Trey Bilbrey
Head of SCYTHE Labs,
Tampa, Florida, United States
Trey Bilbrey is the Lead of SCYTHE Labs, specializing in Purple Team Exercises, Threat Emulation, Critical Infrastructure, and holistic cyber operations. Trey's 15+ years of industry experience have allowed him to become an excellent educator, defender of networks, and a cultivator of cybersecurity professionals. Prior to joining SCYTHE, Trey held positions at notable organizations such as Hack The Box (HTB Academy Content Developer) and the Army Corps of Engineers (ICS/SCADA Penetration Testing), and he is a veteran of the United States Marine Corps (Defensive and Offensive Cyber Operations). Current certifications include the CISSP, GICSP, GCIP, and K>FiveFour RTAC.
Topics
Trends From The Trenches: What Two Years of Purple Teaming Taught Us
Purple Team Engagements (PTEs) are a powerful way to validate detections, improve response workflows, and align offensive and defensive teams, but their true value becomes clear through repeated, real-world execution. This talk shares lessons learned from two years of conducting Purple Team Engagements across diverse organizations, highlighting the trends consistently observed in the field, including common detection gaps, visibility issues, process breakdowns, and unexpected findings.
Drawing from real customer engagements, we explore both the short-term and long-term benefits of purple teaming and how organizations translated findings into meaningful security improvements. Through practical case studies, attendees will see examples where PTE outcomes drove detection enhancements, architectural and logging changes, and measurable reductions in risk, including instances where engagement-driven improvements helped identify significant gaps or prevent real-world incidents. This session provides a candid, experience-driven look at what purple teaming delivers in practice and how to maximize its impact over time. Join us as we recount our time in the Trenches helping organizations win their war against threats.
Stop Talking About Threats, Be The Threat
Stop theorizing about threats, learn to emulate them. This talk reveals practical methodologies for replicating adversary behaviors, crafting advanced emulation tools, and psychological insights that transform your engagements from compliance theater into realistic defense testing.
Purple Team Cheat Codes
With over 15 years in IT/Cyber, I have had plenty of chances to do awesome things, break a lot of stuff, and learn from the chaos. This talk is a culmination of that knowledge and meant to provide others with actionable thoughts that they can implement with their security programs regardless of what "Team" they play for. Whether you are on Red, Blue, or otherwise, we are all one team trying to defend our organizations the best we can. We are all purple in the end.
Key points:
- Red: Scope is everything. Stick to it and build trust over time. Don't try to be an APT overnight.
- Red: Have your testing complement each other (pentest for vulns and external/initial access, Purple assessments for post access).
- Red: Assumed Breach is the best route. Saves time, money, and frustration.
- Red: Be creative, don't forget to be a threat. Creativity and unique thinking will take you far.
- Blue: Everyone is so caught up in the whoami that they forget to ask how am I. (State is just as important when looking for the threat.)
- Blue: You can't be expected to know everything... but you should know your assets. (Hardware and software inventory.)
- Blue: The best time to practice your hunt/IR procedures is now. Don't put it off until you actually need to perform.
- Blue: Logs or it didn't happen. Nothing worse than finding out your logs aren't aggregated. (Validate your logs are functioning, being aggregated, and tuned on a regular schedule.)
- General: 1 in the hand is better than 2 in the bush. (Focus on defending against your known threat now instead of panicking about potential risks or vulnerabilities.)
Takeaways:
- Learn from our experience and level up your security program.
- Take back actionable tasks/ideas you can implement with your teams immediately.
Be The Threat
This session will walk the participants through the tenets of threat emulation, culminating in them emulating a threat actor of their choice.
This workshop will give participants a chance to get hands on with threat emulation by covering:
- How To Define The Threat: What is likely and what are we afraid of?
- Gather Intel: Is there any historic reporting of said threat? Students will research a threat actor and gather actionable behaviors.
- Capability Development: We will use the intel gathered to engineer a threat emulation scenario to fit our needs using modern frameworks, scripts, payloads, and even customizing our delivery infrastructure.
- Put It To Work: You will get a chance to test your threat against a live environment.
Threat Emulation 101
In the realm of cybersecurity, Threat Emulation is akin to a skilled wizard mastering the arcane arts of replicating real-world threats and their myriad behaviors to scrutinize the defenses of an organization. This mystical practice involves crafting Intelligence-driven scenarios, woven with the threads of reality, to mimic the nefarious maneuvers of creatures that lurk in the shadows. By summoning these simulated events, organizations can fortify their defenses, sharpening their blades against the invisible foes that threaten their digital realms.
Embark on a quest with Trey, the seasoned Threat Emulator, as he unveils the secrets of this mystical art.
Power To The Purple
The modern cybersecurity realm is no longer one where defenders can work in a vacuum and be successful. Conversely, many people are starting to lose faith in the value of penetration testing as a mechanism to measure their organizational security posture. A collaborative, milestone-driven approach where Red and Blue teams operate in tandem is necessary to ensure a proactive approach to enhancing the security of our organizations. This is where Purple Teaming comes into play. In this 2-hour hands-on workshop you will be introduced to Purple Team Exercises and play the role of a Cyber Threat Intelligence analyst, Red Team operator, and Blue Team security analyst.
We have set up an isolated environment for each attendee to go through a Purple Team Exercise following the Purple Team Exercise Framework (PTEF). This event will give participants a chance to test out new tools, techniques, and procedures learned during the workshop.
Key Takeaways:
- Learn the basics of Purple Teaming through the study of the PTEF.
- Set up and utilize Command and Control (C2) frameworks.
- Consume Cyber Threat Intelligence from a known adversary.
- Extract adversary behaviors/TTPs and map them to the MITRE ATT&CK framework.
- Play the Red Team by creating and executing adversary emulation plans.
- Emulate the adversary behaviors in a simulated organization to determine how it would stand up to the adversary.
- Play the role of the Blue Team to hunt for malicious behavior and Indicators of Compromise.
- Deploy and utilize popular defensive tooling such as Sysmon, log ingestors, and SIEMs to aid in threat hunting.
Red Team Village at DEFCON 32 Sessionize Event
Adversary Village at DEF CON 32 Sessionize Event