Remi Seguy
With over 20 years in the cybersecurity field, I have dedicated my career to safeguarding organisations by developing robust SOCs and effective incident response teams. As a passionate advocate for knowledge sharing and collaboration ("sharing is caring"), I have actively contributed to the cybersecurity community and related open-source projects, such as MISP. In my current role, I have led the OpenTide initiative, turning it into a project at the core of the Detection Engineering team. I am looking to exchange and collaborate with other Detection Engineering teams to develop repeatable, traceable, and pragmatic processes, effectively bridging the gap between Threat Intelligence, Threat Hunting, and Threat Detection.
Sessions
Threat intelligence has matured significantly in the domain of indicators of compromise (IOCs), with standardised formats and automated sharing infrastructure. Yet when it comes to adversary behaviours (tactics, techniques, and procedures, or TTPs), intelligence is still largely delivered through unstructured reports, PDFs, and blog posts. This creates a persistent gap: while defenders receive rich insights, they lack a systematic way to translate those insights into actionable detection engineering outcomes. Measuring detection coverage remains difficult, often reduced to basic ATT&CK matrix mappings that fail to capture the relational and technical nature of adversary behaviours. Meanwhile, intelligence evolves faster than most teams can analyse, leaving detection engineers overwhelmed and without a standardised workflow to prioritise or model new threats.
OpenTide (Open Threat Informed Detection Engineering, an open source framework developed at the European Commission CSOC) addresses this challenge by introducing a structured, top-down intelligence-to-detection flow. At its core are Threat Vectors: an open construct for modelling TTPs at any level of granularity. Threat Vectors can be interrelated to form attack graphs, enabling defenders to build a dynamic and continuous coverage picture as new intelligence emerges.
Within OpenTide, detection objectives and supporting rules are explicitly linked to Threat Vectors, creating a direct mapping from intelligence to detection logic. A normalised schema ensures that unstructured intelligence can be ingested, transformed, and operationalised consistently. Furthermore, experimental integrations with large language models (GenTide R&D Project) accelerate the creation of these objects, demonstrating how automation can reduce the time from intelligence inputs to detection deployment.
By reframing how we model and consume TTP-focused intelligence, OpenTide provides a scalable path to actionable detection engineering. It enables defenders to move beyond static mappings, measure coverage in context, and continuously align detection priorities with the evolving threat landscape.
OpenTide: https://github.com/OpenTideHQ
The purpose of this panel is to discuss where the participants see the still-young, still-emergent discipline of Detection Engineering going.
The tools and know-how presented over the last 2 days in the village will be pitted against ideas from Diana (moderator) and the audience.
The panelists will try to explore together how the detection engineering landscape might evolve over the next few years,