BSides London 2025
Car Hacking Village
InfoSec Battlebots
Ever wondered how a lock works inside? Already know, and want to up your picking game? Come and meet the experts from TOOOL UK at the lockpicking village.
The Open Organisation Of Lockpickers are a multinational group dedicated to defeating locks for fun and games.
Learn to beat a pin tumbler lock, see inside various locks, padlocks and, er, even more locks! Come and play with locks!
Malware Village
OT Village
Quantum Village
RF Village
Across over 30 tabletop exercises with SOC/IR teams globally, we identified five persistent gaps that exist across industries - regardless of size or maturity. This talk uncovers those gaps and shares actionable strategies to bridge them. Attendees will leave with a framework to design more impactful tabletops and harden their SOC practices before real incidents strike.
Monitoring is often seen as the silver bullet for ICS security—but how effective is it really? In this interactive lab, you’ll launch realistic attacks with CALDERA against a live industrial setup and evaluate detections across EDR, logs, and network tools. Discover OT blind spots and walk away with a clear methodology to test and improve monitoring.
Techniques and processes to implement when leading an external information security audit to lower the stress levels.
This talk explores Microsoft Edge’s Secure Preferences file as a persistence vector. We’ll dive into how Chromium-based browsers store and protect user settings, demonstrate how these protections can be defeated, and highlight which settings can be abused to maintain access on a compromised system. Attendees will learn how to modify Edge’s start-up URL to deliver phishing content, leverage IE Mode to launch a Java applet and execute code locally without user interaction, and silently install extensions (even in environments with extension whitelisting). The talk concludes with detection and mitigation guidance for defenders.
Computer Coder kiddy, game hacker in the 80's, ended up in sales, then tried to get into Networking sales as the IT market took off.
Without a degree or experience, ended up in IT recruitment, then Networking Sales Recruitment, did college networks course, moved into Networking/Security Infrastructure sales.
Always an eye for the technical, I'd been on a 25 year journey of learning IT / Tech when I engaged with the ethical hacker & Cyber community socially online 5 years ago, felt at home, discovered I was Neurodiverse, recently getting officially diagnosed.
Introduced to online learning platforms, and then THM by a cyber grad trying to get his first role, at BeerFarmers / Cyber House Party.
Extensive breadth & depth, TryHackMe top 0.3%, CompTIA PenTest+ & Cisco Ethical Hacker, mixed with extensive Business Risk Management experience, now interviewing with a Defence Contractor for SOC Shift Lead role, leaning into AuDHD strengths.
An exploitation workshop with beginners in mind. Using free tools such as Windows 10 VMs, WinDbg and IDA Pro, we will go through the process of dissecting a vulnerable server, finding a memory corruption vulnerability and crafting an exploit to create a DoS and RCE.
Think of it like playing Monopoly but make it cybersecurity!
Can you survive a ransomware attack while underfunding your SOC? Would you fire your CISO to save budget or invest in phishing training instead? In this hands-on, team-based workshop, participants play as fictional companies facing real-world cyber dilemmas. Each team starts with a fixed cybersecurity budget and must choose how to spend it on firewalls, security staff, insurance, awareness programs, and more. But things won’t stay calm for long. Throughout the session, a "Game Master" introduces surprise incidents - phishing, ransomware, insider threats, audits, forcing teams to quickly assess risk, respond, and manage their remaining funds.
Along the way, participants will develop practical skills in prioritization, decision-making and risk management. No technical experience required, just strategic thinking and collaboration. This workshop blends fun and learning to show how business decisions shape cybersecurity outcomes.
Software beginners often assume that installing a browser extension is harmless. However, recent incidents reveal even widely-used extensions can deliver spyware, hijack sessions, or steal credentials. This rookie-friendly talk examines a malicious network of Firefox and Chrome extensions impersonating popular games that hijacked sessions, redirected users to scams, and stole sensitive credentials. We’ll demystify browser extension threats and share a simple checklist for evaluating extensions. In just 15 minutes, attendees will learn easy habits to keep their browsers safe without specialized tools.
Technical expertise is often held as the ‘gold standard’ in Cyber Security but what happens if your skills lie outside of this area? Can you, women in particular, succeed in a highly competitive sector without being a ‘techy’?
Are you skeptical about the security of code generated by tools like Cursor, GitHub Copilot, and Windsurf? Does it seem like devs spend more time reviewing and debugging AI-generated code? You’re right to be concerned. Studies show that tasks take 19% more time when devs use AI tools, and 62% of AI-generated code has issues. But these tools aren’t going away, so what can we do about it? In this workshop, you’ll get hands-on experience with three techniques that are proven to improve AI-generated code security: prompts, rules, and MCP servers. You will learn how each technique works and experiment with using them to eliminate security bugs. In addition to improving code security, you’ll see how these techniques also make AI tools more usable and improve developer experience.
Many security folk are excellent at breaking things — fewer understand how to fix them. This two-hour, no-nonsense workshop teaches both sides of the coin for LLM chatbots: how prompt-injection and context-abuse attacks work in practice, and defensive controls you can implement today. Through an interactive attack-and-defence wargame we’ll exploit each other's vulnerable chatbots, then harden them using layered mitigations. Expect practical demos, group exercises and takeaways you can apply to production systems. You’ll walk out with a better bullshit detector for when vendors tell you “our chatbot is secure by design.”
Phishing is no longer a specialist skillset - it’s researchable, reproducible, and for criminals, even rentable. For my dissertation project, I built a phishing simulation tool from scratch and ran it with real participants. Even in that controlled, academic setting, people still fell for the lures.
That was a sobering lesson… If I could create this as a student, then what does it mean to an attacker with malicious intentions?
The topic covers security aspects of EMV bank cards: how to read the static data stored on a card, how those data can be copied to another smartcard using a standard reader and publicly available tools or a custom Python script, how man-in-the-middle techniques can be executed, and the PIN OK attack. A bank card is an everyday object that protects financial assets and is defended by multiple overlapping security mechanisms; banks deliberately layer these protections because no single control is sufficient.
It's happening. Plans to push the Digital ID have already been announced. Perhaps you signed the petition, rallied against it on social media and hurled a lot of expletives towards the politicians planning it. Or, on the contrary: you have no idea what the big deal is.
Regardless of your stance, you will learn what problems the digital (or physical) ID can solve and what it's useless for. You will also learn how it played out in practice in other countries, and whether that improved the interaction between the government entities and private citizens. You will also find out how the introduction of such ID changed the relationship between customers and corporations.
Cybersecurity professionals operate in high pressure, fast paced environments, making mental health challenges such as imposter syndrome, burnout, stress, and anxiety common yet often overlooked. This session explores each of these challenges, providing insights into how they manifest and impact both personal well-being and professional performance. Attendees will learn practical coping strategies and tools tailored to each issue, helping them build resilience, maintain balance, and thrive in their cybersecurity careers. The talk also highlights resources and approaches for ongoing support, empowering participants to take proactive steps toward better mental health.
Phishing-as-a-Service combined with Adversary in the Middle (AiTM) grew by 146% in a year and now drives reported multi-billion losses and tens of thousands of business email compromises. Subscription kits for Microsoft 365 cost as little as £300 a month, allowing adversaries to steal full sessions, not just passwords, easily bypassing MFA. This talk shows how the kits work, how fast operators stand them up, and what the infrastructure looks like, including holes that allow early detection. Using two recent case studies, FlowerStorm (Storm-1167) and RaccoonO365, we triangulate leaked artefacts, takedown data, and open infrastructure signals against the current AiTM threat landscape to estimate global impact. Our analysis points to millions of stolen sessions a year, suggesting the impact is far greater than reported. We finish with a clear detection map of the AiTM chain and the telemetry required to analyse/detect at each stage.
Across 15 minutes I will guide you through securing both on-prem networks and cloud environments with straightforward, actionable tips. By unpacking a real-world security-group misconfiguration I’ll show how fundamental network-segmentation principles translate from your LAN to AWS or Azure and deliver a compact checklist you can implement immediately.
Cyber security is now firmly a board-level issue, but most security professionals are never taught how to talk to the board. In this 15-minute talk, I’ll share lessons learned from creating cyber security training specifically for boards — including what boards care about, what they don’t, and why technical accuracy alone doesn’t cut it. I’ll walk through a simple communication framework that helps bridge the gap between security teams and executive leadership, and show how anyone from junior analyst to aspiring CISO can build the confidence to brief leadership effectively. This talk is aimed at anyone who wants to make security relevant at the top of the org chart.
Cybersecurity can feel intimidating, especially when you don’t come from a technical background. In this talk, I’ll share my journey from Sociology to Governance, Risk, and Compliance (GRC), and the lessons I learned navigating my first security audits. From handling evidence requests to battling imposter syndrome, I’ll explore what it takes to shift from self-doubt to confidence in a field full of acronyms and expectations. This session is part story, part practical guide designed to help newcomers see that their unique background is an asset, and that confidence is built through both mistakes and wins.
Audience Takeaways:
• Why non-technical skills strengthen cybersecurity careers
• Practical tips for preparing for your first audit
• Rookie mistakes in GRC and how to avoid them
• Simple strategies for building confidence early in cyber
Many sectors of critical infrastructure need to control and automate their physical infrastructure with operational technology (OT). That means that any OT cyber attack requires an incident response that bleeds into the physical world. This brings with it unique challenges, such as real-time pressures, cross-border coordination, and safety concerns. This talk covers my recent experience in the world of critical infrastructure to tell the story of how responding to cyber-physical incidents changes the game.
Attendees will learn:
- The importance of cross team communication. Why cyber-physical incidents require collaboration across technical, operational, and even geopolitical boundaries
- How cascading effects can quickly escalate from system downtime to safety risks and societal disruption
In an age where personal data leaks never truly disappear, a single overlooked detail can become the key to an entire attack chain. This talk follows that detail’s journey - from forgotten breaches, through shadowy online markets, and into the center of a SIM swap.
We’ll explore how decades-old leaks in Israel, repackaged and made accessible through Telegram bots tied to drug dealers' activities, collide with authentication practices still common worldwide. Along the way, we’ll uncover how trust in familiar, everyday online interactions can be weaponized in unexpected ways. What begins as an ordinary user action ends with the attacker holding the final piece needed to take over a victim’s phone number and access everything tied to it.
The technique is simple. The consequences are global. And the path from click to compromise may not be what you expect.
AiTM phishing has become the dominant technique for compromising Microsoft cloud identities - the identity perimeter of the majority of organisations in the UK. Yet most available emulation tools are either clunky or brittle. Red teams need something lightweight and practical to mirror the same tradecraft threat actors now buy off the shelf.
TokenFlare is our answer: a modular, serverless AiTM framework that runs in Cloudflare Workers with minimal setup. Built for operators, it clones sign-in flows seamlessly, supports conditional access bypasses, and scales without infrastructure pain. We've battle-tested it in engagements for over a year, and now we're releasing it as open source.
This talk introduces TokenFlare's design, showcases its capabilities, and shares lessons from real-world red team campaigns using the toolkit. Attendees will leave with a deeper understanding of modern AiTM techniques and a practical, reproducible framework to emulate adversaries or strengthen defences.
What's a key component in today's CI/CD landscape with (broad) access to your environment?
Execution agents. These are your build servers, where your pipelines run. They have a few gotchas:
(1) They have direct access to the environments you are deploying to;
(2) They are complex, with plenty of layers that make attestation, detection and attribution hard;
(3) They are less scrutinized and their criticality is often underestimated, compared to classic compute workloads.
So what? you ask. Isn't this "just" an insider threat scenario? How would someone even get onto the machine, especially when in an organization with multiple layers of defense. Direct access to the build agent is needed - OR is it? (that was slightly sarcastic - it's not needed; let me show you).
By the end, build server security will be top of mind and (hopefully) on someone's @TODO list.
Enterprise data platforms are critical for modern organizations but scaling them securely while meeting regulatory requirements is challenging. Drawing on 9+ years of experience designing and delivering secure, scalable and enterprise-grade data platforms across financial services, retail and risk domains, Ismail explores practical strategies for building high-performance, compliant data environments.
Residential proxy services are often marketed as legitimate infrastructure for web scraping, SEO, and data access. Since the IPs come from real households, they appear trustworthy and are less likely to be blocked. However, this same infrastructure is increasingly misused in the cybercrime ecosystem, where its ability to mask true origins and imitate normal user traffic makes it especially attractive to malicious actors.
Model Context Protocol (MCP) servers are an emerging integration point between LLMs and external tools - and they’re increasingly attractive targets for attackers. This four-hour, hands-on workshop teaches penetration testers practical methods to discover, enumerate, and exploit MCP servers safely and effectively. Through short demos and guided lab exercises you’ll learn how to intercept and audit MCP traffic, identify mismatches between advertised and actual tools, weaponize tool-response manipulation, and validate guardrails and authentication.
Drawing from real-world penetration tests, participants will learn to intercept and analyze MCP traffic, build custom testing tools, and develop reproducible attack workflows. We'll cover traffic capture techniques, protocol manipulation, authentication bypass methods, and injection attacks specific to MCP architectures. Attendees will work through hands-on labs targeting common implementation flaws, misconfigurations, and trust boundary violations.
Identity Security Posture Management (ISPM) is a critical component of any organization's security program, particularly in a highly distributed environment. In this hands-on workshop we will show attendees how to onboard Okta logs, write detections for key events, and test detections using open source adversary emulation tools. The workshop will be run in an individual lab built with a combination of free and open source tools and in the process create a lab for future research. A basic understanding of YAML and writing detections is helpful but not required.
The best intelligence isn’t bought, it’s built by you and your organisation. This talk explains how to build the bare-metal infrastructure and the pipelines that run on it to scan the web at scale. We’ll build an open-source sandbox with built-in fingerprinting and runtime detections, then leverage that sandbox to mass-scan large portions of the web (hundreds of millions of domains). By storing results in OpenSearch, we can perform advanced queries and correlations across raw data and derived fingerprints, turning individual incidents into linked campaigns.
From the SOC floor of an MSSP: what phishing looks like when it is operational rather than sensational, from the perspective of a SOC Analyst. This talk will be a tour of the world of phishing, showcasing how this is not just careless clicks from end users but much more. Without spoilers, this talk covers how these attacks slipped past controls, with real phishing examples, what detections led to containment, and where processes need to be improved. No Chips unfortunately, just phish*
Given enough time, everything that can go wrong will go wrong. After 10 years and more than 250 conferences, I'll discuss the curveballs the universe has thrown, and how, despite all that, us volunteers still managed to whack it out of the park.
Think attackers are only winning with zero-days and nation-state malware? Think again. Most compromises start with the boring stuff... default creds, sloppy file shares, and scheduled tasks hiding in plain sight.
In this hands-on workshop, you’ll learn how to turn those “harmless” admin oversights into full domain compromise.
This hands-on workshop explores the world of cyber threat actors and the intelligence that helps us understand and counter their activity. Participants will learn how to identify threat actor tactics, techniques, and procedures (TTPs), and apply threat intelligence models to real-world case studies. They will also learn how to pivot from a single indicator of compromise (IoC) to build a picture of threat activity. Through collaborative exercises, attendees will analyze incidents using frameworks such as MITRE ATT&CK and build actionable threat intelligence profiles.
What would you do if the next cyberattack came from a lab sample and not from a computer? This talk tries to explore the weird intersection between biology and cybersecurity. We will see how DNA stores data and how malware can be "hidden" in it. Let us discuss new questions raised by the convergence of life and code.
Cloud and container security feels like a scattered puzzle: development standards, CI/CD pipelines, guardrails, runtime security, logging, monitoring, and assurance. Together, they form a resilient system. This 15-minute talk assembles these pieces, showing their critical connections. Development standards catch vulnerabilities early. CI/CD pipelines enforce automated checks. Guardrails secure cloud environments, maintaining compliance. Runtime security hardens containers against drifts. Logging and monitoring spot threats, like API enumeration, routing alerts for rapid response. Assurance binds it with attestations and revocation certificates: a test exposing pipeline risks proved unverified flows fail. Banking deployments showed stage gates save chaotic pipelines. Developers thrive with sandboxes, tightening controls towards production. For beginners or experts, this talk highlights pitfalls tripping teams and offers a visual cheat sheet, mapping components for audits. Attendees will gain a framework to align security and operations seamlessly, strengthening their stacks.
This workshop is all about hacking IR Exit Sensors. You know, those touchless exit sensors you wave your hand at to open a door? Previous work has shown that you can trigger those from the "wrong" side of the door, bypassing the door's outward facing security controls.
This workshop will cover the practicalities of attacking these devices, including low-tech techniques, using commonly available tools, and then scaling things up by making DIY high powered devices to open them through glass and around corners.
Cybersecurity isn’t just for hackers or specialists, it affects everyone involved in building and running digital systems. Yet, rookies and early-career tech professionals often overlook the security impact of their decisions, leaving organizations exposed to costly breaches.
In this session, I’ll show how anyone (business analysts, developers or aspiring tech leaders) can play a meaningful role in securing systems from day one. Drawing on real-world experience leading cloud migrations, workflow automation and secure platform launches at Aviva and First Bank of Nigeria, I’ll share practical strategies to: identify hidden risks, translate security requirements into actionable tasks, collaborate effectively with security teams and embed security into agile delivery without slowing innovation.
Attendees will leave with an actionable mindset for making systems safer, understanding how early actions prevent massive security failures and why security is everyone’s responsibility.
Vishing exploits one of our most fundamental communication mediums - human speech - to bypass defences and extract sensitive information. This presentation dissects the lifecycle of vishing operations, from reconnaissance and pretext development through attack delivery and objective achievement.
We have all seen the Hollywood films. The attacker is in the building, they swipe a card, and it sets off the alarms and the guards are coming. The attacker calls down to the hacker in the van: “Unlock all the doors.” A couple of seconds later all the doors unlock and the thief narrowly escapes the building.
But how true is that? Can we just take a couple of seconds to remotely unlock all the access control systems, or even force the building into lockdown?
Turns out the answer is yes, at least for some vendors. In this presentation we bring this tradecraft to light using a number of CVEs discovered in Paxton, a popular access control system used everywhere from schools to prisons to government buildings and regional airports.
This talk will discuss how Team Cymru can track North Korea Threat Actor Infrastructure using our network intelligence collection. Using real-world examples, attendees will see how using NetFlow, Open Ports data, PDNS, and X509 certificates it is possible to monitor the activities of one of the world's most advanced financially motivated state-sponsored campaigns.
LLMs have enabled a whole new generation of security tooling. One of the most obvious applications is the automated discovery of code vulnerabilities, which so far has had extremely mixed results. In this talk, we explore whether LLMs can truly excel at uncovering code vulnerabilities.
Accessibility for tools / software for people with physical disabilities and/or reasonable adjustments.
The lack of options, what options might be needed and discussion on how to advocate for these.
Encapsulate within the secure by design framework?
Neurospicy people
Spectrum is actually a sphere and an infinite mix of flavours and capabilities.
Not all platforms and applications are disability enabled by design in the same way that we have a framework for secure by design (CISA, NIST, NCSC etc)
(Not an exhaustive list…)
Visually challenged people
Amputees
ND/‘tism
vertically challenged
Compatibility with external note taking software, visual keyboards
Peripherals (pens, braille keyboards etc)
How do we incorporate these types of devices into the secure by design policy and framework and ensure that it works for as many people as possible.
Q&A
Getting a new malware sample can feel overwhelming: there’s so much you could do, but where should you start? In this talk, I’ll share the simple workflow I use when I first encounter a fresh sample. We’ll begin with a quick sandbox run to see high-level behavior, then move into static analysis to spot strings, imports, and obfuscation tricks. I’ll finish with dynamic analysis and persistence, showing how the pieces fit together to reveal what the malware is doing. Using a real-world example from my blog, I’ll highlight the free tools I rely on and explain why I choose them at each stage. The goal is to make malware analysis less intimidating, show that anyone can begin safely, and give you enough resources and confidence to try your own analysis.
The fog doesn't clear before you start. It clears because you start.
My talk explores what it is like to be a junior penetration tester thrown into the deep end - feeling, at times, totally lost - only to realise that the tools you need aren't always technical, but human.
I've been indescribably lucky to be surrounded by mentors, who not only pushed me to try, but to fail, and to document everything.
I’ll talk about the danger of skipping the fundamentals, why documentation is your lifeline and how learning the why behind what you’re doing matters more than just completing the task.
Not everyone has these mentors, so I want to share all the wisdom I have been given. Lessons, mindset shifts and advice. My talk is my way of paying it forward, contrasting the advice with real scenarios I have faced while testing.
I’m a Cybersecurity student at MMU, but I didn’t wait for graduation to join the industry. While working part-time as a chef, I blundered into bug bounty hunting, armed with curiosity. The learning curve was brutal; it left me feeling overwhelmed by informatives, duplicates and imposter syndrome. But then, over a flaming hob, I finally got the email "you have been awarded a $400 bounty".
This talk is for anyone curious about bug bounties but unsure where to start. I’ll share how I learned, submitted my first reports, and secured an industry job two weeks after my first bounty. We’ll cover how to move from theory to real-world impact, persist when it feels like you're failing, and why bug bounties are a powerful gateway for underdogs to break into cybersecurity. I’m no expert, just a passionate student who kept going.
I will take the audience inside the Pacific Rim campaign, a five year battle between Sophos and advanced Chinese nation state adversaries. As the Director leading the response, I oversaw operations against waves of intrusions aimed at exploiting our firewall technology and leveraging it as a springboard into global networks. A turning point came when poor OpSec allowed us to track and identify an individual operator, putting a human face to a campaign often seen as anonymous and distant. This talk explores both the technical and human aspects of confronting the China nexus, where overlapping groups share tools, evolve tactics, and sustain pressure over years. Attendees will gain practical insight into attribution, the challenges of disclosure, and the realities of defending against persistent state sponsored operations.
APIs are everywhere. This talk gives a crash course in hacking APIs, aimed at pentesters and bug bounty hunters who want to understand what they are looking at and what they are looking for. This talk will cover practical skills, real-world examples, and a clear testing methodology.
First we’ll cover the essentials: mapping API endpoints, abusing common issues like broken object-level authorisation (BOLA) and mass assignment. Then we’ll move on to working at scale, automation and scripting attacks for long-term bug bounty targets.
If you’ve ever looked at an API and thought, “Where do I start?”—this talk is for you.
This talk is a walkthrough of a security review of Signal, one of the most widely used E2EE messaging applications. Instead of focusing purely on cryptography, this review examines how Signal’s implementation.
We’ll begin with Signal’s 1:1 messaging system, covering Double Ratchet, Sealed Sender, and encrypted profile data. This section highlights a zero-click vulnerability in device synchronization that allowed attackers to silently edit, delete, or inject messages.
We’ll then turn to Signal’s groups, with emphasis on zero-knowledge membership validation and authorization. Here, I’ll present a vulnerability that enabled privilege escalation and unauthorized rejoining of groups, effectively breaking group authorization.
The talk concludes with lessons learned from this review and a call to action for researchers to engage with Signal’s open-source ecosystem to further strengthen its security.
Certificate-based Authentication is often thought of as superior to Password-based Authentication, especially when backed by the Enterprise's internal Certificate Authority — but how many services actually validate whether a certificate was intended for them?
Ransomware gangs may seem invincible, but they are not beyond reach. In this talk, I will share the compelling story of how a simple IP leak, discovered in just 10 minutes, triggered a chain reaction that led to the downfall of Medusa Locker. We will explore the process of uncovering their real IP address and the immediate consequences that followed, including affiliates abandoning ship and leaking sensitive internal communications. Additionally, I will discuss the impact of these revelations on the gang's operations and the subsequent changes in management.
Is WiFi really scary in 2025? An Interactive Exploration of WiFi and Adversary-in-the-Middle (AiTM) attacks in 2025
As part of my master’s program, I managed the deployment and DevOps pipeline for a student project, ExpensePal, a web-based expense tracker. Early on, security wasn't our focus. We were excited about automating builds with Jenkins, deploying to AWS, and seeing pipelines pass. But a small misconfiguration nearly exposed sensitive information, turning security from an afterthought into a critical concern.
In this rookie-level talk, I will share what this experience taught me about integrating security into DevOps workflows. I’ll cover mistakes we made, guidance from mentors, and small but powerful practices (peer reviews, secrets scanning, and IAM hygiene) that improved our deployment process.
This talk is aimed at beginners in DevOps and cloud environments. Attendees will learn that security isn’t an afterthought; it’s a mindset. Even newcomers can make a meaningful impact by embedding security into deployment practices from the start.
SAP powers critical enterprise functions like finance, HR, and supply chain, yet it often falls outside the scope of traditional penetration testing due to its complexity and steep learning curve. This talk will demonstrate how attackers exploit overlooked SAP weaknesses to gain access, escalate privileges, and compromise sensitive enterprise data.
Most organisations assume IPv6 is “not in use.” In reality, it’s silently enabled on modern operating systems and creates an attack surface defenders rarely monitor.
In this 45-minute session, I’ll walk through the full IPv6 attack chain I’ve used in penetration testing engagements, from a single rogue packet to domain persistence. Using a pre-recorded demo, I’ll show how attackers spin up rogue DHCPv6/DNS servers, push malicious configurations, capture authentication traffic, and relay credentials into Active Directory. Abuse cases include credential relaying, domain machine joins, and Active Directory Certificate Services (ADCS) exploitation.
Then we’ll flip to the defender’s view. I’ll highlight Indicators of Compromise that signal rogue IPv6 activity, such as unexpected DNS/DHCPv6 advertisements and anomalous neighbour announcements, along with practical detection queries and hardening strategies for Windows-heavy environments.
Air-gapped? Think again. Radios aren’t just for walkie-talkies and hams — they’re an overlooked medium for sneaking data where it shouldn’t go. This talk explores how Reticulum can be used to establish covert channels for exfiltrating data, bypassing traditional network controls and flying under the radar either using RF or not! By blending modern mesh networking with old-school airwave hacking, we’ll show how data can “haunt” the spectrum, invisible to conventional defenses.
Why should you care about what your boss's boss's boss thinks? And most importantly, what should you do about it? Jessica Figueras, Co-founder of CxB - Cyber Governance for Boards - explains.
I began my career as a developer in fast-paced startup environments where the goal was clear: ship features fast and keep the business alive. Security? That was “someone else’s job.” Then, a blockchain project showed me how one small oversight could turn into a major flaw — and I couldn’t unsee it. Today, while studying infosec and volunteering to learn more, I’m building the skills to make security everyone’s responsibility. In this talk, I would like to share how my dev background shapes my security journey, the habits I wish I’d known earlier, and how secure thinking from day one changes everything.
Decentralised finance has seen explosive growth, but this has introduced new challenges in detecting illicit activity on public blockchains. My dissertation explored whether it's possible to build a real-time risk assessment system for DeFi transactions using Graph Neural Networks to identify suspicious patterns before transactions are processed. I analysed over 70 major crypto exploits and developed a labelled dataset of laundering behaviours, including mixer usage and peeling chains. Several machine learning models were tested, with Graph Isomorphism Networks showing the strongest performance. While results were promising, they also revealed practical limitations: even small false positive rates could disrupt millions of legitimate daily transactions. As a result, I propose hybrid AI-human systems and post-transaction monitoring as more viable near-term solutions. This talk will walk through my journey building the system, what worked, what didn’t, and the future of ML for DeFi compliance and blockchain security.
Security professionals are no strangers to black-hat hackers' social engineering tactics, and the news is filled with well-known examples of them enabling massive breaches. But if these techniques work so well at the micro level, what happens when the same core principles are deployed by governments against millions of people at once?
This talk expands the lens through which we normally view social engineering in cyber security. Rather than focusing on isolated cyberattacks, we'll examine how propaganda, disinformation, and psychological manipulation are engineered at national and global scales, and how strikingly similar they are to the phishing emails and pretexts we warn about daily.
Ignoring the 'macro' side of social engineering is no longer an option for defenders.
Despite its reputation as a memory-safe language, Java has a dangerous side. In this talk, we will show that a single coding slip or the wrong third-party dependency can compromise your application's memory safety.
You’ll learn:
- What memory safety is and why it matters (even in Java).
- How attackers can exploit hidden dangers like the Unsafe class.
- Safer alternatives like the Foreign Function and Memory API.
Perfect for developers, architects, and security professionals, this talk bridges the gap between theory and practice, and aligns with today’s growing industry focus on memory safety and software supply chain security.
“Why do you want to become a red teamer?”, that’s the question I usually ask when people approach me with, “How do I become one?”
The answers vary, but their desire is the same.
Over the years, I’ve seen and done some incredible things. One of the rewarding aspects of red teaming is the freedom we’re given to achieve our goals. Equally important is creativity: the best testers are those who can think outside the box.
Explains why Operational Technology (OT) beyond Critical National Infrastructure (CNI) needs more regulatory attention. Highlights differences between CNI and non-CNI OT and the risks in under-regulated systems. Aims to raise awareness of security gaps impacting public safety and industry.
OUT OF WHAT?
The business, the world, your boss, your client, want you to tell them that they are not going to be the next headline, they are not going to be hacked, they are safe, that the money that they have spent on cyber security has delivered them from the cyber evils of the world.
So yes 46.
That's a number, right? Metrics and certainty in an uncertain world - businesses run on metrics, cyber security runs on caffeine.
How do you know your security is right?
How do you know that you are getting your money's worth?
How do you justify your existence?
So let's look at it, strip away PowerPoint, bell curves and NPS scores and figure out what matters and how to tell people that yes, they scored 46 out of it depends....
Join us for a demonstration of a TWIG language Server-Side Template Injection (SSTI) vulnerability identified and successfully exploited in a real client engagement. Through the vulnerability we obtained command execution with command output landing in our email inbox, leading to a reverse shell, and subsequently pivoted into the client's Google Cloud Platform (GCP) cloud environment by leveraging application credentials once a foothold had been established.
Beyond the interesting war story, we will explore ways to go about looking for different SSTI vulnerabilities, how to discover attack surfaces for different templating engines and how to safely exploit these, showcase pivoting opportunities into cloud environments such as GCP to demonstrate customer impact, and cover how to handle client communications.
In healthcare, cybersecurity isn’t just about firewalls—it’s about people. This 15-minute session offers a sharp, frontline look at how social engineering exploits human behaviour in clinical settings. Drawing from real nursing scenarios, it reveals how attackers manipulate trust, routine, and emotion to breach systems, and how nurses—often overlooked in cyber strategy—can become powerful defenders. With practical insights and a call for behavioural training, this talk reframes nurses as essential allies in building human firewalls across healthcare.
Amadey malware looks simple at first glance, but its ability to disable Windows Defender and Sysinternals tools, persist indefinitely, and quietly steal credentials makes it far more dangerous than many assume. In this talk, I’ll share how I uncovered an infection chain that disabled Sysinternals tools, stole credentials from the infected device, and attempted to communicate with its C2 server. I will also share how I discovered the threat actor's active Discord server and GitHub repository link.
Through a combination of disk forensics, memory analysis, and Windows Event Log investigation, I discovered that a seemingly ordinary batch script became the key to understanding the malware’s tactics. I’ll walk through the investigative journey, what I expected, what surprised me, and how each clue pieced together the bigger picture.
