Message from the Chair

We all know that FIRST stands for Forum of Incident Response and Security Teams. Even though most FIRST members focus on Incident Response, the cohort of Security Teams is growing too. During the last quarter of 2025, we reached the milestone of 1,024 active members. It took 35 years, but let's guess that reaching 2,048 active members will come faster.

Most member teams bear 'CSIRT', 'CERT' or 'PSIRT' in their names, and were built on, took inspiration from, or evolved using the well-known CSIRT Framework or the PSIRT Framework. Many use the SIM3 maturity model as a way to assess and then improve their organisation and procedures, and to better handle human and tooling aspects.

In recent years, some acronyms have started to appear in the community, such as ISAC (Information Sharing and Analysis Center, a term crafted in 1998), VOC (Vulnerability Operations Center), CTI (Cybersecurity Threat Intelligence) teams, Threat Hunting teams ... Should such groups be part of, and integrated into, CSIRT/CERT/PSIRT teams? There is no formal answer, as it will depend on the context of the hosting organization, its history, current set-up, and plans for evolution.

Some organizations have set up or plan to create a CDC (Cyber Defense Center, named after the ITU-T X.1060 recommendation standard), which will supersede and embed all the groups named above.

"What's in a name?" is a famous adage attributed to or written by Shakespeare in his play "Romeo and Juliet". Was it in 1597 or in 1599? Not all specialists agree on this ... and logs are missing ... And we all know that in such conditions, it is quite difficult to navigate!

We must adapt our organizations to the threat landscape and include ways to address existing types of attacks that are becoming both more prevalent and more efficient with the use of AI by threat actors.

As the number of vulnerabilities increases over the years and the burden on IT teams grows, CSIRTs or PSIRTs - or VOCs - must provide the right information based on the context of their constituents, i.e. the potential victims. CVSS (Common Vulnerability Scoring System) and EPSS (Exploit Prediction Scoring System) can help, as can KEVs (Known Exploited Vulnerabilities), which are provided by both security agencies and commercial companies. What IT and OPS teams often expect is guidance, and anything that can help them prioritize among all these vulnerabilities.

Last but not least, we must also improve detection. Whether it is the role of a CSIRT, a SOC, a NOC or any other group is not my point. Who has the detection mandate does not matter as long as the work is properly done. It's not a question of pentesting or red teaming, but rather of assessing how efficient detection is, and how quickly analysis can be performed and events qualified into incidents and then handled. Have a look at BAS (Breach and Attack Simulation, which marketing sometimes rebrands as AEV - Adversarial Exposure Validation). As in a hearing test, your teams will first have to detect noise (events), and then understand what these sounds are (malicious activity ...).

Let's meet at the 20+ FIRST events organized throughout 2026 in all regions to discuss all these cyber security topics, including prioritization. Mark your calendar for April 2026, with both the CVE/FIRST VulnCon 2026 and the 2026 Cyber Threat Intelligence Conference events!

Published on FIRST POST: Oct-Dec 2025.