Program Agenda

How do you build a CTI capability with no feeds, no budget, and no guaranteed access to a SOC or SIEM? This session shares the ongoing story of creating CTI capacity in a large humanitarian organization by working from the edge inward. Using open-source tools, community intelligence, and strong field partnerships, the team built actionable insight and trust before gaining better central visibility.

Attendees will learn how constraints reshaped priorities, strengthened collaboration, and redefined what CTI maturity can look like under real-world limitations.

Jean-Louis Huynen is a security researcher at CIRCL. He works on threat detection/intel and the development of tools to support incident response, Previously he collaborated with LIST-- Luxembourg Institute of Science and Technology (LU)--to the development of a Mixed Reality platform for the training for Security Critical Agents (mainly on firearms events and CBRN incidents). Previous research works (and his PhD) at SnT--Interdisciplinary Centre for Security, Reliability and Trust (LU)--focused on the usability of security systems and root cause analysis techniques for investigating security incidents.

Digital forensics in the cloud requires specialized techniques and tooling for scalable analysis. This intensive, half-day (4-hour) hands-on workshop provides CTI practitioners with the knowledge to build and operate a complete forensic lab environment on Google Cloud using entirely open-source tools: Turbinia, Plaso, dftimewolf, and Timesketch.

Participants will gain practical experience in the full forensic lifecycle: from setting up scalable infrastructure to performing forensically sound evidence collection from compromised GCP projects, processing the data, and conducting collaborative timeline analysis to determine root cause. Attendees will leave with practical experience using the exact OSDFIR tools and methodologies.

Alexander Jäger is a Senior Security Engineer at Google and doing Incident Response and Digital Forensics. At Google, he leads large-scale security incidents and is a core maintainer of Timesketch, the open-source forensic timeline analysis tool. With over a decade of frontline experience defending major enterprises, Alex is deeply committed to strengthening the global security community. He previously served on the board of FIRST, including as CFO and continues to contribute to various open-source projects and community events.

Janosch Köpper is a Security Engineer on Google's Incident Response team, where he specializes in digital forensics, incident management and automation. He is a core maintainer of the open-source Timesketch project, used for collaborative forensic timeline analysis.

Across nearly 30,000 publications on scenario planning, few are able to bridge theory with practice. This is especially true in cyber threat intelligence. While traditional scenario planning literature emphasizes structured analytical methods, most cyber professionals struggle to even apply these meaningfully amidst their dynamic threat landscape.

This talk flips the script. Drawing from years of scenario-based intelligence work and field lessons learned from Dutch special operations veterans, Gert-Jan Bruggink explores how teams can transform theoretical models into adaptive decision-making systems.

Like navigation in hostile terrain, scenario planning succeeds only when teams acknowledge that “the map is outdated.” In cyber threat intelligence, that means moving away from rigid, logic-based strategies to more dynamic, narrative-driven approaches that can thrive amid uncertainty. And as we know, in cyber threat intelligence there's plenty of that. Attendees will learn how to run their own scenario planning sessions, how to align those conversations across hierarchical stakeholders and how to they can turn uncertainty into business opportunity.

Participants leave with a 7-step practical framework for building and maintaining adaptive scenario exercises. This includes templates, facilitator guidance, and lessons learned from real-world applications at his company Venation.

Gert-Jan Bruggink helps leaders make smarter decisions about digital risk using scenario-based intelligence and systems thinking. As Founder & CEO of Venation, he pioneers adaptive scenario planning in cybersecurity, translating uncertainty into opportunity. His work bridges theory and practice, guiding organizations to navigate complexity instead of fearing it.

Sigma is an open and generic format to share log detection signatures. In this hands-on workshop we learn what Sigma is and how to write good Sigma rules by developing some for existing threats. It will cover simple rules for detection of single events as well as correlation rules for detection of event relationships.

Thomas Patzke has almost 20 years experience in information security and has done lots of stuff in this area, from offensive to defensive security topics. Now he is doing incident response, threat hunting and threat intelligence at the Evonik Cyber Defense Team. Furthermore, he is co-founder of the Sigma project and maintains the open-source toolchain (pySigma/Sigma CLI).

Nowadays, Drones have evolved from military tools to affordable consumer devices, reshaping warfare and causing incidents over No-Fly zones like airports and nuclear sites. CIRCL offers a half-day Drone Threat Intelligence Workshop combining theory and practice to enhance your skills in threat hunting and information sharing.

Sami Mokaddem is a software developer who has been contributing to the open-source community since 2016 in the fields of information sharing and leak detection. He is working for CIRCL and is part of the MISP core team where he develops and maintains the software as well as its related tools. Native French speaker; fluent in English.

Paul Jung is since a long time a security enthusiast. He works in the security field in Luxembourg since more than two decades. During this time, Paul had extensive consulting experience across multiple industries and can perform roles ranging from offensive security assessments to incident response and digital forensics. Before joining CIRCL (Computer Incident Response Center Luxembourg), he was Senior Security Architect in the Managed Network Security department of the European Commission, leading the technical aspects of major security projects. Then at Excellium Services (acquired by Thales Group in 2022) he founded and led TCS-CERT, a multi-country CSIRT focused on intrusion response. Paul often speaks at conferences (FIRST, Virus Bulletin, Botconf, Hack.lu) and has published articles in magazine on DDoS, botnets, and incident response. Native French speaker; fluent in English.

Cyber threat intelligence (CTI) is, at its core, a discipline of decision support. CTI that cannot enable, improve, or otherwise facilitate a security action is of questionable operational value. In evaluating CTI efficacy, we typically focus on applicability, accuracy, and contextuality, but the relationship of CTI to security actions (particularly for tactical flavors of CTI) also demands examination of another metric: timeliness. Put simply, CTI that arrives too late for the decisions supported is irrelevant.

In this discussion we will explore the implications of a time-oriented view to CTI production, dissemination, and integration into operational decision making. From this we will identify a tension at the core of CTI production: between the speed at which CTI is disseminated and the depth or quality of the CTI produced. Put simply, organizations cannot have immediate decision support while simultaneously having deep contextuality in the current environment, leading to discussions of tradeoffs and continuums of possible CTI outcomes. Evaluating CTI thus becomes a question of determining audience and customer needs, purpose, and response timelines to appropriately structure finished CTI for the given entity in question.

Joe Slowik has over 15 years of experience across multiple information security domains, with specializations in cyber threat intelligence, detection engineering, and threat hunting. Joe currently is Director of Cybersecurity Alerting Strategy for Dataminr, and has previously held roles at the MITRE corporation, Huntress, DomainTools, Dragos, Los Alamos National Laboratory, and the US Navy. In addition to the above, Joe also provides threat intelligence training and advising through his company, Paralus LLC.

Forecasting vulnerability activity is challenging: sightings such as PoCs, scanner detections, or Fediverse mentions are sparse, noisy, and highly bursty. We present experiments on predicting short-term sighting trends for individual vulnerabilities using real-world data and multiple statistical approaches. Classical SARIMAX models struggle under data scarcity, while Poisson regression and simple logistic/decay functions yield more stable and interpretable results. Building on the VLAI severity model, we outline practical techniques CTI teams can apply today to anticipate spikes in attention and better prioritize vulnerabilities despite limited historical data.

Alexandre Dulaunoy encountered his first computer in the eighties, and he disassembled it to know how the thing works. While pursuing his logical path towards information security and free software, he worked as senior security network consultant at different places (e.g. Ubizen, now Cybertrust). He co-founded a startup called Conostix, which specialised in information security management. For the past 6 years, he was the manager of global information security at SES, a leading international satellite operator. He is now working at CIRCL in the research and operational fields. He is also a lecturer in information security at Paul-Verlaine University in Metz and the University of Luxembourg. He is also the lead developer of various open source tools including cve-search and member of the MISP core team. Besides his activities in cyber-security, he's also fond of generally fixing anything that's broken around the office.

Cédric Bonhomme is a seasoned computer scientist with a deep passion for computer security and privacy. From 2010 to 2017, he worked as an R&D Engineer at a research center, specializing in Multi-Agent Systems and Cybersecurity. Since 2017, he has been an integral part of CIRCL, actively contributing to CSIRT operations and the development of innovative open-source software projects. Currently, he serves as the lead developer of Vulnerability-Lookup, driving advancements in vulnerability research and management.

Cyber threat intelligence is often idolized for being “actionable” — but action alone doesn’t pay the bills or stop adversaries from profiting. This talk challenges the industry’s obsession with tactical “actionability” and reframes the mission around the outcomes that matter to the business and the adversary alike.

Building on the earlier “From Trust Groups to Action Communities” conversation, this session explores how defenders can evolve again — from action to impact. We’ll examine how threat intelligence can influence business decisions, alter adversary cost models, and measure success in real dollars, not dashboards.

Drawing from real-world community collaboration and collective defense case studies, we’ll also explore how informal “Fight Club” networks and open-action communities achieve 1000x force-multiplying effects — even when formal structures fail.

If you’re tired of vanity metrics, “pew-pew” dashboards, and over-engineered slides about IOCs, join us for a practical discussion on how to turn intelligence into outcomes that adversaries can’t afford to ignore.

Brian Hein lives and breathes collaboration and threat Intelligence. A German living in Canada's Capital Ottawa (via Laguna Beach, California) who has spent years conducting advanced threat research at HP's Office of the CTO and HP Security Research as well as at Flashpoint Intelligence. Brian also explored cyber threat intelligence at DTAG, one of the world’s largest carriers. After a year supporting Canadian initiatives, he joined Silobreaker, who supported Brian’s mission for over a decade. Brian has co-authored several books and helped develop a couple of patents.

James Shank has been with Team Cymru for more than ten years, contributing to several different efforts in a variety of ways. He is involved in several community orientated efforts to combat online threats, and recently was part of a collaborative effort to take down Emotet. As Chief Architect of Community Services, he works with community members to architect solutions to thorny issues that are hard to solve by individual operators. Lately, he's been thinking about new ways to collaborate with global partners to solve big picture problems, new tools and techniques that are of value to information security professionals worldwide and decentralized public disclosure of information as a way to pave the road for methods to validate user intention. Tom Millar has served in CISA for 15 years, working to strengthen the agency's information sharing capabilities, increasing the level of public, private and international partner engagement, and supporting initiatives to improve information exchange by both humans and machines, such as the standardization of the Traffic Light Protocol and the development of the Structured Threat Information eXpression. Prior to his cybersecurity career, he served as a linguist with the 22nd Intelligence Squadron of the United States Air Force. Mr. Millar holds a Master's of Science from the George Washington University and is a Distinguished Graduate of the National Defense University's College of Information and Cyberspace.

Join industry leaders for a dynamic workshop focused on the core fundamentals of CTI planning. You'll master how to build an Intelligence Collection Plan that directly aligns with stakeholder needs, whether for an individual project or your entire organization.

This workshop provides the essential foundation for CTI success, helping you:

• Strategically Mature your CTI program.
• Develop a clear pathway for benchmarking performance.
• Justify resource investment using the Cyber Threat Intelligence - Capability Maturity Model (CTI-CMM).

Learn a repeatable process to map and measure your maturity, directly linking your CTI capabilities to improved business and risk outcomes. Walk away with the tools to ensure your CTI efforts deliver maximum value.

You will gain hands-on experience building your own plan from scratch using a scenario-based practical exercise, non-proprietary tools, and a catalog of "take home" resources including fillable templates, worksheets and an assessment guide that are provided free of charge for use in your own environments.

Garrett Carstens, as Senior Vice President of Intel Operations at Intel 471, coordinates internal and cross-departmental initiatives focused on optimizing timely and relevant intelligence production and delivery. Prior to joining Intel 471, Garrett spent over 15 years in various roles within the U.S. Department of Defense (DoD) and the financial sector– always with a primary mission of identifying, analyzing and mitigating cyber threats.

Freddy Murstad is currently doing his PhD on the cross-section of intelligence and Cyber Threat Intelligence (CTI) and is researching how the intelligence field can help mature the CTI field in the private sector. While researching for his PhD, Freddy also works as the senior threat intelligence analyst at Nordic Financial CERT (NFCERT) in Norway where he supports the financial sector with strategic intelligence. Freddy uses his education and experience with intelligence to bring a multifaceted approach to CTI and provide value to stakeholders.

Kevin Williams is a Senior Director, Client Engagement at Intel 471, he has leveraged a 25-year career in investigative and senior leadership roles at the Metropolitan Police Service and the National Crime Agency, which saw him develop and implement national cybercrime strategies, including advising the UK government on the cyber incident response for the London 2012 Olympics. He has further applied his expertise in intelligence gathering, threat and risk analysis, and high-level stakeholder engagement at KPMG and Pluralsight.

The widespread adoption of LLM and RAG systems to analyze Cyber Threat Intelligence has created a critical and largely unexamined attack surface. What happens when the data you feed your AI is deliberately poisoned? This talk demonstrates how a single malicious OSINT report can be weaponized to compromise an entire CTI RAG pipeline. We will present a live end to end attack that uses a hidden trigger to hijack both the retrieval and generation stages, forcing the system to produce fabricated answers under the attacker's control, even when facing unknown models.

This session moves beyond theory to demonstrate the practical fragility of these systems. Attendees will witness the attack firsthand and, more importantly, will learn actionable, low-cost mitigation strategies to defend their own CTI platforms from this emerging threat.

Yen-Shan (Lily) Chen is a data scientist at CyCraft Technology, where she currently focuses on research into potential vulnerabilities in Retrieval-Augmented Generation (RAG) frameworks and developing methods to evaluate them. Lily has previously presented at major cybersecurity conferences such as Code Blue Japan and SINCON, and she also published her work at the renowned ACL conference.

Dr. Yang Cheng-Lin, the data science director at CyCraft Technology, holds a PhD in Artificial Intelligence from the University of Edinburgh. His focus is on security issues in AI applications. His notable work has been featured at prestigious academic conferences like EMNLP and NeurIPS, and his expertise has been showcased at various cybersecurity conferences, including the FIRST CTI Summit, Black Hat USA, Code Blue Japan, HITCon Enterprise, and SINCON.

In a previous talk, we explored the evolution of network fingerprinting from classic tools like p0f to modern methods such as MuonFP, JA4 and JA4+. Those techniques expanded our visibility into network reconnaissance, but how do they translate into practical defense? This follow-up focuses on signals in the noise - concrete case studies where fingerprinting techniques helped detect threats and inform defenses. The goal is for everyone to find something useful, whether you’re new to fingerprinting or looking for advanced applications. We’ll dive into technical details and real-world scenarios, showing how modern fingerprints can uncover hidden patterns and improve security monitoring.

Vlad Iliushin is the co-founder and cybersecurity expert at ELLIO and President of the Anti-Malware Testing Standards Organization (AMTSO). A true cybersecurity enthusiast, Vlad's passionate about network security, IoT, and cyber deception. Before ELLIO, he founded and led the Avast IoT Lab (now Gen Digital), developing security features and researching IoT threats. He has spoken at many conferences, including Web Summit and South by Southwest (SXSW), where he demonstrated IoT vulnerabilities.

While human-readable CTI reports will always have their place, rich, structured CTI data models and formats are the nirvana we've long sought for machine to machine threat sharing between tools of all stripes.

Based on experiences with many platforms, lots of data conversion, and much gnashing of teeth over the years, we'll compare options such as STIX, MISP, and bespoke formats and how we can build more effective structured CTI packages.

Chris Horsley is the CTO and one of the co-founders of Cosive, a cybersecurity and CTI specialist consultancy based in Australia and New Zealand. He has worked on projects with financial institutions, government, resource companies, and the university sector with a particular focus on SOCs, IR, and CTI practices and tooling. He is also highly involved in Cosive’s tooling and service offerings such as its managed MISP service, TIP integrations, anti-phishing service, and fraud detection system.

He also has a long background in the international CSIRT community, which spanned roles including open source intelligence gathering, vulnerability disclosure handling, software and tooling development, malware analysis, and joint initiatives for national CSIRTs. Chris has previously worked as a security analyst for AusCERT, the national CSIRT at that time, and JPCERT/CC, the Japanese national CSIRT.

Dr. Thomas Schreck is a Professor for IT-Security at the Munich University of Applied Sciences. Prior he was a Principal Engineer for IT-Security at Siemens and the Head of Siemens CERT. He served between 2015 and 2021 on the Board of Directors of FIRST.org and was the Chairman from 2017 to 2019.

Traditional scenario planning is built around long-term foresight. You explore multiple futures, map uncertainties, and prepare for shifts in the environment over years. Cybersecurity doesn’t give you that luxury. Threats move fast. Artificial Intelligence isn’t always perfect. Intelligence products aren’t always acted on. In Cyber, the “future” doesn’t unfold over years, no it could change between incidents, updates, and geopolitical shifts. Cyber teams rarely get the chance to work with stable assumptions, let alone reliable horizons.

This workshop reframes scenario planning for the cyber domain. Instead of long-range foresight, participants learn to build short-cadence, high-uncertainty scenarios that support strategic and operational decision-making. We’ll explore why cyber scenario planning is less like chess — a game of perfect information or understanding of the adversary— and more like poker, where you must make decisions under pressure with terrible information, hidden intentions, and no guarantee you’re playing the right hand. Through guided exercises, participants practice operating in this “poker atmosphere.” They build scenario foundations that can scale into longer-term planning, stress-test decisions under uncertainty, and learn how to create alignment across technical and executive stakeholders. All based on the presenter's extensive experience in applying scenario planning techniques in the private sector. Workshop attendees will leave with a practical approach for cyber scenario development, which they can onwards build on within their internal environment designed specifically for the speed, ambiguity, and adversarial dynamics of cybersecurity.

Gert-Jan Bruggink specializes in helping leaders use proven systems to make informed decisions about digital risk. He supports teams all across the world in understanding adversary tradecraft through narratives and systems thinking. Providing understanding of their threat landscape, enabling informed decision-making and developing cost-effective risk mitigation strategies. Gert-Jan is Founder & CEO of ‘Venation’, where he pioneers the field of scenario-based cyber threat intelligence deliverables. Previously, Gert-Jan co-founded innovative start-ups, fulfilled a cyber threat intelligence leadership role at a Big Four accounting firm, and held security engineering roles at a security integrator.