Lunch with GuidePoint Security & Semperis

Setting the stage: Why identity is the new perimeter Every attack path eventually runs through identity. This session is about how peers in this room are thinking about closing that gap, before an incident forces the question.

What keeps you up at night? — Executive Threat Briefing GuidePoint IR practitioner leads a real-world threat briefing with specific TTPs attackers use against AD and Entra ID today (DCSync, Golden Ticket, Entra token abuse).

The identity attack kill chain — from exposure to recovery  Walk the kill chain in three acts: Detect, Defend, Recover.

• Detect (15 min): Semperis DSP demo: show what indicators of exposure look like in a real AD environment. Emphasize what SIEM and EDR miss. 
• Defend (15 min): Tiered AD model, privileged access hygiene, Entra ID conditional access gaps. GuidePoint Security shares what they see most commonly misconfigured.
• Recover (15 min): Ransomware live recovery demo. Emphasize speed (minutes, not days), clean-room isolation, and cyber-insurance implications.

Break, informal networking & lunch

Tabletop: "Your AD Forest is down. What do you do?" Peer-facilitated tabletop exercise: Incident response simulation · 45 minutes

• Break into 3–4 tables of 6–8. Each table gets a scenario card such as ransomware that has encrypted DCs, wiped backups, and exfiltrated credentials.
• Scenario prompts: Who do you call first? What's your RTO for AD? What do you tell the board in hour 3? Do you pay? What's your clean-room recovery process?
• Debrief (15 min): Each table shares one gap they discovered in their current plan.

What good looks like: identity resilience maturity model Semperis + GuidePoint closing segment: Where do you stand?