If you have already registered for the meeting, you SHOULD update your registration yourself for the trainings -> see below for detailed information about the Friday workshops/trainings!
Go to: https://indico.tf-csirt.org/event/10 (https://indico.tf-csirt.org/)
Please note that if you have registered before, you need to adjust your "booking". By going to the above URL you will be told (hopefully ;) that you are registered for this event. Then you can click on "See details". Once you have done that, you will see a "feather" icon with the choice to "Modify" ... click on that, move down to "Selection of Meeting Sessions" and make your choices!
The selections you make will have no influence on the fees etc., so it is just additional information we need for planning and setting up the rooms.
But if you are not registered for a training and come to Jerez, you might find the training you actually wanted most not available any longer.
Time and space are limited (as always); seats will be assigned on a "first come, first served" basis according to your updated registrations ... free seats might be available at short notice on-site in Jerez! (but do not depend on it ;)
Programme on Wednesday, 4th February
| Time | Presentation | Presenter | TLP | Audience |
|---|---|---|---|---|
| 09:00 – 09:30 | Welcome | Věra Mikušová, TF-CSIRT Steering Committee Chair; José Ignacio Martínez, Councillor for Digital Transformation, Jerez de la Frontera City Council; Manuel Perera, Managing Director for Digital Strategy, Andalusian Digital Agency | | All participants |
| 09:30 – 10:15 | Plate Spinning: Managing Cybersecurity in a large Public Administration | Eloy Rafael Sanz | | All participants |
| 10:15 – 10:45 | Stop Hitting Yourself: Turning Evasion Techniques Against Malware | Patrick Staubmann | TLP:AMBER | All participants |
| 10:45 – 11:15 | COFFEE BREAK | | | All participants |
| 11:15 – 11:45 | From compliance to curiosity: gamifying cybersecurity education for CERT.LV constituents | Dana Ludviga | | All participants |
| 11:45 – 12:15 | Vulnerability alerting across the supply chain | Stuart Murdoch | | All participants |
| 12:15 – 13:15 | LUNCH | | | All participants |
| 13:15 – 13:30 | Approach for Cross-border and cross EU-regulations to mandatory incident reporting | Vilius Benetis | | All participants |
| 13:30 – 14:00 | The New Feed on The Block: CERT.br feeds via IntelMQ | Cristine Hoepers and Klaus Steding-Jessen | | All participants |
| 14:00 – 14:30 | Swamp Space 2026: IP4 Prefixes Past to Present | John Kristoff | TLP:CLEAR | All participants |
| 14:30 – 14:45 | TBD | | | All participants |
| 14:45 – 15:15 | COFFEE BREAK | | | All participants |
| 15:15 – 15:45 | The Art of Pivoting - Techniques for Intelligence Analysts to Discover New Relationships in a Complex World | Alexandre Dulaunoy | | All participants |
| 15:45 – 16:00 | IDMEFv2 update: how SOC's alerts could be aggregated in national/sectorial SOCs | Vilius Benetis | | All participants |
| 16:00 – 17:00 | Lightning talks | ad-hoc selection of topics | | All participants |
Programme on Thursday, 5th February
| Time | Presentation | Presenter | TLP | Audience |
|---|---|---|---|---|
| 09:15 – 09:30 | Welcome/Buffer time | TF-CSIRT Steering Committee | | All participants |
| 09:30 – 10:00 | Research: AI used for code security tools | Stuart Murdoch | | All participants |
| 10:00 – 10:30 | SIM3 expanding to SOC/ISAC/PSIRT & other developments | Don Stikvoort | | All participants |
| 10:30 – 11:00 | COFFEE BREAK | | | All participants |
| 11:00 – 11:45 | Large-Scale Tracking of Malicious DHT Nodes | Grzegorz Janowski | | All participants |
| 11:45 – 12:00 | CyberBastion International League (CBIL): Building a Global, Practice-Driven Cyber Defence Community | Miroslaw Maj and Marcin Fronczak | | All participants |
| 12:15 – 13:15 | LUNCH | | | All participants |
| 13:15 – 17:00 | Closed session | Agenda will be distributed separately! | TLP:RED | Accredited and certified teams, FIRST members |
| 19:00 | Social dinner | N/A | | All participants |
Trainings on Friday, 6th February
If you have already registered for the meeting, you can update this registration yourself for the trainings.
Please note that if you have registered before, you need to adjust your "booking". The selections you make will have no influence on the fees etc., so it is just additional information we need for planning and setting up the rooms.
But if you are not registered for a training and come to Jerez, you might find the training you actually wanted most not available any longer. Time and space are limited (as always); seats will be assigned on a "first come, first served" basis according to your updated registrations ... free seats might be available at short notice on-site in Jerez! (but do not depend on it ;)
| Time | Training | Trainer | TLP | Audience |
|---|---|---|---|---|
| 09:00 – 10:30 | Morning Training, Part 1 | see below | | All participants |
| 10:30 – 11:00 | COFFEE BREAK | | | All participants |
| 11:00 – 12:30 | Morning Training, Part 2 | see below | | All participants |
| 12:30 – 13:30 | LUNCH | | | All participants |
| 13:30 – 15:00 | Afternoon Training, Part 1 | see below | | All participants |
| 15:00 – 15:30 | COFFEE BREAK | | | All participants |
| 15:30 – 17:00 | Afternoon Training, Part 2 | see below | | All participants |
Details for the Morning Trainings/Workshops
Please find below some information about the offered trainings! (Ordered alphabetically by title; rooms will be assigned only on the day of the training!)
Threat Hunting
Trainers
- Sergio Albea
- Angel Ares Arias
The Workshop
This is a practical Threat Hunting workshop where we’ll dive into real-world threat scenarios based on multiple cases observed during 2025.
Don’t worry if you’re not familiar with this topic — this workshop is designed for all skill levels, oriented to Threat Hunting, and we’ll start with a clear and simple introduction to basic detections so you can get comfortable before jumping into the action.
What to Expect?
Learn how to hunt for threats across different scenarios such as:
- Network-based threats
- Identity-based anomalies
- Host-based suspicious behavior
- Apply Threat Intelligence on Threat Hunting
- Explore how to turn raw data into real detections
- Discover how to build your own hunting queries and detection rules
Bring Your Laptop!
You’ll need your computer — in the second part of the session, we’ll break into groups to solve real-world threat hunting cases using the tools and queries we explored during the training.
Vulnerability Lookup and GCVE: A Decentralized Approach to Vulnerability Publishing and Management
Trainers
- Alexandre Dulaunoy
The Workshop
This hands-on workshop introduces the open-source Vulnerability Lookup project and the Global Common Vulnerabilities and Exposures (GCVE.eu) initiative, two complementary efforts designed to modernize and decentralize the way vulnerabilities are published, shared, and consumed.
Participants discover how Vulnerability Lookup acts as a collaborative platform for collecting, enriching, and analyzing vulnerability data, supporting every stage of the vulnerability management lifecycle, from discovery and prioritization to tracking remediation and assessing exposure. The session introduces GCVE, a next-generation, decentralized framework for vulnerability identification that empowers organizations to act as GCVE Numbering Authorities (GNAs) with greater autonomy and flexibility.
- How to publish and synchronize vulnerabilities using the GCVE and vulnerability-lookup REST API.
- How decentralized allocation empowers vendors, researchers, and CSIRTs to disclose vulnerabilities more efficiently.
- How to leverage Vulnerability Lookup to support vulnerability triage, enrichment (EPSS, CVSS, Multi KEV), and exposure tracking.
- How Vulnerability Lookup integrates with GCVE to provide real-time insights, cross-references, and analytics.
- Best practices for integrating GCVE and Vulnerability Lookup into your existing vulnerability management workflows.
Background Information
- Website https://www.vulnerability-lookup.org/ - https://gcve.eu/
- Online service of vulnerability-lookup at CIRCL - https://vulnerability.circl.lu/
Details for the Afternoon Trainings/Workshops
Please find below some information about the offered trainings! (Ordered alphabetically by title; rooms will be assigned only on the day of the training!)
CyberBastion – Hands-on Simulation for Prevention and Response
Trainers
- Marcin Fronczak
- Miroslaw Maj
The Training
This half-day training uses CyberBastion, an interactive simulation and training platform designed to teach prevention and response to cyberattacks through practical, scenario-based exercises. Participants work in small teams and learn how to build, operate, and defend a complex ICT environment under realistic constraints.
CyberBastion simulates the functioning of an organisation exposed to cyber threats. Each team receives a predefined budget that can be increased during the game. Participants must choose and deploy security measures across eight categories: Organization, Physical Infrastructure, Entire Network, Network Perimeter, Internal Network, Endpoints, Applications, and Data.
Each security measure provides a different contribution to prevention and response. The winning team is the one that most effectively prepares its environment for cyber incidents.
The training consists of four progressively more complex scenarios.
- Demo Scenario – Introduction to platform and mechanics.
- Basic Scenario – Fundamentals of defensive strategies and incident reaction.
- Advanced Scenario (with Playbooks & Data Sources) – Complex attacks with predefined playbooks.
- Advanced Scenario – TTX Mode – Discussion-based exercise with separate roles: CSIRTs, internal CSIRTs, authorities, vendors, ISACs.
Target Audience
National and sectoral CSIRTs, enterprise/internal CSIRTs, SOC teams, analysts, incident responders, cybersecurity teams of essential service operators, authorities, vendors, ISACs.
Learning Objectives
During the training, participants gradually develop a practical understanding of how to build a resilient security posture while working under real-world constraints. They experience the consequences of strategic choices and learn to balance preventive and responsive capabilities. The scenarios guide them through coordinated incident handling, showing how effective teamwork, structured playbooks, and available data sources support decision‑making throughout the incident lifecycle. An important element of the training is also improving communication and collaboration in a multi‑stakeholder environment, reflecting the dynamics between CSIRTs, operators of essential services, vendors, and authorities.
Requirements
Participants should bring laptops configured for access to a public internet connection.
Let’s Automate RTIR
Trainers
- Armins Palms
- Dana Ludviga
The Workshop
There are many ticketing systems available to help manage and oversee the daily work of an Incident Response (IR) team. Among them, RTIR (Request Tracker for Incident Response) is one of the most widely used systems by CERT and CSIRT teams. It offers extensive functionality, including support for manual scripting. However, to truly extend RTIR’s capabilities, it’s often necessary to go beyond the standard interface and leverage its API.
In this workshop, you will learn how to enhance RTIR through automation and integration.
Using the RTIR API, you will explore how to:
- Prepare RTIR for automation
- Parse and process incoming events
- Automate routine tasks within RTIR
- Enrich tickets with data from external sources
- Integrate RTIR with external tools such as Mattermost
This hands-on course is designed for beginners and provides the foundational knowledge needed to automate and extend RTIR. By the end of the workshop, participants will be equipped with the skills to customize and automate their organization’s RTIR environment to better suit their needs.