Did you know that a fire in Chicago drove us to adopt exit signs, backup power to emergency lights, standardized testing all fire extinguishers. In 1903, Chicago’s Iroquois Theater became the site of one of the deadliest fires in U.S. history. More than 600 lives were lost when faulty wiring and inadequate exits turned an afternoon performance into a catastrophe. In its aftermath, building codes were rewritten, outward-swinging exit doors became standard, and new fireproofing methods spread across theaters, schools, and public spaces nationwide, making the world a safer place. It made Chicago the perfect backdrop for the security community, continually dealing with fires of their own, to gather for BlueTeamCon 2025.

This year marked the fifth occasion of the event. Over 500 security practitioners, researchers, and industry leaders gathered to share stories, ideas, and best practices. The event lasted 4 full days, with the first two days offering in-depth trainings, while the remaining days featured speakers about how to best defend the enterprise. The theme that echoed across the talks was not about chasing perfection, but about finding better approaches in the real world.

Here are just a few of the highlights from BlueTeamCon 2025.

Walls, Ladders, and the Value of Logs

Jake Williams, IANS Faculty Member and VP of R&D at Hunter Strategy, started us off with the keynote: “Less Resources, More Impact: Doing More With Less in Cybersecurity.” He described a landscape where costs are rising while budgets remain stagnant. Many teams have lost free services they once relied on, and the few institutional supports left, like CISA’s reports, are no longer as trustworthy or comprehensive. Jake said security leaders must adapt to an environment where the external scaffolding of their programs is eroding.

Visibility matters more than prevention. He used the memorable analogy that a "30-foot wall only creates a market for a 32-foot ladder." No perimeter will ever be high enough to stop a determined adversary. Instead of pouring resources into walls, teams should invest in telemetry. Logs, even when not paired with expensive SIEM platforms, are the backbone of an investigation, but only if retained properly. He urged attendees to increase event log storage beyond the unbelievably small default of 20 MB in Windows, a small but crucial adjustment that can prevent valuable records from rolling over.

For those who lost SIEM budgets entirely, his advice was practical: deploy Security Onion, an open source tool that runs on commodity hardware, and explore Sysmon, which extends Windows event logging. While these tools are not perfect, they deliver critical visibility with $0.00 in licensing costs. Jake also encouraged teams to drop sunk cost bias and conduct zero-based reviews of their programs. Every project should be reevaluated on cost and value, with no exceptions for legacy investments.

His conclusion set the tone for the conference: “Don’t let perfect stand in the way of better.”

Your Hidden Lives In Your Inbox

In her talk “Why Your Email Matters,” Amy "BitsDanceForMe" Devine, Systems Architect at AV, walked attendees through an unusual journey of researching her personal inbox, which she has had for 20 years. That introspection revealed just how much of our digital identity is anchored to email. What began as a cleanup project quickly transformed into a case study in how email can represent multiple personas and even strangers who mistakenly sign up with your address.

Her inbox reflected more than her own life. Misguided signups exposed medical data, loan applications, and even TSA travel records tied to people she had never met. The risks ranged from mild annoyance to severe exposure, including personally identifiable information and account recovery details for services she never used. She also discussed recent research on how your email profile can affect your credit score.

Amy's session was both personal and universal. Email is often underestimated in security conversations, but as her research showed, it is an identity hub that deserves greater protection. Strong passwords and two-factor authentication are only the beginning. Managing and cleaning inboxes proactively, being vigilant about account linkages, and recognizing the potential for synthetic identity theft are all critical steps.

Managing Admins In Active Directory Via Entra ID?

In their joint talk, Eric Woodruff, Chief Identity Architect at Semperis, and Jake Hildreth, Principal Security Consultant at Semperis, gave a talk, “Can Opposites Attract? Domain Admins – Meet Red Tenant.” The talk emerged from a conversation at the previous year's BlueTeamCon, where Jake thought it was a "dumb idea" to try to manage Active Directory through Microsoft Entra ID. But that conversation turned into a riveting talk where they explored one of the most pressing challenges in modern enterprises, managing admin accounts securely.

Traditional tiered security models assume that privileged accounts are neatly separated, with administrators working from isolated machines. In practice, however, privileged accounts bleed into daily-use devices, and Privileged Access Workstations (PAWs) rarely meet their intended standards. Cloud services only complicate matters, with hundreds of Azure roles making it almost impossible to define privilege tiers cleanly, with everything scope creeping its way to that highest tier of importance and clearance. And since "Tier 0" users shouldn't use Windows Hello for Business, since by Microsoft's own advice, you should never sync domain admins to Entra ID directly, managing admin users becomes a completely different workload than managing any other identities.

Their solution is the "Red Tenant" model, first proposed by glueckkanja. By isolating AD domain controllers in a dedicated Entra tenant, organizations can better contain privileged accounts, simplify management of PAWs, and prevent privilege creep. It is not a universal fix, but it represents a thoughtful attempt to untangle the hybrid identity knot and create a more manageable structure for critical accounts.

Cutting Through the AI Hype

In his session, “Agents of Change: Practical Adoption Framework for Agentic AI in Security Operations,” Ryan Rowcliffe, Field CTO at Legion Security, talked us through a successful deployment of AI in a Security Operations Center (SOC). Rather than promising the moon, he grounded the discussion of AI in the practical realities of enterprise adoption.

He acknowledged that internal AI experiments often stall due to unclear goals, lack of expertise, and weak governance. To address these barriers, he presented a comprehensive toolkit that included ROI calculators, risk classification matrices, and project templates designed to guide responsible adoption.

Ryan also highlighted the unique risks posed by agentic AI systems, arguing that we cannot treat them like just another type of non-human identity. Sending sensitive operational data to external providers like OpenAI or Anthropic is fraught with danger. Instead, he urged security teams to consider dynamic identity management built on decentralized identifiers and verifiable credentials, paired with zero trust principles.

The results can be powerful. He shared a case study where agentic AI cleared a backlog of 20,000 alerts in a month, dramatically reducing analyst toil and response times. The message was clear: AI can be transformative, but only if deployed carefully and incrementally.

Better Over Perfect: Security in the Real World

Beyond the individual talks, BlueTeamCon's unifying theme was not about perfection, but about progress. Security teams are learning to thrive in imperfect conditions, and the lessons shared in Chicago reflected that spirit.

Visibility Beats Walls

Every session reinforced that prevention-only strategies are insufficient. Attackers will always find a taller ladder. The real defense lies in visibility. Retaining logs, even with minimal infrastructure, provides investigators with the data they need. Deploying the right tools, many of which are open-source, and making small changes to existing configurations, although not flawless, creates affordable layers of visibility that can tip the balance in a crisis.

Collaboration Over Isolation

Lean times highlight the value of community. Where budgets cannot stretch to consultants, peer relationships can fill the gap. A quick call to a trusted colleague can provide clarity in the fog of an incident. Informal networks, built on mutual support, also protect against burnout, a critical concern for blue teamers who often carry heavy responsibility with limited resources.

Progress Over Perfection

Incremental wins add up. Automations that save minutes per day compound into hours of regained focus. Free observability and monitoring tools may lack enterprise polish, but they deliver critical coverage. New privileged identity management models like "Red Tenant" are not universally applicable, but they advance the conversation. Perfect is unattainable, but progress is within reach.

The Better Path Is Often The Pragmatic One

BlueTeamCon 2025 was really about how to get better at security by embracing the one thing we all have in common: our humanity. The deeper lessons were clear across many of the talks. Our greatest resource is not a tool or a budget line item; it is each other.

Your author was able to proudly present two different talks, one on rethinking NHI and one on AI in developer workflows. At the heart of both of these talks, though, was a plea to remember what we are ultimately securing, the humans who make and use our systems.  Security thrives when we share openly, ask for help, and show empathy.

Just as the aftermath of the Iroquois Theater fire proved that lasting progress comes from collective action, BlueTeamCon reminded us that better security is built not only on logs, automation, or identity frameworks, but on empathy, trust, and collaboration.