2026 Schedule | September 19 | Bibliothèque et Archives nationales du Québec

8:30AM | Doors open

 

9:00AM – 9:05AM | Opening words

 

9:05AM – 12:00AM | Workshop “The Bug Hunter’s Methodology”

9:05AM – 9:30AM | Reconnaissance furtive : méthode, contraintes, et exécution sans bruit

Jonathan Nomed

 

9:30AM – 9:55AM | The Overlooked Playground: An Attacker’s Journey Through GCP

Clément Cruchet

 

9:55AM – 10:20AM | Graph All The Things: The Birth of Hound

Mathieu Saulnier

 

10:20AM – 10:45AM | COFFEE BREAK

 

10:45AM – 11:10AM | Emmerdissement, Érosion de plateforme… et si on en parlait?

Samuel B.G.

 

11:10AM – 11:35AM | Developing Your Own Local LLM (GenAI) for Cybersecurity GRC

Lee Yang Peng

 

11:35AM – 12:00PM | Agentic Access: OAuth Gets You In. Zero Trust Keeps You Safe

NIck Taylor

 

12:00PM – 1:10PM | LUNCH

1:10PM – 4:25PM | Workshop “Windows Forensics for Insider Threat

1:10PM – 1:35PM | Tinker Tailor LLM Spy: Investigate & Respond to Attacks on GenAI Chatbots

Allyn Stott

 

1:35PM – 2:00PM | Securing the Generative AI Pipeline from Data Ingestion to Model Inference

Ikhtear Bhuyan

 

2:00PM – 2:25PM | Proactive Bias Mitigation Against AI’s Unseen Vulnerabilities in Cybersecurity

Mina Movahedi

 

2:25PM – 2:50PM | AI in CTFs: How to Use AI Effectively Without Falling Down the Rabbit Hole?

Jie Wu & Pulkit Garg

 

2:50PM – 3:20PM | COFFEE BREAK

 

3:20PM – 3:45PM | Attribution of cyber operations: does it really matter?

Alexis Dorais-Joncas

 

3:45PM – 4:10PM | Tor sous contrôle : Vers une identification fiable des flux anonyme

Nabil Diab

 

4:10PM – 4:35PM | How Tor Works

David Goulet

 

4:35PM – 4:40PM | Closing words

 

4:40PM – 8:00PM | Cocktail & hommage to Michel Cusin

2026 Schedule ― Preliminary Detailed Program

can llms really

Vasilii Ermilov

Can LLMs Really Find IDORs? Limits of AI Security Reasoning

Can AI actually find IDORs in real code? We tested top coding agents against real-world apps—and the results were mixed. The models discovered genuine vulnerabilities, but also generated large numbers of false positives and inconsistent findings. LLMs show strong intuition for contextual bugs, but struggle with deeper dataflow and multi-file reasoning, often producing noisy or inconsistent results. A single prompt can yield different answers from run to run, making reliable benchmarking both essential and uniquely challenging. By dissecting results across multiple authorization complexity levels, we show where LLMs shine, where they fail, and why IDORs remain a uniquely hard class of bugs for AI to reason about. Expect real examples, surprising failure modes, and practical lessons for anyone considering AI as a security testing assistant. Attendees will leave with a grounded, data-driven understanding of where AI coding agents shine today, where they fail, and what it will take to reliably use LLMs for vulnerability discovery going forward.

Bio

Vasilii Ermilov (@ermil0v) is a Senior Security Researcher at Semgrep, a startup working on open source static analysis tools that fit the modern developer workflow. Vasilii spends his time digging through large attack surfaces, combining automation with hands-on testing to uncover real, exploitable issues. He’s interested in how AI can actually help find and validate real bugs, not just generate convincing-looking noise. Having more than a decade of experience in web application development for enterprises, governments and startups he now uses his knowledge for identifying weak and vulnerable parts in other people’s code. He has also shared his research and practical insights at international security conferences, including BSides Seattle, BSides Singapore, and OWASP SnowFroc. His talks focus on bridging the gap between theory and practice, demonstrating how modern security tooling can be applied to uncover meaningful vulnerabilities at scale. He is particularly interested in making security research actionable for developers, helping teams integrate security testing into everyday workflows without slowing down development velocity.

2000 packages later

Alessandra Rizzo

2,000 Packages Later: What Continuous npm Scanning Reveals About Supply Chain Attackers

Since November 2025, we’ve been continuously scanning the npm registry for malicious packages using a detection pipeline that combines static analysis and YARA signatures with LLM-assisted triage. To date, the scanner has flagged over 2,000 malicious packages.

Credential stealers and infostealers make up the majority, but the dataset tells a bigger story: npm is no longer just a typosquatting problem. It’s a multi-actor battleground where nation-states, criminal MaaS operators, and infrastructure-focused attackers all converge on the same entry point: npm install.

This talk breaks down what we learned by watching the registry at scale. We cover the landscape, including category breakdowns, monthly publication trends, and the exfiltration infrastructure we mapped, ranging from disposable webhooks to blockchain-based C2. We then deep-dive into three campaigns that illustrate where supply chain attacks are heading and how different threat actors are exploiting the same ecosystem for very different objectives.

The first is Koalemos, a modular RAT distributed under impersonated developer identities from a major US financial institution, with DNS-gated execution restricting payloads to the institution’s internal network. We assessed with moderate confidence that it is linked to the DPRK-attributed Contagious Interview campaign based on overlapping obfuscation techniques, distribution tactics, and identity spoofing patterns.

The second is Ghost Loader, a criminal MaaS infostealer operation that stores its C2 configuration in Binance Smart Chain smart contracts, uses split-key encryption with dead drop retrieval, and routes stolen credentials through partner-specific Telegram bots.

The third is Tunnel Vision, a cross-ecosystem attack published simultaneously to npm and PyPI that hides its entire payload in a precompiled binary disguised as a Node.js addon, deploying a Cloudflare-fronted reverse tunnel with SOCKS5 and SSH/SFTP access into the victim’s network before self-destructing within seconds.

Each campaign represents a different class of threat actor and a different end goal, but all three exploit the implicit trust developers place in package registries. Attendees will leave with a concrete understanding of the current npm threat landscape, the novel techniques defenders should be looking for, and actionable detection strategies for each campaign.

Bio

Alessandra Rizzo is a Senior Threat Researcher at Panther, where she builds detection content and researches emerging cloud and supply chain threats. She currently leads Panther’s npm registry scanning operation, which has flagged over 2,000 malicious packages since November 2025 and uncovered campaigns attributed to nation-state actors, criminal MaaS operators, and infrastructure-focused attackers. Her research has been covered by The Hacker News and other major security publications. Before joining Panther, Alessandra worked as a Threat Detection Engineer at Sysdig, where she focused on Linux and container security and investigated nation-state malware and botnets targeting cloud workloads. Prior to that, she served as a threat intelligence consultant for premier European financial institutions, investigating APTs and malware campaigns targeting the financial sector. Her current research interests span cloud security, software supply chain threats, and the intersection of LLMs with both offensive and defensive security. Alessandra holds an MSc in Advanced Cybersecurity from King’s College London.

edrs evasion

Charles F. Hamilton (Mr.Un1k0d3r)

EDRs evasion and bypass. What is working in 2026

This talk presents practical insights drawn from real-world red team engagements against modern Endpoint Detection and Response (EDR) solutions. Rather than focusing purely on techniques, the session emphasizes understanding: understanding how EDRs operate, how they collect telemetry, and why certain evasion and bypass strategies succeed or fail. By examining the underlying mechanics of detection systems, attendees will gain a clearer picture of the interaction between offensive tradecraft and defensive visibility.

The presentation will include discussions of reverse engineering concepts and practical code examples to build a stronger understanding of Windows internals. We will explore how compiled code behaves at runtime, how assembly instructions translate into higher-level logic, and how the .NET Framework operates under the hood. This foundational knowledge is essential not only for offensive practitioners seeking realism in engagements, but also for defenders who want to understand what their tools are actually monitoring.

We will also examine how EDRs leverage kernel callbacks, Etw and EtwTi, and other event collection mechanisms to generate telemetry. By analyzing these data sources conceptually, attendees will better understand the detection surface and the importance of visibility across user mode and kernel mode activities.

The talk further compares different approaches to privilege escalation, such as impersonation and credential access, highlighting the operational considerations and detection implications of each. In addition, we will discuss the challenges of operating in memory and the increasing role of memory analysis in modern security products.

Finally, we will look at how legitimate Windows functionalities and signed executables can be abused in controlled testing scenarios, along with common pitfalls that can undermine an operation.

The techniques and concepts discussed are intentionally designed to be broadly applicable rather than tied to a specific vendor, ensuring their relevance in diverse, real-world red team engagements and maximizing their usefulness across as many contexts and environment as possible.

Bio

Charles Hamilton is a Red Teamer with over twelve years of experience delivering offensive security assessments for government clients and organizations across the commercial sector. In recent years, he has specialized in covert red team operations targeting complex, highly secured environments. These engagements have enabled him to refine his ability to navigate client networks stealthily while avoiding detection. Since 2014, Charles has been the founder and operator of the RingZer0 Team platform, a website dedicated to teaching hacking fundamentals and hands-on security concepts. The RingZer0 community has grown to more than 50,000 members worldwide, making it a well-recognized resource within the security community. Charles is also a prolific tool developer and trainer, having delivered his training programs more than 20 times in both online and onsite formats. In addition to his consulting and training work, he is an active speaker in the information security industry, where he is known under the handle Mr.Un1k0d3r.

dead1

dead1nfluence

Let Him Cook! Hacking the Meatmeet BBQ Probe

With grilling season upon us, each and every grillmaster is eagerly preparing their tools… but little do some know, their “smart” meat probes may have some glaring vulnerabilities. In this 30 minute presentation we will disassemble, dump the flash, and decompile the mobile application of the Meatmeet BBQ probes to find a slew of vulnerabilities. We’ll walk through how the device was torn down, how to use ESP32knife to analyze the flash dump, and what fun secrets laid within the NVS partition. By analyzing the mobile application, we were able to identify an open S3 bucket with the profile photo of every grill master, and exploiting exported activities revealed never-before-seen devices. We even found that they were hashing the passwords with the modest MD5; they really needed to add some salt. Lastly, by assessing the BLE communications, we truly roasted the probe; achieving remote code execution on our device.

Julian will demonstrate each vulnerability he found, and teach you how you could do it too. Attendees will learn more about hacking IoT devices, the challenges of working with ESP32s, and how to interact with Bluetooth Low Energy. We will also cover the Rainmaker solution offered by Espressiff, it’s implementation on the BBQ probes, and it’s surprisingly high level of security—they did do some things right in the end.

To drill home the point, we build a custom ESP32 firmware image that turns our modest BBQ probe into a bot which can be orchestrated through a C2 server in a BLE BBQ botnet! By the end of the presentation, you’ll see how cooked the Meatmeet BBQ probe really is. All in all, we cleaned the plate and found over 15 vulnerabilities in the Meatmeet probe!

This presentation will illustrate the importance of IoT security measures, because the last thing you want is for your beautiful BBQ to be burnt to a crisp!

Bio

As a Penetration Tester at Software Secured, Julian hunts for vulnerabilities across a range of clients and products. Off hours, he spends his time performing vulnerability research against IoT devices and FOSS, amassing over 40 CVEs in the past several years. Previous work includes exploiting the Furbo devices, to find 20+ vulnerabilities, discovering more than 130,000 Claude, Grok, ChatGPT, and Other LLM Chats Readable on Archive.org, as well as being featured by 404Media in the article: Grok Exposes Underlying Prompts for Its AI Personas: ‘EVEN PUTTING THINGS IN YOUR ***’

Previously a speaker at the following conferences:
Speaker at:
– BSides Vancouver 2023 & 2024
– BSides Montreal 2023
– BSides Athens 2023
– BSides Copenhagen 2023
– BSides Bern 2024
– DeepSec 2022, 2023, 2024, 2025
– DeepIntel 2023, 2024
– Knock in the Night 2024
– BSides Toronto 2025

self-infected prompts

Ali Alame

Self-Infected Prompt Kiddies: From Script Kiddies to Prompt Kiddies, AI-Powered Cybercrime in the Wild Monday

In the age of AI, truth is becoming optional, and cybercriminals are taking full advantage.

Today’s threat actors are no longer limited to purchasing phishing kits, reusing commodity malware, or relying on pre-written attack templates. They are actively leveraging artificial intelligence to increase the speed, scale, and sophistication of their operations. AI is being used to write highly convincing phishing emails, generate malicious code, troubleshoot malware, translate scams into multiple languages, create realistic social engineering content, and rapidly iterate campaigns in ways that closely resemble modern software development practices.

What once required a team of skilled operators can now be accomplished by a single individual armed with the right AI tools. The result is a significant reduction in the barrier to entry for cybercrime and an increase in the volume and quality of attacks targeting organizations of all sizes.

This session provides a rare behind-the-scenes look at what defenders seldom get to see: pre-breach threat intelligence artifacts collected from real-world criminal testing environments. Before launching large-scale campaigns, many threat actors test their malware, phishing infrastructure, credential harvesting pages, and social engineering content. These trial runs often leave behind valuable evidence that defenders can collect, analyze, and use to gain insight into emerging threats before they become widespread incidents.

Drawing from real-world observations and investigations, we will explore:

* AI-generated phishing emails, landing pages, and social engineering scripts
* Infostealer malware development patterns that strongly suggest LLM involvement
* Prompt-driven iteration and how attackers use AI to debug, improve, and optimize campaigns
* The fingerprints AI leaves behind in code, language, structure, and infrastructure
* Emerging trends in AI-assisted cybercrime and what defenders should expect next
* Practical detection opportunities for security operations, threat hunting, and incident response teams

Attendees will leave with a deeper understanding of how AI is reshaping the threat landscape, how cybercriminals are operationalizing these technologies, and how defenders can identify and respond to the subtle indicators left behind by AI-assisted attacks before they evolve into full-scale compromises.

Bio

Ali Alame is a cybersecurity professional, threat hunter, and co-founder of CyberArmor, where he leads initiatives focused on identifying cyber threats before they become full-scale incidents. His work specializes in pre-breach intelligence, including the discovery of phishing kits, compromised credentials, infostealer malware activity, exposed cloud assets, and threat actor infrastructure before the data reaches underground markets or the dark web. With experience spanning enterprise, financial services, retail, and higher education, Ali has held cybersecurity and technology roles at IBM, Lululemon, the University of British Columbia (UBC), and the Royal Bank of Canada (RBC). Throughout his career, he has worked on security operations, threat detection, incident response, identity security, and cloud security initiatives supporting large-scale environments. Ali is a frequent speaker at cybersecurity conferences, industry meetups, and community events, where he shares practical insights from frontline investigations and threat-hunting operations. His presentations focus on emerging threats, cybercrime trends, identity compromise, and the growing role of artificial intelligence in both offensive and defensive security. By combining technical research with real-world case studies, Ali helps organizations better understand how modern threat actors operate and how defenders can identify indicators of compromise before attacks escalate into major security incidents.

dragonforce

Thibaut Passilly

DragonForce: the cartel makes a TURN in Ransomware Capabilities

The presentation details the DragonForce ransomware cartel, which has transitioned from a standard Ransomware-as-a-Service (RaaS) model. This structural shift signals elevated organizational maturity and a strategic focus on high-impact, targeted campaigns, positioning them as a major and persistent threat to global security. This analysis, presented by Thibaut Passilly, a Threat Researcher at Broadcom for Symantec, provides a granular look at the group’s advanced capabilities through a focused case study.

The core of this research is a detailed examination of an incident that started in December 2025 against a major US services company. The operational tactics observed demonstrate preparation: initial access (likely sold on the dark market) is rapidly leveraged to secure a long-term foothold through post-exploitation actions. These actions include system configurations like using LimitBlankPassword, performing user/group addition, and modifying firewall rules for persistence and C2 resilience. The attack chain itself was straightforward and effective: a payload downloaded via curl and executed by PowerShell, leading to a VirtualBox DLL Hijacking technique for code execution before the final DragonForce ransomware payload deployment.

However, the key differentiators lie in the group’s toolset for defense evasion and command-and-control (C2). DragonForce utilizes a Bring Your Own Vulnerable Driver (BYOVD) strategy to deploy Anti-Virus killers, bypassing security monitoring by exploiting legitimate, signed drivers. This includes exploiting known vulnerabilities (CVE-2025-61155 in Tower of Fantasy’s Gamedriverx64.sys and CVE-2023-52271 in Topaz Antifraud’s wsftprm.sys) and introducing a novel “Havoc Process Terminator” tool that leverages a Huawei driver (HWAuidoOs2Ec.sys) for process termination.

The signature weapon is a new, state-of-the-art Go-based remote access backdoor. Injected into the legitimate DbgView64.exe process for stealth, this tool represents a significant ‘TURN’ in C2 capability, inspired by the GhostCall technique. It achieves covertness by requesting an anonymous visitor token from the Teams/Skype backend and using a legitimate Microsoft server as a TURN relay during setup. This initial relay-assisted communication then transitions to a direct, malicious QUIC C2 channel, making it exceptionally difficult to profile and defend against. The backdoor grants comprehensive control, enabling command execution, process creation, network scanning (including TLS certificate capture), LDAP/AD search for domain mapping, credential-based lateral movement, and browser credential theft.

Effective defense against this threat requires security teams to move beyond traditional signatures and actively hunt for the specific BYOVD exploitation signatures and, crucially, to monitor network traffic for anomalous outbound TURN/QUIC C2 communications.

Bio

Thibaut is a Threat Researcher at Broadcom since 2022. He works for a subsidiary of Broadcom, Symantec, a leading provider of enterprise-level cybersecurity solutions, in a team specialised in Threat Research. His job mainly consists in hunting APT groups, and dissecting targeted ransomware actors. He publishes his work in blogposts in private reports, and on Symantec’s website: China-based Attackers Targeting Organizations in AsiaRansomware Attackers Using Zero-Day Privilege Escalation Vulnerability. In the past, Thibaut studied at EPITA in Paris, France, and worked for ESET Montréal, Canada, where he presented about a Chinese APT group at BSides Montréal in 2022, and wrote various blogposts on WeLiveSecurity mainly focused on Chinese APT actors. Thibaut lives in France, and on his spare time, his main hobbies are playing music and practicing bikepacking

why i go to

Alex Holden

Why I Go to the Dark Web Every Day

What do you actually need before stepping into the Dark Web? It is not just tooling. It is understanding how these ecosystems really function under pressure. Language, culture, trust models, reputation, and how quickly you can get identified as an outsider if you get any of it wrong.

This talk is built on real operations, not theory. We walk through practical examples where direct engagement and intelligence collection stopped Russian hacktivist activity such as Killnet, significantly slowed down Chinese pig butchering operations, and drove outcomes that had measurable impact beyond a single target or campaign. Using Dark Web-derived intelligence to make a small or a global change is not easy but it is a lofty goal that is attenable for many. These are not passive observations. These are cases where understanding the adversary environment allowed us to influence it.

You will see how access is gained, how credibility is established, and how conversations evolve when you are dealing with threat actors who assume you are one of them. We will break down mistakes that expose investigators instantly, signals that indicate you are being tested, and moments where a single wrong response ends the operation.

From there, we map out the meta-types of actors you will encounter. Not just roles, but behaviors. The opportunists, the professionals, the ideologues, and the ones who are just there for the chaos. How they communicate, how they validate each other, and how they decide who to trust. More importantly, how you can use that against them.

This is not a tour. It is not screenshots of forums. It is what actually happens when you are inside and the stakes are real.

No fluff. No recycled reporting. Just field-tested methods, failures, and outcomes.

Final takeaway is simple. Know your enemy. Know their tools. Stop the threat actor. Stop the crime.

Bio

Alex Holden is the founder and Chief Information Security Officer (CISO) of Hold Security, LLC. Under his leadership, Hold Security played a pivotal role in information security and threat intelligence becoming one of the most recognizable names in its field. Mr. Holden researches minds and techniques of cyber criminals and helps our society to build better defenses against cyber-attacks. Mr. Holden has been credited in uncovering high-profile breaches such as Adobe Systems, Target, J.P. Morgan Chase, parts of the Equifax breach, and many others. Mr. Holden has spearheaded efforts to infiltrate, monitor, and disrupt various ransomware gangs, including Trickbot and Conti. As an expert in his field, Alex Holden is continuously sharing his original research at numerous cybersecurity conferences and has provided expert commentary in prominent media outlets including CNN, The New York Times, Forbes Magazine, and The Wall Street Journal. His insights into current cybersecurity events and the evolving threat landscape are regularly featured in lectures available on Hold Security’s channel on the BrightTalk platform.

threat hunting

Faan Rossouw

Threat Hunting Was Always the Answer - It Just Couldn't Scale

Threat hunting has always been the most effective approach to improving organizational security posture. The evidence has been there for years: organizations that hunt consistently find threats faster, build better detections, and develop institutional knowledge that compounds over time.

So why isn’t everyone doing it? Why is Threat Hunting still seen as a luxury, why is it gravy and not potatoes? Quite simply – hunting doesn’t scale. Even the most skilled analyst can only cover so much ground, investigate so many leads, hold so much context in their head at once. The blueprint is right, but its been limited by the constraint of human bandwidth, and every attempt to “automate” hunting just turned it back into alerting with extra steps.

Agentic AI changes that equation. Not by replacing the hunter, but by removing the constraint that held hunting back for over a decade. Agents can investigate candidates in parallel, carry structured context across every analysis, follow formalized hunting procedures consistently, and build on each other’s findings through shared memory – all while the human retains direction and judgment.

But getting real results from agents requires more than dropping an LLM into your SOC. It requires engineering the complete environment the agent operates in – what the field calls harness engineering. The difference between an agent that produces useful investigations and one that hallucinate its way through your logs has almost nothing to do with the model, it has everything to do with the harness: how you prepare the data before agents see it, what context you deliver at inference time, how you structure hunting knowledge into executable procedures, and how you route outcomes back to improve the system.

This talk walks through the architecture of a purpose-built agentic hunting system – where deterministic code handles what it does best, agents handle the interpretive work, and humans direct and judge.

Bio

Independent Researcher, Instructor @ AntiSyphon Training, Builder AionSec.ai

Faan Rossouw is a threat hunting researcher and educator who has taught thousands of students how to find adversaries in network and endpoint telemetry. He instructs at Antisyphon Training, where he teaches courses on threat hunting and offensive security tooling. He sees the AI era as a genuine inflection point for threat hunting, and has built AionSec.ai to empower defenders for this new aeon – designing courses that help security practitioners leverage AI agents in their work. His current focus is on applied harness engineering: building the architecture that makes agentic AI actually useful for defensive operations, rather than just another layer of alerting. Originally from South Africa, Faan is now based in Val-David, Quebec.

Links:
– AionSec
– LinkedIn
– GitHub
– X
– YouTube

Diversity is a security

Chaimaa Mhab

Diversity Is a Security Control: Reducing Cognitive Blind Spots Through Diverse Perspectives

Cybersecurity teams invest heavily in technologies designed to detect, prevent, and respond to threats. We patch vulnerabilities, harden infrastructure, deploy advanced monitoring tools, and continuously improve technical controls. Yet one critical attack surface often remains overlooked: the human dynamics within the security team itself.

When teams are composed of individuals with similar educational backgrounds, career paths, problem-solving styles, or perspectives, they often develop shared assumptions about risk, threats, and response strategies. While alignment can improve speed and coordination, excessive homogeneity can create dangerous blind spots. Teams that think alike may investigate alike, escalate alike, and ultimately miss the same signals.

In cybersecurity, where adversaries constantly adapt and exploit overlooked weaknesses, these blind spots can become material business risks.

This talk explores diversity not as a human resources initiative, but as a strategic security control. More specifically, it examines how cognitive diversity, the presence of different ways of thinking, questioning, analyzing, and communicating, can strengthen security operations and improve organizational resilience.

Drawing from real-world observations in Business Information Security Office (BISO) functions and cross-functional security collaboration, this presentation will examine how diverse perspectives improve critical security outcomes, including threat modeling, incident response, risk communication, and decision-making under pressure. The session will also explore how organizational culture influences whether team members feel empowered to challenge assumptions, escalate concerns, or voice dissenting opinions during high-stakes situations.

The talk will highlight how strong team dynamics, open communication, and inclusive collaboration can reduce security risk and enhance security posture, even in technically mature organizations. Through practical examples, attendees will see how diverse perspectives help surface overlooked signals earlier, improve response speed, and strengthen decision-making and prioritization during security operations.

This session is intended for security practitioners, analysts, leaders, and anyone involved in cybersecurity and organizational resilience. Attendees will leave with a practical framework for recognizing and leveraging cognitive diversity within their teams, along with actionable ideas to foster stronger collaboration across technical and non-technical disciplines.

In an industry focused on securing systems, it is equally important to consider how we structure the teams responsible for defending them. Diversity of thought is not simply beneficial—it is a powerful enabler of stronger cyber resilience and more effective security outcomes.

Bio

Chaimaa Mhab is a Global Cybersecurity Advisor at CAE, where she has demonstrated strong technical growth, leadership capabilities, and a deep commitment to cybersecurity culture both inside and outside the organization. Her contributions have strengthened operational processes, enhanced cybersecurity training programs, elevated security testing strategies, and increased CAE’s visibility within the broader cybersecurity ecosystem. Chaimaa is also a strong advocate for inclusion, education, and collaboration. As an active member of CAE’s Women in Cyber group, she champions greater representation and supports initiatives that foster belonging and professional growth within cybersecurity. She has organized and participated in multiple initiatives aimed at encouraging women and introducing youth to the field. Her perspective is shaped by a unique combination of business education, cybersecurity expertise, and community engagement. In recognition of her contributions to cybersecurity education and outreach, Chaimaa received the 2025 CyberCap Educational Trophy. Her experience provides a compelling foundation for a talk on how diversity can be leveraged as a force multiplier in modern cybersecurity teams.

mina2.png

Mina Movahedi

Proactive Bias Mitigation Against AI's Unseen Vulnerabilities in Cybersecurity

Artificial Intelligence (AI) has revolutionized cybersecurity by enhancing threat detection and response capabilities. However, the presence of bias in AI systems poses significant challenges, potentially undermining the accuracy and fairness of cybersecurity measures. This presentation explores comprehensive initiatives aimed at mitigating AI bias in cybersecurity.

We examine the root causes of bias, including biased training data and algorithmic design flaws, and discuss the implications of biased threat detection, such as false positives and negatives, through real-world examples. Additionally, we address the issues of targeted surveillance, where certain user groups might be disproportionately monitored, and data-driven vulnerabilities that can result from biased training data.

This research proposal addresses the critical imperative of mitigating bias in AI detections and mitigation techniques within cybersecurity. We contend that AI bias, acknowledged by 62% of surveyed organizations as influenced by cultural context, stems from unrepresentative data.

35% of businesses—and inherent human biases, leading to issues like higher error rates for minorities in facial analysis technologies. Crucially, AI’s ability to interpret emotions across cultures degrades significantly when models are transferred, a vulnerability cybercriminals exploit given diverse emotional expressions (e.g., direct English vs. metaphorical Arabic, exaggerated Western vs. subtle East Asian facial cues).

Additionally, this work highlights the interplay between AI bias and adversarial exploitation, illustrating how cyber attackers can manipulate biased security models to create vulnerabilities. To address these risks, the study underscores the importance of human oversight and continuous monitoring, ensuring AI-driven threat detection remains transparent, fair, and resistant to bias-based manipulations. By providing actionable solutions for AI bias mitigation, this research contributes to the broader effort of developing trustworthy, equitable, and effective cybersecurity technologies.

Join us to gain insights into the importance of AI bias, learn from practical examples, and discover how you can contribute to mitigate and address biases in your incident response processes.

Bio

Mina Movahedi Shakib is a seasoned cybersecurity professional with over a decade of experience in the tech industry. Her foundation in wireless networking and cybersecurity, combined with her current role as a cyber threat investigator at Bell Canada’s Security Operations Center, makes her a vital asset in safeguarding digital landscapes. Mina thrives in the fast-paced world of threat detection, incident response, and security operations, always seeking innovative ways to advance security measures. Mina is not just about technical expertise; she is a dynamic speaker at numerous in-person and virtual cybersecurity conferences, including HackFest2024, LCL2025,CIS 2025, the Annual Cybersecurity Summit, and the WIT Global Summit. She is also deeply committed to mentorship, actively empowering women in technology and fostering the next generation of innovators. Passionate about exploring the intersection of cybersecurity and artificial intelligence, Mina believes in the transformative potential of AI-driven solutions to tackle real-world challenges, especially in enhancing security and efficiency.

ADJ-headshot-top-square222.png

Alexis Dorais-Joncas

Attribution of cyber operations: does it really matter?

Attribution of cyber operations: does it really matter? It depends on who’s asking. Based on real APT attack investigations made by Proofpoint researchers and attributed to Russia, Iran, North Korea and regions, we’ll demonstrate what details go into attribution work from the perspective of an email security vendor, why attribution can be useful for defenders and how Blue Teams can use it to better inform threat modeling and risk. We’ll define attribution, compare the concepts of attribution and Attribution and discuss how softer attribution elements should be paired with harder, more technical ones to get the best results. In closing, we will discuss potential pitfalls we’ve seen with attribution and even dare bring up the controversial topic of threat actor naming, Marketing gimmick, necessary evil, a little bit of both? Let’s find out.

Bio

Alexis Dorais-Joncas dirige l’équipe responsable de la recherche sur les attaques ciblées (APT) chez Proofpoint. Leur but : identifier et comprendre ces attaques pour protéger leurs clients contre ces attaquants dédiés et persistants. Avant de se joindre à Proofpoint, Alexis a été durant plus de 10 ans le directeur du centre de R&D montréalais de la firme ESET, dont le mandat était d’étudier les logiciels malveillants utilisés dans le cadre d’attaques ciblant ses clients.

dgoulet.png

David Goulet

How Tor Works

 This talk will begin with an overview of how Tor works —perfect for newcomers and a useful refresher for everyone else. We’ll then showcase the latest technology and development progress the Tor network has seen in recent  years. Special attention will be given to the motivations behind, and current state of, our new Rust implementation. Finally, we’ll talk about our newest software: a mobile VPN app for Android and iOS. This app lets you choose which applications use the Tor network — no device rooting required. All in all, expect a mostly technical deep dive into our technology. No fancy logos, no marketing nor any pie charts so please leave your buzzword bingo card at home.

Bio

David Goulet has been with the Tor Project for almost 15 years. He is part of the network team, which maintains the Tor network and its core software, such as the C implementation (tor) and the new Rust-based work in progress (Arti). He loves onions, gives garlic a chance, and sprinkles it all with scallions.

mathieu-saulnier222.png

Mathieu Saulnier

Graph All The Things: The Birth of *Hound

BloodHound Community Edition V8 was dropped right before BlackHat and it learned new tricks! The most significant of them is OpenGraph which allows you to expand the Graph to map any Attack Path you come across in your Offensive Engagements or that you need to Defend internally. In this session we’ll see how to leverage OpenGraph to craft and customize your own Attack Graphs and the elements to include in a great submission to this Open Source Project. SalesForceHound, OktaHound, why not SAPHound? The only limit is your imagination (and maybe your coffee/Red Bull budget).

Bio

Mathieu Saulnier is a cybersecurity leader with 20+ years in Threat Research, Detection Engineering, Threat Hunting, and Incident Response. He has led diverse, global teams to success and shared his expertise on stages at Derbycon, SANS Summits, RSAC, SecTor, and BSides worldwide. A dedicated community mentor with DEF CON’s Blue Team Village and co-organizer of NorthSec, DEATHcon and SkiCon, Mathieu now serves as Product Manager for BloodHound Community Edition, empowering attackers and defenders to audit and secure complex environments.

Scientific committee

Alain Yamin | Undisclosed
Alex Bouffard | Flare
Hugo Genesse | GE Vernova
Matthieu Faou | ESET
Michael Joyce | Université de Montréal
Pierre-Marc Bureau | Sabbatical
Thierry Marier-Bienvenue | Desjardins