Day 1 - September 25 | |
---|---|
09:00 – 09:15 | Opening Remarks |
09:15 – 10:15 | Keynote - Jen Ellis |
10:15 – 10:45 | Quarterly Vulnerability Forecasts - Éireann Leverett (Concinnity Risks, GB) |
10:45 – 11:15 | Break |
11:15 – 12:00 | How Many Vulnerabilities Are There? - Benjamin Edwards (Bitsight, US) |
12:00 – 12:45 | How Nestlé Manages Vulnerabilities at Scale - Angelo Punturiero (Nestlé, IT); Jenifer Jimenez (Nestlé, ES); Martin Karel (Nestlé, SK) |
12:45 – 13:45 | Lunch |
13:45 – 14:30 | From Prompts to Agents: Building Agentic CVE Analysis Systems - Andrey Lukashenkov (Vulners, ES) |
14:30 – 15:15 | Observing Exploitation Activity - Jay Jacobs (Empirical Security, US) |
15:15 – 15:45 | Break |
15:45 – 16:30 | A New Best Practice Proposal: Connecting Vulnerabilities and Stakeholders at Scale - Jeroen van der Ham (NCSC-NL, NL); Ting-Han Chen (University of Twente, NL) |
16:30 – 17:00 | Art Manion (ANALYGENCE Labs, US) |
Day 2 - September 26 | |
---|---|
09:00 – 09:15 | Opening Remarks |
09:15 – 10:00 | Inside a Ransomware Operation: Analyzing the Black Basta Chat Leak - Mil Rajic (Independent Expert) |
10:00 – 10:45 | Learning by Making Vulnerabilities Up - Éireann Leverett (Concinnity Risks, GB) |
10:45 – 11:15 | Break |
11:15 – 12:00 | Understanding Naming and Related Issues - Jeroen van der Ham (NCSC-NL, NL) |
12:00 – 12:45 | Vulnerability Information Elements: What Matters and Why - Art Manion (ANALYGENCE Labs, US); Jay Jacobs (Empirical Security, US) |
12:45 – 13:45 | Lunch |
13:45 – 14:30 | A Time-Series Approach to Predicting CVE Volume - Jerry Gamblin (Cisco, US) |
14:30 – 15:15 | Vulnerability Mapping and Prioritization - Dmitry Raidman (Cybeats, CA) |
15:15 – 15:45 | Break |
15:45 – 16:30 | VLAI: A RoBERTa-Based Model for Automated Vulnerability Severity Classification - Cédric Bonhomme (CIRCL, FR) |
16:30 – 17:00 | Closing Remarks |
Jeroen van der Ham (NCSC-NL, NL), Ting-Han Chen (University of Twente, NL)
Jeroen van der Ham-de Vos (he/him) is associate professor at the University of Twente. His research currently focuses on vulnerability prioritisation and management, incident response, the many developments in coordinated vulnerability disclosure, and ethics of cybersecurity and computer science.
Jeroen is a member of the editorial board of the ACM journal Digital Threats: Research and Practice, is an active member of the FIRST community, was the co-editor of the Code of Ethics for Incident and Security Teams, and serves on several programme committees.
September 25, 2025 15:45-16:30
Jerry Gamblin (Cisco, US)
Jerry Gamblin is a Principal Engineer in the Threat Detection & Response business group at Cisco Security, where he leads research and data science initiatives to enhance Cisco Security products. He is actively involved in the CVE community, participating in various working groups and serving as a member of the EPSS SIG. He regularly speaks on vulnerabilities and vulnerability management at international conferences and manages a CVE data collection site at CVE.ICU.
September 26, 2025 13:45-14:30
Andrey Lukashenkov (Vulners, ES)
Andrey Lukashenkov handles all things revenue, product, and marketing at Vulners - a bootstrapped, profitable company committed to providing an all-in-one vulnerability intelligence platform to the cybersecurity community.
Being naturally curious and having a technical background, he leverages unlimited access to the Vulners database to research various topics related to vulnerability management, prioritization, exploitation, and scoring.
Traditional AI approaches to vulnerability analysis rely on single-model interactions that lack specialized domain expertise and structured intelligence integration. This talk demonstrates the evolution from simple ChatGPT prompts to sophisticated multi-agent systems capable of collaborative cybersecurity analysis.
We'll explore building an agentic CVE analysis system using CrewAI, showcasing how multiple specialized AI agents can work together to provide comprehensive vulnerability intelligence. The presentation covers practical implementation of agent roles, task orchestration, and tool integration with vulnerability databases like Vulners MCP.
Key focus areas include prompt engineering strategies for agent collaboration, handling context limitations through specialized tools, and designing flexible yet specific agent configurations. Attendees will see live demonstrations comparing traditional single-prompt analysis against multi-agent approaches, highlighting improved accuracy and actionable intelligence.
The session concludes with lessons learned from building production-ready agentic systems, emphasizing the critical balance between agent specificity and flexibility. This is not about CVE overload—it's about understanding scalable patterns for complex cybersecurity workflows that extend beyond vulnerability management.
September 25, 2025 13:45-14:30
Benjamin Edwards (Bitsight, US)
Dr. Benjamin Edwards is a principal research scientist working at Bitsight. An expert in ML and statistics, Ben synthesizes security data into actionable insights. He has led research on a wide variety of security topics including vulnerability management, application security, human risk, Next-gen SIEM, nation state cybersecurity policy, and the security of ML models. He is an active member of the security community, contributing to open standards efforts including both EPSS and CVSSv4. His work has been published in leading industry and academic venues.
September 25, 2025 11:15-12:00
Angelo Punturiero (Nestlé, IT), Jenifer Jimenez (Nestlé, ES), Martin Karel (Nestlé, SK)
Angelo Punturiero is an Italian native who has recently moved to the enchanting city of Barcelona. He proudly serves as a Vulnerability Management Senior Specialist in the Nestlé CSOC Vulnerability Management team. With a deep passion for cybersecurity and the art of fine cuisine, he has improved his skills through years of experience at renowned IT consulting firms. This professional journey has led him to Nestlé, where he coordinates the process that determines the Corporate Rating of the daily published CVEs, ensuring that the appropriate stakeholders are promptly informed of any imminent risks. Additionally, he actively engages in matters related to Cloud Security and contributes to projects involving Generative AI in the realm of cybersecurity.
Jenifer Jiménez, native of Spain, is currently working as a Senior Vulnerability Management Specialist at Nestlé Global Services in Barcelona. She is the lead architect of the vulnerability management orchestration platform. Prior to her current role, she was part of the team providing security services to global Hewlett-Packard customers, as well as managing the development of security platforms for the CSIRT at CaixaBank. With a deep passion for her work and a commitment to staying at the forefront of industry trends, she strives to make a positive impact in the field of cybersecurity. Her dedication to securing critical systems and her love for salsa dancing and family bring a unique blend of expertise and personal fulfillment to her life.
Martin Karel, a native of Slovakia, is currently leading the Nestlé global vulnerability management and offensive security team based in Spain. He has been a part of the Global CSOC since its establishment in 2016 and has played a crucial role in various key projects, including incident response, security monitoring, and the centralization and automation of vulnerability management processes. Prior to his current role, Martin led similar projects at HP Enterprise and SEAT, a car manufacturer within the VW group. In his leisure time, he is passionate about ballroom dancing and values spending quality time with his two daughters.
September 25, 2025 12:00-12:45
Mil Rajic (Independent Expert)
Mil Rajic: Cyber Security Specialist, Independent Expert, Serbia
September 26, 2025 09:15-10:00
Éireann Leverett (Concinnity Risks, GB)
Éireann Leverett is the co-author of Solving Cyber Risk, and regularly writes about cyber risk perception, articulation, and quantification. He is a co-chair of the Ransomware SIG, and a long-time DFIR innovator and data scientist. When he's not working in cyber insurance and risk, he likes writing code, papers, and taking long walks in nature.
While his bio is serious, he hates writing bios in the third person, and once placed second in an Eireann Leverett impersonation contest.
September 26, 2025 10:00-10:45
Jay Jacobs (Empirical Security, US)
Jay Jacobs is a Co-founder and Chief Data Scientist at Empirical Security and Chief Data Scientist Emeritus at Cyentia Institute. Jay is also the lead data scientist for the Exploit Prediction Scoring System (EPSS) and is co-chair of the EPSS special interest group at FIRST. He is also a co-founder of the Society for Information Risk Analysts (SIRA), a not-for-profit association dedicated to advancing risk management practices where he served on the board of directors for several years. Finally, Jay is a co-author of “Data-Driven Security”, a book covering data analysis and visualizations for information security professionals.
September 25, 2025 14:30-15:15
Éireann Leverett (Concinnity Risks, GB)
Éireann Leverett is the co-author of Solving Cyber Risk, and regularly writes about cyber risk perception, articulation, and quantification. He is a co-chair of the Ransomware SIG, and a long-time DFIR innovator and data scientist. When he's not working in cyber insurance and risk, he likes writing code, papers, and taking long walks in nature.
While his bio is serious, he hates writing bios in the third person, and once placed second in an Eireann Leverett impersonation contest.
September 25, 2025 10:15-10:45
Jeroen van der Ham (NCSC-NL, NL)
Jeroen van der Ham-de Vos (he/him) is associate professor at the University of Twente. His research currently focuses on vulnerability prioritisation and management, incident response, the many developments in coordinated vulnerability disclosure, and ethics of cybersecurity and computer science.
Jeroen is a member of the editorial board of the ACM journal Digital Threats: Research and Practice, is an active member of the FIRST community, was the co-editor of the Code of Ethics for Incident and Security Teams, and serves on several programme committees.
September 26, 2025 11:15-12:00
Cédric Bonhomme (CIRCL, FR)
Cédric Bonhomme is a seasoned computer scientist with a deep passion for computer security and privacy. From 2010 to 2017, he worked as an R&D Engineer at a research center, specializing in Multi-Agent Systems and Cybersecurity. Since 2017, he has been an integral part of CIRCL, actively contributing to CSIRT operations and the development of innovative open-source software projects. Currently, he serves as the lead developer of Vulnerability-Lookup, driving advancements in vulnerability research and management.
September 26, 2025 15:45-16:30
Art Manion (ANALYGENCE Labs, US), Jay Jacobs (Empirical Security, US)
Art Manion spends a lot of time working on various aspects of cybersecurity vulnerabilities including coordinated disclosure, measurement, response prioritization, and public policy. Art has led and contributed to vulnerability-related efforts at the Forum of Incident Response and Security Teams (FIRST), the CVE Program, ISO/IEC JTC 1/SC 27, and the (US) National Telecommunications and Information Administration (NTIA). Art is the Deputy Director of ANALYGENCE Labs where he works closely with the (US) Cybersecurity and Infrastructure Security Agency (CISA). Art previously managed vulnerability analysis at the CERT Coordination Center (CERT/CC).
Jay Jacobs is a Co-founder and Chief Data Scientist at Empirical Security and Chief Data Scientist Emeritus at Cyentia Institute. Jay is also the lead data scientist for the Exploit Prediction Scoring System (EPSS) and is co-chair of the EPSS special interest group at FIRST. He is also a co-founder of the Society for Information Risk Analysts (SIRA), a not-for-profit association dedicated to advancing risk management practices where he served on the board of directors for several years. Finally, Jay is a co-author of “Data-Driven Security”, a book covering data analysis and visualizations for information security professionals.
September 26, 2025 12:00-12:45
Dmitry Raidman (Cybeats, CA)
Dmitry Raidman is a visionary entrepreneur and cybersecurity innovator who has contributed to shaping the future of software supply chain security. Having held critical technology roles at leading companies like FLIR Systems and Sealights, as co-founder and CTO of Cybeats Technologies, he helped Fortune 500 companies to operationalize SBOM (Software Bill of Materials) management by inventing SBOM Studio in 2020. His groundbreaking work extends to AI security, where he co-leads SBOM implementation for AI systems and models and co-founded AISUF.org, the Open Framework for AI Security & Safe Use. A contributor to the NTIA's SBOM standards since 2018 and an active participant in critical security working groups, Dmitry brings over 25 years of expertise in application security, cloud architecture, and DevSecOps. His commitment to industry advancement extends beyond technology through co-founding the Security Architecture Podcast, where he shares insights on enterprise security solutions and architecture.
September 26, 2025 14:30-15:15
Art Manion (ANALYGENCE Labs, US)
Art Manion spends a lot of time working on various aspects of cybersecurity vulnerabilities including coordinated disclosure, measurement, response prioritization, and public policy. Art has led and contributed to vulnerability-related efforts at the Forum of Incident Response and Security Teams (FIRST), the CVE Program, ISO/IEC JTC 1/SC 27, and the (US) National Telecommunications and Information Administration (NTIA). Art is the Deputy Director of ANALYGENCE Labs where he works closely with the (US) Cybersecurity and Infrastructure Security Agency (CISA). Art previously managed vulnerability analysis at the CERT Coordination Center (CERT/CC).
September 25, 2025 16:30-17:00