2.0 -//Pentabarf//Schedule//EN PUBLISH VQAP9B@@pretalx.com -VQAP9B From Incident to Influence - Leading through the Unexpected en en 20260425T090000 20260425T094500 004500 From Incident to Influence - Leading through the Unexpected Beyond the technical playbooks, what are the component parts that actually hold a team together when the unexpected happens? This talk moves past the CV to explore the learned experiences, the essential soft skills, and the quiet influence required to lead when the playbooks end. Whether you are an aspiring leader or a seasoned security professional, you’ll leave with a clearer map of the component parts that turn a technical expert into a resilient leader. PUBLIC CONFIRMED Keynote https://pretalx.com/bsides-exeter-2026/talk/VQAP9B/ Auditorium Harriet Sharma PUBLISH QLU9FP@@pretalx.com -QLU9FP Quantify to Defend: Quantifying Risk to Drive Proactive Security Decisions en en 20260425T094500 20260425T102500 004000 Quantify to Defend: Quantifying Risk to Drive Proactive Security Decisions By the end of this session, attendees will be able to: 1. Explain how cyber risk quantification supports proactive cyber defence 2. Identify high-impact threat scenarios relevant to your business 3. Prioritise defensive controls based on measurable risk reduction PUBLIC CONFIRMED Talk https://pretalx.com/bsides-exeter-2026/talk/QLU9FP/ Auditorium Laurie Gibbett PUBLISH DYTZCY@@pretalx.com -DYTZCY How to Land Your First Cyber Role: A DIY Approach en en 20260425T103000 20260425T105000 002000 How to Land Your First Cyber Role: A DIY Approach Curiosity is more than just a trait for a security professional — it is a vital tool for navigating the job market. In this session, Gleb Tumanov from PureCyber Limited shares the battle-tested DIY blueprint he used to go from no industry background and no professional network in January 2025 to securing a SOC Analyst role within a year. This talk moves beyond vendor hype to address the reality of a hostile recruitment landscape where the hiring process itself is a threat surface. Whether you are an aspiring analyst, pentester, or GRC specialist, you will walk away with a pragmatic, research-driven strategy for breaking into the industry without becoming a perpetual student or falling for silver bullet solutions. PUBLIC CONFIRMED Rookie Talk https://pretalx.com/bsides-exeter-2026/talk/DYTZCY/ Auditorium Gleb Tumanov PUBLISH 3BVKMH@@pretalx.com -3BVKMH I Simulated Hacking a Car. Then I tried to defend It. Here's What Broke! en en 20260425T110000 20260425T112000 002000 I Simulated Hacking a Car. Then I tried to defend It. Here's What Broke! Most automotive security talks focus on the attack. Very few ask what happens when the defence itself causes harm. That is the question this talk explores. Attendees will leave understanding why detection accuracy is the wrong metric for safety critical systems and what a practical layered defence actually looks like. No prior automotive knowledge required, just curiosity about securing systems. PUBLIC CONFIRMED Rookie Talk https://pretalx.com/bsides-exeter-2026/talk/3BVKMH/ Auditorium Rakesh Elamaran PUBLISH U7BUHA@@pretalx.com -U7BUHA Web Of Deception en en 20260425T114000 20260425T122000 004000 Web Of Deception Attackers don’t just hack systems, they hack people. Phishing, vishing, deepfake impersonation, and influence operations exploit language, emotion, and trust to bypass even mature technical controls. Modern social engineering targets cognition and behaviour, turning the human layer into the easiest path inside. Web of Deception is a hands-on workshop built for Red, Blue, and Purple teams who want to understand and counter this tradecraft. Through realistic scenarios, adversarial role-play, and team challenges, participants deconstruct how attackers craft persuasive narratives, manipulate sentiment, and exploit cognitive bias. Teams practise analysing intent, spotting linguistic and behavioural indicators, and making decisions under pressure, applying the same analytical mindset used in detection and threat hunting. Blending behavioural science with threat modelling and creative problem-solving, the session strengthens adversarial thinking and cross-team collaboration. A cryptic challenge woven throughout reinforces observation, semantic reasoning, and lateral thinking. Attendees leave with practical techniques to test, harden, and defend the human attack surface. PUBLIC CONFIRMED Talk https://pretalx.com/bsides-exeter-2026/talk/U7BUHA/ Auditorium Anton Angione PUBLISH YNPP3Z@@pretalx.com -YNPP3Z Stopping account takeover at the recovery layer en en 20260425T122000 20260425T130000 004000 Stopping account takeover at the recovery layer This session treats account recovery as privileged access, not a simple form. It breaks down the most common real-world failure modes that turn password reset into an account takeover path, then replaces them with concrete patterns that teams can implement and test. The focus is defensive engineering with enough threat awareness to make the mitigations stick. No tool worship, no theory-only talk, and no step-by-step exploitation. It is a builder-friendly map of where recovery breaks and what good looks like. PUBLIC CONFIRMED Talk https://pretalx.com/bsides-exeter-2026/talk/YNPP3Z/ Auditorium Viola Lykova PUBLISH QK3D9Q@@pretalx.com -QK3D9Q Keynote: Life as a cyber security leader: advice to my former self en en 20260425T140000 20260425T144500 004500 Keynote: Life as a cyber security leader: advice to my former self PUBLIC CONFIRMED Keynote https://pretalx.com/bsides-exeter-2026/talk/QK3D9Q/ Auditorium Paul Watts PUBLISH YZZFKU@@pretalx.com -YZZFKU The Imposter Syndrome Security Gap en en 20260425T144500 20260425T152500 004000 The Imposter Syndrome Security Gap This session explores how imposter syndrome and hierarchy shape behaviour in security teams and wider organisations, especially during moments where early escalation matters most. From incident response calls to design reviews and risk sign-off meetings, we’ll look at how silence becomes normalised, how authority distorts decision-making, and why the industry’s obsession with expertise can actively undermine security outcomes. Rather than framing this as a confidence or well-being issue, this talk treats silence as what it really is: an operational vulnerability. PUBLIC CONFIRMED Talk https://pretalx.com/bsides-exeter-2026/talk/YZZFKU/ Auditorium Illyana Mullins PUBLISH CXDETW@@pretalx.com -CXDETW Vesta Admin Takeover - Exploiting reduced seed entropy in bash $RANDOM en en 20260425T153000 20260425T161000 004000 Vesta Admin Takeover - Exploiting reduced seed entropy in bash $RANDOM PUBLIC CONFIRMED Talk https://pretalx.com/bsides-exeter-2026/talk/CXDETW/ Auditorium Adrian Tiron PUBLISH W9ZHHG@@pretalx.com -W9ZHHG Curiosity made a CISO en en 20260425T163000 20260425T171500 004500 Curiosity made a CISO PUBLIC CONFIRMED Keynote https://pretalx.com/bsides-exeter-2026/talk/W9ZHHG/ Auditorium Keri Lewis PUBLISH 8ASG98@@pretalx.com -8ASG98 The First Hour of Incident Response - Every Second Logs! en en 20260425T094500 20260425T102500 004000 The First Hour of Incident Response - Every Second Logs! The first hour of incident response can set the course for everything that follows. This talk explores how to bring structure to that hour. Drawing on real-world incidents, it considers both the human and technical challenges, whilst also considering the complexity of working across a range of platforms. Against that, a practical framework is proposed to keep teams aligned when it matters most. Attendees will leave with concrete lessons and a first-hour playbook they can adapt to their own environment, giving them confidence that their response will be sharper, calmer, and more effective when every second counts. PUBLIC CONFIRMED Talk https://pretalx.com/bsides-exeter-2026/talk/8ASG98/ Seminar Room 1 George Chapman PUBLISH 7RKGYN@@pretalx.com -7RKGYN embedded Chromium everywhere! A security look at msedgewebview2 + CDP en en 20260425T103000 20260425T105000 002000 embedded Chromium everywhere! A security look at msedgewebview2 + CDP <see cref="Abstract" /> PUBLIC CONFIRMED Rookie Talk https://pretalx.com/bsides-exeter-2026/talk/7RKGYN/ Seminar Room 1 Ben Mullan PUBLISH FZSEVN@@pretalx.com -FZSEVN From Kerry Katona to Pen Testing. en en 20260425T110000 20260425T112000 002000 From Kerry Katona to Pen Testing. I want to tell my story of how I got into cyber. Not to say ooo look at me aren’t I wonderful. But to inspire other women, career changes and anyone else interested that if I can do it - so can they! PUBLIC CONFIRMED Rookie Talk https://pretalx.com/bsides-exeter-2026/talk/FZSEVN/ Seminar Room 1 Lisa Diaz PUBLISH WUWP3W@@pretalx.com -WUWP3W When Pen Testing is Not Enough en en 20260425T114000 20260425T122000 004000 When Pen Testing is Not Enough The audience should have beginner-to-intermediate software development experience, i.e., being able to understand small program snippets containing typical software vulnerabilities. No deep knowledge of security testing (or formal verification) is required. PUBLIC CONFIRMED Talk https://pretalx.com/bsides-exeter-2026/talk/WUWP3W/ Seminar Room 1 Achim D. Brucker PUBLISH EKSVGQ@@pretalx.com -EKSVGQ Share to Detect: Breaking the Privacy Deadlock in OT Threat Intelligence en en 20260425T122000 20260425T130000 004000 Share to Detect: Breaking the Privacy Deadlock in OT Threat Intelligence PUBLIC CONFIRMED Talk https://pretalx.com/bsides-exeter-2026/talk/EKSVGQ/ Seminar Room 1 Ahmed Elmesiry Ofir Manor PUBLISH WVQLAW@@pretalx.com -WVQLAW SOC: THE GOOD, THE BAD & THE UGLY en en 20260425T144500 20260425T152500 004000 SOC: THE GOOD, THE BAD & THE UGLY PUBLIC CONFIRMED Talk https://pretalx.com/bsides-exeter-2026/talk/WVQLAW/ Seminar Room 1 Harish Kumar Gopalakrishnan PUBLISH VUZCNS@@pretalx.com -VUZCNS Cloud & Containers: The Security Puzzle That Locks Tight, From Pipeline and Package to SOC Operations en en 20260425T153000 20260425T161000 004000 Cloud & Containers: The Security Puzzle That Locks Tight, From Pipeline and Package to SOC Operations The starting point is a misconception most teams carry: that containers are isolated. They are not. Every container shares the same kernel, and CVE-2025-31133 demonstrated exactly what that means in practice, with a race condition on bind-mount operations in runc enabling read-write access to host kernel parameters and lateral movement across containers. That shared kernel is the foundation the talk builds from, working up through each layer and the controls that belong at each one. 82% of cloud breaches stem from misconfiguration and human error across a surface of 15.6 million cloud-native developers, most of whom run containers in production. The problem is not a lack of tools. It is fragmented point solutions where each piece operates without the others. Foundations: The Shared Kernel Illusion Namespaces are sleight of hand. They trick processes into thinking they are isolated, but syscalls still reach the kernel directly. This section covers what that means practically: why root inside a container represents roughly 40 granular Linux privileges that need stripping, why CAP_SYS_ADMIN is near-root by another name, how Seccomp filters dangerous syscalls like setns, ptrace, and mount before they execute, and why user namespace remapping is the control that makes container-root map to an unprivileged host user. CI/CD: The Signed Malware Trap The 3CX attack is the central case study: a supply chain compromise that targeted the build environment directly, producing malware signed with a valid certificate that passed SAST, SBOMs, and standard scanning. Supply chain compromise now accounts for 15% of all breaches, and 83% of organisations still do not verify signatures. SLSA Level 3 is the provenance and attestation framework that addresses this, ephemeral hermetic build runners are the mechanism that prevents environment compromise, and Verification Summary Attestations are the missing piece that checks whether policy outcomes were correct rather than just whether tests ran. No VSA, no deployment. Guardrails: The Compliance Barrier 65% of clusters run flat networks, violating NIST 800-53 SC-7 boundary protection and enabling lateral movement when anything is compromised. Default-deny NetworkPolicies, service mesh with mTLS and SPIFFE workload identity for Layer 7 enforcement, and admission controllers via Kyverno or OPA Gatekeeper for policy-as-code that validates before anything reaches the cluster are the three layers that address this. Secrets management sits alongside them: 88% of breaches involve credential theft, and secrets in environment variables are visible in API server audit logs, process listings, and ServiceAccount token enumeration. External Secrets Operator injecting into tmpfs at runtime is the control. Runtime: The Build-Only Fallacy Static analysis is blind to zero-days, living-off-the-land attacks, and behavioural anomalies that only manifest at execution. CloudSiphon infected 150 organisations via a trojaned NGINX that ran malicious code purely at runtime, bypassing all static analysis entirely. Cluster-wide eBPF deployment gives real-time syscall, file access, and network monitoring at the kernel level. Behavioural baselining per workload type produces high-fidelity alerts with full process lineage, and drift detection runs continuously against the image manifest. The specific syscalls indicating container breakout attempts are covered in detail: setns, unshare, writes to /proc/sysrq-trigger, and writes to /proc/sys/kernel/core_pattern. Advanced evasion techniques including reflective code loading, eBPF rootkits using bpf_probe_write_user, and delayed execution via cron are each covered alongside their counters. Visibility, Assurance and Blue Team Operationalisation eBPF telemetry feeds OpenTelemetry, Falco picks up Kubernetes API audit events, and application traces and service mesh telemetry correlate across the stack to link user identity through pod creation to kernel execution. DORA, NIS2, and SEC requirements are mapped into policy-as-code rather than treated as point-in-time GRC snapshots. The closing section works through how a SOC operationalises the full framework: chaos engineering against security controls to validate detection, containment, and recovery; automated certificate rotation and revocation with MTTR targets measured in minutes; and VSA-driven cryptographic audit trails from commit to runtime stored in an immutable transparency log. It closes on the operational readiness questions defenders need answered before things go wrong: log preservation, forensic access to running infrastructure without destroying evidence, account auditability, and whether containment actions have been rehearsed. Three actions for Monday morning follow: mandate trust via VSAs and attestation controllers, enforce containment via policy-as-code and CAP_DROP, and deploy kernel-level visibility with behavioural baselines and automated drift response. PUBLIC CONFIRMED Talk https://pretalx.com/bsides-exeter-2026/talk/VUZCNS/ Seminar Room 1 Ashley Barker PUBLISH 3H7ZAT@@pretalx.com -3H7ZAT Unlocking the secrets of stripped Go binaries at runtime en en 20260425T094500 20260425T102500 004000 Unlocking the secrets of stripped Go binaries at runtime PUBLIC CONFIRMED Talk https://pretalx.com/bsides-exeter-2026/talk/3H7ZAT/ Seminar Room 7 Alex M PUBLISH G3FQ8F@@pretalx.com -G3FQ8F Buffer Overflows in the era of Gen-AI en en 20260425T103000 20260425T105000 002000 Buffer Overflows in the era of Gen-AI Buffer overflows are still considered a persistent threat five decades after their initial documentation, maintained by bad programming habits, legacy codebases, unsafe programming languages and the growing existence of IoT and embedded systems, which are often more inclined to be vulnerable due to their nature. Although defence mechanisms have been put in place and generally adopted, ASLR, DEP and SSP are not the perfect protection mechanisms, and always-evolving exploitation techniques are able to bypass them. Likewise, detection and mitigation using static and dynamic analysis tools are a good base to try to improve and find vulnerable code, but being generalised tools for all vulner- abilities, they still incur a lot of false positives, major overhead requirements and partial coverage for buffer overflows. Recent advances in artificial intelligence have facilitated innovation and demonstrated promising im- provements regarding this matter. Even if they seem to perform better than traditional techniques, the field is still immature, and there are still a lot of improvements to achieve to have a viable long-term solution. Their scope is often very narrow, and there is yet to be a way to adapt to new exploitation techniques in real time without redesigning the whole model from scratch. Gen-AI potential remains crucially unexplored in regard to buffer overflow mitigation and detection in real-world scenarios, constituting an opportunity for future work. PUBLIC CONFIRMED Rookie Talk https://pretalx.com/bsides-exeter-2026/talk/G3FQ8F/ Seminar Room 7 Maxime Reynaud PUBLISH T3H3JV@@pretalx.com -T3H3JV Autopwn or Auto-Fail? The Truth About AI in Offensive Security en en 20260425T110000 20260425T112000 002000 Autopwn or Auto-Fail? The Truth About AI in Offensive Security AI can generate payloads, summarise scans, and even suggest vulnerabilities, but it doesn’t understand risk. In the rush to adopt AI in penetration testing, many are producing faster results, but weaker outcomes. Findings are less validated, reports are less meaningful, and the gap between technical output and business impact is growing. This talk challenges the hype and focuses on what actually matters: using AI as a tool, not a crutch. By walking through real examples, we’ll explore how to turn raw AI-assisted output into clear, credible, and actionable security insights. Because in the end, the value of a pentest isn’t in the payload , it’s in the decision it drives. PUBLIC CONFIRMED Rookie Talk https://pretalx.com/bsides-exeter-2026/talk/T3H3JV/ Seminar Room 7 Dumisani Masimini PUBLISH MDYRPK@@pretalx.com -MDYRPK Shadow AI Is Your New Data Exfiltration Channel en en 20260425T114000 20260425T122000 004000 Shadow AI Is Your New Data Exfiltration Channel PUBLIC CONFIRMED Talk https://pretalx.com/bsides-exeter-2026/talk/MDYRPK/ Seminar Room 7 Chijioke Okoye PUBLISH 8E8ZK7@@pretalx.com -8E8ZK7 Open(ish) source: Adventures in edge device memory forensics en en 20260425T122000 20260425T130000 004000 Open(ish) source: Adventures in edge device memory forensics PUBLIC CONFIRMED Talk https://pretalx.com/bsides-exeter-2026/talk/8E8ZK7/ Seminar Room 7 Richard Tuffin PUBLISH FQDTGJ@@pretalx.com -FQDTGJ Your Browser is Snitching: Tracking Without Cookies en en 20260425T144500 20260425T152500 004000 Your Browser is Snitching: Tracking Without Cookies This talk explores the world of browser fingerprinting, how seemingly identical devices can be uniquely identified using subtle characteristics exposed by modern browsers. We will examine the specific attributes that contribute to fingerprint uniqueness, how these can be leveraged by tracking systems and demonstrating these signals inside a browser. Furthermore, the talk will dive into current evasion and anti-fingerprinting techniques, demonstrating what steps should be taken to reduce and avoid fingerprinting. Including ways to obfuscate or standardise signals. PUBLIC CONFIRMED Talk https://pretalx.com/bsides-exeter-2026/talk/FQDTGJ/ Seminar Room 7 Adam Crease PUBLISH YW3GZV@@pretalx.com -YW3GZV ⌘+ Ctrl: Introduction to macOS Red Teaming in 2026 en en 20260425T153000 20260425T161000 004000 ⌘+ Ctrl: Introduction to macOS Red Teaming in 2026 PUBLIC CONFIRMED Talk https://pretalx.com/bsides-exeter-2026/talk/YW3GZV/ Seminar Room 7 Matthew Lucas-Clarke Victor van der Helm