May 26, 10:40-11:00
Let's Build an AI Red Teamer
What happens when you give an LLM access to real offensive security tools—and the ability to reason, plan, and act? In this talk, I’ll walk through the capabilities and implementation of an AI-powered red team agent using a custom sandboxed deployment. The system allows a reasoning LLM to drive tools like nmap and Metasploit autonomously, chaining recon, enumeration, and exploitation steps based on its own outputs.
We’ll explore the architecture, walk through a live demo against a simulated network, and talk through the implications. This isn’t just automated hacking—it’s something closer to APT-level behaviour emerging from open-source tools and open-access models. Adaptive, persistent, self-directed agents are about to become cheap and accessible to non-state actors.
Attendees will leave with a working knowledge of how to experiment with an AI red team agent safely, with open-source code to experiment for themselves, and an updated threat model they won’t be able to unsee.
Jeff is a seasoned tech executive, serial founder, and CTO with 20+ years in software, spanning roles from Chief Architect to CEO. He has led application security for major payment platforms and built a SIEM from scratch. With deep experience in both early-stage startups and large-scale enterprise systems Jeff has worked with organizations like Chase, Google, and Visa, and now advises companies on leveraging AI and software disruption. His current work focuses on helping leaders adapt to a post-AI world, drawing on a background in software, strategy, and systems thinking.
Jeff writes Road to Artificia, a newsletter about discovering the new principles of post-AI society.
May 26, 11:10-11:40
Phish Don’t Kill My Vibe: A Practical Guide to Going Passwordless
After building the passwordless stack at SpaceX and helping enterprises and governments go passwordless at 0pass, Noah Stanford shares a practical guide to going passwordless for startups and enterprises.
80-90% of security breaches are caused by stolen credentials. While many enterprises build a fortress of security controls, they keep getting pwned by stolen passwords and 6-digit codes. What if you could make that impossible, and make login easier?
You can, by replacing passwords with passkeys. Passkeys are a form of phishing-resistant authentication that comes in the form of biometrics (FaceID, TouchID, Windows Hello) or hardware keys (YubiKeys). The private key can be configured to never leave the hardware device, and can only be used for the website it was registered on.
You might not even need to buy additional tooling. Whether you're using Google, Okta, or even ADFS - you can probably go passwordless. There are even options to go passwordless for your OS and remote login.
We'll talk about what passkeys are, why they are better, basic to advanced passwordless implementations, and anecdotes I've gathered over the years.
Noah is the Founder and CEO of Repacket (formerly 0pass), bringing over 15 years of hands-on expertise in software development, cybersecurity, and technology leadership. She has a proven track record of shaping high-impact security initiatives in identity and network security across industries like government, military, aerospace, education and healthcare. While leading Repacket, she has raised $3.5M+ in funding from leading VCs like Y Combinator, Initialized Capital, 645 Ventures, and others.
Before founding Repacket, Noah ran security teams at SpaceX and AWS. At SpaceX, she led the effort to deploy passwordless from creation of initial MVP to deployment across 10,000 users. At AWS, she served as the primary security engineer on Cognito, handling internal and external security reports across 7 service teams (~100 SDEs).
May 26, 11:40-12:00
Own your Value, Master your Negotiation in Cybersecurity
You aced the interview, and the hiring manager offered a salary but it was less than what you expected! Do you accept it, do you ask for more or do you decline it?
Studies show that only 39% of professionals negotiate their salary despite 84% of employers expecting negotiations. Mastering negotiations is essential for personal and professional growth.
Whether you’ve recently graduated, are returning to the workforce, have been affected by a layoff, or are considering your next move, negotiating your next job offer, promotion, benefits, severance package or pay is important.
In this session attendees will learn:
1- WHY – Knowing your worth is key to pushing past limits and seizing opportunities
2- HOW – Use proven strategies to negotiate with confidence and break barriers
3- WHEN – To ask for that raise or when to turn down the offer
4- WHERE – Resources so you know what you’re worth
5- WHAT – Simple tips on negotiation strategies and tactics for a successful outcome
Aarti Gadhia is a changemaker and has dedicated her entire career to breaking down barriers and boundaries to achieve equality for underrepresented groups in STEM and in leadership. She was honored for her contribution to the cybersecurity community by being named as one of the Top 20 Women in Cyber Security in Canada. Aarti founded Standout To Lead to empower women in cybersecurity to join boards and SHE (Sharing Her Empowerment), a resource group with a mission to be a collective voice and accelerate change within the organization.
She currently works at Sysdig and brings 25 years of sales and leadership experience. She has worked at cybersecurity organizations such as Sophos, Trend, VMware Carbon Black, Bugcrowd, Tines and Microsoft. Aarti actively participates in the cyber security community as a speaker, a mentor and a judge for provincial scholarships. She serves on boards and volunteers her time with WiCyS Western Canada Affiliate, ISACA and OWASP Vancouver, Vigitrust Global advisory board and ObserveID.
Aarti is one of the authors of the book "The Rise of the Cyber Women: Volume Two" and was quoted in Canadian Security Magazine as she shared her views on the importance of soft skills to break down barriers in traditional hiring. She is excited to share her involvement as the Sponsorship Chair for the first global herstory in the making “The Women In Security Documentary”.
Due to her international background, she loves to travel and learn different cultures. Her tagline: “Be Authentic, Be Yourself.”
May 26, 12:10-11:30
fiddleitm: Dynamic Web Threat Analysis with mitmproxy
In the ever-evolving landscape of web security, dynamic analysis plays a crucial role in identifying and understanding emerging threats. fiddleitm is a novel mitmproxy add-on designed to streamline and enhance web threat analysis workflows. By leveraging mitmproxy's powerful interception capabilities, fiddleitm provides real-time insights into network traffic, allowing security researchers and developers to dissect malicious payloads, analyze client-server interactions, and identify suspicious behaviors.
This talk will introduce fiddleitm's core features, demonstrating its ability to automate common analysis tasks such as payload extraction, request/response modification, and data visualization. We'll also discuss how fiddleitm can be customized and extended to fit specific research needs, empowering users to build tailored analysis pipelines. Attendees will gain valuable insights into leveraging mitmproxy and fiddleitm to efficiently analyze and mitigate web threats, contributing to a more secure web environment.
As a security researcher with extensive experience uncovering client-side web threats such as malvertising, skimming or drive-by exploits, I have built tools to identify compromised websites, and collaborated with industry partners and law enforcement to take down threat actors.
In addition to publishing original research, I also share my discoveries with media outlets and occasionally present at security conferences.
May 26, 1:30-1:50
Scarcity Signals: Are Rare Activities Red Flags?
This study investigates the hypothesis that domains infrequently contacted by the PowerShell utility are more likely to be malicious compared to frequently contacted domains. Analyzing six months of anonymized telemetry data from June 1, 2024, to December 31, 2024, encompassing 3,220,829 log events and 742 unique base domains, the research employs a percentile-based approach to define rare domains as those with an average of five or fewer contacts per full domain. This threshold identifies 550 rare domains, representing 74.1% of the total. Findings reveal that rare domains have a higher incidence of malicious activity, with 1.64% of rare domains identified as malicious, compared to 0.52% of non-rare domains. While the hypothesis was confirmed - rare domains are 3.18 times more likely to be malicious than non-rare domains - this trend lacks statistical significance and should be used as a correlating factor, not a standalone detection heuristic. A notable case study involving githubusercontent.com also demonstrated that frequently contacted base domains can host malicious subdomains, emphasizing the importance of subdomain-level analysis. Future research directions include using temporal analysis to uncover time-based patterns of domain contacts and behavioral analysis of process arguments to identify additional domains for analysis. Additionally, developing a risk scoring system that incorporates multiple factors such as contact frequency and malicious rates could enhance threat prioritization. This research provides valuable insights for security teams, promoting a data-driven approach to identifying potential threats and reinforcing strategies to safeguard network environments.
Darin is a security research manager at Cisco Talos, with a background across detection engineering, cloud security, digital forensics and threat hunting. Previous affiliations include Amazon, the US DOJ, King's College London and University of California, Davis.
John is a senior security researcher at Cisco Talos with experience across endpoint security, malware research, tool development and more. He blends security expertise with software development.
May 26, 2:00-2:20
Unlocking macOS Internals: A Beginner's Guide to Apple's Open Source Code
Have you ever wondered how macOS and iOS work under the hood? While Apple is known for its closed ecosystem, did you know that significant portions of macOS and iOS are open source—including security components? For security researchers, learning how to find, analyze, and use Apple's open source code is a game-changer.
In this talk, we'll demystify macOS internals for beginners by breaking down Apple's open source ecosystem—where to find it, how to navigate licensing limitations, and what components (continually) matter for security research. We'll explore techniques like binary analysis and extraction to uncover hidden references to source code. You'll also learn how macOS and iOS share a common codebase!
But it's not always easy—these open source releases are often incomplete, outdated, or missing files. We'll discuss challenges when compiling Apple's open-source projects, troubleshooting errors, and making the most of these resources for reverse engineering.
By the end of this session, you'll have a solid foundation in macOS internals, understand how this open-source model impacts security, and gain practical skills to explore macOS from the inside out.
If you're curious about macOS internals, this talk will give you everything you need to know to start hacking these machines!
Olivia Gallucci is a Senior Security Engineer at SECUINFRA and a blogger: oliviagallucci.com. She is the founder of two companies—Offensive Services (security consulting) and OG Health & Fitness (personal training). Graduating at the top of her university, Olivia is passionate about education surrounding free(dom) and open-source software, assembly, and security research. She previously worked in offensive security at Apple, US Government, and Deloitte. Outside of cybersecurity, Olivia enjoys competitive sailing, cooking, and reading about famous computer nerds.
May 26, 2:30-2:50
Scammer VS Senior Script Kiddie
Online scams are everywhere — but what happens when the scammer picks the wrong target? In this talk, we flip the script on a common online scam and walk through the step-by-step process of how a scammer was baited, tracked, and exposed using OSINT and social engineering tactics.
Using a real-life case study, Ali Alame shares how he posed as a typical victim in a Facebook Marketplace scam involving fake e-transfer confirmations.
This session dives into the psychology and flow of social engineering, how scammers manipulate urgency and trust, and the technical countermeasures used to track their location, gather intel, and ultimately expose them. From phishing the phisher to crafting convincing bait posts, attendees will walk away with real-world insights into how OSINT and social engineering can be used not only defensively, but offensively — to waste a scammer’s time and collect evidence.
Whether you're a security analyst, a red teamer, or just someone who's tired of scam messages, this talk offers a fun, practical, and slightly mischievous look at turning the tables — script kiddie style.
Ali Alame is an IT Security Specialist at IBM with a specialization in Vulnerability Assessments, helping organizations across Canada strengthen their security posture. With hands-on experience supporting over 30 school districts, Ali leads initiatives to identify, assess, and remediate risks in diverse enterprise environments.
He is also a Subject Matter Expert in large-scale on-premises to Microsoft Intune migrations, having successfully delivered projects for major organizations including Lululemon, the University of British Columbia (UBC), and numerous public sector clients. Ali combines deep technical expertise with a practical understanding of infrastructure security, endpoint management, and mobile device compliance.
In addition to his consulting work, Ali teaches cybersecurity at Vancouver Community College (VCC), where he prepares the next generation of security professionals with real-world insights and hands-on training.
May 26, 3:00-3:20
Secure Cryptographic Architecture Review of Ente Photo Manager
I routinely receive messages on LinkedIn and Twitter asking how to prepare for threat modeling and security system design review interviews. While there is a wealth of material available for software engineering system design, there is a noticeable lack of similar resources for security engineering. My goal is to analyze complex, real-world systems with publicly available architectures, focusing on security engineering.
Specifically, we will focus on generating encryption keys (KDF), secure encryption algorithms, envelope encryption, secure storage of encryption keys, secure photo sharing, customer content privacy, and more. Ente is an open source photo manager. This talk breaks down how Ente provides interesting security properties through a clever use of cryptographic primitives. Additionally, I will focus on Ente’s implementation, as its source code is open-source. I will provide snapshots and source code examples to demonstrate how someone can achieve a similar architecture using secure cryptographic libraries such as libsodium.
By the end of this talk, newcomers to security will gain an understanding of security and cryptographic architecture of a real-world system.
Pushkar Jaltare is a Security Architect at Fastly, a leading Edge computing and Content Delivery Network. He acts as a security subject matter expert for different product lines, which include Edge Compute, Content Delivery, and Fastly’s WAF. He is also responsible for evaluating the security, privacy, and governance of SaaS vendors utilized by Fastly. His previous experience includes a stint at AWS, where he performed design reviews for widely used AWS services. He holds a Master's degree in Information Assurance from Northeastern University and is an expert in the fields of Application Security, Cryptography, Web Application Security, and Network Security.
May 26, 3:30-4:20
Mastering Identity and Access Management Strategy with Entra ID
The traditional network perimeters have evolved, and now, user identities serve as the new security boundary. If you are invested in Microsoft licensing, this session is a must-attend!
Dive into a dynamic, demo-packed session where we unveil the powerful capabilities of Entra ID. Discover how to master your identity and access management strategy, fortify your environment, streamline access to resources and applications, and safeguard your privileged accounts.
Don't miss this opportunity to elevate your security posture and ensure robust protection for your organization.
Azure, M365, Identity and Endpoint Management adoption strategy consultant. 7-time Microsoft MVP. Workplace Ninja.
May 26, 4:30-5:20pm
The LifeLabs Hack
In 2019 LifeLabs was hacked by a ransomware group, resulting in one of the largest Canadian healthcare breaches (publicly known) to date. 5 years later, the technical details of the hack have been made public. At the time of the breach, LifeLabs claimed that through "proactive surveillance" they identified a cyber-attack, but what really happened?
This presentation will walk through the vulnerability used to exploit LifeLabs and will demonstrate post-exploitation techniques. All the tools you need to perform the LifeLabs hack yourself will be shared.
The circumstances before, during, and after this hack are just as important as the technical details. This presentation will also explain what a data breach looks like from the perspective of the affected company, the attacker, and the DFIR team hired to clean up the damage.
Finally, after 5 years' time, has anything improved? A review of LifeLabs' current attack surface will be explored.
Wesley Wineberg is a full-time bug bounty hunter, and has over 15 years' experience working in information security. Prior to being a professional bounty hunter, Wes worked at several companies, including being a member of the Azure Red Team at Microsoft. Wes has had various security roles, covering everything from web apps to hardware security but primarily enjoys the offense side of security.