Blue Team Con Online


Blue Team Con Online is a series of talks from past Blue Team Cons,
updated and presented live on YouTube and Twitch.

Join the discussion today!

Upcoming Blue Team Con Online Events

April 14, 2026 @ 4:00 PM CT

Maturing your cyber deception program: What’s the plan?

Presented by Suril Desai

Defense teams are adopting cyber deception to detect and hunt threats. Honeypots and honeytokens provide early warning of attacker actions. One of the challenges that defenders grapple with is: where should I place these deceptions? How many should I deploy? What should they represent?

This session provides real-world insights from a security practitioner on strategies for an effective rollout of cyber deception. Learn about the importance of identifying the goals for your deception program, one that focuses on defending against threats, protecting high-value assets, and slowing down the adversary.

See how deception can be used to defend against identity threats, insider risk, and ransomware. Learn about the considerations and best practices for deception design. This provides you with practical insights that can be applied on a daily basis for cyber defense.

April 16, 2026 @ 10:00 AM CT

Firewalls and Fire Alarms: What to Do When Your Best Defenses Go Up in Smoke

Presented by Dr. Catherine J. Ullman

Imagine your shock in seeing your newly installed “fireproof” wall completely engulfed in flames. In both fire safety and information security, we often think that we design layers of controls to prevent disaster. In reality, these layers are actually meant to delay disaster. But what happens when those trusted defenses fail? This talk draws on real-world scenarios where controls everyone assumed were in place—from fire doors to firewalls—unexpectedly gave way, leading to chaos and damage.

Using compelling examples from both fields, we’ll examine situations where preventative, detective, and containment controls fell short and explore the lessons they offer for information security. Attendees will learn how layered defenses, regular testing, and resilient response plans can make a difference when systems don’t perform as expected. By blending fire safety insights with actionable security strategies, this talk will prepare you to handle the flames when your own controls go up in smoke.

April 23, 2026 @ 10:00 AM CT

Hidden Dangers Of AI In Developer Workflows: Navigating Security Risks with Human Insight

Presented by Dwayne McDaniel

AI tools like ChatGPT and Copilot have become indispensable in developers’ daily workflows. Whether it is for code samples and scaffolding, prototyping, or documentation, AI can help eliminate a lot of toil from the developer’s day-to-day.

There are hidden dangers that AI has introduced that are worth exploring.

This presentation will look at the critical security challenges associated with AI-enhanced development workflows and the essential role of human oversight in mitigating these risks.

We’ll look into three major areas of concern:

  • The AI told me to do it that way…
  • Hallucinations everywhere
  • Where did my data go?

Join this talk to see some real examples of AI getting it wrong, but stay for a discussion on how you can leverage already existing tools to make the best use of the most valuable resource in the company…your team’s time. Expect to leave with a fresh perspective on how bright a future we can build as people fostering more secure and efficient development practices.

April 28, 2026 @ 4:00 PM CT

The Cost of an Incident

Presented by Amanda Draeger

For those incidents that are publicly reported, we see things like “this cost $X million dollars”. Where do those costs come from? How can you use these costs to convince your leadership to invest in security? This talk will look at data from insurance claims to explain where the costs of an incident come from.

New events are being scheduled regularly! Check back soon to see upcoming presentations.

In the meantime – don’t forget to subscribe to our new YouTube channel and follow our Twitch Channel!

Previous Blue Team Con Online Events

April 7, 2026 @ 4:00 PM CT

A New Era of Brute Forcing in Active Directory

Presented by David Horak

Active Directory Domain Services recently celebrated 25 years, making it far from a young technology, yet it is not going anywhere anytime soon. Most companies still rely on Active Directory as their primary identity provider and management solution. One might assume that after all these years, we have already mastered securing Active Directory with best practices. However, the reality is quite the opposite, and Active Directory environments are often poorly secured, making them one of the main targets for attackers.

In this talk, I will explain some fundamental yet not always known concepts of Account Policies, Replication, and related best practices. More importantly, I will demonstrate a technique to bypass the Account Lockout Policy, allowing almost limitless brute-force attacks on Active Directory accounts. This brute-forcing technique is rarely documented—in fact, I had never heard of it myself until I stumbled upon it by “accident”.

By the end of this session, you will leave with a few key Active Directory configurations to enhance security and most importantly, the knowledge to defend against this brute-force technique.

March 31, 2026 @ 4:00 PM CT

Decoding Dyslexia: Thriving in Cybersecurity with a Different Brain

Presented by Caleb Grossnickle

Cybersecurity is a field that thrives on diverse thinking, pattern recognition, and creative problem-solving — all strengths that often come naturally to those with dyslexia. But for many, dyslexia is still seen as a barrier instead of an asset. In this talk, we’ll challenge that perception.

I’ll share a personal journey of working in cybersecurity while navigating dyslexia, offering practical strategies for success. From how to advocate for yourself in the workplace and build a support system, to using free tools like dyslexia-friendly fonts, high-contrast settings, and even ChatGPT to simplify complex logs — this session is packed with real-world advice.

We’ll also reframe the narrative around dyslexia, focusing on the unique strengths it brings to our field. Whether you’re dyslexic, work with someone who is, or just want to make your team more inclusive, you’ll leave this talk with a better understanding of how neurodiversity can elevate cybersecurity.

March 24, 2026 @ 4:00 PM CT

UNFAIR after all; Critical considerations for risk management frameworks

Presented by Jack Burgess

Current cybersecurity risk models often contain blind spots from established risk management principles. We highlight failures of systems like CVSS and EPSS to address the real-world impact of vulnerabilities on individual organizations. We argue that businesses don’t suffer from inaccurate predictions, but from the cost of being wrong, especially when a significant breach leaves no opportunity for recovery. Using key examples from the literature and original research, we challenge the reliance on likelihood-based risk assessments, proposing a shift towards understanding the true impact of threats through empirical, context-specific analysis. In this way organizations can better allocate resources, maximize return on investment, and improve cybersecurity preparedness. For practitioners, we introduce a set of practical extensions to existing frameworks to better manage their security posture. For the information security community, we call for a reevaluation of existing standards, emphasizing the need for more robust, real-world, value-based approaches to information security risk management.

March 17, 2026 @ 4:00 PM CT

Going Beyond Box Checking with Annual Pentests

Presented by Sean ‘4dw@r3’ Juroviesky

Every year, in order to maintain compliance or satisfy client requests, your organization purchases an independent penetration test. How often do you already know 95% of what a pentest will turn up? You’ve probably had a lot of these risks for years without the funding, time, or staff to fix them.

Oftentimes executives see the opinions of a 3rd party to be impartial and unfortunately more compelling than their own staff. You can use this strategically to help acquire the resources your department needs to finally close out these risks.

We’ll walk through how to communicate your needs to your pentesting partner so they can tailor the executive summary to precisely communicate the potential business impact of these risks using language your executives are familiar with.

March 12, 2026 @ 10:00 AM CT

Analysis without Paralysis: Mastering the Art of Investigation

Presented by Terryn Valikodath

Effective analysis is essential for identifying and mitigating cybersecurity threats, yet most analysts are never formally taught how to conduct investigations. This talk serves as a primer, equipping you with the insights and techniques needed to structure your investigations—regardless of the operating system or hardware.

We will introduce a structured analysis workflow designed to help analysts systematically transform raw data into actionable findings, uncovering an adversary’s movements with precision. The session will break down key investigative pillars:

  • Investigation Strategy – Defining objectives, scope, and a clear plan of action.
  • Findings – Organizing and documenting evidence to drive your investigation forward.
  • Correlation – Connecting discrete events to build a coherent case.
  • Timeline – Establishing a clear sequence of events for deeper insight.
  • Enrichment – Leveraging external intelligence to fill gaps and identify patterns.

Finally, we’ll tie it all together into a comprehensive yet efficient report, one so well-structured and insightful that it demands attention and drives meaningful change. Whether you’re new to investigations or looking to refine your approach, this talk will provide the tools to elevate your analysis from chaotic guesswork to forensic mastery.

March 10, 2026 @ 4:00 PM CT

Unseen but Not Unheard: Exposing the Cases of CSS Abuse in Email Threats and Fortifying Defenses

Presented by Omid Mirzaei

Threat actors are constantly exploring innovative methods to exploit benign technologies and applications in their attacks. One such example is using Living-Off-the-Land Binaries (LOLBins) to deliver malware. Another example is exploiting the features of JavaScript to deliver malware to victims’ devices. Cisco Talos has observed an increase in the number of email threats that exploit the properties of HTML and CSS to include text in different parts that are not visible to the recipients of emails. This technique is often referred to as hidden text salting (or poisoning). We have also seen cases of CSS abuse to track users and fingerprint their systems.

This talk will cover a wide range of examples of CSS abuse in email threats. In particular, we will discuss and demonstrate various techniques we’ve identified in the wild that threat actors have used to conceal content in emails. We will address a number of challenges that this technique may pose to conventional and advanced ML-based defensive solutions. Additionally, we will introduce a novel approach to detecting hidden text salting by leveraging the capabilities of Large Language Models (LLMs). These models show promise in improving the accuracy and reliability of email threat detection, paving the way for stronger cybersecurity defense solutions.

June 26, 2025 @ 6:00 PM CDT

Look Around and Find Out – How to Use OSINT to Protect Your OT/ICS Environment


Presented by Wesley Lee

One thing is clear: an incident in an OT/ICS environment affects everyone in almost every industry. If you have read or followed any cybersecurity framework, guidance, best practices, or document that directs you how to protect your organization from an incident or breach, you will typically find something around understanding or knowing your assets. The same guidance is important in OT/ICS environments as well. This presentation will introduce the world of OT/ICS asset, device, and network discovery using OSINT (Open-Source Intelligence) tools and techniques in order to better understand your OT/ICS attack surface. While this talk will focus mainly on OT/ICS attack surface discovery, this presentation will also point out how some of these OSINT tools and techniques can be modified to understand the IT environment attack surface. Attendees of this presentation will walk away with a methodology, roadmap, and guidance that can be used to perform their own OSINT on their OT/ICS environment.

June 19, 2025 @ 10:00 AM CDT

Wait… Are You Really Hunting Threats?


Presented by Nathalie Cornejo

In a world where cyberattacks are increasing and becoming stealthier, it is essential to take the lead in uncovering an attacker on the network that defense tools haven’t detected; that’s where threat hunting becomes more relevant. Doing a proactive search for malicious activity and understanding whether we are focusing on the actors that can affect our business becomes crucial; also, SOC detections alone won’t be enough to detect sophisticated adversaries who change their behaviors and ways of operating. This presentation addresses this to help defenders start a threat-hunting process and have a guide on the most relevant points they should focus on, such as prioritizing the adversaries they want to detect according to business purpose, and, at the same time, to demystify threat hunting. These points are fundamental to creating a robust process that ensures you are on the right path to finding real threats, additionally impacting the dwell time in our organizations. Finally, understanding the impact of threat hunting on blue team processes by translating hunting queries into long-running threat detections, adding further visibility to the SOC, and fostering Google’s “Hunt Once” rule is a key learning the author wants to bring to the audience.

June 12, 2025 @ 6:00 PM CDT

What’s in a Name: What Your Wireless Footprint Says about You


Presented by Benjamin Speckien

Can your organization’s security posture be strengthened by monitoring WiFi Probe Requests? What about Bluetooth Low Energy Beacons? Can identifying names and device information sent in cleartext help you authenticate who you’re talking to? Location data of wireless networks people have previously connected to combined with current location can be used to validate identity.

Insecure wireless settings can leak information such as names, travel patterns, places of work, language preferences and even types of cars driven. Imagine a potential candidate at a job fair beaconing in the language of a nation-state threat actor, or a potential business partner with probe requests correlating to a competitor’s office, or even being notified of a Flipper Zero close enough to clone your RFID badge.

This talk is about real-time application of intelligence gained from passively monitoring wireless transmissions from common mobile devices. I will demonstrate an unobtrusive method of collecting and displaying this information. Findings from analyzing large data sets will be presented, demonstrating that this method can be applied to enumerate potential threat actors within a given proximity.

Finally, mitigation techniques and the importance of securing your network preferences will be discussed.

March 27, 2025 @ 10:00 AM CDT

Like a Hurricane: The Life and Times of Privileged Access Management

Presented by Aria Langer

So you want to implement a modern PAM (Privileged Access Management) solution? Awesome. More robust access controls are what the Infosec Gods say your Wild-Wild-West organization needs to inch closer to the mythic land of Pretty-Pretty Zero Trust. How are you going to accomplish this? How do you sell this to those who make the $$$ decisions (who claim to align with the principles of PAM but shudder at the threat of productivity loss)?

Or maybe the full vision of modern PAM isn’t being bought. The risk is “so-low” that it is not worth the trouble and your organization accepts this risk. Is the risk REALLY understood?

But first—what is PAM? This talk will explore iterations of access control across history. Then, let’s kick it up a notch; we’ll discuss how each control (adding up to the idealized “Modern PAM Solution”) plays a vital role (AKA, the difference between solutions provided by traditional PAM vs Modern PAM), and how gaps persist when any one of the controls is missing. We will also talk about the logistical nightmares that come with not just implementing these solutions but even proposing such a program to an organization.

And now for something completely different—I will accomplish all the above using DuckTales metaphors. Life is like a hurricane here in Duckburg! (ooo-WOO-oo!)

April 10, 2025 @ 10:00 AM CDT

Website Fingerprinting: Predicting User Behavior Based on Encrypted Metadata Using Machine Learning


Presented by Josh Honig

In an ongoing project, student researchers at Loyola University Chicago seek to understand how machine learning can be used to identify user web browsing behavior based solely on the metadata of encrypted network traffic, eliminating the need to decrypt data for identification. In order to create a training dataset, researchers created a Python program to repeatedly visit a list of websites and collect network traffic data. The size and direction of the encrypted HTTPS packets were extracted to create a sample for each website and a Random Forest classifier was trained and evaluated on this data. Researchers were able to prove that the trained model provided a reasonably accurate prediction of the website a user was visiting, based only on the metadata of encrypted network traffic (that is, without breaking encryption). This threat model is easy for a lone attacker to establish; the computational requirements are average, and the network visibility required to perform the attack is trivial to obtain. Entities such as Internet Service Providers, corporate network managers, and government agencies already have sufficient visibility to perform the attack we describe.

March 20, 2025 @ 10:00 AM CDT

Data to Defense: Shaping Tomorrow’s Cybersecurity Analysts with AI


Presented by Tawon Saetang (Jibby)

We engineered a way to use AI to turn threat intelligence reports into real data, and we’re using it to transform the way cybersecurity is taught, and make the industry more accessible to everyone. At the core of our approach is a python engine that generates realistic intrusion datasets by mimicking the tactics, techniques, and procedures (TTPs) of real-world cyber threat actors. We augmented the engine by using a custom LLM that can turn intrusion reports into configurations that the engine can consume. This innovative use of AI accelerates our ability to provide story-driven, gamified training modules that immerse participants in the role of cyber defenders, where they confront authentic cybersecurity challenges, investigate threat actor behaviors, and learn to recognize sophisticated attack techniques.

In the resulting game, called KC7, participants are guided through investigations of simulated cyberattacks against fictional companies, created to reflect the complexity and nuance of genuine cyber incidents. They learn to navigate and analyze intricate datasets, mapping their findings to MITRE ATT&CK, enhancing their threat hunting and incident response capabilities. They learn to contextualize evidence, unravel the story behind cyber incidents, and develop critical thinking skills crucial for effective threat detection and response.

The use of AI to generate game data enabled us to deliver hundreds of hours of free, fun, and effective training to thousands of people at no cost. As a result, we’ve helped so many people, from different backgrounds, fall in love with cybersecurity defense, ranging from transitioning professions, to K-12 students.

March 13, 2025 @ 10:00 AM CDT

Security In An IaC Defined World


Presented by Dwayne McDaniel

While it would be amazing to focus 100% on our code in our work, the reality of modern DevOps is that we also need to worry about where it runs. In a simpler time, the operations team would grant us precious disk and machine resources after a requisition request. Security was tight, as those servers were locked down behind private networks and gateways. Living in the modern world of platforms as a service and infrastructure as code (IaC) means just taking security for granted is no longer an option.

Even if the security team could manage every possible bit of your infrastructure, understanding how to manage security better is going to help everyone stay safe, especially at scale.

Takeaways:

  • What does good security look like
  • Everything you need to know about Infrastructure as Code in 3 minutes
  • The security issues (and benefits) IaC brings
  • Securing the world around your IaC
  • When the security team should be involved
  • Local/individual testing for scale

There is a huge misunderstanding of vulnerability management. It is commonly incorrectly defined as being synonymous with software updates and patches. It is so much more than that! We will take the audience through a hands-on journey of scanning, enriching data, and creating high-value prioritization to protect against the number one method of threat actor initial access: software vulnerabilities.

March 6, 2025 @ 10:00 AM CDT

Building on CVSS, EPSS, and KEV: A Practical Approach to Vulnerability Prioritization


Presented by Omer Tal

These days, the overwhelming number of vulnerabilities in any system, combined with resource constraints, makes it impossible to remediate all vulnerabilities. Effective prioritization is essential, ensuring that the most critical threats are tackled first to safeguard an organization’s key assets efficiently.

Frameworks like CVSS, EPSS, the KEV catalog, and SSVC have been widely adopted to aid this task. Each framework offers unique insights, yet they often fall short of providing a holistic solution. This leaves organizations juggling multiple tools without a clear path to optimal prioritization.

Join my talk where I explore the strengths and weaknesses of these popular frameworks. I will discuss why no single framework should be used alone and how to develop a comprehensive vulnerability prioritization strategy that leverages the best aspects of each framework. Learn how to transform these theoretical tools into a practical, actionable plan that fits your security needs.

February 27, 2025 @ 10:00 AM CDT

Operationalizing AI For Network/SOC Analysts


Presented by Chris Roffe

The presentation focuses on using Human Design Engineering (HDE) principles for the development of AI tools that are more adaptable to the varying levels of expertise within a SOC or analyst team.

We use logic-rails, behaviors, and trigger-actions to craft the AI assistant into a functional interface that integrates disparate systems and enables analysts to access and cross-reference data. This integration is crucial for rapid threat identification and response, as it allows analysts to draw connections between indicators of compromise and potential threats without manually navigating through multiple platforms.

We will also highlight how AI assistants can be configured to align with the workflows and preferences of human analysts, ensuring that the technology adapts to the user rather than the other way around. This user-centric design is essential for maintaining the human analyst’s role as the decision-maker, leveraging the AI’s processing power to enhance their situational awareness and investigative capabilities. The concept of “human in the loop” is a critical component of this approach. It emphasizes the importance of human oversight in automated processes to ensure that decisions are made with a level of discernment that AI currently cannot replicate.

By reducing the time spent on manual data aggregation and preliminary analysis, AI assistants empower analysts to dedicate more effort to tasks that require their expertise. AI assistants not only help improve the efficiency of a task workflow but also ensure that human judgment remains at the forefront of the decision-making process for small, medium, or global-sized security teams.