Trainings 2026

Training Location: Rochester Institute of Technology, 1 Lomb Memorial Drive, Rochester, NY 14623, United States

The following workshops will be offered on Friday, the day before the main conference:

Date: Friday, March 20th 2026


Netflow and Network Behavior Analytics for Blue Teams
Joe Gray, 8:00 AM - 12:00 PM
Network telemetry is one of the most valuable data sources available to defenders, yet many Blue Team analysts
are never taught how to reason about it beyond basic alerts or dashboards. This training focuses on using
Netflow and flow-based data to understand network behavior, identify suspicious activity, and support
investigations in a structured and defensible way.

Participants will learn how to interpret flow records, recognize normal versus abnormal patterns, and use
network behavior to answer investigative questions. Rather than focusing on a specific vendor or tool, the
training emphasizes analytical thinking that can be applied across environments, platforms, and data sources.

This course is designed for analysts who want to move beyond surface-level indicators and develop confidence in
explaining what network data is actually showing them, both in day-to-day operations and in interviews or
professional discussions.

Applied Threat Intelligence: Tracking Adversary Behavior with OSINT and CTI
Joe Gray, 1:00 PM - 5:00 PM
This four-hour training is a hands-on Cyber Threat Intelligence course focused on analyst execution rather than
theory. The goal is to teach participants how to take public adversary reporting and OSINT and turn it into
structured, behavior-focused intelligence that supports defensive work.

After a brief alignment on what OSINT and Cyber Threat Intelligence are, participants spend the majority of the
session extracting adversary behaviors from real-world reporting. Those behaviors are then structured using the
MITRE ATT&CK Framework, the Diamond Model, and the Pyramid of Pain to understand how an adversary operates and
what matters defensively.

This course is designed for Blue Team analysts and defenders who want practical experience doing intelligence
work they can apply operationally and explain clearly in interviews and professional discussions.

Breaking AI: Prompt Injection, Data Exfiltration and Practical Defenses That Work
Pavan Reddy, 8:00 AM - 12:00 PM
AI systems don’t fail like traditional software: they fail silently, follow the wrong authority, and can be
steered into leaking data or taking unintended actions. This 4-hour hands-on workshop teaches you how modern
“AI vulnerabilities” actually show up in deployed LLM features by attacking and defending a sandboxed car
dealership chatbot that’s connected to an internal database. Then you will pivot to real-world data exfiltration
patterns via direct and indirect prompt injection (including untrusted content in RAG-like workflows).

Attendees will actively craft exploits, observe impact, and implement practical mitigations (least-privilege
tooling, strict schemas, policy gates, and confirmation workflows). BYOL-friendly; compute runs on free
resources (e.g., Google Colab). Fully hands-on, minimal coding (no prior experience needed).

You Accidentally Got a Job in Cybersecurity, Now What?
Abe Abernethy, Annie Zempel, 8:00 AM - 12:00 PM
Nobody tells you that cybersecurity jobs in a small business up to medium-sized enterprise are 20% technology
and 80% translation, negotiation, and sifting through garbage. This half-day workshop explodes five common lies
the industry tells itself, drawing from real-world experience building security programs that survive contact
with business reality. You'll learn to measure what matters (not what's easy), communicate technical concepts at
management or board level without treating executives like children, and build resilient programs using proven
frameworks instead of vendor fever dreams. Includes practical exercises with executives from the Graylog SIEM's
Customer Enablement team to cement concepts through hands-on work. Leave with concepts and frameworks you can
deploy Monday, metrics that matter, and the ability to explain why security isn't just "the team that says no."