Program Overview

The escalating tempo and sophistication of cyber-attacks have rendered a purely reactive security posture obsolete. This session provides a decisive blueprint for advancing national resilience by harnessing authoritative threat intelligence from national agencies like UZ-CERT and global partners like Shadowserver.

Discover how to construct a robust Early Warning System that empowers your team to operationalize intelligence, pivot to proactive threat hunting, and fundamentally transform your CSIRT from a tactical firefighter into a strategic, force-multiplying guardian for the entire nation.

Nicky Fang is a dedicated cybersecurity strategist and advocate, specializing in CSIRT capacity building and threat intelligence integration. With over a decade of operational security experience, Nicky has a proven track record of guiding national CERTs—including those in Uzbekistan, Bhutan, Bangladesh and Mongolia—in transforming their capabilities from reactive postures to proactive, intelligence-driven defense models. A recognized authority on leveraging national early warning systems, Nicky is a frequent presenter at industry forums, sharing expertise on automated threat sharing and strategic resilience against advanced cyber threats.

Large language models are being rapidly integrated into production applications across all industries—from AI-powered customer service and development tools to security automation and business analytics. However, this widespread adoption introduces a fundamental vulnerability: Prompt Injection. Unlike traditional injection attacks, prompt injections exploit the core architecture of how LLMs process natural language, creating a threat that transcends typical security boundaries and affects every deployment scenario from chatbots to automated decision systems.

This technical session demonstrates real-world prompt injection techniques through pre-recorded demonstrations, examining the instruction-data boundary problem that makes LLMs inherently vulnerable. The session then provides practical defense-in-depth strategies with live code examples.

Whether securing customer-facing applications, internal tools, or security systems, attendees will learn with actionable techniques for building more resilient LLM deployments.

Fatih Erdogan: I have over nine years of experience in the cybersecurity, with a strong focus on defensive security and developing cutting-edge cybersecurity solutions. Throughout my career, I have played a key role in digital forensics, incident response, and threat research teams, consistently contributing to strengthening organizational security postures.

Currently, I work as Expert Cyber Security Engineer at Turkish Airlines Technology in Cyber Defense Department, specializing in detection engineering, AI security, and R&D.

Beyond my professional role, I am deeply interested in security research, particularly in AI security and detection engineering. As an active member of the cybersecurity community, I have also delivered talks at prominent cybersecurity conferences, including BSides Prishtina, The H@CK Summit, Hacktrick, and DevFest Istanbul.

Gokay Akin: Starting my career as a Cyber Security Analyst, I continued as Incident Response Analyst and SIEM Administrator. I diversified by consulting for large organizations and managing various projects. I built many enterprises’ Cyber Defence Center infrastructures from scratch and ensured the right transformations went live. Preparing and implementing SIEM replacements and Detection Engineering processes is the area I enjoy most. I am currently the Detection Engineering Team Lead at Turkish Airlines.

I take great pleasure in following rapidly evolving Cyber Security trends and producing proactive solutions for the coming years

Most talks focus on what happens during an incident - the TTPs, alerts. But the real trouble often begins before dusk (Preparation phase) and quietly returns after dawn (Lessons learned phase). “Before dusk” is the time before an incident, when everything looks fine: configs half-done, logs half-kept, standards almost met. “After dawn” is when the breach seems over, reports are written, and everyone relaxes - but nothing really changes.

You’ll hear real a few DFIR stories from across the world - cases where some companies failed while others were ready. You’ll see how small decisions shaped huge outcomes, and learn from their mistakes so you can avoid repeating them.

Artem Artemov: 18 years in DFIR; Former policeman; Conducted high-profile incident responses and investigations on Anunak/Carbanak, Buhtrap, Lurk, Cobalt, Fin7, Qilin, Muddywater, Lockbit and other groups in different regions (Europe, APAC, US, MEA). 100+ trainings and workshops for universities, law enforcement and commercial companies worldwide; Experienced speaker at key cyber security events

Security Operations Centers (SOCs) are often assessed through maturity models, compliance frameworks, and performance metrics. However, real incidents frequently demonstrate that maturity does not always equate to resilience. This presentation focuses on how to practically assess whether a SOC can maintain effective detection, response, and coordination under real operational stress.

Based on field experience across financial institutions, industrial environments, and government SOCs, the session introduces a pragmatic approach to evaluating SOC resilience across people, processes, technologies, and critical dependencies. Rather than reviewing policies and tooling in isolation, the approach emphasizes observing behavior under pressure: decision-making, escalation quality, handovers, and coordination with incident response, IT, and business stakeholders.

Attendees will learn how to assess SOC resilience without waiting for a major breach, using targeted interviews, tabletop exercises, and stress-based scenarios such as concurrent incidents, degraded telemetry, or loss of key personnel. The presentation highlights common hidden failure points identified in real assessments and provides practical guidance on translating findings into prioritized resilience improvements. Participants will leave with a clear methodology and actionable checkpoints to evaluate and strengthen SOC and CSIRT resilience in their own environments.

Imane Bachane is the Founder and CEO of BLUESEC, a cybersecurity consulting firm specializing in SOC transformation, cyber governance, and intelligence-driven security operations across Africa and the Arab regions. Her work focuses on assessing and strengthening the operational effectiveness and resilience of SOCs and CSIRTs, particularly in regulated and resource-constrained environments.

Before founding BLUESEC, Imane led Cyber Threat Intelligence (CTI) activities within a major banking group, where she contributed to building an intelligence capability directly supporting detection, incident response, and security decision-making. Her experience bridges CTI, SOC maturity, and threat-informed defense, with a strong emphasis on converting frameworks and maturity models into practical, executable workflows for operational teams.

Imane works with financial institutions, industrial operators, and national organizations to assess SOC readiness, validate performance under stress scenarios, and improve coordination between SOC, incident response, and governance functions. Her assessments focus on identifying hidden operational dependencies and single points of failure revealed during real incidents.

She is certified SOC-CMM and SANS GSOM, and actively contributes to the regional cybersecurity community, advocating for resilient, maturity-driven, and operationally grounded SOC capabilities.

Jamaleddine Hadini is a cybersecurity practitioner specializing in incident response, digital forensics, and SOC modernization. With more than ten years of experience supporting critical organizations, he develops resilient defense capabilities grounded in threat-informed practices, automation, and defensible architectures. His expertise spans threat hunting, detection engineering, DFIR, and OT/industrial cybersecurity. Jamaleddine holds several certifications, including SANS GCFA, SANS GRID, and CHFI, reflecting his expertise across blue-team operations. A strong advocate for capacity building in Africa, he collaborates with industry partners to strengthen regional expertise and contribute to sustainable, sovereign cyber capabilities.

Security analysts and threat hunters often want to sharpen their ability to detect and respond to malicious network activity, especially without relying on expensive commercial platforms. In this presentation we will review a curated set of free, open-source tools, which provide deeper visibility into organizational network traffic and uncover threats before they escalate.

The presentation begins with a quick dive into core network traffic collection methods, such as packet capture, logging, and NetFlow analysis. We will also explore the daily workflows and investigative mindset of an effective threat hunter. Lastly, we will go through how to identify suspicious patterns, enrich findings with intelligence feeds from the Malware Information Sharing Platform (MISP), and connect the dots between seemingly unrelated events.

Through brief case studies and live-style investigative walkthroughs, you will see how theory translates into practice. The session will conclude with a guided, hands-on demonstration of open-source tools in action—equipping participants with ready-to-use techniques to strengthen their monitoring and detection capabilities immediately.

Arūnas Venclovas, Director of Product Development at NRD Cyber Security Arūnas is an experienced leader in product development with a deep understanding of cybersecurity, IT, and telecommunication markets. Currently serving as the Director of Product Development at NRD Cyber Security, Arūnas is responsible for deploying cyber security solutions in National and sectorial CERTs with the aim to automate operations, build capacity and empower for successful work. Arunas has played a major role in automating and modernizing CSIRTMalta (Malta Critical Infrastructure Protection) operations by improving Incident Detection, Response and Threat Intelligence actualization. Also, he is working closely with multiple CIRT's (Eg-FinCIRT, etc.) in assisting them to improve network detection capabilities by automating threat hunting, rulesets adjustment and solving other related challenges. 

Kazakhstan has spent the last five years building its own national bug bounty ecosystem, connecting ethical hackers with critical infrastructure, banks, telecoms and state agencies. In this talk, we share what it took to design and scale a platform that works reliably at a national level: from architecture and triage workflows to researcher onboarding, trust, and policy.

Bekarys Kabi is the product lead behind Tumar.One, Kazakhstan’s national bug bounty platform. With a background in product management and cybersecurity operations, he has spent the last several years designing triage workflows, scaling researcher communities, and leading the transition of Tumar.One to an open-source, self-hosted model. Bekarys works closely with banks, telecoms, ministries and global open-source projects to help them run structured vulnerability disclosure programs. His focus is on creating practical, transparent and scalable security tools for emerging markets, while building a long-term ecosystem around ethical hacking and coordinated vulnerability disclosure.

Olzhas Satiyev is a cybersecurity leader and one of the pioneers of vulnerability disclosure and offensive security development in Central Asia. He has more than 10 years of experience building security programs for banks, telecom operators and government agencies. As a founder of TSARKA and the KazHackStan conference, he helped shape the regional cybersecurity ecosystem and launched multiple national-scale initiatives. Olzhas focuses on applied security research, red teaming, and building platforms that connect researchers with organizations. His work drives collaboration between ethical hackers and critical infrastructure across Kazakhstan and beyond.

IntelMQ is a Free and Open Source tool chain to automate Threat Intelligence data handling.

IntelMQ automates the boring processes of incident handling to concentrate on the tasks that really need your attention. Learn how to ingest data from various sources such as Shadowserver, how to arrange your bespoke workflows, connect with other systems (such as MISP, databases, RDAP, Ticketing systems etc) and how to notify your constituency.

Contents of the workshop include:

• IntelMQ's unique flexible architecture
• How to quickly set it up
• Practical tips and examples
• Showcase and tryout of different solutions for constituency contact management
• How to notify your constituency about the IoCs in their networks
• Where to get help and connect with the IntelMQ community
• IntelMQ universe: Tools contributed to IntelMQ, augmenting your workflows
• Who is the IntelMQ community
• How to easily extend your system: development basics
• At which stages can Artificial Intelligence help, or not?
• System management and data flow management

The content may vary based on participants' input and questions. Participants are encouraged to send in their questions and examples to intelmq@commongoodtechnology.org beforehand, so we can cover them in more detail in the workshop

About IntelMQ: The open source tool was created in 2014 by CERT.pt and CERT.at (Aaron Kaplan, Tomas Lima) and is used globally for incident handling automation globally by at least 600 IT security teams. It is entirely free of charge. IntelMQ.org is the community supporting the project's the long-term evolution.

What will participants gain from the workshop? An in-depth know-how as well as the skills to deploy and adapt the IntelMQ tool to their specific automation needs.

Sebastian Wagner is an IT-Security expert and trainer, Free Software enthusiast, full-stack software developer, and project manager. He currently working for a small software firm, and is active in NGOs for the common good in cooperation with FIRST and Shadowserver. He co-maintains IntelMQ for 11 years and previously worked at CERT.at for six years.

Whether you are a Red Team or Blue Team specialist, learning the techniques and tricks of malware development gives you the most complete picture of advanced attacks. Also, due to the fact that most (classic) malwares are written under Windows, as a rule, this gives you tangible knowledge of developing under Windows. The course will teach you how to develop malware, including classic tricks and tricks of modern ransomware found in the wild. Everything is supported by real examples. The course is intended for Red Team specialists to learn in more detail the tricks of malware development (also persistence and AV bypass) and will also be useful to Blue Team specialists when conducting investigations and analyzing malware.

The course is divided into four logical sections:

Malware development tricks and techniques (classic injection tricks, DLL injection tricks, shellcode running) AV evasion tricks (Anti-VM, Anti-Sandbox, Anti-disassembling) Persistence techniques Cryptographic functions in malware development (exclusive) Malware Development for Android and Linux (bonus)

Most of the example in this course require a deep understanding of the Python, Kotlin and C/C++ programming languages.

Knowledge of assembly language basics is not required but will be an advantage

Zhassulan Zhussupov is a cybersecurity enthusiast, author, speaker, and mathematician. Author of popular books:

• MD MZ Malware Development Book (2022, 2024)
• MALWILD: Malware in the Wild Book (2023)
• Malware Development for Ethical Hackers Book (Packt, 2024)
• AIYA Mobile Malware Development Book (Github, 2025) Author and tech reviewer at Packt. Co founder of several cybersecurity research labs, author of many cybersecurity blogs, HVCK magazine, Malpedia contributor. Speaker at more than 20+ international conferences like BlackHat, Security BSides, Arab Security Conference, Hack.lu, Standoff, etc

In today's cyber threat landscape, effective coordination among incident response teams is crucial. This session will provide participants with a high-level overview of open-source tools that facilitate coordination, data sharing, and threat intelligence. The session will cover key tools like MISP and TheHive, and also highlight lesser-known gems that help you maintain an overview of your constituency.

We will focus on coordination tools and also scrape the topic of analysis and forensics.

The session gives you an overview of the role of open-source tools in enhancing coordination and cooperation among teams, including these tooling areas: Threat Intelligence Sharing and OSINT gathering, Attack Surface Reduction, Incident Response, Forensics and Analysis Tools, Analysis tools, Network Monitoring

Sebastian Wagner is an IT-Security expert and trainer, Free Software enthusiast, full-stack software developer, and project manager. He currently working for a small software firm, and is active in NGOs for the common good in cooperation with FIRST and Shadowserver. He co-maintains IntelMQ for 11 years and previously worked at CERT.at for six years.

From contextualized threat scenarios to aid in hypotheses generation to post-hunt activities, threat modelling often results in outputs which are useful as part of structured threat hunting. However, there does not exist a significant amount of literature that connect threat modelling and threat hunting, much less operationalize them together to a threat hunting scenario.

In this workshop, we will teach the basics of technique-based threat modelling with the MITRE ATT&CK framework and perform mitigations with MITRE D3FEND. We will then generate hypotheses for structured threat hunting, and apply it to a simulated threat hunt in a Windows lab environment. We also posit how threat modelling functions and threat hunting functions can complement each other in an iterative chain to provide teams the ability to continuously validate the organisation's security posture.

Donavan Cheah leads cybersecurity within Thales Digital Factory in Singapore. He has led multiple threat modeling, risk assessment and offensive security engagements for a wide variety of customers. He has presented his threat modeling talks and conferences at international conferences such as DefCamp (Romania), SECCON (Japan), VULNCON (India) and SINCON (Singapore), as well as cybersecurity camps such as the Global Cybersecurity Camp 2025 (Taiwan). He also co-leads the Threat Modeling Connect chapter in Singapore, which is a threat modeling community with global presence in the EU, the Americas and Asia. Today, Donavan's interests lie in integrating threat modeling into other cybersecurity activities such as threat hunting, SecOps, as well as looking into AI-related cyber threats.

Mukhtar Serikbayev is an Application Security Architect and DevSecOps Consultant with a strong background in secure software development, architecture assurance, and offensive security. He has led major AppSec transformation initiatives for financial services and government organizations, integrating security into SDLC processes, CI/CD pipelines, and cloud-native architectures. Mukhtar is an Offensive Security Web Expert, he brings hands-on experience in web and mobile testing, secure code review, microservices/API hardening, and threat modeling aligned to attacker behavior. Today, he’s exploring how AI-driven automation and autonomous security agents can improve threat hunting, code assurance, and secure engineering at scale. He is passionate about enabling teams to build secure-by-design, resilient products.

Yoon Yik is a Security Researcher at the Privacy and Security Laboratory at Nanyang Technological University. He has a background in Digital Forensics and Incident Response, Cyber Threat Intelligence and Malware Analysis. He is also co-chapter lead of Threat Modeling Connect Singapore Chapter. Presently, he is passionate about cybersecurity community building and is a "Crew" at Division Zero Singapore cybersecurity community leading initiatives like HackSmith, a 24H cybersecurity tool-making hackathon.

Effective incident response depends not only on detection and mitigation but on the ability to coordinate quickly, collaborate across organizations, and communicate with clarity. This session introduces a practical framework, the “3C’s” developed from direct experience with CSIRTs and national-level response teams across multiple regions. Using real-world cases involving phishing, brand abuse, and infrastructure-level threats, the presentation will highlight how misalignment across internal teams, delayed external coordination, and unclear messaging can cause preventable escalation. It will offer concrete strategies to improve readiness: establishing trusted channels, aligning roles before incidents, and streamlining decision-making under pressure.

Designed for CSIRTs, infrastructure operators, and incident coordinators, the session focuses on improving the human and procedural layers of response, especially in environments where cross-border cooperation is essential.

Mirza Asrar Baig is the Founder and Chief Executive Officer of CTM360, and is the visionary behind developing the Digital Risk Protection stack that embodies the concept of the company. His focus remains on building a highly scalable platform with the vision “Build Locally, Scale Globally”, and he believes in empowering the Arab World to be recognized as a leader in technology research and development.

Mirza is a Computer Science graduate from King Fahd University of Petroleum and Minerals (KFUPM - Dhahran, Saudi Arabia). His educational background underscores his deep commitment to research and innovation. With over 30+ years of experience serving the Information Technology and Cybersecurity requirements of the GCC Financial Sector and government bodies, he is playing an instrumental role in safeguarding the region's digital landscape.

Mirza is actively contributing to the region through speaking engagements and providing invaluable insights into threats specific to GCC organizations. His passion for advancing cybersecurity in today’s digital age has left an indelible mark, reflecting his dedication to enhancing cybersecurity and resilience globally.

CTM360’s technology platform is primarily data-driven and is on track to profile all organizations across the world leveraging public domain data. The technology enables aggregate analytics and real-time cybersecurity posture on industries, countries, and regions. Mirza is now on a mission to have his technology recognized as the go-to choice for regulators as well.

Online fraud incidents often become harder to contain not because of technical gaps, but due to unclear signals, delayed decisions, and fragmented response efforts. This session looks at how fraud campaigns operate in practice and what incident responders need to recognize early to act effectively.

Using real-world, anonymized scenarios, we discuss how understanding campaign behavior, coordinating response actions, and applying timely intelligence can significantly reduce impact.

Mirza Asrar Baig is the Founder and Chief Executive Officer of CTM360, and is the visionary behind developing the Digital Risk Protection stack that embodies the concept of the company. His focus remains on building a highly scalable platform with the vision “Build Locally, Scale Globally”, and he believes in empowering the Arab World to be recognized as a leader in technology research and development.

Mirza is a Computer Science graduate from King Fahd University of Petroleum and Minerals (KFUPM - Dhahran, Saudi Arabia). His educational background underscores his deep commitment to research and innovation. With over 30+ years of experience serving the Information Technology and Cybersecurity requirements of the GCC Financial Sector and government bodies, he is playing an instrumental role in safeguarding the region's digital landscape.

Mirza is actively contributing to the region through speaking engagements and providing invaluable insights into threats specific to GCC organizations. His passion for advancing cybersecurity in today’s digital age has left an indelible mark, reflecting his dedication to enhancing cybersecurity and resilience globally.

CTM360’s technology platform is primarily data-driven and is on track to profile all organizations across the world leveraging public domain data. The technology enables aggregate analytics and real-time cybersecurity posture on industries, countries, and regions. Mirza is now on a mission to have his technology recognized as the go-to choice for regulators as well.

Remarks by: Chris Gibson (FIRST Executive Director – FIRST.org, GB); Olimjon Mirzaev (Director of Cyber Security Center of Uzbekistan, UZ); Bobur Abdullaev (Rector of Inha University in Tashkent, UZ)

Chris Gibson brings a wealth of relevant and up-to-date experience in setting up and managing CERTs at the very highest levels of the worldwide Information and Cyber Security community.

Chris spent over 12 years working in the Computer Emergency Response Team (CERT) whilst at Citigroup and, for 10 years, was part of the leadership of the Forum of Incident Response and Security Teams (FIRST); 2 as Chair. Within FIRST he implemented the Fellowship program. This was created to fund CERTs from UN-designated “Least Developed Nations” (LDCs) allowing them both to join FIRST and attend conferences and training.

Chris joined the UK Government's CERT-UK team in November 2013 to build and launch the UK’s first formally chartered national CERT, joined Close Brothers as Chief Information Security Officer in November 2016, moved to Orwell Group as CISO in Jul 2018 and joined FIRST as it’s Executive Director in May 2019.

Chris’ experience has allowed him to work with colleagues from both inside some of the world’s largest global financial institutions with the complexities that brings and also with colleagues from the incident response community, with members ranging from Microsoft and Oracle through to the national CERTs of Azerbaijan and Indonesia.

We present our experience operating a national Early Warning System that supports more than 200+ government organizations. The system ingests over one million daily threat indicators from global partners, harmonizes and correlates the data, and delivers targeted, actionable alerts to relevant stakeholders. The talk includes two anonymized case studies where failure to respond to early warnings resulted in severe cybersecurity incidents. These cases highlight common challenges in alert handling, escalation, and accountability, and provide practical lessons for improving preventive security operations at scale.

With 5+ years of experience, Sarvar Sultonov and Timur Ishbekov work at UZCERT to safeguard Uzbekistan’s digital sovereignty. They drive Threat Intelligence and Incident Response for government entities, dedicated to maturing the national cybersecurity posture through proactive defense and cross-sector collaboration.