The BSides Aarhus 2026 programme has two parallel tracks that run all day.

Time
Large auditorium
Small auditorium
09:00
Breakfast
10:00
Large auditorium

Malware & Monsters: Contain It Before It Evolves

Klaus Agnoletti

Compliance now requires incident response exercises. NIS2, DORA, ISO 27001: they all say the exercises have to happen, and the auditors want them documented. The problem is not the requirement. The problem is that the exercises are boring and everyone knows it. You spend more time chasing calendar slots than running scenarios. Fix the boring problem and the rest collapses: people book themselves, the chasing stops, and you close the compliance gap with something that actually works instead of a checkbox.

That is why I built Malware & Monsters: a free tabletop role-playing game for incident response. Your team has to contain a real malware family before it evolves into something worse. One twenty-sided die, defined roles, an Incident Master running the table. Discussion is free. Actions roll. Modifiers stack the odds. Engagement is not a nice-to-have: it is the mechanism. Fun is what gets there first. When people are having fun they stop performing competence and start thinking out loud, which is the only state where the learning actually lands.

This is a practical talk: what Malware & Monsters is, what it is for, and how to run it yourself. It is free and fully documented. I will run a short round live, so you can feel what happens when a room of practitioners starts arguing about containment strategy in real time. If you want to know whether this would work for your team, that is your answer.

Klaus Agnoletti — Storytelling Cyber Security Advisor, Relations Security

Klaus Agnoletti has been an all-round infosec professional since 2004. He co-founded BSides København in 2019. Recently he started out as an infosec freelancer focusing on storytelling in marketing, employer branding, game-based learning or wherever new ideas bring him.

Small auditorium

WebAuthn: How to get rid of passwords.

Joost van Dijk

Get rid of passwords, I’ll show you and your application how.

This hands-on talk will guide you through implementing a WebService and a client application that leverages public key encryption to remove passwords from your authentication process.

You might have heard about Passkeys, one of the uses of the WebAuthn specification; we will show you how you can use, configure and store them.

Be prepared for some cryptography basics, some specification reading and to write some lines of code to make the web a safer place.

Joost van Dijk — Developer Advocate, Yubico

Joost is a Developer Advocate at Yubico and a security and privacy professional with deep expertise in federated single sign-on, multi-factor authentication, FIDO, passkeys, PKI, TLS, and hardware security.

He co-designed tiqr, the open-source, standards-based multi-factor authentication solution for Android and iOS, and contributes to IRMA, the privacy-friendly identity platform. Joost is a long-time advocate for open standards including SAML 2.0, OpenID Connect, OAuth 2.0, FIDO2, and DNSSEC.

11:00
Large auditorium

Alert Fatigue Therapy: Fixing Broken Detection Rules

Marvin Ngoma

“False positives burn out analysts. False negatives burn down businesses.” Modern SOCs and security teams live in this tension, and most detection rules make it worse. Every analyst has a “hall of shame”: rules that fire hundreds of times a day and are ignored just as often. These aren’t just noisy; they actively hide real attacks.

This session is a hands-on deep dive into high-fidelity detection engineering. We move beyond simple “if X then Y” logic to focus on designing detections that produce meaningful signals in real-world environments. Drawing on practical frameworks, we will explore the core tradeoffs of defense, from deciding where to set the “sensitivity dial” of rules to understanding why perfect detection rules are impossible.

The session includes a live-style walkthrough of refactoring a noisy detection rule into a high-confidence, context-aware alert by applying enrichment, correlation, and better logic. We will look at how to move a detection from a raw, low-value event to a surgical alert that provides the stage, technique, and data validation an analyst needs instantly.

I will close by giving a repeatable workflow for high-count alerts: deciding when to fix the rule, when to group/aggregate, and when to disable detection rules that shouldn’t exist.

This is not a talk about tuning alerts; it’s about redesigning how detection rules are built.

Marvin Ngoma — Principal Security Architect, Security Evangelist, Elastic

Marvin is a Principal Security Architect and Security Evangelist at Elastic, and a seasoned consultant with a strong passion for helping organizations succeed in their cybersecurity programs. He has led many projects in both the private and public sectors — architecting and building Security Operations and Intelligence capabilities, and unifying tools, processes, and people. Before Elastic, he was a security consultant at IBM and the primary SME for QRadar in the Nordics.

He frequently speaks at conferences, summits, and meetups, holds a master’s in Computer Science & Engineering from Chalmers University of Technology, and is an active member of ISC2 and other security bodies.

Small auditorium

Remote Cold Execution

Tom Kern

Imagine a cozy winter evening, it is snowing outside and you chill on the couch with a cup of tea in your hand.

Then suddenly... someone hacks your heat pump and turns your home into an igloo. The only thing keeping you warm now is your tea.

I will present my journey into reverse engineering of the Orca heat pump and present the communication between the heat pump’s controller and the Orca web portal, how the controller is authenticated, and how the web portal validates and renders the controller’s data. A remote takeover of any heat pump was discovered due to multiple weaknesses.

Tom Kern — SecOps Automation Lead, Conscia MDR

Tom is a founding member of Conscia’s Managed Detection and Response service, now protecting over 250,000 endpoints across Europe. As SecOps Automation Lead, his contributions include technical architecture, detection engineering, and automating security operations.

11:45
Lunch
12:45
Large auditorium

We Scanned 10,000 Danish Orgs Without Sending a Single Packet

Morten von Seelen

We built a passive exposure profiling engine, originally for insurance underwriters who were tired of self-reported security questionnaires.

Then we pointed it at Danish critical infrastructure at national scale. No active scanning, no exploitation. Just OSINT, pattern recognition and knowledge from thousands of incidents and access to insurance claim data. It gives us the same outside view as the attackers have.

The most interesting finding wasn’t any single vulnerability or scan. It was what the outside view turned out to predict about the inside. That pattern has now repeated across thousands of organizations, and it changes what you can actually infer from passive recon alone. What does an open port 22 whisper about your AD and backup?

I’ll show what repeats: which external signals predict real compromise risk and which ones are noise, why shared hosting with vulnerable neighbors is one of the most underestimated indicators we see, and how a handful of passive signals cluster together in ways that tell you more than you’d expect.

Some of these findings led to published investigations that forced vendors to patch or shut down parts of their operation.

I’ll share those stories. But the point of this talk isn’t the headlines. It’s the methodology and the patterns, and what you can do with them whether you’re scoping a red team engagement, benchmarking your own org, or trying to understand supply chain risk.

The session includes a live demo on stage: sector picked by the audience to full exposure profile, using simple LLMs for target identification.

Takeaways:

  • What the outside predicts about the inside, and the evidence behind it
  • Which passive signals matter and which ones are noise
  • Shared-infrastructure risk as a leading indicator
  • Live demo: audience picks the sector, we go live
Morten von Seelen — Vice President, Truesec

Morten is Vice President at Truesec in Aarhus and builds cool companies. His work focuses on turning outside-in signals about real organizations into actionable risk insight at national scale.

Small auditorium

Trustless Consensus Manipulation Through Bribing Contracts

Bence Soóki-Tóth

The long-term success of cryptocurrencies largely depends on the incentive compatibility provided to the validators. Bribery attacks, facilitated trustlessly via smart contracts, threaten this foundation. In this talk I introduce and evaluate three novel and efficient bribery contracts targeting Ethereum validators. The first bribery contract enables a briber to fork the blockchain by buying votes on their proposed blocks. The second contract incentivizes validators to voluntarily exit the consensus protocol, thus increasing the adversary’s relative staking power. The third contract builds a trustless bribery market that enables participants to auction off their manipulative power over the RANDAO, Ethereum’s distributed randomness beacon. Finally, I provide an incentive analysis of our proposed attacks. Unlike traditional exploits that target software vulnerabilities, these attacks weaponize the protocol’s own economic logic. By leveraging smart contracts, they create a trustless ‘attack-as-a-service’ platform, where an adversarial user can coordinate massive protocol deviations without ever trusting a single co-conspirator.

Bence Soóki-Tóth — Master's Student, Aarhus University

Bence is a Master’s student at Aarhus University and a research assistant at Eötvös Loránd University, working at the intersection of cryptography, game theory, and consensus protocols.

His current research focuses on cryptographic accumulator schemes, economic censorship games, and quantum communication infrastructure. He has previously contributed to cryptographic modules for the EuroQCI quantum communication project and investigated trustless consensus attacks on blockchains and their implications.

13:50
Large auditorium

RTFM - Read The Fatal Manual: When Documentation Creates Critical Misconfiguration

Martin Sohn Christensen

Misconfigurations persist in enterprises despite widespread awareness - with AD CS being the prime example. This talk explores how vendors guide users into deploying critical misconfigurations, a large-scale responsible disclosure journey, and the shared responsibilities between us all.

Martin Sohn Christensen — Security Researcher, SpecterOps

Martin is a Security Researcher at SpecterOps in Copenhagen, specializing in Microsoft technologies with expertise in Active Directory, identity attack paths, and secure system configuration. His perspective on security risks and challenges is shaped by a background spanning system administration, an information security degree, and information security consultancy. He is a frequent contributor to the community through online engagement and talks.

Small auditorium

An introduction to Post-Quantum Cryptography for the practitioner

Kasper Hald

A technical introduction to Post-Quantum Cryptography with a focus on what practitioners need to know.

We start with the why: Shor’s algorithm efficiently solves the factoring, discrete logarithm, and period-finding problems — breaking RSA, Diffie-Hellman, and Elliptic Curve cryptography. For everything else, Grover’s algorithm gives a square-root speedup over classical brute force, meaning symmetric keys and hashes need to roughly double in size.

From there we look at which of today’s algorithms are at risk, what the NIST PQC standards bring to the table, and how to start preparing your systems for a crypto-agile, post-quantum world.

Kasper Hald — Freelance Consultant, ApplSec Consult

With an educational background in quantum theory and 20+ years within application security, this topic is where Kasper’s past and present meet.

14:50
Large auditorium

Side Quest: "Whodunit?" – Unintentional System Compromise

Mikkel Ole Rømer

Building malware involves creative thinking in the effort of making something hostile seem legit to a computer system. A strong plan ensures the room is cleared before anyone knows Rainbow was there.

Feeding on the fine reputation of others is often a great strategy. Sometimes however, you might find yourself sharing the construction yard with the very warden itself. The side quest of “Whodunit?” traps you in a remote manor among reputable party guests unaware of your secret intentions; will you draw the hidden blade and assassinate?

In this session, we will spectate some of the hidden storylines of grand theft admin as they have unintentionally unfolded during freeze-time and before tactical operation start.

Mikkel Ole Rømer — Head of Offensive Security, Truesec

Cyber Security Expert - I am mainly engaged with adversary simulation for breach prevention. This experience includes penetration testing and adversary emulation within highly complex infrastructures of some of the largest national and international companies. Besides offensive cyber engagements I have led and designed thorough security analysis exercises of enterprise applications, including review and guidance within secure development practices.

Small auditorium

Build your own IDS

Eleni Ioakeim

By the end of this session, you will have your own IDS setup including a SIEM integration. Attending this session you will put your sysadmin skills to use and upskill your custom detection and threat hunting capabilities. The session relies on free technologies (Hyper-V, Suricata, free license of ELK).

Eleni Ioakeim — OT Threat Analyst, Truesec

Eleni is an OT Threat Analyst at Truesec SOC in Copenhagen, with expertise in OT network security monitoring. Her work contributes to improving SOC processes and detection capabilities for ICS environments.

Her superpower is turning raw data into actionable insights — helping teams understand not just what happened, but why, and how to prevent it next time.

15:30

Networking session

16:30

We continue at Fredagscaféen

We continue the conversation over a beer at Fredagscaféen.