SANS 2026 SOC, SIEM, SOAR Forum

Fri, Feb 27, 2026
10:00AM - 5:00PM EST
English
Mark Orlando
Solutions Forum

Thank You To Our Sponsors

Security teams are under increasing pressure to detect, respond, and adapt at the speed of today’s evolving threats. The SANS 2026 SOC, SIEM, SOAR Forum brings together practitioners, architects, and leaders to share real-world experiences, lessons learned, and proven practices for advancing Security Operations.

Through interactive discussions, expert panels, and practitioner-led talks, attendees will explore the latest approaches to optimizing SOC design, improving SIEM effectiveness, and automating response with SOAR technologies. The forum will highlight what’s working in the field—how organizations are breaking down silos, tuning detection pipelines, integrating AI and automation responsibly, and building resilient, adaptive operations. Participants will leave with actionable insights, new perspectives, and a stronger community of peers all focused on the same goal: creating faster, smarter, and more effective security operations.

Why Register?

Expert-led Sessions
Flexible Attendance (Attend live or watch on your own time)
On-Demand Access (Revisit sessions and download presentations at your convenience)
Connect with Industry Leaders
Build Your Professional Network
Earn CPE Credits

Schedule

Showing 6 of 6

Filter by:

Select day:

Event Kickoff and Introduction

10:00AM - 10:15AM EST

Presented by

Mark Orlando

Certified Instructor

Virtual

Why SIEM Migrations Fail: You Don’t Have a Tool Problem, You Have a Data Problem

You invested heavily in your SIEM. Now it's expensive, noisy, and you're not sure it's catching what matters. So you migrate to a new platform, rebuild your detections, and two years later find yourself in exactly the same place. Sound familiar? The uncomfortable truth is that your SIEM isn't the problem—your data is. SIEMs are wrappers around data and process. Switch the wrapper without fixing what's inside, and you've just bought yourself an expensive reset button. This talk reframes data collection as a first-class security operations problem. We'll show how leading teams design detection starting from threat scenarios, not from whatever logs happen to be available. Attendees will learn: Threat-informed data sourcing: How to use threat modeling to identify which data sources actually matter for the threats you face—and which fields within those sources you need ROI-driven decisions: A practical framework for calculating the return on investment of data sources and detections, so you can justify costs and cut noise Coverage analysis: Methods to understand and communicate your detection coverage gaps to stakeholders Data quality fundamentals: Why "we have the logs" doesn't mean you can detect anything, and how to measure and improve log quality Building a sustainable program: Moving from one-time fixes to continuous improvement We'll ground this in real-world case studies, including how missing Zoom authentication logs enabled North Korean operatives to remain undetected, and other examples where the data problem became visible only during incident response—when it was too late. You'll leave with a practical playbook for treating data collection as the strategic capability it is, not an afterthought to your next SIEM purchase.

10:15AM - 10:45AM EST

Presented by

Gal Tal-Hochberg

Co-Founder and CEO

Virtual

Scaling Context with LLMs: The Missing Piece in SOC Investigations

Modern SOC investigations don’t fail because alerts are missed. They fail because context doesn’t scale. As incidents span identity, cloud, endpoint, and SaaS systems, analysts are left to manually pull, connect, and reason over fragmented and often conflicting signals. This session focuses on the role of context in SOC investigations and why traditional automation and alert-centric workflows break down at scale. We’ll break down the different types of context that matter during investigations: identity state, asset role, business intent, timing, and evidence, and the practical challenges of using them consistently in real environments. We’ll then examine how LLMs can help scale context in investigations: pulling and normalizing signals across systems, maintaining investigation state, surfacing contradictions, and supporting analyst reasoning. Just as importantly, we’ll cover where LLMs fall short and why human judgment remains critical. Attendees will leave with a clear, practical model for using context and AI together to improve investigation outcomes without adding noise or false confidence.

10:45AM - 11:15AM EST

Presented by

Eldad Rudich

Co-Founder and CTO

Virtual

Leveraging Cybercriminal Tactics for Enhanced Network Security with the use of AI

Perimeter defenses are a long-standing strategy, but cybercriminals and ransomware operators are increasingly adept at bypassing them. Once inside, they exploit network blind spots, utilize encrypted traffic, and target cloud workloads to remain undetected. What if you could turn these tactics to your advantage? In this discussion, Fortinet cybersecurity expert will explore how SOC teams can proactively hunt for attackers by using their own strengths against them.

11:15AM - 11:45AM EST

Presented by

Peter Steyaert

Sr Manager, Systems Engineering

Virtual

Break

11:45AM - 12:00PM EST

Virtual

Lessons Learned: Deploying AI SOC Agents in the Real World

AI SOC agents are now operating in real SOCs, at scale, autonomously investigating hundreds of thousands of alerts. But for most security leaders, the biggest questions remain: does the technology actually work, how do you evaluate it safely, and what should you expect once it’s deployed? This session distills practical lessons learned from deploying AI SOC agents in production at organizations such as Zapier, UiPath, Mysten Labs, and Indiana Farm Bureau Insurance, as well as at large MSSPs. We’ll walk through what security teams should look for when evaluating AI SOC technology, how these agents integrate with existing SIEM, ticketing, and automation tools, and what changes (and what doesn’t) once they’re live in the SOC.

12:00PM - 12:45PM EST

Presented by

Edward Wu

CEO & Founder

Virtual

Meet Your Chairperson

Mark Orlando

Co-Founder & CEO

Mark Orlando brings extensive cybersecurity leadership experience from the Pentagon, White House, and Fortune 500 sectors. As Bionic Cyber's CEO, he's a respected security operations expert with military and academic credentials.

SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

SANS 2026 SOC, SIEM, SOAR Forum

Share

Thank You To Our Sponsors

Why Register?

Schedule

Event Kickoff and Introduction

Why SIEM Migrations Fail: You Don’t Have a Tool Problem, You Have a Data Problem

Scaling Context with LLMs: The Missing Piece in SOC Investigations

Leveraging Cybercriminal Tactics for Enhanced Network Security with the use of AI

Break

Lessons Learned: Deploying AI SOC Agents in the Real World

Meet Your Chairperson

Mark Orlando

Event Kickoff and Introduction

Why SIEM Migrations Fail: You Don’t Have a Tool Problem, You Have a Data Problem

Scaling Context with LLMs: The Missing Piece in SOC Investigations

Leveraging Cybercriminal Tactics for Enhanced Network Security with the use of AI

Break

Lessons Learned: Deploying AI SOC Agents in the Real World