SANS DFIR Europe Summit and Training 2026

Sun, Oct 4 - Sat, Oct 10, 2026
8 Courses
1 NetWars Tournament
English

OREA Hotel Andel's & Virtual (CEST)

Stroupežnického 21, 150 00 Praha 5-Smíchov, Prague, Czech Republic

Jump to:

Event Highlights
Courses
Schedule
Location

Come to Prague for Hands-On Cybersecurity Training

At SANS, our mission remains steady. We continue to deliver relevant cybersecurity knowledge and skills, empowering students to protect people and their assets. Register for SANS DFIR Europe Summit and Training 2026 and continue to build practical cyber security skills you can implement immediately. Choose your course and register now.

SANS DFIR Europe Summit and Training 2026

In-Person Summit & Training
Take your training at the training venue with professional support
Practical cyber security training taught by real-world practitioners
Hands-on labs in a virtual environment
Courses include electronic and printed books
Most courses align with GIAC certifications

Please note, courses are available In-Person in Prague during this event. Please see course details below for availability. For In-Person courses, seating is available on a first-come, first-served basis. Register now to secure your spot.

What Attendees Say

"The DFIR Europe Summit in Prague was an amazing opportunity to connect with top professionals and hear cutting-edge case studies. Easily one of the best events I’ve attended for digital forensics."

"The speakers at DFIR Europe brought deep, real-world knowledge. Every session gave me something I could take back to my investigations."

“It was a privilege to attend DFIR Europe. The summit helped reinforce best practices in incident response and forensics. Can't wait for next year.“

Students Say

Slide 1 of 2
I highly recommend FOR500 for anyone looking to deepen their digital forensics and incident response skills. The course offers a perfect balance of theory and practical application, with real-world examples that bring the content to life. The instructor, Chad Tilbury, is exceptional, sharing his extensive experience and providing valuable insights that you can immediately apply in the field. It’s a must for anyone serious about mastering DFIR techniques!
Youssef HammachFOR500, SANS DFIR Europe Summit & Training
Slide 2 of 2
Fantastic course with in-depth material, delivered by amazing expert. Thanks so much for an amazing week.
Carol OveresFOR508, SANS DFIR Europe Summit & Training

Event Highlights

NetWars Tournaments

As part of your SANS training experience, you’ll receive complimentary access to a NetWars Tournament which is either available at the training event you are attending or will be made available through online access if you are attending a Live Online event. The NetWars Tournament is an interactive cyber range event designed to reinforce your learning through hands-on, gamified challenges.

Early Bird Offer

Save €250 EUR using the code "EarlyBirdEMEA-EURO" and pay for any 4-6 day course (excluding Beta Courses and 300 Level Courses) by September 3, 2026.

Register

Summit and Course Registration

€8,230 EUR

In personIncludes

Add Summit ticket for discounted price of +€100
Course: Live Instructor Training with Hands-on Exercises
Summit: Talks, Presentations and Workshops
DFIR Netwars Tournament

Select course to Enroll

Summit Registration Only

€350 EUR

€350 EUR*Prices exclude applicable local taxes

In personIncludes

Free Lunch and Snacks
Interactive Talks and Sessions
Networking with Peers

Attend In PersonLogin to register

Courses

Looking for Group Purchasing? Contact Us

Showing 8 of 8

Filter by:

FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics

FOR508Digital Forensics and Incident Response, Artificial Intelligence

GIAC Certified Forensic Analyst
6 Days
36 CPEs
Steve Anson

€8,230 EUR (Course)
€905 EUR (Certification)
*Prices exclude applicable local taxes

View course details

FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques

FOR610Digital Forensics and Incident Response

GIAC Reverse Engineering Malware
6 Days
36 CPEs

€8,230 EUR (Course)
€905 EUR (Certification)
*Prices exclude applicable local taxes

View course details

FOR500: Windows Forensic Analysis

FOR500Digital Forensics and Incident Response

GIAC Certified Forensic Examiner
6 Days
36 CPEs

€8,230 EUR (Course)
€905 EUR (Certification)
*Prices exclude applicable local taxes

View course details

FOR585: Smartphone Forensic Analysis In-Depth

FOR585Digital Forensics and Incident Response, Artificial Intelligence

GIAC Advanced Smartphone Forensics
6 Days
36 CPEs

€8,230 EUR (Course)
€905 EUR (Certification)
*Prices exclude applicable local taxes

View course details

FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response

FOR572Digital Forensics and Incident Response

GIAC Network Forensic Analyst
6 Days
36 CPEs

€8,230 EUR (Course)
€905 EUR (Certification)
*Prices exclude applicable local taxes

View course details

FOR578: Cyber Threat Intelligence

FOR578Digital Forensics and Incident Response

GIAC Cyber Threat Intelligence
6 Days
36 CPEs

€8,230 EUR (Course)
€905 EUR (Certification)
*Prices exclude applicable local taxes

View course details

FOR608: Enterprise-Class Incident Response & Threat Hunting

FOR608Digital Forensics and Incident Response

GIAC Enterprise Incident Responder
6 Days
36 CPEs

€8,230 EUR (Course)
€905 EUR (Certification)
*Prices exclude applicable local taxes

View course details

FOR577: LINUX Incident Response and Threat Hunting

FOR577Digital Forensics and Incident Response, Artificial Intelligence

GIAC Linux Incident Responder
6 Days
36 CPEs

€8,230 EUR (Course)
€905 EUR (Certification)
*Prices exclude applicable local taxes

View course details

Schedule

Summit Dates

Sunday 4th October

Training Dates

Monday 5 October - Saturday 10 October

Showing 16 of 18

Filter by:

Select day:

Registration and networking (Summit)

09:00AM - 10:00AM CEST

In-Person

Chair opening remarks

10:00AM - 10:05AM CEST

In-Person

Sarah & Kat’s adventures in data creation

Creating data for CTFs and course materials can be complex and time consuming and we’ve done a lot of it! We will walk you through some of the highs and lows of our experiences and give you practical tips and tricks to learn from our mistakes - like how to get accurate location data, what data is useful to generate, and how many devices do you really need?

Kathryn Hedley, Director – Khyrenz Ltd

Sarah Edwards, Head of DFIR - iVerify

10:05AM - 10:35AM CEST

In-Person

Find the unfindable

This session will explore how advanced forensic techniques can uncover critical evidence in complex investigations, even when conventional forensic tools fail to identify usable artefacts. Through a real-world case study involving a homicide investigation, attendees will learn how investigators recovered and analysed data.

Jean-Philippe Noat, Senior Customer Engagement Manager - Cellebrite

10:35AM - 11:05AM CEST

In-Person

Beyond Signal and WhatsApp: DFIR investigation of Meshtastic

As DFIR teams have strengthened their capabilities for investigating encrypted messaging platforms such as Signal and WhatsApp, threat actors are increasingly exploring alternative communication channels that operate beyond traditional network visibility. Meshtastic, a LoRa-based off-grid mesh networking platform, represents one such emerging technology that security and forensic professionals should be prepared to encounter. Drawing on a real-world case study involving the use of Meshtastic devices for decentralized communications, this session will examine how investigators can identify, acquire, and analyse evidence from non-traditional communication technologies. Join us to gain practical insights into the challenges of reconstructing communication activity in environments where conventional network monitoring and forensic approaches offer limited visibility.

Lorenzo Dina, Innovation & R&D Manager – Bit4Law

11:05AM - 11:35AM CEST

In-Person

Ghosts in the RAM: Your phone's secret travel diary

Smartphones continuously detect nearby Wi-Fi, Bluetooth, and cellular signals, leaving behind transient system artefacts that can reveal a device's movements, even when traditional location data is unavailable. How are forensic investigators able to extract and analyse these artefacts to reconstruct location history and establish device co-location? Through a practical case study, you will learn how wireless signal data stored in memory can be transformed into powerful investigative evidence, with significant implications for both digital forensics and privacy.

Alex Coley, Digital Forensics Specialist - MSAB

11:35AM - 12:05PM CEST

In-Person

Lunch

12:05PM - 01:05PM CEST

AI-Assisted IR without the lies: A browser forensics case

As AI transforms offensive security, incident response teams face a different challenge: How to leverage AI without compromising forensic accuracy. In IR, hallucinations are not acceptable, yet the potential to accelerate investigations is significant. Oren explores how a skills-and-agents pipeline was developed to automate browser forensics, accelerating artefact triage and timeline reconstruction while maintaining evidential integrity. You will learn how the system was validated, where it failed, and the safeguards implemented to minimise hallucinations. Through real-world lessons learned you will gain a practical view of where AI-assisted incident response is ready for production, and where human expertise remains essential.

Oren Biderman, Head of Threat Detection – Daylight Security

Amnon Kushnir, Director of Security Services – Daylight Security

01:05PM - 01:35PM CEST

In-Person

A Pinch of salt typhoon: Dissecting a cross-platform espionage intrusion

Salt Typhoon is widely tracked as a Chinese espionage actor, yet host-level visibility into its operations remains rare. In this session, Roey will take you inside a real intrusion at a scientific government organization, tracing the investigation from compromised Linux systems through to Windows-based collection and exfiltration activities. The investigation uncovered disguised backdoors, trojanized SSH utilities, proxy tooling, credential theft, remote execution, custom malware, and the staged collection of sensitive scientific data. Rather than examining individual malware samples in isolation, Roey will reconstruct the intrusion as it unfolded, showing how each forensic lead revealed the next phase of the operation.

You will gain practical insights into Salt Typhoon's tradecraft and how DFIR, malware analysis, and threat intelligence can be combined to uncover and understand sophisticated espionage activity.

Roey Gideon Shua, Security Researcher - Check Point Software Technologies

01:35PM - 02:05PM CEST

In-Person

Cache me if you can

Modern iOS devices generate and store a wealth of image-related artefacts behind the scenes, many of which can provide valuable investigative insights but are often overlooked during forensic examinations. Join us to explore how these artefacts can be identified, analysed, and correlated with other sources of device data to uncover their origin and significance. Through practical examples, the presentation will demonstrate how UUID-named images can be linked to App Intent and Biome data, and how complex data structures such as Protobuf, bplist, and Base64 can be decoded and interpreted. You will gain a deeper understanding of image provenance, the challenges of attributing images to specific user actions, and the techniques required to extract meaningful evidence from these often misunderstood artefacts. By the end of the session, you will have practical methodologies that can be applied directly to mobile forensic investigations and a clearer understanding of the evidential value—and limitations—of these iOS artefacts.

Elliot Glendye, Training Delivery Manager - Control-F Digital Forensics

02:05PM - 02:35PM CEST

In-Person

Session TBC

02:35PM - 03:05PM CEST

In-Person

Networking break

03:05PM - 03:35PM CEST

In-Person

Agentic triage, unlocking new possibilities

Host-level triage remains one of the most time-consuming aspects of incident response, creating significant challenges during large-scale investigations. In this session, I will share our ongoing work to automate end-to-end triage using agentic swarms capable of analysing systems, tagging evidence, and generating investigation-ready outputs. Drawing on real-world experience, I will explore the challenges, design considerations, and lessons learned from applying AI-driven automation to incident response, providing practical insights for those looking to build similar capabilities.

Matias Bevilacqua, Incident Response manager, EMEA Mondiant (Google)

03:35PM - 04:05PM CEST

In-Person

Closing keynote: Scaling, failing, improving - Two decades of DFIR practice

DFIR has changed dramatically over the past twenty years, shaped by evolving technologies, emerging threats, and lessons learned in the field. In this session, Heather will reflect on the experiences, challenges, and insights that have influenced my approach to investigations, incident response, and leadership throughout her career. Through practical observations and lessons learned, she will explore what it takes to adapt, improve, and remain effective in an ever-changing cybersecurity landscape.

Heather Barnhart, Curriculum Lead, Digital Forensics and Incident Response & Fellow – SANS Institute

04:05PM - 04:50PM CEST

In-Person

Chair closing remarks

04:50PM - 05:00PM CEST

Networking drinks

05:00PM - 07:00PM CEST

In-Person

Tournament: DFIR NetWars

Registration: All students who register for a 4–6 day course will be eligible to play NetWars for free. Registration for this event will be through your SANS Account Dashboard the week of the event.

About DFIR NetWars: Focused on digital forensics, incident response, threat hunting, and malware analysis, this tool-agnostic approach covers everything from low-level artifacts to high-level behavioral observations.

06:30PM - 09:30PM CEST

In-Person & Virtual

Tournament: DFIR NetWars

06:30PM - 09:30PM CEST

In-Person & Virtual

Prague, Czech Republic

OREA Hotel Andel's

Prague enchants visitors with its fairytale architecture, from the iconic Charles Bridge to the towering spires of Prague Castle. The city’s cobblestone streets and charming Old Town Square are steeped in centuries of history. You can enjoy world-class beer in cozy pubs and soak in the laid-back, artistic vibe. With its blend of Gothic, Baroque, and modern influences, Prague feels like stepping into a storybook.

View Hotel

3 Reasons To Stay At The Event Venue

Ultimate Convenience
Eliminate the hassle of daily commutes and wasted travel time. You’ll have everything you need—from your training to dining and amenities - all in one centralized, convenient location.
Seamless Networking Opportunities
Stay where the action is! Maximize your chances to connect with fellow cybersecurity professionals and industry leaders - from impromptu conversations in the lobby to exclusive after-hours events.
All Day, All Event Access
SANS live training events include bonus sessions exclusively at the venue. Staying on-site ensures you won’t miss these opportunities to grow your network and engage with peers beyond the conference agenda.

Three people smiling during a meeting in an office

SEC536: Adversarial AI - Penetration Testing AI Systems

SANS DFIR Europe Summit and Training 2026

Share

Come to Prague for Hands-On Cybersecurity Training

SANS DFIR Europe Summit and Training 2026

What Attendees Say

Students Say

Event Highlights

NetWars Tournaments

Register

Summit and Course Registration

Summit Registration Only

Courses

GIAC Certification

Extra 4 Months of Course Access

NetWars Tournament

FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics

Quick view

FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques

Quick view

FOR500: Windows Forensic Analysis

Quick view

FOR585: Smartphone Forensic Analysis In-Depth

Quick view

FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response

Quick view

FOR578: Cyber Threat Intelligence

Quick view

FOR608: Enterprise-Class Incident Response & Threat Hunting

Quick view

FOR577: LINUX Incident Response and Threat Hunting

Quick view

Schedule

Summit Dates