Event: Tech Field Day Exclusive with Microsoft Security

Appearance: Tech Field Day Exclusive Delegate Roundtable Discussion

Company: Tech Field Day

Video Links:

• Vimeo: Microsoft Sentinel Delegate Roundtable Discussion
• YouTube: Microsoft Sentinel Delegate Roundtable Discussion

Personnel: Tom Hollingsworth

In this roundtable discussion, the Field Day delegates discussion the current state of the Microsoft Sentinel. Currently, there is work to do with bringing together multiple portals like Defender, Entra, and Purview, as well as clearing up analysts whose roles span multiple security personas. There is also a need to clarify the licensing requirements and how each of the tools in the overall suite are integrated into workflows. The consensus is that the platform feels like a collection of separate products from different teams rather than a truly unified, integrated solution. This challenge is magnified for organizations with hybrid or multi-cloud environments, where the high cost of ingesting data from non-Microsoft sources like AWS presents a significant barrier to adoption.

The delegates expressed hesitation about making a strategic investment in a platform that seems so early in its development, concerned that future changes could force them to retool their processes. They stressed the need for greater maturity, transparency, and traceability, especially in reporting, as they cannot present “black box” data to senior leadership. For Sentinel to succeed in the real world, the delegates believe Microsoft must demonstrate a stronger commitment to interoperability by adopting open standards like OCSF more quickly and offering more flexibility in data engineering and routing before data enters the Sentinel lake. The feeling is that Microsoft needs to transition from its traditional license-based, “all-or-nothing” approach to prove it can truly function as an open ecosystem partner.

Despite these criticisms, the delegates are optimistic about Sentinel’s potential. The underlying data platform, with its integrated layer of tabular, graph, and vector data, is considered powerful, especially for advanced data science teams. The graph visualizations were particularly praised as an effective way to communicate pre- and post-breach scenarios and risk to business leaders. The delegates concluded that the platform’s greatest current strength is its flexibility. By providing low-code/no-code interfaces and natural language query capabilities, Microsoft empowers customers to build the specific reports and tools they need. This ability for organizations to create their own solutions is seen as a powerful way to bridge the current maturity gap and extract immediate, tailored value from the platform.

Event: Tech Field Day Exclusive with Microsoft Security

Appearance: Microsoft Security Platform Demos

Company: Microsoft Security

Video Links:

• Vimeo: Microsoft Sentinel Capabilities Demo with Abhishek Agrawal
• YouTube: Microsoft Sentinel Capabilities Demo with Abhishek Agrawal

Personnel: Abhishek Agrawal

This presentation demonstrates the capabilities of Microsoft Sentinel’s evolution into a unified security platform, showcasing how a single console empowers security practitioners to manage and investigate threats across their entire digital estate. The core principle is that since “attackers think in graphs” and move across domains, defenders need a consolidated, cross-domain view. This is delivered through the Microsoft Defender console, which brings together tools for identity, endpoints, email, and cloud infrastructure. A key feature is the proactive exposure management capability, powered by the Sentinel Graph. It visualizes attack paths from internet-exposed assets to critical data, allowing teams to prioritize patching the most crucial vulnerabilities first, moving beyond simple vulnerability scanning to understanding true organizational risk.

For post-breach scenarios, the platform offers a unified incident queue that reduces alert fatigue by correlating alerts from both Microsoft and third-party sources into a single “Uber story.” When an incident occurs, the Sentinel Graph is used to stitch together the alerts into a coherent narrative and calculate the potential blast radius, showing analysts where an attacker could pivot next and helping them prioritize response actions. This graph-based approach also transforms threat hunting. While analysts can still run traditional Kusto Query Language (KQL) queries on recent data in the analytics tier, they can now also perform “posture hunting” directly on the graph to proactively find overprivileged access or risky configurations before they can be exploited.

These advanced capabilities are powered by the Sentinel Data Lake, which decouples storage and compute to allow for the cost-effective, long-term retention of high-volume data like syslogs and cloud trails. This data is stored in an open Delta Parquet format, enabling multiple forms of analysis on a single copy of the data. Analysts can run KQL queries for retro-hunts spanning years or perform deep, big-data analysis using Spark and Python directly within VS Code. This is further enhanced by AI, where the Sentinel MCP server and GitHub Copilot allow analysts to perform “vibe hunting.” They can use natural language to ask questions, discover relevant data tables in the lake, and even have the AI generate entire Python analysis notebooks, dramatically upskilling the entire SOC and making sophisticated data science accessible to every team member.

Event: Tech Field Day Exclusive with Microsoft Security

Appearance: Microsoft Sentinel Evolution Executive Session

Company: Microsoft Security

Video Links:

• Vimeo: Microsoft Sentinel Evolution Executive Session
• YouTube: Microsoft Sentinel Evolution Executive Session

Personnel: Gideon Bibliowicz, Scott Woodgate

Microsoft Sentinel is evolving from a market-leading Security Information and Event Management (SIEM) tool to a full-fledged, AI-driven security platform for Microsoft Security and its partners. The core of this evolution is to unify security operations within the Microsoft Defender portal, which will remain the primary interface for SOC analysts. Sentinel is being re-architected to serve as the underlying data and analytics engine for all Microsoft security products, including Defender, Entra, and Purview. This shift addresses the need to ingest and analyze massive volumes of security data from diverse sources affordably and efficiently, setting the stage for advanced AI capabilities and automated security agents. The goal is to eliminate the trade-off between comprehensive security coverage and budget constraints by creating a centralized, scalable foundation.

This new platform is built on several key innovations. The Sentinel Data Lake, now generally available, provides a low-cost tier for long-term data storage (up to 12 years), separating storage costs from compute costs. This makes it feasible for organizations to retain voluminous logs from network devices and other third-party sources that were previously cost-prohibitive. On top of this data lake, Microsoft is introducing new ways to interact with data, most notably the Sentinel Graph. This feature allows analysts to visualize relationships between assets, identities, and activities, helping them to understand complex attack paths and blast radiuses in a more intuitive way, because “attackers think in graphs.” The platform also includes a new MCP (Microsoft Copilot Protocol) server, which enables natural language queries and provides a framework for AI agents to discover and use security tools automatically.

Microsoft emphasizes that this is an open platform designed to support a thriving ecosystem and heterogeneous customer environments. With nearly 400 connectors, the platform is built to ingest and correlate data from third-party tools like CrowdStrike and Zscaler with the same fidelity as Microsoft’s native stack. The vision extends to AI-driven actions, like Attack Disruption, which will be expanded to take actions on third-party systems. This entire stack, from the data platform to the AI capabilities, is brought together in the new Microsoft Security Store. This marketplace allows customers to discover, purchase, and deploy curated security solutions and AI agents from both Microsoft and its partners, completing the transition to a unified, AI-ready security architecture.

Event: Security Field Day 14

Appearance: 1Password Presents at Security Field Day 14

Company: 1Password

Video Links:

• Vimeo: Getting Visibility and Control over SaaS Sprawl with 1Password Extended Access Management
• YouTube: Getting Visibility and Control over SaaS Sprawl with 1Password Extended Access Management

Personnel: Jason Meller

SaaS sprawl creates a number of serious issues for companies: wasted budget, the exposure of sensitive data via unsanctioned apps, and disjointed access management for apps outside SSO. Jason Meller walks through how 1Password helps our customers discover, manage, and secure their entire SaaS ecosystem – even non-SSO apps – via 1Password Device Trust and Trelica by 1Password. This problem has exploded as employees have gained more autonomy to choose their own tools, creating a significant visibility challenge for IT and security teams. 1Password addresses this by using its Device Trust agent to discover the full scope of application usage across an organization. The agent provides deep visibility by identifying browser visits, desktop apps, browser extensions, and even IDE plugins across Windows, macOS, and Linux, all while providing users with a privacy center to understand what data is being collected. This is particularly effective for discovering modern AI tools, which often have multiple components; for example, the agent can detect not only the ChatGPT website but also its native desktop app and VS Code extension.

Once these applications are discovered, 1Password provides nuanced control that goes beyond simple blocking. For a tool like ChatGPT, an administrator can create a policy that doesn’t just ban it but instead ensures employees are using the sanctioned corporate workspace. If a user is detected using a personal account, Device Trust can block them from accessing sensitive company resources until they switch to the approved account, educating the user on the policy in real time. This discovery and control capability is further enhanced by Trelica by 1Password, a SaaS management platform that acts as a single pane of glass for app governance. Trelica integrates with IDPs, financial systems, and its own browser extension to discover shadow IT, manage licenses, and automate complex onboarding and offboarding workflows across hundreds of integrated applications.

Ultimately, these components come together in the 1Password App Launcher, which provides a unified and seamless sign-in experience for end users. The launcher presents all of a user’s applications, whether they are federated through an IDP or require a username and password. When a user clicks an icon, 1Password handles the authentication details in the background—either navigating the SSO flow or autofilling credentials and TOTP codes—while transparently enforcing device trust checks. This creates “experiential uniformity” for the user, allowing IT and security teams to improve security behind the scenes, such as upgrading an app from password-based login to federated SSO, without disrupting the user’s workflow. This holistic approach is central to 1Password’s mission to secure every sign-in to every app from every device.

Event: Security Field Day 14

Appearance: 1Password Presents at Security Field Day 14

Company: 1Password

Video Links:

• Vimeo: How 1Password is Building Agentic AI Security and GenAI Discovery
• YouTube: How 1Password is Building Agentic AI Security and GenAI Discovery

Personnel: Anand Srinivas

Anand Srinivas discusses 1Password’s security-first approach to AI, and shows how our principles inform the AI-related capabilities we’re building. Our first area of focus is ensuring secure access for AI agents via the 1Password SDK, so agents receive timebound, auditable access without the use of hardcoded credentials. In addition, Srinivas shows how our products enable customers to discover and block unapproved genAI tools. This approach is guided by core principles, including adhering to the same zero-knowledge architecture for AI as for user credentials, ensuring authorization is deterministic rather than probabilistic, and never placing raw credentials into an LLM’s context window. 1Password recognizes that agentic AI is fundamentally different from traditional applications; it’s probabilistic, often acts on behalf of a human, and behaves like a hybrid of a user and an application. This unique nature scrambles the traditional, siloed methods of managing secrets for applications versus the workforce, creating a need for a single, unified source of truth for all credentials.

To address these new challenges, 1Password is developing solutions to secure how AI agents and developers interact with sensitive data. One demonstration showed how their SaaS management tool, Trelica, can connect to an LLM through a Model Context Protocol (MCP) server, allowing an AI like Claude to answer questions about enterprise contracts without ever accessing raw credentials. This highlights a way to leverage AI’s power while maintaining strict data governance. The presentation also previewed a significant security enhancement for developers who often “vibe code” and hardcode secrets. A new feature will allow developers to import secrets from a plain-text environment file directly into a secure 1Password vault with a single click, replacing the vulnerable local file with a securely mounted one that requires authentication to access, thus preventing accidental exposure in code repositories.

1Password is extending its reach to secure emerging AI-native platforms. They announced a partnership with the AI browser Perplexity, becoming the exclusive launch partner for password management to ensure users can interact with these new tools securely from the start. This move, along with their work on securing developer workflows and programmatic AI access, demonstrates 1Password’s strategy to apply its user-friendly, security-first philosophy to the entire AI ecosystem. While specific solutions for providing agentic AI with timebound, auditable access are still forthcoming, the company has clearly identified the core problems and is building a framework to solve them, positioning the password manager as a central component of an enterprise’s AI security strategy.

Event: Security Field Day 14

Appearance: 1Password Presents at Security Field Day 14

Company: 1Password

Video Links:

• Vimeo: How 1Password Extended Access Management is Securing the Future of Work
• YouTube: How 1Password Extended Access Management is Securing the Future of Work

Personnel: Jason Meller, Leya Leydiker

1Password is the leader in Extended Access Management, a new category of security that addresses the gaps in access management created by app, identity, and device sprawl. Our platform is composed of three products: our Enterprise Password Manager, Trelica by 1Password, and 1Password Device Trust. In this presentation, Jason Meller and Leya Leydiker explain the Access-Trust Gap facing modern organizations, and explore how our password manager acts as the foundation for our suite of solutions. This “Access-Trust Gap” is defined as the combination of unmanaged devices, shadow IT applications, and sprawling identities that fall outside the purview of traditional security tools like Identity Providers (IDPs) and Mobile Device Management (MDM). Because 1Password is used to store credentials that these other systems don’t cover (like API keys), the company has unique visibility into this growing problem. Their Extended Access Management platform aims to close this gap by providing unified visibility and complete control. The presentation demonstrated this by showing how 1Password Device Trust could detect an unencrypted SSH key on a developer’s laptop, block access to a sensitive app like GitHub, and then seamlessly guide the user to secure that key within their 1Password vault, thereby fixing the issue and training the user simultaneously.

The foundation of this strategy is 1Password’s Enterprise Password Manager (EPM), which secures every step of the user journey, not just the initial login. The platform’s success is rooted in its user-first design philosophy, which stems from its origins as a consumer application. This focus on making the secure way the easy way drives user adoption and reduces friction, which in turn minimizes help desk tickets for things like password resets. The EPM handles not only passwords but also API keys, SSH keys, passkeys, and one-time passcodes (OTPs), allowing it to serve as a single, secure vault for all types of credentials. This capability enables secure sharing among teams, such as a social media team sharing a single login with MFA. Crucially, all of this is built on a “zero knowledge” security model, meaning user data is encrypted locally on their device, and 1Password itself cannot access it, ensuring credentials remain secure even in the event of a breach.

Event: Security Field Day 14

Appearance: Security Field Day 14 Delegate Roundtable Discussion

Company: Tech Field Day

Video Links:

• Vimeo: Security Field Day Delegate Roundtable: Enforcement
• YouTube: Security Field Day Delegate Roundtable: Enforcement

Personnel: Tom Hollingsworth

The presentation discusses the best places to enforce security policy, whether that’s on the endpoint, in the network, or in the cloud, while also exploring where security policy enforcement is headed and how it affects practitioners today. The delegates challenge the traditional default of placing enforcement in the network, but quickly acknowledge its necessity in specific situations. For environments with unmanaged devices, such as universities with student BYOD policies or enterprises with a proliferation of IoT devices like cameras and smart appliances, the network remains the only viable enforcement point. These scenarios highlight that a one-size-fits-all approach is impractical; the correct location for enforcement is heavily dependent on the context of the organization, the users, and the types of devices that need protection. The core challenge is applying effective policy without being able to install an agent or directly manage the endpoint.

As the discussion evolves, it addresses how the very structure of the enterprise network has fundamentally changed. The classic three-tier model of core, distribution, and access has been replaced by a modern equivalent for remote work: the cloud, the internet, and the employee’s home. This shift has eliminated the traditional network choke points where security policies were once enforced. In response to this new reality, the conversation shifts to Zero Trust as a necessary paradigm. Rather than defending a perimeter, Zero Trust treats every access request as a distinct transaction. It simplifies security to its core components—a consumer (like a user or service) attempting to access a resource—and mandates authentication for both sides of every interaction. This is a radical departure from simply funneling traffic through a firewall and underscores the need for a new way of thinking about security architecture.

Despite the conceptual advantages, the delegates recognize the immense difficulty of implementing a Zero Trust model in established “brownfield” environments. The primary obstacle is the requirement to understand and map every data flow and application interaction, a task that has historically been nearly impossible. A more pragmatic path forward is to adopt a “protect surface” strategy, applying Zero Trust principles to one critical application or dataset at a time and expanding from there. The roundtable concludes that while emerging technologies like AI may help in mapping these complex environments, they also introduce new risks and regulatory pressures. Ultimately, the key takeaway is that no enforcement strategy—whether it’s network-based, endpoint-based, or Zero Trust—can succeed without first achieving a comprehensive and accurate understanding of the environment being protected.

Event: Security Field Day 14

Appearance: Introducing SquareX at Security Field Day 14

Company: SquareX

Video Links:

• Vimeo: SquareX Browser Detection and Response Demos
• YouTube: SquareX Browser Detection and Response Demos

Personnel: Shourya Pratap Singh

Shourya Pratap Singh, Principal Software Engineer, discusses the architecture of the SquareX Extension, engineered from the ground up with a modular and scalable design to deliver browser security. He explains how it augments existing security setups. Through demos, Shourya showcases use cases such as Browser Attack Detection and Response, Browser DLP, and enterprise browser use cases. He also highlights how the platform enables rapid modeling of protection against new threats, providing organizations with faster and more comprehensive browser security.

Throughout the presentation, Singh demonstrates how attackers exploit the visibility gap in traditional security tools by executing attacks entirely within the browser. He showcases how malicious files can be hidden in plain sight within legitimate web resources like CSS or WebAssembly files, and then reassembled and triggered as a download on the client side, bypassing proxy-based scanners. Similarly, he illustrates an OAuth consent attack where a legitimate link to a service like Salesforce is used to trick a user into granting risky permissions, leading to data exfiltration that email security and EDRs would miss. In both scenarios, the SquareX browser extension provides the necessary “last mile” control, intercepting the file download or the consent-granting action directly within the browser to block the threat before it can be executed.

Singh explains that the SquareX platform complements existing security setups by providing granular control and deep visibility into browser activity. Administrators can create policies using a simple UI, an AI-powered natural language generator, or a flexible Lua script editor, which allows for rapid defense modeling against novel attacks. Detections are enriched with an “AttackGraph” that maps the user’s entire navigation path leading to an incident, providing far more context than traditional logs. The extension-based approach is positioned as superior to dedicated enterprise browsers, as it avoids disrupting user behavior and workflows, enhances reliability, and seamlessly integrates with any browser to fill the critical security gaps in DLP and EDR.

Event: Security Field Day 14

Appearance: Introducing SquareX at Security Field Day 14

Company: SquareX

Video Links:

• Vimeo: SquareX Browser Detection and Response: Closing the SWG and EDR Visibility Gap
• YouTube: SquareX Browser Detection and Response: Closing the SWG and EDR Visibility Gap

Personnel: Shourya Pratap Singh

SquareX’s browser extension turns any browser on any device into an enterprise grade secure browser. SquareX’s industry-first Browser Detection and Response (BDR) solution empowers organizations to proactively defend against browser-native threats including Last Mile Reassembly Attacks, rogue AI agents, malicious extensions and identity attacks. SquareX is the only solution that provides BDR, enterprise browser and browser DLP capabilities in a single extension. Unlike dedicated enterprise browsers, SquareX seamlessly integrates with users’ existing consumer browsers, delivering security without compromising user experience.

In the presentation, Shourya Pratap Singh explains that this solution is necessary because the very definition of an endpoint is evolving. Whereas endpoints were once defined by native applications and local storage, today the browser has become the primary application platform where most organizational work occurs. This shift means that the attack surface has also moved to the browser. Singh argues that traditional security tools, which were designed when browsers were simple rendering tools, are no longer sufficient. The modern browser is a complex ecosystem with advanced protocols and capabilities, making it impossible to infer all threats simply by inspecting network traffic, as was possible in the past. This complexity creates a significant visibility gap for existing security stacks.

Singh details how both Endpoint Detection and Response (EDR) and Secure Web Gateway (SWG) solutions fail to close this gap. EDR tools have limited visibility because the browser operates as a “closed box,” preventing them from seeing threats that live and die entirely within it, such as malicious extensions, identity-based consent attacks, or threats delivered via WebAssembly. Likewise, network-based SWG solutions lack the application context to detect advanced evasions. Singh uses the example of “Last Mile Reassembly Attacks,” where a malicious file is broken into individually benign chunks that pass through network security, only to be reassembled into a threat by JavaScript on the client side. By operating as a browser extension, SquareX’s BDR provides the necessary in-browser visibility to detect and respond to these modern, evasive threats that bypass traditional security controls.

Event: Security Field Day 14

Appearance: Nile Presents at Security Field Day 14

Company: Nile

Video Links:

• Vimeo: Customer Spotlight: The Future Takes Shape with JetZero and Nile
• YouTube: Customer Spotlight: The Future Takes Shape with JetZero and Nile

Personnel: Drew Geyer

Nile’s mission is to be the “easy button” for network and security in on-premises deployments. The company was founded by networking industry veterans, including former Cisco executives John Chambers and Pankaj Patel, to address the complexity of enterprise LAN environments. Nile has pioneered a new architectural approach, backed by numerous patents, that has led to its recognition as a Visionary in the Gartner Magic Quadrant for Enterprise Wired and Wireless LAN Infrastructure. The Nile service is deployed globally across various verticals, powering large-scale environments such as a 12 million square-foot warehouse and concurrently supporting over 200,000 users.

Drew Geyer of JetZero explained that as a revolutionary aviation company developing a next-generation blended wing body aircraft, their network requirements for performance and security are exceptionally demanding. With high-value intellectual property and a $44 billion order backlog, their technology is a prime target for adversaries. However, their initial network, built with top-tier legacy vendors, was a “complete disaster” marked by overwhelming complexity. The small IT team was constantly fighting with a fragile and non-cohesive system of VLANs, ACLs, and bolt-on appliances. This resulted in constant issues, including dead spots across their large hangar, unreliable connections that dropped during crucial investor meetings, and abysmal performance ranging from 3 to 20 Mbps.

Initially skeptical of Nile’s claims, Geyer was won over by their unique philosophy of building security directly into the network fabric rather than adding another tool. A proof-of-concept test “went viral” among employees, who were thrilled with speeds jumping to over 800 Mbps. The full deployment was described as “invisible” to the JetZero IT team, as Nile handled the entire process, delivering a simple, reliable, and high-performing network. The result was a transformative shift from constant firefighting to having a network that operates like a utility, giving the team “peace of mind” to focus on strategic initiatives. Geyer concluded that Nile’s Network-as-a-Service provides the essential foundation that allows JetZero to pursue its mission of building the future of aviation without compromising between security and performance.

Event: Security Field Day 14

Appearance: Nile Presents at Security Field Day 14

Company: Nile

Video Links:

• Vimeo: Security in Action – Top Use-Cases with Nile NaaS
• YouTube: Security in Action – Top Use-Cases with Nile NaaS

Personnel: Jaswanth Kongara, Shiv Mehra

Nile’s mission is to be the “easy button” for network and security in on-premises deployments. The company was founded by networking industry veterans, including former Cisco executives John Chambers and Pankaj Patel, to address the complexity of enterprise LAN environments. Nile has pioneered a new architectural approach, backed by numerous patents, that has led to its recognition as a Visionary in the Gartner Magic Quadrant for Enterprise Wired and Wireless LAN Infrastructure. The Nile service is deployed globally across various verticals, powering large-scale environments such as a 12 million square-foot warehouse and concurrently supporting over 200,000 users.

Shiv Mehra detailed Nile’s Zero Trust fabric, designed to counter common attack paths by securing the infrastructure, controlling network access, and governing post-access activity. The infrastructure itself is hardened by design; Nile hardware has no direct management interfaces like SSH or Telnet, and all communications between fabric components are mutually authenticated and encrypted with MACsec. Access control operates on a “deny by default” principle where physical ports are “colorless,” meaning access is determined solely by identity, not port configuration. Nile makes identity verification a cornerstone, supporting seamless wired and wireless SSO integrated with IdPs, traditional 802.1X/RADIUS, and a robust system for IoT devices that combines continuous fingerprinting with optional device validation to ensure proper identification and segmentation.

This identity-first approach enables a “segment of one,” where every user and device is isolated by default, preventing lateral movement and network reconnaissance as demonstrated in a live demo. The policy engine, called the Trust Service, enforces granular, least-privilege access by requiring every entity to belong to a group (user, device, or application). Policies are then built by defining rules between these groups, enhanced with contextual attributes like device compliance status from an MDM or EDR. A final demo showcased the ease of this model by creating a policy in a few clicks to allow only a specific video streaming protocol between employees, while all other inter-employee traffic, including pings, remained blocked, illustrating how Nile simplifies the implementation of true microsegmentation.

Event: Security Field Day 14

Appearance: Nile Presents at Security Field Day 14

Company: Nile

Video Links:

• Vimeo: Nile NaaS Architecture – A Peek Under the Hood
• YouTube: Nile NaaS Architecture – A Peek Under the Hood

Personnel: Suresh Katukam

Nile’s mission is to be the “easy button” for network and security in on-premises deployments. The company was founded by networking industry veterans, including former Cisco executives John Chambers and Pankaj Patel, to address the complexity of enterprise LAN environments. Nile has pioneered a new architectural approach, backed by numerous patents, that has led to its recognition as a Visionary in the Gartner Magic Quadrant for Enterprise Wired and Wireless LAN Infrastructure. The Nile service is deployed globally across various verticals, powering large-scale environments such as a 12 million square-foot warehouse and concurrently supporting over 200,000 users.

Suresh Katukam elaborated on Nile’s architecture, which is built upon a “Zero Trust Fabric” composed of Nile’s custom-built, enterprise-grade hardware including access points, switches, and sensors. This hardware provides constant, real-time telemetry to the Nile cloud, where an AI engine called Nile Experience Intelligence (NXI) uses closed-loop automation to manage and secure the network. A key architectural principle is that the entire fabric is Layer 3 only, which fundamentally eliminates the complexities and vulnerabilities associated with traditional Layer 2 networking, such as VLANs and broadcast storms. The fabric itself is hardened by design, featuring secure boot, automated patching, and a complete lack of direct management ports like SSH or Telnet, ensuring the infrastructure itself cannot be easily compromised.

This architecture flips the traditional networking paradigm from “communicate first, secure later” to “security first, communicate later.” Instead of relying on a complex stack of overlay solutions like NAC, ACLs, and firewalls, Nile integrates security natively. It unifies policy for all wired and wireless users and devices (IT, OT, and IoT) under a single, identity-based engine that integrates with SSO providers. This enables true micro-segmentation and a “segment of one” by default, where every device is isolated with a blast radius limited to itself unless policy explicitly allows communication. This built-in approach delivers Zero Trust principles to the LAN, simplifying security and operations while offering innovative features like a fully isolated guest service that automatically tunnels traffic directly to the internet.

Event: Security Field Day 14

Appearance: Nile Presents at Security Field Day 14

Company: Nile

Video Links:

• Vimeo: Introduction to Nile NaaS for Strengthening Enterprise Security
• YouTube: Introduction to Nile NaaS for Strengthening Enterprise Security

Personnel: Shashi Kiran

Nile’s mission is to be the “easy button” for network and security in on-premises deployments. The company was founded by networking industry veterans, including former Cisco executives John Chambers and Pankaj Patel, to address the complexity of enterprise LAN environments. Nile has pioneered a new architectural approach, backed by numerous patents, that has led to its recognition as a Visionary in the Gartner Magic Quadrant for Enterprise Wired and Wireless LAN Infrastructure. The Nile service is deployed globally across various verticals, powering large-scale environments such as a 12 million square-foot warehouse and concurrently supporting over 200,000 users.

In his presentation, Shashi Kiran argues that while the data center and the Wide Area Network (WAN) have seen significant security advancements through unification and automation, the Local Area Network (LAN) has been largely neglected. This is a critical vulnerability, as the LAN is where the most users and a growing number of insecure IoT/OT devices reside, creating the enterprise’s largest attack surface. Kiran identifies a “perfect storm” driving the need for change: return-to-office mandates increasing LAN usage, aging infrastructure from pandemic-deferred refreshes, and IT teams facing resource constraints. He describes the current state of LAN security as a complex stack of point solutions, or “corporate spaghetti,” which makes adopting modern principles like Zero Trust nearly impossible due to operational complexity.

To solve this, Nile proposes a fundamental architectural shift rather than adding another product. The solution is a Network-as-a-Service (NaaS) model built on three core principles. The foundation is a unified Zero Trust fabric that natively integrates wired and wireless networks, IT and OT security, and policy enforcement. Secondly, the service is managed through an AI-powered cloud that provides autonomous operations, reducing human error and simplifying lifecycle management. Finally, Nile delivers this entire stack as a service with a predictable OpEx model, eliminating large capital expenditures. This integrated approach combines a Zero Trust fabric, AI-driven operations, and a service-delivery model to make the LAN a first-class citizen of enterprise security, simplifying challenges like guest access, compliance, and microsegmentation.

Event: Security Field Day 14

Appearance: Infoblox Presents at Security Field Day 14

Company: Infoblox

Video Links:

• Vimeo: Growing Government and Industry Adoption of Protective DNS with Infoblox
• YouTube: Growing Government and Industry Adoption of Protective DNS with Infoblox

Personnel: Krupa Srivatsan

Protective DNS is rapidly emerging as a trusted layer of defense across industries. Governments, regulators, and enterprises alike are embracing it as a scalable, proactive way to strengthen security posture. Around the world, governments are looking to adopt Protective DNS to safeguard citizens, while updates to NIST SP 800-81 highlight DNS as a foundational control that can stop threats earlier than other systems—supporting Zero Trust and cyber-resiliency strategies. Industry leaders are also moving fast: Microsoft is embracing Zero Trust DNS to protect devices, and Google Cloud DNS Armor applies DNS-based threat detection to natively secure cloud workloads. Speaker Krupa Srivatsan highlighted this growing adoption by citing a key statistic from a former NSA director stating that 92% of cyberattacks use DNS at some point. She provided several examples of governments implementing national Protective DNS (PDNS) services, including CISA in the U.S. for federal agencies, the U.K. for its public and emergency services, and Australia for its public sector. A notable use case is Ukraine, which deployed a national PDNS service that resulted in a 30-40% reduction in reported financial phishing fraud against its citizens amidst the ongoing conflict.

Srivatsan then discussed the influence of regulatory bodies, focusing on the forthcoming NIST Special Publication 800-81, which centers on DNS security. This guidance is built on three pillars: using Protective DNS to block malicious activity, ensuring DNS hygiene and encryption (like DNSSEC and DNS over HTTPS) to prevent spoofing, and hardening DNS servers against denial-of-service attacks. She connected these principles to the Zero Trust framework, arguing that organizations cannot claim to follow Zero Trust if they implicitly trust their DNS resolver. A true Zero Trust architecture requires not only PDNS and encryption but also a comprehensive asset inventory—a capability inherent to DDI platforms—to apply granular, device-aware security policies.

Finally, she detailed significant adoption by industry leaders. Microsoft’s new Zero Trust DNS feature for Windows 11, for example, will lock down the operating system to only resolve queries through an approved PDNS provider, effectively blocking resolutions to unauthorized domains and hardcoded IP addresses. Similarly, the Google Cloud DNS Armor service natively integrates Infoblox’s threat detection engine directly into the Google Cloud console. In its initial version, the service analyzes DNS logs to detect threats and reports them to Google’s security tools, providing preemptive security for cloud workloads without requiring customers to deploy a separate solution. These initiatives by Microsoft and Google signal a major industry shift towards embedding Protective DNS as a foundational security control.

Event: Security Field Day 14

Appearance: Infoblox Presents at Security Field Day 14

Company: Infoblox

Video Links:

• Vimeo: Infoblox Threat Intelligence (ITI) with Dave Mitchell
• YouTube: Infoblox Threat Intelligence (ITI) with Dave Mitchell

Personnel: Dave Mitchell

Dave Mitchell will introduce the Infoblox Threat Intelligence (ITI) team, highlighting its specialized focus and unique capabilities in DNS-based security. He’ll explore the evolving threat landscape, sharing insights into emerging attack vectors and adversary tactics. The session will demonstrate how Infoblox’s deep expertise in DNS enables superior threat detection and protection. Attendees will gain a clear understanding of what sets Infoblox apart in the cybersecurity ecosystem. As a “recovering operator,” Mitchell explained that his team’s sole focus is DNS, a namespace so vast that it offers attackers near-infinite room to operate. He emphasized that Infoblox’s intelligence is entirely original and not repackaged from other sources. Their process involves a reputation system where algorithms analyze newly registered domains, clustering suspicious ones based on shared attributes like registration patterns and name server behavior. Human researchers then investigate these clusters to identify, name, and track threat actors, building robust signatures that can follow adversaries even as they adapt their tactics. This proactive approach results in a “low regret” security posture, blocking domains that users have no legitimate reason to visit.

This DNS-centric intelligence allows Infoblox to provide “protection before impact.” Mitchell shared that over a recent 90-day period, their system already contained 75% of malicious domains before a single customer query was ever made to them. This is possible because the team observes threat actor infrastructure as it’s being built. A significant portion of the presentation focused on the growing threat of malicious advertising technology (“malvertising”). He detailed how threat actors operate sophisticated Traffic Distribution Systems (TDS) that function like legitimate ad-tech platforms but serve malicious content. These systems use cloaking techniques to profile visitors, redirecting them to scams, info-stealers, or fake software updates only if they match specific criteria, while sending researchers or bots to harmless decoy sites like Google or Alibaba.

Mitchell provided a deep dive into the malvertising ecosystem, illustrating how criminal affiliate networks push everything from cryptocurrency and dating scams to dangerous malware like the SocGholish info-stealer. He highlighted a major threat actor his team has been tracking called Vextrio (also known as “Los Pollos”), a sophisticated cartel that runs a massive TDS operation. Beyond malvertising, he also touched on the persistent problem of lookalike domains, which are impossible for brands to proactively register across all 1,300+ top-level domains, and an advanced command-and-control technique where compromised websites use DNS text records to covertly fetch and decode malicious redirect URLs. These examples underscore the complexity of modern threats and the critical role of specialized, protective DNS in disrupting the attack chain.

Event: Security Field Day 14

Appearance: Infoblox Presents at Security Field Day 14

Company: Infoblox

Video Links:

• Vimeo: A Live Demo of Infoblox Threat Defense
• YouTube: A Live Demo of Infoblox Threat Defense

Personnel: Kevin Zettel

This hands-on session follows the earlier briefings and goes straight into the Infoblox Security Portal. We’ll trace malicious activity from first DNS lookup to automated enforcement, show how verdicts are backed by Infoblox Threat Intelligence, and walk through incident triage and policy tuning. Expect practical coverage of policy creation, exception handling, and integrations that extend protection across endpoint, network, and cloud. You’ll leave with a clear view of day-to-day operations and the metrics that matter. Speaker Kevin Zettel began the demonstration by outlining the five flexible deployment options for Infoblox’s threat defense solution. These include a lightweight endpoint agent for rich user attribution, physical or virtual NIOS appliances, NIOS as a service with IPsec tunnels for cloud and SASE environments, and a simple external resolver configuration. Zettel emphasized that these methods can be mixed and matched, and even without an endpoint agent, the system uses Universal Asset Insights to enrich data, providing crucial context like the specific device, user, and MAC address for every DNS query. He also confirmed that Infoblox provides comprehensive threat feeds for IPs, URLs, and hashes that can be exported to firewalls to counter adversaries who might pivot away from DNS.

Transitioning to the live portal, Zettel showcased the main dashboard, which provides immediate KPIs on the security of the DNS infrastructure. He highlighted the value of “predictive intelligence” and a key metric called “first to detect,” which demonstrates to customers that Infoblox knew about malicious domains on average several weeks before an employee ever clicked on them. The portal offers a detailed, asset-centric view, allowing security teams to identify at-risk devices, trace their entire IP address history across the network, and review all associated security and policy violations. This capability is critical for incident triage, enabling an analyst to quickly understand the scope of an infection and identify other potentially compromised systems by seeing everywhere a device has been.

To demonstrate how security verdicts are backed by intelligence, Zettel navigated to the threat intelligence section, which shows customers which specific threat actor “cartels” are active in their environment and the exact malicious domains their users have accessed. To make the massive volume of DNS data actionable for security operations (SOC) teams, he introduced an AI-powered feature called “Insights,” which automatically correlates millions of individual events into a handful of manageable incidents. For deeper investigation and policy tuning, the integrated “Dossier” research tool allows an analyst to click any indicator (domain, IP, etc.) and receive a consolidated report from over twenty different tools, providing the full context needed to validate a threat and make informed policy decisions.

Event: Security Field Day 14

Appearance: Infoblox Presents at Security Field Day 14

Company: Infoblox

Video Links:

• Vimeo: The Ten Year Protective DNS Journey with Infoblox
• YouTube: The Ten Year Protective DNS Journey with Infoblox

Personnel: Mukesh Gupta

DNS is no longer just infrastructure — it is the frontline of preemptive security. This session highlights Infoblox’s decade-long journey in shaping DNS security, with Protective DNS at the center of defending users against evolving threats. Attendees will see why DNS is uniquely positioned to stop attacks before they spread and how DDI integration delivers powerful visibility, automation, and protection. Speaker Mukesh Gupta detailed Infoblox’s evolution from an enterprise appliance company known for DDI (DNS, DHCP, and IPAM) to a security-focused organization. He explained that as enterprises adopted multiple cloud platforms, they ended up with siloed DNS systems (e.g., on-prem, AWS Route 53, Azure DNS), leading to complexity and outages. Infoblox addressed this by creating “Universal DDI,” a platform that provides a single management layer for all of a customer’s disparate DNS services, whether they are on-premises or in the cloud, and offers a true SaaS-based option for DDI services.

Gupta emphasized that DNS is the first point of detection for nearly all types of cyberattacks—from phishing and malware to data exfiltration—because a DNS query always precedes the malicious action. Blocking threats at this initial DNS layer is highly effective, protecting all devices on the network without deploying new agents and significantly reducing the load on other security tools like firewalls and XDRs. Infoblox’s unique approach, developed by a former NSA expert, focuses on tracking the cybercriminal “cartels” rather than individual attacks. Instead of chasing millions of malicious domains (the “drug dealers”), Infoblox identifies and monitors the infrastructure of organizations like “Prolific Puma” (a malicious URL shortening service) or “VainWiper” (a malicious traffic distribution system) that service thousands of attackers. This “cartel”-focused strategy provides a significant strategic advantage.

The primary benefits of this unique approach are a massive lead time and incredible accuracy. Infoblox can identify malicious domains an average of 68 days before they are used in a campaign, often right after the cartel registers them, allowing for preemptive blocking without waiting for a “patient zero.” This methodology also results in an extremely low false positive rate (0.0002%). Gupta argued that integrating this protection directly into the DDI platform is more operationally efficient, as it prevents finger-pointing between network and security teams when a domain is blocked. Infoblox is now extending this protection to cloud workloads, either by having customers point their cloud DNS to Infoblox’s service or through native integrations, such as the new Google Cloud DNS Armor service, which is powered by Infoblox’s threat intelligence technology.

Event: Security Field Day 14

Appearance: HPE Presents at Security Field Day 14

Company: HPE

Video Links:

• Vimeo: HPE SD-WAN Gateways & Advanced Services
• YouTube: HPE SD-WAN Gateways & Advanced Services

Personnel: Adam Fuoss, Nirmal Rajarathnam

Explore how the HPE secure SD-WAN portfolio helps protect branch locations against cyberthreats while embracing the flexibility of cloud-first architectures. Discover how the new HPE Networking Application Intelligence Engine (AppEngine), strengthens security with real-time defense, leveraging aggregated application security insights such as risk, reputation, vulnerability, and compliance.

In this session, HPE introduced its newly combined SD-WAN portfolio, which includes Aruba SD-Branch, EdgeConnect (formerly Silverpeak), and the Juniper Session Smart Router. The presentation focused on a key security challenge in branch networks: the lateral movement of threats once a bad actor gains entry. Presenters argued that while identity-based segmentation was an improvement over static VLANs, it is insufficient without a deep understanding of the applications traversing the network. To address this gap, HPE unveiled its Application Intelligence Engine (AppEngine), a new service running within the Aruba Central management platform. The engine’s primary goal is to provide a comprehensive application posture, enabling more effective dynamic segmentation to protect against internal threats.

The AppEngine works by ingesting, correlating, and normalizing application data from multiple sources, such as deep packet inspection (DPI) and URL filtering, into a single, unified application catalog. This process creates a rich, contextual profile for each application, complete with security scores, known vulnerabilities, compliance data, and encryption details. From the central dashboard, an administrator can define global, role-based security policies based on this application intelligence. The AppEngine then automatically distributes the appropriate signatures and policies to the relevant enforcement points, like gateways or access points. The demonstration showcased an administrator identifying high-risk applications and creating a policy to block them for specific user roles during business hours, all without touching individual device configurations. Currently, this functionality is available for the SD-Branch solution managed by Aruba Central, with plans to extend its capabilities across the broader portfolio in the future.

Event: Security Field Day 14

Appearance: HPE Presents at Security Field Day 14

Company: HPE

Video Links:

• Vimeo: HPE SRX Series Next-Generation Firewalls & Threat Prevention
• YouTube: HPE SRX Series Next-Generation Firewalls & Threat Prevention

Personnel: Kedar Dhuru, Mounir Hahad, Pradeep Hattiangadi

Discover how the SRX firewall portfolio secures networks of any size. We’ll dive into AI-Predictive Threat Prevention (AI-PTP), which neutralizes zero-day attacks with a proxy-less, real-time, on-device AI engine. We’ll also cover how a Machine Learning detection pipeline continuously provides automatically generated signatures for emerging threats, delivering stronger security without compromising firewall performance.

The session outlines a security philosophy focused on making security easier to operationalize, from the user edge to the data center. The speakers explain that with the rise of device proliferation, distributed applications, and Gen AI, the threat landscape has become more complex. HPE’s approach is to use a comprehensive threat detection pipeline, heavily leveraging AI and machine learning, directly on their SRX firewalls. This strategy aims for a high detection rate and a very low false positive rate without sacrificing performance. The core of the presentation centers on a feature called AI-Predictive Threat Prevention (AI-PTP), which represents a shift from traditional reactive, signature-based models to a proactive approach for identifying both known and zero-day malware.

The AI-PTP system operates using a two-stage process. First, machine learning models are trained in HPE’s ATP Cloud using vast datasets of malicious and benign files. These trained models are then deployed to the SRX firewalls, where the “inference” or detection happens directly on the device. A key differentiator is its inline, proxy-less architecture, which analyzes just the initial portion of a file as it’s being downloaded to quickly determine if it’s malicious. This allows the firewall to block threats in real-time. This on-box capability is part of a defense-in-depth strategy, augmented by cloud-based analysis, including multiple sandboxing methods. During the demonstration and Q&A, it was clarified that this process has a negligible performance impact, can update threat signatures across all customers in minutes, and can automatically place an infected host on a blocklist that is shared across the entire HPE security ecosystem, including NAC and switching solutions.

Event: Security Field Day 14

Appearance: HPE Presents at Security Field Day 14

Company: HPE

Video Links:

• Vimeo: HPE Networking Security Overview with Madani Adjali
• YouTube: HPE Networking Security Overview with Madani Adjali

Personnel: Madani Adjali

This presentation marks a significant moment for HPE, as it’s the first time Aruba Networks, now part of HPE, has presented at Security Field Day since 2018. The recent acquisition of Juniper Networks has further expanded HPE’s security portfolio, leading to the formation of HPE Networking. The presenter, Madani Adjali, highlights the historical context of both Aruba and Juniper’s past presentations at the event, expressing a desire for more frequent participation in the future. The newly formed HPE Networking is structured into several groups, including campus and branch, data center, and WAN, with this presentation focusing specifically on the SASE and security pillar.

The core of the presentation will delve into two main areas: new capabilities within Aruba Central related to application intelligence and advancements in the firewall side of the portfolio, leveraging the SRX platform. The SASE and security pillar, led by Adjali, encompasses a wide range of products, including network access control, SD-WAN, SASE, and firewalls. The audience is given a high-level overview of the comprehensive security offerings now available through HPE, which range from various SD-WAN solutions to a full suite of firewalls, ZTNA, SWG, and CASB. The presenter also mentions ClearPass Policy Manager, a network access control product demonstrated back in 2018, and its new cloud-oriented capabilities.

The presentation aims to be an interactive session, with a team of experts on hand to provide in-depth information and answer questions. The goal is to showcase the power and breadth of the new HPE Networking security portfolio. The speaker emphasizes the significance of this moment for the company, following the recent completion of the Juniper Networks acquisition. The presentation will feature deep dives into the technical aspects of the new security capabilities, with a particular focus on the integration of AI and predictive technologies to enhance threat prevention and application intelligence. The session promises to be informative for anyone interested in the future of network security and the combined strengths of HPE and Juniper Networks.