DEF CON Workshops List

Longer, more detailed, hands on, lasting half a day.
These have limited seating. These will fill up VERY quickly!

DEF CON Workshops Short Table

defcon.org Workshops page



Agentic Threat Hunting: Building AI That Remembers What You Hunted

Workshop Map Page – LVCCW Level 2 W233 (Workshops)
When:  Friday, Aug 7, 09:00 – 12:59 PDT

Creator: DEF CON Workshops

Attendees hunt a supply chain compromise in real telemetry. Not a walkthrough – a hunt. A trojanized developer tool has been backdoored. The artifacts are seeded across a shared Splunk instance at layered difficulty: some obvious, some buried. Over four hours, attendees progress through the Five Levels of Agentic Hunting using the open-source Agentic Threat Hunting Framework (ATHF). Each maturity level unlocks new capabilities ‚Äî structure, searchability, AI research agents, and full agentic workflows ‚Äî that help them find what they couldn’t find before. The first hunt is manual. By the last module, AI agents are surfacing hypotheses, identifying coverage gaps, and pointing hunters toward artifacts they missed. The human decides what to chase. The framework remembers what they found. This is not a tool demo. Attendees will make real analytical decisions, write real SPL queries, hit dead ends, and use AI agents to recover. They leave with a working ATHF workspace, documented hunts from a real investigation, and the experience of hunting with an agentic system.

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/fri_am_ws4_4061

People:
    SpeakerBio:  Sydney “letswastetime” Marrone

Sydney Marrone is a threat hunter, cybersecurity professional, co-founder of THOR Collective, author of the Agentic Threat Hunting Framework, and co-author of the PEAK Threat Hunting Framework. She is passionate about making security knowledge accessible and actionable through hands-on research, open-source collaboration, and community-driven projects like HEARTH (Hunting Exchange And Research Threat Hub). Sydney creates resources, leads workshops, and shares insights that spark curiosity and empower defenders. Outside of work, she writes for THOR Collective Dispatch, lifts weights, and makes cyber-themed music using AI to blend creativity and hacker culture.




All About Stoopie InfoStealers: Malware Analysis for Understanding, Custom Coding for True Understanding!

Workshop Map Page – LVCCW Level 2 W231 (Workshops)
When:  Friday, Aug 7, 14:00 – 17:59 PDT

Creator: DEF CON Workshops

Infostealers suck. We all know that. We don’t like them. We want you to learn all that you can about them to help thwart the ongoing, ever-evolving threat. On that note, current infostealers are largely rule-based and path-driven, targeting known browser stores and wallets with noisy exfiltration methods. This four-hour workshop, led by Ryan Chapman and Aaron Rosenmund, moves beyond basic comprehension via observation to explore the evolution of precision-based malware. Students will utilize a live, on-demand lab environment to perform deep malware analysis using Ghidra to understand how current stealers operate. The session then transitions from analysis to creation, where attendees code, compile, and re-build their own “evolved” stealers. We replace static file targeting with in-memory relevance models and trade obvious HTTPS exfiltration for stealthy timing and protocol-native patterns. This hands-on, kinesthetic experience focuses on building a custom arsenal from the ground up. Participants will learn to enhance their tools with behavioral stealth, transitioning from identifying “stoopie” patterns to implementing advanced, AI-driven tradecraft and custom red team tool operations. You won’t just learn how what an infostealer is. You’ll learn how they operated end-to-end. Join us :).

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/fri_pm_ws6_4093

People:
    SpeakerBio:  Ryan “@rj_chap” Chapman

Ryan Chapman is the author of SANS‚ FOR528: Ransomware and Cyber Extortion‚ course, teaches SANS‚ FOR610: Reverse Engineering Malware‚ course, and works as a threat hunter @ $dayJob. Ryan has a passion for life-long learning, loves to teach people about ransomware-related attacks, and enjoys pulling apart malware. He has presented workshops at DefCon and other conferences in the past and knows how to create a step-by-step instruction set to maximize hands-on learning.

SpeakerBio:  Aaron “Ironical” Rosenmund

Aaron Rosenmund is an accomplished cybersecurity professional with extensive experience in various leadership roles across multiple organizations. Currently serving as the Managing Director of Tradecraft and Programs at OnDefend since September 2024, Aaron also holds a position at the National Guard Bureau as Staff Lead for the Cyber Shield Red Team, demonstrating a commitment to enhancing cybersecurity defenses. With a background that includes significant roles at Pluralsight, where responsibilities spanned content strategy and security skills development, and the Florida Air National Guard as a Lead Cyber Operator focused on defensive operations, Aaron has developed a comprehensive skill set in threat emulation, cyber system operations, and training. Additionally, past leadership positions as CEO at Aestus Industries and Vice President at Concrete Surface Innovations underscore strong management capabilities and operational expertise. Aaron holds multiple degrees in technology and cybersecurity from respected institutions, underscoring a solid educational foundation in this field.




Attacking Cloud APIs from the IoT Edge

Workshop Map Page – LVCCW Level 2 W222 (Workshops)
When:  Sunday, Aug 9, 09:00 – 12:59 PDT

Creator: DEF CON Workshops

This course covers attacking the cloud REST APIs and IoT provider (cloud customer responsibility) configurations to demonstrate data exfiltration, remote code execution, and lateral movement. Hands-on experience with using an already compromised, simulated IoT device as well as navigating pen testing (fuzzing) of the common protocols (i.e. MQTT, HTTP) will be covered.

Workshop goal Teach students practical, repeatable techniques to observe, extract, and abuse cloud API credentials and logic from the vantage of a compromised IoT device. Students will leave able to enumerate device‚Üícloud flows, extract tokens, fuzz REST/MQTT endpoints, and demonstrate controlled lateral movement inside an isolated cloud tenant.

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/sun_am_ws7_4023

People:
    SpeakerBio:  Rodney “BenevolentWorm” Beede

Rodney is an offensive security red team pen tester. He has specialized in cloud, web, and IoT security for over 18 years. He has spoken at multiple conferences (BSides, Def Con, Black Hat) on topics ranging from cloud security engineering to IoT device hacking. Rodney has been accredited with multiple CVEs for web vulnerabilities in products such as Wi-Fi hardware and security appliances. He started his career in enterprise web application software development but shifted to the security industry with this master’s thesis research project “A Framework for Benevolent Computer Worms” 2012. Website: https://www.rodneybeede.com/curriculum%20vitae/bio.html




AWS Cloud Security 101: From IAM Misconfigurations to Account Takeover

Workshop Map Page – LVCCW Level 2 W228 (Workshops)
When:  Friday, Aug 7, 09:00 – 12:59 PDT

Creator: DEF CON Workshops

The shortest path from a marketing-site SSRF to production root often runs through AWS, and most defenders can’t see it happening. This workshop teaches you to walk that path yourself.

Working whitebox in provided lab accounts, you’ll move through eight hands-on modules: reading IAM policies for privilege escalation gadgets, turning a single SSRF into a working CLI session via IMDS, abusing cross-account trust, exploiting resource policies across S3/KMS/Lambda, compromising serverless functions, and evading CloudTrail. The workshop closes with a full-chain challenge: build a Python exploit that goes from external SSRF to administrative access in one script.

Prerequisites: Basic AWS familiarity (console + CLI), comfort reading JSON policies, Python. Bring a laptop with AWS CLI v2 and Python 3.10+ installed. No prior offensive cloud experience required.

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/fri_am_ws3_4073

People:
    SpeakerBio:  zeta

zeta is an internet plumber and computer toucher. he spends his days reading IAM policies and his nights wondering why anyone wrote them that way.

SpeakerBio:  Rafa “bane” Gutierrez

“Rafael (bane) is the founder of Secure Origin, where he helps organizations doing public-interest work improve their security, infrastructure, and operational resilience. His work spans vulnerability research, security architecture, detection engineering, adversary emulation, infrastructure operations, and targeted technical engagements.

He is also a researcher and technical lead for The Southlander, a local Los Angeles newsroom. He volunteers with Lucy Parsons Lab and conducts independent research on surveillance technology, supporting reporting on how these systems affect journalists, activists, and local communities.”




AWS Principal Threat Hunting: Behavioral Baselining for Malicious Activity

Workshop Map Page – LVCCW Level 2 W228 (Workshops)
When:  Friday, Aug 7, 14:00 – 17:59 PDT

Creator: DEF CON Workshops

Cloud security encounters attacks that elude standard detection. In AWS, unauthorized access keys are a common cause of breaches. The vastness of AWS—over 450 services and 20,000 API actions—complicates threat visibility and exposes gaps in traditional tools.

This workshop empowers participants with direct, hands-on experience using the AWS Threat Hunter tool to improve threat detection. Attendees will focus on building behavioral baselines and leveraging data-driven analysis to detect subtle AWS principal anomalies, enabling more precise detection than traditional event monitoring.

Attendees will move beyond standard techniques by building multi-stage detection pipelines that create individualized baselines for each IAM principal and systematically flag personalized deviations, linking outliers directly to risks.

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/fri_pm_ws3_4091

People:
    SpeakerBio:  Rodrigo “Sp0oKeR” Montoro

Rodrigo Montoro is the CTO at Clavis Security, bringing over 25 years of leadership and technical expertise to the information technology and cybersecurity landscape. Throughout his career, Rodrigo has been a pioneer in open-source security, specializing in incident detection, response, and Cloud Security. A two-time patented inventor, he holds proprietary technologies for detecting malicious digital documents and analyzing malicious HTTP traffic. With a resume that includes key research roles at Tenchi Security, Apura, Tempest, Sucuri, and SpiderLabs, Rodrigo is a globally recognized authority who frequently speaks at elite conferences such as DEF CON Workshops (2023), DEF CON Cloud Village (3x), Black Hat Brazil Summit, SANS (DFIR, SIEM Summit, CloudSecNext), Source (Boston and Seattle), Toorcon (San Diego), Sector Canada (6x), and BSidesLV.




Battle-Tested Broadcasts: RF Insights From Ukraine

Workshop Map Page – LVCCW Level 2 W233 (Workshops)
When:  Saturday, Aug 8, 09:00 – 12:59 PDT

Creator: DEF CON Workshops

Every wireless thing in your life is broadcasting. The question is who’s listening ‚Äî and what they can do with it. Battle-Tested Broadcasts is a four-hour, hands-on workshop on RF detection and direction finding, framed by the most demanding live laboratory in the world for these techniques: the Ukrainian frontline. We start with universal foundations ‚Äî frequency, modulation, antennas, what your SDR can and can’t see ‚Äî and pivot into where neural-time RF detection becomes existential: drones. A pilot powers up an FPV controller thirty seconds before impact. Pure RF detection is often the only sensor in the chain that catches the threat before the drone leaves the ground. We cover what’s actually in the air across a contested battlefield slice ‚Äî controllers, video downlinks, telemetry beacons, battlefield comms, GNSS, and the increasingly exotic bands operators are pushing into to dodge electronic warfare. We dissect the honest limits of common off-the-shelf SDR tooling, and the ways adversaries already evade pure RF detection: from fiber-optic and autonomous drones to wired front-line networks, frequency hopping, and out-of-scan spectrum. Attendees solder and flash a Signal Compass ‚Äî a pocket ESP32 signal detector with directional bearing. Rotating lab stations cover passive scanning, fingerprinting, direction findi

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/sat_am_ws4_4077

People:
    SpeakerBio:  Preston Zen

Preston Zen ‚ the original creator of 1337sheets.com, OSCE3 certified, now leading Kaizen Labs out of a Japan / Ukraine hybrid office. Software, hardware, and cybersecurity background. Volunteering in Ukraine since 2022 with NGOs including Dronarnia, BeeTA, American Made Freedom, and Shield of Freedom on drone systems, RF detection, EW countermeasures, and humanitarian logistics. DEFCON regular since DC25 and a Hac-Man CTF contributor for the past three years. He’s shipped more boards than he’s counted, and has spent enough time near the Ukrainian frontline to have strong opinions about which detection tools actually work when the noise floor is on fire.




Building Agentic Reverse Engineering “Skills”

Workshop Map Page – LVCCW Level 2 W231 (Workshops)
When:  Saturday, Aug 8, 14:00 – 17:59 PDT

Creator: DEF CON Workshops

Agentic reverse engineering blends interactive binary analysis with autonomous agent workflows. Building on workshops at REcon and DEF CON Singapore, this session introduces Agent Skills, structured bundles of instructions, scripts, and resources that coding agents discover and execute. Skills enable multi-step RE tasks with high accuracy and minimal prompting via workflow capture and progressive disclosure.

Participants learn how coding agents operate through iterative loops (generate, execute, inspect, refine) and how Skills plug into these loops. The workshop is hands-on: attendees build a multi-platform driver-analysis Skill automating IOCTL enumeration, dispatch-flow analysis (Windows IRPs, Linux file ops, macOS IOKit), code-flow analysis, and workflow capture. A capstone challenge has participants build a second Skill from scratch.

Supports Claude Code, OpenCode, Mistral Vibe, and pi. The instructor provides LLM inference for all attendees, so no paid API keys are required. Students may also use free inference tiers from OpenCode or similar providers.

Attendees leave with practical experience to implement agentic RE Skills in their own workflows. Basic familiarity with RE concepts and a laptop with a coding agent installed is all that is needed.

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/sat_pm_ws6_4009

People:
    SpeakerBio:  John “clearbluejar” McIntosh

John McIntosh (@clearbluejar) is a security researcher and founder of ClearSecLabs, specializing in reverse engineering, vulnerability research, and AI-assisted binary analysis. He is the author of ghidriff, an open-source Ghidra-based binary diffing engine, and pyghidra-mcp, a headless Ghidra MCP server enabling LLM-driven, project-wide, multi-binary reverse engineering workflows. An active contributor to the Agent Skills ecosystem, John bridges deterministic analysis with AI-driven reasoning to accelerate vulnerability research. He has delivered training and workshops at DEF CON, Black Hat, REcon, Ringzer0, 44CON, Objective by the Sea, and Insomni’hack, covering topics from practical Windows reverse engineering to building private local LLM RE stacks. His recent work includes the “Agentic RE” training at DEF CON Singapore 2026, the MCP Ghidra workshop at REcon 2025, and the “Supercharging Ghidra” LLM workshop at Ringzer0 COUNTERMEASURE 2025. With over a decade of offensive security experience, John publishes detailed research on reversing CVEs, building RE tooling, and agentic patch diffing at clearbluejar.github.io. His teaching emphasizes reproducibility, progressive skill-building, and contributor empowerment.




Building your own hardware hacking kit to Pentest Bluetooth, WIFI, and more.

Workshop Map Page – LVCCW Level 2 W225 (Workshops)
When:  Sunday, Aug 9, 09:00 – 12:59 PDT

Creator: DEF CON Workshops

You will receive a free hardware kit, documentation, and class introduction to the same hardware configuration used by hundreds of hacking hardware tools as their main core. We will cover Wifi Hacking on both 2 and 5ghz, Bluetooth hacking, packet capture, Flipper interface (bring yours if you have one), Sensor integration (also included), Mesh networking, point to point communications and more. Requirements: Laptop, Fully charged, USB-A interface, Windows OS (we will discuss MAC and Linux, but you will need to have knowledge and permissions to install tools). You can attend without above and still get kit, but it will not be hands on. All information will be published after the workshop if you don’t have a laptop. You will get a modern ESP32, Sensor, breadboard, USB cable, wires and more during the workshop.

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/sun_am_ws8_4069

People:
    SpeakerBio:  Dallas

Dallas has been involved in hacking since early teens, which translates to sometime in the 80’s. Mentored by Satellite and Ham hackers, has been involved in a few organizations including all levels of government, 3 letter agencies, serving as Chief security officer, CISO, and technical manager of multiple world-wide organizations. Banking, Energy, Space, Telecom, Government and manufacturing. Elected, re-elected, served and got the trophy. OG Considered an expert in Pen testing, variety of related and unrelated technology – occasionally serving 15+ years as a Defcon security goon, and around 10 for B-sides organizations. Alexa Park being his first Defcon. Mostly bored, but thinks AI is kind of fun and enjoys giving back to the community. Doing his best to not get arrested, and share knowledge with those interested in seeking it.




CI/CD Weaponization: Build It, Deploy It, Own It

Workshop Map Page – LVCCW Level 2 W230 (Workshops)
When:  Sunday, Aug 9, 09:00 – 12:59 PDT

Creator: DEF CON Workshops

GitHub Actions has become the de facto automation layer for modern software, and the de facto attack surface. In 2025, a single compromised Action leaked secrets across 23,000 repositories. One year later, the TeamPCP group ran the same playbook at scale by compromising Trivy’s actions. Different victims, same root cause: a CI/CD pipeline that trusted what it shouldn’t.

In this hands-on workshop, participants will build a complete end-to-end attack chain in a controlled lab environment, emulating adversary TTPs observed in recent GitHub Actions breaches. From initial access through malicious workflow manipulation to secret exfiltration, each phase is paired with detection and analysis techniques to bridge offensive and defensive perspectives.

Whether you’re on a red or purple team looking to simulate attacker behavior, or part of a blue team (AppSec or DevSecOps) aiming to harden CI/CD pipelines, this workshop delivers practical, real-world skills grounded in today‚Äôs evolving threat landscape.

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/sun_am_ws1_4043

People:
    SpeakerBio:  Ricardo Sanchez

Ricardo Sanchez is an accomplished cybersecurity professional with a passion for empowering others through knowledge sharing. He has built his career designing and implementing innovative technology strategies for threat intelligence, detection engineering, and threat hunting to combat evolving cyber threats. Currently, Ricardo leads the Application Security (AppSec) practice at a leading insurance company in Peru, where he works closely with DevSecOps teams to enhance security across the software development lifecycle (SDLC) and supply chain. Committed to lifelong learning, Ricardo thrives on analyzing malware and staying at the forefront of cybersecurity advancements.

SpeakerBio:  Daniel Malvaceda

Daniel Malvaceda is a security architect who spends most of his time figuring out how CI/CD pipelines and supply chains actually fail, then writes it up so others don’t have to learn it the hard way. Lately he’s also poking at AI/LLM agents, since pipelines aren’t the only thing shipping untrusted code anymore. He co-founded pipebreach.com, where real-world supply chain attacks get reproduced, dissected, and written up for everyone else. He also co-organizes the DevSecOps village at Ekoparty (Argentina and Miami), and has dragged these same topics to stages at Ekoparty, DevOps Days, and 8.8 Security Conference. If a pipeline can be weaponized, he wants to know about it first.




Creating Shellcode for Hackers

Workshop Map Page – LVCCW Level 2 W232 (Workshops)
When:  Sunday, Aug 9, 09:00 – 12:59 PDT

Creator: DEF CON Workshops

Creating shellcode is for the brave! This workshop takes a modern approach to the time-honored tradition of Windows shellcode creation. Intended for those with intermediate to advanced knowledge, we will refresh x86 assembly and cover Windows internals.

You will create Win32/WoW64 shellcode with NASM before moving onto intermediate, multi-API shellcode. Along the way, we will cover GetPC, position independence, bad characters, calling conventions, stack discipline, manual API resolution through the PEB/TEB, export walking, name/hash-based resolution, strings, and passing handles or pointers between calls.

For evasion, we will explore manual/automated encoding techniques, making our shellcode self-modifying. We will also cover advanced techniques, including direct Windows syscalls with ShellWasp. You will learn Windows structures, native API parameter handling, and creating persistence with syscalls. Expect to be made privy to many shellcoding tips and tricks to bring out the best in your shellcode.

By the end, you’ll be able to: Create Windows shellcode using NASM; launch and debug it; resolve and chain WinAPIs by name or hash; obfuscate and encode shellcode; integrate direct syscalls with ShellWasp.

Prep: Study x86 assembly and basic Windows debugging. A VM will be provided. Required: modern PC (Intel) / VM

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/sun_am_ws5_4055

People:
    SpeakerBio:  Bramwell “Bw3ll” Brizendine

Dr. Bramwell Brizendine has a Ph.D. in Cyber Operations and is the Director of the VERONA Lab. Bramwell has regularly spoken at DEFCON and presented at all regional editions of Black Hat (USA, Europe, Asia, MEA), as well as at Hack in the Box Amsterdam, Virus Bulletin, and Wild West Hackin’ Fest. Bramwell received a $300,000 NSA research grant to create the SHAREM shellcode analysis framework, which brings unprecedented capabilities to shellcode analysis and $500,000 as a 2025 DARPA YFA recipient for a PE file emulation framework. He has additionally authored ShellWasp, which facilitates using Windows syscalls in shellcode, as well as two code-reuse attack frameworks, ROP ROCKET and JOP ROCKET. Bramwell has previously taught undergraduate, master’s, and Ph.D. courses on software exploitation, reverse engineering, offensive security, and malware analysis. He currently teaches cybersecurity courses at the University of Alabama in Huntsville.

SpeakerBio:  Austin “quantumite” Norby

Dr. Austin Norby is a seasoned cybersecurity professional with over a decade of experience supporting the Department of Defense. He earned his bachelor’s degrees in mathematics and computer science from the University of Minnesota, a master’s degree from the Naval Postgraduate School, and a Doctorate in Cyber Operations from Dakota State University, specializing in anti-debugging techniques. Currently, Dr. Norby serves as the Director of Internal Research and Development at Bogart Associates, where he is responsible for spearheading the creation of advanced cybersecurity solutions for government use. His technical proficiencies include reverse engineering, malware analysis, and software engineering, with a strong focus on developing robust cyber capabilities in C, C++, Intel assembly, and Python.

SpeakerBio:  Micah Flack

Micah Flack is a cybersecurity researcher at Idaho National Laboratory, where his work spans vulnerability research, firmware and hardware analysis, malware forensics, exploit development, and reverse engineering across multiple platforms and architectures. He is currently pursuing a Ph.D. in Cyber Operations at Dakota State University, with research interests rooted in applied cybersecurity, software exploitation, malware analysis, and shellcoding. Micah also holds both a Master’s degree in Computer Science and a Bachelor’s degree in Cyber Operations from DSU, where he was active in cybersecurity research and competitions. Micah brings a hands-on perspective from his varied experiences in working with assembly, payload development, embedded systems, and offensive security research.




Detecting and Analyzing Memory Only Malware with Volatility 3

Workshop Map Page – LVCCW Level 2 W232 (Workshops)
When:  Saturday, Aug 8, 09:00 – 12:59 PDT

Creator: DEF CON Workshops

Memory-only malware is now commonly used by threat actors ranging from criminal organizations to ransomware operators to APT groups. To detect such malware, memory forensics, which is the examination of a system’s volatile memory (RAM), must be performed. Volatility 3 is the latest version of the Volatility Memory Analysis framework and is the most widely used open-source framework for memory forensics. In this workshop, students will learn how to use Volatility 3 to detect the most sophisticated malware techniques found in the wild. This learning will occur through a mixture of lectures, live demos, and extensive hands-on labs where students analyze memory samples infected with real malware. While students work through labs, instructors walk to each student’s station to ensure they are progressing. An instructor also walks through each lab live upon completion, and students are given a 35+ page lab guide that contains all the scenarios, questions, and detailed answers. Students can later use the course slides and lab guide to practice as well as to guide real-world investigations. The workshop’s instructors are core Volatility developers who have made significant contributions to the project. By attending this workshop, students will gain deep knowledge and hands-on experience analyzing memory-only malware.

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/sat_am_ws5_4024

People:
    SpeakerBio:  Andrew Case

Andrew Case is the Director of Research at Volexity and has significant experience in incident response handling, digital forensics, and malware analysis. Case is a core developer of Volatility, the most widely used open-source memory forensics framework, and a co-author of the highly popular and technical forensics analysis book “The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory.” Case has spoken at many industry conferences, including DEF CON, Black Hat, RSA, DFRWS, SecTor, BSides*, and OMFW.

SpeakerBio:  Pierre “Abyss Watcher” Breton

Pierre (Abyss Watcher) Breton is a researcher at Volexity, holding a Master of Science in Cybersecurity, specializing in digital forensics, malware analysis and detection engineering. He is a primary contributor to Volatility, the most widely used open-source memory forensics framework. Breton has demonstrated a great ability to assist the incident response community by developing innovative capabilities and resources. He conveys his passion through the organization of CTF events and training sessions that showcase both accessible and challenging topics.

SpeakerBio:  David McDonald

David McDonald is a researcher and software engineer with 5 years of digital forensics R&D experience. His passion for this field began with his involvement in the University of New Orleans CTF team, as well as through his time as a Systems Programming teaching assistant. After over two years of digital forensics research and development on Cellebrite’s computer forensics team, he joined Volexity’s Volcano team, where he now works to develop next-generation memory analysis solutions. He believes deeply in sharing knowledge and helping others discover their abilities and interests through their own journeys in cybersecurity, and strives to pay forward the benefits of the mentorship that has opened so many doors for him.




Embedded Computing Tools for Wireless Hardware Hacking

Workshop Map Page – LVCCW Level 2 W233 (Workshops)
When:  Friday, Aug 7, 14:00 – 17:59 PDT

Creator: DEF CON Workshops

Hands-on exploration of embedded hardware tools implementing multiple wireless communication standards. Experiment with Wi-Fi wireless local area network (WLAN) technology and Bluetooth personal area network (PAN) technology. Stream audio to and from a variety of endpoints. Configure a Nordic nRF52 Bluetooth sniffer to capture and analyze wireless communications using Wireshark. Examine the design and manufacture of an exclusive dual-core embedded hardware target supporting both Wi-Fi and Bluetooth. Leverage the target to experiment with microcontroller-based wireless hardware hacking. Practice both sinking and sourcing Bluetooth Audio streams into and out of the hardware target. Capture Wi-Fi packets using onto the hardware target for transfer to Wireshark for analysis. Perform example security exploits and countermeasures using embedded wireless hardware tools.

PLEASE NOTE: This workshop requires purchasing the necessary hardware tools. A link to complete the purchase of $60 will be provided upon registration for the workshop. The purchased kits will be distributed during the workshop.

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/fri_pm_ws4_4046

People:
    SpeakerBio:  Joseph Long

Joseph Long has been tinkering, designing, and hacking electronic systems for about forty years. He is the founder of HackerBoxes.com, the monthly subscription box service for electronics, cybersecurity, and hacker culture. Joseph is a licensed professional engineer and patent attorney who loves to teach electrical engineering and computer science topics.




Entra ID Persistence – Because Passwords Were Never the Problem

Workshop Map Page – LVCCW Level 2 W228 (Workshops)
When:  Saturday, Aug 8, 14:00 – 17:59 PDT

Creator: DEF CON Workshops

Modern enterprise security has shifted from network boundaries to identity, making Microsoft Entra ID a critical control plane and a prime target for persistence. While credential theft remains common, sophisticated attackers increasingly establish long-term access through identity-layer backdoors that survive password resets and evade traditional monitoring.

We will explore how attackers achieve durable persistence in Microsoft Entra ID by abusing service principals, federated identities, passwordless authentication methods, and device trust relationships. The session highlights techniques that remain effective even after common remediation actions like credential rotation and MFA enforcement. Through guided, hands-on scenarios, participants will simulate these identity-layer persistence techniques and understand their real-world impact demonstrating how adversaries integrate into legitimate identity workflows to maintain covert, long-term access without raising immediate suspicion.

Participants will step into the role of an adversary and explore how persistence is established and maintained inside Microsoft Entra ID. Rather than focusing on theory, this workshop breaks down real-world attack paths used to retain access beyond initial compromise highlighting techniques that survive password resets, MFA enforcemen

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/sat_pm_ws3_4074

People:
    SpeakerBio:  Raunak “Trouble1” Parmar

Raunak Parmar works as a senior cloud security engineer at White Knight Labs with 6+ years of experience. His areas of interest include web penetration testing, Azure/AWS security, source code review, scripting, and development. He enjoys researching new attack methodologies and creating open-source tools that can be used during cloud red team activities. He has worked extensively on Azure and AWS and is the author of Vajra, AzDevRecon and MsCodePhish. He has spoken at multiple respected security conferences like Black Hat, Defcon, Nullcon, RootCon, HackspaceCon, NorthSec, LeHack , etc and also at local meetups.

SpeakerBio:  Chirag “3xpl01tc0d3r” Savla

Chirag Savla is a Cyber Security professional with 10+ years of experience. His areas of interest include penetration testing, red teaming, azure and active directory security, and post-exploitation research. He prefers to create open-source tools and explore new attack methodologies in his leisure. He has worked extensively on Azure, Active Directory attacks, defense, and bypassing detection mechanisms. He is an author of multiple Open Source tools such as Process Injection, Callidus, etc. He has presented at multiple conferences and local meetups and has trained people in international conferences like Blackhat, BSides Milano, Wild West Hackin’ Fest.




Explore the Windows instrumentation callback

Workshop Map Page – LVCCW Level 2 W225 (Workshops)
When:  Saturday, Aug 8, 09:00 – 12:59 PDT

Creator: DEF CON Workshops

The Nirvana Debug is a type of instrumentation callback existing since Windows 7. This workshop idea is to see how this feature can be weaponized in order to either: – Hijack execution flow – Perform process injection – Perform sleep obfuscation for C2 beacon

During this workshop, you will learn the main principle of Nirvana Debugging, and try to weaponize it. Some debugging, reverse and coding will be needed in order to create a new malware that will evade classic EDR solutions.

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/sat_am_ws7_4006

People:
    SpeakerBio:  Yoann “OtterHacker” DEQUEKER

Yoann Dequeker (@OtterHacker) is a red team operator at Wavestone entitle with OSCP and CRTO certification. Aside from his RedTeam engagements and his contributions to public projects such as Impacket, he spends time working on Malware Developpement to ease beacon deployment and EDR bypass during engagements and is currently developing a fully custom C2.

His research leads him to present his results on several conferences such as LeHack (Paris), Insomni’hack (Swiss) or even through a 4-hour malware workshop at Defcon31,32 and 33 (Las Vegas). All along the year, he publishes several white papers on the techniques he discovered or upgraded and the vulnerabilities he found on public products.




From Prompt to PWN: Exploiting LLM Powered Web Applications with OWASP Techniques

Workshop Map Page – LVCCW Level 2 W229 (Workshops)
When:  Saturday, Aug 8, 14:00 – 17:59 PDT

Creator: DEF CON Workshops

This hands-on workshop explores the offensive security of AI-powered applications where Large Language Models connect to real tools via MCP (Model Context Protocol) servers. Over four hours, participants attack 11 purpose-built AI agents across 9 exercises, exploiting vulnerabilities mapped to the OWASP Top 10 for LLM Applications 2025.

You will perform prompt injection (direct and indirect via RAG poisoning), force AI agents to generate malicious SQL/NoSQL queries through MCP tool interfaces, chain path traversal and SSRF through tool-calling parameters, abuse excessive agency via MCP-exposed CRUD operations, trigger stored XSS through LLM output, and achieve remote code execution via a poisoned supply chain, all through natural language conversation.

This workshop is ideal for red teamers, penetration testers, security engineers, and developers building with LLMs. No prior AI or ML experience is required; every technique is demonstrated before the hands-on lab. Just bring a laptop with a browser.

You walk away with practical experience exploiting 93 attack objectives against live LLM agents, a clear understanding of how traditional web vulnerabilities are amplified through AI tool-calling architectures, and the instincts to spot these risks in your own AI deployments.

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/sat_pm_ws2_4022

People:
    SpeakerBio:  Abhinav Verma

Abhinav Verma is a Senior Staff Security Engineer at Intuit Inc. with 15+ years of experience across AI security, offensive security, red teaming, product security, and security operations. He currently leads AI security architecture reviews, AI penetration testing, and vulnerability management programs, with a focus on AI security, AI threat modeling, and securing large-scale cloud platforms.

Over the course of his career at Intuit, he has built security automation, scaled continuous security scanning across thousands of assets, led secure design reviews for platforms serving millions of customers, and developed secure coding programs that have helped thousands of engineers shift security left. Abhinav was formerly an independent security researcher and has identified and reported vulnerabilities in numerous major online services and technology companies.

He holds certifications including OSEP, OSCP, OSWP, GWAPT and CEH. Outside of work, Abhinav is a passionate gamer, a trained chef, an avid camper, and a mentor to aspiring offensive security practitioners.




HackTheCloud26: Chaining Cloud Misconfigurations to Compromise Infrastructure

Workshop Map Page – LVCCW Level 2 W230 (Workshops)
When:  Saturday, Aug 8, 09:00 – 12:59 PDT

Creator: DEF CON Workshops

HackTheCloud25 CTF Manager is an automated orchestration framework designed for the management of cloud cybersecurity challenges. It enables the deployment of intentionally vulnerable laboratories across AWS, Azure, and GCP using Terraform as the underlying Infrastructure-as-Code engine. The solution centralizes challenge definitions via YAML files, managing complex dependencies, dynamic variables, and resource outputs through a unified command-line interface (CLI) to list, deploy, destroy, and monitor resources in a controlled environment.

Furthermore, the framework incorporates environment validation, automated credential detection, detailed event logging, and support for reusable configurations, ensuring high scalability and traceability for complex attack scenarios. Collectively, the CTF Manager provides a reproducible and extensible approach to orchestrating practical cloud security exercises for educational purposes, streamlining the creation, operation, and maintenance of vulnerable infrastructures within dedicated testing environments.

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/sat_am_ws1_4034

People:
    SpeakerBio:  HackeMate

HackeMate is the host of the YouTube channel under the same name, where the creator, an Offensive Cybersecurity Engineer, shares their expertise in ethical hacking, as well as offensive and defensive security. With over 30,000 subscribers engaged in the world of cybersecurity, they have established themselves as a key figure in the community through challenges, technical analyses, and hands-on demonstrations. Professionally, HackeMate holds Red Team certifications such as the eLearnSecurity Junior Penetration Tester (eJPT) and Web Penetration Tester (eWPT), along with Blue Team certifications like Microsoft Azure Fundamentals (AZ-900) and Microsoft Security, Compliance, and Identity Fundamentals (SC-900). They are also a Google Product Expert for Google Drive, contributing their knowledge in cloud security and optimization.




Hands-on DuckyScript: An Introduction to HID Attack Tools with O.MG Devices

Workshop Map Page – LVCCW Level 2 W222 (Workshops)
When:  Saturday, Aug 8, 14:00 – 17:59 PDT

Creator: DEF CON Workshops

“Don’t plug in devices you don’t trust.” It’s one of the most repeated pieces of security advice in the industry. What actually happens when a malicious USB device is plugged in? How does it work? This hands-on, four-hour workshop answers those questions by putting the tools directly in attendees’ hands. Using O.MG Devices and the DuckyScript v3 scripting language, participants will learn the fundamentals of Human Interface Device (HID) attacks from the ground up. Starting from USB protocol basics all the way through real payload design, delivery strategy, and advanced techniques including wireless triggering, C2 integration, and air-gapped exfiltration (using HIDX StealthLink). The class is beginner-friendly and builds progressively: no prior red teaming experience is required. Only a DuckyScript v3 device is required. Attendees will leave with working scripts, a framework for payload design, and an understanding of what attackers and defenders need to look for. We will cover OpSec, detection (and evasion), and how accessibility-first design thinking can make both attackers and defenders more effective.

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/sat_pm_ws8_4037

People:
    SpeakerBio:  wasabi

wasabi is a researcher, tinkerer, and professor of cybersecurity whose work spans IoT and embedded systems, cloud infrastructure, and offensive tooling. Their research focuses on uncovering systemic weaknesses across modern embedded environments, with an emphasis on practical exploitation and defensive resilience. When not tinkering, wasabi spends most of his time outdoors in nature.

SpeakerBio:  Ø1

Ø1 is a seasoned offensive security professional who turned a lifelong passion into a dynamic career. Beginning as a machine operator, he transitioned into the world of cybersecurity, where he has since traveled globally, conducting and leading numerous penetration tests and red team engagements. With a wealth of hands-on experience, he excels at identifying vulnerabilities and strengthening defenses for organizations worldwide. In 2022, he joined the O.MG team, balancing this role alongside his primary job to contribute to product testing, documentation, tooling, and customer support. Beyond his professional pursuits, √ò1 is a devoted cat father with a love for guns, cars, BBQ, and gardening.

SpeakerBio:  Tokugero

Tokugero is a Site Reliability Engineer and Cloud Architect focused on incident response, operations engineering, and running resilient infrastructure at scale. He works across the full ops stack — from system design and automation to the messy realities of keeping production healthy.




Hands-on IoT firmware extraction and flash forensics

Workshop Map Page – LVCCW Level 2 W225 (Workshops)
When:  Friday, Aug 7, 09:00 – 12:59 PDT

Creator: DEF CON Workshops

Did you ever wanted to hack an IoT device but did not know how to start? Having UART is nice, but does not help in many cases.

For a complete analysis of an IoT device, it is required to look at the firmware itself. In most cases this means that the firmware, data or encryption keys need to be extracted from the device memory. Many researchers are hesitant to do that as there is a high risk of destroying the device or leaving it in an inoperable state. In this workshop we will look at different flash memory types (EEPROM, SPI flash, NAND flash, eMMC flash) and how to extract the information from them.

We will show that you do not need very expensive hardware to archive your goal and that it is not as complicated as everyone believes. See which tools might be useful for your own lab!

Participants will have the opportunity to work in groups and being provided different kinds of IoT devices (e.g. smart speakers). After a tear-down, you can use different chip-off methods (e.g. Hot air, IR soldering) to remove the flash chip and read it out. Optionally, the tools re-ball and re-solder the IC will be available after the workshop. In the end, each team should have the data and a functional device again.

Bonus: If you brick the device, you can keep the parts as a souvenir or can wear them as badges.

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/fri_am_ws7_4076

People:
    SpeakerBio:  Dennis Giese

Dennis Giese is a researcher with the focus on the security and privacy of IoT devices. While being interested in physical security and lockpicking, he enjoys applied research and reverse engineering malware and all kinds of devices. His most known projects are the documentation and hacking of various vacuum robots. He calls himself a “robot collector” and his current vacuum robot army consists of over 95 different models from various vendors. He talked about his research at the Chaos Communication Congress, REcon, HITCON, NULLCON, and DEFCON.

SpeakerBio:  Braelynn Luedtke

Hacker and tomato farmer. Enjoys researching the security of anything that piques her curiosity. She has previously presented this research at conferences such as Chaos Communication Congress, HITCON and DEFCON.

SpeakerBio:  Arnold Wey

Arnold Wey is an electronics security researcher. His recent work includes security testing of virtual GPU implementations, robot arm communication protocols, and repurposing a 3D printer for fault injection research.

SpeakerBio:  Harsha Potu

Harsha has been taking things apart since he could get his hands on a screwdriver for fun and profit. Nowadays he is a cybersecurity researcher with a decade of experience in embedded security. He loves to reverse boards + firmware and regularly finds vulnerabilities at various layers of execution. Especially interested in breaking secure boot chain designs!




Hecate: A Trivial UART Tool

Workshop Map Page – LVCCW Level 2 W231 (Workshops)
When:  Saturday, Aug 8, 09:00 – 12:59 PDT

Creator: DEF CON Workshops

Hecate is an open source UART implant framework designed to make common hardware hacking tasks easy with minimal code. It turns any CircuitPython microcontroller into a powerful, customizable UART implant.

In this workshop, you’ll get to use all the core features of Hecate and see how they work against multiple target devices. We’ll start hands-on by listening to a device’s UART output, and then configuring Hecate to operate in standalone mode and log that UART data to a file. Once we’ve seen it in action, we’ll step back for a bit of lecture about UART, what it’s used for, and what we designed Hecate to be capable of. Armed with this knowledge, you’ll dive into two more hands-on labs: a payload dropper that will playback a custom transaction and a simple detector that will signal an alert when it detects a pattern. We’ll reconvene for a last bit of lecture on how to use some of Hecate’s advanced features, before you dive into the final lab: implement a full implant-in-the-middle capable of modifying UART data in flight.

Hecate makes developing embedded implants trivial, while remaining flexible enough for advanced research and rapid prototyping. You’ll walk away with hands-on experience using the Hecate framework and a working understanding of what’s possible with UART interception, manipulation, and exploitation

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/sat_am_ws6_4072

People:
    SpeakerBio:  mx

Maxie is an erstwhile cloud infrastructure engineer, formerly an SRE at Google Cloud Platform and others. She came to the world of hardware hacking and embedded devices first as a pleasant escape from the quotidian indignities of working in the cloud, and she stayed for the addictive aroma of flux fumes. She enjoys making ill-advised expansions to her homelab and spending evenings at her local hackerspace in Portland, OR.

SpeakerBio:  Joe “SecurelyFitz” FitzPatrick

Joe FitzPatrick (@securelyfitz) is a trainer and researcher at SecuringHardware.com with a personal mission to make all hardware devices at least a bit more secure. He builds tools like Tigard and Erebus, and teaches Applied Hardware Attacks trainings to help people break – and secure – their hardware devices. His actual superpower is the ability to instantly end awkward conversational pauses if you ask him about BSides Portland, the CTRL-H Hackerspace, or drone taco delivery at ToorCamp.

SpeakerBio:  nyx

nyx is a Portland-based hacker, engineer, and self-described cyberpunk. As an unwilling participant in the late-capitalist, mass-surveillance dystopia, he is passionate about digital privacy, data self-custody, and running his own infra. While voiding warranties has long been one of his favorite pastimes, he has lately been fortunate enough to do it professionally as well.




ICS Hack ‘n Track

Workshop Map Page – LVCCW Level 2 W231 (Workshops)
When:  Sunday, Aug 9, 09:00 – 12:59 PDT

Creator: DEF CON Workshops

OT attacks are often discussed but rarely demonstrated – in this workshop we use Caldera for OT to demonstrate realistic attack vectors for Distributed Control Systems used in power plants and other critical infrastructure, as well as how FOSS tools like Malcolm give defenders the information needed to detect blast radius and impacts.

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/sun_am_ws6_4085

People:
    SpeakerBio:  Pedro Cabrera

Pedro Cabrera is an OT cybersecurity professional and Omnivise Cybersecurity Solutions Architect at Siemens Energy. He specializes in industrial control systems and adversary simulation, focusing on bridging the gap between traditional IT security and operational technology through practical, real-world demonstrations. He has developed custom tooling to simulate PLC interactions and highlight detection challenges in OT environments. His work centers on improving visibility, strengthening defenses, and making complex security concepts more accessible.

SpeakerBio:  Hannes “hercules_hannes” Heck

Hannes is an OT security practitioner currently completing a Bachelor’s degree in Cybersecurity, with a thesis focused on Network Detection and Response systems including Malcolm. Active in the technology field since 2018, when he began a formal computer science apprenticeship, he has progressively deepened his specialization in cybersecurity and currently works at Siemens Energy in an OT Security role focused on solution architecture for industrial environments. He has presented technical topics in both academic and enterprise settings and brings direct hands-on experience with network traffic analysis, industrial control system design, and adversary emulation platforms to this workshop.

SpeakerBio:  Sam Miorelli

Sam Miorelli is the Global Head of Innovation and Customer Success for Siemens Energy Omnivise Cybersecurity. By training he is a mechanical engineer and a lawyer. Prior to his involvement with OT cybersecurity, Sam was the primary lawyer for several billion dollars per year of energy and industrial automation transactions at Siemens worldwide.

SpeakerBio:  Jordan Sanchez

Jordan Sanchez is a Cybersecurity Fellow at Siemens Energy, where he has spent three years doing R&D in OT and ICS security. Graduating from the University of Central Florida with a degree in Computer Science, he conducted undergraduate research on dependency downgrade vulnerabilities in the Android build system. Jordan is joining Amazon as a Security Engineer in September 2026.




Intro to Writing Windows Malware with Rust!

Workshop Map Page – LVCCW Level 2 W230 (Workshops)
When:  Saturday, Aug 8, 14:00 – 17:59 PDT

Creator: DEF CON Workshops

In the Information Security news space, we often hear about the cool malware and tools nation states and APTs develop. While there are many tools out there that “do the thing”, have you ever wonder how it “does the thing”? Instead of just using tools and scripts that sound cool, why not make them?

Using the Rust programming language, you’ll be taken step-by-step into building your own Windows malware! We’ll break down the process and work our way into more complex tasks. From a simple, no-imports binary we’ll slowly work into loading and executing Windows API functions without ever calling “LoadLibrary” or “GetProcAddress” while not touching a single Rust “std::*” function or importing any extra crates!

You’ll be introduced into Windows concepts like the Process Environment Block (PEB), the Thread Environment Block (TEB) and how we can use them to our advantage! At the end of this workshop, you’ll be able to build binaries without any imports while doing fun tricks like shellcode injection!

Some of the topics we’ll touch on are:

  • Assembly!
  • Rust Allocators
  • Windows Structs
  • API Function Calls
  • Binary File Inspection
Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/sat_pm_ws1_4071

People:
    SpeakerBio:  iDigitalFlame

iDigitalFlame is an experienced security researcher that uses his programming skills to expand his abilities and provide teams with the tools needed to complete any engagement. Outside of work, his passion for open source and knowledge sharing has led to the creation of many unique tools and resources. iDigitalFlame also uses his skills to help power many CTFs, including the ProsVJoes CTF at BSidesLV, where he leads the Red Team and provides the platform for Red operations. iDigitalFlame has spoken before at BSidesDE and BSidesLV about cool things learnt in his research like AV evasion or releases open source software like ThunderStorm, a custom C2 platform used in many CTFs he operates in.

SpeakerBio:  Daniel Bravo

Daniel is a self-taught programmer who later earned a B.S. in Computer Science from the University of Maryland. He likes to understand how software works by decompiling binaries and reverse engineering APIs, whether they were meant to be understood or not. Daniel also enjoys working on geospatial projects and web scraping tools, particularly extracting and reconstructing data from mobile platforms. His other interests also include compiler theory, automated reasoning, and verification-aware languages.




Introduction to Malware Analysis

Workshop Map Page – LVCCW Level 2 W232 (Workshops)
When:  Friday, Aug 7, 14:00 – 17:59 PDT

Creator: DEF CON Workshops

Analyze malware to find indicators of compromise using static and dynamic techniques. We will analyze Windows executables at the binary level and modify them to cheat at games. We will examine both compiled code and DOTNET executables. We will also examine defenses to prevent memory-corruption attacks, including coding in Rust.

We will demonstrate the techniques and help attendees solve challenges. There are dozens of hands-on projects, with a running CTF scoreboard. Some of the projects are easy enough for beginners, and others will challenge experienced experts. Every participant should leave with some new skills.

All materials are freely available on the Web at samsclass.info and will remain available after the workshop is over.

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/fri_pm_ws5_4019

People:
    SpeakerBio:  Sam Bowne

Sam Bowne has been teaching computer networking and security classes at City College San Francisco since 2000. He has given talks and hands-on trainings at DEF CON, DEF CON China, Black Hat USA, HOPE, BSidesSF, BSidesLV, RSA, and many other conferences and colleges. He founded Infosec Decoded, Inc., and does corporate training and consulting for several Fortune 100 companies, on topics including Incident Response and Secure Coding.

Formal education: B.S. and Ph.D. in Physics Industry credentials:

Infosec: CISSP, Certified Ethical Hacker, Security+, Defcon Black Badge, Splunk Core Certified User Networking: Network+, Certified Fiber Optic Technician, HE IPv6 Sage, CCENT, IPv6 Forum Silver & Gold, Juniper JN0-101, Wireshark WCNA Microsoft: MCP, MCDST, MCTS: Vista

SpeakerBio:  Elizabeth Biddlecome

Elizabeth Biddlecome is a consultant and instructor, delivering technical training and mentorship to students and professionals. She leverages her enthusiasm for architecture, security, and code to design and implement comprehensive information security solutions for business needs. Elizabeth enjoys wielding everything from soldering irons to cripting languages in cybersecurity competitions, hackathons, and CTFs.

SpeakerBio:  Kaitlyn Handelman

Kaitlyn Handelman is an offensive security engineer at Amazon. Her focus is cybersecurity in space. In addition to traditional penetration testing, Kaitlyn works on physical devices and RF signals. In her free time, she enjoys ham radio, astronomy, and her cat, Astrocat.

SpeakerBio:  Irvin Lemus

Irvin Lemus, CISSP is a Cyber Range Engineer at By Light IT Professional Services, training military personnel through international cyber security exercises. Irvin has been in the field since 2006, involved with cybersecurity competitions since 2015 as a trainer, coach, and mentor. He also has taught IT and Cybersecurity courses at Coastline and Cabrillo Colleges. He is the BACCC Cyber Competitions Regional Coordinator, Board member at Pacific Hackers and is a speaker at DEFCON. He describes himself as, “A professional troublemaker who loves hacking all the things.”




Investigating and Responding to M365 account compromise on a shoestring: Living of the Land Incident Response

Workshop Map Page – LVCCW Level 2 W222 (Workshops)
When:  Friday, Aug 7, 14:00 – 17:59 PDT

Creator: DEF CON Workshops

A compromised mailbox. An inbox rule named “.”. An OAuth consent to an unknown application. A sign-in from a cloud-hosting ASN with user-agent “axios” and MFA status “satisfied by claim in token”. Somewhere in there is the story – and somewhere in the Microsoft 365 logs is the evidence. This four-hour hands-on workshop teaches Business Email Compromise investigation in the tenants most responders actually see: M365 Business Premium or E3. No Sentinel. No SIEM. No problem. Using only native admin centers, PowerShell modules, and a few scripts, you will run a complete BEC investigation end to end. Working through several progressive scenarios, from single-user compromise, through lateral-pivot case with MailItemsAccessed analysis, to multi-account incident with a malicious enterprise app and transport rule. You will learn how to contain, collect, triage, pivot, expand scope, remediate, and produce the three common reporting deliverables: investigation report, attestation letter, internal post-mortem. This is Living off the Land Incident Response. Through chronology and topology, come correlate some logs with me and see what story they tell.

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/fri_pm_ws8_4033

People:
    SpeakerBio:  Vince “bitpusher” Weppner

Vincent M. Weppner (Bitpusher) is an Information Security Specialist with 10+ years of dedicated cybersecurity focus and 25 years in IT overall. He works as a Security Analyst at a mid-market MSP and runs an independent IT consulting practice at theTechRelay.com. Generally found lurking in the mountains of Southern California, and occasionally maintaining his open-source tooling at github.com/bitpusher2k. His day-to-day work covers M365 security operations, Active Directory and endpoint security, BEC/ransomware incident response, EDR/SIEM management, and security consulting for SMB and mid-market clients. Specialization in Business Email Compromise was built out of direct operational need: after dozens of BEC incidents, the pattern of “which script do I need to run right now?” became clear enough to codify. Passionately solving puzzles through scripting, and hoping to pass on some of it to you.




Learning to Hack Bluetooth Low Energy with BLE CTF

Workshop Map Page – LVCCW Level 2 W232 (Workshops)
When:  Friday, Aug 7, 09:00 – 12:59 PDT

Creator: DEF CON Workshops

BLE CTF is a series of Bluetooth Low Energy challenges in a capture-the-flag format, created to teach the fundamentals of interacting with and hacking BLE services. Each flag interactively introduces a new concept.

Over the years, BLE CTF has expanded across platforms and skill levels. Books, workshops, trainings, and conferences have adopted it as both an educational platform and CTF. As an open source, low-cost, extensible solution, it has helped advance Bluetooth security research.

This workshop teaches the fundamentals of hacking BLE through hands-on exercises that introduce beginners to new concepts while giving experienced users a chance to try new tools and techniques. After completing it, you will have a solid understanding of how to hack BLE devices in the wild.

New for DEF CON 34: the workshop uses a brand new variant of BLE CTF built specifically for this event. Returning students will face fresh challenges they have not seen before, and the new exercises are designed to resist online walkthroughs and LLM-assisted shortcuts. We will also introduce new client tools, including gratttool, a modern replacement for gatttool (which has been deprecated from most Linux distributions). Whether this is your first BLE CTF or your eighth, you will leave with new skills and tools.

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/fri_am_ws5_4054

People:
    SpeakerBio:  Ryan “Hackgnar” Holeman

Ryan Holeman resides in Austin, Texas, where he works as the CISO for Stability AI. He holds a Ph.D. in cyber defense from Dakota State University and has spoken at respected venues such as Black Hat, DEF CON, Lockdown, BSides, Ruxcon, Notacon, and Shmoocon. You can keep up with his current activity, open source contributions, and general news on his blog. His spare time is mostly spent digging into various network protocols, random hacking, creating art, surfing, and shredding local skateparks.

SpeakerBio:  Alek Amrani

Alek Amrani runs the security team at Cape.




Learning to Reverse Engineer Compiled C as We Learn to Write It

Workshop Map Page – LVCCW Level 2 W232 (Workshops)
When:  Saturday, Aug 8, 14:00 – 17:59 PDT

Creator: DEF CON Workshops
Software reverse engineering is a fundamental skill: a prerequisite
to engaging with many fields of study in computer security that depend
on low-level knowledge. Malware analysis, vulnerability research,
offensive tool development, and digital forensics all involve the
analysis of code which has been compiled, obfuscated, or otherwise
stripped of useful names, data types, comments, and other
human-readable information. Without the ability to read disassembled
code, you will not be able to understand code that your computer will
happily execute.

In this workshop, I will guide you through learning to read disassembled code while you learn C. We will progress through the C programming language’s constructs with as few assumptions as possible about your background, and at each stage we will reverse engineer the compiler’s output in Ghidra and trace through with a debugger to understand the generated code. You do not need any prior experience in programming.

I will also be demonstrating useful techniques for using locally-hosted large language models to aid in the learning process. Use AI to improve your own skillset, rather than using it to do the work for you.

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/sat_pm_ws5_4002

People:
    SpeakerBio:  Wesley McGrew

Dr. Wesley McGrew directs research, development, reverse engineering, and offensive cyber operations as Senior Cybersecurity Fellow for MartinFederal. He has presented at DEF CON and Black Hat USA on topics of penetration testing, malware analysis, critical infrastructure, and vintage computing, and has taught self-designed courses on reverse engineering and cyber operations at Mississippi State University. Wesley has a Ph.D. in Computer Science from Mississippi State University for his research in vulnerability analysis of SCADA HMI systems. He has entertained audiences at many DEF CON parties as a house music DJ, as well.




Long Live Empire: A C2 Workshop for Modern Red Teaming

Workshop Map Page – LVCCW Level 2 W231 (Workshops)
When:  Friday, Aug 7, 09:00 – 12:59 PDT

Creator: DEF CON Workshops

Behind every breach report from the last decade is a Command and Control (C2) framework. C2 is how operators reach into a compromised network, move sideways, harvest credentials, and stay invisible. This 4-hour, hands-on workshop puts you in the operator’s chair. You set up your own Empire team server, learn the listener-stager-agent model from scratch, and run seven exercises that take you from “never touched a C2” to dumping credentials off a box you compromised yourself.

You’ll spin up an HTTP listener, deploy a .NET agent to a Windows target, and run post-exploitation tradecraft: Rubeus for credentials, SharpHound for AD enumeration, port-forward pivots to internal hosts, and privesc modules that turn a foothold into full control. You’ll even build a custom Empire plugin that auto-runs on every new agent. The capstone is a mini-CTF on a cloud-hosted range we keep open all weekend, with a prize for the winners.

You leave with the mental model most operators take years to build: how modern C2 actually works, what it assumes about the target, and where defenders most often catch it. No VMs to download. No setup before class. Bring a laptop, get on WiFi, and we’ll have agents running before the first break.

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/fri_am_ws6_4068

People:
    SpeakerBio:  Jake “Hubbl3” Krasnov

Jake “Hubble” Krasnov is the Red Team Operations Lead at BC Security, with a distinguished career spanning engineering and cybersecurity. A U.S. Air Force veteran, Jake began his career as an Astronautical Engineer overseeing rocket modifications, leading test and evaluation efforts for the F-22, and conducting red team operations with the 57th Information Aggressors. He later served as a Technical Lead Engineer at Boeing Phantom Works, where he focused on embedded security for aviation and space defense projects. A seasoned speaker and trainer, Jake has presented at DEF CON, Black Hat, HackRedCon, HackSpaceCon, and HackMiami, and has previously taught Empire and offensive PowerShell at DEF CON.

SpeakerBio:  Vincent “Vinnybod” Rose

Vincent “Vinnybod” Rose is the Lead Developer for Empire and Starkiller. He is a software engineer with a decade of expertise in building highly scalable cloud services, improving developer operations, and automation. Recently, his focus has been on the reliability and stability of the Empire C2 server. Vinnybod has presented at Black Hat and has taught courses at DEF CON on Red Teaming and Offensive PowerShell. He currently maintains a cybersecurity blog focused on offensive security at https://bcsecurity.io/blog/.

SpeakerBio:  Anthony “Coin” Rose

Dr. Anthony “Coin” Rose is an officer in the United States Air Force, an Assistant Professor, and the Director of the Center for Cyberspace Research at the Air Force Institute of Technology. He holds a doctorate in Electrical Engineering and has expertise in machine learning, with a focus on its application to cybersecurity and malware detection. He is also the founder of SIMAPTIC and the Director of Security Research at BC Security, where he specializes in adversary tactics and emulation planning, Red and Blue Team operations, and embedded systems security. Dr. Rose is credited with 16 CVEs and has presented at numerous security conferences, including Black Hat, DEF CON, HackSpaceCon, HackMiami, and RSA Conference.

SpeakerBio:  Dan Niefeld

Dan Niefeld is the founder of several Cyber Security and Technology organizations. An accomplished social engineer his career has spanned from program management to organizing conferences like Hack Space Con, Dan has spent his career, educating, mentoring and developing disrupting technologies with a focus of Mission and Community Development.




Malware Development 101 – From Zero to Hero: Adapt your payload to your environment

Workshop Map Page – LVCCW Level 2 W230 (Workshops)
When:  Friday, Aug 7, 09:00 – 12:59 PDT

Creator: DEF CON Workshops

This workshop will give an initiation to offensive malware development in C/C++ and how it is possible to adapt the approach depending on the security solution that must be tackled down. Different methods such as ModuleStomping, DLL Injection, Threadless Injection and Hardware Breakpoint for dehooking will be seen. The idea is to start with a basic malware performing process injection and apply additional techniques to start evading EDR. At each step, some analysis on the malware will be performed to understand the differences at the system level and the IOC detected by the EDR. At the end of this workshop, you will have all the knowledge needed to develop your own malware and adapt it to the targeted environment to escape from the basic pattern and spawn your beacons as if EDR didn’t exist.

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/fri_am_ws1_4039

People:
    SpeakerBio:  Yoann “OtterHacker” DEQUEKER

Yoann Dequeker (@OtterHacker) is a red team operator at Wavestone entitle with OSCP and CRTO certification. Aside from his RedTeam engagements and his contributions to public projects such as Impacket, he spends time working on Malware Developpement to ease beacon deployment and EDR bypass during engagements and is currently developing a fully custom C2.

His research leads him to present his results on several conferences such as LeHack (Paris), Insomni’hack (Swiss) or even through a 4-hour malware workshop at Defcon31,32 and 33 (Las Vegas). All along the year, he publishes several white papers on the techniques he discovered or upgraded and the vulnerabilities he found on public products.




Offensive Packet Wizardry with Scapy

Workshop Map Page – LVCCW Level 2 W222 (Workshops)
When:  Friday, Aug 7, 09:00 – 12:59 PDT

Creator: DEF CON Workshops

Offensive Packet Wizardry with Scapy is a four-hour, 100% hands-on workshop that teaches attendees to build offensive networking tools from scratch in Python using Scapy, the packet crafting library used by red teams, malware analysts, and vulnerability researchers worldwide.

Starting from first principles, raw packet construction, layer stacking, and send/receive mechanics, the workshop moves progressively through active reconnaissance, ARP cache poisoning with live credential interception, TCP/IP stack abuse (session injection, SYN flood, RST killing), protocol fuzzing against an intentionally vulnerable binary service, and full covert channel implementation (ICMP C2 shell, DNS file exfiltration, TCP header steganography).

Every technique is implemented live in Python against an isolated lab network. Students leave with a working, importable red team toolkit, a Python package with a unified CLI, that they built themselves and can adapt for future engagements.

The workshop concludes with “Silent Pivot”, a scored capstone scenario that chains all techniques into a realistic kill chain: stealth discovery, service identification, fuzzer- triggered crash, ICMP command execution, DNS exfiltration of /etc/shadow, and network cleanup, all subject to an IDS alert budget.

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/fri_am_ws8_4025

People:
    SpeakerBio:  Mike “Chicolinux” Guirao

Mike “Chicolinux” Guirao began his journey in the security field roughly 25 years ago while completing a master’s degree. Since then, they have developed both broad and deep expertise across this incredible discipline. Currently, they are pursuing a PhD at New Mexico State University, where their research intersects Cybersecurity and Machine Learning/Artificial Intelligence.

In addition to their academic pursuits, Mike serves on the organizing team for the Crypto & Privacy Village. This marks their third time teaching a workshop at DEF CON since DEF CON 24. They also hold several notable industry certifications, including the SANS GCIH, ISC2 CC, and Linux+, and they are excited to share their wealth of experience and knowledge.




OT Systems: how to secure them in practice!

Workshop Map Page – LVCCW Level 2 W225 (Workshops)
When:  Friday, Aug 7, 14:00 – 17:59 PDT

Creator: DEF CON Workshops

Securing OT systems is often presented as challenging, with multiple business constraints – but is it that complicated, especially considering a single industrial site? In this 4-hour, hands-on workshop, each participant will manipulate a simple but realistic Industrial Control System setup with SCADA systems & PLCs. Attendees will have the opportunity to secure it step by step, through several hands-on exercises & discover how to manually secure OT systems: OT inventory, backups, network security, system hardening and detection. What if the real challenge is OT security at scale? Besides implementing manual security on our setup, we will address each step of the way OT security at scale and share feedback on how large companies are securing their OT systems, both at organizational & technical level: community of OT cyber correspondents, OT DMZ and security tools deployment. No prior OT experience is required.

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/fri_pm_ws7_4014

People:
    SpeakerBio:  Alexandrine Torrents

Alexandrine Torrents is a cybersecurity expert at Wavestone. She started as a penetration tester, and then specialized in OT cybersecurity. She is IEC 62443 certified. She performed dozens of OT cybersecurity assessments across various industries & worked on OT models to perform attacks on PLCs & SCADA systems. Alexandrine also helps secure OT both at technical & organization levels: secure architecture, system hardening, IAM, cyber resilience, detection, governance, awareness & training, risk assessment, cyber by design, etc. Alexandrine works with different CISOs on their OT cybersecurity roadmaps & programs at different scales of large industrial companies: site, business units, Group with worldwide scope. Alexandrine also gives training on OT cybersecurity.

SpeakerBio:  Arnaud SOULLIE

Arnaud Soullie is a Senior Manager at Wavestone. He has over 15 years of experience in security assessments and penetration testing, with 10 years specializing in Industrial Control Systems cybersecurity. He has delivered talks and workshops at DEF CON, Black Hat Europe, BruCON, CS3STHLM, BSides Las Vegas, and others. He is the creator of the DYODE open-source data diode project and has been teaching ICS cybersecurity since 2015.




Pivot, Hunt, Publish: An Offline, Hands-On CTI Workshop for Blue Teams and Threat Researchers

Workshop Map Page – LVCCW Level 2 W233 (Workshops)
When:  Sunday, Aug 9, 09:00 – 12:59 PDT

Creator: DEF CON Workshops

Cyber Threat Intelligence is the most overspecified and underspecified discipline in security. Every vendor sells a feed. Every conference has a track. Every blog post claims attribution. And yet – most blue teams still drown in IOCs they cannot operationalize, and most aspiring threat researchers do not know how to pivot from a single sample to a discovered campaign.

This workshop fixes both problems in four hours, fully offline, with every minute of those four hours spent on content rather than setup, and without distributing a single piece of malware.

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/sun_am_ws4_4075

People:
    SpeakerBio:  Rushikesh Nandedkar

Rushikesh is a researcher. Having more than 10 years of experience under his belt, his assignments have always been pointed towards reducing the state of insecurity for information. His research papers were accepted at the nullcon ’14 ’18 ’20 ’21, BruCON ’16 ’17 ’18 ’19 ’21, Blackhat USA Arsenal ’18 ’19 ’25, DEFCON 24 26 27, x33fcon ’17 ’18 ’20 ’21, BSides Delhi ’17 ’20, c0c0n ’17 ’25, HITCON ’14, NCACNS ’13 + co-author of “DARWIN” (use cases for covert wireless), “DECEPTICON”, an intelligent evil-twin and “SASTRI”, Plug and Play VM for SAST and author of ARC (Artefact Reuse Comparator) and Q-TIP (QR Code Threat Inspection Platform). Being an avid CTF player, for him, solace is messing up with packets, frames, and shellcodes while attempting to reach the state of void *.




Post-Quantum Cryptography (PQC) for Hackers

Workshop Map Page – LVCCW Level 2 W228 (Workshops)
When:  Sunday, Aug 9, 09:00 – 12:59 PDT

Creator: DEF CON Workshops

Secure communications are not a luxury ‚Äî they are a foundational requirement for human dignity in the digital age. Our most meaningful conversations, transactions, and decisions demand end-to-end encryption, strong authentication, and verifiable integrity. The notion that “only those with something to hide need strong crypto” is not merely lazy; it is dangerously shortsighted. Privacy is the space where autonomy, intimacy, and authentic human experience thrive. When that space is violated, the damage ripples far beyond the individual.

For decades, classical public-key cryptography has quietly protected everything from online banking to private messaging. That era is ending. Quantum computers are advancing rapidly, and the break of today’s asymmetric algorithms ‚Äî often called the Quantum Apocalypse ‚Äî is no longer a question of if, but when. The window to prepare is narrowing. Migration must begin now.

In this workshop, you’ll implement PQC algorithms from the NSA’s CNSA Suite 2.0. You’ll use C++, OpenSSL and Linux to demonstrate the secure usage of ML-KEM, ML-DSA, AES-256, and SHA-512. You’ll leave with clean, reusable code, deep implementation insight, and the practical skills needed to integrate PQC into real-world systems.

We might not all have something to hide, but we all have something worth protecting.

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/sun_am_ws3_4070

People:
    SpeakerBio:  Eric “Eijah” Anderson

Eijah is the founder of Code Siren, LLC and has 25+ years of experience in software development. He is the creator of Polynom, the world’s first CNSA Suite 2.0 PQC collaboration app and the author of multiple FIPS 140-3 modules. He is also the developer of Demonsaw, an encrypted communications platform that allows you to share information without fear of data collection or surveillance. Before that Eijah was a Lead Programmer at Rockstar Games where he created Grand Theft Auto V and Red Dead Redemption 2. In 2007, Eijah hacked multiple implementations of the Advanced Access Content System (AACS) protocol and released the first Blu-ray device keys under the pseudonym, ATARI Vampire. He has been a faculty member at multiple colleges, has spoken at DEF CON and other security conferences, and holds a master’s degree in Computer Science. Eijah is an active member of the hacking community and is an avid proponent of Internet freedom.




Purple Protocol: Adversary emulation for everyone

Workshop Map Page – LVCCW Level 2 W229 (Workshops)
When:  Sunday, Aug 9, 09:00 – 12:59 PDT

Creator: DEF CON Workshops

Have you ever been curious about the techniques used by most notorious hackers to infiltrate some of the world’s biggest networks? What would happen if they attacked yours? Companies burn millions of dollars in cybersecurity defenses, yet breaches still happen. Why? Because victory favors the prepared, not the well-funded.

This beginner friendly workshop explores a practical way to test your defenses. You will learn to organize and execute a Threat Intelligence-led Purple Team Engagement with Open Source tooling. You will learn how to select relevant Threat Actors, execute test cases, document results, generate action items for the Blue Team to remediate, and report the results in a way that even executives can understand. (Spoiler: They like Pie Charts, Line Graphs, and bright colors) This will all be done on a VM we will provide with the Open Source tooling pre-installed. Everything learned in this course can be replicated at your organization.

Join us in this workshop to learn why Purple Teaming is undeniably one of the most methodical and effective ways to improve your resilience against the threat actors most likely to attack your organization.

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/sun_am_ws2_4001

People:
    SpeakerBio:  Patrick “PilotPat” Raiden

Patrick has been working in Cybersecurity for the past decade, ranging from Security Engineering, Vulnerability Management, Penetration Testing, and Red Team Ops.  He holds industry certs including the OSCP, CRTO and GRTP.  He led the effort to build a new Purple Team program at one of the largest healthcare organizations in the United States and continues to manage the program. Patrick is also a DEF CON Black Badge winner.

SpeakerBio:  Ben “Marba$” Strout

Marba$ leads an Offensive Security Team and research vulnerabilities at one of the largest U.S. healthcare conglomerates. With experience spanning healthcare, biotech, pharma, and fintech, his work centers on application security, red teaming, and automation. He is the founder of DC207- Maine’s DEF CON group – and the General Chair / Lead Organizer of BSides Maine.

SpeakerBio:  Brandon “D43m0n” Kraycirik

D43m0n is a senior cyber security research engineer for one of the largest banking institutions in the world. Having over five years of experience in offensive security, specializing in red teaming, vulnerability research, and custom tool development.

He holds advanced certifications that include OSCE3, BSCP, CRTO, CARTP, and eWPTX. While doing so, he was contributing to the cyber security community as the discoverer of CVE-2025-26332 (Dell) and CVE-2025-30398 (Microsoft), while also having authored “Debugging CVE-2023-37679: A Step-by-Step Guide to Fixing the Windows Exploit.”

One of his most recent accomplishments at DEF CON is finally obtaining the accolade of being a Black Badge holder.

Outside of cybersecurity, he is a passionate researcher with a deep appreciation for the outdoors.




Purple Teaming Industrial Control Systems

Workshop Map Page – LVCCW Level 2 W225 (Workshops)
When:  Saturday, Aug 8, 14:00 – 17:59 PDT

Creator: DEF CON Workshops

Security monitoring is often presented as the silver bullet for Industrial Control System (ICS) security — but how effective is it against realistic adversaries? In this 4-hour, hands-on workshop, participants will use CALDERA, the open-source adversary emulation framework, to conduct purple-team exercises against simulated & live industrial environments. Attendees will simulate real-world IT and OT attacks, observe what is (and is not) detected across EDR, logs, and network monitoring, and map results to MITRE ATT&CK for ICS. Rather than focusing on exploitation alone, this workshop teaches a repeatable methodology to assess detection coverage, identify OT blind spots, and improve monitoring strategies. Participants leave with concrete techniques they can apply in their own environments — from tabletop exercises to continuous detection testing.

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/sat_pm_ws7_4030

People:
    SpeakerBio:  Arnaud SOULLIE

Arnaud Soullie is a Senior Manager at Wavestone. He has over 15 years of experience in security assessments and penetration testing, with 10 years specializing in Industrial Control Systems cybersecurity. He has delivered talks and workshops at DEF CON, Black Hat Europe, BruCON, CS3STHLM, BSides Las Vegas, and others. He is the creator of the DYODE open-source data diode project and has been teaching ICS cybersecurity since 2015.

SpeakerBio:  Alexandrine TORRENTS

Alexandrine Torrents is a cybersecurity expert at Wavestone. She started as a penetration tester, and then specialized in OT cybersecurity. She is IEC 62443 certified. She performed dozens of OT cybersecurity assessments across various industries & worked on OT models to perform attacks on PLCs & SCADA systems. Alexandrine also helps secure OT both at technical & organization levels: secure architecture, system hardening, IAM, cyber resilience, detection, governance, awareness & training, risk assessment, cyber by design, etc. Alexandrine works with different CISOs on their OT cybersecurity roadmaps & programs at different scales of large industrial companies: site, business units, Group with worldwide scope. Alexandrine also gives training on OT cybersecurity.




Reaching Mythos: Hands-On Vulnerability Discovery with Local AI Models

Workshop Map Page – LVCCW Level 2 W229 (Workshops)
When:  Friday, Aug 7, 14:00 – 17:59 PDT

Creator: DEF CON Workshops

Anthropic, April 2026: Claude Mythos Preview is “strikingly capable” at zero-day discovery. They chose not to release it.

AISLE, one week later: “The moat in AI cybersecurity is the system, not the model.” They reproduced Mythos-class findings on FreeBSD with a 1,700-line scan.py and a commodity model for under $100.

This four-hour hands-on workshop is the local-hardware version of that argument. Two reproductions, two domains, one harness pattern.

Part I: point AISLE’s open-source pipeline at a pre-patch FreeBSD checkout through a hosted local-AI inference endpoint and reproduce the 17-year-old CVE-2026-4747 that drove Mythos, for sub-dollar spend.

Part II: change domains. Drive Ghidra through MCP tool calls against unpatchable D-Link DNS-320L firmware. Validate CVE-2024-3273 with the advisory in hand, then rediscover it from a blank start once the harness moves enumeration into the driver.

What happens next is what you come to find out. Same hardware, same model, same harness, four hours later: can local AI extend the famous disclosure with bugs the original missed? Come see for yourself.

No GPU. No API. No cloud spend. The workshop hosts inference for the room.

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/fri_pm_ws2_4092

People:
    SpeakerBio:  John “clearbluejar” McIntosh

John McIntosh (@clearbluejar) is a security researcher and founder of ClearSecLabs, specializing in reverse engineering, vulnerability research, and AI-assisted binary analysis. He is the author of ghidriff, an open-source Ghidra-based binary diffing engine, and pyghidra-mcp, a headless Ghidra MCP server enabling LLM-driven, project-wide, multi-binary reverse engineering workflows. An active contributor to the Agent Skills ecosystem, John bridges deterministic analysis with AI-driven reasoning to accelerate vulnerability research. He has delivered training and workshops at DEF CON, Black Hat, REcon, Ringzer0, 44CON, Objective by the Sea, and Insomni’hack, covering topics from practical Windows reverse engineering to building private local LLM RE stacks. His recent work includes the “Agentic RE” training at DEF CON Singapore 2026, the MCP Ghidra workshop at REcon 2025, and the “Supercharging Ghidra” LLM workshop at Ringzer0 COUNTERMEASURE 2025. With over a decade of offensive security experience, John publishes detailed research on reversing CVEs, building RE tooling, and agentic patch diffing at clearbluejar.github.io. His teaching emphasizes reproducibility, progressive skill-building, and contributor empowerment.




Salesforce Apex Predator: Breaking Salesforce Sites

Workshop Map Page – LVCCW Level 2 W233 (Workshops)
When:  Saturday, Aug 8, 14:00 – 17:59 PDT

Creator: DEF CON Workshops

Salesforce Sites are one of the most under-tested attack surfaces in enterprise security. When pentesters encounter them, most skip past – the Aura framework doesn’t behave like a standard web application, and standard web testing techniques don’t apply. Salesforce sites run on proprietary frameworks (Aura and LWR) with their own API surfaces, access models, and injection patterns. In March 2026, ShinyHunters demonstrated what that blind spot costs: sensitive data exfiltrated from hundreds of organizations through sites no one had tested.

This workshop teaches pentesters and red teamers a complete offensive methodology for Salesforce Experience Sites, going well past the record enumeration that makes up most public guidance on the topic.

Attendees will enumerate objects and dump records via the Aura API, then learn to identify and invoke custom Apex controllers running in system mode – controllers that bypass standard access management mechanisms, and which are surprisingly common and criminally underexplored. We cover SOQL injection in depth: why normal SQL injection tests fail, and how to exploit it. We cover deterministic route enumeration as an unauthenticated user, and LWR sites – Salesforce’s next-generation framework – including the release of LWRed, a new open-source scanner built specifically for them.

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/sat_pm_ws4_4032

People:
    SpeakerBio:  Nitay Bachrach

Nitay Bachrach is a security researcher at Reco (Tel Aviv, Israel) specializing in offensive security research against enterprise SaaS platforms. He is a pioneer in Salesforce offensive security: he published new exploitation methods for the Aura framework, discovered the Einstein Wormhole vulnerability and a Public Link exploitation technique in Salesforce’s platform, and identified and responsibly disclosed critical vulnerabilities in dozens of major Salesforce deployments. His research extends to Okta, GCP, and other enterprise platforms. He spoke at Insomni’hack on “Neo4jection” – novel graph injection techniques against Neo4j. In May 2026, he is running a Salesforce-focused CTF event in Tel Aviv. The LWR exploitation methodology and LWRed tool premiering at this workshop represent previously unpublished research from original work on Salesforce’s next-generation Experience Site framework.

SpeakerBio:  Cynthia Ardman

Cynthia has spent 10+ years making life harder for attackers. She currently builds threat detection at Reco, and previously did the same at AppOmni, AWS, and Snowflake, places where “the blast radius” isn’t a metaphor. At AWS she developed MITRE ATT&CK-mapped detection for corporate infrastructure, partnered with the Red Team to close gaps they found, and led a project that knocked hacking tool presence down by 30%. At Snowflake she ran blue team ops and built the SQL-based alerting pipeline from scratch. At StubHub she hunted down an active intrusion by tracing logs across systems and performed the root cause analysis so it wouldn’t happen twice. She came up through desktop support, building Linux blade servers and remediating malware on customer machines, the kind of work that teaches you what actually breaks. CISSP. Splunk ES Admin. Writes Python when she has to and JSONata when nobody’s looking.




Solder, Detect, Listen: Build Your Own EMF Explorer

Workshop Map Page – LVCCW Level 2 W230 (Workshops)
When:  Friday, Aug 7, 14:00 – 17:59 PDT

Creator: DEF CON Workshops

Every electronic device around you is silently broadcasting electromagnetic signals. In this hands-on workshop, you will build an SMD (surface-mount) version of the EMF Explorer from bare PCB to working device, learning progressive SMD soldering techniques from 1206 down to 0603 component sizes along the way. Geared for absolute beginners who are new to soldering and electronics. This session pairs each build stage with a circuit theory deep dive: you will understand the voltage divider powering your board, the op-amp gain stages amplifying EMF signals into audible sound, and how inductor geometry shapes what you can hear. Walk away with a functional EMF listening device, new SMD skills transferable to real-world hardware hacking, and a deeper understanding of the electromagnetic emissions all around you.

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/fri_pm_ws1_4045

People:
    SpeakerBio:  Darcy “@Drc3p0” Neal

Darcy Neal (Drc3p0) is an electronics educator and founder of SporkLogic, where they design open-source hardware kits and facilitate soldering workshops at maker and hacker events worldwide. With over 15 years in interactive audio-visual hardware design, Darcy’s work spans RF experimentation, new media installations, boutique synthesizer production, and hands-on electronics education. Their flagship product, the EMF Explorer, is an accessible tool for sonifying electromagnetic fields. They collaborate regularly with Mitch Altman and the Hardware Hacking Assembly, and have taught large-scale soldering workshops across the global hacker community.




Step-by-Step Malware Development: Evading EDR from Loaders to the Kernel

Workshop Map Page – LVCCW Level 2 W228 (Workshops)
When:  Saturday, Aug 8, 09:00 – 12:59 PDT

Creator: DEF CON Workshops

Endpoint Detection and Response (EDR) systems are key parts of modern security. This workshop provides a guide for custom malware development, C2 customization, defense evasion, and kernel exploitation. We will use Elastic Defend throughout the session. By analyzing detection logs and rules, we will understand what EDR monitors and why payloads are caught step by step.

After a short overview of Windows defenses and EDR, we focus on malware development. Participants will implement typical malware techniques, such as APC Injection, Thread Hijacking, Fiber and Module Stomping in multiple languages. Next, we learn about call stack analysis. Attendees will implement Stack Spoofing and Indirect Syscalls to hide execution flows and bypass stack analysis.

The workshop then moves to C2 customization using the Havoc C&C framework. By combining custom loaders with C2 source code modifications, participants will bypass static signatures, behavioral rules, and AI detection to successfully establish a C2 session.

Finally, we’ll demonstrate the possibilities of Bring Your Own Vulnerable Driver (BYOVD) attacks for the post-exploitation phase. When we have access to the kernel space, we can take more aggressive measures. We’ll use some vulnerable drivers to kill or blind an EDR sensor itself.

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/sat_am_ws3_4049

People:
    SpeakerBio:  Yu Terada

Yu Terada is a security researcher and a red team consultant for Fujitsu. He worked as a SOC Analyst and CSIRT for over five years. In 2021, he joined the company as a Security Researcher. He is primarily involved in developing new attack methods and tools. He also participates in internal red team activities and cyber exercises. He has spoken at Black Hat USA/Europe, BSides Las Vegas, Code Blue, and several conferences in Japan. He holds a Master’s degree in Computer Science, as well as certifications including OSEP, OSCP, CRTL, CETP, ODPC, CISSP, GIAC, etc.

SpeakerBio:  Kotaro “@Decamark / @BinaryPoodle” Osugi

Kotaro Osugi is a security researcher and a red team consultant who has his profession in reverse-engineering. His research area includes malware analysis and binary exploitation. He has given a speech at BHEU Arsenal about a tool for kernel exploitation. OSED and OSEE certified.




Web Hacking 101

Workshop Map Page – LVCCW Level 2 W229 (Workshops)
When:  Friday, Aug 7, 09:00 – 12:59 PDT

Creator: DEF CON Workshops

Most security training starts with slides. This workshop starts with a target. Students spend the majority of the course attacking a purpose-built web application across progressive labs covering the vulnerability classes that define modern web security.

Each module follows a difficulty curve. Entry-level labs present classic, unfiltered vulnerabilities for students to exploit independently. Difficulty escalates as filters and defenses appear, requiring adaptation and creative problem-solving. Failed payloads, broken assumptions, and dead ends are not setbacks. They are the learning journey. The frustration of a blocked payload and the persistence to find the bypass is how offensive intuition is built.

A final exploit chaining challenge ties everything together, combining findings across vulnerability classes to demonstrate how moderate issues chain into critical impact, the way real attacks work.

Students attack, fail, adapt, and break through. Hands-on exploitation and the willingness to struggle is the foundation of any security career. It starts here.

All you need is a laptop and persistence.

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/fri_am_ws2_4012

People:
    SpeakerBio:  cale “calebot” smith
Cale Smith has spent his entire life obsessed with one question: “Yeah, but how does it actually work?”

He started out building things, then realized breaking them was more fun, and has been doing exactly that across web, cloud, binary, IoT, and mobile ever since. He now manages a device-focused security team at Amazon, where his “what if I just…” instincts are finally considered a job qualification.

SpeakerBio:  Ruchik Dave

Ruchik Samir Dave is a software engineer and security specialist with nearly 20 years of experience at the intersection of complex systems security and emerging threat landscapes. Ruchik has contributed to security frameworks for aviation systems and privacy-compliant architectures for large consumer IoT ecosystems, bringing safety-critical systems expertise to emerging technology platforms. His current research explores cloud security paradigms, security compliance, AI-assisted threat detection systems, and the novel attack surfaces introduced by machine learning implementations in embedded environments, areas that represent the cutting edge of adversarial research and defensive innovation. With a passion for building secure, large-scale software systems, Ruchik’s work addresses the evolving security challenges where traditional cybersecurity meets artificial intelligence, IoT proliferation, and safety-critical infrastructure.

SpeakerBio:  Young Seuk Kim

Husband, father, hacker, gamer. Young’s path into security started like a good game exploit—he wanted to win, bent the rules, and discovered a passion for hacking. He began as a web app security consultant, moved into penetration testing and red teaming, and now works in application security engineering, helping teams build secure systems (and still breaking things for fun). He also dives into all kinds of games and stories, especially fantasy with Eastern martial arts, and loves dissecting media with the same curiosity he brings to code.

SpeakerBio:  Luke Cycon

Luke is a former builder turned security engineer at Amazon, focused on web, cloud, and embedded device security. He came up building things before he discovered that breaking them taught him more about how they really work. These days he likes to poke at things until they misbehave, then help the builders make sure it doesn’t happen twice. Off the clock, you’ll find him tinkering with hardware, firing lasers at something, and celebrating each fixed bug with a bit too much whisky.




Wi-Fight Club: I am Jack’s Evil Twin

Workshop Map Page – LVCCW Level 2 W222 (Workshops)
When:  Saturday, Aug 8, 09:00 – 12:59 PDT

Creator: DEF CON Workshops

‘Wi-Fight Club: I am Jack’s Evil Twin’ will teach you how to deploy rogue AP (Evil Twins) in your client’s environment. Using rogue APs lets you test your client’s Wireless Intrusion Detection System, passwords, wireless phishing education, and overall wireless security.

We will discuss rogue AP Tactics, Techniques, and Procedures, and how / why they work. In this workshop you will set up a CAPTIVE PORTAL, WPA2, and 802.1x rogue AP. We will also go over OWE and WPA3-SAE transition mode attacks.

We will walk through a scenario at a client’s site, then set up a rogue AP to harvest user credentials for the various client networks. We will then crack the harvested credentials. We will finish up with a section on defense. We will be using EAPHAMMER, HOSTAPD-MANA, WIFIPHISHER, and AIRBASE-NG for the rogue AP section. HASHCAT, AIRCRACK-NG, and JOHN for the password cracking section. This workshop is for beginners, but participants should have basic Linux and 802.11 knowledge and be comfortable using virtual machines.

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/sat_am_ws8_4004

People:
    SpeakerBio:  James Hawk

James Hawk (He/Him) is a Principal Consultant with Google Public Sector within Proactive Services. He is the wireless subject matter expert for his team. James has led and contributed to numerous assessments (Red Teams and pentests). He has developed internal training and tool updates for 802.11 for his company. James is a 20-year veteran of the U.S. Army and has over 10 years of hands-on experience in wireless technologies. James is constantly researching/testing 802.11 attacks against his home lab. He is a fan of hockey, LetterKenny, and almost anything sci-fi.

SpeakerBio:  Jon “C4V3M4N” Milkins

Jon Milkins (He/Him) is a principal penetration tester focusing on all types of penetration tests from network-based to web applications and APIs to more recently wireless networks. He has developed training and pentest utilities throughout his career to help advance team capabilities. He is a former Army veteran and is attempting to curate small and efficient rulesets for Hashcat in his free time to aid in wireless hash cracking. In his free time, he enjoys playing and running TTRPGs like Delta Green, password cracking, and making hard cider.

SpeakerBio:  Brian Burnett

Brian Burnett is the founder of Offensive Technical Solutions (OTS) where he conducts web-application, internal network, and cloud penetration tests. Prior to founding OTS, he served five years in the United States Army, followed by seven years supporting internal teams at Fortune 500 companies. Brian holds degrees in computer science, pentesting, theology, and Russian. He enjoys tinkering with his home lab, collecting certifications, and committing poorly written code. His hobbies include Brazilian Jiu-Jitsu, purchasing unnecessary power tools, and CrossFit.




Words As Weapons: Breaking AI and Agents; Then Securing Them

Workshop Map Page – LVCCW Level 2 W229 (Workshops)
When:  Saturday, Aug 8, 09:00 – 12:59 PDT

Creator: DEF CON Workshops

Most “AI security” talks stop at the slide that says “prompt injection is bad.” This workshop does the opposite. Attendees spend four hours inside a working, vulnerable production-style AI system – a mock car dealership backed by a real LLM, a real database, and real tool calls – and learn to break it, watch it break, then put it back together with defenses that actually hold. You will: (1) manipulate prices and inventory using direct and indirect prompt injection, (2) reproduce an EchoLeak-style zero-click data exfiltration against a RAG pipeline, (3) execute a model-extraction attack against a deployed classifier, and Each of these modules will layer in defenses one at a time to see how the AI reacts. We close by mapping everything to OWASP LLM Top 10, OWASP Agentic Top 10, NIST AI RMF, and MITRE ATLAS. Built for red teamers handed AI in scope, blue teamers watching agents deploy faster than detections exist, AppSec engineers who used to own the API and now own a chat window, and developers curious what “prompt injection” looks like when it costs money. No prior AI-security background required.

Links:
    Registration (July 14, 2026, Noon US Pacific) – https://events.humanitix.com/sat_am_ws2_4095

People:
    SpeakerBio:  Pavan “pavanreddysec” Reddy

Pavan Reddy is principal developer at Automata LLC, leading FIPS 140-3, FedRAMP ATO, and AI security initiatives. He is an independent AI security researcher and educator focused on making secure AI accessible at scale. He founded QBTrain, a free platform for hands-on AI and AI security education. His peer-reviewed work, published at AAAI, ACM, FLAIRS, HCII, ACSAC, and NeurIPS, spans adversarial ML, prompt injection, and foundation model vulnerabilities. He has delivered 25+ talks and workshops at BSides, OWASP, SquadCon, CAPWIC, ACM SIGCITE, NeurIPS Education, FLAIRS, CVPR 2026 and TechMentor at Microsoft HQ. He holds an MS in CS from George Washington University.