JavaScript is disabled in your browser. Re-enable it for better visualization.
To access our schedule without JavaScript
click here.
Alternatively, use the static version below (warning, the static version is potentially outdated):
2025-10-24
2025-10-25
Talk Details
Registration opens (all-day)
Registration opens at the registration room.
Registration Room: --
Opening remarks
Opening remarks
BSidesPDX 2025 Organizers: BSidesPDX 2025 Organizers
Day 1 Keynote
Day 1 Keynote
Perri Adams: Perri Adams is a fellow at Dartmouth’s Institute for Security Technology Studies (ISTS) and former Special Assistant to the Director at the Defense Advanced Research Projects Agency (DARPA), where she advised stakeholders at the agency and across the U.S. government on the next generation of AI and cybersecurity technology.
Prior to this role, Ms. Adams was a DARPA Program Manager within the Information Innovation Office (I2O), where, among other programs, she created the AI Cyber Challenge (AIxCC). A frequent speaker on both technical and cyber policy issues, her written work has been published by Lawfare and the Council on Foreign Relations. She has advised and collaborated with think tanks such as the as Carnegie Endowment for International Peace and Georgetown’s Center for Security and Emerging Technology. She is also an adjunct professor at the Alperovitch Institute at Johns Hopkins School of Advanced International Studies and served for two years on the organizing committee of the DEF CON CTF, the world’s premier hacking competition.
Ms. Adams holds a Bachelor of Science degree in computer science from Rensselaer Polytechnic Institute and is a proud alumna of the computer security club, RPISEC.
Meet the Sponsors (all-day)
Stop by the Registration Room to chat with our amazing sponsors, grab some swag, and learn about the cool things they’re building. They’ll be here throughout the day!
Registration Room: --
CTF live challenges open for the day (all-day)
BSidesPDX 2025 CTF
The annual BSidesPDX 2025 CTF competition, brought to you by an amazing group of volunteers!
Go to https://ctf.bsidespdx.org to register and play!
CTF Room: CTF Room
Accidental Honeypot: How I Ended Up Receiving Tens of Thousands of Emails Meant for "No One"
In 2020, I registered a domain as a joke and privacy experiment. I never expected it to become a passive honeypot. But over the next five years, I received over 30,000 unsolicited emails. From pizza orders and job applications to password resets, IT tickets, and sensitive government faxes, it turns out a lot of systems assume that “noreply” means no one is actually watching.
In this 20-minute talk, I’ll walk through how I accidentally built a data-collecting black hole, what I’ve uncovered inside, and what it reveals about our collective assumptions around placeholder email addresses, dev defaults, and ghost domains. Spoiler: someone is reading the mail.
Cory Solovewicz: Cory Solovewicz spent over a decade as a full-stack web developer before realizing breaking things was even more fun than building them. During COVID, he made the jump to the dark side (legally), and has spent the past four years as a cyber security consultant hacking web apps, APIs, mobile apps, and the occasional thick client.
When he’s not poking at authentication logic or accidentally discovering new ways companies leak personal data, he’s racing bikes, going on long walks with his awesome partner, or hacking random gadgets in his free time. He's passionate about digital privacy, human error, and making security just a little more relatable (and a lot more fun).
contact@cory.so
Drone Blind Spots: Pentesting the Airspace Above Critical Infrastructure
Critical-infrastructure sites have hardened perimeters, access controls, and robust camera systems that deter and catch ground-level intrusions. But what about the airspace above them? This talk addresses a gap many sectors share: detecting and responding to drones. We’ll walk through how airspace pentesting over critical infrastructure actually works, what on-site defenders can do to strengthen detection and response, and demystify how to legally and safely get started with aerial assessments. Attendees will leave with equipment recommendations, a clear runbook for performing this work, and a persuasive narrative to secure budget and buy-in for launching aerial assessment and drone-defense programs.
Alec Hunter: Alec [(@brathadair)](https://x.com/brathadair) is a cyber-physical systems (CPS) security researcher specializing in Electromagnetic Spectrum Operations (EMSO), with extensive experience in drone-based Red Air engagements. He currently serves as a Security Consultant at SpookSec and was previously the Lead Offensive Security Engineer at Phoenix Technologies. He holds several certifications, including DSOC, DOCP, CSVA, CBBH, CDFP, OSWP, and FAA Part 107.
How Zero Trusty is Your Network Access?
Zero Trust is everywhere: on vendor datasheets, compliance frameworks, and executive roadmaps. But how do you separate real enforcement from marketing noise?
In this talk, I present a practical, adversary-informed evaluation of several leading ZTNA solutions tested across the five core pillars of Zero Trust: Identity, Device, Network, Application, and Data. Using a controlled lab environment, I simulated trusted and untrusted scenarios, configured granular access policies, and executed known attack patterns to test each vendor’s actual enforcement capabilities.
Some solutions successfully blocked unauthorized access, enforced policy based on device posture, and prevented common web exploits and data loss. Others fell short: failing to detect endpoint misconfigurations, bypassing service cloaking, or letting malware and sensitive data flow freely. In multiple cases, achieving basic Zero Trust behavior required purchasing additional modules outside the core ZTNA platform.
This session delivers clear results, testing methodology, and takeaways any security team can apply when evaluating ZTNA vendors. If you're tired of buzzwords and want to see how “Zero Trust” actually performs under pressure, this talk is for you.
Derron Carstensen: Derron Carstensen is a cybersecurity architect with over 20 years of hands-on experience across network security, cloud security, offensive security, and Zero Trust architecture. His career spans roles in security engineering, penetration testing, and most recently, leading secure access and Zero Trust initiatives for complex enterprise environments. Derron specializes in Secure Access Service Edge (SASE) deployments, ZTNA validation, and building adversary-informed testing frameworks that bridge the gap between marketing promises and real-world security enforcement. He’s passionate about helping both defenders and assessors make evidence-based decisions in the face of growing vendor noise.
Securing GraphQL from Design to Production
Learn to secure GraphQL interfaces by looking at design decisions and actual attacks. This talk dives into a half dozen GraphQL services that were deployed at a tech unicorn. You'll learn practical defensive strategies, discover where common security controls fall short, and see the fall out from attack scenarios that were missed.
Corey Le: Corey has been in the Information Security space for over 20 years and building software applications even longer. He spent years on the east coast as a principle security consultant with the Interpidus Group before joining the in-house security teams at places like Etsy and Simple. He spent 6 years at a unicorn tech company becoming their Director of Product Security. Currently living on the Oregon Coast, he enjoys tinkering with PCB designs in KiCad, signing off-key punk songs with his son, and trying to convince people that video games can be art.
Corey has previously presented at BlackHat, CanSecWest, Yandex, and BSidesRoc.
I'm not actually an SCCM admin...I just implied it
Microsoft's Configuration Manager (more commonly known as System Center Configuration Manager or SCCM) has received a great deal of attention from the offensive security community in recent years. The service's 30 year history includes a mountain of techincal debt that is still heavily relied on by enterprises across the globe. In fact, even with the industry's shift to cloud, SCCM remains the most depended on solution for endpoint management. This presentation will publicly disclose how an attacker under the right circumstances can abuse this dependence to escalate to SCCM admin simply by implying it.
Garrett Foster: Garrett Foster is an offensive security researcher with over 6 years of experience in information technology. He has conducted successful engagements against organizations that include the finance, healthcare, and energy sectors. Garrett enjoys researching Active Directory and developing offensive security tools. His background also includes roles as a Security Operations Center Analyst and Systems Administrator.
Redacted
Following the discovery of BadBox 1.0, I identified another device disguised as a streaming product called SuperBOX. This one is particularly concerning, as it includes observed command-and-control traffic, a targeted social media campaign, a suspected targeted whisper campaign, ease of use, and direct targeting of key individuals in important sections of U.S. Critical Infrastructure.
This situation has underscored the growing need for research at the intersection of cybersecurity and social psychology, highlighting the importance of helping users recognize and protect themselves from products that offer services that seem “too good to be true.”
Public reporting on this activity began emerging in early 2024, with major coverage appearing in March 2025. I initially discovered this campaign in February 2024 and have since tracked its evolution and broader ecosystem connections. This led to a second PSA from IC3 in May of 2025.
In this talk, I’ll provide:
A walkthrough of the device’s observed behavior.
An overview of the associated social media campaign.
Details of the whisper campaign.
Information on the shell company (or companies) linked to this activity.
Other notable findings and related observations gathered along the way.
D3ada55: Ashley is a Senior Security Solutions Engineer at Censys, where she
specializes in finding things on the internet that really shouldn’t be
on the internet (spoiler: you know it’s everything). Her research has
uncovered IoT botnets hiding in your “totally legitimate” streaming
boxes, pig-butchering scam infrastructure masquerading as romance, and
entire threat actor clusters that probably wish she’d just stop
looking at the internet on the weekends.
When not teaching students how to blue team, red team, or “please stop
clicking on that link” team, Ashley moonlights as a professional cat
herder at BSides Las Vegas SafetyOps as the Chief Security Officer and
BSides Albuquerque: wrangling volunteers, laptops, and chili-themed
challenge coin designs all in the same day.
She has worn many hats: Army Taekwondo competitor, Army Band musician,
SOC analyst, Palo Alto trainer, Google Cloud wrangler, WWE fanatic,
and n00b security researcher (ask her about the latest exploits in
breaking her own lab builds). If it's a device that seems too good to
be true, it probably is and she’s likely researching it.
Come for the IoT horror stories, stay for the leggings.
From Pi to Pwnage: Building a Wearable Hacking Station
Ever dreamed of a portable hacking device that packs the punch of a full Linux system but is cool enough to wear on your arm? This talk is for you. We'll dump the bulky laptops and dive into creating a powerful, Pip-Boy-inspired wearable from scratch, without breaking the bank.
I'll take you through my whole chaotic journey: from picking the right parts to the rage-inducing 3D modeling, cramming a jungle of wires into a tiny space, making a Linux GUI actually usable on a touchscreen, and keeping the thing powered for more than five minutes. I’ve already bricked the components, scoured the darkest corners of GitHub, and copy-pasted with pride, so you get the blueprint without the pain. You’ll leave ready to build your own rig for whatever digital mayhem you have in mind.
Stefan: Stefan is a middle school student with curiosity for computer security that borders on an obsession with digital mayhem. When he's not in class, you can find him with a soldering iron and a keyboard. He got his start early diving deep into code, slinging Python, JavaScript, and GDScript, while also dabbling in C#. His proudest achievement to date? Getting his Flipper Zero banned from his middle school. He's excited to be at BSides PDX to learn from the best and share his own discoveries.
Beyond the Mask: The Snitchpuck
Most organizations that deploy surveillance / safety technology don't actually know what they're putting on their networks exactly. i got curious about one specific device i had found in my high school's network.
when i finally got my hands on one, it raised bigger questions then i expected,
not just about the software or hardware. but about how widely it had been deployed without much scrutiny.
Sharing the research publicly showed me just how much people were questioning it, both inside and outside the security community.
what really surprised me was realizing how tightly knit the Portland Infosec community is, and how many people helped me along this journey.
in this talk, I'll share that story. from the initial discovery, to the struggles, and reflections.
Rey: Rey is an 18-year-old security researcher who started out finding bugs and holes in websites at 15. He began attending local infosec meetups in Portland, Oregon—like RainSec and PDX2600—soaking up everything he could. After stumbling across a creepy surveillance device at his high school, he drifted into hardware security and reverse engineering. He’s determined to keep learning and digging deeper.
CFAA Plus: Moving Computer Law Past the World of the Boombox and Magnetic Tape
A lot has changed since the 80s. Gone is the boom box with a cassette tape. You have a Flipper Zero instead of a magstripe writer. Forget ISDN: you can get better than an OC-24 at your house for less than your long distance bill. Viruses don't put random text on your screen, they shut down hospitals. But you know what hasn't changed? The CFAA. It's about time we look at how our laws can transform the incentives and move us beyond the cyber-vandalism era to respond to real threats with real defenses. Let's stop wringing our collective hands about evil hackers, and get real about how it actually works.
Falcon Darkstar Momot: Falcon (MBA, M.Sc., B.Acc.) is an infosec generalist currently managing product security at Aiven.io, and has over a decade of purple team experience at dozens of firms across a variety of industries. He does systems work, whether the systems are human or computer, and is as at home setting up a security program as figuring out how to verify application code, show immunity to an attack class, or model attackers across the value chain. He will be starting a PhD this winter at Dartmouth working on practical applications for LangSec.
Closing remarks
Closing remarks and reception
BSidesPDX 2025 Organizers: BSidesPDX 2025 Organizers
Friday Reception (evening)
Appetizers and drinks in the back room of Track 1
Back Room in Talk 1: Room at the back of Talk 1
BSides PDX Quiz Show
This is the game where we take some BSides attendees and pit them against each other in a battle of wits to see who’s the smartest… who’s the fastest… who’s going to emerge with the ultimate alpha- geek status for the next year!
WHAT’S IT LIKE? Just like many TV game shows you’re probably already familiar with. We take three contestants, put them on stage and ask them a series of questions relating to aspects of system and network security, exploits, hacking, hardware, software, administration, history, and even some random bits of pop culture thrown in for hack value.
And then maybe we'll do it again with three more contestants!
This event is for anyone with an interest in any or all of the topics that bring people to BSides. Questions for the quiz show are drawn from current events, information security, computer technology, hardware, software, geek culture, games, and general interest topics.
Steve Willoughby: Steve Willoughby is a Senior Software Developer currently focused on observability in Go. He discovered Version 7 Unix while in high school and, apart from brief forays into VMS in college and failed attempts to hide from other operating systems, he’s been spending most waking hours tinkering on UNIX in one form or another, either writing software or administering systems. He lives in the Portland, Oregon area and keeps a vintage Altair 8800 and COSMAC Elf as pets. In his spare time, he runs a MUD game and creates microcontroller gizmos to make his Christmas lights flash in the most over-engineered way possible.
John Mechalas: John has been doing systems administration since the dawn of time servers. Armed with degrees in aeronautical engineering, and a formal CS class in FORTRAN, he is uniquely prepared for our modern age where everything is computer. When he's not working, whenever that is, you can find him doing improvisational comedy, working in his garden, and yelling at clouds.
Portland Hacker Foundation : Asymmetric Impact Year 1
Last year at BSides Portland we started the conversation about creating the Portland Hacker Foundation, and by many measures it seems to have been a roaring success. This session will talk about what we've done, where we're going, and what you can do to help.
Dean Pierce: Dean Pierce is a security researcher from Portland Oregon.
Instant API Hacker
"Instant API Hacker" is a fast-paced, 20-minute presentation that demonstrates how quickly someone can learn to identify and exploit API vulnerabilities. Led by Corey Ball, author of "Hacking APIs" and founder of APIsec University and hAPI Labs. This talk provides a practical introduction to API security testing using real-world tools and techniques. Attendees will witness the exploitation of critical vulnerabilities from the OWASP API Security Top 10, including broken authentication, authorization flaws (BOLA), and excessive data exposure. Through live demos using the crAPI vulnerable lab, participants will see firsthand how APIs can be compromised and gain actionable insights they can apply immediately. The presentation concludes with free resources for continued learning, including access to vulnerable labs and APIsec University courses.
Corey Ball: Corey Ball is the author of Hacking APIs and founder of APIsec University a completely free learning platform with over 120,000 students. He was the winner of the SANS Difference Makers Award for book of the year. With over 15 years of experience in IT and Cybersecurity, Corey now leads penetration testing as the CEO of hAPI Labs.
The Life and Death of a Municipal Surveillance Technology in Seattle
Seattle was one of the first USA cities to have a Surveillance Ordinance. This enables Seattle residents to pull back the curtain on a type of mass surveillance not as commonly discussed by the news media: a service that provides real-time travel time calculations using a system of WiFi/Bluetooth MAC address sniffers deployed across the city. I'll bring you up to speed on this surveillance technology, the variety of issues that have been identified with it (both technical and non-technical), and its removal from Seattle. I'll also discuss some aspects about privacy of mobile devices specific to challenges with MAC addresses (i.e. randomization, anonymization, etc). Lastly, I will give you pointers on how to get started reviewing surveillance technologies your local municipality has deployed, so that you too can put your technical/security skills to use to help your neighbors and community.
C.S.: I'm an independent security researcher & privacy advocate. Over the last 7 years, I've reviewed and given public comment on all of Seattle's official surveillance technologies. I've worked closely with the Seattle Community Surveillance Working Group. I've also organized with various local non-profits and grassroots groups participating in the Seattle Surveillance Ordinance process and on state-level legislation spanning: civil liberties, data privacy, digital IDs, automated decision systems, right to repair, and other bills.
From walkie-talkies to Meshtastic: an overview of communication platforms
When traditional infrastructure fails, as it often does in the PNW, we may lose power, water, and even accessible roads. How do you plan to check in with your friends, family, share resources, and help others? In this talk, we’ll cover what options are available for long-distance remote communications between individuals: FRS, GMRS, CB, Amateur Radio, as well as Meshtastic. For the second half of the talk, we'll dive in deeper on Meshtastic: how it compares in terms of capabilities, legality, range, and ease of integration, as well as edge cases. By the end of the presentation, participants will be equipped with actionable knowledge to select affordable communication tools for their needs, ensuring they remain connected when it matters most.
Slava I. Maslennikov: Slava holds a general-level license for Amateur Radio. When away from Meshtastic and HF, he manages DevOps, SRE, and Cloud teams - or provides consulting services in these fields. He has two orange cats and by now is probably one himself. Either get him a beer or a job - he’s currently unemployed.
Disaster Ready Digital Safety: Building resilient support systems for domestic violence survivors
Safety Net Project, the tech safety team at the National Network to End Domestic Violence (NNEDV) has seen a significant uptick in recent years with local organizations requiring additional aid and guidance on best practices to support survivors of domestic violence and continue critical communication, in the face of natural disaster events like fires, hurricanes, and flooding. This project was born out of a direct response to this need - inspired by literal natural disasters across the United States.
Graduate students from the University of Washington (UW) are conducting research on this critical topic of cyber security best practices and guidelines for local victim service providers in the context of disaster preparedness and response. Some key topics covered include: emergency response communication plans, privacy and digital protection during disasters, as well as location tracking (stalkerware, tracking through car, airtag, dog pet finder, children’s devices, etc.), detection, and prevention. The research presented will serve as a comprehensive guide that fills the current gap in NNEDV’s resources, by offering actionable recommendations to help local organizations continue critical communication and safeguard survivors during and after natural disasters.
Naomi Meyer: Naomi brings over a decade of expertise spanning software engineering, cybersecurity, and education leadership. She just graduated honors with her Master's in Cybersecurity and Leadership from the University of Washington, while conducting ethical bug bounty research. During her 5 years at Adobe as a Software Development Engineer, she built large-scale features and served on technical committees while becoming a seasoned speaker at international engineering conferences. Before transitioning to tech, Naomi taught English as a foreign language in local classrooms across Asia and with the Peace Corps in West Africa. She enjoys weekends outside in the mountains with her dog.
A History of Fuzzing
Many a presenter, including myself, has talked about fuzzing. Usually, we touch on a small amount of theory and then show off what a cool tool we built or what a difficult target we fuzzed. Instead this talk will focus on fuzzing history. Where did we start? How did we get here? What were the turning points along the way? For each major development, we'll cover a motivating example, the theory behind a solution, and a tiny implementation until we arrive at the modern day.
Rowan Hart: Rowan is a Senior Security Engineer at Microsoft and previously worked at Intel as a fuzzing researcher. He also dabbles in security tooling as a hobbyist and as a writer. When not at the computer, you can find him at the skate park, on Mt. Hood, or on the rock wall.
Hackers + AI: Faster, Smarter, More Dangerous
Hackers are turning AI into a force multiplier for cybercrime. In this 20-minute talk, we’ll demo real hacker AI tools such as WormGPT and show how criminals use them to uncover vulnerabilities, generate exploits, and even weaponize zero-days at unprecedented speed. These tools also churn out phishing emails and call scripts in any language, letting novice hackers attack like experts on a global scale. See how AI is reshaping cybercrime and what defenders must prepare for now.
Sherri Davidoff: Sherri Davidoff is the founder of LMG Security and the author of three books, including “Ransomware and Cyber Extortion” and “Data Breaches: Crisis and Opportunity.” As a recognized expert in cybersecurity, she has been called a “security badass” by The New York Times. Sherri is an instructor for Black Hat, where she serves on the Black Hat USA Review Board and trains security professionals from around the world. She is also a faculty member at the Pacific Coast Banking School, where she teaching bankers and regulators about cybercrime. She is a GIAC-certified forensic analyst (GCFA) and penetration tester (GPEN) and received her degree in computer science and electrical engineering from MIT.
Matt Durrin: Matt Durrin is the Director of Training and Research at LMG Security and a Senior Consultant with the organization. He is an instructor at the international Black Hat USA conference, where he has taught classes on ransomware and data breaches. Matt has conducted cybersecurity seminars, tabletop exercises and classes for thousands of attendees in all sectors, including banking, retail, healthcare, government, and more. He is also the co-author of a new book, Ransomware and Cyber Extortion: Response and Prevention. A seasoned cybersecurity and IT professional, Matt specializes in ransomware response and research, as well as deployment of proactive cybersecurity solutions. Matt holds a bachelor’s degree in computer science from the University of Montana, and his malware research has been featured on NBC Nightly News.
New phone, who dis? The quest for a true Burner Phone
Do burner phones really still exist, or are they the stuff of urban legend? Can you get a phone that's untraceable any more? Why would you even want to?
Follow my journey as I find out, and maybe discover some privacy tips along the way.
Mike Niles: Mike works in Municipal Government IT, and has over 25 years of varied tech jobs under his belt ranging from end-user and application support to systems administration, patch management and cybersecurity.
Mike's spare time is typically consumed with gaming with his kids, cybersecurity conferences, and referring to himself in the third person.
PNW vs. Bay Area: Observations from the Seattle Startup Scene
In this raw, open, and honest session, I'll pull from my own and fellow VC-backed founder experiences on the crazy journey to build a security startup based in the PNW. We'll cover all major parts of the 0 -> 1 journey, including: ideation / idea validation, learning to sell, raising capital, building an MVP, finding PMF, and building a team. 1 year after graduating from the Y Combinator 2024 cohort, I'll open up about the things I wish I knew sooner, and the secrets to YC's success. I'll specifically talk about the challenges and strengths of building a non-SF-based startup.
Emily Choi-Greene: Emily is the CEO and co-founder of Clearly AI, a YC-backed startup automating security and privacy reviews based in Seattle. Previously, she oversaw application security for Amazon's Alexa AI organization and owned data security and privacy at Moveworks (an enterprise AI assistant).
Automating Threat Modeling with Vision Models - Lesson learned
Threat modeling has always been critical but also slow, manual, and often skipped. What if your security champions could generate a first draft of a STRIDE analysis from architecture diagram itself ? In this talk, we’ll explore how vision models (like Gemini Vision) and LLMs can automate early threat modeling by “seeing” system diagrams and translating them into structured security insights.
I’ll show how we built an agent that ingests architecture diagrams, interprets flows and trust boundaries, and outputs threat models in a developer-friendly format. We’ll cover practical benefits (speed, adoption, developer engagement) as well as real challenges: hallucinations, missing context, and having humans in the loop. Finally, I’ll share how we turn these outputs into generating adversarial test cases, making threat modeling more actionable.
Attendees will leave with a framework to experiment with their own AI-assisted threat modeling pipeline, lessons learned from real reviews of AI agents, and a realistic sense of what today’s vision models can (and can’t) do for security.
LLM Mayhem: Hands-On Red Teaming for LLM Applications
Join us in this workshop to engage in hands-on attacks to identify weaknesses in generative AI. If you’re interested in learning about getting started in red teaming generative AI systems, this is the workshop for you.
⚠️ Important:
Workshops require registration via this link: https://square.link/u/LYlZ89gC
(Registration will open at 12:00 Noon PDT, on Friday, October 10th)
Travis Smith: Travis Smith is the Vice President of ML Threat Operations at HiddenLayer where he is responsible for the services offered by the organization, including red-teaming machine learning systems and teaching adversarial machine learning courses. He has spent the last 20 years building enterprise security products and leading world class security research teams. Travis has presented his original research at information security conferences around the world including Black Hat, RSA Conference, SecTor, and DEF CON Villages.
David Lu: David Lu is a Senior ML Threat Operations Specialist at HiddenLayer, focusing on ML red teaming exercises, adversarial ML instruction, and the development of security ontologies. With 8 years of experience in security research, David also brings over a decade of academic expertise, having taught computer science at Portland State University and philosophy at Syracuse University. His interdisciplinary background uniquely positions him at the intersection of AI/ML security and ethical technology development.
So you’d like to present at a conference
So, you’d like to present at a conference? Awesome - but making that decision is just the first step of a long journey. This workshop is primarily intended for people who already have ideas of things to present, but need some help fine-tuning them and understanding the process. We’ll start off in a lecture format covering all the parts of preparing, submitting and presenting your work, answering a lot of questions you might ask yourself. We’ll proceed into an extended question and answer session. Think of your questions ahead of time, and perhaps even ask them before the workshop. Finally, we’ll use the remaining time to team up in groups to share our ideas and give each other feedback. Hopefully you’ll leave with a better idea of how to navigate the process, as well as a clearer idea of how to structure your submission and presentation.
⚠️ Important:
Workshops require registration via this link: https://square.link/u/LYlZ89gC
(Registration will open at 12:00 Noon PDT, on Friday, October 10th)
Joe FitzPatrick: Joe FitzPatrick (@securelyfitz) is an Instructor and Researcher at SecuringHardware.com. Joe has spent most of his career working on low-level silicon debug, security validation, and penetration testing of CPUs, SoCs, and microcontrollers. He has spent the past decade developing and delivering hardware security related tools and training, instructing hundreds of security researchers, pen testers, and hardware validators worldwide. When not teaching Applied Physical Attacks training, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects, which he regularly presents at all sorts of fun conferences.
PentestMCP: A Toolkit for Agentic Penetration Testing
Advances in Generative AI have enabled the development of autonomous agents, combining large-language models (LLMs) and custom tools with plan generation, reasoning, and tool execution to automate security tasks. One drawback of initial agentic approaches has been their monolithic development. However, much like HTTP decoupled the development of web clients and servers by standardizing the communication protocol between them, the Model-Context-Protocol (MCP) has emerged to decouple the development of agents and their tools. This workshop will provide an introduction to LLM agents and their construction using MCP. Attendees will first walk through a set of simple MCP clients and servers for automating database and file system tasks to get an understanding of how agents and MCP work using labs from https://codelabs.cs.pdx.edu. They will then experiment with a range of MCP servers from the open-source PentestMCP project https://github.com/Craftzman7/pentest-mcp that leverage penetration testing tools such as nmap, nuclei, and metasploit to automatically find, exploit, and exfiltrate data from a vulnerable web application. Note: Due to the nature of the exercises, they will be hosted on a Google Cloud Project that registered attendees will be given access to during the workshop.
⚠️ Important:
Workshops require registration via this link: https://square.link/u/LYlZ89gC
(Registration will open at 12:00 Noon PDT, on Friday, October 10th)
Wu-chang Feng: Wu-chang Feng is a professor at Portland State University where he focuses on applications of Generative AI in security.
Zachary Ezetta: Zachary Ezetta is a senior at Grant High School, network operator of AS214092, and the software lead for FIRST Robotics Competition Team 3636: Generals. He is also a former Intern for Portland State University's Department of Computer Science.
Binary Jiu-jitsu: White Belt Fundamentals
Abstract
Binary exploitation can feel overwhelming for beginners. With so many tools, techniques, and architectures to learn, it’s easy to get lost without a structured path. Binary Jiu-Jitsu is designed to guide students through the fundamentals of binary exploitation using a skill-based, hands-on approach inspired by martial arts training.
In this workshop, we’ll cover the essential building blocks for exploiting simple 64-bit Linux ELF binaries. Attendees will learn the fundamentals of computer architecture, reverse engineering with Ghidra, debugging with GDB, finding stack-based buffer overflows, and developing custom exploits using pwntools.
Throughout the session, participants earn “stripes” by completing progressively harder hands-on challenges in a live CTFd environment. By the end, students will have the knowledge — and practical skills — to identify vulnerabilities, write working exploits, and pop their first shell.
⚠️ Important:
Workshops require registration via this link: https://square.link/u/LYlZ89gC
(Registration will open at 12:00 Noon PDT, on Friday, October 10th)
Joshua Connolly: I am a vulnerability researcher/reverse engineer focused on embedded devices. I love playing CTFs and teaching interesting topics to people.
Registration opens (all-day)
Registration opens at the registration room.
Registration Room: --
Opening remarks
Opening remarks
BSidesPDX 2025 Organizers: BSidesPDX 2025 Organizers
Day 2 Keynote
Day 2 Keynote
Micah Lee: I’m an information security engineer, a software engineer, an investigative data journalist, and an author. I use he/him pronouns, and my name is pronounced “my-kah.”
I started the Lockdown Systems Collective where I help develop an open source app called Cyd that helps people claw back their data from Big Tech.
I worked for The Intercept for a decade, where I was director of information security. I also used to work as a staff technologist at Electronic Frontier Foundation, and I helped co-found Freedom of the Press Foundation. I did opsec for journalists while Edward Snowden was leaking NSA docs to them.
I’m the author of “Hacks, Leaks, and Revelations: The Art of Analyzing Hacked and Leaked Data”, a hands-on book that teaches journalists, researchers, and activists how download, research, analyze, and report on datasets. (No prior experience required.)
I develop open source security tools like OnionShare and Dangerzone. You can check out my GitHub activity [here](https://github.com/micahflee/).
Meet the Sponsors (all-day)
Stop by the Registration Room to chat with our amazing sponsors, grab some swag, and learn about the cool things they’re building. They’ll be here throughout the day!
Registration Room: --
CTF live challenges open for the day (all-day)
BSidesPDX 2025 CTF
The annual BSidesPDX 2025 CTF competition, brought to you by an amazing group of volunteers!
Go to https://ctf.bsidespdx.org to register and play!
CTF Room: CTF Room
From Context-Switching Hell to AI-Powered Ops: Eliminating Security On-Call Toil with the Model Context Protocol
Context switching during incident response is a silent productivity killer that costs security engineers hours of valuable time and significant cognitive load. This talk shares a real-world case study of how we transformed our on-call experience at Databricks by implementing Model Context Protocol (MCP) servers to enable AI-assisted incident triage and investigation.
Attendees will learn how traditional incident response workflows—involving dozens of browser tabs, multiple tools, and constant context rebuilding—can be revolutionized through natural language interfaces. We'll demonstrate how MCP servers provide a standardized way for AI assistants to interact with infrastructure tools like PagerDuty and Databricks, reducing incident investigation time from 15+ minutes to under 2 minutes.
Through real-world examples, we'll show how this approach eliminated overhead during on-call rotations, enabled cross-cloud investigation capabilities without manual intervention, and allowed engineers to focus on actual problem-solving rather than tool navigation. The talk includes practical implementation details and lessons learned from production deployments across 55+ multi-cloud Databricks workspaces.
Will Urbanski: Will is the tech lead for detection and response at Databricks. His expertise lies at the intersection of threat detection and software engineering, specializing in detection engineering, attack simulation, and the practical applications of threat intelligence. Previously, Will drove detection and intelligence initiatives at Stripe, Datadog, and SecureWorks, where he played key technical leadership roles in shaping security strategies and mentoring teams. He has authored four patents in the cybersecurity space, and his research has been published in well-known academic journals, including IEEE Security & Privacy.
Tag, You're Leaked: Surviving the tj-actions Supply Chain Attack
In March 2025, the tj-actions/changed-files GitHub Action, which is used by 24,000 repositories, was weaponized to steal CI/CD secrets. All 361 version tags were pointed to malicious code that dumped credentials from memory directly into build logs. We were the first responders.
Come hear the untold story of the 72-hour incident response. You'll learn how we detected an attack that traditional tools missed, built an IOC scanner over a weekend while the attack was live, and coordinated disclosure with dozens of organizations.
You'll walk away with:
- A tested incident response playbook you can adapt for your organization
- Open-source tools: harden-runner (behavioral monitoring) and ghscan (IOC scanning)
- Practical defenses for resilience against similar attacks
Mark Esler: Mark Esler works on software supply chain security, vulnerability disclosure, and system hardening.
Ashish Kurmi: Ashish Kurmi is the CTO and co-founder of StepSecurity, a cybersecurity startup securing CI/CD pipelines against supply chain attacks. Before StepSecurity, he was with Microsoft Corporation, Uber Technologies, and Plaid Inc. in security leadership roles. He primarily worked with software developers at these companies to understand their security pain points and built security systems to remediate security issues at scale. He has 15 years of experience in security and software engineering.
Ashish has previously spoken at several conferences such as BlackHat USA, (ISC)2 Security Congress, and Open Source 101.
Keep Your Return Address Close and Your Enemies Closer. How a kernel engineer and security researcher collaborated to tighten up Linux shadow stack
Intel's CET Shadow Stack is a CPU feature aimed at preventing Control-Flow Hijacking shenanigans by implementing a redundancy copy of the process stack, which can be verified for integrity through the program execution. Supporting CET Shadow Stacks in Linux applications is something that took a long long time to be implemented and deployed, and given the magnitude of changes required both in the kernel and in the toolchain, there was a reasonable chance that security details could be missed in the process. In this talk we'll cover the interactions between a kernel engineer and a security researcher regarding a last minute security finding that ended-up surfacing an intricate trade-off discussion around safety, performance and compatibility. These discussions led into redesigns of the shadow stack support at the brink of its release and are still relevant as new feature designs still stumble on the gritty details of these trade-offs.
Besides the technical scope, this talk aims on emphasizing how the collaborations between software engineers and security researchers can be fruitful, fun and crucial to achieving more reliable security outcomes.
Joao Moreira: João Moreira is a systems security researcher passionate about compilers, OS internals, and digging deep into low-level bugs. At Microsoft, he works on securing cloud infrastructure by reviewing service designs, building secure architectures, and developing defenses against emerging threats. Prior to Microsoft, João worked at Intel, SUSE Linux, and spent time in academia, where he focused on low-level systems topics like control-flow integrity and binary live patching. His research was presented at conferences such as Black Hat Asia, the Linux Plumbers Conference, and the Linux Security Summit. Every now and then, João contributes to open-source projects like the LLVM compiler and the Linux kernel. More recently, he’s been trying to figure out this AI thingy — but he still struggles to write short conference bios with the help of chatbots.
Rick Edgecombe: Rick is a Linux kernel engineer who works on security related features, virtualization and memory management.
Nintendon't Look at my GitHub: DMCA Dodging and Other Shenanigans
GitHub forks are...weird. A couple implementation quirks lead to some funny (or alternatively, scary) consequences. And yeah, this is publicly documented, but who reads these days? This talk walks through real-world personal examples: recovering commits from a deleted project, brute forcing hidden commit history back into existence, and skirting a DMCA takedown by inserting hidden commits in a someone else's repository.
James Martindale: James is a web/cloud penetration tester at Anvil Secure, based in Seattle. His research interests include API security, hardware hacking, and abuse cases. He spends too much of his free time in Grand Theft Auto Online, where the hacking minigames are much easier than his day job.
Quantum Computing: Hype, Hope, and the Cybersecurity Horizon
Quantum computing has sparked both excitement and alarm in the cybersecurity world and honestly, I’ve felt both. Between promises of solving problems previously thought impossible and fears of cracking RSA wide open, it’s hard to tell what’s real and what’s just well-dressed science fiction.
In this talk, I want to cut through the noise not from a purely academic standpoint, but from the perspective of someone who's actively working on quantum readiness in the fintech world. I’ve been navigating the hype, hope, and hard truths that come with trying to future-proof sensitive systems against a threat that’s not quite here… but definitely not imaginary.
We'll look at quantum computing from a high level without drowning in math and break down what's real vs. speculative. We'll cover which cryptographic algorithms are truly at risk, where post-quantum cryptography (PQC) comes into play, and how to think about timelines without spiraling into paranoia.
Whether you're in offensive security, defense, leadership, or just crypto-curious, this session will give you a clear picture of where things stand and how to start preparing without panicking (or overpaying a vendor with a quantum logo slapped on their pitch deck).
Neha Srivastava: With over 14 years of global experience at the intersection of cybersecurity, emerging tech, and financial services, Neha is a recognized leader shaping the future of secure digital infrastructure. As Vice President of Cybersecurity Products at J.P. Morgan Chase, she drives innovation in cryptographic systems and quantum-safe architectures that safeguard the next generation of financial technology.
Neha’s career journey includes leading roles at industry heavyweights like Deloitte, EY, Accenture, NVIDIA, Flagstar Bank, and Bank of America, spanning multiple countries and domains. Her work now centers on preparing for the quantum era with a strong focus on Post-Quantum Cryptography (PQC), Quantum readiness, quantum-safe protocols, and the ethical, sustainable design of cryptographic systems that can withstand tomorrow’s computing power.
Beyond her corporate work, Neha actively advises startups, helping founders navigate the complex intersection of security, compliance, and product strategy. She’s passionate about making sure innovation in quantum and cryptography is not just cutting-edge, but responsible, resilient, and ready for real-world impact.
From securing today’s digital economy to building quantum-resilient systems for the future, Neha brings a visionary yet grounded perspective to cybersecurity one that’s deeply technical, future-facing, and driven by purpose.
This is not a camera
Webcams secretly running Linux reveal embedded system vulnerabilities, insecure firmware, and broken update mechanisms. Tracing the tech stack from distributors to chipset manufacturers exposes supply chain issues, security oversights, and risks at the hardware-software boundary. The talk includes demos and highlights the need for transparency and responsibility.
Mickey Shkatov: Mickey has been involved in security research for over a decade, specializing in breaking down
complex concepts and identifying security vulnerabilities in unusual places. His experience spans a
variety of topics, which he has presented at security conferences worldwide. His talks have covered
areas ranging from web penetration testing to the intricacies of BIOS firmware.
Jesse Michael: Jesse is an experienced security researcher focused on vulnerability detection and mitigation
who has worked at all layers of modern computing environments from exploiting worldwide
corporate network infrastructure down to hunting vulnerabilities inside processors at the
hardware design level. His primary areas of expertise include reverse engineering embedded
firmware and exploit development. He has also presented research at DEF CON, Black Hat,
PacSec, Hackito Ergo Sum, Ekoparty, and BSides Portland.
Unwitting Hosts: How Residential Proxies Increase Risk
Residential proxy networks, which reroute user traffic through residential IP addresses, present unique risks to enterprise networks and individual users. These proxies, often bundled with low-reputation applications, enable external traffic to appear as if originating from legitimate endpoints, frequently without user consent. Cisco Security's research highlights that residential proxies are 4.8 times more likely to connect to malicious domains compared to regular enterprise network traffic, underscoring the threats posed by such activity.
This research investigates the mechanics, detection, and prevalence of residential proxies, leveraging datasets from Cisco Network Visibility Module (NVM) and the open-source mercury tool. By analyzing billions of network flows and telemetry data from approximately 240,000 devices, researchers identified residential proxy activity linked to applications like Infatica and Rave Helper. These programs, while not inherently malicious, misuse enterprise resources and can serve as vectors for attacks, including click fraud, spam, and internal reconnaissance by adversaries. The research also presents a novel detection approach based on Transport Layer Security (TLS) random nonces enables robust identification of residential proxy behavior in network traffic.
This study underscores the risks posed by residential proxies and emphasizes the importance of addressing these threats to safeguard enterprise environments. By detailing threat detections for this behavior and some of the tools that exhibit it, it provides practical tools that can be leveraged to identify residential proxy behavior through network traffic analysis. These insights aim to empower organizations with actionable strategies to mitigate the misuse of their resources and reduce exposure to malicious activity.
Darin Smith: Darin is a security research leader at Cisco Talos, focused on mentorship, security management, cloud native security research and detection engineering. Former affiliations include Amazon, the FBI, UC Davis and King's College London. In his spare time he loves playing music, hiking and travelling.
An Unexpected Journey - Building a Cybersecurity Program from Scratch at a Risk-Taking State Agency
In a state agency responsible for fighting wildland fires (including a fleet of drones, aircraft, and firetrucks) and responding to regional natural disasters, securing sensitive data and IT infrastructure is critical and challenging. From protecting endangered species data to ensuring secure computing at the most remote locations, a cybersecurity program in such an agency requires speed, flexibility, and hand-tailored problem solving. This session will share how the Washington State Dept of Natural Resources built a cybersecurity program from the ground up, addressing unique challenges like risk tolerance, rapid deployment, and balancing security with mission-critical operations.
Ralph Hogaboom: He/him, from Aberdeen WA. Married, parent, state govt employee in cybersecurity. Interested in gaming, trans rights, writing music, recovery, cooking, esports, feminism, running, pop science, knitting, and baking a really nice loaf of bread.
Liz Lewis-Lee: I am currently the CIO at the Washington State Department of Natural Resources. I have spent the majority of my career in state IT, from Operations to Security and now management. I was born and raised in the PNW, have two kids, two dogs, a cat and a husband.
Closing remarks
Closing remarks
BSidesPDX 2025 Organizers: BSidesPDX 2025 Organizers
After party
TBA
BSidesPDX 2025 Organizers: BSidesPDX 2025 Organizers
Cracking the Domain: Evolution of Active Directory Password Attacks
From LM hashes and rainbow tables to GPU rigs and Kerberoasting, the art of cracking Active Directory (AD) passwords has changed dramatically over the past two decades. What once took hours on a desktop can now be achieved in seconds with cloud GPUs and smarter wordlists. At the same time, attackers have shifted tactics—favoring low-and-slow spraying, ticket roasting, and credential theft over brute force.
This talk traces the history of AD password cracking, exploring the techniques that defined each era and how defenses evolved in response. We’ll walk through legacy weaknesses, modern attacks like AS-REP roasting, and the growing role of hybrid AD/cloud identity. Along the way, you’ll see demos of cracking in action and gain a deeper appreciation of why old best practices (like complexity rules) don’t hold up today.
Most importantly, we’ll cover practical steps defenders can take right now: from smarter password policies and banned password lists to detection strategies and long-term mitigations like MFA and passwordless authentication.
Whether you’re red team, blue team, or somewhere in between, you’ll walk away with a clear understanding of how AD password cracking works, how it’s evolved, and what you can do to stay ahead of the curve.
Zach Mead: Zach is the founder of Harbor's Edge Consulting LLC, where he focuses on offensive security consulting and helping organizations strengthen their overall security posture. With over seven years of experience in the security world, he has worked across red teaming, penetration testing, and advisory roles to help organizations better understand and defend against modern threats. Zach is passionate about bridging the gap between offensive techniques and defensive strategies, and he enjoys sharing practical insights with the broader security community.
From Suspicious Query to Real Incident: Deciding When Endpoint Alerts Really Matter
Security teams drown in endpoint telemetry: processes spawned, commands executed, binaries triggered. But not every log line should become an alert, and not every alert should trigger a 2 a.m. wake-up call. The real challenge is knowing when a query result crosses the line from “informational” to “actionable.”
In this talk, I’ll walk through how different types of endpoint queries; single-process anomalies, correlated multi-event queries, and time-bounded patterns; map to thresholds that determine whether engineers should escalate or suppress. We’ll explore practical heuristics for building alert thresholds that balance false positives and false negatives, tie signals back to MITRE ATT&CK techniques, and prioritize based on host and user context.
Using an open-source EDR as a demo environment, I’ll showcase how raw suspicious process data can be transformed into high-confidence detections. The goal: give engineers and SOC analysts a framework for deciding not just what they can detect, but when they should start worrying.
Udochi Nwobodo: Udochi Nwobodo is an Infrastructure and Product Security Engineer with over five years of experience securing large-scale systems at Adobe, Coinbase, and Juniper Networks. She has led efforts to design and deploy cloud security solutions, integrate security into product lifecycles, and build vulnerability management programs that scale with business needs.
Her work spans cloud, container, application security and modern detection engineering. Beyond technical execution, Udochi focuses on strategic impact: enabling teams to balance speed with security, aligning detection thresholds with business risk, and turning raw telemetry into meaningful decisions.
She holds a Master’s degree in Cybersecurity along with CISSP and CISM certifications. Udochi is passionate about bridging the gap between engineering and strategy, helping organizations move from reactive security to proactive resilience.
Okta Detection Engineering: From Logs to Detections
Okta is at the heart of identity for many organizations, which also makes it a prime target for attackers. For security engineers, the real challenge isn’t just understanding Okta logs — it’s turning them into reliable detections that catch threats without overwhelming the SOC with noise.
This talk provides a hands-on roadmap for building Okta detections from the ground up. We’ll begin by breaking down the different types of Okta logs and classifying them into meaningful categories (authentication, application access, administrative actions, MFA events, etc.). From there, we’ll show how multiple log types can be grouped to reveal attack patterns such as account takeovers, suspicious MFA bypasses, or privilege escalations.
The core of the session focuses on the detection design process itself:
Researching and threat hunting to baseline your Okta environment.
Identifying the behaviors or signals you want to catch.
Mapping those behaviors back to specific log fields and event types.
Enriching with user, device, and IP context to reduce noise and add clarity.
Testing and tuning the detection to validate it in production.
Attendees will walk away not just knowing what data Okta provides, but how to use that data to design, build, and test an effective detection end-to-end. Whether you’re starting from zero or refining your existing Okta detections, this talk gives you a repeatable workflow for turning identity logs into actionable security signals.
Fevin George: Fevin George is a Senior Security Engineer on the Detection and Response Team at Remitly, where he focuses on building and refining detections, leading incident response, and driving proactive threat hunting initiatives across cloud-native infrastructure. With a background in digital forensics and incident response (DFIR), Fevin has investigated over 400 ransomware, insider threat, APT/nation-state intrusion, and cloud breach cases during his time as a Senior Consultant at Charles River Associates. His work also included supporting ransomware negotiations and advising clients across healthcare, finance, education, and technology sectors.
Fevin holds a Master’s degree in Cybersecurity from the University of Maryland and a Bachelor’s in Computer Engineering from the University of Mumbai. He is a GIAC Certified Forensic Analyst (GCFA), Offensive Security Certified Professional (OSCP), and a recipient of the SANS Lethal Forensicator Coin.
Keeping PHI Out of the Model: Practical Patterns for Privacy Preserving LLMs in Healthcare
LLMs are racing into clinics and back offices, but a single prompt, log or misstep can leak Protected Health Information (PHI) and erode trust. This fast paced, vendor agnostic talk shows how to ship useful Large Language Model (LLM) features in healthcare without violating privacy or slowing delivery. Instead of theory, we’ll focus on what can go wrong across the LLM lifecycle (e.g. in training, prompts, logs, embeddings etc.) and how to think like an attacker. Then translate all of it into a pragmatic, privacy by design workflow you can adopt immediately. You’ll leave with a concise blueprint, a threat to control matrix you can copy into your program, and a simple decision rubric for on-premises versus cloud deployments. If you own security, ML or compliance and need practical patterns, this session is for you!
Anoop N.: I’m Anoop Nadig, a security engineer with seven years of experience. I specialize in Cloud and Application security, with professional interests in automation, threat modeling, and “shift-left” practices.
Outside of work, you’ll often find me on a hiking trail, at a live concert, or supporting security conferences and community initiatives.
The Hardware Procurement Iceberg: A Framework For Keeping Embedded Research Fun, Cheap, and Ethical
The last decade has been revolutionary for making embedded security research intellectually and financially accessible for thousands of curious minds around the world. Just by watching YouTube recordings of talks and reading blogposts from individual tinkerers and security firms alike, one can quickly start making a splash in a research area that was formerly thought to be prohibitively expensive and required lots of prerequisite knowledge.
Pan back to you: you saw the title of this presentation, and thought it was interesting. You have a $5 multimeter, a crusty soldering iron, a few bootleg debug adapters, and a wallet full of lint and toothpicks, but not a lot of bread. Where to now?
This talk presents the Hardware Procurement Iceberg (not coincidentally modeled off of the iceberg meme template): three distinct visualizations that show off different ways to procure (see: legally purchase and own) hardware to probe and modify for the sake of vulnerability and security research. Each visualization lays out various procurement methods measured by cost effectiveness, ethicality, and ease, which is left to the audience as to which route they choose to take.
Whether it be eBay, GovDeals, or somewhere more obscure/exotic, this talk walks through all possible routes to find your desired router, medical equipment, ICS/SCADA device, or whatever you fancy to complete your end-to-end research testbed.
yltsi: yltsi spends his time during business hours conducting product security research for a large technology company. Outside of that, he spends an overwhelming amount of time quenching his curiosity with web, mobile, game, and embedded security research for the spirit of the craft, as well as electronics reverse engineering and repair. He is a pro-gratis bug hunter and live hacking enthusiast, having taken 1st place in DistrictCon's inaugural Junkyard EOL PwNATHON competition in 2025 and given a talk at DEF CON Skytalks long ago.
Kidnapping a Library: How Ransomware Taught the British Library to Follow Well-Known Best Practices
In 2023 one of the largest libraries in the world fell victim to a ransomware attack. Their online catalogs were down for months, and the cost of recovery exceeded eight million dollars. In March 2024 the Library posted a detailed 18-page account of what happened and what they learned from the experience. I studied the full report so you don’t have to.
If the analysis contains any surprises, it’s that there are no real surprises: the problems the British Library faced are common to many businesses, and the improvements the Library developed in response to the attack are reassuringly familiar best practices. We know how to reduce risk from ransomware.
This 35-minute talk draws from the Library’s report to summarize the attack and explain how security controls such as network monitoring capabilities, multi-factor authentication, defined intrusion response processes, holistic risk management, and cyber-risk awareness at senior levels would have made a difference for the British Library-–and might in your company too.
Brian Myers: Brian Myers (PhD, CISSP) has 20+ years of experience spanning software development and information security. He built the first application security program at WorkBoard and served as HIPAA Security Officer at WebMD Health Services, helping them achieve HITRUST certification. As an independent consultant, he assists organizations with SOC 2, HIPAA compliance, and secure development practices. He regularly speaks at security conferences about practical approaches to security implementation and governance
More at https://safetylight.dev
From Assistant to Adversary: When Agentic AI Becomes an Insider Threat
This talk explores the converging risk factors that could transform helpful AI systems into potential security threats within organizations. We examine three critical ingredients that create this vulnerability: increasing capability, expanding agency, and exploitable motivation. As AI task capabilities surpass human performance in some domains, organizations naturally grant these systems greater autonomy and access privileges—mirroring how we treat valuable human employees. However, current AI systems remain fundamentally gullible, lacking robust skepticism when faced with indirect prompt injections and social engineering techniques. This talk will analyze how these three factors interact to create novel security challenges.
Jason Martin: Jason is Director of Adversarial Research at HiddenLayer, where he explores how the latest AI security research intersects with practical application. Jason was amongst the earliest researchers to recognize the need for AI security, founding the Secure Intelligence Team in Intel Labs in 2016 to research AI security and privacy threats and defenses. For 20+ years Jason has covered such diverse security topics as CPU microcode, authentication and biometrics, trusted execution environments, wearable technology, and network protocols, resulting in over 40 issued patents and several high profile research papers in adversarial machine learning and federated learning. When he’s not working Jason is either lost in the Pacific Northwest camping and hiking with his family; or he is lost in a technical project involving 3D printing, microcontrollers, or designing holiday lighting displays synchronized to music.
Towards Agentic Incident Handling
As automation and orchestration become key components in security operations, their limitations are becoming equally apparent. Static workflows and predefined playbooks often fall short when facing novel threats or when responders are overwhelmed by false positives and incident fatigue. Agentic solutions—where large language models (LLMs) operate as autonomous or semi-autonomous agents—arises then as a promising evolution.
This talk will explore the spectrum of AI-enabled assistance, starting with simple LLM usage for text-based tasks and moving toward autonomous multi-agent systems designed to handle complex, dynamic security scenarios. We will highlight both the opportunities and the challenges: while LLMs are accessible through simple chat interfaces, applying agentic solutions to real-world incident handling requires thoughtful orchestration, integration with tools, and recognition of inherent limitations.
Examples will be provided, including email Security Agents implemented on top of workflow orchestration frameworks.
Attendees will gain insight into the technical, operational, and human factors needed to responsibly adopt agentic solutions in security. By the end, they will better understand how to balance ambition with practicality, and how to begin experimenting with agent-driven incident response in their own environments.
Cristian Fiorentino: Cristian Fiorentino is a Systems Engineer with over 20 years of professional experience in designing, building, and securing enterprise distributed systems. He specializes in cybersecurity and security detection systems, with a career spanning app-sec, security validation and architecture, as well as incident handling, automation and threat detection.
As an enthusiast of artificial intelligence, he is particularly interested in the intersection of AI and security, exploring how agentic systems and large language models can enhance detection, response, and resilience.
Capture The Flag (CTF) With Hints
Capture the flag (CTF) exercises can be great practice and fun. However, sometimes things get complicated. Even the best of us may sometimes be lost, move in the wrong direction or get frustrated. In this workshop, not only are we giving you an overview and access to several CTF exercises, you are also provided hints (in case you need some). This way, everybody who shows up and spends some time can successfully complete some CTF exercises.
Instruction for attendees:
Bring a laptop.
(It is nice if you can ssh via terminal. Otherwise have a browser ready.)
⚠️ Important:
Workshops require registration via this link: https://square.link/u/LYlZ89gC
(Registration will open at 12:00 Noon PDT, on Friday, October 10th)
Jens Mache: I teach cybersecurity at Lewis & Clark. My certifications include SANS/ GIAC Certified Intrusion Analyst (GCIA), Penetration Tester (GPEN), Incident Handler (GCIH).
Collaborators include Richard Weiss (Evergreen State), Jack Cook, Taylor Wolff, Ishan Abraham, Ryder Selikow, Julia Scott, Joseph Granville, and Justin Wang.
Richard Weiss: Richard Weiss has been at the Evergreen State College since 2005. He has a Ph.D. in mathematics from Harvard University. His research has included cybersecurity education, computer vision and robotics, applications of machine learning, computer architecture. He was a research faculty member in Computer Vision at the University of Massachusetts for 15 years.
Long range, cheap comms through Meshtastic
Learn how to configure, use, and abuse long-range, cheap communication devices through Meshtastic, without a license! Talk to friends, control remote devices, gather remote sensor data - all at low power use, low cost, with encryption.
This workshop is designed for experience levels ranging from 0/5 to 2/5:
* Beginner: never touched Meshtastic
* Intermediate: installed Meshtastic, played with the app, messaged people
Specifically, we’ll cover:
* Hardware involved, mild theory
* Configuration and set-up
* Messaging and interacting with others
* Working with telemetry and sensors
* Basic walkthrough of controlling remote devices
* Show and tell of several projects that use Meshtastic
* How to keep advancing after the workshop
For the price of admission ($50), you’ll receive hardware you’ll be working with at the workshop, that you will keep:
* Heltec v3
* 4000mAh battery
* Temperature/humidity/barometric pressure sensor
* GPS sensor
* A custom case to house all of the above
* An ultrasonic distance sensor
* Stickers
⚠️ Important:
Workshops require registration via this link: https://square.link/u/LYlZ89gC
(Registration will open at 12:00 Noon PDT, on Friday, October 10th)
Slava I. Maslennikov: Slava holds a general-level license for Amateur Radio. When away from Meshtastic and HF, he manages DevOps, SRE, and Cloud teams - or provides consulting services in these fields. He has two orange cats and by now is probably one himself. Either get him a beer or a job - he’s currently unemployed.
Ryan: Ryan is a Senior Infrastructure Engineer in aerospace who spends his days keeping critical systems running and his nights tinkering with homelab projects that definitely don't always work on the first try. After years in the public sector and nonprofits learning that uptime matters most when the people are your end users and networks span multiple sites, he recently made the jump to the private sector where the stakes are just as high but the scale is... different.
He believes in learning by doing, especially by taking the hard way, and is always happy to chat about the "why" behind the tech we use every day, things like: why containerization, IaC, or why your homelab *really* needs 10Gb, 25Gb, or hell 100Gb networking. Fixing your motorcycles or car wrong is also part of the same journey, don't discount how deep the rabbit hole goes.
Tabletop Exercises De-Cryptid
In this hands-on workshop, you'll learn to design intelligence-driven exercises using the Hero's Journey storytelling format. We'll explore how to transform generic "bad thing happened, now what?" scenarios into compelling stories that energize players and highlight real gaps.
You'll walk away with:
• A draft tabletop scenario outline tailored to YOUR organization
• Practical techniques for incorporating adversary tradecraft using MITRE ATT&CK Navigator
• Facilitation skills for managing the room, asking the right questions, and avoiding common pitfalls
Please bring a laptop if possible.
⚠️ Important:
Workshops require registration via this link: https://square.link/u/LYlZ89gC
(Registration will open at 12:00 Noon PDT, on Friday, October 10th)
Chloe Tucker: Chloe Tucker is an intelligence-driven information security professional with a focus on learning experience design. As a hybrid human risk and threat intelligence specialist, she spends most of her time trying to understand who's doing what, when, why, and how. She's designed & facilitated over 35 exercises in the past 3 years and is passionate about meeting people where they're at, facilitating conversations, and drinking tea. She also has a smattering of certifications (CISSP, GCTI, GCIH, GSEC).
Introductory firmware reverse engineering
We will be taking a look at a photo printer firmware for no particular purpose other than having fun and learning something. We will start by downloading a firmware update from the manufacturer's website, continue with figuring out firmware update format and start digging into the code. We will be using free and open tools, we will be introducing common reverse engineering principles and learning firmware and microcontroller concepts. We'll go as slow as necessary and will get as far as we can in the time allotted.
⚠️ Important:
Workshops require registration via this link: https://square.link/u/LYlZ89gC
(Registration will open at 12:00 Noon PDT, on Friday, October 10th)
Aleks Nikolic: Aleks is a security researcher with a primary focus on finding memory corruption vulnerabilities in widely used server-side and client-side software.
Aleks’ previous published research topics have included fuzzer augmentation techniques, mitigation bypass techniques, and Internet-wide vulnerability scans. In his spare time he likes to tinker with devices around him and has previously published writeups of his reverse engineering efforts of useless cameras, obsolete car systems and x-ray imaging.