In the world of cybersecurity there is always a threat lurking. Waiting in the shadows for the perfect moment to strike. You can sit back and relax and hope for the best and react when it’s too late… or before they even think about making a move you can take control and see everything coming from miles away. In this session, you’ll dive deep into the art of threat modeling—an essential skill that allows you to anticipate risks, identify vulnerabilities, and develop a proactive defense strategy.

Mike will guide you through the process and show you why threat modeling is an offer you simply can’t refuse. You’ll learn how to analyze threats with precision, build effective threat scenarios and develop a mindset that stays one step ahead of the attackers. Ultimately you won’t only understand threat modeling—you’ll lead it with confidence.

Join Mike in the family business, hone your expertise and become the Godfather of Threat Modeling. In this game only the wise and the prepared will survive.

### Overview ###

Have you ever thought of hacking web applications for fun and profit? How about playing with authentic, award-winning security bugs identified in some of the greatest companies? If that sounds interesting, join this unique 100% hands-on training!

I will discuss security bugs found in a number of bug bounty programs (including Google, Yahoo, Mozilla, Twitter and others). You will learn how bug hunters think and how to hunt for security bugs effectively.

To be successful in bug hunting, you need to go beyond automated scanners. If you are not afraid of going into detail and diving into full-stack exploitation, then this 100% hands-on training is for you. There is a lab exercise for each attack presented in this training + students can take the complete lab environment home after the training session.


### Key Learning Objectives ###

After completing this training, you will have learned about:

- REST API hacking
- AngularJS-based application hacking
- DOM-based exploitation
- bypassing Content Security Policy
- server-side request forgery
- browser-dependent exploitation
- DB truncation attack
- NoSQL injection
- type confusion vulnerability
- exploiting race conditions
- path-relative stylesheet import vulnerability
- reflected file download vulnerability
- hacking with wrappers
- subdomain takeover
- remote cookie tampering
- non-standard XSS attacks
- hijacking tokens via PDF
- XML attacks
- deserialization attacks
- HTTP parameter pollution
- bypassing XSS protection
- hacking with polyglot
- clickjacking attack
- window.opener tabnabbing attack
- RCE attacks
- and more…


### What Students Will Receive ###

Students will be handed in a VMware image with a specially prepared testing environment to play with all bugs presented in this training. When the training is over, students can take the complete lab environment home (after signing a non-disclosure agreement) to hack again at their own pace.


### Special Bonus ###

The ticket price includes FREE access to my 6 online courses:

- Start Hacking and Making Money Today at HackerOne
- Keep Hacking and Making Money at HackerOne
- Case Studies of Award-Winning XSS Attacks: Part 1
- Case Studies of Award-Winning XSS Attacks: Part 2
- DOUBLE Your Web Hacking Rewards with Fuzzing (aka Fuzzing with Burp Suite Intruder)
- How Web Hackers Make BIG MONEY: Remote Code Execution


### What Students Say About This Training ###

This training was attended by security specialists from Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips, government sector and it was very well-received. Recommendations are attached to my LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/). They can also be found here (https://silesiasecuritylab.com/services/training/#opinions).


### What Students Should Know ###

To get the most of this training intermediate knowledge of web application security is needed. Students should be familiar with common web application vulnerabilities and have experience in using a proxy, such as Burp Suite Proxy, or similar, to analyze or modify the traffic.


### What Students Should Bring ###

Students will need a laptop with 64-bit operating system, at least 8 GB RAM, 35 GB free hard drive space, administrative access, ability to turn off AV/firewall and VMware Player/Fusion installed (64-bit version). Prior to the training, make sure there are no problems with running x86_64 VMs. Please also make sure that you have Internet Explorer 11 installed on your machine or bring an up-and-running VM with Internet Explorer 11.


### Instructor ###

Dawid Czagan is an internationally recognized security researcher and trainer. He is listed among top hackers at HackerOne. Dawid Czagan has found security bugs in Apple, Google, Mozilla, Microsoft and many others. Due to the severity of many bugs, he received numerous awards for his findings.

Dawid Czagan shares his offensive security experience in his hands-on trainings. He delivered trainings at key industry conferences such as DEF CON (Las Vegas), Hack In The Box (Amsterdam), CanSecWest (Vancouver), 44CON (London), Hack In Paris (Paris), NorthSec (Montreal), SINCON (Singapore), BruCON (Ghent) and for many corporate clients. His students include security specialists from Oracle, Adobe, ESET, ING, Red Hat, Trend Micro, Philips and government sector (references are attached to Dawid Czagan's LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/). They can also be found here: https://silesiasecuritylab.com/services/training/#opinions).

Dawid Czagan is the founder and CEO at Silesia Security Lab. To find out about the latest in his work, you are invited to subscribe to his newsletter (https://silesiasecuritylab.com/newsletter) and follow him on Twitter (@dawidczagan), YouTube (https://www.youtube.com/channel/UCG-sIlaM1xXmetFtEfqtOqg), and LinkedIn (https://www.linkedin.com/in/dawid-czagan-85ba3666/).

Understanding eCrime is no longer optional. It is a mission-critical capability for any organization serious about anticipating, preventing, and neutralizing today’s most pervasive cyber threats. This intensive training provides a comprehensive exploration of the eCrime ecosystem, unpacking the full spectrum of adversarial tactics, techniques, and procedures used by financially motivated threat actors to exploit organizations of all sizes and sectors.

Blending traditional intelligence tradecraft with cutting-edge cyber security methodology, this course empowers cyber threat intelligence professionals, SOC analysts, CISOs, and forward-thinking defenders to operationalize threat intelligence, proactively reduce risk, and harden their defensive posture. Whether you are new to the world of eCrime or looking to refine your existing expertise, this course will give you the insight, confidence, and real-world skillset to outpace adversaries.

Through hands-on exercises, real case studies, and live tooling, participants will learn to track and attribute adversary infrastructure, analyze adversary tradecraft, uncover victimology, and confidently identify key players within organized eCrime operations. Attendees will explore the dark web, develop basic operational personas, collect intelligence from adversary-run forums and marketplaces, and learn how to infiltrate closed communities — all safely and effectively.

This is not theory. This is practical, tactical, and grounded in the reality of modern cyber threat operations. By the end of the training, attendees will walk away with the knowledge and tools needed to investigate, disrupt, and counter eCrime adversaries, all while supporting broader intelligence collection plans and strategic security initiatives within their organizations.

In this workshop, participants engage in a high-stakes cyber battle within a factory's OT systems. Divided into Red and Blue Teams, they alternate between offensive and defensive strategies in an interactive game. The workshop emphasizes real-world relevance, dynamic decision-making, and collaborative learning, providing practical cybersecurity insights in an industrial environment.
This workshop offers an interactive cybersecurity experience through a gamified scenario. Participants will be divided into two teams: Red & Blue Team. The game board is a demo factory, where the Red Team's objective is to inflict harm, while the Blue Team's mission is to defend it.
The games starts with an interactive setup phase. The Red Team will choose their tactics and techniques to be able to reach their objectives. The Blue Team will concentrate on understanding their environment and selecting appropriate initial defenses. Following the team introductions, the core of the workshop begins: the game loop, where each team alternates between planning and executing their actions. The Red Team will have different opportunities for their next actions aimed at breaching the Blue Team's defenses. The Blue Team will decide on their countermeasures to thwart the Red Team's efforts. Each round concludes with an evaluation phase, where the effectiveness of the actions taken by both teams is assessed. The workshop wraps up with a recap session, summarizing key learnings and discussing the outcomes of the game.
The workshop's interactive and gamified approach aims to enhance participants' understanding of cybersecurity dynamics with focus of OT environments. Participants will work alongside peers to develop and implement strategies, enhancing their understanding of both offensive and defensive cybersecurity measures. The workshop draws on the extensive experience of seasoned Red and Blue Team specialists to focus on real-world scenarios and case studies. It leverages the deep expertise of Nick and Nicholas, who are OT Blue Team specialists, and Sarah, a Senior Red Teamer with an OT specialization. Their combined knowledge ensures that the workshop addresses current industry challenges in both offensive and defensive OT cybersecurity.
Attendees will acquire a comprehensive understanding of both offensive and defensive cybersecurity strategies, along with enhanced teamwork and communication skills. Additionally, participants will learn to prioritize actions and strategies in emergency situations, gaining knowledge not only about specific tools and techniques but also the strategic approaches fundamental to Red and Blue Team operations in industrial environments.

"Hacking IoT Hardware: The Frugal Way" is an immersive, hands-on training designed for beginners to dive into the world of IoT cybersecurity. This course takes a practical, cost-effective approach to hacking IoT devices and protocols using widely available tools and open-source software. Participants will explore the vulnerabilities in common IoT communication protocols (like MQTT, Zigbee, BLE, LoRa, Sub-GHz RF) and learn how to exploit them for testing and securing IoT hardware.

The course begins with an introduction to IoT and IIoT security, covering the architecture, frameworks, and attack surfaces, including a deep dive into the OWASP IoT Top 10 vulnerabilities. From there, it progresses through hands-on modules that cover specific protocols like MQTT, Zigbee, BLE, LoRa, and Sub-GHz RF. Key topics include network reconnaissance, sniffing, replay attacks, and packet forging, with practical examples and techniques for real-world hacking.

The final sections of the course will focus on hardware-based hacking, including I2C, SPI, UART, and JTAG/SWD, providing participants with the skills to reverse engineer hardware and manipulate data.

In addition to the comprehensive training materials, each participant will receive access to a preinstalled Linux machine named "Trilokya." This machine is specifically designed as a penetration testing tool for IoT environments and will be used throughout the training to perform hands-on attacks and defenses on IoT devices and protocols.

This training is structured to ensure that participants not only understand the theory behind IoT vulnerabilities but also gain the skills needed to conduct attacks and defend against them.


Prerequisites:

Basic understanding of networking and protocols.
Familiarity with cybersecurity concepts.
No prior experience required in IoT or hardware hacking.

Laptop Configuration:

OS: Windows, Linux, or macOS (with virtual machine support if necessary).
Processor: Intel Core i3 or equivalent.
RAM: Minimum 4 GB (8 GB recommended).
Virtualization Software: VMware or VirtualBox (required for running the preinstalled "Trilokya" Linux penetration testing machine).

In many discussions, I noticed that CISOs and security officers do not have any (in-depth) knowledge of SAP. This is why the topic of SAP security often gets underestimated. Anyone interested in gaining insight into the important basics of SAP technologies can benefit from this highly compact crash course on SAP security. The session will give you an overview about security threats related to SAP and strategies to counter them - where possible.

Among other thing, you will learn about
- Different types of SAP servers / systems
  - SAP Application Server ABAP
  - SAP Application Server Java
  - SAP Netweaver
  - S/4 HANA
  - SAP RISE
  - SAP GROW
  - SAP BTP
- Different types of SAP network tools
  - SAP Router
  - SAP Web Dispatcher
  - SAP Cloud Connector
- Different types of SAP clients
  - SAP GUI
  - SAP Netweaver Business Client
- Different types of SAP communication protocols
  - SAP DIAG
  - SAP RFC
- SAP Architecture
  - Landscape layout
  - Internet Communications Manager
- SAP Business Solutions
- Other proprietary SAP technologies, such as
  - SAP ABAP
  - HANA Database
  - Secure Network Communication
  - Solution Manager
  - etc
  
Once the basic servers, concepts and technologies of SAP are understood, the workshop will discuss ways to break them.
With a special focus on the attack potential of an ABAP-based malware.

While this may appear to be somewhat destructive, it is important to understand the full attack potential against - and through - SAP technologies in order to design a solid defense.

With regards to defense, you will learn about
- Various SAP security mechanisms
  - Single Sign-On
  - Security Audit Log
  - ATC
  - UCON
  - etc
- Industry Best Practices and   

I will provide many insights from 20+ years of SAP pentesting.

You want to understand SAP risks? This is the place to be.


Social engineering attacks continuously remain at the top of the threat landscape and data breach reports. But although these reports tend to simplify many breaches as the result of a successful phishing attack, the reality we get from current threat research is evidently more complex. Social engineering attacks have been evolving. Today, the pathway that leads to that successful phishing email is often the result of a larger attack kill chain based on target research and good open-source intelligence that helps attackers identify organizational vulnerabilities in an often-multi-layered methodology. But it doesn't stop there. Weaponized psychology is still a strong component of those attacks.


In this threat landscape, it is paramount for security professionals & teams to better understand how social engineering works, and how to proactively identify and disrupt attack verticals.


This class provides participants with the necessary skills & knowledge on open-source intelligence, weaponized psychology, and the most recent social engineering tactics, techniques and procedures (TTPs) from cyber criminal groups and state-sponsored APTs.


This is an in-depth, intensive class that will help security teams get a comprehensive understanding of social engineering and build better protective measures (proactive & reactive) and inform their security strategy.


The class also helps penetration testers improve their attack scenarios, their recommendations and provide better and more realistic insights to their clients. The training includes a special section on artificial intelligence both for OSINT and social engineering, as well as insights on the present & future of social engineering attacks.


Attendees will leave this class having acquired the psychological knowledge along with the technical capability to simulate social engineering attacks and improve their prevention & response capabilities.

This intensive two-day course equips you with practical skills for identifying and exploiting vulnerabilities in mobile apps across both Android and iOS. You'll analyze a mix of real-world apps and custom training apps using tools like Frida, Burp Suite, jadx and other open-source tools.

By the end of the training, you’ll know how to:

- intercept and analyze any type of network traffic in mobile apps, even when SSL pinning is used,
- bypass protection mechanisms such as root/jailbreak detection,
- decompile APKs and perform manual source code reviews,
- reverse engineer Swift-based iOS applications and
- apply a thorough methodology based on the OWASP Mobile Application Security Testing Guide (MASTG).

The labs cover static and dynamic analysis, reverse engineering, and Software Composition Analysis (SCA), all through hands-on exercises.

No need to bring your own devices — each participant gets access to a cloud-based, rooted Android and jailbroken iOS environment via Corellium.

Whether you are a beginner wanting to learn mobile app testing from scratch, an experienced penetration tester or developer wanting to improve your mobile application security knowledge and skills, or someone looking to have some fun, this training will help you achieve your goals.

## Detailed outline

### Day 1 - Android

We begin with an overview of the Android platform and its security architecture, then move into a full day of hands-on labs covering:

- Setting up an Android testing environment with Corellium
- Using Android Debug Bridge (adb) effectively during app pentests
- Intercepting network traffic from apps built with frameworks like Flutter
- Analyzing network traffic, including non-HTTP protocols, with Burp Suite and Wireshark
- Reverse engineering a Kotlin app and exploiting a real-world deep link vulnerability through manual code review
- Scanning APKs for hardcoded secrets
- Getting started with Frida for dynamic instrumentation
- Analyzing Android app storage options (app-specific, shared storage, etc.)
- Using dynamic instrumentation with Frida to:
- Bypass root detection mechanisms
- Bypass Frida detection mechanisms
- Attacking a real world app and overcome it's protection mechanisms.

### Day 2 - iOS

On the second day, we shift to iOS app security, again focusing on hands-on labs:

- Static analysis of Swift code to identify vulnerabilities and eliminate false positives
- Software Composition Analysis (SCA) for iOS: scanning third-party libraries and mitigation strategies
- Setting up the iOS testing environment with Corellium
- Intercepting network traffic in iOS apps
- Bypassing different implementations of SSL pinning using Frida
- Frida crash course for dynamic instrumentation on iOS Apps
- Analyzing iOS app storage mechanisms
- Testing methodology using jailed (non-jailbroken) devices via Frida gadget injection
- Testing watchOS apps and understanding platform limitations
- Using Frida to bypass runtime protections:
- Anti-Jailbreaking mechanisms
- Frida's detection logic

We’ll wrap up the final day with a Capture the Flag (CTF), where you can apply your new skills and win a prize!

Upon completing the course, participants will:

- have a deeper understanding of mobile app security testing,
- know how to identify and exploit vulnerabilities,
- be able to recommend effective mitigation strategies to development teams, and
- follow a structured testing methodology based on the OWASP Mobile Application Security Testing Guide (MASTG).

### What students should bring

To follow all exercises and participate fully, students should have:

- A laptop (Windows or macOS) with at least 16 GB of RAM and 50 GB of free disk space
- Full administrative access to the system (e.g., ability to disable VPN or antivirus if needed)
- Virtualization software (e.g., VMware, VirtualBox, or UTM); a pre-configured virtual machine will be provided for both x86 and ARM architectures (including M1–M4 MacBooks), with all required tools preinstalled.
- Optional but recommended: A tablet for viewing the lab slides during hands-on sessions.

An iOS or Android device is **not** required. Each participant will receive access to a cloud-based Corellium instance, including a jailbroken iOS device and a rooted Android device, for use throughout the training.

### What students will receive

- PDF slide decks and lab instructions for both Android and iOS.
- All vulnerable training apps, provided as APK and IPA files.
- A Dockerfile containing the APIs with which the apps communicated.
- Detailed write-ups for all labs, which you can review at your own pace after the course.
- Access to a dedicated Slack channel for pre-course preparation, in-class support, and post-course Q&A.
- A certificate of completion.

### What prerequisites should students have before attending this training?

This course is designed for beginner to intermediate participants. Students should have:

- A basic understanding of mobile apps
- Basic experience using the Linux command line

Recently, due to EDRs, it has become harder and harder to abuse credential access by dumping LSASS after compromising a Windows server and gaining local administrator on it. So, many red-teamers, pentesters and APTs have moved towards a stealthier way of abusing credentials access by relaying such credentials in real-time to other misconfigured servers in the network. Gaining administrative access to a server can be quite helpful in this, however all current techniques are not very effective and/or require complete or partial disruption of existing Windows services, making them not very opsec safe. Introducing RelayBox, a new technique to perform a Man-In-The-Service attack. Using RelayBox, an attacker is able to place themselves in between a legitimate Windows service, relay valid authentication attempts, without any disruption to the service's usability. This creates a transparent proxy for SMB and other Windows services. I will present such a technique, the tool used, and demonstrate new relaying techniques that can be chained with this new approach to obtain world domination. Tools shown will also be released after the talk.

This talk unveils 'JWT Puzzles,' a novel and systemic application attack enabling significant lateral movement and privilege escalation within enterprise environments. We expose how common organizational misconfigurations—including shared signing keys and insufficient validation across multiple web applications—create a critical, often overlooked attack surface. Attendees will witness practical demonstrations of how seemingly isolated JWT vulnerabilities can be "mixed and matched" to compromise entire interconnected networks

Infostealer malware is built to collect and dump anything useful from a device. This includes saved browser credentials, autofill data, session cookies, API tokens, wallet addresses, and app-specific passwords. Once collected, these logs are uploaded to Telegram bots, marketplaces, or leak sites.

The research walks through how these logs are typically structured and what credentials they contain. Examples include login details for GitHub, Slack, AWS, Gmail, Notion, Discord, Office 365, database dashboards, and internal dev tools. Logs often include SSH private keys, JWT tokens, and webhook URLs. In many cases, cookies allow attackers to access services without even needing passwords.

By analyzing some incidents using OSINT methods, the research maps the lifecycle of credential stealers. It covers the path from infection, to log exposure, to potential misuse. The examples are based on public stealer log collections and show how much sensitive access data ends up in the open. + Working and defense from common infostealers like Raccoon, Redline, and LummaC2.

LUCR-3 better known as Scattered Spider has surged back in 2025, pivoting its social-engineering playbook from last year’s casino breaches to fresh waves against the insurance, retail and aviation sectors. Within a single June week, LUCR-3 struck several insurers, disrupting airline back-office systems, and a spring ransomware campaign devastated big-box retailers.

Still leveraging push-fatigue MFA bombing, SIM-swapping and help-desk impersonation, LUCR-3 now systematically abuses third-party IT providers to fan out across IaaS, SaaS and PaaS estates living off the land in cloud logs to stay invisible until ransom day. Permiso's P0 Labs has been monitoring LUCR-3's activities for over two years, documenting their evolving tactics, techniques, and procedures (TTPs). This session will delve into LUCR-3's latest strategies and provide actionable insights for cloud defenders to detect and mitigate such threats effectively.

This talk provides a clear and practical comparison between two dominant forms of malware: ransomware and information stealers. While both are used by threat actors to profit from compromised systems, their methods, visibility, and impact differ dramatically.

We’ll start by defining each threat type and examining their primary objectives — ransomware aims for immediate financial gain through extortion, while info stealers quietly extract credentials, financial data, and other sensitive information for resale or future attacks. Worth noting is that Info stealers can and are often used as a precursor for a ransomware attack, connecting these two forms of malware in malicious operations.

We’ll start by defining each threat type and examining their primary objectives — ransomware aims for immediate financial gain through extortion, while info stealers quietly extract credentials, financial data, and other sensitive information for resale or future attacks.

Attendees will leave with a practical understanding of how to differentiate and defend against both types of threats, making this session valuable for security analysts, IT leaders, and anyone looking to strengthen their cyber threat intelligence.

Malware analysis is a vital skill for incident responders who defend against increasingly sophisticated cyberattacks. In high-pressure situations, time is of the essence. Responders often cannot afford to spend days examining a malware sample. Instead, they need to quickly extract Indicators of Compromise (IOCs) to identify other infected systems in the network or detect any installed backdoors.

This presentation explores various malware analysis techniques proven effective in Incident Response scenarios. These methods enable rapid and reliable analysis, helping to uncover additional compromised systems and trace attackers' activities within the network.

Preparedness exercises, whether they are traditional tabletop discussions or more interactive gamified experiences, help us become more prepared – and to do this together, with engagement between individuals who need to perform optimally as a group, under pressure. Based on the speaker’s experiences from preparing and facilitating more than one hundred cyber exercises, including both individual companies and events with multiple companies participating together, this talk will illustrate both which risks and vulnerabilities happen to manifest themselves during incidents (and exercises), and how companies and stakeholders with various roles and levels of experience respond to these.

This talk presents three key contributions aimed at strengthening trust in software systems through automated verification and static analysis. First, we introduce an LLM-driven tool that verifies AI-generated Python code by performing type checking, translating it into the Why3 intermediate verification language, and automatically proving its correctness. Second, we unveil a static analysis tool designed to uncover privacy vulnerabilities in Erlang applications, with a focus on Ejabberd—the messaging server backend used by WhatsApp. Finally, we demonstrate an automated tool for detecting three critical vulnerabilities in Oracle’s blockchain network implementations. Together, these tools highlight novel approaches to securing modern software ecosystems.

What's the problem with using a password manager? Or Linux? It can't be that difficult to understand the difference between your browser and a search engine! While security experts work on the bits and bibbles of code and network structures, the other end of the line is mostly blank. But why is it so damn hard to not act dumb?

Christina Beran, psychologist, and Klaudia Zotzmann-Koch, data privacy expert specialised in security awareness, tackle the hurdles and pitfalls we encounter when trying to convey the importance and appropriate measures to act securely. And most of all what sec experts and programmers have to do, to make users and normal human beings not be the company's or their own worst enemies.

In this talk we deep-dive into the field of network fingerprinting used to identify systems, software, and threats based solely on their network behaviour. You’ll gain insight into how fingerprinting can be used not just to map operating systems and applications, but also to detect malware, command-and-control channels, and stealthy backdoors, even when traditional indicators fail.

We’ll dive into real-world examples showing how defenders leverage subtle protocol deviations and traffic signatures to unmask advanced threats, and how sophisticated attackers attempt to evade detection using traffic obfuscation, encrypted channels, and protocol mimicry.

Managing GitHub security across all organizations and repositories within a company can be challenging. Misconfigured settings, hardcoded secrets, and outdated dependencies often go unnoticed, creating critical security gaps.

In this session, we introduce an opensource tool built to help companies secure their GitHub environments at scale. The tool runs security posture checks across organization and repository levels, scans for hardcoded secrets, performs Software Composition Analysis (SCA), validates security rule sets, detects misconfigurations, and generates a single comprehensive report. The report not only identifies risks but also provides actionable remediation steps, helping teams prioritize and address issues effectively.

By using this tool, companies gain a complete view of their GitHub security posture across all organizations and repositories, making it easier to maintain strong security without adding complexity. This talk is also an open invitation for the community to collaborate and help enhancing the tool.

Spotter is a groundbreaking open-source tool or solution designed to secure Kubernetes clusters throughout their lifecycle. Built on the native tooling of Kubernetes by leveraging CEL (Common Expression Language) for policy definitions, we can define unified security scanning across development, CLI, CI/CD, Admission Controllers, deployments, runtime, and continuous monitoring. Its unique approach enables both enforcement and monitoring modes, ensuring that policies can be applied consistently and mapped directly to industry standards such as CIS, MITRE ATT&CK, etc.

Spotter provides extreamly high flexbility across all Kubernetes phases, providing an innovative approach that no other open-source or commercial solution can replicate. It seamlessly bridges security, DevOps, and platform teams, effectively solving the real-world challenges faced by day-to-day operations.

Here’s the unlikely story of how a bullied 12-year old got a job, bought a computer, and hacked into one of the most prominent online communities of the time and now three decades later stands at the pinnacle of her career in cyber security as the CISO of a global organization. Forged in the IRC chatrooms of 90’s hacker culture, she stumbled and triumphed through a series of serendipitous twists and turns to build a successful career, going from a misfit hacker to a cybersecurity executive.
In her session, Alyssa Miller will share the story of how she navigated a journey from that 12 year-old with a passion for technology through her various roles in technology and security and now finds herself in the C-Suite. You’ll learn from the many twists and turns and lessons learned along her path.
She will the describe how she’s used her own origin story to hack the minds of directors in some of the toughest boardrooms on Wall Street. She’ll show you how embracing authenticity created extreme acceleration in achieving her career aspirations. Alyssa will discuss where these lessons can be applied throughout your own career journey. She'll share the key to successfully entering the community, thriving in growth, and achieving heights you may never have thought possible.
You'll leave this session with knowledge of how to overcome common obstacles, leverage opportunity effectively, and impact the digital world with all the vigor of a 12 year-old hacker.

L.E.E.C.H is a Python tool used for data exfiltration by exploiting publicly exposed web server access logs. It has two operation modes. First operation is file upload and second is file download. Uploaded file is compressed and encrypted, then split into chunks and Base64 encoded as part of the URI. A generated file ID can later be used to download the file. The tool has a basic configuration like random sleep duration between requests, chunk size, minimal URI pattern signature and encryption key. Different log types can easily be supported with minimal code changes.

Presentation describes tool operation and focuses on how similar targets systems can be abused for storing data. Will mention similar work done in the past, malware network communications for data exfiltration, demo the tool and techniques for detection in an AWS Cloud Environment.

The tool will be available as open source after presentation.

* Note that tool should be used without breaking the law and in order to conduct legal activities.

DragonRank, a sophisticated threat actor, primarily targets countries in Asia and a select few in Europe, utilizing deploy BadIIS malware across compromised IIS servers for SEO rank manipulation. In 2023, we already uncovered DragonRank’s commercial website, business model, and instant message accounts. So, what tactics did DragonRank use in these attacks, and most importantly, how can we defend against them?

To answer these questions, we will first discuss how DragonRank compromised Windows IIS servers hosting corporate websites all around the world. Following that, we will discuss the advanced persistence methods employed by DragonRank including lateral movement, privilege escalation and deployment of BadIIS/PlugX in the system. Furthermore, we will explore the details of two unique real-life case studies used by the DragonRank actor from initial access to configuration IIS server to their profitable part.

We will then use all the presented information to identify common flaws in the actor’s offensive strategy. In turn, finding these cases will allow us to discuss how to build an efficient defense strategy against further DragonRank attacks. We hope attendees who work in the security field will leave equipped with practical insights to develop an effective defense strategy against this threat.

Android is the most popular mobile operating system, which makes it a primary target for a plethora of malware attack patterns. This is favored by its open-source nature, the consistent customization possibilities, and the inherent integration with Google services. The ubiquitous utilization of mobile devices represents a risk, particularly relative to nontechnical end users, who often allow suspect applications to run without a critical analysis, which generates potentially dangerous use case scenarios. These include installation of backdoor applications, unauthorized modifications of data installed on the mobile device, or access to highly sensitive personal data. This presentation reports AuthProtect, a scalable integrated model to detect Android malware entities, which considers incremental learning to proactively determine malicious patterns. It is relevant to note that this model implies a novel data generation model, which is used to generate the data that validates the AuthProtect integrated system. This associates Android permissions to various real-world usage scenarios, which offers an in-depth understanding of the permissions-related vulnerabilities, which are used by the target malware entities. The validation dataset includes 82,704 benign application patterns, and 82,704 malware application models. This balanced structure sustains a thorough and precise validation of the AuthProtect integrated system. Furthermore, a similarity-based selective training model is considered, which reduces the amount of data that are necessary to train the incremental learning-based algorithmic solution. This considers only the most relevant data to enhance the functional efficiency of AuthProtect. The reliability and accuracy of the approach is ensured by a test-then-train strategy, which starts with an assessment of the application data to determine the weaknesses and further enhance the training process. It is important to note that the resistance of AuthProtect to adversarial attacks is evaluated, which demonstrates it is capable to manage the scenarios when malware entities are disguised as legitimate. The AuthProtect system proves to be scalable, as it processes large datasets, which makes it suitable for real-world use case scenarios. The experimental evaluation process demonstrates that the AuthProtect system generates an accuracy of 0.9982 relative to real-world datasets, and an accuracy of 0.9857 regarding the synthetic datasets, which demonstrates that it is reliable both concerning ordinary real-world, and adversarial attack patterns.

In this session, we’ll delve into how attackers systematically exploit weaknesses in Operational Technology (OT) systems to compromise critical infrastructure. OT systems—including building management systems (BMS), access control systems (ACS), and surveillance networks (CCTV)—are the backbone of many critical sectors, managing everything from facility operations to security and environmental controls. Despite their importance, these systems are often neglected in cybersecurity frameworks, making them prime targets for exploitation.

We’ll explore real-world attack vectors and strategies used by adversaries to infiltrate OT environments, focusing on how they gain control over critical systems. Through a real-world example, I’ll demonstrate how I successfully gained unauthorized access by chaining misconfigurations to compromise a building management system (BMS). We’ll break down how attackers exploit common entry points, escalate privileges, and disrupt operations. Additionally, we’ll examine how adversaries move laterally across OT networks, leverage misconfigurations, and maintain persistence, evading detection to carry out long-term disruptions. Through case studies and practical demonstrations, you’ll gain insight into the methodologies malicious actors use to infiltrate and compromise entire facilities, all while staying undetected and maintaining control.

By the end of this session, you’ll walk away with actionable technical insights into how to safeguard OT environments against these evolving threats. We’ll discuss effective countermeasures, such as securing remote access, hardening OT networks, and implementing monitoring systems to detect and mitigate attacks before they can compromise critical infrastructure.

This session will equip you with the knowledge to understand how these attacks unfold, how to secure your OT infrastructure, and how to identify and address vulnerabilities that could be exploited by malicious actors.

A vanilla LLM can enumerate ports; an enhanced agent can glide across the entire ATT&CK matrix. We benchmark four upgrades - fine-tuning, Retrieval-Augmented Generation, the Model Context Protocol, and a Neo4j-backed cyber graph - against a production-style lab mapped to ATT&CK. The result is an agent that reaches foothold sooner, moves laterally with fewer detections, and finishes with a draft report that requires minimal human edits.
We dissect how each upgrade boosts specific ATT&CK tactics, then replay a demo in which the agent pivots through privilege escalation and data exfiltration while the dashboard lights up corresponding technique IDs. Failure stories, including a mis-configured context window that unintentionally DoS'ed our own C2, round out the session.

What does looking at the history of malware, threat actors, and related network infrastructure tell us about the future? Are there unexpected connections to be found to help us to not only find attribution, but potentially discover what to block, what to watch out for, and even predict where the next threat will be?
Through the analysis of historical data of various malware variants, focusing primarily on ransomware, I will demonstrate the relationships of infrastructure and other indicators of compromise in an attempt to develop a mechanism for predicting how and where future threats might operate. This presentation will discuss the methods of collecting data and finding connections, and will help the attendees apply these results to their threat modeling and mitigation practices.

FuzzDeck is a structured fuzzing framework designed to facilitate the execution and comparative evaluation of four prominent fuzzers: AFL++, Honggfuzz, LibFuzzer, and Radamsa. The framework automates the key stages of fuzzing, including input corpus generation, target compilation, fuzz execution, crash monitoring, and resource usage profiling. Tailored for deployment on resource-constrained environments such as Raspberry Pi and Kali Linux, FuzzDeck enables seamless performance benchmarking with integrated support for CPU and power consumption analysis, making it a suitable tool for energy-aware security testing in embedded or edge systems.

This talk is a mashup of 7+ peer-reviewed papers from JYU.fi (yeah, cool top-level research "Made in Finland!") spanning work over 3+ years, where we overview application security in critical domains such as Satellite, Aerospace, Avionics, Maritime, Drones (SAAMD), and how they can be attacked via unprotected interfaces of ADS-B, AIS, ACARS, GDL90, EPIRB and similar protocols.

The use of machine learning and artificial intelligence has been on the rise in various industries, including the field of cybersecurity. These technologies have shown great potential in detecting and mitigating cyber threats, but they also come with their own set of risks. One of the most significant risks is the threat of machine learning poisoning attacks.

Machine learning poisoning attacks involve an attacker manipulating the data or the learning algorithm used by an AI model to compromise its accuracy or functionality. This type of attack is particularly dangerous because it can go undetected for a long time, and it can be challenging to trace its origins. A successful poisoning attack can result in the AI model making incorrect decisions, which can lead to a security breach or data loss.

The session will cover practical steps that organizations can take to prevent machine learning poisoning attacks. These measures include data validation, monitoring the performance of AI models, and implementing adversarial training techniques. Attendees will learn how to implement these measures and ensure that their systems are protected against machine learning poisoning attacks. Attendees will gain insights into how these attacks were executed, and the lessons learned from them.
The presentation will also include case studies of high-profile machine learning poisoning attacks, highlighting the impact they had on the organizations targeted.

The increasing reliance on digital systems in modern rocketry, from design and manufacturing to launch operations and in-flight control, introduces significant cybersecurity vulnerabilities. Presentation, "Ignition Under Fire," by Paul Coggin, explores the diverse attack vectors targeting rocket propulsion systems, examining potential consequences ranging from mission delays and data breaches to catastrophic failures. We will analyze the complex interplay of software, hardware, and network components within propulsion systems, identifying key weaknesses susceptible to exploitation. The presentation will delve into specific attack scenarios, software manipulation, sensor spoofing, and network intrusion, highlighting the potential impact on critical rocket equation parameters like delta V, thrust, fuel flow, and combustion stability. Furthermore, we will discuss the unique challenges in securing these complex systems. We will explore how a Zero Trust architecture can be implemented to enhance security by enforcing strict access control, micro-segmentation, and continuous authentication and authorization throughout the propulsion system.

There is a cybersecurity threat looming, that will change everything. Conveniently enough, it can be ignored until it is way too late to act: Once available, Cryptographically Relevant Quantum Computers (CRQC) will effortlessly break asymmetric cryptographic algorithms such as RSA and ECC on which we build our current security infrastructure.
In my talk I will first discuss what makes Quantum Computers uniquely powerful, translating complex physical concepts into practical implications for cybersecurity. We will explore how Shor’s algorithm undermines current cryptographic assumptions and why digital signatures and public key infrastructures are particularly vulnerable. Attendees will gain an overview over the timeline for the development of CRQC, the main actors in the field and why CRQC endanger our privacy already today.
The session will then turn to mitigation strategies, exploring two promising paths: Quantum Key Distribution (QKD) and Post-Quantum Cryptography (PQC). PQC aims at establishing new and hopefully quantum-safe algorithms for creating asymmetric keys, which are currently standardized by NIST. QKD on the other hand provides an unbreakable means for sharing symmetric keys whose security is based on the laws of quantum physics.

Embarking on our first hardware hacking project, we came across the `<name tba>` treat dispensing smart-camera for pets. This device had previous security research completed, however years had passed without further analysis. With a few devices in tow, we pulled them apart and got to hacking. Over the course of 3 months of research we identified vulnerabilities in the mobile application, in the Bluetooth communications, and on the device. This talk will showcase our journey to destroy pet-surveillance devices, our struggles with defeating the firmware encryption, more than a few vulnerabilities found along the way, and we will show you how we got it to play Darude Sandstorm!

What happens when a registrar is the weakest link in your security chain? This talk reveals how systemic failures in credential recovery, 2FA bypass, and email spoofing allow persistent exploitation—even when domains have SPF, DKIM, and DMARC p=reject properly configured.

Based on real-world research conducted between 2018 and 2025, we present ∞-day (forever-day) vulnerabilities affecting over 17,000 domains—including cross-tenant spoofing in N-Able Mail Assure and flaws in Register.it's identity recovery procedures. We’ll demonstrate full control over customer panels with zero credentials, using only PDF forms and social engineering.

We'll also propose a concrete solution: a Reliability Scoring System for registrars and a “Green Check” trust mark for end users, integrated with RDAP and aligned with the NIS2 directive. This talk challenges assumptions about authentication, identity, and trust in Internet infrastructure—and offers both attack and defense insights.

This talk presents a multidimensional analysis of Internet fragmentation, examining how political, technical, economic, and cybersecurity factors are converging to break apart the global Internet. While often viewed through a policy lens, fragmentation has real-world implications at the packet level.

We introduce a lightweight, rule-based detection model capable of identifying fragmented, misconfigured, and adversarial IP/UDP traffic. Built upon RFC 791 semantics, the model analyzes packet offset alignment, TTL discrepancies, and payload irregularities to classify traffic without reliance on machine learning. Through controlled experiments using synthetic fragmented traffic, we demonstrate how fragmentation behaviors map directly to geopolitical and cybersecurity-driven disruptions.

This session will bridge the gap between global governance debates and low-level protocol behaviors, offering tools and insights for analysts, researchers, and defenders navigating an increasingly segmented digital landscape.

In this talk, we begin with taking stock of how Generative AI (GenAI) has influenced the conduct of offensive cyber operations, primarily improving the adversary’s operational effectiveness. With Aquatic Panda (aka Charcoal Typhoon), a prolific China-nexus adversary as the frame of reference, we will discuss how the current state of GenAI can improve the adversary’s tactics, techniques, and procedures (TTPs).

Following then, we will look into how Retrieval-Augmented Generation (RAG) can be applied to generate novel TTPs that would materially enhance an adversary’s offensive capabilities. We will conclude the discourse with a brief prognosis of the impact that Agentic AI could have on offensive cyber operations, particularly in the areas of autonomous operations, agent specialisation, and false flag operations.

With quantum computers on the horizon, today’s cryptographic defenses are running out of time. Fake news, deepfakes, and manipulated media already threaten digital trust, and quantum attacks will soon break the few remaining verification systems. Post-Quantum VerITAS is designed to secure digital content in both classical and post-quantum worlds, ensuring that image provenance remains verifiable even against adversaries with quantum capabilities. Our system combines lattice-based hash functions, post-quantum zk-SNARKs, and quantum-resistant digital signatures such as CRYSTALS-Dilithium. Unlike C2PA, which fails when images are modified or quantum attacks render its cryptography obsolete, Post-Quantum VerITAS provides a trustless, scalable, and quantum-secure solution. It enables real-time verification of images even after edits like cropping, resizing, or blurring, without requiring reliance on centralized authorities.
In this talk, we will break down the cryptographic foundations of Post-Quantum VerITAS, demonstrate how it resists both classical and quantum adversaries, and expose the vulnerabilities in existing provenance systems. We will also show how to implement it to protect against misinformation, ensuring that digital authenticity survives the post-quantum era. The quantum threat is coming. Post-Quantum VerITAS is ready.

Long gone are the times of popping beacons with "jump psexec64". Red teamers reminisce about engagements where smbexec.py is not instantly blocked by any half-decent EDR. But fret not, as this talk will show you the methods to return to old times of effortless* lateral movement.

Most red teamers have probably been in this situation: You miraculously find a set of valid credentials, granting you access to a garden variety of systems. of course, you want to hop on and see what juicy secrets those systems hold. But how do you execute a payload, without the noisy watchdog (aka the ever-so-present EDR) making note of your presence? That's exactly what is talk is about. We'll cover the current landscape of lateral movement techniques and potential detection opportunities to understand, why most off-the-shelf tooling gets busted. Equipped with a solid understanding of what to avoid, a selection of stealthy lateral movement techniques will be presented that circumvents these indicators and flies perfectly under the radar.
After this talk, the audience will not only have a few nice additions to their toolchain in their bags, but also the knowledge how to research both potential detection opportunities and variations of the presented techniques. After all, the blue team doesn't sleep as well.

The Galactic Empire is on the verge of releasing its biggest, most valuable and most important asset: The Death Star. You, the newly appointed Chief Imperial Security Officer, are responsible for improving its security posture. The previous CISO was “let go” and now it’s your job to clean up their mess. Your boss, Darth Vader, is breathing heavily down your neck. He is not amused with the project already over budget in both resources and time, and security will only add to that. His unconventional, yet persuasive leadership style convinces you to make this your top-most priority. How will you approach the massive task of securing the Death Star? This presentation will tell an untold story in the Star Wars universe in which the Death Star’s threats and mitigations were identified and prioritised before its release. Securing an artificial moon with a crew of over 2 million people might put the task of securing your software application into perspective.

WordPress powers over 40% of the web, making its plugin ecosystem a prime target for attackers. While security researchers manually audit plugins for vulnerabilities, the ever-growing number of third-party extensions makes this approach inefficient. What if we could find all the vulnerabilities right after developers publish them?

In this talk, we introduce a research-driven methodology for identifying 0-day vulnerabilities in WordPress plugins using static code analysis. We will showcase how we built a tool that continuously monitors the WordPress Plugin Repository via its SVN system, detects newly pushed code or changesets in real-time using multi-threading, and flags potentially dangerous patterns. By leveraging static analysis, the tool identifies sensitive functions and automatically alerts researchers when risky code is introduced.

We will dive into the inner workings of this automation, discuss the challenges of scaling static analysis for thousands of plugins, and present real-world case studies of zero-days uncovered using this technique.

By the end of this session, attendees will walk away with a deeper understanding of how to leverage real-time monitoring of the repository and static code analysis on a mass scale for vulnerability research.