2026-04-26, Track 1
Organizations of all sizes face a growing but largely invisible threat: sensitive data exposures across their supply chain that are openly accessible on the clear web without their awareness. Through real-world disclosures and industry-wide research, we reveal how supply chain leakage has become normalized through misplaced trust in contracted vendors and disclosure processes that fail to enforce third-party accountability. Larger organizations often accept exposure as an implicit risk, while smaller organizations assume vendors follow best practices. Existing OSINT platforms frequently reinforce this gap by prioritizing internal visibility while overlooking externally discoverable data.
This talk reframes OSINT-driven leak discovery as more than evidence collection. We demonstrate how pairing exposure evidence with clear threat theory and actionable remediation guidance transforms vulnerability disclosures into effective risk-reduction outcomes.
Publicly exposed secrets, credentials, and configuration data are no longer edge cases. They are a systemic supply chain problem affecting organizations across industries, cloud platforms, and development ecosystems. Git repositories, API collaboration tools, CI pipelines, and third-party integrations routinely leak production-level secrets in ways that evade traditional security controls and commercial OSINT tooling.
This talk examines why supply chain leakage has become the industry norm and why traditional disclosure programs frequently fail to drive accountability or corrective action. Many OSINT tools focus on internal monitoring and assume limited external visibility, leaving clear web exposures unaddressed. As a result, organizations receive evidence without sufficient context, forcing internal teams to reconstruct the story and design remediation plans from scratch.
We will explore how operational-security-focused OSINT closes this gap by pairing discovery with insight. The session revisits classical reconnaissance techniques applied to modern platforms such as GitHub and API collaboration tools, and demonstrates a repeatable approach for uncovering exposed data across supply chain domains. Attendees will learn how to protect repositories, establish exposure treatment plans, and integrate search-based reconnaissance into existing security programs with minimal overhead.
Most importantly, the talk reframes disclosure as a strategic opportunity. When evidence is presented alongside clear risk interpretation and practical remediation guidance, disclosures shift from informational alerts to catalysts for action. This approach not only reduces exposure but also strengthens trust, accelerates response, and transforms discovery into measurable security outcomes.
Kaoru T. “Teddy” Katayama is the Chief Technology Officer and co-founder of Exploit Strike, where he leads offensive security operations and defines the technical strategy behind the firm’s penetration testing and adversary simulation engagements. With nearly two decades of experience in cybersecurity, Teddy blends deep technical expertise with a practical focus on real-world risk.
His interest in security began early. At age ten, he bypassed his elementary school’s door-lock system, and by eighth grade he had built a Java-based port scanner. In high school, his skills earned multiple SkillsUSA awards in network management and remote administration.
Teddy holds a Bachelor of Science in Computer Engineering and a Master of Engineering in Cybersecurity from the University of Delaware and is currently completing his Ph.D. in Electrical and Computer Engineering, specializing in cybersecurity and machine learning. His research focuses on applying machine learning to threat detection and security operations and has been supported by a $259,527 research grant from Cisco Systems.
Teddy has led security initiatives for organizations ranging from startups to large enterprises. Prior to Exploit Strike, he co-founded Golden Egg Labs, created the University of Delaware’s first VIP Red Team, and led penetration testing and compliance projects across the Mid-Atlantic. He also worked at Cisco Systems, developing machine learning tools for detecting malicious binaries in encrypted traffic.