| Day 1 | |
|---|---|
| 08:00 – 09:15 | Registration & Welcoming Reception |
| 09:15 – 09:20 | Opening Speech - Craig Johns, Former Director of Cybercrime at Interpol |
| 09:20 – 09:30 | Welcoming Speech - Olivier Caleff, Chair of the FRIST Board of Directors |
| 09:30 – 10:15 | Are CTI Agents Friends or Rivals to Junior Analysts? Takahiro Kakumaru (NEC Corporation, JP) |
| 10:15 – 11:00 | “You Hired Alice, But Bob Logged In”: Detecting Fraudulent Workers and Proxy Access in the Enterprise Jean-Francois Dive, Jérémie Banier (CISCO) |
| 11:00 – 11:30 | Networking Break |
| 11:30 – 12:15 | To Be Announced |
| 12:15 – 13:15 | Lunch |
| 13:15 – 14:00 | The Dark Web Wild West: Making Sense of the Chaos Giovanni Barbieri (Group-IB) |
| 14:00 – 14:45 | When the Factory Falls Silent: Responding to Cyber Chaos in OT/ICS Systems Sabri Khemissa (Fortress Cybersecurity) |
| 14:45 – 15:15 | Networking Break |
| 15:15 – 16:00 | Exploring WSL Artifacts on Windows Husam Shbib (TrustLink) |
| 16:00 – 00:00 | From Weakest Link to Strongest Defense - How to Turn Users into Your Strongest Cyber Defense Luigi Cavucci (GRIMALDI EUROMED) |
| 16:45 – 17:00 | Event Wrap Up - Group-IB |
| 17:00 – 18:00 | Social Drinks |
| Day 2 | |
|---|---|
| 09:15 – 09:30 | Welcoming Speech - Co-host |
| 09:30 – 10:15 | The Detection Maturity Gap: Why SOCs Struggle to Build Effective Use Cases, and a Model to Fix It Imane Bachane, Jamaleddine Hadini (BLUESEC, MA) |
| 10:15 – 11:00 | Purple Power: All Quiet on the Cyber Front Alex Kouzmine (CERT-LEXSI, FR) |
| 11:00 – 11:30 | Networking Break |
| 11:30 – 12:15 | Dr. Jean-Marie Chenou (Expertise France, FR) |
| 12:15 – 13:15 | Lunch |
| 13:15 – 14:00 | Myriam Ouraou (Thales Digital Factory) |
| 14:00 – 14:45 | Inside Mythic: Dissecting a Modern Attack Framework Stephan Berger (InfoGuard AG, CH) |
| 14:45 – 15:15 | Networking Break |
| 15:15 – 16:00 | Turning Crisis into Control: A Model Response to React2Shell (CVE-2025-55182) Jacek Danda (ISS) |
| 16:00 – 16:45 | Cross-Border Incident Response: A Modern Paradigm Manos Athanatos (Technical University of Crete, GR) |
| 16:45 – 17:00 | Event Wrap Up - Group-IB |
Takahiro Kakumaru (NEC Corporation, JP)
During my research career, I pioneered mobile network security advancements through R&D and actively participated in standardization and international collaborations (including Germany). Transitioning to cybersecurity strategy, I now lead the cyber threat intelligence team, particularly in strategic intelligence. Certified in CISSP and GIAC (GCTI), I regularly share expertise at global forums such as FIRST, SANS, AVAR, CTA, and MITRE.
As generative AI and agents increasingly integrate into CTI (Cyber Threat Intelligence) operations, concerns are growing on the ground: “Will automation deprive junior analysts of growth opportunities?”
First, this presentation will outline the design philosophy and implementation/operational examples where “AI agents” and humans (intelligence analysts) co-create to operate and enhance cyber intelligence workflows.
Next, based on experience, we explore how AI and humans have divided roles to address the three critical barriers in CTI: timeliness, relevance, and rationality. The key lies in defining the boundaries of “where to use and where to delegate.”
Finally, while CTI agents have become indispensable members of our team, will they serve as mentors for junior analysts? Or will they become rivals? We also share perspectives on this challenge from a talent development standpoint.
February 9, 2026 09:30-10:15
Dr. Jean-Marie Chenou (Expertise France, FR)
Cyber incidents in Latin America and the Caribbean (LAC) are increasing in frequency, complexity, and geopolitical relevance. National CSIRTs, government institutions, critical infrastructure operators, and private cybersecurity teams frequently face transnational threats with limited coordination mechanisms and asymmetries in cyber maturity. The EU–LAC SHIELD initiative aims to address these gaps through a scalable, structured cooperation model linking the European Union and the LAC region.
This plenary session will introduce the technical and strategic foundations of EU–LAC SHIELD, a bi-regional architecture designed to consolidate cyber-resilience, improve operational readiness, and enhance incident response collaboration. The presentation will describe three core pillars of the initiative: (1) a Community of Practice enabling permanent knowledge exchange across sectors; (2) a Cybersecurity Reserve & Experts Pool supporting rapid cross-border deployment of specialized capabilities; and (3) a networked cybersecurity cluster model that includes public institutions, private providers, academia, and civil society.
Beyond multistakeholder coordination, the session incorporates a geopolitical perspective to examine regional threat drivers, issues of digital sovereignty, and the influence of external actors shaping cybersecurity policy and practice in LAC. Emphasis will be placed on joint detection, situational awareness, playbook interoperability, simulations, and governance mechanisms applicable to regions with uneven cybersecurity maturity.
Participants will gain insights into a collaborative model for operationalizing incident response, facilitating cross-border expertise mobilization, and strategically aligning cybersecurity ecosystems through research-informed decision-making.
February 10, 2026 11:30-12:15
Manos Athanatos (Technical University of Crete, GR)
Manos Athanatos has more than 15 years of experience in cybersecurity and research and is a Senior Technical Project Manager at FORTH-ICS and TUC. He is also acting as an external cybersecurity consultant and product manager. He is a member of the OASIS CACAO TC, TAC TC, CTI TC, FIRST.org and the ENISA AHWG on SOC. He has been involved in more than thirty R&D projects in his career, from both the research and the product development side. He has held the roles of acting Project Coordinator, Scientific and Technical Coordinator, Technical Team Lead, Integrator, Evaluation and Testing Leader, and Risk and Quality Assurance Manager in a number of them. He is also the head of the internal Project Management team and co-leader of the internal technical development team. His main research interests are in the areas of systems, network and system security, deception technologies, cybersecurity automation, network monitoring, CTI and SOC technologies.
Cyber incidents do not recognise borders, yet our response capabilities often remain siloed. This presentation explores how collaboration, standardisation, and automation can transform the way we manage cross-border incidents. We will highlight the limitations of current practices, where information is shared but processes remain fragmented, and discuss how standard operating procedures (SOPs) and cybersecurity playbooks can provide structure, repeatability, and speed in joint responses. The talk will introduce emerging open standards alongside open-source and free-to-use tools, demonstrating how structured processes, common frameworks, and shared playbooks can help defenders move from ad hoc coordination to efficient, scalable, and resilient cross-border response.
February 10, 2026 16:00-16:45
Husam Shbib (TrustLink)
Husam Shbib is a professional cybersecurity consultant, focused on penetration testing and digital forensics. Throughout his career, he has exhibited an unwavering commitment to overcoming challenges, considering them stepping-stones to success.
He is the founder of the MemoryForensic website, a valuable resource for learning about digital forensics, especially memory forensics. He holds multiple well-regarded cybersecurity certifications, including CFCE, ICMDE, CCE, CCD, CCDFA, 13Cubed IWM, 3CE, 3CI, eCDFP, MCFE, etc. These certifications underscore his commitment to maintaining a high level of expertise and staying current with industry’s best practices.
He is also a speaker at well-known conferences and events such as BlackHat MEA, ASFSFM, IBA Karachi University, 3D Forensics, etc.
He is an advocate for fostering awareness in cybersecurity communities. So, he is committed to sharing cybersecurity knowledge, both through online platforms such as LinkedIn and YouTube, as well as online & in-person mentoring.
In today’s increasingly hybrid computing environments, tools that provide Unix-like environments such as the Windows Subsystem for Linux (WSL) are being widely adopted on Windows systems for development, automation, and system administration. While WSL offers powerful capabilities, it also introduces a set of forensic artifacts that digital examiners must be familiar with to recognize and analyze. This session will serve as a forensic crash course - starting with an overview of WSL and progressing into the identification, analysis, and interpretation of key WSL-related artifacts left on Windows systems. As APTs always look for methods to evade detection, understanding the limitations of traditional forensic tools and gaining visibility into WSL activity becomes critical. This session aims to empower DFIR practitioners with the knowledge necessary to uncover traces within hybrid environments and enhance their investigative capabilities.
February 9, 2026 15:15-16:00
Luigi Cavucci (GRIMALDI EUROMED)
The evolution of threat protection has introduced AI-driven technologies to the battlefield, enhancing both network and malware defenses. However, as security tools grow more sophisticated, humans remain the most exploited target in cybersecurity. Social engineering continues to thrive by leveraging human behavior through massive phishing campaigns.
Through proper training and smart automation, phishing emails and human behavior can be transformed into powerful protection assets. With this approach, every employee becomes an active defender. Instead of relying on four security analysts, we empower 900 users who actively protect one another.
This workshop reveals how Grimaldi built a scalable, human-centric defense strategy: from motivating users and creating a strong security culture, to automating and validating phishing reports through GSBot.
February 9, 2026 16:00-00:00
Stephan Berger (InfoGuard AG, CH)
Stephan Berger has over a decade of experience in cybersecurity. Currently working with the Swiss-based company InfoGuard, Stephan investigates breaches and hacked networks as Head of Investigation of the Incident Response team. An avid Twitter user under the handle @malmoeb, he actively shares insights on cybersecurity trends and developments. Stephan also authors the blog DFIR.ch, where he provides in-depth analysis and commentary on digital forensics and incident response. Stephan has spoken at numerous conferences, sharing his expertise with audiences worldwide.
Your mission if you choose to accept it: take on the role of a detection engineer to dissect the most popular attack framework for attacks against macOS, Mythic.
Mythic has various agents that can be easily integrated into the framework. In this talk, we will show common features of the agents, including how C2 communication works, how persistences can be set up, and how additional code can be executed.
Our goal is to create robust strategies for the detection of these agents and to find additional traces on the system that can be found by executing these agents on an infected computer. For the red teamers, we will discuss OPSEC considerations that need to be taken into account when using specific commands to prevent immediate detection through an EDR.
February 10, 2026 14:00-14:45
Alex Kouzmine (CERT-LEXSI, FR)
Alex is a defensive (BLUE) cybersecurity professional. He helped forge three CERT teams on three continents. Now, he's on Société Générale's Purple Team. Their mission: Scale up constant security improvements. Testing defenses. Spotting weaknesses. Strengthening the grid. In cyber wars, it's the quiet work that wins.
In this 45-minute dive, explore why Purple Teams bridge red and blue divides.
February 10, 2026 10:15-11:00
Giovanni Barbieri (Group-IB)
Giovanni has been a Cyber Threat Intelligence Analyst at Group-IB since 2024. Holding a Master’s degree in Computer Engineering, he has worked in the CTI field since 2020, gaining experience across multiple domains, from threat analysis to tool development. Currently, he specializes in researching and analyzing threats originating from underground cybercrime communities.
The Dark Web is frequently portrayed as a chaotic frontier where data leaks, ransomware groups, and threat actors operate in the open. While this visibility creates a sense of urgency, it also generates significant noise and confusion for organizations.
This session provides an overview of the primary Dark Web threats organizations face and what they look like. Rather than treating the Dark Web as a source of raw facts, we will explore it as a landscape of signals that require validation and context.
By examining real cases, this talk highlights common pitfalls in monitoring, the tactics used by scammers and the anatomy of fake claims, showing how to separate meaningful intelligence from deceptive noise.
The goal is to empower decision-makers to focus on what matters and reduce overreaction, ensuring that every action is informed, proportionate, and based on validated information rather than underground fiction.
February 9, 2026 13:15-14:00
Imane Bachane (BLUESEC, MA), Jamaleddine Hadini (BLUESEC, MA)
Imane Bachane is the Founder and CEO of BLUESEC, where she focuses on SOC transformation, cyber governance, and intelligence-driven security operations across Africa and the Arab regions. Before creating BLUESEC, she led Cyber Threat Intelligence activities for a major banking group, helping build and align an intelligence function that directly supported detection, response, and strategic decision-making. Her expertise bridges CTI, SOC maturity, and threat-informed defense, with a strong focus on turning frameworks and models into practical workflows that real SOC teams can execute. She works with financial institutions, industrial operators, and national organizations to help them move from reactive monitoring to structured, intelligence-led operations. Imane is an active contributor to the regional cybersecurity ecosystem, advocating for sovereign, resilient, and maturity-focused SOC capabilities, and for making cyber intelligence useful, usable, and rooted in operational reality.
Jamaleddine Hadini is a cybersecurity practitioner specializing in incident response, digital forensics, and SOC modernization. With more than ten years of experience supporting critical organizations, he develops resilient defense capabilities grounded in threat-informed practices, automation, and defensible architectures. His expertise spans threat hunting, detection engineering, DFIR, and OT/industrial cybersecurity. Jamaleddine holds several certifications, including SANS GCFA, SANS GRID, and CHFI, reflecting his expertise across blue-team operations. A strong advocate for capacity building in Africa, he collaborates with industry partners to strengthen regional expertise and contribute to sustainable, sovereign cyber capabilities.
Why do SOCs with "mature" processes still miss high-profile attacks? The problem isn't the tools—it’s the Detection Maturity Gap. Organizations accumulate dozens of use cases that satisfy auditors but fail to trigger during real intrusions due to weak validation and theoretical logic.
Drawing on extensive experience securing critical infrastructure across Africa and the Middle East, we will present a field-tested Detection Maturity Model designed to bridge this gap. This talk moves beyond theory to offer a five-step framework for operational resilience: Threat Relevance, Telemetry Readiness, Logic Quality, Operational Validation, and Measurability.
Using anonymized case studies, this session exposes why standard maturity metrics fail and demonstrates how to pivot from "compliance-driven" to "intelligence-led" detection. Attendees will gain a diagnostic toolkit to evaluate their own programs and ensure their detections work when it matters most, not just on paper.
February 10, 2026 09:30-10:15
Myriam Ouraou (Thales Digital Factory)
Zero-day vulnerabilities have become a critical risk to all sectors, both for operational teams and decision-makers. However, their continued presence contrasts with the paucity of available knowledge: there is no consolidated overview, metrics or models to understand their scale. Organisations therefore lack metrics for understanding how zero-days evolve, which limits their ability to anticipate, detect and analyse risk. In the absence of a structural vision, they still rely on traditional vulnerability management based on CVE identifiers, CVSS scores or the existence of a patch, which are useful indicators but insufficient to grasp the interdependencies and ecosystem dynamics that really shape the behaviour of zero-days. Analysis therefore remains confined to isolated vulnerabilities, without understanding the structures that connect them or the mechanisms that promote their emergence, grouping or propagation.
This presentation examines and compares several zero-day vulnerabilities which have been recently exploited and therefore identified. Using a new framework currently under development, we intend to demonstrate the value of a predictive approach to their analysis and reveal the relationships that may exist between them. It also aims to illustrate how better a posteriori knowledge of certain zero-days could have limited or even prevented attacks with significant financial and technological consequences.
February 10, 2026 13:15-14:00
Jacek Danda (ISS)
When the critical React2Shell vulnerability (CVSS 10.0) was disclosed, organizations worldwide faced an unprecedented challenge: unauthenticated remote code execution with active exploitation by state-sponsored actors. This session will showcase how our Security Operations Center (SOC) transformed uncertainty into a structured, proactive response that prevented impact and set a benchmark for vulnerability management. We will walk through our Major Incident mindset, adopted despite formal criteria not being met, and explain why speed, collaboration, and layered detection were key to success. Attendees will learn how we:
Finally, we will share the outcome: zero vulnerable systems post-remediation, blocked exploitation attempts, and lessons learned that can help any organization respond effectively to high-severity vulnerabilities.
Key Takeaways:
February 10, 2026 15:15-16:00
Sabri Khemissa (Fortress Cybersecurity)
Sabri Khemissa is an industrial cybersecurity specialist with 25 years of extensive hands-on experience responding to cyber incidents in operational environments. Former OT Cybersecurity Manager for major industrial groups, he has supported numerous production sites facing security events ranging from malware outbreaks to unauthorized remote access and network intrusions.
He has worked across a wide range of industrial sectors — including energy, food & beverage, transportation, automotive, chemicals, and manufacturing — giving him a clear understanding of the different operational constraints and technical realities specific to each industry. Today, he helps organizations improve their preparedness, detection capabilities, and resilience through realistic OT-focused response plans and site-level technical assessments. And unfortunately, he continues to support companies in these sectors as they face cyber incidents that disrupt or threaten their operations.
Sabri regularly shares feedback from real-world interventions to help bridge the gap between cybersecurity principles and the practical challenges encountered in industrial facilities.
For a long time, OT/ICS weren’t connected to the Internet; factories operated in isolation, believing that was safe. Since the last decade, that era has been over. The line between IT and OT/ICS has blurred, and industrial systems are exposed to threats capable of shutting down entire production lines. In this new landscape, the question is no longer “if” an incident will happen but “when”, and, more importantly, how to respond without stopping everything.
In this talk, we will dive into the reality of incident response in OT/ICS environments: a world where every action has physical consequences, isolating a single workstation might halt a production line with safety and environmental consequences. The priority isn’t simply restoring a system but protecting a process. We’ll revisit the architecture of an industrial system, from the Purdue model to the flow of data between supervision, control, and field layers. Because understanding these interactions is the first step toward understanding why an OT/ICS incident is never “just an IT problem.”
We’ll also explore the attackers’ entry points, often mundane, always dangerous. We will look at the human and organizational weaknesses that can turn an incident into a full-blown crisis. Responding to an OT/ICS incident means walking a tightrope between safety and availability. It means accepting that a technically sound decision might be operationally disastrous. Because ultimately, the key isn’t to react fast, but to react right, keeping production running even when everything else is under attack.
February 9, 2026 14:00-14:45
Jean-Francois Dive (CISCO), Jérémie Banier (CISCO)
Jean-Francois Dive, threat hunting investigator, Cisco CSIRT: Jean-Francois is a Belgian investigator at Cisco CSIRT for the last 10 years, with 25 years' experience spanning cybersecurity, network, software and systems engineering. While not busy hunting for cyber threats or responding to incidents he enjoys the outdoors and arts in general.
Jeremie is a Belgian Cyber Threat Hunter at Cisco with 20+ years' experience spanning cybersecurity, DevSecOps, and network engineering. With a background in ethical AI, secure infrastructure, and incident response he enjoys beers and is only happy when it rains.
Large enterprises increasingly face a non-traditional insider threat: employment fraud, where the individual hired is not the person performing the work, operates from an undisclosed location, or relies on proxy access for financial gain. Over the past nine months, our CSIRT conducted multiple investigations across a global workforce of approximately 150,000 employees and contractors, uncovering recurring and repeatable techniques used by unrelated actors.
This talk focuses on post-hire detection, not pre-employment vetting. We present how blue teams can identify proxy workers and location fraud using security telemetry already available in most enterprises—primarily identity signals, multi-factor authentication behaviour, endpoint telemetry, and network indicators. Key patterns include consumer VPN usage during authentication, VOIP-based second-factor enrollment, synthetic or virtual mobile devices, mismatches between claimed and observed locations, and indirect access to company-issued laptops physically located in a different country.
At the endpoint level, we show how suspicious or unfamiliar processes observed during investigations can indicate the use of remote monitoring and management (RMM) tooling to relay access. To scale this analysis, we selectively enrich process telemetry using language-model–based analysis combined with controlled web search to determine whether unknown software corresponds to known remote access or management tools.
The session addresses the operational challenges of detecting these behaviours at scale in a highly diverse, global environment, including legitimate edge cases that closely resemble fraud. We conclude with real-world investigation workflows, lessons learned, and practical detection ideas attendees can implement immediately, as well as guidance on how CSIRTs can lead these investigations without becoming HR surveillance teams.
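As an added illustration of the post-hire detection signals this abstract lists (consumer VPN during authentication, VOIP second factor, virtual mobile devices, claimed-versus-observed location mismatch, and unfamiliar endpoint processes), here is a small triage routine over constructed telemetry. It is example code written for this page, not Cisco CSIRT's tooling; the event fields, indicator weights, escalation threshold and the "approved travel" exception for the legitimate edge case are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    """One authentication record, with fields assumed for this example."""
    user: str
    claimed_country: str   # country on the HR record
    observed_country: str  # country of the authenticating source IP
    source_type: str       # "corporate", "residential" or "consumer_vpn"
    mfa_factor: str        # "mobile", "voip" or "hardware"
    device_class: str      # "physical" or "virtual"


# Indicator weights are assumptions for this example, not the talk's scoring.
WEIGHTS = {
    "consumer_vpn_auth": 2,
    "voip_second_factor": 2,
    "virtual_mobile_device": 2,
    "location_mismatch": 3,
}
ESCALATE_AT = 5


def event_indicators(ev, approved_travel):
    """Return the indicator names raised by one authentication event.
    approved_travel maps user -> set of countries HR has approved; this is
    the legitimate edge case (business travel) that otherwise looks like fraud."""
    found = []
    if ev.source_type == "consumer_vpn":
        found.append("consumer_vpn_auth")
    if ev.mfa_factor == "voip":
        found.append("voip_second_factor")
    if ev.device_class == "virtual":
        found.append("virtual_mobile_device")
    mismatch = ev.observed_country != ev.claimed_country
    if mismatch and ev.observed_country not in approved_travel.get(ev.user, set()):
        found.append("location_mismatch")
    return found


def triage_users(events, approved_travel):
    """Aggregate distinct indicators per user and escalate above the threshold."""
    per_user = defaultdict(set)
    for ev in events:
        per_user[ev.user].update(event_indicators(ev, approved_travel))
    result = {}
    for user, inds in per_user.items():
        score = sum(WEIGHTS[i] for i in inds)
        result[user] = {"score": score, "indicators": sorted(inds),
                        "escalate": score >= ESCALATE_AT}
    return result


def unknown_processes(observed, baseline):
    """Endpoint side: processes outside the gold-image baseline are the
    candidates to enrich (manually, or with the model-plus-search step the
    talk describes) before deciding whether they are RMM tooling."""
    return sorted(set(observed) - set(baseline))


# Constructed sample telemetry (not real investigation data).
EVENTS = [
    AuthEvent("alice", "BE", "BE", "corporate", "mobile", "physical"),
    AuthEvent("alice", "BE", "DE", "residential", "mobile", "physical"),  # approved trip
    AuthEvent("bob", "US", "US", "consumer_vpn", "voip", "virtual"),
    AuthEvent("bob", "US", "AU", "residential", "voip", "virtual"),
]
APPROVED_TRAVEL = {"alice": {"DE"}}
BASELINE = {"explorer.exe", "outlook.exe", "teams.exe"}
OBSERVED = ["explorer.exe", "teams.exe", "remote_relay_svc.exe"]  # constructed name

if __name__ == "__main__":
    for user, verdict in triage_users(EVENTS, APPROVED_TRAVEL).items():
        print(user, verdict)
    print("enrich:", unknown_processes(OBSERVED, BASELINE))
```

Alice's out-of-country login is suppressed by the HR-approved travel record, while Bob accumulates four distinct indicators across two events and is escalated for analyst review.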
February 9, 2026 10:15-11:00