Workshop on Attack Provenance, Reasoning, and Investigation for Security in the Monitored Environment (PRISM) 2026

Modern cyber attacks are increasingly sophisticated, stealthy, and multi-stage, often exploiting diverse infrastructures ranging from enterprise networks and cloud platforms to IoT devices, cyber-physical systems (CPS), and operational technology (OT). Attackers leave behind fragmented traces across logs, alerts, forensic artifacts, and external threat intelligence sources. Reconstructing the “big picture” from these scattered signals—identifying root causes, correlating events across domains, and understanding causal chains—is one of the most critical and challenging problems in cybersecurity today.

Attack provenance and causal investigation have therefore emerged as essential capabilities for defenders. Provenance-based reasoning allows analysts to connect low-level signals into coherent narratives, attribute attacks to root causes, and generate actionable intelligence for detection, mitigation, and prevention. This workshop aims to bring together researchers, practitioners, and policy makers from academia, industry, and government to advance the theory, methodology, and practice of provenance-driven security, while fostering collaboration across areas of cybersecurity research and operations.