Ken Toler

Ken is the Head of Security at Filecoin Foundation and a security practitioner who focuses on software security, from applications to cloud and web3 technologies. He is also the host and producer of Relating to DevSecOps, a podcast focused on cultivating security relationships in organizations. With 15+ years of experience in the security industry, he has had the opportunity to serve in many roles, from hacking on governments to building robust security programs from the ground up. In his spare time, he builds drones, sings karaoke, and makes things out of wood.


Sessions

02-16
15:35
20min
Mastering Security through Simple Machines: How Consistency, Not Complexity, Drives Innovation
Ken Toler

In the security industry, we often take well-established development practices, such as the DevOps infinity loop, add a layer of security, and label it "DevSecOps." However, this approach frequently overlooks a critical issue: layering complex security processes onto efficient development processes can create inefficiency. In this talk, I argue that true innovation in security comes not from tooling or automation alone, but from mastering the underlying process first. By drawing an analogy to simple machines — where incremental improvements led to the evolution of tools like levers, wheels, and pulleys — I will illustrate how optimizing foundational processes leads to scalable, effective security practices. Attendees will leave with practical insights on reducing inefficiencies and fostering consistent improvement in their security workflows.

Hot takes
Auditorium
02-17
15:40
20min
Crazy Chains: Why Incident Response Breaks Outside the EVM
Ken Toler

Most incident response and chain analysis tooling is built with an implicit assumption: account-based execution risk is the problem. That assumption holds, until it doesn’t.

Using Filecoin as a case study, this talk explores why many otherwise capable vendors struggle to support novel chains, and why gaps appear not because of neglect but because the mental model itself breaks down and product margins don't get in the way.

Filecoin isn’t a smart contract chain with storage bolted on. It’s a distributed system designed to verify long-lived behavior across independent operators. The primary asset isn’t just balance; it’s behavior over time. The dominant risks are not necessarily exploits; they are rooted in incentive failures, coordinated degradation, and economic edge cases.

We’ll unpack what this means for incident response teams and why chain analysis and incident response platforms tend to miss the mark when stepping outside familiar ecosystems:

  • Why transaction-centric alerts miss slow-burn incidents
  • Why actor behavior matters more than bytecode inspection
  • Why “the incident” often belongs to the network, not an app
  • Why generic EVM heuristics actively create false confidence and false positives

To be crystal clear, this talk is not a critique of vendors; it’s a lessons-learned hot take briefing from the field. Supporting novel chains requires different playbooks, different baselines, and a willingness to abandon security absolutism in favor of contextual risk analysis.

The key takeaway: if your incident response model can’t reason about incentives, time, and roles, it will fail quietly on novel chains right up until the ecosystem feels the impact.

This session aims to help security teams recognize those limits early, adapt deliberately, and build coverage that actually reflects how decentralized infrastructure fails in practice.

Hot takes
Auditorium