Original research & incident analysis
Campaigns deconstructed end to end, with the reasoning left in.
Invite-only · Practitioner-led · Community
Cyber threat intelligence, shared in confidence.
CTI CON is an invite-only community for people interested in cyber threat intelligence to share research, compare methods, and learn from each other without vendor noise.
Original research
Methods compared
Trust protected
No vendor talks
No recording
CTI CON / Session packet
Member access
CASE-042
CONFIDENCE: HIGH
Campaign reconstruction
IOC set
asn: 20473
cert.sha1
panel /login
Actor profile
Cluster: R-17
victimology · tooling · active hours
Hunt query
ssl.cert.subject.cn:*
pivot shared with members
Detection draft
Sigma + YARA
rules reviewed after session
Trustbefore scale
Methodsbefore slides
Outputmembers can use
Novendor pitches
community first
Trust over scale
The community is deliberately focused, and participants are people actively learning, researching, or working in CTI. People share better when they are around peers who understand the work.
A trusted community of forty engaged CTI people can be more useful than an auditorium of four hundred.
what happens
Substance, from practitioners
Work no one has published yet, explained with enough reasoning that other members can use it.
Threat actor & campaign tracking
Attribution, tooling, and victimology examined with the rigor the subject deserves.
Detection & infrastructure hunting
Methods that travel: how members find what they find, explained well enough to reproduce.
Lessons from intelligence failures
What went wrong, and why. The most useful sessions are often the candid ones.
format
Considered, not crowded
One focused session each month: long enough to go deep, frequent enough to keep momentum.
- 01A monthly gathering
- 02Practitioner-led only
- 03Member-only discussion
session logic
Every session should be useful
Speakers focus on what happened, how it happened, what the actor did, and how others can reproduce the hunt.
< What happened? >
Incident summary, scope, and the signal that made the case worth presenting.
< How did it happen? >
Initial access, infrastructure, tooling, malware chain, and confidence level.
< What can others learn? >
Defensive takeaways, controls, detections, queries, and hunting opportunities.
the community
The conference ends. The community stays active.
After the session, CTI CON becomes a community workspace: research posts, meetup materials, detection review, and member contributions that stay useful between meetups.
membership
By invitation and review
Participation is for people in and around cyber threat intelligence: analysts, hunters, incident responders, malware researchers, detection engineers, students, and serious learners.
[ Request invite ]Public work on record
Research, conference talks, GitHub work, detection contributions, or open-source analysis.
Trusted introduction
If someone you trust already attends, an introduction is the most direct route in.
Reviewed request
Tell us what you work on and what you would bring to the community. Every request is reviewed personally.
community standards
Trust is protected
Discussion is held under the Chatham House Rule. What is said may be used, but never attributed.
join the community
Have an invite code? Register. Need one? Request an invite.
Members log in to access research posts, meetup materials, and community discussions. New users register with an invite code. If you do not have a code, submit your details and the core team will review the request.