Blank Space: Filling the Gaps in Atomic and Composite Detection
Merav Bar, Gili Tikochinski
BSidesSF 2025 — Here Be Dragons · Day 1 · Main
Threat intelligence for cloud environments is systematically incomplete — the industry reports IPs, hashes, and domains while leaving cloud-specific indicators of compromise undocumented and unshared. Wiz researchers Merav Bar and Gili Tikochinski make the case for a new category of cloud IoCs, both atomic and behavioral, and demonstrate with a live attacker group called "Bapak" how this approach catches threats that traditional intelligence misses.
---
AI review
This is the talk the cloud security industry has needed for three years and didn't have a framework to ask for. Bar and Tikochinski identify a genuine structural gap in threat intelligence sharing, demonstrate it with a live attacker group, and leave with a concrete call to action. The Bapak case study with three-SSH-key IoCs and a consistent reconnaissance sequence is the kind of rigorous threat tracking that earns real credit.