Ezz Tahoun
Ezz Tahoun is an award-winning cybersecurity data scientist recognized globally for his innovations in applying AI to security operations. He has presented at multiple DEFCON villages, including Blue Team, Cloud, Industrial Control Systems (ICS), Adversary, Wall of Sheep, Packet Hacking, Telecom, and Creator Stage, as well as BlackHat Sector, MEA, EU, and GISEC. His groundbreaking work earned him accolades from Yale, Princeton, Northwestern, NATO, Microsoft, and Canada's Communications Security Establishment. At 19, Ezz began his PhD in Computer Science at the University of Waterloo, quickly gaining recognition through 20 influential papers and 15 open-source cybersecurity tools. His professional experience includes leading advanced AI-driven projects for Orange CyberDefense, Forescout, RBC, and Huawei Technologies US. Holding certifications such as aCCISO, CISM, CRISC, GCIH, GSEC, CEH, and GCP-Cloud Architect, Ezz previously served as an adjunct professor in cyber defense and warfare.
Session
In cybersecurity, analysts routinely drown in noisy, fragmented alerts—making it difficult to uncover coordinated, multi-stage attacks. This talk introduces an innovative approach to contextualizing alerts and extracting hidden attack chains using fully explainable, open-source machine learning—no black boxes or complex large-language models involved. Attendees will explore how clustering algorithms, temporal knowledge graphs, and Markovian sequencing methods can systematically map security alerts, logs, and telemetry to MITRE ATT&CK Techniques, clearly revealing attacker tactics and objectives. The session will include practical demonstrations using the speaker’s open-source tool, Attack Flow Detector, available on GitHub. Participants do not need deep data science expertise; basic familiarity with MITRE ATT&CK and standard SOC processes will help maximize learning outcomes. After attending, participants will understand how to implement transparent ML-based correlation workflows, reduce false positives, accelerate response times, and detect stealthy, multi-step attack flows.