Program Agenda

This session provides an in-depth case study of how an AWS security team has strategically integrated AI and automation technologies into their forensics and cyber threat intelligence operational workflows. We will explore the critical questions we asked ourselves when assessing existing processes for AI and automation opportunities, examine the decision-making criteria we used to determine which mechanisms to implement, and share some challenges and valuable lessons learned throughout our implementation journey.

Steve de Vera is a security minded professional with over 20 years of experience in various roles including digital forensics and incident response, red teaming, and security engineering. Steve is currently a manager in the AWS CIRT (Customer Incident Response Team), where he specializes in incident response and threat intelligence.

Cydney Stude is a Security Engineer with the AWS Customer Incident Response Team (CIRT), specializing in incident response and cloud security. Her work focuses on technical depth and real-world insights when handling complex cloud challenges. Cydney translates emerging threat actor trends into strategies to improve how organizations can detect and mitigate evolving attack patterns in the cloud.

Vamshi Edamadaka is a Data Scientist at AWS where his work involves using AI/ML and data science techniques to analyze complex threat data from security incidents. Vamshi primarily focuses on identifying attack patterns and developing predictive models to help AWS proactively defend against cyber threats through data-driven insights and advanced analytics.

The rise of residential proxies and similar covert networks is rendering traditional IOCs increasingly obsolete. Their ephemeral, multi-tenant nature enables adversaries to operate from trusted residential IP space with unprecedented anonymity. Traditional detection approaches struggle when the attacker's infrastructure is also a legitimate home or business.

This talk demonstrates that these networks, while challenging, also present new detection opportunities. It first details the technical architecture and distinctive "tells" of residential proxy infrastructure - including network fingerprinting techniques that persist across IP rotation. It then presents a deep-dive case study tracking a prolific APT operating within one, outlining the unique hunting methodology that uncovered its infrastructure and high-profile victims worldwide.

Attendees will learn practical techniques for hunting adversaries who rely on anonymized infrastructure.

Jonathan Andersen is the founder and CEO of Webscout.io, a Danish network visibility and IP intelligence provider. He previously worked in the Danish government and has a strong interest in cyber threat intelligence.

Organizations are drowning in data but starving for action. Despite billions of IOCs, feeds, and reports, less than 10% ever translate into a real defensive measure. This session demonstrates how we bridged the “intelligence-to-action gap” by building a modular, automated CTI pipeline — transforming intelligence from static reports into measurable defensive outcomes.

Through real-world examples, we’ll explore how automation, integration, and feedback loops enabled faster detection, smarter enrichment, and scalable response. Attendees will walk away with practical insights to operationalize CTI at any maturity level — even with small teams and open-source tools.

Daniel Lima is a specialist in cybersecurity and SOC leadership, advanced persistent threat (APT) defense, cryptography, risk management, and large-scale incident response with over 12 years experience in technology. His experience also extends to P&L management, having overseen high-growth security operations while optimizing cost efficiency and profitability.

As a cybersecurity executive at one of the world’s top three technology companies, Daniel structured and currently lead the largest Security Operations Center (SOC) in the country — a market leader recognized in the ISG Provider Lens Quadrant just two years after its creation. Under his leadership, the SOC achieved more than 100% year-over-year growth for four consecutive years, becoming a benchmark for scalable security operations with at least eight specialized domains (SOCaaS, MSS, CSIRT, OT, VM, Red Team, CTI, and Cloud Security) and over 100 top-tier certified professionals.

Gabriel Testoni is a Cyber Threat Intelligence researcher and cybersecurity instructor with extensive experience in operational intelligence, dark web investigations, and threat actor tracking. With more than a decade in technology, he has specialized in building and leading CTI programs focused on automation, intelligence integration, and large-scale threat detection. Gabriel’s work explores the intersection between intelligence and action — designing architectures that transform analysis into measurable defense outcomes. He is also dedicated to mentoring new professionals in areas such as OPSEC, threat hunting, and intelligence tradecraft, helping teams evolve from reactive operations to proactive defense.

How do you build a CTI capability with no feeds, no budget, and no guaranteed access to a SOC or SIEM? This session shares the ongoing story of creating CTI capacity in a large humanitarian organization by working from the edge inward. Using open-source tools, community intelligence, and strong field partnerships, the team built actionable insight and trust before gaining better central visibility.

Attendees will learn how constraints reshaped priorities, strengthened collaboration, and redefined what CTI maturity can look like under real-world limitations.

Jean-Louis Huynen is a Security Researcher specializing in Cyber Threat Intelligence (CTI) for the humanitarian sector. He previously worked at CIRCL, where he focused on threat intelligence, incident response, and the development of tools supporting these activities. He also collaborated with LIST (Luxembourg Institute of Science and Technology) on the development of a Mixed Reality training platform for security-critical agents. His earlier research, including his PhD at SnT (Interdisciplinary Centre for Security, Reliability and Trust), focused on socio-technical security and root cause analysis methodologies for investigating security incidents.

Casey Knerr is a Cyber Risk Geopolitical Analyst. She has extensive experience in contextualizing cyber attacks, the MITRE ATT&CK framework, and developing Cyber Threat Intelligence products. She also has deep technical knowledge on red teaming and penetration testing.

Digital forensics in the cloud requires specialized techniques and tooling for scalable analysis. This intensive, half-day (4-hour) hands-on workshop provides CTI practitioners with the knowledge to build and operate a complete forensic lab environment on Google Cloud using entirely open-source tools: Turbinia, Plaso, dftimewolf, and Timesketch.

Participants will gain practical experience in the full forensic lifecycle: from setting up scalable infrastructure to performing forensically sound evidence collection from compromised GCP projects, processing the data, and conducting collaborative timeline analysis to determine root cause. Attendees will leave with practical experience using the exact OSDFIR tools and methodologies.

Alexander Jäger is a Senior Security Engineer at Google and doing Incident Response and Digital Forensics. At Google, he leads large-scale security incidents and is a core maintainer of Timesketch, the open-source forensic timeline analysis tool. With over a decade of frontline experience defending major enterprises, Alex is deeply committed to strengthening the global security community. He previously served on the board of FIRST, including as CFO and continues to contribute to various open-source projects and community events.

Janosch Köpper is a Security Engineer on Google's Incident Response team, where he specializes in digital forensics, incident management and automation. He is a core maintainer of the open-source Timesketch project, used for collaborative forensic timeline analysis.

Rulezet is an open-source platform that simplifies the creation, management, and conversion of security detection rules. It supports multiple formats, including Sigma, Suricata, and MISP, enabling security teams to collaborate, automate, and streamline threat detection workflows.

In this session, attendees will learn how Rulezet helps unify rule management, reduce duplication, and improve operational efficiency, with practical examples of rule creation, versioning, and format conversion.

Théo Geffe is a junior developer currently web development at CIRCL. He is passionate about creating web applications and enjoys exploring new technologies.

CTI-Transmute, a new open-source tool developed by CIRCL, addresses this problem by enabling seamless and consistent conversion between the MISP Standard and the STIX language. Leveraging the existing misp-stix library as its back-end, CTI-Transmute acts as a flexible conversion layer designed for real-world operational environments. It allows CTI platforms and tooling that support only one standard to ingest, transform, and export information originating from a different one—without requiring deep modifications or format-specific development.

• project website: https://cti-transmute.org/

Across nearly 30,000 publications on scenario planning, few are able to bridge theory with practice. This is especially true in cyber threat intelligence. While traditional scenario planning literature emphasizes structured analytical methods, most cyber professionals struggle to even apply these meaningfully amidst their dynamic threat landscape.

This talk flips the script. Drawing from years of scenario-based intelligence work and field lessons learned from Dutch special operations veterans, Gert-Jan Bruggink explores how teams can transform theoretical models into adaptive decision-making systems.

Like navigation in hostile terrain, scenario planning succeeds only when teams acknowledge that “the map is outdated.” In cyber threat intelligence, that means moving away from rigid, logic-based strategies to more dynamic, narrative-driven approaches that can thrive amid uncertainty. And as we know, in cyber threat intelligence there's plenty of that. Attendees will learn how to run their own scenario planning sessions, how to align those conversations across hierarchical stakeholders and how to they can turn uncertainty into business opportunity.

Participants leave with a 7-step practical framework for building and maintaining adaptive scenario exercises. This includes templates, facilitator guidance, and lessons learned from real-world applications at his company Venation.

Gert-Jan Bruggink helps leaders make smarter decisions about digital risk using scenario-based intelligence and systems thinking. As Founder & CEO of Venation, he pioneers adaptive scenario planning in cybersecurity, translating uncertainty into opportunity. His work bridges theory and practice, guiding organizations to navigate complexity instead of fearing it.

Sigma is an open and generic format to share log detection signatures. In this hands-on workshop we learn what Sigma is and how to write good Sigma rules by developing some for existing threats. It will cover simple rules for detection of single events as well as correlation rules for detection of event relationships.

Thomas Patzke has almost 20 years experience in information security and has done lots of stuff in this area, from offensive to defensive security topics. Now he is doing incident response, threat hunting and threat intelligence at the Evonik Cyber Defense Team. Furthermore, he is co-founder of the Sigma project and maintains the open-source toolchain (pySigma/Sigma CLI).

Nowadays, Drones have evolved from military tools to affordable consumer devices, reshaping warfare and causing incidents over No-Fly zones like airports and nuclear sites. CIRCL offers a half-day Drone Threat Intelligence Workshop combining theory and practice to enhance your skills in threat hunting and information sharing.

Christian Studer joined CIRCL in 2017 after he graduated with a Master in Computer Science. During his master thesis at CIRCL he showed his capacity to lead existing CIRCL software such as the Potiron framework, a tool to normalize, index and visualize network captures. He is mainly working on MISP, contributing to the core development and several integrations with other tools and formats, most notable, he leads the STIX implementation of the project. He is also the co-chair of the OASIS CTI STIX Subcommittee.

Paul Jung is a long-time security professional with over two decades of experience in the cybersecurity field in Luxembourg. He has built extensive consulting expertise across multiple industries, covering activities from offensive security assessments to incident response and digital forensics. Prior to joining the Computer Incident Response Center Luxembourg (CIRCL) in 2025, he served as Senior Security Architect in the Managed Network Security department of the European Commission, where he work on several border security projects. He later joined Excellium Services (acquired by Thales Group in 2022), where he founded and led the Incident response team (now TCS-CERT), a multi-country CSIRT dedicated to intrusion response. Paul is an occasional speaker at international conferences such as FIRST, Virus Bulletin, Botconf, and Hack.lu, and has published articles on DDoS, botnets, and incident response.

Cyber threat intelligence (CTI) is, at its core, a discipline of decision support. CTI that cannot enable, improve, or otherwise facilitate a security action is of questionable operational value. In evaluating CTI efficacy, we typically focus on applicability, accuracy, and contextuality, but the relationship of CTI to security actions (particularly for tactical flavors of CTI) also demands examination of another metric: timeliness. Put simply, CTI that arrives too late for the decisions supported is irrelevant.

In this discussion we will explore the implications of a time-oriented view to CTI production, dissemination, and integration into operational decision making. From this we will identify a tension at the core of CTI production: between the speed at which CTI is disseminated and the depth or quality of the CTI produced. Put simply, organizations cannot have immediate decision support while simultaneously having deep contextuality in the current environment, leading to discussions of tradeoffs and continuums of possible CTI outcomes. Evaluating CTI thus becomes a question of determining audience and customer needs, purpose, and response timelines to appropriately structure finished CTI for the given entity in question.

Joe Slowik has over 15 years of experience across multiple information security domains, with specializations in cyber threat intelligence, detection engineering, and threat hunting. Joe currently is Director of Cybersecurity Alerting Strategy for Dataminr, and has previously held roles at the MITRE corporation, Huntress, DomainTools, Dragos, Los Alamos National Laboratory, and the US Navy. In addition to the above, Joe also provides threat intelligence training and advising through his company, Paralus LLC.

In an intelligence sharing community, the value of cyber threat intelligence depends on more than just what members contribute. It also relies on how that data is enriched, refined, and turned into actionable insights. This session will share practical methods for transforming raw indicators into high-quality intelligence using PyOTI as the enrichment and vetting engine.

Drawing from three years of experience managing the Retail & Hospitality ISAC’s community MISP instance, the talk will highlight ways to normalize multi-source enrichment, apply consistent tagging, and automate curation to reduce noise while keeping valuable context. Attendees will learn how to identify known bad and known good indicators, tune enrichment workflows, and build tagging practices that reduce alert fatigue and false positives. The session will close with simple, proven steps teams can take to improve the quality and reliability of shared intelligence.

JJ Josing is an open-source enthusiast with a passion for automation. He is RH-ISAC’s Principal Threat Researcher and has spent over seven years in cybersecurity within the retail industry. In his current role, JJ develops original threat research driven by member needs and oversees the management of indicators of compromise. He has also advanced and scaled the RH-ISAC’s sharing environments, supporting the growth of the member community and improving how intelligence is shared, enriched, and operationalized.

Organizations face uncertainty when anticipating future threats and working to protect their assets as the threat landscape evolves. Cyber forecast can be a powerful tool to help decision makers manage this uncertainty and proactively improve security.

Clara Bayón González is a Cyber Threat Intelligence Analyst with over 4 years of experience at Deloitte Global. She has worked on the development and delivery of strategic products for Deloitte worldwide firms, including regional threat landscape and periodic threat landscape briefings. Before moving to cybersecurity Clara studied Psychology and Criminology and participated in a national research study about crimes of sexual nature for profile creation based on evidence.

Elena Casado González is the Intel Operation Lead for Deloitte’s Global Cyber Threat Intelligence team, heading the EMEA Cyber Defense HUB in Spain. With over 12 years of experience, Elena leads major projects in global threat intelligence – building high-performing teams, collecting and transforming data, integrating tools to deliver actionable intelligence to Deloitte worldwide firms. She specialized in criminal investigation and profiling, terrorism and counterterrorism, intelligence operations, crisis management and cyber threat analysis.

Forecasting vulnerability activity is challenging: sightings such as PoCs, scanner detections, or Fediverse mentions are sparse, noisy, and highly bursty. We present experiments on predicting short-term sighting trends for individual vulnerabilities using real-world data and multiple statistical approaches. Classical SARIMAX models struggle under data scarcity, while Poisson regression and simple logistic/decay functions yield more stable and interpretable results. Building on the VLAI severity model, we outline practical techniques CTI teams can apply today to anticipate spikes in attention and better prioritize vulnerabilities despite limited historical data.

Alexandre Dulaunoy encountered his first computer in the eighties, and he disassembled it to know how the thing works. While pursuing his logical path towards information security and free software, he worked as senior security network consultant at different places (e.g. Ubizen, now Cybertrust). He co-founded a startup called Conostix, which specialised in information security management. For the past 6 years, he was the manager of global information security at SES, a leading international satellite operator. He is now working at CIRCL in the research and operational fields. He is also a lecturer in information security at Paul-Verlaine University in Metz and the University of Luxembourg. He is also the lead developer of various open source tools including cve-search and member of the MISP core team. Besides his activities in cyber-security, he's also fond of generally fixing anything that's broken around the office.

Cédric Bonhomme is a seasoned computer scientist with a deep passion for computer security and privacy. From 2010 to 2017, he worked as an R&D Engineer at a research center, specializing in Multi-Agent Systems and Cybersecurity. Since 2017, he has been an integral part of CIRCL, actively contributing to CSIRT operations and the development of innovative open-source software projects. Currently, he serves as the lead developer of Vulnerability-Lookup, driving advancements in vulnerability research and management.

This talk chronicles our CTI journey at a large Japanese company - from grassroots efforts to a formal initiative. Despite running CTI activities separately, we remained stuck in a chicken-and-egg situation, unable to advance beyond the active defense phase. However, real-world incidents elevated executive awareness, giving us the opening we needed. We formalized CTI operations through strategic CTI reports, PIR-driven collection, internal study sessions, and AI-assisted process, gradually building cross-team collaboration and security maturity.

Yu Hirata is a cybersecurity specialist at Recruit Co., Ltd., focusing on threat intelligence, cyber incident response. His experience spans cybercrime investigations at a cyber security vendor, including collaboration with INTERPOL, and dark web intelligence at a consulting firm. He also contributes to AI joint research projects and cyber security trainings outside the company.

Cyber threat intelligence is often idolized for being “actionable” — but action alone doesn’t pay the bills or stop adversaries from profiting. This talk challenges the industry’s obsession with tactical “actionability” and reframes the mission around the outcomes that matter to the business and the adversary alike.

Building on the earlier “From Trust Groups to Action Communities” conversation, this session explores how defenders can evolve again — from action to impact. We’ll examine how threat intelligence can influence business decisions, alter adversary cost models, and measure success in real dollars, not dashboards.

Drawing from real-world community collaboration and collective defense case studies, we’ll also explore how informal “Fight Club” networks and open-action communities achieve 1000x force-multiplying effects — even when formal structures fail.

If you’re tired of vanity metrics, “pew-pew” dashboards, and over-engineered slides about IOCs, join us for a practical discussion on how to turn intelligence into outcomes that adversaries can’t afford to ignore.

Brian Hein lives and breathes collaboration and threat Intelligence. A German living in Canada's Capital Ottawa (via Laguna Beach, California) who has spent years conducting advanced threat research at HP's Office of the CTO and HP Security Research as well as at Flashpoint Intelligence. Brian also explored cyber threat intelligence at DTAG, one of the world’s largest carriers. After a year supporting Canadian initiatives, he joined and left Silobreaker, who supported Brian’s mission for over a decade. Brian has co-authored several books and helped develop a couple of patents. He is also active in the Wold Economic Forum’s Cybercrime Atlas initiative where he serves as a Case Lead.

James Shank joined Expel as Director of Threat Operations in 2025. Prior to Expel, James held various roles at threat intelligence companies SpyCloud and Team Cymru. James keeps the needs of the Internet information security community at the center of all his efforts. He is involved in and coordinates several community-oriented efforts to combat online threats, and notably was a part of a collaborative effort to take down Emotet. He works with community members to find innovative solutions to thorny issues that are hard to solve by individual operators.

Telegram hosts a dynamic and fragmented ecosystem of cybercriminal communities that has become a key source of threat intelligence. Yet, discovering and collecting data from these spaces remains difficult due to invite-only access, ephemeral activity, and high noise levels. This work introduces TeleHUNT, an automated framework for systematically discovering and mapping cybercriminal communities on Telegram. TeleHUNT evaluates 28 discovery configurations that combine advertisement types (links, handles, forwards), seed origins (Open Web vs. Dark Web), and contextual or temporal filters to assess efficiency, accessibility, and saturation across multiple operational settings.

Over a 15-day run, TeleHUNT collected more than 43,000 Telegram advertisements linked to 3,468 distinct communities across six cybercrime market segments. Link-based strategies achieved the broadest reach (≈2,000 communities) but generated higher noise (50–70%), while forward- and handle-based approaches offered near-perfect precision (~99%) at the cost of early saturation. Open Web seeds uncovered all six market segments and sustained diversity, whereas Dark Web seeds reached saturation faster. Accessibility analysis confirmed that invite links remain the dominant gateway to private or vetted groups, while forwarded messages obscure provenance. Together, these results provide the first reproducible evaluation of Telegram cybercrime discovery efficiency, offering actionable guidance for CTI teams seeking goal-driven, scalable intelligence collection.

Roy Ricaldi is a Doctoral Researcher in Cybercriminal Ecosystems at the Threat Analysis Group of Eindhoven University of Technology. His research focuses on the evolution of, and shifts within, the cybercriminal ecosystem, examining emerging technical threats and how organized cybercrime operates as a complex, professionalized economy. Roy investigates the organization, motivation, capabilities, and interactions of offenders, to better understand modern cybercrime and enhance deterrence and disruption efforts.

Emmanuele Zambon is an Assistant Professor in the Threat Analysis Group at Eindhoven University of Technology in the Netherlands. His research focuses on intrusion detection engineering, security operations, and the security of critical infrastructure environments. Emmanuele is the CTO of the Eindhoven Security Hub SOC at TU/e. He co-founded and served as CTO of SecurityMatters, now part of Forescout Technologies, a spin-off company that developed a platform for network monitoring, asset inventory, and intrusion detection for industrial networks deployed worldwide.

Luca Allodi is an Associate Professor at Eindhoven University of Technology, the Netherlands, where he leads the Threat Analysis research group. His research investigates the interplay between attacker operations and defensive strategies and technology, with a focus on Cyber Threat Intelligence, Security Operations, Intrusion Detection, and Social Engineering. He is the Scientific Director and is one of the founders of ESH-SOC at TU/e, a professional Security Operations Center that translates cutting-edge research into operational security practices. He founded and leads CTILab at JADS, a research center and laboratory specializing in tailored Cyber Threat Intelligence data and services. He earned his PhD from the University of Trento, Italy, with a thesis on vulnerability risk evaluation and management.

Join industry leaders for a dynamic workshop focused on the core fundamentals of CTI planning. You'll master how to build an Intelligence Collection Plan that directly aligns with stakeholder needs, as well as apply structured analytic techniques, practice creating intelligence reports and discuss feedback techniques as we comprehensively cover the Intelligence Cycle. The workshop will also dive into the Cyber Threat Intelligence - Capability Maturity Model (CTI-CMM) as we discuss strategies for attendees to assess and develop pathways to strategically mature their CTI program.

This workshop provides the essential foundation for CTI success, helping you:  Develop an Intelligence Collection Plan  Enhance your ability to support all steps of the Intelligence Cycle  Identify how to baseline and mature your CTI program

You will gain hands-on experience using a scenario-based practical exercise in a small-group setting. Non-proprietary tools and a catalog of "take home" resources including fillable templates, worksheets and an assessment guide that can be used following the workshop are all provided free of charge.

Garrett Carstens, as Senior Vice President of Intel Operations at Intel 471, coordinates internal and cross-departmental initiatives focused on optimizing timely and relevant intelligence production and delivery. Prior to joining Intel 471, Garrett spent over 15 years in various roles within the U.S. Department of Defense (DoD) and the financial sector– always with a primary mission of identifying, analyzing and mitigating cyber threats.

Freddy Murstad is currently doing his PhD on the cross-section of intelligence and Cyber Threat Intelligence (CTI) and is researching how the intelligence field can help mature the CTI field in the private sector. While researching for his PhD, Freddy also works as the senior threat intelligence analyst at Nordic Financial CERT (NFCERT) in Norway where he supports the financial sector with strategic intelligence. Freddy uses his education and experience with intelligence to bring a multifaceted approach to CTI and provide value to stakeholders.

Kevin Williams is a Senior Director, Client Engagement at Intel 471, he has leveraged a 25-year career in investigative and senior leadership roles at the Metropolitan Police Service and the National Crime Agency, which saw him develop and implement national cybercrime strategies, including advising the UK government on the cyber incident response for the London 2012 Olympics. He has further applied his expertise in intelligence gathering, threat and risk analysis, and high-level stakeholder engagement at KPMG and Pluralsight.

The widespread adoption of LLM and RAG systems to analyze Cyber Threat Intelligence has created a critical and largely unexamined attack surface. What happens when the data you feed your AI is deliberately poisoned? This talk demonstrates how a single malicious OSINT report can be weaponized to compromise an entire CTI RAG pipeline. We will present a live end to end attack that uses a hidden trigger to hijack both the retrieval and generation stages, forcing the system to produce fabricated answers under the attacker's control, even when facing unknown models.

This session moves beyond theory to demonstrate the practical fragility of these systems. Attendees will witness the attack firsthand and, more importantly, will learn actionable, low-cost mitigation strategies to defend their own CTI platforms from this emerging threat.

This presentation's authors include Yen-Shan (Lily) Chen, Sian-Yao Huang, and Cheng-Ling.

Sian-Yao Huang, the technical lead at CyCraft Technology, specializes in creating advanced deep learning models to tackle cybersecurity challenges such as anomaly detection and security analysis. His work has been featured at major conferences like NeurIPS, EMNLP, IJCNN, and CVPR, and he's presented at Black Hat USA, Code Blue Japan, SINCON and SECCON.

Yen-Shan (Lily) Chen is a data scientist at CyCraft Technology, where she currently focuses on research into potential vulnerabilities in Retrieval-Augmented Generation (RAG) frameworks and developing methods to evaluate them. Lily has previously presented at major cybersecurity conferences such as Code Blue Japan and SINCON, and she also published her work at the renowned ACL conference.

OpenTide (Open Threat Informed Detection Engineering), developed at the European Commission CSOC, bridges the gap between unstructured threat intelligence and actionable detections.

By modeling adversary behaviors as Threat Vectors and linking them to detection objectives and supporting rules, OpenTide enables faster operationalization of new intelligence, and understanding detection coverage in a much finer way than ATT&CK mappings. This session will show how OpenTide reframes TTP‑focused intelligence into a scalable workflow for modern detection engineering.

Amine Besson has one goal: figuring out what on earth we should be doing to detect actual threats. As an independent international contractor, Amine works around the world with the smallest to the largest SOCs and MDRs to discover how to answer to that question. Amine's projects usually span across Intelligence, Detection and Response Engineering, with a strong focus on automation and system-thinking over analyst driven workflows. Amine also maintains OpenTide (Open Threat Informed Detection Engineering), a project that was incubated at the European Commission and that aims at providing Detection Engineering teams with a platform to work in a repeatable manner.

Rémi Seguy has over 20+ years in the cybersecurity field, and has dedicated their career to safeguarding organisations by developing robust SOC and effective incident response teams. As a passionate advocate for knowledge sharing and collaboration - "sharing is caring"- Remi has actively contributed to the cybersecurity community and related open-source projects, such as MISP. In their current role, Remi has led the OpenTide initiative, turning it into a project at the core of the Detection Engineering team. Remi is looking for exchanging and collaborating with other Detection Engineering teams to develop repeatable, traceable, and pragmatic processes, effectively bridging the gap between Threat Intelligence, Threat Hunting, and Threat Detection.

Small-to-Medium Enterprises (SMEs) are frequently unable to implement traditional CTI programs due to severe budget constraints and a lack of dedicated security expertise, leaving them critically exposed to common threats. This presentation introduces a practical, resource-optimized CTI architecture designed specifically to close this gap. Our solution relies entirely on a standardized open-source stack (OpenCTI, MISP, STIX) integrated with advanced Cognitive Automation to augment human analysis.

We will detail how to use techniques like Retrieval-Augmented Generation (RAG) and agentic AI to automate high-effort CTI tasks, such as IoC and MITRE TTP extraction, drastically reducing the reliance on manual domain expertise. Attendees will leave with a clear blueprint for establishing a maintainable, high-value CTI capability using efficient MLOps and a strict Human-in-the-Loop governance model, ensuring improved cyber resilience at minimal recurring cost.

Omar Saenz is a Security Specialist and Cybernetics Futurist at Google Cloud, bringing over 20 years of experience in designing secure solutions, secure cloud transitions, and pioneering security automation. A cybernetics engineer by background, he has held diverse security roles—from research and pen testing to leadership—at major organizations including Deloitte, KPMG, and HSBC. Holding a degree in Cybernetics Engineering, a Master's in Business Innovation, and advanced training in AI from institutions like Oxford University's Saïd Business School, Omar is passionate about democratizing security and sharing insights on automation, having presented at major global events such as the CONFidence Conference, ISF Annual World Congress, and the ISC2 Secure Summit.

Raquel Guzman is a Customer Engineer at Google Cloud, specializing in security, where she guides global customers on implementing best practices to secure their cloud environments. She brings a strong focus on DevSecOps, promoting secure development lifecycles, and applying broad security principles to the unique, rapid development needs of startup organizations. Leveraging her prior background in economics and financial services, Raquel transitioned into IT and information security, bringing a holistic perspective to cyber risk and cloud transformation. Originally from the Dominican Republic, her expertise is now focused on helping customers operationalize cloud security best practices in the UK and in Europe.

As cyber incidents multiply in scale and complexity, Computer Emergency Response Teams (CERTs) now play a pivotal role not only in response coordination but also in Cyber Threat Intelligence (CTI) sharing and vulnerability advisory dissemination. Yet, many advisories remain highly technical and inconsistently adopted across varied audiences. This talk introduces the Integrated CERT Communication Framework (ICCF) — a novel, behavioral-based model designed to make CERT communications more targeted, trusted, and actionable. Grounded in established behavioral and communication theories — including Situational Crisis Communication Theory (SCCT), Framing Theory, and Protection Motivation Theory (PMT) — ICCF bridges the gap between technical precision and human understanding. By aligning message framing, motivational triggers, and contextual classification, the framework improves advisory clarity, adoption, and coordination across national and international CERT ecosystems. The session will demonstrate how ICCF strengthens CTI sharing, vulnerability note dissemination, and advisory communication, promoting faster defensive action and a culture of informed cyber resilience.

Dr. Yudhishthira Sapru is working with the Indian Computer Emergency Response Team (CERT-In), the national nodal agency for cyber incident response in India. He has over 20 years of experience in cybersecurity, threat intelligence, SOC operations, and program management, and has led several national initiatives on cybersecurity project implementation, cyber resilience, and cyber threat intelligence sharing. He has been involved in successfully managing SOC operations during events of national importance and large-scale cyberattacks. He has also been involved in the formulation of various policies and guidelines aimed at strengthening the cybersecurity posture of Indian organizations. He has also been involved in coordinating with organizations on vulnerability exploitation–related communications. His expertise combines operational experience with policy understanding, helping organizations improve their cybersecurity readiness and response. He is CISSP, ECIH and PMP certified.

Mr. Rakesh Kumar Singh is a Cybersecurity Scientist at CERT-In with 9 years of hands-on experience in national-level cyber defense operations. His core expertise includes SOC operations, network traffic and log analysis, OSINT, threat intelligence, and end-to-end execution of critical national security projects. He has deep technical proficiency in SIEM, SOAR, threat hunting, incident response, and forensic log investigation. He holds CISSP and ECIH certifications, with a strong foundation in both the strategic and operational domains of cybersecurity

Incorporating Threat Intelligence (TI) into Digital Forensics and Incident Response (DFIR) can be difficult and costly based on several factors. However, this collaboration is crucial in modern incident work, significantly enhancing the DFIR operations, saving time and offering contextualization to consumers of the DFIR report. This presentation aims to explore the relationship between TI and DFIR, providing insights into how TI can be incorporated in incidents with structured processes and responsibilities, and what additional value the usage of appropriate tools and research methodologies can bring. Sample outcomes include campaign, malware family, threat actor and motivation identification as well as expansion of infrastructure through pivoting and hunting.

Stef Collart is a Principal Threat Hunting & Threat Intelligence consultant at NVISO. He has worked in SOC and CSIRT teams for multiple MSSPs and customers across a wide variety of sectors gaining a broad skillset. The broad skillset also reflects the interest in a broad range of topics with a current focus on incident response, threat hunting and threat intelligence.

Efstratios Lontzetidis is a Senior Threat Intelligence Consultant at NVISO. He has experience in consulting and researching roles in both private and public sectors. He holds a BSc in Applied Informatics from the University of Macedonia, a MSc in Information Security and Digital Forensics from the University of East London and certifications such as GCTI, GCIH, CPTIA, CRTIA and PJMR. His research interests include cyber threat intelligence, infrastructure hunting, and malware analysis.

Dr. Thomas Schreck is a Professor for IT-Security at the Munich University of Applied Sciences. Prior he was a Principal Engineer for IT-Security at Siemens and the Head of Siemens CERT. He served between 2015 and 2021 on the Board of Directors of FIRST.org and was the Chairman from 2017 to 2019.

Every cyber attack raises the same question: Who did it?

But what should you know before trying to find that out? This talk takes you through the first steps of getting started with threat actor profiling — exploring the attribution problem, profiling, existing attribution models, and PACT, a new framework in progress built to facilitate the cyberattack attribution process.

Marthe Råheim Rogndokken has a background spanning business, law enforcement, and cybersecurity. She has studied International Business in Slovenia. Later she graduated from the Norwegian Police Academy, and served as a police officer in both first response and investigations. Her passion for technology and security led her to Australia, where she specialized further by completing a bachelor’s degree in cyber security. Marthe is currently a Cyber Threat Intelligence Analyst at Sopra Steria, Norway. Her research on the PACT attribution model was published in Procedia Computer Science on ScienceDirect, and presented at the International Conference on Industry Sciences and Computer Science Innovation (iSCSi) in Portugal.

Outside of work, Marthe is drawn to speed and adrenaline — whether it’s go-karting, surfing, or downhill mountain biking.

Traditional scenario planning is built around long-term foresight. You explore multiple futures, map uncertainties, and prepare for shifts in the environment over years. Cybersecurity doesn’t give you that luxury. Threats move fast. Artificial Intelligence isn’t always perfect. Intelligence products aren’t always acted on. In Cyber, the “future” doesn’t unfold over years, no it could change between incidents, updates, and geopolitical shifts. Cyber teams rarely get the chance to work with stable assumptions, let alone reliable horizons.

This workshop reframes scenario planning for the cyber domain. Instead of long-range foresight, participants learn to build short-cadence, high-uncertainty scenarios that support strategic and operational decision-making. We’ll explore why cyber scenario planning is less like chess — a game of perfect information or understanding of the adversary— and more like poker, where you must make decisions under pressure with terrible information, hidden intentions, and no guarantee you’re playing the right hand. Through guided exercises, participants practice operating in this “poker atmosphere.” They build scenario foundations that can scale into longer-term planning, stress-test decisions under uncertainty, and learn how to create alignment across technical and executive stakeholders. All based on the presenter's extensive experience in applying scenario planning techniques in the private sector. Workshop attendees will leave with a practical approach for cyber scenario development, which they can onwards build on within their internal environment designed specifically for the speed, ambiguity, and adversarial dynamics of cybersecurity.

Gert-Jan Bruggink specializes in helping leaders use proven systems to make informed decisions about digital risk. He supports teams all across the world in understanding adversary tradecraft through narratives and systems thinking. Providing understanding of their threat landscape, enabling informed decision-making and developing cost-effective risk mitigation strategies. Gert-Jan is Founder & CEO of ‘Venation’, where he pioneers the field of scenario-based cyber threat intelligence deliverables. Previously, Gert-Jan co-founded innovative start-ups, fulfilled a cyber threat intelligence leadership role at a Big Four accounting firm, and held security engineering roles at a security integrator.

Sherman Chu As the CTI lead for BlackRock, Sherman Chu focuses on applying threat-informed defense to empower security through systematic adversary analyses. He specializes in threat intelligence, incident response, threat hunting, and detection engineering. Previously, Sherman was a threat management solution manager, led the technical threat intelligence team at New York City Cyber Command, performed analyst roles at Citi and Flashpoint, and is a US Army veteran.