Special Interest Group Updates

STP SIG White Paper published on the future of CERTs/CSIRTs/ISACs and their operating models

“This white paper, authored by AUSCERT, examines the rapid evolution of CERTs/CSIRTs/ISACs as the cyber threat landscape grows increasingly complex and interconnected. Originally created as technical response units, CERTs have since expanded into strategic institutions supporting national resilience, sectoral preparedness, and organisational cyber maturity. Rising regulatory pressures, globalised supply‑chain risk, and competition from commercial cybersecurity providers have reshaped expectations of CERTs, demanding both technical excellence and the ability to coordinate diverse stakeholders during high‑impact events, whilst maintaining sustainable operations.

A core theme of the paper is the diversity of CERT models worldwide: national, sectoral, academic, private, member‑based, and hybrid. These models influence decision‑making authority, funding stability, trust relationships, and operational reach. While such diversity enables CERTs to respond effectively to local needs, it also creates fragmentation, uneven maturity, and blurred boundaries between CERTs and other coordination bodies such as ISACs, ISAOs, and national cybersecurity centres. The paper argues that clearer role delineation and stronger interoperability are essential as incidents increasingly span countries, industries, and regulatory regimes.

CERTs in 2026 face significantly expanded expectations. Beyond incident handling, they are now expected to anticipate emerging threats, provide actionable intelligence, support implementation of cyber policy and regulation, facilitate multi‑stakeholder coordination, and communicate credibly with both technical and non‑technical audiences. These demands create tension: many CERTs must act rapidly and transparently without statutory powers, guaranteed funding, or mandated access to sensitive information. Nonetheless, these challenges also present opportunities for CERTs to serve as trusted convenors that translate policy into operational practice and strengthen ecosystem‑wide resilience.

The future of cyber coordination requires CERTs capable of coupling technical capability with strategic influence. CERTs must build trust across public, private, and academic spheres while adapting their governance models to evolving threats and expectations. The next phase of development will rely on intentional collaboration among governments, regulators, and industry partners to ensure CERTs can continue to provide stability, clarity, and leadership in an increasingly challenging cyber environment.” Dr Ivano Bongiovanni, General Manager, AUSCERT and FIRST STP SIG Chair

Strategic Thinking and Planning SIG

“The new Strategic Thinking and Planning SIG has been launched. This SIG is designed to create a dedicated, global forum for strategic dialogue and knowledge exchange on the current and emerging challenges, opportunities, and innovations within national, regional, and organisational CERTs. The SIG, chaired by Dr Ivano Bongiovanni of AUSCERT, will share models and case studies of how different CERTs are evolving, to help members identify transferrable insights. The STP-SIG will also host expert briefings/roundtables on topics including CERT maturity, capability building, role clarity in multi-agency contexts, and threat intelligence-sharing frameworks. If you are interested in more information or would like to join, head over to https://www.first.org/global/sigs/stp/” - Emma Gamble, Program Officer, Strategic Partnerships & Initiatives, The University of Queensland and FIRST STP SIG Member.

Vulnerability SIG Forecast Report

Vulnerability SIG Forecast Report published in February, predicting 2026 will be the year we cross 50,000 published CVEs:
https://www.first.org/blog/20260211-vulnerability-forecast-2026

CTI-SIG

The CTI-SIG has published two new educational videos on the Webinars page and has launched a new series of educational blog posts, located at the Blog section. These blogs are designed to provide concise overviews of CTI topics while linking, where appropriate, to more comprehensive sections within the Curriculum. Additionally, the SIG is preparing to unveil the latest version of the Curriculum at the upcoming CTI conference.

NETSEC SIG

The NETSEC SIG published “Characterizing Abusive IP Proxies, an NETSEC Incident Response RFC", establishing shared terminology for proxy types and behaviors to support abuse detection, mitigation, and attribution.​​​​​​​​​​​​​​​​ Read more here.

Metrics SIG

By Logan Wilkins - Chair, FIRST Metrics SIG

In January, the Metrics SIG, released the Metrics for the FIRST CSIRT Services Framework – Version 1.0.

This document provides a structured set of metrics intended to help organizations measure the services described in the FIRST CSIRT Services Framework. While the Services Framework describes what CSIRTs do, this work focuses on measuring how effectively those services are delivered.

Version 1.0 includes metrics covering the service areas through Section 7 of the Framework, including:

  • Information Security Event Management
  • Information Security Incident Management
  • Vulnerability Management

The document will be updated to include service areas 8 and 9, Situational Awareness and Knowledge Transfer later this spring. This work reflects a substantial amount of effort and collaboration within the FIRST community. We welcome feedback as the Metrics SIG continues to expand and refine the document in future revisions. We would also be interested to hear how these metrics compare with the approaches your organizations are using today.

Special Interest Group Framework Update

By Graciela Martínez

The Special Interest Groups of FIRST (SIGS) are composed of FIRST Members and non-members/invited parties, coming together to explore an area of interest or specific technology area, with a goal of collaborating and sharing expertise and experiences to address common challenges.

The SIG Framework (add link) is the governance guideline that has recently been updated with the input of the SIG chairs, advisory chair Desiree Sacher and the FIRST Board. Currently, the SIGs are working on reviewing/updating their charters electing chair/co-chairs (as applicable) per the guidelines of the updated framework. This review process of charter and leadership will be completed every 2 years starting in 2026.

I’d like to thank Desiree and all of the SIG Chairs and participants for their valuable input and efforts on behalf of the FIRST Community. For anyone interested in know more about the work of the FIRST SIGs - the updated charters will be posted to the website in the coming weeks and many of the SIGS will be delivering updates during the 2026 Annual FIRST Conference in Denver (which will be summarized and shared in the next edition of the newsletter).

Published on FIRST POST: Jan-Mar 2026