Saturday September 12, 2026 10:30am - 11:30am CDT
The queue-based SOC is not a slower version of the future.  It is a structural liability.  


For two decades, security operations has been measured by the wrong things: alert throughput, mean time to detect, SLA adherence. These are the metrics of a queue. They assume that moving fast enough through enough alerts produces security outcomes. That assumption has not survived contact with AI-enabled adversaries, exponential telemetry growth, and an accelerating compression of exploitation timelines.


This talk is about what replaces it. 


The decision engine is not a product, a platform, or a vendor pitch. It is an operating model, a structural redesign of how a security function produces decisions rather than processes alerts. The mission statement is simple: compress uncertainty faster than adversaries compress time. Everything else, the detection discipline, the AI architecture, the metrics framework, the cryptographic risk model, is a design decision made against that standard.


The session covers the three structural shifts that make the legacy model insufficient, the five components of the decision engine operating model, and what the transition looks like in practice, including what fails first, what the hardest organizational resistance looks like, and what early proof points tell you the model is working. 


Specifically, attendees will leave with a clear mental model for evaluating their own organization's current posture, a diagnostic framework for identifying where the legacy model is already creating structural risk, and three concrete actions they can take immediately, regardless of budget cycle, platform status, or org structure.


The talk also addresses the risk that receives the least attention in most security operations conversations: the shrinking half-life of sensitive data. For organizations holding data under multi-year regulatory retention obligations, long-lived contractual confidentiality requirements, or enduring intellectual property value, the assumption that exfiltrated data cannot be weaponized for years is eroding. The question that should be driving triage is not whether a breach occurred; it is what the time-to-weaponization of the data involved is. Most SOCs have no answer to that question. This talk explains why that gap is a structural risk and what closing it requires.


This is not a theoretical framework. Every element described in this session has been built and validated in a production operational environment, under real constraints, against real adversaries. The speaker is not standing at the front of the room as a vendor, an analyst, or an academic. They are standing there as a practitioner who made the transition, knows what it costs, and knows what it produces.
Speakers
Ren Fellows

Manager Cyber Security Operations, REI Co-op
Ren Fellows is the Director of Threat Management at a Fortune 50 financial institution, with over 13 years in security spanning SOC build, large-scale incident response, and zero-day events. Ren believes the way we've built and led security operations is due for a fundamental...
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
  Talk
