SANS 2026 SOC, SIEM, SOAR Forum

Fri, Feb 27, 2026
9:00AM - 4:00PM EST
English
Mark Orlando
Solutions Forum

Thank You To Our Sponsors

Security teams are under increasing pressure to detect, respond, and adapt at the speed of today’s evolving threats. The SANS 2026 SOC, SIEM, SOAR Forum brings together practitioners, architects, and leaders to share real-world experiences, lessons learned, and proven practices for advancing Security Operations.

Through interactive discussions, expert panels, and practitioner-led talks, attendees will explore the latest approaches to optimizing SOC design, improving SIEM effectiveness, and automating response with SOAR technologies. The forum will highlight what’s working in the field—how organizations are breaking down silos, tuning detection pipelines, integrating AI and automation responsibly, and building resilient, adaptive operations. Participants will leave with actionable insights, new perspectives, and a stronger community of peers all focused on the same goal: creating faster, smarter, and more effective security operations.

Why Register?

Expert-led Sessions
Flexible Attendance (Attend live or watch on your own time)
On-Demand Access (Revisit sessions and download presentations at your convenience)
Connect with Industry Leaders
Build Your Professional Network
Earn CPE Credits

Get Connected -> Join us on Slack!

Schedule

Showing 16 of 16

Filter by:

Select day:

Event Kickoff and Introduction

09:00AM - 09:15AM EST

Presented by

Mark Orlando

Certified Instructor

Virtual

Go Beyond SIEM to Transform your SOC with AI

Traditional, human-centered SOCs have failed to keep pace. To move faster than today's AI-enabled adversaries, you must transform security operations. Get the playbook for building a modern SOC with Cortex XSIAM, the industry's leading AI-powered SOC platform. You'll learn how to go beyond legacy SIEMs and security point products by harnessing the power of Precision-AI and native automation, enabling lightning fast workflows and unrivaled threat protection - all within a single platform.

*Sponsored by Palo Alto Networks

09:15AM - 09:45AM EST

Presented by

Florian Schmidt

Senior Domain Consultant

Virtual

AI revolutionizes SOC Operations

AI-powered SOC automations are no longer futuristic ideas – they are practical, real-world solutions already making security teams faster, smarter, and more effective. The question is no longer "Should we leverage AI?" but rather "How can we leverage AI responsibly and effectively within our Security Operations teams and workflows?" The introduction of AI into security workflows is not about replacing humans – it’s about empowering them. Join our session to hear firsthand how AI can reduce noise, accelerate investigations, and help security teams stay ahead of evolving threats.

*Sponsored by Rapid7

09:45AM - 10:15AM EST

Presented by

Juraj Cief

Product Manager for AI-powered Security Operations4

Virtual

Why SIEM Migrations Fail: You Don’t Have a Tool Problem, You Have a Data Problem

You invested heavily in your SIEM. Now it's expensive, noisy, and you're not sure it's catching what matters. So you migrate to a new platform, rebuild your detections, and two years later find yourself in exactly the same place. Sound familiar? The uncomfortable truth is that your SIEM isn't the problem—your data is. SIEMs are wrappers around data and process. Switch the wrapper without fixing what's inside, and you've just bought yourself an expensive reset button. This talk reframes data collection as a first-class security operations problem. We'll show how leading teams design detection starting from threat scenarios, not from whatever logs happen to be available. Attendees will learn: Threat-informed data sourcing: How to use threat modeling to identify which data sources actually matter for the threats you face—and which fields within those sources you need ROI-driven decisions: A practical framework for calculating the return on investment of data sources and detections, so you can justify costs and cut noise Coverage analysis: Methods to understand and communicate your detection coverage gaps to stakeholders Data quality fundamentals: Why "we have the logs" doesn't mean you can detect anything, and how to measure and improve log quality Building a sustainable program: Moving from one-time fixes to continuous improvement We'll ground this in real-world case studies, including how missing Zoom authentication logs enabled North Korean operatives to remain undetected, and other examples where the data problem became visible only during incident response—when it was too late. You'll leave with a practical playbook for treating data collection as the strategic capability it is, not an afterthought to your next SIEM purchase.

*Sponsored by Beacon Security

10:15AM - 10:45AM EST

Presented by

Gal Tal-Hochberg

Co-Founder and CEO

Virtual

Scaling Context with LLMs: The Missing Piece in SOC Investigations

Modern SOC investigations don’t fail because alerts are missed. They fail because context doesn’t scale. As incidents span identity, cloud, endpoint, and SaaS systems, analysts are left to manually pull, connect, and reason over fragmented and often conflicting signals. This session focuses on the role of context in SOC investigations and why traditional automation and alert-centric workflows break down at scale. We’ll break down the different types of context that matter during investigations: identity state, asset role, business intent, timing, and evidence, and the practical challenges of using them consistently in real environments. We’ll then examine how LLMs can help scale context in investigations: pulling and normalizing signals across systems, maintaining investigation state, surfacing contradictions, and supporting analyst reasoning. Just as importantly, we’ll cover where LLMs fall short and why human judgment remains critical. Attendees will leave with a clear, practical model for using context and AI together to improve investigation outcomes without adding noise or false confidence.

*Sponsored by Daylight Security

10:45AM - 11:15AM EST

Presented by

Eldad Rudich

Co-Founder and CTO

Virtual

Leveraging Cybercriminal Tactics for Enhanced Network Security with the use of AI

Perimeter defenses are a long-standing strategy, but cybercriminals and ransomware operators are increasingly adept at bypassing them. Once inside, they exploit network blind spots, utilize encrypted traffic, and target cloud workloads to remain undetected. What if you could turn these tactics to your advantage? In this discussion, Fortinet cybersecurity expert will explore how SOC teams can proactively hunt for attackers by using their own strengths against them.

*Sponsored by Fortinet

11:15AM - 11:45AM EST

Presented by

Peter Steyaert

Sr Manager, Systems Engineering

Virtual

Break

11:45AM - 12:00PM EST

Virtual

Lessons Learned: Deploying AI SOC Agents in the Real World

AI SOC agents are now operating in real SOCs, at scale, autonomously investigating hundreds of thousands of alerts. But for most security leaders, the biggest questions remain: does the technology actually work, how do you evaluate it safely, and what should you expect once it’s deployed? Where does software end and where does outsourced MDR begin? This session distills practical lessons learned from deploying AI SOC agents in production at organizations such as Zapier, UiPath, Mysten Labs, and Indiana Farm Bureau Insurance, as well as at large MSSPs. We’ll walk through what security teams should look for when evaluating AI SOC technology, how these agents integrate with existing SIEM, ticketing, and automation tools, and what changes (and what doesn’t) once they’re live in the SOC.

*Sponsored by Dropzone AI

12:00PM - 12:30PM EST

Presented by

Edward Wu

CEO & Founder

Virtual

You Can’t Prompt Your Way Out of Bad Data: Why Context, Not Models, Wins in the Cloud

Attackers are already using AI to move faster, blend in better, and exploit cloud complexity at machine speed. Defenders are responding with AI-powered SOCs, automated triage, and SOAR playbooks. Yet most teams are still losing time, confidence, and clarity. Why? Because AI without the right data model does not create advantage. It amplifies uncertainty. In this session, Jason Nations, former CISO of OG&E, will break down what AI is and is not doing in modern security operations, and why the defender’s only durable advantage is data that reflects reality, not snapshots, not logs, not guesses. Together, we’ll explore how attackers use AI to rapidly learn cloud environments, manipulate identities, permissions, and configurations, and expand blast radius in minutes. We will contrast that with how most SOCs still operate on stateless signals, stale cloud posture, and fragmented tooling. The result is AI fighting AI, but one side is blindfolded. Jason will argue that the next evolution of the SOC is not more alerts or smarter prompts, but stateful, real-time understanding of the environment. When defenders operate on live context, AI becomes a force multiplier instead of a noise engine. This talk is a practical discussion for SOC leaders navigating scarce talent, growing attack surfaces, and relentless pressure to move faster without breaking production.

*Sponsored by Stream.Security

12:30PM - 01:00PM EST

Presented by

Jason Nations

Field CISO

Virtual

From Alert Fatigue to Risk Clarity: Rebuilding Detection and Response with Agentic AI

Security operations teams are under increasing pressure as environments grow more dynamic, cloud-native, and identity-driven. Traditional SIEM models overwhelm analysts with severity-based alerts, driving noise, burnout and missed risk. At the same time, security leaders are expected to deliver faster response, clearer prioritization, and measurable outcomes with fewer resources. It’s time to move beyond alert-driven triage. In this session, you will learn how modern SOCs are shifting to risk-based detection and response using unified telemetry, behavior analytics, and governed agentic AI. We will explore how modular AI agents, operating with human-in-the-loop controls, help security teams suppress noise, surface real risk, and act with speed and confidence. Attendees will gain practical insight into how this model enables stronger security outcomes while improving analyst productivity and executive visibility. In this session, you’ll learn: Why static rules and severity scores break down in cloud-native, identity-centric environments How agentic AI reduces false positives while elevating analyst effectiveness How to design risk-centric pipelines that unify detection, triage, and response Real-world lessons from SOC teams that reduced MTTR and analyst burnout without adding headcount Whether you're leading a SOC, design detection strategies, or report cyber risk to executive stakeholders, this session will hekp you move from reactive alert handling to intelligent, scalable threat defense. Every second matters. Make every decision count.

*Sponsored by Securonix

01:00PM - 01:30PM EST

Presented by

Chris Jacob

Field CISO

Virtual

AI Hype vs. Detection Reality: Why AI SOC Will Only Accelerate Your Debt–Unless You Fix the Fundamentals

Tired of the AI SOC vendor hype? While everyone is focused on automating alert triage—the "squeaky wheel" of SecOps—they are ignoring the core problem: flawed detection. If your team is already drowning due to poorly tuned rules, even the most advanced AI will simply triage noisy alerts at machine speed, leaving your underlying issues unresolved. This session unpacks the brutal reality: AI SOC often treats detection as a problem they’ll fix later, when it is, in fact, a more fundamental issue. We’ll lay out the essential truth: Detection engineering must be a first-class citizen. Otherwise, AI will just compound your detection debt compounds and accelerate the interest payments. Join us to learn: Actionable strategies for building stronger, more resilient security operations How to improve detection quality and fidelity How to tighten the feedback loops across your data pipelines, SIEM, SOAR, and threat intelligence Stop chasing AI shortcuts and start solving the prerequisite problems that will truly unlock the full potential of AI SOC.

*Sponsored by Cardinal Ops

01:30PM - 02:00PM EST

Presented by

Dr. Anton Chuvakin

Security Advisor at Office of the CISO, Google Cloud

Bryan Peace

Sr. Product Marketing Manager

Virtual

Break

02:00PM - 02:15PM EST

Building a Cloud Detection Engine: Reducing Noise in the Cloud and AI Era

Cloud and AI have changed how SecOps teams operate, and how attackers move. In the cloud, detection isn’t a nice to have - it’s foundational. In this session, Itay Harel and Tal Moriah break down how to build a threat detection engine designed for modern cloud environments through the lens of detecting and responding to Shai Hulud. They’ll share how tracking real-world threats shapes better detections, and why pulling context from across identity, SaaS, VCS, cloud, and runtime platforms is critical to understanding what’s actually happening in your environment. They’ll also cover how AI fits in as a practical way to correlate signals and reduce noise, helping analysts focus on what matters most. Attendees will leave with a clear view of how to move fast in the cloud, and how to build detection that keeps up.

*Sponsored by WIZ

02:15PM - 02:45PM EST

Presented by

Tal Moriah

Product Marketing Manager

Itay Harel

Cloud Threat Detection Lead

Virtual

Your Next SOC Analyst Won’t Be Human: The Reality of Agentic AI in Security

Security Operations Centers are under increasing pressure. Alert volumes continue to rise, environments grow more complex, and experienced analysts remain scarce. While AI copilots have improved analyst productivity, a more significant shift is now underway: the emergence of agentic AI systems that can autonomously investigate alerts, gather evidence, make decisions, and execute response actions. This session explores the reality behind agentic AI in security operations. Moving beyond marketing claims and theoretical future states, we examine what agentic systems can actually do today, and how quickly they are actually being adopted. We'll also break down how agentic AI operates inside the SOC, multi-step investigation workflows, contextual evidence gathering, and guided or automated response.

*Sponsored by Sumologic

02:45PM - 03:15PM EST

Presented by

Chas Clawson

Field CTO, Security

Oren Shevach

Senior Director, Product Management

Virtual

Building the Future of Cyber Defense with AI Agents

Join us for an insightful session where we dive into Google's innovative approach to cybersecurity, leveraging the power of AI agents to transform security operations. In an era where cyber threats are constantly evolving, we will explore how AI is no longer just a futuristic concept but a present-day reality in defending against sophisticated attacks. Explore how Google is building and integrating AI agents to work alongside human analysts, augmenting their capabilities and allowing them to focus on the most critical challenges. We will share key principles and lessons learned from our journey, offering a roadmap for organizations looking to adopt an AI-powered defense strategy.

*Sponsored by Google

03:15PM - 03:45PM EST

Presented by

Ben Frenkel

Group Product Manager, AI Security

Virtual

Event Recap and Closing Remarks

03:45PM - 04:00PM EST

Presented by

Mark Orlando

Certified Instructor

Virtual

Meet Your Chairperson

Mark Orlando

Co-Founder & CEO

Mark Orlando brings extensive cybersecurity leadership experience from the Pentagon, White House, and Fortune 500 sectors. As Bionic Cyber's CEO, he's a respected security operations expert with military and academic credentials.

SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

SANS 2026 SOC, SIEM, SOAR Forum

Share

Thank You To Our Sponsors

Why Register?