1.0 bsides-exeter-2026 2026-04-25 2026-04-25 1 00:05 https://pretalx.com Europe/London Auditorium Keynote 2026-04-25T09:00:00+01:00 09:00 00:45 Security leadership isn’t a destination you reach; it’s a structure you build, one crisis at a time. Drawing on a twenty-year journey from the high-stakes environments of central government to the sharp end of security leadership, Harriet deconstructs the building blocks of a modern security leader. bsides-exeter-2026-94852-from-incident-to-influence-leading-through-the-unexpected Purple Harriet Sharma en Beyond the technical playbooks, what are the component parts that actually hold a team together when the unexpected happens? This talk moves past the CV to explore the learned experiences, the essential soft skills, and the quiet influence required to lead when the playbooks end. Whether you are an aspiring leader or a seasoned security professional, you’ll leave with a clearer map of the component parts that turn a technical expert into a resilient leader. false https://pretalx.com/bsides-exeter-2026/talk/VQAP9B/ https://pretalx.com/bsides-exeter-2026/talk/VQAP9B/feedback/ Auditorium Talk 2026-04-25T09:45:00+01:00 09:45 00:40 Proactive cyber defence relies on knowing where to act first - yet many security teams still depend on qualitative risk ratings that offer limited insight into likely loss, control effectiveness, or defensive impact. The session explores how cyber risk quantification enables a more proactive, intelligent-led approach to defence. By expressing cyber risk in measuravble terms, practitioners can anticipate where attacks are most likely to cause harm, focus defensive effort where it matters most, and justify security improvements before incidents occur. The talk positions cyber risk quantification as a practical decision-support capability that strengthens prevention, resilience, and preparedness. bsides-exeter-2026-88200-quantify-to-defend-quantifying-risk-to-drive-proactive-security-decisions Purple Laurie Gibbett en By the end of this session, attendees will be able to: 1. Explain how cyber risk quantification supports proactive cyber defence 2. Identify high-impact threat scenarios relevant to your business 3. Prioritise defensive controls based on measurable risk reduction false https://pretalx.com/bsides-exeter-2026/talk/QLU9FP/ https://pretalx.com/bsides-exeter-2026/talk/QLU9FP/feedback/ Auditorium Rookie Talk 2026-04-25T10:30:00+01:00 10:30 00:20 We all know the entry-level cybersecurity job market is a mess. What often gets less attention is that the recruitment pipeline itself has become a threat surface, with job seekers routinely targeted by phishing, credential harvesting, and outright fraud. This talk presents an intelligence-led approach to the job search, treating the hiring landscape as a target to be mapped, researched, and engaged with on your own terms. The approach was developed and tested during a journey that began in January 2025 as a foreign national in the UK with no IT background, no network, and no industry connections, and ended with a SOC Analyst role within a year. We will explore how to uncover opportunities that never appear on job boards and how to build a targeted pipeline of employers using publicly available data. This involves understanding how to prepare for the actual, day-to-day demands of the role to ensure you do not enter the market underprepared or fall into the trap of becoming a perpetual student who never starts applying. We will discuss how active community participation supports your career path and why understanding what companies actually need matters far more than simply collecting fancy achievements. No vendor pitches. No magic certifications. Just curiosity, methodology, and persistence. bsides-exeter-2026-93011-how-to-land-your-first-cyber-role-a-diy-approach Purple Gleb Tumanov en Curiosity is more than just a trait for a security professional — it is a vital tool for navigating the job market. In this session, Gleb Tumanov from PureCyber Limited shares the battle-tested DIY blueprint he used to go from no industry background and no professional network in January 2025 to securing a SOC Analyst role within a year. This talk moves beyond vendor hype to address the reality of a hostile recruitment landscape where the hiring process itself is a threat surface. Whether you are an aspiring analyst, pentester, or GRC specialist, you will walk away with a pragmatic, research-driven strategy for breaking into the industry without becoming a perpetual student or falling for silver bullet solutions. false https://pretalx.com/bsides-exeter-2026/talk/DYTZCY/ https://pretalx.com/bsides-exeter-2026/talk/DYTZCY/feedback/ Auditorium Rookie Talk 2026-04-25T11:00:00+01:00 11:00 00:20 Imagine your car's brakes **stop responding**. Not because of a mechanical fault, but because a **security system** is drowning out the signal. That is not science fiction. It is what can happen when intrusion detection goes wrong inside a **real-time vehicle network** built for speed, not security. While researching for my MSc dissertation, I simulated **five attacks** against a virtual CAN bus. Some were loud and obvious. Others slipped through silently, exactly as a real attacker would intend. But detecting the attacks was not the hardest part. **Doing it without destabilising the same safety-critical systems I was protecting** turned out to be. Rule-based detection missed the quiet ones. Machine learning flagged too much. **A hybrid approach combining both** was the only method that handled the full range reliably. This talk explores what actually happens when **security meets a moving car**, and why detecting attacks is meaningless if the **defence itself becomes the risk**. Attendees will leave with a clearer picture of what it actually takes to **defend a vehicle network** responsibly. bsides-exeter-2026-93090-i-simulated-hacking-a-car-then-i-tried-to-defend-it-here-s-what-broke Purple Rakesh Elamaran en Most automotive security talks focus on the attack. Very few ask what happens when the defence itself causes harm. That is the question this talk explores. Attendees will leave understanding why detection accuracy is the wrong metric for safety critical systems and what a practical layered defence actually looks like. No prior automotive knowledge required, just curiosity about securing systems. false https://pretalx.com/bsides-exeter-2026/talk/3BVKMH/ https://pretalx.com/bsides-exeter-2026/talk/3BVKMH/feedback/ Auditorium Talk 2026-04-25T11:40:00+01:00 11:40 00:40 Attackers hack people, not just systems. Phishing, vishing, deepfake, social engineering, and influence operations now bypass technical controls by exploiting psychology, trust, and cognitive bias. The human mind has become the primary attack surface, yet most awareness training still focuses on passive compliance. Web of Deception is an interactive workshop that builds practical, human-centred defences. Through realistic scenarios, adversarial role-play, and collaborative challenges, participants learn how modern manipulation works, how deepfake and social engineering attacks succeed, and how to recognise deception under pressure. Blending behavioural science, threat modelling, and creative problem-solving, the session develops adversarial thinking, emotional intelligence, and actionable techniques that can immediately strengthen teams and security culture. A cryptic analytical challenge reinforces observation and lateral thinking throughout. Because modern defence isn’t just technical, it’s cognitive. bsides-exeter-2026-90299-web-of-deception Purple /media/bsides-exeter-2026/submissions/U7BUHA/WebOfDeception_1_q9PBoeh.webp Anton Angione en Attackers don’t just hack systems, they hack people. Phishing, vishing, deepfake impersonation, and influence operations exploit language, emotion, and trust to bypass even mature technical controls. Modern social engineering targets cognition and behaviour, turning the human layer into the easiest path inside. Web of Deception is a hands-on workshop built for Red, Blue, and Purple teams who want to understand and counter this tradecraft. Through realistic scenarios, adversarial role-play, and team challenges, participants deconstruct how attackers craft persuasive narratives, manipulate sentiment, and exploit cognitive bias. Teams practise analysing intent, spotting linguistic and behavioural indicators, and making decisions under pressure, applying the same analytical mindset used in detection and threat hunting. Blending behavioural science with threat modelling and creative problem-solving, the session strengthens adversarial thinking and cross-team collaboration. A cryptic challenge woven throughout reinforces observation, semantic reasoning, and lateral thinking. Attendees leave with practical techniques to test, harden, and defend the human attack surface. true https://pretalx.com/bsides-exeter-2026/talk/U7BUHA/ https://pretalx.com/bsides-exeter-2026/talk/U7BUHA/feedback/ Auditorium Talk 2026-04-25T12:20:00+01:00 12:20 00:40 Teams keep hardening login. MFA is standard, SSO is common, and passkeys are rising. Yet account takeover still happens, because attackers rarely attack the strongest part of the system. They go around it. Account recovery is now one of the easiest paths to takeover. It is often weaker than login, treated as a one-off feature, and rarely threat-modeled after the first release. Password reset is only the visible surface. The real risk is the recovery chain including reset links, email changes, MFA reset paths, session invalidation, and subtle UX signals that reveal too much. This talk breaks down the production failure modes that turn recovery into a bypass. User enumeration through content and timing differences. Reset tokens that can be replayed or are scoped too broadly. Tokens leaking through link previews, logs, and instrumentation. Weak throttling that either does nothing or punishes real users. Missing post-reset cleanup that leaves attacker sessions alive even after the victim changes their password. You will leave with a practical hardening checklist you can take back to your product. Patterns for safe messaging, token lifecycle, rate limiting, monitoring signals, and a post-reset shutdown sequence that closes the gap without breaking UX. bsides-exeter-2026-93661-stopping-account-takeover-at-the-recovery-layer Purple Viola Lykova en This session treats account recovery as privileged access, not a simple form. It breaks down the most common real-world failure modes that turn password reset into an account takeover path, then replaces them with concrete patterns that teams can implement and test. The focus is defensive engineering with enough threat awareness to make the mitigations stick. No tool worship, no theory-only talk, and no step-by-step exploitation. It is a builder-friendly map of where recovery breaks and what good looks like. false LinkedIn Community Stack talk on Dec 11 2025 Cypress webinar on Nov 17 2025 London DevSecOps talk on Feb 26 2026 https://pretalx.com/bsides-exeter-2026/talk/YNPP3Z/ https://pretalx.com/bsides-exeter-2026/talk/YNPP3Z/feedback/ Auditorium Keynote 2026-04-25T14:00:00+01:00 14:00 00:45 In this presentation, Paul will reflect on his two decades in cyber security leadership (three in Information Technology), and offer his former self some advice: if I had my time again, what **would** I do differently - and what does the future hold for our amazing, but challenging, industry? I might even chuck in a couple of career anecdotes for good measure! bsides-exeter-2026-93703-keynote-life-as-a-cyber-security-leader-advice-to-my-former-self Purple Paul Watts en false https://pretalx.com/bsides-exeter-2026/talk/QK3D9Q/ https://pretalx.com/bsides-exeter-2026/talk/QK3D9Q/feedback/ Auditorium Talk 2026-04-25T14:45:00+01:00 14:45 00:40 Silence kills security. This session explores how confidence gaps, gatekeeping, and “expert culture” stops practitioners and wider teams from asking questions, challenging assumptions, or escalating concerns early. bsides-exeter-2026-88081-the-imposter-syndrome-security-gap Purple Illyana Mullins en This session explores how imposter syndrome and hierarchy shape behaviour in security teams and wider organisations, especially during moments where early escalation matters most. From incident response calls to design reviews and risk sign-off meetings, we’ll look at how silence becomes normalised, how authority distorts decision-making, and why the industry’s obsession with expertise can actively undermine security outcomes. Rather than framing this as a confidence or well-being issue, this talk treats silence as what it really is: an operational vulnerability. false https://pretalx.com/bsides-exeter-2026/talk/YZZFKU/ https://pretalx.com/bsides-exeter-2026/talk/YZZFKU/feedback/ Auditorium Talk 2026-04-25T15:30:00+01:00 15:30 00:40 Vesta is a lightweight, web-based control panel that simplifies Linux server management, appealing to users seeking an intuitive alternative to traditional platforms like cPanel and Plesk. This presentation will examine a critical flaw in Vesta: an admin takeover exploit resulting from reduced seed entropy in the Bash $RANDOM variable. By transforming what was once a theoretical attack into a practical one, we successfully reduced the brute force domain of the seed by over 98%. This allows attackers to generate predictable random values, compromising the security of passwords and tokens. We will discuss the implications of this vulnerability and highlight best practices for enhancing server security in real-world applications. bsides-exeter-2026-89323-vesta-admin-takeover-exploiting-reduced-seed-entropy-in-bash-random Purple Adrian Tiron en false https://pretalx.com/bsides-exeter-2026/talk/CXDETW/ https://pretalx.com/bsides-exeter-2026/talk/CXDETW/feedback/ Auditorium Keynote 2026-04-25T16:30:00+01:00 16:30 00:45 A Keynote presentation - How self-driven learning builds careers The presenter will expose a series of vignettes from a 30+ year career in the security industry, with the theme of taking a self-learning odyssey. bsides-exeter-2026-95110-curiosity-made-a-ciso Purple Keri Lewis en false https://pretalx.com/bsides-exeter-2026/talk/W9ZHHG/ https://pretalx.com/bsides-exeter-2026/talk/W9ZHHG/feedback/ Seminar Room 1 Talk 2026-04-25T09:45:00+01:00 09:45 00:40 The first hour of incident response is often the most important. It’s the point where initial contact is made and an effort to make sense of events begins. But it's also where early mistakes can turn a contained issue into a full-blown crisis. This talk focuses on how to manage that critical window and avoid common pitfalls. Especially where multiple systems, stakeholders, and streams of information all demand attention at once. We’ll explore the pitfalls that slow teams down and show how a simple framework can help keep order. Using case studies and lessons learned from the field, this session highlights how the first 60 minutes set the tone for the entire response, and how to ensure that tone is calm, structured, and effective. bsides-exeter-2026-88097-the-first-hour-of-incident-response-every-second-logs Blue /media/bsides-exeter-2026/submissions/8ASG98/First_Hour_Of_Ir_jimDHDy.webp George Chapman en The first hour of incident response can set the course for everything that follows. This talk explores how to bring structure to that hour. Drawing on real-world incidents, it considers both the human and technical challenges, whilst also considering the complexity of working across a range of platforms. Against that, a practical framework is proposed to keep teams aligned when it matters most. Attendees will leave with concrete lessons and a first-hour playbook they can adapt to their own environment, giving them confidence that their response will be sharper, calmer, and more effective when every second counts. false https://pretalx.com/bsides-exeter-2026/talk/8ASG98/ https://pretalx.com/bsides-exeter-2026/talk/8ASG98/feedback/ Seminar Room 1 Rookie Talk 2026-04-25T10:30:00+01:00 10:30 00:20 hello! Millions of desktop applications (eg: zoom, steam, & vscode) ship a full Chromium browser with a debug-socket backdoor baked in. I examine how CDP -- the protocol that powers devtools -- creates some err… _minor_ weaknesses in Electron- and MsEdgeWebView2-based software. **Live demo included!** bsides-exeter-2026-92190-embedded-chromium-everywhere-a-security-look-at-msedgewebview2-cdp Blue /media/bsides-exeter-2026/submissions/7RKGYN/image_eQCTSaR.webp Ben Mullan en <see cref="Abstract" /> false https://pretalx.com/bsides-exeter-2026/talk/7RKGYN/ https://pretalx.com/bsides-exeter-2026/talk/7RKGYN/feedback/ Seminar Room 1 Rookie Talk 2026-04-25T11:00:00+01:00 11:00 00:20 Cyber is an industry an everyone. Diversity of backgrounds and experience can only strengthen our course and enhance our industry. bsides-exeter-2026-92037-from-kerry-katona-to-pen-testing Blue /media/bsides-exeter-2026/submissions/FZSEVN/image_IAisEDr.webp Lisa Diaz en I want to tell my story of how I got into cyber. Not to say ooo look at me aren’t I wonderful. But to inspire other women, career changes and anyone else interested that if I can do it - so can they! true https://pretalx.com/bsides-exeter-2026/talk/FZSEVN/ https://pretalx.com/bsides-exeter-2026/talk/FZSEVN/feedback/ Seminar Room 1 Talk 2026-04-25T11:40:00+01:00 11:40 00:40 We’re often told "don't roll your own crypto" or "don't build your own auth." It’s great advice for most, but it begs the question: What about the people who have to build the stuff everyone else relies on? When you’re developing the core libraries, kernels, or protocols that the rest of the world trusts, "best effort" security testing is simply not enough. Standard tools like fuzzing and static analysis (SAST) are world-class at finding bugs, but they are inherently reactive. They can tell you that you have a vulnerability, but they can never prove that you don't. This raises the question of what we can, and should, do when we need to go beyond the "find-and-patch" cycle. In this talk, I will explain the ideas underlying widely used security testing techniques such as fuzzing and static analysis, examining their strengths and weaknesses. This will be contrasted with a plain-English look at how formal verification, which offers the promise of being "mathematically proven", allows us to show the absence of entire vulnerability classes. I will also discuss why "mathematically proven" isn't a silver bullet and address the practical limitations of verifying complex systems. If you’ve ever wondered how the foundations of the internet are secured, or if you are building a component where a single bug constitutes a catastrophic failure, this session will show you how to move beyond the "Whac-A-Mole" of bug hunting. bsides-exeter-2026-93653-when-pen-testing-is-not-enough Blue Achim D. Brucker en The audience should have beginner-to-intermediate software development experience, i.e., being able to understand small program snippets containing typical software vulnerabilities. No deep knowledge of security testing (or formal verification) is required. false https://pretalx.com/bsides-exeter-2026/talk/WUWP3W/ https://pretalx.com/bsides-exeter-2026/talk/WUWP3W/feedback/ Seminar Room 1 Talk 2026-04-25T12:20:00+01:00 12:20 00:40 Operational Technology (OT) environments face a critical paradox: sophisticated attacks like TRITON, CRASHOVERRIDE, and INCONTROLLER routinely target multiple facilities, yet operators remain blind to cross-site attack patterns due to privacy regulations, competitive secrecy, and lack of trust. The current "share after detection" model—where threat intelligence is exchanged only after a breach is confirmed—creates a deadly information asymmetry: attackers see the entire battlefield while defenders fight isolated skirmishes. This talk introduces a framework that flips the paradigm to "share to detect": enabling multiple OT sites (refineries, power plants, water utilities) to collaboratively identify globally significant threats before individual sites recognize them as attacks, all without exposing sensitive operational data, process telemetry, or even revealing which facility discovered which threat. Using software "hunter agents" deployed at historian databases and SCADA systems, the system leverages commutative encryption and secure multi-party computation to answer the question: "Is this weird PLC behavior I'm seeing actually a coordinated attack happening across our industry?"—without any site learning what "weird" looks like at competitor facilities. We'll demonstrate how an alliance of sites can collectively validate that a suspicious Modbus command sequence appearing at 15% local prevalence at your site is actually a global IoC appearing at 87% of participating refineries—triggering immediate coordinated defense—while mathematically guaranteeing that Site A never learns Site B's process parameters, alarm rates, or asset inventory. Attendees will learn: - Why traditional threat intel sharing fails in OT environments - The cryptographic primitives enabling secure threat artifact exchange - How to deploy autonomous threat hunting agents in ICS historian infrastructure - Real-world attack scenarios where collaborative detection provides 10-100x faster response bsides-exeter-2026-93347-share-to-detect-breaking-the-privacy-deadlock-in-ot-threat-intelligence Blue /media/bsides-exeter-2026/submissions/EKSVGQ/image_qVxfsiO.webp Ahmed ElmesiryOfir Manor en true https://pretalx.com/bsides-exeter-2026/talk/EKSVGQ/ https://pretalx.com/bsides-exeter-2026/talk/EKSVGQ/feedback/ Seminar Room 1 Talk 2026-04-25T14:45:00+01:00 14:45 00:40 This presentation is a realistic look at what it is like to work in a Security Operations Center, also known as a SOC. It breaks down the experience into four parts: The Reality, The Good, The Bad, and The Ugly. All of the points will be linked with real-life events. This talk is directed to people stepping into soc analyst field, entry level analysts and soc managers as some slides speak to people with certain levels of experience in the field. Beginning the talk by setting the stage with "The Reality" of a SOC environment. Next, the presentation covers "The Good" parts of the job. A simple view of known information, touched superficially. "The Bad" section discusses the downsides. Then, "The Ugly" reveals five harsh truths about SOCs. Going deep into what I learned about SOC environment and the mistakes the team does still after years with real life examples. Finishing off with a touch of AI and if integrating that makes it better? I explain it is not. bsides-exeter-2026-88385-soc-the-good-the-bad-the-ugly Blue Harish Kumar Gopalakrishnan en false https://pretalx.com/bsides-exeter-2026/talk/WVQLAW/ https://pretalx.com/bsides-exeter-2026/talk/WVQLAW/feedback/ Seminar Room 1 Talk 2026-04-25T15:30:00+01:00 15:30 00:40 Cloud and container security feels like a scattered puzzle: development standards, CI/CD pipelines, guardrails, runtime security, logging, monitoring, and assurance. Together they form a resilient system, but most teams run them as independent silos, and that gap is exactly where attackers operate. This talk assembles those pieces by showing their critical connections, the misconceptions that leave them exposed, and the pitfalls that trip teams up at each stage. Start with a question most developers get wrong: are containers isolated? They are not. Every container shares the same kernel, and that single misconception underpins a whole class of attacks that application-layer tooling cannot see. From there, the puzzle builds outward. CI/CD pipelines enforce automated checks, but signing does not mean secure. The 3CX attack produced validly signed malware that passed every test, and 83% of organisations still do not verify signatures. Guardrails maintain compliance, but 65% of clusters run flat networks, making lateral movement trivial once anything is compromised. Runtime security addresses the threats that static analysis is blind to entirely. Assurance binds it together, not as a GRC exercise, but as a cryptographic chain from commit to runtime that gives defenders something they can actually prove. With 82% of cloud breaches stemming from misconfiguration across a surface of 15.6 million cloud-native developers, the problem is not a shortage of tools. It is fragmented defences that do not reinforce each other. The talk closes by connecting the framework to blue team operations: mapping each control layer to realistic SIEM ingestion, showing how those signals connect to threat intelligence, and working through the operational questions around log preservation, forensic readiness, and account access that defenders need answered before an incident rather than during one. A cheat sheet maps every component to detection opportunities and three actions attendees can take the following morning. If you work in detection, response, or securing cloud infrastructure, this talk gives you the framework, the attack chains, and the operational questions to take back to your team. bsides-exeter-2026-93501-cloud-containers-the-security-puzzle-that-locks-tight-from-pipeline-and-package-to-soc-operations Blue Ashley Barker en The starting point is a misconception most teams carry: that containers are isolated. They are not. Every container shares the same kernel, and CVE-2025-31133 demonstrated exactly what that means in practice, with a race condition on bind-mount operations in runc enabling read-write access to host kernel parameters and lateral movement across containers. That shared kernel is the foundation the talk builds from, working up through each layer and the controls that belong at each one. 82% of cloud breaches stem from misconfiguration and human error across a surface of 15.6 million cloud-native developers, most of whom run containers in production. The problem is not a lack of tools. It is fragmented point solutions where each piece operates without the others. Foundations: The Shared Kernel Illusion Namespaces are sleight of hand. They trick processes into thinking they are isolated, but syscalls still reach the kernel directly. This section covers what that means practically: why root inside a container represents roughly 40 granular Linux privileges that need stripping, why CAP_SYS_ADMIN is near-root by another name, how Seccomp filters dangerous syscalls like setns, ptrace, and mount before they execute, and why user namespace remapping is the control that makes container-root map to an unprivileged host user. CI/CD: The Signed Malware Trap The 3CX attack is the central case study: a supply chain compromise that targeted the build environment directly, producing malware signed with a valid certificate that passed SAST, SBOMs, and standard scanning. Supply chain compromise now accounts for 15% of all breaches, and 83% of organisations still do not verify signatures. SLSA Level 3 is the provenance and attestation framework that addresses this, ephemeral hermetic build runners are the mechanism that prevents environment compromise, and Verification Summary Attestations are the missing piece that checks whether policy outcomes were correct rather than just whether tests ran. No VSA, no deployment. Guardrails: The Compliance Barrier 65% of clusters run flat networks, violating NIST 800-53 SC-7 boundary protection and enabling lateral movement when anything is compromised. Default-deny NetworkPolicies, service mesh with mTLS and SPIFFE workload identity for Layer 7 enforcement, and admission controllers via Kyverno or OPA Gatekeeper for policy-as-code that validates before anything reaches the cluster are the three layers that address this. Secrets management sits alongside them: 88% of breaches involve credential theft, and secrets in environment variables are visible in API server audit logs, process listings, and ServiceAccount token enumeration. External Secrets Operator injecting into tmpfs at runtime is the control. Runtime: The Build-Only Fallacy Static analysis is blind to zero-days, living-off-the-land attacks, and behavioural anomalies that only manifest at execution. CloudSiphon infected 150 organisations via a trojaned NGINX that ran malicious code purely at runtime, bypassing all static analysis entirely. Cluster-wide eBPF deployment gives real-time syscall, file access, and network monitoring at the kernel level. Behavioural baselining per workload type produces high-fidelity alerts with full process lineage, and drift detection runs continuously against the image manifest. The specific syscalls indicating container breakout attempts are covered in detail: setns, unshare, writes to /proc/sysrq-trigger, and writes to /proc/sys/kernel/core_pattern. Advanced evasion techniques including reflective code loading, eBPF rootkits using bpf_probe_write_user, and delayed execution via cron are each covered alongside their counters. Visibility, Assurance and Blue Team Operationalisation eBPF telemetry feeds OpenTelemetry, Falco picks up Kubernetes API audit events, and application traces and service mesh telemetry correlate across the stack to link user identity through pod creation to kernel execution. DORA, NIS2, and SEC requirements are mapped into policy-as-code rather than treated as point-in-time GRC snapshots. The closing section works through how a SOC operationalises the full framework: chaos engineering against security controls to validate detection, containment, and recovery; automated certificate rotation and revocation with MTTR targets measured in minutes; and VSA-driven cryptographic audit trails from commit to runtime stored in an immutable transparency log. It closes on the operational readiness questions defenders need answered before things go wrong: log preservation, forensic access to running infrastructure without destroying evidence, account auditability, and whether containment actions have been rehearsed. Three actions for Monday morning follow: mandate trust via VSAs and attestation controllers, enforce containment via policy-as-code and CAP_DROP, and deploy kernel-level visibility with behavioural baselines and automated drift response. false https://pretalx.com/bsides-exeter-2026/talk/VUZCNS/ https://pretalx.com/bsides-exeter-2026/talk/VUZCNS/feedback/ Seminar Room 7 Talk 2026-04-25T09:45:00+01:00 09:45 00:40 Reverse engineering Go binaries can be difficult, especially using existing dynamic tools to interrogate program state at runtime. This talk explains how metadata in Go binaries can be used to recover data type definitions, then combined with a debugger at runtime to display the contents of complex data structures such as arrays and custom structs, even on stripped binaries. These techniques are demonstrated in a recent release of LLEF, which is a free and open reverse engineering toolkit for LLDB developed by Foundry Zero. bsides-exeter-2026-93788-unlocking-the-secrets-of-stripped-go-binaries-at-runtime Red Alex M en false https://pretalx.com/bsides-exeter-2026/talk/3H7ZAT/ https://pretalx.com/bsides-exeter-2026/talk/3H7ZAT/feedback/ Seminar Room 7 Rookie Talk 2026-04-25T10:30:00+01:00 10:30 00:20 In today’s interconnected world, achieving complete software security is extremely challenging, as vulnerabilities continue to provide opportunities for exploitation. Buffer overflow attacks remain among the most enduring and impactful forms of software exploitation, enabling adversaries to manipulate program execution and gain unauthorized access. Although significant countermeasures such as stack canaries, Address Space Layout Randomisation (ASLR), and non-executable memory protections have been developed, buffer overflows persist due to legacy codebases, low-level programming practices, and the constant evolution of attack strategies. Recent advances in Generative Artificial Intelligence (Gen-AI) introduce a new dimension to defensive cybersecurity research and offers potential as a countermeasure through enhanced vulnerability detection, automated secure code generation, and the ability to adapt defensively to dynamic attack patterns. This project specifically evaluate the dangers of buffer overflows attacks and effectiveness of Gen-AI models in guarding against them, with a focus on recent vulnerabilities such as CVE-2025-6660 and CVE-2025-6191. bsides-exeter-2026-89479-buffer-overflows-in-the-era-of-gen-ai Red /media/bsides-exeter-2026/submissions/G3FQ8F/Buffer_Overflow__R5Fujlh.webp Maxime Reynaud en Buffer overflows are still considered a persistent threat five decades after their initial documentation, maintained by bad programming habits, legacy codebases, unsafe programming languages and the growing existence of IoT and embedded systems, which are often more inclined to be vulnerable due to their nature. Although defence mechanisms have been put in place and generally adopted, ASLR, DEP and SSP are not the perfect protection mechanisms, and always-evolving exploitation techniques are able to bypass them. Likewise, detection and mitigation using static and dynamic analysis tools are a good base to try to improve and find vulnerable code, but being generalised tools for all vulner- abilities, they still incur a lot of false positives, major overhead requirements and partial coverage for buffer overflows. Recent advances in artificial intelligence have facilitated innovation and demonstrated promising im- provements regarding this matter. Even if they seem to perform better than traditional techniques, the field is still immature, and there are still a lot of improvements to achieve to have a viable long-term solution. Their scope is often very narrow, and there is yet to be a way to adapt to new exploitation techniques in real time without redesigning the whole model from scratch. Gen-AI potential remains crucially unexplored in regard to buffer overflow mitigation and detection in real-world scenarios, constituting an opportunity for future work. false https://pretalx.com/bsides-exeter-2026/talk/G3FQ8F/ https://pretalx.com/bsides-exeter-2026/talk/G3FQ8F/feedback/ Seminar Room 7 Rookie Talk 2026-04-25T11:00:00+01:00 11:00 00:20 AI is rapidly becoming part of the penetration tester’s workflow, generating payloads, summarising scan results, and accelerating technical discovery. But while these tools increase speed, they also introduce a critical risk: confidence without validation. AI can suggest vulnerabilities that don’t exist, misinterpret context, and produce output that appears convincing but lacks accuracy. In the hands of an inexperienced tester — or under time pressure — this can lead to false positives, weak findings, and ultimately poor reporting. This talk explores how AI is actually being used in real-world pentesting, where it provides genuine value, and where it can go wrong. Through practical examples, it highlights common pitfalls and demonstrates how easily unverified AI output can make its way into reports. More importantly, it introduces a structured approach to using AI responsibly, combining speed with validation, and technical output with real-world context. Attendees will leave with a clear framework for integrating AI into their workflow without compromising credibility or impact. bsides-exeter-2026-92175-autopwn-or-auto-fail-the-truth-about-ai-in-offensive-security Red /media/bsides-exeter-2026/submissions/T3H3JV/image_miSqgE5.webp Dumisani Masimini en AI can generate payloads, summarise scans, and even suggest vulnerabilities, but it doesn’t understand risk. In the rush to adopt AI in penetration testing, many are producing faster results, but weaker outcomes. Findings are less validated, reports are less meaningful, and the gap between technical output and business impact is growing. This talk challenges the hype and focuses on what actually matters: using AI as a tool, not a crutch. By walking through real examples, we’ll explore how to turn raw AI-assisted output into clear, credible, and actionable security insights. Because in the end, the value of a pentest isn’t in the payload , it’s in the decision it drives. false https://pretalx.com/bsides-exeter-2026/talk/T3H3JV/ https://pretalx.com/bsides-exeter-2026/talk/T3H3JV/feedback/ Seminar Room 7 Talk 2026-04-25T11:40:00+01:00 11:40 00:40 Being responsible for designing and implementing DLP policies in my organisation, I have seen first hand how companies suffer data loss without even realising it. The individuals exfiltrating the data are unaware what they are doing is even exfiltration of data through legitimate workflows. Traditional Data Loss Prevention programs were built to monitor email gateways, USB devices, and cloud storage. But generative AI has introduced a new and largely unmonitored exfiltration channel. In many organisations, AI adoption is outpacing governance. Employees restricted from using approved AI tools often turn to personal accounts or unsanctioned platforms pasting sensitive board packs, proprietary source code, and client data into public models in order to work more efficiently. Existing DLP controls frequently fail to detect this behaviour because the activity appears legitimate and encrypted within normal web traffic. In this talk, I explore: How generative AI creates blind spots in traditional DLP architectures Real-world scenarios where sensitive data leaves the organisation without triggering alerts How red teams and malicious insiders can weaponize legitimate AI usage Why most DLP programs measure activity instead of risk Practical approaches to regaining visibility without shutting down innovation This session bridges red, blue, and governance perspectives to challenge what data loss prevention really means. bsides-exeter-2026-93002-shadow-ai-is-your-new-data-exfiltration-channel Red Chijioke Okoye en false https://pretalx.com/bsides-exeter-2026/talk/MDYRPK/ https://pretalx.com/bsides-exeter-2026/talk/MDYRPK/feedback/ Seminar Room 7 Talk 2026-04-25T12:20:00+01:00 12:20 00:40 As defenders, over the last few years we’ve seen a seemingly relentless stream of incidents, vulnerabilities and attack campaigns targeting network edge devices and appliances. Exposed at the edge of our networks defending these devices is critical, but their proprietary and locked down operating systems mean we often lack the detection and response tools we use every day to quickly triage, investigate and remediate commodity server and client operating systems. But under the hood, almost all modern network edge devices run some flavour of Linux. Memory collection and analysis on Linux is well supported by both commercial and open source tools such as Volatility 3. In this talk I’ll discuss some of the challenges of collecting and analysing memory on Linux-based appliances, and show how with some creativity (and a little reverse-engineering) you can often get the same level of visibility and analysis we get on more standard Linux operating systems. Whether you’re an incident responder, part of a security team responsible for these devices or a device vendor I’ll discuss how you can be better prepared for incidents involving these types of systems and use memory analysis as a part of your investigation. bsides-exeter-2026-92022-open-ish-source-adventures-in-edge-device-memory-forensics Red Richard Tuffin en false https://pretalx.com/bsides-exeter-2026/talk/8E8ZK7/ https://pretalx.com/bsides-exeter-2026/talk/8E8ZK7/feedback/ Seminar Room 7 Talk 2026-04-25T14:45:00+01:00 14:45 00:40 This talk explores the world of browser fingerprinting, how seemingly identical devices can be uniquely identified using subtle characteristics exposed by modern browsers. We will examine the specific attributes that contribute to fingerprint uniqueness, how tracking systems leverage them at scale, and the effectiveness of current evasion and anti-fingerprinting techniques. bsides-exeter-2026-92555-your-browser-is-snitching-tracking-without-cookies Red Adam Crease en This talk explores the world of browser fingerprinting, how seemingly identical devices can be uniquely identified using subtle characteristics exposed by modern browsers. We will examine the specific attributes that contribute to fingerprint uniqueness, how these can be leveraged by tracking systems and demonstrating these signals inside a browser. Furthermore, the talk will dive into current evasion and anti-fingerprinting techniques, demonstrating what steps should be taken to reduce and avoid fingerprinting. Including ways to obfuscate or standardise signals. false https://pretalx.com/bsides-exeter-2026/talk/FQDTGJ/ https://pretalx.com/bsides-exeter-2026/talk/FQDTGJ/feedback/ Seminar Room 7 Talk 2026-04-25T15:30:00+01:00 15:30 00:40 Your target runs macOS, but you don’t know your SIPs from your ESFs? And there’s no friendly Active Directory to fall back on? Where do you even begin? This talk will give you the fundamentals you need to adapt your red team methodology to macOS with confidence. You don’t need to be Patrick Wardle to get results, but by the end of this talk you will at least know who that is. We will cover: * Core macOS security concepts and how they will affect your operation * Offensive and defensive security tooling * The mindset shifts to pivot your Windows & Linux skills into operating in macOS environments bsides-exeter-2026-88150-ctrl-introduction-to-macos-red-teaming-in-2026 Red Matthew Lucas-ClarkeVictor van der Helm en false https://pretalx.com/bsides-exeter-2026/talk/YW3GZV/ https://pretalx.com/bsides-exeter-2026/talk/YW3GZV/feedback/