APWG eCrime 2026 Training Day Sessions

Expert trainers from APWG member institutions and research correspondents assemble on Monday between 12:00 and 5:30 for sessions on agent systems, modeling for anti-abuse systems, AI defense systems and cybercrime intelligence development.


Modeling Adversaries Through Chaos 

Pete Herzog, ISECOM, Co-founder

12:00-3:00 PM / Room Assignment: TBA 


This 3-hour workshop introduces the Adversarial Analysis Model (AAM), a state-based analytical framework for modelling through the chaos of actor behaviour in cybercrime, fraud and adversarial contexts. Unlike kill-chain models, which map what an attacker did, AAM captures what an actor is in a position to do next. It structures 240 distinct behavioural states along five properties, three phases, four OODA observation faces and four polarity/locus layers (5 × 3 × 4 × 4 = 240).


Attendees learn the framework’s surgical-counter operations — Mirror, Twin, Opposite, and Lever — which let an analyst manipulate an actor’s state to anticipate, redirect, or interdict their next move. The framework’s full state grid stays in research use; this training covers the operations and structural shape attendees can use against their own research subjects with whatever attributes they have available.


The session pairs the framework with a live worked example: an anonymised phishing operator drawn from open cybercrime telemetry, modelled in front of the room across the framework’s four OODA faces. Attendees then break into pairs to model a research subject of their choosing (a phishing actor, a money-laundering cluster, a romance scammer or a state-aligned operator), applying Mirror/Twin/Opposite/Lever to the live attributes provided.


By the close of the session, participants leave with a portable analytical posture they can use with their own tooling, against actors at any of the layers eCrime researchers regularly investigate.


Competencies Cultivated

  • Threat-state thinking — separating “what an actor did” from “what state an actor is in”
  • Mirror / Twin / Opposite / Lever — surgical operations to anticipate, redirect, or interdict
  • Multi-locus modelling — accounting for an actor’s perspective on themselves, their target, and their context simultaneously
  • OODA-face awareness — using four observation modes rather than collapsing to single-perspective analysis
  • Portability — applying the framework without specialised tools, using whatever attributes the analyst already has on their research subject


Audience

Cybercrime researchers, threat intelligence analysts, fraud investigators, and law enforcement practitioners who already work with actor-attribution data and want a more analytical model than incident-based or kill-chain models provide. Experience working from telemetry-based actor profiles is assumed.


Prerequisites

No formal prerequisites beyond the audience experience described above. Familiarity with at least one cybercrime actor type (phishing operator, BEC group, money-laundering ring, romance scam network, etc.) will make the hands-on segment more productive.


Session Length

3 hours preferred. Workable as 2 hours if scheduling requires, which would compress the hands-on segment from 1 hour to 30 minutes and cut one of the operations from the demo.

Session structure:

Time        Segment
0:00–0:55   Framework shape, OODA faces, polarity/locus layers, the four operations
0:55–1:00   Break
1:00–1:55   Live model of an anonymised phishing operator across the four faces
1:55–2:00   Break
2:00–3:00   Individual work on attendee-chosen research subjects, walk-around critique and close


Amplify the Signal: Investigating phishing campaigns through domain clustering

Sven Krohlas, Spamhaus

12:00-3:00 PM / Room Assignment: TBA 

Threat intelligence sharing isn’t linear. It doesn’t simply move from A to B. It flows through an interconnected ecosystem of ISPs, hosters, registries and registrars, security vendors, governments, and law enforcement — where action happens.

When high-quality, verified threat intelligence is shared, it exposes clusters, uncovers related infrastructure, and creates opportunities for stakeholders to block, suspend, investigate, and escalate.

At Spamhaus we process, among other detection sources, APWG eCx data. In this session we take you on a practical 'signal-to-impact' journey, showing how shared phishing and malware reports lead to clusters of malicious domains, then to rogue networks, and finally to coordinated disruption at scale. This kind of disruption takes effect before the actual takedown and can, in the most extreme cases, protect users even from bulletproof criminal setups.

This session discusses ways to find clusters of similar domains (this might be your next research project) and gives hands-on passive DNS experience with real-world phishing examples. Participants learn how to pivot from a single phishing report to the broader infrastructure behind it and to additional malicious domains, showing how one indicator can rapidly expand into hundreds of related cases for sharing with the anti-abuse community.
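The passive DNS pivot described above, as an added example that is not part of the session material or any Spamhaus tooling. The records are constructed for illustration (all names use reserved example domains and documentation IP ranges). Starting from one reported phishing domain, the script follows its A and NS records to every other domain sharing that value, then repeats from the newly found domains. The one caveat a practitioner will want is the fan-out check: an IP or nameserver shared by more than `max_fanout` domains is treated as shared hosting or a CDN edge and not followed, otherwise the cluster silently absorbs unrelated tenants. The threshold is a hypothetical setting; real work tunes it per record type and confirms candidates before reporting them.

```python
"""Pivot from one reported phishing domain to related infrastructure using
passive DNS records.  Added example with constructed data; not Spamhaus or
APWG code."""
from collections import defaultdict

# Constructed passive DNS observations: (rrname, rrtype, rdata).
PDNS = [
    ("login-secure-bank.example", "A", "198.51.100.7"),
    ("login-secure-bank.example", "NS", "ns1.cheap-bp-dns.example"),
    ("verify-bank-account.example", "A", "198.51.100.7"),
    ("verify-bank-account.example", "NS", "ns1.cheap-bp-dns.example"),
    ("bank-update-notice.example", "A", "198.51.100.9"),
    ("bank-update-notice.example", "NS", "ns1.cheap-bp-dns.example"),
    ("parcel-redelivery-fee.example", "A", "198.51.100.9"),
    ("parcel-redelivery-fee.example", "NS", "ns1.cheap-bp-dns.example"),
    # A shared CDN edge: many unrelated tenants resolve here, so it is a
    # poor pivot and must not pull the whole tenant population in.
    ("login-secure-bank.example", "A", "203.0.113.50"),
    ("news-site.example", "A", "203.0.113.50"),
    ("recipes.example", "A", "203.0.113.50"),
    ("weather.example", "A", "203.0.113.50"),
    ("shop.example", "A", "203.0.113.50"),
    ("forum.example", "A", "203.0.113.50"),
    ("forum.example", "NS", "ns1.big-registrar-dns.example"),
]

# Record types whose rdata identifies infrastructure worth pivoting on.
PIVOT_TYPES = {"A", "AAAA", "NS"}


def build_indexes(records):
    """Forward index (domain -> infrastructure values) and reverse index
    (infrastructure value -> domains) over the pivotable record types."""
    forward = defaultdict(set)
    reverse = defaultdict(set)
    for rrname, rrtype, rdata in records:
        if rrtype in PIVOT_TYPES:
            forward[rrname].add((rrtype, rdata))
            reverse[(rrtype, rdata)].add(rrname)
    return forward, reverse


def pivot(seed, records, max_depth=2, max_fanout=4):
    """Breadth-first expansion from `seed`.

    Returns (cluster, skipped): cluster maps each domain to the pivot that
    reached it; skipped holds infrastructure values that were ignored
    because more than max_fanout domains share them (hypothetical
    threshold standing in for shared hosting / CDN detection)."""
    forward, reverse = build_indexes(records)
    cluster = {seed: "seed"}
    skipped = set()
    frontier = [seed]
    for _ in range(max_depth):
        next_frontier = []
        for domain in frontier:
            for key in sorted(forward[domain]):
                neighbours = reverse[key]
                if len(neighbours) > max_fanout:
                    skipped.add(key)
                    continue
                for other in sorted(neighbours):
                    if other not in cluster:
                        cluster[other] = f"{domain} -> {key[0]} {key[1]}"
                        next_frontier.append(other)
        frontier = next_frontier
    return cluster, skipped


if __name__ == "__main__":
    found, ignored = pivot("login-secure-bank.example", PDNS)
    for name, why in found.items():
        print(f"{name:32} via {why}")
    for rrtype, value in sorted(ignored):
        print(f"not followed (shared infrastructure): {rrtype} {value}")
```

Run from a single seed, the script returns four domains: two sharing an IP with the seed and two more reached only through the common nameserver, while the CDN address and its six unrelated tenants are reported as not followed. Each entry carries the pivot that produced it, which is the evidence a takedown request or a community share needs to include.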


Practical API Integration: Connecting Applications to the eCrimex eXchange Data Clearinghouse

Carlos Ramirez, APWG Engineering

3:00-5:30 PM / Room Assignment: TBA


This session introduces developers, data analysts, and technical researchers to the fundamentals of integrating with the eCrimex API. We’ll walk through how to authenticate, query, and interact with the platform’s data endpoints to retrieve and update information programmatically.


Attendees will learn:

• How the API is structured (endpoints, methods, authentication, response formats)

• How to make test calls using tools like Postman or cURL

• Example workflows for pulling and submitting data

• Common pitfalls and best practices for efficient API use


The session is designed for technical users who want to automate tasks, build integrations, or analyze platform data directly via the API. Participants will leave with working examples, API documentation pointers, and a clearer understanding of how to use the system’s capabilities in their own applications or research.
