<?xml version='1.0' encoding='utf-8' ?>
<iCalendar xmlns:pentabarf='http://pentabarf.org' xmlns:xCal='urn:ietf:params:xml:ns:xcal'>
    <vcalendar>
        <version>2.0</version>
        <prodid>-//Pentabarf//Schedule//EN</prodid>
        <x-wr-caldesc></x-wr-caldesc>
        <x-wr-calname></x-wr-calname>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>EFGX97@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-EFGX97</pentabarf:event-slug>
            <pentabarf:title>From Zero Trust to Trusted Advisor - Selling Security to Stakeholders</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260506T140000</dtstart>
            <dtend>20260506T180000</dtend>
            <duration>040000</duration>
            <summary>From Zero Trust to Trusted Advisor - Selling Security to Stakeholders</summary>
            <description>You&#x27;ve identified the vulnerability, tested the exploit, and written the report. But they just don’t see the urgency. Now what? This 4-hour, hands-on workshop bridges the gap between technical mastery and boardroom influence. We&#x27;ll move beyond simply reporting risks to crafting compelling narratives, quantifying value, and building the relationships necessary to drive meaningful security improvements.
This isn&#x27;t your typical &quot;compliance&quot; training. We&#x27;ll delve into the psychology of decision-making, explore adversarial communication tactics (used against you), and arm you with practical strategies to become a trusted advisor who can effectively advocate for security and get things done.
Target Audience:
Security professionals of all levels (penetration testers, security engineers, analysts, red teamers, etc.) who want to improve their communication and persuasion skills to influence stakeholders and drive security initiatives.
Workshop Objectives:
Participants will be able to:
•	Identify and analyze key stakeholders, influencers, and decision makers within their organizations.
•	Translate technical findings or concepts, such as security by design, into business-centric language.
•	Tailor your message to your stakeholders and influence them to make better decisions (social engineering for good!).
•	Articulate the ROI of security investments.
•	Effectively counter common objections and adversarial tactics.
•	Develop a practical method for ongoing stakeholder engagement.
•	Practice communicating complex security issues to non-technical audiences.
•	Build trust and credibility with diverse stakeholders.
•	Overcome their own fears and perceived limitations when dealing with key business decision makers.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop 4h</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/EFGX97/</url>
            <location>Main Stage</location>
            
            <attendee>Daniela Parker</attendee>
            
            <attendee>Glen Sorensen</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>WGNSKX@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-WGNSKX</pentabarf:event-slug>
            <pentabarf:title>[Reboot] ML foundations for cybersecurity in 2026</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260506T090000</dtstart>
            <dtend>20260506T180000</dtend>
            <duration>090000</duration>
            <summary>[Reboot] ML foundations for cybersecurity in 2026</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Training 8h</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/WGNSKX/</url>
            <location>IFEN room 1, Workshops and Detection Engineering village (Building D)</location>
            
            <attendee>Pauline Bourmeau (Cookie)</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>9HS8CG@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-9HS8CG</pentabarf:event-slug>
            <pentabarf:title>Packet Analysis for Beginners - an IoT toy, some packets, and Wireshark</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260506T090000</dtstart>
            <dtend>20260506T110000</dtend>
            <duration>020000</duration>
            <summary>Packet Analysis for Beginners - an IoT toy, some packets, and Wireshark</summary>
            <description>Pre-Workshop Setup:
Please install Wireshark before the session: https://www.wireshark.org/download.html (installation guide: https://www.wireshark.org/docs/installation.html)

Crucial Permission Steps:
    Windows: Ensure you install Npcap during the setup process.
    macOS: Follow the prompts to allow network access/chmod permissions.
    Linux: Run sudo dpkg-reconfigure wireshark-common, select yes, then add your user to the wireshark group (sudo usermod -aG wireshark $USER), then reboot.

Test: Open the app; if you see &quot;live&quot; traffic lines on your network interface, you are ready!

In this workshop, we’ll take a packet capture from a disconcerting connected toy and use it as a starting point to learn how to read ordinary network traffic. Step by step, we’ll look at how devices introduce themselves on a local network, resolve names, establish connections, negotiate encryption, and continue communicating during normal operation. Once we have familiarized ourselves, we will move on to some real-world captures.

Rather than breaking encryption or exploiting vulnerabilities, the focus is on observation and understanding. Using Wireshark, we’ll practice identifying patterns, relationships, and metadata that remain visible even when payloads are encrypted. Along the way, we’ll look at how to recognise when a device is phoning home, what kinds of context travel with requests, and how much can be learned from traffic that is behaving exactly as designed.

This workshop is aimed at beginners and the curious. No prior experience with packet analysis is required. A willingness to look closely at what is already on the wire is enough.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop 2h</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/9HS8CG/</url>
            <location>IFEN room 2, Workshops and AI Security Village  (Building D)</location>
            
            <attendee>Katherine Leese</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>ZXMFCW@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-ZXMFCW</pentabarf:event-slug>
            <pentabarf:title>A phishing trip with Fancy Bear - Let&#x27;s analyze APT malware together!</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260506T110000</dtstart>
            <dtend>20260506T130000</dtend>
            <duration>020000</duration>
            <summary>A phishing trip with Fancy Bear - Let&#x27;s analyze APT malware together!</summary>
            <description>This workshop does not depend on domain-specific knowledge, we will try to break the steps down as far as possible. Attendees will follow along through small exercises, with the opportunity to compare their solution through a validation system.

Important message for attendees: If you would like to follow along, please bring a laptop with a charged battery. You will be handling real-world malware (you act at your own risk; no backup, no pity). I recommend using a virtual machine (e.g. FLARE-VM, REMnux). No special tooling is required, but make sure to have the basics (text and hex editor, browser, ZIP utility) installed. No photos during the workshop please; you will receive a copy of the slides.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop 2h</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/ZXMFCW/</url>
            <location>IFEN room 2, Workshops and AI Security Village  (Building D)</location>
            
            <attendee>Marius Genheimer</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>JABHUU@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-JABHUU</pentabarf:event-slug>
            <pentabarf:title>How to Read Code to Find Vulnerabilities</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260506T140000</dtstart>
            <dtend>20260506T160000</dtend>
            <duration>020000</duration>
            <summary>How to Read Code to Find Vulnerabilities</summary>
            <description>Modern applications break in subtle ways, and many of the most impactful vulnerabilities come from tiny mistakes hidden in plain sight. Scanners won’t catch them. AI won’t catch them. But a trained human eye will.

This workshop teaches you how to read code with the explicit goal of finding vulnerabilities.
Through real, CVE-inspired examples, we’ll explore how small inconsistencies, incorrect assumptions, and misunderstood framework behaviour turn into exploitable bugs.

You’ll practice spotting red flags in small snippets, recognising dangerous patterns, and understanding why certain coding choices reliably lead to security issues. The session is fast-paced and hands-on, designed to build practical intuition you can apply immediately.

Whether you’re a developer, pentester, or AppSec engineer, you’ll leave with a clear, repeatable methodology for reviewing code and uncovering vulnerabilities that tools routinely miss.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop 2h</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/JABHUU/</url>
            <location>IFEN room 2, Workshops and AI Security Village  (Building D)</location>
            
            <attendee>Louis Nyffenegger</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>CY9AEA@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-CY9AEA</pentabarf:event-slug>
            <pentabarf:title>Hands-on Car Hacking &amp; Automotive Cybersecurity</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260506T160000</dtstart>
            <dtend>20260506T180000</dtend>
            <duration>020000</duration>
            <summary>Hands-on Car Hacking &amp; Automotive Cybersecurity</summary>
            <description>In this interactive workshop, attendees will learn how modern cars communicate internally and how attackers can exploit weaknesses in these systems. After a quick introduction to automotive security concepts and vehicle network architecture, participants will dive straight into practical exercises using the Controller Area Network (CAN) bus.

You&#x27;ll capture and analyze live CAN traffic, reverse engineer messages sent to critical components, and craft spoofed signals that manipulate the instrument cluster. All within a safe and controlled lab environment. Through guided exercises, demonstrations, and collaborative problem-solving, you&#x27;ll gain a clear understanding of how real automotive attacks work and what defenders should look out for.

**Key Takeaways:**
- Understand modern automotive security fundamentals and vehicle network design
- Capture, analyze, and interpret CAN bus traffic
- Reverse engineer real in-vehicle messages
- Craft and send spoofed signals to demonstrate attack paths in a controlled environment

**Prerequisites:**
Participants should bring a laptop with the following characteristics:
- Laptop running a Linux distribution (or a Linux VM with USB passthrough enabled)
- Available USB-A port, or USB-C port with compatible cable</description>
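Added example, not the workshop's material: a small Python analysis of a candump log that performs the middle step of the procedure above (working out which arbitration ID and which byte carry a signal by diffing frames over time) and then formats the spoofed frame in the ID#DATA syntax that cansend from can-utils accepts. The capture embedded below is constructed for the demo; the ID 0x244 and the byte layout are assumptions, not a real vehicle's message definition.

```python
"""Spot the signal inside a CAN capture and build the frame that replays it.

Added example, not the workshop's code. It reads candump -L style lines
("(timestamp) iface ID#HEXDATA"), groups payloads by arbitration ID, reports
the byte offsets that change during the capture (constant frames are noise
for this purpose), and formats a cansend-style frame with one byte altered.
The log below is constructed for the demo: the ID 0x244 and the byte layout
are assumptions, not a real vehicle's message definition.
"""
import re
from collections import defaultdict

# candump -L log line: "(1700000000.000100) vcan0 244#000000000000"
LINE_RE = re.compile(r"\(([\d.]+)\) (\S+) ([0-9A-Fa-f]+)#([0-9A-Fa-f]*)")

# Constructed capture: 0x244 carries a ramping value in byte 4 while
# 0x1A4 and 0x188 stay constant (heartbeat-like traffic).
SAMPLE_LOG = """\
(1700000000.000100) vcan0 244#000000000000
(1700000000.000150) vcan0 1A4#0000
(1700000000.000200) vcan0 188#FF01
(1700000000.010100) vcan0 244#000000000A00
(1700000000.010150) vcan0 1A4#0000
(1700000000.020100) vcan0 244#000000001400
(1700000000.020200) vcan0 188#FF01
(1700000000.030100) vcan0 244#000000001E00
"""

def parse(log: str) -> dict:
    """Group payload bytes per arbitration ID, in arrival order."""
    frames = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # skip anything that is not a frame line
        frames[m.group(3).upper()].append(bytes.fromhex(m.group(4)))
    return dict(frames)

def varying_bytes(frames: dict) -> dict:
    """Byte offsets whose value changes across the capture, per ID.

    A byte that moves while the value you are after changes (speed,
    RPM, a door state) is the candidate signal; IDs with no moving
    bytes are dropped from the result.
    """
    result = {}
    for can_id, payloads in frames.items():
        width = min(len(p) for p in payloads)
        offsets = [i for i in range(width) if len({p[i] for p in payloads}) > 1]
        if offsets:
            result[can_id] = offsets
    return result

def spoof_frame(can_id: str, template: bytes, offset: int, value: int) -> str:
    """cansend-style 'ID#DATA' frame with one byte replaced by value."""
    if value not in range(256):
        raise ValueError("byte value out of range")
    data = bytearray(template)
    data[offset] = value
    return f"{can_id}#{data.hex().upper()}"

def analyse(log: str = SAMPLE_LOG) -> dict:
    """Run the whole pipeline: parse, find moving bytes, propose a replay."""
    frames = parse(log)
    moving = varying_bytes(frames)
    proposals = {}
    for can_id, offsets in moving.items():
        last = frames[can_id][-1]
        # Replay the last seen frame with the moving byte pushed higher;
        # on a bench it would be sent with: cansend vcan0 FRAME
        proposals[can_id] = spoof_frame(can_id, last, offsets[0], 0x50)
    return {"frames": {k: len(v) for k, v in frames.items()},
            "moving": moving, "proposals": proposals}

if __name__ == "__main__":
    for key, val in analyse().items():
        print(key, val)
```

On a bench the same analysis runs over the output of `candump -L vcan0`, and the proposed frame goes out with `cansend vcan0 244#000000005000`. On a real vehicle that frame would change what the cluster displays, which is why the workshop keeps this step inside its controlled lab.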
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop 2h</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/CY9AEA/</url>
            <location>IFEN room 2, Workshops and AI Security Village  (Building D)</location>
            
            <attendee>Roald Nefs</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>CVMLKB@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-CVMLKB</pentabarf:event-slug>
            <pentabarf:title>Gotta Contain &#x27;Em All: Collaborative Incident Response Training Through Gaming</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260506T090000</dtstart>
            <dtend>20260506T110000</dtend>
            <duration>020000</duration>
            <summary>Gotta Contain &#x27;Em All: Collaborative Incident Response Training Through Gaming</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop 2h</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/CVMLKB/</url>
            <location>IFEN room 3 Workshops and AI Security Village (Building D)</location>
            
            <attendee>Klaus Agnoletti</attendee>
            
            <attendee>Glen Sorensen</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>ETX7TJ@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-ETX7TJ</pentabarf:event-slug>
            <pentabarf:title>Cloud &amp; AI Security - Capture the Flag</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260506T110000</dtstart>
            <dtend>20260506T130000</dtend>
            <duration>020000</duration>
            <summary>Cloud &amp; AI Security - Capture the Flag</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop 2h</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/ETX7TJ/</url>
            <location>IFEN room 3 Workshops and AI Security Village (Building D)</location>
            
            <attendee>Nathan</attendee>
            
            <attendee>Richard Hensen</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>TVXPKX@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-TVXPKX</pentabarf:event-slug>
            <pentabarf:title>Level Up Your CI/CD: Building a secure pipeline with OSS</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260506T140000</dtstart>
            <dtend>20260506T180000</dtend>
            <duration>040000</duration>
            <summary>Level Up Your CI/CD: Building a secure pipeline with OSS</summary>
            <description>Workshop repository: https://github.com/unicrons/secure-pipeline-workshop</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop 4h</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/TVXPKX/</url>
            <location>IFEN room 3 Workshops and AI Security Village (Building D)</location>
            
            <attendee>Andoni Alonso</attendee>
            
            <attendee>Paco Sanchez</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>XGQ7DT@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-XGQ7DT</pentabarf:event-slug>
            <pentabarf:title>Mastering Bash for Hackers: Extreme Command-Line Power</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260506T090000</dtstart>
            <dtend>20260506T130000</dtend>
            <duration>040000</duration>
            <summary>Mastering Bash for Hackers: Extreme Command-Line Power</summary>
            <description>- Master advanced bash scripting techniques for automation, and hacking.
- Process terabytes of leaked password data and uncover real-world security insights.
- Use bash to manipulate and extract intelligence from logs, network traffic, and system artifacts.
- Generate graphs, automate reports, and convert file format entirely from the command line.
- Learn how to replace GUI-based tools with bash scripts for speed and stealth.

By the end of this workshop, you’ll be able to:
- Automate and accelerate security tasks with powerful one-liners and scripts.
- Use bash to analyze, manipulate, and exploit data in security research.
- Apply bash in unconventional ways, from image processing to document forensics.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop 4h</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/XGQ7DT/</url>
            <location>Workshops May 6th (C1.02.05)</location>
            
            <attendee>Kirils Solovjovs</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>QXECVY@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-QXECVY</pentabarf:event-slug>
            <pentabarf:title>From Code to Compromise: Turning modern day IDEs into attack vectors via malicious Extensions</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260506T133000</dtstart>
            <dtend>20260506T153000</dtend>
            <duration>020000</duration>
            <summary>From Code to Compromise: Turning modern day IDEs into attack vectors via malicious Extensions</summary>
<description>Visual Studio Code is no longer just an editor; the IDE, along with its many AI-powered forks, has become the primary interface for developers of all kinds. Its extension host, a Microsoft-signed Electron process, enjoys the same blind trust from EDRs that we traditionally grant to Outlook or Teams. Meanwhile, the extension ecosystem still treats security as an afterthought: there is no deep-dive source scanning, verification mechanisms are sparse, and the blue “verified” badge is cached locally – so a repackaged `.vsix` keeps the badge even after the payload has been swapped. The talk presents a brief case study of various examples of malicious extensions used in the wild by threat actors and the supply chains they previously affected.

The talk presents one of the first public implementations that weaponises this trust gap with a **Rust-compiled, position-independent shellcode runner** delivered as a Node native addon, by taking a Microsoft-published extension, live-server, and backdooring it, as well as another extension with over 74M downloads. The talk also demos the following aspects of such an attack:

1. **Extension-host OPSEC**: delaying `require(&quot;./index.node&quot;)` until the user triggers the legitimate command (“Open with Live Server”) so the implant is **absent from the initial process snapshot** that EDRs collect.  
2. **Repackaging a blue-tick extension**: cloning Microsoft’s own “Live Preview” repository at a signed commit, grafting the Rust addon into its webpack pipeline, and repackaging with `vsce package`.  The resulting `.vsix` is byte-for-byte identical except for the extra native node – and the GUI still shows the verified badge because VS Code only re-validates signatures when enterprise policy `extensions.verifySignature` is set to `error`.  
3. **Going in blind** - Backdooring another popular extension with our shellcode, without any prior knowledge of its source code.
Each of these sections also dissects the internal workings, file structure, thread stack and other relevant details of the loader.

Finally, the talk concludes by listing the relevant IoCs and TTPs left behind by this attack vector and discusses various detections which organisations and individuals can adopt to protect themselves.

Session Outline

0. Pre-roll (loop, 2 min before start)
    1. Screen cycles side-by-side screenshots: legitimate vs back-doored Live Preview extension.
    2. Blue tick is identical; only the “Installation” tab shows an extra 46 kB native node
    3. Caption: “Spot the implant.” (Sets the visual theme of the talk.)
1. Introductions (1 min)
    1. whoami
    2. Previous work  
2. Opening – VS Code and its many forks (5 min)
    1. Rise of VS Code and its various forks
    2. The rise of new forks means the rise of new marketplaces
    3. Why target VSCode?
        * Electron renderer = Microsoft-signed, whitelisted by every EDR.
        * Marketplaces scan JS source only → native code is often a blind spot.
        * Very difficult to tell malicious extensions apart
3. Attacks in the Wild (8 mins) 
    1. Previous attacks in the wild: Kaspersky, Malicious Corgi, Material Themes, Glassworm
    2. Dissecting the $500K Kaspersky malware
    3. Powershell scripts are nice - but we can do better
    4. Taking a look into Malicious Corgi 
    5. Taking a looking into Glassworm’s source code 
    6. Unicode is nice - compiled is nicer
    7. Pivot: “What if we go native?” 
4. Node addons and demo extensions (5 mins)
    1. Introduction to node addons 
    2. Compiling a C++ shellcode runner with node-gyp and running it
    3. Creating a “Hello world” extension and using ffi to pop a message box 
5. Bringing in the crab (8 mins)
    1. Introducing neon-rs  and interfacing with Javascript/Typescript 
    2. Writing a shellcode runner in rust
    3. Discuss relevant changes to be made in the configs 
    4. Compiling and running  
6. Backdooring a legit VS Code extension (10 mins) 
    1. Choosing the target: LiveServer 
    2. Updating the source to include the add-on
    3. Making webpack happy 
    4. Compiling and loading the extension 
    5. Visual similarities with legitimate extensions 
7. Backdooring a popular VS Code extension without any prior knowledge of its source code (5 mins):
    1. Extract the VSIX bundle 
    2. Add our implant
    3. Repackage the extension 
    4. Load it into VSCode
    5. Trigger shellcode execution 
8. Improvements and Detections (3 mins) 
    1. References to other similar works
    2. Improvements and other closing thoughts
    3. IoCs and TTPs associated with the techniques
    4. Possible detections and prevention mechanisms 
Key Takeaways
1. The audience become more aware of the dangers of blindly trusting extensions from stores
2. Malware developers and red teamers get introduced to a new and powerful initial access vector
3. Blue teamers can use the knowledge to prepare new rulesets and detections to avoid any such attacks</description>
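Added example, not code from the talk: a Python audit that lists native Node addons (*.node files) inside a .vsix archive or an installed extensions folder, the blind spot the outline above describes, with each file's size and executable format so a reviewer can match it against what the Installation tab shows. The sample extension it builds is constructed for the demo and carries no payload; its names (example.demo-ext, out/index.node) are assumptions. This is a filesystem inventory, not a signature check, so it complements rather than replaces the extensions.verifySignature policy the abstract mentions.

```python
"""Audit VS Code extensions for native Node addons (*.node files).

Added example, not the talk's code. Marketplace scanning that only reads the
JavaScript leaves compiled addons as a blind spot, so this lists every *.node
file inside a .vsix archive (a ZIP with the extension under "extension/") or
inside an installed extensions folder (~/.vscode/extensions/publisher.name-version/),
together with its size and the loader format its first bytes indicate.
The sample extension built here is constructed for the demo and carries no
real payload; the names "example.demo-ext" and "out/index.node" are assumptions.
"""
import json
import os
import tempfile
import zipfile

NATIVE_SUFFIXES = (".node",)  # Node native addon: a platform shared library

# Magic bytes of the three loaders a .node file can be built for.
MAGIC = {b"\x7fELF": "ELF", b"MZ": "PE", b"\xcf\xfa\xed\xfe": "Mach-O"}

def classify(head: bytes) -> str:
    """Name the executable format from the first bytes, or 'unknown'."""
    for magic, name in MAGIC.items():
        if head.startswith(magic):
            return name
    return "unknown"

def scan_vsix(path: str) -> list:
    """Findings for native addons inside a .vsix archive."""
    findings = []
    with zipfile.ZipFile(path) as zf:
        try:
            manifest = json.loads(zf.read("extension/package.json"))
        except KeyError:
            manifest = {}
        ext_id = f"{manifest.get('publisher', '?')}.{manifest.get('name', '?')}"
        for info in zf.infolist():
            if not info.filename.lower().endswith(NATIVE_SUFFIXES):
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            findings.append({"extension": ext_id, "file": info.filename,
                             "size": info.file_size, "format": classify(head)})
    return findings

def scan_installed(extensions_dir: str) -> list:
    """Findings for native addons under an extensions folder, per extension."""
    findings = []
    for ext in sorted(os.listdir(extensions_dir)):
        ext_root = os.path.join(extensions_dir, ext)
        if not os.path.isdir(ext_root):
            continue
        for dirpath, _dirs, files in os.walk(ext_root):
            for fn in files:
                if not fn.lower().endswith(NATIVE_SUFFIXES):
                    continue
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    head = fh.read(4)
                findings.append({"extension": ext,
                                 "file": os.path.relpath(full, ext_root).replace(os.sep, "/"),
                                 "size": os.path.getsize(full),
                                 "format": classify(head)})
    return findings

def build_demo_vsix(path: str) -> None:
    """Constructed sample: a minimal extension whose JS loads a native addon."""
    pkg = {"name": "demo-ext", "publisher": "example", "version": "0.0.1",
           "main": "./out/extension.js"}
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("extension/package.json", json.dumps(pkg))
        zf.writestr("extension/out/extension.js",
                    "const addon = require('./index.node');\n")
        # ELF header magic followed by padding: looks compiled, does nothing.
        zf.writestr("extension/out/index.node", b"\x7fELF" + b"\x00" * 60)

def demo() -> dict:
    """Build the sample .vsix, 'install' it like VS Code would, scan both."""
    with tempfile.TemporaryDirectory() as tmp:
        vsix = os.path.join(tmp, "example.demo-ext-0.0.1.vsix")
        build_demo_vsix(vsix)
        ext_dir = os.path.join(tmp, "extensions", "example.demo-ext-0.0.1")
        with zipfile.ZipFile(vsix) as zf:
            for info in zf.infolist():
                rel = info.filename[len("extension/"):]
                target = os.path.join(ext_dir, rel)
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as fh:
                    fh.write(zf.read(info))
        return {"vsix": scan_vsix(vsix),
                "installed": scan_installed(os.path.join(tmp, "extensions"))}

if __name__ == "__main__":
    for source, findings in demo().items():
        for f in findings:
            print(f"[{source}] {f['extension']}: {f['file']} "
                  f"({f['size']} bytes, {f['format']})")
```

Run scan_installed against ~/.vscode/extensions to baseline which installed extensions ship compiled code at all; a .node file turning up in an extension whose previous version had none is exactly the delta the pre-roll screenshots in the outline ask the audience to spot.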
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop 2h</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/QXECVY/</url>
            <location>Workshops May 6th (C1.02.06)</location>
            
            <attendee>Debjeet Banerjee</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>SH7X9Y@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-SH7X9Y</pentabarf:event-slug>
            <pentabarf:title>ANALYZE &amp; HUNT DPRK ATTACKS</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260506T160000</dtstart>
            <dtend>20260506T180000</dtend>
            <duration>020000</duration>
            <summary>ANALYZE &amp; HUNT DPRK ATTACKS</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop 2h</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/SH7X9Y/</url>
            <location>Workshops May 6th (C1.02.06)</location>
            
            <attendee>RAKESH KRISHNAN</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>S97X3K@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-S97X3K</pentabarf:event-slug>
            <pentabarf:title>Android App Tricks: Defenses and Bypasses</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260506T090000</dtstart>
            <dtend>20260506T110000</dtend>
            <duration>020000</duration>
            <summary>Android App Tricks: Defenses and Bypasses</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop 2h</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/S97X3K/</url>
            <location>Workshops May 6th, Speaker&#x27;s room May 7+8th (C1.02.13)</location>
            
            <attendee>Aleksandr Pilgun</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>9HS8CG@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-9HS8CG</pentabarf:event-slug>
            <pentabarf:title>Packet Analysis for Beginners - an IoT toy, some packets, and Wireshark</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260506T110000</dtstart>
            <dtend>20260506T130000</dtend>
            <duration>020000</duration>
            <summary>Packet Analysis for Beginners - an IoT toy, some packets, and Wireshark</summary>
            <description>Pre-Workshop Setup:
Please install Wireshark before the session: https://www.wireshark.org/download.html (installation guide: https://www.wireshark.org/docs/installation.html)

Crucial Permission Steps:
    Windows: Ensure you install Npcap during the setup process.
    macOS: Follow the prompts to allow network access/chmod permissions.
    Linux: Run sudo dpkg-reconfigure wireshark-common, select yes, then add your user to the wireshark group (sudo usermod -aG wireshark $USER), then reboot.

Test: Open the app; if you see &quot;live&quot; traffic lines on your network interface, you are ready!

In this workshop, we’ll take a packet capture from a disconcerting connected toy and use it as a starting point to learn how to read ordinary network traffic. Step by step, we’ll look at how devices introduce themselves on a local network, resolve names, establish connections, negotiate encryption, and continue communicating during normal operation. Once we have familiarized ourselves, we will move on to some real-world captures.

Rather than breaking encryption or exploiting vulnerabilities, the focus is on observation and understanding. Using Wireshark, we’ll practice identifying patterns, relationships, and metadata that remain visible even when payloads are encrypted. Along the way, we’ll look at how to recognise when a device is phoning home, what kinds of context travel with requests, and how much can be learned from traffic that is behaving exactly as designed.

This workshop is aimed at beginners and the curious. No prior experience with packet analysis is required. A willingness to look closely at what is already on the wire is enough.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop 2h</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/9HS8CG/</url>
            <location>Workshops May 6th, Speaker&#x27;s room May 7+8th (C1.02.13)</location>
            
            <attendee>Katherine Leese</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>YGC7EA@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-YGC7EA</pentabarf:event-slug>
            <pentabarf:title>Dismantle The Bomb</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260506T140000</dtstart>
            <dtend>20260506T160000</dtend>
            <duration>020000</duration>
            <summary>Dismantle The Bomb</summary>
<description>Dismantle the bomb by performing different tasks. The tasks will include:
- Solving ciphers
- Being genuine with a special flashlight
- Lock picking
- Making a key with a Lishi tool
- ...</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop 2h</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/</url>
            <location>Workshops May 6th, Speaker&#x27;s room May 7+8th (C1.02.13)</location>
            
            <attendee>Stijn Tomme</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>YGC7EA@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-YGC7EA</pentabarf:event-slug>
            <pentabarf:title>Dismantle The Bomb</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260506T160000</dtstart>
            <dtend>20260506T180000</dtend>
            <duration>020000</duration>
            <summary>Dismantle The Bomb</summary>
            <description>Dismantle the bomb by performing different tasks. The tasks will include:
- Solving ciphers
- Being genuine with a special flashlight
- Lock picking
- Making a key with a Lishi tool
- ...</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop 2h</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/</url>
            <location>Workshops May 6th, Speaker&#x27;s room May 7+8th (C1.02.13)</location>
            
            <attendee>Stijn Tomme</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>XMDNJB@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-XMDNJB</pentabarf:event-slug>
            <pentabarf:title>Secure Development Lifecycle Applied - How to Make Things a Bit More Secure than Yesterday Every Day</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260506T100000</dtstart>
            <dtend>20260506T120000</dtend>
            <duration>020000</duration>
            <summary>Secure Development Lifecycle Applied - How to Make Things a Bit More Secure than Yesterday Every Day</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop 2h</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/XMDNJB/</url>
            <location>Workshops and Stage - Design Space (C1.05.12)</location>
            
            <attendee>Lisi Hocke</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>AALWHZ@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-AALWHZ</pentabarf:event-slug>
            <pentabarf:title>Kunai Workshop: Hands-on Linux Threat Detection</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260506T133000</dtstart>
            <dtend>20260506T180000</dtend>
            <duration>043000</duration>
            <summary>Kunai Workshop: Hands-on Linux Threat Detection</summary>
            <description>### Part 1: Kunai Fundamentals
- **Quick Start:** Get Kunai up and running on your system
- **Core Concepts:** Understand Kunai&#x27;s architecture and monitoring capabilities
- **Hands-on Basics:** Navigate the CLI, configure monitoring, and interpret events

### Part 2: Advanced Threat Detection
- **Custom Rules:** Write detection rules for specific threats and anomalies
- **IoC Integration:** Load and leverage Indicators of Compromise
- **MISP Connectivity:** Enhance your threat intelligence with MISP integration
- **Real-world Scenarios:** Apply Kunai to actual threat detection challenges

### Part 3: Bonus Topics (time permitting)
- Using [Kunai sandbox](https://sandbox.kunai.rocks/) to share traces
- Creating detection rules for specific malware</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop 4h</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/AALWHZ/</url>
            <location>Workshops and Stage - Design Space (C1.05.12)</location>
            
            <attendee>Quentin JEROME</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>MG7H3X@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-MG7H3X</pentabarf:event-slug>
            <pentabarf:title>Malware Development for Ethical Hackers (Windows, Linux, Android)</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260506T090000</dtstart>
            <dtend>20260506T180000</dtend>
            <duration>090000</duration>
            <summary>Malware Development for Ethical Hackers (Windows, Linux, Android)</summary>
            <description>The course will teach you how to develop malware, including classic tricks and tricks of modern ransomware found in the wild. Everything is supported by real examples.

The course is intended for Red Team specialists to learn in more detail the tricks of malware development (also persistence and AV bypass) and will also be useful to Blue Team specialists when conducting investigations and analyzing malware.


The course is divided into four logical sections:
- Malware development tricks and techniques (classic injection tricks, DLL injection tricks, shellcode running)
- AV evasion tricks (Anti-VM, Anti-Sandbox, Anti-disassembling)
- Persistence techniques
- Cryptographic functions in malware development (exclusive)
- Malware Development for Android and Linux (bonus)

Most of the examples in this course require a deep understanding of the Python, Kotlin
and C/C++ programming languages.

Knowledge of assembly language basics is not required but will be an advantage.

Training Outline (detailed, timed - total ~8 hours):

MALWARE INJECTION TECHNIQUES:
1. Traditional Injection Approaches: Code and DLL (2 practical examples, LAB + 1 homework) - 20 min
2. Exploring Hijacking Techniques (2 practical examples, LAB + 1 homework) - 20 min
3. Understanding Asynchronous Procedure Call (APC) Injections (2 practical examples, LAB + 1 homework) - 15 min
4. Mastering New Injection/Hooking Techniques (4 practical examples, LAB) - 20 min

PERSISTENCE MECHANISMS:
5. Classic Path: Registry Run Keys / Persistence via Registry Keys (3 practical examples, LAB) - 15 min
6. Persistence via Winlogon Process (2 practical examples, LAB) - 15 min
7. Exploiting Windows Services for Persistence (2 practical examples, LAB + 1 homework) - 15 min
8. Exploring Non-Trivial Loopholes and New Persistence Techniques (5 practical examples, LAB + 2 homework) - 15 min

MALWARE FOR PRIVILEGE ESCALATION:
9. Manipulating Access Tokens like APT (1 practical example, LAB + 1 homework) - 15 min
10. Password Stealing / LSASS.exe Dumping (3 practical examples, LAB + 1 homework) - 15 min
11. Malware for Bypassing User Account Control (UAC) (2 practical examples, LAB + 1 homework) - 15 min

ANTI-VM AND AV BYPASSING:
12. Anti-Virtual Machine Strategies (4 practical examples, LAB + 1 homework) - 15 min
13. Practical Use of Hash Algorithms in Malware (1 practical example, LAB + 1 homework) - 15 min
14. Evading Static Detection (1 practical example, LAB + 1 homework) - 15 min
15. Evading Dynamic Detection (1 practical example, LAB + 1 homework) - 15 min
16. Advanced Evasion Techniques (1 practical example, LAB + 1 homework) - 15 min
17. Cryptography for Bypassing Security Solutions (4 practical examples, LAB + 2 homework) - 15 min

LINUX AND ANDROID MALWARE:
18. Linux Kernel Hacking (1 practical example, LAB) - 15 min
19. Linux Process Injection (1 practical example, LAB) - 15 min
20. Introduction to Android Malware (3 practical examples, LAB) - 40 min
21. Leveraging Legit APIs for Android Malware (2 practical examples, LAB) - 40 min

RESEARCH AND PRACTICE:
22. Simple Tricks and Automation for Malware Development and Emulation (3 practical examples, LAB + 1 homework) - 15 min
23. How to Find New Persistence Techniques (2 practical examples, LAB + 1 homework) - 15 min
24. Elliptic Curve Cryptography (ECC) and Malware (1 practical example, LAB + 1 homework) - 15 min</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Training 8h</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/MG7H3X/</url>
            <location>Workshops and Stage - Gernsback (C1.05.02)</location>
            
            <attendee>cocomelonc</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>9NGAYY@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-9NGAYY</pentabarf:event-slug>
            <pentabarf:title>Blackhoodie training - Introduction to Linux Memory Forensics</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260506T090000</dtstart>
            <dtend>20260506T120000</dtend>
            <duration>030000</duration>
            <summary>Blackhoodie training - Introduction to Linux Memory Forensics</summary>
            <description>BlackHoodie’s Mission
- BlackHoodie is a series of technical trainings aiming to attract more women to the field of cyber security
- Our events are women-only, except if individual organizers state otherwise
- Whether introduction level or advanced, classes are always challenging
- All of our events are free to attend
- We do not exert any preference in education level, occupation or corporate affiliation of attendees
- BlackHoodie is dedicated to serving the community; we aim to integrate, not separate
- BlackHoodie is independent, and cannot be leveraged to promote anything but its own mission
- We seek quality over quantity, in number of classes and attendees
- We also support/encourage attendees to start giving technical trainings, thereby providing a platform to build their confidence</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Training 8h</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/9NGAYY/</url>
            <location>CTF players room (C1.03.05 6+8th or C1.04.02 7th)</location>
            
            <attendee>Sonia Seddiki</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>9NGAYY@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-9NGAYY</pentabarf:event-slug>
            <pentabarf:title>Blackhoodie training - Introduction to Linux Memory Forensics</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260506T133000</dtstart>
            <dtend>20260506T180000</dtend>
            <duration>043000</duration>
            <summary>Blackhoodie training - Introduction to Linux Memory Forensics</summary>
            <description>BlackHoodie’s Mission
- BlackHoodie is a series of technical trainings aiming to attract more women to the field of cyber security
- Our events are women-only, except if individual organizers state otherwise
- Whether introduction level or advanced, classes are always challenging
- All of our events are free to attend
- We do not exert any preference in education level, occupation or corporate affiliation of attendees
- BlackHoodie is dedicated to serving the community; we aim to integrate, not separate
- BlackHoodie is independent, and cannot be leveraged to promote anything but its own mission
- We seek quality over quantity, in number of classes and attendees
- We also support/encourage attendees to start giving technical trainings, thereby providing a platform to build their confidence</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Training 8h</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/9NGAYY/</url>
            <location>CTF players room (C1.03.05 6+8th or C1.04.02 7th)</location>
            
            <attendee>Sonia Seddiki</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>TMG89Y@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-TMG89Y</pentabarf:event-slug>
            <pentabarf:title>Threat Modelling Starter Training</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260506T090000</dtstart>
            <dtend>20260506T180000</dtend>
            <duration>090000</duration>
            <summary>Threat Modelling Starter Training</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Training 8h</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/TMG89Y/</url>
            <location>Workshops May 6th (C1.03.06)</location>
            
            <attendee>Ralph Andalis</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>GZHQYD@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-GZHQYD</pentabarf:event-slug>
            <pentabarf:title>Threat Modeling in DevOps and Cloud using Card Games</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260506T133000</dtstart>
            <dtend>20260506T173000</dtend>
            <duration>040000</duration>
            <summary>Threat Modeling in DevOps and Cloud using Card Games</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop 4h</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/GZHQYD/</url>
            <location>Workshops May 6th (C1.03.09)</location>
            
            <attendee>Christoph Niehof</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>3CLCMG@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-3CLCMG</pentabarf:event-slug>
            <pentabarf:title>Car Hacking Village</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T090000</dtstart>
            <dtend>20260507T120000</dtend>
            <duration>030000</duration>
            <summary>Car Hacking Village</summary>
            <description>The village includes a fully equipped setup featuring simulated vehicle networks, CAN bus tooling, instrument clusters, ECUs, and other automotive components. Attendees can:

- Interact with the CAN bus and observe how in-vehicle communication works
- Capture, analyze, and replay automotive network traffic
- Reverse engineer messages sent to various vehicle subsystems
- Craft spoofed signals to manipulate components such as instrument clusters
- Explore common vulnerabilities in today&#x27;s vehicle architectures
- Learn practical defensive considerations for securing automotive systems

All activities are guided and designed to be accessible to beginners while still offering depth for more experienced researchers.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Village, 2d (2days x 8h)</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/3CLCMG/</url>
            <location>Atrium (common area)</location>
            
            <attendee>Roald Nefs</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>3CLCMG@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-3CLCMG</pentabarf:event-slug>
            <pentabarf:title>Car Hacking Village</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T133000</dtstart>
            <dtend>20260507T180000</dtend>
            <duration>043000</duration>
            <summary>Car Hacking Village</summary>
            <description>The village includes a fully equipped setup featuring simulated vehicle networks, CAN bus tooling, instrument clusters, ECUs, and other automotive components. Attendees can:

- Interact with the CAN bus and observe how in-vehicle communication works
- Capture, analyze, and replay automotive network traffic
- Reverse engineer messages sent to various vehicle subsystems
- Craft spoofed signals to manipulate components such as instrument clusters
- Explore common vulnerabilities in today&#x27;s vehicle architectures
- Learn practical defensive considerations for securing automotive systems

All activities are guided and designed to be accessible to beginners while still offering depth for more experienced researchers.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Village, 2d (2days x 8h)</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/3CLCMG/</url>
            <location>Atrium (common area)</location>
            
            <attendee>Roald Nefs</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>9FGWWQ@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-9FGWWQ</pentabarf:event-slug>
            <pentabarf:title>Lockpicking Village</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T090000</dtstart>
            <dtend>20260507T120000</dtend>
            <duration>030000</duration>
            <summary>Lockpicking Village</summary>
            <description>There will be all sorts of lockpicking equipment available for you to practice, guided by our volunteers.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Village, 2d (2days x 8h)</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/9FGWWQ/</url>
            <location>Atrium (common room) 2</location>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>9FGWWQ@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-9FGWWQ</pentabarf:event-slug>
            <pentabarf:title>Lockpicking Village</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T133000</dtstart>
            <dtend>20260507T180000</dtend>
            <duration>043000</duration>
            <summary>Lockpicking Village</summary>
            <description>There will be all sorts of lockpicking equipment available for you to practice, guided by our volunteers.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Village, 2d (2days x 8h)</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/9FGWWQ/</url>
            <location>Atrium (common room) 2</location>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>S8NTGH@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-S8NTGH</pentabarf:event-slug>
            <pentabarf:title>Things Fall Apart: Allying Cybersecurity and Diplomacy against Authoritarian Disorder</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T091000</dtstart>
            <dtend>20260507T093500</dtend>
            <duration>002500</duration>
            <summary>Things Fall Apart: Allying Cybersecurity and Diplomacy against Authoritarian Disorder</summary>
            <description>Luxembourg&#x27;s Cybersecurity and Digitalisation Ambassador will return to BSides 2026 for a no-nonsense overview of current challenges in geopolitics and cyberdiplomacy. Come armed with all your questions about international relations and (dis-)order in the digital world!</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Opening Speech</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/S8NTGH/</url>
            <location>Main Stage</location>
            
            <attendee>Luc Dockendorf</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>LUCRQP@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-LUCRQP</pentabarf:event-slug>
            <pentabarf:title>Keynote: Identity Security Just Exploded</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T093500</dtstart>
            <dtend>20260507T101500</dtend>
            <duration>004000</duration>
            <summary>Keynote: Identity Security Just Exploded</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/LUCRQP/</url>
            <location>Main Stage</location>
            
            <attendee>Wendy Nather</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>G979N8@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-G979N8</pentabarf:event-slug>
            <pentabarf:title>Level Up Your CI/CD: Building a secure pipeline with OSS</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T103500</dtstart>
            <dtend>20260507T111500</dtend>
            <duration>004000</duration>
            <summary>Level Up Your CI/CD: Building a secure pipeline with OSS</summary>
            <description>This talk is a companion presentation to our hands-on workshop, distilling the key concepts and tool demonstrations into a focused session suitable for all attendees.

Workshop repository: https://github.com/unicrons/secure-pipeline-workshop</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/G979N8/</url>
            <location>Main Stage</location>
            
            <attendee>Andoni Alonso</attendee>
            
            <attendee>Paco Sanchez</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>9JT9GR@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-9JT9GR</pentabarf:event-slug>
            <pentabarf:title>The Spy Who Logged Me - When your XDR joins the attackers</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T112000</dtstart>
            <dtend>20260507T120000</dtend>
            <duration>004000</duration>
            <summary>The Spy Who Logged Me - When your XDR joins the attackers</summary>
            <description>What if I told you the security tool you trust the most (your XDR) is also an attacker&#x27;s favorite weapon? You spent time, money, and effort deploying it, testing it, fine-tuning it, believing it had your back. But what if, instead of stopping threats, it was helping them?

Your XDR isn&#x27;t broken; in fact, it&#x27;s doing exactly what it&#x27;s designed to do and what you set it up to do. The problem? Attackers have figured out how to make it work for them instead of against them.

In this session, we&#x27;ll discuss how the bad guys manipulate XDR implementations, abuse detection logic, weaponize built-in components, and turn trusted security controls into offensive tools. From abusing existing workflows to full exploitation, you&#x27;ll see why your XDR might not be protecting you the way you think it is.



1. Intro
Short story and correlate it to XDRs.

2. XDR 101: Understanding the Basics
We won’t reinvent the wheel, but understanding how XDRs work is critical so we can visualize how attackers can weaponize them.

3. Point of Origin: How do attackers access an XDR console?

XDRs are only as strong as their weakest link, and that weak link is often broken access controls, misconfigurations, or outdated components. Attackers don’t always need complex exploits when defenders leave the door open.

- Default Credentials on External-Facing XDR Deployments.

Many XDR solutions have cloud-based management consoles exposed to the internet.
If default credentials aren’t changed, attackers can:

  - Log in and modify IOC exclusion rules.
  - Uninstall sensors or disable detections.
  - Deploy malware directly through the XDR interface.

Countermeasures:
  - Enforce MFA on all management consoles.
  - Audit externally exposed XDR consoles (does your XDR console really need to be internet-facing?).

- Compromised API Keys - The secret backdoor.

Many XDR solutions have APIs for automation, management and integration. If an attacker finds compromised API keys, they can query endpoint logs to map security gaps, modify blacklisting rules and disable detections.

Countermeasures:
  - Monitor for compromised credentials and unusual API activity.
  - Rotate API keys regularly to limit exposure.
  - Use environment variables instead of hardcoded credentials.

- Outdated XDR Versions – Legacy software is an attacker&#x27;s best friend.

Running outdated XDR versions allows attackers to exploit known vulnerabilities in previous versions and abuse compatibility issues to downgrade protections.

Countermeasures:
  - Audit security tools for outdated versions regularly.
  - Enable automatic updates for XDR components.

- Outdated XDR Agents - Weak links in the chain.

One endpoint running an outdated version of an XDR sensor is enough for an attacker to exploit known vulnerabilities and bypass detection.

Countermeasures:
  - Use SIEM integration or centralized management to monitor XDR agent version mismatches.
  - Automate XDR agent updates across all endpoints.



	4. XDR as an attack vector.

• Your Security Tool is My C2 - Abusing Remote Shell Access.

Many XDR consoles offer built-in shell capabilities that allow defenders to execute limited admin commands on endpoints  (for example Crowdstrike Falcon RTR). But if an attacker gains access to the XDR management console, they can run system enumeration commands to:

- Gather information about a host.
- Deploy malicious files or modify settings.
- Use the sensor as a C2 channel.

Countermeasures:

Restrict remote shell access.
- Require MFA for authentication.
- Enforcing RBAC.
- Monitor XDR shell command history.


· Blinding the Guard – Removing and Disabling an XDR Sensor
Before executing an attack, adversaries often remove or disable XDR agents to avoid detection. Some XDR solutions lack strong tamper protection, allowing attackers to:

- Stop XDR services to prevent detection.
- Uninstall the XDR agent using weak removal controls.
- Kill security processes or corrupt critical files to make the sensor non-functional.

Example:
Attempt to stop the XDR service using systemctl stop XDR agent. Kill the process manually using pkill -9 XDR agent and show that detection logs stop, leaving the system unprotected.

Countermeasures:
- Implement tamper protection to prevent unauthorized removal.
- Deploy kernel-based security monitoring (eBPF) to detect service manipulation.


- Hiding in Plain Sight - Whitelisting Malicious IOCs

If attackers gain access to an XDR allowlist, they can manipulate rules to bypass detection entirely.

- Whitelist malware so it is ignored by security controls.
- Drop malicious payloads in trusted directories that are already allowlisted.
- Modify allowlists via API access, letting malware execute freely.

Example:
Identify an XDR allowlist configuration file and manually whitelist malicious IOCs.

Countermeasures:
- Restrict who can modify allowlists (RBAC enforcement).
- Implement cryptographic integrity checks on configuration files.
- Require MFA to modify exclusions.


· When Vintage isn&#x27;t Always Nicer – Downgrading a Sensor or Preventing Updates
Attackers prefer outdated security tools because they lack modern detection techniques, by preventing updates or forcing a downgrade, attackers can:

- Decrease detection effectiveness by pushing legacy security policies.
- Reintroduce vulnerabilities patched in later versions.
- Prevent new threat signatures from being applied.

Demo: Blocking XDR updates via /etc/hosts and downgrading the agent.

Countermeasures:
- Enforce automatic updates across all endpoints.
- Monitor version mismatches across all deployed sensors.
- Block manual downgrades unless explicitly approved.


· Friendly Fire – Isolating Critical Systems for Disruption

Some XDRs have host isolation features to contain threats. Attackers abuse this to:
- Trigger false positives and force automated isolation.
- Manually isolate critical infrastructure (domain controllers, production servers).
- Lock down an organization without deploying malware.

Countermeasures:
- Implement role-based restrictions on isolation functions.
- Require MFA and secondary approval for manual isolations.
- Alert on mass isolations as a potential attack indicator.



· Spotting a Knockoff  – Sensor Spoofing

XDRs rely on heartbeat signals to confirm agents are online and attackers can manipulate this process to:
- Fake sensor check-ins, tricking defenders into believing the agent is still running.
- Redirect telemetry to a different endpoint, suppressing real detections.
- Modify system responses to make XDR appear fully functional while disabled.

Countermeasures:
- Use mutual TLS authentication between XDR agents and servers.
- Monitor for missing logs and no heartbeats.



· Going for the Kill - Leaking Sensitive Information from XDR Logs.

XDR logs exist so that security analysts can identify suspicious behavior, but the same data is useful to an attacker who gains access to it. Some common techniques include:

- Extracting IP addresses, hostnames and domain controllers for enumeration purposes.
- Enumerating security policies to avoid detection.
- Finding user accounts and credentials stored in logs.

Example: Extracting domain controllers, user accounts, and network data from XDR logs.

Countermeasures:
- Use SIEM log forwarding as an independent backup copy and for integrity verification.
- Enforce RBAC on log access to prevent unauthorized queries.
	


· SOC Analysts, It’s Panic O’Clock - Alert Saturation Attacks.

Attackers generate thousands of fake alerts to distract SOC teams from real threats. This enables:

- Overloading analysts with false positives.
- Creating a blind spot, given that some security teams opt to disable XDRs as a way to stop all the noise.
- Hiding legitimate threat activity.

Example: Creating fake logs and flooding a SIEM with fake ransomware alerts.

Countermeasures:
- Leverage anomaly detection to identify alert-flooding patterns.
- Enforce log integrity checks to decrease the chances of alert poisoning.
- Rate-limit automated log events to prevent abuse.

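The mass-isolation indicator in the Friendly Fire section and the alert-flooding indicator in this section share one detection shape: a burst of events from a single key inside a short window. The Python below, an added editorial example rather than code from the talk, implements one sliding-window burst detector and applies it to both cases: isolation actions per console actor, and alerts per (host, alert name). The event records, timestamps, thresholds and field names are constructed for the example and follow no vendor schema.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed XDR console audit events: one analyst doing normal work, and an
# automation identity isolating five servers within 15 seconds.
AUDIT_EVENTS = [
    {"ts": "2026-05-06T14:00:05", "actor": "alice", "action": "isolate_host", "host": "ws-042"},
    {"ts": "2026-05-06T14:01:10", "actor": "svc-automation", "action": "isolate_host", "host": "dc-01"},
    {"ts": "2026-05-06T14:01:12", "actor": "svc-automation", "action": "isolate_host", "host": "dc-02"},
    {"ts": "2026-05-06T14:01:15", "actor": "svc-automation", "action": "isolate_host", "host": "sql-01"},
    {"ts": "2026-05-06T14:01:20", "actor": "svc-automation", "action": "isolate_host", "host": "erp-01"},
    {"ts": "2026-05-06T14:01:25", "actor": "svc-automation", "action": "isolate_host", "host": "fs-01"},
    {"ts": "2026-05-06T14:30:00", "actor": "alice", "action": "isolate_host", "host": "ws-077"},
]

# Constructed alert stream: 30 identical ransomware alerts from one host in one minute.
ALERTS = [{"ts": f"2026-05-06T15:00:{i:02d}", "host": "ws-001", "name": "Ransomware.Generic"}
          for i in range(0, 60, 2)]
ALERTS.append({"ts": "2026-05-06T15:10:00", "host": "ws-002", "name": "Ransomware.Generic"})

def parse_ts(s):
    return datetime.fromisoformat(s)

def bursts(events, key, window, threshold, predicate=lambda e: True):
    # Sliding window per key: flag the first moment a key accumulates `threshold`
    # matching events inside `window`. Only the first hit per key is reported.
    recent = {}
    flagged = {}
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if not predicate(e):
            continue
        k = key(e)
        q = recent.setdefault(k, deque())
        t = parse_ts(e["ts"])
        q.append(t)
        while t - q[0] > window:
            q.popleft()
        if len(q) >= threshold and k not in flagged:
            flagged[k] = {"at": e["ts"], "count": len(q)}
    return flagged

def mass_isolations(events, window=timedelta(minutes=5), threshold=3):
    return bursts(events, key=lambda e: e["actor"], window=window, threshold=threshold,
                  predicate=lambda e: e["action"] == "isolate_host")

def alert_floods(alerts, window=timedelta(minutes=1), threshold=20):
    return bursts(alerts, key=lambda a: (a["host"], a["name"]), window=window, threshold=threshold)

if __name__ == "__main__":
    print(mass_isolations(AUDIT_EVENTS))
    print(alert_floods(ALERTS))
```

Tune the thresholds to the environment. An automated response rule that isolates three hosts in five minutes may be legitimate, but the alert should still page somebody, because that automation identity is exactly what an attacker holding a stolen API token would use.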

	5. Catch 22: Detecting Malicious Activity without an XDR.

Once your XDR agent is disabled, visibility is limited. Some alternatives:
- Syslog monitoring and SIEM logs: look for XDR agent stop/disable events in your system logs.
- Monitor authentication logs for suspicious access to the XDR console.
- Review SIEM log ingestion for gaps in log forwarding (if logs stop being ingested, that&#x27;s typically a red flag).

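The heartbeat-monitoring countermeasure in the Spotting a Knockoff section and the log-ingestion-gap check above both reduce to asking which hosts have gone quiet, and cross-checking the two sources catches the spoofing case where the console still sees a heartbeat while the SIEM stops receiving telemetry. The Python below is an added editorial example, not code from the talk; the host names, timestamps and thresholds are constructed.

```python
from datetime import datetime, timedelta

# Constructed per-host last-seen records from two independent sources: the XDR
# console's heartbeat table and the SIEM's ingestion index.
NOW = datetime.fromisoformat("2026-05-06T16:00:00")

HEARTBEATS = {
    "dc-01": "2026-05-06T15:59:30",
    "srv-02": "2026-05-06T15:58:50",
    "ws-117": "2026-05-06T15:59:10",   # still checking in
    "fs-01": "2026-05-06T13:05:00",    # sensor stopped hours ago
}

SIEM_LAST_EVENT = {
    "dc-01": "2026-05-06T15:59:45",
    "srv-02": "2026-05-06T15:59:00",
    "ws-117": "2026-05-06T14:20:00",   # heartbeat looks fine, telemetry dried up
    "fs-01": "2026-05-06T13:04:30",
    "hr-app": "2026-05-06T15:55:00",   # in the SIEM but unknown to the XDR console
}

def stale(last_seen, now, max_age):
    # Hosts whose last record is older than max_age.
    return {h: ts for h, ts in last_seen.items()
            if now - datetime.fromisoformat(ts) > max_age}

def silent_hosts(heartbeats, siem_last, now=NOW,
                 heartbeat_max=timedelta(minutes=10), ingest_max=timedelta(minutes=30)):
    # Cross-check both sources. A stopped heartbeat is the obvious case; a healthy
    # heartbeat with no telemetry is the spoofed or redirected-sensor case; a host the
    # SIEM knows but the console does not has no sensor at all.
    no_heartbeat = stale(heartbeats, now, heartbeat_max)
    no_telemetry = stale(siem_last, now, ingest_max)
    findings = {}
    for h in sorted(set(heartbeats) | set(siem_last)):
        if h not in heartbeats:
            findings[h] = "no sensor registered"
        elif h in no_heartbeat:
            findings[h] = "heartbeat stopped"
        elif h in no_telemetry:
            findings[h] = "heartbeat ok but telemetry stopped"
    return findings

if __name__ == "__main__":
    for host, finding in silent_hosts(HEARTBEATS, SIEM_LAST_EVENT).items():
        print(host, finding)
```

The ingestion threshold has to account for legitimately quiet hosts; in practice it is set per host class (a domain controller that logs nothing for 30 minutes is far more suspicious than a kiosk).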

	6. Stop The Bleeding: Immediate Response to Regain Visibility and Isolation.

If an attacker has disabled visibility, you need to contain the compromised host without an XDR. The following alternatives could be applied:
- Quarantine the compromised host using firewall rules or NAC.
- Leverage network-based detections (identify suspicious traffic patterns, detect connections to known C2).
- Restore the XDR sensor remotely.
- If the attacker blocked reinstallation, deploy a separate forensic agent (such as Velociraptor).


	7. Beat Them At Their Own Game: Locking the Attacker Out of the Console.

- Check for rogue admin accounts added to your XDR console.
- Rotate API keys and credentials.
- Review XDR logs for unauthorized policy changes.
- Enable MFA on the XDR console.


	8. Real-World Case Studies: RansomHub - Weaponizing XDR Weaknesses.
	
RansomHub is a ransomware-as-a-service (RaaS) operation first detected in February 2024 by TrendMicro. Unlike highly structured ransomware groups, RansomHub operates as a decentralized, affiliate-based collective, allowing attackers from various regions to conduct their own operations under the same banner.
Their primary targets? Organizations with high operational dependencies: industries where downtime is more expensive than the ransom itself, which increases the likelihood of payouts.

	
	· Attack methodology:
	RansomHub doesn&#x27;t rely exclusively on encrypting data; its affiliates start by disabling security mechanisms so they can operate without any roadblocks. The attack chain includes:
	
	- Using TDSSKiller to disable antivirus or XDR solutions in the target system.
	- Deploying TOGGLEDEFENDER to disable Windows Defender.
	- Utilizing XDR Kill Shifter, a loader executable that leverages the Bring Your Own Vulnerable Driver (BYOVD) technique, exploiting multiple vulnerable drivers to disable XDR protection before execution.

Key Takeaway: Their focus on XDR disablement as a priority aligns with modern ransomware strategies; attackers don&#x27;t just evade detection, they neutralize the entire security stack.

	· Notable Victims:
Mexican government (Hit Twice!).
	- The second attack impacted 13 airports across the country.
	- Fun Fact: The Mexican government is a frequent target of ransomware attacks, often due to weak infrastructure, slow patching cycles, and underfunded cybersecurity measures.
	
Frontier communications.
	- Disruption in telecom services, impacting businesses and residential users.

Christie&#x27;s Auction House
	- Attackers targeted high-value transactions and sensitive financial data.

· Key Takeaways:
- RansomHub exemplifies modern ransomware techniques: they don’t just encrypt data, they strategically dismantle defenses first.
- The use of BYOVD attacks on XDRs shows that even advanced security solutions are vulnerable when misconfigurations or unpatched drivers exist.

· Countermeasures: Defending Against RansomHub
- Use behavioral-based detection instead of relying only on signature-based AV/XDR protections.
- Apply strict application control policies to block unauthorized tools.
- Monitor for signs of BYOVD exploitation and harden kernel-level protections. Note that BYOVD loads legitimately signed drivers, so blocking unsigned drivers is not enough; enforce a vulnerable-driver blocklist (such as Microsoft&#x27;s vulnerable driver blocklist, applied through HVCI or WDAC) in addition to signature checks.
	

	9. Final Thoughts

Attackers are shifting tactics: instead of just evading security tools, they&#x27;re actively disabling them. Attackers recognize that XDRs are a core part of enterprise security, so their first priority is to neutralize detection and response capabilities before executing their objective.

The question isn’t if attackers will target your XDR; it’s how prepared you are when they do. The key to defense isn’t just relying on automated detections, but understanding how attackers think and proactively securing the tools meant to protect you.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/9JT9GR/</url>
            <location>Main Stage</location>
            
            <attendee>Melina Phillips</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>VYCS8Y@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-VYCS8Y</pentabarf:event-slug>
            <pentabarf:title>What is the dark web talking about? - Dark Jargon Detection and Identification</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T133000</dtstart>
            <dtend>20260507T133500</dtend>
            <duration>000500</duration>
            <summary>What is the dark web talking about? - Dark Jargon Detection and Identification</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/VYCS8Y/</url>
            <location>Main Stage</location>
            
            <attendee>Laura Bernardy</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>GDNK3Q@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-GDNK3Q</pentabarf:event-slug>
            <pentabarf:title>Understanding Mobile Stalkerware</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T133500</dtstart>
            <dtend>20260507T134000</dtend>
            <duration>000500</duration>
            <summary>Understanding Mobile Stalkerware</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/GDNK3Q/</url>
            <location>Main Stage</location>
            
            <attendee>Elouan Rigaut</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>QB7ZBY@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-QB7ZBY</pentabarf:event-slug>
            <pentabarf:title>Scaling defence - finding RedVDS from a phishing email</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T134000</dtstart>
            <dtend>20260507T134500</dtend>
            <duration>000500</duration>
            <summary>Scaling defence - finding RedVDS from a phishing email</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/QB7ZBY/</url>
            <location>Main Stage</location>
            
            <attendee>Elliot Parsons</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>RVGUME@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-RVGUME</pentabarf:event-slug>
            <pentabarf:title>How to be just the right amount of Paranoid (Cybersecurity Edition)</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T134500</dtstart>
            <dtend>20260507T135000</dtend>
            <duration>000500</duration>
            <summary>How to be just the right amount of Paranoid (Cybersecurity Edition)</summary>
            <description>This lightning talk aims to bring this topic to light. It is a topic not often talked about, but it is something most people who work in or are in contact with (cyber)security have experienced. The extent can vary, and the impact can be visible or invisible. One might share with their close family and friends how passphrases are better than passwords and easier to remember, while others might force them to use password managers, MFA, backups of the previous two, VPN connections 24/7 and so on.
The golden middle way is to adopt enough awareness to not fall into security traps while not becoming paranoid over the smallest things. It is difficult to balance, but by bringing this topic to light, a certain self-reflection will hopefully be sparked in the participants. Where do they find themselves on this scale between care-free and paranoid?
The human factor continues to play an important role, not only in awareness but in the whole realm of cybersecurity. Being able to position oneself and others on this scale can be crucial when it comes to determining how to convey a message. A security mindset is something we can work towards and expand together to create a secure and healthy environment.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/RVGUME/</url>
            <location>Main Stage</location>
            
            <attendee>Denim Latić</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>878PCR@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-878PCR</pentabarf:event-slug>
            <pentabarf:title>Magic-rs: A Memory-Safe, libmagic-Compatible File Type Detection Ecosystem</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T135000</dtstart>
            <dtend>20260507T135500</dtend>
            <duration>000500</duration>
            <summary>Magic-rs: A Memory-Safe, libmagic-Compatible File Type Detection Ecosystem</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/878PCR/</url>
            <location>Main Stage</location>
            
            <attendee>Quentin JEROME</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>3YK3HN@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-3YK3HN</pentabarf:event-slug>
            <pentabarf:title>Building a safe harbor for cybersecurity professionals</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T135500</dtstart>
            <dtend>20260507T140000</dtend>
            <duration>000500</duration>
            <summary>Building a safe harbor for cybersecurity professionals</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/3YK3HN/</url>
            <location>Main Stage</location>
            
            <attendee>Ondrej Nekovar</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>YQSRBJ@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-YQSRBJ</pentabarf:event-slug>
            <pentabarf:title>RioT – A Raspberry-Based Network Implant for Red Team Operations</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T140000</dtstart>
            <dtend>20260507T144000</dtend>
            <duration>004000</duration>
            <summary>RioT – A Raspberry-Based Network Implant for Red Team Operations</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/YQSRBJ/</url>
            <location>Main Stage</location>
            
            <attendee>Olivier Médoc</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>8UQAZC@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-8UQAZC</pentabarf:event-slug>
            <pentabarf:title>Those Who Don’t Learn from CVEs Are Doomed to Rediscover Them</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T144000</dtstart>
            <dtend>20260507T152000</dtend>
            <duration>004000</duration>
            <summary>Those Who Don’t Learn from CVEs Are Doomed to Rediscover Them</summary>
            <description>The story starts with my analysis of a CVE affecting AES-GCM in a Ruby library and how this issue appears in other codebases and languages. I will show several related problems I reported across ecosystems.

From there, I cover the cyclic nature of vulnerabilities: &quot;The end of the world, we forget, rediscovery.&quot;

Next, I explain a practical methodology for performing CVE analysis. This leads into a selection of excellent CVEs I have studied and the lessons they provide. I will also demonstrate how one CVE I found was directly inspired by another I had analyzed earlier. I will finish this section with the most interesting CVE I examined in the weeks leading up to the conference.

We will wrap up with clear recommendations for attendees.

Since the topic can be complex, I include a few jokes and memes throughout the presentation to help maintain attention.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/8UQAZC/</url>
            <location>Main Stage</location>
            
            <attendee>Louis Nyffenegger</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>J9BBAM@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-J9BBAM</pentabarf:event-slug>
            <pentabarf:title>Dungeons &amp; Dragons: The security power tool you didn’t know you needed</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T154000</dtstart>
            <dtend>20260507T162000</dtend>
            <duration>004000</duration>
            <summary>Dungeons &amp; Dragons: The security power tool you didn’t know you needed</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/J9BBAM/</url>
            <location>Main Stage</location>
            
            <attendee>Klaus Agnoletti</attendee>
            
            <attendee>Glen Sorensen</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>APBPPQ@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-APBPPQ</pentabarf:event-slug>
            <pentabarf:title>Finding meaning in /dev/null</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T162000</dtstart>
            <dtend>20260507T165500</dtend>
            <duration>003500</duration>
            <summary>Finding meaning in /dev/null</summary>
            <description>In this talk, we will first present the conceptual and operational fundamentals of a network telescope, explaining its technical characteristics and its role in capturing unsolicited traffic at Internet scale. I will then describe the ingestion, normalization, and structuring pipeline used to transform the raw PCAP data into a durable and queryable data lake, relying on Suricata and ClickHouse for large-scale processing. Finally, I will showcase the types of analyses and meaningful insights that can be extracted from this dataset, including the identification of emerging behaviors, the characterization of malicious activities, and the observation of broader, systemic trends in global Internet traffic.

We will detail in our presentation all the valuable analyses that can come out of the void:

Detection of scanner bots:
By combining PTR records and activity, it is possible to build profiles of commercial scanners and also detect some lesser-known ones. We were able to discover more than 25 different scanner brands, from well-known ones like Onyphe or Shodan to lesser-known ones like Stretchoid or some public Russian ones such as F6 or Skipa. This permits the identification of around 6000 IPs monthly, which are available as MISP warning lists.
Observation of the Mirai botnet:
For years now this malware has been trying to replicate; the TCP window size of the initial SYN packet is enough to identify this malware family. The dataset collected shows an average of 45K Mirai bots. The distribution of Mirai per country is quite interesting.

Detection of CVE Trends:
By discriminating sources of activity by destination port, protocol and known scanner type, it is often possible to distinguish early scanning campaigns and anticipate upcoming threats. This capability is particularly valuable for a CERT, as it supports early warning and timely notification of its constituency.

An example is the scan activity around TCP port 8530, corresponding to the remote code execution (RCE) CVE-2025-59287, an unsafe deserialization bug in Microsoft Windows Server Update Services (WSUS). The CVE was released on 14/10/25.

Deep analysis of SNMP queries:
Analysing SNMP traffic at this scale allows us to monitor CVE-based injections and the associated campaigns.

It also permits finding interesting relations between devices and the SNMP communities used. Some examples of our previous SNMP protocol analysis can be found here:
https://d4-project.org/2025/11/27/Learning-from-Large-Scale-IPv4-blackhole-behavioral-analysis-of-SNMP-traffic.html

Many other trends can also be extracted. During this presentation, we will additionally cover:

    IoT botnet injections: The lowest possible level of interaction still allows us to identify old RCE injections like CVE-2019-12297, CVE-2021-35394 and CVE-2023-28771.
    Detection of DDoS attacks: Since combined DDoS attacks often use spoofed random IPs, it is possible to see some of the backscatter traffic (TCP SYN-ACK / ICMP unreachable) and therefore determine victimology.
    Antivirus usage trends: By observing unsolicited traffic generated by security products, it is possible to identify antivirus deployment patterns, update behaviors, and their evolution over time, providing indirect visibility into defensive technologies used across the Internet.
    Port 0 scanning: Although port 0 is reserved and unused by legitimate services, it is sometimes leveraged by scanners for operating system fingerprinting. Monitoring this activity helps identify OS detection techniques and early-stage reconnaissance behaviors.
    Many funny syslog misconfigurations: Since our range is not far from an RFC 1918 range, it often receives syslog traffic from misconfigured devices sending logs to invalid destinations. These cases highlight operational mistakes, legacy configurations, and occasionally the unintended exposure of internal or sensitive information.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/APBPPQ/</url>
            <location>Main Stage</location>
            
            <attendee>Paul JUNG</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>KHWQNW@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-KHWQNW</pentabarf:event-slug>
            <pentabarf:title>Digital risks, threat models, and empathy: trainings that empower</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T165500</dtstart>
            <dtend>20260507T173000</dtend>
            <duration>003500</duration>
            <summary>Digital risks, threat models, and empathy: trainings that empower</summary>
            <description>Many risk assessment professionals struggle with understanding digital and cyber risk. Risks such as injury caused by fires or earthquakes have reasonably straightforward causes. Risks such as data exfiltration could be caused by a number of complex, interconnected attacks. This talk will be based on my experiences of training small teams of very different risk experts—ranging from investigative journalism editors to humanitarian workers—about digital risks. It will focus on how we can tell better stories on digital risk that leave the audience feeling empowered.

We will discuss:

1. How to position digital risks next to other types of risks: I will summarise some of the conversations I’ve had with risk assessment professionals, highlighting both easy parts of and struggles in explaining digital risk. I will also briefly mention the problem of knowledge asymmetries in cyber and digital risk assessments.

2. Differences in risk assessment language used—and why they matter: this includes looking at words like “threat”, “risk”, “prevention”, and “mitigation”, and how cyber and digital risk professionals might use them differently from others.

3. Why ‘standing out’ (for example refusing to use some mainstream tools or having unusual tech use patterns) could itself be a problem. Here, we also discuss how much of the data surveillance actors collect can be noisy and messy, and why this might be reassuring.

4. Perceptions of omnipresent surveillance and ill-defined threat actors and how those frustrate our efforts at security education: we all sometimes run into the perception that surveillance isn’t just everywhere but done by everybody. While it’s true that many different actors are involved in this ecosystem, I explain how explicitly defining those actors and explaining what they are and aren’t capable of can help empower the audiences of our trainings. In short, this is a session on how we can use standard threat modelling techniques.

5. A case study on WhatsApp and Signal to explain how to best discuss risks and mitigations related to messaging and messengers.

6. Time for questions and discussion!


The main audience of this talk are security trainers, security team managers, and others who frequently work with and upskill non-technical audiences. I will mostly focus on broader notions of digital risk, only going into technical details when necessary.

I hope that, after the talk, the audience will have the following key takeaways:

- How to effectively tell stories about digital risk, cyber risk, and surveillance to audiences that don’t feel too comfortable with such topics
- Building analogies, and noting differences, between digital risk and other types of risk (physical, financial, legal, etc.)
- How to empower people who might feel overwhelmed when thinking about risks such as surveillance or spyware</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/KHWQNW/</url>
            <location>Main Stage</location>
            
            <attendee>Łukasz Król</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>SWGJPX@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-SWGJPX</pentabarf:event-slug>
            <pentabarf:title>Phinding a Phisher: Don&#x27;t let rep get you rekt</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T173000</dtstart>
            <dtend>20260507T180500</dtend>
            <duration>003500</duration>
            <summary>Phinding a Phisher: Don&#x27;t let rep get you rekt</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/SWGJPX/</url>
            <location>Main Stage</location>
            
            <attendee>Elliot Parsons</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>D8PPLC@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-D8PPLC</pentabarf:event-slug>
            <pentabarf:title>Security Impress Karaoke</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T193000</dtstart>
            <dtend>20260507T210000</dtend>
            <duration>013000</duration>
            <summary>Security Impress Karaoke</summary>
            <description>No experience? No problem. This is all about having fun, thinking fast, and impressing the crowd with your creativity (or chaos). Whether you&#x27;re a seasoned hacker or just security-curious, come take the podium and let’s see what you’ve got!

Sign up or just show up!</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Custom entertainment and similar</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/D8PPLC/</url>
            <location>Main Stage</location>
            
            <attendee>Kirils Solovjovs</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>EW9MCX@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-EW9MCX</pentabarf:event-slug>
            <pentabarf:title>Hello LuCy nice to meet you! - A conclusion on a 3 year Open-Source cybersecurity project</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T090000</dtstart>
            <dtend>20260507T094000</dtend>
            <duration>004000</duration>
            <summary>Hello LuCy nice to meet you! - A conclusion on a 3 year Open-Source cybersecurity project</summary>
            <description>LuCy is a mostly open-source cybersecurity toolbox consisting of a SIEM and a DNS firewall. Due to limited resources, a significant amount of R&amp;E (research and education) institutions cannot deploy an inhouse cybersecurity solution. 
Therefore, LuCy was brought into this world to offer these services, such as alerting, dns filtering, dashboards, to the R&amp;E institutions to improve their resilience at a reduced cost. We highly value the input from institutions connected to LuCy for continuous improvement of the platform.
Data sovereignty is crucial, thus everything is hosted on premises at the _Restena Foundation_ in Luxembourg.
We are working on reports and documentation so that any other SME can deploy this open-source cluster on their premises.

Open-source is the way to go! Lessons learned from implementing a cybersecurity tool which needs half of the staff. Not to lose motivation also in tough times. Keep the mindset, open source is needed in our community!</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/EW9MCX/</url>
            <location>IFEN room 1, Workshops and Detection Engineering village (Building D)</location>
            
            <attendee>Denim Latić</attendee>
            
            <attendee>Cynthia Wagner</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>ZDAX3J@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-ZDAX3J</pentabarf:event-slug>
            <pentabarf:title>From Hours to Minutes: Automating Incident Response Triage with Open-Source Tools</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T094000</dtstart>
            <dtend>20260507T101500</dtend>
            <duration>003500</duration>
            <summary>From Hours to Minutes: Automating Incident Response Triage with Open-Source Tools</summary>
            <description>Traditional forensic acquisitions create bottlenecks in incident response, requiring specialized expertise and significant time that delays investigations. This presentation introduces an automated forensic triage workflow using open-source tools to accelerate response operations.

The workflow utilizes a Velociraptor offline collector to acquire forensic triage images, automatically uploaded to cloud storage. This triggers an OpenRelik workflow that processes triage data using tools like Hayabusa and Plaso/log2timeline, with AI-powered analysis and summarization. The processed output is uploaded to Timesketch for collaborative analysis.

Several DFIR datasets will be used to show the automation pipeline from initial collection to timeline analysis. The workflow reduces time-to-analysis from hours to minutes while maintaining forensic integrity.

Attendees will learn to implement automated triage workflows and integrate multiple open-source tools into investigation pipelines. This targets incident responders, digital forensics practitioners and anyone in the security community looking to streamline forensic operations.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/ZDAX3J/</url>
            <location>IFEN room 1, Workshops and Detection Engineering village (Building D)</location>
            
            <attendee>Markus Einarsson</attendee>
            
        </vevent>
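The hand-off described in the abstract above (collector upload, then unattended processing into a Timesketch timeline), as an added editor's example rather than the speaker's code or code from Velociraptor, OpenRelik, Hayabusa or Timesketch. It assumes the upload ships a JSON manifest of SHA-256 digests next to the collection (an assumed layout, not Velociraptor's), and approximates Hayabusa's JSON field names; the Timesketch JSONL fields message, datetime and timestamp_desc are the importer's documented requirements. All file contents and events are constructed. The point it shows is the integrity gate: a truncated or tampered upload is refused before anything is timelined, which is what "maintaining forensic integrity" has to mean once nobody is watching the pipeline.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample upload: the files a collector run might ship. The manifest
# layout (JSON map of file name to SHA-256) is an assumption for this example.
SAMPLE_FILES = {
    "Collection.zip": b"PK\x03\x04 constructed triage archive bytes",
    "uploads.json": b'{"files": ["C/Windows/System32/winevt/Logs/Security.evtx"]}',
}

# Constructed events approximating Hayabusa's JSON output (field names assumed).
SAMPLE_EVENTS = [
    {"Timestamp": "2026-05-07 09:41:12.000 +00:00", "Computer": "WS01",
     "RuleTitle": "Logon Success (Network)", "EventID": 4624, "Level": "info"},
    {"Timestamp": "2026-05-07 09:42:30.000 +00:00", "Computer": "WS01",
     "RuleTitle": "PowerShell Encoded Command", "EventID": 4104, "Level": "high"},
]


def write_bundle(directory):
    """Write the sample files plus a manifest of their digests; returns the manifest path."""
    manifest = {}
    for name, data in SAMPLE_FILES.items():
        (Path(directory) / name).write_bytes(data)
        manifest[name] = hashlib.sha256(data).hexdigest()
    manifest_path = Path(directory) / "manifest.json"
    manifest_path.write_text(json.dumps(manifest))
    return manifest_path


def verify_bundle(manifest_path):
    """Recompute every digest in the manifest; return the list of problems found.

    An empty list means the upload is intact and processing may start. Missing
    files and digest mismatches are both reported so a truncated or tampered
    upload is quarantined instead of being timelined as if it were evidence.
    """
    manifest_path = Path(manifest_path)
    manifest = json.loads(manifest_path.read_text())
    problems = []
    for name, expected in manifest.items():
        path = manifest_path.parent / name
        if not path.is_file():
            problems.append(f"missing: {name}")
            continue
        actual = hashlib.sha256(path.read_bytes()).hexdigest()
        if actual != expected:
            problems.append(f"digest mismatch: {name}")
    return problems


def to_timesketch_jsonl(events):
    """Normalize events into Timesketch's JSONL import format, one object per line.

    Timesketch requires message, datetime (ISO 8601) and timestamp_desc; every
    other key is kept as a searchable attribute.
    """
    lines = []
    for ev in events:
        # Hayabusa prints "YYYY-MM-DD HH:MM:SS.fff +HH:MM"; store it as UTC ISO 8601.
        ts = datetime.strptime(ev["Timestamp"], "%Y-%m-%d %H:%M:%S.%f %z")
        lines.append(json.dumps({
            "message": f"{ev['RuleTitle']} (EventID {ev['EventID']}) on {ev['Computer']}",
            "datetime": ts.astimezone(timezone.utc).isoformat(),
            "timestamp_desc": "Event Logged",
            "hostname": ev["Computer"],
            "event_id": ev["EventID"],
            "level": ev["Level"],
        }))
    return "\n".join(lines) + "\n"


def run_stage(directory):
    """Integrity gate first, normalization second; returns (problems, jsonl)."""
    problems = verify_bundle(Path(directory) / "manifest.json")
    if problems:
        return problems, ""
    return [], to_timesketch_jsonl(SAMPLE_EVENTS)


def demo():
    """Run the stage on an intact upload, then again after one file is truncated."""
    with tempfile.TemporaryDirectory() as tmp:
        write_bundle(tmp)
        intact = run_stage(tmp)
        (Path(tmp) / "uploads.json").write_bytes(b"truncated")
        tampered = run_stage(tmp)
    return intact, tampered


if __name__ == "__main__":
    for problems, jsonl in demo():
        print("REFUSED:" if problems else "OK", problems or jsonl)
```

The same gate belongs at every storage hop (collector to bucket, bucket to processing worker), since a digest checked only once at the end cannot tell you which hop corrupted the evidence.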
        
        <vevent>
            <method>PUBLISH</method>
            <uid>AP8GQT@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-AP8GQT</pentabarf:event-slug>
            <pentabarf:title>Advanced Threat Hunting: Staying One Step Ahead of Adversary</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T103500</dtstart>
            <dtend>20260507T111500</dtend>
            <duration>004000</duration>
            <summary>Advanced Threat Hunting: Staying One Step Ahead of Adversary</summary>
            <description>As cybersecurity defenders, our job is not just to react but to stay ahead of attackers. Yet, adversaries continue to evolve, refining their techniques to bypass defenses and infiltrate critical systems. To effectively hunt threats, we must understand how these attackers think and operate.

This session will explore real-world techniques used by malicious actors to breach security controls. We will examine how stolen data such as compromised session tokens and credentials are weaponized to gain unauthorized access to systems and supply chains. We’ll also uncover how attackers bypass restricted registration requirements, exploiting gaps in verification and automation processes. We will also analyze how logic flaws in authentication mechanisms allow threat actors to circumvent security controls, gaining entry where they shouldn’t. And much more.

By breaking down these attack strategies, you will learn how to identify, track, and neutralize emerging threats before they cause damage. This session will equip you with practical threat-hunting insights, showing you how to turn an attacker’s own methods against them before they strike.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/AP8GQT/</url>
            <location>IFEN room 1, Workshops and Detection Engineering village (Building D)</location>
            
            <attendee>Alex Holden</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>L9773J@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-L9773J</pentabarf:event-slug>
            <pentabarf:title>CT(C)I-Driven detection against internal and external threats</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T112000</dtstart>
            <dtend>20260507T120000</dtend>
            <duration>004000</duration>
            <summary>CT(C)I-Driven detection against internal and external threats</summary>
            <description>In this talk, we redefine efficient threat intelligence processing and its direct application in advanced detection engineering. We are moving past the era of creating reactive detection rules based on trending IOCs or generating &quot;traffic light&quot; reports that lack real defensive impact.
We will examine high-stakes threat scenarios on a geopolitical scale. By analyzing the laws of cyber deception within CTI reports, we will identify the behavioral errors attackers make and learn how to exploit those flaws for detection.
However, the landscape is evolving. We will analyze scenarios where external adversaries successfully become internal threats—specifically dissecting the tactic of APTs deploying state-sponsored remote workers to infiltrate security companies. This involves advanced deception: deepfakes, synthetic profiles, fabricated employment histories, and the abuse of corporate devices.
When you have a highly trained operative inside, traditional defense fails. This is where Cyber Counterintelligence (CCI) becomes essential. You must counter the adversary&#x27;s deception with your own deceptive architecture to force them into revealing themselves. And there we will go through a real detection engineering challenge - an identity-based detection across the whole environment.
To operationalize this approach, we must abandon outdated methods. We will explore how to revolutionize your engineering process by replacing static documentation with a visual graph engine. You will learn how to apply a Git-native &quot;Detection-as-Code&quot; workflow that automatically converts visual capability maps into executable SIGMA rules, leveraging MITRE frameworks to design and scale resilient defense logic.

Key Takeaways:
- Shatter the Perimeter Illusion - Realize that sophisticated threats are not just external; they are actively infiltrating organizations as trusted insiders.
- The Necessity of Threat-Informed Defense - Understand that generic monitoring is obsolete; threat-driven detection engineering is the only viable path forward against modern adversaries.
- Operationalize Cyber Counterintelligence - Learn how to use internal telemetry and deceptive tactics to expose sophisticated actors already operating within your environment.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/L9773J/</url>
            <location>IFEN room 1, Workshops and Detection Engineering village (Building D)</location>
            
            <attendee>Ondrej Nekovar</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>RNELAL@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-RNELAL</pentabarf:event-slug>
            <pentabarf:title>OpenTide: From Raw Intelligence to Structured Threat-Informed Detections</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T133000</dtstart>
            <dtend>20260507T141000</dtend>
            <duration>004000</duration>
            <summary>OpenTide: From Raw Intelligence to Structured Threat-Informed Detections</summary>
            <description>**Outline**
Intelligence to Detection Engineering Gap
- TTP intelligence remains unstructured (reports, PDFs, blogs).
- Defenders struggle to operationalize insights into detections.
- Coverage measurement reduced to static ATT&amp;CK mappings.
- Manual workflows are slow and inconsistent.
- Teams overwhelmed by volume and pace of new intel.
 
OpenTide Workflow
- Intelligence &gt; Threat Vectors &gt; Detection Objectives &gt; Rules.
- Normalized schema for consistent ingestion of unstructured intel.
- Attack graphs enable contextual coverage measurement.
 
Accelerating with LLMs (GenTide)
- GenTide: LLMs accelerate Threat Vector modeling from intelligence.
- Accelerates turning Threat Vectors into Detection Objectives to support rule development.
- Reduces time from intel input to detection deployment.
- Supports continuous alignment with evolving threats.
 
**Key takeaways**
OpenTide helps defenders turn unstructured threat intelligence into actionable detections. It introduces Threat Vectors to model adversary behaviors and link them directly to detection objectives and rules in a comprehensive way. This creates a structured, scalable workflow that replaces static ATT&amp;CK mappings with a growing knowledge graph and redefines how detection coverage can be evaluated.

With experimental automation through large language models, OpenTide shortens the time from intelligence to deployment and enables continuous alignment with evolving threats.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/RNELAL/</url>
            <location>IFEN room 1, Workshops and Detection Engineering village (Building D)</location>
            
            <attendee>Remi Seguy</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>Z8EPNM@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-Z8EPNM</pentabarf:event-slug>
            <pentabarf:title>Your CTI Reports Are Useless Without Structure: From Unstructured Threat Intel to STIX Knowledge Graphs with LLMs and MCP server</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T141000</dtstart>
            <dtend>20260507T144500</dtend>
            <duration>003500</duration>
            <summary>Your CTI Reports Are Useless Without Structure: From Unstructured Threat Intel to STIX Knowledge Graphs with LLMs and MCP server</summary>
            <description>**Problem Statement**
The CTI community produces an enormous volume of high-quality threat intelligence every week — malware analyses, campaign reports, government advisories. The vast majority is published as unstructured text. Despite the existence of STIX 2.1 as a mature, graph-based interoperability standard, most organizations skip the conversion step entirely because it is slow, manual, and requires deep domain expertise. The consequence: intelligence that could feed automated detection, correlation, and response workflows remains locked in prose.
This section frames STIX not as bureaucratic overhead, but as the critical prerequisite layer that makes everything downstream — from SIEM rules to AI-driven threat hunting — possible.
**The Hybrid Architecture: GenAI-STIX**
The core of the talk introduces a hybrid pipeline architecture developed through independent research and validated in an academic study currently under peer review (University of Salerno, AY 2025/2026). The key design insight is that not everything should be delegated to a generative model:

- Deterministic extraction (regex + validation) handles Indicators of Compromise (IoCs) — IP addresses, hashes, domains, URLs — where precision and resistance to hallucination are paramount.
- LLM-based semantic inference handles the hard part: extracting Tactics, Techniques, and Procedures (TTPs), threat actors, malware families, victims, and the relationships between them, then mapping these to the MITRE ATT&amp;CK framework.

The talk walks through the evaluation methodology: a dual pipeline (object-level detection metrics + holistic graph similarity) tested against a ground-truth dataset built from real UK National Cyber Security Centre (NCSC) STIX bundles. Five LLM families were benchmarked. Key finding: high-reasoning models exceed 94% precision in TTP extraction, demonstrating that automated MITRE ATT&amp;CK mapping is no longer a theoretical prospect but a production-ready capability.
**TI Mindmap HUB: The Living Research Lab**
TI Mindmap HUB is the independent research platform where these concepts are implemented and tested at scale, processing 50–60 threat reports weekly. The speaker demonstrates how a single unstructured report flows through the pipeline and emerges as a multi-lens analyst workstation:

- STIX graph view — interactive entity/relationship exploration
- Diamond Model — campaign framing from STIX objects
- MITRE ATT&amp;CK heatmap — behavioral coverage visualization
- CVE analyst table — vulnerability prioritization with threat context
- TI Mindmap — narrative structure for executive and analyst consumption

The same structured artifacts (STIX bundles, ATT&amp;CK layers, IOC/CVE objects) power all views — different analytical lenses from shared data, not isolated widgets. A brief visual walkthrough shows the end-to-end flow from URL submission to structured intelligence.
**MCP: Making CTI Actionable for AI Agents**
Structure alone is not enough — intelligence must be accessible where decisions are made. This section introduces the Model Context Protocol (MCP) server built for TI Mindmap HUB, which exposes structured CTI as native tool calls for AI copilots and agents:

- Report discovery and deep-dive — search, filter, and retrieve processed intelligence artifacts directly from a chat interface
- IOC pivoting — &quot;where else was this indicator seen?&quot; as a single tool call
- STIX bundle retrieval — portable intelligence packages ready for TIP/SOAR/SIEM integration
- Article submission — trigger the full processing pipeline from conversation context

This transforms CTI from a static product into a conversational operations layer. The MCP server implements secure API key + OAuth authentication, making it ready for both human analysts and autonomous agent workflows.
**Toward Knowledge Graphs: The Research Horizon**
With STIX bundles as building blocks, the next research frontier is LLM-inferred cross-report relationships — connecting entities across dozens of reports to build a threat intelligence knowledge graph that reveals patterns invisible in individual analyses. The speaker briefly outlines this ongoing research direction and its implications for strategic CTI.
**Closing**
TI Mindmap HUB is an independent research project exploring the intersection of Generative AI and Cyber Threat Intelligence. It is not a product and not affiliated with any employer or commercial entity. The speaker actively seeks collaboration from the CTI research and practitioner community.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/Z8EPNM/</url>
            <location>IFEN room 1, Workshops and Detection Engineering village (Building D)</location>
            
            <attendee>Antonio Formato</attendee>
            
        </vevent>
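The deterministic half of the hybrid pipeline in the abstract above (regex extraction plus validation into STIX 2.1 Indicator objects, and the object-level precision/recall check), as an added editor's example; it is not GenAI-STIX or TI Mindmap HUB code. The report excerpt, the hash, the addresses and the ground-truth set are all constructed for the example. One defanging convention, "(dot)", is deliberately left unhandled so that the metrics show a recall gap, which is exactly the kind of failure the evaluation layer exists to surface.

```python
import ipaddress
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed excerpt of a defanged report; the hash and all addresses are made up.
SAMPLE_REPORT = """
The loader beacons to hxxp://update-cdn[.]example[.]net/api/v2 and to 203[.]0[.]113[.]45.
Dropped file SHA256: 3f786850e387550fdab836ed7e6dc881de23001b7d6a5ffd3b1f3c3f2f6a9b1c
Version string 5.1.12.300 is not an address. Internal host 10.0.0.5 is excluded.
C2 fallback: backup(dot)example(dot)org
"""

# Constructed analyst ground truth for the same excerpt: (STIX object path, value).
GROUND_TRUTH = {
    ("ipv4-addr:value", "203.0.113.45"),
    ("url:value", "http://update-cdn.example.net/api/v2"),
    ("domain-name:value", "update-cdn.example.net"),
    ("domain-name:value", "backup.example.org"),
    ("file:hashes.'SHA-256'", "3f786850e387550fdab836ed7e6dc881de23001b7d6a5ffd3b1f3c3f2f6a9b1c"),
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
URL_RE = re.compile(r"\bhttps?://[^\s\"']+")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def refang(text):
    """Undo the usual defanging so one regex set covers plain and defanged text.
    The "(dot)" convention is deliberately left out; the metrics expose that."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def valid_public_ipv4(value):
    """A regex cannot tell 5.1.12.300 from an address; ipaddress can."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    if ip.version != 4 or ip.is_loopback or ip.is_link_local or ip.is_multicast:
        return False
    # Only RFC 1918 space is dropped; documentation ranges such as 203.0.113.0/24
    # are kept so the constructed sample stays non-routable.
    return not any(ip in net for net in RFC1918)


def extract_iocs(report):
    """Deterministic pass: a set of (STIX object path, value) pairs."""
    text = refang(report)
    found = set()
    for m in IPV4_RE.findall(text):
        if valid_public_ipv4(m):
            found.add(("ipv4-addr:value", m))
    for m in SHA256_RE.findall(text):
        found.add(("file:hashes.'SHA-256'", m.lower()))
    for m in URL_RE.findall(text):
        found.add(("url:value", m.rstrip(".,)")))
    for m in DOMAIN_RE.findall(text):
        found.add(("domain-name:value", m.lower()))
    return found


def to_stix_bundle(iocs):
    """Wrap each IoC in a STIX 2.1 Indicator whose pattern is a single comparison."""
    now = datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")
    objects = [{
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "indicator_types": ["malicious-activity"],
        "pattern_type": "stix",
        "pattern": f"[{path} = '{value}']",
        "valid_from": now,
    } for path, value in sorted(iocs)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def object_level_metrics(extracted, truth):
    """Precision and recall over (path, value) pairs, plus what was missed or spurious."""
    tp = len(extracted.intersection(truth))
    return {
        "tp": tp,
        "precision": tp / len(extracted) if extracted else 0.0,
        "recall": tp / len(truth) if truth else 0.0,
        "missed": sorted(truth.difference(extracted)),
        "spurious": sorted(extracted.difference(truth)),
    }


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_REPORT)
    print(json.dumps(to_stix_bundle(iocs), indent=2))
    print(object_level_metrics(iocs, GROUND_TRUTH))
```

On this excerpt the deterministic pass scores precision 1.0 and recall 0.8: the version string and the RFC 1918 host are rejected by validation rather than by the regex, and the one miss is the "(dot)" domain. That division of labour is the design point: anything whose correctness can be checked mechanically stays out of the language model.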
        
        <vevent>
            <method>PUBLISH</method>
            <uid>LL9LUX@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-LL9LUX</pentabarf:event-slug>
            <pentabarf:title>Not So hARMless: The Hidden World of Linux Packers and Detection Challenges</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T144500</dtstart>
            <dtend>20260507T152000</dtend>
            <duration>003500</duration>
            <summary>Not So hARMless: The Hidden World of Linux Packers and Detection Challenges</summary>
            <description>This presentation examines Linux malware packers and loaders as sophisticated evasion techniques that pose significant challenges to modern cybersecurity defenses. Malware packers compress, encrypt, and obfuscate executable code, while loaders execute the original malware directly in memory, enabling fileless execution that bypasses traditional detection mechanisms. The research includes a case study of the Lazarus APT group&#x27;s ThreatNeedle malware, demonstrating real-world implementation of multi-stage deployment with in-memory execution capabilities. A practical analysis of the hARMless ARM64 ELF packer/loader system illustrates key technical components including multi-layer encryption, CRC32 integrity verification, and direct ARM64 syscall implementation. The presentation reveals critical security implications: traditional EDR solutions have significant detection gaps on Linux systems, static analysis proves insufficient against packed malware, and memory-based execution complicates forensic analysis. Defensive strategies require implementing syscall-level monitoring, deploying behavioral analysis capabilities, and maintaining comprehensive logging for effective threat detection and response. Attendees will understand how modern malware evades detection and discover practical defensive strategies including syscall-level monitoring, behavioral analysis, and comprehensive logging for effective threat detection and response.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/LL9LUX/</url>
            <location>IFEN room 1, Workshops and Detection Engineering village (Building D)</location>
            
            <attendee>Massimo Bertocchi</attendee>
            
        </vevent>
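The static packer indicators the abstract above calls necessary but not sufficient, as an added editor's example that is not hARMless or the speaker's code. It assembles two constructed minimal ELF64 AArch64 files in memory (one with repetitive, low-entropy "code", one whose only PT_LOAD segment is seeded pseudo-random bytes standing in for an encrypted payload and which carries no section table), parses the headers by hand, and reports what a static triage pass can see: segment entropy, a missing section table, and a writable-plus-executable segment. The 7.2 bits/byte threshold is a conventional choice, not a measured figure.

```python
import math
import operator
import random
from collections import Counter

EM_AARCH64 = 183
PT_LOAD = 1
ENTROPY_THRESHOLD = 7.2   # bits per byte; a conventional cut-off, not a measured one


def u(n, width):
    """Little-endian unsigned integer, used to assemble the constructed samples."""
    return int(n).to_bytes(width, "little")


def build_elf64(segments, shnum):
    """Assemble a minimal ELF64 AArch64 file from (p_flags, payload) pairs.

    Only what the parser below reads is filled in: ELF header, one PT_LOAD
    program header per payload, then the payloads back to back.
    """
    ehsize, phentsize = 64, 56
    off = ehsize + phentsize * len(segments)
    phdrs, blobs = b"", b""
    for flags, payload in segments:
        vaddr = 0x400000 + off
        phdrs += (u(PT_LOAD, 4) + u(flags, 4) + u(off, 8) + u(vaddr, 8) + u(vaddr, 8)
                  + u(len(payload), 8) + u(len(payload), 8) + u(0x1000, 8))
        blobs += payload
        off += len(payload)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)      # ELFCLASS64, little-endian
    header = (ident + u(2, 2) + u(EM_AARCH64, 2) + u(1, 4) + u(0x400000 + ehsize, 8)
              + u(ehsize, 8) + u(0, 8) + u(0, 4) + u(ehsize, 2) + u(phentsize, 2)
              + u(len(segments), 2) + u(64, 2) + u(shnum, 2) + u(0, 2))
    return header + phdrs + blobs


def parse_elf64(blob):
    """Return (e_machine, e_shnum, [(p_flags, segment bytes), ...]) for PT_LOAD entries."""
    if blob[:4] != b"\x7fELF" or blob[4] != 2 or blob[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    le = lambda at, width: int.from_bytes(blob[at:at + width], "little")
    machine, phoff = le(18, 2), le(32, 8)
    phentsize, phnum, shnum = le(54, 2), le(56, 2), le(60, 2)
    segments = []
    for i in range(phnum):
        base = phoff + i * phentsize
        p_type, p_flags = le(base, 4), le(base + 4, 4)
        p_offset, p_filesz = le(base + 8, 8), le(base + 32, 8)
        if p_type == PT_LOAD:
            segments.append((p_flags, blob[p_offset:p_offset + p_filesz]))
    return machine, shnum, segments


def shannon_entropy(data):
    """Bits per byte; random or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def packer_indicators(blob):
    """Static hints that a file is packed or is a loader. Hints only: the whole
    point of the talk is that static checks alone do not settle the question."""
    _machine, shnum, segments = parse_elf64(blob)
    findings = []
    if shnum == 0:
        findings.append("no section headers (stripped or packed)")
    for flags, data in segments:
        executable = flags % 2 == 1            # PF_X is bit 0
        writable = (flags // 2) % 2 == 1       # PF_W is bit 1
        entropy = shannon_entropy(data)
        if executable and operator.gt(entropy, ENTROPY_THRESHOLD):
            findings.append(f"executable segment with entropy {entropy:.2f} bits/byte")
        if executable and writable:
            findings.append("segment is writable and executable (in-place unpacking)")
    return findings


def demo():
    """Two constructed samples: repetitive 'code' vs. a pseudo-random payload that
    stands in for an encrypted one (seeded, so the result is reproducible)."""
    plain = build_elf64([(5, bytes(range(0, 256, 8)) * 64)], shnum=12)      # R+X, 12 sections
    packed = build_elf64([(7, random.Random(7).randbytes(4096))], shnum=0)  # RWX, no sections
    return packer_indicators(plain), packer_indicators(packed)


if __name__ == "__main__":
    for label, findings in zip(("plain", "packed"), demo()):
        print(label, findings or ["no static packer indicators"])
```

A packer that decrypts into a fresh anonymous mapping and jumps there leaves the on-disk file looking exactly like the "packed" sample and nothing more; what it does after that is only visible to the syscall-level and behavioural monitoring the abstract recommends.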
        
        <vevent>
            <method>PUBLISH</method>
            <uid>JRZGUH@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-JRZGUH</pentabarf:event-slug>
            <pentabarf:title>Goodbye Purple Team, Hello Purple Bots</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T154000</dtstart>
            <dtend>20260507T162000</dtend>
            <duration>004000</duration>
            <summary>Goodbye Purple Team, Hello Purple Bots</summary>
            <description>AI and automation are powerful technologies that can be leveraged to enhance both offensive and defensive security strategies. This talk unveils a fully automated, AI-driven purple teaming Proof of Concept framework that simulates real-world APT attacks, evaluates detection capabilities, and enhances security defense, all in real time.

Join us as we unveil the next frontier of AI-driven adversary simulation framework, where offense and defense merge into an intelligent, automated cycle of continuous security enhancement.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/JRZGUH/</url>
            <location>IFEN room 1, Workshops and Detection Engineering village (Building D)</location>
            
            <attendee>Patrick Mkhael</attendee>
            
            <attendee>Ralph El Khoury</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>PWCYXA@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-PWCYXA</pentabarf:event-slug>
            <pentabarf:title>Ferrari without fuel: Exorcise GIGO out of Logs Management</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T162000</dtstart>
            <dtend>20260507T170000</dtend>
            <duration>004000</duration>
            <summary>Ferrari without fuel: Exorcise GIGO out of Logs Management</summary>
            <description>**Why this talk**
How many times have you been asked to onboard logs on a SIEM just by &quot;opening the flows&quot;, without any validation? Or even develop alerts on already provided logs without questioning them? Has any PenTest or Red Team exercise highlighted that you had no visibility (let alone alerting) over certain actions, despite &quot;you had the logs&quot;? Have you ever seen a truncated log or one coming from the future? Or a logout without its previous login?

Nowadays, there is no gold standard for baseline or maturity assessments on log collection / coverage, except a few governmental exceptions (e.g. OMB M-21-31) or highly prescriptive yes/no audit-level compliance frameworks that don&#x27;t meet the granular level needed to &quot;plug&quot; logging and detection/analysis seamlessly (e.g. NIST SP 800-53 AU Family). This is the same from developers&#x27; &quot;**Security by Design**&quot; perspective, where best practices exist for narrow scopes but may not be ultimately enforced (e.g. OWASP Logging Cheat Sheet).

Historically, &quot;security&quot; has often been treated as an elite craft and a compliance checkbox - fertile ground for buzzwords and &quot;magic wand&quot; tooling narratives. Our experience is that every time the solution is &quot;just a new tool&quot; an analyst dies (joke intended; right?). &quot;Magic wands&quot; do not exist. A tool can help, but it cannot replace understanding: normal vs. corner cases, environment constraints, and informed decisional context.
This matters because the industry repeatedly shows that SIEM programs are fragile in practice: expensive volume ingestion, yet broken detections, missing fields, parsing issues, and alert overload.

**Our thesis: &quot;shift-left&quot; inside the SOC**
Instead of starting from &quot;alerts&quot; and hoping SOAR + AI/LLMs will fix the rest (sometimes scaling more confusion than value), we shift-left by making upstream telemetry complete, useful, and normalized - the foundations of reliable detection engineering. We do so by enforcing a &quot;Compliance Data Model&quot; that is both the output of SIEM engineers and the input for Detection Engineers, a meeting point to build Use Cases on even when you don&#x27;t have the logs (yet), and SIEM-vendor-agnostic.

We will deep-dive into:
• **Logs Management as a discipline / requirement**: end-to-end process of collecting, storing, processing/normalizing, **validating**, and monitoring log data, ultimately making sure &quot;**it represents reality**&quot; - as opposed to the common &quot;hydrant approach&quot; of indiscriminately turning on a firehose of logs and assuming the job is done (e.g. &quot;I’ve opened the flow. Are you getting some logs now? Yes? Great, we’re done&quot;).
• **Security Monitoring as a practice that is highly dependent on Logs Management**, either in its automated form (Use Case Management, UBA, etc.) and/or in its manual one (&quot;free-dive&quot; or Hypothesis-based Threat Hunting, etc.), regardless of the framework you may be using (e.g. OpenTide, MITRE, FI-ISAC NL MaGMa).
• **Visibility Depth vs Width**: many environments feel &quot;well integrated and monitored&quot; simply because a type of logs is collected from all hosts, but when laying out a matrix of which other logs are collected from where, and if they&#x27;re normalized, a clear &quot;**wide-but-shallow**&quot; image shows up, and suddenly nobody agrees what &quot;critical app alerting&quot; means without app owners at the table.
• **Bridging the gap - Log Schema vs. Policy**: Deciding what to log (a logging policy) is just as important as how to structure it (a data schema / taxonomy). Many teams adopt common schemas like **Splunk CIM, OCSF, Elastic ECS, Microsoft ASIM**, etc. to **normalize** fields, which is important and ensures consistency, but they **cannot be used alone to audit visibility gaps**. If you never send a particular log type to your SIEM, the schema won’t complain, and even if you count the number of success/failures or logs with &quot;username&quot; or other fields, the **Logging Policy** (and thus upstream checks) is still needed to **set expectations** and **understand what is normal vs. anomalous.**

Useful resources for companies to draft their own Logging Policy are:
➤ **Prescriptive Standards**: **OMB M-21-31** (U.S. federal logging requirements, which explicitly lists log categories and retention periods agencies must collect for each security tier), **NIST SP 800-53** (Audit &amp; Accountability controls, that mandates specific events that systems must log as a baseline), and **CIS Critical Security Controls** (especially Safeguard 8.2, enumerating essential logs to collect to support security monitoring).
➤ **Threat-Informed Frameworks**: **MITRE ATT&amp;CK** provides a matrix of **data sources** needed to detect various adversary techniques at a high level. MITRE’s open-source DeTT&amp;CT can help score your log coverage. Even SIGMA rules include a &quot;logsource&quot; definition as a requirement, although a very high-level one. CTI-based frameworks like Dragos&#x27; CMF (Collection Management Framework) also help. If you have an Attack Range Lab, more technical resources from PenTesters / Red-Teamers can be leveraged, like Atomic Red Team, testing techniques and adjusting log verbosity up until meaningful activity is logged.
➤ **Application Layer Logs**: Logging isn’t just an IT operations concern; it starts with developers. We reference the **OWASP Logging Cheat Sheet** (and similar app-security guidance) which outlines what security-relevant events applications should generate - for example, input validation failures, authentication successes/failures, and access control violations. This highlights that effective logging requires collaboration between the Security/SOC and development teams (not just red&amp;blue teams).
➤ **Business Context**: The above compliance standards and threat frameworks are inherently generic. They assume all servers, applications, and data are equally important, or they focus solely on the likelihood of an attack. What they completely miss is the Business Impact (e.g. BIA - Business Impact Analysis, FAIR - Factor Analysis of Information Risk) - which is the exact language the Board of Directors (BoD) speaks. Each organization should craft a Logging Policy/Framework tailored to its unique context - considering its business model, &quot;crown jewel&quot; assets, regulatory requirements, and mix of IT vs. OT systems. For example, onboarding and normalizing upfront logs that grant visibility over a big project could provide Exploratory Data Analysis (EDA) capabilities and even give the opportunity to spot issues or misconfigurations before they happen, bringing unexpected added-value / ROI to top management and ultimately granting stronger mandates and economics internally in the organization (e.g. &quot;We noticed 40% of users are dropping off at this specific transaction point because of a backend timeout, impacting revenues&quot; or &quot;There is a misconfiguration causing the app to query the database 50 times per second per user, increasing API costs&quot;). Bringing those findings to management means transitioning Security from a &quot;cost center&quot; to a &quot;business enabler&quot;, providing QA and operational intelligence, not just blocking hackers.


**Disclaimer**
We acknowledge that not every organization can overhaul its logging overnight - real-world constraints exist. The session emphasizes incremental improvement and trade-offs, helping each attendee identify a few high-impact &quot;logging wins&quot; they can pursue back at work. We’re not promising a silver bullet (that would go against the entire premise!); instead, attendees will leave with fresh perspectives and actionable frameworks to gradually turn their own &quot;Ferrari&quot; into a well-fueled security machine.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/PWCYXA/</url>
            <location>IFEN room 1, Workshops and Detection Engineering village (Building D)</location>
            
            <attendee>Stefano Amodio</attendee>
            
            <attendee>Elliot Parsons</attendee>
            
        </vevent>
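The "does it represent reality" validation the abstract above argues for, as an added editor's example rather than the speakers' tooling. A logging policy (an assumed shape, not any standard's) sets the expectations, and a batch of constructed JSON log lines is checked against it for the failures the abstract lists: a truncated line, a timestamp from the future, a logoff with no preceding logon, a required field missing, and a host the policy says must report but which is silent. A field schema alone would accept every parsed line here; only the policy check flags the silent host.

```python
import json
import operator
from datetime import datetime, timedelta, timezone

# Constructed logging policy: which hosts must emit which event classes, and the
# fields each class must carry. The shape is assumed for this example only.
POLICY = {
    "expected_sources": {"DC01": {"auth"}, "WS01": {"auth", "process"}},
    "required_fields": {
        "auth": {"ts", "host", "user", "src_ip", "action", "outcome"},
        "process": {"ts", "host", "user", "image"},
    },
}

# Constructed batch, one JSON event per line as a collector would forward them.
SAMPLE_LINES = [
    '{"ts":"2026-05-07T16:20:01Z","host":"DC01","class":"auth","user":"alice","src_ip":"10.1.2.3","action":"logon","outcome":"success","session":"s1"}',
    '{"ts":"2026-05-07T16:25:44Z","host":"DC01","class":"auth","user":"bob","src_ip":"10.1.2.9","action":"logoff","outcome":"success","session":"s9"}',
    '{"ts":"2027-01-01T00:00:00Z","host":"DC01","class":"auth","user":"carol","src_ip":"10.1.2.4","action":"logon","outcome":"success","session":"s2"}',
    '{"ts":"2026-05-07T16:26:10Z","host":"DC01","class":"auth","user":"dave","action":"logon","outcome":"failure","session":"s3"}',
    '{"ts":"2026-05-07T16:27:00Z","host":"DC01","class":"auth","user":"erin","src_ip":"10.1.2.5","act',
]
RECEIVED_AT = datetime(2026, 5, 7, 16, 30, tzinfo=timezone.utc)   # when the batch arrived
MAX_FUTURE_SKEW = timedelta(minutes=5)                             # tolerated clock drift


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate(lines, policy=POLICY, received_at=RECEIVED_AT):
    """Check a batch against the policy; returns a list of (check, detail) findings.

    An empty list means the batch looks like reality: every line parses, carries
    the fields the policy demands, sits in the past, closes only sessions it
    opened, and every source the policy expects has actually reported.
    """
    findings, events = [], []
    for n, line in enumerate(lines, 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            findings.append(("truncated_or_malformed", f"line {n}"))
            continue
        events.append(ev)
        required = policy["required_fields"].get(ev.get("class"), set())
        missing = sorted(required.difference(ev))
        if missing:
            findings.append(("missing_fields", f"line {n}: {missing}"))
        if "ts" in ev and operator.gt(parse_ts(ev["ts"]) - received_at, MAX_FUTURE_SKEW):
            findings.append(("timestamp_in_future", f"line {n}: {ev['ts']}"))

    # Session consistency: a logoff the SIEM never saw a logon for means the
    # logon path is not being collected, not that the user never logged on.
    opened = {ev.get("session") for ev in events if ev.get("action") == "logon"}
    for ev in events:
        if ev.get("action") == "logoff" and ev.get("session") not in opened:
            findings.append(("logoff_without_logon", f"session {ev.get('session')} user {ev.get('user')}"))

    # Coverage: a schema never complains about a log type that is never sent;
    # only the policy's expectations can flag a silent source.
    observed = {}
    for ev in events:
        observed.setdefault(ev.get("host"), set()).add(ev.get("class"))
    for host, classes in policy["expected_sources"].items():
        for cls in sorted(classes.difference(observed.get(host, set()))):
            findings.append(("expected_source_silent", f"{host}: no {cls} events"))
    return findings


if __name__ == "__main__":
    for check, detail in validate(SAMPLE_LINES):
        print(f"{check:24} {detail}")
```

Run as a scheduled job per source and batch, each finding is a ticket for the log owner rather than an alert for the SOC; the value is that detection engineers can see, before writing a rule, whether the telemetry the rule depends on is actually arriving intact.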
        
        <vevent>
            <method>PUBLISH</method>
            <uid>C93MZK@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-C93MZK</pentabarf:event-slug>
            <pentabarf:title>The whistles go woo woo: SIEM alerts, threat detection and tuning unnecessary noise</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T170000</dtstart>
            <dtend>20260507T174000</dtend>
            <duration>004000</duration>
            <summary>The whistles go woo woo: SIEM alerts, threat detection and tuning unnecessary noise</summary>
            <description>When the whistles go woo woo:
I typically like to start my presentation with a short story, a news article or some known fact and correlate it to the main topic.

In the early 2000s, residents in Seattle started complaining about a strange problem: cars driving through neighborhoods late at night, fitted with exhaust whistles so loud they could wake an entire block. 
When asked about the noise, one explanation stuck: the whistles go &quot;woo woo&quot;… but only in the morning. The noise wasn’t dangerous, but it was constant, badly timed, and impossible to ignore.
Twenty years later, many security teams are dealing with the same problem, just with SIEM alerts instead of cars. If this feels familiar, it should. Many SIEMs do the exact same thing: alerts firing constantly, without timing or context, until everything sounds urgent and nothing actually is.

Wait, what are we doing here?
Brief explanation of contextual alerting for SIEM implementations.

Drawing parallels:
Noisy SIEMs vs the Whistles

Okay, but how does a SIEM obtain data:
Log collection and aggregation

How do I know what I want my SIEM to alert me on?
Knowing what you want your SIEM to alert on starts with understanding what actually requires action. Alerts are not meant to document everything that happens in an environment, they exist to interrupt you when something needs attention. If an alert does not change a decision, a response, or a priority, it probably does not need to exist.

	- Unusual or anomalous behavior
	- Known IOCs
	- Signs of Privesc or lateral movement
	- Indicators of Data exfil
	- Repeated or unsuccessful actions.
	- Unusual application activity
	- Endpoint behavior
	- Compliance violations
	- Threat hunting
	

When alerts stop being alerts:

	• Alerts aren&#x27;t ignored because analysts are lazy
	• They’re ignored because everything fires
	• When every event is &quot;urgent&quot; nothing actually is
	• Noise trains people to stop reacting.
	• American Horror Story: MSSP - sharing a story of when I worked for an MSSP and I saw some awful things with SIEM alerting.

Timing Matters More Than You Think
	• Alerts without time context are misleading
	• Expected behavior during business hours ≠ malicious at 3 a.m.
	• The same signal can mean very different things depending on when it happens

Key learning:
When an alert fires is part of the detection logic, not an afterthought.

Throttle the noise before you add more alerts
	• Repeated alerts for the same behavior don&#x27;t increase security
	• They just increase annoyance
	• Throttling prevents the SIEM from screaming about the same thing every five minutes

Examples: 
	• &quot;Alert once per user per time window&quot;
	• &quot;Suppress repeats unless behavior changes&quot;
	• &quot;Escalate only if it keeps happening&quot;


Context turns noise into signal
	• Raw events are not the same as actionable alerts
	• Alerts need:
		○ user context
		○ system role
		○ expected behavior
		○ related activity
Without context:
Everything looks suspicious.
With context:
You know what actually matters.


Designing your SIEM alerts:
	- Focus on high risk scenarios
	- Tune alerts over time
	- Use correlation rules
	- Threat intelligence is your bestie
	- Context is key


Alert prioritization:

Alert prioritization isn&#x27;t about deciding what’s &quot;important&quot; on paper, it&#x27;s about deciding what deserves attention right now. When everything is marked high priority, teams stop trusting the system. Good prioritization accepts that not all alerts are equal, and that urgency depends on timing, context, and impact. A SIEM that understands this doesn&#x27;t shout, it speaks when it actually matters.
	- Critical: Imminent high impact threat such as ransomware or a data breach.
	- High: Potential impact on core business operation or sensitive systems and direct evidence of malicious activity.
	- Medium: Unusual activity that could potentially be a threat
	- Low: Minor issue, security violation or potential false positive.


What logs do I need?

Deciding what logs you need is not about collecting everything, it is about collecting what helps you answer questions later. Logs should support detection, investigation, and response, not just exist for visibility. When logging is intentional, alerts become easier to design and noise becomes easier to control.

1. Windows Logs
2. Network Logs
4. Endpoint Detection and Response (EDR) Logs
5. Identity and Authentication Logs
6. Threat Intelligence Logs
7. Compliance and Audit Logs


Scrum for SIEM maintenance:

Knowing what you want your SIEM to alert on is not a one-time decision, it is an ongoing process. Environments change, attackers change, and so does what actually deserves attention. Treating SIEM maintenance like a sprint forces teams to regularly ask what worked, what created noise, and what genuinely helped detect risk. Instead of reacting to every alert, the focus shifts to continuously refining what is worth waking someone up for.

	- Define your scrum team (owner, scrum master and development team. Yes, it all applies even if it&#x27;s not a software development environment).
	- Create a &quot;product backlog&quot; (actionable items).
	- Sprint planning (high risk priority tasks).
	- Daily stand ups (share updates).
	- Sprint Review (showcase deliverables).</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/C93MZK/</url>
            <location>IFEN room 1, Workshops and Detection Engineering village (Building D)</location>
            
            <attendee>Melina Phillips</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>QJN3VK@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-QJN3VK</pentabarf:event-slug>
            <pentabarf:title>From Manual Hunt to Mass Detection: Weaponising Nuclei Against Phishing</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T174000</dtstart>
            <dtend>20260507T181000</dtend>
            <duration>003000</duration>
            <summary>From Manual Hunt to Mass Detection: Weaponising Nuclei Against Phishing</summary>
            <description>Phishing remains the dominant attack vector, yet detecting malicious sites at scale continues to challenge security teams. This talk demonstrates how open-source automation can transform phishing detection from a manual, reactive process into a scalable, proactive capability.

I developed and contributed 120+ phishing detection templates to the Nuclei project, enabling security teams worldwide to identify phishing sites impersonating major brands across thousands of hosts in seconds. In this session, I want to share this technique with attendees, covering the detection methodology, template creation, and practical applications for threat intelligence and OSINT research.

A live demonstration will showcase the approach in action, and attendees will leave with the knowledge to build their own detection capabilities using freely available tools.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/QJN3VK/</url>
            <location>IFEN room 1, Workshops and Detection Engineering village (Building D)</location>
            
            <attendee>Rishi (@rxerium)</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>Q7CEUD@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-Q7CEUD</pentabarf:event-slug>
            <pentabarf:title>AI and Cryptography for Evasive Malware</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T090000</dtstart>
            <dtend>20260507T093500</dtend>
            <duration>003500</duration>
            <summary>AI and Cryptography for Evasive Malware</summary>
            <description>Modern EDR and XDR solutions have moved the goalposts. Static signatures are a relic of the past; today’s fight is against behavioral telemetry and ML-driven heuristics. To survive on a target host, offensive tradecraft must evolve. This practice-oriented talk demonstrates how the convergence of Artificial Intelligence and non-standard Cryptography creates a &quot;thinking&quot; malware capable of adapting to Windows, Linux, and macOS environments.

We move beyond simple packing to explore a specialized Adversarial Dev Loop. By integrating lightweight LLMs and rare cryptographic primitives (Skipjack, Speck, Mars, Lucifer, Camellia), we demonstrate how to build malware that interviews its environment before revealing its true nature.

What you will learn through live demos and code analysis:
- The AI-Mutator Loop: How to use local AI agents to perform automated source-level polymorphism. I will demonstrate C/C++ code that rewrites its own logic, variable structures, and API resolution patterns for every new &quot;build,&quot; making hash-based and static ML detection impossible.

- Cross-Platform Residency: A deep dive into modern persistence - from macOS Dylib hijacking and WatchPaths to Linux eBPF-based hooks and Windows service subversion - all protected by Environmental Keying. I will show how payloads remain cryptographically sealed until AI-logic verifies the &quot;DNA&quot; of the target machine.

- Rare Crypto vs. Entropy Scanners: Why standard AES/ChaCha20 is a red flag. We will implement &quot;forgotten&quot; algorithms to bypass entropy-based detection and show how to use AI to generate &quot;Natural Language Steganography&quot; - hiding exfiltrated data inside AI-generated text that passes through Deep Packet Inspection (DPI) unnoticed.

- Breaking the Sandbox: Real-world examples of AI-driven sandbox detection. We demonstrate implants that exhibit &quot;benign mimicry&quot; when a virtualization artifact is detected, effectively poisoning the training data of automated sandboxes.

This talk isn&#x27;t about theoretical future threats; it&#x27;s about the weaponization of free, open-source AI models available today. Whether you are a Red Teamer looking to bypass top-tier EDRs or a Blue Teamer trying to understand the next wave of &quot;smart&quot; malware, you will leave with the C/C++ PoCs and forensic insights needed to operate in the age of the thinking malware.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/Q7CEUD/</url>
            <location>IFEN room 2, Workshops and AI Security Village  (Building D)</location>
            
            <attendee>cocomelonc</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>CDJP3Z@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-CDJP3Z</pentabarf:event-slug>
            <pentabarf:title>Death By Pickle: &quot;Python&#x27;s Betrayal ML&quot;</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T093500</dtstart>
            <dtend>20260507T101500</dtend>
            <duration>004000</duration>
            <summary>Death By Pickle: &quot;Python&#x27;s Betrayal ML&quot;</summary>
            <description>In The Matrix, Neo learns Kung Fu through an upload. In ML, pickle files let models &#x27;learn&#x27; similarly. But what if Agent Smith tampered with the module? That&#x27;s what&#x27;s happening in pickle files—malicious code can sneak in. This talk covers the threat and detection techniques. You’ll KNOW Kung Fu!</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/CDJP3Z/</url>
            <location>IFEN room 2, Workshops and AI Security Village  (Building D)</location>
            
            <attendee>Kadi McKean</attendee>
            
            <attendee>Frithjof Hoffmann</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>YTUTGD@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-YTUTGD</pentabarf:event-slug>
            <pentabarf:title>What Does Threat Modeling Solve for AI Security?</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T103500</dtstart>
            <dtend>20260507T111500</dtend>
            <duration>004000</duration>
            <summary>What Does Threat Modeling Solve for AI Security?</summary>
            <description>0–5 min : Context setting: Where AI really fits in the SDLC

The session starts by clarifying a frequent source of confusion: securing AI versus using AI for security. Using concrete system examples, I explain how AI is introduced into existing architectures and why it increases coupling between data, identity, APIs, and business workflows. The goal is to ground the audience in a system-level view before discussing threats. This section is fully accessible to beginners and does not assume prior AI security knowledge.

5–10 min : Why AI Feels Destabilizing at System Level

This section explains why AI adoption often makes risk harder to reason about. AI does not introduce chaos by itself; it amplifies risk across an already uncontrolled attack surface. Using visual system comparisons, I show how adding AI components increases the blast radius of existing weaknesses (identity, APIs, data access, monitoring gaps). The key objective is to shift beginners away from “AI-specific threats” toward ecosystem-level risk thinking.

10–20 min : Scenario 1 (Technical Track): Testing Without Knowing Why

The first main scenario focuses on a realistic AI-driven e-commerce system where an ML recommendation engine directly impacts revenue. I walk through a common security dilemma: a limited pentesting budget with no shared understanding of what actually matters.
Step by step, I introduce a lightweight threat modeling approach:

- drawing a simple system diagram,
- identifying threat actors,
- reasoning in layers (Matryoshka-style): supply chain, network/APIs, identity, crown jewels, and mapping attack paths to business impact.

This leads to a concrete outcome: a risk-driven pentesting strategy that clearly differentiates deep testing, standard testing, and low-return testing areas. Beginners see how threat modeling directly informs technical decisions instead of producing abstract documentation.

20–30 min : Scenario 2 (Framework Track): Threat Modeling as a Compliance Validator

The second scenario shifts focus to compliance and governance challenges. I present a situation where multiple teams claim compliance (secure coding, code reviews, pentests), yet cannot demonstrate why controls are effective.

Using an ISO 27001 control (secure coding), I show how threat modeling reframes the question from “do we have this control?” to “where would insecure code actually hurt us?”. A concrete threat scenario is built around an input processing service in front of an ML model, illustrating how business-impacting abuse can occur even when traditional controls exist.

This logic is then extended to broader regulatory expectations (AI Act, NIS2): threat modeling provides a structured way to justify controls, expose blind spots (e.g., missing abuse-case testing or decision integrity checks), and explain partial compliance in a defensible manner.

30–35 min : Key Takeaways and Practical Guidance

I conclude by explicitly tying both tracks together. The same threat model supports: technical security decisions (what to test, where to invest effort), and compliance justification (why controls exist and what risk they mitigate).

The final takeaways focus on what beginners can apply immediately: modeling change rather than entire systems, prioritizing reachable attack paths, and using threat modeling as a living practice rather than a one-time deliverable.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/YTUTGD/</url>
            <location>IFEN room 2, Workshops and AI Security Village  (Building D)</location>
            
            <attendee>Nathan Pembe</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>GLKSMY@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-GLKSMY</pentabarf:event-slug>
            <pentabarf:title>Talk to a Shell : Exploiting AI agent in Real Time</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T133000</dtstart>
            <dtend>20260507T140000</dtend>
            <duration>003000</duration>
            <summary>Talk to a Shell : Exploiting AI agent in Real Time</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/GLKSMY/</url>
            <location>IFEN room 2, Workshops and AI Security Village  (Building D)</location>
            
            <attendee>Parth Shukla</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>LBYZCG@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-LBYZCG</pentabarf:event-slug>
            <pentabarf:title>Teaming, Trust, and Threats: How Humans Interact with Generative AI in Security</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T140000</dtstart>
            <dtend>20260507T144000</dtend>
            <duration>004000</duration>
            <summary>Teaming, Trust, and Threats: How Humans Interact with Generative AI in Security</summary>
            <description>In this talk, I will present research in Human-Computer Interaction focusing on how people use Generative AI technologies like ChatGPT, Google&#x27;s Gemini, and Anthropic&#x27;s Claude in cybersecurity contexts. This will begin with background in computational cognitive modeling, and how it is related to cybersecurity in my research. Next, I will describe my past research into how these models of human learning map onto designing better AI systems for anti-phishing social engineering training and network analysis recommendations. Finally, I will discuss my current and future research in human interaction with LLM agents applied to software engineering and spear-phishing website generation.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/LBYZCG/</url>
            <location>IFEN room 2, Workshops and AI Security Village  (Building D)</location>
            
            <attendee>Tailia Malloy</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>QW3PJK@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-QW3PJK</pentabarf:event-slug>
            <pentabarf:title>The Agents of Chaos: AI Driven Malware Generation</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T144000</dtstart>
            <dtend>20260507T152000</dtend>
            <duration>004000</duration>
            <summary>The Agents of Chaos: AI Driven Malware Generation</summary>
            <description>Modern AI systems have moved far beyond rule-based automation and are now capable of generating complex, functional software. While most discussions focus on productivity benefits like code generation and vibe coding, the same capabilities can also be applied to offensive security. This session explores a research project that examines how AI models can be orchestrated to autonomously generate new malware samples, and what this means for both attackers and defenders.

The talk focuses on understanding the process and experimentation space behind AI-driven malware generation: how model behavior changes depending on prompts, model selection, validation workflows, and code restructuring techniques.

The main things that are explored in the presentation:

**Prompt design and task framing (what the model is asked to do)**
Directly asking a model to write ransomware often fails due to safety controls or poor results. By reframing tasks, such as generating behavioral descriptions first and then implementing them in code, it becomes possible to produce working implementations while avoiding many common failure modes.

**Model selection and orchestration (which models do what)**
Different models excel at different tasks. The agent combines uncensored local models for unrestricted generation, stronger coding models for fixes, and remote models for validation. This multi-model approach improves reliability compared to relying on a single model.

**Automated generation and validation loops (ensuring working output)**
Generated code is automatically compiled, tested, and fed back into models when errors occur. This loop allows the system to fix compilation issues, improve functionality, and rely on working samples without manual intervention.

**Code diversity and detection evasion (how “new” samples are created)**
By allowing models to choose different implementations, encryption methods, structures, and even programming languages, each generated sample can look structurally different while doing relatively the same task.

**Feature expansion (beyond basic malware behavior)**
When prompted appropriately, models sometimes add additional behaviors such as persistence, system discovery, evasion checks, or data exfiltration attempts, demonstrating how AI can generate increasingly complex malware variants.

What can you gain from this

- A practical view of how AI models can be chained together to generate functional malware samples.

- An understanding of how prompts, model choice, and validation workflows affect output reliability and detectability.

- A framework that researchers and defenders can use to generate diverse samples for testing detection systems.

While the presentation uses ransomware generation as the running example, the broader takeaway is about how generative AI changes the scale and variability of offensive tooling, and how the same techniques can also be leveraged by defenders to strengthen security systems.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/QW3PJK/</url>
            <location>IFEN room 2, Workshops and AI Security Village  (Building D)</location>
            
            <attendee>Arad Donenfeld</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>TGFQH9@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-TGFQH9</pentabarf:event-slug>
            <pentabarf:title>When LLMs Summarize Security Findings: The Tradeoffs You Can’t Ignore</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T154000</dtstart>
            <dtend>20260507T162000</dtend>
            <duration>004000</duration>
            <summary>When LLMs Summarize Security Findings: The Tradeoffs You Can’t Ignore</summary>
            <description>Security teams routinely face large vulnerability assessment reports that are rich in detail but hard to operationalize. LLMs look promising for making this information accessible, yet outcomes vary wildly: some summaries are crisp and helpful; others are vague, incomplete, or subtly inaccurate. This session is a research-driven tour of *why* that happens and *what you can control*.

The talk is not a “ship this to production tomorrow” story. It is a guide to the experimentation landscape - using vulnerability findings as an illustrative workload - focused on the knobs you can tune and the behaviors you should expect.

### The core idea: treat LLM summarization as a system with controllable parameters

We’ll explore six major knob categories:

1. Task framing (what “good” means)
    
If you don’t specify the purpose (e.g., executive risk overview vs. remediation triage vs. compliance-oriented highlights), the model will invent its own. We’ll discuss how tight vs. broad goals change output specificity and risk of omission.
    
2. Output constraints (how the answer must behave)
    
Word limits, required sections, citation/evidence requirements, and “no new facts” rules are not cosmetics—they change error rates and the model’s tendency to hedge or hallucinate.
    
3. Input shaping (what the model actually sees)
    
The strongest lever is often preprocessing: deduplicating repetitive data, normalizing fields, extracting key evidence, compressing large reports into context-friendly representations, and moving deterministic operations (like counting/grouping) outside the model. This reduces failure modes and makes evaluation meaningful.
    
4. Model selection (speed, cost, and capability)
    
Different models fail in different ways. We’ll cover the practical implications of choosing “fast enough” versus “best possible” and what quality typically degrades first when you optimize for latency/cost.
    
5. Evaluation and judging (how you know it improved)
    
“Looks good to me” does not scale. We’ll outline a lightweight evaluation harness: a rubric that scores faithfulness, completeness, specificity, and usefulness; repeated runs to check consistency; and a structured judging approach to compare variants.
    
6. Iteration strategy (how you converge)
    
Prompt iteration works best when grounded in measurements. We’ll show a “vibe coding” loop that’s still research-minded: change one knob, rerun tests, observe shifts in failure modes, then decide whether the tradeoff is acceptable for the goal.    

### What attendees will take away

- A mental model of the main knobs available when applying LLMs to security summarization tasks
- Predictable “what happens when you turn it” patterns (which tweaks usually help, which create new failure modes)
- A repeatable experimentation framework for comparing prompts/models/input formats under real constraints
- A clear tradeoff map: reliability vs. speed vs. cost, plus the engineering consequences of tighter coupling to input structures

While vulnerability assessment results are the running example, the approach generalizes to other security contexts: incident write-ups, alert triage digests, control evidence summaries, and executive reporting.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/TGFQH9/</url>
            <location>IFEN room 2, Workshops and AI Security Village  (Building D)</location>
            
            <attendee>Andrey Lukashenkov</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>D3T9SA@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-D3T9SA</pentabarf:event-slug>
            <pentabarf:title>Making a risk-informed LLM choice</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T162000</dtstart>
            <dtend>20260507T170000</dtend>
            <duration>004000</duration>
            <summary>Making a risk-informed LLM choice</summary>
            <description>Every LLM has risks, from malicious content generation to jailbreak, injection, misinformation and more. In this session, we&#x27;ll discuss the approach that we used for categorizing the risk levels of the most popular LLMs that are available for application developers on the leading cloud platforms. We&#x27;ll explain:

    What tools we used to do this testing
    How we use those tools
    What categories of problems we&#x27;re able to identify
    How we turn the problems into understandable risk for developers and security practitioners to use for making decisions on which LLMs to adopt</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/D3T9SA/</url>
            <location>IFEN room 2, Workshops and AI Security Village  (Building D)</location>
            
            <attendee>Jeremy Snyder</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>F7UGVL@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-F7UGVL</pentabarf:event-slug>
            <pentabarf:title>Oh Shit I Accidentally Breached an Organization (or many) using AI</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T170000</dtstart>
            <dtend>20260507T174000</dtend>
            <duration>004000</duration>
            <summary>Oh Shit I Accidentally Breached an Organization (or many) using AI</summary>
            <description>During this session we are going to learn how we can weaponize AI for OSINT campaigns, how it can be used/abused by adversaries to perform spear phishing attacks (using the previously mentioned OSINT as a basis). We are going to talk about operational security considerations when weaponizing AI.
During this talk we are going to wear a purple hat by viewing the perspective of both an adversary and a defender.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/F7UGVL/</url>
            <location>IFEN room 2, Workshops and AI Security Village  (Building D)</location>
            
            <attendee>Panagiotis Fiskilis</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>HY3QBJ@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-HY3QBJ</pentabarf:event-slug>
            <pentabarf:title>AI Security village - technical training and implementation</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T133000</dtstart>
            <dtend>20260507T180000</dtend>
            <duration>043000</duration>
            <summary>AI Security village - technical training and implementation</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Village, 2d (2days x 8h)</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/HY3QBJ/</url>
            <location>IFEN room 3 Workshops and AI Security Village (Building D)</location>
            
            <attendee>Parth Shukla</attendee>
            
            <attendee>Nagarjun Rallapalli</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>YGC7EA@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-YGC7EA</pentabarf:event-slug>
            <pentabarf:title>Dismantle The Bomb</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T100000</dtstart>
            <dtend>20260507T120000</dtend>
            <duration>020000</duration>
            <summary>Dismantle The Bomb</summary>
            <description>Dismantle the bomb by performing different tasks. The tasks will include:
- Solving ciphers
- Being genuine with a special flashlight
- Lock picking
- Making a key with a Lishi tool
- ...</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop 2h</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/</url>
            <location>Workshops May 6th, Speaker&#x27;s room May 7+8th (C1.02.13)</location>
            
            <attendee>Stijn Tomme</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>YGC7EA@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-YGC7EA</pentabarf:event-slug>
            <pentabarf:title>Dismantle The Bomb</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T133000</dtstart>
            <dtend>20260507T153000</dtend>
            <duration>020000</duration>
            <summary>Dismantle The Bomb</summary>
            <description>Dismantle the bomb by performing different tasks. The tasks will include:
- Solving ciphers
- Being genuine with a special flashlight
- Lock picking
- Making a key with a Lishi tool
- ...</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop 2h</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/</url>
            <location>Workshops May 6th, Speaker&#x27;s room May 7+8th (C1.02.13)</location>
            
            <attendee>Stijn Tomme</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>YGC7EA@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-YGC7EA</pentabarf:event-slug>
            <pentabarf:title>Dismantle The Bomb</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T160000</dtstart>
            <dtend>20260507T180000</dtend>
            <duration>020000</duration>
            <summary>Dismantle The Bomb</summary>
            <description>Dismantle the bomb by performing different tasks. The tasks will include:
- Solving ciphers
- Being genuine with a special flashlight
- Lock picking
- Making a key with a Lishi tool
- ...</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop 2h</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/</url>
            <location>Workshops May 6th, Speaker&#x27;s room May 7+8th (C1.02.13)</location>
            
            <attendee>Stijn Tomme</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>A7AXTC@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-A7AXTC</pentabarf:event-slug>
            <pentabarf:title>SPOT - Spear-Phishing Overwatching Tool</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T103500</dtstart>
            <dtend>20260507T111500</dtend>
            <duration>004000</duration>
            <summary>SPOT - Spear-Phishing Overwatching Tool</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/A7AXTC/</url>
            <location>Workshops and Stage - Design Space (C1.05.12)</location>
            
            <attendee>Pauline Bourmeau (Cookie)</attendee>
            
            <attendee>William Robinet</attendee>
            
            <attendee>Thibaut Diels</attendee>
            
            <attendee>Mathieu Fourcroy</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>VENKPF@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-VENKPF</pentabarf:event-slug>
            <pentabarf:title>Mapping the Invisible: Why System Cartography Matters for Security and Compliance</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T112000</dtstart>
            <dtend>20260507T120000</dtend>
            <duration>004000</duration>
            <summary>Mapping the Invisible: Why System Cartography Matters for Security and Compliance</summary>
            <description>This talk introduces these concepts through [Mercator](https://www.github.com/dbarzin/mercator), an open-source tool designed to map and visualize complex infrastructures. Mercator transforms data from existing sources (CMDB, inventories, scans) into interactive diagrams that help bridge the gap between technical visibility and strategic security management.

Rather than a technical demo, this 40-minute session offers a conceptual overview of how cartography supports risk management, incident response, and regulatory compliance, turning architecture into a living asset for cybersecurity.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/VENKPF/</url>
            <location>Workshops and Stage - Design Space (C1.05.12)</location>
            
            <attendee>Didier Barzin</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>NQDVUB@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-NQDVUB</pentabarf:event-slug>
            <pentabarf:title>Cloud Misconfigurations: Poke Poke, Breach</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T133000</dtstart>
            <dtend>20260507T141000</dtend>
            <duration>004000</duration>
            <summary>Cloud Misconfigurations: Poke Poke, Breach</summary>
            <description>Cloud security has become very good at finding problems after they ship. Scanners run. Dashboards glow. Tickets multiply. Meanwhile, attackers stroll in through configurations that technically “passed” review. In 2026, misconfigurations still understand how to ruin everyone’s day, not because teams don’t care, but because cloud complexity has officially outrun human attention.

This session opens with the 2026 hierarchy of cloud misconfigurations, grounded in late-2025 and early-2026 breach data rather than folklore:

- Identity and entitlement overreach as the new breach starter pistol
- SaaS and API integrations quietly bypassing MFA, logging, and common sense
- Storage exposure that survived provider guardrails via authenticated access and CDNs
- Shadow environments and abandoned IaC resources that never got the security memo

From there, I stop poking the fluffy cloud creature and wondering why it bites back. Using the Guardrail Strategy and Policy as Code, security rules become executable laws of physics inside CI/CD pipelines. Public buckets fail builds. Admin-level service accounts get denied. Secrets never make it into source control. Production click-ops quietly undo themselves like a bad idea sobering up.

I’ll then introduce the Toxic Trilogy: cloud assets that are publicly exposed, highly privileged, and critically vulnerable. PaC’s real power in 2026 is context. By evaluating how these risks overlap, policies don’t just find problems, they prevent entire breach classes from ever existing.

The result is faster delivery, fewer incidents, and security that finally keeps up with cloud speed without becoming the team everyone avoids on Slack.

Key Takeaways

- Identify the top cloud misconfiguration patterns of 2026 based on real breach data
- Understand why identity and API integrations now outrank storage as breach drivers
- Recognize the Toxic Trilogy and why its overlap predicts breaches with scary accuracy
- Explain how Policy as Code shifts security from detection to prevention
- Apply a policy-first workflow to block risky cloud deployments before production
- Reduce misconfiguration risk without slowing developers or drowning in tickets</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/NQDVUB/</url>
            <location>Workshops and Stage - Design Space (C1.05.12)</location>
            
            <attendee>Kat Fitzgerald</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>ABKXN7@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-ABKXN7</pentabarf:event-slug>
            <pentabarf:title>In The Wild Cloud Exfiltration Paths You Might Not Expect</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T141000</dtstart>
            <dtend>20260507T145000</dtend>
            <duration>004000</duration>
            <summary>In The Wild Cloud Exfiltration Paths You Might Not Expect</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/ABKXN7/</url>
            <location>Workshops and Stage - Design Space (C1.05.12)</location>
            
            <attendee>Tomas Kabrt</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>AYMPND@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-AYMPND</pentabarf:event-slug>
            <pentabarf:title>Cloud Sovereignty</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T145000</dtstart>
            <dtend>20260507T152000</dtend>
            <duration>003000</duration>
            <summary>Cloud Sovereignty</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/AYMPND/</url>
            <location>Workshops and Stage - Design Space (C1.05.12)</location>
            
            <attendee>Catalin Tiganila</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>YH7DVE@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-YH7DVE</pentabarf:event-slug>
            <pentabarf:title>Leaky API Keys, Log Tampering, and Account Takeover</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T154000</dtstart>
            <dtend>20260507T162000</dtend>
            <duration>004000</duration>
            <summary>Leaky API Keys, Log Tampering, and Account Takeover</summary>
            <description>The talk will cover common techniques to upload client-side logs to AWS S3 buckets, integrations with third-party database services like Supabase, and server technologies commonly used for financial data processing, all of which result in leaked API keys when misconfigured. Three distinct vulnerabilities will be demonstrated, each showcasing different variations of the core anti-patterns in multiple contexts. Attendees can expect to receive a structured framework for understanding how these flaws manifest across different technologies. The session will conclude with a comprehensive discussion of targeted fixes that address the root causes of the anti-pattern. It will move beyond surface-level patches to implement architectural solutions that prevent entire classes of similar vulnerabilities. These remediation strategies will include both immediate tactical fixes and longer-term architectural improvements that strengthen overall system security posture.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/YH7DVE/</url>
            <location>Workshops and Stage - Design Space (C1.05.12)</location>
            
            <attendee>Aleksa Zatezalo</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>VEEKAR@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-VEEKAR</pentabarf:event-slug>
            <pentabarf:title>Infostealer Emulation: Validating Detection of Credential Theft</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T162000</dtstart>
            <dtend>20260507T170000</dtend>
            <duration>004000</duration>
            <summary>Infostealer Emulation: Validating Detection of Credential Theft</summary>
            <description>Outline:

Introduction: The Infostealer Epidemic
Infostealer TTPs (8 min)
Browser data, keylogging, clipboard, LSASS
DEMO: Browser Credential Theft Emulation (12 min)
DEMO: Keylogger Simulation (8 min)
DEMO: Credential Dumping (LSASS Access) (10 min)
DLP &amp; Network Monitoring Validation (7 min)
Q&amp;A (5 min)</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/VEEKAR/</url>
            <location>Workshops and Stage - Design Space (C1.05.12)</location>
            
            <attendee>Filipi Pires</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>SWS9NQ@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-SWS9NQ</pentabarf:event-slug>
            <pentabarf:title>Unraveling Failure - Lessons from an Avoidable Ransomware Attack</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T103500</dtstart>
            <dtend>20260507T111500</dtend>
            <duration>004000</duration>
            <summary>Unraveling Failure - Lessons from an Avoidable Ransomware Attack</summary>
            <description>Ransomware is no longer an abstract IT risk; it is an operational crisis. This talk presents a real-life ransomware attack against a large, non-IT industrial company where cybersecurity was not considered a business priority.

Through a chronological breakdown of the incident, we explore how a single phishing email escalated into a full IT blackout, shutting down operations, disrupting production, and paralyzing the business for months. The session focuses on incident management under pressure and the failure and rebuilding of the Business Continuity Plan.

Attendees will gain an inside view of:

- What actually happens during a ransomware attack, beyond theory and frameworks
- How organizational mindset and management decisions amplify impact
- Why missing “basic” security controls turn incidents into disasters
- Practical lessons learned during recovery and transformation

This talk is based on a real case, previously presented at BSides Chișinău and BSides Cluj (you can have feedback from the organizers if needed), and is aimed at both technical and non-technical audiences who want to understand ransomware from a business-impact perspective, not just a technical one.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/SWS9NQ/</url>
            <location>Workshops and Stage - Gernsback (C1.05.02)</location>
            
            <attendee>Mihai Tutulan</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>E7WLHY@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-E7WLHY</pentabarf:event-slug>
            <pentabarf:title>From CAN Frames to Corporate Firewalls: Life of an Automotive Security Researcher</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T112000</dtstart>
            <dtend>20260507T120000</dtend>
            <duration>004000</duration>
            <summary>From CAN Frames to Corporate Firewalls: Life of an Automotive Security Researcher</summary>
            <description>One major challenge in automotive security is that hardware changes are often restricted due to cost, certification, and production constraints. As a result, many security mitigations must be implemented at the firmware or software level.
Real-world case studies will be shared to demonstrate how fraud and attacks occur in connected vehicle ecosystems, including device spoofing, firmware tampering, GPS manipulation, and backend abuse. In manufacturing environments, even short security incidents can halt production lines, causing significant financial impact, highlighting why automotive cybersecurity is critical infrastructure protection.

I will also reflect on the difference between being a hardware hacker and working in corporate security environments where responsible disclosure, risk management, and compliance are essential alongside technical skills.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/E7WLHY/</url>
            <location>Workshops and Stage - Gernsback (C1.05.02)</location>
            
            <attendee>Hrishikesh Somchatwar</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>LW9DDS@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-LW9DDS</pentabarf:event-slug>
            <pentabarf:title>Trust and Traceability: developer observability in the AI powered SDLC</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T133000</dtstart>
            <dtend>20260507T141000</dtend>
            <duration>004000</duration>
            <summary>Trust and Traceability: developer observability in the AI powered SDLC</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/LW9DDS/</url>
            <location>Workshops and Stage - Gernsback (C1.05.02)</location>
            
            <attendee>Omar Rachid</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>XMJTXP@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-XMJTXP</pentabarf:event-slug>
            <pentabarf:title>Managing Uninvited Guests: Securing Open Source Dependencies</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T141000</dtstart>
            <dtend>20260507T144500</dtend>
            <duration>003500</duration>
            <summary>Managing Uninvited Guests: Securing Open Source Dependencies</summary>
            <description>Open source is like a house party—everyone’s invited. But dependency hell is that friend-of-a-friend-of-a-friend who puts a hole in the wall. One rogue package can take down your whole project. Learn how to spot and block unwanted guests before they trash your software supply chain.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/XMJTXP/</url>
            <location>Workshops and Stage - Gernsback (C1.05.02)</location>
            
            <attendee>Kadi McKean</attendee>
            
            <attendee>Frithjof Hoffmann</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>WDFHHV@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-WDFHHV</pentabarf:event-slug>
            <pentabarf:title>When Filenames Become Attack Surfaces: Weaponizing NASA’s CFITSIO Extended Filename Syntax</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T144500</dtstart>
            <dtend>20260507T152000</dtend>
            <duration>003500</duration>
            <summary>When Filenames Become Attack Surfaces: Weaponizing NASA’s CFITSIO Extended Filename Syntax</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/WDFHHV/</url>
            <location>Workshops and Stage - Gernsback (C1.05.02)</location>
            
            <attendee>Adrian Denkiewicz</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>7HCSG3@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-7HCSG3</pentabarf:event-slug>
            <pentabarf:title>Out of Security Exception - What to Do Without an Expert to Secure Your Software</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T154000</dtstart>
            <dtend>20260507T162000</dtend>
            <duration>004000</duration>
            <summary>Out of Security Exception - What to Do Without an Expert to Secure Your Software</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/7HCSG3/</url>
            <location>Workshops and Stage - Gernsback (C1.05.02)</location>
            
            <attendee>Lisi Hocke</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>QVEUXA@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-QVEUXA</pentabarf:event-slug>
            <pentabarf:title>Turnkey Code – Enhancing Secrets Management in Large Scale Organizations</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T162000</dtstart>
            <dtend>20260507T170000</dtend>
            <duration>004000</duration>
            <summary>Turnkey Code – Enhancing Secrets Management in Large Scale Organizations</summary>
            <description>This session will focus on the implementation, benefits, and challenges of building a scalable, open-source secrets scanning and management platform, designed to tackle a problem that is widely recognized but often ignored. I will start by describing the current state of secrets management in organizations: while most know exposed secrets are a serious risk, few have the processes, tooling, or awareness to handle them effectively. Existing scanners often produce too many false positives, lack context, or fail to integrate seamlessly into developer workflows, leaving teams frustrated and secrets at risk.

I will explain the motivation for creating Turnkey Code, emphasizing a passion for building practical solutions that are genuinely useful for other security engineers. Rather than buying a commercial tool, we approached the problem as a challenge: how to build a system that scales across repositories, integrates into CI/CD pipelines, and delivers actionable findings without overwhelming developers. I will cover the architecture, including scanning strategies, entropy-based detection, pattern rules, validation logic, and confidence scoring.

The session will also include a live demo, showing how the tool scans a real repository, identifies secrets, reduces false positives, and triages findings through dashboards. I will walk through automation workflows, integration with CI/CD, and how teams can track remediation and ownership. Throughout the talk, I will share lessons learned from deployment, including adoption hurdles, scaling challenges, and strategies for raising awareness about this underestimated risk.

Attendees will leave with practical knowledge of secrets management at scale, including actionable techniques, integration strategies, and access to an open-source tool they can use immediately. By sharing our approach, the session aims to raise awareness across the community, provide a repeatable method for handling secrets, and encourage engineers to build solutions that solve real problems.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/QVEUXA/</url>
            <location>Workshops and Stage - Gernsback (C1.05.02)</location>
            
            <attendee>Diogo Lemos</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>KRDZWR@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-KRDZWR</pentabarf:event-slug>
            <pentabarf:title>The Forgotten Fingerprint: DNS Based OSINT Techniques for Product &amp; Service Discovery</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260507T170000</dtstart>
            <dtend>20260507T173500</dtend>
            <duration>003500</duration>
            <summary>The Forgotten Fingerprint: DNS Based OSINT Techniques for Product &amp; Service Discovery</summary>
            <description>I will present a DNS-based OSINT methodology for uncovering products and services through large-scale TXT record scanning. This previously unpublished approach shows how certain TXT records reveal more than domain ownership or validation details, exposing the presence of third-party services and platforms. For example, entries like google-site-verification, MS=msXXXX, or vendor-specific SPF includes can highlight dependencies on Google Workspace, Microsoft 365, or other cloud services.

By analysing these records programmatically across large DNS zones, security teams can create detailed maps of an organisation’s technology stack and supply chain affiliations. This intelligence is invaluable for identifying weaknesses and understanding attack paths, providing defenders actionable context while showing the scale of information accessible to attackers.

I integrated this scanning technique into open-source tools including Nuclei and OWASP Amass. These enhancements let security professionals incorporate TXT record reconnaissance into broader asset discovery workflows, improving the depth and precision of enumeration efforts.

This talk features a real-world case study from the August–September 2025 Salesloft breach, where this method identified the Drift service across infrastructure. Attendees will gain practical tactics, reproducible methods, and tooling to strengthen assessments and apply actionable insights in real-world engagements.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/KRDZWR/</url>
            <location>Workshops and Stage - Gernsback (C1.05.02)</location>
            
            <attendee>Rishi (@rxerium)</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>3CLCMG@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-3CLCMG</pentabarf:event-slug>
            <pentabarf:title>Car Hacking Village</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T090000</dtstart>
            <dtend>20260508T120000</dtend>
            <duration>030000</duration>
            <summary>Car Hacking Village</summary>
            <description>The village includes a fully equipped setup featuring simulated vehicle networks, CAN bus tooling, instrument clusters, ECUs, and other automotive components. Attendees can:

- Interact with the CAN bus and observe how in-vehicle communication works
- Capture, analyze, and replay automotive network traffic
- Reverse engineer messages sent to various vehicle subsystems
- Craft spoofed signals to manipulate components such as instrument clusters
- Explore common vulnerabilities in today&#x27;s vehicle architectures
- Learn practical defensive considerations for securing automotive systems

All activities are guided and designed to be accessible to beginners while still offering depth for more experienced researchers.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Village, 2d (2days x 8h)</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/3CLCMG/</url>
            <location>Atrium (common area)</location>
            
            <attendee>Roald Nefs</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>3CLCMG@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-3CLCMG</pentabarf:event-slug>
            <pentabarf:title>Car Hacking Village</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T133000</dtstart>
            <dtend>20260508T180000</dtend>
            <duration>043000</duration>
            <summary>Car Hacking Village</summary>
            <description>The village includes a fully equipped setup featuring simulated vehicle networks, CAN bus tooling, instrument clusters, ECUs, and other automotive components. Attendees can:

- Interact with the CAN bus and observe how in-vehicle communication works
- Capture, analyze, and replay automotive network traffic
- Reverse engineer messages sent to various vehicle subsystems
- Craft spoofed signals to manipulate components such as instrument clusters
- Explore common vulnerabilities in today&#x27;s vehicle architectures
- Learn practical defensive considerations for securing automotive systems

All activities are guided and designed to be accessible to beginners while still offering depth for more experienced researchers.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Village, 2d (2days x 8h)</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/3CLCMG/</url>
            <location>Atrium (common area)</location>
            
            <attendee>Roald Nefs</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>9FGWWQ@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-9FGWWQ</pentabarf:event-slug>
            <pentabarf:title>Lockpicking Village</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T090000</dtstart>
            <dtend>20260508T120000</dtend>
            <duration>030000</duration>
            <summary>Lockpicking Village</summary>
            <description>There will be all sorts of lockpicking equipment available for you to practice, guided by our volunteers.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Village, 2d (2days x 8h)</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/9FGWWQ/</url>
            <location>Atrium (common room) 2</location>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>9FGWWQ@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-9FGWWQ</pentabarf:event-slug>
            <pentabarf:title>Lockpicking Village</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T133000</dtstart>
            <dtend>20260508T180000</dtend>
            <duration>043000</duration>
            <summary>Lockpicking Village</summary>
            <description>There will be all sorts of lockpicking equipment available for you to practice, guided by our volunteers.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Village, 2d (2days x 8h)</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/9FGWWQ/</url>
            <location>Atrium (common room) 2</location>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>X33JUT@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-X33JUT</pentabarf:event-slug>
            <pentabarf:title>Killing Killnet</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T090000</dtstart>
            <dtend>20260508T094000</dtend>
            <duration>004000</duration>
            <summary>Killing Killnet</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>KEYNOTE</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/X33JUT/</url>
            <location>Main Stage</location>
            
            <attendee>Alex Holden</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>89DT9B@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-89DT9B</pentabarf:event-slug>
            <pentabarf:title>Building a &quot;Mythos-ready&quot; Security Program</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T094000</dtstart>
            <dtend>20260508T102000</dtend>
            <duration>004000</duration>
            <summary>Building a &quot;Mythos-ready&quot; Security Program</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/89DT9B/</url>
            <location>Main Stage</location>
            
            <attendee>Catalin Tiganila</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>DGHXCG@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-DGHXCG</pentabarf:event-slug>
            <pentabarf:title>Why I Go to the Dark Web Every Day</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T104000</dtstart>
            <dtend>20260508T112000</dtend>
            <duration>004000</duration>
            <summary>Why I Go to the Dark Web Every Day</summary>
            <description>What do you need to know before going on the Dark Web? Preparation for the journey requires not only technical skills but also an understanding of Dark Web dynamics, linguistics, and social engineering.
Filled with practical examples of real-time exploitation of the threat actors on the Dark Web, we define a problem and start our journey.

As we travel along, we will identify meta-types of threat actors and actresses which we might encounter, discussing each type's skills and threat types. How to approach each one of them without giving yourself away. What are the possible gains and pitfalls? What drove these individuals to infamy, and how their misdeeds changed the threat landscape forever.

Finally, the lessons – know your enemy. Know your enemy&#x27;s weapons. Stop the threat actor = stop the crime.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/DGHXCG/</url>
            <location>Main Stage</location>
            
            <attendee>Alex Holden</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>UHLYXM@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-UHLYXM</pentabarf:event-slug>
            <pentabarf:title>Confound and Delay: Honeypot Chronicles from the Digital Battlefield</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T112000</dtstart>
            <dtend>20260508T120000</dtend>
            <duration>004000</duration>
            <summary>Confound and Delay: Honeypot Chronicles from the Digital Battlefield</summary>
            <description>Imagine being a digital beekeeper, setting up traps for cyber threats in some of the most unexpected places around the globe, from the frosty landscapes of Ukraine to the bustling tech hubs of Tokyo. Over the years, I’ve had the peculiar pleasure of watching bad actors stumble into these traps, often with the same grace as a bull in a china shop. This talk is less about the “how” and more about the “what-the-heck-just-happened” moments that have made this journey unforgettable. Buckle up for a rollercoaster ride through the wild world of global honeypots, where every server tells a story, and sometimes, that story is downright hilarious.

Introduction: Setting the Scene
- Brief overview of honeypots and their purpose in cybersecurity.
- Introduction to me: a globe-trotting security engineer with a knack for storytelling and a passion for cyber deception.
- A quick teaser of the countries covered.

The Global Honeypot Experience
- A World Tour of Cyber Threats:
- Overview of the countries where honeypots were deployed.
- Brief anecdotes about the unique cyber threats and attack patterns observed in each location.
- Cultural and Environmental Considerations:
- How local culture and internet infrastructure impact honeypot deployment.
- Humorous tales of language barriers, time zone mix-ups, and unexpected technical challenges.

Customizing Honeypots for Different Environments
- One Size Does Not Fit All:
- Detailed examples of how honeypots were tailored to mimic local systems and applications.
- Creative tweaks and customizations that improved effectiveness.
- Lessons from the Field:
- Success stories and failures that provided valuable insights.
- Practical tips for customizing honeypots in various environments.

Operational Challenges and Triumphs
- Keeping the Honeypots Buzzing:
- Maintenance and monitoring strategies that worked (and those that didn’t).
- Tools and technologies that proved invaluable.
- Handling the Unexpected:
- Funny and frustrating incidents, from unexpected downtime to bizarre attack vectors.
- Lessons on resilience and adaptability.

Analyzing and Responding to Attacks
- From Data to Defense:
- How the data collected from honeypots informed broader security strategies.
- Real-life examples of attacks thwarted thanks to honeypot intelligence.
- The Human Element:
- Stories of interacting with curious researchers, bemused sysadmins, and relentless attackers.
- The importance of community and collaboration in the cybersecurity landscape.

Key Takeaways and Future Directions
- Summing Up:
- Recap of the most important lessons learned from the global honeypot project.
- Actionable advice for those looking to implement or enhance their own honeypot strategies.
- Looking Ahead:
- Emerging trends in cyber deception and honeypot technology.
- Exciting new challenges and opportunities on the horizon.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/UHLYXM/</url>
            <location>Main Stage</location>
            
            <attendee>Kat Fitzgerald</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>MZLG9S@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-MZLG9S</pentabarf:event-slug>
            <pentabarf:title>Ransom-ISAC LOCK STAR Initiative</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T133000</dtstart>
            <dtend>20260508T134000</dtend>
            <duration>001000</duration>
            <summary>Ransom-ISAC LOCK STAR Initiative</summary>
            <description>Ransomware is a team sport — but defenders have never played like one. As the founder of Ransom-ISAC, I&#x27;ve spent years watching brilliant researchers do groundbreaking work in near-total obscurity — forensic timelines that cracked open major incidents, cryptocurrency tracing that followed the money to attribution, reverse engineering that exposed affiliate infrastructure — only for that knowledge to die in a private Slack channel or a closed incident report.

L.O.C.K. S.T.A.R. (Level of Critical Knowledge in Specialized Techniques on Advancements and Research) was built to fix that. It is Ransom-ISAC&#x27;s community-driven recognition and credentialing framework — think Michelin stars for ransomware expertise — designed to surface, validate, and amplify the work of the practitioners and researchers who are actually moving the needle in this fight.
This session will walk attendees through why the initiative exists, how it works, and what it means for the broader defender community. L.O.C.K. S.T.A.R. recognition can be earned across eight domains: Infrastructure, Negotiations, HUMINT, Cryptocurrency, DFIR, Reverse Engineering, AI, and Quantum.
 
Rather than treating hard-won knowledge as a proprietary asset, the framework creates structured pathways — through novel workflow writeups and actionable intelligence contributions — for experts to share what they know while receiving the formal recognition they deserve.

The goal is simple but ambitious: if we can lower the barriers to knowledge sharing across the ransomware defender community, we compress dwell time, accelerate response, and make the ecosystem measurably harder for threat actors to operate in. Attendees will leave understanding how to contribute, how to apply, and why community-led credentialing may be one of the most underutilized tools in the fight against ransomware.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/MZLG9S/</url>
            <location>Main Stage</location>
            
            <attendee>Ellis Stannard</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>GJTHDS@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-GJTHDS</pentabarf:event-slug>
            <pentabarf:title>How Secure is Secure Code Generation? Putting the LLMs to the Test</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T134000</dtstart>
            <dtend>20260508T134500</dtend>
            <duration>000500</duration>
            <summary>How Secure is Secure Code Generation? Putting the LLMs to the Test</summary>
            <description>In this talk, I would like to present two of my works that challenge the way we think about security in LLM-generated code. The first asks an uncomfortable question: do secure code generation methods actually work? Through a systematic adversarial audit, we show that current evaluation practices create a dangerous illusion of security, and methods that look robust on paper fall apart under simple, realistic prompt perturbations. The second uncovers a quieter but equally dangerous threat: LLMs that confidently recommend software packages that simply do not exist, giving attackers the perfect opportunity to register these fabricated names on open source registries and serve malicious payloads to unsuspecting developers, a practice known as slopsquatting. Together, these works reveal that the security of AI-assisted development is more fragile and more nuanced than the field currently acknowledges.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/GJTHDS/</url>
            <location>Main Stage</location>
            
            <attendee>Melissa TESSA</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>YQRGVT@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-YQRGVT</pentabarf:event-slug>
            <pentabarf:title>Lightning Talk: MISP Workbench</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T134500</dtstart>
            <dtend>20260508T135000</dtend>
            <duration>000500</duration>
            <summary>Lightning Talk: MISP Workbench</summary>
            <description>https://github.com/MISP/misp-workbench</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/YQRGVT/</url>
            <location>Main Stage</location>
            
            <attendee>Luciano Righetti</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>Y3FG3M@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-Y3FG3M</pentabarf:event-slug>
            <pentabarf:title>From CLI to Platform: Building NetCarapace, a Secure and Open Source URL Checking Ecosystem driven by Fondation Restena URL Shortener Use Case</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T135500</dtstart>
            <dtend>20260508T140000</dtend>
            <duration>000500</duration>
            <summary>From CLI to Platform: Building NetCarapace, a Secure and Open Source URL Checking Ecosystem driven by Fondation Restena URL Shortener Use Case</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Lightning Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/Y3FG3M/</url>
            <location>Main Stage</location>
            
            <attendee>Cédric Renzi</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>HJHWDS@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-HJHWDS</pentabarf:event-slug>
            <pentabarf:title>What You See Is (Not) What You Get</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T140000</dtstart>
            <dtend>20260508T144000</dtend>
            <duration>004000</duration>
            <summary>What You See Is (Not) What You Get</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/HJHWDS/</url>
            <location>Main Stage</location>
            
            <attendee>Xavier Mertens</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>PHH3EJ@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-PHH3EJ</pentabarf:event-slug>
            <pentabarf:title>XCTDH Cross-Chain Transaction Data Hiding: Cyber Espionage and OPSEC Encounters</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T144000</dtstart>
            <dtend>20260508T152000</dtend>
            <duration>004000</duration>
            <summary>XCTDH Cross-Chain Transaction Data Hiding: Cyber Espionage and OPSEC Encounters</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/PHH3EJ/</url>
            <location>Main Stage</location>
            
            <attendee>Ellis Stannard</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>U7LPD7@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-U7LPD7</pentabarf:event-slug>
            <pentabarf:title>Startup Security 2020: Aged Like Wine or Milk?</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T154000</dtstart>
            <dtend>20260508T162000</dtend>
            <duration>004000</duration>
            <summary>Startup Security 2020: Aged Like Wine or Milk?</summary>
            <description>Building a new company in a highly regulated field facing &lt;buzzword&gt;sophisticated threat actors&lt;/buzzword&gt; brings its share of challenges, but also allows you to build things without worrying about legacy environments and problems. 

What you are building today will, however, become the legacy problem in the future.

Specifically, we will talk about decisions that were made in 2020 to build a secure company back then, and contrast that to 2026 and the decisions I believe we would make now.

Topics covered will include:

- Core architectural decisions that are &quot;one-way doors&quot;
- Programming languages and ecosystems
- Threat modeling from the beginning
- Immutable and ephemeral infrastructure
- Everything as code
- Identity
- Supply chain security and its downstream impact on endpoint security</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/U7LPD7/</url>
            <location>Main Stage</location>
            
            <attendee>Guillaume Ross</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>YHW98L@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-YHW98L</pentabarf:event-slug>
            <pentabarf:title>Exploiting the Past: How Linguistic Redundancy weaponizes the Quantum Search Landscape</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T162000</dtstart>
            <dtend>20260508T170000</dtend>
            <duration>004000</duration>
            <summary>Exploiting the Past: How Linguistic Redundancy weaponizes the Quantum Search Landscape</summary>
            <description>Cryptanalysis has always been a game of exploiting patterns. This session takes that principle
into quantum territory by pitting the rigid orthography of _Renaissance Italian_ against the
probabilistic mechanics of Grover amplitude amplification — and catching the algorithm in a
failure mode the textbook formula cannot predict.

### The Setup

We introduce a two-phase experimental framework built around a custom Python toolkit that
normalizes and models four 16th-century Italian corpora using character _n-gram_ language models.
Every candidate decryption key is scored against the corpus; the fraction of keys that score above
a statistical plausibility threshold — _p_good_ — becomes the marked fraction fed to the Grover
oracle. This transforms a linguistics measurement into a quantum complexity parameter.

**Phase 1** sweeps the full 23-letter alphabet across multiple cipher lengths and plausibility
thresholds, producing analytical Grover oracle estimates and classical exhaustive-search baselines.

**Phase 2** reduces the alphabet to 7 letters — making all 5 040 keys enumerable — and runs a
direct statevector simulation of Grover amplitude amplification. No analytical approximations.
Real quantum circuit behavior on a controlled key space.

### The Discovery: Discrete Resonance Failure

The headline finding is a failure mode the standard Boyer formula cannot anticipate. At one
threshold, _p_good_ produces an angle θ for which no small integer iteration count satisfies the
resonance condition. The formula confidently recommends stopping at iteration 2. The real
probability curve keeps oscillating and only peaks at iteration 24 — requiring 49 oracle calls
against a classical expectation of 12.5 trials. **Quantum loses by a factor of four.**

We walk through the forensic geometry of this collapse: why the sinusoidal Grover envelope
creates near-equal local maxima that fool the continuous approximation, and how to detect
near-resonant _p_good_ values before deploying the algorithm.

### The L=600 Anomaly

A separate empirical anomaly surfaces at cipher length L=600, where _p_good_ persistently
exceeds both shorter and longer ciphers across five of six tested thresholds. A targeted stability
analysis — sampling 20 distinct text segments at each length — identifies this as a **transition
zone of maximal within-length variance**: at L=600, local stylistic features of Renaissance prose
(Latin citations, enumerations, proper-noun clusters) produce segment-level fluctuations wide
enough to push _p_good_ above its expected trend. We show how to isolate structural data effects
from algorithmic noise.

### QUBO and the Landscape-Warping Effect

Parallel _Quadratic Unconstrained Binary Optimization_ (QUBO) annealing experiments reveal a
complementary insight: compressing a 23-letter alphabet to 7 letters cuts the trigram parameter
space by a factor of ~36, collapsing statistically distinct character patterns onto the same
symbols and creating **false energy attractors** — suboptimal keys surrounded by uphill barriers
the annealer cannot cross. The QUBO failure pattern inverts relative to the 23-letter case.
The Grover oracle, which only needs a binary marked/unmarked verdict, is structurally immune to
this distortion. The two attack paradigms probe entirely different properties of the key-score
landscape.

### What Attendees Will Take Away

1. How to construct a corpus-derived Grover oracle and measure _p_good_ empirically rather than
   assuming it.
2. How to detect discrete resonance conditions that cause the standard iteration formula to fail —
   and by how much.
3. Why reducing model complexity (smaller alphabet, lower-order n-grams) can **help** a quantum
   oracle while simultaneously **breaking** an annealing attack.
4. A reusable stability analysis method for distinguishing structural data features from
   algorithmic artefacts in any combinatorial search benchmark.

This talk is for anyone at the intersection of classical cryptanalysis, optimization heuristics,
and quantum security — no prior quantum computing background required.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/YHW98L/</url>
            <location>Main Stage</location>
            
            <attendee>Alessio Di Santo</attendee>
            
            <attendee>Gabriella Lanziani</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>CAWHBG@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-CAWHBG</pentabarf:event-slug>
            <pentabarf:title>CTF Prize ceremony (and raffles if any etc.)</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T170000</dtstart>
            <dtend>20260508T171500</dtend>
            <duration>001500</duration>
            <summary>CTF Prize ceremony (and raffles if any etc.)</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/CAWHBG/</url>
            <location>Main Stage</location>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>JUD9FP@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-JUD9FP</pentabarf:event-slug>
            <pentabarf:title>Mastering Incident Response with Kanvas</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T090000</dtstart>
            <dtend>20260508T094000</dtend>
            <duration>004000</duration>
            <summary>Mastering Incident Response with Kanvas</summary>
            <description>Stop wrestling with spreadsheets and disconnected tools. Kanvas brings your incident response to life. Kanvas offers incident responders an intuitive desktop workspace that unifies case management, timeline visualization, attack chain mapping, and threat intelligence lookups, all within a single, collaborative environment. See how Kanvas streamlines workflows, enables seamless multi-user collaboration, and exports powerful visuals for reporting. Whether you’re mapping MITRE ATT&amp;CK techniques, sanitizing sensitive data, or leveraging LLM assistance, Kanvas puts everything you need at your fingertips. Join this talk to discover how Kanvas is reshaping the way teams track, document, and conquer complex incident response and forensics.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/JUD9FP/</url>
            <location>IFEN room 1, Workshops and Detection Engineering village (Building D)</location>
            
            <attendee>Ardit Beu</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>MB9KND@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-MB9KND</pentabarf:event-slug>
            <pentabarf:title>Comprehensive Framework for Analyzing and Detecting Malicious Browser Extensions</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T094000</dtstart>
            <dtend>20260508T101000</dtend>
            <duration>003000</duration>
            <summary>Comprehensive Framework for Analyzing and Detecting Malicious Browser Extensions</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Infosec lightning talks (6 x 5 minutes)</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/MB9KND/</url>
            <location>IFEN room 1, Workshops and Detection Engineering village (Building D)</location>
            
            <attendee>Van Nguyen</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>K3C8T9@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-K3C8T9</pentabarf:event-slug>
            <pentabarf:title>Kunai: Open-Source Threat Detection on Linux</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T104000</dtstart>
            <dtend>20260508T112000</dtend>
            <duration>004000</duration>
            <summary>Kunai: Open-Source Threat Detection on Linux</summary>
            <description>This talk presents Kunai, an open-source security monitoring tool developed in Luxembourg that brings Sysmon-like capabilities to Linux systems. Built specifically to address the often-overlooked security monitoring needs of Linux environments, Kunai leverages eBPF technology to provide comprehensive threat detection and incident response capabilities.

We&#x27;ll explore how Kunai was designed from the ground up with incident response and threat detection requirements in mind, filling a critical gap in Linux security tooling. Given that Linux powers the majority of web-facing systems and cloud infrastructure, it has become a prime target for attackers - yet often lacks the sophisticated monitoring tools available for other platforms.

The session will cover Kunai&#x27;s architecture, recent advancements, and practical applications including:
- Real-time threat detection across Linux environments
- Comprehensive event logging for incident investigations
- Container-aware monitoring capabilities
- Integration with existing security workflows

Attendees will learn how Kunai enhances visibility into Linux systems, enabling better threat detection, faster incident response, and more effective digital forensic analysis - all while maintaining the performance and reliability required for production environments.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/K3C8T9/</url>
            <location>IFEN room 1, Workshops and Detection Engineering village (Building D)</location>
            
            <attendee>Quentin JEROME</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>LTSMAE@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-LTSMAE</pentabarf:event-slug>
            <pentabarf:title>Turbocharged SOC: DetectFlow and other innovative Open Source tools released by SOCPrime for detection engineering</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T112000</dtstart>
            <dtend>20260508T120000</dtend>
            <duration>004000</duration>
            <summary>Turbocharged SOC: DetectFlow and other innovative Open Source tools released by SOCPrime for detection engineering</summary>
            <description>Open source DetectFlow turns Apache Kafka+Flink into a Detection Pipeline, adding 2-tier correlation. The first tier is automated streaming of AI-generated and human-made behavior Sigma rules mapped to ATT&amp;CK; this gives initial data labels and does not generate alerts. The 2nd tier is a Flink agent which enables Agentic AI correlation across the entire ATT&amp;CK, Attack Flows and Attack Chains. This can be further refined and expanded by integrating with OpenTIDE. Attack Chains are made by human experts as &quot;higher order Sigma rules&quot; correlating on ATT&amp;CK itself and lower level Sigma rule sequences. Together this acts as a turbo-charger in front of the SIEM engine, just like the one in a car. With DetectFlow, which is essentially a low footprint, run anywhere provisioning tool with Agentic AI and MCP, we can run over 20,000 detection rules and nearly 500,000 behavior correlation patterns in front of ANY SIEM at millisecond speed. This exceeds the capacity of any SIEM by 5 orders of magnitude. This shrinks mean time to detect and the initial investigation stage from tens of minutes or even hours to a few seconds. The conversion from raw log event to a tagged event is 7%, from a tagged event to an Attack Chain is 0.0007% or 0.00007 - and only that is alert material. This reduces the need to fine tune rules at the DetectFlow level, as fine tuning becomes a context, which can be solved by any on-premise AI Agent working with outputs of DetectFlow or SIEM. SIEM remains very useful for workflow, reporting, graph analysis and, for now, machine learning based anomaly detection, even though the latter will move to pipelines too. It also takes care of data parsing via crowdsourcing and mapping via AI (can be run locally).</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/LTSMAE/</url>
            <location>IFEN room 1, Workshops and Detection Engineering village (Building D)</location>
            
            <attendee>Andrii Bezverkhyi</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>YV7DJA@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-YV7DJA</pentabarf:event-slug>
            <pentabarf:title>Panel Discussion: The future of Detection Engineering</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T133000</dtstart>
            <dtend>20260508T141000</dtend>
            <duration>004000</duration>
            <summary>Panel Discussion: The future of Detection Engineering</summary>
            <description>Panel discussion with leading Detection Engineering experts:

1. Ondrej Nekovar: Ondrej and the Boss have released innovative tooling and know-how on how to do detection engineering in 2026 in their talk - see &#x27;CT(C)I-Driven detection against internal and external threats&#x27;
2. Andrii Bezverkhyi: Founder of SOCPrime and releaser of multiple innovative open-source tools, the latest being &#x27;DetectFlow&#x27;, which enables detection engineering at the end of your pipeline before SIEM ingestion
3. Remi Seguy: Runs and operates the OpenTide project, which is a one-stop shop for detection engineering teams, integrates with CTI and offensive teams, and enables Multi-SOC collaboration</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/YV7DJA/</url>
            <location>IFEN room 1, Workshops and Detection Engineering village (Building D)</location>
            
            <attendee>Diana Waithanji</attendee>
            
            <attendee>Ondrej Nekovar</attendee>
            
            <attendee>Remi Seguy</attendee>
            
            <attendee>Andrii Bezverkhyi</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>UCCYKR@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-UCCYKR</pentabarf:event-slug>
            <pentabarf:title>Actionable CTI &amp; Detection Engineering village</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T141000</dtstart>
            <dtend>20260508T171000</dtend>
            <duration>030000</duration>
            <summary>Actionable CTI &amp; Detection Engineering village</summary>
            <description>SOC cutting edge! 

The afternoon of May 8th will feature a &#x27;village fair&#x27; where the rooms will be split into demo &#x27;Islands&#x27;. 

The audience is invited to go see demos of the talks, tools, how-tos etc. presented over the last 1.5 days of the village! 
Go check out the tools and talks that you really liked, see how modern SOCs are run today.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Village, 2d (2days x 8h)</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/UCCYKR/</url>
            <location>IFEN room 1, Workshops and Detection Engineering village (Building D)</location>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>PWM8ER@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-PWM8ER</pentabarf:event-slug>
            <pentabarf:title>The High-Performance Fuel for Social Engineering (Now in AI Flavors!)</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T090000</dtstart>
            <dtend>20260508T094000</dtend>
            <duration>004000</duration>
            <summary>The High-Performance Fuel for Social Engineering (Now in AI Flavors!)</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/PWM8ER/</url>
            <location>IFEN room 2, Workshops and AI Security Village  (Building D)</location>
            
            <attendee>Glen Sorensen</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>XXRJ8Z@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-XXRJ8Z</pentabarf:event-slug>
            <pentabarf:title>The challenges of AI-as-a-Service logging</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T094000</dtstart>
            <dtend>20260508T102000</dtend>
            <duration>004000</duration>
            <summary>The challenges of AI-as-a-Service logging</summary>
            <description>LLM logs are a subset of API logs, but they come from 2 different perspectives - client-side logs and server-side logs.
Add to that challenge that most logs aren&#x27;t really designed with security analysis in mind, and it becomes hard to know what to do and how to do it.
Note - I gave a version of this talk at fwd:CloudSec North America 2025. https://www.youtube.com/watch?v=AccsDqmHPdU&amp;list=PLCPCP1pNWD7M-hHBOymDR5vkPib0tkZd9&amp;index=18</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/XXRJ8Z/</url>
            <location>IFEN room 2, Workshops and AI Security Village  (Building D)</location>
            
            <attendee>Jeremy Snyder</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>HCRD3Y@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-HCRD3Y</pentabarf:event-slug>
            <pentabarf:title>AI in Cybersecurity: How can we make best use of it?</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T104000</dtstart>
            <dtend>20260508T112000</dtend>
            <duration>004000</duration>
            <summary>AI in Cybersecurity: How can we make best use of it?</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/HCRD3Y/</url>
            <location>IFEN room 2, Workshops and AI Security Village  (Building D)</location>
            
            <attendee>Diana Waithanji</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>UGKRML@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-UGKRML</pentabarf:event-slug>
            <pentabarf:title>The Agent Had a Plan—So Did I: Top Attacks on OWASP Agentic AI Systems</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T112000</dtstart>
            <dtend>20260508T120000</dtend>
            <duration>004000</duration>
            <summary>The Agent Had a Plan—So Did I: Top Attacks on OWASP Agentic AI Systems</summary>
            <description>Here&#x27;s the flow:

Intro to Agentic AI Systems
- What are agentic AI systems?
- How do they differ from regular AI tools?
- Use cases / Popular frameworks: LangChain, AutoGen, BAML.

Vulnerabilities:
#1: Agent Goal and Instruction Manipulation
- Exploiting how attackers can manipulate AI agent goals and instructions to make them act against their intended purposes.

#2: Agent Temporal Manipulation and Time based attacks
- Exploiting time-dependent behaviors in AI agents to manipulate scheduling, timestamps, and decision-making, leading to desynchronization and timing attacks.

#3: Agent Orchestration and Multi-Agent Exploitation
- Exploiting vulnerabilities in how multiple AI agents interact, coordinate, and communicate, compromising entire agent networks.

#4: Checker-out-of-the-Loop Vulnerability
- Showing how agents can operate outside system limits without alerting human operators or oversight systems.

#5: Agent Covert Channel Exploitation
- Demonstrating how agents can exploit covert channels to leak data or escalate privileges without detection.

#6: Agent Alignment Faking
- Demonstrating how agents can fake adherence to rules during monitored phases but deviate when unmonitored.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/UGKRML/</url>
            <location>IFEN room 2, Workshops and AI Security Village  (Building D)</location>
            
            <attendee>Parth Shukla</attendee>
            
            <attendee>Nagarjun Rallapalli</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>UEJDNE@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-UEJDNE</pentabarf:event-slug>
            <pentabarf:title>Building the Ultimate AI Firewall: Inside SovereignShield, IntentShield, and LogicShield</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T133000</dtstart>
            <dtend>20260508T141000</dtend>
            <duration>004000</duration>
            <summary>Building the Ultimate AI Firewall: Inside SovereignShield, IntentShield, and LogicShield</summary>
            <description>This 35-minute technical session is an architectural deep-dive into the SovereignShield product suite, designed to show developers and security engineers how to mathematically secure AI endpoints.

We will cover the ecosystem in three distinct technical phases:

**LogicShield: Securing the Cognitive Layer (10 mins)**

Why traditional syntax filters fail against semantic attacks (like prompt injection and jailbreaks).
How LogicShield enforces deterministic logical boundaries on AI reasoning before an output is even generated.

**IntentShield: Outbound Action Auditing (10 mins)**

The danger of autonomous AI agents executing destructive API commands or exfiltrating data.
Deep dive into the ActionParser and Conscience modules. How IntentShield intercepts, audits, and blocks malicious intent at the execution layer.

**SovereignShield: The Unified Firewall (10 mins)**

Bringing it all together. How the core SovereignShield layer acts as a bidirectional proxy.
Live architecture breakdown of our 4-layer defense model (Inbound Input Filtering + Outbound Action Auditing) protecting a production API.

**Conclusion &amp; Q&amp;A (5-10 mins)**

How the community can integrate the SovereignShield suite into their own LLM pipelines today.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/UEJDNE/</url>
            <location>IFEN room 2, Workshops and AI Security Village  (Building D)</location>
            
            <attendee>mattijs moens</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>SDCESA@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-SDCESA</pentabarf:event-slug>
            <pentabarf:title>Security for AI: AIDR Bastion as open source LLM firewall / AI prompts reverse proxy</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T141000</dtstart>
            <dtend>20260508T144000</dtend>
            <duration>003000</duration>
            <summary>Security for AI: AIDR Bastion as open source LLM firewall / AI prompts reverse proxy</summary>
            <description>AIDR Bastion is an open source, comprehensive GenAI protection system designed to safeguard against malicious prompts, injection attacks, and harmful content. Source code is available on GitHub: https://github.com/socprime/AIDR-Bastion
The system incorporates multiple detection engines that operate sequentially to analyze and classify user inputs before reaching GenAI applications.

- The system supports Roota and Sigma rules, enabling the application of detection logic from multiple sources such as SigmaHQ (around 1,200 compatible free community Sigma rules available at release), SOC Prime (with up to 3,000 additional compatible rules), and other third-party repositories. Sigma rules can be applied to detect use cases where malware leverages a local LLM to generate malicious code for execution.
- SOC Prime Uncoder AI integration further extends functionality by translating Sigma rules into Semgrep format, providing standardized and reusable detection pipelines (requires a free account).
- Roota rules power the regex-based pipeline.
- The architecture supports rule extensibility, seamlessly integrating organization-specific signatures and external detection content.
- The system can also function as a local logging sensor, recording user and agent prompts and enabling diagnostics, incident discovery, and cyber attack investigation.
- Detection logic aligns with industry frameworks such as MITRE ATLAS and OWASP Top 10 for LLMs, ensuring standardized coverage against adversarial techniques.
- Actions include allow, block, or notify, depending on rule matches and policy configuration.
- This layered detection approach delivers defense-in-depth against evolving adversarial prompt engineering and other AI-focused attack vectors. Inspired by LlamaFirewall.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/SDCESA/</url>
            <location>IFEN room 2, Workshops and AI Security Village  (Building D)</location>
            
            <attendee>Andrii Bezverkhyi</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>SRHCSS@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-SRHCSS</pentabarf:event-slug>
            <pentabarf:title>Every Guardrail Everywhere All at Once: Designing and Testing Guardrails for LLM Applications</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T144000</dtstart>
            <dtend>20260508T152000</dtend>
            <duration>004000</duration>
            <summary>Every Guardrail Everywhere All at Once: Designing and Testing Guardrails for LLM Applications</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/SRHCSS/</url>
            <location>IFEN room 2, Workshops and AI Security Village  (Building D)</location>
            
            <attendee>Donato Capitella</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>8WLHGS@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-8WLHGS</pentabarf:event-slug>
            <pentabarf:title>Building Secure AI: Making Threat Modeling a Core Part of Development</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T154000</dtstart>
            <dtend>20260508T162000</dtend>
            <duration>004000</duration>
            <summary>Building Secure AI: Making Threat Modeling a Core Part of Development</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/8WLHGS/</url>
            <location>IFEN room 2, Workshops and AI Security Village  (Building D)</location>
            
            <attendee>Diana Waithanji</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>8ACVB3@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-8ACVB3</pentabarf:event-slug>
            <pentabarf:title>AI Security Village - Open Village/Q&amp;A</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T162000</dtstart>
            <dtend>20260508T172000</dtend>
            <duration>010000</duration>
            <summary>AI Security Village - Open Village/Q&amp;A</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Village, 2d (2days x 8h)</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/8ACVB3/</url>
            <location>IFEN room 2, Workshops and AI Security Village  (Building D)</location>
            
            <attendee>Parth Shukla</attendee>
            
            <attendee>Nagarjun Rallapalli</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>HY3QBJ@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-HY3QBJ</pentabarf:event-slug>
            <pentabarf:title>AI Security village - technical training and implementation</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T090000</dtstart>
            <dtend>20260508T120000</dtend>
            <duration>030000</duration>
            <summary>AI Security village - technical training and implementation</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Village, 2d (2days x 8h)</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/HY3QBJ/</url>
            <location>IFEN room 3 Workshops and AI Security Village (Building D)</location>
            
            <attendee>Parth Shukla</attendee>
            
            <attendee>Nagarjun Rallapalli</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>YGC7EA@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-YGC7EA</pentabarf:event-slug>
            <pentabarf:title>Dismantle The Bomb</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T100000</dtstart>
            <dtend>20260508T120000</dtend>
            <duration>020000</duration>
            <summary>Dismantle The Bomb</summary>
            <description>Dismantle the bomb by performing different tasks. The tasks will include:
- Solving ciphers
- Being genuine with a special flashlight
- Lock picking
- Making a key with a Lishi tool
- ...</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop 2h</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/</url>
            <location>Workshops May 6th, Speaker&#x27;s room May 7+8th (C1.02.13)</location>
            
            <attendee>Stijn Tomme</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>YGC7EA@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-YGC7EA</pentabarf:event-slug>
            <pentabarf:title>Dismantle The Bomb</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T133000</dtstart>
            <dtend>20260508T153000</dtend>
            <duration>020000</duration>
            <summary>Dismantle The Bomb</summary>
            <description>Dismantle the bomb by performing different tasks. The tasks will include:
- Solving ciphers
- Being genuine with a special flashlight
- Lock picking
- Making a key with a Lishi tool
- ...</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop 2h</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/</url>
            <location>Workshops May 6th, Speaker&#x27;s room May 7+8th (C1.02.13)</location>
            
            <attendee>Stijn Tomme</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>YGC7EA@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-YGC7EA</pentabarf:event-slug>
            <pentabarf:title>Dismantle The Bomb</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T153500</dtstart>
            <dtend>20260508T173500</dtend>
            <duration>020000</duration>
            <summary>Dismantle The Bomb</summary>
            <description>Dismantle the bomb by performing different tasks. The tasks will include:
- Solving ciphers
- Being genuine with a special flashlight
- Lock picking
- Making a key with a Lishi tool
- ...</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop 2h</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/</url>
            <location>Workshops May 6th, Speaker&#x27;s room May 7+8th (C1.02.13)</location>
            
            <attendee>Stijn Tomme</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>LKLWWX@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-LKLWWX</pentabarf:event-slug>
            <pentabarf:title>Spreading malware with USB keys - does it still work ?</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T094000</dtstart>
            <dtend>20260508T102000</dtend>
            <duration>004000</duration>
            <summary>Spreading malware with USB keys - does it still work ?</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/LKLWWX/</url>
            <location>Workshops and Stage - Design Space (C1.05.12)</location>
            
            <attendee>Didier Barzin</attendee>
            
            <attendee>Mathieu Vajou</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>SSCME8@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-SSCME8</pentabarf:event-slug>
            <pentabarf:title>Forensic Challenges in Real-World Cases of Digital Manipulation</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T104000</dtstart>
            <dtend>20260508T112000</dtend>
            <duration>004000</duration>
            <summary>Forensic Challenges in Real-World Cases of Digital Manipulation</summary>
            <description>Case Study: Portugal (Spoofing &amp; Investigation)
The Challenge: Real case with no &quot;convergent pattern.&quot; Calls that can originate abroad with forged national IDs, making it impossible for local operators to assign responsibility or for investigators to find a consistent &quot;fingerprint.&quot; What impact it does to the 

Case Study: Brazil (Vishing)
The Mechanism: Scammers harvest video from old people and make loans on their behalf.
Impact: Financial losses in Brazil due to digital fraud reached R$10.1 billion in late 2024. Half of all fraud attempts in 2025 were linked to &quot;vishing&quot; and social engineering.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/SSCME8/</url>
            <location>Workshops and Stage - Design Space (C1.05.12)</location>
            
            <attendee>Thiago Vieira</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>QPVJLF@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-QPVJLF</pentabarf:event-slug>
            <pentabarf:title>500 Incidents Later: Real-World Cyber Defense</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T112000</dtstart>
            <dtend>20260508T120000</dtend>
            <duration>004000</duration>
            <summary>500 Incidents Later: Real-World Cyber Defense</summary>
            <description>When you provide security at scale, it&#x27;s critical to identify patterns and what actually works.
At ACEN, our SOC and CSIRT teams have handled over 500 security incidents and currently protect more than 40 organizations on a daily basis. That hands-on experience has taught us what works, what doesn&#x27;t, and how to avoid the pitfalls that lead to a breach.

In this session you&#x27;ll discover:
- **Statistics from the trenches:** Incident patterns and data from real European cases, straight from our experience.
- **Real-world case studies:** Common attack scenarios, walked through step by step, showing exactly what went wrong.
- **How to avoid common pitfalls:** The key missteps organizations make and how to prevent them.
- **A proactive approach:** How these incidents could have been prevented, and how that same thinking can protect your organization.

You&#x27;ll leave with a clear plan to improve your security posture, and the right questions to ask before someone else finds the gaps first.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/QPVJLF/</url>
            <location>Workshops and Stage - Design Space (C1.05.12)</location>
            
            <attendee>Federico</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>L9Y9PM@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-L9Y9PM</pentabarf:event-slug>
            <pentabarf:title>Third Party Risk Management</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T133000</dtstart>
            <dtend>20260508T141000</dtend>
            <duration>004000</duration>
            <summary>Third Party Risk Management</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/L9Y9PM/</url>
            <location>Workshops and Stage - Design Space (C1.05.12)</location>
            
            <attendee>Jyoti Upadhyay</attendee>
            
            <attendee>Parveen Rajpurohit</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>CERTQC@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-CERTQC</pentabarf:event-slug>
            <pentabarf:title>Agnoletti &amp; Trump: Gaming Playing to Win at Cyber</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T141000</dtstart>
            <dtend>20260508T145000</dtend>
            <duration>004000</duration>
            <summary>Agnoletti &amp; Trump: Gaming Playing to Win at Cyber</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/CERTQC/</url>
            <location>Workshops and Stage - Design Space (C1.05.12)</location>
            
            <attendee>Klaus Agnoletti</attendee>
            
            <attendee>Ian Thornton-Trump</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>KFW9CC@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-KFW9CC</pentabarf:event-slug>
            <pentabarf:title>Weaponizing PDF Files: Advanced Exploitation Techniques for Red Teams</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T154000</dtstart>
            <dtend>20260508T162000</dtend>
            <duration>004000</duration>
            <summary>Weaponizing PDF Files: Advanced Exploitation Techniques for Red Teams</summary>
            <description>Outline
1. Introduction
- Welcome &amp; Objectives
- Importance of PDF Security in Today’s Threat Landscape
- Overview of Hands-On Approach
2. Anatomy of a PDF File
- PDF File Structure Overview
- Common Features Abused by Attackers
- JavaScript Capabilities Within PDFs
3. Real-World Vulnerabilities
- Demo: Analyzing a Malicious PDF Sample
4. Key Exploit Techniques
- Heap Spray Attacks
  - Concept and Mechanism
  - Demo: Shellcode Injection via Heap Spray
- Data Exfiltration Tactics
  - Covert Data Extraction Methods
  - Demo: Harvesting User Data from PDF Interaction
- Embedding Malware in PDFs
  - Techniques for Payload Embedding
  - Demo: Triggering Exploits Through User Actions
5. Advanced Attack Vectors
- Shellcode Injection &amp; Buffer Overflows
- Memory Manipulation in Adobe Reader
- Demo: Exploiting Adobe Reader Vulnerabilities
6. Hands-On Exercise
- Guided Lab: Analyzing and Crafting Malicious PDFs
- Indicators of Compromise (IoCs)
- Safe Testing Practices</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/KFW9CC/</url>
            <location>Workshops and Stage - Design Space (C1.05.12)</location>
            
            <attendee>Filipi Pires</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>7DGVSU@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-7DGVSU</pentabarf:event-slug>
            <pentabarf:title>Curating Secure Software: The Art of Selecting Safe Dependencies</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T094000</dtstart>
            <dtend>20260508T102000</dtend>
            <duration>004000</duration>
            <summary>Curating Secure Software: The Art of Selecting Safe Dependencies</summary>
            <description>Curating software is like curating art—every dependency must be verified, authentic, and secure. This talk explores how careful selection, evaluation, and automation can help developers build safer apps and maintain a strong, trustworthy software supply chain.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/7DGVSU/</url>
            <location>Workshops and Stage - Gernsback (C1.05.02)</location>
            
            <attendee>Kadi McKean</attendee>
            
            <attendee>Frithjof Hoffmann</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>8LNSCC@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-8LNSCC</pentabarf:event-slug>
            <pentabarf:title>Spyware: The Invisible Threat</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T104000</dtstart>
            <dtend>20260508T112000</dtend>
            <duration>004000</duration>
            <summary>Spyware: The Invisible Threat</summary>
            <description></description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/8LNSCC/</url>
            <location>Workshops and Stage - Gernsback (C1.05.02)</location>
            
            <attendee>Julien vander Straeten</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>DL9Z8C@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-DL9Z8C</pentabarf:event-slug>
            <pentabarf:title>From Phishing to Mitigation: An Early-Career Incident Response</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T112000</dtstart>
            <dtend>20260508T120000</dtend>
            <duration>004000</duration>
            <summary>From Phishing to Mitigation: An Early-Career Incident Response</summary>
            <description>A recounting of an early-career security incident involving a disruptive phishing campaign, traced through IP allocation data and addressed through responsible disclosure with upstream infrastructure, highlighting how technical analysis and human communication helped resolve a problem that initially felt unsolvable.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/DL9Z8C/</url>
            <location>Workshops and Stage - Gernsback (C1.05.02)</location>
            
            <attendee>Chris Beckman</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>ZQWC7Y@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-ZQWC7Y</pentabarf:event-slug>
            <pentabarf:title>Building vs. Buying – A Tale of Developing an In-House SCA Tool</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T133000</dtstart>
            <dtend>20260508T141000</dtend>
            <duration>004000</duration>
            <summary>Building vs. Buying – A Tale of Developing an In-House SCA Tool</summary>
            <description>In this session, I will take the audience through the complete journey of designing, building, and deploying an open-source Software Composition Analysis (SCA) tool from scratch. I will start by highlighting the common challenges teams face when using commercial SCA tools, such as opaque scoring systems, overwhelming volumes of alerts, inconsistent results across different repositories and ecosystems, and the difficulty in prioritizing what matters most. I will explain the motivation behind building an in-house, open-source tool: to give security and development teams transparency, control, and flexibility, and to create a practical, actionable approach to managing dependencies at scale.

Next, I will dive into the technical architecture and design decisions that guided the tool’s development, showing how it discovers dependencies, including transitive ones, across multiple ecosystems. I will cover how the tool integrates public vulnerability sources, including CVE databases, advisories, and metadata, and how it normalizes results to provide consistent, actionable insights. I will explain the scoring system we developed to prioritize vulnerabilities based on severity, exploitability, and update cadence, enabling teams to focus on what actually matters.

The session will include a live demo showing a real repository being scanned, vulnerabilities being discovered, scored, and surfaced in dashboards. I will walk through how results are integrated into CI/CD pipelines to block risky builds, automate updates, and generate actionable reports for developers. Along the way, I will share lessons learned from real-world deployment, including challenges in adoption, maintaining open-source tools, and improving developer engagement.

By the end of the session, attendees will understand the full lifecycle of building and using an open-source SCA tool, including practical integration strategies, risk prioritization techniques, and how to deploy it effectively in their own environments. I will provide links to the open-source code and supporting materials, so participants can explore and experiment immediately.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/ZQWC7Y/</url>
            <location>Workshops and Stage - Gernsback (C1.05.02)</location>
            
            <attendee>Diogo Lemos</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>LHVQCJ@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-LHVQCJ</pentabarf:event-slug>
            <pentabarf:title>What&#x27;s Old is New: Exploiting Classic Vulnerabilities in GraphQL APIs</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T144500</dtstart>
            <dtend>20260508T152000</dtend>
            <duration>003500</duration>
            <summary>What&#x27;s Old is New: Exploiting Classic Vulnerabilities in GraphQL APIs</summary>
            <description>Organizations migrating to GraphQL often operate under a false sense of security, believing modern frameworks inherently protect against legacy vulnerabilities. This case study proves otherwise.

We&#x27;ll walk through the complete exploitation chain, from GraphQL schema enumeration and identifying injection points in resolvers, to executing time-based blind SQL injection that achieved PostgreSQL superuser access. We&#x27;ll also demonstrate how broken authentication patterns in GraphQL&#x27;s authorization layer enabled unauthorized data access.

The talk will include a live demo of GrapeQL, an open-source tool for automated GraphQL vulnerability scanning, with practical demonstrations of effective testing workflows. Attendees will learn GraphQL-specific mitigation strategies including parameterized queries in resolvers, proper input validation for nested structures, resolver-level authorization, rate/depth limiting, and security-focused schema design patterns.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/LHVQCJ/</url>
            <location>Workshops and Stage - Gernsback (C1.05.02)</location>
            
            <attendee>Aleksa Zatezalo</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>MXSRZ9@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-MXSRZ9</pentabarf:event-slug>
            <pentabarf:title>BsidesLuxembourg 2026 CTF Walkthrough Session</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20260508T140000</dtstart>
            <dtend>20260508T160000</dtend>
            <duration>020000</duration>
            <summary>BsidesLuxembourg 2026 CTF Walkthrough Session</summary>
            <description>Instead of a lecture where the speaker tells the audience all the answers, the session is constructed in the form of a conversation with the players of the CTF. We will begin with a brief summary of the BSides Luxembourg 2026 CTF: types, difficulty tiers, and some statistics (solves, first bloods, most/least solved challenges). Following that, it will be audience-driven: we will ask the participants to tell us which issues they would like to rediscover, and then untie them on the spot.

For each chosen challenge, we will:

- Explain the core idea and what clue in the statement pointed to it.
- Show the critical steps of the solution, highlighting typical mistakes and dead ends.
- Discuss alternative approaches, tooling, and how similar bugs appear in real‑world systems.

This format allows the session to be useful regardless of whether you were able to solve many flags or couldn&#x27;t get through: you can bring your questions, learn how other people tackled the same problem, and pick up useful tips on how to solve CTF problems practically, which you can apply to future CTF events.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop 2h</category>
            <url>https://pretalx.com/bsidesluxembourg-2026/talk/MXSRZ9/</url>
            <location>CTF players room (C1.03.05 6+8th or C1.04.02 7th)</location>
            
            <attendee>MUHAMMED WASEEM VILLAN</attendee>
            
        </vevent>
        
    </vcalendar>
</iCalendar>
