Modern enterprises face escalating threats from sophisticated browser-based identity attacks that operate within legitimate authenticated sessions, bypassing traditional security controls like EDRs, SASE, and firewalls. This hands-on session equips blue team defenders with practical experience defending against ten real-world browser-based identity attack vectors using the open-source "Copycat" identity attack simulator extension.

Despite widespread adoption of third-party risk assessments, breaches stemming from vendors are still rising. This session explores the critical misalignments between third-party governance frameworks and real-world threat activity, particularly in highly regulated sectors such as banking, fintech, and government contracting. Drawing on 13 years of cybersecurity GRC experience and recent forensic investigations, the presentation breaks down the anatomy of actual incidents that bypassed “compliant” vendor checks.We’ll dissect how overreliance on checklist audits, misclassified criticality tiers, and weak contract clauses allow risky suppliers to persist. Using anonymized case studies, we trace the chain of exploitation ,from initial compromise in a vendor’s SaaS tool to downstream data exposure and regulatory fines for the primary organization.The session provides a maturity-aligned methodology for third-party cyber risk management that goes beyond surface-level due diligence. Key frameworks referenced will include NIST 800-161, ISO 27036, and country-specific mandates like Saudi Arabia’s NCA ECC and Egypt’s CBE cybersecurity standards.Attendees will gain insights on evolving threat modeling to factor in vendor behavior, conducting breach-driven reassessments, and building response plans that include third-party scenarios

SAIST (Static AI-powered Scanning Tool) is an open-source project that scans codebases for vulnerabilities using AI.It supports multiple LLMs, and can scan full codebases, diffs between commits, or even GitHub PRs automatically.The common use cases are:- Scan an entire application's code base with your favourite LLM (OpenAI, Deepseek etc) and get a PDF report- Scan a code change and comment on a pull requestSAIST allows you to control which LLM is used, such as AWS bedrock or Azure OpenAI. This provides you with greater control of your own data sovereignty, whilst giving you industry-leading capabilities.

Modern attacks rarely leave traces on a device they flow across the network.This session empowers participants to trace those footprints using advanced packet analysis techniques. Attendees will discover how to detect malicious traffic, reconstruct attacker behavior, extract indicators of compromise (IOCs), and preserve network evidence with cryptographic integrity. A hands-on live investigation using real-world tools (including Wireshark) demonstrates how network forensics can break a case open even when attackers believe they have erased their tracks.

As organizations embrace security transformation, businesses are entering a new era of AI-native economics. This transformation presents both a significant opportunity and a complex challenge for today’s security leaders. In this session, Anomali CEO Dr. Ahmed Rubaie shares how AI, automation, and intelligence are transforming security from a reactive cost center into a strategic engine that drives efficiency, resilience, and long term growth.This evolution does not come without challenges. As AI reshapes work, governance, and trust, enterprises must also defend against a new class of threats, requiring them to secure from AI, secure the AI, and secure with AI. Dr. Rubaie will explain how leaders can develop a “security enterprise brain”, a unified intelligence layer that integrates data, context, and autonomous decision making to detect, analyze and protect against threats.Finally, he emphasizes that no organization can navigate this shift alone. The balance between AI-native infrastructure and AI-enhanced enterprise value relies on deep collaboration to build intelligent and secure enterprises for the AI era.What You’ll Learn• Discover how AI-native economics is reshaping cybersecurity, shifting the value proposition from tools to outcomes and from reaction to autonomous resilience.• Learn how AI is redefining the enterprise security landscape and why leaders must adopt new security mindsets to protect from AI, the AI, and with AI, leveraging intelligence, automation, and governance to stay ahead of evolving risks.• Explore how collaboration across ecosystems will enable AI enhanced enterprises, integrating agentic intelligence and shared data to turn security into a competitive advantage.

A practical conversation about confidence, self-advocacy, and overcoming obstacles in male-dominated spaces. Panelists share personal strategies for turning imposter syndrome into a driver of growth and innovation.

This session examines digital identity compromise at scale, including deepfakes, phishing kits, social engineering fraud, and AI powered scams. Laith Samara outlines how attackers weaponise real user data, bypass supervision, and scale fraud using off-the-shelf kits and automated pipelines. The presentation covers gaps in identity boundaries, evidence collection, and threat signal quality that enable repeat compromise across enterprise environments.

This session introduces a structured methodology for LLM-specific threat modeling, tailored for security architects, AppSec engineers, and AI developers. Attendees will explore the unique threats posed by LLM integration—such as prompt injection, data leakage, output poisoning, over-permissioned APIs, and excessive LLM agency—and learn how to adapt STRIDE, attack trees, and misuse case analysis to these environments.Through real-world examples, architecture diagrams, and red team scenarios, the session will walk through how to systematically deconstruct LLM-enabled systems to uncover logic flaws and weak trust boundaries. We’ll also cover how threat modeling can be integrated early into the AI development lifecycle, enabling teams to reduce risk before deployment.By the end of the session, participants will leave with a practical threat modeling framework, a set of reusable checklists, and an understanding of the most pressing AI security concerns in 2024 and beyond. Whether your organization is experimenting with GPT-based assistants, building GenAI features into your SaaS platform, or deploying local models, this session will equip you to secure LLM applications by design.

We’ll explore why an estimated 95% of AI projects fail and what sets the successful ones apart - those that actually deliver business value. With that context, we’ll then take a deep dive into how CISOs and security practitioners can use AI to strengthen their security teams, streamline operations, and help their organisations innovate safely.

Black Hat MEA 2025 talk on proactive cyber defense amid phishing, malware & the rapid growth of malicious new domains. Shift to default deny-all Zero Trust at the network layer with enhanced visibility. New approaches like Don't Talk to Strangers & ZTDNS neutralize threats pre-execution, cut phishing to near-zero & ensure sovereign data custody.

Mobile payment workflows consist of a sequence of client-server interactions that hat manage critical operations like initiating payments, verifying transactions, confirming success, and managing refunds. When these workflows are not securely designed and enforced, attackers can exploit various weak points to manipulate payments, bypass verifications, or achieve unauthorized actions.This session explores the possible attack scenarios of mobile payment processes, extending beyond the usual vulnerabilities. We will dissect common flaws in session management, API communication, transaction state handling, and business logic that can be leveraged to compromise payment integrity.Through practical demonstrations and methodology breakdowns, this session will showcase how attackers systematically identify and exploit weaknesses in mobile payment processes. We will also discuss effective defense strategies, from server-side validations and idempotency controls to secure session lifecycle management and anomaly detection.

The Software Bill of Materials (SBOM) is used as a foundational tool for software supply chain visibility, yet it can also be used as a tool for deception. Recently, several security tools and papers have conducted vulnerability assessment research based on SBOM, but with a critically flawed practice that allows attackers to deliberately hide malicious dependencies in plain sight.This talk begins with an attack. We will demonstrate the exact techniques used to make a malicious dependency invisible to modern SBOM tools that follow this broken methodology, turning a trusted inventory into a security blind spot.Then, we show the first line of defense. By enforcing the use of definitive lock files, we can close this attack vector and generate a more accurate SBOM. Problem solved? Not even close. The second part of this talk reveals the deeper, architectural flaw: even a "perfect" lock-file-based SBOM is crippled by false positives since it works in the wrong granularity for vulnerability detection, making it impractical to distinguish a vulnerability hidden in the software versus tons of false positives reported by downstream tools. This flood of noise makes effective vulnerability management practically infeasible.Finally, we will present a set of software development best practices to harden the supply chain and, crucially, detail a specific migration path for legacy projects to adopt better dependency management. By demonstrating these attacks and their realistic mitigations, we aim to raise awareness and equip the community with the essential tactics needed to reduce risk in a broken ecosystem.

This session outlines the main operational and technical challenges facing modern MSSPs. Abdulaziz Alwashmi and Abdulrahman Alfaifi examine issues in service scalability, alert quality, talent retention, customer onboarding, and technology integration. The talk also highlights the market shifts creating new opportunities for MSSPs, including AI driven detection, automated response, and specialised industry focused services.

How to turn team diversity into measurable SOC performance: better signal detection, fewer investigation blind spots, clearer crisis comms. Concrete takeaways on hiring, rotations, playbooks, and metrics you can apply now.

Alex Levinson, Chief Information Security Officer at Scale AI, operates at the convergence of offensive tradecraft and defensive strategy. Drawing on a career that bridges the gap between high-stakes red teaming and the engineering of AI-native defense, Levinson presents a forward-looking roadmap for the next half-decade of cyber operations. This session charts the industry's treacherous journey from today’s assisted "Agentic" systems toward the "North Star" of Level 5—fully autonomous, self-defending networks that operate without human intervention. We will move beyond the hype to discuss the concrete signs of this transition: the emergence of "Deep Research" capabilities, the shifting metrics of success from "detection speed" to "outcome validity," and the new "digital exhaust" that defines machine-led operations. Levinson explores how the democratization of offensive AI necessitates a fundamental reshaping of defense, guiding the audience through the "Uncanny Valley" of autonomy where the risks of complacency and loss of control are highest.

Cyber defenders are already shaping the industry’s future. Learn how they build skills, respond to real-world threats, and collaborate to stay one step ahead.

As cyber threats move quickly and the volume and sophistication of attacks consistently increases to keep pace we need to ensure we don’t let cyber incidents through that aren’t treated inline with our SLA’s and cyber response playbooks.Challenge: Security Operations Centres are dealing with ever-increasing volume of events and alerts. Measuring the quality and accuracy of the security investigations is always a challenge as SOC Analyst follow their skills and knowledge which they build over time instead of defined playbooks to investigated less sophisticated alerts. We used a monthly and manual review process to examine 8% of cyber tickets per month and provide feedback to the responsible cyber defence analyst on if and how they were categorising tickets and whether they were following each of the cyber response playbook steps in the right order and for the right outcome, but this approach was not scalable.Solution: We build an Agentic AI solution which can perform the quality checks, improve accuracy in real time across all security investigations without augmenting any humans. The AI models are trained on our real-time security investigations which helped to maintain false positive less than 3% while providing 100% coverage across all incidents. It does not replace the cyber analyst as the AI solution only knows the data it has been trained on, it doesn’t therefore infer or can ascertain when things change outside of the training data✅ 60% reduction in alert triage time✅ 10x faster security incidents quality assurance✅ Happy analysts, less burned-out teams

This presentation introduces the A.B.C.D. framework, a comprehensive approach to Enterprise Security that unifies risk assessment across four critical domains:Application Security Posture Management (ASPM) - ASPM assesses and prioritizes the risks associated with applications. Understanding application vulnerabilities in context is crucial as they can significantly impact the overall security of an organization.Business Security Posture Management (BSPM) - BSPM is essential for ensuring compliance with critical business frameworks, such as PCI, HIPAA, SOC 2, ISO, and NIST. Compliance is not just about adhering to regulations; it's about maintaining business integrity and trust.Cloud Security Posture Management (CSPM) - With the shift toward cloud-based infrastructures, CSPM has become indispensable. It identifies risks related to cloud configurations, infrastructures, and workloads. Securing cloud environments is crucial in the modern digital landscape to prevent unauthorized access and data breaches.Data Security Posture Management (DSPM) - DSPM addresses the management of data security risks. Protecting data is paramount in preventing breaches and ensuring privacy. This component stresses the importance of robust data security practices to safeguard sensitive information from both internal and external threats

Modern supply chains are woven from countless vendors, tools, and hidden dependencies - making it easy for unseen risks to slip through the cracks. This session uncovers the “ghosts” lurking in interconnected ecosystems, from shadow suppliers to outdated integrations, and explores practical ways to spot weak links, close blind spots, and build a supply chain that’s truly secure in a connected world.

Security teams drown in signals while attacks move across cloud infrastructure. This hands-onArsenal Lab turns that reality into a capture-the-flag challenge on a live AWS environmentrunning Amazon EKS. Participants will use an AI investigation agent - backed by Multiple MCP(Model Context Protocol) tool servers to triage Falco runtime detections, correlate Kubernetesaudit events, map AWS-side activity, and reconstruct the attack path. The CTF simulates arealistic intrusion (Ports scanning -> vulnerability/misconfiguration exploit -> lateral movement ->data exfil), and the agent guides each step by orchestrating queries against the tool stack,explaining reasoning, and generating next-best actions. The top 3 scorers win prizes.

This session explains how OT cybersecurity risk prioritization shapes effective business continuity and incident response strategies. Samah Almatri outlines the factors that drive risk in industrial environments, including asset criticality, process impact, and threat likelihood. The talk highlights how structured prioritization improves planning, resource allocation, and long-term resilience across OT operations.

While business and data teams race ahead with AI, security and governance leaders are often hesitant, slowing enterprise AI adoption. This talk introduces an operationalizable AI Security Framework (DASF), an operational guide bridging this divide. You'll learn about the 12 components of a modern AI system, how its 4 subsystems interact, and the 62 risks and threats at each layer. The session details how to identify those risks and map each to 64 actionable controls—empowering organizations to rapidly and confidently adopt AI while managing security risks. While most business leaders and data teams are excited about AI, leaders of governance/risk functions (e.g.: security, privacy, legal, ethics, compliance, etc.) are concerned about the unintended adverse consequences (risk!) of AI. This lack of alignment is among the main reasons for the slow adoption of AI in many larger organizations. To address this chasm between AI supporters and detractors, this talk will walk through an operationalizable framework to confidently manage AI risks: What components make up an end-to-end AI system? How do the subsystems of AI work together as a cohesive AI system? What are the specific technical risks of using AI across each of these components? What threats can cause each risk to be realized? Which specific actionable controls can mitigate each risk? What is the key organizational (non-technical) risks of AI and how to mitigate them?

For more than two decades, Jeremiah Grossman has become widely recognized for his ability to see what’s coming next in cybersecurity long before the rest of the industry. From the emergence of application attacks to the rise of ransomware and the proliferation of exploitation of shadow assets, his foresight has never been a matter of luck. It comes from a mental model he developed called the Epoch Theory of Cybersecurity. In this session, Jeremiah explains how understanding attacker incentives, behavioral patterns, and evolutionary cycles enables security leaders to see where the threat landscape is headed and prepare for the future before it arrives.