“Coverage-guided Fuzzing”
Sebastiaan Groot, Frank Cozijnsen;
Workshop 120 minutes
Coverage-guided fuzzing is a software testing methodology that is effective at finding vulnerabilities by automatically and continually making small changes to the program's input and observing its effect on the path a program takes. This hands-on workshop aims to give you the tools needed to set up a simple working fuzzing environment for your own targets.
“CTF introduction workshop with Challenge the Cyber”
Maja Reissner;
Workshop 120 minutes
Get to know the Capture the flag (CTF) game without stressing out!
In this workshop, we'll look at a couple of examples of CTF categories. After a short tech introduction, you'll practice solving a challenge. You can work togethere, there's people to help, the only thing you need to do is be brave and start hacking!
“Hauntology in the Machine: Reanimating a Dead Language to Blindside Modern Security”
Marijke Moolenaar;
Talk - 50 minutes
Jacques Derrida’s philosophy of hauntology shows that the ghosts of the past always return to life. We explore this concept through FORTH, an ancient programming language from the 1970s. By injecting a minimalist FORTH compiler into just 5KB of shellcode, attackers can operate on the lowest architectural floor. This talk serves as a spooky reminder that our most advanced systems are still governed by the very ghosts we thought we buried.
“How to capitalise on other people’s popularity to distribute malware: Weaponizing CI/CD Pipelines”
Garance;
Talk - 50 minutes
I am going to talk about software supply chain security, more precisely about exploiting CI/CD pipelines in GitHub so as to publish malicious versions of popular open source packages (just for example, on npmjs), write arbitrary code in GitHub repos or steal secrets.
“Humour, your Secret Weapon for more effective Cybersecurity Awareness”
Rosanne Pouw;
Talk - 25 minutes
Humour can be a powerful tool in cybersecurity awareness because it makes messages more memorable and engaging, ultimately supporting real behavior change. In this presentation you'll learn why humour is useful for more effective awareness campaigns. Research shows that humour can enhance understanding and retention when applied thoughtfully. However, it must be used carefully as misunderstanding and different viewpoints on what is considered funny can have the opposite effect of what you want to achieve. The presentation closes with a short summary of do’s and dont’s for using humour in your next awareness campaign.
“I jailbroke a scam bot with 1 prompt, and so can you”
Yianna Paris;
Talk - 50 minutes
Getting an LLM to spill its secrets is a subtle artform, part social engineering of the application, and part social engineering of the humans (and other LLMs) who built it. It's witchy magic that's both gentle and assertive: you ask nicely to stay under the abuse radar, then tell the bot to step outside its role entirely. In this talk I'll walk through what I've learned testing LLMs across chatbots, lifestyle assistants, and enterprise tools - from leaking system prompts and hunting indirect, no-authentication prompt injection, to chaining an AI's own "legitimate" tools into something destructive. I'll cover real attacks like using the AI's own tools to ransom a company, turning connected integrations into exfiltration channels, and the crossover where this all starts to look a lot like traditional web application testing. They told us SQL injection was dead, and we just reimagined it, gave it a new name, and pointed it at the model. Expect practical techniques, a healthy respect for how confidently these systems lie, and a reminder that organisations need people who think this way because people with worse intentions are already doing it.
“Misbehaving while awake: nRF52810 Runtime EM Fault Injection APPROTECT Bypass - (CVE-2025-9709)”
g0mb4ck;
Talk - 50 minutes
Fault injection campaigns normally require a lengthy, complex process that can be difficult to reproduce. Finding trigger timings often requires extended research on the target's power consumption and side-channel analysis. While trying to reproduce CVE-2020-27211 by LimitedResults, I discovered a novel, triggerless runtime attack on Nordic Semi's nRF52810 System-on-Chip (SoC) using electromagnetic (EM) fault injection. Unlike conventional approaches, this technique requires neither precise timing nor accurately synchronized EM pulses, making it remarkably simple and reproducible. Given the correct injection location, the attack succeeds on average with the first pulse. This is the first triggerless runtime attack ever reported. I will walk you through the research process and discuss where this work could lead next. This issue was recognized by Toreon as CVE-2025-9709.
“No IT is no IT problem”
Kim van Wilgen;
Talk - 50 minutes
At 7:42 a.m., the call comes in. A critical supplier is no longer available. A regulation changes overnight. A platform your business depends on suddenly becomes a geopolitical liability. In that moment, one question matters more than any other: Do you still have a choice?
This keynote examines how organizations gradually lose strategic flexibility through everyday architectural decisions, vendor dependencies, operational complexity, and governance structures optimized for stability rather than adaptability.
“Shadow Protocol: Sector Three – Ransomware Escape Room Edition”
Willemijn Rodenburg;
Workshop 60 minutes
This interactive 40 minutes escape room immerses participants in a ransomware scenario that can only be solved through collaboration and shared insights. Small teams work together in solving the escape room. Following the escape room, participants receive information about Project Melissa. This project a collaboration focused on reducing the attractiveness of the Netherlands as a target for ransomware attacks and maintaining that reduced risk over time.
“Social engineering techniques of hacking a human being”
Dorota Kozlowska;
Workshop 120 minutes
- What is social engineering? Examples.
- Becoming Anyone you want to be - Pretexting.
- Four Phases of Social Engineering (Reconnaissance, Engagement, Exploitation, Closure);
- Building your artwork: What is elicitation? Elicitation Techniques.
- I know how to make you like me: Building Rapport.
- Examples of Real Social Engineering Attacks.
- Now What? Skills you need to become a social engineer, and how to defend yourself.
- Conclusion, final thoughts
The person listening to my talk will end it with tangible knowledge on social engineering and places to go if they want to learn more. This workshop will include working in groups, and challenges for attendees - to gain some real skills, and better memorization of the techniques presented.
“Supabase Shenaningans: Extended Edition”
Eden Stroet;
Talk - 25 minutes
In one week, Eden pentested two completely separate applications built on Supabase, and both had Row-Level Security disabled. This talk walks through both engagements, the surprising ways developers misunderstand Supabase's security model, and why this vulnerability class keeps appearing even when the documentation warns you plainly. If you've ever shipped a Supabase app and didn't think twice about RLS, this one's for you.
“The Attacker Posted First: The Breach Wasn't the Expensive Part”
Ieva Salnaite;
Talk - 50 minutes
During a major cyber incident, who actually controls the story? Increasingly, it's not the victim. Threat actors have figured out that narrative damage, like reputational collapse or a stock price in freefall, can hurt worse than the breach itself and it can be built in parallel to the attack. By the time legal has cleared a statement, the attacker may have already spread a confident, detailed account of catastrophic impact, and the media has run with it. This talk looks at case studies like the 2014 Ukraine elections and the 2023 MGM Resorts breach to discuss how cyber operations and narrative attacks can get synchronized on purpose, asking who in your crisis structure is actually responsible for closing that gap.
“The Dark Spell of Trust: How Secure Systems become Enablers of Financial Crime”
Caroline;
Talk - 25 minutes
In today’s threat landscape, the most dangerous scenarios are not the ones you detect—but the ones that look perfectly normal.
Cyber Security assumes systems can be compromised. Financial crime frameworks assume systems can be trusted. But what happens when those assumptions collide?
This session explores the hidden intersection where identity compromise, data manipulation, and legitimate system access transform secure environments into enablers of financial crime. Across AML, fraud, sanctions, and corruption risk, attackers are no longer just bypassing controls—they are operating within them.
It challenges the belief that “secure systems produce safe outcomes,” and introduces a new perspective: financial crime risk as a direct consequence of broken trust in identity, data, and behaviour.
“The end of human pentesting?”
An Van Leuven;
Talk - 50 minutes
I built a homemade offensive pipeline from free tools, a few hundred lines of Python, and an LLM that reads attack data and tells you where to strike next. In this talk I show what it can do, where it fails, and what that gap reveals about the future of offensive security. Every tool is free, every concept is reproducible, and the answer to the title question is more interesting than you expect.
“The largest social engineering attack ever? The hidden effects of AI on the human mind”
Monika Stewart;
Talk - 25 minutes
Social engineers aim at one target: a human whose judgement has gone offline. They pull known levers, like authority, liking and urgency, to make their target compliant. Generative AI frequently pulls the same levers, whether by design or accident, while slowly eroding the very skills we would use to protect ourselves. Coming at this from an odd mix of social engineering, a year of psychology, some basic knowledge of tradecraft, and the AI work I do now, I will lay out the eerie overlap between long-game social engineering and everyday LLM use, the research on how it erodes human skill and what it does to our judgement. While cyber security’s usual defences were built for louder, one-shot attacks, tradecraft may have some useful techniques that could apply here.
“War and Unpeace: How Russia became one of the world's most advanced cyber threat actors”
Dominique Heuff;
Talk - 50 minutes
One cannot open an annual report on advanced persistent threats without finding Russia listed as one of the top threats in the cyberdomain. This talk examines Russia's evolution as a threat actor from a broader perspective, drawing on historical, socio-economic and cultural factors. Viewed through this broad lens, the tactics, techniques and procedures of Russian APTs emerge not as random aggression, but as the expression of a coherent - if at times failing - doctrine.
“What Negotiation Chats Reveal About Ransomware-as-a-Service”
Becky Stacey;
Talk - 50 minutes
Ransomware is no longer the work of isolated hackers, but an organised criminal ecosystem operating on a service-based model. This talk explores the realities of ransomware-as-a-service (RaaS), where developers, affiliates and negotiators work together to deliver attacks. Using real data from ransomware leak sites, including ransom notes and negotiation chats, I'll examines how these groups operate and the psychology behind their attacks. The talk cuts through common misconceptions and shows why organisations should be more prepared than ever.
“Will the train stop running? The value of responsible disclosure.”
Ola Jankowska, Catharine de Jong;
Talk - 25 minutes
In this talk, we share the story of how we almost got breached.
Long before the report came in, we were busy phasing out a legacy system that was used in train operations. A system that multiple internal and external stakeholders used in their primary traffic management processes.
We had already conducted a risk analysis that highlighted several severe cybersecurity risks, and even though the risks were known, everyone was still surprised when an actual responsible disclosure message came in, notifying us about the vulnerability.
We will show you how we handled this incident, what we learned, and how responsible disclosure helped accelerate the mitigation of cybersecurity risks.