BSides Cape Town 2025

No sessions on Friday, Dec. 5, 2025.
09:00
30min
Opening
Track 1
09:30
45min
I had a (bot) farm in Africa
Charl van der Walt

Africa is a huge and complex place, with over 50 countries and more than 2,000 spoken languages - from Arabic and Swahili to Hausa and Zulu. It's also evolving, with technology impacting countries and their people in dramatic ways. All of this has significant implications for cybercrime and cybersecurity.

But is cybersecurity in Africa as unique as the continent itself, or does globalised technology imply globalised vulnerabilities and threats?

This talk presents the findings from a study of over 300 security incidents on the continent from the last five years, and uses a novel framework to surface a holistic and comprehensive view of the scope and shape of cybersecurity on the African continent.

Track 1
10:15
15min
Break
All tracks
10:30
45min
From Impersonation to Exploitation: A look at Mobile Malware Campaigns
Brent Shaw, Dr Roboto

Mobile malware is no longer a fringe concern—it’s a fast-evolving threat that quietly compromises users across the globe. This session dives into two years of malware investigations, revealing how attackers exploit social engineering and impersonate trusted Android apps to gain full control of devices. Through a case study, we expose the inner workings of a repackaged RAT campaign and the critical phases of its attack: Delivery, Enablement, and Exploitation.

Attendees will gain insight into how threat actors manipulate Android Accessibility Services, bypass user defences, and adapt their tactics in response to improved detection. While not directly targeting South African institutions, the campaign’s techniques pose real risks to financial applications and user privacy. This talk offers insights into mobile malware campaigns and highlights the urgent need for collaboration, education, and smarter defences in the mobile threat landscape.

Track 1
10:30
45min
No endpoints were harmed in the making of this talk
Jacques Louw, Tyrone Erasmus

Scattered Spider kids figured it out. The bears and pandas figured it out. Your red team still dropping Cobalt Strike like it’s 2015?

Modern attackers aren't wasting time on your hardened endpoints anymore - they're walking straight into your cloud. Not AWS, the other cloud: the thousand SaaS apps your company married, divorced, but somehow still pays for.

Hold my beer as we speedrun the entire kill chain - initial access, persistence, lateral movement - across your favorite SaaS platforms. No zero-days. No malware. No "please disable your AV for this demo." No alerts, No logs.

Bring popcorn. Bring questions. Maybe bring your pearls, so you can clutch them.

Track 3
10:30
45min
Whack A Phish
Geoffrey Chisnall

Phishing and its variants remain one of the most persistent threats in cybersecurity, yet the focus often stays on end-user awareness or reactive responses after people have already been scammed and had their money stolen. What if we could identify them before they reach our inbox or SMS? In this talk, I’ll share my hands-on journey of discovering and analyzing phishing links and websites in the wild, from following suspicious URLs to getting them taken down. I’ll also dive into how you can get ahead of phishing threats by using open-source tools, recognizing patterns, and applying investigative techniques. This isn’t just about the analysis, it’s about shifting the mindset from reactive defense to proactive discovery.

Track 2
11:15
10min
Break
All tracks
11:25
45min
Help, I lost my keys: Recoverable, monitored FDE at the Edge
Kobus van Schoor

This talk presents a fully open-source framework to achieve full disk encryption (FDE) for TPM-equipped Edge devices, balancing strong security guarantees with practical maintainability at scale. We address key features including automated disk unlocking and recovery, monitoring and remote access. The talk will cover the following:

  • A fully verified boot chain, from EFI firmware through the initramfs. We'll cover which system components to verify and common pitfalls to avoid when setting up a secure boot chain.
  • A newly-developed, open-source TPM PCR prediction mechanism enabling seamless reboots after kernel or initramfs updates.
  • Automated disk encryption key onboarding and recovery using Tang and Clevis.
  • Secure remote access and fleet observability while disks remain locked - using WireGuard, SSH, and Prometheus.
  • Guidance on how to extend the initramfs (dracut) with your own tooling.
  • Discussion of shortfalls and potential security risks.

Our aim with this talk is to help you make FDE convenient, recoverable and monitored to make large-scale rollouts possible.

Track 3
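The PCR prediction item in this talk is the part that most often goes wrong in practice, so here is an added example (not the speaker's tooling or the framework the talk describes) that replays a measured-boot event log in Python and predicts the PCR value a kernel or initramfs update will produce, so the disk key can be sealed against the predicted value before the reboot rather than the current one. The component names and digests are constructed. A real event log has many more entries and, for PE images measured by firmware, the event digest is the Authenticode hash of the image rather than a plain file hash, which is why the model is checked against the TPM's reported value before any prediction is trusted.

```python
import hashlib
from typing import Dict, List

# SHA-256 bank PCRs 0-16 start at all zeros; an extend is PCR = H(PCR || event_digest).
PCR_INIT = bytes(32)


def extend(pcr: bytes, event_digest: bytes) -> bytes:
    """One TPM2_PCR_Extend in the SHA-256 bank."""
    return hashlib.sha256(pcr + event_digest).digest()


def replay(event_digests: List[bytes]) -> bytes:
    """Replay a measured-boot event log (already-hashed events, in order) into a PCR."""
    pcr = PCR_INIT
    for digest in event_digests:
        pcr = extend(pcr, digest)
    return pcr


def model_matches_tpm(event_log: List[bytes], tpm_reported: bytes) -> bool:
    """Sanity check before predicting anything: the log we hold must replay to the
    value the TPM actually reports (what tpm2_pcrread would show). If it does not,
    our picture of what gets measured is wrong and every prediction is junk."""
    return replay(event_log) == tpm_reported


def predict_after_update(event_log: List[bytes], replacements: Dict[int, bytes]) -> bytes:
    """Predict the PCR for the next boot when some measured components change.

    event_log:    the current boot's event digests, in extend order
    replacements: {event index: raw bytes of the component that will replace it}
    Events not listed are assumed to measure exactly as they did this boot.
    """
    future = list(event_log)
    for index, blob in replacements.items():
        # Assumption for this example: the event digest is the plain SHA-256 of the blob.
        future[index] = hashlib.sha256(blob).digest()
    return replay(future)


# Constructed scenario (not real firmware or kernel images): one PCR that sees
# the shim, the kernel and the initramfs, in that order.
SHIM = b"shim-15.8"
KERNEL_V1, INITRD_V1 = b"vmlinuz-6.6.1", b"initramfs-6.6.1"
KERNEL_V2, INITRD_V2 = b"vmlinuz-6.6.2", b"initramfs-6.6.2"

EVENT_LOG = [hashlib.sha256(b).digest() for b in (SHIM, KERNEL_V1, INITRD_V1)]
TPM_REPORTED = replay(EVENT_LOG)  # stands in for the value read back from the TPM

# Seal the key for the next boot against the predicted value, not the current one.
PREDICTED = predict_after_update(EVENT_LOG, {1: KERNEL_V2, 2: INITRD_V2})
# What the TPM will actually hold after rebooting into the new kernel/initramfs.
NEXT_BOOT = replay([hashlib.sha256(b).digest() for b in (SHIM, KERNEL_V2, INITRD_V2)])

if __name__ == "__main__":
    print("model matches TPM:", model_matches_tpm(EVENT_LOG, TPM_REPORTED))
    print("current PCR:      ", TPM_REPORTED.hex())
    print("predicted PCR:    ", PREDICTED.hex())
    print("prediction holds: ", PREDICTED == NEXT_BOOT)
```

The operational sequence this supports is: read the event log and current PCR, confirm they agree, compute the post-update value, re-seal the disk key against that value, and only then install the update and reboot. If the model check fails, stop: sealing against a mis-predicted PCR is exactly how a fleet ends up at the recovery prompt.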
11:25
45min
Knock knock. Race Condition. Who's there?
Ross Simpson

Race conditions are everywhere - so why haven't you seen one, and how bad are they really?
From cheating computer games, to flaws in big automation platforms, local privilege escalations, and stealing millions from web apps... even a look at a problem with birthdays, and how to freeze time!

Track 1
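As an added illustration of the web-app case this abstract teases (an example written for this page, not the speaker's material), the Python below drives a balance check and a debit from several threads. A barrier holds every thread in the window between the check and the debit, which is the same gap an attacker widens by firing concurrent requests; the second function closes the window by doing the check and the debit under one lock. The account, amounts and thread counts are all constructed.

```python
import threading
from typing import Tuple


class Account:
    def __init__(self, balance: int) -> None:
        self.balance = balance
        self.lock = threading.Lock()


def withdraw_racy(acct: Account, amount: int, window: threading.Barrier) -> bool:
    """Check-then-act with a gap in the middle (time of check vs. time of use).

    The barrier stands in for whatever normally sits between the check and the
    debit: a database round trip, a call to a payment provider, a queue hop.
    Every thread that passes the check parks here until all of them have, so
    each thread then debits using a view of the balance that is already stale.
    (All threads see the same starting balance, so either all pass or none do.)
    """
    if acct.balance >= amount:          # time of check
        window.wait()
        acct.balance -= amount          # time of use: the money may already be gone
        return True
    return False


def withdraw_atomic(acct: Account, amount: int) -> bool:
    """Check and debit under one lock: nothing can interleave between them."""
    with acct.lock:
        if acct.balance >= amount:
            acct.balance -= amount
            return True
        return False


def run_attack(attackers: int, amount: int, start_balance: int, racy: bool) -> Tuple[int, int]:
    """Fire `attackers` concurrent withdrawals; return (final balance, successful withdrawals)."""
    acct = Account(start_balance)
    window = threading.Barrier(attackers)
    outcomes = [False] * attackers

    def worker(i: int) -> None:
        if racy:
            outcomes[i] = withdraw_racy(acct, amount, window)
        else:
            outcomes[i] = withdraw_atomic(acct, amount)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(attackers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return acct.balance, sum(outcomes)


if __name__ == "__main__":
    print("racy:  ", run_attack(5, 100, 100, racy=True))    # balance goes negative, 5 payouts
    print("atomic:", run_attack(5, 100, 100, racy=False))   # balance 0, exactly 1 payout
```

In a web application the lock is the database, not a Python object: a single `UPDATE accounts SET balance = balance - :amt WHERE id = :id AND balance >= :amt` with a check on the affected-row count, or a `SELECT ... FOR UPDATE` inside the transaction, gives the same all-or-nothing property as `withdraw_atomic`.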
11:25
45min
Peering behind the Shadows: Reverse Engineering Android JNI Binaries
Keith Makan

Android Java Native Interface (JNI) provides a means to bridge the Java and C/C++ worlds. While Java bytecode is relatively straightforward to decompile and analyse, these compiled JNI libraries (.lib, .so files) have pretty much been left in the shadows, especially with regard to reverse engineering broader aspects of the JNI API. This lack of vision on JNI binary-fu is a significant hurdle for security researchers and reverse engineers. Binaries can house sensitive logic, custom encryption algorithms, or even malware, making their analysis crucial for a comprehensive security assessment.

The talk presented here aims to shed some light on practical methodologies to reverse engineer and even automate vulnerability assessment for Android's JNI Libraries. Security Researchers and anyone looking to expand their Android mobile security assessment skill set should give this talk a listen.

Track 2
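One concrete piece of the JNI binary-fu this abstract refers to is matching a `native` method declared on the Java/smali side to its exported symbol in the .so, and the reverse. Here is an added Python example (written for this page, not from the talk) implementing the name-mangling rules from the JNI specification in both directions, plus a small triage pass over a constructed list of exported symbol names. The classes, methods and symbol lists are constructed. Libraries that bind their natives with RegisterNatives inside JNI_OnLoad export no Java_* symbols at all, and the triage flags that case so you know to recover the method table from JNI_OnLoad in the decompiler instead.

```python
import re
from typing import Dict, List, Optional, Tuple

_ESCAPES = {"1": "_", "2": ";", "3": "["}
# The "__" that separates method name from argument descriptor is never followed
# by a digit: descriptors start with a type letter or "[" (mangled to "_3"),
# while "_0".."_3" are escape sequences, so "__0".."__3" is an escape, not a separator.
_SEPARATOR = re.compile(r"__(?![0-3])")


def mangle(text: str) -> str:
    """JNI mangling for a class name, a method name or an argument descriptor."""
    out = []
    for ch in text:
        if ch == "_":
            out.append("_1")
        elif ch == ";":
            out.append("_2")
        elif ch == "[":
            out.append("_3")
        elif ch in "./":
            out.append("_")
        elif ch.isascii() and ch.isalnum():
            out.append(ch)
        else:                                   # '$' in inner classes, non-ASCII, etc.
            out.append("_0%04x" % ord(ch))
    return "".join(out)


def jni_symbol(class_name: str, method: str, arg_descriptor: Optional[str] = None) -> str:
    """Exported symbol for a `native` method. Pass arg_descriptor (the part between the
    parentheses, e.g. 'Ljava/lang/String;I') only for overloaded methods."""
    sym = "Java_" + mangle(class_name) + "_" + mangle(method)
    if arg_descriptor is not None:
        sym += "__" + mangle(arg_descriptor)
    return sym


def demangle(text: str) -> str:
    """Undo mangle(); a bare '_' becomes '/', the package/class separator."""
    out, i = [], 0
    while i < len(text):
        ch = text[i]
        if ch == "_":
            nxt = text[i + 1] if i + 1 < len(text) else ""
            if nxt in _ESCAPES:
                out.append(_ESCAPES[nxt])
                i += 2
                continue
            if nxt == "0":
                out.append(chr(int(text[i + 2:i + 6], 16)))
                i += 6
                continue
            out.append("/")
            i += 1
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def parse_jni_symbol(symbol: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """Map an exported Java_* symbol back to (class, method, arg descriptor or None)."""
    if not symbol.startswith("Java_"):
        return None
    body = symbol[len("Java_"):]
    m = _SEPARATOR.search(body)
    name_part, sig_part = (body[:m.start()], body[m.end():]) if m else (body, None)
    qualified = demangle(name_part)
    if "/" not in qualified:
        return None
    cls, method = qualified.rsplit("/", 1)
    sig = demangle(sig_part) if sig_part is not None else None
    return cls.replace("/", "."), method, sig


def triage_exports(symbols: List[str]) -> Dict[str, object]:
    """Sort a library's exported symbol names (as listed by `nm -D --defined-only libx.so`)
    into JNI natives, and note when the natives must be registered dynamically."""
    natives = [p for p in (parse_jni_symbol(s) for s in symbols) if p]
    has_onload = "JNI_OnLoad" in symbols
    return {
        "natives": natives,
        "has_JNI_OnLoad": has_onload,
        "likely_RegisterNatives": has_onload and not natives,
    }


# Constructed export lists; the C++ symbol is just noise to be ignored.
EXPORTS_STATIC = [
    "JNI_OnLoad",
    "Java_com_example_app_NativeLib_stringFromJNI",
    "Java_com_example_app_Crypto_encrypt___3B_3B",   # encrypt(byte[], byte[])
    "_ZN3foo3barEv",
]
EXPORTS_DYNAMIC = ["JNI_OnLoad", "JNI_OnUnload", "_ZN3foo3barEv"]
```

Name mangling alone does not tell you which Java class a symbol belongs to when the binary is obfuscated; it tells you the symbol name the runtime will look up, which is what lets you go from a `native` declaration in smali straight to the function in the decompiler, or cross-reference the other way when the .so is all you have.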
12:10
50min
Lunch
All tracks
13:00
45min
Beyond Stored XSS: Reclaiming Persistence Using <REDACTED>
Ethan Havinga

Tired of Googling persistent XSS and being swamped with stored XSS write-ups? Let's take a dive into what persistent XSS really means and how modern browsers try to prevent us from achieving it.

Modern web applications have outpaced traditional Cross-Site Scripting (XSS) techniques like stored XSS and iFrame traps, which falter against page navigation, X-Frame-Options headers, Content Security Policy, and EDR/AV detection. This talk explores why true persistent XSS is a complex challenge and introduces [REDACTED], a new open-source framework built to address these modern barriers.

We dive into the persistence problem, examining why simple framing no longer suffices in today’s browsers. Legacy tools like BeEF, while pioneering, rely on methods less effective against current browser standards and APIs. [REDACTED] builds on BeEF’s persistence foundation but focuses on making XSS a reliable vulnerability to exploit on red team engagements no matter the context. It integrates modern technologies, such as advanced DOM manipulation and lightweight payloads, to ensure stability and bypass defenses. [REDACTED] also introduces unique attacks, like live remote view, for real-time monitoring of infected web applications.

This session analyses legacy tool limitations and showcases [REDACTED]’s Command-and-Control functionality for red/purple team engagements. A live demo on a simulated banking app will highlight [REDACTED]’s innovative features, including its remote-view capability, and demonstrate its real-world impact. Attendees will understand why persistence remains a tough problem, how [REDACTED] redefines XSS exploitation, and why older approaches fall short, gaining a modern mental model for advanced attacks. Join us to rethink XSS and build on the legacy of tools like BeEF.

Track 2
13:00
45min
Rapid Unplanned Disassembly: Hacking flying things sounded like a great idea.
Dale Nunns

Take the cheapest quad-copter drone I could find, hack it and try to fly it with my own software, because how hard could it be?

Track 1
13:00
45min
The Hidden Crisis: Mass Fraud in the SASSA SRD Grant System
Veer Gosai

Learn how a 19-year-old first-year Stellenbosch University student discovered a major fraud issue in the SASSA SRD R370 Grant System, stemming from a simple API vulnerability.

Track 3
13:45
10min
Break
All tracks
13:55
30min
From Clone to Cloak: Bypassing EDR with Open-Source Tooling
Logan Kroeger

Modern Endpoint Detection and Response (EDR) solutions present one of the toughest challenges for red teamers and offensive tool developers. This talk showcases a methodology used to adapt an open-source shellcode loader to bypass a modern EDR solution. Rather than showcasing a novel evasion technique destined to be signatured, the focus is on a reproducible approach to evading both static and behavioural detections.

Attendees will gain insight into the full chain of the bypass methodology:
* Identifying static signatures on disk
* Modifying loader behaviour to evade runtime detection
* Iterative testing and validation
* Applying this workflow to other public offensive tooling

Track 3
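The first step in that list, locating the bytes a static signature keys on, is normally done by bisecting the file against the scanner, and the added Python below (an example for this page, not the speaker's tooling) shows that search. The scanner here is a constructed stand-in that flags a marker string, so the example runs offline; against a real engine the oracle writes a temp file and scans it. The search assumes monotonicity (a flagged prefix stays flagged when lengthened), which breaks when the engine needs a valid PE header or matches several signatures at once, so the function reports the number of scans and the caller should re-verify the window it returns.

```python
from typing import Callable, Optional, Tuple

Oracle = Callable[[bytes], bool]   # returns True when the scanner flags the blob


def find_flagged_window(blob: bytes, is_flagged: Oracle) -> Optional[Tuple[int, int, int]]:
    """Return (start, end, scans) where blob[start:end] is the smallest window the
    scanner still flags, or None if the whole blob is clean.

    Two binary searches. Phase 1 finds the shortest flagged prefix, which pins the
    end of the signature; phase 2 finds the latest start that keeps blob[start:end]
    flagged, which pins the beginning. Cost is O(log n) scans instead of O(n).
    """
    scans = 0

    def flagged(chunk: bytes) -> bool:
        nonlocal scans
        scans += 1
        return is_flagged(chunk)

    if not flagged(blob):
        return None

    lo, hi = 1, len(blob)                 # phase 1: shortest flagged prefix
    while lo < hi:
        mid = (lo + hi) // 2
        if flagged(blob[:mid]):
            hi = mid
        else:
            lo = mid + 1
    end = lo

    lo, hi = 0, end - 1                   # phase 2: latest start still flagged
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if flagged(blob[mid:end]):
            lo = mid
        else:
            hi = mid - 1
    start = lo
    return start, end, scans


def hexdump_window(blob: bytes, start: int, end: int, context: int = 8) -> str:
    """Show the flagged bytes with a little context on either side."""
    lo, hi = max(0, start - context), min(len(blob), end + context)
    return "%08x: %s" % (lo, " ".join("%02x" % b for b in blob[lo:hi]))


# Constructed stand-in for the engine: it "detects" one fixed marker string.
MARKER = b"ConstructedSignatureString"


def fake_scanner(chunk: bytes) -> bool:
    return MARKER in chunk


# Constructed "loader": filler bytes, the marker, more filler.
SAMPLE = bytes(range(256)) * 4 + MARKER + bytes(range(256)) * 3

if __name__ == "__main__":
    hit = find_flagged_window(SAMPLE, fake_scanner)
    if hit:
        start, end, scans = hit
        print("flagged window %d..%d found in %d scans" % (start, end, scans))
        print(hexdump_window(SAMPLE, start, end))
```

Once the window is known, the usual next move is to change those bytes without changing behaviour (rename the string, split the constant, re-encode the stub) and run the search again, because removing one match often just exposes the next one.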
13:55
15min
Making OpenINTEL open up
Szymon

In this lightning talk I explore OpenINTEL from an offensive perspective. Digging into the terabytes of data made available, I examine whether it can be useful for OSINT purposes. I will also share ideas, tools and scripts that could help with handling this data set.

Track 1
13:55
15min
You Are an Expert CFP Submitter: Prompting AI to Hallucinate
Tinus Green

Large Language Models (LLMs) are trained on vast amounts of internet data, which means their understanding of what it means to be an expert is largely shaped by how that word is used in forums, blogs, and online arguments. Let's be honest, this isn't always positive. Despite this, we constantly preface our prompts with phrases like “You are a senior pentester…” or “You are the world’s best developer…”, thinking we’re nudging the LLM in the right direction.

But what if we’re actually setting it up to fail?

In this lightning talk, we’ll explore how the way we frame prompts contributes to the very problems we complain about: hallucinations, overconfidence, and incorrect output. More importantly, can we get better results by prompting LLMs to think more like real experts? The kind who research, collaborate, and aren’t afraid to say “I don’t know”?

Track 2
14:10
15min
From Redacted to Ready: How Competitions Build a Nation’s Next Generation Cybersecurity Specialists
Heloise Meyer, Ivan Burke

Capture The Flag (CTF) competitions offer an interactive environment to promote cybersecurity education. One such initiative is the Cyber Security Challenge (CSC), organised by the South African National Research Network (SANReN), to stimulate interest and grow the next generation of cybersecurity specialists in South Africa. As the CSC prepares for the 10th edition of the competition, the question is: Has the CSC succeeded in growing South Africa's pool of cybersecurity specialists?

Track 2
14:10
15min
Injection at Conception: Abusing the Android Zygote Process
David de Villiers

Android’s Zygote process is responsible for spawning every application on a device, making it one of the most sensitive targets in the mobile ecosystem. The Zygote Injection vulnerability (CVE-2024-31317) - discovered by researchers at Meta - exposes a flaw in Android’s Zygote process that lets attackers inject arbitrary arguments, making it possible to launch apps with elevated privileges, run them as debuggable apps, or spawn interactive system-level shells.

While this issue has been mitigated in newer Android versions, it remains highly relevant in the wild. Devices such as POS machines, kiosks, and other embedded Android systems often operate on outdated versions of Android, leaving them vulnerable.

This talk walks through how Zygote Injection works, explores its modern exploitation potential, and introduces open-source tooling we have developed to automate the attack chain. Attendees will walk away with both practical knowledge and a hands-on toolkit to test Android systems still vulnerable in 2025.

Track 1
14:25
10min
Break
All tracks
14:35
45min
Hackers Hunt, Execs Fund: Measuring the ROSI of a Bug Bounty Program to Win the Business Case
Harry Grobbelaar

Security teams often need to balance what they want to implement with the security budgets available to them, running into the question “What is the ROI?” to sell the value to the business.

This talk bridges the gap between hacking and the boardroom by showing how to measure the Return on Security Investment (ROSI) of a bug bounty program.

Using real breach cost data from IBM, attack vectors from Verizon’s DBIR, security maturity insights from security maturity frameworks, and data from global bug bounty programs, this talk will walk you through a methodology to translate vulnerabilities into financial impact, avoided losses, and strategic value. Attendees will leave with a practical framework and examples they can use to justify, defend, or expand a bug bounty program inside their own organizations.

Track 3
14:35
45min
MeLTEd Modems
Rogan Dawes

LTE modems are found in many embedded devices, basically anything that needs on-the-go communications. Did you know that many LTE modems are actually running a full-blown operating system, specifically, Linux? As a result, there are a number of opportunities for hacking these modems, and potentially the rest of the device it is embedded in. This talk will cover some of the things to be aware of if you are designing or hacking devices with these embedded modems.

Track 2
14:35
45min
To Protect and Control: The Militarization of the Internet
Jared Naude

This session explores how the internet has shifted from a tool of liberation to a militarized domain, shaped by mass surveillance, offensive cyber tools, commercial spyware markets, and how laws like the UK Online Safety Bill and EU Chat Control legislation threaten our privacy and rights.

Track 1
15:20
10min
Break
All tracks
15:30
30min
Grounds for Concern: What a Coffee App Taught Us About Insecure Design
Rinya Singh, Christof Jooste

A free croissant sounds harmless. But when our favourite local coffee shop introduced a new loyalty app, our curiosity as pentesters kicked in.

This talk is a light-hearted but deeply practical look at how poor security design can hide in plain sight, even in something as innocuous as a mobile-based rewards app. We'll walk through how we uncovered design flaws in a loyalty system that relied on pressing a physical object against your screen to register points. No hard-core exploitation techniques were needed. Just a croissant, a caffeine fix, and a feeling that something wasn't quite brewed right.

Track 2
15:30
30min
Timestamping the web and tracing hidden metadata
Roelof Temmingh

When was a webpage created?

BetaMeta is a free and open-source research tool designed to answer that question by combining multiple forensic techniques into a single workflow. From parsing HTML for multi-format embedded timestamps and comments, to inspecting SSL certificate chains, EXIF data of images, sitemap histories, server headers, and archive captures, the tool triangulates the likely “birth date” of a web page.

This session shows how BetaMeta works under the hood and demonstrates how journalists, investigators, and researchers can use it to place online content into context. Whether the challenge is disinformation, fraud investigations, or historical web research, the aim is to reverse entropy on the web and recover what time has effectively redacted.

We will also spend a few minutes on the journey of building the tool by vibe coding, before closing with a live demo on real pages that should deliver some surprising results.

Track 1
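To make concrete what triangulating means here, the added Python below (an example for this page, not BetaMeta's code) harvests the cheap on-page signals the abstract lists: meta tags, JSON-LD, `<time>` elements, HTML comments and the Last-Modified header, normalises them to UTC and ranks them. The page and headers are constructed. Two caveats that a real investigation has to carry: every on-page claim is author-controlled and only corroborates, it never proves; and server headers and certificates describe the current deployment, so they bound when the page was last touched rather than when it was written.

```python
import json
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple

META_KEYS = {
    "article:published_time", "article:modified_time", "og:updated_time",
    "date", "dc.date", "dcterms.created", "datepublished", "pubdate", "last-modified",
}
JSONLD_KEYS = {"datePublished", "dateCreated", "dateModified", "uploadDate"}
# Sources that claim a publication date, as opposed to a modification or build date.
PUBLISHED_SOURCES = {
    "meta:article:published_time", "meta:datepublished", "meta:pubdate",
    "meta:dcterms.created", "ld+json:datePublished", "ld+json:dateCreated",
}
ISO_DATE = re.compile(r"\b(\d{4}-\d{2}-\d{2}(?:[T ]\d{2}:\d{2}(?::\d{2})?(?:Z|[+-]\d{2}:?\d{2})?)?)\b")


def parse_dt(value: str) -> Optional[datetime]:
    """Accept ISO-8601 (date only, or with time/zone) and RFC 2822 HTTP dates; return aware UTC."""
    v = value.strip()
    try:
        if v.endswith("GMT") or "," in v:
            dt = parsedate_to_datetime(v)
        else:
            dt = datetime.fromisoformat(v.replace("Z", "+00:00"))
    except (ValueError, TypeError):
        return None
    if dt.tzinfo is None:                      # date-only or naive: assume UTC, flag nothing
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


class _Harvester(HTMLParser):
    """Collects (source, raw value) pairs from the markup."""

    def __init__(self) -> None:
        super().__init__()
        self.found: List[Tuple[str, str]] = []
        self._ld_buf: Optional[List[str]] = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta":
            key = (a.get("property") or a.get("name") or a.get("itemprop") or "").lower()
            if key in META_KEYS and a.get("content"):
                self.found.append(("meta:" + key, a["content"]))
        elif tag == "time" and a.get("datetime"):
            self.found.append(("time@datetime", a["datetime"]))
        elif tag == "script" and a.get("type", "").lower() == "application/ld+json":
            self._ld_buf = []

    def handle_data(self, data):
        if self._ld_buf is not None:
            self._ld_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._ld_buf is not None:
            try:
                self._walk(json.loads("".join(self._ld_buf)))
            except ValueError:
                pass
            self._ld_buf = None

    def _walk(self, node):
        if isinstance(node, dict):
            for k, v in node.items():
                if k in JSONLD_KEYS and isinstance(v, str):
                    self.found.append(("ld+json:" + k, v))
                else:
                    self._walk(v)
        elif isinstance(node, list):
            for item in node:
                self._walk(item)

    def handle_comment(self, data):
        for m in ISO_DATE.finditer(data):      # generator/build stamps often live in comments
            self.found.append(("comment", m.group(1)))


def extract_timestamps(html: str, headers: Optional[Dict[str, str]] = None) -> List[Tuple[str, datetime]]:
    """All parseable timestamp claims for a page, earliest first."""
    h = _Harvester()
    h.feed(html)
    h.close()
    raw = list(h.found)
    for name, value in (headers or {}).items():
        if name.lower() == "last-modified":
            raw.append(("header:last-modified", value))
    found = []
    for source, value in raw:
        dt = parse_dt(value)
        if dt is not None:
            found.append((source, dt))
    return sorted(found, key=lambda pair: pair[1])


def estimate_birth(html: str, headers: Optional[Dict[str, str]] = None) -> Optional[Tuple[str, datetime]]:
    """Earliest explicit publication claim if there is one, else the earliest claim of any kind."""
    candidates = extract_timestamps(html, headers)
    if not candidates:
        return None
    published = [c for c in candidates if c[0] in PUBLISHED_SOURCES]
    return (published or candidates)[0]


# Constructed page and response headers.
SAMPLE_HTML = """<!doctype html><html><head>
<meta property="article:published_time" content="2021-03-04T10:15:00Z">
<meta property="article:modified_time" content="2023-01-09T08:00:00Z">
<script type="application/ld+json">
{"@context":"https://schema.org","@type":"NewsArticle",
 "datePublished":"2021-03-04T10:15:00+00:00","dateModified":"2023-01-09"}
</script>
<!-- generated by staticgen 2.1 on 2021-03-03 23:40 -->
</head><body>
<p>Filed <time datetime="2021-03-04">4 March 2021</time></p>
</body></html>"""
SAMPLE_HEADERS = {"Last-Modified": "Mon, 09 Jan 2023 08:00:00 GMT"}
```

The disagreement between the build comment (the night before) and the declared publication time is the kind of detail worth keeping rather than averaging away: independent signals that cluster tightly are evidence, a single outlier that was pasted in is not.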
15:30
30min
Weaponizing AI for Red Teaming
Andrea Brosio

Traditional red team operations depend on rigid scripts and brittle automation, forcing operators to spend more time managing tools than testing strategy. This talk explores how Large Language Model (LLM) driven agents transform red teaming by combining reasoning, memory, and tool execution. We’ll show how agents can adapt in real time: scanning, interpreting results, pulling live vulnerability intel, and autonomously exploiting targets. Attendees will see a live demonstration of an AI-powered red team agent completing a full attack chain, and walk away with a clear view of the opportunities of AI in offensive security.

Track 3
16:00
10min
Break
All tracks
Track 3
16:10
45min
7 Vulns in 7 Days: Breaking Bloatware Faster Than It’s Built
Leon Jacobs

Bloatware. We all hate it, and most of us are good at avoiding it. But some vendor tools – especially those managing critical drivers - are still necessary, often because the drivers available through Windows Update just aren’t good enough for performance-critical computing.

What started as a routine driver update took a sharp turn when I confirmed a reboot modal… from my browser. Wait, my browser shouldn’t be able to do that!? To my disappointment (and maybe some surprise), it turned out to be arbitrary code execution - right from the browser. This kicked off a week-long deep dive, uncovering seven trivial vulnerabilities in seven days across several vendors, all exploiting a common pattern: privileged services managing software on Windows with little regard for security.

In this talk, I’ll walk through the journey of discovery and exploitation of several vulnerabilities that lead to LPE/RCE, along with a tool to inspect and manipulate Windows Named Pipe communications.

Track 1
16:10
45min
Fool me once? Good. Cloud deception done right.
Jay Bissict, Lisa van Staden

Deception allows defenders to easily impose cost on an attacker in your environment. With cloud usage being commonplace in modern organisations, we will talk about deploying deception in your cloud environment - making it a hostile place for any unwanted visitors. From deploying fake credentials, to fake IdPs and entire fake infrastructures, we have you covered! Join us to learn more about equipping your cloud environment with breach detection that works.

Track 3
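Fake credentials only pay off if you notice them being used, so here is an added detection example (written for this page, not the speakers' material) that matches CloudTrail-style records against a registry of planted AWS access keys and decoy IAM principals and emits an alert with the fields an analyst wants first. The records, key IDs and ARNs are constructed (the canary key IDs are the placeholder values AWS uses in its own documentation). CloudTrail delivery lags by minutes, so in production this matching belongs in an EventBridge rule or a CloudTrail Lake query rather than a nightly batch, and an AccessDenied result is still a hit: the point is that the lure was touched at all.

```python
import json
from typing import Dict, Iterable, List

# Registry of planted lures: where each one was dropped and what it pretends to be.
# The access key IDs are AWS documentation placeholders, not live keys.
CANARY_KEYS: Dict[str, str] = {
    "AKIAIOSFODNN7EXAMPLE": "jenkins-builder01:/var/lib/jenkins/.aws/credentials",
    "AKIAI44QH8DHBEXAMPLE": "wiki page 'AWS onboarding (old)'",
}
DECOY_PRINCIPALS: Dict[str, str] = {
    "arn:aws:iam::123456789012:user/backup-svc-legacy": "decoy IAM user, no real permissions",
    "arn:aws:iam::123456789012:role/ProdDatabaseAdmin": "decoy role, trusted by nothing real",
}


def canary_hits(record: dict) -> List[str]:
    """Reasons a single CloudTrail record trips a lure; an empty list means clean."""
    ident = record.get("userIdentity", {})
    reasons = []
    key = ident.get("accessKeyId")
    if key in CANARY_KEYS:
        reasons.append("planted access key %s (%s)" % (key, CANARY_KEYS[key]))
    arn = ident.get("arn", "")
    if arn in DECOY_PRINCIPALS:
        reasons.append("decoy principal %s (%s)" % (arn, DECOY_PRINCIPALS[arn]))
    # An AssumeRole *into* a decoy role names the role in requestParameters, not userIdentity.
    target = record.get("requestParameters", {}).get("roleArn", "")
    if record.get("eventName") == "AssumeRole" and target in DECOY_PRINCIPALS:
        reasons.append("AssumeRole attempt on decoy role %s" % target)
    return reasons


def scan_cloudtrail(records: Iterable[dict]) -> List[dict]:
    """Run every record through canary_hits and shape the hits into alerts."""
    alerts = []
    for rec in records:
        reasons = canary_hits(rec)
        if reasons:
            alerts.append({
                "time": rec.get("eventTime"),
                "event": "%s:%s" % (rec.get("eventSource"), rec.get("eventName")),
                "source_ip": rec.get("sourceIPAddress"),
                "user_agent": rec.get("userAgent"),
                "error": rec.get("errorCode"),      # None when the call succeeded
                "reasons": reasons,
            })
    return alerts


def load_records(text: str) -> List[dict]:
    """One JSON record per line, as you would get from a flattened CloudTrail export."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


# Constructed log: one legitimate call, then the usual first moves with a stolen key
# (who am I? what can I list?), then the legitimate key probing a decoy role.
SAMPLE_LOG = """
{"eventTime":"2025-11-02T08:13:41Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","sourceIPAddress":"10.20.0.14","userAgent":"aws-cli/2.17.0","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/ci-deploy","accessKeyId":"AKIACONSTRUCTEDLEGIT1"}}
{"eventTime":"2025-11-02T08:15:02Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","sourceIPAddress":"198.51.100.77","userAgent":"Boto3/1.34.0","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/backup-svc-legacy","accessKeyId":"AKIAIOSFODNN7EXAMPLE"}}
{"eventTime":"2025-11-02T08:15:09Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","sourceIPAddress":"198.51.100.77","userAgent":"Boto3/1.34.0","errorCode":"AccessDenied","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/backup-svc-legacy","accessKeyId":"AKIAIOSFODNN7EXAMPLE"}}
{"eventTime":"2025-11-02T08:16:30Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","sourceIPAddress":"198.51.100.77","userAgent":"aws-cli/2.17.0","errorCode":"AccessDenied","requestParameters":{"roleArn":"arn:aws:iam::123456789012:role/ProdDatabaseAdmin","roleSessionName":"x"},"userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/ci-deploy","accessKeyId":"AKIACONSTRUCTEDLEGIT1"}}
"""

ALERTS = scan_cloudtrail(load_records(SAMPLE_LOG))

if __name__ == "__main__":
    for alert in ALERTS:
        print(json.dumps(alert, indent=2))
```

The registry is the part that needs discipline: every planted key and decoy principal must be recorded with where it was placed at the time it is placed, otherwise the alert tells you a lure fired but not which host or document the attacker read.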
16:10
45min
~Truth~ Narrative Influence Markets
Aldu Cornelissen, Kyle Findlay

Remember those Verimark infomercials — slick demos, glowing “customers,” and countdown clocks urging you to buy? They embodied a compact persuasion playbook built on urgency and social proof. In South Africa’s 2024 election, the same levers resurfaced; not via TV, but through social media narratives. In this talk, we unpack how political parties can be flipped overnight, how paid influence-for-hire markets steer online debate, and how foreign influence operations from Russia and the U.S. are reshaping public reality. Drawing on Murmur’s public work, I’ll surface what we’ve uncovered, what still lies redacted, and map out ethics-aware paths for attribution research.

Track 2
16:55
5min
Break
Tracks 1 and 2
17:00
45min
SocVel Live: Command The Breach
Jaco Swanepoel

SocVel Live: Command the Breach is a 45-minute interactive tabletop meets "choose-your-own-adventure" experience. Inspired by ongoing Chinese State Sponsored threat actor campaigns, the audience will guide a live breach investigation - voting on decisions, uncovering consequences, and tracking the impact on time, resources, and business reputation. No boring slides. No fixed-path. Just instinct, pressure, and collective response.

Track 1
17:45
30min
Closing
Track 1