

  • Earn over 20 continuing professional education credits
  • Learn the latest security strategies in incident management
  • Increase your knowledge and technical insight about security problems and their solutions
  • Keep up-to-date with the latest incident response and prevention techniques
  • Gain insight on analyzing network vulnerabilities
  • Hear how the industry experts manage their security issues
  • Interact and network with colleagues from around the world to exchange ideas and advice on incident management best practices


  • FIRST SIG Updates
  • 0-day In-the-Wild Exploitation in 2022...so far.
  • A Diamond is an Analysts Best Friend Introducing the Diamond Model for Influence Operations Analysis
  • Attack Flow - Beyond Atomic Behaviors
  • Being A Better Defender By Channeling Your Worst Adversary
  • Beyond Incident Reporting - An Analysis of Structured Representations for Incident Response
  • Bridging Together Independent Islands - STIX Custom Objects and Matching Mechanisms to Correlate Cyberspace and Real-World Data
  • Build Automated Malware Lab with CERT.pl Open-Source Software
  • CERT-UA: Research and Technical Analysis of Large-Scale Cyber Attacks in Ukraine in 2021
  • Community Management and Tool Orchestration the Open-Source Way via Cerebrate
  • Creating an Information Security/Information Assurance Program - Lessons Learned
  • CSAF - the Magic Potion for Vulnerability Handling in Industrial Environments
  • CSIRT and SOC Modernization Practices
  • Cyber Ireland - Addressing Cyber Crime Through Industry-Academia-Government Collaboration
  • Cybersecurity Maturity in the Pacific Islands - Integrating CERT Services in a Regional Framework
  • Decoding the Diversity Discussion
  • DNS as Added Security Against Ransomware Attacks
  • Don't Blame the User! Stop the Phish Before it is Even Sent
  • EDR Internals From a Defenders Perspective
  • Endorsing the New Rules
  • Enhancing Operations Through the Tracking of Interactive Linux-based Intrusion Campaigns
  • Follow the Dynamite: Commemorating TeamTNT's Cloud Attacks
  • Formulating An Intelligence-Driven Threat Hunting Methodology
  • Global IR in a Fragmented World
  • Going with the (work)flow? Incident Response for Vicious Workflows
  • How I Handled One of the Biggest Banking Fraud Incidents of 2020
  • How to Secure Your Software Supply Chain and Speed-Up DFIR with Hashlookup
  • How to Talk to a Board so the Board Will Talk Back
  • Improving Sector Based Incident Response
  • Incident Response Investigations in the Age of the Cloud
  • In Curation We Trust: Generating Contextual & Actionable Threat Intelligence
  • Internet Spelunking: IPv6 Scanning and Device Fingerprinting
  • It's Just a Jump To The Left (of Boom)
  • Keynote: Cybersecurity's Image Problem and What We Can All Do About It
  • Keynote: Online Child Sexual Abuse Material (CSAM): The Insider Attack You Have Not Seen Coming
  • Keynote: What Do We Owe One Another In Cybersecurity?
  • Knowledge Management - Nourishing and Enhancing Your Communication and Intelligence
  • Living with Ransomware - The New Normal in Cyber Security
  • More Than a CSIRT: Lessons Learned from Supporting a National Response to COVID-19
  • Never Walk Alone: Inspirations From a Growing OWASP Project
  • No More Ransomware in Critical Infrastructure!
  • Open Source Doesn't Care About You, But You Should Care About It
  • Operation GamblingPuppet: Analysis of a Multivector and Multiplatform Campaign Targeting Online Gambling Customers
  • Prioritizing Vulnerability Response with a Stakeholder Specific Vulnerability Categorization
  • Ransomware Incident Response - The Real-World Story of a Ransomware Attack
  • Ransomware, Risk, & Recovery: Protecting and Creating Resilience for Hybrid Active Directory
  • Ransomware Stages of Grief
  • Reversing Golang Binaries with Ghidra
  • Rise of the Vermilion: Cross-platform Cobalt Strike Beacon Targeting Linux and Windows
  • Sightings Ecosystem: A Data-driven Analysis of ATT&CK in the Wild
  • Speed is key: Leveraging the Cloud for Forensic Artifact Collection & Processing
  • Traffic Light Protocol 2022: Updates for An Improved Sharing Experience
  • The Blue Side of Documentation
  • There is No TTP
  • Threats versus Capabilities Building Better Detect and Respond Capabilities
  • The SolarWinds Supply Chain Compromise
  • Timing is Everything: Generic Trigger Events for Malware Memory Dumping
  • VEXed by Vulnerabilities That Don't Affect Your Product? Try This!
  • Watching Webpages in Action with Lookyloo
  • Who Do You Think You Are?
  • Who Shares Wins
  • Your Phone is Not Your Phone: A Dive Into SMS PVA Fraud