FIRST CTI 2026: The Conference CTI Needed
Summary
Wrapping up FIRST CTI 2026 in Munich. A single-track, practitioner-driven conference that felt like the opposite of RSA, and was better for it.
FIRST CTI 2026 is over. Three days in Munich, and the format alone made it worth attending. I wrote about day one a few weeks back. This is the wrap-up.
The Format
Large conferences like RSA serve a purpose: broad exposure, cross-industry networking, vendor landscape overview, and content that speaks to the C-suite. They cover a lot of ground. But breadth comes at a cost. Multiple parallel tracks mean you are always choosing, and the audience is necessarily diverse in both role and depth.
FIRST CTI makes a different trade-off, and it pays off. A single track means one room, one conversation, everyone in it together. No choosing between sessions, no catching up on what you missed. You always know what the person three rows ahead talked about, because you were there too.
That design choice shapes everything else. The questions after talks were specific, grounded in operational reality, and often led to longer conversations during breaks. The audience was practitioners, analysts, researchers, team leads who still touch data. People who do the work, talking to people who do the work.
The size amplifies this. Small enough that you run into the same people repeatedly, large enough that you still meet someone new at every coffee break. By day two, conversations carried over naturally between sessions, the way they do when a community actually knows each other. FIRST built something here that deserves to continue.
The Copy-Paste Problem
If there was a single theme that ran through a majority of sessions, it was this: CTI work involves too much manual labour, and everyone knows it.
The copy-paste meme (analysts manually shuttling indicators between platforms, reformatting the same data for different consumers, writing the same boilerplate around different IOCs) was not underused at this conference. Multiple speakers referenced it. Multiple audiences nodded. It is the shared scar tissue of anyone who has worked in a SOC or CERT for more than six months.
Several talks proposed ways forward: structured text formats, templated reporting, better integration between tools. The ideas are sound, but an honest assessment is that most proposals still operate at a small scale: proof-of-concept work, pilot projects, frameworks that work for one team but have not been tested across organizations. That is not a criticism. It is where the field is. The fact that practitioners are the ones building these solutions, rather than waiting for vendors to solve the problem, is encouraging. But the gap between “we built something that works for our team” and “this scales across the community” remains wide.

Impact Over Volume
The other thread that kept surfacing: a shift toward qualitative metrics and impact measurement.
This connects directly to what I wrote after day one about Freddy Murre’s work on evaluation metrics. The conference reinforced it from multiple angles. Speakers were explicit about the limitations of counting indicators, counting reports, counting alerts. The question is not how much intelligence you produce. The question is whether any of it changes what someone does.
The talk by Brian Hein and James Shank put this most directly. No hedging, no diplomatic framing. If your intelligence programme cannot demonstrate that it altered a decision, shifted a priority, or informed an action that would not have happened otherwise: what is it for? The directness was refreshing. Too many conference talks wrap this message in enough caveats that the audience can leave without feeling uncomfortable. Hein and Shank did not offer that exit.
What Sticks
FIRST CTI felt like a conference built by the people who do the work, for the people who do the work. Single track. Practitioner focus. Methodology over marketing.
The field is still early in solving its core problems: too much manual work, too few meaningful metrics, too little structured methodology that scales beyond individual teams. But the conversations are happening in the right room now.
These are the same problems we are building Serify to solve. The copy-paste cycle between platforms, the manual reformatting, the boilerplate around every IOC: that is exactly what an automated intelligence pipeline eliminates. Not by replacing the analyst, but by handling the mechanical parts of collection, correlation, and structuring so they can focus on the work that requires judgement.
The scale problem matters too. Individual teams building internal tooling is a start, but it does not produce shared infrastructure. Serify’s approach, a knowledge graph built on open standards like STIX and MISP, is designed to work across organizations, not just within one team’s workflow.
And the shift toward impact over volume is not just a conference theme for us. It is a design principle. Intelligence that does not reach the right stakeholder in a form they can act on is noise, regardless of how efficiently it was produced. The pipeline only matters if the output changes a decision.
If that resonates, get in touch. We are building this now and looking for teams who want to shape it with us.