RVAsec 15

Modern threat intelligence moves fast, but detection engineering lags. This talk presents an agentic workflow that transforms OSINT into actionable detections using structured extraction, LLM reasoning, and automated validation. Transparent, auditable pipelines accelerate the CTI lifecycle, from ingestion to Sigma rules, while preserving analyst control, reducing time-to-detection from days to hours.

Everyone is implementing AI chatbots to improve their customer experience and journey, without increasing call centre costs. But this comes with risk: get the configuration wrong and that chatbot can be convinced to part with data that it shouldn't. We think of conventional cyber security controls as being binary, yet AI can sometimes hallucinate, lie and mislead. It's a brave organization that would trust their perimeter security exclusively to AI. We'll include some live demos to illustrate the problem.

Defensive detections and protocols have come a long way. The adoption of MFA was once the sign of a security minded client with a mature security posture but has reached the level of commonplace. Gaining initial access via email or web application has become so difficult that its often skipped entirely as companies opt to place the attacker on the inside of the network as the starting point. Yet, business compromises are on the rise. What are attackers using if they no longer rely on business email compromise as their go-to initial access vector. Well, as was the case with MGM, they’re often just picking up the phone.

After a stolen token grants access to M365, the next move is predictable: search for value before exfiltration. This talk shows how to detect that collection phase using canary tokens built on native telemetry across Outlook and SharePoint/OneDrive. We cover end-to-end implementation and results from live production deployments, including what produced high-fidelity signal and what created noise.