FIRST Concludes Sold-Out 2026 Cyber Threat Intelligence Conference in Munich

MUNICH, GERMANY, APRIL 23, 2026 - Today, the Forum of Incident Response and Security Teams (FIRST) successfully concluded its sold-out 2026 Cyber Threat Intelligence Conference. The three-day event brought hundreds of professionals from across the cyber threat intelligence landscape together in Munich for workshops, plenary sessions, and hands-on training.

The 2026 program was chaired by Thomas Schreck of Munich University of Applied Sciences and Patrick Grau of Exyte. Sessions were led by practitioners and researchers from Google, AWS, the European Commission CSOC, ENISA, CIRCL (Computer Incident Response Center Luxembourg), CERT-In, Intel 471, Nordic Financial CERT, Sopra Steria, Deloitte, BlackRock, Recruit, CyCraft Technology, Eindhoven University of Technology, NVISO, NTT DATA, Expel, and the Retail & Hospitality ISAC, among others.

"FIRST’s Cyber Threat Intelligence Conference gives this community a rare kind of access: direct conversation with the people doing the work, in a format you can't replicate anywhere else," said Chris Gibson, CEO, FIRST. "People come here to compare notes on problems they’re solving, to meet the researcher(s) whose paper(s) they've been quoting for a year, and to leave with answers they won't find anywhere else. That kind of collaboration has to be built in a room, and that's what this conference is all about."

From Signal to Action: The Case for Collective Intelligence

The cyber threat landscape of 2026 has evolved into a perfect storm: AI-powered ransomware is being weaponized at machine speed, nation-state actors are launching increasingly aggressive campaigns against critical infrastructure, and geopolitical tensions have made every connected organization a potential target. According to the World Economic Forum's Global Cybersecurity Outlook 2026, 87% of respondents now identify AI-related vulnerabilities as the fastest-growing cyber risk. FIRST CTI 2026 stands as the field's answer: a dedicated, practitioner-driven forum where the global intelligence community can share, learn, and act together.

Conference Highlights

FIRST CTI 2026 packed a full practitioner program: deep-dive technical sessions, hands-on workshops, and analyst-focused discussions — built for the people who actually do the work. Plenary talks addressed sensitive, real-world challenges drawn directly from current threat campaigns, while small-group workshop tracks offered interactive learning led by recognized experts.

From Signal to Action

Operationalizing intelligence was the dominant theme at FIRST CTI 2026. Practitioners across sessions tackled the persistent gap between data and defensive action — building CTI pipelines under resource constraints, structuring collection around real stakeholder needs, and automating enrichment to cut through noise. The through-line was pragmatism: intelligence that cannot drive a security decision has no operational value.

AI, Automation & the Shifting Attack Surface

The second major thread was the double-edged role of AI in modern CTI. Sessions explored how LLMs, RAG architectures, and cognitive automation can multiply analyst capacity — but also introduced hard questions about what happens when those systems are the target. Poisoned OSINT, compromised pipelines, and adversarial manipulation of AI-assisted analysis made clear that the field is adopting AI fast, and only beginning to reckon with the integrity risks that come with it.

New Capabilities and Partnerships

Several organizations showcased new capabilities and partnerships at the conference. Silobreaker introduced a new agentic AI capability designed to help CTI analysts speed up research, surface relevant context, and strengthen structured analysis; CTM360 launched its AI-powered external Continuous Threat Exposure Management (CTEM) platform; Venation announced a partnership with UK-based POKKIT (created by SIDEKICK Venture Studio) to deliver scenario-based cyber resilience guidance in plain English and Dutch to smaller EMEA organizations operating below the "cybersecurity poverty line."

TLP:CLEAR sessions were live-streamed and are available on FIRST's YouTube Channel.

FIRST CTI 2026 was made possible by our Platinum sponsor, CTM360; our Gold sponsors: Atos, Censys, Dataminr, DCSO, EclecticIQ, Filigran, Group-IB, Intel 471, Silobreaker, and VMRay; our Silver sponsors: Arctic Security and Siemens; our Champion sponsors: Monday and Vertex; our Lanyard sponsor: ZeroFox and our Networking Reception Sponsor: Dream.

Ends

Issued on behalf of FIRST. For further information please contact pr@first.org.

About FIRST

FIRST aspires to bring together incident response and security teams from every country across the world to ensure a safe internet for all. Founded in 1990, the Forum of Incident Response and Security Teams (FIRST) consists of internet emergency response teams from more than 840 member teams, 205 liaisons, and 4 associates spanning corporations, government bodies, universities and other institutions across 115 countries in the Americas, Asia, Europe, Africa, and Oceania. For more information and to see the full calendar of events, visit: FIRST.Org.

Connect with FIRST on social media via Bluesky, GitHub, LinkedIn, Mastodon, Meta, X, and YouTube.