Track 4 Speakers

May 27, 10:40-11:00

What’s up with CVSS4?

The only thing that’s clear about prioritizing vulnerabilities is that we have not figured it out as an industry. We’ve got CVSS, EPSS, CISA KEV, and more scoring systems to work with – these have not solved our challenges. This talk looks at the updates in CVSS4 that offer a new path forward. What has changed, why, and how can we utilize the updated system to work smarter at prioritizing vulnerabilities within our organizations? This new approach provides opportunities to customize the scoring more to the actual environments we work in, influencing the final score for a vulnerability. Supplemental metrics provide further context that does not impact the scoring. We’ll start with an overview of the current systems before diving into the new changes, taking a look at some practical examples of recent vulnerabilities.

Zach Wasserman

Zach is a serial entrepreneur, engineer, co-founder and Technology Evangelist at Fleet, where he works to unlock the full potential of osquery for enterprise and open-source customers. He brings the vision and experience of co-creating and working with osquery since the earliest design documents at Facebook in 2014. He has served as a member of the Linux Foundation osquery Technical Steering Committee since its inception in 2019. Prior to Fleet, Zach founded open-source security consultancy Dactiv, and co-founded endpoint security company Kolide. Zach graduated Summa Cum Laude with a BSE in computer science from the University of Pennsylvania where he conducted wireless security research and lectured on the Python programming language.


May 27, 11:10-11:30

Zero Trust in a Zero-Office World: Rethinking IAM for the Remote-First Enterprise 

Traditional "castle walls" security crumbles in today's decentralized workplace. This session will look into the challenges of outdated IAM in a remote-first world, highlighting data breaches, inflexible access controls, and shadow IT risks. It will also show the transformative power of Zero Trust, a framework emphasizing continuous verification, least privilege access, and data-centric security using MFA, CAAC, UEBA, micro-segmentation, and DLP to secure remote work. It will also highlight practical solutions like ZTNA, secure collaboration platforms, and SSO for seamless and secure access and collaboration.

Femi Ogunji

Femi is a seasoned Information Security Consultant with a passion for building and deploying next-generation technology and security solutions. With a track record of developing and implementing robust technology and information security strategies, I bring a wealth of experience in the realm of cybersecurity, and I've successfully led the charge in managing security services in the public, private and non-profit sector, focusing on identity and access management, risk management, and process enhancement. My commitment to improving IT governance, compliance, and threat response is evident with several projects I have been a part of throughout my career. I believe in the power of collaboration and love to focus on innovative solutions that enhance data and IT security posture. In addition to my wealth of practical experience, I hold certifications from Microsoft, CompTIA, ISC2 and ISACA.

Femi is not just passionate about securing information; I'm equally enthusiastic about mentoring aspiring professionals in the field. As an industry mentor with several post-secondary institutions, immigrant-serving societies, and within the corporate environment, I'm dedicated to sharing insights, fostering growth, and helping individuals navigate the dynamic landscape of information and cybersecurity. I want to ensure that the next generation of Cybersecurity leaders have what it takes and are ready to put on the shoes which they will have to fill.

Current Affiliations:

International Information System Security Certification Consortium – (ISC)2

Information Systems Audit and Control Association - ISACA


May 27, 11:40-12:00

Do Not Find Bugs; Bugs Find You

All conference talks we hear about vulnerability hunting and exploitations are so cool -- so much so that it appears as if you would never get there unless you have been hacking since 14 years old. Will you not ever find cool bugs if you do not like setting up fuzzers or grinding with disassemblers? You are mistaken. In this talk, I will introduce the mindset that will slowly but organically yield the discovery of vulnerabilities without daunting learning curves or too many emotional rollercoasters often associated with “vulnerability research.” That is, let us do “security research” instead. As a case, I will discuss how I found vulnerabilities in the Windows Hypervisor. Throughout it, we will review the hardware-assisted virtualization technology the hypervisor relies on and Windows’ unique security boundary that is less scrutinized. Finally, the talk gives a few ideas to extend this work for more bug discoveries. You should attend this talk if you want to start bug hunting casually and naturally. You may not find bugs immediately, but bugs may find you soon.

Satoshi Tanda

Satoshi is a security researcher, software engineer, and trainer with over 15+ years of experience. He works as a platform engineer for virtualization and security at Sony Interactive Entertainment and previously worked at security software vendors as a developer, researcher, and reverse engineer. In his spare time, he enjoys studying system software security and has discovered vulnerabilities in hypervisors, drivers, and UEFI firmware.



May 27, 12:10-12:30

Decomposing a Malware Symphony: When Malware Work Together to Deliver a Powerful Infection

There are numerous families of malware out there, each with its own unique features. Some can steal sensitive data and exfiltrate it using specific protocols, some can introduce additional malware into the system, some can encrypt or destroy files, and many more. Despite their differences, these various malware families can collaborate in a symphonic manner to deliver a powerful infection. I've started referring to this as a “malware symphony” to describe how different types of malware contribute to the symphony of infections, much like instruments in an orchestra. One such example is CrackedCantil, which I named after Cracked Software and the Cantil Viper. In this particular malware campaign that originated from Cracked Software, at least nine different malware types were involved, including PrivateLoader, Smoke, Lumma, RedLine, RisePro, Amadey, Stealc, Socks5Systemz, and STOP. Here, the Loaders (PrivateLoader, Smoke) introduced several notorious malware into the system. The Infostealers (Lumma, RedLine, RisePro, Amadey, Stealc) exfilterated various sensitive information before the ransomware encrypted the files. The Proxy Bot malware (Socks5Systemz) transformed the system into a proxy bot, and the Ransomware (STOP) encrypted the files, demanding a ransom for their recovery. The full analysis can be found here: This talk will delve into the malware symphonies, exploring how they are orchestrated to wreak havoc on systems.

 Lena Yu

Lena is a malware analyst and researcher from Japan, and the author of the ANY.RUN malware analysis articles. She has investigated several cyber threats including the Roaming Mantis Smishing Campaigns, IPFS phishing campaigns and international scam operations, and has written numerous articles for open-source education. She has also created the MARC I (Malware Analysis Report Competition), fostering contributions to open-source education in malware analysis.

She has spoken at events such as IEICE Technical Committee on Computer Systems, AVTokyo, Nippon CSIRT Association on topics related to computer systems, phishing, malware analysis, and threat hunting. She will also be speaking at Virus Bulletin 2024. Additionally, she has played a role in organizing and teaching at various cybersecurity events. Before venturing into malware analysis, Lena was a low-level developer specializing in computer architecture and RISC-V TEE research, and won research awards.



May 27, 1:30-1:50

Techniques to Exfiltrate Data

You are the proverbial bad guy, and need to exfiltrate data out of a company. What are the various techniques you can employ to fly under the radar of all software modules designed to prevent you from doing that? If you are a blue teamer and need to guard your defenses against exfiltration, what are the various techniques you can employ to prevent this?

Sundar Krishnamurthy

Following #infosec stories and trying to understand the threat landscape for the last 10 years keeps me Sleepless in Seattle. I have been a Senior Security Architect with Expedia Group for the last 5 years, managing application security and cloud security reviews. This mugshot of mine is on the Disney Magic cruise ship in the waters off Canada Place in 2018.

I visit Vancouver BC often and hope to get close to MARS and BSides YVR over the near future. Playing offense in information security is the easiest thing, but playing defense is where we need to focus all our efforts and energies. There is an old Indian saying, "The door of the fort always opens from the inside!". We need to evangelize information security and teach everyone to guard their data at all times.



May 27, 2:00-2:20

What We Mean When We Say Internet Measurement, and Why it Matters So Much for Security

Often when folks think of security research, they think of things like reverse engineering, tracking threat actors, or pentesting. While these are all valid, there’s one side of security research that is often forgotten or misunderstood – Internet Measurement, or evidence-based science. In order to improve the world, we need to quantify it first, and that’s where Internet Measurement comes into play.

In this talk, I’ll use my 8 years of hands-on experience to dive deep into the world of Internet Measurement and show attendees why we should care MORE about Internet Measurement as a security research tool. To start, I’ll discuss the details of three very different measurement projects: evaluating attacker behavior in a niche market, quantifying Internet Scanning completeness, and improving vulnerability notifications. In discussing these projects, I’ll clarify the questions we were trying to answer, how we thought about our measurements, and the impact the outcomes had. Most importantly, I’ll hypothesize what we would have missed had the work NOT happened. 

By discussing these three disparate projects, I hope attendees will walk away understanding what Internet Measurement is, why it’s so useful in the world of security, and how security practitioners can apply these lessons to their own environments. We don’t know what we don’t know and the unknown can seem daunting. Internet Measurement is a way for us to step into (and through) that unknown.

Ariana Mirian

Ariana currently works as a Senior Security Researcher at Censys, where she works on understanding and bettering the Internet via empirical measurements. She completed her Ph.D in 2023 in Computer Science and Engineering at the University of California - San Diego, where her focus was on using large-scale data analysis to prioritize security processes in various domains. She is broadly interested in all things Internet measurement, networking, and security, and outside of her professional interests Ariana is an avid aerialist and birder.





May 27, 2:30-2:50

A How To Guide: Hunting Clearweb Fentanyl Distributors

On the clearweb, hundreds of sites operate in the open which have been used to fuel the spread of Fentanyl and it’s precursors. These operators have stepped out of the shadows of the darkweb to increase the accessibility to their highly addictive drugs.

Sit down for this talk and discover how to identify a seller, track them down across the web, and find the links back to shell corporations based out of the United States. I will demonstrate all of this using real world examples; by following this guide you too will be able to use these OSINT tactics to take down a drug network.

Julian B.

Penetration tester by day, Julian identifies vulnerabilities to exploit for a wide range of clients. OSINT enthusiast by night, Julian follows emerging threats to the Western world.


May 27, 3:00-3:20

Unveiling Deception - Catching a Catfish

This talk covers an introduction to catfishing, providing a real-life example. It outlines the Signs of a Catfish, focusing on Red Flags and Warning Signs. The role of OSINT is highlighted, showcasing techniques to unmask catfishers.

Introduction to Catfishing, Case example, Signs of a Catfish, Red Flags and Warning Signs , How can OSINT help?, OSINT techniques to unmask catfishers, Prevent Catfishing / Education 


Ritu Gill is an Intelligence Analyst with 17 years of experience working in open-source intelligence (OSINT). After a 12-year career with the Royal Canadian Mounted Police (RCMP), Ritu set up a consulting business providing OSINT training and research to law enforcement and related entities across North America. In 2023 Ritu Co-founded, Forensic OSINT, a screen capture tool.

Ritu holds a Bachelor’s Degree in Criminology from Kwantlen Polytechnic University, and is actively involved in the OSINT community.





May 27, 3:30-3:50

Blockchain DevSecOps

Blockchain technology can have a revolutionary effect on many important industries like finance and health. A security vulnerability in a smart contract can lead to a hack that would be more damaging than the biggest heists in history. We have proven DevSecOps methods in the classic software building industry that we can leverage to develop blockchain projects and improve smart contracts qualities and security. Moreover, there is a lack of consensus and guidance regarding leveraging DevSecOps in developing blockchain projects. This talk will list common smart contract vulnerabilities and how we can avoid them by building a secure CI/CD pipeline and following best security practices.

Iman Sharafaldin

Passionate about all things code, Iman has more than 8 years of cybersecurity and software related experience. He is also a PhD candidate in computer science with more than 1000 citations on his cybersecurity related publications. Iman enjoys hiking in his spare time. Designations & Certifications: PhD Comp. Sci., AWS Solutions Architect, OSWE, AWS Certified Security – Specialty


May 27, 4:00-4:20

Securing the AI Pipeline

The rapid rise of AI presents organizations with both opportunity and risk. This talk demystifies the AI pipeline, providing a framework and actionable steps to secure AI solutions throughout their lifecycle. Learn how to address the unique security challenges of AI and safeguard your organization's investment in this transformative technology.

Muhammad Muneer

Muhammad Muneer is a Principal Incident Response Consultant and global lead for Threat Hunting Program Development at Mandiant. He has also led the development of the Securing AI Solutions service. With extensive experience in incident response, compromise assessments, and threat hunting, Muhammad guides organizations through cybersecurity crises and proactively identifies emerging threats. His leadership extends to developing and transforming security programs, specializing in incident response preparedness, ransomware defense, and securing AI solutions for diverse clientele.

May 27, 4:30-4:50

Security Recruitment: Four Challenges Candidates Face and Four Areas You Can Improve to Impress Candidates

Deep dive into both candidate and hiring manager perspectives during interviews. What levers can you pull as a hiring manager to increase your offer acceptance rate?

Four main challenges candidates face that will make them turn you down.

Four areas to focus on so you and your team can crush it. 

PABLO vidal bouza

Pablo Vidal Bouza is the Head of Security Operations at Rippling, spanning threat detection and response, cloud and corporate security. He’s been focused on kickstarting these functions from the ground up, working to create world class security teams that foster psychological safety, empathy and a unique enthusiasm for problem solving across the organization.


May 27, 5:00-5:20

SOC Staffing and Scheduling - Justifying Headcount and Meeting the Mission 

Looking to quickly determine how many analysts your SOC needs? Wondering what the tradeoffs are between 5x8, 4x10, 2-2-3? Curious what's the right SlA & when to use an on-call? If so then this is the track for you.


•From Cincinnati Ohio, Living in the Northern Virginia Area.

•Currently at Oracle working in Cloud Security Operations 

•Previous Security Operations work:

Microsoft – Where we went from an outsourced T1, Small T2 model to a robust multi-team/multi-country SOC with ancillary supporting teams.

KeyBank – Where we built a Security Operations Center using MSSP and Internal Staffing from the ground up.

US Army – Where we built out Security Operations Planning and Staffing to support Incident Response, and Ancillary teams.

Twitter/X @ch_breakthrough