Saturday, September 12

10:30am CDT

Designing deception in GCP: what’s effective density?
Saturday September 12, 2026 10:30am - 11:30am CDT
Defenders have deployed honeypots and honeytokens to detect threats targeting GCP workloads. The dynamic and ephemeral nature of cloud workloads with the resource-based policy model in GCP introduces unique characteristics that influence the design of deception. Defenders need to determine answers to questions such as: how many deceptions to deploy, what should they represent, how many of each type, how should these be named, where should the deceptions be placed? This session provides real-world insights from a security practitioner on the design of a deception strategy for cloud workloads that spans honeytokens (GCP IAM service accounts, GKE service accounts) and honeypots (compute instances, storage, pods).
Speakers
Suril Desai

VP Engineering, Acalvio
Suril is VP Engineering and Security SME at Acalvio. Suril has deep domain expertise in cybersecurity and has a strong academic and industry background in Computer Science. Suril holds several patents.
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
Talk

10:30am CDT

Detection Engineering for AI Agents: Building Defenses That Work When Your Attacker Can Think
Saturday September 12, 2026 10:30am - 11:30am CDT
The bot detection playbook defenders have relied on for years — IP blocklists, rate limits, behavioral baselines, CAPTCHA — was built for a threat that no longer exists. Modern adversaries are deploying LLM-powered agents that reason, adapt, and evolve their behavior in response to detection. For defenders, this means the threat model has fundamentally changed.

This talk, drawn from production experience building bot mitigation systems at Amazon, provides blue teamers with a practical framework for detection engineering against agentic AI attackers. The session covers: how to identify the behavioral signatures of LLM-driven agents (and why they're different from both humans and traditional bots); detection signal categories that remain robust against adaptive adversaries; pipeline architecture for high-velocity threat detection at scale; and incident response workflows when an AI-powered attacker is actively evading your controls.

Critically, this talk addresses the strategic challenge defenders face: in an adversarial ML environment, your model is always at risk of being reverse-engineered and evaded. How do you build detection systems that are robust to an adversary who can iterate as fast as you can? Attendees will leave with detection engineering patterns they can apply to bot defense, fraud prevention, and automated threat response — and a realistic understanding of where current defenses still have gaps.
Speakers
Shashwat Jain

Sr. Software Development Engineer, Amazon
Shashwat Jain is a Senior Software Development Engineer at Amazon, where he architects and deploys AI-powered bot mitigation systems protecting Amazon's global e-commerce platforms from sophisticated automated threats. With expertise spanning real-time behavioral detection engines...
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
Talk

10:30am CDT

From Logs to Logic: Building Detections That Don’t Suck
Saturday September 12, 2026 10:30am - 11:30am CDT
Most security teams have no shortage of logs, yet turning that data into reliable detections is a different problem entirely.

In reality, detection efforts often fall apart because of messy data, vague assumptions, and a haphazard approach to building and maintaining them. The outcome is all too familiar: overwhelmed analysts tuning out alerts, threats slipping through the cracks, and detections that look impressive in presentations but crumble under real-world pressure.

This presentation pulls back the curtain on how detection engineering actually works in the trenches. We'll start with raw telemetry data and walk through the process of translating attacker behavior into testable hypotheses, then converting those hypotheses into detection logic that gets refined through ongoing feedback.

I'll introduce a practical lifecycle for detection engineering, covering research, hypothesis development, creation, validation, deployment, and tuning. This structured approach ensures that detections aren't just built once and forgotten, but evolve alongside the threats they're designed to catch.

Finally, we'll bridge detection engineering with threat hunting and broader cyber operations. You'll walk away with a straightforward framework for building detections that are not just technically sound, but genuinely useful when it matters most.
Speakers
Kyle Barboza

Senior Threat Informed Defense Engineer, Financial Services Company
Kyle is a detection engineer and cyber operations leader focused on turning raw telemetry into actionable defense. He specializes in threat detection, incident response, and building scalable detection programs using automation and detection-as-code principles. With experience leading...
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA

10:30am CDT

How to Do Just About Anything (Including Security): Turning Curiosity and Creativity into a Career
Saturday September 12, 2026 10:30am - 11:30am CDT
Learning something new, for me, often means figuring it out myself. While we have tutorials and AI on demand, experimentation and a willingness to get things wrong are still required. My story started with a book called “How to Do Just About Anything” and a realization that, with enough curiosity, you actually can.

This talk shares a non-linear path from breaking computers as a teen to understand them, creating within extreme constraints, and turning trial and error into a career that spans from high school dropout to security leadership, all while staying true to my art-tech-geek roots.

Rather than focusing on specialization, I’ll break down how the practical patterns behind building strong fundamentals, both technical and human, combined with curiosity, creativity, and ownership, can open doors and get you into conversations you weren’t “qualified” to be in.

I’ll connect these ideas directly to real-world security work: learning new domains quickly, navigating organizational complexity, and building the relationships needed to drive change. We’ll explore how incremental improvement compounds over time, how to operate in environments where “this is how it’s always been done” is the default, and how community involvement accelerates growth.

If you’ve ever felt like your path doesn’t fit a traditional mold, or you just know you can do more, this talk offers a practical perspective on how building beyond your core strengths can help you create opportunities, influence outcomes, and define your own path in security.
Speakers
Dan Browder

Director, Information Security Portfolio, First National Bank of Omaha (FNBO)
Dan has over 25 years of experience working in technology and security, spanning roles in graphic design, help desk, and security risk. He leads strategic cybersecurity initiatives that shape FNBO’s security posture, with a focus on strategy, risk reporting, AI governance...
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA

10:30am CDT

Models and More: using data to inform decision making
Saturday September 12, 2026 10:30am - 11:30am CDT
Organizations of all types are working to use data to make better decisions. This includes risk management decisions, such as whether to avoid, mitigate, accept, or transfer a particular risk. But what types of data work best? How do correlation and causation impact your risk analysis? Learn from a cyber insurance pro how they balance the speed of modeling and analytics with the deep experience of domain experts to choose what risks to accept. You will walk away with an understanding of how to effectively use different data sources to support risk management in your organization. 
Speakers
Amanda Draeger

Principal Cyber Risk Engineer, Liberty Mutual Insurance
Amanda is a Principal Cyber Risk Engineer at Liberty Mutual Insurance. She is an Army vet, has way too many credentials, and likes yarn. 
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA

10:30am CDT

Same Network, Different Worlds: Bridging the IT Ops and SOC Divide
Saturday September 12, 2026 10:30am - 11:30am CDT
A temporary service account with Domain Admin rights gets created at 11 PM to patch a legacy application. The sysadmin logs off and forgets about it. The SOC sees the account creation, flags it as authorized admin activity, and moves on. Three weeks later, that account becomes an attacker's persistence mechanism. Nobody did anything wrong. And that is exactly the problem.
IT operations and security teams share the same network but operate in fundamentally different worlds. Sysadmins speak the language of uptime, change windows, and ticket queues. SOC analysts speak the language of alerts, TTPs, and kill chains. Both teams assume the other has visibility into what is happening, and both teams are wrong. The result is a gap that does not show up in any audit report but lives quietly in every environment: misattributed alerts, forgotten service accounts, unclaimed security tasks, and legitimate admin activity that looks completely indistinguishable from an attacker who already knows your environment inside and out.
Most organizations try to solve this with better documentation, cleaner org charts, and the occasional cross team meeting. It does not work. The gap is not a process problem. It is a knowledge problem. Security analysts often do not know enough about how systems are actually administered day to day to separate noise from signal. Sysadmins often have no idea how their routine tasks appear inside a SIEM and have even less awareness of the quiet risk they are generating while doing everything by the book.
This session is built on a premise that is easy to understand but rarely acted on: the person best positioned to bridge that gap is someone who has stood on both sides of it. Drawing from hands on experience managing and securing environments across multiple client organizations at an MSSP, this talk translates the operational realities of IT administration into the detection focused language of the SOC and does the same in reverse. No theory. No vendor pitch. Just an honest look at how two teams who are supposed to be working together keep accidentally working against each other.
Attendees will work through real-world scenarios that are very common across companies and industries. They will experience each scenario from the IT ops side and the SOC side to understand what happens. The audience will leave with a practical communication framework they can bring back to their organization before the next incident forces the conversation anyway.
Whether you are a junior analyst trying to understand the authenticity of alerts or a systems engineer who has never thought about what routine tasks look like from a SOC lens, this session will be inclusive of all.
Speakers
Sameer Singhal

System Engineer II, EXOS
Sameer bridges the critical gap between infrastructure engineering and security operations. He holds a bachelor's degree in Cybersecurity from Purdue University and is currently a Systems Engineer II working his way towards a Cybersecurity Analyst I position at an MSSP, where he supports...
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
Talk
Blue Team Con 2026