Secure Your Fortress: Tools, Tactics, and Tradecraft for 2026

Thu, Apr 30, 2026
8:30AM - 4:30PM EDT
English
John Hubbard & Rich Greene
Workshop

Secure Your Fortress: Tools, Tactics, and Tradecraft for 2026 brings together SANS Cyber Defense instructors and practitioners to share what’s actually working in today’s defensive environments and what defenders need to be ready for next.

Designed for cybersecurity professionals at all levels, this live online event focuses on the tools defenders rely on, the tactics attackers are using right now, and the tradecraft that helps security teams detect, respond, and adapt more effectively.

Sessions are grounded in real-world experience and designed to give attendees practical takeaways they can apply immediately, whether they work in a SOC, blue team, incident response, engineering, or security leadership role.

Attendees will gain insight into modern attack techniques, hands-on defensive approaches, and emerging challenges shaping cyber defense in 2026.

What to Expect:

Practical guidance on the tools and techniques defenders are using today
Insight into attacker tactics shaping defensive priorities in 2026
Expert-led talks and demonstrations grounded in real-world experience
Actionable takeaways to strengthen detection, response, and resilience

Whether you’re refining existing defenses or looking to stay ahead of what’s coming next, Secure Your Fortress delivers clear, relevant guidance to help defenders navigate an increasingly complex threat environment.

Schedule

Showing 18 of 18

Filter by:

Select day:

Opening Remarks

08:30AM - 08:45AM EDT

Virtual

Learning to See the Whole Board: How Cybersecurity Understanding Emerges

Cybersecurity often feels overwhelming because it is taught and discussed in fragments. Tools here, threats there, policies somewhere else. This session shows how real cybersecurity understanding takes shape when those pieces finally connect.

Attendees will explore how people from cyber-adjacent and technical backgrounds move from surface-level awareness to a clearer, more confident way of thinking about security. By focusing on how concepts relate to one another across technology, operations, and the business, this talk reveals what it means to truly make sense of cybersecurity instead of reacting to it.

Rather than teaching individual controls or techniques, this session walks through the evolution of a learner as their understanding matures. It traces the journey from early confusion to the ability to see relationships, ask better questions, and recognize how security decisions ripple across an organization. The emphasis is on perspective and fluency, showing how a connected view of cybersecurity enables stronger collaboration and more informed decisions over time.

08:45AM - 09:15AM EDT

Presented by

Rich Greene

Certified Instructor

Virtual

Detection Coverage: Measuring What You Can Actually Detect

Security teams invest heavily in detection technologies, yet many organizations struggle to answer a fundamental question: what attacks can we actually detect? Detection coverage addresses this gap by providing a structured approach to measuring and validating an organization’s ability to identify adversary behaviors across its environment.

This talk explores how detection engineering teams can move beyond alert counts and tool capabilities to quantify real detection effectiveness. We will assess methods for mapping detections to attacker techniques using frameworks such as MITRE ATT&CK and DeTT&CT, identifying telemetry gaps, and evaluating the effectiveness of detection logic. Attendees will learn how to build a detection coverage model that highlights blind spots, prioritizes engineering effort, and enables measurable improvements to security monitoring.

By focusing on coverage rather than individual alerts, security teams can transition from reactive monitoring to a systematic detection engineering practice—one that continuously measures, validates, and improves an organization’s ability to detect real-world attacks.

09:15AM - 09:45AM EDT

Presented by

Nick Mitropoulos

Certified Instructor

Virtual

From OSINT to Digital Forensics—and Back: Turning Data into Actionable Intelligence

A Practical DFINT Workflow from OSINT Collection to Digital Forensic Containers, and from Forensic Evidence to Data Enrichment

Effective investigations do not move in a single direction. Leads may begin in open sources and drive targeted forensic acquisition, or they may emerge from digital forensic artifacts and require OSINT enrichment to reveal their full intelligence value. This session presents a practical Digital Forensics Intelligence DFINT workflow that connects both sides of the process: from OSINT collection to digital forensic containers, and from forensic extraction to external data enrichment.

Using examples such as Wi-Fi networks and Telegram groups, the session shows how investigators can identify relevant sources, preserve and process digital evidence, and correlate forensic artifacts with open-source information to uncover identities, associations, locations, and behavioral patterns. By linking OSINT and digital forensics as a continuous investigative cycle, the talk demonstrates how fragmented technical and contextual data can be transformed into actionable intelligence, operational leads, and evidentiary outcomes.

09:45AM - 10:15AM EDT

Presented by

Dario Beniamini

Certified Instructor Candidate

Virtual

AI Agents: I Get By With a Little Help from My Tools

Want to make your Python programs feel less like they’re waiting for a fax machine and more like they’ve got a flux capacitor under the hood? In 20-minute talk, I’ll show how to use Python’s concurrent.futures module to implement multithreading in a clean, practical way. We’ll look at how future objects let you launch work in parallel, manage running tasks, and collect results without turning your code into a tangled mess of thread management. If you’ve wanted an easier way to speed up I/O-bound work and keep your programs responsive, this session will take you back to the future.

10:15AM - 10:45AM EDT

Presented by

Mark Baggett

Fellow

Virtual

Morning Break

10:45AM - 11:00AM EDT

Virtual

Wireshark Command Line Tools

Wireshark is an amazing protocol analyzer that is known for its very powerful protocol parsers, decoders, and graphical interface. Did you know that Wireshark also includes a suite of command-line tools? Let's explore several of these command-line tools, see how they can be incredibly helpful, and worth adding to our analysis toolkit.

11:00AM - 11:30AM EDT

Presented by

Andrew Laman

Senior Instructor

Virtual

Too Many CVEs, Not Enough Time: AI-Powered Vulnerability Management

Enterprise vulnerability management programs often struggle with the same problem: too many scanner findings and not enough time to fix what actually matters. Security teams routinely face massive vulnerability backlogs, conflicting severity ratings, and limited engineering capacity for remediation.

AI offers an opportunity to transform vulnerability management from a reactive scanning exercise into a faster, more context-driven risk reduction process. Rather than replacing existing tools, AI can help security teams triage findings, identify real attack paths, generate remediation guidance for developers, and accelerate coordination between security and engineering teams.

In this session, we’ll explore practical ways enterprise cybersecurity teams can integrate AI into their vulnerability management workflows. We’ll show how AI tools like ChatGPT can help analyze scanner output, prioritize vulnerabilities based on business risk, generate developer-ready remediation guidance, and identify potential exploit paths.

Attendees will leave with practical examples of how AI can reduce false positives, shorten remediation cycles, and help security teams focus on the vulnerabilities that truly matter.

11:30AM - 12:00PM EDT

Presented by

Dave Shackleford

Senior Instructor

Virtual

The Replicant Problem: Zero Trust in the Age of Autonomous AI Agents

Zero Trust was designed to govern both human and non-human identities, yet most organizations are still struggling with the first and have barely addressed the second.

Agentic AI is now forcing the issue in the most uncomfortable way: these agents hold credentials, access data, make decisions, and even create other agents. From an identity perspective, they appear as just another principal, but most identity models and policy controls were never designed for this level of dynamic behavior. This is the Replicant problem: like in Blade Runner, they are “more human than human.”

In this talk, Ismael Valenzuela examines the emerging risks of agentic AI, including dynamic principal sprawl, opaque trust chains, and compromise at the intent layer. Through a live demonstration of prompt injection as an identity attack, we show how Zero Trust controls at the AI gateway layer can detect and contain these threats. Attendees will leave with practical threat models and design patterns for architecting and engineering defensible AI-driven environments.

12:00PM - 12:30PM EDT

Presented by

Ismael Valenzuela

Senior Instructor

Virtual

Lunch Break

12:30PM - 01:00PM EDT

Virtual

When Time Lies: The Hidden Risk of Time Zones, DST, and Log Analysis

Twice a year, millions of people groan as they are forced to change their clocks for daylight saving time. Meetings shift, devices disagree about the correct time, and everyone spends a day wondering whether their calendar is now wrong. While this frustration may seem like a minor inconvenience, the complexity behind timekeeping is far deeper and has real implications for cybersecurity operations.

Security teams depend on accurate timestamps to reconstruct events, detect attacks, and understand what actually happened during an incident. Yet time is far from simple. Daylight saving rules vary around the world, some regions use unusual offsets such as 30-minute or 45-minute time zones, and geopolitical decisions have created surprising realities. When systems record time inconsistently or logs are collected without proper normalization, investigators can end up with misaligned timelines and events that appear out of order. In this session, we explore the hidden complexity of timekeeping and why practices such as consistent synchronization and logging in UTC are essential for reliable incident response.

01:00PM - 01:30PM EDT

Presented by

Bryan Simon

Senior Instructor

Virtual

The Augmented Analyst: How AI Is Changing the Speed of Security Operations

Attackers are already using AI to move faster, hit harder, and scale operations that used to require entire teams. Defenders need to match that energy, and most SOC teams aren't there yet. Whether they're ignoring AI entirely or adopting it without a framework, both paths create risk. This session cuts through the hype with practical mental models for where AI delivers real value in security operations, paired with examples of tools that analysts and security leaders can start using today. You'll leave with a clearer picture of where AI accelerates your team—and where human judgment stays irreplaceable.

01:30PM - 02:00PM EDT

Presented by

John Hubbard

Senior Instructor

Virtual

Detecting Malware via HTTPS Analysis

The vast majority of web traffic is encrypted via HTTPS/TLS. That includes most malware command-and-control (C2) channels. This makes traditional signature-based network detection ineffective.

Most organizations now rely primarily on Endpoint Detection & Response (EDR) solutions to detect malware, and have little to no Network Detection and Response (NDR) capabilities.

This talk will explore network-based solutions that scale well and complement endpoint-based solutions. This includes detecting malware via DNS analysis, x.509 certificate analysis, and JA3 and JA4+ network fingerprinting.

02:00PM - 02:30PM EDT

Presented by

Eric Conrad

Fellow

Virtual

Afternoon Break

02:30PM - 02:45PM EDT

Virtual

Trust Issues: How MCP Servers Hijack Your AI

A single malicious MCP server installed alongside a legitimate WhatsApp connector allowed for silent exfiltration of a user's entire message history. The trick? Hidden instructions embedded in the tool descriptions. The user saw nothing. The AI followed the instructions without question. Model Context Protocol is quickly becoming how AI assistants connect to email, databases, and file systems, everything, and each one of those servers/tools/resources present an attack surface. This talk covers how tool poisoning, rug pulls, and cross-server contamination work against MCP, what makes some deployments more dangerous than others, and how to figure out which of your deployments to worry about first.

02:45PM - 03:15PM EDT

Presented by

Seth Misenar

Fellow

Virtual

The Manipulator’s Playbook: What Every Investigator Should Know About Modern Influence Ops

In today’s information environment, manipulation isn’t an anomaly—it’s a strategy. Individuals, media organizations, and foreign governments all shape information to influence what people believe, how they behave, and where their attention goes. Some do it for profit, some for power, and others simply to push a narrative that benefits their interests.

For investigators, this creates a landscape where truth competes with tailored falsehoods, emotional triggers, and engineered narratives designed to bypass critical thinking. Misinformation, disinformation, and narratives created for psychological operations thrive and spread rapidly because they exploit the cognitive shortcuts we all rely on.

This talk breaks down why actors manipulate information, the incentives that drive them, and the tactics they use to distort perception at scale. More importantly, it highlights the awareness and analytical discipline investigators need to recognize these influence efforts before they shape conclusions, contaminate evidence, or derail an inquiry.

Modern influence operations aren’t just about lying—they’re about steering. Investigators who understand the playbook are far better equipped to stay ahead of it.

03:15PM - 03:45PM EDT

Presented by

Chris Pizor

Principal Instructor

Virtual

Agentic AI for Security

What’s the difference between MCP and AI Skills? How can you do real security work leveraging AI while preserving privacy and data leakage?

In this talk and demo, David Hoelzer will answer these questions and walk you through the basics of building simple tools and skills that a local AI can use to do real security work, making your work-life better!

03:45PM - 04:15PM EDT

Presented by

David Hoelzer

Fellow

Virtual

Back to the Futures: Multithreading with Concurrent Futures

Want to make your Python programs feel less like they’re waiting for a fax machine and more like they’ve got a flux capacitor under the hood?

In a 20-minute talk, I’ll show how to use Python’s concurrent.futures module to implement multithreading in a clean, practical way. We’ll look at how future objects let you launch work in parallel, manage running tasks, and collect results without turning your code into a tangled mess of thread management. If you’ve wanted an easier way to speed up I/O-bound work and keep your programs responsive, this session will take you back to the future.

04:15PM - 04:45PM EDT

Presented by

Mark Baggett

Fellow

Virtual

Meet Your Speakers

John Hubbard

Consultant

John is a Senior SANS Instructor and SOC consultant, author of SEC450 and LDR551. With deep SOC leadership experience, GIAC certifications, and hands-on labs, he equips cyber defenders with the skills to hunt, detect, and lead resilient operations.

Learn more

Rich Greene

Senior Solutions Engineer

Rich Greene, SANS Senior Solutions Engineer and SEC301 author, brings 20+ years of cyber operations and teaching experience to the classroom. With 15+ GIAC certifications and a passion for mentorship, he equips defenders with real-world confidence and skill.

Learn more

SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

Secure Your Fortress: Tools, Tactics, and Tradecraft for 2026

Share

What to Expect: