Everything the team needs for Gartner Security & Risk Management Summit. Demo materials, press, decks, deep-dive script, FAQ, and the booth staffing calendar. One place. One link. Always current.
~6:30 walk-through. Opens on the Agentic Flywheel, switches to the platform, covers Pulse, Investigations (BridgeRock and Atypical Travel), Response, Cases, Detection, Hunt, and closes on PLAID vs PLAID ELITE deployment.
The voiceover script behind the video above. Six and a half minutes. Includes flywheel open, every platform beat, and the deployment-model close. Production notes at the bottom cover Erika's updates for the next recording (AITM investigation, dual atypical-travel options, 7AI as a detection source, the new readable workflows).
Open scriptDay 1 wire release. Two new capabilities launching together: analyst-prompted Threat Hunt and feed-triggered Threat Intel Hunt. Both included in PLAID and PLAID ELITE at no additional cost. Anchored to two production findings: CRXfiltrate and Operation PCP Chain. NIST RA-10 angle for compliance buyers.
Open draftAnna's overview deck. The plan: who's going, what's announcing, booth strategy, the sessions to attend, customer meetings on the calendar, and how the field shows up. Required reading before you fly.
Open deckThe long-form demo guide. Every feature, every click path, every use case. If you are running the live demo at the booth or in a private suite, read this end to end. Investigation walkthroughs covered: Email, Identity, Endpoint, Cloud, DLP, and Clusters.
Open guideThe flywheel reference graphic. Open in a tab beside the demo environment. Six stops, one continuous loop. Used to set the framing before the live demo begins.
Open graphicWhat's new, what's where, what to say. Covers the new product capabilities going live for the show, customer proof points, talk-track basics, and the unwritten rules. Skim it before you walk the floor.
Jump to FAQWho's at the booth, when. Where the executive team is during sessions and customer meetings. Key meals, partner activities, and the executive war room.
Jump to calendarThe on-site channel. Lead handoffs, meeting reschedules, badge tips, swag refill calls, who's at the bar, urgent customer asks. If it happens at Gartner, it happens here. Turn on Notify you about → All new posts in the channel settings.
Open channelAnswers to the questions that come up at every event. New product capabilities, talk track basics, who to grab for what.
Threat Hunt and Threat Intel Hunt. Two new agentic capabilities go live with a wire press release on Day 1 (Monday, June 1). Both run on the same engine that has now completed more than 7 million investigations in production. Both ship to every PLAID and PLAID ELITE customer at no additional cost.
Threat Hunt is hypothesis-driven hunting across customer telemetry. An analyst writes a prompt: a suspected technique, an emerging behavior, a MITRE ATT&CK TTP. The platform executes a full investigation autonomously, returning a confidence-scored finding with recommended response actions in minutes.
Threat Intel Hunt operationalizes external threat intelligence two ways. Curated: paste a news article, blog post, IOC list, or TTP description and run a hunt immediately. Feed-driven: continuous IOC matching from integrated commercial feeds and customer-provided intel, with investigations launching the moment an indicator becomes relevant.
Also live in the demo environment for the first time: Unified Chat, Pulse, Custom Reporting, and the Mobile App.
Two production findings, both surfaced by the 7AI Threat Research Team using the capabilities we are launching:
CRXfiltrate. An undocumented JavaScript execution backdoor that operated across roughly 60 Chrome extension domains for 16 months. No public IOCs. No threat feed coverage. Hypothesis-driven hunting found it. Full research at blog.7ai.com/crxfiltrate.
Operation PCP Chain. When the LiteLLM Python package was compromised on March 24, 2026 (estimated 36% of cloud environments affected through transitive dependencies), Threat Intel Hunt deployed across the customer base within minutes of public disclosure. The hunt confirmed exposure where it existed and, as a byproduct of broad-spectrum hunting, surfaced 33 unrelated true positives that had been sitting undetected.
NIST SP 800-53 Rev. 5 RA-10 requires organizations to establish and maintain a cyber threat hunting capability that searches for indicators of compromise and detects, tracks, and disrupts threats that evade existing controls. Most organizations cannot staff one. Threat Hunt satisfies the requirement with always-on, hypothesis-driven, audit-ready investigations.
For healthcare prospects, it also supports the HIPAA Security Rule (45 CFR §164.306 and §164.308) requirements for organizations protecting electronic protected health information.
Use this with compliance-driven buyers. Skip it with security-driven buyers. They don't care about the framework, they care about the outcomes.
"Inside The World's Largest AI SOC Deployment: Proof, Not Promises."
Wednesday, June 3 · 11:00 AM · 30-minute session · Session code SPS73. (Originally scheduled for 3:00 PM, now moved to 11:00 AM.)
Three speakers: Mike Baker (CISO, DXC), Lior Div (CEO, 7AI), Nate Burke (CMO, 7AI). This is the proof beat for the year. Drag your prospects to it. Anna will have the room number in Slack.
"7AI is the agentic security operations platform. We do the repetitive work so your analysts can do the strategic work. Six stops, one continuous loop. Threat intel, hunt, detect, investigate, respond, optimize. Every cycle sharpens the next. DXC is running it at the world's largest deployment. Want to see it?"
Open the flywheel tab if they're curious. Then run the demo.
Named and approved: DXC Technology (Mike Baker), BigID (Kyle Kurdziolek), Duck Creek Technologies (Benjamin Dulieu), Blackstone (Adam Fletcher), OneSpan (J. David Christensen), Watco (Greg), Cole Scott & Kissane (Jason Thomas), Abacus Insights (Bill Brown).
Anonymous OK: Ochsner Health (healthcare, threat hunting context), Duck Creek (mid-market software when not using Benjamin's name).
The 80%+ Tier 1 workload reduction stat is approved only as a direct quote from Mike Baker. Do not paraphrase it as a body-copy claim.
PLAID is the platform. The customer licenses it and runs their own SOC on top. Their analysts. Their policy. We help onboard and tune.
PLAID ELITE is fully managed. Israel Barak's team operates the platform on the customer's behalf, 24x7. Customer gets the outcomes without staffing the operation. Same platform either way. Same flywheel. Same proof.
Always two words, both caps: PLAID ELITE. Never "Plaid Elite" or "PLAID+ELITE."
No "autonomous SOC." We say agentic SOC or agentic security. Lior's framing: making AI agents work for security teams.
Never frame AI as replacing analysts. The pitch is elevating analysts from triage to strategic work.
No competitor names in conversation if you can avoid it. Use category descriptors instead: "platform-first AI security," "hyperautomation platforms."
Do not self-label 7AI as MDR. PLAID ELITE is managed. It is not "an MDR service."
Show the breadth. Most of the names in our category (AI SOC startups, hyperautomation platforms) do a fraction of what 7AI does. They live in one lane. We are the agentic layer for the entire security operation: threat intel, hunt, detect, investigate, respond, optimize. The whole flywheel.
"You just showed me you go this way and this way" beats every feature comparison. Open the platform tab and walk them through two stops they didn't expect.
For MDR-style comparisons specifically, the differentiator is the platform itself. They get a ticket. PLAID ELITE customers get people who know their environment and the agentic infrastructure underneath. Same platform whether the customer runs it or we run it for them.
One answer, every conversation: "We price based on how you want to buy."
Two common shapes: per asset / per endpoint (the easiest one, the default starting point) or by use case (when a customer wants to start narrow, like just phishing). We meet customers where they are.
The thing to anchor on every time: it's predictable. Predictable for them, no surprise scaling, no nickel-and-diming. That's the part to repeat.
Don't quote a number. Don't speculate on discounts. Hand off to the field rep if they want to get specific.
Expect a lot of this question. National Harbor pulls heavy government attendance, both federal and state and local.
Current answer: "It's on the roadmap and we're moving toward it." Do not commit to a date or claim authorization in process unless the field rep has been briefed otherwise. If they ask follow-up, get their info and route to the field rep covering their account.
This may evolve over the show. Watch #gartnersec2026 for any updates on the official line.
Guidance pending. If the question comes up at the booth, get the attendee's info and route to the field rep on the account or to Allen for a follow-up call.
Updates will go to #gartnersec2026 if we lock a line before or during the show.
Mike Baker (DXC) is confirmed for the Wednesday fireside and will be on the floor around that session. Best opportunity for warm reference intros.
Anna is reviewing the attendee list for other known friendly accounts and will post any she finds in #gartnersec2026. Check the channel before you start prospect conversations so you know who else is in the room.
If a prospect asks for references in their industry, get their info and route through their field rep. We will not do warm intros on the floor without checking with the customer first.
The video is six and a half minutes. It barely scratches the surface. The CTA is schedule a full demo.
The language: "We only had time for six minutes here. I'd love to set up time to show you the full thing." Then either book it on the spot or scan their badge and route to the field rep.
Don't pitch a POC at the booth. Pitch the next conversation.
Get their name, title, company, and a phone number or email. Drop it in #gartnersec2026 with @-mentions to the right person on the team. Anna will coordinate.
For prospect meetings, the field sales team handles the follow-up. For partner meetings, Dave Webber (Cloud Alliances) is your contact.
Use the badge scanner at the booth for any visitor you talk to. Anything beyond a scan (warm intro, qualified conversation, named ask), put a note in #gartnersec2026 tagging the right rep. Marketing will manually add the contact to the Gartner 2026 Salesforce campaign for tracking.
7AI logo apparel is in the booth. Anna's overview deck has the full breakdown. Default is the new 7AI quarter-zip over a black tee. Comfortable shoes. National Harbor is a long walk between the conference center and most of the hotels.
Six rooms at the Gaylord National Resort & Convention Center (201 Waterfront Street, Oxon Hill, MD 20745). Two rooms at the Westin. Aaron is in an AirBnb. Yonatan is local.
Book flights ASAP if you haven't. For T&E, use your personal card and submit for reimbursement via Gusto.
7ai.com/gartnersec. Send it to any prospect or customer you want to schedule a 1:1 with on-site. Lior and Yonatan are available for executive conversations through the link. Anna's overview deck has the suggested email template.
We're recording live Do Human Work episodes throughout the week with security leaders. If you meet someone with a compelling story about how AI is changing their security operations, send them our way and we'll get them on the mic.
Anna runs a four-touch follow-up sequence:
June 4: All conference leads import into HubSpot. Follow-up lists and templates distributed.
June 8: First follow-up emails go out, promoting the AI SOC Gartner Report. Account owners send.
June 17: Second follow-up to anyone who didn't book a follow-up demo, promoting Threat Research pieces.
July 6: Third follow-up, promoting case studies and metrics.
Allen Lieberman, Yonatan Striem-Amit, and Israel Barak are the primary booth demo runners for technical conversations. For non-technical prospects, anyone on the team can run the booth demo using the recorded video plus the Pulse walk-through. Erika's deep-dive script is the source of truth for the long-form demo.
For on-site asks, default to whoever is at the booth right now. For specific needs:
CEO / vision / industry POV: Lior Div.
Architecture / agentic AI / how it works: Yonatan Striem Amit, Allen Lieberman.
Sales conversation, pricing, deals: Tommy Scott, Aaron Cote, or Jonathan Huether (field sales on-site).
Threat research / Threat Hunt examples: Juliana Testa.
Event logistics / lead scanning / customer meetings: Anna Suslova.
Press / analyst conversations: Nate Burke.
For PLAID ELITE and managed-service questions, Allen can cover at the booth. For deeper conversations, ping Israel Barak in Slack and we'll set up a call.
Day-by-day schedule of who's at the booth, sessions to attend, and standing meetings. Edits go through Anna.
| Time | Demo Station 1 | Demo Station 2 | Floater 1 | Floater 2 |
|---|---|---|---|---|
| 10:15 AM – 12:00 PM | Tommy | Yonatan | Jonathan | Anna |
| 12:00 – 2:00 PM | Juliana | Allen | Aaron | Syria |
| 2:00 – 4:00 PM | Tommy | Nate | Jonathan | Anna |
| 4:00 – 5:30 PM | Juliana | Yonatan | Aaron | Syria |
| Time | Demo Station 1 | Demo Station 2 | Floater 1 | Floater 2 |
|---|---|---|---|---|
| 9:45 AM – 12:00 PM | Juliana | Nate | Aaron | Anna |
| 12:00 – 2:00 PM | Tommy | Allen | Jonathan | Syria |
| 2:00 – 4:00 PM | Juliana | Yonatan | Aaron | Anna |
| 4:00 – 5:30 PM | Tommy | Nate | Jonathan | Syria |
| 5:30 – 7:00 PM | Juliana | Allen | Aaron | Anna |
| Time | Demo Station 1 | Demo Station 2 | Floater 1 | Floater 2 |
|---|---|---|---|---|
| 9:45 AM – 12:00 PM | Tommy | Nate | Jonathan | Anna |
| 12:00 – 2:00 PM | Juliana | Allen | Aaron | Syria |
Ten team members at Gartner. Six rooms at the Gaylord, two at the Westin, one Airbnb, and one local. Hotel breakdown in the Overview Deck.