This signature session takes attendees inside a real-world incident to show how modern MDR and incident response teams actually operate under pressure. Led by an MDR analyst, incident responder, the session walks step by step through an investigation – from the first alert to final outcome.

Along the way, we’ll explore the tradeoffs, decision points, and moments where context and judgment matter most. This is not a demo or a panel – it’s an unfiltered look at how threats are detected, prioritized, and stopped in practice, and what outcomes truly define success.

AI is now a core component of modern MDR services – accelerating investigations, reducing alert fatigue, and helping teams respond at machine speed. But as adoption increases, so do questions around trust, transparency, and accountability.

In this session, industry experts explore how AI is actually being used in the SOC today, where it can deliver real value, and how the “black-box”use of AI & automation can undermine analyst confidence and decision-making. Grounded in real-world MDR workflows and supported by exclusive research from Omdia, the discussion examines why transparency and explain ability are critical to the effective adoption and widespread use of AI in the SOC.

We’ll unpack how transparent AI improves analyst trust, enables better human judgment, and drives measurable security impact – while also examining how attackers are leveraging AI to scale and evade defenses. The session reinforces a simple truth: AI delivers its greatest value in MDR when it augments human expertise with clarity, not obscurity.

Using Exposure Management as an Early Threat Warning System

One of the most important shifts in modern security is the move from vulnerability management to exposure-driven risk reduction. This session explores how organizations are expanding their view of the attack surface to achieve a broader, more continuous view of exposures and drive proactive detection, validation, and response.

We’ll leverage the CTEM framework to drive a discussion on proven ways to implement practical workflows for connecting exposures, threat context, and operational response for improved prioritization and resilience. Attendees will gain a clearer understanding of how exposure management supports preemptive security operations.

Effective detection and response can’t be built on assumptions – it must be continuously validated against how attackers actually operate.

In this session, Rapid7 practitioners explore how continuous red teaming fundamentally strengthens modern MDR by proving detections before they’re tested in a real incident. By safely emulating real-world adversary techniques, Red Teaming continuously validates detection coverage, exposes blind spots, and feeds actionable insights directly into MDR operations.

Attendees will see how this creates a true purple team feedback loop – where detections are tuned, response playbooks evolve, and analysts focus on what matters most. The result is a more preemptive security posture: fewer surprises, faster confidence, and stronger outcomes when threats emerge.

In this lightning talk, Rapid7 highlights how recent innovations across exposure management, MDR, and AI are helping security teams act before impact. We’ll explore how these capabilities come together to reduce noise, close visibility gaps, and support faster, more confident decision-making in complex environments.

Explore Rapid7’s latest innovations, future roadmap, and key capabilities that empower security teams to take command of their environments and mitigate risk effectively.

Security leaders rarely fail due to lack of visibility. They fail when decisions made under pressure can’t be explained, defended, or sustained across the organization.

This exposure management session examines the ways that security leaders collaborate with their cross-functional partners to set security and risk goals across the business, and how they use SLAs/SLOs as a governance mechanism to bridge the gap between identifying exposures and remediating them. Using real-world scenarios and industry research, including IDC findings on cross-functional accountability and cloud responsibility models, we explore the ways that modern security programs prioritize action to known exposures, build formal processes for managing risk exceptions, and accelerate their time to respond to active threats.

Security leaders can no longer rely on activity to demonstrate effectiveness – they’re held accountable for outcomes. As attackers move faster and complexity increases, CISOs must decide what actually matters, what can be ignored, and how much risk is acceptable in real time.

Through a candid discussion, CISOs and industry experts explore what “good” MDR actually looks like in practice, how leaders measure effectiveness beyond alert volume, and where responsibility truly sits. Attendees will gain practical insight into how MDR supports faster, more confident decision-making, enables risk tolerance in the face of attacker speed, and helps organizations focus on outcomes rather than activity.

Security incidents don’t unfold in clean, linear steps – and neither do the decisions that stop them. In this session, we walk through a real-world incident to show how SOC teams actually operate under pressure.

From the first signal to the final outcome, attendees will see what gets ignored, what gets investigated, and why. The session explores how analysts correlate signals across endpoint, identity, and cloud, how trust and handoffs work between teams, and where exposure context influences escalation. This is an unfiltered look at the pace, pressure, and judgment required to defend modern environments – focused on outcomes, not alerts.

Detection engineering is no longer about coverage, volume, or catching everything. As environments become more dynamic and attackers more targeted, the value of a detection is defined by whether it drives the right action at the right time.

In this session, experienced practitioners break down the new rules of modern detection engineering – grounded in real-world SOC and MDR environments. We’ll explore how detection-as-code changes the way teams build, test, and maintain detections; why risk-driven detection strategies outperform volume-based approaches; and what “high-fidelity” actually means as we head into 2026.

This session is designed for security ICs who live in the gap between theory and reality. Attendees will leave with practical guidance on what to prioritize, what to stop doing, and how to design detections that reduce noise, support SLAs, and improve security outcomes under real operational pressure.

Most cloud incidents don’t begin with a critical alert – they begin with overlooked exposure. A misconfiguration, an over-permissive identity, a vulnerable container running in production. By the time an alert fires, escalation is already underway.

In this session, ARMO and Rapid7 walk through how modern cloud attacks unfold – from initial exposure to runtime exploitation and lateral movement. ARMO will set the stage with a strategic perspective on why runtime security has become essential in cloud-native environments. And will demonstrate a real-world cloud application attack scenario, showing how Rapid7 and ARMO together detect, validate, and stop the attack before it becomes a full-scale incident.

Attendees will gain a practical understanding of how exposure connects to runtime behavior, how cloud context reshapes prioritization mid-incident, and how combining exposure insights with detection and response improves signal fidelity without increasing noise. This session delivers both strategic clarity and hands-on insight into how cloud attacks really escalate – and how to interrupt them earlier.

In this session, practitioners walk through real-world incident response workflows, highlighting how open-source tools and investigative tradecraft come together during active incidents.

Attendees will see practical Velociraptor use cases, learn how adversary techniques (often uncovered through red team exercises) inform defensive investigations, and understand how experienced responders approach evidence collection, validation, and decision-making.

Designed for hands-on practitioners, this session sharpens blue team skills and provides a clearer view into how attacks are investigated, contained, and learned from in practice.