Keynote Speakers

Matthew Green

Matthew Green  

Matthew D. Green, an associate professor of computer science and member of the Johns Hopkins University Information Security Institute, is a nationally recognized expert on applied cryptography and cryptographic engineering. His research includes techniques for privacy-enhanced information storage, anonymous payment systems, and bilinear map-based cryptography. He is one of the creators of the Zerocash protocol, which is used by the Zcash cryptocurrency, and a founder of an encryption startup Zeutro. He is the author of a popular blog, “A Few Thoughts on Cryptographic Engineering.”

Elissa Shevinsky is a CTO known for her work in privacy, security and cryptocurrency. She is currently working with Paragon Tech as a fractional CTO. She was previously CTO and Interim CSO at Cointelegraph, a leading crypto news organization. Shevinsky has led several security and privacy startups, including roles as Head of Product at Brave and CEO at Soho Token Labs. In her free time, she explores wildlife sanctuaries and watches sci-fi reruns.

Elissa Shevinksy

Elissa Shevinsky 


AD and DNS: A Match Made in Heck

Active Directory combines DNS functionality (with an LDAP database, Kerberos authentication, and some other stuff) to create a unified directory service platform. As such, the fates of AD and DNS will be forever linked. In fact, you might say they are now married. In this talk you will learn how to keep that marriage happy and healthy!

Jim Sykora, Jake Hildreth

Jim Sykora is a Security Consultant at Trimarc focused on identity security. Jim started his sysadmin path in 3rd grade & did a bunch of gigs before starting to blend operational experience & rampant curiosity with security knowledge.

Jake Hildreth is the Service Lead for the Active Directory Security Assessment (ADSA) at Trimarc & maintainer of the Locksmith AD CS remediation tool. His work at Trimarc focuses on assessing AD for F500 companies. He holds the CISSP and Security+ certs.




Baby Steps to the Future – Evolving into the Next-Gen SOC

Most SOCs are unable to keep up with the attacks of today because they are constrained by a structure designed for the needs of yesterday. SOCs must evolve to become ‘Next-Gen’. This talk will discuss what that means and present concrete steps organizations can take to evolve from today’s rigid structures into a dynamic, agile entity that can quickly react to threats of today and tomorrow.

Craig Bowser

Craig Bowser is an Infosec professional with over 20 years of experience in the field. After ten years in the Air Force, he has worked as an Information Security Manager, Security Engineer, Security Analyst and Information System Security Officer for various government contractors. Currently he is a Senior Security Architect at GuidePoint Security. He has spoken at Black Hat, DerbyCon, BSides, and multiple SANS Summits. He holds the CISSP and multiple SANS GIAC certifications.





Blackbox Containers: Container Security in the Enterprise

Containers are essential in modern software development, but they come with security considerations. This talk will cover container foundations, operational impact, and security considerations throughout their lifecycle. Best practices for securing containerized apps will also be discussed.

Kenny Parsons

Kenny Parsons is a Security Consultant for Set Solutions with over 15 years of experience in IT and Security. His passion for security started with an early interest in hacking and social engineering. Now, Kenny advises clients on complex environments, helping them to secure their infrastructure and microservice/container architectures. He provides clients with proper design, build, and runtime best practices for a rapidly changing container and cloud-first world.Kenny’s expertise has been recognized by industry leaders, and he was recently a guest speaker at DEFCON DC940 in DFW, Texas, and on the “Ready. Set. Secure.” podcast. 



Complexity for complexity’s sake: The bane of cybersecurity programs

More tools! More frameworks! More security controls! Let’s add all the things and stack them on top of each other! Nope, nope, and nope. This has been ineffective against major attacks like Solarwinds and Log4j. We need to keep security simple, not just for our security teams who are managing a menagerie of security tools, vulnerabilities, and threats, but also for our users.

Nikki Robinson

Dr. Nikki Robinson is a Security Architect with IBM, as well as an Adjunct Professor with Capitol Technology University. She holds a DSc in Cybersecurity and a PhD in Human Factors, specializing research in vulnerability chaining. She is the co-host of the Resilient Cyber Podcast, holds several industry certifications and is also a Fellow with ICIT. With a background in IT operations, she focuses on solving large-scale cybersecurity problems in vulnerability management, and risk analysis.



Detecting and Triaging Modern Windows Rootkits

Since Windows 10, Microsoft has added many new security features aimed at disrupting kernel level malware. To stay viable, rootkit developers have evolved how they load into the kernel, gain system control, and monitor activity. This talk walks through such techniques observed in the wild and how they are detectable through a combination of memory forensics and event log analysis.

Andrew Case

Andrew Case is the Director of Research at Volexity, and has significant experience in incident response handling and malware analysis. He has conducted numerous large-scale investigations that span enterprises and industries. Case is a core developer of the Volatility memory analysis framework, and a co-author of the highly popular and technical forensics analysis book “The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory.”



Don’t Panic! A Guide to Proactive Security for Small Businesses

This talk will explore the importance of proactive cybersecurity measures for small and medium-sized businesses and provide practical strategies and resources. Topics covered will include playbook development, tabletop exercises, threat intelligence, and open-source or low-cost resources.

Ryan St. Germain and Clarissa Bury

Ryan St. Germain and Clarissa Bury work together on CrowdStrike’s Strategic Advisory Services team where they create bespoke tabletop exercises and perform cybersecurity maturity assessments. Prior to becoming consultants, Ryan was the Manager of Security and Infrastructure and Clarissa was the Security Engineer for a small software and services company in the DC area.



Driving Your Own Vulnerability: How to Navigate the Road of BYOD Attacks

Windows device drivers are often considered boring, complicated, and requiring endless effort, but this doesn’t have to be the case. At the end of 2022, Bring Your Own Vulnerable Driver (BYOVD) techniques gained popular visibility and were observed in use by less sophisticated actors than normally associated with driver-based attacks. The introduction of Microsoft’s Device Guard and its successor Virtualization-Based Security (VBS) should make these types of attacks far more complicated and by extension less frequent and less visible. This talk addresses this discrepancy by introducing common categories of drivers and demonstrating the vulnerabilities prone to each. It explains how Microsoft kernel security has paradoxically made BYOVD techniques both more and less complicated. Recent examples of vulnerable drivers with code samples are used to show the strengths and weaknesses of the current security model, and how Windows device drivers can be interesting, straightforward, and easy to understand.


Dana Behling

Dana Behling is a highly esteemed senior threat researcher at VMware Carbon Black, renowned for her exceptional skills in identifying and researching new and emerging cyber threats. With her vast knowledge and experience, she is a driving force in ensuring the security and safety of countless organizations. Before joining the world-renowned VMware Carbon Black team, Dana served in numerous public sector cybersecurity roles, where she was instrumental in enhancing national security. Her invaluable contributions to the field have garnered the respect and admiration of her peers, making her a sought-after authority in the world of cybersecurity.



Entering the Cybersecurity Field as a 17 Year Old

Entering the cybersecurity field can often be frustrating and challenging. Sit it on this talk to hear about the experiences of a 17-year-old whos currently entering the cybersecurity field. What his suggestions are for others entering the field, possible changes for the field, and what companies can support future cybersecurity professionals.

Sully Vickers

Sully Vickers is a 17-year-old cybersecurity enthusiast who works as an independent contractor for MetaCTF, where he assists with privacy policy research and development and creates CTF challenges. Over the past few years, he has developed a keen interest in cybersecurity and has participated in several Capture the Flag (CTF) events, consistently ranking high in the competitions. Additionally, he has spoken with various CIOs, CISOs, and cyber executives to gain a better understanding of the field.



Hack Your Brain: Using IR skills to help recover from grief

Incident responders use some variation of the PICERL framework (Preparation, Isolation, Containment, Eradication, Recovery, and Lessons Learned) when handling a problem. When the mind is dealing with grief, it uses a similar response pattern of Denial, Anger, Bargaining, Depression, and Acceptance. Identifying where you in these stages may help you deal with loss.

Marc Muher

I have Master’s degrees in both Social Work and Cybersecurity.
Gifted in making spreadsheets about meetings
Talented at making meetings about spreadsheets
10 time Polar Bear Plunger.



Hunting Mustang Panda: Exploiting PlugX DAT File Encryption with YARA

YARA rules are an industry standard for identifying malware, but what about when the malware is encrypted with a custom encryption algorithm using mixed boolean-arithmetic? Understanding custom encryption algorithms enables analysts to craft YARA rules to target them. This talk walks through understanding Mustang Panda’s custom encryption scheme for hiding PlugX and how to target it using YARA.

Sean Sabo

Sean is a cyber security professional with over 10 years of experience. For the last 5 years, he has been reverse-engineering malware and tracking various APT groups. He enjoys writing YARA rules and has contributed to the YARA code base. He currently works as a Senior Cyber Security Researcher at Recorded Future. Prior to that, he was at ThreatConnect and on the ASERT team at Arbor Networks.



It’s all Magic(RAT) – A look into recent North Korean nation-state attacks

This presentation will illustrate the entire cyber-kill chain, hands-on-keyboard activity and corresponding MITRE ATT&CK mappings for a series of successful intrusions carried out by the North Korean APT group “Lazarus” against energy companies across the world. We also provide an analysis of MagicRAT and associated, bespoke malware families used by the APT group.

Asheer Malhotra

Asheer Malhotra is a threat researcher specializing in malware analysis, reversing, detection technologies and threat disclosures within Cisco Talos. He has been researching malware threats for about a decade now at FireEye, Intel, McAfee and now at Talos. His key focus is tracking nation state attacks (APTs) across the world. Asheer holds an M.S in Computer Science with a focus on Cyber Security.



Make Better Risk Decisions to Prevent Future Cyber Attacks

As security practitioners, we’re always trying to find ways to get ahead of attackers and mitigate threats before they wreak havoc in our environments. But, traditional defense-in-depth strategies rely more on reactive controls to build walls that we hope will stop attacks from being successful. However, time and again, we see news headlines proving how often and how easily these reactive approaches are defeated.

Today’s attack surface requires a different approach, focusing on preventative risk mitigation strategies that give more visibility, more context and a better mechanism to tie technical risk to business context. While reactive controls are still necessary, the more we can identify areas of risk before the attackers do and close the gaps in our defenses, the fewer attacks will take place and the more effective those reactive controls will be.

Preventative security strategies are driven by making better decisions about how, when and where to mitigate risks. In this talk, we’ll review techniques to implement within your security program that will give a better understanding of the technical and business risk across your attack surface, how to identify the areas to focus on first and ways to drive a more meaningful approach to mitigating risks before cyberattacks exploit your weaknesses.

Nathan Wenzler

Nathan Wenzler is the Chief Security Strategist at Tenable, the Exposure Management company. Nathan has over 25 years of experience both in the trenches of and as executive management of Information Security programs for government agencies and private sector firms alike, often building them from scratch. He has served as an executive management consultant and vCISO for C-suite execs across a wide array of Fortune 1000, non-profit and government organizations looking to optimize and improve their security programs focusing on process, program and personnel improvements to mature and accelerate their Information Security and risk management efforts. Nathan’s focus areas include vulnerability management, privileged access management, incident response, process and workflow improvements, executive level program management and the human-focused aspects of InfoSec.




Measuring Your Zero Trust Maturity (Invited, pending confirmation)

Zero Trust is all the rage in security these days. Where do you begin when trying to move towards a more mature zero trust architecture for your organization? Using the CISA Zero Trust Maturity Model, the Zero Trust team at Centers for Medicare and Medicaid Services customized a framework for our environments to better track progress across various axes. We want to share how we did this with you.

Elizabeth Schweinsberg (Invited, pending confirmation)

Elizabeth Schweinsberg is a Digital Services Expert with the US Digital Service after 9 years in corporate threat detection and incident response with Facebook and Google. She works to keep the internal networks safe from malware, hackers, and the Internet. Ms. Schweinsberg has been in the computer industry for over a decade and in digital forensics since 2005 in both the Government and private sector. When not behind the computer, she can often be found behind a book or sewing machine.



Protecting Yourself From Supply Chain Attacks – Trust Is Overrated

How can you trust all of the hardware and software you use on a daily basis? Hardware, firmware, and software have a unique (often complex) supply chain. I believe we extend far too much trust to the supply chain and do not verify the integrity of our hardware and software components. Using open-source and free tools learn how to enumerate and validate the integrity of your devices in this talk!

Paul Asadoorian

Paul Asadoorian is currently the Principal Security Evangelist for Eclypsium, focused on firmware and supply chain security awareness. Paul’s passion for firmware security extends back many years to the WRT54G hacking days and reverse engineering firmware on IoT devices for fun. Paul is the host of one of the longest-running security podcasts, Paul’s Security Weekly, and enjoys coding in Python, telling everyone he uses Linux as his daily driver, poking at the supply chain, & reading about UEFI.



Securing React Components

In this talk I will provide a brief overview of secure coding practices for developing web applications with ReactJS by presenting common software vulnerabilities and detailing ways to remediate and prevent insecure code being pushed to production.

Tae’lur Myers Lambert

I am a self-taught front-end developer and budding security enthusiast based out of Jacksonville, Florida. I am passionate about helping people break into tech from non-traditional background and love to share my love for tech through tutorials and social media.



Security Misconfigurations in the Cloud – “Oh Look, something fluffy!” (Presentation not recorded)

Threat modeling the human security risk, or as others might call it, Security Misconfigurations in the cloud and all the fun attack vectors they create. Yep, it’s clobberin time and this is what makes this job fun – helping others to find their own security problems before others do!

Kat Fitzgerald

Based in Chicago and a natural creature of winter, you can typically find me sipping Grand Mayan Extra Anejo whilst simultaneously defending my systems using OSS, magic spells and Dancing Flamingos. Honeypots & Refrigerators are a few of my favorite things! Fun Fact: I rescue Feral Pop Tarts and have the only Pop Tart Sanctuary in the Chicago area.



Settle the Score: CVSS Fundamentals

How do we, as an intelligence community, understand and distribute the severity of widespread vulnerabilities? On that note, how do we even categorize them? After years of developing a need for a widespread and company ambiguous importance monitoring system, CVE and CVSS was born. Knowing how exactly how to understand and use these systems is fundamental for defending and exploiting.

Beth Moseng

Beth Moseng is a young cybersecurity developer, who has been working in the contracting cyber space since she was 17, both with incident response and tool development. She regularly attends cyber conferences like BSides, ShmooCon, and Defcon.



Shakespeare, Bacon, and the NSA

A code-breaking Quaker poet who hunted Nazi spies?  Truth is stranger than fiction, and the life of Elizebeth Smith Friedman is no exception. She broke codes during both World Wars and is credited as a founder of modern cryptology.

In this talk, we’ll follow Elizebeth’s journey, learn the history of cryptography, and apply those lessons to how we should view technology and technologists today.

Brendan O’Leary

Brendan O’Leary is Head of Community at Project Discovery, and spends his time connecting with developers, security engineers, contributing to open source projects, and sharing his thoughts on cutting-edge technologies on conference panels, meetups, in contributed articles and on blogs.



Stop the Leak! Adversarial Thinking in Cybersecurity with PRE-ATT&CK

File and data leakage have been responsible for some of the largest press-worthy cyber security incidents to date, and in recently, appear to be increasing in volume. This talk will propose a more authentic approach to adversarial thinking (informed by MITRE PRE-ATT&CK) designed to inform defensive priorities using the same exact techniques that adversaries are actually employing in the wild.

Nick Ascoli

Nick Ascoli is a cybersecurity researcher and the founder and CEO of Foretrace, an External Attack Surface Management (EASM) solution. Nick has been a guest on the Cyber Wire podcast, and a speaker at GrrCON, Shmoocon, Defcon Skytalks, Blackhat Arsenal, SANS, and B-Sides conferences on SIEM, Recon, and UEBA topics.



Ten Ways to Frustrate Attackers in 2023

Some misconfigurations and security oversights are so egregious they can allow attackers to compromise a network in hours or minutes, while some controls or architecture decisions just make attackers’ lives miserable. I’ll provide an attacker’s view of what makes a network easy or hard for us to attack, including showing some tools you can use to ID these issues yourself before getting a pentest.

Justin Palk

Justin Palk has more than 16 years of experience in IT and information security, working in the academic, federal civilian government and health research sectors. He has held a variety of roles including sysadmin, developer, auditor, assessment team lead and now pentester. In the middle of his technical career Justin took a seven-year detour into state and local journalism. He regularly competes in CTFs. When not hacking or developing tools, Justin plays TTRPGs, writes cosmic horror, and brews.



The Action Group Model for Incident Response

Ever feel like you just don’t know what to do when the bad stuff happens? You can’t get the support needed in the middle of an incident? Come chat about an action group model for incident response, a framework which provides coordination, ownership, and flexibility to account for the variable nature of incidents, all while encouraging development of employees at all experience levels.

Shawn Thomas

Director of Forensics and Incident Response at Yahoo

Taylor Johnson

Director of Threat Detection and Response at Yahoo.


Training courses are available on a first-come, first-served seat assignment only to current BSidesCharm ticket holders.

At this time, all training slots have been occupied. There will be a physical waitlist queue in the morning outside each training in case any ticket holder does not show up in time for class.

An Introduction to Fuzzing

Fuzzing is still one of the leading methods for finding vulnerabilities in applications. And it doesn’t have to be hard. This course gives both a high-level overview on the theory of fuzz testing as well as concrete practical exercises. Students will learn how to fuzz real-world applications to uncover actual software vulnerabilities in applications still shipped in 2023.

Course Objectives:

  • Students conceptually understand the meaning of fuzz testing (fuzzing).
  • Students understand the history of fuzzing.
  • Students can instrument targets when source code is available with the AFL compilers.
  • Students understand address sanitization.
  • Students can fuzz an instrumented application.
  • Students can generate a sample corpus as input for the fuzzer.
  • Students can generate a dictionary as input for the fuzzer.
  • Students can generate and understand coverage metrics.
  • Students understand the different types of coverage metrics (ie. line, block,
  • Students understand different types of fuzzers and the benefits of each.

Students might not complete every exercise. And that’s OK! All of the exercises are included as Docker containers on GitHub so students can always revisit missed topics.


  • A basic understanding of C and compilation.
  • Working knowledge of git and how to clone repositories.
  • An understanding of Docker is helpful, though not necessary, as all of the exercises are included as Docker containers.
  • Without Docker, students are encouraged to build AFL++ on their host before the class.
  • AFL++ supports macOS (Intel and Apple Silicon) and Linux. Windows users should have a Linux VM or Docker installed.

Sean Deaton (@WhatTheFuzz), Ryan O’Neal

Sean is an alumnus of the United States Military Academy (B.S. 2017) and Georgia Tech (M.S. 2021), where he studied Computer Science. After commissioning as a Cyber Officer in the U.S. Army, Sean served as a developer with the 780th MI BDE. He now works as a vulnerability researcher for Blue Star and Bogart Associates, with particular interests in fuzzing, data flow analysis, and decompilation theory.

When he’s not finding bugs or working on training material, he spends his time at the dog park trying to burn off his corgi’s seemingly unlimited energy.

Ryan O’Neal is a vulnerability researcher employed by the US Army. His research focuses on static analysis, symbolic execution and fuzzing, and he draws upon his experience as a web developer, cloud application developer and devops engineer to create innovative solutions. His passion is discovering and developing new techniques to address difficult questions in program security, and seeing which databases are vulnerable to SQL injection by entering his last name.




Building (and Validating) Detections with Adversary Intelligence

We will demonstrate workflows & use publicly available tools to gather & process intelligence on key current threats (top infostealers), identify potential TTP detection gaps, and close those gaps with new detections & validation tests. We’ll also show how teams can be more proactive by considering defenses for technique implementations beyond just those reported in public intelligence.

The term “threat-informed defense” has gained recent popularity, but what does it actually look like in practice? This session will provide highly practical tips & guidance for members of virtually any security team – regardless of size or maturity level – to help kickstart (or advance) their threat-informed journey.Relying entirely on publicly available resources, we will jump into the weeds of workflows used to gather & process intelligence on key current threats (in this example, top recently-active infostealer malware), identify potential TTP detection gaps, and close those gaps with new detections & security tests. We will also show how teams can take steps to be more proactive and consider defenses & tests for technique implementations beyond just the immediate ones reported in recent public intelligence. The host anticipates attendees will walk away with a renewed appreciation for a threat-informed approach to security, and inspiration for their next work sprint or side project!

  • Laptops with internet connection, Sysmon, Atomic Red Team (& Invoke-Atomic Powershell framework), Chainsaw log parsing tool (Github)

Scott Small

Scott Small is a security & intelligence practitioner and expert in cyber threat intelligence & threat modeling, open source research & investigations, and data analysis & automation. He is currently CTI Director at Tidal Cyber. Scott has advised enterprise & public sector security teams across maturity levels on technical & strategic intelligence applications and using technology to identify & mitigate risk. He actively contributes to the professional community & open source security projects.




Defensive PowerShell

This Defensive PowerShell workshop is an immersive, hands-on learning experience. You will use PowerShell Remoting (PowerShell v7) to parse text base and Windows Event logs. You will also query both local and remote registries. You will learn about an additional Windows firewall log and enable and create a custom object.

Defensive PowerShell is a follow-on workshop from my PowerShell Crash Course. Unlike my PowerShell Crash Course, this workshop is primarily hands-on. We start with a presentation to discuss what you will do in the lab/walkthrough. We will disable PowerShell v2, enabling some additional PowerShell and Firewall logs. By default, you remote into PowerShell v5; you will enable PowerShell v7 remoting and use it to query and modify a remote registry. We will also use PowerShell v7 remoting to query both Windows texts based and evtx based logs. You will convert the text-based logs into a custom object. You will use PowerShell techniques to analyze the custom object. You will spend a lot of time learning different techniques to parse the Windows event logs.


The course will require a virtualized Windows 10 on your host machine. It is recommended that your host machine be a Windows machine. If you show up with a Mac or Linux, we will set up PowerShell Remoting over SSH instead of PowerShell v7 Remoting. That will be the only difference; everything else will be the same.


James Honeycutt

Mr. Honeycutt has served in the military for 26 years. He has spent most of that time working in IT Operations in various positions, from helpdesk to a Microsoft Windows systems administrator. He currently works for the Maryland National Guard Cyber Protection Team (CPT) as a Cyber Operations Technician focusing on incident response, forensics, and being the resident “Windows Expert.” He likes to give back to the community by presenting at local events




Using containers to analyze malware at scale

This workshop will focus on teaching participants how to handle malware and analyze samples using both Windows and Linux containers. The workshop will focus leveraging open-source tools, and techniques to build out a simple analysis queue pipeline to allow students to analyze multiple samples at scale within a controlled environment.

The workshop will give students experience in creating repeatable workflows to not only perform malware analysis, but also how to leverage automation for similar tasks using boilerplate workflows.


  • Laptop with WiFi capabilities

Jose Fernandez

José Fernández (@jfersec) is the President & owner of CompSec Direct. He is an InfoSec researcher with over 20 years of experience in the IT field. Jose specializes in InfoSec research by applying offensive methodologies towards practical defensive measures. Jose’s background in CNO, CND & engineering has allowed him to work in some of the most technically demanding environments throughout his career in both private & public sector. Mr. Fernandez is a Veteran & a Puertorrican Hacker Dude.