{"$schema": "https://c3voc.de/schedule/schema.json", "generator": {"name": "pretalx", "version": "2026.1.1"}, "schedule": {"url": "https://pretalx.com/orangecon-2026/schedule/", "version": "0.14", "base_url": "https://pretalx.com", "conference": {"acronym": "orangecon-2026", "title": "OrangeCon 2026", "start": "2026-06-04", "end": "2026-06-04", "daysCount": 1, "timeslot_duration": "00:05", "time_zone_name": "Europe/Amsterdam", "colors": {"primary": "#ff5300"}, "rooms": [{"name": "Track 1", "slug": "5367-track-1", "guid": "2e94b900-5d64-52e3-a30f-736c7886412a", "description": "Track 1", "capacity": null}, {"name": "Track 2", "slug": "5368-track-2", "guid": "01520088-416a-55c2-ba8b-65952e7e52aa", "description": "Track 2", "capacity": null}, {"name": "Workshops 3", "slug": "5370-workshops-3", "guid": "b966b3d3-998c-5866-a33d-475d86d96671", "description": "Workshops 3", "capacity": null}, {"name": "Workshops 4", "slug": "5369-workshops-4", "guid": "1b1c21d1-8e91-5c6a-b977-768463150789", "description": "Workshops 4", "capacity": null}], "tracks": [{"name": "Track 1", "slug": "6887-track-1", "color": "#f96c06"}, {"name": "Track 2", "slug": "6888-track-2", "color": "#f60546"}, {"name": "Workshop track 3", "slug": "6890-workshop-track-3", "color": "#3a3d90"}, {"name": "Workshop track 4", "slug": "6889-workshop-track-4", "color": "#000000"}], "days": [{"index": 1, "date": "2026-06-04", "day_start": "2026-06-04T04:00:00+02:00", "day_end": "2026-06-05T03:59:00+02:00", "rooms": {"Track 1": [{"guid": "2cb8405b-44dc-5e34-84c7-dbb226f1fe3c", "code": "EEJXWT", "id": 97289, "logo": null, "date": "2026-06-04T09:15:00+02:00", "start": "09:15", "duration": "00:15", "room": "Track 1", "slug": "orangecon-2026-97289-opening", "url": "https://pretalx.com/orangecon-2026/talk/EEJXWT/", "title": "Opening", "subtitle": "", "track": "Track 1", "type": "Talk", "language": "en", "abstract": "Opening of the OrangeCon 2026!", "description": "", "recording_license": "", "do_not_record": false, 
"persons": [{"code": "W83TYA", "name": "OrangeCon Orga", "avatar": "https://pretalx.com/media/avatars/JAURQJ_uG3d8Ar.webp", "biography": "The OrangeCon orga team is the driving force behind OrangeCon. United by a passion for cybersecurity and a strong sense of community, they aim to foster collaboration, support the ethical hacking community, and build a more secure digital future through shared knowledge.", "public_name": "OrangeCon Orga", "guid": "82714c59-f7f1-5e06-ab36-05005c514558", "url": "https://pretalx.com/orangecon-2026/speaker/W83TYA/"}], "links": [], "feedback_url": "https://pretalx.com/orangecon-2026/talk/EEJXWT/feedback/", "origin_url": "https://pretalx.com/orangecon-2026/talk/EEJXWT/", "attachments": []}, {"guid": "ad8fe319-b5c0-5511-8517-5edfd201287c", "code": "W9KQAT", "id": 97290, "logo": null, "date": "2026-06-04T09:30:00+02:00", "start": "09:30", "duration": "00:30", "room": "Track 1", "slug": "orangecon-2026-97290-keynote-games-with-frontiers", "url": "https://pretalx.com/orangecon-2026/talk/W9KQAT/", "title": "KEYNOTE: Games With Frontiers", "subtitle": "", "track": "Track 1", "type": "Talk", "language": "en", "abstract": "This talk is about what happens when we treat politics and security as games, not in the sense of trivial play, but in the sense of game theory: structured interactions where incentives matter more than intentions.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "D9N7PL", "name": "Meredith L. Patterson", "avatar": "https://pretalx.com/media/avatars/DPXCH3_7K3kM7v.webp", "biography": "Meredith L. Patterson is a cybersecurity researcher and software engineer known for her work on the Language-Theoretic Security (LangSec) approach, which applies concepts from linguistics to improve software security. She has presented her research at major conferences such as Black Hat and has contributed to both academic research and real-world software systems. 
Meredith is known for bringing fresh, interdisciplinary perspectives to cybersecurity and secure software design.", "public_name": "Meredith L. Patterson", "guid": "cf500bef-f24b-56b8-a0b7-6064c15e95f3", "url": "https://pretalx.com/orangecon-2026/speaker/D9N7PL/"}], "links": [], "feedback_url": "https://pretalx.com/orangecon-2026/talk/W9KQAT/feedback/", "origin_url": "https://pretalx.com/orangecon-2026/talk/W9KQAT/", "attachments": []}, {"guid": "3abb2f46-2e50-5d4a-a74d-698dec1eb00b", "code": "XC3SJF", "id": 95421, "logo": null, "date": "2026-06-04T10:05:00+02:00", "start": "10:05", "duration": "00:30", "room": "Track 1", "slug": "orangecon-2026-95421-blesplo-it-the-world-introducing-a-new-portable-swiss-army-knife-ble-security-tool", "url": "https://pretalx.com/orangecon-2026/talk/XC3SJF/", "title": "BLESPlo.it the world! Introducing a new portable \"swiss army knife\" BLE security tool", "subtitle": "", "track": "Track 1", "type": "Talk", "language": "en", "abstract": "Bluetooth Low Energy is absolutely everywhere - in billions of smart devices around us. Most tools to audit it require a laptop, a bunch of dongles, and a pile of scripts often difficult to set up and troubleshoot. But the devices you're testing are mobile. They're in elevators, hospital wards, factory floors, and hotel rooms. Your tool should be too.\r\nBLESPlo.it is built on a simple idea: mobile technology deserves a mobile security tool - one that works for everyone, not just in the lab, but in the field.\r\nAt its core, BLESPlo.it is a mobile app - run it standalone and you already have a capable BLE scanner, fingerprinter, and a remote control for the wireless world around you, right in your pocket. Pair it with a small ESP32 companion device (yes, it works with OrangeCon badge!) and enjoy new options impossible with just the phone: low level scanning, cloning/simulating any BLE device with just a few taps, probing pairing modes, and more! 
You can finally try those latest attacks you heard about but never had the possibility to set up. Now you can simulate any target in seconds and focus on the juicy details instead of fighting your toolchain. And thanks to the dynamic scripting engine you can easily write custom attack logic on the fly. Share your scripts, device profiles, fingerprint patterns and protocol implementations, let everyone learn from it and secure their devices.\r\nStill not convinced? Come see AI-boosted reversing shenanigans and live stunt hacking of dildos, shooting robots and even a Ferrari car!", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "YZHLNX", "name": "Slawomir Jasek", "avatar": "https://pretalx.com/media/avatars/KRWJHG_HsHTE9Q.webp", "biography": "Seasoned trainer, speaker and IT security consultant with over two decades of expertise.\r\nCurrently focuses on security research of new technologies (especially Bluetooth Low Energy and NFC/RFID) and delivering trainings on these topics.\r\nLoves sharing his knowledge via trainings, workshops, talks and open source hackme's (https://www.smartlockpicking.com/) \u2013 at OrangeCon, BlackHat, HackInTheBox, Hardwear.io, HackInParis, Deepsec, Appsec EU, BruCon, Confidence, and many others, including private on-demand sessions.", "public_name": "Slawomir Jasek", "guid": "c1e52958-671b-5823-94af-e03168b18ac6", "url": "https://pretalx.com/orangecon-2026/speaker/YZHLNX/"}], "links": [], "feedback_url": "https://pretalx.com/orangecon-2026/talk/XC3SJF/feedback/", "origin_url": "https://pretalx.com/orangecon-2026/talk/XC3SJF/", "attachments": []}, {"guid": "c08c7fb6-c99d-5839-880e-f0bb0d812622", "code": "HLHUPG", "id": 95182, "logo": null, "date": "2026-06-04T10:40:00+02:00", "start": "10:40", "duration": "00:30", "room": "Track 1", "slug": "orangecon-2026-95182-bypassing-the-evasion-barrier-detecting-malleable-c2-when-traditional-defenses-fail", "url": 
"https://pretalx.com/orangecon-2026/talk/HLHUPG/", "title": "Bypassing the Evasion Barrier: Detecting Malleable C2 When Traditional Defenses Fail", "subtitle": "", "track": "Track 1", "type": "Talk", "language": "en", "abstract": "Tools like Cobalt Strike, Brute Ratel, and Mythic have become ubiquitous, forming the backbone of attacks launched by both nation-states and cybercriminals. These \"malleable C2\" platforms allow attackers to precisely configure network traffic\u2014adjusting beaconing intervals, adding random jitter, and constructing URL and user agent strings that convincingly mimic legitimate web services. Not only is it hard to write effective signatures for blocking such configs, the ease at which new configs can be created makes IPS-based defenses futile. \r\n\r\nThis presentation addresses the widespread failure of legacy defenses against malleable C2. We introduce a novel, high-fidelity detection system designed to identify malleable C2 traffic that has successfully evaded traditional layers. Our methodology moves beyond signatures by combining an expert anomaly detection engine with a machine learning classifier, analyzing decrypted web (HTTP/s) transaction logs from a forward proxy. The system profiles network entities using advanced signals, including SSL/TLS fingerprints (like JA3), fine-grained analysis of network beaconing patterns over time, and heuristic flagging of unusual user agents and highly targeted domain contacts. These signals are fed into a robust machine learning model tuned to identify the subtle but persistent characteristics of C2 communications directed at non-cloud infrastructure.\r\n\r\nTested rigorously against a diverse set of Cobalt Strike profiles collected from the wild and created using a genetic algorithm, our approach achieved a detection rate in excess of 97%. Crucially, it maintained an exceptionally low false positive rate\u2014less than 0.0001 alerts per user per week in real-world production environments. 
It has since been deployed in production environments, from which we share recent case studies of real-world implants that we have detected. Attendees will gain an in-depth understanding of why reliance on IPS-only strategies is a critical vulnerability and how to implement a powerful, non-signature-based detection strategy. This approach effectively counters the evasion tactics of Cobalt Strike, Brute Ratel, Mythic, and custom C2, significantly improving an organization's defense posture against one of today\u2019s most elusive threats.", "description": "Objectives\r\nUnderstand malleable C2 and why signature-based detection can't accurately detect it \r\nLearn a set of novel signals that can be used to detect malleable C2 (robotic, repeated, anomalous, and fingerprint-based)\r\nShow how you can build a robust detector with these signals\r\n\r\nBackground\r\nDemo how CobaltStrike and other malleable C2 frameworks operate\r\nDemo why detecting them is hard\r\nBuilding a modern detection system\r\nOur approach to collecting data and focusing detection efforts\r\nExamples of core signals\r\nArchitecture - how we combined anomaly detection with these signals\r\n\r\nEfficacy Testing\r\nHow we configured a lab environment to generate and test 20k+ configs for 7 different C2 tools\r\nHow we measured success\r\n\r\nCase Studies\r\nWe have been running this in production > 6 months now (and will be even longer at conference time) so we have updated stats on false positives and new case studies for beacons we have successfully detected", "recording_license": "", "do_not_record": false, "persons": [{"code": "JV3A3G", "name": "Raymond Canzanese", "avatar": null, "biography": "Ray is the Director of Netskope Threat Labs, a globally distributed team that specializes in cloud and network-focused threat research. His research background includes malware detection and classification, cloud app security, web security, sequential detection, and machine learning. 
Although his current focus is cybersecurity, his research has previously spanned other domains, including software anti-tamper and electronic warfare. In addition to his extensive research experience, Ray also has a background in education, teaching multiple math and programming courses during his academic career. He holds a Ph.D. in Electrical Engineering from Drexel University.", "public_name": "Raymond Canzanese", "guid": "b48c4eda-5050-5b95-992e-b352b8e68586", "url": "https://pretalx.com/orangecon-2026/speaker/JV3A3G/"}], "links": [], "feedback_url": "https://pretalx.com/orangecon-2026/talk/HLHUPG/feedback/", "origin_url": "https://pretalx.com/orangecon-2026/talk/HLHUPG/", "attachments": []}, {"guid": "1cde0f12-fc66-5476-853c-7f4f64ce545d", "code": "PCJQQQ", "id": 92021, "logo": null, "date": "2026-06-04T11:20:00+02:00", "start": "11:20", "duration": "00:30", "room": "Track 1", "slug": "orangecon-2026-92021-top-5-weaknesses-of-technical-experts-exploited-by-the-crisis-manager", "url": "https://pretalx.com/orangecon-2026/talk/PCJQQQ/", "title": "Top 5 Weaknesses Of Technical Experts Exploited By The Crisis Manager", "subtitle": "", "track": "Track 1", "type": "Talk", "language": "en", "abstract": "In the high pressure environment of a cyber crisis, technical expertise is indispensable. Yet what is technically the best way forward is not always the best choice for the organisation. Crisis managers must balance continuity, reputation, legal exposure, security, costs and other factors. A balance that often needs to be found based on incomplete information. Some choices are grounded in hard facts, while others rely on assumptions, intuition, or strategic risk taking. As a result, the most secure option is not always the one selected during crisis recovery.\r\n\r\nThis talk explores the top 5 weaknesses of technical experts that crisis managers exploit. 
These weaknesses do not stem from incompetence; they arise precisely from the strengths that make technical professionals so valuable under normal conditions. However, when the rules of everyday operations no longer apply, these strengths can impact the individual.\r\n\r\nParticipants will gain insight into decision making during cyber crises, why misalignment between technical and managerial perspectives emerges under pressure, and how experts can better prepare themselves to operate effectively in environments where speed, trade offs, and imperfect information dominate. The session ultimately aims to strengthen collaboration between technical teams and crisis managers, ensuring that expertise is not only heard but also strategically integrated when it matters most.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "X8H93R", "name": "Lisa de Wilde", "avatar": "https://pretalx.com/media/avatars/T3RLZN_7hkJ4vr.webp", "biography": "Lisa de Wilde has supported dozens of organisations in navigating and resolving security incidents and full\u2011blown crises. She has witnessed up close how difficult it can be for organisations to regain control and return to normal operations. Working side by side with technical experts, she has seen their struggle with guilt, pressure, and the uncomfortable shortcuts that sometimes become unavoidable when the clock is ticking.\r\n\r\nAs the founder of Cyber Radiant, Lisa now helps organisations prepare for the realities of incidents and crises before they strike. Her work focuses on strengthening resilience, improving decision\u2011making under pressure and ensuring that teams understand not only the technical aspects of a crisis but also the organisational dynamics that shape its outcome. 
Aligning business and IT remains one of the biggest challenges she encounters.", "public_name": "Lisa de Wilde", "guid": "cd3c0dd7-d153-5fc5-b1b7-c4675adade4c", "url": "https://pretalx.com/orangecon-2026/speaker/X8H93R/"}], "links": [], "feedback_url": "https://pretalx.com/orangecon-2026/talk/PCJQQQ/feedback/", "origin_url": "https://pretalx.com/orangecon-2026/talk/PCJQQQ/", "attachments": []}, {"guid": "02ad1a27-5d83-5764-95cb-f46a664e5e19", "code": "LVTFE9", "id": 96208, "logo": null, "date": "2026-06-04T11:55:00+02:00", "start": "11:55", "duration": "00:30", "room": "Track 1", "slug": "orangecon-2026-96208-age-of-post-exploitation", "url": "https://pretalx.com/orangecon-2026/talk/LVTFE9/", "title": "Age of Post-Exploitation", "subtitle": "", "track": "Track 1", "type": "Talk", "language": "en", "abstract": "Achieving initial access is only the beginning. To achieve your goals in an advanced Red Team operation, you'll need to use post-exploitation tradecraft to move forward. From situational awareness and persistence to privilege escalation and lateral movement, post-exploitation tooling defines an operator's ability to turn a foothold into a successful operation.", "description": "This presentation explores the evolution of post-exploitation within Command & Control (C2) frameworks, tracing its roots from early interactive shells to today's modular, in-memory, and operator-driven tradecraft. We examine how advances in Anti-Virus and later Endpoint Detection and Response (EDR) solutions as well as the Red Teaming industry shaped Command and Control frameworks and Post-Exploitation capabilities. \r\n\r\nWe'll dive into today's state-of-the-art post-exploitation capabilities. 
We close by unveiling where this tradecraft is heading next.\r\n\r\nWhether you are a red teamer, offensive developer, or blue team practitioner, this session offers strategic, technical and understandable insight of where the Post-Exploitation field currently is and where it is going.", "recording_license": "", "do_not_record": false, "persons": [{"code": "GL3F8L", "name": "Dima", "avatar": "https://pretalx.com/media/avatars/HUVKC3_6e0qbf3.webp", "biography": "Dima van de Wouw enjoys building things that break things and use them in operations.\r\nAt Outflank, he is a Malware Blacksmith, or more formally, an offensive research & developer for Outflank Security Tooling and a red team operator.", "public_name": "Dima", "guid": "0bcffd09-2cc3-5431-a237-f0a8a17ae7d2", "url": "https://pretalx.com/orangecon-2026/speaker/GL3F8L/"}, {"code": "UWA7GD", "name": "Pieter Ceelen", "avatar": null, "biography": null, "public_name": "Pieter Ceelen", "guid": "19d74c58-a5ac-518a-897b-ab960e4c6941", "url": "https://pretalx.com/orangecon-2026/speaker/UWA7GD/"}], "links": [], "feedback_url": "https://pretalx.com/orangecon-2026/talk/LVTFE9/feedback/", "origin_url": "https://pretalx.com/orangecon-2026/talk/LVTFE9/", "attachments": []}, {"guid": "404755be-8513-5dff-a21b-c4d03230bf37", "code": "S9DBTD", "id": 94915, "logo": null, "date": "2026-06-04T13:05:00+02:00", "start": "13:05", "duration": "00:30", "room": "Track 1", "slug": "orangecon-2026-94915-hacking-big-iron-with-ai-attacking-mainframe-operating-systems-beyond-modern-assumptions", "url": "https://pretalx.com/orangecon-2026/talk/S9DBTD/", "title": "Hacking Big Iron With AI: Attacking Mainframe Operating Systems Beyond Modern Assumptions", "subtitle": "", "track": "Track 1", "type": "Talk", "language": "en", "abstract": "Before the web. Before TCP/IP. Before \"cloud.\" Some of the most powerful computers in the world were already running production workloads.\r\nIBM mainframes didn't grow up in the browser era. 
System/360 (1964), MVS (1974), and today's z/OS (2000) were built for batch jobs, green-screen terminals, and a world where the internet simply didn't exist. Yet these systems still quietly process the majority of global financial transactions, airline bookings, and government records.\r\n\r\nThis talk is a guided tour of what happens when modern red teamers bring cloud-era assumptions into a system that predates the web. We'll break down how mainframes actually organize authority across five control planes (VTAM, TSO, RACF, JES, and CICS) and show exactly where those assumptions break. No shell model. No process tree. No EDR. The attack surface looks nothing like what your tooling expects.\r\n\r\nWe'll walk real techniques: TN3270 user enumeration, STEPLIB hijacking as a supply chain analog, JCL injection for deferred privileged execution, RACF misconfiguration paths, and how Network Job Entry misconfigurations can enable remote job submission without meaningful authentication. The mainframe equivalent of an open relay. These aren't theoretical. They come from real assessments against production environments.\r\n\r\nWe'll also introduce BigIron.ai, an open-source, fully offline AI-assisted assessment platform for z/OS and MVS environments. It runs a local LLM against live TN3270 sessions, interprets control-plane context in real time, guides structured walkthroughs, and generates findings. No cloud, no API keys, no data leaves the machine. We'll demo it live.\r\n\r\nNo mainframe background required. Just clear mental models, real terminal output, and a framework you can use the next time a mainframe shows up in scope.\r\n\r\nThink of it as critical infrastructure security for a system your threat model forgot.", "description": "Mainframes are not legacy systems in the way the industry uses that word. They are actively maintained, actively targeted, and actively misunderstood. 
The security gap exists not because the systems are old but because the mental models used to assess them are wrong. This talk addresses that gap directly.\r\n\r\n**The Technical Problem**\r\n\r\nModern offensive security methodology is built around a set of assumptions that do not hold on z/OS: that privilege is binary and anchored to a user account, that lateral movement happens through network services, that execution is interactive and session-bound, and that a process tree or endpoint agent will surface attacker behavior. None of these are true on a mainframe.\r\n\r\nz/OS organizes authority across five subsystems, each with a distinct security boundary. VTAM controls session establishment and terminal binding. TSO binds interactive identity and provides the context under which all commands, dataset access, and job submissions are authorized. RACF enforces access continuously, per resource, before execution. JES queues and schedules deferred work, executing it later under the identity of the submitter, outside any interactive session. CICS controls transaction execution and enforces authorization at the transaction level, not the program level.\r\n\r\nAn attacker who understands these boundaries can move through them without triggering any of the detection mechanisms a modern SOC relies on. An attacker who does not understand them will misread what they see, take actions with unintended consequences, and likely miss the actual exposure entirely.\r\n\r\n**The Techniques**\r\n\r\nThe talk covers four concrete attack paths, each demonstrated against a live MVS 3.8j environment running on Hercules:\r\n\r\nTN3270 user enumeration exploits differential response behavior at the VTAM logon screen. Valid userids produce a password prompt. Invalid userids produce an immediate rejection. This is consistent across implementations and requires no authentication. 
It is the standard first step in any mainframe assessment and is supported by existing Nmap scripting engine scripts.\r\n\r\nSTEPLIB hijacking exploits the mainframe program library search order. When a user submits a job with a STEPLIB DD statement pointing to a dataset they control, MVS searches that library first before system libraries. If an attacker has UPDATE access to any dataset that appears in the STEPLIB concatenation of a higher-privileged job, they can replace a load module and have it execute under the job's authority. No vulnerability is exploited. RACF does not prevent it. No alert fires by default. SMF records the execution but nobody is watching. This is a direct analog to DLL hijacking or LD_PRELOAD injection and represents a supply chain attack against the batch execution environment.\r\n\r\nJCL injection for deferred privileged execution covers the case where an attacker can influence the JCL stream of a job that runs under a more privileged identity. Because JES executes work later under the submitter's RACF context, and because that context persists after the interactive session ends, an attacker can submit work, log off, and have privileged code execute minutes or hours later with no active session to detect. This breaks every assumption about session-based detection.\r\n\r\nRACF misconfiguration paths cover the most common findings in real assessments: overbroad dataset profiles using high-level qualifier wildcards, excessive group authority granted through organic entitlement growth, SURROGAT class entries that allow job submission under another user's identity, and APF library dataset permissions that allow non-privileged users to introduce authorized code. Each of these is a configuration failure, not a vulnerability, and none of them produce alerts in a default SMF configuration.\r\n\r\n**The Tool**\r\n\r\nBigIron.ai is an open-source, fully offline AI-assisted assessment platform built specifically for z/OS and MVS environments. 
It is not a scanner. It is a reasoning layer that sits between the assessor and the TN3270 terminal.\r\n\r\nThe platform runs a local language model via Ollama against live TN3270 session output. When the assessor captures a screen, the LLM identifies the active control plane, interprets the identity context, flags assumptions that may be wrong, and provides guidance on what to do next. It does not connect to any external service. No screen content, no credentials, no assessment data leaves the machine.\r\n\r\nBeyond the AI layer, the platform includes thirteen scripted autonomous walkthroughs across all five control planes, a findings engine that maps results to a repeatable F1 through F5 assessment framework, a TN3270 network scanner for mainframe discovery, a RAG knowledge base ingesting IBM Redbooks and ABEND reference material, and a red team tutor with structured labs and engagement checklists.\r\n\r\nThe demo environment runs MVS 3.8j Turnkey on Hercules. This is appropriate for demonstrating control-plane mechanics, VTAM session behavior, TSO identity binding, JES submission and spool, and dataset access patterns. Where z/OS behavior differs meaningfully, those differences are noted explicitly.\r\n\r\n**The Audience**\r\n\r\nThe talk is designed for offensive security practitioners who have encountered mainframes in scope and had no framework for assessing them, defensive practitioners who are responsible for mainframe environments but have no visibility into what an attacker would actually do, and security engineers building detection or assessment programs who need an accurate model of how the system works before they can reason about what to monitor.\r\n\r\nNo mainframe background is assumed. 
The talk builds the required mental model from first principles, using analogies to concepts the audience already knows, then applies that model to concrete attack paths and a live tool demonstration.\r\n\r\n**What Attendees Leave With**\r\n\r\nA correct mental model of mainframe authority and execution that replaces the cloud and Linux assumptions most practitioners carry in. A repeatable assessment methodology structured around control planes rather than hosts and services. Familiarity with four concrete attack techniques that have been observed in production assessments. Access to an open-source tool they can run immediately against any MVS or z/OS environment.", "recording_license": "", "do_not_record": false, "persons": [{"code": "KAEYYZ", "name": "Adam Toscher", "avatar": "https://pretalx.com/media/avatars/3WSYCK_ZubgSNu.webp", "biography": "Adam Toscher is a New York\u2013based security engineer and red team operator with over two decades of experience in offensive security, adversary simulation, and automation. Born in New York City and raised upstate, Adam built his career as an \"IT vagabond,\" beginning as a freshman IBM intern porting Linux applications to mainframe systems. Mainframe work grounded him in large-scale computing, operating systems, and complex enterprise environments, before transitioning into offensive security. He later progressed through senior security roles at Adobe, Optiv, Accenture, IBM X-Force, and NYC Cyber Command, where he focused on realistic adversary emulation and advanced red-team operations. Most recently, Adam has been working with Cobalt Labs, supporting advanced red-teaming and offensive security engagements for private-sector organizations. Prior to this, he led red-team and adversary simulation efforts in support of critical public infrastructure with NYC Cyber Command and the FDNY. 
His work centers on penetration testing, red teaming, adversary emulation, and practical automation across both private-sector companies and government agencies. Outside of security, Adam values balance and lifelong learning, and is an avid reader, runner, swimmer, and gamer", "public_name": "Adam Toscher", "guid": "26a83f01-4102-5108-9938-5c3a092e7e74", "url": "https://pretalx.com/orangecon-2026/speaker/KAEYYZ/"}], "links": [], "feedback_url": "https://pretalx.com/orangecon-2026/talk/S9DBTD/feedback/", "origin_url": "https://pretalx.com/orangecon-2026/talk/S9DBTD/", "attachments": []}, {"guid": "ca80d26c-0ace-5a39-a328-e0e326ed7c9c", "code": "XUJ7WR", "id": 95292, "logo": null, "date": "2026-06-04T13:40:00+02:00", "start": "13:40", "duration": "00:30", "room": "Track 1", "slug": "orangecon-2026-95292-protecting-the-water-horizon-kill-chain-simulation-and-detection-in-water-ot-infrastructure", "url": "https://pretalx.com/orangecon-2026/talk/XUJ7WR/", "title": "Protecting the Water Horizon: Kill Chain Simulation and Detection in Water OT Infrastructure", "subtitle": "", "track": "Track 1", "type": "Talk", "language": "en", "abstract": "Operational Technology environments are among the hardest to defend and the hardest to test. Where protocols are proprietary, traffic patterns are deterministic, and the cost of a false positive is not just noise - it can mean interrupting a live physical process. Testing detection capability in IT/OT infrastructure is essential - not only to verify what gets caught, but to understand where detection fails, what needs to be tuned, and whether signature-based or anomaly-based approaches are more effective at each stage.\r\n \r\nThis talk presents an ongoing research effort into executing and detecting attack scenarios inside a physical OT test environment that simulates the water pipeline infrastructure. 
The kill chain spans the full IT/OT boundary - from initial access and reconnaissance on the IT side, through lateral movement into OT, to direct manipulation of pipeline control components. At every stage, network traffic, sensor telemetry, and operational data flows are collected, building a ground-truth dataset of normal and adversarial behavior. A central metric under observation during the tests is the Water Horizon - tracking whether consumers receive their water on time - and how threat actors targeting flow rates and sensor values affect it.\r\n \r\nDetection is approached across two layers: SIEM-based rules and signatures, and behavioral anomaly detection baselining normal OT process behavior. Both detection layers draw on a combination of sensor data and network traffic, with cross-layer correlation used to increase alert confidence. The talk walks through which kill chain stages each detection layer identifies, where rules might fall short, and behavioral anomalies can surface threats that signatures miss, and where open questions remain.\r\n \r\nThis is a work in progress. The goal is not to present conclusions - it is to share the methodology, open the discussion, and explore where OT detection can be improved.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "BNFAXV", "name": "Aneta Urban", "avatar": "https://pretalx.com/media/avatars/PESDSE_8OnUgbC.webp", "biography": "Aneta Urban is a cybersecurity consultant at TNO, working on projects related to OT/IT security and automated detection and monitoring. 
She collaborates with both private sector clients and the Dutch government on cybersecurity challenges.", "public_name": "Aneta Urban", "guid": "9bcd6456-7e15-598c-bd98-0bb180c7f25b", "url": "https://pretalx.com/orangecon-2026/speaker/BNFAXV/"}, {"code": "VC7WQT", "name": "Maarten de Kruijf", "avatar": "https://pretalx.com/media/avatars/X87NCW_96MovxE.webp", "biography": "Maarten de Kruijf received a BSc in Computer and Information System Security at the Fontys University of Applied Science in 2019. Maarten is a cybersecurity researcher working on OT/IT infrastructures, automation of cybersecurity, monitoring & detection and vulnerability research. He is the lead developer of SOARCA, the open-source SOAR developed by TNO, and uses open CACAO playbook standard.", "public_name": "Maarten de Kruijf", "guid": "0511e174-88eb-5e1d-bd0c-ae1e88b9b341", "url": "https://pretalx.com/orangecon-2026/speaker/VC7WQT/"}], "links": [], "feedback_url": "https://pretalx.com/orangecon-2026/talk/XUJ7WR/feedback/", "origin_url": "https://pretalx.com/orangecon-2026/talk/XUJ7WR/", "attachments": []}, {"guid": "cb697b09-5818-59ec-be17-cf20aa1e47b9", "code": "DRB99V", "id": 95311, "logo": null, "date": "2026-06-04T14:15:00+02:00", "start": "14:15", "duration": "00:30", "room": "Track 1", "slug": "orangecon-2026-95311-remind-me-later-the-inconvenient-truths-of-cybersecurity", "url": "https://pretalx.com/orangecon-2026/talk/DRB99V/", "title": "Remind Me Later: The Inconvenient Truths of Cybersecurity", "subtitle": "", "track": "Track 1", "type": "Talk", "language": "en", "abstract": "Cybersecurity has an uncomfortable relationship with the truth. We know what needs to be done. We've known for decades. And yet we keep clicking \"Remind Me Later,\" ordering the triple bacon burger with a diet coke on the side, and waiting for the world to change.\r\nIn this talk I cut through the comfortable narratives we tell ourselves and force us to confront what's actually holding us back. 
Drawing on the history of threats \u2014 from the 1989 AIDS Trojan to AI-powered ransomware and voice cloning \u2014 I argue that there are no genuinely new threats, only new dimensions of old ones. The real problem isn't the threat landscape. It's us.\r\nSecurity is inconvenient. Its benefits are invisible. Users click \"Remind Me Later\" not because they're reckless, but because we've failed to make security work for people. Meanwhile, the window for action on post-quantum cryptography is narrowing, AI is making impersonation fraud scalable in ways never seen before, and geopolitical tensions are reshaping the attack surface whether organisations are ready or not.\r\nI'm not offering a silver bullet \u2014 because there isn't one. Instead, I'll ask the harder question: what inconvenient truth are you still avoiding?", "description": "Opening \u2014 Why people prefer comfortable lies over uncomfortable truths, and what that means for security culture\r\nTruth 1: Security itself is an inconvenience \u2014 The human behaviour gap; why awareness campaigns alone don't move the needle\r\nTruth 2: The benefits of security are invisible \u2014 The problem of preventative value; how to make the invisible visible to leadership\r\nTruth 3: There are no new threats, only new dimensions \u2014 Ransomware from 1989 to today; how GenAI adds scale and capability rather than entirely new attack categories\r\nTruth 4: Some dimensions genuinely change the game \u2014 Voice cloning and digital twins threatening biometric authentication; real-time deepfake fraud; the KnowBe4/North Korea infiltration case\r\nTruth 5: Refusing to act creates compounding risk \u2014 The Snowflake 2024 breach as a case study in avoidable failure; MFA and credential hygiene basics we keep skipping\r\nTruth 6: The quantum clock is ticking \u2014 Why the post-quantum cryptography transition can't wait; the narrowing window for crypto agility\r\nTruth 7: We don't control our entire environment \u2014 IoT, 
supply chain, geopolitics, and the limits of what any single organisation can secure\r\nClosing \u2014 Turning the question back to the room: what inconvenient truth are you missing?", "recording_license": "", "do_not_record": false, "persons": [{"code": "RMTDLH", "name": "NS van der Meulen", "avatar": null, "biography": "Nicole van der Meulen is an experienced professional and thought leader in the area of cybercrime and cyber security. Currently she serves as Cyber Security Innovation Lead at SURF. Previously she was the Head of Policy & Development at Europol\u2019s European Cybercrime Centre (EC3), where she was responsible, amongst others, for the Internet Organised Crime Threat Assessment (IOCTA). Prior to Europol, she held various positions in the Dutch public sector, academia and for nonprofit organisations all focused on enhancing the fight against cybercrime and improving cyber security. She obtained her PhD in 2010 from Tilburg University on a comparative study focusing on digital identity fraud in the United States and the Netherlands.", "public_name": "NS van der Meulen", "guid": "257d22ad-83c9-5adb-b937-dd645f8da319", "url": "https://pretalx.com/orangecon-2026/speaker/RMTDLH/"}], "links": [], "feedback_url": "https://pretalx.com/orangecon-2026/talk/DRB99V/feedback/", "origin_url": "https://pretalx.com/orangecon-2026/talk/DRB99V/", "attachments": []}, {"guid": "83f6833c-db09-5cfc-8cc6-a053f069e393", "code": "CJELAM", "id": 94145, "logo": null, "date": "2026-06-04T14:50:00+02:00", "start": "14:50", "duration": "00:30", "room": "Track 1", "slug": "orangecon-2026-94145-breaching-the-perimeter-the-forgotten-attack-vector-that-always-works", "url": "https://pretalx.com/orangecon-2026/talk/CJELAM/", "title": "Breaching The Perimeter: The Forgotten Attack Vector That Always Works", "subtitle": "", "track": "Track 1", "type": "Talk", "language": "en", "abstract": "If you can open the server room door, you don\u2019t need exploits.\r\n\r\nIn this talk, we 
demonstrate nine real-world ways attackers bypass a server room door and achieve full compromise\u2014no malware, no zero-days, no phishing required. Firewalls, EDR, and IAM become irrelevant the moment physical access is gained.\r\n\r\nThis is not theory. These are techniques used in actual red team engagements across Europe. We show how attackers exploit trust, abuse operational gaps, and chain physical access into full compromise. These techniques go beyond tailgating.\r\n\r\nWe also cover how modern attackers accelerate these intrusions using AI\u2014automating OSINT to map targets and using deepfake voice pretexting to convincingly talk their way through restricted access points.\r\n\r\nIf your threat model stops at the network edge, this talk will break it.", "description": "Everyone talks about bypassing EDR. Almost nobody talks about bypassing the door that renders EDR useless.\r\n\r\nThis session is a practitioner-led breakdown of how attackers compromise organisations by gaining physical entry. First we will introduce you to our real-world server room door. Then we present nine distinct, field-tested techniques that allow entry into such critical areas\u2014each of which we have used during real red team engagements. Identifying such vulnerabilities efficiently is one of the key tenets of door assessment that gets repeated on every job!\r\n\r\nOnce inside, the path to full compromise is trivial: console access, hidden camera or microphones, network implants, stolen documents. We show how these attacks actually unfold in the real world, including how small, \u201cacceptable\u201d deviations from policy accumulate into systemic failure.\r\n\r\nThese are not edge cases\u2014they are repeatable patterns.\r\n\r\nFinally, we introduce the role of AI in physical intrusions. 
Attackers are already using automated OSINT to profile targets at scale and deepfake voice technology to impersonate trusted personnel, lowering the barrier to successful pretexting.\r\n\r\nThis talk focuses on what works, why it works, and why most organisations are not prepared for it.", "recording_license": "", "do_not_record": false, "persons": [{"code": "AVNA8D", "name": "Jiri Vanek", "avatar": "https://pretalx.com/media/avatars/QUXA8H_4RJjAsO.webp", "biography": "Ji\u0159\u00ed is a security consultant with over 20 years of experience in IT, management, and ethical hacking. He specialises in Red Team operations and physical security assessments, simulating real-world attacks to uncover weaknesses in organisational security. He has first-hand experience of successful intrusions into international corporations, banks, and government institutions.\r\n\r\nHe works as an independent consultant and trainer. Across Europe, he conducts physical penetration tests, provides security consulting services to large organisations, and trains professionals in ethical hacking and Covert Methods of Entry. His work combines deep technical expertise, hands-on experience from real engagements, and the ability to transfer practical knowledge to other security specialists.", "public_name": "Jiri Vanek", "guid": "d58567b1-8fd2-58c4-83d6-8ff2fcb645d5", "url": "https://pretalx.com/orangecon-2026/speaker/AVNA8D/"}, {"code": "EGR7WD", "name": "tatramaco", "avatar": "https://pretalx.com/media/avatars/BL9JTX_ZwwrQOz.webp", "biography": "I am a Red Team Operator and Physical Penetration Tester with over 20 years of experience. I started my career as a Unix DB Admin before being lured to the world of Enterprise Solutions. I spent many years working for Blue Chip companies in IT before discovering my true passion, security. I continued to work for those Blue Chip companies but also worked in Formula 1, Industrial Control Systems, Telcos and Pharmaceutical companies. 
I now focus on Physical Security!", "public_name": "tatramaco", "guid": "5e5dfdf1-a471-5544-9c54-2e0045071692", "url": "https://pretalx.com/orangecon-2026/speaker/EGR7WD/"}], "links": [], "feedback_url": "https://pretalx.com/orangecon-2026/talk/CJELAM/feedback/", "origin_url": "https://pretalx.com/orangecon-2026/talk/CJELAM/", "attachments": []}, {"guid": "d9056665-cdba-5599-ae97-6b6161d3eeda", "code": "XUZNQQ", "id": 95168, "logo": "https://pretalx.com/media/orangecon-2026/submissions/XUZNQQ/image_xXHdrv0.webp", "date": "2026-06-04T15:35:00+02:00", "start": "15:35", "duration": "00:30", "room": "Track 1", "slug": "orangecon-2026-95168-bad-box-2", "url": "https://pretalx.com/orangecon-2026/talk/XUZNQQ/", "title": "Bad Box 2", "subtitle": "", "track": "Track 1", "type": "Talk", "language": "en", "abstract": "Inside BADBOX 2.0: Exposing and Disrupting a Global Android Supply Chain Threat\r\nThe BADBOX 2.0 operation represents one of the most sophisticated examples of cyber-enabled fraud discovered in recent years. Targeting over a million Android open source project devices globally, including CTV streaming boxes, tablets, and car infotainment systems, this global campaign exploited legitimate hardware supply chains to create a distributed infrastructure for proxy jacking, ad fraud, and persistent remote access.\r\nThis session explores how our team identified, investigated, and ultimately disrupted BADBOX 2.0. Building on years of experience uncovering ad fraud and coordinated actor networks, we applied advanced open-source intelligence (OSINT) techniques, device telemetry analysis, and infrastructure correlation to connect activity across continents. 
These methods led to attribution not only to specific factories but also to the individuals responsible for large-scale distribution of compromised devices.\r\nWe will discuss the technical discovery and disruption process, from firmware analysis and reverse-engineering to intelligence fusion and partnership coordination. Attendees will learn how we collaborated with industry peers and ecosystem stakeholders to share intelligence, mitigate impact, and prevent re-emergence of the threat.\r\nThe talk will focus on actionable lessons for cyber professionals and defenders. We will present reusable frameworks for analyzing multi-layered criminal infrastructures that cross from consumer devices into enterprise networks. Attendees will walk away with practical approaches for managing complex supply chain threats, developing partnerships to amplify disruption, and enhancing organizational resilience against emerging fraud ecosystems.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "83M9N8", "name": "Gavin Reid", "avatar": "https://pretalx.com/media/avatars/N7UNGT_w7h7REN.webp", "biography": "Gavin Reid serves as the CISO for HUMAN Security, a cybersecurity company that specializes in safeguarding enterprises against digital attacks while preserving user experiences. In addition, he oversees HUMAN\u2019s global IT and security operations and leads the Satori Threat Intelligence and Research Team.\r\nGavin began his cybersecurity career in information security at NASA's Johnson Space Center. He later created Cisco's Security Incident Response Team (CSIRT), Cisco's Threat Research and Communications (TRAC), and Fidelity's Cyber Information Group (CIG). Before joining HUMAN, Gavin served as the CSO for Recorded Future, where he was responsible for ensuring the protection, integrity, confidentiality, and availability of all customer-facing services, internal operational systems, and related information assets. 
For more than 20 years, Gavin has managed every aspect of security for large enterprises.", "public_name": "Gavin Reid", "guid": "96bc4006-a2bd-556f-acd1-62b5bea7df07", "url": "https://pretalx.com/orangecon-2026/speaker/83M9N8/"}], "links": [], "feedback_url": "https://pretalx.com/orangecon-2026/talk/XUZNQQ/feedback/", "origin_url": "https://pretalx.com/orangecon-2026/talk/XUZNQQ/", "attachments": []}, {"guid": "f58b2381-d151-5e43-a5d6-6a66d9e90ef2", "code": "XQHKDH", "id": 95234, "logo": null, "date": "2026-06-04T16:10:00+02:00", "start": "16:10", "duration": "00:30", "room": "Track 1", "slug": "orangecon-2026-95234-we-looked-at-mendix-you-probably-should-too", "url": "https://pretalx.com/orangecon-2026/talk/XQHKDH/", "title": "We Looked at Mendix. You Probably Should Too.", "subtitle": "", "track": "Track 1", "type": "Talk", "language": "en", "abstract": "It started, as many DIVD investigations do, with someone poking at something they probably shouldn't have and going \"...huh.\" That someone was looking at Mendix, a low-code platform used by thousands of organisations worldwide, including some that really should know better... and what followed was a full-blown research journey that nobody quite expected.\r\n\r\nIn this talk, Stan Plasmeijer and Rudy Dijkstra walk you through the complete DIVD Mendix security story. From the first accidental discovery to building scanners, coordinating disclosures, and figuring out just how widespread the problem actually was. You'll learn how Mendix works, why it keeps breaking in the same ways, and how to test for it yourself. It's not complicated. That's almost the whole problem.\r\n\r\nThis talk is for blue teamers wondering what's hiding in their organisation's app landscape, red teamers looking for something new to love, and developers who'd prefer not to feature in someone else's CVE. No prior Mendix knowledge needed. 
A working sense of humour helps.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "EXWWAF", "name": "OverflowMyBuffers", "avatar": null, "biography": "Rudy Dijkstra is Security Researcher at the DIVD as well as Team Lead Offensive Security at SUPERP, which means he spends a meaningful chunk of his life in meetings... The rest of it he dedicates to diving into vulnerabilities and whatever research topic has caught his attention that week, on a continuous and apparently unstoppable mission to break things professionally.", "public_name": "OverflowMyBuffers", "guid": "7c37a988-0555-5626-9fdd-d8d41fec30aa", "url": "https://pretalx.com/orangecon-2026/speaker/EXWWAF/"}, {"code": "8XFCYU", "name": "Stan", "avatar": null, "biography": "Stan Plasmeijer is an ethical hacker at SUPERP and Operational Lead at DIVD-CSIRT, working on large-scale vulnerability discovery and coordinated disclosure. He likes to first understand how systems are supposed to work, and then see what happens when they don\u2019t.", "public_name": "Stan", "guid": "a5ae4bc3-4fae-583f-9d5f-2d5856d4795b", "url": "https://pretalx.com/orangecon-2026/speaker/8XFCYU/"}], "links": [], "feedback_url": "https://pretalx.com/orangecon-2026/talk/XQHKDH/feedback/", "origin_url": "https://pretalx.com/orangecon-2026/talk/XQHKDH/", "attachments": []}, {"guid": "d909c573-6c0d-5aec-a8b1-53bc33bc7d8c", "code": "V83BSK", "id": 96512, "logo": null, "date": "2026-06-04T16:45:00+02:00", "start": "16:45", "duration": "00:30", "room": "Track 1", "slug": "orangecon-2026-96512-locknote-signal-and-the-platformization-of-surveillance", "url": "https://pretalx.com/orangecon-2026/talk/V83BSK/", "title": "LOCKNOTE: Signal and the Platformization of Surveillance", "subtitle": "", "track": "Track 1", "type": "Talk", "language": "en", "abstract": "This talk will look at the experiences of Signal in protecting and advancing privacy on systemic infrastructure in the modern technology ecosystem, 
including data protection and artificial intelligence.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "WZ7CAV", "name": "Udbhav", "avatar": null, "biography": "Udbhav Tiwari, Vice President, Strategy and Global Affairs, Signal", "public_name": "Udbhav", "guid": "2b457928-ce5f-5d27-9d06-cdb03ba90c6f", "url": "https://pretalx.com/orangecon-2026/speaker/WZ7CAV/"}], "links": [], "feedback_url": "https://pretalx.com/orangecon-2026/talk/V83BSK/feedback/", "origin_url": "https://pretalx.com/orangecon-2026/talk/V83BSK/", "attachments": []}, {"guid": "04a4b762-1793-5e7b-b258-43ceead514b8", "code": "TECKL8", "id": 97292, "logo": null, "date": "2026-06-04T17:15:00+02:00", "start": "17:15", "duration": "00:15", "room": "Track 1", "slug": "orangecon-2026-97292-closing", "url": "https://pretalx.com/orangecon-2026/talk/TECKL8/", "title": "Closing", "subtitle": "", "track": "Track 1", "type": "Talk", "language": "en", "abstract": "Closing of OrangeCon 2026!", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "W83TYA", "name": "OrangeCon Orga", "avatar": "https://pretalx.com/media/avatars/JAURQJ_uG3d8Ar.webp", "biography": "The OrangeCon orga team is the driving force behind OrangeCon. 
United by a passion for cybersecurity and a strong sense of community, they aim to foster collaboration, support the ethical hacking community, and build a more secure digital future through shared knowledge.", "public_name": "OrangeCon Orga", "guid": "82714c59-f7f1-5e06-ab36-05005c514558", "url": "https://pretalx.com/orangecon-2026/speaker/W83TYA/"}], "links": [], "feedback_url": "https://pretalx.com/orangecon-2026/talk/TECKL8/feedback/", "origin_url": "https://pretalx.com/orangecon-2026/talk/TECKL8/", "attachments": []}], "Track 2": [{"guid": "c69a0863-a568-5db5-a83c-99150dede27f", "code": "ZKVM3A", "id": 94810, "logo": null, "date": "2026-06-04T10:05:00+02:00", "start": "10:05", "duration": "00:30", "room": "Track 2", "slug": "orangecon-2026-94810-the-gift-that-keeps-on-giving-bypassing-authentication-reflection-mitigations-for-system-shells", "url": "https://pretalx.com/orangecon-2026/talk/ZKVM3A/", "title": "The Gift That Keeps On Giving: Bypassing Authentication Reflection Mitigations For SYSTEM Shells", "subtitle": "", "track": "Track 2", "type": "Talk", "language": "en", "abstract": "A year ago, authentication reflection vulnerabilities resurfaced as a powerful attack vector through the discovery of CVE-2025-33073. This logical vulnerability allowed taking over almost any Windows machine without any user interaction. Following the official patch by Microsoft, we had a gut feeling that the root cause of the issue was still not addressed. This presentation will cover our journey to bypass the mitigations and pop SYSTEM shells again.\r\n\r\nIn this session, we will start with a reminder regarding the internals of the CVE-2025-33073 vulnerability. We will then build up on this to present the generic and iterative bypass methodology that was followed during the research. 
The methodology will be immediately illustrated by disclosing the first vulnerability that we uncovered: a trivial local privilege escalation via NTLM reflection.\r\n\r\nAfterwards, we will transition to Kerberos where attack scenarios will be discussed, with both total and partial control of DNS. The attack vector will progressively be refined to finally achieve a full-blown RCE primitive as domain user, via a completely novel Kerberos authentication coercion technique. Throughout this part, in-depth and undocumented details on the inner workings of several specific Windows components will be shared to provide a better understanding of the vulnerability. In a second part, we will dive into how this vulnerability was short-lived and unintentionally patched. Eventually, our methodology will once again be applied to transform it into a privilege escalation vulnerability.\r\n\r\nThe final section will cover the patches' analysis, as well as our thoughts on the current state of authentication reflection vulnerabilities.", "description": "# Presentation Outline\r\n\r\n## Brief Outline\r\n\r\n1. Introduction, context and methodology\r\n2. 1st case study: LPE via NTLM reflection\r\n3. 2nd case study: RCE via Kerberos reflection\r\n  3a. RCE in the local subnet\r\n  3b. General RCE\r\n  3c. Unintentional patch analysis, bypass attempts fails and LPE\r\n4. Patches analysis\r\n5. Conclusion and thoughts on the current state of authentication reflection attacks\r\n\r\n## Detailed Outline\r\n\r\n### Introduction, context and methodology\r\n\r\nIn the introduction, we will present the context of the research: briefly recall the details of CVE-2025-33073 and why the patch seemed insufficient. 
After that, we will present all the possible avenues for bypasses and derive a generic and methodological approach that will efficiently guide our tests.\r\n\r\n### 1st case study: LPE via NTLM reflection\r\n\r\nWe will quickly put our methodology to the test by disclosing the first vulnerability that we identified: a trivial elevation of privilege via NTLM reflection. This vulnerability exploits a specific feature that was recently added to Windows 11 and Windows Server 2025.\r\n\r\n### 2nd case study: RCE via Kerberos reflection\r\n\r\n#### RCE in the local subnet\r\n\r\nThis section will explain how the Kerberos-related research began when one of our colleagues tried to use MitM via DHCPv6 poisoning to perform Kerberos reflection. Although it failed, it piqued our interest and motivated us to dig a bit further. We will describe why the attack did not work because of two main reasons. Afterwards, we will explain how we modified the attack to make it work, by keeping the DNS control primitive and using a surprising SPN and DNS trick to receive a Kerberos authentication and relay it back to the machine to compromise it.\r\n\r\n#### General RCE\r\n\r\nNext, we will present how the previous subnet-only primitive was improved to make it work on any machine of the network, thus achieving a full bypass of CVE-2025-33073.\r\n\r\n#### Unintentional patch analysis, bypass fails and LPE \r\n\r\nFinally, the last subsection will explain how this RCE was short-lived because of the patch of another vulnerability. We will dive into the patch and apply our methodology to try to find bypasses. 
We will describe how we failed to get an RCE vector again, but also how we managed to successfully transform the attack into a privilege escalation vulnerability.\r\n\r\n### Patches analysis\r\n\r\nThis section will describe the official patches made by Microsoft and explain what they do and how they fixed the vulnerabilities.\r\n\r\nNB: As the vulnerabilities are still in the process of being fixed, no information about the patches is currently known.\r\n\r\n### Conclusion and thoughts on the current state of authentication reflection attacks\r\n\r\nTo conclude, we will give our opinion on the current state of authentication reflection attacks and explain why authentication relay mitigations are essential to efficiently secure a Windows environment.\r\n\r\nThis conclusion will also be a doorway to potentially apply the novel techniques described during the presentation to other Windows components, not related to authentication reflection attacks.", "recording_license": "", "do_not_record": false, "persons": [{"code": "7FGVVZ", "name": "Guillaume Andr\u00e9", "avatar": "https://pretalx.com/media/avatars/LZHLPT_BqiMH6K.webp", "biography": "Guillaume is a penetration tester and security researcher working at Synacktiv. During his career, he developed a healthy addiction to Windows systems and their internals. 
He is also passionate about Active Directory security, a topic on which he gathered solid knowledge through several Red Team engagements and internal pentests.", "public_name": "Guillaume Andr\u00e9", "guid": "9954b7e9-d5cd-5e7e-b601-e1465ccb250e", "url": "https://pretalx.com/orangecon-2026/speaker/7FGVVZ/"}], "links": [], "feedback_url": "https://pretalx.com/orangecon-2026/talk/ZKVM3A/feedback/", "origin_url": "https://pretalx.com/orangecon-2026/talk/ZKVM3A/", "attachments": []}, {"guid": "2f2b49d2-4efb-51be-8de3-bb1c2ddf9c25", "code": "AAYAZP", "id": 94864, "logo": null, "date": "2026-06-04T10:40:00+02:00", "start": "10:40", "duration": "00:30", "room": "Track 2", "slug": "orangecon-2026-94864-strange-inputs-critical-outputs-attacking-infrastructure-through-innocuous-network-protocol-fields", "url": "https://pretalx.com/orangecon-2026/talk/AAYAZP/", "title": "Strange Inputs, Critical outputs: Attacking Infrastructure Through Innocuous Network Protocol Fields", "subtitle": "", "track": "Track 2", "type": "Talk", "language": "en", "abstract": "A wifi network name that roots your router. A TLS certificate field that takes over hosting accounts. A DNS response that lets you disrupt an ISP's routing. Often these do not get the same scrutiny as a URL parameter or a form field.\r\n\r\nDNS debug tools, TLS checkers, network measurement platforms, and router admin interfaces all consume data from protocol fields that were never designed for a browser. Many do not treat that data as untrusted input. When these tools share a trust boundary with something critical, that oversight has consequences.\r\n\r\nThis talk presents a systematic exploration of injection vulnerabilities across DNS, TLS, HTTP, WHOIS, IRR, wifi, and radio protocol fields, and traces what happens when they reach sensitive systems. The findings range from full account takeover on hosting customer portals to persistent root access on OpenWRT routers. 
At the more alarming end: disrupting an ISP's routing via a single non-suspicious link to their network admin. None of it required exotic techniques. The payloads are textbook XSS. Their locations and the escalations are not.\r\n\r\nThe individual vulnerabilities are numerous, but they aren't the most interesting part. The pattern is: protocol field data is routinely excluded from the security model of the tools that render it. The same mistake, in slightly different form, showed up independently across hosting providers, internet registries, and router firmware, built by independent teams with no shared code.\r\n\r\nThis talk starts mildly entertaining and gets progressively less so.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "BVC7DG", "name": "Sasha Romijn", "avatar": null, "biography": "Sasha Romijn is an independent developer from Amsterdam, specialising in open\r\nsource internet infrastructure and internet standards. She maintains essential\r\ninternet routing registry software, co-authored several IETF drafts in that\r\nspace, maintains internet.nl, and co-chairs a RIPE working group. 
For fun, Sasha\r\ndoes cursed things with networks, dabbles in security now and then, and recently\r\ndiscovered what can happen when you also put `marquee` tags in everything.", "public_name": "Sasha Romijn", "guid": "98c7fc2c-a69a-5d5b-940d-01e11878a0d4", "url": "https://pretalx.com/orangecon-2026/speaker/BVC7DG/"}], "links": [], "feedback_url": "https://pretalx.com/orangecon-2026/talk/AAYAZP/feedback/", "origin_url": "https://pretalx.com/orangecon-2026/talk/AAYAZP/", "attachments": []}, {"guid": "bfefcf77-255f-5b61-8a4c-3e1d66e16806", "code": "7A8GNZ", "id": 96109, "logo": null, "date": "2026-06-04T11:20:00+02:00", "start": "11:20", "duration": "00:30", "room": "Track 2", "slug": "orangecon-2026-96109-0days-on-a-shoestring-breaking-embedded-systems-with-llms-and-junk-hardware", "url": "https://pretalx.com/orangecon-2026/talk/7A8GNZ/", "title": "0days on a Shoestring: Breaking Embedded Systems with LLMs and Junk Hardware", "subtitle": "", "track": "Track 2", "type": "Talk", "language": "en", "abstract": "this talk presents the story of some (semi-related) side projects that disappeared into\r\nthe freezer until the speaker (and the rest of the world) got slightly redpilled on the\r\nwhole agentic engineering thing.\r\n\r\nin this talk we'll show you how a single engineer built a semi-autonomous system for\r\nautomatic vulnerability discovery and exploitation aimed at networked (consumer) electronics\r\nin only a few months, assisted by an unhealthy amount of vibemaxxing and caffeine.\r\n\r\neveryone can start claude and point it at a network device and ask it nicely to find some\r\nnovel new zerodays. but that doesn't scale and will likely give subpar results. what if we\r\nwant to hack 20 devices in parallel? how do we compete with the big dogs who have access to Mythos?\r\nhow do you keep track of findings/useful nuggets of information?  how do we sandbox our agents?\r\nhow do we (attempt to) minimize our operational cost? 
and why the hell was a 3d printer used\r\nextensively during this research?!\r\n\r\nThese and many more questions will be answered during the talk.\r\n\r\nIt doesn't matter whether you enjoy (embedded) security research, LLM hypetrains, building things\r\nor just breaking things; there's something for everyone in this talk!", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "M7Q8NK", "name": "Peter Geissler", "avatar": null, "biography": "Peter \u201cblasty\u201d Geissler is an independent security researcher from the Netherlands. He\u2019s well known for facilitating code execution on various platforms, writing exploits for popular software packages, competing in pwn2own and being a founding member of the Eindbazen CTF team.", "public_name": "Peter Geissler", "guid": "b188aa99-c0a0-555f-b3cb-bf26ad816298", "url": "https://pretalx.com/orangecon-2026/speaker/M7Q8NK/"}], "links": [], "feedback_url": "https://pretalx.com/orangecon-2026/talk/7A8GNZ/feedback/", "origin_url": "https://pretalx.com/orangecon-2026/talk/7A8GNZ/", "attachments": []}, {"guid": "9d4f40ba-8742-502e-b235-0e48f359b615", "code": "CEZHG9", "id": 93856, "logo": null, "date": "2026-06-04T11:55:00+02:00", "start": "11:55", "duration": "00:30", "room": "Track 2", "slug": "orangecon-2026-93856-bars-of-shame-how-carriers-got-pwned-and-what-s-coming-for-the-rest-of-us", "url": "https://pretalx.com/orangecon-2026/talk/CEZHG9/", "title": "Bars of Shame - How Carriers Got Pwned, And What's Coming For The Rest of Us", "subtitle": "", "track": "Track 2", "type": "Talk", "language": "en", "abstract": "When ShinyHunters breached Odido's Salesforce CRM, the headlines focused on the numbers: 6.5 million records, 48 hours undetected, one phishing email. But that framing misses the point entirely. The breach didn't expose personal data; it exposed an identity bridge. 
And in a telecom environment, that bridge leads somewhere far more dangerous than fraud.\r\nThis talk goes past the incident report. We examine what a sophisticated attacker can actually do with a full subscriber dataset (MSISDN, IMSI correlations, service profiles, device identifiers) once it leaves a CRM and lands in the hands of someone who understands Telecom Core Networks, Signaling, SS7, Diameter, and the soft underbelly of interconnect infrastructure.", "description": "Talk Outline\r\n\r\n**Opening**\r\n We start not with a vulnerability, but with a phishing email. This talk is about what happens after that and why the outcome in a telecom environment is categorically different from any other sector.\r\n\r\n---\r\n\r\n**Context** \r\nA brief look at Odido, the breach, and what ShinyHunters actually walked away with. Not just names and numbers, but a structured subscriber dataset that functions as an identity bridge into downstream systems.\r\n\r\n---\r\n\r\n**The data problem**  \r\nWe break down what a carrier CRM record actually contains: MSISDN, device identifiers, service profiles, account history. Each field is a capability. Together they form an attack primitive most threat actors outside telecom don't fully appreciate yet.\r\n\r\n---\r\n\r\n**The attacker's playbook** \r\nThe core of the talk. Five concrete paths from CRM access to real-world impact: SIM swap operations, SS7 and Diameter abuse using subscriber context, precision social engineering at carrier fidelity, cross-dataset identity correlation, and roaming and interconnect fraud.\r\n\r\n---\r\n\r\n**The structural gap** The BSS is hardened. The CRM sitting in front of it is staffed by people who answer phones. 
We examine why the business edge is the softest point in the telco stack and why it is being systematically underestimated.\r\n\r\n---\r\n\r\n**Detection  (what should have fired)** \r\nA walkthrough of the behavioral signals that were available: new device, abnormal hours, bulk queries, role-inconsistent access patterns. Why they didn't translate into an alert.\r\n\r\n---\r\n\r\n**Closing** \r\nNot a lesson specific to Odido. Every carrier runs a CRM. Every CRM has a helpdesk. This talk ends with what that means for the rest of us.", "recording_license": "", "do_not_record": false, "persons": [{"code": "NUAFXA", "name": "Ali Abdollahi", "avatar": "https://pretalx.com/media/avatars/ZEWGRE_Tiku7bn.webp", "biography": "Ali is a cybersecurity researcher with over a decade of experience in tech fields. He is currently the application and offensive security manager at Canon EMEA. Ali is a regular speaker or trainer at industry conferences and events such as Confidence Conf 2020, Hack In The Box 2023 AMS, DefCon 3x, IEEE AI-ML-Workshop-2021, SSD TyphoonCon 2x, c0c0n, BSides Toronto, Budapest, Calgary, Newcastle, Barcelona, OWASP Ottawa chapter, LeHack2022, NoNameCon, YASCon, COUNTERMEASURE Conference, DragonCon, COSAC 2022, Hacktivity, DefCon Holland, etc. \r\nMoreover, he was a trainer at OWASP Summer of Security 2020 and 2021 July training and a reviewer for Springer Cluster Computing Journal/Elsevier and the 2021 Global AppSec U.S. event. 
Ali is a Microsoft MVP and has published a book, along with several papers and blog posts.", "public_name": "Ali Abdollahi", "guid": "1a7c8249-8777-5a5f-a534-3f1ba9bd252a", "url": "https://pretalx.com/orangecon-2026/speaker/NUAFXA/"}], "links": [], "feedback_url": "https://pretalx.com/orangecon-2026/talk/CEZHG9/feedback/", "origin_url": "https://pretalx.com/orangecon-2026/talk/CEZHG9/", "attachments": []}, {"guid": "76737a7b-ab85-5e3f-bf53-203d83886306", "code": "WFEZDZ", "id": 94950, "logo": null, "date": "2026-06-04T13:05:00+02:00", "start": "13:05", "duration": "00:30", "room": "Track 2", "slug": "orangecon-2026-94950-pwning-a-million-point-of-sale-terminals-in-one-afternoon-without-expert-knowledge", "url": "https://pretalx.com/orangecon-2026/talk/WFEZDZ/", "title": "Pwning a Million Point Of Sale Terminals In One Afternoon (Without Expert Knowledge)", "subtitle": "", "track": "Track 2", "type": "Talk", "language": "en", "abstract": "One Black Friday deal + one afternoon + basic software engineering knowledge was all it took for me to remotely manage hundreds of thousands of Android point-of-sale devices through an obscure administrator panel, with a significant portion being right here in the Netherlands and some being in use by sizeable companies.\r\n\r\nI am a 20 year old software engineering student with no expert knowledge in cybersecurity at all; I have just started picking up ethical hacking as a hobby by tearing apart random IoT devices. I should not have been able to do this.\r\n\r\nThis is a story about how dangerously simple critical infrastructure vulnerabilities can be, what responsible disclosure actually looks like from a first-timer's perspective, and why \"we fixed it\" doesn't always mean what you think it means.\r\n\r\nExpect a very casual presentation outlining all of the mistakes that were made.\r\nThe vulnerabilities have not been made public yet; all of this happened quietly months ago. 
This is the first time you will hear about them!", "description": "This talk covers the entire timeline of this discovery, including:\r\n\r\n- The events that led up to the discovery.\r\n- The very simplistic breakdown of the vulnerability itself.\r\n- The scope of the access gained (spoiler: it is BAD)\r\n- Issues which first timers face with responsible reporting of severe bugs.\r\n- The responses from vendors and their (incomplete) fixes.\r\n- Why simple issues like these will become more prevalent with current industry shifts.", "recording_license": "", "do_not_record": false, "persons": [{"code": "JMGLZT", "name": "Marcel Darmeveil", "avatar": null, "biography": "Marcel is a 20 year old software engineering student who has just started doing security research as a hobby. This means he has no expert knowledge about cybersecurity yet, however the vulnerabilities he has managed to find are concerning to say the least.\r\n\r\nWith a passion for (publicly) breaking open random IOT devices he finds on the internet, he always has some insane story to tell about his findings. From being able to take a selfie on a self checkout scanner from Albert Heijn, finding payment service API keys and order data of 400+ dutch restaurants and [video calling 100.000+ smart kid robots](https://blog.mgdproductions.com/miko-robots-vulnerabilities/), to becoming a super admin of hundreds of thousands of critical point of sale terminals around the world.\r\n\r\nMarcel's goal is to responsibly disclose all the issues he finds in these critical fields to let the companies involved fix the issues. 
After which Marcel aims to make the public aware these issues existed in the first place.", "public_name": "Marcel Darmeveil", "guid": "430022db-c6c5-57d1-a84a-a0454d60a981", "url": "https://pretalx.com/orangecon-2026/speaker/JMGLZT/"}], "links": [], "feedback_url": "https://pretalx.com/orangecon-2026/talk/WFEZDZ/feedback/", "origin_url": "https://pretalx.com/orangecon-2026/talk/WFEZDZ/", "attachments": []}, {"guid": "97d2fc5a-9ef9-5129-a723-28bbaaeff409", "code": "SRFFRQ", "id": 95005, "logo": null, "date": "2026-06-04T13:40:00+02:00", "start": "13:40", "duration": "00:30", "room": "Track 2", "slug": "orangecon-2026-95005-successfully-failing-as-a-reverse-engineer", "url": "https://pretalx.com/orangecon-2026/talk/SRFFRQ/", "title": "Successfully Failing As a Reverse Engineer", "subtitle": "", "track": "Track 2", "type": "Talk", "language": "en", "abstract": "We have all been there: you spent more time than you are willing to admit reverse engineering a few functions, only to discover that you were looking at the wrong functions. Your entire weekend wasted, or so you think. But, did you really? This talk dives into mistakes I have made in the past, along with commonly attempted shortcuts by many. The focus is not (only) on my mistakes, although you are free to laugh at my expense, but more so on the lessons learnt from them. In short, I hope that I can share the mistakes I made, so you don\u2019t have to!", "description": "About 9 years ago I started reverse engineering malware, and by now I dare say I have a decent understanding of the analysis process. This did not come to me overnight (though part of it comes from many all-nighters). During my journey, I made a lot of mistakes. 
Some of them are due to me not understanding the intricate nitty gritty details of a specific type of binary, and some of them because I lacked a fundamental understanding of whatever I attempted to do at the time.\r\n\r\nIn this talk, I will dive into several rabbit holes that I dove into over time. Some of those were a mistake from the get-go, although that was unbeknownst to me at the time, and some of them were only visible as such once I understood it all. But the overarching theme is the same: I learned a lot from those mistakes, maybe even more so than some of the successes I had.", "recording_license": "", "do_not_record": false, "persons": [{"code": "GTPNLM", "name": "Max 'Libra' Kersten", "avatar": null, "biography": "Max Kersten is a malware analyst, blogger, and speaker who aims to make malware analysis more approachable. In 2019, Max graduated cum laude with a bachelor's in IT & Cyber Security, during which Max also worked as an Android malware analyst. Currently, Max works as a malware analyst at the Dutch Police, where he analyses APT malware and creates open-source tooling to aid such research. Over the past few years, Max spoke at international conferences, such as Black Hat (USA, EU, MEA, Asia), DEFCON, Botconf, and other conferences. 
Additionally, he gave guest lectures and workshops for several universities and private entities.", "public_name": "Max 'Libra' Kersten", "guid": "0d4b1fe0-175d-5b53-bf20-ea1504469f70", "url": "https://pretalx.com/orangecon-2026/speaker/GTPNLM/"}], "links": [], "feedback_url": "https://pretalx.com/orangecon-2026/talk/SRFFRQ/feedback/", "origin_url": "https://pretalx.com/orangecon-2026/talk/SRFFRQ/", "attachments": []}, {"guid": "3244a2d2-c6bb-5a78-b8b9-e2d2bef21ad5", "code": "89W7TB", "id": 91879, "logo": null, "date": "2026-06-04T14:15:00+02:00", "start": "14:15", "duration": "00:30", "room": "Track 2", "slug": "orangecon-2026-91879-the-best-defense-is-a-good-offense-a-pragmatic-path-to-continuous-purple-teaming", "url": "https://pretalx.com/orangecon-2026/talk/89W7TB/", "title": "The Best Defense Is A Good Offense: A Pragmatic Path to Continuous Purple Teaming", "subtitle": "", "track": "Track 2", "type": "Talk", "language": "en", "abstract": "While attackers scale their operations through automation, many defenders remain trapped in a reactive, manual cycle of fire-fighting. To regain the advantage, we must evolve from periodic \"point-in-time\" assessments to a model of continuous assurance. This talk introduces Continuous Purple Teaming (CPT): a pragmatic approach to security testing that uses repeatable attack simulations as a regression test for your defenses.\r\n\r\nWe will explore the \"Simulate, Measure, Prioritize\" feedback loop and demonstrate how to apply the Pyramid of Pain in the context of attack simulations. By moving beyond brittle indicators and focusing on behavioral TTPs that are grounded in relevant threat intelligence, you can build detections that are resilient to changing tradecraft. 
Attendees will leave with concrete design patterns and a framework to start building a mature CPT capability in their own environment.", "description": "Manual security assessments provide great insights, but they are labour-intensive and the results are often short-lived. Once an exercise ends, it is difficult to know if those same defenses still hold up after a few months of infrastructure changes or when an attacker slightly tweaks their tradecraft. This talk focuses on turning these one-off exercises into a repeatable process, where automated attack simulations act as a constant regression test for your detection stack.\r\n\r\nWe will go through the mechanics of a mature CPT program using a feedback loop focused on automated simulation, measurement, and prioritization. A key part of this involves applying the Pyramid of Pain to offensive simulations: We will discuss why simulating the execution of a specific tool is often a dead end for defenders, and why focusing on the underlying procedure is much more effective. For example, we will look at how simulating the specific sequence of API calls used in process injection leads to detections that are far harder for an attacker to evade than a simple file hash or tool-based detection.\r\n\r\nFinally, we will bring these concepts together into a pragmatic framework that continuously connects red and blue team efforts. We will discuss how to use simulation data to identify which defensive gaps are the most critical to fix first based on real-world implementation. This session will provide the design patterns and logic needed to start building a continuous purple teaming program in your own environment.", "recording_license": "", "do_not_record": false, "persons": [{"code": "KPM3TE", "name": "Cas van Cooten", "avatar": "https://pretalx.com/media/avatars/KPM3TE_Q94hL7W.webp", "biography": "Cas van Cooten is a long-time offensive security enthusiast based in the Netherlands. 
He has an extensive background in evading defenses by developing offensive security tooling and malware, with a particular interest in using modern languages such as Go, Rust, and Nim to bypass traditional controls. Cas is a strong advocate for community collaboration and frequently shares his research and open-source tools on GitHub and Twitter to help bridge the gap between red and blue teams. Today, he is a co-founder of the Dutch cybersecurity startup Offensys, where he focuses on translating complex adversarial tradecraft into a platform for continuous purple teaming.", "public_name": "Cas van Cooten", "guid": "efb57ad5-e5da-58f4-8d80-ba2dab2b57ad", "url": "https://pretalx.com/orangecon-2026/speaker/KPM3TE/"}], "links": [], "feedback_url": "https://pretalx.com/orangecon-2026/talk/89W7TB/feedback/", "origin_url": "https://pretalx.com/orangecon-2026/talk/89W7TB/", "attachments": []}, {"guid": "bc9ca4f0-7a0f-58cc-ab71-b420f0fd9f21", "code": "XGZYKB", "id": 95318, "logo": "https://pretalx.com/media/orangecon-2026/submissions/XGZYKB/image_VDQdSfK.webp", "date": "2026-06-04T14:50:00+02:00", "start": "14:50", "duration": "00:30", "room": "Track 2", "slug": "orangecon-2026-95318-how-to-prompt-for-vulnerabilities-in-llm-based-applications-with-extensions-the-provile-approach", "url": "https://pretalx.com/orangecon-2026/talk/XGZYKB/", "title": "How to Prompt for Vulnerabilities in LLM-based applications with Extensions, the ProViLE approach.", "subtitle": "", "track": "Track 2", "type": "Talk", "language": "en", "abstract": "Many organizations are developing LLM\u2011based applications to improve productivity, supported by the growing number of platforms that simplify their creation. However, integrating LLMs into applications introduces new security risks, as adversaries can exploit models through natural\u2011language\u2013based attacks such as prompt injections and jailbreaks. 
Successful attacks can lead to sensitive data leakage, reputational harm, or deeper compromise of internal digital environments. \r\n\r\nThese risks highlight the need for structured, repeatable, and context\u2011aware security testing for LLM\u2011enabled applications. Therefore, we would like to present ProViLE: a systematic approach and supporting open\u2011source tool for prompt\u2011based security testing of LLM\u2011enabled applications. ProViLE emphasizes that effective tests are highly dependent on the context of the application. The approach guides practitioners through four key steps: (1) defining potential attack objectives, (2) identifying relevant attack techniques, (3) formulating corresponding attack prompts, and (4) evaluating the LLM application\u2019s responses to the attack prompts.\r\n\r\nThe ProViLE tool automates the final two steps by using LLMs to (3) generate attack prompts from objectives and techniques, and (4) evaluate whether a response constitutes a successful attack based on the objective and a scoring rubric. This enables scalable and consistent testing across diverse application contexts. The result is a structured overview of the security posture of an LLM\u2011based application across custom security considerations.\r\n\r\nProViLE aims to facilitate the penetration\u2011testing workflow for LLM applications, but can also be used by development teams to conduct initial baseline assessments before deployment. By open\u2011sourcing our work, we hope to support the broader development of secure LLM\u2011based systems.", "description": "Outline:\r\n\r\nDuring the talk, we will cover several parts of the paper and tool. Both are publicly available, and the tool is open source. With the talk, we hope to give the listeners more insight on how to make a better indication of the risks an LLM may introduce in their applications. 
We aim to make the talk interesting for both beginners and more experienced cyber specialists in the LLM area.\r\n\r\n\r\nThe following (sub)points will be discussed during the talk \r\n- Why LLM Security Is a Growing Concern\r\n    - LLMs are widely adopted, meaning that many modern applications now include LLM in a way.\r\n    - LLMs are still relatively new and therefore lack mature pentesting practices.\r\n    - Specific attacks, such as prompt-based attacks, are often successful.\r\n- Why Prompt Based Attacks Actually Work\r\n    - LLMs are trained to fulfil the users\u2019 requests. This instruction can intervene with given security guidelines.\r\n    - Some other guardrails, such as in- and output filters, can be bypassed.\r\n- Challenges in Testing LLM Applications\r\n    - Traditional vs \u2018LLM Pentesting\u2019\r\n    - Hallucinations\r\n    - LLMs are non-deterministic, making it harder to find vulnerabilities.\r\n- Introducing ProViLE: Goals and Approach\r\n    - 4-step approach to facilitate Prompt Based Testing for LLMs.\r\n    - How to systematically find vulnerabilities in LLM based applications.\r\n- The Four Step Framework\r\n    - (1) Defining attack objectives\r\n    - (2) Identifying relevant attack techniques\r\n    - (3) Prompting the LLM\r\n    - (4) Evaluate the response\r\n- How the PRoViLE Tool Automates Prompt Generation & Evaluation\r\n    - Use of attacker and judge LLM.\r\n    - Structured attacker and judge prompt templates.\r\n    - Single shot vs multi shot prompting.\r\n- Demo Run\r\n    - Small live demonstration of ProViLE on an LLM-based application.\r\n- How Teams Can Start Using ProViLE Today\r\n    - Open source tooling\r\n    - Code is on GitHub, paper/flyer can be used as a \u2018deep dive\u2019 into LLM application testing.\r\n- Limitations & Future Enhancements\r\n    - Currently focussed on LLMs with Extensions, such as RAGs.\r\n    - Future enhancements may include AI Agent support and agentic support. 
\r\n    - We aim to build an active open-source community, hoping to support the broader development of secure LLM-based systems.\r\n- Conclusion & Takeaways\r\n    - Pentesting LLM-based applications is fundamentally different than traditional pentesting.\r\n    - Pentesting your LLM application is important and should not be underestimated / seen as an afterthought.\r\n    - The ProViLE approach and tooling enable structured identification of vulnerabilities that are specific to the context in which an LLM-based application is deployed.", "recording_license": "", "do_not_record": false, "persons": [{"code": "MEYDL8", "name": "Rajeck Massa", "avatar": "https://pretalx.com/media/avatars/8BZPSD_t0ZdEM1.webp", "biography": "Rajeck Massa is a Cyber Security scientist at TNO, where he contributes to applied research across system and software security, AI security, and advanced detection and innovation. He holds an MSc in Computer Science from Leiden University and joined TNO after completing an internship there. In his work, Rajeck is involved in research projects that study how complex technical systems can be abused under realistic adversarial conditions, ranging from low\u2011level software components to modern AI\u2011enabled applications. His interests include developing and validating practical security testing methodologies, particularly in areas where existing approaches fall short. 
Through his research, he aims to help bridge the gap between emerging technologies and actionable security practice.", "public_name": "Rajeck Massa", "guid": "cf64b28c-4eb6-5862-a6af-741a0824f6ee", "url": "https://pretalx.com/orangecon-2026/speaker/MEYDL8/"}], "links": [], "feedback_url": "https://pretalx.com/orangecon-2026/talk/XGZYKB/feedback/", "origin_url": "https://pretalx.com/orangecon-2026/talk/XGZYKB/", "attachments": []}, {"guid": "cada695f-d967-577b-bb7f-32ff7090b69e", "code": "DC8NPV", "id": 94405, "logo": null, "date": "2026-06-04T15:35:00+02:00", "start": "15:35", "duration": "00:30", "room": "Track 2", "slug": "orangecon-2026-94405-clickfix-the-gift-that-keeps-on-giving", "url": "https://pretalx.com/orangecon-2026/talk/DC8NPV/", "title": "ClickFix: The Gift That Keeps On Giving", "subtitle": "", "track": "Track 2", "type": "Talk", "language": "en", "abstract": "ClickFix has emerged as a powerful initial access technique that continues to deliver new and creative ways to deploy payloads. As adversaries continue to evolve ClickFix and related \u201cFix\u201d techniques, understanding how they operate has become essential for defensive security teams. 
Offensive security teams can draw inspiration from the creative and rapidly evolving payload dropping techniques threat actors are building around ClickFix.\r\n\r\nThis talk provides a technical deep dive into ClickFix by exploring:\r\n- How ClickFix attacks work\r\n- What methods are used to deliver second-stage payloads\r\n- How ClickFix and other Fix techniques have evolved over the past year\r\n- Post-exploitation scenarios and anti-forensics\r\n\r\nAttendees will gain practical insights into ClickFix evaluation approaches, detection & response opportunities, and defensive strategies that security teams can apply to identify and mitigate ClickFix based attacks.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "LN93DU", "name": "Bert-Jan", "avatar": "https://pretalx.com/media/avatars/C3TNCL_tgaB8Pi.webp", "biography": "Bert-Jan is a Defensive Security Specialist and Incident Responder. He specializes in threat detection, automation and response in cloud, hybrid and on-premises environments. Besides speaking at public events, Bert-Jan likes to share technical blogs on KQLQuery.com, where he provides in-depth tutorials and insights on using KQL for effective threat detection and automation. 
Bert-Jan is the author of various security tools including ALFA, IR PowerShell and KustoHawk, which are available on GitHub (github.com/bert-JanP).", "public_name": "Bert-Jan", "guid": "ff658ee1-3ba2-5494-8983-1487be6d520e", "url": "https://pretalx.com/orangecon-2026/speaker/LN93DU/"}], "links": [], "feedback_url": "https://pretalx.com/orangecon-2026/talk/DC8NPV/feedback/", "origin_url": "https://pretalx.com/orangecon-2026/talk/DC8NPV/", "attachments": []}, {"guid": "f92752e5-5d52-5893-9146-e061f19ea625", "code": "FZQTVC", "id": 94446, "logo": null, "date": "2026-06-04T16:10:00+02:00", "start": "16:10", "duration": "00:30", "room": "Track 2", "slug": "orangecon-2026-94446-abusing-asp-net-trust-levels-for-covert-c2-communications-channels", "url": "https://pretalx.com/orangecon-2026/talk/FZQTVC/", "title": "Abusing ASP.NET Trust Levels For Covert C2 Communications Channels", "subtitle": "", "track": "Track 2", "type": "Talk", "language": "en", "abstract": "What happens when an attacker gains ASPX webshell access on an IIS server locked to High or Medium Code Access Security (CAS) trust? These configurations are explicitly designed to prevent arbitrary code execution, as `Process.Start` is blocked by default, unmanaged code is denied, and the sandbox restrictions hold. Our research proves otherwise. We systematically analysed the actual CAS policy files, not just the Microsoft documentation summaries, and discovered that multiple distinct C2 channels can be established using only managed .NET APIs that CAS permits. Under High trust levels, attackers get unrestricted file I/O, full outbound TCP/HTTP/DNS, and SQL connectivity. Under Medium Trust, which is supposed to be the restrictive option, both DNS and SQL connections are still permitted \u2014 two overlooked outbound data channels that appear nowhere prominently in Microsoft's documentation. 
\r\n\r\nThis talk presents functional multi-channel C2 functionality embedded in a single ASPX page that operates entirely within CAS boundaries, spawns zero child processes, generates no `cmd.exe` execution telemetry, and operates exclusively inside the `w3wp.exe` worker process pool. \r\n\r\nWe cover the full journey: starting from building a reflective loader that leverages Full Trust, exploring the limitations of CAS for ASP.NET (4.x), and abusing lower trust-level settings to establish multiple covert C2 communication channels.", "description": "**1. The IIS Trust Level Landscape (5 min)**\r\nA quick primer on ASP.NET Code Access Security trust levels (Full, High, Medium, Low, Minimal), how they are configured via `web.config`, and why they still matter in 2026 considering the majority of enterprise IIS deployments run .NET Framework 4.x. We go beyond documentation summaries and walk through the real XML policy files (`web_hightrust.config`, `web_mediumtrust.config`). We present the complete permission maps for High and Medium trust, highlighting the critical gap: `SecurityPermission(UnmanagedCode)` is denied, but almost everything else \u2014 file I/O, networking, SQL, DNS \u2014 is granted.\r\n\r\nA technical explanation of why `Process.Start` is fundamentally blocked below Full Trust (it P/Invokes `CreateProcess` via `kernel32.dll`), why `Assembly.Load(byte[])` does not provide a trust escalation path (loaded assemblies inherit the caller's sandbox), and why named pipes are also a dead end.\r\n\r\n**2. Phantom IIS reflective loader via ASP (10 min)** \r\nAn introduction to the Phantom loader, which reflectively loads an unmanaged DLL in Full Trust mode, with insights and a demonstrated use case for lateral movement. This is based on the released research https://github.com/zux0x3a/Phantom/blob/main/When%20IIS%20platform%20becomes%20an%20execution%20platform.pdf\r\n\r\n\r\n**3. Multiple covert C2 communication channels across varying trust levels (15 min)**\r\nThe core of the talk. 
We demonstrate each channel with architecture diagrams and live examples:\r\n- **T1: TCP Channel** \u2014 `TcpClient` connect-back with managed task execution \r\n- **T2: HTTP Beacon** \u2014 `WebClient`-based polling C2 that blends with legitimate IIS traffic \r\n- **T3: SQL Dead Drop** \u2014 Using the application's own database as a covert task queue (High + Medium Trust) \r\n- **T4: SMTP Exfiltration** \u2014 Email-based data exfil through internal relays \r\n- **T5: DNS Exfiltration** \u2014 Subdomain-encoded data exfil via `Dns.GetHostEntry` \r\n\r\n**5. Detection and Defence Guidance (5 min)**\r\nRed Teaming operational and actions blue teaming takeaway.", "recording_license": "", "do_not_record": false, "persons": [{"code": "DHLTBV", "name": "Lawrence Amer", "avatar": "https://pretalx.com/media/avatars/YRRGY7_JedEdIA.webp", "biography": "Cybersecurity expert with deep experience in red team operations, penetration testing, and security research. I began my research work in 2013 and have been recognized by leading technology companies including Sony, Microsoft, SAP, Facebook, and Yahoo for responsibly identifying and reporting security vulnerabilities. I currently work as a Red Team Specialist at Resillion and actively contribute to open\u2011source security projects on 0xsp Labs. 
My research has been referenced by industry publications such as Threatpost and BleepingComputer.", "public_name": "Lawrence Amer", "guid": "f5adb639-4fa5-5235-a7f3-acf3670cd9e7", "url": "https://pretalx.com/orangecon-2026/speaker/DHLTBV/"}], "links": [], "feedback_url": "https://pretalx.com/orangecon-2026/talk/FZQTVC/feedback/", "origin_url": "https://pretalx.com/orangecon-2026/talk/FZQTVC/", "attachments": []}], "Workshops 3": [{"guid": "1f124384-4f0f-5dc3-af0f-c2ce5b8d3125", "code": "VRWAVC", "id": 95417, "logo": null, "date": "2026-06-04T11:20:00+02:00", "start": "11:20", "duration": "01:00", "room": "Workshops 3", "slug": "orangecon-2026-95417-second-flash-long-live-the-orangecon-badge", "url": "https://pretalx.com/orangecon-2026/talk/VRWAVC/", "title": "Second Flash: Long Live the OrangeCon Badge!", "subtitle": "", "track": "Workshop track 3", "type": "Workshop", "language": "en", "abstract": "Most conference badges end up in a drawer collecting dust. But not the OrangeCon badge! This one collects Wi-Fi handshakes, BLE signals, and IR codes - and that's just the beginning. Join this hands-on workshop to unlock its full potential as a swiss-army-knife pocket tool: build an advanced BLE hacking gadget, disrupt Wi-Fi networks, sniff IR remotes, or spin up a home automation node. 
One re-flash away from greatness, Long Live The Badge!", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "YZHLNX", "name": "Slawomir Jasek", "avatar": "https://pretalx.com/media/avatars/KRWJHG_HsHTE9Q.webp", "biography": "Seasoned trainer, speaker and IT security consultant with over two decades of expertise.\r\nCurrently focuses on security research of new technologies (especially Bluetooth Low Energy and NFC/RFID) and delivering trainings on these topics.\r\nLoves sharing his knowledge via trainings, workshops, talks and open source hackme's (https://www.smartlockpicking.com/) \u2013 at OrangeCon, BlackHat, HackInTheBox, Hardwear.io, HackInParis, Deepsec, Appsec EU, BruCon, Confidence, and many others, including private on-demand sessions.", "public_name": "Slawomir Jasek", "guid": "c1e52958-671b-5823-94af-e03168b18ac6", "url": "https://pretalx.com/orangecon-2026/speaker/YZHLNX/"}], "links": [], "feedback_url": "https://pretalx.com/orangecon-2026/talk/VRWAVC/feedback/", "origin_url": "https://pretalx.com/orangecon-2026/talk/VRWAVC/", "attachments": []}, {"guid": "3eda8c8c-c0ed-5429-a68a-bd362af24445", "code": "JFX7AY", "id": 95874, "logo": "https://pretalx.com/media/orangecon-2026/submissions/JFX7AY/image_BpVv90o.webp", "date": "2026-06-04T13:05:00+02:00", "start": "13:05", "duration": "01:30", "room": "Workshops 3", "slug": "orangecon-2026-95874-password-analysis-the-forgotten-step-with-a-dash-of-ai", "url": "https://pretalx.com/orangecon-2026/talk/JFX7AY/", "title": "Password Analysis - The forgotten step (with a dash of AI)", "subtitle": "", "track": "Workshop track 3", "type": "Workshop", "language": "en", "abstract": "So you've exhausted your known attacks, ran everything you always run \u2014 what now? This workshop provides the opportunity to do just that: Analyse! Learn what makes a password unique and learn not only how to discover patterns, but also how to attack them in varying ways with new tools. 
See a tiny preview of what goes on behind the scenes of the largest password cracking team in the world.\r\n\r\nYou are provided a hashlist and hash:pass list to get you started and your job is to identify patterns, sources, and build attacks to exploit them. At the end of the workshop you are given a challenge list to take home.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "UK7993", "name": "Niels Loozekoot", "avatar": "https://pretalx.com/media/avatars/87UQUE_kGQfbvS.webp", "biography": "Niels is the owner of cryptocurrency recovery firm Lethologica which supports consumers on a no-cure no pay basis, Leader of HashMob's Competitive Password Cracking team, and an experienced ethical hacker and manager at PwC. He works as advisor to multiple public sector- and international clients; simulating threat actors in red teaming assessments and penetration tests.", "public_name": "Niels Loozekoot", "guid": "41a9e560-f7aa-5e35-a23c-73498daa5c89", "url": "https://pretalx.com/orangecon-2026/speaker/UK7993/"}], "links": [], "feedback_url": "https://pretalx.com/orangecon-2026/talk/JFX7AY/feedback/", "origin_url": "https://pretalx.com/orangecon-2026/talk/JFX7AY/", "attachments": []}, {"guid": "52d07f1d-c953-5866-b908-b428b8d11b62", "code": "YLUTXV", "id": 93275, "logo": null, "date": "2026-06-04T14:55:00+02:00", "start": "14:55", "duration": "01:30", "room": "Workshops 3", "slug": "orangecon-2026-93275-protecting-your-aitm-infrastructure-from-nosy-bots", "url": "https://pretalx.com/orangecon-2026/talk/YLUTXV/", "title": "Protecting Your AiTM Infrastructure From Nosy Bots", "subtitle": "", "track": "Workshop track 3", "type": "Workshop", "language": "en", "abstract": "Red teaming social engineering campaigns can fail before they even start: as soon as your AiTM infrastructure goes live, automated systems detect you and takedowns start. This hands-on workshop shows how to harden your infrastructure against bots and other prying eyes. 
We will demonstrate practical techniques to detect and filter automated traffic, using Caddy as a \u201cbot deflector\u201d, custom url path rewriting, and implementing a scoring-based system to hotswap content in real time. You will also get a behind-the-scenes look at how we manipulate JA4 to reduce detection opportunities and subtly adjust visual elements to evade AiTM detection, along with a discussion of their limitations. \r\n\r\nIf you come prepared with a virtual machine, by the end of the workshop, you will have a local setup to test Evilginx behind Caddy, understand how to dynamically respond to suspected bot traffic, and gain insight into the strategies our team uses to keep red team infrastructures alive long enough to achieve their objectives.", "description": "# Description\r\nRed teaming can be challenging, especially when simulating realistic social engineering attacks. You build an entire infrastructure carefully crafted to lure in your potential targets. Then, the moment it goes live, it's quickly discovered and taken down. All your hard work, gone in mere hours.\r\n\r\nBut not to worry! In this workshop, we will shed some light on how you can protect your AiTM infrastructure from prying eyes. We'll share techniques to detect automated bots and safeguard your systems. You'll learn how we manipulate JA4 to limit detection possibilities and how we hot-swap content based on a scoring system. Finally, we will discuss some techniques we use to modify visual elements to outsmart detection of AiTM attacks.\r\n\r\nThis workshop provides a behind-the-scenes look at how our team successfully confronted these automated threats.\r\n\r\nWant to see what the bots couldn\u2019t? Join and follow our hands-on workshop!\r\n\r\n## Necessary tools\r\nTo be part of this workshop, it is necessary to have a laptop with you that already has a working VirtualBox/VMware installation with the latest Ubuntu LTS on your machine. 
\r\n\r\n## What you will learn\r\nBy the end, you will have a local setup that you can use to test Evilginx locally, with Caddy in front as our bot deflector and url path rewriter. We will be able to hot-swap data based on the scoring system. We will touch on the subject of JA4 manipulation, but this will not be part of the hands-on session.", "recording_license": "", "do_not_record": false, "persons": [{"code": "7ZLRKS", "name": "Bob van der staak", "avatar": "https://pretalx.com/media/avatars/SM7HTD_Q0fZX5A.webp", "biography": "Bob van der Staak is an Ethical hacker and red teamer at the Dutch Railways. Sharing knowledge is his passion, and with his background in software development and technical informatics, he implements code to assist with his daily assessments.\r\nFrom web penetration testing to malware development and cloud technologies, he is eager to learn and share his expertise.", "public_name": "Bob van der staak", "guid": "7937eb70-8bda-528d-bd17-2ceb3daf1179", "url": "https://pretalx.com/orangecon-2026/speaker/7ZLRKS/"}, {"code": "7WUUAN", "name": "Rutger Flohil", "avatar": "https://pretalx.com/media/avatars/CZL9UZ_YELASJz.webp", "biography": "Rutger Flohil began his career as a .NET developer, building a solid base in software development before switching gears to focus on cybersecurity. After gaining valuable experience in the Security Operations Center (SOC) of the Dutch TLD, he moved on to his current role as a Red Teamer at Dutch Railways (NS). Rutger enjoys the creative side of security, especially when it comes to writing offensive scripts in Python. 
Always curious and eager to learn, he\u2019s passionate about discovering new techniques and fresh perspectives to tackle security challenges.", "public_name": "Rutger Flohil", "guid": "aa23dee6-7aa8-55ca-a94b-de9dc93b1e1f", "url": "https://pretalx.com/orangecon-2026/speaker/7WUUAN/"}], "links": [], "feedback_url": "https://pretalx.com/orangecon-2026/talk/YLUTXV/feedback/", "origin_url": "https://pretalx.com/orangecon-2026/talk/YLUTXV/", "attachments": []}], "Workshops 4": [{"guid": "aaba5102-f69b-584c-b05d-a3a7db6f48c8", "code": "VYNDZC", "id": 99001, "logo": null, "date": "2026-06-04T11:20:00+02:00", "start": "11:20", "duration": "01:00", "room": "Workshops 4", "slug": "orangecon-2026-99001-fuzzing-workshop", "url": "https://pretalx.com/orangecon-2026/talk/VYNDZC/", "title": "Fuzzing Workshop", "subtitle": "", "track": "Workshop track 4", "type": "Workshop", "language": "en", "abstract": "Fuzzing workshop by Marc \"vanHauser\" Heuse.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "GXSWWG", "name": "Marc \"vanHauser\" Heuse", "avatar": null, "biography": null, "public_name": "Marc \"vanHauser\" Heuse", "guid": "7cdd2a39-a7ae-58fb-b351-833637d5687f", "url": "https://pretalx.com/orangecon-2026/speaker/GXSWWG/"}], "links": [], "feedback_url": "https://pretalx.com/orangecon-2026/talk/VYNDZC/feedback/", "origin_url": "https://pretalx.com/orangecon-2026/talk/VYNDZC/", "attachments": []}, {"guid": "2d98b617-a532-5def-8928-8d22a8d801d3", "code": "YGLYSV", "id": 90844, "logo": "https://pretalx.com/media/orangecon-2026/submissions/YGLYSV/image_LoesJjq.webp", "date": "2026-06-04T13:05:00+02:00", "start": "13:05", "duration": "01:25", "room": "Workshops 4", "slug": "orangecon-2026-90844-the-power-of-the-paper-airplane", "url": "https://pretalx.com/orangecon-2026/talk/YGLYSV/", "title": "The Power of The Paper Airplane", "subtitle": "", "track": "Workshop track 4", "type": "Workshop", "language": "en", "abstract": "Step away from the 
usual conference rhythm and join a hands-on workshop that blends creativity, play, and a touch of aeronautical magic. Led by a seasoned paper airplane expert with experience at NASA, Boeing, and Seattle\u2019s Museum of Flight, this session offers a refreshing change of pace, and a chance to build something that really soars.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "ZSBPAV", "name": "Gus Posey", "avatar": "https://pretalx.com/media/avatars/ZSBPAV_4nEa5Gf.webp", "biography": "Gus Posey is a lifetime artist and a longtime educator who currently specializes in teaching through paper airplanes. He has experience as a NASA intern focused on robotics, microgravity, and space-farming but turned to aeronautics at Boeing's Future of Flight Aviation Center and Seattle's Museum of Flight.  Recently he presented to a group of students in Loja, Ecuador, focusing on a message of science education for everyone.", "public_name": "Gus Posey", "guid": "b34faf36-5960-5055-a852-1b6fd5b9dc88", "url": "https://pretalx.com/orangecon-2026/speaker/ZSBPAV/"}], "links": [], "feedback_url": "https://pretalx.com/orangecon-2026/talk/YGLYSV/feedback/", "origin_url": "https://pretalx.com/orangecon-2026/talk/YGLYSV/", "attachments": []}, {"guid": "e09e184a-c507-5013-9b11-25ba570f1a00", "code": "KLGPZC", "id": 95378, "logo": null, "date": "2026-06-04T14:35:00+02:00", "start": "14:35", "duration": "01:00", "room": "Workshops 4", "slug": "orangecon-2026-95378-how-to-use-frida-if-developers-are-working-against-you", "url": "https://pretalx.com/orangecon-2026/talk/KLGPZC/", "title": "How to use Frida if developers are working against you.", "subtitle": "", "track": "Workshop track 4", "type": "Workshop", "language": "en", "abstract": "This talk starts off with the basics and ends with mobile applications that adopt sophisticated anti-tampering protections and how to bypass those protections. 
\r\n\r\nWhen testing mobile applications, penetration testers face a growing challenge: how to dynamically analyze targets that actively resist inspection through code obfuscation, anti root and anti debug mechanisms. This talk dives into practical, real-world techniques for using Frida in hostile environments where root detection, debugger checks, and anti-instrumentation mechanisms are deliberately deployed to block your efforts, with some real-life examples in demo context, including how to write scripts to learn more about what to patch.\r\n\r\nWe begin with a concise overview of common defensive controls, including root detection heuristics (such as filesystem checks, system properties, SafetyNet-style signals), anti-debugging techniques (such as ptrace checks, timing discrepancies, signal traps), and Frida detection strategies (process scanning, memory inspection, and syscall monitoring). From there, we shift into demonstrating how to identify, analyze, and neutralize these protections by hooking the relevant functions and overriding them.\r\n\r\nIn short, the talk will cover how to:\r\n- Bypass common root detection using both static patching and dynamic instrumentation\r\n- Defeat debugger detection and tracing restrictions in live processes/apps\r\n- Evade and disable Frida detection mechanisms, including anti-hooking logic\r\n\r\nBy the end of this talk, participants will be equipped with knowledge of bypass strategies and a deeper understanding of the cat-and-mouse dynamics between mobile defenses and Frida.", "description": "Audience: Intermediate to advanced mobile security testers, reverse engineers, and red teamers\r\nPrerequisites: Basic familiarity with Android internals, dynamic analysis, and Frida is recommended but not strictly required.\r\nTakeaways: Practical bypass techniques, and a structured approach to analyzing hardened mobile apps", "recording_license": "", "do_not_record": false, "persons": [{"code": "QE8NTY", "name": "Ren\u00e9 
Bisperink", "avatar": null, "biography": "Ren\u00e9 Bisperink is an Ethical hacker & security specialist at Kiwa, focussing on various types of security assessment / penetration testing and training on Mobile, web, cloud, IoT and OT assessments.", "public_name": "Ren\u00e9 Bisperink", "guid": "881b1501-7529-583f-827d-dc904d05b389", "url": "https://pretalx.com/orangecon-2026/speaker/QE8NTY/"}], "links": [], "feedback_url": "https://pretalx.com/orangecon-2026/talk/KLGPZC/feedback/", "origin_url": "https://pretalx.com/orangecon-2026/talk/KLGPZC/", "attachments": []}, {"guid": "a64af365-fcfa-5e16-8b06-9657e04a8bd0", "code": "ZTJRDS", "id": 99000, "logo": null, "date": "2026-06-04T15:40:00+02:00", "start": "15:40", "duration": "01:00", "room": "Workshops 4", "slug": "orangecon-2026-99000-2-cops-2-broadcasting-tetra-end-to-end-under-scrutiny-talk", "url": "https://pretalx.com/orangecon-2026/talk/ZTJRDS/", "title": "2 Cops 2 Broadcasting: TETRA End-To-End Under Scrutiny (Talk)", "subtitle": "", "track": "Workshop track 4", "type": "Talk", "language": "en", "abstract": "NOTICE: While this is on the workshop track, this is more of a non-interactive talk.\r\n\r\nIn this talk, we will present the first public security analysis of TETRA end-to-end encryption (E2EE) used for the most sensitive communications - such as those by intelligence agencies and special forces.\r\n\r\nIn all-new material, we present seven security vulnerabilities pertaining to TETRA and its E2EE, three of which are critical.\r\n\r\nTETRA is a European standard for trunked radio used globally by police and military operators. 
Additionally, TETRA is widely deployed in industrial environments such as harbors and airports, as well as critical infrastructure such as SCADA telecontrol of pipelines, transportation and electric and water utilities.\r\n\r\nWhile we previously reverse-engineered and published the then-secret algorithms underpinning TETRA cryptography, the vendor-proprietary E2EE solution (which enjoys significant end-user trust) intended for the most critical use cases remained undisclosed and proved quite hard to obtain.\r\n\r\nGiven the opaque nature of this solution and TETRA's history of offering significantly less security than advertised (including backdoored ciphers), we decided to undertake the effort of reverse-engineering a TETRA E2EE solution.\r\n\r\nWe did this by extracting it from a popular Sepura radio and discovering several critical 0-day vulnerabilities in the radio in the process, presenting additional key extraction and covert implanting vulnerabilities.\r\n\r\nWe will publish the E2EE design along with a security analysis, identifying several severe shortcomings ranging from the ability to inject voice traffic into E2EE channels and replay SDS messages to an intentionally weakened E2EE variant, which reduces its 128-bit key to only 56 bits.\r\n\r\nIn addition, we will discuss new findings related to multi-algorithm networks and official patches, relevant for asset owners mitigating the TETRA:BURST vulnerabilities previously uncovered by us.\r\n\r\nFinally, we will demonstrate the E2EE voice injection attack as well as the previously theoretical TETRA packet injection attack on SCADA networks.", "description": "", "recording_license": "", "do_not_record": false, "persons": [{"code": "8DMFUP", "name": "Jos Wetzels", "avatar": null, "biography": null, "public_name": "Jos Wetzels", "guid": "c713a197-726d-5058-a1ce-cde37a88d448", "url": "https://pretalx.com/orangecon-2026/speaker/8DMFUP/"}, {"code": "RZDXM7", "name": "Wouter Bokslag", "avatar": null, "biography": 
null, "public_name": "Wouter Bokslag", "guid": "904ea075-8908-56ae-85d1-be268e947ee3", "url": "https://pretalx.com/orangecon-2026/speaker/RZDXM7/"}], "links": [], "feedback_url": "https://pretalx.com/orangecon-2026/talk/ZTJRDS/feedback/", "origin_url": "https://pretalx.com/orangecon-2026/talk/ZTJRDS/", "attachments": []}]}}]}}}