Transforming Security Incident Metadata to Security Outcomes

Cydney Stude, Steve de Vera

fwd:cloudsec North America 2026 · Day 1

In this talk from fwd:cloudsec, Cydney Stude and Steve de Vera from AWS Security Incident Response unveil the **Threat Technique Catalog for AWS (TTC)**, an initiative designed to improve understanding of, and defense against, adversarial behaviors within the Amazon Web Services ecosystem. The presentation details AWS's journey from a nascent state of incident tracking to a framework that extends the MITRE ATT&CK model with AWS-specific tactics, techniques, and procedures (TTPs). The catalog is continuously refined with real-world observations from the AWS Customer Incident Response Team, giving both AWS and its customers a resource for proactively identifying, detecting, and mitigating emerging threats.

AI review

A competent, well-structured threat intelligence briefing from practitioners with genuine access to AWS incident data. The TTC concept is useful and the real-world grounding is credible, but the techniques presented — credential compromise, trust policy backdoors, region hopping — are familiar territory to anyone who's defended cloud environments. The LLM hijacking angle and the support-case-closure evasion technique are the only things here that feel genuinely fresh.
