Blue Team Con 2026

arrow_back View All Dates

8:00am CDT

Defending Enterprises - 2026 Edition

Thursday September 10, 2026 8:00am - Friday September 11, 2026 5:00pm CDT

Microsoft Technology Center (Aon Center)

Limited Capacity seats available

Updated for 2026, our immersive 2-day Defending Enterprises training is the natural counterpart to our popular Hacking Enterprises course.

Not only have several existing topics had major tweaks; the training includes an entirely new section on Entra ID and Azure cloud based attacks!

You’ll play a SOC analyst in our Microsoft Sentinel cloud-based lab and try to rapidly locate IOA’s and IOC’s from a live enterprise breach executed by the trainers in real time.
Whether you’re new to Kusto Query Language (KQL) or a seasoned pro, there’s plenty for you in the 2-days! Yes, we’re using Microsoft Sentinel, but the underlying threat detection theory, logic and threat hunting approach is transferable into your own environments, whatever your preferred platform.

We look at the top 10+ methods we use in offensive engagements and show how these can be caught, along with numerous other examples and methods that go above and beyond these common TTPs!

This training goes beyond threat hunting as we peek into the world of detection engineering and the processes involved in converting logic into alerts!
With 14 hands-on exercises, many of which also featuring extra time and bonus content, you’ll gain real-world experience in the following areas:

* Introduction to Kusto Query Language (KQL)
* Reviewing popular phishing attacks and living off the land techniques
* Locating C2 traffic and beaconing activity
* Detecting persistence activities
* Digging into credential exploitation (Kerberoasting, Pass-the-Hash, Pass-the-Ticket, DCSync)
* Reviewing Active Directory Certificate Services (AD CS) attacks
* Identifying lateral movement (WinRM, SMB)
* Cloud Attacks (Entra ID Enumeration, Azure IMDS, Authentication Tokens, Conditional Access, App Registrations)
* + much more!

We know 2 days isn't a lot of time, so you'll also get 14-days FREE lab time after class and Discord access for support.

Prerequisites: Detection methods will be taught during training, however an understanding of KQL concepts would be beneficial, and previous SOC experience and/or pentesting is advantageous but not required.

Trainers

Jeroen "Jay" Hoof

Instructor, SANS

Jeroen Hoof is a SANS Certified Instructor Candidate for SEC504: Hacker Tools, Techniques, and Incident Handling and a Security Operations Specialist at Davinsi Labs, where he specializes in intrusion analysis, SOC operations and detection engineering. With a career spanning law enforcement investigations, SOC operations, and cyber breach response, Jeroen brings a practitioner’s perspective... Read More →

Owen Shearing

Director, In.security

Owen (@rebootuser) is a co-founder of In.security, a specialist cyber security consultancy offering technical and training services based in the UK. He has a strong background in networking and IT infrastructure, with well over two decades of experience in technical security roles... Read More →

Thursday September 10, 2026 8:00am - Friday September 11, 2026 5:00pm CDT
Microsoft Technology Center (Aon Center)

Training

Audience Intermediate
Subject Threat Hunting and Red Teaming

8:00am CDT

Exploring AI Visibility: Shedding Light on Shadow AI, Attack Surface, Telemetry, and LLM Proxies

LIMITED

Thursday September 10, 2026 8:00am - Friday September 11, 2026 5:00pm CDT

Microsoft Technology Center (Aon Center)

Limited Capacity seats available

With the explosive adoption of AI agents, corporate networks are experiencing a massive influx of programmatic and shadow AI usage. Unfortunately, default audit capabilities provided by major AI vendors are notoriously sparse, leaving defenders with little to no visibility. Many providers only organize logging in a "billing forward" manner rather than focusing on cybersecurity.

This 2-day, hands-on training workshop equips security teams with the practical skills needed to detect, audit, and secure AI usage within their environments. Attendees will learn how to identify shadow AI usage from existing network and endpoint logs (such as Zeek and Sysmon) without needing increased vendor visibility. Because AI tooling is ultimately just software, we will also explore how these tools can introduce vulnerabilities, such as unauthenticated servers allowing local execution.

Furthermore, the course will move beyond basic logs to explore advanced visibility techniques. Attendees will learn how to use OpenTelemetry to extract detailed insights from major AI providers that support it, and how to deploy LLM proxies to actively intercept and inspect AI activity and tool calls. Finally, we will dive deep into the Model Context Protocol (MCP), a protocol specifying how AI apps integrate with external tools, and demonstrate the severe risks of malicious integrations via the "Evil MCP" vector.

Prerequisites: Linux terminal or powershell

Trainers

Corey Thuen

Founder, Gravwell

Corey Thuen is the CEO and Co-Founder of Gravwell, an analytics platform built for massive-scale security telemetry. With over a decade of experience across IT, IoT, and ICS/OT security, he brings a unique, attacker-informed perspective to cyber defense. Previously, Corey was a vulnerability... Read More →

Thursday September 10, 2026 8:00am - Friday September 11, 2026 5:00pm CDT
Microsoft Technology Center (Aon Center)

Training

Audience Intermediate
Subject Security Operations / Tools

8:01am CDT

Offense for Defense

LIMITED

Thursday September 10, 2026 8:01am - Friday September 11, 2026 5:00pm CDT

Microsoft Technology Center (Aon Center)

Limited Capacity seats available

Join us for Offense for Defense, a high-impact, hands-on cybersecurity course built specifically for blue team professionals, systems administrators, SOC analysts, threat hunters, and incident responders. This training arms defenders with the tactics, tools, and mindset of attackers, empowering teams to proactively identify weaknesses and design better protections, detections, and responses. All while learning from one of the most prominent names in cybersecurity instruction and enterprise penetration testing.

Prerequisites: A couple of years in IT

Trainers

Tim Medin

CEO, Red Siege

Tim is the CEO and founder of Red Siege Information Security. He is the creator of the Kerberoasting. Tim was a Senior Instructor and course author (SEC560) at The SANS Institute. Tim has performed penetration tests on a wide range of organizations and technologies. Tim is an experienced... Read More →

Thursday September 10, 2026 8:01am - Friday September 11, 2026 5:00pm CDT
Microsoft Technology Center (Aon Center)

Training

Audience Intermediate
Subject Threat Hunting and Red Teaming

Blue Team Con 2026

From $0.00

Tickets

Success you have shared X tickets.

Blue Team Con 2026

8:00am CDT

Jeroen "Jay" Hoof

Owen Shearing

8:00am CDT

Corey Thuen

8:01am CDT

Tim Medin

Get help with the event

Choose your checkout method

Success you have shared X tickets.

Blue Team Con 2026

8:00am CDT

Jeroen "Jay" Hoof

Owen Shearing

8:00am CDT

Corey Thuen

8:01am CDT

Tim Medin

Get help with the event