BoFs, SIGs, & Scheduled Side Meetings

Special Interest Groups exist to provide a forum where FIRST Members can discuss topics of common interest to the Incident Response community. A SIG is a group of individuals composed of FIRST Members and invited parties, typically coming together to explore an area of interest or specific technology area, with a goal of collaborating and sharing expertise and experiences to address common challenges.

This SIG Meeting is an opportunity for Academic Security SIG Members to meet in-person and for those interested in the group to learn more about getting involved.

Learn more about the Academic Security SIG at: https://www.first.org/global/sigs/academicsec/

Special Interest Groups exist to provide a forum where FIRST Members can discuss topics of common interest to the Incident Response community. A SIG is a group of individuals composed of FIRST Members and invited parties, typically coming together to explore an area of interest or specific technology area, with a goal of collaborating and sharing expertise and experiences to address common challenges.

This SIG Meeting is an opportunity for Ai Security SIG Members to meet in-person and for those interested in the group to learn more about getting involved.

Learn more about the Ai Security SIG at: https://www.first.org/global/sigs/ai-security/

Special Interest Groups exist to provide a forum where FIRST Members can discuss topics of common interest to the Incident Response community. A SIG is a group of individuals composed of FIRST Members and invited parties, typically coming together to explore an area of interest or specific technology area, with a goal of collaborating and sharing expertise and experiences to address common challenges.

This SIG Meeting is an opportunity for Automation SIG Members to meet in-person and for those interested in the group to learn more about getting involved.

Learn more about the Automation SIG at: https://www.first.org/global/sigs/automation/

Dr. Pedram Hayati is the Founder and CEO of SecDim, where he focuses on redefining developer engagement in security through developer-oriented wargames. As a security researcher who is proficient in offsec to appsec, he has reported thousands of vulnerabilities to Fortune 500 companies, published over 25 zero-days, and has led a global penetration testing team for 2nd largest Defence contractor. Pedram lectures postgraduate security courses at the University of New South Wales, Australian Defence Force Academy. He is the founder of SecTalks.org, the largest non-profit security community in Australia. He has presented at top global security conferences such as at Black Hat, DEF CON, Hack In The Box, OWASP and FirstCon.

Large Language Models promise “auto‑magical” vulnerability hunting and instant patch generation—but how much of that is marketing smoke and how much is deployable engineering reality? In this interactive Birds‑of‑a‑Feather session we’ll cut through the hype and share field notes from teams that have actually pointed LLMs at production codebases.

• What LLMs do well today: accelerating triage, drafting testable patches, and turning dry advisories into human‑friendly tasks.
• Where they bite back: hallucinated fixes, gap‑riddled context windows, supply‑chain disclosure risks, and the sneaky legal gotchas of generated code.
• Benchmarks that matter: precision/recall for exploit paths, patch acceptance rates, and Mean‑Time‑To‑Merge—plus the dirty secrets behind those headline “90 % bug‑fix” claims.
• Guard‑rails that work in real pipelines—prompt‑engineering patterns, policy-as‑code checkpoints, and fall‑back workflows when the robot says “LGTM” but your gut says “nope”.
• A pragmatic checklist for dev leads to pilot, measure, and scale AI‑assisted remediation without burning trust or budgets.

Bring your own war‑stories, scepticism, and caffeine. You’ll leave with actionable guidance, a clearer risk model, and a few ready‑to‑run prompts that survive contact with real‑world CI/CD.

Aashish Sharma is a senior member of the Lawrence Berkeley National Lab CSIRT and has been using Zeek (formally known as Bro) as a part of Berkeley Lab's security.

Aashish has been active in security and incident response community for over 22 years and has presented his work at 3 different FIRST conferences.

Zeek has been a powerhouse in intrusion detection and prevention for over 25 years — trusted by academics, researchers, and companies around the world. Now, wouldn’t it be awesome to bring that energy to FIRST?

Let’s get together to swap stories, share OPSEC tips, brainstorm ideas, and geek out over all things network monitoring and intrusion detection. Right now, there isn’t a dedicated space for this kind of collaboration at FIRST… but with enough enthusiasm, we could kickstart a brand-new SIG (Special Interest Group)!

Whether you’re a seasoned Zeek wizard or just getting started, we’d love to have you join the conversation. Let’s build something great together!

Special Interest Groups exist to provide a forum where FIRST Members can discuss topics of common interest to the Incident Response community. A SIG is a group of individuals composed of FIRST Members and invited parties, typically coming together to explore an area of interest or specific technology area, with a goal of collaborating and sharing expertise and experiences to address common challenges.

This SIG Meeting is an opportunity for CTI SIG Members to meet in-person and for those interested in the group to learn more about getting involved.

Learn more about the Cyber Threat Intelligence (CTI) SIG at: https://www.first.org/global/sigs/cti/

Special Interest Groups exist to provide a forum where FIRST Members can discuss topics of common interest to the Incident Response community. A SIG is a group of individuals composed of FIRST Members and invited parties, typically coming together to explore an area of interest or specific technology area, with a goal of collaborating and sharing expertise and experiences to address common challenges.

This SIG Meeting is an opportunity for Cybersecurity Communications SIG Members to meet in-person and for those interested in the group to learn more about getting involved.

Learn more about the Cybersecurity Communications SIG at: https://www.first.org/global/sigs/communications/

Ken Bagnall is the co-founder of Silent Push and specializes in making (asking his co-founder John for) new data points to map threat actor activity. Previously VP of products at FireEye after they acquired his email security company.

Ken has built a popular free community app for the security community to help establish the risk and reputation of all online infrastructure and track threat actor activity.

This is a chance for everyone to collaborate on some of the DPRK recent activity that is escalating. We'll share what Silent Push has seen across a few different campaigns. We will facilitate a sharing session for members to help everyone get a more rounded view of the activity.

Special Interest Groups exist to provide a forum where FIRST Members can discuss topics of common interest to the Incident Response community. A SIG is a group of individuals composed of FIRST Members and invited parties, typically coming together to explore an area of interest or specific technology area, with a goal of collaborating and sharing expertise and experiences to address common challenges.

This SIG Meeting is an opportunity for Human Factors in Security SIG Members to meet in-person and for those interested in the group to learn more about getting involved.

Learn more about the Human Factors in Security SIG at: https://www.first.org/global/sigs/hfs/

Special Interest Groups exist to provide a forum where FIRST Members can discuss topics of common interest to the Incident Response community. A SIG is a group of individuals composed of FIRST Members and invited parties, typically coming together to explore an area of interest or specific technology area, with a goal of collaborating and sharing expertise and experiences to address common challenges.

This SIG Meeting is an opportunity for ICS SIG Members to meet in-person and for those interested in the group to learn more about getting involved.

Learn more about the Industrial Control Systems (ICS) SIG at: https://www.first.org/global/sigs/ics/

Special Interest Groups exist to provide a forum where FIRST Members can discuss topics of common interest to the Incident Response community. A SIG is a group of individuals composed of FIRST Members and invited parties, typically coming together to explore an area of interest or specific technology area, with a goal of collaborating and sharing expertise and experiences to address common challenges.

This SIG Meeting is an opportunity for Malware Analysis SIG Members to meet in-person and for those interested in the group to learn more about getting involved.

Learn more about the Malware Analysis SIG at: https://www.first.org/global/sigs/malware/

Special Interest Groups exist to provide a forum where FIRST Members can discuss topics of common interest to the Incident Response community. A SIG is a group of individuals composed of FIRST Members and invited parties, typically coming together to explore an area of interest or specific technology area, with a goal of collaborating and sharing expertise and experiences to address common challenges.

This SIG Meeting is an opportunity for Metrics SIG Members to meet in-person and for those interested in the group to learn more about getting involved.

Learn more about the Metrics SIG at: https://www.first.org/global/sigs/metrics/

Special Interest Groups exist to provide a forum where FIRST Members can discuss topics of common interest to the Incident Response community. A SIG is a group of individuals composed of FIRST Members and invited parties, typically coming together to explore an area of interest or specific technology area, with a goal of collaborating and sharing expertise and experiences to address common challenges.

This SIG Meeting is an opportunity for NetSec SIG Members to meet in-person and for those interested in the group to learn more about getting involved.

Learn more about the NetSec SIG at: https://www.first.org/global/sigs/netsec/

Special Interest Groups exist to provide a forum where FIRST Members can discuss topics of common interest to the Incident Response community. A SIG is a group of individuals composed of FIRST Members and invited parties, typically coming together to explore an area of interest or specific technology area, with a goal of collaborating and sharing expertise and experiences to address common challenges.

This SIG Meeting is an opportunity for Policy SIG Members to meet in-person and for those interested in the group to learn more about getting involved.

Learn more about the Policy SIG at: https://www.first.org/global/sigs/policy/

Special Interest Groups exist to provide a forum where FIRST Members can discuss topics of common interest to the Incident Response community. A SIG is a group of individuals composed of FIRST Members and invited parties, typically coming together to explore an area of interest or specific technology area, with a goal of collaborating and sharing expertise and experiences to address common challenges.

This SIG Meeting is an opportunity for CPG SIG Members to meet in-person and for those interested in the group to learn more about getting involved.

Learn more about the Retail and Consumer Packaged Goods (CPG) SIG at: https://www.first.org/global/sigs/cpg/

Trey Darley has been a long-standing member of the FIRST community, and has served a variety of volunteer roles, including a term on the FIRST board, during which he co-founded the FIRST standards committee. Trey is well known for his work on open cybersecurity standards like STIX/TAXII and others. He's also been aligned with the Langsec faction for many years. Trey's patron saints are Grace Hopper, Evi Nemeth, and Paul Erdös.

This Bird of a Feather session will convene the emerging Time Security SIG to address the critical but often overlooked domain of time synchronization security. As modern security operations depend increasingly on precise time correlation, malicious manipulation of time protocols represents a growing attack vector with implications for incident detection, log integrity, and forensic analysis.

The session will focus on three critical objectives:

1. Developing open-source baseline templates for securing time across common environments;
2. Building awareness of time-based vulnerability classes, including manipulation attacks and synchronization abuse;
3. Establishing practical defensive measures to detect and prevent time-based attacks.

While this work naturally complements broader initiatives like the Epochalypse Project addressing the 2038 time rollover vulnerability, the Time Security SIG will concentrate specifically on immediate time synchronization abuse detection and prevention strategies. This BoF session welcomes security practitioners, researchers, and incident responders interested in contributing to this foundational security domain. Join us to help establish robust standards for time security that will strengthen our collective defense capabilities.

Special Interest Groups exist to provide a forum where FIRST Members can discuss topics of common interest to the Incident Response community. A SIG is a group of individuals composed of FIRST Members and invited parties, typically coming together to explore an area of interest or specific technology area, with a goal of collaborating and sharing expertise and experiences to address common challenges.

This SIG Meeting is an opportunity for Security Lounge SIG Members to meet in-person and for those interested in the group to learn more about getting involved.

Learn more about the Security Lounge SIG at: https://www.first.org/global/sigs/seclounge/

Special Interest Groups exist to provide a forum where FIRST Members can discuss topics of common interest to the Incident Response community. A SIG is a group of individuals composed of FIRST Members and invited parties, typically coming together to explore an area of interest or specific technology area, with a goal of collaborating and sharing expertise and experiences to address common challenges.

This SIG Meeting is an opportunity for SOC SIG Members to meet in-person and for those interested in the group to learn more about getting involved.

Learn more about the Security Operations Center (SOC) SIG at: https://www.first.org/global/sigs/soc/

Eva Papadogiannaki received her Ph.D. in Computer Science from the University of Crete, where she also earned her B.Sc. and M.Sc. degrees in 2015 and 2017, respectively. She is currently the director of TLScope, and a postdoctoral researcher at the Technical University of Crete. Previously, she was a research fellow at the Foundation for Research and Technology – Hellas (FORTH), and has also worked as an R&D engineer at Niometrics. Her research focuses on networking systems and encrypted traffic analysis, among other areas. Her work has been published in leading journals and conferences, including IEEE/ACM Transactions on Networking (TON), ACM Computing Surveys (CSUR), the ACM Web Conference (WWW), and the International Symposium on Research in Attacks, Intrusions, and Defenses (RAID).

Modern cybersecurity faces growing challenges due to the rise of encrypted threats and sophisticated evasion techniques. Malware, phishing campaigns, and botnet activity now seamlessly hide within encrypted traffic, rendering traditional detection methods ineffective. While decrypting traffic could expose these threats, it introduces serious privacy concerns and compliance risks with regulations such as GDPR, NIST 800-53/207, and ISO 27701. Additionally, traffic decryption is costly—requiring complex infrastructure changes and high resource investment.

At the same time, many state-of-the-art cybersecurity tools remain reactive and offer limited threat coverage. Passive detection systems like Snort, Suricata, and Zeek fail to inspect encrypted flows and typically respond only after an attack has occurred. Threat Intelligence (TI) platforms, while valuable, often provide accurate data only for known threats, and their coverage varies significantly depending on the source—rarely overlapping across vendors, as shown by recent studies. This landscape underscores the urgent need for proactive, privacy-preserving threat detection that doesn’t rely solely on decryption or static threat databases.

To address the challenges of detecting threats in secure network communications, we introduce TLScope—a real-time detection tool that analyzes ongoing communications with hosts to uncover malicious network configurations. TLScope goes beyond traditional methods by providing actionable insights into its classification decisions, enabling faster and more informed responses.

If you're interested in Threat Intelligence, Detection Systems, or just curious about TLScope’s features—let’s talk! We’ll discuss early-stage detection of malicious actors through TLS metadata analysis and how actionable insights into adversarial network configurations can enhance malware signatures, ML-based anomaly detection, and threat correlation workflows.

Special Interest Groups exist to provide a forum where FIRST Members can discuss topics of common interest to the Incident Response community. A SIG is a group of individuals composed of FIRST Members and invited parties, typically coming together to explore an area of interest or specific technology area, with a goal of collaborating and sharing expertise and experiences to address common challenges.

This SIG Meeting is an opportunity for TLP SIG Members to meet in-person and for those interested in the group to learn more about getting involved.

Learn more about the Traffic Light Protocol (TLP) SIG at: https://www.first.org/global/sigs/tlp/

Special Interest Groups exist to provide a forum where FIRST Members can discuss topics of common interest to the Incident Response community. A SIG is a group of individuals composed of FIRST Members and invited parties, typically coming together to explore an area of interest or specific technology area, with a goal of collaborating and sharing expertise and experiences to address common challenges.

This SIG Meeting is an opportunity for Vulnerability Coordination SIG Members to meet in-person and for those interested in the group to learn more about getting involved.

Learn more about the Vulnerability Coordination SIG at: https://www.first.org/global/sigs/vulnerability-coordination/

Special Interest Groups exist to provide a forum where FIRST Members can discuss topics of common interest to the Incident Response community. A SIG is a group of individuals composed of FIRST Members and invited parties, typically coming together to explore an area of interest or specific technology area, with a goal of collaborating and sharing expertise and experiences to address common challenges.

This SIG Meeting is an opportunity for VRDX SIG Members to meet in-person and for those interested in the group to learn more about getting involved.

Learn more about the Vulnerability Reporting and Data Exchange (VRDX) SIG at: https://www.first.org/global/sigs/vrdx/