BSides Vancouver 2026: Full Schedule

arrow_back View All Dates

10:40am PDT

Monday June 1, 2026 10:40am - 11:00am PDT

Track 4 - Room 1700 - Sponsored by Aikido Security

The 2026 BSides Vancouver theme perfectly captures the current state of enterprise security. As organizations rapidly adopt AI capabilities, the attack surface has expanded far beyond simple chat interfaces and into the core of how businesses operate. Security operations teams are now tasked with defending a complex, multi-layered AI ecosystem, often without the necessary visibility, standardized tooling, or established playbooks.
This presentation moves past the hype to break down the practical realities of Incident Response (IR) across the complete AI architecture. We will explore the specific threats, telemetry blind spots, and triage strategies associated with four distinct pillars of enterprise AI adoption:

The AI Pipeline & MLOps: Defending the supply chain.
Locally Hosted AI Applications: The unique IR challenges of managing self-hosted open-source models.
Agentic Workflows: Triaging incidents when autonomous systems go off the rails.
Widespread LLM Usage: Managing the daily operational risks of enterprise LLM adoption, from analysts without Pandas familiarity using LLMs to generate Python code for Jupyter notebooks, to standard prompt injection and data leakage in corporate applications.

Attendees will leave with a pragmatic framework for adapting their current IR capabilities to this new reality. We will outline actionable steps to update response playbooks for AI systems and build the necessary cross-functional workflows between security, data science, and engineering.

Speakers

Ryan Clarke

Principal Incident Response Consultant, Mandiant (Google Cloud)

Ryan is a Principal Incident Response Consultant for Mandiant (Google Cloud). As part of the Incident Response team, he provides emergency services to clients when a security breach occurs. He also conducts purple teams, threat hunts, table top exercises, forensic investigations and... Read More →

Muhammad Muneer

Principal Consultant - Incident Response, Mandiant (Now Part of Google Cloud)

As a Principal Incident Response Consultant and the global lead for Threat Hunting Program Development at Mandiant, Muhammad Muneer guides organizations through cybersecurity crises and proactively identifies emerging threats. He has also pioneered and led the development of the Securing... Read More →

Monday June 1, 2026 10:40am - 11:00am PDT
Track 4 - Room 1700 - Sponsored by Aikido Security

Talk, Track 4

Topic AI

10:40am PDT

Advanced SaaS Threats: Case Studies from the Field

Monday June 1, 2026 10:40am - 11:30am PDT

Track 5 - Room 1800

An increasing reliance on SaaS does not always come with the knowledge or motivation needed to secure these services. As businesses move away from on-premise systems, SaaS platforms are increasingly used for business-critical purposes, storing vital, sensitive company information. Organizations continue to underestimate SaaS breach risk, prioritizing ransomware defense while leaving critical SaaS exposures unaddressed.

But attackers have noticed, and they’re exploiting this blind spot.

Through a number of real-world case studies, including incidents involving Scattered Spider helpdesk takeovers, Salesforce-connected app compromises, malicious OAuth abuse, and a million-dollar BEC, we’ll dissect each campaign from initial access to root cause.

Attendees will see how these intrusions unfolded across platforms, threat actor groups, and techniques mapped to MITRE ATT&CK. Each case illustrates that SaaS is no longer a peripheral threat vector. It’s an attacker’s playground. You’ll leave with a better understanding of how these breaches occur, what defenders can learn from them, and practical steps to defend against the next wave of SaaS-native attacks.

Speakers

Damien Miller-McAndrews

Threat Researcher, Obsidian Security

Damien Miller-McAndrews is a Threat Researcher at Obsidian Security, investigating how attackers turn SaaS, identity, and social engineering into fast-moving breaches. He publishes research and practical insights to help security and IT teams better detect, respond to, and... Read More →

Monday June 1, 2026 10:40am - 11:30am PDT
Track 5 - Room 1800

Talk

10:40am PDT

Hype to Innovation: Quantifying AI Value for the Board

Monday June 1, 2026 10:40am - 11:30am PDT

Track 2 - GRC Track - Room 1400/1410 - Sponsored by Iron Spear - Hosted by ISACA

Boards are being asked to approve major investments in emerging technology. Today it may be AI, tomorrow quantum. Too often these decisions are driven by competitive pressure and promises of innovation, while the cyber implications remain loosely defined or entirely unmeasured. When value, risk, and resilience are not clearly understood, strategic decisions are made on assumptions, placing return on investment at risk.

This session dives into practical ways to quantify cyber value at the leadership level. The focus is on framing emerging technology through measurable impact, risk exposure, and organizational resilience rather than technical performance. Attendees will leave with concrete methods and insights that support confident executive decision-making.

Speakers

Greg Ahira

CEO, Fullspeed Technology Inc.

Greg Ahira leads enterprise security transformation at scale across global enterprises including Lundin Mining, GE, Cisco and Webex. He governs product, cloud, OT, incident response, identity and vulnerability programs that align security strategy with measurable business outcomes... Read More →

Kevin Sahota

Kevin Sahota is a cybersecurity leader with more than 30 years of experience across security operations, threat intelligence, risk, digital forensics, and incident response within highly regulated industries, including financial services, insurance, and critical infrastructure. He... Read More →

Monday June 1, 2026 10:40am - 11:30am PDT
Track 2 - GRC Track - Room 1400/1410 - Sponsored by Iron Spear - Hosted by ISACA 515 W Hastings St, Vancouver, BC V6B 5K3, Canada

Talk

10:40am PDT

Sandworms and Other Nonsense: An Eventful Year for npm Supply‑Chain Attacks

Monday June 1, 2026 10:40am - 11:30am PDT

Track 3 - AppSec Track - Room 1420/1430 - Sponsored by Google Cloud Security - Hosted by OWASP

The past year saw an explosion of highly effective malicious‑package attacks. Well‑known libraries were compromised, new versions shipped with additions for crypto theft or data exfiltration. Attackers launched different attacks with each building upon the last becoming more effective with each iteration. We bore witness to the first appearance of the great sandworm, followed by a far worse second coming. A simple bit of JavaScript that started with a mere 37 packages, swiftly spread like a worm from one victim to the next. In the end, it compromised an estimated 700 packages and GitHub accounts across more than a thousand organizations. Many recognizable companies had source code and other sensitive artifacts stolen. This talk digs into how these campaigns worked, why they were so effective, with real-world examples of how they slipped into even established security vendors or became pivot points for deeper compromise. We’ll also look at what has actually changed to counter this class of threat, what still hasn’t, and what is effective at protecting against these attacks.

Speakers

Megg Sage

Senior Security Engineer, PagerDuty

Megg is an application security engineer who started out as a web developer. Security drew her in with the endless puzzles and challenges put forth by the field. She loves sharing knowledge, particularly when she can both educate and frighten her audience at the same time. After all... Read More →

Monday June 1, 2026 10:40am - 11:30am PDT
Track 3 - AppSec Track - Room 1420/1430 - Sponsored by Google Cloud Security - Hosted by OWASP 515 W Hastings St, Vancouver, BC V6B 5K3, Canada

Talk

10:40am PDT

The Coming AI Catastrophe Won't Be Superintelligence, It Will Look Like Malware

Monday June 1, 2026 10:40am - 11:30am PDT

Track 1 - AI Track - Room 1900 - Sponsored by Kobalt.io

The most imminent and dangerous AI milestone isn't superintelligence — it's fully automated, end-to-end ransomware operations and an ai-breakout self-evolving worm. AI risk researchers in academia and industry are missing the importance of this issue. We may have already crossed (or be about to cross) a threshold where AI enables criminal actors to execute enterprise-wide encryption attacks with near-100% automation. The implications are potentially catastrophic: enterprises would need a perfect security posture both externally and internally, which fundamentally challenges how security organizations are structured today.

Speakers

Geoff McDonald

Monday June 1, 2026 10:40am - 11:30am PDT
Track 1 - AI Track - Room 1900 - Sponsored by Kobalt.io 515 W Hastings St, Vancouver, BC V6B 5K3, Canada

Talk

Topic AI

11:10am PDT

Losing Context: A Deep Dive into MCP Session Security

Monday June 1, 2026 11:10am - 11:30am PDT

Track 4 - Room 1700 - Sponsored by Aikido Security

Session Access Control - The Missing Validation Layer: The MCP specification explicitly distinguishes sessions from authentication but provides minimal prescriptive guidance on authorization enforcement. This session will explore the theoretical security implications of this design, where session IDs function similarly to bearer tokens but without the typical security controls.

The SDK Security Gap: An analysis of current MCP SDK implementations reveals an inconsistency in how session security is handled. While the specification provides various validations, most SDK implementations provide only basic checks, leaving critical validation decisions to developers without clear documentation or guidance.

Session Hijacking in MCP - Risks and Mitigations: We will examine how traditional session hijacking attacks apply to MCP's stateful transport model. This includes analyzing attack vectors where unauthorized parties gain access to valid session IDs, the potential impact on server-side resources and data exposure, and practical mitigation strategies. Through architectural examples, we will demonstrate defense-in-depth approaches including session-to-user binding, duplicate connection prevention, session expiration mechanisms, and proper validation patterns that developers can implement regardless of their chosen SDK.

Speakers

Srikanth Ramu

Principal Product Security Engineer

I am an Application Security professional with extensive experience in product security, built on a solid foundation in development and QA. During the COVID-19 pandemic, I developed an interest in hunting bugs in open-source libraries specifically targeting Java Deserialization vulnerabilities... Read More →

Monday June 1, 2026 11:10am - 11:30am PDT
Track 4 - Room 1700 - Sponsored by Aikido Security

Talk, AI

11:40am PDT

Behind the CAPTCHA: Exposing ClickFix and FakeCaptcha Threats

Monday June 1, 2026 11:40am - 12:00pm PDT

Track 5 - Room 1800

ClickFix and FakeCaptcha attacks represent sophisticated social engineering tactics designed to deceive users into performing unintended actions, such as downloading malware or facilitating unauthorized transactions. By exploiting user trust through realistic CAPTCHA prompts or deceptive "click-to-fix" scenarios, attackers are able to bypass traditional security defenses, resulting in malware infections, data theft, or financial losses.

This presentation provides a technical overview of current ClickFix and FakeCaptcha attack methodologies, including the novel “EtherHiding” technique. The talk will walk through analyses of real-world incidents, discuss the variations of FakeCaptcha attacks and outline various payloads as well as present indicators of compromise. Attendees will learn effective detection strategies, proactive prevention techniques leveraging threat intelligence, and practical steps organizations can implement to safeguard users against this evolving cyber threat.

Speakers

Greg Leah

Founder, PrecisionSec

Greg Leah is the Founder of PrecisionSec, a Threat Intelligence startup based in Victoria, British Columbia. Drawing on nearly 20 years of experience in the security industry, Greg has gained a wide range of expertise ranging from reverse engineering and creating complex malware detections... Read More →

Monday June 1, 2026 11:40am - 12:00pm PDT
Track 5 - Room 1800

Talk

11:40am PDT

Pragmatic Security to enable safety in the era of AI

Monday June 1, 2026 11:40am - 12:30pm PDT

Track 2 - GRC Track - Room 1400/1410 - Sponsored by Iron Spear - Hosted by ISACA

Grounded in the experience of supporting over 100 AI frontier firms in their security posture, Michael will cover pragmatic approaches to enable security and safety of your organization in the era of AI.

This talk will cover in depth, specific recommendations you can use in your organization today in the areas of:

AI Program and Risk Management - how to govern AI adoption and risk at your organization
Effective defence techniques against undetectable impersonation attacks

Development security - safety, guardrails and techniques to make sure agentic coding doesn't increase your vulnerability risks

Vendor risk management and shadow IT - technical and operational solutions to address AI vendor sprawl and risks

Agentic access management - understanding how to leverage permissions and data access controls while enabling agentic workflows

Speakers

Michael Argast

Co-Founder and CEO of Kobalt.io, Kobalt.io

Michael is an experienced cybersecurity professional with over 25 years of industry experience. He is the co-founder and CEO of Kobalt Security Inc., a global leader in security, privacy and compliance that builds security programs for small and mid-sized business. Kobalt.io works with over 1000 technology and startup companies to help ensure the security of their organization and cloud infrastructure, address client requirements... Read More →

Monday June 1, 2026 11:40am - 12:30pm PDT
Track 2 - GRC Track - Room 1400/1410 - Sponsored by Iron Spear - Hosted by ISACA 515 W Hastings St, Vancouver, BC V6B 5K3, Canada

Talk

11:40am PDT

Self-Infected Prompt Kiddies: From Script Kiddies to Prompt Kiddies — AI-Powered Cybercrime in the Wild

Monday June 1, 2026 11:40am - 12:30pm PDT

Track 1 - AI Track - Room 1900 - Sponsored by Kobalt.io

In the age of AI, truth is becoming optional, and cybercriminals are taking full advantage.
Today’s threat actors aren’t just buying phishing kits and reusing old malware. They are actively using AI to write convincing lures, generate malicious code, troubleshoot payloads, translate scams into multiple languages, and rapidly iterate campaigns like a software development team.
This talk provides a behind-the-scenes look at what defenders rarely get to see: pre-breach threat intelligence artifacts collected from real-world criminal testing environments. Many attackers test their malware and phishing infrastructure before launching full campaigns, and those “trial runs” often leak into places where defenders can collect and analyze them.
We will walk through real-world examples of:

AI-generated phishing emails, landing pages, and social engineering scripts
Infostealer malware development patterns that strongly suggest LLM involvement
Prompt-driven iteration: how criminals “debug” scams and malware faster than ever
The fingerprints AI leaves behind in code, wording, structure, and infrastructure
What this shift means for detection, threat hunting, and incident response

As machine-generated content floods the internet, scams become harder to distinguish from legitimate communication, and malware becomes easier to produce than ever before.

This session highlights the uncomfortable reality defenders now face: attackers don’t need advanced skills anymore, they just need the right prompt.

Speakers

Ali Alame

CTO and Co-Founder, CyberArmor

Ali Alame is a cybersecurity professional and co-founder of CyberArmor, leading threat-hunting initiatives across higher education, municipalities, and enterprise. His work focuses on pre-breach intelligence - detecting phishing kits, compromised credentials, and infostealer telemetry... Read More →

Monday June 1, 2026 11:40am - 12:30pm PDT
Track 1 - AI Track - Room 1900 - Sponsored by Kobalt.io 515 W Hastings St, Vancouver, BC V6B 5K3, Canada

Talk

11:40am PDT

Server Side Template Injections For Everyone

Monday June 1, 2026 11:40am - 12:30pm PDT

Track 3 - AppSec Track - Room 1420/1430 - Sponsored by Google Cloud Security - Hosted by OWASP

Server Side Template Injection (SSTI) is a web vulnerability that can be hard to spot, but leads to critical consequences when exploited. While this class of vulnerability has been documented for more than a decade, new research is constantly demonstrating that this is not a solved problem. New techniques for finding and exploiting SSTI vulnerabilities made the #1 spot for the 2025 top web security vulnerability rankings.

This presentation will cover how to discover SSTI vulnerabilities (even "blind" ones), and how these can be exploited to gain full code execution on the underlying server. No existing knowledge needed, SSTI's for everyone!

Speakers

Wesley Wineberg

Hacker

Wesley Wineberg is a full time bug bounty hunter, and has over 15 years experience working in information security. Wes has had various security roles during his career, covering everything from web apps to hardware security but primarily enjoys the offense side of security.

Monday June 1, 2026 11:40am - 12:30pm PDT
Track 3 - AppSec Track - Room 1420/1430 - Sponsored by Google Cloud Security - Hosted by OWASP 515 W Hastings St, Vancouver, BC V6B 5K3, Canada

Talk

11:40am PDT

When the Plan Meets the Incident at Machine Speed: Adapting Police Major Case Management to Cyber Crisis Response

Monday June 1, 2026 11:40am - 12:30pm PDT

Track 4 - Room 1700 - Sponsored by Aikido Security

AI is making attacks faster. Autonomous tooling compresses kill chains that used to take days into hours. Your incident response needs to keep pace, but most organizations have an IRP that covers escalation paths and notification timelines, and nothing that tells you how to actually run the incident at speed.

How do you brief a room of 30 people at 2 AM? How do you structure teams so nothing falls through the cracks over a 10-day response? How do you make consequential decisions every few minutes under incomplete information without losing accountability? How do you document as you go, rather than reconstructing after the fact? Going faster without answering these questions just leads to confusion faster than ever before.

RCMP Major Case Management was built after investigations failed due to coordination breakdowns under pressure. It provides principles for command structure, information management, team coordination, and accountability that scale from a two-person response to an 80-person operation without the overhead of a full Incident Command System.

This talk introduces CMIM (Cyber Major Incident Management), an adaptation of those principles for cybersecurity incident response in an era where machine-speed threats demand machine-speed decisions from human teams. It covers what the framework looks like, where it came from, and what happened when it was used to coordinate an 80-person cross-organizational response to a live attack. Bring your IR war stories.

Speakers

Brad Edwards

Domain Consultant, Security Operations Transformation, Palo Alto Networks

Brad Edwards is a Domain Consultant at Palo Alto Networks, specializing in security operations. He has 15 years of law enforcement experience as an RCMP constable, including digital forensics and economic crime. After leaving the RCMP, Brad worked as an enterprise software developer... Read More →

Monday June 1, 2026 11:40am - 12:30pm PDT
Track 4 - Room 1700 - Sponsored by Aikido Security

Talk

12:10pm PDT

sudo vibes : How AI Agents Got Root and Nobody Noticed

Monday June 1, 2026 12:10pm - 12:30pm PDT

Track 5 - Room 1800

Developers are handing AI agents the keys to their build environments. Your peers use Cowork to answer emails. Your parents generate memes from their camera roll. We've let convenience rapidly erode trust and integrity and given AI access through accessibility tools, APIs, and human emulation.

When Cowork needs debug access to Chrome and your filesystem, Claude Code runs with your terminal permissions and Cursor installs packages without asking, its a recipe for disaster. The result is a new attack surface spanning hallucinated dependencies, unsigned artifacts, prompt injection through source files, and autonomous agents that can ignore explicit instructions.

In this talk, Jake will walk through recent breaches, patterns of abuse, and how adversaries are taking advantage of the vibe coded way we build and ship software today.

Speakers

Jake King

Founder, minimal.dev

Jake is the former founder of Cmd (a linux endpoint security company) and now founder of Minimal.dev building secure, reproducible and fast dev environments. Jake is a frequent speaker on the topic of Linux & Cloud Security at BSides, RSA, MITRE, and other conferences, as well as an active member of the Vancouver cybersecurity community. An Australian native, Jake studied cybe... Read More →

Monday June 1, 2026 12:10pm - 12:30pm PDT
Track 5 - Room 1800

Talk

1:30pm PDT

Confessing how to build authentic trust in the age of artificial expertise

Monday June 1, 2026 1:30pm - 1:50pm PDT

Track 2 - GRC Track - Room 1400/1410 - Sponsored by Iron Spear - Hosted by ISACA

AI has democratized "expertise." Developers are using LLMs to ship complex (and potentially insecure) code at record speeds, while security professionals are using them to generate generic policy bloat. The result? A "Dead Internet" corporate culture where nobody trusts anyone, volume replaces value, and friction is at an all-time high.

As a software engineer turned security advisor, I have lived on both sides of this divide. I used to view security as the "Department of No" - a blocker to my velocity. Now, I realize the friction wasn't technical; it was a failure of influence.

This talk explores why Human Influence is the ultimate security control that AI cannot fake. We will move beyond tricks and focus on authentic engineering alignment. I will share how to cut through the "AI slop" to build genuine trust with skepticism-heavy developers, how to translate technical debt into business risk for executives, and how to stop "generating" security and start negotiating it.

Speakers

Noris Buriac

Application Security & DevSecOps Advisor, Forward Security

Known to friends as "NorisGPT", I'm a recovering software engineer turned Security Solutions Consultant at Forward Security. After writing code for the RCMP, Disney, Microsoft, and HP, I transitioned from building enterprise software to driving AppSec and DevSecOps growth. I specialize... Read More →

Monday June 1, 2026 1:30pm - 1:50pm PDT
Track 2 - GRC Track - Room 1400/1410 - Sponsored by Iron Spear - Hosted by ISACA 515 W Hastings St, Vancouver, BC V6B 5K3, Canada

Talk

1:30pm PDT

Evil AI vs. Open Source Linux: Zero competition in the realm of DNS exfiltration

Monday June 1, 2026 1:30pm - 2:20pm PDT

Track 1 - AI Track - Room 1900 - Sponsored by Kobalt.io

In the red corner we have an Evil AI local LLM armed with a client in the right hand and a server in the left.
He's notoriously relentless with an unpredictable style fashioning multiple encoding strategies, chunk size tuning and payload throttling.

Recent rumors suggest he's managed to unshackle himself from any external dependencies by leveraging Kotlin Native to execute a standalone binary.

In the blue corner we have a headless Debian instance ready to unleash a flurry of packages from the standard repos. He's known for being cold and calculated with a unique ability to deeply understand his opponent and counter every move. His defense is impenetrable with unforgiving iptables egress rules and a meticulously configured local DNS stub resolver. Word on the street is he's been training heavy with the DHCP hook to stay fresh on the latest nameserver.

This is a fight you don't want to miss. Both contenders are highly skilled slaughter machines, unwilling to accept anything less than a knock-out!

Speakers

Alan Ilicic

Staff Android Developer, Rivian Automotive

Alan Ilicic is a Staff Android app/OS developer at Rivian with 8 years of experience, specializing in reactive architectures, security and performance optimization. He has a Ph.D. in electrochemical engineering and formerly was a chemistry professor for 8 years where he managed the... Read More →

Monday June 1, 2026 1:30pm - 2:20pm PDT
Track 1 - AI Track - Room 1900 - Sponsored by Kobalt.io 515 W Hastings St, Vancouver, BC V6B 5K3, Canada

Talk

1:30pm PDT

Threat Modeling Developer Behaviour: The Psychology of Bad Code

Monday June 1, 2026 1:30pm - 2:20pm PDT

Track 3 - AppSec Track - Room 1420/1430 - Sponsored by Google Cloud Security - Hosted by OWASP

Security teams threat model systems, but rarely do we threat model the developers building them. What if some of the most persistent AppSec problems aren’t purely technical—but behavioral?

This talk dives into the psychology of insecure code, using principles from behavioral economics to explain why developers take risky shortcuts, ignore secure practices, or ship code that “just vibes.” From copying insecure Stack Overflow snippets, to skipping documentation, to shipping untested features under tight deadlines—these aren’t personal failings. They’re predictable cognitive patterns influenced by incentives, stress, and how our brains are wired.

We’ll explore how well-known concepts such as present bias, automation bias, the bystander effect, and overconfidence play out in real-world development. Then we’ll shift from insight to action—offering behavioral nudges and design patterns you can apply in your SDLC, tools, and team culture to make secure behavior the default.

This talk blends psychology, security, and dev reality to reframe AppSec—not as a checklist, but as a human system.

Speakers

Tanya Janca

Security Trainer and Founder, She Hacks Purple & DevSec Station

Tanya Janca, known online as SheHacksPurple, is the best-selling author of Alice and Bob Learn Secure Coding and Alice and Bob Learn Application Security. She is the founder of DevSec Station, a modern learning platform and community built to help software developers master secure... Read More →

Monday June 1, 2026 1:30pm - 2:20pm PDT
Track 3 - AppSec Track - Room 1420/1430 - Sponsored by Google Cloud Security - Hosted by OWASP 515 W Hastings St, Vancouver, BC V6B 5K3, Canada

Talk

1:30pm PDT

Trust No Schema: Finding the Truth in Raw SQLite Binary.

Monday June 1, 2026 1:30pm - 2:20pm PDT

Track 5 - Room 1800

In a landscape where digital reality is increasingly “optional,” the structures we rely on, like database schemas, can be deceptive, corrupted, or missing entirely. When the standard query layer fails and SELECT * returns nothing, most analysts assume the truth is gone. This session is for those who refuse to accept that conclusion.

We will bypass the "optional reality" presented by database management tools and descend into the absolute ground truth: the raw binary structure of the SQLite format. By treating the database file not as a structured container but as a raw artifact, we can uncover evidence that standard parsers ignore. We will map out table structures, decode "Magic Bytes," and carve data without ever needing a valid header. This approach allows us to reconstruct the narrative and verify the existence of data, even when the system says it doesn’t exist.

Speakers

Marcelo Caiado

Cybersecurity Leader and Digital Forensics Expert, MPF

Marcelo Caiado is a seasoned cybersecurity expert and educator with over 25 years of experience in digital forensics, incident response, and information security leadership. He currently serves as an Adjunct Professor at the New York Institute of Technology (NYIT) in Vancouver, where he teaches Dig... Read More →

Monday June 1, 2026 1:30pm - 2:20pm PDT
Track 5 - Room 1800

Talk

2:00pm PDT

Canada's First Cyber Security Case

Monday June 1, 2026 2:00pm - 2:50pm PDT

Track 2 - GRC Track - Room 1400/1410 - Sponsored by Iron Spear - Hosted by ISACA

In 1975, the University of Alberta received its first computer: an Amdahl 470 V/6 complete with three hundred terminals spread across the campus made available to 3,500 students and faculty. While one of the first notable things it was used for was to play chess, it also became important in establishing computer crime law in Canada. When a student was caught stealing time from the shared system, the Crown struggled to charge him. This talk will go over the entire story and how the Supreme Court of Canada had to tell Parliament to change the law to understand the new frontier that was computing.

Speakers

Cariad Heather Keigher

Lead, Logging & Analytics, Security Infrastructure, Teck Resources Ltd.

Cariad has worked in the cyber security field for a decade and a half and is a technology lead at an international natural resources company. Her career has had her engaging in digital forensics, incident response, engineering, penetration testing, and consulting. In her spare time... Read More →

Monday June 1, 2026 2:00pm - 2:50pm PDT
Track 2 - GRC Track - Room 1400/1410 - Sponsored by Iron Spear - Hosted by ISACA 515 W Hastings St, Vancouver, BC V6B 5K3, Canada

Talk

2:30pm PDT

Faces in the Fog: Identifying Users through Unconventional Means

Monday June 1, 2026 2:30pm - 3:20pm PDT

Track 3 - AppSec Track - Room 1420/1430 - Sponsored by Google Cloud Security - Hosted by OWASP

User enumeration remains one of the most prevalent yet under-discussed application security vulnerabilities across industries and organizations worldwide. Despite its critical role in the security landscape, many security teams overlook the implications of this core security flaw.

This talk will demystify user enumeration by exploring its various types, attack methods, and real-world impact on applications. Attendees will gain practical insights into identifying and mitigating these vulnerabilities with hands-on demonstrations of scripts, tools, and advanced techniques designed for faster detection by utilizing LLM technology. Whether a penetration tester, developer, or security professional, this session will equip you with actionable strategies to strengthen your defenses against user enumeration threats.

Speakers

Justin Larson

Principal Application Security Engineer, Redpoint Security

Justin Larson is a Principal Application Security Consultant with Redpoint Security. He started his career bouncing servers in the NOC of a SaaS company. He moved to the information security team within the same organization and then transitioned to specialize in application security... Read More →

Seth Law

Monday June 1, 2026 2:30pm - 3:20pm PDT
Track 3 - AppSec Track - Room 1420/1430 - Sponsored by Google Cloud Security - Hosted by OWASP 515 W Hastings St, Vancouver, BC V6B 5K3, Canada

Talk

2:30pm PDT

Finding Public Files… That Were Never Meant to Be Public

Monday June 1, 2026 2:30pm - 3:20pm PDT

Track 4 - Room 1700 - Sponsored by Aikido Security

What if your most sensitive information wasn’t hacked, stolen, or exfiltrated—but quietly made public through everyday business processes? This talk examines how sensitive files routinely escape into the public eye via search engines, file-hosting platforms, misconfigured cloud services, shared drives and servers, URL shorteners, forgotten upload paths, and other overlooked exposure points—often without triggering alerts or raising suspicion.

Drawing on experience in cybersecurity, information privacy, and private investigations, this session explores how attackers, journalists, and investigators systematically uncover sensitive data by pivoting across people, companies, domains, filenames, usernames, and keywords. Using nothing more exotic than internet search engines, specialized file-discovery tools, and an understanding of human error, this is a practical, reconnaissance-focused talk about finding what was “never meant to be public,” why these leaks are so persistent, and how defenders can identify and reduce this exposure before someone else does.

Speakers

Ionatan Waisgluss

OSINT Analyst, C3SA Cyber Security & Audit | Shadow Investigations Ltd.

Monday June 1, 2026 2:30pm - 3:20pm PDT
Track 4 - Room 1700 - Sponsored by Aikido Security

Talk

2:30pm PDT

Rebooting Resilience: Fixing Burnout Before It Crashes Your System

Monday June 1, 2026 2:30pm - 3:20pm PDT

Track 5 - Room 1800

In tech, pushing hard is often part of the culture. Tight deadlines, constant change, and the pressure to keep up can make “running on fumes” feel normal. But when stress stops being temporary and starts feeling relentless, it may be more than just a busy season; it may be burnout.

This talk breaks down what burnout really is (and what it isn’t), in clear, practical terms. We’ll explore how to recognize the early signs, such as brain fog, loss of motivation, or feeling detached from your work. We’ll also look at why burnout happens in tech environments, including always-on expectations, blurred work-life boundaries, and sustained high-performance demands. The session will also focus on what to do about it.

Attendees will gain realistic strategies for protecting their energy, setting healthier boundaries, and building more sustainable ways of working, both individually and within teams. The goal is not just to manage stress, but to create conditions where people can continue doing meaningful work without burning out.

Speakers

Nicole Che

Co-Clinical Director, Registered Clinical Counsellor, Brentwood Counselling Centre

Nicole is a Registered Clinical Counsellor with the BC Association of Clinical Counsellors and holds a Master's Degree in Counselling Psychology, who works with anxiety, depression, relationships and trauma. Nicole helps individuals strengthen their boundary-setting skills, identify... Read More →

Leah Liu

Co-Clinical Director, Registered Clinical Counsellor, Brentwood Counselling Centre

Leah holds a Master of Arts in Counselling Psychology degree, and she is a Registered Clinical Counsellor of the BC Association of Clinical Counsellors. Leah has vast experience in supporting people with stress management, anxiety and depression regulation, boundary-setting, and relationship... Read More →

Monday June 1, 2026 2:30pm - 3:20pm PDT
Track 5 - Room 1800

Talk

2:30pm PDT

When Reality Becomes Optional: AI Threat Modeling That Actually Works

Monday June 1, 2026 2:30pm - 3:20pm PDT

Track 1 - AI Track - Room 1900 - Sponsored by Kobalt.io

Every security framework tells you to threat model. Almost nobody does it consistently. The reasons are always the same: it's time-consuming, requires specialized expertise, and doesn't scale.
We developed an end-to-end AI threat modeling pipeline to address these challenges. Leveraging LLMs through the Model Context Protocol (MCP), our system analyzes architecture diagrams and codebases to generate prioritized, evidence-based threats, including attack vectors, mitigations, and verification steps. This approach delivers consistent results at a pace that enables continuous threat modeling.
This presentation will demonstrate the full pipeline, including parsing infrastructure-as-code, extracting architectural patterns, and applying multi-stage reasoning to identify context-aware threats. We will showcase the CLI tool and visualization dashboard, discuss the respective strengths of AI and human expertise, share insights from production deployments, and explain how MCP's architecture supports composable security tooling beyond threat modeling.

Speakers

Sebastian Finch

Student, Associate Ethical Hacker, SFU, PacketLabs

Seb is an Ethical Hacker with a keen interest in offensive and defensive security who is pursuing his Masters in Cybersecurity. He is an engaging speaker who has done several talks on campus, as well as facilitating recurring university groups for cybersecurity.

Oliver Stutz

Student, CTO, SFU, Priverion

Oliver is a CTO who assists enterprises and startups in safeguarding their security, with a background in building banking-grade systems. Drawing on extensive hands-on experience with real-world threats, he integrates risk management and compliance into practical, resilient solutions... Read More →

Monday June 1, 2026 2:30pm - 3:20pm PDT
Track 1 - AI Track - Room 1900 - Sponsored by Kobalt.io 515 W Hastings St, Vancouver, BC V6B 5K3, Canada

Talk

3:00pm PDT

Why NIST Maturity Score May Mislead You (Is it budget well-spent to repeat your NIST assessment annually in the age of AI?)

Monday June 1, 2026 3:00pm - 3:20pm PDT

Track 2 - GRC Track - Room 1400/1410 - Sponsored by Iron Spear - Hosted by ISACA

Cybersecurity maturity scores, frequently presented to executive leadership and boards, are often tied to the National Institute of Standards and Technology (NIST) framework and the Capability Maturity Model Integration (CMMI) scale. Organizations often use these scores—sometimes oddly accurate as 2.59 moving to precisely 2.73 —as a definitive stamp of achievement. The pursuit of external validation drives many leaders to also seek industry benchmarks for comparison. This paper argues that relying on these static, quantified scores can be profoundly misleading, potentially instilling a false sense of security and misdirecting budget and resource allocation.

The concept of a numerical maturity score applied to NIST is not inherent to the framework itself; rather, it is a construct developed and popularized by consulting companies, often blending NIST's Implementation Tiers—which are focused on risk management—with the CMMI scale. This imposition of a single number fails to capture the true complexity of cybersecurity risk management.

This presentation invites the audience to take these scores with a grain of salt due to significant limitations in both the assessment methodologies and the resulting benchmarks:

Risk Alignment Failure: The final score does not accurately reflect the organization's unique threat profile, actual risk exposure, or the criticality of the assets being protected. This means a high score provides no guarantee of protection against the most relevant threats.
Focus on Design over Operational Effectiveness: Assessments focus predominantly on control design and documented capability—a paper-based review or interview—rather than validating operational effectiveness through active, continuous testing and real-world validation.
Subjectivity and Measurement Bias: Despite following consistent frameworks, the scoring remains subjective. This is compounded by the inherent challenges of repeatedly converting qualitative evidence (such as workshop responses or process descriptions) into quantitative data, a process that introduces significant measurement errors and is susceptible to assessor or consultant judgment.
Framework Interpretation Ambiguity: The NIST Cybersecurity Framework is descriptive, using terms that require broad interpretation (e.g., "shall be protected") as opposed to the prescriptive nature of other standards like 800-53. This ambiguity further degrades the consistency and comparability of assessment results.
Flawed Score Aggregation: The resulting number is often a simple average of maturity ratings across numerous control sub-categories. This averaging technique can mask severe vulnerabilities in a single critical category and provide a misleading picture of overall maturity.
Benchmark Data Low Quality:

Speakers

Golnaz Elahi

Principal Strategic Security Consultant, Mandiant (Google Cloud)

Golnaz is a principal strategic cybersecurity advisor with Mandiant Canada (part of Google Cloud). Golnaz has 15 years of experience in the cybersecurity field, from early years in ethical hacking to technical and executive level consulting at Big4 firms, inhouse security office officer... Read More →

Monday June 1, 2026 3:00pm - 3:20pm PDT
Track 2 - GRC Track - Room 1400/1410 - Sponsored by Iron Spear - Hosted by ISACA 515 W Hastings St, Vancouver, BC V6B 5K3, Canada

Talk

3:30pm PDT

Finding the AI Systems No One Approved

Monday June 1, 2026 3:30pm - 3:50pm PDT

Track 1 - AI Track - Room 1900 - Sponsored by Kobalt.io

AI is entering enterprises through side doors, not front gates. Long before legal reviews, vendor assessments, or security sign-off, employees are spinning up local coding assistants, connecting to external model servers, and assembling multi-agent workflows that operate entirely outside formal governance.

This session explores practical agentic fingerprinting, and how security teams can uncover AI systems based on what they are, not what they’re called. By identifying the shared metadata, configuration artifacts, and behavioral signals that define an AI agent, organizations can discover unapproved AI activity across cloud APIs, internal code repositories, and endpoints—without relying on brittle network choke points.

Attendees will leave with a practical framework for mapping their true AI footprint, understanding where governance assumptions break down, and regaining visibility into the digital workforce that is already operating inside their organization—approved or not.

Speakers

Giuseppe Trovato

Head of Research, Geordie AI

Giuseppe Trovato is Head of Research at Geordie AI, where he focuses on AI-driven security and the intersection of agentic AI and software security. Previously, he spent over a decade at leading vulnerability research and application security initiatives. Originally from Sicily... Read More →

Monday June 1, 2026 3:30pm - 3:50pm PDT
Track 1 - AI Track - Room 1900 - Sponsored by Kobalt.io 515 W Hastings St, Vancouver, BC V6B 5K3, Canada

Talk

3:30pm PDT

How to get decades-long security in a consumer device: breaking locks and using the courts

Monday June 1, 2026 3:30pm - 3:50pm PDT

Track 2 - GRC Track - Room 1400/1410 - Sponsored by Iron Spear - Hosted by ISACA

Consumer devices like phones, routers, and computers are built to last only a few years. Not because the hardware falls apart, but because, after a few years, manufacturers refuse to update the software. In most cases they also prevent you from updating the software yourself. This creates huge amounts of e-waste, and significant added expense for people who would rather keep the perfectly-fine hardware they have.

Fortunately, the infosec community is already creating solutions to these problems. The first step to securing a device long-term is to break the manufacturer's locks so that you can get in and modify the device's software yourself (whether those locks are "legitimate" or not). We have many excellent examples of people prolonging the life of devices this way.

However, the majority of the time getting in is just part of the battle. Once you have root on a device, there may still be software that is proprietary or otherwise difficult to secure (perhaps because the company is withholding source code that they are required to give you). This is where the software freedom community can help out, by getting all the possible source code, and reimplementing the rest.

We have many examples where this has been done, from OpenWrt and Rockbox for routers and audio players, to Debian and LineageOS for computers and phones. In all of these cases, people have found ways to install software updates on devices that would otherwise stop receiving updates, allowing them to continue using their device securely for a decade or more. And in many cases, these ways involved using the courts.

This talk will discuss how these projects came to be, how we used the courts to make that happen, how many decades of security support you can reasonably get for an arbitrary consumer device you buy today, and how you can help make this possible.

Speakers

Denver Gingerich

Director of Compliance, Software Freedom Conservancy

Denver is a software right-to-repair activist who is currently Director of Compliance at Software Freedom Conservancy, where he enforces software right-to-repair licenses such as the GPL, and is also a director of the worker co-operative that runs JMP.chat, a FOSS phone number (texting/calling... Read More →

Monday June 1, 2026 3:30pm - 3:50pm PDT
Track 2 - GRC Track - Room 1400/1410 - Sponsored by Iron Spear - Hosted by ISACA 515 W Hastings St, Vancouver, BC V6B 5K3, Canada

Talk

3:30pm PDT

Jailbreak the Jailbreaker: Autonomous AI Red Teaming

Monday June 1, 2026 3:30pm - 3:50pm PDT

Track 5 - Room 1800

We explore how AI systems can automatically mutate and refine their own prompts to bypass defenses more effectively over time, showing how repeated adversarial testing dramatically increases jailbreak success rates. Through this process, it becomes clear why static guardrails and fixed policy layers quickly collapse when faced with recursive, adaptive probing. Finally, we examine what this means for modern agentic AI systems that have access to tools, APIs, and privileged permissions and why their expanding capabilities demand a fundamentally different approach to security and oversight.

Speakers

Mrigakshi Goel

Finning International

Jailbreak the Jailbreaker: Autonomous AI Red Teaming

Monday June 1, 2026 3:30pm - 3:50pm PDT
Track 5 - Room 1800

Talk

3:30pm PDT

The Velocity Paradox: Why More Scanners Lead to Worse Outcomes

Monday June 1, 2026 3:30pm - 3:50pm PDT

Track 3 - AppSec Track - Room 1420/1430 - Sponsored by Google Cloud Security - Hosted by OWASP

Machine-speed output + Human-speed oversight. That's the structural mismatch defining application security in 2026. Security budgets are at record highs, 100% tooling coverage is our never-ending future state, but many organizations are experiencing worse security outcomes.

Our industry's popular narrative says AI-generated code demands more aggressive scanning. This is the wrong framing. The bottleneck isn't coverage, it's organizational context. Traditional tools audit binary nodes (Is MFA on? Is there a hard coded secret?) while ignoring the paths that actually create risk (remember ASPM?). The result is a wall of noise that users have learned to ignore.

In this talk, I will describe the need for the shift from Pipeline Enforcement, which breaks at velocity, to Contextual Intelligence, which scales with it. By applying Graph Neural Network (GNN) principles as an enrichment layer, we replace binary gates with a relational foundation that surfaces what actually matters.

Speakers

Francis Ofungwu

CEO, Efeeo

Francis Ofungwu is the CEO and Founder of Efeeo, where he is building the relational foundation for the AI era. With over 20 years of experience leading cybersecurity at scale for organizations like GitLab, Salesforce, and Rackspace, Francis has spent his career threading the needle between "move fast" engineering cultures and the rigorous mandates of highly regulated industries... Read More →

Monday June 1, 2026 3:30pm - 3:50pm PDT
Track 3 - AppSec Track - Room 1420/1430 - Sponsored by Google Cloud Security - Hosted by OWASP 515 W Hastings St, Vancouver, BC V6B 5K3, Canada

Talk

3:30pm PDT

A Guide to AI Red Teaming in 2026: Why Traditional Pentest Assumptions Fail

Monday June 1, 2026 3:30pm - 4:20pm PDT

Track 4 - Room 1700 - Sponsored by Aikido Security

Organizations are rapidly deploying AI-powered chatbots, copilots, and agentic workflows - often faster than security teams can adapt their testing practices. Traditional pentesting assumes deterministic systems, stable input/output schemas, and well-defined trust boundaries. Those assumptions no longer hold when natural language becomes both the interface and the attack surface, and when models can retrieve data, invoke tools, and trigger real-world actions.

This session explores AI red teaming as a practical, adaptable, and repeatable application security exercise rather than a collection of one-off jailbreak techniques. We’ll examine where risk actually concentrates in modern AI systems - supporting REST API endpoints, the orchestration layer surrounding LLMs, access controls, input/output handling, and why focusing on the model alone misses the most meaningful exposures, along with a look at real-world cases where attackers have exploited AI-powered functionality to impact businesses.

Through demonstration of automated testing techniques using open source AI red teaming tools (e.g., Garak, Promptfoo, DeepTeam, etc.) and industry guidance (including the OWASP Top 10 for LLM Applications), attendees will see how ad-hoc experimentation can mature into a repeatable testing approach: structured test matrices, risk-driven evaluation, and findings translated into business impact such as data exposure, unauthorized actions, cost and availability risks, and regulatory or reputational consequences.

The talk concludes with recommendations for building a layered defense strategy and for integrating continuous AI security testing into existing development workflows. Attendees will leave with a practical mental model for assessing AI risk, communicating it to leadership, and building testing practices that scale alongside rapidly evolving AI deployments

Speakers

Jugal Lad

Security Analyst, Application Security, Mirai Security Inc.

I am a Security Analyst at Mirai Security Inc., taking my early steps in cybersecurity and aiming to help organizations strengthen their security posture. My work involves conducting security assessments, identifying vulnerabilities, and providing actionable security insights and... Read More →

Monday June 1, 2026 3:30pm - 4:20pm PDT
Track 4 - Room 1700 - Sponsored by Aikido Security

Talk

4:00pm PDT

Beyond Regex: Using LLMs to Add Context to DLP

Monday June 1, 2026 4:00pm - 4:20pm PDT

Track 1 - AI Track - Room 1900 - Sponsored by Kobalt.io

Traditional DLP is great at catching known patterns like SSNs, credit cards, and obvious secrets, but many of today’s most damaging leaks aren’t “pattern-shaped.” They’re high-context artifacts: internal research, design docs, incident notes, and strategy memos that become sensitive because of what they mean and how they combine. In cloud-native collaboration platforms, sharing is frictionless, auditing can lag behind, and “who accessed what and why” becomes difficult to prove.

To ground the risk, we’ll start with a real-world case. How a former Google engineer stole thousands of pages of confidential AI trade secrets and uploaded them to a personal cloud account, an example of privileged access plus modern collaboration workflows enabling rapid exfiltration.

From there, this talk explores how to use LLMs to add context-aware classification to DLP workflows without turning policy into “whatever the model says.” We’ll walk through a practical reference architecture: document labeling, confidence scoring and thresholds, human-in-the-loop review, and mapping classifications to enforceable controls like external sharing restrictions, domain allow and deny lists, and step-up authentication. We’ll also cover the hard parts: model inconsistency, prompt injection, drift, and auditability, and the guardrails that make an AI-assisted DLP system safe to operate.

Speakers

Alex Vazquez

Senior Security Engineer, Snap Inc

Raised in Vancouver and based in Seattle, I graduated from UBC in Electrical Engineering and got into security through CTFs and pentesting. I’m currently a Security Engineer at Snap Inc and previously a Security Engineer at Microsoft. I focus on AI security and data protection... Read More →

Monday June 1, 2026 4:00pm - 4:20pm PDT
Track 1 - AI Track - Room 1900 - Sponsored by Kobalt.io 515 W Hastings St, Vancouver, BC V6B 5K3, Canada

Talk

4:00pm PDT

Follow the Engineer: Delivering Security Intelligence Over MCP

Monday June 1, 2026 4:00pm - 4:20pm PDT

Track 5 - Room 1800

Open source runs the world. AI now ships most of the code. That means security decisions are happening inside the tools engineers already use, not in dashboards or tickets. The problem is no longer finding vulnerabilities. It is delivering the right remediation guidance at the exact moment an engineer can act.

This talk is a field report from building open patterns for that delivery. We built OVRSE, an open remediation specification, and a community MCP server that brings exploitability, breaking change risk, patch stability signals, and remediation commands directly into the AI tools engineers already use. It worked. It also broke in surprising ways.

You will see why tool prompt instructions became security controls, why structured output replaced dashboards as the interface between security and engineering, and why MCP adoption created a governance gap most security teams have not noticed yet.

This is not a product talk. It is a practitioner report on how the delivery layer for security intelligence is changing, and what the community needs to do about it.

Speakers

Ankit Kumar

Co-Founder & CEO, Emphere

Ankit Kumar is a security software engineer and cofounder of Emphere, building automation that closes the gap between vulnerability discovery and applied fix. His work focuses on dependency reachability and fix synthesis across application code, language runtimes, native libraries... Read More →

Monday June 1, 2026 4:00pm - 4:20pm PDT
Track 5 - Room 1800

Talk

4:00pm PDT

SameSite... Or Not? Exploring novel bypasses for SameSite cookie protections

Monday June 1, 2026 4:00pm - 4:20pm PDT

Track 3 - AppSec Track - Room 1420/1430 - Sponsored by Google Cloud Security - Hosted by OWASP

SameSite cookies are often relied upon too heavily to prevent cross-site request forgery, yet, due to browser implementations, they can be included in unexpected requests. This talk demonstrates novel bypass techniques, including a Chrome CVE discovered during while researching these methods. Attendees will gain an understanding of the impacts on real-world applications, and how to protect against these attacks.

Speakers

Vincent Dragnea

Application Security Consultant, Forward Security

Vincent is an application security consultant at Forward Security. He has 7 years of experience as a security researcher, since making the leap to cybersecurity from a software development background. Always eager to learn more, and OSWE-certified, Vincent loves to find creative exploits... Read More →

Monday June 1, 2026 4:00pm - 4:20pm PDT
Track 3 - AppSec Track - Room 1420/1430 - Sponsored by Google Cloud Security - Hosted by OWASP 515 W Hastings St, Vancouver, BC V6B 5K3, Canada

Talk

4:00pm PDT

When Trust Is Outsourced: Security in the Age of Third-Party Everything

Monday June 1, 2026 4:00pm - 4:20pm PDT

Track 2 - GRC Track - Room 1400/1410 - Sponsored by Iron Spear - Hosted by ISACA

Most organizations invest heavily in securing their own networks, identities, and endpoints — yet depend on dozens or hundreds of external vendors to operate day-to-day. In practice, some of the most sensitive data and critical processes live outside the organization’s direct control. Attackers know this and increasingly target third parties, service providers, and support channels as the path of least resistance.
This talk draws on real-world risk assessment experience to examine how trust in vendors is established, where it breaks down, and why common assurance mechanisms often fail to reflect actual exposure. Certifications, questionnaires, and contractual clauses can create a sense of comfort, but they do not prevent misconfigurations, credential compromise, insider threats, or cascading failures across interconnected systems.

We will look at practical scenarios where vendor relationships introduced unexpected risk — from privileged access and data handling practices to hidden subcontractors and opaque technology stacks. The session will also discuss how emerging dependencies on AI services and automated decision systems complicate accountability and visibility even further.

The goal is not to criticize vendors, but to provide a realistic framework for evaluating trust in environments where organizations must rely on infrastructure they do not own and cannot fully audit. Attendees will gain practical considerations for identifying high-risk relationships, improving due diligence conversations, and preparing for incidents that originate outside their perimeter.
This session is intended for security practitioners, risk professionals, architects, and leaders responsible for safeguarding systems that depend on third-party services.

Speakers

Ankan Garg

Senior GRC Analyst, Lululemon

Ankan Garg is a cybersecurity practitioner specializing in Third-Party Risk Management (TPRM), cloud security, and governance. He works with organizations to evaluate the security posture of vendors, SaaS platforms, and supply chains that underpin modern digital services.In addition... Read More →

Monday June 1, 2026 4:00pm - 4:20pm PDT
Track 2 - GRC Track - Room 1400/1410 - Sponsored by Iron Spear - Hosted by ISACA 515 W Hastings St, Vancouver, BC V6B 5K3, Canada

Talk

4:30pm PDT

Why Your Best Detection Tool Is Critical Thinking

Monday June 1, 2026 4:30pm - 4:50pm PDT

Track 5 - Room 1800

Every year we get faster tools, better dashboards, and more detections. And every year, analysts still miss things. Not because the tools failed, but because the thinking did.

Cybersecurity borrowed heavily from the military: the Kill Chain, MITRE ATT&CK, red teaming, threat intelligence. But we skipped one of the most important things the intelligence community invested in: teaching their analysts how to think. The CIA spent decades studying why smart analysts make bad calls. They built frameworks, published research, and made critical thinking a core discipline. In cybersecurity, we hand someone a SIEM and say good luck.

This talk explores what happens when we apply intelligence community thinking to cybersecurity analysis. Not academic theory, but practical habits that change how you investigate alerts, assess threats, and make decisions under pressure. Why do analysts anchor on the first hypothesis? Why does confirmation bias turn a routine investigation into a missed breach? And what can you do about it starting Monday morning?

Tools change every year. Thinking compounds forever.

Speakers

Klaus Wunder

Principal Cyber Defence Analyst, SECUINFRA

With nearly two decades in cybersecurity, Klaus has gone from configuring firewalls to protecting industrial control systems where breaches cost safety, not just data. That journey gives him a full-spectrum perspective on security operations. He guides teams through complex incidents... Read More →

Monday June 1, 2026 4:30pm - 4:50pm PDT
Track 5 - Room 1800

Talk

4:30pm PDT

Can LLMs Really Find IDORs? Limits of AI Security Reasoning

Monday June 1, 2026 4:30pm - 5:20pm PDT

Track 1 - AI Track - Room 1900 - Sponsored by Kobalt.io

Can AI actually find IDORs in real code? We tested top coding agents against real-world apps—and the results were mixed. The models discovered genuine vulnerabilities, but also generated large numbers of false positives and inconsistent findings. By dissecting results across multiple authorization complexity levels, we show where LLMs shine, where they fail, and why IDORs remain a uniquely hard class of bugs for AI to reason about. Expect real examples, surprising failure modes, and practical lessons for anyone considering AI as a security testing assistant.

Speakers

Vasilii Ermilov

Senior Security Researcher, Semgrep

Vasilii Ermilov (@ermil0v) is a Senior Security Researcher at Semgrep, a startup working on open source static analysis tools that fit the modern developer workflow. Having more than a decade of experience in web application development for enterprises, governments and startups he... Read More →

Monday June 1, 2026 4:30pm - 5:20pm PDT
Track 1 - AI Track - Room 1900 - Sponsored by Kobalt.io 515 W Hastings St, Vancouver, BC V6B 5K3, Canada

Talk

4:30pm PDT

Identity and security lessons learned from securing AI in the cloud; Ten new frameworks for problems we solved twenty years ago

Monday June 1, 2026 4:30pm - 5:20pm PDT

Track 2 - GRC Track - Room 1400/1410 - Sponsored by Iron Spear - Hosted by ISACA

In an age where everyone wants the positive deterministic benefits of the latest models, and are embracing solutions where AI agents are essentially confused deputies with PhDs and personality disorders, what are some of the lessons we learned in 2006 and how can we help to apply these towards building systems rooted in strong security principles?

This talk cuts through FUD and marketing. What's new? What isn't? Where's it all headed, and what are the key tenets for real security? Most importantly, what are some hilarious examples of it all going off the rails along the way?

Speakers

Brodie McRae

Principal Security Engineer, AWS

A returning speaker, Brodie's been in the Vancouver security community since before our first BSides; a simpler time, when people worked in "security" and anyone who said the word "crypto" knew it meant cryptography. From national network core security, to radio hacking, to OWASP... Read More →

Monday June 1, 2026 4:30pm - 5:20pm PDT
Track 2 - GRC Track - Room 1400/1410 - Sponsored by Iron Spear - Hosted by ISACA 515 W Hastings St, Vancouver, BC V6B 5K3, Canada

Talk

4:30pm PDT

The Heartbeat is Lying: Proving Physical Truth in a Spoofed OT Network

Monday June 1, 2026 4:30pm - 5:20pm PDT

Track 4 - Room 1700 - Sponsored by Aikido Security

In any complex environment where industrial systems and traditional IT networks meet, we rely on digital signals to tell us the status of physical hardware. We trust our security dashboards to show that a system is running within safe parameters, essentially treating the digital display as the absolute truth. However, as these systems become more integrated, a new challenge emerges where the digital reality becomes optional. Attackers have shifted from simply breaking things to manipulating the very data we use to monitor them. By interfering with communication protocols, a compromised system can be coached to report a perfectly healthy heartbeat to the security team even while the physical equipment is being tampered with in the background.

This session explores the lifecycle of these integrity attacks and how an analyst can spot a lie told by a machine. We will look at how automated status checks are hijacked and discuss the forensic mindset needed to identify the gap between what the network reports and what the hardware is actually doing. By moving away from a total reliance on digital dashboards and focusing on forensic verification, we can better secure environments that mix legacy hardware with modern connectivity. This talk is designed to be accessible for students and practitioners alike, focusing on investigative logic and the reality of securing modern infrastructure without getting lost in vendor jargon.

Speakers

Parisa Saqib

Parisa Saqib is a Cybersecurity Analyst at BCIT and the Associate Director of Communication for ISACA Vancouver. She holds a Bachelor’s Degree in Digital Forensics and Cybersecurity and a diploma in Industrial Network Cybersecurity. As an ISACA Scholar, her work is driven by a commitment... Read More →

Monday June 1, 2026 4:30pm - 5:20pm PDT
Track 4 - Room 1700 - Sponsored by Aikido Security

Talk

4:30pm PDT

Turning the dial on SAST: Reducing False Positives with Call Graph–Driven LLM Reasoning

Monday June 1, 2026 4:30pm - 5:20pm PDT

Track 3 - AppSec Track - Room 1420/1430 - Sponsored by Google Cloud Security - Hosted by OWASP

Static analysis tools are an integral part of modern-day software development processes to find bugs and security vulnerabilities. However, they suffer from a drawback: false positive findings. False positives are findings that are incorrectly identified by the static analysis tools as a vulnerability. Such alerts may waste developers' time and effort since these are not exploitable and need no patching. A substantial number of false positives can lead to developer fatigue and reduce the adoption of static analysis tools within software development teams. This may cause real vulnerabilities to go unnoticed, and thereby increasing the software's overall attack surface. Therefore, it is imperative that false positives from SAST findings, and the noise that it creates, be reduced significantly.

In an attempt to realize this objective, we propose a novel approach that combines inter-procedural call graph analysis with large-language model reasoning to identify false positives in SAST findings. Our approach constructs precise call-graphs with bidirectional execution context (caller chain and callee chain) to help the LLM conduct a comprehensive data flow analysis. To help the LLM reason better, our method guides the LLMs using CWE-specific prompts which drives more accurate results.

The system detects over 90% false positives for specific CWEs like CWE-22 (Path Traversal) and CWE-89 (SQL Injection). Our research demonstrates that inter-procedural call graph analysis coupled with LLM reasoning powered by CWE-specific prompting can significantly reduce the number of false positives in SAST findings, thereby increasing the usability of SAST tools.

Speakers

Vrushal Nedungadi

Application Security Analyst, Forward Security

Vrushal is a cybersecurity practitioner and researcher with a strong interest in software supply-chain security. With a strong background as a software developer in industry, he is now transitioning into offensive security. Outside of work, Vrushal enjoys reading and writing works... Read More →

Iman Sharafaldin

Application Security Lead, Forward Security

Iman specializes in analyzing, designing, testing, and optimizing secure systems across a wide range of business and technical environments. He has more than ten years of experience in cybersecurity, and his work has garnered over 8,000 citations, reflecting his significant contributions... Read More →

Monday June 1, 2026 4:30pm - 5:20pm PDT
Track 3 - AppSec Track - Room 1420/1430 - Sponsored by Google Cloud Security - Hosted by OWASP 515 W Hastings St, Vancouver, BC V6B 5K3, Canada

Talk

5:00pm PDT

More Legit than Legit: The Threat of Crafted Impersonations

Monday June 1, 2026 5:00pm - 5:20pm PDT

Track 5 - Room 1800

Modern email attacks do not succeed by looking sneaky. They succeed by being trustworthy. Over the past year, threat actors have gotten better at building organized campaigns with context that holds up even under careful scrutiny. By mimicking legitimate email threads, standing up polished infrastructure, and delivering content that is timely and relevant, they make it harder than ever for a person to tell what is real.

Based on our annual threat report and incidents observed in the wild, this talk examines trust abuse in email that goes beyond typical phishing. It focuses on the techniques attackers use to make their messages feel legitimate including thread hijacking, targeted calendar invites, and professionally impersonated websites.

Speakers

Brian Baskin

Threat Researcher, Sublime Security

Brian Baskin is a Threat Researcher with a specialty in incident response, threat intel, and malware analysis. Baskin was previously an intrusions analyst for the US Defense Cyber Crime Center (DC3) and a threat research lead at Carbon Black's Threat Analysis Unit (TAU). He has studied... Read More →

Monday June 1, 2026 5:00pm - 5:20pm PDT
Track 5 - Room 1800

Talk

10:40am PDT

10:40am PDT

10:40am PDT

10:40am PDT

10:40am PDT

11:10am PDT

11:40am PDT

11:40am PDT

11:40am PDT

11:40am PDT

11:40am PDT

12:10pm PDT

1:30pm PDT

1:30pm PDT

1:30pm PDT

1:30pm PDT

2:00pm PDT

2:30pm PDT

2:30pm PDT

2:30pm PDT

2:30pm PDT

3:00pm PDT

3:30pm PDT

3:30pm PDT

3:30pm PDT

3:30pm PDT

3:30pm PDT

4:00pm PDT

4:00pm PDT

4:00pm PDT

4:00pm PDT

4:30pm PDT

4:30pm PDT

4:30pm PDT

4:30pm PDT

4:30pm PDT

5:00pm PDT

Get help with the event