{"$schema": "https://c3voc.de/schedule/schema.json", "generator": {"name": "pretalx", "version": "2026.1.1"}, "schedule": {"url": "https://pretalx.com/bsidesluxembourg-2026/schedule/", "version": "0.72", "base_url": "https://pretalx.com", "conference": {"acronym": "bsidesluxembourg-2026", "title": "BSidesLuxembourg 2026", "start": "2026-05-06", "end": "2026-05-08", "daysCount": 3, "timeslot_duration": "00:05", "time_zone_name": "Europe/Luxembourg", "colors": {"primary": "#1785a1"}, "rooms": [{"name": "Atrium (common area)", "slug": "5123-atrium-common-area", "guid": "fdf8693e-170e-5bb7-9e30-eff972c8b09d", "description": "Where sponsors, lockpicking village, coffee, food etc. is", "capacity": null}, {"name": "Atrium (common room) 2", "slug": "5496-atrium-common-room-2", "guid": "663a9ff0-e9f4-52f8-95ae-2af2e2e913dd", "description": null, "capacity": null}, {"name": "Main Stage", "slug": "5117-main-stage", "guid": "75d481b1-868b-58be-a3aa-7a08dfdaa6bb", "description": "Main stage auditorium w 180 seats", "capacity": 225}, {"name": "IFEN room 1, Workshops and Detection Engineering village (Building D)", "slug": "5119-ifen-room-1-workshops-and-detection-engineering-village-building-d", "guid": "d009362d-88e2-5587-ae2a-5051041602da", "description": null, "capacity": 50}, {"name": "IFEN room 2, Workshops and AI Security Village  (Building D)", "slug": "5121-ifen-room-2-workshops-and-ai-security-village-building-d", "guid": "a18bb72e-a1ae-5ea3-acfa-8ddd1c6b0d44", "description": null, "capacity": 50}, {"name": "IFEN room 3 Workshops and AI Security Village (Building D)", "slug": "5120-ifen-room-3-workshops-and-ai-security-village-building-d", "guid": "3ecced5f-5a05-593c-a612-364a5528f8d3", "description": null, "capacity": 50}, {"name": "Workshops May 6th (C1.02.05)", "slug": "5559-workshops-may-6th-c10205", "guid": "3d0c95a1-f896-52f4-af12-2382f12d5c2d", "description": "In the secondary building, lowest level, accessed via exiting the main building or taking the 
glass-corridor connecting the buildings. The IFEN room is one big or 3 small rooms, it has sliding dividers.", "capacity": 20}, {"name": "Workshops May 6th (C1.02.06)", "slug": "5560-workshops-may-6th-c10206", "guid": "85295e39-503b-571c-b933-5c91f45f71d4", "description": "In the secondary building, lowest level, accessed via exiting the main building or taking the glass-corridor connecting the buildings. The IFEN room is one big or 3 small rooms, it has sliding dividers.", "capacity": 20}, {"name": "Workshops May 6th, Speaker's room May 7+8th (C1.02.13)", "slug": "5122-workshops-may-6th-speakers-room-may-78th-c10213", "guid": "6d57f409-6e10-5f49-9eb1-79fd7d149da7", "description": null, "capacity": 18}, {"name": "Workshops and Stage - Design Space (C1.05.12)", "slug": "5537-workshops-and-stage-design-space-c10512", "guid": "1d52d5bc-e122-502d-8a62-7079b3f6d4a3", "description": "40-50 persons max", "capacity": 40}, {"name": "Workshops and Stage - Gernsback (C1.05.02)", "slug": "5118-workshops-and-stage-gernsback-c10502", "guid": "b84d3f24-c35e-59bb-96b9-3b07464f6ab1", "description": "60 person secondary auditorium", "capacity": 20}, {"name": "CTF players room (C1.03.05 6+8th or C1.04.02 7th)", "slug": "5543-ctf-players-room-c10305-68th-or-c10402-7th", "guid": "9a60e791-5cf1-5ead-a5d6-59d101667e5a", "description": "For those doing the CTF", "capacity": 25}, {"name": "Workshops May 6th (C1.03.06)", "slug": "5544-workshops-may-6th-c10306", "guid": "b732f36a-4aac-5cd0-a76f-c28c29453193", "description": "For just hanging out or whatever, slide prep for speakers etc.", "capacity": 25}, {"name": "Workshops May 6th (C1.03.09)", "slug": "5678-workshops-may-6th-c10309", "guid": "1dc3959f-471b-5fd4-8656-b7b228eddc44", "description": null, "capacity": 20}, {"name": "Workshops May 6th (C1.03.10)", "slug": "5679-workshops-may-6th-c10310", "guid": "8d6c4ea8-3caf-54aa-8fff-dc3abd145524", "description": null, "capacity": null}], "tracks": [{"name": "Main Stage", "slug": 
"6603-main-stage", "color": "#5f0211"}, {"name": "Secondary Stage", "slug": "6605-secondary-stage", "color": "#7993f0"}, {"name": "CLUSIL Stage", "slug": "6606-clusil-stage", "color": "#19c316"}, {"name": "Workshop track 1", "slug": "6607-workshop-track-1", "color": "#77761d"}, {"name": "Workshop track 3", "slug": "6608-workshop-track-3", "color": "#ffad00"}, {"name": "Villages in Atrium", "slug": "6609-villages-in-atrium", "color": "#87c2d0"}, {"name": "Workshop track 2", "slug": "6602-workshop-track-2", "color": "#d3c7af"}, {"name": "Cloud track", "slug": "6963-cloud-track", "color": "#6dd4ee"}, {"name": "Actionable CTI and detection engineering village", "slug": "6964-actionable-cti-and-detection-engineering-village", "color": "#9700ff"}, {"name": "AI Security Village", "slug": "6977-ai-security-village", "color": "#2f2022"}, {"name": "Escape games!", "slug": "6965-escape-games", "color": "#1b4f5b"}, {"name": "Secure Development track", "slug": "6978-secure-development-track", "color": "#f3f235"}], "days": [{"index": 1, "date": "2026-05-06", "day_start": "2026-05-06T04:00:00+02:00", "day_end": "2026-05-07T03:59:00+02:00", "rooms": {"Main Stage": [{"guid": "221380ef-0903-53dd-aca3-6327642366c9", "code": "EFGX97", "id": 90612, "logo": null, "date": "2026-05-06T14:00:00+02:00", "start": "14:00", "duration": "04:00", "room": "Main Stage", "slug": "bsidesluxembourg-2026-90612-from-zero-trust-to-trusted-advisor-selling-security-to-stakeholders", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/EFGX97/", "title": "From Zero Trust to Trusted Advisor - Selling Security to Stakeholders", "subtitle": "", "track": null, "type": "Workshop 4h", "language": "en", "abstract": "You've identified the vulnerability, tested the exploit, and written the report. But they just don\u2019t see the urgency. Now what? This 4-hour, hands-on workshop bridges the gap between technical mastery and boardroom influence. 
We'll move beyond simply reporting risks to crafting compelling narratives, quantifying value, and building the relationships necessary to drive meaningful security improvements.\r\n\r\nThis isn't your typical \"compliance\" training. We'll delve into the psychology of decision-making, explore adversarial communication tactics (used against you), and arm you with practical strategies to become a trusted advisor who can effectively advocate for security and get things done.", "description": "You've identified the vulnerability, tested the exploit, and written the report. But they just don\u2019t see the urgency. Now what? This 4-hour, hands-on workshop bridges the gap between technical mastery and boardroom influence. We'll move beyond simply reporting risks to crafting compelling narratives, quantifying value, and building the relationships necessary to drive meaningful security improvements.\r\nThis isn't your typical \"compliance\" training. We'll delve into the psychology of decision-making, explore adversarial communication tactics (used against you), and arm you with practical strategies to become a trusted advisor who can effectively advocate for security and get things done.\r\nTarget Audience:\r\nSecurity professionals of all levels (penetration testers, security engineers, analysts, red teamers, etc.) 
who want to improve their communication and persuasion skills to influence stakeholders and drive security initiatives.\r\nWorkshop Objectives:\r\nParticipants will be able to:\r\n\u2022\tIdentify and analyze key stakeholders, influencers, and decision makers within their organizations.\r\n\u2022\tTranslate technical findings or concepts, such as security by design, into business-centric language.\r\n\u2022\tTailor your message to your stakeholders and influence them to make better decisions (social engineering for good!).\r\n\u2022\tArticulate the ROI of security investments.\r\n\u2022\tEffectively counter common objections and adversarial tactics.\r\n\u2022\tDevelop a practical method for ongoing stakeholder engagement.\r\n\u2022\tPractice communicating complex security issues to non-technical audiences.\r\n\u2022\tBuild trust and credibility with diverse stakeholders.\r\n\u2022\tOvercome their own fears and perceived limitations when dealing with key business decision makers.", "recording_license": "", "do_not_record": false, "persons": [{"code": "WPNVNV", "name": "Daniela Parker", "avatar": "https://pretalx.com/media/avatars/WPNVNV_SIe0C7z.webp", "biography": "Daniela Parker has sat on the other side of the table \u2014 as a Chief Risk Officer and Chief Operating Officer \u2014 making the tough calls on budgets, priorities, and competing initiatives. She knows exactly what happens in the executive huddle after the security team leaves the room.\r\nAs the founder of Parker Solutions, Daniela helps organizations turn risk and security from technical conversations into strategic business decisions. She has led enterprise risk programs, technology transformations, regulatory initiatives, and operational strategy \u2014 and she\u2019s had to decide where resources go and why.\r\nHer superpower? Teaching security professionals how to speak the language executives actually use.\r\nHer style is direct, practical, and real. No theory for theory\u2019s sake. 
Just executive-level insight into how decisions actually get made \u2014 and how to influence them.\r\nBecause when you understand how executives think, security doesn\u2019t just get acknowledged.\r\nIt gets prioritized.", "public_name": "Daniela Parker", "guid": "7439377f-3883-5436-9135-d036d98e68cd", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/WPNVNV/"}, {"code": "J3PRCC", "name": "Glen Sorensen", "avatar": "https://pretalx.com/media/avatars/J3PRCC_2Vu87sY.webp", "biography": "Glen Sorensen is a Recovering CISO/vCISO-Type and is presently a Solutions Engineer with DeleteMe. He has worn numerous hats in his career, in areas such as security engineering and architecture, security operations, GRC, and leadership, including leading the security program for a credit union and for smaller organizations in a fractional role. He currently focuses on how exposed information and OSINT are weaponized in conjunction with AI toward social engineering attacks, and how that factors into greater enterprise cyber risk.\r\n\r\nGlen approaches problems with practical solutions that bring good business value and has worked across many sectors, including financial services, healthcare, manufacturing, and others. He has served as a consulting expert in a large legal case involving healthcare and cyber attack detection technology. He has been in IT and security for 20+ years, depending on how much misspent youth you count.  
He is a privacy geek and a sucker for a good tabletop exercise, and also serves as an Incident Master for HackBack Gaming, which puts his countless hours of roleplaying game experience to work teaching people about cybersecurity and incident response.", "public_name": "Glen Sorensen", "guid": "b3a24141-a593-5cb2-b2f2-84110e0c2875", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/J3PRCC/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/EFGX97/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/EFGX97/", "attachments": []}], "IFEN room 1, Workshops and Detection Engineering village (Building D)": [{"guid": "4ecd0935-4394-552e-aabf-ef9b50eb5efc", "code": "WGNSKX", "id": 88216, "logo": null, "date": "2026-05-06T09:00:00+02:00", "start": "09:00", "duration": "09:00", "room": "IFEN room 1, Workshops and Detection Engineering village (Building D)", "slug": "bsidesluxembourg-2026-88216-reboot-ml-foundations-for-cybersecurity-in-2026", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/WGNSKX/", "title": "[Reboot] ML foundations for cybersecurity in 2026", "subtitle": "", "track": null, "type": "Training 8h", "language": "en", "abstract": "This session provides cybersecurity professionals with practical machine learning skills, from ML basics up to deep learning with TensorFlow. Participants will set up a complete development environment and learn foundational ML concepts through hands-on implementation rather than mathematical theory. The curriculum covers core ML principles through deep learning, with emphasis on security-relevant applications. No advanced mathematics or prior AI experience required.\r\n\r\nWe break the myth. 
You don't need a PhD to do AI here.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "3LW9XQ", "name": "Pauline Bourmeau (Cookie)", "avatar": "https://pretalx.com/media/avatars/3LW9XQ_fRZxzk4.webp", "biography": "Pauline Bourmeau is an independent security researcher specializing in the intersection of artificial intelligence, cognitive psychology, and threat intelligence. She has consulted on multilingual natural language processing, led deep learning and NLP workshops, and created training materials blending STEM with human factors. As founder of DEFCON Paris and contributor to the MISP project, she actively advances collaborative cybersecurity practices.\r\nPreviously, Pauline worked as a Threat Intelligence Analyst conducting OSINT, HUMINT, and SOCINT analysis to profile threats and investigate APTs. She holds a Master\u2019s in Criminology with a thesis on cybersecurity intelligence sharing, and a background in sociolinguistics and computer science from Sorbonne and School 42.", "public_name": "Pauline Bourmeau (Cookie)", "guid": "c9728882-b3f8-50d5-b946-fb3cf82d1c4f", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/3LW9XQ/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/WGNSKX/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/WGNSKX/", "attachments": []}], "IFEN room 2, Workshops and AI Security Village  (Building D)": [{"guid": "375bb907-bd81-5b2c-9da9-7332a4305a2a", "code": "9HS8CG", "id": 88650, "logo": "https://pretalx.com/media/bsidesluxembourg-2026/submissions/9HS8CG/image_TyepQxk.webp", "date": "2026-05-06T09:00:00+02:00", "start": "09:00", "duration": "02:00", "room": "IFEN room 2, Workshops and AI Security Village  (Building D)", "slug": "bsidesluxembourg-2026-88650-0-packet-analysis-for-beginners-an-iot-toy-some-packets-and-wireshark", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/9HS8CG/", "title": "Packet Analysis for Beginners - 
an IoT toy, some packets, and Wireshark", "subtitle": "", "track": null, "type": "Workshop 2h", "language": "en", "abstract": "What can we learn from ordinary packets on the wire, using a disconcerting connected toy as a demo device? How can you tell when something is phoning home? In this workshop, we\u2019ll use Wireshark to observe what devices send and receive during regular operation.", "description": "Pre-Workshop Setup:\r\nPlease install Wireshark before the session: [https://www.wireshark.org/docs/installation.html](https://www.wireshark.org/download.html)\r\n\r\nCrucial Permission Steps:\r\n    Windows: Ensure you install Npcap during the setup process.\r\n    macOS: Follow the prompts to allow network access/chmod permissions.\r\n    Linux: Run sudo dpkg-reconfigure wireshark-common, select yes, then add your user to the wireshark group (sudo usermod -aG wireshark $USER), then reboot.\r\n\r\nTest: Open the app; if you see \"live\" traffic lines on your network interface, you are ready!\r\n\r\nIn this workshop, we\u2019ll take a packet capture from a disconcerting connected toy and use it as a starting point to learn how to read ordinary network traffic. Step by step, we\u2019ll look at how devices introduce themselves on a local network, resolve names, establish connections, negotiate encryption, and continue communicating during normal operation. Once we have familiarized ourselves, we will move on to some real-world captures.\r\n\r\nRather than breaking encryption or exploiting vulnerabilities, the focus is on observation and understanding. Using Wireshark, we\u2019ll practice identifying patterns, relationships, and metadata that remain visible even when payloads are encrypted. Along the way, we\u2019ll look at how to recognise when a device is phoning home, what kinds of context travel with requests, and how much can be learned from traffic that is behaving exactly as designed.\r\n\r\nThis workshop is aimed at beginners and the curious. 
No prior experience with packet analysis is required. A willingness to look closely at what is already on the wire is enough.", "recording_license": "", "do_not_record": false, "persons": [{"code": "KCCUQU", "name": "Katherine Leese", "avatar": "https://pretalx.com/media/avatars/KCCUQU_CHNLkVe.webp", "biography": "Katherine is a tech professional with 2.5 years of experience, having retrained in her 40s to become a Computer Expert, specialising in System Integration. Originally from New Zealand, she is currently based in Germany. During her training, she undertook a practicum at SevenShift, a boutique IoT cybersecurity company in Cologne that recognized her talent and dedication, ultimately hiring her. She is now in a training position, where she is honing her skills and contributing to the company's security initiatives. Outside of her professional life, Katherine is a dedicated single mother to a teenager. She is also a member of the Haecksen, the FLINTA branch of the CCC, and a leader of the Cologne OWASP Chapter", "public_name": "Katherine Leese", "guid": "5395844e-0836-5890-8ed2-3a69fd251b0d", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/KCCUQU/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/9HS8CG/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/9HS8CG/", "attachments": []}, {"guid": "b9004aeb-7710-5fe6-9568-ff2a09ab7d0e", "code": "ZXMFCW", "id": 92469, "logo": null, "date": "2026-05-06T11:00:00+02:00", "start": "11:00", "duration": "02:00", "room": "IFEN room 2, Workshops and AI Security Village  (Building D)", "slug": "bsidesluxembourg-2026-92469-a-phishing-trip-with-fancy-bear-let-s-analyze-apt-malware-together", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/ZXMFCW/", "title": "A phishing trip with Fancy Bear - Let's analyze APT malware together!", "subtitle": "", "track": null, "type": "Workshop 2h", "language": "en", "abstract": "In this beginner-friendly workshop we will 
walk through the analysis of a recent Fancy Bear (APT28) attack chain together. It will feature a targeted phishing email, a then-0-day Microsoft Office exploit and multiple follow-up stages to showcase file formats and analysis methods. Additionally, we will take a look at the infrastructure behind the attack.", "description": "This workshop does not depend on domain-specific knowledge; we will try to break the steps down as far as possible. Attendees will follow along through small exercises, with the opportunity to compare their solutions through a validation system.\r\n\r\nImportant message for attendees: If you would like to follow along, please bring a laptop with a charged battery. You will be handling real-world malware (you act at your own risk; no backup, no pity). I recommend using a virtual machine (e.g. FLARE-VM, REMnux) so that the samples stay off your host system. No special tooling is required; just make sure to have the basics (text and hex editor, browser, ZIP utility) installed. No photos during the workshop please; you will receive a copy of the slides.", "recording_license": "", "do_not_record": true, "persons": [{"code": "JNK9DK", "name": "Marius Genheimer", "avatar": null, "biography": "Marius Genheimer is a DFIR Specialist and Threat Researcher with the SECUINFRA Falcon Team. 
He specializes in malware analysis and defensive security training.", "public_name": "Marius Genheimer", "guid": "4a19fab7-2477-59fb-a716-efc172e516f8", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/JNK9DK/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/ZXMFCW/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/ZXMFCW/", "attachments": []}, {"guid": "98669856-e407-5a85-857f-489b3f7bd215", "code": "JABHUU", "id": 85279, "logo": "https://pretalx.com/media/bsidesluxembourg-2026/submissions/JABHUU/Beetle-Wallpa_AuZGt2l.webp", "date": "2026-05-06T14:00:00+02:00", "start": "14:00", "duration": "02:00", "room": "IFEN room 2, Workshops and AI Security Village  (Building D)", "slug": "bsidesluxembourg-2026-85279-how-to-read-code-to-find-vulnerabilities", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/JABHUU/", "title": "How to Read Code to Find Vulnerabilities", "subtitle": "", "track": null, "type": "Workshop 2h", "language": "en", "abstract": "The industry needs more security code reviewers. Vulnerabilities are getting deeper, not simpler, and modern applications fail in subtle ways that scanners, and even AI, routinely miss. Meanwhile, developers are writing less code and reviewing more of it than ever (hopefully).\r\n\r\nThis workshop is a fast, hands-on introduction to reading code with a security mindset. Through real CVE-inspired examples, you\u2019ll see how tiny inconsistencies, misplaced assumptions, and misunderstood framework behaviour turn into real, exploitable flaws.\r\n\r\nYou\u2019ll learn how to detect red flags quickly, identify dangerous patterns in small snippets, and build intuition for where vulnerabilities hide. 
Whether you\u2019re a developer, pentester, or security engineer, you\u2019ll walk away with a foundational methodology for performing clear, consistent, and reliable code reviews.", "description": "Modern applications break in subtle ways, and many of the most impactful vulnerabilities come from tiny mistakes hidden in plain sight. Scanners won\u2019t catch them. AI won\u2019t catch them. But a trained human eye will.\r\n\r\nThis workshop teaches you how to read code with the explicit goal of finding vulnerabilities.\r\nThrough real, CVE-inspired examples, we\u2019ll explore how small inconsistencies, incorrect assumptions, and misunderstood framework behaviour turn into exploitable bugs.\r\n\r\nYou\u2019ll practice spotting red flags in small snippets, recognising dangerous patterns, and understanding why certain coding choices reliably lead to security issues. The session is fast-paced and hands-on, designed to build practical intuition you can apply immediately.\r\n\r\nWhether you\u2019re a developer, pentester, or AppSec engineer, you\u2019ll leave with a clear, repeatable methodology for reviewing code and uncovering vulnerabilities that tools routinely miss.", "recording_license": "", "do_not_record": false, "persons": [{"code": "CZM8Q8", "name": "Louis Nyffenegger", "avatar": "https://pretalx.com/media/avatars/CZM8Q8_0AF7SzY.webp", "biography": "Louis Nyffenegger is a renowned application security expert and the founder of PentesterLab, a leading platform for hands-on security training. 
With extensive experience in penetration testing, code review, and application security, Louis has worked at organizations like the National Bank of Australia, Australia Post, and Fitbit.\r\n\r\nHe has delivered talks at security conferences, including DEFCON, Kawaiicon, and BSides Canberra, sharing insights on web security, code review techniques, and the intricacies of penetration testing.\r\n\r\nAs the primary author of PentesterLab\u2019s labs, Louis has designed practical, real-world exercises that help security professionals and developers master vulnerabilities and improve their skills. He also runs AppSecSchool, a YouTube channel dedicated to application security, and writes thought-provoking blog posts to inspire the security community.\r\n\r\nBeyond his technical contributions, Louis is passionate about teaching and empowering others to build secure software. He believes in a hands-on approach to security education, emphasising real-world applications and meaningful learning experiences.", "public_name": "Louis Nyffenegger", "guid": "d1947bdd-0778-5363-8b82-9dc48a50635a", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/CZM8Q8/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/JABHUU/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/JABHUU/", "attachments": []}, {"guid": "8d2085e9-622d-59b2-bb24-05864ce4927d", "code": "CY9AEA", "id": 85197, "logo": null, "date": "2026-05-06T16:00:00+02:00", "start": "16:00", "duration": "02:00", "room": "IFEN room 2, Workshops and AI Security Village  (Building D)", "slug": "bsidesluxembourg-2026-85197-hands-on-car-hacking-automotive-cybersecurity", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/CY9AEA/", "title": "Hands-on Car Hacking & Automotive Cybersecurity", "subtitle": "", "track": null, "type": "Workshop 2h", "language": "en", "abstract": "Modern cars are no longer mechanical devices. They're complex, interconnected computer networks. 
And like any networked system, they can be hacked. This workshop introduces participants to the fundamentals of automotive cybersecurity through real-world, hands-on exploration of in-vehicle communication and attack techniques.", "description": "In this interactive workshop, attendees will learn how modern cars communicate internally and how attackers can exploit weaknesses in these systems. After a quick introduction to automotive security concepts and vehicle network architecture, participants will dive straight into practical exercises using the Controller Area Network (CAN) bus.\r\n\r\nYou'll capture and analyze live CAN traffic, reverse engineer messages sent to critical components, and craft spoofed signals that manipulate the instrument cluster, all within a safe and controlled lab environment. Through guided exercises, demonstrations, and collaborative problem-solving, you'll gain a clear understanding of how real automotive attacks work and what defenders should look out for.\r\n\r\n**Key Takeaways:**\r\n- Understand modern automotive security fundamentals and vehicle network design\r\n- Capture, analyze, and interpret CAN bus traffic\r\n- Reverse engineer real in-vehicle messages\r\n- Craft and send spoofed signals to demonstrate attack paths in a controlled environment\r\n\r\n**Prerequisites:**\r\nParticipants should bring a laptop with the following characteristics:\r\n- Laptop running a Linux distribution (or a Linux VM with USB passthrough enabled)\r\n- Available USB-A port, or USB-C port with compatible cable", "recording_license": "", "do_not_record": false, "persons": [{"code": "EDEHQ8", "name": "Roald Nefs", "avatar": "https://pretalx.com/media/avatars/EDEHQ8_ubjqIqv.webp", "biography": "Chief Technology Officer at Warpnet, Roald has a broad background in security engineering, platform operations, and IT compliance. 
He contributes to open-source projects and serves as an organizer of BSides Groningen and BSides Amsterdam.", "public_name": "Roald Nefs", "guid": "2ecd7e62-3c1c-5f2e-a622-b2a2e083836a", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/EDEHQ8/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/CY9AEA/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/CY9AEA/", "attachments": []}], "IFEN room 3 Workshops and AI Security Village (Building D)": [{"guid": "7f4d15ef-16ab-51a1-8df6-85ad1bc205a9", "code": "CVMLKB", "id": 92825, "logo": null, "date": "2026-05-06T09:00:00+02:00", "start": "09:00", "duration": "02:00", "room": "IFEN room 3 Workshops and AI Security Village (Building D)", "slug": "bsidesluxembourg-2026-92825-gotta-contain-em-all-collaborative-incident-response-training-through-gaming", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/CVMLKB/", "title": "Gotta Contain 'Em All: Collaborative Incident Response Training Through Gaming", "subtitle": "", "track": null, "type": "Workshop 2h", "language": "en", "abstract": "Incident response isn't just about knowing your tools - it's about coordinating under pressure, communicating when things go sideways, and making calls with incomplete information. Traditional training focuses on isolated techniques, missing the collaborative reality of actual incidents. And most tabletop exercises? Painfully dull. Participants zone out, give checkbox answers, and leave having learned little.\r\n\r\nThis workshop introduces Malware & Monsters (https://malwareandmonsters.com), a framework that turns IR training into something people actually enjoy. Think tabletop role-playing meets creature-collection mechanics, where teams \"hunt and contain\" digital threats through story-driven gameplay.\r\nGame-based learning works - research shows it beats traditional instruction for skill building and retention. 
M&M makes participants actively discover concepts instead of sitting through lectures. Scenarios include organizational pressures, evolving threats, and stakeholder drama, turning abstract security concepts into tangible problems.\r\n\r\nYou'll experience the full methodology: learn the mechanics, build custom scenarios based on real malware families (mapped to MITRE ATT&CK), and run live simulations. Participants take specialized roles - Hunter, Analyst, Forensicator, Communicator, Coordinator, or Researcher - experiencing how security functions actually collaborate during incidents.\r\n\r\nThe framework includes legacy malmons from malware history\u2014because history always repeats itself, and understanding past threats reveals patterns in current attacks. The \"type effectiveness\" system teaches strategic thinking about matching defenses to threats. Evolution mechanics show how attacks escalate when containment fails.\r\n\r\nParticipants walk away with ready-to-use materials and facilitation techniques for training that actually works.\r\n\r\nBest of all? M&M is free to play in most cases.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "SQVVHK", "name": "Klaus Agnoletti", "avatar": "https://pretalx.com/media/avatars/JZ8NCF_NRSojrT.webp", "biography": "Klaus Agnoletti has been an all-round infosec professional since 2004. As a long-time active member of the infosec community in Copenhagen, Denmark, he co-founded BSides K\u00f8benhavn in 2019. \r\n\r\nCurrently he's a freelance storytelling cyber security advisor specializing in security transformation and community focused marketing, employer branding, playing security games  and other fun assignments and ideas coming his way. 
\r\n\r\nLately he has also become a neurodiversity advocate speaking about ADHD to educate and break down taboos in an industry with a vast overrepresentation of neurodiversity and not very many talking about it.", "public_name": "Klaus Agnoletti", "guid": "97865f70-b8ae-51b2-b463-29887514404a", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/SQVVHK/"}, {"code": "J3PRCC", "name": "Glen Sorensen", "avatar": "https://pretalx.com/media/avatars/J3PRCC_2Vu87sY.webp", "biography": "Glen Sorensen is a Recovering CISO/vCISO-Type and is presently a Solutions Engineer with DeleteMe. He has worn numerous hats in his career, in areas such as security engineering and architecture, security operations, GRC, and leadership, including leading the security program for a credit union and for smaller organizations in a fractional role. He currently focuses on how exposed information and OSINT are weaponized in conjunction with AI toward social engineering attacks, and how that factors into greater enterprise cyber risk.\r\n\r\nGlen approaches problems with practical solutions that bring good business value and has worked across many sectors, including financial services, healthcare, manufacturing, and others. He has served as a consulting expert in a large legal case involving healthcare and cyber attack detection technology. He has been in IT and security for 20+ years, depending on how much misspent youth you count.  
He is a privacy geek and a sucker for a good tabletop exercise, and also serves as an Incident Master for HackBack Gaming, which puts his countless hours of roleplaying game experience to work teaching people about cybersecurity and incident response.", "public_name": "Glen Sorensen", "guid": "b3a24141-a593-5cb2-b2f2-84110e0c2875", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/J3PRCC/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/CVMLKB/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/CVMLKB/", "attachments": []}, {"guid": "94f5cec4-2ae0-5830-ad0f-131cc6fc4d2c", "code": "ETX7TJ", "id": 92008, "logo": null, "date": "2026-05-06T11:00:00+02:00", "start": "11:00", "duration": "02:00", "room": "IFEN room 3 Workshops and AI Security Village (Building D)", "slug": "bsidesluxembourg-2026-92008-cloud-ai-security-capture-the-flag", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/ETX7TJ/", "title": "Cloud & AI Security - Capture the Flag", "subtitle": "", "track": null, "type": "Workshop 2h", "language": "en", "abstract": "Cloud & AI Security - Capture the flag hands-on workshop", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "K7FL9R", "name": "Nathan", "avatar": null, "biography": "Will work on this", "public_name": "Nathan", "guid": "4f160eab-d219-52e8-9d4b-295dbfda9630", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/K7FL9R/"}, {"code": "SR3YVL", "name": "Richard Hensen", "avatar": "https://pretalx.com/media/avatars/HTMP3F_bNPpzJW.webp", "biography": "https://nl.linkedin.com/in/rihensen", "public_name": "Richard Hensen", "guid": "33590334-dc76-537e-a143-9b46f481135d", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/SR3YVL/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/ETX7TJ/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/ETX7TJ/", "attachments": []}, {"guid": 
"656de9ab-f401-5af2-a7d6-f0e694e00421", "code": "TVXPKX", "id": 85117, "logo": null, "date": "2026-05-06T14:00:00+02:00", "start": "14:00", "duration": "04:00", "room": "IFEN room 3 Workshops and AI Security Village (Building D)", "slug": "bsidesluxembourg-2026-85117-level-up-your-ci-cd-building-a-secure-pipeline-with-oss", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/TVXPKX/", "title": "Level Up Your CI/CD: Building a secure pipeline with OSS", "subtitle": "", "track": null, "type": "Workshop 4h", "language": "en", "abstract": "What does the \"perfect\" CI/CD pipeline look like, especially one built with security at its core? This hands-on workshop explores that ideal using readily available open-source tools. We'll dissect the essential stages of a modern pipeline, demonstrating how to integrate security seamlessly throughout the development lifecycle (DevSecOps).\r\n\r\nThrough practical, step-by-step guidance, we'll implement key security checks like Static Application Security Testing (SAST), Software Composition Analysis (SCA), infrastructure vulnerability scanning, and secrets detection using popular OSS tools within a functional pipeline. While we'll showcase specific tools and configurations, the goal is not just replication, but understanding how and why these security controls work.\r\n\r\nDiscover the underlying principles of secure pipeline design and leave with actionable techniques to start building your own hardened, practical CI/CD pipeline.", "description": "Workshop repository: https://github.com/unicrons/secure-pipeline-workshop", "recording_license": "", "do_not_record": false, "persons": [{"code": "UKFTUX", "name": "Andoni Alonso", "avatar": "https://pretalx.com/media/avatars/UKFTUX_QOB5bYN.webp", "biography": "Building Open Cloud Security at Prowler.\r\n\r\nI started as a sysadmin, was a Site Reliability Engineer until a few years ago when I moved to the dark side... Security. 
I've been hooked to CTFs and anything with a scoreboard for a long time.\r\n\r\nStarting the unicrons.cloud project to share knowledge about cloud security with the community.", "public_name": "Andoni Alonso", "guid": "cf723d7e-b33b-54bb-a4f6-7a2cdc8d42e4", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/UKFTUX/"}, {"code": "UNNQE8", "name": "Paco Sanchez", "avatar": "https://pretalx.com/media/avatars/UNNQE8_umsF1aZ.webp", "biography": "I\u2019m an SRE focused on Developer Productivity and Platform Engineering, with over 8 years of experience building tools that help developers work smarter. I pride myself on being highly pragmatic, always prioritizing solutions that balance efficiency and impact.\r\nOh, and fun fact: my right thumb is actually my toe. Yes, it\u2019s as weird as it sounds, but I like to think I can give \"Super Likes\".", "public_name": "Paco Sanchez", "guid": "926430f4-1bc3-5d0b-bbba-12a7d5c6e733", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/UNNQE8/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/TVXPKX/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/TVXPKX/", "attachments": []}], "Workshops May 6th (C1.02.05)": [{"guid": "ed842c82-e617-5b5c-b13c-75bae66e7e5a", "code": "XGQ7DT", "id": 92929, "logo": null, "date": "2026-05-06T09:00:00+02:00", "start": "09:00", "duration": "04:00", "room": "Workshops May 6th (C1.02.05)", "slug": "bsidesluxembourg-2026-92929-mastering-bash-for-hackers-extreme-command-line-power", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/XGQ7DT/", "title": "Mastering Bash for Hackers: Extreme Command-Line Power", "subtitle": "", "track": null, "type": "Workshop 4h", "language": "en", "abstract": "Bash isn\u2019t just an interface to your daily laptop - it\u2019s a weapon. In this hands-on workshop, we\u2019ll push bash beyond its typical use, leveraging it for hacking, data processing, automation, and real-world security applications. 
Whether you\u2019re crafting exploits, analyzing massive datasets, or automating reconnaissance, this session will equip you with the skills to turn bash into your ultimate hacking tool.\r\n\r\nTo take part in the workshop, please bring your own laptop.", "description": "- Master advanced bash scripting techniques for automation and hacking.\r\n- Process terabytes of leaked password data and uncover real-world security insights.\r\n- Use bash to manipulate and extract intelligence from logs, network traffic, and system artifacts.\r\n- Generate graphs, automate reports, and convert file formats entirely from the command line.\r\n- Learn how to replace GUI-based tools with bash scripts for speed and stealth.\r\n\r\nBy the end of this workshop, you\u2019ll be able to:\r\n- Automate and accelerate security tasks with powerful one-liners and scripts.\r\n- Use bash to analyze, manipulate, and exploit data in security research.\r\n- Apply bash in unconventional ways, from image processing to document forensics.", "recording_license": "", "do_not_record": false, "persons": [{"code": "BFDPQS", "name": "Kirils Solovjovs", "avatar": null, "biography": "Kirils Solovjovs is Latvia's leading white-hat hacker and IT policy activist, known for uncovering and responsibly disclosing critical security vulnerabilities in national and international systems. An expert in penetration testing, network flow analysis, and reverse engineering, he is also a lifelong command-line enthusiast. Kirils started programming at age 7 and by grade 9 was spending his lunch breaks writing machine code directly in a hex editor. He uses bash daily for hacking, automation, and large-scale data processing and is sometimes contracted by major online education providers to proofread their bash certification exams. 
He currently is the lead researcher at Possible Security.", "public_name": "Kirils Solovjovs", "guid": "325ead40-4b03-5c18-88e3-e6be1d7b26d1", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/BFDPQS/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/XGQ7DT/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/XGQ7DT/", "attachments": []}], "Workshops May 6th (C1.02.06)": [{"guid": "c6aeb9c6-614e-5d88-9f7d-2204a2f0affb", "code": "QXECVY", "id": 92619, "logo": null, "date": "2026-05-06T13:30:00+02:00", "start": "13:30", "duration": "02:00", "room": "Workshops May 6th (C1.02.06)", "slug": "bsidesluxembourg-2026-92619-from-code-to-compromise-turning-modern-day-ides-into-attack-vectors-via-malicious-extensions", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/QXECVY/", "title": "From Code to Compromise: Turning modern day IDEs into attack vectors via malicious Extensions", "subtitle": "", "track": null, "type": "Workshop 2h", "language": "en", "abstract": "Visual Studio Code has become the de-facto IDE for millions of developers, and its extension marketplace is now a first-class target for supply-chain compromise. In this talk we move beyond yesterday\u2019s JavaScript-only \u201ctheme\u201d backdoors and show how to fuse high-level TypeScript with low-level Rust to create extensions that are indistinguishable from legitimate Microsoft-signed add-ons\u2014yet silently execute native x86_64 shellcode inside the IDE process.\r\n\r\nWe begin with a data-driven tour of recent in-the-wild incidents: we begin by examining an array of malicious solidity extensions which targeted blockchain developers with a special emphasis on the [\u201cSolidity\u201d extension that stole $500 k in crypto from a Russian blockchain developer](https://www.kaspersky.com/about/press-releases/kaspersky-uncovers-500k-crypto-heist-through-malicious-packages-targeting-cursor-developers). 
We follow that up with an analysis of the Malicious Corgi malware, and the [new self propagating GlassWorm extension](https://www.truesec.com/hub/blog/glassworm-self-propagating-vscode-extension) - including the later samples seen in the wild which used more advanced techniques. The rise of AI-centric forks (Cursor, Windsurf, etc.) has also given a rise to new extension marketplaces where malicious extension can use inflated download counts to serve as perfect camouflage. Next we deep-dive into the malicious extension toolchain: a Rust FFI bridge that compiles to a library, exposes a single innocent-looking TypeScript API, and preserves the marketplace\u2019s blue \u201cverified\u201d tick. We demonstrate live how to backdoor legit extensions - including cases where the source code is available and when it is not. \r\n\r\nWe close with defensive takeaways: IoCs and TTPs to look for, defensive rules which can prevent such attacks and possible detection vectors. Attendees leave with a fully annotated GitHub repo that walks them through the process of developing such malware - starting with a \"hello-world\" C++ addon and building a rust based shellcode loader backdoored into a popular extensions.", "description": "Visual Studio Code is no longer just an editor; the IDE, along with its many AI powered forks, have become the most primary interface for Developers of all kind.  Its extension host, a Microsoft-signed Electron process, enjoys the same blind trust from EDRs that we traditionally grant to Outlook or Teams.  Meanwhile, the extension ecosystem still treats security as an after-thought: there is no deep dive source scanning, verification mechanisms are sparse, and the blue \u201cverified\u201d badge is cached locally \u2013 so a repackaged `.vsix` keeps the badge even after the payload has been swapped. 
The talks presents a brief case study about the various examples of malicious extensions used in the wild by threat actors and previously affected supply chains.\r\n\r\nThe talks presents the one of the first public implementation that weaponises this trust gap with a **Rust-compiled, position-independent shellcode runner** delivered as a Node native addon by taking a Microsoft published extension: live-server and backdooring it with a malicious extension, as well another extension with over 74M downloads. The talk also demos the following aspects of such an attack:\r\n\r\n1. **Extension-host OPSEC**: delaying `require(\"./index.node\")` until the user triggers the legitimate command (\u201cOpen with Live Server\u201d) so the implant is **absent from the initial process snapshot** that EDRs collect.  \r\n2. **Repackaging a blue-tick extension**: cloning Microsoft\u2019s own \u201cLive Preview\u201d repository at a signed commit, grafting the Rust addon into its webpack pipeline, and repackaging with `vsce package`.  The resulting `.vsix` is byte-for-byte identical except for the extra native node \u2013 and the GUI still shows the verified badge because VS Code only re-validates signatures when enterprise policy `extensions.verifySignature` is set to `error`.  \r\n3. **Going in blind** - Backdooring another popular extension with our shellcode - without any prior knowledge of the source code\u2028\r\nAll these topics would also dissect the internal workings, file structure, thread stack and other relevant information associated with the working of the loader/\r\n\r\nFinally, the talk concludes by listing the relevant IoCs and TTPs left behind by this attack vector and discusses various detections which organisations and individuals can adopt to protect themselves.\r\n\r\nSession Outline\r\n\r\n0. Pre-roll (loop, 2 min before start)\r\n    1. Screen cycles side-by-side screenshots: legitimate vs back-doored Live Preview extension.\r\n    2. 
Blue tick is identical; only the \u201cInstallation\u201d tab shows an extra 46 kB native node\r\n    3. Caption: \u201cSpot the implant.\u201d (Sets the visual theme of the talk.)\r\n1. Introductions (1 min)\r\n    1. whoami\r\n    2. Previous work\u2028 \r\n2. Opening \u2013 VS Code and its many forks (5 min)\r\n    1. Rise of VS Code and it\u2019s various forks\t\r\n    2. Rise of new forks mean the rise of new market places\r\n    3. Why target VSCode?\r\n        * Electron renderer = Microsoft-signed, whitelisted by every EDR.\r\n        * Marketplaces scan JS source only \u2192 native code is often a blind spot.\r\n        * Very difficult to tell malicious extensions apart\r\n3. Attacks in the Wild (8 mins) \r\n    1. Previous attacks in the wild: Kaspersky, Malicious Corgi, Material Themes, Glassworm\r\n    2. Dissecting the $500K Kaspersky malware\r\n    3. Powershell scripts are nice - but we can do better\r\n    4. Taking a look into Malicious Corgi \r\n    5. Taking a looking into Glassworm\u2019s source code \r\n    6. Unicode is nice - compiled is nicer\r\n    7. Pivot: \u201cWhat if we go native?\u201d\u2028\r\n4. Node addons and demo extensions (5 mins)\r\n    1. Introduction to node addons \r\n    2. Compiling C++ shellcode runner compiled with node-gyp  and running it with gyp\r\n    3. Creating a \u201cHello world\u201d extension and using ffi to pop a message box\u2028\r\n5. Bringing in the crab (8 mins)\r\n    1. Introducing neon-rs  and interfacing with Javascript/Typescript \r\n    2. Writing a shellcode runner in rust\r\n    3. Discuss relevant changes to be made in the configs \r\n    4. Compiling and running \u2028\r\n6. Backdooring a legit VS Code extension (10 mins) \r\n    1. Choosing the target: LiveServer \r\n    2. Updating the source to include the add-on\r\n    3. Making webpack happy \r\n    4. Compiling and loading the extension \r\n    5. Visual similarities with legitimate extensions\u2028\r\n7. 
Backdooring a popular VS Code extension without any prior knowledge of its source code (5 mins):\r\n    1. Extract the VSIX bundle \r\n    2. Add our implant\r\n    3. Repackage the extension \r\n    4. Load it into VSCode\r\n    5. Trigger shellcode execution\u2028\r\n8. Improvements and Detections (3 mins) \r\n    1. References to other similar works\r\n    2. Improvements and other closing thoughts\r\n    3. IoCs and TTPs associated with the techniques\r\n    4. Possible detections and prevention mechanisms\u2028\r\nKey Takeaways\r\n1. The audience becomes more aware of the dangers of blindly trusting extensions from stores\r\n2. Malware developers and red teamers get introduced to a new and powerful initial access vector \r\n3. Blue teamers can use the knowledge to prepare new rulesets and detections to avoid any such attacks", "recording_license": "", "do_not_record": false, "persons": [{"code": "WYPWYL", "name": "Debjeet Banerjee", "avatar": "https://pretalx.com/media/avatars/WYPWYL_JswGhBR.webp", "biography": "I am Debjeet, a Malware Developer for Black Hills Information Security. I curate malware and tools for testers, publish research, discover new bypasses and create automation pipelines. Previously, I used to work as a Consultant with Certus and a Researcher with Payatu. 
When I am not in front of the computer, I am either reading Philosophy books, playing Dark Souls or riding bikes!", "public_name": "Debjeet Banerjee", "guid": "8f9e5559-6761-5b8c-a210-6e478c9b9883", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/WYPWYL/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/QXECVY/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/QXECVY/", "attachments": []}, {"guid": "18526287-bccd-541c-9e58-d6fa0480f1e1", "code": "SH7X9Y", "id": 92904, "logo": "https://pretalx.com/media/bsidesluxembourg-2026/submissions/SH7X9Y/image_yA2RCh0.webp", "date": "2026-05-06T16:00:00+02:00", "start": "16:00", "duration": "02:00", "room": "Workshops May 6th (C1.02.06)", "slug": "bsidesluxembourg-2026-92904-analyze-hunt-dprk-attacks", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/SH7X9Y/", "title": "ANALYZE & HUNT DPRK ATTACKS", "subtitle": "", "track": null, "type": "Workshop 2h", "language": "en", "abstract": "This workshop offers an in-depth exploration of advanced methodologies for identifying and analyzing cyber threats emanating from **North Korea (DPRK)**. Participants will learn practical techniques for uncovering malicious activities through **Fake GitHub Repositories**, **Hunting DPRK-based clusters**, and exploring comprehensive **ByBit Heist** that hacked $1.5 Billion. The session will also cover critical threat hunting strategies such as **Hostname Analysis**, **Command and Control (C2) infrastructure identification**, **Fake Domain Spotting** and much more. Attendees will gain valuable insights into the operational tactics of DPRK threat actors and practical skills to enhance their defensive postures against these sophisticated cyber campaigns. 
Please join this session to deepen your understanding of nation-state cyber operations and strengthen your threat detection capabilities.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "BQLDN3", "name": "RAKESH KRISHNAN", "avatar": "https://pretalx.com/media/avatars/3SPL9S_Qtyf3gE.webp", "biography": "I am a Threat Intelligence Researcher and a regular contributor to the Infosec Community via Tweets and Investigation Blog Posts. I run a Threat Intelligence Blog named \"**THE RAVEN FILE**\" which purely focuses on Threat Intelligence Topics such as Dark Web, Ransomware Ecosystem, Scam Busting, Blockchain Analysis, etc. \r\n\r\nRecently, I infiltrated into **0APT Ransomware Group** and exposed their Modus Operandi on my latest blog post. I often expose the real IP Addresses of Ransomware Groups such as: **LockBit**, **Kairos**, etc repeatedly. 3 years back, I made it into the headlines of finding Offensive GPT Model titled \"FraudGPT\" which got a global recognition. \r\n\r\nI had conducted a 3-Hour Dark Web Workshop for Conferences like:-  **Craccon** in **2025** and  at **IICON** in **2024** which were held in Delhi, India. 
\r\n\r\nThis year, I have been made into the list of **Contributor of the Year** by **ABUSECH** and **SPAMHAUS** for providing large number of **IOCs**, **Ransomware Samples** to the Platform, making a real impact in the Infosec Community by providing timely action for Defending the Threats.\r\n\r\nYou can read my Blog at: **theravenfile.com**", "public_name": "RAKESH KRISHNAN", "guid": "af61b614-5e74-5101-a1ac-1bee057e4ef1", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/BQLDN3/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/SH7X9Y/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/SH7X9Y/", "attachments": []}], "Workshops May 6th, Speaker's room May 7+8th (C1.02.13)": [{"guid": "548fa1e6-a2c6-535a-ae72-8a3c82292349", "code": "S97X3K", "id": 92811, "logo": null, "date": "2026-05-06T09:00:00+02:00", "start": "09:00", "duration": "02:00", "room": "Workshops May 6th, Speaker's room May 7+8th (C1.02.13)", "slug": "bsidesluxembourg-2026-92811-android-app-tricks-defenses-and-bypasses", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/S97X3K/", "title": "Android App Tricks: Defenses and Bypasses", "subtitle": "", "track": null, "type": "Workshop 2h", "language": "en", "abstract": "Have you ever wondered how an attacker analyzes your favorite Android app? In this workshop, we will adopt a perspective of a reverse engineer to learn how to approach Android applications.\r\n\r\nWe will explore popular reverse engineering tools and techniques used in Android security analysis. Through hands-on practice, you'll learn to identify common security weaknesses and understand how attackers exploit them.\r\n\r\nAndroid applications are often targeted by attackers due to openness of the platform and numerous omissions in the app development process. 
Plenty of security methods were created to harden Android apps against reverse engineering and tampering, which seems widely used by major app developers and way less by smaller ones.\r\n\r\nWe'll analyze a few real-world applications to examine current protection mechanisms and their limitations. We'll explore the common security measures deployed by Google Play Store and app developers, and discuss whether they are as effective as they claim to be.\r\n\r\nBy the end of the workshop, participants will have hands-on experience with several popular tools used for Android application analysis. If you are an Android developer, please feel free to bring and explore your own Android app with us.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "XKHNQK", "name": "Aleksandr Pilgun", "avatar": "https://pretalx.com/media/avatars/LAU9KN_zFJc6l9.webp", "biography": "Dr. Aleksandr Pilgun is a computer science researcher specializing in Android application security and analysis.\r\n\r\nHe defended his doctoral thesis at the University of Luxembourg, where he developed ACVTool \u2014 an efficient instruction coverage measurement tool for third-party apps without source code. ACVTool is widely used by researchers to evaluate novel automated testing tools and continues to be actively developed to bridge academic research with industry needs.\r\n\r\nThroughout his research, Aleksandr has analyzed tons of Android applications. In recent years, his work has focused on fraudulent applications and assisting several FinTech startups to improve their service interoperability through reverse engineering. 
He recently returned from Portugal to rejoin the University of Luxembourg.", "public_name": "Aleksandr Pilgun", "guid": "aa37f065-29ab-5e21-bb71-4e6a73855b5c", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/XKHNQK/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/S97X3K/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/S97X3K/", "attachments": []}, {"guid": "bf0d4518-5b79-550a-a7ea-38ad858675ee", "code": "9HS8CG", "id": 88650, "logo": "https://pretalx.com/media/bsidesluxembourg-2026/submissions/9HS8CG/image_TyepQxk.webp", "date": "2026-05-06T11:00:00+02:00", "start": "11:00", "duration": "02:00", "room": "Workshops May 6th, Speaker's room May 7+8th (C1.02.13)", "slug": "bsidesluxembourg-2026-88650-1-packet-analysis-for-beginners-an-iot-toy-some-packets-and-wireshark", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/9HS8CG/", "title": "Packet Analysis for Beginners - an IoT toy, some packets, and Wireshark", "subtitle": "", "track": null, "type": "Workshop 2h", "language": "en", "abstract": "What can we learn from ordinary packets on the wire, using a disconcerting connected toy as a demo device? How can you tell when something is phoning home? 
In this workshop, we\u2019ll use Wireshark to observe what devices send and receive during regular operation", "description": "Pre-Workshop Setup:\r\nPlease install Wireshark before the session: [https://www.wireshark.org/docs/installation.html\r\n](https://www.wireshark.org/download.html)\r\n\r\nCrucial Permission Steps:\r\n    Windows: Ensure you install Npcap during the setup process.\r\n    macOS: Follow the prompts to allow network access/chmod permissions.\r\n    Linux: Run sudo dpkg-reconfigure wireshark-common, select yes, then add your user to the wireshark group (sudo usermod -aG wireshark $USER), then reboot.\r\n\r\nTest: Open the app; if you see \"live\" traffic lines on your network interface, you are ready!\r\n\r\nIn this workshop, we\u2019ll take packet capture from a disconcerting connected toy and use it as a starting point to learn how to read ordinary network traffic. Step by step, we\u2019ll look at how devices introduce themselves on a local network, resolve names, establish connections, negotiate encryption, and continue communicating during normal operation. Once we have familiarized ourselves, we will move on to some real-world captures.\r\n\r\nRather than breaking encryption or exploiting vulnerabilities, the focus is on observation and understanding. Using Wireshark, we\u2019ll practice identifying patterns, relationships, and metadata that remain visible even when payloads are encrypted. Along the way, we\u2019ll look at how to recognise when a device is phoning home, what kinds of context travel with requests, and how much can be learned from traffic that is behaving exactly as designed.\r\n\r\nThis workshop is aimed at beginners and the curious. No prior experience with packet analysis is required. 
A willingness to look closely at what is already on the wire is enough.", "recording_license": "", "do_not_record": false, "persons": [{"code": "KCCUQU", "name": "Katherine Leese", "avatar": "https://pretalx.com/media/avatars/KCCUQU_CHNLkVe.webp", "biography": "Katherine is a tech professional with 2.5 years of experience, having retrained in her 40s to become a Computer Expert, specialising in System Integration. Originally from New Zealand, she is currently based in Germany. During her training, she undertook a practicum at SevenShift, a boutique IoT cybersecurity company in Cologne that recognized her talent and dedication, ultimately hiring her. She is now in a training position, where she is honing her skills and contributing to the company's security initiatives. Outside of her professional life, Katherine is a dedicated single mother to a teenager. She is also a member of the Haecksen, the FLINTA branch of the CCC, and a leader of the Cologne OWASP Chapter", "public_name": "Katherine Leese", "guid": "5395844e-0836-5890-8ed2-3a69fd251b0d", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/KCCUQU/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/9HS8CG/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/9HS8CG/", "attachments": []}, {"guid": "f07f841c-c2a5-5034-808b-50862d02c438", "code": "YGC7EA", "id": 90638, "logo": null, "date": "2026-05-06T14:00:00+02:00", "start": "14:00", "duration": "02:00", "room": "Workshops May 6th, Speaker's room May 7+8th (C1.02.13)", "slug": "bsidesluxembourg-2026-90638-0-dismantle-the-bomb", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/", "title": "Dismantle The Bomb", "subtitle": "", "track": "Escape games!", "type": "Workshop 2h", "language": "en", "abstract": "Dismantle the bomb by performing different tasks", "description": "Dismantle the bomb by performing different tasks. 
The tasks will include:\r\n- Solving ciphers\r\n- Being genuine with a special flashlight\r\n- lock picking \r\n- make a key with a lishi tool\r\n- ...", "recording_license": "", "do_not_record": false, "persons": [{"code": "ZTMXFW", "name": "Stijn Tomme", "avatar": "https://pretalx.com/media/avatars/ZTMXFW_uIVfOdZ.webp", "biography": "Been in IT security for too long. I enjoy creating fun and games!", "public_name": "Stijn Tomme", "guid": "ead70de2-5a9e-5747-942b-781b37612c50", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/ZTMXFW/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/", "attachments": []}, {"guid": "ea2e7ba1-d601-5db1-9257-2f928f82a8fd", "code": "YGC7EA", "id": 90638, "logo": null, "date": "2026-05-06T16:00:00+02:00", "start": "16:00", "duration": "02:00", "room": "Workshops May 6th, Speaker's room May 7+8th (C1.02.13)", "slug": "bsidesluxembourg-2026-90638-1-dismantle-the-bomb", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/", "title": "Dismantle The Bomb", "subtitle": "", "track": "Escape games!", "type": "Workshop 2h", "language": "en", "abstract": "Dismantle the bomb by performing different tasks", "description": "Dismantle the bomb by performing different tasks. The tasks will include:\r\n- Solving ciphers\r\n- Being genuine with a special flashlight\r\n- lock picking \r\n- make a key with a lishi tool\r\n- ...", "recording_license": "", "do_not_record": false, "persons": [{"code": "ZTMXFW", "name": "Stijn Tomme", "avatar": "https://pretalx.com/media/avatars/ZTMXFW_uIVfOdZ.webp", "biography": "Been in IT security for too long. 
I enjoy creating fun and games!", "public_name": "Stijn Tomme", "guid": "ead70de2-5a9e-5747-942b-781b37612c50", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/ZTMXFW/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/", "attachments": []}], "Workshops and Stage - Design Space (C1.05.12)": [{"guid": "3241c930-ca99-5562-b77b-52a89057002b", "code": "XMDNJB", "id": 89384, "logo": null, "date": "2026-05-06T10:00:00+02:00", "start": "10:00", "duration": "02:00", "room": "Workshops and Stage - Design Space (C1.05.12)", "slug": "bsidesluxembourg-2026-89384-secure-development-lifecycle-applied-how-to-make-things-a-bit-more-secure-than-yesterday-every-day", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/XMDNJB/", "title": "Secure Development Lifecycle Applied - How to Make Things a Bit More Secure than Yesterday Every Day", "subtitle": "", "track": null, "type": "Workshop 2h", "language": "en", "abstract": "Building valuable solutions is a complex endeavor that requires a breadth of knowledge. That not being enough, we\u2019re also getting asked to build secure solutions in a secure way - yet what does that even mean? How do we incorporate such a vast area of expertise into our everyday workflows?\r\n\r\nIn this hands-on workshop, I will introduce you to core security concepts, like the CIA triad or defense in depth - and how we can apply them in everyday work. Based on a practical example, we will go through the development lifecycle with security in mind. You will learn about threat modeling to uncover risks early on, secure coding principles to bake security in, security testing approaches to make informed decisions depending on your risk appetite, and ways of detecting potentially malicious activity to protect against. 
Interactive exercises at each step will let you experience how security can neatly fit with what you\u2019re already doing without adding artificial gates.\r\n\r\nWhether you want to keep your system secure or get a neglected one back in shape, this session is for you. Join us to gain fundamental security knowledge, hone your security skills, and get tactical advice to secure your development lifecycle. Let\u2019s make things a bit more secure than yesterday every day!", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "RGVDYJ", "name": "Lisi Hocke", "avatar": "https://pretalx.com/media/avatars/RGVDYJ_AFbc404.webp", "biography": "Lisi found tech as her place to be in 2009 and has grown as a specialized generalist ever since. Building great products that deliver value together with great people motivates her and lets her thrive. As a security engineer, she\u2019s now fully focusing on all things product security to help build more secure solutions. She's committed to testing and quality, passionate about whole-team approaches to increase effectiveness and resilience, and enjoys experimenting and learning continuously. Having received a lot from communities, Lisi is paying it forward by sharing her stories and learning in public. She posts on Mastodon as [@lisihocke@mastodon.social](https://mastodon.social/@lisihocke) and blogs at [www.lisihocke.com](https://www.lisihocke.com). 
In her free time, she plays indoor volleyball or delves into computer games and stories of all kinds.", "public_name": "Lisi Hocke", "guid": "47a09504-2aa3-5b40-86a2-9f071d819974", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/RGVDYJ/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/XMDNJB/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/XMDNJB/", "attachments": []}, {"guid": "27c65e53-8690-5830-9e3b-2dab6532b15b", "code": "AALWHZ", "id": 94133, "logo": null, "date": "2026-05-06T13:30:00+02:00", "start": "13:30", "duration": "04:30", "room": "Workshops and Stage - Design Space (C1.05.12)", "slug": "bsidesluxembourg-2026-94133-kunai-workshop-hands-on-linux-threat-detection", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/AALWHZ/", "title": "Kunai Workshop: Hands-on Linux Threat Detection", "subtitle": "", "track": null, "type": "Workshop 4h", "language": "en", "abstract": "Get hands-on with Kunai in this practical workshop! You'll learn to deploy and configure this Linux monitoring tool, then dive into advanced threat detection techniques. We'll start with the basics - installation, configuration, and core functionality - before moving to advanced topics like custom rule creation, IoC integration, and MISP connectivity. 
Whether you're securing production systems or just exploring Linux security monitoring, this workshop will give you practical skills to detect and investigate threats.", "description": "### Part 1: Kunai Fundamentals\r\n- **Quick Start:** Get Kunai up and running on your system\r\n- **Core Concepts:** Understand Kunai's architecture and monitoring capabilities\r\n- **Hands-on Basics:** Navigate the CLI, configure monitoring, and interpret events\r\n\r\n### Part 2: Advanced Threat Detection\r\n- **Custom Rules:** Write detection rules for specific threats and anomalies\r\n- **IoC Integration:** Load and leverage Indicators of Compromise\r\n- **MISP Connectivity:** Enhance your threat intelligence with MISP integration\r\n- **Real-world Scenarios:** Apply Kunai to actual threat detection challenges\r\n\r\n### Part 3: Bonus Topics (time permitting)\r\n- Using [Kunai sandbox](https://sandbox.kunai.rocks/) to share traces\r\n- Creating detection rules for specific malware", "recording_license": "", "do_not_record": false, "persons": [{"code": "YDKLRL", "name": "Quentin JEROME", "avatar": "https://pretalx.com/media/avatars/3JVRZM_xoQgYEQ.webp", "biography": "Quentin is a Rust developer at [CIRCL](https://circl.lu). Inspired by his background in incident response and threat detection, he develops open-source security tools to solve practical problems. 
His main interests include threat detection, bug hunting, and building tools that help the security community.", "public_name": "Quentin JEROME", "guid": "775f7c83-b07b-598c-8857-80bb24aebcb1", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/YDKLRL/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/AALWHZ/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/AALWHZ/", "attachments": []}], "Workshops and Stage - Gernsback (C1.05.02)": [{"guid": "406c662d-66a4-5a59-81ef-b1908635d19c", "code": "MG7H3X", "id": 92302, "logo": "https://pretalx.com/media/bsidesluxembourg-2026/submissions/MG7H3X/image_cHNI7b9.webp", "date": "2026-05-06T09:00:00+02:00", "start": "09:00", "duration": "09:00", "room": "Workshops and Stage - Gernsback (C1.05.02)", "slug": "bsidesluxembourg-2026-92302-malware-development-for-ethical-hackers-windows-linux-android", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/MG7H3X/", "title": "Malware Development for Ethical Hackers (Windows, Linux, Android)", "subtitle": "", "track": null, "type": "Training 8h", "language": "en", "abstract": "Whether you are a Red Team or Blue Team specialist, learning the techniques and tricks of malware development gives you the most complete picture of advanced attacks. Also, due to the fact that most (classic) malwares are written under Windows, as a rule, this gives you tangible knowledge of developing under Windows.\r\n\r\nThe course will teach you how to develop malware, including classic tricks and tricks of modern ransomware found in the wild. 
Everything is supported by real examples.\r\n\r\nThe course is intended for Red Team specialists to learn in more detail the tricks of malware development (also persistence and AV bypass) and will also be useful to Blue Team specialists when conducting investigations and analyzing malware.\r\n\r\nThe course is divided into four logical sections:\r\n- Malware development tricks and techniques (classic injection tricks, DLL injection tricks, shellcode running)\r\n- AV evasion tricks (Anti-VM, Anti-Sandbox, Anti-disassembling)\r\n- Persistence techniques\r\n- Cryptographic functions in malware development (exclusive)\r\n- Malware Development for Android and Linux (bonus)\r\n\r\nMost of the examples in this course require a deep understanding of the Python, Kotlin\r\nand C/C++ programming languages.\r\n\r\nKnowledge of assembly language basics is not required but will be an advantage.", "description": "The course will teach you how to develop malware, including classic tricks and tricks of modern ransomware found in the wild. 
Everything is supported by real examples.\r\n\r\nThe course is intended for Red Team specialists to learn in more detail the tricks of malware development (also persistence and AV bypass) and will also be useful to Blue Team specialists when conducting investigations and analyzing malware.\r\n\r\n\r\nThe course is divided into four logical sections:\r\n- Malware development tricks and techniques (classic injection tricks, DLL injection tricks, shellcode running)\r\n- AV evasion tricks (Anti-VM, Anti-Sandbox, Anti-disassembling)\r\n- Persistence techniques\r\n- Cryptographic functions in malware development (exclusive)\r\n- Malware Development for Android and Linux (bonus)\r\n\r\nMost of the examples in this course require a deep understanding of the Python, Kotlin\r\nand C/C++ programming languages.\r\n\r\nKnowledge of assembly language basics is not required but will be an advantage.\r\n\r\nTraining Outline (detailed, timed - total ~8 hours):    \r\n\r\nMALWARE INJECTION TECHNIQUES:\r\n1. Traditional Injection Approaches: Code and DLL (2 practical examples, LAB + 1 homework) - 20 min\r\n2. Exploring Hijacking Techniques (2 practical examples, LAB + 1 homework) - 20 min\r\n3. Understanding Asynchronous Procedure Call (APC) Injections (2 practical examples, LAB + 1 homework) - 15 min\r\n4. Mastering New Injection/Hooking Techniques (4 practical examples, LAB) - 20 min\r\n\r\nPERSISTENCE MECHANISMS:\r\n5. Classic Path: Registry Run Keys / Persistence via Registry Keys ( 3 practical examples, LAB) - 15 min\r\n6. Persistence via Winlogon Process ( 2 practical examples, LAB) - 15 min\r\n7. Exploiting Windows Services for Persistence ( 2 practical examples, LAB + 1 homework) - 15 min\r\n8. Exploring Non-Trivial Loopholes and New Persistence Techniques ( 5 practical examples, LAB + 2 homework) - 15 min\r\n\r\nMALWARE FOR PRIVILEGE ESCALATION:\r\n9. Manipulating Access Tokens like APT (1 practical example, LAB + 1 homework) - 15 min\r\n10. 
Password stealing / LSASS.exe dumping (3 practical examples, LAB + 1 homework) - 15 min\r\n11. Malware for bypassing User Account Control (2 practical examples, LAB + 1 homework) - 15 min\r\n\r\nANTI-VM AND AV BYPASSING\r\n12. Anti-Virtual Machine Strategies (4 practical examples, LAB + 1 homework) - 15 min\r\n13. Practical use of hash algorithms in malware ( 1 practical example, LAB + 1 homework) - 15 min\r\n14. Evading Static Detection ( 1 practical example, LAB + 1 homework) - 15 min\r\n15. Evading Dynamic Detection (1 practical example, LAB + 1 homework) - 15 min\r\n16. Advanced Evasion Techniques (1 practical example, LAB + 1 homework) - 15 min\r\n17. Cryptography for bypassing security solutions ( 4 practical examples, LAB + 2 homework) - 15 min\r\n\r\nLinux and Android Malware\r\n18. Linux Kernel Hacking (1 practical example, LAB) - 15 min\r\n19. Linux process injection (1 practical example, LAB) - 15 min\r\n20. Introduction to Android Malware (3 practical examples, LAB) - 40 min\r\n21. Leveraging legit APIs for Android Malware (2 practical examples, LAB) - 40 min\r\n\r\nRESEARCH AND PRACTICE:\r\n22. Simple Tricks and Automation for Malware Development and Emulation (3 practical examples, LAB + 1 homework) - 15 min\r\n23. How to find New Persistence Techniques (2 practical examples, LAB + 1 homework) - 15 min\r\n24. Elliptic Curve Cryptography (ECC) and Malware ( 1 practical example, LAB + 1 homework) - 15 min", "recording_license": "", "do_not_record": false, "persons": [{"code": "37BGJD", "name": "cocomelonc", "avatar": "https://pretalx.com/media/avatars/EFXL9W_coZtU9H.webp", "biography": "cybersecurity enthusiast, author, speaker and mathematician. 
Author of popular books:\r\nMD MZ Malware Development Book (Github, 2022, 2024)\r\nMALWILD: Malware in the Wild Book (Github, 2023)\r\nMalware Development for Ethical Hackers Book: (Packt, 2024)\r\nAIYA Mobile Malware Development Book (Github, 2025)\r\nMalware Development for Ethical Hackers 2nd edition (Packt, 2026, in progress)\r\nAuthor and tech reviewer at Packt.\r\nCo founder of various cybersecurity research labs, author of many cybersecurity blogs, HVCK magazine\r\nMalpedia contributor\r\nSpeaker at BlackHat, DEFCON, Security BSides, Arab Security Conference, Hack.lu, Positive Hack Talks, etc conferences", "public_name": "cocomelonc", "guid": "f30e2acf-1aad-5428-b435-083886fb9b86", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/37BGJD/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/MG7H3X/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/MG7H3X/", "attachments": []}], "CTF players room (C1.03.05 6+8th or C1.04.02 7th)": [{"guid": "a966b033-6bc5-5276-a21d-4e4ea211f1f8", "code": "9NGAYY", "id": 93430, "logo": null, "date": "2026-05-06T09:00:00+02:00", "start": "09:00", "duration": "03:00", "room": "CTF players room (C1.03.05 6+8th or C1.04.02 7th)", "slug": "bsidesluxembourg-2026-93430-0-blackhoodie-training-introduction-to-linux-memory-forensics", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/9NGAYY/", "title": "Blackhoodie training - Introduction to Linux Memory Forensics", "subtitle": "", "track": null, "type": "Training 8h", "language": "en", "abstract": "## Workshop description\r\n\r\nWhat happens in memory, stays in memory! In this beginner workshop, we\u2019ll take our first steps into the fascinating world of Linux Memory Forensics \ud83d\ude0a.\r\n\r\nThis session will introduce the fundamentals of volatile memory, Linux memory management, with a touch on memory acquisition. 
We will then discover how to investigate memory artefacts and uncover traces of malicious behaviour through a simulated ransomware attack, from identifying suspicious processes and carving out binaries to recovering encryption keys from memory.\r\n\r\nWe will mostly use the Volatility framework, but this workshop will go beyond a simple command-line tutorial to explore the underlying principles: what are Volatility profiles and why do we need them, what are some interesting artefacts to look for, what to do when there is no command for what we are looking for, where do we even start looking, etc.\r\n\r\n## Who should attend?\r\n\r\nAnyone who wants to discover digital forensics! This workshop won\u2019t require extensive hacking knowledge, however knowing a bit about Linux will help.\r\n\r\n## Requirements\r\n\r\nA laptop capable of running a virtual machine (or a native Linux environment), and a few gigabytes of free disk space (a memory dump can be quite heavy!). We might do a little bit of Python too! The VM will contain all the tools needed for the workshop. 
If you choose to use your own Linux environment instead, a setup guide will be provided.", "description": "BlackHoodie\u2019s Mission\r\n- BlackHoodie is a series of technical trainings aiming to attract more women to the field of cyber security\r\n- Our events are women-only, except if individual organizers state otherwise\r\n- Whether introduction level or advanced, classes are always challenging\r\n- All of our events are free to attend\r\n- We do not exert any preference in education level, occupation or corporate affiliation of attendees\r\n- BlackHoodie is dedicated to serve the community, we aim to integrate, not separate\r\n- BlackHoodie is independent, and cannot be leveraged to promote anything but its own mission\r\n- We seek quality over quantity, in number of classes and attendees\r\n- We also support/encourage attendees to start giving technical trainings thereby providing a platform to build their confidence", "recording_license": "", "do_not_record": false, "persons": [{"code": "QEE9JJ", "name": "Sonia Seddiki", "avatar": "https://pretalx.com/media/avatars/HVJSTU_jiUxZaE.webp", "biography": "Sonia is a Software Engineer with a passion for Digital Forensics and CTFs", "public_name": "Sonia Seddiki", "guid": "acdd3f7c-650c-5a7c-9ea4-83bb857080ee", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/QEE9JJ/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/9NGAYY/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/9NGAYY/", "attachments": []}, {"guid": "2966a456-ad16-52c0-865c-878e45e0afbc", "code": "9NGAYY", "id": 93430, "logo": null, "date": "2026-05-06T13:30:00+02:00", "start": "13:30", "duration": "04:30", "room": "CTF players room (C1.03.05 6+8th or C1.04.02 7th)", "slug": "bsidesluxembourg-2026-93430-1-blackhoodie-training-introduction-to-linux-memory-forensics", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/9NGAYY/", "title": "Blackhoodie training - Introduction to Linux Memory 
Forensics", "subtitle": "", "track": null, "type": "Training 8h", "language": "en", "abstract": "## Workshop description\r\n\r\nWhat happens in memory, stays in memory! In this beginner workshop, we\u2019ll take our first steps into the fascinating world of Linux Memory Forensics \ud83d\ude0a.\r\n\r\nThis session will introduce the fundamentals of volatile memory, Linux memory management, with a touch on memory acquisition. We will then discover how to investigate memory artefacts and uncover traces of malicious behaviour through a simulated ransomware attack, from identifying suspicious processes and carving out binaries to recovering encryption keys from memory.\r\n\r\nWe will mostly use the Volatility framework, but this workshop will go beyond a simple command-line tutorial to explore the underlying principles: what are Volatility profiles and why do we need them, what are some interesting artefacts to look for, what to do when there is no command for what we are looking for, where do we even start looking, etc.\r\n\r\n## Who should attend?\r\n\r\nAnyone who wants to discover digital forensics! This workshop won\u2019t require extensive hacking knowledge, however knowing a bit about Linux will help.\r\n\r\n## Requirements\r\n\r\nA laptop capable of running a virtual machine (or a native Linux environment), and a few gigabytes of free disk space (a memory dump can be quite heavy!). We might do a little bit of Python too! The VM will contain all the tools needed for the workshop. 
If you choose to use your own Linux environment instead, a setup guide will be provided.", "description": "BlackHoodie\u2019s Mission\r\n- BlackHoodie is a series of technical trainings aiming to attract more women to the field of cyber security\r\n- Our events are women-only, except if individual organizers state otherwise\r\n- Whether introduction level or advanced, classes are always challenging\r\n- All of our events are free to attend\r\n- We do not exert any preference in education level, occupation or corporate affiliation of attendees\r\n- BlackHoodie is dedicated to serve the community, we aim to integrate, not separate\r\n- BlackHoodie is independent, and cannot be leveraged to promote anything but its own mission\r\n- We seek quality over quantity, in number of classes and attendees\r\n- We also support/encourage attendees to start giving technical trainings thereby providing a platform to build their confidence", "recording_license": "", "do_not_record": false, "persons": [{"code": "QEE9JJ", "name": "Sonia Seddiki", "avatar": "https://pretalx.com/media/avatars/HVJSTU_jiUxZaE.webp", "biography": "Sonia is a Software Engineer with a passion for Digital Forensics and CTFs", "public_name": "Sonia Seddiki", "guid": "acdd3f7c-650c-5a7c-9ea4-83bb857080ee", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/QEE9JJ/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/9NGAYY/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/9NGAYY/", "attachments": []}], "Workshops May 6th (C1.03.06)": [{"guid": "f23b3ab6-6ead-5b0a-90b0-d087495948af", "code": "TMG89Y", "id": 89381, "logo": null, "date": "2026-05-06T09:00:00+02:00", "start": "09:00", "duration": "09:00", "room": "Workshops May 6th (C1.03.06)", "slug": "bsidesluxembourg-2026-89381-threat-modelling-starter-training", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/TMG89Y/", "title": "Threat Modelling Starter Training", "subtitle": "", "track": null, 
"type": "Training 8h", "language": "en", "abstract": "This threat modelling training is geared towards beginner to intermediate audiences with software engineering and security engineer/pentester backgrounds who have never done any sort of threat modelling work but are trying to get into it. Practically, anyone can join this class even if they do not have those backgrounds, but they should have at least some basic idea of how programs work on a code level and of basic cyber security issues and threats, or an interest in learning them.\r\n\r\nThe main goal of this training is to equip participants with an understanding of the importance of threat modelling in dealing with and understanding cyber threats to their applications and networks. The trainer's goal is to prevent more software security bugs from inception by teaching students whether they build more secure software or find underlying security flaws and bugs and minimizing the risks and impact of the engineered software. Participants will be immersed in the popular STRIDE and DREAD methodologies for threat modelling and the increasingly popular PASTA methodology, and they will create their own threat models during the training. \r\n\r\nAt the end of the training, students can expect to be able to do a quick threat model of any function/method that they wish to implement in their software, realize the threats that they could introduce or deal with, and finally be able to write a full and complete threat model on their own from start to finish including recommendations, threat scenarios and related risk ratings.", "description": "", "recording_license": "", "do_not_record": true, "persons": [{"code": "8BUAGA", "name": "Ralph Andalis", "avatar": "https://pretalx.com/media/avatars/8BUAGA_LSu1TjN.webp", "biography": "Ralph is a Senior Pentester for a confidential company somewhere in the Middle East. 
Before that, he was a Senior Security Engineer at Microsoft where he deals with security architecture reviews, security design reviews, threat modelling, security research, code reviews, and pentesting on the dedicated product he is directly working on with 100+ software engineers. He has 10 years experience in the industry as a Security Consultant/Pentester/Security Researcher who recently served as a Security Consultant in a well-acknowledged global information security assurance firm called NCC Group. His expertise is mainly Web, Mobile, and Network Pentesting, Threat Modeling, Security Architecture Review, and Security Design Reviews. Prior to that, he was a pioneer Application Security Consultant for Fwdsec, a Cyber Threat Management Consultant at Ernst & Young (EY) with the experience of being sent abroad for client engagements upon client request. He started his career as a Security Researcher at Hewlett-Packard Fortify with focus on Mobile Application Security particularly with Android and iOS.\r\n\r\nHe is also a major active contributor and a member of the working group for the OWASP Application Security Verification Standard (ASVS) project, making the standard better for fellow pentesters and developers alike. Whenever he has spare time, he volunteers giving Web, Mobile Application Security and Threat Modelling lectures to university students as part of being a thought leader in the security community and outreach to students. You can also find him as a regular conference volunteer staff for some premium and well-known security conferences, namely: CanSecWest, REcon and Ringzer0 Training.\r\n\r\nHe trained attendees at BSides Vancouver 2025 and BSides Orlando 2025 for the same workshop, \"Threat Modelling Starter Training\" which had been well received. 
He has presented his talk entitled, \"OWASP ASVS: A Methodical and Practical Approach to Application Security Testing\" on OWASP AppSec Pacific Northwest conference (PNW) 2024 on June 15-16, 2024 in Vancouver, BC Canada. He has also presented a similar presentation aimed for beginners delivered online at HackStop Cybersecurity Summit 2024 on March 21-22, 2024 held in Ljubljana, Slovenia. \r\n\r\nHe earned his Computer Science degree from Ateneo de Naga University - one of the best top tier schools in the Philippines. His bachelor degree thesis was awarded in a National IT Conference last 2015 as one of his top accomplishments during that time aside from being a consistent Dean's List award as well.", "public_name": "Ralph Andalis", "guid": "493f4483-c927-582b-813e-ce89343d1f0b", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/8BUAGA/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/TMG89Y/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/TMG89Y/", "attachments": []}], "Workshops May 6th (C1.03.09)": [{"guid": "cd372e1b-06a7-5f83-a7c2-ee3ec8b499e4", "code": "GZHQYD", "id": 97088, "logo": "https://pretalx.com/media/bsidesluxembourg-2026/submissions/GZHQYD/image_vxeseVw.webp", "date": "2026-05-06T13:30:00+02:00", "start": "13:30", "duration": "04:00", "room": "Workshops May 6th (C1.03.09)", "slug": "bsidesluxembourg-2026-97088-threat-modeling-in-devops-and-cloud-using-card-games", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/GZHQYD/", "title": "Threat Modeling in DevOps and Cloud using Card Games", "subtitle": "", "track": null, "type": "Workshop 4h", "language": "en", "abstract": "DevOps processes transfer security responsibility to development teams.  But how can developers handle that additional task? 
\r\n\r\nThreat Modeling is a structured approach to identifying security problems early, spreading security knowledge across teams, and communicating risks in a way that is accessible to management. In this workshop, we explore lightweight Threat Modeling approaches tailored to DevOps workflows. We also show how gamification can lower the barrier to entry for teams without a strong security background.\r\n\r\nWe will look at:\r\n* What is Threat Modeling?\r\n* Basic Threat Modeling with STRIDE\r\n* Gamification\r\n* Hands-on Threat Modeling with OWASP Cumulus for a cloud-native scenario\r\n* What's next? Risk, processes, and beyond\r\n\r\nAttendees will leave with practical tools and techniques they can immediately apply in their own teams.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "9MTCWV", "name": "Christoph Niehof", "avatar": "https://pretalx.com/media/avatars/RKEV8K_uGXPdBY.webp", "biography": "In his role as a Senior Consultant at TNG Technology Consulting, Christoph Niehoff develops software products for his clients on a daily basis. As a full-stack developer, he lives and breathes DevOps, overseeing all steps of the development cycle. The security of the products is particularly close to his heart. 
He is the project lead of the threat modeling card game OWASP Cumulus.", "public_name": "Christoph Niehof", "guid": "c4722c0d-2ec8-5a4d-b4e9-7d47ec1e3d60", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/9MTCWV/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/GZHQYD/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/GZHQYD/", "attachments": []}]}}, {"index": 2, "date": "2026-05-07", "day_start": "2026-05-07T04:00:00+02:00", "day_end": "2026-05-08T03:59:00+02:00", "rooms": {"Atrium (common area)": [{"guid": "99554d67-3654-545a-a469-7231edd1f497", "code": "3CLCMG", "id": 85198, "logo": null, "date": "2026-05-07T09:00:00+02:00", "start": "09:00", "duration": "03:00", "room": "Atrium (common area)", "slug": "bsidesluxembourg-2026-85198-0-car-hacking-village", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/3CLCMG/", "title": "Car Hacking Village", "subtitle": "", "track": "Villages in Atrium", "type": "Village, 2d (2days x 8h)", "language": "en", "abstract": "The Car Hacking Village offers attendees a hands-on, immersive environment to explore the security of modern vehicles. As cars continue to evolve into complex, connected computer systems, the need to understand their attack surfaces and defensive challenges grows. This village provides a safe and controlled space where participants can learn, experiment, and collaborate on real automotive cybersecurity techniques.", "description": "The village includes a fully equipped setup featuring simulated vehicle networks, CAN bus tooling, instrument clusters, ECUs, and other automotive components. 
Attendees can:\r\n\r\n- Interact with the CAN bus and observe how in-vehicle communication works\r\n- Capture, analyze, and replay automotive network traffic\r\n- Reverse engineer messages sent to various vehicle subsystems\r\n- Craft spoofed signals to manipulate components such as instrument clusters\r\n- Explore common vulnerabilities in today's vehicle architectures\r\n- Learn practical defensive considerations for securing automotive systems\r\n\r\nAll activities are guided and designed to be accessible to beginners while still offering depth for more experienced researchers.", "recording_license": "", "do_not_record": false, "persons": [{"code": "EDEHQ8", "name": "Roald Nefs", "avatar": "https://pretalx.com/media/avatars/EDEHQ8_ubjqIqv.webp", "biography": "Chief Technology Officer at Warpnet, Roald has a broad background in security engineering, platform operations, and IT compliance. He contributes to open-source projects and serves as an organizer of BSides Groningen and BSides Amsterdam.", "public_name": "Roald Nefs", "guid": "2ecd7e62-3c1c-5f2e-a622-b2a2e083836a", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/EDEHQ8/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/3CLCMG/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/3CLCMG/", "attachments": []}, {"guid": "2c55278a-10f8-51b8-a4dd-72192e27b69a", "code": "3CLCMG", "id": 85198, "logo": null, "date": "2026-05-07T13:30:00+02:00", "start": "13:30", "duration": "04:30", "room": "Atrium (common area)", "slug": "bsidesluxembourg-2026-85198-1-car-hacking-village", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/3CLCMG/", "title": "Car Hacking Village", "subtitle": "", "track": "Villages in Atrium", "type": "Village, 2d (2days x 8h)", "language": "en", "abstract": "The Car Hacking Village offers attendees a hands-on, immersive environment to explore the security of modern vehicles. 
As cars continue to evolve into complex, connected computer systems, the need to understand their attack surfaces and defensive challenges grows. This village provides a safe and controlled space where participants can learn, experiment, and collaborate on real automotive cybersecurity techniques.", "description": "The village includes a fully equipped setup featuring simulated vehicle networks, CAN bus tooling, instrument clusters, ECUs, and other automotive components. Attendees can:\r\n\r\n- Interact with the CAN bus and observe how in-vehicle communication works\r\n- Capture, analyze, and replay automotive network traffic\r\n- Reverse engineer messages sent to various vehicle subsystems\r\n- Craft spoofed signals to manipulate components such as instrument clusters\r\n- Explore common vulnerabilities in today's vehicle architectures\r\n- Learn practical defensive considerations for securing automotive systems\r\n\r\nAll activities are guided and designed to be accessible to beginners while still offering depth for more experienced researchers.", "recording_license": "", "do_not_record": false, "persons": [{"code": "EDEHQ8", "name": "Roald Nefs", "avatar": "https://pretalx.com/media/avatars/EDEHQ8_ubjqIqv.webp", "biography": "Chief Technology Officer at Warpnet, Roald has a broad background in security engineering, platform operations, and IT compliance. 
He contributes to open-source projects and serves as an organizer of BSides Groningen and BSides Amsterdam.", "public_name": "Roald Nefs", "guid": "2ecd7e62-3c1c-5f2e-a622-b2a2e083836a", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/EDEHQ8/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/3CLCMG/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/3CLCMG/", "attachments": []}], "Atrium (common room) 2": [{"guid": "32b47eae-d28b-55a0-b7e0-15f27231edeb", "code": "9FGWWQ", "id": 92182, "logo": null, "date": "2026-05-07T09:00:00+02:00", "start": "09:00", "duration": "03:00", "room": "Atrium (common room) 2", "slug": "bsidesluxembourg-2026-92182-0-lockpicking-village", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/9FGWWQ/", "title": "Lockpicking Village", "subtitle": "", "track": "Villages in Atrium", "type": "Village, 2d (2days x 8h)", "language": "en", "abstract": "Learn or practice your lockpicking skills in the lockpicking village.\r\nExperts say that this has real-life impact, not only to red teamers!", "description": "There will be all sorts of lockpicking equipment available for you to practice, guided by our volunteers.", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/9FGWWQ/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/9FGWWQ/", "attachments": []}, {"guid": "8a3c4478-6b76-5ead-9a2f-8a3b43acbd42", "code": "9FGWWQ", "id": 92182, "logo": null, "date": "2026-05-07T13:30:00+02:00", "start": "13:30", "duration": "04:30", "room": "Atrium (common room) 2", "slug": "bsidesluxembourg-2026-92182-1-lockpicking-village", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/9FGWWQ/", "title": "Lockpicking Village", "subtitle": "", "track": "Villages in Atrium", "type": "Village, 2d (2days x 8h)", "language": "en", "abstract": "Learn or practice your lockpicking skills in the 
lockpicking village.\r\nExperts say that this has real-life impact, not only to red teamers!", "description": "There will be all sorts of lockpicking equipment available for you to practice, guided by our volunteers.", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/9FGWWQ/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/9FGWWQ/", "attachments": []}], "Main Stage": [{"guid": "91a478ba-06a9-5ee9-bc05-94e4bc5d6c77", "code": "S8NTGH", "id": 93069, "logo": null, "date": "2026-05-07T09:10:00+02:00", "start": "09:10", "duration": "00:25", "room": "Main Stage", "slug": "bsidesluxembourg-2026-93069-things-fall-apart-allying-cybersecurity-and-diplomacy-against-authoritarian-disorder", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/S8NTGH/", "title": "Things Fall Apart: Allying Cybersecurity and Diplomacy against Authoritarian Disorder", "subtitle": "", "track": null, "type": "Opening Speech", "language": "en", "abstract": "There are over 100 concurrent armed conflicts in the world (+130 according to the ICRC) and **all** of them have a technological dimension. The planet is rapidly heating. Poverty and economic inequality are rampant. While the international legal order and multilateral institutions are under unprecedented strain, \"emerging and disruptive technologies\" like generative AI are hyped as miracle cures. How can diplomacy and cybersecurity professionals work together to push back against rising authoritarianism?", "description": "Luxembourg's Cybersecurity and Digitalisation Ambassador will return to BSides 2026 for a no-nonsense overview of current challenges in geopolitics and cyberdiplomacy. 
Come armed with all your questions about international relations and (dis-)order in the digital world!", "recording_license": "", "do_not_record": false, "persons": [{"code": "BDBRU7", "name": "Luc Dockendorf", "avatar": "https://pretalx.com/media/avatars/NNEVF8_H2atsPW.webp", "biography": "Luc Dockendorf is Luxembourg's Cyber/Digital Ambassador since March 2025. He started working in international relations in autumn 2003, after graduating with a Master in English and International Relations. He joined the Ministry of Foreign Affairs in 2006 and has notably been in Luxembourg's team for the UN Security Council (2013-2014) and the Human Rights Council (2022-2024). Chaired the EU's Group of Friends of the Presidency on Cyber Issues in 2015.", "public_name": "Luc Dockendorf", "guid": "9eeafbff-3b01-5940-9090-7d6ddbc080e3", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/BDBRU7/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/S8NTGH/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/S8NTGH/", "attachments": []}, {"guid": "d27e4f3a-292f-5346-8e72-98e5b8aee42a", "code": "LUCRQP", "id": 91204, "logo": null, "date": "2026-05-07T09:35:00+02:00", "start": "09:35", "duration": "00:40", "room": "Main Stage", "slug": "bsidesluxembourg-2026-91204-keynote-identity-security-just-exploded", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/LUCRQP/", "title": "Keynote: Identity Security Just Exploded", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "There are some aspects to identity and access management that have never worked very well, such as delegation. 
Unfortunately, the stakes just got higher and wider with the explosion of identities that aren't humans, but aren't traditional system and application accounts either.\r\n\r\nEven if you're not using them yourselves, it's time to make some decisions on how to deal with agents in your ecosystem.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "GPVKEV", "name": "Wendy Nather", "avatar": null, "biography": null, "public_name": "Wendy Nather", "guid": "7acbd145-a60d-5397-ab8a-bb28ae39acd3", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/GPVKEV/"}, {"code": "3DPRF9", "name": "Wendy Nather", "avatar": null, "biography": null, "public_name": "Wendy Nather", "guid": "6f6f6e99-8b58-552f-82b7-ab93da843c0e", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/3DPRF9/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/LUCRQP/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/LUCRQP/", "attachments": []}, {"guid": "c2dfdaf4-dc80-528a-9943-7320f0ca0d4f", "code": "G979N8", "id": 88657, "logo": null, "date": "2026-05-07T10:35:00+02:00", "start": "10:35", "duration": "00:40", "room": "Main Stage", "slug": "bsidesluxembourg-2026-88657-level-up-your-ci-cd-building-a-secure-pipeline-with-oss", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/G979N8/", "title": "Level Up Your CI/CD: Building a secure pipeline with OSS", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "What does the \"perfect\" CI/CD pipeline look like, especially one built with security at its core? In this talk, we'll explore that ideal using readily available open-source tools. 
We'll walk through the essential stages of a modern secure pipeline, demonstrating how to integrate security seamlessly throughout the development lifecycle (DevSecOps).\r\n\r\nWe'll cover seven key security stages: pipeline security scanning, code security analysis (SAST and SCA), secrets detection, container scanning, Infrastructure as Code scanning and runtime infrastructure scanning. You'll learn not just which tools to use, but why these security controls matter and how they work together.\r\n\r\nLeave with a clear understanding of secure pipeline design principles and actionable techniques to start building your own hardened CI/CD pipeline.", "description": "This talk is a companion presentation to our hands-on workshop, distilling the key concepts and tool demonstrations into a focused session suitable for all attendees.\r\n\r\nWorkshop repository: https://github.com/unicrons/secure-pipeline-workshop", "recording_license": "", "do_not_record": false, "persons": [{"code": "UKFTUX", "name": "Andoni Alonso", "avatar": "https://pretalx.com/media/avatars/UKFTUX_QOB5bYN.webp", "biography": "Building Open Cloud Security at Prowler.\r\n\r\nI started as a sysadmin, was a Site Reliability Engineer until a few years ago when I moved to the dark side... Security. I've been hooked to CTFs and anything with a scoreboard for a long time.\r\n\r\nStarting the unicrons.cloud project to share knowledge about cloud security with the community.", "public_name": "Andoni Alonso", "guid": "cf723d7e-b33b-54bb-a4f6-7a2cdc8d42e4", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/UKFTUX/"}, {"code": "UNNQE8", "name": "Paco Sanchez", "avatar": "https://pretalx.com/media/avatars/UNNQE8_umsF1aZ.webp", "biography": "I\u2019m an SRE focused on Developer Productivity and Platform Engineering, with over 8 years of experience building tools that help developers work smarter. 
I pride myself on being highly pragmatic, always prioritizing solutions that balance efficiency and impact.\r\nOh, and fun fact: my right thumb is actually my toe. Yes, it\u2019s as weird as it sounds, but I like to think I can give \"Super Likes\".", "public_name": "Paco Sanchez", "guid": "926430f4-1bc3-5d0b-bbba-12a7d5c6e733", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/UNNQE8/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/G979N8/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/G979N8/", "attachments": []}, {"guid": "b2c0d893-4efe-5acf-bd57-810f69786dae", "code": "9JT9GR", "id": 88367, "logo": null, "date": "2026-05-07T11:20:00+02:00", "start": "11:20", "duration": "00:40", "room": "Main Stage", "slug": "bsidesluxembourg-2026-88367-the-spy-who-logged-me-when-your-xdr-joins-the-attackers", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/9JT9GR/", "title": "The Spy Who Logged Me - When your XDR joins the attackers", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "What if I told you the security tool you trust the most (your XDR) is also an attacker's favorite weapon? You spent time, money, and effort deploying it, testing it, fine tuning it, believing it had your back. But what if, instead of stopping threats, it was helping them?\r\n\r\nYour XDR isn't broken, in fact, it's doing exactly what it's designed to do and what you set it up to do. The problem? Attackers have figured out how to make it work for them instead of against them. \r\n\r\nIn this session, we'll discuss how the bad guys manipulate XDR implementations, abuse detection logic, weaponize built-in components, and turn trusted security controls into defensive tools. 
From abusing existing workflows to full exploitation, you'll see why your XDR might not be protecting you the way you think it is.", "description": "What if I told you the security tool you trust the most (your XDR) is also an attacker's favorite weapon? You spent time, money, and effort deploying it, testing it, fine tuning it, believing it had your back. But what if, instead of stopping threats, it was helping them?\r\n\r\nYour XDR isn't broken, in fact, it's doing exactly what it's designed to do and what you set it up to do. The problem? Attackers have figured out how to make it work for them instead of against them. \r\n\r\nIn this session, we'll discuss how the bad guys manipulate XDR implementations, abuse detection logic, weaponize built-in components, and turn trusted security controls into defensive tools. From abusing existing workflows to full exploitation, you'll see why your XDR might not be protecting you the way you think it is.\r\n\r\n\r\n\r\n\t1. Intro\r\nShort story and correlate it to XDRs.\r\n\r\n\t2. XDR 101: Understanding the Basics\r\nWe won\u2019t reinvent the wheel, but understanding how XDRs work is critical, so we can visualize how attackers can weaponize them.\r\n\r\n\t3. Point of Origin: How do attackers access an XDR console?\r\n\r\nXDRs are only as strong as their weakest link, and that weak link is often broken access controls, misconfigurations, or outdated components. 
Attackers don\u2019t always need complex exploits when defenders leave the door open.\r\n\r\n\t\u00b7 Default Credentials on External-Facing XDR Deployments.\r\n\r\nMany XDR solutions have cloud-based management consoles exposed to the internet.\r\nIf default credentials aren\u2019t changed, attackers can:\r\n\r\n\t- Log in and modify IOC exclusion rules.\r\n\t- Uninstall sensors or disable detections.\r\n\t- Deploy malware directly through the XDR interface.\r\n\r\nCountermeasures\r\n\t- Enforcing MFA on all management consoles.\r\n\t- Audit externally exposed XDR consoles (does your XDR console really need to be internet-facing?).\r\n\r\n\r\n\t\u00b7 Compromised API keys - The secret backdoor.\r\n\r\n\t\u00b7 Many XDR solutions have APIs for automation, management and integration. If an attacker finds compromised API keys they can query endpoint logs to map security gaps, modify blacklisting rules and disable detections.\r\n\r\nCountermeasures:\r\n\t- Monitor for compromised credentials and unusual API activity.\r\n\t- Rotate API keys regularly to limit exposure.\r\n\t- Use environmental variables instead of hardcoded credentials.\r\n\r\n\r\n\t- Outdated XDR Versions \u2013 Legacy software is an attacker's best friend.\r\n\r\n\t- Running outdated XDR versions allows attackers to exploit known vulnerabilities in previous versions and abuse compatibility issues to downgrade protections.\r\n\r\nCountermeasures:\r\n\t- Audit security tools for outdated versions regularly.\r\n\t- Enable  automatic updates for XDR components\r\n\r\n\r\n\t\u00b7 Outdated XDR agents - Weak links in the chain\r\n\r\n\t- One endpoint running an outdated version of an XDR sensor is enough for an attacker to exploit known vulnerabilities and bypass detection.\r\n\r\nCountermeasures:\r\n\t- Use SIEM integration or centralized management to monitor XDR agent mismatches.\r\n\t- Automate XDR agents updates across all endpoints.\r\n\r\n\r\n\r\n\t4. 
XDR as an attack vector.\r\n\r\n\u2022 Your Security Tool is My C2 - Abusing Remote Shell Access.\r\n\r\nMany XDR consoles offer built-in shell capabilities that allow defenders to execute limited admin commands on endpoints  (for example Crowdstrike Falcon RTR). But if an attacker gains access to the XDR management console, they can run system enumeration commands to:\r\n\r\n- Gather information about a host.\r\n- Deploy malicious files or modify settings.\r\n- Use the sensor as a C2 channel.\r\n\r\nCountermeasures:\r\n\r\nRestrict remote shell access.\r\n- Require MFA for authentication.\r\n- Enforcing RBAC.\r\n- Monitor XDR shell command history.\r\n\r\n\r\n\u00b7 Blinding the Guard \u2013 Removing and Disabling an XDR Sensor\r\nBefore executing an attack, adversaries often remove or disable XDR agents to avoid detection. Some XDR solutions lack strong tamper protection, allowing attackers to:\r\n\r\n- Stop XDR services to prevent detection.\r\n- Uninstall the XDR agent using weak removal controls.\r\n- Kill security processes or corrupt critical files to make the sensor non-functional.\r\n\r\nExample:\r\nAttempt to stop the XDR service using systemctl stop XDR agent. 
Kill the process manually using pkill -9 XDR agent and show that detection logs stop, leaving the system unprotected.\r\n\r\nCountermeasures:\r\n- Implement tamper protection to prevent unauthorized removal.\r\n- Deploy kernel-based security monitoring (eBPF) to detect service manipulation.\r\n\r\n\r\n- Hiding in Plain Sight - Whitelisting Malicious IOCs\r\n\r\nIf attackers gain access to an XDR allowlist, they can manipulate rules to bypass detection entirely.\r\n\r\n- Whitelist malware so it is ignored by security controls.\r\n- Drop malicious payloads in trusted directories that are already allowlisted.\r\n- Modify allowlists via API access, letting malware execute freely.\r\n\r\nExample:\r\nIdentify an XDR allowlist configuration file and manually whitelist malicious IOCs.\r\n\r\nCountermeasures:\r\n- Restrict who can modify allowlists (RBAC enforcement).\r\n- Implement cryptographic integrity checks on configuration files.\r\n- Require MFA to modify exclusions.\r\n\r\n\r\n\u00b7 When Vintage isn't Always Nicer \u2013 Downgrading a Sensor or Preventing Updates\r\nAttackers prefer outdated security tools because they lack modern detection techniques, by preventing updates or forcing a downgrade, attackers can:\r\n\r\n- Decrease detection effectiveness by pushing legacy security policies.\r\n- Reintroduce vulnerabilities patched in later versions.\r\n- Prevent new threat signatures from being applied.\r\n\r\nDemo: Blocking XDR updates via /etc/hosts and downgrading the agent.\r\n\r\nCountermeasures:\r\n- Enforce automatic updates across all endpoints.\r\n- Monitor version mismatches across all deployed sensors.\r\n- Block manual downgrades unless explicitly approved.\r\n\r\n\r\n\u00b7 Friendly Fire \u2013 Isolating Critical Systems for Disruption\r\n\r\nSome XDRs have host isolation features to contain threats. 
Attackers abuse this to:\r\n- Trigger false positives and force automated isolation.\r\n- Manually isolate critical infrastructure (domain controllers, production servers).\r\n- Lock down an organization without deploying malware.\r\n\r\nCountermeasures:\r\n- Implement role-based restrictions on isolation functions.\r\n- Require MFA and secondary approval for manual isolations.\r\n- Alert on mass isolations as a potential attack indicator.\r\n\r\n\r\n\r\n\u00b7 Spotting a Knockoff  \u2013 Sensor Spoofing\r\n\r\nXDRs rely on heartbeat signals to confirm agents are online and attackers can manipulate this process to:\r\n- Fake sensor check-ins, tricking defenders into believing the agent is still running.\r\n- Redirect telemetry to a different endpoint, suppressing real detections.\r\n- Modify system responses to make XDR appear fully functional while disabled.\r\n\r\nCountermeasures:\r\n- Use mutual TLS authentication between XDR agents and servers.\r\n- Monitor for missing logs and no heartbeats.\r\n\r\n\r\n\r\n\u00b7 Going for the Kill - Leaking Sensitive Information from XDR Logs.\r\n\r\nXDR logs store useful information that attackers can abuse. These logs allow security analysts to identify suspicious behavior. Some common techniques include:\r\n\r\n- Extracting IP addresses, hostnames and domain controllers for enumeration purposes.\r\n- Enumerating security policies to avoid detection.\r\n- Finding user accounts and credentials stored in logs.\r\n\r\nExample: Extracting domain controllers, user accounts, and network data from XDR logs.\r\n\r\nCountermeasures:\r\n- Use SIEM log forwarding as a backup and integrity verification.\r\n- Enforce RBAC on log access to prevent unauthorized queries.\r\n\t\r\n\r\n\r\n\u00b7 SOC Analysts, It\u2019s Panic O\u2019Clock - Alert Saturation Attacks.\r\n\r\nAttackers generate thousands of fake alerts to distract SOC teams from real threats. 
This allows:\r\n\r\n- Overloading analysts with false positives.\r\n- Creating a blind spot, given that some security teams opt to disable XDRs as a way to stop all the noise.\r\n- Hiding legitimate threat activity.\r\n\r\nExample: Creating fake logs and flooding a SIEM with fake ransomware alerts.\r\n\r\nCountermeasures:\r\n- Leverage anomaly detection activity to identify alert flooding patterns.\r\n- Enforcing log integrity checks to decrease the chances of alert poisoning.\r\n- Rate-limit automated log events to prevent abuse.\r\n\r\n\r\n\t5. Catch 22: Detecting Malicious activity without an XDR.\r\n\r\nGiven that your XDR agent is disabled, visibility is limited. These are some alternatives:\r\n- Syslog Monitoring and SIEM logs: Look for XDR agent stop/disable events in your system logs.\r\n- Monitor authentication logs for suspicious access to the XDR console.\r\n- Review SIEM log ingestion for gaps in log forwarding (if logs stop being ingested, that's typically a red flag).\r\n\r\n\r\n\t6. Stop The Bleeding: Immediate Response to Regain Visibility and Isolation.\r\n\r\nIf an attacker has disabled visibility, you need to contain the compromised host without an XDR. The following alternatives could be applied:\r\n- Quarantine the compromised host using firewall rules or NAC.\r\n- Leverage network based detections (identify suspicious traffic patterns, detect connections to known C2).\r\n- Restore XDR sensor remotely.\r\n- If the attacker blocked reinstallation, deploy a separate forensic agent (such as velociraptor).\r\n\r\n\r\n\t7. Beat Them At Their Own Game: Locking the Attacker Out of the Console.\r\n\r\n- Check for rogue admin accounts added to your XDR console.\r\n- Rotate API keys and credentials.\r\n- Review XDR logs for unauthorized policy changes.\r\n- Enable MFA on XDR console.\r\n\r\n\r\n\t8. 
Real-World Case Studies: RansomHub - Weaponizing XDR Weaknesses.\r\n\t\r\nRansomHub is a ransomware-as-a-service (RaaS) operation first detected in February 2024 by TrendMicro. Unlike highly structured ransomware groups, RansomHub operates as a decentralized affiliate-based collective, allowing attackers from various regions to conduct their own operations under the same banner.\r\nTheir primary targets? Organizations with high operational dependencies, industries where downtime is more expensive than the ransom itself, increasing the likelihood of payouts.\r\n\r\n\t\r\n\t\u00b7 Attack methodology:\r\n\tRansomHub doesn't rely exclusively on encrypting data, they start by disabling security mechanisms, ensuring they can operate without any roadblocks. Their attack chain includes:\r\n\t\r\n\t- Using TDSSKiller to disable antivirus or XDR solutions in the target system.\r\n\t- Deploying TOGGLEDEFENDER to disable Windows Defender.\r\n\t- Utilizing XDR Kill Shifter, a loader executable that leverages the Bring Your Own Vulnerable Driver (BYOVD) technique, exploiting multiple vulnerable drivers to disable XDR protection before execution.\r\n\r\nKey Takeaway: Their focus on XDR disablement as a priority aligns with modern ransomware strategies, attackers don't just evade detection, they neutralize the entire security stack.\r\n\r\n\t\u00b7 Notable Victims:\r\nMexican government (Hit Twice!).\r\n\t- The second attack impacted 13 airports across the country.\r\n\t- Fun Fact: The Mexican government is a frequent target of ransomware attacks, often due to weak infrastructure, slow patching cycles, and underfunded cybersecurity measures.\r\n\t\r\nFrontier communications.\r\n\t- Disruption in telecom services, impacting businesses and residential users.\r\n\r\nChristie's Auction House\r\n\t- Attackers targeted high-value transactions and sensitive financial data.\r\n\r\n\u00b7 Key Takeaways:\r\n- RansomHub exemplifies modern ransomware techniques, they don\u2019t just encrypt 
data, they strategically dismantle defenses first.\r\n- The use of BYOVD attacks on XDRs shows that even advanced security solutions are vulnerable when misconfigurations or unpatched drivers exist.\r\n\r\n\u00b7 Countermeasures: Defending Against RansomHub\r\n- Use behavioral-based detection instead of relying only on signature-based AV/XDR protections.\r\n- Apply strict application control policies to block unauthorized tools.\r\n- Monitor for signs of BYOVD exploitation, harden kernel-level protections to prevent unsigned driver execution.\r\n\t\r\n\r\n\t9. Final Thoughts\r\n\r\nAttackers are shifting tactics, instead of just evading security tools, they're actively disabling them. Attackers recognize that XDRs are a core part of enterprise security, so their first priority is to neutralize detection and response capabilities before executing their objective.\r\n\r\nThe question isn\u2019t if attackers will target your XDR, it\u2019s how prepared you are when they do. The key to defense isn\u2019t just relying on automated detections, but understanding how attackers think and proactively securing the tools meant to protect you.", "recording_license": "", "do_not_record": false, "persons": [{"code": "GNUZAA", "name": "Melina Phillips", "avatar": "https://pretalx.com/media/avatars/GNUZAA_a02tuoj.webp", "biography": "Melina Phillips is an Offensive Security Engineer with a background in Security Operations and Incident Detection. She has over ten years of IT experience and six years working directly in cybersecurity, blending hands on blue team work with her current focus on adversary simulation and endpoint compromise.\r\n\r\nHer recent talks have been featured at Bsides Cambridge, Security Fest, BruCon, LeHack, HackLu and BlackAlps. She's known for making complex technical concepts accessible without watering them down, and for delivering practical insights grounded in real world attack and defense experience. 
She strongly believes that Linux security doesn\u2019t have to be presented in a boring way, and that technical depth and creativity can (and should) coexist.\r\n\r\nOutside of breaking into infrastructure and chasing down Linux threats, she's usually at CrossFit or playing with makeup, ideally not at the same time.", "public_name": "Melina Phillips", "guid": "a211d951-7864-5beb-b092-8be6e8fb04ee", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/GNUZAA/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/9JT9GR/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/9JT9GR/", "attachments": []}, {"guid": "52a7600b-28a1-5827-b207-5997ca2f5e44", "code": "VYCS8Y", "id": 92259, "logo": null, "date": "2026-05-07T13:30:00+02:00", "start": "13:30", "duration": "00:05", "room": "Main Stage", "slug": "bsidesluxembourg-2026-92259-what-is-the-dark-web-talking-about-dark-jargon-detection-and-identification", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/VYCS8Y/", "title": "What is the dark web talking about? - Dark Jargon Detection and Identification", "subtitle": "", "track": null, "type": "Lightning Talk", "language": "en", "abstract": "Communication on the dark web incorporates specialized coded language, referred to as \"dark jargon\", which serves to obscure illicit activities and hinder automated interpretation. These illicit activities often have severe real-world consequences, including drug and human trafficking, data leaks\r\nand financial theft through fraud, and the facilitation of child abuse, which emphasizes the need for dark jargon detection and decoding methods. 
In this lightning talk we aim to explain the basic concepts of dark jargon, its NLP-based detection and interpretation methods as well as the difficulties that impede these.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "WKCEMS", "name": "Laura Bernardy", "avatar": "https://pretalx.com/media/avatars/NBX787_GfzpQe2.webp", "biography": "Coming from a bachelors of linguistics and being always enthusiastic about IT and CTI topics, I combined these passions for my masters in computational linguistics. After that I started working in academic research mostly in low-resource language NLP, going more into Cybersecurity with my recently started PhD at SnT Luxembourg, which will be focused on dark web and CTI research with NLP.", "public_name": "Laura Bernardy", "guid": "e69aa407-5844-557c-97da-c6061b9cfc16", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/WKCEMS/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/VYCS8Y/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/VYCS8Y/", "attachments": []}, {"guid": "d0ca42da-b96c-56bd-baba-696832c2a121", "code": "GDNK3Q", "id": 92257, "logo": null, "date": "2026-05-07T13:35:00+02:00", "start": "13:35", "duration": "00:05", "room": "Main Stage", "slug": "bsidesluxembourg-2026-92257-understanding-mobile-stalkerware", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/GDNK3Q/", "title": "Understanding Mobile Stalkerware", "subtitle": "", "track": null, "type": "Lightning Talk", "language": "en", "abstract": "Stalkerware -software for stalking- is a class of malware aimed at targeted surveillance of individuals.\r\nOn contemporary mobile platforms, such monitoring is often enabled not through remote exploitation, but through authenticated access, coercion, and reconfiguration of devices. 
This creates a gray zone in which surveillance can be implemented via purpose-built stalkerware, but also by weaponizing dual-use applications or native OS-features.\r\n\r\nTo better understand this class of threats, we've studied definitions, classification, behavior and detection performance through literature in order to address some of the current research gaps. Based on our research, we propose an attack-centric perspective that grounds definitions and analysis in attacker access, persistence, and coercive objectives rather than application identity alone. We consolidate an end-to-end stalkerware attack lifecycle, with particular relevance to real-world Intimate Partner Violence (IPV) scenarios.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "AXCRBM", "name": "Elouan Rigaut", "avatar": "https://pretalx.com/media/avatars/YBB3X8_saEbXKr.webp", "biography": "PhD Student at University of Luxembourg\r\nSnT, TruX research team", "public_name": "Elouan Rigaut", "guid": "8d7c0c08-840e-56fd-8c6f-c0939847dd56", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/AXCRBM/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/GDNK3Q/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/GDNK3Q/", "attachments": []}, {"guid": "9766a529-2994-588e-a689-838ef870bd42", "code": "QB7ZBY", "id": 92431, "logo": null, "date": "2026-05-07T13:40:00+02:00", "start": "13:40", "duration": "00:05", "room": "Main Stage", "slug": "bsidesluxembourg-2026-92431-scaling-defence-finding-redvds-from-a-phishing-email", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/QB7ZBY/", "title": "Scaling defence - finding RedVDS from a phishing email", "subtitle": "", "track": null, "type": "Lightning Talk", "language": "en", "abstract": "Something we hear constantly as defenders is that attacks scale, implying that defences do not. 
While it is undeniable an attacker can take a 0-day and exploit thousands or millions of hosts, we can also turn the tables as defenders and scale our efforts. In this talk I will show you how you can take a phishing attempt and turn it into a major pain in the ass for an attacker.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "QCKQS8", "name": "Elliot Parsons", "avatar": "https://pretalx.com/media/avatars/DQS3BT_s4I9EMH.webp", "biography": "Elliot is a cyber threat intelligence consultant at AmeXio. He is from New Zealand with a background in Financial Services, Technology Services and Government organisations. His expertise is in threat intelligence, threat hunting, reverse engineering, malware analysis, and incident response.", "public_name": "Elliot Parsons", "guid": "6b461919-a688-5a88-b5b4-69cda1687e09", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/QCKQS8/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/QB7ZBY/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/QB7ZBY/", "attachments": []}, {"guid": "5552615b-415c-50ac-8e29-7e9bb470e3c8", "code": "RVGUME", "id": 91895, "logo": null, "date": "2026-05-07T13:45:00+02:00", "start": "13:45", "duration": "00:05", "room": "Main Stage", "slug": "bsidesluxembourg-2026-91895-how-to-be-just-the-right-amount-of-paranoid-cybersecurity-edition", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/RVGUME/", "title": "How to be just the right amount of Paranoid (Cybersecurity Edition)", "subtitle": "", "track": null, "type": "Lightning Talk", "language": "en", "abstract": "Hearing the first time about cybersecurity is exciting! You will learn how to hack things and learn how to defend against hackers. Red team, blue team and even purple team, but no one has told me that I will become more aware of security, or rather, become more aware of the lack of security in my surroundings. 
This awareness can grow into something much more than just being aware \u2013 \u201cbeing paranoid\u201d.", "description": "This lightning talk has the objective to bring this topic to light. It is a topic not often talked about, but it is a matter most people, that work or are in contact with (cyber)security, have experienced. The extent can vary and the impact can be visible or invisible. One might share in their close family and friend circle how passphrases are better than passwords and easier to remember while others might force them to use password managers, MFA, backups of the previous two, VPN connections 24/7 and so on.\r\nThe golden middle way is to adapt enough awareness to not fall into security traps while not becoming paranoid over the smallest things. It is difficult to balance, but by bringing this topic to light, a certain self-reflection should hopefully spark in the participants. Where do they find themselves on this scale between care-free and paranoid?\r\nThe human factor continues to play an important role in not only awareness, but in the realm of cybersecurity. Being able to position oneself and others on this scale can be crucial when it comes to determining how to convey a message. A security mindset is something we can work towards and expand together to create a secure and healthy environment.", "recording_license": "", "do_not_record": false, "persons": [{"code": "9GTVXC", "name": "Denim Lati\u0107", "avatar": "https://pretalx.com/media/avatars/9GTVXC_5uy0a5L.webp", "biography": "Denim Lati\u0107 is working as a security analyst and part of the CSIRT for Fondation Restena, the NREN of Luxembourg.\r\nCybersecurity is an ever-evolving field and so, he embarks on a perpetual journey to do his best to be able to face new and old threats in the cyberspace. 
Furthermore, he is enthusiastic about raising awareness on cybersecurity related issues to both small and large audiences.", "public_name": "Denim Lati\u0107", "guid": "e9b80c08-a480-595d-ae82-e60f4002d424", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/9GTVXC/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/RVGUME/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/RVGUME/", "attachments": []}, {"guid": "26b9e060-f5d8-5152-8748-3d6688d258ab", "code": "878PCR", "id": 94144, "logo": null, "date": "2026-05-07T13:50:00+02:00", "start": "13:50", "duration": "00:05", "room": "Main Stage", "slug": "bsidesluxembourg-2026-94144-magic-rs-a-memory-safe-libmagic-compatible-file-type-detection-ecosystem", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/878PCR/", "title": "Magic-rs: A Memory-Safe, libmagic-Compatible File Type Detection Ecosystem", "subtitle": "", "track": null, "type": "Lightning Talk", "language": "en", "abstract": "File identification has been a long-standing problem in software development, traditionally relying on legacy C code embedded within memory-safe applications. Magic-rs is a Rust ecosystem providing near-full compatibility with libmagic's file type detection while eliminating unsafe code. The ecosystem includes Python bindings and a CLI utility called `wiza` that we will demonstrate. We'll explore key advantages, architecture, and how you can use it in your projects or contribute to improving libmagic compatibility.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "YDKLRL", "name": "Quentin JEROME", "avatar": "https://pretalx.com/media/avatars/3JVRZM_xoQgYEQ.webp", "biography": "Quentin is a Rust developer at [CIRCL](https://circl.lu). Inspired by his background in incident response and threat detection, he develops open-source security tools to solve practical problems. 
His main interests include threat detection, bug hunting, and building tools that help the security community.", "public_name": "Quentin JEROME", "guid": "775f7c83-b07b-598c-8857-80bb24aebcb1", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/YDKLRL/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/878PCR/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/878PCR/", "attachments": []}, {"guid": "44084530-2159-5391-9edc-cc32c430359a", "code": "3YK3HN", "id": 94883, "logo": null, "date": "2026-05-07T13:55:00+02:00", "start": "13:55", "duration": "00:05", "room": "Main Stage", "slug": "bsidesluxembourg-2026-94883-building-a-safe-harbor-for-cybersecurity-professionals", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/3YK3HN/", "title": "Building a safe harbor for cybersecurity professionals", "subtitle": "", "track": null, "type": "Lightning Talk", "language": "en", "abstract": "This lightning talk will present positive and negative examples related to workplace well-being. It will emphasise the importance of mental health for operational teams such as SOCs and CSIRTs, and explore the pressures CISOs face today. The talk will explore the importance of creating a safe and open environment for cybersecurity professionals. It will also explain how to build a safe harbor for cybersecurity professionals. Furthermore, it will explain how this approach will be reciprocated by these individuals and contribute to a positive workplace culture.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "CJBELR", "name": "Ondrej Nekovar", "avatar": null, "biography": "Ondrej Nekovar is an experienced executive manager responsible for the cyber security of critical information infrastructure and the state. 
His areas of expertise include research into the use of advanced technologies for active cyber defense, deception, detection engineering and cyber counterintelligence.\r\n\r\nLinkedIn profile:\r\nhttps://www.linkedin.com/in/onekovar/", "public_name": "Ondrej Nekovar", "guid": "72cc06ae-44ac-5a5a-a9e3-72a930cc7c5b", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/CJBELR/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/3YK3HN/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/3YK3HN/", "attachments": []}, {"guid": "010aebc3-77f9-5905-929c-77e00b7f25d0", "code": "YQSRBJ", "id": 89826, "logo": null, "date": "2026-05-07T14:00:00+02:00", "start": "14:00", "duration": "00:40", "room": "Main Stage", "slug": "bsidesluxembourg-2026-89826-riot-a-raspberry-based-network-implant-for-red-team-operations", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/YQSRBJ/", "title": "RioT \u2013 A Raspberry-Based Network Implant for Red Team Operations", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "Our journey in Adversary Simulation and Red Team engagements frequently relies on attack scenarios that require physical access, or at least close proximity, to obtain an initial foothold.\r\n\r\nTo support these missions, we weaponized Raspberry Pi devices and transformed them into modular network implants tailored to our most common operational use cases.\r\n\r\nWe will look at uncommon situations where attackers have time on their side\u2014waiting for victim devices to quietly whisper their secrets, or using physical proximity in ways that traditional controls, including MFA, were never designed to handle.\r\n\r\nThis talk presents the internal RioT project, which has been actively used by the DEEP Red Team for more than five years. 
We will cover its design philosophy, implemented tooling, and a survey of attack scenarios and techniques that enabled successful outcomes during real-world engagements.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "TGY8UJ", "name": "Olivier M\u00e9doc", "avatar": null, "biography": "Olivier joined POST Cyberforce Offensive Security team where he participated to a large variety of offensive security missions such as vulnerability research, mobile, web applications and network penetration tests, targeting telecom and banking systems, payment machines or ATMs, and also participated to several forensics investigations.\r\n\r\nOn a regular basis he also participates to the development of in-house telecom network security testing software, and assessments .\r\n\r\nHe is currently active on adversary simulation and red team engagements for DEEP, and participates to the offensive security team research & development effort.", "public_name": "Olivier M\u00e9doc", "guid": "5898a721-80d4-5a2b-a7df-c207db571813", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/TGY8UJ/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/YQSRBJ/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/YQSRBJ/", "attachments": []}, {"guid": "4c11ae03-0607-5b76-8559-eb9efd33edb6", "code": "8UQAZC", "id": 85277, "logo": null, "date": "2026-05-07T14:40:00+02:00", "start": "14:40", "duration": "00:40", "room": "Main Stage", "slug": "bsidesluxembourg-2026-85277-those-who-don-t-learn-from-cves-are-doomed-to-rediscover-them", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/8UQAZC/", "title": "Those Who Don\u2019t Learn from CVEs Are Doomed to Rediscover Them", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "This session dives into real-world vulnerabilities by dissecting CVEs directly in the code where they occurred. 
Each example showcases not just what went wrong, but why, with a focus on the subtle coding patterns, missed assumptions, and language misunderstandings that led to the bugs.\r\nFor every vulnerability, we will extract a few key lessons: principles or warnings that developers and reviewers can apply to prevent similar issues.", "description": "The story starts with my analysis of a CVE affecting AES-GCM in a Ruby library and how this issue appears in other codebases and languages. I will show several related problems I reported across ecosystems.\r\n\r\nFrom there, I cover the cyclic nature of vulnerabilities: \"The end of the world, we forget, rediscovery.\"\r\n\r\nNext, I explain a practical methodology for performing CVE analysis. This leads into a selection of excellent CVEs I have studied and the lessons they provide. I will also demonstrate how one CVE I found was directly inspired by another I had analyzed earlier. I will finish this section with the most interesting CVE I examined in the weeks leading up to the conference.\r\n\r\nWe will wrap up with clear recommendations for attendees.\r\n\r\nSince the topic can be complex, I include a few jokes and memes throughout the presentation to help maintain attention.", "recording_license": "", "do_not_record": false, "persons": [{"code": "CZM8Q8", "name": "Louis Nyffenegger", "avatar": "https://pretalx.com/media/avatars/CZM8Q8_0AF7SzY.webp", "biography": "Louis Nyffenegger is a renowned application security expert and the founder of PentesterLab, a leading platform for hands-on security training. 
With extensive experience in penetration testing, code review, and application security, Louis has worked at organizations like the National Bank of Australia, Australia Post, and Fitbit.\r\n\r\nHe has delivered talks at security conferences, including DEFCON, Kawaiicon, and BSides Canberra, sharing insights on web security, code review techniques, and the intricacies of penetration testing.\r\n\r\nAs the primary author of PentesterLab\u2019s labs, Louis has designed practical, real-world exercises that help security professionals and developers master vulnerabilities and improve their skills. He also runs AppSecSchool, a YouTube channel dedicated to application security, and writes thought-provoking blog posts to inspire the security community.\r\n\r\nBeyond his technical contributions, Louis is passionate about teaching and empowering others to build secure software. He believes in a hands-on approach to security education, emphasising real-world applications and meaningful learning experiences.", "public_name": "Louis Nyffenegger", "guid": "d1947bdd-0778-5363-8b82-9dc48a50635a", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/CZM8Q8/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/8UQAZC/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/8UQAZC/", "attachments": []}, {"guid": "896867d4-149e-58ae-92cb-1692b0bda7cd", "code": "J9BBAM", "id": 92826, "logo": null, "date": "2026-05-07T15:40:00+02:00", "start": "15:40", "duration": "00:40", "room": "Main Stage", "slug": "bsidesluxembourg-2026-92826-dungeons-dragons-the-security-power-tool-you-didn-t-know-you-needed", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/J9BBAM/", "title": "Dungeons & Dragons: The security power tool you didn\u2019t know you needed", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "Tired of security training that puts your team to sleep? 
What if I told you the most powerful training tool in cybersecurity has been sitting in your game room all along? Welcome to the world of game-based learning, where the proven power of play transforms how professionals master complex skills.\r\n\r\nResearch shows that humans learn best when working together, yet traditional training methods keep pushing isolated, theoretical learning. Game-based learning flips this approach on its head, creating environments where people forget about office politics and actually engage with the material. Through structured play and collaborative storytelling, participants don't just memorize concepts\u2014they live them, breaking down professional barriers and building genuine understanding through experience.\r\n\r\nI'll show you the compelling evidence behind why using roleplaying games work, and demonstrate how to transform resistant learners into engaged participants. Using compelling examples, you'll discover how tabletop role-playing mechanics can turn your most challenging training scenarios\u2014from incident response to zero trust architecture\u2014into adventures your team actually looks forward to.\r\n\r\nJoin me to learn why adding roleplaying games to your professional development isn't just about making training fun\u2014it's about making it work.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "SQVVHK", "name": "Klaus Agnoletti", "avatar": "https://pretalx.com/media/avatars/JZ8NCF_NRSojrT.webp", "biography": "Klaus Agnoletti has been an all-round infosec professional since 2004. As a long-time active member of the infosec community in Copenhagen, Denmark, he co-founded BSides K\u00f8benhavn in 2019. \r\n\r\nCurrently he's a freelance storytelling cyber security advisor specializing in security transformation and community focused marketing, employer branding, playing security games  and other fun assignments and ideas coming his way. 
\r\n\r\nLately he has also become a neurodiversity advocate speaking about ADHD to educate and break down taboos in an industry with a vast overrepresentation of neurodiversity and not very many talking about it.", "public_name": "Klaus Agnoletti", "guid": "97865f70-b8ae-51b2-b463-29887514404a", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/SQVVHK/"}, {"code": "J3PRCC", "name": "Glen Sorensen", "avatar": "https://pretalx.com/media/avatars/J3PRCC_2Vu87sY.webp", "biography": "Glen Sorensen is a Recovering CISO/vCISO-Type and is presently a Solutions Engineer with DeleteMe. He has worn numerous hats in his career, in areas such as security engineering and architecture, security operations, GRC, and leadership, including leading the security program for a credit union and for smaller organizations in a fractional role. He currently focuses on how exposed information and OSINT are weaponized in conjunction with AI toward social engineering attacks, and how that factors into greater enterprise cyber risk.\r\n\r\nGlen approaches problems with practical solutions that bring good business value and has worked across many sectors, including financial services, healthcare, manufacturing, and others. He has served as a consulting expert in a large legal case involving healthcare and cyber attack detection technology. He has been in IT and security for 20+ years, depending on how much misspent youth you count.  
He is a privacy geek and a sucker for a good tabletop exercise, and also serves as an Incident Master for HackBack Gaming, which puts his countless hours of roleplaying game experience to work teaching people about cybersecurity and incident response.", "public_name": "Glen Sorensen", "guid": "b3a24141-a593-5cb2-b2f2-84110e0c2875", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/J3PRCC/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/J9BBAM/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/J9BBAM/", "attachments": []}, {"guid": "3125e582-722a-5c14-80c7-5708e448e75b", "code": "APBPPQ", "id": 92574, "logo": null, "date": "2026-05-07T16:20:00+02:00", "start": "16:20", "duration": "00:35", "room": "Main Stage", "slug": "bsidesluxembourg-2026-92574-finding-meaning-in-dev-null", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/APBPPQ/", "title": "Finding meaning in /dev/null", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "A network telescope, also called a black\u2011hole or network sinkhole, is a passive monitoring system that observes traffic sent to large blocks of unused IP address space. Because these IP ranges are never assigned to active hosts and do not generate legitimate responses, any traffic received is by definition unsolicited. This makes network telescopes powerful tools for studying global Internet behavior. They capture background noise, scanning activity, botnet noise, malicious probes, and even misconfigurations that would otherwise remain invisible. At CIRCL we operate a /18 Network Telescope since a long time, and in the context of this presentation, we will explain the potential of such dead network and our use case.", "description": "In this talk, we will first present the conceptual and operational fundamentals of what a network telescope is. 
Explaining its technical characteristics and its role in capturing unsolicited traffic at Internet scale. I will then describe the ingestion, normalization, and structuring pipeline used to transform the raw PCAP data into a durable and queryable data lake, relying on Suricata and ClickHouse for large-scale processing. Finally, I will showcase the types of analyses and meaningful insights that can be extracted from this dataset, including the identification of emerging behaviors, the characterization of malicious activities, and the observation of broader, systemic trends in global Internet traffic.\r\n\r\nWe will detail in our presentation all the valuable analysis that may come out of the void:\r\n\r\nDetection of Scanner Bots:\r\nBy combining PTR and activity, it is possible to determine profiles of commercial scanners and also detect some lesser-known scanners. We were able to discover more than 25 different scanner brands, from well-known ones like Onyphe or Shodan to lesser-known ones like Stretchoid or some public Russian ones such as F6 or Skipa. This permits the identification of around 6000 IPs monthly, which are available as MISP warning lists. \r\nObservation of the Mirai Botnet:\r\nThis malware has been trying to replicate for decades now; the TCP window size of the initial SYN packet is enough to qualify this malware family. The dataset collected shows an average of 45K Mirai bots. The distribution of Mirai per country is quite interesting.\r\n\r\nDetection of CVE Trends:\r\nBy discriminating sources of activity by destination port, protocol and known scanner type, it is often possible to distinguish early scanning campaigns and anticipate upcoming threats. 
This capability is particularly valuable for a CERT, as it supports early warning and timely notification of its constituency.\r\n\r\nThis is an example of scan activity around TCP port 8530, corresponding to the remote code execution (RCE) vulnerability CVE-2025-59287, an unsafe deserialization bug in Microsoft Windows Server Update Services (WSUS). The CVE was released on 14/10/25.\r\n\r\nDeep analysis of SNMP queries:\r\nAnalysis of SNMP traffic at this scale allows us to monitor CVE-based injections and associated campaigns.\r\n\r\nIt also makes it possible to find interesting relations between devices and the SNMP community used. Some examples of our previous SNMP protocol analysis can be found here:\r\nhttps://d4-project.org/2025/11/27/Learning-from-Large-Scale-IPv4-blackhole-behavioral-analysis-of-SNMP-traffic.html\r\n\r\nMany other trends can also be extracted. During this presentation, we will additionally cover:\r\n\r\n    IoT botnet injections: The lowest possible level of interaction still allows us to identify old RCE injections like CVE-2019-12297, CVE-2021-35394, CVE-2023-28771.\r\n    Detection of DDoS attacks: Since combined DDoS attacks often use spoofed random IPs, it is possible to see some of the backscatter traffic (TCP SYN-ACK / ICMP unreachable) and therefore determine victimology.\r\n    Antivirus usage trends: By observing unsolicited traffic generated by security products, it is possible to identify antivirus deployment patterns, update behaviors, and their evolution over time, providing indirect visibility into defensive technologies used across the Internet.\r\n    Port 0 scanning: Although port 0 is reserved and unused by legitimate services, it is sometimes leveraged by scanners for operating system fingerprinting. 
Monitoring this activity helps identify OS detection techniques and early-stage reconnaissance behaviors.\r\n    Many funny syslog misconfigurations: Since our range is not too far from an RFC1918 IP range, it often receives syslog traffic from misconfigured devices sending logs to invalid destinations. These cases highlight operational mistakes, legacy configurations, and occasionally the unintended exposure of internal or sensitive information.", "recording_license": "", "do_not_record": false, "persons": [{"code": "MPAQFD", "name": "Paul JUNG", "avatar": "https://pretalx.com/media/avatars/FYJX3N_mK1o6XY.webp", "biography": "**Paul Jung** (paul.jung@circl.lu) is a long-time security professional with over two decades of experience in the cybersecurity field in Luxembourg. He has built extensive consulting expertise across multiple industries, covering activities from offensive security assessments to incident response and digital forensics. Prior to joining the Computer Incident Response Center Luxembourg (CIRCL), he served as Senior Security Architect in the Managed Network Security department of the European Commission, where he led the technical direction of major security projects. He later joined Excellium Services (acquired by Thales Group in 2022), where he founded and led TCS-CERT, a multi-country CSIRT dedicated to intrusion response. Paul regularly speaks at international conferences such as FIRST, Virus Bulletin, Botconf, and Hack.lu, and has published articles on DDoS, botnets, and incident response. 
He is a native French speaker and fluent in English.", "public_name": "Paul JUNG", "guid": "7a31087c-4111-5dcb-903c-ad7ad302ad98", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/MPAQFD/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/APBPPQ/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/APBPPQ/", "attachments": []}, {"guid": "de0aa9ab-2e5a-5bd2-ad62-c1424875fc70", "code": "KHWQNW", "id": 92361, "logo": null, "date": "2026-05-07T16:55:00+02:00", "start": "16:55", "duration": "00:35", "room": "Main Stage", "slug": "bsidesluxembourg-2026-92361-digital-risks-threat-models-and-empathy-trainings-that-empower", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/KHWQNW/", "title": "Digital risks, threat models, and empathy: trainings that empower", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "Digital and cyber risks do not always fit into standard risk assessment paradigms; they might use different language or touch upon complex causal or interdependence relationships. This non-technical talk will guide listeners on digital security training and storytelling techniques that will leave their audience feeling more empowered and better able to assess and mitigate digital risks. It will look at how to position digital risks next to other risks and look at how smart and empathetic threat modelling can combat nihilistic feelings of universal surveillance.", "description": "Many risk assessment professionals struggle with understanding digital and cyber risk. Risks such as injury caused by fires or earthquakes have reasonably straightforward causes. Risks such as data exfiltration could be caused by a number of complex, interconnected attacks. This talk will be based on my experiences of training small teams of very different risk experts\u2014ranging from investigative journalism editors to humanitarian workers\u2014about digital risks. 
It will focus on how we can tell better stories on digital risk that leave the audience feeling empowered.\r\n\r\nWe will discuss:\r\n\r\n1. How to position digital risks next to other types of risks: I will summarise some of the conversations I\u2019ve had with risk assessment professionals, highlighting both easy parts of and struggles in explaining digital risk. I will also briefly mention the problem of knowledge asymmetries in cyber and digital risk assessments.\r\n\r\n2. Differences in risk assessment language used\u2014and why they matter: this includes looking at words like \u201cthreat\u201d, \u201crisk\u201d, \u201cprevention\u201d, and \u201cmitigation\u201d, and how cyber and digital risk professionals might use them differently from others\r\n\r\n3. Why \u2018standing out\u2019 (for example refusing to use some mainstream tools or having unusual tech use patterns) could itself be a problem. Here, we also discuss how much of the data surveillance actors collect can be noisy and messy, and why this might be reassuring.\r\n\r\n4. Perceptions of omnipresent surveillance and ill-defined threat actors and how those frustrate our efforts at security education: we all sometimes run into the perception that surveillance isn\u2019t just everywhere but done by everybody. While it\u2019s true that many different actors are involved in this ecosystem, I explain how explicitly defining those actors and explaining what they are and aren\u2019t capable of can help empower the audiences of our trainings. In short, this is a session on how we can use standard threat modelling techniques.\r\n\r\n5. A case study on WhatsApp and Signal to explain how to best discuss risks and mitigations related to messaging and messengers.\r\n\r\n6. Time for questions and discussion!\r\n\r\n\r\nThe main audience of this talk are security trainers, security team managers, and others who frequently work with and upskill non-technical audiences. 
I will mostly focus on broader notions of digital risk, only going into technical details when necessary.\r\n\r\nI hope that, after the talk, the audience will have the following key take aways:\r\n\r\n- How to effectively tell stories about digital risk, cyber risk, and surveillance to audiences that don\u2019t feel too comfortable with such topics\r\n- Building analogies, and noting differences, between digital risk and other types of risk (physical, financial, legal, etc.)\r\n- How to empower people who might feel overwhelmed when thinking about risks such as surveillance or spyware", "recording_license": "", "do_not_record": false, "persons": [{"code": "NLVVCF", "name": "\u0141ukasz Kr\u00f3l", "avatar": "https://pretalx.com/media/avatars/PYB8BK_zftd6t6.webp", "biography": "\u0141ukasz is a digital security trainer based at the ICRC Global Cyber Hub in Luxembourg. He has a background in politics, technology, and international relations. He is particularly interested in digital security pedagogies, selecting secure and sustainable digital tools, and effectively supporting at-risk groups and individuals.", "public_name": "\u0141ukasz Kr\u00f3l", "guid": "35a7d265-3e9d-5acc-b107-e9c93efa7236", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/NLVVCF/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/KHWQNW/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/KHWQNW/", "attachments": []}, {"guid": "d17ba237-357b-5fa7-86fc-a56cf3dc63b9", "code": "SWGJPX", "id": 92560, "logo": null, "date": "2026-05-07T17:30:00+02:00", "start": "17:30", "duration": "00:35", "room": "Main Stage", "slug": "bsidesluxembourg-2026-92560-phinding-a-phisher-don-t-let-rep-get-you-rekt", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/SWGJPX/", "title": "Phinding a Phisher: Don't let rep get you rekt", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "The as-a-service model has become ubiquitous 
across the cybercrime ecosystem. Previously dominated by tight-knit, exclusive groups, cybercrime is now a distributed international marketplace of service providers and consumers. As a result, it is more resilient than ever, with the gaps left by law enforcement takedowns quickly filled by the next opportunistic teenager. However, to operate effectively in this anonymous distributed economy threat actors need to build a reputation to gain trust. Does this give us an opportunity?\r\n\r\nIn this presentation I will discuss the importance of trust in the cybercrime ecosystem and walk through a real-world investigation involving a prominent phishing-as-a-service (PhaaS) provider. The case study illustrates that trust and OpSec do not mix, exposing threat actors to identification. Attendees will leave with additional insight into the cybercrime ecosystem, hacker culture, and some nifty OSINT tricks.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "QCKQS8", "name": "Elliot Parsons", "avatar": "https://pretalx.com/media/avatars/DQS3BT_s4I9EMH.webp", "biography": "Elliot is a cyber threat intelligence consultant at AmeXio. He is from New Zealand with a background in Financial Services, Technology Services and Government organisations. 
His expertise is in threat intelligence, threat hunting, reverse engineering, malware analysis, and incident response.", "public_name": "Elliot Parsons", "guid": "6b461919-a688-5a88-b5b4-69cda1687e09", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/QCKQS8/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/SWGJPX/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/SWGJPX/", "attachments": []}, {"guid": "2e4e0024-fd81-59ac-92cf-edaf11dc6823", "code": "D8PPLC", "id": 92930, "logo": null, "date": "2026-05-07T19:30:00+02:00", "start": "19:30", "duration": "01:30", "room": "Main Stage", "slug": "bsidesluxembourg-2026-92930-security-impress-karaoke", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/D8PPLC/", "title": "Security Impress Karaoke", "subtitle": "", "track": "Main Stage", "type": "Custom entertainment and similar", "language": "en", "abstract": "Think you can bluff your way through a security talk with zero prep? Now is your chance! At Security Impress Karaoke\u00b9, you'll be handed a totally random, security-themed slide deck you\u2019ve never seen before - and have just 3 minutes to present it like a pro.", "description": "No experience? No problem. This is all about having fun, thinking fast, and impressing the crowd with your creativity (or chaos). Whether you're a seasoned hacker or just security-curious, come take the podium and let\u2019s see what you\u2019ve got!\r\n\r\nSign up or just show up!", "recording_license": "", "do_not_record": false, "persons": [{"code": "BFDPQS", "name": "Kirils Solovjovs", "avatar": null, "biography": "Kirils Solovjovs is Latvia's leading white-hat hacker and IT policy activist, known for uncovering and responsibly disclosing critical security vulnerabilities in national and international systems. An expert in penetration testing, network flow analysis, and reverse engineering, he is also a lifelong command-line enthusiast. 
Kirils started programming at age 7 and by grade 9 was spending his lunch breaks writing machine code directly in a hex editor. He uses bash daily for hacking, automation, and large-scale data processing and is sometimes contracted by major online education providers to proofread their bash certification exams. He currently is the lead researcher at Possible Security.", "public_name": "Kirils Solovjovs", "guid": "325ead40-4b03-5c18-88e3-e6be1d7b26d1", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/BFDPQS/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/D8PPLC/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/D8PPLC/", "attachments": []}], "IFEN room 1, Workshops and Detection Engineering village (Building D)": [{"guid": "e90c28c0-1ee2-5ec2-b111-00c6d953294d", "code": "EW9MCX", "id": 91893, "logo": null, "date": "2026-05-07T09:00:00+02:00", "start": "09:00", "duration": "00:40", "room": "IFEN room 1, Workshops and Detection Engineering village (Building D)", "slug": "bsidesluxembourg-2026-91893-hello-lucy-nice-to-meet-you-a-conclusion-on-a-3-year-open-source-cybersecurity-project", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/EW9MCX/", "title": "Hello LuCy nice to meet you! - A conclusion on a 3 year Open-Source cybersecurity project", "subtitle": "", "track": "Actionable CTI and detection engineering village", "type": "Talk", "language": "en", "abstract": "LuCy is the 3-year odyssey to bring a new security solution closer to the R&E community in Luxembourg. The open-source project is integrated into an existing IT infrastructure - but wait, why not open it to our Luxembourgish R&E community and that at a low cost! 
After some reflection it became clear that with a bit of effort the security tools can also be used by the community!\r\n\r\nThis presentation will be the conclusion on the LuCySe4RE project, presenting the overall highs and lows of the project from a technical, an awareness, as well as a human perspective.\r\n\r\nAs a conclusion, focus will be put on new challenges that emerged after the move from prototype to a fully-fledged service, as well as on new risks that we did not identify before.\r\n\r\nIn this presentation we will share our lessons learned from our journey from a prototype to a tool in production and hopefully reach others to start their journey with implementing and promoting open-source projects in their community in future!", "description": "LuCy is a mostly open-source cybersecurity toolbox consisting of a SIEM and a DNS firewall. Due to limited resources, a significant number of R&E (research and education) institutions cannot deploy an in-house cybersecurity solution. \r\nTherefore, LuCy was brought into this world to offer these services, such as alerting, DNS filtering, and dashboards, to the R&E institutions to improve their resilience at a reduced cost. We highly value the input from institutions connected to LuCy for continuous improvement of the platform.\r\nData sovereignty is crucial, thus everything is hosted on premises at the _Restena Foundation_ in Luxembourg.\r\nWe are working on reports and documentation so that any other SME can deploy this open-source cluster on their premises.\r\n\r\nOpen-source is the way to go! Lessons learned from implementing a cybersecurity tool which needs half of the staff. Not to lose motivation also in tough times. 
Keep the mindset, open source is needed in our community!", "recording_license": "", "do_not_record": false, "persons": [{"code": "9GTVXC", "name": "Denim Lati\u0107", "avatar": "https://pretalx.com/media/avatars/9GTVXC_5uy0a5L.webp", "biography": "Denim Lati\u0107 is working as a security analyst and part of the CSIRT for Fondation Restena, the NREN of Luxembourg.\r\nCybersecurity is an ever-evolving field and so, he embarks on a perpetual journey to do his best to be able to face new and old threats in the cyberspace. Furthermore, he is enthusiastic about raising awareness on cybersecurity-related issues to both small and large audiences.", "public_name": "Denim Lati\u0107", "guid": "e9b80c08-a480-595d-ae82-e60f4002d424", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/9GTVXC/"}, {"code": "C7YB8E", "name": "Cynthia Wagner", "avatar": null, "biography": "Cynthia Wagner is the Chief Information Security Officer and Security Manager at the Restena Foundation, the national research and education network in Luxembourg. Previously, Cynthia was managing the Restena-Computer Security Incident Response Team.  Besides her daily work, she is an active member in different working groups at Geant (the collaboration of European National Research and Education Networks) and CENTR (Council of European National Top-Level Domain Registries). Furthermore, she is the founder of Restena\u2019s CyberDay.lu and the Data Privacy Day conference. 
\r\nIn her spare time, she loves to exploit new recipes in her kitchen (successfully and not...).", "public_name": "Cynthia Wagner", "guid": "14fe180a-f8d6-51fd-b943-f6edf37859de", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/C7YB8E/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/EW9MCX/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/EW9MCX/", "attachments": []}, {"guid": "28e06720-8277-5f21-ad45-735d5d5386e4", "code": "ZDAX3J", "id": 92938, "logo": null, "date": "2026-05-07T09:40:00+02:00", "start": "09:40", "duration": "00:35", "room": "IFEN room 1, Workshops and Detection Engineering village (Building D)", "slug": "bsidesluxembourg-2026-92938-from-hours-to-minutes-automating-incident-response-triage-with-open-source-tools", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/ZDAX3J/", "title": "From Hours to Minutes: Automating Incident Response Triage with Open-Source Tools", "subtitle": "", "track": "Actionable CTI and detection engineering village", "type": "Talk", "language": "en", "abstract": "Learn how to automate incident response triage using open-source tools. This talk shows how to go from forensic collection to collaborative analysis in minutes, with real-world workflows and cloud-based automation.", "description": "Traditional forensic acquisitions create bottlenecks in incident response, requiring specialized expertise and significant time that delays investigations. This presentation introduces an automated forensic triage workflow using open-source tools to accelerate response operations.\r\n\r\nThe workflow utilizes a Velociraptor offline collector to acquire forensic triage images, automatically uploaded to cloud storage. This triggers an OpenRelik workflow that processes triage data using tools like Hayabusa and Plaso/log2timeline, with AI-powered analysis and summarization. 
The processed output is uploaded to Timesketch for collaborative analysis.\r\n\r\nSeveral DFIR datasets will be used to show the automation pipeline from initial collection to timeline analysis. The workflow reduces time-to-analysis from hours to minutes while maintaining forensic integrity.\r\n\r\nAttendees will learn to implement automated triage workflows and integrate multiple open-source tools into investigation pipelines. This targets incident responders, digital forensics practitioners and anyone in the security community looking to streamline forensic operations.", "recording_license": "", "do_not_record": false, "persons": [{"code": "KV3U9J", "name": "Markus Einarsson", "avatar": "https://pretalx.com/media/avatars/XXEWP9_48ql2If.webp", "biography": "Markus Einarsson is a Security Architect and Incident Response Lead at Sectra in Sweden, where he secures cloud-hosted environments for healthcare customers worldwide. With over a decade of experience in cybersecurity, Markus specializes in incident response, digital forensics and security architecture.\r\n\r\nAs part of the Sectra Hunt and Incident Response Team, he has extensive hands-on experience with forensic workflows and modern DFIR toolchains. Markus holds multiple GIAC certifications including GEIR, GCDA, GCFE, GCFA, GRID, GNFA, GCIA and GCIH. 
He is passionate about scalable incident response methodologies and advancing open-source forensic tools.", "public_name": "Markus Einarsson", "guid": "afda07f0-19ab-5eae-b5ac-9fed441c27f8", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/KV3U9J/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/ZDAX3J/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/ZDAX3J/", "attachments": []}, {"guid": "78197750-cc28-5d28-af61-292b7d08d631", "code": "AP8GQT", "id": 92598, "logo": null, "date": "2026-05-07T10:35:00+02:00", "start": "10:35", "duration": "00:40", "room": "IFEN room 1, Workshops and Detection Engineering village (Building D)", "slug": "bsidesluxembourg-2026-92598-advanced-threat-hunting-staying-one-step-ahead-of-adversary", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/AP8GQT/", "title": "Advanced Threat Hunting: Staying One Step Ahead of Adversary", "subtitle": "", "track": "Actionable CTI and detection engineering village", "type": "Talk", "language": "en", "abstract": "As cybersecurity defenders, our job is to prevent breaches. However, threat actors continue to succeed because they constantly evolve their techniques. In this session, I will show you some of the innovative attack vectors that malicious hackers use to target our infrastructure. You\u2019ll learn how these techniques work and more importantly, how to leverage them for your own threat hunting.", "description": "As cybersecurity defenders, our job is not just to react but to stay ahead of attackers. Yet, adversaries continue to evolve, refining their techniques to bypass defenses and infiltrate critical systems. To effectively hunt threats, we must understand how these attackers think and operate.\r\n\r\nThis session will explore real-world techniques used by malicious actors to breach security controls. 
We will examine how stolen data such as compromised session tokens and credentials are weaponized to gain unauthorized access to systems and supply chains. We\u2019ll also uncover how attackers bypass restricted registration requirements, exploiting gaps in verification and automation processes. We will also analyze how logic flaws in authentication mechanisms allow threat actors to circumvent security controls, gaining entry where they shouldn\u2019t. And much more.\r\n\r\nBy breaking down these attack strategies, you will learn how to identify, track, and neutralize emerging threats before they cause damage. This session will equip you with practical threat-hunting insights, showing you how to turn an attacker\u2019s own methods against them before they strike.", "recording_license": "", "do_not_record": false, "persons": [{"code": "CPAF8T", "name": "Alex Holden", "avatar": "https://pretalx.com/media/avatars/SQ7VXR_h7pax1Y.webp", "biography": "Alex Holden is the founder and CISO of Hold Security, LLC. Under his leadership, Hold Security played a pivotal role in information security and threat intelligence, becoming one of the most recognizable names in its field. Mr. 
Holden researches minds and techniques of cyber criminals and helps our society to build better defenses against cyber-attacks.", "public_name": "Alex Holden", "guid": "463d55c4-3cc3-5172-828f-420afeb33a08", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/CPAF8T/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/AP8GQT/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/AP8GQT/", "attachments": []}, {"guid": "40d2cb10-2683-5f4b-8529-e13e37b8b2b0", "code": "L9773J", "id": 93492, "logo": null, "date": "2026-05-07T11:20:00+02:00", "start": "11:20", "duration": "00:40", "room": "IFEN room 1, Workshops and Detection Engineering village (Building D)", "slug": "bsidesluxembourg-2026-93492-ct-c-i-driven-detection-against-internal-and-external-threats", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/L9773J/", "title": "CT(C)I-Driven detection against internal and external threats", "subtitle": "", "track": "Actionable CTI and detection engineering village", "type": "Talk", "language": "en", "abstract": "Threat intelligence is often reduced to reactive IOC lists or superficial color-coded reports. This talk dismantles that paradigm. We will explore the application of Cyber Threat (Counter) Intelligence - CT(C)I - in a geopolitical context, demonstrating how to engineer detections that actively hunt sophisticated adversaries operating both outside and inside your perimeter. Moving beyond standard threats, we dissect the rising trend of APT-backed \"remote workers\" infiltrating organizations using deepfakes and fabricated histories. We will show you how to weaponize cyber counterintelligence and deploy deceptive defenses to expose the threat, transforming your internal environment into your primary intelligence sensor - detection. 
Finally, we will outline a modern, graph-based \"Detection-as-Code\" methodology that replaces static documentation with visual, automated defense logic.", "description": "In this talk, we redefine efficient threat intelligence processing and its direct application in advanced detection engineering. We are moving past the era of creating reactive detection rules based on trending IOCs or generating \"traffic light\" reports that lack real defensive impact.\r\nWe will examine high-stakes threat scenarios on a geopolitical scale. By analyzing the laws of cyber deception within CTI reports, we will identify the behavioral errors attackers make and learn how to exploit those flaws for detection.\r\nHowever, the landscape is evolving. We will analyze scenarios where external adversaries successfully become internal threats\u2014specifically dissecting the tactic of APTs deploying state-sponsored remote workers to infiltrate security companies. This involves advanced deception: deepfakes, synthetic profiles, fabricated employment histories, and the abuse of corporate devices.\r\nWhen you have a highly trained operative inside, traditional defense fails. This is where Cyber Counterintelligence (CCI) becomes essential. You must counter the adversary's deception with your own deceptive architecture to force them into revealing themselves. We will then go through a real detection engineering challenge: an identity-based detection across the whole environment. \r\nTo operationalize this approach, we must abandon outdated methods. We will explore how to revolutionize your engineering process by replacing static documentation with a visual graph engine. 
You will learn how to apply a Git-native \"Detection-as-Code\" workflow that automatically converts visual capability maps into executable SIGMA rules, leveraging MITRE frameworks to design and scale resilient defense logic.\r\n\r\nKey Takeaways:\r\n- Shatter the Perimeter Illusion - Realize that sophisticated threats are not just external; they are actively infiltrating organizations as trusted insiders.\r\n- The Necessity of Threat-Informed Defense - Understand that generic monitoring is obsolete; threat-driven detection engineering is the only viable path forward against modern adversaries.\r\n- Operationalize Cyber Counterintelligence - Learn how to use internal telemetry and deceptive tactics to expose sophisticated actors already operating within your environment.", "recording_license": "", "do_not_record": false, "persons": [{"code": "CJBELR", "name": "Ondrej Nekovar", "avatar": null, "biography": "Ondrej Nekovar is an experienced executive manager responsible for the cyber security of critical information infrastructure and the state. 
His areas of expertise include research into the use of advanced technologies for active cyber defense, deception, detection engineering and cyber counterintelligence.\r\n\r\nLinkedIn profile:\r\nhttps://www.linkedin.com/in/onekovar/", "public_name": "Ondrej Nekovar", "guid": "72cc06ae-44ac-5a5a-a9e3-72a930cc7c5b", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/CJBELR/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/L9773J/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/L9773J/", "attachments": []}, {"guid": "5267142a-8248-5853-abf9-0e3f077ba7c2", "code": "RNELAL", "id": 92601, "logo": null, "date": "2026-05-07T13:30:00+02:00", "start": "13:30", "duration": "00:40", "room": "IFEN room 1, Workshops and Detection Engineering village (Building D)", "slug": "bsidesluxembourg-2026-92601-opentide-from-raw-intelligence-to-structured-threat-informed-detections", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/RNELAL/", "title": "OpenTide: From Raw Intelligence to Structured Threat-Informed Detections", "subtitle": "", "track": "Actionable CTI and detection engineering village", "type": "Talk", "language": "en", "abstract": "Threat intelligence has matured significantly in the domain of indicators of compromise (IOCs), with standardised formats and automated sharing infrastructure. Yet when it comes to adversary behaviors - tactics, techniques, and procedures (TTPs), intelligence is still largely delivered through unstructured reports, PDFs, and blog posts. This creates a persistent gap: while defenders receive rich insights, they lack a systematic way to translate those insights into actionable detection engineering outcomes. Measuring detection coverage remains difficult, often reduced to basic ATT&CK matrix mappings that fail to capture the relational and technical nature of adversary behaviors. 
Meanwhile, intelligence evolves faster than most teams can analyse, leaving detection engineers overwhelmed and without a standardised workflow to prioritise or model new threats.\r\n \r\nOpenTide (Open Threat Informed Detection Engineering, an open source framework developed at the European Commission CSOC) addresses this challenge by introducing a structured, top\u2011down intelligence\u2011to\u2011detection flow. At its core are Threat Vectors - an open construct for modeling TTPs at any level of granularity. Threat Vectors can be interrelated to form attack graphs, enabling defenders to build a dynamic and continuous coverage picture as new intelligence emerges.\r\n \r\nWithin OpenTide, detection objectives and supporting rules are explicitly linked to Threat Vectors, creating a direct mapping from intelligence to detection logic. A normalised schema ensures that unstructured intelligence can be ingested, transformed, and operationalised consistently. Furthermore, experimental integrations with large language models (GenTide R&D Project) accelerate the creation of these objects, demonstrating how automation can reduce the time from intelligence inputs to detection deployment.\r\n \r\nBy reframing how we model and consume TTP\u2011focused intelligence, OpenTide provides a scalable path to actionable detection engineering. 
It enables defenders to move beyond static mappings, measure coverage in context, and continuously align detection priorities with the evolving threat landscape.\r\n \r\nOpenTide : https://github.com/OpenTideHQ", "description": "**Outline**\r\nIntelligence to Detection Engineering Gap\r\n- TTP intelligence remains unstructured (reports, PDFs, blogs).\r\n- Defenders struggle to operationalize insights into detections.\r\n- Coverage measurement reduced to static ATT&CK mappings.\r\n- Manual workflows are slow and inconsistent.\r\n- Teams overwhelmed by volume and pace of new intel.\r\n \r\nOpenTide Workflow\r\n- Intelligence > Threat Vectors > Detection Objectives > Rules.\r\n- Normalized schema for consistent ingestion of unstructured intel.\r\n- Attack graphs enable contextual coverage measurement.\r\n \r\nAccelerating with LLMs (GenTide)\r\n- GenTide : LLMs accelerate Threat Vector modeling from intelligence.\r\n- Accelerates turning into Detection Objectives to support rule development\r\n- Reduces time from intel input to detection deployment.\r\n- Supports continuous alignment with evolving threats.\r\n \r\n**Key take aways**\r\nOpenTide helps defenders turn unstructured threat intelligence into actionable detections. It introduces Threat Vectors to model adversary behaviors and link them directly to detection objectives and rules in comprehensive. 
This creates a structured, scalable workflow that replaces static ATT&CK mappings with a growing knowledge graph and redefines how detection coverage can be evaluated.\r\n\r\nWith experimental automation through large language models, OpenTide shortens the time from intelligence to deployment and enables continuous alignment with evolving threats.", "recording_license": "", "do_not_record": false, "persons": [{"code": "CUAN3J", "name": "Remi Seguy", "avatar": null, "biography": "With over 20+ years in the cybersecurity field, I have dedicated my career to safeguarding organisations by developing robust SOC and effective incident response teams. As a passionate advocate for knowledge sharing and collaboration - \"sharing is caring\"- I have actively contributed to the cybersecurity community and related open-source projects, such as MISP. In my current role, I have led the OpenTide initiative, turning it into a project at the core of the Detection Engineering team. I am looking for exchanging and collaborating with other Detection Engineering teams to develop repeatable, traceable, and pragmatic processes, effectively bridging the gap between Threat Intelligence, Threat Hunting, and Threat Detection.", "public_name": "Remi Seguy", "guid": "098a0446-dced-5c06-9883-253dfc1cbe3d", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/CUAN3J/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/RNELAL/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/RNELAL/", "attachments": []}, {"guid": "2abf58b0-a5af-5aa9-8e06-38cc3d624e93", "code": "Z8EPNM", "id": 92773, "logo": null, "date": "2026-05-07T14:10:00+02:00", "start": "14:10", "duration": "00:35", "room": "IFEN room 1, Workshops and Detection Engineering village (Building D)", "slug": "bsidesluxembourg-2026-92773-your-cti-reports-are-useless-without-structure-from-unstructured-threat-intel-to-stix-knowledge-graphs-with-llms-and-mcp-server", "url": 
"https://pretalx.com/bsidesluxembourg-2026/talk/Z8EPNM/", "title": "Your CTI Reports Are Useless Without Structure: From Unstructured Threat Intel to STIX Knowledge Graphs with LLMs and MCP server", "subtitle": "", "track": "Actionable CTI and detection engineering village", "type": "Talk", "language": "en", "abstract": "Every week, hundreds of threat intelligence reports are published in prose \u2014 rich in context, but locked in a format that no SIEM, TIP, or AI agent can consume. Without structure, CTI stays trapped in PDFs and blog posts, disconnected from the defensive stack that needs it most.\r\nThis talk presents a **practitioner and research-driven approach** to closing that gap. Drawing from independent research on the **[TI Mindmap HUB](https://ti-mindmap-hub.com/)** project and an academic study currently under peer review, benchmarking five LLM families against government-grade STIX 2.1 ground truth, the speaker demonstrates how a hybrid architecture \u2014 combining deterministic extraction with LLM-based semantic inference \u2014 can transform unstructured reports into **machine-readable STIX 2.1 bundles**.\r\nBeyond generation, the talk explores how STIX bundles become the foundation for **LLM-powered knowledge graphs** and how the **Model Context Protocol** (MCP) exposes structured CTI as tool calls for AI agents \u2014 making intelligence not just structured, but conversationally actionable for both human analysts and autonomous copilots.\r\nThis is independent research, not a product pitch. The speaker invites collaboration from the CTI community.\r\n_Disclaimer: TI Mindmap HUB is a personal, independent research project. It is not affiliated with, endorsed by, or representative of any employer, organization, or commercial entity._", "description": "**Problem Statement**\r\nThe CTI community produces an enormous volume of high-quality threat intelligence every week \u2014 malware analyses, campaign reports, government advisories. 
The vast majority is published as unstructured text. Despite the existence of STIX 2.1 as a mature, graph-based interoperability standard, most organizations skip the conversion step entirely because it is slow, manual, and requires deep domain expertise. The consequence: intelligence that could feed automated detection, correlation, and response workflows remains locked in prose.\r\nThis section frames STIX not as bureaucratic overhead, but as the critical prerequisite layer that makes everything downstream \u2014 from SIEM rules to AI-driven threat hunting \u2014 possible.\r\n**The Hybrid Architecture: GenAI-STIX**\r\nThe core of the talk introduces a hybrid pipeline architecture developed through independent research and validated in an academic study currently under peer review (University of Salerno, AY 2025/2026). The key design insight is that not everything should be delegated to a generative model:\r\n\r\n- Deterministic extraction (regex + validation) handles Indicators of Compromise (IoCs) \u2014 IP addresses, hashes, domains, URLs \u2014 where precision and resistance to hallucination are paramount.\r\n- LLM-based semantic inference handles the hard part: extracting Tactics, Techniques, and Procedures (TTPs), threat actors, malware families, victims, and the relationships between them, then mapping these to the MITRE ATT&CK framework.\r\n\r\nThe talk walks through the evaluation methodology: a dual pipeline (object-level detection metrics + holistic graph similarity) tested against a ground-truth dataset built from real UK National Cyber Security Centre (NCSC) STIX bundles. Five LLM families were benchmarked. 
Key finding: high-reasoning models exceed 94% precision in TTP extraction, demonstrating that automated MITRE ATT&CK mapping is no longer a theoretical prospect but a production-ready capability.\r\n**TI Mindmap HUB: The Living Research Lab**\r\nTI Mindmap HUB is the independent research platform where these concepts are implemented and tested at scale, processing 50\u201360 threat reports weekly. The speaker demonstrates how a single unstructured report flows through the pipeline and emerges as a multi-lens analyst workstation:\r\n\r\n- STIX graph view \u2014 interactive entity/relationship exploration\r\n- Diamond Model \u2014 campaign framing from STIX objects\r\n- MITRE ATT&CK heatmap \u2014 behavioral coverage visualization\r\n- CVE analyst table \u2014 vulnerability prioritization with threat context\r\n- TI Mindmap \u2014 narrative structure for executive and analyst consumption\r\n\r\nThe same structured artifacts (STIX bundles, ATT&CK layers, IOC/CVE objects) power all views \u2014 different analytical lenses from shared data, not isolated widgets. A brief visual walkthrough shows the end-to-end flow from URL submission to structured intelligence.\r\n**MCP: Making CTI Actionable for AI Agents**\r\nStructure alone is not enough \u2014 intelligence must be accessible where decisions are made. This section introduces the Model Context Protocol (MCP) server built for TI Mindmap HUB, which exposes structured CTI as native tool calls for AI copilots and agents:\r\n\r\n- Report discovery and deep-dive \u2014 search, filter, and retrieve processed intelligence artifacts directly from a chat interface\r\n- IOC pivoting \u2014 \"where else was this indicator seen?\" as a single tool call\r\n- STIX bundle retrieval \u2014 portable intelligence packages ready for TIP/SOAR/SIEM integration\r\n- Article submission \u2014 trigger the full processing pipeline from conversation context\r\n\r\nThis transforms CTI from a static product into a conversational operations layer. 
The MCP server implements secure API key + OAuth authentication, making it ready for both human analysts and autonomous agent workflows.\r\n**Toward Knowledge Graphs: The Research Horizon**\r\nWith STIX bundles as building blocks, the next research frontier is LLM-inferred cross-report relationships \u2014 connecting entities across dozens of reports to build a threat intelligence knowledge graph that reveals patterns invisible in individual analyses. The speaker briefly outlines this ongoing research direction and its implications for strategic CTI.\r\n**Closing**\r\nTI Mindmap HUB is an independent research project exploring the intersection of Generative AI and Cyber Threat Intelligence. It is not a product and not affiliated with any employer or commercial entity. The speaker actively seeks collaboration from the CTI research and practitioner community.", "recording_license": "", "do_not_record": false, "persons": [{"code": "FDBKEC", "name": "Antonio Formato", "avatar": "https://pretalx.com/media/avatars/CXGDHV_kdPVKts.webp", "biography": "Antonio Formato is a Senior Cybersecurity Solution Engineer at Microsoft, where he leads technical engagements on security platforms including Defender XDR, Sentinel, and Defender for Cloud for enterprise and public sector customers across EMEA. With 18+ years of experience in cybersecurity, he advises CISOs and security teams on Zero Trust strategies, multi-cloud security posture, and secure AI adoption.\r\nOutside his professional role, Antonio is an independent researcher exploring the intersection of Generative AI and Cyber Threat Intelligence. He is the creator of TI Mindmap HUB, an AI-powered research platform that automates the transformation of unstructured threat reports into structured, machine-readable intelligence using LLMs and the STIX 2.1 standard. 
He is co-author of an academic paper on automated STIX 2.1 bundle generation currently under peer review, and collaborates with the University of Salerno as co-advisor on cybersecurity thesis projects.\r\nAntonio is a regular speaker at security conferences including RomHack, HackInBo, BSides Athens, and ITASEC. His independent research is open to community collaboration at ti-mindmap-hub.com.\r\nTI Mindmap HUB is a personal, independent research project, not affiliated with any employer or commercial entity.", "public_name": "Antonio Formato", "guid": "2127f7d7-9618-5fad-828b-ff45e6b0ec98", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/FDBKEC/"}], "links": [{"title": "GitHub Repo: TI Mindmap HUB is an independent research project exploring the application of Generative AI to Cyber Threat Intelligence (CTI) workflows.", "url": "https://github.com/TI-Mindmap-HUB-Org/ti-mindmap-hub-research", "type": "related"}], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/Z8EPNM/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/Z8EPNM/", "attachments": []}, {"guid": "c8a2bbab-02ea-5c41-871c-12b57227eeaf", "code": "LL9LUX", "id": 84867, "logo": null, "date": "2026-05-07T14:45:00+02:00", "start": "14:45", "duration": "00:35", "room": "IFEN room 1, Workshops and Detection Engineering village (Building D)", "slug": "bsidesluxembourg-2026-84867-not-so-harmless-the-hidden-world-of-linux-packers-and-detection-challenges", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/LL9LUX/", "title": "Not So hARMless: The Hidden World of Linux Packers and Detection Challenges", "subtitle": "", "track": "Actionable CTI and detection engineering village", "type": "Talk", "language": "en", "abstract": "Linux packers and loaders represent a blind spot in modern cybersecurity defenses.\u00a0By compressing, encrypting, and obfuscating executable code, these tools enable fileless, in-memory execution that bypasses traditional detection mechanisms 
entirely.\r\nThis presentation dissects the hARMless ARM64 ELF packer/loader to reveal sophisticated evasion techniques: multi-layer page encryption, CRC32 integrity verification, and direct ARM64 syscall invocation. We expose critical security gaps where EDR solutions lack Linux visibility, static analysis fails against packed payloads, and memory-resident execution defeats forensic recovery. The bad news? Traditional EDR solutions are practically blind on Linux, static analysis can't keep up with modern packers, and memory-only execution makes forensics a nightmare. The good news? Well...let's see it together", "description": "This presentation examines Linux malware packers and loaders as sophisticated evasion techniques that pose significant challenges to modern cybersecurity defenses. Malware packers compress, encrypt, and obfuscate executable code, while loaders execute the original malware directly in memory, enabling fileless execution that bypasses traditional detection mechanisms. The research includes a case study of the Lazarus APT group's ThreatNeedle malware, demonstrating real-world implementation of multi-stage deployment with in-memory execution capabilities. A practical analysis of the hARMless ARM64 ELF packer/loader system illustrates key technical components including multi layer encryption, CRC32 integrity verification, and direct ARM64 syscall implementation. The presentation reveals critical security implications: traditional EDR solutions have significant detection gaps on Linux systems, static analysis proves insufficient against packed malware, and memory-based execution complicates forensic analysis. Defensive strategies require implementing syscall-level monitoring, deploying behavioral analysis capabilities, and maintaining comprehensive logging for effective threat detection and response. 
Attendees will understand how modern malware evades detection and discover practical defensive strategies including syscall-level monitoring, behavioral analysis, and comprehensive logging for effective threat detection and response.", "recording_license": "", "do_not_record": false, "persons": [{"code": "SU38N8", "name": "Massimo Bertocchi", "avatar": "https://pretalx.com/media/avatars/SU38N8_hunrnvf.webp", "biography": "Massimo Bertocchi is a Threat Hunter and Detection Engineer based in Z\u00fcrich, specializing in advanced malware analysis, covert channel research, and offensive security tooling. He holds dual Master's degrees in Cybersecurity from KTH Royal Institute of Technology (Stockholm) and Aalto University (Finland), where his thesis on Microsoft Teams covert channels received international recognition and was subsequently published by Compass Security.\u200b His groundbreaking research identified and exploited multiple covert C2 channels within Microsoft Teams (achieving exfiltration rates up to 90KB/s) demonstrating critical vulnerabilities in cloud-based business communication platforms that bypass traditional network monitoring. 
This work represents the first comprehensive analysis of covert channels in enterprise collaboration tools and has influenced detection strategies across the industry.", "public_name": "Massimo Bertocchi", "guid": "719461d9-03fb-5945-8114-c6ba492ead80", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/SU38N8/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/LL9LUX/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/LL9LUX/", "attachments": []}, {"guid": "6023d3dd-df9c-505f-b1aa-529814f5fe67", "code": "JRZGUH", "id": 84864, "logo": null, "date": "2026-05-07T15:40:00+02:00", "start": "15:40", "duration": "00:40", "room": "IFEN room 1, Workshops and Detection Engineering village (Building D)", "slug": "bsidesluxembourg-2026-84864-goodbye-purple-team-hello-purple-bots", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/JRZGUH/", "title": "Goodbye Purple Team, Hello Purple Bots", "subtitle": "", "track": "Actionable CTI and detection engineering village", "type": "Talk", "language": "en", "abstract": "Security teams no longer need to manually configure and perform purple team exercises. It is possible to automate and orchestrate all this flow with a combination of automation and artificial intelligence.\r\n\r\nPowered by n8n, Elastic, Caldera, TheHive, and LLMs, this orchestration requires zero manual effort after launch. It continuously fetches and updates APT profiles, executes attack techniques, and analyzes detection logs in the alerting system. If a technique is not detected the system checks SIEM logs, if the activity is logged, it suggests a Sigma use case. If both detection and logging are absent, the system recommends configuration adjustments to ensure future visibility.\r\n\r\nIn addition, security teams no longer need to manually perform Threat profiling to select the correct adversary TTPs. 
The system analyzes the target organization\u2019s landscape and intelligently suggests the most relevant APT attack scenarios, or allows users to select one.\r\n\r\n The final output is a comprehensive report detailing the detection rate, logging rate, technique descriptions, and recommendations to enhance visibility by suggesting new Sigma rules and refining logging configurations.\r\n\r\nThis is not just another attack simulation tool, it\u2019s a scalable and flexible AI-driven automation workflow that can be adapted depending on the technologies in your environment while continuously optimizing detection, helping defenders stay ahead of evolving threats.", "description": "AI and automation are powerful technologies that can be leveraged to enhance both offensive and defensive security strategies. This talk unveils a fully automated, AI-driven purple teaming Proof of Concept framework that simulates real-world APT attacks, evaluates detection capabilities, and enhances security defense, all in real time.\r\n\r\nJoin us as we unveil the next frontier of AI-driven adversary simulation framework, where offense and defense merge into an intelligent, automated cycle of continuous security enhancement.", "recording_license": "", "do_not_record": false, "persons": [{"code": "WHMGFD", "name": "Patrick Mkhael", "avatar": "https://pretalx.com/media/avatars/WHMGFD_pJneoyM.webp", "biography": "Currently leading the Offensive Security R&D at Hacknowledge SA and a member of the offensive security team. Coming from a blue team background, I transitioned to the red side, focusing on offensive tool development, cloud penetration testing, and purple teaming. 
With expertise in both attack and defense, I work on advancing adversary emulation, bypassing detection techniques, and automated security assessments.", "public_name": "Patrick Mkhael", "guid": "edbecb09-27a6-5bcc-b9a2-d5e9548fe49e", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/WHMGFD/"}, {"code": "X9QCJN", "name": "Ralph El Khoury", "avatar": "https://pretalx.com/media/avatars/DU9BPB_jPrMJwh.webp", "biography": "Red teamer. CVE hunter. AD / WEB Apps destroyer. Dad. Teaches kids to question everything starting with default credentials.", "public_name": "Ralph El Khoury", "guid": "b04f1cb3-a5aa-582a-acf5-48f43834c311", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/X9QCJN/"}], "links": [{"title": "Presentation", "url": "https://docs.google.com/presentation/d/17vYUiEbSEt5L05LFv9q1GDsx4x4o24xE/edit?usp=sharing&ouid=115776622804364734079&rtpof=true&sd=true", "type": "related"}], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/JRZGUH/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/JRZGUH/", "attachments": []}, {"guid": "5bcaa265-f28e-506c-86a5-cda40cff65c7", "code": "PWCYXA", "id": 92380, "logo": null, "date": "2026-05-07T16:20:00+02:00", "start": "16:20", "duration": "00:40", "room": "IFEN room 1, Workshops and Detection Engineering village (Building D)", "slug": "bsidesluxembourg-2026-92380-ferrari-without-fuel-exorcise-gigo-out-of-logs-management", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/PWCYXA/", "title": "Ferrari without fuel: Exorcise GIGO out of Logs Management", "subtitle": "", "track": "Actionable CTI and detection engineering village", "type": "Talk", "language": "en", "abstract": "Many SOCs invest into powerful Risk&AI-based tools to generate and classify their alerts to \"**clear-out the noise**\" and **pin-point actual \"value\" out of the massive amount of data** they collect. 
It is not a secret that nowadays we're collecting on SIEM more data than we'd ever thought possible decades ago, **most of which are of no real operational relevance**. Some even say \"SOC is dead\" as this model isn't humanly bearable. Some also offer flashy magic wands that may solve all these issues in a painless plug&play way, while at the same time magically reducing cost (or not).\r\nWhat's the solution, then? **Agentic-AI? Data Lakes? Cloud-first?** All valuable solutions, but there's **something we can also do upstream**: _On top of trying to clean a dirty river, decrease its source pollution_.\r\n\r\nThis approach allows also to **mitigate a lesser known risk, yet very serious**: **_unknown unknowns in data collection_**. In the same way alert-fatigue is correlated with False Positives figures/ratio, most CyberSecurity departments focus on the unsustainability of telemetry volumes and forget about False Negatives, hence the **useful logs you should be collecting but don't know you don't have**. _Caring for your car's longevity / performances means also not assuming any fuel would do and hope for the best_.\r\n\r\nOur solution: **Governance and Data Quality**. It's not a coincidence that NIST recently added this as a new pillar into its CSF. With the \"**Identify**\" pillar you get \"informed\" decision, yet it's \"Governance\" that gives the \"**deliberate**\" element on what to collect, why, and if it's enough. Having no Logging Data-Compliance framework, or having one that doesn't take into account **business values** (e.g. 
BIA, crown-jewels, investments) ultimately results in **building Security Monitoring on sand**, or focusing in scopes that are so narrow that only security may benefit from it, fueling the \"working in silos\" approach and goes against the \"holistic observability\" and \"management buy-in\" elements.", "description": "**Why this talk**\r\nHow many times have you been asked to onboard logs on a SIEM just by \"opening the flows\", without any validation? Or even develop alerts on already provided logs without questioning them? Has any PenTest or Red Team exercise highlighted that you had no visibility (let alone alerting) over certain actions, despite \"you had the logs\"? Have you ever seen a truncated log or one coming from the future? Or a logout without its previous login?\r\n\r\nNowadays, there is no golden standard for baseline or maturity assessments on log collection / coverage, except a few governmental exceptions (e.g. OMB M-21-31) or highly prescriptive yes/no audit-level compliance frameworks that don't meet the granular level needed to \"plug\" logging and detection/analysis seamlessly (e.g. NIST SP 800-53 AU Family). This is the same from developers' \"**Security by Design**\" perspective, where best practices exist for narrow scopes but may not be ultimately enforced (e.g. OWASP Logging Cheat Sheet).\r\n\r\nHistorically, \"security\" has often been treated as an elite craft and a compliance checkbox - fertile ground for buzzwords and \"magic wand\" tooling narratives. Our experience is that every time the solution is \"just a new tool\" an analyst dies (joke intended; right?). \"Magic wands\" do not exist. A tool can help, but it cannot replace understanding: normal vs. corner cases, environment constraints, and informed decisional context.\r\nThis matters because the industry repeatedly shows that SIEM programs are fragile in practice: expensive volumes ingestion, yet broken detections, missing fields, parsing issues, and alerts overload. 
\r\n\r\n**Our thesis: \"shift-left\" inside the SOC**\r\nInstead of starting from \"alerts\" and hoping SOAR + AI/LLMs will fix the rest (sometimes scaling more confusion than value), we shift-left by making upstream telemetry complete, useful, and normalized - the foundations of reliable detection engineering. We do so by enforcing a \"Compliance Data Model\" that is both the output of SIEM engineers and the input for Detection Engineers, a meeting point to build Use Cases on even when you don't have the logs (yet), and SIEM-vendor-agnostic.\r\n\r\nWe will deep-dive into:\r\n\u2022 **Logs Management as a discipline / requirement**: end-to-end process of collecting, storing, processing/normalizing, **validating**, and monitoring log data, ultimately making sure \"**it represents reality**\" - as opposed to the common \"hydrant approach\" of indiscriminately turning on a firehose of logs and assuming the job is done (e.g. \"I\u2019ve opened the flow. Are you getting some logs now? Yes? Great, we\u2019re done\").\r\n\u2022 **Security Monitoring as a practice that is highly dependent on Logs Management**, either in its automated form (Use Case Management, UBA, etc.) and/or in its manual one (\"free-dive\" or Hypothesis-based Threat Hunting, etc.), regardless of the framework you may be using (e.g. OpenTide, MITRE, FI-ISAC NL MaGMa).\r\n\u2022 **Visibility Depth vs Width**: many environments feel \"well integrated and monitored\" simply because a type of logs is collected from all hosts, but when laying out a matrix of which other logs are collected from where, and if they're normalized, a clear \"**wide-but-shallow**\" image shows up, and suddenly nobody agrees what \"critical app alerting\" means without app owners at the table.\r\n\u2022 **Bridging the gap - Log Schema vs. Policy**: Deciding what to log (a logging policy) is just as important as how to structure it (a data schema / taxonomy). 
Many teams adopt common schemas like **Splunk CIM, OCSF, Elastic ECS, Microsoft ASIM**, etc. to **normalize** fields, which is important and ensures consistency, but they **cannot be used alone to audit visibility gaps**. If you never send a particular log type to your SIEM, the schema won\u2019t complain, and even if you count the number of success/failures or logs with \"username\" or other fields, the **Logging Policy** (and thus upstream checks) is still needed to **set expectations** and **understand what is normal vs. anomalous.**\r\n\r\nUseful resources for companies to draft their own Logging Policy are:\r\n\u27a4 **Prescriptive Standards**: **OMB M-21-31** (U.S. federal logging requirements, which explicitly lists log categories and retention periods agencies must collect for each security tier), **NIST SP\u00a0800-53** (Audit & Accountability controls, that mandates specific events that systems must log as a baseline), and **CIS Critical Security Controls** (especially Safeguard\u00a08.2, enumerating essential logs to collect to support security monitoring).\r\n\u27a4 **Threat-Informed Frameworks**: **MITRE ATT&CK** provides a matrix of **data sources** needed to detect various adversary techniques at a high level. MITRE\u2019s open-source DeTT&CT can help score your log coverage. Even SIGMA rules include a \"logsource\" definition as requirement, although very high-level. CTI-based frameworks like Drago's CMF (Collection Management Framework). If you have an Attack Range Lab, more technical resources from PenTesters / Red-Teamers can be leveraged, like Atomic Red Team, testing techniques and adjusting logs verbosity up until meaningful activity is logged.\r\n\u27a4 **Application Layer Logs**: Logging isn\u2019t just an IT operations concern; it starts with developers. 
We reference the **OWASP Logging Cheat Sheet** (and similar app-security guidance) which outlines what security-relevant events applications should generate - for example, input validation failures, authentication successes/failures, and access control violations. This highlights that effective logging requires collaboration between the Security/SOC and development teams (not just red&blue teams).\r\n\u27a4 **Business Context**: Above compliance standards and threat frameworks are inherently generic. They assume all servers, applications, and data are equally important, or they focus solely on the likelihood of an attack. What they completely miss is the Business Impact (e.g. BIA - Business Impact Analysis, FAIR - Factor Analysis of Information Risk) - which is the exact language the Board of Directors (BoD) speaks. Each organization should craft a Logging Policy/Framework tailored to its unique context - considering its business model, \"crown jewel\" assets, regulatory requirements, and mix of IT vs. OT systems. For example, onboarding and normalizing upfront logs that grant visibility over a big project could provide Exploratory Data Analysis (EDA) capabilities and even give the opportunity to spot issues or misconfigurations before they happen, bringing unexpected added-value / ROI to top management and ultimately granting stronger mandates and economics internally in the organization (e.g. \"We noticed 40% of users are dropping off at this specific transaction point because of a backend timeout, impacting revenues\" or \"There is a misconfiguration causing the app to query the database 50 times per second per user, increasing API costs\"). Bringing those findings to management means transitioning Security from a \"cost center\" to a \"business enabler\", providing QA and operational intelligence, not just blocking hackers.\r\n\r\n\r\n**Disclaimer**\r\nWe acknowledge that not every organization can overhaul its logging overnight - real-world constraints exist. 
The session emphasizes incremental improvement and trade-offs, helping each attendee identify a few high-impact \"logging wins\" they can pursue back at work. We\u2019re not promising a silver bullet (that would go against the entire premise!); instead, attendees will leave with fresh perspectives and actionable frameworks to gradually turn their own \"Ferrari\" into a well-fueled security machine.", "recording_license": "", "do_not_record": false, "persons": [{"code": "Q8VGCY", "name": "Stefano Amodio", "avatar": null, "biography": "SOC Team Leader and hard-worker, with a decade of experience among ISP, MSSP and Internal SOC.\r\n[SANS/GIAC GSOM Certified](https://www.giac.org/certified-professional/Stefano-Amodio/229475)", "public_name": "Stefano Amodio", "guid": "5f7ef909-3085-5323-bad3-801c4b789a95", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/Q8VGCY/"}, {"code": "QCKQS8", "name": "Elliot Parsons", "avatar": "https://pretalx.com/media/avatars/DQS3BT_s4I9EMH.webp", "biography": "Elliot is a cyber threat intelligence consultant at AmeXio. He is from New Zealand with a background in Financial Services, Technology Services and Government organisations. 
His expertise is in threat intelligence, threat hunting, reverse engineering, malware analysis, and incident response.", "public_name": "Elliot Parsons", "guid": "6b461919-a688-5a88-b5b4-69cda1687e09", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/QCKQS8/"}], "links": [{"title": "OWASP Logging Cheat Sheet", "url": "https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html", "type": "related"}, {"title": "NIST SP 800-53, Revision 5 - AU: Audit and Accountability - Logging Compliance", "url": "https://csf.tools/reference/nist-sp-800-53/r5/au/", "type": "related"}, {"title": "NSA's Best Practices for Event Logging & Threat Detection", "url": "https://cybersecuritynews.com/best-practices-for-event-logging-threat-detection/", "type": "related"}, {"title": "CISA / OMB M-21-31 Logging Compliance", "url": "https://docs.cloud.gov/platform/compliance/m-21-31-compliance/", "type": "related"}, {"title": "Drago's Collection Management Framework (CMF) - Methodology for prioritizing and managing information sources in cyber threat intelligence", "url": "https://dragos.brightspotcdn.com/25/7d/1b77156441439a1914f82867af21/collection-management-frameworks-for-ics-12-18.pdf", "type": "related"}, {"title": "GIGO - Garbage IN, Garbage OUT", "url": "https://en.wikipedia.org/wiki/Garbage_in,_garbage_out", "type": "related"}, {"title": "Elastic.co on OMB M-21-31 Logging Compliance", "url": "https://www.elastic.co/blog/m-21-31-logging-compliance-challenges", "type": "related"}, {"title": "Florian Roth on wide-but-shallow visibility", "url": "https://www.linkedin.com/posts/floroth_just-built-a-demo-monitoring-matrix-for-activity-7426163713130377216-18t1/", "type": "related"}, {"title": "SOC is Dead - AI is rewriting CyberSecurity (ITA)", "url": "https://www.redhotcyber.com/post/il-soc-e-morto-lintelligenza-artificiale-sta-riscrivendo-la-cybersecurity/", "type": "related"}, {"title": "SANS Hybrid Data Collection Strategy", "url": 
"https://www.sans.org/posters/detection-engineering", "type": "related"}], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/PWCYXA/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/PWCYXA/", "attachments": []}, {"guid": "cf29cf9e-1238-55c3-8ef6-859322b995f5", "code": "C93MZK", "id": 88370, "logo": null, "date": "2026-05-07T17:00:00+02:00", "start": "17:00", "duration": "00:40", "room": "IFEN room 1, Workshops and Detection Engineering village (Building D)", "slug": "bsidesluxembourg-2026-88370-the-whistles-go-woo-woo-siem-alerts-threat-detection-and-tuning-unnecessary-noise", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/C93MZK/", "title": "The whistles go woo woo: SIEM alerts, threat detection and tuning unnecessary noise", "subtitle": "", "track": "Actionable CTI and detection engineering village", "type": "Talk", "language": "en", "abstract": "Security teams don't miss alerts because they don't care, they miss them because their SIEM never shuts up. Alerts fire constantly, at the wrong time, for expected behavior, until everything starts to sound the same. At some point, it's no longer an alarm. It's just noise.\r\n\r\nThis talk starts with a simple idea: when an alert fires matters just as much as what it detects. Like a whistle blaring at 2 a.m., many detections technically work, but fail operationally because they lack timing, throttling, or basic context. Alerts trigger during business hours, outside meaningful windows, or so often that everyone learns to ignore them.\r\n\r\nUsing practical examples, we'll look at common alerting mistakes, why \"more alerts\" doesn't mean better security, and how small changes, such as throttling, prioritization, and temporal context, can dramatically reduce noise.\r\n\r\nFrom there, we'll walk through what alerts actually matter across application, network, Active Directory, and DNS telemetry, and how to design them so they fire when someone should actually care. 
The goal isn't silence, it's a SIEM that acts like an alarm clock, not a whistle that goes \u201cwoo woo\u201d all night.", "description": "When the whistles go woo woo:\r\nI typically like to start my presentation with a short story, a news article or some known fact and correlate it to the main topic.\r\n\r\nIn the early 2000s, residents in Seattle started complaining about a strange problem: cars driving through neighborhoods late at night, fitted with exhaust whistles so loud they could wake an entire block. \r\nWhen asked about the noise, one explanation stuck: the whistles go \"woo woo\"\u2026 but only in the morning. The noise wasn\u2019t dangerous, but it was constant, badly timed, and impossible to ignore.\r\nTwenty years later, many security teams are dealing with the same problem, just with SIEM alerts instead of cars. If this feels familiar, it should. Many SIEMs do the exact same thing: alerts firing constantly, without timing or context, until everything sounds urgent and nothing actually is.\r\n\r\nWait, what are we doing here?\r\nBrief explanation of contextual alerting for SIEM implementations.\r\n\r\nDrawing parallels:\r\nNoisy SIEMs vs The Whistles\r\n\r\nOkay but how does SIEM obtain data:\r\nLog collection and aggregation\r\n\r\nHow do I know what I want my SIEM to alert me on?\r\nKnowing what you want your SIEM to alert on starts with understanding what actually requires action. Alerts are not meant to document everything that happens in an environment, they exist to interrupt you when something needs attention. 
If an alert does not change a decision, a response, or a priority, it probably does not need to exist.\r\n\r\n\t- Unusual or anomalous behavior\r\n\t- Known IOCs\r\n\t- Signs of Privesc or lateral movement\r\n\t- Indicators of Data exfil\r\n\t- Repeated or unsuccessful actions.\r\n\t- Unusual application activity\r\n\t- Endpoint behavior\r\n\t- Compliance violations\r\n\t- Threat hunting\r\n\t\r\n\r\nWhen alerts stop being alerts:\r\n\r\n\t\u2022 Alerts aren't ignored because analysts are lazy\r\n\t\u2022 They\u2019re ignored because everything fires\r\n\t\u2022 When every event is \"urgent\" nothing actually is\r\n\t\u2022 Noise trains people to stop reacting.\r\n\t\u2022 American Horror Story: MSSP - sharing a story of when I worked for an MSSP and I saw some awful things with SIEM alerting.\r\n\r\nTiming Matters More Than You Think\r\n\t\u2022 Alerts without time context are misleading\r\n\t\u2022 Expected behavior during business hours \u2260 malicious at 3 a.m.\r\n\t\u2022 The same signal can mean very different things depending on when it happens\r\n\r\nKey learning:\r\nWhen an alert fires is part of the detection logic, not an afterthought.\r\n\r\nThrottle the noise before you add more alerts\r\n\t\u2022 Repeated alerts for the same behavior don't increase security\r\n\t\u2022 They just increase annoyance\r\n\t\u2022 Throttling prevents the SIEM from screaming about the same thing every five minutes\r\n\r\nExamples: \r\n\t\u2022 \"Alert once per user per time window\"\r\n\t\u2022 \"Suppress repeats unless behavior changes\"\r\n\t\u2022 \"Escalate only if it keeps happening\"\r\n\r\n\r\nContext turns noise into signal\r\n\t\u2022 Raw events is not the same as actionable alerts\r\n\t\u2022 Alerts need:\r\n\t\t\u25cb user context\r\n\t\t\u25cb system role\r\n\t\t\u25cb expected behavior\r\n\t\t\u25cb related activity\r\nWithout context:\r\nEverything looks suspicious.\r\nWith context:\r\nYou know what actually matters.\r\n\r\n\r\nDesigning your SIEM 
alerts:\r\n\t- Focus on high risk scenarios\r\n\t- Tune alerts over time\r\n\t- Use correlation rules\r\n\t- Threat intelligence is your bestie\r\n\t- Context is key\r\n\r\n\r\nAlert prioritization:\r\n\r\nAlert prioritization isn't about deciding what\u2019s \"important\" on paper, it's about deciding what deserves attention right now. When everything is marked high priority, teams stop trusting the system. Good prioritization accepts that not all alerts are equal, and that urgency depends on timing, context, and impact. A SIEM that understands this doesn't shout, it speaks when it actually matters.\r\n\t- Critical:  Imminent high impact threat such as ransomware or a data breach.\r\n\t- High: Potential impact on core business operation or sensitive systems and direct evidence of malicious activity.\r\n\t- Medium: Unusual activity that could potentially be a threat\r\n\t- Low: Minor issue, security violation or potential false positive.\r\n\r\n\r\nWhat logs do I need?\r\n\r\nDeciding what logs you need is not about collecting everything, it is about collecting what helps you answer questions later. Logs should support detection, investigation, and response, not just exist for visibility. When logging is intentional, alerts become easier to design and noise becomes easier to control.\r\n\r\n1. Windows Logs\r\n2. Network Logs\r\n4. Endpoint Detection and Response (EDR) Logs\r\n5. Identity and Authentication Logs\r\n6. Threat Intelligence Logs\r\n7. Compliance and Audit Logs\r\n\r\n\r\nScrum for SIEM maintenance:\r\n\r\nKnowing what you want your SIEM to alert on is not a one time decision, it is an ongoing process. Environments change, attackers change, and so does what actually deserves attention. Treating SIEM maintenance like a sprint forces teams to regularly ask what worked, what created noise, and what genuinely helped detect risk. 
Instead of reacting to every alert, the focus shifts to continuously refining what is worth waking someone up for.\r\n\r\n\t- Define your scrum team (owner, scrum master and development team. Yes, it all applies even if it's not a software development environment).\r\n\t- Create a \"product backlog\" (actionable items).\r\n\t- Sprint planning (high risk priority tasks).\r\n\t- Daily stand ups (share updates).\r\n\t- Sprint Review (showcase deliverables).", "recording_license": "", "do_not_record": false, "persons": [{"code": "GNUZAA", "name": "Melina Phillips", "avatar": "https://pretalx.com/media/avatars/GNUZAA_a02tuoj.webp", "biography": "Melina Phillips is an Offensive Security Engineer with a background in Security Operations and Incident Detection. She has over ten years of IT experience and six years working directly in cybersecurity, blending hands on blue team work with her current focus on adversary simulation and endpoint compromise.\r\n\r\nHer recent talks have been featured at Bsides Cambridge, Security Fest, BruCon, LeHack, HackLu and BlackAlps. She's known for making complex technical concepts accessible without watering them down, and for delivering practical insights grounded in real world attack and defense experience. She strongly believes that Linux security doesn\u2019t have to be presented in a boring way, and that technical depth and creativity can (and should) coexist.\r\n\r\nOutside of breaking into infrastructure and chasing down Linux threats, she's usually at CrossFit or playing with makeup, ideally not at the same time.", "public_name": "Melina Phillips", "guid": "a211d951-7864-5beb-b092-8be6e8fb04ee", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/GNUZAA/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/C93MZK/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/C93MZK/", "attachments": [{"title": "Presentation draft. 
It's in progress and it will be heavily improved.", "url": "/media/bsidesluxembourg-2026/submissions/C93MZK/resources/whis_jqtDedU.pdf", "type": "related"}]}, {"guid": "c408b37c-8cfc-5023-977b-d4f3b3aba1f4", "code": "QJN3VK", "id": 88181, "logo": null, "date": "2026-05-07T17:40:00+02:00", "start": "17:40", "duration": "00:30", "room": "IFEN room 1, Workshops and Detection Engineering village (Building D)", "slug": "bsidesluxembourg-2026-88181-from-manual-hunt-to-mass-detection-weaponising-nuclei-against-phishing", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/QJN3VK/", "title": "From Manual Hunt to Mass Detection: Weaponising Nuclei Against Phishing", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "Phishing is still the dominant attack vector, but detecting malicious sites at scale is difficult. This talk shows how open-source automation can make phishing detection fast and proactive. Using real examples from 200+ Nuclei templates, attendees will learn detection methods, template creation, and practical threat intelligence and OSINT use cases.", "description": "Phishing remains the dominant attack vector, yet detecting malicious sites at scale continues to challenge security teams. This talk demonstrates how open-source automation can transform phishing detection from a manual, reactive process into a scalable, proactive capability.\r\n\r\nI developed and contributed 120+ phishing detection templates to the Nuclei project, enabling security teams worldwide to identify phishing sites impersonating major brands across thousands of hosts in seconds. 
In this session, I want to share this technique with attendees, covering the detection methodology, template creation, and practical applications for threat intelligence and OSINT research.\r\n\r\nA live demonstration will showcase the approach in action, and attendees will leave with the knowledge to build their own detection capabilities using freely available tools.", "recording_license": "", "do_not_record": false, "persons": [{"code": "BUFJAD", "name": "Rishi (@rxerium)", "avatar": "https://pretalx.com/media/avatars/BUFJAD_qqqayWL.webp", "biography": "Rishi is a London-based security researcher with experience in vulnerability research, threat intelligence, and enterprise risk analysis. His work focuses on identifying zero-day vulnerabilities and emerging CVEs, with a particular interest in building detection logic before threats are publicly weaponised.\r\n\r\nHe works across both offensive and defensive disciplines, developing threat models grounded in real-world TTPs, writing detection rules, and automating reconnaissance to uncover exposed assets at scale. 
Attack surface management and OSINT are areas he keeps coming back to, specifically the challenge of mapping exposure that organisations often don't know exists.\r\n\r\nOutside of his day job, Rishi contributes to open source security tooling through Project Discovery and OWASP, part of the leadership team of the UK OSINT Community, and occasionally speaks at community events including DEF CON and BSides.", "public_name": "Rishi (@rxerium)", "guid": "4be79509-3cad-5d2b-9d1f-22a7480e5578", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/BUFJAD/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/QJN3VK/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/QJN3VK/", "attachments": []}], "IFEN room 2, Workshops and AI Security Village  (Building D)": [{"guid": "746d2514-7cb9-5ddf-a227-01d236d4f09a", "code": "Q7CEUD", "id": 92446, "logo": "https://pretalx.com/media/bsidesluxembourg-2026/submissions/Q7CEUD/image_s8htaua.webp", "date": "2026-05-07T09:00:00+02:00", "start": "09:00", "duration": "00:35", "room": "IFEN room 2, Workshops and AI Security Village  (Building D)", "slug": "bsidesluxembourg-2026-92446-ai-and-cryptography-for-evasive-malware", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/Q7CEUD/", "title": "AI and Cryptography for Evasive Malware", "subtitle": "", "track": "AI Security Village", "type": "Talk", "language": "en", "abstract": "As AV/EDR systems evolve to detect behavioral anomalies, offensive tradecraft must adapt beyond static obfuscation. This talk explores the convergence of Artificial Intelligence and advanced Cryptography in the development of next-generation evasive malware. 
We will move past traditional packing techniques to examine how lightweight LLMs and cryptographic primitives can be integrated directly into the malware lifecycle.\r\n\r\nYou will gain insight into:\r\n- AI-Driven Polymorphism: Utilizing embedded or cloud-based AI agents to dynamically rewrite logic and variable structures at runtime, rendering signature-based detection obsolete.\r\n- Cryptographic Context-Awareness: Implementing environmental keying and mathematical \"logic locking,\" where payloads remain cryptographically sealed until specific environmental conditions (verified by AI logic) are met.\r\n- Entropy Reduction: Techniques to make encrypted payloads statistically indistinguishable from benign data or natural language using AI-generated steganography.\r\n\r\nThis talk bridges the gap between theoretical mathematics and practical weaponization, demonstrating how free, open-source AI models can be weaponized for stealth, and conversely, how defenders can prepare for the age of \"thinking\" malware.", "description": "Modern EDR and XDR solutions have moved the goalposts. Static signatures are a relic of the past; today\u2019s fight is against behavioral telemetry and ML-driven heuristics. To survive on a target host, offensive tradecraft must evolve. This practice-oriented talk demonstrates how the convergence of Artificial Intelligence and non-standard Cryptography creates a \"thinking\" malware capable of adapting to Windows, Linux, and macOS environments.\r\n\r\nWe move beyond simple packing to explore a specialized Adversarial Dev Loop. By integrating lightweight LLMs and rare cryptographic primitives (Skipjack, Speck, Mars, Lucifer, Camellia), we demonstrate how to build malware that interviews its environment before revealing its true nature.\r\n\r\nWhat you will learn through live demos and code analysis:\r\n- The AI-Mutator Loop: How to use local AI agents to perform automated source-level polymorphism. 
I will demonstrate C/C++ code that rewrites its own logic, variable structures, and API resolution patterns for every new \"build,\" making hash-based and static ML detection impossible.\r\n\r\n- Cross-Platform Residency: A deep dive into modern persistence - from macOS Dylib hijacking and WatchPaths to Linux eBPF-based hooks and Windows service subversion - all protected by Environmental Keying. I will show how payloads remain cryptographically sealed until AI-logic verifies the \"DNA\" of the target machine.\r\n\r\n- Rare Crypto vs. Entropy Scanners: Why standard AES/ChaCha20 is a red flag. We will implement \"forgotten\" algorithms to bypass entropy-based detection and show how to use AI to generate \"Natural Language Steganography\" - hiding exfiltrated data inside AI-generated text that passes through Deep Packet Inspection (DPI) unnoticed.\r\n\r\n- Breaking the Sandbox: Real-world examples of AI-driven sandbox detection. We demonstrate implants that exhibit \"benign mimicry\" when a virtualization artifact is detected, effectively poisoning the training data of automated sandboxes.\r\n\r\nThis talk isn't about theoretical future threats; it's about the weaponization of free, open-source AI models available today. Whether you are a Red Teamer looking to bypass top-tier EDRs or a Blue Teamer trying to understand the next wave of \"smart\" malware, you will leave with the C/C++ PoCs and forensic insights needed to operate in the age of the thinking malware.", "recording_license": "", "do_not_record": false, "persons": [{"code": "37BGJD", "name": "cocomelonc", "avatar": "https://pretalx.com/media/avatars/EFXL9W_coZtU9H.webp", "biography": "cybersecurity enthusiast, author, speaker and mathematician. 
Author of popular books:\r\nMD MZ Malware Development Book (Github, 2022, 2024)\r\nMALWILD: Malware in the Wild Book (Github, 2023)\r\nMalware Development for Ethical Hackers Book: (Packt, 2024)\r\nAIYA Mobile Malware Development Book (Github, 2025)\r\nMalware Development for Ethical Hackers 2nd edition (Packt, 2026, in progress)\r\nAuthor and tech reviewer at Packt.\r\nCo founder of various cybersecurity research labs, author of many cybersecurity blogs, HVCK magazine\r\nMalpedia contributor\r\nSpeaker at BlackHat, DEFCON, Security BSides, Arab Security Conference, Hack.lu, Positive Hack Talks, etc conferences", "public_name": "cocomelonc", "guid": "f30e2acf-1aad-5428-b435-083886fb9b86", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/37BGJD/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/Q7CEUD/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/Q7CEUD/", "attachments": []}, {"guid": "a013d8dd-86d3-585c-aa8e-dafc5e60103b", "code": "CDJP3Z", "id": 85259, "logo": null, "date": "2026-05-07T09:35:00+02:00", "start": "09:35", "duration": "00:40", "room": "IFEN room 2, Workshops and AI Security Village  (Building D)", "slug": "bsidesluxembourg-2026-85259-death-by-pickle-python-s-betrayal-ml", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/CDJP3Z/", "title": "Death By Pickle: \"Python's Betrayal ML\"", "subtitle": "", "track": "AI Security Village", "type": "Talk", "language": "en", "abstract": "In the original Matrix movie, Neo learned Kung Fu through an upload.  Imagine if your ML could learn the same way.  
That's what a pickle file does for ML - \"I KNOW KUNG FU\" or whatever was in the file that was supposed to be \"learned\" by your ML model.\r\nWhat if there was a plot twist where Agent Smith tampered with the Kung Fu module so that it included a fun \"bonus\" lesson that \"taught\" Neo to call Agent Smith every time he was   trying to find an exit?\r\nThat's what's happening in Pickle Files, and that's the setup for ML and AI.\r\n\r\nThis talk will step through the threat, some examples, and emerging detection capabilities.  You will KNOW Kung Fu when it's over.", "description": "In The Matrix, Neo learns Kung Fu through an upload. In ML, pickle files let models 'learn' similarly. But what if Agent Smith tampered with the module? That's what's happening in pickle files\u2014malicious code can sneak in. This talk covers the threat and detection techniques. You\u2019ll KNOW Kung Fu!", "recording_license": "", "do_not_record": false, "persons": [{"code": "CKHUTC", "name": "Kadi McKean", "avatar": "https://pretalx.com/media/avatars/CKHUTC_fgSIsTP.webp", "biography": "At ReversingLabs, I work with customers and partners across Europe to implement scalable, intelligence-driven solutions that address the growing challenges of modern software development and supply-chain integrity. My work covers areas such as Software Bill of Materials (SBOM) management, malware analysis, and advanced file and binary inspection.\r\nI\u2019m passionate about translating complex cybersecurity topics into clear, actionable strategies that align with business goals. I focus on turning cybersecurity from a reactive defense into a proactive enabler of innovation. 
I also enjoy engaging in conversations about the evolving threat landscape, the future of software trust, and how automation and AI can strengthen cyber defense.\r\nMy goal is to help organizations build not just safer software, but stronger security cultures, where transparency, collaboration, and continuous improvement are at the center of every initiative.", "public_name": "Kadi McKean", "guid": "30acdb3a-ef84-5739-b05f-8c4c3653f40d", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/CKHUTC/"}, {"code": "AGTJWH", "name": "Frithjof Hoffmann", "avatar": "https://pretalx.com/media/avatars/AGTJWH_mCJf9Ke.webp", "biography": "I\u2019m a technical sales engineer and cybersecurity professional specializing in software supply-chain security, threat intelligence, and risk management. Based in Moormerland, Germany, I combine deep technical expertise with a strategic, customer-focused approach to help organizations gain visibility, reduce risk, and strengthen resilience across their software ecosystems.\r\nAt ReversingLabs, I work with customers and partners across Europe to implement scalable, intelligence-driven solutions that address the growing challenges of modern software development and supply-chain integrity. My work covers areas such as Software Bill of Materials (SBOM) management, malware analysis, and advanced file and binary inspection.\r\nI\u2019m passionate about translating complex cybersecurity topics into clear, actionable strategies that align with business goals. I focus on turning cybersecurity from a reactive defense into a proactive enabler of innovation. 
I also enjoy engaging in conversations about the evolving threat landscape, the future of software trust, and how automation and AI can strengthen cyber defense.\r\nMy goal is to help organizations build not just safer software, but stronger security cultures, where transparency, collaboration, and continuous improvement are at the center of every initiative.", "public_name": "Frithjof Hoffmann", "guid": "0b5d0a38-e375-5e20-8da6-bffd22e1350c", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/AGTJWH/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/CDJP3Z/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/CDJP3Z/", "attachments": []}, {"guid": "c7468f8a-893d-5685-8c28-fbd4a846e7db", "code": "YTUTGD", "id": 89611, "logo": null, "date": "2026-05-07T10:35:00+02:00", "start": "10:35", "duration": "00:40", "room": "IFEN room 2, Workshops and AI Security Village  (Building D)", "slug": "bsidesluxembourg-2026-89611-what-does-threat-modeling-solve-for-ai-security", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/YTUTGD/", "title": "What Does Threat Modeling Solve for AI Security?", "subtitle": "", "track": "AI Security Village", "type": "Talk", "language": "en", "abstract": "AI rarely creates entirely new classes of risk. More often, it amplifies weaknesses that already exist in complex systems where architecture, data, and business decisions are tightly coupled. What changes is not the threat itself, but its reach, speed, and impact.\r\n\r\nThis session shows how threat modeling can be used as a leverage point in two parallel dimensions, in a way that remains accessible to newcomers while still grounded in real-world practice. On the technical side, threat modeling is presented as a concrete decision tool: identifying realistic attack paths, clarifying what actually needs to be tested, and guiding focused actions such as pentest scoping and security control prioritization. 
The emphasis is not on exhaustive models, but on developing the right security reflexes early, understanding where small inputs can create large business consequences.\r\n\r\nIn parallel, the same threat model is used as a framework validation layer. Instead of treating compliance as a documentation exercise, threat modeling helps explain how and why controls are applied where risk actually exists. Using approachable examples aligned with ISO 27001, the AI Act, and NIS2 expectations, the session demonstrates how threat modeling supports compliance efforts by making security decisions explicit, traceable, and defensible.\r\n\r\nThe session is designed for beginners and practitioners in application security, threat modeling, or software engineering, and assumes familiarity with AppSec and SDLC concepts. The focus is not on theory or abstract AI threats, but on real systems, plausible attackers, and practical threat models that help bridge technical security decisions and regulatory expectations from the start.", "description": "0\u20135 min : Context setting: Where AI really fits in the SDLC\r\n\r\nThe session starts by clarifying a frequent source of confusion: securing AI versus using AI for security. Using concrete system examples, I explain how AI is introduced into existing architectures and why it increases coupling between data, identity, APIs, and business workflows. The goal is to ground the audience in a system-level view before discussing threats. This section is fully accessible to beginners and does not assume prior AI security knowledge.\r\n\r\n5\u201310 min ; Why AI Feels Destabilizing at System Level\r\n\r\nThis section explains why AI adoption often makes risk harder to reason about. AI does not introduce chaos by itself; it amplifies risk across an already uncontrolled attack surface. Using visual system comparisons, I show how adding AI components increases the blast radius of existing weaknesses (identity, APIs, data access, monitoring gaps). 
The key objective is to shift beginners away from \u201cAI-specific threats\u201d toward ecosystem-level risk thinking.\r\n\r\n10\u201320 min : Scenario 1 (Technical Track): Testing Without Knowing Why\r\n\r\nThe first main scenario focuses on a realistic AI-driven e-commerce system where an ML recommendation engine directly impacts revenue. I walk through a common security dilemma: a limited pentesting budget with no shared understanding of what actually matters.\r\nStep by step, I introduce a lightweight threat modeling approach:\r\n\r\n- drawing a simple system diagram,\r\n- identifying threat actors,\r\n- reasoning in layers (Matryoshka-style): supply chain, network/APIs, identity, crown jewels, and mapping attack paths to business impact.\r\n\r\nThis leads to a concrete outcome: a risk-driven pentesting strategy that clearly differentiates deep testing, standard testing, and low-return testing areas. Beginners see how threat modeling directly informs technical decisions instead of producing abstract documentation.\r\n\r\n20\u201330 min : Scenario 2 (Framework Track): Threat Modeling as a Compliance Validator\r\n\r\nThe second scenario shifts focus to compliance and governance challenges. I present a situation where multiple teams claim compliance (secure coding, code reviews, pentests), yet cannot demonstrate why controls are effective.\r\n\r\nUsing an ISO 27001 control (secure coding), I show how threat modeling reframes the question from \u201cdo we have this control?\u201d to \u201cwhere would insecure code actually hurt us?\u201d. 
A concrete threat scenario is built around an input processing service in front of an ML model, illustrating how business-impacting abuse can occur even when traditional controls exist.\r\n\r\nThis logic is then extended to broader regulatory expectations (AI Act, NIS2): threat modeling provides a structured way to justify controls, expose blind spots (e.g., missing abuse-case testing or decision integrity checks), and explain partial compliance in a defensible manner.\r\n\r\n30\u201335 min : Key Takeaways and Practical Guidance\r\n\r\nI conclude by explicitly tying both tracks together. The same threat model supports: technical security decisions (what to test, where to invest effort), and compliance justification (why controls exist and what risk they mitigate).\r\n\r\nThe final takeaways focus on what beginners can apply immediately: modeling change rather than entire systems, prioritizing reachable attack paths, and using threat modeling as a living practice rather than a one-time deliverable.", "recording_license": "", "do_not_record": false, "persons": [{"code": "SPJFYU", "name": "Nathan Pembe", "avatar": "https://pretalx.com/media/avatars/SPJFYU_rMvRhs0.webp", "biography": "Senior AppSec Consultant at NVISO, I help teams across Europe embed security from design to delivery. I lead threat modeling workshops, secure design reviews, and lectures. 
I turn AppSec into real-world impact and help fast-paced teams make threat modeling stick for good with no bullsh*t.", "public_name": "Nathan Pembe", "guid": "b031b973-2491-52e9-9f0d-1c55c6d4ef68", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/SPJFYU/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/YTUTGD/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/YTUTGD/", "attachments": []}, {"guid": "69cf45b6-ab86-5fee-9c96-207a6960bed8", "code": "GLKSMY", "id": 89159, "logo": null, "date": "2026-05-07T13:30:00+02:00", "start": "13:30", "duration": "00:30", "room": "IFEN room 2, Workshops and AI Security Village  (Building D)", "slug": "bsidesluxembourg-2026-89159-talk-to-a-shell-exploiting-ai-agent-in-real-time", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/GLKSMY/", "title": "Talk to a Shell : Exploiting AI agent in Real Time", "subtitle": "", "track": "AI Security Village", "type": "Talk", "language": "en", "abstract": "AI agents are no longer simple chatbots\u2014they're autonomous systems equipped with powerful tools including shell access, file operations, and database queries. But what happens when an attacker asks nicely?\r\n\r\nIn this talk, we present a real-world vulnerability discovered in a production AI platform where we achieved full system command execution through natural language conversation. Starting with simple reconnaissance. When the AI initially denied access, we researched and deployed a jailbreak technique that bypassed safety guardrails\u2014all through conversation.\r\n\r\nThe result? Reading /etc/passwd, enumerating system information, and letting the AI run reconnaissance commands for us. No credentials. No exploits. 
Just conversation.\r\n\r\nAttendees will learn:\r\n- How AI agent architectures create new attack surfaces\r\n- Practical jailbreak techniques for tool-enabled LLMs\r\n- The \"Confused Deputy\" problem in AI systems\r\n- Defense strategies for securing AI agents", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "8799ND", "name": "Parth Shukla", "avatar": "https://pretalx.com/media/avatars/8799ND_WOPQmKr.webp", "biography": "Parth Shukla is a Senior Security Researcher specializing in AI Security and Adversarial Machine Learning. With a deep background in offensive security, he currently focuses on the security architecture of Agentic Systems and LLMs. His research bridges the gap between traditional application security and the probabilistic risks of modern AI.", "public_name": "Parth Shukla", "guid": "36bd2073-5eab-52a6-ab03-86f5090fccd8", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/8799ND/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/GLKSMY/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/GLKSMY/", "attachments": []}, {"guid": "7bf1e196-30bc-5d61-be04-6253e7cb3563", "code": "LBYZCG", "id": 92261, "logo": null, "date": "2026-05-07T14:00:00+02:00", "start": "14:00", "duration": "00:40", "room": "IFEN room 2, Workshops and AI Security Village  (Building D)", "slug": "bsidesluxembourg-2026-92261-teaming-trust-and-threats-how-humans-interact-with-generative-ai-in-security", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/LBYZCG/", "title": "Teaming, Trust, and Threats: How Humans Interact with Generative AI in Security", "subtitle": "", "track": "AI Security Village", "type": "Talk", "language": "en", "abstract": "Generative AI may not yet be stealing everyone's jobs, but it is already impacting the way that we interact with computers, with important implications for cybersecurity. 
Difficult tasks like network analysis, social engineering defense, and writing safe software will require humans and AI to form teams while relying on mutual trust, and an understanding of the threats posed by the misuse of AI by bad actors.  This talk explores research in Human-Computer Interaction applied to understanding teaming, trust, and threats of Generative AI in cybersecurity.", "description": "In this talk, I will present research in Human Computer Interaction focusing on how people use Generative AI technologies like ChatGPT, Google's Gemini, and Anthropic's Claude in cybersecurity contexts. This will begin with background in computational cognitive modeling, and how it is related to cybersecurity in my research. Next I will describe my past research into applying these models of human learning to designing better AI systems for anti-phishing social engineering training and network analysis recommendations. Finally, I will discuss my current and future research in human interaction with LLM agents applied to software engineering and spear-phishing website generation.", "recording_license": "", "do_not_record": false, "persons": [{"code": "BQW9H3", "name": "Tailia Malloy", "avatar": "https://pretalx.com/media/avatars/BV3BMU_nXOvxMh.webp", "biography": "Dr. Tailia Malloy (She/They) is a postdoctoral researcher at the University of Luxembourg in the Trustworthy Software Engineering research group. Their PhD explored computational cognitive models of human learning and decision making that can allow us to train AI systems with an understanding of human biases and constraints. 
This led them to the area of cybersecurity, where their current research focuses on Generative AI applied to recommendations in network analysis, social engineering training and defense, and safe and secure code generation with LLM agents.", "public_name": "Tailia Malloy", "guid": "bfd3d0b9-1e1e-5fc9-9071-6fac4c0afd0d", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/BQW9H3/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/LBYZCG/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/LBYZCG/", "attachments": []}, {"guid": "7660af63-095e-5645-a475-2cdb0584e27f", "code": "QW3PJK", "id": 91904, "logo": null, "date": "2026-05-07T14:40:00+02:00", "start": "14:40", "duration": "00:40", "room": "IFEN room 2, Workshops and AI Security Village  (Building D)", "slug": "bsidesluxembourg-2026-91904-the-agents-of-chaos-ai-driven-malware-generation", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/QW3PJK/", "title": "The Agents of Chaos: AI Driven Malware Generation", "subtitle": "", "track": "AI Security Village", "type": "Talk", "language": "en", "abstract": "With the use of AI agents catching wind across the offensive security space, from phishing, to fuzzing and penetration testing, it was inevitable that malware would follow suit. 
While most discussions focus on using AI to generate malicious payloads at the malware\u2019s runtime, or \"vibe coding\" it, we went a step further: we built a system where AI is the sole participant in the malware creation process itself.\r\nWe will begin by talking about how we got to this point, what sparked the idea, and jump into comparing different models - showing which gave the best code, which was most evasive, which prompts worked the best, and what we used in the agent.\r\nWe will then dig into the generation process itself \u2013 we will show the challenges with earlier implementations, and how we solve them, how to build the workflow to maximize the malware\u2019s capability and randomization, and even how it managed to break signatures.\r\nWe will finish by showing how the resulting malware is performing, comparing different samples, and showing how each sample defeated several static malware analyzers, as well as talk about what's next for this agent, and what's next in the domain of AI-generated malware.", "description": "Modern AI systems have moved far beyond rule-based automation and are now capable of generating complex, functional software. While most discussions focus on productivity benefits like code generation and vibe coding, the same capabilities can also be applied to offensive security. 
This session explores a research project that examines how AI models can be orchestrated to autonomously generate new malware samples, and what this means for both attackers and defenders.\r\n\r\nThe talk focuses on understanding the process and experimentation space behind AI-driven malware generation: how model behavior changes depending on prompts, model selection, validation workflows, and code restructuring techniques.\r\n\r\nThe main things that are explored in the presentation:\r\n\r\n**Prompt design and task framing (what the model is asked to do)**\r\nDirectly asking a model to write ransomware often fails due to safety controls or poor results. By reframing tasks, such as generating behavioral descriptions first and then implementing them in code, it becomes possible to produce working implementations while avoiding many common failure modes.\r\n\r\n**Model selection and orchestration (which models do what)**\r\nDifferent models excel at different tasks. The agent combines uncensored local models for unrestricted generation, stronger coding models for fixes, and remote models for validation. This multi-model approach improves reliability compared to relying on a single model.\r\n\r\n**Automated generation and validation loops (ensuring working output)**\r\nGenerated code is automatically compiled, tested, and fed back into models when errors occur. 
This loop allows the system to fix compilation issues, improve functionality, and rely on working samples without manual intervention.\r\n\r\n**Code diversity and detection evasion (how \u201cnew\u201d samples are created)**\r\nBy allowing models to choose different implementations, encryption methods, structures, and even programming languages, each generated sample can look structurally different while doing relatively the same task.\r\n\r\n**Feature expansion (beyond basic malware behavior)**\r\nWhen prompted appropriately, models sometimes add additional behaviors such as persistence, system discovery, evasion checks, or data exfiltration attempts, demonstrating how AI can generate increasingly complex malware variants.\r\n\r\nWhat can you gain from this\r\n\r\n- A practical view of how AI models can be chained together to generate functional malware samples.\r\n\r\n- An understanding of how prompts, model choice, and validation workflows affect output reliability and detectability.\r\n\r\n- A framework that researchers and defenders can use to generate diverse samples for testing detection systems.\r\n\r\nWhile the presentation uses ransomware generation as the running example, the broader takeaway is about how generative AI changes the scale and variability of offensive tooling, and how the same techniques can also be leveraged by defenders to strengthen security systems.", "recording_license": "", "do_not_record": false, "persons": [{"code": "E89977", "name": "Arad Donenfeld", "avatar": "https://pretalx.com/media/avatars/E89977_ovYFSLF.webp", "biography": "Arad Donenfeld is an attacks and exploits developer in SafeBreach, and has a background in security research from several roles. With his strong foundations of development, security, and operating systems internals, Arad develops tools for offensive operations, detection methods, and workflow automation. 
Arad focuses on practical techniques to identify and manipulate vulnerabilities and breaches, while testing and improving defenses across broad environments", "public_name": "Arad Donenfeld", "guid": "42a341bd-378a-5977-b947-b7ca36f3ca83", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/E89977/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/QW3PJK/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/QW3PJK/", "attachments": []}, {"guid": "7a68720c-eb9f-53c5-9b59-b56ab469a2d9", "code": "TGFQH9", "id": 92577, "logo": null, "date": "2026-05-07T15:40:00+02:00", "start": "15:40", "duration": "00:40", "room": "IFEN room 2, Workshops and AI Security Village  (Building D)", "slug": "bsidesluxembourg-2026-92577-when-llms-summarize-security-findings-the-tradeoffs-you-can-t-ignore", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/TGFQH9/", "title": "When LLMs Summarize Security Findings: The Tradeoffs You Can\u2019t Ignore", "subtitle": "", "track": "AI Security Village", "type": "Talk", "language": "en", "abstract": "LLMs are often presented as a shortcut from \u201chundreds of findings\u201d to \u201cactionable summary.\u201d In reality, getting useful and trustworthy output is less about a single prompt and more about understanding the knobs you can turn - and what typically happens when you turn them.\r\n\r\nThis talk uses vulnerability assessment results analysis as a concrete example task, but the goal is broader: a research-style exploration of the design space for LLM-assisted summarization. 
We\u2019ll map the main control surfaces - goal definition, output constraints, input shaping, model selection, evaluation methods, and cost/latency budgets - and show how changing each one affects faithfulness, specificity, consistency, and failure modes.\r\n\r\nThe session offers a practical framework for experimenting safely: define measurable requirements, run iterative comparisons, and use structured judging to learn which combinations of knobs move you toward \u201cuseful\u201d versus \u201cconfidently wrong.\u201d Attendees leave with a repeatable way to reason about tradeoffs and a set of patterns they can apply to other security summarization problems.", "description": "Security teams routinely face large vulnerability assessment reports that are rich in detail but hard to operationalize. LLMs look promising for making this information accessible, yet outcomes vary wildly: some summaries are crisp and helpful; others are vague, incomplete, or subtly inaccurate. This session is a research-driven tour of *why* that happens and *what you can control*.\r\n\r\nThe talk is not a \u201cship this to production tomorrow\u201d story. It is a guide to the experimentation landscape - using vulnerability findings as an illustrative workload - focused on the knobs you can tune and the behaviors you should expect.\r\n\r\n### The core idea: treat LLM summarization as a system with controllable parameters\r\n\r\nWe\u2019ll explore six major knob categories:\r\n\r\n1. Task framing (what \u201cgood\u201d means)\r\n    \r\nIf you don\u2019t specify the purpose (e.g., executive risk overview vs. remediation triage vs. compliance-oriented highlights), the model will invent its own. We\u2019ll discuss how tight vs. broad goals change output specificity and risk of omission.\r\n    \r\n2. 
Output constraints (how the answer must behave)\r\n    \r\n Word limits, required sections, citation/evidence requirements, and \u201cno new facts\u201d rules are not cosmetics\u2014they change error rates and the model\u2019s tendency to hedge or hallucinate.\r\n    \r\n3. Input shaping (what the model actually sees)\r\n    \r\nThe strongest lever is often preprocessing: deduplicating repetitive data, normalizing fields, extracting key evidence, compressing large reports into context-friendly representations, and moving deterministic operations (like counting/grouping) outside the model. This reduces failure modes and makes evaluation meaningful.\r\n    \r\n4. Model selection (speed, cost, and capability)\r\n    \r\nDifferent models fail in different ways. We\u2019ll cover the practical implications of choosing \u201cfast enough\u201d versus \u201cbest possible\u201d and what quality typically degrades first when you optimize for latency/cost.\r\n    \r\n5. Evaluation and judging (how you know it improved)\r\n    \r\n\u201cLooks good to me\u201d does not scale. We\u2019ll outline a lightweight evaluation harness: a rubric that scores faithfulness, completeness, specificity, and usefulness; repeated runs to check consistency; and a structured judging approach to compare variants.\r\n    \r\n6. Iteration strategy (how you converge)\r\n    \r\nPrompt iteration works best when grounded in measurements. We\u2019ll show a \u201cvibe coding\u201d loop that\u2019s still research-minded: change one knob, rerun tests, observe shifts in failure modes, then decide whether the tradeoff is acceptable for the goal.    
\r\n\r\n### What attendees will take away\r\n\r\n- A mental model of the main knobs available when applying LLMs to security summarization tasks\r\n- Predictable \u201cwhat happens when you turn it\u201d patterns (which tweaks usually help, which create new failure modes)\r\n- A repeatable experimentation framework for comparing prompts/models/input formats under real constraints\r\n- A clear tradeoff map: reliability vs. speed vs. cost, plus the engineering consequences of tighter coupling to input structures\r\n\r\nWhile vulnerability assessment results are the running example, the approach generalizes to other security contexts: incident write-ups, alert triage digests, control evidence summaries, and executive reporting.", "recording_license": "", "do_not_record": false, "persons": [{"code": "PCSJDK", "name": "Andrey Lukashenkov", "avatar": "https://pretalx.com/media/avatars/NSKLET_mt04QwW.webp", "biography": "Andrey Lukashenkov handles all things revenue, product, and marketing at Vulners - a bootstrapped, profitable company committed to providing an all-in-all vulnerability intelligence platform to the cybersecurity community.\r\n\r\nBeing naturally curious and having a technical background, he leverages unlimited access to the Vulners database to explore various topics related to vulnerability management, prioritization, exploitation, and scoring.", "public_name": "Andrey Lukashenkov", "guid": "07b1396a-7d44-559c-be9a-38bb3a3df91c", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/PCSJDK/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/TGFQH9/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/TGFQH9/", "attachments": []}, {"guid": "d0e564b0-bec7-5629-9148-5dc54c962435", "code": "D3T9SA", "id": 90759, "logo": null, "date": "2026-05-07T16:20:00+02:00", "start": "16:20", "duration": "00:40", "room": "IFEN room 2, Workshops and AI Security Village  (Building D)", "slug": 
"bsidesluxembourg-2026-90759-making-a-risk-informed-llm-choice", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/D3T9SA/", "title": "Making a risk-informed LLM choice", "subtitle": "", "track": "AI Security Village", "type": "Talk", "language": "en", "abstract": "Every LLM has flaws. It\u2019s been proven that the guardrails on every LLM can be bypassed. When you\u2019re thinking about which ones to build your applications on, what are the key risks you need to be aware of?\r\nIn this talk, we will dive into our testing methodology for scanning the most popular LLMs for vulnerabilities where we generated hundreds of thousands of prompts across categories including prompt injection, malware, offensive language, and much more.\r\n\r\nWe\u2019ll share our LLM risk matrix, and explain the best practices around minimizing the risk of hallucinations, malicious content, indirect prompt injection, and more as you build your LLM-powered applications.", "description": "Every LLM has risks, from malicious content generation to jailbreak, injection, misinformation and more. In this session, we'll discuss the approach that we used for categorizing the risk levels of the most popular LLMs that are available for application developers on the leading cloud platforms. We'll explain:\r\n\r\n    What tools we used to do this testing\r\n    How we use those tools\r\n    What categories of problems we're able to identify\r\n    How we turn the problems into understandable risk for developers and security practitioners to use for making decisions on which LLMs to adopt", "recording_license": "", "do_not_record": false, "persons": [{"code": "Q7DTLL", "name": "Jeremy Snyder", "avatar": "https://pretalx.com/media/avatars/Q7DTLL_2DWdct7.webp", "biography": "Jeremy is the founder and CEO of FireTail, an end-to-end AI security platform. Prior to FireTail, Jeremy worked in M&A at Rapid7, a global cyber leader, where he worked on the acquisitions of 3 companies during the pandemic. 
Jeremy previously led sales at DivvyCloud, one of the earliest cloud security posture management companies, and also led AWS sales in southeast Asia. Jeremy started his career with 13 years in cyber and IT operations. Jeremy has an MBA from Mason, a BA in computational linguistics from UNC, and has completed additional studies in Finland at Aalto University. Jeremy speaks 5 languages and has lived in 5 countries.", "public_name": "Jeremy Snyder", "guid": "57192923-7ca8-5e18-a2e6-44e080b84836", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/Q7DTLL/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/D3T9SA/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/D3T9SA/", "attachments": []}, {"guid": "2e876589-395c-510e-b844-d375f3f8e882", "code": "F7UGVL", "id": 85885, "logo": "https://pretalx.com/media/bsidesluxembourg-2026/submissions/F7UGVL/image_CTALa7q.webp", "date": "2026-05-07T17:00:00+02:00", "start": "17:00", "duration": "00:40", "room": "IFEN room 2, Workshops and AI Security Village  (Building D)", "slug": "bsidesluxembourg-2026-85885-oh-shit-i-accidentally-breached-an-organization-or-many-using-ai", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/F7UGVL/", "title": "Oh Shit I Accidentally Breached an Organization (or many) using AI", "subtitle": "", "track": "AI Security Village", "type": "Talk", "language": "en", "abstract": "In this session we are going to walk through how did one \"harmless\" search spiral into a multi-organization data breach and how did weaponized AI supercharge it into an even bigger leak of sensitive data.\r\nIn this session, we\u2019ll unpack the whole story.", "description": "During this session we are going to learn how we can weaponize AI for OSINT campaigns, how it can be used/abused by adversaries to perform spear phishing attacks (using the previously mentioned OSINT as a basis). 
We are going to talk about operational security considerations when weaponizing AI.\r\nDuring this talk we are going to wear a purple hat by viewing the perspective of both an adversary and a defender.", "recording_license": "", "do_not_record": false, "persons": [{"code": "3SR8XD", "name": "Panagiotis Fiskilis", "avatar": "https://pretalx.com/media/avatars/3SR8XD_RLF8ame.webp", "biography": "Panagiotis is a Senior Red Team Operator @ NVISO, with multiple years of experience in ethical hacking and Red Teaming, interested in API hacking, Active Directory hacking and malware development.\r\n\r\nPanagiotis is RTOS, CRTO, OSCP, OSWE, OSWA, RTOS and eWPT certified\r\n\r\nPanagiotis is also an active student at the University of West Attica", "public_name": "Panagiotis Fiskilis", "guid": "42c78a9b-63ef-510c-9633-cee6f25ab5bf", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/3SR8XD/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/F7UGVL/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/F7UGVL/", "attachments": []}], "IFEN room 3 Workshops and AI Security Village (Building D)": [{"guid": "c388a02e-ccba-58c2-8329-5fef674090b6", "code": "HY3QBJ", "id": 93488, "logo": null, "date": "2026-05-07T13:30:00+02:00", "start": "13:30", "duration": "04:30", "room": "IFEN room 3 Workshops and AI Security Village (Building D)", "slug": "bsidesluxembourg-2026-93488-0-ai-security-village-technical-training-and-implementation", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/HY3QBJ/", "title": "AI Security village - technical training and implementation", "subtitle": "", "track": "AI Security Village", "type": "Village, 2d (2days x 8h)", "language": "en", "abstract": "The technical track of the AI security village", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "8799ND", "name": "Parth Shukla", "avatar": "https://pretalx.com/media/avatars/8799ND_WOPQmKr.webp", "biography": 
"Parth Shukla is a Senior Security Researcher specializing in AI Security and Adversarial Machine Learning. With a deep background in offensive security, he currently focuses on the security architecture of Agentic Systems and LLMs. His research bridges the gap between traditional application security and the probabilistic risks of modern AI.", "public_name": "Parth Shukla", "guid": "36bd2073-5eab-52a6-ab03-86f5090fccd8", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/8799ND/"}, {"code": "R9J9FP", "name": "Nagarjun Rallapalli", "avatar": "https://pretalx.com/media/avatars/R9J9FP_m08b6Af.webp", "biography": "Automating Security since 2022.\r\nBuilding (and breaking) AI agents to test their limits.", "public_name": "Nagarjun Rallapalli", "guid": "ef9822df-e0fa-582e-82c6-1c5b5749d626", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/R9J9FP/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/HY3QBJ/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/HY3QBJ/", "attachments": []}], "Workshops May 6th, Speaker's room May 7+8th (C1.02.13)": [{"guid": "1c73485f-2816-5370-ab3b-e895f9474034", "code": "YGC7EA", "id": 90638, "logo": null, "date": "2026-05-07T10:00:00+02:00", "start": "10:00", "duration": "02:00", "room": "Workshops May 6th, Speaker's room May 7+8th (C1.02.13)", "slug": "bsidesluxembourg-2026-90638-2-dismantle-the-bomb", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/", "title": "Dismantle The Bomb", "subtitle": "", "track": "Escape games!", "type": "Workshop 2h", "language": "en", "abstract": "Dismantle the bomb by performing different tasks", "description": "Dismantle the bomb by performing different tasks. 
The tasks will include:\r\n- Solving ciphers\r\n- Being genuine with a special flashlight\r\n- lock picking \r\n- make a key with a lishi tool\r\n- ...", "recording_license": "", "do_not_record": false, "persons": [{"code": "ZTMXFW", "name": "Stijn Tomme", "avatar": "https://pretalx.com/media/avatars/ZTMXFW_uIVfOdZ.webp", "biography": "Been in IT security for too long. I enjoy creating fun and games!", "public_name": "Stijn Tomme", "guid": "ead70de2-5a9e-5747-942b-781b37612c50", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/ZTMXFW/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/", "attachments": []}, {"guid": "103df07c-102e-53b5-8bb6-6c1130477e21", "code": "YGC7EA", "id": 90638, "logo": null, "date": "2026-05-07T13:30:00+02:00", "start": "13:30", "duration": "02:00", "room": "Workshops May 6th, Speaker's room May 7+8th (C1.02.13)", "slug": "bsidesluxembourg-2026-90638-3-dismantle-the-bomb", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/", "title": "Dismantle The Bomb", "subtitle": "", "track": "Escape games!", "type": "Workshop 2h", "language": "en", "abstract": "Dismantle the bomb by performing different tasks", "description": "Dismantle the bomb by performing different tasks. The tasks will include:\r\n- Solving ciphers\r\n- Being genuine with a special flashlight\r\n- lock picking \r\n- make a key with a lishi tool\r\n- ...", "recording_license": "", "do_not_record": false, "persons": [{"code": "ZTMXFW", "name": "Stijn Tomme", "avatar": "https://pretalx.com/media/avatars/ZTMXFW_uIVfOdZ.webp", "biography": "Been in IT security for too long. 
I enjoy creating fun and games!", "public_name": "Stijn Tomme", "guid": "ead70de2-5a9e-5747-942b-781b37612c50", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/ZTMXFW/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/", "attachments": []}, {"guid": "e72321ee-f197-5689-b507-dc8549c22aa2", "code": "YGC7EA", "id": 90638, "logo": null, "date": "2026-05-07T16:00:00+02:00", "start": "16:00", "duration": "02:00", "room": "Workshops May 6th, Speaker's room May 7+8th (C1.02.13)", "slug": "bsidesluxembourg-2026-90638-4-dismantle-the-bomb", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/", "title": "Dismantle The Bomb", "subtitle": "", "track": "Escape games!", "type": "Workshop 2h", "language": "en", "abstract": "Dismantle the bomb by performing different tasks", "description": "Dismantle the bomb by performing different tasks. The tasks will include:\r\n- Solving ciphers\r\n- Being genuine with a special flashlight\r\n- lock picking \r\n- make a key with a lishi tool\r\n- ...", "recording_license": "", "do_not_record": false, "persons": [{"code": "ZTMXFW", "name": "Stijn Tomme", "avatar": "https://pretalx.com/media/avatars/ZTMXFW_uIVfOdZ.webp", "biography": "Been in IT security for too long. 
I enjoy creating fun and games!", "public_name": "Stijn Tomme", "guid": "ead70de2-5a9e-5747-942b-781b37612c50", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/ZTMXFW/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/", "attachments": []}], "Workshops and Stage - Design Space (C1.05.12)": [{"guid": "c889a26e-0d35-5a3b-8aca-b9095077e170", "code": "A7AXTC", "id": 89334, "logo": null, "date": "2026-05-07T10:35:00+02:00", "start": "10:35", "duration": "00:40", "room": "Workshops and Stage - Design Space (C1.05.12)", "slug": "bsidesluxembourg-2026-89334-spot-spear-phishing-overwatching-tool", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/A7AXTC/", "title": "SPOT - Spear-Phishing Overwatching Tool", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "Nowadays, the detection of generic mass-scale phishing attacks is quite\r\neffective.  Techniques that leverage indicators of compromise (IOCs) collection\r\nand sharing tools, such as MISP (the Open Source Threat Intelligence Sharing\r\nPlatform), are well established and give good results in the field. 
However,\r\ndetection of targeted attack attempts aka spear-phishing, is much more\r\nchallenging because the attackers exploit contextual information about the\r\ntargets they aim for.\r\nBy using up-to-date, relevant and precise information about the inner\r\noperations of the targeted company, attackers can make their deception far more\r\neffective.\r\nSPOT makes use of state-of-the-art natural language\r\nprocessing (NLP) techniques based on machine learning (ML) and large language\r\nmodels (LLMs) in particular to try to detect and prevent spear-phishing\r\nattack attempts.\r\nThis opensource project was co-financed by the LU-CID initiative by the Ministry\r\nof Economy Luxembourg.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "3LW9XQ", "name": "Pauline Bourmeau (Cookie)", "avatar": "https://pretalx.com/media/avatars/3LW9XQ_fRZxzk4.webp", "biography": "Pauline Bourmeau is an independent security researcher specializing in the intersection of artificial intelligence, cognitive psychology, and threat intelligence. She has consulted on multilingual natural language processing, led deep learning and NLP workshops, and created training materials blending STEM with human factors. As founder of DEFCON Paris and contributor to the MISP project, she actively advances collaborative cybersecurity practices.\r\nPreviously, Pauline worked as a Threat Intelligence Analyst conducting OSINT, HUMINT, and SOCINT analysis to profile threats and investigate APTs. 
She holds a Master\u2019s in Criminology with a thesis on cybersecurity intelligence sharing, and a background in sociolinguistics and computer science from Sorbonne and School 42.", "public_name": "Pauline Bourmeau (Cookie)", "guid": "c9728882-b3f8-50d5-b946-fb3cf82d1c4f", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/3LW9XQ/"}, {"code": "WHXH3Q", "name": "William Robinet", "avatar": "https://pretalx.com/media/avatars/WHXH3Q_Q8FkSnu.webp", "biography": "William manages the technical team behind AS197692 at Conostix S.A. in Luxembourg. He\u2019s been working in cybersecurity using free and opensource software on a daily basis for more than 25 years. Recently, he presented his work on SSL/TLS toolkits at Nullcon 2025 in Goa and Hack.lu 2025 in Luxembourg. He contributed to the cleanup and enhancement efforts done on ssldump lately. He particularly enjoys tinkering with open (and not so open) hardware. Currently he likes playing around with new tools in the current ML scene, building, hopefully, useful systems for fun and, maybe, profit. 
When not behind an intelligent wannabe machine, he's doing analog music with his band of humans.", "public_name": "William Robinet", "guid": "3b84b965-4ff5-5894-a6a3-2d779304a6d1", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/WHXH3Q/"}, {"code": "7UZAT9", "name": "Thibaut Diels", "avatar": "https://pretalx.com/media/avatars/7UZAT9_YOw2HR5.webp", "biography": "Systems/Infrastructure Developer during the day.\r\nGame Developer at night.\r\nPassionate about ice/roller skating, video games, linux ricing and music.", "public_name": "Thibaut Diels", "guid": "18bf754f-5799-58fb-a491-87c06ed831cd", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/7UZAT9/"}, {"code": "NHG7E3", "name": "Mathieu Fourcroy", "avatar": "https://pretalx.com/media/avatars/NHG7E3_AErYNM7.webp", "biography": "> Tech nerd, gamer, living in the past (on purpose)", "public_name": "Mathieu Fourcroy", "guid": "6e9f8ef0-fc1f-5ed7-8cc3-bc5216d691ce", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/NHG7E3/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/A7AXTC/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/A7AXTC/", "attachments": []}, {"guid": "aa0a7c5f-f3d4-55ab-bcb4-90ce8bea4beb", "code": "VENKPF", "id": 90254, "logo": "https://pretalx.com/media/bsidesluxembourg-2026/submissions/VENKPF/image_I4p3ada.webp", "date": "2026-05-07T11:20:00+02:00", "start": "11:20", "duration": "00:40", "room": "Workshops and Stage - Design Space (C1.05.12)", "slug": "bsidesluxembourg-2026-90254-mapping-the-invisible-why-system-cartography-matters-for-security-and-compliance", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/VENKPF/", "title": "Mapping the Invisible: Why System Cartography Matters for Security and Compliance", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "Modern infrastructures are increasingly complex, distributed, and opaque \u2014 making it difficult for security teams to answer 
a simple question: what exactly are we protecting?\r\n\r\nSystem cartography provides an essential foundation for cybersecurity governance. It allows organizations to understand their architecture, dependencies, and data flows \u2014 the key to effective risk management, incident response, and compliance.", "description": "This talk introduces these concepts through [Mercator](https://www.github.com/dbarzin/mercator) an open-source tool designed to map and visualize complex infrastructures. Mercator transforms data from existing sources (CMDB, inventories, scans) into interactive diagrams that help bridge the gap between technical visibility and strategic security management.\r\n\r\nRather than a technical demo, this 40-minute session offers a conceptual overview of how cartography supports risk management, incident response, and regulatory compliance, turning architecture into a living asset for cybersecurity.", "recording_license": "", "do_not_record": false, "persons": [{"code": "F7ZBE7", "name": "Didier Barzin", "avatar": "https://pretalx.com/media/avatars/F7ZBE7_Bc65boE.webp", "biography": "Hi there, I'm Didier, a technology and information security enthusiast. I started my career as an information security Ninja, defending information systems against cyber threats using my Jedi skills. However, I also have another side to me that comes out at night, that of a benevolent hacker. I love using my skills to support the values of open source and firmly believe in them.\r\n\r\nI believe that technology can be used to improve people's lives, but this can only be done if we work together and share our knowledge. 
That's why I'm also a strong advocate of collaboration and openness in the tech industry.\r\n\r\nMay the source code be with you!", "public_name": "Didier Barzin", "guid": "f3d30423-f31f-58d2-a7b1-5130e94b7e0a", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/F7ZBE7/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/VENKPF/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/VENKPF/", "attachments": []}, {"guid": "6df6c494-4a4d-5c9e-b06e-8ec04bbbcbd9", "code": "NQDVUB", "id": 89815, "logo": null, "date": "2026-05-07T13:30:00+02:00", "start": "13:30", "duration": "00:40", "room": "Workshops and Stage - Design Space (C1.05.12)", "slug": "bsidesluxembourg-2026-89815-cloud-misconfigurations-poke-poke-breach", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/NQDVUB/", "title": "Cloud Misconfigurations: Poke Poke, Breach", "subtitle": "", "track": "Cloud track", "type": "Talk", "language": "en", "abstract": "Cloud misconfigurations still cause saying-it-out-loud 99% of cloud security failures, but in 2026 the mistakes have mutated. Today\u2019s breaches are less \u201coops, public bucket\u201d and more over-privileged identities, sketchy SaaS integrations, forgotten test environments, and dangerously helpful defaults in AI and Kubernetes.\r\n\r\nThis talk introduces a modern hierarchy of cloud misconfigurations based on late-2025 and early-2026 breach data, then flips the script from post-incident cleanup to pre-deployment prevention using Policy as Code (PaC). Instead of finding problems after attackers do, we stop insecure resources from ever being created. We\u2019ll wrap with the Toxic Trilogy, a practical model for spotting cloud assets that are statistically doomed, and show how PaC quietly dismantles all three conditions before anyone has to open a ticket.", "description": "Cloud security has become very good at finding problems after they ship. Scanners run. Dashboards glow. Tickets multiply. 
Meanwhile, attackers stroll in through configurations that technically \u201cpassed\u201d review. In 2026, misconfigurations still understand how to ruin everyone\u2019s day, not because teams don\u2019t care, but because cloud complexity has officially outrun human attention.\r\n\r\nThis session opens with the 2026 hierarchy of cloud misconfigurations, grounded in late-2025 and early-2026 breach data rather than folklore:\r\n\r\n- Identity and entitlement overreach as the new breach starter pistol\r\n- SaaS and API integrations quietly bypassing MFA, logging, and common sense\r\n- Storage exposure that survived provider guardrails via authenticated access and CDNs\r\n- Shadow environments and abandoned IaC resources that never got the security memo\r\n\r\nFrom there, I stop poking the fluffy cloud creature and wondering why it bites back. Using the Guardrail Strategy and Policy as Code, security rules become executable laws of physics inside CI/CD pipelines. Public buckets fail builds. Admin-level service accounts get denied. Secrets never make it into source control. Production click-ops quietly undo themselves like a bad idea sobering up.\r\n\r\nI\u2019ll then introduce the Toxic Trilogy: cloud assets that are publicly exposed, highly privileged, and critically vulnerable. PaC\u2019s real power in 2026 is context. 
By evaluating how these risks overlap, policies don\u2019t just find problems, they prevent entire breach classes from ever existing.\r\n\r\nThe result is faster delivery, fewer incidents, and security that finally keeps up with cloud speed without becoming the team everyone avoids on Slack.\r\n\r\nKey Takeaways\r\n\r\n- Identify the top cloud misconfiguration patterns of 2026 based on real breach data\r\n- Understand why identity and API integrations now outrank storage as breach drivers\r\n- Recognize the Toxic Trilogy and why its overlap predicts breaches with scary accuracy\r\n- Explain how Policy as Code shifts security from detection to prevention\r\n- Apply a policy-first workflow to block risky cloud deployments before production\r\n- Reduce misconfiguration risk without slowing developers or drowning in tickets", "recording_license": "", "do_not_record": true, "persons": [{"code": "HNWSNB", "name": "Kat Fitzgerald", "avatar": "https://pretalx.com/media/avatars/HNWSNB_39r2Z7c.webp", "biography": "Chicago-based (But soon Porto!) and proudly a natural creature of winter, I thrive on snow, OSS, and just the right amount of chaos. Whether sipping Grand Mayan Extra A\u00f1ejo or warding off cyber threats with a mix of honeypots, magic spells, and a very opinionated flamingo named Sasha (the BSidesChicago.org mascot), I keep things interesting. 
Honeypots and refrigerators rank among my favorite things\u2014though my neighbors would likely disagree.", "public_name": "Kat Fitzgerald", "guid": "79255541-f25c-5e4f-b308-95a4c75868b9", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/HNWSNB/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/NQDVUB/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/NQDVUB/", "attachments": []}, {"guid": "3fd65e9a-985b-5218-b757-b21bf2967c95", "code": "ABKXN7", "id": 88474, "logo": null, "date": "2026-05-07T14:10:00+02:00", "start": "14:10", "duration": "00:40", "room": "Workshops and Stage - Design Space (C1.05.12)", "slug": "bsidesluxembourg-2026-88474-in-the-wild-cloud-exfiltration-paths-you-might-not-expect", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/ABKXN7/", "title": "In The Wild Cloud Exfiltration Paths You Might Not Expect", "subtitle": "", "track": "Cloud track", "type": "Talk", "language": "en", "abstract": "As organizations migrate to the cloud, threat actors' exfiltration tactics and techniques evolved and targeted the architectural boundaries of cloud service models (SaaS, PaaS, IaaS). Each service model presents different exfiltration options as the responsibility shifts between cloud providers and customers, creating distinct attack surfaces that threat actors use for exfiltration.\r\n\r\nDrawing on hundreds of real-world cases from CrowdStrike incident response and threat hunting, this talk moves past the theory to showcase exfiltration techniques that catch even seasoned defenders off guard. We'll dive into:\r\n\r\n- SaaS Stealth: Abusing Microsoft 365 via third-party apps and silently exfiltrating DocuSign documents using sync functionality.\r\n- The PaaS Pivot: How ETL platforms could be misused for exfiltration.\r\n- IaaS Tactics: Infrastructure tampering and cross-cloud data transfers. 
\r\n\r\nThis session is designed for the defender who has the cloud basics covered but wants to know what they might be missing. Attendees will leave with a clear understanding of these evolved exfiltration paths and most importantly required telemetry and detection ideas.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "QX9JKL", "name": "Tomas Kabrt", "avatar": "https://pretalx.com/media/avatars/QX9JKL_rFBkXbD.webp", "biography": "Tomas is a researcher in the Emerging Threats team focusing on Cloud Threat Intelligence at CrowdStrike. He began his cybersecurity journey during his exchange studies at Aalto University. His career started as a vulnerability and exploit analyst specializing in IPS rule development, then progressed through operational security roles and incident response. Now, returning to research, he focuses exclusively on cloud intrusions and he loves it.", "public_name": "Tomas Kabrt", "guid": "abe2f81c-e974-5f69-93ba-a57a3f565ffd", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/QX9JKL/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/ABKXN7/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/ABKXN7/", "attachments": []}, {"guid": "8bb7107d-82ac-5a7f-a21d-fad122741d4a", "code": "AYMPND", "id": 91186, "logo": null, "date": "2026-05-07T14:50:00+02:00", "start": "14:50", "duration": "00:30", "room": "Workshops and Stage - Design Space (C1.05.12)", "slug": "bsidesluxembourg-2026-91186-cloud-sovereignty", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/AYMPND/", "title": "Cloud Sovereignty", "subtitle": "", "track": "Cloud track", "type": "Talk", "language": "en", "abstract": "Presentation on why cloud sovereignty has become a board-level strategic issue, touching on foreign interference, platform lock-in, tech dependency, and the critical insight that not all cloud models are equal.\r\n\t\u2022\tWhy sovereignty, autonomy, and resilience are 
executive-level concerns (regulatory mandates, legal exposure, operational continuity)\r\n\t\u2022\tThe triple threat landscape (foreign interference via US CLOUD Act, platform lock-in costs, tech dependency risks)\r\n\t\u2022\tHow the guide helps governments and critical organizations with risk mitigation frameworks and compliance mapping\r\n\t\u2022\tTwo sovereign cloud operating models (Full EU Isolation vs. Guardrail Sovereign)\r\n\t\u2022\tStrategic alignment matrix showing how different cloud models match organizational needs\r\n\t\u2022\tEU regulatory context (DORA, NIS2, EU Data Act, upcoming Cloud & AI Act)\r\n\t\u2022\tTechnical controls and implementation priorities", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "JKH9FX", "name": "Catalin Tiganila", "avatar": "https://pretalx.com/media/avatars/JKH9FX_tejIWJS.webp", "biography": "I am a cybersecurity consultant and auditor with experience in Information Security, Cyber Security, Cloud Security, IT Governance, IT Risk Management, IT Compliance, IT Audit and in Data Privacy. 
\r\n\r\nWith more than 25 years practice in delivering advisory and audit engagements, as part of several consulting firms, I delivered numerous projects as part of international teams in different geographies  covering a wide range services in diverse industries: finance and banking, technology, telecommunication, start-ups, energy, healthcare, retail and manufacturing.", "public_name": "Catalin Tiganila", "guid": "a1cebc61-12a5-566f-a405-60150bc2d3c7", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/JKH9FX/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/AYMPND/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/AYMPND/", "attachments": []}, {"guid": "a8b05598-7118-5143-9370-ab575a7e60bd", "code": "YH7DVE", "id": 85027, "logo": null, "date": "2026-05-07T15:40:00+02:00", "start": "15:40", "duration": "00:40", "room": "Workshops and Stage - Design Space (C1.05.12)", "slug": "bsidesluxembourg-2026-85027-leaky-api-keys-log-tampering-and-account-takeover", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/YH7DVE/", "title": "Leaky API Keys, Log Tampering, and Account Takeover", "subtitle": "", "track": "Cloud track", "type": "Talk", "language": "en", "abstract": "The talk will cover common techniques to upload client-side logs to AWS S3 buckets, integrations with third-party database services like Supabase, and server technologies commonly used for financial data processing, all of which result in leaked API keys when misconfigured.  Three distinct vulnerabilities will be demonstrated, each showcasing different variations of the core anti-patterns in multiple contexts. Attendees can expect to receive a structured framework for understanding how these flaws manifest across different technologies. The session will conclude with a comprehensive discussion of targeted fixes that address the root causes of the anti-pattern. 
It will move beyond surface-level patches to implement architectural solutions that prevent entire classes of similar vulnerabilities. These remediation strategies will include both immediate tactical fixes and longer-term architectural improvements that strengthen overall system security posture.", "description": "The talk will cover common techniques to upload client-side logs to AWS S3 buckets, integrations with third-party database services like Supabase, and server technologies commonly used for financial data processing, all of which result in leaked API keys when misconfigured.  Three distinct vulnerabilities will be demonstrated, each showcasing different variations of the core anti-patterns in multiple contexts. Attendees can expect to receive a structured framework for understanding how these flaws manifest across different technologies. The session will conclude with a comprehensive discussion of targeted fixes that address the root causes of the anti-pattern. It will move beyond surface-level patches to implement architectural solutions that prevent entire classes of similar vulnerabilities. These remediation strategies will include both immediate tactical fixes and longer-term architectural improvements that strengthen overall system security posture.", "recording_license": "", "do_not_record": false, "persons": [{"code": "TSNM7K", "name": "Aleksa Zatezalo", "avatar": "https://pretalx.com/media/avatars/TSNM7K_XL6zT0t.webp", "biography": "Aleksa is a passionate security engineer, software developer, and aspiring open sorcerer. He enjoys writing and publishing software that provides elegant solutions to offensive security problems. He has contributed to multiple projects, including Metasploit. In April of 2022, Aleksa graduated from the University of Toronto with a bachelor\u2019s degree in computer science and a Certificate of Ethical Hacking (CEHv10). He began working as a Cloud Security consultant and hacker. 
He also began attending Defcon as an attendee and a volunteer for the Blue Team Village (BTV). One of Aleksa\u2019s fondest cybersecurity memories is playing the Pros Versus Joes CTF during BSides Las Vegas. By April 2024, Aleksa had obtained his OSCP and begun working as a security engineer at Praetorian. He is currently pursuing his OSCE3. He enjoys Brazilian Jiu-Jitsu, running long distances, and reading in his free time. He currently holds a blue belt in Brazilian Jiu-Jitsu. The book Mastery by Robert Greene is a big inspiration for Aleksa.", "public_name": "Aleksa Zatezalo", "guid": "4222d2f8-8a70-52fb-9582-0560c77b2eea", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/TSNM7K/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/YH7DVE/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/YH7DVE/", "attachments": []}, {"guid": "eae5a9f3-17f8-5687-aa4c-961aa351b19b", "code": "VEEKAR", "id": 97341, "logo": null, "date": "2026-05-07T16:20:00+02:00", "start": "16:20", "duration": "00:40", "room": "Workshops and Stage - Design Space (C1.05.12)", "slug": "bsidesluxembourg-2026-97341-infostealer-emulation-validating-detection-of-credential-theft", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/VEEKAR/", "title": "Infostealer Emulation: Validating Detection of Credential Theft", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "Infostealers silently harvest credentials, cookies, and sensitive data. This session demonstrates how to emulate infostealer behavior (browser data theft, keylogging, clipboard monitoring, credential dumping) to validate whether your endpoint controls, DLP, and network monitoring would detect the theft and exfiltration. 
Learn to test your defenses against one of the most prevalent and damaging threat categories.", "description": "Outline:\r\n\r\nIntroduction: The Infostealer Epidemic \r\nInfostealer TTPs (8 min)\r\nBrowser data, keylogging, clipboard, LSASS\r\nDEMO: Browser Credential Theft Emulation (12 min)\r\nDEMO: Keylogger Simulation (8 min)\r\nDEMO: Credential Dumping (LSASS Access) (10 min)\r\nDLP & Network Monitoring Validation (7 min)\r\nQ&A (5 min)", "recording_license": "", "do_not_record": false, "persons": [{"code": "UFEVPR", "name": "Filipi Pires", "avatar": "https://pretalx.com/media/avatars/UFEVPR_Q6uWWdh.webp", "biography": "I\u2019ve been working as Head of Technical Advocacy at SCYTHE, Founder & Investor at Cross Intelligence, BSides Porto Organizer, Red Team Village Director (DEF CON), Senior Advisor Raices Cyber Academy, Founder of Red Team Community (Brazil and LATAM),  AWS Community Builder, Snyk Ambassador, Application Security Specialist and Hacking is NOT a crime Advocate. International Speaker at Security and New technologies events in many countries such as US (Black Hat & Defcon), Canada, France, Spain, Germany, Poland, Black Hat MEA - Middle-East - and others, I\u2019ve served as University Professor in Master Degree in Portugal, Graduation and MBA courses at Brazilian colleges, in addition, I'm Creator and Instructor of the Course - Malware Attack Types with Kill Chain Methodology (PentestMagazine), PowerShell and Windows for Red Teamers(PentestMagazine) and Malware Analysis - Fundamentals (HackerSec).", "public_name": "Filipi Pires", "guid": "f46dcde4-d4c8-5594-ada4-c0b9c6ae1bba", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/UFEVPR/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/VEEKAR/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/VEEKAR/", "attachments": []}], "Workshops and Stage - Gernsback (C1.05.02)": [{"guid": "dc360cd8-9e54-5ef8-8a99-7ff323ec55e3", "code": "SWS9NQ", 
"id": 86943, "logo": "https://pretalx.com/media/bsidesluxembourg-2026/submissions/SWS9NQ/Mihai_tutulan_sbKCxnc.webp", "date": "2026-05-07T10:35:00+02:00", "start": "10:35", "duration": "00:40", "room": "Workshops and Stage - Gernsback (C1.05.02)", "slug": "bsidesluxembourg-2026-86943-unraveling-failure-lessons-from-an-avoidable-ransomware-attack", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/SWS9NQ/", "title": "Unraveling Failure - Lessons from an Avoidable Ransomware\u00a0Attack", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "A real-world ransomware attack on a non-IT company where cybersecurity wasn\u2019t a priority. Learn how incident management and business continuity collapsed under pressure, what really happens during an attack, and the lessons leaders must learn, shared from real cases presented at BSides", "description": "Ransomware is no longer an abstract IT risk; it is an operational crisis. This talk presents a real-life ransomware attack against a large, non-IT industrial company where cybersecurity was not considered a business priority.\r\n\r\nThrough a chronological breakdown of the incident, we explore how a single phishing email escalated into a full IT blackout, shutting down operations, disrupting production, and paralyzing the business for months. 
The session focuses on incident management under pressure and the failure and rebuilding of the Business Continuity Plan.\r\n\r\nAttendees will gain an inside view of:\r\n\r\nWhat actually happens during a ransomware attack, beyond theory and frameworks\r\nHow organizational mindset and management decisions amplify impact\r\nWhy missing \u201cbasic\u201d security controls turns incidents into disasters\r\nPractical lessons learned during recovery and transformation\r\nThis talk is based on a real case, previously presented at BSides Chi\u0219in\u0103u and BSides Cluj(you can have feedback from the organizers if needed), and is aimed at both technical and non-technical audiences who want to understand ransomware from a business-impact perspective not just a technical one.", "recording_license": "", "do_not_record": false, "persons": [{"code": "YJ7LTM", "name": "Mihai Tutulan", "avatar": "https://pretalx.com/media/avatars/YJ7LTM_5GOJ4QD.webp", "biography": "Senior Cybersecurity Consultant with over 15 years of experience leading strategic security initiatives across global organizations. I am specialized  in aligning cybersecurity governance with business objectives, ensuring compliance, managing risk, and enabling secure innovation. My expertise includes security architecture, regulatory frameworks (ISO 27001, GDPR, NIS2, DORA), and cross-regional project management. I have successfully delivered high-impact programs, audits, and policy frameworks in collaboration with teams from Europe, North America, and Asia. 
I am also an active member of the local cybersecurity community.", "public_name": "Mihai Tutulan", "guid": "1d8a138c-d3a9-5200-bd67-7ac259533ade", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/YJ7LTM/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/SWS9NQ/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/SWS9NQ/", "attachments": []}, {"guid": "2e09391c-6066-5d9a-97a6-570af2ce756b", "code": "E7WLHY", "id": 90398, "logo": null, "date": "2026-05-07T11:20:00+02:00", "start": "11:20", "duration": "00:40", "room": "Workshops and Stage - Gernsback (C1.05.02)", "slug": "bsidesluxembourg-2026-90398-from-can-frames-to-corporate-firewalls-life-of-an-automotive-security-researcher", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/E7WLHY/", "title": "From CAN Frames to Corporate Firewalls: Life of an Automotive Security Researcher", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "Modern vehicles are no longer just mechanical machines\u2014they are complex distributed systems with hundreds of electronic control units, multiple networks, and cloud-connected devices. In this talk, I will share the daily challenges of working as an automotive cybersecurity researcher and how real-world constraints shape security research in the automotive industry.\r\n\r\nI will begin with a brief introduction to my role as a security researcher. My work involves analyzing vehicle hardware, telematics systems, IoT modules, and embedded firmware to identify vulnerabilities before attackers do. Unlike traditional IT security, automotive security requires deep knowledge of hardware, embedded systems, radio protocols, and real-time system constraints.\r\n\r\nA key part of this talk will focus on automotive communication networks and interfaces. 
I will explain how in-vehicle networks operate, why security is challenging to implement, and how attackers can exploit weaknesses through message manipulation, spoofing, and denial-of-service techniques. I will also cover interfaces such as UART, JTAG, Bluetooth, cellular modules, and diagnostic ports, highlighting how each interface expands the attack surface.", "description": "One major challenge in automotive security is that hardware changes are often restricted due to cost, certification, and production constraints. As a result, many security mitigations must be implemented at the firmware or software level.\r\nReal-world case studies will be shared to demonstrate how fraud and attacks occur in connected vehicle ecosystems, including device spoofing, firmware tampering, GPS manipulation, and backend abuse. In manufacturing environments, even short security incidents can halt production lines, causing significant financial impact, highlighting why automotive cybersecurity is critical infrastructure protection.\r\n\r\nI will also reflect on the difference between being a hardware hacker and working in corporate security environments where responsible disclosure, risk management, and compliance are essential alongside technical skills.", "recording_license": "", "do_not_record": false, "persons": [{"code": "9P3NMD", "name": "Hrishikesh Somchatwar", "avatar": "https://pretalx.com/media/avatars/9P3NMD_vzxC3Jy.webp", "biography": "Hrishikesh Somchatwar (@StorytelnHacker) is an independent security researcher, bestselling author, and international speaker known for his deep expertise in hardware and automotive cybersecurity. 
With a passion for uncovering vulnerabilities in embedded systems, he has presented his research at top security conferences worldwide, including SCSA Georgia, Defcamp Romania, SecurityFest Sweden, DeepSec Austria, Bsides Delhi & Ahmedabad, Hackfest Canada, and c0c0n Kochi.\r\n\r\nBeyond cybersecurity, Hrishikesh runs The StorytellingHacker Podcasts, where he shares insights on hacking, security, and storytelling. His thought leadership extends to his engaging Twitter presence, where he discusses cutting-edge security topics.\r\n\r\nIn his free time, he explores Vedic Astrology (Jyotisa), blending ancient wisdom with modern problem-solving. Whether on stage, in a podcast, or through his writing, Hrishikesh brings a unique perspective\u2014merging technical depth with the art of storytelling.", "public_name": "Hrishikesh Somchatwar", "guid": "e13dc7e7-fc39-5b43-b807-b027e781a323", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/9P3NMD/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/E7WLHY/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/E7WLHY/", "attachments": []}, {"guid": "aac27f9e-bc4f-5b4d-860e-5bb1767ec747", "code": "LW9DDS", "id": 95336, "logo": null, "date": "2026-05-07T13:30:00+02:00", "start": "13:30", "duration": "00:40", "room": "Workshops and Stage - Gernsback (C1.05.02)", "slug": "bsidesluxembourg-2026-95336-trust-and-traceability-developer-observability-in-the-ai-powered-sdlc", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/LW9DDS/", "title": "Trust and Traceability : developer observability in the AI powered SDLC", "subtitle": "", "track": "Secure Development track", "type": "Talk", "language": "en", "abstract": "Trust and Traceability: Developer Observability in the AI-Powered SDLC \r\n\r\nSafeguarding the enterprise with superior AI risk governance \r\n\r\nIt has been over three years since AI coding tools first landed, and in 2026, more than three-quarters of developers 
are using them in their workflows... with or without the knowledge and blessing of the AppSec team. Rumors of developers being replaced entirely have been exaggerated, but crucially, the use of AI in enterprise environments has further uncovered the significant security skills gap that exists among them as they struggle to identify and mitigate vulnerable, AI-generated code. \r\n\r\nSecurity programs must evolve rapidly to reduce this emerging threat vector, but many CISOs lack the necessary data and insights to effectively empower their development cohorts. With AI coding tools touted as both a blessing and a curse for development and software security, there is no better time to ensure the enterprise security program is not just updated to accommodate the increased attack surface, but also actively optimized for SDLC efficiency and cyber defense. \r\n\r\nWorld-class security leaders must rise to the occasion and lead proactive security programs that utilize the right tech stack and strategy to manage developer risk through high observability of their security skills, as well as the security efficacy of their AI technology stack. Developers have immense potential to be central to a defensive security strategy, and they can be empowered with the right knowledge to transform their approach to coding and adopt a security-first mindset. 
This revolution is vital as the use of AI coding tools grows, and critical thinking from the developer is a must to deploy them safely in their workflow.\r\n\r\nBased on AI experiments and key research with CISOs, the presentation reveals the critical pathways security leaders can take to execute incredible developer-focused training programs that reduce risk, shift negative security sentiment in the development cohort, and safely adapt AI technology with precision governance, including:\r\n\r\n    Understanding comparisons between AI and human coding, what works, and what can affect enterprise security maturity.\r\n    Navigating AI data quality issues and establishing safe pair programming with unprecedented developer observability.\r\n    Developer upskilling, including benchmarking and growing key security skills with knowledge and governance that leads to better risk mitigation.\r\n    How to establish a skills baseline among developers, and grow relevant competency quickly.\r\n    The pitfalls of AI vulnerability detection, and the skillset your developers must master to overcome hallucination, insecure code generation and misconfiguration.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "QZKBNJ", "name": "Omar Rachid", "avatar": null, "biography": "Application Security Engineer with over 10 years of experience, I help organizations embed security at the core of their software development lifecycle. 
With a background in software engineering, I bring a pragmatic and hands-on approach to bridging the gap between development, security, and DevOps teams.\r\n\r\nToday, my focus lies at the intersection of application security and artificial intelligence, where I explore how to securely adopt AI-driven technologies while managing emerging risks and ensuring resilient, secure systems.", "public_name": "Omar Rachid", "guid": "fe6b9bec-4464-51f4-abe8-bf561310c137", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/QZKBNJ/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/LW9DDS/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/LW9DDS/", "attachments": []}, {"guid": "c51f3ee8-014c-51e3-911a-c2f08555a2f0", "code": "XMJTXP", "id": 85262, "logo": null, "date": "2026-05-07T14:10:00+02:00", "start": "14:10", "duration": "00:35", "room": "Workshops and Stage - Gernsback (C1.05.02)", "slug": "bsidesluxembourg-2026-85262-managing-uninvited-guests-securing-open-source-dependencies", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/XMJTXP/", "title": "Managing Uninvited Guests: Securing Open Source Dependencies", "subtitle": "", "track": "Secure Development track", "type": "Talk", "language": "en", "abstract": "Open source software is the ultimate neighborhood party\u2014doors open, music playing, people bringing their best dishes (or code). Projects grow fast, the energy is contagious, and everyone benefits from the collective creativity. But in every good party, there\u2019s risk: the friend-of-a-friend-of-a-friend who slips in unnoticed, doesn\u2019t follow the house rules, and eventually leaves you with a hole in the drywall.\r\n\r\nIn the open source world, that\u2019s dependency hell. It starts with a package you trust\u2014but that package has its own dependencies, which have their own dependencies, and somewhere deep in that chain lurks outdated, vulnerable, or even malicious code. 
You didn\u2019t invite it, you don\u2019t know it\u2019s there, but it\u2019s living in your codebase rent-free. And attackers love this\u2014because if they compromise just one small link in that long chain, they can crash your entire project.\r\n\r\nIn this session, we\u2019ll dig into the messy reality of dependency hell and its role in software supply chain security incidents. We\u2019ll examine real-world examples where hidden or neglected dependencies became the entry point for compromise, from typosquatting attacks to maintainer account takeovers. We\u2019ll explore why it\u2019s not just about malicious intent\u2014sometimes the \u201cbad guest\u201d is simply an abandoned project with known CVEs that no one bothered to patch.", "description": "Open source is like a house party\u2014everyone\u2019s invited. But dependency hell is that friend-of-a-friend-of-a-friend who puts a hole in the wall. One rogue package can take down your whole project. Learn how to spot and block unwanted guests before they trash your software supply chain.", "recording_license": "", "do_not_record": false, "persons": [{"code": "CKHUTC", "name": "Kadi McKean", "avatar": "https://pretalx.com/media/avatars/CKHUTC_fgSIsTP.webp", "biography": "At ReversingLabs, I work with customers and partners across Europe to implement scalable, intelligence-driven solutions that address the growing challenges of modern software development and supply-chain integrity. My work covers areas such as Software Bill of Materials (SBOM) management, malware analysis, and advanced file and binary inspection.\r\nI\u2019m passionate about translating complex cybersecurity topics into clear, actionable strategies that align with business goals. I focus on turning cybersecurity from a reactive defense into a proactive enabler of innovation. 
I also enjoy engaging in conversations about the evolving threat landscape, the future of software trust, and how automation and AI can strengthen cyber defense.\r\nMy goal is to help organizations build not just safer software, but stronger security cultures, where transparency, collaboration, and continuous improvement are at the center of every initiative.", "public_name": "Kadi McKean", "guid": "30acdb3a-ef84-5739-b05f-8c4c3653f40d", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/CKHUTC/"}, {"code": "AGTJWH", "name": "Frithjof Hoffmann", "avatar": "https://pretalx.com/media/avatars/AGTJWH_mCJf9Ke.webp", "biography": "I\u2019m a technical sales engineer and cybersecurity professional specializing in software supply-chain security, threat intelligence, and risk management. Based in Moormerland, Germany, I combine deep technical expertise with a strategic, customer-focused approach to help organizations gain visibility, reduce risk, and strengthen resilience across their software ecosystems.\r\nAt ReversingLabs, I work with customers and partners across Europe to implement scalable, intelligence-driven solutions that address the growing challenges of modern software development and supply-chain integrity. My work covers areas such as Software Bill of Materials (SBOM) management, malware analysis, and advanced file and binary inspection.\r\nI\u2019m passionate about translating complex cybersecurity topics into clear, actionable strategies that align with business goals. I focus on turning cybersecurity from a reactive defense into a proactive enabler of innovation. 
I also enjoy engaging in conversations about the evolving threat landscape, the future of software trust, and how automation and AI can strengthen cyber defense.\r\nMy goal is to help organizations build not just safer software, but stronger security cultures, where transparency, collaboration, and continuous improvement are at the center of every initiative.", "public_name": "Frithjof Hoffmann", "guid": "0b5d0a38-e375-5e20-8da6-bffd22e1350c", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/AGTJWH/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/XMJTXP/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/XMJTXP/", "attachments": []}, {"guid": "738a9faf-b737-5c4d-9b61-9acafc931562", "code": "WDFHHV", "id": 92007, "logo": null, "date": "2026-05-07T14:45:00+02:00", "start": "14:45", "duration": "00:35", "room": "Workshops and Stage - Gernsback (C1.05.02)", "slug": "bsidesluxembourg-2026-92007-when-filenames-become-attack-surfaces-weaponizing-nasa-s-cfitsio-extended-filename-syntax", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/WDFHHV/", "title": "When Filenames Become Attack Surfaces: Weaponizing NASA\u2019s CFITSIO Extended Filename Syntax", "subtitle": "", "track": "Secure Development track", "type": "Talk", "language": "en", "abstract": "CFITSIO is a NASA-maintained library widely used for reading and writing FITS (Flexible Image Transport System) data across astronomy, astrophotography, and scientific software. The raw data behind the stunning images from Hubble and Webb telescopes \u2014 and even from casual backyard observatories \u2014 is stored in FITS format. CFITSIO is often embedded deep inside larger applications and services. 
One of its core features, **Extended Filename Syntax (EFS)**, turns what appears to be a simple filename into a powerful **mini-language** supporting virtual files, filtering, filesystem interaction, and network access.\r\n\r\nThis talk presents original security research into CFITSIO\u2019s Extended Filename Syntax and shows how it quietly expands the attack surface of applications that rely on default CFITSIO APIs. I will demonstrate how EFS can be abused to enable multiple high-impact security primitives, including arbitrary file operations, server-side request forgery, protocol-level manipulation, and unintended data exposure.\r\n\r\nThese issues are not classic memory corruption bugs, but abuses of legitimate, documented features that are enabled by default and inherited by third-party software without explicit awareness or threat modeling. This research builds on earlier CFITSIO vulnerabilities I previously reported and highlights how feature-rich parsing logic can turn filenames into a **supply-chain attack surface**.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "H33WTZ", "name": "Adrian Denkiewicz", "avatar": "https://pretalx.com/media/avatars/TXD8FT_2IODVzG.webp", "biography": "Adrian has worked as an Offensive Security Expert, Penetration Tester, and Software Developer in financial, e-commerce, and semiconductor companies. Eventually, he became full-time security consultant working with experts from different industries and people from all around the world. His experience ranges from attacking complex applications, through sophisticated red teaming exercises, to exploiting internals of operating systems. 
Currently working as Staff Application Engineer at Doyensec.", "public_name": "Adrian Denkiewicz", "guid": "68bf68db-37c1-5431-b0b0-b8b178c77aac", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/H33WTZ/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/WDFHHV/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/WDFHHV/", "attachments": []}, {"guid": "1ef6c0da-0d0e-5a78-8351-1383a4f37d2c", "code": "7HCSG3", "id": 89382, "logo": null, "date": "2026-05-07T15:40:00+02:00", "start": "15:40", "duration": "00:40", "room": "Workshops and Stage - Gernsback (C1.05.02)", "slug": "bsidesluxembourg-2026-89382-out-of-security-exception-what-to-do-without-an-expert-to-secure-your-software", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/7HCSG3/", "title": "Out of Security Exception - What to Do Without an Expert to Secure Your Software", "subtitle": "", "track": "Secure Development track", "type": "Talk", "language": "en", "abstract": "\u201cWe requested a review from security a month ago and there\u2019s no feedback.\u201d Does this sound familiar to you? Maybe you\u2019ve heard that your security team is occupied with other tasks that are \u201chigher priority\u201d and your product is just not. \u201cNothing we can do, security is an expert\u2019s job.\u201d Or maybe you simply don\u2019t have any dedicated security team in your company. So, your hands are bound and you can\u2019t do anything anyways, right? \r\n\r\nWhat if you could, though? What if you could do a lot more than you might think to make your software more secure? What if you could save time and effort by taking security into your own hands?\r\n\r\nIn this talk, we\u2019ll go through several activities that you might already do right now, and demonstrate how you can shape these to improve your product\u2019s security posture. 
Let\u2019s take a few examples: when you\u2019re analyzing the next product changes, you can use threat modeling to also consider potential security issues and hence plan their implementation with security in mind. Collaborating across roles on developing the changes can help you detect security flaws before they make it to production. Investing in maintenance and reducing technical debt will at the same time make your product a less attractive target. When observing production, you can spot malicious actors probing your system enabling you to respond before harm is done.\r\n\r\nIf you apply good software development practices, they help you make your product more secure, and good security practices help you make software that provides more value and less harm. With and without an expert at hand.\r\n\r\nKey learnings:\r\n- Stop waiting for dedicated security experts and start acting yourself\r\n- Understand how good software development practices support security practices and vice versa\r\n- Gain insights on what an engineering team can do themselves to build secure enough products\r\n- Learn how to use this newly found leverage of benefits on all sides when prioritizing which changes and activities to invest in", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "RGVDYJ", "name": "Lisi Hocke", "avatar": "https://pretalx.com/media/avatars/RGVDYJ_AFbc404.webp", "biography": "Lisi found tech as her place to be in 2009 and has grown as a specialized generalist ever since. Building great products that deliver value together with great people motivates her and lets her thrive. As a security engineer, she\u2019s now fully focusing on all things product security to help build more secure solutions. She's committed to testing and quality, passionate about whole-team approaches to increase effectiveness and resilience, and enjoys experimenting and learning continuously. 
Having received a lot from communities, Lisi is paying it forward by sharing her stories and learning in public. She posts on Mastodon as [@lisihocke@mastodon.social](https://mastodon.social/@lisihocke) and blogs at [www.lisihocke.com](https://www.lisihocke.com). In her free time, she plays indoor volleyball or delves into computer games and stories of all kinds.", "public_name": "Lisi Hocke", "guid": "47a09504-2aa3-5b40-86a2-9f071d819974", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/RGVDYJ/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/7HCSG3/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/7HCSG3/", "attachments": []}, {"guid": "b3db2f32-c012-515c-b372-1910e7365a75", "code": "QVEUXA", "id": 94030, "logo": null, "date": "2026-05-07T16:20:00+02:00", "start": "16:20", "duration": "00:40", "room": "Workshops and Stage - Gernsback (C1.05.02)", "slug": "bsidesluxembourg-2026-94030-turnkey-code-enhancing-secrets-management-in-large-scale-organizations", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/QVEUXA/", "title": "Turnkey Code \u2013 Enhancing Secrets Management in Large Scale Organizations", "subtitle": "", "track": "Secure Development track", "type": "Talk", "language": "en", "abstract": "Everyone agrees leaked secrets are dangerous, yet most organizations still struggle to detect, triage, and fix them effectively. Scanners generate noise, developers ignore alerts, and real secrets slip through unnoticed.\r\n\r\nThis talk shares the real-world story of building a turnkey secrets scanning and triage platform from scratch, using and extending open-source tools. Designed for scale, the system focuses on reducing false positives, automating validation, and integrating seamlessly into CI/CD pipelines.\r\n\r\nThrough live demos and practical examples, attendees will see how to turn secrets detection from a checkbox into an actionable security program. 
The session focuses on real engineering decisions, lessons learned, and how the community can reuse these ideas to solve a problem many know exists, but few truly address.", "description": "This session will focus on the implementation, benefits, and challenges of building a scalable, open-source secrets scanning and management platform, designed to tackle a problem that is widely recognized but often ignored. I will start by describing the current state of secrets management in organizations: while most know exposed secrets are a serious risk, few have the processes, tooling, or awareness to handle them effectively. Existing scanners often produce too many false positives, lack context, or fail to integrate seamlessly into developer workflows, leaving teams frustrated and secrets at risk.\r\n\r\nI will explain the motivation for creating Turnkey Code, emphasizing a passion for building practical solutions that are genuinely useful for other security engineers. Rather than buying a commercial tool, we approached the problem as a challenge: how to build a system that scales across repositories, integrates into CI/CD pipelines, and delivers actionable findings without overwhelming developers. I will cover the architecture, including scanning strategies, entropy-based detection, pattern rules, validation logic, and confidence scoring.\r\n\r\nThe session will also include a live demo, showing how the tool scans a real repository, identifies secrets, reduces false positives, and triages findings through dashboards. I will walk through automation workflows, integration with CI/CD, and how teams can track remediation and ownership. 
Throughout the talk, I will share lessons learned from deployment, including adoption hurdles, scaling challenges, and strategies for raising awareness about this underestimated risk.\r\n\r\nAttendees will leave with practical knowledge of secrets management at scale, including actionable techniques, integration strategies, and access to an open-source tool they can use immediately. By sharing our approach, the session aims to raise awareness across the community, provide a repeatable method for handling secrets, and encourage engineers to build solutions that solve real problems.", "recording_license": "", "do_not_record": false, "persons": [{"code": "MJHVWH", "name": "Diogo Lemos", "avatar": "https://pretalx.com/media/avatars/G7CXBJ_Y4PgX0R.webp", "biography": "I am an Application Security Engineer with extensive experience building and operating security tooling at scale. I started my career at Checkmarx, where I worked on security products, and later joined Flutter Entertainment, where I implemented and evolved large-scale AppSec programs. I currently work at OLX, focusing on automation, scalable security tooling, and cloud security. 
I actively contribute to open-source security projects and regularly speak at security conferences including Black Hat MEA, BSides, and BalCCon, with a focus on practical SAST, SECRETS management and SCA implementations.", "public_name": "Diogo Lemos", "guid": "e47a5f3a-a3e5-5fe7-845a-84bedb3f027a", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/MJHVWH/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/QVEUXA/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/QVEUXA/", "attachments": []}, {"guid": "0950e315-d5af-545f-851f-f9f627a8108b", "code": "KRDZWR", "id": 85609, "logo": null, "date": "2026-05-07T17:00:00+02:00", "start": "17:00", "duration": "00:35", "room": "Workshops and Stage - Gernsback (C1.05.02)", "slug": "bsidesluxembourg-2026-85609-the-forgotten-fingerprint-dns-based-osint-techniques-for-product-service-discovery", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/KRDZWR/", "title": "The Forgotten Fingerprint: DNS Based OSINT Techniques for Product & Service Discovery", "subtitle": "", "track": "Secure Development track", "type": "Talk", "language": "en", "abstract": "This talk explores a DNS-based OSINT technique that uncovers hidden services and technology dependencies through large-scale TXT record analysis. Attendees will learn how these overlooked records can reveal valuable insights for both offensive and defensive security, and how to integrate this methodology into existing reconnaissance workflows using tools like Nuclei and OWASP Amass.", "description": "I will present a DNS-based OSINT methodology for uncovering products and services through large-scale TXT record scanning. This previously unpublished approach shows how certain TXT records reveal more than domain ownership or validation details, exposing the presence of third-party services and platforms. 
For example, entries like google-site-verification, MS=msXXXX, or vendor-specific SPF includes can highlight dependencies on Google Workspace, Microsoft 365, or other cloud services.\r\n\r\nBy analysing these records programmatically across large DNS zones, security teams can create detailed maps of an organisation\u2019s technology stack and supply chain affiliations. This intelligence is invaluable for identifying weaknesses and understanding attack paths, providing defenders actionable context while showing the scale of information accessible to attackers.\r\n\r\nI integrated this scanning technique into open-source tools including Nuclei and OWASP Amass. These enhancements let security professionals incorporate TXT record reconnaissance into broader asset discovery workflows, improving the depth and precision of enumeration efforts.\r\n\r\nThis talk features a real-world case study from the August\u2013September 2025 Salesloft breach, where this method identified the Drift service across infrastructure. Attendees will gain practical tactics, reproducible methods, and tooling to strengthen assessments and apply actionable insights in real-world engagements.", "recording_license": "", "do_not_record": true, "persons": [{"code": "BUFJAD", "name": "Rishi (@rxerium)", "avatar": "https://pretalx.com/media/avatars/BUFJAD_qqqayWL.webp", "biography": "Rishi is a London-based security researcher with experience in vulnerability research, threat intelligence, and enterprise risk analysis. His work focuses on identifying zero-day vulnerabilities and emerging CVEs, with a particular interest in building detection logic before threats are publicly weaponised.\r\n\r\nHe works across both offensive and defensive disciplines, developing threat models grounded in real-world TTPs, writing detection rules, and automating reconnaissance to uncover exposed assets at scale. 
Attack surface management and OSINT are areas he keeps coming back to, specifically the challenge of mapping exposure that organisations often don't know exists.\r\n\r\nOutside of his day job, Rishi contributes to open source security tooling through Project Discovery and OWASP, is part of the leadership team of the UK OSINT Community, and occasionally speaks at community events including DEF CON and BSides.", "public_name": "Rishi (@rxerium)", "guid": "4be79509-3cad-5d2b-9d1f-22a7480e5578", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/BUFJAD/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/KRDZWR/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/KRDZWR/", "attachments": []}]}}, {"index": 3, "date": "2026-05-08", "day_start": "2026-05-08T04:00:00+02:00", "day_end": "2026-05-09T03:59:00+02:00", "rooms": {"Atrium (common area)": [{"guid": "e1ccf492-283d-5e9d-810c-e47a9110002f", "code": "3CLCMG", "id": 85198, "logo": null, "date": "2026-05-08T09:00:00+02:00", "start": "09:00", "duration": "03:00", "room": "Atrium (common area)", "slug": "bsidesluxembourg-2026-85198-2-car-hacking-village", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/3CLCMG/", "title": "Car Hacking Village", "subtitle": "", "track": "Villages in Atrium", "type": "Village, 2d (2days x 8h)", "language": "en", "abstract": "The Car Hacking Village offers attendees a hands-on, immersive environment to explore the security of modern vehicles. As cars continue to evolve into complex, connected computer systems, the need to understand their attack surfaces and defensive challenges grows. This village provides a safe and controlled space where participants can learn, experiment, and collaborate on real automotive cybersecurity techniques.", "description": "The village includes a fully equipped setup featuring simulated vehicle networks, CAN bus tooling, instrument clusters, ECUs, and other automotive components. 
Attendees can:\r\n\r\n- Interact with the CAN bus and observe how in-vehicle communication works\r\n- Capture, analyze, and replay automotive network traffic\r\n- Reverse engineer messages sent to various vehicle subsystems\r\n- Craft spoofed signals to manipulate components such as instrument clusters\r\n- Explore common vulnerabilities in today's vehicle architectures\r\n- Learn practical defensive considerations for securing automotive systems\r\n\r\nAll activities are guided and designed to be accessible to beginners while still offering depth for more experienced researchers.", "recording_license": "", "do_not_record": false, "persons": [{"code": "EDEHQ8", "name": "Roald Nefs", "avatar": "https://pretalx.com/media/avatars/EDEHQ8_ubjqIqv.webp", "biography": "Chief Technology Officer at Warpnet, Roald has a broad background in security engineering, platform operations, and IT compliance. He contributes to open-source projects and serves as an organizer of BSides Groningen and BSides Amsterdam.", "public_name": "Roald Nefs", "guid": "2ecd7e62-3c1c-5f2e-a622-b2a2e083836a", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/EDEHQ8/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/3CLCMG/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/3CLCMG/", "attachments": []}, {"guid": "c5ce6e4a-404e-53d5-b296-19fae17d09d7", "code": "3CLCMG", "id": 85198, "logo": null, "date": "2026-05-08T13:30:00+02:00", "start": "13:30", "duration": "04:30", "room": "Atrium (common area)", "slug": "bsidesluxembourg-2026-85198-3-car-hacking-village", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/3CLCMG/", "title": "Car Hacking Village", "subtitle": "", "track": "Villages in Atrium", "type": "Village, 2d (2days x 8h)", "language": "en", "abstract": "The Car Hacking Village offers attendees a hands-on, immersive environment to explore the security of modern vehicles. 
As cars continue to evolve into complex, connected computer systems, the need to understand their attack surfaces and defensive challenges grows. This village provides a safe and controlled space where participants can learn, experiment, and collaborate on real automotive cybersecurity techniques.", "description": "The village includes a fully equipped setup featuring simulated vehicle networks, CAN bus tooling, instrument clusters, ECUs, and other automotive components. Attendees can:\r\n\r\n- Interact with the CAN bus and observe how in-vehicle communication works\r\n- Capture, analyze, and replay automotive network traffic\r\n- Reverse engineer messages sent to various vehicle subsystems\r\n- Craft spoofed signals to manipulate components such as instrument clusters\r\n- Explore common vulnerabilities in today's vehicle architectures\r\n- Learn practical defensive considerations for securing automotive systems\r\n\r\nAll activities are guided and designed to be accessible to beginners while still offering depth for more experienced researchers.", "recording_license": "", "do_not_record": false, "persons": [{"code": "EDEHQ8", "name": "Roald Nefs", "avatar": "https://pretalx.com/media/avatars/EDEHQ8_ubjqIqv.webp", "biography": "Chief Technology Officer at Warpnet, Roald has a broad background in security engineering, platform operations, and IT compliance. 
He contributes to open-source projects and serves as an organizer of BSides Groningen and BSides Amsterdam.", "public_name": "Roald Nefs", "guid": "2ecd7e62-3c1c-5f2e-a622-b2a2e083836a", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/EDEHQ8/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/3CLCMG/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/3CLCMG/", "attachments": []}], "Atrium (common room) 2": [{"guid": "0bc42683-1558-5137-9706-51b928c66cd7", "code": "9FGWWQ", "id": 92182, "logo": null, "date": "2026-05-08T09:00:00+02:00", "start": "09:00", "duration": "03:00", "room": "Atrium (common room) 2", "slug": "bsidesluxembourg-2026-92182-2-lockpicking-village", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/9FGWWQ/", "title": "Lockpicking Village", "subtitle": "", "track": "Villages in Atrium", "type": "Village, 2d (2days x 8h)", "language": "en", "abstract": "Learn or practice your lockpicking skills in the lockpicking village.\r\nExperts say that this has real-life impact, not only to red teamers!", "description": "There will be all sorts of lockpicking equipment available for you to practice, guided by our volunteers.", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/9FGWWQ/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/9FGWWQ/", "attachments": []}, {"guid": "d860f819-c29b-5750-8e57-5856cc07c51b", "code": "9FGWWQ", "id": 92182, "logo": null, "date": "2026-05-08T13:30:00+02:00", "start": "13:30", "duration": "04:30", "room": "Atrium (common room) 2", "slug": "bsidesluxembourg-2026-92182-3-lockpicking-village", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/9FGWWQ/", "title": "Lockpicking Village", "subtitle": "", "track": "Villages in Atrium", "type": "Village, 2d (2days x 8h)", "language": "en", "abstract": "Learn or practice your lockpicking skills in the 
lockpicking village.\r\nExperts say that this has real-life impact, not only to red teamers!", "description": "There will be all sorts of lockpicking equipment available for you to practice, guided by our volunteers.", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/9FGWWQ/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/9FGWWQ/", "attachments": []}], "Main Stage": [{"guid": "62e90198-593e-51b3-ac5e-02799f070b3b", "code": "X33JUT", "id": 96099, "logo": null, "date": "2026-05-08T09:00:00+02:00", "start": "09:00", "duration": "00:40", "room": "Main Stage", "slug": "bsidesluxembourg-2026-96099-killing-killnet", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/X33JUT/", "title": "Killing Killnet", "subtitle": "", "track": null, "type": "KEYNOTE", "language": "en", "abstract": "Killnet built its reputation as a decentralized Russian hacktivist force - loud, chaotic, and conveniently aligned with Kremlin objectives. But under the surface, it was something else entirely: a centralized operation controlled by a small group, using noise and hate as cover.\r\n\r\nThis is the inside story of how a team of just nine people delivered a kill shot to destroy this illusion.\r\n\r\nThrough targeted investigation and direct engagement, we exposed Killnet\u2019s critical weakness: a financial link to Solaris, at that time, one of Russia\u2019s largest dark web drug markets. By publicly tying their operations to organized cybercrime - we disrupted their narrative, broke internal trust, and triggered full collapse. The result? Loss of state support, severed financial channels, and a rapid implosion of the group\u2019s infrastructure.\r\n\r\nWe\u2019ll walk through how we tracked Killnet\u2019s leadership, exposed its frontman \u201cKillMilk,\u201d and uncovered the criminal network behind the public facade. 
Along the way, you\u2019ll get a firsthand look at the real tactics - OSINT, infiltration, pressure points - that brought down one of the most visible cyber collectives.\r\n\r\nThis isn\u2019t just a postmortem. It\u2019s a case study in strategic disruption, showing how small teams can go head-to-head with well-funded adversaries - and win.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "CPAF8T", "name": "Alex Holden", "avatar": "https://pretalx.com/media/avatars/SQ7VXR_h7pax1Y.webp", "biography": "Alex Holden is the founder and CISO of Hold Security, LLC. Under his leadership, Hold Security played a pivotal role in information security and threat intelligence, becoming one of the most recognizable names in its field. Mr. Holden researches minds and techniques of cyber criminals and helps our society to build better defenses against cyber-attacks.", "public_name": "Alex Holden", "guid": "463d55c4-3cc3-5172-828f-420afeb33a08", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/CPAF8T/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/X33JUT/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/X33JUT/", "attachments": []}, {"guid": "3585bfa8-6774-51b7-b45e-89a01f7073a3", "code": "89DT9B", "id": 96226, "logo": null, "date": "2026-05-08T09:40:00+02:00", "start": "09:40", "duration": "00:40", "room": "Main Stage", "slug": "bsidesluxembourg-2026-96226-building-a-mythos-ready-security-program", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/89DT9B/", "title": "Building a \"Mythos-ready\" Security Program", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "The briefing introduces a framework for organizational response organized across three time horizons, structured around five critical risks, seven high risks, and one medium risk. 
The framework defines 11 priority actions: Immediate (this week), Near-term (30-90 days), Strategic (6-12 months)\r\n\r\nBeing \"Mythos-ready\" does not mean reacting to one model or one announcement. It means permanently closing the gap between how fast vulnerabilities are found and how fast an organization can respond. The same AI capabilities that create this risk also create defensive opportunity: organizations can now find their own weaknesses before attackers do, review code at machine speed, and respond to incidents faster than any human team.\r\n\r\nThe industry has navigated systemic, hard-deadline threats before. Y2K required coordinated, disciplined effort \u2014 and the industry met it. The tools available to defenders today are substantially more powerful. Every action in this framework can begin this week.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "JKH9FX", "name": "Catalin Tiganila", "avatar": "https://pretalx.com/media/avatars/JKH9FX_tejIWJS.webp", "biography": "I am a cybersecurity consultant and auditor with experience in Information Security, Cyber Security, Cloud Security, IT Governance, IT Risk Management, IT Compliance, IT Audit and in Data Privacy. 
\r\n\r\nWith more than 25 years practice in delivering advisory and audit engagements, as part of several consulting firms, I delivered numerous projects as part of international teams in different geographies  covering a wide range services in diverse industries: finance and banking, technology, telecommunication, start-ups, energy, healthcare, retail and manufacturing.", "public_name": "Catalin Tiganila", "guid": "a1cebc61-12a5-566f-a405-60150bc2d3c7", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/JKH9FX/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/89DT9B/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/89DT9B/", "attachments": []}, {"guid": "ad0e6590-b3b2-5a59-8418-424b8cbede6e", "code": "DGHXCG", "id": 92597, "logo": null, "date": "2026-05-08T10:40:00+02:00", "start": "10:40", "duration": "00:40", "room": "Main Stage", "slug": "bsidesluxembourg-2026-92597-why-i-go-to-the-dark-web-every-day", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/DGHXCG/", "title": "Why I Go to the Dark Web Every Day", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "The Dark Web is a scary place. In order to deter the cybercrime, I feel confident exploring its dangerous grounds and know well how to use the Dark Web to defend the victims. I want to invite you on this journey of venturing far beyond your defense perimeter, where cyber criminals are just planning their attacks, and teach you how you can use this knowledge as defensive skills to prevent attacks from happening in the first place.", "description": "What do you need to know before going on the Dark Web? 
Preparation for the journey is not only technical skills but understanding of the Dark Web dynamics, linguistics, and social engineering.\r\nFilled with practical examples of real-time exploitation of the threat actors on the Dark Web, we define a problem and start our journey.\r\n\r\nAs we travel along, we will identify meta-types of threat actors and actresses which we might encounter, discussing each type skills and threat types. How to approach each one of them without giving yourself away. What are possible gains and pitfalls? What drove these individuals to infamy and how their misdeeds changed the threat landscape forever.\r\n\r\nFinally, the lessons \u2013 know your enemy. Know your enemy's weapons. Stop the threat actor = stop the crime.", "recording_license": "", "do_not_record": false, "persons": [{"code": "CPAF8T", "name": "Alex Holden", "avatar": "https://pretalx.com/media/avatars/SQ7VXR_h7pax1Y.webp", "biography": "Alex Holden is the founder and CISO of Hold Security, LLC. Under his leadership, Hold Security played a pivotal role in information security and threat intelligence, becoming one of the most recognizable names in its field. Mr. 
Holden researches minds and techniques of cyber criminals and helps our society to build better defenses against cyber-attacks.", "public_name": "Alex Holden", "guid": "463d55c4-3cc3-5172-828f-420afeb33a08", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/CPAF8T/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/DGHXCG/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/DGHXCG/", "attachments": []}, {"guid": "1e1dec0a-3870-53d8-b696-4cca6ca1f5be", "code": "UHLYXM", "id": 89633, "logo": null, "date": "2026-05-08T11:20:00+02:00", "start": "11:20", "duration": "00:40", "room": "Main Stage", "slug": "bsidesluxembourg-2026-89633-confound-and-delay-honeypot-chronicles-from-the-digital-battlefield", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/UHLYXM/", "title": "Confound and Delay: Honeypot Chronicles from the Digital Battlefield", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "Embark on a whirlwind tour of global cyber deception with a seasoned(?) security engineer who's been running honeypots in some of the world's most intriguing locales, including the bustling digital battleground of Ukraine. This talk will blend humor and hard-won wisdom to reveal the lessons learned from deploying, customizing, and maintaining honeypots across diverse environments. Participants will enjoy a lively narrative filled with tales of cyber trickery, cultural quirks, and the occasional mishap, all while gaining actionable insights into enhancing their own security strategies.", "description": "Imagine being a digital beekeeper, setting up traps for cyber threats in some of the most unexpected places around the globe, from the frosty landscapes of Ukraine to the bustling tech hubs of Tokyo. Over the years, I\u2019ve had the peculiar pleasure of watching bad actors stumble into these traps, often with the same grace as a bull in a china shop. 
This talk is less about the \u201chow\u201d and more about the \u201cwhat-the-heck-just-happened\u201d moments that have made this journey unforgettable. Buckle up for a rollercoaster ride through the wild world of global honeypots, where every server tells a story, and sometimes, that story is downright hilarious.\r\n\r\nIntroduction: Setting the Scene\r\n- Brief overview of honeypots and their purpose in cybersecurity.\r\n- Introduction to me: a globe-trotting security engineer with a knack for storytelling and a passion for cyber deception.\r\n- A quick teaser of the countries covered.\r\n\r\nThe Global Honeypot Experience\r\n- A World Tour of Cyber Threats:\r\n- Overview of the countries where honeypots were deployed.\r\n- Brief anecdotes about the unique cyber threats and attack patterns observed in each location.\r\n- Cultural and Environmental Considerations:\r\n- How local culture and internet infrastructure impact honeypot deployment.\r\n- Humorous tales of language barriers, time zone mix-ups, and unexpected technical challenges.\r\n\r\nCustomizing Honeypots for Different Environments\r\n- One Size Does Not Fit All:\r\n- Detailed examples of how honeypots were tailored to mimic local systems and applications.\r\n- Creative tweaks and customizations that improved effectiveness.\r\n- Lessons from the Field:\r\n- Success stories and failures that provided valuable insights.\r\n- Practical tips for customizing honeypots in various environments.\r\n\r\nOperational Challenges and Triumphs\r\n- Keeping the Honeypots Buzzing:\r\n- Maintenance and monitoring strategies that worked (and those that didn\u2019t).\r\n- Tools and technologies that proved invaluable.\r\n- Handling the Unexpected:\r\n- Funny and frustrating incidents, from unexpected downtime to bizarre attack vectors.\r\n- Lessons on resilience and adaptability.\r\n\r\nAnalyzing and Responding to Attacks\r\n- From Data to Defense:\r\n- How the data collected from honeypots informed broader security 
strategies.\r\n- Real-life examples of attacks thwarted thanks to honeypot intelligence.\r\n- The Human Element:\r\n- Stories of interacting with curious researchers, bemused sysadmins, and relentless attackers.\r\n- The importance of community and collaboration in the cybersecurity landscape.\r\n\r\nKey Takeaways and Future Directions\r\n- Summing Up:\r\n- Recap of the most important lessons learned from the global honeypot project.\r\n- Actionable advice for those looking to implement or enhance their own honeypot strategies.\r\n- Looking Ahead:\r\n- Emerging trends in cyber deception and honeypot technology.\r\n- Exciting new challenges and opportunities on the horizon.", "recording_license": "", "do_not_record": true, "persons": [{"code": "HNWSNB", "name": "Kat Fitzgerald", "avatar": "https://pretalx.com/media/avatars/HNWSNB_39r2Z7c.webp", "biography": "Chicago-based (But soon Porto!) and proudly a natural creature of winter, I thrive on snow, OSS, and just the right amount of chaos. Whether sipping Grand Mayan Extra A\u00f1ejo or warding off cyber threats with a mix of honeypots, magic spells, and a very opinionated flamingo named Sasha (the BSidesChicago.org mascot), I keep things interesting. 
Honeypots and refrigerators rank among my favorite things\u2014though my neighbors would likely disagree.", "public_name": "Kat Fitzgerald", "guid": "79255541-f25c-5e4f-b308-95a4c75868b9", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/HNWSNB/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/UHLYXM/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/UHLYXM/", "attachments": []}, {"guid": "bd361656-349b-5a3a-a18e-6417b1205756", "code": "MZLG9S", "id": 96304, "logo": null, "date": "2026-05-08T13:30:00+02:00", "start": "13:30", "duration": "00:10", "room": "Main Stage", "slug": "bsidesluxembourg-2026-96304-ransom-isac-lock-star-initiative", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/MZLG9S/", "title": "Ransom-ISAC LOCK STAR Initiative", "subtitle": "", "track": null, "type": "Lightning Talk", "language": "en", "abstract": "The ransomware ecosystem thrives in the shadows of fragmented intelligence and siloed expertise. Defenders do the hard work \u2014 forensic timelining of incidents, tracing cryptocurrency flows, reverse engineering payloads, negotiating with threat actors \u2014 yet that knowledge rarely travels far beyond the individual or organization that earned it. Ransom-ISAC's L.O.C.K. S.T.A.R. (Level of Critical Knowledge in Specialized Techniques on Advancements and Research) initiative was built to change that. This talk introduces L.O.C.K. S.T.A.R. as a community-driven recognition framework designed to surface, validate, and amplify the work of ransomware researchers and practitioners across eight critical domains \u2014 and explores how structured knowledge sharing can become one of our most powerful weapons against ransomware.", "description": "Ransomware is a team sport \u2014 but defenders have never played like one. 
As the founder of Ransom-ISAC, I've spent years watching brilliant researchers do groundbreaking work in near-total obscurity \u2014 forensic timelines that cracked open major incidents, cryptocurrency tracing that followed the money to attribution, reverse engineering that exposed affiliate infrastructure \u2014 only for that knowledge to die in a private Slack channel or a closed incident report.\r\n\r\nL.O.C.K. S.T.A.R. (Level of Critical Knowledge in Specialized Techniques on Advancements and Research) was built to fix that. It is Ransom-ISAC's community-driven recognition and credentialing framework \u2014 think Michelin stars for ransomware expertise \u2014 designed to surface, validate, and amplify the work of the practitioners and researchers who are actually moving the needle in this fight.\r\nThis session will walk attendees through why the initiative exists, how it works, and what it means for the broader defender community. L.O.C.K. S.T.A.R. recognition can be earned across eight domains: Infrastructure, Negotiations, HUMINT, Cryptocurrency, DFIR, Reverse Engineering, AI, and Quantum.\r\n \r\nRather than treating hard-won knowledge as a proprietary asset, the framework creates structured pathways \u2014 through novel workflow writeups and actionable intelligence contributions \u2014 for experts to share what they know while receiving the formal recognition they deserve.\r\n\r\nThe goal is simple but ambitious: if we can lower the barriers to knowledge sharing across the ransomware defender community, we compress dwell time, accelerate response, and make the ecosystem measurably harder for threat actors to operate in. 
Attendees will leave understanding how to contribute, how to apply, and why community-led credentialing may be one of the most underutilized tools in the fight against ransomware.", "recording_license": "", "do_not_record": true, "persons": [{"code": "QE8PTG", "name": "Ellis Stannard", "avatar": null, "biography": "Ellis Stannard is a part-time security researcher and core member of the Ransom-ISAC (Information Sharing and Analysis Center) initiative, where he contributes to collaborative threat intelligence efforts focused on ransomware and advanced persistent threat (APT) campaigns.", "public_name": "Ellis Stannard", "guid": "fe04134e-0f80-5b28-a909-3ff03fee44b8", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/QE8PTG/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/MZLG9S/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/MZLG9S/", "attachments": []}, {"guid": "c4bcaecc-c7eb-5b46-b9f2-246b02ac4429", "code": "GJTHDS", "id": 96162, "logo": null, "date": "2026-05-08T13:40:00+02:00", "start": "13:40", "duration": "00:05", "room": "Main Stage", "slug": "bsidesluxembourg-2026-96162-how-secure-is-secure-code-generation-putting-the-llms-to-the-test", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/GJTHDS/", "title": "How Secure is Secure Code Generation?  Putting the LLMs to the Test", "subtitle": "", "track": null, "type": "Lightning Talk", "language": "en", "abstract": "Large Language Models are increasingly used to assist developers in writing code, but how secure is the code they generate? This lightning talk explores the security risks introduced by LLM-generated code, from common vulnerability patterns to the challenges of evaluating and improving model outputs. 
Drawing from ongoing PhD research at TruX, SnT (University of Luxembourg), this talk offers a concise overview of the current landscape and open research questions in LLM-assisted secure software development.", "description": "In this talk, I would like to present two of my works that challenge the way we think about security in LLM-generated code. The first asks an uncomfortable question: do secure code generation methods actually work? Through a systematic adversarial audit, we show that current evaluation practices create a dangerous illusion of security, and methods that look robust on paper fall apart under simple, realistic prompt perturbations. The second uncovers a quieter but equally dangerous threat: LLMs that confidently recommend software packages that simply do not exist, giving attackers the perfect opportunity to register these fabricated names on open source registries and serve malicious payloads to unsuspecting developers, a practice known as slopsquatting. Together, these works reveal that the security of AI-assisted development is more fragile and more nuanced than the field currently acknowledges.", "recording_license": "", "do_not_record": false, "persons": [{"code": "MMJPSW", "name": "Melissa TESSA", "avatar": "https://pretalx.com/media/avatars/WJNX7U_NgJh9KY.webp", "biography": "I am a doctoral researcher at SnT, University of Luxembourg. I investigate how to enable large language models to generate secure code . 
My work sits at the intersection of AI, software engineering, and cybersecurity.", "public_name": "Melissa TESSA", "guid": "2cc5131c-0230-52f2-b6e4-4e277ac15b8a", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/MMJPSW/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/GJTHDS/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/GJTHDS/", "attachments": []}, {"guid": "d90e7010-2a4e-5b5e-8d6a-efaf27ba61c1", "code": "YQRGVT", "id": 96132, "logo": null, "date": "2026-05-08T13:45:00+02:00", "start": "13:45", "duration": "00:05", "room": "Main Stage", "slug": "bsidesluxembourg-2026-96132-lighting-talk-misp-workbench", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/YQRGVT/", "title": "Lighting Talk: MISP Workbench", "subtitle": "", "track": null, "type": "Lightning Talk", "language": "en", "abstract": "Built for the frontlines of cyber defense, our next-generation MISP Workbench empowers edge deployments and threat hunters with fast, lightweight, and actionable intelligence, anytime, anywhere.", "description": "https://github.com/MISP/misp-workbench", "recording_license": "", "do_not_record": false, "persons": [{"code": "EE8PDE", "name": "Luciano Righetti", "avatar": "https://pretalx.com/media/avatars/KGHZZA_wPvzKS8.webp", "biography": "Software engineer driven by a genuine passion for cybersecurity. 
Over the past four years, I contributed as a MISP core developer at the Computer Incident Response Center of Luxembourg (CIRCL) and built tools such as network scanners and other projects that help CIRCL's mission of keeping the Luxembourg ecosystem safe.", "public_name": "Luciano Righetti", "guid": "ca4a10c7-6856-5889-9553-801498187c94", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/EE8PDE/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/YQRGVT/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/YQRGVT/", "attachments": []}, {"guid": "de59de4b-4104-5a20-9003-199cedb86701", "code": "Y3FG3M", "id": 92939, "logo": "https://pretalx.com/media/bsidesluxembourg-2026/submissions/Y3FG3M/image_XbmxJu2.webp", "date": "2026-05-08T13:55:00+02:00", "start": "13:55", "duration": "00:05", "room": "Main Stage", "slug": "bsidesluxembourg-2026-92939-from-cli-to-platform-building-netcarapace-a-secure-and-open-source-url-checking-ecosystem-driven-by-fondation-restena-url-shortener-use-case", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/Y3FG3M/", "title": "From CLI to Platform: Building NetCarapace, a Secure and Open Source URL Checking Ecosystem driven by Fondation Restena URL Shortener Use Case", "subtitle": "", "track": null, "type": "Lightning Talk", "language": "en", "abstract": "At OpenSourceLux 2025, we introduced url-checker-tools, a Python CLI toolkit for URL threat assessment through multi-source intelligence gathering, optional YARA-based local inspection, and configurable security scoring.\r\nAt BSides Luxembourg 2026, we present the next step: url-checker, a Python Flask web platform exposing a REST API that allows external services to submit URLs for automated verification before publication: initially built to prevent malicious URLs from reaching Fondation Restena's edu.lu shortener users. 
The platform orchestrates synchronous validation checks alongside asynchronous security assessments delegated to url-checker-tools via job queues, persists results in MariaDB, and includes a MISP integration proof-of-concept for community threat intelligence sharing.\r\nWe share our approach for the general Restena Use Case, overall design, production hardening lessons, and our roadmap toward an open, composable, self-hosted URL security infrastructure for the CSIRT community the NetCarapace concept (https://github.com/organizations/NetCarapace).", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "VTKGNQ", "name": "C\u00e9dric Renzi", "avatar": "https://pretalx.com/media/avatars/LXKBLV_o2Ey5pn.webp", "biography": "A generalist Engineer who collected various experience from various industries and domains.\r\nEngaged now on DevSecOps topics at Fondation Restena,", "public_name": "C\u00e9dric Renzi", "guid": "0632b62c-9ce6-5aa1-a7ce-57e271a3b114", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/VTKGNQ/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/Y3FG3M/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/Y3FG3M/", "attachments": []}, {"guid": "73dbe3bb-5724-5617-8c67-453814af99f1", "code": "HJHWDS", "id": 89149, "logo": null, "date": "2026-05-08T14:00:00+02:00", "start": "14:00", "duration": "00:40", "room": "Main Stage", "slug": "bsidesluxembourg-2026-89149-what-you-see-is-not-what-you-get", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/HJHWDS/", "title": "What You See Is (Not) What You Get", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "When we are performing investigations (threat intel, hunting, forensics, malware analysis or anything else), our path is full of pitfalls or more commonly called, \u201cbiases\u201d. 
We do our day-to-day job, we have our tools, processes and follow playbooks but are we certain that we are not missing crucial information? In the first half of the talk, I'll explain how we can improve and use our senses in a better way: observe instead of see, listen instead of hear, etc. In the second part, I'll review some common issues that people do when performing malware analysis with real examples that I observed here and there. Even if the abstract mentions \u201cmalware analysis\u201d, this is not a very technical talk but it will be helpful for all infosec practitioners.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "REMFJE", "name": "Xavier Mertens", "avatar": "https://pretalx.com/media/avatars/REMFJE_ny40ywh.webp", "biography": "Xavier Mertens is a freelance security consultant running his own company based in Belgium (Xameco). With 20+ years of experience in information security, Xavier finds \u201cblue team\u201d activities more attractive. Therefore, his day job focuses on protecting his customers' assets by providing services like incident handling, malware analysis, forensic investigations, log management, security visualization, and OSINT. 
Besides his day job, Xavier is also a Senior Handler at the SANS Internet Storm Center, Certified SANS Instructor (FOR610, FOR710), security blogger and co-organizer of the BruCON security conference.", "public_name": "Xavier Mertens", "guid": "56915001-aa85-5973-ad1f-3b14a2df40ab", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/REMFJE/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/HJHWDS/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/HJHWDS/", "attachments": []}, {"guid": "c9713f78-d231-58e9-8aa6-f84521b66d35", "code": "PHH3EJ", "id": 84865, "logo": null, "date": "2026-05-08T14:40:00+02:00", "start": "14:40", "duration": "00:40", "room": "Main Stage", "slug": "bsidesluxembourg-2026-84865-xctdh-cross-chain-transaction-data-hiding-cyber-espionage-and-opsec-encounters", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/PHH3EJ/", "title": "XCTDH Cross-Chain Transaction Data Hiding: Cyber Espionage and OPSEC Encounters", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "This report presents the first documented analysis of Cross-Chain TxDataHiding (XCTDH), a novel command-and-control technique employed by DPRK-linked threat actors in cryptocurrency theft operations. The attack leverages multiple blockchain networks\u2014TRON and Aptos as decentralized pointer systems, and Binance Smart Chain (BSC) for encrypted payload storage\u2014to create virtually untraceable, takedown-proof malware infrastructure.Discovered during investigation of a malicious GitHub repository used in fake job recruitment campaigns, this technique represents a significant evolution from previously documented blockchain-based C2 methods. 
Unlike Etherhiding (which stores payloads in smart contract storage), XCTDH embeds malicious code within blockchain transaction input data across multiple chains, retrieved via standard RPC calls that are indistinguishable from legitimate cryptocurrency traffic. The attack chain begins with social engineering through fraudulent job postings, progresses through weaponized repositories containing heavily obfuscated JavaScript, and culminates in multi-stage payload delivery that evades modern EDR solutions. At an operational cost of approximately $1 USD, attackers establish resilient infrastructure that can dynamically update payloads, automatically failover between blockchain networks, and resist traditional takedown efforts\u2014all while appearing as legitimate crypto wallet activity. This analysis details the technical mechanisms, attribution indicators linking the campaign to DPRK operations, economic asymmetries favoring attackers, and the strategic implications of blockchain-based C2 for the future threat landscape.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "QE8PTG", "name": "Ellis Stannard", "avatar": null, "biography": "Ellis Stannard is a part-time security researcher and core member of the Ransom-ISAC (Information Sharing and Analysis Center) initiative, where he contributes to collaborative threat intelligence efforts focused on ransomware and advanced persistent threat (APT) campaigns.", "public_name": "Ellis Stannard", "guid": "fe04134e-0f80-5b28-a909-3ff03fee44b8", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/QE8PTG/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/PHH3EJ/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/PHH3EJ/", "attachments": []}, {"guid": "1e14ba40-f04c-5d62-86a7-e881fe217689", "code": "U7LPD7", "id": 92295, "logo": null, "date": "2026-05-08T15:40:00+02:00", "start": "15:40", "duration": "00:40", "room": "Main Stage", 
"slug": "bsidesluxembourg-2026-92295-startup-security-2020-aged-like-wine-or-milk", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/U7LPD7/", "title": "Startup Security 2020: Aged Like Wine or Milk?", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "What would you change if you could go back and rebuild your company\u2019s security foundations from day one?\r\n\r\nIn 2020, I had the chance to build a security program from the ground up for a brand new company in the banking/fintech space. \r\n\r\nSome of the decisions we made aged well, and would still be relevant in 2026. \r\n\r\nOther decisions, or the lack of them, have not, or simply could not be made back then due to a different technological environment.\r\n\r\nIn this talk, we'll look at what worked great, what didn't, and what we'd have to do differently if we tried again today.", "description": "Building a new company in a highly regulated field facing <buzzword>sophisticated threat actors</buzzword> brings its share of challenges, but also allows you to build things without worrying about legacy environments and problems. 
\r\n\r\nWhat you are building today will, however, become the legacy problem in the future.\r\n\r\nSpecifically, we will talk about decisions that were made in 2020 to build a secure company back then, and contrast that to 2026 and the decisions I believe we would make now.\r\n\r\nTopics covered will include:\r\n\r\n- Core architectural decisions that are \"one-way doors\"\r\n- Programming languages and ecosystems\r\n- Threat modeling from the beginning\r\n- Immutable and ephemeral infrastructure\r\n- Everything as code\r\n- Identity\r\n- Supply chain security and its downstream impact on endpoint security", "recording_license": "", "do_not_record": true, "persons": [{"code": "SSJQXD", "name": "Guillaume Ross", "avatar": "https://pretalx.com/media/avatars/G7LQEA_oy9piOA.webp", "biography": "Guillaume is an experienced security nerd mostly operating on the blue team side, who is equally experienced in very large organizations and startups, typically in the cyber security or fintech spaces. 
He was head of security for companies such as JupiterOne, FleetDM and Finaptic.\r\n\r\nThe thing he dislikes the most about security is the use of old advice and \"best practices\" that do not reduce risk for real companies and people, and he much prefers to base his work on real data and threats.", "public_name": "Guillaume Ross", "guid": "1c1fcb83-438f-507a-9091-354bf9a1456a", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/SSJQXD/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/U7LPD7/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/U7LPD7/", "attachments": []}, {"guid": "e50898b9-b767-589b-a274-9d48aaf3dc7f", "code": "YHW98L", "id": 85059, "logo": "https://pretalx.com/media/bsidesluxembourg-2026/submissions/YHW98L/image_s30UzbD.webp", "date": "2026-05-08T16:20:00+02:00", "start": "16:20", "duration": "00:40", "room": "Main Stage", "slug": "bsidesluxembourg-2026-85059-exploiting-the-past-how-linguistic-redundancy-weaponizes-the-quantum-search-landscape", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/YHW98L/", "title": "Exploiting the Past: How Linguistic Redundancy weaponizes the Quantum Search Landscape", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "What do _Niccol\u00f2 Machiavelli_ and _Grover's Algorithm_ have in common? More than you think. While one mastered the art of political manipulation in the 1500s, the other promises a quadratic speedup for quantum key search. But when these two worlds collide, something unexpected happens: **The quantum oracle misfires**.\r\n\r\nIn this talk, we build Grover search oracles directly from Renaissance Italian texts \u2014\r\n_Il Principe_, _Orlando Furioso_, _Il Cortegiano_, _I Ricordi_ \u2014 and measure exactly how much\r\nlinguistic redundancy contracts the cipher key space. 
We then simulate those oracles on a real quantum statevector and watch the standard iteration formula get it catastrophically wrong.\r\n\r\nWe will dive into:\r\n\r\n- **The Corpus-Driven Oracle**: How character-level _n-gram_ redundancy defines the fraction of \"good\" keys _p_good_ \u2014 the sole parameter governing both classical exhaustive search and Grover oracle call count.\r\n- **The Discrete Resonance Failure**: At one statistical threshold, the textbook formula predicts 2 optimal iterations. The real quantum simulation needs 24 \u2014 making quantum search **four times _slower_ than classical** at that point. We dissect why.\r\n- **The L=600 Transition Zone**: An empirical anomaly where stylistic variance in 16th-century prose (Latin citations, proper-noun lists) creates a chaotic instability band that separates statistical noise from structural reality.\r\n- **QUBO vs. Grover**: Why compressing a 23-letter alphabet to 7 letters breaks the annealer but leaves the quantum oracle unaffected \u2014 and what that tells us about attack-surface geometry.\r\n\r\nJoin us for a journey where orthography meets qubits, proving that whether you hold a quill or a\r\nquantum processor, **redundancy is the enemy of secrecy \u2014 but discrete arithmetic is the enemy\r\nof quantum speedup**.", "description": "Cryptanalysis has always been a game of exploiting patterns. 
This session takes that principle\r\ninto quantum territory by pitting the rigid orthography of _Renaissance Italian_ against the\r\nprobabilistic mechanics of Grover amplitude amplification \u2014 and catching the algorithm in a\r\nfailure mode the textbook formula cannot predict.\r\n\r\n### The Setup\r\n\r\nWe introduce a two-phase experimental framework built around a custom Python toolkit that\r\nnormalizes and models four 16th-century Italian corpora using character _n-gram_ language models.\r\nEvery candidate decryption key is scored against the corpus; the fraction of keys that score above\r\na statistical plausibility threshold \u2014 _p_good_ \u2014 becomes the marked fraction fed to the Grover\r\noracle. This transforms a linguistics measurement into a quantum complexity parameter.\r\n\r\n**Phase 1** sweeps the full 23-letter alphabet across multiple cipher lengths and plausibility\r\nthresholds, producing analytical Grover oracle estimates and classical exhaustive-search baselines.\r\n\r\n**Phase 2** reduces the alphabet to 7 letters \u2014 making all 5 040 keys enumerable \u2014 and runs a\r\ndirect statevector simulation of Grover amplitude amplification. No analytical approximations.\r\nReal quantum circuit behavior on a controlled key space.\r\n\r\n### The Discovery: Discrete Resonance Failure\r\n\r\nThe headline finding is a failure mode the standard Boyer formula cannot anticipate. At one\r\nthreshold, _p_good_ produces an angle \u03b8 for which no small integer iteration count satisfies the\r\nresonance condition. The formula confidently recommends stopping at iteration 2. The real\r\nprobability curve keeps oscillating and only peaks at iteration 24 \u2014 requiring 49 oracle calls\r\nagainst a classical expectation of 12.5 trials. 
**Quantum loses by a factor of four.**\r\n\r\nWe walk through the forensic geometry of this collapse: why the sinusoidal Grover envelope\r\ncreates near-equal local maxima that fool the continuous approximation, and how to detect\r\nnear-resonant _p_good_ values before deploying the algorithm.\r\n\r\n### The L=600 Anomaly\r\n\r\nA separate empirical anomaly surfaces at cipher length L=600, where _p_good_ persistently\r\nexceeds both shorter and longer ciphers across five of six tested thresholds. A targeted stability\r\nanalysis \u2014 sampling 20 distinct text segments at each length \u2014 identifies this as a **transition\r\nzone of maximal within-length variance**: at L=600, local stylistic features of Renaissance prose\r\n(Latin citations, enumerations, proper-noun clusters) produce segment-level fluctuations wide\r\nenough to push _p_good_ above its expected trend. We show how to isolate structural data effects\r\nfrom algorithmic noise.\r\n\r\n### QUBO and the Landscape-Warping Effect\r\n\r\nParallel _Quadratic Unconstrained Binary Optimization_ (QUBO) annealing experiments reveal a\r\ncomplementary insight: compressing a 23-letter alphabet to 7 letters cuts the trigram parameter\r\nspace by a factor of ~36, collapsing statistically distinct character patterns onto the same\r\nsymbols and creating **false energy attractors** \u2014 suboptimal keys surrounded by uphill barriers\r\nthe annealer cannot cross. The QUBO failure pattern inverts relative to the 23-letter case.\r\nThe Grover oracle, which only needs a binary marked/unmarked verdict, is structurally immune to\r\nthis distortion. The two attack paradigms probe entirely different properties of the key-score\r\nlandscape.\r\n\r\n### What Attendees Will Take Away\r\n\r\n1. How to construct a corpus-derived Grover oracle and measure _p_good_ empirically rather than\r\n   assuming it.\r\n2. 
How to detect discrete resonance conditions that cause the standard iteration formula to fail \u2014\r\n   and by how much.\r\n3. Why reducing model complexity (smaller alphabet, lower-order n-grams) can **help** a quantum\r\n   oracle while simultaneously **breaking** an annealing attack.\r\n4. A reusable stability analysis method for distinguishing structural data features from\r\n   algorithmic artefacts in any combinatorial search benchmark.\r\n\r\nThis talk is for anyone at the intersection of classical cryptanalysis, optimization heuristics,\r\nand quantum security \u2014 no prior quantum computing background required.", "recording_license": "", "do_not_record": false, "persons": [{"code": "UFGHSY", "name": "Alessio Di Santo", "avatar": "https://pretalx.com/media/avatars/UFGHSY_PK2IOyg.webp", "biography": "Alessio Di Santo received a Bachelor's degree in Information Engineering in 2020 from the Universit\u00e0 degli Studi dell'Aquila, with a thesis focused on fairness and cryptography. In 2022, he completed a Master's degree at the same institution, presenting a thesis on forensic acquisition techniques for Windows IT/OT assets. Currently, he is pursuing a Ph.D. at the Universit\u00e0 degli Studi dell'Aquila under the supervision of Professor Dajana Cassioli, with co-tutor Walter Tiberti. Since 2020, he has been employed in the cybersecurity sector, working as a Cyber Threat Intelligence Analyst, Incident Responder, Purple Teamer and Malware Analyst. Nowadays, he works as a Senior Cyber Security Specialist at Deutsche Boerse.", "public_name": "Alessio Di Santo", "guid": "5bf3015a-08c8-5604-a361-76b074fccf56", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/UFGHSY/"}, {"code": "BRMCNJ", "name": "Gabriella Lanziani", "avatar": "https://pretalx.com/media/avatars/CB7WJS_rXfk9OX.webp", "biography": "Gabriella Lanziani received her Bachelor Degree in Literature and her Master Degree in History. 
Her academic interests lie primarily in linguistics, with a particular focus on the structural and semantic properties of language and their potential applications in information theory and cryptography. Her research explores how linguistic analysis - especially syntax, semantics, and pattern recognition - can contribute to the understanding of code systems, cryptographic communication, and natural language processing in cybersecurity contexts.", "public_name": "Gabriella Lanziani", "guid": "fc331b86-66ae-5d40-a0c0-407776a5d361", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/BRMCNJ/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/YHW98L/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/YHW98L/", "attachments": []}, {"guid": "679d179c-bd9f-5ba5-9703-ca31b2bdbd2e", "code": "CAWHBG", "id": 93897, "logo": null, "date": "2026-05-08T17:00:00+02:00", "start": "17:00", "duration": "00:15", "room": "Main Stage", "slug": "bsidesluxembourg-2026-93897-ctf-prize-ceremony-and-raffles-if-any-etc", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/CAWHBG/", "title": "CTF Prize ceremony (and raffles if any etc.)", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "This is where we hand out the awesome CTF prizes from SecuInfra and Defensive Security\r\n\r\nthe prizes: Secret until the CTF is published!", "description": "", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/CAWHBG/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/CAWHBG/", "attachments": []}], "IFEN room 1, Workshops and Detection Engineering village (Building D)": [{"guid": "9f9f3536-275d-5fae-8dd5-60a4ddc7d6c9", "code": "JUD9FP", "id": 90413, "logo": null, "date": "2026-05-08T09:00:00+02:00", "start": "09:00", "duration": "00:40", "room": "IFEN room 1, Workshops and Detection Engineering village 
(Building D)", "slug": "bsidesluxembourg-2026-90413-mastering-incident-response-with-kanvas", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/JUD9FP/", "title": "Mastering Incident Response with Kanvas", "subtitle": "", "track": "Actionable CTI and detection engineering village", "type": "Talk", "language": "en", "abstract": "Imagine transforming chaotic incident response into a clear, visual story\u2014no more spreadsheets, just streamlined collaboration and powerful timelines. Kanvas turns IR chaos into actionable insights, letting us map, share, and conquer incidents like never before. And the best thing, it\u2019s Open-Source.", "description": "Stop wrestling with spreadsheets and disconnected tools. Kanvas brings your incident response to life.  Kanvas offers incident responders with an intuitive desktop workspace that unifies case management, timeline visualization, attack chain mapping, and threat intelligence lookups, all within a single, collaborative environment. See how Kanvas streamlines workflows, enables seamless multi-user collaboration, and exports powerful visuals for reporting. Whether you\u2019re mapping MITRE ATT&CK techniques, sanitizing sensitive data, or leveraging LLM assistance, Kanvas puts everything you need at your fingertips. Join this talk to discover how Kanvas is reshaping the way teams track, document, and conquer complex incident response and forensics.", "recording_license": "", "do_not_record": false, "persons": [{"code": "8ZXCNC", "name": "Ardit Beu", "avatar": "https://pretalx.com/media/avatars/8ZXCNC_sjEIDlN.webp", "biography": "I am an Information Security Specialist  with expertise in security monitoring, incident response, and threat hunting. 
Currently, I work at ESET.\r\n\r\nPreviously worked as a Cybersecurity Specialist for the largest independent moving company in North America, where I contributed to strengthening the company\u2019s security posture.", "public_name": "Ardit Beu", "guid": "41727566-0c0c-58bb-ac7b-f70619de51cb", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/8ZXCNC/"}], "links": [{"title": "Kanvas GitHub repo", "url": "https://github.com/WithSecureLabs/Kanvas", "type": "related"}], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/JUD9FP/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/JUD9FP/", "attachments": []}, {"guid": "2bc99640-bfaf-5b6e-bf5e-b158cd9d5e00", "code": "MB9KND", "id": 94099, "logo": null, "date": "2026-05-08T09:40:00+02:00", "start": "09:40", "duration": "00:30", "room": "IFEN room 1, Workshops and Detection Engineering village (Building D)", "slug": "bsidesluxembourg-2026-94099-comprehensive-framework-for-analyzing-and-detecting-malicious-browser-extensions", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/MB9KND/", "title": "Comprehensive Framework for Analyzing and Detecting Malicious Browser Extensions", "subtitle": "", "track": "Actionable CTI and detection engineering village", "type": "Infosec lightning talks (6 x 5 minutes)", "language": "en", "abstract": "Every day, millions of people rely on their web browsers, not only for work but also for study and daily life. Some of us also install browser extensions to utilize useful features. But what happens when those extensions are not as harmless as they seem?\r\n\r\nIn recent years, there has been a growing number of malicious browser extensions, particularly on platforms like the Chrome Web Store (CWS), affecting millions of users worldwide. Detecting these threats is not straightforward. Malicious extensions behave in many different and sometimes unpredictable ways. 
Another challenge is the limited availability of corresponding known malware samples, which restricts our ability to investigate these threats in depth. \r\n\r\nIn this talk, I will share insights from my study that takes a closer look at this problem. I compiled a curated dataset of 460 malicious browser extensions removed from the CWS and analyzed how they behave. By integrating both static and dynamic analysis techniques, I identified a wide range of activities that raise privacy and security concerns, classified as tracking, redirecting, ad injecting, stealing, and unwanted actions. Leveraging static analysis using CodeQL and Python, the study could detect extensions setting cookies for external domains automatically.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "JW3YQT", "name": "Van Nguyen", "avatar": null, "biography": "Major background in Software Engineering, Machine Learning, IT Security\r\nSecurity Analyst since 2025", "public_name": "Van Nguyen", "guid": "0185a10e-7db8-5a8a-948f-e46c4f062c12", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/JW3YQT/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/MB9KND/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/MB9KND/", "attachments": []}, {"guid": "d9315554-1d5d-549a-a1ee-2be16265161d", "code": "K3C8T9", "id": 94131, "logo": null, "date": "2026-05-08T10:40:00+02:00", "start": "10:40", "duration": "00:40", "room": "IFEN room 1, Workshops and Detection Engineering village (Building D)", "slug": "bsidesluxembourg-2026-94131-kunai-open-source-threat-detection-on-linux", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/K3C8T9/", "title": "Kunai: Open-Source Threat Detection on Linux", "subtitle": "", "track": "Actionable CTI and detection engineering village", "type": "Talk", "language": "en", "abstract": "This talk explores Kunai, an open-source security monitoring tool that brings threat-detection 
capabilities to Linux systems using eBPF technology. We begin with an overview of Kunai's purpose, architecture, and core monitoring capabilities. The session then dives into recent advancements, highlighting key features and improvements. Finally, we examine practical use cases in threat detection, incident response, and digital forensic analysis, demonstrating how Kunai enhances cyber incident investigations.", "description": "This talk presents Kunai, an open-source security monitoring tool developed in Luxembourg that brings Sysmon-like capabilities to Linux systems. Built specifically to address the often-overlooked security monitoring needs of Linux environments, Kunai leverages eBPF technology to provide comprehensive threat detection and incident response capabilities.\r\n\r\nWe'll explore how Kunai was designed from the ground up with incident response and threat detection requirements in mind, filling a critical gap in Linux security tooling. Given that Linux powers the majority of web-facing systems and cloud infrastructure, it has become a prime target for attackers - yet often lacks the sophisticated monitoring tools available for other platforms.\r\n\r\nThe session will cover Kunai's architecture, recent advancements, and practical applications including:\r\n- Real-time threat detection across Linux environments\r\n- Comprehensive event logging for incident investigations\r\n- Container-aware monitoring capabilities\r\n- Integration with existing security workflows\r\n\r\nAttendees will learn how Kunai enhances visibility into Linux systems, enabling better threat detection, faster incident response, and more effective digital forensic analysis - all while maintaining the performance and reliability required for production environments.", "recording_license": "", "do_not_record": false, "persons": [{"code": "YDKLRL", "name": "Quentin JEROME", "avatar": "https://pretalx.com/media/avatars/3JVRZM_xoQgYEQ.webp", "biography": "Quentin is a Rust developer 
at [CIRCL](https://circl.lu). Inspired by his background in incident response and threat detection, he develops open-source security tools to solve practical problems. His main interests include threat detection, bug hunting, and building tools that help the security community.", "public_name": "Quentin JEROME", "guid": "775f7c83-b07b-598c-8857-80bb24aebcb1", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/YDKLRL/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/K3C8T9/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/K3C8T9/", "attachments": []}, {"guid": "1bce99ba-e171-5d3d-932d-aa53d4bd5e90", "code": "LTSMAE", "id": 94139, "logo": "https://pretalx.com/media/bsidesluxembourg-2026/submissions/LTSMAE/image_PnUujMJ.webp", "date": "2026-05-08T11:20:00+02:00", "start": "11:20", "duration": "00:40", "room": "IFEN room 1, Workshops and Detection Engineering village (Building D)", "slug": "bsidesluxembourg-2026-94139-turbocharged-soc-detectflow-and-other-innovative-open-source-tools-released-by-socprime-for-detection-engineering", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/LTSMAE/", "title": "Turbocharged SOC: DetectFlow and other innovative Open Source tools released by SOCPrime for detection engineering", "subtitle": "", "track": "Actionable CTI and detection engineering village", "type": "Talk", "language": "en", "abstract": "We will discuss practical use of open source tools for detection engineering built by SOC Prime team, including DetectFlow, Uncoder and how it combines with open source data pipeline stack like Kafka, Flink and Flink agent.  The goal of DetectFlow is to elevate role of Detection Engineers above SIEM stack, and gives us all signals, context, threat intelligence and building blocks to fully design and operate Detection and Response workflows. 
The architecture of Detection Pipelines furthermore\u00a0 makes work of Security Analysts curious and enjoyable again, as it eliminates large part of the routine work they did, and focuses on the main thing human does better than AI = understanding connections, specific to the cyber domain and specific to your organization. Our approach equips people to address tremendous complexity of the cyber domain, which now simply exceeds possible knowledge that any human can physically fit.", "description": "Open source DetectFlow turns Apache Kafka+Flink into a Detection Pipeline, adding 2-tier correlation, one for automated streaming of AI generated and human-made behavior Sigma rules mapped to ATT&CK. This gives initial data labels and does not generate alerts. 2nd tier is a Flink agent which enables Agentic AI correlation across entire ATT&CK,  Attack Flows and Attack Chains. This can be further refined and expanded by integrating with OpenTIDE. Attack Chains are made by human experts as a \"higher order Sigma rules\" correlating on ATT&CK itself and lower level Sigma rule sequences. This together acts as a turbo-charger in front of SIEM engine, just like same thing in a car. With DetectFlow, which is essentially a low footprint, run anywhere provisioning tool with Agentic AI and MCP, we can run over 20,000 detection rules and nearly 500,000 behavior correlation patterns in front of ANY SIEM at millisecond speed. This exceeds capacity of any SIEM by 5 orders of magnitude. This shrinks mean time to detect and initial investigation stage from tens of minutes or even hours to a few seconds. The conversion from raw log event to a tagged event is 7%, from a tagged event to an Attack Chain is 0.0007% or 0.00007 - and only that is alert material. This reduces the need to fine tune rules at DetectFlow level, as fine tuning becomes a context, which can be solved by any on premise AI Agent working with outputs of DetectFlow or SIEM. 
SIEM remains very useful for workflow, reporting, graph analysis and, for now, machine learning based anomaly detection, even though latter will move to pipelines too. It also takes care of data parsing via crowdsourcing and mapping via AI (can be ran locally).", "recording_license": "", "do_not_record": false, "persons": [{"code": "NBVXHL", "name": "Andrii Bezverkhyi", "avatar": "https://pretalx.com/media/avatars/DWSQ9P_EqvbUkH.webp", "biography": "I am a successful entrepreneur with cyber security, hardware and AI as my hobbies and work specialties. Did my first blue team cyber gig in 2001, founded SOC Prime in 2014 together with Alex and Ruslan, which we've built from a small rented apartment in Kyiv to venture backed profitable company which operates across 4 continents, who's products and content are used by over 11,000 organisations. In cyber domain I am specializing in threat detection, sigma rules, MITRE ATT&CK, detection engineering and cyber threat intelligence, with a goal to build better tools for people who work in same niche. 
I consider two most successful contributions to such community projects Uncoder and DetectFlow which both can be found on GitHub.", "public_name": "Andrii Bezverkhyi", "guid": "bd8c2727-5105-5ae4-af0a-0af4d8742d44", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/NBVXHL/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/LTSMAE/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/LTSMAE/", "attachments": []}, {"guid": "0e38bf3a-01b4-58cb-a2a3-60fe34aa532e", "code": "YV7DJA", "id": 94138, "logo": null, "date": "2026-05-08T13:30:00+02:00", "start": "13:30", "duration": "00:40", "room": "IFEN room 1, Workshops and Detection Engineering village (Building D)", "slug": "bsidesluxembourg-2026-94138-panel-discussion-the-future-of-detection-engineering", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/YV7DJA/", "title": "Panel Discussion: The future of Detection Engineering", "subtitle": "", "track": "Actionable CTI and detection engineering village", "type": "Talk", "language": "en", "abstract": "The purpose of this panel is to discuss where the participants see the still-young, still-emergent discipline of Detection Engineering going.\r\n\r\nThe tools and know-how presented over the last 2 days in the village will be pitted against ideas from Diana (moderator) and the audience. \r\nThe panelists will try to explore together how the detection engineering landscape might evolve over the next few years.", "description": "Panel discussion with leading Detection Engineering experts:\r\n\r\n1. Ondrej Nekovar: Ondrej and the Boss have released innovative tooling and know-how on how to do detection engineering in 2026 in their talk - see 'CT(C)I-Driven detection against internal and external threats'\r\n2. Andrii Bezverkhyi: Founder of SOCPrime, who has released multiple innovative open-source tools, most recently 'DetectFlow', which enables detection engineering at the end of your pipeline before SIEM ingestion\r\n3. 
Remi Seguy: Runs and operates the OpenTide project, which is a one-stop-shop for detection engineering teams and integrates with CTI and offensive teams + enables Multi-SOC collaboration", "recording_license": "", "do_not_record": false, "persons": [{"code": "NRSJ3Y", "name": "Diana Waithanji", "avatar": "https://pretalx.com/media/avatars/CKM9CT_AL7odcb.webp", "biography": "Diana Waithanji believes data privacy is a human right. She works as a cybersecurity professional at SAP specifically SAP Cloud Infrastructure in Germany. She is a TechWomen USA fellow 2025 at Google and an AFRIKA KOMMT Germany alumni 2022. Diana sits in two technical committees at the Kenya Bureau of Standards (KEBS) and serves as a board member at Nivishe Foundation. Diana is also a founder of Wahandisi La Femme, an initiative that mentors girls in rural Kenya to get into tech and engineering.", "public_name": "Diana Waithanji", "guid": "84e0a403-5fd2-5b8f-9da6-f2a9678e0d6d", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/NRSJ3Y/"}, {"code": "CJBELR", "name": "Ondrej Nekovar", "avatar": null, "biography": "Ondrej Nekovar is an experienced executive manager responsible for the cyber security of critical information infrastructure and the state. His areas of expertise include research into the use of advanced technologies for active cyber defense, deception, detection engineering and cyber counterintelligence.\r\n\r\nLinkedIn profile:\r\nhttps://www.linkedin.com/in/onekovar/", "public_name": "Ondrej Nekovar", "guid": "72cc06ae-44ac-5a5a-a9e3-72a930cc7c5b", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/CJBELR/"}, {"code": "CUAN3J", "name": "Remi Seguy", "avatar": null, "biography": "With over 20+ years in the cybersecurity field, I have dedicated my career to safeguarding organisations by developing robust SOC and effective incident response teams. 
As a passionate advocate for knowledge sharing and collaboration - \"sharing is caring\"- I have actively contributed to the cybersecurity community and related open-source projects, such as MISP. In my current role, I have led the OpenTide initiative, turning it into a project at the core of the Detection Engineering team. I am looking for exchanging and collaborating with other Detection Engineering teams to develop repeatable, traceable, and pragmatic processes, effectively bridging the gap between Threat Intelligence, Threat Hunting, and Threat Detection.", "public_name": "Remi Seguy", "guid": "098a0446-dced-5c06-9883-253dfc1cbe3d", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/CUAN3J/"}, {"code": "NBVXHL", "name": "Andrii Bezverkhyi", "avatar": "https://pretalx.com/media/avatars/DWSQ9P_EqvbUkH.webp", "biography": "I am a successful entrepreneur with cyber security, hardware and AI as my hobbies and work specialties. Did my first blue team cyber gig in 2001, founded SOC Prime in 2014 together with Alex and Ruslan, which we've built from a small rented apartment in Kyiv to venture backed profitable company which operates across 4 continents, who's products and content are used by over 11,000 organisations. In cyber domain I am specializing in threat detection, sigma rules, MITRE ATT&CK, detection engineering and cyber threat intelligence, with a goal to build better tools for people who work in same niche. 
I consider two most successful contributions to such community projects Uncoder and DetectFlow which both can be found on GitHub.", "public_name": "Andrii Bezverkhyi", "guid": "bd8c2727-5105-5ae4-af0a-0af4d8742d44", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/NBVXHL/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/YV7DJA/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/YV7DJA/", "attachments": []}, {"guid": "def10e4c-36e7-5f01-8610-40bfe925d3ed", "code": "UCCYKR", "id": 89155, "logo": null, "date": "2026-05-08T14:10:00+02:00", "start": "14:10", "duration": "03:00", "room": "IFEN room 1, Workshops and Detection Engineering village (Building D)", "slug": "bsidesluxembourg-2026-89155-0-actionable-cti-detection-engineering-village", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/UCCYKR/", "title": "Actionable CTI & Detection Engineering village", "subtitle": "", "track": "Actionable CTI and detection engineering village", "type": "Village, 2d (2days x 8h)", "language": "en", "abstract": "SOC cutting edge! \r\n\r\nThe afternoon of May 8th will feature a 'village fair' where the rooms will be split into demo 'Islands'. \r\n\r\nThe audience is invited to go see demos of the talks, tools, how-tos etc. presented over the last 1.5 days of the village! \r\nGo check out the tools and talks that you really liked, see how modern SOCs are run today.", "description": "SOC cutting edge! \r\n\r\nThe afternoon of May 8th will feature a 'village fair' where the rooms will be split into demo 'Islands'. \r\n\r\nThe audience is invited to go see demos of the talks, tools, how-tos etc. presented over the last 1.5 days of the village! 
\r\nGo check out the tools and talks that you really liked, see how modern SOCs are run today.", "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/UCCYKR/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/UCCYKR/", "attachments": []}], "IFEN room 2, Workshops and AI Security Village  (Building D)": [{"guid": "8943a40e-19f9-5591-bc0a-d99837bc9509", "code": "PWM8ER", "id": 92923, "logo": null, "date": "2026-05-08T09:00:00+02:00", "start": "09:00", "duration": "00:40", "room": "IFEN room 2, Workshops and AI Security Village  (Building D)", "slug": "bsidesluxembourg-2026-92923-the-high-performance-fuel-for-social-engineering-now-in-ai-flavors", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/PWM8ER/", "title": "The High-Performance Fuel for Social Engineering (Now in AI Flavors!)", "subtitle": "", "track": "AI Security Village", "type": "Talk", "language": "en", "abstract": "Every day, millions of data points about YOU, whether public, leaked, scraped, or sold, quietly feed into a largely legal ecosystem of personal information. For modern threat actors, Artificial Intelligence (AI) is no longer just a buzzword; it is a tool used to weaponize this data at scale against both individuals and their organisations. What once required a non-trivial skillset in OSINT and social engineering can now be executed by anyone with a prompt and a scraped data set (or worse, an autonomous team of AI agents).\r\n\r\nThis talk explores the intersection of privacy and offensive security, demonstrating how exposed personal information is harvested and amplified by AI to create highly convincing phishing, deepfake scams, and automated fraud. 
We will break down how your digital footprint becomes an attack surface and build a defensive strategy to counter it.\r\n\r\nWe will focus on helping individuals and security leaders identify the human exposure, human attack surface, and cyber risk. We will tie this into Cyber Threat Intelligence (CTI), with actionable techniques for the individual and the SOC alike. We\u2019ll discuss practical tips to deal with exposure, limit data leakage, spot AI-driven targeting and explore actionable privacy practices, such as email masking, and ways to operationalize techniques and services to exercise your GDPR right to be forgotten. Attendees will leave with a clear understanding of the emerging threat landscape and the defensive techniques to remove or reduce the \"fuel\" attackers use in order for individuals and organizations to protect themselves.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "J3PRCC", "name": "Glen Sorensen", "avatar": "https://pretalx.com/media/avatars/J3PRCC_2Vu87sY.webp", "biography": "Glen Sorensen is a Recovering CISO/vCISO-Type and is presently a Solutions Engineer with DeleteMe. He has worn numerous hats in his career, in areas such as security engineering and architecture, security operations, GRC, and leadership, including leading the security program for a credit union and for smaller organizations in a fractional role. He currently focuses on how exposed information and OSINT are weaponized in conjunction with AI toward social engineering attacks, and how that factors into greater enterprise cyber risk.\r\n\r\nGlen approaches problems with practical solutions that bring good business value and has worked across many sectors, including financial services, healthcare, manufacturing, and others. He has served as a consulting expert in a large legal case involving healthcare and cyber attack detection technology. 
He has been in IT and security for 20+ years, depending on how much misspent youth you count.  He is a privacy geek and a sucker for a good tabletop exercise, and also serves as an Incident Master for HackBack Gaming, which puts his countless hours of roleplaying game experience to work teaching people about cybersecurity and incident response.", "public_name": "Glen Sorensen", "guid": "b3a24141-a593-5cb2-b2f2-84110e0c2875", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/J3PRCC/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/PWM8ER/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/PWM8ER/", "attachments": []}, {"guid": "38b0b89d-4810-5ad4-9b68-20723009aec2", "code": "XXRJ8Z", "id": 90584, "logo": null, "date": "2026-05-08T09:40:00+02:00", "start": "09:40", "duration": "00:40", "room": "IFEN room 2, Workshops and AI Security Village  (Building D)", "slug": "bsidesluxembourg-2026-90584-the-challenges-of-ai-as-a-service-logging", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/XXRJ8Z/", "title": "The challenges of AI-as-a-Service logging", "subtitle": "", "track": "AI Security Village", "type": "Talk", "language": "en", "abstract": "AI-as-a-Service adoption is surging, yet 90% of it is unmanaged 'Shadow AI,' leaving organizations exposed to novel threats like the OWASP LLM Top 10. This session dives into the critical gap in current AI logging platforms and APIs, detailing why traditional security controls fail and offering a path to centralized visibility for effective detection and response.", "description": "LLM logs are a subset of API logs, but they come from 2 different perspectives - client-side logs and server-side logs. \r\n    Add to that challenge that most logs aren't really designed for security analysis perspectives, and it becomes hard to know what to do and how to do it.\r\n    Note - I gave a version of this talk at fwd:CloudSec North America 2025. 
https://www.youtube.com/watch?v=AccsDqmHPdU&list=PLCPCP1pNWD7M-hHBOymDR5vkPib0tkZd9&index=18", "recording_license": "", "do_not_record": false, "persons": [{"code": "Q7DTLL", "name": "Jeremy Snyder", "avatar": "https://pretalx.com/media/avatars/Q7DTLL_2DWdct7.webp", "biography": "Jeremy is the founder and CEO of FireTail, an end-to-end AI security platform. Prior to FireTail, Jeremy worked in M&A at Rapid7, a global cyber leader, where he worked on the acquisitions of 3 companies during the pandemic. Jeremy previously led sales at DivvyCloud, one of the earliest cloud security posture management companies, and also led AWS sales in southeast Asia. Jeremy started his career with 13 years in cyber and IT operations. Jeremy has an MBA from Mason, a BA in computational linguistics from UNC, and has completed additional studies in Finland at Aalto University. Jeremy speaks 5 languages and has lived in 5 countries.", "public_name": "Jeremy Snyder", "guid": "57192923-7ca8-5e18-a2e6-44e080b84836", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/Q7DTLL/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/XXRJ8Z/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/XXRJ8Z/", "attachments": []}, {"guid": "e78b5665-3b65-5e35-a2c3-28b68f1160e5", "code": "HCRD3Y", "id": 94622, "logo": null, "date": "2026-05-08T10:40:00+02:00", "start": "10:40", "duration": "00:40", "room": "IFEN room 2, Workshops and AI Security Village  (Building D)", "slug": "bsidesluxembourg-2026-94622-ai-in-cybersecurity-how-can-we-make-best-use-of-it", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/HCRD3Y/", "title": "AI in Cybersecurity: How can we make best use of it?", "subtitle": "", "track": "AI Security Village", "type": "Talk", "language": "en", "abstract": "This Birds of a Feather session will focus on how AI tools are being used to secure environments, the training necessary for teams to identify security issues and the impact of AI 
on job security for security jobs. Participants will discuss and share experiences on:\r\n\r\n- AI Tools in Cybersecurity: Explore how AI tools are currently enhancing security and the most effective tools available today.\r\n- Training and Skill Development: Discuss recommended training programs and certifications that help teams leverage AI in cybersecurity.\r\n- Job Security and AI: Debate whether AI will replace certain roles or create new opportunities, and how professionals can stay relevant.\r\n\r\nAt the end of this session, participants will leave with ideas on using AI tools, available training for their teams, and strategies to remain irreplaceable in an AI-driven world.\r\nThis open discussion invites all cybersecurity professionals regardless of the experience level.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "NRSJ3Y", "name": "Diana Waithanji", "avatar": "https://pretalx.com/media/avatars/CKM9CT_AL7odcb.webp", "biography": "Diana Waithanji believes data privacy is a human right. She works as a cybersecurity professional at SAP specifically SAP Cloud Infrastructure in Germany. She is a TechWomen USA fellow 2025 at Google and an AFRIKA KOMMT Germany alumni 2022. Diana sits in two technical committees at the Kenya Bureau of Standards (KEBS) and serves as a board member at Nivishe Foundation. 
Diana is also a founder of Wahandisi La Femme, an initiative that mentors girls in rural Kenya to get into tech and engineering.", "public_name": "Diana Waithanji", "guid": "84e0a403-5fd2-5b8f-9da6-f2a9678e0d6d", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/NRSJ3Y/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/HCRD3Y/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/HCRD3Y/", "attachments": []}, {"guid": "83d5cbce-2630-56d5-8967-a3822c00e006", "code": "UGKRML", "id": 89417, "logo": null, "date": "2026-05-08T11:20:00+02:00", "start": "11:20", "duration": "00:40", "room": "IFEN room 2, Workshops and AI Security Village  (Building D)", "slug": "bsidesluxembourg-2026-89417-the-agent-had-a-plan-so-did-i-top-attacks-on-owasp-agentic-ai-systems", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/UGKRML/", "title": "The Agent Had a Plan\u2014So Did I: Top Attacks on OWASP Agentic AI Systems", "subtitle": "", "track": "AI Security Village", "type": "Talk", "language": "en", "abstract": "AI agents are different from regular LLM apps \u2014 they plan steps, call tools, and chase goals across multiple interactions. This added complexity introduces new kinds of security risks that aren\u2019t widely understood yet.\r\n\r\nIn this talk, I\u2019ll walk through demos of vulnerabilities from the OWASP Agentic AI Threats. These include goal hijacking, alignment faking, orchestration misuse, and time-based attacks that exploit how agents behave over multiple steps or sessions. 
I\u2019ll show how attackers can trick agents into following the wrong goals, leaking data, or using tools in unsafe ways \u2014 all through practical examples.", "description": "Here's the flow:\r\n\r\nIntro to Agentic AI Systems\r\n- What are agentic AI systems?\r\n- How do they differ from regular AI tools?\r\n- Use cases / Popular frameworks: LangChain, AutoGen, BAML.\r\n\r\nVulnerabilities:\r\n#1: Agent Goal and Instruction Manipulation\r\n- Exploiting how attackers can manipulate AI agent goals and instructions to make them act against their intended purposes.\r\n\r\n#2: Agent Temporal Manipulation and Time based attacks\r\n- Exploiting time-dependent behaviors in AI agents to manipulate scheduling, timestamps, and decision-making, leading to desynchronization and timing attacks.\r\n\r\n#3: Agent Orchestration and Multi-Agent Exploitation\r\n- Exploiting vulnerabilities in how multiple AI agents interact, coordinate, and communicate, compromising entire agent networks.\r\n\r\n#4: Checker-out-of-the-Loop Vulnerability\r\n- Showing how agents can operate outside system limits without alerting human operators or oversight systems.\r\n\r\n#5: Agent Covert Channel Exploitation\r\n- Demonstrating how agents can exploit covert channels to leak data or escalate privileges without detection.\r\n\r\n#6: Agent Alignment Faking\r\n- Demonstrating how agents can fake adherence to rules during monitored phases but deviate when unmonitored.", "recording_license": "", "do_not_record": false, "persons": [{"code": "8799ND", "name": "Parth Shukla", "avatar": "https://pretalx.com/media/avatars/8799ND_WOPQmKr.webp", "biography": "Parth Shukla is a Senior Security Researcher specializing in AI Security and Adversarial Machine Learning. With a deep background in offensive security, he currently focuses on the security architecture of Agentic Systems and LLMs. 
His research bridges the gap between traditional application security and the probabilistic risks of modern AI.", "public_name": "Parth Shukla", "guid": "36bd2073-5eab-52a6-ab03-86f5090fccd8", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/8799ND/"}, {"code": "R9J9FP", "name": "Nagarjun Rallapalli", "avatar": "https://pretalx.com/media/avatars/R9J9FP_m08b6Af.webp", "biography": "Automating Security since 2022.\r\nBuilding (and breaking) AI agents to test their limits.", "public_name": "Nagarjun Rallapalli", "guid": "ef9822df-e0fa-582e-82c6-1c5b5749d626", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/R9J9FP/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/UGKRML/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/UGKRML/", "attachments": []}, {"guid": "e840ef78-9b96-50a1-87b1-7df966ed9790", "code": "UEJDNE", "id": 96675, "logo": null, "date": "2026-05-08T13:30:00+02:00", "start": "13:30", "duration": "00:40", "room": "IFEN room 2, Workshops and AI Security Village  (Building D)", "slug": "bsidesluxembourg-2026-96675-building-the-ultimate-ai-firewall-inside-sovereignshield-intentshield-and-logicshield", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/UEJDNE/", "title": "Building the Ultimate AI Firewall: Inside SovereignShield, IntentShield, and LogicShield", "subtitle": "", "track": "AI Security Village", "type": "Talk", "language": "en", "abstract": "As AI agents evolve from simple chatbots into autonomous systems capable of executing code and making API calls, traditional security boundaries are failing. We can no longer rely on brittle regex filters or the \"black box\" safety rails of LLM providers. In this session, I will unveil the architecture behind the SovereignShield ecosystem a multi-layered, deterministic defense framework for modern AI applications. 
We will break down the engineering mechanics of our three core products: IntentShield (outbound action auditing), LogicShield (semantic enforcement), and the unified SovereignShield firewall.", "description": "This 35-minute technical session is an architectural deep-dive into the SovereignShield product suite, designed to show developers and security engineers how to mathematically secure AI endpoints.\r\n\r\nWe will cover the ecosystem in three distinct technical phases:\r\n\r\n**LogicShield: Securing the Cognitive Layer (10 mins)**\r\n\r\nWhy traditional syntax filters fail against semantic attacks (like prompt injection and jailbreaks).\r\nHow LogicShield enforces deterministic logical boundaries on AI reasoning before an output is even generated.\r\n\r\n**IntentShield: Outbound Action Auditing (10 mins)**\r\n\r\nThe danger of autonomous AI agents executing destructive API commands or exfiltrating data.\r\nDeep dive into the ActionParser and Conscience modules. How IntentShield intercepts, audits, and blocks malicious intent at the execution layer.\r\n\r\n**SovereignShield: The Unified Firewall (10 mins)**\r\n\r\nBringing it all together. How the core SovereignShield layer acts as a bidirectional proxy.\r\nLive architecture breakdown of our 4-layer defense model (Inbound Input Filtering + Outbound Action Auditing) protecting a production API.\r\n\r\n**Conclusion & Q&A (5-10 mins)**\r\n\r\nHow the community can integrate the SovereignShield suite into their own LLM pipelines today.", "recording_license": "", "do_not_record": false, "persons": [{"code": "A8EZZU", "name": "mattijs moens", "avatar": null, "biography": "Mattijs Moens is an AI security researcher and the founder of SovereignShield, where he engineers deterministic, multi-layered defense architectures for autonomous AI agents. He is an active contributor to the OWASP AI Security and Privacy Guide (AISVS) and advocates strongly for open-source, independent oversight of AI training data. 
His current work focuses on building \"IntentShield\" and \"LogicShield\" semantic firewalls designed to intercept and neutralize AI-generated social engineering, prompt injection, and data exfiltration at the edge.", "public_name": "mattijs moens", "guid": "57b26b68-73ce-5a90-a6ac-cae69237a3a9", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/A8EZZU/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/UEJDNE/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/UEJDNE/", "attachments": []}, {"guid": "5eefd719-05f3-5b2a-a038-879a677cb61e", "code": "SDCESA", "id": 96750, "logo": "https://pretalx.com/media/bsidesluxembourg-2026/submissions/SDCESA/image_Iq3oeyc.webp", "date": "2026-05-08T14:10:00+02:00", "start": "14:10", "duration": "00:30", "room": "IFEN room 2, Workshops and AI Security Village  (Building D)", "slug": "bsidesluxembourg-2026-96750-security-for-ai-aidr-bastion-as-open-source-llm-firewall-ai-prompts-reverse-proxy", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/SDCESA/", "title": "Security for AI: AIDR Bastion as open source LLM firewall / AI prompts reverse proxy", "subtitle": "", "track": "AI Security Village", "type": "Talk", "language": "en", "abstract": "One of the top concerns in the age of AI is cyber attacks, and one of the weak links in defense is AI itself. From prompt injections to agents self-organizing into botnets or far worse, we need some basic level of security for any AI workloads. And while we have seen a cohort of startups being acquired in the space through 2025, is the issue really solved? Does security for AI have to be yet another budget spend, or can we do better with open source and open standards? We will discuss an open source project, AIDR bastion, which was made inside our own SOC and released to the world, things which work and shortcomings. 
Goal of the talk is to discuss issues and possibilities.", "description": "AIDR bastion is an open source comprehensive GenAI protection system designed to safeguard against malicious prompts, injection attacks, and harmful content. Source code is available at GitHub: https://github.com/socprime/AIDR-Bastion \r\nThe system incorporates multiple detection engines that operate sequentially to analyze and classify user inputs before reaching GenAI applications.\r\n\r\n- The system supports Roota and Sigma rules, enabling the application of detection logic from multiple sources such as SigmaHQ (around 1,200 compatible free community Sigma rules available at release), SOC Prime (with up to 3,000 additional compatible rules), and other third-party repositories. Sigma rules can be applied to detect use cases where malware leverages a local LLM to generate malicious code for execution.\r\n- SOC Prime Uncoder AI integration further extends functionality by translating Sigma rules into Semgrep format, providing standardized and reusable detection pipelines (requires a free account).\r\n- Roota rules power the regex-based pipeline.\r\n- The architecture supports rule extensibility, seamlessly integrating organization-specific signatures and external detection content.\r\n- The system can also function as a local logging sensor, recording user and agent prompts and enabling diagnostics, incident discovery, and cyber attack investigation.\r\n- Detection logic aligns with industry frameworks such as MITRE ATLAS and OWASP Top 10 for LLMs, ensuring standardized coverage against adversarial techniques.\r\n- Actions include allow, block, or notify, depending on rule matches and policy configuration.\r\n- This layered detection approach delivers defense-in-depth against evolving adversarial prompt engineering and other AI-focused attack vectors. 
Inspired by LlamaFirewall.", "recording_license": "", "do_not_record": false, "persons": [{"code": "NBVXHL", "name": "Andrii Bezverkhyi", "avatar": "https://pretalx.com/media/avatars/DWSQ9P_EqvbUkH.webp", "biography": "I am a successful entrepreneur with cyber security, hardware and AI as my hobbies and work specialties. Did my first blue team cyber gig in 2001, founded SOC Prime in 2014 together with Alex and Ruslan, which we've built from a small rented apartment in Kyiv to venture backed profitable company which operates across 4 continents, whose products and content are used by over 11,000 organisations. In cyber domain I am specializing in threat detection, sigma rules, MITRE ATT&CK, detection engineering and cyber threat intelligence, with a goal to build better tools for people who work in same niche. I consider two most successful contributions to such community projects Uncoder and DetectFlow which both can be found on GitHub.", "public_name": "Andrii Bezverkhyi", "guid": "bd8c2727-5105-5ae4-af0a-0af4d8742d44", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/NBVXHL/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/SDCESA/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/SDCESA/", "attachments": []}, {"guid": "f2e31181-6f32-5cc3-ad8c-ccf7989919cc", "code": "SRHCSS", "id": 97333, "logo": null, "date": "2026-05-08T14:40:00+02:00", "start": "14:40", "duration": "00:40", "room": "IFEN room 2, Workshops and AI Security Village  (Building D)", "slug": "bsidesluxembourg-2026-97333-every-guardrail-everywhere-all-at-once-designing-and-testing-guardrails-for-llm-applications", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/SRHCSS/", "title": "Every Guardrail Everywhere All at Once: Designing and Testing Guardrails for LLM Applications", "subtitle": "", "track": "AI Security Village", "type": "Talk", "language": "en", "abstract": "GenAI applications have moved from being single prompt wrappers 
to long chains of LLM calls, tools, and agentic workflows. In these systems, guardrails cannot live on a single isolated prompt. They need to be designed based on how data flows through the application, how permissions are enforced, and which risks are relevant for the use case.\r\n\r\nThis talk shares practical experience from helping teams design and test guardrails for LLM applications. Prompt-based guardrails tend to fail under determined attackers, so they must be combined with application-level controls and feedback mechanisms that allow the system to detect and respond to prompt attacks.\r\n\r\nRather than evaluating models in isolation, the focus is on testing the application itself. This includes testing how inputs and outputs propagate through LLM chains, how intermediate results are reused, and how guardrails interact across different stages of a workflow. The talk shows how this can be tested in practice using spikee (https://spikee.ai), an open source tool built to test LLM applications for prompt-based attacks.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "F8ENJB", "name": "Donato Capitella", "avatar": "https://pretalx.com/media/avatars/SM8NUB_QW69Gty.webp", "biography": "Donato Capitella is a Software Engineer and Principal Security Consultant at Reversec, with over 15 years of experience in offensive security and software engineering. Donato spent the past 3 years conducting research and assessments on Generative AI applications, covering topics such as multi-chain prompt injection, securing ReAct agents, and testing LLM guardrails. He is the lead developer of spikee (https://spikee.ai) an open-source tool for practical testing of LLM applications. 
He shares his work through a technical YouTube channel (https://www.youtube.com/@donatocapitella) and publishes research articles on the Reversec Labs blog (https://labs.reversec.com/authors/donato-capitella).", "public_name": "Donato Capitella", "guid": "4c1dd912-c54b-544e-820c-eadc3125efb9", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/F8ENJB/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/SRHCSS/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/SRHCSS/", "attachments": []}, {"guid": "d7562e2b-dc04-51e2-a237-f776ca0f77b4", "code": "8WLHGS", "id": 93021, "logo": null, "date": "2026-05-08T15:40:00+02:00", "start": "15:40", "duration": "00:40", "room": "IFEN room 2, Workshops and AI Security Village  (Building D)", "slug": "bsidesluxembourg-2026-93021-building-secure-ai-making-threat-modeling-a-core-part-of-development", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/8WLHGS/", "title": "Building Secure AI: Making Threat Modeling a Core Part of Development", "subtitle": "", "track": "AI Security Village", "type": "Talk", "language": "en", "abstract": "As AI systems evolve, integrating security from the design phase is crucial, following the \"shift left\" approach to prevent vulnerabilities. This session offers an overview of threat modeling for AI systems, including organizing engaging sessions, using appropriate tools, and applying methodologies such as STRIDE. Participants will learn to proactively address security concerns and in turn ensure robust protection by identifying and mitigating potential threats specific to AI technologies - with reference to OWASP research. The session will also provide tips on making threat modeling sessions interesting and interactive in order to ensure active participation and effective outcomes. 
The goal is to make security a foundational element in AI system development rather than an afterthought.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "NRSJ3Y", "name": "Diana Waithanji", "avatar": "https://pretalx.com/media/avatars/CKM9CT_AL7odcb.webp", "biography": "Diana Waithanji believes data privacy is a human right. She works as a cybersecurity professional at SAP specifically SAP Cloud Infrastructure in Germany. She is a TechWomen USA fellow 2025 at Google and an AFRIKA KOMMT Germany alumni 2022. Diana sits in two technical committees at the Kenya Bureau of Standards (KEBS) and serves as a board member at Nivishe Foundation. Diana is also a founder of Wahandisi La Femme, an initiative that mentors girls in rural Kenya to get into tech and engineering.", "public_name": "Diana Waithanji", "guid": "84e0a403-5fd2-5b8f-9da6-f2a9678e0d6d", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/NRSJ3Y/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/8WLHGS/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/8WLHGS/", "attachments": []}, {"guid": "0db435a2-170c-5d87-a26e-9ecc26bf05e7", "code": "8ACVB3", "id": 89418, "logo": null, "date": "2026-05-08T16:20:00+02:00", "start": "16:20", "duration": "01:00", "room": "IFEN room 2, Workshops and AI Security Village  (Building D)", "slug": "bsidesluxembourg-2026-89418-0-ai-security-village-open-village-q-a", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/8ACVB3/", "title": "AI Security Village - Open Village/Q&A", "subtitle": "", "track": "AI Security Village", "type": "Village, 2d (2days x 8h)", "language": "en", "abstract": "Event Strategy & Structure\r\n\r\nCore Mission: A 2-day, open-floor \"village\" dedicated to exploring real-world security risks in Agentic AI, Model Context Protocol (MCP) architectures, and LLM workflows.\r\n\r\nAlignment: All content and threat models are strictly aligned with OWASP 
guidance (LLM Top 10 & AI Security Exchange).\r\n\r\nDynamic Flow: Unlike traditional linear training, this is an exploratory space. The schedule is fluid; organizers will pivot topics, attack scenarios, and deep dives in real-time based on what attendees find most interesting.\r\n\r\nVillage Logistics\r\n\r\nOpen Access: The village runs continuously for two days with no fixed start/stop times.\r\nDrop-in Format: Attendees are free to enter, observe, leave, and return at will. This supports the casual, \"hallway con\" culture of BSides events.\r\nParallel Tracks: Multiple activities (demos, labs, discussions) happen simultaneously, allowing for natural scaling of depth from beginner to advanced levels.\r\n\r\nOrganizer Responsibilities (The Blue Team/Red Team)\r\n\r\nLive Operations: Organizers act as facilitators, maintaining intentionally vulnerable infrastructure (LLMs, RAG pipelines, Autonomous Agents, MCP Servers).\r\n\r\nInteractive Walkthroughs: Instead of formal talks, organizers provide short, continuous breakdowns of attacks, explaining why a specific trust boundary failed or how a design choice created a vulnerability.\r\n\r\nAdaptive Defense: Based on audience feedback, organizers will live-patch systems or remove mitigations to demonstrate how security controls impact attack feasibility.\r\n\r\nAttendee Experience (The Red Team)\r\nHands-on Exploitation: Attendees can directly interact with deployed systems to attempt prompt injection, logic-based attacks, and tool abuse.\r\nFeedback Loop: Attendees actively shape the curriculum by voting on which systems to attack next or requesting deeper focus on specific failure modes.\r\nCollaborative Defense: A key component is discussing defenses; attendees can propose architecture changes or guardrails, which organizers can discuss or implement live.\r\n\r\nHands-on Labs & Infrastructure\r\nSelf-Paced Playgrounds: Dedicated stations will run continuously for independent learning.\r\nDreadnode Crucible: Focuses 
on practical exploitation of LLMs and agents.\r\nLakera Gandalf / Agent Breaker: Gamified challenges covering prompt injection, goal hijacking, and instruction drift.\r\nPurpose: These labs ensure that even if the live demo is advanced, beginners have a place to start learning fundamentals.\r\n\r\nAgenda: \r\n\r\nBreaking LLM Systems\r\nTheme: Fundamentals of LLM vulnerabilities and the OWASP LLM Top 10.\r\nLive Targets: Minimalist LLM deployments and chat interfaces.\r\nDeep Dives:\r\nGuardrails: Examining internal mechanics and demonstrating how to bypass practical limitations.\r\nRAG Security: attacking Vector Databases and poisoning retrieval contexts (RAG-specific threats).\r\n\r\nAgenda: Agentic AI & MCP Security\r\nTheme: The core focus of the village\u2014Autonomous Agents and the Model Context Protocol (MCP).\r\nComplex Workflows: Demos will feature multi-step agents that can plan, execute, and interact with external tools.\r\nKey Attack Vectors:\r\nInstruction Hijacking: Forcing an agent to deviate from its original goal.\r\nTool Abuse: Exploiting over-privileged MCP capabilities (e.g., an agent with unrestricted file access).\r\nTrust Boundaries: Analyzing failures in the handshake between Agents and MCP servers.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "8799ND", "name": "Parth Shukla", "avatar": "https://pretalx.com/media/avatars/8799ND_WOPQmKr.webp", "biography": "Parth Shukla is a Senior Security Researcher specializing in AI Security and Adversarial Machine Learning. With a deep background in offensive security, he currently focuses on the security architecture of Agentic Systems and LLMs. 
His research bridges the gap between traditional application security and the probabilistic risks of modern AI.", "public_name": "Parth Shukla", "guid": "36bd2073-5eab-52a6-ab03-86f5090fccd8", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/8799ND/"}, {"code": "R9J9FP", "name": "Nagarjun Rallapalli", "avatar": "https://pretalx.com/media/avatars/R9J9FP_m08b6Af.webp", "biography": "Automating Security since 2022.\r\nBuilding (and breaking) AI agents to test their limits.", "public_name": "Nagarjun Rallapalli", "guid": "ef9822df-e0fa-582e-82c6-1c5b5749d626", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/R9J9FP/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/8ACVB3/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/8ACVB3/", "attachments": []}], "IFEN room 3 Workshops and AI Security Village (Building D)": [{"guid": "38a20e1b-f11c-57ae-b875-2fdecb6f2747", "code": "HY3QBJ", "id": 93488, "logo": null, "date": "2026-05-08T09:00:00+02:00", "start": "09:00", "duration": "03:00", "room": "IFEN room 3 Workshops and AI Security Village (Building D)", "slug": "bsidesluxembourg-2026-93488-1-ai-security-village-technical-training-and-implementation", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/HY3QBJ/", "title": "AI Security village - technical training and implementation", "subtitle": "", "track": "AI Security Village", "type": "Village, 2d (2days x 8h)", "language": "en", "abstract": "The technical track of the AI security village", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "8799ND", "name": "Parth Shukla", "avatar": "https://pretalx.com/media/avatars/8799ND_WOPQmKr.webp", "biography": "Parth Shukla is a Senior Security Researcher specializing in AI Security and Adversarial Machine Learning. With a deep background in offensive security, he currently focuses on the security architecture of Agentic Systems and LLMs. 
His research bridges the gap between traditional application security and the probabilistic risks of modern AI.", "public_name": "Parth Shukla", "guid": "36bd2073-5eab-52a6-ab03-86f5090fccd8", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/8799ND/"}, {"code": "R9J9FP", "name": "Nagarjun Rallapalli", "avatar": "https://pretalx.com/media/avatars/R9J9FP_m08b6Af.webp", "biography": "Automating Security since 2022.\r\nBuilding (and breaking) AI agents to test their limits.", "public_name": "Nagarjun Rallapalli", "guid": "ef9822df-e0fa-582e-82c6-1c5b5749d626", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/R9J9FP/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/HY3QBJ/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/HY3QBJ/", "attachments": []}], "Workshops May 6th, Speaker's room May 7+8th (C1.02.13)": [{"guid": "25bba9c7-3080-5d35-b15b-c044e6231c71", "code": "YGC7EA", "id": 90638, "logo": null, "date": "2026-05-08T10:00:00+02:00", "start": "10:00", "duration": "02:00", "room": "Workshops May 6th, Speaker's room May 7+8th (C1.02.13)", "slug": "bsidesluxembourg-2026-90638-5-dismantle-the-bomb", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/", "title": "Dismantle The Bomb", "subtitle": "", "track": "Escape games!", "type": "Workshop 2h", "language": "en", "abstract": "Dismantle the bomb by performing different tasks", "description": "Dismantle the bomb by performing different tasks. The tasks will include:\r\n- Solving ciphers\r\n- Being genuine with a special flashlight\r\n- lock picking \r\n- make a key with a lishi tool\r\n- ...", "recording_license": "", "do_not_record": false, "persons": [{"code": "ZTMXFW", "name": "Stijn Tomme", "avatar": "https://pretalx.com/media/avatars/ZTMXFW_uIVfOdZ.webp", "biography": "Been in IT security for too long. 
I enjoy creating fun and games!", "public_name": "Stijn Tomme", "guid": "ead70de2-5a9e-5747-942b-781b37612c50", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/ZTMXFW/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/", "attachments": []}, {"guid": "7122c32c-0e57-54b7-a432-22efd28bb9d3", "code": "YGC7EA", "id": 90638, "logo": null, "date": "2026-05-08T13:30:00+02:00", "start": "13:30", "duration": "02:00", "room": "Workshops May 6th, Speaker's room May 7+8th (C1.02.13)", "slug": "bsidesluxembourg-2026-90638-6-dismantle-the-bomb", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/", "title": "Dismantle The Bomb", "subtitle": "", "track": "Escape games!", "type": "Workshop 2h", "language": "en", "abstract": "Dismantle the bomb by performing different tasks", "description": "Dismantle the bomb by performing different tasks. The tasks will include:\r\n- Solving ciphers\r\n- Being genuine with a special flashlight\r\n- lock picking \r\n- make a key with a lishi tool\r\n- ...", "recording_license": "", "do_not_record": false, "persons": [{"code": "ZTMXFW", "name": "Stijn Tomme", "avatar": "https://pretalx.com/media/avatars/ZTMXFW_uIVfOdZ.webp", "biography": "Been in IT security for too long. 
I enjoy creating fun and games!", "public_name": "Stijn Tomme", "guid": "ead70de2-5a9e-5747-942b-781b37612c50", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/ZTMXFW/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/", "attachments": []}, {"guid": "b9f1b007-4ad3-534f-922a-231429249277", "code": "YGC7EA", "id": 90638, "logo": null, "date": "2026-05-08T15:35:00+02:00", "start": "15:35", "duration": "02:00", "room": "Workshops May 6th, Speaker's room May 7+8th (C1.02.13)", "slug": "bsidesluxembourg-2026-90638-7-dismantle-the-bomb", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/", "title": "Dismantle The Bomb", "subtitle": "", "track": "Escape games!", "type": "Workshop 2h", "language": "en", "abstract": "Dismantle the bomb by performing different tasks", "description": "Dismantle the bomb by performing different tasks. The tasks will include:\r\n- Solving ciphers\r\n- Being genuine with a special flashlight\r\n- lock picking \r\n- make a key with a lishi tool\r\n- ...", "recording_license": "", "do_not_record": false, "persons": [{"code": "ZTMXFW", "name": "Stijn Tomme", "avatar": "https://pretalx.com/media/avatars/ZTMXFW_uIVfOdZ.webp", "biography": "Been in IT security for too long. 
I enjoy creating fun and games!", "public_name": "Stijn Tomme", "guid": "ead70de2-5a9e-5747-942b-781b37612c50", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/ZTMXFW/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/", "attachments": []}], "Workshops and Stage - Design Space (C1.05.12)": [{"guid": "b336dc18-622e-5594-a822-ce84c82129ae", "code": "LKLWWX", "id": 90255, "logo": null, "date": "2026-05-08T09:40:00+02:00", "start": "09:40", "duration": "00:40", "room": "Workshops and Stage - Design Space (C1.05.12)", "slug": "bsidesluxembourg-2026-90255-spreading-malware-with-usb-keys-does-it-still-work", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/LKLWWX/", "title": "Spreading malware with USB keys - does it still work ?", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "Do end users spontaneously connect USB sticks found in public places to their personal or professional computers ? \r\n\r\nTo this end, a controlled experiment was carried out in Luxembourg, where 250 USB sticks were voluntarily \u201clost\u201d. The results revealed a high success rate, estimated around 20%, with the first connection recorded in just a few minutes. We believe that these users are acting out of curiosity or altruistic intent, seeking to identify or restore the owner of the key. \r\n\r\nHowever, they do not perceive the risks associated with their gesture. The study highlights the persistence of USB key attacks as an effective intrusion vector, and underscores the need to make users more aware of the dangers they represent.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "F7ZBE7", "name": "Didier Barzin", "avatar": "https://pretalx.com/media/avatars/F7ZBE7_Bc65boE.webp", "biography": "Hi there, I'm Didier, a technology and information security enthusiast. 
I started my career as an information security Ninja, defending information systems against cyber threats using my Jedi skills. However, I also have another side to me that comes out at night, that of a benevolent hacker. I love using my skills to support the values of open source and firmly believe in them.\r\n\r\nI believe that technology can be used to improve people's lives, but this can only be done if we work together and share our knowledge. That's why I'm also a strong advocate of collaboration and openness in the tech industry.\r\n\r\nMay the source code be with you!", "public_name": "Didier Barzin", "guid": "f3d30423-f31f-58d2-a7b1-5130e94b7e0a", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/F7ZBE7/"}, {"code": "JB9XWV", "name": "Mathieu Vajou", "avatar": null, "biography": "Cyber fun guy.", "public_name": "Mathieu Vajou", "guid": "6d400cba-e22f-5f51-8d2b-54f2f193d543", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/JB9XWV/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/LKLWWX/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/LKLWWX/", "attachments": []}, {"guid": "f94cfa0c-2b1f-550f-97da-2176bf28b046", "code": "SSCME8", "id": 92264, "logo": null, "date": "2026-05-08T10:40:00+02:00", "start": "10:40", "duration": "00:40", "room": "Workshops and Stage - Design Space (C1.05.12)", "slug": "bsidesluxembourg-2026-92264-forensic-challenges-in-real-world-cases-of-digital-manipulation", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/SSCME8/", "title": "Forensic Challenges in Real-World Cases of Digital Manipulation", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "With a 308% increase in AI-generated fake content between 2024 and 2025, the justice system faces an authenticity crisis. 
This talk explores real-world cases: from voice cloning for scams in Brazil to lack of a convergent pattern in spoofing crime investigations in Portugal, how can we empower professionals to identify synthetic evidence and understand the limits of the admissibility of expert evidence in the age of Artificial Intelligence?", "description": "Case Study: Portugal (Spoofing & Investigation)\r\nThe Challenge: Real case with no \"convergent pattern.\" Calls that can originate abroad with forged national IDs, making it impossible for local operators to assign responsibility or for investigators to find a consistent \"fingerprint.\" What impact it does to the \r\n\r\nCase Study: Brazil (Vishing)\r\nThe Mechanism: Scammers harvest video from old people and make loans on their behalf.\r\nImpact: Financial losses in Brazil due to digital fraud reached R$10.1 billion in late 2024. Half of all fraud attempts in 2025 were linked to \"vishing\" and social engineering.", "recording_license": "", "do_not_record": false, "persons": [{"code": "7QZC3G", "name": "Thiago Vieira", "avatar": "https://pretalx.com/media/avatars/BWZF79_cyONdVB.webp", "biography": "I started my career as a developer 15 years ago as network technician, then I switched to law, started to work as a forensic expert, now I help cyber startups to grow and scale, specially in the forensic part,  to build a collective digital immunity to eradicate the cyber pandemic.", "public_name": "Thiago Vieira", "guid": "4e20305b-1ff1-51a6-a451-29dc6407954d", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/7QZC3G/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/SSCME8/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/SSCME8/", "attachments": []}, {"guid": "07600967-1b7f-5e30-8dd1-0787f1b79748", "code": "QPVJLF", "id": 96448, "logo": null, "date": "2026-05-08T11:20:00+02:00", "start": "11:20", "duration": "00:40", "room": "Workshops and Stage - Design Space 
(C1.05.12)", "slug": "bsidesluxembourg-2026-96448-500-incidents-later-real-world-cyber-defense", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/QPVJLF/", "title": "500 Incidents Later: Real-World Cyber Defense", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "**Our CSIRT found that in 4 out of 5 security incidents, there were pre-existing alerts.**\r\n\r\nMost organizations don't get breached because they lack tools. They get breached because of predictable, repeatable mistakes. The kind our SOC and CSIRT teams at ACEN see across 500+ incidents in European organizations.\r\n\r\nThis session breaks down the patterns and numbers that matter: where attackers consistently get in, what organizations consistently miss, how many hours go into responding to an incident, and what separates the ones that contain a breach from the ones that don't.", "description": "When you provide security at scale, it's critical to identify patterns and what actually works.\r\nAt ACEN, our SOC and CSIRT teams have handled over 500 security incidents and currently protect more than 40 organizations on a daily basis.  
That hands-on experience has taught us what works, what doesn't, and how to avoid the pitfalls that lead to a breach.\r\n\r\nIn this session you'll discover:\r\n- **Statistics from the trenches:** Incident patterns and data from real European cases, straight from our experience.\r\n- **Real-world case studies:** Common attack scenarios, walked through step by step, showing exactly what went wrong.\r\n- **How to avoid common pitfalls:** The key missteps organizations make and how to prevent them.\r\n- **A proactive approach:** How these incidents could have been prevented, and how that same thinking can protect your organization.\r\n\r\nYou'll leave with a clear plan to improve your security posture, and the right questions to ask before someone else finds the gaps first.", "recording_license": "", "do_not_record": false, "persons": [{"code": "VVEEAS", "name": "Federico", "avatar": "https://pretalx.com/media/avatars/7XGSJB_mVmQcXI.webp", "biography": "Federico Meiners is a cybersecurity leader and Business Unit Manager of the Managed Detection & Response (MDR) unit at ACEN, a Belgian cybersecurity company specializing in Managed Security Services and consultancy across Identity, Infrastructure, MDR, and Advisory, with an in-house CSIRT team.\r\n\r\nWith a background in hands-on security engineering and worldwide recognized certifications including PMP, CRISC, and CCSM, Federico brings a rare blend of deep technical expertise and business strategy. 
He has shared his insights at events organized by Google and Check Point, and is currently developing a managed service framework designed to strengthen the synergy and effectiveness between MSSPs and their customers.", "public_name": "Federico", "guid": "572e688a-4611-531a-936b-6d402037d9ee", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/VVEEAS/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/QPVJLF/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/QPVJLF/", "attachments": []}, {"guid": "cd6e984f-f329-55c9-815c-79d2de3c9bf8", "code": "L9Y9PM", "id": 93085, "logo": null, "date": "2026-05-08T13:30:00+02:00", "start": "13:30", "duration": "00:40", "room": "Workshops and Stage - Design Space (C1.05.12)", "slug": "bsidesluxembourg-2026-93085-third-party-risk-management", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/L9Y9PM/", "title": "Third Party Risk Management", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "Identifying and managing the third party risk while continuing to comply with business needs and regulatory requirements.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "9F8L9S", "name": "Jyoti Upadhyay", "avatar": null, "biography": "Cybersecurity and Risk Management professional with over 15 years of expertise in identifying, assessing, and mitigating cybersecurity and technology risks. Specialized in third-party risk management, regulatory compliance, and data security with proven success in aligning cybersecurity strategies with organizational goals. 
Skilled in advising executive management and technical teams on effective risk mitigation strategies within the Information Security Framework.", "public_name": "Jyoti Upadhyay", "guid": "7af59a70-dfab-5aad-8e66-cc64b1bebd88", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/9F8L9S/"}, {"code": "9WY3UZ", "name": "Parveen Rajpurohit", "avatar": null, "biography": null, "public_name": "Parveen Rajpurohit", "guid": "3cb11267-4c55-5887-b7ee-1871acfa6a54", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/9WY3UZ/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/L9Y9PM/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/L9Y9PM/", "attachments": []}, {"guid": "b66415f4-502c-5ee5-b0cc-e8ecf353bf94", "code": "CERTQC", "id": 92823, "logo": null, "date": "2026-05-08T14:10:00+02:00", "start": "14:10", "duration": "00:40", "room": "Workshops and Stage - Design Space (C1.05.12)", "slug": "bsidesluxembourg-2026-92823-agnoletti-trump-gaming-playing-to-win-at-cyber", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/CERTQC/", "title": "Agnoletti & Trump:  Gaming Playing to Win at Cyber", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "Two blokes. One strategy. Train to Win or don\u2019t bother playing\r\n\r\nThere is little excuse for organisational failure when executing incident response as nearly every possible cyber security scenario has not only been documented but could be \"role played\"  by your team well in advance of an actual incident.\r\n\r\nJoin Klaus Agnoletti & Ian Thornton-Trump for a talk focused on creating role playing experiences for your organization - based on the latest adversary threat intel. 
\r\n\r\nSpecific Take Aways include:\r\n- Listening at the Door\r\n - Is there a sleeping Panda, Kitten,  Bear or Spider lurking in the network?\r\n- Checking for Traps\r\n  - Can IR activities be carried out without alerting the threat actor?\r\n- Containment\r\n - Can the threat actor be contained, or will they run and bring in reinforcements?\r\n- Clearing the Room\r\n - The threat actor may put up a fight, do you need to bring in additional help?\r\n- Looting the Room\r\n - The treasure is the experience, the coin is your pay check\r\n\r\nA hilarious RPG focused talk combining the best elements of scenario driven IR training with a creative spin.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "SQVVHK", "name": "Klaus Agnoletti", "avatar": "https://pretalx.com/media/avatars/JZ8NCF_NRSojrT.webp", "biography": "Klaus Agnoletti has been an all-round infosec professional since 2004. As a long-time active member of the infosec community in Copenhagen, Denmark, he co-founded BSides K\u00f8benhavn in 2019. \r\n\r\nCurrently he's a freelance storytelling cyber security advisor specializing in security transformation and community focused marketing, employer branding, playing security games  and other fun assignments and ideas coming his way. 
\r\n\r\nLately he has also become a neurodiversity advocate speaking about ADHD to educate and break down taboos in an industry with a vast overrepresentation of neurodiversity and not very many talking about it.", "public_name": "Klaus Agnoletti", "guid": "97865f70-b8ae-51b2-b463-29887514404a", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/SQVVHK/"}, {"code": "DACUWF", "name": "Ian Thornton-Trump", "avatar": null, "biography": "please add", "public_name": "Ian Thornton-Trump", "guid": "a42e0090-4519-57a9-b454-f70995fef9d4", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/DACUWF/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/CERTQC/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/CERTQC/", "attachments": []}, {"guid": "41606a6d-2f79-55f4-8c81-dd2a2fccacf3", "code": "KFW9CC", "id": 89734, "logo": null, "date": "2026-05-08T15:40:00+02:00", "start": "15:40", "duration": "00:40", "room": "Workshops and Stage - Design Space (C1.05.12)", "slug": "bsidesluxembourg-2026-89734-weaponizing-pdf-files-advanced-exploitation-techniques-for-red-teams", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/KFW9CC/", "title": "Weaponizing PDF Files: Advanced Exploitation Techniques for Red Teams", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "This is a hands-on presentation that will guide you through the world of PDF exploitation, showcasing how this ubiquitous document format can serve as a vessel for malicious JavaScript malware. 
Dive into real-world vulnerabilities that have been leveraged to execute harmful code directly through PDF files posing major threats in today's cybersecurity landscape.\r\n\r\nKey exploit techniques explored will include:\r\n\r\nData Exfiltration Tactics: Discover methods for covertly extracting sensitive data, such as email addresses and system information, from unsuspecting users.\r\nEmbedding Malware in PDFs: Learn how adversaries embed malicious scripts within PDF files, tricking users into triggering exploits in Adobe Reader through typical file interactions.\r\nWe'll dissect techniques including shellcode injection, buffer overflow attacks, Adobe Reader exploitation, and memory manipulation each engineered to deliver and execute malware efficiently.\r\n\r\nThis session is ideal for offensive security professionals, penetration testers, and threat emulation experts seeking to elevate their understanding of PDF-based threats and enhance their testing skills. Uncover how these sophisticated attacks work and walk away with actionable strategies to counter them.\r\n\r\nMore information about the presentation can be found in this article: https://labs.segura.blog/unmasking-the-threat-a-deep-dive-into-the-pdf-malicious-2/", "description": "Outline\r\n1. Introduction\r\n- Welcome & Objectives\r\n- Importance of PDF Security in Today\u2019s Threat Landscape\r\nOverview of Hands-On Approach\r\n2. Anatomy of a PDF File\r\n- PDF File Structure Overview\r\n- Common Features Abused by Attackers\r\n- JavaScript Capabilities Within PDFs\r\n3. Real-World Vulnerabilities\r\n- Demo: Analyzing a Malicious PDF Sample\r\n4. 
Key Exploit Techniques\r\n- Heap Spray Attacks\r\n- Concept and Mechanism\r\n- Demo: Shellcode Injection via Heap Spray\r\n- Data Exfiltration Tactics\r\n- Covert Data Extraction Methods\r\n- Demo: Harvesting User Data from PDF Interaction\r\n- Embedding Malware in PDFs\r\n- Techniques for Payload Embedding\r\n- Demo: Triggering Exploits Through User Actions\r\n5. Advanced Attack Vectors\r\n- Shellcode Injection & Buffer Overflows\r\n- Memory Manipulation in Adobe Reader\r\n- Demo: Exploiting Adobe Reader Vulnerabilities\r\n6. Hands-On Exercise\r\n- Guided Lab: Analyzing and Crafting Malicious PDFs\r\n- Indicators of Compromise (IoCs)\r\n- Safe Testing Practices", "recording_license": "", "do_not_record": false, "persons": [{"code": "UFEVPR", "name": "Filipi Pires", "avatar": "https://pretalx.com/media/avatars/UFEVPR_Q6uWWdh.webp", "biography": "I\u2019ve been working as Head of Technical Advocacy at SCYTHE, Founder & Investor at Cross Intelligence, BSides Porto Organizer, Red Team Village Director (DEF CON), Senior Advisor Raices Cyber Academy, Founder of Red Team Community (Brazil and LATAM),  AWS Community Builder, Snyk Ambassador, Application Security Specialist and Hacking is NOT a crime Advocate. 
International Speaker at Security and New technologies events in many countries such as US (Black Hat & Defcon), Canada, France, Spain, Germany, Poland, Black Hat MEA - Middle-East - and others, I\u2019ve served as University Professor in Master Degree in Portugal, Graduation and MBA courses at Brazilian colleges, in addition, I'm Creator and Instructor of the Course - Malware Attack Types with Kill Chain Methodology (PentestMagazine), PowerShell and Windows for Red Teamers(PentestMagazine) and Malware Analysis - Fundamentals (HackerSec).", "public_name": "Filipi Pires", "guid": "f46dcde4-d4c8-5594-ada4-c0b9c6ae1bba", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/UFEVPR/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/KFW9CC/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/KFW9CC/", "attachments": []}], "Workshops and Stage - Gernsback (C1.05.02)": [{"guid": "9c9a739e-23a2-5dff-abb1-91f32223af18", "code": "7DGVSU", "id": 85260, "logo": null, "date": "2026-05-08T09:40:00+02:00", "start": "09:40", "duration": "00:40", "room": "Workshops and Stage - Gernsback (C1.05.02)", "slug": "bsidesluxembourg-2026-85260-curating-secure-software-the-art-of-selecting-safe-dependencies", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/7DGVSU/", "title": "Curating Secure Software: The Art of Selecting Safe Dependencies", "subtitle": "", "track": "Secure Development track", "type": "Talk", "language": "en", "abstract": "Imagine curating an art gallery\u2014you wouldn\u2019t hang just any painting on the wall. Each piece is carefully selected, verified for authenticity, and preserved to ensure a valuable experience for visitors. The same meticulous approach applies to software development.\r\nSecure curation of open source isn\u2019t about stifling creativity; it\u2019s about ensuring that the dependencies we bring into our applications are secure, well-maintained, and reliable. 
As an art curator protects against forgeries and deterioration, developers must assess third-party components for malware, tampering, vulnerabilities, licensing risks, and long-term sustainability.\r\nThis talk will explore why curation is the foundation of secure software supply chains. We\u2019ll discuss practical strategies for evaluating dependencies, maintaining a trusted repository, and leveraging free tools to automate the process. By adopting a safe curation mindset, developers can sleep better at night, knowing their applications rest on a foundation of safe, high-quality components.", "description": "Curating software is like curating art\u2014every dependency must be verified, authentic, and secure. This talk explores how careful selection, evaluation, and automation can help developers build safer apps and maintain a strong, trustworthy software supply chain.", "recording_license": "", "do_not_record": false, "persons": [{"code": "CKHUTC", "name": "Kadi McKean", "avatar": "https://pretalx.com/media/avatars/CKHUTC_fgSIsTP.webp", "biography": "At ReversingLabs, I work with customers and partners across Europe to implement scalable, intelligence-driven solutions that address the growing challenges of modern software development and supply-chain integrity. My work covers areas such as Software Bill of Materials (SBOM) management, malware analysis, and advanced file and binary inspection.\r\nI\u2019m passionate about translating complex cybersecurity topics into clear, actionable strategies that align with business goals. I focus on turning cybersecurity from a reactive defense into a proactive enabler of innovation. 
I also enjoy engaging in conversations about the evolving threat landscape, the future of software trust, and how automation and AI can strengthen cyber defense.\r\nMy goal is to help organizations build not just safer software, but stronger security cultures, where transparency, collaboration, and continuous improvement are at the center of every initiative.", "public_name": "Kadi McKean", "guid": "30acdb3a-ef84-5739-b05f-8c4c3653f40d", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/CKHUTC/"}, {"code": "AGTJWH", "name": "Frithjof Hoffmann", "avatar": "https://pretalx.com/media/avatars/AGTJWH_mCJf9Ke.webp", "biography": "I\u2019m a technical sales engineer and cybersecurity professional specializing in software supply-chain security, threat intelligence, and risk management. Based in Moormerland, Germany, I combine deep technical expertise with a strategic, customer-focused approach to help organizations gain visibility, reduce risk, and strengthen resilience across their software ecosystems.\r\nAt ReversingLabs, I work with customers and partners across Europe to implement scalable, intelligence-driven solutions that address the growing challenges of modern software development and supply-chain integrity. My work covers areas such as Software Bill of Materials (SBOM) management, malware analysis, and advanced file and binary inspection.\r\nI\u2019m passionate about translating complex cybersecurity topics into clear, actionable strategies that align with business goals. I focus on turning cybersecurity from a reactive defense into a proactive enabler of innovation. 
I also enjoy engaging in conversations about the evolving threat landscape, the future of software trust, and how automation and AI can strengthen cyber defense.\r\nMy goal is to help organizations build not just safer software, but stronger security cultures, where transparency, collaboration, and continuous improvement are at the center of every initiative.", "public_name": "Frithjof Hoffmann", "guid": "0b5d0a38-e375-5e20-8da6-bffd22e1350c", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/AGTJWH/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/7DGVSU/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/7DGVSU/", "attachments": []}, {"guid": "be43d266-039e-535f-b043-c8939f86a0cc", "code": "8LNSCC", "id": 92248, "logo": null, "date": "2026-05-08T10:40:00+02:00", "start": "10:40", "duration": "00:40", "room": "Workshops and Stage - Gernsback (C1.05.02)", "slug": "bsidesluxembourg-2026-92248-spyware-the-invisible-threat", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/8LNSCC/", "title": "Spyware: The Invisible Threat", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "Commercial spyware like Pegasus can compromise mobile devices without any user interaction (zero-click attacks) that bypass traditional security. \r\nWith thousands of confirmed infections and 50,000 suspected targets since 2016, this threat extends beyond journalists and activists to strategic sectors: energy, transport, telecommunications, and defence. 
\r\nLearn how nation-state spyware works, see real evidence of infections, and discover how forensic-grade detection tools can protect executive teams and board members in high-value organisations.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "KM3NPT", "name": "Julien vander Straeten", "avatar": "https://pretalx.com/media/avatars/CVUHJM_jT9y3If.webp", "biography": "Julien started in Apple automation and security. His role evolved towards mobile forensics for the last couple of years.\r\nWhile being a niche market, it applies to many industry leaders. These leaders often misunderstand what nation state malware is and why tools from regular security vendors can't detect these.\r\nHis mission in 2026 is to build awareness amongst these industry leaders to help them understand what nation state malware is and whether it applies to their users or not.", "public_name": "Julien vander Straeten", "guid": "1474b0a1-5f0c-53d8-ac90-203c3026e12d", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/KM3NPT/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/8LNSCC/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/8LNSCC/", "attachments": []}, {"guid": "e9340e13-d7e1-56e2-89cb-1393cf8643bc", "code": "DL9Z8C", "id": 86901, "logo": null, "date": "2026-05-08T11:20:00+02:00", "start": "11:20", "duration": "00:40", "room": "Workshops and Stage - Gernsback (C1.05.02)", "slug": "bsidesluxembourg-2026-86901-from-phishing-to-mitigation-an-early-career-incident-response", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/DL9Z8C/", "title": "From Phishing to Mitigation: An Early-Career Incident Response", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "Early in my career, while working as a junior engineer at an emerging AI startup in Seattle, Washington, USA, during the first wave of commercial AI adoption, our company suddenly became the target of 
an extreme and highly disruptive phishing campaign. Shortly after we received public attention as a \u201chot startup,\u201d phishing volume surged to the point that it flooded employee mailboxes and interfered with normal operations. The messages were convincing enough that at one point an employee ran through the office claiming that our CEO was stranded at an airport and urgently needed financial help.\r\n\r\nWhat initially felt like an uncontrollable background problem became a significant security and operational risk. Rather than accepting it as inevitable, we began analyzing the phishing emails in detail\u2014 treating them as data rather than noise. By correlating sender IP addresses and examining publicly available IP allocation and routing information, we discovered that although the emails appeared to originate from many different sources, the traffic consistently traced back to a small number of allocated IP blocks.\r\n\r\nWe mitigated the immediate risk by blocking those ranges at the email gateway, which dramatically reduced the volume of phishing. Digging further into the upstream infrastructure revealed that the IP space was associated with a data center in Luxembourg, operating email security and anti-spam systems. At the time, I was in the process of reclaiming my Luxembourg citizenship through ancestry on my mother's side, and the situation prompted a different line of thinking: if similar infrastructure under my supervision was being abused, I would want to know about it.\r\n\r\nInstead of assuming malicious intent, we reached out directly to the infrastructure operator, shared sanitized examples of the phishing messages, and coordinated a responsible disclosure. Despite internal skepticism that this amounted to \u201ctalking to the attackers,\u201d the response was professional, the issue was investigated, and the phishing activity largely stopped. 
We also filed a report with the regional internet registry.\r\n\r\nLooking back, this incident shaped how I think about security problems that seem impossible or overwhelming. Not every issue is solved with more tooling or escalation. Sometimes, careful deduction paired with human communication and empathy can break deadlocks that technology alone cannot.", "description": "A recounting of an early-career security incident involving a disruptive phishing campaign, traced through IP allocation data and addressed through responsible disclosure with upstream infrastructure \u2014highlighting how technical analysis and human communication helped resolve a problem that initially felt unsolvable.", "recording_license": "", "do_not_record": false, "persons": [{"code": "FTZ9CR", "name": "Chris Beckman", "avatar": "https://pretalx.com/media/avatars/FTZ9CR_lZic0iR.webp", "biography": "Chris Beckman is a Principal Security Engineer at TaxBit with expertise in AI security and security architecture across both emerging technology startups and public companies. His work focuses on practical security decision-making in real-world systems. Outside of work, he enjoys photography.", "public_name": "Chris Beckman", "guid": "91cdb0f7-601c-5315-8ddc-c1e03a5a775c", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/FTZ9CR/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/DL9Z8C/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/DL9Z8C/", "attachments": []}, {"guid": "14f4c713-2e6a-5775-94cd-0198458f2f9d", "code": "ZQWC7Y", "id": 94029, "logo": null, "date": "2026-05-08T13:30:00+02:00", "start": "13:30", "duration": "00:40", "room": "Workshops and Stage - Gernsback (C1.05.02)", "slug": "bsidesluxembourg-2026-94029-building-vs-buying-a-tale-of-developing-an-in-house-sca-tool", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/ZQWC7Y/", "title": "Building vs. 
Buying \u2013 A Tale of Developing an In-House SCA Tool", "subtitle": "", "track": "Secure Development track", "type": "Talk", "language": "en", "abstract": "Most organizations run Software Composition Analysis, yet very few actually use the results effectively. Alerts pile up, developers ignore findings, and security teams drown in noise.\r\n\r\nThis talk tells the story of building an in-house SCA platform from scratch using open-source tooling, designed to scale across large organizations while focusing on what actually matters. We\u2019ll explore how to normalize results, prioritize vulnerabilities based on real risk, and integrate SCA into CI/CD in a way developers don\u2019t hate.\r\n\r\nBacked by real production usage and a live demo, this session focuses on practical techniques, not theory, to turn SCA from a checkbox into something teams can act on. Attendees will leave with ideas, patterns, and open-source approaches they can apply immediately.", "description": "In this session, I will take the audience through the complete journey of designing, building, and deploying an open-source Software Composition Analysis (SCA) tool from scratch. I will start by highlighting the common challenges teams face when using commercial SCA tools, such as opaque scoring systems, overwhelming volumes of alerts, inconsistent results across different repositories and ecosystems, and the difficulty in prioritizing what matters most. I will explain the motivation behind building an in-house, open-source tool: to give security and development teams transparency, control, and flexibility, and to create a practical, actionable approach to managing dependencies at scale.\r\n\r\nNext, I will dive into the technical architecture and design decisions that guided the tool\u2019s development, showing how it discovers dependencies, including transitive ones, across multiple ecosystems. 
I will cover how the tool integrates public vulnerability sources, including CVE databases, advisories, and metadata, and how it normalizes results to provide consistent, actionable insights. I will explain the scoring system we developed to prioritize vulnerabilities based on severity, exploitability, and update cadence, enabling teams to focus on what actually matters.\r\n\r\nThe session will include a live demo showing a real repository being scanned, vulnerabilities being discovered, scored, and surfaced in dashboards. I will walk through how results are integrated into CI/CD pipelines to block risky builds, automate updates, and generate actionable reports for developers. Along the way, I will share lessons learned from real-world deployment, including challenges in adoption, maintaining open-source tools, and improving developer engagement.\r\n\r\nBy the end of the session, attendees will understand the full lifecycle of building and using an open-source SCA tool, including practical integration strategies, risk prioritization techniques, and how to deploy it effectively in their own environments. I will provide links to the open-source code and supporting materials, so participants can explore and experiment immediately.", "recording_license": "", "do_not_record": false, "persons": [{"code": "MJHVWH", "name": "Diogo Lemos", "avatar": "https://pretalx.com/media/avatars/G7CXBJ_Y4PgX0R.webp", "biography": "I am an Application Security Engineer with extensive experience building and operating security tooling at scale. I started my career at Checkmarx, where I worked on security products, and later joined Flutter Entertainment, where I implemented and evolved large-scale AppSec programs. I currently work at OLX, focusing on automation, scalable security tooling, and cloud security. 
I actively contribute to open-source security projects and regularly speak at security conferences including Black Hat MEA, BSides, and BalCCon, with a focus on practical SAST, SECRETS management and SCA implementations.", "public_name": "Diogo Lemos", "guid": "e47a5f3a-a3e5-5fe7-845a-84bedb3f027a", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/MJHVWH/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/ZQWC7Y/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/ZQWC7Y/", "attachments": []}, {"guid": "8b121069-db84-552e-9504-affbf21172b3", "code": "LHVQCJ", "id": 85028, "logo": null, "date": "2026-05-08T14:45:00+02:00", "start": "14:45", "duration": "00:35", "room": "Workshops and Stage - Gernsback (C1.05.02)", "slug": "bsidesluxembourg-2026-85028-what-s-old-is-new-exploiting-classic-vulnerabilities-in-graphql-apis", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/LHVQCJ/", "title": "What's Old is New: Exploiting Classic Vulnerabilities in GraphQL APIs", "subtitle": "", "track": "Secure Development track", "type": "Talk", "language": "en", "abstract": "SQL injection and broken authentication remain persistent threats in modern web applications, yet many developers continue to assume that new technologies are immune to classic attacks. This presentation examines a real-world penetration test where we discovered critical SQL injection and authentication bypass vulnerabilities in a production GraphQL API backed by PostgreSQL\u2014proving that architectural shifts don't eliminate fundamental security flaws.", "description": "Organizations migrating to GraphQL often operate under a false sense of security, believing modern frameworks inherently protect against legacy vulnerabilities. 
This case study proves otherwise.\r\n\r\nWe'll walk through the complete exploitation chain\u2014from GraphQL schema enumeration and identifying injection points in resolvers, to executing time-based blind SQL injection that achieved PostgreSQL superuser access. We'll also demonstrate how broken authentication patterns in GraphQL's authorization layer enabled unauthorized data access. \r\n\r\nThe talk will include a live demo of GrapeQL, an open-source tool for automated GraphQL vulnerability scanning, with practical demonstrations of effective testing workflows. Attendees will learn GraphQL-specific mitigation strategies including parameterized queries in resolvers, proper input validation for nested structures, resolver-level authorization, rate/depth limiting, and security-focused schema design patterns.", "recording_license": "", "do_not_record": false, "persons": [{"code": "TSNM7K", "name": "Aleksa Zatezalo", "avatar": "https://pretalx.com/media/avatars/TSNM7K_XL6zT0t.webp", "biography": "Aleksa is a passionate security engineer, software developer, and aspiring open sorcerer. He enjoys writing and publishing software that provides elegant solutions to offensive security problems. He has contributed to multiple projects, including Metasploit. In April of 2022, Aleksa graduated from the University of Toronto with a bachelor\u2019s degree in computer science and a Certificate of Ethical Hacking (CEHv10). He began working as a Cloud Security consultant and hacker. He also began attending Defcon as an attendee and a volunteer for the Blue Team Village (BTV). One of Aleksa\u2019s fondest cybersecurity memories is playing the Pros Versus Joes CTF during BSides Las Vegas. By April 2024, Aleksa had obtained his OSCP and begun working as a security engineer at Praetorian. He is currently pursuing his OSCE3. He enjoys Brazilian Jiu-Jitsu, running long distances, and reading in his free time. He currently holds a blue belt in Brazilian Jiu-Jitsu. 
The book Mastery by Robert Greene is a big inspiration for Aleksa.", "public_name": "Aleksa Zatezalo", "guid": "4222d2f8-8a70-52fb-9582-0560c77b2eea", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/TSNM7K/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/LHVQCJ/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/LHVQCJ/", "attachments": []}], "CTF players room (C1.03.05 6+8th or C1.04.02 7th)": [{"guid": "c2f0a07d-b927-5551-9c29-66067e72880d", "code": "MXSRZ9", "id": 92883, "logo": null, "date": "2026-05-08T14:00:00+02:00", "start": "14:00", "duration": "02:00", "room": "CTF players room (C1.03.05 6+8th or C1.04.02 7th)", "slug": "bsidesluxembourg-2026-92883-bsidesluxembourg-2026-ctf-walkthrough-session", "url": "https://pretalx.com/bsidesluxembourg-2026/talk/MXSRZ9/", "title": "BsidesLuxembourg 2026 CTF Walkthrough Session", "subtitle": "", "track": null, "type": "Workshop 2h", "language": "en", "abstract": "The BSides CTF Walkthrough Session is a live, introductory tour of some of the selected challenges from this yearly BSides Luxembourg Capture-the-Flag competition. During this interactive activity, we will not walk through every challenge step by step; instead, we will focus on the tasks that the participants found most interesting and frustrating (this could be a web exploit, LPE, OSINT or crypto puzzle), so that by the end of the session both those with little experience and those with more experience have a better overall idea of how to think during a CTF.", "description": "Instead of a lecture where the speaker tells the audience all the answers, the session is structured as a conversation with the players of the CTF. We will begin with a brief summary of the BSides Luxembourg 2026 CTF: types, difficulty tiers, and some statistics (solves, first bloods, most/least solved challenges). 
Following that, it will be audience-driven: we will ask the participants which challenges they would like to revisit and then unravel them on the spot.\r\n\r\nFor each chosen challenge, we will:\r\n\r\n- Explain the core idea and what clue in the statement pointed to it.\r\n- Show the critical steps of the solution, highlighting typical mistakes and dead ends.\r\n- Discuss alternative approaches, tooling, and how similar bugs appear in real\u2011world systems.\r\n\r\nThis format allows the session to be useful regardless of whether you were able to solve many flags or couldn't get through: you can bring your questions, learn how other people tackled the same problem, and pick up practical tips for solving CTF problems that you can apply to future CTF events.", "recording_license": "", "do_not_record": false, "persons": [{"code": "9CRTFB", "name": "MUHAMMED WASEEM VILLAN", "avatar": null, "biography": "N/A", "public_name": "MUHAMMED WASEEM VILLAN", "guid": "0ad804f6-6b98-5224-8d5d-9540c568db75", "url": "https://pretalx.com/bsidesluxembourg-2026/speaker/9CRTFB/"}], "links": [], "feedback_url": "https://pretalx.com/bsidesluxembourg-2026/talk/MXSRZ9/feedback/", "origin_url": "https://pretalx.com/bsidesluxembourg-2026/talk/MXSRZ9/", "attachments": []}]}}]}}}