Security BSides Las Vegas 2025

Version 0.8 June 13, 2025

We released a new schedule version!
“Nonprofit (In)security: Creative Protections for Service Organizations” still needs to either move or have the speaker's availability updated.
The other availability warnings are all the best fit we can make to the speaker's stated availability. They will have to adjust or withdraw.
The 8 session overlaps are all OK (none of them are talks).

We have new sessions!

• “Hardening Containers with Seccomp: Hands-On Profiles, Pitfalls, and Real Exploits” by Ben Hirschberg
• “From Code to Cloud: Securing Your Stack with Open-Source Tools” by Mackenzie Jackson
• “(03) The Remote Grift: Cunning Meets Naivete, and the Victims Become the Criminals” by Ira Victor
• “Infiltrating Like a Ninja: Unveiling Detection Gaps in Physical Security Across Japan and the U.S” by FUMIYA IMAI, You Nakatsuru, Viet Luu
• “Who Scans the Scanner? Exploiting Trend Micro Mobile Security” by Lucas Carmo
• “Cyber Incident Command System (CICS) A people orchestration layer” by Blake Scott, Scott Fraser
• “RAGnarok: Assisting Your Threat Hunting with Local LLM” by Jun Miura
• “.e'X'es and 'O'auths (They Haunt Me): In-Depth Analysis of OAuth/OIDC Misconfigurations and Token Replay Attacks” by Darryl G. Baker
• “So... You want to build your own hacking device...” by Alex Thines
• “What to Tell Your Developers About NHI Secrets Security and Governance” by Dwayne McDaniel
• “Don't be LLaMe - The basics of attacking LLMs in your Red Team exercises” by Brent Harrell, Alex Bernier
• “The Art of Concealment: CVE's Challenge with Transparency” by Jerry Gamblin
• “Dungeons & Dragons: The security tool you didn’t know you needed” by Klaus Agnoletti, Glen Sorensen
• “The Not So Boring Threat Model of CSP-Managed NHI’s” by Kat Traxler
• “Rewriting the Playbook: Smarter Vulnerability Management with EPSSv3, CVSSv4, SSVC & VEX Frameworks” by Avinash Nutalapati
• “I'm A Machine, And You Should Trust Me: The Future Of Non-Human Identity” by Dwayne McDaniel
• “Active Directory Attacks and Defense 101” by Darryl G. Baker
• “LLM Mayhem: Hands-On Red Teaming for LLM Applications” by Travis Smith, Kasimir Schulz
• “Harnessing AI and Post-Quantum Cryptography for Cybersecurity in the Quantum Era” by Anushka Khare
• “Keeping Our History Alive: The Hacker’s Guide to Sticker Preservation” by Brian Baskin
• “From interview questions to cluster damage: Adventures in k8s cluster shenanigans” by Amit Serper, Travis Lowe
• “Multi-Cloud (AWS, Azure & GCP) Security [25 Edition], Day One, PM” by Yash Bharadwaj, Manish Gupta
• “My friend Ben: solid employee, DPRK agent” by Chris Merkel
• “Azazel System: Tactical Delaying Action via the Cyber-Scapegoat Gateway” by Makoto SUGITA
• “Indexing the Chaos: Extract PII from Ransomware Leaks” by juanma
• “Time is Running Out - Tying it All Together - What Will You Do in the Near Term?” by Josh Corman
• “Shorts Begone: Modding YouTube on iOS (without jailbreaking)” by Navan
• “Cyber Threat Landscaping Workshop” by Alexis Womble
• ““PEBKAC Rebooted: A Hacker’s Guide to People‑Patching in 90 Days”” by David Shipley
• “Workshop on Cybersecurity Policy in Practice” by Jayati Dev, Vaibhav Garg
• “The Scene is Dead” by allisonnixon
• “Building your own CA infrastructure on cheap HSMs” by Ted Hahn, Mark Hahn
• “Wi-Fi-So-Serious” by James Hawk
• “Manufacturing Breakthroughs: How Conflict Leads to Innovation” by Munish Walther-Puri
• “A Winning Competition” by wasabi
• “Malicious Packages - they're gonna get ya!” by Megg Sage
• “Laser Beams & Light Streams: Letting Hackers Go Pew Pew, Building Affordable Light-Based Hardware Security Tooling” by Larry Trowell, Sam. "PANTH13R" Beaumont
• “The Hackbot Builder's Guide to IDOR Detection” by Taha Biyikli
• “Unawakened Wakeup: A Novel PHP Object Injection Technique to Bypass __wakeup()” by Hiroki MATSUKUMA
• “Power Play: AI Dominance Depends on Energy Resilience” by Munish Walther-Puri, Emma M Stewart
• “Where’s Waldo? Why Recruiters Can’t Find You (and What To Do About It)” by Ricki Burke
• “When the Breach Hits the Fan: Understanding Cyber Insurance” by Mea Clift
• “RAG Against the Machine: Using Retrieval-Augmented Generation and MCP to Fortify Cybersecurity Defenses” by Brennan Lodge
• “Agentic AI Malware: Why the Cybersecurity Battle Isn’t Over” by candid wuest
• “Emergency & Urgent Care Remains in Critical Condition” by Christian Dameff, Beau Woods
• “Your Interview Game is Weak: Gamifying Technical Interviews through Role-Playing” by Matt Torbin
• “Inside the Open-Source Kill Chain: How LLMs Helped Catch Lazarus and Stop a Crypto Backdoor” by Mackenzie Jackson
• “Locking Hands: Ransomware Meets Bioimplants” by Mauro Eldritch
• “Taking down the power grid!” by John-André Bjørkhaug
• “Hack Your Network: Career Connections for Cyber Pros” by Heather Morris
• “No IP, No Problem: Exfiltrating Data Behind IAP” by Ariel Kalman
• “Bridge to Nowhere Good: When `Azure Relay` becomes a Red Teamer's highway” by Robert Pimentel
• “Root To CISO or not?” by Jake Bernardes, Ray Espinoza, Kris Rides
• “Defending Our Water - Defending Our Lives” by Dean Ford, Virginia “Ginger” Wright
• “Hire Ground Resume Reviews, Wednesday Morning” by Kirsten Renner
• “(13) Advanced BioTerrorism Methods for the Discerning Practitioner” by Dr. Mixael S. Laufer
• “A Framework for Evaluating the Security of AI Model Infrastructures” by Fred Heiding, AndrewKao
• “Cascading Failure, Unified Defense: Defending Water, Power, Healthcare, & EMS” by Alexander Vanino, Ruslan Karimov
• “Breaking the Guest List: Hacking Invitation Systems for Fun and Profit” by Ali Kabeel
• “SIGMA, one rule to find them all” by Rain Baker
• “Innovative, Shiny, and Vulnerable: Four Ways to Exploit Modern SaaS Data Platforms” by Ben Kofman
• “Lessons from Black Swan Events and Building Anti-Fragile Cybersecurity Systems” by Dave Lewis
• “Breaking the Illusion: Bypassing Endpoint Security Controls with Simple Tactics” by Blake Hudson, Caleb
• “Gremlin Hunting with SIGMA rules” by Rain Baker, Nicholas Carroll
• “From Help Desk to CISO” by Nicholas Carroll
• “Multi-Cloud (AWS, Azure & GCP) Security [25 Edition], Day One, AM” by Yash Bharadwaj, Manish Gupta
• “XSS is dead - Browser Security Features that Eliminate Bug Classes” by Javan Rasokat
• “AI Governance in Action: Fundamentals & Tabletop Workshop” by Josh Harguess, Chris Ward
• “Hazard Analysis of Military AI Systems Using STPA-Sec: A Systems-Theoretic Approach to Secure and Assured Autonomy” by Josh Harguess, Chris Ward
• “WhoAmI.exe - Can You Find The Threat?” by Reanna Schultz
• “Craps, Clout, and Career Chaos: The Game They Forgot to Explain” by Nicole Beckwith, Jake Lorz
• “Poison in the Wires: Interactive Network Visualization of Data Attacks” by Anya
• “Writing Windows Kernel Drivers for Power and Visibility, AM” by Pavel Yosifovich
• “Introduction to Cryptographic Attacks” by Matt Cheung
• “Creating the Torment Nexus: Using Machine Learning to Defeat Machine Learning” by Noah Grosh
• “Multi-Cloud (AWS, Azure & GCP) Security [25 Edition], Day Two, AM” by Yash Bharadwaj, Manish Gupta
• “Threat and adversary emulation operational exercises” by Abhijith "Abx" B R
• “The Age of Zygote Injection” by Tricta
• “SOC Like a Genius: Cognitive Agents Delivering Wisdom at Scale” by Oudy Even Haim
• “(02) The Botnet Strikes Back: how we assembled a coalition to take down a criminal network & their all-out response” by Ryan English
• “Hackers Kinda Like to Eat” by Whitney Bowman-Zatzkin, Andrew Rose
• “Community Defense in Depth: Teaching digital security and privacy practices for the public good” by Melanie Gonzalez
• “The Rise of Synthetic Passwords in Botnet & Attack Operations” by Dimitri Fousekis
• “Turbo Tactical Exploitation: 22 Tips for Tricky Targets” by HD Moore
• “Hands on DuckyScript: Introduction to HID Attacks with O.MG Devices” by wasabi, Kalani Helekunihi
• “Avoiding Credential Chaos: Authenticating With No Secrets” by Steve Jarvis, Chitra Dharmarajan
• “Machine Identity & Attack Path: The Danger of Misconfigurations” by Filipi Pires
• “Desktop Applications: Yes, We Still Exist in the Era of AI!!!” by Uday Bhaskar Seelamantula
• “Advancing Network Threat Detection Through Standardized Feature Extraction and Dynamic Ensemble Learning” by Jason Ford
• “Prompt Hardener - Automatically Evaluating and Securing LLM System Prompts” by Junki Yuasa, Yoshiki Kitamura
• “(11) Crossing the Border Again with a Burner Phone” by Wendy Knox Everette
• “(04) Real Life Needs an ESP Overlay — So we Made One!” by Alex Thines, Brad "Sno0ose" Ammerman
• “The Perfect BLEnd: Reverse engineering a bluetooth controlled blender for better smoothies” by Ryan Mast
• “I Didn’t Register for This: What’s Really in Google’s Artifact Registry?” by Moshe Bernstein
• “Root Cause and Attack Flows: Interpretable ML for Alert & Log Correlation” by Ezz Tahoun
• “Detecting, Deobfuscating, and Preventing Obfuscated Script Execution with Tree-sitter” by David McDonald
• “Writing Windows Kernel Drivers for Power and Visibility, PM” by Pavel Yosifovich
• “Shedding Light on Web Isolation Technologies and Their Bypass Techniques: C2 Communication via Outlook Using SMTP and IMAP” by Terada Yu
• “(06) Indexing the Chaos: Extracting PII from Ransomware Leaks” by juanma
• “Beyond the Command Line: Transitioning from Individual Contributor to Leader” by Leo Pate
• “Predicting the Lifespans of Internet Services: Falling down the ML Rabbit Hole, and What We Learned From The Thud” by Ariana Mirian
• “Reversing F5 Service Password Encryption” by Dustin Heywood
• “Boost Your Career: Get Practical InfoSec Experience in Your Community!” by Ashley Cihak
• “Beyond the Breach: Why Your Tabletop Exercise Should be Your Worst Nightmare” by Madison Rocha
• “Casting Light on Shadow Cloud Deployments” by Brittney Argirakis, Chapin Bryce
• “So You Want to Give A Talk: How to Write a CFP” by Phil Young aka Soldier of FORTRAN
• “The Protocol Behind the Curtain: What MCP Really Exposes” by Srajan Gupta
• “Eliminating Bug Classes at Scale: Leveraging Browser Features for Proactive Defense” by Javan Rasokat
• “Hacking Secure Coding Into Education” by Or Sahar, Yariv Tal
• “Vibe Check: The dark side of vibe coding” by Chloe Potsklan
• “(08) Mapping the Gaps: How Disconnects in Critical Infrastructure Leave Cities Vulnerable” by QuietRoar
• “Russian Nesting Dolls: when Turla got into the ISI who was into an Indian Embassy, and how we found them” by Danny Adamitis
• “(07) Sex Work Is Tech Work: What Technologists Should Know From the Sex Industry” by Gwyndolyn
• “New Protocol: Novel Threats--Exploring MCP’s Emerging Security Risks” by David Melamed
• “Human Attack Surfaces in Agentic Web: How I Learned to Stop Worrying and Love the AI Apocalypse” by Matthew Canham
• “Thinking Outside the SOC: Structured Analytics for the Overloaded Cyber Analyst” by Alina Thai, Haily Beem
• “Cracking 936 Million Passwords” by jeff deifik
• “Detect and Respond? Cool Story — or Just Don’t Let the Bad Stuff Start.” by Matthew Brown
• “Setting the Table - WarGames 2027 & Maslow's Hierarchy of Needs as Hybrid Warfare Nears” by Josh Corman
• “Interview Like a Legend: No Slides, Just Vibes” by CyberGuy
• “We Fight for the User's... Session” by Mark Hoopes
• “The Unbearable Weight of Commercial Licensing. Combining Closed Systems with Open Source Defense” by Keya Arestad
• “Cracking Hidden Identities: Understanding the Threat Surface of Hidden Identities and Protecting them Against Password Exposure” by Or Eshed
• “Nonprofit (In)security: Creative Protections for Service Organizations” by Grace Menna
• “Password ~Audit~ Cracking in AD: The Fun Part of Compliance” by Mat Saulnier
• “The (Un)Rightful Heir: My dMSA Is Your New Domain Admin” by Yuval Gordon
• “Security Theater, Now Playing: When Security Is a Sideshow Instead of a Strategy” by Mia Kralowetz
• “Mental Models to Anticipate the Next Stages of the AI and Cybersecurity Revolution” by Sounil Yu
• “(10) From Drone Strike to File Recovery, outsmarting a nation state” by Guy Barnhart-Magen, Brenton Morris
• “Password Expiry is Dead: Real-World Metrics on What Rotation Actually Achieves” by Dimitri Fousekis
• “Product Security: The Googley Way” by Ochaun Marshall
• “Let's Go Shopping: Third-Party Vendors and CyberRisk” by Rafael Ayala
• “Extending Password (in)Security to the Browser: How Malicious Browser Extensions Are Used to Steal User Passwords” by Or Eshed
• “UNION SELECT * FROM hackers: Why We Should Be Building InfoSec Worker Power Through the Labor Movement” by Logan Arkema
• “End of Life (EOL) Equipment should not mean End of Life (Your Life)” by Paul Roberts, Stacey Higginbotham, Silas Cutler
• “Automating Phishing Infrastructure Development Using AI Agents” by Fred Heiding, Simon Lermen
• “(08) Organizing Cyber: Why We Need More IT & Cybersecurity Unions” by CyberGuy
• “Multi-Cloud (AWS, Azure & GCP) Security [25 Edition], Day Two, PM” by Yash Bharadwaj, Manish Gupta
• “Securing Frontends at Scale: Paving our Way to the Post-XSS World” by Aaron Shim
• “From Zero Trust to Trusted Advisor: Selling Security to Stakeholders” by Glen Sorensen
• “Take all my money – penetrating ATMs” by Fredrik Sandström
• “(05) Oh Hotel No!: How A Hopeless Hooligan Helped A Homie From Homeless To Homeowner In 9 Months” by Justin Varner
• “Career Campaigns: A Tabletop RPG Workshop for Your Next Infosec Role” by Stryker
• “Household Resilience- A Month Without External Assistance.” by David Batz, Slava Maslennikov
• “Cybersecurity Roleplaying Training: Design & Implement Engaging Incident Response Exercises” by Klaus Agnoletti, Glen Sorensen
• “(09) Ask EFF” by Chris Vines
• “Ransomware As Canary For Societal Disruption” by Joe Slowik
• “Broke but Breached: Secret Scanning at Scale on a Student Budget” by Raviteja
• “(07) HR Hates My Mugs: Evading AI Censorship” by TerryBibbles
• “From Command Line to Center Stage: Hack Your Way to Confident Speaking” by James McQuiggan, Erich Kron
• “Hire Ground Resume Reviews, Monday Evening” by Kirsten Renner
• “(01) Ask the Fed” by Noah K, Unnamed user, Tim Weston, Matt, Donald McFarlane
• “Increasing Complexity and Frequency of Cyber Events: Trends, Costs, and Risk Mitigation Strategies” by Wendy Hou-Neely
• “Hire Ground Resume Reviews, Tuesday Evening” by Kirsten Renner
• “Engineering Cyber Resilience for the Water Sector” by Art Conklin, Virginia “Ginger” Wright, Andrew Ohrt
• “Thwarting Key Extraction and Supply Chain attacks by Detonating GPUs” by Mehmet Sencan
• “The HMAC Trap: Security or Illusion?” by Marluan Cleary (Izzny)

Sadly, we had to cancel sessions:

• “Skytalks Monday Panel Hour”
• “Skytalks Tuesday Panel Hour”
• “Hire Ground Resume Review”
• “The World Famous Hire Ground Panel, Monday Edition” by Kirsten Renner
• “Keynote, Monday”

We had to move some sessions, so if you were planning on seeing them, check their new dates or locations:

• “The World Famous Hire Ground Panel, Tuesday Edition” by Kirsten Renner (Aug. 5, 2025, 6 p.m. → Aug. 5, 2025, 4 p.m.)
• “(12) Bridge to Nowhere Good: When Azure Relay becomes a Red Teamer's highway” by Robert Pimentel, Edward Landers (0xflagplz), Josh Huff (Aug. 4, 2025, 6 p.m. → Aug. 5, 2025, 6 p.m.)
• “Skytalks Reception (Tentative)” (Aug. 4, 2025, 7 p.m., Foyer, Platinum Hotel Conference Center → Aug. 4, 2025, 8 p.m., Suite 1702)
• “Skytalks Token Drop 5” (Aug. 6, 2025, 9:30 a.m. → Aug. 6, 2025, 9 a.m.)
• “Skytalks Token Drop 1” (Aug. 4, 2025, 9:30 a.m. → Aug. 4, 2025, 9 a.m.)
• “Skytalks Token Drop 3” (Aug. 5, 2025, 9:30 a.m. → Aug. 5, 2025, 9 a.m.)
• “(11) Stopping the Nuclear Apocalypse with Threat Intel” by Paul Miller (Aug. 5, 2025, 10:55 a.m. → Aug. 5, 2025, 5 p.m.)
• “Hire Ground Mixer, Tuesday” (Aug. 5, 2025, 4 p.m. → Aug. 5, 2025, 4:30 p.m.)

Version 0.7 May 23, 2025

We released a new schedule version!

We had to move some sessions, so if you were planning on seeing them, check their new dates or locations:

• “Hire Ground Mixer, Tuesday” (Aug. 5, 2025, 5 p.m. → Aug. 5, 2025, 4 p.m.)
• “Hire Ground Mixer, Monday” (Aug. 4, 2025, 5 p.m. → Aug. 4, 2025, 4 p.m.)

Version 0.6 May 23, 2025

We released a new schedule version!

We have new sessions!

• “(11) Stopping the Nuclear Apocalypse with Threat Intel” by Paul Miller
• “(12) Bridge to Nowhere Good: When Azure Relay becomes a Red Teamer's highway” by Robert Pimentel, Edward Landers (0xflagplz), Josh Huff

We had to move some sessions, so if you were planning on seeing them, check their new dates or locations:

• “The World Famous Hire Ground Panel, Tuesday Edition” by Kirsten Renner (Aug. 5, 2025, 4 p.m. → Aug. 5, 2025, 6 p.m.)
• “The World Famous Hire Ground Panel, Monday Edition” by Kirsten Renner (Aug. 4, 2025, 4 p.m. → Aug. 4, 2025, 6 p.m.)

Version 0.5 May 14, 2025

We released a new schedule version!

We have moved a session around: “Early Speaker Reg” (Sept. 7, 2025, 10 a.m. → Aug. 3, 2025, 10 a.m.)

Version 0.4 May 14, 2025

We released a new schedule version!

We have new sessions!

• “EarlyBird Reg -- Only pre-sales.”
• “Early Speaker Reg”

Version 0.3 May 14, 2025

We released a new schedule version!

We have moved a session around: “Morning Trainings, Tuesday” (July 8, 2025, 10:30 a.m. → Aug. 5, 2025, 10:30 a.m.)

Version 0.2 May 14, 2025

We released a new schedule version!

We have new sessions!

• “Skytalks Tuesday Panel Hour”
• “Skytalks Monday Panel Hour”
• “Skytalks Token Drop 5”

Version 0.1 May 14, 2025

We released our first schedule!