Melina Phillips
Melina Phillips is an Offensive Security Engineer with a background in Security Operations and Incident Detection. She has over ten years of IT experience and six years working directly in cybersecurity, blending hands-on blue team work with her current focus on adversary simulation and endpoint compromise.
Her recent talks have been featured at Bsides Cambridge, Security Fest, BruCon, LeHack, HackLu and BlackAlps. She's known for making complex technical concepts accessible without watering them down, and for delivering practical insights grounded in real world attack and defense experience. She strongly believes that Linux security doesn’t have to be presented in a boring way, and that technical depth and creativity can (and should) coexist.
Outside of breaking into infrastructure and chasing down Linux threats, she's usually at CrossFit or playing with makeup, ideally not at the same time.
Sessions
What if I told you the security tool you trust the most (your XDR) is also an attacker's favorite weapon? You spent time, money, and effort deploying it, testing it, fine tuning it, believing it had your back. But what if, instead of stopping threats, it was helping them?
Your XDR isn't broken. In fact, it's doing exactly what it's designed to do and what you set it up to do. The problem? Attackers have figured out how to make it work for them instead of against them.
In this session, we'll discuss how the bad guys manipulate XDR implementations, abuse detection logic, weaponize built-in components, and turn trusted security controls into offensive tools. From abusing existing workflows to full exploitation, you'll see why your XDR might not be protecting you the way you think it is.
Security teams don't miss alerts because they don't care; they miss them because their SIEM never shuts up. Alerts fire constantly, at the wrong time, for expected behavior, until everything starts to sound the same. At some point, it's no longer an alarm. It's just noise.
This talk starts with a simple idea: when an alert fires matters just as much as what it detects. Like a whistle blaring at 2 a.m., many detections technically work, but fail operationally because they lack timing, throttling, or basic context. Alerts trigger during business hours, outside meaningful windows, or so often that everyone learns to ignore them.
Using practical examples, we'll look at common alerting mistakes, why "more alerts" doesn't mean better security, and how small changes, such as throttling, prioritization, and temporal context, can dramatically reduce noise.
From there, we'll walk through which alerts actually matter across application, network, Active Directory, and DNS telemetry, and how to design them so they fire when someone should actually care. The goal isn't silence; it's a SIEM that acts like an alarm clock, not a whistle that goes “woo woo” all night.
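The three fixes the abstract names (throttling, prioritization, temporal context) are easy to show in code. The block below is an added example written for this page, not material from the talk or the speaker: it runs a small triage pass over constructed sample detection matches (Active Directory logon failures, an admin logon, a DNS hit; none of it real telemetry). The business-hours window, the "expected at 02:00" schedule for a backup service account, the 10-minute throttle, the volume threshold and the priority scale are all assumptions chosen for the example.

```python
"""Alert triage with throttling, prioritization and temporal context.

Added example; constructed events and thresholds, not from the talk.
"""
from datetime import datetime, timedelta, timezone

# Temporal context (assumption): Mon-Fri 08:00-18:00 UTC is "business hours".
BUSINESS_START, BUSINESS_END = 8, 18

# Expected out-of-hours behaviour (assumption): a backup service account that
# legitimately retries logons between 02:00 and 03:00 every night.
EXPECTED = {
    ("ad_failed_logon", "svc_backup"): (2, 3),
}

THROTTLE_WINDOW = timedelta(minutes=10)  # one alert per (rule, key) per window
VOLUME_THRESHOLD = 5                     # repeats that turn noise into a real signal

# Base priority per rule on a 1..3 scale (assumption).
BASE_PRIORITY = {"ad_failed_logon": 1, "ad_admin_logon": 2, "dns_new_domain": 1}

# Constructed sample detection matches: what a naive rule would page on 1:1.
EVENTS = [
    {"rule": "ad_failed_logon", "key": "svc_backup", "ts": "2024-05-06T02:00:01Z"},
    {"rule": "ad_failed_logon", "key": "svc_backup", "ts": "2024-05-06T02:00:31Z"},
    {"rule": "ad_failed_logon", "key": "svc_backup", "ts": "2024-05-06T02:01:01Z"},
    {"rule": "ad_admin_logon",  "key": "da-admin01", "ts": "2024-05-05T03:12:00Z"},
    {"rule": "dns_new_domain",  "key": "wks-17",     "ts": "2024-05-06T10:00:00Z"},
] + [  # six failed logons for one user within 25 seconds (Monday morning)
    {"rule": "ad_failed_logon", "key": "jdoe", "ts": f"2024-05-06T09:15:{5 * i:02d}Z"}
    for i in range(6)
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_business_hours(ts):
    return ts.weekday() < 5 and BUSINESS_START <= ts.hour < BUSINESS_END


def is_expected(rule, key, ts):
    window = EXPECTED.get((rule, key))
    return window is not None and window[0] <= ts.hour < window[1]


def priority(rule, ts, base_priority):
    """Base priority of the rule, raised by one step outside business hours."""
    p = base_priority[rule]
    if not in_business_hours(ts):
        p += 1  # the same admin logon at 03:12 on a Sunday deserves a closer look
    return min(p, 3)


def triage(events, base_priority):
    """Return (alerts, suppressed_count) after expectation filtering, throttling
    and priority adjustment. Repeats inside the throttle window are folded into
    the open alert's count instead of paging again."""
    alerts = []
    suppressed = 0
    open_alert = {}  # (rule, key) -> (first_seen datetime, index into alerts)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = parse_ts(e["ts"])
        k = (e["rule"], e["key"])
        if is_expected(e["rule"], e["key"], ts):
            suppressed += 1
            continue
        if k in open_alert and ts - open_alert[k][0] < THROTTLE_WINDOW:
            a = alerts[open_alert[k][1]]
            a["count"] += 1
            if a["count"] >= VOLUME_THRESHOLD:  # volume is the signal, not each hit
                a["priority"] = max(a["priority"], 2)
            suppressed += 1
            continue
        alerts.append({
            "rule": e["rule"], "key": e["key"], "first_seen": e["ts"],
            "count": 1, "priority": priority(e["rule"], ts, base_priority),
        })
        open_alert[k] = (ts, len(alerts) - 1)
    return alerts, suppressed


if __name__ == "__main__":
    alerts, dropped = triage(EVENTS, BASE_PRIORITY)
    print(f"{len(EVENTS)} raw matches -> {len(alerts)} alerts, {dropped} folded or expected")
    for a in sorted(alerts, key=lambda a: -a["priority"]):
        print(f"P{a['priority']} {a['rule']:16} {a['key']:11} x{a['count']} first {a['first_seen']}")
```

Eleven raw matches collapse to three alerts: the out-of-hours admin logon comes out on top, the six failed logons for one user become a single alert whose count (not its first hit) raised its priority, and the backup account's scheduled retries never page anyone. Adjust the windows and thresholds to your own environment; the point is that each of these is a one-line change to a rule that otherwise "works".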