During Mari DeGrazia's keynote presentation on day one of the 2025 SANS DFIR Summit, one attendee commented, "Wow, I already have SANS brain!"
There couldn’t have been a more accurate illustration of the theme that permeated the Summit’s presentations and workshops this year. In fact, it epitomizes the unique value of all SANS summits. The imperative as practitioners is to constantly transform and adapt techniques, tools, and capabilities with every new challenge. Human expertise is a linchpin in every discipline of cybersecurity, and it’s especially crucial in the endlessly changing field that is Digital Forensics and Incident Response (DFIR).
DFIR practitioners’ responsibilities bridge the gaps between technology, organizational resilience, and human safety. Many investigations carry consequences that directly affect public safety and human wellbeing, demanding timely and accurate responses in situations where the operation of essential services, the preservation of institutional trust, and, in some cases, justice is at risk. With the stakes so high, the collaboration exemplified at SANS Summits is essential in fostering a workforce capable of responding to incidents of every kind.
The following three key takeaways from the 2025 SANS DFIR Summit emphasize the importance of human expertise, mentorship, and oversight at every level and in every application of our work.
Understanding attacker tradecraft is essential to DFIR, and threat actors increasingly exploit trusted systems, legitimate tools, and human error rather than relying solely on malware. Research bears out the trends in cybersecurity headlines: Verizon’s 2025 Data Breach Investigations Report showed the human element as a “gating factor” in 60% of cases reviewed, and only 7% of that subset were human element breaches from interacting with malware. Practitioners must account for cyberattacks that leverage the people and existing elements of a target’s environment.
For example, Luis Garcia (Incident Response Expert, Sygnia) and Matthew Mosley (Manager of Incident Response, Sygnia), in their talk “A North Korean Cyber Operation,” gave an example of an intrusion using just Python scripts, WebSocket, ARP packets, Zoom automation, and evasion of logs. There is always an information gap; not only are outside attackers relying on this and abusing legitimate IT to evade detection, but insider risk is also a real danger. Many teams don’t know what they don’t know – legal staff, HR, and even physical security may not have the knowledge to vet personnel and processes for cybersecurity.
The value of AI to augment analysis and streamline DFIR workflows is undeniable. The technology is more accessible than ever, even to locally run air-gapped models to address privacy concerns when we work with sensitive data. But what’s also undeniable is the need to move beyond the hype: as Tony Knutson (Principal Consultant, Palo Alto Unit 42, and SANS OnDemand Subject Matter Expert) highlighted in his Summit talk, “Think Like an Examiner,” tools do not equal analytical knowledge. Errors and hallucinations are real factors to weigh, and taking LLMs at face value in investigations is a recipe for disaster, especially when the stakes are high. The directive has to remain “Trust but Verify.” An AI tool is only as strong as the practitioner leveraging it. A human must train and validate everything AI-related.
Cybersecurity professionals reap the most benefits when training and documentation stay sharp. Resources, skillsets, and staff may vary widely from organization to organization, but the way analysts handle playbooks and the preparation of new personnel can sow the seeds of readiness whatever the circumstances. Jessica Gorman (Sr. Director of Security Operations and Incident Response, Experian) discussed this in her Summit talk, “Playbook Power-Up.” She highlighted research showing that when IR playbooks modified by senior analysts were then used by junior analysts, the junior analysts were effectively upskilled and able to leverage the guidance more effectively.
For seasoned professionals and newcomers alike, this Summit was a valuable opportunity to learn from fellow practitioners in the trenches. This on-the-ground truth and inquiry is essential to learning and understanding the reality of DFIR beyond theory and certifications. DFIR encompasses many fields and values professionals who may be looking for a career change, even bringing what may seem like unrelated experience. Someone with skills and knowledge from a red team background would be valuable turning that information around to help an IR team think like an attacker, for example.
65% of the in-person attendees were new to the SANS DFIR Summit. Experienced practitioners have so much to offer to newcomers who are eager to learn, and investing in this process is as essential to DFIR as it is to every cybersecurity discipline. Summits like this ensure that organizations and individuals are better prepared to meet today’s threats while building the next generation of leaders who will guide the field forward.
The 2025 SANS DFIR Summit highlighted that strengthening DFIR is a community endeavor as much as a technical discipline. Effective response depends on exchanging knowledge, investing in mentorship of new professionals, and sharing insights as attackers evolve. The talks and workshops offered opportunities for professionals at every level to foster communication and build professional networks that will help the community understand and meet high-stakes challenges together. For new and experienced cybersecurity professionals alike, continuing engagement in the SANS community ensures lessons are shared across the field to keep skills current and perspectives focused. “SANS brain” is the feeling of being overwhelmed with knowledge, and represents a kind of expertise that can only be achieved collaboratively as a community, setting each other up for success.
For additional details on 2025 SANS DFIR Summit talks, check out this visual summary blog of real-time graphic recordings created by Ashton Rodenheiser of Mind’s Eye Creative Consulting.
A SANS Summit is more than training – it’s a chance to absorb the collective expertise of an active professional community. We encourage you to join us at future Summits in person or online to broaden your expertise and become a part of the SANS community.
Take a look at the full list of upcoming Summits we host around the globe, and join us for SANS DFIRCON Miami 2025: Sunday, November 16, to Saturday, November 22, 2025. Use the code “25DFIR_CYBER” between October 1 and October 31 when you sign up to secure your spot, and receive a 25% discount on registration.
Launched in 1989 as a cooperative for information security thought leadership, it is SANS’ ongoing mission to empower cybersecurity professionals with the practical skills and knowledge they need to make our world a safer place.