09:30
10min
Opening
OrangeCon Orga

Conference opening by OrangeCon Orga

Main track
Main track
09:40
30min
Keynote: Geeks to Giants: The Journey from Hacking Subculture to Modern Cybersecurity
Marco Balduzzi

Modern cybersecurity, as we all know today, is the result of years of transformation. It was back in the 80s when pioneering hacking enthusiasts began aggregating in self-organized communities, exploring the boundaries and capabilities of computer systems and networks. These individuals, often seen as alternative personalities who struggled to fit into an increasingly globalized and controlled society, found their freedom within the hacking subculture.

Driven by passion and curiosity, this movement rapidly grew, creating digital communication platforms for virtual connections, and organizing hacking camps and conferences for social gatherings. Naturally, this initial wave of pioneering geeks matured, with many transitioning into responsible adults. Some went on to establish businesses, offering security services and developing products to meet the growing demands of a growing security market.

In this keynote, we explore this significant social transformation and reflect on its current state: a cybersecurity realm dominated by large-scale multinational corporations where individuals are not necessarily viewed as like-minded enthusiasts driven by passion and curiosity, but as part of a workforce that can be replaced by autonomous systems to cut costs and maximize profits.

Main track
Main track
10:15
30min
Calling Across the Fence: Exploiting Roaming Protocols from the Telco Next Door
Sebastiaan Groot, Frank Cozijnsen

A Steering of Roaming (SoR) solution in the telecom world is a component used by mobile network operators to manage which networks their subscribers connect to when roaming in other countries. While fuzzing a globally used SoR component, we discovered a remote code execution vulnerability that could be exploited from the position of other telecom operators. In this talk we want to take you with us on the journey from fuzzing setup to crash discovery, initial exploitation all the way to overcoming the network isolation and protocol constraints to craft an exploit that allows for two-way communication.

Main track
Main track
10:15
30min
The Value of Digital Accessibility and Inclusivity in Cybersecurity
Annelies Verhelst

An insightful and practical talk about how accessibility and security are linked, how you can solve common problems that could arise for people using assistive devices or software, and what to gain from doing so.

Track 2
Second track
10:45
15min
Coffee Break
Main track
10:45
15min
Coffee Break
Second track
10:45
15min
Coffee Break
Workshops 1
10:45
15min
Coffee Break
Workshops 2
11:00
30min
Breaking and Remaking ESP32 Devices: A Practical Guide to Reverse Engineering and Patching
Wilco van Beijnum

When investigating the security of a smart device, we often encounter a very limited attack surface with no open ports, encrypted network traffic, and no logging. In this session, Wilco will show how to break through these barriers on an ESP32, a microcontroller widely used in IoT devices, such as smart switches, EV charging stations, and many other smart home devices.

Wilco will present techniques for obtaining, reverse engineering, and patching the firmware of an ESP32, and show these techniques in practice during demo sections by disabling certificate pinning and enabling debug logging on an ESP32 device.

After this session, you will have the knowledge and skills to start reverse engineering your own ESP32-based IoT devices, opening up new paths for vulnerability research.

Track 2
Second track
11:00
30min
From WAN to NAS: A Pwn2Own Journey Through the SOHO Attack Surface
Daan Keuper

The SOHO Smashup is a famous category in the IoT focused edition of Pwn2Own. Contestants are challenged to exploit a router from the WAN side and then use that device to exploit a second device on the internal LAN. Last year, we took them up on this challenge and successfully demonstrated a 0day exploit chain against a QNAP router and pivoting to a TrueNAS system. In this presentation, we'll describe how we performed our research and the vulnerabilities we found.

Main track
Main track
11:05
60min
AWS Enumeration for Purple Teams
Nikos Mantas

Designed for both Blue and Red teams, this hands-on workshop is designed to equip participants with a deep dive into AWS enumeration techniques and detection opportunities. Through guided labs, attendees will learn how attackers can use policy misconfigurations to identify paths to their objectives. For defenders, we will discuss real-world detection opportunities, log sources, and effective monitoring strategies to identify suspicious enumeration activity before it escalates into full-blown compromise.

Along the way we introduce dAWShund, a new tool designed to map and visualize AWS resource relationships, helping Red Teams identify attack paths and Blue Teams strengthen defenses to help put a leash on naughty permissions. The idea is to hold an interactive workshop fostering and encouraging discussions among participants.

By the end of the workshop, attendees will be able to:
- Understand the differences between AWS resources and policy types. (TL;DR it’s a hot mess)
- Get a grasp of permissions validation (A bigger hot mess)
- Spot detection opportunities for enumeration (We'll use Sentinel and KQL)
- Discuss areas of improvement for the future

Technical requirements for the audience:
- Don't forget to bring your own laptop
- Basic knowledge of AWS, although all terminology will be explained.

Workshop track 1
Workshops 2
11:05
60min
Analyzing Cobalt Strike Beacons, Servers and Traffic
Didier Stevens

In this workshop, we will use tools developed by Didier Stevens to deal (analysis & traffic decryption) with malicious Cobalt Strike beacons.

There used to be a time when a blue teamer could say: "this sample I just analyzed is a Cobalt Strike beacon: I'm sure this is a pentest".
That is no longer the case: Cobalt Strike has become very popular with common criminals, and even some APT crews. Nowadays, if you encounter a Cobalt Strike sample, your organization is more likely to be under real attack than under simulated attack.

Workshop track 1
Workshops 1
11:35
30min
In Memory of In-Memory Detection
Tijme Gommers

Pack, obfuscate, or encrypt your malware as much as you want to prevent detection. This works reasonably well, but ultimately your malware always runs somewhere in the memory of a computer. This is an inherent problem with all of the aforementioned techniques. At some point during execution, the payload that you have tried to hide as much as possible is decrypted to plain text, because only then can it be executed properly.

In this presentation, you will learn more about the hurdles of such polymorphic malware and how to detect it. I then introduce you to the concept of modern metamorphic malware and how this type of malware circumvents static and in-memory detection. I demonstrate that static in-memory detection is now completely dead, and we can no longer rely on it, especially when practical implementations of metamorphic malware become publicly available.

As the icing on the cake, I publish such a practical implementation: Dittobytes. Dittobytes is a project for true metamorphic cross-compilation of C-code to Truly Position Independent Code (PIC). Malware compiled with Dittobytes runs everywhere natively — in any process, on Windows, Mac, and Linux, and both on X86 and ARM64. The best part? It's different every time you compile it!

Main track
Main track
11:35
30min
Silent Infiltration: Chromium Preference Attacks
Riadh Bouchahoua

This presentation introduces a stealthy technique for injecting arbitrary extensions into Chromium-based browsers by manipulating the Preferences file.

The method, which remains relatively obscure, expands on the groundwork laid by Pablo Picazo-Sanchez, Gerardo Schneider, and Andrei Sabelfeld in their 2020 whitepaper.

The focus of the presentation is on refining and enhancing this approach to circumvent recent security measures implemented in the latest Chromium versions. It demonstrates the automation of this process through an exploitation script and showcases various post-exploitation attacks that leverage the Chromium API, which permits:
- Stealing of cookies and Localstorage credentials
- Getting history of navigation
- Partial access to the FS
- And much more ...

Main track
Second track
12:05
60min
Lunch Break
Main track
12:05
60min
Lunch Break
Second track
12:05
60min
Lunch Break
Workshops 1
12:05
60min
Lunch Break
Workshops 2
13:05
30min
Inside NCSC’s CTI Team: Tracking Threat Actors Targeting the Netherlands
Talha Ucar, Juriaan Spierenburg

From covert state-backed espionage to financially motivated cybercrime, from politically charged hacktivism to digital sabotage—threat actors targeting the Netherlands come in many forms, and their tactics are constantly evolving.

In this talk, the Cyber Threat Intelligence (CTI) team of the Dutch National Cyber Security Centre (NCSC) offers a rare behind-the-scenes look at how they investigate and analyze these threats in support of the Dutch government and critical infrastructure sectors.

Through real-world case studies, we’ll demonstrate how our team monitors, classifies, and contextualizes activity from a wide range of threat actors—including nation-states, cybercriminal groups, hacktivists, and actors with sabotage-related intents. You’ll see how this intelligence fuels key NCSC products like the CTI-Report and the quarterly Threat Landscape Analysis, which provide essential context and action-oriented insights to our partners.

We’ll also present Pharos for the first time: a powerful, in-house developed tool that continuously scans the internet for signs of malicious infrastructure. By leveraging sources like Censys, Shodan, and VirusTotal through custom queries, Pharos helps us identify suspicious IPs, domains, certificates, and more—before they’re used in active campaigns. We will explain how we leverage this type of intelligence, not only for ourselves but within a broader cybersecurity ecosystem.

Join us for a deep dive into the operational world of national CTI: where strategic intelligence meets technical investigation, and where safeguarding the digital security of the Netherlands is a daily mission.

Main track
Main track
13:40
30min
Talk Nerdy To Me: Orchestrating Red Team Operations in Natural Language
Roy Reinders

Red Team operations often involve juggling dozens of tools, manual workflows, and fragile automation. Is AI finally going to save us and help us tie things together? Or are we adding yet another layer of unnecessary complexity? In this talk, I will share how we are using Large Language Models (LLMs) to orchestrate Red Team operations by integrating them directly into our infrastructure, using custom Model Context Protocol (MCP) servers.

MCP provides LLMs with access to in-house tools and data, providing a natural language interface between operators and backend systems. I will walk through how we wired it up to perform tasks like querying implant data, launching redirectors, checking logs, and flagging OPSEC risks in payloads. The focus will be on practical implementation details: what worked, what didn’t, and how we handled LLM limitations in the context of real operations.

You will learn how MCP works under the hood, what components are needed, how it interfaces with tools, and how we deal with model safety filters that can get in the way of offensive use cases. The goal is to show how accessible it is to build your own interface, and how LLMs can become a useful part of your Red Team toolkit today. I will conclude with ideas for where this kind of integration makes the most sense, and where it still falls short.

This talk is for anyone curious about leveraging LLMs to finally sweet-talk your tooling into doing what you want it to, whether in security, operations, or elsewhere.

Track 2
Second track
14:10
60min
Deep Dive into Container Security
Jorge Martínez

Containerizing an application unlocks a wealth of possibilities: in theory, containers can be easily scaled, managed, recreated, defined as code, and more. However, the convenience of these powerful tools sometimes leads us to overlook the underlying mechanics and the security implications involved. While many aspects of developing with containers resemble those of traditional applications, containers also introduce unique characteristics and challenges that must not be ignored.

Track 2
Workshops 2
14:10
120min
Hands-on Hacking Automotive Systems
Roald Nefs

As modern vehicles evolve into complex networks of software and hardware, they become increasingly susceptible to cyber threats. In this hands-on workshop, we will explore how vulnerabilities in automotive systems can be identified, analyzed, and demonstrated. Participants will dive into real-world scenarios using practical tools and techniques to penetrate vehicle networks, uncover security flaws, and experiment with live attacks. This workshop bridges the gap between theoretical knowledge and practical skills, empowering attendees to better understand the increasingly connected automotive landscape.

The session will begin with an introduction to automotive security concepts and the architecture of modern vehicle networks. Participants will then learn how to interact directly with the Controller Area Network (CAN) bus, the central communication system in most vehicles. Through guided, hands-on exercises, they will reverse engineer messages to the instrument cluster and send spoofed signals to manipulate displayed information.

Workshop track 1
Workshops 1
14:15
30min
From Phishing to Persistence: How Attackers Take Over Cloud Accounts
Yaniv Miron

Let me walk you through the modern techniques hackers use today to take over cloud accounts - methods that are far more stealthy and persistent than most users or security teams realize.
We'll examine how attackers steal session cookies from unsuspecting victims, silently modify email account settings to intercept or redirect messages, and leverage OAuth applications to maintain long-term access even if the user changes their password or enables two-factor authentication. These tactics often leave no alerts or obvious signs, allowing the attacker to persist undetected for weeks or even months.
To better understand and replicate these threats, we've developed two custom red team tools: ATOLS and FASSA.
These tools simulate real-world attack paths used by adversaries, allowing organizations to test their detection capabilities and response processes in a controlled and safe environment.
Today, we’re going to show you exactly how they work and what you can do to stay ahead.

Main track
Main track
14:15
30min
Old Tricks, New Depths: Exploring the Hidden Relaying Capabilities of Local Name Resolution Poisoning
Quentin Roland

Local name resolution poisoning attacks are almost as old as Active Directory itself – and yet, the magic of Windows environments' retro-compatibility makes them still effective in 2025.

One of the very first offensive actions carried out by an attacker with access to an internal network is to attempt exploiting the LLMNR, mDNS or NBNS protocols that are even today enabled by default, in order to gain an authenticated foothold into the Active Directory infrastructure.

To the pentesters thinking that local name resolution attacks are well-known exploit primitives that do not have any more surprises in store for us – this presentation is here to prove you wrong. We will dive into two new techniques recently introduced that enhance the NTLM and Kerberos relaying capabilities of local name resolution poisoning, and their implementation in open-source tools such as Responder and krbrelayx.

Discover how to trick Windows SMB clients into falling back to WebDAV HTTP authentication that does not implement signing, or how to perform Kerberos relaying through LLMNR, all illustrated by concrete exploit demonstrations!

Main track
Second track
14:45
15min
Coffee Break
Main track
14:45
15min
Coffee Break
Second track
15:00
30min
The Fairytale of KPI's in the World of MDR
Robin Bruynseels

In today’s cybersecurity landscape, organizations are under constant pressure to defend against evolving threats. As a result, many turn to Managed Detection and Response (MDR) providers, who often promise peace of mind through glowing dashboards and polished Key Performance Indicators (KPIs). But behind the marketing sheen lies a critical question: Are these KPIs actually providing value?

This session will unpack the illusion of comfort that many MDR vendors create by highlighting surface-level metrics — response time, alert volume, SLA compliance — that often resonate with executives but fail to reflect operational reality. We’ll explore the disconnect between boardroom optics and SOC floor effectiveness, emphasizing that KPIs must be more than impressive — they must be actionable.

Attendees will walk away with a critical lens for evaluating cybersecurity KPIs, a framework for identifying metrics that drive real security outcomes, and a renewed focus on tracking what truly matters in the fight against modern threats.

Track 2
Second track
15:10
90min
Not Just Email: Rethinking Phishing in a Hardened World
Ruben Homs

Phishing isn’t dead, but relying on email alone doesn't cut it anymore.

Spam filters are smarter than ever. Domain reputation matters. Content is scanned and scored. Automated tools scan domains as soon as they request a TLS certificate. Most phishing emails never even make it to the inbox due to automated scanners. And when they do, users are trained to be suspicious.

In this workshop, we’ll start by looking at email, which is still the most common channel for phishing. You’ll see the increasingly ridiculous hoops attackers have to jump through just to get a single message into a user’s inbox. From domain aging and sender reputation to anti-bot detection, client-side obfuscation and spam filter scoring. It’s a game of constant trial and error. We will then focus on other ways to deliver your messages through alternative, unfiltered channels such as Microsoft Teams, QR codes, SMS, LinkedIn or shared documents.

Participants will work with real-world personas to build convincing pretexts using OSINT, and then decide how they would deliver their phishing message. If email looks too risky or unlikely to succeed, you’ll explore alternative channels like Teams, SMS, LinkedIn, or even QR codes. The goal is to think like an attacker, adapt to defenses, and figure out how the message gets through.

Key Takeaways:
- Understand why phishing via email is harder than ever and what modern filters look for
- Learn the steps attackers take to bypass spam detection and deliver a single message
- Use open source intelligence to craft realistic, targeted phishing pretexts
- Explore the importance of timing, trust signals, and context in social engineering
- Compare multiple delivery channels beyond email and assess their trade-offs
- Think like an attacker when planning phishing campaigns, and identify where defenses can fail
- Gain practical insight into how phishing simulations can be made more realistic and impactful

Main track
Workshops 2
15:35
30min
(Deep-)dive to Entra ID Token Theft Protection
Dr Nestori Syynimaa

Token Theft attacks have risen during the past few years as organisations have moved to stronger authentication methods. Entra ID has built-in protections to mitigate these attacks. This session will cover how to use these protections and technical details of how they work under the hood.

Main track
Main track
16:10
30min
Flooding the Zone: Emotional Hijack, AI Bias & Critical Thinking in Cybersecurity
An Gaiser

In an era of information warfare, social engineering is no longer limited to isolated phishing emails. It’s about overwhelming minds. From misinformation to algorithmic overload, cyber professionals today face a new form of threat: emotional hijack. In this session, former intelligence officer and behavioral analyst An Gaiser unpacks how this invisible attack vector works, and how it hijacks more than just attention.

Using real-world examples from counter-terrorism, security screening, and AI-driven profiling systems, An reveals how "flooding the zone" disables our critical thinking and activates deep behavioral responses (fight, flight, freeze, affiliate). We will explore how this impacts decision-making in cybersecurity teams, especially in moments of ambiguity or pressure.

This talk challenges common assumptions in the security field, including outdated emotion recognition models still used in AI tools, and offers a grounded framework for detecting, interpreting, and de-escalating emotional flooding, both in ourselves and others.

Expect a mix of behavioral science, real-world intelligence cases, and practical takeaways you can use in your daily work. Whether you're a red teamer probing human error, a blue teamer navigating stress signals, or a leader seeking clarity in chaos: this session will give you a new lens to detect the invisible and stay cognitively sharp under pressure.

Main track
Main track
16:45
30min
Locknote: Digital Sovereignty
Ellen Mok

This keynote will explore not only why we need to become more digitally independent, but also how on earth we can make that happen.

Main track
Main track
17:15
10min
Closing
OrangeCon Orga

Closing of the conference

Main track
Main track