2025-10-14, Main Track
The Anti-Malware Testing and Standards Organization (AMTSO) Real-Time Threat List (RTTL) is a collaborative platform that aggregates fresh malware and URL samples from over 15 security vendors. Designed to reduce sample bias in third-party efficacy testing, RTTL also offers a unique opportunity to generate high-quality, real-time threat intelligence, especially for those who contribute and gain access to the feed.
This presentation explores how RTTL can be elevated from a sample-sharing service to a dynamic intelligence source by integrating it with the Triage sandbox. Triage specializes in malware configuration extraction and supports over 200 config dumping utilities, enabling the identification of C2 infrastructure, malware hosting URLs, FTP credentials, SMTP credentials, and more. Its robust tagging system further enhances sample classification by malware family, variant, and behavior.
Over the past year, more than 350,000 RTTL samples were detonated in Triage, revealing valuable insights into execution success rates, IoC enrichment frequency, and broader malware trends. This session will present key findings from this analysis and demonstrate how RTTL submissions can be transformed into actionable threat intelligence.
A key goal of this talk is to highlight the value of contributing to RTTL, not only to access enriched IoCs but also to improve the overall quality of the service. By showcasing the intelligence Triage can extract, the presentation aims to encourage broader vendor participation and explore potential collaboration models, including a donation of Triage services in exchange for enriched IoC feeds or a community investment in Triage to enhance RTTL’s impact.
Join us for a deep dive into how the Anti-Malware Testing and Standards Organization’s (AMTSO) Real-Time Threat List (RTTL) can evolve from a malware sample-sharing platform into a powerful source of real-time threat intelligence. This session explores the integration of RTTL with the Triage sandbox, an advanced malware analysis tool that extracts rich indicators of compromise (IoCs) such as C2 infrastructure, malware hosting URLs, and stolen credentials.
With contributions from over 15 security vendors, RTTL offers a unique opportunity for unbiased efficacy testing. But its true potential lies in what happens after submission. By analyzing over 350,000 RTTL samples detonated in Triage over the past year, we’ll uncover trends in execution success, IoC enrichment, and malware behavior.
Attendees will gain insight into how RTTL contributors can benefit from enhanced intelligence feeds, and how showcasing the value of Triage’s config extraction capabilities could encourage broader vendor participation. Whether through a collaborative donation model or strategic investment, this session makes the case for upgrading RTTL into a more impactful, community-driven threat intelligence resource.
Grayson Milbourne is the Security Intelligence Director at OpenText Cybersecurity, focusing on comprehensive security solutions. Over the past 20 years, Grayson has worked in various areas of the company, including time as the Director of Threat Research. His areas of security intelligence expertise include malware analysis, data science and security education. In his current role, Grayson has been focusing on efficacy development, where he ensures OpenText Cybersecurity products are able to defend against the most cutting-edge threats. Additionally, he supports the Sales and Marketing efforts with thought leadership and threat metrics that result in industry papers, ebooks, webinars, podcasts and blogs. Grayson has been a longtime advocate for better third-party testing of security products and represents OpenText Cybersecurity at the Anti-Malware Testing and Standards Organization (AMTSO). Through his efforts in participation, AMTSO released testing standards that greatly improved testing quality when followed. Grayson is an avid participant in the security community and drives awareness of current threats by speaking at major events such as RSA and Virus Bulletin. Beyond his passion for protecting people from cyberthreats, Grayson loves aviation and holds a private pilot license. His other passions include strategic board games, skiing and playing golf. He lives in Louisville, Colorado with his wife, Danielle, and their two cats, Theodore and Aiden.