Day 1 Keynote

Perri Adams (@perrib.us @perribus)

Perri Adams is a fellow at Dartmouth’s Institute for Security Technology Studies (ISTS) and former Special Assistant to the Director at the Defense Advanced Research Projects Agency (DARPA), where she advised stakeholders at the agency and across the U.S. government on the next generation of AI and cybersecurity technology.

Prior to this role, Ms. Adams was a DARPA Program Manager within the Information Innovation Office (I2O), where, among other programs, she created the AI Cyber Challenge (AIxCC). A frequent speaker on both technical and cyber policy issues, her written work has been published by Lawfare and the Council on Foreign Relations. She has advised and collaborated with think tanks such as the Carnegie Endowment for International Peace and Georgetown’s Center for Security and Emerging Technology. She is also an adjunct professor at the Alperovitch Institute at Johns Hopkins School of Advanced International Studies and served for two years on the organizing committee of the DEF CON CTF, the world’s premier hacking competition.

Ms. Adams holds a Bachelor of Science degree in computer science from Rensselaer Polytechnic Institute and is a proud alumna of the computer security club, RPISEC.



Day 2 Keynote

Micah Lee (@micahflee.com @micahflee@infosec.exchange)

I’m an information security engineer, a software engineer, an investigative data journalist, and an author. I use he/him pronouns, and my name is pronounced “my-kah.”

I started the Lockdown Systems Collective where I help develop an open source app called Cyd that helps people claw back their data from Big Tech.

I worked for The Intercept for a decade, where I was director of information security. I also used to work as a staff technologist at Electronic Frontier Foundation, and I helped co-found Freedom of the Press Foundation. I did opsec for journalists while Edward Snowden was leaking NSA docs to them.

I’m the author of “Hacks, Leaks, and Revelations: The Art of Analyzing Hacked and Leaked Data”, a hands-on book that teaches journalists, researchers, and activists how to download, research, analyze, and report on datasets. (No prior experience required.)

I develop open source security tools like OnionShare and Dangerzone. You can check out my GitHub activity (here).




Talks



Accidental Honeypot: How I Ended Up Receiving Tens of Thousands of Emails Meant for “No One”

In 2020, I registered a domain as a joke and privacy experiment. I never expected it to become a passive honeypot. But over the next five years, I received over 30,000 unsolicited emails. From pizza orders and job applications to password resets, IT tickets, and sensitive government faxes, it turns out a lot of systems assume that “noreply” means no one is actually watching.

In this 20-minute talk, I’ll walk through how I accidentally built a data-collecting black hole, what I’ve uncovered inside, and what it reveals about our collective assumptions around placeholder email addresses, dev defaults, and ghost domains. Spoiler: someone is reading the mail.

Interpünkt


An Unexpected Journey - Building a Cybersecurity Program from Scratch at a Risk-Taking State Agency

In a state agency responsible for fighting wildland fires (including a fleet of drones, aircraft, and firetrucks) and responding to regional natural disasters, securing sensitive data and IT infrastructure is critical and challenging. From protecting endangered species data to ensuring secure computing at the most remote locations, a cybersecurity program in such an agency requires speed, flexibility, and hand-tailored problem solving. This session will share how the Washington State Dept of Natural Resources built a cybersecurity program from the ground up, addressing unique challenges like risk tolerance, rapid deployment, and balancing security with mission-critical operations.

Liz Lewis-Lee

Liz Lewis-Lee is currently the CIO at the Washington State Department of Natural Resources. She has spent the majority of her career in state IT, from Operations to Security and now management. She was born and raised in the PNW, and has two kids, two dogs, a cat and a husband.

Ralph Hogaboom

He/him, from Aberdeen WA. Married, parent, state govt employee in cybersecurity. Interested in gaming, trans rights, writing music, recovery, cooking, esports, feminism, running, pop science, knitting, and baking a really nice loaf of bread.


From Pi to Pwnage: Building a Wearable Hacking Station

Ever dreamed of a portable hacking device that packs the punch of a full Linux system but is cool enough to wear on your arm? This talk is for you. We’ll dump the bulky laptops and dive into creating a powerful, Pip-Boy-inspired wearable from scratch, without breaking the bank. I’ll take you through my whole chaotic journey: from picking the right parts to the rage-inducing 3D modeling, cramming a jungle of wires into a tiny space, making a Linux GUI actually usable on a touchscreen, and keeping the thing powered for more than five minutes. I’ve already bricked the components, scoured the darkest corners of GitHub, and copy-pasted with pride, so you get the blueprint without the pain. You’ll leave ready to build your own rig for whatever digital mayhem you have in mind.

Stefan

Stefan is a middle school student with a curiosity for computer security that borders on an obsession with digital mayhem. When he’s not in class, you can find him with a soldering iron and a keyboard. He got his start early diving deep into code, slinging Python, JavaScript, and GDScript, while also dabbling in C#. His proudest achievement to date? Getting his Flipper Zero banned from his middle school. He’s excited to be at BSides PDX to learn from the best and share his own discoveries.


Securing GraphQL from Design to Production

Learn to secure GraphQL interfaces by looking at design decisions and actual attacks. This talk dives into a half dozen GraphQL services that were deployed at a tech unicorn. You’ll learn practical defensive strategies, discover where common security controls fall short, and see the fallout from attack scenarios that were missed.

Corey Le


From Context-Switching Hell to AI-Powered Ops: Eliminating Security On-Call Toil with the Model Context Protocol

Context switching during incident response is a silent productivity killer that costs security engineers hours of valuable time and significant cognitive load. This talk shares a real-world case study of how we transformed our on-call experience at Databricks by implementing Model Context Protocol (MCP) servers to enable AI-assisted incident triage and investigation.

Attendees will learn how traditional incident response workflows—involving dozens of browser tabs, multiple tools, and constant context rebuilding—can be revolutionized through natural language interfaces. We’ll demonstrate how MCP servers provide a standardized way for AI assistants to interact with infrastructure tools like PagerDuty and Databricks, reducing incident investigation time from 15+ minutes to under 2 minutes.

Through real-world examples, we’ll show how this approach eliminated overhead during on-call rotations, enabled cross-cloud investigation capabilities without manual intervention, and allowed engineers to focus on actual problem-solving rather than tool navigation. The talk includes practical implementation details and lessons learned from production deployments across 55+ multi-cloud Databricks workspaces.

Will Urbanski

Will is the tech lead for detection and response at Databricks. His expertise lies at the intersection of threat detection and software engineering, specializing in detection engineering, attack simulation, and the practical applications of threat intelligence. Previously, Will drove detection and intelligence initiatives at Stripe, Datadog, and SecureWorks, where he played key technical leadership roles in shaping security strategies and mentoring teams. He has authored four patents in the cybersecurity space, and his research has been published in well-known academic journals, including IEEE Security & Privacy.


How Zero Trusty is Your Network Access?

Zero Trust is everywhere: on vendor datasheets, compliance frameworks, and executive roadmaps. But how do you separate real enforcement from marketing noise?

In this talk, I present a practical, adversary-informed evaluation of several leading ZTNA solutions tested across the five core pillars of Zero Trust: Identity, Device, Network, Application, and Data. Using a controlled lab environment, I simulated trusted and untrusted scenarios, configured granular access policies, and executed known attack patterns to test each vendor’s actual enforcement capabilities.

Some solutions successfully blocked unauthorized access, enforced policy based on device posture, and prevented common web exploits and data loss. Others fell short: failing to detect endpoint misconfigurations, allowing service cloaking to be bypassed, or letting malware and sensitive data flow freely. In multiple cases, achieving basic Zero Trust behavior required purchasing additional modules outside the core ZTNA platform.

This session delivers clear results, testing methodology, and takeaways any security team can apply when evaluating ZTNA vendors. If you’re tired of buzzwords and want to see how “Zero Trust” actually performs under pressure, this talk is for you.

Derron Carstensen

Derron Carstensen is a cybersecurity architect with over 20 years of hands-on experience across network security, cloud security, offensive security, and Zero Trust architecture. His career spans roles in security engineering, penetration testing, and most recently, leading secure access and Zero Trust initiatives for complex enterprise environments. Derron specializes in Secure Access Service Edge (SASE) deployments, ZTNA validation, and building adversary-informed testing frameworks that bridge the gap between marketing promises and real-world security enforcement. He’s passionate about helping both defenders and assessors make evidence-based decisions in the face of growing vendor noise.


Drone Blind Spots: Pentesting the Airspace Above Critical Infrastructure

Critical-infrastructure sites have hardened perimeters, access controls, and robust camera systems that deter and catch ground-level intrusions. But what about the airspace above them? This talk addresses a gap many sectors share: detecting and responding to drones. We’ll walk through how airspace pentesting over critical infrastructure actually works, what on-site defenders can do to strengthen detection and response, and demystify how to legally and safely get started with aerial assessments. Attendees will leave with equipment recommendations, a clear runbook for performing this work, and a persuasive narrative to secure budget and buy-in for launching aerial assessment and drone-defense programs.

Alec Hunter (@brathadair)

Alec is a cyber-physical systems (CPS) security researcher specializing in Electromagnetic Spectrum Operations (EMSO), with extensive experience in drone-based Red Air engagements. He currently serves as a Security Consultant at SpookSec and was previously the Lead Offensive Security Engineer at Phoenix Technologies. He holds several certifications, including DSOC, DOCP, CSVA, CBBH, CDFP, OSWP, and FAA Part 107.


The tale of the CET Shadow Stack bypass that almost saw the light of day

Intel’s CET Shadow Stack is a CPU feature aimed at preventing Control-Flow Hijacking shenanigans by implementing a redundant copy of the process stack, which can be verified for integrity throughout the program’s execution. Supporting CET Shadow Stacks in Linux applications is something that took a long, long time to be implemented and deployed, and given the magnitude of changes required both in the kernel and in the toolchain, there was a reasonable chance that security details could be missed in the process. In this talk we’ll cover the interactions between a kernel engineer and a security researcher regarding a last-minute security finding that ended up surfacing an intricate trade-off discussion around safety, performance and compatibility. These discussions led to redesigns of the shadow stack support at the brink of its release and are still relevant, as new feature designs still stumble on the gritty details of these trade-offs.

Besides the technical scope, this talk aims to emphasize how collaborations between software engineers and security researchers can be fruitful, fun and crucial to achieving more reliable security outcomes.

Joao Moreira

João Moreira is a systems security researcher passionate about compilers, OS internals, and digging deep into low-level bugs. At Microsoft, he works on securing cloud infrastructure by reviewing service designs, building secure architectures, and developing defenses against emerging threats. Prior to Microsoft, João worked at Intel, SUSE Linux, and spent time in academia, where he focused on low-level systems topics like control-flow integrity and binary live patching. His research was presented at conferences such as Black Hat Asia, the Linux Plumbers Conference, and the Linux Security Summit. Every now and then, João contributes to open-source projects like the LLVM compiler and the Linux kernel. More recently, he’s been trying to figure out this AI thingy — but he still struggles to write short conference bios with the help of chatbots.


CFAA Plus: Moving Computer Law Past the World of the Boombox and Magnetic Tape

A lot has changed since the 80s. Gone is the boom box with a cassette tape. You have a Flipper Zero instead of a magstripe writer. Forget ISDN: you can get better than an OC-24 at your house for less than your long distance bill. Viruses don’t put random text on your screen, they shut down hospitals. But you know what hasn’t changed? The CFAA. It’s about time we look at how our laws can transform the incentives and move us beyond the cyber-vandalism era to respond to real threats with real defenses. Let’s stop wringing our collective hands about evil hackers, and get real about how it actually works.

Falcon Darkstar Momot

Falcon (MBA, M.Sc., B.Acc.) is an infosec generalist currently managing product security at Aiven.io, and has over a decade of purple team experience at dozens of firms across a variety of industries. He does systems work, whether the systems are human or computer, and is as at home setting up a security program as figuring out how to verify application code, show immunity to an attack class, or model attackers across the value chain. He will be starting a PhD this winter at Dartmouth working on practical applications for LangSec.


Instant API Hacker

“Instant API Hacker” is a fast-paced, 20-minute presentation that demonstrates how quickly someone can learn to identify and exploit API vulnerabilities. Led by Corey Ball, author of “Hacking APIs” and founder of APIsec University and hAPI Labs, this talk provides a practical introduction to API security testing using real-world tools and techniques. Attendees will witness the exploitation of critical vulnerabilities from the OWASP API Security Top 10, including broken authentication, authorization flaws (BOLA), and excessive data exposure. Through live demos using the crAPI vulnerable lab, participants will see firsthand how APIs can be compromised and gain actionable insights they can apply immediately. The presentation concludes with free resources for continued learning, including access to vulnerable labs and APIsec University courses.

Corey Ball

Corey Ball is the author of Hacking APIs and founder of APIsec University, a completely free learning platform with over 120,000 students. He was the winner of the SANS Difference Makers Award for book of the year. With over 15 years of experience in IT and Cybersecurity, Corey now leads penetration testing as the CEO of hAPI Labs.


From walkie-talkies to Meshtastic: an overview on communication platforms

When traditional infrastructure fails, as it often does in the PNW, we may lose power, water, and even accessible roads. How do you plan to check in with your friends, family, share resources, and help others? In this talk, we’ll cover what options are available for long-distance remote communications between individuals: FRS, GMRS, CB, Amateur Radio, as well as Meshtastic. For the second half of the talk, we’ll dive in deeper on Meshtastic: how it compares in terms of capabilities, legality, range, and ease of integration, as well as edge cases. By the end of the presentation, participants will be equipped with actionable knowledge to select affordable communication tools for their needs, ensuring they remain connected when it matters most.

Slava I. Maslennikov

Slava holds a general-level license for Amateur Radio. When away from Meshtastic and HF, he manages DevOps, SRE, and Cloud teams - or provides consulting services in these fields. He has two orange cats and by now is probably one himself. Either get him a beer or a job - he’s currently unemployed.


Portland Hacker Foundation : Asymmetric Impact Year 1

Last year at BSides Portland we started the conversation about creating the Portland Hacker Foundation, and by many measures it seems to have been a roaring success. This session will talk about what we’ve done, where we’re going, and what you can do to help.

Dean Pierce

Dean Pierce is a security researcher from Portland Oregon.


Beyond the Mask: The Snitchpuck

Most organizations that deploy surveillance / safety technology don’t actually know exactly what they’re putting on their networks. I got curious about one specific device I had found in my high school’s network. When I finally got my hands on one, it raised bigger questions than I expected, not just about the software or hardware, but about how widely it had been deployed without much scrutiny.

Sharing the research publicly showed me just how much people were questioning it, both inside and outside the security community. What really surprised me was realizing how tightly knit the Portland Infosec community is, and how many people helped me along this journey.

In this talk, I’ll share that story: from the initial discovery, to the struggles, and reflections.

Rey

Rey is an 18-year-old security researcher who started out finding bugs and holes in websites at 15. He began attending local infosec meetups in Portland, Oregon—like RainSec and PDX2600—soaking up everything he could. After stumbling across a creepy surveillance device at his high school, he drifted into hardware security and reverse engineering. He’s determined to keep learning and digging deeper.


A History of Fuzzing

Many a presenter, including myself, has talked about fuzzing. Usually, we touch on a small amount of theory and then show off what a cool tool we built or what a difficult target we fuzzed. Instead, this talk will focus on fuzzing history. Where did we start? How did we get here? What were the turning points along the way? For each major development, we’ll cover a motivating example, the theory behind a solution, and a tiny implementation until we arrive at the modern day.

Rowan Hart

Rowan is a Senior Security Engineer at Microsoft and previously worked at Intel as a fuzzing researcher. He also dabbles in security tooling as a hobbyist and as a writer. When not at the computer, you can find him at the skate park, on Mt. Hood, or on the rock wall.


Hackers + AI: Faster, Smarter, More Dangerous

Hackers are turning AI into a force multiplier for cybercrime. In this 20-minute talk, we’ll demo real hacker AI tools such as WormGPT and show how criminals use them to uncover vulnerabilities, generate exploits, and even weaponize zero-days at unprecedented speed. These tools also churn out phishing emails and call scripts in any language, letting novice hackers attack like experts on a global scale. See how AI is reshaping cybercrime and what defenders must prepare for now.

Sherri Davidoff

Sherri Davidoff is the founder of LMG Security and the author of three books, including “Ransomware and Cyber Extortion” and “Data Breaches: Crisis and Opportunity.” As a recognized expert in cybersecurity, she has been called a “security badass” by The New York Times. Sherri is an instructor for Black Hat, where she serves on the Black Hat USA Review Board and trains security professionals from around the world. She is also a faculty member at the Pacific Coast Banking School, where she teaches bankers and regulators about cybercrime. She is a GIAC-certified forensic analyst (GCFA) and penetration tester (GPEN) and received her degree in computer science and electrical engineering from MIT.


Nintendon’t Look at my GitHub: Sidestepping DMCA Takedowns with a Feature, Not a Bug

GitHub forks are…weird. A couple of implementation quirks lead to some funny (or alternatively, scary) consequences. And yeah, this is publicly documented, but who reads these days? This talk walks through real-world personal examples: recovering commits from a deleted project, brute forcing hidden commit history back into existence, and skirting a DMCA takedown by inserting hidden commits in someone else’s repository.

James Martindale

James is a web/cloud penetration tester at Anvil Secure, based in Seattle. His research interests include API security, hardware hacking, and abuse cases. He spends too much of his free time in Grand Theft Auto Online, where the hacking minigames are much easier than his day job.


Towards Agentic Incident Handling

As automation and orchestration become key components in security operations, their limitations are becoming equally apparent. Static workflows and predefined playbooks often fall short when facing novel threats or when responders are overwhelmed by false positives and incident fatigue. Agentic solutions—where large language models (LLMs) operate as autonomous or semi-autonomous agents—then arise as a promising evolution.

This talk will explore the spectrum of AI-enabled assistance, starting with simple LLM usage for text-based tasks and moving toward autonomous multi-agent systems designed to handle complex, dynamic security scenarios. We will highlight both the opportunities and the challenges: while LLMs are accessible through simple chat interfaces, applying agentic solutions to real-world incident handling requires thoughtful orchestration, integration with tools, and recognition of inherent limitations.

Examples will be provided, including email Security Agents implemented on top of workflow orchestration frameworks.

Attendees will gain insight into the technical, operational, and human factors needed to responsibly adopt agentic solutions in security. By the end, they will better understand how to balance ambition with practicality, and how to begin experimenting with agent-driven incident response in their own environments.

Cristian Fiorentino

Cristian Fiorentino is a Systems Engineer with over 20 years of professional experience in designing, building, and securing enterprise distributed systems.

He specializes in cybersecurity and security detection systems, with a career spanning app-sec, security validation and architecture, as well as incident handling, automation and threat detection. As an enthusiast of artificial intelligence, he is particularly interested in the intersection of AI and security, exploring how agentic systems and large language models can enhance detection, response, and resilience.


Cracking the Domain: Evolution of Active Directory Password Attacks

From LM hashes and rainbow tables to GPU rigs and Kerberoasting, the art of cracking Active Directory (AD) passwords has changed dramatically over the past two decades. What once took hours on a desktop can now be achieved in seconds with cloud GPUs and smarter wordlists. At the same time, attackers have shifted tactics—favoring low-and-slow spraying, ticket roasting, and credential theft over brute force.

This talk traces the history of AD password cracking, exploring the techniques that defined each era and how defenses evolved in response. We’ll walk through legacy weaknesses, modern attacks like AS-REP roasting, and the growing role of hybrid AD/cloud identity. Along the way, you’ll see demos of cracking in action and gain a deeper appreciation of why old best practices (like complexity rules) don’t hold up today.

Most importantly, we’ll cover practical steps defenders can take right now: from smarter password policies and banned password lists to detection strategies and long-term mitigations like MFA and passwordless authentication.

Whether you’re red team, blue team, or somewhere in between, you’ll walk away with a clear understanding of how AD password cracking works, how it’s evolved, and what you can do to stay ahead of the curve.

Zach

Zach is the founder of Harbor’s Edge Consulting LLC, where he focuses on offensive security consulting and helping organizations strengthen their overall security posture. With over seven years of experience in the security world, he has worked across red teaming, penetration testing, and advisory roles to help organizations better understand and defend against modern threats. Zach is passionate about bridging the gap between offensive techniques and defensive strategies, and he enjoys sharing practical insights with the broader security community.


New phone, who dis? The quest for a true Burner Phone

Do burner phones really still exist, or are they the stuff of urban legend? Can you get a phone that’s untraceable any more? Why would you even want to?

Follow my journey as I find out, and maybe discover some privacy tips along the way.

Mike Niles

Mike works in Municipal Government IT, and has over 25 years of varied tech jobs under his belt ranging from end-user and application support to systems administration, patch management and cybersecurity.

Mike’s spare time is typically consumed with gaming with his kids, cybersecurity conferences, and referring to himself in the third person.


This is not a camera

Webcams secretly running Linux reveal embedded system vulnerabilities, insecure firmware, and broken update mechanisms. Tracing the tech stack from distributors to chipset manufacturers exposes supply chain issues, security oversights, and risks at the hardware-software boundary. The talk includes demos and highlights the need for transparency and responsibility.

Mickey Shkatov

Mickey has been involved in security research for over a decade, specializing in breaking down complex concepts and identifying security vulnerabilities in unusual places. His experience spans a variety of topics, which he has presented at security conferences worldwide. His talks have covered areas ranging from web penetration testing to the intricacies of BIOS firmware.

Jesse Michael

Jesse is an experienced security researcher focused on vulnerability detection and mitigation who has worked at all layers of modern computing environments from exploiting worldwide corporate network infrastructure down to hunting vulnerabilities inside processors at the hardware design level. His primary areas of expertise include reverse engineering embedded firmware and exploit development. He has also presented research at DEF CON, Black Hat, PacSec, Hackito Ergo Sum, Ekoparty, and BSides Portland.


Okta Detection Engineering: From Logs to Detections

Okta is at the heart of identity for many organizations, which also makes it a prime target for attackers. For security engineers, the real challenge isn’t just understanding Okta logs — it’s turning them into reliable detections that catch threats without overwhelming the SOC with noise.

This talk provides a hands-on roadmap for building Okta detections from the ground up. We’ll begin by breaking down the different types of Okta logs and classifying them into meaningful categories (authentication, application access, administrative actions, MFA events, etc.). From there, we’ll show how multiple log types can be grouped to reveal attack patterns such as account takeovers, suspicious MFA bypasses, or privilege escalations.

The core of the session focuses on the detection design process itself:

  • Researching and threat hunting to baseline your Okta environment.
  • Identifying the behaviors or signals you want to catch.
  • Mapping those behaviors back to specific log fields and event types.
  • Enriching with user, device, and IP context to reduce noise and add clarity.
  • Testing and tuning the detection to validate it in production.
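The five steps above, carried through as an added example that is not part of the talk: a small Python detection over constructed Okta System Log records. The eventType names (user.session.start, user.mfa.factor.deactivate, user.mfa.factor.reset_all) are real Okta System Log event types, but every record, user, IP address and timestamp here is invented for the example, and the corporate IP range and the 30-minute window are assumptions you would replace with your own baseline research.

```python
"""Added example (not from the talk): a small Okta System Log detection that
follows the five-step design process above. All events below are constructed
in the shape of Okta's System Log JSON; none come from a real tenant."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: corporate egress ranges used for enrichment (step 4).
CORPORATE_RANGES = [ipaddress.ip_network("10.0.0.0/8")]
# Tuning knob (step 5): how soon after an MFA change a new-IP login is suspicious.
WINDOW = timedelta(minutes=30)
# Real Okta eventType values that weaken a user's MFA posture (step 3 mapping).
MFA_WEAKENING = {"user.mfa.factor.deactivate", "user.mfa.factor.reset_all"}


def ev(published, event_type, actor, ip, result="SUCCESS", target=None):
    """Build a constructed System-Log-shaped record (eventType, outcome, actor, client, target)."""
    rec = {"published": published, "eventType": event_type,
           "outcome": {"result": result},
           "actor": {"alternateId": actor},
           "client": {"ipAddress": ip}}
    if target:
        rec["target"] = [{"type": "User", "alternateId": target}]
    return rec


# Constructed sample log: September events feed the baseline, October events are triaged.
SAMPLE_EVENTS = [
    ev("2025-09-10T09:00:00Z", "user.session.start", "alice@example.com", "203.0.113.5"),
    ev("2025-09-12T09:05:00Z", "user.session.start", "alice@example.com", "10.20.30.40"),
    ev("2025-09-15T08:30:00Z", "user.session.start", "bob@example.com", "10.20.30.41"),
    # An admin resets all of alice's factors, then a login arrives from an IP never seen for her.
    ev("2025-10-01T08:00:00Z", "user.mfa.factor.reset_all", "admin@example.com", "10.20.30.1",
       target="alice@example.com"),
    ev("2025-10-01T08:12:00Z", "user.session.start", "alice@example.com", "198.51.100.77"),
    # A failed login from another new IP: outcome is not SUCCESS, so it does not fire.
    ev("2025-10-01T08:20:00Z", "user.session.start", "alice@example.com", "198.51.100.78",
       result="FAILURE"),
    # Bob deactivates a factor himself and logs in from his usual corporate address: benign.
    ev("2025-10-01T09:00:00Z", "user.mfa.factor.deactivate", "bob@example.com", "10.20.30.41",
       target="bob@example.com"),
    ev("2025-10-01T09:05:00Z", "user.session.start", "bob@example.com", "10.20.30.41"),
    # Alice's known home IP two hours after the reset: outside WINDOW and in her baseline.
    ev("2025-10-01T10:00:00Z", "user.session.start", "alice@example.com", "203.0.113.5"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def build_baseline(events, before):
    """Step 1: per-user set of source IPs seen on successful logins before the cutoff."""
    seen = defaultdict(set)
    for e in events:
        if (e["eventType"] == "user.session.start"
                and e["outcome"]["result"] == "SUCCESS"
                and parse_ts(e["published"]) < before):
            seen[e["actor"]["alternateId"]].add(e["client"]["ipAddress"])
    return seen


def is_corporate(ip):
    return any(ipaddress.ip_address(ip) in net for net in CORPORATE_RANGES)


def detect_mfa_change_then_new_ip_login(events, baseline):
    """Steps 2-4: an MFA-weakening event on a user, followed within WINDOW by a
    successful login for that user from an IP that is neither in the user's
    baseline nor inside a corporate range."""
    alerts = []
    last_weakened = {}  # affected user -> timestamp of the latest MFA-weakening event
    for e in sorted(events, key=lambda r: r["published"]):  # ISO-8601 strings sort chronologically
        if e["outcome"]["result"] != "SUCCESS":
            continue
        ts = parse_ts(e["published"])
        if e["eventType"] in MFA_WEAKENING:
            # For factor events the affected user is the target, not necessarily the actor.
            affected = e.get("target", [{}])[0].get("alternateId", e["actor"]["alternateId"])
            last_weakened[affected] = ts
        elif e["eventType"] == "user.session.start":
            user = e["actor"]["alternateId"]
            ip = e["client"]["ipAddress"]
            t0 = last_weakened.get(user)
            if (t0 is not None and ts - t0 <= WINDOW
                    and ip not in baseline.get(user, set())
                    and not is_corporate(ip)):
                alerts.append({"user": user, "ip": ip,
                               "mfa_change_at": t0.isoformat(),
                               "login_at": ts.isoformat()})
    return alerts


def run_detection(events=SAMPLE_EVENTS, cutoff=datetime(2025, 10, 1)):
    """Step 5 entry point: baseline on history before the cutoff, then run the rule over everything."""
    return detect_mfa_change_then_new_ip_login(events, build_baseline(events, cutoff))


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

Run as-is, the rule fires once, for alice's login from 198.51.100.77 twelve minutes after the factor reset, and stays quiet for bob's self-service change from his baseline corporate address. The two tuning levers a real deployment would iterate on are WINDOW and the enrichment sources (here only a corporate CIDR; device and geolocation fields from the same records are the natural next additions).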

Attendees will walk away not just knowing what data Okta provides, but how to use that data to design, build, and test an effective detection end-to-end. Whether you’re starting from zero or refining your existing Okta detections, this talk gives you a repeatable workflow for turning identity logs into actionable security signals.

Fevin George

Fevin George is a Senior Security Engineer on the Detection and Response Team at Remitly, where he focuses on building and refining detections, leading incident response, and driving proactive threat hunting initiatives across cloud-native infrastructure. With a background in digital forensics and incident response (DFIR), Fevin has investigated over 400 ransomware, insider threat, APT/nation-state intrusion, and cloud breach cases during his time as a Senior Consultant at Charles River Associates. His work also included supporting ransomware negotiations and advising clients across healthcare, finance, education, and technology sectors.

Fevin holds a Master’s degree in Cybersecurity from the University of Maryland and a Bachelor’s in Computer Engineering from the University of Mumbai. He is a GIAC Certified Forensic Analyst (GCFA), Offensive Security Certified Professional (OSCP), and a recipient of the SANS Lethal Forensicator Coin.


Redacted

Following the discovery of BadBox 1.0, I found another one disguised as a streaming device called ‘SuperBOX’. This one is incredibly nefarious, as it includes observed command and control traffic, a targeted social media campaign, a suspected targeted whisper campaign, ease of use, and direct targeting of key individuals in important sections of US Critical Infrastructure. This situation has created the need for further research into Cyber and Social Psychology and highlights the urgency of assisting the uninitiated in protecting themselves from products that provide a service that seems “too good to be true.” This talk has evolved into a full blown FBI investigation that has recently resulted in both an IC3 alert and an FBI PSA. I also discovered this in February 2024, well before the recently published article in March of 2025. In this talk, I’ll provide:

  • A walk-through of the device’s observed behavior.
  • An overview of the social media campaign.
  • Details of the whisper campaign.
  • Information on the shell company(ies) behind this.
  • Other interesting stuff I have found along the way.

D3ada55

Ashley is a Senior Security Solutions Engineer at Censys, where she specializes in finding things on the internet that really shouldn’t be on the internet (spoiler: you know it’s everything). Her research has uncovered IoT botnets hiding in your “totally legitimate” streaming boxes, pig-butchering scam infrastructure masquerading as romance, and entire threat actor clusters that probably wish she’d just stop looking at the internet on the weekends.

When not teaching students how to blue team, red team, or “please stop clicking on that link” team, Ashley moonlights as a professional cat herder at BSides Las Vegas SafetyOps as the Chief Security Officer and BSides Albuquerque: wrangling volunteers, laptops, and chili-themed challenge coin designs all in the same day.

She has worn many hats: Army Taekwondo competitor, Army Band musician, SOC analyst, Palo Alto trainer, Google Cloud wrangler, WWE fanatic, and n00b security researcher (ask her about the latest exploits in breaking her own lab builds). If it’s a device that seems too good to be true, it probably is and she’s likely researching it.

Come for the IoT horror stories, stay for the leggings.


Kidnapping a Library: How Ransomware Taught the British Library to Follow Well-Known Best Practices

In 2023 one of the largest libraries in the world fell victim to a ransomware attack. Their online catalogs were down for months, and the cost of recovery exceeded eight million dollars. In March 2024 the Library posted a detailed 18-page account of what happened and what they learned from the experience. I studied the full report so you don’t have to.

If the analysis contains any surprises, it’s that there are no real surprises: the problems the British Library faced are common to many businesses, and the improvements the Library developed in response to the attack are reassuringly familiar best practices. We know how to reduce risk from ransomware.

This 35-minute talk draws from the Library’s report to summarize the attack and explain how security controls such as network monitoring capabilities, multi-factor authentication, defined intrusion response processes, holistic risk management, and cyber-risk awareness at senior levels would have made a difference for the British Library, and might in your company too.

Brian Myers

Brian Myers (PhD, CISSP) has 20+ years of experience spanning software development and information security. He built the first application security program at WorkBoard and served as HIPAA Security Officer at WebMD Health Services, helping them achieve HITRUST certification. As an independent consultant, he assists organizations with SOC 2, HIPAA compliance, and secure development practices. He regularly speaks at security conferences about practical approaches to security implementation and governance.

More at https://safetylight.dev


Disaster Ready Digital Safety: Building resilient support systems for domestic violence survivors

Safety Net Project, the tech safety team at the National Network to End Domestic Violence (NNEDV), has seen a significant uptick in recent years in local organizations requiring additional aid and guidance on best practices to support survivors of domestic violence and continue critical communication in the face of natural disaster events like fires, hurricanes, and flooding. This project was born as a direct response to this need, inspired by literal natural disasters across the United States.

Graduate students from the University of Washington (UW) are conducting research on this critical topic of cyber security best practices and guidelines for local victim service providers in the context of disaster preparedness and response. Key topics covered include emergency response communication plans; privacy and digital protection during disasters; and location tracking (stalkerware, tracking through cars, AirTags, pet finders, children’s devices, etc.), its detection, and its prevention. The research presented will serve as a comprehensive guide that fills the current gap in NNEDV’s resources by offering actionable recommendations to help local organizations continue critical communication and safeguard survivors during and after natural disasters.

Naomi Meyer

Naomi brings over a decade of expertise spanning software engineering, cybersecurity, and education leadership. She just graduated with honors with her Master’s in Cybersecurity and Leadership from the University of Washington, while conducting ethical bug bounty research. During her 5 years at Adobe as a Software Development Engineer, she built large-scale features and served on technical committees while becoming a seasoned speaker at international engineering conferences. Before transitioning to tech, Naomi taught English as a foreign language in local classrooms across Asia and with the Peace Corps in West Africa. She enjoys weekends outside in the mountains with her dog.


From Suspicious Query to Real Incident: Deciding When Endpoint Alerts Really Matter

Security teams drown in endpoint telemetry: processes spawned, commands executed, binaries triggered. But not every log line should become an alert, and not every alert should trigger a 2 a.m. wake-up call. The real challenge is knowing when a query result crosses the line from “informational” to “actionable.”

In this talk, I’ll walk through how different types of endpoint queries (single-process anomalies, correlated multi-event queries, and time-bounded patterns) map to thresholds that determine whether engineers should escalate or suppress. We’ll explore practical heuristics for building alert thresholds that balance false positives and false negatives, tie signals back to MITRE ATT&CK techniques, and prioritize based on host and user context.

Using an open-source EDR as a demo environment, I’ll showcase how raw suspicious process data can be transformed into high-confidence detections. The goal: give engineers and SOC analysts a framework for deciding not just what they can detect, but when they should start worrying.

Udochi Nwobodo

Udochi Nwobodo is an Infrastructure and Product Security Engineer with over five years of experience securing large-scale systems at Adobe, Coinbase, and Juniper Networks. She has led efforts to design and deploy cloud security solutions, integrate security into product lifecycles, and build vulnerability management programs that scale with business needs.

Her work spans cloud, container, and application security as well as modern detection engineering. Beyond technical execution, Udochi focuses on strategic impact: enabling teams to balance speed with security, aligning detection thresholds with business risk, and turning raw telemetry into meaningful decisions.

She holds a Master’s degree in Cybersecurity along with CISSP and CISM certifications. Udochi is passionate about bridging the gap between engineering and strategy, helping organizations move from reactive security to proactive resilience.


Quantum Computing: Hype, Hope, and the Cybersecurity Horizon

Quantum computing has sparked both excitement and alarm in the cybersecurity world, and honestly, I’ve felt both. Between promises of solving problems previously thought impossible and fears of cracking RSA wide open, it’s hard to tell what’s real and what’s just well-dressed science fiction.

In this talk, I want to cut through the noise, not from a purely academic standpoint, but from the perspective of someone who’s actively working on quantum readiness in the fintech world. I’ve been navigating the hype, hope, and hard truths that come with trying to future-proof sensitive systems against a threat that’s not quite here… but definitely not imaginary. We’ll look at quantum computing from a high level without drowning in math and break down what’s real vs. speculative. We’ll cover which cryptographic algorithms are truly at risk, where post-quantum cryptography (PQC) comes into play, and how to think about timelines without spiraling into paranoia.

Whether you’re in offensive security, defense, leadership, or just crypto-curious, this session will give you a clear picture of where things stand and how to start preparing without panicking (or overpaying a vendor with a quantum logo slapped on their pitch deck).

Neha Srivastava

With over 14 years of global experience at the intersection of cybersecurity, emerging tech, and financial services, Neha is a recognized leader shaping the future of secure digital infrastructure. As Vice President of Cybersecurity Products at J.P. Morgan Chase, she drives innovation in cryptographic systems and quantum-safe architectures that safeguard the next generation of financial technology.

Neha’s career journey includes leading roles at industry heavyweights like Deloitte, EY, Accenture, NVIDIA, Flagstar Bank, and Bank of America, spanning multiple countries and domains. Her work now centers on preparing for the quantum era with a strong focus on Post-Quantum Cryptography (PQC), Quantum readiness, quantum-safe protocols, and the ethical, sustainable design of cryptographic systems that can withstand tomorrow’s computing power.

Beyond her corporate work, Neha actively advises startups, helping founders navigate the complex intersection of security, compliance, and product strategy. She’s passionate about making sure innovation in quantum and cryptography is not just cutting-edge, but responsible, resilient, and ready for real-world impact.

From securing today’s digital economy to building quantum-resilient systems for the future, Neha brings a visionary yet grounded perspective to cybersecurity: one that’s deeply technical, future-facing, and driven by purpose.


I’m not actually an SCCM admin…I just implied it

Microsoft’s Configuration Manager (more commonly known as System Center Configuration Manager or SCCM) has received a great deal of attention from the offensive security community in recent years. The service’s 30-year history includes a mountain of technical debt that is still heavily relied on by enterprises across the globe. In fact, even with the industry’s shift to cloud, SCCM remains the most depended-on solution for endpoint management. This presentation will publicly disclose how an attacker, under the right circumstances, can abuse this dependence to escalate to SCCM admin simply by implying it.

Garrett Foster

Garrett Foster is an offensive security researcher with over 6 years of experience in information technology. He has conducted successful engagements against organizations in the finance, healthcare, and energy sectors. Garrett enjoys researching Active Directory and developing offensive security tools. His background also includes roles as a Security Operations Center Analyst and Systems Administrator.


PNW vs. Bay Area: Observations from the Seattle Startup Scene

In this raw, open, and honest session, I’ll pull from my own and fellow VC-backed founder experiences on the crazy journey to build a security startup based in the PNW. We’ll cover all major parts of the 0 -> 1 journey, including: ideation / idea validation, learning to sell, raising capital, building an MVP, finding PMF, and building a team. 1 year after graduating from the Y Combinator 2024 cohort, I’ll open up about the things I wish I knew sooner, and the secrets to YC’s success. I’ll specifically talk about the challenges and strengths of building a non-SF-based startup.

Emily Choi-Greene

Emily is the CEO and co-founder of Clearly AI, a Seattle-based, YC-backed startup automating security and privacy reviews. Previously, she oversaw application security for Amazon’s Alexa AI organization and owned data security and privacy at Moveworks (an enterprise AI assistant).


Unwitting Hosts: How Residential Proxies Increase Risk

Residential proxy networks, which reroute user traffic through residential IP addresses, present unique risks to enterprise networks and individual users. These proxies, often bundled with low-reputation applications, enable external traffic to appear as if originating from legitimate endpoints, frequently without user consent. Cisco Security’s research highlights that residential proxies are 4.8 times more likely to connect to malicious domains compared to regular enterprise network traffic, underscoring the threats posed by such activity.

This research investigates the mechanics, detection, and prevalence of residential proxies, leveraging datasets from Cisco Network Visibility Module (NVM) and the open-source mercury tool. By analyzing billions of network flows and telemetry data from approximately 240,000 devices, researchers identified residential proxy activity linked to applications like Infatica and Rave Helper. These programs, while not inherently malicious, misuse enterprise resources and can serve as vectors for attacks, including click fraud, spam, and internal reconnaissance by adversaries. The research also presents a novel detection approach, based on Transport Layer Security (TLS) random nonces, that enables robust identification of residential proxy behavior in network traffic.

This study underscores the risks posed by residential proxies and emphasizes the importance of addressing these threats to safeguard enterprise environments. By detailing threat detections for this behavior and some of the tools that exhibit it, it provides practical tools that can be leveraged to identify residential proxy behavior through network traffic analysis. These insights aim to empower organizations with actionable strategies to mitigate the misuse of their resources and reduce exposure to malicious activity.

Darin Smith

Darin is a security research leader at Cisco Talos, focused on mentorship, security management, cloud native security research and detection engineering. Former affiliations include Amazon, the FBI, UC Davis and King’s College London. In his spare time he loves playing music, hiking and travelling.

Blake Anderson


The Life and Death of a Municipal Surveillance Technology in Seattle

Seattle was one of the first US cities to have a Surveillance Ordinance. This enables Seattle residents to pull back the curtain on a type of mass surveillance not as commonly discussed by the news media: a service that provides real-time travel time calculations using a system of WiFi/Bluetooth MAC address sniffers deployed across the city. I’ll bring you up to speed on this surveillance technology, the variety of issues that have been identified with it (both technical and non-technical), and its removal from Seattle. I’ll also discuss some aspects of the privacy of mobile devices specific to challenges with MAC addresses (e.g. randomization, anonymization, etc.). Lastly, I will give you pointers on how to get started reviewing surveillance technologies your local municipality has deployed, so that you too can put your technical/security skills to use to help your neighbors and community.

C.S.

I’m an independent security researcher & privacy advocate. Over the last 7 years, I’ve reviewed and given public comment on all of Seattle’s official surveillance technologies. I’ve worked closely with the Seattle Community Surveillance Working Group. I’ve also organized with various local non-profits and grassroots groups participating in the Seattle Surveillance Ordinance process and on state-level legislation spanning: civil liberties, data privacy, digital IDs, automated decision systems, right to repair, and other bills.


The Hardware Procurement Iceberg: A Framework For Keeping Embedded Research Fun, Cheap, and Ethical

The last decade has been revolutionary for making embedded security research intellectually and financially accessible for thousands of curious minds around the world. Just by watching YouTube recordings of talks and reading blogposts from individual tinkerers and security firms alike, one can quickly start making a splash in a research area that was formerly thought to be prohibitively expensive and required lots of prerequisite knowledge.

Pan back to you: you saw the title of this presentation, and thought it was interesting. You have a $5 multimeter, a crusty soldering iron, a few bootleg debug adapters, and a wallet full of lint and toothpicks, but not a lot of bread. Where to now?

This talk presents the Hardware Procurement Iceberg (not coincidentally modeled off of the iceberg meme template): three distinct visualizations that show off different ways to procure (see: legally purchase and own) hardware to probe and modify for the sake of vulnerability and security research. Each visualization lays out various procurement methods measured by cost effectiveness, ethicality, and ease; which route to take is left to the audience.

Whether it be eBay, GovDeals, or somewhere more obscure/exotic, this talk walks through all possible routes to find your desired router, medical equipment, ICS/SCADA device, or whatever you fancy to complete your end-to-end research testbed.

yltsi

yltsi spends his time during business hours conducting product security research for a large technology company. Outside of that, he spends an overwhelming amount of time quenching his curiosity with web, mobile, game, and embedded security research for the spirit of the craft, as well as electronics reverse engineering and repair. He is a pro-gratis bug hunter and live hacking enthusiast, having taken 1st place in DistrictCon’s inaugural Junkyard EOL PwNATHON competition in 2025 and given a talk at DEF CON Skytalks long ago.


Tag, You’re Leaked: Surviving the tj-actions Supply Chain Attack

In March 2025, the tj-actions/changed-files GitHub Action, which is used by 24,000 repositories, was weaponized to steal CI/CD secrets. All 361 version tags were pointed to malicious code that dumped credentials from memory directly into build logs. We were the first responders.

Come hear the untold story of the 72-hour incident response. You’ll learn how we detected an attack that traditional tools missed, built an IOC scanner over a weekend while the attack was live, and coordinated disclosure with dozens of organizations.

You’ll walk away with:

  • A tested incident response playbook you can adapt for your organization
  • Open-source tools: harden-runner (behavioral monitoring) and ghscan (IOC scanning)
  • Practical defenses for resilience against similar attacks

Mark Esler

Mark Esler works on software supply chain security, vulnerability disclosure, and system hardening.

Ashish Kurmi

Ashish Kurmi is the CTO and co-founder of StepSecurity, a cybersecurity startup securing CI/CD pipelines against supply chain attacks. Before StepSecurity, he was with Microsoft Corporation, Uber Technologies, and Plaid Inc. in security leadership roles. He primarily worked with software developers at these companies to understand their security pain points and built security systems to remediate security issues at scale. He has 15 years of experience in security and software engineering.

Ashish has previously spoken at several conferences such as BlackHat USA, (ISC)2 Security Congress, and Open Source 101.


Keeping PHI Out of the Model: Practical Patterns for Privacy Preserving LLMs in Healthcare

LLMs are racing into clinics and back offices, but a single prompt, log or misstep can leak Protected Health Information (PHI) and erode trust. This fast-paced, vendor-agnostic talk shows how to ship useful Large Language Model (LLM) features in healthcare without violating privacy or slowing delivery. Instead of theory, we’ll focus on what can go wrong across the LLM lifecycle (e.g. in training, prompts, logs, embeddings, etc.) and how to think like an attacker. We’ll then translate all of it into a pragmatic, privacy-by-design workflow you can adopt immediately. You’ll leave with a concise blueprint, a threat-to-control matrix you can copy into your program, and a simple decision rubric for on-premises versus cloud deployments. If you own security, ML or compliance and need practical patterns, this session is for you!

Snahil Singh

Anoop Nadig

I’m Anoop Nadig, a security engineer with seven years of experience. I specialize in Cloud and Application security, with professional interests in automation, threat modeling, and “shift-left” practices. Outside of work, you’ll often find me on a hiking trail, at a live concert, or supporting security conferences and community initiatives.


Automating Threat Modeling with Vision Models - Lesson learned

Threat modeling has always been critical but also slow, manual, and often skipped. What if your security champions could generate a first draft of a STRIDE analysis from the architecture diagram itself? In this talk, we’ll explore how vision models (like Gemini Vision) and LLMs can automate early threat modeling by “seeing” system diagrams and translating them into structured security insights. I’ll show how we built an agent that ingests architecture diagrams, interprets flows and trust boundaries, and outputs threat models in a developer-friendly format. We’ll cover practical benefits (speed, adoption, developer engagement) as well as real challenges: hallucinations, missing context, and having humans in the loop. Finally, I’ll share how we use these outputs to generate adversarial test cases, making threat modeling more actionable. Attendees will leave with a framework to experiment with their own AI-assisted threat modeling pipeline, lessons learned from real reviews of AI agents, and a realistic sense of what today’s vision models can (and can’t) do for security.

Pankaj Upadhyay



Events



BSides PDX Quiz Show

This is the game where we take some BSides attendees and pit them against each other in a battle of wits to see who’s the smartest… who’s the fastest… who’s going to emerge with the ultimate alpha-geek status for the next year!

WHAT’S IT LIKE? Just like many TV game shows you’re probably already familiar with. We take three contestants, put them on stage and ask them a series of questions relating to aspects of system and network security, exploits, hacking, hardware, software, administration, history, and even some random bits of pop culture thrown in for hack value.

And then maybe we’ll do it again with three more contestants!

This event is for anyone with an interest in any or all of the topics that bring people to BSides. Questions for the quiz show are drawn from current events, information security, computer technology, hardware, software, geek culture, games, and general interest topics.

Steve Willoughby

Steve Willoughby is a Senior Software Developer currently focused on observability in Go. He discovered Version 7 Unix while in high school and, apart from brief forays into VMS in college and failed attempts to hide from other operating systems, he’s been spending most waking hours tinkering on UNIX in one form or another, either writing software or administering systems. He lives in the Portland, Oregon area and keeps a vintage Altair 8800 and COSMAC Elf as pets. In his spare time, he runs a MUD game and creates microcontroller gizmos to make his Christmas lights flash in the most over-engineered way possible.