SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
Ismael is a Senior SANS Instructor and Arctic Wolf VP. Author of SEC530 and a prestigious GSE-certified expert, he blends decades of SOC, threat research, and community contributions to equip defenders with resilient, adversary-aware strategies.
Virtual
Threat intelligence is no longer just data; it is actionable insight embedded directly into your security operations. In this session, we'll explore the latest insights from the Microsoft Digital Defense Report and how Microsoft is transforming raw intelligence into dynamic, curated intelligence within our security ecosystem, empowering your team. Learn how the latest innovations, including enhanced workflows and threat-intelligence-specific agents, are helping analysts move faster and act on better intel than ever before.
*Sponsored by Microsoft
Chris Jacob presents “The Agentic AI Advantage in the Modern SOC: Every Decision Sharper. Every Second Faster.” at the SANS CTI Summit on January 26–27, 2026. The talk frames the SOC at a crossroads as teams face faster threats, tighter budgets, and rising board expectations. Chris outlines how unified defense, outcome-driven security, and modular Agentic AI shift operations from reactive detection to autonomous decision-making. Real results show major reductions in noise, MTTR, and cost, proving the SOC can become a strategic advantage.
*Sponsored by Securonix
In the next 3 to 5 years, the acceleration of AI and geopolitical conflict will make yesterday's defenses obsolete. Is your threat intelligence program ready for the shift? Steve Stone, SentinelOne's Chief Customer Officer, will discuss what he predicts the next 3 years will look like in cyber, based on SentinelOne's latest intelligence. You will gain a deep understanding of the future threat landscape driven by:
- Geopolitical Escalation: The expansion of state-sponsored cyber operations, including globally impactful campaigns from adversaries like Russia and North Korea that increasingly target critical infrastructure.
- The Convergence of Motives: Analyzing how nation-state actors and sophisticated cybercrime groups are increasingly sharing TTPs and tooling, blurring the lines of attribution and defense.
- The AI Multiplier: How the malicious deployment of Artificial Intelligence in the attack chain will fundamentally alter the speed and severity of breaches, compressing timelines and redefining the status quo.
Get the essential intelligence you need to make the right decisions in the present to prepare yourself for the future, ensuring your defensive strategy keeps pace with the rapidly collapsing threat horizon.
Ransomware negotiation is a high-pressure battlefield combining psychology, economics, and threat intelligence. This session shares operational lessons from real-world engagements, revealing negotiation patterns, deception tactics, and mistakes that determine payment outcomes. Attendees will learn practical methods to profile ransomware crews in the first 30 minutes, control the negotiation tempo, and avoid psychological traps that lead to panic payments. The talk offers actionable, intelligence-driven playbooks to reduce ransom demands by up to 90%. Participants leave with communication templates and decision frameworks based on anonymized transcripts and tactical breakdowns.
*Sponsored by SOCRadar
More security teams are successfully using the Tactics & Techniques from MITRE ATT&CK® for strategic assessments and risk management. But technical defenders, such as detection and emulation engineers, need more detailed and granular CTI to do their jobs: they need the data contained within Procedures. No widely accepted standard for Procedures has ever existed, greatly limiting their adoption. This session covers how Tidal Cyber is solving the persistent Procedure challenge by adopting an accurate but practical definition of and data model for Procedures, and by using large-scale data analysis powered by an original artificial intelligence solution to create and maintain a living, easily searchable library of adversarial Procedures.
*Sponsored by Tidal Cyber
Most CTI analysts don't work in a SCIF surrounded by peers ready to poke holes in their analysis. They work from home. They might be the only dedicated analyst at their company. Or they're staring down a 4-hour deadline with no time to schedule a peer review.
Structured analytic techniques exist precisely for these moments. But tools like Key Assumptions Check, Analysis of Competing Hypotheses, and Devil's Advocacy were built with collaboration in mind. What happens when you're working alone or with a small team?
In this talk, we’ll cover practical examples of how we use an LLM to assess attribution and intent for a recent campaign. You'll see how the model helps run a Key Assumptions Check, generate competing hypotheses from the same evidence, challenge your conclusions, and conduct a pre-mortem to spot potential flaws in your analysis.
This isn't about AI replacing analytic tradecraft. It's about using AI to enforce it when working in less-than-ideal conditions (which is most of the time).
Attendees will leave with a list of prompts they can apply immediately to their own analysis, along with practical guidance for setting up an LLM as an effective sparring partner.
*Sponsored by Feedly
Organizations continue to invest heavily in threat intelligence (TI), yet most never fully realize its value. Feeds are purchased, dashboards are populated, and reports circulate—but few environments translate intelligence into reliable, automated defense actions. This requires a closed-loop approach: converting raw threat information into relevant contextual detection and response while reducing false positives.
This session will discuss operationalizing cyber threat intelligence (CTI) with a closed-loop approach that leverages components such as SIEM, SOAR, and XDR. We will present approaches to establishing a structured pipeline, automating enrichment, creating risk-scored detections, and executing conditional responses that minimize noise while maximizing defensive impact.
*Sponsored by Cyware