BoFs, SIGs, & Scheduled Side Meetings
Schedule is subject to change. Please be sure to refer to the conference mobile app during conference week for the latest and most accurate times.
BoFs & Sides (Gov Sq 10)
Tuesday, June 16th
| BoFs & Sides (Gov Sq 10) | |
|---|---|
| 11:00 – 12:00 | CH From Alert Fatigue to Autonomy: Redefining CSIRT Operations Jose Vazquez (NesCERT, CH) TLP:CLEAR |
| 14:35 – 15:35 | PL Analyzing Internet Background Radiation Paweł Pawliński (CERT.PL / NASK, PL) TLP:GREEN |
- IL TLP:AMBER
Agentic Campaign Intelligence
Uri Segman & Elhay Efrat (Dream Security, IL)
A single threat report names an intrusion set. An analyst's job is to answer: "So what? Does this affect us?" That question takes hours of manual pivoting, matching aliases, tracing infrastructure, cross-referencing CVEs against your own exposure. We automated it. Our agentic pipeline ingests published CTI articles, parses STIX entities, performs multi-hop pivots across attack group infrastructure, and scores each campaign against your organization's real external attack surface. Fuzzy matching handles the messy reality of threat actor naming. Graph traversal expands a single report into a mapped network of compromised assets. Multi-stage LLM classification with rule-based floors ensures nothing critical slips through. The result: campaign intelligence that is personal, prioritized, and actionable, delivered in minutes, not days.
June 17, 2026 11:30-12:10
- PL TLP:GREEN
Analyzing Internet Background Radiation
Paweł Pawliński (CERT.PL / NASK, PL)
We would like to bring together researchers, operators and CSIRTs to discuss practical approaches for analyzing unsolicited Internet traffic ("Internet Background Radiation") and converting it into actionable cyber intelligence. The session will focus on observations from network telescopes (passive monitoring of traffic sent to globally routed but unused IP space) and other types of large-scale, low-interaction sensors that reveal Internet-wide scanning, misconfigurations, worm propagation signals, and DDoS backscatter. The BoF is designed as an informal, participant-driven discussion about data capture, pipeline design (packet/flow processing, enrichment, clustering, and alerting), and analytic techniques suitable for identification of events of interest. A key outcome will be enabling practical collaboration among participants, in particular building trusted connections and facilitating sharing of selected datasets, indicators, and methods.
June 16, 2026 14:35-15:35
- CH TLP:CLEAR
From Alert Fatigue to Autonomy: Redefining CSIRT Operations
Jose Vazquez (NesCERT, CH)
José Vázquez is a Senior Cyber Security Specialist within the Cyber Security Incident Response Team (CSIRT), focused on transforming traditional security operations into scalable, automation-driven ecosystems. He has led initiatives to redesign incident response workflows by integrating SIEM and SOAR capabilities with autonomous L0 agents, significantly reducing manual triage efforts and operational backlog at scale. His work centers on bridging the gap between detection engineering, automation, and real-world incident response. José is particularly interested in challenging conventional SOC models and driving the evolution towards autonomous, intelligence-led cyber defense strategies.
Traditional CSIRT and SOC operating models are breaking under the weight of alert fatigue, manual triage, and ever-increasing attack surface complexity. Throwing more analysts at the problem is no longer a sustainable solution. This Birds of a Feather session challenges the status quo: what if Tier-1 no longer existed? We will explore a real-world transformation where SIEM and SOAR platforms were re-engineered to support an autonomous Level 0 (L0) agent capable of triaging, enriching, and in many cases resolving security alerts without human intervention. Rather than focusing on tools, this session opens a discussion on:
  - Eliminating repetitive analyst work through autonomous decision-making
  - Designing trust in machine-driven triage and response
  - Reducing backlog and scaling globally without linear headcount growth
  - Shifting CSIRT roles from reactive responders to strategic threat hunters
We will share key challenges, resistance points, and lessons learned during this transition, including where automation fails and where human expertise remains critical. This is not a presentation. This is an open discussion for teams who believe the current SOC model is unsustainable and are actively exploring what comes next.
June 16, 2026 11:00-12:00

