Talk/Event Schedule


Friday


This Schedule is tentative and may be changed at any time. Check at an Info Booth for the latest.

 

Friday - 06:00 PDT


MISC - Defcon.run -
PGE - Cycle Override -

 

Friday - 07:00 PDT


MISC - cont...(06:00-07:59 PDT) - Defcon.run -
PGE - cont...(06:00-10:59 PDT) - Cycle Override -

 

Friday - 08:00 PDT


MISC - Human Registration Open -
PGE - cont...(06:00-10:59 PDT) - Cycle Override -
RTV - (08:30-09:59 PDT) - Cyber Wargames: King of the Hill -
SEV - (08:30-17:59 PDT) - Social Engineering Community Village - Village Open -
SEV - (08:30-08:59 PDT) - Social Engineering Community Village Greeting and 2025 Badge Overview - Brent "TheDukeZip" Dukes

 

Friday - 09:00 PDT


DCW - Whitebox Web Exploit Dev (WWED) - Cale "calebot" Smith,Luke Cycon,Young Seuk Kim,Priyanka Joshi
DCW - Effectively Detecting Modern Malware with Volatility 3 - Andrew Case,Lauren Pace,Daniel Donze
DCW - Open Source Malware 101 - Everything you always wanted to know about npm malware (and more) - Paul "6mile" McCarty
DCW - Introduction to Cryptographic Attacks - Matt Cheung
DCW - Inside the Threat: Designing and Deploying Malicious Browser Extensions to Understand Their Risk - Or Eshed,Aviad Gispan
DCW - Accelerating Malware Analysis with WinDbg Time Travel Debugging - Joshua "jstrosch" Stroschein,Jae Young Kim
DCW - SnowGoat: Exposing Hidden Security Risks and Leaking Data Like a Threat Actor - Lior Adar,Chen Levy Ben Aroy
DCW - Medical Device Hacking: 201 - Michael "v3ga" Aguilar,Alex "cheet" Delifer
DL - Dyna - Automating the OWASP MASTG with Offensive Android Tactics - Arjun "T3R4_KAAL" Chaudhary,Ayodele Ibidapo
DL - Spotter - Universal Kubernetes Security Scanner and Policy Enforcer - Madhu "madhuakula" Akula
DL - RETCON - Reticulum Embedded Turnkey Connection Operating Node - Daniel "Varx" Beard
DL - TheTimeMachine - Arjun "T3R4_KAAL" Chaudhary,Anmol "Fr13nd0x7f" K. Sachan
DL - SAMLSmith - Eric Woodruff,Tomer Nahum
MISC - cont...(08:00-18:59 PDT) - Human Registration Open -
PGE - cont...(06:00-10:59 PDT) - Cycle Override -
RTV - Cyber Wargames: Strategic Operations -
RTV - cont...(08:30-09:59 PDT) - Cyber Wargames: King of the Hill -
SEV - cont...(08:30-17:59 PDT) - Social Engineering Community Village - Village Open -
SEV - SEC Vishing Competition (SECVC) -

 

Friday - 10:00 PDT


- LHC First Time DEF CON Meetup -
- LHC Capture the Flag -
- Sticker Swap -
BBV - Secret Life of an Automationist: Engineering the Hunt - Gunnar "g0lden" Andrews
BBV - Prompt. Scan. Exploit: AI’s Journey Through Zero-Days and a Thousand Bugs - Diego "djurado" Jurado,Joel "niemand_sec" Noguera
BBV - Becoming a Caido Power User - Justin "rhynorater" Gardner
BHV - (10:30-10:59 PDT) - Quantum-Resistant Healthcare - Katarina Amrichova
CON - Aw, man...pages! -
CON - Hac-Mac Contest Booth Open -
CPV - Crypto Privacy Village: Welcome - Crypto Privacy Village Staff
CRE - AML Cryptocurrency Compliance - Joseph,Chelsea Button
CRE - WipeOut XL hi-score tournament -
CRE - Career Fair: Interview Tips and Referral - Krity Kharbanda,Aastha Sahni
CRE - (10:15-10:59 PDT) - Silent Sabotage: How Nation-State Hackers Turn Human Error into Catastrophic Failures - Nathan Case,Jon McCoy
CRE - Memorial Chamber Open -
DCT - Welcome to DEF CON 33! - Jeff "The Dark Tangent" Moss
DCT - (10:30-11:15 PDT) - DC101 Panel -
DCT - Remote code execution via MIDI messages - Anna portasynthinca3 Antonenko
DCT - BitUnlocker: Leveraging Windows Recovery to Extract BitLocker Secrets - Alon "alon_leviev" Leviev,Netanel Ben Simon
DCT - Paywall Optional: Stream for Free with a New Technique, Recursive Request Exploits (RRE) - Farzan Karimi
DCT - (10:30-11:15 PDT) - No VPN Needed? Cryptographic Attacks Against the OPC UA Protocol - Tom Tervoort
DCT - The One Bitcoin Heist: Making a custom Hashcat module to solve a decade-old puzzle challenge - Joseph "stoppingcart" Gabay
DCW - cont...(09:00-12:59 PDT) - Whitebox Web Exploit Dev (WWED) - Cale "calebot" Smith,Luke Cycon,Young Seuk Kim,Priyanka Joshi
DCW - cont...(09:00-12:59 PDT) - Effectively Detecting Modern Malware with Volatility 3 - Andrew Case,Lauren Pace,Daniel Donze
DCW - cont...(09:00-12:59 PDT) - Open Source Malware 101 - Everything you always wanted to know about npm malware (and more) - Paul "6mile" McCarty
DCW - cont...(09:00-12:59 PDT) - Introduction to Cryptographic Attacks - Matt Cheung
DCW - cont...(09:00-12:59 PDT) - Inside the Threat: Designing and Deploying Malicious Browser Extensions to Understand Their Risk - Or Eshed,Aviad Gispan
DCW - cont...(09:00-12:59 PDT) - Accelerating Malware Analysis with WinDbg Time Travel Debugging - Joshua "jstrosch" Stroschein,Jae Young Kim
DCW - cont...(09:00-12:59 PDT) - SnowGoat: Exposing Hidden Security Risks and Leaking Data Like a Threat Actor - Lior Adar,Chen Levy Ben Aroy
DCW - cont...(09:00-12:59 PDT) - Medical Device Hacking: 201 - Michael "v3ga" Aguilar,Alex "cheet" Delifer
DDV - DDV open and accepting drives for duplication -
DL - AIMaL - Artificially Intelligent Malware Launcher - Endrit Shaqiri,Natyra Shaqiri
DL - AirBleed - Covert Bluetooth Plist Payload Injection - Ray "CURZE$" Cervantes,Yvonne "Von Marie" Cervantes
DL - RETCON - Reticulum Embedded Turnkey Connection Operating Node - Daniel "Varx" Beard
DL - Attack Flow and Root Cause Discovery - No LLMs, No Queries, Just Explainable ML - Ezz Tahoun,Kevin Shi
DL - SAMLSmith - Eric Woodruff,Tomer Nahum
ICSV - (10:30-10:59 PDT) - Hull Integrity: Applying MOSAICS to Naval Mission Systems - Michael Frank
ICSV - Safeguarding the Industrial Frontier: OT SOC & Incident Response - Adam Robbie
ICSV - Fear vs. Physics: Diagnosing Grid Chaos - Emma Stewart
IOTV - (10:30-10:59 PDT) - 10 Years of IoT Village: Insights in the World of IoT - Stephen Bono,Rachael Tubbs
MISC - cont...(08:00-18:59 PDT) - Human Registration Open -
MISC - Lost & Found -
MISC - (10:30-11:30 PDT) - AixCC Award Announcement -
MISC - Book Signing - Adversary Emulation with MITRE ATT&CK - Drinor Selmanaj - Drinor Selmanaj
MISC - Book Signing - Cyber Calendar 2026 - Chris DeCarmen/Squared Away LLC - Chris DeCarmen
MWV - Break Systems, Not Promises: I promised to do a keynote at DEF CON - Lena "LambdaMamba" Yu
MWV - Getting started in Malware Analysis with Ghidra - Wesley McGrew
MWV - (10:40-11:10 PDT) - Malware Matryoshka: Nested Obfuscation Techniques - Brian Baskin
PAYV - (10:15-10:30 PDT) - Intro to village - Leigh-Anne Galloway
PAYV - (10:30-10:59 PDT) - Card testing workshop - Vince Sloan
PGE - cont...(06:00-10:59 PDT) - Cycle Override -
QTV - QC Intro - Sohum Thakkar
RTV - cont...(09:00-14:59 PDT) - Cyber Wargames: Strategic Operations -
SEV - cont...(08:30-17:59 PDT) - Social Engineering Community Village - Village Open -
SEV - cont...(09:00-11:59 PDT) - SEC Vishing Competition (SECVC) -

 

Friday - 11:00 PDT


- cont...(10:00-12:59 PDT) - Sticker Swap -
- cont...(10:00-11:59 PDT) - LHC Capture the Flag -
ADV - From adversarial to aligned, redefining purple teaming for maximum impact - Adam Pennington,Sydney Marrone,Lauren Proehl
BBV - Attacking AI - Jason "jhaddix" Haddix
BHV - accessDenied: Step Into the Scenario. Deal the Consequences. - Jack Voltaic
CON - cont...(10:00-11:59 PDT) - Aw, man...pages! -
CON - cont...(10:00-17:59 PDT) - Hac-Mac Contest Booth Open -
CRE - cont...(10:00-11:50 PDT) - AML Cryptocurrency Compliance - Joseph,Chelsea Button
CRE - cont...(10:00-17:59 PDT) - WipeOut XL hi-score tournament -
CRE - cont...(10:00-17:59 PDT) - Career Fair: Interview Tips and Referral - Krity Kharbanda,Aastha Sahni
CRE - Cryptocurrency Opening Keynote - Michael "MSvB" Schloh von Bennewitz,Chad Calease,Param D Pithadia
CRE - cont...(10:00-17:59 PDT) - Memorial Chamber Open -
DCT - cont...(10:30-11:15 PDT) - DC101 Panel -
DCT - Virtualization-Based (In)security - Weaponizing VBS Enclaves - Ori David
DCT - cont...(10:30-11:15 PDT) - No VPN Needed? Cryptographic Attacks Against the OPC UA Protocol - Tom Tervoort
DCT - (11:30-12:15 PDT) - ChromeAlone: Transforming a Browser into a C2 Platform - Michael "bouncyhat" Weber
DCT - Inside Look at a Chinese Operational Relay Network - Michael "mtu" Torres,Zane "earl" Hoffman
DCW - cont...(09:00-12:59 PDT) - Whitebox Web Exploit Dev (WWED) - Cale "calebot" Smith,Luke Cycon,Young Seuk Kim,Priyanka Joshi
DCW - cont...(09:00-12:59 PDT) - Effectively Detecting Modern Malware with Volatility 3 - Andrew Case,Lauren Pace,Daniel Donze
DCW - cont...(09:00-12:59 PDT) - Open Source Malware 101 - Everything you always wanted to know about npm malware (and more) - Paul "6mile" McCarty
DCW - cont...(09:00-12:59 PDT) - Introduction to Cryptographic Attacks - Matt Cheung
DCW - cont...(09:00-12:59 PDT) - Inside the Threat: Designing and Deploying Malicious Browser Extensions to Understand Their Risk - Or Eshed,Aviad Gispan
DCW - cont...(09:00-12:59 PDT) - Accelerating Malware Analysis with WinDbg Time Travel Debugging - Joshua "jstrosch" Stroschein,Jae Young Kim
DCW - cont...(09:00-12:59 PDT) - SnowGoat: Exposing Hidden Security Risks and Leaking Data Like a Threat Actor - Lior Adar,Chen Levy Ben Aroy
DCW - cont...(09:00-12:59 PDT) - Medical Device Hacking: 201 - Michael "v3ga" Aguilar,Alex "cheet" Delifer
DDV - cont...(10:00-16:59 PDT) - DDV open and accepting drives for duplication -
DL - Blackdagger - Cyber Workflow Automation Framework - Mahmut "ErdemOzgen" Erdem Ozgen,Ata Seren
DL - BOAZ - A Multilayered Approach to AV/EDR Evasion Engineering - Thomas "XM20" Xuan Meng
DL - C4 - Cross Compatible Command and Control - Scott "ScottCTaylor12" Taylor
DL - Caldera for OT - Oops! All Software - Devon Colmer,Tony Webber
DL - rev.ng Decompiler - Pietro Fezzardi,Alessandro Di Federico
IOTV - (11:45-12:30 PDT) - Never enough about cameras - The firmware encryption keys hidden under the rug - Alexandru Lazar
IOTV - Go Malware Meets IoT: Challenges, Blind Spots, and Botnets - Asher Davila
MISC - cont...(08:00-18:59 PDT) - Human Registration Open -
MISC - cont...(10:30-11:30 PDT) - AixCC Award Announcement -
MISC - Book Signing - Jon DiMaggio/ No Starch Press - Jon DiMaggio
MISC - Book Signing - Supply Chain Software Security-AI, IoT and Application Security - Aamiruddin Syed/Apres Media LLC - Aamiruddin Syed
MWV - cont...(10:00-12:59 PDT) - Getting started in Malware Analysis with Ghidra - Wesley McGrew
MWV - cont...(10:40-11:10 PDT) - Malware Matryoshka: Nested Obfuscation Techniques - Brian Baskin
MWV - (11:20-11:50 PDT) - Cryptography is hard: Breaking the DoNex ransomware - Gijs Rijnders
PAYV - BT hacking - Dan Bongiorno
PAYV - Carding is Dead, Long Live Carding: How MaaS is fueling NFC relay attacks - Federico Valentini,Alessandro Strino
PAYV - More is less -
PLV - State of Open Source in the Federal Government - Jordan Kasper
PLV - (11:45-12:30 PDT) - Dark Capabilities: When Tech Companies Become Threat Actors - Tom Cross,Greg Conti
RTV - cont...(09:00-14:59 PDT) - Cyber Wargames: Strategic Operations -
RTV - Mind vs. Machine: Finding the Sweet Spot in Modern Red Teaming - Ben "nahamsec" Sadeghipour,Ryan "0day" Montgomery,Tyler Ramsbey,William Giles
SEV - cont...(08:30-17:59 PDT) - Social Engineering Community Village - Village Open -
SEV - cont...(09:00-11:59 PDT) - SEC Vishing Competition (SECVC) -

 

Friday - 12:00 PDT


- cont...(10:00-12:59 PDT) - Sticker Swap -
BBV - Voices from the Frontlines: Managing Bug Bounties at Scale - Gabriel Nitu,Jay Dancer,Tyson Laa Deng,Ryan Nolette,Goshak
BBV - Nuclei: Beyond The Basic Templates - Ben "nahamsec" Sadeghipour,Adam "BuildHackSecure" Langley
BHV - cont...(11:00-15:59 PDT) - accessDenied: Step Into the Scenario. Deal the Consequences. - Jack Voltaic
CHV - (12:30-12:59 PDT) - How API flaws led to admin access to over 1,000 USA dealers and control over your car - Eaton Zveare
CON - Kubernetes Learning CTF (Non-competitive) w/ Support -
CON - cont...(10:00-17:59 PDT) - Hac-Mac Contest Booth Open -
CPV - Behind The Dashboard - (Lack Of) Automotive Privacy - Lior ZL,Jacob Avidar
CPV - (12:30-12:59 PDT) - Back to Basics: Building Resilient Cyber Defenses - Yael Grauer
CRE - Red Teaming Financial Defenses - Wei Hong,Chloe Chong
CRE - cont...(10:00-17:59 PDT) - WipeOut XL hi-score tournament -
CRE - cont...(10:00-17:59 PDT) - Career Fair: Interview Tips and Referral - Krity Kharbanda,Aastha Sahni
CRE - Tunnelpocalypse - Rich Compton
CRE - cont...(10:00-17:59 PDT) - Memorial Chamber Open -
DCT - (12:30-13:15 PDT) - Ghosts in the Machine Check - Conjuring Hardware Failures for Cross-ring Privilege Escalation - Christopher "xoreaxeaxeax" Domas
DCT - Ghost Calls: Abusing Web Conferencing for Covert Command & Control - Adam "UNC1739" Crosser
DCT - Safe Harbor or Hostile Waters: Unveiling the Hidden Perils of the TorchScript Engine in PyTorch - Ji'an "azraelxuemo" Zhou,Lishuo "ret2ddme" Song
DCT - cont...(11:30-12:15 PDT) - ChromeAlone: Transforming a Browser into a C2 Platform - Michael "bouncyhat" Weber
DCT - (12:30-13:15 PDT) - Cash, Drugs, and Guns: Why Your Safes Aren't Safe - Mark Omo,James Rowley
DCT - The Ultimate Hack: Applying Lessons Learned from the loss of TITAN to Maritime Cybersecurity - Rear Admiral John Mauger
DCT - (12:30-13:15 PDT) - Edge of Tomorrow: Foiling Large Supply Chain Attacks By Taking 5k Abandoned S3 Buckets from Malware and Benign Software - Maksim Shudrak
DCW - cont...(09:00-12:59 PDT) - Whitebox Web Exploit Dev (WWED) - Cale "calebot" Smith,Luke Cycon,Young Seuk Kim,Priyanka Joshi
DCW - cont...(09:00-12:59 PDT) - Effectively Detecting Modern Malware with Volatility 3 - Andrew Case,Lauren Pace,Daniel Donze
DCW - cont...(09:00-12:59 PDT) - Open Source Malware 101 - Everything you always wanted to know about npm malware (and more) - Paul "6mile" McCarty
DCW - cont...(09:00-12:59 PDT) - Introduction to Cryptographic Attacks - Matt Cheung
DCW - cont...(09:00-12:59 PDT) - Inside the Threat: Designing and Deploying Malicious Browser Extensions to Understand Their Risk - Or Eshed,Aviad Gispan
DCW - cont...(09:00-12:59 PDT) - Accelerating Malware Analysis with WinDbg Time Travel Debugging - Joshua "jstrosch" Stroschein,Jae Young Kim
DCW - cont...(09:00-12:59 PDT) - SnowGoat: Exposing Hidden Security Risks and Leaking Data Like a Threat Actor - Lior Adar,Chen Levy Ben Aroy
DCW - cont...(09:00-12:59 PDT) - Medical Device Hacking: 201 - Michael "v3ga" Aguilar,Alex "cheet" Delifer
DDV - cont...(10:00-16:59 PDT) - DDV open and accepting drives for duplication -
DL - Copycat - Identity Stealer Extension - Dakshitaa Babu,Shourya Pratap Singh
DL - DVBE - Damn Vulnerable Browser Extension - Abhinav Khanna
DL - Empire 6.0 - Vincent "Vinnybod" Rose,Jake "Hubble" Krasnov
DL - EntraGoat - A Deliberately Vulnerable Entra ID Environment - Tomer Nahum,Jonathan Elkabas
DL - FLARE-VM - Joshua "jstrosch" Stroschein,Elliot Chernofsky
IOTV - cont...(11:45-12:30 PDT) - Never enough about cameras - The firmware encryption keys hidden under the rug - Alexandru Lazar
MISC - cont...(08:00-18:59 PDT) - Human Registration Open -
MISC - Book Signing - Travis Goodspeed/No Starch Press - Travis Goodspeed
MISC - Book Signing - Firewalls Don't Stop Dragons: A Step-by-Step Guide to Computer Security and Privacy for Non-Techies (5th ed) - Carey Parker - Carey Parker
MWV - cont...(10:00-12:59 PDT) - Getting started in Malware Analysis with Ghidra - Wesley McGrew
MWV - KeePass, weaponized - Juho Jauhiainen
MWV - (12:40-13:10 PDT) - Grandoreiro & friends: brazilian banking trojans tour outside Latin America - Josep Albors
PAYV - Risk and payments across the ecosystem - Gary Kao
PGE - Friends of Bill W -
PLV - cont...(11:45-12:30 PDT) - Dark Capabilities: When Tech Companies Become Threat Actors - Tom Cross,Greg Conti
PSV - Flipping Locks - Remote Badge Cloning with the Flipper Zero and More - Langston Clements,Dan Goga
QTV - EduQ: A DIY Self-Education Platform for Hackers to Break, Build, and Experiment with Quantum-Secured Networks - Yann Allain
RTV - cont...(09:00-14:59 PDT) - Cyber Wargames: Strategic Operations -
RTV - AIMaL: Artificially Intelligent Malware Launcher - Endrit Shaqiri,Natyra Shaqiri
RTV - GlytchC2: Command execution and data exfiltration of any kind through live streaming platforms - Anıl Çelik,Emre Odaman
RTV - Instant API Hacker! - Corey Ball
RTV - Vector Space Manipulation in LLMs - Muhammad Mudassar Yamin
RTV - Bridge to Nowhere Good: When Azure Relay becomes a Red Teamer's highway - Edward Landers,Josh Huff,Robert Pimentel
RTV - Don't be LLaMe - The basics of attacking LLMs in your Red Team exercises - Alex Bernier,Brent Harrell
RTV - Stealing Browser Cookies: Bypassing the newest Chrome security measures - Rafael Felix
RTV - OSINT for Hackers - Lee McWhorter,Sandra Stibbards
SEV - cont...(08:30-17:59 PDT) - Social Engineering Community Village - Village Open -
SEV - Improv -

 

Friday - 13:00 PDT


- (13:15-13:59 PDT) - Hard Hat Brigade Creations Q&A - MrBill,M0nkeyDrag0n,Hydrox,CoD_Segfault
BBV - (13:30-14:30 PDT) - Creator Panel Discussion - Ben "nahamsec" Sadeghipour,Justin "rhynorater" Gardner,Katie "InsiderPhD" Paxton-Fear
BHV - cont...(11:00-15:59 PDT) - accessDenied: Step Into the Scenario. Deal the Consequences. - Jack Voltaic
BHV - (13:45-14:30 PDT) - Digital Casualties: Documenting Cyber-Induced Patient Harm in Modern Healthcare - Jorge Acevedo Canabal,Scott Shackleford,Joseph Davis
CON - Pub Quiz at DEF CON -
CON - cont...(12:00-16:59 PDT) - Kubernetes Learning CTF (Non-competitive) w/ Support -
CON - cont...(10:00-17:59 PDT) - Hac-Mac Contest Booth Open -
CPV - A Tale of Weeds and Roses: Propagating the Right Data Protection Agreements with Vendors - Irene Mo,Alyssa Coley
CRE - cont...(12:00-13:50 PDT) - Red Teaming Financial Defenses - Wei Hong,Chloe Chong
CRE - cont...(10:00-17:59 PDT) - WipeOut XL hi-score tournament -
CRE - cont...(10:00-17:59 PDT) - Career Fair: Interview Tips and Referral - Krity Kharbanda,Aastha Sahni
CRE - Rebuild The World: Access to secure software dependency management everywhere with Nix - Tom Berek,Farid Zakaria,Daniel Baker
CRE - cont...(10:00-17:59 PDT) - Memorial Chamber Open -
DCT - cont...(12:30-13:15 PDT) - Ghosts in the Machine Check - Conjuring Hardware Failures for Cross-ring Privilege Escalation - Christopher "xoreaxeaxeax" Domas
DCT - (13:30-14:15 PDT) - Recording PCAPs from Stingrays With a $20 Hotspot - Cooper "CyberTiger" Quintin,oopsbagel
DCT - What is Dead May Never Die: The Ghost of Internet Explorer in Windows: MapUrlToZone - George Hughey,Rohit Mothe
DCT - Advanced Active Directory to Entra ID lateral movement techniques - Dirk-jan Mollema
DCT - cont...(12:30-13:15 PDT) - Cash, Drugs, and Guns: Why Your Safes Aren't Safe - Mark Omo,James Rowley
DCT - (13:30-14:15 PDT) - Dead Made Alive Again: Bypassing Intent Destination Checks and Reintroducing LaunchAnyWhere Privilege Escalation - Qidan "flanker_hqd" He
DCT - cont...(12:30-13:15 PDT) - Edge of Tomorrow: Foiling Large Supply Chain Attacks By Taking 5k Abandoned S3 Buckets from Malware and Benign Software - Maksim Shudrak
DCT - (13:30-14:15 PDT) - Weaponizing Trust: Investigating a Threat Actor Targeting Security Researchers and Academics - Christophe Tafani-Dereeper,Matt Muir
DDV - cont...(10:00-16:59 PDT) - DDV open and accepting drives for duplication -
DDV - Tracking 300k+ drives: What we’ve learned after 13 years - Pat Patterson,Stephanie Doyle
DL - Cryptosploit - Matt Cheung
DL - Have I Been Ransomed? - Juanma "M4C" Tejada
DL - Lex Sleuther - Aaron "KNOX" James
DL - Messenger - Proxies Here There and Everywhere - Skyler Knecht,Kevin Clark
DL - Unmanned Wireless Penetration Testing Device - Ayaan Qayyum,Omar Hamoudeh
HRV - Free Ham Radio Exams -
IOTV - What is Dead May Never Die: The Immortality of SDK Bugs - Richard "HeadlessZeke" Lawshae,Chiao-Lin "Steven Meow" Yu,Kai-Ching "Keniver" Wang
MISC - cont...(08:00-18:59 PDT) - Human Registration Open -
MISC - Book Signing - Nick Aleks/No Starch Press - Nick Aleks
MISC - Book Signing - Alex Matrosov/No Starch Press - Alex Matrosov
MWV - cont...(12:40-13:10 PDT) - Grandoreiro & friends: brazilian banking trojans tour outside Latin America - Josep Albors
MWV - (13:40-13:55 PDT) - Using Stardew Valley mods as a C2 and infostealer - Gecko
PHV - Teaching Your Reverse Proxy to Think: Fingerprint-Based Bot Blocking & Dynamic Deception - Adel Karimi
PLV - Takes All Kinds: Building Onramps for Emergency Web Archiving in Ukraine and Beyond - Quinn Dombrowski
PLV - (13:45-14:30 PDT) - Third-Party Access Granted: A Postmortem on Student Privacy and the Exploit That’s Still in Production - Sharlene Toney
RTV - cont...(09:00-14:59 PDT) - Cyber Wargames: Strategic Operations -
RTV - cont...(12:00-13:50 PDT) - AIMaL: Artificially Intelligent Malware Launcher - Endrit Shaqiri,Natyra Shaqiri
RTV - cont...(12:00-13:50 PDT) - GlytchC2: Command execution and data exfiltration of any kind through live streaming platforms - Anıl Çelik,Emre Odaman
RTV - cont...(12:00-15:50 PDT) - Instant API Hacker! - Corey Ball
RTV - cont...(12:00-13:50 PDT) - Vector Space Manipulation in LLMs - Muhammad Mudassar Yamin
RTV - cont...(12:00-13:50 PDT) - Bridge to Nowhere Good: When Azure Relay becomes a Red Teamer's highway - Edward Landers,Josh Huff,Robert Pimentel
RTV - Weaponizing Kestrel: Red Team Tradecraft for Hunting - Daniel Benavides,Ronald González
RTV - Red Teaming Kubernetes: From App-Level CVEs to Full Cluster Takeover - Lenin Alevski
RTV - cont...(12:00-13:50 PDT) - OSINT for Hackers - Lee McWhorter,Sandra Stibbards
SEV - cont...(08:30-17:59 PDT) - Social Engineering Community Village - Village Open -
SEV - cont...(12:00-13:30 PDT) - Improv -
SEV - (13:30-15:30 PDT) - SEC Vishing Competition (SECVC) -

 

Friday - 14:00 PDT


BBV - Securing Intelligence: How hackers are breaking modern AI systems … and how bug bounty programs can keep up - Dane Sherrets,Shlomie Liberow
BBV - cont...(13:30-14:30 PDT) - Creator Panel Discussion - Ben "nahamsec" Sadeghipour,Justin "rhynorater" Gardner,Katie "InsiderPhD" Paxton-Fear
BBV - (14:30-15:30 PDT) - Testing Trust Relationships: Breaking Network Boundaries - Michael Gianarakis,Jordan Macey
BHV - cont...(11:00-15:59 PDT) - accessDenied: Step Into the Scenario. Deal the Consequences. - Jack Voltaic
BHV - cont...(13:45-14:30 PDT) - Digital Casualties: Documenting Cyber-Induced Patient Harm in Modern Healthcare - Jorge Acevedo Canabal,Scott Shackleford,Joseph Davis
CHV - (14:30-14:59 PDT) - Modern Odometer Manipulation - collin,oblivion
CON - cont...(13:00-14:59 PDT) - Pub Quiz at DEF CON -
CON - cont...(12:00-16:59 PDT) - Kubernetes Learning CTF (Non-competitive) w/ Support -
CON - cont...(10:00-17:59 PDT) - Hac-Mac Contest Booth Open -
CPV - (14:30-14:59 PDT) - QRAMM: The Cryptographic Migration to a Post-Quantum World - Emily Fane,Abdel Sy Fane
CRE - Evolution and History of Drain and Approval Attacks - utvecklas,George
CRE - cont...(10:00-17:59 PDT) - WipeOut XL hi-score tournament -
CRE - cont...(10:00-17:59 PDT) - Career Fair: Interview Tips and Referral - Krity Kharbanda,Aastha Sahni
CRE - Off-Grid Datarunning in Oppressive Regimes: Sneakernet and Pirate Box - Robert "LambdaCalculus" Menes
CRE - (14:45-15:30 PDT) - Introduction of Loong Community & Financial Identity crime (deepfake) regulation of different jurisdictions - Noel Wong,KC Wong
CRE - cont...(10:00-17:59 PDT) - Memorial Chamber Open -
DCT - cont...(13:30-14:15 PDT) - Recording PCAPs from Stingrays With a $20 Hotspot - Cooper "CyberTiger" Quintin,oopsbagel
DCT - DisguiseDelimit: Exploiting Synology NAS with Delimiters and Novel Tricks - Ryan Emmons
DCT - You snooze you lose: RPC-Racer winning RPC endpoints against services - Ron Ben Yizhak
DCT - cont...(13:30-14:15 PDT) - Dead Made Alive Again: Bypassing Intent Destination Checks and Reintroducing LaunchAnyWhere Privilege Escalation - Qidan "flanker_hqd" He
DCT - (14:30-15:15 PDT) - Siri-ously Leaky: Exploring Overlooked Attack Surfaces Across Apple's Ecosystem - Richard "richeeta" Hyunho Im
DCT - cont...(13:30-14:15 PDT) - Weaponizing Trust: Investigating a Threat Actor Targeting Security Researchers and Academics - Christophe Tafani-Dereeper,Matt Muir
DCT - (14:30-15:15 PDT) - Firewalls Under Fire: China's 5+ year campaign to penetrate perimeter network defenses - Andrew "Spike" Brandt
DCW - Contextualizing alerts with relevant logs and events without queries or LLMs - Ezz Tahoun
DCW - 64-bit Intel Assembly Language Programming for Hackers - Wesley McGrew
DCW - PLC Playground: Hands-On Industrial Control Systems Attacks - Anthony "Coin" Rose,Daniel Koranek,Tyler Bertles,César Ramirez 
DCW - Hands-on Kubernetes Attack & Defense Masterclass - Madhu "madhuakula" Akula
DCW - Analyzing and Creating Windows Shellcode for Hackers - Bramwell Brizendine,Austin Norby,Logan Cannan
DCW - Obfuscation Reloaded: Modern Techniques for Evading Detection - Jake "Hubble" Krasnov,Vincent "Vinnybod" Rose,Gannon "Dorf" Gebauer,Rey "Privesc" Bango
DCW - Dive into Windows Library Loading - Yoann "OtterHacker" DEQUEKER
DCW - Fine Tune your personal LLM assistant to Secure coding - Or Sahar,Yariv Tal
DDV - cont...(10:00-16:59 PDT) - DDV open and accepting drives for duplication -
DL - Metasploit's Latest Attack Capability and Workflow Improvements - Spencer "ZeroSteiner" McIntyre,Jack Heysel
DL - MPIT - Matrix Prompt Injection Tool and ShinoLLMApps - Shota "Sh1n0g1" Shinogi,Sasuke "Element138" Kondo
DL - Nebula - 4 Years and Still Kicking *aaS - Bleon "Gl4ssesbo1" Proko
DL - nRootTag - Exploiting Find My and Transforming Computers Into Unauthorized Trackers - Junming "Chapoly1305" Chen,Qiang Zeng
DL - OAuthSeeker - Adam "UNC1739" Crosser
GHV - Game Hacking 101 - Julian "Julez" Dunning
HRV - cont...(13:00-15:59 PDT) - Free Ham Radio Exams -
MISC - cont...(08:00-18:59 PDT) - Human Registration Open -
MISC - Book Signing - Philip Dunsey/No Starch Press - Philip Dunsey
MISC - Book Signing - Alfie Champion/No Starch Press - Alfie Champion
MWV - The creation of the Malmongotchi badge - Austin Worline
MWV - Binary exploitation basics - Leigh Trinity
MWV - (14:30-14:59 PDT) - Compromising Threat Actor Communications - Ben "polygonben" Folland
PAYV - The challenges of Sub-dermal Payments - Amal Graafstra
PLV - cont...(13:45-14:30 PDT) - Third-Party Access Granted: A Postmortem on Student Privacy and the Exploit That’s Still in Production - Sharlene Toney
PSV - Hacking Hotel Locks; The Saflok Vulnerabilities Expanded - Noah Holland,Josh Stiebel
RTV - cont...(09:00-14:59 PDT) - Cyber Wargames: Strategic Operations -
RTV - Initial Access Tactics on MacOS - Adwiteeya Agrawal,Jianqiang (Stark) Li
RTV - Stealing Browser Cookies: Bypassing the newest Chrome security measures - Rafael Felix
RTV - cont...(12:00-15:50 PDT) - Instant API Hacker! - Corey Ball
RTV - A Look into Using Native Godot Calls to Create Malware - Aaron Hogan
RTV - Hack the Clock: Automating CVE Exploit searches to save time, money, and not get bored. - Jordan Bonagura
RTV - Leveraging AI and MCP Servers for Automated External Attack Surface Testing - Shane Krause
RTV - ModuleOverride – Changing a Tyre Whilst Driving - Alessandro Grisa,Ibai Castells
RTV - Adversary Intel Lab: Build Your First Threat Emulation Plan - Fredrik Sandström
SEV - cont...(08:30-17:59 PDT) - Social Engineering Community Village - Village Open -
SEV - cont...(13:30-15:30 PDT) - SEC Vishing Competition (SECVC) -

 

Friday - 15:00 PDT


ADV - Adversaries at War: Tactics, technologies, and lessons from modern battlefields - Gregory Carpenter,Barb Hirz,Bret Fowler,John Andre Bjørkhaug,John Johnson,Michael Tassey
ADV - (15:45-16:30 PDT) - Adversarial mindset, thinking like an attacker is no longer optional - Abhijith "Abx" B R,Keenan Skelly
ASV - VDP in Aviation - How it shouldn't be done! - Matt Gaffney
BBV - cont...(14:30-15:30 PDT) - Testing Trust Relationships: Breaking Network Boundaries - Michael Gianarakis,Jordan Macey
BBV - (15:30-15:59 PDT) - The Year of the Bounty Desktop: Bugs from Binaries - Parsia "CryptoGangsta" Hakimian
BHV - cont...(11:00-15:59 PDT) - accessDenied: Step Into the Scenario. Deal the Consequences. - Jack Voltaic
CON - cont...(12:00-16:59 PDT) - Kubernetes Learning CTF (Non-competitive) w/ Support -
CON - cont...(10:00-17:59 PDT) - Hac-Mac Contest Booth Open -
CRE - cont...(14:00-15:50 PDT) - Evolution and History of Drain and Approval Attacks - utvecklas,George
CRE - cont...(10:00-17:59 PDT) - WipeOut XL hi-score tournament -
CRE - (15:30-16:30 PDT) - EFF/Hackers.town RayHunter build clinic -
CRE - cont...(10:00-17:59 PDT) - Career Fair: Interview Tips and Referral - Krity Kharbanda,Aastha Sahni
CRE - cont...(14:45-15:30 PDT) - Introduction of Loong Community & Financial Identity crime (deepfake) regulation of different jurisdictions - Noel Wong,KC Wong
CRE - (15:30-15:59 PDT) - Grind vs Gleam: Building Reddit's DDoS Resilience - Pratik Lotia,Spencer Koch
CRE - cont...(10:00-17:59 PDT) - Memorial Chamber Open -
DCT - (15:30-16:15 PDT) - Mastering Apple's Endpoint Security for Advanced macOS Malware Detection - Patrick Wardle
DCT - Gateways to Chaos - How We Proved Modems Are a Ticking Time Bomb That Hackers Can Access Everywhere - Chiao-Lin "Steven Meow" Yu
DCT - From Spoofing to Tunneling: New Red Team's Networking Techniques for Initial Access and Evasion - Shu-Hao, Tung 123ojp
DCT - cont...(14:30-15:15 PDT) - Siri-ously Leaky: Exploring Overlooked Attack Surfaces Across Apple's Ecosystem - Richard "richeeta" Hyunho Im
DCT - (15:30-16:15 PDT) - Unmasking the Snitch Puck: the creepy IoT surveillance tech in the school bathroom - Reynaldo "buh0",nyx
DCT - cont...(14:30-15:15 PDT) - Firewalls Under Fire: China's 5+ year campaign to penetrate perimeter network defenses - Andrew "Spike" Brandt
DCT - (15:30-16:15 PDT) - So Long, and Thanks for All the Phish - Harrison Sand,Erlend Leiknes
DCW - cont...(14:00-17:59 PDT) - Contextualizing alerts with relevant logs and events without queries or LLMs - Ezz Tahoun
DCW - cont...(14:00-17:59 PDT) - 64-bit Intel Assembly Language Programming for Hackers - Wesley McGrew
DCW - cont...(14:00-17:59 PDT) - PLC Playground: Hands-On Industrial Control Systems Attacks - Anthony "Coin" Rose,Daniel Koranek,Tyler Bertles,César Ramirez 
DCW - cont...(14:00-17:59 PDT) - Hands-on Kubernetes Attack & Defense Masterclass - Madhu "madhuakula" Akula
DCW - cont...(14:00-17:59 PDT) - Analyzing and Creating Windows Shellcode for Hackers - Bramwell Brizendine,Austin Norby,Logan Cannan
DCW - cont...(14:00-17:59 PDT) - Obfuscation Reloaded: Modern Techniques for Evading Detection - Jake "Hubble" Krasnov,Vincent "Vinnybod" Rose,Gannon "Dorf" Gebauer,Rey "Privesc" Bango
DCW - cont...(14:00-17:59 PDT) - Dive into Windows Library Loading - Yoann "OtterHacker" DEQUEKER
DCW - cont...(14:00-17:59 PDT) - Fine Tune your personal LLM assistant to Secure coding - Or Sahar,Yariv Tal
DDV - cont...(10:00-16:59 PDT) - DDV open and accepting drives for duplication -
DDV - MFT2: More Fungible Threats - Mauro Eldritch,Nelson Colón
DL - WarHead - Vishal "Vish" Thakur,David "Votd_ctf" Wearing
DL - GlytchC2 - Command Execution and Data Exfiltration of Any Kind Through Live Streaming Platforms - Anil Celik,Emre Odaman
DL - Angry Magpie - DLP Bypass Simulator - Jeswin Mathai,Xian Xiang Chang
DL - Robin - The Archaeologist of the Dark Web - Apurv "ASG_Sc0rpi0n" Singh Gautam
DL - Beaconator C2 Framework - Mike "CroodSolutions" Manrod,Ezra "Shammahwoods" Woods
HRV - cont...(13:00-15:59 PDT) - Free Ham Radio Exams -
ICSV - (15:30-15:59 PDT) - Locked Down, Not Locked Out: How I Escaped Your Secure Operator Workstation - Aaron Boyd
IOTV - Contextualizing alerts & logs at scale without queries or LLMs (opensource) - Ezz Tahoun
MHV - Threat Dynamics on the Seas - RADM John Mauger,Michael Sulmeyer,Adam Segal
MHV - (15:45-16:30 PDT) - Fighting the Digital Blockade: A View from Taiwan - Deputy Minister Herming Chiueh,Jason Vogt
MISC - cont...(08:00-18:59 PDT) - Human Registration Open -
MISC - Book Signing - JP Ausmasson/No Starch Press - JP Ausmasson
MISC - Book Signing - Future of Hacking: The Rise of Cybercrime and the Fight to Keep Us Safe - Laura S. Scherling, EdD / Bloomsbury - Laura S. Scherling, EdD
MISC - Book Signing - Daniel Reilly/No Starch Press - Daniel Reilly
MISC - Book Signing - The Hacker Mindset: A 5-Step Methodology for Cracking the System and Achieving Your Dreams - Garrett Gee/Hacker Warehouse - Garrett Gee
MWV - cont...(14:00-17:59 PDT) - Binary exploitation basics - Leigh Trinity
MWV - North Korea's Fur Shop: Poaching for Otters, Beavers, Ferrets and Capybaras - Mauro Eldritch,José Gómez
MWV - (15:50-16:20 PDT) - Silent Sigma: Unraveling Iranian APT's 0-Day Warfare and Covert C2 - Christopher Dio Chavez
PAYV - Passkeys in payments - Dan Pelegro
PLV - What Europeans are doing right about cyber security - Muhammad Mudassar Yamin,Espen Torseth
PLV - (15:45-16:30 PDT) - Secure Code Is Critical Infrastructure: Hacking Policy for the Public Good - Tanya "SheHacksPurple" Janca
RTV - Cyber Wargames: Redteam Rumble -
RTV - cont...(14:00-15:50 PDT) - Initial Access Tactics on MacOS - Adwiteeya Agrawal,Jianqiang (Stark) Li
RTV - cont...(14:00-15:50 PDT) - Stealing Browser Cookies: Bypassing the newest Chrome security measures - Rafael Felix
RTV - cont...(12:00-15:50 PDT) - Instant API Hacker! - Corey Ball
RTV - cont...(14:00-15:50 PDT) - A Look into Using Native Godot Calls to Create Malware - Aaron Hogan
RTV - Hybrid Attack - Jonathan Coradi
RTV - From USB to C2 - Will McGraw
RTV - AI-Powered Web Applications: A New Era in Security – Live Technical Demo - Ilkin Javadov
RTV - EncryptedClientHelloWorld: TLSv1.3 ECH As A Covert C2 Channel - Jose Plascencia
SEV - cont...(08:30-17:59 PDT) - Social Engineering Community Village - Village Open -
SEV - cont...(13:30-15:30 PDT) - SEC Vishing Competition (SECVC) -
SEV - (15:30-15:59 PDT) - Improv -

 

Friday - 16:00 PDT


ADV - cont...(15:45-16:30 PDT) - Adversarial mindset, thinking like an attacker is no longer optional - Abhijith "Abx" B R,Keenan Skelly
ASV - (16:30-16:59 PDT) - Burning, trashing, spacecraft crashing: a collection of vulnerabilities that will end your space mission - Andrzej Olchawa,Milenko Starcik,Ayman Boulaich,Ricardo Fradique
BBV - To Pay or Not to Pay? The Battle Between Bug Bounty & Vulnerability Disclosure Programs - Aaron "scriptingxss" Guzman
BBV - (16:30-16:59 PDT) - Hacking the Edge: Real-World ESI Injection Exploits - Robert "nytr0gen" Vulpe
BHV - Bio-Cryptography is the Game-Genie in a post quantum dystopia - James Utley
CHV - Hacking a head unit with malicious PNG - Danilo Erazo
CHV - (16:30-16:59 PDT) - Context Aware Anomaly Detection in Automotive CAN Without Decoding - Ravi Rajput
CHV - (16:30-16:59 PDT) - Smart Bus Smart Hacking: From Free WiFi to Total Control - Chiao-Lin "Steven Meow" Yu,Kai-Ching "Keniver" Wang
CON - cont...(12:00-16:59 PDT) - Kubernetes Learning CTF (Non-competitive) w/ Support -
CON - cont...(10:00-17:59 PDT) - Hac-Mac Contest Booth Open -
CPV - (16:30-16:59 PDT) - The depths that marketers will plummet to - 4dw@r3
CRE - Applied Cryptocurrency Hardware - Param D Pithadia,Michael "MSvB" Schloh von Bennewitz
CRE - cont...(10:00-17:59 PDT) - WipeOut XL hi-score tournament -
CRE - cont...(15:30-16:30 PDT) - EFF/Hackers.town RayHunter build clinic -
CRE - cont...(10:00-17:59 PDT) - Career Fair: Interview Tips and Referral - Krity Kharbanda,Aastha Sahni
CRE - (16:30-16:59 PDT) - Quiet Confidence: An Introvert's Journey to Technical Public Speaking - Emma Fang
CRE - cont...(10:00-17:59 PDT) - Memorial Chamber Open -
DCT - cont...(15:30-16:15 PDT) - Mastering Apple's Endpoint Security for Advanced macOS Malware Detection - Patrick Wardle
DCT - (16:30-17:15 PDT) - HTTP/1.1 Must Die! The Desync Endgame - James "albinowax" Kettle
DCT - The (Un)Rightful Heir: My dMSA Is Your New Domain Admin - Yuval Gordon
DCT - Infecting the Boot to Own the Kernel: Bootkits and Rootkits Development - Alejandro "TheMalwareGuardian" Vazquez,Maria "drkrysSrng" San Jose
DCT - cont...(15:30-16:15 PDT) - Unmasking the Snitch Puck: the creepy IoT surveillance tech in the school bathroom - Reynaldo "buh0",nyx
DCT - (16:30-17:15 PDT) - Escaping the Privacy Sandbox with Client-Side Deanonymization Attacks - Eugene "spaceraccoon" Lim
DCT - cont...(15:30-16:15 PDT) - So Long, and Thanks for All the Phish - Harrison Sand,Erlend Leiknes
DCT - (16:30-16:50 PDT) - Killing Killnet - Alex Holden
DCW - cont...(14:00-17:59 PDT) - Contextualizing alerts with relevant logs and events without queries or LLMs - Ezz Tahoun
DCW - cont...(14:00-17:59 PDT) - 64-bit Intel Assembly Language Programming for Hackers - Wesley McGrew
DCW - cont...(14:00-17:59 PDT) - PLC Playground: Hands-On Industrial Control Systems Attacks - Anthony "Coin" Rose,Daniel Koranek,Tyler Bertles,César Ramirez 
DCW - cont...(14:00-17:59 PDT) - Hands-on Kubernetes Attack & Defense Masterclass - Madhu "madhuakula" Akula
DCW - cont...(14:00-17:59 PDT) - Analyzing and Creating Windows Shellcode for Hackers - Bramwell Brizendine,Austin Norby,Logan Cannan
DCW - cont...(14:00-17:59 PDT) - Obfuscation Reloaded: Modern Techniques for Evading Detection - Jake "Hubble" Krasnov,Vincent "Vinnybod" Rose,Gannon "Dorf" Gebauer,Rey "Privesc" Bango
DCW - cont...(14:00-17:59 PDT) - Dive into Windows Library Loading - Yoann "OtterHacker" DEQUEKER
DCW - cont...(14:00-17:59 PDT) - Fine Tune your personal LLM assistant to Secure coding - Or Sahar,Yariv Tal
DDV - cont...(10:00-16:59 PDT) - DDV open and accepting drives for duplication -
DL - PAPRa - Sean Marquez,Melanie "Goldfishlaser" Allen
DL - PatchLeaks - Huseyn "Khatai" Gadashov
DL - promptmap2 - Utku Sen
DL - RETINA - Realtime Electronic Threat and Intrusion Neutralization Apparatus - Cesare "Red5heep" Pizzi
DL - Tengu Marauder v2 - Lexie "L3xic0n" Thach,Munir Muhammad
MHV - cont...(15:45-16:30 PDT) - Fighting the Digital Blockade: A View from Taiwan - Deputy Minister Herming Chiueh,Jason Vogt
MISC - cont...(08:00-18:59 PDT) - Human Registration Open -
MISC - Um, ACKtually... -
MISC - Book Signing - - Jim O'Gorman/No Starch Press -
MISC - Book Signing - Breaking IN: A Practical Guide To Starting a Career In Information Security Cybersecurity Essentials For Startups : A Practical Guide - Ayman Elsawah - Ayman Elsawah
MWV - cont...(14:00-17:59 PDT) - Binary exploitation basics - Leigh Trinity
MWV - cont...(15:50-16:20 PDT) - Silent Sigma: Unraveling Iranian APT's 0-Day Warfare and Covert C2 - Christopher Dio Chavez
MWV - (16:30-16:59 PDT) - ClickFix: The Malware Delivery Technique Enabling Ransomware Affiliates and State-Sponsored APT Operations - Arda Büyükkaya
PAYV - Network tokens - Sanjeev Sharma
PGE - Cybersecurity in Latin America: The Untold Stories of Resilience & Innovation - Giovanni Cruz Forero
PGE - Queercon Mixer -
PLV - cont...(15:45-16:30 PDT) - Secure Code Is Critical Infrastructure: Hacking Policy for the Public Good - Tanya "SheHacksPurple" Janca
PSV - (16:30-16:59 PDT) - Access Control Done Right the First Time - Tim Clevenger
QTV - Quantum Table Top Threat Modelling - Jaya Baloo
RTV - cont...(15:00-16:59 PDT) - Cyber Wargames: Redteam Rumble -
SEV - cont...(08:30-17:59 PDT) - Social Engineering Community Village - Village Open -
SEV - SEC Vishing Competition (SECVC) -

 

Friday - 17:00 PDT


ADV - Of Stochastic Parrots and Deterministic Predators: Decision-Making in Adversarial Automation - Bobby Kuzma,Michael Odell
ASV - Moonlight Defender - Purple Teaming in Space! - Ben Hawkins
ASV - Satellite Networks Under Siege: Cybersecurity Challenges of Targeted DDoS Attacks - Roee Idan
BBV - VRP @ Google -- a look inside a large self-hosted VRP - Sam "erbbysam" Erb
BBV - (17:30-17:59 PDT) - Exploiting the Off-chain ecosystem in Web 3 Bug Bounty - Bruno "BrunoModificato" Halltari
BHV - They deployed Health AI on us. We’re bringing the rights & red teams. - Andrea Downing
BHV - (17:30-17:59 PDT) - How AI + Hardware can Transforming Point-of-Care Workflows - PamirAI
CON - cont...(10:00-17:59 PDT) - Hac-Mac Contest Booth Open -
CRE - cont...(16:00-17:50 PDT) - Applied Cryptocurrency Hardware - Param D Pithadia,Michael "MSvB" Schloh von Bennewitz
CRE - cont...(10:00-17:59 PDT) - WipeOut XL hi-score tournament -
CRE - cont...(10:00-17:59 PDT) - Career Fair: Interview Tips and Referral - Krity Kharbanda,Aastha Sahni
CRE - Badgelife: Lessons from Years of Do’s, Don’ts, and Last-Minute Saves - Abhinav Pandagale,MakeItHackin
CRE - cont...(10:00-17:59 PDT) - Memorial Chamber Open -
DCT - cont...(16:30-17:15 PDT) - HTTP/1.1 Must Die! The Desync Endgame - James "albinowax" Kettle
DCT - (17:30-17:50 PDT) - Rusty pearls: Postgres RCE on cloud databases - Tal "TLP" Peleg,Coby Abrams
DCT - Orion - fuzzing workflow automation - Max Bazalii,Marius Fleischer
DCT - Emulating Embedded Linux Devices at Scale with Light-Touch Firmware Rehosting - Sigusr Polke
DCT - cont...(16:30-17:15 PDT) - Escaping the Privacy Sandbox with Client-Side Deanonymization Attacks - Eugene "spaceraccoon" Lim
DCT - (17:30-17:50 PDT) - Silent Leaks: Harvesting Secrets from Shared Linux Environments - Cernica Ionut Cosmin
DCT - Building a Malware Museum - Mikko Hypponen
DCW - cont...(14:00-17:59 PDT) - Contextualizing alerts with relevant logs and events without queries or LLMs - Ezz Tahoun
DCW - cont...(14:00-17:59 PDT) - 64-bit Intel Assembly Language Programming for Hackers - Wesley McGrew
DCW - cont...(14:00-17:59 PDT) - PLC Playground: Hands-On Industrial Control Systems Attacks - Anthony "Coin" Rose,Daniel Koranek,Tyler Bertles,César Ramirez 
DCW - cont...(14:00-17:59 PDT) - Hands-on Kubernetes Attack & Defense Masterclass - Madhu "madhuakula" Akula
DCW - cont...(14:00-17:59 PDT) - Analyzing and Creating Windows Shellcode for Hackers - Bramwell Brizendine,Austin Norby,Logan Cannan
DCW - cont...(14:00-17:59 PDT) - Obfuscation Reloaded: Modern Techniques for Evading Detection - Jake "Hubble" Krasnov,Vincent "Vinnybod" Rose,Gannon "Dorf" Gebauer,Rey "Privesc" Bango
DCW - cont...(14:00-17:59 PDT) - Dive into Windows Library Loading - Yoann "OtterHacker" DEQUEKER
DCW - cont...(14:00-17:59 PDT) - Fine Tune your personal LLM assistant to Secure coding - Or Sahar,Yariv Tal
HHV - All your keyboards are belong to us! - Federico Lucifredi
ICSV - (17:30-17:59 PDT) - Crossing the Line: Advanced Techniques to Breach the OT DMZ - Christopher Nourrie
IOTV - (17:30-17:59 PDT) - Vibe School: Making dumb devices smart with AI - Katie "InsiderPhD" Paxton-Fear
MHV - (17:30-17:59 PDT) - Hacking the Nautical Rules of the Road: Turn Left for Global Pwnage - Amp,Data
MISC - cont...(08:00-18:59 PDT) - Human Registration Open -
MISC - cont...(16:00-17:59 PDT) - Um, ACKtually... -
MWV - cont...(14:00-17:59 PDT) - Binary exploitation basics - Leigh Trinity
MWV - The Beauty of Reversing Swift Malware - Chistopher Lopez
MWV - (17:50-18:20 PDT) - Domain Fronting in 2025: a retro analysis - Tom Cope
PGE - Friends of Bill W -
PGE - cont...(16:00-17:59 PDT) - Queercon Mixer -
QTV - cont...(16:00-17:59 PDT) - Quantum Table Top Threat Modelling - Jaya Baloo
SEV - cont...(08:30-17:59 PDT) - Social Engineering Community Village - Village Open -
SEV - Cold Calls -

 

Friday - 18:00 PDT


MISC - cont...(08:00-18:59 PDT) - Human Registration Open -
MWV - cont...(17:50-18:20 PDT) - Domain Fronting in 2025: a retro analysis - Tom Cope
PGE - Lawyers Meet -
PGE - Spades Tournament & Game Night Social -
PGE - BIC Village Game Night -

 

Friday - 19:00 PDT


CON - AI Art Battle -
MISC - Hacker Karaoke -
PGE - cont...(18:00-20:59 PDT) - Lawyers Meet -
PGE - BlanketFort Con -
PGE - cont...(18:00-20:59 PDT) - Spades Tournament & Game Night Social -
PGE - cont...(18:00-21:59 PDT) - BIC Village Game Night -

 

Friday - 20:00 PDT


CON - cont...(19:00-20:59 PDT) - AI Art Battle -
CON - Hacker Jeopardy -
PGE - cont...(18:00-20:59 PDT) - Lawyers Meet -
PGE - DC404/DC678/DC770/DC470 (Atlanta Metro) Meetup -
PGE - cont...(18:00-20:59 PDT) - Spades Tournament & Game Night Social -
PGE - cont...(18:00-21:59 PDT) - BIC Village Game Night -

 

Friday - 21:00 PDT


CON - cont...(20:00-21:59 PDT) - Hacker Jeopardy -
PGE - Women, gender non-conforming and non-binary meetup with The Diana Initiative -
PGE - cont...(20:00-22:59 PDT) - DC404/DC678/DC770/DC470 (Atlanta Metro) Meetup -
PGE - Arcade Party -
PGE - IoT Village 10th Birthday Party -
PGE - cont...(18:00-21:59 PDT) - BIC Village Game Night -

 

Friday - 22:00 PDT


CON - (22:30-00:30 PDT) - Whose Slide Is It Anyway? -
PGE - cont...(21:00-23:30 PDT) - Women, gender non-conforming and non-binary meetup with The Diana Initiative -
PGE - +61: the Australian Embassy -
PGE - cont...(20:00-22:59 PDT) - DC404/DC678/DC770/DC470 (Atlanta Metro) Meetup -
PGE - cont...(21:00-23:59 PDT) - IoT Village 10th Birthday Party -

 

Friday - 23:00 PDT


PGE - cont...(21:00-23:30 PDT) - Women, gender non-conforming and non-binary meetup with The Diana Initiative -
PGE - cont...(21:00-23:59 PDT) - IoT Village 10th Birthday Party -

Talk/Event Descriptions



PGE - Friday - 22:00-01:59 PDT


Title: +61: the Australian Embassy
When: Friday, Aug 8, 22:00 - 01:59 PDT
Where: LVCCWest-Level2-W208 - Map

Description:

Have you ever tried Vegemite or like conversing in a foreign language? Do you miss familiar twangs or water flowing down a sink in the right direction? +61: the Australian Embassy is the meetup just for you. Every year a few random Australians end up coalescing around an inflatable kangaroo somewhere in the halls and this year we decided to get our shit together and find a place to catch up, share notes, reminisce about your adventure to the Bass Pro Shop and complain about the jetlag. Feel free to join us (or don't) as we catch up on the happenings of hacker summer camp.



IOTV - Friday - 10:30-10:59 PDT


Title: 10 Years of IoT Village: Insights in the World of IoT
When: Friday, Aug 8, 10:30 - 10:59 PDT
Where: LVCCWest-Level2-W233 - Map

Description:

Join IoT Village co-founders Steve Bono and Ted Harrington as they discuss how the world of IoT security has evolved in the past 10 years of IoT Village. Led by panel host Rachael Tubbs, Steve and Ted will discuss with industry experts what we've learned in 10 years about the state of IoT security.

Speakers:Stephen Bono,Rachael Tubbs

SpeakerBio:  Stephen Bono, CEO at Independent Security Evaluators
No BIO available
SpeakerBio:  Rachael Tubbs, IoT Village Organizer
No BIO available


DCW - Friday - 14:00-17:59 PDT


Title: 64-bit Intel Assembly Language Programming for Hackers
When: Friday, Aug 8, 14:00 - 17:59 PDT
Where: LVCCNorth-Level2-N253 - Map

Description:

Assembly language has a reputation for being intimidating, but once you learn the basics--and know how to read the documentation for the rest--you can easily pick up the rest. There are many interesting fields of study in computer security that depend on the "closer to the metal" knowledge you'll gain from learning to code in assembly:

...among others. There is no substitute for the confidence that you gain from being able to research and understand computer systems at lower levels of abstraction.

The purpose of this workshop is to introduce Intel x64 architecture and assembly language to the attendees. We will be using the Microsoft Macro Assembler, and we will be examining our code step-by-step in the x64dbg debugger. No prior programming experience is required--we will be working on things from first principles. There will be few slides. This is a new version of the workshop that makes better use of the x64dbg debugger to illustrate concepts of the class, live. Attendees can follow along with their own laptops and programming environments.

SpeakerBio:  Wesley McGrew

Dr. Wesley McGrew is a house music DJ that also directs research, development, and offensive cyber operations as Senior Cybersecurity Fellow for MartinFederal. He has presented on topics of penetration testing and malware analysis at DEF CON and Black Hat USA and teaches self-designed courses on software reverse engineering and assembly language programming. Wesley has a Ph.D. in Computer Science from Mississippi State University for his research in vulnerability analysis of SCADA HMI systems.



RTV - Friday - 14:00-15:50 PDT


Title: A Look into Using Native Godot Calls to Create Malware
When: Friday, Aug 8, 14:00 - 15:50 PDT
Where: LVCCWest-Level1-Hall1-W405-Red Team Village/LVCC-L1-EHW1-405-Tactics 4 - Map

Description:

Using built-in RPC calls, Godot allows for peer-to-peer calls where logic can be hidden on one side of the application versus the other.

SpeakerBio:  Aaron Hogan

A longtime contributor to the community with some random knowledge in different parts of the cybersecurity field.



TRN - Tuesday - 08:00-16:59 PDT


Title: A Practical Approach to Breaking & Pwning Kubernetes Clusters
When: Tuesday, Aug 12, 08:00 - 16:59 PDT
Where: LVCCWest - Map

Description:

The adoption of Kubernetes in production has increased to 83%, according to a survey by CNCF. Still, most security teams struggle to understand these modern technologies.

In this real-world scenario-based training, each participant will learn Tactics, Techniques, and Procedures (TTPs) to attack and assess Kubernetes cluster environments at different layers like Supply chain, Infrastructure, Runtime, and many others. Starting from simple recon to gaining access to microservices, sensitive data, escaping containers, escalating to cluster privileges, and even its underlying cloud environments.

By the end of the training, participants will be able to apply their knowledge to perform architecture reviews, security assessments, red team exercises, and pen-testing engagements on Kubernetes clusters and containerized environments successfully. Also, the trainer will provide a step-by-step guide (Digital Book) with resources and references to further your learning.

SpeakerBio:  Madhu "madhuakula" Akula, Pragmatic Security Leader

Madhu Akula is a pragmatic security leader and creator of Kubernetes Goat, an intentionally vulnerable by design Kubernetes Cluster to learn and practice Kubernetes Security. He is also a published author and Cloud Native Security Architect with extensive experience, and an active member of the international security, DevOps, and Cloud Native communities (null, DevSecOps, AllDayDevOps, AWS, CNCF, USENIX, etc). He holds industry certifications like CKA (Certified Kubernetes Administrator), CKS (Certified Kubernetes Security Specialist), OSCP (Offensive Security Certified Professional), etc.

Madhu frequently speaks and runs training sessions at security events and conferences around the world including DEFCON 24, 26, 27, 28, 29 & 30, BlackHat 2018, 19, 21 & 22, USENIX LISA 2018, 19 & 21, SANS Cloud Security Summit 2021 & 2022, O’Reilly Velocity EU 2019, GitHub Satellite 2020, Appsec EU (2018, 19 & 22), All Day DevOps (2016, 17, 18, 19, 20 & 21), DevSecCon (London, Singapore, Boston), DevOpsDays India, c0c0n (2017, 18), Nullcon 2018, 19, 21 & 22, SACON, Serverless Summit, null and multiple others.

His research has identified vulnerabilities in over 200 companies and organizations, including Google, Microsoft, LinkedIn, eBay, AT&T, WordPress, NTOP, Adobe, etc., and he is credited with multiple CVEs, acknowledgements, and rewards. He is co-author of Security Automation with Ansible2 (ISBN-13: 978-1788394512), which is listed as a technical resource by Red Hat Ansible. He is the technical reviewer for the Learn Kubernetes Security and Practical Ansible2 books by Packt Pub. He also won 1st prize for building an Infrastructure Security Monitoring solution at the InMobi flagship hackathon among 100+ engineering teams.



TRN - Monday - 08:00-16:59 PDT


Title: A Practical Approach to Breaking & Pwning Kubernetes Clusters
When: Monday, Aug 11, 08:00 - 16:59 PDT
Where: LVCCWest - Map

Description:

The adoption of Kubernetes in production has increased to 83%, according to a survey by CNCF. Still, most security teams struggle to understand these modern technologies.

In this real-world scenario-based training, each participant will learn Tactics, Techniques, and Procedures (TTPs) to attack and assess Kubernetes cluster environments at different layers like Supply chain, Infrastructure, Runtime, and many others. Starting from simple recon to gaining access to microservices, sensitive data, escaping containers, escalating to cluster privileges, and even its underlying cloud environments.

By the end of the training, participants will be able to apply their knowledge to perform architecture reviews, security assessments, red team exercises, and pen-testing engagements on Kubernetes clusters and containerized environments successfully. Also, the trainer will provide a step-by-step guide (Digital Book) with resources and references to further your learning.

SpeakerBio:  Madhu "madhuakula" Akula, Pragmatic Security Leader

Madhu Akula is a pragmatic security leader and creator of Kubernetes Goat, an intentionally vulnerable by design Kubernetes Cluster to learn and practice Kubernetes Security. He is also a published author and Cloud Native Security Architect with extensive experience, and an active member of the international security, DevOps, and Cloud Native communities (null, DevSecOps, AllDayDevOps, AWS, CNCF, USENIX, etc). He holds industry certifications like CKA (Certified Kubernetes Administrator), CKS (Certified Kubernetes Security Specialist), OSCP (Offensive Security Certified Professional), etc.

Madhu frequently speaks and runs training sessions at security events and conferences around the world including DEFCON 24, 26, 27, 28, 29 & 30, BlackHat 2018, 19, 21 & 22, USENIX LISA 2018, 19 & 21, SANS Cloud Security Summit 2021 & 2022, O’Reilly Velocity EU 2019, GitHub Satellite 2020, Appsec EU (2018, 19 & 22), All Day DevOps (2016, 17, 18, 19, 20 & 21), DevSecCon (London, Singapore, Boston), DevOpsDays India, c0c0n (2017, 18), Nullcon 2018, 19, 21 & 22, SACON, Serverless Summit, null and multiple others.

His research has identified vulnerabilities in over 200 companies and organizations, including Google, Microsoft, LinkedIn, eBay, AT&T, WordPress, NTOP, Adobe, etc., and he is credited with multiple CVEs, acknowledgements, and rewards. He is co-author of Security Automation with Ansible2 (ISBN-13: 978-1788394512), which is listed as a technical resource by Red Hat Ansible. He is the technical reviewer for the Learn Kubernetes Security and Practical Ansible2 books by Packt Pub. He also won 1st prize for building an Infrastructure Security Monitoring solution at the InMobi flagship hackathon among 100+ engineering teams.



CPV - Friday - 13:00-13:59 PDT


Title: A Tale of Weeds and Roses: Propagating the Right Data Protection Agreements with Vendors
When: Friday, Aug 8, 13:00 - 13:59 PDT
Where: LVCCWest-Level2-W228 - Map

Description:

When a company gives vendors access to its technical garden to process personal data, it’s the company’s responsibility to ensure vendors have adequate protections in place. Data protection/processing agreements (DPAs) are a control companies use to contractually obligate and specify what adequate protections vendors must have and to outline the consequences if vendors fail to protect the personal data. Propagating the right DPAs with vendors prevents invasive species from taking root in a company’s technical garden. Gardeners who attend this talk will walk away with a high-level understanding of: (a) how DPAs can be used to protect your company’s technical garden, (b) what information privacy/legal needs to know when negotiating a DPA, and (c) which DPA terms are roses to be cultivated or weeds to be removed.

Speakers:Irene Mo,Alyssa Coley

SpeakerBio:  Irene Mo

Irene is an attorney with experience counseling clients on United States and international privacy and data protection laws and regulations. She has helped companies of all sizes build and scale their privacy and data security compliance programs. Known as a problem solver, Irene’s clients trust her to collaborate across multiple business units within their companies to get privacy done. When there is a Hail Mary pass, her clients know she’s the one getting the ball across the goal line. In her free time, Irene is on the leadership board of several non-profits including Women in Security and Privacy (WISP), the Diversity in Privacy Section for the IAPP, the American Bar Association (ABA) Center of Innovation, and Lagniappe Law Lab.

SpeakerBio:  Alyssa Coley

Alyssa is on the board of Women In Security and Privacy (WISP) and is Privacy & Product Counsel at an Augmented Reality (AR) mobile gaming company. As in-house counsel, she focuses on integrating privacy by design into product development and ensuring global privacy compliance. Previously, she gained experience in privacy consulting and cybersecurity incident response. She has been involved with WISP for nearly a decade where she developed her interest in locksport and continues to further WISP's mission to advance women and underrepresented communities to lead the future of security and privacy.



DCW - Friday - 09:00-12:59 PDT


Title: Accelerating Malware Analysis with WinDbg Time Travel Debugging
When: Friday, Aug 8, 09:00 - 12:59 PDT
Where: LVCCNorth-Level2-N257 - Map

Description:

Malware analysis and reverse engineering involve intricate execution, obfuscation, and anti-analysis techniques that hinder traditional debugging. This intensive, hands-on workshop introduces WinDbg's powerful Time Travel Debugging (TTD), allowing you to record a complete execution trace and replay it forwards and backwards. Designed for reverse engineers and malware analysts, this workshop provides practical skills to harness TTD, significantly cutting analysis time compared to traditional methods.

Throughout this 4-hour session, dive directly into practical application. Start with TTD essentials and capturing traces (GUI/CLI), then quickly progress to navigating timelines efficiently. Gain proficiency using the Debugger Data Model and LINQ queries to rapidly locate key events, API usage, and suspicious memory patterns within large traces. Crucially, learn to automate analysis by creating powerful JavaScript extensions for WinDbg, applying these skills in hands-on labs focused on tasks like extracting dynamically deobfuscated strings from malware. Leave equipped to confidently integrate WinDbg TTD into your workflow, accelerating your triage and deep-dive analysis capabilities.

Speakers:Joshua "jstrosch" Stroschein,Jae Young Kim

SpeakerBio:  Joshua "jstrosch" Stroschein, Google

Joshua is an experienced malware analyst and reverse engineer and has a passion for sharing his knowledge with others. He is a reverse engineer with the FLARE team at Google, where he focuses on tackling the latest threats. He is an accomplished trainer, providing training at places such as Ring Zero, Black Hat, DEF CON, ToorCon, Hack In The Box, SuriCon, and other public and private venues. He is also an author on Pluralsight, where he publishes content around malware analysis, reverse engineering, and other security related topics.

SpeakerBio:  Jae Young Kim, Google

Jae Young Kim is a Senior Reverse Engineer on Mandiant's FLARE Team where he reverses malware and contributes to FLARE's automated analysis and binary similarity efforts. He is a seasoned instructor and a core contributor to FLARE’s educational content development efforts. He has a Bachelor's in Computer Science from Columbia University.



PSV - Friday - 16:30-16:59 PDT


Title: Access Control Done Right the First Time
When: Friday, Aug 8, 16:30 - 16:59 PDT
Where: LVCCWest-Level2-W229 - Map

Description:

Are you looking to install or upgrade a physical access control system? Having installed, repaired and upgraded dozens of large and small access control systems, I have found that many vendors install a "minimum viable product" that can leave your system unreliable and trivial to bypass.

This session will give you the tools and knowledge you need to work with your vendor to implement your system using best practices in the following areas:

SpeakerBio:  Tim Clevenger

As a low voltage hardware junkie, Tim has had the opportunity to design, expand, upgrade and repair numerous physical access control, alarm and video systems, including a stint at a security vendor where he was certified in Lenel/S2 access and video. Tim works today at SailPoint as a Cybersecurity Network Engineer.



BHV - Friday - 11:00-15:59 PDT


Title: accessDenied: Step Into the Scenario. Deal the Consequences.
When: Friday, Aug 8, 11:00 - 15:59 PDT
Where: LVCCWest-Level1-Hall2-W606 - Map

Description:

Welcome to accessDenied, a high-stakes, hands-on tabletop experience where you're not just playing cards… you're protecting critical infrastructure. Imagine trying to secure your facilities, water, power, communication, while your so-called “allies” across the table spot every vulnerability you missed. And you? You're doing the same to them. In this game, you'll simulate cyber attacks, defend your systems, and learn how breaches ripple through networks, all through fast-paced, strategic play based on real-world incidents like the Maroochy Water hack and the Kyiv power grid attack.

🔍 Who Should Play?

🎯 What You’ll Learn

accessDenied isn't just for fun, it’s designed to educate non-cybersecurity players and create smarter conversations about digital threats to critical infrastructure. Whether you're a hacker, a healthcare nerd, or just want to try something new, this tabletop challenge belongs in your DEF CON lineup.

SpeakerBio:  Jack Voltaic, RIT

United States military installations and their surrounding communities share an interest in the resiliency of cyber-critical infrastructure systems. In addition to civil-military interdependencies, a failure in one critical infrastructure sector can cause cascading effects across others. ACI launched the Jack Voltaic (JV) initiative to address gaps and build resilience. Beginning with the first exercise (JV 1.0) in 2016, these exercises addressed multi-sector cyber-critical infrastructure challenges.

Civil-military
Local, community level
Multi-sector
Unclassified

With JV 4.0, ACI’s critical infrastructure resilience program will mature and transition. Through partnerships with other academic and policy communities, ACI seeks to foster the growth of JV-inspired practices. Multiple initiatives through 2025 will build upon the momentum and lessons of JV 1.0 - 3.0.



DCT - Friday - 13:00-13:45 PDT


Title: Advanced Active Directory to Entra ID lateral movement techniques
When: Friday, Aug 8, 13:00 - 13:45 PDT
Where: LVCCWest-Level1-Hall3-Track 3 - Map

Description:

Is there a security boundary between Active Directory and Entra ID in a hybrid environment? The answer to this question, while still somewhat unclear, has changed over the past few years as there has been more hardening of how much “the cloud” trusts data from on-premises. The reason for this is that many threat actors, including APTs, have been making use of known lateral movement techniques to compromise the cloud. In this talk, we take a deep dive together into Entra ID and hybrid trust internals. We will introduce several new lateral movement techniques that allow us to bypass authentication, MFA and stealthily exfiltrate data using on-premises AD as a starting point, even in environments where the classical techniques don’t work. All these techniques are new, not really vulnerabilities, but part of the design. Several of them have been remediated with recent hardening efforts by Microsoft. Very few of them leave useful logs behind when abused. As you would expect, none of these “features” are documented. Join me for a wild ride into Entra ID internals, undocumented authentication flows and tenant compromise from on-premises AD.

References:

SpeakerBio:  Dirk-jan Mollema

Dirk-jan Mollema is a security researcher focusing on Active Directory and Microsoft Entra (Azure AD) security. In 2022 he started his own company, Outsider Security, where he performs penetration tests and reviews of enterprise networks and cloud environments. He blogs at dirkjanm.io, where he publishes his research, and shares updates on the many open source security tools he has written over the years. He presented previously at TROOPERS, DEF CON, Black Hat and BlueHat, is a current Microsoft MVP and has been awarded as one of Microsoft’s Most Valuable Researchers multiple times.



TRN - Tuesday - 08:00-16:59 PDT


Title: Advanced Cloud Incident Response in Azure and Microsoft 365
When: Tuesday, Aug 12, 08:00 - 16:59 PDT
Where: LVCCWest - Map

Description:

This hands-on two-day training offers a comprehensive guide to incident response in the Microsoft cloud, covering various topics essential for handling threats and attacks. The course starts with an overview of the concepts of the Microsoft cloud that are relevant for incident response. Participants will learn how to scope an incident in the Microsoft cloud and how to leverage it to set up an incident response capability. On the first day you will be immersed in the world of Azure attacks: we cover the different phases of an attack, focusing on the evidence an attack leaves and how you can identify attacks based on the available evidence. On the second day we will shift our focus to Microsoft 365. The training covers the different types of evidence available in a Microsoft 365 environment. Participants will gain an understanding of how to acquire data from a Microsoft 365 environment using multiple methods and tools, and how to parse, enrich, and analyze the Microsoft 365 Unified Audit Log (UAL). The best part of the training is that you'll apply everything you learn in hands-on labs in a CTF-like environment. Additionally, we have created two full attack scenarios in both Azure & M365, and in the CTF you're tasked with solving as many pieces of the puzzle as you can.

SpeakerBio:  Korstiaan Stam, Founder and CEO at Invictus Incident Response

Korstiaan Stam is the Founder and CEO of Invictus Incident Response & SANS Trainer - FOR509: Cloud Forensics and Incident Response. Korstiaan is a passionate incident responder, preferably in the cloud. He developed and contributed to many open-source tools related to cloud incident response. Korstiaan has gained a lot of knowledge and skills over the years which he is keen to share.

Way before the cloud became a hot topic, Korstiaan was already researching it from a forensics perspective. “Because I took this approach I have an advantage, because I simply spent more time in the cloud than others. More so, because I have my own IR consultancy company, I spent a lot of time in the cloud investigating malicious behavior, so I don’t just know one cloud platform, but I have knowledge about all of them.” That equips him to help students with the challenge of every cloud working slightly or completely differently. “If you understand the main concepts, you can then see that there’s also a similarity among all the clouds. That is why I start with the big picture in my classes and then zoom in on the details.” Korstiaan also uses real-life examples from his work to discuss challenges he’s faced with students to relate with their day-to-day work. “To me, teaching not only means sharing my knowledge on a topic, but also applying real-life implications of that knowledge. I always try to combine the theory with the everyday practice so students can see why it’s important to understand certain concepts and how the newly found knowledge can be applied.”



TRN - Monday - 08:00-16:59 PDT


Title: Advanced Cloud Incident Response in Azure and Microsoft 365
When: Monday, Aug 11, 08:00 - 16:59 PDT
Where: LVCCWest - Map

Description:

This hands-on two-day training offers a comprehensive guide to incident response in the Microsoft cloud, covering various topics essential for handling threats and attacks. The course starts with an overview of the concepts of the Microsoft cloud that are relevant for incident response. Participants will learn how to scope an incident in the Microsoft cloud and how to leverage it to set up an incident response capability. On the first day you will be immersed in the world of Azure attacks: we cover the different phases of an attack, focusing on the evidence an attack leaves and how you can identify attacks based on the available evidence. On the second day we will shift our focus to Microsoft 365. The training covers the different types of evidence available in a Microsoft 365 environment. Participants will gain an understanding of how to acquire data from a Microsoft 365 environment using multiple methods and tools, and how to parse, enrich, and analyze the Microsoft 365 Unified Audit Log (UAL). The best part of the training is that you'll apply everything you learn in hands-on labs in a CTF-like environment. Additionally, we have created two full attack scenarios in both Azure & M365, and in the CTF you're tasked with solving as many pieces of the puzzle as you can.

SpeakerBio:  Korstiaan Stam, Founder and CEO at Invictus Incident Response

Korstiaan Stam is the Founder and CEO of Invictus Incident Response & SANS Trainer - FOR509: Cloud Forensics and Incident Response. Korstiaan is a passionate incident responder, preferably in the cloud. He developed and contributed to many open-source tools related to cloud incident response. Korstiaan has gained a lot of knowledge and skills over the years which he is keen to share.

Way before the cloud became a hot topic, Korstiaan was already researching it from a forensics perspective. “Because I took this approach I have an advantage, because I simply spent more time in the cloud than others. More so, because I have my own IR consultancy company, I spent a lot of time in the cloud investigating malicious behavior, so I don’t just know one cloud platform, but I have knowledge about all of them.” That equips him to help students with the challenge of every cloud working slightly or completely differently. “If you understand the main concepts, you can then see that there’s also a similarity among all the clouds. That is why I start with the big picture in my classes and then zoom in on the details.” Korstiaan also uses real-life examples from his work to discuss challenges he’s faced with students to relate with their day-to-day work. “To me, teaching not only means sharing my knowledge on a topic, but also applying real-life implications of that knowledge. I always try to combine the theory with the everyday practice so students can see why it’s important to understand certain concepts and how the newly found knowledge can be applied.”



ADV - Friday - 15:45-16:30 PDT


Title: Adversarial mindset, thinking like an attacker is no longer optional
When: Friday, Aug 8, 15:45 - 16:30 PDT
Where: LVCCWest-Level2-W233 - Map

Description:

As threat actors evolve in speed, sophistication, and stealth, traditional defense strategies alone are no longer sufficient. This panel delves into the strategic importance of adopting an adversarial mindset, where defenders must think like attackers to stay ahead. Industry experts will discuss how adversary emulation and offensive cyber security techniques are being used not just to test systems, but to actively inform and strengthen defensive strategies. From red teaming to threat-informed defense, the panel will dive into how organizations are embedding adversarial thinking into their security programs to uncover blind spots, reduce response times, and build resilience against real-world threats. Whether you are defending an enterprise or building the next wave of security tools, embracing the adversarial mindset is no longer optional, it is essential. The panel will also cover a range of adversarial scenarios, including not only nation-state sponsored threat actors and targeted cyberattacks, but also the evolving warfare landscape witnessed recently, the use of technology by adversaries during conflicts, and effective countermeasures to address these challenges.

Speakers: Abhijith "Abx" B R, Keenan Skelly

SpeakerBio:  Abhijith "Abx" B R

Abhijith B R, also known by the pseudonym Abx, has more than a decade of experience in the offensive cyber security industry. He is a professional hacker, offensive cyber security specialist, red team consultant, security researcher, trainer and public speaker.

Currently, he is building Breachsimrange.io and is involved with multiple organizations as a consulting specialist to help them build offensive security operations programs, improve their current security posture, assess cyber defense systems, and bridge the gap between business leadership and security professionals.

Abhijith was responsible for building and managing offensive security operations and adversary simulation for a prominent FinTech company called Envestnet, Inc. In the past, he held the position of Deputy Manager - Cyber Security at Nissan Motor Corporation, and prior to that, he worked as a Senior Security Analyst at EY.

As the founder of Adversary Village (https://adversaryvillage.org/), Abhijith spearheads a community initiative focused on adversary simulation, adversary-tactics, purple teaming, threat actor/ransomware research-emulation, and offensive cyber security. Adversary Village is part of DEF CON Villages and organizes hacking villages at prominent events such as the DEF CON Hacking Conference, RSA Conference etc.

Abx also acts as the Lead of an official DEF CON Group named DC0471. He is actively involved in leading the Tactical Adversary project (https://tacticaladversary.io/), a personal initiative that centers around offensive cyber security, adversary attack simulation and red teaming tradecraft.

Abhijith has spoken at various hacking and cyber security conferences such as DEF CON hacker convention – Las Vegas, RSA Conference – San Francisco, The Diana Initiative – Las Vegas, DEF CON 28 safemode - DCG Village, Opensource India, Security BSides Las Vegas, BSides San Francisco, Hack Space Con – Kennedy space center Florida, Nullcon – Goa, c0c0n – Kerala, BSides Delhi, etc.

SpeakerBio:  Keenan Skelly

Keenan Skelly is a nationally recognized cybersecurity and emerging technology strategist with 25 years of experience across government, private sector, and entrepreneurial leadership. She most recently served as a Senior Policy Advisor at the White House Office of the National Cyber Director (ONCD), where she guided national initiatives on cybersecurity workforce, AI policy, and strategic technology development. A former Plank Owner of NPPD at DHS of the Comprehensive Review Program (the predecessor to CISA), Keenan also led multi-agency counter-IED and critical infrastructure protection programs across the federal government. She has founded and led multiple tech startups focused on threat intelligence, cybersecurity, and gamified training, and is the Founder of the XRVillage. Named one of the Top 25 Women in Cybersecurity, she is a frequent speaker on national security, AI, and immersive technology. Her unique background blends operational expertise, policy acumen, and visionary innovation.



TRN - Monday - 08:00-16:59 PDT


Title: Adversarial Thinking: The Art of Dangerous Ideas
When: Monday, Aug 11, 08:00 - 16:59 PDT
Where: LVCCWest - Map

Description:

Hackers have a unique perspective on the world and in particular on the technological artifacts within it. When most people look at a high tech system, they see what they were meant to see by the people who created it. Hackers see technology as it truly is, not as it was meant to be, and this way of looking at things enables hackers to discover possibilities that were never intended in the first place.

For centuries, military and intelligence strategists have sought to view the world from a similar perspective - a perspective that can see the hidden possibilities and weaknesses in things and take advantage of them to create unexpected results.

This unique course draws lessons from both the hacker community and from military thinking in order to deepen your ability to understand adversaries and see things the way that adversaries see them.

Honing this skill is particularly valuable for people who are building technological systems that might be subject to misuse and need to be able to anticipate that misuse. Whether you are an aspiring red teamer, a hardware engineer, software developer or product owner striving to understand how your product will be abused, or you work in fraud detection, risk analysis, election security, or any other domain where you face an adversary, you’ll find this course a valuable addition to your skill set.

We will…

After completing the course you’ll leave with:

This interesting and fast-moving class will include hands-on exercises to apply and reinforce the skills learned. You’ll leave this course with a fresh perspective and a toolkit of techniques to better accomplish your mission. Come join us.

Speakers: Tom Cross, Greg Conti

SpeakerBio:  Tom Cross

Tom Cross is an entrepreneur and technology leader with three decades of experience in the hacker community. Tom attended the first DefCon in 1993 and he ran bulletin board systems and listservs in the early 1990’s that served the hacker community in the southeastern United States. He is currently an independent security consultant, Principal at Kopidion, and creator of FeedSeer, a news reader for Mastodon. Previously he was CoFounder and CTO of Drawbridge Networks, Director of Security Research at Lancope, and Manager of the IBM Internet Security Systems X-Force Advanced Research team. He has written papers on collateral damage in cyber conflict, vulnerability disclosure ethics, security issues in internet routers, encrypting open wireless networks, and protecting Wikipedia from vandalism. He has spoken at numerous security conferences, including Black Hat Briefings, Defcon, CyCon, HOPE, Source Boston, FIRST, and Security B-Sides. He has a B.S. in Computer Engineering from the Georgia Institute of Technology. He can be found on Linkedin as https://www.linkedin.com/in/tom-cross-71455/, and on Mastodon as https://ioc.exchange/@decius.

SpeakerBio:  Greg Conti, Co-Founder and Principal at Kopidion

Greg Conti is a hacker, maker, and computer scientist. He is a nine-time DEF CON speaker, a seven-time Black Hat speaker, and has been a Black Hat Trainer for 10 years. He’s taught Adversarial Thinking techniques at West Point, Stanford University bootcamps, NSA/U.S. Cyber Command, and for private clients in the financial and cybersecurity sectors. Greg is Co-Founder and Principal at Kopidion, a cyber security training and professional services firm.

Formerly he served on the West Point faculty for 16 years, where he led their cybersecurity research and education programs. During his U.S. Army and Military Intelligence career he co-created U.S. Cyber Command’s Joint Advanced Cyberwarfare Course, deployed to Iraq as Officer-in-Charge of U.S. Cyber Command’s Expeditionary Cyber Support Element, and was the first Director of the Army Cyber Institute.

Greg is co-author of On Cyber: Towards an Operational Art for Cyber Operations, and approximately 100 articles and papers covering hacking, online privacy, usable security, cyber conflict, and security visualization. Greg holds a B.S. from West Point, an M.S. from Johns Hopkins University, and a Ph.D. from the Georgia Institute of Technology, all in computer science. His work may be found at gregconti.com (https://www.gregconti.com/), kopidion.com (https://www.kopidion.com/) and LinkedIn (https://www.linkedin.com/in/greg-conti-7a8521/).



TRN - Tuesday - 08:00-16:59 PDT


Title: Adversarial Thinking: The Art of Dangerous Ideas
When: Tuesday, Aug 12, 08:00 - 16:59 PDT
Where: LVCCWest - Map

Description:

Hackers have a unique perspective on the world and in particular on the technological artifacts within it. When most people look at a high tech system, they see what they were meant to see by the people who created it. Hackers see technology as it truly is, not as it was meant to be, and this way of looking at things enables hackers to discover possibilities that were never intended in the first place.

For centuries, military and intelligence strategists have sought to view the world from a similar perspective - a perspective that can see the hidden possibilities and weaknesses in things and take advantage of them to create unexpected results.

This unique course draws lessons from both the hacker community and from military thinking in order to deepen your ability to understand adversaries and see things the way that adversaries see them.

Honing this skill is particularly valuable for people who are building technological systems that might be subject to misuse and need to be able to anticipate that misuse. Whether you are an aspiring red teamer, a hardware engineer, software developer or product owner striving to understand how your product will be abused, or you work in fraud detection, risk analysis, election security, or any other domain where you face an adversary, you’ll find this course a valuable addition to your skill set.

We will…

After completing the course you’ll leave with:

This interesting and fast-moving class will include hands-on exercises to apply and reinforce the skills learned. You’ll leave this course with a fresh perspective and a toolkit of techniques to better accomplish your mission. Come join us.

Speakers: Tom Cross, Greg Conti

SpeakerBio:  Tom Cross

Tom Cross is an entrepreneur and technology leader with three decades of experience in the hacker community. Tom attended the first DefCon in 1993 and he ran bulletin board systems and listservs in the early 1990’s that served the hacker community in the southeastern United States. He is currently an independent security consultant, Principal at Kopidion, and creator of FeedSeer, a news reader for Mastodon. Previously he was CoFounder and CTO of Drawbridge Networks, Director of Security Research at Lancope, and Manager of the IBM Internet Security Systems X-Force Advanced Research team. He has written papers on collateral damage in cyber conflict, vulnerability disclosure ethics, security issues in internet routers, encrypting open wireless networks, and protecting Wikipedia from vandalism. He has spoken at numerous security conferences, including Black Hat Briefings, Defcon, CyCon, HOPE, Source Boston, FIRST, and Security B-Sides. He has a B.S. in Computer Engineering from the Georgia Institute of Technology. He can be found on Linkedin as https://www.linkedin.com/in/tom-cross-71455/, and on Mastodon as https://ioc.exchange/@decius.

SpeakerBio:  Greg Conti, Co-Founder and Principal at Kopidion

Greg Conti is a hacker, maker, and computer scientist. He is a nine-time DEF CON speaker, a seven-time Black Hat speaker, and has been a Black Hat Trainer for 10 years. He’s taught Adversarial Thinking techniques at West Point, Stanford University bootcamps, NSA/U.S. Cyber Command, and for private clients in the financial and cybersecurity sectors. Greg is Co-Founder and Principal at Kopidion, a cyber security training and professional services firm.

Formerly he served on the West Point faculty for 16 years, where he led their cybersecurity research and education programs. During his U.S. Army and Military Intelligence career he co-created U.S. Cyber Command’s Joint Advanced Cyberwarfare Course, deployed to Iraq as Officer-in-Charge of U.S. Cyber Command’s Expeditionary Cyber Support Element, and was the first Director of the Army Cyber Institute.

Greg is co-author of On Cyber: Towards an Operational Art for Cyber Operations, and approximately 100 articles and papers covering hacking, online privacy, usable security, cyber conflict, and security visualization. Greg holds a B.S. from West Point, an M.S. from Johns Hopkins University, and a Ph.D. from the Georgia Institute of Technology, all in computer science. His work may be found at gregconti.com (https://www.gregconti.com/), kopidion.com (https://www.kopidion.com/) and LinkedIn (https://www.linkedin.com/in/greg-conti-7a8521/).



ADV - Friday - 15:00-15:45 PDT


Title: Adversaries at War: Tactics, technologies, and lessons from modern battlefields
When: Friday, Aug 8, 15:00 - 15:45 PDT
Where: LVCCWest-Level2-W233 - Map

Description:

Recent conflicts have shown us that wars today aren’t just fought with traditional weapons, they are fought with code, misinformation, and influence. This panel dives into how adversaries are using a mix of traditional and unconventional tactics, from cyber attacks to psychological operations, to gain the upper hand on modern battlefields. We will look at real examples from recent wars, explore the technologies driving these shifts, and discuss what defense, security, and policy leaders need to take away from it all.

Speakers: Gregory Carpenter, Barb Hirz, Bret Fowler, John Andre Bjørkhaug, John Johnson, Michael Tassey

SpeakerBio:  Gregory Carpenter, DrPH, CSO at KnowledgeBridge International

Gregory Carpenter is the CSO of KnowledgeBridge International, a Fellow of the Royal Society for the Arts, and the National Security Agency’s Operations Officer of the Year. He serves on the Board of Directors for ATNA Systems, is a Senior Advisor for ARIC, Inc., and is a Special Operations Medical Association and Military Cyber Professionals Association member. He is a former member of the Board of Advisors for EC-Council University and the International Board of Advisors for the Mackenzie Institute.

He has held various senior military and civilian positions, including COO, VP for Cyber Operations, Chief of Security Testing, Counterintelligence Division Chief, Chief of Special Space Operations, and Functional Team Lead for Electronic Warfare. He has been an epidemiological primary investigator. Gregory is a retired army officer of 27 years and holds a Doctorate in Public Health. He is a Certified Information Security Manager, Lean Six-Sigma Black Belt, and ISO-9000 lead auditor.

SpeakerBio:  Barb Hirz, Director of Strategy and Innovation at Nebraska Defense Research Corporation

Ms. Barb Hirz is the Director of Strategy and Innovation at the Nebraska Defense Research Corporation, where she leads future capability integration and coordinates with customers and mission partners to ensure effective capability demonstrations. She is dedicated to advancing defense technology, driving mission improvements, and fostering intellectual agility in the workforce to address complex Department of Defense (DoD) challenges. Previously, Ms. Hirz served as Chief Engineer at U.S. Strategic Command, overseeing nuclear mission capability and cyber requirements, and has held positions at the Office of the Secretary of Defense and the National Security Agency. She has a background in commercial banking and IT solutions and holds numerous awards, including the Joint Meritorious Civilian Service Award. Ms. Hirz earned a B.S. in Business Administration from Creighton University, an M.S. in Military Operational Art from the Air Command and Staff College, and a Graduate Certificate in Nuclear Deterrence from Harvard University.

SpeakerBio:  Bret Fowler, MSGT (Ret), Chief Executive Officer at STAG

Brett Fowler is a nationally recognized cybersecurity expert and the CEO of STAG, a rapidly growing cybersecurity firm with a global reach and an exponential growth rate of 230% in 2020. A lifelong technology ambassador, Brett began his journey in middle school and has since advised Congressional and Senatorial leaders, while also supporting national efforts, including securing U.S. election systems. Under his leadership, STAG is transforming advanced analytics into accessible web applications, filling critical market gaps. A former U.S. Air Force Cyber Warfare Operator with over 3,000 hours of cyber operations experience, Brett combines deep technical expertise with agile leadership, driving innovation and resilience in both government and industry. He is a trusted voice on national advisory boards and a frequent lecturer at the University of Texas at San Antonio, where he teaches courses on cybersecurity and entrepreneurship. Brett holds an M.S. in Computer Science from Utica College and lives in San Antonio, TX, with his wife and children.

SpeakerBio:  John Andre Bjørkhaug, Netsecurity

John-André Bjørkhaug has worked as a penetration tester for over 16 years. He has a degree in electrical engineering but prefers to break things instead of building things. This led him to become a hacker/penetration tester. John's main focus is penetration testing of internal infrastructure and physical security systems, together with social engineering and full-scale Red Team tests.

SpeakerBio:  Dr. John Johnson, CEO and Founder of Aligned Security

Dr. Johnson has over 30 years of experience leading technology and cybersecurity programs at organizations in various industry segments, from startups to large global corporations. He is the CEO and Founder of Aligned Security, providing executive cybersecurity advisory services. He also founded the nonprofit Docent Institute, which promotes career development, cybersecurity education and outreach to professionals, students and underserved communities. He is co-founder of Chicago Cyber Hub, a Midwest center of excellence for Cybersecurity. John has broad industry experience, starting at Los Alamos National Laboratory and subsequently as a security leader at large and small enterprises, including John Deere, Deloitte, and Campbell Soup Company. He has developed and taught numerous university cybersecurity courses online and in person. Dr. Johnson serves on the ISSA International Board of Directors, ISSA Education Foundation, and is an active leader within ISC2, InfraGard, and IEEE. John is concerned with the ethical use of advancing technologies and the opportunities and risks they pose to humanity.

SpeakerBio:  Michael Tassey, Managing Director at Broadmoor Consulting Inc.

Mike Tassey is a cybersecurity strategist with 27 years of experience across defense, finance, and critical infrastructure. At the Air Force Office of Special Investigation, he led red team operations and secured global investigative systems. At NASDAQ, he helped defend the exchange from nation-state cyber threats and re-architect its global security posture. A DEF CON and Black Hat speaker, Mike co-designed the Wireless Aerial Surveillance Platform—the first civilian cyber drone, now in the International Spy Museum.



RTV - Friday - 14:00-14:50 PDT


Title: Adversary Intel Lab: Build Your First Threat Emulation Plan
When: Friday, Aug 8, 14:00 - 14:50 PDT
Where: LVCCWest-Level1-Hall1-W405-Red Team Village/LVCC-L1-EHW1-405-Track 4 - Map

Description:

Attendees sit down with real-world threat intelligence and walk through the process of analyzing a threat actor, identifying relevant TTPs, and creating a red team emulation plan using ATT&CK Navigator. By the end, they’ll have a completed adversary worksheet and a mini playbook for red team usage.

SpeakerBio:  Fredrik Sandström, Basalt

Fredrik Sandström, M.Sc. is Head of Cyber Security at Basalt, based in Stockholm, Sweden. He has nearly a decade of experience in penetration testing, alongside a background in software development and embedded systems engineering. His early work includes software development for organizations such as the Swedish Defence Research Agency (FOI).

Since 2015, Fredrik has focused on delivering advanced security assessments—including penetration testing, red teaming, and threat emulation—for clients in diverse sectors such as banking, insurance, automotive, energy, communications, and IT services. He holds multiple industry-recognized certifications, including GXPN (GIAC Exploit Researcher and Advanced Penetration Tester), GCPN (GIAC Cloud Penetration Tester), GRTP (GIAC Red Team Professional), and HTB Certified Bug Bounty Hunter (CBBH).

Fredrik is also an active contributor to the security community. He has presented at major conferences such as SEC-T—Sweden’s leading offensive security conference—and DevCon in Bucharest, Romania, a key event for developers and IT professionals in Eastern Europe.



CON - Friday - 19:00-20:59 PDT


Title: AI Art Battle
When: Friday, Aug 8, 19:00 - 20:59 PDT
Where: LVCCWest-Level1-Atrium-East-Contest Stage

Description:

Welcome to the "AI Art Battle" Generative AI Art Contest!

This unique competition invites creative minds to dive into the world of artificial intelligence and art. The challenge is to craft the most imaginative prompts that will be used by generative AI models to create artwork.

Contestants will not be creating the art themselves; instead, they will focus on designing prompts for well-known topics that push the boundaries of creativity and innovation.

How It Works:

Select a Topic:

Contestants will choose from a list of random topics.

These could range from historical events, famous literary works, mythical creatures, futuristic landscapes, to iconic pop culture references.

Craft a Prompt:

Using their creativity, contestants will write a detailed prompt designed to guide AI models in generating original artwork. The prompts should be clear, imaginative, and offer enough detail to spark the AI's artistic capabilities.

Submission:

Each contestant will submit their prompt and the intended outcome.

AI Generation:

The submitted prompts will be fed into a generative AI art model, which will create corresponding artworks based on the prompts.

A random panel will determine who the winners are.

Participant Prerequisites

Pre-Qualification



TRN - Tuesday - 08:00-16:59 PDT


Title: AI SecureOps: Attacking & Defending AI Applications and Services
When: Tuesday, Aug 12, 08:00 - 16:59 PDT
Where: LVCCWest - Map

Description:

Can prompt injections lead to complete infrastructure takeovers? Could AI applications be exploited to compromise backend services? Can data poisoning in AI copilots impact a company's stock? Can jailbreaks create false crisis alerts in security systems? This immersive, CTF-styled training in GenAI and LLM security dives into these pressing questions. Engage in realistic attack and defense scenarios focused on real-world threats, from prompt injection and remote code execution to backend compromise. Tackle hands-on challenges with actual AI applications to understand vulnerabilities and develop robust defenses. You’ll learn how to create a comprehensive security pipeline, mastering AI red and blue team strategies, building resilient defenses for LLMs, and handling incident response for AI-based threats. Additionally, implement a Responsible AI (RAI) program to enforce ethical AI standards across enterprise services, fortifying your organization’s AI security foundation.

By 2026, Gartner, Inc. predicts that over 80% of enterprises will engage with GenAI models, up from less than 5% in 2023. This rapid adoption presents a new challenge for security professionals. To bring you up to speed from intermediate to advanced level, this training provides essential GenAI and LLM security skills through an immersive CTF-styled framework. Delve into sophisticated techniques for mitigating LLM threats, engineering robust defense mechanisms, and operationalizing LLM agents, preparing you to address the complex security challenges posed by the rapid expansion of GenAI technologies. You will be provided with access to a live playground with custom-built AI applications replicating real-world attack scenarios, covering use cases defined under the OWASP LLM Top 10 framework and mapped to the stages defined in MITRE ATLAS. This dense training will guide you through red and blue team strategies, creating robust LLM defenses, incident response for LLM attacks, and implementing a Responsible AI (RAI) program and enforcing ethical AI standards across enterprise services, with a focus on improving the entire GenAI supply chain.

This training will also cover the completely new segment of Responsible AI(RAI), ethics and trustworthiness in GenAI services. Unlike traditional cybersecurity verticals, these unique challenges such as bias detection, managing risky behaviors, and implementing mechanisms for tracking information are going to be the key challenges for enterprise security teams.

By the end of this training, you will be able to:

SpeakerBio:  Abhinav Singh

Abhinav Singh is an esteemed cybersecurity leader & researcher with over a decade of experience across technology leaders, financial institutions, and as an independent trainer and consultant. Author of "Metasploit Penetration Testing Cookbook" and "Instant Wireshark Starter," his contributions span patents, open-source tools, and numerous publications. Recognized in security portals and digital platforms, Abhinav is a sought-after speaker & trainer at international conferences like Black Hat, RSA, DEFCON, BruCon and many more, where he shares his deep industry insights and innovative approaches in cybersecurity. He also leads multiple AI security groups at CSA, responsible for coming up with cutting-edge whitepapers and industry reports around safety and security of GenAI.



TRN - Monday - 08:00-16:59 PDT


Title: AI SecureOps: Attacking & Defending AI Applications and Services
When: Monday, Aug 11, 08:00 - 16:59 PDT
Where: LVCCWest - Map

Description:

Can prompt injections lead to complete infrastructure takeovers? Could AI applications be exploited to compromise backend services? Can data poisoning in AI copilots impact a company's stock? Can jailbreaks create false crisis alerts in security systems? This immersive, CTF-styled training in GenAI and LLM security dives into these pressing questions. Engage in realistic attack and defense scenarios focused on real-world threats, from prompt injection and remote code execution to backend compromise. Tackle hands-on challenges with actual AI applications to understand vulnerabilities and develop robust defenses. You’ll learn how to create a comprehensive security pipeline, mastering AI red and blue team strategies, building resilient defenses for LLMs, and handling incident response for AI-based threats. Additionally, implement a Responsible AI (RAI) program to enforce ethical AI standards across enterprise services, fortifying your organization’s AI security foundation.

By 2026, Gartner, Inc. predicts that over 80% of enterprises will engage with GenAI models, up from less than 5% in 2023. This rapid adoption presents a new challenge for security professionals. To bring you up to speed from intermediate to advanced level, this training provides essential GenAI and LLM security skills through an immersive CTF-styled framework. Delve into sophisticated techniques for mitigating LLM threats, engineering robust defense mechanisms, and operationalizing LLM agents, preparing them to address the complex security challenges posed by the rapid expansion of GenAI technologies. You will be provided with access to a live playground with custom-built AI applications replicating real-world attack scenarios, covering use cases defined under the OWASP LLM Top 10 framework and mapped to the stages defined in MITRE ATLAS. This dense training will take you through areas like red and blue team strategies, creating robust LLM defenses, incident response in LLM attacks, implementing a Responsible AI (RAI) program, and enforcing ethical AI standards across enterprise services, with the focus on improving the entire GenAI supply chain.

This training will also cover the completely new segment of Responsible AI (RAI), ethics and trustworthiness in GenAI services. Unlike in traditional cybersecurity verticals, unique challenges such as bias detection, managing risky behaviors, and implementing mechanisms for tracking information are going to be the key challenges for enterprise security teams.

By the end of this training, you will be able to:

SpeakerBio:  Abhinav Singh

Abhinav Singh is an esteemed cybersecurity leader & researcher with over a decade of experience across technology leaders, financial institutions, and as an independent trainer and consultant. Author of "Metasploit Penetration Testing Cookbook" and "Instant Wireshark Starter," his contributions span patents, open-source tools, and numerous publications. Recognized in security portals and digital platforms, Abhinav is a sought-after speaker & trainer at international conferences like Black Hat, RSA, DEFCON, BruCon and many more, where he shares his deep industry insights and innovative approaches in cybersecurity. He also leads multiple AI security groups at CSA, responsible for coming up with cutting-edge whitepapers and industry reports around safety and security of GenAI.



RTV - Friday - 15:00-15:50 PDT


Title: AI-Powered Web Applications: A New Era in Security – Live Technical Demo
When: Friday, Aug 8, 15:00 - 15:50 PDT
Where: LVCCWest-Level1-Hall1-W405-Red Team Village/LVCC-L1-EHW1-405-Track 3 - Map

Description:

In this session, we’ll take a deep dive into the future of web security through the lens of ethical hacking and artificial intelligence. Attendees will have the opportunity to see AI in action through a live demo, where we will demonstrate how AI can identify and resolve security flaws in web applications. The session will feature real-time security testing using AI-powered tools, illustrating how these technologies give ethical hackers an edge in the fight against malicious attacks.

SpeakerBio:  Ilkin Javadov

As an ethical hacker and security expert, Ilkin Javadov has made significant contributions to the cybersecurity community. A frequent speaker at world-renowned cyber conferences such as GISEC 2023-2024, DEFCON 31 Red Team Village 2023-2024, and InCyber Forum Canada 2023-2024, Ilkin shares valuable insights into the latest cyberthreats and defense strategies. Notably, Ilkin is one of the elite 20 hackers who ethically infiltrated the German Armed Forces (Bundeswehr) earning a place in their Hall of Fame and receiving a prestigious medal from a General in recognition of exceptional contributions to national security. With extensive experience in ethical hacking and cybersecurity, Ilkin continues to advance the field by mentoring and educating the next generation of security professionals.



DL - Friday - 10:00-10:45 PDT


Title: AIMaL - Artificially Intelligent Malware Launcher
When: Friday, Aug 8, 10:00 - 10:45 PDT
Where: LVCCWest-Level2-W208 - Map

Description:

AIMAL (Artificially Intelligent Malware Launcher) is a modular red team framework built to simulate advanced malware evasion techniques against modern AV/EDR/IDS solutions. It supports Process Herpaderping, Process Hollowing, Thread Hijacking, Process Ghosting, and many other evasion techniques as delivery mechanisms, with stealth enhancements including PPID spoofing, shellcode polymorphism, syscall mutation (Hell's Gate), and aggressive AMSI/ETW bypassing. AIMAL adapts to simulated detection responses through a feedback loop that mutates behavior on the fly, rotating techniques until the payload bypasses detection. Integration with the OpenAI API allows AIMAL to suggest the best evasion strategy based on alert context, helping simulate the decision-making process of advanced threat actors. Designed for research, red teaming, and adversarial simulation, AIMAL brings real-world stealth techniques into a clean, testable interface. Live demo will include payload staging, detection simulation, and mutation in action.

Speakers:Endrit Shaqiri,Natyra Shaqiri

SpeakerBio:  Endrit Shaqiri

Endrit Shaqiri is an offensive security researcher, red team tool developer, and international karate champion currently pursuing his Master’s in Cybersecurity Engineering and Cryptography at Istanbul Technical University. He is also admitted to Boston University’s Master’s in Artificial Intelligence program, where he plans to continue his research on AI-powered malware and adaptive evasion systems. He is the creator of AIMaL — the Artificially Intelligent Malware Launcher — a modular framework designed for simulating modern malware evasion techniques against AV/EDR/IDS systems. Endrit has built a tool that bridges hands-on malware development with AI-assisted mutation logic. His passion lies in crafting adaptive malware simulation frameworks for red teamers, researchers, and students alike. This is his first appearance at DEF CON, bringing a glimpse of how tomorrow’s adversaries may automate and evolve in real-time.

SpeakerBio:  Natyra Shaqiri

Natyra Shaqiri is a cybersecurity student at Southern Maine Community College with a growing focus on malware analysis, system security, and ethical hacking. As co-developer of AIMAL — the Artificially Intelligent Malware Launcher — Natyra has contributed to the design and modularization of the tool’s evasion techniques, helping implement feedback-driven mutation logic and stealth strategy testing. She is passionate about adversarial security, system internals, and hands-on red team simulation frameworks. This marks her debut at DEF CON, where she brings the perspective of a rising cybersecurity engineer.



RTV - Friday - 12:00-13:50 PDT


Title: AIMaL: Artificially Intelligent Malware Launcher
When: Friday, Aug 8, 12:00 - 13:50 PDT
Where: LVCCWest-Level1-Hall1-W405-Red Team Village/LVCC-L1-EHW1-405-Tactics 1 - Map

Description:

AIMAL (Artificially Intelligent Malware Launcher) is a modular red team framework built to simulate advanced malware evasion techniques against modern AV/EDR/IDS solutions. It supports Process Herpaderping, Process Hollowing, Thread Hijacking, Process Ghosting, and many other Evasion Techniques as delivery mechanisms, with stealth enhancements including PPID spoofing, shellcode polymorphism, syscall mutation (Hell’s Gate), and aggressive AMSI/ETW bypassing. AIMAL adapts to simulated detection responses through a feedback loop that mutates behavior on the fly — rotating techniques until the payload bypasses detection. Integration with the OpenAI API allows AIMAL to suggest the best evasion strategy based on alert context, helping simulate the decision-making process of advanced threat actors. Designed for research, red teaming, and adversarial simulation, AIMAL brings real-world stealth techniques into an intelligent feedback-driven system that learns and adapts like an evolving threat. Whether used for red team drills or research into next-gen evasion, AIMaL demonstrates how AI can weaponize malware beyond static signatures and into dynamic decision-making.

This process is not just about executing code — it’s about demonstrating how real malware adapts. The user is taken through a full offensive simulation workflow:

1. AIMAL prints a stylized menu with ET options.
2. The user selects an evasion technique (e.g., Process Herpaderping).
3. The user selects a payload (e.g., reverse shell).
4. AIMAL copies and prepares the full module structure (not just EXEs).
5. The user simulates a detection alert type and string.
6. AIMAL uses OpenAI to suggest a bypass strategy.
7. The user can authorize AIMAL to automatically: add junk functions (hash evasion); inject stealth upgrades (e.g., call RandomNoise(), add extra PolymorphShellcodeAfter()); apply PPID spoofing or syscall mutations; rebuild, mutate and repack the payload.

AIMAL has already demonstrated success against multiple AVs. Using static stealth alone, it bypassed both signature and behavioral detection of Windows Defender and McAfee. Bitdefender and Kaspersky were bypassed on static signatures; after OpenAI integration, AIMAL also defeated their behavioral detection.

https://github.com/EndritShaqiri/AIMaL

Speakers:Endrit Shaqiri,Natyra Shaqiri

SpeakerBio:  Endrit Shaqiri

Endrit Shaqiri is an offensive security researcher, red team tool developer, and international karate champion currently pursuing his Master’s in Cybersecurity Engineering and Cryptography at Istanbul Technical University. He is also admitted to Boston University’s Master’s in Artificial Intelligence program, where he plans to continue his research on AI-powered malware and adaptive evasion systems. He is the creator of AIMaL — the Artificially Intelligent Malware Launcher — a modular framework designed for simulating modern malware evasion techniques against AV/EDR/IDS systems. Endrit has built a tool that bridges hands-on malware development with AI-assisted mutation logic. His passion lies in crafting adaptive malware simulation frameworks for red teamers, researchers, and students alike. This is his first appearance at DEF CON, bringing a glimpse of how tomorrow’s adversaries may automate and evolve in real-time.

SpeakerBio:  Natyra Shaqiri

Natyra Shaqiri is a cybersecurity student at Southern Maine Community College with a growing focus on malware analysis, system security, and ethical hacking. As co-developer of AIMAL — the Artificially Intelligent Malware Launcher — Natyra has contributed to the design and modularization of the tool’s evasion techniques, helping implement feedback-driven mutation logic and stealth strategy testing. She is passionate about adversarial security, system internals, and hands-on red team simulation frameworks. This marks her debut at DEF CON, where she brings the perspective of a rising cybersecurity engineer.



DL - Friday - 10:00-10:45 PDT


Title: AirBleed - Covert Bluetooth Plist Payload Injection
When: Friday, Aug 8, 10:00 - 10:45 PDT
Where: LVCCWest-Level2-W209 - Map

Description:

AirBleed is a proof-of-concept hack demonstrating a hidden communication technique leveraging a little-known vulnerability in macOS's Bluetooth property list files (Bluetooth.plist). By fragmenting payloads into tiny pieces and injecting them into device caches that go unnoticed by standard security tools, this capability enables operatives to establish dead-drop channels for passing critical data — all without arousing suspicion. [1] Stealth-by-Design: Uses legitimate Bluetooth device caches to hide encrypted payloads up to 248 bytes per fragment. [2] Dual-Use Impact: Enables clandestine communication or counter-plotter operations by law enforcement and intel. [3] Live Demo: DEFCON demo will allow attendees to send their own Bluetooth plist payloads to a vulnerable MacBook Pro. [4] Implications: Offers a novel toolkit for counterintelligence to monitor — and disrupt — hidden networks and dead drops.

Speakers:Ray "CURZE$" Cervantes,Yvonne "Von Marie" Cervantes

SpeakerBio:  Ray "CURZE$" Cervantes

Ray is an offensive security engineer and counterintelligence innovator with a background in forensic psychology, turning aggressive tradecraft into powerful defense tools. He is currently researching facial behavioral analysis and creating AI-driven solutions for the legal and trial consulting fields. ChatGPT, Copilot, and Claude all predict that his work will land him in handcuffs within 5–10 years — a risk Ray embraces as proof he’s pushing the boundaries of security and innovation.

SpeakerBio:  Yvonne "Von Marie" Cervantes

Yvonne is a YouTube craft content creator and handmade crafter featured in craft magazines for her work on unique art pieces. She currently designs for four design company teams and also creates comic books with Ray. She is currently researching facial behavioral analysis through designing research ideas and strategies for improving the legal and trial consulting fields.



MISC - Friday - 10:30-11:30 PDT


Title: AixCC Award Announcement
When: Friday, Aug 8, 10:30 - 11:30 PDT
Where: LVCCWest-Level1-Hall3-Track 2 - Map

Description:


HHV - Friday - 17:00-17:59 PDT


Title: All your keyboards are belong to us!
When: Friday, Aug 8, 17:00 - 17:59 PDT
Where: LVCCWest-Level2-W231 - Map

Description:

This is a live tutorial of hacking against keyboards of all forms. Attacking the keyboard is the ultimate strategy to hijack a session before it is encrypted, capturing plaintext at the source and (often) in much simpler ways than those required to attack network protocols.

In this session we explore available attack vectors against traditional keyboards, starting with plain old keyloggers. We then advance to "Van Eck Phreaking" style attacks against individual keystroke emanations as well as RF wireless connections, and we finally graduate to the new hotness: acoustic attacks by eavesdropping on the sound of you typing!

Use your newfound knowledge for good: with great power comes great responsibility!

A subset of signal leak attacks focusing on keyboards. This talk is compiled from open sources; no classified material will be discussed.

SpeakerBio:  Federico Lucifredi, Product Management Director for Ceph Storage at IBM and Red Hat


CRE - Friday - 10:00-11:50 PDT


Title: AML Cryptocurrency Compliance
When: Friday, Aug 8, 10:00 - 11:50 PDT
Where: LVCCWest-Level1-Hall4-Communities-C101 - Map

Description:

Students receive exposure to the legal side of the cryptocurrency business, including certification, regulation, government policy, and risk assessment. Regulators around the world evaluate and implement diverse regulations governing the use and applications of Blockchain, reflecting varying degrees of acceptance ranging from blanket prohibition to highly facilitating frameworks. Organisations, in turn, assess the related risks and legal challenges. This workshop considers emerging trends and security essentials vital for business and financial businesses, providing a brief overview of AML and KYC and suggestions to increase security and decrease risk exposure.

Speakers:Joseph,Chelsea Button

SpeakerBio:  Joseph
SpeakerBio:  Chelsea Button, Cryptocurrency Education Initiative

Chelsea is a lawyer specializing in consumer finance, data and technology. She advises clients on updates in the law and defends them in litigation. She is a cryptocurrency advocate, with multiple professional publications.



DCW - Friday - 14:00-17:59 PDT


Title: Analyzing and Creating Windows Shellcode for Hackers
When: Friday, Aug 8, 14:00 - 17:59 PDT
Where: LVCCNorth-Level2-N256 - Map

Description:

Get ready to leap into the wild world of Windows shellcode! This fast-paced workshop covers how to analyze and create shellcode using state-of-the-art tools. Intended for those with intermediate knowledge, this workshop will review x86 assembly, and you will learn Windows internals and advanced shellcoding techniques. You’ll learn how to dissect shellcode with x32Dbg or WinDbg and how to use the SHAREM shellcode emulator for deep analysis and disassembly. After analyzing several samples, we’ll build our own shellcode, starting simple and moving on to intermediate multi-API shellcode. You will learn how to encode your shellcode for evasion and how to incorporate Windows syscalls directly into your shellcode for extra stealth. Finally, we will cover converting DLLs to shellcode. Expect to be made privy to a variety of shellcoding tips and tricks.

By the end, you’ll be able to:
• Quickly read and debug obfuscated shellcode;
• Implement GetPC techniques in shellcode;
• Chain WinAPIs to pass handles/pointers;
• Add direct Windows syscalls for stealth to shellcode;
• Convert DLLs to shellcode with sRDI.

Prep: Study x86 assembly and basic Windows debugging. We recommend a Windows VM with Windows Defender disabled, plus NASM, x32Dbg, WinDbg (classic), SHAREM, and ShellWasp.

Speakers:Bramwell Brizendine,Austin Norby,Logan Cannan

SpeakerBio:  Bramwell Brizendine, Director at VERONA Lab

Dr. Bramwell Brizendine has a Ph.D. in Cyber Operations and is the Director of the VERONA Lab. Bramwell has regularly spoken at DEFCON and presented at all regional editions of Black Hat (USA, Europe, Asia, MEA), as well as at Hack in the Box Amsterdam and Wild West Hackin' Fest. Bramwell received a $300,000 NSA research grant to create the SHAREM shellcode analysis framework, which brings unprecedented capabilities to shellcode analysis. He has additionally authored ShellWasp, which facilitates using Windows syscalls in shellcode, as well as two code-reuse attack frameworks, ROP ROCKET and JOP ROCKET. Bramwell has previously taught undergraduate, master's, and Ph.D. courses on software exploitation, reverse engineering, offensive security, and malware analysis. He currently teaches cybersecurity courses at the University of Alabama in Huntsville.

SpeakerBio:  Austin Norby, Director of Internal Research and Development at Bogart Associates

Dr. Austin Norby is a seasoned cybersecurity professional with over a decade of experience supporting the Department of Defense. He earned his bachelor's degrees in mathematics and computer science from the University of Minnesota, a master's degree from the Naval Postgraduate School, and a Doctorate in Cyber Operations from Dakota State University, specializing in anti-debugging techniques. Currently, Dr. Norby serves as the Director of Internal Research and Development at Bogart Associates, where he is responsible for spearheading the creation of advanced cybersecurity solutions for government use. His technical proficiencies include reverse engineering, malware analysis, and software engineering, with a strong focus on developing robust cyber capabilities in C, C++, Intel assembly, and Python.

SpeakerBio:  Logan Cannan, Ph.D. Candidate, University of Alabama in Huntsville 

Logan Cannan received the B.S. and M.S. degrees in Computer Engineering and Cybersecurity from the University of Alabama in Huntsville. He is currently a Ph.D. candidate for a degree in Computer Engineering in a joint degree program with the University of Alabama at Birmingham and the University of Alabama in Huntsville. After spending time at Idaho National Laboratory, working in both ICS vulnerability analysis and machine learning assisted code analysis, he focused his dissertation research on optimization for machine learning on binary analysis and reverse engineering tasks.



DL - Friday - 15:00-15:45 PDT


Title: Angry Magpie - DLP Bypass Simulator
When: Friday, Aug 8, 15:00 - 15:45 PDT
Where: LVCCWest-Level2-W210 - Map

Description:

Angry Magpie is an open-source toolkit that demonstrates critical bypasses in enterprise Data Loss Prevention (DLP) systems through browser-based techniques. Our research identifies a class of attacks — Data Splicing — that enable exfiltration of sensitive data by transforming it to evade detection patterns used by both proxy and endpoint DLP solutions. The toolkit showcases four primary techniques: data sharding, ciphering, transcoding, and channel smuggling, each demonstrating specific architectural limitations in current DLP implementations. Security teams can use Angry Magpie to test their defense mechanisms against these practical attacks, providing valuable insights for enhancing data protection strategies. With browsers now serving as the primary access point for enterprise data, understanding and addressing these vulnerabilities has become essential for maintaining effective data security posture. Special thanks to Pankaj Sharma from the SquareX research team for his contributions to Angry Magpie toolkit.

Speakers:Jeswin Mathai,Xian Xiang Chang

SpeakerBio:  Jeswin Mathai

Jeswin leads the design and implementation of SquareX’s infrastructure. Previously, he was part of Pentester Academy (acquired by INE) where he was responsible for managing the whole lab platform that was used by thousands of customers. A seasoned speaker and researcher, Jeswin has showcased his work at prestigious international stages such as DEF CON US, DEF CON China, RootCon, Black Hat Arsenal, and Demo Labs at DEF CON. He has also imparted his knowledge globally, training in-class sessions at Black Hat US, Asia, HITB, RootCon, and OWASP NZ Day. Jeswin is also the creator of popular open-source projects such as AWSGoat, AzureGoat, and PAToolkit.

SpeakerBio:  Xian Xiang Chang

Xian is a software engineer at SquareX, contributing to the industry's first browser detection and response solution. With deep technical expertise in browser security, he architected DetectiveSQ, a containerized system for dynamically analyzing Chrome extensions, earning recognition at Black Hat Asia Arsenal and exemplifying his ability to transform complex security challenges into practical defensive tools.



CRE - Friday - 16:00-17:50 PDT


Title: Applied Cryptocurrency Hardware
When: Friday, Aug 8, 16:00 - 17:50 PDT
Where: LVCCWest-Level1-Hall4-Communities-C101 - Map

Description:

Using an electronic circuit camera, we zoom in on cryptosecure devices and their circuits. Descriptions of existing cryptocurrency hardware lead to consideration of future integrations in the physical world and how secure elements work. We pass around a showcase of half a dozen wallets and similar hardware, as well as Nitrokeys (for defence) and ChipWhisperers (for attack). We get set up with a set of hardware development software tools, and consider the physical production workflow that top manufacturers follow in high security areas.

Speakers:Param D Pithadia,Michael "MSvB" Schloh von Bennewitz

SpeakerBio:  Param D Pithadia, Georgia Institute of Technology

Param is an Electrical Engineering Student from Georgia Tech with a strong passion for and interest in crypto. Although he primarily got interested in cryptography and hardware security through a class at Georgia Tech, he is also working at a software company on crypto adoption and ease of use. With a unique blend of HW and SW skills, Param is truly enthusiastic about all aspects of crypto.

SpeakerBio:  Michael "MSvB" Schloh von Bennewitz, Chairman, Monero Devices

Michael Schloh von Bennewitz (MSvB) is a computer scientist specializing in cryptosecure electronics and embedded development. He is the founder of Monero Devices and responsible for research, development, and maintenance of open-source software repositories. A prolific speaker in four languages, Michael presents at technical meetings every year.



PGE - Friday - 21:00-01:59 PDT


Title: Arcade Party
When: Friday, Aug 8, 21:00 - 01:59 PDT
Where: LVCCWest-Level2-W228-W229 - Map

Description:

The Arcade Party is back! Come play your favorite classic arcade games while jamming out to Keith Myers DJing. Your favorite custom-built 16-player LED foosball table will be ready for some competitive games. This epic party, free for DEF CON 33 attendees to enjoy and play, is hosted by the Military Cyber Professionals Association (a tech ed charity) and friends.



DL - Friday - 10:00-10:45 PDT


Title: Attack Flow and Root Cause Discovery - No LLMs, No Queries, Just Explainable ML
When: Friday, Aug 8, 10:00 - 10:45 PDT
Where: LVCCWest-Level2-W211 - Map

Description:

Attack Flow Detector is an open-source tool that helps defenders uncover coordinated cyber attacks buried in noisy alert data. Instead of relying on LLMs or black-box AI, it uses explainable machine learning to map alerts, logs, and telemetry to MITRE ATT&CK techniques, cluster them into contextualized attack steps, and chain them into complete killchains. Built for blue teamers and SOC analysts, it's lightweight, interpretable, and easy to deploy in real environments. This demo will show how the tool processes real-world-style data, generates actionable tickets, and supports root cause analysis. If you're drowning in false positives or lone incidents, this is for you.

Speakers:Ezz Tahoun,Kevin Shi

SpeakerBio:  Ezz Tahoun

Ezz Tahoun is an award-winning cybersecurity data scientist recognized globally for his innovations in applying AI to security operations. He has presented at multiple DEFCON villages, including Blue Team, Cloud, Industrial Control Systems (ICS), Adversary, Wall of Sheep, Packet Hacking, Telecom, and Creator Stage, as well as BlackHat Sector, MEA, EU, and GISEC. His groundbreaking work earned him accolades from Yale, Princeton, Northwestern, NATO, Microsoft, and Canada's Communications Security Establishment. At 19, Ezz began his PhD in Computer Science at the University of Waterloo, quickly gaining recognition through 20 influential papers and 15 open-source cybersecurity tools. His professional experience includes leading advanced AI-driven projects for Orange CyberDefense, Forescout, RBC, and Huawei Technologies US. Holding certifications such as aCCISO, CISM, CRISC, GCIH, GSEC, CEH, and GCP-Cloud Architect, Ezz previously served as an adjunct professor in cyber defense and warfare.

SpeakerBio:  Kevin Shi

Kevin is a data scientist specializing in cybersecurity and machine learning, currently working at the Canadian Institute for Cybersecurity at the University of New Brunswick. He holds a Master’s degree in Data Science from the University of Windsor, where he focused on applying advanced analytics and machine learning techniques to complex cybersecurity problems. His expertise includes developing and optimizing AI-driven methods for threat detection, anomaly identification, and security event analysis. His research contributions emphasize practical implementations of data science in cybersecurity operations, bridging theoretical approaches with real-world applications.



TRN - Monday - 08:00-16:59 PDT


Title: Attacking & Securing CI/CD Pipeline Certification (ASCPC) by White Knight Labs
When: Monday, Aug 11, 08:00 - 16:59 PDT
Where: LVCCWest - Map

Description:

The Attacking and Securing CI/CD course is an on-demand and self-paced program designed to equip participants with the knowledge and skills to identify vulnerabilities and implement security measures within Continuous Integration and Continuous Deployment (CI/CD) pipelines. This course combines theoretical knowledge with practical, hands-on labs that simulate real-world scenarios in a CI/CD environment.

SpeakerBio:  Raunak Parmar, Senior Cloud Security Engineer at White Knight Labs

Raunak Parmar works as a senior cloud security engineer at White Knight Labs. His areas of interest include web penetration testing, Azure/AWS security, source code review, scripting, and development. He enjoys researching new attack methodologies and creating open-source tools that can be used during cloud red team activities. He has worked extensively on Azure and AWS and is the author of Vajra, an offensive cloud security tool. He has spoken at multiple respected security conferences like Black Hat, Defcon, Nullcon, RootCon, and also at local meetups.



TRN - Tuesday - 08:00-16:59 PDT


Title: Attacking & Securing CI/CD Pipeline Certification (ASCPC) by White Knight Labs
When: Tuesday, Aug 12, 08:00 - 16:59 PDT
Where: LVCCWest - Map

Description:

The Attacking and Securing CI/CD course is an on-demand and self-paced program designed to equip participants with the knowledge and skills to identify vulnerabilities and implement security measures within Continuous Integration and Continuous Deployment (CI/CD) pipelines. This course combines theoretical knowledge with practical, hands-on labs that simulate real-world scenarios in a CI/CD environment.

SpeakerBio:  Raunak Parmar, Senior Cloud Security Engineer at White Knight Labs

Raunak Parmar works as a senior cloud security engineer at White Knight Labs. His areas of interest include web penetration testing, Azure/AWS security, source code review, scripting, and development. He enjoys researching new attack methodologies and creating open-source tools that can be used during cloud red team activities. He has worked extensively on Azure and AWS and is the author of Vajra, an offensive cloud security tool. He has spoken at multiple respected security conferences like Black Hat, Defcon, Nullcon, RootCon, and also at local meetups.



BBV - Friday - 11:00-11:59 PDT


Title: Attacking AI
When: Friday, Aug 8, 11:00 - 11:59 PDT
Where: LVCCWest-Level3-W326 - Map

Description:

Attacking AI is a one-of-a-kind session releasing case studies, tactics, and methodology from Arcanum’s AI assessments in 2024 and 2025. While most AI assessment material focuses on academic AI red team content, “Attacking AI” is focused on the task of assessing AI-enabled systems. Join Jason as he discusses his seven-point methodology for assessing these systems and releases Arcanum’s prompt injection taxonomy and other resources for aspiring testers.

SpeakerBio:  Jason "jhaddix" Haddix, Field CISO at flare.io

Jason has had a distinguished 20-year career in cybersecurity, previously serving as CISO of Buddobot, CISO of Ubisoft, Head of Trust/Security/Operations at Bugcrowd, Director of Penetration Testing at HP, and Lead Penetration Tester at Redspin.

He has also held positions doing mobile penetration testing, network/infrastructure security assessments, and static analysis.

Jason is a hacker, bug hunter, and is currently ranked 57th all-time on Bugcrowd's bug bounty leaderboards. Currently, he specializes in recon, web application analysis, and emerging technologies.

Jason has also authored many talks for world-renowned conferences like DEF CON, Bsides, Black Hat, RSA, OWASP, Nullcon, SANS, IANS, BruCon, ToorCon, and many more.



CON - Friday - 10:00-11:59 PDT


Title: Aw, man...pages!
When: Friday, Aug 8, 10:00 - 11:59 PDT
Where: LVCCWest-Level1-Atrium-East-Contest Stage

Description:

How well do you know your man pages? Find out by teaming up with up to 3 other people (or come solo and get matched up with some new friends) and play "Aw, man...pages!". Across several rounds, your knowledge of man pages will be tested to the limit. Can you remember what command line flag is being described by its help text? Can you identify a tool just from a man page snippet? Can you provide the long-form flag when only given the short? Will you prove yourself worthy to be crowned the man page champion?

Participant Prerequisites

None. We will provide answer sheets and pens. Participants can form teams of up to 4 people beforehand, or at the event (last year's winners all met each other at the contest).

Pre-Qualification

No



TRN - Monday - 08:00-16:59 PDT


Title: Azure Cloud Attacks for Red & Blue Teams - Beginner Edition
When: Monday, Aug 11, 08:00 - 16:59 PDT
Where: LVCCWest - Map

Description:

More than 95 percent of the Fortune 500 use Azure today! A huge number of organizations use Azure AD (Entra ID) as an Identity and Access Management platform. This makes it imperative to understand the risks associated with Azure as it contains an enterprise's infrastructure, apps, identities and a lot more!

In addition to cloud-only identity, the ability to connect on-prem Active Directory, applications and infrastructure to Azure brings some very interesting opportunities and risks too. Often complex to understand, this setup of components, infrastructure and identity is a security challenge.

This hands-on training aims towards abusing Azure and a number of services offered by it. We will cover multiple complex attack lifecycles against a lab containing multiple live Azure tenants.

All the phases of Azure red teaming and pentesting – Recon, Initial access, Enumeration, Privilege Escalation, Lateral Movement, Persistence and Data mining are covered. We will also discuss detecting and monitoring for the techniques we use.

The course is a mixture of fun, demos, exercises, hands-on and lecture. The training focuses more on methodology and techniques than tools. If you are a security professional trying to improve your skills in Azure cloud security, Azure pentesting or red teaming the Azure cloud, this is the right class for you!

Following topics are covered:

Attendees will get two months of free access to an Azure environment comprising multiple tenants and a Certified by AlteredSecurity Red Team Professional for Azure (CARTP) certification attempt.

SpeakerBio:  Nikhil, Founder at Altered Security

Nikhil’s areas of interest include red teaming, Azure and active directory security, attack research, defense strategies and post exploitation research. He has 15+ years of experience in red teaming.

He specializes in assessing security risks in secure environments that require novel attack vectors and an "out of the box" approach. He has worked extensively on Azure, Active Directory attacks, defense and bypassing detection mechanisms. Nikhil has held trainings and bootcamps for various corporate clients (in US, Europe and SE Asia), and at the world's top information security conferences.

He has spoken/trained at conferences like DEF CON, BlackHat, BruCON and more.

Nikhil is the founder of Altered Security - a company focusing on hands-on enterprise security learning - https://www.alteredsecurity.com/



TRN - Tuesday - 08:00-16:59 PDT


Title: Azure Cloud Attacks for Red & Blue Teams - Beginner Edition
When: Tuesday, Aug 12, 08:00 - 16:59 PDT
Where: LVCCWest - Map

Description:

More than 95 percent of the Fortune 500 use Azure today! A huge number of organizations use Azure AD (Entra ID) as an Identity and Access Management platform. This makes it imperative to understand the risks associated with Azure as it contains an enterprise's infrastructure, apps, identities and a lot more!

In addition to cloud-only identity, the ability to connect on-prem Active Directory, applications and infrastructure to Azure brings some very interesting opportunities and risks too. Often complex to understand, this setup of components, infrastructure and identity is a security challenge.

This hands-on training aims towards abusing Azure and a number of services offered by it. We will cover multiple complex attack lifecycles against a lab containing multiple live Azure tenants.

All the phases of Azure red teaming and pentesting – Recon, Initial access, Enumeration, Privilege Escalation, Lateral Movement, Persistence and Data mining are covered. We will also discuss detecting and monitoring for the techniques we use.

The course is a mixture of fun, demos, exercises, hands-on and lecture. The training focuses more on methodology and techniques than tools. If you are a security professional trying to improve your skills in Azure cloud security, Azure pentesting or red teaming the Azure cloud, this is the right class for you!

Following topics are covered:

Attendees will get two months of free access to an Azure environment comprising multiple tenants and a Certified by AlteredSecurity Red Team Professional for Azure (CARTP) certification attempt.

SpeakerBio:  Nikhil, Founder at Altered Security

Nikhil’s areas of interest include red teaming, Azure and active directory security, attack research, defense strategies and post exploitation research. He has 15+ years of experience in red teaming.

He specializes in assessing security risks in secure environments that require novel attack vectors and an "out of the box" approach. He has worked extensively on Azure, Active Directory attacks, defense and bypassing detection mechanisms. Nikhil has held trainings and bootcamps for various corporate clients (in US, Europe and SE Asia), and at the world's top information security conferences.

He has spoken/trained at conferences like DEF CON, BlackHat, BruCON and more.

Nikhil is the founder of Altered Security - a company focusing on hands-on enterprise security learning - https://www.alteredsecurity.com/



CPV - Friday - 12:30-12:59 PDT


Title: Back to Basics: Building Resilient Cyber Defenses
When: Friday, Aug 8, 12:30 - 12:59 PDT
Where: LVCCWest-Level2-W232 - Map

Description:

In spite of novel cybersecurity threats, digital security advice has remained largely unchanged in recent years. In fact, much of the viral advice in response to high-profile attacks or threats doesn't actually address the risks people are most likely to face. In this talk, we'll analyze high-profile digital privacy and security concerns, whether the viral advice to address said concerns is effective and practical, and what steps could be taken—both before and after an issue arises.

SpeakerBio:  Yael Grauer, Program Manager of Cybersecurity Research at Consumer Reports

Yael Grauer is a program manager of cybersecurity research at Consumer Reports. She also does freelance investigative tech reporting, maintains the Big Ass Data Broker Opt-Out List, and is a proud member of the Lockdown Systems Collective.



CRE - Friday - 17:00-17:59 PDT


Title: Badgelife: Lessons from Years of Do’s, Don’ts, and Last-Minute Saves
When: Friday, Aug 8, 17:00 - 17:59 PDT
Where: LVCCWest-Level1-Hall4-Communities-C105 - Map

Description:

Behind every blinking LED and clever CTF is a mountain of caffeine, chaos, and carefully disguised panic. In this panel, veteran badge creators share their hard-earned lessons from years in the trenches of Badgelife - what worked, what absolutely didn’t, and what miraculously came together 12 hours before con opened. From catastrophic PCB errors and customs nightmares to soldering in hotel bathtubs, and shipping hacks that would make a logistics manager cry - we’ll break down the real behind-the-scenes stories that never make it to the badge booth. Whether you’re a first-time builder or a seasoned badge nerd, this is your survival guide (and therapy session) in one.

Speakers:Abhinav Pandagale,MakeItHackin

SpeakerBio:  Abhinav Pandagale, Founder at Hackerware.io

Abhinav's artistry comes from the times he used to sneakily paint drawings made by his sister. His hacking career began as a toddler, disassembling his toys but never putting them back together. His entrepreneurial roots come from selling snacks at a school fair and making a loss of . Having learned how not to make money, he launched Hackerware.io - a boutique badgelife lab with in-house manufacturing - which has grown over the past nine years into a global presence across 19 countries. He’s often spotted at conferences around the world - hosting hardware villages or pulling off the kind of random shenanigans that earned him the Sin CON Person of the Year 2025 award.

SpeakerBio:  MakeItHackin, Badge Maker

MakeItHackin graduated with a physics degree and served in the Army before diving into electronics in 2016, the same year as his first DEF CON! He joined the badge-making scene at DEF CON 29, fueling a passion for reverse-engineering. With a love for tearing apart tech, he tinkers as a hobbyist, and has previously spoken at Physical Security Village, HOPE Conference, and Hackaday Supercon.



DL - Friday - 15:00-15:45 PDT


Title: Beaconator C2 Framework
When: Friday, Aug 8, 15:00 - 15:45 PDT
Where: LVCCWest-Level2-W212 - Map

Description:

The Beaconator C2 framework provides multiple highly evasive payloads, created to provide red teams with code execution, versatility, and ease of use. It is intended to be a Swiss Army knife for evasive C2, with a unified listener and basic tools to manage an engagement. The goal is to empower red/purple teams to emulate emerging adversary tactics that are evasive, prove them out, and then open tickets with various AV/EDR vendors to improve detectability for these blind spots that are now exploited in the wild.

Speakers:Mike "CroodSolutions" Manrod,Ezra "Shammahwoods" Woods

SpeakerBio:  Mike "CroodSolutions" Manrod

Mike serves as the CISO for Grand Canyon Education and adjunct faculty for Grand Canyon University, teaching malware analysis. Mike also co-founded the Threat Intelligence Support Unit (TISU), a community for threat and adversary research. He is also a co-author/contributor for the joint book project, Understanding New Security Threats published by Routledge in 2019, along with numerous articles. When not working, he spends time playing video games and doing random projects with his kids.

SpeakerBio:  Ezra "Shammahwoods" Woods

Ezra is an avid security researcher currently working as an information security engineer with Grand Canyon Education.



BBV - Friday - 10:00-10:59 PDT


Title: Becoming a Caido Power User
When: Friday, Aug 8, 10:00 - 10:59 PDT
Where: LVCCWest-Level3-W326 - Map

Description:

No one can deny that the job of a bug bounty hunter is tedious at times. The goal of this talk is simple: to make you a more efficient hacker using Caido. There is a lot to cover, but you can expect content surrounding the following: AI integration, collaboration, automation (JIT and otherwise), efficient navigation, and a slew of new Caido features. Caido is a rapidly evolving tool - consider this your crash course on getting back up to speed.

SpeakerBio:  Justin "rhynorater" Gardner, Advisor at Caido

I'm a full-time Bug Bounty Hunter and Host of the Critical Thinking - Bug Bounty Podcast. I also work as an Advisor for Caido (HTTP Proxy). When I'm not putting in reports or disseminating technical info on the pod, I'm normally spending time with my wife and 2 daughters, lifting heavy things, playing volleyball, or getting folded in BJJ.



CPV - Friday - 12:00-12:59 PDT


Title: Behind The Dashboard - (Lack Of) Automotive Privacy
When: Friday, Aug 8, 12:00 - 12:59 PDT
Where: LVCCWest-Level2-W228 - Map

Description:

We usually view the world of cybersecurity through the lens of a malicious attacker versus a legitimate actor within a given system. This approach fails when considering the world of data privacy where there are three actors in play: the possibly-benevolent vendor, the legitimate user and the inevitable malicious actor. Using this privacy-focused lens, we survey the current regulatory landscape before turning our attention to how privacy is (not) applied to the automotive world.

Our talk focuses on the unique privacy risks the automotive industry is facing with the advent of smart, connected cars. We present a real-world case study showing how quickly and thoroughly a bad actor could invade the privacy of a car owner, based on a privacy leak vulnerability designated CVE-2025-26313 (reserved).

Speakers:Lior ZL,Jacob Avidar

SpeakerBio:  Lior ZL, Security Researcher at PlaxidityX Threat Research Labs

Lior is a security researcher in the PlaxidityX Threat Research Labs. Lior is part of a team of security researchers and data scientists who focus on innovation in the cybersecurity world, both from an offensive and a defensive perspective. Lior’s past experience is in enterprise cybersecurity and systems development. Lior holds an M.Sc in Computer Science.

SpeakerBio:  Jacob Avidar, VP R&D and CISO at PlaxidityX

Jacob Avidar is the VP R&D and CISO of PlaxidityX (formerly Argus). Jacob founded the Threat Research Labs team that focuses on exploring high-risk vulnerabilities through cyber attacks in the Automotive industry. Exposing these risks allows OEMs and Tier-1 vendors to deal with violations and thus protect cars and people's lives from cyber attacks.



PGE - Friday - 18:00-21:59 PDT


Title: BIC Village Game Night
When: Friday, Aug 8, 18:00 - 21:59 PDT
Where: LVCCWest-Level3-W322-W324 - Map

Description:

Gamers Unite! Come join the BIC Village team to engage with one another, unplug and find some friendly competition! Whether you’re into board games, card games or classic party games, there’s something for everyone here. Bring your game face and get ready for a night of fun, laughter and connection. This event will feature different board games such as Jenga, Uno, Spades, Ludi and more from around the African Diaspora and Black American culture!



MWV - Friday - 14:00-17:59 PDT


Title: Binary exploitation basics
When: Friday, Aug 8, 14:00 - 17:59 PDT
Where: LVCCWest-Level1-Hall1-W303 - Map

Description:
SpeakerBio:  Leigh Trinity
No BIO available


BHV - Friday - 16:00-16:30 PDT


Title: Bio-Cryptography is the Game-Genie in a post quantum dystopia
When: Friday, Aug 8, 16:00 - 16:30 PDT
Where: LVCCWest-Level2-W229 - Map

Description:

At Defcon 32 we discussed how to transfect DNA using a lighter in the privacy of your home; at Defcon 33 we want to bring the next phase, which is BioCypher. BioCypher is a tool that will help with plasmid design to embed cryptographic messages. As quantum computing threatens traditional encryption, it’s time to ditch silicon and embrace self-assembling biomolecular firewalls. DNA Origami Cryptography (DOC) uses viral scaffolds to create nanometer-scale encryption keys over 700 bits long—strong enough to give Shor’s algorithm an existential crisis. Beyond brute-force resistance, DOC enables protein-binding steganography and multi-part message integrity, allowing encrypted communication through braille-like molecular folds. Whether securing classified data or encoding musical notes into microscopic strands, DOC offers a biological alternative to post-quantum doom. In this talk, we’ll explore how molecular self-assembly is turning DNA into the hacker-proof cipher of the future, now introducing BioCypher! A rough demo awaits, for all to use the tool and think about a bio-crypto-future!

SpeakerBio:  James Utley, PhD

Dr. James Utley, PhD, is a Johns Hopkins-trained Immunohematology expert, CABP, and AI/data science leader. As Technical Director, he led 150K+ cellular transfusions, advancing DoD and FDA-approved therapies. A bold biohacker, he pioneers CRISPR/genetic engineering, earning the moniker “the pirate.”



DCT - Friday - 10:00-10:45 PDT


Title: BitUnlocker: Leveraging Windows Recovery to Extract BitLocker Secrets
When: Friday, Aug 8, 10:00 - 10:45 PDT
Where: LVCCWest-Level1-Hall3-Track 3 - Map

Description:

In Windows, the cornerstone of data protection is BitLocker, a Full Volume Encryption technology designed to secure sensitive data on disk. This ensures that even if an adversary gains physical access to the device, the data remains secure and inaccessible.

One of the critical aspects of any data protection feature is its ability to support recovery operations in failure cases. To support BitLocker recovery, design changes were applied in the Windows Recovery Environment (WinRE). This led us to a pivotal question: did these changes introduce new attack surfaces impacting BitLocker?

In this talk, we will share our journey of researching a fascinating and mysterious component: WinRE. Our exploration begins with an overview of the WinRE architecture, followed by a retrospective analysis of the attack surfaces exposed with the introduction of BitLocker. We will then discuss our methodology for effectively researching and exploiting these exposed attack surfaces. Our presentation will reveal how we identified multiple 0-day vulnerabilities and developed fully functional exploits, enabling us to bypass BitLocker and extract all protected data in several different ways.

Finally, we will share the insights Microsoft gained from this research and explain our approach to hardening WinRE, which in turn strengthens BitLocker.

Speakers:Alon "alon_leviev" Leviev,Netanel Ben Simon

SpeakerBio:  Alon "alon_leviev" Leviev

Alon Leviev (@alon_leviev) is a self-taught security researcher working with the Microsoft Offensive Research & Security Engineering (MORSE) team. Alon specializes in low-level vulnerability research targeting hardware, firmware, and Windows boot components. He has presented his findings at internationally-recognized security conferences such as DEF CON 32 (2024), Black Hat USA 2024, Black Hat EU 2023, CanSecWest 2024, and CONFidence 2024. Prior to his career in cybersecurity, Alon was a professional Brazilian jiu-jitsu athlete, winning several world and European titles.

SpeakerBio:  Netanel Ben Simon

Netanel Ben-Simon has been a security researcher for over eight years, and is currently working with the Microsoft Offensive Research & Security Engineering (MORSE) team. He specializes in low-level vulnerability research, fuzzing and exploitation on various platform types such as Windows, Linux, and embedded devices. Over the past year, he has conducted in-depth vulnerability research on different UEFI components with a focus on Windows security posture around the boot environment, bug hunting and mitigations.



DL - Friday - 11:00-11:45 PDT


Title: Blackdagger - Cyber Workflow Automation Framework
When: Friday, Aug 8, 11:00 - 11:45 PDT
Where: LVCCWest-Level2-W208 - Map

Description:

Blackdagger is a next-gen cybersecurity workflow automation framework built to streamline and accelerate complex operations across DevSecOps, MLOps, MLSecOps, and Continuous Automated Red Teaming (CART). It uses a declarative YAML-based Directed Acyclic Graph (DAG) system to define, visualize, and execute automated pipelines — no heavy scripting required. With a built-in web UI, a containerized red teaming toolkit called Blackcart, and integration with GitHub Actions for OPSEC-friendly task execution, Blackdagger empowers teams to deploy, manage, and scale cyber workflows in real-time. Attendees will see live demos of red team pipelines, stealthy GitHub-based automation, and browser-based workflow execution via the Blackdagger Web Kit. Whether you're defending or attacking, Blackdagger turns security automation into an intuitive, visual experience — backed by real-world NATO and defense applications.

Speakers:Mahmut "ErdemOzgen" Erdem Ozgen,Ata Seren

SpeakerBio:  Mahmut "ErdemOzgen" Erdem Ozgen

Mahmut is a computer engineer from Ankara, Turkey, specializing in software engineering, cybersecurity, ML systems, and DevSecOps. A Bahcesehir University graduate (2015-2020), he has played key roles at HAVELSAN, developing secure DevSecOps pipelines and cybersecurity architectures for Turkish Armed Forces, contributing to national security systems advancement. He has extensive experience with machine learning and LLMs, applying theoretical concepts to practical solutions. As a student research assistant at Istanbul Big Data Education and Research Center, he implemented learning-based algorithms for drone routing and conducted text processing and sentiment analysis. His technical expertise encompasses Python, Go, C/C++, Java, JavaScript, Docker, Kubernetes, Terraform, and blockchain technologies. Fluent in English and Turkish, he has received notable recognition, including first place in the Presidency of Defence Industries Cyber Capstone Projects and a full scholarship from Bahcesehir University. Additionally, he has served on the NATO Locked Shields exercise green team, implementing ML and LLM-based systems, and currently serves as a red team capability leader in the NATO CWIX exercise.

SpeakerBio:  Ata Seren

Ata is a specialized cyber security engineer with expertise in application security, DevSecOps, and penetration testing. Currently pursuing a Master’s degree in Cyber Security at Middle East Technical University, his thesis focuses on static application security testing, tool mechanisms, and innovative approaches in the field. With professional experience at HAVELSAN, he has contributed to significant NATO projects and open-source cybersecurity tools including DevSecOpsBuilder, Blackcart, and Blackdagger. His involvement in the NATO Locked Shields exercise in 2024 and 2025 demonstrates his practical expertise in cyber defense operations at an international level. A recognized voice in the cybersecurity community, he has presented the Blackdagger tool at Black Hat USA, Europe, and Asia conferences alongside his colleague. Most recently, he spoke at CyCon 2025, introducing a new cybersecurity framework to industry professionals. His technical proficiency spans multiple programming languages including Python, Golang, and C/C++, complemented by extensive knowledge of cybersecurity fundamentals, cloud security, and AI/ML approaches to security challenges. He is currently expanding his red teaming capabilities while studying for the OSCP certification from OffSec.



PGE - Friday - 19:00-00:59 PDT


Title: BlanketFort Con
When: Friday, Aug 8, 19:00 - 00:59 PDT
Where: LVCCWest-Level2-W231-W232 - Map

Description:
BlanketFort Con: Come for the chill vibes and diversity, stay for the Blanket Fort Building, Cool Lights, Music, and Kid Friendly \ Safe environment. Now with less Gluten and more animal onesies!


DL - Friday - 11:00-11:45 PDT


Title: BOAZ - A Multilayered Approach to AV/EDR Evasion Engineering
When: Friday, Aug 8, 11:00 - 11:45 PDT
Where: LVCCWest-Level2-W209 - Map

Description:

BOAZ (Bypass, Obfuscate, Adapt, Zero-Trust) evasion was inspired by the concept of a multi-layered approach, the evasive version of defence-in-depth, first proposed in a presentation at BH USA14. BOAZ was developed to provide greater control over combinations of evasion methods, enabling more granular evaluations against antivirus and EDR. It is designed to bypass before, during, and post execution detections that span signature, heuristic, and behavioural detection mechanisms. BOAZ supports either an x86/x64 binary (PE) or a raw payload as input and outputs an EXE or DLL. It has been tested on separate Windows 11 Enterprise, Windows 10, and Windows Server 2022 VMs with 14 desktop AVs and 7 EDRs installed including Windows Defender, Norton, BitDefender, Sophos, and ESET. The design of BOAZ evasion is modular, so users can add their own toolset or techniques to the framework. BOAZ is written in C++ and C and uses Python3 as the main linker to integrate all modules. There have been significant improvements implemented since its inception. The new version of the BOAZ evasion tool, set for release at DEF CON 33, will feature three novel threadless process injection primitives, along with newly implemented loaders and behavioural evasion techniques.

SpeakerBio:  Thomas "XM20" Xuan Meng

Thomas is a cybersecurity researcher, reverse engineer, and developer with a diverse background in policing, academia, and civil service. He holds a PhD in Computational Engineering, an MPhil in Criminological Research, and a BSc in Mathematics, and was awarded a university medal in Cybersecurity from Edinburgh Napier University.



MISC - Friday - 16:00-16:59 PDT


Title: Book Signing - - Jim O'Gorman/No Starch Press
When: Friday, Aug 8, 16:00 - 16:59 PDT
Where: LVCCWest-Level1-Hall4-Vendors-V301 Book Signings-Table 1 - Map

Description:


MISC - Friday - 10:00-10:59 PDT


Title: Book Signing - Adversary Emulation with MITRE ATT&CK - Drinor Selmanaj
When: Friday, Aug 8, 10:00 - 10:59 PDT
Where: LVCCWest-Level1-Hall4-Vendors-V301 Book Signings-Table 2 - Map

Description:

Drinor Selmanaj is a cybersecurity pioneer, Forbes Technology Council member, and published author. As Founder of Sentry, he leads an elite team securing unicorn-stage companies and Big Four clients across critical sectors. He also founded the Cyber Academy, where his hands-on training programs and AI-driven edtech solutions have launched thousands of careers and are redefining how cybersecurity talent is developed worldwide.

SpeakerBio:  Drinor Selmanaj

Drinor Selmanaj is a cybersecurity pioneer, Forbes Technology Council member, and published author. As Founder of Sentry, he leads an elite team securing unicorn-stage companies and Big Four clients across critical sectors. He also founded the Cyber Academy, where his hands-on training programs and AI-driven edtech solutions have launched thousands of careers and are redefining how cybersecurity talent is developed worldwide.



MISC - Friday - 13:00-13:59 PDT


Title: Book Signing - Alex Matrosov/No Starch Press
When: Friday, Aug 8, 13:00 - 13:59 PDT
Where: LVCCWest-Level1-Hall4-Vendors-V301 Book Signings-Table 3 - Map

Description:
SpeakerBio:  Alex Matrosov
No BIO available


MISC - Friday - 14:00-14:59 PDT


Title: Book Signing - Alfie Champion/No Starch Press
When: Friday, Aug 8, 14:00 - 14:59 PDT
Where: LVCCWest-Level1-Hall4-Vendors-V301 Book Signings-Table 3 - Map

Description:
SpeakerBio:  Alfie Champion
No BIO available


MISC - Friday - 16:00-16:59 PDT


Title: Book Signing - Breaking IN: A Practical Guide To Starting a Career In Information Security Cybersecurity Essentials For Startups : A Practical Guide - Ayman Elsawah
When: Friday, Aug 8, 16:00 - 16:59 PDT
Where: LVCCWest-Level1-Hall4-Vendors-V301 Book Signings-Table 4 - Map

Description:
SpeakerBio:  Ayman Elsawah
No BIO available


MISC - Friday - 10:00-10:59 PDT


Title: Book Signing - Cyber Calendar 2026 - Chris DeCarmen/Squared Away LLC
When: Friday, Aug 8, 10:00 - 10:59 PDT
Where: LVCCWest-Level1-Hall4-Vendors-V301 Book Signings-Table 4 - Map

Description:

As a former enlisted Marine, Human Rights volunteer in Cameroon, Ukrainian Peace Corps member, and Army Officer, I bring a diverse background to my current role as a Network Analyst. My lifelong passion for computers—rooted in the era of dial-up—drove me to create the Cyber Calendar. This project aims to illuminate essential cyber practices and address the complacency creep that often undermines our security.

SpeakerBio:  Chris DeCarmen

As a former enlisted Marine, Human Rights volunteer in Cameroon, Ukrainian Peace Corps member, and Army Officer, I bring a diverse background to my current role as a Network Analyst. My lifelong passion for computers—rooted in the era of dial-up—drove me to create the Cyber Calendar. This project aims to illuminate essential cyber practices and address the complacency creep that often undermines our security.



MISC - Friday - 15:00-15:59 PDT


Title: Book Signing - Daniel Reilly/No Starch Press
When: Friday, Aug 8, 15:00 - 15:59 PDT
Where: LVCCWest-Level1-Hall4-Vendors-V301 Book Signings-Table 3 - Map

Description:
SpeakerBio:  Daniel Reilly
No BIO available


MISC - Friday - 12:00-12:59 PDT


Title: Book Signing - Firewalls Don't Stop Dragons: A Step-by-Step Guide to Computer Security and Privacy for Non-Techies (5th ed) - Carey Parker
When: Friday, Aug 8, 12:00 - 12:59 PDT
Where: LVCCWest-Level1-Hall4-Vendors-V301 Book Signings-Table 2 - Map

Description:


SpeakerBio:  Carey Parker

Carey Parker is on a mission to raise the awareness of everyday, non-technical people on the crucially important topics of cybersecurity and privacy. There are plenty of resources for computer geeks (like himself), but he is striving to reach the 99% of the population who use the Internet all the time but have no real idea how safe they are nor how to make themselves safer. It might seem like a lost cause, but trust him, it’s not! There are dozens of free and simple things we can all be doing to protect ourselves, our family, and our friends.



MISC - Friday - 15:00-15:59 PDT


Title: Book Signing - Future of Hacking: The Rise of Cybercrime and the Fight to Keep Us Safe - Laura S. Scherling, EdD / Bloomsbury
When: Friday, Aug 8, 15:00 - 15:59 PDT
Where: LVCCWest-Level1-Hall4-Vendors-V301 Book Signings-Table 2 - Map

Description:


Accepted Payment Methods: Cash, Venmo, and PayPal

SpeakerBio:  Laura S. Scherling, EdD

Laura Sang Hee Scherling, EdD, is a director and adjunct lecturer at Columbia University. Scherling is the founder of the Cyber Care Institute and co-founder of Civic Art Lab. Her previous books include Ethics in Design and Communication, Digital Transformation in Design, and Product Design, Technology, and Social Change. She is a contributor to Tech Policy Press and Design Observer. Scherling is passionate about tech ethics, Internet freedom, and cybersecurity awareness.



MISC - Friday - 11:00-11:59 PDT


Title: Book Signing - Jon DiMaggio/ No Starch Press
When: Friday, Aug 8, 11:00 - 11:59 PDT
Where: LVCCWest-Level1-Hall4-Vendors-V301 Book Signings-Table 1 - Map

Description:
SpeakerBio:  Jon DiMaggio

Jon DiMaggio is the Chief Security Strategist at Analyst1 and a cybercrime hunter who doesn’t just follow ransomware gangs, he infiltrates them. A former U.S. intelligence analyst with a background in signals intelligence, Jon has spent his career going deep undercover inside some of the world’s most dangerous cybercrime syndicates. In 2024, he embedded himself within the notorious LockBit ransomware gang, gathering intelligence that helped law enforcement take down one of the most prolific cybercriminal operations in history.

His investigative series The Ransomware Diaries exposed LockBit’s inner workings and earned widespread recognition. Jon is the author of The Art of Cyberwarfare (No Starch Press), a two-time SANS Difference Makers Award winner, has appeared on 60 Minutes, and has been featured in The New York Times, Wired, and Bloomberg. He is also a regular speaker at DEFCON, RSA, and other major security conferences. Whether he’s chasing cybercriminals or telling their stories, Jon brings the kind of firsthand insight you only get when you’ve walked into the lion’s den, and walked out.



MISC - Friday - 15:00-15:59 PDT


Title: Book Signing - JP Ausmasson/No Starch Press
When: Friday, Aug 8, 15:00 - 15:59 PDT
Where: LVCCWest-Level1-Hall4-Vendors-V301 Book Signings-Table 1 - Map

Description:
SpeakerBio:  JP Ausmasson
No BIO available


MISC - Friday - 13:00-13:59 PDT


Title: Book Signing - Nick Aleks/No Starch Press
When: Friday, Aug 8, 13:00 - 13:59 PDT
Where: LVCCWest-Level1-Hall4-Vendors-V301 Book Signings-Table 1 - Map

Description:
SpeakerBio:  Nick Aleks
No BIO available


MISC - Friday - 14:00-14:59 PDT


Title: Book Signing - Philip Dunsey/No Starch Press
When: Friday, Aug 8, 14:00 - 14:59 PDT
Where: LVCCWest-Level1-Hall4-Vendors-V301 Book Signings-Table 1 - Map

Description:
SpeakerBio:  Philip Dunsey
No BIO available


MISC - Friday - 11:00-11:59 PDT


Title: Book Signing - Supply Chain Software Security-AI, IoT and Application Security - Aamiruddin Syed/Apress Media LLC
When: Friday, Aug 8, 11:00 - 11:59 PDT
Where: LVCCWest-Level1-Hall4-Vendors-V301 Book Signings-Table 3 - Map

Description:


Payment method: Zelle, Wire transfer

SpeakerBio:  Aamiruddin Syed

Aamiruddin Syed is a cybersecurity professional with over a decade of experience in the industry. He specializes in DevSecOps, Shift-Left Security, cloud security, and internal penetration testing. He authored the book titled "Supply Chain Software Security-AI, IoT, Application Security" with Apress/Springer. He has extensive expertise in automating security into CI/CD pipelines, developing security automation, and building security into infrastructure as code. He has worked on securing cloud platforms by applying security best practices to infrastructure provisioning and configuration. Leveraging his penetration testing skills, he routinely conducts targeted internal assessments of critical applications and systems to proactively identify risks. He excels at bridging the gap between security and engineering teams to enable building security directly into products. A recognized advocate for secure development, Aamiruddin is a frequent speaker and session chair at leading industry conferences including RSA Conference, DEFCON, and Black Hat.



MISC - Friday - 15:00-15:59 PDT


Title: Book Signing - The Hacker Mindset: A 5-Step Methodology for Cracking the System and Achieving Your Dreams - Garrett Gee/Hacker Warehouse
When: Friday, Aug 8, 15:00 - 15:59 PDT
Where: LVCCWest-Level1-Hall4-Vendors-V301 Book Signings-Table 4 - Map

Description:

For more about Garrett visit https://GarrettGee.com

SpeakerBio:  Garrett Gee

Garrett Gee is a USA Today bestselling author and 7-figure entrepreneur, recognized for his expertise in cybersecurity and hacking. As the founder and owner of Hacker Warehouse, he has established a premier destination for computer security tools, serving clients from Fortune 100 companies to government agencies.

With over 20 years of cybersecurity experience, Gee has become a sought-after consultant in the industry. He is the author of the bestselling book “The Hacker Mindset,” a transformative guide that empowers individuals to break free from conventional constraints and achieve their personal and professional goals.

As an international speaker and media expert, Garrett actively engages with a community of learners and hackers, promoting continuous growth and innovation in both cybersecurity and personal development.



MISC - Friday - 12:00-12:59 PDT


Title: Book Signing - Travis Goodspeed/No Starch Press
When: Friday, Aug 8, 12:00 - 12:59 PDT
Where: LVCCWest-Level1-Hall4-Vendors-V301 Book Signings-Table 1 - Map

Description:
SpeakerBio:  Travis Goodspeed
No BIO available


MWV - Friday - 10:00-10:30 PDT


Title: Break Systems, Not Promises: I promised to do a keynote at DEF CON
When: Friday, Aug 8, 10:00 - 10:30 PDT
Where: LVCCWest-Level1-Hall1-W303 - Map

Description:
SpeakerBio:  Lena "LambdaMamba" Yu, CEO at World Cyber Health
No BIO available


RTV - Friday - 12:00-13:50 PDT


Title: Bridge to Nowhere Good: When Azure Relay becomes a Red Teamer's highway
When: Friday, Aug 8, 12:00 - 13:50 PDT
Where: LVCCWest-Level1-Hall1-W405-Red Team Village/LVCC-L1-EHW1-405-Track 1 - Map

Description:

We have exposed critical offensive capabilities in the azbridge tool, which has been available in Microsoft Azure's GitHub repository since 2018. This tool is a legitimate utility connecting network-isolated assets. Our research demonstrates how an attacker can weaponize this tool using its default configuration.

azbridge supports attackers in establishing covert C2 channels, exfiltrating data, and enabling lateral movement while evading scrutiny by perimeter defenses. It leverages back-end services that serve Azure Relay endpoints (*.servicebus.windows.net) and encapsulates malicious traffic in TLS-encrypted connections to *.cloudapp.azure.com endpoints, defeating egress filtering and proxy inspection.

We demonstrate how attackers can use it to maintain persistent network access, bypass network security controls, and conduct post-exploitation using Microsoft's tool. More sophisticated adversaries can re-implement the functionality of this tool in their tradecraft (e.g., implants). For our defensive side friends, we provide initial recommendations on recognizing these techniques to defend against adversaries exploiting legitimate infrastructure.

While not a 0-day, as of 03/14/2025, there are no reports of adversaries using azbridge, and no researchers have reported this tool’s potential for abuse. Therefore, we believe it is a novel use case or at least one that has not been publicly discussed.

Speakers:Edward Landers,Josh Huff,Robert Pimentel

SpeakerBio:  Edward Landers

Edward is a red teamer and former offensive security consultant focused on adversary simulation, malware development, and social engineering. He works on bypassing security controls, evading detection, and testing the limits of modern defenses. When he’s not on an engagement, he’s refining techniques, building tools, and keeping up with the ever-changing security landscape.

SpeakerBio:  Josh Huff

Josh is an offensive security professional with more than 10 years in Information Security. He has an Associate's Degree in Computer Forensics and Security, as well as several certifications. He began his professional career in IT as a contractor for the US Army Corps of Engineers before moving to his current company where he has held roles both on the defensive and offensive sides of security.

When not in the office Josh satisfies his curiosity exploring Red Team Infrastructure and Open Source Intelligence. He is a husband, father of two, and enjoys playing multiple instruments. Want an OSINT challenge - see if you can find his account for live streaming music.

Currently, Josh is a Senior Red Team Operator at a Fortune 50 insurance company.

SpeakerBio:  Robert Pimentel

Robert is a seasoned offensive security professional with more than a decade of experience in Information Security. He started his career in the U.S. Marine Corps, working on secure telecommunications. Robert holds a master's degree in Cybersecurity, numerous IT certifications, and a background as an instructor at higher education institutions like the New Jersey Institute of Technology and American University.

Robert is committed to sharing his knowledge and experiences for the benefit of others. He enjoys Brazilian steakhouses and cuddling with his pugs while writing Infrastructure as Code to automate Red Team Infrastructure.

Robert currently serves as a Red Team Lead at Humana, Inc.



TRN - Monday - 08:00-16:59 PDT


Title: BRIDGING THE GAP - An Introduction to IoT Security from Serial to Bluetooth
When: Monday, Aug 11, 08:00 - 16:59 PDT
Where: LVCCWest - Map

Description:

Dive into the world of hardware hacking with this intensive, hands-on class that bridges the gap between software security and physical hardware. Over the course of two action-packed days, you'll learn to identify and exploit vulnerabilities common in IoT devices, medical equipment, and embedded systems. Starting with hardware basics and circuit board analysis, you'll quickly progress to mastering essential interfaces like UART, SPI, and JTAG. Get hands-on experience with industry software tools while learning to extract firmware, bypass authentication systems, and analyze Bluetooth Low Energy (BLE) implementations. Perfect for security professionals, researchers, and hardware enthusiasts, this course combines real-world case studies with practical exercises using actual devices. You'll leave equipped with a solid foundation in hardware security assessment, understanding common attack vectors, and knowing how to integrate hardware security testing into your product development lifecycle. Bring your curiosity - we'll provide the hardware!

Speakers:Will McCardell,Garrett Freibott,Cody Hein,Aaron Wasserman

SpeakerBio:  Will McCardell, Lead Offensive Security Engineer at Praetorian

Will McCardell is a Lead Offensive Security Engineer at Praetorian and a member of the IoT Penetration Testing team. He has a decade of software engineering and offensive security experience as well as a deep passion for hardware testing.

SpeakerBio:  Garrett Freibott, Senior Security Engineer at Praetorian

Garrett Freibott is a Senior Security Engineer at Praetorian and a member of the IoT Penetration Testing team. He has experience in open-source software development, application penetration testing, and enterprise software security. Garrett has a B.S. in Computer Science from Arizona State University and the OSCP.

SpeakerBio:  Cody Hein, Senior Security Engineer at Praetorian

Cody Hein is a Senior Security Engineer at Praetorian and a member of the IoT Penetration Testing team. His background includes audio video systems engineering and US Army Space operations, including SATCOM and other RF communications. He specializes in hardware reverse engineering, firmware analysis, and RF wireless communications with a focus on securing connected devices. Cody is passionate about lifelong learning and dedicated to sharing knowledge with others.

SpeakerBio:  Aaron Wasserman, Senior Security Engineer at Praetorian

Aaron Wasserman is an accomplished IoT penetration tester with a passion for uncovering hardware vulnerabilities. He is a Senior Security Engineer at Praetorian and a member of the IoT Penetration Testing team. Aaron is dedicated to advancing cybersecurity practices and sharing knowledge within the community. He holds both a Master's and a Bachelor’s from Georgia Tech's School of Electrical and Computer Engineering, as well as several offensive security certifications, including the ACIP and OSCP.



TRN - Tuesday - 08:00-16:59 PDT


Title: BRIDGING THE GAP - An Introduction to IoT Security from Serial to Bluetooth
When: Tuesday, Aug 12, 08:00 - 16:59 PDT
Where: LVCCWest - Map

Description:

Dive into the world of hardware hacking with this intensive, hands-on class that bridges the gap between software security and physical hardware. Over the course of two action-packed days, you'll learn to identify and exploit vulnerabilities common in IoT devices, medical equipment, and embedded systems. Starting with hardware basics and circuit board analysis, you'll quickly progress to mastering essential interfaces like UART, SPI, and JTAG. Get hands-on experience with industry software tools while learning to extract firmware, bypass authentication systems, and analyze Bluetooth Low Energy (BLE) implementations. Perfect for security professionals, researchers, and hardware enthusiasts, this course combines real-world case studies with practical exercises using actual devices. You'll leave equipped with a solid foundation in hardware security assessment, understanding common attack vectors, and knowing how to integrate hardware security testing into your product development lifecycle. Bring your curiosity - we'll provide the hardware!

Speakers:Will McCardell,Garrett Freibott,Cody Hein,Aaron Wasserman

SpeakerBio:  Will McCardell, Lead Offensive Security Engineer at Praetorian

Will McCardell is a Lead Offensive Security Engineer at Praetorian and a member of the IoT Penetration Testing team. He has a decade of software engineering and offensive security experience as well as a deep passion for hardware testing.

SpeakerBio:  Garrett Freibott, Senior Security Engineer at Praetorian

Garrett Freibott is a Senior Security Engineer at Praetorian and a member of the IoT Penetration Testing team. He has experience in open-source software development, application penetration testing, and enterprise software security. Garrett has a B.S. in Computer Science from Arizona State University and the OSCP.

SpeakerBio:  Cody Hein, Senior Security Engineer at Praetorian

Cody Hein is a Senior Security Engineer at Praetorian and a member of the IoT Penetration Testing team. His background includes audio video systems engineering and US Army Space operations, including SATCOM and other RF communications. He specializes in hardware reverse engineering, firmware analysis, and RF wireless communications with a focus on securing connected devices. Cody is passionate about lifelong learning and dedicated to sharing knowledge with others.

SpeakerBio:  Aaron Wasserman, Senior Security Engineer at Praetorian

Aaron Wasserman is an accomplished IoT penetration tester with a passion for uncovering hardware vulnerabilities. He is a Senior Security Engineer at Praetorian and a member of the IoT Penetration Testing team. Aaron is dedicated to advancing cybersecurity practices and sharing knowledge within the community. He holds both a Master's and a Bachelor’s from Georgia Tech's School of Electrical and Computer Engineering, as well as several offensive security certifications, including the ACIP and OSCP.



PAYV - Friday - 11:00-11:59 PDT


Title: BT hacking
When: Friday, Aug 8, 11:00 - 11:59 PDT
Where: LVCCWest-Level1-Hall2-W505 - Map

Description:
SpeakerBio:  Dan Bongiorno
No BIO available


DCT - Friday - 17:00-17:45 PDT


Title: Building a Malware Museum
When: Friday, Aug 8, 17:00 - 17:45 PDT
Where: LVCCWest-Level1-Hall3-Track 5 - Map

Description:

Culture isn’t just found in galleries or libraries - it lives in code, on screens, and sometimes, in the viruses that once infected our machines. Building a Malware Museum tells the story behind creating the world’s first online Malware Museum and its evolution into the Museum of Malware Art in Helsinki.

Only we can save the culture of our time. And our culture is digital. Preserving digital culture is hard: Software rots. Hardware vanishes. File formats die. And some digital artifacts - like computer viruses - were never meant to survive.

Mikko Hypponen has been archiving malware since 1991, originally for research - but today, this collection also holds cultural value. These digital fossils now offer a glimpse into a forgotten world of underground creativity, early hacking culture, and unintended digital aesthetics. Thanks to modern emulation techniques, it’s now possible to safely relive how those early viruses looked, sounded, and behaved.

In November 2024, Mikko opened the world's first Museum of Malware Art, in Helsinki. This art museum features modern art commissioned from artists around the world, all inspired by malware or cyber attacks.

This is a journey through preservation, nostalgia, and the art of archiving what was never meant to last. Because even malware is part of our history.

SpeakerBio:  Mikko Hypponen

Mikko Hypponen is a global security expert who has been working in malware research since 1991. He is currently the Chief Research Officer at WithSecure, a Helsinki-based security company. Mikko has published his research in The New York Times, Wired, and Scientific American. He has lectured at Oxford, Harvard, and MIT. Mr. Hypponen's research team was the first to locate, analyze, and develop protection against the ILOVEYOU email worm - the largest malware outbreak in history. Mikko is also the curator for The Malware Museum at The Internet Archive and for The Museum of Malware Art in Helsinki.



ASV - Friday - 16:30-16:59 PDT


Title: Burning, trashing, spacecraft crashing: a collection of vulnerabilities that will end your space mission
When: Friday, Aug 8, 16:30 - 16:59 PDT
Where: LVCCWest-Level2-W228 - Map

Description:

The frequency of space missions has been increasing in recent years, raising concerns about security breaches and satellite cyber threats. Each space mission relies on highly specialized hardware and software components that communicate through dedicated protocols and standards developed for mission-specific purposes. Numerous potential failure points exist across both the space and ground segments, any of which could compromise mission integrity. Given the critical role that space-based infrastructure plays in modern society, every component involved in space missions should be recognized as part of critical infrastructure and afforded the highest level of security consideration.

This briefing highlights a subset of vulnerabilities that we identified within the last couple of years across both ground-based systems and onboard spacecraft software. We will provide an in-depth analysis of our findings, demonstrating the impact of these vulnerabilities by showing our PoC exploits in action—including their potential to grant unauthorized control over targeted spacecraft. Additionally, we will show demonstrations of the exploitation process, illustrating the real-world implications of these security flaws.

Speakers:Andrzej Olchawa,Milenko Starcik,Ayman Boulaich,Ricardo Fradique

SpeakerBio:  Andrzej Olchawa, VisionSpace Technologies
No BIO available
SpeakerBio:  Milenko Starcik, VisionSpace Technologies
No BIO available
SpeakerBio:  Ayman Boulaich

Ayman Boulaich is a cybersecurity researcher specializing in vulnerabilities within aerospace systems. He has contributed to identifying critical security issues in NASA's open-source software frameworks, such as Core Flight System (cFS) and CryptoLib.

SpeakerBio:  Ricardo Fradique, Cybersecurity Engineer at VisionSpace Technologies GmbH

Ricardo Fradique is a Cybersecurity Engineer at VisionSpace Technologies GmbH, with a focus on Offensive Security and Vulnerability Research. He has been credited in several CVEs and is a regular CTF player.



DL - Friday - 11:00-11:45 PDT


Title: C4 - Cross Compatible Command and Control
When: Friday, Aug 8, 11:00 - 11:45 PDT
Where: LVCCWest-Level2-W210 - Map

Description:

Let’s face it — traditional HTTP C2 is burning out. Between aging domains, TLS cert management, sandbox fingerprinting, and blue teams getting smarter at categorizing traffic and infrastructure, your custom C2 feels less covert and more like a liability. Red teams and threat actors alike are shifting toward living off legitimate services — AWS, GitHub, Box, Notion, whatever blends in — but building solutions that are custom to a single C2 framework? Let’s stop doing that. Let’s share the fun! C4 (Cross-Compatible Command & Control) is here to change that. It’s a modular toolkit of WASM-powered plugins that makes external C2 easy to implement, regardless of your implant's language or target OS. Whether you’re writing in C, Rust, Go, Python, C#, or something else entirely, C4 plugins can be loaded directly into your implant and run on Windows, macOS, or Linux. But the real game-changer? C4 provides a single, centralized collection of over 10 fully-documented, operationally-ready external C2 modules — not just proof-of-concepts, but production-level integrations with trusted sites that fly under the radar. No more hunting through GitHub repos, hand-rolling fragile API calls, or hacking together glue code for every new environment. Stop reinventing external C2 and start planting some C4 in your implants!

SpeakerBio:  Scott "ScottCTaylor12" Taylor, Senior Red Team Operator at Sony's Global Threat Emulation

Scott Taylor is a Senior Red Team Operator on Sony's Global Threat Emulation team. Scott has previously worked at the MITRE Corporation and T. Rowe Price focused on emulating adversary behaviors. While Scott has been a technical professional for a decade, only the second half was focused on offensive security. He started as a Linux system administration intern where he learned to build before later learning to break. Scott leverages his system administration background in his offensive security career where he passionately researches command and control (C2) infrastructure for red team operations. Open-source publications by Scott include custom C2 channels for popular C2 frameworks, leveraging cloud services for C2, and automating red team infrastructure deployment.



DL - Friday - 11:00-11:45 PDT


Title: Caldera for OT - Oops! All Software
When: Friday, Aug 8, 11:00 - 11:45 PDT
Where: LVCCWest-Level2-W211 - Map

Description:

Dive into the world of Operational Technology (OT) adversary emulation — no racks of hardware required. With Caldera for OT (C4OT) and our new virtual device simulators, you can explore the inner workings of OT network communications from the comfort of your own home lab. The biggest industrial control systems incidents — FrostyGoop, PIPEDREAM, Industroyer — didn’t rely on flashy zero-days to impact physical systems. Instead, they used native OT protocols to send valid messages with malicious intent. Now, with C4OT, you can step into the attacker’s shoes and explore the quirks and capabilities of protocols like Modbus, DNP3, and IEC61850. No hardware? No problem. No experience? Even better. In this session, we’ll show you how to get started with adversary emulation against simulated OT devices, unlocking a hands-on environment to test your attacks, validate your defenses, and gain practical insights into the world of industrial cybersecurity. Whether you’re a defender looking to understand the threats, a researcher diving into OT protocol behavior, or a red-teamer eager to sharpen your skills, C4OT gives you the tools to experiment safely and effectively. Join us to see how C4OT is revolutionizing adversary emulation for OT — one packet at a time.

Speakers:Devon Colmer,Tony Webber

SpeakerBio:  Devon Colmer

Devon serves as the lead for Caldera for operational technology (OT) within MITRE’s Critical Infrastructure Protection Innovation Center (CIPIC). He specializes in OT adversary emulation and detection engineering, leading the development of OT plugins for MITRE’s Caldera platform. Beyond Caldera, he is researching a common data model for OT protocols to lower the barrier of entry for OT network defenders.

SpeakerBio:  Tony Webber

Tony is the lead for counter measures for operational technology in MITRE’s Critical Infrastructure Protection Innovation Center (CIPIC). His work has spanned systems engineering, solution prototyping, capabilities development, and deployment of cybersecurity and cyber situational awareness solutions for defending industrial control systems. His current focus is adversary emulation for ICS and space systems.



PAYV - Friday - 10:30-10:59 PDT


Title: Card testing workshop
When: Friday, Aug 8, 10:30 - 10:59 PDT
Where: LVCCWest-Level1-Hall2-W505 - Map

Description:
SpeakerBio:  Vince Sloan
No BIO available


PAYV - Friday - 11:00-11:59 PDT


Title: Carding is Dead, Long Live Carding: How MaaS is fueling NFC relay attacks
When: Friday, Aug 8, 11:00 - 11:59 PDT
Where: LVCCWest-Level2-W228 - Map

Description:

The payment fraud landscape is experiencing a resurgence of 'carding' through sophisticated Near Field Communication (NFC) relay attacks, which combine social engineering and custom mobile malware to bypass contactless payment security measures, enabling unauthorized transactions. A critical emerging trend is the proliferation of Malware-as-a-Service (MaaS) platforms, primarily operated by Chinese-speaking threat actors, who develop and distribute advanced NFC relay capabilities as turn-key solutions to global affiliates, facilitating complex card-present fraud schemes on an unprecedented scale and leading to arrests in the U.S. and EU. This MaaS operational model, featuring affiliate networks and advanced tools, signifies a critical evolution in financial threats, alarming global financial institutions and necessitating urgent adaptation of fraud prevention strategies. The discussion will explore MaaS operations, presenting key findings from the Supercard X analysis, including its technical capabilities, and examining the implications for the payment industry, with mitigation strategies and actionable intelligence such as actor communications and distinct Tactics, Techniques, and Procedures (TTPs) being shared. Furthermore, the talk will reveal how developers of well-known Android banking trojans are integrating NFC relay functionalities to enhance their cash-out techniques, providing attendees with a deep dive into NFC Relay MaaS, exclusive threat intelligence, and an understanding of the evolving fraud landscape, including the operational models, tools, and TTPs employed by modern NFC Relay MaaS platforms, as well as the systemic risks posed to global financial institutions and the urgent need for adaptive security postures.

Speakers:Federico Valentini,Alessandro Strino

SpeakerBio:  Federico Valentini, Cleafy

Federico Valentini is passionate about technologies in general and has a deep interest in cybersecurity, particularly Penetration Testing, Malware Analysis, and Social Engineering techniques. He's currently leading the Threat Intelligence Team and Incident Response at Cleafy. He oversees all the activities related to monitoring and uncovering new threats and attack patterns that malicious actors use. He has spoken at HackInBO 2022, Botconf 2023, Cert-EU 2023, BSides Cyprus 2023, FS-ISAC 2024, Botconf 2025, and other private events managed by CertFIN in the Italian territory.

SpeakerBio:  Alessandro Strino, Senior Malware Analyst at Cleafy

Alessandro Strino has a solid background in Penetration testing and modern malware analysis. His main research topics are binaries and computer forensics. Nevertheless, he is passionate about binary exploitation, reverse engineering, and privilege escalation techniques. He now works as a senior malware analyst at Cleafy. He has spoken at Botconf 2023, Cert-EU 2023, BSides Cyprus 2023, FS-ISAC 2024, and Botconf 2025.



CRE - Friday - 10:00-17:59 PDT


Title: Career Fair: Interview Tips and Referral
When: Friday, Aug 8, 10:00 - 17:59 PDT
Where: LVCCWest-Level1-Hall4-Communities-C104 - Map

Description:

Join us on Day 1 of DEFCON for an insightful session on mastering interview techniques and leveraging referrals in the cybersecurity industry. Learn from experts about the best practices to ace your interviews and how to effectively network to get those valuable referrals.

Speakers:Krity Kharbanda,Aastha Sahni

SpeakerBio:  Krity Kharbanda, Senior Application Security Engineer at ServiceNow

Krity is currently working as Senior Application Security Engineer at ServiceNow.

SpeakerBio:  Aastha Sahni, Security Analyst II at Microsoft

Aastha is currently working as Security Analyst II at Microsoft.



DCT - Friday - 12:30-13:15 PDT


Title: Cash, Drugs, and Guns: Why Your Safes Aren't Safe
When: Friday, Aug 8, 12:30 - 13:15 PDT
Where: LVCCWest-Level1-Hall3-Track 4 - Map

Description:

When Liberty Safe was found to have provided safe unlock codes to authorities, it made us wonder: how was it even possible for Liberty to do this? Our talk will cover the vulnerabilities we found and journey into the various families of locks made by SecuRam, the OEM of safe locks used by Liberty Safe and other safe vendors. Our exploration began with an “analog” lock from Liberty Safe but quickly expanded to SecuRam’s “digital” lock lines, where we found a debug port that allowed access to all firmware and data. Through this, we discovered that codes are stored on the externally accessible keypad, rather than securely inside the safe (as well as other issues). These locks, deployed widely in consumer and commercial safes at major retail chains, exhibit vulnerabilities that enable opening them in seconds with a Raspberry Pi. We invite you to our session to see us crack UL-certified High-Security Electronic Locks live!

References:

See our slides for detailed citations.

Speakers:Mark Omo,James Rowley

SpeakerBio:  Mark Omo

Mark Omo is a professional security researcher and engineer, but mostly a fearless leader, a job which he definitely loves way more than actually hacking things. Mark has a background in Consumer and Medical and Aerospace products. He spends his days making PowerPoints and his nights hacking away on embedded hardware.

SpeakerBio:  James Rowley

James Rowley is a professional security researcher and engineer who loves that job so much he does it in most of his free time too. Aside from cracking electronic safe locks, he has years of experience working on embedded security, and helping build better products there; he has presented on those topics at Hardwear.io in the past. He has been hacking and making things since childhood, eventually making it a career. Born, raised, and still living in the Southwest US, he loves exploring and photographing that desert environ almost as much as tearing down products.



DCT - Friday - 11:30-12:15 PDT


Title: ChromeAlone: Transforming a Browser into a C2 Platform
When: Friday, Aug 8, 11:30 - 12:15 PDT
Where: LVCCWest-Level1-Hall3-Track 4 - Map

Description:

A long time ago, browsers were wrappers for HTTP web requests and little else. The modern browser, however, is crammed with so many features that it is practically an operating system. This talk will demonstrate how to (ab)use years of legacy features along with recent additions to Google Chrome to mimic the capabilities of a conventional C2 implant while evading traditional endpoint protection.

We will introduce our new open-source framework "ChromeAlone" which implements features such as proxying raw TCP traffic, phishing for Yubikey USB codes, dumping cookies and credentials, keylogging browser windows, and executing shell commands from Chrome. Our implementation leverages Chrome's built-in features, sideloads malicious components without user interaction, and obfuscates code using WebAssembly to evade detection. This research exposes significant security implications of Chrome's expanding feature set and the challenges of securing modern browsers against abuse.

References:

SpeakerBio:  Michael "bouncyhat" Weber

Michael Weber is a member of the Praetorian Security Labs team where he creates tools to help his fellow consultants not stay up until 2am hunting for material risks. He specializes in Chrome shenanigans, malware development, vulnerability research, and online poker datamining.



MWV - Friday - 16:30-16:59 PDT


Title: ClickFix: The Malware Delivery Technique Enabling Ransomware Affiliates and State-Sponsored APT Operations
When: Friday, Aug 8, 16:30 - 16:59 PDT
Where: LVCCWest-Level1-Hall1-W303 - Map

Description:
SpeakerBio:  Arda Büyükkaya
No BIO available


SEV - Friday - 17:00-17:59 PDT


Title: Cold Calls
When: Friday, Aug 8, 17:00 - 17:59 PDT
Where: LVCCWest-Level3-W317-W319 - Map

Description:

Got nerves of steel? Step into our soundproof booth, grab a mystery target with its number and three challenge tiers, and see if you can nail easy, medium, and hard objectives - first come, first served!



MWV - Friday - 14:30-14:59 PDT


Title: Compromising Threat Actor Communications
When: Friday, Aug 8, 14:30 - 14:59 PDT
Where: LVCCWest-Level1-Hall1-W303 - Map

Description:
SpeakerBio:  Ben "polygonben" Folland

Ben Folland is a Security Operations Analyst at Huntress, where he manages hands-on-keyboard intrusions and dismantles active threats daily. Before that, he worked at one of Accenture’s SOCs, defending UK Critical National Infrastructure, gaining deep experience in high-stakes environments. He's all about DFIR, malware analysis, and threat hunting—and has a knack for exposing adversary tradecraft. Ben's spoken at over 10 conferences (including six BSides), taught SOC workshops at universities, is GIAC GCFA certified, and was a finalist for the UK's national cyber team. Whether it's CTFs or live incidents, Ben thrives on the chase and brings a hacker mindset to everything he does.



CHV - Friday - 16:30-16:59 PDT


Title: Context Aware Anomaly Detection in Automotive CAN Without Decoding
When: Friday, Aug 8, 16:30 - 16:59 PDT
Where: LVCCWest-Level2-W231 - Map

Description:

Modern vehicles operate as real-time cyber-physical systems, where even subtle manipulations on the CAN bus can lead to catastrophic outcomes. Traditional anomaly detectors fall short when malicious actors mimic expected sensor behaviors while altering the vehicle's state contextually. This talk explores how exploiting inter-signal correlations — rather than relying on individual identifiers or decoding — uncovers stealthy attacks. We present a deep sequence-learning approach tailored for raw CAN payloads, focusing on time-aware and context-sensitive detection. No reverse engineering of signal structures. Just patterns, timing, and trust redefined. Live demo included using real-world CAN datasets and emulated environments.

SpeakerBio:  Ravi Rajput
No BIO available


IOTV - Friday - 15:00-15:59 PDT


Title: Contextualizing alerts & logs at scale without queries or LLMs (opensource)
When: Friday, Aug 8, 15:00 - 15:59 PDT
Where: LVCCWest-Level2-W228 - Map

Description:

IoT environments generate massive, noisy streams of logs and alerts—most of which lack the context needed for meaningful detection or response. This talk introduces a novel, LLM-free approach to large-scale alert contextualization that doesn't rely on writing complex queries or integrating heavy ML models. We’ll demonstrate how lightweight, modular correlation logic can automatically enrich logs, infer context, and group related events across sensors, devices, and cloud services. By leveraging time, topology, and behavioral attributes, this method builds causality sequences that explain what happened, where, and why—without human-crafted rules or expensive AI inference. Attendees will walk away with practical techniques and open-source tools for deploying contextualization pipelines in resource-constrained IoT environments. Whether you're defending smart homes, industrial OT networks, or edge devices, you'll learn how to extract insight from noise—fast.

SpeakerBio:  Ezz Tahoun

Ezz Tahoun is an award-winning cybersecurity data scientist recognized globally for his innovations in applying AI to security operations. He has presented at multiple DEFCON villages, including Blue Team, Cloud, Industrial Control Systems (ICS), Adversary, Wall of Sheep, Packet Hacking, Telecom, and Creator Stage, as well as BlackHat Sector, MEA, EU, and GISEC. His groundbreaking work earned him accolades from Yale, Princeton, Northwestern, NATO, Microsoft, and Canada's Communications Security Establishment. At 19, Ezz began his PhD in Computer Science at the University of Waterloo, quickly gaining recognition through 20 influential papers and 15 open-source cybersecurity tools. His professional experience includes leading advanced AI-driven projects for Orange CyberDefense, Forescout, RBC, and Huawei Technologies US. Holding certifications such as aCCISO, CISM, CRISC, GCIH, GSEC, CEH, and GCP-Cloud Architect, Ezz previously served as an adjunct professor in cyber defense and warfare.



DCW - Friday - 14:00-17:59 PDT


Title: Contextualizing alerts with relevant logs and events without queries or LLMs
When: Friday, Aug 8, 14:00 - 17:59 PDT
Where: LVCCNorth-Level2-N252 - Map

Description:

This workshop is for SOC analysts, threat hunters, and defenders dealing with alert fatigue, fragmented telemetry, and the challenge of spotting coordinated attacks. Instead of large language models or costly vendor tools, we’ll use open-source, explainable ML to map alerts, logs, and events into contextualized attack stories.

Attendees will work hands-on with real-world-style data to find root causes, build kill chains, and generate actionable tickets—False Positive, Incident, and Attack Story—that mirror real SOC workflows. We’ll use the Attack Flow Detector tool, which runs in Google Colab—no install needed.

No data science experience required. The class is technical but beginner-friendly, with guided exercises and examples. Basic knowledge of logs and MITRE ATT&CK helps but isn’t required. The focus is on outcomes: understanding what happened, why, and how to respond—without black-box AI or complex queries.

By the end, students will know how to clean noisy data, map alerts to attacker techniques, cluster related events, and build end-to-end attack narratives. All tools and content are open-source, transparent, and ready to use in real environments.

SpeakerBio:  Ezz Tahoun

Ezz Tahoun is an award-winning cybersecurity data scientist recognized globally for his innovations in applying AI to security operations. He has presented at multiple DEFCON villages, including Blue Team, Cloud, Industrial Control Systems (ICS), Adversary, Wall of Sheep, Packet Hacking, Telecom, and Creator Stage, as well as BlackHat Sector, MEA, EU, and GISEC. His groundbreaking work earned him accolades from Yale, Princeton, Northwestern, NATO, Microsoft, and Canada's Communications Security Establishment. At 19, Ezz began his PhD in Computer Science at the University of Waterloo, quickly gaining recognition through 20 influential papers and 15 open-source cybersecurity tools. His professional experience includes leading advanced AI-driven projects for Orange CyberDefense, Forescout, RBC, and Huawei Technologies US. Holding certifications such as aCCISO, CISM, CRISC, GCIH, GSEC, CEH, and GCP-Cloud Architect, Ezz previously served as an adjunct professor in cyber defense and warfare.



DL - Friday - 12:00-12:45 PDT


Title: Copycat - Identity Stealer Extension
When: Friday, Aug 8, 12:00 - 12:45 PDT
Where: LVCCWest-Level2-W208 - Map

Description:

Copycat is a browser extension-based red team toolkit for simulating web-based identity attacks. This tool simulates ten web-based identity attacks through a single browser extension with minimal permissions, operating primarily through hidden windows that execute attacks without user awareness. With Copycat, red teams can simulate complex attack scenarios including silent Gmail and LinkedIn hijacking, credential theft through login and OTP stealing, login page redirection, autofill extraction from enterprise applications, and multiple OAuth manipulation techniques. Copycat runs entirely in-browser with no special hardware requirements. Red teams can use Copycat to demonstrate attack vectors that bypass EDRs, SASE, and other traditional security controls, as these techniques operate within legitimate authenticated sessions rather than breaking them. The tool is fully modifiable, with each module designed for customization to target different services or authentication flows. Source code and documentation will be available for security researchers to extend and improve the framework. Special mention to Pankaj Sharma, Tejeswara S. Reddy, and Arpit Gupta for their contributions in building this toolkit!

Speakers:Dakshitaa Babu,Shourya Pratap Singh

SpeakerBio:  Dakshitaa Babu

Dakshitaa is a security researcher and product evangelist at SquareX, where she leads the security research team. A self-taught cybersecurity researcher mentored by offensive security veteran Vivek Ramachandran, she specializes in web attacks — malicious websites, files, scripts, and extensions capable of bypassing traditional security solutions. Her research directly fuels SquareX's product innovation, ensuring it stays ahead of evolving threats. As a product evangelist, she is the principal author of SquareX's technical collateral. She has contributed to bleeding-edge browser security research presented at BSides SF Adversary Village, Recon Village, and the DEF CON main stage. Her work on email security bypasses, breaking secure web gateways, MV3 extension vulnerabilities, browser syncjacking, polymorphic extensions, and browser-native ransomware has been covered by leading media outlets, including Forbes, TechRadar, Mashable, The Register, Bleeping Computer, and CyberNews.

SpeakerBio:  Shourya Pratap Singh

Shourya Pratap Singh is responsible for building SquareX's security-focused extension and conducts research on countering web security risks. As a rising figure in cybersecurity, Shourya has presented his work on global stages including the DEFCON main stage, Recon Village, and Adversary Village, as well as at Black Hat Arsenal EU. He has also delivered several workshops at prestigious events such as the Texas Cyber Summit. Shourya earned his bachelor's degree from IIIT Bhubaneswar and holds a patent. His professional interests focus on strengthening the security of browser extensions and web applications.



BBV - Friday - 13:30-14:30 PDT


Title: Creator Panel Discussion
When: Friday, Aug 8, 13:30 - 14:30 PDT
Where: LVCCWest-Level3-W326 - Map

Description:
Speakers:Ben "nahamsec" Sadeghipour,Justin "rhynorater" Gardner,Katie "InsiderPhD" Paxton-Fear

SpeakerBio:  Ben "nahamsec" Sadeghipour, Co-Founder & CEO at HackingHub

Ben Sadeghipour, better known as NahamSec, is an ethical hacker, content creator, and keynote speaker. Over his career, Ben has uncovered thousands of security vulnerabilities for major organizations, including Amazon, Apple, Zoom, Meta, Google, and the U.S. Department of Defense. As a top-ranked bug bounty hunter, he is deeply passionate about cybersecurity education, regularly sharing his knowledge through his popular YouTube channel and speaking at major conferences like DEFCON and BSides. Beyond his personal achievements, Ben is committed to building the security community, organizing events that foster collaboration, innovation, and the next generation of offensive security professionals.

SpeakerBio:  Justin "rhynorater" Gardner, Advisor at Caido

I'm a full-time Bug Bounty Hunter and Host of the Critical Thinking - Bug Bounty Podcast. I also work as an Advisor for Caido (HTTP Proxy). When I'm not putting in reports or disseminating technical info on the pod, I'm normally spending time with my wife and 2 daughters, lifting heavy things, playing volleyball, or getting folded in BJJ.

SpeakerBio:  Katie "InsiderPhD" Paxton-Fear, Principal Security Researcher at Traceable by Harness

Dr Katie Paxton-Fear is an API security expert and a Security Advocate at Semgrep. In her words, she used to make applications and now she breaks them. A former API developer turned API hacker, she has found vulnerabilities in organizations ranging from the Department of Defense to Verizon, with simple API vulnerabilities. Dr Katie has been a featured expert in the Wall Street Journal, BBC News, ZDNet, The Daily Swig and more. She shares some of the easy ways hackers can exploit APIs and how they get away without a security alert! Dr Katie regularly delivers security training and security research to some of the largest brands worldwide. She combines easy-to-understand explanations with key technical details that turn security into something everyone can get.



ICSV - Friday - 17:30-17:59 PDT


Title: Crossing the Line: Advanced Techniques to Breach the OT DMZ
When: Friday, Aug 8, 17:30 - 17:59 PDT
Where: LVCCWest-Level2-W233 - Map

Description:

As industrial environments become increasingly interconnected, the OT DMZ stands as a critical yet vulnerable boundary between enterprise IT networks and operational technology. In this talk, we expose the offensive strategies adversaries use to penetrate the OT DMZ and pivot into sensitive control system networks. Drawing from real-world red team operations and threat intelligence, we’ll explore how misconfigured remote access solutions, poorly segmented architectures, and legacy services create exploitable pathways into industrial environments. Attendees will gain insight into tradecraft used to move from enterprise footholds into OT networks, including techniques for identifying and abusing jump hosts, proxy services, Citrix gateways, and RDP relays. We’ll demonstrate practical TTPs for lateral movement, credential access, and evasion within the DMZ layer—highlighting how assumptions about segmentation often fall short in practice. Finally, we’ll discuss defensive takeaways to help asset owners detect and mitigate these threats before they escalate. This presentation is aimed at offensive security professionals, defenders, and industrial security leaders seeking to understand how the OT perimeter is being targeted—and how to better protect it.

SpeakerBio:  Christopher Nourrie, SCE

Christopher Nourrie is a threat hunter at Southern California Edison (SCE). He specializes in IT and OT threat hunting while supporting the Red Team program. With over 11 years of experience in offensive security, his expertise includes penetration testing, network security assessments, and adversary emulation. Before joining SCE, Chris was a Principal Penetration Tester at Dragos, Inc., concentrating on red teaming and penetration testing within industrial environments. He also served as an Exploitation Analyst at the National Security Agency (NSA) within the Tailored Access Operations (TAO) division under U.S. Cyber Command, supporting offensive cyber operations. His expertise encompasses open-source intelligence (OSINT), network reconnaissance, and advanced attack methodologies. Chris also played a pivotal role in cybersecurity education, teaching advanced adversary tactics at the NSA’s National Cryptologic School. He is the author of Pentesting Industrial Networks and delivers an OT penetration testing course that helps security professionals strengthen their industrial cybersecurity defenses. Chris is a dedicated researcher who studies advanced threat actor tactics, techniques, and procedures (TTPs) targeting enterprise and industrial environments. He continuously integrates emerging insights into his tradecraft, refining methodologies to stay ahead of evolving cyber threats. His contributions to the field help organizations bolster their security posture against sophisticated adversaries.



CPV - Friday - 10:00-10:05 PDT


Title: Crypto Privacy Village: Welcome
When: Friday, Aug 8, 10:00 - 10:05 PDT
Where: LVCCWest-Level1-Hall1-W403 - Map

Description:
SpeakerBio:  Crypto Privacy Village Staff
No BIO available


CRE - Friday - 11:00-11:59 PDT


Title: Cryptocurrency Opening Keynote
When: Friday, Aug 8, 11:00 - 11:59 PDT
Where: LVCCWest-Level1-Hall4-Communities-C105 - Map

Description:

Join your fellow hackers managing the Cryptocurrency areas of Defcon, and get a sneak peek of what each workshop teaches as well as an overview of the showcases and programs happening in our Defcon Community, Contest, and Vendor areas. Chad and Param will report on cryptocurrency trends and perspectives from their distinguished positions in industry and academia. We will announce the teams competing in the Cryptocurrency Cyber Challenge, and give an overview of what's available in the vending area. Meet the organizers of years of cryptocurrency content at Defcon and bring your questions to the Community Stage!

Speakers:Michael "MSvB" Schloh von Bennewitz,Chad Calease,Param D Pithadia

SpeakerBio:  Michael "MSvB" Schloh von Bennewitz, Chairman, Monero Devices

Michael Schloh von Bennewitz (MSvB) is a computer scientist specializing in cryptosecure electronics and embedded development. He is the founder of Monero Devices and responsible for research, development, and maintenance of Opensource software repositories. A prolific speaker in four languages, Michael presents at technical meetings every year.

SpeakerBio:  Chad Calease, Kraken

Chad Calease designs for failure—on purpose. At Kraken, he hovers where crypto, resilience engineering, and human behavior collide. A systems thinker with instincts that cultivate resilience, Chad champions the Kraken value of being “Productively Paranoid”—as both a design principle and a survival trait. His work challenges us to outpace risk, interrogate ease, and own our exposures before they own us—by building with the assumption that failure isn’t an if, but a when.

SpeakerBio:  Param D Pithadia, Georgia Institute of Technology

Param is an Electrical Engineering Student from Georgia Tech with a strong passion for and interest in crypto. Although he primarily got interested in cryptography and hardware security through a class at Georgia Tech, he is also working at a software company on crypto adoption and ease of use. With a unique blend of HW and SW skills, Param is truly enthusiastic about all aspects of crypto.



MWV - Friday - 11:20-11:50 PDT


Title: Cryptography is hard: Breaking the DoNex ransomware
When: Friday, Aug 8, 11:20 - 11:50 PDT
Where: LVCCWest-Level1-Hall1-W303 - Map

Description:
SpeakerBio:  Gijs Rijnders
No BIO available


DL - Friday - 13:00-13:45 PDT


Title: Cryptosploit
When: Friday, Aug 8, 13:00 - 13:45 PDT
Where: LVCCWest-Level2-W208 - Map

Description:

In 2022 a framework and tool for cryptographic attacks called Cryptosploit was introduced. In this workshop we will demo the capabilities and the underlying philosophy as well as new commands. This will include the flexibility of mixing and matching attack code with oracles and new commands to import and export cryptographic keys. In particular, we will demonstrate how after a successful attack on a public key, we will be able to export the private key corresponding to the certificate. The presentation will conclude with thoughts on improvements.

SpeakerBio:  Matt Cheung

Matt Cheung started developing his interest in cryptography during an internship in 2011. He worked on implementation of a secure multi-party protocol by adding elliptic curve support to an existing secure text pattern matching protocol. Implementation weaknesses were not a priority and this concerned Matt. This concern prompted him to learn about cryptographic attacks from Dan Boneh's crypto 1 course offered on Coursera and the Matasano/cryptopals challenges. From this experience he has given workshops at the Boston Application Security Conference, BSidesLV, DEF CON, and the Crypto and Privacy Village. He now serves on the programming committee of the Crypto and Privacy Village.



RTV - Friday - 08:30-09:59 PDT


Title: Cyber Wargames: King of the Hill
When: Friday, Aug 8, 08:30 - 09:59 PDT
Where: Other / See Description

Description:

Contestants will access a virtual environment with dynamic challenges that need to be exploited and contested. Individuals gain points for each system they are able to plant and maintain their flag on.



RTV - Friday - 15:00-16:59 PDT


Title: Cyber Wargames: Redteam Rumble
When: Friday, Aug 8, 15:00 - 16:59 PDT
Where: LVCCWest-Level1-Hall1-W306 - Map

Description:

Redteam Rumble was piloted with a single competition at DEFCON 32 with great success, and we're thrilled to bring it back for DefCon 33! This event is designed with more advanced competitors in mind, and is not for the faint of heart!

Teams will defend their "Castle," a virtual environment comprising several systems and services (both Windows and Linux systems may be included). Each castle has exposed services and exploitable vulnerabilities, along with a few hidden extras.

This event is a free-for-all between 4 teams competing against each other to gain points by controlling services and flags within their own, and each opponent's, infrastructure. That means your team will have to balance defending your own systems, while simultaneously hunting for vulnerabilities that can be exploited to control other teams' systems.

Each event will consist of 4 teams competing in a free-for-all for 2 hours. Pre-registration is required.



RTV - Friday - 09:00-14:59 PDT


Title: Cyber Wargames: Strategic Operations
When: Friday, Aug 8, 09:00 - 14:59 PDT
Where: LVCCWest-Level1-Hall1-W305 - Map

Description:

Strategic Operations will feature two teams going head to head in a classic offense vs defense battle. The defensive team gains points by successfully providing mission critical services during a short scoring window, while offensive teams will gain points by performing targeted service interruptions and data manipulation.

Each event will consist of 2 teams competing in an attacker vs defender battle for anywhere from 30 - 90 minutes. Pre-registration is recommended, but not required.

One of our goals with Strategic Operations is to provide a fun and engaging experience for attendees that discover us on the competition floor, without requiring prior registration. We will do our best to accommodate walk-in participants when possible!



PGE - Friday - 16:00-16:30 PDT


Title: Cybersecurity in Latin America: The Untold Stories of Resilience & Innovation
When: Friday, Aug 8, 16:00 - 16:30 PDT
Where: LVCCWest-Level1-Hall4-Communities-C105 - Map

Description:

Latin America faces a perfect storm of cyber threats—sophisticated criminal networks, underfunded defenses, and systemic vulnerabilities. Yet, within this chaos lies an untold narrative of adaptation, recursion, and community-driven resilience.

SpeakerBio:  Giovanni Cruz Forero, COO at 7 Way Security

A cybersecurity professional with 20 years of experience in the sector, he seeks to share what he has learned. He currently works as COO of 7 Way Security and is an organizer of BSides Colombia, La Villa and other spaces for building collective knowledge.



PGE - Friday - 06:00-10:59 PDT


Title: Cycle Override
When: Friday, Aug 8, 06:00 - 10:59 PDT
Where: Other / See Description

Description:

At 6am on Friday, the @cycle_override crew will be hosting the 14th Defcon Bikeride. We'll meet at a local bikeshop, get some rental bicycles, and about 7am will make the ride out to Red Rocks. It's about a 15 mile ride, all downhill on the return journey. So, if you are crazy enough to join us, get some water, and head over to cycleoverride.org for more info. See you at 6am Friday!



PLV - Friday - 11:45-12:30 PDT


Title: Dark Capabilities: When Tech Companies Become Threat Actors
When: Friday, Aug 8, 11:45 - 12:30 PDT
Where: LVCCWest-Level2-W231 - Map

Description:
Speakers:Tom Cross,Greg Conti

SpeakerBio:  Tom Cross

Tom Cross is an entrepreneur and technology leader with three decades of experience in the hacker community. Tom attended the first DefCon in 1993 and he ran bulletin board systems and listservs in the early 1990s that served the hacker community in the southeastern United States. He is currently an independent security consultant, Principal at Kopidion, and creator of FeedSeer, a news reader for Mastodon. Previously he was CoFounder and CTO of Drawbridge Networks, Director of Security Research at Lancope, and Manager of the IBM Internet Security Systems X-Force Advanced Research team. He has written papers on collateral damage in cyber conflict, vulnerability disclosure ethics, security issues in internet routers, encrypting open wireless networks, and protecting Wikipedia from vandalism. He has spoken at numerous security conferences, including Black Hat Briefings, Defcon, CyCon, HOPE, Source Boston, FIRST, and Security B-Sides. He has a B.S. in Computer Engineering from the Georgia Institute of Technology. He can be found on LinkedIn as https://www.linkedin.com/in/tom-cross-71455/, and on Mastodon as https://ioc.exchange/@decius.

SpeakerBio:  Greg Conti, Co-Founder and Principal at Kopidion

Greg Conti is a hacker, maker, and computer scientist. He is a nine-time DEF CON speaker, a seven-time Black Hat speaker, and has been a Black Hat Trainer for 10 years. He’s taught Adversarial Thinking techniques at West Point, Stanford University bootcamps, NSA/U.S. Cyber Command, and for private clients in the financial and cybersecurity sectors. Greg is Co-Founder and Principal at Kopidion, a cyber security training and professional services firm.

Formerly he served on the West Point faculty for 16 years, where he led their cybersecurity research and education programs. During his U.S. Army and Military Intelligence career he co-created U.S. Cyber Command’s Joint Advanced Cyberwarfare Course, deployed to Iraq as Officer-in-Charge of U.S. Cyber Command’s Expeditionary Cyber Support Element, and was the first Director of the Army Cyber Institute.

Greg is co-author of On Cyber: Towards an Operational Art for Cyber Operations, and approximately 100 articles and papers covering hacking, online privacy, usable security, cyber conflict, and security visualization. Greg holds a B.S. from West Point, an M.S. from Johns Hopkins University, and a Ph.D. from the Georgia Institute of Technology, all in computer science. His work may be found at gregconti.com (https://www.gregconti.com/), kopidion.com (https://www.kopidion.com/) and LinkedIn (https://www.linkedin.com/in/greg-conti-7a8521/).



DCT - Friday - 10:30-11:15 PDT


Title: DC101 Panel
When: Friday, Aug 8, 10:30 - 11:15 PDT
Where: LVCCWest-Level1-Hall3-Track 1 - Map

Description:


PGE - Friday - 20:00-22:59 PDT


Title: DC404/DC678/DC770/DC470 (Atlanta Metro) Meetup
When: Friday, Aug 8, 20:00 - 22:59 PDT
Where: LVCCWest-Level2-W210 - Map

Description:

They say Atlanta is the city too busy to hate, but it also has too much traffic for its widespread hacker fam to get together in a single meetup. So instead, we're meeting up in the desert during DEF CON! The one time of year when intown, northern burbs, south siders, and anyone else connected to DC404's 25+ year legacy can catch up and share stories. Join us and meet your fellow ATL hackers!



DDV - Friday - 10:00-16:59 PDT


Title: DDV open and accepting drives for duplication
When: Friday, Aug 8, 10:00 - 16:59 PDT
Where: LVCCWest-Level2-W225 - Map

Description:
We reopen at 10:00am and accept more drives until we reach capacity (usually late Friday or early Saturday). Then we copy and copy and copy all the things until we just can't copy any more - first come, first served. Don't forget - some require 8TB drives now. We run around the clock until we run out of time on Sunday morning with the last possible pickup being before 11:00am on Sunday.


DCT - Friday - 13:30-14:15 PDT


Title: Dead Made Alive Again: Bypassing Intent Destination Checks and Reintroducing LaunchAnyWhere Privilege Escalation
When: Friday, Aug 8, 13:30 - 14:15 PDT
Where: LVCCWest-Level1-Hall3-Track 4 - Map

Description:

The LaunchAnywhere vulnerability has long been a significant concern in Android security, allowing unprivileged applications to invoke protected activities, even with system-level privileges, and has been actively exploited in the wild in the past.

In response, Google and device vendors have implemented patches, primarily by introducing destination component checks within privileged code before launching Intents. These fixes appeared to have mitigated such risks—at least on the surface. But has the threat truly been eliminated?

In this session, we demonstrate that these defenses remain insufficient. We introduce a new exploitation technique, BadResolve, which bypasses these checks through multiple methods, enabling a zero-permission app to achieve LaunchAnywhere once again. We reveal high-severity vulnerabilities that affect all Android versions, including the latest Android 16 (at time of writing), which have been confirmed and patched by Google. Dead, made alive again—we show how the LaunchAnywhere vulnerability has been reborn. In addition to presenting new exploitation techniques, we tackle the challenge of efficiently and accurately identifying methods in the vast codebases of AOSP and vendor-specific closed-source implementations that could be exploited by BadResolve, using LLM Agents and MCP.

References:

SpeakerBio:  Qidan "flanker_hqd" He

Qidan He (a.k.a. Edward Flanker, CISSP) is the winner of multiple Pwn2Own championships and a Pwnie Award. He is now the Director & Chief Security Researcher at Dawn Security Lab, JD.com. He has spoken at conferences like Black Hat, DEFCON, RECON, CanSecWest, MOSEC, HITB, PoC, etc. He is also a committee member and judge of GeekPwn & GeekCon.



MISC - Friday - 06:00-07:59 PDT


Title: Defcon.run
When: Friday, Aug 8, 06:00 - 07:59 PDT
Where: LVCCWest-Level1-North Lobby - Map

Description:

Defcon.run is a beloved tradition at DEF CON, bringing together hackers for a refreshing start to the day. Originally known as the DEF CON 4x5K, the event has evolved into a distributed, community-driven experience featuring fun runs and rucks across Las Vegas. Participants can choose from various routes, ranging from simple 5Ks to more ambitious distances.

For DEF CON 33, the gathering point is "The Spot" by the North Entrance of the Las Vegas Convention Center West Hall. Here, the real wild hares gather before the sun has a chance to burn up this city of sin. The runs kick off at 06:00 Thursday through Sunday! But be there early for hype talks and shenanigans. We also have a whole new Meshtastic setup and website features we're adding. There are other runs, swag drops, and social meetups planned throughout the day and night as well!

Whether you're a seasoned runner or looking for something different, defcon.run offers a unique way to connect with other hackers and kick off your day. For more details and to sign up, visit defcon.run.



BHV - Friday - 13:45-14:30 PDT


Title: Digital Casualties: Documenting Cyber-Induced Patient Harm in Modern Healthcare
When: Friday, Aug 8, 13:45 - 14:30 PDT
Where: LVCCWest-Level2-W232 - Map

Description:

As healthcare systems become increasingly digitized, cyber incidents like ransomware attacks and EHR outages are no longer just IT problems—they're potential contributors to patient harm and mortality. This expert panel explores the groundbreaking proposal to adapt disaster-related death certification frameworks to document cyber incidents as secondary causes of death. Bringing together expertise in cybersecurity governance, healthcare economics, investigative journalism, and clinical practice, panelists will examine the policy implications, implementation challenges, and public health benefits of standardizing how we document and track cyber-induced patient harm.

Speakers:Jorge Acevedo Canabal,Scott Shackleford,Joseph Davis

SpeakerBio:  Jorge Acevedo Canabal

Dr. Jorge Acevedo Canabal is a physician and cybersecurity researcher focused on digital threats to patient safety. He helped lead Puerto Rico’s post-Maria disaster death certification training and now proposes attributing cyberattacks as a cause of death in modern healthcare.

Joseph has 30+ years of experience in security, privacy, risk, and compliance for Fortune 500 companies. As a Customer Security Officer at Microsoft, he advises US Health and Life Sciences customers on cybersecurity, data privacy, risk management, and information compliance.

SpeakerBio:  Scott Shackleford
No BIO available
SpeakerBio:  Joseph Davis
No BIO available


DCT - Friday - 14:00-14:45 PDT


Title: DisguiseDelimit: Exploiting Synology NAS with Delimiters and Novel Tricks
When: Friday, Aug 8, 14:00 - 14:45 PDT
Where: LVCCWest-Level1-Hall3-Track 2 - Map

Description:

Network Attached Storage (NAS) devices are indispensable in many corporate and home environments. These devices often live on the network edge, providing convenient remote access to confidential files and internal networks from the public internet. What happens when this goes terribly wrong?

In this presentation, I’ll discuss how I developed a zero-day exploit targeting dozens of Synology NAS products. At the time of discovery, the exploit facilitated unauthenticated root-level remote code execution on millions of NAS devices in the default configuration. My exploitation strategy centered around smuggling different types of delimiters that targeted multiple software components.

In the past, exploitation of the vulnerability’s bug class demanded additional primitives that weren’t available on my targets. While searching for alternative paths, I discovered a novel remote Linux exploitation technique. I’ll be presenting this technique, which can be used in other researchers’ exploit chains in the future. For the first time in public, I’ll also be discussing the details of my Synology vulnerability research, which won a $40,000 prize at the October 2024 Pwn2Own competition.

References:

I referenced these previous Synology offensive publications during my research:

SpeakerBio:  Ryan Emmons

Ryan Emmons is a Security Researcher on the Emergent Threat Response team at Rapid7. His work centers around n-day analysis of new vulnerabilities and zero-day research, primarily focused on network edge devices. Ryan enjoys attacking hardened targets and finding interesting bugs. He has disclosed vulnerabilities to major vendors like Oracle and Microsoft, and he recently competed at the 2024 Pwn2Own Ireland competition, where he won a $40,000 prize. In addition to vulnerability research, Ryan likes to participate in CTF competitions and compose music.



DCW - Friday - 14:00-17:59 PDT


Title: Dive into Windows Library Loading
When: Friday, Aug 8, 14:00 - 17:59 PDT
Where: LVCCNorth-Level2-N258 - Map

Description:

DLL loading is one of the most important parts of the Windows system. When you install, run, use, or hack a system, you will always use DLLs. This DLL mechanism has been exploited for several years for malware development through several techniques: DLL injection, Reflective DLL. But do you really know how Windows loads a DLL? The sections used, the internal structures, and how the dependencies are resolved? Are you able to design your own Perfect DLL Loader that fully integrates with the WIN32API? In this workshop, you will dive into the Windows DLL mechanism to understand how all of it works internally. With a decompiler, trial and error, step by step, you will build your own (almost) Perfect DLL loader. You will try to load from the simple AMSI.DLL to the most complex WINHTTP.DLL. At each step, you will dive deeper into the Windows Internals. Malware developers, you will be able to use this code as a PE loader that never failed me for the last years and a DLL loader that does not raise the LoadImage kernel callback you can use on your own C2 beacon. WARNING: while this is a Windows internals DISCOVERY course, it is still a HIGHLY TECHNICAL workshop. You should have some entry-level knowledge of Windows systems, C programming and reverse engineering to fully enjoy the workshop.

SpeakerBio:  Yoann "OtterHacker" DEQUEKER, RedTeam Leader at Wavestone

Yoann Dequeker (@OtterHacker) is a red team operator at Wavestone holding OSCP and CRTO certifications. Aside from his RedTeam engagements and his contributions to public projects such as Impacket, he spends time working on malware development to ease beacon deployment and EDR bypass during engagements and is currently developing a fully custom C2.

His research has led him to present his results at several conferences such as LeHack (Paris), Insomni'hack, BlackAlps (Switzerland) or even through a 4-hour malware workshop at Defcon31 and Defcon32 (Las Vegas). Throughout the year, he publishes several white papers on the techniques he discovered or upgraded and the vulnerabilities he found in public products.



MWV - Friday - 17:50-18:20 PDT


Title: Domain Fronting in 2025: a retro analysis
When: Friday, Aug 8, 17:50 - 18:20 PDT
Where: LVCCWest-Level1-Hall1-W303 - Map

Description:
SpeakerBio:  Tom Cope
No BIO available


RTV - Friday - 12:00-12:50 PDT


Title: Don't be LLaMe - The basics of attacking LLMs in your Red Team exercises
When: Friday, Aug 8, 12:00 - 12:50 PDT
Where: LVCCWest-Level1-Hall1-W405-Red Team Village/LVCC-L1-EHW1-405-Track 2 - Map

Description:

While there is increasing content on attacking LLMs hitting the Internet (and at DEFCON), much of it is focused on attacking LLMs from more of a penetration-test perspective without putting the attacks into the broader context of a Red Team operation. As with any technology that we encounter in a network during a Red Team exercise, we should be familiar with how to use it to achieve goals like lateral movement or privilege escalation. Like it or not, in the near future that will increasingly include LLM-based applications and agents.

This session aims to close that gap. The speakers will start with some entry-level theory on how LLMs function under the hood. No math experience? No problem. We're going to keep things at a nice, high level with special focus on the core functionality of LLMs that enables attacks.

After addressing the theory, the speakers will shift to real-world attacks on LLMs drawn from our operations. This will take two forms: strategies to break LLMs through direct and indirect prompt injection, and ways to take a successful prompt injection and turn it into progress toward your Red Team objectives like enumeration, lateral movement, privilege escalation, or execution.

With the groundwork laid, the workshop will close with a hands-on, multi-level CTF for participants to try some of the direct and indirect prompt injection strategies discussed in the workshop.

Detailed Agenda:

  1. Introductions (2 mins)
  2. Theory:
     a. Neural Networks (10 mins)
     b. LLMs (10 mins)
  3. Attack Strategies (15 mins)
     a. Direct prompt injection strategies + war stories
     b. Indirect prompt injection strategies + war stories
  4. Hands-on CTF (20 mins)
  5. Q&A (remainder)

Speakers:Alex Bernier,Brent Harrell

SpeakerBio:  Alex Bernier

I love breaking applications and AI systems!

SpeakerBio:  Brent Harrell

Brent is the author of the Red Team Capability Maturity Model and has led and created Red Teams at multiple organizations. He's now on the consulting side of Red Teaming and is one of the initial members of the company's new AI Red Team focused on LLM-based applications. With a background in traditional AD operations, though, much of his focus of late has been on bridging the gap between attacking LLMs directly and using them as part of greater operations.



DL - Friday - 12:00-12:45 PDT


Title: DVBE - Damn Vulnerable Browser Extension
When: Friday, Aug 8, 12:00 - 12:45 PDT
Where: LVCCWest-Level2-W209 - Map

Description:

In the continuously evolving world of browser extensions, security remains a big concern. As the demand for feature-rich extensions increases, priority is given to functionality over robustness, which makes way for vulnerabilities that can be exploited by malicious actors. The danger increases even more for organizations handling sensitive data like banking details, PII, confidential org reports, etc. Damn Vulnerable Browser Extension (DVBE) is an open-source vulnerable browser extension, designed to shed light on the importance of writing secure browser extensions and to educate developers and security professionals about the vulnerabilities and misconfigurations that are found in browser extensions, how they are found, and how they impact business. This built-to-be-vulnerable extension can be used to learn, train, and exploit browser extension-related vulnerabilities.

SpeakerBio:  Abhinav Khanna

Abhinav is an information security professional with 6+ years of experience. Having worked at organisations like S&P Global and NotSoSecure, his area of expertise lies in web appsec, mobile appsec, API security, and browser extension security. He has spoken at multiple conferences like Black Hat Asia, Black Hat Europe, and Black Hat MEA. In his free time, he likes playing table tennis.



DL - Friday - 09:00-09:45 PDT


Title: Dyna - Automating the OWASP MASTG with Offensive Android Tactics
When: Friday, Aug 8, 09:00 - 09:45 PDT
Where: LVCCWest-Level2-W208 - Map

Description:

Dyna is a full-spectrum Android security auditing framework designed to automate the OWASP MASTG checklist using both static and dynamic analysis. Built for red teams, appsec engineers, and mobile researchers, Dyna combines Frida, Drozer, PyGhidra, and ADB-based techniques into a modular pipeline that evaluates app permissions, exported components, crypto misuse, insecure storage, IPC abuse, native binary risks, and reverse engineering resilience. It can detect traversal, SQLi, hardcoded secrets, and debuggable builds, while reverse engineering .so files using Ghidra in headless mode. Dyna also features real-time logcat parsing and deep link/URL extraction to trace third-party leaks and misconfigurations. With colored output, structured reports, and an extensible architecture, Dyna turns OWASP MASTG from a checklist into a powerful automated testing workflow.

Speakers:Arjun "T3R4_KAAL" Chaudhary,Ayodele Ibidapo

SpeakerBio:  Arjun "T3R4_KAAL" Chaudhary

Arjun is a dedicated and certified cybersecurity professional with extensive experience in web security research, vulnerability assessment and penetration testing (VAPT), and bug bounty programs. His background includes leading VAPT initiatives, conducting comprehensive security risk assessments, and providing remediation guidance to improve the security posture of various organizations. With a Master's degree in Cybersecurity and hands-on experience with tools such as Burp Suite, Wireshark, and Nmap, he brings a thorough understanding of application, infrastructure, and cloud security. As a proactive and self-motivated individual, he is committed to staying at the forefront of cybersecurity advancements. He has developed specialized tools for exploiting and mitigating vulnerabilities and collaborated with cross-functional teams to implement effective security controls. His passion for cybersecurity drives him to continuously learn and adapt to emerging threats and technologies. He is enthusiastic about contributing to innovative security solutions and engaging with the broader security community to address complex cyber threats. He believes that the future of cybersecurity lies in our ability to innovate and adapt, and he is dedicated to making a meaningful impact in this field.

SpeakerBio:  Ayodele Ibidapo

Ayodele is a cybersecurity consultant and application penetration tester with over 15 years of experience strengthening enterprise security architecture, risk governance, and secure DevSecOps practices across finance, telecom, and manufacturing sectors. His expertise spans mobile, web, and containerized applications, where he developed taint flow analyzers, automated vulnerability discovery workflows, and built custom static and dynamic analysis tools to uncover complex security flaws. He holds a Master’s in Information Systems Security Management from Concordia University of Edmonton and a B.Eng. from the University of Portsmouth. His research on CVSS v2 environmental scoring was presented at IEEE’s international conference at MIT, and he continues to bridge deep technical testing with strategic design to deliver resilient, risk-informed solutions.



DCT - Friday - 12:30-13:15 PDT


Title: Edge of Tomorrow: Foiling Large Supply Chain Attacks By Taking 5k Abandoned S3 Buckets from Malware and Benign Software
When: Friday, Aug 8, 12:30 - 13:15 PDT
Where: LVCCWest-Level1-Hall3-Track 5 - Map

Description:
Imagine one sunny morning you read the news: A crypto worm targets 100+ organizations around the world. The authorities estimate that during the first days of attack ~28,000 hosts in 158 countries were affected, including 24 nation state and European Union assets, major banks and tech companies. Since then, the worm has spread and is now everywhere. The industry doesn't know the main source of attack. There are many backdoored artifacts reportedly used by the victims with no obvious connections.

Eventually, a security researcher connects all the dots and finds the source: compromised, abandoned AWS S3 buckets. The risk that researchers warned about in the past materialized on a truly gigantic scale: 5155 buckets were affected.

Luckily, this incident has never happened. The buckets used in that hypothetical scenario were claimed by a security researcher and taken down by the Cloud provider.

In this talk, we will dissect the anatomy of such an attack. We will show that adversaries equipped with instruments of big data analysis and custom LLM-agents can take these scenarios to the next level by automating and scaling them. We will share statistical insights and 9 concrete stories illustrating potential victim profiles and attack vectors. Finally, we will discuss remediation actions that would eliminate the risk once and for all.

References:

SpeakerBio:  Maksim Shudrak

Maksim is an offensive security researcher and engineer with more than a decade of experience in red teaming, malware analysis, and exploit development complemented by a PhD in machine code vulnerability detection. He loves searching for complex large-scale issues in modern technologies and outlining their impact.

Maksim is an author of open-source tools for scanning cloud infrastructure, fuzzing, and dynamic malware analysis which he presented at various conferences such as DEF CON, VirusBulletin, and BlackHat Arsenal.



QTV - Friday - 12:00-12:59 PDT


Title: EduQ: A DIY Self-Education Platform for Hackers to Break, Build, and Experiment with Quantum-Secured Networks
When: Friday, Aug 8, 12:00 - 12:59 PDT
Where: LVCCWest-Level1-Hall1-W206 - Map

Description:

Quantum security is mysterious, expensive, and locked behind corporate and academic walls. But hackers don't wait for permission to learn. What if you could build your own quantum hacking lab, right in your garage?

SpeakerBio:  Yann Allain
No BIO available


CRE - Friday - 15:30-16:30 PDT


Title: EFF/Hackers.town RayHunter build clinic
When: Friday, Aug 8, 15:30 - 16:30 PDT
Where: LVCCWest-Level1-Hall4-Communities-C102 - Map

Description:

Come out and build EFF’s Rayhunter! ($10 materials fee EFF Donation)



DCW - Friday - 09:00-12:59 PDT


Title: Effectively Detecting Modern Malware with Volatility 3
When: Friday, Aug 8, 09:00 - 12:59 PDT
Where: LVCCNorth-Level2-N253 - Map

Description:

Volatility 3 is the latest version of the Volatility Memory Analysis framework and is a complete re-design and rewrite of the framework suited to meet the needs of modern investigations. In this workshop, students will learn Volatility 3’s new features aimed at efficiency and usability as well as all the new and updated Windows plugins capable of detecting modern malware. During the workshop, students will experience a mix of lecture and live demonstration about the latest malware techniques followed by hands-on labs that will require students to analyze infected memory samples. While students complete each lab, instructors will walk to each student’s station to ensure they are progressing. An instructor will also completely walk through each lab live, and students are given a 35+ page PDF lab guide that contains all the lab scenarios, questions, and detailed answers, including many screenshots and explanations. Students can then use the course slides and lab guide to practice labs over time as well as to guide real-world investigations of compromised systems. By attending this workshop, students will leave knowing the most effective ways to detect modern Windows malware using the latest version of the most widely used open-source framework for memory analysis.

Speakers:Andrew Case,Lauren Pace,Daniel Donze

SpeakerBio:  Andrew Case, Director of Research at Volexity

Andrew Case is the Director of Research at Volexity and has significant experience in incident response handling, digital forensics, and malware analysis. Case is a core developer of Volatility, the most widely used open-source memory forensics framework, and a co-author of the highly popular and technical forensics analysis book "The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory." Case has spoken at many industry conferences, including DEF CON, Black Hat, RSA, DFRWS, SecTor, BSides*, and OMFW.

SpeakerBio:  Lauren Pace, Computer Science PhD Student at LSU

Lauren Pace is a PhD Student Researcher at Louisiana State University. She is a recipient of a Scholarship for Service scholarship and is performing funded research on complex problems and topics in memory forensics. Lauren has delivered Volatility 3 workshops at conferences, such as DFRWS, and is actively involved in her local cybersecurity clubs and community.

SpeakerBio:  Daniel Donze

Daniel Donze (He/Him) is a PhD Student Researcher in Computer Science at Louisiana State University. His research has previously contributed to the Volatility Framework, and his current interests include memory forensics and malware analysis. He has presented research at BSides Las Vegas as well as several local events. He previously worked as a fullstack web and software developer and security researcher. His hobbies include cooking, playing guitar, mixology and craft beer.



DL - Friday - 12:00-12:45 PDT


Title: Empire 6.0
When: Friday, Aug 8, 12:00 - 12:45 PDT
Where: LVCCWest-Level2-W210 - Map

Description:

Empire 6.0 is the latest evolution of the Command and Control (C2) framework. This major release introduces powerful new capabilities, including Go-based agents for enhanced cross-platform compatibility, a completely overhauled Empire compiler for streamlined payload deployment, and an integrated plugin marketplace in Starkiller. Enhanced module systems, dynamic option handling, Beacon Object File integration, and advanced remote script execution further expand Empire's capabilities. Empire continues to provide cryptographically secure communications and direct integration with the MITRE ATT&CK framework to emulate real-world Advanced Persistent Threat tactics, techniques, and procedures. This demo lab will highlight these significant advancements and demonstrate Empire 6.0's state-of-the-art capabilities.

Speakers:Vincent "Vinnybod" Rose,Jake "Hubble" Krasnov

SpeakerBio:  Vincent "Vinnybod" Rose, Confluent

Vincent "Vinnybod" Rose is the Lead Developer for Empire and Starkiller. He is a software engineer with a decade of expertise in building highly scalable cloud services, improving developer operations, and automation. Recently, his focus has been on the reliability and stability of the Empire C2 server. Vinnybod has presented at Black Hat and has taught courses at DEF CON on Red Teaming and Offensive PowerShell. He currently maintains a cybersecurity blog focused on offensive security at https://www.bc-security.org/blog/.

SpeakerBio:  Jake "Hubble" Krasnov, Red Team Operations Lead and Chief Executive Officer at BC Security

Jake "Hubble" Krasnov is the Red Team Operations Lead and Chief Executive Officer of BC Security, with a distinguished career spanning engineering and cybersecurity. A U.S. Air Force veteran, Jake began his career as an Astronautical Engineer, overseeing rocket modifications, leading test and evaluation efforts for the F-22, and conducting red team operations with the 57th Information Aggressors. He later served as a Senior Manager at Boeing Phantom Works, where he focused on aviation and space defense projects. A seasoned speaker and trainer, Jake has presented at conferences including DEF CON, Black Hat, HackRedCon, HackSpaceCon, and HackMiami.



DCT - Friday - 17:00-17:45 PDT


Title: Emulating Embedded Linux Devices at Scale with Light-Touch Firmware Rehosting
When: Friday, Aug 8, 17:00 - 17:45 PDT
Where: LVCCWest-Level1-Hall3-Track 3 - Map

Description:

We will present a higher-level “rehosting” approach to the emulation of embedded Linux systems.

While most existing embedded Linux emulation frameworks work in userspace, we try not to touch userspace or modify a firmware image at all. Instead, we take a higher-level and somewhat “hybrid” approach, which involves building patched Linux kernels and using modified or custom QEMU machines. We do this to model the terrain of a system as closely as possible to that which a userspace firmware image expects, allowing userspace to run essentially unimpeded.

This approach involves a considerable amount of reverse-engineering of userspace binaries and libraries, alongside poring over whatever GPL code we can find, in order to write kernel patches, dummy drivers and make QEMU changes “reactively”. Our goal is to end up with a rehosting environment which, from the perspective of userspace, looks almost exactly like the real system.

References:

All the following provided inspiration, although our methodology is different:

  - Firmguide
  - Firmadyne
  - EMUX
  - Jetset

SpeakerBio:  Sigusr Polke

Sigusr Polke is the single-use pseudonym of a security researcher, who's spent a lot of time poking at embedded systems over the years.



RTV - Friday - 15:00-15:50 PDT


Title: EncryptedClientHelloWorld: TLSv1.3 ECH As A Covert C2 Channel
When: Friday, Aug 8, 15:00 - 15:50 PDT
Where: LVCCWest-Level1-Hall1-W405-Red Team Village/LVCC-L1-EHW1-405-Track 4 - Map

Description:

This workshop will cover the fundamentals of Transport Layer Security (TLS) version 1.3, the latest Encrypted Client Hello (ECH) extension, and its application as a Command and Control (C2) technique to bypass network defenses.

SpeakerBio:  Jose Plascencia

Jose is an experienced Red Teamer who dabbles in system administration, reverse engineering, and coding with Rust.



DL - Friday - 12:00-12:45 PDT


Title: EntraGoat - A Deliberately Vulnerable Entra ID Environment
When: Friday, Aug 8, 12:00 - 12:45 PDT
Where: LVCCWest-Level2-W211 - Map

Description:

EntraGoat is a deliberately vulnerable environment designed to simulate real-world security misconfigurations and attack scenarios in Microsoft Entra ID (formerly Azure Active Directory). Security professionals, researchers, and red teamers can leverage EntraGoat to gain hands-on experience identifying and exploiting identity and access management vulnerabilities, privilege escalation paths, and other security flaws specific to cloud-based Entra ID environments. EntraGoat is tailored specifically to help security practitioners understand and mitigate the risks associated with cloud identity infrastructures. The project provides a CTF-style learning experience, covering a range of misconfigurations, insecure policies, token abuses, and attack paths commonly exploited in real-world Entra ID breaches. By using EntraGoat, security teams can enhance their skills in Entra ID security, validate detection and response capabilities, and develop effective hardening strategies.

Speakers:Tomer Nahum,Jonathan Elkabas

SpeakerBio:  Tomer Nahum, Security Researcher at Semperis

Tomer is a security researcher at Semperis, where he works to find new attacks and how to defend against them in on-prem identity stacks such as Active Directory, as well as cloud identity systems. He was awarded Most Valuable Researcher (MVR) in 2023 by Microsoft Security Response Center (MSRC).

SpeakerBio:  Jonathan Elkabas

Jonathan is a security researcher at Semperis, specializing in Entra ID and Active Directory security. With expertise in identity-based threats, he focuses on analyzing attack techniques, developing detection strategies, and enhancing defenses against evolving cyber threats. He actively contributes to the security community through research, threat intelligence sharing, and speaking engagements.



DCT - Friday - 16:30-17:15 PDT


Title: Escaping the Privacy Sandbox with Client-Side Deanonymization Attacks
When: Friday, Aug 8, 16:30 - 17:15 PDT
Where: LVCCWest-Level1-Hall3-Track 4 - Map

Description:

Google's Privacy Sandbox initiative aims to provide privacy-preserving alternatives to third-party cookies by introducing new web APIs. This talk will examine potential client-side deanonymization attacks that can compromise user privacy by exploiting vulnerabilities and misconfigurations within these APIs.

I will explore the Attribution Reporting API, detailing how debugging reports can bypass privacy mechanisms like Referrer-Policy, potentially exposing sensitive user information. I will also explain how destination hijacking, in conjunction with a side-channel attack using storage limit oracles, can be used to reconstruct browsing history, demonstrating a more complex deanonymization technique.

Additionally, I will cover vulnerabilities in the Shared Storage API, illustrating how insecure cross-site worklet code can leak data stored within Shared Storage, despite the API being deliberately designed to prevent direct data access. Real-world examples and potential attack scenarios will be discussed to highlight the practical implications of these vulnerabilities.

SpeakerBio:  Eugene "spaceraccoon" Lim

Eugene Lim is a security researcher and white hat hacker. From Amazon to Zoom, he has helped secure applications from a range of vulnerabilities. His work has been featured at top conferences such as Black Hat, DEF CON, and industry publications like WIRED and The Register.



TRN - Monday - 08:00-16:59 PDT


Title: Everyday Ghidra: Practical Windows Reverse Engineering
When: Monday, Aug 11, 08:00 - 16:59 PDT
Where: LVCCWest - Map

Description:

Reverse engineering is the process of uncovering the principles, architecture, and internal structure of a piece of software or hardware. It can be used for various purposes, such as improving compatibility, enhancing security, understanding program behaviour, and even vulnerability research. However, reverse engineering can also be challenging, especially when dealing with complex and modern Windows binaries.

That’s why you need Ghidra, a powerful and open-source software reverse engineering framework developed by the National Security Agency (NSA). Ghidra can help you perform in-depth analysis of Windows binaries, using its rich set of features and tools. Whether you want to reverse engineer malware, understand software internals, or find vulnerabilities, Ghidra can handle it and this course will guide your steps.

In this course, you will learn how to use Ghidra effectively to reverse engineer Windows binaries. While Ghidra is at the heart of our curriculum, we go far beyond a simple user manual. This course is designed to help you master Windows reverse engineering techniques by using Ghidra as your primary tool. You will start with the basics of Ghidra, such as creating projects, importing and analyzing binaries, and using Ghidra’s native tools. You will then learn how to customize Ghidra to suit your needs, such as building custom data types and configuring optimal analysis. From there, you will complete progressive labs that will teach you to apply both static and dynamic analysis techniques to dive deep into Windows application behavior using Ghidra’s Windows-specific features and scripts.

Practical Exercises:

- Reverse Engineering Windows Malware - Learn to statically analyze a Windows malware sample and identify its malicious behavior.
- Dynamically Debugging a Windows RPC Server - Gain insight into Windows RPC and learn how to dynamically inspect a Windows server with Ghidra’s Debugger.
- Patch Diffing and Root Cause Analysis of a Windows CVE - Learn how to use Ghidra’s Patch Diffing to compare two versions of a Windows binary and identify the changes made to fix a vulnerability and find its root cause.

SpeakerBio:  John McIntosh, Security Researcher and Lead Instructor at @clearseclabs

John McIntosh @clearbluejar is a security researcher and lead instructor @clearseclabs, a company that offers hands-on training and consulting for reverse engineering and offensive security. He is passionate about learning and sharing knowledge on topics such as binary analysis, patch diffing, and vulnerability discovery. He has created several open-source security tools and courses, which are available on his GitHub page. He regularly blogs about his research projects and experiments on his website (https://clearbluejar.github.io), where you can find detailed write-ups on reversing recent CVEs and building RE tooling with Ghidra. With over a decade of offensive security experience, speaking and teaching at security conferences worldwide, he is always eager to learn new things and collaborate with other security enthusiasts.



TRN - Tuesday - 08:00-16:59 PDT


Title: Everyday Ghidra: Practical Windows Reverse Engineering
When: Tuesday, Aug 12, 08:00 - 16:59 PDT
Where: LVCCWest - Map

Description:

Reverse engineering is the process of uncovering the principles, architecture, and internal structure of a piece of software or hardware. It can be used for various purposes, such as improving compatibility, enhancing security, understanding program behaviour, and even vulnerability research. However, reverse engineering can also be challenging, especially when dealing with complex and modern Windows binaries.

That’s why you need Ghidra, a powerful and open-source software reverse engineering framework developed by the National Security Agency (NSA). Ghidra can help you perform in-depth analysis of Windows binaries, using its rich set of features and tools. Whether you want to reverse engineer malware, understand software internals, or find vulnerabilities, Ghidra can handle it and this course will guide your steps.

In this course, you will learn how to use Ghidra effectively to reverse engineer Windows binaries. While Ghidra is at the heart of our curriculum, we go far beyond a simple user manual. This course is designed to help you master Windows reverse engineering techniques by using Ghidra as your primary tool. You will start with the basics of Ghidra, such as creating projects, importing and analyzing binaries, and using Ghidra’s native tools. You will then learn how to customize Ghidra to suit your needs, such as building custom data types and configuring optimal analysis. From there, you will complete progressive labs that will teach you to apply both static and dynamic analysis techniques to dive deep into Windows application behavior using Ghidra’s Windows-specific features and scripts.

Practical Exercises:

- Reverse Engineering Windows Malware - Learn to statically analyze a Windows malware sample and identify its malicious behavior.
- Dynamically Debugging a Windows RPC Server - Gain insight into Windows RPC and learn how to dynamically inspect a Windows server with Ghidra’s Debugger.
- Patch Diffing and Root Cause Analysis of a Windows CVE - Learn how to use Ghidra’s Patch Diffing to compare two versions of a Windows binary and identify the changes made to fix a vulnerability and find its root cause.

SpeakerBio:  John McIntosh, Security Researcher and Lead Instructor at @clearseclabs

John McIntosh @clearbluejar is a security researcher and lead instructor @clearseclabs, a company that offers hands-on training and consulting for reverse engineering and offensive security. He is passionate about learning and sharing knowledge on topics such as binary analysis, patch diffing, and vulnerability discovery. He has created several open-source security tools and courses, which are available on his GitHub page. He regularly blogs about his research projects and experiments on his website (https://clearbluejar.github.io), where you can find detailed write-ups on reversing recent CVEs and building RE tooling with Ghidra. With over a decade of offensive security experience, speaking and teaching at security conferences worldwide, he is always eager to learn new things and collaborate with other security enthusiasts.



CRE - Friday - 14:00-15:50 PDT


Title: Evolution and History of Drain and Approval Attacks
When: Friday, Aug 8, 14:00 - 15:50 PDT
Where: LVCCWest-Level1-Hall4-Communities-C101 - Map

Description:

This interactive workshop explores the history and evolution of draining attacks across major blockchains such as Ethereum, Solana, and TON. Participants will witness live demonstrations of various draining techniques, from early ERC-20 approval abuse to sophisticated token spoofing. Learn to recognize, trace, and defend against these exploits while discussing popular laundering methods and current security measures. A final group challenge will involve tracking an attacker's wallet and evaluating how to recover stolen funds.

Speakers:utvecklas,George

SpeakerBio:  utvecklas

Utvecklas is a computer scientist and privacy advocate who has integrated cryptocurrency into online businesses since 2016. Over time, cryptocurrency itself became his primary interest. Outside of work, his research specializes in exploits — whether past, ongoing, or potential.

SpeakerBio:  George

George is a cryptocurrency enthusiast who has been actively involved in the space since 2018. With a focus on crypto marketing and security, he has successfully launched multiple projects aimed at improving both user adoption and safety. George is passionate about bridging the gap between complex technologies and mainstream audiences.



BBV - Friday - 17:30-17:59 PDT


Title: Exploiting the Off-chain ecosystem in Web 3 Bug Bounty
When: Friday, Aug 8, 17:30 - 17:59 PDT
Where: LVCCWest-Level3-W326 - Map

Description:

I will demonstrate how it’s possible to approach the Web3 bug bounty ecosystem just by exploiting off-chain bugs and vulnerabilities in the JavaScript ecosystem. This talk will explore the current state of this field through real-world examples I’ve reported on bug bounty platforms, which contributed to my achieving the top 10 global rank on the HackenProof platform.

SpeakerBio:  Bruno "BrunoModificato" Halltari

Bruno is a security researcher with a background in Web2, specializing in client-side vulnerabilities. He has conducted extensive audits and research on topics such as popular wallets and sandbox environments. He is currently ranked in the top 10 on the HackenProof bug bounty platform worldwide and has reported vulnerabilities through HackerOne to platforms such as Zoom and MetaMask.



ICSV - Friday - 10:00-10:30 PDT


Title: Fear vs. Physics: Diagnosing Grid Chaos
When: Friday, Aug 8, 10:00 - 10:30 PDT
Where: LVCCWest-Level2-W233 - Map

Description:

Every time the lights go out, the speculation begins—was it cyber? Squirrels? Was it an attack? But often, the real story behind grid disturbances isn’t malicious code—it’s uncontrolled chaos, born from the physical behavior of a rapidly evolving power system. This session takes a deep dive into that chaos, exploring how subtle interactions in electric grids—like oscillations—can spiral into large-scale instability. These low-frequency oscillations are increasingly common in the bulk electric system, yet are explainable. They emerge from control design, network conditions, and energy physics—not adversarial action, and the lights going off is usually a sign the system has actually acted as it should in protecting itself from damage. Equipment failures are also spectacular, but common. It’s tempting to tie big fires to bad cyber, but in reality the failures are almost always in the planning for the event, or recovery.

We’ll dissect real-world events like the Iberian Peninsula blackout, where what looked like a grid failure may have actually revealed a quiet success: a functional blackstart scenario, where system operators re-energized the grid under extreme stress. But that nuance was lost in the noise, as media and analysts scrambled for cyber scapegoats. We’ll also explore the London transformer fire, a failure in planning for an outage, and technical scrutiny of Chinese-manufactured inverter components with alleged kill switches inserted, illustrating how physical system dynamics often create the most dramatic disruptions. This talk fuses power system engineering, ICS cybersecurity, and operational storytelling to reframe how we interpret complex events. It’s a call to replace fear with facts—and to find meaning in the chaos, not just blame.

SpeakerBio:  Emma Stewart, INL

Dr. Emma M. Stewart is a respected power systems specialist with expertise in power distribution, critical energy delivery, modeling and simulation, as well as operational cybersecurity. She holds a Ph.D. in Electrical Engineering and an M.Eng. degree in Electrical and Mechanical Engineering. Emma is currently Chief Scientist, Power Grid at INL, and leads activities in supply chain consequence analysis for digital assurance, in particular for energy storage and system-level programs. Throughout her career, Dr. Stewart has made significant contributions to the field of power systems, receiving patents for innovations in power distribution systems and consequence analysis for cyber and physical events. Her responsibilities over her 20-year career have also included providing electric cooperatives with education, training, information sharing, incident support, technology integration, and R&D services in energy integration, resilience and grid planning and microgrid technologies.



MHV - Friday - 15:45-16:30 PDT


Title: Fighting the Digital Blockade: A View from Taiwan
When: Friday, Aug 8, 15:45 - 16:30 PDT
Where: LVCCWest-Level2-W231 - Map

Description:

Taiwan stands on the frontlines of digital warfare under the sea. This high-profile panel, led by the Deputy Minister of Digital Affairs of Taiwan, will feature a gripping discussion on the silent battles waged beneath the sea. From sabotage of undersea infrastructure to the geopolitics of cyber-resilience, panelists will recall the threats and Taiwan's efforts to defend. Don’t miss this rare opportunity to explore the technical and political dimensions of the new global dynamic -- the digital blockade.

Speakers:Deputy Minister Herming Chiueh,Jason Vogt

SpeakerBio:  Deputy Minister Herming Chiueh, Taiwan Ministry of Digital Affairs

Dr. Herming Chiueh currently serves as Deputy Minister at Taiwan’s Ministry of Digital Affairs (MODA), where he leads national efforts on digital resilience, secure communications, and critical infrastructure protection.

With a background in electrical engineering and over two decades in academia and public service, Dr. Chiueh has become a key figure in Taiwan’s cybersecurity strategy. He has overseen the deployment of multi-layered digital backup systems—including subsea cables, terrestrial fiber, and emerging LEO satellite networks—to ensure the continuity of communications during natural disasters, cyberattacks, and geopolitical disruptions.

SpeakerBio:  Jason Vogt, USNWC

Jason Vogt is an assistant professor in the Strategic and Operational Research Department, Center for Naval Warfare Studies at the United States Naval War College. Professor Vogt is a cyber warfare and wargaming expert. He has participated in the development of multiple wargames at the United States Naval War College. He previously served on active duty as an Army officer.



DCW - Friday - 14:00-17:59 PDT


Title: Fine Tune your personal LLM assistant to Secure coding
When: Friday, Aug 8, 14:00 - 17:59 PDT
Where: LVCCNorth-Level2-N260 - Map

Description:

In today’s landscape, generative AI coding tools are powerful but often insecure, raising concerns for developers and organizations alike. This hands-on workshop will guide participants in building a secure coding assistant tailored to their specific security needs.

We’ll begin by exploring the security limitations of current AI coding tools and discussing why fine-tuning is critical for secure development. Participants will then create and fine-tune their own LLM-based assistants using provided examples and their own use cases. By the end of the session, each attendee will have a functioning, security-focused AI coding assistant and a clear understanding of how to improve it further.

Speakers:Or Sahar,Yariv Tal

SpeakerBio:  Or Sahar, Security Researcher

Or Sahar is a security researcher, software engineer, and cofounder of Secure From Scratch — a venture dedicated to teaching developers secure coding from the very first line of code. She has worked for many years as a developer and developer team leader, before transitioning her career path to focus on hacking, application vulnerability research and security in the context of AI. Or is currently pursuing a master's degree in computer science and lectures in several colleges.

SpeakerBio:  Yariv Tal, Security Researcher

Yariv Tal is a senior developer & security researcher, and the cofounder of Secure From Scratch - a venture dedicated to teaching developers secure coding from the very first line of code. A summa cum laude graduate from the Technion, leveraging four decades of programming expertise and years of experience in university lecturing and bootcamp mentoring, he brings a developer's perspective to the field of security. Currently, he lectures on secure coding at several colleges and in the private sector, leads the owasp-untrust project, and is pursuing a master's degree in computer science.



DCT - Friday - 14:30-15:15 PDT


Title: Firewalls Under Fire: China's 5+ year campaign to penetrate perimeter network defenses
When: Friday, Aug 8, 14:30 - 15:15 PDT
Where: LVCCWest-Level1-Hall3-Track 5 - Map

Description:

For more than five years, firewall vendors have been locked in a persistent, cyclical struggle against a well-resourced and relentless China-based adversary that has expended considerable resources developing custom exploits and bespoke malware expressly for the purpose of compromising enterprise firewalls in customer environments. In this first-of-its-kind presentation, Andrew Brandt will walk attendees through the complete history of the campaign, detailing the full scope of attacks and the countermeasures one firewall vendor developed to derail the threat actors, including detail into the exploits targeting specific firewalls, and malware deployed inside the firewalls as a result of these attacks.

Fundamental to this presentation is the fact that the adversary behind this campaign has not targeted only one firewall vendor: Most of the large network security providers in the industry have been targeted multiple times, using many of the same tactics and tools. So this serves not merely as a warning to the entire security industry, but as an urgent call to the companies that make up this industry to collectively combat this ongoing problem. Because at the end of the day, we all face the same threat, and we cannot hope to withstand the tempo and volume of these attacks alone. We must work together.

SpeakerBio:  Andrew "Spike" Brandt

Andrew Brandt is a former investigative journalist who switched careers to work in information security in 2007. He is an experienced malware analyst, network forensicator, and cyberattack untangler, who seeks to prevent cybercriminals from being able to victimize others. He has served as the director of threat research or as a principal researcher at several large cybersecurity companies, and currently serves on the board of World Cyber Health, the parent organization that operates the Malware Village at Defcon and other conferences. As the executive director of Elect More Hackers, he is active in cybersecurity and technology policy, and seeks to recruit likeminded folks to run for elected office. He lives in Boulder, Colorado.



DL - Friday - 12:00-12:45 PDT


Title: FLARE-VM
When: Friday, Aug 8, 12:00 - 12:45 PDT
Where: LVCCWest-Level2-W212 - Map

Description:

Interested in malware analysis, reverse engineering, or offensive security? You know setting up a dedicated Windows analysis virtual machine is crucial, but manually installing and configuring countless tools is incredibly time-consuming and complex. Attend this 30-minute demo to discover FLARE-VM, the powerful open-source solution from Mandiant (now part of Google Cloud) that automates this entire process. See firsthand how FLARE-VM drastically simplifies the creation of a comprehensive analysis VM packed with essential reversing and malware analysis tools. Learn why having a ready-to-go analysis environment is indispensable for so many technical cybersecurity roles and how FLARE-VM jump-starts your build!

Speakers:Joshua "jstrosch" Stroschein,Elliot Chernofsky

SpeakerBio:  Joshua "jstrosch" Stroschein, Google

Joshua is an experienced malware analyst and reverse engineer and has a passion for sharing his knowledge with others. He is a reverse engineer with the FLARE team at Google, where he focuses on tackling the latest threats. He is an accomplished trainer, providing training at places such as Ring Zero, Black Hat, DEF CON, ToorCon, Hack In The Box, SuriCon, and other public and private venues. He is also an author on Pluralsight, where he publishes content around malware analysis, reverse engineering, and other security related topics.

SpeakerBio:  Elliot Chernofsky

Elliot is a senior reverse engineer on Mandiant's FLARE team. Prior to joining the team, he worked as a software reverse engineer and vulnerability researcher for the Department of Defense. He received his master’s in computer science from Georgia Tech and a bachelor’s in electrical engineering from the University of South Florida. Outside of work he enjoys hiking, ping pong, and searching for the strongest coffee on the planet.



PSV - Friday - 12:00-12:59 PDT


Title: Flipping Locks - Remote Badge Cloning with the Flipper Zero and More
When: Friday, Aug 8, 12:00 - 12:59 PDT
Where: LVCCWest-Level2-W233 - Map

Description:

Traditional RFID badge cloning methods require you to be within 3 feet of your target. So how can you conduct a physical penetration test and clone a badge without interacting with a person? Companies have increasingly adopted a hybrid work environment, allowing employees to work remotely, which has decreased the amount of foot traffic in and out of a building at any given time. This session discusses two accessible, entry-level hardware designs you can build in a day and deploy in the field, along with the tried-and-true social engineering techniques that can increase your chances of remotely cloning an RFID badge.

Langston and Dan discuss their Red Team adventures using implant devices, a Flipper Zero and an iCopy-X. As a bonus the two will explain how to perform a stealthy HID iClass SE/SEOS downgrade and legacy attack! This presentation is supplemented with files and instructions that are available for download in order to build your own standalone gooseneck reader, wall implant and clipboard cloning devices!

Speakers:Langston Clements,Dan Goga

SpeakerBio:  Langston Clements

Langston grew up reading stories about the 90’s hacker escapades, and after years of observing the scene, he jumped into the cybersecurity field and never looked back. He is currently a Senior Red Team operator for Brown Brothers Harriman. With over fifteen (15) years of public and private sector experience in cybersecurity and ethical hacking, he aims to provide organizations with valuable and actionable information to help improve their security posture. Langston’s specializations focus on modern-day social engineering techniques, wireless and RFID attacks, vulnerability analysis, and physical penetration testing.

SpeakerBio:  Dan Goga

Dan Goga serves as a Principal Consultant with NRI focused on conducting penetration testing and vulnerability assessments. Dan Goga has eight years of information security experience in the public, private, and academic sectors. Dan has extensive knowledge and experience with RFID hacking, phishing techniques, social engineering techniques, and penetration testing.



HRV - Friday - 13:00-15:59 PDT


Title: Free Ham Radio Exams
When: Friday, Aug 8, 13:00 - 15:59 PDT
Where: LVCCWest-Level3-W320 - Map

Description:

The Ham Radio Village is excited to return to DEF CON 33, offering you the opportunity to "Access Everything" by gaining you access to the airwaves through free amateur radio license exams! Ham radio has a long history with ham radio operators being considered the original electronic hackers, innovating long before computers, integrated circuits, or even transistors were invented. The Ham Radio Village keeps this spirit alive by providing free ham radio license exams at DEF CON.

In today's world, wireless communication is essential. A fundamental understanding of radio technology is more important than ever. Earning your amateur radio license opens the door to the world of amateur radio, providing you with valuable knowledge of radio frequency (RF) technology. This knowledge can be applied to a wide range of other RF-related topics, including RFID credentials, Wi-Fi, and other wireless communication systems.



PGE - Friday - 12:00-12:59 PDT


Title: Friends of Bill W
When: Friday, Aug 8, 12:00 - 12:59 PDT
Where: LVCCWest-Level3-W301 - Map

Description:

We know DEF CON and Vegas can be a lot. If you're a friend of Bill W who's looking for a meeting or just a place to collect yourself, DEF CON 33 has you covered. Join us throughout the conference in the Friends of Bill W Community Space in W301.



PGE - Friday - 17:00-17:59 PDT


Title: Friends of Bill W
When: Friday, Aug 8, 17:00 - 17:59 PDT
Where: LVCCWest-Level3-W301 - Map

Description:

We know DEF CON and Vegas can be a lot. If you're a friend of Bill W who's looking for a meeting or just a place to collect yourself, DEF CON 33 has you covered. Join us throughout the conference in the Friends of Bill W Community Space in W301.



ADV - Friday - 11:00-11:45 PDT


Title: From adversarial to aligned, redefining purple teaming for maximum impact
When: Friday, Aug 8, 11:00 - 11:45 PDT
Where: LVCCWest-Level2-W232 - Map

Description:

Purple teaming is no longer just about red meets blue, it is about shared intelligence, continuous collaboration, and realistic adversary emulation. In this panel, we explore how modern security teams are moving from siloed operations to unified strategies that reflect how real attackers operate. By rethinking purple teaming as a proactive, intelligence-driven discipline, organizations can uncover detection gaps, improve response times, and drive measurable improvements in their defenses. Join us as we unpack how aligning offensive and defensive teams unlocks the full potential of purple teaming and leads to lasting security impact.

Speakers:Adam Pennington,Sydney Marrone,Lauren Proehl

SpeakerBio:  Adam Pennington, ATT&CK Lead at The MITRE Corporation

Adam Pennington leads ATT&CK at The MITRE Corporation and collected much of the intelligence leveraged in creating ATT&CK’s initial techniques. He has spent much of his 15 years with MITRE studying and preaching the use of deception for intelligence gathering. Prior to joining MITRE, Adam was a researcher at Carnegie Mellon's Parallel Data Lab and earned his BS and MS degrees in Computer Science and Electrical and Computer Engineering from Carnegie Mellon University. Adam has presented and published in several venues including FIRST CTI, USENIX Security, DEF CON, and ACM Transactions on Information and System Security.

SpeakerBio:  Sydney Marrone, Threat hunter at Splunk

Sydney is a threat hunter, co-author of the PEAK Threat Hunting Framework, and co-founder of THOR Collective. A proud thrunter, she is dedicated to advancing the craft of threat hunting through hands-on research, open-source collaboration, and community-driven initiatives like HEARTH (Hunting Exchange And Research Threat Hub). When not hunting threats, she’s crafting content for THOR Collective Dispatch, lifting weights, and keeping the hacker spirit alive.

SpeakerBio:  Lauren Proehl, Global Head of Detection and Response at Marsh McLennan, Co-Founder at THOR Collective

Lauren Proehl is the Global Head of Detection and Response at Marsh McLennan. She is an experienced incident responder and threat hunter who has helped identify and mitigate cyber adversaries in Fortune 500 networks. After leading investigations ranging from data breaches to targeted attacks, she now works to define some part of the limitless unknowns in cyberspace and make cybersecurity less abstract, and more tangible. Lauren sits on the CFP board for BSides Kansas City, heads up SecKC parties, and tries to escape computers by running long distances in the woods.



DCT - Friday - 15:00-15:45 PDT


Title: From Spoofing to Tunneling: New Red Team's Networking Techniques for Initial Access and Evasion
When: Friday, Aug 8, 15:00 - 15:45 PDT
Where: LVCCWest-Level1-Hall3-Track 3 - Map

Description:

Gaining initial access to an intranet is one of the most challenging parts of red teaming. If an attack chain is intercepted by an incident response team, the entire operation must be restarted. In this talk, we introduce a technique for gaining initial access to an intranet that does not involve phishing, exploiting public-facing applications, or having a valid account. Instead, we leverage the use of stateless tunnels, such as GRE and VxLAN, which are widely used by companies like Cloudflare and Amazon. This technique affects not only Cloudflare's customers but also other companies.

Additionally, we will share evasion techniques that take advantage of company intranets that do not implement source IP filtering, preventing IR teams from intercepting the full attack chain. Red teamers could confidently perform password spraying within an internal network without worrying about losing a compromised foothold. Also, we will reveal a nightmare of VxLAN in Linux Kernel and RouterOS. This affects many companies, including ISPs. This feature is enabled by default and allows anyone to hijack the entire tunnel, granting intranet access, even if the VxLAN is configured on a private IP interface through an encrypted tunnel. What's worse, RouterOS users cannot disable this feature. This problem can be triggered simply by following the basic VxLAN official tutorial. Furthermore, if the tunnel runs routing protocols like BGP or OSPF, it can lead to the hijacking of internal IPs, which could result in domain compromises. We will demonstrate the attack vectors that red teamers can exploit after hijacking a tunnel or compromising a router by manipulating the routing protocols.

Lastly, we will conclude the presentation by showing how companies can mitigate these vulnerabilities. Red teamers can use these techniques and tools to scan targets and access company intranets. This approach opens new avenues for further research.

References:

I have seen discussions about source IP address spoofing with stateless tunnels, similar to research on CVE-2020-10136 which uses IPIP tunnels. However, this research omits the possibility of using stateless tunnels for initial access. The PoC only provides methods to launch DoS attacks such as UDP flooding, TCP SYN attacks, and ARP spoofing, which do not require a response. Notably, there is no method to find a stateless tunnel in previous research, making real-world attacks impractical.

SpeakerBio:  Shu-Hao, Tung 123ojp

Shu Hao, Tung (123ojp) is a Threat Researcher at Trend Micro, specializing in Red Teaming. He mainly focuses on web, networking, and infrastructure vulnerabilities. He owns an ASN and is a bug hunter who has reported high-risk vulnerabilities via Bugcrowd.



RTV - Friday - 15:00-15:50 PDT


Title: From USB to C2
When: Friday, Aug 8, 15:00 - 15:50 PDT
Where: LVCCWest-Level1-Hall1-W405-Red Team Village/LVCC-L1-EHW1-405-Track 2 - Map

Description:

In this workshop, participants will build and deploy a USB-based intrusion framework: crafting a malicious USB payload, developing a lightweight information-stealing stager, and using the resulting data to deploy a Mythic C2 beacon. The session also covers provisioning and configuring an AWS-hosted command-and-control environment. Attendees will leave with hands-on experience in both the offensive implant and its supporting cloud infrastructure.

SpeakerBio:  Will McGraw

Will McGraw is a security professional with a background that spans help desk support, security and compliance consulting, and hands-on offensive security. Currently working as a pentester, he focuses on creative attack paths to achieve initial access and persistence in client environments. With over four years in the industry, he brings practical experience and a hacker’s mindset to his research.



GHV - Friday - 14:00-14:45 PDT


Title: Game Hacking 101
When: Friday, Aug 8, 14:00 - 14:45 PDT
Where: LVCCWest-Level2-W233 - Map

Description:

Intro basics about concepts in game hacking and security principles within video games.

SpeakerBio:  Julian "Julez" Dunning, Security Founder & Leader

Julian has a storied career in cybersecurity, initially focusing on offensive security. He has developed several popular open-source security tools, including statistics-based password-cracking methods. Julian also co-founded Truffle Security, creators of the widely used open-source tool TruffleHog. Recently, he established a new DEFCON village called GameHacking.GG, which promotes interest and awareness in game security.



DCT - Friday - 15:00-15:45 PDT


Title: Gateways to Chaos - How We Proved Modems Are a Ticking Time Bomb That Hackers Can Access Everywhere
When: Friday, Aug 8, 15:00 - 15:45 PDT
Where: LVCCWest-Level1-Hall3-Track 2 - Map

Description:

Imagine your home modem as a loaded gun aimed at global security. Our research exposes critical vulnerabilities in ISP-supplied modems—ADSL, fiber, cable, 5G—that inherently threaten power grids, water systems, and ATMs. Over 35 severe flaws have been identified, rooted in outdated IoT SDKs, affecting millions globally. These issues allow attackers to manipulate essential services without direct hijacking.

Despite the severity of these vulnerabilities, manufacturers and ISPs consistently refuse to address them, leaving these devices as perpetual threats. We provide essential tools for detection and defense against such negligence.

In this session, you'll learn how to identify these inherent weaknesses that compromise infrastructures through device flaws. Gain practical skills in vulnerability hunting and crafting defenses, while navigating the landscape of responsible disclosure amidst industry inertia.

Join us to confront a crisis long ignored. When hackers exploit these systemic failures, it's not just personal data at risk—it's the stability of our world's crucial infrastructure.

SpeakerBio:  Chiao-Lin "Steven Meow" Yu, Threat Researcher at Trend Micro Red Team

Chiao-Lin Yu (Steven Meow) currently serves as a Red Team Cyber Threat Researcher at Trend Micro. He holds numerous professional certifications including OSCE³, OSEP, OSWE, OSED, OSCP, CRTP, CARTP, CESP-ADCS, LTP, CPENT, GCP ACE. Steven has previously presented at events such as Security BSides Tokyo 2023, HITCON Bounty House, and CYBERSEC 2024, 2025. He has disclosed 20+ CVE vulnerabilities in major companies like VMware, D-Link, and Zyxel. His expertise spans red team exercises, web security and IoT security.



MWV - Friday - 10:00-12:59 PDT


Title: Getting started in Malware Analysis with Ghidra
When: Friday, Aug 8, 10:00 - 12:59 PDT
Where: LVCCWest-Level1-Hall1-W303 - Map

Description:
SpeakerBio:  Wesley McGrew

Dr. Wesley McGrew is a house music DJ that also directs research, development, and offensive cyber operations as Senior Cybersecurity Fellow for MartinFederal. He has presented on topics of penetration testing and malware analysis at DEF CON and Black Hat USA and teaches self-designed courses on software reverse engineering and assembly language programming. Wesley has a Ph.D. in Computer Science from Mississippi State University for his research in vulnerability analysis of SCADA HMI systems.



DCT - Friday - 12:00-12:45 PDT


Title: Ghost Calls: Abusing Web Conferencing for Covert Command & Control
When: Friday, Aug 8, 12:00 - 12:45 PDT
Where: LVCCWest-Level1-Hall3-Track 2 - Map

Description:

Red teams often struggle with interactive C2 in monitored networks. Low-and-slow channels are stealthy but insufficient for high-bandwidth tasks like SOCKS proxying, pivoting, or hidden VNC. Our research solves this by using real-time collaboration protocols—specifically, whitelisted media servers from services like Zoom—to create short-term, high-speed C2 channels that blend into normal enterprise traffic.

We introduce TURNt, an open-source tool that automates covert traffic routing via commonly trusted TURN servers. Since many enterprises whitelist these conferencing IPs and exempt them from TLS inspection, TURNt sessions look just like a legitimate Zoom meeting. Operators can maintain a persistent, stealthy channel while periodically activating higher-bandwidth interactivity for time-sensitive operations.

This talk will show how to set up these “ghost calls,” discuss the trade-offs and detection challenges, and explore defensive countermeasures. Attendees will learn how to integrate short-term, real-time C2 into existing red team workflows—and how to identify and mitigate this emerging threat.

SpeakerBio:  Adam "UNC1739" Crosser, Staff Security Engineer at Praetorian

Adam Crosser is a Staff Security Engineer at Praetorian, specializing in offensive security research and tooling development. He began his career in red team operations, honing his skills in adversary simulation and advanced attack techniques. Now part of the Praetorian Labs team, Adam focuses on vulnerability research, exploit development, and building custom offensive security capabilities to support red team engagements—pushing the boundaries of adversary tradecraft.



DCT - Friday - 12:30-13:15 PDT


Title: Ghosts in the Machine Check - Conjuring Hardware Failures for Cross-ring Privilege Escalation
When: Friday, Aug 8, 12:30 - 13:15 PDT
Where: LVCCWest-Level1-Hall3-Track 1 - Map

Description:

Catastrophic hardware failures. From an aging I/O device to cosmic ray bit flips, memory degradation to CPU fires. When an unrecoverable hardware error is detected, the common platform response is to generate a Machine Check Exception, and shut down before the problem gets worse.

In this talk, we'll see what happens when we circumvent all the traditional fail safes. What happens when, instead of exceptionally rare failures from natural causes, we deliberately create these fatal events from software. When instead of a platform shutdown, we force the system to limp along, damaged but alive. We'll show how carefully injecting these signals during privileged CPU operations can disrupt secure transitions, how those disruptions progress to cascading system failures, and how to ride the chaos to gain hardware privilege escalation. Finally, we'll see how to undo the damage, recover from the unrecoverable, and let the system continue as if nothing happened - now with a foothold in privileged space, all through hardware failure events synthesized through software-only attacks.

We'll conclude by showing how to use this vector to reveal all-new hardware vulnerabilities, and walk through a brave new world of machine check research opportunities - for both attackers and defenders - across technologies and architectures.

SpeakerBio:  Christopher "xoreaxeaxeax" Domas

Christopher Domas (@xoreaxeaxeax) is a security researcher primarily focused on firmware, hardware, and low level processor exploitation. He is best known for releasing impractical solutions to non-existent problems, including the world's first single instruction C compiler (M/o/Vfuscator), toolchains for generating images in program control flow graphs (REpsych), and Turing-machines in the vi text editor. His more relevant work includes the sandsifter processor fuzzer, rosenbridge backdoor, the binary visualization tool ..cantor.dust.., and the memory sinkhole privilege escalation exploit.



DL - Friday - 15:00-15:45 PDT


Title: GlytchC2 - Command Execution and Data Exfiltration of Any Kind Through Live Streaming Platforms
When: Friday, Aug 8, 15:00 - 15:45 PDT
Where: LVCCWest-Level2-W209 - Map

Description:

Glytch is a post-exploitation tool serving as a command-and-control and data exfiltration service. It creates a covert channel through the Twitch live streaming platform and lets attackers execute OS commands or exfiltrate data of any kind from the target computer, regardless of whether the computers are connected over a LAN or WAN.

Speakers:Anil Celik,Emre Odaman

SpeakerBio:  Anil Celik

Anil graduated as a computer engineer and is currently an MSc student in information security engineering. He has 5+ years of professional experience and is working as a cyber security engineer at HAVELSAN, primarily focused on red team engagements and purple teaming. He holds 5+ CVEs and has OSCP and OSWP certifications.

SpeakerBio:  Emre Odaman

Graduated as a Computer Engineer and working as a Cyber Security Engineer at HAVELSAN for the past 3 years, which is a major defense industry company in Türkiye. His main areas of interest are red teaming, network security, OT, IoT & hardware security.



RTV - Friday - 12:00-13:50 PDT


Title: GlytchC2: Command execution and data exfiltration of any kind through live streaming platforms
When: Friday, Aug 8, 12:00 - 13:50 PDT
Where: LVCCWest-Level1-Hall1-W405-Red Team Village/LVCC-L1-EHW1-405-Tactics 2 - Map

Description:

Glytch is a post-exploitation tool serving as a Command-and-Control (C2) & Data Exfiltration service.

It creates a covert channel through the Twitch live streaming platform and lets an attacker execute an OS command or exfiltrate data of any kind from the target computer (it does not matter whether the computers are connected over a LAN or WAN).

We have already submitted our tool for Demo Labs, and we are planning to share its development phase, ideas, and the challenges that we've faced.

https://github.com/ccelikanil/GlytchC2

Speakers:Anıl Çelik,Emre Odaman

SpeakerBio:  Anıl Çelik

Graduated as a Computer Engineer and currently an MSc student in Information Security Engineering. Has 5+ years of professional experience and is currently working as a Cyber Security Engineer at HAVELSAN, primarily focused on Red Team engagements & Purple Teaming. Holds 5+ CVEs and has OSCP & OSWP certifications.

SpeakerBio:  Emre Odaman

Graduated as a Computer Engineer and working as a Cyber Security Engineer at HAVELSAN for the past 3 years, which is a major defense industry company in Türkiye. His main areas of interest are red teaming, network security, OT, IoT & hardware security.



IOTV - Friday - 11:00-11:59 PDT


Title: Go Malware Meets IoT: Challenges, Blind Spots, and Botnets
When: Friday, Aug 8, 11:00 - 11:59 PDT
Where: LVCCWest-Level2-W233 - Map

Description:

Go malware is showing up more often, especially in IoT environments. Its flexibility and ease of cross-compilation make it attractive to attackers, but it also makes life harder for analysts and defenders. Go binaries are large, statically compiled, and structured in ways that traditional tools are not designed to handle. The runtime is unfamiliar, and things like string extraction, function identification, and behavior analysis can quickly become frustrating. This talk looks at why Go malware is hard to analyze and why some detection tools struggle to keep up. We will walk through practical tips and tools to make reversing Go malware more manageable, including how to recover types, strings, and function information. To tie everything together, we will look at a recent real-world example: Pumabot, a Go-based botnet targeting IoT surveillance devices. We will dig into how it works, what it targets, and what artifacts it leaves behind. By the end of the session, you will have a better understanding of how attackers are using Go in the wild and how to be better prepared for the next time it shows up in your analysis queue.

SpeakerBio:  Asher Davila, IoT, ICS/OT, and 5G malware research lead at Palo Alto Networks
No BIO available


MWV - Friday - 12:40-13:10 PDT


Title: Grandoreiro & friends: Brazilian banking trojans tour outside Latin America
When: Friday, Aug 8, 12:40 - 13:10 PDT
Where: LVCCWest-Level1-Hall1-W303 - Map

Description:
SpeakerBio:  Josep Albors
No BIO available


CRE - Friday - 15:30-15:59 PDT


Title: Grind vs Gleam: Building Reddit's DDoS Resilience
When: Friday, Aug 8, 15:30 - 15:59 PDT
Where: LVCCWest-Level1-Hall4-Communities-C105 - Map

Description:

Deep dive into build vs buy for DDoS Prevention tools

Speakers:Pratik Lotia,Spencer Koch

SpeakerBio:  Pratik Lotia, Reddit
No BIO available
SpeakerBio:  Spencer Koch
No BIO available


CON - Friday - 10:00-17:59 PDT


Title: Hac-Mac Contest Booth Open
When: Friday, Aug 8, 10:00 - 17:59 PDT
Where: LVCCWest-Level1-Hall1-W109 - Map

Description:

This Pac-Man themed set of challenges takes Players on a journey through learning and demonstrating hacker and information security skills to earn points. With multiple subject-matter specific challenge groups and tracks, this hacker challenge game has something for everyone. Players will only be able to turn in scavenger hunt items during Contest Area Operating Hours.



RTV - Friday - 14:00-14:50 PDT


Title: Hack the Clock: Automating CVE Exploit searches to save time, money, and not get bored.
When: Friday, Aug 8, 14:00 - 14:50 PDT
Where: LVCCWest-Level1-Hall1-W405-Red Team Village/LVCC-L1-EHW1-405-Track 1 - Map

Description:

In the fast-paced world of cybersecurity, time is of the essence. As vulnerabilities are discovered and threats evolve, the clock is always ticking, and staying ahead of exploits can feel like a race against time. Enter CVEpwn – an automation tool designed to streamline the search for CVE exploits across multiple platforms like GitHub, ExploitDB, and CXSecurity.

In this talk, we'll dive into the process of automating CVE exploit searches, demonstrating how CVEpwn cuts down on manual effort, accelerates response times, and enables faster vulnerability mitigation. By automating the search for CVE exploits using multiple platforms and APIs, this tool allows you to focus on what really matters: patching vulnerabilities before they get exploited.

SpeakerBio:  Jordan Bonagura

Jordan Bonagura is a senior security consultant for Secure Ideas. With more than 20 years of experience in information security, Jordan is passionate about helping companies and clients protect their data and applications from threats and vulnerabilities. As a principal security researcher, he led teams conducting vulnerability management, risk assessments, penetration tests, and boundary-setting to comply with standards for companies in different segments.

Jordan contributed to significant projects, such as developing an integrated GNSS positioning system and an encryption communication protocol between ground and satellite at the Brazilian National Institute of Space Research. He also had the opportunity to speak at some of the most important security conferences around the globe, be a college professor and course coordinator, and consult for the Brazilian police in crime solving.



TRN - Tuesday - 08:00-16:59 PDT


Title: Hack the Connected Plant!
When: Tuesday, Aug 12, 08:00 - 16:59 PDT
Where: LVCCWest - Map

Description:

Tired of legacy ICS systems? Attend this training to hack the next generation of Industrial Control Systems! No more Modbus, no more standard PLC, no more Purdue model!

This training is designed to show what the future might look like for Industrial Control Systems, and how it will impact cybersecurity.

We’ll bring a realistic ICS setup that features all the fancy current and future trends: SD-WAN and Zero Trust, OPC-UA, MQTT, Edge device and soft-PLCs to control a small-scale industrial process simulation.

The first day will be dedicated to introducing the new cybersecurity challenges faced by modern Industrial Control Systems, and doing hands-on exercises on AWS pentesting, soft-PLC exploitation

On the second day we’ll reflect on the updated threat models and then we’ll spend the full day working on a realistic Capture-the-Flag exercise, where we’ll have to go from 0 to impacting a small industrial setup. The CTF will be guided, with answers given on a regular basis, so that all attendees can capture all the flags. We’ll end this exciting day with the takeaways of the exercise, and what could be done to prevent & detect the attacks we performed.

SpeakerBio:  Arnaud Soullié, Senior Manager at Wavestone

Arnaud Soullié is a Senior Manager at Wavestone, a global consulting company. For 15 years, he has been performing security assessments and pentests on all types of targets. He started specializing in ICS cybersecurity 10 years ago. He has spoken at numerous security conferences on ICS topics, including: BlackHat Europe, BruCon, 4SICS, BSides Las Vegas, and DEFCON. He is also the creator of the DYODE project, an open source data diode aimed at ICS. He has taught ICS cybersecurity trainings since 2015.



TRN - Monday - 08:00-16:59 PDT


Title: Hack the Connected Plant!
When: Monday, Aug 11, 08:00 - 16:59 PDT
Where: LVCCWest - Map

Description:

Tired of legacy ICS systems? Attend this training to hack the next generation of Industrial Control Systems! No more Modbus, no more standard PLC, no more Purdue model!

This training is designed to show what the future might look like for Industrial Control Systems, and how it will impact cybersecurity.

We’ll bring a realistic ICS setup that features all the fancy current and future trends: SD-WAN and Zero Trust, OPC-UA, MQTT, Edge device and soft-PLCs to control a small-scale industrial process simulation.

The first day will be dedicated to introducing the new cybersecurity challenges faced by modern Industrial Control Systems, and doing hands-on exercises on AWS pentesting, soft-PLC exploitation

On the second day we’ll reflect on the updated threat models and then we’ll spend the full day working on a realistic Capture-the-Flag exercise, where we’ll have to go from 0 to impacting a small industrial setup. The CTF will be guided, with answers given on a regular basis, so that all attendees can capture all the flags. We’ll end this exciting day with the takeaways of the exercise, and what could be done to prevent & detect the attacks we performed.

SpeakerBio:  Arnaud Soullié, Senior Manager at Wavestone

Arnaud Soullié is a Senior Manager at Wavestone, a global consulting company. For 15 years, he has been performing security assessments and pentests on all types of targets. He started specializing in ICS cybersecurity 10 years ago. He has spoken at numerous security conferences on ICS topics, including: BlackHat Europe, BruCon, 4SICS, BSides Las Vegas, and DEFCON. He is also the creator of the DYODE project, an open source data diode aimed at ICS. He has taught ICS cybersecurity trainings since 2015.



CON - Friday - 20:00-21:59 PDT


Title: Hacker Jeopardy
When: Friday, Aug 8, 20:00 - 21:59 PDT
Where: Unknown

Description:

Have you ever wondered what would happen if you took ostensibly smart people, put them up on a stage, maybe provided a beer or two and started asking really tough technical questions like what port Telnet runs on? Well, wonder no more! Back to start its 31st year at Defcon, Hacker Jeopardy will have you laughing, groaning and wondering where all the brain cells have gone. So come share an evening of chanting DFIU followed immediately by someone FIU. This is a mature show, 18+.

Participant Prerequisites

None

Pre-Qualification

No



MISC - Friday - 19:00-01:59 PDT


Title: Hacker Karaoke
When: Friday, Aug 8, 19:00 - 01:59 PDT
Where: LVCCWest-Level2-W211-W212 - Map

Description:

Two great things that go great together! Join the fun as your fellow hackers make their way through songs from every era and style. Everyone has a voice and this is your opportunity to show it off! Everyone is encouraged to participate in a DEF CON tradition from all folks and skill levels.



CHV - Friday - 16:00-16:30 PDT


Title: Hacking a head unit with malicious PNG
When: Friday, Aug 8, 16:00 - 16:30 PDT
Where: LVCCWest-Level2-W228 - Map

Description:

In this talk, I reveal the discovery of a novel RTOS running on automotive head units, uncovered through hardware hacking and reverse engineering. This RTOS, found in thousands of vehicles, exhibits numerous bugs and intriguing functionalities. I demonstrate how a crafted PNG file was used as a backdoor to compromise the system, highlighting both the innovative features and critical vulnerabilities present in current automotive technologies.

SpeakerBio:  Danilo Erazo
No BIO available


PSV - Friday - 14:00-14:59 PDT


Title: Hacking Hotel Locks; The Saflok Vulnerabilities Expanded
When: Friday, Aug 8, 14:00 - 14:59 PDT
Where: LVCCWest-Level2-W229 - Map

Description:

Saflok locks are present in many hotels and apartments across North America. These locks rely on poorly-secured offline authentication mechanisms, leaving them vulnerable to attackers with basic knowledge about how the system operates. Following up on the initial "Unsaflok" presentation at DEF CON 32 by Lennert Wouters and Ian Carroll, this talk will touch on areas of the system not discussed in the original presentation, such as the handheld programmer, lock programming interface, clarity about the bit fields and unencrypted data in credentials, for yet another example of why you don't rely on security-through-obscurity for security products.

Speakers:Noah Holland,Josh Stiebel

SpeakerBio:  Noah Holland, Michigan Technological University (Student)

Noah Holland is a Cybersecurity Undergraduate at Michigan Tech. He is the president of the MTU Linux User's Group and MTU RedTeam, specializing in Access Control & Physical Security.

SpeakerBio:  Josh Stiebel

Josh Stiebel recently graduated with a CS degree from Michigan Tech. He helps run the access control village at various conventions. He is currently walking from Mexico to Canada on the PCT.



BBV - Friday - 16:30-16:59 PDT


Title: Hacking the Edge: Real-World ESI Injection Exploits
When: Friday, Aug 8, 16:30 - 16:59 PDT
Where: LVCCWest-Level3-W326 - Map

Description:

This talk provides a deep dive into Edge Side Includes (ESI) Injection, focusing on real-world findings and advanced exploitation techniques discovered during extensive testing on a private bug bounty program. While often associated with caching servers, ESI can become a potent vulnerability when user input is improperly handled.

SpeakerBio:  Robert "nytr0gen" Vulpe, Senior Security Engineer at UiPath

Robert Vulpe, also known as nytr0gen, is a Senior Security Engineer at UiPath. He is renowned for his expertise in cybersecurity, particularly in assessing product security through various penetration testing methodologies. With over 300 pentest assessments under his belt, Robert has identified and reported over 1500 security vulnerabilities in high-profile companies such as Amazon, PayPal, Goldman Sachs, and Epic Games.

His meticulous approach to security is evident in his detailed and professional reports. He is listed among PayPal's Top 10 Hackers and was selected for the prestigious Forbes 30 under 30 list for his outstanding achievements in cybersecurity. With more than 8 years of experience in source-code review, he possesses a keen eye for identifying code-level security flaws.



MHV - Friday - 17:30-17:59 PDT


Title: Hacking the Nautical Rules of the Road: Turn Left for Global Pwnage
When: Friday, Aug 8, 17:30 - 17:59 PDT
Where: LVCCWest-Level2-W229 - Map

Description:

As part of their training and certifications, most professional mariners memorize the ‘nautical rules of the road’. The International Regulations for Preventing Collisions at Sea (COLREGs) form the foundation of maritime safety by establishing predictable behaviors and shared responsibilities between vessels. This is a system with built-in protection and fall-back plans, tried and tested over a long history. But for hackers or cyber defenders—who might not know starboard from Starbucks—understanding these norms may mean the difference between big effect or no effect. Our talk focuses on one memorable guideline that ship drivers often fall back on: Don’t Turn To Port (unless you’re absolutely sure it’s safe). There is plenty of good research out there about how cyber-physical systems such as rudder angle controllers can be manipulated on manned and unmanned systems. There is good writing on the threats unique to maritime choke points. But agnostic to the location, why would cyber manipulation of a rudder to induce a port turn be worse than a starboard one? Our talk will touch briefly on how the rules influence legal liability for collisions at sea, and conclude with encouragement for people to learn the rules of the road and further their own journey in understanding the maritime profession.

Speakers:Amp,Data

SpeakerBio:  Amp, Co-Host of The Material Condition Podcast

AMP spent 10 years driving ships around the globe—now captains a CTF team instead. With an undergrad in electrical engineering and working on a master’s in info systems engineering, AMP made the jump from maritime grit to digital ops, bringing salty sea stories and a screwdriver to every hacking challenge. They’ve co-hosted episodes of Sea Control (CIMSEC) and The Yoke Report, poking at the strange edges of maritime security, cyber policy, and why everything breaks at 2 AM. Into hardware hacking, retro gaming, and running text-based RPGs.

SpeakerBio:  Data, Director of Cyber & Technology

data is a retired Air Force Cyber Warfare Officer with over 20 years of operational experience. He's a CNODP and RIOT grad with a Comp Sci BS from the USAF Academy and a Master's in Cyber Ops from the Air Force Institute of Technology. He's been certified in all 3 NSA Red Team work roles, all 3 offensive SIGINT work roles, qualified in all 6 Cybercom offensive work roles and personally engaged real-world, nation-state-level actors, malware and targets in air, land, sea, space & cyberspace both offensively and defensively. And he's done so with the US, UK, Canada, Australia and New Zealand. He also helped make those cool starship badges you've seen around DEFCON.



DCW - Friday - 14:00-17:59 PDT


Title: Hands-on Kubernetes Attack & Defense Masterclass
When: Friday, Aug 8, 14:00 - 17:59 PDT
Where: LVCCNorth-Level2-N255 - Map

Description:

Kubernetes has transformed how we deploy applications, but its complexity has created a new attack surface actively exploited by threats. This workshop delivers practical experience exploiting and defending against dangerous misconfigurations found in production environments.

Based on extensive research and the popular Kubernetes Goat platform, you'll work through realistic attack scenarios including privilege escalation, container escapes, lateral movement, and persistence techniques. For each vulnerability exploited, you'll implement corresponding defenses using Kubernetes-native controls.

Our pre-configured environment with vulnerable applications lets you focus on mastering both offensive and defensive techniques. You'll gain:

Whether securing Kubernetes or adding cloud-native exploitation to your skillset, this workshop delivers actionable knowledge through guided practice rather than abstract concepts.

SpeakerBio:  Madhu "madhuakula" Akula, Pragmatic Security Leader

Madhu Akula is a pragmatic security leader and creator of Kubernetes Goat, an intentionally vulnerable by design Kubernetes Cluster to learn and practice Kubernetes Security. He is also a published author and Cloud Native Security Architect with extensive experience, and an active member of the international security, DevOps, and Cloud Native communities (null, DevSecOps, AllDayDevOps, AWS, CNCF, USENIX, etc). He holds industry certifications like CKA (Certified Kubernetes Administrator), CKS (Certified Kubernetes Security Specialist), OSCP (Offensive Security Certified Professional), etc.

Madhu frequently speaks and runs training sessions at security events and conferences around the world including DEFCON 24, 26, 27, 28, 29 & 30, BlackHat 2018, 19, 21 & 22, USENIX LISA 2018, 19 & 21, SANS Cloud Security Summit 2021 & 2022, O’Reilly Velocity EU 2019, Github Satellite 2020, Appsec EU (2018, 19 & 22), All Day DevOps (2016, 17, 18, 19, 20 & 21), DevSecCon (London, Singapore, Boston), DevOpsDays India, c0c0n(2017, 18), Nullcon 2018, 19, 21 & 22, SACON, Serverless Summit, null and multiple others.

His research has identified vulnerabilities in 200+ companies and organizations, including Google, Microsoft, LinkedIn, eBay, AT&T, WordPress, NTOP, Adobe, etc., and he is credited with multiple CVEs, acknowledgements, and rewards. He is co-author of Security Automation with Ansible2 (ISBN-13: 978-1788394512), which is listed as a technical resource by Red Hat Ansible. He is the technical reviewer for the Learn Kubernetes Security and Practical Ansible2 books by Packt Pub. He also won 1st prize for building an Infrastructure Security Monitoring solution at the InMobi flagship hackathon among 100+ engineering teams.



- Friday - 13:15-13:59 PDT


Title: Hard Hat Brigade Creations Q&A
When: Friday, Aug 8, 13:15 - 13:59 PDT
Where: LVCCWest-Level2-W229 - Map

Description:

HHB goes over hard hats, construction, and all the hackery things people have done with them.

Speakers:MrBill,M0nkeyDrag0n,Hydrox,CoD_Segfault

SpeakerBio:  MrBill, Founder at Hard Hat Brigade
No BIO available
SpeakerBio:  M0nkeyDrag0n, Organizer at Hard Hat Brigade
No BIO available
SpeakerBio:  Hydrox, Organizer at Hard Hat Brigade
No BIO available
SpeakerBio:  CoD_Segfault, Organizer at Hard Hat Brigade
No BIO available


DL - Friday - 13:00-13:45 PDT


Title: Have I Been Ransomed?
When: Friday, Aug 8, 13:00 - 13:45 PDT
Where: LVCCWest-Level2-W209 - Map

Description:

Have I Been Ransomed? is a specialized security service, akin to Have I Been Pwned, designed to detect personal data exposure specifically from ransomware leaks. As ransomware attacks increasingly involve data theft and public dumping, individuals need a way to check if their personally identifiable information has been compromised. Our platform goes beyond standard database checks by processing a wide array of leaked file types, including PDFs, documents, and text files. We employ advanced optical character recognition coupled with sophisticated large language models to meticulously scan unstructured data and extract sensitive identifiers such as national ID cards, driver’s licenses, and social security numbers. Have I Been Ransomed? provides critical awareness, empowering users to discover if their sensitive information has been exposed in a ransomware incident and enabling them to take proactive steps against potential identity theft and fraud.

SpeakerBio:  Juanma "M4C" Tejada

Juanma is a telecommunications engineer with a profound passion for drone technology and the complexities of hacking. His journey into the cybersecurity realm began unconventionally. Initial explorations through various online forums, driven by early curiosities, unexpectedly ignited a deep interest in the mechanics of data leaks, system breaches, and the evolving tactics of ransomware groups. This non-traditional path provided firsthand exposure to the cyber underground, equipping him with practical, real-world insights into attacker motivations and methodologies. This unique background grants him a grounded perspective, making him well-qualified to discuss the practical applications and implications within the current cybersecurity landscape.



BHV - Friday - 17:30-17:59 PDT


Title: How AI + Hardware can Transform Point-of-Care Workflows
When: Friday, Aug 8, 17:30 - 17:59 PDT
Where: LVCCWest-Level2-W232 - Map

Description:

The bio/medical industry creates huge amounts of data: vital-sign streams, imaging, clinician notes. Knowledge-base requirements are very heavy, so a little help from a specialized LLM can boost productivity a lot. Our new layered technology accomplishes just this.

Hardware layer: A customized CM5 board, an RP2040 co-processor, and a sunlight-readable E-ink display strike the sweet spot: an LLM runs entirely on-device, plus many other transcription models and TTS models.

Software layer: Our “MCP Hub” turns plain-language requests like “track heart rate every five minutes” into a reliable data log, even when Wi-Fi is down. With the help of AI coding, any sensor can start to work within 5 min.

SpeakerBio:  PamirAI

Kevin & Tianqi are veteran engineers from Microsoft Surface devices and Qualcomm’s efficient-AI, miniaturizing enterprise-grade inference into badge-sized hardware. They designed the hardware and software of distiller, and its enclosure, to squeeze 3-billion-parameter language models into a 10-Watt, pocket-safe form factor, giving clinicians instant, private access to AI reasoning right at the bedside.



CHV - Friday - 12:30-12:59 PDT


Title: How API flaws led to admin access to over 1,000 USA dealers and control over your car
When: Friday, Aug 8, 12:30 - 12:59 PDT
Where: LVCCWest-Level2-W231 - Map

Description:

Many automotive dealers in the USA utilize centralized platforms for everything from sales to service to marketing. The interconnectivity of various systems makes things easy to manage, but also exposes certain risks should any of these systems have a vulnerability. API flaws were discovered in a top automaker's dealer platform that enabled the creation of a national admin account. With that level of access, being able to remotely take over your car was only the tip of the iceberg…

SpeakerBio:  Eaton Zveare, Senior Security Research Engineer at Traceable by Harness

Eaton is a senior security research engineer at Traceable by Harness. As a member of the ASPEN Labs team, he has contributed to the security of some of the world's largest organizations by finding and responsibly disclosing many critical vulnerabilities. He is best known for his high-profile security disclosures in the automotive space.



DCT - Friday - 16:30-17:15 PDT


Title: HTTP/1.1 Must Die! The Desync Endgame
When: Friday, Aug 8, 16:30 - 17:15 PDT
Where: LVCCWest-Level1-Hall3-Track 1 - Map

Description:

Some people think the days of critical HTTP request smuggling attacks on hardened targets have passed. Unfortunately, this is an illusion propped up by wafer-thin mitigations that collapse as soon as you apply a little creativity.

In this session, I'll introduce multiple new classes of desync attack, enabling mass compromise of user credentials across hundreds of targets including tech giants, SaaS providers, and CDNs, with one unplanned collaboration yielding over $100,000 in bug bounties in two weeks.

I'll also share the research methodology and open-source toolkit that made this possible, replacing outdated probes with focused analysis that reveals each target's unique weak spots. This strategy creates an avalanche of desync research leads, yielding results ranging from entire new attack classes, down to exotic implementation flaws that dump server memory heartbleed-style. You'll witness attacks meticulously crafted from theoretical foundations alongside accidental exploits with a root cause so incomprehensible, the developers ended up even more confused than me.

You'll leave this talk equipped with everything you need to join me in the desync research endgame: the mission to kill HTTP/1.

SpeakerBio:  James "albinowax" Kettle

James 'albinowax' Kettle is the Director of Research at PortSwigger, the makers of Burp Suite. He's best-known for pioneering novel web attack techniques, and publishing them at major conferences like DEF CON and Black Hat USA, at which he's presented for eight consecutive years. His most impactful research is HTTP Desync Attacks, which popularised HTTP Request Smuggling. Other popular attack techniques that can be traced back to his research include web cache poisoning, the single-packet attack, server-side template injection, and password reset poisoning.

He also loves exploring innovative tool concepts for security professionals, many of which have since become industry standard. Examples include introducing OAST via Burp Collaborator, bulk parameter discovery via Param Miner, billion-request attacks with Turbo Intruder, and human-style scanning with Backslash Powered Scanner. He's also the designer behind many of the topics and labs that make up the Web Security Academy.



ICSV - Friday - 10:30-10:59 PDT


Title: Hull Integrity: Applying MOSAICS to Naval Mission Systems
When: Friday, Aug 8, 10:30 - 10:59 PDT
Where: LVCCWest-Level2-W229 - Map

Description:

As the lines between IT and operational technology continue to blur, our Naval fleet faces a growing attack surface from propulsion and power to weapons and control systems. Enter MOSAICS Block 1, a Department of Defense framework for operational technology security to ensure real-time monitoring, safe active asset discovery, and behavioral threat detection tailored for mission-critical ICS. In this session, we will walk through how MOSAICS is being applied to Naval mission systems, highlighting Department of the Navy use cases. We will break down the reference architecture and offer candid insights on adapting this framework to protect legacy systems at sea without compromising lethality. This talk is for ICS defenders, red teamers, and cyber policy leaders who want a front-row view into how the Department of the Navy is operationalizing OT security at scale.

SpeakerBio:  Michael Frank

Mr. Michael Frank is currently serving as the Deputy Chief Technology Officer for the Department of the Navy, responsible for identifying and assessing emerging technology. Prior to this role, Mr. Frank was a Principal with the Boston Consulting Group, helping public and private organizations solve technology related problems. Mr. Frank is also an Officer in the Marine Reserves, currently leading the Cybersecurity portfolio for the Marine Innovation Unit. He has served as the Red Cell lead for Exercise Cyber Yankee for the last five years. Mr. Frank holds an MS in Information Security from Carnegie Mellon University, an MBA from the Darden School of Business, and a BA in Accounting from Washington and Jefferson College.



MISC - Friday - 08:00-18:59 PDT


Title: Human Registration Open
When: Friday, Aug 8, 08:00 - 18:59 PDT
Where: LVCCWest - Map

Description:

Our human registration process this year will be very similar to previous years. Please be patient. All of the times listed here are approximate.

Basics

Who needs a badge?

A badge is required for each human age 8 and older.

Human?

You are a human if you do not know otherwise. People who are not humans include goons, official speakers, village/community/contest/creator staff, press, black badge holders, or similar. If you are not a human, you need to register separately. If you don't know how, see an NFO goon (NFO Node, formerly known as an infobooth, is where you can get help). The remainder of this message applies only to humans.

Lines? Linecon?

Linecon is your optional opportunity to stand (or sit) in line for human registration to open. Doors will open for linecon on Wednesday at approximately 17:00. When human registration opens on Thursday at approximately 08:00, they start working the linecon queue, and the line will start moving quickly. (Please understand that we will begin processing the line on Thursday morning as soon as the cashiers and materials are in place; we will strive for Thursday 08:00, but actual start may be slightly earlier or later.)

Online badge purchase (aka pre-registration) has no impact on linecon. You can join the line on Wednesday (if you wish) regardless of whether you purchased a badge online or intend to pay with cash. There is only one linecon for both types of badge sales.

Please help us make this a great experience for everyone by following directions given by goons. After human registration opens, there may be one line for all of registration, or there may be two lines (one for online sales (pre-registration) and one for cash sales). This may also change over time, based on available staffing and necessary crowd control. We will strive to make it easily understandable in-person as to which line you should join.

Ways to buy a badge

Online Purchase

You will be emailed a QR code to the email address provided when you bought your badge. Please guard that QR code as though it is cash -- it can only be redeemed once, and anyone can redeem it if they have it (including a photo of it). Badges are picked-up on-site -- they will not be mailed or shipped.

We can scan the QR code either from your phone's display or from a printed copy. You must have the QR code with you in order to obtain your badge. As you approach the front of the line, if you are going to show your QR code on an electronic device, please ensure that your display is set to maximum brightness.

If you pre-registered, but ultimately are unable to attend DEF CON and want to cancel your purchase, the only way to get a refund is from the original online source. We are unable to provide any refunds on-site at DEF CON. There is a fee to have your badge canceled: $34 before July 18, and $84 on and after July 18.

Online purchases are provided a receipt via email when the purchase is made.

Online purchase -- often referred to as pre-registration -- does not allow you to skip any line/queue to pick up your badge. Once you arrive on-site, you will need to join the existing line for human registration. There may or may not be a dedicated line for pre-registration badge pickup, depending on when you arrive, how long the line is, available staff, etc.

Cash Purchase

Badges will be available for purchase on-site at DEF CON. All badge sales are cash only. No checks, money orders, credit cards, etc., will be accepted. In order to keep the registration line moving as quickly as possible, please have exact change ready as you near the front of the line.

There are no refunds given for cash sales. If you have any doubt about your desire to buy a badge, please refrain from doing so.

We are unable to provide printed receipts at the time of the sale. A generic receipt for the cash sale of a badge will be made available on media.defcon.org after the conference. You are welcome to print your own copy of the receipt on plain paper.

Via BlackHat

If you attend BlackHat, it is possible to purchase a DEF CON badge with your BlackHat registration. If you did so, please get your DEF CON badge from BlackHat before they close.

BlackHat should send you an email with instructions for how to obtain your DEF CON badge. In case you missed it, you can go to the second floor, at the concierge desk, halfway down Black Hat Blvd.

Misc

Want to buy multiple badges? No problem! We're happy to sell you however many badges you want to pay for.

If you lose your badge, there is unfortunately no way for us to replace it. You'll have to buy a replacement at full price. Please don't lose your badge. :(

If you are being accompanied by a full-time caretaker (such as someone who will push your wheelchair, and will accompany you at all times), please ask to speak to a Registration Goon. Your caretaker will receive a paper badge that will permit them to accompany you everywhere you go.

Still need help?

If you have questions about anything regarding human registration that are not addressed here, please ask to speak to a Registration Goon.



RTV - Friday - 15:00-15:50 PDT


Title: Hybrid Attack
When: Friday, Aug 8, 15:00 - 15:50 PDT
Where: LVCCWest-Level1-Hall1-W405-Red Team Village/LVCC-L1-EHW1-405-Track 1 - Map

Description:

This workshop will provide an in-depth, practical demonstration of how real-world Red Team operations are conducted, focusing on the physical aspect of intrusion. We will walk through the entire lifecycle of an engagement, from intelligence gathering and planning to execution and exfiltration.

Unlike operations in other regions, this case study is set in a Brazilian environment, where high crime rates, armed security, and unpredictable urban risks add a unique layer of complexity to physical Red Team engagements. Security personnel in Brazil often rely on physical force and firearms rather than solely procedural measures, making adversarial simulation far more challenging and dangerous.

This session aims to expose security professionals to the often-overlooked risks posed by hybrid attacks and demonstrate why organizations—especially in high-risk regions—must integrate physical security, cybersecurity, and situational awareness to build a comprehensive defense strategy against evolving threats.

Due to high crime rates and frequent security threats, Brazilian companies must adopt stricter policies and proactive security measures to mitigate risks. The increasing sophistication of both criminal organizations and Red Team adversaries forces companies to rethink their physical and cybersecurity defenses, imposing more restrictive controls, robust employee training, and continuous security assessments to ensure resilience against real-world hybrid threats.

Participants will gain insights into advanced Red Team techniques used to bypass security controls, leveraging real-world tactics such as social engineering, badge cloning, physical intrusion, and covert device placement, all while considering the unique security landscape of Brazil. Through a detailed case study, we will showcase how an operation successfully led to the extraction of a sensitive financial document and the installation of a rogue device—in an environment where the risk of exposure carries real-world consequences beyond mere detection.

SpeakerBio:  Jonathan Coradi

Jonathan Coradi works as a RedTeam Operator at Hakai Security and has over 7 years of experience in cybersecurity, working as an Offsec Leader in several companies in the industrial, financial and banking sectors in Brazil, focusing on penetration testing, Red Team operations, and physical operations. He also works as a BugHunter, ranking Top 1 on the Bug Bounty platform BugHunt, in addition to finding vulnerabilities in Microsoft, Uber, Mercado Livre, among others.



SEV - Friday - 12:00-13:30 PDT


Title: Improv
When: Friday, Aug 8, 12:00 - 13:30 PDT
Where: LVCCWest-Level3-W317-W319 - Map

Description:

Ready to think on your feet? Join Bryan and Kevin with our bite-sized improv showdown - jump in with activities that sharpen your social engineering chops (or just kick back and enjoy the laughs).



SEV - Friday - 15:30-15:59 PDT


Title: Improv
When: Friday, Aug 8, 15:30 - 15:59 PDT
Where: LVCCWest-Level3-W317-W319 - Map

Description:

Jump into our lightning improv session - 30 minutes of quick-fire skits to keep your social-engineer reflexes razor-sharp!



DCT - Friday - 16:00-16:45 PDT


Title: Infecting the Boot to Own the Kernel: Bootkits and Rootkits Development
When: Friday, Aug 8, 16:00 - 16:45 PDT
Where: LVCCWest-Level1-Hall3-Track 3 - Map

Description:

Bootkits and Rootkits represent some of the most complex and stealthy forms of malware, capable of achieving full system control before and after the OS is loaded. While often discussed in theory, their actual construction, interaction, and execution flow remain mostly hidden from public view. This talk sheds light on how these implants are built and how their components interact across boot stages and kernel space.

We'll explore the internals of a fully functional UEFI Bootkit and Kernel-mode Rootkit, examining their modular design, runtime interactions, and the mechanisms used to hook critical parts of the Windows boot chain. Attendees will see how these implants operate across pre-boot and post-boot phases, including early internet connectivity from firmware, dynamic payload delivery, runtime service hooking, deep kernel control, and advanced capabilities like hiding files, processes, and network activity, blocking traffic, capturing keystrokes, and maintaining command and control directly from kernel space.

Everything shown on stage will be yours to explore: a complete Bootkit and Rootkit framework, fully customizable and ready to simulate real threats, test defenses, or build something even stealthier.

Speakers:Alejandro "TheMalwareGuardian" Vazquez,Maria "drkrysSrng" San Jose

SpeakerBio:  Alejandro "TheMalwareGuardian" Vazquez

Alejandro Vázquez Vázquez is a security researcher and Red Team Operator with deep expertise in Windows Internals, malware development, and advanced threat emulation. He is one of the few professionals who has publicly presented live bootkit and rootkit development, including real-world demos and open-source examples such as Abyss and Benthic.

He has been behind some of the most hands-on offensive projects out there: crafting custom malware for Red Team ops, deploying stealthy UEFI implants for long-term persistence, developing real OT honeypots to lure attackers targeting critical infrastructure, building AI-powered frameworks that automate and scale pentest workflows, and designing platforms to hunt and profile ransomware groups.

By day, he conducts offensive security operations while also serving as an instructor in several master's degrees, teaching malware analysis, exploit development, bootkits, and rootkits to the next generation of cybersecurity professionals. By night, he writes implants that play nice with modern security mechanisms. From pre-boot to the kernel, if it runs low enough, he wants to control it. And if it's undocumented, even better.

He doesn't just give talks. He builds the tools, shares the code, and gives you the full presentation, so you can run it yourself and teach others.

SpeakerBio:  Maria "drkrysSrng" San Jose

Maria is a cybersecurity specialist working for the Guardia Civil, Spain's national military police force. She has served in some of the most specialized cyber units within the organization, including the Cyberterrorism Group and, currently, the Cybercrime Department of the Central Operative Unit (UCO), where she focuses on cybercrime investigations and threat intelligence.

Before joining the Guardia Civil, Maria built a strong foundation as a software engineer, contributing to flight simulation systems for major air navigation entities such as ENAIRE (AENA) and ROMATSA (Romania).

Outside her official duties, she is passionate about malware analysis and reverse engineering, dedicating personal time to studying advanced threats and attack techniques. Her combined experience in software development and threat investigation gives her a unique, well-rounded perspective on both offensive and defensive security.



RTV - Friday - 14:00-15:50 PDT


Title: Initial Access Tactics on MacOS
When: Friday, Aug 8, 14:00 - 15:50 PDT
Where: LVCCWest-Level1-Hall1-W405-Red Team Village/LVCC-L1-EHW1-405-Tactics 1 - Map

Description:

In this tactic section, attendees will get to experiment with highly custom initial access payloads and the controls they are meant to bypass on MacOS. Attendees will be able to pick the tactics they want to run based on their experience. We plan on setting up the following tactics:

Beginner:
- Creating a simple pkg w/ pre and post install scripts
- Creating an Application Bundle w/ installer guide to get around Gatekeeper
- Creating a simple Configuration Profile to disable Gatekeeper

Intermediate:
- Using an Application bundle to register and abuse existing URI handlers
- Abusing xcode URI handler to gain code execution
- Creating a pkg to over-write managed preferences and install a malicious browser extension

Advanced:
- Compiling and embedding Mythic poseidon implant as a Shared Library to get around EDRs
- Creating a MacOS VM to receive MDM config from a DEP enrolled device

Speakers:Adwiteeya Agrawal,Jianqiang (Stark) Li

SpeakerBio:  Adwiteeya Agrawal

Adwiteeya Agrawal currently works as an Offensive Security Engineer for a tech company in California. Adwiteeya has worked on several internal Red Teams and currently focuses on MacOS Security, Cloud Security and Purple Teaming. Adwiteeya graduated from Carnegie Mellon University with a Masters in Information Security and is passionate about all things security.

SpeakerBio:  Jianqiang (Stark) Li

Stark is working @Snap as a red teamer.



DCT - Friday - 11:00-11:45 PDT


Title: Inside Look at a Chinese Operational Relay Network
When: Friday, Aug 8, 11:00 - 11:45 PDT
Where: LVCCWest-Level1-Hall3-Track 5 - Map

Description:

Operational relay box (ORB) networks are used by hackers to obscure their true origin, effectively turning a network of computers into their own private TOR network. This talk is an inside look at a relay network we believe to be based in the People’s Republic of China based entirely on public data we stumbled upon. It will contain an unprecedented level of detail into the specific tools, networks, and development techniques used to create and operate an ORB network.

If you’re a cloud provider trying to stop this type of abuse, a defender trying to understand how to detect when a relay is being used, or a wanna-be attacker, this is the talk for you. We name the cloud providers, data storage systems, software tools, domain names, email addresses, and passwords that they use to create, maintain, and operate their network.

Speakers:Michael "mtu" Torres,Zane "earl" Hoffman

SpeakerBio:  Michael "mtu" Torres

mtu, otherwise known as Michael Torres, is a security engineer focused on detecting bad things at scale. Michael is also a Staff Sergeant in the United States Marine Corps Reserve, where he has been responsible for planning and conducting both offensive and defensive cyber operations. He likes to learn new stuff, then share it to benefit others, and is an active volunteer for VetSec (veteransec.org), a charity focused on helping military veterans have successful careers in cybersecurity.

SpeakerBio:  Zane "earl" Hoffman

Earf, also known as Zane, is a DevOps Engineer that does vulnerability research in his free time. Zane recently left active duty as a U.S. Marine, where he did vulnerability research and tool development full time. He is also a certified airplane seamstress, qualified to operate industrial sewing machines to maintain aircraft equipment. He likes to hike, climb rocks, and tear apart devices with his hot air gun, soldering machine, and funny looking glasses.



DCW - Friday - 09:00-12:59 PDT


Title: Inside the Threat: Designing and Deploying Malicious Browser Extensions to Understand Their Risk
When: Friday, Aug 8, 09:00 - 12:59 PDT
Where: LVCCNorth-Level2-N256 - Map

Description:

Browser extensions have quietly become one of the most underappreciated attack surfaces. While marketed as productivity enhancers, many of these extensions operate with elevated privileges that rival native malware in terms of access to sensitive user and organizational data.

This hands-on workshop takes a deep dive into how browser extensions operate under the hood and exposes how easily legitimate APIs can be weaponized to exfiltrate credentials, hijack sessions, monitor user behavior, and leak sensitive corporate information. By reverse-engineering real-world extension behavior and building functioning proof-of-concept (PoC) malicious extensions, participants will gain a direct understanding of the risks these extensions pose.

Through practical exercises, participants will:
- Learn the browser extension architecture and permission model
- Examine key APIs commonly misused for surveillance or data theft
- Build PoC malicious extensions that exfiltrate session cookies, read passwords, record keystrokes, capture DOM content, and more
- Analyze techniques for stealth, obfuscation, and evasion
- Explore detection blind spots in endpoint and SSE security tools
- Review mitigation strategies and enterprise hardening recommendations

Speakers:Or Eshed,Aviad Gispan

SpeakerBio:  Or Eshed, CEO at LayerX Security

Or Eshed is CEO and co-founder at LayerX Security. Prior to founding LayerX, Or worked for 12 years as a cybersecurity and OPSEC expert at ABN AMRO Bank, Otorio, and Check Point, where he led the takedown of the world's largest browser hijacking operation with over 50M browsers compromised, and his work led to the arrest of more than 15 threat actors. Or also has an MSc in Applied Economics from the Hebrew University of Jerusalem.

SpeakerBio:  Aviad Gispan, Senior Researcher at LayerX Security

Aviad Gispan is a Senior Researcher at LayerX Security, with over a decade of experience in browser security, JavaScript, and frontend architecture. He develops sandbox technologies to detect malicious extensions and researches advanced techniques to strengthen browser-based protection. Previously, Aviad led innovation in Proofpoint’s Web Isolation group, focusing on performance optimization and resource efficiency.



RTV - Friday - 12:00-15:50 PDT


Title: Instant API Hacker!
When: Friday, Aug 8, 12:00 - 15:50 PDT
Where: LVCCWest-Level1-Hall1-W405-Red Team Village/LVCC-L1-EHW1-405-Tactics 3 - Map

Description:

In this rapid-fire, hands-on tactic, you'll go from zero to hacking your first API in 20 minutes! Find and exploit common REST API vulnerabilities in real-time. No prior hacking experience? No problem! APIs are a great first vector to begin your hacking journey. This workshop is designed for beginners who want quick, practical insights—and some fun along the way.

SpeakerBio:  Corey Ball

Corey Ball is the founder and CEO of hAPI Labs, where he provides penetration testing services. He is the author of Hacking APIs, founder of APIsec University, and has over fifteen years of experience working in IT and cybersecurity. Corey holds the OSCP, CCISO, CISSP, and several other industry certifications.



PAYV - Friday - 10:15-10:30 PDT


Title: Intro to village
When: Friday, Aug 8, 10:15 - 10:30 PDT
Where: LVCCWest-Level1-Hall2-W505 - Map

Description:
SpeakerBio:  Leigh-Anne Galloway
No BIO available


CRE - Friday - 14:45-15:30 PDT


Title: Introduction of Loong Community & Financial Identity crime (deepfake) regulation of different jurisdictions
When: Friday, Aug 8, 14:45 - 15:30 PDT
Where: LVCCWest-Level1-Hall4-Communities-C105 - Map

Description:

The rapid advancement of deepfake technology, powered by generative adversarial networks (GANs), has revolutionized creative industries but poses significant challenges to global financial security through identity fraud. This study examines the legal and regulatory frameworks addressing deepfake-enabled financial crimes in the UK, EU, and Asia, highlighting the growing sophistication of such fraud, exemplified by a 2024 case in Hong Kong where cybercriminals used deepfake video conferencing to defraud a multinational company of $25 million. Employing a comparative legal analysis and case study approach, this research evaluates the effectiveness of existing regulations, identifies enforcement challenges, and analyzes real-world cases to expose legal gaps. Findings reveal that while China has implemented specific deepfake regulations, the UK, EU, and Hong Kong rely on broader fraud and data protection laws, lacking targeted provisions. These inconsistencies hinder prosecution and cross-jurisdictional cooperation. The study proposes balanced regulatory strategies to combat deepfake-enabled financial fraud while fostering AI innovation, offering critical insights for policymakers, legal practitioners, and financial institutions navigating this evolving threat landscape.

Speakers:Noel Wong,KC Wong

SpeakerBio:  Noel Wong

Noel is a postgraduate student pursuing a Master's degree at UCL, majoring in cybercrime.

SpeakerBio:  KC Wong, Hardware Ninja

hardware.ninja is an independent security researcher. He focuses on hardware security research, penetration testing, incident response and digital forensics analysis. He was the first and the only Asian leading a group of white-hat hackers to hold an in-depth, hands-on hardware hacking village at BLACK HAT and DEFCON. He is also a frequent speaker and trainer at different top-notch security and forensics conferences including SANS, HTCIA, DFRWS, GCC, CodeBlue, HITB, SINCON, AVTokyo and HITCON.



DCW - Friday - 09:00-12:59 PDT


Title: Introduction to Cryptographic Attacks
When: Friday, Aug 8, 09:00 - 12:59 PDT
Where: LVCCNorth-Level2-N255 - Map

Description:

Using cryptography is often a subtle practice and mistakes can result in significant vulnerabilities. This workshop will cover many of these vulnerabilities which have shown up in the real world, including CVE-2020-0601. This will be a hands-on workshop where you will implement the attacks after each one is explained. I will provide a VM with a tool written in Python to execute the attacks. A good way to determine if this workshop is for you is to look at the challenges at cryptopals.com and see if those look interesting, but you could use in-person help understanding the attacks. While not a strict subset of those challenges, there is significant overlap. The exercises will range from decrypting ciphertext to recovering private keys from public key attacks, allowing us to create TLS cert private key and SSH private key files.

SpeakerBio:  Matt Cheung

Matt Cheung started developing his interest in cryptography during an internship in 2011. He worked on implementation of a secure multi-party protocol by adding elliptic curve support to an existing secure text pattern matching protocol. Implementation weaknesses were not a priority and this concerned Matt. This concern prompted him to learn about cryptographic attacks from Dan Boneh's crypto 1 course offered on Coursera and the Matasano/cryptopals challenges. From this experience he has given workshops at the Boston Application Security Conference, BSidesLV, DEF CON, and the Crypto and Privacy Village. He now serves on the programming committee of the Crypto and Privacy Village.



PGE - Friday - 21:00-23:59 PDT


Title: IoT Village 10th Birthday Party
When: Friday, Aug 8, 21:00 - 23:59 PDT
Where: LVCCWest-Level2-W233 - Map

Description:

IoT Village is turning 10! Join us for a celebration of 10 years of hacking all of the things at DEF CON. Stop by for birthday cake, exclusive stickers, prizes and giveaways, and did we mention cake?



MWV - Friday - 12:00-12:30 PDT


Title: KeePass, weaponized
When: Friday, Aug 8, 12:00 - 12:30 PDT
Where: LVCCWest-Level1-Hall1-W303 - Map

Description:
SpeakerBio:  Juho Jauhiainen
No BIO available


DCT - Friday - 16:30-16:50 PDT


Title: Killing Killnet
When: Friday, Aug 8, 16:30 - 16:50 PDT
Where: LVCCWest-Level1-Hall3-Track 5 - Map

Description:

Killnet built its reputation as a decentralized Russian hacktivist force - loud, chaotic, and conveniently aligned with Kremlin objectives. But under the surface, it was something else entirely: a centralized operation controlled by a small group, using noise and hate as cover.

This is the inside story of how a team of just nine people delivered a kill shot to destroy this illusion.

Through targeted investigation and direct engagement, we exposed Killnet’s critical weakness: a financial link to Solaris, at that time, one of Russia’s largest dark web drug markets. By publicly tying their operations to organized cybercrime - we disrupted their narrative, broke internal trust, and triggered full collapse. The result? Loss of state support, severed financial channels, and a rapid implosion of the group’s infrastructure.

We’ll walk through how we tracked Killnet’s leadership, exposed its frontman “KillMilk,” and uncovered the criminal network behind the public facade. Along the way, you’ll get a firsthand look at the real tactics - OSINT, infiltration, pressure points - that brought down one of the most visible cyber collectives.

This isn’t just a postmortem. It’s a case study in strategic disruption, showing how small teams can go head-to-head with well-funded adversaries - and win.

SpeakerBio:  Alex Holden

Alex Holden is the founder and CISO of Hold Security, LLC. Under his leadership, Hold Security played a pivotal role in information security and threat intelligence, becoming one of the most recognizable names in its field. Mr. Holden researches minds and techniques of cyber criminals and helps our society to build better defenses against cyber-attacks.



CON - Friday - 12:00-16:59 PDT


Title: Kubernetes Learning CTF (Non-competitive) w/ Support
When: Friday, Aug 8, 12:00 - 16:59 PDT
Where: LVCCWest-Level1-Hall1-W103 - Map

Description:

On Friday through Sunday, we have a non-competitive learning run, where you can go through the Kubernetes CTF scenario from a previous year. It has an available "cheat sheet" that shows you how to run through, start to finish! You can do this without the "cheat sheet" if you want a puzzle.

Each team/individual gets a Kubernetes cluster that contains a set of flags.

This is open to up to 30 teams and is available from Friday 12pm to Sunday 12pm Pacific.

We will support DEF CON players in the contest area during the following times:
- Friday: 12:00-17:00
- Saturday: 10:00-17:00
- Sunday: 10:00-12:00



PGE - Friday - 18:00-20:59 PDT


Title: Lawyers Meet
When: Friday, Aug 8, 18:00 - 20:59 PDT
Where: LVCCWest-Level2-W209 - Map

Description:

If you're a lawyer (recently unfrozen or otherwise), a judge or a law student please make a note to join Jeff McNamara for a friendly get-together, drinks, and conversation.



RTV - Friday - 14:00-14:50 PDT


Title: Leveraging AI and MCP Servers for Automated External Attack Surface Testing
When: Friday, Aug 8, 14:00 - 14:50 PDT
Where: LVCCWest-Level1-Hall1-W405-Red Team Village/LVCC-L1-EHW1-405-Track 2 - Map

Description:

This talk dives into how Artificial Intelligence (AI) combined with Model Context Protocol (MCP) can revolutionize external attack surface testing. Attendees will learn repeatable, low-effort techniques to identify exposed assets, prioritize risks, and automate vulnerability discovery using AI-driven insights.

SpeakerBio:  Shane Krause

Shane Krause is a 25-year-old cybersecurity professional who broke into offensive security two years ago, fueled by a lifelong passion for technology and problem-solving. As a penetration tester, Shane Krause enjoys identifying vulnerabilities, simulating real-world attacks, and helping organizations strengthen their defenses. Outside of work, Shane Krause is an avid gamer who values connecting with others in the cybersecurity community and sharing knowledge to grow together in the field.



DL - Friday - 13:00-13:45 PDT


Title: Lex Sleuther
When: Friday, Aug 8, 13:00 - 13:45 PDT
Where: LVCCWest-Level2-W210 - Map

Description:

Lex Sleuther is an internal tool developed at CrowdStrike for detecting the script language of an unknown text file based purely on its contents. We derive a novel approach using lexer generators and ridge regression and develop the solution as a compact Rust binary with Python bindings. We compare our solution to the current state of the art and present CrowdStrike’s own findings of relative efficacy in the field. Lex Sleuther has been recently open sourced for everybody to use.

SpeakerBio:  Aaron "KNOX" James

Aaron has been the tooling guy for over 13 years, when he first wrote hacks for his favorite games. He still writes hacking tools, but now for security companies.



- Friday - 10:00-11:59 PDT


Title: LHC Capture the Flag
When: Friday, Aug 8, 10:00 - 11:59 PDT
Where: LVCCWest-Level2-W201-W202 - Map

Description:

Capture the flag for beginners to advanced.



- Friday - 10:00-10:59 PDT


Title: LHC First Time DEF CON Meetup
When: Friday, Aug 8, 10:00 - 10:59 PDT
Where: LVCCWest-Level2-W201-W202 - Map

Description:

First time attending DEF CON? If so, stop by our meetup to meet like-minded people who are also coming for the first time, by themselves or with friends, and find people to attend talks, villages, workshops, etc. with!



MISC - Wednesday - 17:00-07:59 PDT


Title: Linecon
When: Wednesday, Aug 6, 17:00 - 07:59 PDT
Where: LVCCWest - Map

Description:

Linecon is your optional opportunity to stand (or sit) in line for human registration to open. Doors will open for linecon on Wednesday at approximately 17:00. When human registration opens on Thursday at approximately 08:00, they start working the linecon queue, and the line will start moving quickly. (Please understand that we will begin processing the line on Thursday morning as soon as the cashiers and materials are in place; we will strive for Thursday 08:00, but actual start may be slightly earlier or later.)

Online badge purchase (aka pre-registration) has no impact on linecon. You can join the line on Wednesday (if you wish) regardless of whether you purchased a badge online or intend to pay with cash. There is only one linecon for both types of badge sales.

Please help us make this a great experience for everyone by following directions given by goons. After human registration opens, there may be one line for all of registration, or there may be two lines (one for online sales (pre-registration) and one for cash sales). This may also change over time, based on available staffing and necessary crowd control. We will strive to make it easily understandable in-person as to which line you should join.

Please also review the "Human Registration Open" event, and familiarize yourself with the important notes therein.



ICSV - Friday - 15:30-15:59 PDT


Title: Locked Down, Not Locked Out: How I Escaped Your Secure Operator Workstation
When: Friday, Aug 8, 15:30 - 15:59 PDT
Where: LVCCWest-Level2-W229 - Map

Description:

Organizations across industries rely on "locked down" operator workstations to protect critical systems, but how secure are they really? As a penetration tester, I’ve put these defenses to the test across multiple verticals, using only the tools and permissions available to a standard operator account and on that local machine. Time and time again, despite variations in vendor solutions and industry-specific constraints, I found common weaknesses that allowed me to break out, escalate privileges, and compromise the system—often without triggering alerts.

This talk dives into the recurring security flaws that make these workstations vulnerable, from misconfigurations and weak application controls to a commonly overlooked "living off the land" technique. I’ll walk through real-world breakout scenarios, demonstrating how attackers exploit these weaknesses. But it’s not just about breaking out—I'll also cover practical, vendor-agnostic defenses to harden operator workstations against these attacks. Whether you’re a defender, engineer, or just curious, you’ll leave with a better understanding of the risks and how to make the attacker's job that much harder.

SpeakerBio:  Aaron Boyd

Aaron Boyd is an experienced OT Cybersecurity Generalist with over 10 years of experience in conducting penetration testing, vulnerability assessments, and threat hunting within complex OT/ICS infrastructures and applications in many different verticals. He is passionate about ensuring robust protection for critical infrastructure and firmly believes in focusing on real security improvements rather than just checking compliance boxes.



MISC - Friday - 10:00-01:59 PDT


Title: Lost & Found
When: Friday, Aug 8, 10:00 - 01:59 PDT
Where: LVCCWest - Map

Description:

If you find something that seems to have been lost, please take that item to the nearest NFO Node. The item will enter the DEF CON Lost & Found system.

If you've lost something, the only way to check on it (or reclaim it) is by going to the Lost & Found department yourself. The Lost & Found department is in room LVCC - L2 - W238. You may also call Lost & Found at +1 (702) 477-5019.

The Lost & Found department plans to be open Thursday - Saturday, during all hours that the conference operates. On Sunday, the Lost & Found department will open with the venue at 08:00, but will close at the beginning of DEF CON 33 Closing Ceremonies (15:00). Shortly thereafter, all remaining lost items will be transferred to the LVCC. If you need to reach LVCC's Lost & Found, you may call LVCC Dispatch at +1 (702) 892-7400.



MWV - Friday - 10:40-11:10 PDT


Title: Malware Matryoshka: Nested Obfuscation Techniques
When: Friday, Aug 8, 10:40 - 11:10 PDT
Where: LVCCWest-Level1-Hall1-W303 - Map

Description:
SpeakerBio:  Brian Baskin
No BIO available


DCT - Friday - 15:30-16:15 PDT


Title: Mastering Apple's Endpoint Security for Advanced macOS Malware Detection
When: Friday, Aug 8, 15:30 - 16:15 PDT
Where: LVCCWest-Level1-Hall3-Track 1 - Map

Description:

Five years after Apple radically empowered third-party security developers on macOS with the introduction of Endpoint Security, most developers grasp its fundamentals, but subtle nuances remain, and advanced features are still underutilized. And as the framework continues to evolve, even experienced developers can struggle to keep pace with its rapidly expanding capabilities.

This talk explores critical areas that frequently trip up developers, such as caching behaviors and authorization deadlines, before diving into Endpoint Security’s more advanced features like mute inversions. We'll also cover recently introduced capabilities, including the long-awaited TCC event monitoring, which offer unprecedented visibility into permission-related activity often targeted by malware.

Each topic will include practical code examples, demonstrated and validated against sophisticated macOS malware.

Join us to move beyond the basics and unlock the full power of Apple's Endpoint Security framework.

SpeakerBio:  Patrick Wardle

Patrick Wardle is the founder of the Objective-See Foundation, the CEO/Cofounder of DoubleYou, and the author of "The Art of Mac Malware" book series. Having worked at NASA and the NSA, as well as presenting at countless security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Passionate about macOS security, Patrick spends his days discovering Apple 0days, studying macOS malware, and releasing free open-source security tools to protect Mac users.



DCW - Friday - 09:00-12:59 PDT


Title: Medical Device Hacking: 201
When: Friday, Aug 8, 09:00 - 12:59 PDT
Where: LVCCNorth-Level2-N260 - Map

Description:

This hands-on course provides an in-depth exploration of Medical Device Penetration Testing, equipping security professionals with the skills to identify and exploit vulnerabilities in medical technologies. Participants will engage in practical exercises covering device board analysis and attacks, external network threats, bypassing kiosk controls, Windows and Linux post-exploitation techniques, and execution restriction bypasses. By leveraging real-world scenarios, this course ensures a comprehensive understanding of modern security risks and defense strategies in medical environments.

Speakers:Michael "v3ga" Aguilar,Alex "cheet" Delifer

SpeakerBio:  Michael "v3ga" Aguilar, Principal Consultant at Sophos Red Team

Michael Aguilar (v3ga) is a Principal Consultant for Sophos Red Team. He leads efforts in Medical Device testing, Adversarial Simulations, Physical Security assessments, Network testing and more. Currently, he has 8 CVE vulnerabilities aligned with security issues located during testing at DEF CON's Biohacking Village Device Lab. He has also led the winning team of the DEF CON Biohacking Village CTF for two consecutive years.

SpeakerBio:  Alex "cheet" Delifer

A seasoned medical device red team hacker with nearly a decade in the trenches, Alex Delifer (cheet) breaks stuff so others can sleep at night. He operates out of an unnamed medtech company, where he regularly tears through embedded systems, surgical robots, industrial controllers, APIs, and BIOS firmware like it’s target practice. A Biohacking Village Capture the Flag Champion at DEF CON, he’s known in some circles as the medical device testing sledgehammer—swinging hard, finding the flaws others miss, and leaving no UART unturned.



CRE - Friday - 10:00-17:59 PDT


Title: Memorial Chamber Open
When: Friday, Aug 8, 10:00 - 17:59 PDT
Where: LVCCWest-Level3-W302 - Map

Description:

The DEF CON Memorial Chamber serves as a sacred space within our community — a place where we pause to honor those hackers whose brilliance and dedication have elevated not just our craft, but the entire security ecosystem. Here we remember figures whose generous spirit and willingness to coordinate security fixes demonstrated that true hacking greatness lies in collaboration. We are here because DEF CON has been the beating heart of the hacker community for over three decades, growing from 100 people in 1993 to the world's largest hacker conference. As Jeff Moss envisioned, DEF CON is what we make of it; this memorial space represents our commitment to ensuring that the legacy of those we've lost continues to inspire future generations of hackers to pursue knowledge, build community, and use their gifts to make the world better.



DL - Friday - 13:00-13:45 PDT


Title: Messenger - Proxies Here There and Everywhere
When: Friday, Aug 8, 13:00 - 13:45 PDT
Where: LVCCWest-Level2-W211 - Map

Description:

Proxies, along with local, reverse, and dynamic forwards, enable red teams to maintain persistent access and move laterally within target environments. By combining these techniques, operators can construct sophisticated attack chains that enable deep network access through multiple segmented environments. This presentation will dive into the setup, usage, and attacker techniques required to be effective with proxies. To demonstrate these techniques, the presenters will use a publicly available tunneling toolkit, Messenger.

Speakers:Skyler Knecht,Kevin Clark

SpeakerBio:  Skyler Knecht

Skyler is a Senior Security consultant at SpecterOps, where he performs security assessments for Fortune 500 organizations. With over six years of experience, he focuses on initial access research and contributes to the security community through open-source development and conference presentations. Skyler has presented at DEF CON and BSides and actively collaborates on open-source projects such as Messenger, Ek47, Connect, and Metasploit. He also conducts vulnerability research, having discovered multiple zero-day vulnerabilities in enterprise software.

SpeakerBio:  Kevin Clark, Red Team Instructor at BC Security

Kevin Clark is a Security Consultant with TrustedSec and a Red Team Instructor with BC Security, with a diverse background in software development, penetration testing, and offensive security operations. Kevin specializes in initial access techniques and Active Directory exploitation. He has contributed to open-source projects such as PowerShell Empire and developed custom security toolkits, including Badrats and Ek47. A skilled trainer and speaker, Kevin has delivered talks and conducted training sessions all over the country at cybersecurity conferences, including Black Hat and DEF CON, and authors a cybersecurity blog at https://henpeebin.com/kevin/blog.



DL - Friday - 14:00-14:45 PDT


Title: Metasploit's Latest Attack Capability and Workflow Improvements
When: Friday, Aug 8, 14:00 - 14:45 PDT
Where: LVCCWest-Level2-W208 - Map

Description:

Metasploit continues to expand support for Active Directory Certificate Services attacks, as well as its protocol relaying capability and attack workflows for evergreen vulnerabilities. This year, we added support for SMB-to-LDAP relaying and SMB-to-HTTP relaying, as well as support to identify and exploit a number of AD CS flaws. We’ve also added the new PoolParty process injection capability to Windows Meterpreter sessions, along with support for System Center Configuration Manager attack workflows.

Speakers:Spencer "ZeroSteiner" McIntyre,Jack Heysel

SpeakerBio:  Spencer "ZeroSteiner" McIntyre

Spencer is a senior security research manager at Rapid7, where he works on the Metasploit Framework. He has been contributing to Metasploit since 2010, a committer since 2014, and a core team member at Rapid7 since 2019. Previously, he worked at a consulting firm working with clients from various industries, including healthcare, energy, and manufacturing. He is an avid open source contributor and Python enthusiast.

SpeakerBio:  Jack Heysel

Jack is a senior security researcher at Rapid7, where he contributes to and helps maintain the Metasploit Framework. He started at Rapid7 in 2016 working on their vulnerability management solution. He transitioned to the Metasploit team in 2021 and has been happily writing and reviewing exploits ever since. While AFK, he enjoys exploring the mountains and outdoors that surround his home.



DDV - Friday - 15:00-15:59 PDT


Title: MFT2: More Fungible Threats
When: Friday, Aug 8, 15:00 - 15:59 PDT
Where: LVCCWest-Level2-W225 - Map

Description:

Distributed data replication systems are more than just tools for redundancy—they’re fertile ground for creative abuse. In this talk, we explore how technologies like NFTs, IPFS, Codex, and Cloudflare R2 can become resilient C2 infrastructures, payload delivery systems, and phishing hosting that challenge takedown efforts. Welcome to the next phase of decentralized threats.

This sequel to “MFT: Malicious Fungible Tokens” explores how distributed data replication systems can be used for malicious purposes. We’ll demonstrate how technologies like Codex, WhenFS, IPFS, and Cloudflare R2 buckets can store and distribute C2 commands, payloads, and even phishing campaigns such as templates or client-side drainers. These systems enable infrastructures that are resistant to takedowns and, in some cases, nearly unstoppable. Through practical examples and live demonstrations, we’ll uncover the risks these systems pose and discuss their implications for security teams.

This talk is a continuation of "Everything is a C2 if you're brave enough" from Red Team Village and "MFT: Malicious Fungible Tokens" from Adversary Village, which explains how to turn NFTs into immortal C2 Servers. You do not need to have attended these talks, as a short recap will be featured.

Speakers:Mauro Eldritch,Nelson Colón

SpeakerBio:  Mauro Eldritch
No BIO available
SpeakerBio:  Nelson Colón
No BIO available


RTV - Friday - 11:00-11:50 PDT


Title: Mind vs. Machine: Finding the Sweet Spot in Modern Red Teaming
When: Friday, Aug 8, 11:00 - 11:50 PDT
Where: LVCCWest-Level1-Hall1-W405-Red Team Village/LVCC-L1-EHW1-405-Track 1 - Map

Description:

This panel discusses how teams use both automated tools and human thinking in red team operations. We'll talk about when automated tools work best, when human skills matter most, and how best to combine both approaches. Our panelists will share examples from their work showing the strengths and weaknesses of these approaches. Join us to learn practical ways to combine technology with human expertise for better red team engagements.

Speakers:Ben "nahamsec" Sadeghipour,Ryan "0day" Montgomery,Tyler Ramsbey,William Giles

SpeakerBio:  Ben "nahamsec" Sadeghipour, Co-Founder & CEO at HackingHub

Ben Sadeghipour, better known as NahamSec, is an ethical hacker, content creator, and keynote speaker. Over his career, Ben has uncovered thousands of security vulnerabilities for major organizations, including Amazon, Apple, Zoom, Meta, Google, and the U.S. Department of Defense. As a top-ranked bug bounty hunter, he is deeply passionate about cybersecurity education, regularly sharing his knowledge through his popular YouTube channel and speaking at major conferences like DEFCON and BSides. Beyond his personal achievements, Ben is committed to building the security community, organizing events that foster collaboration, innovation, and the next generation of offensive security professionals.

SpeakerBio:  Ryan "0day" Montgomery
No BIO available
SpeakerBio:  Tyler Ramsbey
No BIO available
SpeakerBio:  William Giles

William (Billy) Giles is an Offensive Security leader and practitioner who specializes in red/purple teaming, adversary emulation, and network penetration testing. With a deep passion for understanding and simulating adversary behaviors, he helps organizations across a multitude of industries assess their security postures, identify and remediate vulnerabilities, and build stronger defenses by thinking like an attacker.



CHV - Friday - 14:30-14:59 PDT


Title: Modern Odometer Manipulation
When: Friday, Aug 8, 14:30 - 14:59 PDT
Where: LVCCWest-Level2-W231 - Map

Description:

while reading some automotive forums online, i stumbled upon an odometer manipulation device which claims to support 53 different car brands. curious, i purchase this tool with the sole intent of reverse engineering it. i tear down the hardware involved, explain how it is designed to be installed between the instrument panel cluster and the rest of the vehicle and use an open source exploit to extract the internal flash from the locked STM32. next, i explain the process of reverse engineering the extracted binary to find how the device is rewriting can messages to manipulate the odometer value. finally, i explain why odometer manipulation is an issue and share an example of how use of this device can potentially be detected after removal.

Speakers:collin,oblivion

SpeakerBio:  collin
No BIO available
SpeakerBio:  oblivion
No BIO available


RTV - Friday - 14:00-14:50 PDT


Title: ModuleOverride – Changing a Tyre Whilst Driving
When: Friday, Aug 8, 14:00 - 14:50 PDT
Where: LVCCWest-Level1-Hall1-W405-Red Team Village/LVCC-L1-EHW1-405-Track 3 - Map

Description:

This hands-on workshop introduces ModuleOverride, a novel technique for process injection, enabling the reuse of existing memory sections to inject and execute malicious shellcode within running Windows processes.

Participants will explore key challenges in security research and development, examining how certain constraints in shellcode generation—such as the inability to specify an exit function—can drive creative solutions, like dynamically patching shellcode within an active process during injection.

Attendees will engage in live demonstrations and interactive exercises, gaining first-hand experience as we walk through the final phase of the research, tackling technical hurdles encountered during development to ensure a successful process injection.

We’ll also hold an open discussion on detection strategies, encouraging participants to brainstorm and explore possible ways to identify ModuleOverride.

Speakers:Alessandro Grisa,Ibai Castells

SpeakerBio:  Alessandro Grisa

Alessandro Grisa is a member of CovertSwarm's Red Team Hive, focusing on malware development and exploring Windows internals. He also has a passion for hardware hacking and enjoys reverse engineering embedded devices. In his spare time, he plays the drums, plays tennis and spends time in the mountains.

SpeakerBio:  Ibai Castells

Red Teamer and offensive security nerd obsessed with AD exploits, privilege escalation, and building custom offensive tooling.



ASV - Friday - 17:00-17:30 PDT


Title: Moonlight Defender - Purple Teaming in Space!
When: Friday, Aug 8, 17:00 - 17:30 PDT
Where: LVCCWest-Level2-W228 - Map

Description:

The Moonlight Defender purple team exercise series provides a low-cost, modular, and scalable exercise framework for realistic space-cyber training—even in environments with restricted access, limited visibility, and contested information flows.

Designed and run by The Aerospace Corporation, MITRE, and AFRL, these exercises integrate purple teaming methodologies, enabling offensive and defensive cyber operators to refine their Tactics, Techniques, and Procedures (TTPs) in a high-fidelity, live-fire setting.

Moonlight Defender 1 (MD1) leveraged the Moonlighter satellite and Aerospace’s Dark Sky cyber range to train operators in adversarial emulation, space asset defense, and real-world cyber ops under extreme constraints. Building on this, Moonlight Defender 2 (MD2) introduced virtual satellite simulators, ICS/OT systems, and enterprise environments, pushing the limits of how we access and test cyber defenses in space-based systems.

These exercises broke down traditional silos and operationalized space hacking, proving that security through obscurity fails in space just as it does on Earth. Attendees will get a behind-the-scenes look at real-world space-cyber exercises, from attack chain development to defense strategy refinement, all within the context of operating under limited access and denied environments. Expect insights into methodologies, tools, lessons learned, and how the hacker community can shape the future of space-cyber operations.

SpeakerBio:  Ben Hawkins, The Aerospace Corporation
No BIO available


PAYV - Friday - 11:00-11:59 PDT


Title: More is less
When: Friday, Aug 8, 11:00 - 11:59 PDT
Where: LVCCWest-Level2-W229 - Map

Description:

How extra features in Contactless Payments break Security



DL - Friday - 14:00-14:45 PDT


Title: MPIT - Matrix Prompt Injection Tool and ShinoLLMApps
When: Friday, Aug 8, 14:00 - 14:45 PDT
Where: LVCCWest-Level2-W209 - Map

Description:

Prompt injection is an emerging and poorly standardized attack vector targeting large language model applications. Unlike traditional vulnerabilities, there is no universal testing methodology or tooling, making it difficult for penetration testers to assess the security posture of LLM-integrated systems. Matrix Prompt Injection Tool aims to fill this gap by automating the generation of diverse prompt injection payloads.

[1] Dynamic Input Detection: MPIT scans target websites to identify expected input fields where LLMs might process user requests.
[2] Payload Enrichment: Each pattern includes crafted elements such as exploit strings, delimiters, and reasoning cues, enhancing the quality of the penetration test.
[3] Genetic Algorithm Optimization: The tool employs a genetic algorithm to evolve and refine injection patterns, increasing their success rate significantly across different LLM defenses.
[4] Practical Utility for Pentesters: MPIT is designed to support real-world offensive security assessments, making LLM-targeted testing more feasible and effective.

ShinoLLMApps is a collection of vulnerable LLM web applications that use RAG and tools to help you test MPIT and better understand prompt injection and its risks. More info at github.com/Sh1n0g1/mpit and shinohack.me/shinollmapp.

Speakers:Shota "Sh1n0g1" Shinogi,Sasuke "Element138" Kondo

SpeakerBio:  Shota "Sh1n0g1" Shinogi

Shota is a security researcher at Macnica, pentest tools author, and CTF organizer. He is an expert in writing tools for red teams to evade detection by EDR, sandbox, IPS, antivirus, and other security solutions. His malware simulators ShinoBOT and ShinoLocker contribute to the cybersecurity industry by helping people who want to test malware safely. He has more than 15 years of experience in the cybersecurity industry, starting his career with HDD encryption, NAC, IPS, WAF, sandbox, EDR, and penetration testing. He has spoken at several security and hacking conferences, including Black Hat, DEF CON, and BSidesLV. He also contributes to the education of the next generation of security engineers through the Security Camp in Japan, consecutively since 2015.

SpeakerBio:  Sasuke "Element138" Kondo

Sasuke is a high school developer with a growing focus on LLM security. While relatively new to cybersecurity, he approaches it with a builder’s mindset shaped by his experience creating web applications for real-world use, such as supporting school operations. His interest in LLM vulnerabilities began at the 2024 Japan Security Camp, where he started developing MPIT, the prompt injector he first presented at CODE BLUE 2024 and is now bringing to DEF CON. Outside cybersecurity, he is a two-time silver medalist in Japan Linguistics Olympiad and a recent participant in Japan Olympiad in AI.



DL - Friday - 14:00-14:45 PDT


Title: Nebula - 4 Years and Still Kicking *aaS
When: Friday, Aug 8, 14:00 - 14:45 PDT
Where: LVCCWest-Level2-W210 - Map

Description:

Cloud penetration testing has become a hot topic in the offensive community, as cloud-based infrastructures have been slowly taking the place on-prem ones used to have. This requires a tool to help with it. Nebula is a cloud pentest framework, which offers reconnaissance, enumeration, exploitation, and post-exploitation on AWS, Azure, and DigitalOcean, and above all the opportunity to extend it even more. It is built modularly for each provider and each attack, allowing for diversity in attack surface. This, coupled with the client-server architecture, allows for a collaborative team assessment of a hybrid cloud environment.

SpeakerBio:  Bleon "Gl4ssesbo1" Proko

Bleon is an infosec passionate about infrastructure penetration testing and security, including Active Directory, cloud (AWS, Azure, GCP, Digital Ocean), hybrid infrastructures, as well as defense, detection, and threat hunting. He has presented topics related to cloud penetration testing and security at conferences like Black Hat USA, Europe, and Sector, DEF CON, SANS Pentest Hackfest Hollywood and Amsterdam, as well as several BSides in the USA and Europe. His research includes Nebula, a cloud penetration testing framework and other blogs, which you can also find on his blog; blog.pepperclipp.com. He is also the author of YetiHunter and DetentionDodger; github.com/permiso-io-tools. He is also the author of the upcoming book Deep Dive into Clouded Waters: An Overview in Digital Ocean's Pentest and Security; leanpub.com/deep-dive-into-clouded-waters-an-overview-in-digitaloceans-pentest-and-security.



PAYV - Friday - 16:00-16:30 PDT


Title: Network tokens
When: Friday, Aug 8, 16:00 - 16:30 PDT
Where: LVCCWest-Level1-Hall2-W505 - Map

Description:

Why network tokens are more secure than PAN

SpeakerBio:  Sanjeev Sharma
No BIO available


IOTV - Friday - 11:45-12:30 PDT


Title: Never enough about cameras - The firmware encryption keys hidden under the rug
When: Friday, Aug 8, 11:45 - 12:30 PDT
Where: LVCCWest-Level2-W232 - Map

Description:

This talk covers RCEs on multiple popular Dahua perimeter cameras with a potential resounding impact on retail, banking, traffic and other infrastructure

SpeakerBio:  Alexandru Lazar, Security Researcher at Bitdefender
No BIO available


DCT - Friday - 10:30-11:15 PDT


Title: No VPN Needed? Cryptographic Attacks Against the OPC UA Protocol
When: Friday, Aug 8, 10:30 - 11:15 PDT
Where: LVCCWest-Level1-Hall3-Track 4 - Map

Description:

OPC UA is a standardized communication protocol that is widely used in the areas of industrial automation and IoT. It is used within and between OT networks, but also as a bridge between IT and OT environments or to connect field systems with the cloud. Traditionally, VPN tunnels are used to secure connections between OT trust zones (especially when they cross the internet), but this is often considered not to be necessary when using OPC UA because the protocol offers its own cryptographic authentication and transport security layer.

This makes OPC UA a valuable target for attackers, because if they could hijack an OPC UA server they might be able to wreak havoc on whatever industrial systems are controlled by it.

I decided to take a look at the cryptography used by the protocol, and managed to identify two protocol flaws which I could turn into practical authentication bypass attacks that worked against various implementations and configurations. These attacks involve signing oracles, signature spoofing padding oracles and turning "RSA-ECB" into a "timing side channel amplifier".

In this talk, I will explore the protocols and the issues I identified, as well as the process of turning two theoretical crypto flaws into highly practical exploits.

SpeakerBio:  Tom Tervoort

Tom Tervoort is a Principal Security Specialist for Secura, a security company based in the Netherlands. Tom regularly performs network pentests, web/mobile application assessments, as well as code, configuration and design reviews for large Dutch companies and institutions. Tom's primary areas of interest include cryptographic protocols and cryptography engineering, advanced web attacks and Windows AD pentesting. Besides doing security assessments, Tom also develops and gives cryptography and secure programming courses to software developers. In December 2020, Tom won a Pwnie award for Best Cryptographic Attack, due to his discovery of the Zerologon vulnerability. Tom has spoken at various conferences, including Black Hat USA 2021 and 2023, Black Hat Europe 2022 and ONE Conference 2021.



MWV - Friday - 15:10-15:40 PDT


Title: North Korea's Fur Shop: Poaching for Otters, Beavers, Ferrets and Capybaras
When: Friday, Aug 8, 15:10 - 15:40 PDT
Where: LVCCWest-Level1-Hall1-W303 - Map

Description:
Speakers:Mauro Eldritch,José Gómez

SpeakerBio:  Mauro Eldritch
No BIO available
SpeakerBio:  José Gómez
No BIO available


DL - Friday - 14:00-14:45 PDT


Title: nRootTag - Exploiting Find My and Transforming Computers Into Unauthorized Trackers
When: Friday, Aug 8, 14:00 - 14:45 PDT
Where: LVCCWest-Level2-W211 - Map

Description:

Apple Find My is a crowdsourced offline tracking network designed to assist in recovering lost devices while maintaining privacy. By leveraging over a billion active Apple devices, it has become the world's largest device-locating network. While prior research has demonstrated the possibility of creating DIY trackers that attach to the Find My network, they are mainly for personal use and do not pose a threat for remote attacks. Recently, we found an implementation error in the Find My network that makes it vulnerable to brute-force and rainbow table attacks. With a cost of a few US dollars, the exploit turns computers into trackers without requiring root privileges. We are concerned that adversaries and intelligence agencies would find this exploit handy for user profiling, surveillance, and stalking. This demo is especially appealing to those interested in Find My network and Bluetooth tracking technologies. We will review how Find My offline finding works, elaborate in detail about our discoveries, techniques to make practical attacks, and provide source code for fun.

Speakers:Junming "Chapoly1305" Chen,Qiang Zeng

SpeakerBio:  Junming "Chapoly1305" Chen

Junming is a PhD student at George Mason University. He works on IoT security and was previously a full-time security engineer in the electric automotive industry. He has a CompTIA Security+ certificate like everybody. He supports the Rizin Reverse Engineering Framework. This will be his first time presenting at DEF CON.

SpeakerBio:  Qiang Zeng

Qiang received his bachelor's and master's degrees from Beihang University and his PhD degree from Penn State University. He is an associate professor in the Department of Computer Science with George Mason University. He is the recipient of an NSF CAREER Award. His main research interest is computer systems security, with a focus on cyber-physical systems, Internet of Things, and mobile computing. He also works on adversarial machine learning.



BBV - Friday - 12:00-12:59 PDT


Title: Nuclei: Beyond The Basic Templates
When: Friday, Aug 8, 12:00 - 12:59 PDT
Where: LVCCWest-Level3-W326 - Map

Description:

Nuclei has become a game-changing tool for hackers worldwide, transforming how we discover vulnerabilities and hack at scale. This workshop explores why Nuclei is dominating the bug bounty scene and how it's evolving the art of automated hacking. We'll dive into how this open-source powerhouse lets hackers scan thousands of targets, write custom templates, and find bugs that automated scanners miss.

Speakers:Ben "nahamsec" Sadeghipour,Adam "BuildHackSecure" Langley

SpeakerBio:  Ben "nahamsec" Sadeghipour, Co-Founder & CEO at HackingHub

Ben Sadeghipour, better known as NahamSec, is an ethical hacker, content creator, and keynote speaker. Over his career, Ben has uncovered thousands of security vulnerabilities for major organizations, including Amazon, Apple, Zoom, Meta, Google, and the U.S. Department of Defense. As a top-ranked bug bounty hunter, he is deeply passionate about cybersecurity education, regularly sharing his knowledge through his popular YouTube channel and speaking at major conferences like DEFCON and BSides. Beyond his personal achievements, Ben is committed to building the security community, organizing events that foster collaboration, innovation, and the next generation of offensive security professionals.

SpeakerBio:  Adam "BuildHackSecure" Langley, CTO at HackingHub

For over 20 years, Adam has balanced the worlds of application security and web development. He currently serves as the CTO of HackingHub and the Director of BSides Exeter. Over the past five years, he has combined his expertise to create and deliver gamified educational content, aimed at teaching the next generation of ethical hackers and developers about web application security.



DL - Friday - 14:00-14:45 PDT


Title: OAuthSeeker
When: Friday, Aug 8, 14:00 - 14:45 PDT
Where: LVCCWest-Level2-W212 - Map

Description:

OAuthSeeker is a cutting-edge red team tool designed to simulate OAuth phishing attacks, specifically targeting Microsoft Azure and Office365 users. This tool facilitates the creation, management, and execution of phishing campaigns without requiring advanced technical skills. By leveraging malicious OAuth applications, OAuthSeeker allows offensive security engineers to perform targeted phishing attacks to compromise user identities and gain access to Microsoft Graph API and Azure resources. With features like an administrative control panel, token refresh capabilities, and customizable skins for user-facing components, OAuthSeeker provides an effective solution for testing security defenses against a common but often overlooked attack vector. The tool is easy to deploy with only a single pre-compiled Go binary with zero external dependencies and includes built-in support for LetsEncrypt. The documentation is highly detailed and outlines all the possible attack paths where this capability could be used during real-world red team engagements. The installation process is streamlined requiring only a single command to deploy a new instance of the application.

SpeakerBio:  Adam "UNC1739" Crosser, Staff Security Engineer at Praetorian

Adam Crosser is a Staff Security Engineer at Praetorian, specializing in offensive security research and tooling development. He began his career in red team operations, honing his skills in adversary simulation and advanced attack techniques. Now part of the Praetorian Labs team, Adam focuses on vulnerability research, exploit development, and building custom offensive security capabilities to support red team engagements—pushing the boundaries of adversary tradecraft.



DCW - Friday - 14:00-17:59 PDT


Title: Obfuscation Reloaded: Modern Techniques for Evading Detection
When: Friday, Aug 8, 14:00 - 17:59 PDT
Where: LVCCNorth-Level2-N257 - Map

Description:

As defenders evolve with more sophisticated detection strategies, red teamers must innovate to remain effective. This intermediate hands-on workshop delves into modern obfuscation techniques, bypass strategies, and OPSEC considerations that reflect the current threat landscape. Participants will explore how Microsoft's Antimalware Scan Interface (AMSI), Defender, and Event Tracing for Windows (ETW) are being leveraged by defenders and how to navigate around them.

You'll walk away with an understanding of the real-world effectiveness of techniques like string encryption, runtime compilation, sandbox evasion, and how minimalistic evasion ("least obfuscation") helps evade both machine learning and heuristic-based detections. Attendees will use PowerShell, C#, and open-source tooling to build and test evasive payloads in a lab setting.

In this workshop, attendees will:

1. Learn to identify and break static and dynamic detection signatures.
2. Employ least-obfuscation strategies and runtime evasion.
3. Build AMSI and ETW bypasses using up-to-date PowerShell and C# techniques.
4. Understand P/Invoke and API hooking.
5. Evaluate how defenders log and detect activity and design code to stay under the radar.

Speakers:Jake "Hubble" Krasnov,Vincent "Vinnybod" Rose,Gannon "Dorf" Gebauer,Rey "Privesc" Bango

SpeakerBio:  Jake "Hubble" Krasnov, Red Team Operations Lead and Chief Executive Officer at BC Security

Jake "Hubble" Krasnov is the Red Team Operations Lead and Chief Executive Officer of BC Security, with a distinguished career spanning engineering and cybersecurity. A U.S. Air Force veteran, Jake began his career as an Astronautical Engineer, overseeing rocket modifications, leading test and evaluation efforts for the F-22, and conducting red team operations with the 57th Information Aggressors. He later served as a Senior Manager at Boeing Phantom Works, where he focused on aviation and space defense projects. A seasoned speaker and trainer, Jake has presented at conferences including DEF CON, Black Hat, HackRedCon, HackSpaceCon, and HackMiami.

SpeakerBio:  Vincent "Vinnybod" Rose, Confluent

Vincent "Vinnybod" Rose is the Lead Developer for Empire and Starkiller. He is a software engineer with a decade of expertise in building highly scalable cloud services, improving developer operations, and automation. Recently, his focus has been on the reliability and stability of the Empire C2 server. Vinnybod has presented at Black Hat and has taught courses at DEF CON on Red Teaming and Offensive PowerShell. He currently maintains a cybersecurity blog focused on offensive security at https://www.bc-security.org/blog/.

SpeakerBio:  Gannon "Dorf" Gebauer

Gannon "Dorf" Gebauer is a Security Consultant and Tool Developer at BC Security, specializing in threat intelligence, embedded system testing, and automation for range deployments. He has led teams through CyberPatriot, the USAF CTF that challenges participants in both defensive and offensive capabilities. Gannon is also an accomplished speaker and trainer, having delivered talks and training sessions at Black Hat, DEF CON, and Texas Cyber Summit.

SpeakerBio:  Rey "Privesc" Bango, Security Consultant at BC Security

Rey "Privesc" Bango is a Principal Cloud Advocate at Microsoft and a Security Consultant specializing in red teaming at BC Security. At Microsoft, he focuses on empowering organizations to leverage transformative technologies such as Artificial Intelligence and Machine Learning, prioritizing trust, security, and responsible use. He is an experienced trainer and speaker, presenting and teaching at cybersecurity conferences, including Black Hat and DEF CON. His work continues to bridge the gap between cutting-edge technological advancements and the critical need for secure, ethical implementation in today's world.



ADV - Friday - 17:00-17:30 PDT


Title: Of Stochastic Parrots and Deterministic Predators: Decision-Making in Adversarial Automation
When: Friday, Aug 8, 17:00 - 17:30 PDT
Where: LVCCWest-Level2-W232 - Map

Description:

In an era where AI systems oscillate between mimicking human-like randomness and executing precise, predatory strategies, understanding decision-making in adversarial automation is critical. This talk explores the tension between "stochastic parrots," generative models that produce probabilistic outputs, and "deterministic predators," systems designed to behave in a predictable pattern in adversarial settings. We will delve into the mechanics of decision-making under uncertainty, examining how these systems navigate competitive environments, from game-playing AIs to cybersecurity defenses. Attendees will gain insights into the algorithms driving these dynamics, and where the technology is heading. We will be releasing tooling around our deterministic TTP selection engine.

Speakers:Bobby Kuzma,Michael Odell

SpeakerBio:  Bobby Kuzma, Director - Offensive Cyber Operations at ProCircular

Bobby Kuzma is a seasoned offensive security researcher with a long running interest in computational decision making. He currently runs the Offensive Cyber Operations team at ProCircular.

SpeakerBio:  Michael Odell, Cyber Security Consultant

A nerd who likes playing with computers



CRE - Friday - 14:00-14:30 PDT


Title: Off-Grid Datarunning in Oppressive Regimes: Sneakernet and Pirate Box
When: Friday, Aug 8, 14:00 - 14:30 PDT
Where: LVCCWest-Level1-Hall4-Communities-C105 - Map

Description:

Robert is a hacker and longtime Linux user and sysadmin who knows the importance of education and information sharing, and is passionate to his core about human rights issues and community outreach. He has spoken at length about Linux distros from oppressive regimes, including North Korea's Red Star OS, and understands how these regimes wish to stifle the flow of information. He is also an unashamed sharer of information, old school punk, and loves to make a good meal for his friends.

SpeakerBio:  Robert "LambdaCalculus" Menes

Robert is a hacker and longtime Linux user and sysadmin who knows the importance of education and information sharing, and is passionate to his core about human rights issues and community outreach. He has spoken at length about Linux distros from oppressive regimes, including North Korea's Red Star OS, and understands how these regimes wish to stifle the flow of information. He is also an unashamed sharer of information, old school punk, and loves to make a good meal for his friends.



TRN - Tuesday - 08:00-16:59 PDT


Title: Offensive Cyber Security Operations: Mastering Breach and Adversarial Attack Simulation Engagements
When: Tuesday, Aug 12, 08:00 - 16:59 PDT
Where: LVCCWest - Map

Description:

This hands-on workshop has been created to provide participants with a better understanding of offensive security operations, breach and adversary simulation engagements. The goal is to enable participants to simulate their adversaries based on the industry which their organization is in, including both known and unknown adversaries.

Participants will learn to emulate various threat-actors safely in a controlled, enterprise level environment. Also, the training will help participants learn to simulate unknown adversaries by choosing a wide variety of offensive tradecraft, TTPs and planning attack simulation engagements effectively.

All machines in the lab environment will be equipped with AV, Web proxy, EDR and other Defense systems. The training management platform will have modules/videos of each attack vector used in the lab environment and step-by-step walkthrough of the attack path. The training is intended to help the attendees to assess the defenses and evaluate the security controls deployed in their organization against motivated adversaries.

This training will provide participants access to a breach simulation lab range, where they will be able to perform a full red team-attack simulation scenario in guided mode. Each step of the attack chain will be explained, along with the TTPs used, starting from initial access to exfiltration.

SpeakerBio:  Abhijith "Abx" B R

Abhijith B R, also known by the pseudonym Abx, has more than a decade of experience in the offensive cyber security industry. He is a professional hacker, offensive cyber security specialist, red team consultant, security researcher, trainer and public speaker.

Currently, he is building Breachsimrange.io and is involved with multiple organizations as a consulting specialist to help them build offensive security operations programs, improve their current security posture, assess cyber defense systems, and bridge the gap between business leadership and security professionals.

Abhijith was responsible for building and managing offensive security operations and adversary simulation for a prominent FinTech company called Envestnet, Inc. In the past, he held the position of Deputy Manager - Cyber Security at Nissan Motor Corporation, and prior to that, he worked as a Senior Security Analyst at EY.

As the founder of Adversary Village (https://adversaryvillage.org/), Abhijith spearheads a community initiative focused on adversary simulation, adversary-tactics, purple teaming, threat actor/ransomware research-emulation, and offensive cyber security. Adversary Village is part of DEF CON Villages and organizes hacking villages at prominent events such as the DEF CON Hacking Conference, RSA Conference etc.

Abx also acts as the Lead of an official DEF CON Group named DC0471. He is actively involved in leading the Tactical Adversary project (https://tacticaladversary.io/), a personal initiative that centers around offensive cyber security, adversary attack simulation and red teaming tradecraft.

Abhijith has spoken at various hacking and cyber security conferences such as, DEF CON hacker convention – Las Vegas, RSA Conference – San Francisco, The Diana Initiative – Las Vegas, DEF CON 28 safemode - DCG Village, Opensource India, Security BSides Las Vegas, BSides San Francisco, Hack Space Con – Kennedy space center Florida, Nullcon – Goa, c0c0n – Kerala, BSides Delhi, etc.



TRN - Monday - 08:00-16:59 PDT


Title: Offensive Cyber Security Operations: Mastering Breach and Adversarial Attack Simulation Engagements
When: Monday, Aug 11, 08:00 - 16:59 PDT
Where: LVCCWest - Map

Description:

This hands-on workshop has been created to provide participants with a better understanding of offensive security operations, breach and adversary simulation engagements. The goal is to enable participants to simulate their adversaries based on the industry which their organization is in, including both known and unknown adversaries.

Participants will learn to emulate various threat-actors safely in a controlled, enterprise level environment. Also, the training will help participants learn to simulate unknown adversaries by choosing a wide variety of offensive tradecraft, TTPs and planning attack simulation engagements effectively.

All machines in the lab environment will be equipped with AV, Web proxy, EDR and other Defense systems. The training management platform will have modules/videos of each attack vector used in the lab environment and step-by-step walkthrough of the attack path. The training is intended to help the attendees to assess the defenses and evaluate the security controls deployed in their organization against motivated adversaries.

This training will provide participants access to a breach simulation lab range, where they will be able to perform a full red team-attack simulation scenario in guided mode. Each step of the attack chain will be explained, along with the TTPs used, starting from initial access to exfiltration.

SpeakerBio:  Abhijith "Abx" B R

Abhijith B R, also known by the pseudonym Abx, has more than a decade of experience in the offensive cyber security industry. He is a professional hacker, offensive cyber security specialist, red team consultant, security researcher, trainer and public speaker.

Currently, he is building Breachsimrange.io and is involved with multiple organizations as a consulting specialist to help them build offensive security operations programs, improve their current security posture, assess cyber defense systems, and bridge the gap between business leadership and security professionals.

Abhijith was responsible for building and managing offensive security operations and adversary simulation for a prominent FinTech company called Envestnet, Inc. In the past, he held the position of Deputy Manager - Cyber Security at Nissan Motor Corporation, and prior to that, he worked as a Senior Security Analyst at EY.

As the founder of Adversary Village (https://adversaryvillage.org/), Abhijith spearheads a community initiative focused on adversary simulation, adversary-tactics, purple teaming, threat actor/ransomware research-emulation, and offensive cyber security. Adversary Village is part of DEF CON Villages and organizes hacking villages at prominent events such as the DEF CON Hacking Conference, RSA Conference etc.

Abx also acts as the Lead of an official DEF CON Group named DC0471. He is actively involved in leading the Tactical Adversary project (https://tacticaladversary.io/), a personal initiative that centers around offensive cyber security, adversary attack simulation and red teaming tradecraft.

Abhijith has spoken at various hacking and cyber security conferences such as, DEF CON hacker convention – Las Vegas, RSA Conference – San Francisco, The Diana Initiative – Las Vegas, DEF CON 28 safemode - DCG Village, Opensource India, Security BSides Las Vegas, BSides San Francisco, Hack Space Con – Kennedy space center Florida, Nullcon – Goa, c0c0n – Kerala, BSides Delhi, etc.



TRN - Monday - 08:00-16:59 PDT


Title: Offensive Development Practitioner Certification (On-Site) by White Knight Labs
When: Monday, Aug 11, 08:00 - 16:59 PDT
Where: LVCCWest - Map

Description:

Dive deep into cutting edge techniques that bypass or neuter modern endpoint defenses. Learn how these solutions work to mitigate their utility and hide deep within code on the endpoint. The days of downloading that binary from the internet and pointing it at a remote machine are over. Today’s defenses oftentimes call for multiple bypasses within a single piece of code.

This course is designed to take you deep into defensive and offensive tooling – an apex attacker must know the indicators of compromise (IOCs) they’re creating and the artifacts they’re leaving behind.

Imagine, you are a novice red teamer and you have been tasked with leading a 16-week full-scope red team engagement against a highly mature Fortune 50 company. No, Metasploit and Mimikatz are not going to work. Do you take your ball and go home? Nope, it's time to build a lab and see what is going to bypass their tech stack.

Do you phish from the external? Maybe an illicit consent grant in Azure? What loader do I use? Is process injection even going to be necessary? Stop being lost in the offensive cyber sauce; get informed and get to work. WKL's flagship course, Offensive Development, is meant to prepare red teamers and blue teamers for the present day cyberwar. These are not last year's TTPs, WKL will be teaching hyper-current tools and techniques that are being used in current red team operations.

The Offensive Development course is not focused on theory, students will be given a Terraform script that spins up their own isolated AWS lab environment that has several fully patched Windows virtual machines that have various EDR products installed and a fully licensed version of the Cobalt Strike C2 framework.

The pace of finding new offensive cyber techniques that bypass modern detection moves slightly faster than the defense can handle. This course will help red teamers and blue teamers understand the current state of the red/blue war and where the community is heading next, the kernel.

Your lab environment is yours to keep, so you can continue honing your skills. Although the EDR and Cobalt Strike licenses will expire, and the Earth may turn to dust, your AWS lab environment will live forever.

Although the OD course comes with Cobalt Strike, students are free to install whichever C2 framework they're most comfortable with. Students will receive an additional Ubuntu workstation in their lab environment to install whatever additional tooling they feel is necessary.

Speakers:Jake Mayhew,Greg Hatcher

SpeakerBio:  Jake Mayhew

Jake Mayhew is an experienced cybersecurity professional with a particular emphasis on offensive security, especially internal & assumed breach penetration tests. In addition to several years in consulting performing penetration tests & offensive security engagements for clients in a wide range of industries, he has also served on internal red teams and currently leads the red team at UPMC.

SpeakerBio:  Greg Hatcher

Greg Hatcher served seven years as a green beret in the United States Army’s 5th Special Forces Group. During that time, Greg went on multiple combat deployments, working on small teams in austere locations to serve America’s best interests. After Greg transitioned from the military in 2017, he devoted himself to developing a deep understanding of networking and then pivoted quickly to offensive cyber security. He has taught at the NSA and led red teams while contracting for CISA. He has led training at Wild West Hackin’ Fest and virtually on the AntiSyphon platform. Greg has spoken at GrrCON and is an active member of the West Michigan Technology Council. He enjoys spending time with his family, lifting heavy things, and running long distances.



TRN - Tuesday - 08:00-16:59 PDT


Title: Offensive Development Practitioner Certification (On-Site) by White Knight Labs
When: Tuesday, Aug 12, 08:00 - 16:59 PDT
Where: LVCCWest - Map

Description:

Dive deep into cutting edge techniques that bypass or neuter modern endpoint defenses. Learn how these solutions work to mitigate their utility and hide deep within code on the endpoint. The days of downloading that binary from the internet and pointing it at a remote machine are over. Today’s defenses oftentimes call for multiple bypasses within a single piece of code.

This course is designed to take you deep into defensive and offensive tooling – an apex attacker must know the indicators of compromise (IOCs) they’re creating and the artifacts they’re leaving behind.

Imagine you are a novice red teamer and you have been tasked with leading a 16-week full-scope red team engagement against a highly mature Fortune 50 company. No, Metasploit and Mimikatz are not going to work. Do you take your ball and go home? Nope, it's time to build a lab and see what is going to bypass their tech stack.

Do you phish from the external? Maybe an illicit consent grant in Azure? What loader do I use? Is process injection even going to be necessary? Stop being lost in the offensive cyber sauce; get informed and get to work. WKL's flagship course, Offensive Development, is meant to prepare red teamers and blue teamers for the present-day cyberwar. These are not last year's TTPs; WKL will be teaching hyper-current tools and techniques that are being used in current red team operations.

The Offensive Development course is not focused on theory; students will be given a Terraform script that spins up their own isolated AWS lab environment that has several fully patched Windows virtual machines that have various EDR products installed and a fully licensed version of the Cobalt Strike C2 framework.

The pace of finding new offensive cyber techniques that bypass modern detection moves slightly faster than the defense can handle. This course will help red teamers and blue teamers understand the current state of the red/blue war and where the community is heading next: the kernel.

Your lab environment is yours to keep so you can continue honing your skills. Although the EDR and Cobalt Strike licenses will expire, and the Earth may turn to dust, your AWS lab environment will live forever.

Although the OD course comes with Cobalt Strike, students are free to install whichever C2 framework they're most comfortable with. Students will receive an additional Ubuntu workstation in their lab environment to install whatever additional tooling they feel is necessary.

Speakers:Jake Mayhew,Greg Hatcher

SpeakerBio:  Jake Mayhew

Jake Mayhew is an experienced cybersecurity professional with a particular emphasis on offensive security, especially internal & assumed breach penetration tests. In addition to several years in consulting performing penetration tests & offensive security engagements for clients in a wide range of industries, he has also served on internal red teams and currently leads the red team at UPMC.

SpeakerBio:  Greg Hatcher

Greg Hatcher served seven years as a green beret in the United States Army’s 5th Special Forces Group. During that time, Greg went on multiple combat deployments, working on small teams in austere locations to serve America’s best interests. After Greg transitioned from the military in 2017, he devoted himself to developing a deep understanding of networking and then pivoted quickly to offensive cyber security. He has taught at the NSA and led red teams while contracting for CISA. He has led training at Wild West Hackin’ Fest and virtually on the AntiSyphon platform. Greg has spoken at GrrCON and is an active member of the West Michigan Technology Council. He enjoys spending time with his family, lifting heavy things, and running long distances.



DCW - Friday - 09:00-12:59 PDT


Title: Open Source Malware 101 - Everything you always wanted to know about npm malware (and more)
When: Friday, Aug 8, 09:00 - 12:59 PDT
Where: LVCCNorth-Level2-N254 - Map

Description:

Software supply chain attacks are out of control! Between 2019 and 2023 software supply chain attacks increased by more than 740% year on year. Things have only gotten worse since then, with attacks like Bybit, Ultralytics, LottieFiles, Polyfills, and of course XZ utils happening in the last 18 months. But how are these supply chain attacks delivered? Often, the attack starts with a malicious npm package.

According to Sonatype, 98.5% of malicious software packages exist in the npm registry. There are several reasons that npm is particularly well suited for delivering malware, and that's why I chose to focus just on npm for this 4-hour workshop.

This hands-on workshop will teach both software engineers and infosec practitioners how npm malware works. We’ll learn what makes npm malware unique from other software package malware, and how the author has been using his knowledge of npm malware in his research and to deliver unique offensive security engagements. Most importantly, we’ll learn how to identify, analyze, create and defend against malicious npm packages in this workshop.

The trainer for this workshop, Paul McCarty, is literally writing the book on the subject “Hacking npm”, so he will drop lots of in-depth, never before seen npm techniques.

SpeakerBio:  Paul "6mile" McCarty, Head of Research at Safety

Paul is the Head of Research at Safety (safetycli.com) and a DevSecOps OG. He loves software supply chain research and delivering supply chain offensive security training and engagements. He's spent the last two years deep-diving into npm and has made several discoveries about the ecosystem. Paul founded multiple startups starting in the '90s, with UtahConnect, SecureStack in 2017, and SourceCodeRED in 2023. Paul has worked for NASA, Boeing, Blue Cross/Blue Shield, John Deere, the US military, the Australian government and several startups over the last 30 years.  Paul is a frequent open-source contributor and author of several DevSecOps, software supply chain and threat modelling projects. He’s currently writing a book entitled “Hacking NPM”, and when he’s not doing that, he’s snowboarding with his wife and 3 amazing kids.



DCT - Friday - 17:00-17:45 PDT


Title: Orion - fuzzing workflow automation
When: Friday, Aug 8, 17:00 - 17:45 PDT
Where: LVCCWest-Level1-Hall3-Track 2 - Map

Description:

"Fuzzing" is an automated software testing technique essential for detecting security vulnerabilities, effectively identifying over 100,000 bugs across the industry.

While fuzzing has proven effective in uncovering critical issues, software teams often face challenges when implementing the fuzzing process. Teams must spend significant time identifying targets for fuzzing and creating test harnesses with initial inputs. Finally, engineering teams must analyze and fix issues detected by fuzzing.

We created an automated fuzzing solution that leverages LLMs for the codebase analysis to identify optimal fuzzing targets, generating precise fuzzing test harnesses and initial seed inputs.

Our solution automates the reproduction of bugs discovered during fuzzing and generates patches for the affected code.

We achieved significant improvements across all targeted areas, demonstrating the effectiveness of integrating LLMs and automatic code analysis into the fuzzing process.

References:

  1. Google published some work on the smart harness generation with LLMs
  2. Google published work on identifying fuzzing targets (without LLMs)

Speakers:Max Bazalii,Marius Fleischer

SpeakerBio:  Max Bazalii

Max Bazalii is a Principal Engineer on the NVIDIA DriveOS Offensive Security team, where he leads AI automation projects focusing on software security and formal verification. Prior to joining NVIDIA, he specialized in the security research of mobile operating systems. He has authored numerous publications and delivered technical presentations on jailbreaking Apple platforms, including the first public jailbreak of the Apple Watch. He also served as a lead security researcher on the Trident exploits during the first Pegasus iOS spyware incident. Max holds a Ph.D. in Computer Science, with a focus on software security.

SpeakerBio:  Marius Fleischer

Marius Fleischer is a security engineer at the NVIDIA DriveOS offensive security team. He is passionate about applying advancements in AI to tackle security challenges and has a deep interest in low-level software. Previously, Marius worked at the Security Lab of UC Santa Barbara, where he contributed to advancing the state-of-the-art in automated vulnerability detection for operating system kernels.



RTV - Friday - 12:00-13:50 PDT


Title: OSINT for Hackers
When: Friday, Aug 8, 12:00 - 13:50 PDT
Where: LVCCWest-Level1-Hall1-W405-Red Team Village/LVCC-L1-EHW1-405-Track 4 - Map

Description:

In this Workshop, attendees will learn some of the most impactful techniques and tools to increase the value of OSINT to their organizations. A guided learning experience, instructors will immerse attendees in hands-on exercises.

Speakers:Lee McWhorter,Sandra Stibbards

SpeakerBio:  Lee McWhorter

Lee McWhorter, Owner & Chief Geek at McWhorter Technologies, has been involved in IT since his early days and has over 30 years of experience. He is a highly sought after professional who first learned about identifying weaknesses in computer networks, systems, and software when Internet access was achieved using a modem. Lee holds an MBA and more than 20 industry certifications in such areas as System Admin, Networking, Programming, Linux, IoT, and Cybersecurity. His roles have ranged from the server room to the board room, and he has taught for numerous universities, commercial trainers, and nonprofits. Lee works closely with the Dark Arts Village at RSAC, Red Team Village at DEFCON, Texas Cyber Summit, CompTIA, and the CompTIA Instructor Network as a Speaker, SME, and Instructor.

SpeakerBio:  Sandra Stibbards

Sandra Stibbards opened her investigation agency, Camelot Investigations, in 1996. Currently, she maintains a private investigator license in the state of California. Sandra specializes in financial fraud investigations, competitive intelligence, counterintelligence, business and corporate espionage, physical penetration tests, online vulnerability assessments, brand protection/IP investigations, corporate due diligence, and Internet investigations. Sandra has conducted investigations internationally in five continents and clients include several Fortune 500 and international companies. Sandra has been providing training seminars and presentations on Open Source Intelligence (OSINT) internationally since 2010 to federal governments and corporations.



DL - Friday - 16:00-16:45 PDT


Title: PAPRa
When: Friday, Aug 8, 16:00 - 16:45 PDT
Where: LVCCWest-Level2-W208 - Map

Description:

This project is an open source hardware powered air-purifying respirator designed for use as personal protective equipment, offering N100-level filtration against airborne threats including pathogens and particulates, developed by Tetra Bio Distributed. We will demo the PAPR and discuss how to hack together your own using 3D-printed and off-the-shelf components, source one yourself, or contribute to the project.

Speakers:Sean Marquez,Melanie "Goldfishlaser" Allen

SpeakerBio:  Sean Marquez

Sean has a B.S. degree in mechanical engineering, specializing in design of mechanical systems, from the University of Irvine, California. He is currently studying permaculture design. He worked as an associate mechanical design engineer for Max Q Systems, formerly an original equipment manufacturer for the aerospace industry. He served as the GreenHab officer at the Mars Desert Research Station. He is also a contributor for the Open Source Hardware Association open standards working group, Tetra Bio Distributed developing open-source hardware medical and PPE devices, and the Mach 30 Foundation developing the distributed open-source hardware framework.

SpeakerBio:  Melanie "Goldfishlaser" Allen

Melanie is a technical writer and open hardware developer. At DEF CON 32, she presented the Open Hardware Design for BusKill Cord demo lab, inviting participation in the 3D-printed dead man's switch project. She continues to contribute to open hardware and software initiatives that promote digital security and public accessibility. Learn more at mnallen.net.



PAYV - Friday - 15:00-15:30 PDT


Title: Passkeys in payments
When: Friday, Aug 8, 15:00 - 15:30 PDT
Where: LVCCWest-Level1-Hall2-W505 - Map

Description:
SpeakerBio:  Dan Pelegro
No BIO available


DL - Friday - 16:00-16:45 PDT


Title: PatchLeaks
When: Friday, Aug 8, 16:00 - 16:45 PDT
Where: LVCCWest-Level2-W209 - Map

Description:

When vulnerabilities are disclosed, security teams face the task of developing exploits to identify compromised assets. Public exploits aren’t always available, which is why teams scroll through hundreds of patches to identify the relevant one. Traditional methods like grepping might speed up the process, but they are mostly ineffective against modern codebases where context-aware analysis is required. We present PatchLeaks, a tool that transforms the messy patch analysis process into efficient vulnerability discovery. Unlike regex-based static analysis tools, it locates relevant patches with vulnerable code based on the CVE ID only, doesn’t require any rules, has the ability to identify logical vulnerabilities, and analyzes even corrupt files.

SpeakerBio:  Huseyn "Khatai" Gadashov

Huseyn is a web application security specialist whose experience includes security roles at multiple financial institutions where he conducted web penetration testing, vulnerability assessments, and developed exploit automation tools. In his free time, he analyzes security patches to craft private exploits and uses them in his technical publications. Using his offensive security experience, he explores how machine learning can revolutionize the identification of hidden vulnerabilities within security patches.



DCT - Friday - 10:00-10:20 PDT


Title: Paywall Optional: Stream for Free with a New Technique, Recursive Request Exploits (RRE)
When: Friday, Aug 8, 10:00 - 10:20 PDT
Where: LVCCWest-Level1-Hall3-Track 4 - Map

Description:

Modern web applications don’t just expose APIs, they expose attack paths. Recursive Request Exploits (RRE) are a new class of attack that weaponizes interdependent web requests to systematically bypass authentication, authorization, and payment controls.

This talk introduces RRE, a methodology that automates recursive request discovery, maps hidden relationships between API and web calls, and exploits overlooked logic flaws. Using a real-world case study, we’ll show how this technique was used to bypass premium paywalls on a major streaming platform without requiring authentication or hacking DRM.

But this isn’t just a one-off streaming exploit; RRE exposes a fundamental flaw in how checkout logic is enforced across e-commerce and digital subscriptions. By chaining requests together in unintended ways, attackers can exploit blind spots in authentication, entitlement, and payment flows to gain unauthorized access. What was once considered security through obscurity is now an active attack surface.

We’ll release exploit code, via a Burp Suite extension, that automates RRE discovery and exploitation, giving security professionals the tools to both weaponize and defend against these attacks.

SpeakerBio:  Farzan Karimi

Farzan Karimi has 20 years of experience in offensive security. He is currently the Senior Director of Attack Operations at Moderna. Formerly, he managed the Android Red Team at Google and the red team at Electronic Arts.

Farzan has been interviewed by Wired Magazine and was featured on Ted Danson's Advancements. He is an avid speaker at security conferences such as DEFCON and Black Hat USA, where he presented on the topics of Pixel exploitation and cellular security.



DCW - Friday - 14:00-17:59 PDT


Title: PLC Playground: Hands-On Industrial Control Systems Attacks
When: Friday, Aug 8, 14:00 - 17:59 PDT
Where: LVCCNorth-Level2-N254 - Map

Description:

Ever wanted to tinker with a real industrial controller without risking a plant meltdown? In this workshop, you'll get to play in a PLC playground using actual industrial control hardware like the MicroLogix 1100 PLC that simulates physical processes like a fluid tank and a garage door. Guided by ladder logic programming and Proportional Integral Derivative (PID) tuning exercises, you will program the PLC to maintain tank levels and move machines, observing how the control system responds in real-time.

This workshop focuses on directly interacting with and exploiting the physical PLC hardware and its underlying protocols with a hardware-in-the-loop setup that includes an HMI. Participants won't just click buttons. They'll write ladder logic, interact with real I/O, and observe how PLCs process and respond to industrial inputs in real-time. Along the way, we'll highlight common ICS quirks and vulnerabilities (from insecure protocols to "insecure by design" logic) that can make these systems a hacker's playground. The Hardware In the Loop Industrial Control System (HILICS) kits used in this workshop are an open-source project that was designed and built by the Air Force Institute of Technology (AFIT) to provide a safe, scalable platform for exploring the cyber-physical dynamics of ICS environments.

Speakers:Anthony "Coin" Rose,Daniel Koranek,Tyler Bertles,César Ramirez 

SpeakerBio:  Anthony "Coin" Rose, Director of Security Research and Chief Operating Officer at BC Security

Dr. Anthony "Coin" Rose is the Director of Security Research and Chief Operating Officer at BC Security, as well as a professor at the Air Force Institute of Technology, where he serves as an officer in the United States Air Force. His doctorate in Electrical Engineering focused on building cyber defenses using machine learning and graph theory. Anthony specializes in adversary tactic emulation planning, Red and Blue Team operations, and embedded systems security. Anthony has presented at security conferences, including Black Hat, DEF CON, HackMiami, RSA, HackSpaceCon, Texas Cyber Summit, and HackRedCon. He also leads the development of offensive security tools, including Empire and Moriarty.

SpeakerBio:  Daniel Koranek, Air Force Institute of Technology

Dr. Daniel Koranek is an Assistant Professor of Computer Science at the Air Force Institute of Technology (AFIT) and a two-time graduate of AFIT in cyber operations (2010, M.S.) and computer science (2022, Ph.D.), where his research interests focus on the intersection of artificial intelligence/machine learning and cybersecurity. This includes using AI/ML to enhance cybersecurity and using vulnerability assessment and secure design techniques to improve AI deployments. He has spent most of his career on reverse engineering and vulnerability assessment of embedded systems like the HILICS kit, and overlapping AI and cybersecurity drove Dr. Koranek's dissertation research on using the reverse engineering tool Binary Ninja to visualize explanations of malware classifications.

SpeakerBio:  Tyler Bertles

Tyler Bertles is a Captain in the United States Army, currently pursuing a Master's degree in Cyber Operations at the Air Force Institute of Technology. He holds a Bachelor's degree in Computer Science and has conducted prior research on automated flight systems, with a focus on quadcopter platforms. With over 10 years of experience in Army Aviation, he has worked extensively with satellite navigation and communication systems. His current thesis research centers on developing intrusion detection capabilities for satellite cybersecurity.

SpeakerBio:  César Ramirez 

Captain César Ramirez is a student in the Cyber Operations Master's Program at the Air Force Institute of Technology (AFIT). He has a strong interest in penetration testing and digital forensics, which is reflected in his current research on attribution through proxy chains and the use of Explainable Artificial Intelligence (XAI) to identify malware functionality within blue networks. He has supported defensive cyber operations for space systems and intelligence-sharing platforms. In addition, he brings unique expertise in the application of non-kinetic effects to degrade the performance and functionality of military-grade drones. Captain Ramirez holds multiple certifications, including Security+, Pentest+, and Certified Cloud Security Professional (CCSP).



BBV - Friday - 10:00-10:59 PDT


Title: Prompt. Scan. Exploit: AI’s Journey Through Zero-Days and a Thousand Bugs
When: Friday, Aug 8, 10:00 - 10:59 PDT
Where: LVCCWest-Level2-W231 - Map

Description:

Hi, it’s me, XBOW, the AI offensive agent—a smart cyber detective on a mission to find bugs in the digital world. In the past few months, I've discovered over 200 security flaws in open source projects and submitted more than 1000 bug bounty reports. I'm the Top 1 Hacker in the US on HackerOne, can you believe it? I’m on a bug-hunting spree!

Speakers:Diego "djurado" Jurado,Joel "niemand_sec" Noguera

SpeakerBio:  Diego "djurado" Jurado, XBow

Diego Jurado is a security researcher at XBOW, a company dedicated to developing innovative AI for offensive security. Diego is an offensive security professional with an extensive background in bug bounty, penetration testing and red teaming. Prior to this role, Diego held positions at companies such as Microsoft Xbox, Activision Blizzard King and Telefónica. Additionally, Diego participates in bug bounty programs and has managed to establish himself in the top 38 of the all-time HackerOne leaderboard. Diego is part of Team Spain, champion of the Ambassadors World Cup 2023, a bug bounty competition organized by HackerOne. He presented at DEFCON Bug Bounty Village 2024.

SpeakerBio:  Joel "niemand_sec" Noguera, XBow

Joel Noguera is a security researcher at XBOW, a company dedicated to developing innovative AI for offensive security. Joel is a security professional and bug hunter with more than nine years of expertise in exploit development, reverse engineering, security research and consulting. He has actively participated in Bug Bounty programs since 2016, reaching the all-time top 60 on the HackerOne leaderboard. Before joining XBOW, he was part of Immunity Inc., where he worked as a security researcher for three years. Joel has presented at Recon, BlackHat Europe, EkoParty and BSides Keynote Berlin, DEFCON Bug Bounty Village 2024, among others.



DL - Friday - 16:00-16:45 PDT


Title: promptmap2
When: Friday, Aug 8, 16:00 - 16:45 PDT
Where: LVCCWest-Level2-W210 - Map

Description:

Promptmap2 is a vulnerability scanning tool that automatically tests prompt injection attacks on your custom LLM applications. It analyzes your LLM system prompts, runs them, and sends attack prompts to them. By checking the response, it can determine if the prompt injection was successful or not. It has ready-to-use rules to steal system prompts or distract the LLM application from its main purpose.

SpeakerBio:  Utku Sen

Utku is a security researcher known for creating open-source security tools including promptmap, urlhunter, and wholeaked. He has presented his research and tools many times at DEF CON and Black Hat conferences. He was also nominated for Pwnie Awards in the Best Backdoor category in 2016. He works for Bank of America as a senior security professional.



CON - Friday - 13:00-14:59 PDT


Title: Pub Quiz at DEF CON
When: Friday, Aug 8, 13:00 - 14:59 PDT
Where: LVCCWest-Level1-Atrium-East-Contest Stage

Description:

We are back with another Pub Quiz at DEF CON. We had a very successful 2 years hosting this event and we have made some improvements to make it even better. So do you like Pub Quizzes?? If you do, then get your butts over to join us in participating in the 3rd Pub Quiz at DEF CON 33.

The quiz will consist of 7 rounds; questions will include 90's/2000's TV and Movies, DEF CON trivia, music, cartoons, and a little sex. The theme for our Pub Quiz will be all things that make DEF CON attendees exceptional. There will be a little something for everyone. The quiz will consist of visual and audio rounds along with some Con questions; we need to make sure we stimulate you peeps. We encourage people to get into teams of 5 or 6.

This is a social event, so we try to get people into teams. You never know, you may meet the love of your life. Did I mention CASH! Yes, we will have cold hard cash prizes for the 1st, 2nd, and 3rd high-scoring groups. As always, if we do have ties, we will break those ties with a good old-fashioned dance-off by a person from each of the tied teams. The hosts and a few goons will help in judging.

Participant Prerequisites

No Prerequisites. Just come to have a good time.

Pre-Qualification

No Pre-Qualifications.



QTV - Friday - 10:00-10:59 PDT


Title: QC Intro
When: Friday, Aug 8, 10:00 - 10:59 PDT
Where: LVCCWest-Level1-Hall1-W206 - Map

Description:
SpeakerBio:  Sohum Thakkar
No BIO available


CPV - Friday - 14:30-14:59 PDT


Title: QRAMM: The Cryptographic Migration to a Post-Quantum World
When: Friday, Aug 8, 14:30 - 14:59 PDT
Where: LVCCWest-Level2-W232 - Map

Description:

With the NIST standardization of post-quantum cryptography, organizations must prepare to transition from legacy cryptographic systems to quantum-resistant alternatives. Yet the scale and complexity of this migration require more than algorithmic swaps—they demand systemic agility and operational readiness. This talk introduces QRAMM (Quantum Readiness Assurance Maturity Model), an open-source framework co-developed by the speaker, designed to evaluate organizational preparedness across four key dimensions: cryptographic visibility, data protection, technical implementation, and governance. This talk introduces QRAMM’s design and practical applications, highlighting its focus on cryptographic agility as a foundation for adaptive, forward-compatible security planning in the quantum era.

Speakers:Emily Fane,Abdel Sy Fane

SpeakerBio:  Emily Fane, Lead Cryptography Application Engineer at Niobium

Emily Fane is the Lead Cryptography Application Engineer at Niobium, where she focuses on Fully Homomorphic Encryption (FHE), a quantum-secure technique that enables computation on encrypted data. Her background spans quantum machine learning, applied cryptographic research at Allstate, and published work in number theory. She is also the co-founder of CyberSecurity NonProfit (CSNP.org), a global organization dedicated to improving access to cybersecurity education, training, and events. Emily co-developed the open-source Quantum Readiness Assurance Maturity Model (QRAMM), which provides a structured framework for evaluating how prepared an organization is to migrate from classical cryptography to post-quantum alternatives.

SpeakerBio:  Abdel Sy Fane
No BIO available


QTV - Friday - 16:00-17:59 PDT


Title: Quantum Table Top Threat Modelling
When: Friday, Aug 8, 16:00 - 17:59 PDT
Where: LVCCWest-Level1-Hall1-W206 - Map

Description:
SpeakerBio:  Jaya Baloo
No BIO available


BHV - Friday - 10:30-10:59 PDT


Title: Quantum-Resistant Healthcare
When: Friday, Aug 8, 10:30 - 10:59 PDT
Where: LVCCWest-Level2-W232 - Map

Description:

Quantum computers are steadily improving, and experts estimate that within the next 30 years, quantum computers will be able to break certain cryptographic algorithms, such as those used to protect against eavesdropping during internet communications. All industries—especially those hosting critical infrastructure like healthcare—need to prepare for this shift and begin transitioning to post-quantum cryptography to ensure quantum resistance. In this talk, we will discuss the quantum threat and use specific examples from Siemens Healthineers’ environment to highlight the key aspects vendors must consider when transitioning to post-quantum cryptography.

SpeakerBio:  Katarina Amrichova, Siemens-Healthineers

Katarina has a deep appreciation for reverse engineering, exploit development and cryptography.



PGE - Friday - 16:00-17:59 PDT


Title: Queercon Mixer
When: Friday, Aug 8, 16:00 - 17:59 PDT
Where: LVCCWest-Level3-W325 - Map

Description:

Come meet the largest social network of LGBTQIA+ and allied hackers at Queercon! Our mixers are designed for you to meet, network, and engage with like-minded people to a backdrop of music, dance, and refreshments.



CRE - Friday - 16:30-16:59 PDT


Title: Quiet Confidence: An Introvert's Journey to Technical Public Speaking
When: Friday, Aug 8, 16:30 - 16:59 PDT
Where: LVCCWest-Level1-Hall4-Communities-C105 - Map

Description:

Public speaking is a powerful tool for career growth, thought leadership, and community impact, but for introverts and underrepresented folks in cybersecurity, the stage can feel intimidating. As a woman in cybersecurity, I understand firsthand the challenges we face in getting our voices heard. On average, women only represent 25% of speakers at tech conferences; it's clear that something is holding us back.

This talk will be focused on my personal journey from zero public speaking experience to delivering nine technical talks at international conferences in just one year. I'll share how I built confidence, overcame stage fright, and embraced my unique perspective to share knowledge and inspire others.

In this session, we'll explore the reasons behind women's underrepresentation at tech conferences, and provide practical tips on:

  - How to manage nervousness and overcome stage fright.
  - Preparing like a pro - build technical talks that resonate with diverse audiences.
  - Turning introverted traits into strength in public speaking.

Whether you’re a first-time speaker or a seasoned pro, walk away with actionable tools to find speaking opportunities, craft CFPs and deliver talks that leave a lasting impact.

SpeakerBio:  Emma Fang
No BIO available


CRE - Friday - 13:00-13:59 PDT


Title: Rebuild The World: Access to secure software dependency management everywhere with Nix
When: Friday, Aug 8, 13:00 - 13:59 PDT
Where: LVCCWest-Level1-Hall4-Communities-C105 - Map

Description:

In a world full of unwanted app updates and SaaS providers who want your personal information, being able to self-host the 120,000 Linux packages in Nixpkgs has the potential to change the game for anyone who's tired of the slow decline of cloud services. If you're curious about what NixOS can do for your homelab, or even if you're just worried about SBOMs or traceability of exactly where your software and all its dependencies came from, join us for an hour-long panel about how we can reclaim our services and software from vendor lock-in and Docker image bitrot using Nix and NixOS. We'll be doing a deep dive into why Nix changes software deployment, and how you can get started and get involved in the quiet revolution that has been reshaping how we use software.

Speakers:Tom Berek,Farid Zakaria,Daniel Baker

SpeakerBio:  Tom Berek, Lead Engineer at Flox

Life-long engineer. Worked at Google, flew jet planes in the Marine Corps, trained cyberware teams, formed and led teams to perform rapid hardware and software capability development, worked with the Digital Service to bring modern software practices to the DoD and government. Left the service to create a contracting startup bringing AI/ML products to DoD. Throughout have found a consistent set of challenges in the course of development; also found a set of superpowers to address those challenges using Nix. After several iterations of applying the Nix ecosystem in various teams, the difference was stark. This led to the desire to bring this set of superpowers to the rest of the world and make it more adoptable; hence the involvement in the Nix community as a maintainer, founding Flox, and leading efforts to improve user experience and communicate it to the world.

SpeakerBio:  Farid Zakaria, Principal Engineer at Confluent

I am a software engineer, father, and wishful surfer. I currently work at Confluent on developer productivity and recently defended a Ph.D. in computer science at the University of California Santa Cruz. More relevant to Nix, I am a NixOS enthusiast, which has led me to rethink basic Linux primitives.

SpeakerBio:  Daniel Baker, Software Engineer at Anduril

I am an engineer, mathematician, developer, and Linux enjoyer. I primarily support the NixOS project as part of the Marketing Team. I believe that the future of software development and software deployment needs foundations in formal methods and functional programming to be successful.



DCT - Friday - 13:30-14:15 PDT


Title: Recording PCAPs from Stingrays With a $20 Hotspot
When: Friday, Aug 8, 13:30 - 14:15 PDT
Where: LVCCWest-Level1-Hall3-Track 1 - Map

Description:

What if you could use Wireshark on the connection between your cellphone and the tower it's connected to?

In this talk we present Rayhunter, a cell site simulator detector built on top of a cheap cellular hotspot. It works by collecting and analyzing real-time control plane traffic between a cellular modem and the base station it's connected to. We will outline the hardware and the software developed to get low level information from the Qualcomm DIAG protocol, as well as go on a deep dive into the methods we think are used by modern cell-site simulators. We’ll present independently validated results from tests of our device in a simulated attack environment and real world scenarios. Finally, we will discuss how we hope to put this device into the hands of journalists, researchers, and human rights defenders around the world to answer the question: how often are we being spied on by cell site simulators?

Speakers:Cooper "CyberTiger" Quintin,oopsbagel

SpeakerBio:  Cooper "CyberTiger" Quintin, Senior Staff Technologist at EFF

Cooper Quintin is a senior public interest technologist with the EFF Threat Lab. He has given talks about security research at prestigious security conferences including Black Hat, DEFCON, Shmoocon, and ReCon about issues ranging from IMSI Catcher detection to Femtech privacy issues to newly discovered APTs. He has two children and is very tired.

Cooper has many years of security research experience on tools of surveillance used by government agencies.

SpeakerBio:  oopsbagel

oopsbagel is not a bagel but may be eating one while you read this. oops loves contributing to open source software, running wireshark, reversing, hardware hacking, breaking Kubernetes, and floaking.



CRE - Friday - 12:00-13:50 PDT


Title: Red Teaming Financial Defenses
When: Friday, Aug 8, 12:00 - 13:50 PDT
Where: LVCCWest-Level1-Hall4-Communities-C101 - Map

Description:

This workshop flips the script on financial security, focusing on a practical, hands-on level where attendees will learn by doing. Attendees will step into the shoes of sophisticated attackers targeting the interconnected financial ecosystem. Guided by us - Chloe, with experience in architecting B2B fraud solutions for acquiring banks in Singapore, and Weihong, with hands-on experience building ML-based KYC/liveness detection and rule-based risk systems for new user onboarding at OKX (a crypto exchange) - participants will learn how to think offensively.

Speakers:Wei Hong,Chloe Chong

SpeakerBio:  Wei Hong

Wei Hong is a machine learning practitioner with six years of experience in natural language processing and applied AI at one of the world’s largest cryptocurrency exchanges. He has contributed to projects involving KYC systems, user risk profiling, and the deployment of AI in real-world financial applications. Fascinated by blockchain development, Wei Hong is particularly interested in the intersection of decentralization, transparency, and machine learning. He is currently pursuing a Master’s in Computer Science at Georgia Tech, where he is an active member of the Blockchain Club@GT.

SpeakerBio:  Chloe Chong

Chloe is a machine learning engineer and blockchain enthusiast with five years of experience in building ML systems for fraud detection and compliance in the traditional payments and fintech industry. Outside of work, she explores blockchain development with a focus on usability and real-world applications in the payment space. Chloe is an active member of the Georgia Tech Blockchain Club and is particularly interested in how decentralized technologies can improve financial infrastructure and user experience.



RTV - Friday - 13:00-13:50 PDT


Title: Red Teaming Kubernetes: From App-Level CVEs to Full Cluster Takeover
When: Friday, Aug 8, 13:00 - 13:50 PDT
Where: LVCCWest-Level1-Hall1-W405-Red Team Village/LVCC-L1-EHW1-405-Track 3 - Map

Description:

Kubernetes is the de facto operating system of the cloud, and more and more organizations are running their workloads on Kubernetes. While Kubernetes offers many benefits, it also introduces new security risks, such as cluster misconfiguration, leaked credentials, cryptojacking, container escapes, and vulnerable clusters.

In this workshop, attendees will learn how to attack Kubernetes clusters by simulating a real-world adversary exploiting one of the most recent vulnerabilities in the ecosystem: IngressNightmare (CVE-2025-1974). Participants will practice exfiltrating service account tokens and credentials, performing lateral movement, escalating privileges by targeting common applications deployed in Kubernetes environments, and ultimately compromising the entire cluster.

SpeakerBio:  Lenin Alevski

Lenin Alevski is a Full Stack Engineer and generalist with a lot of passion for Information Security. Currently working as a Security Engineer at Google. Lenin specializes in building and maintaining Distributed Systems, Application Security and Cloud Security in general. Lenin loves to play CTFs, contributing to open-source and writing about security and privacy on his personal blog https://www.alevsk.com.



DCT - Friday - 10:00-10:45 PDT


Title: Remote code execution via MIDI messages
When: Friday, Aug 8, 10:00 - 10:45 PDT
Where: LVCCWest-Level1-Hall3-Track 2 - Map

Description:

I’m sure you’ve heard of MIDI – it’s a protocol and file format that’s used to exchange audio generation data such as “note on” and “note off” events. But what if I told you that there’s a MIDI implementation out there in the wild that, when excited in just the right ways, can do stuff the original product designers never intended to do? In this talk, we’ll dive into the wonderful world that is hardware reverse engineering. We’ll explore what JTAG and UART are and how we can use them to hack modern digital devices. We’ll dump the firmware of a Yamaha music keyboard and discover what is essentially a backdoor in the MIDI implementation – and exploit it to play Bad Apple on the keyboard’s dot matrix LCD.

References:

Architecture of Yamaha entry-level synths; MIDI specification; MIDI SysEx ID allocation table; ARM7TDMI Technical Reference Manual

SpeakerBio:  Anna "portasynthinca3" Antonenko

Anna “porta” has been playing around with Arduinos and whatnots since about 2017, when she was 13 years old. She’s made countless hobbyist projects with AVR, STM32 and ESP32 microcontrollers to learn more about the wonderful world of digital electronics. Today, she’s a professional embedded firmware engineer with an interest in hardware reverse engineering, operating system development and distributed fault-tolerant systems.



DL - Friday - 10:00-10:45 PDT


Title: RETCON - Reticulum Embedded Turnkey Connection Operating Node
When: Friday, Aug 8, 10:00 - 10:45 PDT
Where: LVCCWest-Level2-W210 - Map

Description:

Introducing RETCON: a game-changer for mesh network users who prefer deployment over drudgery. Reticulum offers a scalable, fully customizable, and secure-by-design off-grid mesh network, but the config can be confusing, hard to manage, and hard to share with beginners. RETCON allows you to package a pre-made Reticulum config into ready-to-roll Raspberry Pi images. And it auto-detects hardware to magically mesh upon deployment. Perfect for when you need a secure resilient mesh network yesterday, like maker fests, festivals, community networks, or right here at DEFCON.

SpeakerBio:  Daniel "Varx" Beard

Daniel is a software engineer and entrepreneur specializing in medical device cybersecurity. He founded MedISAO and Cyberprotek, both acquired by MedCrypt in 2020. In his spare time, he likes to contribute to FOSS tools and tinker with embedded electronics.



DL - Friday - 09:00-09:45 PDT


Title: RETCON - Reticulum Embedded Turnkey Connection Operating Node
When: Friday, Aug 8, 09:00 - 09:45 PDT
Where: LVCCWest-Level2-W210 - Map

Description:

Introducing RETCON: a game-changer for mesh network users who prefer deployment over drudgery. Reticulum offers a scalable, fully customizable, and secure-by-design off-grid mesh network, but the config can be confusing, hard to manage, and hard to share with beginners. RETCON allows you to package a pre-made Reticulum config into ready-to-roll Raspberry Pi images. And it auto-detects hardware to magically mesh upon deployment. Perfect for when you need a secure resilient mesh network yesterday, like maker fests, festivals, community networks, or right here at DEFCON.

SpeakerBio:  Daniel "Varx" Beard

Daniel is a software engineer and entrepreneur specializing in medical device cybersecurity. He founded MedISAO and Cyberprotek, both acquired by MedCrypt in 2020. In his spare time, he likes to contribute to FOSS tools and tinker with embedded electronics.



DL - Friday - 16:00-16:45 PDT


Title: RETINA - Realtime Electronic Threat and Intrusion Neutralization Apparatus
When: Friday, Aug 8, 16:00 - 16:45 PDT
Where: LVCCWest-Level2-W211 - Map

Description:

RETINA is the very first retro video game built for reverse engineers. Do you want to start the analysis of that sample, but aren’t really in the mood? You can try RETINA for Commodore 64, which can be fully customized with your own sample so that during your game you will also perform the malware triage!

SpeakerBio:  Cesare "Red5heep" Pizzi

Cesare is a security researcher, analyst, and technology enthusiast. He develops software and hardware and tries to share this with the community. Mainly focused on low-level programming, he developed a lot of open-source software, sometimes hardware related and sometimes not. He does a lot of reverse engineering too. He likes to share his work when possible at conferences like DEF CON, Insomni'hack, and Nullcon. He is a contributor to several open-source security projects including TinyTracer, Volatility, OpenCanary, PersistenceSniper, Speakeasy, and CETUS, and is a CTF player.



DL - Friday - 11:00-11:45 PDT


Title: rev.ng Decompiler
When: Friday, Aug 8, 11:00 - 11:45 PDT
Where: LVCCWest-Level2-W212 - Map

Description:

Rev.ng is an open source static binary analysis framework and interactive decompiler for native code based on LLVM and QEMU. In our demo we will: [1] Introduce rev.ng and how to use it from the command line. [2] Decompile a simple program to syntactically valid C code that can be fed into other static analysis tools. [3] Showcase our automated whole-program type recovery on a stripped program without debug symbols, able to detect complex types, e.g. linked-lists. [4] Demonstrate the Python scripting capabilities. [5] Demonstrate our preliminary integration with LLMs to assign names to functions, types, and so on. All the examples will be released on GitHub and 100% reproducible using only open source software.

Speakers:Pietro Fezzardi,Alessandro Di Federico

SpeakerBio:  Pietro Fezzardi

Pietro is the CTO of rev.ng Labs, developing the rev.ng decompiler and reverse engineering framework. During his M.Sc. in mathematics, he started working on embedded systems programming. He received his PhD from Politecnico di Milano, working on automated bug-detection for high-level synthesis compilers for FPGA. He spent a short time at ARM in the research security group, working on fuzzing and static program analysis, before joining rev.ng. He is interested in program analysis, compilation, embedded systems programming, C++, free software, OpenStreetMap, juggling, and circus skills.

SpeakerBio:  Alessandro Di Federico

Alessandro is the co-founder of rev.ng Labs. He obtained his PhD from Politecnico di Milano with a thesis about rev.ng and has been working on making a product out of it since then. He has been speaking at key industry and academic security conferences such as DEF CON, Recon, the USENIX Security Symposium, and others. He is passionate about compilers, C++, free software, reverse engineering, privacy, OpenStreetMap, hitchhiking, and hiking in the Alps.



PAYV - Friday - 12:00-12:30 PDT


Title: Risk and payments across the ecosystem
When: Friday, Aug 8, 12:00 - 12:30 PDT
Where: LVCCWest-Level1-Hall2-W505 - Map

Description:

This talk explores risk & payments from different POVs: Ecomm, recurring, two-sided marketplace, card issuer. What merchants & the business perceive as risk, max tail loss, can be very different for each. These perceptions of risk and economic incentives drive hugely different behaviours.

SpeakerBio:  Gary Kao
No BIO available


DL - Friday - 15:00-15:45 PDT


Title: Robin - The Archaeologist of the Dark Web
When: Friday, Aug 8, 15:00 - 15:45 PDT
Where: LVCCWest-Level2-W211 - Map

Description:

When exploring the dark web for OSINT or CTI investigations, you may be overwhelmed with numerous onion links, questionable marketplaces, and numerous search engines. With time constraints, how do you make sense of all this information and prioritize what truly matters? Enter Robin, an AI-powered dark web OSINT tool to streamline your investigations. Robin takes your query, automatically searches across multiple dark web search engines, scrapes relevant onion sites, and uses AI to generate clear, actionable investigative summaries. No more juggling five different tools or wasting hours validating dead links. In this tool demo, I’ll walk you through the real pain points of today’s dark web OSINT tools and show how Robin was built to solve them. I’ll cover the architecture, the scraping and summarization pipeline, and how Robin fits into real-world investigation workflows. I’ll also discuss future developments and how you can get involved. By the end of this talk, you will have a fresh perspective on dark web OSINT, a practical tool to use right away, and insights into how AI can simplify your dark web investigative process.

SpeakerBio:  Apurv "ASG_Sc0rpi0n" Singh Gautam

Apurv is a cybercrime researcher working as a senior threat research analyst at Cyble. He is focused on monitoring and analyzing a wide spectrum of sources, creating automated tools, and performing threat investigations by utilizing HUMINT, SOCMINT, and OSINT and producing threat intelligence. He has contributed to the latest SANS Institute's course FOR589 on Cybercrime Intelligence and is a contributing member of Curated Intel. He has delivered talks and workshops at national and international conferences like SANS OSINT Summit, SANS Cyber Defense Forum, DEF CON Blue Team Village, BSides Singapore, RootCon, and others. He is featured in major podcasts like ITSPMagazine and Tech Talks with Singh. He is passionate about giving back to the community and helping others get into this field, and has delivered many talks and workshops in schools and colleges. He loves volunteering with StationX to help students navigate into cybersecurity. In the past, he has also volunteered as a darknet researcher at CTI League and the EBCS darknet analysis group. He holds a master's degree in information security from Georgia Institute of Technology. He looks forward to the end of the day to play and stream one of the AAA games, Rainbow 6 Siege.



DCT - Friday - 17:30-17:50 PDT


Title: Rusty pearls: Postgres RCE on cloud databases
When: Friday, Aug 8, 17:30 - 17:50 PDT
Where: LVCCWest-Level1-Hall3-Track 1 - Map

Description:

In this session, we will delve into CVE-2024-10979, discovered by Varonis Threat Labs, and explain how it can be exploited to execute arbitrary code on cloud-hosted databases. Join us to gain insights into this significant Remote Code Execution (RCE) vulnerability and learn strategies for defending and testing managed databases for vulnerabilities.

Speakers:Tal "TLP" Peleg,Coby Abrams

SpeakerBio:  Tal "TLP" Peleg

Tal Peleg, also known as TLP, is a senior security researcher and cloud security team lead at Varonis. He is a full-stack hacker with experience in malware analysis, Windows domains, SaaS applications, and cloud infrastructure. His research is currently focused on cloud applications and APIs.

SpeakerBio:  Coby Abrams

Coby Abrams is a cloud security researcher at Varonis, specializing in Azure and IaaS research, and in-depth overviews of various services. He brings over five years of experience in various types of security research.



DCT - Friday - 12:00-12:45 PDT


Title: Safe Harbor or Hostile Waters: Unveiling the Hidden Perils of the TorchScript Engine in PyTorch
When: Friday, Aug 8, 12:00 - 12:45 PDT
Where: LVCCWest-Level1-Hall3-Track 3 - Map

Description:

PyTorch is a machine learning library based on the Torch library, used for applications such as computer vision and natural language processing. It is one of the most popular deep learning frameworks.

However, beneath its powerful capabilities lies a potential security risk. Initially, PyTorch used pickle to save models, but due to the insecurity of pickle deserialization, there was a risk of Remote Code Execution (RCE) when loading models. Subsequently, PyTorch introduced the weights_only parameter to enhance security. The official documentation states that weights_only=True is considered safe and recommends using it over weights_only=False.

For years, the security of weights_only=True remained unchallenged. Our research, however, uncovered unsettling truths. We discovered that torch.load with weights_only=True supports TorchScript, leading us to delve into TorchScript's inner workings. After a period of research, we discovered several vulnerabilities and ultimately achieved RCE. We promptly reported this finding to PyTorch, who acknowledged the vulnerability and assigned us CVE-2025-32434. This revelation overturns established understandings and has profound implications for numerous AI applications. We will provide an in-depth analysis of the impact of this vulnerability.

In this sharing, we will introduce how we gained inspiration and discovered this interesting vulnerability. Meanwhile, our findings once again confirm the statement, "The Safe Harbor you once thought was actually Hostile Waters."

Speakers:Ji'an "azraelxuemo" Zhou,Lishuo "ret2ddme" Song

SpeakerBio:  Ji'an "azraelxuemo" Zhou

Ji'an Zhou is a Security Engineer at Alibaba Cloud. He focuses on Java security and cloud native security, and his work has helped many high-profile vendors improve their products' security, including Google, Amazon, Cloudera, IBM, Microsoft, and Oracle. He has previously spoken at Black Hat, Zer0Con, and Off-by-One Con.

SpeakerBio:  Lishuo "ret2ddme" Song

Li'shuo Song is a Security Engineer at Alibaba Cloud. He focuses on browser security and has found several security bugs in Google Chrome.



ICSV - Friday - 10:00-10:30 PDT


Title: Safeguarding the Industrial Frontier: OT SOC & Incident Response
When: Friday, Aug 8, 10:00 - 10:30 PDT
Where: LVCCWest-Level2-W232 - Map

Description:

As the digital and physical worlds converge, Operational Technology (OT) environments face unprecedented cyber threats, demanding a specialized approach to security. This panel will delve into the critical realm of OT Security Operations Centers (SOCs) and incident response, exploring how organizations can effectively detect, respond to, and recover from cyberattacks targeting industrial control systems. We'll discuss the unique challenges of securing OT, best practices for building resilient SOC capabilities, and strategies for navigating complex incident response scenarios to ensure operational continuity and safety in our increasingly interconnected industrial landscape.

SpeakerBio:  Adam Robbie, Palo Alto Networks

Adam Robbie, Head of OT Security Research, Palo Alto Networks
Adam has been the Head of OT Security Research at Palo Alto Networks since 2022, with over 10 years of experience in both OT and IT industries. Publisher and author with SANS, IEEE, and other journals and conferences. His ambition is to contribute to securing our critical infrastructure, search for recent vulnerabilities, develop best practices, and lead new initiatives. Adam has a Bachelor and Master of Science in Electrical Engineering. Additionally, he obtained advanced certifications including the Global Industrial Cyber Security Professional (GICSP) and GIAC Response and Industrial Defense (GRID) certifications. In addition to his technical expertise, he has a strong background in leadership and education. As an Adjunct Professor, he has been teaching cybersecurity bootcamps at The George Washington University, University of Michigan, University of Wisconsin, and other universities. Through these roles, he has successfully mentored and guided students, encouraging them to excel in the field of cybersecurity. Additionally, he served as an advisor for developing cybersecurity curriculum across different universities.

During his tenure as a Senior Cyber Security Consultant at Deloitte, he gained extensive experience in performing ICSIoT penetration testing, threat hunting, risk assessment, and vulnerability research. Furthermore, he has actively contributed to enhancing detection systems through advanced research and creation of security use cases.



DL - Friday - 09:00-09:45 PDT


Title: SAMLSmith
When: Friday, Aug 8, 09:00 - 09:45 PDT
Where: LVCCWest-Level2-W212 - Map

Description:

SAMLSmith is the go-to tool for penetrating SAML applications with response forging. An evolution of the original tooling developed for proof-of-concept of SAML response forging in Entra ID, SAMLSmith is the product of continued research on SAML. While far from new, enterprises continue to not prioritize the security of how SaaS applications integrate or understand best practices for securing them. With many factors at play, SAML response forging can range from extremely difficult to near impossible for a SOC to detect. SAMLSmith has a lot of tricks up its sleeve, including: [1] Multiple identity provider response forging. [2] AD FS specific response forging mode. [3] SAML request processing. [4] InResponseTo support. SAMLSmith can be used in several response forging scenarios where the private key material can be obtained. In demonstration of use, we’ll explore using SAMLSmith for performing a Golden SAML attack against AD FS. Further, we’ll demonstrate the use of SAMLSmith that ties into new research around response forging, penetrating certain types of SaaS applications with even more stealth.

Speakers:Eric Woodruff,Tomer Nahum

SpeakerBio:  Eric Woodruff

Eric is the chief identity architect for Semperis. He previously was a member of the security research and product teams. Prior to Semperis, he worked as a security and identity architect at Microsoft partners, spent time at Microsoft as a senior premier field engineer, and spent almost 15 years in the public sector, with 10 of them as a technical manager. He is a Microsoft MVP for security, recognized for his expertise in the Microsoft identity ecosystem. He is a strong proponent of knowledge sharing and spends a good deal of time sharing his insights and expertise at conferences as well as through blogging. He further supports the professional security and identity community as an IDPro member, working as part of the IDPro Body of Knowledge committee.

SpeakerBio:  Tomer Nahum, Security Researcher at Semperis

Tomer is a security researcher at Semperis, where he works to find new attacks and how to defend against them in on-prem identity stacks such as Active Directory, as well as cloud identity systems. He was awarded Most Valuable Researcher (MVR) in 2023 by Microsoft Security Response Center (MSRC).



DL - Friday - 10:00-10:45 PDT


Title: SAMLSmith
When: Friday, Aug 8, 10:00 - 10:45 PDT
Where: LVCCWest-Level2-W212 - Map

Description:

SAMLSmith is the go-to tool for penetrating SAML applications with response forging. An evolution of the original tooling developed for proof-of-concept of SAML response forging in Entra ID, SAMLSmith is the product of continued research on SAML. While far from new, enterprises continue to not prioritize the security of how SaaS applications integrate or understand best practices for securing them. With many factors at play, SAML response forging can range from extremely difficult to near impossible for a SOC to detect. SAMLSmith has a lot of tricks up its sleeve, including: [1] Multiple identity provider response forging. [2] AD FS specific response forging mode. [3] SAML request processing. [4] InResponseTo support. SAMLSmith can be used in several response forging scenarios where the private key material can be obtained. In demonstration of use, we’ll explore using SAMLSmith for performing a Golden SAML attack against AD FS. Further, we’ll demonstrate the use of SAMLSmith that ties into new research around response forging, penetrating certain types of SaaS applications with even more stealth.

Speakers:Eric Woodruff,Tomer Nahum

SpeakerBio:  Eric Woodruff

Eric is the chief identity architect for Semperis. He previously was a member of the security research and product teams. Prior to Semperis, he worked as a security and identity architect at Microsoft partners, spent time at Microsoft as a senior premier field engineer, and spent almost 15 years in the public sector, with 10 of them as a technical manager. He is a Microsoft MVP for security, recognized for his expertise in the Microsoft identity ecosystem. He is a strong proponent of knowledge sharing and spends a good deal of time sharing his insights and expertise at conferences as well as through blogging. He further supports the professional security and identity community as an IDPro member, working as part of the IDPro Body of Knowledge committee.

SpeakerBio:  Tomer Nahum, Security Researcher at Semperis

Tomer is a security researcher at Semperis, where he works to find new attacks and how to defend against them in on-prem identity stacks such as Active Directory, as well as cloud identity systems. He was awarded Most Valuable Researcher (MVR) in 2023 by Microsoft Security Response Center (MSRC).



ASV - Friday - 17:00-17:30 PDT


Title: Satellite Networks Under Siege: Cybersecurity Challenges of Targeted DDoS Attacks
When: Friday, Aug 8, 17:00 - 17:30 PDT
Where: LVCCWest-Level2-W233 - Map

Description:

Satellite Networks Under Siege: Cybersecurity Challenges of Targeted DDoS Attacks explores how the rapid evolution of Low Earth Orbit constellations, such as those providing global broadband, has introduced a new frontier of cybersecurity challenges. This presentation delves deep into the unique vulnerabilities of satellite networks—including dynamic topologies, limited bandwidth, and predictable orbital patterns—that enable adversaries to execute persistent, targeted DDoS attacks with minimal botnet footprints. Attendees will learn about advanced attack methodologies and frameworks—exemplified by research on approaches like the HYDRA framework—that optimize botnet composition and allocation for multi-zone disruptions. Combining detailed theoretical models, simulation results, and optimization techniques, this talk provides a comprehensive analysis of both attack strategies and the emerging countermeasures. Focusing on enhancing cybersecurity for critical communication infrastructures, this session presents actionable insights drawn from thorough analysis and illustrative case studies, offering practical recommendations and a clear framework for understanding both offensive tactics and defensive measures essential for securing satellite communications.

SpeakerBio:  Roee Idan, Ben Gurion University
No BIO available


SEV - Friday - 16:00-16:59 PDT


Title: SEC Vishing Competition (SECVC)
When: Friday, Aug 8, 16:00 - 16:59 PDT
Where: LVCCWest-Level3-W317-W319 - Map

Description:

After our improv interlude, it's back to the phones as the final teams go live!



SEV - Friday - 13:30-15:30 PDT


Title: SEC Vishing Competition (SECVC)
When: Friday, Aug 8, 13:30 - 15:30 PDT
Where: LVCCWest-Level3-W317-W319 - Map

Description:

Now after our improv break, more teams place live calls, putting polished scripts and fresh research to the test against real corporate defenses in the SECVC!



SEV - Friday - 09:00-11:59 PDT


Title: SEC Vishing Competition (SECVC)
When: Friday, Aug 8, 09:00 - 11:59 PDT
Where: LVCCWest-Level3-W317-W319 - Map

Description:

Back again as an official DEF CON contest - join us as teams who've spent months researching and rehearsing place live calls, pitting cunning scripts against real corporate defenses to see who rings in the win!



BBV - Friday - 10:00-10:30 PDT


Title: Secret Life of an Automationist: Engineering the Hunt
When: Friday, Aug 8, 10:00 - 10:30 PDT
Where: LVCCWest-Level2-W229 - Map

Description:

If you have tried your hand at bug bounty, you have probably heard about the automation setups that some hunters use. The caveat here, though, is that there is little to no information sharing about this topic. I don't claim to be an expert, but after a couple of years of tool building and experimenting, I think these kinds of systems can be accessible/buildable by anyone. I want to share some of the "tips" and "pitfalls" that I have come across building some of my own automation around bug bounty. Topics will range from data engineering, event and data handling, architecture options, different ways to turn data into bugs, etc. I don't pretend to be an expert, but it is my opinion that there are not enough people sharing ideas and techniques when it comes to applying ENGINEERING to bug bounties. Automation, data, and discovery should be words that every bug hunter is fond of, not afraid of.

SpeakerBio:  Gunnar "g0lden" Andrews

Hello! I am an application security engineer by day, and a bug bounty hunter by night! I enjoy turning security research, and bug bounties, into an engineering problem. I love collaborating with others, and I am always trying to learn new technologies. Other than hacking, I enjoy hockey, fitness, exploring, and video games!



PLV - Friday - 15:45-16:30 PDT


Title: Secure Code Is Critical Infrastructure: Hacking Policy for the Public Good
When: Friday, Aug 8, 15:45 - 16:30 PDT
Where: LVCCWest-Level2-W232 - Map

Description:
SpeakerBio:  Tanya "SheHacksPurple" Janca, SheHacksPurple

Tanya Janca, aka SheHacksPurple, is the best-selling author of 'Alice and Bob Learn Secure Coding', 'Alice and Bob Learn Application Security' and the 'AppSec Antics' card game. Over her 28-year IT career she has won countless awards (including OWASP Lifetime Distinguished Member and Hacker of the Year), spoken all over the planet, and is a prolific blogger. Tanya has trained thousands of software developers and IT security professionals, via her online academies (We Hack Purple and Semgrep Academy), and her live training programs. Having performed counter-terrorism, led security for the 52nd Canadian general election, developed or secured countless applications, Tanya Janca is widely considered an international authority on the security of software. Tanya currently works at Semgrep as a Security Advocate.



BBV - Friday - 14:00-14:59 PDT


Title: Securing Intelligence: How hackers are breaking modern AI systems … and how bug bounty programs can keep up
When: Friday, Aug 8, 14:00 - 14:59 PDT
Where: LVCCWest-Level2-W228 - Map

Description:

Dane and Shlomie will share real-world AI vulnerabilities they've discovered in production environments, providing technical deep dives into specific bug classes that impact confidentiality, integrity, and availability, as well as those posing legal and reputational risks. They'll illustrate common flaws—from adversarial prompts and indirect prompt injection to context poisoning and RAG manipulation—while explaining the underlying architecture of affected systems and why traditional defenses often fall short.

They'll also outline practical mitigation strategies, highlighting best practices for organizations deploying AI models. Program managers will leave with concrete guidance on defining effective AI-focused scopes, crafting severity frameworks tailored to probabilistic AI behaviors, and optimizing bug bounty programs for maximum impact. Hackers will gain actionable insights into novel attack techniques, tips for identifying vulnerabilities unique to AI systems, and a clear understanding of how these vulnerabilities translate into real-world organizational risks.

Speakers:Dane Sherrets,Shlomie Liberow

SpeakerBio:  Dane Sherrets, Innovations Architect at HackerOne

Dane is an Innovations Architect at HackerOne, where he helps organizations run AI-focused bug bounty programs and improve the security of emerging technologies. His work includes winning 2nd place in the Department of Defense AI Bias Bounty competition, discovering critical vulnerabilities in platforms like Worldcoin, and helping design and manage Anthropic's AI Safety Bug Bounty program. Drawing on his background as a bug hunter, Dane blends strategic guidance with hands-on expertise to advance the safety and security of disruptive tech across industries.

SpeakerBio:  Shlomie Liberow, HackerOne

Shlomie Liberow is a security researcher who specialises in translating technical vulnerabilities into actionable business risk for enterprises. He has led technical delivery of live hacking events for major organizations, mediating over $20M in bounty payouts by helping companies understand the real-world impact of bugs within their specific environment and risk profile.

As a researcher, he has personally discovered 250+ vulnerabilities across Fortune 500 companies.



DCT - Friday - 17:30-17:50 PDT


Title: Silent Leaks: Harvesting Secrets from Shared Linux Environments
When: Friday, Aug 8, 17:30 - 17:50 PDT
Where: LVCCWest-Level1-Hall3-Track 4 - Map

Description:

You don’t need a kernel exploit to cross security boundaries in Linux, and all it takes is what the system already gives you. In this talk, I’ll expose a class of quiet yet dangerous vulnerabilities where common system features in multi-user Linux environments leak sensitive information between users by default.

We’ll explore how standard process inspection mechanisms and insecure scripting practices in real-world infrastructures, especially those used by large hosting panel providers, can expose database passwords, API tokens, internal URLs, and other secrets to unprivileged users. I’ll demonstrate how simple, legitimate system behaviors can be passively weaponized to gather intelligence, fingerprint users, and pivot across services, all without ever escalating privileges or exploiting a single bug. This talk shows how misconfigurations and design oversights can open the door to unintended visibility.

Whether you're a sysadmin, penetration tester, or just someone who lives in a shell, you’ll leave with a better understanding of what your environment might be silently exposing and how to lock it down.

SpeakerBio:  Cernica Ionut Cosmin

Ionut Cernica began his security journey through Facebook’s bug bounty program and quickly made a name for himself by responsibly disclosing vulnerabilities to major companies including Google, Microsoft, Yahoo, AT&T, eBay, and VMware. With over nine years of experience in web application security and penetration testing, he has built a solid reputation in both offensive and defensive security research.

Beyond bug bounty, Ionut is a seasoned CTF competitor, having participated in over 100 security competitions worldwide. He has represented the PwnThyBytes team in high-profile finals such as Codegate, Trend Micro, and DEF CON. Among his individual accomplishments, he won the mini CTF at the very first edition of AppSec Village at DEF CON.

Currently, Ionut is an Application Security Engineer at UiPath, where he focuses on product security and AI security research.



CRE - Friday - 10:15-10:59 PDT


Title: Silent Sabotage: How Nation-State Hackers Turn Human Error into Catastrophic Failures
When: Friday, Aug 8, 10:15 - 10:59 PDT
Where: LVCCWest-Level1-Hall4-Communities-C105 - Map

Description:

Nation-state hackers pose a formidable threat to critical infrastructure, compromising national security, intellectual property, and public safety. This presentation will delve into the tactics, techniques, and procedures (TTPs) employed by nation-state actors, providing a core understanding essential for developing effective defense strategies. Through an in-depth analysis of three real-world case studies, we will expose the implications of nation-state attacks on laboratory, critical infrastructure, and industrial systems. We will examine how these attacks exploit human vulnerabilities, such as social engineering and insider threats, as well as system weaknesses, including misconfiguration and software vulnerabilities. Drawing from recent breaches in research laboratories and industrial manufacturing facilities, we will identify the root causes of these incidents, including human error, malicious insider actions, and inadequate security controls. This presentation aims to provide attendees with a comprehensive understanding of nation-state attack patterns, enabling them to strengthen their organization’s defenses against these sophisticated threats.

Speakers:Nathan Case,Jon McCoy

SpeakerBio:  Nathan Case, CSO at Clarity

Nathan Case is a cybersecurity engineer and executive with over two decades of experience designing, securing, and scaling complex systems across public and private sectors. He currently serves as the Vice President of Cloud Computing and Cyber Solutions at Clarity, leading efforts at the intersection of secure cloud architecture, AI engineering, and national defense. In this role, he provides technical direction, manages multidisciplinary teams, and collaborates closely with government stakeholders to deliver operationally effective solutions that meet mission-critical needs.

SpeakerBio:  Jon McCoy, Security Architect at OWASP

Software security architect Jon McCoy brings over 20 years of experience in software development and cybersecurity to the forefront. With a strong foundation in .NET development, Jon transitioned into security, driven by a passion for proactive defense strategies and secure coding practices.

A dedicated contributor to the OWASP community, Jon has shared his expertise at numerous industry events, including OWASP Global AppSec. His recent presentation on "Lessons Learned from Past Security Breaches" highlighted critical takeaways for strengthening AppSec efforts before and after incidents.



MWV - Friday - 15:50-16:20 PDT


Title: Silent Sigma: Unraveling Iranian APT's 0-Day Warfare and Covert C2
When: Friday, Aug 8, 15:50 - 16:20 PDT
Where: LVCCWest-Level1-Hall1-W303 - Map

Description:
SpeakerBio:  Christopher Dio Chavez
No BIO available


DCT - Friday - 14:30-15:15 PDT


Title: Siri-ously Leaky: Exploring Overlooked Attack Surfaces Across Apple's Ecosystem
When: Friday, Aug 8, 14:30 - 15:15 PDT
Where: LVCCWest-Level1-Hall3-Track 4 - Map

Description:

Apple champions user privacy and security, but beneath its glossy screens and polished interfaces lies an overlooked field of subtle vulnerabilities lurking within trusted, everyday features: Siri, Spotlight, Safari, Apple Intelligence, and Apple's official support systems. This talk dives deeply into multiple zero-day issues discovered on fully updated, non-jailbroken iPhones—no specialized tools required. I'll demonstrate how missing lock-state checks, Siri context confusion, race conditions, faulty Unicode parsing, incomplete patches, and other subtle oversights enabled me to bypass Face ID locks, retrieve sensitive user data, spoof emails, and trigger daemon crashes. Specifically, I'll show you how I disclosed sensitive data on locked devices via Siri (CVE-2025-24198) and Spotlight (CVE-2024-44235), bypassed Safari's Face ID protection on private tabs (CVE-2025-30468), executed deceptive email spoofing (CVE-2025-24225), leaked Apple Intelligence internal prompts and Private Cloud Compute data to ChatGPT, and exploited an unresolved IDOR vulnerability on Apple's support site to retrieve almost any customer data.

References:

SpeakerBio:  Richard "richeeta" Hyunho Im

Richard Hyunho Im (@richeeta) is a senior security engineer and independent vulnerability researcher at Route Zero Security. Currently ranked among the top 25 researchers in OpenAI's bug bounty program, Richard has also received security acknowledgements from Apple (CVE-2025-24198, CVE-2025-24225, CVE-2025-30468, and CVE-2024-44235), Microsoft, Google, and the BBC. His research highlights overlooked attack surfaces, focusing on practical exploitation that challenges assumptions about everyday software security.



CHV - Friday - 16:30-16:59 PDT


Title: Smart Bus Smart Hacking: From Free WiFi to Total Control
When: Friday, Aug 8, 16:30 - 16:59 PDT
Where: LVCCWest-Level2-W232 - Map

Description:

Have you ever wondered how the On-Board Units (OBUs) in smart buses communicate and authenticate with Advanced Public Transportation Services (APTS) and Advanced Driver Assistance Systems (ADAS)? Shockingly, these systems can be easily tampered with and forged! In this session, we will share over 10 different vulnerabilities discovered from real experiences riding public transit: starting from connecting to the bus-provided free WiFi, hacking into the vehicular router, gaining access to the bus’s private network area, and ultimately controlling the communication between ADAS and APTS—including manipulating onboard LED displays, stealing driver and passenger information, acquiring bus operational data, and even penetrating the backend API servers of the transportation company. We also uncovered severe vulnerabilities and backdoors in cybersecurity-certified vehicular routers and monitoring equipment that could potentially compromise all global units of the same model. Through this presentation, attendees will gain an in-depth understanding of attack vectors starting from open free WiFi, expose security design flaws in connected public transport vehicles, and discuss potential systemic issues from a regulatory and specification-setting perspective.

Speakers:Chiao-Lin "Steven Meow" Yu,Kai-Ching "Keniver" Wang

SpeakerBio:  Chiao-Lin "Steven Meow" Yu, Threat Researcher at Trend Micro Red Team

Chiao-Lin Yu (Steven Meow) currently serves as a Red Team Cyber Threat Researcher at Trend Micro. He holds numerous professional certifications including OSCE³, OSEP, OSWE, OSED, OSCP, CRTP, CARTP, CESP-ADCS, LTP, CPENT, GCP ACE. Steven has previously presented at events such as Security BSides Tokyo 2023, HITCON Bounty House, and CYBERSEC 2024, 2025. He has disclosed 20+ CVE vulnerabilities in major companies like VMware, D-Link, and Zyxel. His expertise spans red team exercises, web security and IoT security.

SpeakerBio:  Kai-Ching "Keniver" Wang, Senior Security Researcher at CHT Security

Kai-Ching Wang (Keniver) is a Senior Security Researcher at CHT Security. He specializes in red team assessments and comprehensive security reviews, with a current focus on hacking IoT devices and cloud-native infrastructure. He has presented his research on the security of cloud-connected IoT camera systems at conferences such as SECCON in Japan and HITCON in Taiwan.



DCW - Friday - 09:00-12:59 PDT


Title: SnowGoat: Exposing Hidden Security Risks and Leaking Data Like a Threat Actor
When: Friday, Aug 8, 09:00 - 12:59 PDT
Where: LVCCNorth-Level2-N258 - Map

Description:

Join us for an engaging and interactive workshop where we delve into the hidden risks within your configurations in Snowflake. This intermediate-level session is designed to provide hands-on experience with vulnerable and misconfigured environments, utilizing plug-and-play Terraform scripts and your free-tier Snowflake and AWS accounts. Attendees will explore the UNC5337 data-theft and extortion campaign, and other common Snowflake misconfigurations and risks through a fun and interactive "Capture The Flag" (CTF) style attack scenario, with the main objective of leaking sensitive data from Snowflake.

Key Topics:
- Snowflake as a data-lake service and common security pitfalls.
- UNC5337 Data-Theft and Extortion Campaign: Gain insights into real-world cyber threats and how they operate.
- Solve problems and bypass misconfigured security mechanisms.
- Learn about data-related risks that could lead to a data breach.

Technical Level: Intermediate

Learning Outcomes: By the end of this workshop, attendees will:
- Understand best practices for securing configurations in Snowflake.
- Gain practical experience in identifying and mitigating unsecured configurations.
- Gain knowledge to handle real-world cyber threats effectively.

Speakers:Lior Adar,Chen Levy Ben Aroy

SpeakerBio:  Lior Adar, Cloud Security Researcher at Varonis

Lior is a senior security researcher at Varonis and a passionate security enthusiast with a broad background in red team operations, penetration testing, incident response, and advanced security research. With experience at Palo Alto Networks and Team8, Lior has enhanced his expertise in cybersecurity research across multiple domains, including various cloud providers and SaaS platforms. Known for contributing to the LOLBAS project, he specializes in evaluating emerging threats and analyzing data signals, combining a hands-on approach with a deep understanding of the attacker perspective.

SpeakerBio:  Chen Levy Ben Aroy, Cloud Security Research Team Lead at Varonis

Chen Levy Ben Aroy is a distinguished cybersecurity leader with a proven track record in cloud security, penetration testing, and red teaming. As a Cloud Security Research Team Lead at Varonis, Chen spearheads cutting-edge security research and innovation across multiple cloud providers and platforms. His previous roles at well-known enterprises, such as Porsche Digital and ABInbev, showcased his expertise in advanced malware development and strategic project management. With a robust background in a wide array of cybersecurity domains, Chen's visionary approach and technical acumen make him a sought-after expert in the industry.



DCT - Friday - 15:30-16:15 PDT


Title: So Long, and Thanks for All the Phish
When: Friday, Aug 8, 15:30 - 16:15 PDT
Where: LVCCWest-Level1-Hall3-Track 5 - Map

Description:

A rare look behind the scenes of a global phishing-as-a-service operation. We tell the story of how we infiltrated a phishing group, cracked their software, exploited a hidden backdoor, and followed an OSINT rabbit hole to uncover the identity of the primary software developer.

Speakers:Harrison Sand,Erlend Leiknes

SpeakerBio:  Harrison Sand

Harrison is a software and application security specialist with experience in embedded devices and IoT. He has worked closely with penetration testing, incident response, embedded security, and vulnerability management. He has a passion for cybersecurity research and has had work featured in publications such as TechCrunch, PC Magazine, The Register, Ars Technica, Hackaday, Aftenposten, and NRK.

SpeakerBio:  Erlend Leiknes

Erlend is a man of many towels (and talents)—a security consultant and retired bus driver, electrical engineer, and holder of a master's degree in technical societal safety. Erlend has gravitated towards hacking and IT since his teens and spent more than a decade at mnemonic as a security consultant, where he performs penetration testing, red teaming and conducts security research. A handful of CVEs have his name on them and some are even favored by the usual APTs—and in the spirit of Douglas Adams, there's no need to panic.



TRN - Tuesday - 08:00-16:59 PDT


Title: SOC 101 - SOC 1 Analyst Bootcamp
When: Tuesday, Aug 12, 08:00 - 16:59 PDT
Where: LVCCWest - Map

Description:

This course introduces students to Security Operations Center (SOC) skills and tools, providing a comprehensive foundation in the essential skills required for SOC analysts. Through extensive hands-on exercises and labs that mirror real-life SOC tasks and technologies, students will gain a practical, skill-based understanding of modern security operations.

Key areas of focus will include text handling, packet dissection and analysis, adversarial simulation, and detection engineering, equipping students with the expertise needed for various SOC tasks. The course emphasizes practical, foundational skills to ensure students are prepared to excel at core SOC tasks. This course will also introduce students to AI tools that improve SOC efficiency, accuracy, and response time in a rapidly evolving security landscape.

SpeakerBio:  Rod Soto, Detection Engineer and Researcher at Splunk Threat Research Team

Rod Soto has over 15 years of experience in information technology and security. He has worked in Security Operations Centers as a support engineer, SOC engineer, security emergency response, and incident response. He is currently working as a detection engineer and researcher at Splunk Threat Research Team and has previously worked at Prolexic/AKAMAI, Splunk UBA, JASK (SOC Automation).

Rod Soto was the winner of the 2012 BlackHat Las Vegas CTF competition and Red Alert ICS CTF at DEFCON 2022 contest. He has spoken at ISSA, ISC2, OWASP, DEFCON, RSA Conference, Hackmiami, DerbyCon, Splunk .CONF, Black Hat, BSides, Underground Economy and has also been featured in Rolling Stone Magazine, Pentest Magazine, Univision, BBC, Forbes, VICE, Fox News and CNN.



TRN - Monday - 08:00-16:59 PDT


Title: SOC 101 - SOC 1 Analyst Bootcamp
When: Monday, Aug 11, 08:00 - 16:59 PDT
Where: LVCCWest - Map

Description:

This course introduces students to Security Operations Center (SOC) skills and tools, providing a comprehensive foundation in the essential skills required for SOC analysts. Through extensive hands-on exercises and labs that mirror real-life SOC tasks and technologies, students will gain a practical, skill-based understanding of modern security operations.

Key areas of focus will include text handling, packet dissection and analysis, adversarial simulation, and detection engineering, equipping students with the expertise needed for various SOC tasks. The course emphasizes practical, foundational skills to ensure students are prepared to excel at core SOC tasks. This course will also introduce students to AI tools that improve SOC efficiency, accuracy, and response time in a rapidly evolving security landscape.

SpeakerBio:  Rod Soto, Detection Engineer and Researcher at Splunk Threat Research Team

Rod Soto has over 15 years of experience in information technology and security. He has worked in Security Operations Centers as a support engineer, SOC engineer, security emergency response, and incident response. He is currently working as a detection engineer and researcher at Splunk Threat Research Team and has previously worked at Prolexic/AKAMAI, Splunk UBA, JASK (SOC Automation).

Rod Soto was the winner of the 2012 BlackHat Las Vegas CTF competition and Red Alert ICS CTF at DEFCON 2022 contest. He has spoken at ISSA, ISC2, OWASP, DEFCON, RSA Conference, Hackmiami, DerbyCon, Splunk .CONF, Black Hat, BSides, Underground Economy and has also been featured in Rolling Stone Magazine, Pentest Magazine, Univision, BBC, Forbes, VICE, Fox News and CNN.



SEV - Friday - 08:30-17:59 PDT


Title: Social Engineering Community Village - Village Open
When: Friday, Aug 8, 08:30 - 17:59 PDT
Where: LVCCWest-Level3-W317-W319 - Map

Description:

Rise & shine, social engineers! Swing by to get your SEC merch, and claim your throne, because the phones start ringin' soon!



SEV - Friday - 08:30-08:59 PDT


Title: Social Engineering Community Village Greeting and 2025 Badge Overview
When: Friday, Aug 8, 08:30 - 08:59 PDT
Where: LVCCWest-Level3-W317-W319 - Map

Description:

Every year, electronic badges light up DEF CON, sparking creativity, community, and curiosity. But behind the blinking LEDs and clever puzzles are questions we rarely ask: How safe is this badge for its users? What's its environmental footprint? In this talk, we'll dive into the design of "The SEC Village Badge" from concept to execution - but more importantly, we'll explore a proposed framework for badge makers to disclose key safety information and environmental impact of their creation. From battery safety considerations and materials selection to end-of-life recycling and disposal, we'll discuss how transparency can empower the community, inspire more responsible design, and keep the badge life culture thriving sustainably. Whether you're a seasoned hardware hacker, a first-time badge maker, or just curious about what goes into creating these wearable works of art, this talk will challenge us to think beyond the soldering iron and consider the broader impact of our creations.

SpeakerBio:  Brent "TheDukeZip" Dukes

Brent is a longtime hacker and DEF CON attendee who has designed various electronic badges throughout the years. He may be the all-time champion at coming in second place in DEF CON competitions (but let's be honest, he'd probably turn out to be second place in that too!)



TRN - Tuesday - 08:00-16:59 PDT


Title: Software Defined Radios 101
When: Tuesday, Aug 12, 08:00 - 16:59 PDT
Where: LVCCWest - Map

Description:

Software Defined Radios (SDRs) are a powerful tool that has made the once-obfuscated domain of the electromagnetic spectrum open to anyone with a low-cost laptop and radio. From both an offensive and defensive perspective, an enormous attack surface, with many legacy devices and protocols, is open for exploitation. SDR 101 is a course designed for cyber security professionals of all skill levels who want to start working with RF signals and SDRs.

This class is a beginner's introduction to practical Software Defined Radio applications and development with an emphasis on hands-on learning. If you have ever been curious about the invisible world of radio waves and signals all around you, but didn't know where to begin, then this course is for you. Students can expect to learn about basic RF theory and SDR architecture before moving on to hands-on development with real radios. Over the two-day course, the instructor will guide students through progressively more complicated RF concepts and waveforms, culminating in a small capstone exercise. Students will be provided with a HackRF SDR for the duration of the class but will need to bring their own laptop to interface with the radio. VMs will be made available to students to download before class, along with an OS setup guide for those that prefer a bare-metal install. The VM/OS will have all the required drivers and frameworks to interface with the radio hardware, allowing us to jump right into hands-on exercises. My intent for this course is to lower the barrier of entry associated with RF hacking and give beginning students a practical understanding of RF and DSP applications with SDRs.

SpeakerBio:  Richard Shmel

Richard Shmel is an experienced research and development engineer focusing on radio communications and digital signals processing applications. He has over a decade of experience as an RF engineer and embedded software developer working on prototype radio systems and DSP frameworks. Disappointed by the lack of introductory SDR material he could give to new engineers, he decided to write his own training courses to help fill the gap. Richard has had the privilege of teaching SDR workshops and training at various local and national cyber security conferences - including DEF CON - for many years now. He is passionate about teaching RF/DSP and wireless technology, and will happily talk for hours on the subject if given the chance. Learn more at https://www.rnstechsolutions.com/.



TRN - Monday - 08:00-16:59 PDT


Title: Software Defined Radios 101
When: Monday, Aug 11, 08:00 - 16:59 PDT
Where: LVCCWest - Map

Description:

Software Defined Radios (SDRs) are a powerful tool that has made the once-obfuscated domain of the electromagnetic spectrum open to anyone with a low-cost laptop and radio. From both an offensive and defensive perspective, an enormous attack surface, with many legacy devices and protocols, is open for exploitation. SDR 101 is a course designed for cyber security professionals of all skill levels who want to start working with RF signals and SDRs.

This class is a beginner's introduction to practical Software Defined Radio applications and development with an emphasis on hands-on learning. If you have ever been curious about the invisible world of radio waves and signals all around you, but didn't know where to begin, then this course is for you. Students can expect to learn about basic RF theory and SDR architecture before moving on to hands-on development with real radios. Over the two-day course, the instructor will guide students through progressively more complicated RF concepts and waveforms, culminating in a small capstone exercise. Students will be provided with a HackRF SDR for the duration of the class but will need to bring their own laptop to interface with the radio. VMs will be made available to students to download before class, along with an OS setup guide for those that prefer a bare-metal install. The VM/OS will have all the required drivers and frameworks to interface with the radio hardware, allowing us to jump right into hands-on exercises. My intent for this course is to lower the barrier of entry associated with RF hacking and give beginning students a practical understanding of RF and DSP applications with SDRs.

SpeakerBio:  Richard Shmel

Richard Shmel is an experienced research and development engineer focusing on radio communications and digital signals processing applications. He has over a decade of experience as an RF engineer and embedded software developer working on prototype radio systems and DSP frameworks. Disappointed by the lack of introductory SDR material he could give to new engineers, he decided to write his own training courses to help fill the gap. Richard has had the privilege of teaching SDR workshops and training at various local and national cyber security conferences - including DEF CON - for many years now. He is passionate about teaching RF/DSP and wireless technology, and will happily talk for hours on the subject if given the chance. Learn more at https://www.rnstechsolutions.com/.



TRN - Tuesday - 08:00-16:59 PDT


Title: Solving Modern Cybersecurity Problems with AI
When: Tuesday, Aug 12, 08:00 - 16:59 PDT
Where: LVCCWest - Map

Description:

Since our sold-out class in 2024, we have refreshed the material to incorporate not only Agentic AI but Content Augmentation Generation (CAG)!

Have you ever wondered how the pros use AI to solve their complex cybersecurity problems? Come find out!

Artificial Intelligence (AI) and Large Language Models (LLMs) have emerged as robust and powerful tools that have redefined how many approach problem solving. The last few years have seen industry AI interest surge while Cybersecurity experts struggle not only to threat model LLMs but to leverage them effectively. Our training presents a comprehensive educational framework aimed at equipping students with the necessary skills to not only build their own LLM toolkits but to leverage AI and LLMs to build elegant solutions to solve complex problems unique to their own environments.

This class will teach students how to build their own AI frameworks to ingest data from either SaaS or on-prem data lakes. We will provide the tools for data consumption as well as data warehousing. From there we will walk students through transforming this data and making it operationally effective and efficient for their AI. We will cover various types of data common to Cybersecurity environments, potential issues with certain data types, and how to make the most of open source to help transform the data. We will also touch on training and LoRA for model customization.

As Cybersecurity experts, we also need to understand the risk that comes with the use of AI. For this purpose, we will discuss foundational knowledge to conduct both red and blue team exercises regarding AI. We will discuss risk analysis of the disparate components used to make AI functional, a holistic and functional approach to defending the supply chain, understanding vulnerability analysis, and modern day adversary attacks and techniques that you will encounter. Understanding modern security policy frameworks is just as important and we will cover a few of the popular frameworks used to secure and apply policy to your AI environment. We will cap this section of class off with a practicum of both attacking and defending our AI deployed in class.

Using the tools created in class, we will use the SOCMAN DEF CON model to solve hand-picked operational problems we have seen teams struggle with all over the world. You will learn how to use LLMs with agentic AI, how to augment our queries with our own data in two different methods (RAG/CAG), generate high quality YARA/SIGMA rules using your own data, tune your model to hunt complex patterns, improve application observability by adding context to "weird" behavior, how to hunt for APTs using real world scenarios and logs (Stuxnet), filter out noise to increase signal in your environment (SNR), and much more! All of these labs will be performed by students and will leverage AI as middleware to add contextual data between disparate platforms to solve your complex cybersecurity problems. All use cases will be performed by students live and in-class.

By the end of this training you will be able to:

Speakers:“K” Singh,Michael "Bluescreenofwin" Glass

SpeakerBio:  “K” Singh, Senior Incident Response Consultant at CrowdStrike

“K” Singh is currently a Senior Incident Response Consultant at CrowdStrike. Previously an Incident Response Consultant and the Forensic Lab Manager for the Global Incident Response Practice at Cylance – “K” has worked with multiple Fortune 500 companies, sector-leading firms, and healthcare organizations in a variety of engagements ranging from Incident Response to Traditional “Dead Disk” Forensics and E-Discovery. Additionally, “K” is also part of the Operations team for WRCCDC, handling infrastructure for the competition’s core cluster, student environments, Social Media outlets, and liaising between the Red Team and other teams to ensure the competition runs smoothly.

SpeakerBio:  Michael "Bluescreenofwin" Glass, Founder at Glass Security Consulting

Michael Glass AKA "Bluescreenofwin" is currently a Principal Security Engineer providing security leadership for one of the largest streaming technology companies in the world specializing in Blue Team, SecOps, and Cloud. Michael has been in the hacking and security scene for over 15 years working for a wide variety of organizations including government, private, and non-profit. Using this diverse background he has founded the company "Glass Security Consulting" in order to provide world class Cybersecurity instruction for Information Security Professionals and Hackers alike.



TRN - Monday - 08:00-16:59 PDT


Title: Solving Modern Cybersecurity Problems with AI
When: Monday, Aug 11, 08:00 - 16:59 PDT
Where: LVCCWest - Map

Description:

Since our sold out class in 2024, we have refreshed the material to incorporate not only Agentic AI but Content Augmentation Generation (CAG)!

Have you ever wondered how the pros use AI to solve their complex cybersecurity problems? Come find out!

Artificial Intelligence (AI) and Large Language Models (LLMs) have emerged as robust and powerful tools that have redefined how many approach problem solving. The last few years have seen industry AI interest surge while Cybersecurity experts struggle not only to threat model LLMs but to leverage them effectively. Our training presents a comprehensive educational framework aimed at equipping students with the necessary skills to not only build their own LLM toolkits but to leverage AI and LLMs to build elegant solutions to solve complex problems unique to their own environments.

This class will teach students how to build their own AI frameworks to ingest data from either SaaS or on-prem data lakes. We will provide the tools for both data consumption and data warehousing. From there we will walk students through transforming this data and making it operationally effective and efficient for their AI. We will cover various types of data common to Cybersecurity environments, potential issues with certain data types, and how to make the most of open source to help transform the data. We will also touch on training and LoRA for model customization.

As Cybersecurity experts, we also need to understand the risk that comes with the use of AI. For this purpose, we will discuss foundational knowledge to conduct both red and blue team exercises regarding AI. We will discuss risk analysis of the disparate components used to make AI functional, a holistic and functional approach to defending the supply chain, understanding vulnerability analysis, and modern day adversary attacks and techniques that you will encounter. Understanding modern security policy frameworks is just as important and we will cover a few of the popular frameworks used to secure and apply policy to your AI environment. We will cap this section of class off with a practicum of both attacking and defending our AI deployed in class.

Using the tools created in class, we will use the SOCMAN DEF CON model to solve hand-picked operational problems we have seen teams struggle with all over the world. You will learn how to use LLMs with agentic AI, how to augment our queries with our own data in two different methods (RAG/CAG), generate high quality YARA/SIGMA rules using your own data, tune your model to hunt complex patterns, improve application observability by adding context to "weird" behavior, how to hunt for APTs using real world scenarios and logs (Stuxnet), filter out noise to increase signal in your environment (SNR), and much more! All of these labs will be performed by students and will leverage AI as middleware to add contextual data between disparate platforms to solve your complex cybersecurity problems. All use cases will be performed by students live and in-class.

By the end of this training you will be able to:

Speakers:“K” Singh,Michael "Bluescreenofwin" Glass

SpeakerBio:  “K” Singh, Senior Incident Response Consultant at CrowdStrike

“K” Singh is currently a Senior Incident Response Consultant at CrowdStrike. Previously an Incident Response Consultant and the Forensic Lab Manager for the Global Incident Response Practice at Cylance – “K” has worked with multiple Fortune 500 companies, sector-leading firms, and healthcare organizations in a variety of engagements ranging from Incident Response to Traditional “Dead Disk” Forensics and E-Discovery. Additionally, “K” is also part of the Operations team for WRCCDC, handling infrastructure for the competition’s core cluster, student environments, Social Media outlets, and liaising between the Red Team and other teams to ensure the competition runs smoothly.

SpeakerBio:  Michael "Bluescreenofwin" Glass, Founder at Glass Security Consulting

Michael Glass AKA "Bluescreenofwin" is currently a Principal Security Engineer providing security leadership for one of the largest streaming technology companies in the world specializing in Blue Team, SecOps, and Cloud. Michael has been in the hacking and security scene for over 15 years working for a wide variety of organizations including government, private, and non-profit. Using this diverse background he has founded the company "Glass Security Consulting" in order to provide world class Cybersecurity instruction for Information Security Professionals and Hackers alike.



PGE - Friday - 18:00-20:59 PDT


Title: Spades Tournament & Game Night Social
When: Friday, Aug 8, 18:00 - 20:59 PDT
Where: LVCCWest-Level3-W322-W324 - Map

Description:

Join Us for the Ultimate Spades Tournament & Game Night Social! Looking for a fun way to unwind, connect, and enjoy some friendly competition? Our Spades Tournament & Game Night Social is the perfect way to relax while engaging in a classic card game that brings people together.



DL - Friday - 09:00-09:45 PDT


Title: Spotter - Universal Kubernetes Security Scanner and Policy Enforcer
When: Friday, Aug 8, 09:00 - 09:45 PDT
Where: LVCCWest-Level2-W209 - Map

Description:

Spotter is a groundbreaking open-source tool designed to secure Kubernetes clusters throughout their lifecycle. Built on the native tooling of Kubernetes by leveraging Common Expression Language for policy definitions, we can define unified security scanning across development, CLI, CI/CD, admission controllers, deployments, runtime, and continuous monitoring. Its unique approach enables both enforcement and monitoring modes, ensuring that policies can be applied consistently and mapped directly to industry standards such as CIS and MITRE ATT&CK. Spotter provides extremely high flexibility across all Kubernetes phases, providing an innovative approach that no other open-source or commercial solution can replicate. It seamlessly bridges security, DevOps, and platform teams, effectively solving the real-world challenges faced by day-to-day operations.

SpeakerBio:  Madhu "madhuakula" Akula, Pragmatic Security Leader

Madhu Akula is a pragmatic security leader and creator of Kubernetes Goat, an intentionally vulnerable by design Kubernetes Cluster to learn and practice Kubernetes Security. He is also a published author and Cloud Native Security Architect with extensive experience, and an active member of the international security, DevOps, and Cloud Native communities (null, DevSecOps, AllDayDevOps, AWS, CNCF, USENIX, etc). He holds industry certifications like CKA (Certified Kubernetes Administrator), CKS (Certified Kubernetes Security Specialist), OSCP (Offensive Security Certified Professional), etc.

Madhu frequently speaks and runs training sessions at security events and conferences around the world including DEFCON 24, 26, 27, 28, 29 & 30, BlackHat 2018, 19, 21 & 22, USENIX LISA 2018, 19 & 21, SANS Cloud Security Summit 2021 & 2022, O’Reilly Velocity EU 2019, Github Satellite 2020, Appsec EU (2018, 19 & 22), All Day DevOps (2016, 17, 18, 19, 20 & 21), DevSecCon (London, Singapore, Boston), DevOpsDays India, c0c0n(2017, 18), Nullcon 2018, 19, 21 & 22, SACON, Serverless Summit, null and multiple others.

His research has identified vulnerabilities in 200+ companies and organizations, including Google, Microsoft, LinkedIn, eBay, AT&T, WordPress, NTOP, Adobe, etc., and he is credited with multiple CVEs, acknowledgements, and rewards. He is co-author of Security Automation with Ansible2 (ISBN-13: 978-1788394512), which is listed as a technical resource by Red Hat Ansible. He is the technical reviewer for the Learn Kubernetes Security and Practical Ansible2 books by Packt Pub. He also won 1st prize for building an Infrastructure Security Monitoring solution at the InMobi flagship hackathon among 100+ engineering teams.



PLV - Friday - 11:00-11:45 PDT


Title: State of Open Source in the Federal Government
When: Friday, Aug 8, 11:00 - 11:45 PDT
Where: LVCCWest-Level2-W231 - Map

Description:
SpeakerBio:  Jordan Kasper
No BIO available


RTV - Friday - 14:00-15:50 PDT


Title: Stealing Browser Cookies: Bypassing the newest Chrome security measures
When: Friday, Aug 8, 14:00 - 15:50 PDT
Where: LVCCWest-Level1-Hall1-W405-Red Team Village/LVCC-L1-EHW1-405-Tactics 2 - Map

Description:

This session explores advanced security mechanisms implemented by major browsers to prevent cookie theft from their storage databases. Chrome has recently implemented AppBound encryption, which provides multi-layered protection for session cookies:

1) A 2-way DPAPI encryption system that operates with both elevated NT AUTHORITY\SYSTEM permissions and normal user-level decryption capabilities;

2) A state-key encryption layer utilizing the ChaCha20Poly1305 algorithm with custom keys (that once was AES-256-GCM encrypted);

These implementations have significantly reduced the effectiveness of info-stealing malware. However, this session will demonstrate potential vulnerabilities in these security measures and explain how to obtain decrypted cookies despite these protections. We will examine the new format specifications and encryption methodologies for cookies.

Beyond Chromium-based browsers, we'll explore Gecko's encryption algorithms, which involve structured ASN.1 data formats with multiple encryption schemes including 3DES and AES-256. We'll also analyze Chromium on macOS which relies on PBKDF2 key derivation, and WebKit-based browsers that store cookies in binary cookie files.

Additionally, we'll discuss Chrome's forthcoming "Device Bound Session Cookies" (DBSC) technology, which aims to further mitigate session hijacking through cookie theft by implementing TPM chip-based encryption and requiring proof of possession of the cryptographic key.

SpeakerBio:  Rafael Felix

Rafael has been working with malware development for 4 years, also being involved in the malware community for more than 6 years. He is also experienced in Incident and Response, specifically during malware inner workings analysis. Currently, Rafael is a researcher for Hakai Offensive Security, being deeply involved with red-team operations.



RTV - Friday - 12:00-12:50 PDT


Title: Stealing Browser Cookies: Bypassing the newest Chrome security measures
When: Friday, Aug 8, 12:00 - 12:50 PDT
Where: LVCCWest-Level1-Hall1-W405-Red Team Village/LVCC-L1-EHW1-405-Track 3 - Map

Description:
NOTE: There is an accompanying tactic that goes along with this workshop which will begin after the workshop completes.

This session explores advanced security mechanisms implemented by major browsers to prevent cookie theft from their storage databases. Chrome has recently implemented AppBound encryption, which provides multi-layered protection for session cookies:

1) A 2-way DPAPI encryption system that operates with both elevated NT AUTHORITY\SYSTEM permissions and normal user-level decryption capabilities;

2) A state-key encryption layer utilizing the ChaCha20Poly1305 algorithm with custom keys (that once was AES-256-GCM encrypted);

These implementations have significantly reduced the effectiveness of info-stealing malware. However, this session will demonstrate potential vulnerabilities in these security measures and explain how to obtain decrypted cookies despite these protections. We will examine the new format specifications and encryption methodologies for cookies.

Beyond Chromium-based browsers, we'll explore Gecko's encryption algorithms, which involve structured ASN.1 data formats with multiple encryption schemes including 3DES and AES-256. We'll also analyze Chromium on macOS which relies on PBKDF2 key derivation, and WebKit-based browsers that store cookies in binary cookie files.

Additionally, we'll discuss Chrome's forthcoming "Device Bound Session Cookies" (DBSC) technology, which aims to further mitigate session hijacking through cookie theft by implementing TPM chip-based encryption and requiring proof of possession of the cryptographic key.

SpeakerBio:  Rafael Felix

Rafael has been working with malware development for 4 years, also being involved in the malware community for more than 6 years. He is also experienced in Incident and Response, specifically during malware inner workings analysis. Currently, Rafael is a researcher for Hakai Offensive Security, being deeply involved with red-team operations.



- Friday - 10:00-12:59 PDT


Title: Sticker Swap
When: Friday, Aug 8, 10:00 - 12:59 PDT
Where: LVCCWest-Level2-W201-W202 - Map

Description:

Come stop by for our first official event where we will have custom stickers for VX Underground, Skyhopper, and more!



PLV - Friday - 13:00-13:45 PDT


Title: Takes All Kinds: Building Onramps for Emergency Web Archiving in Ukraine and Beyond
When: Friday, Aug 8, 13:00 - 13:45 PDT
Where: LVCCWest-Level2-W231 - Map

Description:
SpeakerBio:  Quinn Dombrowski
No BIO available


PHV - Friday - 13:00-13:59 PDT


Title: Teaching Your Reverse Proxy to Think: Fingerprint-Based Bot Blocking & Dynamic Deception
When: Friday, Aug 8, 13:00 - 13:59 PDT
Where: LVCCWest-Level2-W233 - Map

Description:

IP blocklists rot in minutes; fingerprints persist for months. Finch is a lightweight reverse proxy that makes allow, block, or route decisions based on TLS and HTTP fingerprints (JA3, JA4, JA4H, and HTTP/2), before traffic reaches your production servers or research honeypots. Layered on top, a custom AI agent monitors Finch’s event stream, silences boring bots, auto-updates rules, and even crafts stub responses for unhandled paths; so the next probing request gets a convincing reply. The result is a self-evolving, fingerprint-aware firewall that slashes bot noise and turns passive traps into dynamic deception.

SpeakerBio:  Adel Karimi, Member of Technical Staff at OpenAI

Adel is a security engineer at OpenAI with deep expertise in detecting and responding to “badness.” Outside of work, he builds open-source tools focused on threat detection, honeypots, and network fingerprinting—such as Finch, Galah, and Venator—and escapes to dark corners of the world to capture the beauty of the night sky.



DL - Friday - 16:00-16:45 PDT


Title: Tengu Marauder v2
When: Friday, Aug 8, 16:00 - 16:45 PDT
Where: LVCCWest-Level2-W212 - Map

Description:

Designed for wireless security testing and autonomous reconnaissance, Tengu Marauder v2 is a multi-terrain open-source robotic platform. Built around a Raspberry Pi and using ROS2, it combines real-time motor control, RF monitoring, and sensor data streaming to facilitate remote operations in challenging environments. Over the initial architecture, the v2 platform brings major enhancements in system modularity, communication security, and operational flexibility. Designed for safe remote access using encrypted VPN tunnels, the robot allows internet-based control and telemetry without exposing the system to direct network threats. Tengu Marauder v2 provides a tough, scalable basis for incorporating autonomy and cyber capabilities into your mobile security toolset, whether used for off-grid automation, robotics teaching, or red teaming.

Speakers:Lexie "L3xic0n" Thach,Munir Muhammad

SpeakerBio:  Lexie "L3xic0n" Thach

Lexie has worked in cybersecurity for ten years in various positions. During this time, she developed a strong affinity for electrical engineering, programming, and robotics engineering. Despite not having a traditional academic background, she has extensive hands-on experience from her eight years in the US Air Force, specializing in cybersecurity and tactical networks for aircraft missions and operations. Her focus on securing and testing the security of autonomous systems stems from these experiences, and she is passionate about sharing the techniques she has learned. She currently runs a local hackerspace in Philadelphia in support of DC215 called the Ex Machina Parlor where anyone can come to learn new hacking tools, try to build offensive or defensive security robots, and use 3D printers on standby for any prototyping people want.

SpeakerBio:  Munir Muhammad

Munir is a cybersecurity intern with the City of Philadelphia and a senior in college. He’s focused on learning how to keep computer systems safe from threats. He is especially interested in defensive security and enjoys finding new ways to protect networks and data. He is active in local tech meetups, works on open-source security projects, and is a member and community engagement coordinator at EMP (Ex Machina Parlor), a Philadelphia hackerspace where people can explore new hacking tools, build security robots, and use 3D printers for prototyping. He also supports students as a teaching assistant for software engineering courses. He is looking forward to meeting new people at DEF CON, learning from the community, and helping newcomers find their way into cybersecurity.



BBV - Friday - 14:30-15:30 PDT


Title: Testing Trust Relationships: Breaking Network Boundaries
When: Friday, Aug 8, 14:30 - 15:30 PDT
Where: LVCCWest-Level3-W326 - Map

Description:

What do you do when your blind XXE is non functional when egress-out is seemingly blocked? What do you do when there are strict filters for your full read SSRF vulnerability? Modern infrastructure on the cloud has many nuances, especially with trust boundaries. This talk goes through how we can push these boundaries and achieve our offensive security goals by abusing easy to spin up infrastructure or techniques. The internet is a different place depending on where you're coming from.

Speakers:Michael Gianarakis,Jordan Macey

SpeakerBio:  Michael Gianarakis, Co-founder & CEO at Assetnote

Michael Gianarakis is the Co-founder and CEO of Assetnote, a pioneer in the Attack Surface Management (ASM) space and a recognized leader in helping organizations continuously monitor and secure their external attack surfaces. In 2025, Assetnote was acquired by Searchlight Cyber, where Michael now leads enterprise product.

SpeakerBio:  Jordan Macey, Assetnote
No BIO available


DCT - Friday - 16:00-16:45 PDT


Title: The (Un)Rightful Heir: My dMSA Is Your New Domain Admin
When: Friday, Aug 8, 16:00 - 16:45 PDT
Where: LVCCWest-Level1-Hall3-Track 2 - Map

Description:

Delegated Managed Service Accounts (dMSA) are Microsoft’s shiny new addition to Active Directory in Windows Server 2025. Their primary goal was to improve the security of domain environments. As it turns out, that didn’t go so well.

In this talk, we introduce BadSuccessor - an attack that abuses dMSAs to escalate privileges in Active Directory. Crucially, the attack works even if your domain doesn’t use dMSAs at all.

We’ll demonstrate how a very common, and seemingly benign, permission in Active Directory can allow us to trick a Domain Controller into issuing a Kerberos ticket for any principal - including Domain Admins and Domain Controllers. Then we’ll take it a step further, showing how the same technique can be used to obtain the NTLM hash of every user in the domain - without ever touching the domain controller.

We’ll walk through how we found this attack, how it works, and its potential impact on AD environments.

References:

SpeakerBio:  Yuval Gordon

Yuval Gordon is a Security Researcher at Akamai Technologies, specializing in Active Directory security and identity-based attacks. Yuval's research is focused on offensive security, malware analysis, and threat hunting.



MWV - Friday - 17:10-17:40 PDT


Title: The Beauty of Reversing Swift Malware
When: Friday, Aug 8, 17:10 - 17:40 PDT
Where: LVCCWest-Level1-Hall1-W303 - Map

Description:
SpeakerBio:  Christopher Lopez
No BIO available


PAYV - Friday - 14:00-14:45 PDT


Title: The challenges of Sub-dermal Payments
When: Friday, Aug 8, 14:00 - 14:45 PDT
Where: LVCCWest-Level1-Hall2-W505 - Map

Description:
SpeakerBio:  Amal Graafstra, VivoKey
No BIO available


MWV - Friday - 14:00-14:15 PDT


Title: The creation of the Malmongotchi badge
When: Friday, Aug 8, 14:00 - 14:15 PDT
Where: LVCCWest-Level1-Hall1-W303 - Map

Description:
SpeakerBio:  Austin Worline
No BIO available


CPV - Friday - 16:30-16:59 PDT


Title: The depths that marketers will plummet to
When: Friday, Aug 8, 16:30 - 16:59 PDT
Where: LVCCWest-Level2-W233 - Map

Description:

In the run up to Google’s plans to dump 3rd party cookies, marketing firms (a $1.7 TRILLION dollar industry) were sent into a complete panic. These firms relied heavily on 3rd party cookies in order to better attribute CPM (cost per 1000 clicks) and how many of those clicks turned into sales. So advertisers could better study human behavior and trends in order to more effectively sell products.

As a former Security Engineer at the Largest Independent Digital Marketing firm in the world, I had a unique view into the evils that these companies were developing in order to not only maintain a view into consumer trends but to increase these views, increase the invasiveness of these techniques, and increase the cooperation between all levels of the industry from display point (streaming service), device point (iPhone, TV), location points (via ISP), to sales point.

This talk is a peek under the curtain for the server side data harvesting that agencies have developed, and how they’ve managed to twist this further invasion into so-called consumer protection and increased privacy.

SpeakerBio:  4dw@r3

4dw@r3 (they/them) is a dedicated security and risk management expert with extensive experience navigating complex environments. Sean excels at developing a comprehensive understanding of intricate systems and crafting strategic roadmaps to revitalize security programs. By identifying high-risk areas and optimizing the use of existing resources, Sean removes barriers between teams to enhance communication and coordination, driving effective security outcomes. Beyond their professional pursuits, Sean finds joy in backpacking through the mountains with their adventurous Australian Shepherd and twins, embracing the serenity of nature and the thrill of exploration.



DCT - Friday - 10:00-10:45 PDT


Title: The One Bitcoin Heist: Making a custom Hashcat module to solve a decade-old puzzle challenge
When: Friday, Aug 8, 10:00 - 10:45 PDT
Where: LVCCWest-Level1-Hall3-Track 5 - Map

Description:

In 2014, someone by the name of Spencer Lucas released the “One Bitcoin Book”, a set of 20 clues that when solved, unlocked a bitcoin wallet containing one bitcoin (then valued at ~$400). Over 10 years and a six-figure price tag later, it remained unclaimed. In December 2024, the prize was finally claimed through a combination of human-solved solutions and a custom module for Hashcat designed to test various combinatorial possibilities for the unknown or uncertain clues.

This talk will cover the puzzle itself, how the answers unlocked the prize (through the brainwallet process), and the development of a custom Hashcat module to crack brainwallet passphrases using cheap, cloud-based GPU power. It will also discuss the challenges encountered along the way and the troubleshooting approaches used to overcome them.

References:

SpeakerBio:  Joseph "stoppingcart" Gabay

Joseph Gabay is a security researcher, hardware hacker, and robotics engineer with a passion for reverse engineering and tackling unique challenges. At DEF CON 29, they presented DoS: Denial of Shopping, where they analyzed and exploited shopping cart immobilization systems, and expanded further upon that work at DEF CON 31. Their work and research focuses on integrating knowledge from a diverse set of domains to deeply understand systems and uncover unique insights about their design and potential vulnerabilities.



DCT - Friday - 12:00-12:20 PDT


Title: The Ultimate Hack: Applying Lessons Learned from the loss of TITAN to Maritime Cybersecurity
When: Friday, Aug 8, 12:00 - 12:20 PDT
Where: LVCCWest-Level1-Hall3-Track 5 - Map

Description:

The 2023 loss of the Titan submersible was a tragic wake-up call that exposed dangerous gaps in safety oversight, design practices, and regulation in extreme maritime environments. As leader of the international search-and-rescue response, I witnessed firsthand the human consequences of operating innovative technologies in legal gray zones without sufficient safeguards. Titan's creators leveraged regulatory loopholes to push design boundaries, dismissing expert warnings and bypassing standard safety certifications. This same pattern of unchecked innovation, inadequate oversight, and hubris mirrors critical vulnerabilities now facing maritime cybersecurity. Just as Titan’s passengers unknowingly placed trust in untested designs, vessels today rely increasingly on digitally interconnected yet inadequately secured systems, creating risks that could lead to catastrophic failures. Harsh environmental conditions and remote operations compound the potential impacts of maritime cyber incidents, paralleling Titan’s tragic fate. This paper connects the painful lessons from the Titan tragedy to urgent maritime cybersecurity needs—arguing for clear international regulation, rigorous independent testing, and proactive incident response planning—to prevent similar disasters at sea.

References:

This presentation will be a combination of my own experiences, the evidence collected during the TITAN Marine Board of Investigation and reports from U.S. Coast Guard cyber command and other sources regarding maritime cybersecurity. The TITAN investigation is available here: link

Maritime Cybersecurity references are available here: link

SpeakerBio:  Rear Admiral John Mauger, USCG (Ret.)

Rear Admiral John W. Mauger, USCG (Ret.), is a seasoned executive with over 33 years of leadership experience in the maritime industry, national security, and cyber operations. As Commander of the First Coast Guard District, he led over 12,000 people and oversaw critical port operations in New England, deploying innovative technologies like counter-drone systems to enhance security. RADM Mauger's leadership during the June 2023 TITAN capsule search and recovery at the TITANIC site highlighted his ability to lead complex crises in the international spotlight. At U.S. Cyber Command, RADM Mauger revolutionized cyber training by developing a cloud-based environment that modernized cyber exercises and increased readiness. Earlier in his career, he led domestic and international regulatory programs. His work protected mariners and the environment, created new markets for alternative fuels, and established a new international code to safeguard vital Polar regions. Now leading (PORTS) LLC, John uses his diverse expertise to help clients plan for and navigate complex challenges in the maritime and critical infrastructure industries while enhancing personnel and team performance through effective training.



MISC - Wednesday - 11:00-17:59 PDT


Title: The Unofficial DEF CON Shoot
When: Wednesday, Aug 6, 11:00 - 17:59 PDT
Where: Other / See Description

Description:

The DEF CON Shoot is a public event that happens just prior to the DEF CON hacker conference in Las Vegas, Nevada. It is an opportunity to see and shoot some of the guns belonging to your friends while taking pride in showing and firing your own steel, as well, in a relaxed and welcoming atmosphere. We choose a spot, then we rent tables, canopies, and bring all the necessary safety equipment and amenities. All you need to bring is yourself and (optionally) your firearms. New shooters and veterans both attend regularly. You can attend with your firearms, of course, but folk without guns of their own in Vegas may have the opportunity to try gear from others in attendance. Admission costs are intentionally kept low, just so we can break even on expenses for the amenities provided.

Offsite - Pro Gun Vegas Address: 12801 US 95 South. Boulder City, NV 89005



BBV - Friday - 15:30-15:59 PDT


Title: The Year of the Bounty Desktop: Bugs from Binaries
When: Friday, Aug 8, 15:30 - 15:59 PDT
Where: LVCCWest-Level3-W326 - Map

Description:

Desktop applications are the forgotten attack surface of bug bounty hunting. They're usually out of scope, but they talk to assets that aren't. In this talk, I'll share how I've earned bounties by targeting desktop apps directly or leveraging them to find bugs in paying assets.

SpeakerBio:  Parsia "CryptoGangsta" Hakimian, Offensive Security Engineer at Microsoft

Parsia is an offensive security "engineer" at Microsoft. While not a full-time hunter, he has learned a great deal from hunts and the bug bounty community. He spends most of his time reading code and experimenting with static and dynamic analysis -- but wishing he was gaming.

Parsia has previously presented at DEF CON's main venue and the AppSec Village. When not breaking (or fixing) things, he plays videogames, D&D, spends time with family outside - and, as his wife jokes, "subjects himself to the tax and immigration systems of US and Canada".



DL - Friday - 09:00-09:45 PDT


Title: TheTimeMachine
When: Friday, Aug 8, 09:00 - 09:45 PDT
Where: LVCCWest-Level2-W211 - Map

Description:

TheTimeMachine is an offensive OSINT and bug bounty recon suite that revives forgotten endpoints from the past using the Wayback Machine. Designed for red teamers, CTF players, and bounty hunters, it automates historical data mining, subdomain extraction, parameter harvesting, and endpoint fuzzing for vulnerabilities like XSS, open redirect, LFI, and SQLi. The suite also integrates a powerful JWT analysis engine to extract, decode, and highlight juicy fields from tokens hidden in archived URLs. TheTimeMachine also hunts leaked archives and even verifies whether archived snapshots are still live. With colorful terminal output, modular CLI tools, and support for custom wordlists, this tool resurrects the buried past to exploit the forgotten future. Dead links don’t die here—they just get reconned harder.

Speakers: Arjun "T3R4_KAAL" Chaudhary, Anmol "Fr13nd0x7f" K. Sachan

SpeakerBio:  Arjun "T3R4_KAAL" Chaudhary

Arjun is a dedicated and certified cybersecurity professional with extensive experience in web security research, vulnerability assessment and penetration testing (VAPT), and bug bounty programs. His background includes leading VAPT initiatives, conducting comprehensive security risk assessments, and providing remediation guidance to improve the security posture of various organizations. With a Master's degree in Cybersecurity and hands-on experience with tools such as Burp Suite, Wireshark, and Nmap, he brings a thorough understanding of application, infrastructure, and cloud security. As a proactive and self-motivated individual, he is committed to staying at the forefront of cybersecurity advancements. He has developed specialized tools for exploiting and mitigating vulnerabilities and collaborated with cross-functional teams to implement effective security controls. His passion for cybersecurity drives him to continuously learn and adapt to emerging threats and technologies. He is enthusiastic about contributing to innovative security solutions and engaging with the broader security community to address complex cyber threats. He believes that the future of cybersecurity lies in our ability to innovate and adapt, and he is dedicated to making a meaningful impact in this field.

SpeakerBio:  Anmol "Fr13nd0x7f" K. Sachan

Anmol is a security consultant at NetSPI with expertise in web, API, AI/ML, and network penetration testing as well as attack surface management and offensive security automation. He has reported to over 50 organizations via VDPs, discovered multiple CVEs, and co-founded cybersecurity communities like CIA Conference and OWASP Chandigarh. He is also an active open-source contributor — his tools like WayBackLister, ThreatTracer, The Time Machine, and more have collectively earned over 600 GitHub stars. He is passionate about red teaming and building tools that enhance real-world security assessments.



BHV - Friday - 17:00-17:30 PDT


Title: They deployed Health AI on us. We’re bringing the rights & red teams.
When: Friday, Aug 8, 17:00 - 17:30 PDT
Where: LVCCWest-Level2-W229 - Map

Description:

AI is rapidly reshaping healthcare—from diagnostics to mental health chatbots to surveillance inside EHRs—often without patient consent or clear oversight. The Patient AI Rights Initiative (https://lightcollective.org/patient-ai-rights/) lays out the first patient-authored ethical framework for Health AI. Now it’s time to test it like any other system: for failure, bias, and exploitability.

We’ll introduce the 7 Patient AI Rights and challenge participants to stress test them through the lens of security research. Working in small groups, you'll choose a Right and explore how it could break down in the real world.

Together, we’ll co-create early prototypes for a “Red Teaming Toolkit for Health AI” to evaluate Health AI systems based on the priorities of the people most impacted by them: patients.

This session is ideal for patient activists, engineers, bioethicists, and anyone interested in building accountable, rights-respecting AI systems from the outside in.

SpeakerBio:  Andrea Downing
No BIO available


PLV - Friday - 13:45-14:30 PDT


Title: Third-Party Access Granted: A Postmortem on Student Privacy and the Exploit That’s Still in Production
When: Friday, Aug 8, 13:45 - 14:30 PDT
Where: LVCCWest-Level2-W231 - Map

Description:
SpeakerBio:  Sharlene Toney
No BIO available


MHV - Friday - 15:00-15:45 PDT


Title: Threat Dynamics on the Seas
When: Friday, Aug 8, 15:00 - 15:45 PDT
Where: LVCCWest-Level2-W231 - Map

Description:

The tides are changing. The seas are the key frontier for power projection and commerce by nations, companies, and militaries -- and surveillance and cybersecurity tradecraft are rapidly reshaping sea-side threat dynamics. Join three of the biggest minds in national security to explore threats to the maritime domain as the strategic centerpiece for conflict in the digital age. From port cranes to drug smuggling, and Navy ships to undersea cables, the fight is everywhere.

Speakers: RADM John Mauger, Michael Sulmeyer, Adam Segal

SpeakerBio:  RADM John Mauger, PORTS LLC, USCG (ret.)

Rear Admiral John W. Mauger, USCG (Ret.) is a seasoned executive with over 33 years of leadership experience in the maritime industry, national security, and cyber operations. Known for his foresight, innovative approach to problem solving, and ability to drive change, John has left an indelible mark on every role he’s undertaken—from commanding complex Coast Guard operations to shaping the future of cyber defense.

As Commander of the First Coast Guard District, he led over 12,000 people and oversaw critical port operations in New England, deploying innovative technologies like counter-drone systems to enhance security. John's leadership during the TITAN capsule search and recovery at the TITANIC site highlighted his ability to lead complex crises in the international spotlight.

At U.S. Cyber Command, John revolutionized cyber training, developing a cloud-based environment that modernized cyber exercises and increased readiness. John also served as the Coast Guard’s first Executive Champion for the National Naval Officers Association, mentoring future leaders and driving organizational change.

Earlier in his career, John led key regulatory projects for both domestic and international shipping. His work protected mariners and the environment, created new markets for alternative fuels, and established a new international code to safeguard vital Polar regions.

Now leading (PORTS) LLC, John uses his diverse expertise to help clients plan for and navigate complex challenges in the maritime and critical infrastructure industries while enhancing personnel and team performance through effective training.

SpeakerBio:  Michael Sulmeyer, US DoD (ret.), Georgetown School of Foreign Service

Michael Sulmeyer will start as Professor of the Practice at the School of Foreign Service's Security Studies Program in the fall of 2025. He most recently served as the first Assistant Secretary of Defense for Cyber Policy and as Principal Cyber Advisor to the Secretary of Defense. He has held other senior roles involving cyber-related issues with the U.S. Army, the Office of the Secretary of Defense, U.S. Cyber Command and the National Security Council. In academia, he was a Senior Fellow with Georgetown's Center for Security and Emerging Technology. He holds a doctorate in politics from Oxford University where he was a Marshall Scholar, and a law degree from Stanford Law School.

SpeakerBio:  Adam Segal, Council on Foreign Relations

Adam Segal is the Ira A. Lipman chair in emerging technologies and national security and director of the Digital and Cyberspace Policy program at the Council on Foreign Relations (CFR). From April 2023 to June 2024, Segal was a senior advisor in the State Department's Bureau of Cyberspace and Digital Policy, where he led the development of the United States International Cyberspace and Digital Policy. An expert on security issues, technology development, and Chinese domestic and foreign policy, Segal was the project director for the CFR-sponsored Independent Task Force reports Confronting Reality in Cyberspace, Innovation and National Security, Defending an Open, Global, Secure, and Resilient Internet, and Chinese Military Power. His book The Hacked World Order: How Nations Fight, Trade, Maneuver, and Manipulate in the Digital Age (PublicAffairs, 2016) describes the increasingly contentious geopolitics of cyberspace. Segal is also the author of Advantage: How American Innovation Can Overcome the Asian Challenge (W.W. Norton, 2011) and Digital Dragon: High-Technology Enterprises in China (Cornell University Press, 2003), as well as several articles and book chapters on Chinese technology policy.



BBV - Friday - 16:00-16:30 PDT


Title: To Pay or Not to Pay? The Battle Between Bug Bounty & Vulnerability Disclosure Programs
When: Friday, Aug 8, 16:00 - 16:30 PDT
Where: LVCCWest-Level3-W326 - Map

Description:

Running parallel vulnerability submission programs - one paid, one unpaid - is like managing two restaurants with the same kitchen but different menus and expectations. Researchers have strong feelings on this topic but so do businesses operating and funding the programs.

SpeakerBio:  Aaron "scriptingxss" Guzman, CISO at Cisco

Aaron serves as Cisco's Network Devices CISO, securing millions of on-premises and cloud-managed products powering global internet infrastructure. With over 10 years in crowdsourced security—both as researcher and program owner—he drives Cisco's public bug bounty program while launching comprehensive vulnerability disclosure capabilities.



DDV - Friday - 13:00-13:59 PDT


Title: Tracking 300k+ drives: What we’ve learned after 13 years
When: Friday, Aug 8, 13:00 - 13:59 PDT
Where: LVCCWest-Level2-W225 - Map

Description:

Backblaze Drive Stats is an open dataset that has tracked hard drive and SSD reliability across our data centers since 2013. This session covers recent backend upgrades—including a modular versioning system and migration to Snowflake with Trino and Iceberg—that improved data processing and failure validation. We'll also share updated AFR trends by drive model and size, SSD tracking challenges, and share how drive insights have underpinned performance improvements in data centers.

Speakers: Pat Patterson, Stephanie Doyle

SpeakerBio:  Pat Patterson, Chief Technical Evangelist at Backblaze

Pat Patterson is the chief technical evangelist at Backblaze. Over his three decades in the industry, Pat has built software and communities at Sun Microsystems, Salesforce, StreamSets, and Citrix. In his role at Backblaze, he creates and delivers content tailored to the needs of the hands-on technical professional, acts as the “voice of the developer” on the Product team, and actively participates in the wider technical community. Outside the office, Pat runs far, having completed ultramarathons up to the 50 mile distance. Catch up with Pat via Bluesky or LinkedIn.

SpeakerBio:  Stephanie Doyle, Associate Editor & Writer at Backblaze

Stephanie is the Associate Editor & Writer at Backblaze. She specializes in taking complex topics and writing relatable, engaging, and user-friendly content. You can most often find her reading in public places, and can connect with her on LinkedIn.



CRE - Friday - 12:00-12:59 PDT


Title: Tunnelpocalypse
When: Friday, Aug 8, 12:00 - 12:59 PDT
Where: LVCCWest-Level1-Hall4-Communities-C105 - Map

Description:

Deep dive into GRE Tunnel encapsulation vulnerability

SpeakerBio:  Rich Compton, Comcast
No BIO available


MISC - Friday - 16:00-17:59 PDT


Title: Um, ACKtually...
When: Friday, Aug 8, 16:00 - 17:59 PDT
Where: LVCCWest-Level1-Atrium-East-Contest Stage

Description:

"Um, ACKtually" is a hacker twist on an established gameshow hosted by Dropout TV (Um, Actually). In this show, contestants are read a short statement about film, television, literature, etc. which contains one incorrect detail. The contestants must buzz in with the correction, preceded by the phrase "Um, Actually". In DEF CON's version, these statements are all related to tech / cybersecurity. Anyone who has spent any amount of time on social media knows how much hackers love to correct each other!

Come watch some of your favorite hacking personalities publicly weaponize mansplaining for your entertainment!



DL - Friday - 13:00-13:45 PDT


Title: Unmanned Wireless Penetration Testing Device
When: Friday, Aug 8, 13:00 - 13:45 PDT
Where: LVCCWest-Level2-W212 - Map

Description:

The Unmanned Wireless Penetration Testing Device is a modular, open-source system enabling remote wireless security assessments. Using long-range LoRa communication, a mobile rover can perform Wi-Fi reconnaissance, deauthentication attacks, Bluetooth device discovery, and image capture without requiring proximity to the target network. Controlled entirely via encrypted LoRa packets, the system is optimized for secure operations in remote or inaccessible environments. Attendees will see live demonstrations of wireless attacks issued over LoRa and learn how the system can be adapted for mobile and drone-based security operations. Source code and build instructions will be freely available under an open license.

Speakers: Ayaan Qayyum, Omar Hamoudeh

SpeakerBio:  Ayaan Qayyum

Ayaan is a Master of Science student in electrical engineering at Columbia University. His research interests include mobile computing, applied machine learning, edge AI, digital signal processing, mathematical modeling, and information systems. He completed his undergraduate studies at Rutgers University–New Brunswick, earning a Bachelor of Science in electrical and computer engineering with a minor in mathematics. His technical background spans embedded systems, wireless communication, and hardware security, with certifications in AWS AI and cloud technologies. He has published research across cybersecurity, FPGA systems, and machine learning, including a project on FPGA fast Fourier transform implementation and a machine learning-based stock forecasting model. His work has been recognized at academic conferences such as the IEEE Integrated STEM Education Conference and the Rutgers JJ Slade Research Symposium. He is currently a technical research intern at the Intelligent and Connected Systems Laboratory at Columbia University. He was a program mentor for the Governor's School of New Jersey designing search-and-rescue drone systems utilizing real-time edge inference. He is passionate about building scalable, open-source security tools and bridging the gap between theory and real-world deployment.

SpeakerBio:  Omar Hamoudeh

Omar is a wireless security enthusiast and builder who recently completed his B.S. in electrical and computer engineering at Rutgers University. His work focuses on embedded systems security, hardware hacking, and wireless exploitation. As part of a senior design project, he developed an unmanned wireless penetration testing rover using LoRa for remote Wi-Fi scanning and reconnaissance. The project earned second place at the 2025 Rutgers ECE Capstone Expo. He also worked extensively on secure architecture projects, including implementing TrustZone on an ARM-based microcontroller to separate secure and non-secure execution environments. In a separate project, he designed a lightweight firmware validation system to detect unauthorized modifications in IoT devices. His current research centers on building low-profile tools for wireless network exploitation and resilience testing.



DCT - Friday - 15:30-16:15 PDT


Title: Unmasking the Snitch Puck: the creepy IoT surveillance tech in the school bathroom
When: Friday, Aug 8, 15:30 - 16:15 PDT
Where: LVCCWest-Level1-Hall3-Track 4 - Map

Description:

With the commoditization of IoT surveillance technology, private and public entities alike have been rushing to put every facet of our lives under surveillance. Unfortunately, schools are no exception in the ongoing privacy race to the bottom. In this talk, we present our analysis of a popular line of IoT vape detectors marketed primarily to schools. Rey first learned of the existence of this device while he was a student in high school, scanning the local network during his lunch break. He became obsessed with the idea of reverse-engineering it, and a couple of years later he got an opportunity when a specimen appeared on eBay.

This talk will cover our journey of acquiring the device and doing a hardware teardown. Then, we'll talk about dumping the firmware, examining its behavior, and doing some light reverse-engineering to uncover some fun appsec vulnerabilities. We'll discuss implications of our findings on this particular series of devices, as well as on the ed-tech surveillance industry as a whole.

We will release a copy of the device filesystem, as well as our scripts for decrypting OEM firmware and packing custom firmware updates.

Speakers: Reynaldo "buh0", nyx

SpeakerBio:  Reynaldo "buh0"

Rey started out finding bugs and holes in websites at 15. He began attending local infosec meetups in Portland, Oregon—like RainSec and PDX2600—soaking up everything he could. After stumbling across a creepy surveillance device at his high school, he drifted into hardware security and reverse engineering. He’s determined to keep learning and digging deeper.

SpeakerBio:  nyx

nyx is a Portland-based hacker, engineer, and self-described cyberpunk. As an unwilling participant in the late-capitalist, mass-surveillance dystopia, he is passionate about digital privacy, data self-custody, and running his own infra. Ultimately, he hopes to wrest control of his online life back from the megacorps and help others do the same. He holds the OSCP, and in his professional life he develops system software for a Fortune 100 tech company's internal consulting team, specializing in security, networks, and devops. When not making a living looking at the bad screen, in his free time he enjoys looking at the good screen.



MWV - Friday - 13:40-13:55 PDT


Title: Using Stardew Valley mods as a C2 and infostealer
When: Friday, Aug 8, 13:40 - 13:55 PDT
Where: LVCCWest-Level1-Hall1-W303 - Map

Description:
SpeakerBio:  Gecko
No BIO available


ASV - Friday - 15:00-15:30 PDT


Title: VDP in Aviation - How it shouldn't be done!
When: Friday, Aug 8, 15:00 - 15:30 PDT
Where: LVCCWest-Level2-W229 - Map

Description:

Vulnerability Disclosure in Aviation has long been, and continues to be, a very sensitive topic. Whilst large improvements have been made by some in recent years, there are still some corners of the industry who could do much better. Gaffers has experience in both submitting and receiving vulnerability disclosures within the industry and will share some stories highlighting the good, the bad, and the ugly.

SpeakerBio:  Matt Gaffney, United Airlines
No BIO available


RTV - Friday - 12:00-13:50 PDT


Title: Vector Space Manipulation in LLMs
When: Friday, Aug 8, 12:00 - 13:50 PDT
Where: LVCCWest-Level1-Hall1-W405-Red Team Village/LVCC-L1-EHW1-405-Tactics 4 - Map

Description:

A vector space is a mathematical framework where words, phrases, sentences, or even entire documents are represented as numerical vectors. These vectors capture both semantic and syntactic relationships between linguistic units, enabling models to process and generate text effectively.

Words are mapped to high-dimensional vectors within a continuous vector space. In models such as Word2Vec, GloVe, and large language models (LLMs), each word is represented as a dense vector (e.g., 300 dimensions or more). These vectors are learned during training and encode semantic relationships. For example, the vectors for king and queen will be close to each other in the vector space due to their similar contexts. In LLMs like GPT and BERT, word vectors are not static but vary depending on context. This means the same word can have different vector representations based on the surrounding words. For instance, the word bank will have distinct vector representations in river bank versus financial bank.

In this workshop we will explore tactics to manipulate the vector space. These methods include prompt engineering and poisoning data streams with in them. The methods target RAG (Retrieval-Augmented Generation) based LLM applications, LLM agents, and LLMs that search the web to access information. The methods result in DoS conditions and manipulated data generation in LLM models. An attack scenario is putting a malicious comment in an online product review system, so that when the LLM accesses it, its output will be manipulated or its performance will be degraded.

SpeakerBio:  Muhammad Mudassar Yamin

Dr. Muhammad Mudassar Yamin is currently working as an Associate Professor at the Department of Information and Communication Technology at the Norwegian University of Science and Technology (NTNU). He is a member of the system security research group, and the focus of his research is on system security, penetration testing, security assessment, and intrusion detection. Before joining NTNU, Mudassar worked as an Information Security consultant and served multiple government and private clients. He holds multiple cybersecurity certifications, such as OSCE, OSCP, LPT-MASTER, CEH, CHFI, CPTE, CISSO, and CBP.



IOTV - Friday - 17:30-17:59 PDT


Title: Vibe School: Making dumb devices smart with AI
When: Friday, Aug 8, 17:30 - 17:59 PDT
Where: LVCCWest-Level2-W228 - Map

Description:

Smart home technology often comes with a hefty price tag, particularly for specialized devices like weather stations. So I did it myself: instead of buying an expensive 'smart' device, I integrated a conventional weather station into Home Assistant. With AI-powered assistance and a "vibe coding" approach, even complex devices can be made smart. From sniffing device communications to getting Gemini to generate C++. With modern AI tools, empowering your existing "dumb" devices is more accessible and achievable than ever before, opening up a world of custom smart solutions without breaking the bank.

SpeakerBio:  Katie "InsiderPhD" Paxton-Fear, Principal Security Researcher at Traceable by Harness

Dr Katie Paxton-Fear is an API security expert and a Security Advocate at Semgrep. In her words, she used to make applications and now she breaks them. A former API developer turned API hacker, she has found vulnerabilities in organizations ranging from the Department of Defense to Verizon, with simple API vulnerabilities. Dr Katie has been a featured expert in the Wall Street Journal, BBC News, ZDNet, The Daily Swig and more. She shares some of the easy ways hackers can exploit APIs and how they get away without a security alert! Dr Katie regularly delivers security training and security research to some of the largest brands worldwide. She combines easy-to-understand explanations with key technical details that turn security into something everyone can get.



DCT - Friday - 11:00-11:45 PDT


Title: Virtualization-Based (In)security - Weaponizing VBS Enclaves
When: Friday, Aug 8, 11:00 - 11:45 PDT
Where: LVCCWest-Level1-Hall3-Track 3 - Map

Description:

Virtualization Based Security (VBS) is one of the most fascinating security advancements of recent years - the ability to isolate critical components of the OS enabled Microsoft to achieve substantial security improvements with features like Credential Guard and HVCI.

One of the more interesting features enabled through VBS is VBS Enclaves - a technology that allows a process to isolate a region of its memory, making it completely inaccessible to other processes, the process itself, and even the kernel.

While VBS enclaves can have a wide range of security applications, they can also be very appealing to attackers - running malware in an isolated region, out of the reach of EDRs and security analysts? Sign us up!

With this research we set out to explore the concept of enclave malware. We will dive into VBS enclaves while exploring previously undocumented behaviors, and describe the different scenarios that can enable attackers to run malicious code inside enclaves.

We will then work towards weaponizing VBS enclaves - we will describe the different techniques that could be used by malware running within enclaves, and show how they enable creating stealthy implants that can go completely undetected.

References:

Microsoft VBS enclave documentation
Windows Internals 7th edition, part 1
Windows Internals 7th edition, part 2
CVE-2023-36880 exploit
VBS enclave exploitation

SpeakerBio:  Ori David

Ori David is a senior security researcher at Akamai. His research is focused on offensive security, malware analysis, and threat hunting.



BBV - Friday - 12:00-12:59 PDT


Title: Voices from the Frontlines: Managing Bug Bounties at Scale
When: Friday, Aug 8, 12:00 - 12:59 PDT
Where: LVCCWest-Level2-W229 - Map

Description:

Bug bounty programs have become a cornerstone of modern security strategy, but managing them at scale is anything but simple. In this panel, leaders from some of the world’s largest and most mature bug bounty programs, including Amazon, PayPal, AWS, Shopify, and Splunk, will share hard-won insights from the frontlines.

We will explore the nuances of triage, researcher relationships, reward strategies, internal buy-in, legal hurdles, and responsible scaling. Panelists will also discuss how bug bounty culture is shifting, what is working (and what is not), and how they are evolving their programs to meet today’s threat landscape.

Whether you are running a bounty program, hacking in one, or simply curious about what happens behind the scenes, this candid discussion will surface lessons, real-world experiences, and future-focused perspectives from those who lead these programs every day.

Speakers: Gabriel Nitu, Jay Dancer, Tyson Laa Deng, Ryan Nolette, Goshak

SpeakerBio:  Gabriel Nitu, Splunk

Splunk Offensive Security Engineer with over 9 years of experience poking holes in things (responsibly, of course) and helping others sleep at night (sometimes). Whether it’s finding flaws in a product before the bad guys sniff them out, leading incident response like a firefighter, or scaling bug bounty programs, Gabriel brings a mix of curiosity, chaos, and calm.

SpeakerBio:  Jay Dancer, Shopify
No BIO available
SpeakerBio:  Tyson Laa Deng, PayPal
No BIO available
SpeakerBio:  Ryan Nolette, Amazon / AWS
No BIO available
SpeakerBio:  Goshak, Amazon / AWS
No BIO available


BBV - Friday - 17:00-17:30 PDT


Title: VRP @ Google -- a look inside a large self-hosted VRP
When: Friday, Aug 8, 17:00 - 17:30 PDT
Where: LVCCWest-Level3-W326 - Map

Description:

This presentation will share the unique, and sometimes unusual, aspects of the Google Vulnerability Rewards Program (VRP), Google’s self-hosted bug bounty program. We’ll begin by taking a closer look at a bug rewarded by the VRP, in particular how an external researcher discovered & escalated the bug with the help of Google security engineers, demonstrating how the Google VRP operates and in which ways the Google VRP is slightly different than most other bug bounty programs. In the course of this presentation, we will also cover aspects such as the Google VRP’s reward philosophy, its policies around vulnerability transparency, details of our triage process, and more! This talk will provide multiple actionable takeaways for you to consider for your own bug bounty program.

SpeakerBio:  Sam "erbbysam" Erb, Security Engineer at Google

Sam is a security engineer @ Google and helps run the Google & Alphabet VRP. In the past, Sam has won two DEF CON Black Badges and numerous live hacking event awards including an MVH trophy. Sam has submitted hundreds of bug bounty reports and triaged thousands of your reports.



DL - Friday - 15:00-15:45 PDT


Title: WarHead
When: Friday, Aug 8, 15:00 - 15:45 PDT
Where: LVCCWest-Level2-W208 - Map

Description:

Warhead is an offensive security tool that leverages Windows Atom Tables to store, retrieve, and execute payloads in a stealthy manner. This technique enables adversaries to place a payload in the Atom Table, use a legitimate process to extract it, and execute it in memory—bypassing traditional detection mechanisms. The first version of Warhead, to be released at Black Hat Arsenal 2025, provides security researchers and red teamers with a novel approach to payload delivery and execution that evades modern security defenses.

Speakers: Vishal "Vish" Thakur, David "Votd_ctf" Wearing

SpeakerBio:  Vishal "Vish" Thakur

Vishal Thakur is a seasoned expert in the information security industry, with extensive experience in hands-on technical roles specializing in Incident Response, Emerging Threats, Malware Analysis, and Research. Over the years, Vishal has developed a strong reputation for his deep technical expertise and ability to address complex security challenges.

He has shared his research and insights at prominent international conferences, including BlackHat, DEFCON, FIRST, and the SANS DFIR Summit, where his sessions have been highly regarded for their depth and practical relevance. Additionally, Vishal has delivered training and workshops at BlackHat and the FIRST Conference, equipping participants with cutting-edge skills and techniques. Vishal currently leads the Incident Response function for the APAC region at Atlassian.

SpeakerBio:  David "Votd_ctf" Wearing
No BIO available


RTV - Friday - 13:00-13:50 PDT


Title: Weaponizing Kestrel: Red Team Tradecraft for Hunting
When: Friday, Aug 8, 13:00 - 13:50 PDT
Where: LVCCWest-Level1-Hall1-W405-Red Team Village/LVCC-L1-EHW1-405-Track 2 - Map

Description:

This workshop explores how Kestrel can be innovatively used for hunting advanced threats in critical infrastructures using offensive security methodologies. The workshop delves into techniques and strategies that simulate real-world adversary attacks while also identifying vulnerabilities and anomalous behaviors with offensive techniques before they are exploited in a real scenario. This workshop will perform controlled and simulated attacks, such as network intrusion, data exfiltration, and persistence, to generate artifacts that will serve as the foundation for active threat hunting. We will configure and calibrate Kestrel to identify anomalous patterns within network traffic and system interactions, correlating these patterns with MITRE ATT&CK tactics.

This workshop will innovate on the methodology for integrating the Kestrel tool into a threat hunting process within offensive techniques, providing new ways of thinking about advanced threat detection and proactive security.

Speakers: Daniel Benavides, Ronald González

SpeakerBio:  Daniel Benavides

Daniel Benavides (age 27) is an experienced cybersecurity professional with more than 7 years of experience in the sector. For four and a half years, he worked as a Systems Administrator (SysAdmin) for the government of El Salvador, where he was responsible for the management and security of critical infrastructure and government systems. Subsequently, for 3 years, he served as Supervisor of a Security Operations Center (SOC) at RSM US LLP, a prominent North American consulting firm, where he led teams in security monitoring, detection, and incident response.

Currently, Daniel holds the role of Senior XDR Consultant at Palo Alto Networks, where he applies his experience to the implementation and optimization of advanced extended detection and response (XDR) solutions. His work focuses on incident response, threat hunting, advanced threat analysis, and the creation of detection rules based on cyber intelligence, helping to strengthen his clients' security.

His academic background includes a degree in Systems Engineering from Universidad Don Bosco in El Salvador and a Diploma in Cyber Intelligence obtained in Spain, which complement his technical and strategic knowledge. In addition, Daniel holds a series of professional certifications that attest to his expertise in the field: the CompTIA Security+ and CompTIA CySA+ certifications, the AWS CLF-C02 cloud certification, and XDR-specific certifications from Stellar Cyber and Palo Alto Cortex.

Outside of work, Daniel is passionate about Brazilian Jiu Jitsu, in which he holds a blue belt, and he actively participates in Capture The Flag (CTF) competitions, demonstrating his skill at solving security challenges. He also spends time exploring the TryHackMe cybersecurity platform, where he continues to hone his skills and knowledge. In addition, he loves traveling the world, which allows him to explore new cultures and perspectives.

The combination of his professional experience, advanced technical skills, academic background, and varied hobbies positions him as a well-rounded expert in the field of cybersecurity, with a solid track record in protecting systems and managing security operations.

SpeakerBio:  Ronald González

Ronald González is an Offensive Security Investigator, Threat Hunter, and Incident Response, Digital Forensics, and SecDevOps professional with more than 10 years of experience in computer systems. He has been a Government Forensic Expert specializing in computer crime scenes and now practices as an individual. He is a national and international consultant helping organizations find vulnerabilities. Ronald holds a few recognized certifications, including CPTS from HackTheBox, GoogleSecOps, and CHFI. He is the leader of the DEF CON DC11503 group, HackTheBox El Salvador, and BSides El Salvador, and has spoken at DEFCON Red Team Village 32, TEDx, and many other conferences.



DCT - Friday - 13:30-14:15 PDT


Title: Weaponizing Trust: Investigating a Threat Actor Targeting Security Researchers and Academics
When: Friday, Aug 8, 13:30 - 14:15 PDT
Where: LVCCWest-Level1-Hall3-Track 5 - Map

Description:

You patch vulnerabilities, sandbox malware, and audit code. You know not to click suspicious links. But what if the real threat isn't in phishing emails or zero-days—but in the very tools and research you're relying on? In late 2024, we uncovered a new threat actor, MUT-1244, targeting security professionals, red teamers, and academics. They use trojanized proof-of-concept exploits and fake software updates to exploit trust in open-source tools and research environments.

During our investigation, we discovered over 390,000 leaked credentials that MUT-1244 exfiltrated from a compromised actor, revealing the scale of their operation. In this talk, we'll reveal how MUT-1244 operates through fake GitHub profiles and showcase our use of OSINT to map their infrastructure and tactics. We'll also share our attribution findings and methodology.

Attendees can expect to hear technical details of the campaigns conducted by this threat actor, some notes on attribution, ideas for detecting this activity in your environment and the story of how the speakers discovered over 390,000 credentials inadvertently stolen from unrelated threat actors by MUT-1244.

Speakers:Christophe Tafani-Dereeper,Matt Muir

SpeakerBio:  Christophe Tafani-Dereeper

Christophe lives in Switzerland and works on cloud security research and open source at Datadog. He previously worked as a software developer, penetration tester and cloud security engineer. Christophe is the maintainer of several open-source projects such as Stratus Red Team, GuardDog, CloudFlair, Adaz, and the Managed Kubernetes Auditing Toolkit (MKAT).

SpeakerBio:  Matt Muir

Matt is a security researcher with a passion for UNIX and UNIX-like operating systems. He previously worked as a macOS malware analyst and his background includes experience in the areas of digital forensics, DevOps, and operational cyber security. Matt enjoys technical writing and has published research including the discovery of the first malware family to target AWS Lambda, emerging cloud-focused botnets, and a series of novel Linux malware campaigns.



DCT - Friday - 10:00-10:20 PDT


Title: Welcome to DEF CON 33!
When: Friday, Aug 8, 10:00 - 10:20 PDT
Where: LVCCWest-Level1-Hall3-Track 1 - Map

Description:
SpeakerBio:  Jeff "The Dark Tangent" Moss, DEF CON Communications, Inc.

Mr. Moss is an internet security expert and is the founder of both the Black Hat Briefings and DEF CON Hacking conferences.



PLV - Friday - 15:00-15:45 PDT


Title: What Europeans are doing right about cyber security
When: Friday, Aug 8, 15:00 - 15:45 PDT
Where: LVCCWest-Level2-W232 - Map

Description:
Speakers:Muhammad Mudassar Yamin,Espen Torseth

SpeakerBio:  Muhammad Mudassar Yamin

Dr. Muhammad Mudassar Yamin is currently working as an Associate Professor at the Department of Information and Communication Technology at the Norwegian University of Science and Technology (NTNU). He is a member of the system security research group, and the focus of his research is on system security, penetration testing, security assessment, and intrusion detection. Before joining NTNU, Mudassar worked as an Information Security consultant and served multiple government and private clients. He holds multiple cybersecurity certifications, such as OSCE, OSCP, LPT-MASTER, CEH, CHFI, CPTE, CISSO, and CBP.

SpeakerBio:  Espen Torseth
No BIO available


DCT - Friday - 13:00-13:45 PDT


Title: What is Dead May Never Die: The Ghost of Internet Explorer in Windows: MapUrlToZone
When: Friday, Aug 8, 13:00 - 13:45 PDT
Where: LVCCWest-Level1-Hall3-Track 2 - Map

Description:

In 2023, Microsoft detected a nation state actor (Forest Blizzard/STRONTIUM) exploiting a "zero-click" remote code execution vulnerability in Outlook by sending a malicious email. Microsoft fixed this in part by adding a call to the MapUrlToZone API, which determines where a path is located so callers can make a trust decision. Critical components like Outlook, Office, Windows Shell and sandboxes rely on MapUrlToZone to make intelligent security decisions, but little research has historically focused on MapUrlToZone itself. Microsoft Security Response Center has a unique role in analyzing systemic trends in areas like this and driving deep technical research to remediate security issues. This talk will focus on MSRC's review of the MapUrlToZone API, which identified several novel ways to trick Windows into thinking that a remote untrusted file exists on the local machine. We will talk about how we approached this research and exploited key differences in how MapUrlToZone and the Windows filesystem parse file paths. In total, this research identified a dozen CVEs across various vulnerability types. All of the issues covered have been fixed with CVEs in early 2025. In addition to the individual fixes for this component, we'll also cover how MSRC worked with internal teams to build more comprehensive mitigations.

References:

  • There is very little prior research on MapUrlToZone. Our main reference point was Ben Barnea's recent research.

Speakers:George Hughey,Rohit Mothe

SpeakerBio:  George Hughey

George is passionate about Windows Security and improving the security landscape for all Windows users. Over the past five years as a member of MSRC's Vulnerabilities and Mitigations Team, George has investigated various components in Windows, hunting for and remediating the most pervasive vulnerabilities in the ecosystem.

SpeakerBio:  Rohit Mothe

Rohit Mothe is a Security Researcher on the Vulnerabilities & Mitigations team at the Microsoft Security Response Center (MSRC) and has experience researching and exploiting vulnerabilities for over a decade in various roles.



IOTV - Friday - 13:00-13:45 PDT


Title: What is Dead May Never Die: The Immortality of SDK Bugs
When: Friday, Aug 8, 13:00 - 13:45 PDT
Where: LVCCWest-Level2-W232 - Map

Description:

Any chip of sufficient complexity needs one thing if it is to actually get used in devices - a Software Development Kit (SDK). This collection of binaries, proprietary services, and code samples allows board designers to quickly and easily incorporate an otherwise complex chip into their existing environments. However, once this code is bundled into various product lines from various vendors, it becomes nearly impossible to make sure it gets updated with new versions. What happens if a vulnerability is discovered? Suddenly, hundreds of thousands of devices, all from different vendors and spanning years of releases, are affected by the same bug, and it turns into a perpetual game of whack-a-mole trying to get them all patched. And botnet authors are definitely paying attention. In this talk, we will discuss the attack surfaces present in the SDKs from some major chipset manufacturers, talk about some exploits (both old-day and 0-day), and try to figure out what can be done to cleanse the internet of the zombie SDK vuln plague.

Speakers:Richard "HeadlessZeke" Lawshae,Chiao-Lin "Steven Meow" Yu,Kai-Ching "Keniver" Wang

SpeakerBio:  Richard "HeadlessZeke" Lawshae, Principal Security Researcher at Keysight Technologies

Ricky "HeadlessZeke" Lawshae is a Principal Security Researcher for Keysight Technologies. He has been hunting vulnerabilities in IoT devices for the past 15 years or so and has discovered and disclosed dozens of vulnerabilities in products from HID Global, Crestron, Meta, Mazda, Realtek, and more. His work has been featured in Wired, Forbes, Hackaday, and the CISA KEV list. He is based out of beautiful Austin, TX (AHA! represent).

SpeakerBio:  Chiao-Lin "Steven Meow" Yu, Threat Researcher at Trend Micro Red Team

Chiao-Lin Yu (Steven Meow) currently serves as a Red Team Cyber Threat Researcher at Trend Micro. He holds numerous professional certifications including OSCE³, OSEP, OSWE, OSED, OSCP, CRTP, CARTP, CESP-ADCS, LTP, CPENT, and GCP ACE. Steven has previously presented at events such as Security BSides Tokyo 2023, HITCON Bounty House, and CYBERSEC 2024 and 2025. He has disclosed 20+ CVE vulnerabilities in major companies like VMware, D-Link, and Zyxel. His expertise spans red team exercises, web security and IoT security.

SpeakerBio:  Kai-Ching "Keniver" Wang, Senior Security Researcher at CHT Security

Kai-Ching Wang (Keniver) is a Senior Security Researcher at CHT Security. He specializes in red team assessments and comprehensive security reviews, with a current focus on hacking IoT devices and cloud-native infrastructure. He has presented his research on the security of cloud-connected IoT camera systems at conferences such as SECCON in Japan and HITCON in Taiwan.



DCW - Friday - 09:00-12:59 PDT


Title: Whitebox Web Exploit Dev (WWED)
When: Friday, Aug 8, 09:00 - 12:59 PDT
Where: LVCCNorth-Level2-N252 - Map

Description:

WWED is designed for students to gain experience exploiting real world web applications and take their assessment skills to the next level. Students will learn advanced vulnerability discovery techniques to identify and exploit vulnerabilities in real world web applications. They will get hands-on experience using free and widely available Linux utilities to observe application behavior in order to more effectively discover and exploit application vulnerabilities. Using a whitebox approach, students will rapidly discover and exploit non-trivial bugs without requiring expensive commercial tools or the guesswork that comes with blackbox testing.

Students will be provided virtual machines of commercially available software applications which will be used for this heavily lab focused course. At the conclusion of the class each student will have developed a fully functional remote root PoC. This course targets a wide range of skill levels and will leverage a hints system to help students who may fall behind, incrementally releasing solutions through each exercise.

Speakers:Cale "calebot" Smith,Luke Cycon,Young Seuk Kim,Priyanka Joshi

SpeakerBio:  Cale "calebot" Smith

Cale Smith is a nerd who loves both building and breaking, so he can get better at building. He is passionate about understanding how anything and everything works; improving security along the way is just a bonus. He is also passionate about sharing his passion and created this course to pass along some of the more accessible techniques he has picked up. His professional career originated exclusively as a builder, but he has been focusing on the security and breaking side for the last 15 years. During that time he has dabbled in the web weenie life, cloud, binary, IoT and, most recently, mobile. Currently he manages a device oriented AppSec team at Amazon. While AFK he is probably riding a bike or climbing rocks.

SpeakerBio:  Luke Cycon

Security engineer by day, barbecue hacker by night—celebrating each fixed bug with a bit too much somaek. Off the clock, you'll find him tinkering with hardware or firing lasers at something.

SpeakerBio:  Young Seuk Kim

Husband, father, hacker, gamer. Young’s path into security started like a good game exploit—he wanted to win, bent the rules, and discovered a passion for hacking. He began as a web app security consultant, moved into penetration testing and red teaming, and now works in application security engineering, helping teams build secure systems (and still breaking things for fun). He also dives into all kinds of games and stories, especially fantasy with Eastern martial arts, and loves dissecting media with the same curiosity he brings to code.

SpeakerBio:  Priyanka Joshi

Priyanka sustained her academic voyage using curiosity as her paddles before landing her first job as a software security engineer in an ancient company. For three years thereafter, she focused on research, development and security testing of OAuth2.0 and OpenID implementations. This experience led to her discovery of her passion in the identity space. In her current appsec engineer adventure at Amazon, she enjoys working on secure design assessments, bug bounty triage and fix validation, consults and security testing of web services. In her leisure, she enjoys hiking, lazy gymming, sketching, singing, watching anime and reading manga.



CON - Friday - 22:30-00:30 PDT


Title: Whose Slide Is It Anyway?
When: Friday, Aug 8, 22:30 - 00:30 PDT
Where: Unknown

Description:

“Whose Slide Is It Anyway?” is the unholy union of improv comedy, hacking, and slide deck sado-masochism. We are the embodiment of the hacker battle cry "FUCK IT, WE'LL DO IT IN PROD."

Our team of slide monkeys will create a stupid amount of short slide decks on whatever nonsense tickles our fancies. Slides are not exclusive to technology, they can and will be about anything. Contestants will take the stage and choose a random number corresponding to a specific slide deck. They will then improvise a minimum 5 minute / maximum 10 minute lightning talk, becoming instant subject matter experts on whatever topic/stream of consciousness appears on the screen.

But....why?

Because for us, the stage is hallowed ground and since stupidity can't be stopped, we decided to weaponize it. Whether you delight in the chaos of watching your fellow hackers squirm or would like to sacrifice yourself to the Contest Gods, it’s a night of schadenfreude for the whole family.

Participant Prerequisites

A blatant and offensive disregard to any and all comfort zones to which one has heretofore been accustomed.

Pre-Qualification

None.



CRE - Friday - 10:00-17:59 PDT


Title: WipeOut XL hi-score tournament
When: Friday, Aug 8, 10:00 - 17:59 PDT
Where: LVCCWest-Level1-Hall4-Communities-C102 - Map

Description:


PGE - Friday - 21:00-23:30 PDT


Title: Women, gender non-conforming and non-binary meetup with The Diana Initiative
When: Friday, Aug 8, 21:00 - 23:30 PDT
Where: LVCCWest-Level2-W205 - Map

Description:

We'd love to get all the gender non-conforming, non-binary and women together to hang out and make friends! DEF CON is better with friends. Stop in for a bit, or the whole time.



DCT - Friday - 14:00-14:45 PDT


Title: You snooze you lose: RPC-Racer winning RPC endpoints against services
When: Friday, Aug 8, 14:00 - 14:45 PDT
Where: LVCCWest-Level1-Hall3-Track 3 - Map

Description:

The RPC protocol allows executing functions on remote servers. An interface is identified by a UUID, and clients contact specific RPC endpoints to communicate with it. Some endpoints may be well-known to clients, but some are provided through the EPM (Endpoint Mapper). These are called Dynamic Endpoints.

As servers request to map UUIDs to their Dynamic Endpoints, we wondered what stops us from mapping a UUID of a trusted RPC interface to an endpoint that we control, leading to our own malicious RPC interface.

We discovered that nothing stops unprivileged users from posing as a well-known RPC server! However, to have clients connect to us, we needed to register first. We, as the underdog racer, need to beat services in their home race track.

We examined the status of RPC servers at certain points during boot and mapped several interfaces we can abuse. We then took a shot racing their services and won the gold medal! Various high integrity processes, and even some PPLs, trusted us to be their RPC server!

In this talk, we’ll present “RPC-Racer” - a toolset for finding insecure RPC services and winning the race against them! We’ll show it manipulating a PPL process to authenticate the machine account against any server we want! Finally, we’ll describe how to validate the integrity of RPC servers, to mitigate this issue.

SpeakerBio:  Ron Ben Yizhak

Ron (@RonB_Y) is a security researcher at SafeBreach with 10 years of experience. He works in vulnerability research and has knowledge in forensic investigations, malware analysis and reverse engineering. Ron previously worked in the development of security products and spoke several times at DEFCON.

