This isn’t a keynote about what AI could do. It’s a hands-on workshop where we break down exactly how agents work, show the architecture decisions that determine whether they’re trustworthy, and run two complete security workflows live from trigger to resolution.
Walk in curious. Walk out with a playbook.

A prompt gives you an answer. An agent takes action, perceiving, reasoning, acting, and observing in a continuous loop. We’ll make the distinction concrete and show why it rewrites the rules for security operations.
Three pillars every agent must have: Context (what it sees), Tools (what it can do), and a Harness (what keeps it in check). Get these wrong and your agent is either blind, powerless, or out of control. We’ll walk through each one with real security examples.
Isolated agents making decisions on stale data. No shared state. Inconsistent answers across your team. We’ll show exactly what breaks, why it breaks, and what unified real-time context looks like when it’s working.

Workflow 1: Threat Intel Closed Loop
An agent ingests IOCs from threat intel feeds, hunts your environment for matches, investigates any evidence it finds, responds automatically when confidence is high enough, and writes detection rules to close the loop. No human required until it matters.
Step by step:

Every anomalous activity gets checked against your entitlement data in ServiceNow. If the service isn’t authorized, it gets blocked immediately. Then a deep investigation runs, evidence is gathered, and cleanup happens automatically with a closed ticket at the end.

WHO THIS IS FOR

