2026 Talks
Ghost in the Hiring Machine: How to Spot Fake Personas Before They’re on Your Payroll
Common Ground, Tuesday 15:00-15:30, Florentine F
People are getting hired and trusted every day. Some of them do not exist at all, yet they still pass interviews, collect paychecks, and gain access to sensitive systems. Campaigns attributed to the DPRK have shown that this threat is very real. So how do you catch a ghost with a resume? Attendees will learn practical OSINT techniques for spotting fake personas and receive a checklist for thorough background checks. They will see these methods applied through two cases based on a true story, illustrating how these personas succeeded, how one could have been prevented, and where OSINT reaches its limits. These techniques not only help attendees detect fake personas but also provide practical ways to protect their own privacy and control what personal information is visible online.
How to Break Into My Home - Home Alarm Hacking 101 - TOKEN: 12
Skytalks, Tuesday 17:00-17:45, Sienna
How to Break Into My Home - Home Alarm Hacking 101 Ever bought a "proprietary, cloud-connected" alarm system and promised yourself you wouldn't poke at it? Yeah, me neither. After four years of restraint, I finally snapped and went full red-team on my own home - physical access, alarm bypass, crypto teardown, the usual stuff. This talk walks through the complete pwnage: from Flipper Zero-ing the garage door and borrowing the conveniently-placed ladder to silence the outdoor siren, to cracking the superuser installer code on the third brute-force attempt. We'll dig into a "world-leader manufacturer's flagship" alarm panel, its laughable "encryption" that would make Bruce Schneier cry, a replay attack to disarm the panel, which is "rejected" but executed anyway ¯\_(ツ)_/¯, and a "secret" fat client that lives on the world's most popular "binary piracy" site. No recording policy appreciated - the vendor is still trying to figure out how to deal with this. Bring your lockpicks. Leave my address at home. And always pay your cleaning lady well.
Open Relays in 2026: Red Team Initial Access Vectors
Breaking Ground, Monday 15:00-15:45, Florentine A
Think open email relays are a relic of the pre-1990s? Many online services may still function as one, especially with cloud-based multi-tenant infrastructure blurring the line between trusted and untrusted users. Traditional defenses like trusted IP ranges and SMTP authentication are no longer sufficient. In this talk we will discuss our adventures of exploitation of internet facing services which allow cross-tenant email origination to arbitrary email addresses effectively weaponizing this for initial access via phishing. We will discuss 4 concrete examples involving cross-tenant abuse of Microsoft online services that sent email on behalf of a highly privileged service principal. These new offensive techniques for initial foothold avoiding malicious attachments (which have high rate of detection) and focus on TTPs for weaponizing trusted cloud workflows, including web API manipulation targeting email clients where JavaScript execution is disabled, creative HTML injection paths, filter bypass strategies, and input-length constraint abuse. I’ll also cover the dead ends where exploits that looked promising but later collapsed under real-world conditions. With inbox placement effectively guaranteed, user-click probability is super high. We’ll dissect how desktop email clients differ from their web-based counterparts, and how those differences can be leveraged to shape exploit delivery and execution. Although the specific vulnerabilities were responsibly disclosed and quickly patched, the underlying patterns are far from unique and similar weaknesses likely exist across other enterprise applications beyond Microsoft’s online services. We’ll close with practical guidance for defenders on building hardened email-templating and notification pipelines, ensuring that your own web services can’t be hijacked and act as open relays, allowing threat actors to gain initial access or escalate their foothold.
Your Next Breach Won’t Have an Attacker - TOKEN: 2
Skytalks, Monday 11:00-11:30, Sienna
At 2 AM, our IR team got the call: production codebase wiped, database exposed, customer data missing. Classic breach indicators. Except the attacker wasn't a threat actor — it was an AI coding assistant with --dangerously-skip-permissions and a vague instruction to "clean things up." Over the past year, Profero's IR team has responded to a growing category of incidents we call AI-induced destruction — catastrophic damage caused by helpful AI assistants that developers trusted too much, instructed too vaguely, and permissioned too broadly. These incidents initially present like sophisticated attacks: data exfiltration, configuration tampering, mass deletion. But the root cause is a developer saying "fix the issues" to an agent with production access. This talk dissects three real incidents with full forensic reconstructions, walks through exactly how we distinguished AI-induced damage from adversarial behavior, and hands you a triage checklist and permission policy framework you can implement Monday morning. Demo: Live triage walkthrough using real artifacts from real engagements — actual tool invocation logs, chain-of-thought execution records, and ACL modification trails, anonymized at the client level only.
Wi-Fight Club: I am Jack’s Evil Twin
Training Ground, Tuesday 10:30-18:30, H110
Wi-Fight Club: I am Jack's Evil Twin will teach you how to deploy rogue AP (Evil Twin) in your client's environment. Using rogue APs lets you test your client's Wireless Intrusion Detection System (WIDS), passwords, wireless phishing education, and overall wireless security. We will discuss rogue AP Tactics, Techniques, and Procedures, and how / why they work. In this workshop you will set up a CAPTIVE PORTAL, WPA2, and 802.1x rogue AP. We will also go over OWE and WPA3-SAE transition mode attacks. We will wrap up the workshop by setting up a WIDS with Nzyme, learning what it should be detecting and alerting. We will walk through a scenario at a client's site, then set up a rogue AP to harvest users' credentials for the various client networks. We will go through how to crack the harvested credentials. We will finish up with a section on defense. We will be using EAPHAMMER, HOSTAPD-MANA, WIFIPHISHER, and AIRBASE-NG for the rogue AP section. HASHCAT, AIRCRACK-NG, and JOHN for the cracking section. This workshop is for beginners, but participants should have basic Linux and 802.11 knowledge and be comfortable using virtual machines.
Selective Defense: When Blue Teams Choose Who Matters - TOKEN: 4
Skytalks, Monday 15:00-15:45, Sienna
We like to believe blue teams are neutral. That we defend systems, not people. That risk is objective. That hasn’t been my experience. In this skytalk, I’ll share real scenarios where organizations made the decision not to engage (explicitly or implicitly) because of who the client was. Not based on risk, capability, or scope, but on bias. I’ve seen teams hesitate, deprioritize, or outright decline work tied to certain communities, industries, or regions in ways that didn’t align with any technical justification. This isn’t about policies on paper. It’s about how decisions actually get made in rooms where no one writes things down. We’ll talk about what that looks like in practice: how bias gets disguised as “fit,” “risk tolerance,” or “resource constraints,” how it impacts who receives protection, and how it quietly shapes the threat landscape by leaving certain groups more exposed than others. I’ll also speak to the position of being inside those environments; navigating the tension between professional responsibility and witnessing decisions that don’t sit right, especially when speaking up carries its own risk. This isn’t a talk about diversity initiatives or surface-level fixes. It’s a conversation about power, protection, and the uncomfortable reality that even in security, not everyone is treated as equally worth defending. Because if we’re honest, blue teaming isn’t just about stopping attackers. It’s also about deciding who we’re willing to protect in the first place.
Catch Me If You Can: Hooking your way into encrypted intimate IoT traffic
Common Ground, Tuesday 15:30-16:00, Florentine F
I wanted to hack a butt plug. And no, that is not the name of the next big pop hit. But really, what happens when you try to hack a butt plug over the internet and its app won't let you see what it's saying? This inquisition started with a simple curiosity about adult IoT devices and quickly ran into a 'wall': two Chinese companion apps for adult toys that encrypt all their API traffic on top of TLS, making traditional fuzzing and parameter tampering impossible. 'Come' with me as we walk through the journey of breaking those protections layer by layer using Frida and Burp Suite, bypassing SSL certificate pinning, and hooking native OpenSSL functions to pull AES keys directly out of memory. Along the way, we built CrypticBurp, a Burp extension that decrypts, lets you edit, and re-encrypts app-layer traffic on the fly, making these apps fuzz-able! The talk covers two apps, two different approaches (dynamic instrumentation and static analysis), and makes the case that app-layer encryption on consumer IoT devices could just be security theater hiding hardcoded keys and real vulnerabilities underneath. And from what we've found so far, about ~80% (or 4 out of 5) of Chinese-manufactured adult toys sold on Amazon use one of these apps as their companion app, amplifying this as a serious privacy, as well as a health and safety concern. Tooling and techniques aside, this talk highlights how methodical reverse engineering can tear down defenses that look solid on the outside but crumble once you start poking at them.
The Erosion of the Neutral Web and What Can Be Done to Save It - TOKEN: 10
Skytalks, Tuesday 14:00-14:45, Sienna
Since the dawn of the public internet, entities have co-opted a so-called "neutral" space, those machines neither attacker nor victim controlled, for various reasons: to proxy traffic, create DDoS networks, or similar. Yet we have seen an incredible uptick in the weaponization of this space by state-directed entities, leveraging vulnerable devices (especially residential equipment) and enhanced control mechanisms to produce complex proxy networks for offensive cyber use. Solving this problem is vexing as the "real" solution relies in securing the "neutral" web through which these operations take place. But likely operations taken by governments are moving in concerning directions, from more intrusive state interaction with infrastructure to nationalist device bans to riskier types of counter-offensive cyber. Within this context, the hacker community risks seeing the emergence of a balkanized internet where various entities divide the globe between "us" and "them" with the neutral space disappearing. In this discussion we will analyze the technical problems in play and what a hacker ethos might achieve to push back against the erosion of the space we all live in.
Stack Overflow, but the Largest Byte is 3F
Proving Ground, Tuesday 14:30-15:00, Firenze
This talk walks through the discovery and weaponization of a 0-day I discovered in Tinyweb, demonstrating how it is possible to achieve reliable Remote Code Execution (RCE) within a heavily restricted Base64 environment. The constraints of this exploit were extremely challenging: There was a maximum physical buffer of 692 bytes, and a flawed Base64 decoder dropped any hex byte larger than 0x3f. With the majority of standard x86 instructions, normal techniques are off-limits. With this presentation, I'll break down the steps required to escape this sandbox. Attendees will learn how to utilize a dirty ROP chain, build a custom decoder stub, utilize SIB (Scale-Index-Base) bytes, optimize an egg hunter, and finally jump to shellcode. Ultimately, this talk proves that within severe restrictions, understanding assembly and memory can change an impossible stack overflow into a reliable exploit.
Breaking The Silence: Cyber Harassment Research Continued…. - TOKEN: 11
Skytalks, Tuesday 15:00-15:45, Sienna
Cyber harassment raises legal and technological challenges where speech and misconduct overlap. This session outlines legal thresholds, evidence preservation, and response strategies while addressing psychological impacts and advocating for stronger protections, policies, and support systems.
Ace Your AppSec Interview: Hands-on Practice and Insights
Training Ground, Monday 15:00-17:00, PUB 365 Back Room
Application Security interviews can be challenging, but the right preparation can set you apart. In this hands-on workshop, you’ll tackle real-world AppSec scenarios through interactive mock interviews designed to build your confidence and sharpen your interviewing skills.
Come With Me If You Want a Job
Hire Ground, Monday 15:00-15:55, Florentine B
I feel a bit like Sarah Connor trying to warn people about Skynet. The difference is, I am not just warning you. I am trying to prepare you. I have given over 50 career talks in cybersecurity over the past six years. I told thousands of people how to hack their job search, build their brand, and land the roles of today. Then something changed. I went to an AI security event, lifted my head up from the day-to-day grind, and went deep. One month and $15,000 in AI credits later, my entire view of this industry was shattered. What I, a non-technical recruiter, can now build is insane. The advice I gave you in 2024 is obsolete. The industry has likely peaked in headcount. The jobs many of you are working in or studying to get into will not exist in 24 to 36 months. Teams are getting smaller but broader. The market is splitting in two, and there is no middle ground. This talk follows the money, breaks down six core problem domains that AI is creating, and looks at the underlying skills you will need to operate across them. It is not a list of job titles to chase. It is a look at where the problems are and what it takes to solve them.
Building a Quantum Safe Test Lab
Common Ground, Monday 15:00-15:45, Florentine F
This presentation outlines the setup and architecture for a post-quantum cryptography (PQC) test lab environment. It details the use of multiple isolated virtual machines—including Linux, Windows 11 Insider Preview, and Windows Server Insider Preview nodes—to evaluate PQC algorithms and hybrid TLS key exchanges across platforms. Automation and orchestration tools are employed to ensure reproducibility and facilitate testing. The Linux environment is configured with essential development tools, SymCrypt, and OpenSSL, enabling secure experimentation and cross-platform interoperability tests.
Sybil-Resistant Hiring: Verifying Real Signal in Cyber Interviews
Hire Ground, Tuesday 12:00-12:25, Florentine B
The goal of this talk is to cut the broken feedback loop in cyber hiring. Candidates are optimizing for keywords and volume instead of showing real growth and problem-solving. Hiring managers are fraing in AI-generated noise and responding by adding more filters instead of getting clear on what they actually need. Both sides are making it harder on each other. This talk challenges candidates to stop gaming the process and start showing continuous development. Real problems solved, real skills built, on the resume and in conversation. It challenges hiring managers to stop hiding behind generic requirements and design a hiring process that reflects what the role actually demands.
IT Security Certifications: Everything you wanted to know and more
Hire Ground, Tuesday 10:00-10:55, Florentine B
Whether you are an experienced InfoSec professional or just getting into the field, you will be confronted by a wide range of InfoSec certifications. Security+, CISSP, CISA, CEH, GSEC, etc. What are these certifications? What does it take to obtain them and keep them? Which ones should I focus on? And just as important, do I really need to obtain one for my career? In this presentation, we will go over the basics of certifications. And hopefully dispel some myths along the way. We start there, addressing some of these myths: do certs guarantee a job? do I really need one to get a job? how are companies using certs or the lack of them from candidates? We then address why they exist, how you obtain them (studying and testing), how you keep them, and how they work. We will look at the InfoSec certifications from the 5 main certifying bodies, CompTIA, ISC2, ISACA, EC-Council, and SANS/GIAC. And we will then look at several more specialized certifications that InfoSec professionals should be aware of and may also wish to pursue. And finally, we’ll try to answer what may be the most important question: what certs should I pursue? At the end of the presentation, attendees should have a better understanding of certifications and hopefully a good idea as to which ones they may want to pursue.
(A)I Feel the Need: The Need for Ludicrous Speed
Common Ground, Tuesday 17:00-17:45, Florentine F
Buckle up for a tag team AI security reality check that goes fast, occasionally furious, and kicks hype straight into the cosmos. Whether we like it or not, AI ai-n’t going away. It’s writing code, wiring up workflows, and sneaking into places our security controls never signed an NDA for. Some say the security rules have alllll changed. The truth is messier: some things are just the same old risks prancing around in a snazzy new jumpsuit, but now we’re dealing with “Look at me, Mum, I’m a DEvLeLoPisTeR” humans wielding AI like they just invented fire. In an igloo. Doused in gasoline. And No-as-a-Strategy is still an express train to Riskville. But now with added ludicrous speed. We slice through the noise, myth bust overhyped narratives, and sniff out snake oil from a mile away. Partake in our interactive “Can I Ship It?” segment on real world AI use cases, as we break them down from both enthusiastic builder and risk responsible perspectives. You’ll leave with clearer, no nonsense guidance for tackling AI driven risk, anecdotes you can drop into real “yes, but” conversations, and a few Britishisms you never knew you needed until now. It’s designed for practitioners, product folks, and leaders who want to think about AI related security without the doom, the jargon, and the marketing spin.
After the Jailbreak: A Product Security Incident Response Playbook for Agentic LLM Applications
Proving Ground, Tuesday 15:00-15:30, Firenze
Prompt injection. Jailbreaks. Tool misuse. Memory poisoning. Agent escape. The offensive side of LLM security has a rich and still-growing literature. The defensive side, the part that matters when an incident actually happens in a production system, has almost none. This talk is about what happens after the jailbreak. After a compromised customer service agent has already exfiltrated data through a tool call you didn't threat-model. After an autonomous code agent has already committed a malicious change. After a persistent memory store has been quietly poisoned across thousands of user sessions. Drawing on established product security incident response practice and the emerging agentic AI security literature, this talk walks through where traditional PSIRT workflows break when the product under triage is an LLM-powered application: evidence preservation in ephemeral context, scoping compromise through tool graphs you didn't inventory, root cause analysis on probability distributions, patching that isn't a version bump, and disclosure without a CVE namespace. Attendees leave with a concrete incident response playbook adapted for LLM-powered systems, a triage checklist for responders facing their first AI-native incident, and a sharper view of where their existing IR process silently fails when AI enters the product.
Paved Roads, AI Potholes: Security Platform Engineering in 2026
[un]prompted, Monday 17:00-17:30, Tuscany
Security platform engineering isn't new, but doing it well in 2026 looks very different than it did two years ago. This talk is a practical, opinionated guide to building a security development function from scratch: identifying problems worth solving, shipping MVPs, hiring the right people, and knowing when to throw your work away and hand it to a vendor. What makes this talk different is the honest look at how AI has reshaped the landscape. We'll cover how techniques like ralph loops let you prototype security tooling faster than ever, but also the flood of new problems AI has created. Agent sandboxing, AI access control, and features shipping before anyone's secured them. We'll be real about where AI genuinely helps, where it's marginal, and why shipping faster doesn't eliminate the maintenance burden. Whether you're a security engineer thinking about building your first tool or a leader deciding whether to staff a dedicated team, you'll leave with a practical framework to make that call.
Every ride you take - Hacking a City’s Public Transportation
Breaking Ground, Wednesday 12:30-13:00, Florentine A
Let's talk about some critical infrastructure that millions of people use every day: Public transportation. In this talk, I’ll present some findings that I discovered in the public transportation ecosystem of one of the largest cities in Argentina, impacting more than 1.5 million people daily. Reading code, chaining vulnerabilities, weak access controls, and flawed internal designs, I got full access to core mobility systems, from buses to taxis, including DVRs, transport cards, user data, real-time tracking and administrative panels. We’ll walk through the technical exploitation path, the real-world impact and the lessons learned.
Agents of Chaos: A Systemic Approach to Finding GCP 0-Days
Common Ground, Wednesday 10:30-11:00, Florentine F
Do you have what it takes to find 0-days in cloud provider infrastructure? It’s more likely than you might think. Searching for vulnerabilities in CSPs can sound intimidating, but it’s more accessible than it seems, and I will guide you through it. I will share a tool and proven methodology for identifying vulnerabilities as we explore two severe privilege-escalation vulnerabilities I discovered in Google Cloud services. We will learn why GCP’s built-in service agent identities are inherently flawed, and I’ll demonstrate how you can exploit them to escalate your privileges from minimal access to full project control. We’ll talk about why IAM vulnerabilities like these are unique to the cloud, common, and straightforward to hunt for (once you know where to look). Come for the 0-days, stay for the tools to find your own.
Binary Jiujitsu: White Belt and Blue Belt Fundamentals
Training Ground, Monday 10:30-14:30, H108
Day 1: White Belt — Foundations of Binary Exploitation Binary exploitation has a reputation for being inaccessible — not because the concepts are beyond reach, but because most resources assume a baseline beginners don't have. Students get dropped into complex environments, spend hours fighting toolchains and libc versions, and never make it to the actual exploitation concepts. Binary Jiu-Jitsu fixes this with a structured, gamified curriculum modeled after the Brazilian jiu-jitsu belt system. This instructor-led workshop takes students from zero exploitation experience to writing working exploits against 32-bit x86 binaries. Across four stripes, students learn process memory layout, source code auditing, dynamic analysis with GDB, and exploit development with pwntools — with hands-on challenge binaries at every step. The workshop concludes with a White Belt assessment. Students who pass exchange their electronic badge for a blue belt and are invited to compete in a post-workshop CTF for Binary Jiu-Jitsu tournament medals. No prior exploitation experience required, some programming experience helps Day 2: Blue Belt — Shellcode and 64-bit White belt gave you control of the instruction pointer. Blue belt teaches you what to do with it. This instructor-led workshop picks up where White Belt leaves off, moving students into 64-bit environments and teaching them to write their own shellcode from scratch. Students begin by discovering why their white belt techniques fail on 64-bit targets — rebuilding their mental model around the x86-64 ABI and register-based calling conventions. From there, students learn x86 assembly fundamentals before writing and injecting working execve shellcode into live processes. The workshop closes by introducing NX — the protection that makes direct shellcode injection impossible on modern systems — and covers the foundational concept behind Return Oriented Programming as the answer to it. Students leave understanding not just how to exploit, but why the techniques they just learned stop working and where the curriculum goes next. Students who pass the Blue Belt assessment exchange their badge and are invited to compete for tournament medals. Prerequisite: White Belt or equivalent buffer overflow fundamentals.
Social Engineering the Machine
Ground Truth, Wednesday 12:00-13:00, Florentine E
Social engineering works because it doesn't need to beat your logic, it just needs to prevent your logic from activating. This talk is about that mechanism, and what happens when you train a machine to notice it. Human susceptibility to social engineering is not random. Attackers exploit predictable cognitive patterns, urgency that bypasses deliberation, authority signals that shortcut verification, familiarity cues that lower scrutiny, reciprocity that creates obligation. These aren't tricks. They're repeatable targeting primitives. We break down how they work across three real-world attack scenarios: BEC email fraud, spearphishing, and vishing (pretexting phone calls), annotating every cognitive hook in plain language. Then we run a live demonstration to see how well these known primitives work against real people. Two Agentic Bots, with the Same base model. One has been given cognitive defense training, a system prompt encoding awareness of influence techniques and how to name them when they appear. The other has no such training. The audience socially engineers both via QR code, and we observe in real time which techniques the defended model catches, which it misses, and what that tells us about awareness as a defense primitive. The demonstration is deliberately simple. The question isn't whether a system prompt can perfectly defend against prompt injection: It's whether framing a model to think about influence changes its behavior in measurable ways. The audience finds the edges. All demo code and the defended bot's system prompt are open source. These bots will be publicly available after the demonstration.
AD security is not the end : Why Middleware is the New Tier 0 and How It Can Be Weaponized for Total Compromise
Breaking Ground, Tuesday 10:00-10:45, Florentine A
The EDR is green. The Active Directory is hardened. The SOC is watching for every suspicious PowerShell execution, malicious network packet and every known malware signature. In this high-maturity environment, a traditional intrusion isn't just difficult, it's a trap. But while the front door is locked and bolted, the "Management Plane" has left the keys under the mat. This talk deconstructs a series of high-impact Red Team operations where we achieved total enterprise compromise without ever needing to drop a custom binary or fight an EDR. Instead of fighting the defenses, we became the defenders. We call this Administrative Living-off-the-Land (ALotL): the art of moving through an organization by abusing the very trust chains meant to secure it. We will trace the domino effect of a real-world operation, starting from a quiet foothold in a CI/CD runner. You will see how we pivoted through IAM workflows, hijacked cloud control planes, and ultimately turned the organization's own security tooling against them. By the time we reached Domain Admin, our footprint was indistinguishable from a busy Monday morning for a DevOps engineer. The uncomfortable reality? When an attacker's actions are 100% legitimate administrative API calls, "detection" becomes a philosophical question of intent rather than a technical one of telemetry.
OT Systems: how to secure them in practice!
Training Ground, Wednesday 10:00-12:00, H114
Securing OT systems is often presented as challenging, with multiple business constraints - but is it that complicated, especially considering a single industrial site? In this 4-hour, hands-on workshop, each participant will manipulate a simple but realistic Industrial Control System setup with SCADA systems & PLCs. Attendees will have the opportunity to secure it step by step, through several hands-on exercises & discover how to manually secure OT systems: OT inventory, backups, network security, system hardening and detection. What if the real challenge is OT security at scale? Besides implementing manual security on our setup, we will address each step of the way OT security at scale and share feedback on how large companies are securing their OT systems, both at organizational & technical level: community of OT cyber correspondents, OT DMZ and security tools deployment.
C(2)YA: Inside the Adversary’s Inbox
Breaking Ground, Monday 18:00-18:45, Florentine A
85 findings exploitable from the internet with zero prior access. 28 takedown chains. Crypto failures that let you decrypt all C2 traffic with one recovered key. Six months ago I pointed LLM-assisted research at the five most-deployed open-source C2 frameworks - Havoc, Mythic, Sliver, Covenant, AdaptixC2 - from a defender's perspective. 251 design flaws, behavioral weaknesses, and vulnerabilities later, I had something I didn't expect: a systematic map of how to turn these frameworks against the operators running them. I validated every finding in realistic lab environments. Then I tested the passive-observation class against 35 live Havoc servers using Shodan and Censys. What I found: operators running active campaigns against victims in education, manufacturing, legal, and biotech across eight countries. Five distinct archetypes emerged - from a student-level operator struggling with UAC bypass, to a mass deployer running hundreds of agents with near-zero manual commands. The root cause across all five frameworks is the same design assumption: the only adversary is the target machine. Five independent teams built the same blind spot. Eight bug classes recur across all five codebases. That's not coincidence - it's architecture. The research is classified on a defender-weighted severity scale, not CVSS, because the fingerprinting bug that tells you where the server is ranks above the one that merely crashes it. The talk delivers a practical framework for defenders and a legal/ethics tier that tells law enforcement which findings require a court order, which are one-packet kills reachable from the internet right now, and which stay in the paper. Havoc was archived by its maintainer on February 21, 2026. No patches coming. The tools exist. The findings are here. This talk is about what defenders do with them.
Privacy’s Defenders: How Hackers Helped and Can Do So Again
Common Ground, Monday 11:00-12:00, Florentine F
Hackers have a long history standing up for justice and that history has a lot to teach and inspire the hackers of today as we face a world with 360-degree surveillance that is increasingly marshaled against us by both companies and governments. My talk will tell background and stories from my book, Privacy's Defender, that tells the story of my 30 years working with EFF to try to protect security and privacy in the digital age. Cards on the table: I'm trying to recruit you to join in the fight.
Your Red Team Doesn’t Follow a Kill Chain: What 95 Engagements Actually Look Like
Breaking Ground, Tuesday 11:00-11:30, Florentine A
We recorded everything 95 red team engagements did: 1,265 terminal sessions, 6,001 commands... and built causal knowledge graphs that track how operator knowledge flows between actions. The data contradicts several things the security industry takes for granted. Operators don't follow a kill chain. They spiral between credential access and discovery an average of 12 times per engagement. Lateral movement fails 58% of the time, and most of those failures produce artifacts nobody monitors for. Hostnames, not IP addresses, are the real knowledge bottleneck. A third of engagements pivot on a single breakthrough command. And the best predictor of reaching exploitation isn't command count; it's causal edge density. We release Ithildin, the open-source toolkit, so you can run this analysis on your own engagements.
FHIRbug: Cross-Vendor OAuth Security Patterns in 14 Production Healthcare APIs
Common Ground, Wednesday 10:00-10:30, Florentine F
Healthcare FHIR APIs are mandated by CMS-9115-F for most US insurers and ONC §170.315(g)(10) for certified EHRs. The mandate produced dozens of production FHIR deployments at payers, EHR vendors, and middleware aggregators, each implementing the same OAuth 2.0 / SMART-on-FHIR stack with its own auth-layer quirks. In a 72-hour engagement, I tested 14+ healthcare FHIR OAuth implementations for one bug class: response-discrepancy-driven OAuth client ID enumeration (CWE-204, RFC 6749 §5.2 gap). Results: **seven of fourteen stacks leak client_id existence** through four error-discriminator patterns. Three are different OAuth products (Okta, IBM Security Verify, Django OAuth Toolkit). The fourth is one major EHR vendor whose product code affects 748+ hospital deployments. For that vendor I extended the breadth test to a 100-endpoint random sample: **98 of 100 returned cryptographically byte-identical responses** (one SHA256 per response class across 98 independent hospital deployments). Conclusive evidence of a product-level defect. The not-vulnerable stacks (CMS BCDA's Go SSAS, Redox's Auth0+Okta tenants, Microsoft Entra) show the pattern is avoidable with explicit error-response hygiene. The same engagement produced a cross-vendor SMART-on-FHIR discovery survey (16 stacks), JWT fuzzing with 10 attack classes, and a CMS DPC bulk-FHIR investigation that surfaced a HAPI-style serialization leak. That finding was attributed to DPC's non-HAPI serializer, not HAPI itself, after a mid-engagement correction worth discussing. The talk delivers three things: the cross-vendor findings with framing for other hunters to replicate, the 6-phase methodology (`PLAYBOOK.md`), and `FHIRbug`, an open-source toolkit (22 modules, 14 CLI subcommands) at github.com/bobbykuzma/fhirbug. No undisclosed vendor findings will be named. Vendors in active coordinated disclosure are discussed in aggregate ("one major EHR vendor") with specifics added only where the 90-day window has closed by conference date. Audience takeaways: a reusable FHIR attack methodology, an open-source toolkit to apply it, and a template for cross-vendor sector analysis.
The Meeple Problem: How to Build Risk Controls Around Actions, Not Roles
Ground Truth, Tuesday 11:00-11:45, Florentine E
Our riskiest employees aren't in the roles we've built our security programs around—and the data has been showing us this for years. HR and legal top DLP violation charts, not developers. Executives click phishing links at four times the rate of frontline staff, request more security bypasses, and access more unauthorized data than almost any other group—yet remain institutionally protected from scrutiny. Younger "digital natives" are measurably riskier than older ones. And the contractor nobody was watching onboards threat actors. When we reduce a human being to a single variable—their role, their seniority, their employment status—we treat them like a meeple: a playing piece of one color, one value, one assumed behavior. Security programs built on meeple logic make simultaneous errors in both directions. They over-train the people who don't need it and burn through their goodwill. They under-monitor the people who do, because those people don't match the shape the program was designed around. This session draws on 6,500+ person survey research across nine countries, behavioral telemetry from hundreds of thousands of employees, and real-time incident analysis to make a single uncomfortable argument: role is the wrong sole variable for human risk decisions—and using it as a proxy across our control stacks creates false positives and false negatives simultaneously. You'll leave with red flags that signal biased assumptions have calcified into permanent policy, specific variables to cross-reference in your existing tech stack, and a framework for building cohorts around what people actually do—not what their org chart says they should. No new tooling required. Just better questions.
For Prompt Injection, Press 1: Hacking AI Voice Agents
Proving Ground, Tuesday 15:30-16:00, Firenze
What happens when you social engineer an AI agent that was trained to be helpful over the phone? Can you get it to reveal its system prompt out loud? Will it disclose information about other callers? How far can you push it before its guardrails kick in? AI voice agents sit behind telephony layers like speech-to-text, text-to-speech, and call routing that introduce new attack surfaces and opportunities. They're replacing human operators everywhere: answering phones at doctor's offices, handling IT help desks, triaging customer support, booking appointments. They sound human, but underneath they're the same LLMs we've been prompt injecting. I built an open-source tool that tackles this by placing real phone calls to voice AI agents, speaking attack scenarios using text-to-speech, capturing responses via speech recognition, and analyzing transcripts for signs of successful exploitation. It maps 20 attack scenarios across five categories from the OWASP Top 10 for LLM Applications: prompt injection, sensitive information disclosure, system prompt leakage, excessive agency, and misinformation. Detection uses pattern matching and an LLM judge to catch both obvious and subtle failures. I'll demo the tool live against voice AI agents and walk through what these attacks look like in practice.
SIGINT and the U.S. Intelligence Community: What I Actually Did During OEF - TOKEN: 9
Skytalks, Tuesday 12:00-12:30, Sienna
Most people think the U.S. Intelligence Community is some kind of wizard tower: shadow agencies, secret rooms, and covert spy mumbo jump. It’s mostly a black box to outsiders, and honestly…that’s by design. I spent over a decade on the inside. This talk is a blunt, unclassified walkthrough of what the U.S. Intelligence Community (USIC) actually is, how it’s structured, and how it functions. We’ll start with a fast, broad overview of the 17 U.S. intelligence agencies, and why the system looks like an overcomplicated nonsense mess…..because it is. Then we’ll break down the “INTs” in plain English: SIGINT, HUMINT, IMINT, MASINT, and OSINT. What are these disciplines actually used for? And how do they feed into operations? After that, I’ll give a quick background on my role as a Signals Intelligence (SIGINT) analyst supporting Operation Enduring Freedom (OEF), then we get into the real meat: what I actually did for years supporting combat operations. Not movie stuff. Real-world analyst work. Building target packages, assessing high value targets, analyzing areas of interest, and pushing actionable intelligence into the hands of people who were making life-or-death decisions. No classified sources. No “methods.” Nothing that crosses the line. If the USIC has ever seemed like a locked room full of jargon and bullshit…come to the show.
Purple Teaming in Practice: Emulate, Detect, Adapt
Training Ground, Monday 10:30-14:30, PUB 365 Back Room
**Think Like The Adversary. Defend Like You Mean It.** Ready to level up your purple teaming game? Join us for a hands-on, 4-hour deep dive into the art of adversary emulation, where red and blue stop fighting and start collaborating. We'll walk through the full Purple Team lifecycle using the newly updated **Purple Team Exercise Framework (PTEF)**, from pre-engagement planning to live threat emulation. This is not a theory only session; you'll get your hands dirty by actually running one. ## What You'll Walk Away With: - A solid, end-to-end understanding of the purple teaming process - Clarity on the roles and personnel needed to run an effective exercise - Hands-on experience with the Purple Team Exercise Framework - Techniques for building and executing custom threat emulation campaigns - Real tool reps across the threat emulation stack - Hunting skills to surface malicious activity during a live engagement ## Requirements - A laptop with a modern web browser - Curiosity and a willingness to get your hands dirty
FLASI: When Your SIEM Is Too Expensive to Tell You the Truth
Breaking Ground, Tuesday 15:00-15:30, Florentine A
Every firewall in your network is generating millions of events per day. Your SIEM is probably ignoring most of them, not because your team isn't paying attention, but because the economics force you into an impossible choice: log everything and blow your budget on EPS licensing, or filter aggressively and quietly lose the visibility you need to detect real threats. This is the problem FLASI was built to solve. FLASI (Firewall Log Analytics and Security Intelligence) is an open-source platform built from the ground up inside a real SOC, designed to ingest, parse, and transform firewall logs into actionable threat hunting dashboards using Grafana, Vector.dev, and VictoriaLogs/Elasticsearch without sacrifices. In this talk we'll cover how FLASI works under the hood: the data pipeline design, the hard lessons from running it in production and a live threat hunting case study. We'll also walk through a live Grafana dashboard demo showing how a SOC analyst can go from a suspicious indicator to a full network picture in under 5 minutes. If you want to make sense out of your firewall logs, this talk is for you.
Bridging the Gap - – Four Realities of Getting Hired in Cyber Security
Hire Ground, Wednesday 10:00-10:45, Florentine B
This session explores the disconnect between academic cybersecurity training and real-world industry expectations. Attendees will gain practical strategies to better prepare emerging professionals through hands-on experience, foundational skill development, and community engagement. This session explores how educators, practitioners, and the cybersecurity community can work together to bridge the gap between classroom learning and real-world security operations. Drawing on years of industry experience and teaching cybersecurity students, this talk highlights the challenges new professionals face when entering the workforce, including unrealistic expectations, lack of practical experience, and the highly competitive nature of entry-level roles.
Hands on with USB HID Attacks
Training Ground, Tuesday 15:00-19:00, H116
They always say don't plug in unknown USB devices, but that warning only lands when people understand what's actually at stake. This hands-on training demystifies USB and HID attacks using O.MG Devices and DuckyScript 3, taking attendees from zero knowledge to deploying functional payloads against real targets. It will focus on O.MG devices, but the skills learned will be transferable to any DuckyScript-compatible device. This training will cover the fundamentals of physical red teaming and what separates Hollywood hacking from real-world assessments, dig into how USB works under the hood including USB protocol, HID, keymaps, accessibility-first payload design, and the gotchas that burn people in the field. From there we step through the O.MG platform itself, building out payloads starting from the basics up to more powerful capabilities like C2 integration, GeoFencing, HIDX Stealth Link, and remote control. Attendees will be hands-on throughout, writing and testing real payloads against live targets. We will work through practical payload design from the ground up, including how to account for target OS, locale, and existing devices, and how to think about reliability and repeatability the way a professional engagement demands. This training will also cover OPSEC: what to do, what not to do, and how to avoid the mistakes that get redteamers caught or leave a payload dead on arrival. By the end, you will have a solid foundation for incorporating USB HID attacks into your physical red team toolkit, and the troubleshooting instincts to make them work when it counts.
Low Severity, High Impact: The Bugs Companies Ignore
Breaking Ground, Monday 17:00-17:45, Florentine A
Bug bounty programs promise a simple deal: find a vulnerability, report it, and it gets fixed. But that promise starts to break when the issue is not a technical exploit, but a flaw in how the business itself works. Imagine a platform offering “unlimited free beverages.” With a bit of curiosity, you discover a way to claim them endlessly. No hacking, no advanced tooling, just a gap in the logic. You report it expecting impact. Instead, it is labeled “low severity,” rewarded modestly if at all, and quietly deprioritized. This talk focuses on those bugs. Not the flashy RCE chains or memory corruptions, but the ones that actually cost companies money. Business logic abuse. The kind that bypasses payments, exploits referral systems, and unlocks premium resources at scale, often in ways anyone could reproduce. Through real-world cases, including major e-commerce platforms, Snapchat via PlayCanvas, and a global fast-food chain, we will break down how these flaws work, how to systematically find them, and what makes them so effective in practice. More importantly, we will look at what happens after you report them. Why are financially impactful issues often labeled “low severity”? Why do they struggle to compete with more traditional vulnerabilities? And why do companies, even when aware, sometimes choose not to prioritize fixing them? You will leave with a practical approach to identifying these vulnerabilities, and a clearer understanding of the incentives, trade-offs, and blind spots that shape how companies respond to them.
89 Seconds to Compromise: Inside npm Supply Chain Attacks and How to Fight Back
Proving Ground, Wednesday 10:30-11:00, Firenze
The npm ecosystem is facing a relentless and growing wave of attacks driven by both nation-state actors and AI-powered threats. Since 2019, over 1.23 million malicious packages have hit the registry, with a 156% spike in 2024 alone. This talk is not theory. It is a practitioner account drawn directly from incident response during two massive supply chain breaches: the Nx/s1ngularity compromise in August 2025 and the Axios attack in March 2026, attributed to the North Korean group UNC1069 and the highest-impact npm supply chain attack ever recorded by download exposure. We break down the attacker playbook from both sides: social engineering, npm account takeovers, AI-weaponized coding agents, and the rise of state-sponsored operations. Then we flip to the defender reality: what these breaches actually look like in EDR and SIEM telemetry, how to scope and contain the damage fast, and what a battle-tested IR playbook needs to look like in 2026. You will walk away with a concrete IR playbook, real-world detection queries, an honest look at what attackers actually do once they are on a developer machine, and a set of proactive controls that genuinely shrink your blast radius.
I am CVE, AMA!
Common Ground, Wednesday 12:00-12:45, Florentine F
I am CVE, AMA! At BSidesLV 2025, we put together a panel of CVE experts to discuss the state and future of CVE. Alas, we ran out of time for audience questions, caught some shade over that, so this year, we’re coming back with an “Oops all questions!” version. Expect a short intro from the panel, then we’ll turn it over to the audience for questions and discussion! No topic is taboo, modulo the code of conduct, of course.
Tod Beardsley, Lindsey Cerkovnik, Jerrry Gamblin, Madison Ficorilli, Katie Noble
Criminal Hijacking: Profiling Threat Actors engaged in session takeover with Infostealer Logs
PasswordsCon, Tuesday 15:00-16:00, Tuscany
In this talk, we present findings from a novel campaign that turned infostealer malware against cybercriminals. By seeding a cracked version of BLTools, a credential checker used almost exclusively in underground forums, a threat actor effectively doxxed hundreds of fellow criminals and created a unique intelligence windfall in the process. This dataset offers an unfiltered view into real-world operations behind account takeover, financial fraud, romance scams, and credential monetization. Rather than observing attackers from the outside, we analyze their behavior from within, including their tools, environments, workflows, and operational mistakes. We will walk through key TTPs uncovered across these systems, including credential management practices, OPSEC failures, infrastructure reuse, and the tooling ecosystem that enables cybercrime at scale. Attendees will gain grounded insight into how low- to mid-tier actors actually operate day to day. We will also explore the ethical considerations of this approach and how defenders can use these insights to better detect, disrupt, and understand modern threat activity.
Agents Under Fire
Ground Truth, Wednesday 11:00-11:45, Florentine E
AI and agents are reshaping how we work, but do they hold up when everything is on fire and an attacker is actively taking down your network? We put that to the test at three competitions, CIRCUS and WRCCDC 2026 Qualifiers and Regionals. Across these events, we challenged common assumptions and marketing claims about whether AI helps or hinders defenders. To get answers we built a tool to intercept every AI request across 30 human and AI blue teams and professional red teams. In total, we captured and analyzed millions of tokens, prompts, and responses. Some things worked, AI successfully triaged broken services from minimal, often unclear input, filled knowledge gaps on demand, and reduced back-and-forth when defenders provided limited context. It proved useful as a rapid augmentation layer under pressure. Other things did not, defenders tended to use AI like a search engine, reactively, one issue at a time, rather than as a strategic or proactive tool. This limited its effectiveness in complex, evolving scenarios. We also uncovered in common AI safety mechanisms. Filters blocked legitimate prompts hundreds of times while still allowing clearly malicious or intent-driven prompts through. This mismatch created friction for defenders without meaningfully stopping abuse. In this talk, we break down what worked, what failed, and why. We examine the design decisions behind both the tools and their usage, and explore what it means to hand control, even partial control, to AI agents in high-stakes defensive environments.
Prompt Injection Is an Auth Bug: The Case Against Bearer Tokens in an Agentic World
[un]prompted, Monday 14:00-14:45, Tuscany
We've been calling prompt injection an AI safety problem. It isn't. It's an authorization problem we've been letting the AI safety community own because the word "prompt" is in the name. And the deeper bug isn't even prompt injection; that's just the loudest symptom. Every authentication system in production today assumes whoever holds the credential intends to use it the way the issuer expected. That assumption breaks completely when the bearer is an agent that can be redirected by an email, a webpage, or a WebSocket from a browser tab. Picture an agent with legitimately issued OAuth tokens to your Slack, your inbox, and your laptop. An attacker never speaks to the model. They open a WebSocket from a browser tab, authenticate to the local gateway, and instruct the agent to do its job: search, read, exfiltrate. Every credential is valid. Every action is in scope. Every existing control says yes. This is ClawHavoc, February 2026, and it's a preview of what every agent framework is on track to ship. The auth system worked exactly as designed. That's the problem. OAuth scopes, JWTs, mTLS encode *who is acting*, none encode *why*. Finer scopes can't close the gap. Zero Trust largely hasn't, because most deployments still resolve to "is the bearer authenticated" at the decision point; they moved the perimeter without changing the question. This talk argues authorization at scale has to decompose into three time-separated decisions: **policy at call-site** instead of at token issuance, **signed intent attestations** propagated across delegation hops, and **human-in-the-loop as architectural primitive** rather than UX afterthought. None works without the others. After 15+ years building security programs through basic auth, OAuth, SAML, and passkeys — and the last few wiring agents into systems never designed to host them — I'll offer a four-part evaluation framework for auditing your own agent stack's authorization model, and a sharper answer the next time someone tells you their agent framework is "secure because it uses OAuth."
Devising and Detecting Voice Phishing: Large AI Voice Models (ElevenLabs, Gemini, Sesame) vs. Traditional Human Scam Techniques
Ground Truth, Monday 10:00-10:45, Florentine E
Voice phishing (vishing) attacks have traditionally been limited by the need for human operators. The rapid emergence of high-quality AI voice synthesis and large language models (LLMs) reduces this bottleneck and enables scalable, automated scams. In this presentation, we describe a large-scale survey experiment (N=4100) and qualitative interviews (N=12) that assessed U.S. adults’ susceptibility to AI-powered voice phishing attacks. Participants were exposed to audio recordings or transcripts of scam scenarios generated by leading voice models, including Llama Full Duplex, Sesame, Gemini, OAI AVM, Play.AI, and ElevenLabs. We tested five different scam scenarios, such as password reset scams and relative-in-distress scams. Success rates reached up to 36% for certain scam categories. Caller persuasiveness was the strongest predictor of compliance, regardless of whether the caller was believed to be human or machine, and certain models (most notably Sesame) achieved ratings comparable to human voices, or sometimes even slightly surpassing them. We also present detection strategies for AI-generated voice phishing, including human recognition and automated classification. Our study shows that humans struggle to distinguish AI-generated scam calls from human voices: participants frequently misidentified human callers as AI, correctly recognizing human voices only 24–45% of the time. We also present an economic analysis showing that human-operated vishing is unprofitable at US wages, while AI-powered vishing is already profitable for several models. Thus, the primary risks of present-day AI-vishing lie in improved scalability, not in novel or “superhuman” persuasion techniques. The increased incentive for attackers will likely lead to a surge in attacks. Our study raises concerns for consumer protection and model release policies, and highlights the lack of technical and regulatory protection mechanisms.
Making Preparedness and Personal Resilience Approachable
I Am The Cavalry, Wednesday 10:00-10:30, Copa
Disaster preparedness is often approached as "buy some stuff" rather than "take some action". This talk will bring together best practices from across the United States and beyond to examine ways that preparedness can be made more accessible for everyone, regardless of income, lifestyle, or location, with the focus being on personal and household resiliency rather than gathering "things".
Kill the Login: Continuous Trust in the Age of AI
PasswordsCon, Tuesday 12:00-12:30, Tuscany
Authentication has always answered one question at one moment: is the human at the keyboard who they claim to be? Passwords, MFA, passkeys, and behavioral biometrics share that frame. Agentic AI breaks it. When an authorized LLM agent files the expense, moves the funds, or pushes the deploy, the question is no longer “is this the right human.” It’s “is this the right actor — human or not — and is the session still trustworthy right now?” In some workflows the question inverts entirely: a human at the keyboard becomes the anomaly, and continued machine execution is the trusted path.
Jacqueline Suttin, Len Noe, Corrina Alcoser, Steven Bernstein
Nobody Told Me I Could Grow: Building a SOC Career You Actually Want
Hire Ground, Wednesday 11:00-11:55, Florentine B
You landed a SOC job, or you're trying to. Either way, nobody handed you a map. Most organizations hire L1 analysts and leave them to figure it out on their own after initial training. There's no written career ladder, no clear answer to "what does L2 even mean," and no one telling you which cert to get next or how to ask for a promotion/raise when the path was never defined in the first place. This talk is for analysts at the beginning of that journey. It's for people who are hungry to grow but don't know where to start, or who've been grinding alerts for some time and feel stuck. We'll cut through the noise on certs, demystify what real tier progression looks like across L1 through L3, and talk about how to stay motivated when the work is repetitive and the finish line is invisible. This isn't advice from a vendor booth or a recruiter. It's a real look at what analyst development looks like from inside a security operations environment: the good, the hard, and the practical steps you can take starting right away.
From Prompt to Pwn: Hands-On Exploitation of LLM-Powered Applications with OWASP Techniques
Training Ground, Tuesday 15:00-19:00, H114
Large language models are no longer “just chat.” In production applications they sit behind authentication and session boundaries, invoke tools, query databases, read files, reach internal URLs, and take actions on behalf of users. That turns familiar application risks SQL and NoSQL injection, SSRF, path traversal, broken access control, cross-site scripting, and supply-chain issues into conversation-driven attack paths: the payload may never touch a traditional form field. This Training Ground workshop is a guided, hands-on offensive lab. You will exploit Vulnerable AI Application, an open-source training platform that pairs a deliberately hardened shell with isolated, vulnerable AI-powered agents mapped to the OWASP Top 10 for LLM Applications. You only need a laptop and a browser: the hands-on environment is hosted on AWS and accessed via a dedicated workshop URL no local lab install required. We move from beginner-friendly explanations of threat models and first exploits into intermediate multi-step chains tool abuse combined with classic web flaws to complete realistic objectives: prompt injection and jailbreaks, system prompt extraction, RAG poisoning, SQL and NoSQL injection mediated by an agent, sensitive disclosure via traversal and SSRF, excessive agency and BOLA through customer-style flows, XSS from LLM-generated output, and supply-chain-style compromise paths in agentic workflows. The day balances short concept blocks with live exploitation, progress tracking, and debriefs on what secure design and testing look like on the defender’s side. You leave with repeatable patterns for red teams and application security engineers who must assess LLM-integrated systems not only the model, but the whole tool surface behind it.
From the Wild West to Yes, If: Building an AI Security & Governance Program
Proving Ground, Tuesday 11:30-12:00, Firenze
Every organization is adopting AI. Few are doing it with security and compliance at the table. At Cengage — one of the largest educational publishers in the world — AI initiatives were spinning up faster than any governance process could track, with student data, author IP, and proprietary curriculum all in the balance. In 25 minutes, we’ll walk through how we built an AI security and governance program from scratch: how we assessed 67 AI vendors in 15 months, how we stopped being the Department of No, and how we red-teamed our own AI integrations with real findings. You’ll leave with a practical framework you can take back on day one.
ACME for S/MIME and the S/MIME ecosystem
Breaking Ground, Monday 11:00-11:30, Florentine A
The ACME protocol is very popular for obtaining TLS certificates but not so much for acquiring an S/MIME certificate for securing emails. This talk shows how bad manually purchasing a certificate is and how it can be automated. Emails are very a popular means for communication but their security is sub-par. S/MIME enables encrypted emails but procuring such a certificate is difficult. With ACME for S/MIME, the task becomes surprisingly easy. We present an evaluation of all existing vendors of S/MIME certificates. We analysed the vendors' offering for their usability and privacy by measuring the time from zero to certificate as well as their privacy policies. We find that neither of the ten vendors provide a satisfactory offering. We finally sketch a way forward through ACME for S/MIME and present a prototypical implementation for Thunderbird. We bought certificates from all vendors of S/MIME certificates with their CA in Mozilla's Trust Store. For each vendor, we recorded the procurement process and analysed the time and clicks needed, the number of requests and their sizes, and the number of privacy invading third-party requests. Further, we checked on the privacy policies and adjacent documentation to count the number of words and analyse the readability of the necessary documents. Our results suggest that the market does not provide a satisfactory solution. The vendors either control your secret key, invade your privacy with well-known third-party trackers, or require a PhD to read their privacy policies. Some vendors did not even manage to create a valid certificate. The best way forward is to establish ACME for S/MIME which allows for a (n)one-click solution. We have created a prototype to show that this is technically feasible.
Five AIs Walk Into a Severity Meeting: Auto-Triage and the Evolution of GM’s Bug Bounty
Common Ground, Tuesday 18:00-18:45, Florentine F
Five AIs Walk Into a Severity Meeting: Auto‑Triage and the Evolution of GM’s Bug Bounty A decade ago, vulnerability handling at GM looked like it did at many large organizations: ad‑hoc disclosures arriving via inboxes, spreadsheets holding state, and a lot of institutional memory doing the heavy lifting. The OwnStar research became a forcing function, making it clear that “accepting reports” wasn’t the same as having a real, scalable vulnerability disclosure program. This talk traces the evolution from that pre‑program chaos to a formal Vulnerability Disclosure and Bug Bounty Program—and then to the realization that even a structured, human‑driven triage process doesn’t scale once report volume and complexity explode. We’ll walk through the failure modes that consistently showed up at scale: slipping SLAs, duplicate hunting across tools, repro becoming the long pole, and severity decisions that depended more on intuition than evidence. The second half of the talk dives into Auto‑Triage, an AI‑assisted pipeline we built to handle those pressures. Sitting on top of HackerOne and Slack, it combines scope and asset mapping, multi‑signal duplicate detection, safe automated reproduction in sandboxes, and a multi‑agent “severity meeting” that behaves more like a real review board than a single model guessing a score. We’ll also show how confirmed bounty findings turn into broader variant hunting and SDLC guardrails, not just closed tickets. This is a practitioner’s story—what worked, what failed, and what we wish we’d known earlier—for anyone running or scaling a VDP or bug bounty program and feeling the pain.
Jacob Martinez, Aakash Krishana, Christopher Walter, Jason Brown
Rekt Teaming: What Attackers See When They Look at Your Bug Bounty PoC
Breaking Ground, Wednesday 11:30-12:15, Florentine A
In April 2026, Panther’s supply chain scanner picked up three different corporate red teams publishing malicious artifacts to npm. They each exhibited different levels of opsec failure. Asurion published a series of packages so convincingly undistinguishable from real malware that we reported it to them as a targeted attack against their company and customers, Socket’s automated scanner independently corroborated the packages as malware, and the story was picked up by Hacker News. It wasn’t until after a few weeks of media coverage that Asurion came forward to self-identify the campaign as a red team exercise. Disney tied their exercise’s C2 infrastructure to a red teamer’s personal domain, committing them to maintaining that trust anchor in perpetuity. And MOIKA, a Russian carwash company, exposed internal package namespaces for themselves and their technology partners, handing subsequent “parasitic” attackers a working exploit on a silver platter. These campaigns are perfect examples of why public software registries are the wrong place to publish your red team engagement artifacts. This talk deep dives the anti-patterns seen in each of these campaigns, highlights the attack surface they create, and demonstrates how an attacker would exploit these self-inflicted vulnerabilities. Intent or authorization is not externally observable from software artifacts, only capability. Your dependency confusion PoC does the next attacker’s recon and development work for them. C2 infrastructure serves up benign payloads now, but creates an indefinite maintenance obligation on trust anchors like domain names and npm user accounts.
The Holy Grail of Election Security: Serious Quest or Theater of the Absurd? - TOKEN: 1
Skytalks, Monday 10:00-10:45, Sienna
What if election officials in an American swing state were willing to unlearn everything they knew? What if they set out on an earnest quest for more secure elections? They were willing, and this is the story of one county’s pilot program, featuring open-source tools, distributed custody of records, and unprecedented public transparency. The story is previously unpublished, and includes operational lessons from the real world deployment of this election security program. You will learn how the project integrates open-source with existing vendor platforms. How it was designed with an eye toward becoming a full-system protocol. Why it is a model for any jurisdiction to improve election security. Its development was a quest on par with the search for the Holy Grail – complete with the fervor, the fighting, and the obstacles. Chief among the obstacles, how to provide proof-of-security to losing candidates and a skeptical public. But what if the program involved the public? What if it recruited everyday citizens as voter roll auditors going into the 2026 midterm? What if it had tamper-evidence that’s instantly visible to the public? What if this quest could quiet conspiracy theories – silly talk and absurd theatrics – borne of half-assed research by laypersons who become “experts” after consuming a white paper on Google? Election managers are boxed in by vendor limitations. They’re forced by state and federal law to carry out certain processes that clearly threaten security. They answer to multiple authorities with no unified agenda. Yet they’re obligated to deliver the Holy Grail – secure elections. The Grail has evaded their grasp because no concrete proof of election system security has been available. This pilot, grounded in the Center for Internet Security Controls, answers the challenge.
Your Airspace Has a Security Problem: A Field Guide to Counter-UAS
Common Ground, Monday 17:00-17:45, Florentine F
The airspace under 400 feet is turning into infrastructure. Delivery drones, police drones-as-first-responder, medical runs, and the tourist who never checked the flight restriction over the stadium are all sharing it. We want almost all of those drones there. The problem is that we cannot reliably see them, and the rules governing intervention are being written right now. This is a field guide from someone who works the problem at major public events. We will walk the whole chain in plain terms: how you actually detect a drone, and why a cop's phone sometimes beats a six-figure sensor; what Remote ID really is on the wire, a license plate anyone can read and forge; why the detection range you were promised falls off a cliff; and what happens when you try to stop one. Jamming takes down your own drones. Takeover works on some of them, some of the time. And the drone that already went quiet, over fiber, cellular, or full autonomy, beats the whole radio-based playbook. You will leave able to build a $50 receiver that sees the same compliant traffic as the expensive gear, with a clear picture of where the real gaps are. These decisions are being made this year, and the people who understand the radios should be in the room. Greg A. is a systems integrator who works TAK and counter-drone operations at major public events and is an active EMT. He writes about building COTS Remote ID receivers and RF detection at ampledata.org, speaks frequently at technology, public-safety, and wireless events.
When CI Trusts Attackers: Exploiting Metadata Injection in GitHub Actions for Supply Chain Compromise
Breaking Ground, Tuesday 15:30-16:00, Florentine A
Modern CI/CD systems are built to automate trust — but insecure assumptions inside pipelines can turn attacker-controlled metadata into code execution primitives. This talk introduces Metadata Injection Attacks, a class of CI/CD vulnerabilities where fields such as branch names, pull request titles, commit messages, and tags are implicitly trusted and executed inside privileged GitHub Actions workflows. By abusing unsafe scripting patterns and the widely misunderstood pull_request_target trigger, attackers can achieve remote code execution on CI runners, access sensitive secrets, and compromise downstream software artifacts. Using a real-world case study from an open-source project, we demonstrate how a malicious branch name led to command injection and secret exposure within a production workflow. We then generalize the issue across modern CI/CD ecosystems, showing how insecure trust boundaries appear repeatedly in real repositories and automation pipelines. The session culminates in a full end-to-end supply chain attack demonstration: from malicious pull request creation to CI compromise, secret theft, and artifact poisoning. Attendees will learn how these attacks work, why common mitigations fail, and how to design secure-by-default workflows using safer input handling, hardened permissions, and secure automation patterns.
How to Stand Out in Cybersecurity’s Most Competitive Job Market
Hire Ground, Monday 18:00-18:55, Florentine B
There are 514,000+ open cybersecurity jobs in the U.S. and somehow it still feels impossible to get hired. Entry-level postings demand 3-5 years of experience. Hundreds apply for the same role. AI is reshaping which skills matter. And nobody tells you what actually makes a hiring manager stop scrolling and read your resume. This talk fixes that. As a hiring manager who reviews resumes globally and has built teams across six countries, I'll show you exactly what makes candidates stand out and what gets them ignored. No motivational fluff. No "just get Security+" advice. Tactical, example-driven guidance organized around four cybersecurity Role Families — Builders, Breakers, Defenders, Governors — so you can apply what matters to YOUR career path. You'll learn how to build in public for your specific role family using GitHub, LinkedIn, and personal portfolios, with real repos that got people hired. You'll see what a good-to-excellent resume looks like from the hiring manager's side, including the structure and framing that gets past ATS filters and human reviewers. You'll learn how to use AI tools like Claude to prepare your resume, research companies before interviews, and practice answers that demonstrate depth instead of keywords. I'll address the elephant in the room: imposter syndrome is not a bug in your personality, it is a feature of working in a field that changes faster than anyone can learn it. And I'll make the case that if you're already in this industry, helping someone break in is not charity — it is how healthy communities work. If you've ever stared at a job posting and thought "I'm not qualified for this," you probably are. You just don't know how to show it yet. Let's fix that.
Step-by-Step Malware Development: Evading EDR from Loaders to the Kernel
Training Ground, Wednesday 10:00-12:00, H116
Endpoint Detection and Response (EDR) systems are essential components of modern enterprise security. To evaluate them effectively, offensive security professionals benefit from understanding how these defenses operate beneath the surface. This hands-on workshop provides a step-by-step guide to custom malware development, C2 customization, and kernel-level exploitation, covering multiple stages of the attack chain in a single session. To understand the mechanics of detection, we will use Elastic Defend throughout the workshop. By analyzing its open-source detection rules, participants will observe their initial payloads being blocked, understand the reasons behind the detections, and iteratively rewrite their code to bypass the sensors. We begin in user-land, implementing foundational injection techniques before moving to evasion strategies. Attendees will build custom loaders utilizing Module Stomping, Call Stack Spoofing, and Indirect Syscalls to evade memory scanners and behavioral analysis. Next, we transition to C2 customization. Participants will modify the source code of the Havoc C&C framework, removing static signatures and altering behavioral indicators to establish a stealthy C2 session. Finally, attendees will explore Bring Your Own Vulnerable Driver (BYOVD) techniques for post-exploitation. We will demonstrate how to use vulnerable drivers to blind or kill the EDR sensor. By the end of this workshop, attendees will learn how to build custom evasion loaders.
Came for the AppSec scans, stayed for the flaky tests
Common Ground, Monday 14:30-15:00, Florentine F
I'm an AppSec lead. My job was rolling out security scans in CI. Once the scans shipped, I stayed and fixed the parts of the pipeline nobody else would touch. Six months, solo, on top of the day job. Four AI-driven bots later, this talk focuses on two of them. -The one that worked best: a CVE-fixing bot that's kept us at 0 CVEs for three months and counting. -The one that miserably failed: a flaky DB test bot that couldn't see flakiness. To a one-shot AI review, a test that sometimes passes and sometimes fails just looks broken. The DB suite went from 42.3% peak failure rate to near zero, not by automating harder but by ditching the bot and pairing with Claude on each failure by hand. The fixes were technical (race conditions and cache, mostly) but the reason they didn't get fixed wasn't. People click "Run again" several times a day instead of looking at why. Nobody fixes it until somebody who isn't supposed to does. Walk out and measure your team's rerun rate (I'll share the script). Then go fix the smallest thing nobody else will.
Beyond Static Analysis: Memory Forensics for Go Malware
Breaking Ground, Monday 10:30-11:00, Florentine A
Go has become an increasingly popular language among malware developers due to its ability to produce statically linked, cross-platform executables that challenge static analysis. These binaries embed a substantial runtime and compiler-generated metadata and are compiled with aggressive optimizations that discard type information for function parameters and local variables. Go further complicates analysis by representing strings as pointer-length pairs rather than null-terminated sequences, employing a caller-allocated stack model that obscures argument boundaries, and fragmenting program state across concurrent goroutines. Although reverse-engineering tools like IDA Pro and Ghidra provide Go-specific support, they are limited to compile-time artifacts and cannot recover runtime execution state or artifacts that persist solely in memory. In this talk, we present the first memory forensics framework for runtime analysis of Go binaries, implemented as open-source Volatility 3 plugins. By parsing Go's internal structures, our framework reconstructs type and function metadata, recovers heap-allocated and static strings, and classifies functions by origin. Through ABI-aware backward analysis, it derives execution paths and argument values from call sites. To capture runtime state beyond what static analysis reveals, it analyzes goroutine stacks to identify actively executing functions and recover their runtime argument values. All these capabilities were used to analyze malware from recent incidents, including the BRICKSTORM backdoor, Obscura ransomware, and Pantegana RAT. During this talk, we will show demos of the plugins recovering C2 endpoints, persistence mechanisms, encryption keys, ransom notes, attacker-issued commands, and execution state, including critical artifacts absent from published threat intelligence. Attendees will learn why reverse engineering tools alone are not enough for analyzing Go malware, how Go runtime internals appear in memory, and how the Volatility 3 plugins recover artifacts from real-world malware samples.
Breaking the Modern Boot Chain on Windows and Linux: Exploiting UEFI Internals
Breaking Ground, Tuesday 17:00-17:45, Florentine A
Modern operating systems rely on UEFI firmware as the root of trust for the entire boot chain. Secure Boot, signed bootloaders, and kernel protections are all built on the assumption that this layer cannot be modified once the platform is properly configured. But what happens when that assumption fails? In recent years, vulnerabilities in bootloaders, leaked signing keys, and logic flaws in trusted components have shown that the UEFI attack surface is far larger than most security professionals realize. Once firmware is compromised, traditional security controls stop mattering - code executes before the operating system starts, before EDR loads, and before most protections even exist. In this talk, we take real vulnerabilities in trusted boot components and follow them all the way through. We reverse known CVEs in signed EFI binaries and turn them into reliable exploitation primitives, then build on top of those primitives to gain execution before the OS starts, manipulate the boot flow, and bypass protections on both Windows and Linux systems. The focus is on how these pieces connect in practice and how control is established during the earliest stages of the boot process. Everything is backed by demos that walk through the full attack chain, from reversing a vulnerable component to abusing it in a real scenario and ultimately deploying a persistent bootkit before the system has a chance to defend itself. All the material will be shared after the talk, including malware, exploits, and lab setups, so attendees can reproduce the workflow and study it in detail - including exploitation techniques that are not publicly documented.
The Laptop Is the Perimeter: How Attackers Target Developers to Breach the Software Supply Chain
PasswordsCon, Wednesday 11:30-12:00, Tuscany
Attackers have always targeted developers because developers sit closest to the systems that build, ship, and operate software. Unlike most employees, a single developer's laptop can expose cloud credentials, CI tokens, SSH keys, and package publishing rights. And access to those systems is exactly what attackers are after. Supply chain attacks have evolved recently. Starting with the Nx “s1ngularity” attack, we are seeing more poisoned trusted packages that systematically steal GitHub tokens, npm credentials, SSH keys, and other secrets from developer systems. The Shai-Hulud campaign pushed the model further with a self-replicating npm worm. Now, agentic AI ecosystems and skill marketplaces pose a new supply chain threat, in which malicious skills and prompt-based payloads turn “helpful automation” into credential theft and code execution. This talk explains why the developer workstation is now one of the most important control points in software supply chain security. We will walk through recent attacks and go over practical defenses developers can adopt immediately to keep everyone safe.
Who Goes There? Actively Detecting Intruders With Cyber Deception Tools
PasswordsCon, Tuesday 18:00-18:30, Tuscany
Intrusion detection works best when you can discover the attacker while they are still in the system. Finding out after the fact does little to protect your systems and your data. Ideally, you would want to set an alarm that an attacker would trigger while limiting the damage to your environment. We know from many recent breaches that attackers commonly try to expand their foothold in a system by finding and exploiting hardcoded credentials in environments they have accessed. We can use these behavioral patterns to our advantage by engaging in defensive cyber deception. You might already be familiar with the concept of honeypots, false systems, or networks meant to lure and ensnare hackers. There is a subclass of honeypots that require almost none of the overhead, are simple to deploy, are used by many industries, and lure attackers into triggering alerts while they are trying to gain further access. The industry has arrived at the term honeytoken for this branch of cybersecurity tooling.
Minutes from Malice: Detect Cloud Exposures in Minutes
Proving Ground, Wednesday 11:00-11:30, Firenze
Cloud network exposure is highly dynamic as resources can receive temporary IPs, challenging traditional scanners. This talk presents an open-source framework using cloud inventory APIs (e.g., AWS Config) for near real-time exposure monitoring across hybrid cloud and on-prem networks at any scale.
How to Ransomware USB Devices
Common Ground, Monday 10:00-10:45, Florentine F
Everyone knows you shouldn’t plug in a USB drive you found in the parking lot. Users are widely taught to avoid connecting untrusted storage devices, but that caution doesn’t usually extend to other kinds of peripherals, such as webcams, hubs, or docks. Or what about the USB devices you already own, plugged into your computer? One wrong website visit and one wrong click and your device is now mine, and you need to pay me to repair it or go buy a new one. While often research is done focusing on high end and complex devices, many common day to day devices pass through the net, escaping the deep technical audit other devices go through. In this talk I’ll break that cycle by lifting the veil on the ubiquitous USB hub. I’ll delve into how these devices work, their common silicon roots, and how the same problems affect too many devices to count.
Certificate Transparency logs as OSINT
PasswordsCon, Wednesday 12:00-12:45, Tuscany
13 years ago, RFC 6962 introduced the "Certificate Transparency Log" as a mechanism for domain owners to monitor for "missisuance" of certificates. A key feature of Transparency Logs is that they are public, allowing anyone to anonymously search the details of any certificate issued by any major CA. In the context of publicly available web services, this is a naturally complementary design, but has interesting implications when enterprises issue "public" certificates for private, internal services. This data, and the view to DNS it provides, can be an interesting source of OSINT when broadly sampled. This talk will cover the basics of Certificate Transparency logging implementations and differences in policy between CAs, but will mostly focus on interesting data that can be found today in CT logs for major companies.
Cyber Jobs Dumpster Fire: Honest Advice from 2 Veterans
Hire Ground, Monday 17:00-17:55, Florentine B
The cybersecurity job market has shifted hard lately! Resumes are getting filtered by automation, interview processes longer and frustrating, and “entry-level” roles are demanding senior-level experience. If you’re feeling stuck, ignored, or constantly ghosted, you’re not alone! In this two-person panel, Josh Mason (Solutions Architect at Synack, founder of Noob Village, former USAF pilot) and John Stoner (Army veteran, cybersecurity leader and CTI guru) will give direct, no-BS advice on how to improve your resume, position yourself in a crowded market, and survive interviews without sounding like a buzzword generator. This will be an interactive session with real talk, practical examples, and plenty of Q&A. Expect brutal honesty but practical advice!
Root To CISO – Just AIsk
Hire Ground, Monday 14:00-14:55, Florentine B
AI is changing cybersecurity fast, but the path to becoming a security leader still comes down to far more than tools and technology. This interactive panel brings together experienced CISOs from very different backgrounds to discuss the real-world journey into security leadership. From building teams and security programs to hiring, communication, burnout, boardrooms, and adapting to constant change, we’ll have an honest conversation about what actually matters on the road to becoming a CISO. We’ll also discuss how AI is impacting hiring, workforce development, security operations, and leadership expectations — and what technical professionals should focus on if they want to grow into leadership roles themselves. Last year’s session turned into an almost entirely audience-driven Q&A with a packed room, and we’re hoping to do even more of the same this year. Bring your questions, challenges, and career concerns — Just AIsk.
Spanning the Eras: Egress Domain Governance from On-Premises to Agentic Sandboxes
Proving Ground, Tuesday 17:00-17:30, Firenze
Your production infrastructure just reached out to a suspicious domain - now what? Security teams can detect external threats, but often cannot answer a critical question: which internal service actually initiated the traffic? In modern hybrid cloud environments, egress requests pass through shared proxies, NAT layers, and ephemeral compute making service identity difficult to trace. Without reliable attribution, teams are forced into a risky tradeoff: block traffic and risk breaking production, or allow it and risk ongoing compromise. This talk presents a practical approach to service attribution and domain governance based on production infrastructure. We show how to trace egress traffic back to the originating service by combining proxy logs, eBPF telemetries and container metadata. Rather than relying on any single source of truth, this approach combines multiple different signals to identify the service responsible for a given domain or IP. We demonstrate how we build and patch baseline ACL allowlists iteratively, and how egress control policies can be safely enforced using detection and enforcement mode. Building on the attribution layer, we introduce a domain governance model that balances an automated review workflow and Human-in-the-loop(HITL), avoiding bottlenecks while maintaining efficiency and security guarantees. We then show how the governance model is being applied to the egress control of agentic sandboxes to safely unlock high-demand AI capabilities while keeping the agent itself untrusted.
A Whole-of-Society Plan to Save the Country… or at Least Make Friends at Happy Hour
I Am The Cavalry, Monday 18:30-19:00, Copa
From Volt Typhoon to Mythos, cyber threats continue to increase quickly. We need to quickly increase the capacity to prepare for and response to these threats through a whole-of-society approach to cybersecurity. The pieces are there. We’re working to put the pieces together, focusing on state-led cyber volunteer programs as a critical path to resilience for critical infrastructure and under-resourced organizations. This talk explains the movement toward civilian cyber corps, the benefits these cyber volunteer organizations are providing, how we can quickly scale this solution, and how you can help.
Finding vulnerabilities in windows kernel drivers & performing BYOVD attacks
Breaking Ground, Tuesday 14:30-15:00, Florentine A
In this talk, we will cover reverse engineering Windows kernel-mode drivers, identifying vulnerabilities, and performing BYOVD (Bring Your Own Vulnerable Driver) attacks. We will learn techniques to exploit driver vulnerabilities in order to bypass EDRs or gain kernel-level permissions. Additionally, we will review BYOVD attacks carried out by real APTs and how they disable EDRs and antivirus software using kernel-mode techniques.
Operation Graceful Exit: Creating Smart Policies For Software End of Life
I Am The Cavalry, Tuesday 18:30-19:15, Copa
In the past five years, unsupported, “end of life” software has transformed from a niche IT management issue for large corporations and industry players to a pressing, global security crisis. In that time, cybercriminals and nation-state backed hacking crews have been actively targeting vulnerable edge devices with unsupported “EoL” software and firmware - and using the compromised devices to power massive botnets and other infrastructure used to enable attacks on governments, private and public sector firms and critical infrastructure. In just one example, GreyNoise revealed in their recent State of the Edge report that one of the most frequently targeted flaws (3.75 million sessions) observed in the second half of 2025 was a five year old flaw (CVE-2020-2034) found in five different end-of-life versions of Palo Alto’s PAN OS operating system. What’s fueling that crisis? One problem is that our current software marketplace has no rules protecting consumers by stipulating a minimum software support period, requiring vendor transparency about software support and security updates, or assigning responsibility for abandoned and unsupported software. But that may be about to change. You’ll hear from leading advocates for smart, cyber policies like the Connected Consumer Products End of Life Disclosure bills, model legislation that has been introduced in three state legislatures in the past six months (NY, MA and CA) and that mandates transparency about software support periods before consumers buy devices, and requires companies that lease hardware to customers to replace devices running end of life software at no cost their customers. And that’s just the beginning. Also in the works is more comprehensive legislation that mandates a “graceful exit” when vendors decide to end support for software: emphasizing security, longevity and resilience. Change is coming. This is a session that can’t be missed!
Introduction to offline password cracking with Hashcat
PasswordsCon, Tuesday 11:00-12:00, Tuscany
This talk will be an introduction to offline password cracking with hashcat, it will cover requirements, drivers, some basic hardware and then a walk through methodology. This talk will also cover hashcat support resources and the best way to engage with the hashcat team with issues.
Decentralized Deception: EtherRAT Distribution Spoofing Administrative Tools via GitHub Facades
Proving Ground, Tuesday 10:30-11:00, Firenze
Traditional malware distribution relies on staying one step ahead of domain blacklists and sandbox detection. But what happens when the threat actor hijacks the very tools we use to defend our networks? This talk breaks down a sophisticated, high-resilience campaign dubbed EtherRAT, which targets the "keys to the kingdom". We will explore how attackers utilize GitHub Facades, clean, SEO-optimized repositories, to separate their search engine visibility from their malicious payloads. By impersonating common Windows administrative utilities like PsExec, AzCopy, and Sysmon, the attackers ensure they only infect high-privilege targets while maintaining a dominant search presence that evades platform-level takedowns. Beyond the delivery mechanism, we will dive into the malware’s unique C2 infrastructure. EtherRAT utilizes "EtherHiding," a technique that leverages Ethereum smart contracts as a decentralized, "takedown-proof" dead-drop resolver.
GobRAT: Deeper Into the Abyss - TOKEN: 6
Skytalks, Monday 18:00-18:30, Sienna
GobRAT is Go language malware first described in research by JPCERT/CC in 2023 and by Sekoia.io in their late-2024 blog "Bulbature, Beneath the Waves of GobRAT" with pointers to likely China-centric actors. The malware and broader C2 ecosystem described through reverse engineering and a series of certificate-based indicators compromised a reported 75k devices in 139 different countries. Open directory leaks indicated the bot was composed primarily of SOHO Routers, IOT devices, Network Attached Storage Devices, and others comprised the bot infrastructure. This talk transforms the previous static view of GobRAT’s infrastructure and describes its observed behavior “in the wild.” Building on the prior work, this presentation demonstrates the unique relationships between components, new indicators that can be used to identify and distinguish GobRAT administrative components and identify bot participants through enumeration and network communications. Participants will be exposed to previously unpublished characteristics of the GobRAT architecture and new developments that may indicate changing TTPs over time.
Winning From Constraints
Training Ground, Monday 15:00-19:00, H110
Fundamentally most Security Operations teams cannot measure if they are doing well or poorly against mostly unseen actors. With standards that pose no questions and offer no concepts the industry leaves teams on their own. Operational excellence, folk-lore and hoping for the best become attractive candidates to fill the void. This workshop examines the structural forces that brought us here, then works through how to discover and assess real security outcomes. We introduce principles and practices to help analysts, engineers, and managers build and execute a meaningful strategy for their organization.
Burn the Five Year Plan: An Anti-Roadmap for the Rest of Us
Hire Ground, Tuesday 15:00-15:45, Florentine B
Forget the five year plan. We're burning it down. My roadmap said I was supposed to be a lawyer. Go to an Ivy League school. Guess which of those things happened? Neither one. My decade in the car business started with a dealership owner chasing a salesman down the driveway with a baseball bat. Most people would have been horrified. I laughed and saw a job opportunity. I didn't plan my way into cybersecurity either. An MIS class, a few wrong turns, and every disaster in between got me where I am today: building cyber programs from scratch and leading teams of cyber professionals. The anti-roadmap isn't a failure to plan nor is it an accident or happenstance. It's a different kind of intelligence - for the ones with ambition, a decent tolerance for chaos, and zero interest in playing it safe. Safe is a roadmap. This isn't that. This talk is for the zigzaggers. The ones who aren't sure what they want to be when they grow up. The ones who fought for the title and felt like an imposter every single day. The ones who keep showing up anyway. Buckle up. There are no GPS coordinates where we're going.
Vibe Coding a Backport: Deep Dive into Backported Patch Generation
Training Ground, Wednesday 10:00-11:30, H112
When a new CVE drops, a new cycle begins where teams have to scramble and prioritize fixing since it isn't as simple as pulling the latest upstream commit. Legacy dependencies, shifting APIs, and operational stability requirements turn backporting into a surgical exercise in code archaeology. In this hands-on lab, attendees will go deep on how to generate a backported patch for a real-world vulnerability, which will start with the CVE-2024-37370 in MIT Kerberos example, used across major Linux distributions and many CNCF projects. We’ll start by walking through what makes a vulnerability CVE-worthy, examining the affected code, and studying how upstream fixed it. From there, attendees will work step-by-step to adapt that fix for an older codebase, tracing impact across API changes, dependencies, test suites, and documentation. Along the way, we’ll explore other techniques to evaluate patch safety, prevent regressions, and identify unintended side effects before they hit production. Participants will get hands-on with live systems, debugging failed patches, exploring incomplete fixes, and learning techniques to trace risk across multiple legacy branches. We’ll cover both the defender’s and attacker’s perspectives understanding how incomplete backports leave exploitable gaps, and how to close them. By the end of the session, attendees will have produced and validated their own safe backport patch, gaining practical skills they can apply immediately in production environments. This lab is designed for engineers, SREs, and security practitioners who want to move beyond “apply and pray” and learn the craft of backporting in high-stakes, real-world conditions.
Who Let the DAGs Out: When Your Orchestrator Plays the Wrong Tune
Breaking Ground, Wednesday 10:30-11:15, Florentine A
Everyone runs Apache Airflow. Almost nobody treats it like what it is: a production control plane that stores cloud credentials and runs arbitrary Python. This talk is offensive research into that plane, from real exposed instances to fresh findings on the current release. We autopsy two unauthenticated Airflow boxes found live on the internet — one leaking ticketing credentials, the whole AWS map, a path to IAM, and clonable ticket barcodes (touched nothing, disclosed responsibly CERT-to-CERT until it was taken offline); one running an attacker's tooling next to confirmed RCE through Airflow's own variable substitution, which works on every version. We explain the architectural seam that keeps old, exposed 2.x alive, show why DAGs are an attack surface, and demo a finding on 3.2.1: a Connection API that leaks Slack webhooks and bearer tokens in plaintext. MITRE rates it only medium — but we show what can really go wrong.
Watching Agents Work: A Behavioral Audit of 189 Offensive-Security LLM Runs
Ground Truth, Monday 18:00-18:45, Florentine E
Every offensive-security AI vendor publishes a solve-rate. Almost none of those numbers describe what agents actually do on the way to the flag. We ran four frontier Claude models (haiku-4.5, sonnet-4.6, opus-4.6 & opus-4.7) against 60 web-application CTF benchmarks. 189 attempts. 68,049 traced spans. Every tool call recorded in Phoenix. The goal was to watch them work and tag what we saw (not to crown a winner.) Five behaviors held across every model and every difficulty tier: - **Agents prefer their own tools.** 87.7% of all tool calls bypass the rich tool surface for raw HTTP and shell. Of 40 provided tools, 26 are effectively dead. - **No methodology, just react and guess.** No wordlists, no checklists, no PTES sequencing. 82% of agents pivot after a failure rather than enumerate. - **Good guessers, until they're not.** Roughly half of correct solves involve a guess at a critical step. The same pattern with a wrong answer misses the vulnerability entirely. - **Sharp PTES phase asymmetry.** Strong at chaining vulnerabilities once inside; weak at thorough enumeration; weak at methodical exploitation, where 62% of failures stall; weak at producing usable reports. - **Benchmarks measure pattern-match speed.** That's the strength agents already have. Thoroughness, methodology adherence, robustness under wrong guesses, reporting quality (the dimensions that decide a real engagement ) aren't present in any current leaderboard. This talk walks through each behavior with live demos in Phoenix UI, replaying real traces from the corpus. The audit framework (PTES tagger, tool-tier classifier, recovery-shape analyzer) will be open-sourced so any team can run the same audit on their own runs. The closing question isn't which agent is best. It's which gaps the field should be testing first.
Burp, But Yours: Hands-On Extension and Bambda Development
Training Ground, Monday 10:30-14:30, H112
Ever wished Burp did one extra thing exactly the way you wanted? This workshop is about making that happen. In this half-day, hands-on session, you’ll learn how to extend Burp Suite using the right tool for the job: BChecks, Bambdas, extensions, and the BApp Store. We’ll cover what each option can do, where it fits in a real testing workflow, and when it’s time to move from a quick Bambda to a full extension. Then we’ll build. You’ll write and load Bambdas against real Web Security Academy labs, modify a Burp extension using the official extension template project, and start your own project by working through the same loop you’ll use after the workshop: spot the testing pain point, pick the right extensibility path, write or generate code, load it, test it, debug it, and make it better! By the end, you’ll have practical Burp tooling you can keep using, plus a clearer path for sharing your ideas with teammates, clients, or the wider Burp community.
My email address is an API key?
PasswordsCon, Tuesday 14:30-15:00, Tuscany
Email addresses aren't secrets. They’re not meant to be. So why do so many SaaS products create “private” email addresses that both authenticate and authorize users? Trello does it for boards. Asana does it for projects. Even my insurance company uses private email addresses for confidential claims data. The UI calls these strings email addresses, and users treat them like it. They get pasted into forums, added to support tickets, and logged on mail servers. Very few people store them with the care they'd give an API key or password. And honestly, most of the time, the risk is pretty minimal. This talk walks through what happens when it isn't. We'll dig into a widely used developer platform where the consequences of leaking one of these addresses get particularly bad, and then zoom out to the broader pattern. You'll leave knowing how to spot these types of credentials in tools you already use, how to reason about when it actually matters, and what to ask vendors when it does.
Authorization phishing: how attackers stopped targeting logins
PasswordsCon, Wednesday 10:00-10:45, Tuscany
We spent a decade hardening the login. First we got strong password requirements. Then passwords got MFA. Then MFA got phishing-resistant with passkeys. But attackers have adapted. Authorization phishing targets OAuth consent and authorization flows instead of authentication. There’s no fake login page, credentials to phish, or MFA factor to defeat. The victim authenticates legitimately, on the real identity provider, and hands the attacker a token on the way out. And no, this isn't just AITM or MFA downgrade. This sidesteps the login process entirely, regardless of the authentication controls in place — which is why attackers are adopting it at scale. This new class of attack covers consent phishing, device code phishing, and ConsentFix — a new ClickFix variant we identified after a Russia-linked campaign abusing Azure CLI’s OAuth flow. Device code phishing alone has gone from niche red-team technique to tier-1 threat, used by state-aligned actors and criminal PhaaS operators alike. I'll demo each technique end-to-end, walk through real in-the-wild campaigns and show what detection and prevention actually look like when the attack never touches your login at all.
The Dots Do Matter: Gmail’s Invisible Blindspot
PasswordsCon, Tuesday 14:00-14:30, Tuscany
You've probably heard that dots don't matter in Gmail addresses. Well, I'm here to tell you they actually do matter, and I have 22 years of unsolicited evidence sitting in my inbox to prove it. Back in 2004, I was lucky enough to get one of the early invite-only Gmail accounts. Six characters, no numbers, no underscores. Just my name. It felt like winning the internet lottery. Because of that six-character address, I've spent two decades at the center of an invisible email collision, accidentally collecting data about other people's lives. Bank statements from Colombia. A flight itinerary from Congo to Guangzhou. A Nissan CARFAX report from New Jersey. But here is the scary stuff: password reset links, login codes, and account-recovery emails for accounts I never created. 89 Snapchat accounts. 168 TikTok accounts. A one-click login link to an Instagram account that was never mine. And in the past three years, roughly 25 people have made my address the recovery email on their Google account, in one case handing me a live link to potentially download their entire Google account data: every email, photo, document and search query. All of this without any 1337 hacking. No phishing, no exploits, no social engineering. Just a dot that Gmail ignores and the rest of the internet doesn't. In this talk I'll walk you through what I found across four continents and multiple languages, why an email address quietly became an identity and authentication token that nobody verifies, how criminals have already exploited this gap in documented fraud cases, and why, despite years of public discussion, nobody has measured how widespread it really is. This talk also documents my personal bug bounty submission to several major platforms' vulnerability disclosure programs, so come hear the talk for updates on how that story ends. The dots do matter. Someone needs to measure this phenomenon and do something about it. Maybe that someone is going to be in this room. I'm actively looking for research partners and collaborators to move this project forward!
Engineering the Hunt: Developing AI SKILLs for Network Security Monitoring
Training Ground, Monday 15:00-19:00, H116
### **Workshop Summary: Engineering the Hunt** **"Engineering the Hunt: Developing AI SKILLs for Network Security Monitoring"** is a hands-on workshop designed to solve alert fatigue and unscalable manual triage. Moving beyond theory, this session empowers responders to optimize their processes without needing expensive new infrastructure. **Core Activities & Takeaways:** * **Translate Expertise:** Learn to convert successful manual threat hunting routines (e.g., detecting DNS tunnels and lateral scans) into automated workflows. * **Practical Development:** Use real network security data to develop and validate SIEM queries and Agentic AI "SKILLs" files. * **Democratize Detection:** Automate proven techniques to make advanced threat hunting accessible to analysts of all skill levels, significantly reducing detection time. * **Minimize Risks:** Navigate the pros, cons, and pitfalls of AI-assisted hunting, with a strict focus on reducing token costs, AI hallucinations, and false positives. Attendees will walk away with deployable tooling and customized Agentic AI SKILLs, ready for immediate implementation in their own organizational environments.
CerBERTus: A Three-Headed Approach to Prompt Security
Ground Truth, Monday 15:00-15:45, Florentine E
LLM jailbreak detection is often framed as a binary task: is a prompt harmful or benign? This framing is brittle. Harmful requests can be concealed inside roleplay, fiction, urgency, or “academic” pretexts, while legitimate prompts can be topically close to unsafe content without malicious intent. As a result, single-label detectors overfit to surface patterns, yielding both false negatives (adversarial rewrites) and false positives (adjacent-benign prompts). We introduce CerBERTus, a three-headed BERT-based model for prompt security. A single shared encoder feeds three classification heads: (1) harmfulness (primary), (2) goal category (what the user is trying to do), and (3) framing style (how the request is presented). The auxiliary goal and frame tasks act as inductive bias, encouraging the representation to separate objective from wrapper so the harmfulness head can learn their interaction rather than memorizing superficial cues. To train and stress-test this separation, we build a structured factorial prompt corpus that systematically crosses goals with frames. Goals include harmful, adjacent-benign, and generic-benign requests spanning categories such as cyberattacks, fraud/social engineering, explosives, chemical/biological weapons, conventional weapons, drug synthesis, privacy/doxxing, human trafficking, extremist propaganda, and racism/nativism. Frames include adversarial jailbreak styles (e.g., roleplay/persona, screenplay/fiction, urgency/crisis, academic pretext, obfuscation, injection-like prefixes) as well as benign and null/plain framing. In this design, the same goal appears in many styles, and the same style applies to both harmful and benign goals. We achieve 0.96 AUC on a held-out harm category and 0.983 AUC on held-out jailbreak framings, demonstrating that the model generalizes to both novel attack goals and novel presentation styles it has never encountered during training. We will cover the threat model, dataset construction, training objective, and evaluation strategy, and discuss when multi-task supervision improves robustness and interpretability. The final takeaway is simple: stop treating jailbreak detection as a flat binary classifier and start modeling the attacker’s degrees of freedom by disentangling what is being asked (goal) from how it is being asked (frame).
Putting the CAT in the HAT: Exploring Cognitive Threats in the Context of Human Autonomy Teams (HAT)
Ground Truth, Tuesday 10:00-10:45, Florentine E
The cognitive attack surface represents the sum total of vectors through which a system’s information-processing capacities can be manipulated without informed consent. Crucially, this surface includes "agentic systems," defined as any human, artificial, or organizational entity capable of perceiving information and exercising agency. We define cognitive hacking as the practice of exploiting the psychophysical, neuroergonomic, and psychosocial limitations of these systems to degrade, deny, or deceive decision-making. If an attacker poisons the data feeding a dashboard, they have hijacked the human’s perception without showing the human a false image or compromising the machine’s core software. Is the human, is it the machine, or is it the system which is compromised? The Cognitive Attack Taxonomy (CAT) Version 2.0 maps the cognitive attack surface, across four layers whether these systems are individuals made of flesh, silicon-based agents, a bureaucracy, or a familiar combination of these. Layer I (STRUCTURE): The physical systems underlying cognition. Layer II (COGNITIVE): Internal processing and context interpretation. Layer III (NETWORK): Connectedness and trust. Layer IV (POLICY): Rules and governance, distinct from Layer III by virtue of formalized engagements. This presentation builds upon previous years’ presentations by mapping this updated framework onto new attack surfaces involving human-autonomy teams (HATs) and describes cognitive attacks on next generation human-AI hybrid systems.
Dr. Strangeprompt, or How I Learned to Stop Coding and Love my AI
Hire Ground, Tuesday 14:00-14:55, Florentine B
Most cybersecurity careers were built on a lie: that technical mastery compounds forever. It does not. The command-line wizard became the tool operator. The tool operator became the framework expert. The framework expert became the platform administrator. Every generation of security work has been abstracted, packaged, automated, and sold back to us as progress. Each time, the people who adapted moved up. The people who stayed loyal to the old craft became less relevant. AI is the next abstraction layer, but this one is different. It does not just replace a tool. It replaces the need to personally perform entire categories of work: scripting, log review, alert triage, detection engineering, policy generation, reporting, architectural review, and junior engineering tasks. The career ladder is being rewritten in real time. The winner is no longer the person who knows the best tool. The winner is the person who can direct AI systems, validate their outputs, chain them into workflows, and turn machine-speed execution into security outcomes. In this session, two experienced CISOs trace the evolution of security careers from command-line tradecraft to AI-orchestrated operations. We will identify which roles are collapsing, which skills still matter, and how practitioners can move above the automation layer before the market moves them out of the profession. This is not a talk about prompts. It is a talk about survival.
Social Tech for the AIpocalypse - TOKEN: 7
Skytalks, Tuesday 10:00-11:00, Sienna
The rise of ai-driven workflows and tools has compromised the former social tech that people relied on in order to find facts and understand the world - for instance, telling someone to "just google it" is no longer useful, given the confluence of heavy spam and misleading ai summaries. This talk will center around the changes in assumptions of what tools are available to people, and suggest social technologies to mitigate the loss of previous fidelity signals.
Ask EFF
Common Ground, Tuesday 14:00-15:00, Florentine F
Electronic Frontier Foundation (EFF) is excited to be back at BSides Las Vegas addressing the policy issues that matter most to security professionals. During this interactive panel discussion, our speakers will provide insights on urgent digital rights topics and showcase EFF's work defending privacy, fighting surveillance, and protecting free speech. Whether the conversation turns to combating surveillance, building liberatory tools, or diving into how we defend hackers will be up to the audience. This session prioritizes active engagement and real conversation about the issues keeping the security community up at night. Panelists include Haley Pederson, EFF's Legal Intake Coordinator; Rory Mir, Director of Open Access & Tech Community Engagement; Alexis Hancock, Director of Engineering; Kenyatta Thomas, Social Media and Video Manager; and Cindy Cohn, recent Executive Director.
Rory Mir, Haley Pedersen, Cindy Cohn, Kenyatta Thomas, Alexis Hancock
Democratizing Hack-The-Box: Intent as Infrastructure for Vulnerable Topologies
Proving Ground, Tuesday 11:00-11:30, Firenze
Manual construction of high-fidelity, pedagogically sound, vulnerable topologies is a grueling necessity. Building these environments is a specialized and cumbersome practice. Yet, they’re necessary to enable security research, tool development, and adversary emulation. The development of these environments requires meticulous planning and a lot of manual labor to weave together misconfigurations and intentionally injected vulnerabilities to accurately mirror real-world attack paths. This talk deconstructs the mindset and operational planning needed to build realistic, vulnerable networks. Within this talk, we also introduce a new paradigm: Intent as Infrastructure (IaI). By using agentic AI to automate the topology construction process, we transfer the capability to build high-fidelity environments directly back to the community. This project, affectionately named the Game of Everything (GoE), is a spiritual successor to Game of Active Directory (GOAD).
Lyra: An LLVM IR Obfuscator for Rust
Breaking Ground, Tuesday 18:00-19:00, Florentine A
Rust is rapidly becoming the language of choice for red team tooling, implants, and security-critical software. Yet the offensive security ecosystem has almost no obfuscation tooling for it. Nearly every production obfuscator targets C/C++ binaries or operates on final PE/ELF images; Rust's unique compile pipeline, name mangling, and LLVM IR patterns require a fundamentally different approach. This talk presents Lyra, an open-source, cargo-native LLVM IR obfuscator for Rust. Lyra intercepts each crate during a normal "cargo build" via RUSTC_WRAPPER, transforms the LLVM IR with a configurable pass pipeline - string encryption, basic-block shuffling, indirect-branch obfuscation - recompiles the result with llc + clang, and substitutes the object before the real MSVC linker runs. Zero changes to the Rust compiler, zero changes to the target project's source code, one flag on the command line. We walk through the architecture, the engineering challenges unique to Windows/MSVC (UTF-16 response files, allocator-shim object preservation, inkwell's undocumented panic guards), and live before-and-after demonstrations in IDA Pro, Ghidra, and Binary Ninja. We also show a YARA rule that confidently matches a plain demo build returning zero results on the obfuscated binary, and two consecutive unseeded builds producing different hex patterns, defeating a rule written on the first build. Lyra is released open-source at the time of the talk. All demos are reproducible from the release. Attendees leave with a working tool they can run against their own Rust projects the same day.
The Shadow IT Leak: Solving Silent Data Loss in Vulnerability Pipelines
Ground Truth, Monday 17:00-17:45, Florentine E
Vulnerability management is only as effective as the data pipeline supporting it. In complex enterprise environments, raw vulnerability data through scanner payload APIs are matched against incomplete Asset Inventories (CMDBs) using multi-stage "waterfall" joins. Standard ETL practices, such as, permissive JSON parsing and SQL/Pandas inner joins, act as silent filters, dropping unmatched records to keep the pipeline green. Consequently, an end-to-end pipeline can execute perfectly while silently hemorrhaging data as it moves from one stage to another, particularly when joined with disparate datasets to produce a coherent vulnerability report. In a security context, these dropped rows aren't just "bad data"; they are Shadow IT, vanishing before they even reach the database. This directly leads to incomplete CISO monthly metrics. Even worse, routing them to "Undefined" catch-all buckets creates massive security toil, leaving Critical CVEs waiting weeks for manual triage. To bridge this gap between high-scale data engineering and enterprise security posture, we will dissect the mechanics of data leakage within a PySpark and Airflow stack. Firstly, we explore logic-driven loss at the DataFrame level, demonstrating how inner joins and heuristic "sibling node" guesses delete assets universally. Secondly, we tackle concurrency-driven loss at the database layer—whether it manifests as deadlocks in SQL Server or "Last Write Wins" overwrites in NoSQL systems like Cassandra. Last, we will implement an enriched Dead Letter Queue (DLQ) pattern in PySpark that attaches explicit failure metadata to orphaned vulnerabilities, drastically reducing Mean Time to Remediation (MTTR) for triage teams. Crucially, we will cover how to implement in-flight reconciliation between Airflow pipeline hops, ensuring mathematical proof of data completeness.
Rejected-Input Programming: Exploiting Parsers That Say No Too Late
Breaking Ground, Wednesday 10:00-10:30, Florentine A
Security tools, logs, and developers usually treat rejected inputs as failed attacks. This talk shows the opposite: rejected inputs can become an exploitation interface. Rejected-Input Programming is a technique for chaining inputs that fail final validation into a controllable write primitive against live application state. If a parser applies callbacks, config updates, policy entries, or plugin metadata before the whole input is accepted, every “invalid” file may still leave state behind. Repeated rejected inputs can become byte-granular writes that reach privileged configuration, policy, session, or dispatch state. This is not a talk about one parser bug. It is a technique talk about parser integration failures. I will demonstrate the primitive across policy loaders, TLV protocols, archive indexes, plugin manifests, and production parser-library integration shapes using inih, Expat, and libyaml. Real-world findings discovered during this research are handled through coordinated disclosure and referenced as integration- pattern evidence without naming individual applications. The talk ends with a concrete fix: atomic loaders that stage state, validate the entire input, and commit only after success.
The Keyless Backdoor: Detecting GCP Workload Identity Federation Abuse
Breaking Ground, Monday 10:00-10:30, Florentine A
Static GCP service account keys are out. Workload Identity Federation (WIF) is the keyless replacement, letting workloads from any OIDC provider impersonate GCP service accounts. It's also an under-detected persistence vector hiding in audit logs most defenders haven't enabled. This talk demonstrates three WIF attacks. First: an open pool with empty attribute_condition and an over-broad service-account binding that lets any external token impersonate the service account. Second: a provider-update backdoor that grafts an attacker-controlled identity onto an existing pool in one API call. Third: a recently documented X.509 technique where a provider trusts an attacker-controlled CA, letting any certificate it signs impersonate the service account. For each, the talk walks through the audit log trail and the hunting query that catches it. The catch: GCP logs WIF setup for free, but credential use lands in paid tiers most teams never enable. Without them, you see setup but not abuse. Attendees will leave with hunting queries, detection rules, and a cost-to-coverage breakdown.
From Forest to Bonsai: Pruning and Explaining Logs for Air-Gapped IoT Devices Using Local LLM
Proving Ground, Wednesday 10:00-10:30, Firenze
According to IoT Analytics, IoT devices in use worldwide are projected to grow from 21 billion in 2025 to 40 billion by 2030. Yet real-time security products such as EDR, standard in IT environments, cannot be deployed on many of these devices due to resource constraints. Although log aggregation tools exist, they leave analysts to manually parse vast volumes of context-poor logs. This problem is compounded in air-gapped environments, where cloud-based solutions are categorically unavailable. In this talk, we will introduce our tool: a 1-bit quantized large language model (LLM) that provides context to logs and reduces the time from log aggregation to triage for Linux-based edge IoT devices in air-gapped environments. Our tool runs entirely on the device with no cloud dependency, and turns large volumes of raw logs into a concise narrative with natural-language recommendations. Because all inference happens locally, log data never leaves the device, an essential property for regulated industries where data exfiltration is prohibited by compliance requirements. This talk targets SOC analysts, security engineers, and IoT system architects who work in such environments and face alert fatigue from log-based detection. This talk will first explain the structural challenges of IoT security monitoring under air-gapped constraints. We will then walk through the design rationale of our fully on-device three-layer pipeline: lightweight log collection, semantic log clustering that groups logs into templates and surfaces those that deviate from established patterns, and inference using Bonsai 1.7B, whose ~250MB footprint enables operation on such devices. The final part addresses how we reduce analyst cognitive load by delegating contextual interpretation and recommended actions to the LLM, while keeping triage decisions in human hands. A live demonstration will show how raw logs flow through the pipeline to produce natural-language anomaly explanations and recommended actions.
Breaking BOTS II: How frontier AI cheats evals
[un]prompted, Monday 11:00-11:45, Tuscany
If an AI is 70% accurate at automating each task of a 10-task investigation, 97% of cases end up incomplete. We set out to close this AI investigation gap over the last few years, and using CTFs as one of our challenge sets, we finally broke them. To our horror, we realized frontier AI has been breaking our own evals. We noticed AIs began returning correct answers even without touching the logs. They’re advanced persistent threats in all but name: agents are gaming tasks, models are replaying answers, harnesses are leaking data, and more. Frontier AI autonomously attacking evals is important far beyond CTFs: Evals are core to agentic AI development and AI trust. This talk explores the cat-and-mouse using the popular and freely available Splunk Boss of the SOC CTF. We’ll start by systematically describing how to push AI models from barely passing to winning. Beginning with a baseline of off-the-shelf tools like Claude Code getting us surprisingly far, we’ll show how model improvements, model configurations, agentic harnesses, and prompting help close the gap. We then switch to the adversarial lens, and explore the attacks we’re observing. Just as importantly, we share the mitigations we’ve been putting in. The result is the robust comparison of investigation models and harnesses on botsbench, and for those doing their own evals, a look into the adversarial reality of working with modern reasoning-grade agents. Ultimately: Evals matter, but they're now part of your attack surface. Don’t let AI lie to you on your core benchmarks.
Burn the Trail: Why Your Personal Digital Exhaust Is An Organizational Problem (And What To Do About It)
Training Ground, Monday 10:30-14:30, H116
This workshop addresses the critical intersection of personal privacy and organizational security. In today's digital landscape, employee data is no longer private, it's a commodity traded by data brokers, scraped by social media platforms, and weaponized by threat actors through breach dumps. The session begins by exposing how seemingly minor data leaks such as a single email address or overshared social profile, can be the avenue through which to bypass multi-factor authentication, enable precision spear-phishing, or facilitate physical security breaches. Participants shift from "passive victim" to "hardened target" through hands-on exercises covering four core areas: The Leakage Audit: Identifying where personal data exists across data broker aggregators, forgotten breach dumps, and cached search results. Architecting Anonymity: Scrubbing digital exhaust using email aliasing, virtual phone numbers, and masked financial transactions. Digital Hygiene: Establishing password manager workflows and adopting a privacy-first mindset for new account creation. The Great Scrub: Step-by-step guidance on submitting opt-out requests to major data brokers and leveraging removal tools to disappear from search results. The workshop emphasizes that personal privacy functions as a corporate security control. Reducing the Personally Identifiable Information (PII) footprint of an organization's workforce significantly decreases social engineering success rates and limits the blast radius of credential stuffing attacks. Participants leave equipped to clean up their own digital habits, protect their teams, and treat privacy as the critical security layer it represents. The ultimate goal: starve data brokers of the information that fuels modern cyberattacks. By recognizing that individual privacy directly impacts organizational resilience, attendees gain practical tools to defend against increasingly sophisticated threats targeting the human element of security.
Your Training Data Is Too Boring: Surfacing the Long Tail With Anomaly Detection and LLMs
Ground Truth, Wednesday 10:00-10:45, Florentine E
Supervised classifiers in cybersecurity are often trained on data that doesn't capture the most unusual examples. Benign training sets are dominated by simple, common patterns while malicious sets reflect known attacks from past investigations. The long tail of unusual files on both sides goes unlabeled. When these files appear in production, classifiers are more likely to misclassify them, generating false positives that overwhelm SOCs and false negatives that let threats through. Traditional approaches to labeling difficult examples don't scale. Manual labeling is expensive, rule-based collection is too narrow, and anomaly detection alone has historically produced unacceptable false positive rates. But anomaly detection combined with LLMs is excellent at something else: finding and labeling the unusual data that is missing from cybersecurity training sets. In this talk, we present an automated pipeline that combines anomaly detection and LLMs to augment training data for a suite of cybersecurity models. To surface distinctly unusual data, we use complementary anomaly detection methods that each operate on different feature representations. Then, an LLM classifies each anomaly with format-specific prompts calibrated per data type. Critically, we use separate prompts that err toward malicious and benign respectively, achieving high precision on both label types. The labeled anomalies augment the training data for cybersecurity classifiers. We evaluate our method across three structurally different data types with monthly ingestion scales spanning separate orders of magnitude. We'll explain the architecture, walk through LLM reasoning on real anomalous files, show real world before and after results, and give you everything you need to build this for your own detection systems.
Security Before Cyber: Building Robust Security & Compliance Programs from Scratch
Training Ground, Tuesday 15:00-19:00, PUB 365 Back Room
Most security folks inherit a security program, or learn how to build one (with lots of pain and suffering) as they go. Small companies and startups don't need to suffer those mistakes - with this training, we'll coach you through the elements of a healthy security program and use them to set up metrics and a strategic roadmap meaningful to leadership. You'll learn how to use these metrics and roadmap to justify security purchases. If you're an IT person moving into security, or a security person wanting to understand strategy better, this training is for you!
The State of Mac Malware: How macOS Became a First-Class Target
Proving Ground, Tuesday 18:00-18:15, Firenze
For years, the conventional wisdom was that Macs don't get malware. That story is over. Atomic Stealer (AMOS) has matured into a polished malware-as-a-service operation with regular version churn and a thriving criminal-forum economy around it. MacSync arrived shipping with notarized Developer IDs and ClickFix-style Terminal-paste delivery, breaking the long-standing assumption that "signed and notarized" means safe. North Korean actors are running fake-recruiter campaigns against macOS developers. The macOS threat landscape has changed more in the last 18 months than in the five years before it. This talk is a current map of that landscape: the families that matter right now, how they're getting on the box, what they steal, and where Apple's built-in defenses help, where they don't, and what defenders need to layer on top. We'll dig into AMOS as the template the rest of the ecosystem is copying, MacSync as the case that forced everyone to rethink notarization, and the macOS primitives attackers keep abusing — osascript, AppleScript GUI prompts, Keychain dumping, Launch Agents. Attendees will leave with a current threat model for macOS in their environment, a short list of the families and TTPs to actually care about today, and practical pointers for detection using free and built-in macOS telemetry.
It bleeds…but we can’t kill it: how IPIDEA’s weak opsec allowed us to see the inner workings behind the botnet’s resilience. - TOKEN: 5
Skytalks, Monday 17:00-17:45, Sienna
IPIDEA is a Chinese-based criminal proxy network with over 10MM daily IPs, made up of backdoored victim devices in virtually every nation on earth. This network is marketed on underground forums, funneling malicious traffic at petabyte scale. In terms of its presence and reach, the IPIDEA proxy service has us completely surrounded - and has only continued to grow since 2020. Their lax approach to security is a critical concern for victims - but also allowed researchers to take advantage. In this talk we will show their operations from the inside out, including how their operators brute-forced access into government targets in the U.S. and other countries, spread their holdings among providers for resilience...and even applied for credit cards. We conclude by showing how bit a threat this proxy is, and what we can all do to fight back. There will be receipts, memes, and photos of the puppy that's being left sad and fatherless, just for the sake of this talk.
To catch a PseudoScientist - TOKEN: 6
Skytalks, Monday 18:30-18:45, Sienna
Scientific publishing is increasingly vulnerable to organized credibility fraud. Paper mills, pay-to-publish journals, fake peer review, citation rings, authorship scams, and platform-based scam researchers have turned parts of academic publishing into a marketplace where scientific authority can be bought, rented, or faked. This talk examines how these systems operate, how fraudulent researchers use publications and platforms to manufacture legitimacy, and how weak publishing incentives allow low-quality or deceptive work to enter the scientific record. I bring receipts!
Always Cloudy in Chengdu, Inside the Sophos Pacific Rim Campaign - TOKEN: 13
Skytalks, Tuesday 18:00-18:45, Sienna
Between 2018 and 2023, a small security operations team inside Sophos ran one of the longest running counterintelligence operations ever conducted by a private security vendor against a nation state adversary, tracking a China nexus actors through five years of escalating adversary contact, from the discovery of the Cloud Snooper stealth rootkit through to the FBI indictment of Guan Tianfeng. This talk is the operational account of that campaign: not a retrospective of the published Pacific Rim research, but the story of how that intelligence was actually built. It covers the decisions made in real time, when to deploy telemetry, when to hold back patches to preserve opsec, when to share intelligence with government partners and when to wait and what it means to conduct persistent counterintelligence against a state backed actor when you are a commercial security company, not a government agency. The adversary made mistakes. They worked China office hours and stopped during city lockdowns. They browsed Malaysian property listings through the firewall they were attacking. Reused tooling lifted from a prior Fortinet campaign without cleaning the artefacts. Submitted a critical zero-day as a bug bounty the day before deploying it at scale. They were findable and the process of finding them, tracking these malicious actors across five years of operations, and ultimately contributing to a indictment is the practical lesson this talk exists to deliver. Attendees will leave with a grounded understanding of how China-nexus adversary operations are actually structured, what persistent vendor led counterintelligence looks like in practice, and why its important to select a vendor that takes forward action.
Abusing Agentic AI Browsers: An Exploit-Based Approach
[un]prompted, Monday 10:00-10:45, Tuscany
AI browsers are all the rage now, transforming the good-ol'-browser from a passive observer of the web into an active, agentic participant. But with great power comes great responsibility, and AI browsers are ripe for exploitation, effectively turning them into autonomous insider threats. This session will deep-dive into agentic AI browsers, how they can be exploited, and what security professionals can do about it. We'll examine the building blocks of AI browsers and the key architectures for LLM, SLM, and MCP-based deployments, and for each one, we'll systematically demonstrate how they can be exploited and compromised. We'll go beyond theoretical explanations and demonstrate real-life exploitation pathways of both AI-specific attack vectors (such as prompt injection, bending guardrails, AI memory poisoning, etc.), as well as traditional exploitation pathways such as CSRF, font-based injections, and RCEs that have been given new life by agentic browsers.
Music School Dropout to Cybersecurity Auditor - My Journey Into Cybersecurity
Hire Ground, Wednesday 12:30-12:50, Florentine B
Kim is a Cybersecurity Auditor at Google where she and her team operate as Google's the third-line of cyber defense. Her journey to this role was unexpected, starting life on a music-focused path before falling into technology. She discovered a passion for cybersecurity while working in software testing and learned to code along the way. Kim emphasizes the importance of pursuing passions, building an online presence, investing in networking, and maintaining a positive attitude to achieve success in one's career.
ScamBench: Measuring Real-World Risk of AI-Generated Social Engineering
Ground Truth, Tuesday 18:00-18:45, Florentine E
AI systems are rapidly lowering the cost and increasing the scale of phishing and social engineering attacks. After studying AI-enabled deception and fraud for over half a decade, we have compiled our knowledge into ScamBench, a benchmark designed to systematically evaluate AI-enabled social engineering across email, voice, and multi-step attack scenarios, such as pig butchering. This presentation describes how we model personalized attacks and measure their effectiveness against three datasets: human participants via real-world phishing simulations, synthetic users, and human participants via large-scale survey assessments. Each data set measures three types of social engineering: personalized (based on information such as affiliation and collaborators), semi-personalized (based on information like the user’s zip code), and generic. We present the methodology and results from each data stream, including our approaches to OSINT collection, email personalization, and the construction of individual vulnerability profiles. We also describe how we design synthetic users to closely mirror real-world behavior and demographics. We then outline a range of defensive measures, including policy interventions such as strengthened KYC requirements for domain registrars, and practical guidance for individual users on data minimization (specifying which personal information to remove or retain based on its relative value to the user versus its utility to an attacker, as informed by our vulnerability profile analysis). Finally, we discuss our ongoing collaboration with Frontier AI labs and how ScamBench could be used as part of pre-deployment security assessments to inform safer, more responsible model releases.
From Copilot to Commander: Building Agentic AI for Security Investigations
Training Ground, Tuesday 10:30-14:30, H114
A hands-on 4-hour workshop on building AI systems that reliably run security investigations. Many teams now get useful help from copilots and coding agents on single questions. Few can reliably run many-step investigations across logs, tools, and incidents. Investigation agents fail not because of model quality, but because investigations are multi-step, ambiguous, and tool-heavy: small errors avalanche, and unlike AI coding, there are no unit tests to keep things on track. Join a fun and interactive workshop with the instructors who taught the most popular Black Hat 2025 AI training, built the first AI agent to autonomously solve the full Splunk Boss of the SOC CTF, and won the US Cyber Command AI alert competition. This workshop brings the essence of a 2-3 day course version. One demo and three labs are paired with lecture material. Use course-provided LLMs and agent harnesses, or BYO tools like Claude Code and OpenCode: * Demo - OSS AI: Run an OSS LLM locally and watch it hallucinate on SOC questions * Lab 1 - AI CTF (30m): Point an agent harness at an investigation CTF spanning endpoint, cloud, identity, email, and other incident types * Lab 2 - Timelining (1hr): Author and use a plan.md timelining skill * Lab 3 - Evals leaderboard (1hr): Score the skill, error-analyze the traces, fix the skill, watch the score move * Keep iterating at home after the workshop Fundamentals cover OSS model selection, agent harness anatomy, MCP and skills, planning patterns, evals, and adoption patterns. You leave with a working agent, reusable skills, a methodology, and ideas on what to do next. Audience: SOC/IR analysts, threat hunters, detection engineers, architects, technical leaders Prereqs: Laptop, familiarity with security data, optional Python. Recommended: Pre-work to install an agent harness.
Root Access to Reality — A Project Management Bootcamp for Hackers
Training Ground, Monday 15:00-19:00, H114
Root Access to Reality A Project Management Bootcamp for Hackers Half-Day Session | 4 Hours Most hackers can crack a system in minutes but watch their own projects spiral into chaos for months. Root Access to Reality is a no-nonsense, half-day bootcamp designed to give security professionals the same level of control over their projects that they have over a target system. This session strips project management down to its core exploits — scope definition, task prioritization, timeline management, and stakeholder communication — and re-frames them through the lens of the security mindset. Attendees will learn why a well-structured project plan is just another form of reconnaissance, why scope creep is the most dangerous vulnerability in any operation, and how agile sprints mirror the iterative nature of a penetration test. Through hands-on exercises, real-world "plus/delta" of failed security projects, and brutally honest discussions about why smart people ship late, participants will walk away with a practical PM toolkit tailored to the way hackers actually think and work. No Gantt charts were harmed in the making of this session. Key Takeaways: 1) Map the hacker methodology to proven project management frameworks 2) Identify and neutralize scope creep before it kills your project 3) Build a lightweight roadmap that survives first contact with reality 4) Communicate progress to stakeholders without losing your soul Prerequisite: Attendees should have working knowledge of at least one offensive or defensive security domain. No PM experience required — in fact, a complete absence of it is considered an asset.
Mapping the AI Security Landscape: A Comprehensive Analysis of Research Clusters, Disciplinary Gaps, and Defense-Attack Misalignment
[un]prompted, Monday 18:00-18:30, Tuscany
AI systems are increasingly being used to conduct cyberattacks and are simultaneously becoming prime targets. Still, the field studying this phenomenon is fragmented across AI safety, human-computer interaction, cybersecurity, misinformation research, psychology, law, and governance. This AI security community analysis maps the literature and research clusters across five major academic databases, including Elsevier and Semantic Scholar. We examine which communities are most prominent and most neglected, identify leading institutions, researchers, and geographic hubs for each area, and analyze how the intersection of AI and cybersecurity is defined across different sectors. We propose a 12-category taxonomy of AI security threats and defenses, a catalog of 200+ empirical benchmarks and evaluation frameworks, and a framework of 30 mitigation strategies spanning technical, organizational, and regulatory layers. We also introduce the AI Security Threat Surface model, which characterizes AI systems as simultaneously being attack vectors, attack targets, and attack amplifiers. We hypothesize that our analysis will reveal fragmented research communities, suboptimal cross-disciplinary collaboration, and defense research that is poorly aligned with the latest advances in attack capabilities. We further expect to find that the most critical intersections of AI and cybersecurity are systematically understudied relative to their risk surface. Complete findings from our literature mapping and taxonomy analysis will be presented at BSides in August.
Building and Leading High-Performing Security Teams: A Practitioner’s Playbook
Hire Ground, Monday 11:00-11:25, Florentine B
Most security leaders are exceptional technologists, but building and managing a high-performing security team requires an entirely different skill set - one that is rarely taught and almost never documented. This talk closes that gap.Drawing on 20+ years of experience spanning Big 4 consulting, multiple security org builds from scratch, and security leadership roles at fintech, banking, and SaaS companies, this session delivers a comprehensive, practitioner-tested playbook for security team leadership.Attendees will walk away with actionable frameworks across the full leadership lifecycle: crafting job descriptions that attract elite talent, structured onboarding plans that accelerate time-to-contribution, Agile practices purpose-built for security teams, performance management grounded in four concrete pillars, and managing up to executives with clarity and confidence.Beyond operational mechanics, the talk addresses the human dimensions of leadership that often go unspoken: building psychological safety, navigating conflict, developing a culture of continuous learning, and supporting team well-being to prevent burnout, a persistent challenge in a high-pressure field. Key topics include: * Hiring and onboarding frameworks tailored for security roles * People management and feedback best practices * Agile sprint structures adapted for security team workflows * Performance management pillars that go beyond job role execution * Personal development and learning plan design for practitioners * Managing up: communicating effectively with executives and boards * Remote team leadership and cross-functional stakeholder engagement Whether you are a first-time security manager, a seasoned CISO, or a practitioner preparing to lead, this session delivers real-world guidance, not theory. Every framework presented has been used in production at companies ranging from 10-person startups to public companies. Come prepared to take notes; the slides include reusable templates you can apply to your team on Monday.
Victim as a Service: Engaging with Trust Based Scams using AI
Ground Truth, Monday 11:00-11:30, Florentine E
Pig butchering and other interactive online scams build trust over weeks to months, making them both highly effective and extremely difficult to study. In this talk, I will describe how we measure ground truth on this difficult and growing ecosystem. First, I’ll describe the design of an LLM-driven system that can sustain realistic, long-term engagement with scammers for weeks to months, enabling large-scale investigation of their tactics in the wild. I will discuss how we attract scam attempts, maintain thousands of convincing dialogues over time, and navigate the "milestones" scammers use to advance victims toward payment. I'll end with what this approach uncovered about scammer workflows (such as the “cross-platform” jump the majority of them use) and how this measurement-driven understanding of the pig-butchering ecosystem powers data-driven scam defenses.
Trust No Agent: Cryptographic Identity and Verifiable Messaging for AI
Common Ground, Tuesday 11:00-11:30, Florentine F
Multi-agent AI systems are proliferating fast, but who is the agent? Most deployments rely on TLS, API keys, and bearer tokens, with no portable identity, no message attribution, and no audit trail. When one agent tells another to take an action, the receiver has no additional verification the sender is who it claims to be. This talk demonstrates a practical stack for solving both problems: Auth0 Machine-to-Machine (M2M) applications for scoped API access, paired with ATProto (the protocol underlying Bluesky) for cryptographic, publicly verifiable agent identity and messaging. Each agent gets a DID and a secp256k1 keypair. Its public key lives in Auth0 client_metadata. Every message is a signed ATProto record, verifiable by anyone without trusting a central authority. To make this observable, we built a live demo: two teams of AI agents play Codenames. Audience members watch a real-time feed of agent deliberation records stream over ATProto; each one signed, DID-attributed, and auditable. You'll watch agents disagree, defer to each other, and guess wrong; all with verifiable authorship.
Threat Actors: Gotta Catch Them All
Training Ground, Monday 10:30-14:30, H114
This hands-on workshop explores the world of cyber threat actors and the intelligence that helps us understand and counter their activity. Participants will learn how to identify threat actor tactics, techniques, and procedures (TTPs), and apply threat intelligence models to real-world case studies. They will also learn how to pivot from a single indicator of compromise (IoC) to build a picture of threat activity. Through collaborative exercises, attendees will analyze incidents using frameworks such as MITRE ATT&CK and build actionable threat intelligence profiles.
Nullify Prompt Injection Attacks
[un]prompted, Monday 15:00-15:30, Tuscany
For the last few years, it feels like everywhere you turn there’s another story of a prompt injection causing massive AI system misbehavior and security incidents. So companies build filters, do AI model red-teaming, and create observability gateways. But these defenses miss the root cause: fixing the architectures that make these attacks dangerous in the first place. In this talk, we argue something intentionally controversial: prompt injection can become operationally irrelevant if AI systems are designed correctly. We’ll show why modern AI systems fail under adversarial input, why common “guardrails” break, and what actually works in production. Through real-world examples, we’ll explore encapsulation, type safety, deterministic policy enforcement, hallucination containment, and the “lethal trifecta” pattern that makes AI systems exploitable.
Bashing CloudShells for mining, networking, exfil and persistence at scale
Breaking Ground, Tuesday 11:30-12:15, Florentine A
We reverse-engineered 3 private CloudShell protocols (AWS/GCP/Azure), uncovered IAM and design flaws along the way, and built an API and an open-source toolkit, **CloudBasher**, that automates CloudShell exploitation at scale while mitigating technical constraints like container reset, ephemeral file systems, and user sudo access. We'll demo exploit cases riding on the API including deployment of a C2 network running across multiple accounts/regions, and delve into the underlying research of how IAM design idiosyncrasies that allow wider-scale abuse: - WebSocket sessions survive API token revocation; - Unmanaged role sessions + unmanaged CloudShell resources == high volume resource abuse - Default permissions that make it easier to exploit CloudShells - How ephemeral controls like cContainer resets can be overcome (access/IAM/file) to achieve persistence - Survivability of locked down environments - What `$HOME` persistence means for implant survival
Hunting North Korean Malware Over the Years - TOKEN: 13
Skytalks, Tuesday 18:45-19:00, Sienna
We've been fascinated watching how North Korean threat actors scale their operations, the range of their activity, and the creativity of their attacks. They have been actively evolving their tradecraft and malware over the years, and we've encountered many variants firsthand. This talk will mostly focus on Famous Chollima, and in particular Contagious Interview — a targeted operation aimed mostly at IT professionals, leveraging the trust of legitimate developer platforms including GitHub, GitLab, Bitbucket, and NPM to distribute malicious payloads. As Incident Responders at Atlassian, we've been on the front lines fighting this abuse on Bitbucket. In this talk, I'll walk through how we tracked the campaign, how we hunted for it across our infrastructure, and the challenges we faced along the way. I'll share concrete statistics — how many repositories investigated and taken down, the variants we observed — and leave you with actionable threat-hunting intelligence you can apply on your own platforms today.
X-Ray Specs for Agents: Pentesting MCPs, Skills, and the Plugin Supply Chain
Common Ground, Tuesday 11:30-12:15, Florentine F
MCP X-Ray is an open-source scanner that brings pentest tradecraft to MCP servers, the services that let AI agents use external tools, data, and systems. It pairs static analysis with active testing against the live server: statically, X-Ray flags insecure tool definitions, over-privileged tools, vulnerable dependencies, and exposed secrets; then it runs an LLM-driven pentest, calling the real tools with adversarial inputs to exploit the bugs static scanners miss, command injection, SSRF, path traversal, and authorization bypass, and exports results as SARIF for GitHub code scanning, VS Code, and CI gates. The demo finds and exploits two of these vulnerabilities in a live MCP server, then shows how the same exploit classes surface in agent skills, plugins, and other parts of the AI agent supply chain.
Destroyed by Breach: Corporate casualties of cybersecurity failures
Common Ground, Tuesday 10:00-11:00, Florentine F
The cybersecurity industry has spent 15 years promoting the same narrative: a breach can be an extinction-level event, and 60% of small businesses fail within six months of being hacked. It's a great line for a vendor pitch or a board slide, but is it true? The Destroyed by Breach project was created to investigate this narrative by searching for evidence. Discovering how these companies failed can help others from suffering the same fate. This talk walks through the origin of the project, the stories behind some of its most instructive entries — from Code Spaces' five-person collapse in 2014 to more recent, more complicated failures — and the uncomfortable conclusion the data points to: the most important lesson is in how the breach is handled, not how the breach happens. We will also look at the different ways these companies died, what separated them from peers who got hit and survived, and why the absence of good failure data is itself one of the biggest problems in security today.
AWS Principal Threat Hunting: Behavioral Baselining for Malicious Activity
Training Ground, Monday 15:00-19:00, H108
Cloud security encounters attacks that elude standard detection. In AWS, unauthorized access keys are a common cause of breaches. The vastness of AWS—over 450 services and 19,000 API actions—complicates threat visibility and exposes gaps in traditional tools. This workshop empowers participants with direct, hands-on experience using the AWS Threat Hunter tool to improve threat detection. Attendees will focus on building behavioral baselines and leveraging data-driven analysis to detect subtle AWS principal anomalies, enabling more precise detection than traditional event monitoring. Attendees will move beyond standard techniques by building multi-stage detection pipelines that create individualized baselines for each IAM principal and systematically flag personalized deviations, linking outliers directly to risks.
Reheated Leftovers are Making Us Sick: How Old Data Breaches are Causing New Problems
PasswordsCon, Wednesday 11:00-11:30, Tuscany
Americans hate leftovers. With at least 40% of people despising them, and according to the CDC, our leftovers are making us sick. With over 48 million people getting sick each year. Not to be outdone, Cybercriminals are using leftovers, or previously compromised data, to cause us all heartburn. Previously compromised data is identity and credential data that was exposed in past breaches and later repackaged, aggregated, enriched, and reused in new attack campaigns. While AI and complex zero-day exploits are getting all the headlines, cybercriminals are still finding success using stolen login credentials from years ago. Which begs the question – why are criminals using these old data breaches as the starting point for new exploits? Because it works. This presentation will explore how attackers are using leftovers to target us by highlighting a few examples pulled from the headlines. Before outlining why this approach is still effective, along the way, we will discuss common pitfalls of traditional approaches to passwords. Then we will explore how we can bring fresh recipes to cybersecurity.
Turning GitHub Issues Into RCE: Exploiting AI Agents in CI/CD Pipelines
[un]prompted, Monday 17:30-18:00, Tuscany
Prompt injection has often been dismissed as a model safety issue, but that assumption fails once AI is embedded into systems that can act. In this talk, we show how AI agents in CI/CD pipelines introduce a new attack path where untrusted user input can influence privileged execution. We proved this by achieving command execution and exfiltrating secrets across multiple production systems, including Google, Datadog, Vercel, and other Fortune 500 environments. In Google’s Gemini CLI, we injected instructions that caused the agent to call internal tools and write secrets such as GITHUB_TOKEN, GEMINI_API_KEY, and cloud credentials into public issue data. In Vercel workflows, we injected payloads into model-generated output that were later executed in a shell context, resulting in GH_TOKEN exfiltration. Across systems, the pattern is consistent: untrusted input enters prompts, model output drives behavior, and that behavior executes with elevated privileges. We break down the exploit chains and show why this class of vulnerability is difficult to eliminate in practice.
Legalized Discrimination: How Algorithms gradually take away our rights
Proving Ground, Tuesday 12:00-12:45, Firenze
AI has captivated the world with the massive productivity enhancements it brings to traditional workflows. However, automation is not always beneficial. Decision making that does not involve humans from start to finish can (un)intentionally punish certain demographics without anyone noticing. The automated nature also makes it more challenging for those that were disenfranchised to appeal verdicts, as there is no mechanism for humans to intervene. In this talk, I share two instances of being denied from boarding transportation that I paid for, once on a bus and the other on a plane. I elaborate on how the staff dealt with my complaints and how they repeatedly lied to my face in order to free themselves of any wrongdoing. I reveal the disparate burden the current legal system puts on consumers, as I could only produce probable theories that caused my tickets to be cancelled at the last minute since neither corporation was able to reproduce any logs that could definitively prove what flagged their autonomous agents. Then, I explain why this matters to security researchers and the general public. This issue isn't limited to transportation. Agents are being deployed across numerous industries without the necessary guardrails and accountability systems to prevent such oversights. As the public sector joins the AI bandwagon, more decisions on public matters will be decided by computers, which we cannot avoid as opposed to boycotting companies. For instance, if local voting booths lack the budget to hire enough workers to check people's identification and instead resort to AI robots supplied by a private institution, how can we definitively ensure that the faceless machines are systemically denying people of color significantly more often than the privileged, and how can they fight back? I elaborate on how we can solve this emerging problem before it is too late.
The Synthetic Insider: Securing Non-Human Identities in Cloud Workflows
PasswordsCon, Tuesday 18:30-19:00, Tuscany
Cloud security has traditionally focused on human and service identities. However, AI-driven automation is introducing a new category: **non-human identities that act autonomously in cloud environments**. These “synthetic insiders” operate in CI/CD pipelines and internal tooling, interacting with code, APIs, and infrastructure using inherited permissions. Unlike traditional identities, their behavior is non-deterministic, their ownership is unclear, and their actions are difficult to audit. In this talk, we explore how AI agents break existing identity and access assumptions. We show how these systems become over-permissioned, bypass approval boundaries, and introduce gaps in accountability. Attackers can exploit this not by stealing credentials, but by influencing trusted automation. We then present a framework for securing non-human identities, including ownership models, permission scoping, and improved observability. As AI becomes part of cloud operations, identity must evolve beyond *who has access* to *what is acting on our behalf*.
S.L. Confidential: The Dirty Secrets of InfoStealers - TOKEN: 3
Skytalks, Monday 14:00-14:45, Sienna
We read stealer logs for a living. After thousands, you stop seeing credentials and start seeing people: the CEO’s kids' school names autofilled in the browser, the error message they Google translated at 2am, the bank accounts, the affair, the password they reuse for everything. Stealer logs are the most intimate piece of intelligence in our industry, and they're sold for the price of a sandwich. We want to show you what's inside several. Not sanitized screenshots from a vendor blog: real logs, real victims, including some of the operators themselves, and the full sweep of what 50 million of them floating around the underground looks like at ground level. The browser autofills alone will change what you knew about the capabilities of stealer malware. This talk benefits two audiences at once: the IR people who get called when one of these logs lights up an executive, and the red teamers who can't credibly emulate a modern adversary without understanding what a stealer log actually hands the attacker on day one. To have some hope about the future, we'll get into Chrome's Application-Bound Encryption (already broken but its ok and why) and Device Bound Session Credentials (the interesting one), and where each leaves us. And then we want to share where we think the next generation of stealers is heading. On the defensive side, we'll get into Chrome's Application-Bound Encryption (already broken, and that's actually fine) and Device Bound Session Credentials (the actually-interesting one), and where each leaves us. And then where we think the next generation of stealers are heading: webcam capture at infection, real persistence in the browser, and what happens when a log stops being a snapshot and becomes a live wire. You think you know what's in a stealer log. You don't. We’ll show you.
MCP Servers Are a New Attack Surface: A Practitioner’s Guide to Building and Using Them Securely
Proving Ground, Tuesday 17:30-18:00, Firenze
Model Context Protocol is only as secure as the server you build it on. In under two years it has gone from wiring up local tools to the default way AI agents reach real systems, and it is now shared infrastructure backed by major companies, with tens of thousands of servers published. An agent crosses a trust boundary on every tool call and resource fetch, and the protocol leaves the server to decide what is allowed. If the server does not draw those boundaries, nothing else will. This is a builder's guide for anyone writing their first MCP server. The perspective of this talk is from a security engineer and OWASP GenAI Security Project contributor who builds MCP servers. Securing one is not just about adding controls. Often it is about keeping the surface small. It is how you pick a transport and what it exposes, why a few high-leverage tools beat a long list of narrow ones, and why the most effective control is sometimes removing a capability rather than guarding it. This talk closes with a short checklist for the other side of the problem: what to check before you connect a third-party MCP server, drawn from the OWASP guidance on third-party MCP usage. You will leave with a mental model for the trust boundaries an MCP server has to own, patterns you can apply to your own server, and a checklist for vetting the MCP servers you consume.
Quality Over Quantity: A Targeted Approach to Breaking Into Cybersecurity
Proving Ground, Tuesday 14:00-14:30, Firenze
You can apply to hundreds of jobs and hope something sticks. That is spray and pray. It can work, but it wears you down, scatters your effort, and leaves your results to chance. There is a steadier way that keeps you consistent inside a scope you can actually sustain. It is not a secret. It is a system. I broke in with no US work history and no network to inherit, and this targeted approach landed me interviews at Meta, Palo Alto Networks, TikTok, and IBM. The system is simple. Build a short list of target companies, small enough that you can actually keep up with it. Rank them by what genuinely matters to you. Then work the list from the ones you want least to the ones you want most, so every interview becomes practice for the one that counts. Whether you are an international student, a career changer, a bootcamp grad, or early in your career and trying to break into security or level up, this is for you. You will leave knowing how to build your own targeted list, research and reach the right people, use conferences and meetups for networking in addition to LinkedIn, and keep your resume and LinkedIn profile ready, because luck favors the prepared. The real skill is turning one opportunity into many.
Hacking My First Web App: A Hands-On Lab to Exploit & Fix Real Flaws
Training Ground, Wednesday 10:00-12:00, H110
Security checklists and "Top 10" lists are fine, but they don't teach you how an attacker actually thinks. To really understand web security, you have to get your hands dirty breaking code. This workshop skips the theory and puts you straight into the terminal. We’ve built a lab full of intentionally messy, vulnerable apps that mimic the real-world flaws found in modern software. You’ll spend the session acting as the attacker to see how these bugs actually work under the hood. We’ll be hunting for: IDOR: Poking at IDs to grab data you shouldn't see. XSS: Forcing a browser to run your own scripts to hijack sessions. SSRF: Tricking a server into attacking its own internal network. SQLi: Talking directly to the backend database to bypass logins. We’ll move from simple "Hello World" exploits into advanced bypasses that real hackers use. You’ll walk away knowing exactly why these bugs exist in the code, and more importantly, how to actually kill them at the source.
Reality Pentesting in Practice: Hands-On Cognitive Red-Teaming
Training Ground, Monday 15:00-19:00, H112
As technical defenses mature, adversaries pivot to a reliable vector that remains largely unpatched and massively scalable: human perception. What were once amateur influence operations are now industrial-scale campaigns with dedicated infrastructure, precision behavioral targeting, and AI-augmented execution... And yet, most security teams still have no engagement methodology for the cognitive layer. Reality Pentesting is a framework for adversarial testing of human perception and decision-making, organized across a 5-layer Cognitive Field Topology (Sensory Interface, NeuroCompiler, Mind Kernel, The Mesh, Cultural Substrate). In this workshop, you'll work the methodology end-to-end against a fictional target. You know how to scope a pentesting engagement, run recon, walk an exploit chain, and write up your findings. This workshop applies that same disciplined methodology to a target most practitioners have never truly tested: human cognition. Four hands-on modules: 1. Recon & Scoping — Build a cognitive profile of your target. Identify primary info inputs, trust hierarchies, and Personally Identifiable Behavior (PIB) leakage. Define rules of engagement and the consent boundary. 2. Topology Mapping & Attack Chain — Walk the five layers. Identify exploitable surfaces at each. Tabletop a multi-layer attack chain and identify which controls would/n't catch it. 3. Scoring & Triage — Without a standardized CVSS for cognition, how do we rank findings? You'll prototype a scoring system and stress-test it against real-world incidents from the recent past. 4. Reporting & Remediation — Draft a remediation plan that grapples with the dosage problem (where awareness training tips into distrust cultivation), the audit log problem (was this belief organic or implanted?), and the intimacy problem (duty-of-care). Attendees will leave with a working topology, scoping template, draft scoring rubric, and a candid sense of the structural problems the field still can't cleanly solve. Bring a laptop, a curious mind, and tolerance for playing with unfinished frameworks.
If an Autistic Girl From Rural Mississippi Can Make It in Infosec, So Can You: Building a Cybersecurity Career on Your Own Terms
Hire Ground, Tuesday 11:00-11:55, Florentine B
This talk is about building a successful infosec career when traditional networking advice doesn’t work for you. As an autistic woman in cybersecurity, I’ll share what actually helped me build a career: deep technical interests, teaching, community involvement, creating visible impact, and finding ways to become genuinely valuable to hiring managers without relying on small talk or “working the room.” From hackerspaces and workshops to public speaking and content creation, this talk focuses on practical strategies for turning your differences into strengths and building a career on your own terms.
Reverse Engineering and Exploitation from Real DEF CON Challenges
Training Ground, Tuesday 15:00-19:00, H112
(All my workshops have associated multiday classes and are modular so if scheduling requires, I can do them in a different duration slot) CTF write-ups make everything look easy until you try it yourself. In this workshop, participants will break real DEF CON CTF challenges with guidance on how to think through them. Instead of just showing solutions, we walk through the process: how to analyze binaries, identify vulnerabilities, and turn them into exploits. Using tools like IDA Free, Ghidra and Pwntools, attendees will reverse engineer programs, debug behavior, and build exploit scripts. The focus is on how to approach unknown binaries and figure out how to break them, not just how to follow a solution. By the end, participants will be able to go from “what is this binary?” to “here’s how I exploit it.”
Making the Leap: Advice for Career Field Changers or those new to IT
Hire Ground, Wednesday 12:00-12:25, Florentine B
Making the leap into IT or cybersecurity—especially later in your career—can feel like an uphill battle. Many “entry-level” roles paradoxically require years of experience, leaving newcomers stuck wondering how to get started. This talk cuts through that frustration with practical, real-world guidance on how to break into the field without following the usual ineffective advice. Drawing from firsthand experience transitioning from over a decade as an EMT into cybersecurity, I’ll share how I spent seven months applying full-time to land my first role—during a period of real financial pressure—and how I used that opportunity to pivot into a significantly better position within six months. We’ll explore what actually matters to employers, how to build meaningful hands-on experience, and how to translate non-traditional backgrounds into strengths. Attendees will walk away with actionable strategies, free and accessible tools, and a clear path to breaking into IT or cybersecurity—even without prior professional experience.
What Bounds Your Coding Agent? A Field Guide to Access, Inputs, Supply Chain, and Hooks
Common Ground, Wednesday 11:00-11:45, Florentine F
An AI coding agent in 2026 is best understood as three trust questions running in parallel. 1. What can it reach? When you launch the agent on your laptop, it inherits your shell, your `~/.aws/credentials`, your SSH keys, your `kubectl` config, the database clients your `.pgpass` knows about. 2. What shapes its decisions? Every tool call is a function of your prompt, the agent's own reasoning, and the context it pulled in from MCP responses, scraped READMEs, dependency docs, and issue bodies. All three sources are rendered into the model with the same trust level and no native untrusted-source tag. 3. What's it allowed to load? The skills, MCP servers, and plugins it has access to come from a supply chain you mostly didn't build, distributed through marketplaces with varying degrees of vetting. Each question is its own attack surface, and most coding-agent incidents in the last twelve months sit at the intersection of two or three of them. A malicious MCP server (supply chain) sends a prompt-injected tool result (inputs) that gets the agent to run a shell command against the production credentials it inherited from your shell (access). The interesting failures live in the seams. The good news, is that the harness has caught up. There's now a real control plane for each of the three questions: agent sandboxes, allowed-MCP enforcement, managed skills and managed plugins on Teams and Enterprise plans, and the hook system (PreToolUse, PostToolUse, UserPromptSubmit, SessionStart) for inspecting and blocking tool calls based on what action is being taken, what input prompted it, and what context is in scope. All of it is in the official Anthropic and MCP docs. Live demos walk one chained attack that touches all three boundaries, then defend the same attack with off-the-shelf harness controls. For developers, security engineers, and detection engineers.
Your Context is Mine! When a Single Drop Poisons the AI Agent’s Well
Ground Truth, Tuesday 15:00-15:45, Florentine E
Every AI agent you've seen lately works the same way under the hood. It pulls in documents, emails, Slack messages, search results, whatever it can find, stuffs them into a context window and reasons over all of it at once. That's what makes agents useful. It's also what makes them exploitable. We've been running a large-scale empirical study of a question the field hasn't taken seriously enough. What happens when you slip a single adversarial document into that context alongside dozens of legitimate ones? We call this Context Poisoning (CXP) and it is not prompt injection. There are no rogue instructions, nothing a prompt injection filter would catch. The attacker has exactly one objective: to flip the agent's decision. Every move looks legitimate. The poisoned document just reads like a well-written report that happens to say the opposite of everything else. The model reads it, finds it credible and shifts its conclusion. To achieve the flip, the attacker can use a variety of attack vectors, like a subtle or strong assertion propped up by a plausible "the record has been updated" framing, or a blunt or even fabricated claim that needs no craft at all. We ran this across realistic enterprise recommendation scenarios: HR evaluations, financial analysis and corporate strategy. The findings challenge assumptions builders are making today. Robustness to CXP is far from uniform. The obvious defense, drowning the poison in more legitimate context, turns out to be unreliable. And some of the context engineering practices that make agents smarter can widen the attack surface instead. On defense, we've been analyzing a variety of approaches like secure context engineering and prompt hardening. Some directions look promising, but no single measure closes the gap and the analysis is still coming in. In this talk we'll walk through the threat model, share what the empirical study is showing us so far, show live demos of CXP flipping agent decisions and cover what we're learning about defense. This is ongoing research and we'll be honest about what we know, what surprised us and where the open questions are.
Mind the Gap: Bridges, Backplanes, and BloodHound
Breaking Ground, Tuesday 14:00-14:30, Florentine A
Segmentation is the last line of defense for unsecurable systems, but it's the toughest control to enforce at scale. Savvy attackers skip the firewall and slip through the accidental bridges, out-of-band channels, and protocol gateways that nobody scoped: from a technician's laptop, to a dusty old printer, to a thermostat that exposes hundreds of building controls from a single overlooked service. This talk covers the most dangerous failures and how to analyze them at scale using open-source tools. We'll start with three common entry points and how to find them: * **Bridges:** multi-interface hosts and network devices doing things they shouldn't. * **Out-of-band channels:** baseboard management controllers, KVM-over-IP systems, and serial port servers used for remote console access. * **Backplanes and buses:** the OT and building-automation protocols that expose sensitive equipment to hostile networks. With the raw data in hand, we'll cover the identity-correlation tricks that catch the same physical host sitting on two networks at once, then feed the result into BloodHound Open Graph and produce the real network map; not the one IT handed you.
Ghost Records: Killing a Vulnerability Class at Enterprise Scale
Breaking Ground, Monday 14:00-14:45, Florentine A
Subdomain takeover has been talked about at conferences for years. Every researcher knows how to find one. So why does it remain one of the most persistent, frustrating, and quietly dangerous problems facing enterprises with large cloud footprints? This talk goes well past the 101. It's about what it actually takes to stop playing whack-a-mole with subdomain takeover in a large, multi-account AWS environment — and start killing it as a vulnerability class instead. We'll be candid about where the time really goes in environments like this: triaging hundreds of low-impact researcher reports, duplicate report floods that swallow bug bounty triage capacity, the ownership-routing nightmare of a sprawling multi-account estate with no central DNS owner, and the point where you realize you can't out-hire a problem like this — you have to out-automate it. We cover what works: automated detection that finds dangling DNS records before researchers do, ownership mapping so findings auto-route to the team that can fix them, and DNS cleanup hooks baked into IaC teardown pipelines so the bug class stops being created in the first place. We also get into the relationship dynamics — how automating detection can shift the researcher relationship from adversarial ("you're spamming us") to collaborative ("you found something real"). We open-source Ghost Records, which inventories all account-owned Elastic IPs across every AWS region and cross-references them against Route53 records to find dangling DNS in seconds. Read-only, multi-account, parallel scanning. Live demo included. If you run a bug bounty program, manage cloud security at scale, or hunt for subdomain takeovers, this talk speaks to you. Half the audience reports these bugs. The other half triages them. We'll cover both sides.
Crypto Is Fine. The Code Is Not: Real-World Cryptographic Failures
Proving Ground, Tuesday 10:00-10:30, Firenze
Cryptography has a reputation for being intimidating, mathematical, and difficult to reason about. In reality, many cryptographic failures in production systems have very little to do with cryptography itself. They happen because of small implementation mistakes such as skipping a validation check, trusting unvalidated input, or selecting the wrong algorithm. In this talk, we take a practical and data-driven look at the OWASP Cryptographic Failures category using GitHub Security Advisories collected as of January 2026. We begin with a brief overview of how these vulnerabilities are distributed across CWEs, then focus on two of the most common failure patterns. Using real vulnerable open source libraries, we examine signature verification bypasses and algorithm confusion bugs. Rather than only showing exploits, this talk actively involves the audience. For each case study, we pause at key moments and work through the vulnerability together, asking questions like what inputs could be sent or what assumptions might be broken. Live demos and CTF-style challenges are used throughout, making the session interactive and approachable even without a cryptography background.
Social Engineering Has a Grammar: Reverse-Engineering the Sequence Behind Real Attacks
Ground Truth, Tuesday 17:00-17:45, Florentine E
Social engineering is commonly described in terms of techniques or signals. Analysis of real- world interactions suggests a more complex structure: actions appear in sequences, and their position within the interaction influences how they are interpreted. This talk presents an empirical analysis of over +1,200 call transcripts. It will focus on identifying whether interaction steps follow stable ordering patterns and how those patterns relate to outcomes. The results show that key elements (e.g., role cues, requests, and verification steps) co-occur as recognizable schemas and sub-scripts rather than independent signals. The session walks through these sub- script sequences and discusses how they can inform detection, red teaming, and training.
One Package, One Backdoor: Can AI Stop the Next Supply Chain Attack Before It Reaches You?
Common Ground, Monday 18:00-18:45, Florentine F
Open source packages are the foundation of modern software development. They save time, reduce cost, and accelerate delivery. But every package you install is also a potential entry point for an attacker. This session takes a hands-on approach to understanding software supply chain attacks from both sides of the attack. On the offensive side, attendees will see how attackers introduce malicious code into a new package release without raising immediate suspicion. We cover how a malicious package establishes a command and control channel during installation, how it reads and exfiltrates environment variables including API keys, cloud credentials, and database connection strings, and how typosquatting tricks developers into installing the wrong package. We use real documented cases across npm, PyPI, and Maven to ground every concept in reality. On the defensive side, we explore how AI is changing the speed and accuracy of supply chain threat detection. We walk through the architecture of tools like the Elastic Supply Chain Monitor, which watches package registries in real time, generates diffs between old and new releases, and sends those diffs to a large language model for classification. The LLM looks for obfuscated code, unexpected network connections, process spawning, and credential access patterns. When it finds them, it alerts the security team before any developer installs the package. We also cover the hardening techniques that reduce your attack surface before an incident happens: using lockfiles to pin exact dependency versions, avoiding exposure of dependency files on public websites, using private artifact repositories to control what enters your environment, and integrating automated dependency scanning into your CI/CD pipeline. Attendees will leave with a clear mental model of the threat, a reference architecture for AI-assisted detection, and a practical checklist they can bring back to their team on Monday.
Mitigating Digital Risk in Critical Infrastructure
Training Ground, Tuesday 10:30-14:30, H112
What Engineers Need to Know About Cyber and Why (and are not getting this in school) This workshop uses a case study of a hypothetical engineering project to support discussion and application of the principles for digital risk mitigation using material developed from Cyber-Informed Engineering (CIE). The scenario draws from a selection of real-world case studies, is fictional, and is crafted to support the application of CIE principles. Workshop participants get a workbook to structure their journey, capture insights and lessons learned, and provide a useful takeaway item that can further conversations after the event. This material demonstrates additional tools that can be employed to reduce digital risk in critical infrastructure projects, upgrades and redesign efforts. This track is designed for anyone who is interested in learning a methodology of designing out cyber-risk before a system is placed into operation.
I Built a Fake Company and the Internet Believed Me - TOKEN: 14
Skytalks, Wednesday 10:00-10:45, Sienna
What starts as a simple honeypot quickly spirals into something much stranger when attackers begin expecting a company instead of a server. So naturally, I built one. This talk dives into the creation and operation of a fully fictional organization designed to attract, confuse, study, and waste the time of attackers. Over time, the environment evolved into a sprawling ecosystem of fake employees, believable infrastructure, synthetic business operations, LinkedIn profiles, intentionally bad decisions, strange telemetry, accidental realism, and the occasional catastrophic own-goal. Everything is automated as much as possible using Ansible, infrastructure-as-code, scripted behavior generation, monitoring pipelines, and enough operational duct tape to frighten a compliance auditor into another dimension. But maintaining a fake company on the public internet turns out to have very real consequences. We’ll explore what worked, what failed spectacularly, the operational weirdness of sustaining deception long term, how attackers behave when they believe they’ve found a legitimate target, and the bizarre moments where the line between simulation and reality started getting blurry. Because eventually, the fake employees start needing passwords.
Translating Cybersecurity Expertise into Community Practice: Lessons from Minneapolis Mutual Aid Work - TOKEN: 8
Skytalks, Tuesday 11:15-11:45, Sienna
Cybersecurity is often framed as a discipline focused on protecting corporations, governments, and critical infrastructure. For many professionals in the industry, the work stops there. Yet these same skills used to defend enterprise systems can also be leveraged to support vulnerable communities, grassroots organizers, and mutual aid networks. This reframes cybersecurity knowledge as something that is not solely confined to corporate settings, but instead applicable to broader and more impactful community efforts. When these skills are shared in service of the greater good, they help bridge the gap between industry professionals and the general public, advancing social justice in an increasingly digital world.
The Timing of Exploitation Evidence and Prediction
Ground Truth, Monday 14:00-15:00, Florentine E
This session examines how the Exploit Prediction Scoring System (EPSS) works, what it was designed to do, and how to use it correctly in vulnerability prioritization. Presented by one of the creators of EPSS, the talk begins with a practical overview of the model, its goals, data inputs, and why a probabilistic approach offers a different lens than traditional scoring systems. We will also explore exploitation evidence sources and how they differ in semantics, coverage, and latency, with a focus on what those differences mean when comparing “known exploited” signals to predictive scores.
Programming PLCs for Fun, Profit, and Disaster: Get Your Shit Off the Internet - TOKEN: 15
Skytalks, Wednesday 11:15-12:45, Sienna
Critical infrastructure is still running on exposed controllers, default credentials, brittle remote access, flat networks, unsupported software, and hope. Attackers don’t need Stuxnet, a nation-state budget, or deep industrial expertise. Often, they don’t even need novel exploits. A grid scientist, national-security practitioner, OT red teamer, cybersecurity journalist, and policymaker will have the candid conversation that vendors, operators, regulators, and policymakers rarely have in public: Why is operational technology still exposed? Why do apparently obvious fixes fail? Why have years of public warnings not produced enough operational change? Who is accountable for securing these systems? And what can we realistically change before the next script kiddie (or state actor) changes a physical process? Under the Chatham House Rule, we will have an honest discussion about what must change, and how to move critical systems from “please don’t touch” to defensible and resilient.
Nicole Schwartz, Abhi Ramchandran, Donald McFarlane, Keenan Skelly
The 0-day Vending Machine: No Mythos Necessary
Proving Ground, Wednesday 11:30-12:00, Firenze
Everywhere you look, someone is either panicking about or celebrating Mythos, the superhuman AI that will break everything. Attackers will exploit systems at light speed! Defenders will be overwhelmed with vulnerabilities! The sky will fall! (And of course, AI stock prices will rise). But what if you aren't in the secret handshake club? This talk covers my experiments combining an existing code analysis framework with boring, currently available models to create the mythical 0-day vending machine, and the surprisingly interesting bugs (and catastrophic failures) along the way.
Everything I had to learn about Passkeys
PasswordsCon, Tuesday 12:30-12:45, Tuscany
When I joined a new company in the middle of their passkey implementation, I was just a purple team security engineer. However, with almost every meeting I joined, someone would make a comment, complaint, or question about passkeys directed at me. Hi my last name is Paskey and I'm going to share everything I learned so you can also banter with coworkers, answer questions, or give the impression you might have an idea what a passkey is.
DPAPI Was Never a Lock: How Infostealers Break Every Windows Credential Store
PasswordsCon, Tuesday 10:00-11:00, Tuscany
Saved passwords on Windows rely on three things: a browser process, the Data Protection API (DPAPI), and a user account that has not yet been compromised. Infostealers break all three in minutes. This talk follows a complete infostealer kill chain inside an isolated lab. The chain starts with a single HTA file delivered over HTTP and ends with every saved browser credential, every LSA secret, and the DPAPI master key in attacker hands. No zero-days. No custom tooling. Open source only. The session walks through three credential theft layers in sequence. First, browser storage: Chrome and Edge cookies, Login Data, and extension secrets pulled directly from the user profile while DPAPI sits in front of them. Second, memory: a keylogger migrated into explorer.exe that captures every keystroke without writing a byte to disk. Third, system memory: LSASS access after a fodhelper UAC bypass, exposing NTLM hashes, Kerberos keys, and DPAPI_SYSTEM, the master key that unlocks the browser data harvested in stage one. Every step maps to MITRE ATT&CK. Every step uses Metasploit, msfvenom, and Mimikatz loaded as Kiwi. Every step runs live during the talk against a Windows 11 target on screen. The audience leaves with concrete detection signal mapping for each phase, knowledge of which protections actually hold (Credential Guard, LSASS Protected Process Light, hardware-backed credential stores) and which ones do not (default UAC, browser-managed passwords, file-based antivirus), and a reproducible lab they can run themselves to validate EDR coverage. This is what an attacker sees the moment a user runs the wrong file. Saved passwords are not safe by storage. They are safe by execution boundary, and that boundary is the one most defenders trust the least.
CI Fortify
I Am The Cavalry, Tuesday 17:00-17:45, Copa
CI Fortify is an emergency planning effort led by CISA to ensure our critical infrastructure can operate through a crisis. In this talk we'll discuss how to operate without phones or internet, assumed breach in an OT environment, and what operators and cybersecurity professionals can do to improve the resilience of critical infrastructure.
Proxy Networks and the Threat to Critical Infrastructure
I Am The Cavalry, Tuesday 10:45-11:30, Copa
Adversaries continue to target critical national infrastructure (CNI) via cyber means, and have improved their technical and OPSEC mechanisms in doing so. Key to this evolution is leveraging proxies of compromised network devices, often in residential or small office settings, to facilitate communication from adversary to victim space. In this discussion we will analyze the technical nature of these networks, their implications for monitoring and defense, and policy and ethical considerations for response and mitigation. In doing so we will review current intrusion activity associated with PRC and Russian entities, and the risks associated with continued operations.
Broadcast, Don’t Chat: Hyperlocal Emergency Comms on $11 Radios Or: Why the Mesh Won’t Save You
I Am The Cavalry, Tuesday 10:00-10:45, Copa
When critical infrastructure fails — a cyberattack on a water utility, a Cascadia earthquake, a wildfire that takes the cell network with it — the public's most urgent need isn't chat. It's trustworthy answers: Is the water safe? Which shelter is open? Which hospital is accepting patients? Today, that information lives on websites that assume working cell towers, stable power, and multi-megabyte page loads. Mesh platforms like Meshtastic and MeshCore are often proposed as the fallback. We'll show why they're the wrong shape for the job: emergency information dissemination is one-to-many, but mesh chat protocols are many-to-many. Flood routing saturates, node databases cap out, and every participant transmits — causing consumers of information to become trackable RF emitters. To bridge this gap, we built the right shape: SLIMcast (working title), an open-source, one-way broadcast carousel that pushes signed, SLIM-formatted emergency information pages over bare LoRa. Think NOAA Weather Radio meets teletext — except a county EM office, utility, hospital, or neighborhood resilience hub can stand one up for under $100, and receivers start at $11. Receivers never transmit: unlimited audience, zero RF signature, no license required. We'll demo the working system live — author a boil-water notice, hit send, watch receivers around the room light up — and present head-to-head measurements against Meshtastic and MeshCore: airtime, carousel refresh, delivery time under load, and battery life. Everything (gateway, receiver firmware, bill of materials, deployment guide) is on GitHub. Leave knowing how to deploy one for your community before the next bad day.
Do Not Go Gentle Into the Night Disrupting the disrupters of UnDisruptable27
I Am The Cavalry, Monday 10:00-11:30, Copa
Title: Do Not Go Gentle Into the Night Disrupting the disrupters of UnDisruptable27
The Water Must Flow
I Am The Cavalry, Monday 14:00-16:00, Copa
This session includes a licensed water engineer, a developer of the Idaho National Labs Cyber-Informed Engineering practice and a water regulator.
No Water: No Hospitals : Continuity of Care under Crisis
I Am The Cavalry, Monday 17:00-18:00, Copa
No Water: No Hospitals : Continuity of Care under Crisis
Food for Thought: Concentration , Cold Chain, & Consequences
I Am The Cavalry, Monday 18:00-18:30, Copa
Food for Thought: Concentration , Cold Chain, & Consequences
Glass Houses: AI-Era OT/ICS Sprints
I Am The Cavalry, Tuesday 15:00-16:00, Copa
Glass Houses: AI-Era OT/ICS Sprints
Power Resilience for Lifelines :Can The Electrotech Stack Light the Way?
I Am The Cavalry, Tuesday 14:00-15:00, Copa
Power Resilience for Lifelines :Can The Electrotech Stack Light the Way?
Taiwan Conflict: Most Likely/Most Damaging
I Am The Cavalry, Wednesday 10:30-11:15, Copa
Taiwan Conflict:Most Likely/Most Damaging
The Next 12 Months
I Am The Cavalry, Wednesday 11:15-12:00, Copa
The Next 12 Months
The DIE Triad: The Past Present and Future of Security and How to Stop It
I Am The Cavalry, Tuesday 18:00-18:30, Copa
A talk about the DIE Triad and exploring the past and present state of security to reveal a compelling pattern that clearly predicts the future of security. What emerges is a radically different paradigm that challenges our long-held assumptions, redefines our goals, and turns conventional thinking about security on its head.
