SO-CON 2026 Conference & Training

Convene - 1201 Wilson Blvd
Arlington VA, United States

Mon, Apr 13, 9am - Sat, Apr 18, 5pm 2026 EDT

Event description

SO-CON 2026 is a two-day conference followed by four days of Adversary Tactics training courses.

SO-CON is where the community comes together to advance the practice of Attack Path Management. From adversary tradecraft to real-world defense strategies, this is the event shaping identity-first security. Whether you’re breaking, defending, or building programs, SO-CON unites tradecraft, research, and best practices all in one place.

Further details will be posted soon. Keep an eye out for updates, or sign up to be notified when new details are announced.


ATTENDEES WILL GET TO:

  • Discover Cutting Edge Insights
    Explore new approaches, tools, and techniques to combat identity-based attack paths. Discover the latest trends, research from frontline practitioners, case studies and firsthand experiences.

  • Learn Comprehensive Skills
    Gain in-depth knowledge into how to attack, defend, and harden enterprise environments against advanced threat actors from our in-the-field experts.

  • Connect with Industry Peers
    Connect in-person on the latest in the industry. Immerse yourself in interactive sessions, gain practical insights, and build lasting relationships.


RECOMMENDED HOTELS:

SO-CON 2026 Schedule

SO-CON 2026 consists of a two-day conference followed by four days of training, beginning on Monday, April 13, 2026.

Stay tuned for the full schedule and details!

Conference

Join us for our two-day, in-person conference that includes informative sessions, educational activities, and networking opportunities!

Trainings

Upgrade your skills by taking one of our four different courses.

  • Free Conference Pass Included

  • Alumni Discount on Training: 25% off - reach out to training-sales@specterops.io

  • Engage with our Frontline Practitioners

  • Hands-on Labs throughout the courses

  • Note: Only in-person training tickets are considered part of the SO-CON event; virtual tickets do not include the in-person benefits of the event

Adversary Tactics: Identity-driven Offensive Tradecraft

As modern architecture increasingly shifts services and data from on-premises infrastructure to the cloud, Identity becomes the thread that ties everything together.

Our Adversary Tactics: Identity-driven Offensive Tradecraft course is a follow-on to our Adversary Tactics: Red Team Operations course and offers an in-depth look at identity-driven attacks, targeting both on-premises and hybrid identities. Participants will learn how to abuse the intricacies of different authentication and authorization mechanisms to traverse on-premises and cloud environments, gain access to integrated systems, and even cross tenants. Participants will also be equipped with a practical approach to identifying known attack paths and forging new ones within complex operational environments and across people, processes, and technology.

Full course details here.

Adversary Tactics: Red Team Operations

Upgrade your Red Team engagements with bleeding-edge Tactics, Techniques, and Procedures (TTPs) used by attackers in real-world breaches. This course will teach participants how to infiltrate networks, gather intelligence, and covertly persist in a network like an advanced adversary. Participants will use the skillsets taught in Adversary Tactics: Red Team Operations to go up against live incident responders in an enterprise lab environment designed to mimic a mature real-world network. Participants will learn to adapt and overcome Blue Team response through collaborative feedback as the course progresses.

Topics covered include:

  • Design and deploy sophisticated, resilient covert attack infrastructure

  • Utilize advanced Active Directory attack techniques to execute domain enumeration, escalation, and persistence

  • Perform sophisticated post-exploitation actions, including sophisticated data mining, going beyond just achieving “Domain Admin”

  • Use cutting-edge lateral movement methods to move through the enterprise

  • Practice “offense-in-depth” by utilizing a variety of tools and techniques in response to defender actions and technical defenses

  • Effectively train network defenders to better protect themselves against advanced, persistent adversaries

Full course details here.

Adversary Tactics: Tradecraft Analysis

Your organization has just implemented the leading detection and response products. Are they configured with default configuration? How much faith should you have in your ability to detect sophisticated attacks? How would you simulate attacks to ensure robust detections are in place? This course will teach the importance of understanding the inner workings of attack techniques and telemetry availability and provide a workflow for developing robust detection analytics or data-driven evasion decisions. Focusing on various Windows components and attacker TTPs, you will dive deep into how software abstracts underlying capabilities and how attackers can interact with deeper layers to bypass superficial detection capabilities.

In Adversary Tactics: Tradecraft Analysis, we will present and apply a general tradecraft analysis methodology for offensive TTPs, focused on Windows components. We will discuss Windows attack techniques and learn to deconstruct how they work underneath the hood. For various techniques, we will identify the layers of telemetry sources and learn to understand potential detection choke points. Finally, the course will culminate with participants creating their own technique evasion and detection strategy. You will be able to use the knowledge gained to both use your telemetry to create robust detection coverage across your organization, and truly assess the efficacy of that coverage.

Whether you are a red team operator or detection engineer, you will have a comprehensive understanding of several attack chains. Red team operators will learn an approach to analyzing their own tools, a better understanding of which techniques to select to evade detection, and how to better describe to defenders why an evasion was successful. Detection engineers will understand how to craft a strategy to create robust detections and better detect families of attacks.

Full course details here.

Adversary Tactics: Detection

Enterprise networks are under constant attack from adversaries of all skill levels and intentions. For many it feels that blue teamers are only facing a losing battle. The attacker “only needs to be successful once” to cause havoc; the blue team must prevent them every time, under every condition, at every step of the way. The goal of Adversary Tactics: Detection is to turn that statement on its head and provide you confidence through a new defensive mindset. Preventative solutions are designed to stop attacks before they start, but against an adversary with enough time and resources, all will eventually fail. Rather than making the primary effort of security operations attempting to prevent any attack from being successful, assume breaches could (and likely would) occur and focus on developing robust detections around activity in all stages of the attack cycle. A strategy that focuses on deep understanding of post-exploitation activity (privilege escalation, lateral spread, pivot, persistence) produces high-quality alerts, creating a minefield where the attacker “only needs to be detected once” for blue teamers to respond.

This course builds on standard network defense and incident response (which often focuses on alerting for known malware signatures) by focusing on abnormal behaviors and the use of adversary Tactics, Techniques, and Procedures (TTPs). We will teach you how to engineer detections, steering clear of brittle indicators in favor of attacker TTPs. In addition, you will learn to use free and/or open source data collection and analysis tools (such as Sysmon, Windows Event Logs, and ELK) to analyze large amounts of host information and build detections for malicious activity. You will use the techniques and toolsets you learn to create robust detections in a simulated enterprise network undergoing active compromise from various types of threat actors.

Full course details here.


Questions?

Reach out to socon@specterops.io and a Specter will be in touch soon!

Special Tickets

Are you a member of the U.S. Government? Email training-sales@specterops.io for a registration code to receive 50% off an in-person ticket for the conference days or training.

Photography & Video Notice
By attending this event, you acknowledge that photography and video recording may take place. By entering the event premises, you consent to being photographed, filmed, and/or otherwise recorded for promotional, marketing, and archival purposes.

Hosted by SpecterOps