<?xml version='1.0' encoding='utf-8' ?>
<!-- Made with love by pretalx v2026.1.1. -->
<schedule>
    <generator name="pretalx" version="2026.1.1" />
    <version>0.72</version>
    <conference>
        <title>BSidesLuxembourg 2026</title>
        <acronym>bsidesluxembourg-2026</acronym>
        <start>2026-05-06</start>
        <end>2026-05-08</end>
        <days>3</days>
        <timeslot_duration>00:05</timeslot_duration>
        <base_url>https://pretalx.com</base_url>
        
        <time_zone_name>Europe/Luxembourg</time_zone_name>
        
        
        <track name="Main Stage" slug="6603-main-stage"  color="#5f0211" />
        
        <track name="Secondary Stage" slug="6605-secondary-stage"  color="#7993f0" />
        
        <track name="CLUSIL Stage" slug="6606-clusil-stage"  color="#19c316" />
        
        <track name="Workshop track 1" slug="6607-workshop-track-1"  color="#77761d" />
        
        <track name="Workshop track 3" slug="6608-workshop-track-3"  color="#ffad00" />
        
        <track name="Villages in Atrium" slug="6609-villages-in-atrium"  color="#87c2d0" />
        
        <track name="Workshop track 2" slug="6602-workshop-track-2"  color="#d3c7af" />
        
        <track name="Cloud track" slug="6963-cloud-track"  color="#6dd4ee" />
        
        <track name="Actionable CTI and detection engineering village" slug="6964-actionable-cti-and-detection-engineering-village"  color="#9700ff" />
        
        <track name="AI Security Village" slug="6977-ai-security-village"  color="#2f2022" />
        
        <track name="Escape games!" slug="6965-escape-games"  color="#1b4f5b" />
        
        <track name="Secure Development track" slug="6978-secure-development-track"  color="#f3f235" />
        
    </conference>
    <day index='1' date='2026-05-06' start='2026-05-06T04:00:00+02:00' end='2026-05-07T03:59:00+02:00'>
        <room name='Main Stage' guid='75d481b1-868b-58be-a3aa-7a08dfdaa6bb'>
            <event guid='221380ef-0903-53dd-aca3-6327642366c9' id='90612' code='EFGX97'>
                <room>Main Stage</room>
                <title>From Zero Trust to Trusted Advisor - Selling Security to Stakeholders</title>
                <subtitle></subtitle>
                <type>Workshop 4h</type>
                <date>2026-05-06T14:00:00+02:00</date>
                <start>14:00</start>
                <duration>04:00</duration>
                <abstract>You&apos;ve identified the vulnerability, tested the exploit, and written the report. But they just don&#8217;t see the urgency. Now what? This 4-hour, hands-on workshop bridges the gap between technical mastery and boardroom influence. We&apos;ll move beyond simply reporting risks to crafting compelling narratives, quantifying value, and building the relationships necessary to drive meaningful security improvements.

This isn&apos;t your typical &quot;compliance&quot; training. We&apos;ll delve into the psychology of decision-making, explore adversarial communication tactics (used against you), and arm you with practical strategies to become a trusted advisor who can effectively advocate for security and get things done.</abstract>
                <slug>bsidesluxembourg-2026-90612-from-zero-trust-to-trusted-advisor-selling-security-to-stakeholders</slug>
                <track></track>
                
                <persons>
                    <person id='90937'>Daniela Parker</person><person id='90938'>Glen Sorensen</person>
                </persons>
                <language>en</language>
                <description>You&apos;ve identified the vulnerability, tested the exploit, and written the report. But they just don&#8217;t see the urgency. Now what? This 4-hour, hands-on workshop bridges the gap between technical mastery and boardroom influence. We&apos;ll move beyond simply reporting risks to crafting compelling narratives, quantifying value, and building the relationships necessary to drive meaningful security improvements.
This isn&apos;t your typical &quot;compliance&quot; training. We&apos;ll delve into the psychology of decision-making, explore adversarial communication tactics (used against you), and arm you with practical strategies to become a trusted advisor who can effectively advocate for security and get things done.
Target Audience:
Security professionals of all levels (penetration testers, security engineers, analysts, red teamers, etc.) who want to improve their communication and persuasion skills to influence stakeholders and drive security initiatives.
Workshop Objectives:
Participants will be able to:
&#8226;	Identify and analyze key stakeholders, influencers, and decision makers within their organizations.
&#8226;	Translate technical findings or concepts, such as security by design, into business-centric language.
&#8226;	Tailor your message to your stakeholders and influence them to make better decisions (social engineering for good!).
&#8226;	Articulate the ROI of security investments.
&#8226;	Effectively counter common objections and adversarial tactics.
&#8226;	Develop a practical method for ongoing stakeholder engagement.
&#8226;	Practice communicating complex security issues to non-technical audiences.
&#8226;	Build trust and credibility with diverse stakeholders.
&#8226;	Overcome their own fears and perceived limitations when dealing with key business decision makers.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/EFGX97/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/EFGX97/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='IFEN room 1, Workshops and Detection Engineering village (Building D)' guid='d009362d-88e2-5587-ae2a-5051041602da'>
            <event guid='4ecd0935-4394-552e-aabf-ef9b50eb5efc' id='88216' code='WGNSKX'>
                <room>IFEN room 1, Workshops and Detection Engineering village (Building D)</room>
                <title>[Reboot] ML foundations for cybersecurity in 2026</title>
                <subtitle></subtitle>
                <type>Training 8h</type>
                <date>2026-05-06T09:00:00+02:00</date>
                <start>09:00</start>
                <duration>09:00</duration>
                <abstract>This session provides cybersecurity professionals with practical machine learning skills, from ML basics up to deep learning with TensorFlow. Participants will set up a complete development environment and learn foundational ML concepts through hands-on implementation rather than mathematical theory. The curriculum covers core ML principles through deep learning, with emphasis on security-relevant applications. No advanced mathematics or prior AI experience required.

We break the myth. You don&apos;t need a PhD to do AI here.</abstract>
                <slug>bsidesluxembourg-2026-88216-reboot-ml-foundations-for-cybersecurity-in-2026</slug>
                <track></track>
                
                <persons>
                    <person id='88706'>Pauline Bourmeau (Cookie)</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/WGNSKX/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/WGNSKX/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='IFEN room 2, Workshops and AI Security Village  (Building D)' guid='a18bb72e-a1ae-5ea3-acfa-8ddd1c6b0d44'>
            <event guid='375bb907-bd81-5b2c-9da9-7332a4305a2a' id='88650' code='9HS8CG'>
                <room>IFEN room 2, Workshops and AI Security Village  (Building D)</room>
                <title>Packet Analysis for Beginners - an IoT toy, some packets, and Wireshark</title>
                <subtitle></subtitle>
                <type>Workshop 2h</type>
                <date>2026-05-06T09:00:00+02:00</date>
                <start>09:00</start>
                <duration>02:00</duration>
                <abstract>What can we learn from ordinary packets on the wire, using a disconcerting connected toy as a demo device? How can you tell when something is phoning home? In this workshop, we&#8217;ll use Wireshark to observe what devices send and receive during regular operation.</abstract>
                <slug>bsidesluxembourg-2026-88650-0-packet-analysis-for-beginners-an-iot-toy-some-packets-and-wireshark</slug>
                <track></track>
                <logo>/media/bsidesluxembourg-2026/submissions/9HS8CG/image_TyepQxk.webp</logo>
                <persons>
                    <person id='89221'>Katherine Leese</person>
                </persons>
                <language>en</language>
                <description>Pre-Workshop Setup:
Please install Wireshark before the session: [https://www.wireshark.org/docs/installation.html](https://www.wireshark.org/download.html)

Crucial Permission Steps:
    Windows: Ensure you install Npcap during the setup process.
    macOS: Follow the prompts to allow network access/chmod permissions.
    Linux: Run sudo dpkg-reconfigure wireshark-common, select yes, then add your user to the wireshark group (sudo usermod -aG wireshark $USER), then reboot.

Test: Open the app; if you see &quot;live&quot; traffic lines on your network interface, you are ready!

In this workshop, we&#8217;ll take packet capture from a disconcerting connected toy and use it as a starting point to learn how to read ordinary network traffic. Step by step, we&#8217;ll look at how devices introduce themselves on a local network, resolve names, establish connections, negotiate encryption, and continue communicating during normal operation. Once we have familiarized ourselves, we will move on to some real-world captures.

Rather than breaking encryption or exploiting vulnerabilities, the focus is on observation and understanding. Using Wireshark, we&#8217;ll practice identifying patterns, relationships, and metadata that remain visible even when payloads are encrypted. Along the way, we&#8217;ll look at how to recognise when a device is phoning home, what kinds of context travel with requests, and how much can be learned from traffic that is behaving exactly as designed.

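As an added illustration, not part of the workshop material or of this page: the snippet below reads the two names that stay visible on the wire even when the payload is encrypted, the DNS question name and the TLS Server Name Indication (SNI) carried in the ClientHello before encryption starts, which is precisely the metadata Wireshark shows when a device phones home. Everything in it is constructed: the hostname telemetry.example-toy.test and the packets are made up for the demo, and the two parsers handle only the minimal message shapes built here (no DNS name compression, and nothing for TLS Encrypted Client Hello, which hides the SNI).

```python
"""Added example, not part of the workshop: read the two names that stay visible
on the wire even when the payload is encrypted, the DNS question name and the
TLS Server Name Indication (SNI) sent in the ClientHello before encryption
starts. All packets here are constructed for the demo, not captured from the toy."""
import struct


def build_dns_query(qname):
    """Construct a minimal DNS query with a single A question for qname."""
    labels = b''.join(bytes([len(label)]) + label.encode('ascii')
                      for label in qname.split('.'))
    header = struct.pack('!HHHHHH', 0x1234, 0x0100, 1, 0, 0, 0)  # id, RD set, QDCOUNT=1
    return header + labels + b'\x00' + struct.pack('!HH', 1, 1)   # QTYPE A, QCLASS IN


def parse_dns_query_name(payload):
    """Return the first question name of a DNS message, or None if there is none.
    Question names in a query are written out in full, so no compression pointers."""
    qdcount = struct.unpack('!H', payload[4:6])[0] if len(payload) >= 12 else 0
    if qdcount == 0:
        return None
    pos, labels = 12, []
    while payload[pos] != 0:
        length = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + length].decode('ascii'))
        pos += 1 + length
    return '.'.join(labels)


def build_client_hello(server_name):
    """Construct a minimal TLS ClientHello record whose only extension is SNI."""
    name = server_name.encode('ascii')
    sni_list = struct.pack('!HBH', len(name) + 3, 0, len(name)) + name  # list len, host_name type, name len
    extensions = struct.pack('!HH', 0, len(sni_list)) + sni_list        # extension type 0 = server_name
    body = (b'\x03\x03' + bytes(32)            # client_version TLS 1.2, 32-byte random (zeros here)
            + b'\x00'                          # empty session id
            + b'\x00\x02\x13\x01'              # one cipher suite, TLS_AES_128_GCM_SHA256
            + b'\x01\x00'                      # one compression method, null
            + struct.pack('!H', len(extensions)) + extensions)
    handshake = b'\x01' + len(body).to_bytes(3, 'big') + body       # handshake type 1 = ClientHello
    return b'\x16\x03\x01' + struct.pack('!H', len(handshake)) + handshake


def parse_tls_sni(record):
    """Return the server_name from a TLS ClientHello record; None for any other
    record, and None rather than an exception for truncated input."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        pos = 9 + 2 + 32                                          # record hdr, handshake hdr, version, random
        pos += 1 + record[pos]                                    # session id
        pos += 2 + struct.unpack('!H', record[pos:pos + 2])[0]    # cipher suites
        pos += 1 + record[pos]                                    # compression methods
        end = pos + 2 + struct.unpack('!H', record[pos:pos + 2])[0]
        pos += 2
        while end - pos >= 4:
            ext_type, ext_len = struct.unpack('!HH', record[pos:pos + 4])
            pos += 4
            if ext_type == 0:                                     # server_name: list len(2) type(1) name len(2) name
                name_len = struct.unpack('!H', record[pos + 3:pos + 5])[0]
                return record[pos + 5:pos + 5 + name_len].decode('ascii')
            pos += ext_len
    except (IndexError, struct.error):
        pass
    return None


def observed_destinations(packets):
    """Take (destination port, payload) pairs and list the names the device looked up
    or connected to, as sorted (kind, name) pairs. Any other traffic is ignored."""
    found = set()
    for port, payload in packets:
        name = parse_dns_query_name(payload) if port == 53 else (
            parse_tls_sni(payload) if port == 443 else None)
        if name:
            found.add(('dns' if port == 53 else 'sni', name))
    return sorted(found)


if __name__ == '__main__':
    # Constructed session: the toy resolves its cloud endpoint, opens TLS to it,
    # then sends application data whose content is opaque but whose peer is not.
    session = [
        (53, build_dns_query('telemetry.example-toy.test')),
        (443, build_client_hello('telemetry.example-toy.test')),
        (443, b'\x17\x03\x03\x00\x05hello'),
    ]
    for kind, name in observed_destinations(session):
        print(kind, name)
```

Run it as a script to see the two names. On a real capture you would feed it the UDP payload of port 53 packets and the first TCP segment of each port 443 stream; Wireshark shows the same field under the ClientHello, and tshark exposes it with -T fields -e tls.handshake.extensions_server_name.
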
This workshop is aimed at beginners and the curious. No prior experience with packet analysis is required. A willingness to look closely at what is already on the wire is enough.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/9HS8CG/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/9HS8CG/feedback/</feedback_url>
            </event>
            <event guid='b9004aeb-7710-5fe6-9568-ff2a09ab7d0e' id='92469' code='ZXMFCW'>
                <room>IFEN room 2, Workshops and AI Security Village  (Building D)</room>
                <title>A phishing trip with Fancy Bear - Let&apos;s analyze APT malware together!</title>
                <subtitle></subtitle>
                <type>Workshop 2h</type>
                <date>2026-05-06T11:00:00+02:00</date>
                <start>11:00</start>
                <duration>02:00</duration>
                <abstract>In this beginner-friendly workshop we will walk through the analysis of a recent Fancy Bear (APT28) attack chain together. It will feature a targeted phishing email, a then-0-day Microsoft Office exploit and multiple follow-up stages to showcase file formats and analysis methods. Additionally, we will take a look at the infrastructure behind the attack.</abstract>
                <slug>bsidesluxembourg-2026-92469-a-phishing-trip-with-fancy-bear-let-s-analyze-apt-malware-together</slug>
                <track></track>
                
                <persons>
                    <person id='92695'>Marius Genheimer</person>
                </persons>
                <language>en</language>
                <description>This workshop does not depend on domain-specific knowledge, we will try to break the steps down as far as possible. Attendees will follow along through small exercises, with the opportunity to compare their solution through a validation system.

Important message for attendees: If you would like to follow along, please bring a laptop with a charged battery. You will be handling real-world malware (you act at your own risk; no backup, no pity). I recommend using a virtual machine (e.g. FLARE-VM, REMnux). No special tooling is required, but make sure to have the basics (text and hex editor, browser, ZIP utility) installed. No photos during the workshop please, you will receive a copy of the slides.</description>
                <recording>
                    <license></license>
                    <optout>true</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/ZXMFCW/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/ZXMFCW/feedback/</feedback_url>
            </event>
            <event guid='98669856-e407-5a85-857f-489b3f7bd215' id='85279' code='JABHUU'>
                <room>IFEN room 2, Workshops and AI Security Village  (Building D)</room>
                <title>How to Read Code to Find Vulnerabilities</title>
                <subtitle></subtitle>
                <type>Workshop 2h</type>
                <date>2026-05-06T14:00:00+02:00</date>
                <start>14:00</start>
                <duration>02:00</duration>
                <abstract>The industry needs more security code reviewers. Vulnerabilities are getting deeper, not simpler, and modern applications fail in subtle ways that scanners, and even AI, routinely miss. Meanwhile, developers are writing less code and reviewing more of it than ever (hopefully).

This workshop is a fast, hands-on introduction to reading code with a security mindset. Through real CVE-inspired examples, you&#8217;ll see how tiny inconsistencies, misplaced assumptions, and misunderstood framework behaviour turn into real, exploitable flaws.

You&#8217;ll learn how to detect red flags quickly, identify dangerous patterns in small snippets, and build intuition for where vulnerabilities hide. Whether you&#8217;re a developer, pentester, or security engineer, you&#8217;ll walk away with a foundational methodology for performing clear, consistent, and reliable code reviews.</abstract>
                <slug>bsidesluxembourg-2026-85279-how-to-read-code-to-find-vulnerabilities</slug>
                <track></track>
                <logo>/media/bsidesluxembourg-2026/submissions/JABHUU/Beetle-Wallpa_AuZGt2l.webp</logo>
                <persons>
                    <person id='86405'>Louis Nyffenegger</person>
                </persons>
                <language>en</language>
                <description>Modern applications break in subtle ways, and many of the most impactful vulnerabilities come from tiny mistakes hidden in plain sight. Scanners won&#8217;t catch them. AI won&#8217;t catch them. But a trained human eye will.

This workshop teaches you how to read code with the explicit goal of finding vulnerabilities.
Through real, CVE-inspired examples, we&#8217;ll explore how small inconsistencies, incorrect assumptions, and misunderstood framework behaviour turn into exploitable bugs.

You&#8217;ll practice spotting red flags in small snippets, recognising dangerous patterns, and understanding why certain coding choices reliably lead to security issues. The session is fast-paced and hands-on, designed to build practical intuition you can apply immediately.

Whether you&#8217;re a developer, pentester, or AppSec engineer, you&#8217;ll leave with a clear, repeatable methodology for reviewing code and uncovering vulnerabilities that tools routinely miss.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/JABHUU/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/JABHUU/feedback/</feedback_url>
            </event>
            <event guid='8d2085e9-622d-59b2-bb24-05864ce4927d' id='85197' code='CY9AEA'>
                <room>IFEN room 2, Workshops and AI Security Village  (Building D)</room>
                <title>Hands-on Car Hacking &amp; Automotive Cybersecurity</title>
                <subtitle></subtitle>
                <type>Workshop 2h</type>
                <date>2026-05-06T16:00:00+02:00</date>
                <start>16:00</start>
                <duration>02:00</duration>
                <abstract>Modern cars are no longer mechanical devices. They&apos;re complex, interconnected computer networks. And like any networked system, they can be hacked. This workshop introduces participants to the fundamentals of automotive cybersecurity through real-world, hands-on exploration of in-vehicle communication and attack techniques.</abstract>
                <slug>bsidesluxembourg-2026-85197-hands-on-car-hacking-automotive-cybersecurity</slug>
                <track></track>
                
                <persons>
                    <person id='86349'>Roald Nefs</person>
                </persons>
                <language>en</language>
                <description>In this interactive workshop, attendees will learn how modern cars communicate internally and how attackers can exploit weaknesses in these systems. After a quick introduction to automotive security concepts and vehicle network architecture, participants will dive straight into practical exercises using the Controller Area Network (CAN) bus.

You&apos;ll capture and analyze live CAN traffic, reverse engineer messages sent to critical components, and craft spoofed signals that manipulate the instrument cluster. All within a safe and controlled lab environment. Through guided exercises, demonstrations, and collaborative problem-solving, you&apos;ll gain a clear understanding of how real automotive attacks work and what defenders should look out for.

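An added illustration of the capture-and-analyze step above, not taken from the workshop: record the bus at rest, record it again while one thing happens (say, a turn indicator), and keep the (ID, byte) positions that were constant at rest but changed during the action. Counters and rolling checksums vary in both captures and drop out. Both captures are constructed candump -l style log lines for the demo; IDs 0x244 and 0x1A0 are made up and say nothing about any real vehicle. Sending a spoofed frame afterwards is the workshop part and is not shown here.

```python
"""Added example, not the workshop material: the differential method for
reverse engineering a CAN signal. Capture the bus at rest, capture it again
while one action happens, and look for bytes that were constant in the
baseline but changed during the action. Lines follow the candump -l log
format; both captures below are constructed for the demo."""
import re
from collections import defaultdict

# (timestamp) interface id#data, as written by candump -l
FRAME = re.compile(r'\((\d+\.\d+)\) (\S+) ([0-9A-Fa-f]+)#([0-9A-Fa-f]*)')

BASELINE = """\
(1700000000.000000) can0 1A0#00000000000000A1
(1700000000.010000) can0 244#0000000000000000
(1700000000.020000) can0 1A0#00000000000000A2
(1700000000.030000) can0 244#0000000000000000
"""

ACTION = """\
(1700000010.000000) can0 1A0#00000000000000B1
(1700000010.010000) can0 244#1000000000000000
(1700000010.020000) can0 1A0#00000000000000B2
(1700000010.030000) can0 244#2000000000000000
"""


def parse_candump(text):
    """Return (timestamp, interface, can_id, data) tuples; unparseable lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if m:
            frames.append((float(m.group(1)), m.group(2),
                           int(m.group(3), 16), bytes.fromhex(m.group(4))))
    return frames


def values_per_byte(frames):
    """Map (can_id, byte_index) to the set of values that byte took in the capture."""
    seen = defaultdict(set)
    for _ts, _iface, can_id, data in frames:
        for index, value in enumerate(data):
            seen[(can_id, index)].add(value)
    return seen


def find_candidates(baseline, action):
    """(can_id, byte_index) pairs that were constant (or absent) at rest but varied
    during the action. Counters and checksums vary in both captures and drop out."""
    rest = values_per_byte(baseline)
    active = values_per_byte(action)
    candidates = []
    for key, values in active.items():
        if len(values) > 1 and len(rest.get(key, ())) in (0, 1):
            candidates.append(key)
    return sorted(candidates)


def describe(candidates):
    """Human-readable labels for the candidate positions."""
    return ['ID 0x%03X byte %d' % key for key in candidates]


if __name__ == '__main__':
    found = find_candidates(parse_candump(BASELINE), parse_candump(ACTION))
    for line in describe(found):
        print(line)
```

With the constructed captures the only hit is ID 0x244 byte 0; the byte 7 counter on ID 0x1A0 changes in both captures and is correctly ignored. On a real car, repeat the action several times and intersect the candidate lists, since unrelated signals (wheel speed, voltages) also drift between captures.
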
**Key Takeaways:**
- Understand modern automotive security fundamentals and vehicle network design
- Capture, analyze, and interpret CAN bus traffic
- Reverse engineer real in-vehicle messages
- Craft and send spoofed signals to demonstrate attack paths in a controlled environment

**Prerequisites:**
Participants should bring a laptop with the following characteristics:
- Laptop running a Linux distribution (or a Linux VM with USB passthrough enabled)
- Available USB-A port, or USB-C port with compatible cable</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/CY9AEA/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/CY9AEA/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='IFEN room 3 Workshops and AI Security Village (Building D)' guid='3ecced5f-5a05-593c-a612-364a5528f8d3'>
            <event guid='7f4d15ef-16ab-51a1-8df6-85ad1bc205a9' id='92825' code='CVMLKB'>
                <room>IFEN room 3 Workshops and AI Security Village (Building D)</room>
                <title>Gotta Contain &apos;Em All: Collaborative Incident Response Training Through Gaming</title>
                <subtitle></subtitle>
                <type>Workshop 2h</type>
                <date>2026-05-06T09:00:00+02:00</date>
                <start>09:00</start>
                <duration>02:00</duration>
                <abstract>Incident response isn&apos;t just about knowing your tools - it&apos;s about coordinating under pressure, communicating when things go sideways, and making calls with incomplete information. Traditional training focuses on isolated techniques, missing the collaborative reality of actual incidents. And most tabletop exercises? Painfully dull. Participants zone out, give checkbox answers, and leave having learned little.

This workshop introduces Malware &amp; Monsters (https://malwareandmonsters.com), a framework that turns IR training into something people actually enjoy. Think tabletop role-playing meets creature-collection mechanics, where teams &quot;hunt and contain&quot; digital threats through story-driven gameplay.
Game-based learning works - research shows it beats traditional instruction for skill building and retention. M&amp;M makes participants actively discover concepts instead of sitting through lectures. Scenarios include organizational pressures, evolving threats, and stakeholder drama, turning abstract security concepts into tangible problems.

You&apos;ll experience the full methodology: learn the mechanics, build custom scenarios based on real malware families (mapped to MITRE ATT&amp;CK), and run live simulations. Participants take specialized roles - Hunter, Analyst, Forensicator, Communicator, Coordinator, or Researcher - experiencing how security functions actually collaborate during incidents.

The framework includes legacy malmons from malware history&#8212;because history always repeats itself, and understanding past threats reveals patterns in current attacks. The &quot;type effectiveness&quot; system teaches strategic thinking about matching defenses to threats. Evolution mechanics show how attacks escalate when containment fails.

Participants walk away with ready-to-use materials and facilitation techniques for training that actually works.

Best of all? M&amp;M is free to play in most cases.</abstract>
                <slug>bsidesluxembourg-2026-92825-gotta-contain-em-all-collaborative-incident-response-training-through-gaming</slug>
                <track></track>
                
                <persons>
                    <person id='93002'>Klaus Agnoletti</person><person id='90938'>Glen Sorensen</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/CVMLKB/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/CVMLKB/feedback/</feedback_url>
            </event>
            <event guid='94f5cec4-2ae0-5830-ad0f-131cc6fc4d2c' id='92008' code='ETX7TJ'>
                <room>IFEN room 3 Workshops and AI Security Village (Building D)</room>
                <title>Cloud &amp; AI Security - Capture the Flag</title>
                <subtitle></subtitle>
                <type>Workshop 2h</type>
                <date>2026-05-06T11:00:00+02:00</date>
                <start>11:00</start>
                <duration>02:00</duration>
                <abstract>Cloud &amp; AI Security - Capture the flag hands-on workshop</abstract>
                <slug>bsidesluxembourg-2026-92008-cloud-ai-security-capture-the-flag</slug>
                <track></track>
                
                <persons>
                    <person id='92265'>Nathan</person><person id='92521'>Richard Hensen</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/ETX7TJ/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/ETX7TJ/feedback/</feedback_url>
            </event>
            <event guid='656de9ab-f401-5af2-a7d6-f0e694e00421' id='85117' code='TVXPKX'>
                <room>IFEN room 3 Workshops and AI Security Village (Building D)</room>
                <title>Level Up Your CI/CD: Building a secure pipeline with OSS</title>
                <subtitle></subtitle>
                <type>Workshop 4h</type>
                <date>2026-05-06T14:00:00+02:00</date>
                <start>14:00</start>
                <duration>04:00</duration>
                <abstract>What does the &quot;perfect&quot; CI/CD pipeline look like, especially one built with security at its core? This hands-on workshop explores that ideal using readily available open-source tools. We&apos;ll dissect the essential stages of a modern pipeline, demonstrating how to integrate security seamlessly throughout the development lifecycle (DevSecOps).

Through practical, step-by-step guidance, we&apos;ll implement key security checks like Static Application Security Testing (SAST), Software Composition Analysis (SCA), infrastructure vulnerability scanning, and secrets detection using popular OSS tools within a functional pipeline. While we&apos;ll showcase specific tools and configurations, the goal is not just replication, but understanding how and why these security controls work.

Discover the underlying principles of secure pipeline design and leave with actionable techniques to start building your own hardened, practical CI/CD pipeline.</abstract>
                <slug>bsidesluxembourg-2026-85117-level-up-your-ci-cd-building-a-secure-pipeline-with-oss</slug>
                <track></track>
                
                <persons>
                    <person id='86297'>Andoni Alonso</person><person id='87024'>Paco Sanchez</person>
                </persons>
                <language>en</language>
                <description>Workshop repository: https://github.com/unicrons/secure-pipeline-workshop</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/TVXPKX/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/TVXPKX/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Workshops May 6th (C1.02.05)' guid='3d0c95a1-f896-52f4-af12-2382f12d5c2d'>
            <event guid='ed842c82-e617-5b5c-b13c-75bae66e7e5a' id='92929' code='XGQ7DT'>
                <room>Workshops May 6th (C1.02.05)</room>
                <title>Mastering Bash for Hackers: Extreme Command-Line Power</title>
                <subtitle></subtitle>
                <type>Workshop 4h</type>
                <date>2026-05-06T09:00:00+02:00</date>
                <start>09:00</start>
                <duration>04:00</duration>
                <abstract>Bash isn&#8217;t just an interface to your daily laptop - it&#8217;s a weapon. In this hands-on workshop, we&#8217;ll push bash beyond its typical use, leveraging it for hacking, data processing, automation, and real-world security applications. Whether you&#8217;re crafting exploits, analyzing massive datasets, or automating reconnaissance, this session will equip you with the skills to turn bash into your ultimate hacking tool.

To take part in the workshop, please bring your own laptop.</abstract>
                <slug>bsidesluxembourg-2026-92929-mastering-bash-for-hackers-extreme-command-line-power</slug>
                <track></track>
                
                <persons>
                    <person id='93070'>Kirils Solovjovs</person>
                </persons>
                <language>en</language>
                <description>- Master advanced bash scripting techniques for automation, and hacking.
- Process terabytes of leaked password data and uncover real-world security insights.
- Use bash to manipulate and extract intelligence from logs, network traffic, and system artifacts.
- Generate graphs, automate reports, and convert file formats entirely from the command line.
- Learn how to replace GUI-based tools with bash scripts for speed and stealth.

By the end of this workshop, you&#8217;ll be able to:
- Automate and accelerate security tasks with powerful one-liners and scripts.
- Use bash to analyze, manipulate, and exploit data in security research.
- Apply bash in unconventional ways, from image processing to document forensics.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/XGQ7DT/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/XGQ7DT/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Workshops May 6th (C1.02.06)' guid='85295e39-503b-571c-b933-5c91f45f71d4'>
            <event guid='c6aeb9c6-614e-5d88-9f7d-2204a2f0affb' id='92619' code='QXECVY'>
                <room>Workshops May 6th (C1.02.06)</room>
                <title>From Code to Compromise: Turning modern day IDEs into attack vectors via malicious Extensions</title>
                <subtitle></subtitle>
                <type>Workshop 2h</type>
                <date>2026-05-06T13:30:00+02:00</date>
                <start>13:30</start>
                <duration>02:00</duration>
                <abstract>Visual Studio Code has become the de-facto IDE for millions of developers, and its extension marketplace is now a first-class target for supply-chain compromise. In this talk we move beyond yesterday&#8217;s JavaScript-only &#8220;theme&#8221; backdoors and show how to fuse high-level TypeScript with low-level Rust to create extensions that are indistinguishable from legitimate Microsoft-signed add-ons&#8212;yet silently execute native x86_64 shellcode inside the IDE process.

We begin with a data-driven tour of recent in-the-wild incidents, starting with an array of malicious Solidity extensions which targeted blockchain developers, with a special emphasis on the [&#8220;Solidity&#8221; extension that stole $500 k in crypto from a Russian blockchain developer](https://www.kaspersky.com/about/press-releases/kaspersky-uncovers-500k-crypto-heist-through-malicious-packages-targeting-cursor-developers). We follow that up with an analysis of the Malicious Corgi malware, and the [new self propagating GlassWorm extension](https://www.truesec.com/hub/blog/glassworm-self-propagating-vscode-extension) - including the later samples seen in the wild which used more advanced techniques. The rise of AI-centric forks (Cursor, Windsurf, etc.) has also given rise to new extension marketplaces where malicious extensions can use inflated download counts as perfect camouflage. Next we deep-dive into the malicious extension toolchain: a Rust FFI bridge that compiles to a library, exposes a single innocent-looking TypeScript API, and preserves the marketplace&#8217;s blue &#8220;verified&#8221; tick. We demonstrate live how to backdoor legitimate extensions - including cases where the source code is available and where it is not.

We close with defensive takeaways: IoCs and TTPs to look for, defensive rules which can prevent such attacks and possible detection vectors. Attendees leave with a fully annotated GitHub repo that walks them through the process of developing such malware - starting with a &quot;hello-world&quot; C++ addon and building a rust based shellcode loader backdoored into a popular extensions.</abstract>
                <slug>bsidesluxembourg-2026-92619-from-code-to-compromise-turning-modern-day-ides-into-attack-vectors-via-malicious-extensions</slug>
                <track></track>
                
                <persons>
                    <person id='86184'>Debjeet Banerjee</person>
                </persons>
                <language>en</language>
<description>Visual Studio Code is no longer just an editor; the IDE, along with its many AI-powered forks, has become the primary interface for developers of all kinds. Its extension host, a Microsoft-signed Electron process, enjoys the same blind trust from EDRs that we traditionally grant to Outlook or Teams. Meanwhile, the extension ecosystem still treats security as an afterthought: there is no deep-dive source scanning, verification mechanisms are sparse, and the blue &#8220;verified&#8221; badge is cached locally &#8211; so a repackaged `.vsix` keeps the badge even after the payload has been swapped. The talk presents a brief case study of the various malicious extensions used in the wild by threat actors and the supply chains they previously affected.

The talk presents one of the first public implementations that weaponises this trust gap with a **Rust-compiled, position-independent shellcode runner** delivered as a Node native addon, by taking a Microsoft-published extension, live-server, and backdooring it with a malicious extension, as well as another extension with over 74M downloads. The talk also demos the following aspects of such an attack:

1. **Extension-host OPSEC**: delaying `require(&quot;./index.node&quot;)` until the user triggers the legitimate command (&#8220;Open with Live Server&#8221;) so the implant is **absent from the initial process snapshot** that EDRs collect.  
2. **Repackaging a blue-tick extension**: cloning Microsoft&#8217;s own &#8220;Live Preview&#8221; repository at a signed commit, grafting the Rust addon into its webpack pipeline, and repackaging with `vsce package`.  The resulting `.vsix` is byte-for-byte identical except for the extra native node &#8211; and the GUI still shows the verified badge because VS Code only re-validates signatures when enterprise policy `extensions.verifySignature` is set to `error`.  
3. **Going in blind** - Backdooring another popular extension with our shellcode, without any prior knowledge of the source code.

Each of these topics also dissects the internal workings, file structure, thread stack and other relevant information associated with the operation of the loader.

Finally, the talk concludes by listing the relevant IoCs and TTPs left behind by this attack vector and discusses various detections which organisations and individuals can adopt to protect themselves.

Session Outline

0. Pre-roll (loop, 2 min before start)
    1. Screen cycles side-by-side screenshots: legitimate vs back-doored Live Preview extension.
    2. Blue tick is identical; only the &#8220;Installation&#8221; tab shows an extra 46 kB native node
    3. Caption: &#8220;Spot the implant.&#8221; (Sets the visual theme of the talk.)
1. Introductions (1 min)
    1. whoami
    2. Previous work
2. Opening &#8211; VS Code and its many forks (5 min)
    1. Rise of VS Code and its various forks
    2. The rise of new forks means the rise of new marketplaces
    3. Why target VSCode?
        * Electron renderer = Microsoft-signed, whitelisted by every EDR.
        * Marketplaces scan JS source only &#8594; native code is often a blind spot.
        * Very difficult to tell malicious extensions apart
3. Attacks in the Wild (8 mins)
    1. Previous attacks in the wild: Kaspersky, Malicious Corgi, Material Themes, GlassWorm
    2. Dissecting the $500K Kaspersky malware
    3. PowerShell scripts are nice - but we can do better
    4. Taking a look into Malicious Corgi
    5. Taking a look into GlassWorm&#8217;s source code
    6. Unicode is nice - compiled is nicer
    7. Pivot: &#8220;What if we go native?&#8221;
4. Node addons and demo extensions (5 mins)
    1. Introduction to Node addons
    2. Compiling a C++ shellcode runner with node-gyp and running it
    3. Creating a &#8220;Hello world&#8221; extension and using FFI to pop a message box
5. Bringing in the crab (8 mins)
    1. Introducing neon-rs and interfacing with JavaScript/TypeScript
    2. Writing a shellcode runner in Rust
    3. Discussing relevant changes to be made in the configs
    4. Compiling and running
6. Backdooring a legit VS Code extension (10 mins) 
    1. Choosing the target: LiveServer 
    2. Updating the source to include the add-on
    3. Making webpack happy 
    4. Compiling and loading the extension 
    5. Visual similarities with legitimate extensions
7. Backdooring a popular VS Code extension without any prior knowledge of its source code (5 mins):
    1. Extract the VSIX bundle 
    2. Add our implant
    3. Repackage the extension 
    4. Load it into VSCode
    5. Trigger shellcode execution
8. Improvements and Detections (3 mins) 
    1. References to other similar works
    2. Improvements and other closing thoughts
    3. IoCs and TTPs associated with the techniques
    4. Possible detections and prevention mechanisms
Key Takeaways
1. The audience becomes more aware of the dangers of blindly trusting extensions from stores
2. Malware developers and red teamers get introduced to a new and powerful initial access vector
3. Blue teamers can use the knowledge to prepare new rulesets and detections to avoid any such attacks</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/QXECVY/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/QXECVY/feedback/</feedback_url>
            </event>
            <event guid='18526287-bccd-541c-9e58-d6fa0480f1e1' id='92904' code='SH7X9Y'>
                <room>Workshops May 6th (C1.02.06)</room>
                <title>ANALYZE &amp; HUNT DPRK ATTACKS</title>
                <subtitle></subtitle>
                <type>Workshop 2h</type>
                <date>2026-05-06T16:00:00+02:00</date>
                <start>16:00</start>
                <duration>02:00</duration>
                <abstract>This workshop offers an in-depth exploration of advanced methodologies for identifying and analyzing cyber threats emanating from **North Korea (DPRK)**. Participants will learn practical techniques for uncovering malicious activity through **Fake GitHub Repositories** and **Hunting DPRK-based clusters**, and will take a comprehensive look at the **ByBit Heist**, in which $1.5 Billion was stolen. The session will also cover critical threat hunting strategies such as **Hostname Analysis**, **Command and Control (C2) infrastructure identification**, **Fake Domain Spotting** and much more. Attendees will gain valuable insights into the operational tactics of DPRK threat actors and practical skills to enhance their defensive posture against these sophisticated cyber campaigns. Please join this session to deepen your understanding of nation-state cyber operations and strengthen your threat detection capabilities.</abstract>
                <slug>bsidesluxembourg-2026-92904-analyze-hunt-dprk-attacks</slug>
                <track></track>
                <logo>/media/bsidesluxembourg-2026/submissions/SH7X9Y/image_yA2RCh0.webp</logo>
                <persons>
                    <person id='93053'>RAKESH KRISHNAN</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/SH7X9Y/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/SH7X9Y/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Workshops May 6th, Speaker&apos;s room May 7+8th (C1.02.13)' guid='6d57f409-6e10-5f49-9eb1-79fd7d149da7'>
            <event guid='548fa1e6-a2c6-535a-ae72-8a3c82292349' id='92811' code='S97X3K'>
                <room>Workshops May 6th, Speaker&apos;s room May 7+8th (C1.02.13)</room>
                <title>Android App Tricks: Defenses and Bypasses</title>
                <subtitle></subtitle>
                <type>Workshop 2h</type>
                <date>2026-05-06T09:00:00+02:00</date>
                <start>09:00</start>
                <duration>02:00</duration>
                <abstract>Have you ever wondered how an attacker analyzes your favorite Android app? In this workshop, we will adopt the perspective of a reverse engineer to learn how to approach Android applications.

We will explore popular reverse engineering tools and techniques used in Android security analysis. Through hands-on practice, you&apos;ll learn to identify common security weaknesses and understand how attackers exploit them.

Android applications are often targeted by attackers due to the openness of the platform and the numerous omissions in the app development process. Plenty of security methods have been created to harden Android apps against reverse engineering and tampering; these seem to be widely used by major app developers and far less by smaller ones.

We&apos;ll analyze a few real-world applications to examine current protection mechanisms and their limitations. We&apos;ll explore the common security measures deployed by Google Play Store and app developers, and discuss whether they are as effective as they claim to be.

By the end of the workshop, participants will have hands-on experience with several popular tools used for Android application analysis. If you are an Android developer, please feel free to bring and explore your own Android app with us.</abstract>
                <slug>bsidesluxembourg-2026-92811-android-app-tricks-defenses-and-bypasses</slug>
                <track></track>
                
                <persons>
                    <person id='92979'>Aleksandr Pilgun</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/S97X3K/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/S97X3K/feedback/</feedback_url>
            </event>
            <event guid='bf0d4518-5b79-550a-a7ea-38ad858675ee' id='88650' code='9HS8CG'>
                <room>Workshops May 6th, Speaker&apos;s room May 7+8th (C1.02.13)</room>
                <title>Packet Analysis for Beginners - an IoT toy, some packets, and Wireshark</title>
                <subtitle></subtitle>
                <type>Workshop 2h</type>
                <date>2026-05-06T11:00:00+02:00</date>
                <start>11:00</start>
                <duration>02:00</duration>
                <abstract>What can we learn from ordinary packets on the wire, using a disconcerting connected toy as a demo device? How can you tell when something is phoning home? In this workshop, we&#8217;ll use Wireshark to observe what devices send and receive during regular operation.</abstract>
                <slug>bsidesluxembourg-2026-88650-1-packet-analysis-for-beginners-an-iot-toy-some-packets-and-wireshark</slug>
                <track></track>
                <logo>/media/bsidesluxembourg-2026/submissions/9HS8CG/image_TyepQxk.webp</logo>
                <persons>
                    <person id='89221'>Katherine Leese</person>
                </persons>
                <language>en</language>
                <description>Pre-Workshop Setup:
Please install Wireshark before the session: download from https://www.wireshark.org/download.html (installation guide: https://www.wireshark.org/docs/installation.html).

Crucial Permission Steps:
- Windows: Ensure you install Npcap during the setup process.
- macOS: Follow the prompts to allow network access/chmod permissions.
- Linux: Run `sudo dpkg-reconfigure wireshark-common`, select yes, then add your user to the wireshark group (`sudo usermod -aG wireshark $USER`), then reboot.

Test: Open the app; if you see &quot;live&quot; traffic lines on your network interface, you are ready!

In this workshop, we&#8217;ll take a packet capture from a disconcerting connected toy and use it as a starting point to learn how to read ordinary network traffic. Step by step, we&#8217;ll look at how devices introduce themselves on a local network, resolve names, establish connections, negotiate encryption, and continue communicating during normal operation. Once we have familiarized ourselves, we will move on to some real-world captures.

Rather than breaking encryption or exploiting vulnerabilities, the focus is on observation and understanding. Using Wireshark, we&#8217;ll practice identifying patterns, relationships, and metadata that remain visible even when payloads are encrypted. Along the way, we&#8217;ll look at how to recognise when a device is phoning home, what kinds of context travel with requests, and how much can be learned from traffic that is behaving exactly as designed.

This workshop is aimed at beginners and the curious. No prior experience with packet analysis is required. A willingness to look closely at what is already on the wire is enough.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/9HS8CG/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/9HS8CG/feedback/</feedback_url>
            </event>
            <event guid='f07f841c-c2a5-5034-808b-50862d02c438' id='90638' code='YGC7EA'>
                <room>Workshops May 6th, Speaker&apos;s room May 7+8th (C1.02.13)</room>
                <title>Dismantle The Bomb</title>
                <subtitle></subtitle>
                <type>Workshop 2h</type>
                <date>2026-05-06T14:00:00+02:00</date>
                <start>14:00</start>
                <duration>02:00</duration>
                <abstract>Dismantle the bomb by performing different tasks</abstract>
                <slug>bsidesluxembourg-2026-90638-0-dismantle-the-bomb</slug>
                <track>Escape games!</track>
                
                <persons>
                    <person id='90958'>Stijn Tomme</person>
                </persons>
                <language>en</language>
                <description>Dismantle the bomb by performing different tasks. The tasks will include:
- Solving ciphers
- Being genuine with a special flashlight
- Lock picking
- Making a key with a Lishi tool
- ...</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/feedback/</feedback_url>
            </event>
            <event guid='ea2e7ba1-d601-5db1-9257-2f928f82a8fd' id='90638' code='YGC7EA'>
                <room>Workshops May 6th, Speaker&apos;s room May 7+8th (C1.02.13)</room>
                <title>Dismantle The Bomb</title>
                <subtitle></subtitle>
                <type>Workshop 2h</type>
                <date>2026-05-06T16:00:00+02:00</date>
                <start>16:00</start>
                <duration>02:00</duration>
                <abstract>Dismantle the bomb by performing different tasks</abstract>
                <slug>bsidesluxembourg-2026-90638-1-dismantle-the-bomb</slug>
                <track>Escape games!</track>
                
                <persons>
                    <person id='90958'>Stijn Tomme</person>
                </persons>
                <language>en</language>
                <description>Dismantle the bomb by performing different tasks. The tasks will include:
- Solving ciphers
- Being genuine with a special flashlight
- Lock picking
- Making a key with a Lishi tool
- ...</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Workshops and Stage - Design Space (C1.05.12)' guid='1d52d5bc-e122-502d-8a62-7079b3f6d4a3'>
            <event guid='3241c930-ca99-5562-b77b-52a89057002b' id='89384' code='XMDNJB'>
                <room>Workshops and Stage - Design Space (C1.05.12)</room>
                <title>Secure Development Lifecycle Applied - How to Make Things a Bit More Secure than Yesterday Every Day</title>
                <subtitle></subtitle>
                <type>Workshop 2h</type>
                <date>2026-05-06T10:00:00+02:00</date>
                <start>10:00</start>
                <duration>02:00</duration>
                <abstract>Building valuable solutions is a complex endeavor that requires a breadth of knowledge. That not being enough, we&#8217;re also getting asked to build secure solutions in a secure way - yet what does that even mean? How do we incorporate such a vast area of expertise into our everyday workflows?

In this hands-on workshop, I will introduce you to core security concepts, like the CIA triad or defense in depth - and how we can apply them in everyday work. Based on a practical example, we will go through the development lifecycle with security in mind. You will learn about threat modeling to uncover risks early on, secure coding principles to bake security in, security testing approaches to make informed decisions depending on your risk appetite, and ways of detecting potentially malicious activity to protect against. Interactive exercises at each step will let you experience how security can neatly fit with what you&#8217;re already doing without adding artificial gates.

Whether you want to keep your system secure or get a neglected one back in shape, this session is for you. Join us to gain fundamental security knowledge, hone your security skills, and get tactical advice to secure your development lifecycle. Let&#8217;s make things a bit more secure than yesterday every day!</abstract>
                <slug>bsidesluxembourg-2026-89384-secure-development-lifecycle-applied-how-to-make-things-a-bit-more-secure-than-yesterday-every-day</slug>
                <track></track>
                
                <persons>
                    <person id='89834'>Lisi Hocke</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/XMDNJB/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/XMDNJB/feedback/</feedback_url>
            </event>
            <event guid='27c65e53-8690-5830-9e3b-2dab6532b15b' id='94133' code='AALWHZ'>
                <room>Workshops and Stage - Design Space (C1.05.12)</room>
                <title>Kunai Workshop: Hands-on Linux Threat Detection</title>
                <subtitle></subtitle>
                <type>Workshop 4h</type>
                <date>2026-05-06T13:30:00+02:00</date>
                <start>13:30</start>
                <duration>04:30</duration>
                <abstract>Get hands-on with Kunai in this practical workshop! You&apos;ll learn to deploy and configure this Linux monitoring tool, then dive into advanced threat detection techniques. We&apos;ll start with the basics - installation, configuration, and core functionality - before moving to advanced topics like custom rule creation, IoC integration, and MISP connectivity. Whether you&apos;re securing production systems or just exploring Linux security monitoring, this workshop will give you practical skills to detect and investigate threats.</abstract>
                <slug>bsidesluxembourg-2026-94133-kunai-workshop-hands-on-linux-threat-detection</slug>
                <track></track>
                
                <persons>
                    <person id='94001'>Quentin JEROME</person>
                </persons>
                <language>en</language>
                <description>### Part 1: Kunai Fundamentals
- **Quick Start:** Get Kunai up and running on your system
- **Core Concepts:** Understand Kunai&apos;s architecture and monitoring capabilities
- **Hands-on Basics:** Navigate the CLI, configure monitoring, and interpret events

### Part 2: Advanced Threat Detection
- **Custom Rules:** Write detection rules for specific threats and anomalies
- **IoC Integration:** Load and leverage Indicators of Compromise
- **MISP Connectivity:** Enhance your threat intelligence with MISP integration
- **Real-world Scenarios:** Apply Kunai to actual threat detection challenges

### Part 3: Bonus Topics (time permitting)
- Using [Kunai sandbox](https://sandbox.kunai.rocks/) to share traces
- Creating detection rules for specific malware</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/AALWHZ/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/AALWHZ/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Workshops and Stage - Gernsback (C1.05.02)' guid='b84d3f24-c35e-59bb-96b9-3b07464f6ab1'>
            <event guid='406c662d-66a4-5a59-81ef-b1908635d19c' id='92302' code='MG7H3X'>
                <room>Workshops and Stage - Gernsback (C1.05.02)</room>
                <title>Malware Development for Ethical Hackers (Windows, Linux, Android)</title>
                <subtitle></subtitle>
                <type>Training 8h</type>
                <date>2026-05-06T09:00:00+02:00</date>
                <start>09:00</start>
                <duration>09:00</duration>
                <abstract>Whether you are a Red Team or Blue Team specialist, learning the techniques and tricks of malware development gives you the most complete picture of advanced attacks. And since most (classic) malware is, as a rule, written for Windows, the course also gives you tangible knowledge of developing for Windows.

The course will teach you how to develop malware, including classic tricks and tricks of modern ransomware found in the wild. Everything is supported by real examples.

The course is intended for Red Team specialists to learn in more detail the tricks of malware development (also persistence and AV bypass) and will also be useful to Blue Team specialists when conducting investigations and analyzing malware.

The course is divided into four logical sections:
- Malware development tricks and techniques (classic injection tricks, DLL injection tricks, shellcode running)
- AV evasion tricks (Anti-VM, Anti-Sandbox, Anti-disassembling)
- Persistence techniques
- Cryptographic functions in malware development (exclusive)
- Malware Development for Android and Linux (bonus)

Most of the examples in this course require a deep understanding of the Python, Kotlin and C/C++ programming languages.

Knowledge of assembly language basics is not required but will be an advantage.</abstract>
                <slug>bsidesluxembourg-2026-92302-malware-development-for-ethical-hackers-windows-linux-android</slug>
                <track></track>
                <logo>/media/bsidesluxembourg-2026/submissions/MG7H3X/image_cHNI7b9.webp</logo>
                <persons>
                    <person id='92537'>cocomelonc</person>
                </persons>
                <language>en</language>
                <description>The course will teach you how to develop malware, including classic tricks and tricks of modern ransomware found in the wild. Everything is supported by real examples.

The course is intended for Red Team specialists to learn in more detail the tricks of malware development (also persistence and AV bypass) and will also be useful to Blue Team specialists when conducting investigations and analyzing malware.


The course is divided into four logical sections:
- Malware development tricks and techniques (classic injection tricks, DLL injection tricks, shellcode running)
- AV evasion tricks (Anti-VM, Anti-Sandbox, Anti-disassembling)
- Persistence techniques
- Cryptographic functions in malware development (exclusive)
- Malware Development for Android and Linux (bonus)

Most of the examples in this course require a deep understanding of the Python, Kotlin and C/C++ programming languages.

Knowledge of assembly language basics is not required but will be an advantage.

Training Outline (detailed, timed - total ~8 hours):

MALWARE INJECTION TECHNIQUES:
1. Traditional Injection Approaches: Code and DLL (2 practical examples, LAB + 1 homework) - 20 min
2. Exploring Hijacking Techniques (2 practical examples, LAB + 1 homework) - 20 min
3. Understanding Asynchronous Procedure Call (APC) Injections (2 practical examples, LAB + 1 homework) - 15 min
4. Mastering New Injection/Hooking Techniques (4 practical examples, LAB) - 20 min

PERSISTENCE MECHANISMS:
5. Classic Path: Registry Run Keys / Persistence via Registry Keys (3 practical examples, LAB) - 15 min
6. Persistence via Winlogon Process (2 practical examples, LAB) - 15 min
7. Exploiting Windows Services for Persistence (2 practical examples, LAB + 1 homework) - 15 min
8. Exploring Non-Trivial Loopholes and New Persistence Techniques (5 practical examples, LAB + 2 homework) - 15 min

MALWARE FOR PRIVILEGE ESCALATION:
9. Manipulating Access Tokens like APT (1 practical example, LAB + 1 homework) - 15 min
10. Password stealing / LSASS.exe dumping (3 practical examples, LAB + 1 homework) - 15 min
11. Malware for bypassing User Account Control (2 practical examples, LAB + 1 homework) - 15 min

ANTI-VM AND AV BYPASSING:
12. Anti-Virtual Machine Strategies (4 practical examples, LAB + 1 homework) - 15 min
13. Practical use of hash algorithms in malware (1 practical example, LAB + 1 homework) - 15 min
14. Evading Static Detection (1 practical example, LAB + 1 homework) - 15 min
15. Evading Dynamic Detection (1 practical example, LAB + 1 homework) - 15 min
16. Advanced Evasion Techniques (1 practical example, LAB + 1 homework) - 15 min
17. Cryptography for bypassing security solutions (4 practical examples, LAB + 2 homework) - 15 min

LINUX AND ANDROID MALWARE:
18. Linux Kernel Hacking (1 practical example, LAB) - 15 min
19. Linux process injection (1 practical example, LAB) - 15 min
20. Introduction to Android Malware (3 practical examples, LAB) - 40 min
21. Leveraging legit APIs for Android Malware (2 practical examples, LAB) - 40 min

RESEARCH AND PRACTICE:
22. Simple Tricks and Automation for Malware Development and Emulation (3 practical examples, LAB + 1 homework) - 15 min
23. How to find New Persistence Techniques (2 practical examples, LAB + 1 homework) - 15 min
24. Elliptic Curve Cryptography (ECC) and Malware (1 practical example, LAB + 1 homework) - 15 min</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/MG7H3X/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/MG7H3X/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='CTF players room (C1.03.05 6+8th or C1.04.02 7th)' guid='9a60e791-5cf1-5ead-a5d6-59d101667e5a'>
            <event guid='a966b033-6bc5-5276-a21d-4e4ea211f1f8' id='93430' code='9NGAYY'>
                <room>CTF players room (C1.03.05 6+8th or C1.04.02 7th)</room>
                <title>Blackhoodie training - Introduction to Linux Memory Forensics</title>
                <subtitle></subtitle>
                <type>Training 8h</type>
                <date>2026-05-06T09:00:00+02:00</date>
                <start>09:00</start>
                <duration>03:00</duration>
                <abstract>## Workshop description

What happens in memory, stays in memory! In this beginner workshop, we&#8217;ll take our first steps into the fascinating world of Linux Memory Forensics &#128522;.

This session will introduce the fundamentals of volatile memory, Linux memory management, with a touch on memory acquisition. We will then discover how to investigate memory artefacts and uncover traces of malicious behaviour through a simulated ransomware attack, from identifying suspicious processes and carving out binaries to recovering encryption keys from memory.

We will mostly use the Volatility framework, but this workshop will go beyond a simple command-line tutorial to explore the underlying principles: what are Volatility profiles and why do we need them, what are some interesting artefacts to look for, what to do when there is no command for what we are looking for, where do we even start looking, etc.

## Who should attend?

Anyone who wants to discover digital forensics! This workshop won&#8217;t require extensive hacking knowledge, however knowing a bit about Linux will help.

## Requirements

A laptop capable of running a virtual machine (or a native Linux environment), and a few gigabytes of free disk space (a memory dump can be quite heavy!). We might do a little bit of Python too! The VM will contain all the tools needed for the workshop. If you choose to use your own Linux environment instead, a setup guide will be provided.</abstract>
                <slug>bsidesluxembourg-2026-93430-0-blackhoodie-training-introduction-to-linux-memory-forensics</slug>
                <track></track>
                
                <persons>
                    <person id='93560'>Sonia Seddiki</person>
                </persons>
                <language>en</language>
                <description>BlackHoodie&#8217;s Mission
- BlackHoodie is a series of technical trainings aiming to attract more women to the field of cyber security
- Our events are women-only, except if individual organizers state otherwise
- Whether introduction level or advanced, classes are always challenging
- All of our events are free to attend
- We do not exert any preference in education level, occupation or corporate affiliation of attendees
- BlackHoodie is dedicated to serve the community, we aim to integrate, not separate
- BlackHoodie is independent, and cannot be leveraged to promote anything but its own mission
- We seek quality over quantity, in number of classes and attendees
- We also support/encourage attendees to start giving technical trainings thereby providing a platform to build their confidence</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/9NGAYY/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/9NGAYY/feedback/</feedback_url>
            </event>
            <event guid='2966a456-ad16-52c0-865c-878e45e0afbc' id='93430' code='9NGAYY'>
                <room>CTF players room (C1.03.05 6+8th or C1.04.02 7th)</room>
                <title>Blackhoodie training - Introduction to Linux Memory Forensics</title>
                <subtitle></subtitle>
                <type>Training 8h</type>
                <date>2026-05-06T13:30:00+02:00</date>
                <start>13:30</start>
                <duration>04:30</duration>
                <abstract>## Workshop description

What happens in memory, stays in memory! In this beginner workshop, we&#8217;ll take our first steps into the fascinating world of Linux Memory Forensics &#128522;.

This session will introduce the fundamentals of volatile memory and Linux memory management, with a touch on memory acquisition. We will then discover how to investigate memory artefacts and uncover traces of malicious behaviour through a simulated ransomware attack: from identifying suspicious processes and carving out binaries to recovering encryption keys from memory.

We will mostly use the Volatility framework, but this workshop will go beyond a simple command-line tutorial to explore the underlying principles: what Volatility profiles are and why we need them, which artefacts are interesting to look for, what to do when there is no command for what we are looking for, where to even start looking, etc.
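Worked example of the last step named above, recovering an encryption key from memory. It is added here once for both schedule entries of this workshop; it is not the workshop material and does not use Volatility. It relies on a property of AES itself: a key in use is normally kept in process memory as its expanded key schedule, and every round key is a fixed function of the previous one, so a 16-byte window whose neighbours satisfy that relation is almost certainly a key. The dump is constructed in the script (random filler with one FIPS-197 test key expanded into it); offsets and key are illustrative.

```python
"""Locate AES-128 keys in a raw memory dump by recognising their key schedule.

Added illustration for the workshop description above; it is not the workshop
material and does not use Volatility. It relies on a property of AES itself:
a key in use is normally kept in memory as its expanded key schedule (11 round
keys, 176 bytes for AES-128), and every round key is a fixed function of the
previous one. A 16-byte window whose neighbours satisfy that relation is a key.
"""
import random


def gf_mul(a, b):
    """Multiply two bytes in the AES field, reducing by x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b % 2:
            r ^= a
        a *= 2
        if a > 255:
            a ^= 0x11B
        b //= 2
    return r


def _build_sbox():
    """Derive the AES S-box: field inverse followed by the fixed affine map."""
    inv = [0] * 256
    for x in range(1, 256):
        if inv[x]:
            continue
        for y in range(1, 256):
            if gf_mul(x, y) == 1:
                inv[x], inv[y] = y, x
                break
    box = []
    for x in range(256):
        v = inv[x]
        s = v ^ 0x63
        for n in range(1, 5):                      # XOR of four byte rotations
            s ^= (v * 2 ** n) % 256 | v // 2 ** (8 - n)
        box.append(s)
    return box


SBOX = _build_sbox()
ROUND_KEYS_128 = 11   # initial key plus 10 round keys


def expand_key(key, rounds=ROUND_KEYS_128):
    """FIPS-197 key expansion for a 16-byte AES-128 key. Returns the first
    `rounds` round keys (16 bytes each); 11 rounds is the full 176-byte schedule."""
    assert len(key) == 16
    words = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 4 * rounds):
        t = list(words[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]                      # RotWord
            t = [SBOX[b] for b in t]               # SubWord
            t[0] ^= rcon
            rcon = gf_mul(rcon, 2)
        words.append([words[i - 4][j] ^ t[j] for j in range(4)])
    return bytes(sum(words, []))


def find_aes128_keys(dump):
    """Return [(offset, key)] for every 16-byte window that is followed by its
    own round keys. Round key 1 is checked first as a cheap filter; a full
    176-byte match is then required, so random data essentially never passes."""
    hits = []
    last = len(dump) - 16 * ROUND_KEYS_128
    for off in range(last + 1):
        candidate = bytes(dump[off:off + 16])
        if expand_key(candidate, 2)[16:] != dump[off + 16:off + 32]:
            continue
        if expand_key(candidate) == dump[off:off + 16 * ROUND_KEYS_128]:
            hits.append((off, candidate))
    return hits


# Constructed sample "dump": pseudo-random filler with one expanded key inside.
_rng = random.Random(2026)
SAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 test key
SAMPLE_OFFSET = 1000
_filler = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE_DUMP = (_filler[:SAMPLE_OFFSET] + expand_key(SAMPLE_KEY)
               + _filler[SAMPLE_OFFSET + 16 * ROUND_KEYS_128:])


def demo():
    """Scan the constructed dump; the only hit is the key at SAMPLE_OFFSET."""
    return find_aes128_keys(SAMPLE_DUMP)


if __name__ == "__main__":
    for offset, key in demo():
        print("AES-128 key schedule at offset 0x%x: %s" % (offset, key.hex()))
```

Two caveats for real dumps: the scan only matches a schedule that is contiguous, so run it over a process address space (a per-process dump) rather than raw physical memory, where the 176 bytes can straddle non-adjacent pages; and AES-256 uses a different expansion (15 round keys, 240 bytes), so it needs its own variant of the check.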

## Who should attend?

Anyone who wants to discover digital forensics! This workshop won&#8217;t require extensive hacking knowledge; however, knowing a bit about Linux will help.

## Requirements

A laptop capable of running a virtual machine (or a native Linux environment), and a few gigabytes of free disk space (a memory dump can be quite heavy!). We might do a little bit of Python too! The VM will contain all the tools needed for the workshop. If you choose to use your own Linux environment instead, a setup guide will be provided.</abstract>
                <slug>bsidesluxembourg-2026-93430-1-blackhoodie-training-introduction-to-linux-memory-forensics</slug>
                <track></track>
                
                <persons>
                    <person id='93560'>Sonia Seddiki</person>
                </persons>
                <language>en</language>
                <description>BlackHoodie&#8217;s Mission
- BlackHoodie is a series of technical trainings aiming to attract more women to the field of cyber security
- Our events are women-only, except if individual organizers state otherwise
- Whether introduction level or advanced, classes are always challenging
- All of our events are free to attend
- We do not exert any preference in education level, occupation or corporate affiliation of attendees
- BlackHoodie is dedicated to serve the community, we aim to integrate, not separate
- BlackHoodie is independent, and cannot be leveraged to promote anything but its own mission
- We seek quality over quantity, in number of classes and attendees
- We also support/encourage attendees to start giving technical trainings thereby providing a platform to build their confidence</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/9NGAYY/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/9NGAYY/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Workshops May 6th (C1.03.06)' guid='b732f36a-4aac-5cd0-a76f-c28c29453193'>
            <event guid='f23b3ab6-6ead-5b0a-90b0-d087495948af' id='89381' code='TMG89Y'>
                <room>Workshops May 6th (C1.03.06)</room>
                <title>Threat Modelling Starter Training</title>
                <subtitle></subtitle>
                <type>Training 8h</type>
                <date>2026-05-06T09:00:00+02:00</date>
                <start>09:00</start>
                <duration>09:00</duration>
<abstract>This threat modelling training is geared towards beginner to intermediate audiences with software engineering and security engineer/pentester backgrounds who have never done any sort of threat modelling work but are trying to get into it. Practically, anyone can join this class even without those backgrounds, as long as they have at least a basic idea of how programs work at the code level and of basic cyber security issues and threats, and an interest in learning about them.

The main goal of this training is to equip participants with an understanding of the importance of threat modelling in dealing with and understanding cyber threats to their applications and networks. The trainer&apos;s goal is to prevent software security bugs from inception by teaching students, whether they build more secure software or look for underlying security flaws and bugs, how to minimize the risks and impact of the software they engineer. Participants will be immersed in the popular STRIDE and DREAD methodologies for threat modelling and the increasingly popular PASTA methodology, and they will create their own threat models during the training.

At the end of the training, students can expect to be able to do a quick threat model of any function/method they wish to implement in their software, recognize the threats they could introduce or have to deal with, and finally write a full and complete threat model on their own from start to finish, including recommendations, threat scenarios and related risk ratings.</abstract>
                <slug>bsidesluxembourg-2026-89381-threat-modelling-starter-training</slug>
                <track></track>
                
                <persons>
                    <person id='89833'>Ralph Andalis</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>true</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/TMG89Y/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/TMG89Y/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Workshops May 6th (C1.03.09)' guid='1dc3959f-471b-5fd4-8656-b7b228eddc44'>
            <event guid='cd372e1b-06a7-5f83-a7c2-ee3ec8b499e4' id='97088' code='GZHQYD'>
                <room>Workshops May 6th (C1.03.09)</room>
                <title>Threat Modeling in DevOps and Cloud using Card Games</title>
                <subtitle></subtitle>
                <type>Workshop 4h</type>
                <date>2026-05-06T13:30:00+02:00</date>
                <start>13:30</start>
                <duration>04:00</duration>
                <abstract>DevOps processes transfer security responsibility to development teams.  But how can developers handle that additional task? 

Threat Modeling is a structured approach to identifying security problems early, spreading security knowledge across teams, and communicating risks in a way that is accessible to management. In this workshop, we explore lightweight Threat Modeling approaches tailored to DevOps workflows. We also show how gamification can lower the barrier to entry for teams without a strong security background.

We will look at:
* What is Threat Modeling?
* Basic Threat Modeling with STRIDE
* Gamification
* Hands-on Threat Modeling with OWASP Cumulus for a cloud-native scenario
* What&apos;s next? Risk, processes, and beyond

Attendees will leave with practical tools and techniques they can immediately apply in their own teams.</abstract>
                <slug>bsidesluxembourg-2026-97088-threat-modeling-in-devops-and-cloud-using-card-games</slug>
                <track></track>
                <logo>/media/bsidesluxembourg-2026/submissions/GZHQYD/image_vxeseVw.webp</logo>
                <persons>
                    <person id='96714'>Christoph Niehof</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/GZHQYD/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/GZHQYD/feedback/</feedback_url>
            </event>
            
        </room>
        
    </day>
    <day index='2' date='2026-05-07' start='2026-05-07T04:00:00+02:00' end='2026-05-08T03:59:00+02:00'>
        <room name='Atrium (common area)' guid='fdf8693e-170e-5bb7-9e30-eff972c8b09d'>
            <event guid='99554d67-3654-545a-a469-7231edd1f497' id='85198' code='3CLCMG'>
                <room>Atrium (common area)</room>
                <title>Car Hacking Village</title>
                <subtitle></subtitle>
                <type>Village, 2d (2days x 8h)</type>
                <date>2026-05-07T09:00:00+02:00</date>
                <start>09:00</start>
                <duration>03:00</duration>
                <abstract>The Car Hacking Village offers attendees a hands-on, immersive environment to explore the security of modern vehicles. As cars continue to evolve into complex, connected computer systems, the need to understand their attack surfaces and defensive challenges grows. This village provides a safe and controlled space where participants can learn, experiment, and collaborate on real automotive cybersecurity techniques.</abstract>
                <slug>bsidesluxembourg-2026-85198-0-car-hacking-village</slug>
                <track>Villages in Atrium</track>
                
                <persons>
                    <person id='86349'>Roald Nefs</person>
                </persons>
                <language>en</language>
                <description>The village includes a fully equipped setup featuring simulated vehicle networks, CAN bus tooling, instrument clusters, ECUs, and other automotive components. Attendees can:

- Interact with the CAN bus and observe how in-vehicle communication works
- Capture, analyze, and replay automotive network traffic
- Reverse engineer messages sent to various vehicle subsystems
- Craft spoofed signals to manipulate components such as instrument clusters
- Explore common vulnerabilities in today&apos;s vehicle architectures
- Learn practical defensive considerations for securing automotive systems

All activities are guided and designed to be accessible to beginners while still offering depth for more experienced researchers.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/3CLCMG/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/3CLCMG/feedback/</feedback_url>
            </event>
            <event guid='2c55278a-10f8-51b8-a4dd-72192e27b69a' id='85198' code='3CLCMG'>
                <room>Atrium (common area)</room>
                <title>Car Hacking Village</title>
                <subtitle></subtitle>
                <type>Village, 2d (2days x 8h)</type>
                <date>2026-05-07T13:30:00+02:00</date>
                <start>13:30</start>
                <duration>04:30</duration>
                <abstract>The Car Hacking Village offers attendees a hands-on, immersive environment to explore the security of modern vehicles. As cars continue to evolve into complex, connected computer systems, the need to understand their attack surfaces and defensive challenges grows. This village provides a safe and controlled space where participants can learn, experiment, and collaborate on real automotive cybersecurity techniques.</abstract>
                <slug>bsidesluxembourg-2026-85198-1-car-hacking-village</slug>
                <track>Villages in Atrium</track>
                
                <persons>
                    <person id='86349'>Roald Nefs</person>
                </persons>
                <language>en</language>
                <description>The village includes a fully equipped setup featuring simulated vehicle networks, CAN bus tooling, instrument clusters, ECUs, and other automotive components. Attendees can:

- Interact with the CAN bus and observe how in-vehicle communication works
- Capture, analyze, and replay automotive network traffic
- Reverse engineer messages sent to various vehicle subsystems
- Craft spoofed signals to manipulate components such as instrument clusters
- Explore common vulnerabilities in today&apos;s vehicle architectures
- Learn practical defensive considerations for securing automotive systems

All activities are guided and designed to be accessible to beginners while still offering depth for more experienced researchers.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/3CLCMG/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/3CLCMG/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Atrium (common room) 2' guid='663a9ff0-e9f4-52f8-95ae-2af2e2e913dd'>
            <event guid='32b47eae-d28b-55a0-b7e0-15f27231edeb' id='92182' code='9FGWWQ'>
                <room>Atrium (common room) 2</room>
                <title>Lockpicking Village</title>
                <subtitle></subtitle>
                <type>Village, 2d (2days x 8h)</type>
                <date>2026-05-07T09:00:00+02:00</date>
                <start>09:00</start>
                <duration>03:00</duration>
                <abstract>Learn or practice your lockpicking skills in the lockpicking village.
Experts say that this has real-life impact, not only for red teamers!</abstract>
                <slug>bsidesluxembourg-2026-92182-0-lockpicking-village</slug>
                <track>Villages in Atrium</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>There will be all sorts of lockpicking equipment available for you to practice, guided by our volunteers.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/9FGWWQ/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/9FGWWQ/feedback/</feedback_url>
            </event>
            <event guid='8a3c4478-6b76-5ead-9a2f-8a3b43acbd42' id='92182' code='9FGWWQ'>
                <room>Atrium (common room) 2</room>
                <title>Lockpicking Village</title>
                <subtitle></subtitle>
                <type>Village, 2d (2days x 8h)</type>
                <date>2026-05-07T13:30:00+02:00</date>
                <start>13:30</start>
                <duration>04:30</duration>
                <abstract>Learn or practice your lockpicking skills in the lockpicking village.
Experts say that this has real-life impact, not only for red teamers!</abstract>
                <slug>bsidesluxembourg-2026-92182-1-lockpicking-village</slug>
                <track>Villages in Atrium</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>There will be all sorts of lockpicking equipment available for you to practice, guided by our volunteers.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/9FGWWQ/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/9FGWWQ/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Main Stage' guid='75d481b1-868b-58be-a3aa-7a08dfdaa6bb'>
            <event guid='91a478ba-06a9-5ee9-bc05-94e4bc5d6c77' id='93069' code='S8NTGH'>
                <room>Main Stage</room>
                <title>Things Fall Apart: Allying Cybersecurity and Diplomacy against Authoritarian Disorder</title>
                <subtitle></subtitle>
                <type>Opening Speech</type>
                <date>2026-05-07T09:10:00+02:00</date>
                <start>09:10</start>
                <duration>00:25</duration>
                <abstract>There are over 100 concurrent armed conflicts in the world (+130 according to the ICRC) and **all** of them have a technological dimension. The planet is rapidly heating. Poverty and economic inequality are rampant. While the international legal order and multilateral institutions are under unprecedented strain, &quot;emerging and disruptive technologies&quot; like generative AI are hyped as miracle cures. How can diplomacy and cybersecurity professionals work together to push back against rising authoritarianism?</abstract>
                <slug>bsidesluxembourg-2026-93069-things-fall-apart-allying-cybersecurity-and-diplomacy-against-authoritarian-disorder</slug>
                <track></track>
                
                <persons>
                    <person id='93185'>Luc Dockendorf</person>
                </persons>
                <language>en</language>
                <description>Luxembourg&apos;s Cybersecurity and Digitalisation Ambassador will return to BSides 2026 for a no-nonsense overview of current challenges in geopolitics and cyberdiplomacy. Come armed with all your questions about international relations and (dis-)order in the digital world!</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/S8NTGH/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/S8NTGH/feedback/</feedback_url>
            </event>
            <event guid='d27e4f3a-292f-5346-8e72-98e5b8aee42a' id='91204' code='LUCRQP'>
                <room>Main Stage</room>
                <title>Keynote: Identity Security Just Exploded</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T09:35:00+02:00</date>
                <start>09:35</start>
                <duration>00:40</duration>
                <abstract>There are some aspects to identity and access management that have never worked very well, such as delegation. Unfortunately, the stakes just got higher and wider with the explosion of identities that aren&apos;t humans, but aren&apos;t traditional system and application accounts either.

Even if you&apos;re not using them yourselves, it&apos;s time to make some decisions on how to deal with agents in your ecosystem.</abstract>
                <slug>bsidesluxembourg-2026-91204-keynote-identity-security-just-exploded</slug>
                <track></track>
                
                <persons>
                    <person id='91445'>Wendy Nather</person><person id='92423'>Wendy Nather</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/LUCRQP/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/LUCRQP/feedback/</feedback_url>
            </event>
            <event guid='c2dfdaf4-dc80-528a-9943-7320f0ca0d4f' id='88657' code='G979N8'>
                <room>Main Stage</room>
                <title>Level Up Your CI/CD: Building a secure pipeline with OSS</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T10:35:00+02:00</date>
                <start>10:35</start>
                <duration>00:40</duration>
                <abstract>What does the &quot;perfect&quot; CI/CD pipeline look like, especially one built with security at its core? In this talk, we&apos;ll explore that ideal using readily available open-source tools. We&apos;ll walk through the essential stages of a modern secure pipeline, demonstrating how to integrate security seamlessly throughout the development lifecycle (DevSecOps).

We&apos;ll cover seven key security stages: pipeline security scanning, code security analysis (SAST and SCA), secrets detection, container scanning, Infrastructure as Code scanning and runtime infrastructure scanning. You&apos;ll learn not just which tools to use, but why these security controls matter and how they work together.

Leave with a clear understanding of secure pipeline design principles and actionable techniques to start building your own hardened CI/CD pipeline.</abstract>
                <slug>bsidesluxembourg-2026-88657-level-up-your-ci-cd-building-a-secure-pipeline-with-oss</slug>
                <track></track>
                
                <persons>
                    <person id='86297'>Andoni Alonso</person><person id='87024'>Paco Sanchez</person>
                </persons>
                <language>en</language>
                <description>This talk is a companion presentation to our hands-on workshop, distilling the key concepts and tool demonstrations into a focused session suitable for all attendees.

Workshop repository: https://github.com/unicrons/secure-pipeline-workshop</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/G979N8/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/G979N8/feedback/</feedback_url>
            </event>
            <event guid='b2c0d893-4efe-5acf-bd57-810f69786dae' id='88367' code='9JT9GR'>
                <room>Main Stage</room>
                <title>The Spy Who Logged Me - When your XDR joins the attackers</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T11:20:00+02:00</date>
                <start>11:20</start>
                <duration>00:40</duration>
                <abstract>What if I told you the security tool you trust the most (your XDR) is also an attacker&apos;s favorite weapon? You spent time, money, and effort deploying it, testing it, fine tuning it, believing it had your back. But what if, instead of stopping threats, it was helping them?

Your XDR isn&apos;t broken; in fact, it&apos;s doing exactly what it&apos;s designed to do and what you set it up to do. The problem? Attackers have figured out how to make it work for them instead of against them.

In this session, we&apos;ll discuss how the bad guys manipulate XDR implementations, abuse detection logic, weaponize built-in components, and turn trusted security controls into offensive tools. From abusing existing workflows to full exploitation, you&apos;ll see why your XDR might not be protecting you the way you think it is.</abstract>
                <slug>bsidesluxembourg-2026-88367-the-spy-who-logged-me-when-your-xdr-joins-the-attackers</slug>
                <track></track>
                
                <persons>
                    <person id='87302'>Melina Phillips</person>
                </persons>
                <language>en</language>
                <description>What if I told you the security tool you trust the most (your XDR) is also an attacker&apos;s favorite weapon? You spent time, money, and effort deploying it, testing it, fine tuning it, believing it had your back. But what if, instead of stopping threats, it was helping them?

Your XDR isn&apos;t broken; in fact, it&apos;s doing exactly what it&apos;s designed to do and what you set it up to do. The problem? Attackers have figured out how to make it work for them instead of against them.

In this session, we&apos;ll discuss how the bad guys manipulate XDR implementations, abuse detection logic, weaponize built-in components, and turn trusted security controls into offensive tools. From abusing existing workflows to full exploitation, you&apos;ll see why your XDR might not be protecting you the way you think it is.



1. Intro
Short story and correlate it to XDRs.

2. XDR 101: Understanding the Basics
We won&#8217;t reinvent the wheel, but understanding how XDRs work is critical so that we can visualize how attackers weaponize them.

3. Point of Origin: How do attackers access an XDR console?

XDRs are only as strong as their weakest link, and that weak link is often broken access controls, misconfigurations, or outdated components. Attackers don&#8217;t always need complex exploits when defenders leave the door open.

&#183; Default Credentials on External-Facing XDR Deployments

Many XDR solutions have cloud-based management consoles exposed to the internet. If default credentials aren&#8217;t changed, attackers can:

- Log in and modify IOC exclusion rules.
- Uninstall sensors or disable detections.
- Deploy malware directly through the XDR interface.

Countermeasures:
- Enforce MFA on all management consoles.
- Audit externally exposed XDR consoles (does your XDR console really need to be internet-facing?).


&#183; Compromised API Keys &#8211; The Secret Backdoor

Many XDR solutions have APIs for automation, management and integration. If an attacker finds compromised API keys, they can query endpoint logs to map security gaps, modify blacklisting rules and disable detections.

Countermeasures:
- Monitor for compromised credentials and unusual API activity.
- Rotate API keys regularly to limit exposure.
- Use environment variables instead of hardcoded credentials.


&#183; Outdated XDR Versions &#8211; Legacy Software Is an Attacker&apos;s Best Friend

Running outdated XDR versions allows attackers to exploit known vulnerabilities in previous versions and abuse compatibility issues to downgrade protections.

Countermeasures:
- Audit security tools for outdated versions regularly.
- Enable automatic updates for XDR components.


&#183; Outdated XDR Agents &#8211; Weak Links in the Chain

One endpoint running an outdated version of an XDR sensor is enough for an attacker to exploit known vulnerabilities and bypass detection.

Countermeasures:
- Use SIEM integration or centralized management to monitor XDR agent version mismatches.
- Automate XDR agent updates across all endpoints.



4. XDR as an Attack Vector

&#183; Your Security Tool Is My C2 &#8211; Abusing Remote Shell Access

Many XDR consoles offer built-in shell capabilities that allow defenders to execute limited admin commands on endpoints (for example CrowdStrike Falcon RTR). But if an attacker gains access to the XDR management console, they can run system enumeration commands to:

- Gather information about a host.
- Deploy malicious files or modify settings.
- Use the sensor as a C2 channel.

Countermeasures:
- Restrict remote shell access.
- Require MFA for authentication.
- Enforce RBAC.
- Monitor XDR shell command history.


&#183; Blinding the Guard &#8211; Removing and Disabling an XDR Sensor

Before executing an attack, adversaries often remove or disable XDR agents to avoid detection. Some XDR solutions lack strong tamper protection, allowing attackers to:

- Stop XDR services to prevent detection.
- Uninstall the XDR agent using weak removal controls.
- Kill security processes or corrupt critical files to make the sensor non-functional.

Example:
Attempt to stop the XDR service with `systemctl stop` on the agent&apos;s service unit, then kill the process manually with `pkill -9` on the agent&apos;s process name, and show that detection logs stop, leaving the system unprotected.

Countermeasures:
- Implement tamper protection to prevent unauthorized removal.
- Deploy kernel-based security monitoring (eBPF) to detect service manipulation.


&#183; Hiding in Plain Sight &#8211; Allowlisting Malicious IOCs

If attackers gain access to an XDR allowlist, they can manipulate rules to bypass detection entirely:

- Allowlist malware so it is ignored by security controls.
- Drop malicious payloads in trusted directories that are already allowlisted.
- Modify allowlists via API access, letting malware execute freely.

Example:
Identify an XDR allowlist configuration file and manually allowlist malicious IOCs.

Countermeasures:
- Restrict who can modify allowlists (RBAC enforcement).
- Implement cryptographic integrity checks on configuration files.
- Require MFA to modify exclusions.
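Worked example for the integrity-check countermeasure (added here; it is not the speaker&#8217;s material). The sensor keeps an HMAC-SHA256 tag over a canonical form of the exclusion list, refuses to apply a file whose tag no longer verifies, falls back to the last approved list and reports exactly which entries were added. The key, paths and hashes are invented.

```python
"""Verify an XDR exclusion (allowlist) file before applying it.

Added example for the countermeasure above, not the speaker's material.
The key, paths and hashes below are invented for the demonstration.
"""
import hashlib
import hmac
import json

# Hypothetical verification key. In practice it is provisioned by the management
# console and is NOT kept next to the allowlist on the endpoint.
SIGNING_KEY = bytes.fromhex(
    "6d5f6c1b2b7a4a0d9c3e8f1a5b2c7d4e6f8a9b0c1d2e3f405162738495a6b7c8")


def canonical_bytes(config):
    """Serialise the allowlist so that whitespace or key order cannot change the tag."""
    return json.dumps(config, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_allowlist(config, key=SIGNING_KEY):
    """HMAC-SHA256 tag over the canonical allowlist, as a hex string."""
    return hmac.new(key, canonical_bytes(config), hashlib.sha256).hexdigest()


def verify_allowlist(config, tag, key=SIGNING_KEY):
    """Constant-time comparison against a freshly computed tag."""
    return hmac.compare_digest(sign_allowlist(config, key), tag)


def exclusion_diff(baseline, current):
    """Entries present in current but not in baseline, per exclusion category."""
    added = {}
    for category, entries in current.items():
        extra = sorted(set(entries) - set(baseline.get(category, [])))
        if extra:
            added[category] = extra
    return added


def load_exclusions(config, tag, baseline, key=SIGNING_KEY):
    """Return (status, exclusions_to_apply, added_entries).

    Exclusions are applied only when the tag verifies; otherwise the sensor
    falls back to the last known-good baseline and reports what was added.
    """
    if verify_allowlist(config, tag, key):
        return "ok", config, {}
    return "tampered", baseline, exclusion_diff(baseline, config)


# Constructed sample data: the approved allowlist and the tag the console issued.
BASELINE = {
    "path_exclusions": ["/opt/backup-agent/", "/var/lib/postgresql/"],
    "hash_exclusions": [hashlib.sha256(b"approved backup tool").hexdigest()],
}
BASELINE_TAG = sign_allowlist(BASELINE)

# Attacker edit: a drop directory and the hash of their payload are appended,
# but the old tag is left in place because they cannot recompute it.
TAMPERED = json.loads(json.dumps(BASELINE))
TAMPERED["path_exclusions"].append("/tmp/.cache/")
TAMPERED["hash_exclusions"].append(hashlib.sha256(b"ransomware payload").hexdigest())


def demo():
    """Approved file verifies; pretty-printed copy still verifies; edited file is rejected."""
    pretty = json.loads(json.dumps(BASELINE, indent=4))
    return {
        "approved": load_exclusions(BASELINE, BASELINE_TAG, BASELINE),
        "reformatted": verify_allowlist(pretty, BASELINE_TAG),
        "edited": load_exclusions(TAMPERED, BASELINE_TAG, BASELINE),
    }


if __name__ == "__main__":
    result = demo()
    print("approved:", result["approved"][0])
    print("edited:", result["edited"][0], "added:", result["edited"][2])
```

An HMAC is used because it is in the standard library; its weakness is that the verifying endpoint holds the key, so an attacker with root on the host can re-sign a tampered file. In a deployment, the console should sign the list with a private key and ship only the public key to sensors, so the integrity check cannot be forged from the endpoint.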


&#183; When Vintage Isn&apos;t Always Nicer &#8211; Downgrading a Sensor or Preventing Updates

Attackers prefer outdated security tools because they lack modern detection techniques. By preventing updates or forcing a downgrade, attackers can:

- Decrease detection effectiveness by pushing legacy security policies.
- Reintroduce vulnerabilities patched in later versions.
- Prevent new threat signatures from being applied.

Demo: Blocking XDR updates via /etc/hosts and downgrading the agent.

Countermeasures:
- Enforce automatic updates across all endpoints.
- Monitor version mismatches across all deployed sensors.
- Block manual downgrades unless explicitly approved.
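Worked example for the demo and the two monitoring countermeasures above (added here; not the speaker&#8217;s code). One function flags /etc/hosts lines that pin the vendor update hostnames to a sinkhole or to another address, which is how the update block in the demo works; the other audits a fleet inventory for sensors behind the approved build and for sensors whose version went backwards since the previous check. The vendor domain, version numbers and host names are invented.

```python
"""Spot update blocking via /etc/hosts and sensor downgrades across a fleet.

Added example for the demo and countermeasures above, not the speaker's code.
The vendor domain, version numbers and host names are invented.
"""
import ipaddress
import re

UPDATE_DOMAINS = ("updates.xdr-vendor.example", "cdn.xdr-vendor.example")  # hypothetical
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}


def find_hosts_pinning(hosts_text, update_domains=UPDATE_DOMAINS):
    """Return [(line_no, ip, name, verdict)] for /etc/hosts lines that override
    resolution of an update domain (or one of its subdomains)."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                             # malformed line; not our concern here
        for name in names:
            name_lc = name.lower().rstrip(".")
            if any(name_lc == d or name_lc.endswith("." + d) for d in update_domains):
                verdict = "sinkholed" if ip in SINKHOLE_IPS else "redirected"
                findings.append((line_no, ip, name_lc, verdict))
    return findings


def version_key(version):
    """'7.15.1' becomes (7, 15, 1), so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def audit_fleet(inventory, approved_version):
    """inventory: {host: (previous_version, current_version)}.

    Returns (outdated, downgraded): sensors behind the approved build, and
    sensors whose version went backwards since the last check."""
    approved = version_key(approved_version)
    outdated, downgraded = [], []
    for host, (previous, current) in sorted(inventory.items()):
        if approved > version_key(current):
            outdated.append((host, current))
        if version_key(previous) > version_key(current):
            downgraded.append((host, previous, current))
    return outdated, downgraded


# Constructed sample input; not taken from a real system.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# pinned by an attacker so the agent can no longer reach the update service
0.0.0.0     updates.xdr-vendor.example
10.0.0.5    cdn.xdr-vendor.example
10.0.0.9    intranet.corp.example
"""
SAMPLE_INVENTORY = {
    "web01": ("7.15.1", "7.15.1"),
    "db01": ("7.15.1", "7.12.0"),    # rolled back since the last check
    "app01": ("7.14.3", "7.14.3"),   # never updated
    "file01": ("7.15.1", "7.16.0"),
}
APPROVED_VERSION = "7.16.0"


def demo():
    return find_hosts_pinning(SAMPLE_HOSTS), audit_fleet(SAMPLE_INVENTORY, APPROVED_VERSION)


if __name__ == "__main__":
    pins, (outdated, downgraded) = demo()
    for line_no, ip, name, verdict in pins:
        print("/etc/hosts line %d: %s %s (%s)" % (line_no, ip, name, verdict))
    print("outdated:", outdated)
    print("downgraded:", downgraded)
```

The hosts check only covers the technique in the demo; a resolver override in /etc/resolv.conf, a systemd-resolved drop-in or an egress firewall rule achieves the same block and needs its own check. The downgrade check needs the previous version to be recorded centrally (SIEM or console inventory), since an attacker who can roll the agent back can also edit anything the agent reports about itself.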


&#183; Friendly Fire &#8211; Isolating Critical Systems for Disruption

Some XDRs have host isolation features to contain threats. Attackers abuse this to:

- Trigger false positives and force automated isolation.
- Manually isolate critical infrastructure (domain controllers, production servers).
- Lock down an organization without deploying malware.

Countermeasures:
- Implement role-based restrictions on isolation functions.
- Require MFA and secondary approval for manual isolations.
- Alert on mass isolations as a potential attack indicator.



&#183; Spotting a Knockoff &#8211; Sensor Spoofing

XDRs rely on heartbeat signals to confirm agents are online, and attackers can manipulate this process to:

- Fake sensor check-ins, tricking defenders into believing the agent is still running.
- Redirect telemetry to a different endpoint, suppressing real detections.
- Modify system responses to make the XDR appear fully functional while disabled.

Countermeasures:
- Use mutual TLS authentication between XDR agents and servers.
- Monitor for missing logs and absent heartbeats.



&#183; Going for the Kill - Leaking Sensitive Information from XDR Logs.

XDR logs store useful information that attackers can abuse. These logs allow security analysts to identify suspicious behavior. Some common techniques include:

- Extracting IP addresses, hostnames and domain controllers for enumeration purposes.
- Enumerating security policies to avoid detection.
- Finding user accounts and credentials stored in logs.

Example: Extracting domain controllers, user accounts, and network data from XDR logs.

Countermeasures:
- Use SIEM log forwarding as a backup and integrity verification.
- Enforce RBAC on log access to prevent unauthorized queries.
	


&#183; SOC Analysts, It&#8217;s Panic O&#8217;Clock - Alert Saturation Attacks.

Attackers generate thousands of fake alerts to distract SOC teams from real threats. This allows:

- Overloading analysts with false positives.
- Creating a blind spot, given that some security teams opt to disable XDRs as a way to stop all the noise.
- Hiding legitimate threat activity.

Example: Creating fake logs and flooding a SIEM with fake ransomware alerts.

Countermeasures:
- Leverage anomaly detection to identify alert flooding patterns.
- Enforce log integrity checks to decrease the chances of alert poisoning.
- Rate-limit automated log events to prevent abuse.


	5. Catch 22: Detecting Malicious activity without an XDR.

Given that your XDR agent is disabled, visibility is limited. These are some alternatives:
- Syslog Monitoring and SIEM logs: Look for XDR agent stop/disable events in your system logs.
- Monitor authentication logs for suspicious access to the XDR console.
- Review SIEM log ingestion for gaps in log forwarding (if logs stop being ingested, that&apos;s typically a red flag).


	6. Stop The Bleeding: Immediate Response to Regain Visibility and Isolation.

If an attacker has disabled visibility, you need to contain the compromised host without an XDR. The following alternatives could be applied:
- Quarantine the compromised host using firewall rules or NAC.
- Leverage network-based detections (identify suspicious traffic patterns, detect connections to known C2).
- Restore the XDR sensor remotely.
- If the attacker blocked reinstallation, deploy a separate forensic agent (such as Velociraptor).


	7. Beat Them At Their Own Game: Locking the Attacker Out of the Console.

- Check for rogue admin accounts added to your XDR console.
- Rotate API keys and credentials.
- Review XDR logs for unauthorized policy changes.
- Enable MFA on XDR console.


	8. Real-World Case Studies: RansomHub - Weaponizing XDR Weaknesses.
	
RansomHub is a ransomware-as-a-service (RaaS) operation first detected in February 2024 by TrendMicro. Unlike highly structured ransomware groups, RansomHub operates as a decentralized affiliate-based collective, allowing attackers from various regions to conduct their own operations under the same banner.
Their primary targets? Organizations with high operational dependencies, industries where downtime is more expensive than the ransom itself, increasing the likelihood of payouts.

	
	&#183; Attack methodology:
	RansomHub doesn&apos;t rely exclusively on encrypting data; they start by disabling security mechanisms, ensuring they can operate without any roadblocks. Their attack chain includes:
	
	- Using TDSSKiller to disable antivirus or XDR solutions in the target system.
	- Deploying TOGGLEDEFENDER to disable Windows Defender.
	- Utilizing XDR Kill Shifter, a loader executable that leverages the Bring Your Own Vulnerable Driver (BYOVD) technique, exploiting multiple vulnerable drivers to disable XDR protection before execution.

Key Takeaway: Their focus on XDR disablement as a priority aligns with modern ransomware strategies: attackers don&apos;t just evade detection, they neutralize the entire security stack.

	&#183; Notable Victims:
Mexican government (Hit Twice!).
	- The second attack impacted 13 airports across the country.
	- Fun Fact: The Mexican government is a frequent target of ransomware attacks, often due to weak infrastructure, slow patching cycles, and underfunded cybersecurity measures.
	
Frontier Communications.
	- Disruption in telecom services, impacting businesses and residential users.

Christie&apos;s Auction House
	- Attackers targeted high-value transactions and sensitive financial data.

&#183; Key Takeaways:
- RansomHub exemplifies modern ransomware techniques: they don&#8217;t just encrypt data, they strategically dismantle defenses first.
- The use of BYOVD attacks on XDRs shows that even advanced security solutions are vulnerable when misconfigurations or unpatched drivers exist.

&#183; Countermeasures: Defending Against RansomHub
- Use behavioral-based detection instead of relying only on signature-based AV/XDR protections.
- Apply strict application control policies to block unauthorized tools.
- Monitor for signs of BYOVD exploitation and harden kernel-level protections to prevent unsigned driver execution.
	

	9. Final Thoughts

Attackers are shifting tactics: instead of just evading security tools, they&apos;re actively disabling them. Attackers recognize that XDRs are a core part of enterprise security, so their first priority is to neutralize detection and response capabilities before executing their objective.

The question isn&#8217;t if attackers will target your XDR, it&#8217;s how prepared you are when they do. The key to defense isn&#8217;t just relying on automated detections, but understanding how attackers think and proactively securing the tools meant to protect you.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/9JT9GR/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/9JT9GR/feedback/</feedback_url>
            </event>
            <event guid='52a7600b-28a1-5827-b207-5997ca2f5e44' id='92259' code='VYCS8Y'>
                <room>Main Stage</room>
                <title>What is the dark web talking about? - Dark Jargon Detection and Identification</title>
                <subtitle></subtitle>
                <type>Lightning Talk</type>
                <date>2026-05-07T13:30:00+02:00</date>
                <start>13:30</start>
                <duration>00:05</duration>
                <abstract>Communication on the dark web incorporates specialized coded language, referred to as &quot;dark jargon&quot;, which serves to obscure illicit activities and hinder automated interpretation. These illicit activities often have severe real-world consequences, including drug and human trafficking, data leaks
and financial theft through fraud, and the facilitation of child abuse, which emphasizes the need for dark jargon detection and decoding methods. In this lightning talk we aim to explain the basic concepts of dark jargon, its NLP-based detection and interpretation methods as well as the difficulties that impede these.</abstract>
                <slug>bsidesluxembourg-2026-92259-what-is-the-dark-web-talking-about-dark-jargon-detection-and-identification</slug>
                <track></track>
                
                <persons>
                    <person id='92493'>Laura Bernardy</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/VYCS8Y/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/VYCS8Y/feedback/</feedback_url>
            </event>
            <event guid='d0ca42da-b96c-56bd-baba-696832c2a121' id='92257' code='GDNK3Q'>
                <room>Main Stage</room>
                <title>Understanding Mobile Stalkerware</title>
                <subtitle></subtitle>
                <type>Lightning Talk</type>
                <date>2026-05-07T13:35:00+02:00</date>
                <start>13:35</start>
                <duration>00:05</duration>
                <abstract>Stalkerware (software for stalking) is a class of malware aimed at targeted surveillance of individuals.
On contemporary mobile platforms, such monitoring is often enabled not through remote exploitation, but through authenticated access, coercion, and reconfiguration of devices. This creates a gray zone in which surveillance can be implemented via purpose-built stalkerware, but also by weaponizing dual-use applications or native OS features.

To better understand this class of threats, we&apos;ve studied definitions, classification, behavior and detection performance through literature in order to address some of the current research gaps. Based on our research, we propose an attack-centric perspective that grounds definitions and analysis in attacker access, persistence, and coercive objectives rather than application identity alone. We consolidate an end-to-end stalkerware attack lifecycle, with particular relevance to real-world Intimate Partner Violence (IPV) scenarios.</abstract>
                <slug>bsidesluxembourg-2026-92257-understanding-mobile-stalkerware</slug>
                <track></track>
                
                <persons>
                    <person id='92491'>Elouan Rigaut</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/GDNK3Q/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/GDNK3Q/feedback/</feedback_url>
            </event>
            <event guid='9766a529-2994-588e-a689-838ef870bd42' id='92431' code='QB7ZBY'>
                <room>Main Stage</room>
                <title>Scaling defence - finding RedVDS from a phishing email</title>
                <subtitle></subtitle>
                <type>Lightning Talk</type>
                <date>2026-05-07T13:40:00+02:00</date>
                <start>13:40</start>
                <duration>00:05</duration>
                <abstract>Something we hear constantly as defenders is that attacks scale, implying that defences do not. While it is undeniable an attacker can take a 0-day and exploit thousands or millions of hosts, we can also turn the tables as defenders and scale our efforts. In this talk I will show you how you can take a phishing attempt and turn it into a major pain in the ass for an attacker.</abstract>
                <slug>bsidesluxembourg-2026-92431-scaling-defence-finding-redvds-from-a-phishing-email</slug>
                <track></track>
                
                <persons>
                    <person id='92652'>Elliot Parsons</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/QB7ZBY/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/QB7ZBY/feedback/</feedback_url>
            </event>
            <event guid='5552615b-415c-50ac-8e29-7e9bb470e3c8' id='91895' code='RVGUME'>
                <room>Main Stage</room>
                <title>How to be just the right amount of Paranoid (Cybersecurity Edition)</title>
                <subtitle></subtitle>
                <type>Lightning Talk</type>
                <date>2026-05-07T13:45:00+02:00</date>
                <start>13:45</start>
                <duration>00:05</duration>
                <abstract>Hearing the first time about cybersecurity is exciting! You will learn how to hack things and learn how to defend against hackers. Red team, blue team and even purple team, but no one has told me that I will become more aware of security, or rather, become more aware of the lack of security in my surroundings. This awareness can grow into something much more than just being aware &#8211; &#8220;being paranoid&#8221;.</abstract>
                <slug>bsidesluxembourg-2026-91895-how-to-be-just-the-right-amount-of-paranoid-cybersecurity-edition</slug>
                <track></track>
                
                <persons>
                    <person id='91955'>Denim Lati&#263;</person>
                </persons>
                <language>en</language>
                <description>This lightning talk has the objective to bring this topic to light. It is a topic not often talked about, but it is a matter most people who work or are in contact with (cyber)security have experienced. The extent can vary and the impact can be visible or invisible. One might share in their close family and friend circle how passphrases are better than passwords and easier to remember, while others might force them to use password managers, MFA, backups of the previous two, VPN connections 24/7 and so on.
The golden middle way is to adopt enough awareness to not fall into security traps while not becoming paranoid over the smallest things. It is difficult to balance, but by bringing this topic to light, a certain self-reflection should hopefully spark in the participants. Where do they find themselves on this scale between care-free and paranoid?
The human factor continues to play an important role in not only awareness, but in the realm of cybersecurity. Being able to position oneself and others on this scale can be crucial when it comes to determining how to convey a message. A security mindset is something we can work towards and expand together to create a secure and healthy environment.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/RVGUME/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/RVGUME/feedback/</feedback_url>
            </event>
            <event guid='26b9e060-f5d8-5152-8748-3d6688d258ab' id='94144' code='878PCR'>
                <room>Main Stage</room>
                <title>Magic-rs: A Memory-Safe, libmagic-Compatible File Type Detection Ecosystem</title>
                <subtitle></subtitle>
                <type>Lightning Talk</type>
                <date>2026-05-07T13:50:00+02:00</date>
                <start>13:50</start>
                <duration>00:05</duration>
                <abstract>File identification has been a long-standing problem in software development, traditionally relying on legacy C code embedded within memory-safe applications. Magic-rs is a Rust ecosystem providing near-full compatibility with libmagic&apos;s file type detection while eliminating unsafe code. The ecosystem includes Python bindings and a CLI utility called `wiza` that we will demonstrate. We&apos;ll explore key advantages, architecture, and how you can use it in your projects or contribute to improving libmagic compatibility.</abstract>
                <slug>bsidesluxembourg-2026-94144-magic-rs-a-memory-safe-libmagic-compatible-file-type-detection-ecosystem</slug>
                <track></track>
                
                <persons>
                    <person id='94001'>Quentin JEROME</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/878PCR/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/878PCR/feedback/</feedback_url>
            </event>
            <event guid='44084530-2159-5391-9edc-cc32c430359a' id='94883' code='3YK3HN'>
                <room>Main Stage</room>
                <title>Building a safe harbor for cybersecurity professionals</title>
                <subtitle></subtitle>
                <type>Lightning Talk</type>
                <date>2026-05-07T13:55:00+02:00</date>
                <start>13:55</start>
                <duration>00:05</duration>
                <abstract>This lightning talk will present positive and negative examples related to workplace well-being. It will emphasise the importance of mental health for operational teams such as SOCs and CSIRTs, and explore the pressures CISOs face today. The talk will explore the importance of creating a safe and open environment for cybersecurity professionals. It will also explain how to build a safe harbor for cybersecurity professionals. Furthermore, it will explain how this approach will be reciprocated by these individuals and contribute to a positive workplace culture.</abstract>
                <slug>bsidesluxembourg-2026-94883-building-a-safe-harbor-for-cybersecurity-professionals</slug>
                <track></track>
                
                <persons>
                    <person id='93489'>Ondrej Nekovar</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/3YK3HN/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/3YK3HN/feedback/</feedback_url>
            </event>
            <event guid='010aebc3-77f9-5905-929c-77e00b7f25d0' id='89826' code='YQSRBJ'>
                <room>Main Stage</room>
                <title>RioT &#8211; A Raspberry-Based Network Implant for Red Team Operations</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T14:00:00+02:00</date>
                <start>14:00</start>
                <duration>00:40</duration>
                <abstract>Our journey in Adversary Simulation and Red Team engagements frequently relies on attack scenarios that require physical access, or at least close proximity, to obtain an initial foothold.

To support these missions, we weaponized Raspberry Pi devices and transformed them into modular network implants tailored to our most common operational use cases.

We will look at uncommon situations where attackers have time on their side&#8212;waiting for victim devices to quietly whisper their secrets, or using physical proximity in ways that traditional controls, including MFA, were never designed to handle.

This talk presents the internal RioT project, which has been actively used by the DEEP Red Team for more than five years. We will cover its design philosophy, implemented tooling, and a survey of attack scenarios and techniques that enabled successful outcomes during real-world engagements.</abstract>
                <slug>bsidesluxembourg-2026-89826-riot-a-raspberry-based-network-implant-for-red-team-operations</slug>
                <track></track>
                
                <persons>
                    <person id='90215'>Olivier M&#233;doc</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/YQSRBJ/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/YQSRBJ/feedback/</feedback_url>
            </event>
            <event guid='4c11ae03-0607-5b76-8559-eb9efd33edb6' id='85277' code='8UQAZC'>
                <room>Main Stage</room>
                <title>Those Who Don&#8217;t Learn from CVEs Are Doomed to Rediscover Them</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T14:40:00+02:00</date>
                <start>14:40</start>
                <duration>00:40</duration>
                <abstract>This session dives into real-world vulnerabilities by dissecting CVEs directly in the code where they occurred. Each example showcases not just what went wrong, but why, with a focus on the subtle coding patterns, missed assumptions, and language misunderstandings that led to the bugs.
For every vulnerability, we will extract a few key lessons: principles or warnings that developers and reviewers can apply to prevent similar issues.</abstract>
                <slug>bsidesluxembourg-2026-85277-those-who-don-t-learn-from-cves-are-doomed-to-rediscover-them</slug>
                <track></track>
                
                <persons>
                    <person id='86405'>Louis Nyffenegger</person>
                </persons>
                <language>en</language>
                <description>The story starts with my analysis of a CVE affecting AES-GCM in a Ruby library and how this issue appears in other codebases and languages. I will show several related problems I reported across ecosystems.

From there, I cover the cyclic nature of vulnerabilities: &quot;The end of the world, we forget, rediscovery.&quot;

Next, I explain a practical methodology for performing CVE analysis. This leads into a selection of excellent CVEs I have studied and the lessons they provide. I will also demonstrate how one CVE I found was directly inspired by another I had analyzed earlier. I will finish this section with the most interesting CVE I examined in the weeks leading up to the conference.

We will wrap up with clear recommendations for attendees.

Since the topic can be complex, I include a few jokes and memes throughout the presentation to help maintain attention.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/8UQAZC/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/8UQAZC/feedback/</feedback_url>
            </event>
            <event guid='896867d4-149e-58ae-92cb-1692b0bda7cd' id='92826' code='J9BBAM'>
                <room>Main Stage</room>
                <title>Dungeons &amp; Dragons: The security power tool you didn&#8217;t know you needed</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T15:40:00+02:00</date>
                <start>15:40</start>
                <duration>00:40</duration>
                <abstract>Tired of security training that puts your team to sleep? What if I told you the most powerful training tool in cybersecurity has been sitting in your game room all along? Welcome to the world of game-based learning, where the proven power of play transforms how professionals master complex skills.

Research shows that humans learn best when working together, yet traditional training methods keep pushing isolated, theoretical learning. Game-based learning flips this approach on its head, creating environments where people forget about office politics and actually engage with the material. Through structured play and collaborative storytelling, participants don&apos;t just memorize concepts&#8212;they live them, breaking down professional barriers and building genuine understanding through experience.

I&apos;ll show you the compelling evidence behind why using roleplaying games works, and demonstrate how to transform resistant learners into engaged participants. Using compelling examples, you&apos;ll discover how tabletop role-playing mechanics can turn your most challenging training scenarios&#8212;from incident response to zero trust architecture&#8212;into adventures your team actually looks forward to.

Join me to learn why adding roleplaying games to your professional development isn&apos;t just about making training fun&#8212;it&apos;s about making it work.</abstract>
                <slug>bsidesluxembourg-2026-92826-dungeons-dragons-the-security-power-tool-you-didn-t-know-you-needed</slug>
                <track></track>
                
                <persons>
                    <person id='93002'>Klaus Agnoletti</person><person id='90938'>Glen Sorensen</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/J9BBAM/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/J9BBAM/feedback/</feedback_url>
            </event>
            <event guid='3125e582-722a-5c14-80c7-5708e448e75b' id='92574' code='APBPPQ'>
                <room>Main Stage</room>
                <title>Finding meaning in /dev/null</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T16:20:00+02:00</date>
                <start>16:20</start>
                <duration>00:35</duration>
                <abstract>A network telescope, also called a black&#8209;hole or network sinkhole, is a passive monitoring system that observes traffic sent to large blocks of unused IP address space. Because these IP ranges are never assigned to active hosts and do not generate legitimate responses, any traffic received is by definition unsolicited. This makes network telescopes powerful tools for studying global Internet behavior. They capture background noise, scanning activity, botnet noise, malicious probes, and even misconfigurations that would otherwise remain invisible. At CIRCL we have operated a /18 network telescope for a long time, and in this presentation we will explain the potential of such a dead network and our use case.</abstract>
                <slug>bsidesluxembourg-2026-92574-finding-meaning-in-dev-null</slug>
                <track></track>
                
                <persons>
                    <person id='92802'>Paul JUNG</person>
                </persons>
                <language>en</language>
                <description>In this talk, we will first present the conceptual and operational fundamentals of what a network telescope is, explaining its technical characteristics and its role in capturing unsolicited traffic at Internet scale. I will then describe the ingestion, normalization, and structuring pipeline used to transform the raw PCAP data into a durable and queryable data lake, relying on Suricata and ClickHouse for large-scale processing. Finally, I will showcase the types of analyses and meaningful insights that can be extracted from this dataset, including the identification of emerging behaviors, the characterization of malicious activities, and the observation of broader, systemic trends in global Internet traffic.

We will detail in our presentation all the valuable analyses that may come out of the void:

Detection of Scanner Bots:
By combining PTR records and activity, it is possible to determine the profiles of commercial scanners and also detect some less-known ones. We were able to discover more than 25 different scanner brands, from well-known ones like Onyphe or Shodan to less-known ones like Stretchoid or some public Russian ones such as F6 or Skipa. This permits the identification of around 6000 IPs monthly, which are available as MISP warning lists.
Observation of the Mirai Botnet:
For decades now this malware has been trying to replicate; the TCP window size of the initial SYN packet is enough to qualify this malware family. The collected dataset shows an average of 45K Mirai bots. The distribution of Mirai per country is quite interesting.

Detection of CVE Trends:
By discriminating sources of activity by destination port, protocol and known scanner type, it is often possible to distinguish early scanning campaigns and anticipate upcoming threats. This capability is particularly valuable for a CERT, as it supports early warning and timely notification of its constituency.

This is an example of scan activity around TCP port 8530, corresponding to the remote code execution (RCE) CVE-2025-59287, an unsafe deserialization bug in Microsoft Windows Server Update Services (WSUS). The CVE was released on 14/10/25.

Deep analysis of SNMP queries:
Analysis of SNMP traffic at this scale allows us to monitor CVE-based injections and associated campaigns.

It also permits finding interesting relations between devices and the SNMP community used. Some examples of our previous SNMP protocol analysis can be found here:
https://d4-project.org/2025/11/27/Learning-from-Large-Scale-IPv4-blackhole-behavioral-analysis-of-SNMP-traffic.html

Many other trends can also be extracted. During this presentation, we will additionally cover:

    IoT botnet injections: The lowest possible level of interaction still allows us to identify old RCE injections like CVE-2019-12297, CVE-2021-35394, CVE-2023-28771.
    Detection of DDoS attacks: Since combined DDoS attacks often use spoofed random IPs, it is possible to see some of the backscatter traffic (TCP SYN-ACK / ICMP unreachable) and therefore determine victimology.
    Antivirus usage trends: By observing unsolicited traffic generated by security products, it is possible to identify antivirus deployment patterns, update behaviors, and their evolution over time, providing indirect visibility into defensive technologies used across the Internet.
    Port 0 scanning: Although port 0 is reserved and unused by legitimate services, it is sometimes leveraged by scanners for operating system fingerprinting. Monitoring this activity helps identify OS detection techniques and early-stage reconnaissance behaviors.
    Many funny syslog misconfigurations: Since our range is not too far from an RFC1918 IP range, it often receives syslog traffic from misconfigured devices sending logs to invalid destinations. These cases highlight operational mistakes, legacy configurations, and occasionally the unintended exposure of internal or sensitive information.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/APBPPQ/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/APBPPQ/feedback/</feedback_url>
            </event>
            <event guid='de0aa9ab-2e5a-5bd2-ad62-c1424875fc70' id='92361' code='KHWQNW'>
                <room>Main Stage</room>
                <title>Digital risks, threat models, and empathy: trainings that empower</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T16:55:00+02:00</date>
                <start>16:55</start>
                <duration>00:35</duration>
                <abstract>Digital and cyber risks do not always fit into standard risk assessment paradigms; they might use different language or touch upon complex causal or interdependence relationships. This non-technical talk will guide listeners on digital security training and storytelling techniques that will leave their audience feeling more empowered and better able to assess and mitigate digital risks. It will look at how to position digital risks next to other risks and look at how smart and empathetic threat modelling can combat nihilistic feelings of universal surveillance.</abstract>
                <slug>bsidesluxembourg-2026-92361-digital-risks-threat-models-and-empathy-trainings-that-empower</slug>
                <track></track>
                
                <persons>
                    <person id='92599'>&#321;ukasz Kr&#243;l</person>
                </persons>
                <language>en</language>
                <description>Many risk assessment professionals struggle with understanding digital and cyber risk. Risks such as injury caused by fires or earthquakes have reasonably straightforward causes. Risks such as data exfiltration could be caused by a number of complex, interconnected attacks. This talk will be based on my experiences of training small teams of very different risk experts&#8212;ranging from investigative journalism editors to humanitarian workers&#8212;about digital risks. It will focus on how we can tell better stories on digital risk that leave the audience feeling empowered.

We will discuss:

1. How to position digital risks next to other types of risks: I will summarise some of the conversations I&#8217;ve had with risk assessment professionals, highlighting both easy parts of and struggles in explaining digital risk. I will also briefly mention the problem of knowledge asymmetries in cyber and digital risk assessments.

2. Differences in risk assessment language used&#8212;and why they matter: this includes looking at words like &#8220;threat&#8221;, &#8220;risk&#8221;, &#8220;prevention&#8221;, and &#8220;mitigation&#8221;, and how cyber and digital risk professionals might use them differently from others

3. Why &#8216;standing out&#8217; (for example refusing to use some mainstream tools or having unusual tech use patterns) could itself be a problem. Here, we also discuss how much of the data surveillance actors collect can be noisy and messy, and why this might be reassuring.

4. Perceptions of omnipresent surveillance and ill-defined threat actors and how those frustrate our efforts at security education: we all sometimes run into the perception that surveillance isn&#8217;t just everywhere but done by everybody. While it&#8217;s true that many different actors are involved in this ecosystem, I explain how explicitly defining those actors and explaining what they are and aren&#8217;t capable of can help empower the audiences of our trainings. In short, this is a session on how we can use standard threat modelling techniques.

5. A case study on WhatsApp and Signal to explain how to best discuss risks and mitigations related to messaging and messengers.

6. Time for questions and discussion!


The main audience of this talk are security trainers, security team managers, and others who frequently work with and upskill non-technical audiences. I will mostly focus on broader notions of digital risk, only going into technical details when necessary.

I hope that, after the talk, the audience will have the following key take aways:

- How to effectively tell stories about digital risk, cyber risk, and surveillance to audiences that don&#8217;t feel too comfortable with such topics
- Building analogies, and noting differences, between digital risk and other types of risk (physical, financial, legal, etc.)
- How to empower people who might feel overwhelmed when thinking about risks such as surveillance or spyware</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/KHWQNW/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/KHWQNW/feedback/</feedback_url>
            </event>
            <event guid='d17ba237-357b-5fa7-86fc-a56cf3dc63b9' id='92560' code='SWGJPX'>
                <room>Main Stage</room>
                <title>Phinding a Phisher: Don&apos;t let rep get you rekt</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T17:30:00+02:00</date>
                <start>17:30</start>
                <duration>00:35</duration>
                <abstract>The as-a-service model has become ubiquitous across the cybercrime ecosystem. Previously dominated by tight-knit, exclusive groups, cybercrime is now a distributed international marketplace of service providers and consumers. As a result, it is more resilient than ever, with the gaps left by law enforcement takedowns quickly filled by the next opportunistic teenager. However, to operate effectively in this anonymous distributed economy threat actors need to build a reputation to gain trust. Does this give us an opportunity?

In this presentation I will discuss the importance of trust in the cybercrime ecosystem and walk through a real-world investigation involving a prominent phishing-as-a-service (PhaaS) provider. The case study illustrates that trust and OpSec do not mix, exposing threat actors to identification. Attendees will leave with additional insight into the cybercrime ecosystem, hacker culture, and some nifty OSINT tricks.</abstract>
                <slug>bsidesluxembourg-2026-92560-phinding-a-phisher-don-t-let-rep-get-you-rekt</slug>
                <track></track>
                
                <persons>
                    <person id='92652'>Elliot Parsons</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/SWGJPX/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/SWGJPX/feedback/</feedback_url>
            </event>
            <event guid='2e4e0024-fd81-59ac-92cf-edaf11dc6823' id='92930' code='D8PPLC'>
                <room>Main Stage</room>
                <title>Security Impress Karaoke</title>
                <subtitle></subtitle>
                <type>Custom entertainment and similar</type>
                <date>2026-05-07T19:30:00+02:00</date>
                <start>19:30</start>
                <duration>01:30</duration>
                <abstract>Think you can bluff your way through a security talk with zero prep? Now is your chance! At Security Impress Karaoke&#185;, you&apos;ll be handed a totally random, security-themed slide deck you&#8217;ve never seen before - and have just 3 minutes to present it like a pro.</abstract>
                <slug>bsidesluxembourg-2026-92930-security-impress-karaoke</slug>
                <track>Main Stage</track>
                
                <persons>
                    <person id='93070'>Kirils Solovjovs</person>
                </persons>
                <language>en</language>
                <description>No experience? No problem. This is all about having fun, thinking fast, and impressing the crowd with your creativity (or chaos). Whether you&apos;re a seasoned hacker or just security-curious, come take the podium and let&#8217;s see what you&#8217;ve got!

Sign up or just show up!</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/D8PPLC/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/D8PPLC/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='IFEN room 1, Workshops and Detection Engineering village (Building D)' guid='d009362d-88e2-5587-ae2a-5051041602da'>
            <event guid='e90c28c0-1ee2-5ec2-b111-00c6d953294d' id='91893' code='EW9MCX'>
                <room>IFEN room 1, Workshops and Detection Engineering village (Building D)</room>
                <title>Hello LuCy nice to meet you! - A conclusion on a 3 year Open-Source cybersecurity project</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T09:00:00+02:00</date>
                <start>09:00</start>
                <duration>00:40</duration>
                <abstract>LuCy is the 3-year odyssey to bring a new security solution closer to the R&amp;E community in Luxembourg. The open-source project is integrated into an existing IT infrastructure - but wait, why not open it to our Luxembourgish R&amp;E community and that at a low cost! After some reflection it became clear that with a bit of effort the security tools can also be used by the community!

This presentation will be the conclusion on the LuCySe4RE project, presenting the overall highs and lows of the project from a technical, awareness as well as from the human perspective.

As a conclusion, focus will be put on new challenges that emerged after the move from prototype to a fully-fledged service, as well as on new risks that we did not identify before.

In this presentation we will share our lessons-learned from our journey from a prototype to a tool in production and hopefully reach others to start their journey with implementing and promoting open-source projects in their community in future!</abstract>
                <slug>bsidesluxembourg-2026-91893-hello-lucy-nice-to-meet-you-a-conclusion-on-a-3-year-open-source-cybersecurity-project</slug>
                <track>Actionable CTI and detection engineering village</track>
                
                <persons>
                    <person id='91955'>Denim Lati&#263;</person><person id='96356'>Cynthia Wagner</person>
                </persons>
                <language>en</language>
                <description>LuCy is a mostly open-source cybersecurity toolbox consisting of a SIEM and a DNS firewall. Due to limited resources, a significant amount of R&amp;E (research and education) institutions cannot deploy an inhouse cybersecurity solution. 
Therefore, LuCy was brought into this world to offer these services, such as alerting, dns filtering, dashboards, to the R&amp;E institutions to improve their resilience at a reduced cost. We highly value the input from institutions connected to LuCy for continuous improvement of the platform.
Data sovereignty is crucial, thus everything is hosted on premises at the _Restena Foundation_ in Luxembourg.
We are working on reports and documentation so that any other SME can deploy this open-source cluster on their premises.

Open-source is the way to go! Lessons learned from implementing a cybersecurity tool which needs half of the staff. Not to lose motivation also in tough times. Keep the mindset, open source is needed in our community!</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/EW9MCX/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/EW9MCX/feedback/</feedback_url>
            </event>
            <event guid='28e06720-8277-5f21-ad45-735d5d5386e4' id='92938' code='ZDAX3J'>
                <room>IFEN room 1, Workshops and Detection Engineering village (Building D)</room>
                <title>From Hours to Minutes: Automating Incident Response Triage with Open-Source Tools</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T09:40:00+02:00</date>
                <start>09:40</start>
                <duration>00:35</duration>
                <abstract>Learn how to automate incident response triage using open-source tools. This talk shows how to go from forensic collection to collaborative analysis in minutes, with real-world workflows and cloud-based automation.</abstract>
                <slug>bsidesluxembourg-2026-92938-from-hours-to-minutes-automating-incident-response-triage-with-open-source-tools</slug>
                <track>Actionable CTI and detection engineering village</track>
                
                <persons>
                    <person id='93073'>Markus Einarsson</person>
                </persons>
                <language>en</language>
                <description>Traditional forensic acquisitions create bottlenecks in incident response, requiring specialized expertise and significant time that delays investigations. This presentation introduces an automated forensic triage workflow using open-source tools to accelerate response operations.

The workflow utilizes a Velociraptor offline collector to acquire forensic triage images, automatically uploaded to cloud storage. This triggers an OpenRelik workflow that processes triage data using tools like Hayabusa and Plaso/log2timeline, with AI-powered analysis and summarization. The processed output is uploaded to Timesketch for collaborative analysis.

Several DFIR datasets will be used to show the automation pipeline from initial collection to timeline analysis. The workflow reduces time-to-analysis from hours to minutes while maintaining forensic integrity.

Attendees will learn to implement automated triage workflows and integrate multiple open-source tools into investigation pipelines. This targets incident responders, digital forensics practitioners and anyone in the security community looking to streamline forensic operations.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/ZDAX3J/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/ZDAX3J/feedback/</feedback_url>
            </event>
            <event guid='78197750-cc28-5d28-af61-292b7d08d631' id='92598' code='AP8GQT'>
                <room>IFEN room 1, Workshops and Detection Engineering village (Building D)</room>
                <title>Advanced Threat Hunting: Staying One Step Ahead of Adversary</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T10:35:00+02:00</date>
                <start>10:35</start>
                <duration>00:40</duration>
                <abstract>As cybersecurity defenders, our job is to prevent breaches. However, threat actors continue to succeed because they constantly evolve their techniques. In this session, I will show you some of the innovative attack vectors that malicious hackers use to target our infrastructure. You&#8217;ll learn how these techniques work and more importantly, how to leverage them for your own threat hunting.</abstract>
                <slug>bsidesluxembourg-2026-92598-advanced-threat-hunting-staying-one-step-ahead-of-adversary</slug>
                <track>Actionable CTI and detection engineering village</track>
                
                <persons>
                    <person id='92825'>Alex Holden</person>
                </persons>
                <language>en</language>
                <description>As cybersecurity defenders, our job is not just to react but to stay ahead of attackers. Yet, adversaries continue to evolve, refining their techniques to bypass defenses and infiltrate critical systems. To effectively hunt threats, we must understand how these attackers think and operate.

This session will explore real-world techniques used by malicious actors to breach security controls. We will examine how stolen data such as compromised session tokens and credentials are weaponized to gain unauthorized access to systems and supply chains. We&#8217;ll also uncover how attackers bypass restricted registration requirements, exploiting gaps in verification and automation processes. We will also analyze how logic flaws in authentication mechanisms allow threat actors to circumvent security controls, gaining entry where they shouldn&#8217;t. And much more.

By breaking down these attack strategies, you will learn how to identify, track, and neutralize emerging threats before they cause damage. This session will equip you with practical threat-hunting insights, showing you how to turn an attacker&#8217;s own methods against them before they strike.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/AP8GQT/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/AP8GQT/feedback/</feedback_url>
            </event>
            <event guid='40d2cb10-2683-5f4b-8529-e13e37b8b2b0' id='93492' code='L9773J'>
                <room>IFEN room 1, Workshops and Detection Engineering village (Building D)</room>
                <title>CT(C)I-Driven detection against internal and external threats</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T11:20:00+02:00</date>
                <start>11:20</start>
                <duration>00:40</duration>
                <abstract>Threat intelligence is often reduced to reactive IOC lists or superficial color-coded reports. This talk dismantles that paradigm. We will explore the application of Cyber Threat (Counter) Intelligence - CT(C)I - in a geopolitical context, demonstrating how to engineer detections that actively hunt sophisticated adversaries operating both outside and inside your perimeter. Moving beyond standard threats, we dissect the rising trend of APT-backed &quot;remote workers&quot; infiltrating organizations using deepfakes and fabricated histories. We will show you how to weaponize cyber counterintelligence and deploy deceptive defenses to expose the threat, transforming your internal environment into your primary intelligence sensor - detection. Finally, we will outline a modern, graph-based &quot;Detection-as-Code&quot; methodology that replaces static documentation with visual, automated defense logic.</abstract>
                <slug>bsidesluxembourg-2026-93492-ct-c-i-driven-detection-against-internal-and-external-threats</slug>
                <track>Actionable CTI and detection engineering village</track>
                
                <persons>
                    <person id='93489'>Ondrej Nekovar</person>
                </persons>
                <language>en</language>
                <description>In this talk, we redefine efficient threat intelligence processing and its direct application in advanced detection engineering. We are moving past the era of creating reactive detection rules based on trending IOCs or generating &quot;traffic light&quot; reports that lack real defensive impact.
We will examine high-stakes threat scenarios on a geopolitical scale. By analyzing the laws of cyber deception within CTI reports, we will identify the behavioral errors attackers make and learn how to exploit those flaws for detection.
However, the landscape is evolving. We will analyze scenarios where external adversaries successfully become internal threats&#8212;specifically dissecting the tactic of APTs deploying state-sponsored remote workers to infiltrate security companies. This involves advanced deception: deepfakes, synthetic profiles, fabricated employment histories, and the abuse of corporate devices.
When you have a highly trained operative inside, traditional defense fails. This is where Cyber Counterintelligence (CCI) becomes essential. You must counter the adversary&apos;s deception with your own deceptive architecture to force them into revealing themselves. And there we will go through a real detection engineering challenge - an identity-based detection across the whole environment. 
To operationalize this approach, we must abandon outdated methods. We will explore how to revolutionize your engineering process by replacing static documentation with a visual graph engine. You will learn how to apply a Git-native &quot;Detection-as-Code&quot; workflow that automatically converts visual capability maps into executable SIGMA rules, leveraging MITRE frameworks to design and scale resilient defense logic.

Key Takeaways:
- Shatter the Perimeter Illusion - Realize that sophisticated threats are not just external; they are actively infiltrating organizations as trusted insiders.
- The Necessity of Threat-Informed Defense - Understand that generic monitoring is obsolete; threat-driven detection engineering is the only viable path forward against modern adversaries.
- Operationalize Cyber Counterintelligence - Learn how to use internal telemetry and deceptive tactics to expose sophisticated actors already operating within your environment.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/L9773J/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/L9773J/feedback/</feedback_url>
            </event>
            <event guid='5267142a-8248-5853-abf9-0e3f077ba7c2' id='92601' code='RNELAL'>
                <room>IFEN room 1, Workshops and Detection Engineering village (Building D)</room>
                <title>OpenTide: From Raw Intelligence to Structured Threat-Informed Detections</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T13:30:00+02:00</date>
                <start>13:30</start>
                <duration>00:40</duration>
                <abstract>Threat intelligence has matured significantly in the domain of indicators of compromise (IOCs), with standardised formats and automated sharing infrastructure. Yet when it comes to adversary behaviors - tactics, techniques, and procedures (TTPs), intelligence is still largely delivered through unstructured reports, PDFs, and blog posts. This creates a persistent gap: while defenders receive rich insights, they lack a systematic way to translate those insights into actionable detection engineering outcomes. Measuring detection coverage remains difficult, often reduced to basic ATT&amp;CK matrix mappings that fail to capture the relational and technical nature of adversary behaviors. Meanwhile, intelligence evolves faster than most teams can analyse, leaving detection engineers overwhelmed and without a standardised workflow to prioritise or model new threats.
 
OpenTide (Open Threat Informed Detection Engineering, an open source framework developed at the European Commission CSOC) addresses this challenge by introducing a structured, top&#8209;down intelligence&#8209;to&#8209;detection flow. At its core are Threat Vectors - an open construct for modeling TTPs at any level of granularity. Threat Vectors can be interrelated to form attack graphs, enabling defenders to build a dynamic and continuous coverage picture as new intelligence emerges.
 
Within OpenTide, detection objectives and supporting rules are explicitly linked to Threat Vectors, creating a direct mapping from intelligence to detection logic. A normalised schema ensures that unstructured intelligence can be ingested, transformed, and operationalised consistently. Furthermore, experimental integrations with large language models (GenTide R&amp;D Project) accelerate the creation of these objects, demonstrating how automation can reduce the time from intelligence inputs to detection deployment.
 
By reframing how we model and consume TTP&#8209;focused intelligence, OpenTide provides a scalable path to actionable detection engineering. It enables defenders to move beyond static mappings, measure coverage in context, and continuously align detection priorities with the evolving threat landscape.
 
OpenTide : https://github.com/OpenTideHQ</abstract>
                <slug>bsidesluxembourg-2026-92601-opentide-from-raw-intelligence-to-structured-threat-informed-detections</slug>
                <track>Actionable CTI and detection engineering village</track>
                
                <persons>
                    <person id='92828'>Remi Seguy</person>
                </persons>
                <language>en</language>
                <description>**Outline**
Intelligence to Detection Engineering Gap
- TTP intelligence remains unstructured (reports, PDFs, blogs).
- Defenders struggle to operationalize insights into detections.
- Coverage measurement reduced to static ATT&amp;CK mappings.
- Manual workflows are slow and inconsistent.
- Teams overwhelmed by volume and pace of new intel.
 
OpenTide Workflow
- Intelligence &gt; Threat Vectors &gt; Detection Objectives &gt; Rules.
- Normalized schema for consistent ingestion of unstructured intel.
- Attack graphs enable contextual coverage measurement.
 
Accelerating with LLMs (GenTide)
- GenTide : LLMs accelerate Threat Vector modeling from intelligence.
- Accelerates turning into Detection Objectives to support rule development
- Reduces time from intel input to detection deployment.
- Supports continuous alignment with evolving threats.
 
**Key take aways**
OpenTide helps defenders turn unstructured threat intelligence into actionable detections. It introduces Threat Vectors to model adversary behaviors and link them directly to detection objectives and rules comprehensively. This creates a structured, scalable workflow that replaces static ATT&amp;CK mappings with a growing knowledge graph and redefines how detection coverage can be evaluated.

With experimental automation through large language models, OpenTide shortens the time from intelligence to deployment and enables continuous alignment with evolving threats.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/RNELAL/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/RNELAL/feedback/</feedback_url>
            </event>
            <event guid='2abf58b0-a5af-5aa9-8e06-38cc3d624e93' id='92773' code='Z8EPNM'>
                <room>IFEN room 1, Workshops and Detection Engineering village (Building D)</room>
                <title>Your CTI Reports Are Useless Without Structure: From Unstructured Threat Intel to STIX Knowledge Graphs with LLMs and MCP server</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T14:10:00+02:00</date>
                <start>14:10</start>
                <duration>00:35</duration>
                <abstract>Every week, hundreds of threat intelligence reports are published in prose &#8212; rich in context, but locked in a format that no SIEM, TIP, or AI agent can consume. Without structure, CTI stays trapped in PDFs and blog posts, disconnected from the defensive stack that needs it most.
This talk presents a **practitioner and research-driven approach** to closing that gap. Drawing from independent research on the **[TI Mindmap HUB](https://ti-mindmap-hub.com/)** project and an academic study currently under peer review, benchmarking five LLM families against government-grade STIX 2.1 ground truth, the speaker demonstrates how a hybrid architecture &#8212; combining deterministic extraction with LLM-based semantic inference &#8212; can transform unstructured reports into **machine-readable STIX 2.1 bundles**.
Beyond generation, the talk explores how STIX bundles become the foundation for **LLM-powered knowledge graphs** and how the **Model Context Protocol** (MCP) exposes structured CTI as tool calls for AI agents &#8212; making intelligence not just structured, but conversationally actionable for both human analysts and autonomous copilots.
This is independent research, not a product pitch. The speaker invites collaboration from the CTI community.
_Disclaimer: TI Mindmap HUB is a personal, independent research project. It is not affiliated with, endorsed by, or representative of any employer, organization, or commercial entity._</abstract>
                <slug>bsidesluxembourg-2026-92773-your-cti-reports-are-useless-without-structure-from-unstructured-threat-intel-to-stix-knowledge-graphs-with-llms-and-mcp-server</slug>
                <track>Actionable CTI and detection engineering village</track>
                
                <persons>
                    <person id='92955'>Antonio Formato</person>
                </persons>
                <language>en</language>
                <description>**Problem Statement**
The CTI community produces an enormous volume of high-quality threat intelligence every week &#8212; malware analyses, campaign reports, government advisories. The vast majority is published as unstructured text. Despite the existence of STIX 2.1 as a mature, graph-based interoperability standard, most organizations skip the conversion step entirely because it is slow, manual, and requires deep domain expertise. The consequence: intelligence that could feed automated detection, correlation, and response workflows remains locked in prose.
This section frames STIX not as bureaucratic overhead, but as the critical prerequisite layer that makes everything downstream &#8212; from SIEM rules to AI-driven threat hunting &#8212; possible.
**The Hybrid Architecture: GenAI-STIX**
The core of the talk introduces a hybrid pipeline architecture developed through independent research and validated in an academic study currently under peer review (University of Salerno, AY 2025/2026). The key design insight is that not everything should be delegated to a generative model:

- Deterministic extraction (regex + validation) handles Indicators of Compromise (IoCs) &#8212; IP addresses, hashes, domains, URLs &#8212; where precision and resistance to hallucination are paramount.
- LLM-based semantic inference handles the hard part: extracting Tactics, Techniques, and Procedures (TTPs), threat actors, malware families, victims, and the relationships between them, then mapping these to the MITRE ATT&amp;CK framework.

The talk walks through the evaluation methodology: a dual pipeline (object-level detection metrics + holistic graph similarity) tested against a ground-truth dataset built from real UK National Cyber Security Centre (NCSC) STIX bundles. Five LLM families were benchmarked. Key finding: high-reasoning models exceed 94% precision in TTP extraction, demonstrating that automated MITRE ATT&amp;CK mapping is no longer a theoretical prospect but a production-ready capability.
**TI Mindmap HUB: The Living Research Lab**
TI Mindmap HUB is the independent research platform where these concepts are implemented and tested at scale, processing 50&#8211;60 threat reports weekly. The speaker demonstrates how a single unstructured report flows through the pipeline and emerges as a multi-lens analyst workstation:

- STIX graph view &#8212; interactive entity/relationship exploration
- Diamond Model &#8212; campaign framing from STIX objects
- MITRE ATT&amp;CK heatmap &#8212; behavioral coverage visualization
- CVE analyst table &#8212; vulnerability prioritization with threat context
- TI Mindmap &#8212; narrative structure for executive and analyst consumption

The same structured artifacts (STIX bundles, ATT&amp;CK layers, IOC/CVE objects) power all views &#8212; different analytical lenses from shared data, not isolated widgets. A brief visual walkthrough shows the end-to-end flow from URL submission to structured intelligence.
**MCP: Making CTI Actionable for AI Agents**
Structure alone is not enough &#8212; intelligence must be accessible where decisions are made. This section introduces the Model Context Protocol (MCP) server built for TI Mindmap HUB, which exposes structured CTI as native tool calls for AI copilots and agents:

- Report discovery and deep-dive &#8212; search, filter, and retrieve processed intelligence artifacts directly from a chat interface
- IOC pivoting &#8212; &quot;where else was this indicator seen?&quot; as a single tool call
- STIX bundle retrieval &#8212; portable intelligence packages ready for TIP/SOAR/SIEM integration
- Article submission &#8212; trigger the full processing pipeline from conversation context

This transforms CTI from a static product into a conversational operations layer. The MCP server implements secure API key + OAuth authentication, making it ready for both human analysts and autonomous agent workflows.
**Toward Knowledge Graphs: The Research Horizon**
With STIX bundles as building blocks, the next research frontier is LLM-inferred cross-report relationships &#8212; connecting entities across dozens of reports to build a threat intelligence knowledge graph that reveals patterns invisible in individual analyses. The speaker briefly outlines this ongoing research direction and its implications for strategic CTI.
**Closing**
TI Mindmap HUB is an independent research project exploring the intersection of Generative AI and Cyber Threat Intelligence. It is not a product and not affiliated with any employer or commercial entity. The speaker actively seeks collaboration from the CTI research and practitioner community.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links>
                    <link href="https://github.com/TI-Mindmap-HUB-Org/ti-mindmap-hub-research">GitHub Repo: TI Mindmap HUB is an independent research project exploring the application of Generative AI to Cyber Threat Intelligence (CTI) workflows.</link>
                </links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/Z8EPNM/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/Z8EPNM/feedback/</feedback_url>
            </event>
            <event guid='c8a2bbab-02ea-5c41-871c-12b57227eeaf' id='84867' code='LL9LUX'>
                <room>IFEN room 1, Workshops and Detection Engineering village (Building D)</room>
                <title>Not So hARMless: The Hidden World of Linux Packers and Detection Challenges</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T14:45:00+02:00</date>
                <start>14:45</start>
                <duration>00:35</duration>
                <abstract>Linux packers and loaders represent a blind spot in modern cybersecurity defenses. By compressing, encrypting, and obfuscating executable code, these tools enable fileless, in-memory execution that bypasses traditional detection mechanisms entirely.
This presentation dissects the hARMless ARM64 ELF packer/loader to reveal sophisticated evasion techniques: multi-layer page encryption, CRC32 integrity verification, and direct ARM64 syscall invocation. We expose critical security gaps where EDR solutions lack Linux visibility, static analysis fails against packed payloads, and memory-resident execution defeats forensic recovery. The bad news? Traditional EDR solutions are practically blind on Linux, static analysis can&apos;t keep up with modern packers, and memory-only execution makes forensics a nightmare. The good news? Well... let&apos;s see it together.</abstract>
                <slug>bsidesluxembourg-2026-84867-not-so-harmless-the-hidden-world-of-linux-packers-and-detection-challenges</slug>
                <track>Actionable CTI and detection engineering village</track>
                
                <persons>
                    <person id='86075'>Massimo Bertocchi</person>
                </persons>
                <language>en</language>
                <description>This presentation examines Linux malware packers and loaders as sophisticated evasion techniques that pose significant challenges to modern cybersecurity defenses. Malware packers compress, encrypt, and obfuscate executable code, while loaders execute the original malware directly in memory, enabling fileless execution that bypasses traditional detection mechanisms. The research includes a case study of the Lazarus APT group&apos;s ThreatNeedle malware, demonstrating a real-world implementation of multi-stage deployment with in-memory execution capabilities. A practical analysis of the hARMless ARM64 ELF packer/loader system illustrates key technical components including multi-layer encryption, CRC32 integrity verification, and direct ARM64 syscall implementation. The presentation reveals critical security implications: traditional EDR solutions have significant detection gaps on Linux systems, static analysis proves insufficient against packed malware, and memory-based execution complicates forensic analysis. Defensive strategies require implementing syscall-level monitoring, deploying behavioral analysis capabilities, and maintaining comprehensive logging for effective threat detection and response. Attendees will understand how modern malware evades detection and discover practical defensive strategies including syscall-level monitoring, behavioral analysis, and comprehensive logging for effective threat detection and response.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/LL9LUX/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/LL9LUX/feedback/</feedback_url>
            </event>
            <event guid='6023d3dd-df9c-505f-b1aa-529814f5fe67' id='84864' code='JRZGUH'>
                <room>IFEN room 1, Workshops and Detection Engineering village (Building D)</room>
                <title>Goodbye Purple Team, Hello Purple Bots</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T15:40:00+02:00</date>
                <start>15:40</start>
                <duration>00:40</duration>
                <abstract>Security teams no longer need to manually configure and perform purple team exercises. It is possible to automate and orchestrate this entire flow with a combination of automation and artificial intelligence.

Powered by n8n, Elastic, Caldera, TheHive, and LLMs, this orchestration requires zero manual effort after launch. It continuously fetches and updates APT profiles, executes attack techniques, and analyzes detection logs in the alerting system. If a technique is not detected, the system checks the SIEM logs; if the activity is logged, it suggests a Sigma use case. If both detection and logging are absent, the system recommends configuration adjustments to ensure future visibility.

In addition, security teams no longer need to manually perform threat profiling to select the correct adversary TTPs. The system analyzes the target organization&#8217;s landscape and intelligently suggests the most relevant APT attack scenarios, or allows users to select one.

The final output is a comprehensive report detailing the detection rate, logging rate, technique descriptions, and recommendations to enhance visibility by suggesting new Sigma rules and refining logging configurations.

This is not just another attack simulation tool; it&#8217;s a scalable and flexible AI-driven automation workflow that can be adapted to the technologies in your environment while continuously optimizing detection, helping defenders stay ahead of evolving threats.</abstract>
                <slug>bsidesluxembourg-2026-84864-goodbye-purple-team-hello-purple-bots</slug>
                <track>Actionable CTI and detection engineering village</track>
                
                <persons>
                    <person id='86072'>Patrick Mkhael</person><person id='93851'>Ralph El Khoury</person>
                </persons>
                <language>en</language>
                <description>AI and automation are powerful technologies that can be leveraged to enhance both offensive and defensive security strategies. This talk unveils a fully automated, AI-driven purple teaming proof-of-concept framework that simulates real-world APT attacks, evaluates detection capabilities, and enhances security defense, all in real time.

Join us as we unveil the next frontier of AI-driven adversary simulation frameworks, where offense and defense merge into an intelligent, automated cycle of continuous security enhancement.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links>
                    <link href="https://docs.google.com/presentation/d/17vYUiEbSEt5L05LFv9q1GDsx4x4o24xE/edit?usp=sharing&amp;ouid=115776622804364734079&amp;rtpof=true&amp;sd=true">Presentation</link>
                </links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/JRZGUH/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/JRZGUH/feedback/</feedback_url>
            </event>
            <event guid='5bcaa265-f28e-506c-86a5-cda40cff65c7' id='92380' code='PWCYXA'>
                <room>IFEN room 1, Workshops and Detection Engineering village (Building D)</room>
                <title>Ferrari without fuel: Exorcise GIGO out of Logs Management</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T16:20:00+02:00</date>
                <start>16:20</start>
                <duration>00:40</duration>
                <abstract>Many SOCs invest in powerful Risk&amp;AI-based tools to generate and classify their alerts to &quot;**clear out the noise**&quot; and **pinpoint actual &quot;value&quot; in the massive amount of data** they collect. It is no secret that nowadays we&apos;re collecting on SIEMs more data than we&apos;d ever thought possible decades ago, **most of which is of no real operational relevance**. Some even say &quot;SOC is dead&quot; as this model isn&apos;t humanly bearable. Some also offer flashy magic wands that may solve all these issues in a painless plug&amp;play way, while at the same time magically reducing cost (or not).
What&apos;s the solution, then? **Agentic AI? Data Lakes? Cloud-first?** All valuable solutions, but there&apos;s **something we can also do upstream**: _On top of trying to clean a dirty river, decrease its pollution at the source_.

This approach also helps **mitigate a lesser-known yet very serious risk**: **_unknown unknowns in data collection_**. In the same way alert fatigue is correlated with False Positive figures/ratios, most cybersecurity departments focus on the unsustainability of telemetry volumes and forget about False Negatives, i.e. the **useful logs you should be collecting but don&apos;t know you don&apos;t have**. _Caring for your car&apos;s longevity and performance also means not assuming any fuel will do and hoping for the best_.

Our solution: **Governance and Data Quality**. It&apos;s not a coincidence that NIST recently added this as a new pillar to its CSF. With the &quot;**Identify**&quot; pillar you get &quot;informed&quot; decisions, yet it&apos;s &quot;Governance&quot; that gives the &quot;**deliberate**&quot; element on what to collect, why, and whether it&apos;s enough. Having no Logging Data-Compliance framework, or having one that doesn&apos;t take into account **business values** (e.g. BIA, crown jewels, investments), ultimately results in **building Security Monitoring on sand**, or in focusing on scopes so narrow that only security may benefit from them, fueling the &quot;working in silos&quot; approach and going against the &quot;holistic observability&quot; and &quot;management buy-in&quot; elements.</abstract>
                <slug>bsidesluxembourg-2026-92380-ferrari-without-fuel-exorcise-gigo-out-of-logs-management</slug>
                <track>Actionable CTI and detection engineering village</track>
                
                <persons>
                    <person id='92618'>Stefano Amodio</person><person id='92652'>Elliot Parsons</person>
                </persons>
                <language>en</language>
                <description>**Why this talk**
How many times have you been asked to onboard logs on a SIEM just by &quot;opening the flows&quot;, without any validation? Or even to develop alerts on already provided logs without questioning them? Has any PenTest or Red Team exercise highlighted that you had no visibility (let alone alerting) over certain actions, despite &quot;having the logs&quot;? Have you ever seen a truncated log, or one coming from the future? Or a logout without its previous login?

Nowadays, there is no gold standard for baseline or maturity assessments on log collection / coverage, except a few governmental exceptions (e.g. OMB M-21-31) or highly prescriptive yes/no audit-level compliance frameworks that don&apos;t meet the granular level needed to &quot;plug&quot; logging and detection/analysis together seamlessly (e.g. NIST SP 800-53 AU Family). The same holds from the developers&apos; &quot;**Security by Design**&quot; perspective, where best practices exist for narrow scopes but may not ultimately be enforced (e.g. OWASP Logging Cheat Sheet).

Historically, &quot;security&quot; has often been treated as an elite craft and a compliance checkbox - fertile ground for buzzwords and &quot;magic wand&quot; tooling narratives. Our experience is that every time the solution is &quot;just a new tool&quot; an analyst dies (joke intended; right?). &quot;Magic wands&quot; do not exist. A tool can help, but it cannot replace understanding: normal vs. corner cases, environment constraints, and informed decisional context.
This matters because the industry repeatedly shows that SIEM programs are fragile in practice: expensive volume ingestion, yet broken detections, missing fields, parsing issues, and alert overload.

**Our thesis: &quot;shift-left&quot; inside the SOC**
Instead of starting from &quot;alerts&quot; and hoping SOAR + AI/LLMs will fix the rest (sometimes scaling more confusion than value), we shift-left by making upstream telemetry complete, useful, and normalized - the foundations of reliable detection engineering. We do so by enforcing a &quot;Compliance Data Model&quot; that is both the output of SIEM engineers and the input for Detection Engineers: a SIEM-vendor-agnostic meeting point to build Use Cases on, even when you don&apos;t have the logs (yet).

We will deep-dive into:
&#8226; **Logs Management as a discipline / requirement**: end-to-end process of collecting, storing, processing/normalizing, **validating**, and monitoring log data, ultimately making sure &quot;**it represents reality**&quot; - as opposed to the common &quot;hydrant approach&quot; of indiscriminately turning on a firehose of logs and assuming the job is done (e.g. &quot;I&#8217;ve opened the flow. Are you getting some logs now? Yes? Great, we&#8217;re done&quot;).
&#8226; **Security Monitoring as a practice that is highly dependent on Logs Management**, whether in its automated form (Use Case Management, UBA, etc.) or in its manual one (&quot;free-dive&quot; or Hypothesis-based Threat Hunting, etc.), regardless of the framework you may be using (e.g. OpenTide, MITRE, FI-ISAC NL MaGMa).
&#8226; **Visibility Depth vs Width**: many environments feel &quot;well integrated and monitored&quot; simply because one type of log is collected from all hosts, but when laying out a matrix of which other logs are collected from where, and whether they&apos;re normalized, a clear &quot;**wide-but-shallow**&quot; image shows up, and suddenly nobody agrees on what &quot;critical app alerting&quot; means without app owners at the table.
&#8226; **Bridging the gap - Log Schema vs. Policy**: Deciding what to log (a logging policy) is just as important as how to structure it (a data schema / taxonomy). Many teams adopt common schemas like **Splunk CIM, OCSF, Elastic ECS, Microsoft ASIM**, etc. to **normalize** fields, which is important and ensures consistency, but they **cannot be used alone to audit visibility gaps**. If you never send a particular log type to your SIEM, the schema won&#8217;t complain, and even if you count the number of success/failures or logs with &quot;username&quot; or other fields, the **Logging Policy** (and thus upstream checks) is still needed to **set expectations** and **understand what is normal vs. anomalous.**

Useful resources for companies to draft their own Logging Policy are:
&#10148; **Prescriptive Standards**: **OMB M-21-31** (U.S. federal logging requirements, which explicitly lists log categories and retention periods agencies must collect for each security tier), **NIST SP&#160;800-53** (Audit &amp; Accountability controls, that mandates specific events that systems must log as a baseline), and **CIS Critical Security Controls** (especially Safeguard&#160;8.2, enumerating essential logs to collect to support security monitoring).
&#10148; **Threat-Informed Frameworks**: **MITRE ATT&amp;CK** provides a matrix of **data sources** needed to detect various adversary techniques at a high level. MITRE&#8217;s open-source DeTT&amp;CT can help score your log coverage. Even SIGMA rules include a &quot;logsource&quot; definition as a requirement, although a very high-level one. CTI-based frameworks such as Dragos&apos; CMF (Collection Management Framework) also apply. If you have an Attack Range Lab, more technical resources from PenTesters / Red-Teamers can be leveraged, like Atomic Red Team, testing techniques and adjusting log verbosity until meaningful activity is logged.
&#10148; **Application Layer Logs**: Logging isn&#8217;t just an IT operations concern; it starts with developers. We reference the **OWASP Logging Cheat Sheet** (and similar app-security guidance) which outlines what security-relevant events applications should generate - for example, input validation failures, authentication successes/failures, and access control violations. This highlights that effective logging requires collaboration between the Security/SOC and development teams (not just red&amp;blue teams).
&#10148; **Business Context**: The above compliance standards and threat frameworks are inherently generic. They assume all servers, applications, and data are equally important, or they focus solely on the likelihood of an attack. What they completely miss is the Business Impact (e.g. BIA - Business Impact Analysis, FAIR - Factor Analysis of Information Risk) - which is the exact language the Board of Directors (BoD) speaks. Each organization should craft a Logging Policy/Framework tailored to its unique context - considering its business model, &quot;crown jewel&quot; assets, regulatory requirements, and mix of IT vs. OT systems. For example, onboarding and normalizing upfront the logs that grant visibility over a big project could provide Exploratory Data Analysis (EDA) capabilities and even give the opportunity to spot issues or misconfigurations before they happen, bringing unexpected added value / ROI to top management and ultimately granting stronger mandates and economics internally in the organization (e.g. &quot;We noticed 40% of users are dropping off at this specific transaction point because of a backend timeout, impacting revenues&quot; or &quot;There is a misconfiguration causing the app to query the database 50 times per second per user, increasing API costs&quot;). Bringing those findings to management means transitioning Security from a &quot;cost center&quot; to a &quot;business enabler&quot;, providing QA and operational intelligence, not just blocking hackers.


**Disclaimer**
We acknowledge that not every organization can overhaul its logging overnight - real-world constraints exist. The session emphasizes incremental improvement and trade-offs, helping each attendee identify a few high-impact &quot;logging wins&quot; they can pursue back at work. We&#8217;re not promising a silver bullet (that would go against the entire premise!); instead, attendees will leave with fresh perspectives and actionable frameworks to gradually turn their own &quot;Ferrari&quot; into a well-fueled security machine.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links>
                    <link href="https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html">OWASP Logging Cheat Sheet</link>
                
                    <link href="https://csf.tools/reference/nist-sp-800-53/r5/au/">NIST SP 800-53, Revision 5 - AU: Audit and Accountability - Logging Compliance</link>
                
                    <link href="https://cybersecuritynews.com/best-practices-for-event-logging-threat-detection/">NSA&#x27;s Best Practices for Event Logging &amp; Threat Detection</link>
                
                    <link href="https://docs.cloud.gov/platform/compliance/m-21-31-compliance/">CISA / OMB M-21-31 Logging Compliance</link>
                
                    <link href="https://dragos.brightspotcdn.com/25/7d/1b77156441439a1914f82867af21/collection-management-frameworks-for-ics-12-18.pdf">Dragos&#x27; Collection Management Framework (CMF) - Methodology for prioritizing and managing information sources in cyber threat intelligence</link>
                
                    <link href="https://en.wikipedia.org/wiki/Garbage_in,_garbage_out">GIGO - Garbage IN, Garbage OUT</link>
                
                    <link href="https://www.elastic.co/blog/m-21-31-logging-compliance-challenges">Elastic.co on OMB M-21-31 Logging Compliance</link>
                
                    <link href="https://www.linkedin.com/posts/floroth_just-built-a-demo-monitoring-matrix-for-activity-7426163713130377216-18t1/">Florian Roth on wide-but-shallow visibility</link>
                
                    <link href="https://www.redhotcyber.com/post/il-soc-e-morto-lintelligenza-artificiale-sta-riscrivendo-la-cybersecurity/">SOC is Dead - AI is rewriting CyberSecurity (ITA)</link>
                
                    <link href="https://www.sans.org/posters/detection-engineering">SANS Hybrid Data Collection Strategy</link>
                </links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/PWCYXA/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/PWCYXA/feedback/</feedback_url>
            </event>
            <event guid='cf29cf9e-1238-55c3-8ef6-859322b995f5' id='88370' code='C93MZK'>
                <room>IFEN room 1, Workshops and Detection Engineering village (Building D)</room>
                <title>The whistles go woo woo: SIEM alerts, threat detection and tuning unnecessary noise</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T17:00:00+02:00</date>
                <start>17:00</start>
                <duration>00:40</duration>
                <abstract>Security teams don&apos;t miss alerts because they don&apos;t care, they miss them because their SIEM never shuts up. Alerts fire constantly, at the wrong time, for expected behavior, until everything starts to sound the same. At some point, it&apos;s no longer an alarm. It&apos;s just noise.

This talk starts with a simple idea: when an alert fires matters just as much as what it detects. Like a whistle blaring at 2 a.m., many detections technically work, but fail operationally because they lack timing, throttling, or basic context. Alerts trigger during business hours, outside meaningful windows, or so often that everyone learns to ignore them.

Using practical examples, we&apos;ll look at common alerting mistakes, why &quot;more alerts&quot; doesn&apos;t mean better security, and how small changes, such as throttling, prioritization, and temporal context, can dramatically reduce noise.

From there, we&apos;ll walk through what alerts actually matter across application, network, Active Directory, and DNS telemetry, and how to design them so they fire when someone should actually care. The goal isn&apos;t silence, it&apos;s a SIEM that acts like an alarm clock, not a whistle that goes &#8220;woo woo&#8221; all night.</abstract>
                <slug>bsidesluxembourg-2026-88370-the-whistles-go-woo-woo-siem-alerts-threat-detection-and-tuning-unnecessary-noise</slug>
                <track>Actionable CTI and detection engineering village</track>
                
                <persons>
                    <person id='87302'>Melina Phillips</person>
                </persons>
                <language>en</language>
                <description>When the whistles go woo woo:
I typically like to start my presentation with a short story, a news article or some known fact and correlate it to the main topic.

In the early 2000s, residents in Seattle started complaining about a strange problem: cars driving through neighborhoods late at night, fitted with exhaust whistles so loud they could wake an entire block. 
When asked about the noise, one explanation stuck: the whistles go &quot;woo woo&quot;&#8230; but only in the morning. The noise wasn&#8217;t dangerous, but it was constant, badly timed, and impossible to ignore.
Twenty years later, many security teams are dealing with the same problem, just with SIEM alerts instead of cars. If this feels familiar, it should. Many SIEMs do the exact same thing: alerts firing constantly, without timing or context, until everything sounds urgent and nothing actually is.

Wait, what are we doing here?
Brief explanation of contextual alerting for SIEM implementations.

Drawing parallels:
Noisy SIEMs vs The Whistles

Okay but how does SIEM obtain data:
Log collection and aggregation

How do I know what I want my SIEM to alert me on?
Knowing what you want your SIEM to alert on starts with understanding what actually requires action. Alerts are not meant to document everything that happens in an environment, they exist to interrupt you when something needs attention. If an alert does not change a decision, a response, or a priority, it probably does not need to exist.

	- Unusual or anomalous behavior
	- Known IOCs
	- Signs of Privesc or lateral movement
	- Indicators of Data exfil
	- Repeated or unsuccessful actions.
	- Unusual application activity
	- Endpoint behavior
	- Compliance violations
	- Threat hunting
	

When alerts stop being alerts:

	&#8226; Alerts aren&apos;t ignored because analysts are lazy
	&#8226; They&#8217;re ignored because everything fires
	&#8226; When every event is &quot;urgent&quot; nothing actually is
	&#8226; Noise trains people to stop reacting.
	&#8226; American Horror Story: MSSP - sharing a story of when I worked for an MSSP and I saw some awful things with SIEM alerting.

Timing Matters More Than You Think
	&#8226; Alerts without time context are misleading
	&#8226; Expected behavior during business hours &#8800; malicious at 3 a.m.
	&#8226; The same signal can mean very different things depending on when it happens

Key learning:
When an alert fires is part of the detection logic, not an afterthought.

Throttle the noise before you add more alerts
	&#8226; Repeated alerts for the same behavior don&apos;t increase security
	&#8226; They just increase annoyance
	&#8226; Throttling prevents the SIEM from screaming about the same thing every five minutes

Examples: 
	&#8226; &quot;Alert once per user per time window&quot;
	&#8226; &quot;Suppress repeats unless behavior changes&quot;
	&#8226; &quot;Escalate only if it keeps happening&quot;


Context turns noise into signal
	&#8226; Raw events are not the same as actionable alerts
	&#8226; Alerts need:
		&#9675; user context
		&#9675; system role
		&#9675; expected behavior
		&#9675; related activity
Without context:
Everything looks suspicious.
With context:
You know what actually matters.


Designing your SIEM alerts:
	- Focus on high risk scenarios
	- Tune alerts over time
	- Use correlation rules
	- Threat intelligence is your bestie
	- Context is key


Alert prioritization:

Alert prioritization isn&apos;t about deciding what&#8217;s &quot;important&quot; on paper, it&apos;s about deciding what deserves attention right now. When everything is marked high priority, teams stop trusting the system. Good prioritization accepts that not all alerts are equal, and that urgency depends on timing, context, and impact. A SIEM that understands this doesn&apos;t shout, it speaks when it actually matters.
	- Critical:  Imminent high impact threat such as ransomware or a data breach.
	- High: Potential impact on core business operation or sensitive systems and direct evidence of malicious activity.
	- Medium: Unusual activity that could potentially be a threat
	- Low: Minor issue, security violation or potential false positive.


What logs do I need?

Deciding what logs you need is not about collecting everything, it is about collecting what helps you answer questions later. Logs should support detection, investigation, and response, not just exist for visibility. When logging is intentional, alerts become easier to design and noise becomes easier to control.

1. Windows Logs
2. Network Logs
3. Endpoint Detection and Response (EDR) Logs
4. Identity and Authentication Logs
5. Threat Intelligence Logs
6. Compliance and Audit Logs


Scrum for SIEM maintenance:

Knowing what you want your SIEM to alert on is not a one time decision, it is an ongoing process. Environments change, attackers change, and so does what actually deserves attention. Treating SIEM maintenance like a sprint forces teams to regularly ask what worked, what created noise, and what genuinely helped detect risk. Instead of reacting to every alert, the focus shifts to continuously refining what is worth waking someone up for.

	- Define your scrum team (owner, scrum master and development team. Yes, it all applies even if it&apos;s not a software development environment).
	- Create a &quot;product backlog&quot; (actionable items).
	- Sprint planning (high risk priority tasks).
	- Daily stand ups (share updates).
	- Sprint Review (showcase deliverables).</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments>
                    <attachment href="https://pretalx.com/media/bsidesluxembourg-2026/submissions/C93MZK/resources/whis_jqtDedU.pdf">Presentation draft. It&#x27;s in progress and it will be heavily improved.</attachment>
                </attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/C93MZK/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/C93MZK/feedback/</feedback_url>
            </event>
            <event guid='c408b37c-8cfc-5023-977b-d4f3b3aba1f4' id='88181' code='QJN3VK'>
                <room>IFEN room 1, Workshops and Detection Engineering village (Building D)</room>
                <title>From Manual Hunt to Mass Detection: Weaponising Nuclei Against Phishing</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T17:40:00+02:00</date>
                <start>17:40</start>
                <duration>00:30</duration>
                <abstract>Phishing is still the dominant attack vector, but detecting malicious sites at scale is difficult. This talk shows how open-source automation can make phishing detection fast and proactive. Using real examples from 200+ Nuclei templates, attendees will learn detection methods, template creation, and practical threat intelligence and OSINT use cases.</abstract>
                <slug>bsidesluxembourg-2026-88181-from-manual-hunt-to-mass-detection-weaponising-nuclei-against-phishing</slug>
                <track></track>
                
                <persons>
                    <person id='86678'>Rishi (@rxerium)</person>
                </persons>
                <language>en</language>
                <description>Phishing remains the dominant attack vector, yet detecting malicious sites at scale continues to challenge security teams. This talk demonstrates how open-source automation can transform phishing detection from a manual, reactive process into a scalable, proactive capability.

I developed and contributed 120+ phishing detection templates to the Nuclei project, enabling security teams worldwide to identify phishing sites impersonating major brands across thousands of hosts in seconds. In this session, I want to share this technique with attendees, covering the detection methodology, template creation, and practical applications for threat intelligence and OSINT research.

A live demonstration will showcase the approach in action, and attendees will leave with the knowledge to build their own detection capabilities using freely available tools.</description>
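The core check such a template encodes, written as an added Python example rather than the speaker&apos;s own Nuclei templates: a page that carries a brand&apos;s sign-in phrases but is served from a host outside that brand&apos;s domains is reported as impersonation. The brand name, marker phrases, domains and probe records are all constructed placeholders; each probe stands in for what an HTTP request to one host returned, with HTML tags already stripped.

```python
"""Brand-impersonation check over probe results (added example, constructed data)."""

# Assumption: one fingerprint per brand. 'markers' are phrases that appear on the real
# sign-in page; 'legit_domains' are the only domains allowed to serve them.
# 'examplebank' and the .example/.test hosts below are placeholders, not real brands.
BRANDS = {
    "examplebank": {
        "markers": ["Sign in to ExampleBank", "ExampleBank Online Banking"],
        "legit_domains": ["examplebank.example"],
    },
}


def host_is_legit(host, legit_domains):
    """True only if host is a legitimate domain or a subdomain of one.

    Suffix matching on '.' + domain avoids the classic bug where a substring test
    lets 'examplebank.example.evil.test' or 'notexamplebank.example' pass.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in legit_domains)


def classify_probe(probe):
    """Return a finding dict if the probed page impersonates a brand, else None.

    A probe is a constructed record of what one HTTP request returned:
    {'host': ..., 'title': ..., 'body_text': ...}, body_text being the page with tags stripped.
    """
    haystack = (probe["title"] + " " + probe["body_text"]).lower()
    for brand, fingerprint in BRANDS.items():
        hits = [m for m in fingerprint["markers"] if m.lower() in haystack]
        if hits and not host_is_legit(probe["host"], fingerprint["legit_domains"]):
            return {"host": probe["host"], "brand": brand, "markers": hits}
    return None


def scan(probes):
    """Run classify_probe over many hosts and keep only the hits, as a mass scan would."""
    return [f for f in map(classify_probe, probes) if f is not None]


# Constructed probe results standing in for live responses.
PROBES = [
    {"host": "login.examplebank.example", "title": "Sign in to ExampleBank",
     "body_text": "ExampleBank Online Banking. Enter your customer number."},
    {"host": "examplebank-secure-login.example.net", "title": "Sign in to ExampleBank",
     "body_text": "Enter your customer number and password."},
    {"host": "examplebank.example.evil.test", "title": "Welcome",
     "body_text": "ExampleBank Online Banking - verify your account."},
    {"host": "notexamplebank.example", "title": "Sign in to ExampleBank", "body_text": ""},
    {"host": "unrelated-shop.test", "title": "Shop", "body_text": "Buy shoes online."},
]

if __name__ == "__main__":
    for finding in scan(PROBES):
        print(finding)
```

Running it reports the three lookalike hosts and nothing for the legitimate login host or the unrelated shop. The suffix match in host_is_legit is the part worth copying: a plain substring test on the domain lets both prefix and suffix lookalikes through.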
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/QJN3VK/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/QJN3VK/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='IFEN room 2, Workshops and AI Security Village  (Building D)' guid='a18bb72e-a1ae-5ea3-acfa-8ddd1c6b0d44'>
            <event guid='746d2514-7cb9-5ddf-a227-01d236d4f09a' id='92446' code='Q7CEUD'>
                <room>IFEN room 2, Workshops and AI Security Village  (Building D)</room>
                <title>AI and Cryptography for Evasive Malware</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T09:00:00+02:00</date>
                <start>09:00</start>
                <duration>00:35</duration>
                <abstract>As AV/EDR systems evolve to detect behavioral anomalies, offensive tradecraft must adapt beyond static obfuscation. This talk explores the convergence of Artificial Intelligence and advanced Cryptography in the development of next-generation evasive malware. We will move past traditional packing techniques to examine how lightweight LLMs and cryptographic primitives can be integrated directly into the malware lifecycle.

You will gain insight into:
- AI-Driven Polymorphism: Utilizing embedded or cloud-based AI agents to dynamically rewrite logic and variable structures at runtime, rendering signature-based detection obsolete.
- Cryptographic Context-Awareness: Implementing environmental keying and mathematical &quot;logic locking,&quot; where payloads remain cryptographically sealed until specific environmental conditions (verified by AI logic) are met.
- Entropy Reduction: Techniques to make encrypted payloads statistically indistinguishable from benign data or natural language using AI-generated steganography.

This talk bridges the gap between theoretical mathematics and practical weaponization, demonstrating how free, open-source AI models can be weaponized for stealth, and conversely, how defenders can prepare for the age of &quot;thinking&quot; malware.</abstract>
                <slug>bsidesluxembourg-2026-92446-ai-and-cryptography-for-evasive-malware</slug>
                <track>AI Security Village</track>
                <logo>/media/bsidesluxembourg-2026/submissions/Q7CEUD/image_s8htaua.webp</logo>
                <persons>
                    <person id='92537'>cocomelonc</person>
                </persons>
                <language>en</language>
                <description>Modern EDR and XDR solutions have moved the goalposts. Static signatures are a relic of the past; today&#8217;s fight is against behavioral telemetry and ML-driven heuristics. To survive on a target host, offensive tradecraft must evolve. This practice-oriented talk demonstrates how the convergence of Artificial Intelligence and non-standard Cryptography creates a &quot;thinking&quot; malware capable of adapting to Windows, Linux, and macOS environments.

We move beyond simple packing to explore a specialized Adversarial Dev Loop. By integrating lightweight LLMs and rare cryptographic primitives (Skipjack, Speck, Mars, Lucifer, Camellia), we demonstrate how to build malware that interviews its environment before revealing its true nature.

What you will learn through live demos and code analysis:
- The AI-Mutator Loop: How to use local AI agents to perform automated source-level polymorphism. I will demonstrate C/C++ code that rewrites its own logic, variable structures, and API resolution patterns for every new &quot;build,&quot; making hash-based and static ML detection impossible.

- Cross-Platform Residency: A deep dive into modern persistence - from macOS Dylib hijacking and WatchPaths to Linux eBPF-based hooks and Windows service subversion - all protected by Environmental Keying. I will show how payloads remain cryptographically sealed until AI-logic verifies the &quot;DNA&quot; of the target machine.

- Rare Crypto vs. Entropy Scanners: Why standard AES/ChaCha20 is a red flag. We will implement &quot;forgotten&quot; algorithms to bypass entropy-based detection and show how to use AI to generate &quot;Natural Language Steganography&quot; - hiding exfiltrated data inside AI-generated text that passes through Deep Packet Inspection (DPI) unnoticed.

- Breaking the Sandbox: Real-world examples of AI-driven sandbox detection. We demonstrate implants that exhibit &quot;benign mimicry&quot; when a virtualization artifact is detected, effectively poisoning the training data of automated sandboxes.

This talk isn&apos;t about theoretical future threats; it&apos;s about the weaponization of free, open-source AI models available today. Whether you are a Red Teamer looking to bypass top-tier EDRs or a Blue Teamer trying to understand the next wave of &quot;smart&quot; malware, you will leave with the C/C++ PoCs and forensic insights needed to operate in the age of the thinking malware.</description>
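The scanner class that the &quot;entropy reduction&quot; point is aimed at, as an added example rather than the speaker&apos;s code: a windowed Shannon-entropy scan over a constructed file made of plain text with a block of hash-derived bytes standing in for ciphertext. The window size, threshold and sample contents are assumptions chosen for illustration.

```python
"""Windowed entropy scan over a constructed file (added example, not the speaker's code)."""
import base64
import hashlib
import math


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 when all 256 byte values are equally frequent."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def high_entropy_regions(data, window=512, threshold=7.0):
    """Merged (start, end) byte ranges whose window entropy is strictly above threshold.

    Encrypted or compressed payloads embedded in an otherwise ordinary file show up as
    windows near 8 bits per byte; English text and source code sit around 4 to 5.
    """
    regions = []
    for start in range(0, len(data), window):
        chunk = data[start:start + window]
        if max(shannon_entropy(chunk), threshold) != threshold:  # strictly above threshold
            end = start + len(chunk)
            if regions and regions[-1][1] == start:
                regions[-1] = (regions[-1][0], end)  # contiguous: extend the previous region
            else:
                regions.append((start, end))
    return regions


def deterministic_noise(length, seed=b"constructed"):
    """Stand-in for ciphertext: chained SHA-256 output, so the sample is reproducible offline."""
    out = bytearray()
    block = seed
    for _ in range(0, length, 32):
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


# Constructed sample: 2048 bytes of text, 1024 bytes of 'ciphertext', 1024 bytes of text.
SENTENCE = b"Quarterly report: revenue grew while costs stayed flat overall.\n"  # 64 bytes
NOISE = deterministic_noise(1024)
SAMPLE_FILE = SENTENCE * 32 + NOISE + SENTENCE * 16
# Re-encoding the same noise as base64 caps its entropy at 6 bits per byte (64 symbols),
# the cheapest form of the entropy reduction the talk describes.
ENCODED_NOISE = base64.b64encode(NOISE)

if __name__ == "__main__":
    print("text:", round(shannon_entropy(SENTENCE * 32), 2))
    print("noise:", round(shannon_entropy(NOISE), 2))
    print("base64 noise:", round(shannon_entropy(ENCODED_NOISE), 2))
    print("flagged regions:", high_entropy_regions(SAMPLE_FILE))
```

The scan flags the embedded block as one contiguous region at bytes 2048 to 3072, while the same bytes re-encoded as base64 stay under a 7-bit threshold. That is why a scanner needs a baseline per content class (text, base64, code, images) rather than one global cutoff, and why the talk&apos;s steganographic encodings target the text baseline.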
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/Q7CEUD/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/Q7CEUD/feedback/</feedback_url>
            </event>
            <event guid='a013d8dd-86d3-585c-aa8e-dafc5e60103b' id='85259' code='CDJP3Z'>
                <room>IFEN room 2, Workshops and AI Security Village  (Building D)</room>
                <title>Death By Pickle: &quot;Python&apos;s Betrayal ML&quot;</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T09:35:00+02:00</date>
                <start>09:35</start>
                <duration>00:40</duration>
                <abstract>In the original Matrix movie, Neo learned Kung Fu through an upload.  Imagine if your ML could learn the same way.  That&apos;s what a pickle file does for ML - &quot;I KNOW KUNG FU&quot; or whatever was in the file that was supposed to be &quot;learned&quot; by your ML model.
What if there was a plot twist where Agent Smith tampered with the Kung Fu module so that it included a fun &quot;bonus&quot; lesson that &quot;taught&quot; Neo to call Agent Smith every time he was trying to find an exit?
That&apos;s what&apos;s happening in Pickle Files, and that&apos;s the setup for ML and AI.

This talk will step through the threat, some examples, and emerging detection capabilities.  You will KNOW Kung Fu when it&apos;s over.</abstract>
                <slug>bsidesluxembourg-2026-85259-death-by-pickle-python-s-betrayal-ml</slug>
                <track>AI Security Village</track>
                
                <persons>
                    <person id='86386'>Kadi McKean</person><person id='86387'>Frithjof Hoffmann</person>
                </persons>
                <language>en</language>
                <description>In The Matrix, Neo learns Kung Fu through an upload. In ML, pickle files let models &apos;learn&apos; similarly. But what if Agent Smith tampered with the module? That&apos;s what&apos;s happening in pickle files&#8212;malicious code can sneak in. This talk covers the threat and detection techniques. You&#8217;ll KNOW Kung Fu!</description>
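What the &quot;bonus lesson&quot; looks like at the byte level, and the two checks that stop it, as an added example (not the speakers&apos; code): a constructed tampered object whose __reduce__ makes the unpickler call os.system, a static walk over the pickle opcodes that lists every global the file would import without executing it, and a restricted Unpickler that refuses anything outside an allowlist. The allowlist contents and the sample artifacts are assumptions for illustration.

```python
"""Static scan and restricted load of pickle files (added example, constructed data)."""
import io
import os
import pickle
import pickletools

# Opcodes that push a string; STACK_GLOBAL takes its module and attribute from the two most recent.
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE", "BINUNICODE",
              "SHORT_BINUNICODE", "BINUNICODE8"}
MEMO_PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}
MEMO_GET_OPS = {"GET", "BINGET", "LONG_BINGET"}

# Assumption: the only globals a trusted artifact of this kind is allowed to import.
# A real allowlist would name the reconstruct helpers of the ML framework in use.
ALLOWED_GLOBALS = {"collections.OrderedDict"}


class RogueWeights:
    """Constructed tampered 'model': unpickling it runs a shell command via os.system."""

    def __reduce__(self):
        return (os.system, ("echo I KNOW KUNG FU",))


def referenced_globals(data):
    """Every module.attribute the pickle would import, found by walking opcodes, never executing."""
    found = set()
    memo = {}       # memo slot to string value, tracked for strings only
    strings = []    # strings pushed so far, in order
    top = None      # most recently pushed value if it is a string, else None
    for op, arg, _pos in pickletools.genops(data):
        name = op.name
        if name in STRING_OPS:
            strings.append(arg)
            top = arg
        elif name == "MEMOIZE":
            memo[len(memo)] = top
        elif name in MEMO_PUT_OPS:
            memo[arg] = top
        elif name in MEMO_GET_OPS:
            top = memo.get(arg)
            if top is not None:
                strings.append(top)
        elif name == "GLOBAL":            # protocols 0 to 3: "module name" as one text argument
            module, _, attr = arg.partition(" ")
            found.add(module + "." + attr)
            top = None
        elif name == "STACK_GLOBAL":      # protocol 4 and later: module and attribute are on the stack
            pair = strings[-2:]
            if len(pair) == 2:
                found.add(pair[0] + "." + pair[1])
            top = None
        else:
            top = None
    return found


def unsafe_globals(data):
    """Globals the file references that are not on the allowlist, sorted for stable reporting."""
    return sorted(g for g in referenced_globals(data) if g not in ALLOWED_GLOBALS)


class RestrictedUnpickler(pickle.Unpickler):
    """Second line of defence: refuse any import the static scan might have missed."""

    def find_class(self, module, name):
        if module + "." + name in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("blocked global " + module + "." + name)


def safe_loads(data):
    """Load only if the static scan is clean, and still go through the restricted unpickler."""
    blocked = unsafe_globals(data)
    if blocked:
        raise pickle.UnpicklingError("refusing to load, found: " + ", ".join(blocked))
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_is_blocked(data):
    """True if safe_loads refuses the file."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed artifacts: a benign weights dict and the tampered object. Neither is executed here.
BENIGN_PICKLE = pickle.dumps({"layer1.weight": [0.5, -0.25], "layer1.bias": [0.0]})
MALICIOUS_PICKLE = pickle.dumps(RogueWeights())

if __name__ == "__main__":
    print("benign imports:", unsafe_globals(BENIGN_PICKLE))
    print("tampered imports:", unsafe_globals(MALICIOUS_PICKLE))
    print("tampered load blocked:", load_is_blocked(MALICIOUS_PICKLE))
```

Opcode presence alone is not a verdict: genuine framework checkpoints also use GLOBAL, REDUCE and BUILD to rebuild tensors, so the decision is made on which globals are referenced, and the static scan runs before any unpickling because find_class is only reached once the unpickler is already executing the stream.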
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/CDJP3Z/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/CDJP3Z/feedback/</feedback_url>
            </event>
            <event guid='c7468f8a-893d-5685-8c28-fbd4a846e7db' id='89611' code='YTUTGD'>
                <room>IFEN room 2, Workshops and AI Security Village  (Building D)</room>
                <title>What Does Threat Modeling Solve for AI Security?</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T10:35:00+02:00</date>
                <start>10:35</start>
                <duration>00:40</duration>
                <abstract>AI rarely creates entirely new classes of risk. More often, it amplifies weaknesses that already exist in complex systems where architecture, data, and business decisions are tightly coupled. What changes is not the threat itself, but its reach, speed, and impact.

This session shows how threat modeling can be used as a leverage point in two parallel dimensions, in a way that remains accessible to newcomers while still grounded in real-world practice. On the technical side, threat modeling is presented as a concrete decision tool: identifying realistic attack paths, clarifying what actually needs to be tested, and guiding focused actions such as pentest scoping and security control prioritization. The emphasis is not on exhaustive models, but on developing the right security reflexes early, understanding where small inputs can create large business consequences.

In parallel, the same threat model is used as a framework validation layer. Instead of treating compliance as a documentation exercise, threat modeling helps explain how and why controls are applied where risk actually exists. Using approachable examples aligned with ISO 27001, the AI Act, and NIS2 expectations, the session demonstrates how threat modeling supports compliance efforts by making security decisions explicit, traceable, and defensible.

The session is designed for beginners and practitioners in application security, threat modeling, or software engineering, and assumes familiarity with AppSec and SDLC concepts. The focus is not on theory or abstract AI threats, but on real systems, plausible attackers, and practical threat models that help bridge technical security decisions and regulatory expectations from the start.</abstract>
                <slug>bsidesluxembourg-2026-89611-what-does-threat-modeling-solve-for-ai-security</slug>
                <track>AI Security Village</track>
                
                <persons>
                    <person id='90031'>Nathan Pembe</person>
                </persons>
                <language>en</language>
                <description>0&#8211;5 min: Context setting: Where AI really fits in the SDLC

The session starts by clarifying a frequent source of confusion: securing AI versus using AI for security. Using concrete system examples, I explain how AI is introduced into existing architectures and why it increases coupling between data, identity, APIs, and business workflows. The goal is to ground the audience in a system-level view before discussing threats. This section is fully accessible to beginners and does not assume prior AI security knowledge.

5&#8211;10 min: Why AI Feels Destabilizing at System Level

This section explains why AI adoption often makes risk harder to reason about. AI does not introduce chaos by itself; it amplifies risk across an already uncontrolled attack surface. Using visual system comparisons, I show how adding AI components increases the blast radius of existing weaknesses (identity, APIs, data access, monitoring gaps). The key objective is to shift beginners away from &#8220;AI-specific threats&#8221; toward ecosystem-level risk thinking.

10&#8211;20 min: Scenario 1 (Technical Track): Testing Without Knowing Why

The first main scenario focuses on a realistic AI-driven e-commerce system where an ML recommendation engine directly impacts revenue. I walk through a common security dilemma: a limited pentesting budget with no shared understanding of what actually matters.
Step by step, I introduce a lightweight threat modeling approach:

- drawing a simple system diagram,
- identifying threat actors,
- reasoning in layers (Matryoshka-style): supply chain, network/APIs, identity, crown jewels, and mapping attack paths to business impact.

This leads to a concrete outcome: a risk-driven pentesting strategy that clearly differentiates deep testing, standard testing, and low-return testing areas. Beginners see how threat modeling directly informs technical decisions instead of producing abstract documentation.

20&#8211;30 min: Scenario 2 (Framework Track): Threat Modeling as a Compliance Validator

The second scenario shifts focus to compliance and governance challenges. I present a situation where multiple teams claim compliance (secure coding, code reviews, pentests), yet cannot demonstrate why controls are effective.

Using an ISO 27001 control (secure coding), I show how threat modeling reframes the question from &#8220;do we have this control?&#8221; to &#8220;where would insecure code actually hurt us?&#8221;. A concrete threat scenario is built around an input processing service in front of an ML model, illustrating how business-impacting abuse can occur even when traditional controls exist.

This logic is then extended to broader regulatory expectations (AI Act, NIS2): threat modeling provides a structured way to justify controls, expose blind spots (e.g., missing abuse-case testing or decision integrity checks), and explain partial compliance in a defensible manner.

30&#8211;35 min: Key Takeaways and Practical Guidance

I conclude by explicitly tying both tracks together. The same threat model supports: technical security decisions (what to test, where to invest effort), and compliance justification (why controls exist and what risk they mitigate).

The final takeaways focus on what beginners can apply immediately: modeling change rather than entire systems, prioritizing reachable attack paths, and using threat modeling as a living practice rather than a one-time deliverable.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/YTUTGD/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/YTUTGD/feedback/</feedback_url>
            </event>
            <event guid='69cf45b6-ab86-5fee-9c96-207a6960bed8' id='89159' code='GLKSMY'>
                <room>IFEN room 2, Workshops and AI Security Village  (Building D)</room>
                <title>Talk to a Shell : Exploiting AI agent in Real Time</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T13:30:00+02:00</date>
                <start>13:30</start>
                <duration>00:30</duration>
                <abstract>AI agents are no longer simple chatbots&#8212;they&apos;re autonomous systems equipped with powerful tools including shell access, file operations, and database queries. But what happens when an attacker asks nicely?

In this talk, we present a real-world vulnerability discovered in a production AI platform where we achieved full system command execution through natural language conversation. We started with simple reconnaissance; when the AI initially denied access, we researched and deployed a jailbreak technique that bypassed safety guardrails&#8212;all through conversation.

The result? Reading /etc/passwd, enumerating system information, and letting the AI run reconnaissance commands for us. No credentials. No exploits. Just conversation.

Attendees will learn:
- How AI agent architectures create new attack surfaces
- Practical jailbreak techniques for tool-enabled LLMs
- The &quot;Confused Deputy&quot; problem in AI systems
- Defense strategies for securing AI agents</abstract>
                <slug>bsidesluxembourg-2026-89159-talk-to-a-shell-exploiting-ai-agent-in-real-time</slug>
                <track>AI Security Village</track>
                
                <persons>
                    <person id='88891'>Parth Shukla</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/GLKSMY/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/GLKSMY/feedback/</feedback_url>
            </event>
            <event guid='7bf1e196-30bc-5d61-be04-6253e7cb3563' id='92261' code='LBYZCG'>
                <room>IFEN room 2, Workshops and AI Security Village  (Building D)</room>
                <title>Teaming, Trust, and Threats: How Humans Interact with Generative AI in Security</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T14:00:00+02:00</date>
                <start>14:00</start>
                <duration>00:40</duration>
                <abstract>Generative AI may not yet be stealing everyone&apos;s jobs, but it is already impacting the way that we interact with computers, with important implications for cybersecurity. Difficult tasks like network analysis, social engineering defense, and writing safe software will require humans and AI to form teams while relying on mutual trust, and an understanding of the threats posed by the misuse of AI by bad actors. This talk explores research in Human-Computer Interaction applied to understanding teaming, trust, and threats of Generative AI in cybersecurity.</abstract>
                <slug>bsidesluxembourg-2026-92261-teaming-trust-and-threats-how-humans-interact-with-generative-ai-in-security</slug>
                <track>AI Security Village</track>
                
                <persons>
                    <person id='92495'>Tailia Malloy</person>
                </persons>
                <language>en</language>
                <description>In this talk, I will present research in Human-Computer Interaction focusing on how people use Generative AI technologies like ChatGPT, Google&apos;s Gemini, and Anthropic&apos;s Claude in cybersecurity contexts. This will begin with background in computational cognitive modeling and how it relates to cybersecurity in my research. Next, I will describe my past research applying these models of human learning to the design of better AI systems for anti-phishing social engineering training and network analysis recommendations. Finally, I will discuss my current and future research on human interaction with LLM agents applied to software engineering and spear-phishing website generation.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/LBYZCG/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/LBYZCG/feedback/</feedback_url>
            </event>
            <event guid='7660af63-095e-5645-a475-2cdb0584e27f' id='91904' code='QW3PJK'>
                <room>IFEN room 2, Workshops and AI Security Village  (Building D)</room>
                <title>The Agents of Chaos: AI Driven Malware Generation</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T14:40:00+02:00</date>
                <start>14:40</start>
                <duration>00:40</duration>
                <abstract>With the use of AI agents catching wind across the offensive security space, from phishing, to fuzzing and penetration testing, it was inevitable that malware would follow suit. While most discussions focus on using AI to generate malicious payloads at the malware&#8217;s runtime, or &quot;vibe coding&quot; it, we went a step further: we built a system where AI is the sole participant in the malware creation process itself.
We will begin by talking about how we got to this point, what sparked the idea, and jump into comparing different models - showing which gave the best code, which was most evasive, which prompts worked the best, and what we used in the agent.
We will then dig into the generation process itself &#8211; we will show the challenges with earlier implementations and how we solved them, how to build the workflow to maximize the malware&#8217;s capability and randomization, and even how it managed to break signatures.
We will finish by showing how the resulting malware is performing, comparing different samples, and showing how each sample defeated several static malware analyzers, as well as talk about what&apos;s next for this agent, and what&apos;s next in the domain of AI-generated malware.</abstract>
                <slug>bsidesluxembourg-2026-91904-the-agents-of-chaos-ai-driven-malware-generation</slug>
                <track>AI Security Village</track>
                
                <persons>
                    <person id='91963'>Arad Donenfeld</person>
                </persons>
                <language>en</language>
                <description>Modern AI systems have moved far beyond rule-based automation and are now capable of generating complex, functional software. While most discussions focus on productivity benefits like code generation and vibe coding, the same capabilities can also be applied to offensive security. This session explores a research project that examines how AI models can be orchestrated to autonomously generate new malware samples, and what this means for both attackers and defenders.

The talk focuses on understanding the process and experimentation space behind AI-driven malware generation: how model behavior changes depending on prompts, model selection, validation workflows, and code restructuring techniques.

The main things that are explored in the presentation:

**Prompt design and task framing (what the model is asked to do)**
Directly asking a model to write ransomware often fails due to safety controls or poor results. By reframing tasks, such as generating behavioral descriptions first and then implementing them in code, it becomes possible to produce working implementations while avoiding many common failure modes.

**Model selection and orchestration (which models do what)**
Different models excel at different tasks. The agent combines uncensored local models for unrestricted generation, stronger coding models for fixes, and remote models for validation. This multi-model approach improves reliability compared to relying on a single model.

**Automated generation and validation loops (ensuring working output)**
Generated code is automatically compiled, tested, and fed back into models when errors occur. This loop allows the system to fix compilation issues, improve functionality, and rely on working samples without manual intervention.

**Code diversity and detection evasion (how &#8220;new&#8221; samples are created)**
By allowing models to choose different implementations, encryption methods, structures, and even programming languages, each generated sample can look structurally different while doing relatively the same task.

**Feature expansion (beyond basic malware behavior)**
When prompted appropriately, models sometimes add additional behaviors such as persistence, system discovery, evasion checks, or data exfiltration attempts, demonstrating how AI can generate increasingly complex malware variants.

What can you gain from this

- A practical view of how AI models can be chained together to generate functional malware samples.

- An understanding of how prompts, model choice, and validation workflows affect output reliability and detectability.

- A framework that researchers and defenders can use to generate diverse samples for testing detection systems.

While the presentation uses ransomware generation as the running example, the broader takeaway is about how generative AI changes the scale and variability of offensive tooling, and how the same techniques can also be leveraged by defenders to strengthen security systems.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/QW3PJK/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/QW3PJK/feedback/</feedback_url>
            </event>
            <event guid='7a68720c-eb9f-53c5-9b59-b56ab469a2d9' id='92577' code='TGFQH9'>
                <room>IFEN room 2, Workshops and AI Security Village  (Building D)</room>
                <title>When LLMs Summarize Security Findings: The Tradeoffs You Can&#8217;t Ignore</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T15:40:00+02:00</date>
                <start>15:40</start>
                <duration>00:40</duration>
                <abstract>LLMs are often presented as a shortcut from &#8220;hundreds of findings&#8221; to &#8220;actionable summary.&#8221; In reality, getting useful and trustworthy output is less about a single prompt and more about understanding the knobs you can turn - and what typically happens when you turn them.

This talk uses vulnerability assessment results analysis as a concrete example task, but the goal is broader: a research-style exploration of the design space for LLM-assisted summarization. We&#8217;ll map the main control surfaces - goal definition, output constraints, input shaping, model selection, evaluation methods, and cost/latency budgets - and show how changing each one affects faithfulness, specificity, consistency, and failure modes.

The session offers a practical framework for experimenting safely: define measurable requirements, run iterative comparisons, and use structured judging to learn which combinations of knobs move you toward &#8220;useful&#8221; versus &#8220;confidently wrong.&#8221; Attendees leave with a repeatable way to reason about tradeoffs and a set of patterns they can apply to other security summarization problems.</abstract>
                <slug>bsidesluxembourg-2026-92577-when-llms-summarize-security-findings-the-tradeoffs-you-can-t-ignore</slug>
                <track>AI Security Village</track>
                
                <persons>
                    <person id='92790'>Andrey Lukashenkov</person>
                </persons>
                <language>en</language>
                <description>Security teams routinely face large vulnerability assessment reports that are rich in detail but hard to operationalize. LLMs look promising for making this information accessible, yet outcomes vary wildly: some summaries are crisp and helpful; others are vague, incomplete, or subtly inaccurate. This session is a research-driven tour of *why* that happens and *what you can control*.

The talk is not a &#8220;ship this to production tomorrow&#8221; story. It is a guide to the experimentation landscape - using vulnerability findings as an illustrative workload - focused on the knobs you can tune and the behaviors you should expect.

### The core idea: treat LLM summarization as a system with controllable parameters

We&#8217;ll explore six major knob categories:

1. Task framing (what &#8220;good&#8221; means)
    
If you don&#8217;t specify the purpose (e.g., executive risk overview vs. remediation triage vs. compliance-oriented highlights), the model will invent its own. We&#8217;ll discuss how tight vs. broad goals change output specificity and risk of omission.
    
2. Output constraints (how the answer must behave)
    
Word limits, required sections, citation/evidence requirements, and &#8220;no new facts&#8221; rules are not cosmetics&#8212;they change error rates and the model&#8217;s tendency to hedge or hallucinate.
    
3. Input shaping (what the model actually sees)
    
The strongest lever is often preprocessing: deduplicating repetitive data, normalizing fields, extracting key evidence, compressing large reports into context-friendly representations, and moving deterministic operations (like counting/grouping) outside the model. This reduces failure modes and makes evaluation meaningful.
    
4. Model selection (speed, cost, and capability)
    
Different models fail in different ways. We&#8217;ll cover the practical implications of choosing &#8220;fast enough&#8221; versus &#8220;best possible&#8221; and what quality typically degrades first when you optimize for latency/cost.
    
5. Evaluation and judging (how you know it improved)
    
&#8220;Looks good to me&#8221; does not scale. We&#8217;ll outline a lightweight evaluation harness: a rubric that scores faithfulness, completeness, specificity, and usefulness; repeated runs to check consistency; and a structured judging approach to compare variants.
    
6. Iteration strategy (how you converge)
    
Prompt iteration works best when grounded in measurements. We&#8217;ll show a &#8220;vibe coding&#8221; loop that&#8217;s still research-minded: change one knob, rerun tests, observe shifts in failure modes, then decide whether the tradeoff is acceptable for the goal.

### What attendees will take away

- A mental model of the main knobs available when applying LLMs to security summarization tasks
- Predictable &#8220;what happens when you turn it&#8221; patterns (which tweaks usually help, which create new failure modes)
- A repeatable experimentation framework for comparing prompts/models/input formats under real constraints
- A clear tradeoff map: reliability vs. speed vs. cost, plus the engineering consequences of tighter coupling to input structures

While vulnerability assessment results are the running example, the approach generalizes to other security contexts: incident write-ups, alert triage digests, control evidence summaries, and executive reporting.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/TGFQH9/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/TGFQH9/feedback/</feedback_url>
            </event>
            <event guid='d0e564b0-bec7-5629-9148-5dc54c962435' id='90759' code='D3T9SA'>
                <room>IFEN room 2, Workshops and AI Security Village  (Building D)</room>
                <title>Making a risk-informed LLM choice</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T16:20:00+02:00</date>
                <start>16:20</start>
                <duration>00:40</duration>
                <abstract>Every LLM has flaws. It&#8217;s been proven that the guardrails on every LLM can be bypassed. When you&#8217;re thinking about which ones to build your applications on, what are the key risks you need to be aware of?
In this talk, we will dive into our testing methodology for scanning the most popular LLMs for vulnerabilities where we generated hundreds of thousands of prompts across categories including prompt injection, malware, offensive language, and much more.

We&#8217;ll share our LLM risk matrix, and explain the best practices around minimizing the risk of hallucinations, malicious content, indirect prompt injection, and more as you build your LLM-powered applications.</abstract>
                <slug>bsidesluxembourg-2026-90759-making-a-risk-informed-llm-choice</slug>
                <track>AI Security Village</track>
                
                <persons>
                    <person id='90917'>Jeremy Snyder</person>
                </persons>
                <language>en</language>
                <description>Every LLM has risks, from malicious content generation to jailbreak, injection, misinformation and more. In this session, we&apos;ll discuss the approach that we used for categorizing the risk levels of the most popular LLMs that are available for application developers on the leading cloud platforms. We&apos;ll explain:

    What tools we used to do this testing
    How we use those tools
    What categories of problems we&apos;re able to identify
    How we turn the problems into understandable risk for developers and security practitioners to use for making decisions on which LLMs to adopt</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/D3T9SA/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/D3T9SA/feedback/</feedback_url>
            </event>
            <event guid='2e876589-395c-510e-b844-d375f3f8e882' id='85885' code='F7UGVL'>
                <room>IFEN room 2, Workshops and AI Security Village  (Building D)</room>
                <title>Oh Shit I Accidentally Breached an Organization (or many) using AI</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T17:00:00+02:00</date>
                <start>17:00</start>
                <duration>00:40</duration>
                <abstract>In this session we are going to walk through how one &quot;harmless&quot; search spiraled into a multi-organization data breach and how weaponized AI supercharged it into an even bigger leak of sensitive data.
In this session, we&#8217;ll unpack the whole story.</abstract>
                <slug>bsidesluxembourg-2026-85885-oh-shit-i-accidentally-breached-an-organization-or-many-using-ai</slug>
                <track>AI Security Village</track>
                <logo>/media/bsidesluxembourg-2026/submissions/F7UGVL/image_CTALa7q.webp</logo>
                <persons>
                    <person id='86969'>Panagiotis Fiskilis</person>
                </persons>
                <language>en</language>
                <description>During this session we are going to learn how we can weaponize AI for OSINT campaigns, how it can be used/abused by adversaries to perform spear phishing attacks (using the previously mentioned OSINT as a basis). We are going to talk about operational security considerations when weaponizing AI.
During this talk we are going to wear a purple hat by viewing the perspective of both an adversary and a defender.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/F7UGVL/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/F7UGVL/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='IFEN room 3 Workshops and AI Security Village (Building D)' guid='3ecced5f-5a05-593c-a612-364a5528f8d3'>
            <event guid='c388a02e-ccba-58c2-8329-5fef674090b6' id='93488' code='HY3QBJ'>
                <room>IFEN room 3 Workshops and AI Security Village (Building D)</room>
                <title>AI Security village - technical training and implementation</title>
                <subtitle></subtitle>
                <type>Village, 2d (2days x 8h)</type>
                <date>2026-05-07T13:30:00+02:00</date>
                <start>13:30</start>
                <duration>04:30</duration>
                <abstract>The technical track of the AI security village</abstract>
                <slug>bsidesluxembourg-2026-93488-0-ai-security-village-technical-training-and-implementation</slug>
                <track>AI Security Village</track>
                
                <persons>
                    <person id='88891'>Parth Shukla</person><person id='89865'>Nagarjun Rallapalli</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/HY3QBJ/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/HY3QBJ/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Workshops May 6th, Speaker&apos;s room May 7+8th (C1.02.13)' guid='6d57f409-6e10-5f49-9eb1-79fd7d149da7'>
            <event guid='1c73485f-2816-5370-ab3b-e895f9474034' id='90638' code='YGC7EA'>
                <room>Workshops May 6th, Speaker&apos;s room May 7+8th (C1.02.13)</room>
                <title>Dismantle The Bomb</title>
                <subtitle></subtitle>
                <type>Workshop 2h</type>
                <date>2026-05-07T10:00:00+02:00</date>
                <start>10:00</start>
                <duration>02:00</duration>
                <abstract>Dismantle the bomb by performing different tasks</abstract>
                <slug>bsidesluxembourg-2026-90638-2-dismantle-the-bomb</slug>
                <track>Escape games!</track>
                
                <persons>
                    <person id='90958'>Stijn Tomme</person>
                </persons>
                <language>en</language>
                <description>Dismantle the bomb by performing different tasks. The tasks will include:
- Solving ciphers
- Being genuine with a special flashlight
- Lock picking
- Making a key with a Lishi tool
- ...</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/feedback/</feedback_url>
            </event>
            <event guid='103df07c-102e-53b5-8bb6-6c1130477e21' id='90638' code='YGC7EA'>
                <room>Workshops May 6th, Speaker&apos;s room May 7+8th (C1.02.13)</room>
                <title>Dismantle The Bomb</title>
                <subtitle></subtitle>
                <type>Workshop 2h</type>
                <date>2026-05-07T13:30:00+02:00</date>
                <start>13:30</start>
                <duration>02:00</duration>
                <abstract>Dismantle the bomb by performing different tasks</abstract>
                <slug>bsidesluxembourg-2026-90638-3-dismantle-the-bomb</slug>
                <track>Escape games!</track>
                
                <persons>
                    <person id='90958'>Stijn Tomme</person>
                </persons>
                <language>en</language>
                <description>Dismantle the bomb by performing different tasks. The tasks will include:
- Solving ciphers
- Being genuine with a special flashlight
- Lock picking
- Making a key with a Lishi tool
- ...</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/feedback/</feedback_url>
            </event>
            <event guid='e72321ee-f197-5689-b507-dc8549c22aa2' id='90638' code='YGC7EA'>
                <room>Workshops May 6th, Speaker&apos;s room May 7+8th (C1.02.13)</room>
                <title>Dismantle The Bomb</title>
                <subtitle></subtitle>
                <type>Workshop 2h</type>
                <date>2026-05-07T16:00:00+02:00</date>
                <start>16:00</start>
                <duration>02:00</duration>
                <abstract>Dismantle the bomb by performing different tasks</abstract>
                <slug>bsidesluxembourg-2026-90638-4-dismantle-the-bomb</slug>
                <track>Escape games!</track>
                
                <persons>
                    <person id='90958'>Stijn Tomme</person>
                </persons>
                <language>en</language>
                <description>Dismantle the bomb by performing different tasks. The tasks will include:
- Solving ciphers
- Being genuine with a special flashlight
- Lock picking
- Making a key with a Lishi tool
- ...</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Workshops and Stage - Design Space (C1.05.12)' guid='1d52d5bc-e122-502d-8a62-7079b3f6d4a3'>
            <event guid='c889a26e-0d35-5a3b-8aca-b9095077e170' id='89334' code='A7AXTC'>
                <room>Workshops and Stage - Design Space (C1.05.12)</room>
                <title>SPOT - Spear-Phishing Overwatching Tool</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T10:35:00+02:00</date>
                <start>10:35</start>
                <duration>00:40</duration>
                <abstract>Nowadays, the detection of generic mass-scale phishing attacks is quite effective. Techniques that leverage indicators of compromise (IOCs) collection and sharing tools, such as MISP (the Open Source Threat Intelligence Sharing Platform), are well established and give good results in the field. However, detection of targeted attack attempts, aka spear-phishing, is much more challenging because the attackers exploit contextual information about the targets they aim for.

By using up-to-date, relevant and precise information about the inner operations of the targeted company, attackers can make their deception far more effective.

SPOT makes use of state-of-the-art natural language processing (NLP) techniques based on machine learning (ML), and large language models (LLMs) in particular, to try to detect and prevent spear-phishing attack attempts.

This open-source project was co-financed by the LU-CID initiative of the Ministry of the Economy, Luxembourg.</abstract>
                <slug>bsidesluxembourg-2026-89334-spot-spear-phishing-overwatching-tool</slug>
                <track></track>
                
                <persons>
                    <person id='88706'>Pauline Bourmeau (Cookie)</person><person id='89639'>William Robinet</person><person id='89801'>Thibaut Diels</person><person id='89867'>Mathieu Fourcroy</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/A7AXTC/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/A7AXTC/feedback/</feedback_url>
            </event>
            <event guid='aa0a7c5f-f3d4-55ab-bcb4-90ce8bea4beb' id='90254' code='VENKPF'>
                <room>Workshops and Stage - Design Space (C1.05.12)</room>
                <title>Mapping the Invisible: Why System Cartography Matters for Security and Compliance</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T11:20:00+02:00</date>
                <start>11:20</start>
                <duration>00:40</duration>
                <abstract>Modern infrastructures are increasingly complex, distributed, and opaque &#8212; making it difficult for security teams to answer a simple question: what exactly are we protecting?

System cartography provides an essential foundation for cybersecurity governance. It allows organizations to understand their architecture, dependencies, and data flows &#8212; the key to effective risk management, incident response, and compliance.</abstract>
                <slug>bsidesluxembourg-2026-90254-mapping-the-invisible-why-system-cartography-matters-for-security-and-compliance</slug>
                <track></track>
                <logo>/media/bsidesluxembourg-2026/submissions/VENKPF/image_I4p3ada.webp</logo>
                <persons>
                    <person id='90620'>Didier Barzin</person>
                </persons>
                <language>en</language>
                <description>This talk introduces these concepts through [Mercator](https://www.github.com/dbarzin/mercator) an open-source tool designed to map and visualize complex infrastructures. Mercator transforms data from existing sources (CMDB, inventories, scans) into interactive diagrams that help bridge the gap between technical visibility and strategic security management.

Rather than a technical demo, this 40-minute session offers a conceptual overview of how cartography supports risk management, incident response, and regulatory compliance, turning architecture into a living asset for cybersecurity.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/VENKPF/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/VENKPF/feedback/</feedback_url>
            </event>
            <event guid='6df6c494-4a4d-5c9e-b06e-8ec04bbbcbd9' id='89815' code='NQDVUB'>
                <room>Workshops and Stage - Design Space (C1.05.12)</room>
                <title>Cloud Misconfigurations: Poke Poke, Breach</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T13:30:00+02:00</date>
                <start>13:30</start>
                <duration>00:40</duration>
                <abstract>Cloud misconfigurations still cause saying-it-out-loud 99% of cloud security failures, but in 2026 the mistakes have mutated. Today&#8217;s breaches are less &#8220;oops, public bucket&#8221; and more over-privileged identities, sketchy SaaS integrations, forgotten test environments, and dangerously helpful defaults in AI and Kubernetes.

This talk introduces a modern hierarchy of cloud misconfigurations based on late-2025 and early-2026 breach data, then flips the script from post-incident cleanup to pre-deployment prevention using Policy as Code (PaC). Instead of finding problems after attackers do, we stop insecure resources from ever being created. We&#8217;ll wrap with the Toxic Trilogy, a practical model for spotting cloud assets that are statistically doomed, and show how PaC quietly dismantles all three conditions before anyone has to open a ticket.</abstract>
                <slug>bsidesluxembourg-2026-89815-cloud-misconfigurations-poke-poke-breach</slug>
                <track>Cloud track</track>
                
                <persons>
                    <person id='90049'>Kat Fitzgerald</person>
                </persons>
                <language>en</language>
                <description>Cloud security has become very good at finding problems after they ship. Scanners run. Dashboards glow. Tickets multiply. Meanwhile, attackers stroll in through configurations that technically &#8220;passed&#8221; review. In 2026, misconfigurations still understand how to ruin everyone&#8217;s day, not because teams don&#8217;t care, but because cloud complexity has officially outrun human attention.

This session opens with the 2026 hierarchy of cloud misconfigurations, grounded in late-2025 and early-2026 breach data rather than folklore:

- Identity and entitlement overreach as the new breach starter pistol
- SaaS and API integrations quietly bypassing MFA, logging, and common sense
- Storage exposure that survived provider guardrails via authenticated access and CDNs
- Shadow environments and abandoned IaC resources that never got the security memo

From there, I stop poking the fluffy cloud creature and wondering why it bites back. Using the Guardrail Strategy and Policy as Code, security rules become executable laws of physics inside CI/CD pipelines. Public buckets fail builds. Admin-level service accounts get denied. Secrets never make it into source control. Production click-ops quietly undo themselves like a bad idea sobering up.

I&#8217;ll then introduce the Toxic Trilogy: cloud assets that are publicly exposed, highly privileged, and critically vulnerable. PaC&#8217;s real power in 2026 is context. By evaluating how these risks overlap, policies don&#8217;t just find problems, they prevent entire breach classes from ever existing.

The result is faster delivery, fewer incidents, and security that finally keeps up with cloud speed without becoming the team everyone avoids on Slack.

Key Takeaways

- Identify the top cloud misconfiguration patterns of 2026 based on real breach data
- Understand why identity and API integrations now outrank storage as breach drivers
- Recognize the Toxic Trilogy and why its overlap predicts breaches with scary accuracy
- Explain how Policy as Code shifts security from detection to prevention
- Apply a policy-first workflow to block risky cloud deployments before production
- Reduce misconfiguration risk without slowing developers or drowning in tickets</description>
                <recording>
                    <license></license>
                    <optout>true</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/NQDVUB/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/NQDVUB/feedback/</feedback_url>
            </event>
            <event guid='3fd65e9a-985b-5218-b757-b21bf2967c95' id='88474' code='ABKXN7'>
                <room>Workshops and Stage - Design Space (C1.05.12)</room>
                <title>In The Wild Cloud Exfiltration Paths You Might Not Expect</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T14:10:00+02:00</date>
                <start>14:10</start>
                <duration>00:40</duration>
                <abstract>As organizations migrate to the cloud, threat actors&apos; exfiltration tactics and techniques have evolved to target the architectural boundaries of cloud service models (SaaS, PaaS, IaaS). Each service model presents different exfiltration options as the responsibility shifts between cloud providers and customers, creating distinct attack surfaces that threat actors use for exfiltration.

Drawing on hundreds of real-world cases from CrowdStrike incident response and threat hunting, this talk moves past the theory to showcase exfiltration techniques that catch even seasoned defenders off guard. We&apos;ll dive into:

- SaaS Stealth: Abusing Microsoft 365 via third-party apps and silently exfiltrating DocuSign documents using sync functionality.
- The PaaS Pivot: How ETL platforms could be misused for exfiltration.
- IaaS Tactics: Infrastructure tampering and cross-cloud data transfers. 

This session is designed for the defender who has the cloud basics covered but wants to know what they might be missing. Attendees will leave with a clear understanding of these evolved exfiltration paths and most importantly required telemetry and detection ideas.</abstract>
                <slug>bsidesluxembourg-2026-88474-in-the-wild-cloud-exfiltration-paths-you-might-not-expect</slug>
                <track>Cloud track</track>
                
                <persons>
                    <person id='89054'>Tomas Kabrt</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/ABKXN7/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/ABKXN7/feedback/</feedback_url>
            </event>
            <event guid='8bb7107d-82ac-5a7f-a21d-fad122741d4a' id='91186' code='AYMPND'>
                <room>Workshops and Stage - Design Space (C1.05.12)</room>
                <title>Cloud Sovereignty</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T14:50:00+02:00</date>
                <start>14:50</start>
                <duration>00:30</duration>
                <abstract>Presentation on why cloud sovereignty has become a board-level strategic issue, touching on foreign interference, platform lock-in, tech dependency, and the critical insight that not all cloud models are equal.
- Why sovereignty, autonomy, and resilience are executive-level concerns (regulatory mandates, legal exposure, operational continuity)
- The triple threat landscape (foreign interference via US CLOUD Act, platform lock-in costs, tech dependency risks)
- How the guide helps governments and critical organizations with risk mitigation frameworks and compliance mapping
- Two sovereign cloud operating models (Full EU Isolation vs. Guardrail Sovereign)
- Strategic alignment matrix showing how different cloud models match organizational needs
- EU regulatory context (DORA, NIS2, EU Data Act, upcoming Cloud &amp; AI Act)
- Technical controls and implementation priorities</abstract>
                <slug>bsidesluxembourg-2026-91186-cloud-sovereignty</slug>
                <track>Cloud track</track>
                
                <persons>
                    <person id='91429'>Catalin Tiganila</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/AYMPND/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/AYMPND/feedback/</feedback_url>
            </event>
            <event guid='a8b05598-7118-5143-9370-ab575a7e60bd' id='85027' code='YH7DVE'>
                <room>Workshops and Stage - Design Space (C1.05.12)</room>
                <title>Leaky API Keys, Log Tampering, and Account Takeover</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T15:40:00+02:00</date>
                <start>15:40</start>
                <duration>00:40</duration>
                <abstract>The talk will cover common techniques to upload client-side logs to AWS S3 buckets, integrations with third-party database services like Supabase, and server technologies commonly used for financial data processing, all of which result in leaked API keys when misconfigured.  Three distinct vulnerabilities will be demonstrated, each showcasing different variations of the core anti-patterns in multiple contexts. Attendees can expect to receive a structured framework for understanding how these flaws manifest across different technologies. The session will conclude with a comprehensive discussion of targeted fixes that address the root causes of the anti-pattern. It will move beyond surface-level patches to implement architectural solutions that prevent entire classes of similar vulnerabilities. These remediation strategies will include both immediate tactical fixes and longer-term architectural improvements that strengthen overall system security posture.</abstract>
                <slug>bsidesluxembourg-2026-85027-leaky-api-keys-log-tampering-and-account-takeover</slug>
                <track>Cloud track</track>
                
                <persons>
                    <person id='86205'>Aleksa Zatezalo</person>
                </persons>
                <language>en</language>
                <description>The talk will cover common techniques to upload client-side logs to AWS S3 buckets, integrations with third-party database services like Supabase, and server technologies commonly used for financial data processing, all of which result in leaked API keys when misconfigured.  Three distinct vulnerabilities will be demonstrated, each showcasing different variations of the core anti-patterns in multiple contexts. Attendees can expect to receive a structured framework for understanding how these flaws manifest across different technologies. The session will conclude with a comprehensive discussion of targeted fixes that address the root causes of the anti-pattern. It will move beyond surface-level patches to implement architectural solutions that prevent entire classes of similar vulnerabilities. These remediation strategies will include both immediate tactical fixes and longer-term architectural improvements that strengthen overall system security posture.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/YH7DVE/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/YH7DVE/feedback/</feedback_url>
            </event>
            <event guid='eae5a9f3-17f8-5687-aa4c-961aa351b19b' id='97341' code='VEEKAR'>
                <room>Workshops and Stage - Design Space (C1.05.12)</room>
                <title>Infostealer Emulation: Validating Detection of Credential Theft</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T16:20:00+02:00</date>
                <start>16:20</start>
                <duration>00:40</duration>
                <abstract>Infostealers silently harvest credentials, cookies, and sensitive data. This session demonstrates how to emulate infostealer behavior (browser data theft, keylogging, clipboard monitoring, credential dumping) to validate whether your endpoint controls, DLP, and network monitoring would detect the theft and exfiltration. Learn to test your defenses against one of the most prevalent and damaging threat categories.</abstract>
                <slug>bsidesluxembourg-2026-97341-infostealer-emulation-validating-detection-of-credential-theft</slug>
                <track></track>
                
                <persons>
                    <person id='90133'>Filipi Pires</person>
                </persons>
                <language>en</language>
                <description>Outline:

Introduction: The Infostealer Epidemic 
Infostealer TTPs (8 min)
Browser data, keylogging, clipboard, LSASS
DEMO: Browser Credential Theft Emulation (12 min)
DEMO: Keylogger Simulation (8 min)
DEMO: Credential Dumping (LSASS Access) (10 min)
DLP &amp; Network Monitoring Validation (7 min)
Q&amp;A (5 min)</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/VEEKAR/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/VEEKAR/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Workshops and Stage - Gernsback (C1.05.02)' guid='b84d3f24-c35e-59bb-96b9-3b07464f6ab1'>
            <event guid='dc360cd8-9e54-5ef8-8a99-7ff323ec55e3' id='86943' code='SWS9NQ'>
                <room>Workshops and Stage - Gernsback (C1.05.02)</room>
                <title>Unraveling Failure - Lessons from an Avoidable Ransomware&#160;Attack</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T10:35:00+02:00</date>
                <start>10:35</start>
                <duration>00:40</duration>
                <abstract>A real-world ransomware attack on a non-IT company where cybersecurity wasn&#8217;t a priority. Learn how incident management and business continuity collapsed under pressure, what really happens during an attack, and the lessons leaders must learn, shared from real cases presented at BSides.</abstract>
                <slug>bsidesluxembourg-2026-86943-unraveling-failure-lessons-from-an-avoidable-ransomware-attack</slug>
                <track></track>
                <logo>/media/bsidesluxembourg-2026/submissions/SWS9NQ/Mihai_tutulan_sbKCxnc.webp</logo>
                <persons>
                    <person id='87836'>Mihai Tutulan</person>
                </persons>
                <language>en</language>
                <description>Ransomware is no longer an abstract IT risk; it is an operational crisis. This talk presents a real-life ransomware attack against a large, non-IT industrial company where cybersecurity was not considered a business priority.

Through a chronological breakdown of the incident, we explore how a single phishing email escalated into a full IT blackout, shutting down operations, disrupting production, and paralyzing the business for months. The session focuses on incident management under pressure and the failure and rebuilding of the Business Continuity Plan.

Attendees will gain an inside view of:

What actually happens during a ransomware attack, beyond theory and frameworks
How organizational mindset and management decisions amplify impact
Why missing &#8220;basic&#8221; security controls turn incidents into disasters
Practical lessons learned during recovery and transformation
This talk is based on a real case, previously presented at BSides Chi&#537;in&#259;u and BSides Cluj (you can have feedback from the organizers if needed), and is aimed at both technical and non-technical audiences who want to understand ransomware from a business-impact perspective, not just a technical one.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/SWS9NQ/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/SWS9NQ/feedback/</feedback_url>
            </event>
            <event guid='2e09391c-6066-5d9a-97a6-570af2ce756b' id='90398' code='E7WLHY'>
                <room>Workshops and Stage - Gernsback (C1.05.02)</room>
                <title>From CAN Frames to Corporate Firewalls: Life of an Automotive Security Researcher</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T11:20:00+02:00</date>
                <start>11:20</start>
                <duration>00:40</duration>
                <abstract>Modern vehicles are no longer just mechanical machines&#8212;they are complex distributed systems with hundreds of electronic control units, multiple networks, and cloud-connected devices. In this talk, I will share the daily challenges of working as an automotive cybersecurity researcher and how real-world constraints shape security research in the automotive industry.

I will begin with a brief introduction to my role as a security researcher. My work involves analyzing vehicle hardware, telematics systems, IoT modules, and embedded firmware to identify vulnerabilities before attackers do. Unlike traditional IT security, automotive security requires deep knowledge of hardware, embedded systems, radio protocols, and real-time system constraints.

A key part of this talk will focus on automotive communication networks and interfaces. I will explain how in-vehicle networks operate, why security is challenging to implement, and how attackers can exploit weaknesses through message manipulation, spoofing, and denial-of-service techniques. I will also cover interfaces such as UART, JTAG, Bluetooth, cellular modules, and diagnostic ports, highlighting how each interface expands the attack surface.</abstract>
                <slug>bsidesluxembourg-2026-90398-from-can-frames-to-corporate-firewalls-life-of-an-automotive-security-researcher</slug>
                <track></track>
                
                <persons>
                    <person id='90729'>Hrishikesh Somchatwar</person>
                </persons>
                <language>en</language>
                <description>One major challenge in automotive security is that hardware changes are often restricted due to cost, certification, and production constraints. As a result, many security mitigations must be implemented at the firmware or software level.
Real-world case studies will be shared to demonstrate how fraud and attacks occur in connected vehicle ecosystems, including device spoofing, firmware tampering, GPS manipulation, and backend abuse. In manufacturing environments, even short security incidents can halt production lines, causing significant financial impact, highlighting why automotive cybersecurity is critical infrastructure protection.

I will also reflect on the difference between being a hardware hacker and working in corporate security environments where responsible disclosure, risk management, and compliance are essential alongside technical skills.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/E7WLHY/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/E7WLHY/feedback/</feedback_url>
            </event>
            <event guid='aac27f9e-bc4f-5b4d-860e-5bb1767ec747' id='95336' code='LW9DDS'>
                <room>Workshops and Stage - Gernsback (C1.05.02)</room>
                <title>Trust and Traceability: developer observability in the AI-powered SDLC</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T13:30:00+02:00</date>
                <start>13:30</start>
                <duration>00:40</duration>
                <abstract>Trust and Traceability: Developer Observability in the AI-Powered SDLC 

Safeguarding the enterprise with superior AI risk governance 

It has been over three years since AI coding tools first landed, and in 2026, more than three-quarters of developers are using them in their workflows... with or without the knowledge and blessing of the AppSec team. Rumors of developers being replaced entirely have been exaggerated, but crucially, the use of AI in enterprise environments has further uncovered the significant security skills gap that exists among them as they struggle to identify and mitigate vulnerable, AI-generated code. 

Security programs must evolve rapidly to reduce this emerging threat vector, but many CISOs lack the necessary data and insights to effectively empower their development cohorts. With AI coding tools touted as both a blessing and a curse for development and software security, there is no better time to ensure the enterprise security program is not just updated to accommodate the increased attack surface, but also actively optimized for SDLC efficiency and cyber defense. 

World-class security leaders must rise to the occasion and lead proactive security programs that utilize the right tech stack and strategy to manage developer risk through high observability of their security skills, as well as the security efficacy of their AI technology stack. Developers have immense potential to be central to a defensive security strategy, and they can be empowered with the right knowledge to transform their approach to coding and adopt a security-first mindset. This revolution is vital as the use of AI coding tools grows, and critical thinking from the developer is a must to deploy them safely in their workflow.

Based on AI experiments and key research with CISOs, the presentation reveals the critical pathways security leaders can take to execute incredible developer-focused training programs that reduce risk, shift negative security sentiment in the development cohort, and safely adapt AI technology with precision governance, including:

    Understanding comparisons between AI and human coding, what works, and what can affect enterprise security maturity.
    Navigating AI data quality issues and establishing safe pair programming with unprecedented developer observability.
    Developer upskilling, including benchmarking and growing key security skills with knowledge and governance that leads to better risk mitigation.
    How to establish a skills baseline among developers, and grow relevant competency quickly.
    The pitfalls of AI vulnerability detection, and the skillset your developers must master to overcome hallucination, insecure code generation and misconfiguration.</abstract>
                <slug>bsidesluxembourg-2026-95336-trust-and-traceability-developer-observability-in-the-ai-powered-sdlc</slug>
                <track>Secure Development track</track>
                
                <persons>
                    <person id='95894'>Omar Rachid</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/LW9DDS/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/LW9DDS/feedback/</feedback_url>
            </event>
            <event guid='c51f3ee8-014c-51e3-911a-c2f08555a2f0' id='85262' code='XMJTXP'>
                <room>Workshops and Stage - Gernsback (C1.05.02)</room>
                <title>Managing Uninvited Guests: Securing Open Source Dependencies</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T14:10:00+02:00</date>
                <start>14:10</start>
                <duration>00:35</duration>
                <abstract>Open source software is the ultimate neighborhood party&#8212;doors open, music playing, people bringing their best dishes (or code). Projects grow fast, the energy is contagious, and everyone benefits from the collective creativity. But in every good party, there&#8217;s risk: the friend-of-a-friend-of-a-friend who slips in unnoticed, doesn&#8217;t follow the house rules, and eventually leaves you with a hole in the drywall.

In the open source world, that&#8217;s dependency hell. It starts with a package you trust&#8212;but that package has its own dependencies, which have their own dependencies, and somewhere deep in that chain lurks outdated, vulnerable, or even malicious code. You didn&#8217;t invite it, you don&#8217;t know it&#8217;s there, but it&#8217;s living in your codebase rent-free. And attackers love this&#8212;because if they compromise just one small link in that long chain, they can crash your entire project.

In this session, we&#8217;ll dig into the messy reality of dependency hell and its role in software supply chain security incidents. We&#8217;ll examine real-world examples where hidden or neglected dependencies became the entry point for compromise, from typosquatting attacks to maintainer account takeovers. We&#8217;ll explore why it&#8217;s not just about malicious intent&#8212;sometimes the &#8220;bad guest&#8221; is simply an abandoned project with known CVEs that no one bothered to patch.</abstract>
                <slug>bsidesluxembourg-2026-85262-managing-uninvited-guests-securing-open-source-dependencies</slug>
                <track>Secure Development track</track>
                
                <persons>
                    <person id='86386'>Kadi McKean</person>
                    <person id='86387'>Frithjof Hoffmann</person>
                </persons>
                <language>en</language>
                <description>Open source is like a house party&#8212;everyone&#8217;s invited. But dependency hell is that friend-of-a-friend-of-a-friend who puts a hole in the wall. One rogue package can take down your whole project. Learn how to spot and block unwanted guests before they trash your software supply chain.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/XMJTXP/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/XMJTXP/feedback/</feedback_url>
            </event>
            <event guid='738a9faf-b737-5c4d-9b61-9acafc931562' id='92007' code='WDFHHV'>
                <room>Workshops and Stage - Gernsback (C1.05.02)</room>
                <title>When Filenames Become Attack Surfaces: Weaponizing NASA&#8217;s CFITSIO Extended Filename Syntax</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T14:45:00+02:00</date>
                <start>14:45</start>
                <duration>00:35</duration>
                <abstract>CFITSIO is a NASA-maintained library widely used for reading and writing FITS (Flexible Image Transport System) data across astronomy, astrophotography, and scientific software. The raw data behind the stunning images from Hubble and Webb telescopes &#8212; and even from casual backyard observatories &#8212; is stored in FITS format. CFITSIO is often embedded deep inside larger applications and services. One of its core features, **Extended Filename Syntax (EFS)**, turns what appears to be a simple filename into a powerful **mini-language** supporting virtual files, filtering, filesystem interaction, and network access.

This talk presents original security research into CFITSIO&#8217;s Extended Filename Syntax and shows how it quietly expands the attack surface of applications that rely on default CFITSIO APIs. I will demonstrate how EFS can be abused to enable multiple high-impact security primitives, including arbitrary file operations, server-side request forgery, protocol-level manipulation, and unintended data exposure.

These issues are not classic memory corruption bugs, but abuses of legitimate, documented features that are enabled by default and inherited by third-party software without explicit awareness or threat modeling. This research builds on earlier CFITSIO vulnerabilities I previously reported and highlights how feature-rich parsing logic can turn filenames into a **supply-chain attack surface**.</abstract>
                <slug>bsidesluxembourg-2026-92007-when-filenames-become-attack-surfaces-weaponizing-nasa-s-cfitsio-extended-filename-syntax</slug>
                <track>Secure Development track</track>
                
                <persons>
                    <person id='92264'>Adrian Denkiewicz</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/WDFHHV/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/WDFHHV/feedback/</feedback_url>
            </event>
            <event guid='1ef6c0da-0d0e-5a78-8351-1383a4f37d2c' id='89382' code='7HCSG3'>
                <room>Workshops and Stage - Gernsback (C1.05.02)</room>
                <title>Out of Security Exception - What to Do Without an Expert to Secure Your Software</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T15:40:00+02:00</date>
                <start>15:40</start>
                <duration>00:40</duration>
                <abstract>&#8220;We requested a review from security a month ago and there&#8217;s no feedback.&#8221; Does this sound familiar to you? Maybe you&#8217;ve heard that your security team is occupied with other tasks that are &#8220;higher priority&#8221; and your product is just not. &#8220;Nothing we can do, security is an expert&#8217;s job.&#8221; Or maybe you simply don&#8217;t have any dedicated security team in your company. So, your hands are bound and you can&#8217;t do anything anyways, right? 

What if you could, though? What if you could do a lot more than you might think to make your software more secure? What if you could save time and effort by taking security into your own hands?

In this talk, we&#8217;ll go through several activities that you might already do right now, and demonstrate how you can shape these to improve your product&#8217;s security posture. Let&#8217;s take a few examples: when you&#8217;re analyzing the next product changes, you can use threat modeling to also consider potential security issues and hence plan their implementation with security in mind. Collaborating across roles on developing the changes can help you detect security flaws before they make it to production. Investing in maintenance and reducing technical debt will at the same time make your product a less attractive target. When observing production, you can spot malicious actors probing your system enabling you to respond before harm is done.

If you apply good software development practices, they help you make your product more secure, and good security practices help you make software that provides more value and less harm. With and without an expert at hand.

Key learnings:
- Stop waiting for dedicated security experts and start acting yourself
- Understand how good software development practices support security practices and vice versa
- Gain insights on what an engineering team can do themselves to build secure enough products
- Learn how to use this newly found leverage of benefits on all sides when prioritizing which changes and activities to invest in</abstract>
                <slug>bsidesluxembourg-2026-89382-out-of-security-exception-what-to-do-without-an-expert-to-secure-your-software</slug>
                <track>Secure Development track</track>
                
                <persons>
                    <person id='89834'>Lisi Hocke</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/7HCSG3/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/7HCSG3/feedback/</feedback_url>
            </event>
            <event guid='b3db2f32-c012-515c-b372-1910e7365a75' id='94030' code='QVEUXA'>
                <room>Workshops and Stage - Gernsback (C1.05.02)</room>
                <title>Turnkey Code &#8211; Enhancing Secrets Management in Large Scale Organizations</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T16:20:00+02:00</date>
                <start>16:20</start>
                <duration>00:40</duration>
                <abstract>Everyone agrees leaked secrets are dangerous, yet most organizations still struggle to detect, triage, and fix them effectively. Scanners generate noise, developers ignore alerts, and real secrets slip through unnoticed.

This talk shares the real-world story of building a turnkey secrets scanning and triage platform from scratch, using and extending open-source tools. Designed for scale, the system focuses on reducing false positives, automating validation, and integrating seamlessly into CI/CD pipelines.

Through live demos and practical examples, attendees will see how to turn secrets detection from a checkbox into an actionable security program. The session focuses on real engineering decisions, lessons learned, and how the community can reuse these ideas to solve a problem many know exists, but few truly address.</abstract>
                <slug>bsidesluxembourg-2026-94030-turnkey-code-enhancing-secrets-management-in-large-scale-organizations</slug>
                <track>Secure Development track</track>
                
                <persons>
                    <person id='93906'>Diogo Lemos</person>
                </persons>
                <language>en</language>
                <description>This session will focus on the implementation, benefits, and challenges of building a scalable, open-source secrets scanning and management platform, designed to tackle a problem that is widely recognized but often ignored. I will start by describing the current state of secrets management in organizations: while most know exposed secrets are a serious risk, few have the processes, tooling, or awareness to handle them effectively. Existing scanners often produce too many false positives, lack context, or fail to integrate seamlessly into developer workflows, leaving teams frustrated and secrets at risk.

I will explain the motivation for creating Turnkey Code, emphasizing a passion for building practical solutions that are genuinely useful for other security engineers. Rather than buying a commercial tool, we approached the problem as a challenge: how to build a system that scales across repositories, integrates into CI/CD pipelines, and delivers actionable findings without overwhelming developers. I will cover the architecture, including scanning strategies, entropy-based detection, pattern rules, validation logic, and confidence scoring.

The session will also include a live demo, showing how the tool scans a real repository, identifies secrets, reduces false positives, and triages findings through dashboards. I will walk through automation workflows, integration with CI/CD, and how teams can track remediation and ownership. Throughout the talk, I will share lessons learned from deployment, including adoption hurdles, scaling challenges, and strategies for raising awareness about this underestimated risk.

Attendees will leave with practical knowledge of secrets management at scale, including actionable techniques, integration strategies, and access to an open-source tool they can use immediately. By sharing our approach, the session aims to raise awareness across the community, provide a repeatable method for handling secrets, and encourage engineers to build solutions that solve real problems.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/QVEUXA/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/QVEUXA/feedback/</feedback_url>
            </event>
            <event guid='0950e315-d5af-545f-851f-f9f627a8108b' id='85609' code='KRDZWR'>
                <room>Workshops and Stage - Gernsback (C1.05.02)</room>
                <title>The Forgotten Fingerprint: DNS Based OSINT Techniques for Product &amp; Service Discovery</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-07T17:00:00+02:00</date>
                <start>17:00</start>
                <duration>00:35</duration>
                <abstract>This talk explores a DNS-based OSINT technique that uncovers hidden services and technology dependencies through large-scale TXT record analysis. Attendees will learn how these overlooked records can reveal valuable insights for both offensive and defensive security, and how to integrate this methodology into existing reconnaissance workflows using tools like Nuclei and OWASP Amass.</abstract>
                <slug>bsidesluxembourg-2026-85609-the-forgotten-fingerprint-dns-based-osint-techniques-for-product-service-discovery</slug>
                <track>Secure Development track</track>
                
                <persons>
                    <person id='86678'>Rishi (@rxerium)</person>
                </persons>
                <language>en</language>
                <description>I will present a DNS-based OSINT methodology for uncovering products and services through large-scale TXT record scanning. This previously unpublished approach shows how certain TXT records reveal more than domain ownership or validation details, exposing the presence of third-party services and platforms. For example, entries like google-site-verification, MS=msXXXX, or vendor-specific SPF includes can highlight dependencies on Google Workspace, Microsoft 365, or other cloud services.

By analysing these records programmatically across large DNS zones, security teams can create detailed maps of an organisation&#8217;s technology stack and supply chain affiliations. This intelligence is invaluable for identifying weaknesses and understanding attack paths, providing defenders actionable context while showing the scale of information accessible to attackers.

I integrated this scanning technique into open-source tools including Nuclei and OWASP Amass. These enhancements let security professionals incorporate TXT record reconnaissance into broader asset discovery workflows, improving the depth and precision of enumeration efforts.

This talk features a real-world case study from the August&#8211;September 2025 Salesloft breach, where this method identified the Drift service across infrastructure. Attendees will gain practical tactics, reproducible methods, and tooling to strengthen assessments and apply actionable insights in real-world engagements.</description>
                <recording>
                    <license></license>
                    <optout>true</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/KRDZWR/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/KRDZWR/feedback/</feedback_url>
            </event>
            
        </room>
        
    </day>
    <day index='3' date='2026-05-08' start='2026-05-08T04:00:00+02:00' end='2026-05-09T03:59:00+02:00'>
        <room name='Atrium (common area)' guid='fdf8693e-170e-5bb7-9e30-eff972c8b09d'>
            <event guid='e1ccf492-283d-5e9d-810c-e47a9110002f' id='85198' code='3CLCMG'>
                <room>Atrium (common area)</room>
                <title>Car Hacking Village</title>
                <subtitle></subtitle>
                <type>Village, 2d (2days x 8h)</type>
                <date>2026-05-08T09:00:00+02:00</date>
                <start>09:00</start>
                <duration>03:00</duration>
                <abstract>The Car Hacking Village offers attendees a hands-on, immersive environment to explore the security of modern vehicles. As cars continue to evolve into complex, connected computer systems, the need to understand their attack surfaces and defensive challenges grows. This village provides a safe and controlled space where participants can learn, experiment, and collaborate on real automotive cybersecurity techniques.</abstract>
                <slug>bsidesluxembourg-2026-85198-2-car-hacking-village</slug>
                <track>Villages in Atrium</track>
                
                <persons>
                    <person id='86349'>Roald Nefs</person>
                </persons>
                <language>en</language>
                <description>The village includes a fully equipped setup featuring simulated vehicle networks, CAN bus tooling, instrument clusters, ECUs, and other automotive components. Attendees can:

- Interact with the CAN bus and observe how in-vehicle communication works
- Capture, analyze, and replay automotive network traffic
- Reverse engineer messages sent to various vehicle subsystems
- Craft spoofed signals to manipulate components such as instrument clusters
- Explore common vulnerabilities in today&apos;s vehicle architectures
- Learn practical defensive considerations for securing automotive systems

All activities are guided and designed to be accessible to beginners while still offering depth for more experienced researchers.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/3CLCMG/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/3CLCMG/feedback/</feedback_url>
            </event>
            <event guid='c5ce6e4a-404e-53d5-b296-19fae17d09d7' id='85198' code='3CLCMG'>
                <room>Atrium (common area)</room>
                <title>Car Hacking Village</title>
                <subtitle></subtitle>
                <type>Village, 2d (2days x 8h)</type>
                <date>2026-05-08T13:30:00+02:00</date>
                <start>13:30</start>
                <duration>04:30</duration>
                <abstract>The Car Hacking Village offers attendees a hands-on, immersive environment to explore the security of modern vehicles. As cars continue to evolve into complex, connected computer systems, the need to understand their attack surfaces and defensive challenges grows. This village provides a safe and controlled space where participants can learn, experiment, and collaborate on real automotive cybersecurity techniques.</abstract>
                <slug>bsidesluxembourg-2026-85198-3-car-hacking-village</slug>
                <track>Villages in Atrium</track>
                
                <persons>
                    <person id='86349'>Roald Nefs</person>
                </persons>
                <language>en</language>
                <description>The village includes a fully equipped setup featuring simulated vehicle networks, CAN bus tooling, instrument clusters, ECUs, and other automotive components. Attendees can:

- Interact with the CAN bus and observe how in-vehicle communication works
- Capture, analyze, and replay automotive network traffic
- Reverse engineer messages sent to various vehicle subsystems
- Craft spoofed signals to manipulate components such as instrument clusters
- Explore common vulnerabilities in today&apos;s vehicle architectures
- Learn practical defensive considerations for securing automotive systems

All activities are guided and designed to be accessible to beginners while still offering depth for more experienced researchers.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/3CLCMG/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/3CLCMG/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Atrium (common room) 2' guid='663a9ff0-e9f4-52f8-95ae-2af2e2e913dd'>
            <event guid='0bc42683-1558-5137-9706-51b928c66cd7' id='92182' code='9FGWWQ'>
                <room>Atrium (common room) 2</room>
                <title>Lockpicking Village</title>
                <subtitle></subtitle>
                <type>Village, 2d (2days x 8h)</type>
                <date>2026-05-08T09:00:00+02:00</date>
                <start>09:00</start>
                <duration>03:00</duration>
                <abstract>Learn or practice your lockpicking skills in the lockpicking village.
Experts say that this has real-life impact, not only to red teamers!</abstract>
                <slug>bsidesluxembourg-2026-92182-2-lockpicking-village</slug>
                <track>Villages in Atrium</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>There will be all sorts of lockpicking equipment available for you to practice, guided by our volunteers.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/9FGWWQ/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/9FGWWQ/feedback/</feedback_url>
            </event>
            <event guid='d860f819-c29b-5750-8e57-5856cc07c51b' id='92182' code='9FGWWQ'>
                <room>Atrium (common room) 2</room>
                <title>Lockpicking Village</title>
                <subtitle></subtitle>
                <type>Village, 2d (2days x 8h)</type>
                <date>2026-05-08T13:30:00+02:00</date>
                <start>13:30</start>
                <duration>04:30</duration>
                <abstract>Learn or practice your lockpicking skills in the lockpicking village.
Experts say that this has real-life impact, not only for red teamers!</abstract>
                <slug>bsidesluxembourg-2026-92182-3-lockpicking-village</slug>
                <track>Villages in Atrium</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>There will be all sorts of lockpicking equipment available for you to practice, guided by our volunteers.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/9FGWWQ/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/9FGWWQ/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Main Stage' guid='75d481b1-868b-58be-a3aa-7a08dfdaa6bb'>
            <event guid='62e90198-593e-51b3-ac5e-02799f070b3b' id='96099' code='X33JUT'>
                <room>Main Stage</room>
                <title>Killing Killnet</title>
                <subtitle></subtitle>
                <type>KEYNOTE</type>
                <date>2026-05-08T09:00:00+02:00</date>
                <start>09:00</start>
                <duration>00:40</duration>
                <abstract>Killnet built its reputation as a decentralized Russian hacktivist force - loud, chaotic, and conveniently aligned with Kremlin objectives. But under the surface, it was something else entirely: a centralized operation controlled by a small group, using noise and hate as cover.

This is the inside story of how a team of just nine people delivered a kill shot to destroy this illusion.

Through targeted investigation and direct engagement, we exposed Killnet&#8217;s critical weakness: a financial link to Solaris, at that time, one of Russia&#8217;s largest dark web drug markets. By publicly tying their operations to organized cybercrime - we disrupted their narrative, broke internal trust, and triggered full collapse. The result? Loss of state support, severed financial channels, and a rapid implosion of the group&#8217;s infrastructure.

We&#8217;ll walk through how we tracked Killnet&#8217;s leadership, exposed its frontman &#8220;KillMilk,&#8221; and uncovered the criminal network behind the public facade. Along the way, you&#8217;ll get a firsthand look at the real tactics - OSINT, infiltration, pressure points - that brought down one of the most visible cyber collectives.

This isn&#8217;t just a postmortem. It&#8217;s a case study in strategic disruption, showing how small teams can go head-to-head with well-funded adversaries - and win.</abstract>
                <slug>bsidesluxembourg-2026-96099-killing-killnet</slug>
                <track></track>
                
                <persons>
                    <person id='92825'>Alex Holden</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/X33JUT/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/X33JUT/feedback/</feedback_url>
            </event>
            <event guid='3585bfa8-6774-51b7-b45e-89a01f7073a3' id='96226' code='89DT9B'>
                <room>Main Stage</room>
                <title>Building a &quot;Mythos-ready&quot; Security Program</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-08T09:40:00+02:00</date>
                <start>09:40</start>
                <duration>00:40</duration>
                <abstract>The briefing introduces a framework for organizational response organized across three time horizons, structured around five critical risks, seven high risks, and one medium risk. The framework defines 11 priority actions: Immediate (this week), Near-term (30-90 days), and Strategic (6-12 months).

Being &quot;Mythos-ready&quot; does not mean reacting to one model or one announcement. It means permanently closing the gap between how fast vulnerabilities are found and how fast an organization can respond. The same AI capabilities that create this risk also create defensive opportunity: organizations can now find their own weaknesses before attackers do, review code at machine speed, and respond to incidents faster than any human team.

The industry has navigated systemic, hard-deadline threats before. Y2K required coordinated, disciplined effort &#8212; and the industry met it. The tools available to defenders today are substantially more powerful. Every action in this framework can begin this week.</abstract>
                <slug>bsidesluxembourg-2026-96226-building-a-mythos-ready-security-program</slug>
                <track></track>
                
                <persons>
                    <person id='91429'>Catalin Tiganila</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/89DT9B/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/89DT9B/feedback/</feedback_url>
            </event>
            <event guid='ad0e6590-b3b2-5a59-8418-424b8cbede6e' id='92597' code='DGHXCG'>
                <room>Main Stage</room>
                <title>Why I Go to the Dark Web Every Day</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-08T10:40:00+02:00</date>
                <start>10:40</start>
                <duration>00:40</duration>
                <abstract>The Dark Web is a scary place. In order to deter cybercrime, I feel confident exploring its dangerous grounds and know well how to use the Dark Web to defend the victims. I want to invite you on this journey of venturing far beyond your defense perimeter, where cyber criminals are just planning their attacks, and teach you how you can use this knowledge as defensive skills to prevent attacks from happening in the first place.</abstract>
                <slug>bsidesluxembourg-2026-92597-why-i-go-to-the-dark-web-every-day</slug>
                <track></track>
                
                <persons>
                    <person id='92825'>Alex Holden</person>
                </persons>
                <language>en</language>
                <description>What do you need to know before going on the Dark Web? Preparation for the journey is not only technical skills but understanding of the Dark Web dynamics, linguistics, and social engineering.
Filled with practical examples of real-time exploitation of the threat actors on the Dark Web, we define a problem and start our journey.

As we travel along, we will identify meta-types of threat actors and actresses which we might encounter, discussing each type&apos;s skills and threat types. How to approach each one of them without giving yourself away? What are the possible gains and pitfalls? What drove these individuals to infamy, and how did their misdeeds change the threat landscape forever?

Finally, the lessons &#8211; know your enemy. Know your enemy&apos;s weapons. Stop the threat actor = stop the crime.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/DGHXCG/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/DGHXCG/feedback/</feedback_url>
            </event>
            <event guid='1e1dec0a-3870-53d8-b696-4cca6ca1f5be' id='89633' code='UHLYXM'>
                <room>Main Stage</room>
                <title>Confound and Delay: Honeypot Chronicles from the Digital Battlefield</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-08T11:20:00+02:00</date>
                <start>11:20</start>
                <duration>00:40</duration>
                <abstract>Embark on a whirlwind tour of global cyber deception with a seasoned(?) security engineer who&apos;s been running honeypots in some of the world&apos;s most intriguing locales, including the bustling digital battleground of Ukraine. This talk will blend humor and hard-won wisdom to reveal the lessons learned from deploying, customizing, and maintaining honeypots across diverse environments. Participants will enjoy a lively narrative filled with tales of cyber trickery, cultural quirks, and the occasional mishap, all while gaining actionable insights into enhancing their own security strategies.</abstract>
                <slug>bsidesluxembourg-2026-89633-confound-and-delay-honeypot-chronicles-from-the-digital-battlefield</slug>
                <track></track>
                
                <persons>
                    <person id='90049'>Kat Fitzgerald</person>
                </persons>
                <language>en</language>
                <description>Imagine being a digital beekeeper, setting up traps for cyber threats in some of the most unexpected places around the globe, from the frosty landscapes of Ukraine to the bustling tech hubs of Tokyo. Over the years, I&#8217;ve had the peculiar pleasure of watching bad actors stumble into these traps, often with the same grace as a bull in a china shop. This talk is less about the &#8220;how&#8221; and more about the &#8220;what-the-heck-just-happened&#8221; moments that have made this journey unforgettable. Buckle up for a rollercoaster ride through the wild world of global honeypots, where every server tells a story, and sometimes, that story is downright hilarious.

Introduction: Setting the Scene
- Brief overview of honeypots and their purpose in cybersecurity.
- Introduction to me: a globe-trotting security engineer with a knack for storytelling and a passion for cyber deception.
- A quick teaser of the countries covered.

The Global Honeypot Experience
- A World Tour of Cyber Threats:
- Overview of the countries where honeypots were deployed.
- Brief anecdotes about the unique cyber threats and attack patterns observed in each location.
- Cultural and Environmental Considerations:
- How local culture and internet infrastructure impact honeypot deployment.
- Humorous tales of language barriers, time zone mix-ups, and unexpected technical challenges.

Customizing Honeypots for Different Environments
- One Size Does Not Fit All:
- Detailed examples of how honeypots were tailored to mimic local systems and applications.
- Creative tweaks and customizations that improved effectiveness.
- Lessons from the Field:
- Success stories and failures that provided valuable insights.
- Practical tips for customizing honeypots in various environments.

Operational Challenges and Triumphs
- Keeping the Honeypots Buzzing:
- Maintenance and monitoring strategies that worked (and those that didn&#8217;t).
- Tools and technologies that proved invaluable.
- Handling the Unexpected:
- Funny and frustrating incidents, from unexpected downtime to bizarre attack vectors.
- Lessons on resilience and adaptability.

Analyzing and Responding to Attacks
- From Data to Defense:
- How the data collected from honeypots informed broader security strategies.
- Real-life examples of attacks thwarted thanks to honeypot intelligence.
- The Human Element:
- Stories of interacting with curious researchers, bemused sysadmins, and relentless attackers.
- The importance of community and collaboration in the cybersecurity landscape.

Key Takeaways and Future Directions
- Summing Up:
- Recap of the most important lessons learned from the global honeypot project.
- Actionable advice for those looking to implement or enhance their own honeypot strategies.
- Looking Ahead:
- Emerging trends in cyber deception and honeypot technology.
- Exciting new challenges and opportunities on the horizon.</description>
                <recording>
                    <license></license>
                    <optout>true</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/UHLYXM/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/UHLYXM/feedback/</feedback_url>
            </event>
            <event guid='bd361656-349b-5a3a-a18e-6417b1205756' id='96304' code='MZLG9S'>
                <room>Main Stage</room>
                <title>Ransom-ISAC LOCK STAR Initiative</title>
                <subtitle></subtitle>
                <type>Lightning Talk</type>
                <date>2026-05-08T13:30:00+02:00</date>
                <start>13:30</start>
                <duration>00:10</duration>
                <abstract>The ransomware ecosystem thrives in the shadows of fragmented intelligence and siloed expertise. Defenders do the hard work &#8212; forensic timelining of incidents, tracing cryptocurrency flows, reverse engineering payloads, negotiating with threat actors &#8212; yet that knowledge rarely travels far beyond the individual or organization that earned it. Ransom-ISAC&apos;s L.O.C.K. S.T.A.R. (Level of Critical Knowledge in Specialized Techniques on Advancements and Research) initiative was built to change that. This talk introduces L.O.C.K. S.T.A.R. as a community-driven recognition framework designed to surface, validate, and amplify the work of ransomware researchers and practitioners across eight critical domains &#8212; and explores how structured knowledge sharing can become one of our most powerful weapons against ransomware.</abstract>
                <slug>bsidesluxembourg-2026-96304-ransom-isac-lock-star-initiative</slug>
                <track></track>
                
                <persons>
                    <person id='86073'>Ellis Stannard</person>
                </persons>
                <language>en</language>
                <description>Ransomware is a team sport &#8212; but defenders have never played like one. As the founder of Ransom-ISAC, I&apos;ve spent years watching brilliant researchers do groundbreaking work in near-total obscurity &#8212; forensic timelines that cracked open major incidents, cryptocurrency tracing that followed the money to attribution, reverse engineering that exposed affiliate infrastructure &#8212; only for that knowledge to die in a private Slack channel or a closed incident report.

L.O.C.K. S.T.A.R. (Level of Critical Knowledge in Specialized Techniques on Advancements and Research) was built to fix that. It is Ransom-ISAC&apos;s community-driven recognition and credentialing framework &#8212; think Michelin stars for ransomware expertise &#8212; designed to surface, validate, and amplify the work of the practitioners and researchers who are actually moving the needle in this fight.
This session will walk attendees through why the initiative exists, how it works, and what it means for the broader defender community. L.O.C.K. S.T.A.R. recognition can be earned across eight domains: Infrastructure, Negotiations, HUMINT, Cryptocurrency, DFIR, Reverse Engineering, AI, and Quantum.
 
Rather than treating hard-won knowledge as a proprietary asset, the framework creates structured pathways &#8212; through novel workflow writeups and actionable intelligence contributions &#8212; for experts to share what they know while receiving the formal recognition they deserve.

The goal is simple but ambitious: if we can lower the barriers to knowledge sharing across the ransomware defender community, we compress dwell time, accelerate response, and make the ecosystem measurably harder for threat actors to operate in. Attendees will leave understanding how to contribute, how to apply, and why community-led credentialing may be one of the most underutilized tools in the fight against ransomware.</description>
                <recording>
                    <license></license>
                    <optout>true</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/MZLG9S/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/MZLG9S/feedback/</feedback_url>
            </event>
            <event guid='c4bcaecc-c7eb-5b46-b9f2-246b02ac4429' id='96162' code='GJTHDS'>
                <room>Main Stage</room>
                <title>How Secure is Secure Code Generation? Putting the LLMs to the Test</title>
                <subtitle></subtitle>
                <type>Lightning Talk</type>
                <date>2026-05-08T13:40:00+02:00</date>
                <start>13:40</start>
                <duration>00:05</duration>
                <abstract>Large Language Models are increasingly used to assist developers in writing code, but how secure is the code they generate? This lightning talk explores the security risks introduced by LLM-generated code, from common vulnerability patterns to the challenges of evaluating and improving model outputs. Drawing from ongoing PhD research at TruX, SnT (University of Luxembourg), this talk offers a concise overview of the current landscape and open research questions in LLM-assisted secure software development.</abstract>
                <slug>bsidesluxembourg-2026-96162-how-secure-is-secure-code-generation-putting-the-llms-to-the-test</slug>
                <track></track>
                
                <persons>
                    <person id='95932'>Melissa TESSA</person>
                </persons>
                <language>en</language>
                <description>In this talk, I would like to present two of my works that challenge the way we think about security in LLM-generated code. The first asks an uncomfortable question: do secure code generation methods actually work? Through a systematic adversarial audit, we show that current evaluation practices create a dangerous illusion of security, and methods that look robust on paper fall apart under simple, realistic prompt perturbations. The second uncovers a quieter but equally dangerous threat: LLMs that confidently recommend software packages that simply do not exist, giving attackers the perfect opportunity to register these fabricated names on open source registries and serve malicious payloads to unsuspecting developers, a practice known as slopsquatting. Together, these works reveal that the security of AI-assisted development is more fragile and more nuanced than the field currently acknowledges.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/GJTHDS/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/GJTHDS/feedback/</feedback_url>
            </event>
            <event guid='d90e7010-2a4e-5b5e-8d6a-efaf27ba61c1' id='96132' code='YQRGVT'>
                <room>Main Stage</room>
                <title>Lightning Talk: MISP Workbench</title>
                <subtitle></subtitle>
                <type>Lightning Talk</type>
                <date>2026-05-08T13:45:00+02:00</date>
                <start>13:45</start>
                <duration>00:05</duration>
                <abstract>Built for the frontlines of cyber defense, our next-generation MISP Workbench empowers edge deployments and threat hunters with fast, lightweight, and actionable intelligence, anytime, anywhere.</abstract>
                <slug>bsidesluxembourg-2026-96132-lighting-talk-misp-workbench</slug>
                <track></track>
                
                <persons>
                    <person id='95893'>Luciano Righetti</person>
                </persons>
                <language>en</language>
                <description>https://github.com/MISP/misp-workbench</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/YQRGVT/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/YQRGVT/feedback/</feedback_url>
            </event>
            <event guid='de59de4b-4104-5a20-9003-199cedb86701' id='92939' code='Y3FG3M'>
                <room>Main Stage</room>
                <title>From CLI to Platform: Building NetCarapace, a Secure and Open Source URL Checking Ecosystem driven by Fondation Restena URL Shortener Use Case</title>
                <subtitle></subtitle>
                <type>Lightning Talk</type>
                <date>2026-05-08T13:55:00+02:00</date>
                <start>13:55</start>
                <duration>00:05</duration>
                <abstract>At OpenSourceLux 2025, we introduced url-checker-tools, a Python CLI toolkit for URL threat assessment through multi-source intelligence gathering, optional YARA-based local inspection, and configurable security scoring.
At BSides Luxembourg 2026, we present the next step: url-checker, a Python Flask web platform exposing a REST API that allows external services to submit URLs for automated verification before publication: initially built to prevent malicious URLs from reaching Fondation Restena&apos;s edu.lu shortener users. The platform orchestrates synchronous validation checks alongside asynchronous security assessments delegated to url-checker-tools via job queues, persists results in MariaDB, and includes a MISP integration proof-of-concept for community threat intelligence sharing.
We share our approach for the general Restena use case, overall design, production hardening lessons, and our roadmap toward an open, composable, self-hosted URL security infrastructure for the CSIRT community: the NetCarapace concept (https://github.com/organizations/NetCarapace).</abstract>
                <slug>bsidesluxembourg-2026-92939-from-cli-to-platform-building-netcarapace-a-secure-and-open-source-url-checking-ecosystem-driven-by-fondation-restena-url-shortener-use-case</slug>
                <track></track>
                <logo>/media/bsidesluxembourg-2026/submissions/Y3FG3M/image_XbmxJu2.webp</logo>
                <persons>
                    <person id='93077'>C&#233;dric Renzi</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/Y3FG3M/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/Y3FG3M/feedback/</feedback_url>
            </event>
            <event guid='73dbe3bb-5724-5617-8c67-453814af99f1' id='89149' code='HJHWDS'>
                <room>Main Stage</room>
                <title>What You See Is (Not) What You Get</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-08T14:00:00+02:00</date>
                <start>14:00</start>
                <duration>00:40</duration>
                <abstract>When we are performing investigations (threat intel, hunting, forensics, malware analysis or anything else), our path is full of pitfalls, more commonly called &#8220;biases&#8221;. We do our day-to-day job, we have our tools and processes and follow playbooks, but are we certain that we are not missing crucial information? In the first half of the talk, I&apos;ll explain how we can improve and use our senses in a better way: observe instead of see, listen instead of hear, etc. In the second part, I&apos;ll review some common mistakes that people make when performing malware analysis, with real examples that I observed here and there. Even if the abstract mentions &#8220;malware analysis&#8221;, this is not a very technical talk, but it will be helpful for all infosec practitioners.</abstract>
                <slug>bsidesluxembourg-2026-89149-what-you-see-is-not-what-you-get</slug>
                <track></track>
                
                <persons>
                    <person id='89636'>Xavier Mertens</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/HJHWDS/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/HJHWDS/feedback/</feedback_url>
            </event>
            <event guid='c9713f78-d231-58e9-8aa6-f84521b66d35' id='84865' code='PHH3EJ'>
                <room>Main Stage</room>
                <title>XCTDH Cross-Chain Transaction Data Hiding: Cyber Espionage and OPSEC Encounters</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-08T14:40:00+02:00</date>
                <start>14:40</start>
                <duration>00:40</duration>
                <abstract>This report presents the first documented analysis of Cross-Chain TxDataHiding (XCTDH), a novel command-and-control technique employed by DPRK-linked threat actors in cryptocurrency theft operations. The attack leverages multiple blockchain networks&#8212;TRON and Aptos as decentralized pointer systems, and Binance Smart Chain (BSC) for encrypted payload storage&#8212;to create virtually untraceable, takedown-proof malware infrastructure.

Discovered during investigation of a malicious GitHub repository used in fake job recruitment campaigns, this technique represents a significant evolution from previously documented blockchain-based C2 methods. Unlike Etherhiding (which stores payloads in smart contract storage), XCTDH embeds malicious code within blockchain transaction input data across multiple chains, retrieved via standard RPC calls that are indistinguishable from legitimate cryptocurrency traffic.

The attack chain begins with social engineering through fraudulent job postings, progresses through weaponized repositories containing heavily obfuscated JavaScript, and culminates in multi-stage payload delivery that evades modern EDR solutions. At an operational cost of approximately $1 USD, attackers establish resilient infrastructure that can dynamically update payloads, automatically failover between blockchain networks, and resist traditional takedown efforts&#8212;all while appearing as legitimate crypto wallet activity.

This analysis details the technical mechanisms, attribution indicators linking the campaign to DPRK operations, economic asymmetries favoring attackers, and the strategic implications of blockchain-based C2 for the future threat landscape.</abstract>
                <slug>bsidesluxembourg-2026-84865-xctdh-cross-chain-transaction-data-hiding-cyber-espionage-and-opsec-encounters</slug>
                <track></track>
                
                <persons>
                    <person id='86073'>Ellis Stannard</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/PHH3EJ/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/PHH3EJ/feedback/</feedback_url>
            </event>
            <event guid='1e14ba40-f04c-5d62-86a7-e881fe217689' id='92295' code='U7LPD7'>
                <room>Main Stage</room>
                <title>Startup Security 2020: Aged Like Wine or Milk?</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-08T15:40:00+02:00</date>
                <start>15:40</start>
                <duration>00:40</duration>
                <abstract>What would you change if you could go back and rebuild your company&#8217;s security foundations from day one?

In 2020, I had the chance to build a security program from the ground up for a brand new company in the banking/fintech space. 

Some of the decisions we made aged well, and would still be relevant in 2026. 

Other decisions, or the lack of them, have not, or simply could not be made back then due to a different technological environment.

In this talk, we&apos;ll look at what worked great, what didn&apos;t, and what we&apos;d have to do differently if we tried again today.</abstract>
                <slug>bsidesluxembourg-2026-92295-startup-security-2020-aged-like-wine-or-milk</slug>
                <track></track>
                
                <persons>
                    <person id='92530'>Guillaume Ross</person>
                </persons>
                <language>en</language>
                <description>Building a new company in a highly regulated field facing &lt;buzzword&gt;sophisticated threat actors&lt;/buzzword&gt; brings its share of challenges, but also allows you to build things without worrying about legacy environments and problems. 

What you are building today will, however, become the legacy problem in the future.

Specifically, we will talk about decisions that were made in 2020 to build a secure company back then, and contrast that to 2026 and the decisions I believe we would make now.

Topics covered will include:

- Core architectural decisions that are &quot;one-way doors&quot;
- Programming languages and ecosystems
- Threat modeling from the beginning
- Immutable and ephemeral infrastructure
- Everything as code
- Identity
- Supply chain security and its downstream impact on endpoint security</description>
                <recording>
                    <license></license>
                    <optout>true</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/U7LPD7/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/U7LPD7/feedback/</feedback_url>
            </event>
            <event guid='e50898b9-b767-589b-a274-9d48aaf3dc7f' id='85059' code='YHW98L'>
                <room>Main Stage</room>
                <title>Exploiting the Past: How Linguistic Redundancy weaponizes the Quantum Search Landscape</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-08T16:20:00+02:00</date>
                <start>16:20</start>
                <duration>00:40</duration>
                <abstract>What do _Niccol&#242; Machiavelli_ and _Grover&apos;s Algorithm_ have in common? More than you think. While one mastered the art of political manipulation in the 1500s, the other promises a quadratic speedup for quantum key search. But when these two worlds collide, something unexpected happens: **The quantum oracle misfires**.

In this talk, we build Grover search oracles directly from Renaissance Italian texts &#8212;
_Il Principe_, _Orlando Furioso_, _Il Cortegiano_, _I Ricordi_ &#8212; and measure exactly how much
linguistic redundancy contracts the cipher key space. We then simulate those oracles on a real quantum statevector and watch the standard iteration formula get it catastrophically wrong.

We will dive into:

- **The Corpus-Driven Oracle**: How character-level _n-gram_ redundancy defines the fraction of &quot;good&quot; keys _p_good_ &#8212; the sole parameter governing both classical exhaustive search and Grover oracle call count.
- **The Discrete Resonance Failure**: At one statistical threshold, the textbook formula predicts 2 optimal iterations. The real quantum simulation needs 24 &#8212; making quantum search **four times _slower_ than classical** at that point. We dissect why.
- **The L=600 Transition Zone**: An empirical anomaly where stylistic variance in 16th-century prose (Latin citations, proper-noun lists) creates a chaotic instability band that separates statistical noise from structural reality.
- **QUBO vs. Grover**: Why compressing a 23-letter alphabet to 7 letters breaks the annealer but leaves the quantum oracle unaffected &#8212; and what that tells us about attack-surface geometry.

Join us for a journey where orthography meets qubits, proving that whether you hold a quill or a
quantum processor, **redundancy is the enemy of secrecy &#8212; but discrete arithmetic is the enemy
of quantum speedup**.</abstract>
                <slug>bsidesluxembourg-2026-85059-exploiting-the-past-how-linguistic-redundancy-weaponizes-the-quantum-search-landscape</slug>
                <track></track>
                <logo>/media/bsidesluxembourg-2026/submissions/YHW98L/image_s30UzbD.webp</logo>
                <persons>
                    <person id='86237'>Alessio Di Santo</person><person id='93506'>Gabriella Lanziani</person>
                </persons>
                <language>en</language>
                <description>Cryptanalysis has always been a game of exploiting patterns. This session takes that principle
into quantum territory by pitting the rigid orthography of _Renaissance Italian_ against the
probabilistic mechanics of Grover amplitude amplification &#8212; and catching the algorithm in a
failure mode the textbook formula cannot predict.

### The Setup

We introduce a two-phase experimental framework built around a custom Python toolkit that
normalizes and models four 16th-century Italian corpora using character _n-gram_ language models.
Every candidate decryption key is scored against the corpus; the fraction of keys that score above
a statistical plausibility threshold &#8212; _p_good_ &#8212; becomes the marked fraction fed to the Grover
oracle. This transforms a linguistics measurement into a quantum complexity parameter.

**Phase 1** sweeps the full 23-letter alphabet across multiple cipher lengths and plausibility
thresholds, producing analytical Grover oracle estimates and classical exhaustive-search baselines.

**Phase 2** reduces the alphabet to 7 letters &#8212; making all 5 040 keys enumerable &#8212; and runs a
direct statevector simulation of Grover amplitude amplification. No analytical approximations.
Real quantum circuit behavior on a controlled key space.

### The Discovery: Discrete Resonance Failure

The headline finding is a failure mode the standard Boyer formula cannot anticipate. At one
threshold, _p_good_ produces an angle &#952; for which no small integer iteration count satisfies the
resonance condition. The formula confidently recommends stopping at iteration 2. The real
probability curve keeps oscillating and only peaks at iteration 24 &#8212; requiring 49 oracle calls
against a classical expectation of 12.5 trials. **Quantum loses by a factor of four.**

We walk through the forensic geometry of this collapse: why the sinusoidal Grover envelope
creates near-equal local maxima that fool the continuous approximation, and how to detect
near-resonant _p_good_ values before deploying the algorithm.

### The L=600 Anomaly

A separate empirical anomaly surfaces at cipher length L=600, where _p_good_ persistently
exceeds both shorter and longer ciphers across five of six tested thresholds. A targeted stability
analysis &#8212; sampling 20 distinct text segments at each length &#8212; identifies this as a **transition
zone of maximal within-length variance**: at L=600, local stylistic features of Renaissance prose
(Latin citations, enumerations, proper-noun clusters) produce segment-level fluctuations wide
enough to push _p_good_ above its expected trend. We show how to isolate structural data effects
from algorithmic noise.

### QUBO and the Landscape-Warping Effect

Parallel _Quadratic Unconstrained Binary Optimization_ (QUBO) annealing experiments reveal a
complementary insight: compressing a 23-letter alphabet to 7 letters cuts the trigram parameter
space by a factor of ~36, collapsing statistically distinct character patterns onto the same
symbols and creating **false energy attractors** &#8212; suboptimal keys surrounded by uphill barriers
the annealer cannot cross. The QUBO failure pattern inverts relative to the 23-letter case.
The Grover oracle, which only needs a binary marked/unmarked verdict, is structurally immune to
this distortion. The two attack paradigms probe entirely different properties of the key-score
landscape.

### What Attendees Will Take Away

1. How to construct a corpus-derived Grover oracle and measure _p_good_ empirically rather than
   assuming it.
2. How to detect discrete resonance conditions that cause the standard iteration formula to fail &#8212;
   and by how much.
3. Why reducing model complexity (smaller alphabet, lower-order n-grams) can **help** a quantum
   oracle while simultaneously **breaking** an annealing attack.
4. A reusable stability analysis method for distinguishing structural data features from
   algorithmic artefacts in any combinatorial search benchmark.

This talk is for anyone at the intersection of classical cryptanalysis, optimization heuristics,
and quantum security &#8212; no prior quantum computing background required.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/YHW98L/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/YHW98L/feedback/</feedback_url>
            </event>
            <event guid='679d179c-bd9f-5ba5-9703-ca31b2bdbd2e' id='93897' code='CAWHBG'>
                <room>Main Stage</room>
                <title>CTF Prize ceremony (and raffles if any etc.)</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-08T17:00:00+02:00</date>
                <start>17:00</start>
                <duration>00:15</duration>
<abstract>This is where we hand out the awesome CTF prizes from SecuInfra and Defensive Security.

The prizes: secret until the CTF is published!</abstract>
                <slug>bsidesluxembourg-2026-93897-ctf-prize-ceremony-and-raffles-if-any-etc</slug>
                <track></track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/CAWHBG/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/CAWHBG/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='IFEN room 1, Workshops and Detection Engineering village (Building D)' guid='d009362d-88e2-5587-ae2a-5051041602da'>
            <event guid='9f9f3536-275d-5fae-8dd5-60a4ddc7d6c9' id='90413' code='JUD9FP'>
                <room>IFEN room 1, Workshops and Detection Engineering village (Building D)</room>
                <title>Mastering Incident Response with Kanvas</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-08T09:00:00+02:00</date>
                <start>09:00</start>
                <duration>00:40</duration>
                <abstract>Imagine transforming chaotic incident response into a clear, visual story&#8212;no more spreadsheets, just streamlined collaboration and powerful timelines. Kanvas turns IR chaos into actionable insights, letting us map, share, and conquer incidents like never before. And the best thing, it&#8217;s Open-Source.</abstract>
                <slug>bsidesluxembourg-2026-90413-mastering-incident-response-with-kanvas</slug>
                <track>Actionable CTI and detection engineering village</track>
                
                <persons>
                    <person id='90743'>Ardit Beu</person>
                </persons>
                <language>en</language>
                <description>Stop wrestling with spreadsheets and disconnected tools. Kanvas brings your incident response to life. Kanvas provides incident responders with an intuitive desktop workspace that unifies case management, timeline visualization, attack chain mapping, and threat intelligence lookups, all within a single, collaborative environment. See how Kanvas streamlines workflows, enables seamless multi-user collaboration, and exports powerful visuals for reporting. Whether you&#8217;re mapping MITRE ATT&amp;CK techniques, sanitizing sensitive data, or leveraging LLM assistance, Kanvas puts everything you need at your fingertips. Join this talk to discover how Kanvas is reshaping the way teams track, document, and conquer complex incident response and forensics.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links>
                    <link href="https://github.com/WithSecureLabs/Kanvas">Kanvas GitHub repo</link>
                </links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/JUD9FP/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/JUD9FP/feedback/</feedback_url>
            </event>
            <event guid='2bc99640-bfaf-5b6e-bf5e-b158cd9d5e00' id='94099' code='MB9KND'>
                <room>IFEN room 1, Workshops and Detection Engineering village (Building D)</room>
                <title>Comprehensive Framework for Analyzing and Detecting Malicious Browser Extensions</title>
                <subtitle></subtitle>
                <type>Infosec lightning talks (6 x 5 minutes)</type>
                <date>2026-05-08T09:40:00+02:00</date>
                <start>09:40</start>
                <duration>00:30</duration>
                <abstract>Every day, millions of people rely on their web browsers, not only for work but also for study and daily life. Some of us also install browser extensions to utilize useful features. But what happens when those extensions are not as harmless as they seem?

In recent years, there has been a growing number of malicious browser extensions, particularly on platforms like the Chrome Web Store (CWS), affecting millions of users worldwide. Detecting these threats is not straightforward. Malicious extensions behave in many different and sometimes unpredictable ways. Another challenge is the limited availability of corresponding known malware samples, which restricts our ability to investigate these threats in depth. 

In this talk, I will share insights from my study that takes a closer look at this problem. I compiled a curated dataset of 460 malicious browser extensions removed from the CWS and analyzed how they behave. By integrating both static and dynamic analysis techniques, I identified a wide range of activities that raise privacy and security concerns, classified as tracking, redirecting, ad injecting, stealing, and unwanted actions. Leveraging static analysis using CodeQL and Python, the study could detect extensions setting cookies for external domains automatically.</abstract>
                <slug>bsidesluxembourg-2026-94099-comprehensive-framework-for-analyzing-and-detecting-malicious-browser-extensions</slug>
                <track>Actionable CTI and detection engineering village</track>
                
                <persons>
                    <person id='93963'>Van Nguyen</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/MB9KND/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/MB9KND/feedback/</feedback_url>
            </event>
            <event guid='d9315554-1d5d-549a-a1ee-2be16265161d' id='94131' code='K3C8T9'>
                <room>IFEN room 1, Workshops and Detection Engineering village (Building D)</room>
                <title>Kunai: Open-Source Threat Detection on Linux</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-08T10:40:00+02:00</date>
                <start>10:40</start>
                <duration>00:40</duration>
                <abstract>This talk explores Kunai, an open-source security monitoring tool that brings threat-detection capabilities to Linux systems using eBPF technology. We begin with an overview of Kunai&apos;s purpose, architecture, and core monitoring capabilities. The session then dives into recent advancements, highlighting key features and improvements. Finally, we examine practical use cases in threat detection, incident response, and digital forensic analysis, demonstrating how Kunai enhances cyber incident investigations.</abstract>
                <slug>bsidesluxembourg-2026-94131-kunai-open-source-threat-detection-on-linux</slug>
                <track>Actionable CTI and detection engineering village</track>
                
                <persons>
                    <person id='94001'>Quentin JEROME</person>
                </persons>
                <language>en</language>
                <description>This talk presents Kunai, an open-source security monitoring tool developed in Luxembourg that brings Sysmon-like capabilities to Linux systems. Built specifically to address the often-overlooked security monitoring needs of Linux environments, Kunai leverages eBPF technology to provide comprehensive threat detection and incident response capabilities.

We&apos;ll explore how Kunai was designed from the ground up with incident response and threat detection requirements in mind, filling a critical gap in Linux security tooling. Given that Linux powers the majority of web-facing systems and cloud infrastructure, it has become a prime target for attackers - yet often lacks the sophisticated monitoring tools available for other platforms.

The session will cover Kunai&apos;s architecture, recent advancements, and practical applications including:
- Real-time threat detection across Linux environments
- Comprehensive event logging for incident investigations
- Container-aware monitoring capabilities
- Integration with existing security workflows

Attendees will learn how Kunai enhances visibility into Linux systems, enabling better threat detection, faster incident response, and more effective digital forensic analysis - all while maintaining the performance and reliability required for production environments.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/K3C8T9/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/K3C8T9/feedback/</feedback_url>
            </event>
            <event guid='1bce99ba-e171-5d3d-932d-aa53d4bd5e90' id='94139' code='LTSMAE'>
                <room>IFEN room 1, Workshops and Detection Engineering village (Building D)</room>
                <title>Turbocharged SOC: DetectFlow and other innovative Open Source tools released by SOCPrime for detection engineering</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-08T11:20:00+02:00</date>
                <start>11:20</start>
                <duration>00:40</duration>
                <abstract>We will discuss practical use of open source tools for detection engineering built by the SOC Prime team, including DetectFlow and Uncoder, and how they combine with an open source data pipeline stack like Kafka, Flink and Flink agent. The goal of DetectFlow is to elevate the role of Detection Engineers above the SIEM stack, and to give us all the signals, context, threat intelligence and building blocks to fully design and operate Detection and Response workflows. The architecture of Detection Pipelines furthermore makes the work of Security Analysts curious and enjoyable again, as it eliminates a large part of the routine work they did, and focuses on the main thing humans do better than AI: understanding connections specific to the cyber domain and specific to your organization. Our approach equips people to address the tremendous complexity of the cyber domain, which now simply exceeds the possible knowledge that any human can physically fit.</abstract>
                <slug>bsidesluxembourg-2026-94139-turbocharged-soc-detectflow-and-other-innovative-open-source-tools-released-by-socprime-for-detection-engineering</slug>
                <track>Actionable CTI and detection engineering village</track>
                <logo>/media/bsidesluxembourg-2026/submissions/LTSMAE/image_PnUujMJ.webp</logo>
                <persons>
                    <person id='94008'>Andrii Bezverkhyi</person>
                </persons>
                <language>en</language>
                <description>Open source DetectFlow turns Apache Kafka+Flink into a Detection Pipeline, adding 2-tier correlation. The first tier is automated streaming of AI-generated and human-made behavior Sigma rules mapped to ATT&amp;CK; this gives initial data labels and does not generate alerts. The 2nd tier is a Flink agent which enables Agentic AI correlation across the entire ATT&amp;CK, Attack Flows and Attack Chains. This can be further refined and expanded by integrating with OpenTIDE. Attack Chains are made by human experts as &quot;higher order Sigma rules&quot; correlating on ATT&amp;CK itself and lower-level Sigma rule sequences. Together this acts as a turbo-charger in front of the SIEM engine, just like the same thing in a car. With DetectFlow, which is essentially a low-footprint, run-anywhere provisioning tool with Agentic AI and MCP, we can run over 20,000 detection rules and nearly 500,000 behavior correlation patterns in front of ANY SIEM at millisecond speed. This exceeds the capacity of any SIEM by 5 orders of magnitude. This shrinks mean time to detect and the initial investigation stage from tens of minutes or even hours to a few seconds. The conversion from raw log event to a tagged event is 7%, from a tagged event to an Attack Chain is 0.0007% or 0.00007 - and only that is alert material. This reduces the need to fine-tune rules at the DetectFlow level, as fine-tuning becomes a context, which can be solved by any on-premise AI Agent working with outputs of DetectFlow or SIEM. SIEM remains very useful for workflow, reporting, graph analysis and, for now, machine-learning-based anomaly detection, even though the latter will move to pipelines too. It also takes care of data parsing via crowdsourcing and mapping via AI (can be run locally).</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/LTSMAE/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/LTSMAE/feedback/</feedback_url>
            </event>
            <event guid='0e38bf3a-01b4-58cb-a2a3-60fe34aa532e' id='94138' code='YV7DJA'>
                <room>IFEN room 1, Workshops and Detection Engineering village (Building D)</room>
                <title>Panel Discussion: The future of Detection Engineering</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-08T13:30:00+02:00</date>
                <start>13:30</start>
                <duration>00:40</duration>
                <abstract>The purpose of this panel is to discuss where the participants see the still-young, still-emergent discipline of Detection Engineering going.

The tools and know-how presented over the last 2 days in the village will be pitted against ideas from Diana (moderator) and the audience.
The panelists will try to explore together how the detection engineering landscape might evolve over the next few years.</abstract>
                <slug>bsidesluxembourg-2026-94138-panel-discussion-the-future-of-detection-engineering</slug>
                <track>Actionable CTI and detection engineering village</track>
                
                <persons>
                    <person id='93138'>Diana Waithanji</person><person id='93489'>Ondrej Nekovar</person><person id='92828'>Remi Seguy</person><person id='94008'>Andrii Bezverkhyi</person>
                </persons>
                <language>en</language>
                <description>Panel discussion with leading Detection Engineering experts:

1. Ondrej Nekovar: Ondrej and the Boss have released innovative tooling and know-how on how to do detection engineering in 2026 in their talk - see &apos;CT(C)I-Driven detection against internal and external threats&apos;
2. Andrii Bezverkhyi: Founder of SOCPrime and releaser of multiple innovative open-source tools, the latest being &apos;DetectFlow&apos;, which enables detection engineering at the end of your pipeline before SIEM ingestion
3. Remi Seguy: Runs and operates the OpenTide project, which is a one-stop shop for detection engineering teams, integrates with CTI and offensive teams, and enables multi-SOC collaboration</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/YV7DJA/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/YV7DJA/feedback/</feedback_url>
            </event>
            <event guid='def10e4c-36e7-5f01-8610-40bfe925d3ed' id='89155' code='UCCYKR'>
                <room>IFEN room 1, Workshops and Detection Engineering village (Building D)</room>
                <title>Actionable CTI &amp; Detection Engineering village</title>
                <subtitle></subtitle>
                <type>Village, 2d (2days x 8h)</type>
                <date>2026-05-08T14:10:00+02:00</date>
                <start>14:10</start>
                <duration>03:00</duration>
                <abstract>SOC cutting edge! 

The afternoon of May 8th will feature a &apos;village fair&apos; where the rooms will be split into demo &apos;Islands&apos;. 

The audience is invited to go see demos of the talks, tools, how-tos etc. presented over the last 1.5 days of the village! 
Go check out the tools and talks that you really liked, see how modern SOCs are run today.</abstract>
                <slug>bsidesluxembourg-2026-89155-0-actionable-cti-detection-engineering-village</slug>
                <track>Actionable CTI and detection engineering village</track>
                
                <persons>
                    
                </persons>
                <language>en</language>
                <description>SOC cutting edge! 

The afternoon of May 8th will feature a &apos;village fair&apos; where the rooms will be split into demo &apos;Islands&apos;. 

The audience is invited to go see demos of the talks, tools, how-tos etc. presented over the last 1.5 days of the village! 
Go check out the tools and talks that you really liked, see how modern SOCs are run today.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/UCCYKR/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/UCCYKR/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='IFEN room 2, Workshops and AI Security Village  (Building D)' guid='a18bb72e-a1ae-5ea3-acfa-8ddd1c6b0d44'>
            <event guid='8943a40e-19f9-5591-bc0a-d99837bc9509' id='92923' code='PWM8ER'>
                <room>IFEN room 2, Workshops and AI Security Village  (Building D)</room>
                <title>The High-Performance Fuel for Social Engineering (Now in AI Flavors!)</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-08T09:00:00+02:00</date>
                <start>09:00</start>
                <duration>00:40</duration>
                <abstract>Every day, millions of data points about YOU, whether public, leaked, scraped, or sold, quietly feed into a largely legal ecosystem of personal information. For modern threat actors, Artificial Intelligence (AI) is no longer just a buzzword; it is a tool used to weaponize this data at scale against both individuals and their organisations. What once required a non-trivial skillset in OSINT and social engineering can now be executed by anyone with a prompt and a scraped data set (or worse, an autonomous team of AI agents).

This talk explores the intersection of privacy and offensive security, demonstrating how exposed personal information is harvested and amplified by AI to create highly convincing phishing, deepfake scams, and automated fraud. We will break down how your digital footprint becomes an attack surface and build a defensive strategy to counter it.

We will focus on helping individuals and security leaders identify the human exposure, human attack surface, and cyber risk. We will tie this into Cyber Threat Intelligence (CTI), with actionable techniques for the individual and the SOC alike. We&#8217;ll discuss practical tips to deal with exposure, limit data leakage, spot AI-driven targeting and explore actionable privacy practices, such as email masking, and ways to operationalize techniques and services to exercise your GDPR right to be forgotten. Attendees will leave with a clear understanding of the emerging threat landscape and the defensive techniques to remove or reduce the &quot;fuel&quot; attackers use in order for individuals and organizations to protect themselves.</abstract>
                <slug>bsidesluxembourg-2026-92923-the-high-performance-fuel-for-social-engineering-now-in-ai-flavors</slug>
                <track>AI Security Village</track>
                
                <persons>
                    <person id='90938'>Glen Sorensen</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/PWM8ER/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/PWM8ER/feedback/</feedback_url>
            </event>
            <event guid='38b0b89d-4810-5ad4-9b68-20723009aec2' id='90584' code='XXRJ8Z'>
                <room>IFEN room 2, Workshops and AI Security Village  (Building D)</room>
                <title>The challenges of AI-as-a-Service logging</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-08T09:40:00+02:00</date>
                <start>09:40</start>
                <duration>00:40</duration>
                <abstract>AI-as-a-Service adoption is surging, yet 90% of it is unmanaged &apos;Shadow AI,&apos; leaving organizations exposed to novel threats like the OWASP LLM Top 10. This session dives into the critical gap in current AI logging platforms and APIs, detailing why traditional security controls fail and offering a path to centralized visibility for effective detection and response.</abstract>
                <slug>bsidesluxembourg-2026-90584-the-challenges-of-ai-as-a-service-logging</slug>
                <track>AI Security Village</track>
                
                <persons>
                    <person id='90917'>Jeremy Snyder</person>
                </persons>
                <language>en</language>
                <description>LLM logs are a subset of API logs, but they come from 2 different perspectives - client-side logs and server-side logs.
Add to that challenge that most logs aren&apos;t really designed for security analysis perspectives, and it becomes hard to know what to do and how to do it.
Note - I gave a version of this talk at fwd:CloudSec North America 2025. https://www.youtube.com/watch?v=AccsDqmHPdU&amp;list=PLCPCP1pNWD7M-hHBOymDR5vkPib0tkZd9&amp;index=18</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/XXRJ8Z/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/XXRJ8Z/feedback/</feedback_url>
            </event>
            <event guid='e78b5665-3b65-5e35-a2c3-28b68f1160e5' id='94622' code='HCRD3Y'>
                <room>IFEN room 2, Workshops and AI Security Village  (Building D)</room>
                <title>AI in Cybersecurity: How can we make best use of it?</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-08T10:40:00+02:00</date>
                <start>10:40</start>
                <duration>00:40</duration>
                <abstract>This Birds of a Feather session will focus on how AI tools are being used to secure environments, the training necessary for teams to identify security issues, and the impact of AI on job security within the security profession. Participants will discuss and share experiences on:

- AI Tools in Cybersecurity: Explore how AI tools are currently enhancing security and the most effective tools available today.
- Training and Skill Development: Discuss recommended training programs and certifications that help teams leverage AI in cybersecurity.
- Job Security and AI: Debate whether AI will replace certain roles or create new opportunities, and how professionals can stay relevant.

At the end of this session, participants will leave with ideas on using AI tools, available training for their teams, and strategies to remain irreplaceable in an AI-driven world.
This open discussion invites all cybersecurity professionals regardless of experience level.</abstract>
                <slug>bsidesluxembourg-2026-94622-ai-in-cybersecurity-how-can-we-make-best-use-of-it</slug>
                <track>AI Security Village</track>
                
                <persons>
                    <person id='93138'>Diana Waithanji</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/HCRD3Y/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/HCRD3Y/feedback/</feedback_url>
            </event>
            <event guid='83d5cbce-2630-56d5-8967-a3822c00e006' id='89417' code='UGKRML'>
                <room>IFEN room 2, Workshops and AI Security Village  (Building D)</room>
                <title>The Agent Had a Plan&#8212;So Did I: Top Attacks on OWASP Agentic AI Systems</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-08T11:20:00+02:00</date>
                <start>11:20</start>
                <duration>00:40</duration>
                <abstract>AI agents are different from regular LLM apps &#8212; they plan steps, call tools, and chase goals across multiple interactions. This added complexity introduces new kinds of security risks that aren&#8217;t widely understood yet.

In this talk, I&#8217;ll walk through demos of vulnerabilities from the OWASP Agentic AI Threats. These include goal hijacking, alignment faking, orchestration misuse, and time-based attacks that exploit how agents behave over multiple steps or sessions. I&#8217;ll show how attackers can trick agents into following the wrong goals, leaking data, or using tools in unsafe ways &#8212; all through practical examples.</abstract>
                <slug>bsidesluxembourg-2026-89417-the-agent-had-a-plan-so-did-i-top-attacks-on-owasp-agentic-ai-systems</slug>
                <track>AI Security Village</track>
                
                <persons>
                    <person id='88891'>Parth Shukla</person><person id='89865'>Nagarjun Rallapalli</person>
                </persons>
                <language>en</language>
                <description>Here&apos;s the flow:

Intro to Agentic AI Systems
- What are agentic AI systems?
- How do they differ from regular AI tools?
- Use cases / Popular frameworks: LangChain, AutoGen, BAML.

Vulnerabilities:
#1: Agent Goal and Instruction Manipulation
- Exploiting how attackers can manipulate AI agent goals and instructions to make them act against their intended purposes.

#2: Agent Temporal Manipulation and Time-based Attacks
- Exploiting time-dependent behaviors in AI agents to manipulate scheduling, timestamps, and decision-making, leading to desynchronization and timing attacks.

#3: Agent Orchestration and Multi-Agent Exploitation
- Exploiting vulnerabilities in how multiple AI agents interact, coordinate, and communicate, compromising entire agent networks.

#4: Checker-out-of-the-Loop Vulnerability
- Showing how agents can operate outside system limits without alerting human operators or oversight systems.

#5: Agent Covert Channel Exploitation
- Demonstrating how agents can exploit covert channels to leak data or escalate privileges without detection.

#6: Agent Alignment Faking
- Demonstrating how agents can fake adherence to rules during monitored phases but deviate when unmonitored.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/UGKRML/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/UGKRML/feedback/</feedback_url>
            </event>
            <event guid='e840ef78-9b96-50a1-87b1-7df966ed9790' id='96675' code='UEJDNE'>
                <room>IFEN room 2, Workshops and AI Security Village  (Building D)</room>
                <title>Building the Ultimate AI Firewall: Inside SovereignShield, IntentShield, and LogicShield</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-08T13:30:00+02:00</date>
                <start>13:30</start>
                <duration>00:40</duration>
                <abstract>As AI agents evolve from simple chatbots into autonomous systems capable of executing code and making API calls, traditional security boundaries are failing. We can no longer rely on brittle regex filters or the &quot;black box&quot; safety rails of LLM providers. In this session, I will unveil the architecture behind the SovereignShield ecosystem, a multi-layered, deterministic defense framework for modern AI applications. We will break down the engineering mechanics of our three core products: IntentShield (outbound action auditing), LogicShield (semantic enforcement), and the unified SovereignShield firewall.</abstract>
                <slug>bsidesluxembourg-2026-96675-building-the-ultimate-ai-firewall-inside-sovereignshield-intentshield-and-logicshield</slug>
                <track>AI Security Village</track>
                
                <persons>
                    <person id='96376'>mattijs moens</person>
                </persons>
                <language>en</language>
                <description>This 35-minute technical session is an architectural deep-dive into the SovereignShield product suite, designed to show developers and security engineers how to mathematically secure AI endpoints.

We will cover the ecosystem in three distinct technical phases:

**LogicShield: Securing the Cognitive Layer (10 mins)**

Why traditional syntax filters fail against semantic attacks (like prompt injection and jailbreaks).
How LogicShield enforces deterministic logical boundaries on AI reasoning before an output is even generated.

**IntentShield: Outbound Action Auditing (10 mins)**

The danger of autonomous AI agents executing destructive API commands or exfiltrating data.
Deep dive into the ActionParser and Conscience modules. How IntentShield intercepts, audits, and blocks malicious intent at the execution layer.

**SovereignShield: The Unified Firewall (10 mins)**

Bringing it all together. How the core SovereignShield layer acts as a bidirectional proxy.
Live architecture breakdown of our 4-layer defense model (Inbound Input Filtering + Outbound Action Auditing) protecting a production API.

**Conclusion &amp; Q&amp;A (5-10 mins)**

How the community can integrate the SovereignShield suite into their own LLM pipelines today.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/UEJDNE/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/UEJDNE/feedback/</feedback_url>
            </event>
            <event guid='5eefd719-05f3-5b2a-a038-879a677cb61e' id='96750' code='SDCESA'>
                <room>IFEN room 2, Workshops and AI Security Village  (Building D)</room>
                <title>Security for AI: AIDR Bastion as open source LLM firewall / AI prompts reverse proxy</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-08T14:10:00+02:00</date>
                <start>14:10</start>
                <duration>00:30</duration>
                <abstract>One of the top concerns in the age of AI is cyber attacks, and one of the weak links in defense is AI itself. From prompt injections to agents self-organizing into botnets or far worse, we need some basic level of security for any AI workloads. And while we have seen a cohort of startups being acquired in the space through 2025, is the issue really solved? Does security for AI have to be yet another budget spend, or can we do better with open source and open standards? We will discuss an open source project, AIDR bastion, which was made inside our own SOC and released to the world, the things which work and the shortcomings. The goal of the talk is to discuss issues and possibilities.</abstract>
                <slug>bsidesluxembourg-2026-96750-security-for-ai-aidr-bastion-as-open-source-llm-firewall-ai-prompts-reverse-proxy</slug>
                <track>AI Security Village</track>
                <logo>/media/bsidesluxembourg-2026/submissions/SDCESA/image_Iq3oeyc.webp</logo>
                <persons>
                    <person id='94008'>Andrii Bezverkhyi</person>
                </persons>
                <language>en</language>
                <description>AIDR bastion is an open source comprehensive GenAI protection system designed to safeguard against malicious prompts, injection attacks, and harmful content. Source code is available at GitHub: https://github.com/socprime/AIDR-Bastion 
The system incorporates multiple detection engines that operate sequentially to analyze and classify user inputs before reaching GenAI applications.

- The system supports Roota and Sigma rules, enabling the application of detection logic from multiple sources such as SigmaHQ (around 1,200 compatible free community Sigma rules available at release), SOC Prime (with up to 3,000 additional compatible rules), and other third-party repositories. Sigma rules can be applied to detect use cases where malware leverages a local LLM to generate malicious code for execution.
- SOC Prime Uncoder AI integration further extends functionality by translating Sigma rules into Semgrep format, providing standardized and reusable detection pipelines (requires a free account).
- Roota rules power the regex-based pipeline.
- The architecture supports rule extensibility, seamlessly integrating organization-specific signatures and external detection content.
- The system can also function as a local logging sensor, recording user and agent prompts and enabling diagnostics, incident discovery, and cyber attack investigation.
- Detection logic aligns with industry frameworks such as MITRE ATLAS and OWASP Top 10 for LLMs, ensuring standardized coverage against adversarial techniques.
- Actions include allow, block, or notify, depending on rule matches and policy configuration.
- This layered detection approach delivers defense-in-depth against evolving adversarial prompt engineering and other AI-focused attack vectors. Inspired by LlamaFirewall.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/SDCESA/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/SDCESA/feedback/</feedback_url>
            </event>
            <event guid='f2e31181-6f32-5cc3-ad8c-ccf7989919cc' id='97333' code='SRHCSS'>
                <room>IFEN room 2, Workshops and AI Security Village  (Building D)</room>
                <title>Every Guardrail Everywhere All at Once: Designing and Testing Guardrails for LLM Applications</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-08T14:40:00+02:00</date>
                <start>14:40</start>
                <duration>00:40</duration>
                <abstract>GenAI applications have moved from being single prompt wrappers to long chains of LLM calls, tools, and agentic workflows. In these systems, guardrails cannot live on a single isolated prompt. They need to be designed based on how data flows through the application, how permissions are enforced, and which risks are relevant for the use case.

This talk shares practical experience from helping teams design and test guardrails for LLM applications. Prompt-based guardrails tend to fail under determined attackers, so they must be combined with application-level controls and feedback mechanisms that allow the system to detect and respond to prompt attacks.

Rather than evaluating models in isolation, the focus is on testing the application itself. This includes testing how inputs and outputs propagate through LLM chains, how intermediate results are reused, and how guardrails interact across different stages of a workflow. The talk shows how this can be tested in practice using spikee (https://spikee.ai), an open source tool built to test LLM applications for prompt-based attacks.</abstract>
                <slug>bsidesluxembourg-2026-97333-every-guardrail-everywhere-all-at-once-designing-and-testing-guardrails-for-llm-applications</slug>
                <track>AI Security Village</track>
                
                <persons>
                    <person id='96940'>Donato Capitella</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/SRHCSS/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/SRHCSS/feedback/</feedback_url>
            </event>
            <event guid='d7562e2b-dc04-51e2-a237-f776ca0f77b4' id='93021' code='8WLHGS'>
                <room>IFEN room 2, Workshops and AI Security Village  (Building D)</room>
                <title>Building Secure AI: Making Threat Modeling a Core Part of Development</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-08T15:40:00+02:00</date>
                <start>15:40</start>
                <duration>00:40</duration>
                <abstract>As AI systems evolve, integrating security from the design phase is crucial, following the &quot;shift left&quot; approach to prevent vulnerabilities. This session offers an overview of threat modeling for AI systems, including organizing engaging sessions, using appropriate tools, and applying methodologies such as STRIDE. Participants will learn to proactively address security concerns and in turn ensure robust protection by identifying and mitigating potential threats specific to AI technologies - with reference to OWASP research. The session will also provide tips on making threat modeling sessions interesting and interactive in order to ensure active participation and effective outcomes. The goal is to make security a foundational element in AI system development rather than an afterthought.</abstract>
                <slug>bsidesluxembourg-2026-93021-building-secure-ai-making-threat-modeling-a-core-part-of-development</slug>
                <track>AI Security Village</track>
                
                <persons>
                    <person id='93138'>Diana Waithanji</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/8WLHGS/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/8WLHGS/feedback/</feedback_url>
            </event>
            <event guid='0db435a2-170c-5d87-a26e-9ecc26bf05e7' id='89418' code='8ACVB3'>
                <room>IFEN room 2, Workshops and AI Security Village  (Building D)</room>
                <title>AI Security Village - Open Village/Q&amp;A</title>
                <subtitle></subtitle>
                <type>Village, 2d (2days x 8h)</type>
                <date>2026-05-08T16:20:00+02:00</date>
                <start>16:20</start>
                <duration>01:00</duration>
                <abstract>Event Strategy &amp; Structure

Core Mission: A 2-day, open-floor &quot;village&quot; dedicated to exploring real-world security risks in Agentic AI, Model Context Protocol (MCP) architectures, and LLM workflows.

Alignment: All content and threat models are strictly aligned with OWASP guidance (LLM Top 10 &amp; AI Security Exchange).

Dynamic Flow: Unlike traditional linear training, this is an exploratory space. The schedule is fluid; organizers will pivot topics, attack scenarios, and deep dives in real-time based on what attendees find most interesting.

Village Logistics

Open Access: The village runs continuously for two days with no fixed start/stop times.
Drop-in Format: Attendees are free to enter, observe, leave, and return at will. This supports the casual, &quot;hallway con&quot; culture of BSides events.
Parallel Tracks: Multiple activities (demos, labs, discussions) happen simultaneously, allowing for natural scaling of depth from beginner to advanced levels.

Organizer Responsibilities (The Blue Team/Red Team)

Live Operations: Organizers act as facilitators, maintaining intentionally vulnerable infrastructure (LLMs, RAG pipelines, Autonomous Agents, MCP Servers).

Interactive Walkthroughs: Instead of formal talks, organizers provide short, continuous breakdowns of attacks, explaining why a specific trust boundary failed or how a design choice created a vulnerability.

Adaptive Defense: Based on audience feedback, organizers will live-patch systems or remove mitigations to demonstrate how security controls impact attack feasibility.

Attendee Experience (The Red Team)
Hands-on Exploitation: Attendees can directly interact with deployed systems to attempt prompt injection, logic-based attacks, and tool abuse.
Feedback Loop: Attendees actively shape the curriculum by voting on which systems to attack next or requesting deeper focus on specific failure modes.
Collaborative Defense: A key component is discussing defenses; attendees can propose architecture changes or guardrails, which organizers can discuss or implement live.

Hands-on Labs &amp; Infrastructure
Self-Paced Playgrounds: Dedicated stations will run continuously for independent learning.
Dreadnode Crucible: Focuses on practical exploitation of LLMs and agents.
Lakera Gandalf / Agent Breaker: Gamified challenges covering prompt injection, goal hijacking, and instruction drift.
Purpose: These labs ensure that even if the live demo is advanced, beginners have a place to start learning fundamentals.

Agenda: 

Breaking LLM Systems
Theme: Fundamentals of LLM vulnerabilities and the OWASP LLM Top 10.
Live Targets: Minimalist LLM deployments and chat interfaces.
Deep Dives:
Guardrails: Examining internal mechanics and demonstrating how to bypass practical limitations.
RAG Security: attacking Vector Databases and poisoning retrieval contexts (RAG-specific threats).

Agenda: Agentic AI &amp; MCP Security
Theme: The core focus of the village&#8212;Autonomous Agents and the Model Context Protocol (MCP).
Complex Workflows: Demos will feature multi-step agents that can plan, execute, and interact with external tools.
Key Attack Vectors:
Instruction Hijacking: Forcing an agent to deviate from its original goal.
Tool Abuse: Exploiting over-privileged MCP capabilities (e.g., an agent with unrestricted file access).
Trust Boundaries: Analyzing failures in the handshake between Agents and MCP servers.</abstract>
                <slug>bsidesluxembourg-2026-89418-0-ai-security-village-open-village-q-a</slug>
                <track>AI Security Village</track>
                
                <persons>
                    <person id='88891'>Parth Shukla</person><person id='89865'>Nagarjun Rallapalli</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/8ACVB3/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/8ACVB3/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='IFEN room 3 Workshops and AI Security Village (Building D)' guid='3ecced5f-5a05-593c-a612-364a5528f8d3'>
            <event guid='38a20e1b-f11c-57ae-b875-2fdecb6f2747' id='93488' code='HY3QBJ'>
                <room>IFEN room 3 Workshops and AI Security Village (Building D)</room>
                <title>AI Security village - technical training and implementation</title>
                <subtitle></subtitle>
                <type>Village, 2d (2days x 8h)</type>
                <date>2026-05-08T09:00:00+02:00</date>
                <start>09:00</start>
                <duration>03:00</duration>
                <abstract>The technical track of the AI security village</abstract>
                <slug>bsidesluxembourg-2026-93488-1-ai-security-village-technical-training-and-implementation</slug>
                <track>AI Security Village</track>
                
                <persons>
                    <person id='88891'>Parth Shukla</person><person id='89865'>Nagarjun Rallapalli</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/HY3QBJ/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/HY3QBJ/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Workshops May 6th, Speaker&apos;s room May 7+8th (C1.02.13)' guid='6d57f409-6e10-5f49-9eb1-79fd7d149da7'>
            <event guid='25bba9c7-3080-5d35-b15b-c044e6231c71' id='90638' code='YGC7EA'>
                <room>Workshops May 6th, Speaker&apos;s room May 7+8th (C1.02.13)</room>
                <title>Dismantle The Bomb</title>
                <subtitle></subtitle>
                <type>Workshop 2h</type>
                <date>2026-05-08T10:00:00+02:00</date>
                <start>10:00</start>
                <duration>02:00</duration>
                <abstract>Dismantle the bomb by performing different tasks</abstract>
                <slug>bsidesluxembourg-2026-90638-5-dismantle-the-bomb</slug>
                <track>Escape games!</track>
                
                <persons>
                    <person id='90958'>Stijn Tomme</person>
                </persons>
                <language>en</language>
                <description>Dismantle the bomb by performing different tasks. The tasks will include:
- Solving ciphers
- Being genuine with a special flashlight
- lock picking 
- make a key with a lishi tool
- ...</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/feedback/</feedback_url>
            </event>
            <event guid='7122c32c-0e57-54b7-a432-22efd28bb9d3' id='90638' code='YGC7EA'>
                <room>Workshops May 6th, Speaker&apos;s room May 7+8th (C1.02.13)</room>
                <title>Dismantle The Bomb</title>
                <subtitle></subtitle>
                <type>Workshop 2h</type>
                <date>2026-05-08T13:30:00+02:00</date>
                <start>13:30</start>
                <duration>02:00</duration>
                <abstract>Dismantle the bomb by performing different tasks</abstract>
                <slug>bsidesluxembourg-2026-90638-6-dismantle-the-bomb</slug>
                <track>Escape games!</track>
                
                <persons>
                    <person id='90958'>Stijn Tomme</person>
                </persons>
                <language>en</language>
                <description>Dismantle the bomb by performing different tasks. The tasks will include:
- Solving ciphers
- Being genuine with a special flashlight
- lock picking 
- make a key with a lishi tool
- ...</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/feedback/</feedback_url>
            </event>
            <event guid='b9f1b007-4ad3-534f-922a-231429249277' id='90638' code='YGC7EA'>
                <room>Workshops May 6th, Speaker&apos;s room May 7+8th (C1.02.13)</room>
                <title>Dismantle The Bomb</title>
                <subtitle></subtitle>
                <type>Workshop 2h</type>
                <date>2026-05-08T15:35:00+02:00</date>
                <start>15:35</start>
                <duration>02:00</duration>
                <abstract>Dismantle the bomb by performing different tasks</abstract>
                <slug>bsidesluxembourg-2026-90638-7-dismantle-the-bomb</slug>
                <track>Escape games!</track>
                
                <persons>
                    <person id='90958'>Stijn Tomme</person>
                </persons>
                <language>en</language>
                <description>Dismantle the bomb by performing different tasks. The tasks will include:
- Solving ciphers
- Being genuine with a special flashlight
- lock picking 
- make a key with a lishi tool
- ...</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/YGC7EA/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Workshops and Stage - Design Space (C1.05.12)' guid='1d52d5bc-e122-502d-8a62-7079b3f6d4a3'>
            <event guid='b336dc18-622e-5594-a822-ce84c82129ae' id='90255' code='LKLWWX'>
                <room>Workshops and Stage - Design Space (C1.05.12)</room>
                <title>Spreading malware with USB keys - does it still work ?</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-08T09:40:00+02:00</date>
                <start>09:40</start>
                <duration>00:40</duration>
                <abstract>Do end-users spontaneously connect USB sticks found in public places to their personal or professional computers?

To this end, a controlled experiment was carried out in Luxembourg, where 250 USB sticks were voluntarily &#8220;lost&#8221;. The results revealed a high success rate, estimated around 20%, with the first connection recorded in just a few minutes. We believe that these users are acting out of curiosity or altruistic intent, seeking to identify or restore the owner of the key. 

However, they do not perceive the risks associated with their gesture. The study highlights the persistence of USB key attacks as an effective intrusion vector, and underscores the need to make users more aware of the dangers they represent.</abstract>
                <slug>bsidesluxembourg-2026-90255-spreading-malware-with-usb-keys-does-it-still-work</slug>
                <track></track>
                
                <persons>
                    <person id='90620'>Didier Barzin</person><person id='90655'>Mathieu Vajou</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/LKLWWX/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/LKLWWX/feedback/</feedback_url>
            </event>
            <event guid='f94cfa0c-2b1f-550f-97da-2176bf28b046' id='92264' code='SSCME8'>
                <room>Workshops and Stage - Design Space (C1.05.12)</room>
                <title>Forensic Challenges in Real-World Cases of Digital Manipulation</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-08T10:40:00+02:00</date>
                <start>10:40</start>
                <duration>00:40</duration>
                <abstract>With a 308% increase in AI-generated fake content between 2024 and 2025, the justice system faces an authenticity crisis. This talk explores real-world cases: from voice cloning for scams in Brazil to lack of a convergent pattern in spoofing crime investigations in Portugal, how can we empower professionals to identify synthetic evidence and understand the limits of the admissibility of expert evidence in the age of Artificial Intelligence?</abstract>
                <slug>bsidesluxembourg-2026-92264-forensic-challenges-in-real-world-cases-of-digital-manipulation</slug>
                <track></track>
                
                <persons>
                    <person id='92499'>Thiago Vieira</person>
                </persons>
                <language>en</language>
                <description>Case Study: Portugal (Spoofing &amp; Investigation)
The Challenge: Real case with no &quot;convergent pattern.&quot; Calls that can originate abroad with forged national IDs, making it impossible for local operators to assign responsibility or for investigators to find a consistent &quot;fingerprint.&quot; What impact it does to the 

Case Study: Brazil (Vishing)
The Mechanism: Scammers harvest video from old people and make loans on their behalf.
Impact: Financial losses in Brazil due to digital fraud reached R$10.1 billion in late 2024. Half of all fraud attempts in 2025 were linked to &quot;vishing&quot; and social engineering.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/SSCME8/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/SSCME8/feedback/</feedback_url>
            </event>
            <event guid='07600967-1b7f-5e30-8dd1-0787f1b79748' id='96448' code='QPVJLF'>
                <room>Workshops and Stage - Design Space (C1.05.12)</room>
                <title>500 Incidents Later: Real-World Cyber Defense</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-08T11:20:00+02:00</date>
                <start>11:20</start>
                <duration>00:40</duration>
                <abstract>**Our CSIRT found that in 4 out of 5 security incidents, there were pre-existing alerts.**

Most organizations don&apos;t get breached because they lack tools. They get breached because of predictable, repeatable mistakes. The kind our SOC and CSIRT teams at ACEN see across 500+ incidents in European organizations.

This session breaks down the patterns and numbers that matter: where attackers consistently get in, what organizations consistently miss, how many hours go into responding to an incident, and what separates the ones that contain a breach from the ones that don&apos;t.</abstract>
                <slug>bsidesluxembourg-2026-96448-500-incidents-later-real-world-cyber-defense</slug>
                <track></track>
                
                <persons>
                    <person id='96167'>Federico</person>
                </persons>
                <language>en</language>
                <description>When you provide security at scale, it&apos;s critical to identify patterns and what actually works.
At ACEN, our SOC and CSIRT teams have handled over 500 security incidents and currently protect more than 40 organizations on a daily basis. That hands-on experience has taught us what works, what doesn&apos;t, and how to avoid the pitfalls that lead to a breach.

In this session you&apos;ll discover:
- **Statistics from the trenches:** Incident patterns and data from real European cases, straight from our experience.
- **Real-world case studies:** Common attack scenarios, walked through step by step, showing exactly what went wrong.
- **How to avoid common pitfalls:** The key missteps organizations make and how to prevent them.
- **A proactive approach:** How these incidents could have been prevented, and how that same thinking can protect your organization.

You&apos;ll leave with a clear plan to improve your security posture, and the right questions to ask before someone else finds the gaps first.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/QPVJLF/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/QPVJLF/feedback/</feedback_url>
            </event>
            <event guid='cd6e984f-f329-55c9-815c-79d2de3c9bf8' id='93085' code='L9Y9PM'>
                <room>Workshops and Stage - Design Space (C1.05.12)</room>
                <title>Third Party Risk Management</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-08T13:30:00+02:00</date>
                <start>13:30</start>
                <duration>00:40</duration>
                <abstract>Identifying and managing the third party risk while continuing to comply with business needs and regulatory requirements.</abstract>
                <slug>bsidesluxembourg-2026-93085-third-party-risk-management</slug>
                <track></track>
                
                <persons>
                    <person id='93198'>Jyoti Upadhyay</person><person id='96481'>Parveen Rajpurohit</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/L9Y9PM/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/L9Y9PM/feedback/</feedback_url>
            </event>
            <event guid='b66415f4-502c-5ee5-b0cc-e8ecf353bf94' id='92823' code='CERTQC'>
                <room>Workshops and Stage - Design Space (C1.05.12)</room>
                <title>Agnoletti &amp; Trump: Gaming Playing to Win at Cyber</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-08T14:10:00+02:00</date>
                <start>14:10</start>
                <duration>00:40</duration>
                <abstract>Two blokes. One strategy. Train to Win or don&#8217;t bother playing.

There is little excuse for organisational failure when executing incident response, as nearly every possible cyber security scenario has not only been documented but could be &quot;role played&quot; by your team well in advance of an actual incident.

Join Klaus Agnoletti &amp; Ian Thornton-Trump for a talk focused on creating role playing experiences for your organization, based on the latest adversary threat intel.

Specific takeaways include:
- Listening at the Door
  - Is there a sleeping Panda, Kitten, Bear or Spider lurking in the network?
- Checking for Traps
  - Can IR activities be carried out without alerting the threat actor?
- Containment
  - Can the threat actor be contained, or will they run and bring in reinforcements?
- Clearing the Room
  - The threat actor may put up a fight; do you need to bring in additional help?
- Looting the Room
  - The treasure is the experience, the coin is your pay check

A hilarious RPG-focused talk combining the best elements of scenario-driven IR training with a creative spin.</abstract>
                <slug>bsidesluxembourg-2026-92823-agnoletti-trump-gaming-playing-to-win-at-cyber</slug>
                <track></track>
                
                <persons>
                    <person id='93002'>Klaus Agnoletti</person><person id='93122'>Ian Thornton-Trump</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/CERTQC/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/CERTQC/feedback/</feedback_url>
            </event>
            <event guid='41606a6d-2f79-55f4-8c81-dd2a2fccacf3' id='89734' code='KFW9CC'>
                <room>Workshops and Stage - Design Space (C1.05.12)</room>
                <title>Weaponizing PDF Files: Advanced Exploitation Techniques for Red Teams</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-08T15:40:00+02:00</date>
                <start>15:40</start>
                <duration>00:40</duration>
                <abstract>This is a hands-on presentation that will guide you through the world of PDF exploitation, showcasing how this ubiquitous document format can serve as a vessel for malicious JavaScript malware. Dive into real-world vulnerabilities that have been leveraged to execute harmful code directly through PDF files, posing major threats in today&apos;s cybersecurity landscape.

Key exploit techniques explored will include:

- Data Exfiltration Tactics: Discover methods for covertly extracting sensitive data, such as email addresses and system information, from unsuspecting users.
- Embedding Malware in PDFs: Learn how adversaries embed malicious scripts within PDF files, tricking users into triggering exploits in Adobe Reader through typical file interactions.

We&apos;ll dissect techniques including shellcode injection, buffer overflow attacks, Adobe Reader exploitation, and memory manipulation, each engineered to deliver and execute malware efficiently.

This session is ideal for offensive security professionals, penetration testers, and threat emulation experts seeking to elevate their understanding of PDF-based threats and enhance their testing skills. Uncover how these sophisticated attacks work and walk away with actionable strategies to counter them.

More information about the presentation can be found in this article: https://labs.segura.blog/unmasking-the-threat-a-deep-dive-into-the-pdf-malicious-2/</abstract>
                <slug>bsidesluxembourg-2026-89734-weaponizing-pdf-files-advanced-exploitation-techniques-for-red-teams</slug>
                <track></track>
                
                <persons>
                    <person id='90133'>Filipi Pires</person>
                </persons>
                <language>en</language>
                <description>Outline
1. Introduction
- Welcome &amp; Objectives
- Importance of PDF Security in Today&#8217;s Threat Landscape
- Overview of Hands-On Approach
2. Anatomy of a PDF File
- PDF File Structure Overview
- Common Features Abused by Attackers
- JavaScript Capabilities Within PDFs
3. Real-World Vulnerabilities
- Demo: Analyzing a Malicious PDF Sample
4. Key Exploit Techniques
- Heap Spray Attacks
  - Concept and Mechanism
  - Demo: Shellcode Injection via Heap Spray
- Data Exfiltration Tactics
  - Covert Data Extraction Methods
  - Demo: Harvesting User Data from PDF Interaction
- Embedding Malware in PDFs
  - Techniques for Payload Embedding
  - Demo: Triggering Exploits Through User Actions
5. Advanced Attack Vectors
- Shellcode Injection &amp; Buffer Overflows
- Memory Manipulation in Adobe Reader
- Demo: Exploiting Adobe Reader Vulnerabilities
6. Hands-On Exercise
- Guided Lab: Analyzing and Crafting Malicious PDFs
- Indicators of Compromise (IoCs)
- Safe Testing Practices</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/KFW9CC/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/KFW9CC/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='Workshops and Stage - Gernsback (C1.05.02)' guid='b84d3f24-c35e-59bb-96b9-3b07464f6ab1'>
            <event guid='9c9a739e-23a2-5dff-abb1-91f32223af18' id='85260' code='7DGVSU'>
                <room>Workshops and Stage - Gernsback (C1.05.02)</room>
                <title>Curating Secure Software: The Art of Selecting Safe Dependencies</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-08T09:40:00+02:00</date>
                <start>09:40</start>
                <duration>00:40</duration>
                <abstract>Imagine curating an art gallery&#8212;you wouldn&#8217;t hang just any painting on the wall. Each piece is carefully selected, verified for authenticity, and preserved to ensure a valuable experience for visitors. The same meticulous approach applies to software development.

Secure curation of open source isn&#8217;t about stifling creativity; it&#8217;s about ensuring that the dependencies we bring into our applications are secure, well-maintained, and reliable. As an art curator protects against forgeries and deterioration, developers must assess third-party components for malware, tampering, vulnerabilities, licensing risks, and long-term sustainability.

This talk will explore why curation is the foundation of secure software supply chains. We&#8217;ll discuss practical strategies for evaluating dependencies, maintaining a trusted repository, and leveraging free tools to automate the process. By adopting a safe curation mindset, developers can sleep better at night, knowing their applications rest on a foundation of safe, high-quality components.</abstract>
                <slug>bsidesluxembourg-2026-85260-curating-secure-software-the-art-of-selecting-safe-dependencies</slug>
                <track>Secure Development track</track>
                
                <persons>
                    <person id='86386'>Kadi McKean</person><person id='86387'>Frithjof Hoffmann</person>
                </persons>
                <language>en</language>
                <description>Curating software is like curating art&#8212;every dependency must be verified, authentic, and secure. This talk explores how careful selection, evaluation, and automation can help developers build safer apps and maintain a strong, trustworthy software supply chain.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/7DGVSU/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/7DGVSU/feedback/</feedback_url>
            </event>
            <event guid='be43d266-039e-535f-b043-c8939f86a0cc' id='92248' code='8LNSCC'>
                <room>Workshops and Stage - Gernsback (C1.05.02)</room>
                <title>Spyware: The Invisible Threat</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-08T10:40:00+02:00</date>
                <start>10:40</start>
                <duration>00:40</duration>
                <abstract>Commercial spyware like Pegasus can compromise mobile devices without any user interaction (zero-click attacks) that bypass traditional security.
With thousands of confirmed infections and 50,000 suspected targets since 2016, this threat extends beyond journalists and activists to strategic sectors: energy, transport, telecommunications, and defence.
Learn how nation-state spyware works, see real evidence of infections, and discover how forensic-grade detection tools can protect executive teams and board members in high-value organisations.</abstract>
                <slug>bsidesluxembourg-2026-92248-spyware-the-invisible-threat</slug>
                <track></track>
                
                <persons>
                    <person id='92485'>Julien vander Straeten</person>
                </persons>
                <language>en</language>
                
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/8LNSCC/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/8LNSCC/feedback/</feedback_url>
            </event>
            <event guid='e9340e13-d7e1-56e2-89cb-1393cf8643bc' id='86901' code='DL9Z8C'>
                <room>Workshops and Stage - Gernsback (C1.05.02)</room>
                <title>From Phishing to Mitigation: An Early-Career Incident Response</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-08T11:20:00+02:00</date>
                <start>11:20</start>
                <duration>00:40</duration>
                <abstract>Early in my career, while working as a junior engineer at an emerging AI startup in Seattle, Washington, USA, during the first wave of commercial AI adoption, our company suddenly became the target of an extreme and highly disruptive phishing campaign. Shortly after we received public attention as a &#8220;hot startup,&#8221; phishing volume surged to the point that it flooded employee mailboxes and interfered with normal operations. The messages were convincing enough that at one point an employee ran through the office claiming that our CEO was stranded at an airport and urgently needed financial help.

What initially felt like an uncontrollable background problem became a significant security and operational risk. Rather than accepting it as inevitable, we began analyzing the phishing emails in detail&#8212;treating them as data rather than noise. By correlating sender IP addresses and examining publicly available IP allocation and routing information, we discovered that although the emails appeared to originate from many different sources, the traffic consistently traced back to a small number of allocated IP blocks.

We mitigated the immediate risk by blocking those ranges at the email gateway, which dramatically reduced the volume of phishing. Digging further into the upstream infrastructure revealed that the IP space was associated with a data center in Luxembourg, operating email security and anti-spam systems. At the time, I was in the process of reclaiming my Luxembourg citizenship through ancestry on my mother&apos;s side, and the situation prompted a different line of thinking: if similar infrastructure under my supervision was being abused, I would want to know about it.

Instead of assuming malicious intent, we reached out directly to the infrastructure operator, shared sanitized examples of the phishing messages, and coordinated a responsible disclosure. Despite internal skepticism that this amounted to &#8220;talking to the attackers,&#8221; the response was professional, the issue was investigated, and the phishing activity largely stopped. We also filed a report with the regional internet registry.

Looking back, this incident shaped how I think about security problems that seem impossible or overwhelming. Not every issue is solved with more tooling or escalation. Sometimes, careful deduction paired with human communication and empathy can break deadlocks that technology alone cannot.</abstract>
                <slug>bsidesluxembourg-2026-86901-from-phishing-to-mitigation-an-early-career-incident-response</slug>
                <track></track>
                
                <persons>
                    <person id='87795'>Chris Beckman</person>
                </persons>
                <language>en</language>
                <description>A recounting of an early-career security incident involving a disruptive phishing campaign, traced through IP allocation data and addressed through responsible disclosure with upstream infrastructure&#8212;highlighting how technical analysis and human communication helped resolve a problem that initially felt unsolvable.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/DL9Z8C/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/DL9Z8C/feedback/</feedback_url>
            </event>
            <event guid='14f4c713-2e6a-5775-94cd-0198458f2f9d' id='94029' code='ZQWC7Y'>
                <room>Workshops and Stage - Gernsback (C1.05.02)</room>
                <title>Building vs. Buying &#8211; A Tale of Developing an In-House SCA Tool</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-08T13:30:00+02:00</date>
                <start>13:30</start>
                <duration>00:40</duration>
                <abstract>Most organizations run Software Composition Analysis, yet very few actually use the results effectively. Alerts pile up, developers ignore findings, and security teams drown in noise.

This talk tells the story of building an in-house SCA platform from scratch using open-source tooling, designed to scale across large organizations while focusing on what actually matters. We&#8217;ll explore how to normalize results, prioritize vulnerabilities based on real risk, and integrate SCA into CI/CD in a way developers don&#8217;t hate.

Backed by real production usage and a live demo, this session focuses on practical techniques, not theory, to turn SCA from a checkbox into something teams can act on. Attendees will leave with ideas, patterns, and open-source approaches they can apply immediately.</abstract>
                <slug>bsidesluxembourg-2026-94029-building-vs-buying-a-tale-of-developing-an-in-house-sca-tool</slug>
                <track>Secure Development track</track>
                
                <persons>
                    <person id='93906'>Diogo Lemos</person>
                </persons>
                <language>en</language>
                <description>In this session, I will take the audience through the complete journey of designing, building, and deploying an open-source Software Composition Analysis (SCA) tool from scratch. I will start by highlighting the common challenges teams face when using commercial SCA tools, such as opaque scoring systems, overwhelming volumes of alerts, inconsistent results across different repositories and ecosystems, and the difficulty in prioritizing what matters most. I will explain the motivation behind building an in-house, open-source tool: to give security and development teams transparency, control, and flexibility, and to create a practical, actionable approach to managing dependencies at scale.

Next, I will dive into the technical architecture and design decisions that guided the tool&#8217;s development, showing how it discovers dependencies, including transitive ones, across multiple ecosystems. I will cover how the tool integrates public vulnerability sources, including CVE databases, advisories, and metadata, and how it normalizes results to provide consistent, actionable insights. I will explain the scoring system we developed to prioritize vulnerabilities based on severity, exploitability, and update cadence, enabling teams to focus on what actually matters.

The session will include a live demo showing a real repository being scanned, vulnerabilities being discovered, scored, and surfaced in dashboards. I will walk through how results are integrated into CI/CD pipelines to block risky builds, automate updates, and generate actionable reports for developers. Along the way, I will share lessons learned from real-world deployment, including challenges in adoption, maintaining open-source tools, and improving developer engagement.

By the end of the session, attendees will understand the full lifecycle of building and using an open-source SCA tool, including practical integration strategies, risk prioritization techniques, and how to deploy it effectively in their own environments. I will provide links to the open-source code and supporting materials, so participants can explore and experiment immediately.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/ZQWC7Y/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/ZQWC7Y/feedback/</feedback_url>
            </event>
            <event guid='8b121069-db84-552e-9504-affbf21172b3' id='85028' code='LHVQCJ'>
                <room>Workshops and Stage - Gernsback (C1.05.02)</room>
                <title>What&apos;s Old is New: Exploiting Classic Vulnerabilities in GraphQL APIs</title>
                <subtitle></subtitle>
                <type>Talk</type>
                <date>2026-05-08T14:45:00+02:00</date>
                <start>14:45</start>
                <duration>00:35</duration>
                <abstract>SQL injection and broken authentication remain persistent threats in modern web applications, yet many developers continue to assume that new technologies are immune to classic attacks. This presentation examines a real-world penetration test where we discovered critical SQL injection and authentication bypass vulnerabilities in a production GraphQL API backed by PostgreSQL&#8212;proving that architectural shifts don&apos;t eliminate fundamental security flaws.</abstract>
                <slug>bsidesluxembourg-2026-85028-what-s-old-is-new-exploiting-classic-vulnerabilities-in-graphql-apis</slug>
                <track>Secure Development track</track>
                
                <persons>
                    <person id='86205'>Aleksa Zatezalo</person>
                </persons>
                <language>en</language>
                <description>Organizations migrating to GraphQL often operate under a false sense of security, believing modern frameworks inherently protect against legacy vulnerabilities. This case study proves otherwise.

We&apos;ll walk through the complete exploitation chain&#8212;from GraphQL schema enumeration and identifying injection points in resolvers, to executing time-based blind SQL injection that achieved PostgreSQL superuser access. We&apos;ll also demonstrate how broken authentication patterns in GraphQL&apos;s authorization layer enabled unauthorized data access.

The talk will include a live demo of GrapeQL, an open-source tool for automated GraphQL vulnerability scanning, with practical demonstrations of effective testing workflows. Attendees will learn GraphQL-specific mitigation strategies including parameterized queries in resolvers, proper input validation for nested structures, resolver-level authorization, rate/depth limiting, and security-focused schema design patterns.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/LHVQCJ/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/LHVQCJ/feedback/</feedback_url>
            </event>
            
        </room>
        <room name='CTF players room (C1.03.05 6+8th or C1.04.02 7th)' guid='9a60e791-5cf1-5ead-a5d6-59d101667e5a'>
            <event guid='c2f0a07d-b927-5551-9c29-66067e72880d' id='92883' code='MXSRZ9'>
                <room>CTF players room (C1.03.05 6+8th or C1.04.02 7th)</room>
                <title>BsidesLuxembourg 2026 CTF Walkthrough Session</title>
                <subtitle></subtitle>
                <type>Workshop 2h</type>
                <date>2026-05-08T14:00:00+02:00</date>
                <start>14:00</start>
                <duration>02:00</duration>
                <abstract>The BSides CTF Walkthrough Session is a live, introductory tour of some selected challenges from this year&apos;s BSides Luxembourg Capture-the-Flag competition. During this interactive activity we will not walk through every challenge step by step; instead, we will specifically discuss the tasks that participants found most interesting and frustrating, whether a web exploit, LPE, OSINT or crypto puzzle, so that by the end of the session both those with little experience and those with more have a better overall idea of how to think during a CTF.</abstract>
                <slug>bsidesluxembourg-2026-92883-bsidesluxembourg-2026-ctf-walkthrough-session</slug>
                <track></track>
                
                <persons>
                    <person id='93035'>MUHAMMED WASEEM VILLAN</person>
                </persons>
                <language>en</language>
                <description>Instead of a lecture where the speaker tells the audience all the answers, the session takes the form of a conversation with the players of the CTF. We will begin with a brief summary of the BSides Luxembourg 2026 CTF: challenge types, difficulty tiers, and some statistics (solves, first bloods, most/least solved challenges). After that it will be audience-driven: we will ask participants which challenges they would like to revisit and then work through them on the spot.

For each chosen challenge, we will:

- Explain the core idea and what clue in the statement pointed to it.
- Show the critical steps of the solution, highlighting typical mistakes and dead ends.
- Discuss alternative approaches, tooling, and how similar bugs appear in real&#8209;world systems.

This format makes the session useful regardless of whether you solved many flags or couldn&apos;t get through: you can bring your questions, learn how other people tackled the same problem, and pick up practical tips for solving CTF problems that you can apply to future CTF events.</description>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <links></links>
                <attachments></attachments>

                <url>https://pretalx.com/bsidesluxembourg-2026/talk/MXSRZ9/</url>
                <feedback_url>https://pretalx.com/bsidesluxembourg-2026/talk/MXSRZ9/feedback/</feedback_url>
            </event>
            
        </room>
        
    </day>
    
</schedule>
