Cybersecurity protects free speech and human rights. It plays a crucial role in resisting authoritarian regimes and protecting democratic freedoms. This talk discusses how encryption, anonymity tools, and similar technologies can help activists, journalists, and citizens evade state surveillance and censorship. Discussion highlights how digital resistance strategies can be used to counter oppression.

Note: DCGVR Talks are scheduled 1 hour slots, but the actual presentations can be as short as 30 minutes. Please arrive at the start of the hour.

Joel is a cybersecurity researcher, penetration tester, and educator with over 15 years’ experience in system administration, security, and consulting. His PhD produced a framework for designing dynamically generated penetration testing laboratories, and his current research focuses on offensive security skills development.

A walkthrough of how Theori’s Robo Duck CRS was designed and built to use LLMs to find and fix bugs in AIxCC.

Machine Learning (ML) security is far older than what most people think. The first documented “vulnerability” in a ML model dates back to 2004. There are several well oiled teams that have been managing AI risk for over a decade. A new wave of “AI red teamers” who don’t know the history and the purpose are here. Some are doing brand safety work by making it harder for LLMs to say bad things. Others are doing safety assessments, like bias testing. Both of these aren’t really “red teaming” as there isn’t an adversary. The term is getting abused by many, including myself as I organized the misnamed Generative Red Team at DEFCON 31. There are new aspects to the field of ML Security, but it’s not that different. We will go over the history and how you should learn about the field to be most effective.

What does it mean to serve your country in cyberspace? This virtual panel brings together representatives from the Cyber Talent Initiative (CTU), Blacks in Cybersecurity (BIC), and the Minority Cybersecurity Professionals Association (MCPA) to discuss pathways to national service through cybersecurity. Panelists will explore career opportunities in federal agencies, public-private partnerships, and mission-driven tech, while highlighting programs that support underrepresented talent in public service roles. Join us to learn how your cybersecurity skills can make an impact at the national level.

Ms. Nikkia Henderson is a Portfolio Manager in the federal government with 15+ years of experience. She’s an advocate for women in cybersecurity and enjoys tea, cooking, beaches, and aquariums.

What would it take to start a movement away from the major platforms, for people to #reclaimtech for themselves from the clutches of multi-billion dollar companies and VC backed unicorns, retrieving our data, our autonomy, and our sovereignty? We are a collection of conscientious objectors to the Big Tech ecosystems building community around peer-to-peer support and connection as we exit from these extractive ecosystems. Opting out of toxic systems, we believe, is not about digital minimalism but about opting in to stronger connections, more ethical systems, and a better future. In this talk, the Founders of Tech Reclaimers introduce our approach to bringing tech sovereignty to the masses: meeting people where they are, joining them on their journey, building confidence step by step, and fostering community in the process.

Janet Vertesi (she/hers) is associate professor of sociology at Princeton University, where she is well known for her ìopt out experimentsî to evade tracking by data companies and embrace alternative tech systems, as well as for her in-depth studies of NASAís teams. An expert in the nexus between technology and society, she is a mobile Linux evangelist, teaches courses in critical technical practice and design, and sits on the advisory boards of the Data & Society Institute and the Electronic Privacy Information Center. Ask her how to make sure the Internet doesnít know that youíre pregnant.

Andy Hull (he/him) has been abusing computers since they came with cassettes and not enough RAM. He dabbles with recreational hacking, enjoys a spot of light homelabbing, and still dreams of being a Demoscener next year. Andy believes that computers should be tools that set us free and enshrine our rights as humans, not abusive platforms that imprison and enrage us.

What if learning Nix was like a speed-run?

A few months ago, I’d never touched Nix. Then my friend’s brother told me about PlanetNix at Scale22x. I flew from Florida to California with Nix on an old laptop and only four days of flailing experience. I felt grossly under prepared, but after the talks and meeting brilliant people, I was hooked.

Today, I’m building Nix infrastructure full-time and manage every device I own declaratively with tools like Clan.

This talk maps my route from ‘what the hell is a derivation?’ to contributing to Nix projects in 100 days. I’ll share the exact learning path, struggles, and wins. As someone close enough to remember the pain but far enough to have some solutions, I’ll crash-course some tough Nix concepts with live demos showing my real usage.

For beginners and the Nix-curious, this can be a great launch point for YOUR speed-run. Nix’s learning curve is infamous, but with the right fundamentals and some problem framing, it doesn’t have to be.

Developer, NixOS enthusiast, hardware repair tech.

Tras un año explorando los límites de la inteligencia artificial generativa, el equipo detrás de 0din, el GenAI Bug Bounty Program de Mozilla, comparte hallazgos, aprendizajes y desafíos enfrentados al detectar y reportar jailbreaks en modelos de IA. Esta charla ofrece una mirada técnica y crítica sobre cómo evolucionan los vectores de ataque en sistemas generativos, qué patrones se repiten, y cómo la comunidad puede colaborar para construir modelos más seguros y confiables.

Marco Figueroa is the GenAI Bug-Bounty Programs Manager at Mozilla’s 0DIN program, the industry’s first dedicated LLM bug-bounty platform. He leads the global researcher community that dissects guardrails across ChatGPT, Claude, Gemini and open-source LLMs. Marco’s research has repeatedly shown how hex-encoded and other obfuscated prompts can coerce GPT-4o into writing working exploit code, a technique covered by The Register and Bitdefender’s Hot-for-Security column. He also uncovered the extent of OpenAI’s container file system exposure, demonstrating live upload-and-execute paths inside ChatGPT’s Debian sandbox, as reported in Dark Reading.

The path from a working demo to an AI vishing agent that can survive in the wild is littered with failed calls and bad prompts. We walked that path so you don’t have to. This talk is a rapid-fire rundown of 10 lessons learned from taking a bot into production. We’ll dive into: how to craft pretexts that don’t collapse under pressure, the dirty secrets of managing conversational latency, and the surprising challenge of handling accents and background noise. Iíll break down the trade-offs between self-hosted models and commercial API infrastructure, their inherent limitations, and the privacy considerations to address. Learn how to tune prompts for believable improvisation and avoid the uncanny valley.

Matt Holland is a startup co-founder and CISO who builds security solutions designed for the real world. His career has taken him from leading security for iconic brands like Unilever and the John Lewis Partnership to his current role as co-founder of vishr.ai, a venture tackling the threat of AI-driven social engineering. His approach is a product of that journey. He tackles every challenge by blending the strategic discipline of a global CISO, the commercial focus of an MBA, the relentless drive of a startup founder, and the adversarial mindset needed to counter modern threats.

Enrico Faccioli is a London-based entrepreneur tackling AI-driven social engineering. His latest venture, vishr.ai, uses conversational AI to provide employees with realistic vishing simulations and hands-on training. Following his MSc in Finance from Warwick Business School, he moved from overseeing the tech strategy for L&G’s real assets funds (£28bn AUM), into startup leadership as COO of the geospatial AI startup Gyana, before a breach of his own fuelled a pivot into solving critical security challenges.

Join IoT Village co-founders Steve Bono and Ted Harrington as they discuss how the world of IoT security has evolved in the past 10 years of IoT Village. Led by panel host Rachael Tubbs, Steve and Ted will discuss with industry experts what we’ve learned in 10 years about the state of IoT security.

The Department of Defense (DoD) has publicly embraced AI and its application in strategic war planning. What could possibly go wrong? What does “war planning” really involve, anyways? And why haven’t Skynet and our AI overlords ended the need for petty human conflicts by now? The presenters (former war planning advisors for the Secretary of Defense) discuss how war plans are really developed and how AI could improve that process. They will also talk about how the use of AI in war planning makes us vulnerable–both technologically and cognitively–in unanticipated ways. The presentation will conclude with policy ideas to get ahead of potential problems with AI-powered war planning.

Noah K has spent the past 15 years in the U.S. government developing national security policy. He was the Director for War Plans in the Office of the Secretary of Defense. In this role, he led the team responsible for providing civilian oversight of our national war plans and managing civilian-military dialogue across a range of issues regarding the Department’s planning for major conflicts. He has previously worked on issues involving special operations, and cyber intelligence. He currently works at a Federally Funded Research and Development Center exploring how national security and artificial intelligence create both opportunities and risks.

Clark F has worked in the national security and defense policy space for the past decade. From 2020-2023, he served as an advisor to the Secretary of Defense on war plans, drafting national security strategic guidance and managing the Europe and space war plans portfolios. Clark currently works at a Federally Funded Research and Development Center, focusing on the intersection of defense strategy, emerging technology, and national security applications in the Indo-Pacific theater.

Bloatware. We all hate it, and most of us are good at avoiding it. But some vendor tools – especially those managing critical drivers – are still necessary, often because the drivers available through Windows Update just aren’t good enough for performance-critical computing.

What started as a routine driver update took a sharp turn when I confirmed a reboot modal… from my browser. Wait, my browser shouldn’t be able to do that!? To my disappointment (and maybe some surprise), it turned out to be arbitrary code execution – right from the browser. This kicked off a week-long deep dive, uncovering seven trivial CVEs in seven days across several vendors, all exploiting a common pattern: privileged services managing software on Windows with little regard for security.

In this talk, I’ll walk through the journey of discovery and exploitation of several vulnerabilities that lead to LPE/RCE.

With over two decades in IT – 15 years focused on cybersecurity – Leon is the CTO of Orange Cyberdefense’s SensePost Team. His career has taken him from a Tier 1 ISP, a private investment bank and now into full-time consulting, giving him a broad, real-world view of security challenges across industries. Today, Leon spends his time researching and hacking everything from enterprise networks to web and mobile applications. Passionate about building and innovating, he’s a regular contributor to the InfoSec community, sharing tools, insights, and lessons learned to help push the field forward.

An introduction to the gold standard of physical key escrow, the Knox Box (and associated products) by a former employee, including information about the new eLock. All information is from the public domain or private research, but we can all but guarantee you’ll learn something new.

The most obvious, fundamental problem with Ballot Marking Devices is encoding voters’ choices in images voters cannot read and tabulating from those images. Compounding BMD problems, these systems produce at least three distinct images of voters’ selections: the choices in QR/bar code images, a printed text list purporting to show those encoded choices, and a ballot image produced by precinct scanners. These images and printed list may be subject to different possible mistakes misperceptions, or manipulation. Regulations have not kept up with vulnerabilities—but simply adding more regulations will not suffice. This presentation reviews regulations in several states, beginning with Florida, as an example to examine when and if the printed list for voter review may be counted.

Martha Mahoney is a Professor of Law and Dean’s Distinguished Scholar at the University of Miami School of Law. She has taught since 1990 in areas including Election Law, Law and Social Justice, Voting Rights, Criminal Law, and Property. She was a founding member of the Miami-Dade Election Reform Coalition. Her work with the Coalition and extensive research in public records helped expose flaws in DRE votings ystems, and she continues to research issues of voting and equality. She has made presentations on electronic voting issues at conferences and workshops, spoken on electronic voting problems to state and local governmental bodies, and submitted reports on voting and inequality to the Department of Justice. Her current research addresses inadequate regulation and fundamental flaws in ballot marking devices. A former labor and community organizer, Professor Mahoney received a B.A. from the University of the State of New York’s Regents External Degree Program, an M.A. in History from Tulane University, and a J.D. from Stanford Law School. She has published extensively in the fields of racial and economic inequality. She is co-author of an innovative legal casebook, Martha R. Mahoney, John O. Calmore & Stephanie M. Wildman, Social Justice: Professionals, Communities, and Law (2d ed. West 2013).

When a company gives vendors access to its technical garden to process personal data, it’s the company’s responsibility to ensure vendors have adequate protections in place. Data protection/processing agreements (DPAs) are a control companies use to contractually obligate and specify what adequate protections vendors must have and to outline the consequences if vendors fail to protect the personal data. Propagating the right DPAs with vendors prevents invasive species from taking root in a company’s technical garden. Gardeners who attend this talk will walk away with a high-level understanding of: (a) how DPAs can be used to protect your company’s technical garden, (b) what information privacy/legal needs to know when negotiating a DPA, and (c) which DPA terms are roses to be cultivated or weeds to be removed.

Irene is an attorney with experience counseling clients on United States and international privacy and data protection laws and regulations. She has helped companies of all sizes build and scale their privacy and data security compliance programs. Known as a problem solver, Irene’s clients trust her to collaborate across multiple business units within their companies to get privacy done. When there is a Hail Mary pass, her clients know she’s the one getting the ball across the goal line. In her free time, Irene is on the leadership board of several non-profits including Women in Security and Privacy (WISP), the Diversity in Privacy Section for the IAPP, the American Bar Association (ABA) Center of Innovation, and Lagniappe Law Lab.

Alyssa is on the board of Women In Security and Privacy (WISP) and is Privacy & Product Counsel at an Augmented Reality (AR) mobile gaming company. As in-house counsel, she focuses on integrating privacy by design into product development and ensuring global privacy compliance. Previously, she gained experience in privacy consulting and cybersecurity incident response. She has been involved with WISP for nearly a decade where she developed her interest in locksport and continues to further WISP’s mission to advance women and underrepresented communities to lead the future of security and privacy.

• Overview of exploited vulnerabilities
• Breakdown of the cyberattack
• Analysis of the impact and consequences
• SK Telecom’s incident response and mitigation
• Key lessons and takeaways for cybersecurity preparedness

Business logic vulnerabilities in APIs are often design oversights that lead to dangerous outcomes. They occur when attackers abuse legitimate API behavior to bypass controls or exploit workflows. In this talk, we’ll share field experience developing behavioral analysis techniques that surface exploitable API behaviors at scale.

We developed a method for passively analyzing API responses – clustering similar logic flows and flagging anomalies that suggest potential abuse paths. You’ll see how business logic vulns manifest in real-world APIs, how attackers chain together valid actions to achieve unintended outcomes, and how defenders can catch these issues early. The session will conclude with practical strategies for integrating business logic awareness into threat modeling and CI/CD pipelines.

Former pentester for the French Intelligence Services. Former Machine Learning Research @ Apple.

Tristan Kalos, co-founder and CEO at Escape, draws from a background as a software engineer and Machine Learning Researcher at UC Berkeley. Motivated by firsthand experience witnessing a client’s database stolen through an API in 2018, he has since become an expert in API security, helping security engineers and developers worldwide building secure applications. He is an experienced keynote and conference speaker, presenting at Forum InCyber, bSides, APIdays, GraphQL conf, and other international software development and cyber security conferences.

Are you looking to install or upgrade a physical access control system? Having installed, repaired and upgraded dozens of large and small access control systems, I have found that many vendors install a “minimum viable product” that can leave your system unreliable and trivial to bypass.

This session will give you the tools and knowledge you need to work with your vendor to implement your system using best practices in the following areas:

• Wiring, supervision, encryption and tamper-resistance
• Choosing clone-resistant badges and securely configuring badge readers
• Securing controller equipment and managing issued badges
• Maintaining the system for maximum security and uptime

As a low voltage hardware junkie, Tim has had the opportunity to design, expand, upgrade and repair numerous physical access control, alarm and video systems, including a stint at a security vendor where he was certified in Lenel/S2 access and video. Tim works today at SailPoint as a Cybersecurity Network Engineer.

En esta charla exploraremos cómo acelerar el cálculo de funciones hash, centrándonos especialmente en el uso de dispositivos reconfigurables como las FPGAs. Comenzaremos con una introducción a las funciones hash, su papel fundamental en criptografía y seguridad informática, y sus propiedades clave como la irreversibilidad y la resistencia a colisiones.x000D x000D A continuación, haremos un repaso comparativo de las distintas plataformas de cómputo donde se pueden implementar algoritmos hash: CPU, GPU, ASIC y FPGA, analizando sus ventajas, limitaciones y casos de uso típicos. Nos detendremos especialmente en las FPGAs (Field-Programmable Gate Arrays), explicando su arquitectura, su capacidad de paralelismo masivo y su flexibilidad para implementar lógica específica.x000D x000D Por último, veremos la implementación del algoritmo SHA-256 en una FPGA. Mostraremos cómo se traduce el algoritmo a lógica digital, qué técnicas se pueden aplicar para optimizar el rendimiento, y qué resultados se pueden obtener en términos de velocidad y eficiencia energética.

Pablo has been an FPGA designer for over 10 years, specializing in digital signal processing and control algorithms, with a strong focus on their implementation in FPGA-based systems. He is the founder of ControlPaths Eng., a consultancy dedicated to electronic design and FPGA development. In addition to his professional work, Pablo authors the blog controlpaths.com, where he regularly publishes articles on FPGAs, SoCs, and hardware acceleration.

Pablo es diseñador de FPGA con más de 10 años de experiencia. Está especializado en procesado digital de señal e implementación de algoritmos de control sobre FPGA. Además de su trabajo, escribe regularmente en el blog controlpaths.com, donde investiga y publica artículos sobre procesado digital de señal en FPGA, y aceleración HW. Ha sido ponente en algunas charlas en España y Europa como AsturconTech (Asturias), Vicon (Vigo) o Embedded World (Nuremberg).

As threat actors evolve in speed, sophistication, and stealth, traditional defense strategies alone are no longer sufficient. This panel delves into the strategic importance of adopting an adversarial mindset, where defenders must think like attackers to stay ahead. Industry experts will discuss how adversary emulation and offensive cyber security techniques are being used not just to test systems, but to actively inform and strengthen defensive strategies. From red teaming to threat-informed defense, the panel will dive into how organizations are embedding adversarial thinking into their security programs to uncover blind spots, reduce response times, and build resilience against real-world threats. Whether you are defending an enterprise or building the next wave of security tools, embracing the adversarial mindset is no longer optional, it is essential. The panel will also cover a range of adversarial scenarios, including not only nation-state sponsored threat actors and targeted cyberattacks, but also the evolving warfare landscape witnessed recently, the use of technology by adversaries during conflicts, and effective countermeasures to address these challenges.

Abhijith B R, also known by the pseudonym Abx, has more than a decade of experience in the offensive cyber security industry. Currently he is involved with multiple organizations as a consulting specialist, to help them build offensive security operations programs, improve their current security posture, assess cyber defense systems, and bridge the gap between business leadership and cyber security professionals. Abhijith’s professional exposure is stretched across multiple industries and various other sectors. As the founder of Adversary Village, Abhijith spearheads a community driven initiative exclusively focused on adversary simulation, adversary tactics, purple teaming, threat-actor/ransomware research-emulation, and offensive security-adversary tradecraft.

Keenan Skelly is a nationally recognized cybersecurity and emerging technology strategist with 25 years of experience across government, private sector, and entrepreneurial leadership. She, most recently served as a Senior Policy Advisor at the White House Office of the National Cyber Director (ONCD), where she guided national initiatives on cybersecurity workforce, AI policy, and strategic technology development. A former Plank Owner of NPPD at DHS of the Comprehensive Review Program (the predecessor to CISA), Keenan also led multi-agency counter-IED and critical infrastructure protection programs across the federal government. She has founded and led multiple tech startups focused on threat intelligence, cybersecurity, and gamified training; and is the Founder of the XRVillage. Named one of the Top 25 Women in Cybersecurity, she is a frequent speaker on national security, AI, and immersive technology. Her unique background blends operational expertise, policy acumen, and visionary innovation.

Recent conflicts have shown us that wars today aren’t just fought with traditional weapons, they are fought with code, misinformation, and influence. This panel dives into how adversaries are using a mix of traditional and unconventional tactics, from cyber attacks to psychological operations, to gain the upper hand on modern battlefields. We will look at real examples from recent wars, explore the technologies driving these shifts, and discuss what defense, security, and policy leaders need to take away from it all.

Dr. Carpenter is an expert in submolecular information security, specializing in medical IoT, and DNA/nano-tech security, with extensive experience in deception, information warfare, and electronic warfare. His background includes work at the NSA and three decades in government, he has led numerous operations combatting cybercrime, adversarial activity, and counterexploitation theory. A recognized leader in counter-deception, psychological operations, and the application of advanced security techniques, Dr. Carpenter has spoken at numerous international conferences, including several DEFCON villages, Le Hack, Victoria International Privacy and Security Summit, Hack in Paris, Hacker Halted and Cyber Chess. Dr. Carpenter is a member of the Special Operations Medical Association and the Royal Society of Arts, leveraging these networks to advance the integration of security into emerging technologies. With a focus on defending the digital infrastructure at the molecular level, Dr. Carpenter’s work encompasses the intersection of cybersecurity and biological systems, ensuring that both digital and physical infrastructures remain secure against evolving threats.

Ms. Barb Hirz is the Director of Strategy and Innovation at the Nebraska Defense Research Corporation, where she leads future capability integration and coordinates with customers and mission partners to ensure effective capability demonstrations. She is dedicated to advancing defense technology, driving mission improvements, and fostering intellectual agility in the workforce to address complex Department of Defense (DoD) challenges. Previously, Ms. Hirz served as Chief Engineer at U.S. Strategic Command, overseeing nuclear mission capability and cyber requirements, and has held positions at the Office of the Secretary of Defense and the National Security Agency. She has a background in commercial banking and IT solutions and holds numerous awards, including the Joint Meritorious Civilian Service Award. Ms. Hirz earned a B.S. in Business Administration from Creighton University, an M.S. in Military Operational Art from the Air Command and Staff College, and a Graduate Certificate in Nuclear Deterrence from Harvard University.

Brett Fowler is a nationally recognized cybersecurity expert and the CEO of STAG, a rapidly growing cybersecurity firm with a global reach and an exponential growth rate of 230% in 2020. A lifelong technology ambassador, Brett began his journey in middle school and has since advised Congressional and Senatorial leaders, while also supporting national efforts, including securing U.S. election systems. Under his leadership, STAG is transforming advanced analytics into accessible web applications, filling critical market gaps.

A former U.S. Air Force Cyber Warfare Operator with over 3,000 hours of cyber operations experience, Brett combines deep technical expertise with agile leadership, driving innovation and resilience in both government and industry. He is a trusted voice on national advisory boards and a frequent lecturer at the University of Texas at San Antonio, where he teaches courses on cybersecurity and entrepreneurship. Brett holds an M.S. in Computer Science from Utica College and lives in San Antonio, TX, with his wife and children.

Dr. Johnson has over 30 years of experience leading technology and cybersecurity programs at organizations in various industry segments, from startups to large global corporations. He is the CEO and Founder of Aligned Security, providing executive cybersecurity advisory services. He also founded the nonprofit Docent Institute, which promotes career development, cybersecurity education and outreach to professionals, students and underserved communities. He is co-founder of Chicago Cyber Hub, a Midwest center of excellence for Cybersecurity. John has broad industry experience, starting at Los Alamos National Laboratory and subsequently as a security leader at large and small enterprises, including John Deere, Deloitte, and Campbell Soup Company. He has developed and taught numerous university cybersecurity courses online and in person. Dr. Johnson serves on the ISSA International Board of Directors, ISSA Education Foundation, and is an active leader within ISC2, InfraGard, and IEEE. John is concerned with the ethical use of advancing technologies and the opportunities and risks they pose to humanity.

Mike Tassey is a cybersecurity strategist with 27 years of experience across defense, finance, and critical infrastructure. At the Air Force Office of Special Investigation, he led red team operations and secured global investigative systems. At NASDAQ, he helped defend the exchange from nation-state cyber threats and re-architect its global security posture. A DEF CON and Black Hat speaker, Mike co-designed the Wireless Aerial Surveillance Platform—the first civilian cyber drone, now in the International Spy Museum.

Marcus J. Carey is the creator of the best selling Tribe of Hackers cybersecurity book series. Marcus is renowned in the cybersecurity industry and has spent his more than 20-year career working in penetration testing, incident response, and digital forensics with federal agencies such as NSA, DC3, DIA, and DARPA. He started his career in cryptography in the U.S. Navy and holds a Master’s degree in Network Security from Capitol College. Marcus was previously the founder and CEO of Threatcare (acquired by ReliaQuest), a venture-backed cybersecurity and software services company based in Austin, Texas. He regularly speaks at security conferences across the country. Marcus is passionate about giving back to the community through things like mentorship, hackathons, and speaking engagements, and is a voracious reader in his spare time.

Sanne Maasakkers is working for Threat intel at Mandiant, previously at NCSC-NL. After spending some years in offensive security, she now uses this knowledge to make Dutch vital infrastructure more resilient. She is mainly interested in researching social engineering tactics and techniques of the bigger APTs and presented ‘Phish like an APT’ last year at the digital version of Adversary Village. Additionally, she likes to host CTFs for young talents, coach the European CTF team, and host awareness sessions.

Abhijith B R, also known by the pseudonym Abx, has more than a decade of experience in the offensive cyber security industry. Currently he is involved with multiple organizations as a consulting specialist, to help them build offensive security operations programs, improve their current security posture, assess cyber defense systems, and bridge the gap between business leadership and cyber security professionals. Abhijith’s professional exposure is stretched across multiple industries and various other sectors. As the founder of Adversary Village, Abhijith spearheads a community driven initiative exclusively focused on adversary simulation, adversary tactics, purple teaming, threat-actor/ransomware research-emulation, and offensive security-adversary tradecraft.

OT environments typically are very predictable, lack variation and human interaction. AI works much harder in IT environments, therefore should cost less in OT environments. Why should one pay the same for two very different technologic performances? Chat will engage audience to on premise that AI pricing models should be different in IT and OT.

This talk will focus on AI red-teaming as an evaluation process and how it might fit into a broader AI evaluation ecosystem. The first part will contextualize the current state of AI red-teaming evaluations. We will discuss feedback that CSET has received from various AI stakeholders, such as ambiguity around current best practices for AI red-teaming and how lack of transparency hinders community efforts to develop those best practices. The second part will introduce the idea of a “virtuous cycle” for AI evaluations, in which an information sharing and reporting ecosystem can create beneficial feedback loops for AI development, testing, flaw and vulnerability disclosure, and patching.

In this presentation, we reveal how we used LLMs to discover 900 vulnerabilities in popular open-source tools that were never disclosed. How we caught and watched North Korean APT Lazarus debug a supply chain attack in real time and how we discovered the office Ripple (XRP) cryptocurrency SDK had been backdoored.

We started a multi-year long research project to identify how we could identify novel use cases for using LLM in supply chain security. The research fousces on two approaches

1. using public changelogs to identify when security issues were patched and never disclosed
2. Using LLMs to identify malware in public packages on NPM

The presentation covers both technical details of our system and how use use out-the-box frontier models as well as taking deep dives into some of the more interesting findings.

Mackenzie is a developer advocate with a passion for DevOps and code security. As the co-founder and former CTO of a health tech startup, he learnt first-hand how critical it is to build secure applications with robust developer operations. Today as the Developer Advocate at GitGuardian, Mackenzie is able to share his passion for code security with developers and works closely with research teams to show how malicious actors discover and exploit vulnerabilities in code.

Have you traveled and used in-flight internet services on airlines? Guess what…Evil Twins have been discovered in the wild on commercial airlines. This talk covers a tale of two people, the passenger in a rush to connect to in-flight services and the SOC analyst charged with the task of unraveling the truth.

This talk will introduce the many components that comprise the on-wing infrastrucutre and how they relate to the passengers as they journey through the skies. Tasked with unraveling a tip, the SOC Analyst must understand the relationships of the pieces to the pizzle, from tying together the logged events and knowing what the infrastructure is on-wing, ultimately piecing together a bigger puzzle via other telemetry provided by ads-b, satellite or more.

The key takeaways I’ll be focusing on are what an analyst should do to prepare themselves to hunt in this arena, processing that evdence to support their hypothesis and unlock the truth behind that pesky browser portal that didn’t feel right. Joine me for a talk about Evil Twins in the sky!

M0nkeydrag0n plays a blue teamer by day and a Hard Hat Bridage member in the after hours. Having spent a decade in IT support before shifting to his current role, m0nkeydrag0n has spent the last few years growing professionally as a cyber security engineer and endeavors to share tactics, approaches and stories with those looking to make that shift into security as well…or any pivot for that matter!

Lately, rediscovering R/C vehicles as allowed him to take flight, if only by FPV. But playing with RF is always fun, whether it’s trying to catch folks on WiGLE, designing cases for wardriving kits, earning his ham tech cert or just enjoying motorcycles for a long ride…and internet points!

Come wardrive with the Hard Hat Brigade!

When we travel with valuable baggage, we rely on the security of locks, especially those that are TSA-approved. But how secure are they really? In this talk, we’ll present our research on the vulnerabilities and bypasses of these locks and their embedding into the baggage, covering the most common models as well as the newer TSA008. We’ll discuss how lock picking techniques, master keys, and bypass methods can compromise the security of all TSA-approved models, potentially putting our belongings at risk.

Héctor is a Senior Managing Security Consultant at Bishop Fox with over 13 years of experience in offensive security, digital forensics, threat hunting, and incident response. Hector has presented at international conferenses such as DEFCON, SummerCon, WWHF & Ekoparty. He also leads Pwntacles, a student-driven hackerspace focused on cybersecurity research and development.

Our team will share the key lessons, discoveries, and challenges we encountered during our AIxCC journey. We’ll walk through what worked, what didn’t, and the unexpected insights we gained along the way. Beyond reflection, we’ll highlight opportunities to improve AI-powered cybersecurity systems and explore where we believe the field could and should go next.

This is a live tutorial of hacking against keyboards of all forms. Attacking the keyboard is the ultimate strategy to hijack a session before it is encrypted, capturing plaintext at the source and (often) in much simpler ways than those required to attack network protocols.

In this session we explore available attack vectors against traditional keyboards, starting with plain old keyloggers. We then advance to “Van Eck Phreaking” style attacks against individual keystroke emanations as well as RF wireless connections, and we finally graduate to the new hotness: acoustic attacks by eavesdropping on the sound of you typing!

Use your newfound knowledge for good, with great power comes great responsibility!

A subset of signal leak attacks focusing on keyboards. This talk is compiled with open sources, no classified material will be discussed.

Getting started in cyber from nontraditional entry points

DEF CON Groups Dept 2nd Lead

Historically, Phishing attacks require extensive manual effort involving meticulous target research, intricate scenario crafting, and technical infrastructure deployment. However, the landscape is evolving with the adoption of Artificial Intelligence, which is transforming how phishing campaigns are conducted by reducing the required skill levels and effort. This talk explores how Artificial Intelligence enables threat actors to automate the critical phases of phishing campaigns, from initial reconnaissance to creating compelling and targeted communications and standing up attack infrastructures. It covers:x000D x000D – The inherent challenges in conventional phishing operations, emphasizing the extensive manual labor required for target reconnaissance, scenario development, and infrastructure setup. Attendees will understand why these labor-intensive processes have historically constrained the scalability and customization of phishing campaigns.x000D – How to utilize various AI models to craft convincing, contextually accurate phishing messages that mimic authentic corporate communication patterns. x000D – End-to-end Automated approaches for quickly standing up credible phishing websites, significantly lowering technical entry barriers for threat actors.x000D x000D At the end, participants should understand how to deploy AI-driven phishing campaigns using different models to achieve various results and address challenges within a phishing attack workflow.x000D

As an experienced Red Team leader, Daniel applies a strong software development and networking background to help Fortune 500 companies identify and remediate vulnerabilities in various technologies, including corporate networks, applications, and smart devices. With more than 15 years of experience in Cybersecurity, prominent local and international security conferences such as HOU.SEC.CON, ISC2 Security Congress, and Black Hat Regional Summit featured his Offensive Security research. Daniel holds a B.Sc. in Computer Science and an M.Sc. in Cybersecurity. In 2019, Daniel was part of the team that won the DEF CON Biohacking Village Capture the Flag competition.

—

With over 15 years in offensive security, Daniel applies a strong software development and networking background to help Fortune 500 companies identify and remediate vulnerabilities in various technologies, including corporate networks, applications, and smart devices. With more than 15 years of experience in Cybersecurity, prominent local and international security conferences such as HOU.SEC.CON, ISC2 Security Congress, and Black Hat Regional Summit featured his Offensive Security research. Daniel holds a B.Sc. in Computer Science and an M.Sc. in Cybersecurity. In 2019, Daniel was part of the team that won the DEF CON Biohacking Village Capture the Flag competition.

AI models have had a ~4x YoY increase in compute for the last 70 years. In the security domain, what has 4x effective compute brought us in 2025 and what will it bring us in 2026? In this session, Jason will give us a survey of the bleeding edge of security applications, from a frontier AI lab perspective, including advanced persistent threats, and what new security threats are coming from AI and can be defended by AI in 2026 and beyond.

Nick and Kit team up to explain a story of fraud and scam as often reported in the news. A method of deceit with a unique financial angle is introduced, starting with a video to illustrate the problem. History of the actors involved in the analysis and security research reveals their complementary partnership, where they observe the scam to develop defense methods. A breakdown of the scam workflow follows its progress and funds are tracked as they move from the victim’s possession. Finally, advice is given how to protect from becoming a victim of similar fraud.

Nick Percoco is the Chief Security Officer at Kraken, where he spearheads the frameworks and protocols that ensure a secure and seamless trading experience for clients. A recognized leader in the security and hacker community, Nick brings nearly 30 years of expertise in cybersecurity and technology, shaping the industry’s approach to threat defense and risk mitigation. A dedicated contributor to the security community, he founded THOTCON, Chicago’s premier non-profit hacking conference, and has been a contributor to secure infrastructure and network design at DEFCON, the world’s largest hacking conference, since 2017. An accomplished speaker and researcher, Nick has presented groundbreaking work on cryptocurrency security, targeted malware, mobile security (iOS & Android), and IoT vulnerabilities at leading global forums, including Black Hat, RSA Conference, DEFCON, CfC St. Moritz, and SXSW.

With more than 3M subscribers on YouTube and beyond, Kit pioneered scambaiting. “Everyday there are scammers taking advantage of people. I call them to waste their time, walk people through their “script” and lies, report info when I can, and otherwise make light of a dark situation.”

“Anatomy of Telecom Malware” is a Telecom Village talk spanning 2G, 3G, 4G/LTE and cloud-native 5G. It dissects how attackers weaponise every layer of the stack—SS7/SIGTRAN, Diameter, GTP, SMPP and SBA APIs—while adding three critical lenses:

• Supply-chain infiltration: poisoned firmware builds and compromised eSIM-provisioning servers that let implants enter the core before day 0.
• Transit-based backdoors: malware such as the LightBasin “GTPDoor” family that hides its C2 inside roaming GTP-C/U tunnels, crossing operator boundaries unnoticed.
• Field-proven attacks: campaigns like SIMjacker’s SS7/S@T-browser exploitation for OTP interception and recent SS7-redirect bank-fraud cases, plus roaming-hub spyware and diameter peer-scraping seen in the wild.

Attendees leave with a telecom-specific kill-chain map, protocol-aware detection tricks, and a 10-point hardening checklist to protect both legacy and future networks.

Akib Sayyed is the Founder and Chief Security Consultant of Matrix-Shell Technologies, an India-based telecom-security firm he established in 2014. Recognised industry-wide as a 5G and telecom-signalling security specialist, Akib has spent more than a decade helping mobile-network operators, MVNOs and regulators uncover and remediate vulnerabilities across legacy (2G/3G/4G) and next-generation (5G Core, VoLTE/VoNR/VoWi-Fi) networks. His expertise spans protocol penetration testing (SS7, Diameter, GTP), radio-access assessments and security-automation tooling.

Under Akib’s leadership, Matrix-Shell has grown into India’s first NCCS-designated 5G Core security test lab and holds ISO/IEC 17025 accreditation for its methodology and results. A frequent conference speaker and Black Hat trainer, he also co-organises the Telecom Village community, where he shares latest threat-intel and open-source tools with the wider security ecosystem. linkedin.com

Across consulting engagements, Akib is known for delivering:

• Policy-aligned testing mapped to 3GPP TS 33.xxx, GSMA FS-series and ITSAR frameworks.
• Automated scanners that cut signalling-assessment time from weeks to hours.
• Action-oriented reports complete with PCAP evidence and remediation playbooks.

Driven by a mission to “secure the core,” Akib continues to advise operators on rolling out resilient 5G infrastructure, mentors the next wave of telecom-security engineers and contributes to global standards bodies shaping the future of mobile-network defence.

Construct, test, and use a real antenna. Two kits are available: a VLF Foxhunt Loop to win your local fox hunts, and a LoRa Yagi antenna and become the alpha-ham dominating oppressive gain and narrow beam width.

Join us as we condense the sum total of humanity’s antenna knowledge into 30 gripping fun-filled minutes of building, testing, and using a built from scratch antenna. Afterwards the instructors will be around to help with assembly in the Village.

This talk will demonstrate building this year’s antenna building workshop. Our selections this year include a VHF loop for fox-hunting, suitable for use in this year’s fox-hunt. Second is a LoRa compatible Yagi. You will learn the basics of antenna construction, testing, and finally verifying with the cold cruel uncaring reality of physics that your antenna works.

We will also cover trouble-shooting antennas, common pitfalls, and unsolicited life advice.

Chem Engineer, ex Navy Nuke and deep submersible pilot. Currently Director of planning for large Si wafer manufacturer.

As we have seen with AIxCC, AI brings new tools to help with cybersecurity. But developing and operating AI/ML applications introduces new dimensions of risk due to their dynamic behavior, inherent complexity, and often opaque decision-making processes. The transition from Development and Operations (DevOps) to Development, Security, and Operations (DevSecOps) revealed the need for security practices integrated into the Software Development Life Cycle (SDLC) to address critical software security gaps. Machine Learning Operations (MLOps) will now need to go through the same transition into MLSecOps. MLSecOps places a strong emphasis on integrating security practices within the ML development life cycle. It establishes security as a shared responsibility among ML developers, security practitioners, and operations teams. Embracing this methodology enables early identification and mitigation of security risks, facilitating the development of secure and trustworthy ML models.

Join Shellphish captains Wil Gibbs and Lukas Dresel for a candid fireside chat on building ARTIPHISHELL, the fully-autonomous cyber reasoning system (CRS) that turned large-language models into indispensable teammates. They’ll trace their journey, from integrating LLM-powered reasoning into fuzzers for finding crashes to generating patches with LLM intuition. By the end, you’ll have a blueprint for fusing LLMs with traditional bug-finding techniques, an honest look at what still breaks, and fresh ideas for your own vulnerability-research workflow.

Unlock the secrets of shellcode by learning the fundamentals of low-level payload construction. In this session, you will learn how to craft Linux shellcode from scratch, starting with nothing but opcodes and a clear understanding of the syscall interface. Through live walkthroughs and byte-level insights, you will see how small instructions can yield powerful control. This is not magic; it’s precision, intention, and raw skill. After the talk, you will have the chance to test your abilities with hands-on challenges that turn theory into practical exploitation.

f4_u57 is a senior undergraduate at Arizona State University and a security researcher at Research Innovations Incorporated (RII). His interests focuses on vulnerability research in embedded devices, with an emphasis on program analysis and system security. In his spare time, he is an active CTF player.

Rapid advancements in AI raise important concerns about cybersecurity risks. While existing work shows AI still falls short of human expertise in cybersecurity, we aim to identify indicators of emerging capabilities and risks by studying the gap between AI and expert human performance. We compare top hackers—selected for their proven track record in security research and competitions—with AI systems attempting to exploit real and synthetic targets. This comparison helps us pinpoint where current frontier model evaluations fall short, what tacit knowledge is needed to exploit vulnerabilities effectively, and how these gaps might be addressed. By distilling the expertise, intuition, and problem-solving approaches that make human experts more effective than current foundation models, we highlight the unique skills that continue to differentiate human practitioners. Conversely, we seek to identify areas where AI’s latent capabilities may offer distinct advantages, helping experts better leverage these tools in their work. Our work aims to improve AI cybersecurity evaluations, address critical gaps in evidence-based policymaking, and better equip practitioners to adapt to shifts in the offense/defense landscape.

Bias doesn’t just exist in algorithms—it shows up across the entire cyber stack. This panel brings together leaders from government, defense, and industry to explore how systemic bias can creep into everything from security controls and threat modeling to hiring pipelines and data governance. We’ll unpack how biases—human and machine—undermine trust, widen attack surfaces, and perpetuate inequality in cybersecurity workflows. Whether you’re building tech, shaping policy, or defending networks, this session challenges you to audit more than just code.

Dynamic and influential cybersecurity leader serving as Deputy CISO for the City of Philadelphia, host of CISO Stories, and adjunct professor at Harrisburg University and Penn State. With nearly two decades of experience, she specializes in cybersecurity audit & compliance, NIST frameworks, and safeguarding sensitive data such as PII, PHI, and FTI. Highly engaged in the cyber community—as a speaker, mentor, and advocate—she champions proactive security culture, diversity, and hands-on learning at conferences and in the classroom. Outside of work, Jessica channels her creativity into photography and networking, earning recognition as a thought leader and role model in cybersecurity.

Accomplished business and technology executive with a 19‑year track record, currently serving as Business Product Manager for Enterprise Cloud Platforms at Bank of America. A CPA candidate and MBA graduate, Kaleeque blends deep financial acumen with cloud and service delivery expertise honed at institutions like Citrix, CAI, and Deloitte. Recognized for his leadership and community involvement, he actively volunteers with Charlotte’s Alliance of Black Accountants, promoting thought leadership and innovation in both technology and finance.

“Public access – off” should mean safe, right? Not when a wildcard principal sneaks into Terraform or a quick-start template letting any logged-in account (yours, mine, or a stranger’s) access your sensitive data.

We ran a large-scale, cross-cloud hunt for this quiet misconfiguration, testing it in AWS, Azure and GCP and measuring how often it shows up in real environments. The flaw is sneaky: anonymous requests are getting blocked, yet any authenticated account can still perform actions such as list, get, or even put objects – so a quick browser check tricks you into thinking the bucket is private. Our data shows that more than 15% of cloud environments had at least one bucket publicly exposing sensitive data. As for the remaining 85%, “not public” doesn’t always mean private. Further analysis revealed that many of these supposedly restricted buckets still exposed sensitive information unintentionally, including configuration files, code, and AI models.

In this talk we’ll outline our scan approach, present the headline numbers and walk through our methodology for detecting risky buckets.

Danielle Aminov is a part of Wiz’s threat research team, specializing in network-based threats and threat intelligence. She develops detection strategies for large cloud environments. With over six years in offensive security within the IDF and in the cyber department of a global consulting firm, Danielle has expertise in red team operations and penetration testing.

Yaara Shriki is a Threat Researcher at Wiz, specializing in cloud security and network-based attacks. She explores novel ways to integrate ML and NLP into her security work. Yaara is currently pursuing an MSc in Computer Science at Tel Aviv University. She previously worked as a security researcher at Aqua Security and Checkpoint.

I love code autoformatters, but I jump between a lot of projects, and figuring out the rules for each project is tedious. Nix and Treefmt make this a whole lot better, but don’t provide editor integrations.

I’ll talk about how I built a format-on-save Neovim plugin that Does the Right Thing. If you aren’t a Neovim user, I hope to inspire you to build a similar integration for your preferred editor.

Programmer. Speedcuber. Formerly at Arista Networks, the World Cube Association, and Honor Technology. Currently on sabbatical, spending my time leveling up my Nix skills and contributing to the community.

Tune in for a demonstration of a prototype autonomous system developed as a collaboration between Microsoft Research, Microsoft Defender Research, and Microsoft Discovery & Quantum.

Imagine discovering critical intelligence hidden inside live video streams faster than any human analyst could. We’ll begin with a compelling hypothetical scenario: a breaking news livestream unintentionally captures crucial clues about a missing person’s location, but overwhelmed human investigators miss the moment. Inspired by real world challenges investigators face daily, this scenario motivated us to build Autonomous Video Hunter (AVH), a system of AI powered agents that scour video content in real time to extract actionable OSINT.x000D x000D Technical core:x000D We’ll showcase how AVH combines open source AI models for image recognition and audio transcription, orchestrated by custom Python based agents. These agents autonomously analyze video streams, detect critical visuals, logos, speech keywords, and quickly cross reference these clues against online databases and OSINT repositories.x000D x000D Live demo:x000D Experience AVH live as it identifies a target logo and relevant context (e.g., social media profiles and geolocation clues) from a random video clip in mere seconds. We’ll also address practical challenges, from reducing false positives to scaling efficiently across multiple simultaneous streams.x000D x000D By the end of this lightning talk, attendees will understand how autonomous agents transform overwhelming video data into OSINT insights rapidly and effectively. We’ll also share a lightweight open source AVH tool for the OSINT community to use and build upon.

Kevin Dela Rosa is the CTO of Cloudglue (formerly Aviary Inc), building AI video understanding platforms that transform audiovisual content into structured data for LLM and agentic retrieval use cases. With 14+ years in multimodal AI, he previously led engineering teams at Snapchat developing billion-scale visual search systems and generative AI products. His work has been featured at technical conferences including CVPR, NeurIPS, AAAI, ISMIR, AWS re:Invent, KubeCon, and cultural and entertainment venues ranging from Cannes and Art Basel to the Super Bowl and The Late Late Show. At Cloudglue, he leads research and development of technologies enabling AI systems to comprehend complex audiovisual content, focusing on creating systems that allow AI agents to see, hear, and understand the visual world at scale

AzDevRecon is a powerful web-based enumeration tool designed for offensive security professionals, red teamers, and penetration testers targeting Azure DevOps. It streamlines the discovery of misconfigurations, exposed secrets, and security gaps by leveraging token-based authentication, including Personal Access Tokens (PAT) and Azure DevOps Access Tokens (with aud=499b84ac-1321-427f-aa17-267ca6975798). AzDevRecon automates project and repository discovery, pipeline analysis, and user permission mapping, helping security teams uncover escalation paths and hardcoded credentials. Its intuitive web-based interface simplifies complex reconnaissance, enabling faster and more effective security assessments of Azure DevOps environments. This presentation will demonstrate how AzDevRecon enhances offensive security capabilities, providing actionable insights to strengthen DevOps security postures.

Features: – Token-Based Enumeration – Extract insights using Azure DevOps Access tokens or PAT. – Project & Repository Discovery – Identify accessible projects and repositories. – Pipeline & Build Enumeration – Analyze Azure Pipelines for security flaws. – Secrets & Credential Hunting – Detect hardcoded secrets and exposed tokens. – User & Permission Analysis – Map roles, permissions, and escalation paths. – Web-Based UI – Easy-to-use interface for efficient enumeration.

Raunak Parmar works as a senior cloud security engineer at White Knight Labs. His areas of interest include web penetration testing, Azure/AWS security, source code review, scripting, and development. He has 4+ years of experience in information security. He enjoys researching new attack methodologies and creating open-source tools that can be used during cloud red team activities. He has worked extensively on Azure and AWS and is the author of Vajra, an offensive cloud security tool. He has spoken at multiple respected security conferences like Black Hat, Defcon RTV, MCTTP, HackSpaceCon, RootCon, and also at local meetups.

In spite of novel cybersecurity threats, digital security advice has remained largely unchanged in recent years. In fact, much of the viral advice in response to high-profile attacks or threats doesn’t actually address the risks people are most likely to face. In this talk, we’ll analyze high-profile digital privacy and security concerns, whether the viral advice to address said concerns is effective and practical, and what steps could be taken—both before and after an issue arises.

Yael Grauer is a program manager of cybersecurity research at Consumer Reports. She also does freelance investigative tech reporting, maintains the Big Ass Data Broker Opt-Out List, and is a proud member of the Lockdown Systems Collective.

Behind every blinking LED and clever CTF is a mountain of caffeine, chaos, and carefully disguised panic. In this panel, veteran badge creators share their hard-earned lessons from years in the trenches of Badgelife – what worked, what absolutely didn’t, and what miraculously came together 12 hours before con opened. From catastrophic PCB errors and customs nightmares to soldering in hotel bathtubs, and shipping hacks that would make a logistics manager cry – we’ll break down the real behind-the-scenes stories that never make it to the badge booth. Whether you’re a first-time builder or a seasoned badge nerd, this is your survival guide (and therapy session) in one.

Abhinav’s artistry comes from the times he used to sneakily paint drawings made by his sister. His hacking career began as a toddler, disassembling his toys but never put them back together. His entrepreneurial roots come from selling snacks at a school fair and making a loss of . Having learned how not to make money, he launched Hackerware.io – a boutique badgelife lab with in-house manufacturing – which has grown over the past nine years into a global presence across 19 countries. He’s often spotted at conferences around the world – hosting hardware villages or pulling off the kind of random shenanigans that earned him the Sin CON Person of the Year 2025 award.

MakeItHackin graduated with a physics degree and served in the Army before diving into electronics in 2016, the same year as his first DEF CON! He joined the badge-making scene at DEF CON 29, fueling a passion for reverse-engineering. With a love for tearing apart tech, he tinkers as a hobbyist, and has previously spoken at Physical Security Village, HOPE Conference, and Hackaday Supercon.

Bradán graduated third grade with a degree in crayon. This, combined with his unwavering belief in “how difficult could it be”, has made him eminently qualified to wash dishes. His background in UX Designer & User Research and as a purveyor of personas demonstrates his profound talent for making stuff up with confidence. Bradán pre-dates the internet and ARPANET.

BadVR Data Exploration through VR visualization. See RF signals, cellular signals and step into the data with a hands-on VR experience

Suzanne Borders, CEO + Founder, BadVR, Inc. Suzanne studied psychology at University of Missouri, Kansas City and previously worked as Lead UX/Product Designer for over 9 years at companies such as Remine (raised $48M) and CREXi (raised $54M) where she specialized in designing intuitive, high-performant data analytic interfaces. In 2019, Suzanne founded BadVR and was awarded a “Rising Stars” innovation award from IEEE. To date, she’s raised over $4M in non-dilutive funding for BadVR, via grants from the National Science Foundation, NOAA, Magic Leap, Qualcomm, and more. Suzanne has grown the company from 2 to 25 people and was awarded 4 patents for innovations she created while leading the BadVR team. Over the past 5 years, Suzanne emerged as a thought-leader in the immersive data visualization and analytics space. She has been a keynote speaker at over 25 national and international conferences. In her spare time, Suzanne travels for inspiration (81 countries and counting) and is proud to be a published author and former punk.  Suzanne thrives at the intersection of product design, immersive technology, and data; she’s a believer in the artistry of technology and the technicality of art and remains passionately dedicated to democratizing access to data through universally accessible products. 

Jad Meouchy, CTO + Co-Founder, BadVR, Inc. Jad, originally from northern Virginia, holds dual B.S. degrees in Computer Engineering and Psychology from Virginia Tech, and is a graduate of the Thomas Jefferson High School for Science and Technology. While in college, he engineered and built the data visualization components of an emergency response simulation that went on to receive 2M in public grant funding. Over his 15-year career, Jad has founded five startups and successfully exited three. His professional expertise is in software architecture and development, specifically big data analytics and visualization, and virtual and augmented reality development. Based in Los Angeles since 2010, Jad promotes the community by organizing developer meetups and events, and volunteering time for STEM initiatives.

Bandxhil es una amenaza sofisticada que ha operado bajo el radar en Latinoamérica desde al menos 2016, especializándose en el robo de información confidencial y el control remoto de sistemas comprometidos. Este actor destaca por su Remote Access Trojan (RAT) modular desarrollado en Java, el cual está diseñado para evadir detección y adaptarse a múltiples sistemas operativos, incluidos Windows, Linux y macOS.x000D Durante esta charla, exploraremos la cadena completa de infección de Bandxhil, iniciando con su acceso inicial mediante campañas de phishing. Estos correos imitan facturas legítimas y redirigen a las víctimas hacia plataformas como OneDrive, donde se descarga un script Visual Basic altamente ofuscado. Este script despliega el payload principal, un archivo JAR modular que sirve como base de la operación de este actor.x000D A lo largo de la sesión, desglosaremos sus técnicas clave, incluyendo:x000D • Uso de LOLBins para ejecución.x000D • Ofuscación y cifrado de variables AES, Blowfish y XOR y combinado con codificación Base64.x000D • Keylogging, captura de pantalla y grabación de audio/video para la recopilación de datos.x000D • Comunicación con servidores C&C vía sockets TCP y tráfico cifrado, diseñado para evitar detección.x000D • Compilación dinámica de módulos maliciosos x000D Para cerrar, se compartirán lecciones aprendidas y estrategias de detección basadas en el framework MITRE ATT&CK y el Modelo Diamante, junto con reglas YARA y estrategias prácticas para su mitigación en entornos corporativos.x000D

Armando Aguilar es un analista de inteligencia de ciberamenazas con más de 7 años de experiencia en la identificación, análisis y mitigación de amenazas que se encuentran afectado a México y Latinoamérica. Actualmente, es miembro del equipo de Threat Intelligence en una institución financiera mexicana_x000D_ x000D A lo largo de su trayectoria profesional, Armando se ha desempeñado como analista de Inteligencia de Ciberamenazas, especializándose en el análisis de malware, traza de campañas y creación de perfilamientos de amenazas (Threat Profile). Cuenta con amplia experiencia en OSINT Assessment, análisis de técnicas estructuradas y pruebas de penetración.x000D x000D Armando es egresado de la carrera Ingeniería en Computación de la Facultad de Estudios Superiores Aragón, donde inició su formación en Ciberseguridad en el Laboratorio de Seguridad Informática. Continuó su preparación en los Diplomados de Tecnologías de la Información y Seguridad Informática; y ha recibido capacitaciones por parte de la UNAM sobre temas de Computo Forense, Respuesta a Incidentes, Auditoria de Seguridad Informática y Pruebas de Penetración. Actualmente, cuenta con las certificaciones del Cyber Threat Intelligence (GCTI) y Certified Forensic Analyst (GCFA) emitidas por el GIAC, Certification Threat Intelligence Analyst (CTIA) y Certified Ethical Hacker (CEH) emitida por EC-Council y Certification Malware Analysis Professional emitida por Elearnsecurity.

This talk presents a practical methodology for reverse engineering real-time embedded firmware built on ARM Cortex platforms. Using Ghidra as the primary analysis environment to facilitate collaboration. We will demonstrate how to reconstruct the core layers of an embedded system to gain deep insight into its operation. The Board Support Package (BSP) is mapped using the SVD loader plugin to associate memory-mapped registers with hardware peripherals. The Hardware Abstraction Layer (HAL) is analyzed through custom type recovery and function pattern matching to identify initialization routines and peripheral control logic. At the RTOS level, we apply Ghidra’s BSim plugin to detect task creation, scheduler logic, and inter-process communication constructs used in FreeRTOS and similar kernels. The session equips attendees with a structured approach to reversing embedded C/C++ applications, even when symbols are stripped and source code is unavailable. The goal is to enable firmware analysts, security researchers, and engineers to confidently dissect the layered architecture of constrained, real-time embedded systems.

Caleb Davis is a founding member of SolaSec, a cybersecurity consulting firm specializing in advanced penetration testing for embedded and connected systems. Based in Dallas/Fort Worth, he holds a degree in Electrical Engineering from the University of Texas at Tyler and is a patent-holding expert with vast experience in hardware and firmware security. Caleb leads deep technical assessments across a range of high-impact industries, including medical devices, automotive, industrial control systems, ATMs and financial terminals, aerospace components, and consumer electronics. His work focuses on secure design, trusted boot processes, cryptographic implementations, and threat modeling, helping organizations integrate security throughout the development lifecycle and align with industry and regulatory standards.

After DC32, we had one question for ourselves: How could we possibly build upon the work done with last year’s ADS-B badge? Building upon the work we talked about at 38C3, the badge became a mixture of ideas. We wanted new functions extend the badge, but also be accessible for everyone. That set our direction for this year: a radio SAO that would have multiple levels of connectivity. Join us for a behind-the-scenes look as we walk through how we were able to (ab)use hardware to receive out of band signals, creating a custom signal processing chain, and create an SAO that can be integrated into your own badge. Now that you’ve got your hands on this year’s Aerospace Village badge, join Adam and Robert as they discuss the challenges and successes the team faced while building this year’s village badge.

We usually view the world of cybersecurity through the lens of a malicious attacker versus a legitimate actor within a given system. This approach fails when considering the world of data privacy where there are three actors in play: the possibly-benevolent vendor, the legitimate user and the inevitable malicious actor. Using this privacy-focused lens, we survey the current regulatory landscape before turning our attention to how privacy is (not) applied to the automotive world.

Our talk focuses on the unique privacy risks the automotive industry is facing with the advent of smart, connected, cars. We present a real-world case study showing how quickly and thoroughly a bad actor could invade the privacy of a car owner, based on a privacy leak vulnerability designated CVE-2025-26313 (reserved).

Lior is a security researcher in the PlaxidityX Threat Research Labs. Lior is part of a team of security researchers and data scientists who focus on innovation in the cybersecurity world, both from an offensive and a defensive perspective. Lior’s past experience is in enterprise cybersecurity and systems development. Lior holds an M.Sc in Computer Science.

Jacob Avidar is the VP R&D and CISO of PlaxidityX (formerly Argus). Jacob founded the Threat Research Labs team that focuses on exploring high-risk vulnerabilities through cyber attacks in the Automotive industry. Exposing these risks allow OEMs and Tier-1 vendors to deal with violations and thus protect cars and people’s lives from cyber attacks.

Good developer experience and cyber security, almost sounds like oxymorons together. But, is it really? How can we make both better, together?

We will explore how we can both improve our developer experience and application security together. How application security and the developer experience overlap, and practical steps that we’ve observed to have outsized impact on improving both AppSec and DevEx together, that you can take back to your teams and start doing today.

Note: DCGVR Talks are scheduled 1 hour slots, but the actual presentations can be as short as 30 minutes. Please arrive at the start of the hour.

Dan is an AppSec specialist, and has over a decade of experience in IT and cybersecurity, covering a broad range of specialist technical and leadership roles. Prior to roles, these include roles such as Head of Product, Human-centred Designer, Solutions Architect, Project Manager, Systems Administrator, an AppSec and Product Security educator, a senior security architect, a penetration tester and a data science researcher.

Today, hey leverage their diverse experiences to sherpa and help all roles in engineering teams build safer, more trustworthy, and secure products balancing business, experience, and technical needs. Their contributions to industry include presentation at various security conferences including DCG VR, BSides Melbourne, BSides Brisbane, and Christchurch Hacker Conference, on various security topics and a contributing author to an O’Reilly book on Application Security. But, they are just a nerd learning and sharing knowledge to make our community a safer place.

AI systems are evolving from copilots to autonomous, multi-agent architectures, expanding the attack surface across tool execution, persistent memory, and inter-agent communication. This hands-on session extends copilot security methods to agentic ecosystems, covering threat modeling for multi-agent pipelines, supply-chain defenses, safeguarding sensitive workflows, and prompt injection at scale. Through real-world case studies—independent and integrated assistant deployments—you’ll learn to implement policy-as-code guardrails, fine-grained access controls, and red-team strategies for agent behavior. Whether you’re securing or penetrating AI workflows, you’ll leave equipped with actionable patterns to defend and harden end-to-end autonomous systems without stifling innovation.

Jeremiah is the Head of the AI business unit at Sage, and focuses on delivering world class AI for Finance, Accounting, and Business Operations. He leads the expert team which has invented and deployed over 16 AI services in 8 global products, making 20 million AI predictions daily. Before joining Sage, he founded and led data science and machine learning teams at Covid Act Now, FLYR Labs, Squelch, Apteligent (VMware), and Orange Labs. His interests include data privacy, ethical AI, and building AI systems that help people in their daily lives and jobs. He holds degrees in mathematics from MIT and Pierre and Marie Curie University. When not working on machine learning and AI, he can be found trail running, climbing rocks, and doing math.

Andra is a Principal Application Security Specialist at Sage, with over seven years of experience in the field of application security. She is responsible for implementing DevSecOps practices, conducting security assessments, and developing secure coding guidelines for software engineering and AI/ML teams. She has a strong background in software development and project management, as well as a master’s degree in information and computer sciences. She has been co-leading the OWASP London Chapter since 2019, where she organises and delivers events and workshops on various security topics. She is passionate about educating and empowering developers and stakeholders to build and deliver secure software and best practices in a fast-paced, results-driven environment.

Payments infrastructure is often built with strong security and reliability guarantees but those guarantees can be undermined by failures in the systems it depends on. In this talk, we examine postmortems from real-world outages where the core payments systems remained robust, yet external or supporting infrastructure such as DNS, authentication services, cloud dependencies, or third-party integrations introduced vulnerabilities during periods of instability

Tapan is an engineering manager with deep experience in building and scaling payment systems. With a background that spans global enterprises and early-stage startups, he brings a well-rounded perspective to technical and organizational challenges. He holds an engineering master’s degree, which grounds his practical work in strong technical foundations

As organizations explore AI automation for AppSec, ensuring reliable and trustworthy output becomes critical. This talk examines practical challenges in building AI systems that can consistently interpret security requirements, process engineering documentation, and produce high quality threat models and code scanning results.

We’ll explore technical approaches to prevent hallucinations, handle conflicting documentation, normalize AI outputs, and validate assessments against established policies. Drawing from real-world implementation experience, we’ll share key patterns for building robust security automation systems that maintain high accuracy while scaling across engineering organizations.

Emily has been securing AI systems since 2018. She oversaw application security for Amazon’s Alexa AI organization and owned data security and privacy at Moveworks (an enterprise AI assistant). She’s now the CEO and co-founder of Clearly AI, a YC-backed startup automating security and privacy reviews.

The challenges of synthetic content identification echo many of those faced in information security. This talk explores the lessons we’ve learned from moving past single-point solutions and embracing a multi-factor, probabilistic approach. We will draw parallels between classic security challenges and the new frontier of content provenance, demonstrating that while signals like watermarks are valuable, a more comprehensive, layered strategy is essential for building a resilient framework to identify AI-generated and manipulated content.

Defcon 32 we discussed how to transfect DNA using a lighter in the privacy of your home, Defcon 33 we want to bring the next phase which is BioCypher. BioCypher is a tool that will help with plasmid design to embed cryptographic messages. As quantum computing threatens traditional encryption, it’s time to ditch silicon and embrace self-assembling biomolecular firewalls. DNA Origami Cryptography (DOC) uses viral scaffolds to create nanometer-scale encryption keys over 700 bits long—strong enough to give Shor’s algorithm an existential crisis. Beyond brute-force resistance, DOC enables protein-binding steganography and multi-part message integrity, allowing encrypted communication through braille-like molecular folds. Whether securing classified data or encoding musical notes into microscopic strands, DOC offers a biological alternative to post-quantum doom. In this talk, we’ll explore how molecular self-assembly is turning DNA into the hacker-proof cipher of the future, now introducing Biocypher! The rough demo awaits for all to use the tool and think about a bio-crypto-future!

Dr. James Utley, PhD, is a Johns Hopkins-trained Immunohematology expert, CABP, and AI/data science leader. As Technical Director, he led 150K+ cellular transfusions, advancing DoD and FDA-approved therapies. A bold biohacker, he pioneers CRISPR/genetic engineering, earning the moniker “the pirate.”

Bringing together diverse cultures and queer voices for an afternoon of connection. Come support our vibrant community!

The Digital Markets Act (DMA) is a landmark European law which aims to make digital markets fairer and open. The DMA regulates the behaviour of “gatekeepers”: large digital players whose closed platforms may limit innovation and choice for users. The DMA sets out “do’s and don’ts”, such as enabling interoperability, allowing alternative services (e.g. browsers or app stores), and treating third parties on equal footing.

In this presentation, you get to hear first-hand from the DMA enforcers about their experience, focusing on the first-ever enforcement action taken under the DMA. In March 2025, the European Commission spelled out how Apple must make iOS and iPadOS work seamlessly with third-party products and services, in particular connected devices such as smartwatches and headphones. We provide insights into how we delivered this concrete change, how the security community played a useful role, and what the benefits will be for developers and users.

We give a perspective on how the DMA preserves system integrity, security and user privacy when introducing interoperability to a previously closed platform. We also give a broader outlook on what other benefits businesses and end users can expect from the DMA, especially in terms of giving users full control and choice over their devices and data.

Victor Le Pochat works in the enforcement team for the Digital Markets Act at the European Commission (DG Connect). Prior to the Commission, he was a postdoctoral researcher working on monitoring the security and privacy of large web ecosystems. He previously presented his work at Black Hat, FOSDEM, and various academic cybersecurity conferences. Victor speaks in a personal capacity and does not speak on behalf of the European Commission.

You all know that PLC4TRUCKS is unintentionally accessible wirelessly (CVEs 2020-14514 and 2022-26131). In this talk we will dig into the details of the new CVE-2024-12054 and some other results on the ECU investigated. This talk is tailored to those with an automotive cybersecurity background. We found ECUs running the KWP2000 diagnostic protocol on PLC4TRUCKS, supposedly secured with their fancy seed-key exchange. But guess what? Those seeds are way more predictable than they should be. A bit of timing trickery, a classic reset attack, and boom – we’re in, no peeking at the ECU’s responses needed. Blind, non-contact attacks on PLC4TRUCKS? Yep, we found a way. Turns out wireless unauthorized diagnostics access isn’t just limited to older equipment. These newer trailer brake controllers’ diagnostic functions can be abused too. This situation highlights the need for future tractors to deploy mitigations that protect the trailer from wireless attacks because they are all reachable and even the new ones are vulnerable.

Ben is a Senior Cybersecurity Research Engineer at the National Motor Freight Traffic Association, Inc. (NMFTA)™ specializing in hardware and low-level software security. He has held security assurance and reversing roles at a global corporation, as well as worked in embedded software and systems engineering roles at several organizations.

Ben has conducted workshops and presentations at numerous cybersecurity events globally, including the CyberTruck Challenge, GENIVI security sessions, Hack in Paris, HackFest, escar USA and DEF CON.

Ben holds a M.Sc. Eng. in Applied Math & Stats from Queen’s University. In addition to speaking on the main stage at DEF CON, Ben is a volunteer at the DEF CON Hardware Hacking Village (DC HHV) and Car Hacking Village (CHV). He is GIAC GPEN and GICSP certified, chair of the SAE TEVEES18A1 Cybersecurity Assurance Testing TF (published J3322), a contributor to several American Trucking Associations (ATA) Technology & Maintenance Council (TMC) task forces, ISO WG11 committees, and a voting member of the SAE Vehicle Electronic Systems Security Committee.

This year has posed greater challenges for job seekers, with many highly skilled Blue Teamers faced with layoffs and greater competition for fewer jobs. This panel will consist of leaders and practitioners from multiple areas of the cybersecurity field, sharing their journeys and perspectives on hiring in the industry. They’ll answer your questions on handling the job search, perspectives on hiring in a difficult job market, and advice on how to advance your career and skill up technically.

Best known in the community for directing BSLV HireGround & BSidesCharm Hiring Village, Kirsten also co-founded Car Hacking Village in 2015. After a decade helping run it, she left and joined ICS Village and can be found at many conferences and events throughout the year speaking and volunteering. She settled into technical recruiting after working on helpdesks over twenty years ago. She is currently serving as the VP of Talent at SilverEdge and is always open to helping those who reach out – especially transitioning service members and veterans!

‘

Join BTV staff as we share this year’s highlights, puzzle and Capture the Flag events stats and winners, and shout our amazing volunteers, staff, sponsors, and of course attendees. Say goodbye for now, and snag any leftover swag!

And here’s how they got away with it? Or, and here’s how they got caught? The choice is yours as you join the interactive experience. Choose a team (or be assigned one!) and plot your attack or defence. Part role-playing game, part threat model, and part chaos, the attack unfurls: The attackers try desperately to get out with the cash, the bank tries to stop them, and the police pull together what little clues they have to go on. Can you get away with it? Or will you be spending your life behind bars?

NOTE: This is a limited-capacity session, and will be capped at 25 attendees.

Dr Katie Paxton-Fear is an API security expert and a Security Advocate at Semgrep, in her words: she used to make applications and now she breaks them. A former API developer turned API hacker. She has found vulnerabilities in organizations ranging from the Department of Defense to Verizon, with simple API vulnerabilities. Dr Katie has been a featured expert in the Wall Street Journal, BBC News, ZDNet, The Daily Swig and more. As she shares some of the easy way hackers can exploit APIs and how they get away without a security alert! Dr Katie regularly delivers security training, security research, to some of the largest brands worldwide. She combines easy-to-understand explanations with key technical details that turn security into something everyone can get.

Attributing cyber threats to a specific nation-state remains one of the most complex challenges in cybersecurity. Cyber attribution relies on analyzing digital artifacts, infrastructure patterns, and adversary tactics, none of which provide definitive proof on their own. Threat actors continuously evolve, adopting new methodologies and obfuscation techniques that make attribution increasingly difficult. Over the past decade, North Korea’s cyber operations have transformed from rudimentary attacks into highly sophisticated campaigns that rival the capabilities of established cyber powers. Initially, DPRK’s cyber program consisted of loosely organized groups with limited technical capacity, but today, these actors operate under a structured, state-controlled framework with clear strategic objectives. This research presents an in-depth analysis of how DPRK threat actors have adapted, restructured, and collaborated, shedding light on the complexities of nation-state attribution.

Seongsu Park(@unpacker) is a passionate researcher on malware research, threat intelligence, and incident response with over a decade of experience in cybersecurity. He has extensive experience in malware researching, evolving attack vectors researching, and threat intelligence with a heavy focus on response to high-skilled North Korea threat actors.

Now he is working in the Zscaler APT Research team as a Staff Threat Researcher and focuses on analyzing and tracking security threats in the APAC region.

Despite their widespread use in maritime and remote communication environments, VSAT systems have not received sufficient attention regarding their security vulnerabilities. Recent incidents, such as the Lab Dookhtegan hacker group’s attack on Iranian ship networks and the demonstration of firmware reverse engineering and remote root exploitation targeting VSAT modems (e.g., Newtec MDM2200) at DEFCON, highlight the critical security challenges associated with VSAT systems. Against this backdrop, our research team presents a detailed overview of our ongoing research since 2023, encompassing the collection and re-hosting of VSAT firmware, as well as systematic vulnerability analysis through the ACU web interface. Specifically, we provide an in-depth analysis and demonstration of recently discovered VSAT ACU web vulnerabilities (CVE-2023-44852 ~ CVE-2023-44857). Additionally, we describe the application of experimental testbed environments based on the methodology proposed in the paper “Securing Maritime Autonomous Surface Ships: Cyber Threat Scenarios and Testbed Validation.” This research aims to thoroughly analyze the security vulnerabilities and attack potentials inherent in VSAT systems, emphasizing the importance of strengthening maritime cyber security and fostering international collaboration, while providing practical recommendations for policy and technological enhancements.

Juwon Cho is currently pursuing a Master’s degree in Information Security at Yonsei University, where his research focuses on AI security, particularly jailbreak attacks on large language models. He is actively exploring methods to evaluate and strengthen the robustness of generative AI through adversarial prompting and system-level analysis. He was selected as one of the Top 30 participants in the 12th Best of Best program at KITRI, completing intensive training in security strategy and product development. He also received the Excellent Award at the Chungcheong Cybersecurity Conference in September 2023 for his team’s work on scenario-based analysis of cyber threats in critical infrastructure.

Storm-2372 (Feb’25) has been virtually ignored, even though Russian threat actors demonstrated in-the-wild exploits using OAuth Device Code Phishing (Syynimaa, Oct’20) and PRT/device registration abuse (Moller, Oct’23) that fundamentally puts all Entra customers at risk via its abuse of OAuth, the device registration service, SSO and compromise of the Primary Refresh Token.

This talk starts with Moller’s original research and compares the API calls and logging for valid device registration flows against the original and other expected attack variants including non-device code OAuth, non-phishing attacks, and endpoint compromise.

We’ll then look at additional implications of the attack, look at on-the-wire payloads, then focus on the challenge of effective detection by going through published best practices with detecting off of Entra sign-in logs, what may or may not be blocked by conditional access policies, where continuous access evaluation helps or not, and what is detected by Sentinel and Cloud Defender.

We will demo the attack, show API payloads, confuse ourselves with logs, using native Microsoft functionality and try to answer what can and can’t be done effectively against this attack. Along the way we’ll rant about what makes detection (and prevention) so difficult based on the design of Entra, its logs, and native tooling.

Jenko Hwong heads threat research at WideField Security, focusing on identity-based attacks and abuse. Prior, he spent 5 years at Netskope Threat Research Labs and has spent 20 years in engineering and product roles at various security startups in vulnerability scanning, AV/AS, pen-testing/exploits, L3/4 appliances, threat intel, and Windows security.

Back in 2020 the Brazilian Central Bank launched PIX, a real time wire transfer and payment protocol that has been adopted by the Brazilian population, and nowadays PIX represents the most used payment method in the country. However, local cybercriminals quickly adapted and leveraged PIX for malicious activity. Since then, criminal activity in Brazil has ramped, from kidnapping, stealing of mobile phones, to money laundering “on steroids” and targeted banking trojans. Instant wire transfers made fraudulent transactions run faster than the speed of light, and were almost impossible to stop and to recover the stolen funds. A criminals’ paradise. In this presentation we will discuss the fraud schemes that were fueled by PIX and the ones that emerged since then, haunting the local population.

Lord Anchises Moraes Brazilborn of the house Hacker, First of His Name, Born in Computer Science, Cybersecurity Work-aholic, Lead of Threat Intel Realm, founder of Security BSides São Paulo, Supreme Chancellor of Garoa Hacker Clube, He for She volunteer at WOMCY (LATAM Women in Cybersecurity), Mente Binária NGO Counselor, Security Specialist and Protector of the Cyber Space realm.

This is the story of how Malware Village, Malmons aka Malware Monsters, and everything good that followed came into existence — all sparked by the Big BAN. In early 2024, after standing up for others, I was banned and ostracized from the local cybersecurity communities in my home country. At the time, I had never spoken at a conference outside that community — I hadn’t even attended DEF CON as an attendee. At first, it felt like the end of everything, because that local community meant the world to me back then. But then I stopped and asked myself:

“Why not create my own world — one filled with light?”
 “I shall shine bright to light the way, even in the darkest night.” The best revenge is to shine bright and live your best life. Now, let there be light — in the world of bits and bytes.

Trying to break into cybersecurity? Forget the hype. This panel cuts through the noise to show you what actually works: what roles are out there, what skills and certs are worth your time, how to build a real resume, and how to find your people in the community. We’ll talk job hunting, self-study, mentorship, influencers (the good and the grifty), and how to avoid wasting time and money. Ends with an open Q&A. No gatekeeping. No fluff.

Rosie Anderson is Head of Strategic Solutions for th4ts3cur1ty.company AKA Magical Genie Person. Having previously spent two decades talking to businesses to solve their hiring challenges, and helping people to break into cyber security as a recruiter, Rosie now uses those skills to help businesses solve their cybersecurity challenges. Rosie also founded BSides Lancashire, is a Director of BSides Leeds and restarted the Manchester 2600 Hacker Community, the only 2600 to be run by two women in its 40 year history. She was awarded Most Inspiring Woman in Cyber Security for 2024 and Cyber Newcomer for 2025.

Rosie has been a mentor for Capslock a cyber training programme for over two years, and is also part of the Ethical Council for Hacking Games. Giving back is important to her, and she loves the pay-it-forward mentality.

Tib3rius is a professional penetration tester who specializes in web application hacking, though his background also includes network penetration testing. He is OSCP certified, and likes developing new tools for penetration testing, mostly in Python. He helps run an OSCP prep discord server, and enjoys passing on his knowledge to students who have a passion for information security.

Jayson E. Street referred to in the past as: a “notorious hacker” by FOX25 Boston, “World Class Hacker” by National Geographic Breakthrough Series, and described as a “paunchy hacker” by Rolling Stone Magazine. He however prefers if people refer to him simply as a Hacker, Helper & Human.

He is the Chief Adversarial Officer at Secure Yeti and the author of the “Dissecting the hack: Series” (which is currently required reading at 5 colleges in 3 countries that he knows of). Jayson is also the DEF CON Groups Global Ambassador. He’s spoken at DEF CON, DEF CON China, GRRCon, SAINTCON & at several other CONs & colleges on a variety of Information Security subjects. He was also a guest lecturer for the Beijing Institute of Technology for 10 years.

He loves to explore the world & networks as much as he can. He has successfully robbed banks, hotels, government facilities, Biochemical companies, etc. on five continents (Only successfully robbing the wrong bank in Lebanon once, all others he was supposed to)!

He is a highly carbonated speaker who has partaken of Pizza from Bulgaria to Brazil & China to The Canary Islands. He does not expect anybody to still be reading this far, but if they are please note he was proud to be chosen as one of Time’s persons of the year for 2006.

Matt Olmsted has worked professionally in software engineering for over a decade, and been interested in infosec his entire career. In 2024 he decided to go for the CISSP as his first infosec cert and passed the exam at the minimum number of questions after only studying two weeks. He’s something of a polymath and renaissance man, the latter in both a literal and figurative sense.

Open-source security is facing an existential crisis. From the xz backdoor to Log4Shell and even vulnerabilities in ncurses, we are witnessing a recurring pattern: widely used but poorly scrutinized components becoming critical attack vectors. GRUB2 is no exception.

In this talk, I will present a deep dive into several vulnerabilities I discovered in GRUB2’s major filesystem drivers—exploitable flaws in one of the most privileged and security-critical pieces of software in the modern boot chain. Despite its role in Secure Boot, GRUB2 lacks fundamental OS security mechanisms (no ASLR, no modern exploit mitigations) and processes a large volume of untrusted input—violating Google’s “”Rule of 2″” security principle.

We’ll begin with an overview of UEFI and Secure Boot, demonstrating how GRUB2 fits into the ecosystem and why it remains an attractive target for attackers. I will then detail my findings, showcasing how an attacker can exploit these flaws to subvert Secure Boot entirely. Through a practical demonstration, we will explore the implications of these vulnerabilities—turning a standard bootloader attack into a full-blown compromise of system integrity.

Additionally, I will be describing my journey into discovering similar vulnerabilities other bootloaders such as U-boot and Barebox.

Finally, we will discuss the broader security implications, including the urgent need for stronger security practices in open-source bootloaders and what steps can be taken to prevent the next major supply chain disaster.

This talk will be essential for security researchers, enterprise defenders, and anyone relying on Secure Boot for protection. If you thought your bootloader was secure—think again.

Note: DCGVR Talks are scheduled 1 hour slots, but the actual presentations can be as short as 30 minutes. Please arrive at the start of the hour.

Jonathan Bar Or (“JBO”) is an information security expert and a hacker, focusing on binary analysis, vulnerability research, application security, reverse engineering, and cryptography.

His research has uncovered critical vulnerabilities that have impacted millions of users worldwide, shaping security best practices across the industry. Frequently cited by major news outlets, his work has influenced both academia and industry, driving meaningful security improvements.

He is also a seasoned public speaker, presenting at top security conferences and sharing deep technical insights on exploitation techniques, mitigations, and emerging threats.

Forget the black and white world of traditional Red Teaming, where success means finding that one perfect exploit. In the age of GenAI, we’re painting with a whole new palette. When your target can think, reason, and never give the same answer twice, how do you know if you’ve really broken it? Welcome to the technicolor challenge of AI Red Teaming, where we’re not just looking for vulnerabilities – we’re evaluating personality quirks, safety boundaries, and whether an AI system has gone rogue in fascinating new ways. Join me to explore why it takes AI to test AI, how the future of Red Teaming is less binary, and even your testing tools need to think outside the (black) box.

Jason Ross is a passionate cybersecurity expert with a diverse skill set in generative AI, Penetration Testing, Cloud Security, and OSINT. As a product security principal at Salesforce, Jason performs security testing and exploit development with a specific focus on generative AI, Large Language Models, and Agentic systems.

Jason is a frequent speaker at industry conferences, and is active in the security community: participating as a core member of the OWASP Generative AI Security Project, and serving as a DEF CON NFO goon.

Malicious packages have grown 156% YoY for supply chain security and supply chain attacks cost organizations $41 billion in 2023 (projected to reach $81 billion by 2026). This session underscores the urgent need to re-examine our defensive postures for software supply chain security by taking an offensive security perspective.

Our talk explains the offensive security methods in the software supply chain, exploring how attackers can compromise entire organizations by targeting each layer of the supply chain.

We define the attack surface, which spans the source, build, and distribution phases, and then showcase advanced techniques used to exploit these components. Drawing on our in-depth research, we demonstrate real-world exploits including supply chain hacks that backdoor hidden dependency links resulting in financial gain for attackers and harm to millions of companies.

Attendees will learn not only how these vulnerabilities are discovered and exploited but also how to apply offensive insights to reinforce their security practices.

Roni Carta, known as Lupin and co-founder of Lupin & Holmes, is an ethical hacker specializing in offensive cybersecurity, with a strong background in bug bounty hunting, including a $50,000 reward for hacking Google AI, red teaming at ManoMano, and significant research into software supply chain vulnerabilities, notably presenting at DEF CON 32 and recently reporting a hack of Google’s AI Gemini; his diverse technical skills range from ATO and RCE exploits to supply chain security, earning him recognition in various cybersecurity competitions.

Think you know what your GitHub Actions are doing? Think again. This talk breaks down GitHub Actions security risks, exposes real-world exploits, and reveals hidden threats. We’ll compare existing security tools and introduce a new one to help secure workflows and detect vulnerabilities.

I’m Igor Stepansky, a Product Security Engineer at Axonius for more than 3 years with a background as a cybersecurity analyst. My expertise includes integrating security solutions such as SAST, IaC, SCA, secrets detection, malicious package identification, and more. I’m also responsible for penetration testing, securing cloud and Docker environments, GitHub hardening, and building cool tools to enhance security workflows. I’m passionate about sharing practical knowledge and insights gained from working with diverse security solutions in a modern enterprise environment like Axonius.

I’m a security architect and team leader at Axonius, and a board member of the OWASP Israel chapter. I lead cross-functional security initiatives and support teams in building secure, scalable systems. Before stepping into architecture, I spent seven years in hands-on penetration testing, which gave me a strong foundation in understanding how real-world threats work—and how to approach them effectively. I’m passionate about bridging the gap between security and development, making security more approachable, and creating space for curiosity, collaboration, and continuous learning.

We will tell the story of our ups and downs competing in the challenge and the lessons we learned along the way and give an overview of the competition, detail how our approach to the competition evolved as the rules and objectives changed, share our key takeaways, and outline what’s next for CRS.

CTF.ae will perform a CTF Walkthrough Session, where they’ll dive into some of the most interesting challenges from our inaugural Capture The Flag competition. In this session, we’ll showcase a selection of the vulnerabilities hidden in the competition’s ecosystem — spanning web, API, and LLM assets — and demonstrate how they could be discovered and exploited. Whether you participated in the CTF or are just curious to learn, this is a great chance to see real-world techniques and creative solutions in action, explained by the creators themselves.

Everything you need to know about getting started in bug bounty

Before and at the dawn of the world wide web, the Internet was mostly unencrypted and unprotected. In this talk, I’ll discuss the culture of the pre-WWW Internet, the hardware we used and the security practices. I’ll discuss my experiences from the Internet of the late 1980’s and the early 1990’s up until the introduction of the WWW. I’ll go over experiences with technologies such as 10Base5 Ethernet, telnet, finger, rsh/rlogin/rdist, etc. I will also talk about my experiences working with law enforcement to bust a hacker in one of the first such arrests in Florida history.

Richard Rauscher is the Head of Technology for the University of South Florida Bellini College of Cybersecurity, AI and Computing and an Associate Professor of Computer Science. In previous roles, he was the Executive Vice President of Miva, Inc. in San Deigo, the Director of Research Informatics for Penn State University, the CIO of Karmanos Cancer Institute in Detroit and the first CISO of Moffitt Cancer Center in Tampa. He has a PhD in Computer Science from Penn State and a CISSP certification.

Dr. Pellegrino has over 20 years of research and development experience in information science. He has researched and built systems for the Pentagon, U.S. Department of Homeland Security, U.S. Army, U.S. Navy, DuPont, Dow Chemical, Pfizer, and smaller organizations. His work has received international awards in Visual Analytics and Data Integration. He is an expert in the fields of Natural Language Processing (NLP) and Linked Data, including ontology development. Work done for the U.S. Navy has included support for the CVN 78 and other platforms. In addition, he is a computer programmer and has led Software Engineering projects within large organizations.

Trying to trace an attacker pivoting from AWS to Azure to GCP often feels like building detections in silos while attackers exploit the seams. As detection engineers (DEs), we know the pain: scattered logic, cloud-specific alerts, and a fragmented view. We need to move beyond individual events and reconstruct the cross-cloud kill chain to see the full attack.

This DEF CON Lightning Talk is a practical DE playbook for AWS, Azure, and GCP. No fluff, just ‘how-to’ for building detections that connect the dots across clouds.

In ~15 minutes, we’ll cover: Cross-Cloud TTPs: How attackers really pivot between AWS, Azure & GCP in 2025 and the patterns they leave. Mapping Logs to Kills: Identifying essential logs (CloudTrail, Azure AD, GCP Audit, etc.) and mapping them to attack stages. Crafting Correlation Rules: Real SIEM examples (Sentinel/Chronicle/etc.) for stitching events together – think ‘Azure Risky Login’ + ‘AWS Role Use’ = P1 Alert. Actionable DE Strategies: Threat intel integration, baselining cross-cloud activity, and building high-fidelity alerts. Automation & OCSF: Streamlining ingestion and normalization so you can focus on the hunt. If you write detection rules or hunt threats in a multi-cloud mess, this is for you. You’ll leave with actionable TTPs, correlation logic examples, and a clear path to building detections that reveal the entire cross-cloud kill chain. Let’s build better traps.

Gowthamaraj Rajendran is a cybersecurity professional and Threat Detection Engineer at Meta, with over 4 years of experience. For the past 2 years, he has specialized in creating precise and effective detection capabilities.

The frequency of space missions has been increasing in recent years, raising concerns about security breaches and satellite cyber threats. Each space mission relies on highly specialized hardware and software components that communicate through dedicated protocols and standards developed for mission-specific purposes. Numerous potential failure points exist across both the space and ground segments, any of which could compromise mission integrity. Given the critical role that space-based infrastructure plays in modern society, every component involved in space missions should be recognized as part of critical infrastructure and afforded the highest level of security consideration.

This briefing highlights a subset of vulnerabilities that we identified within last couple of years across both ground-based systems and onboard spacecraft software. We will provide an in-depth analysis of our findings, demonstrating the impact of these vulnerabilities by showing our PoC exploits in action—including their potential to grant unauthorized control over targeted spacecraft. Additionally, we will show demonstrations of the exploitation process, illustrating the real-world implications of these security flaws.

Ayman Boulaich is a cybersecurity researcher specializing in vulnerabilities within aerospace systems. He has contributed to identifying critical security issues in NASA’s open-source software frameworks, such as Core Flight System (cFS) and CryptoLib.

Ricardo Fradique is a Cybersecurity Engineer at VisionSpace Technologies GmbH, with a focus on Offensive Security and Vulnerability Research. He has been credited in several CVEs, and a regular CTF player.

Join us for a bite-sized introduction to machine code programming with x86 assembly language! In this beginner-friendly course, we’ll cover the essentials of assembly language and show you how to get started. You’ll learn about registers, operands, and instructions, as well as how to write and debug simple assembly programs. Our experienced instructors will guide you through hands-on exercises and examples, so you can practice what you’ve learned in a relaxed and supportive environment. By the end of this course, you’ll have a solid foundation in x86 assembly language and be able to tackle more advanced topics with confidence. Whether you’re new to programming or just looking for a new challenge, “Byte-Sized Basics” is the perfect place to start your journey into machine code programming.

State and local governments (SLTTs), small and medium-sized businesses (SMBs), and nonprofits across the United States are routinely targeted by cyber criminals and nation-states. The societal impacts of those cyber attacks are significant—they force schools to close, hospitals to postpone patient treatment, courts to delay proceedings, and disrupt municipal services.

One way they improve their resilience is by outsourcing some of their information security responsibilities. IT managed service providers (“MSPs”), managed security service providers (“MSSPs”), and other information security service providers can provide a long-term option for high-risk communities to improve their resilience. But not all ITSSPs are created equal – how good are these organizations, really, at protecting small organizations? How affordable are they, and how good are their services?

As part of the Cyber Resilience Corps initiative, Michael Razeeq and Grace Menna interviewed around 20 organizations, including MSPs, MSSPs, IT and cybersecurity consultancies, and their clients, to identify challenges to expanding service provider support to more high-risk communities. This talk will present key findings from their research and policy recommendations to expand service provider coverage across high-risk communities we depend on.

Grace Menna is a Public Interest Cybersecurity Fellow at the UC Berkeley Center for Long-Term Cybersecurity (CLTC). In this role, she leads public interest cybersecurity research and oversees the coordination of CLTC and the CyberPeace Institute’s newest initiative, the Cyber Resilience Corps, mobilizing cyber volunteering efforts across the US to defend community organizations, including nonprofits, municipalities, rural hospitals and water districts, K-12 schools, and small businesses from cyber threats.

She is an active member of the security research community and helps organize the policy track of DC-based hacker conference, DistrictCon. Previously, Grace supported global cyber capacity-building initiatives at the Atlantic Council’s Cyber Statecraft Initiative and, as a consultant, advised U.S. tech companies across policy, intelligence, trust & safety, and other security areas.

Michael Razeeq is a cybersecurity, privacy, and technology law attorney with experience advising and supporting global companies in the media, financial services, and energy sectors, as well as a multinational law firm. Razeeq also serves as an adjunct faculty member at Brooklyn Law School. He is licensed to practice law in New York and Texas, and he holds IAPP CIPP/US, ISACA CISM, and GIAC-GLEG certifications.

Razeeq is also Non-resident Fellow, Public Interest Cybersecurity with UC Berkeley’s Center for Long-Term Cybersecurity (CLTC), where he is researching the ways that service providers can improve cyber resilience for vulnerable organizations and augment the work of civilian cyber corps.

Previously, as a #ShareTheMicInCyber Fellow, Razeeq examined the legal frameworks governing civilian cyber corps established in several U.S. states and in other jurisdictions to identify best practices. Razeeq has published articles about civilian cyber corps in Lawfare and through New America. He has also presented on civilian cyber corps in various forums, including the Rubrik Zero Labs Data Security Decoded podcast, the 2024 New America Future Security Forum, the Caveat podcast from the Cyberwire by N2K Networks, and the 2024 Cyber Civil Defense Summit hosted by the UC Berkeley Center for Long-Term Cybersecurity.

The payment fraud landscape is experiencing a resurgence of ‘carding’ through sophisticated Near Field Communication (NFC) relay attacks, which combine social engineering and custom mobile malware to bypass contactless payment security measures, enabling unauthorized transactions. A critical emerging trend is the proliferation of Malware-as-a-Service (MaaS) platforms, primarily operated by Chinese-speaking threat actors, who develop and distribute advanced NFC relay capabilities as turn-key solutions to global affiliates, facilitating complex card-present fraud schemes on an unprecedented scale and leading to arrests in the U.S. and EU. This MaaS operational model, featuring affiliate networks and advanced tools, signifies a critical evolution in financial threats, alarming global financial institutions and necessitating urgent adaptation of fraud prevention strategies. The discussion will explore MaaS operations, presenting key findings from the Supercard X analysis, including its technical capabilities, and examining the implications for the payment industry, with mitigation strategies and actionable intelligence such as actor communications and distinct Tactics, Techniques, and Procedures (TTPs) being shared. Furthermore, the talk will reveal how developers of well-known Android banking trojans are integrating NFC relay functionalities to enhance their cash-out techniques, providing attendees with a deep dive into NFC Relay MaaS, exclusive threat intelligence, and an understanding of the evolving fraud landscape, including the operational models, tools, and TTPs employed by modern NFC Relay MaaS platforms, as well as the systemic risks posed to global financial institutions and the urgent need for adaptive security postures.

Federico Valentini is passionate about technologies in general and has a deep interest in cybersecurity, particularly Penetration Testing, Malware Analysis, and Social Engineering techniques. He’s currently leading the Threat Intelligence Team and Incident Response at Cleafy. He oversees all the activities related to monitoring and uncovering new threats and attack patterns that malicious actors use. He has spoken at HackInBO 2022, Botconf 2023, Cert-EU 2023, BSides Cyprus 2023, FS-ISAC 2024, Botconf 2025, and other private events managed by CertFIN in the Italian territory.

Alessandro Strino has a solid background in Penetration testing and modern malware analysis. His main research topics are binaries and computer forensics. Nevertheless, he is passionate about binary exploitation, reverse engineering, and privilege escalation techniques. He now works as a senior malware analyst at Cleafy. He has spoken at Botconf 2023, Cert-EU 2023, BSides Cyprus 2023, FS-ISAC 2024, and Botconf 2025.

During World War II, the predecessor to the CIA, the Office of Strategic Services, developed a framework for the French Resistance to identify vulnerabilities in key German defenses and infrastructure. The framework, titled “CARVER” applies the following designations to enumerated components of complex systems: Criticality, Accessibility, Recuperability, Vulnerability, Effect, Recognizability. The same framework, viewed through a security framework, will highlight a system’s strengths or weaknesses, depending on the analyst’s tasking. The panel will follow this outline: overview of election integrity issues; history of carver analysis; the ranking matrix; why we chose the items as critical; ranking of each item; discussion of the final rankings; how to secure.

Michael Moore is the CISO for the Arizona Secretary of State’s Office. Michael has worked to develop federal, state, and local government partnerships as well as collaborated with trusted vendors to protect democracy and fulfill our shared duty to the American voter. The greatest threats to elections are MDM and the resulting insider threat caused by radicalized citizens. The best protection against these threats is combatting lies with the truth, developing secure and resilient systems that prevent attacks whenever possible, allow for detections of compromise and facilitate accurate and rapid recovery. Michael has pushed forward these initiatives in his own organization as well as across the Elections community.

Will Baggett is a Lead Investigator for Digital Forensics and Insider Threat at a Fiscal Infrastructure organization. He is also Director of Digital Forensics at Operation Safe Escape (volunteer role), a non-profit organization providing assistance to victims of domestic abuse.

The Chaining of Vulnerabilities session is essential for anyone serious about understanding real-world security threats. Attackers rarely rely on a single flaw – instead, attackers combine multiple low or medium-risk issues to breach systems and exfiltrate data. This session will reveal how these chains are built, and how overlooked weaknesses can lead to full system compromise. With practical case studies, attack flow breakdowns, and defense strategies, you’ll gain critical insight into offensive thinking and how to build more resilient systems. Whether you’re a developer, security engineer, or red teamer, this session will sharpen your knowledge about how subtle flaws can be linked into powerful exploit chains.

Monish Alur Gowdru is dedicated to securing applications end-to-end, with over 5 years of experience in application security, software development, and secure code review. His passion for finding security gaps in applications sparked a deeper interest in learning to build applications, driving him to build the skills needed to secure systems from the ground up. This journey led him to earn a Master’s degree in Computer Science with a specialization in Information Assurance, along with hands-on experience as a Software Engineer. While this is his first time speaking at a conference, he’s an active contributor to local security communities and a mentor to those starting their careers in the field.

LinkedIn: https://www.linkedin.com/in/ag-monish/ Email Address: monish.alurgowdru@gmail.com

Meet Apoorwa Joshi – Security Engineer, Code Whisperer & Threat Tamer at Amazon. With over 6 years in the trenches of application and cloud security at scale, she currently brings her talents to helping teams think like attackers before the attackers do. Armed with a Master’s degree, a knack for demystifying technical complexity, Apoorwa specializes in “shifting left” Based in Austin, Texas, Apoorwa is part of a new wave of security professionals. Though this is her first time on the conference stage, she’s no stranger to leading conversations that matter from mentoring junior engineers to influencing cross-team architecture decisions. When she’s not taming threats or refactoring risk, she enjoys playing ping pong and spending time with her cat.

Ask her about: threat modeling, secure architecture, DevSecOps, or how to sneak security into sprint planning without getting side-eyes.

Sharing the lessons learned from 42-beyond-bug’s AIxCC journey with the open source community.

Ever wondered what happens after you hit “submit” on a bug bounty report? At T-Mobile, each submission kicks off a behind-the-scenes journey that spans teams, tools, and time zones. In this talk, we’ll walk through the lifecycle of a bug bounty submission—from Bugcrowd’s triage desk to our internal security workflows—and show why not every finding is considered equal from a business risk perspective.

We’ll demystify our internal process: how we prioritize, validate, assign ownership, and resolve reports. You’ll see what makes a report fast-tracked to payout—and what gets politely declined. Backed by stats, we’ll reveal how many submissions we get, how many are duplicates or out of scope, and how we determine true impact.

Expect real war stories: from late-night calls and team escalations to reports that sent us scrambling. We’ll also lighten the mood with a few “creative” submissions that didn’t quite hit the mark.

Most importantly, we’ll share submission tips drawn from common pain points—what helps us help you, and how high-quality reports earn faster turnarounds, higher payouts, and opportunities like private programs, CVEs, and Bug Bashes.

Whether you’re a seasoned hunter or just starting out, this session will give you an honest, inside look at how BBPs work from our end—and how you can maximize your success.

Elisa Gangemi is a Senior Cybersecurity Engineer on the OffSec Team at T-Mobile, where they manage the Penetration Testing Pipeline and contribute to the company’s Bug Bounty Program. With prior experience in offensive and product security at startups, Elisa helped launch vulnerability management programs, including bug bounty initiatives and security tooling. They began their technology career as a QA tester, then transitioned into InfoSec at Akamai Technologies, working on technical program management and security research. Elisa holds the GIAC GWAPT certification and serves on the GIAC Advisory Board. They’ve enjoyed learning hacking techniques and have participated in a U.S. team that twice placed in the top four at NorthSec’s CTF in Montreal. DEF CON 33 marks their first year attending and speaking.

Using the Internet has become synonymous with giving up privacy.

“That’s just the way it is,” people tell themselves. “Of course, the company has access to my data.”

But what if you had a choice?

What if every app you used online could be truly private-respecting — in the real sense of the term, not the “”privacy policy”” sense?

That’s what we’re here to discuss. Chelonia is the first implementation of Shelter Protocol: an end-to-end encrypted, federated protocol for building any kind of user-friendly web application.

Greg isn’t so much a hacker as he is an engineer, quietly building fortresses for hackers to play with (or run away from in defeat). He got his start securing data at rest with an app called Espionage — user-friendly folder encryption and plausible deniability for Mac users. He moved on to securing data in motion, creating DNSChain and defining DPKI (decentralized public key infrastructure), a vision to fix the inherent security flaws in HTTPS. This is his first DEF CON, where he will be presenting a work 10 years in the making: a new protocol and way of building any web app that is end-to-end encrypted, decentralized, and user-friendly.

Greg isn’t so much a hacker as he is an engineer, quietly building fortresses for hackers to play with (or run away from in defeat). He got his start securing data at rest with an app called Espionage — user-friendly folder encryption and plausible deniability for Mac users. He moved on to securing data in motion, creating DNSChain and defining DPKI (decentralized public key infrastructure), a vision to fix the inherent security flaws in HTTPS. This is his first DEF CON, where he will be presenting a work 10 years in the making: a new protocol and way of building any web app that is end-to-end encrypted, decentralized, and user-friendly.

The phrase “national security impacts of offensive cyber in the healthcare sector” typically brings to mind images of destructive, obvious attacks on hospitals. It should also bring to mind the covert theft of vast troves of biological data. The PRC has a well established policy of stealing intellectual property as a path to development using tactics which have come, in recent years, to prominently feature hacking. The theft of US and allied biological data is crucial to our personal privacy, civil liberties, and national security and we must understand what data is most likely to be targeted in order to best defend it. In sectors other than biotechnology, PRC state-sponsored hacking often focuses on areas identified for development in major planning documents and areas to which the PRC party-state is already devoting significant financial resources to research. For this reason, it is useful to understand the intersection of PRC targeted areas for growth and development and areas in which stealing US sources of data is the easiest and most easily applicable to emerging biotechnology sectors. This talk identifies those sectors and discusses potential consequences.

Amelia is an intelligence analyst at Margin Research where she specializing in combining science and technology and regional expertise. Before working at Margin, Amelia worked at a DC-based research shop. Amelia graduated from Brown University with the Albert A. Bennett Prize for Exceptional Accomplishment in the Mathematics Concentration as well as honors in the security studies concentration.

We present a set of power side channel attacks against protocols from the classical phase of quantum key distribution. Cascade error correction and Toeplitz hashing based privacy amplification both prove to be vulnerable to full key recovery attacks when an attacker is assumed to the ability to monitor power consumption on the post processing device. We examine attack performance on both Cortex-M4 MCU and Artix-7 FPGA.

We ran a research study at Brigham Young University where we tested a novel phishing technique where AI voice cloning is used to imitate specific people. This talk will discuss the results of the study and potential safeguards to prevent these phishing scams.

Katherine recently graduated in the cybersecurity program at Brigham Young University, and an incoming PhD student for the University of Wisconsin-Madison.

Abhinav’s artistry comes from the times he used to sneakily paint drawings made by his sister. His hacking career began as a toddler, disassembling his toys but never put them back together. His entrepreneurial roots come from selling snacks at a school fair and making a loss of . Having learned how not to make money, he launched Hackerware.io – a boutique badgelife lab with in-house manufacturing – which has grown over the past nine years into a global presence across 19 countries. He’s often spotted at conferences around the world – hosting hardware villages or pulling off the kind of random shenanigans that earned him the Sin CON Person of the Year 2025 award.

What if I told you that until recently, sharing CloudWatch dashboards publicly could introduce an initial access vector for attackers targeting AWS accounts? And that a series of bugs rooted in Amazon Cognito resulted in dozens of dashboards being exposed on the internet?

This is the story of a vulnerability accidentally discovered in a cloud security assessment and patched by AWS in July 2024, which provided unauthenticated actors some …unexpected permissions into a target account. Our research takes a deep dive into this relatively unknown exploitation technique, showcasing once more why default configuration isn’t always secure.

Join us in this journey that starts from the peculiar discovery, covers the analysis of an undocumented web application, and leads to the eventual 4-step attack that could breach the cloud perimeter. This talk will not only investigate the impact of a bug that once was, but will also discuss the risks remaining post-remediation, providing guidance on what AWS users can do to protect their estates against abuse.

Leo is a Senior Security Consultant at WithSecure where he leads the Attack Path Mapping service. His current role involves planning and conducting offensive security assessments, while building the team globally and pushing the boundaries of adversarial simulation.

When he’s not helping SOC teams or leading purple teams for WithSecure’s clients, you will find Leo presenting in security conferences around the world including DEF CON, SO-CON, DEATHcon, ROOTCON and BSides. His research output has ranged from mobile security to CVEs on IBM and Cisco products but his secret passion of cloud security can be seen from talks about AWS attack paths and Kubernetes threat detection.

Kubernetes is a security challenge that many organizations need to take on, and we as pentesters, developers, security practitioners, and the technically curious need to adapt to these challenges. In this talk we will look at tactics, techniques, and tools to assess and exploit Kubernetes clusters. We will evade runtime syscall filters, exploit custom sidecars, and chain attacks that go from compromising a build environment, to exploiting production applications. We’ll cover real world attack paths, provide practical advice, and guidance using the experience of conducting hundreds of reviews of containerized environments and even building secure Kubernetes-based services.

Mark Manning (@antitree) has experience running a container security research practice as a penetration tester and working in a product security org building a Kubernetes service for thousands of customers. He has been focused on containerization and orchestration technologies like Kubernetes and performs containerization and sandboxing assessments and research. This includes running container breakouts and attack simulations on orchestration environments, performing architecture reviews of devops pipelines, and working with developers to assist with applications that leverage containerization technologies like namespace isolation, Linux kernel controls, syscall filtering, gVisor, and integration with products like Docker and Kubernetes.

Susan Lerner will provide an overview of the ongoing litigation in New York state court, Common Cause NY v. Kosinski, which challenges the legality of using the ES&S ExpressVote XL all-in-one ballot marking device and tabulator under New York law. The ExpressVote XL records votes in barcodes – unreadable to the naked eye – which, Common Cause NY asserts, violates New York law. NY statute provides that all voters must have the opportunity to verify their votes before they are cast. Notably, the federal Help America Vote Act includes the same provision. Should Common Cause NY prevail in state court, the decision could spark further action. The recording or votes in barcodes or QR has been controversial since its introduction. In 2019, Colorado Secretary of State Jenna Griswald (D) announced an initiative to end encoding votes in barcodes/QR codes in Colorado. In March, Donald Trump issued an executive order that sought to prohibit encoding votes in barcodes/QR codes in federally certified voting machines. This talk will explore the legal arguments at issue in the NY case, that could have repercussions elsewhere.

Susan Lerner is executive director of Common Cause New York. Susan joined Common Cause in December 2007. She is responsible for setting priorities, strategy, lobbying, serving as a spokesperson, fund-raising and leading the team for the New York organization. Before joining Common Cause, Susan served from 2003-07 as executive director of the California Clean Money Campaign. As a member of the New York and California bars, she was a litigator for almost 20 years. Susan has a bachelor’s degree in psychology from the University of Chicago and a law degree from the New York University School of Law.

Like any good summer camp, we should take a moment to unwind – a recess, if you will. One that’s filled with friendship (bracelets) and… dragonflies? Stop by to make your own pride flags and other crafty beaded accessories!

Like any good summer camp, we should take a moment to unwind – a recess, if you will. One that’s filled with friendship (bracelets) and… dragonflies? Stop by to make your own pride flags and other crafty beaded accessories! (No experience required, while supplies last)

This talk unveils how a single OPSEC failure—a threat actor testing keylogging and infostealing malware on his own production system—exposed an cybercrime operation in real time. By intercepting Telegram-based command-and-control (C2) communications, we gained direct access to screenshots and keylogs from the threat actor’s backend infrastructure, uncovering additional campaigns he was actively running. We’ll explore how Telegram bots were used to exfiltrate stolen data, how bot tokens were embedded within malware, and how YARA rules and VirusTotal were leveraged to trace and analyse related samples. This session combines technical insight with strategic takeaways, demonstrating how attackers’ dependence on mainstream platforms like Telegram can be turned against them—and how such real-world discoveries can reshape threat intelligence and bolster defensive strategies.

Ben Folland is a Security Operations Analyst at Huntress, where he manages hands-on-keyboard intrusions and dismantles active threats daily. Before that, he worked at one of Accenture’s SOCs, defending UK Critical National Infrastructure, gaining deep experience in high-stakes environments. He’s all about DFIR, malware analysis, and threat hunting—and has a knack for exposing adversary tradecraft. Ben’s spoken at over 10 conferences (including six BSides), taught SOC workshops at universities, is GIAC GCFA certified, and was a finalist for the UKs national cyber team. Whether it’s CTFs or live incidents, Ben thrives on the chase and brings a hacker mindset to everything he does.

Modern vehicles have evolved into sophisticated, internet-connected computing platforms with attack surfaces spanning cloud infrastructure, telematics systems, and over-the-air update mechanisms. With the automotive industry generating over $11 billion in cyberattack losses in 2023 alone, security researchers struggle to comprehensively map connected vehicle ecosystems using traditional OSINT methodologies that lack automotive-specific knowledge. This presentation introduces a systematic OSINT methodology designed for automotive threat intelligence, combining conventional reconnaissance techniques with automotive-focused discovery methods to identify exposed automotive APIs, misconfigured cloud infrastructure, vulnerable telematics endpoints, and supply chain weaknesses that standard assessments typically miss. Through live demonstrations using real automotive manufacturer targets, attendees will learn to adapt existing OSINT tools like Shodan, Censys, and certificate transparency logs with automotive-focused data sources to build complete attack surface maps of connected vehicle ecosystems. Participants will gain practical skills for discovering OTA update infrastructure, fleet management systems, and connected vehicle APIs while learning to transform raw reconnaissance data into actionable automotive threat intelligence that can be immediately applied whether entering the automotive security space or expanding traditional pentesting expertise into the rapidly growing connected vehicle market.

Reuel Magistrado is an Auto Threat Researcher at VicOne, specializing in web application, web services, and mobile application penetration testing for automotive clients. He is also involved in creating CTF challenges for automotive security. With extensive experience conducting manual security assessments that go beyond automated tools, Reuel has authored technical reports and delivered security solutions to various clients in previous roles at NCC Group and iZOOlogic.x000D x000D Reuel holds multiple industry certifications including Burp Suite Certified Practitioner (BSCP), APIsec Certified Practitioner (ACP), Practical Mobile Pentest Associate (PMPA) and several specialized penetration testing certifications from The SecOps Group. He also shared his expertise through technical presentations, including his recent talk at NCC Group Philippines’ “Pwning Hall of Fame,” where he demonstrated a race condition exploit leading to price manipulation.

Modern vehicles operate as real-time cyber-physical systems, where even subtle manipulations on the CAN bus can lead to catastrophic outcomes. Traditional anomaly detectors fall short when malicious actors mimic expected sensor behaviors while altering the vehicle’s state contextually. This talk explores how exploiting inter-signal correlations — rather than relying on individual identifiers or decoding — uncovers stealthy attacks. We present a deep sequence-learning approach tailored for raw CAN payloads, focusing on time-aware and context-sensitive detection. No reverse engineering of signal structures. Just patterns, timing, and trust redefined. Live demo included using real-world CAN datasets and emulated environments.

IoT environments generate massive, noisy streams of logs and alerts—most of which lack the context needed for meaningful detection or response. This talk introduces a novel, LLM-free approach to large-scale alert contextualization that doesn’t rely on writing complex queries or integrating heavy ML models. We’ll demonstrate how lightweight, modular correlation logic can automatically enrich logs, infer context, and group related events across sensors, devices, and cloud services. By leveraging time, topology, and behavioral attributes, this method builds causality sequences that explain what happened, where, and why—without human-crafted rules or expensive AI inference. Attendees will walk away with practical techniques and open-source tools for deploying contextualization pipelines in resource-constrained IoT environments. Whether you’re defending smart homes, industrial OT networks, or edge devices, you’ll learn how to extract insight from noise—fast.

Ezz Tahoun is an award-winning cybersecurity data scientist recognized globally for his innovations in applying AI to security operations. He has presented at multiple DEFCON villages, including Blue Team, Cloud, Industrial Control Systems (ICS), Adversary, Wall of Sheep, Packet Hacking, Telecom, and Creator Stage, as well as BlackHat Sector, MEA, EU, and GISEC. His groundbreaking work earned him accolades from Yale, Princeton, Northwestern, NATO, Microsoft, and Canada’s Communications Security Establishment. At 19, Ezz began his PhD in Computer Science at the University of Waterloo, quickly gaining recognition through 20 influential papers and 15 open-source cybersecurity tools. His professional experience includes leading advanced AI-driven projects for Orange CyberDefense, Forescout, RBC, and Huawei Technologies US. Holding certifications such as aCCISO, CISM, CRISC, GCIH, GSEC, CEH, and GCP-Cloud Architect, Ezz previously served as an adjunct professor in cyber defense and warfare.

There’s been remarkably little discussion about how mobile forensic tools fare against adversarially modified environments, particularly in terms of forensic reliability. Tools (and investigators) often assume that target devices function as expected, with minimal scrutiny of whether that assumption holds. Our research demonstrates otherwise – sophisticated anti-forensic techniques placed within Android devices can silently compromise evidence, placing longstanding investigative and extraction methodologies at risk.

Our research addresses a blind spot in Android logical extraction workflows – namely, an assumption that once mobile forensic software overcome the hurdle of device access, the extraction is assumed to follow correctly. While forensics software excel at getting a foot in the door, from our actual tests they offer little against stealthy, second-layer countermeasures that can silently manipulate or destroy data post-access.

Dr Weihan Goh is an Associate Professor at the Singapore Institute of Technology (SIT). His research interests include digital forensics, anti-forensics, security testing, as well as technologies for cybersecurity education such as cyber ranges, CTF / CDX, remote proctoring, and anti-fraud / anti-cheat systems. Beyond teaching and research, Dr Goh participates in capture-the-flag exercises, going by the CTF handler ‘icebear’.

Joseph Lim is an Information Security undergraduate at the Singapore Institute of Technology, with a diploma in Infocomm Security Management from Singapore Polytechnic. With a strong foundation in cybersecurity, he is particularly interested in mobile security and digital forensics. Joseph has also previously presented research on mobile malware at the 14th ACM Conference on Data and Application Security and Privacy (2024).

Soon Leung Isaac is currently pursuing a degree in Information and Communication Technology, specializing in Information Security, at the Singapore Institute of Technology. Previously, he served as a SOC analyst in the Singapore Armed Forces for two years, where he was responsible for safeguarding Singapore’s military network. His main areas of research include offensive security and mobile security.

Pseudo-Random Number Generators are often overlooked and core features of our computational experience. From research and processes irrelevant to security (i.e. Monte-Carlo simulations) to essential security functionality like secret generation, random number generation plays a significant part in our ability to utilize the modern internet. In turn, they have a unique history, threat model, and set of applications. We will discuss the history of pseudo-random number generation, the types of random number generators, where they are supposed to be utilized, and how to break them, when relevant. Additionally, we will discuss the future direction of random number generation in light of preparation for the advent of large-scale quantum computing.

1nfocalypse is a software engineer with an interest in coding theory, cryptography, and numerical analysis. He is currently working on portions of libstdc++-v3 and enjoys implementing/tinkering with cryptographic primitives and standards.

Orv W6BI will discuss how to create a ham radio IP network with off the shelf hardware and open source software.

Orv W6BI will discuss how to create a ham radio IP network with off the shelf hardware and open source software from AREDN. The AREDN software supports over a hundred different devices from several different vendors. The AREDN software allows advertising services, such as web servers, cameras, VOIP phones, etc.

Usable RF links can be up to 30 miles. For those lacking a line of sight path to an AREDN node, the software supports inter-node network links via the Internet.

AREDN islands can be linked via ‘superhodes’ to allow access to remote nodes. It can be viewed at https://worldmap.arednmesh.org

Orv W6BI is a retired Linux system administrator, an ARRL Santa Barbara Section

Technical Specialist and the AREDN Project Manager.

He was first licensed as WN6WEY in 1967. He’s been into digital ham radio all his life, starting with CW. He worked his way up through RTTY, PACTOR, packet radio and PSK31, and started messing around with ham radio networking in 2014. He helped deploy the initial ham radio network nodes and backbone buildout in Ventura County and western Los Angeles County.

He’s also active in coordinating the build-out and maintenance of the wider Southern California ham radio network, which now spans from Paso Robles in central Calfornia south to the Mexican border and east to Las Vegas, comprising over 550 nodes, both hilltop and ground-level, including hospitals, PDs and EOCs.

He’s given over 80 presentations about ham radio networking using AREDN software over the last ten years and mentored many hams worldwide on ham radio networking. He’s active in AREDN groups in Facebook, Slack, Telegram, and Discord, and monitors the forums on the AREDN website.

Current ship simulators are designed to help masters and mates pass their STCW exams. They were never designed for cybersecurity use. So, here is the interesting question that will be considered during the presentation. What is the ideal architecture of a virtual ship environment for cybersecurity education, assessment, and research use? Recent work at UNCW suggests there is a need for a hybrid virtual environment comprised of a full mission (above and below the waterline) ship simulator coupled with sub-system device emulators and specialized software applications. Examples of required device emulators include communication devices, bridge instruments, and industrial controllers. Coupling can be accomplished through logical or physical means. Examples of specialized software applications include network traffic generation, strategically located test access points for staging exploits, cyber data analytics, and trainer control over directed simulations. Cybersecurity use cases are being used to help shape derivative functional requirements. Rather than develop a novel virtual environment from scratch, UNCW has been looking into the feasibility of augmenting an existing, commercially available ship simulator with new functionality such that it is fit for cybersecurity use. Unitest’s, Winterthur X92 marine engine simulator is an ideal candidate that will be briefly demonstrated during the presentation.

Jeff Greer is an Assistant Professor of Practice in Cybersecurity at the University of North Carolina Wilmington. When not teaching he is reading, writing, and coding. The focus of his applied R&D work is the application of system-of-systems engineering practices to resolve maritime cybersecurity problems. Prior to retiring from corporate life, Jeff was an integral part of an executive team that built a mobile broadband business delivering internet services to ships at sea around the world. Jeff is a member of the USCG Sector 5 Area Maritime Security Council and the FBI Infragard program. Jeff holds an MS Degree in Cybersecurity Technology from the University of Maryland Global Campus.

Dr. Laavanya Rachakonda is an Assistant Professor in the Department of Computer Science at the University of North Carolina Wilmington, serving in this role since August 2021. She earned her Ph.D. and M.S. in Computer Science and Engineering under Dr. Saraju P. Mohanty at the University of North Texas, Denton, in 2021, and holds a B.Tech. in Electronics and Communication Engineering from VMTW, JNTUH, India.

As the Founder and Director of the Smart and Intelligent Physical Systems Laboratory (SIPS) at UNCW, Dr. Rachakonda leads a multi-disciplinary team researching cutting-edge applications of Machine Learning, Artificial Intelligence, IoT, and IoMT. Her lab’s focus spans Smart Healthcare, Agriculture, Transportation, and Smart Living, aiming to create sustainable, intelligent systems with robust security and privacy integration. SIPS is dedicated to developing low-power, fully automated systems processed at the edge, supporting stress-free and sustainable living.

A discussion of FOSS tools that can assist with the avoidance of technology platforms that exist to monitize and exploit their users. Discussion and demos of QubesOS, “de-googled” alternative mobile operating sytems, local archiving tools, RF based communications, ways to reduce your “Digital Exhaust”.

Giglio is a cybersecurity professional currently working in the Healthcare space. Giglio’s career parallels the rise of the “personal computer” and has watched the computing paradigm oscillate between centralised and decentralised and finally to enshittified.

Buildings are largely overlooked when it comes to cyber security. The onus is typically placed on physically securing the building and the people inside of them. What most gloss over is the fact that industrial control systems run these buildings and without them, every day functions become unavailable and downright dangerous. The dangers are growing as buildings become more “connected” and require internet access to operate (ex. sustainability and IoT). Malicious use of engineering protocols (Modbus, Fox, BACNet) and targeted attacks against BAS systems are growing (ex. KNXLock).”

Environments run the gamut from overly secure, to the point of crippling, all the way to leaving RDP exposed with no logging or MFA to critical systems. There is no easy fix, properties must invest in technology and people to create a defensible environment. This presentation will show how cyber security can be enabled which fits with the business’s operations and minimal disruption.

Building types are not constrained to only office space. Properties come in all varieties from warehouses and manufacturing spaces to data centers and shopping malls. All of this needs to be taken into account when assessing the environment and recommending tools and procedures. This talk will cover common architectures seen, typical control systems found in buildings (BMS, FLS, elevator, lighting, power…), reproducible steps to help companies/users understand their vulnerabilities and how we, as an industry, move forward.

For the most part, these are not technical problems, but a literal gap that needs to be addressed directly by budgetary and policy controls. The industry is pushing for cybersecurity budgeting, standards and visibility for properties, which are largely ignored or misunderstood by owners and operators. This is a solvable problem and I want attendees to feel empowered to ask tough questions and be prepared to have an educated conversation about the risks and not use fear mongering or scare tactics to get cybersecurity put in place.

Thomas Pope is the Head of Property Cybersecurity at Jones Lang Lasalle (JLL). His team assists customers and internal teams with securing control systems at their properties and how to accomplish cybersecurity at scale with regards to building operations. Previous stints including leading incident response engagements at Cisco Talos as an Incident Commander, Adversary Hunter at Dragos; searching for ICS-specific adversaries and standing up multiple cybersecurity programs at Duke Energy.

Cross-Site WebSocket Hijacking (CSWSH) is a powerful yet underexplored vulnerability in modern web applications. This talk looks at how advancements in browser security, such as SameSite cookie defaults, Total Cookie Protection, and Private Network Access, have reshaped its exploitability. Through real-world case studies from past security assessments, we’ll examine scenarios where CSWSH attacks succeeded, but would now be mitigated by contemporary browser features. Attendees will gain insights into the prerequisites for successful CSWSH exploitation, understand the implications of browser security enhancements, and learn best practices for securing WebSocket implementations against such attacks.

Laurence is an application security consultant at Include Security with a broad range of interests. He is the co-founder of CryptoHack, a popular cryptography challenge platform. He got addicted to CTFs at university and has been learning as much as he can about web, cryptography, network, and infrastructure security since then. In his spare time he loves going on cycling and hiking trips.

As industrial environments become increasingly interconnected, the OT DMZ stands as a critical yet vulnerable boundary between enterprise IT networks and operational technology. In this talk, we expose the offensive strategies adversaries use to penetrate the OT DMZ and pivot into sensitive control system networks. Drawing from real-world red team operations and threat intelligence, we’ll explore how misconfigured remote access solutions, poorly segmented architectures, and legacy services create exploitable pathways into industrial environments. Attendees will gain insight into tradecraft used to move from enterprise footholds into OT networks, including techniques for identifying and abusing jump hosts, proxy services, Citrix gateways, and RDP relays. We’ll demonstrate practical TTPs for lateral movement, credential access, and evasion within the DMZ layer—highlighting how assumptions about segmentation often fall short in practice. Finally, we’ll discuss defensive takeaways to help asset owners detect and mitigate these threats before they escalate. This presentation is aimed at offensive security professionals, defenders, and industrial security leaders seeking to understand how the OT perimeter is being targeted—and how to better protect it.

Christopher Nourrie is a threat hunter at Southern California Edison (SCE). He specializes in IT and OT threat hunting while supporting the Red Team program. With over 11 years of experience in offensive security, his expertise includes penetration testing, network security assessments, and adversary emulation. Before joining SCE, Chris was a Principal Penetration Tester at Dragos, Inc., concentrating on red teaming and penetration testing within industrial environments. He also served as an Exploitation Analyst at the National Security Agency (NSA) within the Tailored Access Operations (TAO) division under U.S. Cyber Command, supporting offensive cyber operations. His expertise encompasses open-source intelligence (OSINT), network reconnaissance,, and advanced attack methodologies. Chris also played a pivotal role in cybersecurity education, teaching advanced adversary tactics at the NSA’s National Cryptologic School. He is the author of Pentesting Industrial Networks and delivers an OT penetration testing course that helps security professionals strengthen their industrial cybersecurity defenses. Chris is a dedicated researcher who studies advanced threat actor tactics, techniques, and procedures (TTPs) targeting enterprise and industrial environments. He continuously integrates emerging insights into his tradecraft, refining methodologies to stay ahead of evolving cyber threats. His contributions to the field help organizations bolster their security posture against sophisticated adversaries.

Join your fellow hackers managing the Cryptocurrency areas of Defcon, and get a sneak peak of what each workshop teaches as well as an overview of the showcases and programs happening in our Defcon Community, Contest, and Vendor areas. Chad and Param will report on cryptocurrency trends and perspectives from their distinguished positions in industry and academy. We will announce the teams competing in the Cryptocurrency Cyber Challenge, and give an overview of what’s available in the vending area. Meet the organizers of years of cryptocurrency content at Defcon and bring your questions to the Community Stage!

Michael Schloh von Bennewitz (MSvB) is a computer scientist specializing in cryptosecure electronics and embedded development. He is the founder of Monero Devices and responsible for research, development, and maintenance of Opensource software repositories. A prolific speaker in four languages, Michael presents at technical meetings every year.

Chad Calease designs for failure—on purpose.​ At Kraken, he hovers where crypto, resilience engineering, and human behavior collide. A systems thinker with instincts that cultivate resilience, Chad champions the Kraken value of being “Productively Paranoid”—as both a design principle and a survival trait. His work challenges us to outpace risk, interrogate ease, and own our exposures before they own us—by building with the assumption that failure isn’t an if, but a when.

Param is an Electrical Engineering Student from Georgia Tech with a strong passion for and interest in crypto. Although he primarily got interested in cryptography and hardware security through a class at Georgia Tech, he is also working at a software company on crypto adoption and ease of use. With a unique blend of HW and SW skills, Param is truly enthusiastic about all aspects of crypto.

In recent years, ransomware has been one of the most prolific forms of cybercrime with financial gain as primary motive. The problem keeps getting bigger with a new operation seeing the light almost every month. While reverse engineering ransomware is fun, it also serves a greater purpose: can we find a vulnerability that allows us to decrypt a victim’s files without interacting with the criminals? Enter the DoNex ransomware, a new operation that has entered the scene very recently. They have a leak website on the dark web where some victims have been named and shamed. Reverse engineering of a DoNex sample revealed a vulnerability that allowed us to decrypt every encrypted file for victims under a trivial condition. To help victims recover from a ransomware attack, we published a decryption tool on the NoMoreRansom platform, an initiative from a number of parties including the Dutch National Police to keep ransomware operators from extorting victims. In this talk, we will dive into the technical details of DoNex and how we exploited a vulnerability to decrypt files affected by DoNex without the need to negotiate with the cybercriminals.

Everything you need to know about beating CTF challenges

Threat intelligence reports from reputed parties contain a wealth of OSINT including threat actor details, campaign information, IOCs (indicators of compromise), and TTPs (Tactics, Techniques and Procedures). Such threat intelligence is predominantly consumed with a human in the loop due to several challenges posed: Threat intelligence is often in natural language and difficult to extract automatically; These reports may have incomplete information and may require synthesizing multiple reports to construct a better view of the attack; Some intelligence such as TTPs are often implicit in the report and requires language comprehension; Not all indicators in a report are malicious and further they could have different degrees of confidence on the level of maliciousness and what they define as malicious.x000D x000D The labor intensive manual process not only makes it difficult/error prone to identify actionable threat intelligence in the form of battlecards but also leave users vulnerable to mentioned attacks due to the increased time gap threat reports and manual extraction of intelligence. The problem is exacerbated by the fact that many similar threat reports with different pieces of intelligence scattered across reports especially for emerging attacks.x000D x000D We build an agentic system to automate the collection and synthesis of cyber threat intelligence from threat reports using LLM Agents and unsupervised machine learning techniques into battlecards. At a high-level, CTI-Agent first extracts threat actor, campaign, TTPs and IOCs from recently published threat reports from reputed parties using specially crafted prompts on LLMs (Large Language Models) as well as using regular expressions/known knowledge which we refer to as signature based techniques. The agent also generates concise summaries for each threat report using LLMs. After performing a round of validation, the agent uses the summaries and extracted intelligence to synthesize multiple reports together and provide a battlecard with easily digestible threat intelligence. The agent follows the proven ReAct (Reason Action) framework to plan tasks autonomously and achieve the final goal of producing accurate battlecards by reasoning and then acting (i.e. calling various tools) multiple times. We plan to share our experience and lessons learnt during the process of build the CTI-Agent.x000D x000D The outline of the presentation is as follows:x000D x000D CTI to Battlecards_x000D_ How battlecards are used to help protect networks_x000D_ Manual, time consuming, error-prone_x000D_ Multiple threat reports with inconsistent descriptions_x000D_ May contain conflicting IOCs/TTPs_x000D_ x000D Modeling CTI Reports_x000D_ Converting unstructured or semi-structured data into structured threat information_x000D_ Challenges involved_x000D_ x000D Three key LLM patterns_x000D_ Prompting LLMs (simple and CoT prompting)x000D RAG (Retrieval Augmented Generation)x000D Agents_x000D_ x000D Prompting LLMs_x000D_ How to effectively prompt LLMs to elicit best output_x000D_ Examples_x000D_ x000D RAG_x000D_ Describe a RAG system using a diagram_x000D_ x000D Agents_x000D_ Describe an magnetic system using a diagram_x000D_ x000D Evals_x000D_ Evaluating LLM/Agentic systems is a challenging task_x000D_ Show how one can incrementally build an eval dataset to evaluate_x000D_ x000D Agent Tool Calling_x000D_ Introduce Agent tool calling_x000D_ Introduce MCP protocol_x000D_ x000D Multi-Agent Systems_x000D_ Common patterns_x000D_ Introduce A2A protocol_x000D_ x000D Popular Agent Planning Techniques_x000D_ Introduce what agent planning is_x000D_ Introduce patterns like Reflection and ReAct_x000D_ x000D Guardrails_x000D_ Explain the need to have guardrails_x000D_ Provide examples_x000D_ x000D Multi-Agentic System Overview_x000D_ Monitor and collect recent threat reports from reputed parties_x000D_ Agentic System to extract Threat Actor, Campaign, TTPs and IOCs_x000D_ Extract using CoT prompted LLMs_x000D_ Extract using signature based methods x000D Validate the collected threat intelligence information via reflection and LLM-as-a-Judge_x000D_ Create threat report summaries for each threat report prompting LLMs_x000D_ Collect additional IOCs related to campaigns using in-house intelligence_x000D_ Save reports, summaries, threat intelligence data to a database_x000D_ Cluster threat reports to identify related threat reports (i.e. those reports discussing the same threat or campaign)x000D Generate language embeddings for the threat summaries for threat reports_x000D_ Generate graph embeddings by modeling threat reports and threat intelligence extracted as a graph and using unsupervised graph learning algorithm_x000D_ Combine both embeddings together and perform unsupervised learning to cluster embeddings together_x000D_ The embeddings in the same cluster correspond to threat reports discussing the same threat or campaign_x000D_ Generate battlecards that can be readily used by security operations professionals_x000D_ Note: The above steps will be visualized into multiple slides and showed how to realize them in practice.x000D x000D Agentic System Evaluation_x000D_ Dataset_x000D_ Experimental results_x000D_ x000D Lessons Learned_x000D_ Various lessons learned during the construction and evaluation of this system plus several other agentic systems that the author built_x000D_ x000D Summary_x000D_ Key take aways from the presentation_x000D_

Mohamed Nabeel, PhD, is a cyber security veteran leading the efforts on proactive detection and graph based threat intelligence research and development. He is an open-source enthusiast and a member of Apache Software Foundation. Currently, he is a principal security researcher at Palo Alto Networks. He is passionate about securing AI, and building AI powered tools and systems to help defenders stay one step ahead of Internet miscreants. During his spare time, he teaches AI/Cyber Security to graduate students and mentors cyber security research students at National University. He has authored and presented 25+ US patents and 25+ papers at top security conferences including RSAC, VirusBulletin, IEEE S&P and Usenix Security. Some of his inventions are patented by a rising cyber security firm named bfore.ai and some are successfully productized and deployed at PANW.

This panel brings together offensive cyber security experts and community leaders to explore the critical role of the adversarial mindset in modern cyber security. From red teaming and threat emulation to vulnerability research, we’ll discuss how thinking like an attacker strengthens defense strategies. e will also highlight the power of grassroots security communities in sharing knowledge, advancing tradecraft, and building the next generation of defenders. Join us for a conversation that bridges offense, defense, and the culture that makes it all possible.

Len Noe is a Technical Evangelist, White Hat Hacker, and BioHacker. Noe is an international security speaker who has presented in over 50 countries and at multiple major security conferences worldwide including presenting at the World Conference at the Hague. Len is a global thought leader in the Transhuman/Human+ movement and utilizes microchip implants to advance cyber security and the human experience. Len has had his research published in multiple news outlets globally and is a regular participant on numerous security podcasts. Prior to 2001 Noe was a Black/Grey Hat Hacker and learned most of his skills by practical application. Noe has spent 29 years working in the areas of web development, system engineering/administration, architecture, and coding; for the past nine years, he has focused on information security from an attacker’s perspective. He also actively participates in the activities of the information security communities in Texas, the Autism Society, and many others.

Chris Glanden (AKA Pr0ph-1T) is a cybersecurity advisor, thought leader, and prolific content creator with over 25 years of industry experience. Formerly a security solutions engineer, he’s now the Founder and CEO of BarCode Security, a boutique services firm specializing in creative narrative strategy, helping organizations and individuals strengthen their brand presence and visibility. He’s also the host of the award-winning podcast “BarCode” and a founding member of the Cyber Circus Network (CCN). With a passion for storytelling that extends beyond the microphone, he also writes and directs indie films based on true stories spawned from within the cyberworld.

I’ve been working as Head of Identity Threat Labs and Global Product Advocate at Segura®, Red Team Village Director, Senior Advisor Raices Cyber Academy, Founder of Red Team Community (Brazil and LATAM), AWS Community Builder, Snyk Ambassador, Application Security Specialist and Hacking is NOT a crime Advocate. International Speaker at Security and New technologies events in many countries such as US (Black Hat & Defcon), Canada, France, Spain, Germany, Poland, Black Hat MEA – Middle-East – and others, I’ve served as University Professor in Graduation and MBA courses at Brazilian colleges, in addition, I’m Creator and Instructor of the Course – Malware Attack Types with Kill Chain Methodology (PentestMagazine), PowerShell and Windows for Red Teamers(PentestMagazine) and Malware Analysis – Fundamentals (HackerSec).

Phillip Wylie is a distinguished cybersecurity professional with over 27 years of combined IT and cybersecurity experience, including more than 21 years focused on information security. Specializing in offensive security with over a decade of hands-on experience, Phillip has extensive expertise in penetration testing, red team operations, and social engineering engagements, working both as a consultant and as an in-house pentester for enterprise organizations.

As a passionate educator, Phillip served as an Adjunct Instructor at Dallas College for over 3.5 years and has developed curricula for INE and P3F. He is the concept creator and co-author of The Pentester BluePrint: Starting a Career as an Ethical Hacker and was featured in Tribe of Hackers: Red Team. Phillip hosts two prominent cybersecurity podcasts: The Phillip Wylie Show and Simply Offensive.

Phillip is a sought-after conference speaker, hands-on workshop instructor, and dedicated mentor to cybersecurity professionals worldwide.

Our vulnerability disclosure ecosystem is strained. NVD backlogs persist, while the CVE program, after a near-critical funding crisis impacting its stability, struggles with vulnerability volume and assignment consistency under ongoing resource pressure. CISA’s role also evolves amidst these challenges. This talk dissects these US program issues and their impact on AppSec professionals, then examines rising global players like ENISA and other vulnerability databases, assessing their pros, cons, and impact on vulnerability management.

Researcher. Builder. Hacker. Traveler.

Everything you need to know about getting started in cybersecurity

Step into an empowering panel experience spotlighting accomplished women reshaping the cybersecurity landscape. Through candid conversation, our panelists—from industry leaders to public-sector defenders—share real-world stories about breaking into and thriving in cyber, building resilient networks, and advancing diversity. You’ll hear how they navigated nontraditional entry points, found mentorship, bridged the gender gap, and built careers rooted in both technical skill and community. Perfect for early-career professionals and aspiring leaders, this session offers practical advice, personal insight, and inspiration to chart your own game-changing path in cybersecurity.

Ms. Nikkia Henderson is a Portfolio Manager in the federal government with 15+ years of experience. She’s an advocate for women in cybersecurity and enjoys tea, cooking, beaches, and aquariums.

Ms. Arielle Baine is the Chief of Cybersecurity for Region 3 at DHS’s Cybersecurity and Infrastructure Security Agency (CISA), overseeing operations across six states and D.C. She leads a team focused on cyber preparedness, risk mitigation, and incident response through public-private partnerships. Baine brings over 13 years of federal and DoD cybersecurity experience, with previous roles at the FDA, FTC, and Hanscom Air Force Base. She holds a master’s in cybersecurity and certifications including CISSP, CCSP, and CEH.

Ms. Zandreia Keys is a senior intelligence and cybersecurity executive with more than 20 years of experience leading threat intelligence operations, cyber risk analysis, and national security strategy. A U.S. Navy veteran and federal leader, she has built and led high-impact intelligence teams across multiple agencies, driving modernization, mission integration, and secure information sharing across the cyber enterprise.

Ms. Keys is recognized for her ability to bridge operational intelligence with executive decision-making, strengthen public-private collaboration, and lead through change in complex environments. Outside of her professional work, she is also an entrepreneur and mentor, committed to cultivating diverse talent in the national security and cybersecurity fields.

You know how to secure and break systems – but what about the laws and policies that govern them? Whether you like it or not, cybersecurity is now deeply entangled with law and politics. Governments are making decisions about encryption, vulnerability disclosure, surveillance, and the limits of offensive operations – decisions that shape what you can build, break, publish, or patch. What you need is a fast-paced, no-jargon-needed crash course in cyber policy, designed specifically for DEF CON attendees. We’ll start early: the crypto wars (no, not that crypto), hacking laws, and security research. From there, we’ll look at how today’s key institutions – legislatures, federal agencies, international coalitions – are approaching the future of cybersecurity. Topics include the debate over vulnerability disclosure and use, efforts to regulate encryption and mandate software security, the evolving norms of state-sponsored hacking, AI policy’s impact on cybersecurity, post-quantum encryption, and conflicts over digital sovereignty. Finally, we’ll cover how you can engage on these debates. If you’ve ever found yourself yelling at a Congressional hearing on C-SPAN or ignoring it entirely, this talk will help you understand how the levers of cyber policy work – and how you can hack them, too.

Heather West is a policy and tech translator, product consultant, and long-term digital strategist guiding the intersection of emerging technologies, culture, governments, and policy. Equipped with degrees in both computer and cognitive science, Heather focuses on data governance, data security, artificial intelligence (AI), and privacy in the digital age. She is a subject matter authority who has written extensively about AI and other data driven topics for over a decade. She is also a member of the Washington Post’s The Network, “a group of high-level digital security experts” selected to weigh in on pressing cybersecurity issues.

When a system is compromised, the first questions are often: Who did this? and What were they after? But effective cybersecurity—and modern AI‑enhanced defense—goes far beyond just identifying the attacker; it’s about anticipating their next move.

Defeating cyber adversaries starts long before an alert fires. In this fast‑paced primer, we demystify the CTI intelligence lifecycle and structured models such as MITRE ATT&CK, showing how they convert raw telemetry into high‑value intelligence ready for action and fuel smarter purple‑team collaboration.

Join us for an introductory session on the fundamentals of Threat Intelligence—what it is, how it works, and how it’s used to uncover, understand, and respond to evolving cyber threats—then see how AI‑powered automation accelerates indicator extraction, suggests hunting hypotheses, stitches detections across your stack for real‑time response, and how purple‑team validation closes the loop by proving your intel‑driven controls stop the threats you care about before the next breach.

Carlo Anez Mazurco is a career cybersecurity consultant who designs and implements defensive strategies for organizations of every size. Holding multiple GIAC‑level credentials (GCIH) alongside Security+ and Network+, he distills 15 years of threat‑hunting and incident‑response experience into actionable guidance. Carlo coaches hands‑on labs at DEFCON’s Blue Team Village and provides year‑round training for community groups such as the Women’s Society of Cyberjutsu, local BNI chapters, and veteran‑led upskilling programs—helping the wider security community build resilient, AI‑aware defenses.

Matthias Göhring is security consultant and penetration tester at usd AG, an information security company based in Germany with the mission #moresecurity. He is Head of usd HeroLab, the division of usd specialized in technical security assessments. In addition, he holds lectures at Technical University Darmstadt and University of Applied Sciences Darmstadt on ethical hacking and penetration testing. In previous scientific work, he focused on network and communication security as well as software security.

Previous publications: – Catching the Clones – Insights in Website Cloning Attacks, Risk Connect Conference, 2021 – Path MTU Discovery Considered Harmful, IEEE 38th International Conference on Distributed Computing Systems (ICDCS), 2018 – Tor Experimentation Tools, IEEE Security and Privacy Workshops, 2015 – On randomness testing in physical layer key agreement, IEEE 2nd World Forum on Internet of Things (WF-IoT), 2015

Thinking about a career in offensive security? Join this interactive fireside chat with professionals working on the front lines of red teaming, penetration testing, exploit development, and adversary emulation. Panelists will share their personal journeys, advice on breaking into the field, and reflections on what it takes to thrive in offensive security. Whether you’re just starting out or looking to pivot your career, bring your questions and curiosity—this is your chance to learn directly from those who’ve made hacking their day job.

Latin America faces a perfect storm of cyber threats—sophisticated criminal networks, underfunded defenses, and systemic vulnerabilities. Yet, within this chaos lies an untold narrative of adaptation, recursion, and community-driven resilience.

Professional in Cybersecurity with 20 years of experience in the sector, seeks to share knowledge using his experience and knowledge and currently works as COO of 7 Way Security, organizer of BSides Colombia, La Villa and other spaces for building collective knowledge.

Profesional en Ciberseguridad con 17 años de experiencia en el sector, busca compartir conocimiento haciendo uso de su experiencia y conocimiento y en este momento trabaja como CEO de Be Hacker Pro donde plantea estrategias para el fortalecimiento del capital humano con talentos en ciberseguridad, es cofundador de CSIETE y 7 Way Security, organizador de BSides Colombia, HackLab Bogotá y otros espacios de construcción de conocimiento colectivo.

Cypherpunks write code that is open source, privacy-oriented, decentralized, trust-minimized, verifiable/auditable, interoperable, and bundled in Linux distributions. Cypherpunks don’t use Java. But in 2025 using Java 25 and Nix — they can and should!

We will review how functional-style programming, minimalism, pattern-matching, native compilation and integration with C/C++/Rust through a new FFM mechanism are game-changers for Java developers and worthy of a second look by those who dismissed Java years ago.

In this session we will see how Nix can reliably build native and JIT-compiled tools and applications, how dependencies can be minimized and bootstrappability achieved.

We will compare Maven’s bytecode packaging to the Nix model and how the two can be integrated while also brining in native libraries.

Real-world examples will be provided. We will look at the gaps that remain and how to close them so we can live the Java-cypherpunk dream and contribute to the “Great Tree”.

Mr. Gilligan learned C and UNIX as an undergrad at Berkeley. In his early career he wrote device drivers and networking protocols. He reluctantly learned Java and learned the good, the bad, and the ugly. His journey has included consulting, management, and entrepreneurship. He is the co-maintainer of bitcoinj, contributes to other open source projects, and is working to better integrate secure enclaves with secp256k1 ECC and Nix.

Cyberpunk authors, like Neal Stephenson in Snow Crash, have long envisioned a world run by ruthless mega-corporations, with more power than governments, engaging in threat activity. We now live in such a world. Tech companies wield immense, often invisible power, far beyond what they admit to users. We’ve caught glimpses:

• A cloud provider scanning customer data for offensive content • A rideshare app tracking users after the ride ends • A robotic vacuum that builds maps of your home • A respected security company bricking systems across the globe… accidentally

These aren’t theoretical. They’re the tip of the iceberg. The real capabilities, the ones no one talks about, are far more dangerous.

Governments know it. That’s why some ban certain apps and hardware. Threat actors know it. That’s why they break in. The question is: do you know what’s really possible?

This talk explores the dark potential of modern tech platforms, the things they’re structurally able to do, whether or not they intend to. We’ll walk through scenarios where companies might be tempted to go offensive, where insiders (or outsiders) could gain and weaponize access, and how these powers could be misused at scale.

Because in security, it’s never about what a system claims to do. It’s about what it can do.

Tom Cross is an entrepreneur and technology leader with three decades of experience in the hacker community. Tom attended the first DefCon in 1993 and he ran bulletin board systems and listservs in the early 1990’s that served the hacker community in the southeastern United States. He is currently Head of Threat Research at GetReal Security, Principal at Kopidion, and creator of FeedSeer, a news reader for Mastodon. Previously he was CoFounder and CTO of Drawbridge Networks, Director of Security Research at Lancope, and Manager of the IBM Internet Security Systems X-Force Advanced Research team. He has written papers on collateral damage in cyber conflict, vulnerability disclosure ethics, security issues in internet routers, encrypting open wireless networks, and protecting Wikipedia from vandalism. He has spoken at numerous security conferences, including Black Hat Briefings, Defcon, CyCon, HOPE, Source Boston, FIRST, and Security B-Sides. He has a B.S. in Computer Engineering from the Georgia Institute of Technology. He can be found on Linkedin as https://www.linkedin.com/in/tom-cross-71455/, on Mastodon as https://ioc.exchange/@decius, and on Bluesky as https://bsky.app/profile/decius.bsky.social.

Greg Conti is a hacker, maker, and computer scientist. He is a nine-time DEF CON speaker, a seven-time Black Hat speaker, and has been a Black Hat Trainer for 10 years. He’s taught Adversarial Thinking techniques at West Point, Stanford University bootcamps, NSA/U.S. Cyber Command, and for private clients in the financial and cybersecurity sectors. Greg is Co-Founder and Principal at Kopidion, a cyber security training and professional services firm.

Formerly he served on the West Point faculty for 16 years, where he led their cybersecurity research and education programs. During his U.S. Army and Military Intelligence career he co-created U.S. Cyber Command’s Joint Advanced Cyberwarfare Course, deployed to Iraq as Officer-in-Charge of U.S. Cyber Command’s Expeditionary Cyber Support Element, and was the first Director of the Army Cyber Institute.

Greg is co-author of On Cyber: Towards an Operational Art for Cyber Operations, and approximately 100 articles and papers covering hacking, online privacy, usable security, cyber conflict, and security visualization. Greg holds a B.S. from West Point, an M.S. from Johns Hopkins University, and a Ph.D. from the Georgia Institute of Technology, all in computer science. His work may be found at gregconti.com (https://www.gregconti.com/), kopidion.com (https://www.kopidion.com/) and LinkedIn (https://www.linkedin.com/in/greg-conti-7a8521/).

800xl co-founder of DCGVR

(DCNextGen is for youth 8-18 attending DEF CON) And just like that, it’s a wrap! While we’re sad to see the fun end, we want to give everyone one last big thank you.

Join us for a final farewell to say goodbye to new friends and hear about all the cool plans we have for next year. We’ll also be handing out prizes for all the Capture the Flag (CTF) events—you must be present to win!

Bianca ‘BiaSciLab’ Lewis is an 18 year old hacker that has been working in cyber security since the age of 11. She started her journey by hacking a mock election reporting system at Defcon at the age of 12 gaining national attention leading her to attend a congressional hearing on election security. Since then Bianca has become an international speaker discussing election security, Social Media Psyops, psychological warfare, women in tech, and other various cyber security topics at DEF CON, Black Hat, Defcamp and numerous other conferences including H.O.P.E. where she was the youngest ever to speak. Seeing the lack of young girls in the cyber space, she also started Girls Who Hack, her non-profit with the mission of teaching girls the skills of hacking so that they can change the future. She provides free online and in person classes on the most important topics in cyber security and online safety. Currently BiaSciLab is a key member of The Hacking Games working as the lead of their youth advisory and influence board “C.Y.B.E.R.” that exists to support The Hacking Games mission to guide the next generation with a passion for hacking onto pathways that drive positive change in the world.

Future of DDoS Attacks and Prevention

We demonstrate a vulnerability in a commonly-used autopilot computer that allows unsigned firmware to be pushed through trusted update channels such as SD cards and NMEA 2000 networked chart plotters without authentication or cryptographic validation. We show how a malicious ‘.swup’ file can be crafted and accepted by the system to gain persistent code execution, enabling arbitrary CAN bus injection on marine control networks. The attack chain, reminiscent of removable media-style delivery in air-gapped systems, demonstrates how firmware-level control in marine environments can be leveraged to disrupt navigation subsystems. We will walk through firmware extraction, reverse engineering of firmware and CAN subroutines, firmware repackaging, and live effects on NMEA 2000 networks. No physical access to the autopilot is needed, the attack leverages trusted firmware delivery via the chart plotter over NMEA 2000.

Carson Green is a graduate research assistant in systems engineering from Colorado State University, with a bachelor’s degree in electrical engineering. He enjoys designing and debugging PCB’s, researching vulnerabilities in cyber-physical systems, and can often be found playing the banjo.

Rik is a PhD student at Colorado State University exploring the tangled edge of embedded systems and cybersecurity. His research focuses into real-world vulnerabilities in automotive and industrial controllers, from reverse-engineering to network protocol level vulnerabilities. He’s previously shared his work at DEF CON and NDSS. When he’s not pulling apart PCBs, you’ll find him elbow-deep in his vegetable garden, proving that both firmware and tomatoes need rooting.

Modern processors are built for speed, but in doing so, they make dangerous assumptions. The very features that make processors fast can also make them untrustworthy. This talk explores how features like speculative and out-of-order execution open the door to powerful side-channel attacks like Spectre and Meltdown. You’ll learn how these vulnerabilities allow attackers to read privileged memory, bypass isolation, and leak secrets that should never be exposed. Through clear explanations and live demonstrations, we’ll show how trust in hardware can be misplaced and how those lies can be turned into exploits.

As malware continues to evolve rapidly through code reuse, obfuscation, and minor variant generation, understanding the lineage of malicious code has become a critical part of threat intelligence and incident response. In this talk, we present how machine learning, embeddings, and graph-inspired modelling can be used to automatically uncover relationships between malware samples and trace their evolutionary history at scale.

Performing analysis of fake images and videos can be challenging considering the plethora of techniques that can be used to create a deepfake. In this session, we’ll explore methods for identifying fake images and videos whether created by AI, photoshopped, or GAN-generated media. We’ll then use this for the basis of a live demonstration walking through methods of exposing signs of alteration or AI generation using more than a dozen techniques to expose these forgeries. We’ll also highlight a free GPT tool for performing your own analysis. Finally, we’ll provide additional resources and thoughts for the future of deepfake detection.    

Michael T. Raggo has over 30 years of security research experience. During this time, he has uncovered and ethically disclosed vulnerabilities in products including Samsung, Checkpoint, and Netgear. Michael is the author of “Mobile Data Loss: Threats & Countermeasures” and “Data Hiding” for Syngress Book. He is also a frequent presenter at security conferences, including Black Hat, DEF CON, Gartner, RSA, DoD Cyber Crime, OWASP, SANS. He was also awarded the Pentagon’s Certificate of Appreciation.

Explores how DCGs extend the DEF CON ethos year-round. Shares practical stories of how local group POCs foster community. Encourages attendees to connect with their local group or form their own group in the absence of a DCG.

DEF CON Groups Global Coordinator

Jayson E. Street referred to in the past as: a “notorious hacker” by FOX25 Boston, “World Class Hacker” by National Geographic Breakthrough Series, and described as a “paunchy hacker” by Rolling Stone Magazine. He however prefers if people refer to him simply as a Hacker, Helper & Human.

He is the Chief Adversarial Officer at Secure Yeti and the author of the “Dissecting the hack: Series” (which is currently required reading at 5 colleges in 3 countries that he knows of). Jayson is also the DEF CON Groups Global Ambassador. He’s spoken at DEF CON, DEF CON China, GRRCon, SAINTCON & at several other CONs & colleges on a variety of Information Security subjects. He was also a guest lecturer for the Beijing Institute of Technology for 10 years.

He loves to explore the world & networks as much as he can. He has successfully robbed banks, hotels, government facilities, Biochemical companies, etc. on five continents (Only successfully robbing the wrong bank in Lebanon once, all others he was supposed to)!

He is a highly carbonated speaker who has partaken of Pizza from Bulgaria to Brazil & China to The Canary Islands. He does not expect anybody to still be reading this far, but if they are please note he was proud to be chosen as one of Time’s persons of the year for 2006.

DEF CON Groups Dept 2nd Lead

This session will introduce the strategy of designing and deploying deception strategies across ICS environments, by leveraging and operationalizing the Mitre Engage adversarial framework. This presentation will discuss the complexities related to deploying deception within ICS environments, and how to design a deception strategy geared towards the adversaries targeting your environment. A real-world case study, focusing on APT44, will demonstrate how to implement a deception strategy for Critical Infrastructure organisations.

Brent has over 18 years experience working in the cybersecurity industry. He spent 12 years working in the Australian government sector, including Law Enforcement agencies, leading national cyber teams. Following his government work, Brent led the global digital forensics and incident response team for a Fortune 500 bank. His expertise has led him to working directly with C-Suite and Crisis Management teams, handling large-scale cyber incidents, including APT-linked cyber espionage campaigns. In addition to government and financial sectors, Brent has extensive experience working in Operational Technology industries, including telecommunications and energy providers.

While cloud-native AI dominates security discussions, desktop apps—still vital in engineering, design, and finance—are quietly evolving. No longer just “legacy,” they now embed local LLMs, predictive UIs, automation, and offline inference.

This talk reframes AI security for desktop environments. We’ll explore new risks: prompt injection in on-device models, adversarial inputs, inference abuse, and insecure plugins. These threats don’t replace traditional flaws like memory corruption or unsafe parsing—they amplify them.

We’ll demo prompt injection on a local LLM and file-format fuzzing causing legacy crashes. Then we’ll cover AI-aware threat modeling, including tampered models and insecure automation. If you think desktop app security is solved, this talk will challenge that—and offer tools to secure hybrid software at the AI + legacy intersection.

Uday is a principal security engineer at Autodesk, where he focuses on securing applications at the intersection of traditional software and emerging AI features. His work spans offensive research, fuzzing, threat modeling, building guardrails and integrating security into the SDLC at scale. He is especially passionate about securing desktop applications in a world rapidly shifting toward AI-first development.

Outside of work, Uday enjoys playing CTF challenges, running fuzz farms, and snowboarding to unwind. He is committed to mentoring others in the security community and is excited to share lessons from the field.

This panel features several researchers that were central to the TTBR as well as the similar Ohio EVEREST Study and will delve further into the conduct of those studies, and how they may inform election security research today.

Debra Bowen was the elected Secretary of State of California for two terms from 2007 to 2015. Prior to that, from 1992 to 2006, she had been a member of the California Assembly and then the Senate. In 2007, at the beginning of her term as Secretary of State, she commissioned the Top to Bottom Review (TTBR) of voting systems used in California. The review involved top computer security researchers, attorneys, and accessibility experts, and provided the nation with an unprecedented view into the state of voting machines. The TTBR led to critical changes to improve California’s elections and influenced other states to move away from the most insecure voting systems. In parallel she commissioned the Post Election Audit Standards Working Group (PEASWG), a group of experts charged with outlining standards for election auditing. From their report emerged the very first formal description of what came to be known as risk-limiting audits (RLAs), now widely viewed as the “gold standard” of auditing techniques. RLAs make the notions of evidence-based elections and software independence, two of the fundamental pillars of election integrity, an achievable goal.For her “bold leadership and her steadfast resolve to protect the integrity of the vote” she was honored with a 2008 Profile in Courage Award by the John F. Kennedy Presidential Library and Museum.

Matt Blaze is the McDevitt Chair of Computer Science and Law at Georgetown University, where his research focuses on problems at the intersection of technology, public policy, and law. Prior to joining Georgetown, he was a professor of computer science at the University of Pennsylvania, and prior to that, a founding member of the Secure Systems Research Department at AT&T Bell Labs. He holds a PhD in computer science from Princeton, an MS from Columbia, and a BS from the City University of New York. Blaze’s scholarship and practical work in high-integrity voting and elections technology dates back more than 25 years. He led teams that examined source code for security vulnerabilities on behalf of the states of California and Ohio for the Top-to-Bottom Review and EVEREST studies. He has testified on election security and other topics before the US Congress over a dozen times, served on various federal and state advisory boards, and has published numerous scholarly research papers on elections and related subjects. He is a founding member of the DEFCON Voting Village, and currently serves as board chair of the Election Integrity Foundation.

As healthcare systems become increasingly digitized, cyber incidents like ransomware attacks and EHR outages are no longer just IT problems—they’re potential contributors to patient harm and mortality. This expert panel explores the groundbreaking proposal to adapt disaster-related death certification frameworks to document cyber incidents as secondary causes of death. Bringing together expertise in cybersecurity governance, healthcare economics, investigative journalism, and clinical practice, panelists will examine the policy implications, implementation challenges, and public health benefits of standardizing how we document and track cyber-induced patient harm.

Dr. Jorge Acevedo Canabal is a physician and cybersecurity researcher focused on digital threats to patient safety. He helped lead Puerto Rico’s post-Maria disaster death certification training and now proposes attributing cyberattacks as a cause of death in modern healthcare.

Joseph has 30+ years of experience in security, privacy, risk, and compliance for Fortune 500 companies. As a Customer Security Officer at Microsoft, he advises US Health and Life Sciences customers on cybersecurity, data privacy, risk management, and information compliance

Hospitals and trauma centers face critical delays in triage, patient monitoring, and shift handoffs—leading to avoidable medical errors, increased wait times, and compromised patient safety. What if AI-powered triage, biometrics, and AI-driven simulation labs could change that? This talk explores how biometric AI, smart bedside displays, digital handoff systems, and AI physiology simulations can enhance emergency care, reduce human error, and revolutionize medical training. Key Innovations We’ll Unpack: 1. AI-Facial Recognition: Upon entry to the hospital/facility, AI-powered sensors take a real-time picture of each patient as they walk/check into the ED and sync the biometric picture with their Medical Record Number (MRN) patient chart. 2. AI-Powered Biometric Triage: AI sensors continue to scan patients in the waiting room, analyzing vital signs (HR, respiratory rate, O2 sat, temp), non-verbal distress like bleeding (trauma), pain based on facial droop (Stroke), chest pain or shortness of breath (Heart Attack), syncope, labor/delivery, and grimacing (pain), and factor all these into the Emergency Severity Index (ESI) algorithm for a real-time comprehensive display to triage staff for their review. 3. Digital Handoff Reporting: Automated shift changes summaries ensure that critical patient data like medical and surgical history, labs, vital trends, pending orders, isolation precautions, and risk factors are not lost between clinicians. It also reduces paper waste, redundancy, and inefficiencies like report duration. 4. Digital Smart Room Display (i.e. TV): Like at a nice hotel room, your patient room tv would provide you with a personalized channel with your real-time medical updates (aka tv medical chart), that are approved by your providers, that are synced to your EHR chart and secured with a personalized pin you created during registration. Upon discharge of the hospital, your channel would be deactivated. This would enhance the time from provider-to-patient communication, decrease patient wait times for results, and ensure healthcare treatment transparency. It is optional and on-demand for the patient and family if consent is given by the patient. 5. AI Physiology in Simulation Labs: AI-driven simulated patient models that replicate real-time human physiology, responses to trauma, medication interactions, and disease progression—transforming medical education. 6. Cybersecurity in AI-Driven Emergency Care: Protecting biometric patient data, preventing AI hallucinations and poisoning, and securing AI-driven training systems. By integrating AI-driven biometrics, automating bedside displays and handoff reports, and AI physiology in healthcare, we can prioritize critical patients faster, reduce handoff errors, and accelerate healthcare education. The future of emergency care isn’t just faster, it’s predictive, automated, and cybersecure.

Dr. Jennifer Schieferle Uhlenbrock has 20+ years of healthcare experience. She bridges clinical practice, business, and cybersecurity best practices. A published technical writer and speaker, she translates complex security and patient safety challenges into clear, actionable insights.

Computers are constantly at work—running processes, handling data, and logging everything they do. These digital breadcrumbs, known as telemetry and artifacts, not only help systems run smoothly but also become crucial clues when something goes wrong.

When a machine is compromised, those logs can tell a story: what happened, how it happened, and who (or what) was behind it.

Join us for an introductory presentation on digital forensics, where you’ll learn how cybersecurity professionals analyze these traces to investigate and understand cyber incidents. No prior experience required—just curiosity and an interest in uncovering the truth behind the breach.

Sarthak Taneja is a detection engineering and threat intelligence professional who started out in the world of penetration testing, giving him a 360-degree view of attack paths—whether the is defending against them or, let’s be real, figuring out how to break in. When he is not decoding the latest threats, you’ll find him jet-setting across the globe, stirring up the security scene by organizing and volunteering at conferences everywhere.

The CVE Program has been a cornerstone of cybersecurity for over two decades, but its original design was never meant to support AI-discovered vulnerabilities, real-time coordination, or global software supply chains. The CVE Program has evolved from a technical utility to become a pillar of public cybersecurity policy. As governments craft regulation around vulnerability disclosure, product security, and software liability, the CVE system is increasingly at the center of the conversation, but innovation in vulnerability discovery has outpaced innovation in vulnerability tracking, lagging behind the needs of policy, industry, and international coordination.

This panel will explore how public policy can promote innovation within the CVE Program to meet growing global expectations. Topics will include how AI and automation can modernize disclosure at scale, how CVE labelling can evolve with emerging technologies, and how solutions must address the risk of fragmentation (national vulnerability databases and duplicative disclosure systems) to be future proof.

Elizabeth Eigner is a Security Policy Strategist on Microsoft’s Global Cybersecurity Policy team, where she represents Microsoft on the Hacking Policy Council, where she works collaboratively with industry leaders and policymakers to advance responsible cybersecurity and strengthen the frameworks that underpin software security worldwide. Previously, she served as Microsoft’s representative on the Cloud Service Provider Advisory Board (CSP-AB), contributing to FedRAMP public policy discussions and best practices for cloud security. Elizabeth also leads Microsoft’s Advancing Regional Cybersecurity (ARC) initiative, focusing on improving incident response capabilities and cyber capacity building in the Global South.

Before joining Microsoft, Elizabeth worked at The Washington Technology Industry Association to enhance Washington State’s innovation ecosystem. At MIT Solve, she collaborated with tech-based social entrepreneurs on solutions fostering digital inclusion and equitable economic opportunity. She holds a B.S. in Political Science from Northeastern University, with a concentration in Law and International Security.

Trey Ford is a seasoned strategic advisor and security thought leader with over 25 years of experience in offensive and defensive disciplines (incident response, application, network, cloud, and platform security). Trey has held key leadership roles at Deepwatch, Vista Equity Partners, Salesforce, Black Hat, and more. He has also been a valued member of Bugcrowd’s advisory board for over a decade.

Trey is passionate about working with enterprise leaders, corporate directors, and investors to help teams strengthen their technology and execution strategy. He believes in a hands-on approach to building, breaking, and deconstructing security problems.

Trey has a Master of Science from the University of Texas at Austin and executive education at Harvard Business School. Hailing from Austin, he is a husband, father, and an instrument rated private pilot.

Open-source intelligence in Discord may seem surface level. Some techniques include searching through chat history using search operators similar to Google dorking and reviewing a user’s profile to look for any linked accounts tied to their Discord account. Going beyond this and analyze the servers that a user is a part of, more assumptions and inferences can be made based on those servers. I applied what I saw and experienced with Student Hubs and applied it to cybersecurity within Discord. The information from knowing what cybersecurity servers a person is in informed me of what their experience level was, the type of field they were interested / worked in, and potentially even where they lived.x000D x000D However, you can only reach a certain point by joining servers within Discord. This type of approach can only be done at scale and this presents its own set of problems. Scaling this seemed unlikely to happen until a service known as Spy.pet was publicly disclosed in April 2024. Spy.pet was marketed as a data broker that was inadvertently a very capable OSINT tool that could be used for Discord. Knowing that it would be available for a short time before it got shut down, I was able to access Spy.pet to use and document what capabilities it had. Since then, there have been more data scrapers that have appeared with their own reasons. These include third-parties (malicious or not), academic researchers, and cybercrime groups. I will cover the capabilities and OPSEC failures from some of the data scrapers in the past year as well as how it could possibly be approached in the future. Most importantly, I will go over protections at the user and server level.

Zach a.k.a “UberZachAttack” is a PSU alum, works within offensive security, and holds various certifications.

Effective phishing campaigns traditionally demand extensive manual effort, involving detailed target reconnaissance, crafting believable scenarios, and setting up infrastructure. These manual processes significantly restrict scalability and customization. This talk explores a practical approach to leveraging Generative AI for automating core aspects of phishing workflows, drawing on direct experiences and real-world threat actors such as Emerald Sleet, Crimson Sandstorm, and Charcoal Typhoon.

The session thoroughly compares results from different models and platforms, including OpenAI ChatGPT, Anthropic Claude, and local alternatives, highlighting distinct strengths, weaknesses, and techniques for optimizing outcomes. Attendees will gain insights into deploying an end-to-end phishing campaign, emphasizing the models’ effectiveness in reducing the technical barrier of scaling phishing attacks. Finally, the talk underscores that while AI significantly enhances operational efficiency, it functions best when complemented by human judgment and expertise, reinforcing the critical human factor in cybersecurity practices.

As an experienced Red Team leader, Daniel applies a strong software development and networking background to help Fortune 500 companies identify and remediate vulnerabilities in various technologies, including corporate networks, applications, and smart devices. With more than 15 years of experience in Cybersecurity, prominent local and international security conferences such as HOU.SEC.CON, ISC2 Security Congress, and Black Hat Regional Summit featured his Offensive Security research. Daniel holds a B.Sc. in Computer Science and an M.Sc. in Cybersecurity. In 2019, Daniel was part of the team that won the DEF CON Biohacking Village Capture the Flag competition.

—

With over 15 years in offensive security, Daniel applies a strong software development and networking background to help Fortune 500 companies identify and remediate vulnerabilities in various technologies, including corporate networks, applications, and smart devices. With more than 15 years of experience in Cybersecurity, prominent local and international security conferences such as HOU.SEC.CON, ISC2 Security Congress, and Black Hat Regional Summit featured his Offensive Security research. Daniel holds a B.Sc. in Computer Science and an M.Sc. in Cybersecurity. In 2019, Daniel was part of the team that won the DEF CON Biohacking Village Capture the Flag competition.

Systems engineers may need different toolchains, whether its a specific configuration for a unique target or something so they can cross compile. On many distros, this requires either manually building the toolchain or finding the right packages. With Nix, we can do it declaratively.

I will be going into the new toolchain attributes mechanism in nixpkgs and how my work on the Standard Environment team opens the door to many new things for embedded and systems engineering with nix.

Low level programmer, OS/Zig/Linux dev, Nixpkgs committer (LLVM). Likes to watch 大空スバル (Subaru Oozora).

Domain fronting has quickly become to go to method for stealthy data exfiltration and beacon callbacks, popularised by C2 frameworks such as Posh and Cobalt Strike. In this talk we will review cloud providers and CDNs attempts to shutdown domain fronting and just how feasible it is in 2025

Using the Dominion touchscreen BMD debuted at Voting Village 2023, we will discuss and demonstrate in real-time how technically simple “hacks” to the ballot displayed on the voter’s touchscreen can directly impact the vote count, or alternatively impact the voter’s decisions. These simple “hacks” to the election definition (with no need to inject malware) include the manipulation of display of candidate choices, silent removal of candidates from the display, and using false instructions on the touchscreen to intentionally misinform voters regarding candidates or ballot questions. Furthermore, attempting to determine/recover from such hacks on the election outcomes can range from difficult to impossible. In addition to discussing the tactics and potential impacts, we will illuminate underlying system design decisions which enabled such hacks to be technically simple, feasible, and easily executable. The knowledge and tools used/discussed were obtained through public means and public websites, available to an unlimited number of people. This talk will focus on the general methodology and ease of the vote manipulation, the range of impacts, the feasibility and scalability. Immediately following the on-stage presentation, a deeper dive into the technical aspects will occur in the adjacent Voting Village lab room.

Drew Springall is an Assistant Professor of Computer Science at Auburn University, and is a hacker/security researcher with a focus on the technical/concrete aspects of voting system security. Since 2013, Drew has worked to understand and demonstrate the difficulty attackers would face should they attempt to attack such systems as deployed in the real-world and given realistic resources to leverage. Most recently, Drew has worked specifically on the DVSorder ballot randomization flaw and the ”Security Analysis of Georgia’s ImageCast X Ballot Marking Devices” report published along with Prof. J. Alex Halderman.

Kubernetes has become a center of modern cloud-native applications. Its complex architecture and dynamic nature introduce new security issues regularly, and while significant strides have been made in addressing security challenges, the task of managing entities and their access rights remains daunting. This talk will explore authorization auditing, examining the challenges of identifying cluster entities and access rights vs the required privileges to perform their intended tasks. We will discuss the importance of audit logs in understanding access patterns and complexities associated with such log analysis. We will introduce KIEMPossible, an open-source tool designed to help achieve least privilege status. KIEMPossible analyzes entities’ permissions and usage through audit logs, providing insights for informed decision-making. This aims to simplify Kubernetes Infrastructure Entitlement Management (KIEM), allowing organizations to mitigate risks associated with excessive privileges.

A Security Researcher at Palo Alto Networks specializing in Cloud and Kubernetes.

ICS Malware is rare. Yet, ICS Malware like FrostyGoop and TRISIS, and related discoveries like COSMICENERGY, were all found on VirusTotal, so analysts still hunt for novel ICS Malware in public malware repositories. In the process, they discover all kinds of tools: research, CTFs, obfuscated nonsense code with no effects, and sometimes, malware targeting ICS/OT sites. But how do they find and filter out the benign from malicious? Or the ICS and ICS-related malware from regular IT malware?

In this talk, we will use recently discovered samples to walk through the process of hunting and analyzing potential ICS threats. We’ll show the simple queries we use to cast a net, our typical analysis process, and relevant follow-on actions like victim notification. Lastly, we’ll discuss how we decide whether a sample is ICS malware using Dragos’s ICS malware definition.

Jimmy Wylie is a malware analyst at Dragos, Inc., who searches for and analyzes threats to critical infrastructure. He was the lead analyst on PIPEDREAM, the first ICS attack “”utility belt””, and TRISIS, the first malware to target a safety instrumented system. Formerly a DoD Contractor and malware analysis instructor, he has over 14 years of experience with reverse engineering and malware analysis. In his off-time, Jimmy enjoys playing board games, solving crossword puzzles, and testing the limits of his library card. He can be found on BlueSky: @mayahustle.bsky.social

Sam is currently an Associate Principal Vulnerability Analyst at Dragos where he researches vulnerabilities and malware impacting OT/ICS systems. Specifically, Sam discovers 0-day vulnerabilities in industrial software and threat hunts for ICS-related malware in public data sources. Sam has analyzed notable ICS-related malware, including components of PIPEDREAM and Fuxnet. Sam has presented at several cybersecurity conferences, including Dragos’ DISC (’22 and ’23), DISC:EU ‘24, and BSides:Zurich.

The presentation will be based on a new paper that examines which elements of a post-election audit are necessary to provide publicly available evidence to confirm the outcome of an election is correct. The paper and presentation will take a close look at the post-election audits conducted after the 2024 election in the seven closely contested swing states and will examine if the audits conducted after the November election meet, or don’t meet, the criteria for effective, trustworthy, meaningful, and reliable audits.

Susan Greenhalgh is the Senior Advisor on Election Security for Free Speech For People. Ms. Greenhalgh has previously served as vice president of programs at Verified Voting and at the National Election Defense Coalition, advocating for secure election protocols, paper ballot voting systems and post-election audits. Recognized as an expert on election security, she has been invited to testify before the U.S. Commission on Civil Rights and has been an invited speaker at meetings of the MITRE Corporation, the National Conference of State Legislatures, the Mid-West Election Officials Conference, the International Association of Government Officials, the Election Verification Network and the E-Vote-ID conference in Bregenz, Austria. She is a frequent source for reporters from TheNew York Times, The Washington Post, The Wall Street Journal, Politico, USAToday, Associated Press, National Public Radio and other leading news outlets. She has appeared on CNN and MSNBC’s The Rachel Maddow Show, and various other television news shows. She has a BA in Chemistry from the University of Vermont.

Come hear Carson and Eric discuss some of the most challenging topics in security operations today. Carson Zimmerman and Eric Lippart, “Doom” and “Gloom,” respectively, have been working in security ops for over a combined 40 years, and have seen a thing or two. They will cut the buzzword bingo and offer frank opinions about how to get SOC right, and how to get it wrong.

This year, we’ll be discussing topics like: * The constant march of incidents and assume breach has transcended cliche– what are you doing to keep yourself and your crew sane? * Where are you investing right now to detect and block with nation state adversaries– what’s working and what hyped methods are a waste of time? * Speaking of cliches, too many alerts, not enough people and time– yes, we need to tune, but what are we doing to win here? Is it sustainable? Should we give up on conventional detection? * Let’s talk about generative AI– where are you seeing SOC actually use it, and where do you think we’re still a ways off? * Return to office- we hear about it in the news, but is it realistic? Does RTO preclude world class talent?

Bring your questions, let’s go!

Carson Zimmerman has been working in and around security operations centers (SOCs) for over 20 years. Carson is a Principal Security Researcher at Microsoft, working to elevate SOCs around the globe through industry-leading security capabilities. He co-authored 11 Strategies of a World-Class Cybersecurity Operations Center, available at mitre.org/11Strategies.

Eric Lippart has spent over 20 years deeply involved in cyber operations and engineering across the national security and financial services spaces. His early career in cyber started at MITRE, where he spent well over a decade supporting cyber operations and initiatives within the DoD and Intelligence Community before ultimately moving on to support the financial industry. He is a regular presenter at various security conferences, and has enjoyed contributing to numerous books, articles, white papers, and presentations on the topic of cyber operations. Eric is currently the Global Head of Cyber Operations at Manulife/John Hancock.

A quick talk about the basics around Physical Security Assessment.

In this half hour overview, village residents Utvecklas and George explain the basics of how Drain and Approval Attacks work. Judging from attendance at yesterday’s workshop of the same name, we get to hear if this particular attack is easy to identify, and how likely we are to be victims. A review of lessons learned in the workshop lead to sneak previews of Georg and Utvecklas’ next generation of research and likely outcomes.

George is a cryptocurrency enthusiast who has been actively involved in the space since 2018. With a focus on crypto marketing and security, he has successfully launched multiple projects aimed at improving both user adoption and safety. George is passionate about bridging the gap between complex technologies and mainstream audiences.

Utvecklas is a computer scientist and privacy advocate who has integrated cryptocurrency into online businesses since 2016. Over time, cryptocurrency itself became his primary interest. Outside of work, his research specializes in exploits — whether past, ongoing, or potential.

En esta charla mostraré los detalles de una investigación reciente del GERT de Kaspersky sobre una vulnerabilidad en un driver que permite a un atacante ejecutar código malicioso para evadir los antivirus de los sistemas. Analizaremos cómo se descubre la vulnerabilidad, la forma en que un atacante la aprovecha para desactivar soluciones de seguridad y cómo logra la evasión completa. Además, presentaremos un análisis técnico del ataque y del incidente, incluyendo el flujo de ejecución y cómo se consigue el bypass de las defensas modernas. Finalmente, discutiremos contramedidas y recomendaciones para protegerse frente a este tipo de ataques.

Actualmente me desempeño como Incident Response Specialist en el Global Emergency Response Team (GERT) de Kaspersky, cuento con 6+ años de experiencia realizando tanto forense digital, así como Análisis de Malware y Reversing, y previo a dedicarme a DFIR (Digital Forensics and Incident Response) laboré 2 años como Penetration Tester.x000D He colaborado en distintos proyectos de Threat Intelligence y Threat Hunting.x000D Actualmente soy profesor de los módulos de Análisis Forense y Análisis de Malware en un diplomado de seguridad de la información en México.x000D x000D Certificaciones: GREM, GCFA, eCTHP, CHFI.

White House National Security Council Senior Director for Cyber Alexei Bulazel will join AIxCC creator and Dartmouth Fellow Perri Adams in conversation on the AIxCC stage.

Are you an IT or cybersecurity professional tired of navigating corporate hierarchies and seeking permission to innovate? This 45-minute session is your roadmap to transforming from an employee to an entrepreneur, taking full ownership of your expertise and future. We’ll dismantle the traditional barriers to entry and empower you to become a game-changer in the Managed Service Provider (MSP) landscape.

This talk will equip you with actionable strategies and practical resources to launch and scale your own successful MSP. We will delve into the essentials of building a robust service offering, with a strong emphasis on cybersecurity. Discover proven techniques for effectively responding to security-focused Request for Proposals (RFPs) and crafting compelling Request for Quotations (RFQs) that win business. Furthermore, we’ll explore powerful models for collaboration and teaming up with fellow professionals to expand your capabilities and market reach. Finally, we will address the critical aspect of funding, outlining various avenues to secure the capital needed to fuel your venture.

Join us to learn how to duck the gatekeepers, bypass the permission slips, and step into a future of full ownership, innovation, and impactful service delivery. It’s time to become the game changer you were meant to be.

Kevin Mitchell is a highly accomplished security professional with over 8 years of expertise spanning hardware embedded systems, automotive security, and application security. His deep technical skills encompass penetration testing, vulnerability research, firmware reverse engineering, and hardware analysis, evidenced by the discovery of CVE-2023-52709. 1 Kevin also brings experience in utilizing SAST/SCA tools and managing software dependencies with SBOMs, complemented by industry certifications like CISSP, CEH, and OSWP. He is a proactive and results-oriented individual dedicated to securing cutting-edge technologies.

Quantum security is mysterious, expensive, and locked behind corporate and academic walls. But hackers don’t wait for permission to learn. What if you could build your own quantum hacking lab, right in your garage?

Yann is a cybersecurity researcher, hardware hacker, and quantum security enthusiast with a background in electronics. After years of working in hardware security , he transitioned into quantum technologies , focusing on DIY approaches to breaking and securing quantum networks. His work emphasizes open-source learning, hands-on hacking, and making quantum security accessible to all.

Elevator floor lockouts are often used as an additional, or the only, layer of security. This talk will focus on how to correctly incorporate elevators into your security design, and how badly set up elevators could be used to access restricted areas– including using special operating modes, tricking the controller into taking you there, and hoistway entry.

Bobby is involved in the planning of Physical Security Village. He enjoys anything mechanical and is currently serving as VP R&D at GGR Security Consultants. I like trains and milk.

Ege is a security researcher specialising in access control systems and electronics. She is currently pursuing a degree in Electrical Engineering and work part-time for GGR Security as a Security Risk Assessor

Enshittification is the malware whose whole mission is to keep you powerless and paying for something that degrades your user experience in the pursuit of unending profit growth. Yes, bills have to be paid, but it’s alarmingly prevalent, and propagating at a speed only proportionate to our propensity to spend on stuff doing the enshittifying without consequence. A great man once said ”La piraterie n’est jamais finie” (piracy is never over) and if there is one place in the world where a solution can be born, it’s Defcon. Let’s talk.

We will look at many examples, ramifications and propagation methods for the Enshittification malware, and how to establish perimeter defenses to stop it. We’ll also cover the activities and examples leading the way in decontaminating the products, services and technologies we like(d).

In the end, (it doesn’t even maaatter. see what we d-…) we need each other and our biggest challenge is getting along in the context of fighting enshittification. Let’s come together and fix this.

Join Sam B.G., GITC, scsideath and Spike for an awesome panel!

Andrew Brandt is a former investigative journalist who switched careers to work in information security in 2007. He is an experienced malware analyst, network forensicator, and cyberattack untangler, who seeks to prevent cybercriminals from being able to victimize others. He has served as the director of threat research or as a principal researcher at several large cybersecurity companies, and currently serves on the board of World Cyber Health, the parent organization that operates the Malware Village at Defcon and other conferences. As the executive director of Elect More Hackers, he is active in cybersecurity and technology policy, and seeks to recruit likeminded folks to run for elected office. He lives in Boulder, Colorado.

Neumann Lim has a strong background in cybersecurity and infrastructure management currently leading the Odlum Brown Team. He also has an extensive IR experience at previous companies such as Deloitte Canada, EY, CGI, and ISA. Currently, Neumann is serving in advisory board roles at SANS, EC-Council and other organizations. Neumann’s expertise includes digital forensics, incident response, modernizing infrastructure, infrastructure resilience, site reliability, malware research, pentesting and leadership in information security policies. Outside of corporate life, Neumann is the co-founder of Malware Village, judge and participant of various cyber CTFs. Neumann is often seen speaking or leading workshops at various conferences such as DEFCON, BlueTeamVillage, GrayhatCon, BSides, Toronto CISO Summit, CCTX, HTCIA, IACIS.

Remember that soul-crushing moment when you opened an 8.9 GB of burp suite file? Yeah, fun times. But here’s something even more annoying: reading a random blog post where someone casually mentions a $5,000 bug—an unauthenticated admin panel hidden on some obscure, unpredictable URL of a well known target.x000D x000D I feel you, it’s hard to deal with huge attack surfaces, endless URLs and thousands of subdomains. And it’s even harder to expand your attack surface to find pages that no one ever looked at it before. Don’t get me wrong—I still think AI sucks at pentesting (sue me). It won’t chain exploits, think creatively, or outsmart a well-configured WAF. But here we are. It’s really good at generating path/subdomains, and picking out the most important targets from a massive list. And lastly, AI can be a smart assistant that is specifically configured for the target app’s test. It handles the boring stuff, so you can focus on breaking things.x000D x000D In this talk, we’re not glorifying AI—we’re putting it to work. Smart, sharp, and right where it counts.

Hey! I’m Ozgun (aka ozzy), a 25-year-old security researcher. By day, I’m trying to live as a penetration tester. By night? Well, it’s a mix—sometimes hunting web bugs, sometimes sneaking around in red team ops, and sometimes just trying not to lose all my chips at poker.x000D x000D I’ve spoken at several conferences, including Hacktivity, BsidesPrague, and DEFCON. Lately, I’ve picked up a new hobby—studying LLMs and AI. Not the hype, but the scientific magic side of things. I’ve been exploring how to blend them into cybersecurity in smarter, more effective ways.

Google’s Privacy Sandbox initiative aims to provide privacy-preserving alternatives to third-party cookies by introducing new web APIs. This talk will examine potential client-side deanonymization attacks that can compromise user privacy by exploiting vulnerabilities and misconfigurations within these APIs.

I will explore the Attribution Reporting API, detailing how debugging reports can bypass privacy mechanisms like Referrer-Policy, potentially exposing sensitive user information. I will also explain how destination hijacking, in conjunction with a side-channel attack using storage limit oracles, can be used to reconstruct browsing history, demonstrating a more complex deanonymization technique.

Additionally, I will cover vulnerabilities in the Shared Storage API, illustrating how insecure cross-site worklet code can leak data stored within Shared Storage, despite the API being deliberately designed to prevent direct data access. Real-world examples and potential attack scenarios will be discussed to highlight the practical implications of these vulnerabilities.

The presentation will conclude by emphasizing the critical need for rigorous security and privacy research to ensure that Privacy Sandbox APIs effectively protect user data and achieve their intended privacy goals, given the complexity and potential for unintended consequences in their design and implementation.

Eugene Lim is a security researcher and white hat hacker. From Amazon to Zoom, he has helped secure applications from a range of vulnerabilities. His work has been featured at top conferences such as Black Hat, DEF CON, and industry publications like WIRED and The Register.

El ciberengaño es un tipo de protección valiosa para detectar, interrumpir e influir en los adversarios dentro de una red. Sin embargo, definir planes de ciberengaño viables presenta desafíos importantes. Esta sesión proporciona una metodología estructurada para acotar esta brecha, permitiendo el diseño e implementación de actividades eficaces sobre entornos de producción.x000D x000D La presentación abarcará la siguiente metodología dividida en cuatro fases:x000D 1- Extracción de comportamientos: Comenzaremos examinando escenarios de ciberataques e informes de amenazas persistentes avanzadas (APT) para entender el tipo de extracción de TTP relevantes para el ciberengaño.x000D 2- Selección de criterios: Se debatirán los criterios que guiarán a la aplicación de las actividades de ciberengaño, centrándose en objetivos como la interrupción, el estímulo, la detección o la recopilación de información. Se hará hincapié en la importancia de establecer objetivos claros para aumentar la eficacia de las estrategias de engaño.x000D 3- TTP vs actividades de engaño: Aquí se explorarán distintos tipos de actividades para asignar las TTP extraídas y entender el papel de un Honeypot y sus alternativas. Se aprenderá a diseñar técnicas de engaño que se dirijan a vulnerabilidades específicas según criterios predefinidos.x000D 4- Diseño narrativo: Exploraremos el papel de la narrativa en el engaño, haciendo hincapié en la integración, la credibilidad y la interpretación. Buscaremos dejar claro el proceso para crear historias convincentes que contextualicen las actividades de engaño y respalden la estrategia general. Se compartirán ejemplos prácticos y casos reales cada una de las fases de la metodología. x000D x000D Los asistentes obtendrán información sobre los retos y las mejores prácticas de la implementación de estrategias de ciberengaño, incluyendo aplicaciones en el mundo real, errores comunes y tendencias futuras. x000D x000D Al final de la sesión, los asistentes tendrán una comprensión estructurada de una operación de ciberengaño.x000D x000D Esta presentación está basada y derivada de la experiencia obtenida sobre servicios para organizaciones, entrenamientos para comunidades (Ekoparty 2022 / 2023 / 2024), congresos académicos regionales (JAIIO 2024 / Argencon 2024)x000D x000D Además, de congresos reconocidos en ciberseguridad, entre los que se encuentran: x000D – Blackhat Arsenal USA 2024_x000D_ https://www.blackhat.com/us-24/arsenal/schedule/#dolos-t-deceptive-operations-lure-observe-and-secure-tool-38673_x000D_ x000D – RSA Conference 2025_x000D_ https://path.rsaconference.com/flow/rsac/us25/FullAgenda/page/catalog/session/1727157670597001cJuG_x000D_ x000D – FIRST Conference 2025_x000D_ https://www.first.org/conference/2025/program#pFrom-TTPs-to-Deception-Crafting-Strategies_x000D_ x000D – Blackhat Arsenal USA 2025_x000D_ https://www.blackhat.com/us-25/arsenal/schedule/index.html#buda-behavioral-user-driven-deceptive-activities-framework-45178_x000D_ x000D Gracias por el tiempo y la oportunidad de compartir

Cybersecurity professional with 14+ years of experience as Security and IT consultant. Certified Incident Handler (ECIH) with a degree in Information Security and Communications. Currently works as R&D+i Manager at BASE4 Security, where he leads the company’s research and development initiatives.

Cybersecurity professional with a background in electronic engineering and several industry-recognized certifications. 20+ years of teaching experience at the most prestigious universities in Argentina. 4 published books and +15 peer-reviewed research papers. Has worked in the public and private sectors, including regional roles in global companies.

Voting is complicated. Vendors attempt to manage this complexity with complex voting systems made of bespoke software and hardware. Testing and certification provide at best some confidence that a voting system is properly designed; they are not capable of providing confidence any particular election outcome produced with that system is correct. In 2007 John Wack and I introduced the notion of software independence to refocus attention on the evidence produced by a voting system, instead of on the correctness of the voting system itself. A voting system is software-independent if “an undetected change or error in its software cannot cause an undetectable change or error in an election outcome.” Software independence is mandated by the VVSG; all new federally-certified voting systems must now be software independent. In this talk I give some perspective on voting systems, with an emphasis on voting systems for U.S. elections, and on software independence. Some areas for future research are also discussed.

Dr. Ronald Rivest is an Institute Professor at the Massachusetts Institute of Technology (MIT), and a member of MIT’s Department of Electrical Engineering and Computer Science and its Computer Science and Artificial Intelligence Laboratory. He is a cryptographer and computer scientist whose work has spanned the fields of algorithms and combinatorics, cryptography, machine learning, and election integrity. Along with Adi Shamir and Len Adleman, Rivest is one of the inventors of the RSA algorithm. He is also the inventor of the symmetric key encryption algorithms RC2, RC4, and RC5, and co-inventor of RC6. (RC stands for “Rivest Cipher”.) He also devised the MD2, MD4, MD5 and MD6 cryptographic hash functions. Rivest’s more recent research has been election security, based on the principle of software independence: that the security of elections should be founded on physical records, so that hidden changes to software used in voting systems cannot result in undetectable changes to election outcomes. His research in this area includes improving the robustness of mix networks in this application, the 2006 invention of the ThreeBallot paper ballot based end-to-end auditable voting system (which he released into public domain in the interest of promoting democracy), and the development of the Scantegrity security system for optical scan voting systems. He was a member of the Election Assistance Commission’s Technical Guidelines Development Committee. He is a Member of the National Academy of Engineering, a Fellow of the ACM, and a Member, American Academy of Arts and Sciences. In 2002, along with colleagues Shamir and Adleman, he was awarded the A. M. Turing Award.

1. Look back over the past years of attack trends.
2. How telecom technology evolution has changed attacks.
3. How industry collaboration and information sharing can help mitigate future threats

This talk explores the importance of implementing robust access controls in GraphQL and REST APIs and the severe consequences when these controls are not properly enforced. GraphQL, a flexible data query language, allows clients to request exactly the data they need, but without proper access control mechanisms, sensitive data can be easily exposed. Using the Feeld dating app as a case study, we will dive into a critical security review of how the lack of access controls in GraphQL and REST endpoints led to the exposure of users’ personal data, including sensitive photos, videos and private messages. This session will highlight common access control vulnerabilities in GraphQL and REST implementations , real-world examples of security lapses, their impact and remediation.

        We dive into a critical security review of the Feeld dating app.

        Feeld, known for its unique features that cater to a wide range of preferences and relationships, unfortunately had serious security vulnerabilities that exposed users' private data, including sensitive photos and personal information.

        Here's what we uncovered:
        1- Profile information was accessible to non-premium users.
        2- Other people's messages could be read without proper authentication.
        3- Photos and videos from chats were exposed unauthenticated.
        4- The ability to delete, recover, and edit other people's messages.
        5- Profile information could be updated by anyone.
        6- Unauthorized likes from any profile.
        7- Messages could be sent in other users' chats.
        8- Viewing others' matches without permission.

Bogdan Tiron is a seasoned security consultant with over 10 years of experience specializing in application security. He has a proven track record of enhancing security measures for leading organizations, including bet365, JPMorgan Bank, GFK, HSBC, Lloyds Bank, and WorldRemit. Throughout his career, Bogdan has held various roles, including application security consultant, pentester, security architect, and DevSecOps specialist. Four years ago, recognizing a gap in quality within the pentesting industry, he co-founded FORTBRIDGE, a cybersecurity consulting company that offers pentesting, phishing, and red-teaming services to clients seeking to enhance their security posture. Passionate about staying ahead of emerging threats, Bogdan is dedicated to fostering a culture of security within organizations and empowering teams to integrate security practices seamlessly into their workflows.

A deep dive into real-world, high-profile CVEs exposes a critical pitfall in AppSec: treating every high-severity vulnerability urgently without understanding its exploitability and business impact. We’ll analyze cases where CVEs are labeled as critical but were originally exploited in different environments, and often found in widely shared kernel code that turned out to be nearly impossible to exploit on cloud containers. By dissecting CVE patches, tracing fix propagation, and attack vectors across platforms like Android, Chrome, and cloud containers, we’ll reveal how misinterpreting CVE context leads to wasted triage cycles, unnecessary fixes, and security teams chasing irrelevant threats.

Liad Cohen is a Security Research Team Lead and a Data Scientist at OX Security. His day-to-day work involves empowering open source security and code security with AI capabilities, developing innovative data-driven AppSec detection systems from ideation to PoCs to production, and making product roadmap a reality, backed by deep pioneer security research. He started his career as a young “script kiddie”, later becoming a gifted mathematician. Liad holds a Master of Science degree in Computer Science. He is a Mentor in hackathons and CTFs, publishing academic papers and articles in security journals and presented state of the art security research at BlackHat USA, RSA Conference, OWASP Global and others.

Moshe is a Senior Security Researcher at OX Security, a company specializing in software supply chain security, and has worked in the security industry for 13 years. His work spans cloud security research, container security, memory forensics, and an in-depth understanding of programming languages. He also has extensive experience in mobile security, including iOS and Android research, deep analysis of Android malware, sandboxing, and memory forensics.

Beyond security research, Moshe has published multiple “Can It Run Doom?” projects online, and is also a professional guitarist in a progressive metal band.

Get ready to blow your mind (and maybe even some stack bounds) as we explore the art of buffer overflows! In this beginner-friendly talk, we’ll take you on a journey through the basics of buffer overflows. We’ll cover what they are and why they’re a problem with hands-on examples demonstrating how to create and exploit them. You’ll learn the fundamentals of stack-based exploits, including how to write vulnerable code and how to find vulnerabilities in others’ code. We’ll cover it all in a clear and concise way, so you can get started on your path to learning about memory corruption. And don’t worry, we won’t leave you hanging, we’ll also provide you with practical tips and tricks for defending against these attacks. So, if you’re ready to learn more about security and get a solid foundation in buffer overflows, join us for “Exploiting Expectations”!

I will demonstrate how it’s possible to approach the Web3 bug bounty ecosystem just by exploiting off-chain bugs and vulnerabilities in the JavaScript ecosystem. This talk will explore the current state of this field through real-world examples I’ve reported on bug bounty platforms, which contributed to my achieving the top 10 global rank on the HackenProof platform.

We’ll begin with bugs I discovered in a JavaScript sandbox used by a Web3 social platform and a Web3 website. The first involved a misconfiguration of DOMPurify, where developers attempted to filter links. I’ll show how I exploited this by tricking DOMPurify into treating a malicious javascript: URI as a safe link. The talk will also cover a 0-day vulnerability I found in another sanitization library used within the sandbox.

The final two bypasses involve React’s global “”is”” attribute. Although the developers had blocked this attribute due to its XSS potential, I will show how I bypassed the protection by exploiting a prototype pollution vulnerability in a library exposed inside the sandbox. This, combined with specific new gadgets inside React, allowed me to pass the is attribute and achieve XSS.

All of these issues could lead to account takeover and were classified as high severity. I will also discuss the broader impact of XSS vulnerabilities on Web3 platforms, particularly the risk posed when wallets are connected.

Bruno is a security researcher with a background in Web2, specializing in client-side vulnerabilities. he has conducted extensive audits and research on topics such as popular wallets and sandbox environments. He is currently ranked in the top 10 on the HackenProof bug bounty platform worldwide and has reported vulnerabilities through HackerOne to platforms such as Zoom and MetaMask.

Big data, big mess. Bigger and more data is in Fabric, the more messy it can be. Azure unified the data lake house, data warehouse and PowerBI services into a SaaS platform called Fabric. In this talk, we discuss the three areas in the tenant level settings to look after and not to open up Fabric to everything. Then we will discuss data exfiltration scenarios (like data pipeline or notebook etc), how is it possible to create backdoor account (i.e.: Activator).

Intro – 1min Who am I and what is Fabric.

Tenant Level Settings to Review – 4mins Selecting the top 3 tenant level areas (External Data Sharing, Admin API calls, Information Protection) to review why they can be dangerous.

Data Exfiltration via Data Pipeline, Notebook, Shortcut, SQL Endpoint, Mirrored Db – 12mins Discussing the possibilities of how data pipeline can automatically copy data from our own tenant’s source to a destination in a different tenant. SQL Endpoint is automatically created for reading purposes. Guest account in Entra ID can be added to the workspace as viewer and using SQL Server Management Studio (SSM) to open SQL analytics endpoint. Mirrored Database is automatically synchronize data between 2 database where the destination can be an external tenant. A notebook is all about executing code and handling existing data (handing out the data). Demo video about a pipeline copy to another tenant storage account.

Backdoor via Activator (Notebook, Power Automate, Scheduled Spark Job) – 13mins Discussing how the Activator can be used to create a backdoor user via executing python code via Notebook, Scheduled Spark Job or low-code Power Automate. Demo video (8mins) demonstrating how a backdoor account is created by using Activator to run a Notebook which executes Azure Python SDK code.

Viktor Gazdag has worked as pentester and security consultant for 9 years, lead cloud research working group and M365 capability service. He has reported numerous vulnerabilities in products and plugins from companies such as Oracle, SAP, Atlassian, Jenkins, CloudBees Jenkins, JetBrains, Sonatype. He gave talks about CI/CD and Cloud security at DevOps World, Black Hat USA, DefCon and DoD CyberDT XSWG. He holds multiple AWS/Azure/GCP, Infra as Code, DevOps and Hacking certs and Jenkins Security MVP award.

Queercon is growing up, and everyone with it! Come mingle with other parents and families in the LGBTQIA+ space. Whether you or your children identify with, or are curious about, the community – all are welcome!

Every time the lights go out, the speculation begins—was it cyber? Squirrels? Was it an attack? But often, the real story behind grid disturbances isn’t malicious code—it’s uncontrolled chaos, born from the physical behavior of a rapidly evolving power system. This session takes a deep dive into that chaos, exploring how subtle interactions in electric grids—like oscillations—can spiral into large-scale instability. These low-frequency oscillations are increasingly common in the bulk electric system, yet are explainable. They emerge from control design, network conditions, and energy physics—not adversarial action, and the lights going off is usually a sign the system has actually acted as it should in protecting itself from damage. Equipment failures are also spectacular, but common. Its tempting to tie big fires to bad cyber, but in reality – the failures are almost always in the planning for the event, or recovery.
We’ll dissect real-world events like the Iberian Peninsula blackout, where what looked like a grid failure may have actually revealed a quiet success: a functional blackstart scenario, where system operators re-energized the grid under extreme stress. But that nuance was lost in the noise, as media and analysts scrambled for cyber scapegoats. We’ll also explore the London transformer fire, a failure in planning for an outage, and technical scrutiny of Chinese-manufactured inverter components with alleged kill switches inserted, illustrating how physical system dynamics—often create the most dramatic disruptions. This talk fuses power system engineering, ICS cybersecurity, and operational storytelling to reframe how we interpret complex events. It’s a call to replace fear with facts—and to find meaning in the chaos, not just blame.

Dr. Emma M. Stewart, is a respected power systems specialist with expertise in power distribution, critical energy delivery, modeling and simulation, as well as operational cybersecurity. She holds a Ph.D. in Electrical Engineering and an M.Eng. degree in Electrical and Mechanical Engineering. Emma is Chief Scientist, Power Grid at INL currently and leads activities in supply chain consequence analysis for digital assurance in particular for energy storage and system level programs. Throughout her career, Dr. Stewart has made significant contributions to the field of power systems, receiving patents for innovations in power distribution systems and consequence analysis for cyber and physical events. Her responsibilities over her 20 year career have also included providing electric cooperatives with education, training, information sharing, incident support, technology integration, and R&D services in energy integration, resilience and grid planning and microgrid technologies.

Taiwan stands on the frontlines of digital warfare under the sea. This high-profile panel, led by the Deputy Minister of Digital Affairs of Taiwan will feature a gripping discussion on the silent battles waged beneath the sea. From sabotage of undersea infrastructure to the geopolitics of cyber-resilience, panelists will recall the threats and Taiwan’s efforts to defend. Don’t miss this rare opportunity to explore the technical and political dimensions of the new global dynamic — the digital blockade.

Jason Vogt is an assistant professor in the Strategic and Operational Research Department, Center for Naval Warfare Studies at the United States Naval War College. Professor Vogt is a cyber warfare and wargaming expert. He has participated in the development of multiple wargames at the United States Naval War College. He previously served on active duty as an Army officer.

Prof. Shin-Ming Cheng received his B.S. and Ph.D. degrees in computer science and information engineering from National Taiwan University, Taipei, Taiwan, in 2000 and 2007, respectively. Since 2022, he serves as the Deputy Director-General in Administration of Cyber Security, Ministry of Digital Affairs. He was a Post-Doctoral Research Fellow at the Graduate Institute of Communication Engineering, National Taiwan University, from 2007 to 2012. Since 2012, he has been on the faculty of the Department of Computer Science and Information Engineering, National Taiwan University of Science and Technology, Taipei, where he is currently a professor. Since 2017 to 2022, he has been with the Research Center for Information Technology Innovation, Academia Sinica, Taipei, where he was currently a Joint Appointment Research Fellow.

Maritime vessel controls and operational technology (OT) systems are getting more complex and interconnected. With industry trends aiming to reduce crew, automate tasks, and improve efficiency, these networks are expanding in scale, intricacy, and criticality for vessel operation and maintenance. The standard controller area network (CAN) bus for maritime vessel networks, developed by the National Marine Electronics Association (NMEA), known as NMEA2000. NMEA2000 is an application layer network protocol built on the ISO11783 standard and compatible with automotive SAEJ1939, it uses unique message identifiers known as Parameter Group Number, to define the data within each communication frame. Despite its widespread use, NMEA2000 remains a relatively unexplored domain, particularly in understanding normal versus abnormal network behavior, due to the unavailability of open-source datasets. To address this gap, we constructed a NMEA2000 system consisting of five nodes: GPS/Radar, Wind Speed/Direction sensor, and Multifunction Display. Using this setup, we collected datasets to analyze system behavior and developed deterministic fingerprints for each sensor, establishing a baseline of the normal operating system. We subject the system to controlled attacks to evaluate the accuracy and effectiveness of the fingerprints. This work represents a foundational step towards enhancing security and reliability in maritime OT systems.

Constantine Macris is a Connecticut native and pursuing a PhD at the URI. Constantine is a reserve CDR in the Navy, industry expert in OT and network security and CISO at Dispel.

Maritime vessel controls and operational technology (OT) systems are getting more complex and interconnected. With industry trends aiming to reduce crew, automate tasks, and improve efficiency, these networks are expanding in scale, intricacy, and criticality for vessel operation and maintenance. The standard controller area network (CAN) bus for maritime vessel networks, developed by the National Marine Electronics Association (NMEA), known as NMEA2000. NMEA2000 is an application layer network protocol built on the ISO11783 standard and compatible with automotive SAEJ1939, it uses unique message identifiers known as Parameter Group Number, to define the data within each communication frame. Despite its widespread use, NMEA2000 remains a relatively unexplored domain, particularly in understanding normal versus abnormal network behavior, due to the unavailability of open-source datasets. To address this gap, we constructed a NMEA2000 system consisting of five nodes: GPS/Radar, Wind Speed/Direction sensor, and Multifunction Display. Using this setup, we collected datasets to analyze system behavior and developed deterministic fingerprints for each sensor, establishing a baseline of the normal operating system. We subject the system to controlled attacks to evaluate the accuracy and effectiveness of the fingerprints. This work represents a foundational step towards enhancing security and reliability in maritime OT systems.

Dean Macris is a Connecticut native and pursuing a PhD at the URI. Constantine is a reserve CDR in the Navy, industry expert in OT and network security and CISO at Dispel.

It’s no secret that embedded devices are rife with security bugs just waiting to be found. However, vendors increasingly encrypt their firmware to prevent analysis by researchers, professionals, and inquisitive minds. In this talk, we examine common encryption techniques in real-world devices and how to crack the code—with or without hardware.

Traditional RFID badge cloning methods require you to be within 3 feet of your target. So how can you conduct a physical penetration test and clone a badge without interacting with a person? Companies have increasingly adopted a hybrid work environment, allowing employees to work remotely, which has decreased the amount of foot traffic in and out of a building at any given time. This session discusses two accessible, entry-level hardware designs you can build in a day and deploy in the field, along with the tried-and-true social engineering techniques that can increase your chances of remotely cloning an RFID badge.

Langston and Dan discuss their Red Team adventures using implant devices, a Flipper Zero and an iCopy-X. As a bonus the two will explain how to perform a stealthy HID iClass SE/SEOS downgrade and legacy attack! This presentation is supplemented with files and instructions that are available for download in order to build your own standalone gooseneck reader, wall implant and clipboard cloning devices!

Langston grew up reading stories about the 90’s hacker escapades, and after years of observing the scene, he jumped into the cybersecurity field and never looked back. With over fifteen (15) years of public and private sector experience in cybersecurity and ethical hacking, he aims to provide organizations with valuable and actionable information to help improve their security posture. Langston’s specializations focus on modern-day social engineering techniques, wireless and RFID attacks, vulnerability analysis, and physical penetration testing.

Dan Goga serves as a Principal Consultant with NRI focused on conducting penetration testing and vulnerability assessments. Dan Goga has eight years of information security experience in the public, private, and academic sectors. Dan has extensive knowledge and experience with RFID hacking, phishing techniques, social engineering techniques, and penetration testing.

HD Moore and Nicole Schwartz explore what it takes to create and foster robust cybersecurity communities and why we should all get involved in these important initiatives — now more than ever. HD will share insights from developing the open-source Metasploit Project, drawing parallels with the enduring principles of in-person community building that Nicole and her board members rely upon to grow and sustain The Diana Initiative.

Get strategies for initiating, nurturing, and scaling these vital networks, incorporating inclusive practices, and cultivating sustainable growth. Plus see how you can actively contribute to these communities regardless of your skillset and where you are in your career, and why doing so is critical to building collective and powerful resilience against evolving cyber threats.

HD Moore is a pioneer of the cybersecurity industry who has dedicated his career to vulnerability research, network discovery, and software development since the 1990s. He is most recognized for creating Metasploit and is a passionate advocate for open-source software and vulnerability disclosure. HD serves as the CEO and founder of runZero, a provider of cutting-edge attack surface management and exposure management software. Prior to founding runZero, he held leadership positions at Atredis Partners, Rapid7, and BreakingPoint. HD’s professional journey began with exploring telephone networks, developing exploits for the Department of Defense, and breaking into financial institutions. When he’s not working, he enjoys hacking on weird Go projects, building janky electronics, running in circles, and playing single-player RPGs.

Nicole Schwartz (a.k.a. CircuitSwan) speaks about Information Security, DevSecOps, Software Supply Chain Security, Agile, Diversity & Inclusion, and Women in Technology. She is the Senior Security Product Manager at ActiveState, the Chair of the Board for the Diana Initiative 501(c)3, Director of BSides Edmonton Information Security Foundation, and an organizer of SkyTalks village at BSidesLV.

In the discipline of Format Fu, silence is strength and syntax is sharp. This session explores the art of exploiting format string vulnerabilities, where crafted output can be used to leak memory, overwrite values, and seize control. A single percent x can expose stack addresses. A carefully placed percent n can rewrite memory. You will learn to recognize these subtle flaws, manipulate them with precision, and turn seemingly harmless input into a powerful exploit.

Purple teaming is no longer just about red meets blue, it is about shared intelligence, continuous collaboration, and realistic adversary emulation. In this panel, we explore how modern security teams are moving from siloed operations to unified strategies that reflect how real attackers operate. By rethinking purple teaming as a proactive, intelligence-driven discipline, organizations can uncover detection gaps, improve response times, and drive measurable improvements in their defenses. Join us as we unpack how aligning offensive and defensive teams unlocks the full potential of purple teaming and leads to lasting security impact.

Adam Pennington leads ATT&CK at The MITRE Corporation and collected much of the intelligence leveraged in creating ATT&CK’s initial techniques. He has spent much of his 15 years with MITRE studying and preaching the use of deception for intelligence gathering. Prior to joining MITRE, Adam was a researcher at Carnegie Mellon’s Parallel Data Lab and earned his BS and MS degrees in Computer Science and Electrical and Computer Engineering from Carnegie Mellon University. Adam has presented and published in several venues including FIRST CTI, USENIX Security, DEF CON, and ACM Transactions on Information and System Security.

Sydney is a threat hunter, co-author of the PEAK Threat Hunting Framework, and co-founder of THOR Collective. A proud thrunter, she is dedicated to advancing the craft of threat hunting through hands-on research, open-source collaboration, and community-driven initiatives like HEARTH (Hunting Exchange And Research Threat Hub). When not hunting threats, she’s crafting content for THOR Collective Dispatch, lifting weights, and keeping the hacker spirit alive.

Lauren Proehl is the Global Head of Detection and Response at Marsh McLennan. She is an experienced incident responder and threat hunter who has helped identify and mitigate cyber adversaries in Fortune 500 networks. After leading investigations ranging from data breaches to targeted attacks, she now works to define some part of the limitless unknowns in cyberspace and make cybersecurity less abstract, and more tangible. Lauren sits on the CFP board for BSides Kansas City, heads up SecKC parties, and tries to escape computers by running long distances in the woods.

Nikhil’s areas of interest include red teaming, Azure and active directory security, attack research, defense strategies and post exploitation research. He has 15+ years of experience in red teaming.

He specializes in assessing security risks in secure environments that require novel attack vectors and “out of the box” approach. He has worked extensively on Azure, Active Directory attacks, defense and bypassing detection mechanisms. Nikhil has held trainings and bootcamps for various corporate clients (in US, Europe and SE Asia), and at the world’s top information security conferences.

He has spoken/trained at conferences like DEF CON, BlackHat, BruCON and more.

Nikhil is the founder of Altered Security – a company focusing on hands-on enterprise security learning – https://www.alteredsecurity.com/

Why grind when you can hack? In this walkthrough, we explore how modern LLMs and AI tooling can vibe-code game hacks faster than your buddy speedrunning with Cheat Engine. We’ll break down Windows internals—threads, processes, virtual memory—and show how single-player games expose juicy variables ripe for memory editing. Then we crank it up: for online games, we move beyond static memory shenanigans to modifying protocol handlers, intercepting function calls, and fuzzing inputs to uncover server-side bugs like infinite gold, integer overflows, and teleportation exploits. Who needs skills when your AI sidekick can boost you through memory space and into dev-only zones?

Note: DCGVR Talks are scheduled 1 hour slots, but the actual presentations can be as short as 30 minutes. Please arrive at the start of the hour.

Manfred (@_EBFE) has spent the past 20 years reverse engineering and exploiting MMORPGs. He’s dissected the communication protocols of more than 22 well-known online games, bypassed anti-tampering systems, and slipped past software and hardware fingerprinting like it was part of the tutorial. These days, he explores the intersection of security and virtual economies as a security engineer and researcher at [redacted], channeling the same energy he once used to undermine game servers—now powered by CI pipelines and compliance checklists.

What started as a weekend gaming session and a friendly dare evolved into discovering critical vulnerabilities affecting OpenVPN endpoints on a global scale.x000D This talk demonstrates a comprehensive reconnaissance methodology that combines traditional OSINT techniques with modern cloud-based intelligence gathering to map and exploit critical infrastructure at scale.x000D x000D The presentation follows a complete attack chain that showcases advanced reconnaissance techniques:x000D x000D Phase 1: Intelligence Discovery & Infrastructure Mapping_x000D_ 1. VirusTotal RetroHunt OSINT: Writing custom YARA signatures to discover 50+ vulnerable drivers across the internet, demonstrating how one vulnerability discovery can reveal widespread systemic issues_x000D_ 2. Supply Chain Intelligence: OSINT techniques to identify that OpenVPN (the world’s most popular open-source VPN) was the common denominator, affecting thousands of companies and numerous endpoints_x000D_ 3. Target Profiling: Understanding OpenVPN’s multi-process architecture, plugin mechanisms, and Windows internals through open-source research_x000D_ x000D Phase 2: Remote Reconnaissance & Credential Harvesting_x000D_ 1. Network Enumeration: SMB enumeration, null session exploitation, and remote named pipe discovery_x000D_ 2. Credential Intelligence: Capturing NTLMv2 hashes through network reconnaissance and social engineering techniques_x000D_ 3. Cloud-Powered Cracking: Leveraging cloud GPU infrastructure (VAST.AI + Hashcat) to crack enterprise credentials at scale, demonstrating how modern attackers use accessible cloud resources_x000D_ x000D Phase 3: Remote-to-Local Attack Chain_x000D_ 1. Remote Code Execution: Using UNC paths and OpenVPN’s plugin mechanism to execute code remotely_x000D_ 2. Local Privilege Escalation: “Open Potato” attack – exploiting named pipe hijacking and Windows impersonation for LPE_x000D_ 3. Security Product Bypass: Bring Your Own Vulnerable Driver (BYOVD) techniques to achieve kernel code execution and bypass security solutions_x000D_ x000D Reconnaissance Applications:x000D The methodologies demonstrated can be repurposed for legitimate security activities:x000D 1. Red Team Operations: Comprehensive target profiling and credential harvesting techniques_x000D_ 2. Bug Bounty Research: Systematic vulnerability discovery across software ecosystems x000D 3. Threat Intelligence: Understanding how threat actors chain reconnaissance techniques_x000D_ 4. Infrastructure Assessment: Mapping organizational VPN deployments and security postures_x000D_ x000D The talk includes live demonstrations of:x000D – Custom YARA signature development for vulnerability hunting_x000D_ – Cloud-based credential cracking workflows x000D – Remote service enumeration and exploitation_x000D_ – Building comprehensive target profiles through passive reconnaissance_x000D_ – Security product evasion techniques applicable to red team scenarios_x000D_ x000D Attendees will learn practical reconnaissance methodologies that can be immediately applied to their own security research, with emphasis on the intelligence gathering processes that enable sophisticated attack chains.

Vladimir Tokarev is a seasoned senior security researcher, specializing in IoT/OT, Windows, and Linux vulnerabilities research. With extensive experience in cybersecurity, Vladimir has demonstrated a keen ability to identify and address critical security issues in various systems.x000D In 2023, Vladimir presented his research titled “CoDe16: 16 Zero-Day Vulnerabilities Affecting CODESYS Framework, Leading to Remote Code Execution on Millions of Industrial Devices Across Industries” at Black Hat. This comprehensive study focused on vulnerabilities within the widely used CODESYS framework, revealing potential risks to industrial devices across different sectors. Vladimir’s meticulous analysis uncovered a total of 31 new vulnerabilities, highlighting the importance of proactive security measures in OT environments.x000D In addition to his research on CODESYS, Vladimir has contributed to enhancing security in other critical systems. He discovered two new vulnerabilities in the Windows Driver of Foxboro DCS Control Core Services and one new vulnerability in SFPMONITOR.SYS, a component used by SonicWall products. Furthermore, Vladimir has identified vulnerabilities in TP-Link products.x000D twitter: @G1ND1L4

Leaders and program managers from the Advanced Research Projects Agency for Health (ARPA-H) discuss how the agency’s programs are using AI to advance better health outcomes, from securing patient data to discovering new cures and improving health care access.

Andrew Carney, Program Manager, AI Cyber Challenge, DARPA and Program Manager, Resilient Systems, Advanced Research Projects Agency – Health (ARPA-H)

Andrew Carney is program manager for the DARPA AI Cyber Challenge (AIxCC) and a program manager at the Advanced Research Projects Agency for Health (ARPA-H) where he leads programs and projects to improve health cybersecurity.

Carney was previously a technical advisor and contractor for the Defense Advanced Research Projects Agency (DARPA). At DARPA, he supported research efforts focused on reverse engineering, program analysis, human-machine teaming, and automated program repair. Carney has over 15 years of experience in software and hardware vulnerability research, technical education and training, and Capture the Flag (CTF) competitions. He holds a master’s degree in computer science from The Johns Hopkins University.

Los modelos de lenguaje han revolucionado la productividad… y también han abierto nuevas superficies de ataque. Esta charla presenta un recorrido práctico por el OWASP Top 10 para LLMs, destacando vulnerabilidades como prompt injection, data leakage, model denial y más.x000D x000D A través de demostraciones reales, analizaremos cómo estas fallas pueden ser explotadas en entornos empresariales y cómo mitigarlas desde la perspectiva de la seguridad ofensiva y defensiva.x000D x000D Si te interesa el hacking de IA, el análisis de riesgos emergentes o simplemente quieres ver cómo se puede pwn un modelo con unas líneas de texto, esta charla es para vos.x000D

x000D Randy Varela @𝙃𝙖𝙘𝙠𝙞𝙣𝙜𝙢𝙚𝙨𝙨 is a cybersecurity professional with a solid decade immersed in cybersecurity from Costa Rica 🇨🇷 My role as a cybersecurity leader has led me to work on multiple projects from Red Teaming, Risk and Compliance, SOC engineering, Cloud Architect, and Pentesting.

Everyone loves breaking in—but that’s just step 7 out of 10. This session explores what it really takes to run a physical pen test that’s not just exciting, but also safe, smart, and worth the money for your company or client. We’ll follow the full journey – from breach-focused OSINT and recon, to delivering findings that teams act on. Expect war stories, dumb mistakes, and smart takeaways as you learn how to turn a good break-in into a lasting impact.

Too many security programs bring a clipboard to a gunfight. Shawn helps companies match and defend against the adversary’s tactics – no firearms required. As an adversary for hire, Shawn leads physical red teams that test Fortune 100s, government agencies, and critical infrastructure. He started the largest physical red team in Silicone Valley and teaches security risk management and red teaming to cybersecurity graduate students. From fake badges to forged businesses, kidnapping executives to smuggling weapons, he runs ops that find the gaps in physical security before the bad guys do.

In this talk, I’ll share my path from managing a personal NixOS homelab to architecting infrastructure and developer environments for a growing startup. After many false starts and tangled configurations, I found Clan—a powerful framework that transformed how I manage machines, roles, and secrets. With Clan, I’ve replaced fragmented manual processes with a single source of truth for all my deployments, cutting through the clutter and reclaiming hours of maintenance time.

We’ll look at how Clan makes it easy to keep your infrastructure organized, share reusable configuration modules, handle secrets securely with Clan Vars, and scale NixOS across teams without having to start from scratch each time.

I’m a senior software engineer focusing on ETL tooling and Infrastructure. I’ve been nix-pilled for around three years, and slowly infecting all my friends and coworkers. Temporarily based in NYC, more permanently based in Colorado. I’m either on the computer or out in nature, sometimes both at once.

This talk presents a streamlined approach to Dynamic Application Security Testing (DAST) in the Secure Software Development Life Cycle (SSDLC). By integrating DAST directly into existing Selenium-based web tests and using ZAProxy, the traditional complex setup – such as URL parsing and authentication – is avoided. The proposed method leverages functional test coverage to better isolate vulnerabilities and simplifies setup by configuring the proxy in browser features. This integration provides earlier security feedback and increases the efficiency of vulnerability detection compared to traditional spider-based testing, proving it to be a more practical and effective alternative.

Sara has enjoyed testing and automation for more than 10 years, ensuring high quality products in industries such as Telecommunications, Geolocation, Big Data, and Power Electronics. In 2019, she shifted her focus to cybersecurity testing, applying her knowledge of quality assurance to testing security software products. Since then, Sara has continued to hone her skills and integrate cybersecurity into every aspect of her work and research.

Triage sits at the heart of every successful bug bounty and vulnerability disclosure program, yet it remains one of the most misunderstood and friction-heavy processes in our industry. As platforms scale to handle thousands of reports while maintaining quality and researcher satisfaction, the challenge isn’t just operational—it’s fundamentally human.

This talk pulls back the curtain on modern triage operations, exploring how leading platforms structure their workflows, train their teams, and balance the competing demands of speed, accuracy, and community trust. We’ll dive into the operational realities of scaling triage across diverse programs, the tools and processes that enable consistency, and the communication strategies that turn potential conflicts into collaborative dialogues.

Drawing from real-world experiences, we’ll examine how platforms are evolving their approach to handle disagreements constructively, implement fair appeals processes, and gather meaningful feedback from researcher communities. We’ll also look ahead to emerging technologies and cultural shifts that promise to reshape how triage operates.

Whether you’re building a triage team, managing researcher relationships, or simply trying to understand why that report was closed, this session offers practical insights into creating triage processes that serve both security outcomes and human needs. Because great triage isn’t just about finding the right answer—it’s about building the trust and transparency that makes our entire ecosystem stronger.

Hey there hackers! I am a Lead Triager at HackerOne based in Denver. I started my security journey by sending out download links to trojans to unsuspecting users on ICQ. Years later I began poking around internal systems at the companies I worked at. This led to a deeper interest in how easily users can be compromised. Shortly after I went all in on learning all things appsec related. Today I get to see, recreate, assess, and triage your bug bounty reports which range from open redirects to PII disclosure of thousands of customers to novel LLM hacks. I’ve triaged over 10,000 reports. My advice is to validate your input! Feel free to reach out over LinkedIn.

Inti De Ceukelaire is a Belgian ethical hacker and cybercrime investigator. He currently works as the Chief Hacker Officer at Europe’s largest vulnerability disclosure platform Intigriti, a founding member of the Hacker Policy Council. In 2018, Inti won the “Most Valuable Hacker” award at the largest live hacking event in Las Vegas.

With extensive experience in the field of security and ethical hacking, Inti has earned a reputation as a thought leader in the industry. His work and expertise have been featured in a variety of international publications, including the BBC, Wired, The Verge, CNET, Mashable, and New York Magazine. Inti has made global headlines through his security awareness pranks, which have included manipulating the Vatican’s website, creating fake news on Donald Trump’s Twitter account, and hacking Metallica. Through these high-profile stunts, Inti has drawn attention to the importance of cybersecurity and the need for individuals and organisations to be vigilant about potential threats. As an experienced and engaging speaker, Inti is able to make complex topics accessible to a wide audience. He has spoken at a variety of conferences and events, sharing insights on the latest trends in cybersecurity and offering practical tips to help individuals and organisations protect themselves from potential threats.

He is also a trusted source for media outlets seeking expert commentary on topics related to cybersecurity, hacking and technology.

Born and raised in TX, been hacking or breaking things since I was Kid. Got my start in Phreaking because computers were too expensive back then! Been working in the Information Security field since 2013 and have been working for Synack since 2016. I’ve seen over 15k reports in that time and have been pretty active with researchers from all over the world. Before security I worked as a technician for various companies including Geek Squad. Before my time on in IT I did body piercings or worked in various fields included retail and fast food. All of which helped me understand the importance of helping people to the best of my abilities.

Anthony Silva is a Customer Success Manager at YesWeHack, where he manages a diverse portfolio of clients — from startups to international enterprises — across multiple industries and countries.

He supports organizations in designing, launching, and optimizing their bug bounty, vulnerability disclosure (VDP), and pentest programs, guiding them from initial onboarding through the full lifecycle of their engagements.

Anthony works closely with cross-functional teams, including sales, product, technical experts, triage analysts, and the hacker community, to ensure customer satisfaction and program effectiveness.

Before joining YesWeHack, he gained valuable experience in various technology and consulting companies, where he developed a strong foundation in cybersecurity, project management, and client relations. As an active registered hunter on several platforms, he also brings hands-on insight into offensive security practices.

Based in Paris and originally from Toulouse, Anthony has French, Spanish, and Portuguese roots. He is passionate about technology, geopolitics, science, and video games.

Jasmin Landry is a seasoned ethical hacker and full-time bug bounty hunter who has reported hundreds of security vulnerabilities to some of the world’s largest tech companies. After years leading cybersecurity efforts as Senior Director of Information Security at Nasdaq, Jasmin returned to his roots in hacking — now focusing exclusively on uncovering critical bugs through bug bounty platforms. Recognized at multiple live hacking events for top findings, he brings a sharp eye for unexpected issues and a deep understanding of modern attack surfaces. He’s also a co-leader of OWASP Montréal and an active voice in the security research community.

This talk highlights the untold journey of a Black cybersecurity leader navigating the most secure corners of tech—military communications, national defense, and federal compliance. Nykolas Muldrow takes the audience through his lived experiences on Wake Island and Guantanamo Bay, sharing how isolation, racial identity, and high-stakes missions shaped his technical approach and leadership philosophy. Attendees will leave with lessons on building resilience, mastering risk, and leveraging identity to break into rooms not built for us, but needed by us.

Nykolas Muldrow is a Cyber Solutions Architect, U.S. Air Force Cybersecurity Instructor, and CEO of CI Solutions Global Inc. With 15+ years in federal contracting and critical infrastructure defense, he specializes in compliance, cybersecurity operations, and leadership development. A doctoral candidate and national speaker, Nykolas is committed to elevating the Black voice in cybersecurity and building resilient pathways to executive tech leadership. His work fuses real-world defense strategy with culturally informed mentorship and innovation.

What do elite basketball teams and top-tier cybersecurity professionals have in common? More than you might think. In this talk, I’ll share how my journey as a basketball player and official provided a unique foundation for a thriving career in cybersecurity. From the hardwood to the SOC, the skills of teamwork, rapid decision-making, communication, and strategic thinking are not just transferable—they’re essential. Drawing on real-world examples, I’ll demonstrate how the lessons learned from the court directly translate to defending against digital threats, building resilient teams, and navigating high-pressure incidents. Whether you’re a sports enthusiast, a cybersecurity pro, or just curious about unconventional career paths, this session will show you how to leverage your own unique experiences for success in the cyber arena.

Jason Brooks is a cybersecurity professional with a unique blend of military discipline and Silicon Valley roots. A proud Bay Area native and U.S. Navy veteran, Jason brings over a decade of experience in threat intelligence, SOC operations, and cyber defense strategy. With a passion for both technology and community, he identifies as a “nerdlete”—a lifelong learner and athlete—dedicated to protecting digital infrastructure while mentoring the next generation of cyber talent. Grounded in the birthplace of modern tech, Jason represents the second generation of innovators committed to making cybersecurity more diverse, effective, and equitable.

This talk pulls the curtain on the behind-the-scenes badge-making story of the second official Bug Bounty Village badge. A fascinating and intricate blend of interactive electronics, layered PCB prints, and Matrix-style LED effects, all wrapped around an engaging CTF.

Abhinav’s artistry comes from the times he used to sneakily paint drawings made by his sister. His hacking career began as a toddler, disassembling his toys but never put them back together. His entrepreneurial roots come from selling snacks at a school fair and making a loss of . Having learned how not to make money, he launched Hackerware.io – a boutique badgelife lab with in-house manufacturing – which has grown over the past nine years into a global presence across 19 countries. He’s often spotted at conferences around the world – hosting hardware villages or pulling off the kind of random shenanigans that earned him the Sin CON Person of the Year 2025 award.

This talk is an overview of the role of technology in modern US elections, how that technology can fail, and the various safeguards and countermeasures against compromise that can (or should) be employed to keep elections secure.

Matt Blaze is the McDevitt Chair of Computer Science and Law at Georgetown University, where his research focuses on problems at the intersection of technology, public policy, and law. Prior to joining Georgetown, he was a professor of computer science at the University of Pennsylvania, and prior to that, a founding member of the Secure Systems Research Department at AT&T Bell Labs. He holds a PhD in computer science from Princeton, an MS from Columbia, and a BS from the City University of New York. Blaze’s scholarship and practical work in high-integrity voting and elections technology dates back more than 25 years. He led teams that examined source code for security vulnerabilities on behalf of the states of California and Ohio for the Top-to-Bottom Review and EVEREST studies. He has testified on election security and other topics before the US Congress over a dozen times, served on various federal and state advisory boards, and has published numerous scholarly research papers on elections and related subjects. He is a founding member of the DEFCON Voting Village, and currently serves as board chair of the Election Integrity Foundation.

Intro basics about concepts in game hacking and security principles within video games.

Julian has a storied career in cybersecurity, initially focusing on offensive security. He has developed several popular open-source security tools, including statistics-based password-cracking methods. Julian also co-founded Truffle Security, creators of the widely used open-source tool TruffleHog. Recently, he established a new DEFCON village called GameHacking.GG promotes interest and awareness in-game security.

A panel of cyber policy and other experts will discuss the results of the inaugural Policy @ DEF CON Cyber Contingencies Survey.

The moderator will ask a series of questions based on the results of the survey to facilitate a discussion on current and emerging threats, their likelihood, and potential impacts.

Christopher Painter is a globally recognized leader on cyber policy, cyber diplomacy, cybersecurity and combatting cybercrime. He has been at the vanguard of cyber issues for over 30 years, first as a federal prosecutor handling some of the most high-profile cyber cases in the U.S., then as a senior official at the U.S. Department of Justice, the FBI, the White House National Security Council and, finally, as the world’s first cyber diplomat at the U.S. Department of State. Among many other things, Chris is a founder of The Cyber Policy Group, has served as the President of the Global Forum on Cyber Expertise Foundation, serves on the board of the Center for Internet Security and the Public Sector Advisory Board for Palo Alto Networks and was a commissioner on the Global Commission for the Stability of Cyberspace. He is a frequent speaker on cyber issues, frequently is interviewed and quoted in the media and has testified on numerous occasions to U.S. Congressional committees. He has received a number of awards and honors including Japan’s Order of the Rising Sun, Estonia’s Order of Terra Mariana, RSA Security Conference’s Public Policy Award, the Attorney General’s Award for Exceptional Service and was named the Bartles World Affairs Fellow at Cornell University. He received his B.A. from Cornell University and J.D. from Stanford Law School.

Matt Blaze is the McDevitt Chair of Computer Science and Law at Georgetown University, where his research focuses on problems at the intersection of technology, public policy, and law. Prior to joining Georgetown, he was a professor of computer science at the University of Pennsylvania, and prior to that, a founding member of the Secure Systems Research Department at AT&T Bell Labs. He holds a PhD in computer science from Princeton, an MS from Columbia, and a BS from the City University of New York. Blaze’s scholarship and practical work in high-integrity voting and elections technology dates back more than 25 years. He led teams that examined source code for security vulnerabilities on behalf of the states of California and Ohio for the Top-to-Bottom Review and EVEREST studies. He has testified on election security and other topics before the US Congress over a dozen times, served on various federal and state advisory boards, and has published numerous scholarly research papers on elections and related subjects. He is a founding member of the DEFCON Voting Village, and currently serves as board chair of the Election Integrity Foundation.

Matthew Wein is the founder of Wein Strategy Lab, an independent consulting firm focused on cybersecurity and homeland security issues. He previously served as a Professional Staff Member for the U.S. House Committee on Homeland Security, as an official at the Department of Homeland Security, and in Deloitte’s Cyber Risk practice. He also writes the Secure Stakes newsletter that focuses on sports gambling’s impact on Homeland Security.

Winnona DeSombre Bernsen is founder of the offensive security conference DistrictCon, held in Washington DC, and nonresident fellow at the Atlantic council. She was formerly a security engineer at Google’s Threat Analysis Group, tracking targeted threats against Google users. Her most recent paper, Crash (exploit) and burn, focuses on comparing the supply and acquisition pipelines of zero day exploits for the US and China.

War stories and bad moves from those in the field.

Graham Helton is currently a Red Team Specialist at Google specializing in Linux exploitation. Graham posts frequently on his website grahamhelton.com with deep dives on various security related topics. In his free time he likes to pretend like he knows what he’s doing, coffee, and cooking.

Kevin Clark is a Security Consultant with TrustedSec and a Red Team Instructor with BC Security, with a diverse background in software development, penetration testing, and offensive security operations. Kevin specializes in initial access techniques and Active Directory exploitation. He has contributed to open-source projects such as PowerShell Empire and developed custom security toolkits, including Badrats and Ek47. A skilled trainer and speaker, Kevin has delivered talks and conducted training sessions all over the country at cybersecurity conferences, including Black Hat and DEF CON, and authors a cybersecurity blog at https://henpeebin.com/kevin/blog.

Skyler is a Senior Security consultant at SpecterOps, where he performs security assessments for Fortune 500 organizations. With over six years of experience, he focuses on initial access research and contributes to the security community through open-source development and conference presentations. Skyler has presented at DEF CON and BSides and actively collaborates on open-source projects such as Messenger, Ek47, Connect, and Metasploit. He also conducts vulnerability research, having discovered multiple zero-day vulnerabilities in enterprise software.

Capture the Flag competitions offer one of the fastest, most practical ways to break into cybersecurity. These puzzle-style challenges teach real-world skills like reverse engineering, exploitation, and digital forensics through hands-on experience. This talk introduces the structure of CTFs, how to get started, and why they are valuable for both beginners and seasoned professionals. Students, developers, and tech enthusiasts alike can use CTFs to build skills and demonstrate talent. No experience is necessary, just curiosity and a desire to learn by doing.

In this talk, the speaker walks through how they used Nix to declare several AI models with full access to their computer in order to climb the Hack The Box (HtB) leaderboard—after being previously hardstuck at the “Hacker” rank while juggling the responsibilities of being a busy dad.

They demonstrate a semi-autonomous workflow where they are (not) automating themselves out of a job. The talk explores the challenge of tackling numerous CTF problems with limited time and shows how the combination of Nix and AI offers a powerful workflow for solving CTFs that often require multiple, isolated testing environments.

Finally, this custom Nix-based setup is compared to more traditional security-focused distros like Kali and AthenaOS. The talk ends by exploring how this approach transfers to real-world offensive security scenarios—pen testing, red teaming, and bug bounty hunting—and how much of it can be practically applied.

Rambo has been doing offensive security for almost a decade now. He’s okay at it, and has gotten by largely on vibes and personality. In spite of his mediocrity, his current company lets him work side projects that are related to AI and red teaming.

Since our release of the fault-injection attack on the Trezor millions of dollars have been recovered from crypto-wallets – using a simple glitcing attack! However, for a lot of people this is still black magic, and a lot of folks still assume you need expensive equipment to perform the attack. In this demo we will show you how you can hack into the STM32F4 read-out protection – as used in the Trezor attack – with just a couple of dollars of equipment!

Join Jayson E. Street for his annual whirlwind tour through the global DEF CON Groups (DCGs) ecosystem. From Beirut basements to Bogotá rooftops, discover how hackers worldwide are building community, sharing knowledge, and causing good trouble. This kickoff tradition blends heartfelt stories, global updates, and a rallying cry for connection—because DEF CON isn’t just a conference, it’s a movement.

Jayson E. Street referred to in the past as: a “notorious hacker” by FOX25 Boston, “World Class Hacker” by National Geographic Breakthrough Series, and described as a “paunchy hacker” by Rolling Stone Magazine. He however prefers if people refer to him simply as a Hacker, Helper & Human.

He is the Chief Adversarial Officer at Secure Yeti and the author of the “Dissecting the hack: Series” (which is currently required reading at 5 colleges in 3 countries that he knows of). Jayson is also the DEF CON Groups Global Ambassador. He’s spoken at DEF CON, DEF CON China, GRRCon, SAINTCON & at several other CONs & colleges on a variety of Information Security subjects. He was also a guest lecturer for the Beijing Institute of Technology for 10 years.

He loves to explore the world & networks as much as he can. He has successfully robbed banks, hotels, government facilities, Biochemical companies, etc. on five continents (Only successfully robbing the wrong bank in Lebanon once, all others he was supposed to)!

He is a highly carbonated speaker who has partaken of Pizza from Bulgaria to Brazil & China to The Canary Islands. He does not expect anybody to still be reading this far, but if they are please note he was proud to be chosen as one of Time’s persons of the year for 2006.

AGo malware is showing up more often, especially in IoT environments. Its flexibility and ease of cross-compilation make it attractive to attackers, but it also makes life harder for analysts and defenders. Go binaries are large, statically compiled, and structured in ways that traditional tools are not designed to handle. The runtime is unfamiliar, and things like string extraction, function identification, and behavior analysis can quickly become frustrating. This talk looks at why Go malware is hard to analyze and why some detection tools struggle to keep up. We will walk through practical tips and tools to make reversing Go malware more manageable, including how to recover types, strings, and function information. To tie everything together, we will look at a recent real-world example: Pumabot, a Go-based botnet targeting IoT surveillance devices. We will dig into how it works, what it targets, and what artifacts it leaves behind. By the end of the session, you will have a better understanding of how attackers are using Go in the wild and how to be better prepared for the next time it shows up in your analysis queue.

Passionate about binary analysis, binary exploitation, reverse engineering, hardware hacking, retro computing, and music.

Chris Navarrete is a Senior Principal Security Researcher within the Advanced Threat Prevention team at Palo Alto Networks. His work centers on cutting-edge research in cybersecurity, particularly in threat detection and malware analysis. Previously, he served as an adjunct professor of computer science at San Jose State University, teaching Software Security Technologies. He holds a Master of Science in software engineering with a specialization in cybersecurity from San Jose State University. Chris has presented at major industry conferences, including Black Hat Asia, the Computer Antivirus Research Organization (CARO), the Cyber Threat Alliance’s Threat Intelligence Practitioners (TIPS) conference, and Black Hat Arsenal, where he introduced and released BLACKPHENIX — a framework designed to automate malware analysis workflows.

Psychoholics is a group of nerds that love solving puzzles, drinking drinks, and doing escape rooms. We love competing in contests and CTFs, and we also run TFH, Crash&Compile and Dungeons@Defcon. Oh, and we have a Krux. 110001011100001111101 100011100110001101101

Banking Trojans targeting Windows systems have been affecting users in Latin America for many years, with their peculiarities in the tactics, techniques and procedures used by the criminals responsible for their development. However, it was not until the early 2020s that massive campaigns began to be detected with targets outside their usual region of operation, with special emphasis on Spain and Portugal. Since then, these campaigns have not ceased and several malware families have evolved to try to be more effective, with several different criminal groups collaborating in several of these campaigns and sharing their infrastructure. Through all this years many researchers at both sides of the Atlantic ocean have worked together to gather intel that could help to take down these cybercriminal organizations with some important achievements. The goal for this presentation is to analyze the reasons why the criminals behind these threats have been successful despite the increase in online banking security measures, while revealing the latest results obtained after analyzing the most recent campaigns of these threats. We will provide several examples of campaigns used by these malware families and how they are trying to adapt to keep being successful in obtaining new victims.

Join the founding members of Red Team Village as they share what they’ve learned building a community focused on offensive security education and discuss their evolution from hands-on leaders to mentors and advisors. From starting as a DEF CON village to growing into a 20,000+ member community, the founders will explore the complexities of building a successful community as well as the transition to letting others lead day-to-day operations.

This session covers the practical realities of community building and leadership evolution – managing volunteers, scaling membership, balancing content for different skill levels, and maintaining community culture during growth. The founders will share what worked in running the village operations, handling logistics at scale, and responding to community feedback to continuously improve the experience.

The discussion will address key questions about running and transitioning technical communities: How do you manage village operations effectively? What have you learned about scaling community management? How do you handle criticism and feedback constructively? How do you identify and develop new leaders? When and how do you step back without losing community culture? The founders will also cover practical aspects like managing large-scale events and evolving with community needs.

The session wraps up with Q&A where you can explore specific challenges around building technical communities, leadership transitions, and maintaining founding vision while empowering new voices.

Whether you’re involved in community building, thinking about starting something new, or wondering about sustainable leadership models, this panel offers honest perspectives from founders navigating the transition from builders to advisors.

Mike Lisi is the founder of Maltek Solutions, a consulting and solutions company as well as a seasoned professional in the field of cybersecurity. Mike is known for his expertise in network, web application, and API penetration testing, his contributions toward Capture The Flag (CTF) events, and support for college cybersecurity competitions. As the founder of Maltek Solutions, Michael has carved a path of excellence, establishing a dynamic and innovative cybersecurity company. His leadership and technical expertise drive Maltek Solutions to deliver top-notch security solutions to customers and partners throughout the country.

Omar Santos is an active member of the security community, where he leads several industry-wide initiatives and standard bodies. Omar is a Distinguished Engineer at Cisco focusing on artificial intelligence (AI) security, cybersecurity research, incident response, and vulnerability disclosure. He is a board member of the OASIS Open standards organization and the founder of OpenEoX. Omar is the co-chair of the Coalition of Secure AI (CoSAI). Omar’s collaborative efforts extend to numerous organizations, including the Forum of Incident Response and Security Teams (FIRST) and the Industry Consortium for Advancement of Security on the Internet (ICASI). Omar is the co-chair of the FIRST PSIRT Special Interest Group (SIG). Omar is the co-founder of the DEF CON Red Team Village and the chair of the Common Security Advisory Framework (CSAF) technical committee.

Omar is the author of over 25 books, 21 video courses, and over 50 academic research papers. Omar is a renowned expert in ethical hacking, vulnerability research, incident response, and AI security. He employs his deep understanding of these disciplines to help organizations stay ahead of emerging threats. His dedication to cybersecurity has made a significant impact on technology standards, businesses, academic institutions, government agencies, and other entities striving to improve their cybersecurity programs. Prior to Cisco, Omar served in the United States Marines focusing on the deployment, testing, and maintenance of Command, Control, Communications, Computer and Intelligence (C4I) systems.

Savannah Lazzara is a Security Engineer specializing in red teaming at a tech company. Savannah has multiple years of experience in security consulting working with many Fortune 500 corporations and has experience in carrying out security assessments, which include network assessments, social engineering exercises, physical facility penetration tests, and wireless assessments. Savannah also has experience in performing adversary simulation assessments, which include remote red team simulations, insider threat assessments, and onsite red team assessments. Savannahs area of expertise is focused on social engineering and physical security.

Savannah is a member of the Advisory Board for Red Team Village and co-authored ‘Redefining Hacking: A Comprehensive Guide to Red Teaming and Bug Bounty Hunting in an AI-Driven World’. She has spoken at several cybersecurity conferences, including Source Zero Con, BSides, and more. Savannah has also appeared on multiple podcasts, including The Hacker Factor and Hackerz and Haecksen.

There’s an easter egg on our shirts! Have you been racking your brain trying to solve it? Whether you’re on the right track, hitting a wall, or just have no clue where to begin, this is the talk for you! Come hang out and discover the secrets behind our shirt’s design.

Corwin is a simulation software engineer at Rivian Volkswagen Group Technologies with over a decade of experience in the electrified vehicle industry. Drawing on his deep background in controls and robotics, coupled with professional expertise in mapping & localization, vehicle controls, and autonomous driving, he designs and implements cutting-edge simulation software for both the automotive world and beyond. When he’s not busy advancing the automotive world, Corwin loves tackling side projects that push him to learn something entirely new. That’s exactly how he ventured into coding in the privacy and security space, and he’s excited to share those first experiences with you today!

The Pall Mall Process is a multilateral initiative led by the UK and France to address the proliferation and misuse of commercial cyber intrusion capabilities (CCICs) – but what that means in practice is that they’re writing rules for hackers, security researchers, and the companies that employ them. The process recently concluded a Code of Practice for States, and is turning to the question of: what responsibility does the hacking and cybersecurity industry bear?

Join the Hacking Policy Council (a coalition of offensive security practitioners, platforms, and vendors) and representatives of governments convening the Pall Mall Process to discuss what a Code of Practice for Industry could look like, and how to ensure that it protects good faith hackers and researchers. We’re tackling big questions: Should companies share zero-days with governments, and when? What makes a bug bounty “good faith”? How do we keep research ethical without strangling it with red tape?

We will give hackers a behind-the-scenes look at the policy debates shaping global cybersecurity norms, share our thinking, and invite critique, chaos, or consensus from the DEF CON community. Whether you’re a red teamer, researcher, builder, or breaker – join the policy hackers to share how you think we should make (or break) this code.

Heather West is a policy and tech translator, product consultant, and long-term digital strategist guiding the intersection of emerging technologies, culture, governments, and policy. Equipped with degrees in both computer and cognitive science, Heather focuses on data governance, data security, artificial intelligence (AI), and privacy in the digital age. She is a subject matter authority who has written extensively about AI and other data driven topics for over a decade. She is also a member of the Washington Post’s The Network, “a group of high-level digital security experts” selected to weigh in on pressing cybersecurity issues.

Annie is currently based at British Embassy Washington, heading up the cyber policy team on behalf of the Foreign, Commonwealth and Development Office of the UK Government. In this role she represents UK Government policy priorities on cyber and telecoms to the US Government and wider DC-based industry and academic communities. Prior to this role, Annie has worked for close to a decade in other UK Government departments focused on cyber and national security. She has covered a wide variety of operational national security topics.

Attaché for Science and Technology, Emerging Technology, French Embassy

Trey Ford is a seasoned strategic advisor and security thought leader with over 25 years of experience in offensive and defensive disciplines (incident response, application, network, cloud, and platform security). Trey has held key leadership roles at Deepwatch, Vista Equity Partners, Salesforce, Black Hat, and more. He has also been a valued member of Bugcrowd’s advisory board for over a decade.

Trey is passionate about working with enterprise leaders, corporate directors, and investors to help teams strengthen their technology and execution strategy. He believes in a hands-on approach to building, breaking, and deconstructing security problems.

Trey has a Master of Science from the University of Texas at Austin and executive education at Harvard Business School. Hailing from Austin, he is a husband, father, and an instrument rated private pilot.

Bug bounty programs often resemble battlegrounds, where security researchers (“”hackers””) and vulnerability triagers collide over validity, severity, and bounty rewards. Although this friction can strain relationships, it also represents a powerful opportunity for collaboration and community-building. In this session, experienced bug bounty hacker Richard Hyunho Im (@richeeta) and seasoned triage expert Denis Smajlović (@deni) team up to dissect these challenging interactions, share real-world stories from high-stakes bounty scenarios, and propose practical solutions for improved hacker-triager relationships.

Drawing directly from their experiences on both the researcher and company sides, Richard and Denis cover common scenarios including severity debates (e.g., Gmail aliasing vulnerabilities), unclear bug submissions, controversial gray-area issues (such as Apple’s BAC vulnerability rejection), and respectful escalation of bounty disputes (e.g., CVE-2025-24198). Attendees will gain insights into how effective communication, clear business impact framing, and mutual respect can bridge the divide between researchers and triagers.

Beyond monetary rewards, this presentation emphasizes how researchers can strategically leverage bug bounty work to enhance personal branding, build professional networks, and advance career opportunities. With empathy, humor, and candor, Richard and Denis demonstrate that the “”bounty battleground”” doesn’t need to be hostile; it can instead become a place for growth, trust, and professional success.

Key takeaways include actionable strategies for clearer reporting, effectively communicating severity, navigating gray-area cases, and respectfully challenging triage decisions. Ultimately, this talk equips attendees with tools and mindsets to positively shape the bug bounty ecosystem and foster genuine collaboration within the community.

Richard Hyunho Im (@richeeta) is a senior security engineer and independent vulnerability researcher at Route Zero Security. Currently ranked among the top 25 researchers in OpenAI’s bug bounty program, Richard has also received security acknowledgements from Apple (CVE-2025-24198, CVE-2025-24225, CVE-2025-30468, and CVE-2024-44235), Microsoft, Google, and the BBC. His research highlights overlooked attack surfaces, focusing on practical exploitation that challenges assumptions about everyday software security.

Denis Smajlović (@deni) is an OSCP-certified security engineer and Principal Security Consultant at Nova Information Security. Denis brings extensive experience managing high-profile bug bounty programs and collaborating closely with Fortune 500 companies, global tech firms, and major financial institutions. His specialty lies in bridging gaps between external researchers and internal security teams, clearly translating vulnerabilities into tangible business impacts, and fostering constructive, trust-based relationships between hackers and corporate triagers.

In his first-ever public appearance, elite hacker ZwinK joins Casey Ellis (CEO of BugCrowd) and Keith Busby (Acting CISO of the Centers for Medicare & Medicaid Services (CMS)) for a rare, unscripted look inside one of the largest, and most consequential bug bounties in the federal government. CMS touches the lives of 150M+ Americans and secures data that must not go offline — which made its decision to invite hackers inside both radical and risky.

This talk will cover how the program worked, what CMS learned, and how ZwinK uncovered critical vulnerabilities in public-facing federal systems. ZwinK will share his surprising favorite tactics, tools, and recon strategies — including how he hunts for high-value bugs in complex, regulated environments. Keith will explore how CMS weighed the risks of shining a light on its attack surface and how they battled the naysayers and managed federal red tape. Casey will discuss how BugCrowd is helping agencies shift from fear to resilience by operationalizing collaboration with hackers.

Expect real lessons, live banter, and a sharp edge — especially if your agency (or client) is still on the fence about bug bounties. No knowledge of healthcare is needed to enjoy this panel, just come curious!

ZwinK is a renowned ethical hacker and cybersecurity expert with decades of experience in identifying critical vulnerabilities in web mobile applications. Specializing in broken access control (BAC) bugs and often known as “the IDOR guy”, he has established a formidable reputation through meticulous manual penetration testing of digital services and platforms worldwide.

With an impressive track record, ZwinK has logged over 1,300 bugs on the Bugcrowd platform in only four years, showcasing his ability to uncover vulnerabilities. This expertise has earned him the #1 rank in the United States and 9th place globally on the Bugcrowd platform for high/critical impact bugs, a testament to his skill and dedication in the field of ethical hacking. He also holds the first place position on programs hosted by industry giants such as T-Mobile and State Farm.

His work has significantly bolstered the security posture of these organizations, protecting sensitive data and ensuring robust defenses against cyber threats. ZwinK continues to push the boundaries of ethical hacking, and has recently taken to working on federal government programs, such as CMS (“Centers for Medicare & Medicaid Services”). He also loves educating and inspiring the next generation of cybersecurity professionals.

Casey is a serial entrepreneur and executive, best known as the founder of Bugcrowd and co-founder of The disclose.io Project. He is a 25+ year veteran of information security who grew up inventing things and generally getting technology to do things it isn’t supposed to do. Casey pioneered the crowdsourced security as-a-service model, launching the first bug bounty programs on the Bugcrowd platform in 2012, and co-founded the disclose.io vulnerability disclosure standardization project in 2014 prior to its launch in 2018. He’s an active member of a variety of policy and threat intelligence working groups and think tanks such as the Cyber Threat Intelligence League, w00w00, Hacking Policy Council, and the Election Security Research Forum. He has personally advised the US White House, DoD, Department of Justice, Department of Homeland Security/CISA, the Australian and UK intelligence communities, and various US House and Senate legislative cybersecurity initiatives, including preemptive cyberspace protection ahead of the 2020 Presidential Elections, the US National Cyber Strategy, and a variety of policies and EO’s relating to security research, anti-hacking law, and artificial intelligence. Casey, a native of Sydney, Australia, is based in the San Francisco Bay Area.

Keith Busby is the Acting Chief Information Security Officer at the Centers for Medicare and Medicaid Services (CMS), where he leads enterprise cybersecurity, compliance, privacy, policy, and counterintelligence efforts. With over 20 years in IT and security; including leadership roles in cyber threat operations and compliance, he brings a mission-driven approach to modernizing and securing federal systems at scale. Keith’s roots in security run deep: from his time as a U.S. Army veteran to his work securing one of the nation’s largest school districts. He holds a B.S. in Computing and Security Technologies from Drexel University and a M.S. in Cybersecurity and Information Security from Capitol Technology University. Outside of work, Keith is a self-declared participation trophy-winning backyard BBQ pitmaster and a dedicated youth baseball coach. He thrives at the intersection of public service, technical leadership, and dad jokes.

Leah Siskind is an AI artificial intelligence (AI) research fellow at the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies. At CCTI, her research focuses on the adversarial use of AI by state and non-state actors — including Iran, China, Russia, North Korea — targeting the United States and its allies. Previously Leah served as the deputy director of the AI Corps at the U.S. Department of Homeland Security. She previously spent four years with the U.S. Digital Service in the White House, where she led efforts to modernize government technology. Her private sector experience includes roles at data and analytics companies such as Palantir and Uptake. Earlier in her career, she worked in diplomacy as a representative of Israel’s Foreign Ministry, leading government affairs at the consulate in the Pacific Northwest.

In this talk, I reveal the discovery of a novel RTOS running on automotive head units, uncovered through hardware hacking and reverse engineering. This RTOS, found in thousands of vehicles, exhibits numerous bugs and intriguing functionalities. I demonstrate how a crafted PNG file was used as a backdoor to compromise the system, highlighting both the innovative features and critical vulnerabilities present in current automotive technologies.

What happens to K-12 cybersecurity when federal leadership steps back? This session explores state-led cyber defense models for schools and how the hacker community can play a vital role in this ecosystem.

Our panel brings diverse perspectives on cyber policy and practice currently protecting America’s schools:

• Federal Transition & Filling the Gap: Despite shifting federal priorities, nonprofits and educational leaders continue the critical work of developing policy solutions across all levels of government to improve K-12 cyber defense.
• North Carolina’s Whole-of-State Approach: Combining robust shared services, mandatory incident reporting, and real-time incident response from the Joint Cybersecurity Task Force in support of K–12 schools.
• South Dakota’s Voluntary Model: Free managed AD and Microsoft services with SOC monitoring for any school district
• Hacker Community Integration: How the hacker community can effectively contribute to K-12 security including through victim notification

This discussion will be accessible to policy-focused attendees while providing technical participants with concrete examples of state-level cyber defense efforts. Participants will leave with insights about how to:

• Support K-12 cyber in your state
• Contribute your skills to protecting vulnerable schools
• Models for public-private-hacker collaboration

Michael Klein is Senior Director for Preparedness and Response at the Institute for Security and Technology (IST), where he focuses on improving the resilience of “target rich, cyber poor” critical infrastructure sectors. He comes to the role with nearly 20 years of experience across K-12 education as a teacher, coach, consultant, and school district leader as well as federal cyber policy.

Most recently, as the US Department of Education’s (ED) Senior Advisor for Cybersecurity, Michael led ED’s K-12 cybersecurity work with the National Security Council, Office of the National Cyber Director, CISA, FBI, the Intelligence Community, as well as State, Local, Tribal, and Territorial (SLTT) partners, and the private sector. In his 2 years at ED, he had the honor of briefing senior leaders in the Situation Room during the largest K-12 cyber incident, organizing 3 White House events, including the “Back to School Safely” K-12 Cyber Summit hosted by the First Lady, leading the implementation of National Security Memorandum 22, and establishing a Government Coordinating Council (GCC) that engages key stakeholders around K-12 cybersecurity, ransomware, and critical infrastructure resilience.

Dr. Vanessa Wrenn serves as the Chief Information Officer (CIO) for the North Carolina Department of Public Instruction (NCDPI), where she leads the strategic direction and oversight of cybersecurity, infrastructure, system modernization, and digital learning across the state’s public schools. With a strong focus on protecting sensitive student and education data, Vanessa champions statewide cybersecurity initiatives, ensuring that North Carolina’s K–12 systems are resilient, secure, and future-ready.

In her role, she coordinates with state agencies, school districts, and technology partners to deliver innovative solutions and critical cyber resources, building a safer digital learning environment for more than 1.5 million students and educators. Vanessa is a trusted voice in educational technology and a passionate advocate for cybersecurity awareness and readiness across all levels of public education, leading the advocacy for successful prohibition of payment of ransom laws in North Carolina for state and local government entities and a strong advocate for sustainable cybersecurity funding, including efforts to expand the use of the federal E-rate program to support K–12 cyber defense needs.

Johnathan is the Chief Information Security Officer (CISO) for the State of South Dakota. He is responsible for the state’s cybersecurity program, security strategy, security policy, and general security operations. Prior to this role, Johnathan was an Agency & Application Support Director for the state. In that role, he oversaw the software portfolios for five state agencies and advised their leadership on a number of different IT topics, including security and compliance. Johnathan first joined the state in late 2023 as the deputy CISO. Before that, he spent over 12 years in IT leadership roles with the federal government.

Silas Cutler is a Principal Security Researcher at Censys, where he brings over a decade of specialized experience in tracking organized cyber threat groups and developing advanced pursuit methodologies. Throughout his distinguished career, Silas has held leadership positions at premier cybersecurity organizations, including roles as Resident Hacker for Stairwell, Reverse Engineering Lead for Google Chronicle, and Senior Security Researcher on CrowdStrike’s Intelligence team.

Since 2021, he has played an instrumental role in advancing the Ransomware Task Force’s initiatives and as an adjunct supporting the Institute of Technology, fostering critical collaboration between public and private sectors in combating ransomware threats.

Silas is also the founder and lead developer of MalShare, a pioneering public malware repository that has supported the global security research community since 2013.

Modern SOCs are flooded with alerts yet blind to what matters. This talk shows how to auto-discover attack flows and root causes by hacking context across telemetry, logs, and threat signals. Using open-source tools and correlation logic, we’ll walk through real-world detection pipelines that stitch together events across cloud, endpoint, and network environments. You’ll learn lightweight, vendor-agnostic approaches to enrich data, group alerts by incident, and make sense of security chaos — fast.

Ezz Tahoun is an award-winning cybersecurity data scientist recognized globally for his innovations in applying AI to security operations. He has presented at multiple DEFCON villages, including Blue Team, Cloud, Industrial Control Systems (ICS), Adversary, Wall of Sheep, Packet Hacking, Telecom, and Creator Stage, as well as BlackHat Sector, MEA, EU, and GISEC. His groundbreaking work earned him accolades from Yale, Princeton, Northwestern, NATO, Microsoft, and Canada’s Communications Security Establishment. At 19, Ezz began his PhD in Computer Science at the University of Waterloo, quickly gaining recognition through 20 influential papers and 15 open-source cybersecurity tools. His professional experience includes leading advanced AI-driven projects for Orange CyberDefense, Forescout, RBC, and Huawei Technologies US. Holding certifications such as aCCISO, CISM, CRISC, GCIH, GSEC, CEH, and GCP-Cloud Architect, Ezz previously served as an adjunct professor in cyber defense and warfare.

Saflok locks are present in many hotels and apartments across North America. These locks rely on poorly-secured offline authentication mechanisms, leaving them vulnerable to attackers with basic knowledge about how the system operates. Following up on the initial “Unsaflok” presentation at DEF CON 32 by Lennert Wouters and Ian Carroll, this talk will touch on areas of the system not discussed in the original presentation, such as the handheld programmer, lock programming interface, clarity about the bit fields and unencrypted data in credentials, for yet another example of why you don’t rely on security-through-obscurity for security products.

Noah Holland is a Cybersecurity Undergraduate at Michigan Tech. He is the president of the MTU Linux User’s Group and MTU RedTeam, specializing in Access Control & Physical Security.

Josh Stiebel recently graduated with a CS degree from Michigan Tech. He helps run the access control village at various conventions. He is currently walking from Mexico to Canada on the PCT.

Imagine a hologram that talks, thinks, and operates offline—no cloud, no internet, no mercy. Born on the ISS and battle-tested in zero-gravity, HoloConnect AI is now aiming at Earth’s most vulnerable systems: medical devices.

This talk reveals how we’re embedding vision- and voice-aware AI inside air-gapped holographic agents that run locally, assist in surgery, and diagnose without ever phoning home. We’ll unpack how we cracked the interface between hardware, holography, and healthcare, and why offline is the new secure. Expect deep insights on sandboxed AI logic, secure embedded stacks, voice spoofing defense, and real-world risks when you give a glowing face to machine intelligence. Bonus: live demo of a medical-grade hologram running without Wi-Fi—because in space and in surgery, there is no Ctrl+Z.

Dr. Fernando De La Peña Llaca reverse-engineered the impossible: beaming a real-time hologram into orbit using consumer devices and custom AI. As CEO of Aexa Aerospace, he led the first off-planet holoportation and is now bringing that tech back to Earth to disrupt how we interact with machines. NASA award-winner, space technologist, and long-time builder, Dr. De La Peña fuses aerospace-grade security with street-smart AI. His current mission? Build a hologram smart enough to help—and locked down enough not to kill. DEF CON is the perfect place to stress-test that logic.

As we know, spacecraft will become prime targets in the modern cyber threat landscape, as they perform critical functions like communication, navigation, and Earth observation. While the launch of the SPARTA framework in October 2022 gave the community insight into potential threats, it didn’t address how to detect them in practical scenarios. In 2025, our research took a different approach as we didn’t just theorize about threats, we actively exploited space systems using SPARTA techniques to figure out what Indicators of Behavior (IoBs) would look like in a real-world attack scenario.

By leveraging offensive cyber techniques from SPARTA, we identified the specific patterns and behaviors that adversaries might exhibit when targeting spacecraft. These insights allowed us to systematically develop IoBs tailored to the operational constraints and unique environments of space systems. As a result, we demonstrated how Intrusion Detection Systems (IDS) for spacecraft can be designed with realistic, data-driven threat profiles.

This presentation will walk through our methodology, from exploiting space systems to crafting practical IoBs, and how these insights can directly translate to building robust IDS solutions. We’ll show how a threat-informed, hands-on approach to cybersecurity can transform theoretical knowledge into practical defenses for space infrastructure.

This talk provides a deep dive into Edge Side Includes (ESI) Injection, focusing on real-world findings and advanced exploitation techniques discovered during extensive testing on a private bug bounty program. While often associated with caching servers, ESI can become a potent vulnerability when user input is improperly handled. I will begin by demonstrating how to identify and confirm ESI injection points, even when standard ESI tags are initially blocked by Web Application Firewalls (WAFs). Attendees will learn how leveraging ESI can allow attackers to bypass the httponly cookie flag. I will detail how this leads directly to high-impact account takeover scenarios that are typically impossible with client-side Cross-Site Scripting (XSS) alone.

The presentation will reveal advanced techniques to overcome challenging scenarios. This includes exploiting ESI in endpoints with a Content-Type of application/json. I will also cover a unique case of exploiting ESI via a proxy endpoint by chaining it with an XSS vulnerability found on a whitelisted third-party domain.

Finally, I will share insights into navigating the realities of bug bounty hunting, including identifying and exploiting re-introduced vulnerabilities, developing persistent bypasses against evolving WAF rules, and the critical role of collaboration in uncovering complex attack vectors.

This is a highly technical talk aimed at attendees familiar with web vulnerabilities (like XSS) and concepts related to caching or CDNs. Basic knowledge of ESI syntax is helpful but not strictly required.

Robert Vulpe, also known as nytr0gen, is a Senior Security Engineer at UiPath. He is renowned for his expertise in cybersecurity, particularly in assessing product security through various penetration testing methodologies. With over 300 pentest assessments under his belt, Robert has identified and reported over 1500 security vulnerabilities in high-profile companies such as Amazon, PayPal, Goldman Sachs, and Epic Games.

His meticulous approach to security is evident in his detailed and professional reports. He is listed among PayPal’s Top 10 Hackers and was selected for the prestigious Forbes 30 under 30 list for his outstanding achievements in cybersecurity. With more than 8 years of experience in source-code review, he possesses a keen eye for identifying code-level security flaws.

Las tecnologías satelitales son el backbone silencioso de nuestra infraestructura digital moderna: desde comunicaciones y navegación, hasta monitoreo climático y operaciones militares. Sin embargo, estos sistemas operan bajo arquitecturas altamente específicas, frecuentemente con tecnologías legacy, protocolos propietarios, y requisitos físicos y orbitales que los hacen difíciles de probar y asegurar. Esta combinación crea un terreno fértil para actores avanzados y amenazas persistentes que pueden explotar la seguridad insuficiente del sector espacial.x000D x000D Esta charla explora técnicas ofensivas enfocadas en vulnerabilidades reales y escenarios tácticos simulados en sistemas satelitales. El contenido está respaldado por investigaciones realizadas en entornos virtuales que emulan estaciones terrestres, elnlaces de comunicación satelital, y enlaces de control y telemetría. Profundizaremos en:x000D x000D – Introducción técnica detallada a la tecnología, protocolos, infraestructura y comunicaciones satelitales_x000D_ – Técnicas para explotacion y atque a los enlaces de comunicación de satélites con estaciones terrestres_x000D_ – Emulación de estaciones terrestres, emuladores de satélites y ataques en ambientes controlados.x000D – Pruebas de penetración simuladas contra satélites virtuales por ejemplo, sniffing, replay, spoofing, y takeover, entre otros.x000D – Modelado de amenazas y TTPs inspirados en grupos APT que han apuntado a infraestructuras aeroespaciales.x000D x000D Lo que aprenderá la audiencia_x000D_ x000D – Cómo iniciar en el área y como construir un entorno de pruebas realista para realizar pentesting ofensivo en sistemas satelitales.x000D – Vectores de ataque RF, spoofing y explotación de protocolos espaciales.x000D – Cómo modelar amenazas ofensivas en el contexto aeroespacial_x000D_ – Limitaciones actuales de la ciberseguridad en el dominio espacial y oportunidades de investigación ofensiva.x000D

Romel Marín es un pentester senior en el equipo de ciberseguridad ofensiva IBM X-Force Red, con una carrera de 10 años. Destaca por su especialización en pruebas de penetración en diferentes tipos de infraestructuras de redes internas y externas, aplicaciones, redes OT, Cloud, dispositivos iot, tecnología aeroespacial, entre otros. Su enfoque reciente ha sido la investigación en ciberseguridad ofensiva y defensiva en tecnologías aeroespaciales e inteligencia artificial. x000D Posee certificaciones destacadas como OSCE, OSCP, OSEP, OSWA, CRTO, CRTP, DSOC, entre otras. Además, es coautor de un libro centrado en ciberseguridad ofensiva con Parrot Security y miembro fundador del grupo Defcon de Costa Rica (DC11506), habiendo sido ponente en múltiples conferencias internacionales.

Drawing from personal experience as a press photographer, this talk highlights the underexplored attack surface created by media access at high profile events like concerts, sporting events and political rallies. We explore how the press badge can become a powerful tool in the hands of a red teamer. By taking into account elements of OSINT, social engineering, and physical and network security, we focus on how lessons learned as a press photographer can directly be applied by red teamers (or threat actors!) to gain a foothold. Once that is achieved, individuals can embed themselves directly within high-visibility individuals and high-value, sensitive devices associated with professional sports teams, musicians and bands, and political leaders and lawmakers. The talk also discusses the importance of looking at the ‚Äòbigger picture‚Äô, and being aware of threats where people may not consider them to come from. Inspired by the spirit of Johnny Long‚Äôs No Tech Hacking, this talk examines how low-tech, high-ingenuity approaches continue to be in a hacker’s arsenal. It makes the case that media impersonation is a serious but overlooked threat vector, and one that allows attackers to bypass traditional perimeters.

Mansoor Ahmad is an offensive security practitioner who has always had a curiosity about how things worked. He studied information technology and worked as a news photographer in college. A quiet kid growing up in a foreign country, he would always accompany his father on errands and observe people’s reactions to different things and the psychology behind it. This started an itch which he has been scratching since then, that has led to a career in information security. When he’s not working, eating or sleeping, Mansoor likes to practice photography and taking naps.

Brad Ammerman, a leading figure in security testing, currently serves as the Senior Director at Prescient Security. His background includes influential roles at companies like Foresite, Optiv Security, Lockheed Martin, DIA, DoD, and Supreme Court of Nevada, where he developed his expertise in offensive security and team management. A skilled hacker himself, Brad is also a recognized speaker, educator, mentor, and disabled veteran, dedicated to teaching and protecting others. He takes great pride in his roles as a devoted husband and father.

As part of their training and certifications, most professional mariners memorize the ‘nautical rules of the road’. The International Regulations for Preventing Collisions at Sea (COLREGs), form the foundation of maritime safety by establishing predictable behaviors and shared responsibilities between vessels. This a system with built-in protection and fall-back plans, tried and tested over a long history. But for hackers or cyber defenders—who might not know starboard from Starbucks— understanding these norms may mean the difference between big effect or no effect. Our talk focuses on one memorable guideline that ship drivers often fall back on: Don’t Turn To Port (unless you’re absolutely sure it’s safe). There is plenty of good research out there about how cyber-physical systems such as rudder angle controllers can be manipulated on manned and unmanned systems. There is good writing on the threats unique to maritime choke points. But agnostic to the location, why would cyber manipulation of a rudder to induce a port turn be worse than a starboard one? Our talk will touch briefly on how the rules influence legal liability for collisions at sea, and conclude with encouragement for people to learn the rules of the road and further their own journey in understanding the maritime profession.

AMP spent 10 years driving ships around the globe—now captains a CTF team instead. With an undergrad in electrical engineering and working on a master’s in info systems engineering, AMP made the jump from maritime grit to digital ops, bringing salty sea stories and a screwdriver to every hacking challenge. They’ve co-hosted episodes of Sea Control (CIMSEC) and The Yoke Report, poking at the strange edges of maritime security, cyber policy, and why everything breaks at 2 AM. Into hardware hacking, retro gaming, and running text-based RPGs.

data is a retired Air Force Cyber Warfare Officer with over 20 years of operational experience. He’s a CNODP and RIOT grad with a Comp Sci BS from the USAF Academy and a Master’s in Cyber Ops from the Air Force Institute of Technology. He’s been certified in all 3 NSA Red Team work roles, all 3 offensive SIGINT work roles, qualified in all 6 Cybercom offensive work roles and personally engaged real-world, nation-state-level actors, malware and targets in air, land, sea, space & cyberspace both offensively and defensively. And he’s done so with the US, UK, Canada, Australia and New Zealand. He also helped make those cool starship badges you’ve seen around DEFCON.

In this talk, we’ll explore how Ham radio can help facilitate open and uncensored communications in situations where traditional communications strictly controlled or even blacked out.

With risks presented by the current global political landscape, Ham radio (amateur radio) has been a powerful tool for communication, especially where governments impose strict control over traditional and digital communication channels.

Nate Moore, call sign N8MOR, is an active member of the Ham Radio Village. He serves on the club’s board and has contributed to various club activities.

Professionally, Nate has over 25 years of experience in the Information Security field and holds multiple certifications. He has shared his expertise with the amateur radio community through presentations on cybersecurity as well as the amateur radio hobby.

Want to learn how to pick handcuffs? This talk is for you!

HHB goes over hard hats, construction, and all the hackery things people have done with them

MrBill started Wardriving in 2003 after attending DC11 and started contributing to Wigle in 2007. He took a break for about a decade (kids) and started up again in 2017 in earnest, and later founded the HardHatBrigade WiGLE group. He passed D4rkM4tter in the global rankings around 2022 and continues to trail @CoD_Segfault in their race to 1 Million WiGLE points. He is often seen at security conferences with a hard hat, mostly with some sort of wardriving functionality. Join him and the rest of the HHB crew in the 24 Hour wardriving event in October.

M0nkeydrag0n plays a blue teamer by day and a Hard Hat Bridage member in the after hours. Having spent a decade in IT support before shifting to his current role, m0nkeydrag0n has spent the last few years growing professionally as a cyber security engineer and endeavors to share tactics, approaches and stories with those looking to make that shift into security as well…or any pivot for that matter!

Lately, rediscovering R/C vehicles as allowed him to take flight, if only by FPV. But playing with RF is always fun, whether it’s trying to catch folks on WiGLE, designing cases for wardriving kits, earning his ham tech cert or just enjoying motorcycles for a long ride…and internet points!

Come wardrive with the Hard Hat Brigade!

CoD_Segfault first went wardriving around 2004, but really kicked up the game in 2021 when joining HardHatBrigade on WiGLE. By 2023, his focus shifted to smaller and more portable wardriving solutions suitable for walking and bike riding. Notable works include ultra small ESP32 wardrivers based on the wardriver.uk project and creation of the BW16-Open-AT project to improve network identification and remove reliance on the closed-source AT firmware.

Origins of Hard Hat Brigade (why), the who / what / how

MrBill started Wardriving in 2003 after attending DC11 and started contributing to Wigle in 2007. He took a break for about a decade (kids) and started up again in 2017 in earnest, and later founded the HardHatBrigade WiGLE group. He passed D4rkM4tter in the global rankings around 2022 and continues to trail @CoD_Segfault in their race to 1 Million WiGLE points. He is often seen at security conferences with a hard hat, mostly with some sort of wardriving functionality. Join him and the rest of the HHB crew in the 24 Hour wardriving event in October.

M0nkeydrag0n plays a blue teamer by day and a Hard Hat Bridage member in the after hours. Having spent a decade in IT support before shifting to his current role, m0nkeydrag0n has spent the last few years growing professionally as a cyber security engineer and endeavors to share tactics, approaches and stories with those looking to make that shift into security as well…or any pivot for that matter!

Lately, rediscovering R/C vehicles as allowed him to take flight, if only by FPV. But playing with RF is always fun, whether it’s trying to catch folks on WiGLE, designing cases for wardriving kits, earning his ham tech cert or just enjoying motorcycles for a long ride…and internet points!

Come wardrive with the Hard Hat Brigade!

CoD_Segfault first went wardriving around 2004, but really kicked up the game in 2021 when joining HardHatBrigade on WiGLE. By 2023, his focus shifted to smaller and more portable wardriving solutions suitable for walking and bike riding. Notable works include ultra small ESP32 wardrivers based on the wardriver.uk project and creation of the BW16-Open-AT project to improve network identification and remove reliance on the closed-source AT firmware.

Gaining access isn’t always about having the perfect pretext. Sometimes, it’s about recognizing subtle shifts in the environment, reading behavioral cues, and adapting on the fly. The best social engineers, like master photographers, don’t just plan—they wait for the decisive moment and take action when the time is right.

This session unpacks a real-world infiltration where success wasn’t about meticulous scripting, but about understanding when and how to pivot in real time. By integrating principles from photography, literature, theater, and deception, we explore how presence, timing, and perception shape the art of infiltration.

Bachelor in Arts of Representation. With certifications in Social Engineering, Red Team & OSINT. Team Leader of Fr1endly RATs, the Social Engineering unit at Dreamlab Technologies Chile. Specializing and developing techniques and methodologies for simulations of Phishing attacks, Vishing, Pretexting, Physical Intrusions and Red Team.

Large-language-model wrappers increasingly rely on the “ChatML” format to segregate system, assistant, and user roles, yet those delimiters introduce a critical appsec flaw: there is a role hierarchy but no ChatML/server-side RBAC or parameter-level trust boundary built in to ChatML or its chat-completions JSON wrapper. Any client that can speak ChatML can also impersonate privilege, similar to the logical flaws of early-2000s webapps. To make it worse: everybody and their mother forked this thing with roles/privileges but no built-in RBAC pioneered by leading model providers.

In twenty minutes we will walk through the anatomy of that oversight and unveil three vendor-agnostic role-injection techniques that bypass guardrails, trigger unbounded consumption, and hijack function calls in under 50 tokens. We then pivot to parameter pollution, showing how key overrides (temperature, system, tools) can be further used to abuse agents.

OWASP AAI001: Agent Authorization and Control Hijacking

Hi, I’m Anit Hajdari, a Security Consultant at Sentry with nearly two years of hands-on experience in the cybersecurity field. Throughout my career, I’ve been involved in a wide range of security assessments, including internal and external network penetration testing, as well as web and mobile application security evaluations. More recently, I’ve expanded my expertise into the emerging area of Large Language Model (LLM) penetration testing, staying ahead of the curve as AI technologies evolve. My work focuses on identifying vulnerabilities, delivering actionable insights, and helping organizations strengthen their overall security posture.

Armend Gashi is Managing Security Consultant at Sentry. With over 5 years in the industry, he specialized in application security and AWS cloud assessments. Armend also performed AI red teaming engagements and developed multi-agent systems to perform security-focused tasks such as code auditing and exploit development.

Robert Shala is co-founder of Sentry, where he leads 50 security consultants and has delivered 2000-plus red-team and appsec engagements for some of the world largest organizatons. He also contributes as a AI Red Teamer for a major AI model developer, probing frontier models for safety and security flaws.

Robert holds an M.S. in Security Studies from Georgetown, a B.S. from RIT, and has a passion for wargaming.

This presentation will describe the history and significance of the California Top to Bottom Review (TTBR), the landmark study of voting systems whose report disclosed many serious security vulnerabilities in the systems used in California and led to changes in the systems certified for use in that state. The talk will also cover that study’s lesser-known but equally important cousin, the Post Election Audit standards Working Group, whose report gave rise to the fundamental concept of risk limiting audits (RLAs).

Debra Bowen was the elected Secretary of State of California for two terms from 2007 to 2015. Prior to that, from 1992 to 2006, she had been a member of the California Assembly and then the Senate. In 2007, at the beginning of her term as Secretary of State, she commissioned the Top to Bottom Review (TTBR) of voting systems used in California. The review involved top computer security researchers, attorneys, and accessibility experts, and provided the nation with an unprecedented view into the state of voting machines. The TTBR led to critical changes to improve California’s elections and influenced other states to move away from the most insecure voting systems. In parallel she commissioned the Post Election Audit Standards Working Group (PEASWG), a group of experts charged with outlining standards for election auditing. From their report emerged the very first formal description of what came to be known as risk-limiting audits (RLAs), now widely viewed as the “gold standard” of auditing techniques. RLAs make the notions of evidence-based elections and software independence, two of the fundamental pillars of election integrity, an achievable goal.For her “bold leadership and her steadfast resolve to protect the integrity of the vote” she was honored with a 2008 Profile in Courage Award by the John F. Kennedy Presidential Library and Museum.

This thought-provoking session dives into the dual-edged role of artificial intelligence in the phishing ecosystem. On one side, AI is enabling attackers to craft more convincing and scalable phishing campaigns, making detection increasingly difficult. On the other, it’s empowering defenders with smarter tools for real-time detection, adaptive filtering, and behavioral analysis. Attendees will gain insight into how AI is transforming both offensive and defensive strategies—and what that means for the future of cybersecurity.

Levone is a recognized cybersecurity expert specializing in the intersection of artificial intelligence and social engineering attacks. With over 18 years of experience in threat intelligence and defensive strategy development, Levone has advised Fortune 500 companies and government agencies.

The Bio / medical industry creates huge amounts of data—vital-sign streams, imaging, clinician notes— Knowledge base requirements are very heavy, so a little help from a specialized llm can boost the productivity alot. Our new layered technology, accomplishes just this

Hardware layer: A customized CM5 board, an RP2040 co-processor, and a sunlight-readable E-ink display strike the sweet spot LLM entirely on-device + many other transcription models + TTS models.

Software layer – Our “MCP Hub” turns plain-language requests like “track heart rate every five minutes” into a reliable data log, even when Wi-Fi is down. With the help of AI coding, any sensor can start to work within 5min.

Kevin & Tianqi are veteran engineers from Microsoft Surface devices and Qualcomm’s efficient-AI—that is miniaturizing enterprise-grade inference into badge-sized hardware, they designed the hardware + software of distiller, and enclosure to squeeze 3-billion-parameter language models into a 10-Watt, pocket-safe form factor, giving clinicians instant, private access to AI reasoning right at the bedside.

Many automotive dealers in the USA utilize centralized platforms for everything from sales to service to marketing. The interconnectivity of various systems makes things easy to manage, but also exposes certain risks should any of these systems have a vulnerability. API flaws were discovered in a top automaker’s dealer platform that enabled the creation of a national admin account. With that level of access, being able to remotely take over your car was only the tip of the iceberg…

Eaton is a senior security research engineer at Traceable by Harness. As a member of the ASPEN Labs team, he has contributed to the security of some of the world’s largest organizations by finding and responsibly disclosing many critical vulnerabilities. He is best known for his high-profile security disclosures in the automotive space: 1, 2, 3.

As digital systems increasingly control the world’s most powerful machines, software failures have become a silent but deadly threat—sometimes with fatal consequences. This DEFCON presentation dives deep into maritime and military incidents where software errors, automation missteps, and human-computer interface flaws have led to catastrophic outcomes. Reviewing the USS Yorktown’s infamous “Smart Ship” crash and the USS Vincennes’ tragic misidentification of a civilian airliner, we dissect how code, configuration, and design choices can escalate into life-or-death situations at sea. We’ll also draw parallels to high-profile aviation incidents like the Boeing 737 Max and F-35, illustrating common threads in software assurance failures across domains. We’ll walk through how a subtle software flaw could be exploited to disrupt critical vessel operations, and what this means for the future of maritime cybersecurity. Attendees will gain insight into the technical, organizational, and ethical challenges of securing mission-critical systems, and leave with practical takeaways for hackers, engineers, and policymakers seeking to prevent the next digital disaster on the high seas.

With 25 years of experience in the maritime sector, Michael is dedicated to ensuring the safety and security of the global Maritime Transportation System (MTS). A retired US Coast Guard Officer, he has conducted numerous safety and compliance inspections, investigated high-profile marine casualties, and established a cybersecurity program at USCG Cyber Command. Previously, as a Business Information Security Officer for Royal Caribbean Group, Michael developed strategies to maintain the cybersecurity and regulatory compliance of the company’s global cruise fleet. Holding a B.S. in Computer Science and an M.S. in Telecommunications, he currently serves as ABS Consulting’s Maritime Cybersecurity Director. In this role, he specializes in managing cyber risks, implementing technical solutions, shaping policy and governance, providing expert advisory services, and designing custom solutions to meet maritime regulatory requirements and best practices.

Austin Reid is a senior consultant at ABS Consulting specializing in securing maritime operational technology with 10 years experience in the Maritime sector from breakbulk, automated container terminal ops, and securing critical vessel systems for all types of ships. He is also a hacker, and security researcher specializing in maritime navigation control systems.

In this talk I’ll describe our investigation of ad-hoc, proprietary EMV features from Apple, Google, Samsung and Square and show that companies independently retrofitting and over-loading the core EMV specification has led to a range of security problems. Along the way I’ll show how we managed to do unauthenticated, over-the-limit, offline payments for Mastercard and ultimately take 25000 from an EMV terminal with no payment card at all.  On the defense side I’ll discuss how formal modeling can make EMV payments safer and I’ll describe our distance bounding amendment to the ISO 14443 standard that could make all EMV payments safer.

Tom Chothia is a Professor of Cyber Security at the University of Birmingham, UK. His research involves the development of new mathematical analysis techniques, and the application of these techniques to real world cyber security problems. His past work on the security of EMV, ApplePay, banking apps, pacemakers and video game cheats have all received widespread media coverage.

in this talk we review how amateur radio were used in the relief effort in NYC Sept 11.

What do you do when major Communications are disrupted and how amateur radio came to the rescue. We will talk about all the technology that was user to support the relief effort. Staffing requirements and jobs that Ham Radio operators did, challenges and solution for working a Major disaster will be covered. Lessons learned and opportunities for you to become involved in emergency communications.

Welcome to the “fun” world of IoT, where security is often an afterthought and vulnerabilities lurk around every corner. This presentation is a guide for vendors on what not to do when designing IoT devices and a survival manual for users to spot insecure gadgets. Ever wondered if your IoT device is spilling your home WiFi secrets to the cloud over HTTP? Spoiler alert: maybe 🙂 Pairing your device over open WiFi and HTTP while providing your home WiFi credentials? Just to vacuum clean your home?
How about IoT devices lying about their Android version? But don’t worry, it already comes with malware pre-infected. Wouldn’t it be nice to access the clear-text admin passwords before authentication? How about multiple different ways to do that? Would you like to see reverse engineering an N-day command injection vulnerability in the login form of a popular NAS device? What could be the easiest way to figure out the (static) AES encryption key for a home security alarm solution? Just RTFM! Why bother with memory corruption when command injection is still the king of IoT threats? I’ll break it down for you, with an analysis of challenges with scalable IoT memory corruption exploits, and the challenges with blind ROP. Last but not least, let’s discuss why Busybox is “not the best” choice for IoT development.

Zoltan (@zh4ck) is a Principal Vulnerability Researcher at CUJO AI, a company focusing on smart home security. Previously he worked as a CTO for an AV Tester company, as an IT Security expert in the financial industry, and as a senior IT security consultant. He is also the developer of the Hardware Firewall Bypass Kernel Driver (HWFWBypass), the Encrypted Browser Exploit Delivery tool (#IRONSQUIRREL) and the Sandbox tester tool to test Malware Analysis Sandboxes, and is partially “responsible” for an IoT botnet infecting 600K devices.

I am a big fan of offsec certs, currently holding OSEP, OSED, OSCE, OSCP, and OSWP.

“How NOT to Perform a Covert Entry Assessment” is a no B.S. discussion that covers what not to do during covert entry engagements–highlighting real-world mistakes, busted Hollywood myths, and missteps that compromise success. We’ll walk through effective techniques for physical site surveys, face-to-face social engineering, and real-time troubleshooting when things go sideways. Attendees will be encouraged to share experiences and lessons learned in an open, interactive format. We’ll also demo our covert entry tools, and discuss how to deliver reliable results to both commercial and high-security government clients.

Brent is a Sr. Principal Security Consultant / Covert Entry Specialist with Dark Wolf Solutions, specializing in social engineering and Red Team-style security assessments for both commercial and Department of Defense clients, as well as his contributions towards the development the drone hacking methodology for the Defense Innovation Unit’s “Blue sUAS” initiative. He also served as a trusted adviser for the TN Dept of Safety and Homeland Security on the topic of physical and cyber security and has held the role of Web/Project Manager and IT Security Director for a global franchise company as well as Web Manager and information security positions for multiple TV personalities.

He has also been interviewed on the popular web series, “Hak5” with Darren Kitchen, Security Weekly, BBC News, featured with Tim Roberts on the popular series “ProfilingEvil” by Mike King, and on Microsoft’s “Roadtrip Nation” television series. His experience includes Internal/External Penetration, Network evasion, Wireless, Web Application, Drone and Physical Security assessments, and Social Engineering.

Brent has also spoken at numerous security conferences, including ISSA International, DEF CON, Black Hat, DerbyCon, multiple “B-Sides” conference events, Appalachian Institute of Digital Evidence conference at Marshall University, and many more.

Tim is a Covert Entry Specialist with Dark Wolf Solutions and Sr. Principal Penetration Tester. He is the founding member of the Lexington DEF CON group (DC859). He has been interviewed on the subject of “White hat hacking” for Microsoft’s “Roadtrip Nation” television series, was featured on IDG Enterprise’s CSO Online publication by Ryan Francis on social engineering, and was interviewed at Black Hat by HelpNetSecurity on security awareness and “Know Your Adversary”. He and Brent White have also been featured a couple of times on the true crime series Profiling Evil with Mike King.

Tim has over fifteen years of professional security experience and has held management, IT, and physical security roles across multiple industries, including healthcare, finance, and government. His experience includes Red Team, Internal/External Network, Wireless, Application, Physical Security, Social Engineering, and more.

Tim has spoken and conducted training at numerous security and hacker conferences, including ISSA International, DEF CON, DerbyCon, NolaCon, various B-Sides, CircleCityCon, Techno Security Con, SaintCon, Appalachian Institute of Digital Evidence at Marshall University, Who’s Your Hacker, was keynote for the S&H Law – FBI/Hacker Panel, and more. By continuing to share these experiences, he hopes to further contribute to the InfoSec community and security awareness as a whole.

The US Digital Millennium Copyright Act (DMCA) broadly prohibits defeating technical measures used to protect copyrighted material, including software. Unfortunately, this can encompass ordinary reverse-engineering and other techniques routinely employed by researchers to examine software-based systems for security vulnerabilities. In 2017, the US Copyright Office enacted a temporary exemption permitting “good faith security research” under some circumstances. This talk will explore what conduct the exemption does and doesn’t cover, and how the exemption helps protect the ability for election security researchers to do their work. The talk will include generous time for questions.

Tori Noble is a Staff Attorney at the Electronic Frontier Foundation. She works on a wide array of intellectual property and civil liberties issues arising from the use of emerging technologies. Tori came to EFF from Dentons US LLP, where she maintained an active litigation and counseling practice centered on First Amendment, privacy, and intellectual property issues. Prior to joining Dentons, Tori worked as a First Amendment fellow at First Look Institute, where she represented The Intercept and its reporters in public records cases and counseled journalists, editors, and filmmakers on a wide range of newsgathering, libel, privacy, and intellectual property issues. During law school, Tori interned at EFF and served as a Google Policy Fellow at the Reporters Committee for Freedom of the Press. Tori holds a J.D. from Stanford Law School and a B.A. from the University of Michigan Gerald R. Ford School of Public Policy.

HUMINT is one of the most powerful, yet least understood tools in cyber threat intelligence. This talk will walk through the full lifecycle of a deep cover HUMINT operation—from identifying high-value sources, to crafting believable personas, navigating forum dynamics, and extracting intelligence through direct engagement with threat actors. We’ll explore how these operations provide early warning of attacks, insights into actor motivations, and access to tools before they’re deployed. But going undercover isn’t without risk. We’ll cover the technical and psychological challenges, OPSEC fundamentals, and ethical dilemmas that define this high-stakes work. Attendees will learn how to map underground communities, build credibility, and collect actionable intelligence without blowing cover. With real-world examples and field-tested strategies, this session offers a rare look inside the human side of CTI—where trust, deception, and tradecraft matter more than tooling. For anyone serious about adversary engagement, this is where the automation ends—and infiltration begins.

Sean Thomas Jones is an accomplished Senior Information Security Professional with decades of experience in successfully stopping hackers, securing networks and applications by using best practices, tools and technologies. He currently works as a Sr Manager with a Threat Intelligence Analyst team to protect the cyber and physical assets of governmental, corporate and high profile individuals.

Join us to explore Reddit’s defense strategy to handle massive traffic and sophisticated abuse. We’ll delve into how Reddit tackles this challenge, from traffic analysis to innovative resiliency techniques, all while understanding why a tailored, in-house approach is vital for such a high-scale platform.

The current bug bounty ecosystem thrives on collaboration between security researchers and organizations, yet it fundamentally hinges on mutual trust. Researchers are required to disclose detailed information about vulnerabilities, often exposing sensitive exploit data, while organizations must trust the accuracy and integrity of these disclosures. This trust-dependent model poses significant risks, including potential misuse of exploit information and uncertainties in reward allocations.

This presentation introduces innovative applications of zero-knowledge proofs through zkVMS (Zero-Knowledge Virtual Machines) and zkTLS (Zero-Knowledge Transport Layer Security) to revolutionize bug bounty programs. With zkVMS, researchers can cryptographically prove the existence of software vulnerabilities without revealing the exploit code or any sensitive details. Similarly, zkTLS enables the cryptographic verification of network interactions—such as HTTP requests leading to SQL injections—without disclosing the actual payloads involved.

We will delve into how these technologies eliminate the need for trust by allowing proof of vulnerabilities in a manner that protects both the researchers’ methods and the organizations’ assets. The session includes a live demonstration showcasing the practical implementation of trustless bug bounties using zkVMS and zkTLS. Attendees will gain insights into the technical mechanisms underpinning these tools and their profound implications for the future of secure, trustless collaboration in cybersecurity.

Join us to explore how zero-knowledge technologies are paving the way towards a new paradigm in vulnerability disclosure—one that enhances security while preserving confidentiality and integrity for all parties involved.

Anto Joseph works as a Principal Security Engineer at Eigen Labs. He enjoys researching distributed systems,DeFi protocols,Android and ML systems.He is involved in developing and advocating security in blockchains & DeFi. Previously, he has worked at Coinbase, Tinder, Intel, Citrix and E&Y in multiple information security roles.He has been a presenter and trainer at various security conferences including BH USA, Defcon, BruCon, HackInParis, HITB Amsterdam, HackLu, Hacktivity, PHdays, X33fCon, NullCon, c0c0n and more. He is an active contributor to many open-source projects and some of his work is available at https://github.com/antojoseph

As the lines between IT and operational technology continue to blur, our Naval fleet faces a growing attack surface from propulsion and power to weapons and control systems. Enter MOSAICS Block 1, a Department of Defense framework for operational technology security to ensure real-time monitoring, safe active asset discovery, and behavioral threat detection tailored for mission-critical ICS. In this session, we will walk through how MOSAICS is being applied to Naval mission systems, highlighting Department of the Navy use cases. We will break down the reference architecture and offer candid insights on adapting this framework to protect legacy systems at sea without compromising lethality. This talk is for ICS defenders, red teamers, and cyber policy leaders who want a front-row view into how the Department of the Navy is operationalizing OT security at scale.

Mr. Michael Frank is currently serving as the Deputy Chief Technology Officer for the Department of the Navy, responsible for identifying and assessing emerging technology. Prior to this role, Mr. Frank was a Principal with the Boston Consulting Group, helping public and private organizations solve technology related problems. Mr. Frank is also an Officer in the Marine Reserves, currently leading the Cybersecurity portfolio for the Marine Innovation Unit. He has served as the Red Cell lead for Exercise Cyber Yankee for the last five years. Mr. Frank holds an MS in Information Security from Carnegie Mellon University, an MBA from the Darden School of Business, and a BA in Accounting from Washington and Jefferson College.

Zero Trust is a powerful concept—but when applied to certified avionics, it can become a safety hazard masquerading as a security control. This talk confronts the policy disconnect between modern cybersecurity mandates and the engineering realities of aircraft systems. We’ll explore how compliance-driven frameworks like NIST SP 800-207, when misapplied, introduce latency, complexity, and certification friction into environments where failure modes are measured in lives, not log files. Through real-world case studies, including GPS spoofing incidents and the F-35B ejection, we’ll examine how policies intended to improve resilience can degrade mission assurance. Attendees will leave with a better understanding of where Zero Trust principles can improve aerospace security and where policy must adapt to the constraints of safety-critical design. If your compliance checklist doesn’t include cognitive load, deterministic timing, or the cost of recertification, this talk is your turbulence warning.

Michael Crouse is a CFII-rated instructor pilot, avionics tinkerer, and cybersecurity strategist specializing in safety-critical systems. With nearly two decades of experience securing U.S. Air Force aircraft, he’s designed, assessed, and defended everything from bomber avionics to anti-tamper and ground systems. He’s served as a lead embedded engineer, ISSM, systems integrator, and unwilling participant in far too many working groups that could’ve been emails. He’s built homebrew avionics, run RF threat detection from a hangar, and developed cyber controls that fail gracefully—even when the rest of the mission doesn’t. His certifications include CISSP, CEH, CFI, and Amateur Radio General Class (because some “wireless” attack surfaces still ride HF). He holds an M.S. in Cybersecurity (completed in just three weeks, because why not). He brings the mindset of a pilot, the discipline of a systems engineer, and the deep disappointment of someone who’s watched Zero Trust get bolted onto safety-critical systems with all the subtlety of a cargo door falling off at cruise.

This talk details a comprehensive reverse engineering analysis of stored-value laundry cards, prevalent in facilities worldwide. The widespread adoption of localised contactless payment solutions, attributed to their convenience, necessitates understanding their internal operations. This analysis explores the mechanisms behind value storage and modification within these cards. During this investigation, a data structure was identified that presented a significant vulnerability. The implications of this vulnerability raise serious concerns, which extend beyond laundry facilities, potentially impacting the security of similar contactless systems globally.

Aidan is a 16-year-old cybersecurity researcher and hardware hacker with a focus on RFID, reverse-engineering, and access-control systems. He developed the Metroflip app for the Flipper Zero, enabling metro-card interaction, and has also cloned AirTags onto microcontroller boards using BLE and reverse-engineering techniques. Aidan competes in CTFs, earning second place at Bsides Las Vegas, and shares his open-source work on GitHub (luu176) to connect with like-minded peers.

Equip is an access control researcher based in Britain, with a focus on RFID systems. Known for his hands-on approach, he’s often found experimenting with RF tech and spreading the good word. Equip is an active contributor in RFID-focused Discord communities, where he regularly helps others troubleshoot and learn. He shares his RFID projects and discoveries on GitHub & Gists, making his work accessible for others in the field.

What if AI could perform autonomous vulnerability research? In this talk, we explore how close we are to that future and what it takes to get there.

We demonstrate how AI agents, powered by LLMs and custom tooling, can analyze Android applications, uncover advanced vulnerabilities, and assist in exploit development. Starting with our open-source JADX MCP plugin (https://github.com/mobilehackinglab/jadx-mcp-plugin) for static analysis, we show how AI can reason about app structure and already find real-world vulnerabilities.

This presentation walks through lessons learned, and what’s possible when you stop treating AI as just a chatbot.

Umit Aksu is the founder of Mobile Hacking Lab, the leading platform for hands-on offensive mobile security training. With over a decade of experience in offensive security, reverse engineering, and vulnerability research, Umit has led red teams, built security programs at companies like Microsoft and ING Bank, and trained hundreds of professionals through Black Hat USA, Black Hat Asia, and his own platform.

He is also the creator of Djini AI, a cutting-edge platform that automates vulnerability discovery in closed-source mobile apps and firmware using agentic AI. His current research focuses on mobile fuzzing, exploitation and building automated AI systems to scale deep vulnerability discovery.

I’ll break down five practical persistence mechanisms that allow adversaries to remain resident in virtualized environments (even through reboots, patching cycles, and partial remediation efforts). These include:

• Payload injection via local.sh and profile.local • Malicious services in /etc/init.d • Symlink hijacking of trusted binaries (like esxcli) • Custom VIB (vSphere Installation Bundle) creation and implantation

While some of these techniques have been observed in malware families like BadVIBes, VIRTUALPITA, and VIRTUALPIE, a couple others represent novel techniques we’ve weaponized in our lab environments but remain largely unobserved in the wild. Every approach is designed to leverage Living-off-the-Land (LOTL) native binaries and config paths, turning ESXi’s minimalism into an attacker’s advantage.

This talk will walk through each method with technical depth, LOTL payload examples, and visual demonstrations. I’ll also explore follow-on actions post-compromise such as ESXi firewall manipulation/DNS reconfiguration to facilitate stable C2 channels. If you’re responsible for red team ops, adversary emulation, or just curious how attackers achieve deep infrastructure persistence, this session will show you a few different ways to persist beneath the hypervisor.

JC is a Cyber Threat Analyst at a cybersecurity startup and a former U.S. Air Force Special Warfare operator. He focuses in studying and modeling adversary tradecraft, internal network and hypervisor exploitation, and researching stealthy persistence techniques. A regular CTF competitor and recent contributor to the MITRE ATT&CK v17 framework, he brings a mission-focused approach to red team research and offensive security

A Great Talk for Aspiring Security Professionals! Discover how a hobbyist hacker —armed only with curiosity and spare time — took on an active supply-chain attack against the popular FOSS communication tool, Pidgin. In this talk, you’ll learn all about the step-by-step incident response process: from spotting red flags in the code to countering advanced social engineering ploys orchestrated by a crafty threat actor across multiple platforms. It’s a real-world example that shows how anyone — even with zero professional security background — can become an effective defender and give back to the community. If you’ve ever found yourself stuck in the frustrating loop of “How can I get a job if I have no experience because I can’t get a job?”, this session is for you.

Last year, both of us (Eliraz and Alon) participated DEF CON, and the Cloud Village was our favorite. One of the topics that was well covered in last’s year conference was the threat of Azure Managed Identities abuse. While many offensive aspects related to it were covered as part of DEFCON, and different articles and talks over the past year, the defensive aspects of it remained uncovered. This year we want to visit the cloud village again, this time sharing our research of the last 4 months, in which we will fill in this significant defensive gap to complement last year’s talks, by focusing on proactive threat-hunting techniques to identify and address Azure MI abuse. By examining common attack vectors and presenting advanced detection strategies, we aim to bridge the visibility gap and equip security teams with practical tools for forensic investigation and real-time monitoring using diverse Microsoft log sources.

We aim to empower participants with advanced strategies for leveraging Microsoft log sources, providing practical knowledge and detailed examples that span both real-time monitoring and forensic investigation. This talk is grounded in comprehensive research we’ve conducted over the past few months, during which we simulated various MI abuse scenarios and analyzed relevant logs and detection opportunities across dozens of enterprise environments. We’ve already released the first 2 parts of our research series, the first part in which we explore the blast radius of a compromised Managed Identity and the significance of NHIs (Non-Human Identities) in the broader cloud threat landscape, and the second one in which we covered threat hunting, investigation techniques, and forensic analysis of such incidents. In this talk, we will cover this and more! Attendees will leave this session equipped with key takeaways that will help them immediately recognize and respond to incidents involving compromised Managed Identities. They’ll learn how to quickly determine if an MI was involved, assess its blast radius, correlate activity across five or more Azure log sources, and use Azure-specific forensic artifacts to speed up containment and remediation. And this isn’t just for incident response teams – SOC analysts and detection engineers will gain tools and techniques for building targeted detections that bring MI-based threats into visibility. Offensive security professionals will benefit too, gaining a clearer understanding of how MIs can be abused to move laterally across Azure subscriptions, Entra ID, Microsoft 365, and even hybrid environments.

Links to our published research docs: 1. Part 1 – Azure Managed Identities internals and blast radius – https://www.hunters.security/en/blog/abusing-azure-managed-identities-nhi-attack-paths 2. Part 2 – Azure Defense – detection, hunting, and DFIR – https://www.hunters.security/en/blog/azure-managed-identity-threat-hunting-detection-methods

Alon is a seasoned Security Researcher with nearly a decade of expertise in cybersecurity and IT, specializing in cloud security, threat research, incident response, and threat hunting. With a strong focus on Azure attacks, he authored The Human-Friendly Guide: Incident Response & Threat Hunting in Azure Cloud. Currently serving as the Security Research Tech Lead at Hunters’ Team AXON, Alon has also held key roles as a DFIR Team Leader, pentester, and cybersecurity consultant. His extensive credentials include certifications such as GCFA, GNFA, CARTP, CESP, and CRTP

Eliraz is a Security researcher, with 16 years of experience. Eliraz’s core expertise includes detection engineering, IR, and forensics. He’s worked on large-scale incidents, including ransom, data theft, and financial frauds. Furthermore, he’s collaborated with global enterprises on reinforcing security infrastructure, tuning hunting operations, and mentoring SOC analysts.

This talk explores the hidden risks in apps leveraging modern AI systems—especially those using large language models (LLMs) and retrieval-augmented generation (RAG) workflows. We demonstrate how sensitive data, such as personally identifiable information (PII) and social security numbers, can be extracted through real-world attacks. We’ll demonstrate model inversion attacks targeting fine-tuned models, and embedding inversion attacks on vector databases among others. The point is to show how PII scanning tools fail to recognize the rich data that lives in these systems and how much of privacy disaster these AI ecosystems really are.

Patrick Walsh has an over 20 year history of running threat research and engineering teams overseeing products ranging from anti-virus and intrusion prevention to enterprise cloud software. He is a long-time advocate for privacy and security and holds multiple patents in that space. Patrick now leads IronCore Labs, an application data protection platform that uses encryption to protect data stored in the cloud while keeping it searchable and usable. Outside of work, he enjoys the outdoors, photography, hacking, lock picking, biking, swimming, and magic.

This BTV panel brings together industry practitioners to share real-world experiences for successfully implementing strategic technologies within organizations. Through a structured 50-minute discussion, panelists provide actionable insights across the complete implementation lifecycle. The session covers implementation case studies, securing organizational buy-in, strategic roadmaps, and technical deployment challenges. Key focus areas include team development, psychological factors, ROI measurement frameworks, and common failure patterns to avoid. Interactive audience engagement ensures relevant discussion of current implementation challenges facing the cybersecurity community. Attendees will gain concrete strategies for driving technology adoption, success measurement frameworks, and connections with experienced practitioners. Ideal for security leaders, architects, and practitioners responsible for implementing new technologies, processes, or strategic initiatives within their organizations.

Betta Lyon Delsordo began her cyber journey at the age of 13 when she started teaching herself to code. This grew into freelance web development work for small businesses in Montana, where she soon realized she needed to know more about application security to keep her clients safe. She began learning more about secure coding and interned with a hacking firm, and realized she was pretty good at it. After completing a Master’s in Cybersecurity at Georgia Tech, obtaining certifications such as the GPEN, and working her way up through pentesting, Betta is now working as a Lead Application Penetration Tester at OnDefend. Her areas of expertise include application security, secure code review, cloud security, and AI hacking. Betta is very involved in the cybersecurity community and with organizations that support women in technology. She has been a mentor for 9 years with Technovation (an international girls coding program), and is an organizer and speaker for organizations promoting diversity in technology including RTC, WiCyS, WISP, and WSC.

Emily Soward has over 15 years of experience in AI R&D with specializations in governance, operations, and security. She is a serial innovator, inventor, founder, and leader in AI incident response, ecological and edge AI research, and AI security research. She is notable for her courses and teaching in AI governance, risk management, operations, and security, as well as her work on AI and ML frameworks for Amazon Web Services. Her contributions to the HITRUST Alliance AI Working Group supported the launch of the first cybersecurity certification for deployed AI systems. In 2024, she cofounded the AI Incident Response & Control (AIRCTL), an open-source project making top AI security skills accessible for small and under-resourced organizations.

Todd Fletcher is a cybersecurity consultant and PhD student with over 25 years of experience in IT leadership, network, application, public government IT leadership, and security engineering. He currently works as a Professional Services Principal Consultant at CrowdStrike, a leading provider of cloud-native endpoint and workload protection solutions.

As a consultant, he assists information security teams from various sectors to assess their security posture, and develop plans to close security gaps while achieving technical and executive success. He is skilled in agile project management, systems automation, SIEM, SOAR, penetration tools, and security program development based on the NIST framework. He also conducts cloud security and automation with Azure DevSecOps.

In addition to his consulting role, he is pursuing a PhD in cyberpsychology, where he explores the psychological aspects of cybersecurity, such as user behavior, motivation, trust, and risk perception. He is passionate about pushing the boundaries of how to drive successful security initiatives from both a technical and psychological perspective with organizations across many industries.

Founding AI engineer at DeepTempo with a background in data science and detection engineering at Dragos, ad fraud detection at Human, and early experience as a SOC analyst in my university’s SOC.

DARPA’s Information Innovation Office (I2O) creates groundbreaking science and delivers future capabilities in the informational and computational domains to surprise adversaries and maintain enduring advantage for national security. Current research and development focuses on related areas including transformative AI, and offensive and defensive cyber.

Learn how the agency is leveraging advances in state-of-the-art AI to produce trustworthy cyber capabilities that operate beyond human capacity and speed – and anticipate adversary countermeasures to create enduring capabilities.

Stephen Winchell joined DARPA as its 24th Director in May 2025. Prior to this appointment, he led the artificial intelligence and autonomy portfolio for the Defense Department’s Strategic Capabilities Office. Previously, he was chief engineer for the Pentagon’s Algorithmic Warfare Cross-Functional Team, commonly known as Project Maven. He is a graduate of the U.S. Naval Academy, where he later taught as a faculty member in the electrical and computer engineering department. He also served as a submarine officer in the U.S. Navy and continues to serve as an officer in the U.S. Navy Reserve. He has been a Presidential Innovation Fellow at the Intelligence Advanced Research Projects Activity and worked with a venture-backed start-up focused on AI security. He received a master’s in business administration from the University of Virginia, a master’s degree in systems engineering from the Johns Hopkins University, and a master’s degree in applied physics from the U.S. Naval Postgraduate School.

Ever wonder what happens behind the scenes when a company gets hacked? Restoring systems, containing the damage, and keeping attackers out for good doesn’t happen by magic — it takes skilled professionals to guide the process.

Enter the Incident Responder: part digital detective, part crisis manager. Their job is to figure out what went wrong, kick out the bad actors, and make sure it doesn’t happen again.

Join us for a beginner-friendly presentation on the essential role of Incident Responders in cybersecurity.

Joshua Morgan is an information security enthusiast and practitioner in the Blue Team realm who enjoys mentoring newcomers to the industry, collaborating with others in the industry, and teaching the importance of securing all aspects of life through his work as an instructor at a local university for a Masters-level information security course.

Joshua has presented at DEF CON and BSides events and is active in the security community, working with the both Packet Hacking Village and Blue Team Village at DEF CON.

Las oportunidades en InfoSec están por todos lados, pero generalmente quedan enterradas entre diversos sitios web, publicaciones en redes sociales, o incluso en algún canal de la última app de mensajería que está de moda. Ya sea una meetup local, un CFP, una actividad de voluntariado, o la posibilidad de patrocinar una iniciativa, muchas personas y organizaciones pierden oportunidades simplemente porque no saben dónde buscar.

InfoSecMap nació para solucionar este problema. Es una plataforma gratuita, impulsada por la comunidad, que reúne todo el ecosistema global de InfoSec en un solo lugar. Destaca eventos, grupos y convocatorias de participación. Desde conferencias importantes hasta CTFs y encuentros pequeños en el bar de la esquina, InfoSecMap te ayuda a explorar qué está pasando por región geográfica o temática, y a descubrir dónde podés conectar y contribuir.

Si te importa la colaboración abierta, el conocimiento compartido y hacer crecer InfoSec en cada rincón del mundo, InfoSecMap es para vos.

Experienced Software & Security Engineer with a demonstrated history of working in the Health Care & Security industry. Skilled in cybersecurity, penetration testing, cryptography, networking, videoconferencing, VoIP. Proficient in C++, with some exposure to Objective-C, Python, and Bash scripting.

This comprehensive talk will provide an in-depth exploration of advanced threat hunting strategies, showcasing the methodologies employed in our recent reporting on the Decline of Black Basta. Attendees will learn how we tracked threat actor activity on the dark web, specifically focusing on Black Basta, to uncover emerging tactics, affiliations, and operational insights through analysis of illicit forums and marketplaces.x000D x000D The presentation will delve into techniques for monitoring the activities of ransomware-as-a-service (RaaS) groups, including how shifts in membership and operational practices occur after disbandment. Further, we will discuss how to harness investigation telemetry to detect and analyze evolving tactics, techniques, and procedures (TTPs). These approaches enable organizations to anticipate sophisticated cyber campaigns and proactively bolster their defensive strategies.x000D x000D By the end of this session, attendees will have actionable insights and practical methodologies to strengthen their threat detection capabilities, ensuring they stay ahead in the rapidly evolving cybersecurity landscape.x000D

John Dilgen is a Cyber Threat Intelligence Analyst at ReliaQuest, where he specializes in researching cyber threats impacting ReliaQuest customers. With a strong technical background, he previously served as an Incident Response Analyst and Trainer at ReliaQuest.

Explore the basics of what CIP is, how it is used in industry, and how to get started hacking it.

Industrial Controls Engineer and ICS security specialist

New to lock picking? Haven’t picked in a year and need a refresher? Don’t know a half-diamond from a turner? This talk is for you! Join one of our knowledgeable village volunteers as we walk you through the very basics of lock picking, from how to hold your tools to the theory behind the technique that makes lock picking possible.

Physical security is an important consideration when designing a comprehensive security solution. There are loads of ways to get through a door without actually attacking the lock itself, including using the egress hardware, access control hardware, and countless other techniques to gain entry. Learn how these attacks work as well as how to defend against these attacks in this talk!

Karen is a Risk Analyst at GGR Security, and is one of GGR’s entry team for physical penetration tests. She has a strong interest in physical security, delivering trainings on physical security vulnerabilities to a wide range of audiences. Karen comes from a background in engineering and has extensive experience in major event logistics. She is one of the Village Leads at the Physical Security Village, and works with the rest of the PSV team to teach how to recognize and fix security exploits to the community. Graphic design is her passion.

The rapid advancement of deepfake technology, powered by generative adversarial networks (GANs), has revolutionized creative industries but poses significant challenges to global financial security through identity fraud. This study examines the legal and regulatory frameworks addressing deepfake-enabled financial crimes in the UK, EU, and Asia, highlighting the growing sophistication of such fraud, exemplified by a 2024 case in Hong Kong where cybercriminals used deepfake video conferencing to defraud a multinational company of $25 million. Employing a comparative legal analysis and case study approach, this research evaluates the effectiveness of existing regulations, identifies enforcement challenges, and analyzes real-world cases to expose legal gaps. Findings reveal that while China has implemented specific deepfake regulations, the UK, EU, and Hong Kong rely on broader fraud and data protection laws, lacking targeted provisions. These inconsistencies hinder prosecution and cross-jurisdictional cooperation. The study proposes balanced regulatory strategies to combat deepfake-enabled financial fraud while fostering AI innovation, offering critical insights for policymakers, legal practitioners, and financial institutions navigating this evolving threat landscape.

Noel is a Postgardute student of Master Degree in UCL, major in CyberCrime

hardware.ninja is an independent security researcher. He focuses on hardware security researches, penetration test, incidents response and digital forensics analysis. He was the first and the only Asian leading a group of white-hat hackers to hold an in-depth, hands-on hardware hacking village in BLACK HAT and DEFCON. He is also a frequent speaker and trainer in different top-notch security and forensics conferences including SANS, HTCIA, DFRWS, GCC, CodeBlue, HITB, SINCON, AVTokyo and HITCON.

We live in a time where we can buy practically anything online. It’s very tempting to buy cheap products online, including electronics. While saving money can be great, what are we really getting here? Where did it really come from, is it safe to use, and what is really going on behind the scenes? Let’s find out!x000D In this talk, we’ll track the supply chain of a foreign smartwatch on Amazon using various OSINT techniques. After going down the rabbit hole, we’ll perform a hardware/software breakdown with automated and manual analyses (and further OSINT based on our findings). By the end of the talk, you will have a better understanding of some of the tools and processes you can use for performing your own due diligence.

Michael Portera is the Vice President of Cyber Solutions at Sequoia, Inc. In this role, Michael contributes heavily to Sequoia’s cybersecurity initiatives and serves as a key advocate for the company’s cutting-edge cloud solutions across the national security sector. Michael spent eight years in Big Four consulting (KPMG and Deloitte), where he delivered IT and cybersecurity services to both public and private sector clients. He later worked as a Red Team Operator and, in 2020, founded a cybersecurity firm that was acquired in 2023. In 2020, he founded a cybersecurity company, which he sold in 2023. He has presented at major conferences and contributes to open-source projects when time allows. Outside of work, he’s a proud girl dad (x2), enjoys video games, vacations with his family, and board games with friends.