Key Takeaways from UniCon 2025 – Fall Edition

Written by SCYTHE | Sep 28, 2025 8:16:20 AM

UniCon 2025 – Fall Edition, which took place on September 17, 2025, brought together hundreds of cybersecurity practitioners, CISOs, and industry leaders to share strategies for building resilience against evolving threats. Across keynotes, management tracks, and partner sessions, one theme stood out: security is no longer about reacting to headlines or relying on tools alone; it’s about people, processes, and practice.

If you couldn’t attend, here are the highlights and practical lessons.

AI Won’t Replace Humans – It Must Augment Them

Artificial intelligence is shaping modern security, but over-reliance is dangerous.

  • AI can be manipulated. Adversarial tricks, like stickers on clothing that break computer vision, highlight the risks.
  • Automation without judgment fails. Imagine pulling a hospital offline during a stroke emergency; this is why human oversight matters.
  • Augmentation is the goal. Teams that learn how to combine human judgment with AI scale faster and adapt better.

Technical Depth Still Matters in the AI Era

As AI becomes embedded in security workflows, technical fundamentals are more important than ever.

  • Understand the stack. Networking, databases, protocols: without them, you can’t validate AI outputs.
  • Use AI to learn faster. Large language models can build personalized training paths, but they won’t replace core knowledge.
  • Separate hype from reality. Practitioners who blend technical depth with AI augmentation will stand out.

The “Panic Cycle” in Threat Intelligence

Many teams still fall into the panic cycle:

  • A flashy CVE or headline emerges.
  • Leadership demands action.
  • Analysts scramble without context.
  • Noise drowns out what matters.

How to Break It

  • Start with clear intelligence requirements tied to business goals.
  • Build asset inventories and telemetry so you know what’s relevant.
  • Filter out irrelevant hype (e.g., a Salesforce exploit is irrelevant if you don’t use Salesforce).
  • Treat CTI as a capability, not a product feed.

Build a Panic Containment Unit (PCU)

A PCU helps teams quickly triage new alerts and decide if escalation is necessary.

Triage checklist:

  • Do we use this technology?
  • Is it internet-exposed or high-privilege?
  • Is there evidence of in-the-wild exploitation?
  • What’s the exploit complexity?
  • Do we have detections in place?
  • What’s the business impact?

This framework turns reactive panic into repeatable prioritization.
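The checklist above, together with the "do we even use this technology?" filter from the previous section, is easy to make repeatable. The following is an added example (not code from the UniCon talks or from SCYTHE) that scores a batch of new CVE alerts against the six PCU questions using a constructed asset inventory; the CVE identifiers, product names, weights and thresholds are all assumptions chosen for illustration.

```python
# Added example: a minimal Panic Containment Unit (PCU) triage. Each alert is
# scored against the six checklist questions; anything not in the inventory is
# filtered out before it can trigger a scramble. Weights/thresholds are assumed.
from dataclasses import dataclass


@dataclass
class Alert:
    cve: str               # placeholder id, constructed for this example
    product: str           # the affected technology
    exploited_in_wild: bool
    low_complexity: bool   # e.g. unauthenticated, no user interaction
    business_impact: str   # "low" | "medium" | "high"


# Constructed inventory: what we run, how it is exposed, and whether we already
# have a detection covering the affected component (Q1, Q2, Q5).
INVENTORY = {
    "vpn-gateway":  {"exposed": True,  "privileged": True,  "detected": False},
    "hr-portal":    {"exposed": True,  "privileged": False, "detected": True},
    "build-server": {"exposed": False, "privileged": True,  "detected": True},
}
IMPACT_WEIGHT = {"low": 0, "medium": 1, "high": 2}


def triage(alert: Alert, inventory: dict) -> dict:
    """Walk the PCU checklist for one alert and return score, decision, reasons."""
    asset = inventory.get(alert.product)
    if asset is None:  # Q1: we don't use it, so the headline is noise for us
        return {"cve": alert.cve, "score": 0, "decision": "ignore",
                "reasons": [f"{alert.product} not in asset inventory"]}
    checks = [
        (asset["exposed"],        3, "internet-exposed"),        # Q2
        (asset["privileged"],     2, "high-privilege asset"),    # Q2
        (alert.exploited_in_wild, 3, "exploited in the wild"),   # Q3
        (alert.low_complexity,    1, "low exploit complexity"),  # Q4
        (not asset["detected"],   1, "no detection in place"),   # Q5
        (alert.business_impact != "low", IMPACT_WEIGHT[alert.business_impact],
         f"{alert.business_impact} business impact"),            # Q6
    ]
    reasons = [why for hit, _, why in checks if hit]
    score = sum(weight for hit, weight, _ in checks if hit)
    decision = "escalate" if score >= 7 else "monitor" if score >= 3 else "backlog"
    return {"cve": alert.cve, "score": score, "decision": decision, "reasons": reasons}


def triage_all(alerts: list, inventory: dict) -> list:
    """Rank a batch of alerts so the team works top-down instead of scrambling."""
    return sorted((triage(a, inventory) for a in alerts), key=lambda r: -r["score"])


SAMPLE_ALERTS = [  # constructed alerts with placeholder CVE ids
    Alert("CVE-XXXX-0001", "vpn-gateway", True, True, "high"),
    Alert("CVE-XXXX-0002", "salesforce", True, True, "high"),    # we don't run it
    Alert("CVE-XXXX-0003", "build-server", False, False, "medium"),
    Alert("CVE-XXXX-0004", "hr-portal", False, True, "low"),
]

if __name__ == "__main__":
    for r in triage_all(SAMPLE_ALERTS, INVENTORY):
        print(f'{r["cve"]}: {r["decision"]:8} score={r["score"]:2} ({", ".join(r["reasons"])})')
```

Swap the constructed inventory for a feed from your real CMDB or telemetry and the same loop becomes the first step of the PCU, before any analyst time is spent.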

From Tabletop to “Game Day” – Training That Works

Not all tabletops are created equal. Exercises exist on a spectrum:

  • Seminars & workshops: Discussion-based, great for planning and role clarity.
  • Games/role play: Light-touch but still theoretical.
  • Functional exercises: Simulate degraded service, manual operations, or site disruptions without real-world risk.
  • Full-scale exercises: Blend executive decisions (ransom, crisis comms) with operational actions like malware analysis, forensics, bare-metal restore, and service recovery.

👉 The “green zone” (discussion) builds the plan. The “orange zone” (operations) proves whether the plan actually works.

Avoid the IR “Doom Loop”

Teams often contain but don’t fully eradicate threats, leading to reinfection and repeated incidents.

To break the loop:

  • Run eradication drills in a test environment or through emulation.
  • Include manual operations for OT/ICS scenarios.
  • Always drive to root cause analysis, not just symptom containment.
  • Track time-to-restore and cost to turn lessons into executive-level insights.

Train the People Who Turn the Valves

Executives need to understand cyber risk, but resilience is built on the ground.

🔹 In OT/ICS environments, organizations felt 1.7x more prepared when field engineers and technicians participated in tabletops.
🔹 Hands-on staff should run threat hunts, PCAP analysis, and manual operations drills, because they’ll be the ones executing during an incident.

GridX and Sector-Wide Exercises

Utilities and critical infrastructure operators can learn from GridX, a sector-wide exercise led by NERC and E-ISAC.

  • Distributed injects: Customized to each participant’s actual assets.
  • Hybrid approach: Combines technical/operational play with an executive tabletop.
  • Realistic pacing: Executives operate on days and weeks, not SOC-minute timelines.
  • Even outside utilities, the model applies: pair executive decisions with full technical execution for end-to-end resilience testing.

Emulation Closes the Loop

Threat intelligence and training are incomplete without emulation:

  • Test adversary TTPs in a safe environment.
  • Validate detections and controls.
  • Train SOC and IR teams under live-fire conditions.
  • Document escalation paths and ownership.

Key reminder: Emulation turns theory into readiness.

Always Tie CTI Back to the Business

Every intelligence effort should answer: what’s the business impact?

🔹 Protecting critical IP.
🔹 Preventing downtime in hospitals or plants.
🔹 Meeting regulatory obligations.
🔹 Safeguarding customer trust.

Internal telemetry, detections, incident history, and attack patterns are often more valuable than external feeds.

Conclusion

UniCon 2025 – Fall Edition drove home a hard truth: cybersecurity isn’t about chasing every headline or relying on AI tools. It’s about people, practice, and preparation.

From breaking the panic cycle to running full-scale exercises, from training engineers to running emulation, the path forward is about shifting from theory to readiness, because when game day comes, muscle memory matters more than plans on paper.

Book a demo with us to learn more about how SCYTHE can support your journey to cyber resilience.