Talks


The full schedule will go up closer to the day. For now, here is a list of speakers who have confirmed their talks.


Drinking from the same firehose – how red teams out run threat actors (Even @ydoow would be shocked)

Andy Gill / Craig Underhill

Red teaming has evolved — and so have threat actors. This talk explores what it’s like to red team at one of the world’s largest security vendors, where the pace is relentless and the information flow never stops. Collaboration across incident response, threat hunting, and endpoint intelligence teams is critical to replicating real-world adversaries with precision and creativity. We’ll dive into how cross-functional insights help uncover emerging attack paths, adapt to shifting techniques, and turn threat intelligence into actionable offensive strategies. From technical deep-dives into evolving attack surfaces to the practical realities of surviving the daily information tsunami, this talk shares hard-won lessons on staying ahead of both threat actors and the chaos of the modern security landscape.

Scams, Sextortion and Snapchats: Keeping Gen-Alpha Safe in a Digital Wild West (PG)

Adaora Uche-Ezennia

Gen-Alpha is the age group that is growing up as digital natives. Their world is a fully digital world and we cannot reverse it. While this digital fluency brings tremendous opportunities, it also exposes them to unprecedented risks. They are easy prey for predators and scammers via social platforms such as Snapchat, TikTok, Instagram and online gaming. Using real-world examples, we will unpack how attackers manipulate trust, exploit anonymity, and weaponize social media features to trap young users. Digitisation is here to stay and cannot be reversed, so we need to safeguard them. We will share simple, practical strategies for staying safe, spotting red flags, and having critical conversations with teens. This session is ideal for anyone interested in the human side of cybersecurity — educators, parents, and defenders alike. No deep tech required, just curiosity and care.

Living off the web of lies (PG)

James Williams

Modern red teams make extensive use of legitimate services for operations. This talk will look at how we build persona accounts, abuse free trials and make use of trusted third parties as part of red team engagements.

Fantastic crypto failures and where to find them (PG)

Jamie Riden

How to find, exploit and fix cryptography bugs, for normal people. We give six case studies where the basic cryptographic primitives were sound, but where the design and implementation has left the system as a whole exposed to abuse. Details of how to exploit and how to design out these issues are also included, for example: how encrypted passwords can be recovered from backups of popular helpdesk software (CVE-2024-28989).

My GRITT OS – Good Resilience In Testing Times Operating System (18)

Mo Amin

How to avoid and manage burnout when navigating the world of cyber security. This is a journey with personal insights gathered over 20+ years. This is how I operate, this is my GRITT Operating System.

This talk is aimed at rookies / newbies to the world of cyber security, though not exclusively.

1010 (PG)

Neil Lines

Ten Years of Steelcon. As they say, time flies. I remember my first Steelcon, which was in its second year. I was so excited to go, everyone I worked with was buzzing about it. We planned our accommodation, arrived early on Friday, and partied until Sunday. Steelcon has always been my favorite security conference, and it’s the one I’ve spoken at the most.

This year, I’ve requested to be in Track 2, the same room where I started. It’s also the room where I’ve seen the most people speak over the years.

I’ve spoken at Steelcon for nine years, and this will be my last talk for a while.

Expect Red Teaming techniques, old-school hacking, and random stuff about Steelcon and what it means to me.

Expanding Blast Radius After Kubernetes POD RCE (PG)

Roshan Guragain

So you got RCE on a Kubernetes POD; what will be the next step? How can the impact be maximized? We will be looking into ways to expand access and how cloud resources could be compromised.

A Brief History of OT Security: From Air Gaps to Panic (PG)

Sam Maesschalck

Not so long ago, the systems that power our physical world, such as factories, water treatment plants, and energy grids, ran in relative isolation. These are examples of Operational Technology (OT) environments, systems that control industrial equipment and processes. Protected by the reassuring concept of the air gap, they operated with no internet connection and, seemingly, little risk.

Fast forward to today, and that separation has all but disappeared. OT environments are now connected, increasingly exposed, and becoming more frequent targets—yet many organisations still struggle to secure them effectively.

In this talk, we’ll explore how OT security has evolved, from the early days of relying on physical separation, to today’s complex landscape of cyber-physical threats, ransomware, and blurred lines between IT and OT. Using the metaphor of an ancient wall, we’ll consider why modern OT security requires more than just a strong perimeter. It calls for layered defences, thoughtful design, and, crucially, skilled people who understand how to apply the tools at their disposal.

We’ll also look at the cultural divide between OT engineers and cybersecurity professionals, highlight the value each side brings, and suggest ways to foster better collaboration. Whether you’re responsible for securing critical infrastructure, working with industrial systems, just curious about OT, or simply intrigued by how these environments are evolving, there should be something in this talk for you.

Plundering and pillaging password and passphrase plains for profit (PG)

Will Hunt

In this talk we’ll look beyond the basics of password cracking and arm you with further attacks when you feel you’re out of options. We’ll look at multiple paths for cracking delimited passphrases and review when you’d want to use these attacks and why. Target-specific Markov tables will be shown to illustrate how you could be missing out on elusive plains without even realising it, as well as getting the best bang for your buck out of your rule-based attacks by identifying non-efficient operations. After covering some password placebos in data breaches and looking at foreign language and transliterated password attacks, we’ll wrap up with a tool to help you automate the initial heavy lifting of your attack cycles.

Reviewing COBOL for Fun and Profit (PG)

Nick Dunn

Despite their dull reputation, mainframe systems offer fun-filled potential for security and sometimes have surprising levels of vulnerability considering the amounts of money being moved around. Also, using a terminal with green text on a black background will impress your friends.
This talk is being presented as, despite their frequently predicted demise, mainframes are still here. This means that COBOL is also still here (despite similar predictions).
The talk covers the overlooked concept of COBOL code security reviews to compensate for a lack of publicly available information. For added amusement it also discusses how supposedly secure systems are sometimes more vulnerable than appreciated once a few basic things are understood.

Amplify the hacker: offensive AI plugin development (PG)

Gareth Heyes

Web app testing is supposed to be fun – until you’re neck-deep in tabs, repeating the same payloads, rewriting the same report sections, and wondering what you missed by not trying just one more thing. In this session, I’ll bring the fun back by sharing tools that quietly transform manual testing into something smarter – and showing you how to build your own.
I’ve spent the last year experimenting with AI tool development to amplify my hacking efforts, building four open-source extensions: Shadow Repeater, Document My Pentest, AI Hackvertor, and Repeat Strike. While you’re hacking, these tools hack harder.
I’ll share what worked, what didn’t, what broke completely, and the tricks I wish I knew when I started. If you’re thinking of gluing AI into your own hacking workflow – or just want to see what’s possible now – this talk’s for you.

Hacking Stripe Integrations to Bypass E-Commerce Payments (15)

Ananda Dhakal

Stripe offers one of the simplest ways to integrate payments into e-commerce platforms. With just a ZIP file upload, some API keys, and a quick setup, developers can have a full payment gateway up and running on platforms like Adobe Commerce (Magento 2) and PrestaShop. But while the process looks seamless on the surface, is it secure enough to handle the payments flawlessly?

In this talk, I’ll share how I analyzed Stripe’s integration with these popular platforms—starting from a black-box approach to understanding its architecture, all the way down to digging through the source code of those extensions that connect Stripe with the platforms. I’ll walk through the specific oversights and vulnerabilities I discovered that allowed me to place orders without paying anything, get credit card information of other users, and so on. These weren’t extremely technical bugs; rather, they were logic flaws that emerged from how the integrations were implemented.

Cookie Chaos: Exploiting Parser Discrepancies (Even @ydoow would be shocked)

Zack Fedotkin

Cookies were never meant to be secure. Bolted awkwardly onto HTTP, they’ve long been a source of confusion, inconsistency, and catastrophic vulnerabilities. Despite countless RFC fixes, things still fall apart.
In this talk, I’ll uncover how fundamental flaws in cookie parsing continue to enable real-world bypasses of core security mechanisms. I’ll introduce previously unpublished techniques and new classes of cookie-based attacks that exploit discrepancies between client-side and server-side interpretations—allowing attackers to compromise session integrity at scale.
To wrap up, I’ll release an open-source toolkit to help security researchers detect and exploit these flaws in the wild.
If you think you know cookies, think again. This talk will uncover the most subtle RFC flaws.

Offensively Groovy (PG)

Brandon McGrath

Jenkins can be a gold mine for post-exploitation. From secrets gathering to Windows Services, Groovy lets you do whatever you want. In this talk, I will look at some techniques for abusing Jenkins via Groovy and WinAPI to further the attack path.

Examining Access Control Vulnerabilities in GraphQL – A Feeld Case Study (18)

Bogdan Tiron

This talk explores the importance of implementing robust access controls in GraphQL and REST APIs and the severe consequences when these controls are not properly enforced. GraphQL, a flexible data query language, allows clients to request exactly the data they need, but without proper access control mechanisms, sensitive data can be easily exposed. Using the Feeld dating app as a case study, we will dive into a critical security review of how the lack of access controls in GraphQL and REST endpoints led to the exposure of users’ personal data, including sensitive photos, videos and private messages. This session will highlight common access control vulnerabilities in GraphQL and REST implementations, real-world examples of security lapses, their impact and remediation.

Threat Modelling: Or How I Learned to Stop Worrying and Love Misconfigurations (PG)

Andrea Jones / Finux

Presented by Andrea Jones and Arron “finux” Finnon

Let’s be real — “threat modelling” sounds fancy. Like the sort of thing that involves flowcharts, frameworks, and someone insisting you need to ‘shift left’. But most of the time? It’s just asking whether you’ve accidentally left your cloud hanging out in the breeze. Again.
This talk brings threat modelling back down to earth. Andrea and finux will walk you through how it’s often less about predicting cyber doom, and more about spotting that someone’s enabled public access… again. We’ll look at real-world examples where basic missteps caused major headaches, and how just paying attention to the boring stuff can save you a world of pain.
We’ll also take a quick spin through a tool that might just help you catch those “oops” moments before they become incidents. Expect practical takeaways, a few sarcastic grins, and at least one moment where you’ll mutter, “Oh yeah, we totally do that…”
Because sometimes the most effective security posture is just not leaving the door wide open in the first place.