Speaker

Filip Stojkovski

SecOps Engineering Lead @ Snyk | Creator of CyberSec Automation Blog

Bucharest, Romania

With over 15 years in the cybersecurity field, I’ve built a career that spans roles from SOC analyst to leadership positions in security engineering, threat intelligence, detection engineering, incident response, and forensics. I’ve had the privilege of managing global teams and implementing cutting-edge security programs, always with a focus on automation to streamline and enhance security operations.

Currently, as a technical advisor, I leverage my deep expertise to help organisations tackle their most complex cybersecurity challenges. My passion for security automation has driven success in the teams I've led, turning tough situations into success stories.

Notable milestones in my career include receiving the "Threat Seekers of the Year" award and creating the LEAD Threat Intelligence Framework—both of which reflect my dedication to pushing the boundaries of cybersecurity.

Beyond my technical work, I’m committed to sharing knowledge through conference speaking engagements and my Security Automation Blog, fostering a community of learning and innovation in the field. Let's connect, learn, and build stronger defenses together.

Area of Expertise

  • Information & Communications Technology
  • Media & Information

Topics

  • Cybersecurity
  • cyber security
  • Cybersecurity Automation
  • Threat Intel
  • Detection Engineering

From Playbooks to Agents: Building Your Own Autonomous SOC

Everyone’s suddenly got an “Autonomous SOC.” Vendors pitch it like it’s magic, but most of it still runs on static playbooks duct-taped to alert rules. In this session, we’re cutting through the fluff and getting real about what it actually takes to build or evaluate an autonomous security operation.

We’ll start with a practical framework to evaluate where platforms really land on the autonomy spectrum, beyond the marketing claims. Then we’ll dive into the building blocks you can use to move toward autonomy yourself: AI agents, Model Context Protocol (MCP), Agent-to-Agent communication (A2A), and agentic UIs (AG-UI). These components aren’t just buzzwords, they’re how you connect context, memory, and coordination across security workflows.

One key part of the talk will compare the old way (playbooks) with the new (AI agents). Think: reactive flows that only trigger if the stars align vs. proactive agents that handle reasoning, context-building, and adaptive workflows. We’ll look at where playbooks still have a place, where they break down, and how agents can actually scale incident response without relying on brittle decision trees.

This session is for security engineers, platform teams, and leaders trying to move past buzzwords and get real outcomes from AI and automation in the SOC.

From SOAR to AI-Driven Security: Do We Need a New Name for the Future of Automation?

In this session, I’ll walk you through the evolution of SOAR (Security Orchestration, Automation, and Response) and how vendor acquisitions have shaped its trajectory. Once a standalone solution that revolutionized security automation, SOAR is now being integrated into larger platforms, leaving many to question: is SOAR still relevant, or is it time for a new term that better reflects the power of AI and machine learning?

We’ll dive into how AI-driven technologies, such as Agentic Process Automation (APA) and agent-based workflows, could signal the next era of security automation. I’ll discuss whether we need a fresh label for these new advancements, especially with tools that are smarter, faster, and more adaptable to evolving threats.

Beyond the theory, I’ll provide real-world examples of agents that can be used in security automation, and show how they can be deployed within security environments. You'll leave with a short guide on deploying these agents effectively, along with a breakdown of the pros and cons—what works well and what challenges to watch out for.

Lastly, we’ll look at how all of this ties into the bigger picture, specifically how agent-driven automation fits with detection engineering and incident response. Expect to walk away with practical knowledge on how these technologies will reshape security operations, helping us move from reactive to proactive, intelligent security management.

Don't Build House of Cards - The Use-Case that every Threat Intel Program Needs

A threat intel program's performance and success highly depend on the threat intel use-cases. Finding and creating the right ones has been one of the biggest challenges that threat intel teams face. To help the threat intel community tackle this problem, we have created three use-case groups:

  • IOC Champion
  • SPOC (Single point of truth)
  • Strategic Infographic

The goal is to help deliver actionable and relevant threat intelligence that is tailored according to your needs.

SOC Summit 2021 - Budapest

Intelligent Threat Intel: “LEAD” Framework

“Doing” threat intelligence is important—but doing it right is critical. We have been using threat intelligence for many years as part of the SOC, incident response and threat hunting teams; these are some of the use cases that have mastered it. Applying threat intelligence outside of these use cases is where it can get problematic. This is where the LEAD framework comes into play.

Presented at RSA Conference 2020, DefCamp 2019 and Fal.Con - Conference
