Part of: it-sa Expo&Congress 2026 — Intelligence-Driven Cyber Threat Modeling, From Cyber Threat Intelligence to Real-World Defense
Session 04 · Onsite Workshop · English

28 October 2026, 09:30–11:30 and 14:00–16:30 CEST

it-sa Expo&Congress 2026 Nuremberg, Germany


it-sa Expo&Congress, room Lissabon, level 1, NCC Mitte, Nuremberg, Germany

45 min·Track: Business

What are the business drivers for Cyber Threat Modeling?

What is the format of a Cyber Threat Model and how is it produced today?

Open Source Initiative

Learning Content
  • 1) Fulfill Compliance requirements
  • 2) Risk Management / Risk Mitigation
  • 3) Security Operations (Security Monitoring, Security Investigation and SOC Analysis, Threat Hunting, Incident Response)
  • 4) Threat-led Penetration Testing (TLPT)
  • 5) Natural Language Threat Scenarios (manual modeling)
    • 5.1) Example 1: TIBER-EU Targeted Threat Intelligence Report (non-formalized threat model)
    • 5.2) Example 2: STRIDE asset- and system-centric threat modeling ("less-formal" threat model)
    • 5.3) Example 3: STIX bundle (formal threat model)
      • 5.3.1) Free-of-charge IdoubleS community edition - STIX Visualizer
    • 5.4) Example 4: TIBER-EU Red Team Test Plan
Target Audience
  • C-Level
  • CISO office
  • Risk Managers
  • Head of CDC
  • SOC Managers
45 min·Track: Business

What is the purpose of a Cyber Threat Model and what value does it provide?

IdoubleS/Crowdstrike Joint Value Proposition

Early adopter customer success story, jointly with partners

Open Source Initiative

Learning Content
  • 1) Defence preparation
  • 2) Fulfilling compliance requirements
  • 3) Preemptive security
  • 4) Security Operations (increase the SOC maturity level)
    • 4.1) Prioritization
    • 4.2) Infer pseudocode (STIX patterning), SIEM & EDR detection rules
    • 4.3) SOC Analysis and Security Investigations
    • 4.4) Hypotheses formulation and testing (Threat Hunting)
    • 4.5) Incident Response
  • 5) Security Control Mapping, Gap Analysis
  • 6) Adversary Emulation/Red Testing
  • 7) IdoubleS/Crowdstrike Joint Value Proposition
  • 8) IdoubleS CTM platform value proposition, unique selling points and competitive advantage
  • 9) Customer Case Study and Testimonial
  • 10) Free-of-charge webinar/workshop series 2027 on Operationalizing Threat Models
Target Audience
  • C-Level
  • CISO office
  • Risk Managers
  • Head of CDC
  • SOC Managers
45 min·Track: Technical

What are the challenges of producing a Cyber Threat Model today and how can it be improved by leveraging AI?

Learning Content
  • 1) Natural Language Threat Scenario narrative today (manual modeling)
    • 1.1) Example 1: TIBER-EU TTI report
    • 1.2) Example 2: STRIDE application threat modeling
    • 1.3) Example 3: STIX bundle
    • 1.4) Natural Language Challenges
      • 1.4.1) Context identification
  • 2) Attack Graph & Attack Tree
    • 2.1) Future outlook - automated modeling with help of AI
      • 2.1.1) Large Language Models, prompting
      • 2.1.2) Text classification, Named Entity Recognition, Relationship Extraction (Natural Language Processing)
  • 3) Proposed solution (IdoubleS CTM platform)
    • 3.1) Attack lifecycle represented as threat-centric attack graph on three abstraction layers
      • 3.1.1) Ingestion, context building, TTP extraction, CAPEC extraction, cyber domain entity extraction, relationship creation
    • 3.2) Horizontal and vertical attack paths represented as asset-centric attack tree on multiple tiers
      • 3.2.1) CAPEC, CVE, CWE
    • 3.3) Inferring pseudocode and detection rules for SIEM and EDR
    • 3.4) Platform in the value chain
    • 3.5) Platform users
Target Audience
  • Security Consultants
  • Security Analysts
  • Security Investigators
  • Threat Hunters
  • Incident Responders
30 min·Track: Technical · Instructor-led practical hands-on

Leverage IdoubleS CTM platform for automated modeling with help of AI

Learning Content
  • 1) Produce an automated threat-centric attack graph including relationships based on a natural language input (Crowdstrike CSIT-22052, Analysis of Mummy Spider's Emotet Delivery System)
  • 2) Sample-based analysis of the quality and accuracy of the generated attack graph across multiple abstraction layers compared to a manually defined baseline.
Target Audience
  • Security Consultants
  • Security Analysts
  • Security Investigators
  • Threat Hunters
  • Incident Responders
45 min·Track: Technical & Business

Showcase IdoubleS CTM platform validation approach and results, jointly with Integration Partner and Early Adopter Reference Customer

Learning Content
  • 1) Qualitative and quantitative validation of automatically generated threat-centric attack graphs against various metrics
    • 1.1) Expert-validated outputs (qualitative)
      • 1.1.1) Triplet meaning (source_object-->relationship-->destination_object)
      • 1.1.2) Analytical reasoning versus hallucination
    • 1.2) Exact baseline match (quantitative)
    • 1.3) TTP addition rate
  • 2) Validation of automatically inferred detection rules for SIEM and EDR
    • 2.1) Introduce established IdoubleS/SVA cloud infrastructure/architecture and joint activities
    • 2.2) IdoubleS platform, SIEM, EDR, endpoints
    • 2.3) Adversary emulation for validating effectiveness of produced detection rules
  • 3) Customer Case Study and Testimonial
Target Audience
  • C-Level
  • CISO office
  • Risk Managers
  • Head of CDC
  • SOC Managers
  • Security Consultants
  • Security Analysts
  • Security Investigators
  • Threat Hunters
  • Incident Responders
