Cyberrey, which positions itself as a leading African cyber security distributor, will use its participation at ITWeb Security Summit 2026 to demonstrate why DNS visibility has become a critical, yet underutilised, telemetry layer in modern MITRE ATT&CK-aligned detection strategies.
As African enterprises accelerate SOC maturity, adopt MITRE ATT&CK frameworks and confront AI-driven attack automation, many organisations still discover that their detection capabilities cluster too far to the right of the kill chain. Alerts commonly surface during execution, persistence or data exfiltration – long after adversaries have established footholds.
Cyberrey will showcase how organisations can strengthen the left side of the attack life cycle by incorporating DNS visibility into detection engineering programs, without introducing architectural disruption.
Through its presence at ITWeb Security Summit 2026, Cyberrey will demonstrate how DNSSight enables organisations to enrich DNS telemetry with identity attribution, behavioural baselining and contextual correlation – transforming DNS from a background resolver into an early-stage detection layer.
Why ATT&CK coverage often misses early intent
The MITRE ATT&CK framework has become the common language of detection engineering. It provides structured mapping across adversary tactics and techniques, allowing organisations to measure coverage and maturity.
However, coverage on paper does not always translate to early detection in practice.
Most enterprises have strong telemetry around:
- Endpoint execution
- Credential access
- Lateral movement
- Confirmed command-and-control activity
These detections are important – but they are often reactive.
Early ATT&CK tactics such as initial access, discovery and resource development frequently generate weaker signals in traditional tools. This is where DNS becomes strategically important.
“Many organisations claim ATT&CK coverage on paper, but miss adversary behaviour in practice,” says Abdullah Kaymakci, Head of Business Development & Channel Strategy at Cyberrey. “DNS is one of the few telemetry sources that consistently exposes intent before execution. That is where real defensive advantage exists.”
Where DNS naturally aligns with MITRE ATT&CK
DNS intersects with multiple ATT&CK tactics earlier than most other data sources.
During initial access, phishing links, drive-by downloads and credential harvesting sites must resolve through DNS – even when access is blocked. DNS records intent regardless of outcome.
During discovery, attackers resolve internal and external services to enumerate infrastructure and test reachability.
During resource development, newly registered domains are tested before being weaponised.
During command and control, beaconing behaviour using fast-flux infrastructure, domain generation algorithms and short-lived domains frequently surfaces first as DNS anomalies.
In each scenario, DNS precedes execution.
Yet despite this alignment, DNS is often relegated to supporting evidence rather than treated as a primary detection signal.
The visibility gap in African enterprise environments
Across Africa, many enterprises operate complex hybrid environments spanning on-premises infrastructure, remote workforces, operational technology networks and cloud workloads. Endpoint coverage may be incomplete. Agent deployment may not be viable across IoT or legacy systems.
ITWEB SECURITY SUMMIT 2026
Now in its 21st year, ITWeb Security Summit is Africa’s premier cyber security event.
Under the theme: “Redefining security in the face of AI-driven attacks, fragile supply chains and a global skills gap”, the 2026 summit will take place in Cape Town (25-26 May) and in Johannesburg (2-4 June).
For more information or to register, visit www.itweb.co.za/securitysummit.
Under these conditions, DNS offers a universal telemetry layer that covers managed and unmanaged assets alike.
However, raw DNS logs are difficult to operationalise. High query volume, lack of identity attribution, inconsistent SIEM correlation and absence of behavioural baselines often render DNS data noisy rather than actionable.
“Across complex and distributed environments, early-stage visibility is critical,” says Noko Terrence Tuwe, Regional Director for Africa at Cyberrey. “DNSSight allows organisations to close ATT&CK gaps without adding operational burden or increasing endpoint complexity.”
From framework mapping to operational detection
Mapping DNS events to ATT&CK techniques only becomes meaningful when it leads to reliable detection and response decisions.
DNSSight enables this shift by correlating DNS telemetry in real time with directory services, DHCP records and VPN authentication logs. DNS queries are automatically attributed to specific users and devices, enriched with first-time domain detection and behavioural context.
Instead of anonymous domain lookups, SOC teams gain:
- First-time domain resolution alerts aligned with phishing techniques.
- Servers resolving infrastructure inconsistent with their operational role.
- Abnormal DNS frequency patterns indicative of beaconing.
- NX-domain behaviour associated with reconnaissance.
- Algorithmic domain patterns consistent with domain generation techniques.
These signals often appear long before endpoint alerts trigger.
By incorporating DNS visibility into ATT&CK-aligned detection programs, organisations strengthen coverage on the left side of the kill chain – where containment is faster and impact is reduced.
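The kind of correlation described above can be sketched in a few lines of detection logic. This is an added illustration, not DNSSight code or anything published by Cyberrey; the lease table, baseline, log rows, thresholds and all names are constructed assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample data: DHCP leases, a historical domain baseline, DNS log rows.
LEASES = {"10.0.0.5": "alice-laptop", "10.0.0.9": "build-server"}
BASELINE = {"intranet.example", "updates.example"}
# (epoch_seconds, client_ip, qname, rcode)
DNS_LOG = [
    (1000, "10.0.0.5", "intranet.example", "NOERROR"),
    (1010, "10.0.0.5", "login-portal.test", "NOERROR"),
    (1000, "10.0.0.9", "cdn-check.test", "NOERROR"),
    (1060, "10.0.0.9", "cdn-check.test", "NOERROR"),
    (1120, "10.0.0.9", "cdn-check.test", "NOERROR"),
    (1180, "10.0.0.9", "cdn-check.test", "NOERROR"),
    (1200, "10.0.0.7", "a1.invalid", "NXDOMAIN"),
    (1201, "10.0.0.7", "b2.invalid", "NXDOMAIN"),
    (1202, "10.0.0.7", "c3.invalid", "NXDOMAIN"),
    (1203, "10.0.0.7", "updates.example", "NOERROR"),
]

def detect(log, leases, baseline, min_beacon=4, max_jitter=2.0, nx_ratio=0.5, nx_min=3):
    """Return sorted (signal, asset, detail) findings for attributed DNS queries."""
    seen = set(baseline)
    times = defaultdict(list)   # (asset, qname) -> query timestamps
    totals = defaultdict(int)   # asset -> total queries
    nx = defaultdict(int)       # asset -> NXDOMAIN responses
    findings = []
    for ts, ip, qname, rcode in sorted(log):
        # Identity attribution: map the client IP to a leased device, or mark it unknown.
        asset = leases.get(ip, f"unattributed:{ip}")
        totals[asset] += 1
        if rcode == "NXDOMAIN":
            nx[asset] += 1
        elif qname not in seen:
            # First successful resolution of a domain absent from the baseline.
            seen.add(qname)
            findings.append(("first_seen_domain", asset, qname))
        times[(asset, qname)].append(ts)
    for (asset, qname), ts_list in times.items():
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        # Near-constant spacing between repeated lookups suggests beaconing.
        if len(ts_list) >= min_beacon and statistics.pstdev(gaps) <= max_jitter:
            findings.append(("regular_interval", asset, qname))
    for asset, count in nx.items():
        # A high share of NXDOMAIN answers from one asset suggests enumeration or DGA lookups.
        if count >= nx_min and count / totals[asset] >= nx_ratio:
            findings.append(("nxdomain_burst", asset, f"{count}/{totals[asset]}"))
    return sorted(findings)
```

The client at 10.0.0.7 has no lease entry, so its findings are reported as unattributed rather than dropped, which keeps unmanaged assets visible.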
DNS as a threat hunting enabler
Beyond real-time alerts, enriched DNS telemetry significantly enhances threat hunting.
Historical DNS baselining enables analysts to identify:
- Assets that contacted domains for the first time.
- Behavioural deviations preceding confirmed compromise.
- Suspicious infrastructure testing activity.
- Cross-asset correlation patterns.
Rather than relying solely on reactive alerts, DNS becomes a proactive hunting dataset.
This shift supports continuous threat exposure management and detection engineering programs without introducing additional agents or architectural change.
Strengthening resilience before impact
MITRE ATT&CK is not a checklist exercise. Its value lies in detecting adversary behaviour early enough to change outcomes.
As African enterprises continue to mature detection programs and defend against AI-driven automation, early telemetry becomes decisive.
By integrating DNS visibility through DNSSight, organisations enhance detection confidence, improve investigative clarity and reduce reliance on late-stage alerts.
DNS does not replace endpoint or network telemetry. It complements them by illuminating intent before action.
At ITWeb Security Summit 2026, Cyberrey will demonstrate how African organisations can move from framework alignment to practical defensive advantage by leveraging DNS as a foundational detection layer.
About Cyberrey
Cyberrey positions itself as a leading African cyber security distributor working with global and regional technology partners to help organisations modernise security operations without unnecessary disruption. Operating across Africa, Turkey, CIS and EMEA markets, Cyberrey enables enterprises to extract deeper intelligence from the infrastructure they already rely on through solutions such as DNSSight.
About ITWeb Security Summit 2026
ITWeb Security Summit 2026 will be held at Century City Conference Centre, Cape Town on 26 May 2026 and at Sandton Convention Centre in Sandton, Johannesburg from 2-4 June 2026.
Themed: ‘Redefining security in the face of AI-driven attacks, fragile supply chains and a global skills gap’, the 21st annual edition of Security Summit will continue in its tradition of bringing leading international and local industry experts, analysts and end-users together to delve into the specific threats and opportunities facing African CISOs, security specialists, GRC professionals and anyone else who is responsible for securing their organisation from cyber attacks.
Register today. Visit here for Cape Town or here for Johannesburg.