2025-12-13, Track 2
The best intelligence isn’t bought, it’s built by you and your organisation. This talk explains how to build the bare-metal infrastructure and the pipelines that run on it to scan the web at scale. We’ll build an open-source sandbox with built-in fingerprinting and runtime detections, then leverage that sandbox to mass-scan large portions of the web (hundreds of millions of domains). By storing results in OpenSearch, we can perform advanced queries and correlations across raw data and derived fingerprints, turning individual incidents into linked campaigns.
Most threat intelligence teams rely on commercial feeds and dashboards to tell them what adversaries are doing. These feeds are noisy, lagging, and rarely give defenders the edge needed. If everyone is buying the same intel, no one has an advantage.
This talk shows how to build your own sovereign threat intelligence capability by fingerprinting adversary infrastructure directly from the web, at scale. We’ll walk through the bare-metal deployment and the open-source pipelines needed to continuously scan and enrich hundreds of millions of domains. You’ll see how to capture high-signal data (DNS, TLS, headers, certificates, resources, hosting infrastructure) and enrich it with a custom open-source sandbox that performs fingerprinting and runtime detections.
Finally, we’ll explore how storing the results in OpenSearch enables analysts to query, pivot, and stitch data together, linking seemingly isolated incidents into coherent campaigns. Attendees will leave with a blueprint for building their own large-scale adversary tracking system, without relying on third-party feeds or opaque vendors.
The end solution is horizontally scalable: run it on a Raspberry Pi for a local private sandbox, or run it on a server rack to scan and monitor 100x million domains hourly.
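As an added example (not code from the talk or from the speaker's project), the correlation step the abstract describes: derive a fingerprint from infrastructure traits that survive domain rotation, attach it to each scan document, and group documents by shared fingerprint to surface candidate campaigns. The scan records, domains and addresses are constructed, and the OpenSearch aggregation is replaced by an in-memory grouping.

```python
import hashlib
import json
from collections import defaultdict

# Constructed scan records (made-up .test domains and TEST-NET addresses), shaped
# like the per-domain fields the talk describes capturing.
SCAN_RESULTS = [
    {"domain": "kit-a.test", "ip": "203.0.113.10",
     "headers": {"Server": "nginx/1.18.0", "X-Powered-By": "PHP/7.4.33"},
     "cert": {"issuer": "R3", "san": ["kit-a.test", "www.kit-a.test"]},
     "resources": ["/assets/app.js", "/assets/theme.css", "/img/logo.svg"]},
    {"domain": "kit-b.test", "ip": "203.0.113.57",
     "headers": {"server": "nginx/1.18.0", "x-powered-by": "PHP/7.4.33"},
     "cert": {"issuer": "R3", "san": ["kit-b.test"]},
     "resources": ["/img/logo.svg", "/assets/theme.css", "/assets/app.js"]},
    {"domain": "unrelated.test", "ip": "203.0.113.200",
     "headers": {"Server": "Apache/2.4.54"},
     "cert": {"issuer": "R3", "san": ["unrelated.test"]},
     "resources": ["/index.html"]},
]

def fingerprint(record):
    """Derive a stable fingerprint from traits that tend to be reused across
    domains: normalized headers, certificate issuer and served resource paths.
    Domain, IP and SANs are excluded so the value survives domain rotation."""
    traits = {
        "headers": sorted((k.lower(), v) for k, v in record["headers"].items()),
        "issuer": record["cert"]["issuer"],
        "resources": sorted(record["resources"]),
    }
    canonical = json.dumps(traits, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]

def to_document(record):
    """Build the document to index: raw scan fields plus the derived fingerprint."""
    return {**record, "fingerprint": fingerprint(record)}

def link_campaigns(docs, min_domains=2):
    """Group documents by fingerprint; a fingerprint shared by >= min_domains
    distinct domains is a candidate campaign. In OpenSearch this pivot would be
    a terms aggregation on the fingerprint field; here it is done in memory."""
    by_fp = defaultdict(set)
    for doc in docs:
        by_fp[doc["fingerprint"]].add(doc["domain"])
    return {fp: sorted(ds) for fp, ds in by_fp.items() if len(ds) >= min_domains}

if __name__ == "__main__":
    for fp, domains in link_campaigns([to_document(r) for r in SCAN_RESULTS]).items():
        print(f"campaign {fp}: {', '.join(domains)}")
```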
I’ve been working in cybersecurity for 8 years. I started out in incident response at CrowdStrike and CME Group, handling live breaches and all the chaos that comes with them. Over time, I realised I preferred building things that prevent incidents, so I moved into security engineering at Synopsys and now Webamon.
These days, I’m all about open-source & self-hosted tooling. I spend most of my time mapping and monitoring the web, crawling domains, fingerprinting infrastructure, and trying to understand how the internet actually works (or doesn’t).
I’ve got a chip on my shoulder when it comes to threat intel vendors selling stale or recycled data. If I can build it myself, I will. I think more people in this field should feel empowered to do the same.
