MAY 13 | SECURITY PRACTITIONERS TRACK

For SOC analysts and hands-on defenders driving operational execution.

9:00 AM BST
HUNT OR BE HUNTED: FRONTLINE TALES OF DETECTION

Steve Erwin
Senior Incident Responder
Rapid7

Olivia Cate
Incident Responder
Rapid7

Mikayla Wyman
Senior Manager, Product Marketing – MDR and Services
Rapid7


Security incidents don’t unfold in clean, linear steps – and neither do the decisions that stop them. In this session, we walk through a real-world incident to show how SOC teams actually operate under pressure.

From the first signal to the final outcome, attendees will see what gets ignored, what gets investigated, and why. The session explores how analysts correlate signals across endpoint, identity, and cloud, how trust and handoffs work between teams, and where exposure context influences escalation. This is an unfiltered look at the pace, pressure, and judgment required to defend modern environments – focused on outcomes, not alerts.

10:00 AM BST
THE NEW RULES OF DETECTION ENGINEERING

Steve Edwards
Director, Threat Intelligence Detection Engineering
Rapid7

Marco Botros
Senior Product Manager
Rapid7


Detection engineering is no longer about coverage, volume, or catching everything. As environments become more dynamic and attackers more targeted, the value of a detection is defined by whether it drives the right action at the right time.

In this session, experienced practitioners break down the new rules of modern detection engineering – grounded in real-world SOC and MDR environments. We’ll explore how detection-as-code changes the way teams build, test, and maintain detections; why risk-driven detection strategies outperform volume-based approaches; and what “high-fidelity” actually means as we head into 2026.

This session is designed for security ICs who live in the gap between theory and reality. Attendees will leave with practical guidance on what to prioritize, what to stop doing, and how to design detections that reduce noise, support SLAs, and improve security outcomes under real operational pressure.

11:00 AM BST
FROM CLOUD EXPOSURE TO RUNTIME ATTACK

Shauli Rozen
CEO and co-founder
ARMO

Ben Hirschberg
CTO and co-founder
ARMO

Nidhi Sharma
Lead Product Manager
Rapid7


Most cloud incidents don’t begin with a critical alert – they begin with overlooked exposure. A misconfiguration, an over-permissive identity, a vulnerable container running in production. By the time an alert fires, escalation is already underway.

In this session, ARMO and Rapid7 walk through how modern cloud attacks unfold – from initial exposure to runtime exploitation and lateral movement. ARMO will set the stage with a strategic perspective on why runtime security has become essential in cloud-native environments. The speakers will then demonstrate a real-world cloud application attack scenario, showing how Rapid7 and ARMO together detect, validate, and stop the attack before it becomes a full-scale incident.

Attendees will gain a practical understanding of how exposure connects to runtime behavior, how cloud context reshapes prioritization mid-incident, and how combining exposure insights with detection and response improves signal fidelity without increasing noise. This session delivers both strategic clarity and hands-on insight into how cloud attacks really escalate – and how to interrupt them earlier.

11:40 AM BST
IR IN PRACTICE: TOOLS, TRADECRAFT, AND ADVERSARY-INFORMED INVESTIGATION

Shanna Battaglia
Senior Product Manager
Rapid7

Michael Cohen
Senior Principal Engineer
Rapid7


In this session, practitioners walk through real-world incident response workflows, highlighting how open-source tools and investigative tradecraft come together during active incidents.

Attendees will see practical Velociraptor use cases, learn how adversary techniques (often uncovered through red team exercises) inform defensive investigations, and understand how experienced responders approach evidence collection, validation, and decision-making.

Designed for hands-on practitioners, this session sharpens blue team skills and provides a clearer view into how attacks are investigated, contained, and learned from in practice.