CTI Summit Solutions Track - CTI in the AI Arms Race: Building Resilient, Adaptive Intelligence Platforms for 2026: Day 1

Mon, Jan 26, 2026
12:00PM - 5:00PM EST
English
Ismael Valenzuela
Solutions Forum

Thank You To Our Sponsors

As adversaries harness AI to deploy polymorphic malware, agentic automation, and high-speed deception, defenders must respond with intelligent, explainable, and resilient threat intelligence systems. The CTI market—projected to grow from $14.1 billion in 2025 to $29.5 billion by 2029—is rapidly transitioning toward consolidated, cloud-native XDR platforms and autonomous detection pipelines. Simultaneously, ethical AI, regulatory compliance, and post-compromise resilience elevate the stakes.

Join Ismael Valenzuela, SANS Author and Senior Instructor, as he chairs this year’s CTI Solutions Track, bringing together innovators and practitioners to explore how CTI can evolve from static reporting to autonomous, actionable intelligence. Together, we’ll examine how to design LLM-assisted pipelines, integrate threat intelligence into incident response automation, ensure transparency and AI ethics, and adapt to regulatory mandates.

Through vendor showcases, demo panels, and hands-on sessions, participants will gain the tools and strategies needed to architect CTI systems that are not only smart, but resilient, responsible, and future-proof.

Don't Forget to Register for Day 2.

Schedule

Showing 10 of 10

Filter by:

Select day:

Event Kickoff and Introduction

12:00PM - 12:15PM EST

Presented by

Ismael Valenzuela

Senior Instructor

Virtual

AI-Orchestrated Attacks and Deception-Driven Detection

The rise of AI-driven attacks —like the recent Anthropic-generated multi-stage attack—shows AI-orchestrated attacks at every stage. Bad actors are now using AI to execute recon, gain lateral movement, and achieve privilege escalation at machine speed using massive parallelism. This reality forces a new approach to threat hunting, challenging CTI assumptions as AI agents adapt rapidly and bypass traditional controls. This session will demonstrate how deception technology delivers high-fidelity, intent-based signals to disrupt AI-driven kill chains. We will detail the Anthropic attack case study and demonstrate how deception-based detection provides CTI teams with repeatable, high-context intelligence on AI-enabled threats.

You will learn how to:

Detect AI-generated attack paths using deception signals that expose real attacker intent
Integrate decoys and breadcrumbs into threat hunting, IR, and red-team workflows
Enrich CTI with adversary behavior patterns derived from deception telemetry

*Sponsored by Zscaler

12:15PM - 12:45PM EST

Presented by

Amir Moin

Staff Product Manager - Deception

Virtual

A Tour of the Cybercrime Underground: How Cybercrime Forums and Dark Web Marketplaces Really Work

Join Eric Clay, CMO and Research Team Co-Lead at Flare, for a straightforward walkthrough of the cybercrime underground. This session breaks down the structure of dark web forums, marketplaces, and closed communities, explaining what they are, how they function, and why they matter to defenders. The session will conclude with a live demo of Flare, illustrating how organizations can monitor these underground spaces to identify threats and exposures earlier.

*Sponsored by Flare

12:45PM - 01:15PM EST

Presented by

Eric Clay

CMO and Research Team Co-Lead

Adrian Cheek

Senior CyberCrime Researcher

Virtual

5 Agentic AI Use Cases to Transform Your SOC Operations Today

CTI based Agentic AI is changing the face of the SOC operations. This talk will dive into a case study of how a Managed Security Services Provider is leveraging Agentic AI for scaling out analyst’s operations and dramatically improving mean-time-to-detection (MTTD). The following Agentic AI driven SOC use cases will be discussed: Alert Triage True / False Positive Validation True Positive Alert Prioritization IOC Harvesting and AI Driven Detection Engineering Participants will learn about the target use cases, the impacts on real world operations, the training data used, and key requirements for success.

*Sponsored by ReversingLabs

01:15PM - 01:45PM EST

Presented by

Richard Robitaille-Muffler

Director, Product Management

Jim Wojno

Director, Product Management

Virtual

Break

01:45PM - 02:00PM EST

Virtual

Agentic Threat Intelligence: Driving Outcomes Across the Security Program

Manual analysis creates critical bottlenecks. Join Global Solutions Architect Rob Lowe to witness how Google Threat Intelligence’s Agentic capabilities compress days of research into a workflow that takes minutes. Rob will demonstrate transforming a single IOC into a comprehensive hunting methodology.

In this session, learn to:

Automate Context:

Instantly correlate raw IOCs with threat actors and campaigns.

Generate Code:

Build production-ready YARA, YARA-L, and Sigma rules automatically.

Map Frameworks:

Extract tactical behaviors directly to MITRE ATT&CK without manual effort.

*Sponsored by Google Cloud

02:00PM - 02:30PM EST

Presented by

Rob Lowe

Global Solutions Architect

Virtual

Shadows in the Steppe – New Insights into Hydra Saiga’s Post-Exploitation Playbook

In the broader geopolitical landscape of Central Asia, Hydra Saiga - also known as Yorotrooper - has emerged as a persistent predator. With at least 34 organizations compromised across 8 countries, this state-sponsored actor has moved beyond simple intrusions to master the art of long-term persistence within water and energy infrastructure. This session dives into the specific telemetry CTI professionals need to track Hydra Saiga’s tradecraft. We will move past high-level attribution to dissect their post-exploitation behavior, focusing on: Custom & Commodity Blends: How they weaponize experimental commodity malware alongside bespoke tools to complicate detection and attribution. Infrastructure & Evasion: A breakdown of their C2 architecture and the specific techniques used to bypass defenses. Strategic Targeting: Why their consistent focus on the Water and Energy verticals serves as a digital mirror to Central Asian geopolitical interests.

Join us as we bridge the gap between regional signal and global threat intelligence, emphasizing the critical importance of greater threat research focus on less-covered regions.

*Sponsored by VMRay

02:30PM - 03:00PM EST

Presented by

Pol Thill

Cyber Threat Investigator

Fatih Akar

Security Product Manager

Virtual

Session Six

03:00PM - 03:30PM EST

Virtual

Session Seven

03:30PM - 04:00PM EST

Virtual

Event Recap and Closing Remarks

04:00PM - 04:15PM EST

Presented by

Ismael Valenzuela

Senior Instructor

Virtual

Meet Your Speaker

Ismael Valenzuela

Vice President Threat Research & Intelligence

Ismael is a Senior SANS Instructor and Arctic Wolf VP. Author of SEC530 and a prestigious GSE-certified expert, he blends decades of SOC, threat research, and community contributions to equip defenders with resilient, adversary-aware strategies.

Related events

View all events

SANS Cyber Threat Intelligence Summit & Training 2026

Obtain hands-on, practical skills from the world's best instructors by taking a SANS course at SANS Cyber Threat Intelligence Summit & Training 2026.

Mon, Jan 26 - Mon, Feb 2, 2026 • ET
Rosslyn, VA, US & Virtual (ET)
11 Courses

View event details Register

SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

CTI Summit Solutions Track - CTI in the AI Arms Race: Building Resilient, Adaptive Intelligence Platforms for 2026: Day 1

Share

Thank You To Our Sponsors