Harboring No Illusions: Navigating risks in a FaaS world
2026-04-26 , Track 2

Managed compute removes bare-metal infrastructure, not responsibility. In FaaS platforms, speed and elasticity make it easy to misconfigure, and ephemeral function chains with granular integrations create exposure points that legacy controls miss. This technical session unpacks real attacker tradecraft against function-based apps, including dependency flaws, credential leakage, overly broad permissions, and unsafe event bindings. Rather than slideware, we focus on field-tested playbooks: threat mapping, least-privilege design, guardrails for events, secrets handling, and observability that actually catches misuse while teams keep shipping. Built for engineers and defenders working on highly automated stacks where sightlines are thin and blast radius can grow quickly, the talk also introduces LynxLab, our open lab that lets you build a mini FaaS pipeline, probe it with realistic kill chains, and practice concrete countermeasures to harden managed runtimes without losing delivery speed.


Behind the abstraction lies a misconception: that serverless means "less" responsibility. Spoiler alert - it doesn't! Fast and adaptable, serverless is also dangerously simple to configure incorrectly. In highly dynamic, event-driven cloud environments, sporadic and fine-grained service integrations introduce unique attack surfaces that traditional security models fail to address.

This technical session dives deep into the tactics, techniques, and procedures (TTPs) adversaries use to exploit serverless applications via new attack vectors, including vulnerable libraries, leaky secrets, wildcard IAM roles, and insecure triggers. It also emphasizes actionable, tried-and-true methods over theory - equipping practitioners with the skills to defend modern serverless stacks while maintaining operational velocity.

This talk is designed for professionals building and securing cloud-native, serverless architectures, where visibility is limited, the blast radius is significant, and assumptions can be risky. We introduce LynxLab, an open-source home lab framework developed by us to simulate realistic attack and defense scenarios in serverless environments, enabling practitioners to better understand and mitigate evolving cloud security threats.

Results-driven Cybersecurity Engineer with diverse experience across the Healthcare, Banking, Public, and Telecom sectors, including cross-functional project guidance and stakeholder support, security architecture strategy, application security, predictive analytics, and enterprise risk management. Adept at designing and implementing scalable solutions, driving automation, and delivering quantifiable value and innovation.

With nearly a decade of experience across sectors such as e-commerce, healthcare, gaming, open-source, and cybersecurity, within both large enterprises and agile startups, Shivam brings a creative, solutions-driven approach to complex challenges. Committed to community engagement, he actively mentors early-career cybersecurity professionals, judges prestigious tech awards, peer-reviews academic research, speaks at cybersecurity conferences, and contributes to tech-for-good initiatives with nonprofit organizations. He currently leads cloud security efforts at JPMorganChase, driving robust solutions to support the firm’s ongoing growth.
