Finding Badness with the Threat Detection and Response Lifecycle
2026-04-25, Track 2

Most security teams are stuck in reactive mode: alerts fire, analysts scramble, incidents get closed, rinse and repeat. But what if there was a way to think about detection and response as a continuous cycle that actually gets better over time?
The TDR Lifecycle is a five-stage model I developed and refined over years of building and leading threat detection and response teams. It maps everything a detection and response program needs to consider: from tool management and use case development all the way through automation and feeding controls back through the business.
This isn't a vendor pitch or a theoretical framework; it's a practical model you can steal and adapt for your own organization. Whether you're building a program from scratch or trying to mature an existing one, this talk will give you a mental map for identifying gaps and prioritizing where to focus your efforts.

Shawn Thomas is the Director of Threat Detection and Response at ZoomInfo, where he spends his days building the systems and teams that find badness before it becomes a headline. With nearly 20 years of experience in security, he's done stints across incident response, detection engineering, and security operations, basically anywhere there are fires to fight and chaos to wrangle.
In a past life he was a regular on the conference circuit and hosted some infosec podcasts, but these days he's a recovering extrovert who prefers the company of birds to people. When he's not hunting threats, he's in the woods with a camera, hoping a pileated woodpecker holds still for once.