Archive for the talks Category

Level: Low tech

Abstract:
This talk presents today’s AI security defense landscape and what’s coming next. It examines risks posed by autonomous agents, why existing controls are insufficient, and the emerging practices, such as governance, monitoring, secure access, and intent-based detection, needed to safely scale agent-driven systems.

Bio:
Raz Tel-Vered is a technological leader specializing in research and development of production-grade solutions at the intersection of AI and cybersecurity. He has developed innovative solutions for addressing advanced security challenges and leveraging AI to detect and mitigate sophisticated threats.

Raz currently works at Zenity, where he focuses on defining and advancing the emerging field of AI Agents security. With extensive hands-on experience in modern cybersecurity techniques and real-world threat detection, he brings a unique blend of technical depth, innovation, and practical impact to securing AI-driven environments.

Level: Technical

Abstract:
Password cracking is a well-established technique used to recover plaintext passwords from hashed or encrypted data. While extensive tutorials, tools, and methodologies exist, most approaches are optimized for English and other morphologically simpler languages. There is surprisingly little guidance on adapting these techniques for morphologically rich languages such as Slovenian, Turkish, Slavic languages and others (like German), where inflection, declension, and word variation significantly expand the password search space.

This talk explores practical methods for optimizing password-cracking workflows for such languages. I will cover best practices, linguistic considerations, and tooling strategies, introduce a recently released toolkit designed specifically for this challenge, and demonstrate how these approaches improve real-world cracking effectiveness.

The session focuses on actionable techniques that have produced measurable improvements in realistic assessment scenarios, offering attendees both conceptual understanding and immediately applicable methods.

If you already know how to crack passwords, this session will show you how to crack them better when English assumptions stop working.

Bio:
Vlatko Kosturjak serves as the VP of Research at Marlink Cyber, boasting over two decades of dedicated experience in the realms of information security and cybersecurity. He has successful M&A experience in different fields of cyber security and in different roles.

Level: Technical

Abstract:
The focus of this presentation is the not so distant future. We are about to witness the death and rebirth of penetration testing, where the typical pentester shifts from a manual worker to a tool user, and finally to an “operator mode.” We saw pentesting emerge as a mostly manual discipline, then tools took over, and now we are entering a new era.
In this talk, I will demonstrate a “light” version of an AI agent. It doesn’t have every complex component of a full agent, but it has enough logic to do real pentesting jobs. I will show this software performing fully automated Linux privilege escalation. Then, we will use the same concept to automate OSINT tasks.
This might not sound like a huge innovation, since automation tools have existed for years. However, when you apply this concept to new problems and introduce an orchestrator, you get “hacking at scale.” This sounds optimistic, but it is already reality. The recent paper from Anthropic about “AI-orchestrated cyber espionage campaigns” shows that threat actors are already using this at scale. The bad guys are shifting to “Pentest Operator” mode. In this presentation, I will explain why this transition is inevitable and show you how it works in practice.

Technical Breakdown & Demos:
Agent Architecture: A look at the “light” agent logic and how it parses command output to make autonomous decisions without human input.
Auto-Privesc (Demo): The agent is dropped into a low-privilege Linux environment. We will watch it enumerate SUID binaries, kernel versions, and misconfigurations, select an exploit, and execute it to gain root.
Cognitive OSINT (Demo): Moving beyond scraping, the agent analyzes data and provides a nice report.
The Orchestrator: How these individual agents can be managed in a swarm to cover massive infrastructure simultaneously.

Bio:
Danijel Grah has over ten years of experience in cybersecurity. He began his career as a consultant before transitioning into research and later joined NIL (part of Conscia Group) as a Cyber Security Analyst in the Security Operations Center (SOC)/MDR. He eventually returned to Offensive Security and now serves as a Technical Lead. Danijel brings extensive expertise in penetration testing, security hardening, programming, consulting, and the development of cyber defense systems. He has published and presented research at various international information security conferences and has confirmed his knowledge and experience with industry certificates, such as GRID, GCFR and CRTO.

Level: Technical

Abstract:
Your security team has just painted a grim picture of cyber threats, and you’re aware that your web application is full of vulnerabilities. Fixing these seems like it will take between forever and never.

But wait! There’s a solution, a Web Application Firewall, which catches common vulnerabilities like script injection and Distributed Denial of Service (DDoS). No coding needed. You just direct all web traffic to the WAF; the WAF inspects all HTTPS requests, and blocks the dangerous ones.

In my talk, I will explain how a WAF works, and tell some stories from my experience showing why you probably don’t want one, and when it can provide value anyway.

WAFs often block legitimate users by mistaking normal activity for an attack. When an ecommerce firm saw that a quarter of potential new customers couldn’t even see the web-app, that was good reason to abandon the WAF. But these false positives are accompanied by false negatives: attacks that are let through. There is no way to catch them all: the variety of possible attacks is beyond the imagination of WAF designers and yours, but not of the hackers. I’ll describe a tricky hack aimed at the specific weaknesses of a web-app; there was no way to handle it but thoughtful secure coding. I will describe some cases in which, with a WAF in place, development teams became more complacent about proper security practices.

Despite these drawbacks, there are situations where using a WAF might be a good idea.

When my customers were asked for a WAF as a specific auditing requirement, they had no choice. But of course, in that case the WAF was not for security. And in rare cases where an enterprise deployed a not-so-secure third-party web-app whose code they couldn’t fix, the WAF added a bit of security.

That said, there is one good security reason to use a WAF: DDoS protection. Unlike string-matching, the DDoS protection is pretty effective, particularly with modern machine-learning based pattern detection.

This talk will leave you with the sense that the WAF is a lot less useful than you thought, but also with an understanding of when it’s the right choice to protect your systems.

Bio:
Joshua Fox has been a software architect in innovative technology companies for 20 years. Now, he advises tech startups and growth companies about Google Cloud Platform and Amazon Web Services; he also writes open source, publishes, and speaks to cloud engineers.

He has a PhD from Harvard University and a BA in math from Brandeis.

Level: Advanced Subject Matter

Abstract:
Binary instrumentation involves inserting code into compiled executables to monitor, analyze, or modify their behavior either at runtime (dynamic) or before execution (static) without altering the original source code. Static binary instrumentation (SBI) injects code before a binary runs, typically by modifying the file on disk, whereas dynamic binary instrumentation (DBI) operates in memory while the program runs. These techniques are widely used for profiling, debugging, tracing, security analysis, and reverse engineering.

Modern malware analysis often encounters obstacles when using traditional static or interactive methods. Dynamic Binary Instrumentation (DBI) offers an alternative by allowing researchers to monitor and modify a program’s instructions during runtime. This talk will introduce DynamoRIO, a framework designed for this purpose. It functions by intercepting code before it reaches the processor, providing a transparent view of malicious behavior that might otherwise be hidden by packing or obfuscation.

The presentation will cover the practical application of the framework, starting with its built-in tools for tasks such as code coverage and memory monitoring. We will then examine the process of writing custom clients using the provided API. This allows for the creation of specialized scripts that can automate the extraction of payloads or the logging of specific system calls, making the analysis process more efficient when dealing with complex samples.

A significant portion of the discussion will focus on how DynamoRIO performs when faced with common anti-analysis techniques. Malware frequently employs methods to detect debuggers or virtual environments to prevent execution. We will look at how the framework handles these challenges, specifically its ability to bypass timing-based checks and other detection mechanisms. This evaluation is based on research into the transparency of the instrumentation process and its effectiveness in maintaining a steady analysis environment.

By the end of the session, attendees will have a functional understanding of how to integrate DBI into their analysis workflows. The talk aims to provide a clear view of the framework’s capabilities and its practical use cases in the context of threat research. Participants will be familiar with the methods needed to deploy and customize DynamoRIO for their own investigative requirements.

Bio:
Vanja Svajcer works as a Threat Researcher at Cisco Talos. Vanja enjoys tinkering with automated analysis systems, reversing binaries and analysing mobile malware. He thinks time spent scraping telemetry data to find indicators of new attacks is well worth the effort. He has presented his work at conferences such as FSec, BSides, Virus Bulletin, RSA, CARO, AVAR, BalCCon and others.