Day 1 - Thursday

This panel features senior cybersecurity leaders and covers real security issues and priorities facing both private and public sector organizations.
Topics covered will range from Quantum to compliance to AI with an emphasis on what’s needed to make implementations successful.

Laptops have become ubiquitous in modern times. An all but guaranteed organizational asset that quite literally holds keys to the kingdom, in every employee’s hands. For an attacker, what’s not to love? From large government organizations to fortune 500 companies, these assets are constantly on the move and often poorly secured against advanced threat actors seeking to extract their secrets. Encryption at rest is NOT enough in 2025! And I can show you why.

This talk will showcase methodologies used by our offensive security team to penetrate well-hardened, modern laptops during engagements we call “stolen laptop scenarios”. No power? No credentials? No problem! We push the envelope to the limit of what can be realistically expected of next-generation adversaries. We begin by exploring the potential impact that a compromised laptop can have on an organization, briefly discussing potential lateral movement through extracted domain credentials, tickets, certificates, cookies, and sensitive data. After exposing the audience to the value obtained through physical compromise, we will discuss real attack vectors, with examples and video demos.

We will explore together direct-memory access attacks, the physical and logical implementations of these techniques, defenses, bypasses, and more. On the menu is an overview of PCI Express technology, DMA hardware including FPGA boards and what we do with them, practical demonstrations of attacks against modern laptops, countermeasures introduced by hardware vendors to protect against these attacks, and ways that attackers circumvent these protection mechanisms. Naturally, we will discuss BIOS/UEFI security, how it relates to DMA, and how we exploit pre-boot environments to gain access to a stolen computer. This includes showcasing physical attacks against BIOS EEPROM chips using a universal programmer.

Finally, we will talk about encryption at rest, specifically BitLocker, TPM implementation, and the potential implications of using these technologies for attackers, with a focus on why these are not sufficient for preventing attackers with physical access from compromising a PC. This section will culminate with an exploit demonstration compromising windows OS from UEFI via DMA when all modern countermeasures are enabled. Of course, we will discuss proper configuration that can limit or eliminate these attack vectors as well! We will discuss open-source tooling such as PCILeech, MemProcFS, UEFITool, etc, and some closed source tooling including XGPro.

Let’s be real. If you work in risk or compliance, your days probably involve spreadsheets, folders full of screenshots, chasing down evidence, and sitting through way too many status meetings. It’s how most of us manage risk registers, audits, and policies. And while that might work for a while, it quickly becomes messy and exhausting, especially as your organization grows and expectations increase.

At some point, someone will say, “We should automate this.”

The problem? Most of us didn’t get into GRC to become engineers. We’re great at managing policies, audits, and frameworks, but not everyone is comfortable with terms like “APIs” or “policy-as-code.” It can feel like automation is only for developers, and the rest of us have to keep clicking through spreadsheets.

This talk is here to change that.

“From Risk to Real-Time: Automating GRC Without Losing Your Mind” is a beginner-friendly introduction to automating your GRC work. No coding experience is required. Whether you’re a risk analyst, compliance lead, or internal auditor, this talk will help you understand what GRC automation actually looks like and how you can start small without feeling lost.

You’ll learn:

What GRC automation really means in plain language

Simple starter projects like checking if MFA is enabled or sending reminders in Slack

Easy-to-use tools for non-developers like Python, YAML, Zapier, and GitHub Actions

How to bring an automation mindset into your work without losing your risk focus

You don’t need to be technical to benefit from automation. You need a path to follow. This talk is based on real experience from someone who learned by doing. You’ll leave with tips, examples, and realistic ways to bring automation into your work, one small step at a time.

Whether you’re just curious or ready to improve your day-to-day tasks, this session will show you how to move from manual chaos to real-time clarity — all while keeping your brain (and your spreadsheets) intact.

What happens when a late-night napkin sketch turns into a mobile app that must pass TSA checkpoints and government audits?

This is the real-world story of how we partnered with an ambitious state government to transform the physical driver’s license into a Digital ID — a mobile identity platform trusted by police, retailers, and airport security. Built from the ground up, the app enables users to prove identity, purchase age-restricted items, and even board flights — all from their phone.

But this wasn’t just an app launch. It was a high-stakes journey where security was the product — and there was no playbook to follow.

In this 45-minute talk, we’ll walk through the technical and organizational gauntlet we faced, and share real artifacts, patterns, and missteps from taking a net-new product through:
– SOC2 certification (including the app, cloud stack, and even manufacturing plants),
– biometric verification challenges,
– evolving privacy regulations,
– and eventual TSA acceptance.

Updated in this version of the talk: We’ll highlight lessons learned post-launch — what worked, what didn’t, and how real-world usage patterns forced critical design changes. We’ll explore how some well-meaning security decisions, like one-time tokens or strict expiration windows, backfired by confusing users or blocking adoption — and how we course-corrected under pressure.

You’ll walk away with:
– A reusable blueprint for building certification-ready products from scratch.
– A DevSecOps pipeline pattern that enforces security, triages defects, and feeds directly back to developer queues.
– A proven threat modeling approach that builds cross-team trust fast.
– Tactics for executive risk scoring that move audits and legislation forward.
– Lessons from breaking (and fixing) facial recognition, blockchain-based claims, and 3rd-party identity verifiers.
– How to detect and resolve security features that hurt usability or adoption, including warning signs from live telemetry, user support channels, and conflicting 3rd-party expectations.

We’ll unpack key stories:
– How digital identity actually works — and how to test what can go wrong.
– Where real-world standards failed us — and how we adapted.
– The surprising ways 3rd-party assurance almost derailed launch.
– What happens when a production endpoint is stolen and taken to a dark alley.
– Getting TSA sign-off (and how our users helped us get there).

If you’ve ever been told “make it secure and ship it fast” with no roadmap and public scrutiny looming — this talk is your playbook

The rapid evolution of software engineering has transformed Application Security (AppSec) into a constantly shifting battlefield. Traditional security approaches are no longer enough—modern pipelines demand a strategic, multi-layered defense. In this talk, we’ll explore how AppSec practitioners must adapt to stay ahead of emerging threats.

I’ll introduce the three essential disciplines of AppSec:

Security In the Pipeline (SIP): Protecting the code, dependencies, and infrastructure as they move through the development lifecycle.
Security Of the Pipeline (SOP): Securing the CI/CD tooling, environments, and processes to prevent supply chain compromises.
Security Around the Pipeline (SAP): Addressing external threats, insider risks, and adversarial attacks targeting the entire ecosystem.
Drawing from real-world adversarial security research, I’ll highlight the biggest challenges in each domain and present practical mitigation techniques that security, DevOps, and engineering teams can apply immediately. Attendees will gain insights into common attack vectors, best practices for securing CI/CD workflows, and emerging trends shaping the future of AppSec.

By the end of this session, you’ll walk away with a holistic security framework that ensures your pipelines remain secure, resilient, and future-proof. Whether you’re an AppSec engineer, security beginner, or interested in DevSecOps practitioner, this talk will provide actionable strategies to help you navigate the ever-evolving AppSec landscape.

Don’t just secure your code—secure your entire pipeline!

For years, we tested forms. Then we tested APIs. Now we’re testing the brains inside your apps.

In this fast-paced, practical talk, we’ll walk through the emerging art of hacking AI chatbots from the perspective of a penetration tester. You’ll see how prompt injection works (and the many forms it can take), why indirect manipulation is especially dangerous, and what developers get wrong when embedding AI assistants into apps, especially when those assistants act as logic engines, personal coaches, or API middlemen.

We’ll break down the anatomy of a typical chatbot-powered feature, explore real-world examples, and walk step-by-step through how to bypass filters, extract sensitive data, and hijack intent. As automated tools and AI begin to catch traditional bugs, this emerging attack surface demands a new skillset. We’ll see how chatbot security isn’t just about filtering obvious words, it’s about detecting intent, even when that intent is buried or disguised.

If you’re testing modern apps and ignoring the chatbot, you’re leaving the brain unguarded.