Mapping Financial APT Threats to Cyber Risk Registers: A Strategic Impact Matrix Approach
- 15:40
- Thu
- 04 Dec
Stage:
Briefings 2
Session Type:
Presentation
In this session, “Mapping Financial APT Threats to Cyber Risk Registers,” Asma Alqahtani and Ghazayil Alkhalifa explore the evolving threat landscape facing financial institutions through the lens of the top five Advanced Persistent Threat (APT) groups with current or historical targeting of the sector. The session introduces the APT Business Impact Matrix, a framework that links threat actor behavior to four critical dimensions of business impact: Revenue, Reputation, Regulation, and Resilience. By analyzing recent TTPs, regional targeting, and intent, each threat actor is assessed for its strategic relevance. These insights are then mapped into a Cybersecurity Risk Register, empowering organizations to align cybersecurity priorities with actual threat exposure—not just compliance checklists. This matrix-based approach helps security teams communicate more effectively with executive leadership, enabling better resource allocation, stronger risk governance, and clearer regulatory justification. The presenters will demonstrate how operational threat intelligence, when shaped by strategic reporting and CISO-level oversight, becomes a vital tool for financial sector resilience and regulatory alignment.
Presenter:
AI and Threat Intelligence: Advancing Predictive Threat Hunting
- 15:40
- Thu
- 04 Dec
Stage:
Briefings 1
Session Type:
Presentation
This session explores how cyber threat hunting can be elevated by integrating threat intelligence and artificial intelligence. We’ll demonstrate how correlation across multiple data sources enables predictive defense mechanisms. The presentation includes a live PoC (Proof of Concept) of two applications showcasing real-time detection and AI-driven analysis.
Presenter:
Third-Party Domino Effect: Governance in an Interdependent Supply Chains
- 15:45
- Thu
- 04 Dec
Stage:
Executive Summit
Session Type:
Fireside Chat
No governance, no brakes. Learn how decision rights, contract controls, continuous assurance, and rehearsed response keep a single vendor issue from becoming a multi-party outage - and how to prove it with metrics that matter.
Presenter:
Professor, Researcher, and Consultant in Cybersecurity and AI | Saudi Ambassador
Global Council of Responsible AI (GCRAI)
Zero Trust or Bust: Roadmaps for a Boundaryless Security Era
- 15:50
- Thu
- 04 Dec
Stage:
Woman in Focus
Session Type:
Panel
As networks stretch beyond traditional perimeters, Zero Trust has become a necessity - not a nice-to-have. This session walks through practical roadmaps for adopting Zero Trust in real environments, breaking down where to start, what to prioritise, and how to make it work in a boundaryless wo
Presenter:
Splunk: AI-Powered Autonomous SOC
- 16:00
- Thu
- 04 Dec
Stage:
Briefings 2
Session Type:
Presentation
This session explains how Splunk Cisco use AI to build an autonomous SOC. Rami Kamal outlines how AI drives alert correlation, investigation, and response logic inside modern SOC design. The talk covers integration challenges, decision accuracy, automation safety, and high-signal detection strategies for large cyber workloads.
Presenter:
Reverse Engineering Locker Ransomware
- 16:00
- Thu
- 04 Dec
Stage:
Briefings 1
Session Type:
Presentation
Locker ransomware is a form of malware that blocks user access to their device by locking the screen, demanding a ransom to restore control. Unlike crypto-ransomware, it doesn’t encrypt files. However, because it shares behavioral traits, such as demanding payment and preventing normal system usage, it's often classified as ransomware. This session dives deep into the reverse engineering process of locker ransomware, focusing on how it operates, hides, and locks access. We begin with basic static analysis: examining the PE header, identifying the compiler used, scanning for suspicious strings, and evaluating the import address table. Tools like PE Studio, DIE, BinText, and 4n4lDetector are introduced for initial analysis. For .NET-based locker samples, we explore dnSpy, ILSpy, and dotPeek to view and analyze decompiled code. We also cover native binaries using tools like IDA Pro, Ghidra, and Radare2. You'll learn how to identify packers by section names and unpack them using utilities like UPX and de4dot. The session also explains the unlocking chain: how the ransomware checks for a key (hardcoded or file-based), the process of validation, and unlocking. We'll inspect features like VM/sandbox detection, persistence through registry or Task Scheduler, and USB spread mechanisms. Techniques to disable Task Manager, Registry Editor, and recovery options are also reviewed. Finally, we emphasize string analysis to locate embedded keys, understand behavior, and trigger unlock conditions. Real-world code snippets and logic breakdowns are shared to demonstrate how to defeat and reverse engineer locker ransomware effectively.
Presenter:
The Daily Drop - Live from Black Hat MEA (Day 3)
- 16:00
- Thu
- 04 Dec
Stage:
The Back Room
Session Type:
Podcast
Join Gary Hayslip and William Lin at The Back Room Live as they close out Black Hat MEA with a final look at the day’s big moments, standout speakers, and the themes that defined this year’s conference. A sharp, lively recap to wrap up Day 3 and the event as a whole - happening at 4:00 PM.
Presenter:
HardPwn: Automated Hardware Exploitation Toolkit
- 16:00
- Thu
- 04 Dec
Stage:
Arsenal Lab
Session Type:
Demo
HardPwn is a purpose-built hardware exploitation platform crafted for intermediate and advanced hardware hackers who want to push embedded devices, PCBs, and IoT gadgets to their limits. The toolkit elevates low-level hardware reconnaissance by automatically probing SPI, UART, I2C, and JTAG interfaces, performing chip-level reconnaissance where possible, executing NAND glitching on non-BGA chips, and dumping firmware—all with minimal setup. By automating over 90% of typical test cases, HardPwn transforms what traditionally takes months of manual exploration into a matter of hours.
Presenter:
Moving Target Defence: Playing Around with Attackers
- 16:00
- Thu
- 04 Dec
Stage:
Sponsored Briefings
Session Type:
Presentation
This session explains how moving target defence disrupts attacker reconnaissance and exploitation. Bushra Alhetelah outlines the core techniques, including dynamic network changes, shifting attack surfaces, and unpredictable system configurations. The talk highlights how these methods increase attacker workload, reduce dwell time, and strengthen SOC defence strategies.
Presenter:
Lessons from the Field: The Personal Security Habits Cyber Pros Actually Use
- 16:00
- Thu
- 04 Dec
Stage:
Black Hat Campus
Session Type:
Presentation
Working at the front lines of digital defense changes how you live your life—and for good reason. I'll take you behind the curtain to show you the daily, practical security tactics that seasoned professionals use to protect their own families, finances, and identities. This isn't about theory; it's about the essential, battle-tested digital hygiene that prevents disastrous breaches. Learn how a defensive mindset and a few simple habits can make you a hard target in a world of constant threats.
Presenter:
FalconEye AI-Powered Security Analysis with Local LLM
- 16:20
- Thu
- 04 Dec
Stage:
Arsenal 3
Session Type:
Demo
FalconEye represents a new era in AI-driven security analysis, blending the power of locally hosted Large Language Models (LLMs) with advanced audit methodologies. Unlike traditional static analysis tools that rely on predefined patterns and generic scanning, FalconEye is designed to think and operate like an expert security auditor. At its core, FalconEye employs a system of intelligent AI agents that collaborate much like human audit teams—building dynamic knowledge graphs, forming hypotheses, and conducting targeted investigations. This approach allows it to not only identify vulnerabilities but also to understand their broader context within the system architecture. One of FalconEye’s defining strengths is its privacy-first design. Through seamless integration with Ollama, all analysis is conducted locally, ensuring sensitive codebases and data remain under the user’s control. The system also emphasizes performance optimization, leveraging task-specific models—ranging from lightweight quick scans to heavyweight reasoning models for deep analysis. Over time, FalconEye accumulates knowledge across sessions, enabling richer, more insightful analysis that evolves with the project. This session will provide a deep dive into FalconEye’s architecture and capabilities, showcasing how dynamic knowledge graphs, hypothesis-driven analysis, and multi-agent collaboration come together to deliver professional-grade security audits. Attendees will see firsthand how FalconEye transforms code reviews into a living, evolving process, and how it generates detailed, actionable security reports tailored for real-world use. Whether you are a security researcher, developer, or engineering leader, this session will demonstrate how FalconEye bridges the gap between automated tools and human expertise.
Presenter:
Building the Human Firewall: Neuroscience-Backed Nudges That Change Security Behaviour
- 16:20
- Thu
- 04 Dec
Stage:
Briefings 2
Session Type:
Presentation
AI has made social engineering attacks highly sophisticated, and rogue agents have yet again widened the threat landscape. Role-based training, posters, and annual compliance training don’t create automatic, resilient behaviours under pressure. Attackers, and now AI-accelerated workflows, exploit attention, stress, and habit. Where is our Human in the Middle when it comes to security defence? My briefing will show how to engineer secure behaviour using neuroscience and behavioural science. I will cover why techniques such as habit formation, cognitive load, and just-in-time nudges, delivered via embedded microlearning (email, chat, SSO, ticketing), are amongst your best methods of defence. I will translate proven behavioural models (spacing, B=MAP/COM-B) into production patterns that reduce phishing susceptibility, shorten the time to report, and improve MFA/task success without adding friction. Because modern workflows increasingly include AI assistants, we’ll also cover a practical slice on teaching staff to recognise off-policy or rogue AI behaviour (scope creep, credential grabs, unusual data pulls) using the same behaviour-change toolkit. I will cite real-life examples of how, when fear-based messaging is replaced with clear, compassionate prompts, it reduces shame and increases action. I will share how to use behavioural science to build psychological safety and social proof across the organisation, shifting the company toward an enterprise-wide security culture by embedding secure behaviours into day-to-day work.
Presenter:
From Retrieval to Risk: Red Teaming and Securing the RAG-Enabled LLM Stack
- 16:20
- Thu
- 04 Dec
Stage:
Briefings 1
Session Type:
Presentation
Retrieval-Augmented Generation (RAG) is becoming the enterprise standard for deploying intelligent LLM-powered assistants, copilots, and bots — especially for sensitive tasks in finance, legal, healthcare, and national security. But as the adoption of RAG architectures explodes, so does the attack surface. This session explores how adversaries are already red-teaming the RAG stack, and what organizations must do to secure it. We introduce a structured attack taxonomy for RAG systems—covering prompt injection through vector stores, inference-time data poisoning, latent information leakage, and hallucination amplification via low-quality retrieval. Drawing from our security evaluations of real-world RAG deployments, we present offensive demonstrations of how manipulated document embeddings and malicious retrievers can compromise even fine-tuned LLMs. The session also walks through blue-team countermeasures: memory firewalls, query sanitizers, retriever-to-generator alignment scoring, and role-separated inference pipelines. Special focus is given to governance and audit mechanisms to meet AI compliance standards (e.g., ISO 42001, NIST AI RMF, and SDAIA Ethics). By the end of the talk, attendees will be equipped with a blueprint for red-teaming, defending, and continuously monitoring RAG-enabled LLM systems—transforming today’s AI copilots from black-box risk centers into secure enterprise knowledge systems.
Presenter:
Chairman of Cybersecurity and Forensic Computing Department
University of Prince Mugrin
Angry Magpie: DLP Bypass Simulator
- 16:20
- Thu
- 04 Dec
Stage:
Arsenal 1
Session Type:
Demo
This session demonstrates critical vulnerabilities in enterprise Data Loss Prevention (DLP) systems through Angry Magpie, an open-source toolkit that exposes how attackers can bypass endpoint DLP solutions using browser-based techniques. We'll explore the fundamental architectural limitations of current DLP implementations, which fail to provide adequate protection in browser environments. The presentation will showcase four primary "Data Splicing" attack techniques: data sharding, ciphering, transcoding, and channel smuggling. Through live demonstrations against leading DLP solutions, attendees will witness how easily these protections can be circumvented and learn practical countermeasures for strengthening their organization's data security posture.
Presenter:
Investing in Digital Trust: Cybersecurity Sovereignty and Tech-Localization
- 16:20
- Thu
- 04 Dec
Stage:
Executive Summit
Session Type:
Sponsored
Digital trust is emerging as one of the most valuable and scarce commodities in the global economy. This discussion reframes trust as an investment class where secure design, ethical AI, and data sovereignty yield both financial and reputational returns. It is a lens for investors and executives to evaluate not only cyber maturity but the long-term viability of digital ecosystems.
Presenter:
SkyEye: When Your Vision Reaches Beyond IAM Boundary Scope in the Cloud
- 16:20
- Thu
- 04 Dec
Stage:
Arsenal 2
Session Type:
Demo
In this Arsenal session, we will showcase a new framework: SkyEye - The First Cooperative Multi-Principal IAM Enumeration Framework for AWS Cloud. SkyEye Framework proposed and developed two novel models: CPIEM and TCREM. Unlike conventional tools and frameworks, SkyEye is able to synchronize reconnaissance across multiple user and role sessions, dynamically chaining and merging their vantage points to unravel the full spectrum of permissions, resource authorizations, and hidden escalation paths. This methodology exposes not only what each principal can see, but also what they can achieve in combination, uncovering hidden attack vectors and privilege escalation paths invisible to traditional IAM enumeration.
Presenter:
Silent Saboteurs: Unmasking the Ghosts in Your Supply Chai
- 16:20
- Thu
- 04 Dec
Stage:
Woman in Focus
Session Type:
Panel
Supply-chain threats often hide in plain sight. This session uncovers the unseen risks - shadow vendors, outdated integrations, and invisible dependencies - that quietly undermine security. Learn how to spot these “ghosts,” contain their impact, and build a supply chain that can’t be easily compromised.
Presenter:
How to Build Data Pipelines for Faster & Effective Threat Hunting
- 16:20
- Thu
- 04 Dec
Stage:
Sponsored Briefings
Session Type:
Presentation
This session explains how to engineer data pipelines for faster, high-signal threat hunting. George Merhej outlines collection gaps, poor indexing, incomplete enrichment, and inconsistent evidence flow that slow investigations. The talk covers practical methods to standardise ingestion, build detection-aligned datasets, test correlations early, and reduce signal loss across scale.
Presenter:
Securing Agentic AI: A Full-Lifecycle Approach for Cybersecurity and Business Leaders
- 16:20
- Thu
- 04 Dec
Stage:
Deep Dive
Session Type:
Presentation
As AI systems become increasingly autonomous and embedded in business operations, cybersecurity and business leaders face new challenges in governing and securing these “agentic” AI models. In this session, David Cass, CISO at Keyrock, explores a full-lifecycle approach to securing agentic AI – from design and deployment to monitoring and mitigation.
Presenter:
Don't Let the Fakes Win
- 16:30
- Thu
- 04 Dec
Stage:
Black Hat Campus
Session Type:
Presentation
From shirts and action figures to AI images and full-blown movies, counterfeits are eating brand value in real time. In this keynote, Dan Meacham breaks down how his team hunted unlicensed content and flipped brand protection into measurable revenue.
Presenter:
Terabit Ingest, Petabyte Insight: Engineering Real-Time Threat Intelligence with Vehere
- 16:30
- Thu
- 04 Dec
Stage:
Sponsored Briefings
Session Type:
Presentation
In this session, Yahya Khan explains how threat intelligence ingestion and processing must scale to terabyte and petabyte levels for real-time SOC outcomes. Vehere uses pipeline engineering, enrichment logic, and automation to turn raw intelligence into high-signal evidence. The talk highlights gaps in ingestion, indexing, correlation, and context building that weaken detection at scale. It outlines practical controls to improve feed quality, query efficiency, and threat alignment across large unstructured and structured datasets.
Presenter:
The New Asymmetry: Defending at Human Speed in an Era of Machine-Speed Attacks
- 16:40
- Thu
- 04 Dec
Stage:
Executive Summit
Session Type:
Presentation
As attackers weaponize agentic AI and exploit the convergence of IT, OT and IoT, the threat landscape is changing faster than governance, compliance and enterprise security can respond. Burgess Cooper breaks down the new attack asymmetry, reveals why major global companies believed they were secure until a single touch point collapsed them, and outlines what leaders must change now to stay ahead. He challenges leaders to rethink resilience, reward speed over guidelines, and prepare for a world where one weak link can halt an entire sector.
Presenter:
From Phishing to Deepfakes: Tackling Human-Centric Risks at Scale
- 16:50
- Thu
- 04 Dec
Stage:
Sponsored Briefings
Session Type:
Presentation
This presentation explores how generative AI has transformed phishing through deepfakes and advanced deception, creating authoritative, human-targeting attacks that bypass traditional security layers. It proposes a modern defence model built on identity-first controls, adaptive user education, and real-time policy enforcement. The focus is on how security leaders can strengthen decision-making workflows, reduce reliance on human judgment under pressure, and build scalable protection against AI-driven manipulation that targets people, not systems.
Presenter:
Privacy vs. Progress: The Data Ethics Tightrope
- 16:50
- Thu
- 04 Dec
Stage:
Woman in Focus
Session Type:
Panel
As technology accelerates, the line between innovation and intrusion grows thinner. This session explores how organisations can advance responsibly - protecting user privacy while still enabling meaningful progress. Discover practical ways to strike the right balance without slowing down innovation.
Presenter:
CEO / Head of Operations & Founding Partner
London School of Cyber Security / Women in CyberSecurity MiddleEast (WiCSME), UK