Program Overview

As generative AI and agents increasingly integrate into CTI (Cyber Threat Intelligence) operations, concerns are growing on the ground: “Will automation deprive junior analysts of growth opportunities?”

First, this presentation will outline the design philosophy and implementation/operational examples where “AI agents” and humans (intelligence analysts) co-create to operate and enhance cyber intelligence workflows.

Next, based on experience, we explore how AI and humans have divided roles to address the three critical barriers in CTI: timeliness, relevance, and rationality. The key lies in defining the boundaries of “where to use and where to delegate.”

Finally, while CTI agents have become indispensable members of our team, will they serve as mentors for junior analysts? Or will they become rivals? We also share perspectives on this challenge from a talent development standpoint.

Takahiro Kakumaru: During my research career, I pioneered mobile network security advancements through R&D, actively participated in standardization and international collaborations (including Germany). Transitioning to cybersecurity strategy, I now lead cyber threat intelligence team, particularly in strategic intelligence. Certified in CISSP and GIAC (GCTI), I regularly share expertise at global forums such as FIRST, SANS, AVAR, CTA, and MITRE.

Cyber incidents in Latin America and the Caribbean (LAC) are increasing in frequency, complexity, and geopolitical relevance. National CSIRTs, government institutions, critical infrastructure operators, and private cybersecurity teams frequently face transnational threats with limited coordination mechanisms and asymmetries in cyber maturity. The EU–LAC SHIELD initiative aims to address these gaps through a scalable, structured cooperation model linking the European Union and the LAC region.

This plenary session will introduce the technical and strategic foundations of EU–LAC SHIELD, a bi-regional architecture designed to consolidate cyber-resilience, improve operational readiness, and enhance incident response collaboration. The presentation will describe three core pillars of the initiative: (1) a Community of Practice enabling permanent knowledge exchange across sectors; (2) a Cybersecurity Reserve & Experts Pool supporting rapid cross-border deployment of specialized capabilities; and (3) a networked cybersecurity cluster model that includes public institutions, private providers, academia, and civil society.

Beyond multistakeholder coordination, the session incorporates a geopolitical perspective to examine regional threat drivers, issues of digital sovereignty, and the influence of external actors shaping cybersecurity policy and practice in LAC. Emphasis will be placed on joint detection, situational awareness, playbook interoperability, simulations, and governance mechanisms applicable to regions with uneven cybersecurity maturity.

Participants will gain insights into a collaborative model for operationalizing incident response, facilitating cross-border expertise mobilization, and strategically aligning cybersecurity ecosystems through research-informed decision-making.

Dr. Jean-Marie Chenou is the lead cybersecurity expert with Expertise France, the French technical cooperation agency, where he coordinates the EU–LAC Digital Alliance Policy Dialogues on cybersecurity, a EU-funded cooperation project under the EU-LAC Digital Alliance. He is also an associate professor at Universidad de los Andes, specializing in global political economy, cyber governance, and digital sovereignty. His work focuses on strengthening cyber-resilience through regional cooperation mechanisms, multistakeholder governance, and research-informed policy design. Dr. Chenou has advised national cybersecurity authorities, facilitated technical coordination among public and private incident response teams, and supported the development of cyber policy across the Caribbean, the Andean region, and Central America

Cyber incidents do not recognise borders, yet our response capabilities often remain siloed. This presentation explores how collaboration, standardisation, and automation can transform the way we manage cross-border incidents. We will highlight the limitations of current practices—where information is shared but processes remain fragmented—and discuss how standard operating procedures (SOPs) and cybersecurity playbooks can provide structure, repeatability, and speed in joint responses. The talk will introduce emerging open standards alongside open-source and free to use tools like demonstrating structured processes, common frameworks, and shared playbooks can help defenders to move from ad hoc coordination to efficient, scalable, and resilient cross-border response.

Manos Athanatos has more than 15 years of experience in cybersecurity and research and is a Senior Technical Project Manager at FORTH-ICS and TUC. He is also, acting as a external cybersecurity consultant and product manager. He is a member of the OASIS CACAO TC, TAC TC, CTI TC, FIRST.org and ENISA AHWG on SOC. He has been involved in more than thirty R&D projects in his career, both from the research and the product development scope. He has had the roles of the acting Project Coordinator, Scientific and Technical Coordinator, Technical Team lead, Integrator, Evaluation and Testing Leader, Risk and Quality Assurance Manager, in a number of them. He is also the head of the internal Project Management team and co-leader of the internal technical development team. His main research interests are in the areas of systems, network and system security, deception technologies, cybersecurity automation, network monitoring, CTI and SOC technologies.

Cybercriminals have long depended on domain names for phishing, spam, malware distribution, and botnet operation. Previous work revealed an abnormally high concentration of malicious registrations in a handful of registrars and TLDs. Anecdotal evidence suggests that low registration prices attract cybercriminals, implying that higher costs may discourage them. However, no existing study has systematically analyzed the factors driving abuse, leaving a critical gap in understanding how different variables influence malicious registrations.

Maciej Korczynski is a Full Professor in cybersecurity and Internet measurement at Université Grenoble INP / Université Grenoble Alpes, and a co-founder of KOR Labs. His work bridges research and operations, focusing on measuring and understanding Internet abuse, particularly DNS- and domain-related threats, and translating those insights into actionable intelligence for defenders and ecosystem partners. He has authored multiple peer-reviewed papers on domain abuse, attacker infrastructure, and ecosystem-level defenses, and regularly engages with industry and operational communities to support coordinated mitigation and multi-stakeholder response.

The evolution of threat protection has introduced AI-driven technologies to the battlefield, enhancing both network and malware defenses. However, as security tools grow more sophisticated, humans remain the most exploited target in cybersecurity. Social engineering continues to thrive by leveraging human behavior through massive phishing campaigns.

Through proper training and smart automation, phishing emails and human behavior can be transformed into powerful protection assets. With this approach, every employee becomes an active defender.Instead of relying on four security analysts, we empower 900 users who actively protect one another.

This workshop reveals how Grimaldi built a scalable human centric defense strategy: from motivating users and creating a strong security culture, to automating and validating phishing reports through GSBot.

Operating as the tactical lead under the CISO, Leonardo Geremia orchestrates the operational defense of the Grimaldi Group, a maritime giant spanning 47 nations and over 130 ports worldwide. During crises, he coordinates the full Incident Response lifecycle—from digital forensics to eradication and recovery while fortifying the network through strict global governance and proactive cyber awareness. He translates strategy into concrete security: leveraging continuous Exposure Management and multi-source Threat Intelligence to preempt attacks. With a background forged in high-pressure environments at Generali and Accenture, he now spearheads the continuous cyber-resilience of the Group.

As the Chief Information Security Officer (CISO), Luigi Cavucci serves as the strategic architect behind the Grimaldi Group’s global cyber defense. He defines the security vision for the entire organization, steering the transition to a dynamic, risk-based posture. Beyond technical hardening, he has revolutionized the corporate culture: by fostering a collaborative and participatory approach to Cyber Awareness, he has transformed the workforce into a proactive line of defense, significantly reducing human-error incidents. Leveraging his background in critical infrastructure, he now oversees the global protection of Grimaldi’s digital assets, ensuring that advanced technical defenses and human resilience work in perfect synergy.

Raffaele D’Ambrosio is a cybersecurity engineer and Italian CTF champion specializing in web security. His background includes reverse engineering and web exploitation, with a strong focus on building practical security tools. He has spoken at multiple cybersecurity conferences, contributing from both red team and blue team perspectives, and has taught cybersecurity courses at the university level. Passionate about knowledge sharing, he actively contributes to the security community through talks, teaching, and hands-on research.

Your mission if you choose to accept it: take on the role of a detection engineer to dissect the most popular attack framework for attacks against macOS, Mythic.

Mythic has various agents that can be easily integrated into the framework. In this talk, we will show common features of the agents, including how C2 communication works, how persistence can be set up, and how additional code can be executed.

Our goal is to create robust strategies for the detection of these agents and to find additional traces on the system that can be found by executing these agents on an infected computer. For the red teamers, we will discuss OPSEC considerations that need to be taken into account when using specific commands to prevent immediate detection through an EDR.

Stephan Berger has over a decade of experience in cybersecurity. Currently working with the Swiss-based company InfoGuard, Stephan investigates breaches and hacked networks as Head of Investigation of the Incident Response team. An avid Twitter user under the handle @malmoeb, he actively shares insights on cybersecurity trends and developments. Stephan also authors the blog DFIR.ch, where he provides in-depth analysis and commentary on digital forensics and incident response. Stephan has spoken at numerous conferences, sharing his expertise with audiences worldwide.

In this 45-minute dive, explore why Purple Teams bridge red and blue divides.

• Learn the 'why': Boost resilience, spot blind spots, scale defenses.
• Discover the 'how': Build from scratch, integrate tools, run exercises.
• Real-world examples from global CERT builds.
• Walk away with actionable steps to launch your own.
• No jargon overload - just practical cyber wisdom.

Alex Kouzmine is a defensive (BLUE) cybersecurity professional. He helped forging three CERT teams on three continents. Now, he's on Société Générale's Purple Team. Their mission: Scale up constant security improvements. Testing defenses. Spotting weaknesses. Strengthening the grid. In cyber wars, it's the quiet work that wins.

The Dark Web is frequently portrayed as a chaotic frontier where data leaks, ransomware groups, and threat actors operate in the open. While this visibility creates a sense of urgency, it also generates significant noise and confusion for organizations.

This session provides an overview on the primary Dark Web threats organizations face and how they look like. Rather than treating the Dark Web as a source of raw facts, we will explore it as a landscape of signals that require validation and context.

By examining real cases, this talk highlights common pitfalls in monitoring, the tactics used by scammers and anatomy of fake claims, showing how to separate meaningful intelligence from deceptive noise.

The goal is to empower decision-makers to focus on what matters, reduce overreaction, ensuring that every action is informed, proportionate, and based on validated information rather than underground fiction.

Giovanni Barbieri has been a Cyber Threat Intelligence Analyst at Group-IB since 2024. Holding a Master’s degree in Computer Engineering, he has worked in the CTI field since 2020, gaining experience across multiple domains, from threat analysis to tool development. Currently, he specializes in researching and analyzing threats originating from underground cybercrime communities.

Zero-day vulnerabilities have become a critical risk to all sectors, both for operational teams and decision-makers. However, their continued presence contrasts with the paucity of available knowledge: there is no consolidated overview, metrics or models to understand their scale. Organisations therefore lack metrics for understanding how zero-days evolve, which limits their ability to anticipate, detect and analyse risk. In the absence of a structural vision, they still rely on traditional vulnerability management based on CVE identifiers, CVSS scores or the existence of a patch, which are useful indicators but insufficient to grasp the interdependencies and ecosystem dynamics that really shape the behaviour of zero-days. Analysis therefore remains confined to isolated vulnerabilities, without understanding the structures that connect them or the mechanisms that promote their emergence, grouping or propagation.

This presentation examines and compares several zero-day vulnerabilities which have been recently exploited and therefore identified. Using a new framework currently under development, we intend to demonstrate the value of a predictive approach to their analysis and reveal the relationships that may exist between them. It also aims to illustrate how better a posteriori knowledge of certain zero-days could have limited or even prevented attacks with significant financial and technological consequences.

Myriam Ouraou is a young cybersecurity engineer specialised in Connected Objects and Cybersecurity, and a graduate of ESILV Paris. She spent two years as an apprentice Cybersecurity Engineer at Thales, where she worked on vulnerability detection and prioritisation across restricted industrial and cloud environments.

She is currently pursuing a PhD at Thales, where she applies graph- and hypergraph-based learning techniques to rethink how organisations assess and manage vulnerabilities at scale. Her work aims to bring more intelligence, context and foresight to vulnerability management, moving beyond traditional methods towards predictive, data-driven approaches.

When the critical React2Shell vulnerability (CVSS 10.0) was disclosed, organizations worldwide faced an unprecedented challenge: unauthenticated remote code execution with active exploitation by state-sponsored actors. This session will showcase how our Security Operations Center (SOC) transformed uncertainty into a structured, proactive response that prevented impact and set a benchmark for vulnerability management. We will walk through our Major Incident mindset, adopted despite formal criteria not being met, and explain why speed, collaboration, and layered detection were key to success. Attendees will learn how we:

• Assessed exposure for React.js and Next.js components under severe data limitations.
• Executed multi-layered detection, combining:
• External scanning
• Attack surface monitoring
• Internal telemetry
• Enabled global communication and accountability, ensuring rapid remediation across all regions

Finally, we will share the outcome: zero vulnerable systems post-remediation, blocked exploitation attempts, and lessons learned that can help any organization respond effectively to high-severity vulnerabilities.

Key Takeaways:

• Why proactive escalation matters when uncertainty meets active exploitation.
• How cross-team collaboration accelerates detection and remediation.
• Practical steps for integrating external and internal tools for layered defense.

Jacek Danda is an accomplished technology and security professional with a proven track record in managing large-scale operations and driving innovation in cybersecurity. With over a two decades of experience spanning information technology, security services, and software development, Jacek combines technical expertise with leadership skills to deliver solutions for complex environments.

He holds a Ph.D. in Information Technology with a specialization in signal processing from AGH University of Science and Technology in Kraków.

Jacek began his career as an Adjunct Professor at AGH University of Science and Technology, where he spent over fifteen years conducting research and teaching courses in IT and signal processing. Transitioning to the industry, he joined Cisco as an IT Engineer, where he also served as Tech Lead for the “OpenKrakow” Innovation Lab, driving cutting-edge projects and collaborating on IoT initiatives. During this time, he also contributed as a Startup Mentor for hub:raum, supporting the ChallengeUp! IoT accelerator program led by Cisco, Deutsche Telekom, and Intel.

In 2017, Jacek moved to Aptiv as a Solutions Architect, designing and implementing scalable IT solutions for automotive systems with a strong focus on security and reliability. His leadership journey continued at TietoEVRY, where he managed the Log Management team within the Security Operations Center, spearheading the development of an innovative log management platform and overseeing SIEM security operations. Since 2021, Jacek has been serving as Head of the Security Operations Center at ISS A/S, where he leads global SOC operations.

For a long time, OT/ICS weren’t connected to the Internet, factories operated in isolation, believing it was safe. Since last decade, that era is over. The line between IT and OT/ICS has blurred, and industrial systems are exposed to threats capable of shutting down entire production lines. In this new landscape, the question is no longer ""if"" an incident will happen, but ""when"", and more importantly, how to respond without stopping everything.

In this talk, we will dive into the reality of incident response in OT/ICS environments: a world where every action has physical consequences, isolating a single workstation might halt a production line with safety and environmental consequences. The priority isn’t simply restoring a system but protecting a process. We’ll revisit the architecture of an industrial system, from the Purdue model to the flow of data between supervision, control, and field layers. Because understanding these interactions is the first step toward understanding why an OT/ICS incident is never “just an IT problem.”

We’ll also explore the attackers’ entry points, often mundane, always dangerous. We will look at the human and organizational weaknesses that can turn an incident into a full-blown crisis. Responding to an OT/ICS incident means walking a tightrope between safety and availability. It means accepting that a technically sound decision might be operationally disastrous. Because ultimately, the key isn’t to react fast, but to react right, keeping the production running, even when everything else is under attack.

Sabri Khemissa is an industrial cybersecurity specialist with a 25 years extensive hands-on experience responding to cyber incidents in operational environments. Former OT Cybersecurity Manager for major industrial groups, he has supported numerous production sites facing security events ranging from malware outbreaks to unauthorized remote access and network intrusions.

He has worked across a wide range of industrial sectors — including energy, food & beverage, transportation, automotive, chemicals, and manufacturing — giving him a clear understanding of the different operational constraints and technical realities specific to each industry. Today, he helps organizations improve their preparedness, detection capabilities, and resilience through realistic OT-focused response plans and site-level technical assessments. And unfortunately, he continues to support companies in these sectors as they face cyber incidents that disrupt or threaten their operations.

Sabri regularly shares feedback from real-world interventions to help bridge the gap between cybersecurity principles and the practical challenges encountered in industrial facilities.

Large enterprises increasingly face a non-traditional insider threat: employment fraud, where the individual hired is not the person performing the work, operates from an undisclosed location, or relies on proxy access for financial gain. Over the past nine months, our CSIRT conducted multiple investigations across a global workforce of approximately 150,000 employees and contractors, uncovering recurring and repeatable techniques used by unrelated actors.

This talk focuses on post-hire detection, not pre-employment vetting. We present how blue teams can identify proxy workers and location fraud using security telemetry already available in most enterprises—primarily identity signals, multi-factor authentication behaviour, endpoint telemetry, and network indicators. Key patterns include consumer VPN usage during authentication, VOIP-based second-factor enrollment, synthetic or virtual mobile devices, mismatches between claimed and observed locations, and indirect access to company-issued laptops physically located in a different country.

At the endpoint level, we show how suspicious or unfamiliar processes observed during investigations can indicate the use of remote monitoring and management (RMM) tooling to relay access. To scale this analysis, we selectively enrich process telemetry using language-model–based analysis combined with controlled web search to determine whether unknown software corresponds to known remote access or management tools.

The session addresses the operational challenges of detecting these behaviours at scale in a highly diverse, global environment, including legitimate edge cases that closely resemble fraud. We conclude with real-world investigation workflows, lessons learned, and practical detection ideas attendees can implement immediately, as well as guidance on how CSIRTs can lead these investigations without becoming HR surveillance teams.

Jean-Francois Dive, threat hunting investigator, Cisco CSIRT: Jean-Francois is a Belgian investigator at Cisco CSIRT for the last 10 years, with 25 years' experience spanning cybersecurity, network, software and systems engineering. While not busy hunting for cyber threats or responding to incidents he enjoys the outdoors and arts in general.

Jeremie Banier is a Belgian Cyber Threat Hunter at Cisco with 20+ years' experience spanning cybersecurity, DevSecOps, and network engineering. With a background in ethical AI, secure infrastructure, and incident response he enjoys beers and is only happy when it rains.