CERT-SOC-Dusseldorf
Sponsored by: Abnormal AI
CERT-SOC Working Group Agenda
Location: Vodafone Campus, Dusseldorf, Germany, 20-21 November, 2025
Day 0 (19 November, 2025)
19:30 - Community Dinner (at own expense)
Location: "Brauhaus Alter Bahnhof"
Maps link: https://maps.app.goo.gl/4XQa7f35nknsQmxQ8
(For those staying at "The Zipper" hotel, we meet in the lobby at 19:00 to go on foot)
Day 1 (20 November, 2025)
08:30 – 09:00
Registrations in the Lobby
09:00 – 09:25
Meeting Room: Sky Lounge 1
Welcome session for both groups
Welcome speeches
- Carlos Sanchez, Area Head Cyber Security, Vodafone Cyber Security Germany, 15'
- Andrija Višić, Senior Community & Programme Manager, ETIS Central Office, 5'
- Welcome by our sponsor, Abnormal AI, 5'
09:25 – 09:30
Groups separate and start their meetings
CERT-SOC WORKING GROUP MEETING STARTS
IN THE SKY LOUNGE ROOM
09:30 – 11:00
Meeting Room: Sky Lounge 1
Session 1: Introduction and Roundtable + Company Updates (part I)
Introduction and Roundtable, 10'
Goal: Welcome speech and agenda overview, followed by a roundtable where all participants introduce themselves (only name, company, role).
Company Updates, 50'
Goal: Each company is allocated 2 minutes to present recent challenges, threats, incidents, projects, and future plans, and to share its expectations for this 2-day meeting. New members in the group receive a longer time slot, if requested.
A PowerPoint template to fill in will be circulated to all members in advance of the meeting.
Updates expected from (these may extend into session 2):
- BICS
- BT Group
- CYTA
- Deutsche Telekom Security GmbH
- KPN
- Latvijas Mobilais Telefons SIA
- NOS
- POST Luxembourg
- Proximus ADA
- Sunrise GmbH
- Swisscom
- TDC NET
- Telefonica Germany
- Telenet
- Telenor Norway
- Telia Company
- Vodafone Germany
11:00 – 11:30
Coffee Break
SUPPLIERS LEAVE ANTI-ABUSE GROUP TO JOIN CERT-SOC GROUP FOR THIS SESSION
11:30 – 12:30
Meeting Room: Sky Lounge 1
Session 2: "Enhancing cloud security monitoring for telecom environments"
Continuation of company updates (20-30 minutes)
+
Theme: The use of multiple SIEMs (on-prem and cloud SIEMs), the use of SOAR, and what the role of AI will be in this new architecture. Let's highlight best practices for monitoring telecom protocols, edge devices, and IT/OT infrastructure in the cloud while leveraging threat intelligence and purple teaming for proactive defense.
Moderator: CERT-SOC Core-Team
Presentation 1: "Use of ESQL in Elastic SIEM", Jesse Helder, KPN, 15'
Discussion: "How do other companies handle forensic/incident response in the cloud?" All, 20'
12:30 – 13:30
Location - Vodafone Cantine
Lunch Break in the Vodafone Cantine
Area: EG B1
13:30 – 14:00
Meeting Room: Sky Lounge 1
Continuation of Session 2
Presentation 3: "Infrastructure tracking space for priority threats within BT", Daniyal Naeem, BT, time slot duration tbc
Description: Most threat intelligence stops at indicators of compromise, but real tracking begins where IOCs end. In this talk, I’ll walk through how we track China’s cyber infrastructure by analysing persistent patterns in certificates, ASNs, passive DNS records, and behavioural fingerprints across campaigns. I’ll share how we use proactive techniques and a range of platforms to move beyond reactive alerting toward continuous, large-scale infrastructure tracking. Expect real-world examples, operational lessons, and insights into uncovering the “hidden web” behind China’s cyber operations.
14:00 – 15:30
Meeting Room: Sky Lounge 1
(Telco-Only) Session 3: "People, Process, and Insider Risk: Navigating Team Readiness and Internal Threats in Cybersecurity"
Goal: The discussion will explore how cybersecurity teams can improve readiness through effective tabletop exercises and the emerging role of AI in training. It will also address the growing concern of analyst burnout and the need for mental resilience within high-pressure environments. Lastly, it will cover insider threats: how they evolve, how attackers exploit human factors, and what best practices organizations are adopting to detect and mitigate them.
Submit your 5-10 min presentation to av@etis.org. Expected, so far:
- Swisscom
- TDC NET
- Sunrise
- LMT
- other?
Moderator: CERT-SOC Core-Team
15:30 – 16:00
Coffee Break
16:00 – 17:00
Meeting Room: Sky Lounge 1
(Telco-Only) Session 4: "Signalling security updates from European telcos"
Theme: Representatives of telcos that were active in addressing signalling security issues and threat actors in the past months are invited to share their progress. Others are invited to prepare a presentation on discoveries from their countries.
Moderator: CERT-SOC Core-Team
Presentation 1: "AI model for Signalling Threat Intelligence", Karim Gharoual, BICS, 15’
Presentation 2: "Update from Post Luxembourg", Alexandre De Oliveira, 20'
Leftover time to be used for Q&A and discussion with all CERT-SOC WG attendees.
18:30 – 19:30
50-60 min walk around Dusseldorf - visiting historical places
Tour stops: https://maps.app.goo.gl/8uDVgo8AS8pLbFLU8?g_st=ic
If you depart from the Zipper hotel, meet in the lobby at 18:15 and have your transport ticket ready.
Tour starts at 18:30 from Tonhalle/Ehrenhof.
Tour ends at the Wilma Wunder restaurant at 19:30.
19:30 – 22:30
Fully-sponsored Community Dinner at Wilma Wunder, starting at 19:30.
Maps link: https://maps.app.goo.gl/pMeXLkUc3LFenFdS6
Day 2 (21 November 2025)
JOINT SESSION FOR BOTH WORKING GROUPS
09:00 – 11:00
Meeting Room: Sky Lounge 1
Session 5 (joint): "From Cheap to Compromised: Telco Response to Device-Driven Threats"
Joint Session with the Anti-Abuse Working Group
Theme: Telecom operators increasingly face abuse and fraud challenges when customers unknowingly connect malware-infected devices purchased from untrusted online marketplaces. This session explores how anti-abuse and cyber fraud teams detect, mitigate, and respond to such threats while balancing privacy, scale, and customer experience.
Moderator: Andrija Višić, ETIS Central Office
Presentation 1: Thomas Lademann, Swisscom, 10'
Presentation 2: Piotr Kijewski, Shadowserver CEO, 50+'
Q&A session: 5-10'
Presentation 3: Fabian Marquardt, Cyber Threat Intelligence Analyst, Deutsche Telekom, 15' + Q&A
- Discovery and tracking of adversary infrastructure related to ORB and proxy networks
- Blocking of ORB and Proxy network infrastructure to protect customers
Moderated discussion, 15'
Other presentations:
“ETIS as a European Telco ISAC – update”, Andrija Višić, ETIS CO, 5’
11:00 – 11:30
Coffee Break
GROUPS SEPARATE - SUPPLIERS CAN CHOOSE WHICH GROUP TO JOIN FOR SESSION 6
CERT-SOC WORKING GROUP MEETING STARTS
IN THE SKY LOUNGE ROOM
11:30 – 12:30
Meeting Room: Sky Lounge 1
Session 6: "Real-World Examples of AI Use in European Telco Cyber Units"
Part I - presentations from members:
- "Experiments with AI Agents", Diogo Goncalves, NOS, 10' + Q&A
- Other? Email Andrija at av@etis.org
Part II - Format & Goal: Telecom operators and suppliers will have guided, problem-solving conversations during this session. 40'
Please come prepared to answer the following:
- What types of email compromise do we see most often?
Moderator: CERT-SOC WG core-team
12:30 – 13:30
Location - Vodafone Cantine
Lunch Break in the Vodafone Cantine
Area: EG B3 wooden benches
13:30 – 14:30
Meeting Room: Sky Lounge 1
(Telco-Only) Session 7: "Incidents Sharing Roundtable"
Moderator: CERT-SOC core-team
Format: Roundtable where each company gets to have a slot for a presentation with or without slides. Slides prepared are not shared afterwards with participants.
TBC - 10+ minutes per participant to talk about incidents:
- Vodafone Germany - 10-15 min slot, Patrick Sulewski, Senior Manager, Vodafone Cyber Security Germany
- CYTA - 10-15 min slot, Andreas Giorgakis, Security & Operation of Networks & Services, CYTA
- etc.
To confirm your slot email Andrija at av@etis.org
14:30 – 15:00
Meeting Room: Sky Lounge 1
(Telco-Only) Session 8: "Threat-hunting experiences & best practices with CTI platforms"
Questions to address in your presentations:
- Could you share experiences with certain Cyber Threat Intel (CTI) platforms and your decisions made along the way?
- What are your most recent exercises, achievements and failures you can share when it comes to threat hunting?
- Presentation 1 by Neline van Ginkel, Telenet, 15'
- Presentation 2 by Patrick Schwinn, Swisscom, 15'
To submit a presentation proposal, email Andrija at av@etis.org
Moderator: CERT-SOC core-team
15:00 – 15:15
Meeting Room: Sky Lounge 1
Closing Session
A short session dedicated to follow-ups and discussing topics that arose during the meeting’s discussions. Participants will brainstorm and compile a list of future topics for consideration in upcoming ETIS events.
Before leaving, participants are kindly requested to fill out the Feedback Form.
Event Context and Expectations
This workshop is a collaborative knowledge-sharing event, where success relies on active preparation and engagement from all participants.
- Participants are invited to prepare presentation(s) relevant to one of the main sessions (ideally addressing one or more of the suggested topics within that session).
- Topic selection is to be confirmed with the organizer by early October, and draft presentations submitted by early November.
- The meeting is held under Chatham House Rules + TLP rules, following ETIS confidentiality guidelines and anti-trust policy.
Event Sponsorship and Participation
This event is fully sponsored by ETIS and its partners and sponsors, covering all meals, coffee breaks, the guided tour, and the farewell reception. Participation is free of charge & is open to ETIS member companies. Sponsors and Guests will receive special invites.
Attendees are expected to actively contribute to discussions and presentations.
Registration and Support
If you have not yet registered for the event, or if other colleagues from your organization wish to register, please visit the website: HERE
For any questions, requests, or support, please do not hesitate to reach out to the organizer.
ETIS Central Office contact:
Andrija Višić
av@etis.org / +324 95 26 25 26 (Signal)
