Telemetry on Trial: A Hands-On EDR Testing Workshop
In this 3-hour purple-team lab, participants pressure-test an open-source EDR’s core assumptions: where its sensors collect, how events are correlated, and how its anti-tamper protections hold up under stress. We will stand up the stack, baseline its telemetry, and run ATT&CK-aligned adversary simulations, fault injection, and tamper/disable tests to surface blind spots, alert latency, and failure modes.
Built for both red and blue practitioners, the workshop leaves you with a shared vocabulary and a practical model of what an EDR truly sees (and what it doesn’t), ready to drive sharper operations and future purple-team campaigns.
knud
Knud works at Fraktal.fi in the exciting field of information security. His interests and focus areas span widely, from lock manipulation and covert entry to vulnerability discovery and exploit development, usually focused on traversing trust boundaries one way or another. He enjoys popping shells and stealing corporate secrets, with permission, naturally.
Tuomo Makkonen
Tuomo Makkonen is co-founder and CTO of Fraktal, a Helsinki-based cybersecurity consultancy. With over 15 years on both sides of the adversary divide, his current interests lie in modeling real-world attacker behavior across on-prem and cloud environments, and in applying large language models to accelerate security work.