With essential features like identity-based access control and cloud hosting, web password managers are being increasingly adopted in corporate environments, protecting credentials for millions of users.As a direct response to this shift, a new generation of malware, such as Raccoon and Meduza stealers, is beginning to target software like Bitwarden and Lastpass.For defenders to better understand how these type of malware operate, we will take the example of Bitwarden, a widely adopted open-source password manager. Our goal is to demonstrate a generic approach to password extraction, applicable to virtually any software on the market. This exploration will cover exclusive attack techniques ranging from malicious browser extensions to Chromium function hooking, as well as many other new techniques.While these techniques are almost impossible to prevent, we will share practical recommendations for a defense-in-depth strategy.To conclude, we will unveil PwnWarden, an open-source tool designed to help security professionals emulate password managers discovery and secret extraction in a corporate environment.

This session explores the rapidly evolving ransomware landscape through a cross-platform lens, focusing on critical developments in both macOS and Windows ecosystems. The session traces macOS ransomware’s transformation from early proof-of-concepts to sophisticated multi-architecture campaigns targeting Intel and Apple Silicon hardware, showcasing real-world threats like NotLockBit and FrigidStealer that bypass Apple’s advanced security features.Attendees will gain unique insights into the latest Apple security innovations, including Gatekeeper 3.0, enhanced transparency controls, and machine-learning driven threat detection, understanding how these reshape the attacker-defender dynamic. The presentation also bridges gaps between platforms by detailing tailored digital forensic and incident response strategies essential for modern mixed environments, emphasizing artifact collection, cloud exfiltration detection, and tooling adaptations.

In this talk, I’ll share the story of how our team built an open-source, in-house Software Composition Analysis (SCA) tool to better manage third-party dependencies across projects. Rather than relying on expensive, rigid commercial tools, we built something lightweight, free, and flexible designed to actually work within real engineering workflows.

This talk presents VSXPloit, the first publicly available framework that:- Automates Remote Tunnel exploitation, eliminating the need for manual setup and reverse connection via other mediums for exploitation.- Generates payloads that establish tunnels stealthily across Windows and Linux environments.- Exfiltrates tunnel/session details into GitHub repositories, leveraging trusted infrastructure for communication.- Customizable to match further updates and needs for red teamers with friendly YAML based templatesBy chaining Remote Tunnel abuse with GitHub as a covert exfiltration medium, VSXPloit enables stealthy red team operations that blend into normal traffic. The talk will cover:- How VS Code Remote Tunnels work and where the blind spots lie.- How VSXPloit automates payload generation and tunnel setup.- Demonstrations of cross-platform exploitation.

A powerful exploration of how trust, ethics, and human oversight must evolve as intelligent machines gain influence over decisions, systems, and society itself.

This session explores how a modern SIEM analyses events, makes decisions, and triggers real-time responses. Mohammed Tayyar outlines how detection logic, automation, and analyst workflows integrate inside a mature environment. The talk highlights use cases that improve triage speed, correlation accuracy, and operational efficiency.

In today’s volatile threat landscape, defense-in-depth is not just a layered stack of tools - it’s a mindset. Rooted in Sun Tzu’s enduring principle, “Know thy enemy, but first know thyself,” this presentation guides CISOs through practical, actionable strategies that begin with understanding their organization from the inside out.Devon Bryan - 5-time global CISO - will deliver a modern framework to help security leaders align internal visibility, asset prioritization, and cultural awareness with advanced threat modeling and adversarial behavior mapping.

As automation and AI take on more security tasks, the human element remains irreplaceable. This session explores why judgment, intuition, creativity, and ethical decision-making still matter - and how humans and machines can work together to build stronger, smarter defenses for the future.

This session explores preemptive cyber defence using DNS as a primary control. Tareq Momani explains how DNS telemetry reveals early attack signals and how security teams can act on them at scale. The talk outlines how DNS driven detection reduces exposure to new threats, improves visibility across distributed environments, and strengthens response planning with evidence teams already capture.

This session explores the growing threat of automated fake bank calls, where attackers use VoIP, caller ID spoofing, AI-generated voices, and automated IVR phishing systems to target thousands of victims. Attendees will gain an inside look at the “robocall factory,” including the technical setup, call automation workflow, and social engineering techniques. The session also covers practical strategies to defend against these scams, combining technical controls and awareness campaigns. By the end, participants will understand both how these attacks operate and how to effectively protect organizations, government entities, and the wider community.

The accelerating growth of China–Gulf technology partnerships, particularly under initiatives such as the Digital Silk Road, is reshaping the economic and digital landscape of the Middle East. This session examines the evolving dynamics of China–Saudi Arabia cooperation in technology and cybersecurity, highlighting both the opportunities and challenges arising from deeper digital integration.As the Kingdom advances its Vision 2030 goals and China continues to expand its global digital presence, their collaboration offers vast potential for innovation, infrastructure development, and knowledge exchange. Yet, it also brings to light important questions regarding cybersecurity governance, regulatory alignment, and digital sovereignty.Through an analytical exploration of current frameworks, policy approaches, and real-world case studies, this discussion sheds light on how differing cybersecurity standards between the two nations may influence trust, resilience, and long-term strategic alignment.

The pace of change in AI and cybersecurity makes it hard to keep up and maintain a basic level of competency in these subjects. One can quickly feel like an imposter. This deep dive will dig into five ways to understand these topics more deeply so that you can accelerate your level of competency, keep up, and maybe even get ahead.

This session examines how rigid compliance requirements can weaken real security. Mohammed Almarri explains how teams lose visibility when they focus on checklists instead of operational realities. The talk highlights failures seen in real attacks, including blind spots in network coverage, noise that hides true signals, and outdated controls that no longer match threat behavior. It also outlines practical steps to improve detection quality, strengthen visibility, and move from compliance driven security to threat driven security.

Tracing the Cyber Shift at Black Hat MEA

In an ever-evolving threat landscape, ensuring a strong security posture while meeting annual compliance regulations has never been more important. As organizations work to protect their data and systems, they must meet compliance standards while building real security processes on top. Traditionally, penetration testing (pen testing) has been the go-to method for assessing security posture, but it has its limitations. Enter Purple Team Exercises (PTE) – a more comprehensive and collaborative approach to cybersecurity testing. Introduction to the purple team process: free PTEF e-book created by the community, planning organizational scope, technical complexity, and frequency Threats: how to research, harvest, and develop cyber threat intelligence (CTI) Red: introduction to several approaches/tools to operationalize CTI Blue: detection engineering how to build telemetry for visibility and time to response, introduction to Sigma.

Erlang is the backbone of many high-availability systems in telecom, IoT, and distributed infrastructure. However, it remains largely unexplored by the reverse engineering and security research communities, particularly in scenarios where source code and metadata are unavailable. While existing tools offer some support for static bytecode analysis, dynamic introspection into running Erlang systems remains a blind spot.This research introduces a novel methodology for blackbox dynamic analysis of BEAM-based systems. We demonstrate how to trace, inspect, and manipulate live Erlang processes in production-like environments—without source code, symbols, or conventional debugging hooks. Through careful analysis of the BEAM virtual machine internals, we expose techniques to intercept function execution, reconstruct runtime behavior, and perform low-level process instrumentation.This work aims to open up Erlang as a viable target for dynamic reverse engineering, providing new pathways for security research on a historically under-analyzed platform.

The world is changing. So are the people leading it. In this panel, cybersecurity experts break down how they lead through disruption, nurture emerging talent, and build trust across teams.

In this session, we’ll walk through ten hard-earned lessons from the frontlines of building real-world AI agents for cybersecurity. From data hallucinations and prompt injection attacks to securing MCP servers and avoiding over-automation pitfalls, these insights come not from theory but from hundreds of hours of design, testing, failure, and iteration. Whether you’re experimenting with your first AI agent or scaling an entire fleet, this talk will ground you in the architectural, security, and operational realities of deploying AI responsibly in the cyber domain.