Presented at
DEF CON 33 (2025),
Aug. 8, 2025, 2 p.m.
(240 minutes).
This workshop is for SOC analysts, threat hunters, and defenders dealing with alert fatigue, fragmented telemetry, and the challenge of spotting coordinated attacks. Instead of large language models or costly vendor tools, we’ll use open-source, explainable ML to map alerts, logs, and events into contextualized attack stories.
Attendees will work hands-on with real-world-style data to find root causes, build kill chains, and generate actionable tickets—False Positive, Incident, and Attack Story—that mirror real SOC workflows. We’ll use the Attack Flow Detector tool, which runs in Google Colab—no install needed.
No data science experience required. The class is technical but beginner-friendly, with guided exercises and examples. Basic knowledge of logs and MITRE ATT\&CK helps but isn’t required. The focus is on outcomes: understanding what happened, why, and how to respond—without black-box AI or complex queries.
By the end, students will know how to clean noisy data, map alerts to attacker techniques, cluster related events, and build end-to-end attack narratives. All tools and content are open-source, transparent, and ready to use in real environments.
Presenters:
-
Ezz Tahoun
Ezz Tahoun is an award-winning cybersecurity data scientist recognized globally for his innovations in applying AI to security operations. He has presented at multiple DEFCON villages, including Blue Team, Cloud, Industrial Control Systems (ICS), Adversary, Wall of Sheep, Packet Hacking, Telecom, and Creator Stage, as well as BlackHat Sector, MEA, EU, and GISEC. His groundbreaking work earned him accolades from Yale, Princeton, Northwestern, NATO, Microsoft, and Canada's Communications Security Establishment. At 19, Ezz began his PhD in Computer Science at the University of Waterloo, quickly gaining recognition through 20 influential papers and 15 open-source cybersecurity tools. His professional experience includes leading advanced AI-driven projects for Orange CyberDefense, Forescout, RBC, and Huawei Technologies US. Holding certifications such as aCCISO, CISM, CRISC, GCIH, GSEC, CEH, and GCP-Cloud Architect, Ezz previously served as an adjunct professor in cyber defense and warfare.
Similar Presentations: