Modern web browsers are hardened and complex, yet remain high-value targets for attackers. While 0-day research dominates the headlines, building real-world, reliable exploits often involves chaining multiple vulnerabilities. Even when based on n-days, these exploit chains can offer a fast path to initial access during offensive engagements.
From patch diffing to modern mitigations bypass, this talk explores practical techniques for browser exploit development under real-world constraints. It introduces new methods and tools through the demonstration of an exploit chain leveraging three n-day vulnerabilities targeting recent versions of Google Chrome.
Lockpicking village and more!
This extended talk builds on my previous lightning talk (Hack.lu 2024) on the discovery and disclosure of vulnerabilities in an Electric Vehicle Smart Charging Point (CVE-2024-5313, CVE-2024-8070).
Pentesters, by the nature of their role, hold sensitive access to the information systems of their clients or employers. These accesses, their expertise, and their growing visibility within the cyber ecosystem make them prime targets for motivated attackers.
As the persistent migration to cloud infrastructures keeps growing, Microsoft Azure has become a mainstay of modern enterprise environments and, therefore, an increasingly attractive target for attackers. This talk covers Azure initial access, from beginner techniques to leading-edge offensive strategies. Attendees will hear about misconfigurations, identity-based attacks, and real-world exploitation scenarios threat actors utilize to gain a foothold in Azure environments. From newcomers to Azure security to red teamers looking to up their game, this session offers hands-on insight and actionable techniques for understanding and defending against modern cloud threats.
Luc Dockendorf, Luxembourg’s Ambassador for Cybersecurity and Digitalisation will do a horizon scan on all things digital and cyber diplomacy, 20 years after the World Summit on Information Society, at a time where the world – online and offline – seems to be falling apart.
1 minute per workshop organizer
Cyber Security is not only challenging to get into (build a solid technical foundation, often in your free time, prove your worth in exams and certifications, hackathons, hiring exams, etc.) but also hard to stay healthy in (constant firefighting mode, being both the dark voice and the shining light of the company conscience). In addition to that, you are surrounded by people who all had to prove their worth in infosec at some point in their life, and it's sometimes hard to find other interests in their lives that you could talk about with them.
This talk is about how you can survive infosec, especially if you have had your touchpoint with burnout, and how you can manage yourself if you are just starting out.
This workshop offers a hands-on presentation of two open-source tools from the CyFORT project, bridging the gap between state-of-the-art academic research and real-world SOC/CSIRT operations: IDPS-ESCAPE, a SOAR platform with an AI-driven anomaly detection toolbox (ADBox), and SATRAP, a platform for computer-aided analysis of Cyber Threat Intelligence (CTI) assisted by logic-based automated reasoning.
Participants will learn how to integrate an open-source SIEM (Wazuh) with ADBox and its Multivariate Time-Series Anomaly Detection via Graph Attention Networks (MTAD-GAT) algorithm, as well as how to configure anomaly detectors by training new ML models and using them on SIEM-level ingested data to respond to adversarial attacks, and automate response workflows. They will also gain hands-on experience setting up a CTI knowledge base and streamlining CTI analysis investigations using the CTI Analysis Toolbox of SATRAP.
In my workshop, I'll dive into the world of game-based learning in cybersecurity, showcasing HackBack - a unique framework loosely based on Dungeons & Dragons that blends role-playing game elements with security training. I'll start out explaining what HackBack is and how it works. Afterwards we’ll play a game together in teams and engage in passionate discussions on how to save our fictitious company from total disaster in a realistic scenario based on true events.
HackBack revolutionises traditional methods by providing immersive, risk-free simulations of security situations, both offensive and defensive, making it ideal for teaching concepts like Zero Trust and enhancing teamwork and empathy among participants. We'll explore the open-source nature of HackBack and how it fosters a community-driven approach to cybersecurity education, making it accessible and adaptable to various settings.
Join me to discover how game-based learning is a crucial, yet often overlooked tool in developing effective security professionals.
HackBack is designed for learning, so it’s not necessary to know about either Dungeons & Dragons or Incident Response.
In today’s complex IT environments, understanding your information system's architecture is critical for ensuring security, resilience, and operational efficiency. Mercator, an open-source mapping tool, empowers organizations to visualize and analyze their IT ecosystems with precision. This workshop offers a practical introduction to Mercator, guiding participants through its core functionalities and real-world applications. Designed for IT and security professionals, the session will provide hands-on experience with mapping techniques, data integration, and use case exploration. Participants will leave with actionable knowledge and the skills needed to leverage Mercator for enhanced decision-making in their own environments.
Want to transform your homelab hobby into career gold? This session flips the script on traditional homelab talks, showing you how to build practical experience that catches recruiters' eyes – without melting your electric meter. We'll explore how to design meaningful projects, translate them into powerful resume bullets, and discuss them confidently in interviews. From virtualization to containers, security to automation, learn how to make your homelab work for your career (dancing flamingos included!).
- Target Audience: Early to mid-career IT professionals and career changers
- Experience Level: Beginner to Intermediate
Opening speech for the CLUSIL track
The data behind AI copilots is not only their most critical asset but also a key strategic consideration for enterprises and SMBs alike. This talk examines the challenges of securing diverse architectures at scale, offering practical insights into safeguarding sensitive data while enabling innovation. Learn how to align your AI strategy with robust security practices to maximize value without compromising trust.
Social engineering doesn't just exploit human nature — it thrives on the way we live. In a world shaped by digital overload, isolation, and hyperconnected technology, our psychological defenses are more exposed than ever. This talk explores how modern society amplifies human vulnerabilities, and what it takes to build real resilience at the human layer of security.
Unrestricted file uploads pose a significant threat to application security, allowing attackers to exploit various vulnerabilities and gain unauthorised access to systems and data. Potential risks associated with unrestricted file uploads include triggering vulnerabilities in libraries and applications, abusing real-time security tools, executing malicious code, and gaining unauthorised access to sensitive files. In addition to the standard security best practices for file uploads, such as restricting file size, types, and extensions, experts recommend additional security controls to further enhance protection and validate files. These technologies include Content Disarm and Reconstruction (CDR), multi-AV scanning, sandboxing, and single-AV scanning. The aim of this presentation is to provide a detailed walkthrough of the risks and attacks associated with unrestricted file upload vulnerabilities, review the protective technologies available, outline proper mitigation strategies, and give practical examples of how to secure your environment against malicious uploads.
In today’s world, security without tool and information harmonization is impossible.
Sadly and understandably, most security projects excel at doing one thing very well, however this is insufficient for most projects and organizations who need a combination of tooling in order to efficiently implement a cybersecurity strategy.
This is why we built and open-sourced Smithy.
Smithy is a framework/SDK and an optional execution engine that allows practitioners to orchestrate any security tool and translate its information to the popular security results standard OCSF. Translating outputs to OCSF format is not an easy process as the standard can be loose in some parts.
In this talk we will walk the audience through our context, why we built Smithy, how the SDK works and our design decisions. We’ll also talk about how we leveraged protobuf to extend the OCSF format and accelerate our development thanks to its strong types, code generation capabilities and built in versioning.
Further, we will show participants which components are supported, how to create a sample component, and of course pitfalls, tips and tricks.
At the end of the talk, participants will be able to orchestrate any security tool that provides an API or some other way to gather its results into any cybersecurity programme, for free.
The integration of Artificial Intelligence (AI) in businesses is now essential, but it comes with major compliance challenges, particularly regarding the AI Act and GDPR. Too often, companies believe they must choose between innovation and regulatory compliance.
This talk presents a pragmatic approach to balancing both: how to identify the right AI tools for your business, integrate them effectively while staying legally compliant, and anticipate future regulatory changes. We will share real-world cases and best practices to avoid common pitfalls and maximize the impact of AI initiatives.
This comprehensive workshop is designed to provide participants with a deep understanding of API security, its challenges, and best practices to mitigate risks. Spanning six engaging sessions, the program begins with an introduction to API security and real-world breaches, highlighting the critical importance of securing APIs.
Participants will explore reconnaissance techniques, including using tools like Shodan and Google Dorking, to identify API endpoints. The workshop delves into common API vulnerabilities, such as SQL Injection and XSS, complemented by practical hands-on scanning with Burp Suite.
Additionally, the sessions cover OSINT (Open Source Intelligence) techniques with tools like Maltego, theHarvester, and Wayback, empowering attendees to gather intelligence on API targets. The program culminates with guided vulnerability exploitation exercises and a collaborative group activity to identify and exploit API flaws.
Concluding with a wrap-up session and an open Q&A, this workshop equips participants with the knowledge and skills to secure APIs effectively while fostering a hands-on learning environment.
In the ever-evolving landscape of cybersecurity, automation has become a crucial tool in any security researcher's arsenal. While there's no shortage of open-source and commercial information security tools, the ability to write your own or modify existing ones remains an invaluable skill. This workshop aims to bring attendees up to date on various automation techniques for accomplishing cybersecurity tasks.
The techniques covered span a broad spectrum of security areas, such as vulnerability discovery & exploitation, network monitoring & security, and modifying existing tools. Targeted at security professionals—including penetration testers, bug hunters, red teamers, threat researchers, SOC analysts, and network/DevOps professionals—the workshop demonstrates and teaches how security tasks can be automated easily.
In the world of cybersecurity there is always a threat lurking, waiting in the shadows for the perfect moment to strike. You can sit back and relax, hope for the best, and react when it’s too late… or, before they even think about making a move, you can take control and see everything coming from miles away. In this session, you’ll dive deep into the art of threat modeling—an essential skill that allows you to anticipate risks, identify vulnerabilities, and develop a proactive defense strategy.
Mike will guide you through the process and show you why threat modeling is an offer you simply can’t refuse. You’ll learn how to analyze threats with precision, build effective threat scenarios and develop a mindset that stays one step ahead of the attackers. Ultimately you won’t only understand threat modeling—you’ll lead it with confidence.
Join Mike in the family business, hone your expertise and become the Godfather of Threat Modeling. In this game only the wise and the prepared will survive.
The cyber threat landscape is evolving faster than security teams can keep up. Organisations are no longer just defending their own networks – they must also manage risks from cloud services, third-party providers, vulnerable identities and dark web exposures. The traditional security model, based on scheduled scans and compliance-driven patching, is failing to keep pace, leaving businesses vulnerable to the growing number of emerging attack vectors.
At the same time, remediation and management solutions struggle with the sheer scale of modern attack surfaces. Security teams are overwhelmed with alerts, yet critical exposures still go unnoticed. Organizations need to work smarter when managing their threat exposure, and in this way prioritise the risks that actually matter before they become incidents.
In response, during the last decade we have seen several new frameworks, methodologies and solutions, from Identity Exposure to Attack Surface Management. Most recently, Gartner introduced Continuous Threat Exposure Management (CTEM), which was also named number two on their top 10 strategic technology trends for 2024. But what exactly do these buzzwords mean? What are the actual changes going from one methodology to the next? And how does this latest iteration, CTEM, fit into the bigger picture – and potentially offer the right approach for your organisation?
During this presentation, I will navigate the complex and evolving solution landscape of exposure management, describe where and why CTEM fits in, and offer recommendations on where organisations can start in modernising their approach. The aim is to go beyond general descriptions, and rather dive into concrete examples for a modern approach to exposure and attack surface management in 2025.
Hardcoded secrets remain a common practice in containerized environments, often used for convenience during testing or deployment, despite their significant, well-known security risks.
Docker images are not immune and can inadvertently leak secrets through Dockerfiles, configuration files, or image layers. Once pushed to registries such as DockerHub, these secrets become discoverable to attackers, putting environments at risk.
In this session, we will share insights from an extensive analysis of 15,000,000 public Docker images retrieved from DockerHub, uncovering a staggering number of secrets. More than 100,000 of these secrets were valid when the study was conducted in late 2024, including AWS keys, GCP keys, OpenAI tokens, and GitHub tokens belonging to Fortune 500 companies.
Finally, we will discuss common misuses and pitfalls in Dockerfile files that lead to secrets being leaked, and describe best practices for handling secrets in Docker images.
Cyberattacks and data breaches are a common occurrence these days. Many businesses struggle to prioritize cybersecurity due to limited resources and budgets. Advanced security tools are often out of reach for organizations without significant cyber funds.
The Firewall Project, an open-source & community-powered appsec platform, is dedicated to providing accessible, effective and enterprise-grade cybersecurity solutions. Our mission is to empower organizations of all sizes with robust security tools that are free, scalable and user-friendly.
In this talk, we're excited to unveil The Firewall Project’s Appsec Platform, our innovative secrets detection, software composition analysis, web application scanner and remediation product. Our Platform is designed to seamlessly integrate into development workflows, empowering security teams to proactively identify and mitigate security incidents hidden within your code.
Our Platform is packed with enterprise-grade features, making it a powerful tool for security teams. These features include incident tracking, customizable dashboards, automated remediation workflows, seamless integrations with popular development tools, and single sign-on (SSO) capabilities. By providing these advanced features, The Firewall Project not only simplifies the detection and remediation process but also enables security teams to effectively demonstrate progress to management and promote a shift-left security culture.
Join us as we demonstrate how the appsec platform by The Firewall Project can be easily configured and implemented within your organization. Discover the benefits of shifting left with our platform, including enhanced internal security, improved visibility, and streamlined collaboration between development and security teams.
The session will present how all Drupal sites hosted using the DIGIT Drupal hosting service are protected from DDoS attacks. During the session, you will understand what a DDoS is, how our teams monitor and identify such attacks, and which measures we put in place to protect Drupal sites. The session will also cover more detailed information on the good practices developers should follow in order to minimize the impact of DDoS attacks, as well as how advanced DDoS protections could affect certain functionalities on Drupal sites. Particular attention will be given to the increase in bots and crawlers, which is especially relevant following the launch of multiple generative AI models.
Have you noticed how security policies often read like legal documents rather than practical guides? In this talk, I'll show you how we've been inadvertently creating barriers by writing policies in legalese and passive, authoritarian language that makes security feel like something that happens TO people rather than WITH them. Drawing from my experience transforming security policies into clear, engaging documents, I'll demonstrate how combining readability science, inclusive language, and AI can revolutionize the way we communicate security requirements.
Using real examples and live demonstrations, I'll show you how shifting from "The System Administrator shall enforce..." to "We protect our systems by..." transforms policies from intimidating documents into collaborative guidance that shapes behavior. You'll learn how to measure policy readability using LIX scores, harness inclusive language to build shared responsibility, and leverage AI tools to scale these improvements across your organization.
Whether you're a security professional frustrated with writing policies that gather digital dust, or a leader wondering why your security initiatives aren't getting traction, you'll leave with practical tools to make policies that work for people, not lawyers. Join me to learn how we can make security policies speak human and make everyone feel that security is indeed their responsibility too.
There's a storm brewing in the SecOps world; from an ocean of noise, a new breed is emerging: the Detection and Response Engineers.
Once upon a time, an algorithm's task was to make the distinction between a chihuahua and a cookie... true story. Human curiosity is a great thing, and this workshop is built around it.
Here total beginners in AI learn the fundamentals of deep learning, set up their environment, and apply it to image classification. By the end of the workshop, they are able to build a simple web application using Gradio that classifies images.
“Smart City” has been a trendy buzzphrase used by politicians, city planners, and tech companies for over a decade now — but their shiny promises gloss over dangerous realities.
Downtime and damages in municipalities due to cyberattacks regularly make the news, but we focus primarily on securing and recovering IT systems. Smart Cities by nature use a combination of IT and OT systems but have no established or holistic approach for managing overlapping risks to both. The consequences to security from varied stakeholders involved in Smart City planning and implementation go unexamined. Human hazards, vulnerable devices, and data management issues build on these to create diverse and creative attack paths for all sorts of threat actors.
Smart Cities present a ubiquitous and unique combination of risks which must be comprehensively assessed in order to improve procedural and operational security, reliability, and resilience. By reframing our understanding of what Smart Cities are, we can use and integrate pre-existing actionable strategies to prepare and defend against threats ranging from pandemics to nation-state attacks. As politically motivated cyberattacks expand in reach and collateral radius, we need to prepare our cities for when they become the next battlefield.
This talk aims to expand our definition of Smart Cities; discuss the data, human, and technological risks that they face; and share resources on how to deal with them.
The Cyber Resilience Act (CRA) marks a transformative step in the European Union’s cybersecurity regulatory landscape. Entering into force in December 2024, with full obligations applying from December 2027, the CRA introduces mandatory cybersecurity requirements for a wide range of products with digital elements—including hardware, software, and remote data processing solutions—sold within the EU single market.
Loaders, integral tools in the malware ecosystem, have evolved from niche utilities to widely accessible commodities in underground markets, enabling threat actors to deploy payloads with ease. While cybersecurity efforts focus heavily on analyzing payloads, loaders, the mechanisms behind obfuscation and delivery, remain underexplored. This talk goes into the continuous battle between loader innovations and cybersecurity defenses, highlighting techniques like in-memory execution and anti-analysis mechanisms that challenge detection solutions. Attendees will gain insights into the latest loader advancements, their impact on modern cyberattacks, and strategies for mitigating their threats, offering valuable perspectives for researchers and security professionals alike.
In this session, we’ll navigate the intricate landscape of distributed systems and discuss how Chaos Engineering offers a hands-on approach to gaining deeper insights into system behavior. We'll examine how teams leverage failure injection and error simulation to proactively identify weaknesses and strengthen resilience. From there, we'll dive into Gameday exercises, where teams deliberately push their systems to the limit to expose hidden resilience gaps. Finally, we’ll reflect on the current challenges of distributed systems and the realities teams face in maintaining resilience at scale.
Key success factors in combating cybercrime are well known and primarily focus on the exchange of information. However, there remain significant constraints and hesitations that limit the willingness to share and have yet to be adequately tackled. Explore some cutting-edge solutions and technologies to overcome these obstacles and enhance information sharing for a stronger collective security stance.
In this evolved version of my Living with ADHD in InfoSec talk, I integrate video interviews with John Strand (CEO of Black Hills Information Security), who shares both his personal journey with ADHD and his experience as an employer of neurodivergent professionals. This new perspective complements my ongoing exploration of how ADHD manifests in cybersecurity work.
After a year of deeper community engagement, it's become increasingly clear that neurodiversity is remarkably prevalent in InfoSec. Through our combined experiences and supported by recent research, John and I examine why our industry particularly attracts and benefits from neurodivergent thinking. The discussion includes both personal insights—from early diagnosis to workplace challenges—and practical strategies for leveraging diverse cognitive styles in security teams.
This presentation offers fresh perspectives on neurodiversity in cybersecurity and provides actionable insights for creating more effective, inclusive teams—whether you're familiar with the topic or exploring it for the first time.
The talk will focus on AI and cybersecurity.
Currently used by hackers for deep fakes, will it evolve into AI specialised in network attacks?
Will there be AI on the defence side?
Will we see a battle between the best AI (attack versus defence)?
What protection mechanisms could prevent hackers from using AI or compromising AI?
Are we in a dangerous transition phase where AI does not yet have sufficiently robust ethical mechanisms that cannot be circumvented?
These points will be addressed from a general, non-technical perspective.
At CIRCL, we're working to make sense of the ever-growing stream of vulnerability data—structured, unstructured, and everything in between. From public advisories to dark web intelligence collected through the AIL project, the data is rich but often inconsistent, fragmented, and difficult to navigate.
To help tackle this, we’re using Natural Language Processing (NLP) and large language models (LLMs) to extract insights—like estimating vulnerability severity from free-text descriptions when no CVSS score is available.
Our custom NLP model is trained on real-world data using our own infrastructure and updated regularly to reflect new trends. We’ve also released everything we’ve built: from raw datasets and training code to the final models, all available on Hugging Face. And with our ML-Gateway tool, anyone can easily retrieve an AI-generated severity score—no structured metadata required.
This session will walk through:
- The challenges of working with messy, real-world vulnerability data
- How we’re using AI to structure, score, and make sense of it
- What we've built, what we’ve learned, and what’s next
It’s an inside look at how we're combining human context with machine learning to improve how we understand and act on vulnerability information.
In this talk, we will dive into io_uring, the Linux kernel's groundbreaking I/O technology that is redefining asynchronous processing. We'll explore how io_uring dramatically enhances system performance by reducing overhead and enabling unprecedented efficiency in I/O operations. However, this increased power brings significant security considerations. We will review the current state of auditing and security controls within the Linux kernel for this powerful feature. Finally, we will demonstrate how security visibility tools such as Kunai can provide essential visibility into io_uring operations on Linux endpoints, helping to bridge the gap between performance and security.
For lightning talks on security topics. 5 minutes per speaker.
DRINKS RECEPTION, we serve drinks, hopefully you stay and participate.
5 min lightning talks about any topic that ISN'T infosec/security/cybersecurity