Schedule

Workshop Schedule

Speakers and sessions are being announced now through late summer.

Presentation materials will be shared with attendees after the event. Talks will not be recorded.

Day 1 — September 10, 2026

Location: David Brower Center

Coffee will be available at 8:30 AM in the Hazel Wolf Gallery. Talks will take place in the Goldman Theater.

Time Topic & Speaker
9:00 AM Welcome & Opening Remarks
Michelle Pathe
9:15 AM A Few Decades of Zeek and Network Monitoring
Vern Paxson
9:45 AM Zeek 9 and Beyond
Christian Kreibich
10:15 AM Parsnip: Zeek Development for Non-Developers
Melanie Pierce
10:45 AM Beyond conn.log: What We Learned Feeding Zeek Logs to an LLM
Zach Chadwick
11:15 AM From Packets to Practice: Running Zeek Operationally at NERSC
Aaron Scantlin
12:00 PM Lunch (offsite, 90 minutes)
1:30 PM Tales from the Black Hat NOC
Mark Overholser
2:00 PM Spicy and a Remote Code Execution
Evan Typanski
2:30 PM Zeek without ZeekControl
Arne Welzel
3:00 PM Log Schema in Zeek
Christian Kreibich
3:30 PM How To Make Your Zeek Run Faster
Vern Paxson
4:00 PM Break
4:20 PM Open Lightning Talks
4:40 PM Closing Remarks
4:50 PM Walk to reception
5:00 PM Reception at Cornerstone Craft Beer & Live Music

Day 2 — September 11, 2026

Coffee will be available at 8:30 AM in the Hazel Wolf Gallery. Training will take place in the Goldman Theater.

Training Focus: Beginner and Intermediate Zeek Topics

This year’s Zeek training is divided into two complementary sessions.

The first half, Introduction to Running Zeek, provides a practical foundation for deploying and operating Zeek. Participants will learn how to install Zeek, explore the broader Zeek ecosystem, and follow a step-by-step walkthrough of building and bringing a Zeek cluster online.

The second half, Hands-on Scripting, is an in-depth exploration of the Zeek scripting language. Designed for users who want to go beyond a standard deployment, this session focuses on developing custom Zeek scripts to extend Zeek’s capabilities and tailor detections and analysis to their specific environments.

Time Session
9:00 AM Intro & Setup
9:15 AM Introduction to Running Zeek
10:45 AM Break
11:00 AM Introduction to Running Zeek cont’d
12:15 PM Lunch (offsite)
1:30 PM Hands-on Scripting
2:45 PM Wrap-up & Q&A
3:00 PM End of Workshop

Speakers

Vern Paxson

A Few Decades of Zeek and Network Monitoring and How To Make Your Zeek Run Faster

Vern is the creator of Zeek, co-founder and chief scientist at Corelight, and Professor of Computer Science at the University of California, Berkeley. A prolific and internationally-recognized researcher, Vern also leads the Networking and Security Group at the International Computer Science Institute and for decades held a position as a staff scientist at Lawrence Berkeley National Laboratory. His research interests include Internet measurement, high-performance network monitoring, detection algorithms, and combatting cybercrime, censorship, and abusive surveillance.

Christian Kreibich

Zeek 9 and Beyond and Log Schema in Zeek

Christian is the Technical Lead of the Zeek project and an engineer at Corelight. He previously headed the networking group at Lastline, and prior to that was a staff research scientist at the International Computer Science Institute in Berkeley. He has served on the advisory board of the Open Information Security Foundation, and holds a PhD from the University of Cambridge’s Systems Research Group.

Melanie Pierce

Parsnip: Zeek Development for Non-Developers

Melanie has been a Cybersecurity Researcher at Idaho National Laboratory since 2022. She leads the Industrial Control Systems Network Protocol Parser (ICSNPP) team to develop Zeek parsers in Spicy and BinPAC to provide further visibility into critical infrastructure networks. She is also the inventor and maintainer of Parsnip, a tool to lower the barrier of entry for Zeek parser development. Melanie holds a bachelor’s degree in cybersecurity from Brigham Young University and a master’s degree in computer science from Johns Hopkins University. She believes cybersecurity doesn’t need to be expensive or complicated to be effective and is passionate about creating tools to simplify security across all industries.

Zach Chadwick

Beyond conn.log: What We Learned Feeding Zeek Logs to an LLM

Zach Chadwick is a software engineer at QA Cafe, where he has spent more than 20 years building tools to verify gateways and make sense of network traffic. He came to Zeek from the Wireshark world and spends much of his time figuring out how LLMs can be useful for network analysis. When he’s not staring directly into fiber optic cables, he can be heard playing jazz saxophone and flute or seen teaching his girls to ride their bikes without training wheels.

Aaron J. Scantlin

From Packets to Practice: Running Zeek Operationally at NERSC

Aaron is the resident Zeek Geek at the National Energy Research Scientific Computing Center, where — together with ESnet and Lawrence Berkeley National Lab — he frequently discusses cluster management, network IOC detection, and more with his peers. With over 10 years in infosec, Aaron has given talks all over the world on various aspects of computer security — almost always informative, and never failing to entertain!

Mark Overholser

Tales from the Black Hat NOC

Mark is a Silicon Valley tech veteran with over ten years of experience. Since the spring of 2023, he has also been a threat hunter in the Black Hat conference Network Operations Center, participating in three Black Hat conferences globally each year (ten and counting!). His professional background includes roles as a Threat Hunter, Security Engineer, Incident Responder, and Information Security Team Lead for a multi-billion-dollar enterprise.

Evan Typanski

Spicy and a Remote Code Execution

Evan is a software engineer at Corelight, where he works as a maintainer for the Zeek project. His focus is on compilers and low level networking. Before joining Corelight, Evan worked on static code analysis (SAST) for languages like C/C++, Swift, and Rust. He graduated from the University of Virginia with a BS in Computer Science in 2020.

Arne Welzel

Zeek without ZeekControl

Arne is a software engineer on the Open Source team at Corelight with over 15 years of experience in network programming and packets. He works in various corners of Zeek’s code base and ecosystem, notably hacking it to be a JavaScript event emitter.

Training Team

Training will take place on September 11 from 9am to 3pm and will cover beginner to intermediate topics.

Aashish Sharma

Aashish Sharma is a member of the Cyber Security Team at Lawrence Berkeley National Laboratory, where he has worked for the past fifteen years. With nearly 23 years of experience in security and incident response, his work focuses on intrusion detection and incident response. He is a member of the Zeek Leadership Team and has published approximately 19 papers in venues including USENIX and ACM.

Fatema Bannat Wala

Fatema Bannat Wala is a Security Engineer at ESnet/Lawrence Berkeley National Laboratory, where she focuses on network traffic monitoring, threat hunting, and incident response. She holds CISSP certification alongside multiple GIAC certifications and serves on the SANS/GIAC Advisory Board. Fatema is a member of the Zeek Leadership Team and a frequent speaker at FIRST events and the Trusted CI NSF Cybersecurity Summit.