BEGIN:VCALENDAR
VERSION:2.0
X-WR-CALNAME:bsidesvancouver2026
X-WR-CALDESC:Event Calendar
METHOD:PUBLISH
CALSCALE:GREGORIAN
PRODID:-//Sched.com BSides Vancouver 2026//EN
X-WR-TIMEZONE:UTC
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260531T160000Z
DTEND:20260531T200000Z
SUMMARY:LLMs in the Kill Chain: From Analyst Tool to Attack Surface
DESCRIPTION:Large Language Models are rapidly becoming part of the cybersecurity toolkit. Analysts use them for OSINT collection\, threat intelligence reporting\, and even offensive operations. But how well do we understand the tools we are adopting\, and what happens when those same tools become the attack surface?\n\nThis hands-on\, four-hour workshop takes participants through both sides of the LLM equation. Starting with prompting fundamentals and LLM foundations\, participants will learn how to effectively use LLMs for security work. They will then apply those skills in practice: first using Claude AI integrated with Kali Linux via the Model Context Protocol (MCP) to conduct OSINT\, generate threat intelligence reports\, and hack a live target in the OffSec Proving Grounds Playground. Finally\, the perspective flips entirely as participants learn to attack LLMs themselves through jailbreaking\, prompt injection\, improper output handling\, and more.\n\nThis workshop bridges the gap between using AI as a force multiplier and understanding its vulnerabilities. Participants will leave with practical skills they can apply immediately\, whether they work on a red team\, blue team\, or somewhere in between.\n\nWorkshop Outline\n\nPrompting Fundamentals + LLM Foundations\nThe workshop begins with practical prompting techniques for security work. Participants learn how to craft effective prompts that produce useful\, actionable output rather than generic responses. This is immediately applicable regardless of which LLM they use in their daily work.\n\nFrom there\, we build the foundational understanding needed for the rest of the day: how LLMs generate output\, why they hallucinate\, what context windows mean for a pentest session\, and the basics of responsible AI. This section is deliberately non-academic. 
The goal is to give participants just enough theory to understand why the techniques in later hours work and why critical evaluation of LLM output is essential.\n\nOSINT & Threat Intelligence Reporting with LLMs\nParticipants shift from theory to practice\, using Claude integrated with Kali Linux to conduct OSINT operations and produce structured threat intelligence reports. This section demonstrates the analyst-facing side of LLMs: how they can accelerate intelligence gathering\, source analysis\, and report writing.\n\nParticipants also learn to evaluate LLM output with the same rigor they would apply to any other intelligence source. What did the LLM find? What did it miss? What did it fabricate? This analytical discipline is what separates effective LLM-assisted analysts from those who blindly trust the output.\n\nLLMs as a Hacking Tool\nNow participants use Claude and Kali Linux to hack a live target machine in the OffSec Proving Grounds Playground. Working through a full attack chain\, they experience firsthand how an LLM can serve as a co-pilot during offensive operations: from initial enumeration and scanning through vulnerability identification to exploitation.\n\nLLM Red Teaming\nThe perspective flips entirely. The LLM is no longer the tool\; it is the target. Participants learn how to test and exploit vulnerabilities in LLM-powered applications\, drawing directly from the OffSec LLM Red Teaming learning path. This section covers the techniques attackers use to manipulate\, bypass\, and abuse LLM systems.\n\nKey Takeaways & Q&A\nThe final session brings everything together. 
We review key takeaways from all four hours\, discuss where LLMs in cybersecurity are heading\, and open the floor for questions and discussion.\n\nLearning Objectives\n* Write effective prompts for security workflows and critically evaluate LLM-generated output\n* Explain how LLMs generate output\, why they hallucinate\, and what this means for operational security work\n* Conduct OSINT collection and produce structured threat intelligence reports using LLM-assisted workflows\n* Use LLMs as a hacking co-pilot for enumeration\, vulnerability discovery\n* Identify and exploit LLM-specific vulnerabilities
CATEGORIES:WORKSHOP
LOCATION:Room 2945\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:217cf909cc84f69b9b2fbe713c4885ea
URL:http://bsidesvancouver2026.sched.com/event/217cf909cc84f69b9b2fbe713c4885ea
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260531T160000Z
DTEND:20260531T200000Z
SUMMARY:Threat Hunting in Practice: Investigating Real-World Intrusions with Hands-On Labs
DESCRIPTION:This hands-on workshop delivers a practical introduction to Threat Hunting\, Detection Engineering and Incident Response through Threat Hunting Labs. Participants will investigate real-world intrusions in interactive\, production-lookalike environments using authentic forensic artifacts such as system logs\, network traffic\, and memory data.\n\nUsing SIEM platforms including Elasticsearch and Splunk\, attendees will develop practical skills in identifying adversary techniques\, reconstructing attack timelines\, and investigating incidents using structured\, repeatable methodologies. The session combines guided walkthroughs with independent analysis\, making it suitable for both newcomers and experienced information security professionals.\n\nBy the end of the workshop\, participants will have hands-on experience hunting threats\, analyzing forensic telemetry\, and responding to incidents using real-world tradecraft.\n\nTechnical Requirements:\n• Participants must bring a laptop capable of running a modern web browser.
CATEGORIES:WORKSHOP
LOCATION:Room 2200\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:0170b98f94217065d3949090e05b6c42
URL:http://bsidesvancouver2026.sched.com/event/0170b98f94217065d3949090e05b6c42
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260531T160000Z
DTEND:20260531T200000Z
SUMMARY:Zero to Hero: Practical Threat Modeling In 2026
DESCRIPTION:Threat modelling is considered a critical component of the Secure Software Development Lifecycle\, yet many engineering organizations struggle to do it effectively and extract its full value. There’s a ton of information available on threat modelling\, though most of it seems too theoretical\, resulting in threat models that are generic and not actionable.\n\nThis hands-on workshop presents a practical\, collaborative approach to threat modelling with a focus on applicability to Agile teams of various scales. We’ll spend a bit of time on a threat modelling overview\, but the majority of the workshop will be dedicated to going through an example threat modelling session and creating a threat model.\n\nKey Learning Objectives\n* How to "right-size" threat models for agile engineering organizations.\n* Practical tips on building better threat models.\n* Using agentic AI for design artifact and source code analysis to boost the speed and depth of your threat models.\n* Making threat models actionable - what happens after the threat model is created is more important than the threat model on its own.\n\nTarget audience and prerequisites\nThis workshop is great for security engineers\, software engineers\, DevOps engineers\, and technical product managers. No prior threat modeling experience is required. Bring a laptop.
CATEGORIES:WORKSHOP
LOCATION:Room 2270\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:8c31af0e8336fec3317f89bbda3880af
URL:http://bsidesvancouver2026.sched.com/event/8c31af0e8336fec3317f89bbda3880af
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260531T163000Z
DTEND:20260531T193000Z
SUMMARY:Ideal AppSec - Patterns for a Successful AppSec Program
DESCRIPTION:We will have a collaborative discussion to identify and define the core components of a well-functioning AppSec or Software Security program\, and we’ll highlight which activities have the highest impact. We’ll query attendees to highlight real experiences and observed patterns they have noted in well-performing (or not) AppSec programs.\n\nDiscussion will focus on ideal patterns for:\n* Identifying the Value add of an AppSec program\n* Choosing what to measure\n* Understanding Code Delivery Pipelines\n* Defect remediation workflows\n* Understanding the Team(s)\n* Making the AppSec Program Org-specific\n* Building a 12-month roadmap\n\nTo do this\, participants will be seated in small groups (4-8 people per table) and given an anonymized business scenario where an organization has decided to build or further mature an AppSec program. Teams will have a set time to discuss the scenario and come up with a 12-month roadmap. Teams will then get the opportunity to stand and explain their scenario to the rest of the participants in the workshop and what they included in their 12-month roadmap.\nAs we work through each scenario\, common patterns and innovative solutions will become observable.\n\nWe’ll then close with a general synthesis segment where we recap the covered material and highlight the common ideal patterns or innovative solutions demonstrated by the groups. The goal is not to lecture the attendees but to create an environment where it is easy to share and poll from the depth of experience found amongst the participants.\n\nParticipants will also go home with a worksheet that highlights main takeaways and helps leaders build their own roadmap for defining\, building\, or maturing their Application Security Program.
CATEGORIES:WORKSHOP
LOCATION:Room 2245\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:a81ccc123543b1cc030e01fc0ea9e6b8
URL:http://bsidesvancouver2026.sched.com/event/a81ccc123543b1cc030e01fc0ea9e6b8
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260531T163000Z
DTEND:20260531T183000Z
SUMMARY:The Last-Minute Badge That Actually Worked
DESCRIPTION:Last year's BSides conference badge will be used in this workshop. Both this year's BSides ticket holders and those from BSides 2025 can attend this workshop for free.\n\nConference badges have become a staple of hacker culture. They’re part art piece\, part engineering challenge\, and part sleep-deprived miracle. In this workshop\, we’ll walk through the complete journey of designing and building a custom electronic conference badge under the kind of timelines that normally produce regret instead of functioning hardware and software. Somehow\, this one worked.\n\nParticipants will get an inside look at the hardware and software decisions behind the badge design\, including component selection\, PCB layout challenges\, power considerations\, embedded firmware architecture\, cost minimization\, and the compromises that happen when “the manufacturing deadline is only days away”.\n\nAttendees will receive access to the base code repository and reference materials so they can follow along and begin experimenting immediately. We’ll share real design files\, schematics\, firmware\, and lessons learned from building a badge intended to be functional\, hackable\, and fun.\n\nMost importantly\, this is a hands-on hacking session. After breaking down how the badge works internally\, participants will spend the second half of the workshop designing and implementing their own features\, modifications\, or entirely unnecessary additions.\n\nThis workshop is about learning how hardware badges are built and how they become even better once the community starts hacking them.
CATEGORIES:WORKSHOP
LOCATION:Room 1600\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:f4805a65c68ed9e9e22ed28409f2de5c
URL:http://bsidesvancouver2026.sched.com/event/f4805a65c68ed9e9e22ed28409f2de5c
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260531T190000Z
DTEND:20260531T230000Z
SUMMARY:Stop Sending Secrets to Chatbots: Build an AI Egress Proxy
DESCRIPTION:Rapid AI adoption is creating a new class of data exposure: sensitive information leaving an organization through prompts and tool outputs to external LLM providers. Even scarier is the rise of middleware AI companies\, which lack proper data security and retention controls. The reality is that AI is used by most developers.\n\nTeams spend years building DLP\, insider-threat programs\, and phishing campaigns\, then paste stack traces\, API keys\, customer data\, and internal context into AI tools because it’s fast. In the age of AI the boundary of trust has shifted: the prompt is now an egress channel\, and reality (what data actually left your environment) becomes hard to audit.\n\nIn this hands-on workshop\, attendees will build a practical “AI egress proxy” that sits between users/tools and an LLM endpoint. We’ll intercept requests\, detect sensitive content (PII\, credentials\, tokens\, secrets)\, apply policy (block vs. redact)\, and produce audit logs you can use for investigations and risk reporting. We’ll cover why pure regex fails\, how to add lightweight heuristics and optional model-assisted classification safely\, and how to handle common bypass patterns like encoding\, fragmentation\, and “helpful” copy/paste.\n\nAttendees will leave with a working reference implementation\, a set of detection patterns\, a basic risk scoring approach\, and a clear roadmap for deploying this pattern in real environments.
CATEGORIES:WORKSHOP
LOCATION:Room 1600\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:2d85226d2cbb4a7abe4011e64bf47c34
URL:http://bsidesvancouver2026.sched.com/event/2d85226d2cbb4a7abe4011e64bf47c34
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260531T200000Z
DTEND:20260601T000000Z
SUMMARY:"Vibe" Check: Exploiting Developer Trust from Prompt Injections to Weaponized Repos
DESCRIPTION:"Do you trust the authors of the files in this folder?" It's a prompt modern IDEs throw at developers\, and most click past it by reflex. But as vibe coding\, AI-assisted tooling\, and automated agents accelerate software development\, that implicit trust in established tools like VS Code and authoritative sources like GitHub has become a critical\, highly exploitable attack surface - especially for non-technical vibe coders.\n\nThis 4-hour hands-on workshop places attendees directly in the mindset of an attacker targeting modern development environments. We move beyond traditional social engineering and focus on how trust is abused through the tools developers rely on every day: IDEs\, agent harnesses\, and package managers. After dissecting recent real-world cases of developer-targeted attacks and AI-agent vulnerabilities\, we transition into labs where participants build and execute their own PoCs - including constructing malicious repositories from scratch to trigger invisible code execution on open\, weaponizing hidden prompt injections to drive AI agents into running attacker-controlled commands\, and standing up a custom "Claude Code"-style agent harness to attack ourselves.\n\nAgenda:\n⚠️ How your trusted IDEs would betray you by executing malicious commands automatically (spoiler - they didn't!)\n⚠️ How agent harnesses like Claude Code and Gemini CLI can be abused across multiple trust boundaries\n⚠️ How package managers like npm turn seemingly harmless actions\, like a routine package update\, into full compromise\n\nBring a laptop - we'll get our hands dirty and hack ourselves together.
CATEGORIES:WORKSHOP
LOCATION:Room 2200\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:7bc853382be810c542818ac4f8a68ab4
URL:http://bsidesvancouver2026.sched.com/event/7bc853382be810c542818ac4f8a68ab4
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260531T200000Z
DTEND:20260601T000000Z
SUMMARY:Breaking and Fixing APIs: Hands-On Security with the OWASP API Security Top Ten
DESCRIPTION:APIs are now the primary attack surface of modern applications. They expose sensitive data\, control business logic\, and connect services\, partners\, and users. When APIs fail\, attackers gain direct access to the core of your system.\n\nThe OWASP API Security Top Ten identifies the most critical risks facing modern APIs. However\, most developers are never taught how to actually fix these vulnerabilities in real code.\n\nThis hands-on workshop is taught by an OWASP Top Ten 2025 project leader and author\, bringing direct insight into modern vulnerability patterns\, secure coding practices\, and how these risks manifest across applications and APIs.\n\nParticipants will work through all ten OWASP API Security Top Ten vulnerability categories using a structured\, practical progression. For each category\, attendees will learn what the vulnerability is\, why it exists in APIs\, and the real-world risk it creates. They will review vulnerable API implementations\, fix them themselves\, and examine progressively stronger implementations using the Bad / Better / Best method.\n\nThis method helps participants develop real-world secure coding judgment by showing how insecure APIs evolve into robust\, production-grade secure implementations through layered mitigations and defense-in-depth.\n\nAttendees will work hands-on in VS Code with vulnerable API code\, identifying security flaws\, implementing mitigations\, and hardening endpoints against attack.\n\nParticipants will leave with practical experience securing APIs\, a deep understanding of the OWASP API Security Top Ten\, a best practices cheat sheet\, and the skills to build and review secure APIs in modern distributed systems\, including those built or assisted by AI.
CATEGORIES:WORKSHOP
LOCATION:Room 2245\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:bfe06e1f563a348f548c7310dde78aca
URL:http://bsidesvancouver2026.sched.com/event/bfe06e1f563a348f548c7310dde78aca
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260531T200000Z
DTEND:20260601T000000Z
SUMMARY:Web App Hacking 101 With Just A Web Browser - Featuring CTF Games and PicoCTF
DESCRIPTION:Learn beginner web app hacking skills through interactive CTF (Capture The Flag) games! In this half-day workshop\, we'll use the PicoCTF education platform (and others) to introduce students to basic web app hacking concepts such as:\n\n* Looking into webpage source code\n* Website cookie hacking\n* Bypassing insecure login pages\n* Common data transformation methods\n* Hijacking files that the webpage loads\n* and more!\n\nThis workshop is aimed at beginner-level cybersecurity enthusiasts who want a fun and easy introduction to the world of web app hacking!\n\nParticipant Requirements\n\nParticipants will need to have a registered account at picoctf.org and supply their own laptop to interact and participate in this hands-on\, objective-based\, guided workshop.
CATEGORIES:WORKSHOP
LOCATION:Room 2945\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:c1521f0796200f29e55c9f9c8ad08b1d
URL:http://bsidesvancouver2026.sched.com/event/c1521f0796200f29e55c9f9c8ad08b1d
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260531T203000Z
DTEND:20260531T223000Z
SUMMARY:Behind The Dashboard - Tales of Car Hacking
DESCRIPTION:Bug hunting in the automotive domain is often regarded as one of the more complex areas of offensive security. Despite its growing popularity\, there are only a limited number of publicly available training courses focused on automotive security\, and even fewer that specifically address vulnerability research and bug hunting in vehicles. As a result\, many practitioners are interested in car hacking but are unsure where to begin\, often perceiving vehicle bug hunting as an especially demanding discipline.\n\nIn reality\, automotive security research is more approachable than it may appear. In this course\, students will learn a systematic methodology for vehicle vulnerability research and bug hunting. We will examine common automotive attack surfaces\, including infotainment systems\, telematics units\, and modern key fob implementations.\n\nBy the end of the workshop\, students will be familiar with a broad range of vehicle attack vectors. They will learn how to exploit previously discovered vulnerabilities in real-world vehicles and\, more importantly\, develop the skills needed to identify and exploit zero-day vulnerabilities across other automotive targets.
CATEGORIES:WORKSHOP
LOCATION:Room 2270\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:7aaad50de7ad3d5e71f0cc460c5c625a
URL:http://bsidesvancouver2026.sched.com/event/7aaad50de7ad3d5e71f0cc460c5c625a
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260531T220000Z
DTEND:20260531T233000Z
SUMMARY:The Women in Security Documentary Movie Screening - Full Length - 75 min
DESCRIPTION:The Women in Security Documentary\n\nIn an industry historically dominated by men\, The WOMEN IN SECURITY Documentary brings to life the often untold stories of women who have shaped — and continue to reshape — the landscape of cybersecurity\, physical security\, intelligence\, and protective services.\n\nThrough candid interviews\, reenactments of pivotal moments in history\, and real-world insights\, this documentary shines a light on the resilience\, leadership\, and innovation that women bring to every part of the security world.\n\nThis film isn’t just about visibility — it’s about building a future where women aren’t the exception\, but the norm.\n\nhttps://www.womeninsecuritydocumentary.com/
CATEGORIES:MOVIE
LOCATION:Room 1900 - Sponsored by Women in Cybersecurity\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:9231d53a3fb5788bec9a0c4d4b085932
URL:http://bsidesvancouver2026.sched.com/event/9231d53a3fb5788bec9a0c4d4b085932
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T160000Z
DTEND:20260601T233000Z
SUMMARY:Corelight’s Capture the Flag Exercise - Building Skills for Success
DESCRIPTION:Overview\nBring your team for an immersive lab-based\, instructor-led defensive Capture the Flag exercise with Corelight. Participants will dive into one or more real-world scenarios to detect and respond to threats using logs from Corelight’s Open NDR.\n\nAgenda\n\n● Introduction to Zeek: Brief overview of Zeek and its role in network security. Understanding how to leverage Zeek data for threat detection.\n● Hands-on Hunting: Participants will actively engage in a variety of hunting exercises across different protocols. Use your wits to identify and respond to potential threats discovered in Zeek data. Questions are encouraged\, but participants have full control at the keyboard.\n● Competition and Scoreboard: Participants compete against each other in a friendly competition. Scores will be tracked on a real-time scoreboard.\n● Debriefing: Discussion on the attacks witnessed during the exercise. Brief overview of how Corelight can enhance threat detection and response capabilities.\n● Corelight Integration: Learn how Corelight can be integrated into your network defense strategy. Understand the added value Corelight brings to Zeek-powered threat detection.\n\nRequirements\nEach participant will need their own laptop\, a standard web browser\, and a connection to the Internet.\n\nContinuing Professional Education (CPE)\nParticipants may request a certificate documenting their participation in the Capture the Flag exercise for CPE credits\, to help maintain Information Security certifications.\n\nConclusion\nWhether this exercise is administered by your Sales Engineer or as part of a formal Corelight training\, participants will build their understanding of the power of Corelight. 
At the end of the event\, participants will not only have honed their threat detection skills but will also have gained insights into leveraging Corelight for effective network defense.
CATEGORIES:CAPTURE THE FLAG
LOCATION:Track 7 - CTF - Room 1600 - Sponsored by Corelight\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:19ca2973878bf5c85b29693508fcc004
URL:http://bsidesvancouver2026.sched.com/event/19ca2973878bf5c85b29693508fcc004
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T160000Z
DTEND:20260601T170000Z
SUMMARY:Opening Keynote - How cybercriminals are winning with AI\, and how we get the advantage back
DESCRIPTION:Cyber criminals and fraudsters love generative AI even more than businesses and consumers do. For a scammer\, hallucinations and errors are features instead of bugs\, and they are using AI to flood the web\, and every one of our communication channels\, with sophisticated fake content. Users are getting fooled and scammed every day\, and the problem is only getting worse. This talk will explore why known approaches\, such as deepfake detection\, email filtering\, and security training\, haven't stopped misinformation and social engineering\, and what we can do about it.
CATEGORIES:KEYNOTE
LOCATION:Track 1 - AI Track - Room 1900 - Sponsored by Kobalt.io\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:1fe190a7fd1064219fd2aa7bca659c4a
URL:http://bsidesvancouver2026.sched.com/event/1fe190a7fd1064219fd2aa7bca659c4a
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T163000Z
DTEND:20260601T170000Z
SUMMARY:Malware then\, AI Now: How we engineered our own worst enemy
DESCRIPTION:\n
CATEGORIES:MALWARE VILLAGE
LOCATION:Track 6 - Malware Village - Room 1315\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:7730750cb2b1cbc32648644034480cbf
URL:http://bsidesvancouver2026.sched.com/event/7730750cb2b1cbc32648644034480cbf
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T170000Z
DTEND:20260601T180000Z
SUMMARY:KEYNOTE SPEAKER - The AI analysis train is leaving the station: ALL ABOARD!
DESCRIPTION:\n
CATEGORIES:KEYNOTE
LOCATION:Track 6 - Malware Village - Room 1315\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:89c294d3fc4c8db7af8c3893cacecf83
URL:http://bsidesvancouver2026.sched.com/event/89c294d3fc4c8db7af8c3893cacecf83
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T174000Z
DTEND:20260601T180000Z
SUMMARY:Adapt Your IR for AI
DESCRIPTION:The 2026 BSides Vancouver theme perfectly captures the current state of enterprise security. As organizations rapidly adopt AI capabilities\, the attack surface has expanded far beyond simple chat interfaces and into the core of how businesses operate. Security operations teams are now tasked with defending a complex\, multi-layered AI ecosystem\, often without the necessary visibility\, standardized tooling\, or established playbooks.\n\nThis presentation moves past the hype to break down the practical realities of Incident Response (IR) across the complete AI architecture. We will explore the specific threats\, telemetry blind spots\, and triage strategies associated with four distinct pillars of enterprise AI adoption:\n\n* The AI Pipeline & MLOps: Defending the supply chain.\n* Locally Hosted AI Applications: The unique IR challenges of managing self-hosted open-source models.\n* Agentic Workflows: Triaging incidents when autonomous systems go off the rails.\n* Widespread LLM Usage: Managing the daily operational risks of enterprise LLM adoption\, from analysts without Pandas familiarity using LLMs to generate Python code for Jupyter notebooks\, to standard prompt injection and data leakage in corporate applications.\n\nAttendees will leave with a pragmatic framework for adapting their current IR capabilities to this new reality. We will outline actionable steps to update response playbooks for AI systems and build the necessary cross-functional workflows between security\, data science\, and engineering.
CATEGORIES:TALK
LOCATION:Track 4 - Room 1700 - Sponsored by Aikido Security\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:c15887400277829e574ddd3a0229fe51
URL:http://bsidesvancouver2026.sched.com/event/c15887400277829e574ddd3a0229fe51
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T174000Z
DTEND:20260601T183000Z
SUMMARY:Advanced SaaS Threats: Case Studies from the Field
DESCRIPTION:An increasing reliance on SaaS does not always come with the knowledge or motivation needed to secure these services. As businesses move away from on-premise systems\, SaaS platforms are increasingly used for business-critical purposes\, storing vital\, sensitive company information. Organizations continue to underestimate SaaS breach risk\, prioritizing ransomware defense while leaving critical SaaS exposures unaddressed.\n\nBut attackers have noticed\, and they’re exploiting this blind spot.\n\nThrough a number of real-world case studies\, including incidents involving Scattered Spider helpdesk takeovers\, Salesforce-connected app compromises\, malicious OAuth abuse\, and a million-dollar BEC\, we’ll dissect each campaign from initial access to root cause.\n\nAttendees will see how these intrusions unfolded across platforms\, threat actor groups\, and techniques mapped to MITRE ATT&CK. Each case illustrates that SaaS is no longer a peripheral threat vector. It’s an attacker’s playground. You’ll leave with a better understanding of how these breaches occur\, what defenders can learn from them\, and practical steps to defend against the next wave of SaaS-native attacks.
CATEGORIES:TALK
LOCATION:Track 5 - Room 1800\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:583c4173a55b28052598317fb54f6ab7
URL:http://bsidesvancouver2026.sched.com/event/583c4173a55b28052598317fb54f6ab7
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T174000Z
DTEND:20260601T183000Z
SUMMARY:Hype to Innovation: Quantifying AI Value for the Board
DESCRIPTION:Boards are being asked to approve major investments in emerging technology. Today it may be AI\, tomorrow quantum. Too often these decisions are driven by competitive pressure and promises of innovation\, while the cyber implications remain loosely defined or entirely unmeasured. When value\, risk\, and resilience are not clearly understood\, strategic decisions are made on assumptions\, placing return on investment at risk.\n\nThis session dives into practical ways to quantify cyber value at the leadership level. The focus is on framing emerging technology through measurable impact\, risk exposure\, and organizational resilience rather than technical performance. Attendees will leave with concrete methods and insights that support confident executive decision-making.
CATEGORIES:TALK
LOCATION:Track 2 - GRC Track - Room 1400/1410 - Sponsored by Iron Spear - Hosted by ISACA\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:ee39f23aa0dbf9b838a34e4811a92a09
URL:http://bsidesvancouver2026.sched.com/event/ee39f23aa0dbf9b838a34e4811a92a09
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T174000Z
DTEND:20260601T183000Z
SUMMARY:Sandworms and Other Nonsense: An Eventful Year for npm Supply‑Chain Attacks
DESCRIPTION:The past year saw an explosion of highly effective malicious‑package attacks. Well‑known libraries were compromised\, and new versions shipped with additions for crypto theft or data exfiltration. Attackers launched successive attacks\, each building upon the last and becoming more effective with each iteration. We bore witness to the first appearance of the great sandworm\, followed by a far worse second coming. A simple bit of JavaScript that started with a mere 37 packages swiftly spread like a worm from one victim to the next. In the end\, it compromised an estimated 700 packages and GitHub accounts across more than a thousand organizations. Many recognizable companies had source code and other sensitive artifacts stolen. This talk digs into how these campaigns worked and why they were so effective\, with real-world examples of how they slipped into even established security vendors or became pivot points for deeper compromise. We’ll also look at what has actually changed to counter this class of threat\, what still hasn’t\, and what is effective at protecting against these attacks.
CATEGORIES:TALK
LOCATION:Track 3 - AppSec Track - Room 1420/1430 - Sponsored by Google Cloud Security - Hosted by OWASP\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:6522591519c930d1cd2c75e01ca00feb
URL:http://bsidesvancouver2026.sched.com/event/6522591519c930d1cd2c75e01ca00feb
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T174000Z
DTEND:20260601T183000Z
SUMMARY:The Coming AI Catastrophe Won't Be Superintelligence\, It Will Look Like Malware
DESCRIPTION:The most imminent and dangerous AI milestone isn't superintelligence — it's fully automated\, end-to-end ransomware operations and an AI-breakout\, self-evolving worm. AI risk researchers in academia and industry are missing the importance of this issue. We may have already crossed (or be about to cross) a threshold where AI enables criminal actors to execute enterprise-wide encryption attacks with near-100% automation. The implications are potentially catastrophic: enterprises would need a perfect security posture both externally and internally\, which fundamentally challenges how security organizations are structured today.
CATEGORIES:TALK
LOCATION:Track 1 - AI Track - Room 1900 - Sponsored by Kobalt.io\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:1436846a211c6d01e80c76708c1c0e74
URL:http://bsidesvancouver2026.sched.com/event/1436846a211c6d01e80c76708c1c0e74
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T180000Z
DTEND:20260601T190000Z
SUMMARY:EXPERT PANEL - Starting a Malware hunter career - Experiences from Experts
DESCRIPTION:\n
CATEGORIES:MALWARE VILLAGE
LOCATION:Track 6 - Malware Village - Room 1315\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:039d1e3cd1ab29d3f6ce9c08cbe4a8af
URL:http://bsidesvancouver2026.sched.com/event/039d1e3cd1ab29d3f6ce9c08cbe4a8af
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T181000Z
DTEND:20260601T183000Z
SUMMARY:Losing Context: A Deep Dive into MCP Session Security
DESCRIPTION:Session Access Control - The Missing Validation Layer: The MCP specification explicitly distinguishes sessions from authentication but provides minimal prescriptive guidance on authorization enforcement. This session will explore the theoretical security implications of this design\, where session IDs function similarly to bearer tokens but without the typical security controls.\n\nThe SDK Security Gap: An analysis of current MCP SDK implementations reveals an inconsistency in how session security is handled. While the specification describes various validations\, most SDK implementations provide only basic checks\, leaving critical validation decisions to developers without clear documentation or guidance.\n\nSession Hijacking in MCP - Risks and Mitigations: We will examine how traditional session hijacking attacks apply to MCP's stateful transport model. This includes analyzing attack vectors where unauthorized parties gain access to valid session IDs\, the potential impact on server-side resources and data exposure\, and practical mitigation strategies. Through architectural examples\, we will demonstrate defense-in-depth approaches including session-to-user binding\, duplicate connection prevention\, session expiration mechanisms\, and proper validation patterns that developers can implement regardless of their chosen SDK.
CATEGORIES:TALK
LOCATION:Track 4 - Room 1700 - Sponsored by Aikido Security\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:a8de02fc1b7e58566f08c7a375b2bd99
URL:http://bsidesvancouver2026.sched.com/event/a8de02fc1b7e58566f08c7a375b2bd99
END:VEVENT
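The "Losing Context" abstract above lists session-to-user binding, duplicate-connection prevention and session expiry as the controls that turn an MCP session id back from a bare bearer secret into an authorized session. The following is an added example written for this page, not code from the talk or from any MCP SDK. It assumes the `Mcp-Session-Id` header of MCP's Streamable HTTP transport, and that the caller's identity (`principal`) has already been established by the authentication layer; the store, handler and `demo` walk-through are hypothetical names.

```python
"""Session-to-user binding for an MCP-style stateful server (added example)."""
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    session_id: str
    principal: str                       # identity the session was issued to
    created_at: float
    expires_at: float
    active_connection: Optional[str] = None   # the one live transport connection


class SessionStore:
    def __init__(self, ttl_seconds: float = 3600, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock                 # injectable for deterministic expiry tests
        self._sessions: dict = {}

    def create(self, principal: str) -> str:
        # 256-bit random id. On its own it is still a bearer secret, so it is
        # only honoured together with the bound principal in validate().
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(sid, principal, now, now + self._ttl)
        return sid

    def validate(self, session_id: str, principal: str) -> Session:
        """Return the session only if it is live AND belongs to `principal`."""
        sess = self._sessions.get(session_id)
        if sess is None:
            raise PermissionError("unknown session")
        if self._clock() >= sess.expires_at:
            self._sessions.pop(session_id, None)
            raise PermissionError("session expired")
        # The binding check: a stolen id presented by a different
        # authenticated identity fails here even though the id is valid.
        if not secrets.compare_digest(sess.principal, principal):
            raise PermissionError("session not bound to this principal")
        return sess

    def attach(self, session_id: str, principal: str, connection_id: str) -> None:
        """Allow exactly one live connection per session."""
        sess = self.validate(session_id, principal)
        if sess.active_connection not in (None, connection_id):
            raise PermissionError("session already has an active connection")
        sess.active_connection = connection_id

    def detach(self, session_id: str, connection_id: str) -> None:
        sess = self._sessions.get(session_id)
        if sess and sess.active_connection == connection_id:
            sess.active_connection = None


def handle_request(store: SessionStore, headers: dict, principal: str, connection_id: str) -> str:
    """Minimal request gate: header -> session lookup -> binding checks."""
    sid = headers.get("Mcp-Session-Id")
    if not sid:
        return "400 missing Mcp-Session-Id"
    try:
        store.attach(sid, principal, connection_id)
    except PermissionError as exc:
        return f"403 {exc}"
    return "200 ok"


def demo() -> dict:
    """Hijack scenario with a fake clock; returns each outcome for inspection."""
    t = [0.0]
    store = SessionStore(ttl_seconds=60, clock=lambda: t[0])
    sid = store.create("alice")
    hdr = {"Mcp-Session-Id": sid}
    out = {"owner": handle_request(store, hdr, "alice", "conn-1")}
    # Attacker holds the leaked id but authenticates as a different principal.
    out["stolen_id"] = handle_request(store, hdr, "mallory", "conn-2")
    # Same principal, second simultaneous connection: refused until detach.
    out["duplicate"] = handle_request(store, hdr, "alice", "conn-3")
    store.detach(sid, "conn-1")
    out["after_detach"] = handle_request(store, hdr, "alice", "conn-3")
    t[0] = 61.0                           # advance past the TTL
    out["expired"] = handle_request(store, hdr, "alice", "conn-3")
    out["no_header"] = handle_request(store, {}, "alice", "conn-4")
    return out
```

The essential point is that `validate` never trusts the id alone: the principal from the authentication layer must match the one the session was issued to, which is the check most SDK defaults leave to the developer. Idle-timeout refresh, per-request nonces and server-side revocation on logout layer on top of the same store.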
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T184000Z
DTEND:20260601T190000Z
SUMMARY:Behind the CAPTCHA: Exposing ClickFix and FakeCaptcha Threats
DESCRIPTION:ClickFix and FakeCaptcha attacks represent sophisticated social engineering tactics designed to deceive users into performing unintended actions\, such as downloading malware or facilitating unauthorized transactions. By exploiting user trust through realistic CAPTCHA prompts or deceptive "click-to-fix" scenarios\, attackers are able to bypass traditional security defenses\, resulting in malware infections\, data theft\, or financial losses.\n\nThis presentation provides a technical overview of current ClickFix and FakeCaptcha attack methodologies\, including the novel “EtherHiding” technique. The talk will walk through analyses of real-world incidents\, discuss the variations of FakeCaptcha attacks and outline various payloads as well as present indicators of compromise. Attendees will learn effective detection strategies\, proactive prevention techniques leveraging threat intelligence\, and practical steps organizations can implement to safeguard users against this evolving cyber threat.
CATEGORIES:TALK
LOCATION:Track 5 - Room 1800\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:db347e551d73af8f1a4b82048858fcc3
URL:http://bsidesvancouver2026.sched.com/event/db347e551d73af8f1a4b82048858fcc3
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T184000Z
DTEND:20260601T193000Z
SUMMARY:Pragmatic Security to enable safety in the era of AI
DESCRIPTION:Grounded in the experience of supporting over 100 AI frontier firms in their security posture\, Michael will cover pragmatic approaches to enable security and safety of your organization in the era of AI.\n\nThis talk will cover in depth\, specific recommendations you can use in your organization today in the areas of:\n\nAI program and risk management - how to govern AI adoption and risk at your organization\n\nEffective defence techniques against undetectable impersonation attacks\n\nDevelopment security - safety\, guardrails and techniques to make sure agentic coding doesn't increase your vulnerability risks\n\nVendor risk management and shadow IT - technical and operational solutions to address AI vendor sprawl and risks\n\nAgentic access management - understanding how to leverage permissions and data access controls while enabling agentic workflows
CATEGORIES:TALK
LOCATION:Track 2 - GRC Track - Room 1400/1410 - Sponsored by Iron Spear - Hosted by ISACA\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:0a0dcb63e4968dcf9921865b8c741aec
URL:http://bsidesvancouver2026.sched.com/event/0a0dcb63e4968dcf9921865b8c741aec
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T184000Z
DTEND:20260601T193000Z
SUMMARY:Self-Infected Prompt Kiddies: From Script Kiddies to Prompt Kiddies — AI-Powered Cybercrime in the Wild
DESCRIPTION:In the age of AI\, truth is becoming optional\, and cybercriminals are taking full advantage.\nToday’s threat actors aren’t just buying phishing kits and reusing old malware. They are actively using AI to write convincing lures\, generate malicious code\, troubleshoot payloads\, translate scams into multiple languages\, and rapidly iterate campaigns like a software development team.\nThis talk provides a behind-the-scenes look at what defenders rarely get to see: pre-breach threat intelligence artifacts collected from real-world criminal testing environments. Many attackers test their malware and phishing infrastructure before launching full campaigns\, and those “trial runs” often leak into places where defenders can collect and analyze them.\nWe will walk through real-world examples of:\n\nAI-generated phishing emails\, landing pages\, and social engineering scripts\nInfostealer malware development patterns that strongly suggest LLM involvement\nPrompt-driven iteration: how criminals “debug” scams and malware faster than ever\nThe fingerprints AI leaves behind in code\, wording\, structure\, and infrastructure\nWhat this shift means for detection\, threat hunting\, and incident response\n\nAs machine-generated content floods the internet\, scams become harder to distinguish from legitimate communication\, and malware becomes easier to produce than ever before.\n\nThis session highlights the uncomfortable reality defenders now face: attackers don’t need advanced skills anymore\, they just need the right prompt.
CATEGORIES:TALK
LOCATION:Track 1 - AI Track - Room 1900 - Sponsored by Kobalt.io\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:2a0ac80e2aeb42f0eedd5604a9ab4c5b
URL:http://bsidesvancouver2026.sched.com/event/2a0ac80e2aeb42f0eedd5604a9ab4c5b
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T184000Z
DTEND:20260601T193000Z
SUMMARY:Server Side Template Injections For Everyone
DESCRIPTION:Server Side Template Injection (SSTI) is a web vulnerability that can be hard to spot\, but leads to critical consequences when exploited. While this class of vulnerability has been documented for more than a decade\, new research is constantly demonstrating that this is not a solved problem. New techniques for finding and exploiting SSTI vulnerabilities made the #1 spot for the 2025 top web security vulnerability rankings.\n\nThis presentation will cover how to discover SSTI vulnerabilities (even "blind" ones)\, and how these can be exploited to gain full code execution on the underlying server. No existing knowledge needed\, SSTI for everyone!
CATEGORIES:TALK
LOCATION:Track 3 - AppSec Track - Room 1420/1430 - Sponsored by Google Cloud Security - Hosted by OWASP\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:32a9d6b4015225a5918178a6e4bc86bf
URL:http://bsidesvancouver2026.sched.com/event/32a9d6b4015225a5918178a6e4bc86bf
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T184000Z
DTEND:20260601T193000Z
SUMMARY:When the Plan Meets the Incident at Machine Speed: Adapting Police Major Case Management to Cyber Crisis Response
DESCRIPTION:AI is making attacks faster. Autonomous tooling compresses kill chains that used to take days into hours. Your incident response needs to keep pace\, but most organizations have an IRP that covers escalation paths and notification timelines\, and nothing that tells you how to actually run the incident at speed.\n\nHow do you brief a room of 30 people at 2 AM? How do you structure teams so nothing falls through the cracks over a 10-day response? How do you make consequential decisions every few minutes under incomplete information without losing accountability? How do you document as you go\, rather than reconstructing after the fact? Going faster without answering these questions just leads to confusion faster than ever before.\n\nRCMP Major Case Management was built after investigations failed due to coordination breakdowns under pressure. It provides principles for command structure\, information management\, team coordination\, and accountability that scale from a two-person response to an 80-person operation without the overhead of a full Incident Command System.\n\nThis talk introduces CMIM (Cyber Major Incident Management)\, an adaptation of those principles for cybersecurity incident response in an era where machine-speed threats demand machine-speed decisions from human teams. It covers what the framework looks like\, where it came from\, and what happened when it was used to coordinate an 80-person cross-organizational response to a live attack. Bring your IR war stories.
CATEGORIES:TALK
LOCATION:Track 4 - Room 1700 - Sponsored by Aikido Security\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:c101445e3c014a2400fe9135a8715576
URL:http://bsidesvancouver2026.sched.com/event/c101445e3c014a2400fe9135a8715576
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T191000Z
DTEND:20260601T193000Z
SUMMARY:sudo vibes : How AI Agents Got Root and Nobody Noticed
DESCRIPTION:Developers are handing AI agents the keys to their build environments. Your peers use Cowork to answer emails. Your parents generate memes from their camera roll. We've let convenience rapidly erode trust and integrity and given AI access through accessibility tools\, APIs\, and human emulation.\n\nWhen Cowork needs debug access to Chrome and your filesystem\, Claude Code runs with your terminal permissions and Cursor installs packages without asking\, it's a recipe for disaster. The result is a new attack surface spanning hallucinated dependencies\, unsigned artifacts\, prompt injection through source files\, and autonomous agents that can ignore explicit instructions.\n\nIn this talk\, Jake will walk through recent breaches\, patterns of abuse\, and how adversaries are taking advantage of the vibe coded way we build and ship software today.
CATEGORIES:TALK
LOCATION:Track 5 - Room 1800\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:d8bcebe711450713e6ae9d247e72c248
URL:http://bsidesvancouver2026.sched.com/event/d8bcebe711450713e6ae9d247e72c248
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T194500Z
DTEND:20260601T202000Z
SUMMARY:The Women in Security Documentary Movie Screening - 30 min
DESCRIPTION:The Women in Security Documentary - 30 min version\n\nIn an industry historically dominated by men\, the WOMEN IN SECURITY Documentary brings to life the often untold stories of women who have shaped — and continue to reshape — the landscape of cybersecurity\, physical security\, intelligence\, and protective services.\n\nThrough candid interviews\, reenactments of pivotal moments in history\, and real-world insights\, this documentary shines a light on the resilience\, leadership\, and innovation that women bring to every part of the security world.\n\nThis film isn’t just about visibility — it’s about building a future where women aren’t the exception\, but the norm.\n\nhttps://www.womeninsecuritydocumentary.com/
CATEGORIES:MOVIE
LOCATION:Track 1 - AI Track - Room 1900 - Sponsored by Kobalt.io\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:0a7e43282e7d31978c143f3945aee4ff
URL:http://bsidesvancouver2026.sched.com/event/0a7e43282e7d31978c143f3945aee4ff
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T203000Z
DTEND:20260601T233000Z
SUMMARY:WORKSHOP - Binary Exploitation
DESCRIPTION:WORKSHOP - Binary Exploitation - Leigh Trinity
CATEGORIES:MALWARE VILLAGE
LOCATION:Track 6 - Malware Village - Room 1315\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:15c419d2c1883df63d18f42f745b31c3
URL:http://bsidesvancouver2026.sched.com/event/15c419d2c1883df63d18f42f745b31c3
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T203000Z
DTEND:20260601T212000Z
SUMMARY:Building the Local Cybersecurity Community: Meet Up by Meet Up
DESCRIPTION:As AI-generated content\, deepfakes\, and automated systems threaten to disrupt trust and replace the human element of security work\, one question becomes urgent: what do we actually have left when the machines can do more and more technical work? The answer might be simpler than you think: each other.\n\nMany security professionals try to grow in isolation\, building skills\, getting certifications\, and trying to build their careers without ever looking up to see who’s around them. But building credibility isn’t just about what you know\, it’s about showing up consistently and being part of the community\, especially when AI is threatening to replace the human element of cybersecurity.\n\nVancouver’s cybersecurity community is proof of the value of connection over competition. Every month\, hundreds of security professionals meet in different groups to discuss important topics\, build connections\, share knowledge\, and to support each other.\n\nYou'll hear directly from the organizers behind Vancouver's local meet ups: why they started\, what keeps them going\, and what it actually takes to build a community worth showing up to. Whether you're a seasoned pro or just finding your footing in the industry\, this session will leave you with a clear picture of how to get involved\, and why it matters.\n\nIn this session\, you’ll learn:\n\nWhat each local meet up community offers and how to find the right fit for you\nWhy being part of a security community builds credibility and career resilience in ways that certifications and technical skills alone can't\nHow to show up and contribute: even if you're new\, introverted\, or don't think you have anything to offer yet\nWhat the tangible benefits of community membership are: mentorship\, job opportunities\, knowledge sharing\, and real human trust\nConcrete next steps to get involved with Vancouver's local cybersecurity meet ups today\n\nPanel Host: Amy Tom\, Community Manager at D3 Security
CATEGORIES:PANEL
LOCATION:Track 4 - Room 1700 - Sponsored by Aikido Security\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:4f94a0f048ae0a1ff42058ae8efccae7
URL:http://bsidesvancouver2026.sched.com/event/4f94a0f048ae0a1ff42058ae8efccae7
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T203000Z
DTEND:20260601T205000Z
SUMMARY:Confessing how to build authentic trust in the age of artificial expertise
DESCRIPTION:AI has democratized "expertise." Developers are using LLMs to ship complex (and potentially insecure) code at record speeds\, while security professionals are using them to generate generic policy bloat. The result? A "Dead Internet" corporate culture where nobody trusts anyone\, volume replaces value\, and friction is at an all-time high.\n\nAs a software engineer turned security advisor\, I have lived on both sides of this divide. I used to view security as the "Department of No" - a blocker to my velocity. Now\, I realize the friction wasn't technical\; it was a failure of influence.\n\nThis talk explores why Human Influence is the ultimate security control that AI cannot fake. We will move beyond tricks and focus on authentic engineering alignment. I will share how to cut through the "AI slop" to build genuine trust with skepticism-heavy developers\, how to translate technical debt into business risk for executives\, and how to stop "generating" security and start negotiating it.
CATEGORIES:TALK
LOCATION:Track 2 - GRC Track - Room 1400/1410 - Sponsored by Iron Spear - Hosted by ISACA\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:951d6c55b553f1ca74fd10e393e8eeeb
URL:http://bsidesvancouver2026.sched.com/event/951d6c55b553f1ca74fd10e393e8eeeb
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T203000Z
DTEND:20260601T212000Z
SUMMARY:Evil AI vs. Open Source Linux: Zero competition in the realm of DNS exfiltration
DESCRIPTION:In the red corner we have an Evil AI local LLM armed with a client in the right hand and a server in the left.\nHe's notoriously relentless with an unpredictable style fashioning multiple encoding strategies\, chunk size tuning and payload throttling.\n\nRecent rumors suggest he's managed to unshackle himself from any external dependencies by leveraging Kotlin Native to execute a standalone binary.\n\nIn the blue corner we have a headless Debian instance ready to unleash a flurry of packages from the standard repos. He's known for being cold and calculated with a unique ability to deeply understand his opponent and counter every move. His defense is impenetrable with unforgiving iptables egress rules and a meticulously configured local DNS stub resolver. Word on the street is he's been training heavy with the DHCP hook to stay fresh on the latest nameserver.\n\nThis is a fight you don't want to miss. Both contenders are highly skilled slaughter machines\, unwilling to accept anything less than a knock-out!
CATEGORIES:TALK
LOCATION:Track 1 - AI Track - Room 1900 - Sponsored by Kobalt.io\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:3183bea5d17decb7011794c0e11d7540
URL:http://bsidesvancouver2026.sched.com/event/3183bea5d17decb7011794c0e11d7540
END:VEVENT
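The "Evil AI vs. Open Source Linux" abstract above frames DNS exfiltration as encoded, size-tuned, throttled chunks against a host with strict egress rules and a local stub resolver. The detection side of that match, as an added example written for this page (not the speaker's tooling), scores resolver query logs for the traits the attacker is said to use: many distinct long subdomains under one zone, high-entropy label streams, and a steady throttled cadence. The log format (`<epoch> <client-ip> <qname> <qtype>`), the sample lines and the `evil-cdn.test` zone are all constructed for the example; `zone_of` is a crude stand-in for a public-suffix lookup.

```python
"""Flag chunked DNS exfiltration in resolver query logs (added example)."""
import base64
import math
from collections import defaultdict

# Constructed sample: a secret that the "red corner" base32-encodes and
# splits into 30-character labels, one query every 5 seconds (throttled).
SECRET = b"card=4111111111111111;exp=12/29;cvv=123" * 2


def _chunks(data: bytes, size: int = 30):
    enc = base64.b32encode(data).decode().rstrip("=").lower()
    return [enc[i:i + size] for i in range(0, len(enc), size)]


SAMPLE_LOG = [
    "1700000000 10.0.0.5 www.example.com A",
    "1700000001 10.0.0.5 mail.google.com A",
    "1700000002 10.0.0.7 api.github.com AAAA",
] + [
    f"{1700000010 + 5 * i} 10.0.0.7 {i:03d}.{c}.tunnel.evil-cdn.test TXT"
    for i, c in enumerate(_chunks(SECRET))
] + ["1700000100 10.0.0.5 cdn.example.com A"]


def shannon_entropy(s: str) -> float:
    """Bits per character; random base32 tends toward 5, English labels sit near 2-3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def zone_of(qname: str, depth: int = 2) -> str:
    """Registered-domain guess from the last two labels (use a PSL lookup in production)."""
    return ".".join(qname.rstrip(".").split(".")[-depth:])


def score_log(lines, min_unique=4, min_label_len=20, min_entropy=3.0) -> dict:
    """Return findings keyed by (client, zone) for buckets that look like a tunnel."""
    buckets = defaultdict(list)            # (client, zone) -> [(ts, subdomain)]
    for line in lines:
        ts, client, qname, _qtype = line.split()
        zone = zone_of(qname)
        sub = qname[: -len(zone) - 1] if qname != zone and qname.endswith(zone) else ""
        buckets[(client, zone)].append((int(ts), sub))

    findings = {}
    for key, rows in buckets.items():
        subs = {s for _, s in rows if s}
        if len(subs) < min_unique:         # a handful of hostnames is normal
            continue
        labels = [lab for s in subs for lab in s.split(".")]
        longest = max(len(lab) for lab in labels)
        # Entropy over the whole stream of label characters for this zone:
        # encoded chunks stay high even when each single query is throttled.
        stream_entropy = shannon_entropy("".join(s.replace(".", "") for s in subs))
        ts = sorted(t for t, _ in rows)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if longest >= min_label_len and stream_entropy >= min_entropy:
            findings[key] = {
                "unique_subdomains": len(subs),
                "max_label_len": longest,
                "stream_entropy": round(stream_entropy, 2),
                "median_gap_s": sorted(gaps)[len(gaps) // 2] if gaps else None,
            }
    return findings
```

Run `score_log(SAMPLE_LOG)` and only the `10.0.0.7` / `evil-cdn.test` bucket is reported; `example.com` traffic from the other client never reaches the entropy test because it has too few distinct names. The `median_gap_s` field is what exposes payload throttling: a slow, regular cadence is not a reason to lower the score, which is why the detector counts distinct names in a window rather than queries per second. On the "blue corner" host the same stream never leaves if the stub resolver is the only permitted UDP/53 egress and it forwards to a resolver that logs in this form.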
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T203000Z
DTEND:20260601T212000Z
SUMMARY:Threat Modeling Developer Behaviour: The Psychology of Bad Code
DESCRIPTION:Security teams threat model systems\, but rarely do we threat model the developers building them. What if some of the most persistent AppSec problems aren’t purely technical—but behavioral?\n\nThis talk dives into the psychology of insecure code\, using principles from behavioral economics to explain why developers take risky shortcuts\, ignore secure practices\, or ship code that “just vibes.” From copying insecure Stack Overflow snippets\, to skipping documentation\, to shipping untested features under tight deadlines—these aren’t personal failings. They’re predictable cognitive patterns influenced by incentives\, stress\, and how our brains are wired.\n\nWe’ll explore how well-known concepts such as present bias\, automation bias\, the bystander effect\, and overconfidence play out in real-world development. Then we’ll shift from insight to action—offering behavioral nudges and design patterns you can apply in your SDLC\, tools\, and team culture to make secure behavior the default.\n\nThis talk blends psychology\, security\, and dev reality to reframe AppSec—not as a checklist\, but as a human system.
CATEGORIES:TALK
LOCATION:Track 3 - AppSec Track - Room 1420/1430 - Sponsored by Google Cloud Security - Hosted by OWASP\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:2e6a526a4bee5228ac10e066d0565656
URL:http://bsidesvancouver2026.sched.com/event/2e6a526a4bee5228ac10e066d0565656
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T203000Z
DTEND:20260601T212000Z
SUMMARY:Trust No Schema: Finding the Truth in Raw SQLite Binary.
DESCRIPTION:In a landscape where digital reality is increasingly “optional\,” the structures we rely on\, like database schemas\, can be deceptive\, corrupted\, or missing entirely. When the standard query layer fails and SELECT * returns nothing\, most analysts assume the truth is gone. This session is for those who refuse to accept that conclusion.\n\nWe will bypass the "optional reality" presented by database management tools and descend into the absolute ground truth: the raw binary structure of the SQLite format. By treating the database file not as a structured container but as a raw artifact\, we can uncover evidence that standard parsers ignore. We will map out table structures\, decode "Magic Bytes\," and carve data without ever needing a valid header. This approach allows us to reconstruct the narrative and verify the existence of data\, even when the system says it doesn’t exist.
CATEGORIES:TALK
LOCATION:Track 5 - Room 1800\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:cc8032e3fd0bd1c9192511089bfe9a15
URL:http://bsidesvancouver2026.sched.com/event/cc8032e3fd0bd1c9192511089bfe9a15
END:VEVENT
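The "Trust No Schema" abstract above describes treating a SQLite file as a raw artifact: decoding the magic bytes and fixed-offset header fields, reading page structure directly, and carving data when the engine refuses the file. The following is an added example written for this page, not material from the talk. It builds a small database with Python's standard `sqlite3` module (constructed sample rows), decodes the 100-byte file header and page-1 b-tree header by offset, then zeroes the header to show that `SELECT` fails while the page headers and cell contents are still recoverable from the bytes. The function names and the `messages` table are hypothetical.

```python
"""Read a SQLite file as raw bytes instead of through the query layer (added example)."""
import os
import re
import sqlite3
import struct
import tempfile

MAGIC = b"SQLite format 3\x00"                 # bytes 0-15 of every SQLite 3 file
PAGE_TYPES = {0x02: "interior index", 0x05: "interior table",
              0x0A: "leaf index", 0x0D: "leaf table"}
ENCODINGS = {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}


def parse_header(blob: bytes) -> dict:
    """Decode fixed-offset fields of the 100-byte database header (big-endian)."""
    if blob[:16] != MAGIC:
        raise ValueError("magic bytes missing")
    page_size = struct.unpack_from(">H", blob, 16)[0]
    return {
        "page_size": 65536 if page_size == 1 else page_size,   # 1 encodes 64 KiB
        "page_count": struct.unpack_from(">I", blob, 28)[0],
        "schema_cookie": struct.unpack_from(">I", blob, 40)[0],
        "text_encoding": ENCODINGS.get(struct.unpack_from(">I", blob, 56)[0], "?"),
        "sqlite_version": struct.unpack_from(">I", blob, 96)[0],
    }


def parse_btree_page_header(blob: bytes, page_offset: int, page_no: int = 1) -> dict:
    """Decode the b-tree header at the start of a page. On page 1 it sits after
    the file header; it never depends on the file header being intact."""
    off = page_offset + (100 if page_no == 1 else 0)
    ptype, _first_free, ncells, content_start, _frag = struct.unpack_from(">BHHHB", blob, off)
    return {"type": PAGE_TYPES.get(ptype, f"unknown 0x{ptype:02x}"),
            "cells": ncells, "content_start": content_start}


def carve_strings(blob: bytes, min_len: int = 8) -> list:
    """Carve printable ASCII runs straight from the bytes, ignoring all structure."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode() for m in re.finditer(pattern, blob)]


def build_sample_db(path: str) -> None:
    """Constructed sample data."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany("INSERT INTO messages (body) VALUES (?)",
                    [("meet at the usual place 21:00",),
                     ("wire transfer confirmed REF-4471",)])
    con.commit()
    con.close()


def engine_can_read(path: str) -> bool:
    """What the analyst sees through the query layer."""
    try:
        con = sqlite3.connect(path)
        con.execute("SELECT count(*) FROM messages").fetchone()
        con.close()
        return True
    except sqlite3.DatabaseError:
        return False


def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.db")
        build_sample_db(path)
        with open(path, "rb") as fh:
            blob = fh.read()
        # Deceptive artifact: the 100-byte header is wiped, everything else intact.
        wiped = b"\x00" * 100 + blob[100:]
        wiped_path = os.path.join(d, "wiped.db")
        with open(wiped_path, "wb") as fh:
            fh.write(wiped)
        return {
            "header": parse_header(blob),
            "page1": parse_btree_page_header(blob, 0),
            "engine_reads_wiped": engine_can_read(wiped_path),
            "page1_from_wiped": parse_btree_page_header(wiped, 0),
            "carved_from_wiped": carve_strings(wiped),
        }
```

With the header gone the engine reports the file as not a database, yet the page-1 header still decodes as a leaf table page holding the single `sqlite_master` row, and the carved strings include both the `CREATE TABLE` statement and the message bodies from page 2. Parsing the varint-encoded record headers in each cell is the next step after this and recovers column boundaries rather than printable runs.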
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T210000Z
DTEND:20260601T215000Z
SUMMARY:Canada's First Cyber Security Case
DESCRIPTION:In 1975\, the University of Alberta received its first computer: an Amdahl 470 V/6 complete with three hundred terminals spread across the campus made available to 3\,500 students and faculty. While one of the first notable things it was used for was to play chess\, it also became important in establishing computer crime law in Canada. When a student was caught stealing time from the shared system\, the Crown struggled to charge him. This talk will go over the entire story and how the Supreme Court of Canada had to tell Parliament to change the law to understand the new frontier that was computing.
CATEGORIES:TALK
LOCATION:Track 2 - GRC Track - Room 1400/1410 - Sponsored by Iron Spear - Hosted by ISACA\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:c37bc5e0c5a9b284168bf2da57dfac5f
URL:http://bsidesvancouver2026.sched.com/event/c37bc5e0c5a9b284168bf2da57dfac5f
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T213000Z
DTEND:20260601T222000Z
SUMMARY:Faces in the Fog: Identifying Users through Unconventional Means
DESCRIPTION:User enumeration remains one of the most prevalent yet under-discussed application security vulnerabilities across industries and organizations worldwide. Despite its critical role in the security landscape\, many security teams overlook the implications of this core security flaw.\n\nThis talk will demystify user enumeration by exploring its various types\, attack methods\, and real-world impact on applications. Attendees will gain practical insights into identifying and mitigating these vulnerabilities with hands-on demonstrations of scripts\, tools\, and advanced techniques designed for faster detection by utilizing LLM technology. Whether a penetration tester\, developer\, or security professional\, this session will equip you with actionable strategies to strengthen your defenses against user enumeration threats.
CATEGORIES:TALK
LOCATION:Track 3 - AppSec Track - Room 1420/1430 - Sponsored by Google Cloud Security - Hosted by OWASP\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:7254a02b582bf704e5cc71d8339439e4
URL:http://bsidesvancouver2026.sched.com/event/7254a02b582bf704e5cc71d8339439e4
END:VEVENT
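The "Faces in the Fog" abstract above promises scripts for spotting user enumeration; the core of such a script is a differential probe that sends the same bad password for a known and an unknown account and compares everything the server gives back. The following is an added example written for this page, not the speaker's tooling. The user table and both login handlers are constructed; real probing measures full HTTP responses and wall-clock latency, while here each handler returns `(status, message, hash_operations)` so the timing side channel is deterministic and testable.

```python
"""Differential probe for user enumeration, vulnerable and hardened handlers side by side (added example)."""
import hashlib
import hmac
import os

ITER = 20_000                                   # PBKDF2 work factor (kept low for the demo)
_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT,
                   hashlib.pbkdf2_hmac("sha256", b"correct horse", _ALICE_SALT, ITER))}
DUMMY_SALT = os.urandom(16)                     # used to hash for accounts that do not exist


def login_vulnerable(user: str, pw: str):
    """Leaks existence three ways: status code, message, and skipped hash work."""
    rec = USERS.get(user)
    if rec is None:
        return 404, "No such user", 0
    salt, digest = rec
    cand = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITER)
    if hmac.compare_digest(cand, digest):
        return 200, "Welcome", 1
    return 401, "Wrong password", 1


def login_hardened(user: str, pw: str):
    """Same status, same message, same work whether or not the user exists."""
    rec = USERS.get(user)
    salt, digest = rec if rec else (DUMMY_SALT, None)
    cand = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITER)   # always paid
    if digest is not None and hmac.compare_digest(cand, digest):
        return 200, "Welcome", 1
    return 401, "Invalid username or password", 1


def probe(handler, known_user="alice", unknown_user="zz-does-not-exist") -> dict:
    """Compare the response for an existing and a non-existing user with a wrong password."""
    a = handler(known_user, "wrong")
    b = handler(unknown_user, "wrong")
    result = {
        "status_differs": a[0] != b[0],
        "body_differs": a[1] != b[1],
        "work_differs": a[2] != b[2],          # stands in for a latency difference
    }
    result["enumerable"] = any(result.values())
    return result
```

The probe generalises beyond login: run the same pair of requests against password reset ("email sent" versus "unknown address"), registration ("username taken"), and any endpoint that keys on an identifier, and diff status, body length, headers, redirects and latency. A hardened handler makes all of those identical, including the hashing cost, which is why `login_hardened` hashes against a dummy salt when the account is missing.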
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T213000Z
DTEND:20260601T222000Z
SUMMARY:Finding Public Files… That Were Never Meant to Be Public
DESCRIPTION:What if your most sensitive information wasn’t hacked\, stolen\, or exfiltrated—but quietly made public through everyday business processes? This talk examines how sensitive files routinely escape into the public eye via search engines\, file-hosting platforms\, misconfigured cloud services\, shared drives and servers\, URL shorteners\, forgotten upload paths\, and other overlooked exposure points—often without triggering alerts or raising suspicion.\n\nDrawing on experience in cybersecurity\, information privacy\, and private investigations\, this session explores how attackers\, journalists\, and investigators systematically uncover sensitive data by pivoting across people\, companies\, domains\, filenames\, usernames\, and keywords. Using nothing more exotic than internet search engines\, specialized file-discovery tools\, and an understanding of human error\, this is a practical\, reconnaissance-focused talk about finding what was “never meant to be public\,” why these leaks are so persistent\, and how defenders can identify and reduce this exposure before someone else does.
CATEGORIES:TALK
LOCATION:Track 4 - Room 1700 - Sponsored by Aikido Security\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:b32c223bf30a894654fa04fdf5022f87
URL:http://bsidesvancouver2026.sched.com/event/b32c223bf30a894654fa04fdf5022f87
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T213000Z
DTEND:20260601T222000Z
SUMMARY:Rebooting Resilience: Fixing Burnout Before It Crashes Your System
DESCRIPTION:In tech\, pushing hard is often part of the culture. Tight deadlines\, constant change\, and the pressure to keep up can make “running on fumes” feel normal. But when stress stops being temporary and starts feeling relentless\, it may be more than just a busy season\; it may be burnout.\n\nThis talk breaks down what burnout really is (and what it isn’t)\, in clear\, practical terms. We’ll explore how to recognize the early signs\, such as brain fog\, loss of motivation\, or feeling detached from your work. We’ll also look at why burnout happens in tech environments\, including always-on expectations\, blurred work-life boundaries\, and sustained high-performance demands. The session will also focus on what to do about it.\n\nAttendees will gain realistic strategies for protecting their energy\, setting healthier boundaries\, and building more sustainable ways of working\, both individually and within teams. The goal is not just to manage stress\, but to create conditions where people can continue doing meaningful work without burning out.
CATEGORIES:TALK
LOCATION:Track 5 - Room 1800\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:1b05749e50be52ab3c96743ae59659f2
URL:http://bsidesvancouver2026.sched.com/event/1b05749e50be52ab3c96743ae59659f2
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T213000Z
DTEND:20260601T222000Z
SUMMARY:When Reality Becomes Optional: AI Threat Modeling That Actually Works
DESCRIPTION:Every security framework tells you to threat model. Almost nobody does it consistently. The reasons are always the same: it's time-consuming\, requires specialized expertise\, and doesn't scale.\nWe developed an end-to-end AI threat modeling pipeline to address these challenges. Leveraging LLMs through the Model Context Protocol (MCP)\, our system analyzes architecture diagrams and codebases to generate prioritized\, evidence-based threats\, including attack vectors\, mitigations\, and verification steps. This approach delivers consistent results at a pace that enables continuous threat modeling.\nThis presentation will demonstrate the full pipeline\, including parsing infrastructure-as-code\, extracting architectural patterns\, and applying multi-stage reasoning to identify context-aware threats. We will showcase the CLI tool and visualization dashboard\, discuss the respective strengths of AI and human expertise\, share insights from production deployments\, and explain how MCP's architecture supports composable security tooling beyond threat modeling.
CATEGORIES:TALK
LOCATION:Track 1 - AI Track - Room 1900 - Sponsored by Kobalt.io\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:bc1ec7459b232e74df984c736119b0a3
URL:http://bsidesvancouver2026.sched.com/event/bc1ec7459b232e74df984c736119b0a3
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T220000Z
DTEND:20260601T222000Z
SUMMARY:Why NIST Maturity Score May Mislead You (Is it budget well-spent to repeat your NIST assessment annually in the age of AI?)
DESCRIPTION:Cybersecurity maturity scores\, frequently presented to executive leadership and boards\, are often tied to the National Institute of Standards and Technology (NIST) framework and the Capability Maturity Model Integration (CMMI) scale. Organizations often use these scores—sometimes oddly precise\, such as 2.59 moving to exactly 2.73—as a definitive stamp of achievement. The pursuit of external validation drives many leaders to also seek industry benchmarks for comparison. This talk argues that relying on these static\, quantified scores can be profoundly misleading\, potentially instilling a false sense of security and misdirecting budget and resource allocation.\n\nThe concept of a numerical maturity score applied to NIST is not inherent to the framework itself\; rather\, it is a construct developed and popularized by consulting companies\, often blending NIST's Implementation Tiers—which are focused on risk management—with the CMMI scale. This imposition of a single number fails to capture the true complexity of cybersecurity risk management.\n\nThis presentation invites the audience to take these scores with a grain of salt due to significant limitations in both the assessment methodologies and the resulting benchmarks:\n\nRisk Alignment Failure: The final score does not accurately reflect the organization's unique threat profile\, actual risk exposure\, or the criticality of the assets being protected. This means a high score provides no guarantee of protection against the most relevant threats.\nFocus on Design over Operational Effectiveness: Assessments focus predominantly on control design and documented capability—a paper-based review or interview—rather than validating operational effectiveness through active\, continuous testing and real-world validation.\nSubjectivity and Measurement Bias: Despite following consistent frameworks\, the scoring remains subjective. This is compounded by the inherent challenges of repeatedly converting qualitative evidence (such as workshop responses or process descriptions) into quantitative data\, a process that introduces significant measurement errors and is susceptible to assessor or consultant judgment.\nFramework Interpretation Ambiguity: The NIST Cybersecurity Framework is descriptive\, using terms that require broad interpretation (e.g.\, "shall be protected") as opposed to the prescriptive nature of other standards like NIST SP 800-53. This ambiguity further degrades the consistency and comparability of assessment results.\nFlawed Score Aggregation: The resulting number is often a simple average of maturity ratings across numerous control sub-categories. This averaging technique can mask severe vulnerabilities in a single critical category and provide a misleading picture of overall maturity.\nBenchmark Data Low Quality:
CATEGORIES:TALK
LOCATION:Track 2 - GRC Track - Room 1400/1410 - Sponsored by Iron Spear - Hosted by ISACA\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:fc3f3837d0c2235e2d1f70084d3f5e74
URL:http://bsidesvancouver2026.sched.com/event/fc3f3837d0c2235e2d1f70084d3f5e74
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T223000Z
DTEND:20260601T232000Z
SUMMARY:A Guide to AI Red Teaming in 2026: Why Traditional Pentest Assumptions Fail
DESCRIPTION:Organizations are rapidly deploying AI-powered chatbots\, copilots\, and agentic workflows - often faster than security teams can adapt their testing practices. Traditional pentesting assumes deterministic systems\, stable input/output schemas\, and well-defined trust boundaries. Those assumptions no longer hold when natural language becomes both the interface and the attack surface\, and when models can retrieve data\, invoke tools\, and trigger real-world actions.\n\nThis session explores AI red teaming as a practical\, adaptable\, and repeatable application security exercise rather than a collection of one-off jailbreak techniques. We’ll examine where risk actually concentrates in modern AI systems - supporting REST API endpoints\, the orchestration layer surrounding LLMs\, access controls\, input/output handling\, and why focusing on the model alone misses the most meaningful exposures\, along with a look at real-world cases where attackers have exploited AI-powered functionality to impact businesses.\n\nThrough demonstration of automated testing techniques using open source AI red teaming tools (e.g.\, Garak\, Promptfoo\, DeepTeam\, etc.) and industry guidance (including the OWASP Top 10 for LLM Applications)\, attendees will see how ad-hoc experimentation can mature into a repeatable testing approach: structured test matrices\, risk-driven evaluation\, and findings translated into business impact such as data exposure\, unauthorized actions\, cost and availability risks\, and regulatory or reputational consequences.\n\nThe talk concludes with recommendations for building a layered defense strategy and for integrating continuous AI security testing into existing development workflows. Attendees will leave with a practical mental model for assessing AI risk\, communicating it to leadership\, and building testing practices that scale alongside rapidly evolving AI deployments.
CATEGORIES:TALK
LOCATION:Track 4 - Room 1700 - Sponsored by Aikido Security\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:1372a01319d534b387a515b284b1997c
URL:http://bsidesvancouver2026.sched.com/event/1372a01319d534b387a515b284b1997c
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T223000Z
DTEND:20260601T225000Z
SUMMARY:Finding the AI Systems No One Approved
DESCRIPTION:AI is entering enterprises through side doors\, not front gates. Long before legal reviews\, vendor assessments\, or security sign-off\, employees are spinning up local coding assistants\, connecting to external model servers\, and assembling multi-agent workflows that operate entirely outside formal governance.\n\nThis session explores practical agentic fingerprinting\, and how security teams can uncover AI systems based on what they are\, not what they’re called. By identifying the shared metadata\, configuration artifacts\, and behavioral signals that define an AI agent\, organizations can discover unapproved AI activity across cloud APIs\, internal code repositories\, and endpoints—without relying on brittle network choke points.\n\nAttendees will leave with a practical framework for mapping their true AI footprint\, understanding where governance assumptions break down\, and regaining visibility into the digital workforce that is already operating inside their organization—approved or not.
CATEGORIES:TALK
LOCATION:Track 1 - AI Track - Room 1900 - Sponsored by Kobalt.io\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:172a2201afef55890a39be5ccb6f74a8
URL:http://bsidesvancouver2026.sched.com/event/172a2201afef55890a39be5ccb6f74a8
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T223000Z
DTEND:20260601T225000Z
SUMMARY:How to get decades-long security in a consumer device: breaking locks and using the courts
DESCRIPTION:Consumer devices like phones\, routers\, and computers are built to last only a few years. Not because the hardware falls apart\, but because\, after a few years\, manufacturers refuse to update the software. In most cases they also prevent you from updating the software yourself. This creates huge amounts of e-waste\, and significant added expense for people who would rather keep the perfectly-fine hardware they have.\n\nFortunately\, the infosec community is already creating solutions to these problems. The first step to securing a device long-term is to break the manufacturer's locks so that you can get in and modify the device's software yourself (whether those locks are "legitimate" or not). We have many excellent examples of people prolonging the life of devices this way.\n\nHowever\, the majority of the time getting in is just part of the battle. Once you have root on a device\, there may still be software that is proprietary or otherwise difficult to secure (perhaps because the company is withholding source code that they are required to give you). This is where the software freedom community can help out\, by getting all the possible source code\, and reimplementing the rest.\n\nWe have many examples where this has been done\, from OpenWrt and Rockbox for routers and audio players\, to Debian and LineageOS for computers and phones. In all of these cases\, people have found ways to install software updates on devices that would otherwise stop receiving updates\, allowing them to continue using their device securely for a decade or more. And in many cases\, these ways involved using the courts.\n\nThis talk will discuss how these projects came to be\, how we used the courts to make that happen\, how many decades of security support you can reasonably get for an arbitrary consumer device you buy today\, and how you can help make this possible.
CATEGORIES:TALK
LOCATION:Track 2 - GRC Track - Room 1400/1410 - Sponsored by Iron Spear - Hosted by ISACA\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:de21b52ce6b219877983e397887a33de
URL:http://bsidesvancouver2026.sched.com/event/de21b52ce6b219877983e397887a33de
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T223000Z
DTEND:20260601T225000Z
SUMMARY:Jailbreak the Jailbreaker: Autonomous AI Red Teaming
DESCRIPTION:We explore how AI systems can automatically mutate and refine their own prompts to bypass defenses more effectively over time\, showing how repeated adversarial testing dramatically increases jailbreak success rates. Through this process\, it becomes clear why static guardrails and fixed policy layers quickly collapse when faced with recursive\, adaptive probing. Finally\, we examine what this means for modern agentic AI systems that have access to tools\, APIs\, and privileged permissions and why their expanding capabilities demand a fundamentally different approach to security and oversight.
CATEGORIES:TALK
LOCATION:Track 5 - Room 1800\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:87f24a5edbe7951828b9efa73859c2d7
URL:http://bsidesvancouver2026.sched.com/event/87f24a5edbe7951828b9efa73859c2d7
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T223000Z
DTEND:20260601T225000Z
SUMMARY:The Velocity Paradox: Why More Scanners Lead to Worse Outcomes
DESCRIPTION:Machine-speed output + Human-speed oversight. That's the structural mismatch defining application security in 2026. Security budgets are at record highs\, 100% tooling coverage is our never-ending future state\, but many organizations are experiencing worse security outcomes.\n\nOur industry's popular narrative says AI-generated code demands more aggressive scanning. This is the wrong framing. The bottleneck isn't coverage\, it's organizational context. Traditional tools audit binary nodes (Is MFA on? Is there a hard coded secret?) while ignoring the paths that actually create risk (remember ASPM?). The result is a wall of noise that users have learned to ignore.\n\nIn this talk\, I will describe the need for the shift from Pipeline Enforcement\, which breaks at velocity\, to Contextual Intelligence\, which scales with it. By applying Graph Neural Network (GNN) principles as an enrichment layer\, we replace binary gates with a relational foundation that surfaces what actually matters.
CATEGORIES:TALK
LOCATION:Track 3 - AppSec Track - Room 1420/1430 - Sponsored by Google Cloud Security - Hosted by OWASP\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:38af8235f274150f007104d37ab9129a
URL:http://bsidesvancouver2026.sched.com/event/38af8235f274150f007104d37ab9129a
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T230000Z
DTEND:20260601T232000Z
SUMMARY:Beyond Regex: Using LLMs to Add Context to DLP
DESCRIPTION:Traditional DLP is great at catching known patterns like SSNs\, credit cards\, and obvious secrets\, but many of today’s most damaging leaks aren’t “pattern-shaped.” They’re high-context artifacts: internal research\, design docs\, incident notes\, and strategy memos that become sensitive because of what they mean and how they combine. In cloud-native collaboration platforms\, sharing is frictionless\, auditing can lag behind\, and “who accessed what and why” becomes difficult to prove.\n\nTo ground the risk\, we’ll start with a real-world case. How a former Google engineer stole thousands of pages of confidential AI trade secrets and uploaded them to a personal cloud account\, an example of privileged access plus modern collaboration workflows enabling rapid exfiltration.\n\nFrom there\, this talk explores how to use LLMs to add context-aware classification to DLP workflows without turning policy into “whatever the model says.” We’ll walk through a practical reference architecture: document labeling\, confidence scoring and thresholds\, human-in-the-loop review\, and mapping classifications to enforceable controls like external sharing restrictions\, domain allow and deny lists\, and step-up authentication. We’ll also cover the hard parts: model inconsistency\, prompt injection\, drift\, and auditability\, and the guardrails that make an AI-assisted DLP system safe to operate.
CATEGORIES:TALK
LOCATION:Track 1 - AI Track - Room 1900 - Sponsored by Kobalt.io\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:fe5ba770f186f21c5e0d3ce0f402b216
URL:http://bsidesvancouver2026.sched.com/event/fe5ba770f186f21c5e0d3ce0f402b216
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T230000Z
DTEND:20260601T232000Z
SUMMARY:Follow the Engineer: Delivering Security Intelligence Over MCP
DESCRIPTION:Open source runs the world. AI now ships most of the code. That means security decisions are happening inside the tools engineers already use\, not in dashboards or tickets. The problem is no longer finding vulnerabilities. It is delivering the right remediation guidance at the exact moment an engineer can act.\n\nThis talk is a field report from building open patterns for that delivery. We built OVRSE\, an open remediation specification\, and a community MCP server that brings exploitability\, breaking change risk\, patch stability signals\, and remediation commands directly into the AI tools engineers already use. It worked. It also broke in surprising ways.\n\nYou will see why tool prompt instructions became security controls\, why structured output replaced dashboards as the interface between security and engineering\, and why MCP adoption created a governance gap most security teams have not noticed yet.\n\nThis is not a product talk. It is a practitioner report on how the delivery layer for security intelligence is changing\, and what the community needs to do about it.
CATEGORIES:TALK
LOCATION:Track 5 - Room 1800\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:e09b1dc3cfe40ad0f1031717e8f09070
URL:http://bsidesvancouver2026.sched.com/event/e09b1dc3cfe40ad0f1031717e8f09070
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T230000Z
DTEND:20260601T232000Z
SUMMARY:SameSite... Or Not? Exploring novel bypasses for SameSite cookie protections
DESCRIPTION:SameSite cookies are often relied upon too heavily to prevent cross-site request forgery\, yet\, due to browser implementations\, they can be included in unexpected requests. This talk demonstrates novel bypass techniques\, including a Chrome CVE discovered while researching these methods. Attendees will gain an understanding of the impacts on real-world applications\, and how to protect against these attacks.
CATEGORIES:TALK
LOCATION:Track 3 - AppSec Track - Room 1420/1430 - Sponsored by Google Cloud Security - Hosted by OWASP\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:a0ede532fde101fdb26ce7d700361354
URL:http://bsidesvancouver2026.sched.com/event/a0ede532fde101fdb26ce7d700361354
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T230000Z
DTEND:20260601T232000Z
SUMMARY:When Trust Is Outsourced: Security in the Age of Third-Party Everything
DESCRIPTION:Most organizations invest heavily in securing their own networks\, identities\, and endpoints — yet depend on dozens or hundreds of external vendors to operate day-to-day. In practice\, some of the most sensitive data and critical processes live outside the organization’s direct control. Attackers know this and increasingly target third parties\, service providers\, and support channels as the path of least resistance.\nThis talk draws on real-world risk assessment experience to examine how trust in vendors is established\, where it breaks down\, and why common assurance mechanisms often fail to reflect actual exposure. Certifications\, questionnaires\, and contractual clauses can create a sense of comfort\, but they do not prevent misconfigurations\, credential compromise\, insider threats\, or cascading failures across interconnected systems.\n\nWe will look at practical scenarios where vendor relationships introduced unexpected risk — from privileged access and data handling practices to hidden subcontractors and opaque technology stacks. The session will also discuss how emerging dependencies on AI services and automated decision systems complicate accountability and visibility even further.\n\nThe goal is not to criticize vendors\, but to provide a realistic framework for evaluating trust in environments where organizations must rely on infrastructure they do not own and cannot fully audit. Attendees will gain practical considerations for identifying high-risk relationships\, improving due diligence conversations\, and preparing for incidents that originate outside their perimeter.\nThis session is intended for security practitioners\, risk professionals\, architects\, and leaders responsible for safeguarding systems that depend on third-party services.
CATEGORIES:TALK
LOCATION:Track 2 - GRC Track - Room 1400/1410 - Sponsored by Iron Spear - Hosted by ISACA\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:c0178a06d1078c822e5170a4b3e79bf6
URL:http://bsidesvancouver2026.sched.com/event/c0178a06d1078c822e5170a4b3e79bf6
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T233000Z
DTEND:20260602T002000Z
SUMMARY:Can LLMs Really Find IDORs? Limits of AI Security Reasoning
DESCRIPTION:Can AI actually find IDORs in real code? We tested top coding agents against real-world apps—and the results were mixed. The models discovered genuine vulnerabilities\, but also generated large numbers of false positives and inconsistent findings. By dissecting results across multiple authorization complexity levels\, we show where LLMs shine\, where they fail\, and why IDORs remain a uniquely hard class of bugs for AI to reason about. Expect real examples\, surprising failure modes\, and practical lessons for anyone considering AI as a security testing assistant.
CATEGORIES:TALK
LOCATION:Track 1 - AI Track - Room 1900 - Sponsored by Kobalt.io\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:f190a10c079086bc1edfc8c12c4373bd
URL:http://bsidesvancouver2026.sched.com/event/f190a10c079086bc1edfc8c12c4373bd
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T233000Z
DTEND:20260602T002000Z
SUMMARY:Identity and security lessons learned from securing AI in the cloud\; Ten new frameworks for problems we solved twenty years ago
DESCRIPTION:In an age where everyone wants the positive deterministic benefits of the latest models\, and are embracing solutions where AI agents are essentially confused deputies with PhDs and personality disorders\, what are some of the lessons we learned in 2006 and how can we help to apply these towards building systems rooted in strong security principles?\n\nThis talk cuts through FUD and marketing. What's new? What isn't? Where's it all headed\, and what are the key tenets for real security? Most importantly\, what are some hilarious examples of it all going off the rails along the way?
CATEGORIES:TALK
LOCATION:Track 2 - GRC Track - Room 1400/1410 - Sponsored by Iron Spear - Hosted by ISACA\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:85bca73dde395f088f0ce2bfd721dc62
URL:http://bsidesvancouver2026.sched.com/event/85bca73dde395f088f0ce2bfd721dc62
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T233000Z
DTEND:20260602T002000Z
SUMMARY:The Heartbeat is Lying: Proving Physical Truth in a Spoofed OT Network
DESCRIPTION:In any complex environment where industrial systems and traditional IT networks meet\, we rely on digital signals to tell us the status of physical hardware. We trust our security dashboards to show that a system is running within safe parameters\, essentially treating the digital display as the absolute truth. However\, as these systems become more integrated\, a new challenge emerges where the digital reality becomes optional. Attackers have shifted from simply breaking things to manipulating the very data we use to monitor them. By interfering with communication protocols\, a compromised system can be coached to report a perfectly healthy heartbeat to the security team even while the physical equipment is being tampered with in the background.\n\nThis session explores the lifecycle of these integrity attacks and how an analyst can spot a lie told by a machine. We will look at how automated status checks are hijacked and discuss the forensic mindset needed to identify the gap between what the network reports and what the hardware is actually doing. By moving away from a total reliance on digital dashboards and focusing on forensic verification\, we can better secure environments that mix legacy hardware with modern connectivity. This talk is designed to be accessible for students and practitioners alike\, focusing on investigative logic and the reality of securing modern infrastructure without getting lost in vendor jargon.
CATEGORIES:TALK
LOCATION:Track 4 - Room 1700 - Sponsored by Aikido Security\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:c7b5d9d277bffad529f1d7f9bb677c39
URL:http://bsidesvancouver2026.sched.com/event/c7b5d9d277bffad529f1d7f9bb677c39
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T233000Z
DTEND:20260602T002000Z
SUMMARY:Turning the dial on SAST: Reducing False Positives with Call Graph–Driven LLM Reasoning
DESCRIPTION:Static analysis tools are an integral part of modern-day software development processes to find bugs and security vulnerabilities. However\, they suffer from a drawback: false positive findings. False positives are findings that are incorrectly identified by the static analysis tools as a vulnerability. Such alerts may waste developers' time and effort since these are not exploitable and need no patching. A substantial number of false positives can lead to developer fatigue and reduce the adoption of static analysis tools within software development teams. This may cause real vulnerabilities to go unnoticed\, thereby increasing the software's overall attack surface. Therefore\, it is imperative that false positives from SAST findings\, and the noise they create\, be reduced significantly.\n\nIn an attempt to realize this objective\, we propose a novel approach that combines inter-procedural call graph analysis with large-language model reasoning to identify false positives in SAST findings. Our approach constructs precise call-graphs with bidirectional execution context (caller chain and callee chain) to help the LLM conduct a comprehensive data flow analysis. To help the LLM reason better\, our method guides the LLMs using CWE-specific prompts\, which drives more accurate results.\n\nThe system detects over 90% of false positives for specific CWEs like CWE-22 (Path Traversal) and CWE-89 (SQL Injection). Our research demonstrates that inter-procedural call graph analysis coupled with LLM reasoning powered by CWE-specific prompting can significantly reduce the number of false positives in SAST findings\, thereby increasing the usability of SAST tools.
CATEGORIES:TALK
LOCATION:Track 3 - AppSec Track - Room 1420/1430 - Sponsored by Google Cloud Security - Hosted by OWASP\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:7d02b4dc24b141f261c39853c443dfb0
URL:http://bsidesvancouver2026.sched.com/event/7d02b4dc24b141f261c39853c443dfb0
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260601T233000Z
DTEND:20260601T235000Z
SUMMARY:Why Your Best Detection Tool Is Critical Thinking
DESCRIPTION:Every year we get faster tools\, better dashboards\, and more detections. And every year\, analysts still miss things. Not because the tools failed\, but because the thinking did.\n\nCybersecurity borrowed heavily from the military: the Kill Chain\, MITRE ATT&CK\, red teaming\, threat intelligence. But we skipped one of the most important things the intelligence community invested in: teaching their analysts how to think. The CIA spent decades studying why smart analysts make bad calls. They built frameworks\, published research\, and made critical thinking a core discipline. In cybersecurity\, we hand someone a SIEM and say good luck.\n\nThis talk explores what happens when we apply intelligence community thinking to cybersecurity analysis. Not academic theory\, but practical habits that change how you investigate alerts\, assess threats\, and make decisions under pressure. Why do analysts anchor on the first hypothesis? Why does confirmation bias turn a routine investigation into a missed breach? And what can you do about it starting Monday morning?\n\nTools change every year. Thinking compounds forever.
CATEGORIES:TALK
LOCATION:Track 5 - Room 1800\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:c024ef91d3e79e1729bebbe54feeb7e8
URL:http://bsidesvancouver2026.sched.com/event/c024ef91d3e79e1729bebbe54feeb7e8
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260602T000000Z
DTEND:20260602T002000Z
SUMMARY:More Legit than Legit: The Threat of Crafted Impersonations
DESCRIPTION:Modern email attacks do not succeed by looking sneaky. They succeed by being trustworthy. Over the past year\, threat actors have gotten better at building organized campaigns with context that holds up even under careful scrutiny. By mimicking legitimate email threads\, standing up polished infrastructure\, and delivering content that is timely and relevant\, they make it harder than ever for a person to tell what is real.\n\nBased on our annual threat report and incidents observed in the wild\, this talk examines trust abuse in email that goes beyond typical phishing. It focuses on the techniques attackers use to make their messages feel legitimate\, including thread hijacking\, targeted calendar invites\, and professionally impersonated websites.
CATEGORIES:TALK
LOCATION:Track 5 - Room 1800\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:3fcb353da05eb0f065aca94497346fa2
URL:http://bsidesvancouver2026.sched.com/event/3fcb353da05eb0f065aca94497346fa2
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260602T002000Z
DTEND:20260602T010000Z
SUMMARY:Closing Ceremonies
DESCRIPTION:BSides Vancouver 2026 Closing Ceremonies
CATEGORIES:KEYNOTE
LOCATION:Track 1 - AI Track - Room 1900 - Sponsored by Kobalt.io\, 515 W Hastings St\, Vancouver\, BC V6B 5K3\, Canada
SEQUENCE:0
UID:77e0a8c0d74f3448ddd6a57e232ee238
URL:http://bsidesvancouver2026.sched.com/event/77e0a8c0d74f3448ddd6a57e232ee238
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260605T093642Z
DTSTART:20260602T010000Z
DTEND:20260602T040000Z
SUMMARY:BSides Vancouver 2026 After Party Sponsored by Veeam
DESCRIPTION:Our BSides Vancouver 2026 After Party sponsored by Veeam.\n\nIncluding Hacker Jeopardy sponsored by TMU - Rogers Catalyst.
CATEGORIES:AFTER PARTY
LOCATION:The Rogue\, 601 W. Cordova\, Vancouver\, British Columbia
SEQUENCE:0
UID:bdbac17f8a65c0cafbc25b591342a603
URL:http://bsidesvancouver2026.sched.com/event/bdbac17f8a65c0cafbc25b591342a603
END:VEVENT
END:VCALENDAR
