SANS DFIR Summit Solutions Track 2025

Event Kickoff & Introduction

Supply chain attacks are among the most dangerous threats in cybersecurity, not because they exploit software flaws, but because they exploit trust.

This session explores several high-impact compromises and includes a hands-on lab using DLL side-loading. See how trusted binaries can be weaponized to deliver attacker-controlled payloads, and learn forensic techniques to trace execution paths, detect tampered binaries, and uncover artifacts left on disk and in memory. Get actionable insights to identify and respond to these stealthy, high-consequence attacks with confidence.

Sponsored by Magnet Forensics

In digital forensics and incident response, confidence in detection tools is vital. This session introduces the Anti-Malware Testing Standards Organization (AMTSO) and its open, vendor-neutral testing frameworks. Attendees will learn how AMTSO’s Testing Protocol Standard and Fundamental Principles of Testing support transparent, repeatable evaluations.

We’ll cover why standardized testing matters for DFIR, how labs and vendors can run fair tests, and the real-world impact on tool validation, red teaming, and procurement.

Sponsored by VMRay

Responding to threats in the cloud is delicate - it's not just about eliminating the threat but doing so without causing unintended damage. Cloud environments are complex and unpredictable, forcing security teams to weigh the tradeoff between fast response and a validated, predictable resolution.

This webinar will explore how to design a response strategy based on real-time insight that minimizes blast radius, assigns the right level of authority to different teams, and ensures that response actions are both swift and responsible.

Learn how to strike the balance between speed and control in cloud detection and response. ‍ What You'll Learn Why cloud environments make auto response more complex, and how to implement a guided response model to accelerate MTTR without downtime How to design a response strategy that minimizes blast radius How security teams can strike the balance between speed and control in response How to empower all team members throughout the response process to enhance investigation while limiting burnout.

Sponsored by Stream Security

Scattered Spider has rapidly emerged as one of the most formidable adversaries in the modern cyber threat landscape. Known for its advanced social engineering tactics and targeted intrusions, this highly organized threat group has successfully infiltrated major enterprises, bypassing traditional defenses and causing widespread operational and financial damage.

In this webinar, we will take a deep dive into the anatomy of Scattered Spider’s campaigns—examining their attack vectors, techniques, and the tools that enable their persistence. Attendees will gain insights into the group’s evolving methods, from initial access through phishing and SIM swapping to lateral movement and data exfiltration strategies.

We will also explore real-world case studies that illustrate the impact of their operations and discuss proactive measures organizations can take to detect, mitigate, and prevent such attacks. Join us as we unmask this elusive threat actor and provide actionable intelligence to strengthen your cybersecurity posture against sophisticated adversaries like Scattered Spider.

Sponsored by Extrahop

We will present findings from a new study analyzing the publicly exposed attack surfaces of organizations across the U.S., EMEA, and APAC.

In particular, we’ll highlight recurring patterns in service exposures, risky configurations, certificate mismanagement, and third-party supplier risks—factors that often complicate incident investigations and response workflows. This session equips DFIR teams with actionable intelligence to better understand attacker ingress points, contextualize threats in real time, and enhance post-breach visibility through comprehensive internet-wide data.

Sponsored by Censys