BEGIN:VCALENDAR
VERSION:2.0
X-WR-CALNAME:blueteamcon2026
X-WR-CALDESC:Event Calendar
METHOD:PUBLISH
CALSCALE:GREGORIAN
PRODID:-//Sched.com Blue Team Con 2026//EN
X-WR-TIMEZONE:UTC
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260910T130000Z
DTEND:20260911T220000Z
SUMMARY:Building Fort Knox: A Practical Bootcamp for Cyber-Physical Defense!
DESCRIPTION:Ready to build Fort Knox and bulletproof your physical and wireless perimeters? Turn the tables on attackers with the ultimate bootcamp! You'll get hands-on with card readers\, access control systems\, Wi-Fi\, security cameras\, and more using a 25/75 tactical split. Spend 25% of your time getting your hands dirty to understand the offensive threat\, and the remaining 75% mastering wireless threat hunting\, detecting rogue signals\, auditing access control infrastructure\, and making the case to secure critical areas. Are you up for the challenge?\n \nWhat You'll Do & Learn:\n Access Control Hardening & Physical Auditing\n The Threat (25%): Demystify how attackers clone LF/HF RFID badges\, bypass locks\, and exploit sensors using tools like the Proxmark3 and Flipper Zero.\n The Defense (75%): Flip the script and use those tools for defense! Learn how to audit your own facility\, confidently evaluate vendor hardware\, and build the business case to migrate vulnerable legacy systems to secure standards.\n Wireless Defense & Rogue Infrastructure Tracking\n The Threat (25%): Get hands-on to see how rogue APs\, "evil twins\," and Wi-Fi exploitation techniques compromise corporate airwaves.\n The Defense (75%): Grab an SDR (HackRF\, RTL\, B210) and a directional antenna to actively hunt down shadow IT. Analyze wireless protocols in real time\, defend against active attacks\, and make critical architectural hardening decisions for your business.\n Airspace Defense & Bug Sweeping (TSCM)\n The Threat (25%): Recognize the physical footprints\, RF signatures\, and deployment methods of covert transmitters and unauthorized hardware.\n The Defense (75%): Deploy infrared/thermal cameras and SDRs for foundational bug sweeping. Actively hunt down unauthorized signals and neutralize rogue hardware before it compromises your secure space.\n Each day is filled with hands-on\, defense-focused mini challenges. Put your new skills to the test as you work with a team to detect compromised hardware\, hunt hidden transmitters\, isolate wireless threats\, and harden cyber-physical infrastructure under pressure. Walk away with take-home hardware and the practical skills to lock down your perimeters!\n ALL SKILL LEVELS WELCOME.\n LAPTOP AND PASSION FOR LEARNING NEEDED. ALL OTHER TOOLS PROVIDED.\n \nQUESTIONS? Contact Us: info@shortrange.tech\n Shortrange Technologies LLC\nFull Course Outline: [Coming Soon!]\nPrerequisites: None
CATEGORIES:TRAINING
LOCATION:Microsoft Technology Center (Aon Center)\, 200 E Randolph St suite 200\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:5abde9b51f177e7a5a9bfb28ccc36d3a
URL:http://blueteamcon2026.sched.com/event/5abde9b51f177e7a5a9bfb28ccc36d3a
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260910T130000Z
DTEND:20260911T220000Z
SUMMARY:CQURE Masterclass: System Forensics\, Incident Handling & Threat Hunting
DESCRIPTION:System Forensics followed by Threat Hunting and Incident Readiness are constantly evolving and crucial topics in the area of cybersecurity. In order to stay ahead of cyber-criminals\, the knowledge of individuals and teams responsible for threat hunting\, collecting digital evidence\, and handling the incidents has to be constantly enhanced and updated.\n\nThis course offers a comprehensive\, hands-on approach to mastering system forensics\, incident handling\, and threat hunting\, equipping participants with the skills to detect\, investigate\, and respond to advanced cyber threats. Through case studies\, practical labs\, and real-world examples\, participants will gain expertise in identifying and mitigating modern attacks across various environments. Key learning themes include:\n\n\n1. Windows Internals & System Forensics: Understand Windows internals\, including processes\, threads\, and permissions. Learn to gather volatile data\, audit system configurations\, and detect malicious or unnecessary services using tools like PowerShell.\n\n\n2. Malware Analysis and Incident Handling: Gain hands-on experience in analyzing malware\, including static and behavioral techniques. Learn how to detect\, contain\, and eradicate malware\, while mastering the steps for gathering evidence\, preventing incidents\, and recovering from attacks.\n\n\n3. Network Forensics & Monitoring: Learn advanced network forensics techniques to detect data exfiltration\, webshells\, and lateral movement. Explore how to analyze network traffic\, logs\, and protocols to uncover attack indicators\, and apply these skills to mitigate threats.\n\n\n4. Memory Forensics & Incident Response: Learn how to analyze memory dumps with tools like Volatility. Understand how to detect malicious code and trace system compromises in memory\, with practical examples from high-profile incidents.\n\n\n5. Disk Forensics & Data Recovery: Master storage acquisition and disk forensics techniques\, including image mounting\, file system analysis\, and recovering deleted data.\n\n\n6. Advanced Threat Hunting & Detection: Develop advanced threat-hunting strategies to uncover hidden threats and internal reconnaissance. Use practical techniques for detecting privilege escalation\, lateral movement\, and other adversary tactics to proactively defend against advanced attacks.\n\n\nThis course is designed for professionals in digital forensics\, incident response\, and security operations who wish to deepen their expertise in modern threat detection and response. By combining in-depth technical knowledge with real-world training\, participants will be equipped to effectively handle the evolving challenges in cybersecurity and incident management.\n\n\nPrerequisites: To fully benefit from our masterclass System Forensics\, Incident Handling and Threat Hunting\, participants should have a solid background in identity management and a general understanding of IT security concepts. Skills in log analysis and a knowledge of authentication mechanisms will also be helpful. Intermediate participants will gain solid fundamentals\, while advanced users can deepen their expertise and explore the latest techniques.
CATEGORIES:TRAINING
LOCATION:Microsoft Technology Center (Aon Center)\, 200 E Randolph St suite 200\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:68d7eff0395d0b93ffba316552e69ac1
URL:http://blueteamcon2026.sched.com/event/68d7eff0395d0b93ffba316552e69ac1
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260910T130000Z
DTEND:20260911T220000Z
SUMMARY:Defending Enterprises - 2026 Edition
DESCRIPTION:Updated for 2026\, our immersive 2-day Defending Enterprises training is the natural counterpart to our popular Hacking Enterprises course.\n\n\nNot only have several existing topics had major tweaks\, but the training also includes an entirely new section on Entra ID and Azure cloud-based attacks!\n\n\nYou’ll play a SOC analyst in our Microsoft Sentinel cloud-based lab and try to rapidly locate IOAs and IOCs from a live enterprise breach executed by the trainers in real time.\nWhether you’re new to Kusto Query Language (KQL) or a seasoned pro\, there’s plenty for you in the 2 days! Yes\, we’re using Microsoft Sentinel\, but the underlying threat detection theory\, logic and threat hunting approach is transferable into your own environments\, whatever your preferred platform.\n\n\nWe look at the top 10+ methods we use in offensive engagements and show how these can be caught\, along with numerous other examples and methods that go above and beyond these common TTPs!\n\n\nThis training goes beyond threat hunting as we peek into the world of detection engineering and the processes involved in converting logic into alerts!\nWith 14 hands-on exercises\, many of which also feature extra time and bonus content\, you’ll gain real-world experience in the following areas:\n\n\n* Introduction to Kusto Query Language (KQL)\n* Reviewing popular phishing attacks and living off the land techniques\n* Locating C2 traffic and beaconing activity\n* Detecting persistence activities\n* Digging into credential exploitation (Kerberoasting\, Pass-the-Hash\, Pass-the-Ticket\, DCSync)\n* Reviewing Active Directory Certificate Services (AD CS) attacks\n* Identifying lateral movement (WinRM\, SMB)\n* Cloud Attacks (Entra ID Enumeration\, Azure IMDS\, Authentication Tokens\, Conditional Access\, App Registrations)\n* + much more!\n\n\nWe know 2 days isn't a lot of time\, so you'll also get 14 days of FREE lab time after class and Discord access for support.\n\nPrerequisites: Detection methods will be taught during training\; however\, an understanding of KQL concepts would be beneficial\, and previous SOC experience and/or pentesting is advantageous but not required.
CATEGORIES:TRAINING
LOCATION:Microsoft Technology Center (Aon Center)\, 200 E Randolph St suite 200\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:b94df218669f992c11fa98b5b436c72b
URL:http://blueteamcon2026.sched.com/event/b94df218669f992c11fa98b5b436c72b
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260910T130000Z
DTEND:20260911T163000Z
SUMMARY:Exploring AI Visibility: Shedding Light on Shadow AI\, Attack Surface\, Telemetry\, and LLM Proxies
DESCRIPTION:With the explosive adoption of AI agents\, corporate networks are experiencing a massive influx of programmatic and shadow AI usage. Unfortunately\, default audit capabilities provided by major AI vendors are notoriously sparse\, leaving defenders with little to no visibility. Many providers only organize logging in a "billing forward" manner rather than focusing on cybersecurity.\n\n\nThis 2-day\, hands-on training workshop equips security teams with the practical skills needed to detect\, audit\, and secure AI usage within their environments. Attendees will learn how to identify shadow AI usage from existing network and endpoint logs (such as Zeek and Sysmon) without needing increased vendor visibility. Because AI tooling is ultimately just software\, we will also explore how these tools can introduce vulnerabilities\, such as unauthenticated servers allowing local execution.\n\n\nFurthermore\, the course will move beyond basic logs to explore advanced visibility techniques. Attendees will learn how to use OpenTelemetry to extract detailed insights from major AI providers that support it\, and how to deploy LLM proxies to actively intercept and inspect AI activity and tool calls. Finally\, we will dive deep into the Model Context Protocol (MCP)\, a protocol specifying how AI apps integrate with external tools\, and demonstrate the severe risks of malicious integrations via the "Evil MCP" vector.\n\nPrerequisites: Linux terminal or PowerShell
CATEGORIES:TRAINING
LOCATION:Microsoft Technology Center (Aon Center)\, 200 E Randolph St suite 200\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:7967506d92eb944255b8c58a9de59594
URL:http://blueteamcon2026.sched.com/event/7967506d92eb944255b8c58a9de59594
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260910T130100Z
DTEND:20260911T220000Z
SUMMARY:Offense for Defense
DESCRIPTION:Join us for Offense for Defense\, a high-impact\, hands-on cybersecurity course built specifically for blue team professionals\, systems administrators\, SOC analysts\, threat hunters\, and incident responders. This training arms defenders with the tactics\, tools\, and mindset of attackers\, empowering teams to proactively identify weaknesses and design better protections\, detections\, and responses\, all while learning from one of the most prominent names in cybersecurity instruction and enterprise penetration testing.\n\nPrerequisites: A couple of years in IT
CATEGORIES:TRAINING
LOCATION:Microsoft Technology Center (Aon Center)\, 200 E Randolph St suite 200\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:252e88886e0b777c738d5237bf695ad3
URL:http://blueteamcon2026.sched.com/event/252e88886e0b777c738d5237bf695ad3
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:400 Detections\, Zero Alerts: Why your Detection Program is flying blind
DESCRIPTION:You have 400 detection rules in production. Your ATT&CK coverage heatmap looks great in a board deck. But how many of those rules actually fire when the technique executes today\, not when they were written 18 months ago?\nIf you can't answer that\, you don't have coverage. You have promises.\nThis talk tackles the gap between deploying detections and proving they work. Detection rules silently break all the time. Schema changes\, parser updates\, log source drift\, over-tuning. Nobody notices because false negatives are completely invisible. No one complains when an alert doesn't fire. You only find out during an incident review or a red team engagement\, and by then it's too late. Most detection engineering content focuses on writing better rules or building more coverage\, but almost nobody is asking the harder question: how do you know the rules you already wrote still work?\nThe answer is detection regression testing: running known-good attack simulations against deployed rules on a continuous\, automated basis and alerting when they stop firing. This session walks through an open-source pipeline (sigma-regression-testing on GitHub) that automates the full lifecycle. Write vendor-agnostic Sigma detections. Convert and deploy to Splunk via REST API. Map each rule to a specific Atomic Red Team test. Run automated suites that produce pass/fail reports. Every step runs in GitHub Actions CI/CD with zero manual intervention after a detection merges.\nBeyond the tooling\, this talk introduces detection SLAs: measurable commitments like "this rule fires within 5 minutes of execution" and "100% of Priority 1 ATT&CK techniques have a passing regression test at all times." They transform detection programs from vague coverage claims into defensible\, auditable engineering practices.\nAttendees will leave with a working framework they can clone and deploy immediately\, along with a concrete methodology for measuring detection health and identifying blind spots. Everything shown is running in production. The code is public. The pipeline is real.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:6f5adfa49c99eeb384d760ffb7005544
URL:http://blueteamcon2026.sched.com/event/6f5adfa49c99eeb384d760ffb7005544
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:Active Directory Post-Mortem: Assumptions vs Reality
DESCRIPTION:Active Directory Domain Services has been around for 26 years\, making it far from a young technology - yet it is not going anywhere anytime soon. Most companies still rely on Active Directory as their primary identity provider and management solution. One might assume that after all these years we have already mastered securing Active Directory with best practices. However\, the reality is often the opposite: many AD environments are still poorly secured\, which keeps them a common target for attackers.\nIn this talk\, I will demonstrate three important vulnerabilities that still exist in Active Directory and are either unknown or not discussed enough. We will challenge a few assumptions along the way:\nIf an account is locked out\, can you still brute-force its password?\nIf a user is in Protected Users\, is the NT hash truly out of reach?\nWhen you use RDP (MSTSC)\, does it cache more than just fragments of your screen?\nBy the end of the session\, you will learn that some common assumptions are wrong and that you must always test and verify security controls in practice. You will also leave with practical mitigations and best practices to secure your environment against these vulnerabilities and reduce their impact.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:464d03c9f83ff39b7c70a7a3d45f5c3d
URL:http://blueteamcon2026.sched.com/event/464d03c9f83ff39b7c70a7a3d45f5c3d
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:AI Failures in IR: A Field Guide to Filling the Gaps
DESCRIPTION:Every security vendor is shipping AI. Every IR team is under pressure to adopt it. And in the middle of a real incident\, the gap between what AI promises and what it actually delivers becomes very concrete\, very fast.\n\n\nThis talk is a field guide to that gap. Drawing on experience as an incident responder on T-Mobile's CIRT during Salt Typhoon and on the builder side developing AI tooling for IR\, I'll walk through the specific ways AI underperforms when a breach is unfolding — hallucinated IOCs and timestamps\, confident wrong answers\, first-hypothesis lock-in\, bias toward threat explanations over innocuous ones\, lost evidence chains\, context windows that collapse on real forensic data\, and agents that can take down your SIEM because nobody throttled them.\n\n\nFor each failure mode\, we'll cover why it happens\, how to recognize it in tools you're evaluating or already running\, and what mitigations actually hold up under incident pressure. Attendees will leave with a taxonomy of AI failure modes in IR\, a set of sharp questions to ask any vendor (or internal build team) claiming to solve them\, recommendations for how to solve them\, and a clearer picture of how AI can augment responders versus where it quietly creates new risks.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:50378617441e9f485aa6de6fa5e3cee5
URL:http://blueteamcon2026.sched.com/event/50378617441e9f485aa6de6fa5e3cee5
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:AI-Assisted IR Without the Lies: A Browser Forensics Case Study
DESCRIPTION:Offensive security teams are deploying autonomous agents that chain vulnerabilities end to end without human intervention. Vulnerability researchers are using LLMs to discover and exploit zero-days at a pace no human team can match. AI is already on both sides of the fight\, and the gap between organizations that harness it and those that do not is widening fast.\nIncident responders have largely held back\, and for a good reason.\nIn IR\, a hallucination is not a minor inconvenience. A fabricated timeline entry\, a missed lateral movement path\, or a confidently wrong attribution can mean a backdoor stays in the network\, exfiltrated data goes unaccounted for\, or an organization remediates a fiction while the real compromise remains intact. The stakes are not just technical. IR findings increasingly inform legal proceedings\, regulatory responses\, and executive decisions. Forensic evidence analyzed by a system that invents facts has no place in that chain.\nAnd yet: if AI can genuinely accelerate triage and scope analysis\, the organizations we respond for recover faster. That matters.\nIn the past months\, we have been solving the precision problem rather than avoiding it. We started with one concrete use case: browser forensics. Using a combination of skills and agents\, we built a pipeline that accelerates artifact triage and timeline reconstruction on real engagements.\nThe pipeline fetches browser history directly from the endpoint regardless of OS\, parses artifacts across Chrome and Edge\, and searches for relevant entries based on the suspicious activity that prompted the investigation\, whether that is a domain\, a time window\, or a combination of both. What previously required an analyst to manually locate\, extract\, and cross-reference browser databases is now scoped and surfaced automatically\, with the agent linking findings back to the original investigation context.\nIn this talk\, we walk through exactly how we built it\, how we validated the outputs\, where the model failed\, and what we put in place to catch it. We will also share what we learned and how we plan to apply those lessons to other elements of IR going forward.\nAttendees will leave with a clear picture of how to structure a skills and agents pipeline for forensic analysis\, the specific validation techniques we used to constrain hallucinations\, and a realistic sense of where AI-assisted IR is ready for production and where it is not.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:02478e835c786126b449b2e7f8df61a5
URL:http://blueteamcon2026.sched.com/event/02478e835c786126b449b2e7f8df61a5
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:Behaviour-Driven Detection for Software Supply Chain Exploitation
DESCRIPTION:Abstract\nModern software development depends on an intricate ecosystem of open‑source libraries\, third‑party services\, CI/CD workflows\, container registries\, package repositories\, and cloud‑native infrastructure. As organizations accelerate development velocity\, their applications increasingly rely on components they neither wrote nor control. This creates a supply chain environment where the weakest external link becomes the attacker’s easiest entry point. While Application Security (AppSec) teams focus on code reviews\, SAST/DAST\, SCA results\, and secure SDLC controls\, many of the most dangerous threats originate outside their visibility. These include malicious dependency updates\, compromised package maintainers\, poisoned CI/CD pipelines\, hijacked SDKs\, and third‑party API breaches—risks that traditional AppSec tooling isn’t designed to detect.\nAt the same time\, cyber defence teams track adversary activity\, ecosystem‑level manipulation\, suspicious code commits\, dark‑web chatter\, targeted campaigns against popular libraries\, and exploitation of software supply chain dependencies. They see indicators and emerging threats far earlier than any automated scanner—but this intelligence rarely makes its way into AppSec decision‑making. As a result\, AppSec teams continue to approve dependencies with no CVEs\, unaware that the maintainer was compromised\; security testing pipelines approve builds even though TI has already flagged one of the upstream components\; and organizations ship production code containing malicious logic that no scanner will ever detect because the code behaves "as designed"—just not by your design.\nThis talk presents a unified model for bridging these gaps—delivering a strategic approach through supply chain defence. Attendees will learn how real‑world supply chain attacks unfold\, why they bypass traditional AppSec controls\, and how integrating cyber defence changes the defender’s perspective. We break down practical detection methods for ecosystem‑level anomalies\, maintainer compromise signals\, malicious package patterns\, CI/CD infiltration attempts\, and signs of upstream component manipulation. Through real attack examples and defensive case studies\, we show how organizations can fuse AppSec findings (SCA results\, dependency mapping\, SBOM data) with cyber defence to build an adaptive\, intelligence‑driven supply chain protection strategy.\nKey Takeaways\nWhy AppSec alone cannot detect supply chain compromise — and the specific blind spots hidden inside package ecosystems\, CI/CD pipelines\, and third‑party integrations.\nA practical integration model where AppSec and cyber defence teams jointly monitor\, validate\, and block risky dependencies or services before they reach production.\nField-tested workflows for real-time supply chain monitoring using SBOM enrichment\, threat feeds\, dependency risk correlation\, and behaviour-based anomaly detection.\nA blueprint for building an enterprise supply chain defence program that continuously adapts to attacker evolution\, ecosystem shifts\, and vendor risks.\nWhy This Talk Is Important\nSupply chain attacks are now a preferred strategy for both state-sponsored and financially motivated threat actors. They exploit trust relationships between developers\, automation systems\, and ecosystem maintainers—areas where AppSec and cyber defence teams lack visibility and have limited operational influence. This session provides a practical\, actionable roadmap for bringing both teams together to defend the modern software supply chain—before adversaries weaponize it.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:c1466b1ef144ead4f85a5d9106c0633a
URL:http://blueteamcon2026.sched.com/event/c1466b1ef144ead4f85a5d9106c0633a
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:Beyond the SIEM: Critical Governance and Architecture Decisions for Modern SOCs
DESCRIPTION:Modern Security Operations Centers (SOCs) have evolved from basic technical hubs into essential engines for risk management. Success requires a disciplined alignment of governance\, architecture\, and talent to ensure every action remains resilient and defensible. This session presents a structured methodology to balance high-level technical capability with fiscal responsibility and regulatory mandates. By evaluating SOC evolution through the lens of financial and legal risk\, organizations can build a function that is both highly effective and accountable to the board of directors.\n\n\nWe begin by discussing why governance must precede tooling to avoid embedding technical debt into the center’s foundation. This involves identifying critical assets\, defining precise operational scope\, and mapping risks driven by regulatory frameworks and customer contracts. Once these boundaries are set\, we explore how to design a technical backbone that eliminates unnecessary complexity. We will evaluate a tiered log strategy where a security data lake handles high-volume telemetry while the primary analytics engine is reserved for real-time\, high-fidelity alerting. This strategic approach prevents cost escalation while providing the depth required for advanced automated workflows.\n\n\nWe also address workforce modeling\, demonstrating how technology choices dictate staffing requirements. By examining the mathematical rule of five\, we evaluate the requirements for sustainable 24/7 coverage while preventing analyst burnout. The session concludes by reviewing how these elements create a living function that leverages automated triage and standardized playbooks to reduce manual effort by 60–80%. Attendees will learn to formalize critical escalation paths and measure performance through a trinity of operational\, contractual\, and compliance metrics\, ultimately validating defenses through structured training to maintain a proactive\, intelligence-driven posture.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:a7d1017242e43e61a3adf9092b7f9c23
URL:http://blueteamcon2026.sched.com/event/a7d1017242e43e61a3adf9092b7f9c23
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:Breaking Identity at Scale: From DPAPI & TBAL Secrets to Full Domain Compromise
DESCRIPTION:Modern enterprise environments continue to rely on implicit trust within identity and credential protection mechanisms such as DPAPI\, DPAPI-NG\, and token-based authentication layers. While these technologies are designed to safeguard secrets\, they also introduce powerful attack surfaces when combined with misconfigurations\, weak privilege boundaries\, and overlooked trust relationships.\n\n\nThis session presents a deep technical exploration of how attackers extract and abuse protected credentials at scale\, moving from local access to full domain compromise. We demonstrate novel techniques for decrypting DPAPI-protected data\, abusing TBAL-related key material\, and chaining these with authentication protocol weaknesses such as NTLM and Kerberos to achieve lateral movement and privilege escalation.\n\n\nUnlike traditional approaches that focus on single techniques\, this research connects multiple layers of identity abuse into a cohesive attack path observed in real-world environments. Attendees will see how seemingly isolated weaknesses (credential storage\, token handling\, and protocol trust) combine into high-impact attack chains.\n\n\nThe session also provides defensive strategies\, including detection opportunities\, hardening approaches\, and architectural changes to reduce reliance on implicit trust. The goal is to shift defenders from reactive detection to proactive identity security design.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:bd24878f3e20259a4022c1aaf7a63fbf
URL:http://blueteamcon2026.sched.com/event/bd24878f3e20259a4022c1aaf7a63fbf
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:Building the Human Firewall: Why Security Awareness Must Precede the Workplace
DESCRIPTION:Cybersecurity conversations often begin inside corporate boardrooms and Security Operations Centers\, but by then\, the foundation for risk is already set. In a world where digital native generations are entering the workforce\, the strongest "human firewall" must be established long before an employee receives their first corporate login.\nThis session reframes cybersecurity education as a foundational life skill rather than a purely technical discipline. By shifting the focus from corporate compliance to early digital awareness\, organizations can significantly reduce their long-term enterprise risk. We will explore how early exposure to core concepts like digital hygiene\, social engineering\, and the psychology of trust can create a culture of security that naturally extends into professional environments.\nDrawing on practical insights from incident response and governance\, risk\, and compliance (GRC) frameworks\, this talk will demonstrate the direct correlation between proactive digital literacy and a resilient defensive posture. Attendees will leave with a new perspective on training strategies that move beyond "checking the box" and toward a more intuitive\, security-first mindset. This session is ideal for security leaders\, educators\, and anyone interested in the intersection of human behavior and defensive strategy.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:1fff6b6ecdaf1600594b3a5cafdcd336
URL:http://blueteamcon2026.sched.com/event/1fff6b6ecdaf1600594b3a5cafdcd336
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:CISA’s Menu for Vulnerability Management
DESCRIPTION:Hungry for better cyber defense? Pull up a chair at CISA’s café\, where vulnerability management is always on the menu! This talk will serve up a full tasting of best practices\, international standards\, and key initiatives that help organizations defend against today’s threats and enhance their cyber resilience. From tried-and-true favorites like CVE and the Known Exploited Vulnerabilities (KEV) catalog\, to innovative new flavors including CSAF and OpenEoX\, discover how the vulnerability management chefs at CISA lead efforts to streamline vulnerability disclosure\, automate risk decisions\, and overall secure U.S. critical infrastructure. Whether picking a la carte or sampling the whole menu\, you will leave this talk with tasty insights and actionable recipes to boost your organization’s cyber defense posture…no reservations required!
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:a7de5d2bf21334d95aa720cb85dd7a6a
URL:http://blueteamcon2026.sched.com/event/a7de5d2bf21334d95aa720cb85dd7a6a
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:Containers Don't Lie. But Your Security Tooling Might Be Missing What They're Saying
DESCRIPTION:Container security is one of those topics that sounds solved. We've got image scanning. We've got runtime policies. We've got Kubernetes RBAC. So why are containers still showing up as the initial access vector in breach reports year after year?\n\n\nBecause most of our tooling is looking at the wrong things at the wrong time.\n\n\nThis talk is about shifting container threat hunting from reactive to genuinely proactive\, not by buying another tool\, but by understanding what behavioral signals containers are already producing and building detection logic around those signals.\n\n\nI've spent years running Kubernetes at scale in production environments\, managing security for platforms that can't afford downtime and can't afford breaches. What I've learned is that containers are actually quite chatty. Syscall patterns\, network connection behavior\, image layer anomalies\, runtime drift. They tell a story. The problem is most teams aren't set up to read it.\n\n\nIn this session\, I'll cover:\n\n\n- The most common gaps between what container scanning tools report and what's actually happening at runtime\n- Behavioral indicators that predict compromise before it escalates\, drawn from real incident data\n- How to build a lightweight threat hunting workflow using open-source tooling (Falco\, eBPF-based detection\, and custom OPA policies) that doesn't require a six-figure budget\n- A demo of an open-source AI-powered Docker security analyzer showing how AI-assisted analysis can surface vulnerabilities that static scanners consistently miss\n\n\nThe demo portion will be hands-on. 
We'll start with a "clean" container environment that passes standard scanning\, introduce an attack scenario\, and then walk through how behavioral hunting catches what the scanners don't.\n\n\nBy the end\, you'll have a practical hunting framework\, a set of detection rules you can implement immediately\, and a better mental model for where container defenses actually break down in the real world.\n\n\nThis is for defenders who are tired of being told their container stack is secure\, and then watching alerts prove otherwise.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:d64575e366bff1719b3e49b2a19e5512
URL:http://blueteamcon2026.sched.com/event/d64575e366bff1719b3e49b2a19e5512
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:Defending the Credential Reset Process
DESCRIPTION:Some of the most noteworthy cybersecurity incidents of the past 5 years have involved attacks on the credential lifecycle. Credentials are targeted by threat actors when they are initially issued at employee onboarding\, when they are used every day to log in\, and when they are lost and need to be reset. According to Microsoft’s 2025 Digital Defense Report\, credential-based attacks were the initial access vector used in 80% of attacks by access brokers.\n\n\nOne of the most well-known credential-related incidents targeted MGM and Caesars casinos in the summer of 2023. To target MGM\, the criminals reportedly identified employee profiles on LinkedIn\, and learned enough about one employee in particular to call up MGM’s IT helpdesk and successfully convince them to reset that person’s multi-factor authentication. These attacks prompted many organizations to take a closer look at how they handle credential reset.\n\n\nOne of the drivers behind these attacks is the increasing popularity of remote work. It is no longer reasonable in many cases to tell employees to just “drop by the office” if they lose access to the network. Organizations need ways to validate the identity of people remotely\, and this is a lot harder than it sounds. SIM swapping\, deepfakes\, and breach data provide lots of ways to overcome various controls that organizations are trying to put in place.\n\n\nThis talk will dissect the credential lifecycle and describe different attacks that target it and controls that can be put in place. We will focus specifically on credential reset workflows and show how attackers can subvert different countermeasures. We’ll then discuss how organizations can leverage what they know about their own employees to build robust defenses against these kinds of attacks.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:611a1bbbbb9ae2c09b2dacb4f72b5988
URL:http://blueteamcon2026.sched.com/event/611a1bbbbb9ae2c09b2dacb4f72b5988
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:Defending the Hypervisor: Using Offensive Tooling to Validate vSphere Security
DESCRIPTION:VMware vSphere (now owned by Broadcom) is the most widely deployed enterprise hypervisor platform\, which means a compromised vCenter or ESXi host gives attackers access to every virtual machine and credential in your environment. Defenders often lack visibility into what a post-exploitation attack against the hypervisor layer looks like. So\, I built a tool to find out.\nIn this session\, I'll walk through the real-world attack chains that threat actors use against VMware vSphere environments: extracting Kerberos keytabs and credential caches from ESXi hosts\, decrypting stored VPX database passwords to pivot across every managed host\, dumping JVM heap memory from vCenter to harvest SAML tokens\, and forging certificates using stolen VMCA private keys. These are the techniques behind campaigns and APT operations targeting virtualization infrastructure today.\nThe core of this talk is a live demo of VEXED (vSphere EXploitation Extraction and Detection)\, an open-source tool I developed to automate these attack chains against vCenter and ESXi. Starting from a single SSH session\, I'll show how VEXED chains credential extraction through VPX password decryption to automatically pivot across an entire vSphere cluster — mirroring the lateral movement patterns we as defenders need to detect and prevent.\nBut I didn't build this as a red team tool. I built it to answer a blue team question: what should I be looking for? For each attack chain I demonstrate\, I'll map the corresponding detection opportunities: what logs are generated\, what telemetry to forward to your SIEM\, and what hardening controls actually break the chain. I'll cover VEXED's built-in hardening audit module\, which checks over 20 security configurations across ESXi and vCenter\, giving you a repeatable way to validate vSphere security posture. 
I'll also walk through the interactive attack graph output that visualizes the relationships between compromised credentials\, certificates\, and pivot paths\, something I've found quite useful when communicating to leadership.\nAttendees will leave with:\n- A clear understanding of the most critical vSphere post-exploitation attack chains and how to detect them\n- Practical SIEM detection logic for credential extraction\, memory dumping\, and lateral movement across vSphere infrastructure\n- A hardening checklist validated against real attack tooling\, not just vendor best practices\n- An open-source tool you can run in your own lab to validate defenses before an attacker does\nThis session is for SOC analysts\, infrastructure security teams\, and anyone responsible for defending virtualized environments. No prior vSphere security experience is required\, just a desire to understand what happens when the hypervisor layer is compromised and how to stop it.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:19a215c0b05c9d3f6144afc95773a357
URL:http://blueteamcon2026.sched.com/event/19a215c0b05c9d3f6144afc95773a357
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:Designing deception in GCP: what’s effective density?
DESCRIPTION:Defenders have deployed honeypots and honeytokens to detect threats targeting GCP workloads. The dynamic and ephemeral nature of cloud workloads\, combined with the resource-based policy model in GCP\, introduces unique characteristics that influence the design of deception. Defenders need to determine answers to questions such as: how many deceptions to deploy\, what should they represent\, how many of each type\, how should these be named\, where should the deceptions be placed? This session provides real-world insights from a security practitioner on the design of a deception strategy for cloud workloads that spans honeytokens (GCP IAM service accounts\, GKE service accounts) and honeypots (compute instances\, storage\, pods).
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:071e96c7ae94cbfe3385893b380896cf
URL:http://blueteamcon2026.sched.com/event/071e96c7ae94cbfe3385893b380896cf
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:Detection Engineering for AI Agents: Building Defenses That Work When Your Attacker Can Think
DESCRIPTION:The bot detection playbook defenders have relied on for years — IP blocklists\, rate limits\, behavioral baselines\, CAPTCHA — was built for a threat that no longer exists. Modern adversaries are deploying LLM-powered agents that reason\, adapt\, and evolve their behavior in response to detection. For defenders\, this means the threat model has fundamentally changed.\nThis talk\, drawn from production experience building bot mitigation systems at Amazon\, provides blue teamers with a practical framework for detection engineering against agentic AI attackers. The session covers: how to identify the behavioral signatures of LLM-driven agents (and why they're different from both humans and traditional bots)\; detection signal categories that remain robust against adaptive adversaries\; pipeline architecture for high-velocity threat detection at scale\; and incident response workflows when an AI-powered attacker is actively evading your controls.\nCritically\, this talk addresses the strategic challenge defenders face: in an adversarial ML environment\, your model is always at risk of being reverse-engineered and evaded. How do you build detection systems that are robust to an adversary who can iterate as fast as you can? Attendees will leave with detection engineering patterns they can apply to bot defense\, fraud prevention\, and automated threat response — and a realistic understanding of where current defenses still have gaps.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:450ae534070fbd39060d3c617aac1492
URL:http://blueteamcon2026.sched.com/event/450ae534070fbd39060d3c617aac1492
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:email.telemetry.normalized: Detection Engineering Beyond the Inbox in Healthcare
DESCRIPTION:Email continues to be the most common initial access vector in healthcare environments\, yet many organizations still rely primarily on email security gateways for detection and protection. While gateways provide an important first layer of defense\, they often create visibility gaps once messages reach user inboxes. Attackers routinely exploit these gaps through techniques such as executive impersonation\, credential harvesting\, and business email compromise (BEC).\n\n\nThis session explores how extending email security beyond the inbox can significantly improve detection and response capabilities in healthcare environments. Based on real-world operational experience\, the talk focuses on integrating third-party email security telemetry into a centralized SIEM using custom connectors and normalized log pipelines. By ingesting and analyzing this telemetry alongside other security signals\, defenders gain deeper visibility into attacker behavior that may otherwise go unnoticed.\n\n\nHealthcare environments present unique challenges compared to other industries. Clinical workflows\, external vendor communication\, patient interactions\, and regulatory requirements often limit how aggressively organizations can block or restrict email activity. These constraints create opportunities for attackers who understand how healthcare communication patterns differ from traditional enterprise environments. This talk highlights several real-world attack scenarios observed in healthcare networks\, including executive impersonation attempts targeting leadership staff and phishing campaigns leveraging newly registered domains or fake authentication portals.\n\n\nAttendees will see how detection engineering techniques can be applied to email telemetry once it is normalized within a SIEM. 
Instead of relying solely on static gateway signatures\, defenders can build behavioral detections based on patterns such as suspicious sender reputation\, missing email authentication controls (DMARC\, DKIM\, SPF)\, domain anomalies\, and abnormal message characteristics. Lightweight Sigma-style logic will be used to illustrate how these detection patterns can be implemented in a platform-agnostic way.\n\n\nBeyond detection\, the session will also demonstrate how SOAR workflows integrated with SIEM detections can automate investigation and response actions. Automated enrichment\, alert triage\, domain blocking\, and credential reset workflows can significantly reduce analyst fatigue while improving response speed and consistency in high-volume healthcare environments.\n\n\nThis talk is grounded entirely in real-world incidents and production security operations rather than theoretical frameworks or vendor marketing. The goal is to provide practical guidance on how healthcare defenders can implement a defense-in-depth strategy for email security by combining gateway protections\, SIEM-based detection engineering\, and automated response workflows.\n\n\nAttendees will leave with actionable ideas for improving email visibility\, building stronger detection logic\, and operationalizing email telemetry to better defend healthcare environments against modern phishing and impersonation attacks.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:23cb1f0355d605638ceeddb06e2cbdd0
URL:http://blueteamcon2026.sched.com/event/23cb1f0355d605638ceeddb06e2cbdd0
END:VEVENT
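The email session above describes building behavioral detections over normalized email telemetry (failed or missing SPF/DKIM/DMARC, executive display-name impersonation, newly registered sender domains) expressed as lightweight Sigma-style rules. The following is an added example of that pattern, not the speaker's pipeline or any vendor's connector: it normalizes a few constructed gateway events into dotted fields, parses the Authentication-Results header, and evaluates three small Sigma-like rules against them. The organisation domain, the executive roster, the field names and the sample events are all assumptions made for the example.

```python
"""Behavioral email detections over normalized telemetry, in a Sigma-like style.
Example code, not the session's pipeline; hospital.example, the executive roster,
the field names and the sample events below are constructed."""
import re
from email.utils import parseaddr

OUR_DOMAIN = "hospital.example"                         # assumption: our sending domain
EXECUTIVES = {"Jane Doe": "jane.doe@hospital.example",  # assumption: leadership roster
              "Sam Lee": "sam.lee@hospital.example"}


def parse_auth_results(header: str) -> dict:
    """Parse an RFC 8601 Authentication-Results value into {"spf"|"dkim"|"dmarc": result}.
    Methods that are absent are reported as "none" by normalize(), which is itself a signal."""
    results = {}
    for clause in header.split(";")[1:]:                # clause 0 is the authserv-id
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause, re.I)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def normalize(raw: dict) -> dict:
    """Flatten a gateway or mailbox event into the dotted field names the rules use."""
    name, addr = parseaddr(raw["from"])
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    auth = parse_auth_results(raw.get("authentication_results", ""))
    return {
        "from.display_name": name,
        "from.address": addr,
        "from.domain": domain,
        "from.is_internal": domain == OUR_DOMAIN,
        "auth.spf": auth.get("spf", "none"),
        "auth.dkim": auth.get("dkim", "none"),
        "auth.dmarc": auth.get("dmarc", "none"),
        "domain.age_days": raw.get("domain_age_days"),   # from a WHOIS/RDAP enrichment step
        "subject": raw.get("subject", ""),
        # display name of an executive, but the address is not that executive's
        "exec.display_name_mismatch": name in EXECUTIVES and EXECUTIVES[name] != addr,
    }


# Sigma-style rules: every selection key must match (implicit AND). Supported modifiers:
# "|contains" (any of a list, case-insensitive) and "|lt" (numeric less-than).
RULES = [
    {"title": "Executive display-name impersonation from an external domain",
     "selection": {"exec.display_name_mismatch": True, "from.is_internal": False}},
    {"title": "Message claims our domain but fails DMARC",
     "selection": {"from.domain": OUR_DOMAIN, "auth.dmarc": "fail"}},
    {"title": "Newly registered sender domain with credential lure",
     "selection": {"domain.age_days|lt": 30,
                   "subject|contains": ["password", "verify", "sign in", "mfa"]}},
]


def _match(event: dict, key: str, expected) -> bool:
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if modifier == "contains":
        needles = expected if isinstance(expected, list) else [expected]
        return value is not None and any(n.lower() in str(value).lower() for n in needles)
    if modifier == "lt":
        return value is not None and value < expected
    return value in expected if isinstance(expected, list) else value == expected


def evaluate(raw: dict) -> list:
    """Return the titles of every rule the event matches."""
    event = normalize(raw)
    return [r["title"] for r in RULES
            if all(_match(event, k, v) for k, v in r["selection"].items())]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"from": "Jane Doe <jane.doe@hosp1tal-secure.example>",
     "subject": "Urgent: verify this wire before noon",
     "authentication_results": "mx.hospital.example; spf=pass smtp.mailfrom=jane.doe@hosp1tal-secure.example; "
                               "dkim=none; dmarc=none header.from=hosp1tal-secure.example",
     "domain_age_days": 3},
    {"from": "IT Helpdesk <it@hospital.example>",
     "subject": "Verify your password today",
     "authentication_results": "mx.hospital.example; spf=fail smtp.mailfrom=it@hospital.example; "
                               "dkim=none; dmarc=fail header.from=hospital.example",
     "domain_age_days": 6000},
    {"from": "Sam Lee <sam.lee@hospital.example>",
     "subject": "Meeting notes",
     "authentication_results": "mx.hospital.example; spf=pass smtp.mailfrom=sam.lee@hospital.example; "
                               "dkim=pass header.d=hospital.example; dmarc=pass header.from=hospital.example",
     "domain_age_days": 6000},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["from"], "->", evaluate(e) or "no detection")
```

The first sample trips two rules (executive display name on a look-alike domain, plus a young domain with a "verify" lure), the second trips only the DMARC rule (it claims our own domain), and the third is clean. In a healthcare environment the DMARC rule is the one to route to an automated response, since a message claiming your own domain that fails DMARC has no legitimate clinical or vendor explanation; the other two are better handled as enrichment-backed triage.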
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:Entra the Dragon: Entra ID Red vs Blue
DESCRIPTION:Entra ID is the identity & access management system for the Microsoft cloud. Microsoft continues to add new features to Entra ID and many of these features provide attack capability. There are many moving parts and regular updates that require attention to stay secure. This talk covers the latest attacks against the Microsoft cloud from phishing to account take-over to persistence as well as the best ways to defend against them. So go beyond Secure Score and level up your cloud security!
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:ef07ccf1881740ea6b630833bdb32abb
URL:http://blueteamcon2026.sched.com/event/ef07ccf1881740ea6b630833bdb32abb
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:Finding SOCKS with ProxyWatch
DESCRIPTION:Attackers increasingly use SOCKS proxies on intrusions to pivot through compromised networks and to keep their tools away from EDR. C2 frameworks like Sliver\, Cobalt Strike\, and Mythic make it simple to turn one callback into a gateway for the entire network.\n\n\nAs defenders\, we looked at existing guidance to find SOCKS proxies and found detections too narrowly focused on specific tools\, or advice too difficult to implement for every possible technique an attacker could run through SOCKS. We looked at how to identify behaviors when a process acts as a SOCKS proxy\, from endpoint and network telemetry\, and created ProxyWatch\, a tool to find SOCKS. This talk will cover our research process into how SOCKS works\, why attackers choose to use SOCKS\, ways to potentially identify SOCKS behaviors in your data\, and introduce ProxyWatch as a tool that implements the signals we found.\n\n\nIf you’re a defender\, detection engineer\, incident responder\, or anyone curious about how these attacks work\, we invite you to join in and learn how ProxyWatch can help you find SOCKS proxies.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:9db3c48df17669eb063ce2272d1a44fd
URL:http://blueteamcon2026.sched.com/event/9db3c48df17669eb063ce2272d1a44fd
END:VEVENT
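The ProxyWatch session above is about recognising when a process is acting as a SOCKS proxy from endpoint and network telemetry. The block below is an added example of two such signals, written for this page and not taken from ProxyWatch: it decodes SOCKS4 and SOCKS5 (RFC 1928) client handshakes from the first bytes a listener receives, and it flags a process that holds an external connection while fanning out to many internal destinations, which is what a reverse SOCKS pivot over a C2 channel looks like on the victim side, where the SOCKS handshake itself never appears. The hosts, process names, connection records and byte strings are constructed.

```python
"""Two SOCKS-pivot signals over constructed telemetry: (1) a SOCKS4/SOCKS5 client handshake
in the first bytes a listening process receives, (2) one process holding an external
connection while fanning out to many internal destinations. Example code, not ProxyWatch;
the process names, hosts, connection records and byte strings below are constructed."""
import struct
import ipaddress
from collections import defaultdict
from typing import Optional

SOCKS5_METHODS = {0x00: "no-auth", 0x01: "gssapi", 0x02: "user/pass"}
SOCKS5_CMDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP-ASSOCIATE"}

def parse_socks5_greeting(data: bytes) -> Optional[dict]:
    """RFC 1928 greeting: VER=0x05, NMETHODS, METHODS[NMETHODS]."""
    if len(data) < 2 or data[0] != 0x05:
        return None
    n = data[1]
    if n == 0 or len(data) < 2 + n:
        return None
    methods = [SOCKS5_METHODS.get(m, f"0x{m:02x}") for m in data[2:2 + n]]
    return {"methods": methods, "trailing": data[2 + n:]}

def parse_socks5_request(data: bytes) -> Optional[dict]:
    """RFC 1928 request: VER=0x05, CMD, RSV=0x00, ATYP, DST.ADDR, DST.PORT (network order)."""
    if len(data) < 4 or data[0] != 0x05 or data[2] != 0x00:
        return None
    cmd, atyp = data[1], data[3]
    if atyp == 0x01 and len(data) >= 10:                                  # IPv4
        host, off = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == 0x03 and len(data) >= 5 and len(data) >= 7 + data[4]:   # length-prefixed name
        host, off = data[5:5 + data[4]].decode("ascii", "replace"), 5 + data[4]
    elif atyp == 0x04 and len(data) >= 22:                                # IPv6
        host, off = str(ipaddress.IPv6Address(data[4:20])), 20
    else:
        return None
    port = struct.unpack("!H", data[off:off + 2])[0]
    return {"cmd": SOCKS5_CMDS.get(cmd, f"0x{cmd:02x}"), "host": host, "port": port}

def parse_socks4_request(data: bytes) -> Optional[dict]:
    """SOCKS4 request: VN=0x04, CD (1=CONNECT, 2=BIND), DSTPORT, DSTIP, USERID, NUL.
    SOCKS4a (DSTIP 0.0.0.x followed by a hostname) is not decoded here."""
    if len(data) < 9 or data[0] != 0x04 or data[1] not in (1, 2) or b"\x00" not in data[8:]:
        return None
    port = struct.unpack("!H", data[2:4])[0]
    host = str(ipaddress.IPv4Address(data[4:8]))
    userid = data[8:data.index(b"\x00", 8)].decode("ascii", "replace")
    return {"cmd": "CONNECT" if data[1] == 1 else "BIND", "host": host, "port": port, "userid": userid}

def classify_handshake(first_bytes: bytes) -> Optional[dict]:
    """Return a SOCKS finding for the first client bytes of a stream, or None."""
    g = parse_socks5_greeting(first_bytes)
    if g:
        finding = {"proto": "socks5", "methods": g["methods"]}
        req = parse_socks5_request(g["trailing"])   # many clients pipeline the request
        if req:
            finding.update(req)
        return finding
    r = parse_socks4_request(first_bytes)
    return {"proto": "socks4", **r} if r else None

def hunt_handshakes(streams: list) -> list:
    """Signal 1: listening processes whose inbound streams open with a SOCKS handshake."""
    out = []
    for s in streams:
        f = classify_handshake(s["first_bytes"])
        if f:
            out.append({**{k: s[k] for k in ("host", "pid", "process", "dst_port")}, **f})
    return out

def hunt_fanout(conns: list, internal: str = "10.0.0.0/8", min_targets: int = 8) -> dict:
    """Signal 2: a process with an external connection and many distinct internal (ip, port)
    targets. A reverse SOCKS pivot over C2 shows no handshake on the victim (the operator's
    SOCKS session terminates at the C2 server), but the implant's fan-out is visible."""
    net = ipaddress.ip_network(internal)
    by_proc = defaultdict(lambda: {"external": set(), "internal": set()})
    for c in conns:
        key = (c["host"], c["pid"], c["process"])
        side = "internal" if ipaddress.ip_address(c["dst_ip"]) in net else "external"
        by_proc[key][side].add((c["dst_ip"], c["dst_port"]))
    return {k: v for k, v in by_proc.items() if v["external"] and len(v["internal"]) >= min_targets}

# Constructed telemetry: first client bytes seen by listeners, and per-process connection records.
SAMPLE_STREAMS = [
    {"host": "ws-17", "pid": 4120, "process": "updater.exe", "dst_port": 1080,
     "first_bytes": b"\x05\x02\x00\x02" + b"\x05\x01\x00\x03\x07dc01.ad\x01\xbd"},
    {"host": "srv-db", "pid": 773, "process": "sshd", "dst_port": 22,
     "first_bytes": b"SSH-2.0-OpenSSH_9.6\r\n"},
    {"host": "ws-04", "pid": 9911, "process": "python3", "dst_port": 8080,
     "first_bytes": b"\x04\x01\x01\xbb\x0a\x00\x00\x05user\x00"},
]
SAMPLE_CONNS = (
    [{"host": "ws-17", "pid": 4120, "process": "updater.exe", "dst_ip": "203.0.113.10", "dst_port": 443}]
    + [{"host": "ws-17", "pid": 4120, "process": "updater.exe", "dst_ip": f"10.0.1.{i}", "dst_port": p}
       for i in range(1, 11) for p in (445, 3389)]
    + [{"host": "ws-04", "pid": 512, "process": "chrome.exe", "dst_ip": "203.0.113.20", "dst_port": 443},
       {"host": "ws-04", "pid": 512, "process": "chrome.exe", "dst_ip": "10.0.2.5", "dst_port": 443}]
)

if __name__ == "__main__":
    print(hunt_handshakes(SAMPLE_STREAMS))
    print({k: len(v["internal"]) for k, v in hunt_fanout(SAMPLE_CONNS).items()})
```

The handshake signal is precise (a leading 0x05 plus a plausible method list is rare in non-SOCKS traffic) but only fires for forward proxies whose listener is on a host or segment you can see; the fan-out signal is what remains when the proxy is reversed through an encrypted C2 channel, at the cost of needing a baseline so that scanners, backup agents and monitoring tools that legitimately touch many internal hosts are excluded.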
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:Fortress in a Box: Enterprise-Grade Kubernetes Security for the Organizations That Can't Afford It
DESCRIPTION:In 2022\, the Red Cross was breached and data from 515\,000 vulnerable people was exposed. Amnesty International was surveilled by state-sponsored attackers. Bellingcat\, the group that documents war crimes\, is a constant target of state actors trying to destroy evidence.\nThese organizations protect the most vulnerable\, and have zero security budget to defend themselves.\nThis talk presents Fortress in a Box\, an open-source\, one-command Kubernetes security platform built specifically for NGOs\, journalists\, and human rights organizations. It implements four layers of defense-in-depth: CI/CD scanning with Trivy\, admission control with Kyverno\, real-time runtime threat detection with Falco\, and GitOps self-healing with ArgoCD — fully configured\, zero Kubernetes expertise required.\nAttendees will see a live demo where Kyverno blocks an insecure deployment and Falco catches unauthorized container access in seconds\, routing alerts directly to Discord — no SIEM required.\nTakeaways: a clear understanding of how defense-in-depth works in Kubernetes\, the specific policies that block the most common attack vectors\, and how to deploy Fortress in their own infrastructure that same day.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:646af62b8e946a34b6776867f3822fa9
URL:http://blueteamcon2026.sched.com/event/646af62b8e946a34b6776867f3822fa9
END:VEVENT
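Both the container-hunting session ("custom OPA policies") and the Fortress in a Box session ("Kyverno blocks an insecure deployment") lean on admission-time policy as the first layer. The block below is an added example of what such a policy checks, written in plain Python for this page rather than in Kyverno or Rego, and it is not Fortress in a Box's own policy set: it walks a Deployment's pod template and reports the same class of violations a restricted-profile admission policy would reject (host namespaces, hostPath mounts, unpinned images, privileged or escalatable containers, root users, missing seccomp, undropped capabilities, writable root filesystems). The two manifests and the zeroed image digest are constructed.

```python
"""Admission-style checks over a Deployment manifest, mirroring the kind of rules a Kyverno
ClusterPolicy or an OPA/Gatekeeper constraint would enforce before a workload is scheduled.
Example code, not Fortress in a Box's policies and not Kyverno/Rego syntax; the manifests
and the placeholder image digest are constructed."""

ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}     # assumption: the only capability we let back in
SAFE_SECCOMP = {"RuntimeDefault", "Localhost"}


def _containers(pod_spec: dict):
    """Yield (list name, container) for init and regular containers alike."""
    for kind in ("initContainers", "containers"):
        for c in pod_spec.get(kind, []):
            yield kind, c


def check_pod_spec(pod_spec: dict) -> list:
    """Return [(path, reason), ...]; an empty list means the pod would be admitted."""
    v = []
    for flag in ("hostPID", "hostIPC", "hostNetwork"):
        if pod_spec.get(flag):
            v.append((f"spec.{flag}", "sharing a host namespace is not allowed"))
    for i, vol in enumerate(pod_spec.get("volumes", [])):
        if "hostPath" in vol:
            v.append((f"spec.volumes[{i}]", f"hostPath {vol['hostPath'].get('path')!r} exposes the node filesystem"))
    pod_sc = pod_spec.get("securityContext", {})
    for kind, c in _containers(pod_spec):
        path = f"spec.{kind}[{c.get('name')}]"
        sc = c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        if "@sha256:" not in c.get("image", ""):
            v.append((f"{path}.image", "image is not pinned by digest (tags are mutable)"))
        if sc.get("privileged"):
            v.append((f"{path}.securityContext.privileged", "privileged container"))
        if sc.get("allowPrivilegeEscalation", True):      # the default is true, so it must be set
            v.append((f"{path}.securityContext.allowPrivilegeEscalation", "must be explicitly false"))
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            v.append((f"{path}.securityContext.runAsNonRoot", "container may run as root"))
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in SAFE_SECCOMP:
            v.append((f"{path}.securityContext.seccompProfile", "no RuntimeDefault/Localhost seccomp profile"))
        if "ALL" not in caps.get("drop", []):
            v.append((f"{path}.securityContext.capabilities.drop", "must drop ALL capabilities"))
        extra = set(caps.get("add", [])) - ALLOWED_ADDED_CAPS
        if extra:
            v.append((f"{path}.securityContext.capabilities.add", f"disallowed capabilities {sorted(extra)}"))
        if not sc.get("readOnlyRootFilesystem"):
            v.append((f"{path}.securityContext.readOnlyRootFilesystem", "root filesystem is writable"))
    return v


def check_deployment(manifest: dict) -> list:
    """Apply the pod checks to a Deployment/StatefulSet/DaemonSet pod template."""
    return check_pod_spec(manifest["spec"]["template"]["spec"])


# Constructed manifests: the first is the kind of "works on my cluster" deployment an admission
# policy should reject; the second is the hardened equivalent.
INSECURE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "prod"},
    "spec": {"template": {"spec": {
        "hostPID": True,
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
        "containers": [{"name": "web", "image": "nginx:latest",
                        "securityContext": {"privileged": True},
                        "volumeMounts": [{"name": "host", "mountPath": "/host"}]}],
    }}},
}
PINNED_IMAGE = "nginx@sha256:" + "0" * 64   # placeholder digest, not a real image reference
HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "prod"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "volumes": [{"name": "tmp", "emptyDir": {}}],
        "containers": [{"name": "web", "image": PINNED_IMAGE,
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "readOnlyRootFilesystem": True,
                                            "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}},
                        "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}]}],
    }}},
}

if __name__ == "__main__":
    for path, reason in check_deployment(INSECURE_DEPLOYMENT):
        print(f"DENY {path}: {reason}")
    print("hardened:", check_deployment(HARDENED_DEPLOYMENT) or "admitted")
```

The insecure manifest produces nine denials, the hardened one none. The checks that matter most for the "containers as initial access" problem the first session raises are the host-namespace and hostPath ones, because those turn a compromised container into a compromised node; the digest-pinning check is what ties admission back to the CI scan, since a scan result is only meaningful for the exact image bytes that get scheduled.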
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:From Compliance to Covert Ops: Demystifying the Offensive Security Landscape
DESCRIPTION:The most critical stage when using offensive security to improve defenses comes after obtaining leadership approval for a testing exercise. Current industry definitions have significant overlap\, with the same term used to describe different underlying services\, and with the added complication of AI-based offensive tools. Overshadowed by years’ worth of penetration tests exploiting the same set of techniques\, or red teamers waltzing through the front door\, driving lasting and impactful security improvements based on testing results continues to become less straightforward.\n\n\nAs an industry\, we have accepted that using offensive testing is a good way to find gaps in our defenses. However\, less attention is given to whether the type of testing chosen actually helps to systematically fix the gaps identified. This leads to problems like:\n- Penetration tests continuing to surface the same class of findings as previous years\, or the same finding in a different location.\n- Organizations paying for advanced red team exercises while not having implemented foundational security controls.\nThe types of problems mentioned above arise because defenders often select offensive testing solutions based on the service "name". This leads to a mismatch between the type of offensive testing conducted and the defensive technologies that need to be validated.\n\n\nIn this session\, I will first provide a framework for defenders to categorize types of offensive security testing based on what their security controls will be tested against (attacks vs. adversaries) and how they will be tested (emulation vs. simulation). 
This framework helps defenders to:\n- Understand what the core value proposition of each offensive security service is\, independent of what terminology is used to describe it.\n- Work bottom-up from the defenses you have to identify the most appropriate testing methodology.\nNext\, I will demonstrate how to use this model within attendees’ organizations to plan out an offensive testing program based on their threat model\, security goals\, and maturity.\n\n\nThe goal of this session is to encourage attendees to think about offensive security from a new standpoint. By introducing a framework to categorize offensive testing methodologies with a primary focus on the security controls being validated\, defenders will understand how to distinguish between the various offensive security services on the market\, select the most appropriate solution for their organization\, and progress between offerings as their security program matures.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:4fa329d455775d918d3dec295e728ac1
URL:http://blueteamcon2026.sched.com/event/4fa329d455775d918d3dec295e728ac1
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:From Hours to Minutes With StealerLens: LLM-Accelerated Infostealer IR for Overwhelmed SOCs
DESCRIPTION:Information stealer malware has quietly become one of the most consequential threats facing modern SOCs\, with over 50 million stealer logs posted on underground channels in the last year alone. Each log is a comprehensive digital dossier on a single victim\, and the sheer volume has created an analysis bottleneck that is impossible to address at scale.\nThis session opens with a technical deep dive into what an infostealer actually is and the strange artifact that is a stealer log. Beyond the obvious credentials and session cookies\, stealer logs contain things defenders rarely expect: browser password manager extension data (Bitwarden\, Dashlane\, KeePassXC)\, local KeePass vaults exfiltrated from disk\, TOTP secrets leaked from Chrome extensions bypassing MFA\, cryptocurrency wallet data\, personal documents\, and desktop screenshots captured at the exact moment of compromise. We will walk through the full attack surface and show why modern stealers are far more dangerous than "just a credential dump".\nBuried inside each log are also forensic breadcrumbs left by the malware itself: execution paths\, active processes\, installed software\, browser history\, clipboard contents. These artifacts can reconstruct the infection vector and reveal the malware's behavior\, but analyzing them manually takes hours per log. For an overwhelmed SOC triaging a steady stream of incidents\, this analysis simply does not happen.\nBuilding on our BlackHat USA 2025 work on LLM-based infection screenshot analysis ("Hackers Dropping Mid-Heist Selfies")\, we introduce StealerLens\, an LLM-powered forensic tool that collapses this workflow from hours to minutes. StealerLens uses a layered architecture where each log artifact (system info\, software inventory\, processes\, browser history\, clipboard\, screenshots) is analyzed by a dedicated prompt. 
A final master prompt correlates the outputs into a cohesive infection narrative: likely source of infection\, delivery vector\, blast radius of exposed information\, and pointers to the supporting evidence so the analyst can verify at a glance.\nWe will share the full prompt architecture\, walk through real anonymized cases\, and discuss the limits we encountered across our test corpus. Attendees leave with a concrete blueprint for industrializing infostealer log analysis — and making room for the strategic work their SOC actually needs to do.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:bdc6bca14c4efda10ddb2b3f837245d5
URL:http://blueteamcon2026.sched.com/event/bdc6bca14c4efda10ddb2b3f837245d5
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:From Logs to Logic: Building Detections That Don’t Suck
DESCRIPTION:Most security teams have no shortage of logs\, yet turning that data into reliable detections is a different problem entirely.\n\nIn reality\, detection efforts often fall apart because of messy data\, vague assumptions\, and a haphazard approach to building and maintaining them. The outcome is all too familiar: overwhelmed analysts tuning out alerts\, threats slipping through the cracks\, and detections that look impressive in presentations but crumble under real-world pressure.\n\n\nThis presentation pulls back the curtain on how detection engineering actually works in the trenches. We'll start with raw telemetry data and walk through the process of translating attacker behavior into testable hypotheses\, then converting those hypotheses into detection logic that gets refined through ongoing feedback.\n\n\nI'll introduce a practical lifecycle for detection engineering\, covering research\, hypothesis development\, creation\, validation\, deployment\, and tuning. This structured approach ensures that detections aren't just built once and forgotten\, but evolve alongside the threats they're designed to catch.\n\n\nFinally\, we'll bridge detection engineering with threat hunting and broader cyber operations. You'll walk away with a straightforward framework for building detections that are not just technically sound\, but genuinely useful when it matters most.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:f63cd56ac425a8a28b2e2ec0bd5b2e7d
URL:http://blueteamcon2026.sched.com/event/f63cd56ac425a8a28b2e2ec0bd5b2e7d
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:Game of Cones: Why Your Crisis Plan Shouldn't Melt Under Pressure
DESCRIPTION:Your incident response playbook is sitting on a server. The server just got encrypted. Now what?\n\n\nMost organizations invest heavily in plans they never actually test: polished documentation\, detailed runbooks\, maybe a shiny new SIEM. Then a real crisis hits. Ransomware. A breach notification deadline. A regulator on line one and a journalist on line two. And everyone discovers\, at the worst possible moment\, that having a plan and having a practiced plan are two very different things.\n\n\nThis session draws on 18+ years of crisis management consulting across financial services\, healthcare\, and critical infrastructure — and a parallel career as a court-qualified expert witness in cybersecurity matters — to make one foundational argument: you cannot exercise your way to readiness during a crisis. You have to earn it before one arrives.\n\n\nWe'll start by untangling two exercise types that organizations routinely conflate. Technical Tabletop Exercises are built for your engineers and incident responders: deep\, system-specific scenarios that evolve with each inject\, stress-testing malware analysis\, containment decisions\, forensic timelines\, and recovery procedures. Crisis Management Exercises are built for the people making the ransom pay/no-pay call at 2 a.m.\, fielding questions from the board\, and deciding what to tell regulators before the mandatory notification window closes. Both matter. They serve different audiences\, surface different gaps\, and fail in different ways when neglected.\n\n\nFrom there\, we get practical. Using concrete inject examples drawn from real engagements\, we'll examine what a realistic inject sequence actually looks like\, how scenarios should evolve under pressure\, and how to design exercises that surface real gaps rather than validate comfortable assumptions. 
We'll walk through common failure patterns: the outdated playbook nobody printed\, the escalation path that dead-ends at a person who left the company\, the executive team that spent the first 45 minutes of a simulated breach trying to figure out who was supposed to be talking to legal.\n\n\nWe'll also cover the human dimension that most exercise frameworks undercount: trust. You cannot know whether the person next to you will stay calm under real pressure until you've watched them handle simulated pressure. Exercises make your colleagues' behavior predictable. That predictability: knowing who steps up\, who freezes\, who asks the right questions\, is what separates a coordinated response from organized chaos.\n\n\nAttendees will leave with a practical framework for designing and running exercises that actually move the needle\, a clear model for separating leadership-track and technical-track scenarios\, and concrete guidance on building post-exercise debrief processes that drive iteration rather than just generating a report nobody reads.\n\n\nOne durable truth ties it all together: the calmest person in the room on the worst day of the organization's life didn't get there by accident. They practiced.\n\n\nSo should you.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:32f873325e3fcebdc1458d04fe92ed24
URL:http://blueteamcon2026.sched.com/event/32f873325e3fcebdc1458d04fe92ed24
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:How to Do Just About Anything (Including Security): Turning Curiosity and Creativity into a Career
DESCRIPTION:Learning something new\, for me\, often means figuring it out myself. While we have tutorials and AI on demand\, experimentation and a willingness to get things wrong is still required. My story started with a book called “How to Do Just About Anything” and a realization that\, with enough curiosity\, you actually can.\n\n\nThis talk shares a non-linear path from breaking computers as a teen to understand them\, creating within extreme constraints\, and turning trial and error into a career that spans from high school dropout to security leadership\, all while staying true to my art-tech-geek roots.\n\n\nRather than focusing on specialization\, I’ll break down the practical patterns behind building strong fundamentals\, both technical and human\, and show how those fundamentals\, combined with curiosity\, creativity\, and ownership\, can open doors and get you into conversations you weren’t “qualified” to be in.\n\n\nI’ll connect these ideas directly to real-world security work: learning new domains quickly\, navigating organizational complexity\, and building the relationships needed to drive change. We’ll explore how incremental improvement compounds over time\, how to operate in environments where “this is how it’s always been done” is the default\, and how community involvement accelerates growth.\n\n\nIf you’ve ever felt like your path doesn’t fit a traditional mold\, or you just know you can do more\, this talk offers a practical perspective on how building beyond your core strengths can help you create opportunities\, influence outcomes\, and define your own path in security.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:a7beb26a1277b484bc09f48f125a3866
URL:http://blueteamcon2026.sched.com/event/a7beb26a1277b484bc09f48f125a3866
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:It Started with an Employee. It Ended Inside Your AI: The Exposure Chain You Need to Understand
DESCRIPTION:AI didn't just speed up reconnaissance. It connected dots that were never supposed to connect\, and most blue teams haven't caught up yet.\n\nThis talk walks through a single\, end-to-end exposure chain so defenders can finally see what they're up against\, and know exactly where to break it.\nIt starts with people. AI-powered OSINT pipelines aggregate and correlate employee data across LinkedIn\, GitHub\, forums\, and breach databases in minutes\, building behavioral profiles precise enough to generate hyper-targeted phishing lures at scale. But the exposure doesn't stop at individuals. The same reconnaissance that maps employees also maps the company: infrastructure\, misconfigured services\, and increasingly API endpoints leaked during LLM deployments. Production AI tools calling internal services\, chatbots inadvertently surfacing internal documentation\, LLM APIs left exposed during staging: these aren't edge cases\, they're patterns blue teams are consistently missing.\n\nFrom there\, the path in is shorter than most teams think. Either a well-profiled employee gets phished into opening the door\, or an exposed AI-connected service was never meant to be public in the first place. And once an attacker reaches an internal LLM (a security chatbot\, an AI-assisted SIEM\, an LLM-integrated IR tool)\, prompt injection becomes the final piece. Your AI doesn't know the difference between a legitimate query and a crafted instruction. Your analyst might not either.\n\nWe'll demonstrate each stage\, then flip the lens entirely\, covering how defenders can map their AI exposure\, harden LLM-integrated tooling\, and break the chain before it completes.\n\nAttendees will leave with:\nVisibility into how AI-powered recon pivots from employees to exposed infrastructure\nAwareness of LLM deployment patterns that unintentionally surface internal services\nA framework for identifying prompt injection risks in security tooling\nActionable steps to audit and defend their AI attack surface
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:3d6a2350b0450716c3fbb53fd05bf9df
URL:http://blueteamcon2026.sched.com/event/3d6a2350b0450716c3fbb53fd05bf9df
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:It Wasn’t Spoofed: Investigating Authenticated Email Abuse in Real Environments
DESCRIPTION:Not every incident starts with an alert.\n\nSometimes it starts with a confident assumption.\n\nIn this case\, a suspicious email spread internally. The user reported they did not send it\, and the client confidently assessed the message as spoofing.\n\nIt wasn’t.\n\nEmail header analysis revealed the message originated from within the organization (AuthAs: Internal) using legacy SMTP AUTH (AuthMechanism: 04)\, an authentication pathway that does not enforce MFA. Valid credentials were used\, no alerts were generated\, and the activity appeared legitimate.\n\nWith limited visibility\, the investigation required correlating endpoint and infrastructure telemetry. Pivoting on domains associated with file retrieval revealed additional impacted systems beyond those initially reported.\n\nThe incident exposed gaps in both detection and control coverage. Mailbox forwarding rules enabled data exfiltration and were managed reactively rather than preventively\, while authentication-based detection failed due to legitimate credential use. When questions arose around credential origin\, validation had to be guided within the client’s own environment while maintaining privacy and access boundaries.\n\nThis talk provides practical guidance for defenders\, including how to:\ndistinguish spoofed emails from authenticated internal activity using header analysis\nidentify authentication pathways where MFA is not enforced\npivot on DNS and endpoint telemetry to expand incident scope\ndetect and reduce risk from mailbox forwarding rules\nvalidate potential credential exposure within appropriate privacy and access boundaries\ninvestigate effectively when activity appears legitimate and generates no alerts\n\nAttendees will leave with practical approaches for identifying and responding to attacks that bypass traditional detection by blending into expected behavior.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:ed87e2089b1ca6c557b7e450ea31d2ed
URL:http://blueteamcon2026.sched.com/event/ed87e2089b1ca6c557b7e450ea31d2ed
END:VEVENT
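The header-analysis step described in the "It Wasn't Spoofed" abstract above, as an added editorial example (not the speaker's material): two constructed Exchange-style messages, one that fails SPF/DMARC as an anonymous external submission and one accepted as AuthAs: Internal over AuthMechanism 04. The only mechanism code mapped is 04, which the abstract identifies as legacy SMTP AUTH; everything else (the sample hostnames, IPs, addresses and the shape of the Received and Authentication-Results headers) is constructed for the example.

```python
import email
import re
from email import policy

# Constructed sample messages (not real traffic); only the headers relevant to
# the spoofed-vs-authenticated decision are present.
SPOOFED_MSG = """\
Received: from mail.example.net (203.0.113.10) by EXCH01.corp.example (10.0.0.5) with Microsoft SMTP Server
From: ceo@corp.example
To: finance@corp.example
Subject: Urgent wire
Authentication-Results: spf=fail (sender IP is 203.0.113.10) smtp.mailfrom=corp.example; dkim=none; dmarc=fail action=quarantine
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-AuthSource: EXCH01.corp.example

Please wire the funds today.
"""

AUTHENTICATED_MSG = """\
Received: from [198.51.100.7] (198.51.100.7) by EXCH01.corp.example (10.0.0.5) with Microsoft SMTP Server
From: alice@corp.example
To: all-staff@corp.example
Subject: Shared document
Authentication-Results: spf=pass smtp.mailfrom=corp.example; dkim=pass header.d=corp.example; dmarc=pass
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 04
X-MS-Exchange-Organization-AuthSource: EXCH01.corp.example

Open the attached document.
"""

# The abstract identifies AuthMechanism 04 as legacy SMTP AUTH (Basic auth), a
# path that does not enforce MFA. Other codes are left unmapped rather than guessed.
LEGACY_SMTP_AUTH = "04"
IPV4_IN_PARENS = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def parse_auth_results(value):
    """'spf=fail (...) smtp.mailfrom=x; dkim=none; dmarc=fail action=...' -> {'spf': 'fail', ...}"""
    results = {}
    for clause in value.split(";"):
        clause = clause.strip()
        for method in ("spf", "dkim", "dmarc"):
            if clause.startswith(method + "="):
                results[method] = clause[len(method) + 1:].split()[0]
    return results


def classify(raw_message):
    """Decide whether a message was spoofed from outside or sent with valid credentials."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    auth_as = str(msg.get("X-MS-Exchange-Organization-AuthAs", "")).strip()
    mechanism = str(msg.get("X-MS-Exchange-Organization-AuthMechanism", "")).strip()
    auth_results = parse_auth_results(str(msg.get("Authentication-Results", "")))
    first_hop = IPV4_IN_PARENS.search(str(msg.get("Received", "")))
    verdict = {
        "from": str(msg["From"]),
        "sending_ip": first_hop.group(1) if first_hop else None,
        "auth_as": auth_as,
        "auth_mechanism": mechanism,
        "auth_results": auth_results,
        "mfa_bypass_path": False,
    }
    if auth_as.lower() == "internal":
        # Not spoofing: Exchange accepted the sender as an authenticated principal.
        verdict["category"] = "authenticated-internal"
        verdict["mfa_bypass_path"] = mechanism == LEGACY_SMTP_AUTH
        verdict["next_step"] = (
            "valid credentials over legacy SMTP AUTH; pull the sender's sign-in logs for this IP, "
            "audit mailbox forwarding rules, and pivot on the sending host's endpoint telemetry"
            if verdict["mfa_bypass_path"] else
            "authenticated session; confirm the mechanism and origin in sign-in logs"
        )
    elif auth_results.get("spf") == "fail" or auth_results.get("dmarc") == "fail":
        verdict["category"] = "external-spoof-candidate"
        verdict["next_step"] = "claims an internal address but failed SPF/DMARC; treat as spoofing"
    else:
        verdict["category"] = "external"
        verdict["next_step"] = "unauthenticated external mail; evaluate sender reputation and content"
    return verdict
```

The point of the split is the first branch: an AuthAs: Internal message is by definition not spoofed, so the investigation question changes from "who forged this" to "whose credentials were used, from where, and what else did that session do", which is why the next step pivots to sign-in logs and forwarding rules rather than to the mail gateway.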
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:Life After Tier 1: Rebuilding the SOC When Triage Is Outsourced
DESCRIPTION:For many medium-sized enterprises\, outsourcing Tier 1 triage to an MSSP is positioned to reduce workload\, provide 24/7 coverage\, and improve efficiency. In practice\, it fundamentally reshapes how a SOC operates—and introduces new challenges that many teams are unprepared for.\n\n\nOutsourcing Tier 1 doesn’t eliminate work—it redistributes it in ways most SOCs are not designed to handle.\n\n\nThis talk examines what happens after Tier 1 is removed. Organizations place significant trust in third-party providers\, yet alert volume may decrease while investigation complexity increases. Context is often lost at handoff boundaries\, and traditional metrics lose meaning\, while new measures—such as mean time to confirm and escalation quality—become critical for understanding performance. Teams that fail to adapt quickly often find themselves with fewer alerts\, but greater uncertainty and slower response.\n\n\nOperational gaps also emerge when systems do not align with MSSP onboarding models. Custom telemetry sources\, delayed parser development\, and the gap between deployment and monitoring readiness introduce risk that must be actively managed.\n\n\nDrawing on real-world experience leading a SOC through this transition\, this session focuses on how to redesign operations for a post–Tier 1 model. We will explore how analyst roles must evolve from queue processors to investigators\, why detection fidelity becomes the most important metric\, and how to build feedback loops that continuously improve detection quality.\n\n\nAttendees will leave with a practical framework for restructuring workflows\, redefining success metrics\, and improving detection precision.\nThis talk is designed for SOC leaders\, detection engineers\, and analysts navigating MSSP integration or considering outsourcing triage functions and aligns with both the Management/Leadership and Security Operations tracks.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:d3ec548198bb912f93e2e679d1517ff2
URL:http://blueteamcon2026.sched.com/event/d3ec548198bb912f93e2e679d1517ff2
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:MDR: From Vendor Shortlist to Security Partnership
DESCRIPTION:In a saturated market\, how can CISOs move past monitoring volume to evaluate Managed Detection and Response (MDR) providers based on their true ability to reduce exposure and drive proactive risk reduction?\n\n\nHow do you build a practical evaluation framework that balances technical visibility and response capability with commercial clarity and long-term consolidation potential?\n\n\nWhat is the difference between a provider that wins a contract\, and a partner that actually strengthens resilience before\, during\, and after a crisis?
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:b4c78d935bcca83fb6d729d3a5e8895c
URL:http://blueteamcon2026.sched.com/event/b4c78d935bcca83fb6d729d3a5e8895c
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:Models and More: using data to inform decision making
DESCRIPTION:Organizations of all types are working to use data to make better decisions. This includes risk management decisions\, such as whether to avoid\, mitigate\, accept\, or transfer a particular risk. But what types of data work best? How do correlation and causation impact your risk analysis? Learn from a cyber insurance pro how they balance the speed of modeling and analytics with the deep experience of domain experts to choose what risks to accept. You will walk away with an understanding of how to effectively use different data sources to support risk management in your organization.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:d865e7b2e8a7e87ffea27ffbbd0db92d
URL:http://blueteamcon2026.sched.com/event/d865e7b2e8a7e87ffea27ffbbd0db92d
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:Paving the Road for AI-Driven Security Teams
DESCRIPTION:We are not a traditional SOC. Notion’s Detection and Response Team (DART) is a small group of engineers and incident responders. We build the systems our own team runs on\, and we own them end to end.\nAI changed how we work. Our answer has been to pave the road for agentic security work: an internal platform of harnesses\, CLI tools\, review steps\, and guardrails that makes AI workflows predictable enough to run during a real incident\, and safe enough for other security teams to build on top of.\nWe will cover three things:\nSetting up AI agents for triage and investigations in a way we actually trust\nThe boring stuff that makes it work. Harnesses\, CLI tools\, and review steps so agent runs are repeatable and we can actually check what happened\nWhat that paved road unlocks\, using security automations as the example. DART owns and runs the platform\, so other security teams can ship new automations on top of it without having to learn the underlying infra\n\nYou’ll leave with the guardrails we actually use\, patterns for making agent workflows deterministic\, and the lessons we picked up scaling our automation and observability work.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:be654bde097409b275719cf7a5fc8e42
URL:http://blueteamcon2026.sched.com/event/be654bde097409b275719cf7a5fc8e42
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:Purple Testing Is Not Enough — Why CTEM Is the Missing Layer
DESCRIPTION:Purple testing is powerful.\nIt helps us validate detections\, simulate attacker behavior\, and expose where our defenses break. It gives us truth about our controls.\nBut there’s a problem.\nMost teams stop at validation.\nWe test.\nWe validate.\nWe generate findings.\nAnd then… we move on.\nThe same gaps show up again later—not because we didn’t find them\, but because we didn’t ensure they were actually fixed. Over time\, this creates what I call “validation theater”—a cycle where teams continuously prove weaknesses without reducing real exposure.\nFrom an attacker’s perspective\, that’s not a weakness.\nIt’s reliability.\nThis talk focuses on closing that gap.\nDrawing from 12 years of incident response experience and 6 years running continuous validation programs\, I’ll show how to move from “we tested it” to “we fixed it—and proved it stays fixed.”\nWe’ll break down where purple testing delivers value—and where it falls short—and introduce Continuous Threat Exposure Management (CTEM) as the missing operational layer that connects validation to ownership\, prioritization\, and remediation.\nAttendees will learn how to operationalize a practical CTEM loop:\nScoping → Discovery → Prioritization → Validation → Mobilization\nAnd more importantly\, how to:\nAssign clear ownership across teams\nPrioritize remediation based on real risk\nBuild a repeatable process for closing gaps\nMeasure whether exposure is actually decreasing over time\n\nThis session is designed for blue team practitioners\, detection engineers\, and security leaders who want a practical\, actionable approach to improving security effectiveness.\nBecause testing is not protection.\nDetection is not protection.\nClosure is.\nIt’s about building a repeatable system that ensures what you find… actually gets fixed.\nBecause if the same gaps keep coming back—so will attackers.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:d990941b259b59b73cf39c0507403bd5
URL:http://blueteamcon2026.sched.com/event/d990941b259b59b73cf39c0507403bd5
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:Reconstructing Reality: Advanced USN Journal Extraction and Full-Fidelity Correlation with MFT
DESCRIPTION:The NTFS USN Journal remains one of the most underutilized yet powerful forensic artifacts in Windows environments. While widely known\, its practical use is often limited by incomplete parsing\, lack of context\, and the inability to correlate it effectively with other filesystem structures such as the Master File Table.\nThis session challenges long standing forensic assumptions about how filesystem evidence should be interpreted. Traditional approaches treat artifacts such as the USN Journal and the Master File Table as separate and partially reliable sources of truth. Our research demonstrates that this model is fundamentally flawed.\nMany widely used forensic tools silently ignore critical fields\, leading to incomplete or misleading conclusions. As a result\, investigators often rely on partial visibility when reconstructing attacker activity.\nWe introduce a comprehensive approach to extracting\, parsing\, and operationalizing USN Journal data at scale\, using full field analysis to reconstruct detailed file system activity. A key contribution of this work is a novel correlation model between USN Journal entries and Master File Table records\, enabling investigators to rebuild complete timelines with significantly higher accuracy.\nBy combining these artifacts and analyzing all available metadata\, we show that it is possible to detect inconsistencies\, uncover hidden attacker activity\, and validate events that would otherwise remain ambiguous or invisible.\nThis approach redefines how filesystem forensics should be performed\, transforming fragmented artifacts into a unified and reliable representation of system activity. The techniques presented are actively used in real world incident response and threat hunting engagements\, where precision and speed are critical.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:eb566f269b72d83acc1f315678ed9548
URL:http://blueteamcon2026.sched.com/event/eb566f269b72d83acc1f315678ed9548
END:VEVENT
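The USN-to-MFT correlation the "Reconstructing Reality" abstract above describes, as an added editorial example rather than the speakers' tooling: a full-field USN_RECORD_V2 parser for a raw $UsnJrnl:$J buffer, followed by correlation against an MFT snapshot on the one field that ties the two artifacts together, the 64-bit file reference (48-bit entry number plus 16-bit sequence number). The record layout and reason flags are the documented NTFS ones; the records, the MFT snapshot and the sequence-reuse scenario are constructed for the example and do not come from any real volume.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 fixed header (60 bytes, little-endian): RecordLength, MajorVersion,
# MinorVersion, FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp,
# Reason, SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset.
USN_HEADER = struct.Struct("<IHHQQqqIIIIHH")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
REASON_FLAGS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE", 0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE", 0x80000000: "CLOSE",
}

def split_frn(frn):
    """64-bit file reference -> (48-bit MFT entry number, 16-bit sequence number)."""
    return frn & 0xFFFFFFFFFFFF, frn >> 48

def filetime_to_dt(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def decode_reason(reason):
    names = [n for bit, n in REASON_FLAGS.items() if reason & bit]
    unknown = reason & ~sum(REASON_FLAGS)  # surface bits we did not name instead of dropping them
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:08X}")
    return names

def parse_usn_v2(data):
    """Yield every USN_RECORD_V2 in a raw $J buffer; zero-filled page padding is skipped."""
    off = 0
    while off + USN_HEADER.size <= len(data):
        rec_len = struct.unpack_from("<I", data, off)[0]
        if rec_len == 0:
            off += 8  # inside padding: records are 8-byte aligned, so step by 8
            continue
        if rec_len < USN_HEADER.size or off + rec_len > len(data):
            break  # corrupt or truncated record; stop rather than misalign every later one
        (_, major, _, frn, parent, usn, ts, reason, source, _, attrs,
         name_len, name_off) = USN_HEADER.unpack_from(data, off)
        if major == 2:  # V3/V4 records (128-bit references) share RecordLength, not this layout
            entry, seq = split_frn(frn)
            p_entry, p_seq = split_frn(parent)
            yield {"usn": usn, "timestamp": filetime_to_dt(ts), "entry": entry, "seq": seq,
                   "parent_entry": p_entry, "parent_seq": p_seq, "reasons": decode_reason(reason),
                   "source_info": source, "attributes": attrs,
                   "name": data[off + name_off: off + name_off + name_len].decode("utf-16-le")}
        off += rec_len

def correlate(records, mft):
    """mft: {entry: (sequence, name)} from a parsed $MFT. Tag each USN record against it."""
    out = []
    for r in records:
        live = mft.get(r["entry"])
        if live is None:
            status = "no-mft-record"       # entry freed (or never allocated) in this snapshot
        elif live[0] != r["seq"]:
            status = "stale-entry-reused"  # same slot, older sequence: the event belongs to a
                                           # previous file; the MFT now shows a later tenant
        elif live[1] == r["name"]:
            status = "live"
        else:
            status = "live-renamed"        # same file, name changed after this event
        out.append({**r, "status": status, "mft_name": live[1] if live else None})
    return out

# ---- constructed sample data (not from any real volume) ----
def make_frn(entry, seq):
    return (seq << 48) | entry

def dt_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def build_usn_v2(frn, parent_frn, usn, ts, reason, name, attrs=0x20):
    enc = name.encode("utf-16-le")
    length = USN_HEADER.size + len(enc)
    length += (-length) % 8  # 8-byte alignment, as NTFS writes them
    hdr = USN_HEADER.pack(length, 2, 0, frn, parent_frn, usn, dt_to_filetime(ts), reason,
                          0, 0, attrs, len(enc), USN_HEADER.size)
    return hdr + enc + b"\x00" * (length - len(hdr) - len(enc))

T0 = datetime(2026, 9, 12, 15, 30, tzinfo=timezone.utc)
ROOT = make_frn(5, 5)  # MFT entry 5 is the volume root directory
CLOSE = 0x80000000
SAMPLE_J = b"".join([
    build_usn_v2(make_frn(42, 3), ROOT, 1000, T0, 0x100, "payload.exe"),
    build_usn_v2(make_frn(42, 3), ROOT, 1088, T0 + timedelta(seconds=1), 0x100 | CLOSE, "payload.exe"),
    build_usn_v2(make_frn(42, 3), ROOT, 1176, T0 + timedelta(seconds=2), 0x200 | CLOSE, "payload.exe"),
    b"\x00" * 16,  # page padding, as seen in real $J extractions
    build_usn_v2(make_frn(42, 4), ROOT, 1280, T0 + timedelta(seconds=3), 0x100 | CLOSE, "notes.txt"),
    build_usn_v2(make_frn(77, 2), ROOT, 1360, T0 + timedelta(seconds=4), 0x1 | CLOSE, "report.docx"),
    build_usn_v2(make_frn(99, 1), ROOT, 1448, T0 + timedelta(seconds=5), 0x100 | CLOSE, "tmp.dat"),
])
SAMPLE_MFT = {5: (5, "."), 42: (4, "notes.txt"), 77: (2, "report.docx")}
```

Calling `correlate(parse_usn_v2(SAMPLE_J), SAMPLE_MFT)` tags the three payload.exe events as stale-entry-reused: MFT entry 42 now holds notes.txt at sequence 4, so a tool that joins on entry number alone would attribute the create/delete of the executable to the wrong file, while one that ignores the journal entirely never sees that file at all. The sequence number is what makes the correlation exact.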
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:Same Network\, Different Worlds: Bridging the IT Ops and SOC Divide
DESCRIPTION:A temporary service account with Domain Admin rights gets created at 11 PM to patch a legacy application. The sysadmin logs off and forgets about it. The SOC sees the account creation\, flags it as authorized admin activity\, and moves on. Three weeks later\, that account becomes an attacker's persistence mechanism. Nobody did anything wrong. And that is exactly the problem.\nIT operations and security teams share the same network but operate in fundamentally different worlds. Sysadmins speak the language of uptime\, change windows\, and ticket queues. SOC analysts speak the language of alerts\, TTPs\, and kill chains. Both teams assume the other has visibility into what is happening\, and both teams are wrong. The result is a gap that does not show up in any audit report but lives quietly in every environment: misattributed alerts\, forgotten service accounts\, unclaimed security tasks\, and legitimate admin activity that looks completely indistinguishable from an attacker who already knows your environment inside and out.\nMost organizations try to solve this with better documentation\, cleaner org charts\, and the occasional cross team meeting. It does not work. The gap is not a process problem. It is a knowledge problem. Security analysts often do not know enough about how systems are actually administered day to day to separate noise from signal. Sysadmins often have no idea how their routine tasks appear inside a SIEM and have even less awareness of the quiet risk they are generating while doing everything by the book.\nThis session is built on a premise that is easy to understand but rarely acted on: the person best positioned to bridge that gap is someone who has stood on both sides of it. Drawing from hands on experience managing and securing environments across multiple client organizations at an MSSP\, this talk translates the operational realities of IT administration into the detection focused language of the SOC and does the same in reverse. No theory. No vendor pitch. Just an honest look at how two teams who are supposed to be working together keep accidentally working against each other.\nAttendees will work through real world scenarios that are common across companies and industries. They will experience each scenario from the IT ops side and the SOC side to understand what happens. The audience will leave with a practical communication framework they can bring back to their organization before the next incident forces the conversation anyway.\nWhether you are a junior analyst trying to understand the authenticity of alerts or a systems engineer who has never thought about what routine tasks look like from a SOC lens\, this session will be inclusive of all.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:edff839c81ddb7e81132201a5c092236
URL:http://blueteamcon2026.sched.com/event/edff839c81ddb7e81132201a5c092236
END:VEVENT
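The opening scenario of "Same Network, Different Worlds" above (a temporary Domain Admin account created late at night, never cleaned up, used weeks later) turned into the check that closes the gap between the two teams, as an added editorial example and not the speaker's material. It joins what the SOC sees (account-creation, group-membership, cleanup and logon events) with what IT ops knows (the change ticket and its expiry). Event records are reduced to the fields the check needs and the event IDs are the standard Windows ones (4720, 4728, 4725/4726/4729, 4624); the events, hostnames, account names and ticket are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed Windows Security events, reduced to the fields this check needs
# (real 4720/4728/4726/4624 events carry these as TargetUserName, SubjectUserName,
# GroupName and WorkstationName). Not taken from any real environment.
SAMPLE_EVENTS = [
    {"time": "2026-09-01T23:02:11Z", "id": 4720, "target": "svc-patch-tmp", "subject": "jdoe", "host": "DC01"},
    {"time": "2026-09-01T23:03:40Z", "id": 4728, "target": "svc-patch-tmp", "subject": "jdoe",
     "group": "Domain Admins", "host": "DC01"},
    {"time": "2026-09-01T23:10:05Z", "id": 4624, "target": "svc-patch-tmp", "host": "APP01", "logon_type": 3},
    {"time": "2026-09-01T23:30:00Z", "id": 4720, "target": "svc-backup-tmp", "subject": "mlee", "host": "DC01"},
    {"time": "2026-09-01T23:31:00Z", "id": 4728, "target": "svc-backup-tmp", "subject": "mlee",
     "group": "Domain Admins", "host": "DC01"},
    {"time": "2026-09-02T05:00:00Z", "id": 4726, "target": "svc-backup-tmp", "subject": "mlee", "host": "DC01"},
    {"time": "2026-09-22T02:15:33Z", "id": 4624, "target": "svc-patch-tmp", "host": "WKS-HR-07", "logon_type": 3},
]
# What IT ops knows and the SOC usually does not: the change ticket and when the
# account was supposed to go away (constructed; the ticket number is illustrative).
CHANGE_TICKETS = {
    "svc-patch-tmp": {"ticket": "CHG-0042", "expires": "2026-09-02T06:00:00Z"},
}
NOW = "2026-09-23T09:00:00Z"
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
CLEANUP_EVENTS = {4725, 4726, 4729}  # disabled, deleted, removed from the group
BUSINESS_HOURS = range(8, 18)        # assumed change-window hours, UTC


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_orphaned_privileged_accounts(events, tickets, now, default_window=timedelta(hours=24)):
    """Accounts created and made privileged, never cleaned up, and past their change window."""
    now = ts(now)
    findings = []
    for created in (e for e in events if e["id"] == 4720):
        acct = created["target"]
        elevated = [e for e in events if e["id"] == 4728 and e["target"] == acct
                    and e.get("group") in PRIVILEGED_GROUPS]
        if not elevated:
            continue  # ordinary account; out of scope for this check
        if any(e["id"] in CLEANUP_EVENTS and e["target"] == acct for e in events):
            continue  # ops closed the loop; nothing to chase
        ticket = tickets.get(acct)
        # Without a ticket, assume the account should have lived no longer than default_window.
        expires = ts(ticket["expires"]) if ticket else ts(created["time"]) + default_window
        if now < expires:
            continue  # still inside its approved window
        late_logons = [e for e in events if e["id"] == 4624 and e["target"] == acct
                       and ts(e["time"]) > expires]
        findings.append({
            "account": acct,
            "created_by": created["subject"],
            "created_out_of_hours": ts(created["time"]).hour not in BUSINESS_HOURS,
            "groups": sorted({e["group"] for e in elevated}),
            "ticket": ticket["ticket"] if ticket else None,
            "overdue_days": (now - expires).days,
            "post_expiry_logons": [e["host"] for e in late_logons],
        })
    return findings
```

Run against the sample, the check ignores svc-backup-tmp (created the same night, deleted before its window closed) and reports svc-patch-tmp with the creator, the ticket it was opened under, how many days overdue it is, and the workstation that logged on with it three weeks later. The ticket join is the part neither team can build alone: the SOC has the events, IT ops has the expiry.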
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:Secrets That Survive Everything: The Shift-Right Runtime Gap Left Unguarded
DESCRIPTION:A bug bounty researcher found Azure credentials in a JavaScript file and marked the report informational. The credentials were live production values: four Azure AD fields sitting in a public JS bundle\, enough to authenticate as the application itself. The frontend had documented its own backend. Full account takeover. The application's token had been granted the ability to perform user-level operations\; every account in the system was reachable. The organization had GitLeaks in CI/CD and static secret scanning on pull requests. The credentials were still live.\n\n\nThat was one chain. A second application used CryptoJS to encrypt its configuration\, a common pattern in SPAs where developers believe encrypting the config protects it. The decryption key was hardcoded in the same JavaScript file\, three lines away from the encrypted blob. The secret to unlock everything was sitting next to the lock. Same credential pattern at the end. Same result.\n\n\nShift-left tools scan what you commit. They do not scan what you serve. Build-time environment injection bakes live keys into webpack bundles that never touch the repository. CI/CD pipeline variable substitution materializes secrets only in the build artifact\, after every scanner has run. SSR state blobs injected by Next.js and Nuxt carry credentials into HTML that no pre-deployment scanner ever sees. Once a secret reaches production\, it disappears from every scanner's view. Sometimes that disappearance is engineered: developers suppress scanner alerts on credentials the application genuinely requires\, trading automated monitoring for a green pipeline. The only things finding runtime secrets are manual penetration testers\, bug bounty researchers\, and attackers. Two of those three report what they find.\n\n\nThis talk walks through both exploitation chains in detail\, maps the full shift-right gap in the security tooling landscape\, and closes with a live demo using a purpose-built intentionally vulnerable healthcare portal\, a HIPAA-branded application exposing Twilio\, SendGrid\, Stripe\, and Firebase credentials in its public JavaScript files\, and leaking internal service keys in response headers on every single request.\n\n\nThe demo uses SecretSifter\, a free Burp extension\, browser tool\, and desktop app built for the runtime layer to find every secret passively\, without configuration\, as traffic flows.\n\n\nSecurity teams leave with a clear picture of where their shift-left controls stop\, a taxonomy of the six exposure mechanisms that bypass them\, and a free tool they can deploy against their own applications the same day.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:2fb6fb88ee7c5ac716cd439b995da96b
URL:http://blueteamcon2026.sched.com/event/2fb6fb88ee7c5ac716cd439b995da96b
END:VEVENT
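A minimal runtime-layer check for the exposures "Secrets That Survive Everything" above describes, added here as an editorial example (it is not SecretSifter and not the speaker's code): it scans what is served rather than what is committed, covering the JS body and the response headers it arrived with, and includes a specific detector for the CryptoJS pattern where the decryption key is a string literal in the same file as the ciphertext. The vendor key prefixes are the documented formats for Stripe, Google/Firebase, Twilio and SendGrid; the bundle, headers and every credential value in it are constructed and deliberately fake. GUID-style identifiers such as the Azure tenant and client IDs are not flagged on their own, only the accompanying client secret is.

```python
import re

# Credential families the abstract names, using the vendors' documented key formats,
# plus a generic "secret-looking assignment" catch-all. Sample values below are fake.
PATTERNS = {
    "stripe_live_secret": re.compile(r"sk_live_[0-9A-Za-z]{24,}"),
    "google_firebase_api_key": re.compile(r"AIza[0-9A-Za-z_\-]{35}"),
    "twilio_account_sid": re.compile(r"\bAC[0-9a-fA-F]{32}\b"),
    "sendgrid_api_key": re.compile(r"SG\.[0-9A-Za-z_\-]{22}\.[0-9A-Za-z_\-]{43}"),
    "secret_assignment": re.compile(
        r"""(?i)\b(?:client_?secret|api_?key|auth_?token|password)["']?\s*[:=]\s*["']([^"']{8,})["']"""),
}
# CryptoJS.AES.decrypt(<blob>, <key>) where <key> is defined as a string literal in the same file.
CRYPTOJS_DECRYPT = re.compile(r"CryptoJS\.AES\.decrypt\(\s*([A-Za-z_$][\w$]*)\s*,\s*([A-Za-z_$][\w$]*)")
STRING_CONST = r"""(?:const|let|var)\s+{name}\s*=\s*["']([^"']+)["']"""


def redact(value):
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def line_of(text, pos):
    return text.count("\n", 0, pos) + 1


def scan_text(text, source):
    findings = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            findings.append({"type": kind, "source": source, "line": line_of(text, m.start()),
                             "value": redact(value)})
    return findings


def find_hardcoded_decrypt_keys(js, source="body"):
    """The 'key three lines from the blob' pattern: a decrypt call plus a literal key in scope."""
    findings = []
    for m in CRYPTOJS_DECRYPT.finditer(js):
        blob_var, key_var = m.group(1), m.group(2)
        key_def = re.search(STRING_CONST.format(name=re.escape(key_var)), js)
        if key_def:
            findings.append({"type": "cryptojs_key_beside_ciphertext", "source": source,
                             "line": line_of(js, key_def.start()), "value": redact(key_def.group(1)),
                             "detail": f"{key_var} decrypts {blob_var}"})
    return findings


def scan_bundle(js, response_headers=None):
    """Scan what is served: the JS body and the response headers it came with."""
    findings = scan_text(js, "body") + find_hardcoded_decrypt_keys(js)
    for name, value in (response_headers or {}).items():
        findings += scan_text(value, f"header:{name}")
    seen, unique = set(), []
    for f in findings:  # the same literal often appears twice in a minified bundle
        key = (f["type"], f["source"], f["value"])
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique


# ---- constructed sample: a fake main.bundle.js and the headers it was served with ----
SAMPLE_BUNDLE = r'''
/* constructed main.bundle.js, not a real application */
(function () {
  var azure = {
    tenantId: "11111111-2222-3333-4444-555555555555",
    clientId: "66666666-7777-8888-9999-000000000000",
    clientSecret: "aZ8~FAKE.secret.value_for_demo",
    authority: "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555"
  };
  var stripe = Stripe("sk_live_FAKEFAKEFAKEFAKEFAKEFAKE");
  var firebaseConfig = { apiKey: "AIzaSyFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE1" };
  var twilio = { accountSid: "AC0123456789abcdef0123456789abcdef" };
  const encryptedConfig = "U2FsdGVkX1+FAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE=";
  const passphrase = "s3cr3t-config-key-demo";
  const cfg = JSON.parse(CryptoJS.AES.decrypt(encryptedConfig, passphrase).toString(CryptoJS.enc.Utf8));
})();
'''
SAMPLE_HEADERS = {
    "content-type": "application/javascript",
    "x-internal-service-key": "sk_live_FAKEHEADERFAKEHEADERFAKE",
}
```

Because it runs on the served artifact, the same function works on a bundle fetched from production, on the HTML of a server-rendered page (the Next.js/Nuxt state blobs the abstract mentions) and on proxy-captured responses, which is exactly the material a commit-time scanner never sees.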
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:Security vs Product: A Professional Identity Crisis
DESCRIPTION:For years\, my instinct was to fix things. See an alert\, chase the threat. Find a gap\, build a detection. Witness an incident\, contain and remediate. After a career built on DFIR\, detection engineering\, incident response\, and sysadmin work\, I was trained to be a solution machine\, and I was good at it.\n\n\nThen I became a Product Manager.\nEverything broke.\n\n\nSuddenly the job wasn't to solve the problem in front of me\, it was to figure out whether I even had the right problem. The skills that made me dangerous in a SOC were quietly working against me in a product role. I was writing requirements that looked suspiciously like runbooks. I was treating user research like a post-incident review\, assuming I knew the problems because I've been there before. Jumping straight to the five whys without sitting in the discomfort of not knowing yet.\n\n\nThis talk is the honest story of my first year as a Product Manager and what a decade in security taught me. Both the gifts and the baggage.\nThe gifts were real: I understood the users deeply because I was the user. I could cut through technical ambiguity\, earn credibility with engineering teams fast\, and spot when a "product problem" was actually an architecture problem in disguise. Threat modeling translated almost directly into risk prioritization frameworks. Log analysis taught me how to find signal in noisy customer feedback.\n\n\nBut the baggage was heavy too. Security work rewards decisive\, fast\, technical action. Product work rewards patience\, ambiguity tolerance\, and ruthless problem definition. The pivot from solution-first thinking to problem-first thinking didn't happen naturally\, it had to be unlearned\, deliberately and sometimes painfully.\n\n\nIn this session\, I'll walk through the mental model shift that changed how I approach product decisions\, the specific security habits that carried over (and why)\, the ones I had to consciously kill\, and how I'm still learning to bridge both worlds. Whether you're a security professional curious about PM roles\, a PM trying to work with security-minded engineers\, or someone navigating a major career pivot\, this talk is for you.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:57651f08c5e99ebed3604d0e3ebd4002
URL:http://blueteamcon2026.sched.com/event/57651f08c5e99ebed3604d0e3ebd4002
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:Slaying the Sprawl: A Hero’s Guide to Building (or Re-Forging) a Cloud Security Program Without a 20-Person Guild
DESCRIPTION:Whether you are standing before a pristine\, untouched Cloud Kingdom or inherited a crumbling fortress held together by "Native Tooling" duct tape and hope\, the quest remains the same: How do you defend the realm without hiring an army you can’t afford?\n\n\nIn this 40-minute campaign\, we aren’t just looking at the map\, we’re looking at the scars. Building a cloud security program from scratch is one thing\; evolving an established one while the dragons are already circling is another. Drawing from real-world lessons learned in the DevOps trenches\, this session explores the "Day 0" decisions and the "Year 2" regrets of choosing between Native Security Tooling and a unified CNAPP.\n\n\nWe’ll sit around the tavern table to discuss the hard-won truths of cloud defense:\n\n\n- The "Free" Sword’s Hidden Cost: Real-life tales of how "built-in" tools led to siloed alerts\, requiring a 20-person "manual correlation guild" just to find a single critical risk.\n- Re-Forging the Armor: For those with established programs—how to transition from a "Franken-stack" of point tools to a unified platform without breaking the kingdom’s production.\n- The "Agentless" Treaty: Lessons learned from the "Agent Wars." How moving to agentless visibility (the Rogue's Cloak) saved our DevOps relationships and gave us 100% visibility in hours\, not months.\n- The Multi-Cloud Map: Navigating the treacherous terrain of AWS\, Azure\, and beyond without losing your mind or your budget to "Console Swapping" fatigue.\n\n\nWhether you are a Solo Adventurer starting a new program or a War-Weary Veteran trying to consolidate a sprawling one\, you’ll leave with a battle-tested blueprint for a security program that scales with your magic\, not your headcount\, HUZZAH!
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:e2f6b415cd0e624ff9d0959332552e63
URL:http://blueteamcon2026.sched.com/event/e2f6b415cd0e624ff9d0959332552e63
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:Strength in Diversity: Building an Inclusive Cybersecurity Workforce
DESCRIPTION:The presentation “Strength in Diversity: Building an Inclusive Cybersecurity Workforce” explores how diversity across race\, gender\, sexual orientation\, and neurodiversity strengthens cybersecurity by fostering innovation\, resilience\, and more adaptive defenses. It argues that cybersecurity is as much about people and perspectives as it is about technology\, and that inclusion drives strategic advantage in addressing complex\, evolving cyber threats.\nThe introduction sets the tone by positioning diversity not just as a social ideal but as a core element of operational effectiveness. It emphasizes that a broad range of lived experiences improves problem-solving and enhances anticipation of attacker behavior. A personal story titled “A Gay Man’s Journey Through Change and Resilience” illustrates this principle through a cybersecurity professional who endured discrimination and living through the AIDS crisis\, eventually turning adversity into empowerment\, mentorship\, and advocacy for diversity in tech.\nData presented from 2023 industry studies—including (ISC)²\, CyberSeek\, and ISACA—reveals progress and persistent gaps. Women comprise about 26% of the U.S. cybersecurity workforce\, while approximately 62% of professionals identify as White. Black\, Hispanic/Latino\, and Asian professionals represent roughly 9–10%\, 8%\, and 17–18% respectively. Around 7–8% of cybersecurity professionals identify as LGBTQ+\, and 5–10% are estimated to be neurodivergent. Leadership\, however\, remains disproportionately White and male.\nSubsequent sections examine how specific forms of diversity enhance cybersecurity effectiveness. Racial diversity introduces broader cultural understanding and region-specific threat identification. LGBTQ+ inclusion fosters authenticity\, psychological safety\, and creativity—core elements of innovative problem-solving. Gender diversity improves usability\, ethical awareness\, and understanding of human vulnerabilities in security systems. Neurodiversity\, though only briefly mentioned\, provides unique cognitive strengths like pattern recognition and sustained focus\, valuable in security analysis.\nThe presentation warns against “groupthink\,” which arises in homogeneous teams and can blind organizations to unseen threats. Diverse teams\, by contrast\, challenge assumptions and expand awareness. The business case follows: data show that organizations with diverse teams outperform peers in innovation\, responsiveness\, and decision-making. In cybersecurity—where agility is essential—diverse perspectives directly translate into better incident response and threat intelligence.\nPractical guidance focuses on dismantling systemic barriers such as implicit bias\, inequitable advancement\, and limited mentorship. Recommendations include inclusive hiring\, employee resource groups (ERGs)\, leadership training on unconscious bias\, and structured mentorship for underrepresented professionals. Building an inclusive culture requires active allyship\, where leaders champion belonging and empower all employees to participate fully.\nLooking toward the future\, the presentation notes that global cyber threats demand culturally intelligent solutions and that younger\, more diverse generations will reshape the field. The call to action urges professionals to recruit widely\, support consistently\, and lead inclusively. The final message encapsulates the presentation’s core thesis: diversity of people produces diversity of thought—creating stronger\, more resilient cybersecurity defenses for all.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:2c523df5ea48061b5e140ecfb1aebb1f
URL:http://blueteamcon2026.sched.com/event/2c523df5ea48061b5e140ecfb1aebb1f
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:Superposition\, not Superstition
DESCRIPTION:SUPERPOSITION WITHOUT SUPERSTITION\nWhy the foreseeable state of quantum computing is not a nightmare for security practitioners\n\n\nIn this illuminating talk\, we’ll cut through the quantum hype to reveal why security professionals can approach quantum computing with informed confidence rather than panic.\n\n\nWhile headlines scream about the imminent apocalypse of our cryptographic systems\, reality paints a dramatically different picture. This presentation delivers a refreshingly sober analysis of quantum computing’s actual security implications\, replacing fear with facts.\n\n\nKey Insights:\nReality Check on Timelines\nThe horizon for practical cryptographically relevant quantum computers stretches far beyond sensationalist coverage\, likely years or even decades before systems capable of breaking RSA or ECC at a meaningful scale materialize. Even then\, these systems will initially be massive research facilities accessible primarily to nation-states\, not everyday threat actors.\n\n\n“Unless you’re a high-priority target for these select few actors with nation-state resources\, should quantum computing really keep you up at night?”\n\n\nTechnical Hurdles That Won’t Disappear Overnight\nWe’ll dissect the substantial challenges quantum computing still faces\, comparable to nuclear fusion energy\, where “breakthrough announcements” often represent minimal progress in the greater journey. Error correction requirements\, qubit coherence limitations\, and scaling challenges aren’t merely engineering problems but fundamental physics puzzles requiring revolutionary solutions.\n\n\nThe Quantum Security Advantage\nDiscover how quantum technologies themselves offer robust security benefits through innovations like Quantum Key Distribution (QKD). 
Learn how the security community’s decades of preparation have yielded practical post-quantum cryptographic standards and hybrid approaches that organizations can implement today as part of sensible transition strategies.\n\n\nPractical Preparation\nWalk away with actionable insights on how to approach quantum-resistant security planning without overinvesting or underestimating. Learn which threats are real\, which are exaggerated\, and how to communicate quantum risks accurately to stakeholders and executives.\n\n\nJoin us for a reality-based assessment that replaces quantum superstition with quantum understanding\, providing security practitioners with a practical perspective on this fascinating technological frontier.\n\nThis session is ideal for CISOs\, security architects\, and security practitioners who need to separate quantum computing fact from fiction.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:4e72c0b01fd5c72454033c754b2bfeee
URL:http://blueteamcon2026.sched.com/event/4e72c0b01fd5c72454033c754b2bfeee
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:Teaching AI to Analyze Malware: How to Encode Practitioner Expertise into an MCP Server
DESCRIPTION:AI agents can reason about suspicious files\, plan multi-step investigations\, and write custom deobfuscation code when standard tools fall short. But generic models produce shallow\, unreliable results because they lack practitioner knowledge about which tools to use and when\, and access to the tools themselves.\nWithout domain expertise\, an AI agent doesn't know that\, for example\, capa exit codes follow non-standard conventions\, that YARA match counts require context to interpret\, or that GetProcAddress appears in virtually every Windows program and is not inherently suspicious. Without tool access\, it can only comment on malware but cannot investigate it.\nThis talk walks through my experience of building an open source MCP server\, a standardized interface that connects AI agents to external tools\, that bridges both gaps simultaneously. The server connects AI agents to my open source REMnux malware analysis toolkit\, encoding practitioner knowledge into tool workflow sequencing and output interpretation. The server runs analysis at three depth levels\, and manages context budgets when tool output exceeds approximately reasonable values by automatically switching to summary mode while preserving key findings.\nThe server also counteracts confirmation bias. Generic AI agents tend to label every API call as suspicious and every string as an indicator of compromise. The server's neutral framing prompts agents to consider benign explanations before concluding malicious intent. This is a critical safeguard when the AI chains dozens of tool calls without human review at each step.\nAgainst real-world samples\, the resulting system completed full investigations in about 10 minutes with 25-30 automated tool calls. In one case during my experimentation\, the AI agent wrote custom Python to reconstruct a PE from file fragments. 
In another\, it reverse-engineered a proprietary archive format and adapted when initial analysis approaches failed.\nThe talk covers what worked\, what failed\, and what surprised me. It addresses the security model required when AI agents have tool access\, including prompt injection risks from malicious content in analyzed samples\, container isolation as the primary security boundary\, and data flow considerations.\nAttendees leave with a reproducible pattern for encoding domain expertise into MCP servers\, applicable to incident response\, cloud forensics\, network analysis\, or any domain with specialized tools and practitioner workflows.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:d09622aee55f3f13b229c83eefaf71b0
URL:http://blueteamcon2026.sched.com/event/d09622aee55f3f13b229c83eefaf71b0
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:The Contextualization Gap: Why Your SOC Has the Data But Not the Story
DESCRIPTION:Security operations teams are not losing ground because they lack tools. They are losing ground because they have accumulated too many tools\, each addressing a specific threat\, each generating its own telemetry\, with no architecture capable of connecting that data into a coherent\, actionable picture of what is happening in the environment. The result is a team simultaneously overwhelmed by data and operationally blind to the threats moving through it. This is true for internal SOC teams and for MSSPs\, and the burden manifests differently for each.\n\n\nThe core problem is structural: the five functions required to convert raw telemetry into a security decision\, specifically aggregation\, correlation\, analysis\, decision making\, and execution\, are not all human-speed functions. The first three demand machine-level speed and scale.\n\n\n1. Aggregation requires collecting and storing every data point from every endpoint and point solution\, in raw form\, before filtering occurs.\n2. Correlation requires establishing real-time relationships across those data points at a scale no analyst team can match manually.\n3. Analysis requires assembling those relationships into a complete\, contextualized picture of what is present\, what it is doing\, and whether it represents a threat.\n\n\nThese three functions\, performed at the volume and velocity modern environments generate\, are beyond the operational capacity of any human element working without machine support.\n\n\nYet most organizations have humans attempting to manage all five steps\, and both sides of the security operations equation pay for it.\n\n\nInternal SOC teams silo the data conversation\, leaving executive leadership\, board members\, and stakeholders without the context to authorize meaningful action.\n\n\nExternal providers face a version of the same problem: unable to build full context from fragmented data\, they struggle to explain which data matters to the client\, let alone guarantee the client is protected. They carry that uncertainty every day.\n\n\nIn both cases\, the human element absorbs the burden of functions it was never designed to perform\, and the organization remains exposed.\n\n\nThis session presents the operational argument for a different architecture: one in which an AI and ML-driven security contextualization engine executes steps one through three against the full data lake in real time\, and delivers the output (a contextualized\, prioritized picture of environmental activity) to the human operator.\n\n\nThe human element is not removed from the process. It is repositioned to the two steps where human judgment is irreplaceable: decision making and execution. 
The operator arrives at step four informed\, not overwhelmed.\n\n\nThe session draws from documented deployments in resource-constrained environments\, including a regional security operation that processed 35\,331 threats\, eliminated 351 classified at high severity\, and maintained zero major security incidents\, at 77% below the cost of an equivalent internal SOC. The outcomes were not produced by adding analysts. They were produced by correctly positioning the human element within the detection lifecycle.\n\n\nAttendees will leave with a framework for auditing where their team is currently positioned in the five-step cycle\, a model for what machine-executed contextualization makes operationally possible\, and a practical starting point for closing that gap.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:4822bdf42e2658578751c2867220412b
URL:http://blueteamcon2026.sched.com/event/4822bdf42e2658578751c2867220412b
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:The Decision Engine: How to Rebuild Security Operations for an AI-Accelerated Threat Environment
DESCRIPTION:The queue-based SOC is not a slower version of the future. It is a structural liability.\n\n\nFor two decades\, security operations has been measured by the wrong things: alert throughput\, mean time to detect\, SLA adherence. These are the metrics of a queue. They assume that moving fast enough through enough alerts produces security outcomes. That assumption has not survived contact with AI-enabled adversaries\, exponential telemetry growth\, and an accelerating compression of exploitation timelines.\n\n\nThis talk is about what replaces it.\n\n\nThe decision engine is not a product\, a platform\, or a vendor pitch. It is an operating model\, a structural redesign of how a security function produces decisions rather than processes alerts. The mission statement is simple: compress uncertainty faster than adversaries compress time. Everything else\, the detection discipline\, the AI architecture\, the metrics framework\, the cryptographic risk model\, is a design decision made against that standard.\n\n\nThe session covers the three structural shifts that make the legacy model insufficient\, the five components of the decision engine operating model\, and what the transition looks like in practice\, including what fails first\, what the hardest organizational resistance looks like\, and what early proof points tell you the model is working.\n\n\nSpecifically\, attendees will leave with a clear mental model for evaluating their own organization's current posture\, a diagnostic framework for identifying where the legacy model is already creating structural risk\, and three concrete actions they can take immediately\, regardless of budget cycle\, platform status\, or org structure.\n\n\nThe talk also addresses the risk that receives the least attention in most security operations conversations: the shrinking half-life of sensitive data. 
For organizations holding data within multi-year regulatory retention obligations\, long-lived contractual confidentiality requirements\, or enduring intellectual property value\, the assumption that exfiltrated data cannot be weaponized for years is eroding. The question that should be driving triage is not whether a breach occurred\, it is what the time-to-weaponization of the data involved is. Most SOCs have no answer to that question. This talk explains why that gap is a structural risk and what closing it requires.\n\n\nThis is not a theoretical framework. Every element described in this session has been built and validated in a production operational environment\, under real constraints\, against real adversaries. The speaker is not standing at the front of the room as a vendor\, an analyst\, or an academic. They are standing there as a practitioner who made the transition\, knows what it costs\, and knows what it produces.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:e79bd76f5db22d63ed7081f0f25d3d80
URL:http://blueteamcon2026.sched.com/event/e79bd76f5db22d63ed7081f0f25d3d80
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:The End is Just the Beginning of Better Security: Enhancing Vulnerability Management with OpenEoX
DESCRIPTION:Persistent cyber campaigns continue to threaten both public and private sectors\, with outdated\, unsupported edge devices emerging as a prime target for nation-state adversaries. End-of-Life/End-of-Support (EoL/EoS) technologies create enduring exposure across our Nation's critical infrastructure\, prompting CISA's February 2026 Binding Operational Directive (BOD) 26-02 requiring federal agencies to identify and replace EoS edge devices\, maintain current software\, and patch known vulnerabilities when immediate replacement is not feasible. The presentation will also introduce OpenEoX\, a new open source\, machine-readable standard\, developed by OASIS Open\, that streamlines the exchange of product lifecycle data across software\, hardware\, services\, and AI models\, and explain how it enables automated\, timely detection of EoL/EoS assets and seamless integration with existing tools and standards such as Software Bills of Materials (SBOMs) and the Common Security Advisory Framework (CSAF). It will detail the benefits for government agencies\, vendors and open source maintainers\, downstream users\, and the broader ecosystem\, and show how OpenEoX adoption supports transparency and consistency at scale. The session will also outline actions to operationalize OpenEoX\, such as publishing OpenEoX data publicly\, integrating OpenEoX into scanners and asset platforms\, and updating workflows to drive proactive replacement\, patching\, and upgrades for unsupported devices. The goal is coordinated adoption that reduces risk and strengthens security through a standardized\, transparent\, and automated lifecycle management framework.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:b65949644dfaa2c7dce877da3bc212c8
URL:http://blueteamcon2026.sched.com/event/b65949644dfaa2c7dce877da3bc212c8
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:The Malware Is Coming from Inside the Repo
DESCRIPTION:GitHub isn't just where developers work. It's where adversaries stage\, obfuscate\, and deliver malicious code. Every minute\, thousands of commits hit public repositories\, and buried inside that firehose are credential stealers\, reverse shells\, crypto drainers\, and the occasional nation-state lure dressed up as a coding challenge. The platform's openness\, trust\, and sheer volume are exactly what make it useful to attackers: free hosting\, free CDN\, a developer-friendly domain in every allowlist\, and a culture where running npm install or cloning a stranger's repo is just Tuesday.\n\nThis talk is about what happens when you actually try to watch all of it.\n\nWe'll walk through github-threat-scanner\, a pipeline that consumes the GitHub public event stream in near real time\, pulls down the code behind every push\, and runs it through a stack of decoders and detection rules looking for anything that smells wrong. The interesting problems aren't where you'd expect. Ingesting the stream is easy. Storing it is a solved problem. The hard parts are everything in between: peeling back the layers of obfuscation attackers use to hide payloads\, deciding what "malicious" even means when half the internet's legitimate code looks suspicious\, and keeping false positives low enough that a human analyst can still trust the queue.\n\nWe'll dig into the deobfuscation engine (CyberSaucier)\, a library of CyberChef recipes that chain together XOR bruteforcing\, base64 and hex decoding\, packed-JavaScript unwrapping\, PowerShell de-munging\, and the other tricks that turn a wall of gibberish back into something a detection rule can match on. You'll see which recipes earn their keep\, which ones we retired because they were pure theatre\, and the surprisingly mundane reasons some decoders fail in production that never show up in a blog post.\n\nThen we'll get to the fun part: who's actually out there. 
Commodity and Nation State actors treat GitHub Pages as disposable infrastructure. And threading through all of it are the targeted operations: DPRK-aligned clusters running fake job interviews and "technical assessments" that ship trojanized projects to developers at crypto firms and long-running personas that maintain plausible commit histories for months before turning hostile.\n\nYou'll leave with a concrete picture of how to build this kind of visibility yourself\, what the detection surface actually looks like once you're watching it\, and why GitHub deserves a seat in your threat model next to email and the browser. If you run a security team\, you'll walk out with questions to take back to your developers. If you write detections\, you'll have new ideas for where to point them. And if you just like watching adversaries do dumb things at scale\, there will be plenty of that too.\n\n\nThe best part of all of this? Most of this data was initially triaged and analyzed by an autonomous AI analyst running in a throwaway VM in dangerous mode\, unafraid of touching actual adversary infrastructure.\n\nNo prior knowledge of GitHub internals required. Bring opinions about regex.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:c94b871a63fccd239414bc0ed55f6626
URL:http://blueteamcon2026.sched.com/event/c94b871a63fccd239414bc0ed55f6626
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:The Only Way to Win Is by Learning: Deception Design\, Read Through a Comedy Game Show
DESCRIPTION:Most deception technology fails the same way a bad magic trick fails: the audience can see the strings. A pristine honeypot\, a too-obvious credential\, a decoy environment without any of the messy human fingerprints of a real network — these tip off skilled attackers in the first thirty seconds of contact and then sit unused\, generating no intelligence and no value.\nThis talk argues that the people who have already solved this design problem are\, improbably\, the writers of Dropout's Game Changer — a comedy game show where contestants don't know the rules\, and where the host's entire job is to design environments that intelligent\, adaptive people will inhabit fully while being watched. The parallels to defensive cyber deception turn out to be precise and useful.\nWorking through concepts including verisimilitude and "coherent imperfection\," choice architecture and the path of least resistance\, flow-state engineering for sustained engagement past the initial probe\, nested observation layers modeled on the show's "Bingo" episode\, and the counterintuitive Tularosa finding that announcing deception makes it more effective\, this session translates game-design craft into practical honeypot\, honeytoken\, and deception-fabric architecture any defender can deploy.\nAttendees will leave with a design checklist for building deceptive environments that sustain coherence under adversarial pressure\, a vocabulary for evaluating commercial deception platforms against actual attacker psychology\, and an argument for why the best deception operators are\, in a real sense\, game designers.\nThe talk is interactive. The audience is already playing.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:0e1d8e214378c023d4fcc1d069090a09
URL:http://blueteamcon2026.sched.com/event/0e1d8e214378c023d4fcc1d069090a09
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:The Second Front: Detecting LOTL Off the Endpoint
DESCRIPTION:Living-off-the-land (LOTL) isn't what it used to be. Blue teams have spent years tuning detections for the classic playbook - LOLBins\, malicious macros\, WMI abuse\, PowerShell\, etc. - and endpoint tooling has gotten pretty good at catching it. So\, attackers moved.\nLOTL is now operating across a second front: the identity and management plane\, which spans hundreds (if not thousands) of SaaS apps and authorizations in an enterprise. Stolen session tokens\, abused OAuth flows\, device code phishing\, and browser-native credential harvesting let adversaries operate entirely within sanctioned tools and legitimate traffic.\nScattered Spider\, and more recent evolutions like Scattered Lapsus$ Hunters\, operate inside victim environments using legitimate SaaS APIs and identity tooling: SSO\, MFA bypass via social engineering and post-auth attacks\, and direct access to cloud management planes. In every case\, the attackers aren’t hiding from EDR\; they’re operating in the browser context where EDR doesn't see.\nThis “missing middle” is a structural gap: EDR owns the endpoint\, and the IdP owns authentication events. But the space in between - the authenticated browser session\, the OAuth token\, the SaaS API call from a legitimate identity - belongs to no tool and appears on no dashboard. It’s a second front for LOTL\, and most blue teams don't have a strategy for it because they don't have visibility into it.\nThis talk maps the evolution of LOTL techniques from endpoint to identities and SaaS\, walks through the attack patterns that define the second front (AitM session hijacking\, OAuth abuse\, infostealer-to-IAB pipelines\, MFA-resilient phishing infrastructure)\, and describes a practical detection framework that addresses both fronts simultaneously. 
We'll look at what telemetry sources actually exist for in-browser and identity-plane activity\, how to build detection logic when you're pattern-matching against legitimate behavior rather than malicious binaries\, and how SOC teams can prioritize coverage across two active fronts without exponentially increasing analyst workload.\nAttendees will leave with a mental model for how these two LOTL fronts interact\, a framework for evaluating their own detection coverage gaps\, and concrete starting points for building detection programs that account for the full attack surface - not just the stuff that shows up in endpoint logs!
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:a0db265913d0a23bea8674c0784cee5f
URL:http://blueteamcon2026.sched.com/event/a0db265913d0a23bea8674c0784cee5f
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:Threat Intelligence at the Speed of Cyber Defense
DESCRIPTION:Cyber threat intelligence (CTI) is essentially a decision support function within cybersecurity. As such\, CTI that cannot enable\, improve\, or otherwise facilitate a security action is of questionable value. This is often evaluated in terms of CTI relevance\, applicability\, or accuracy\, but the relationship between CTI and security actions also demands investigation of another metric: timeliness. CTI that arrives too late for the supported decisions is functionally irrelevant.\n\n\nIn this discussion we will explore the implications of a time-oriented view for CTI production\, dissemination\, and integration into operationally-focused decision making. From this we will identify a key tension at the core of CTI analysis and production: that the SPEED at which CTI is produced and disseminated is often in conflict with the QUALITY or DEPTH of the produced CTI. Organizations cannot have immediate decision support on tactically-relevant timescales while simultaneously having deep context in the current environment. As a result\, tradeoffs are necessary to both recognize and navigate in developing a relevant CTI function. Furthermore\, evaluating CTI becomes a question of determining audience and customer needs\, purpose\, and response timelines to appropriately structure CTI support for the entity or specific decision maker in question.\n\n\nTo conclude this discussion\, we will examine the possibility of eliminating (or at least reducing) this dilemma through technical means. In particular\, future progress in the field of artificial intelligence may allow CTI functions to tap into mechanisms where context or detail and timeliness are no longer in direct conflict with one another\, mapping out an effective and meaningful way for AI to support CTI and broader security functions.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:14adf964ae26f2283a339522a7adbf45
URL:http://blueteamcon2026.sched.com/event/14adf964ae26f2283a339522a7adbf45
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:Too Big to Review: Scaling AppSec to Zero at Fortune #1
DESCRIPTION:As AI-powered development tools accelerate code velocity across the industry\, application security programs face an existential scaling problem: the team that was once a trusted partner to engineering has become a bottleneck. Traditional human-led security review cannot keep pace with the rate of new features\, services\, and infrastructure being shipped\; and bolting AI onto a broken process only makes it fail faster.\n\n\nThis talk presents a proven layered framework for scaling application security programs without proportionally scaling the security team\, drawn from direct experience building and running the SHINE (Security Hub of Innovation and Efficiency) program at AWS. The framework moves through three progressive layers: Golden Paths that eliminate entire risk categories before review through secure-by-default infrastructure\; Deterministic Automation that encodes repeated security decisions into binary\, scalable rules\; and Agentic Investigation where AI systems assemble complete application context and make judgment calls on genuinely novel problems.\n\n\nIn practice\, this architecture reduced security review time by 30% through deterministic automation\, drove 90%+ adoption rates of new applications onto secure-by-default infrastructure via CDK property injection\, and enabled an Agentic Security Engineer capable of context-aware decisions that previously required senior human involvement.\n\n\nIn today's AI-driven world\, the instinct is to reach for a model. But that instinct is wrong when applied too early: AI is not a fix for a broken foundation - it amplifies whatever is already there. Teams missing stability at the foundational layers will find that AI makes the chaos faster\, not better. This talk provides a concrete\, implementation-grounded roadmap for building the foundation that makes automation and eventually agentic AI actually work.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:32c9fae5ef79629136bdd92d8eca52a8
URL:http://blueteamcon2026.sched.com/event/32c9fae5ef79629136bdd92d8eca52a8
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:Trusted\, But Dangerous: Identity Abuse Through First-Party Apps in Entra
DESCRIPTION:Microsoft Entra environments rely heavily on implicit trust in Microsoft first-party applications\, yet most defenders have limited visibility into how expansive that trust boundary truly is. With more than 4\,000 Microsoft first-party app IDs\, many operate as “ghost” applications: active in authentication and token issuance\, but not clearly represented in enterprise application views or routinely monitored by defenders. This creates a significant blind spot in identity security.\nThis session explores how these trusted applications can be abused through Resource Owner Password Credentials (ROPC)\, Family of Client IDs (FOCI)\, and token issuance behaviors that extend access beyond what defenders typically expect. Rather than focusing on generic anomalous sign-ins\, the talk centers on capability: the delegated scopes these applications request\, the permissions they inherit\, and how those access paths can be leveraged to persist and expand access within a tenant. These behaviors can be executed through standard Graph API interactions and demonstrate how ROPC can be leveraged to obtain tokens without interactive authentication and\, in many real-world environments aligned with historical Microsoft guidance\, results in effective MFA bypass conditions.\nAttendees will learn how ROPC remains relevant in modern identity attacks\, how first-party application trust complicates Conditional Access enforcement\, and why policy evaluation differs between interactive and non-interactive authentication paths. The session also examines token lifecycle in depth\, including how refresh tokens can persist for extended periods\, how Continuous Access Evaluation (CAE) impacts enforcement\, and why resetting user credentials does not necessarily revoke active access without additional token invalidation steps.\nFrom a defensive perspective\, this talk provides practical\, immediately usable guidance. 
It includes KQL queries specifically designed to identify ROPC authentication activity\, enumerate first-party application usage\, and help defenders understand which client applications are requesting access and with what scope. It also covers Conditional Access policy considerations\, validation techniques\, and response actions to take during identity incidents involving token abuse.\nA companion GitHub repository is included with ready-to-use KQL queries\, detection logic\, and example configurations. Attendees will leave with a concrete understanding of how first-party application trust can be abused\, where visibility and enforcement gaps exist\, and how to build effective identity-focused detection and response workflows in Microsoft Entra.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:1c16cb48340c9bfb4236c385f77a808a
URL:http://blueteamcon2026.sched.com/event/1c16cb48340c9bfb4236c385f77a808a
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:Using Pentest Findings to Improve Detections
DESCRIPTION:Most penetration test reports get filed and forgotten. SOC teams never confirm whether their alerts fired during the engagement\, and adversaries keep reusing the same techniques. This session shows blue teamers how to digest a penetration test report and turn every pentest finding into a working detection.\nWe'll break down pentest reports from the SOC's perspective\, focusing on the methodology sections where attacker behavior is documented with command line invocations\, tooling\, and attack narratives. We'll cover what artifacts to require from testers before the engagement begins\, including timestamped command logs\, source and target IPs\, compromised accounts\, and MITRE ATT&CK technique IDs.\nAttendees will leave with a repeatable feedback loop for transforming pentest results into measurable detection improvements\, supported by tools like Sigma\, Atomic Red Team\, VECTR\, and Caldera.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:b92890a2f8eb37edf70374b5d289ad83
URL:http://blueteamcon2026.sched.com/event/b92890a2f8eb37edf70374b5d289ad83
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:Vibe Check: Scaling AppSec in an AI-Driven World
DESCRIPTION:Scaling an AppSec program is hard enough in a traditional environment\, but it gets exponentially more difficult when Sonny from Accounting decides to vibe code their own full-stack internal tool over the weekend and announces it in the company All Hands on Monday. The "Shift Left" movement promised to get in front of security breaches by thinking about security early in the development lifecycle\, but AI has thrown that idea out the window. How do we shift left when teams are deploying demos in the time that it used to take to agree on basic design principles? Teams are shipping code faster than it can be reviewed\, and in an era when anyone who can write a mostly coherent thought can pump out an application\, vibe coders are spinning up unreviewed shadow apps overnight.\n\n\nThe modern AppSec program has to adapt and scale without becoming a bottleneck. We have to focus on:\n\nAutomated Guardrails: Leveraging AI to secure the code that AI creates.\n\nDemocratized Security: Extending AppSec to the vibe coding masses through self-service tooling.\n\nMaintaining Quality at Speed: Using risk-based prioritization when the codebase is growing exponentially.\n\nAppSec programs need to stop policing every line of code and start building resilient ecosystems where everyone\, not just traditional software engineers\, can build safely regardless of how they write their code.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:c1b0b6d6cb6791bc40ad29fb7a10388a
URL:http://blueteamcon2026.sched.com/event/c1b0b6d6cb6791bc40ad29fb7a10388a
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:Vulnerability Management: The Leadership Playbook
DESCRIPTION:Most vulnerability programs keep teams busy without reducing risk. Mean-time-to-remediate improves quarter over quarter while the total count of unpatched vulnerabilities climbs. The program optimizes a local maximum: patching speed. This talk presents four strategies for escaping the cycle\, and the leadership behaviors each strategy requires.\nStrategy 1: Shrink what needs protecting. Every decommissioned environment\, consolidated tool\, and disabled stale account is one less thing to scan\, patch\, monitor\, or defend. Specific targets exist in every organization: SaaS products nobody canceled after a pilot\, test environments that outlived their projects\, overlapping tools acquired through inertia. Zero-based security budgeting surfaces surprising candidates for elimination and reframes security from cost center to cost-reduction partner. But decommissioning requires a shared source of truth. When security counts 200 SaaS applications\, finance tracks 100 with purchase orders\, and IT lists 50 in systems management tools\, conversations stall. Building that shared reality across departments is the prerequisite for any attack surface reduction initiative.\nStrategy 2: Look beyond scanning. Scanners miss configuration drift\, exposed APIs\, shadow infrastructure\, and short-lived cloud resources that disappear between scan cycles. Pairing vulnerability scanners with endpoint agents\, cloud security posture tools\, systems management software\, and identity providers gives a more accurate picture of what needs attention. This section also challenges the "attackers only need to be right once" myth. Map it against MITRE ATT&CK: attackers must succeed at reconnaissance\, initial access\, persistence\, lateral movement\, and exfiltration. Every stage\, sequentially. Defenders disrupt one step. Architectural choke points like SSO create disproportionate defensive returns. Terrain knowledge compounds over time and is impossible for an external attacker to replicate.\nStrategy 3: Prioritize with context. Base CVSS scores assume worst-case conditions and mislead patching teams. Combining exploitability data such as EPSS scores and CISA's KEV catalog with environment specifics\, including network exposure\, compensating controls\, and data sensitivity\, produces rankings that reflect actual risk. A CVSS 6.5 on an internet-facing authentication server often deserves faster action than a CVSS 9.0 on an isolated test box. When patching teams see priorities grounded in their reality\, they trust the process and act on it. The job of a security leader is not to maximize security but to calibrate acceptable insecurity through criteria a business colleague would understand.\nStrategy 4: Apply pressure without alienating the teams who do the work. Patching teams are measured on delivery velocity\, not vulnerability metrics. Earning a seat in their planning sessions starts with understanding their constraints and what they are trying to ship this quarter. Allies often sit outside security and IT: General Counsel cares about legal exposure\, product management about customer trust\, finance about cost reduction. Frame requests in terms of their objectives\, not your risk scores. If your assessment doesn't change the state of the organization\, it hasn't reduced risk.\nThe talk closes with metrics that measure program health rather than activity\, guidance on communicating vulnerability management to boards and executives\, and five diagnostic questions attendees take home to assess whether their program is reducing risk or producing reports.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:4acebdc9bd3ca2055f1357796617b77d
URL:http://blueteamcon2026.sched.com/event/4acebdc9bd3ca2055f1357796617b77d
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:When the Package Is the Weapon: Detecting and Responding to npm Supply Chain Intrusions
DESCRIPTION:Your developers trust npm. Attackers figured that out before your detection stack did.\nThis talk is a ground-up forensic reconstruction of two real npm supply chain campaigns — the NX package compromise in late 2025 and the axios RAT campaign in March 2026 — told entirely from the defender's perspective. Not a theoretical exercise. This is what the logs actually looked like\, what the tooling missed\, and what finally surfaced the activity.\nWe walk through how a malicious git hook silently drops a RAT onto a developer endpoint the moment they run a routine yarn dlx command\, why this technique is specifically engineered to stay quiet in standard endpoint telemetry\, and what the attacker does next. The target isn't your servers. It's the MetaMask wallet sitting in your developer's browser profile and the seed phrases cached in their dotfiles. Cloud credentials are secondary — harvested and staged for resale while the crypto moves on-chain.\nThe second half of the talk is pure blue team. We'll share the Humio/LogScale query patterns that actually worked\, the CrowdStrike telemetry fields that matter for this attack class\, the detection gaps these campaigns deliberately exploit\, and a hardening checklist your security team can hand directly to engineering.\nReal IOCs and detection artifacts from live incident forensics will be released during the session.\nYou will leave with something you can use the same week.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:c1ee163bccd804e9675dfea128a6bbbb
URL:http://blueteamcon2026.sched.com/event/c1ee163bccd804e9675dfea128a6bbbb
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:Why Incident Response Plans Fail Under Pressure
DESCRIPTION:Most incident response plans do not fail because the document is missing. They fail because people do. Under pressure\, some teams panic and abandon strategy. Others choke\, overanalyze\, and freeze. In both cases\, the plan may be technically sound\, but human performance and cross-functional coordination break down.\n\nThis session explores why comprehensive IR plans still collapse in real incidents\, even in organizations with mature security programs and well-documented procedures. Through breach case studies and practical lessons from high-pressure performance\, we will examine what traditional tabletop exercises and compliance-driven training rarely test: legal pressure\, executive escalation\, media scrutiny\, conflicting incentives\, and the absence of pre-authorized decisions.\n\nAttendees will leave with a practical framework for making incident response more resilient. We will cover how to reduce panic through cognitive offloading and automation\, how to reduce choking through pre-authorized response paths and role clarity\, and how to design adaptive simulations that force teams to make decisions under realistic pressure. We will also discuss how blameless postmortems turn failure into better instincts for the next crisis.\n\nThe goal is not a better-looking incident response plan. The goal is a response culture that still works when the facts are incomplete\, the stakes are high\, and every minute counts.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:458f7425675bb2806d3ea9f23ac591c6
URL:http://blueteamcon2026.sched.com/event/458f7425675bb2806d3ea9f23ac591c6
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T153000Z
DTEND:20260912T163000Z
SUMMARY:Your User\, Their Rules: Rethinking the OS trust model for the AI-era
DESCRIPTION:Operating systems solved multi-user security decades ago: files have owners\, permissions enforce boundaries\, and one user's processes cannot tamper with another's data. But modern developer workstations are effectively single-user machines — and every process running as that user inherits the same trust. For years\, this was a footnote. Today\, it is the attack surface.\n\n\nThe explosion of AI-powered developer tools — IDE agents\, MCP servers\, lifecycle hooks\, autonomous coding assistants — has turned local configuration files into high-leverage control planes. These tools store security-critical state (working directories\, cluster credentials\, session metadata\, agent memory) in files and act on them without integrity validation due to assumed trust. The OS says "same user\, same trust." The AI tool says "if it's in my config\, I'll execute it." The result: any process running in the user's context — a compromised npm package\, a malicious browser extension\, a rogue VS Code plugin — can cause havoc: silently hijack an AI agent's behavior\, redirect kubectl to an attacker-controlled server\, or trigger recursive deletion of arbitrary directories\, to name a few.\n\n\nIn this talk\, we present a systematic analysis of this trust gap through three original vulnerability disclosures across Docker Desktop\, Lens Desktop\, and Claude Desktop. In each case\, the attack requires no privilege escalation\, no kernel exploits\, and no user credentials — only the ability to write to a JSON file that the OS considers perfectly authorized. We use these as case studies to examine a broader architectural problem: the classic OS segregation model was built for a world where "same user" meant "same human." In the age of AI agents\, MCP servers\, and autonomous tools\, "same user" now means "same human plus every autonomous process acting on their behalf" — and processes don't necessarily verify whether the others are trustworthy.\n\n\nWe will dissect why this pattern keeps recurring (electron-store defaults\, the absence of application-level integrity checks\, the gap between OS-level and application-level trust)\, propose a threat model for "intra-user trust boundaries\," and provide concrete detection and hardening strategies for security teams who need to defend developer endpoints where the OS permission model is necessary but no longer sufficient.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:c4dd7ec698bf15c000eaece11c61d0af
URL:http://blueteamcon2026.sched.com/event/c4dd7ec698bf15c000eaece11c61d0af
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260616T094354Z
DTSTART:20260912T160000Z
DTEND:20260912T170000Z
SUMMARY:How We've Gone Completely Phishing-resistant (And So Can You!)
DESCRIPTION:Phishing-resistant authentication is shifting from optional to mandatory. Not only are attackers using phishing as the primary mechanism to evade traditional forms of MFA\, but they are also evolving their attacks to find ways around implementations where phishing-resistant auth is only preferred and not enforced. The road to deploying passkeys\, Windows Hello for Business and Mac Platform SSO looks easy enough in the Microsoft docs\, but what does it look like to implement them as mandatory across a workforce? In this session we’ll cover how we went from a handful of FIDO2 keys to phishing-resistant authentication across our enterprise in Entra ID at breakneck speeds. We’ll explore the ins and outs from a technical and organizational perspective of the implementation\, the gotchas we hit along the way\, and how we overcame them. We’ll cover edge case scenarios\, and how deploying passkeys is just part of the bigger equation to going phishing-resistant. We’ll also examine phishing attack trends we were seeing\, which helped inform and shape policy so that phishing-resistant authentication isn’t an option – it’s the only option.
CATEGORIES:TALK
LOCATION:Swissôtel Chicago\, 323 E Wacker Dr\, Chicago\, IL 60601\, USA
SEQUENCE:0
UID:57daf7a0fd9e96208cbd5a58fc31a26f
URL:http://blueteamcon2026.sched.com/event/57daf7a0fd9e96208cbd5a58fc31a26f
END:VEVENT
END:VCALENDAR
