Trainings on Monday 29th September 2025
CSIRT/SOC Manager Improvement Training: KPIs for Mandate and Strategy, Stakeholder Engagement, Processes Development
Trainer: Vilius Benetis
Full day training: 09:00 – 17:00
The success of CSIRT/SOCs often depends on how well the team is managed. This training is one of the few available that specifically targets CSIRT/SOC managers, inspiring, motivating, and upskilling them while fostering friendships with other CSIRT/SOC managers. The training is intended for current and future senior and mid-level managers of CSIRTs, SOCs, ISACs, and PSIRTs. The training's objective is to provide time for reflection and collective work on the daily questions and concerns of CSIRT/SOC managers, including KPIs, improving clarity in mandates and strategies, managing stakeholders, developing processes, and achieving process maturity. There will be dedicated time to build relationships between managers and support each other through discussion. This training is an add-on edition of a similar, well-evaluated training delivered at previous TF-CSIRT/FIRST events. Based on feedback, new topics have been added, with a focus on processes and stakeholders.
Digital Forensics 1.0.1 - From Zero to Hero
Trainer: Michael Hamm
Half day training: 9:00 - 13:00
Tools, tools, tools: analysts love to have a large collection of forensic tools available to perform the analysis and present the results. Unfortunately, analysts often do not know exactly how the tools arrive at their results, so when a tool fails and presents wrong results the analyst does not know what is going wrong.
This training will start with a short demo showing that different tools produce different output. Then we will:
1. Read a stream of bits
2. Apply addressing to it
3. Learn to interpret values as integer, signed integer or ASCII
4. Be able to convert a little-endian value into a big-endian one
5. Apply a data structure to the data
6. Recover data manually
At the end of the training the attendee will be able to read an MBR/boot sector and read the partition table manually.
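As an added example (not part of the course material), a small Python parser that walks the steps above on a constructed 512-byte boot sector: apply offsets, assemble little-endian integers by hand, lay the 16-byte partition-entry structure over the raw bytes, and check the 0x55AA boot signature. The sample sector and its partition values are constructed for illustration, not taken from a real disk.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # the partition table starts at byte 446 of the MBR
ENTRY_SIZE = 16             # four 16-byte entries follow
SIGNATURE_OFFSET = 510      # bytes 510-511 hold the 0x55 0xAA boot signature

def le_to_int(raw: bytes) -> int:
    """Assemble a little-endian unsigned integer by hand: least significant byte first."""
    value = 0
    for position, byte in enumerate(raw):
        value |= byte << (8 * position)
    return value

def parse_entry(entry: bytes) -> dict:
    """Apply the 16-byte partition entry structure to raw bytes."""
    return {
        "bootable": entry[0] == 0x80,          # status byte: 0x80 active, 0x00 inactive
        "type": entry[4],                      # partition type id (e.g. 0x83 Linux, 0x07 NTFS)
        "lba_start": le_to_int(entry[8:12]),   # first sector, little-endian uint32
        "sectors": le_to_int(entry[12:16]),    # length in sectors, little-endian uint32
    }

def parse_mbr(sector: bytes) -> list:
    """Return the in-use partition entries of one MBR sector, or raise if it is not one."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != b"\x55\xaa":
        raise ValueError("boot signature 0x55AA not found")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        entry = parse_entry(sector[off:off + ENTRY_SIZE])
        if entry["type"] != 0x00:              # type 0x00 marks an unused slot
            entries.append(entry)
    return entries

def build_sample_mbr() -> bytes:
    """Constructed sample sector (not from a real disk): two partitions, valid signature."""
    sector = bytearray(SECTOR_SIZE)
    # fields: status, CHS start (unused here), type, CHS end (unused), LBA start, sector count
    sector[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x83, b"\0\0\0", 2048, 204800)
    sector[462:478] = struct.pack("<B3sB3sII", 0x00, b"\0\0\0", 0x07, b"\0\0\0", 206848, 409600)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

if __name__ == "__main__":
    for partition in parse_mbr(build_sample_mbr()):
        print(partition)
```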
Building OpenShield - personal DNS Threat Intelligence with DNS Firewall
Trainers: Dana Ludviga and Armīns Palms
Full day training: 09:00 – 17:00
Course attendees will acquire hands-on experience in building a powerful DNS Threat Intelligence system with active DNS protection using an open-source solution called OpenNameShield. The workshop will cover key areas such as Docker for containerized project management, setting up a DNS server with BIND9, implementing DNS firewalls with Response Policy Zones (RPZ), and using the ELK stack (Elasticsearch and Kibana) for traffic monitoring and analysis. Participants will also learn log normalization and enrichment using rsyslog and Python3, and how to optimize system performance with Redis to manage outgoing requests efficiently.
By the end of the workshop, attendees will have developed a fully functional OpenNameShield system capable of real-time DNS blocking, DNS threat-hunting, and identifying infected devices based on block statistics, equipping them with the skills to implement their own DNS threat intelligence systems.
Elastic Security Analyst Workshop
Trainer: Thorben Jändling
Half day training:
Take an analyst through triage, investigation, and threat hunting in Elastic Security.
Programme on Tuesday 30th September
Time | Presentation | Presenter | TLP |
---|---|---|---|
09:00 – 12:15 | CLOSED MEETING | | |
12:15 – 13:15 | LUNCH | | |
13:15 – 13:25 | SC Update | | |
13:25 – 14:00 | TBA | | |
14:00 – 14:30 | How to detect and block over 150 thousands of investment scam domains | Krzysztof Zając and Paweł Piekutowski | TLP:AMBER |
14:30 – 14:45 | Restena CSIRT Team update | Cynthia Wagner | TLP:WHITE |
14:45 – 15:15 | COFFEE BREAK | | |
15:15 – 15:35 | Hugo honeypots a year after | Pavel Valach | TLP:GREEN |
15:35 – 16:05 | RedLineStealer use-case study - Building detections in Elastic Security | Thorben Jändling | |
16:05 – 17:00 | Lightning Talks | | |
Programme on Wednesday 1st October
Time | Presentation | Presenter | TLP |
---|---|---|---|
09:00 – 09:10 | Welcome/Buffer time | | |
09:10 – 09:25 | Stuck with Request Tracker? gepaRT is here to help | Michał Praszmo | TLP:GREEN |
09:25 – 09:55 | Unifying and Enhancing Open Source Security Tools: Developments in SNER and Taranis-NG at CESNET | Jaroslav Svoboda | TLP:CLEAR |
09:55 – 10:30 | Leveraging Model Context Protocol (MCP) to Enable Secure Agentic AI Workflows in Cyber Threat Intelligence | Ensar Seker | |
10:30 – 11:00 | COFFEE BREAK | | |
11:00 – 11:30 | Leveraging ISP and ASN as New Indicators of Compromise (IOC) in Cyber Threat Intelligence | Sergio Albea | |
11:30 – 12:00 | The Achilles’ Heel of AI: Why AI models are vulnerable and how to attack them. | Jan Kohlrausch | |
12:00 – 12:30 | Operational Technology Incident Response - An overview and homogeneous future troubles | Sebastian Bocquier | |
12:30 – 13:00 | TBA | | |