The following abstracts are available for delivery at security meetings and conferences.
Charles' Biography
Charles Herring is co-Founder and Chairman at WitFoo. WitFoo was founded to enable the sharing of information and operations across the craft of Cybersecurity. Charles leads research and development of the WitFoo Precinct platform, which ingests trillions of messages each day across hundreds of clusters to detect cybercrime and provide secure methods of sharing data and operations across corporations, organizations, law enforcement, national security and insurers.
In 2026, Charles led the Nuclear Code Fork initiative at WitFoo, eliminating all external open source dependencies from the analytics platform in response to supply chain risks amplified by AI-assisted attack tooling. Every line of code is now written in-house, with full air-gapped build capability.
Charles regularly speaks on research at conferences including DEFCON, Secure360, GrrCON, BSidesSPFD and ChiBrrCon. He began his career in cybersecurity analytics in 2002 while in the US Navy serving as the Network Security Officer for the Naval Postgraduate School. After leaving active duty in 2005, he ran a consulting company focused on data and operations sharing across private and public sector organizations. In 2012, he joined Lancope designing and deploying advanced network security solutions. In 2015, he joined Cisco Systems through the Lancope acquisition before launching WitFoo in 2016. He has served WitFoo as CTO, CEO, and currently as Chairman.
Charles and his wife Mai are currently based in New Zealand, where they are supporting WitFoo's international expansion. When he is not researching challenges in big-data and cybersecurity, he enjoys SCUBA diving, cricket matches at Hagley Oval, and long dinners with Mai.
Talk Abstracts
The following talk abstracts are available for conferences, meetings or private discussions.
Topic 1: Coding with AI — Building Production Software with Claude
Technical Level: Intermediate to Advanced
Audience: Developers, Engineering Managers, CTOs
Abstract
For the past year, I have been building WitFoo's analytics platform almost entirely with Claude Code. Not as a side experiment, but as the primary development method for production cybersecurity software that processes billions of signals daily. Along the way, I trained our development and support teams on these approaches and refined the workflow through hundreds of sessions (and more than a few spectacular failures).
This session shares what actually works: the repository structure, the prompt templates, the testing discipline, and the honest limitations of AI-assisted development at scale. I will demonstrate the Plan → Build → Test → Document → Finalize workflow we use for every session, walk through the anatomy of a well-formed CLAUDE.md file, and show how a layered testing pyramid (unit → system → e2e → full suite) catches the mistakes that Claude will confidently ship if you let it.
Objectives
- Structure a repository for durable multi-session AI-assisted development
- Write prompt templates that enforce scope, quality, and test coverage
- Build a testing and utilities layer that makes Claude's work verifiable
- Choose between Opus and Sonnet for the phase of work at hand
- Recover gracefully when things come off the rails (because they will)
Resources: Coding with Claude, Teaching Claude the Old Tricks, The Closing Window: AI's Value-to-Cost Ratio Is Shifting Fast
Topic 2: Empathetic Processing and Temporal Link Analysis
Technical Level: Intermediate to Advanced
Audience: Data Engineers/Scientists, Incident Responders, SOC Architects
Abstract
Security operations centers face a paradox: vast telemetry, yet limited actionable insight. This session explores how empathetic processing, temporal link analysis, and the principle of predestination of data can address that challenge by enabling AI systems to reason about context, causality, and evidentiary needs.
Empathetic Processing models analytics as a human-centric dialogue. Systems listen to diverse signals, resolve dissonance among conflicting narratives, and speak findings in role-appropriate language for analysts, auditors, and executives. This approach reduces reliance on brittle parsers through NLP-based intent comprehension, and it anticipates compliance requirements from the moment of ingestion (predestination of data), ensuring forensic completeness before incidents occur.
Temporal Link Analysis correlates events across time, constructing a resilient graph of nodes and edges from fully comprehended forensic artifacts. This enables evaluation against theories of crime and supports dynamic, object-oriented analysis that adapts as new relationships emerge.
Objectives
- Understand the design principles behind empathetic processing and predestination of data
- Apply temporal link analysis for long-horizon correlation and attack path reconstruction
- Explore the roles of ML, graph theory, LLMs, and NLP in emulating expert reasoning
- Assess how labeling, structuring, and pipeline strategies affect accuracy, speed, and cost
Resources: Empathetic Processing and Temporal Link Analysis (includes whitepaper and slides)
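As an added illustration of the graph described in this abstract (example code written for this page, not WitFoo's Precinct implementation), the Python below turns a handful of constructed, already-normalized events into time-stamped edges and reconstructs an attack path as a time-respecting walk: each hop must occur no earlier than the previous one, and the whole path must fit inside a horizon. The event fields, relation names, and 24-hour horizon are assumptions for the example, and the IP addresses come from documentation ranges. The contrast with plain reachability shows why the temporal constraint matters: a static graph links the file server to an old, unrelated upload destination, while the time-ordered walk rejects it until a later upload event actually arrives.

```python
"""Temporal link analysis over normalized security events (added example).

Events become time-stamped edges; an attack path is a time-respecting
walk from an initial artifact to a target within a horizon.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Edge:
    src: str
    dst: str
    relation: str
    ts: datetime
    evidence: str  # id of the comprehended artifact that produced the edge


class TemporalGraph:
    def __init__(self):
        self.out = defaultdict(list)  # node -> outgoing edges

    def add_event(self, ev):
        """Map one normalized event (assumed schema) to a time-stamped edge."""
        self.out[ev["src"]].append(
            Edge(ev["src"], ev["dst"], ev["relation"],
                 datetime.fromisoformat(ev["ts"]), ev["id"]))

    def reachable(self, start, goal):
        """Plain (time-blind) reachability, for contrast."""
        seen, stack = {start}, [start]
        while stack:
            node = stack.pop()
            if node == goal:
                return True
            for e in self.out[node]:
                if e.dst not in seen:
                    seen.add(e.dst)
                    stack.append(e.dst)
        return False

    def time_respecting_paths(self, start, goal, horizon):
        """All simple paths start->goal with non-decreasing timestamps
        whose first-to-last span does not exceed `horizon`."""
        results = []

        def walk(node, path, first_ts, last_ts, visited):
            if node == goal and path:
                results.append(list(path))
                return
            for e in sorted(self.out[node], key=lambda e: e.ts):
                if e.dst in visited:
                    continue  # keep paths simple
                if last_ts is not None and e.ts < last_ts:
                    continue  # cause cannot follow effect
                start_ts = first_ts if first_ts is not None else e.ts
                if e.ts - start_ts > horizon:
                    continue  # outside the correlation window
                path.append(e)
                visited.add(e.dst)
                walk(e.dst, path, start_ts, e.ts, visited)
                path.pop()
                visited.discard(e.dst)

        walk(start, [], None, None, {start})
        return results


# Constructed sample events, already parsed/normalized upstream.
SAMPLE_EVENTS = [
    {"id": "ev1", "ts": "2024-03-01T08:00:00", "src": "mail:attacker@evil.example",
     "dst": "user:alice", "relation": "sent_attachment"},
    {"id": "ev2", "ts": "2024-03-01T08:05:00", "src": "user:alice",
     "dst": "host:ws-17", "relation": "executed_on"},
    {"id": "ev6", "ts": "2024-03-01T08:15:00", "src": "host:ws-17",
     "dst": "host:printer-1", "relation": "smb_auth"},          # dead end
    {"id": "ev3", "ts": "2024-03-01T08:20:00", "src": "host:ws-17",
     "dst": "host:fileserver-2", "relation": "smb_auth"},
    {"id": "ev4", "ts": "2024-03-01T09:10:00", "src": "host:fileserver-2",
     "dst": "ip:203.0.113.9", "relation": "https_upload"},
    # Old upload that predates the phish: statically linked, temporally irrelevant.
    {"id": "ev5", "ts": "2024-02-20T12:00:00", "src": "host:fileserver-2",
     "dst": "ip:198.51.100.7", "relation": "https_upload"},
]


def build_sample_graph():
    g = TemporalGraph()
    for ev in SAMPLE_EVENTS:
        g.add_event(ev)
    return g


def reconstruct(graph, start, goal, horizon_hours=24):
    """Return candidate attack paths as lists of evidence ids."""
    paths = graph.time_respecting_paths(start, goal, timedelta(hours=horizon_hours))
    return [[e.evidence for e in p] for p in paths]


if __name__ == "__main__":
    g = build_sample_graph()
    src = "mail:attacker@evil.example"
    print(reconstruct(g, src, "ip:203.0.113.9"))   # one ordered path
    print(reconstruct(g, src, "ip:198.51.100.7"))  # none: ev5 precedes the phish
    print(g.reachable(src, "ip:198.51.100.7"))     # True: static linking over-links
```

Because the graph is built incrementally, new artifacts extend it in place: adding a later upload from the file server to the second IP produces a new time-respecting path through the same earlier hops, which is the "adapts as new relationships emerge" behaviour the abstract describes.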
Topic 3: Artificial Intelligence to Deter Cybercrime
Technical Level: Intermediate to Advanced
Audience: Data Engineers/Scientists, Developers, Incident Responders, Law Enforcement
Abstract
Cybersecurity analysis leading to deterrence of cybercrime requires processing thousands to billions of digital signals per second. Those signals must be accurately comprehended, forensically preserved, then used to detect and investigate potential cybercrime. The work products must not only assist investigators but must be translated into language that non-technical audiences (judges, lawyers, and jurors) can understand.
This presentation explores how generative artificial intelligence (GenAI), natural language processing (NLP), graph theory, and artificial narrow intelligence (ANI) play a role in delivering these outcomes. The session includes demonstrations of open source toolkits, datasets, and models designed to assist in this work.
Objectives
- Build a dataset and train a generative AI model using the ArtiFish toolkit
- Understand the strengths and weaknesses of GenAI, NLP, ANI, and Graph Theory in cybersecurity analysis
- Examine the impact of triaging digital signals on effective analysis
- Use generative AI to translate cybersecurity analytic data for non-technical audiences
Topic 4: Building a Global CyberGrid
Technical Level: Intermediate to Advanced
Audience: Data Engineers/Scientists, Developers
Abstract
Detecting, catching and successfully prosecuting cybercrime requires collaboration across private sector, law enforcement, insurance companies, and national security agencies. Even small organizations produce gigabytes to terabytes of evidence across their internal and cloud instances. Much of this signal evidence contains information protected by law.
Law enforcement needs to collect evidence from victim organizations without spending hundreds of labor hours. Organizations need a way to package and share evidence with law enforcement without creating undue risk. Insurers need effective ways of underwriting policies and adjusting claims associated with cybercrime.
In this session, I detail how terabytes of data collected across hundreds of independent Cassandra clusters each day can be safely leveraged to meet the goals of reducing cybercrime and its associated costs. I cover schema design for cross-organizational sharing, using REST APIs for transport across clusters, leaning into Cassandra TTL for data garbage collection, and best practices to ensure resilience and performance in diverse environments.
Topic 5: SECOPS Driving Criminal Prosecution
Technical Level: Beginner & Intermediate
Audience: Security Managers/Executives, Incident Responders
Abstract
At a key point in the history of cybersecurity operations, it was passively decided that SECOPS is an extension of IT OPS. This session examines the thesis that SECOPS is instead an extension of the craft of Law Enforcement, and the consequences of building SECOPS on IT models (which were themselves derived from manufacturing models). It examines approaches from Law Enforcement that can accelerate and improve SECOPS, and demonstrates methods of safely leveraging law enforcement to reduce cyber risk and costs.
Resources: https://www.witfoo.com/infosec-craft/secops-driving-prosecution/
Topic 6: Metric Driven DevOps
Technical Level: Advanced
Audience: Data & System Architects, Developers
Abstract
Developing software that changes the world, exceeds customer expectations, provides turn-key functionality in diverse scenarios, and meets security and compliance requirements is the holy grail of Security Development Operations (SECDEVOPS). There are thousands of variables that need to be constantly addressed to find the balance that delivers sustainable and secure success. In this session, I outline an innovative approach to secure DevOps called Metric Driven Development.
Objectives
- Creating a metric collection infrastructure to alert on security and functionality deficiencies
- Utilizing metrics to write optimized unit and system tests
- Determining the optimal value of code coverage, application pen-testing, and static code analysis
- Integrating metrics into customer support evolutions
- Placing containerization within SECDEVOPS
- Building metric-driven use cases from hypothesis to pivot
- Reducing SOAR playbook maintenance costs through abstraction and normalization
By the conclusion of the session, attendees will have the tools necessary to implement lean and effective development pipelines that deliver secure and useful code in a fraction of the time and at a fraction of the development cost.
Resources: ExploitCon Slides: Metric Driven SECDEVOPS
Topic 7: The Seven Unstable Conversations of Cyber Security
Technical Level: Beginner
Audience: Any Business or Security Personnel
Abstract
WitFoo was founded in 2016 to develop the tools and data required to mature the craft of cybersecurity operations. The research has focused on seven unstable conversations within each part of the craft. This session shares the findings on each of the seven conversations and explores remedies and impacts.
- Investigators do not understand what their tools are saying
- Managers cannot track the success of the security practice
- The security practice cannot express its value to the business
- Security vendors cannot be held accountable
- Organizations cannot safely share information with each other
- Organizations cannot safely report crimes to law enforcement
- Law enforcement lacks evidence to prosecute criminals