Get your coffee, get oriented, and get prepared for BSides Roanoke.
Anemoia is the feeling of nostalgia for a time you never actually lived through. Let’s play InfoSec anemoia: maybe you wish you’d been around when a single quote could own virtually every webapp (unclosed quotation mark, my old friend), or before the /GS flag killed buffer overflows (it didn’t really), or when you could trigger RCE in Windows with a single packet (MSRPC, you beautiful beast), or when SSH exploits actually worked — like that one from The Matrix Reloaded. Maybe it’s the good old days when now-seven-figure bugs were burned on worms, just because, or when SSRF in AWS handed you temporary creds.
However long you’ve worked in the industry, we’ve all felt the sense that we just missed the golden age — and unfortunately Claude Code can’t build us a time machine (yet). Back in the present though, the uncomfortable truth is that we’re standing at the dawn of an era unlike anything that has come before it. The shift to the AI era will be fast, disorienting and humbling.
So how do we sit with that? How do we accept that our hard-won knowledge and skills have a shelf life, and still show up energized? It’s not easy. To adapt, we need to be less defined by our tools, our exploits, and even our knowledge — you can keep your war stories, though — and more defined by our curiosity as we were when our eyes were first opened to a career in this crazy thing we call InfoSec.
In 1985, a software race condition in a radiation therapy device called the Therac-25 began quietly killing cancer patients by delivering radiation doses up to 100 times the therapeutic level. Six patients were overdosed, and three died. The root cause was nothing exotic: reused code, removed hardware interlocks, a single unreviewed programmer, and a manufacturer so confident in their software that they dismissed every patient complaint for nineteen months.
Almost forty years later, the healthcare sector is deploying millions of connected medical devices such as insulin pumps, infusion systems, patient monitors (telemetry), diagnostic imaging, connected laboratory equipment and implantables. A surprising number of them repeat every structural failure that the Therac-25 made famous: software-only safety controls, legacy firmware reused without re-testing, and security alert fatigue.
This talk takes attendees inside the Therac-25 Affair with deep technical details of the race conditions, the integer overflows, the missing hardware interlocks, and the regulatory blind spots.
Many experienced security professionals reach a point where independent consulting looks appealing: autonomy, flexibility, impact, and the opportunity to do meaningful work. What’s rarely discussed is how fundamentally different consulting is from being “good at security.”
This session is based on real-world lessons learned from building and operating an independent information security consulting practice, including virtual CISO engagements serving small and midsized organizations. It focuses on the realities that most aspiring consultants underestimate: running a business, finding and retaining clients, pricing services, managing time, navigating ethical challenges, and avoiding burnout.
Attendees will learn why technical expertise alone is insufficient for long-term success, how to think like both a security professional and a business owner, and how to make a risk-informed decision about whether independent consulting is truly the right path. Topics include defining your “why,” avoiding common early mistakes, balancing client work with business operations, establishing professional boundaries, and building trust as a long-term advisor rather than a short-term technician.
This is not a “get rich quick” talk, nor is it a vendor pitch. Instead, it is a candid discussion of what actually works—and what doesn’t—when transitioning from employment into independent information security consulting. Attendees will leave with practical guidance, realistic expectations, and a clearer understanding of whether this path aligns with their goals, values, and tolerance for risk.
Intended audience: Security practitioners, senior engineers, analysts, managers, and aspiring consultants considering independent or vCISO-style work.
In today’s organizations, the greatest vulnerability isn’t always in the network — it’s in communication. Security and IT professionals routinely identify serious risks that leadership ignores, minimizes, or delays. This talk explores how technical experts can navigate the political landscape of their organizations to turn warnings into action. Drawing from real-world experience in incident response and executive leadership, Jonathan shares practical strategies for building influence, framing messages that leadership actually hears, and surviving the frustrating gap between technical truth and executive decision-making.
Dysentery, snake bites, and drowning—classic ways to die in Oregon Trail. But how do you “die” in application development? Simple: a day-zero breach or cyberattack. Just one successful breach can land your organization on the front page of the news.
The question is: can you prevent it?
Yes.
Today, open source components make up 90% of modern application dependencies. With the software industry’s reliance on open source, it’s critical to choose well-maintained, community-driven projects to withstand disasters like Log4j.
In this session, learn how attackers embed malicious code that evades sandbox detection or masquerades as legitimate vendor software. We’ll explore real-world examples, from Log4j vulnerabilities to state-sponsored malware in macOS Flutter apps, dissecting what went wrong.
Discover emerging technologies that assess software risks without relying on source code, like automated static binary analysis and black-box testing. Gain actionable insights and best practices to uncover hidden threats in your software supply chain.
Many organizations fail compliance audits not because staff are careless, but because systems are fractured, responsibilities are unclear, and accountability is inconsistent. This session introduces a practical, repeatable governance model to strengthen compliance, reduce organizational risk, and build a culture of documentation, data integrity, and follow-through. Attendees will learn how to assess breakdown points, build aligned workflows, and implement a sustainable structure that supports teams without overwhelming them. This talk is ideal for professionals supporting regulated environments, high-risk systems, or any organization trying to move from reactive compliance to proactive governance.
This talk provides a technical deep dive into a Palo Alto PAN-OS vulnerability chain used to achieve lateral movement and potentially elevated domain privileges from an unauthenticated perspective. After analyzing the technical details of these vulnerabilities, we move beyond theory to examine real-world engagements where this chain was successfully deployed. We will explore the discovery methodology, the granular mechanics of both the exploitation and post-exploitation phases, and the development of a custom tool designed to streamline the attack. The session concludes with practical defensive countermeasures and a live demonstration of the full kill chain, environment and time permitting.
“Everyone has a plan until they get punched in the face.” Mike Tyson’s line sums up incident response better than any manual. You can draft the neatest IR plan in the world, but unless you have practised taking the hit, it will fold the moment reality lands a blow.
This talk is about building muscle memory before the breach. You will walk away with five practical steps to turn dusty plans into lived experience. These steps will minimise damage and improve your chances of getting back to BAU in a timely way. Remember, the best response isn’t necessarily the fastest, it’s the one that is the most coherent, calm, and well managed. Key takeaways:
Learn how to get complete coverage of NTLM relaying attack surfaces in a network environment. This session introduces RelayKing, a new tool Logan developed to comprehensively map relay exploitation paths across infrastructure. This talk will be useful for offensive and defensive practitioners alike for helping to identify and exploit, or identify and remediate NTLM relaying issues - all in the name of elevating your Active Directory security posture.
We’ve spent a decade treating alert fatigue as a tooling problem. Tune the SIEM. Add automation. Reduce the noise. But alert volumes keep climbing, analyst burnout and turnover continue, and we keep buying the next platform that promises to fix it. What if we’ve been treating the symptom and ignoring the disease?
This talk makes the case that alert fatigue is a misdiagnosis. The real condition is cognitive atrophy—the progressive erosion of deep-focus, creative, adversarial thinking—driven by years of consumption-mode work and reinforced by the same passive information habits that dominate our lives outside work.
The neuroscience is clear. Research on the prefrontal cortex shows that sustained passive consumption—whether it’s triaging alerts, scrolling threat feeds, or doomscrolling social media—trains the brain into a reactive, low-effort processing state. The same neural pathways that make someone efficient at high-volume, low-depth information processing make them measurably worse at sustained attention, pattern recognition, and creative problem-solving. This isn’t a metaphor; it’s measurable, and it just might be happening to your team right now.
Meanwhile, AI is automating the reactive work that has defined the analyst role for a decade. This should be good news, but it exposes a brutal gap: the work that remains—novel threat detection, creative defense-building, reading attacker intent in ambiguous situations—requires exactly the cognitive skills that consumption-mode work has been atrophying.
This is not just a SOC problem. Every technical team running on consumption-heavy workflows is building the same cognitive debt. The SOC is where the consequences are most visible and most dangerous.
The “Founding Apprentice” Perspective
I know because it happened to me. Despite being a CISSP with 20+ years in enterprise and emerging technology at GE and Genworth, and running a company built on value creation-first learning, I wasn’t immune. The collision of social media cycles, pandemic-era overload, and the relentless pace of AI developments put me into the same consumption spiral I now warn others about. I’ll share the specific neuroscience of why this “hijack” happens even to experts, and the specific practices I used to claw back my own cognitive capacity before it was too late.
The Practical Framework: From Consumption to Creation
Drawing on published neuroscience, my experience building a next-generation workforce at MAXX Potential, and early-stage experiments we’re running with our cybersecurity apprentices, I’ll present a practical framework any technical leader can implement Monday morning:
They say the “S” in IoT stands for security, but identifying and proving insecurity is still challenging. Static analysis of firmware can be insufficient, especially when all or part of the device’s firmware is obfuscated or encrypted.
In this talk, I’ll tell you how emulators can be used for dynamic analysis of embedded systems, and why the leading solution, QEMU, is insufficient. Then I’ll show you how Renode can be used to fuzz, debug, and simulate the firmware and wireless networks of embedded systems to help you find more vulnerabilities faster. Going beyond Renode’s demos, I’ll show emulation of a dev board’s Linux firmware, kernel and all, and explain my attempts to use Renode to find vulnerabilities.
People of all levels of expertise are invited to attend and learn something new.
Security teams are drowning in alerts while attackers are rapidly adopting automation and AI to accelerate reconnaissance, exploitation, and lateral movement. The future battlefield is no longer human vs. human — it is autonomous offense vs. autonomous defense.
This session explores the emergence of agentic AI security platforms capable of independently observing environments, making decisions, executing actions, and continuously adapting in real time. Attendees will see how offensive agents can autonomously discover assets, chain attack paths, validate exploitability, and pressure-test security controls — while defensive agents simultaneously detect behavioral anomalies, initiate containment, and execute incident response without waiting for human approval.
Rather than theoretical AI discussions, this talk focuses on operational architecture and real-world design patterns, including:
Attendees will leave with a clear blueprint for transitioning from reactive SOC models to self-driving security operations, along with a practical understanding of the risks, governance requirements, and strategic advantages of agentic AI.
If you believe attackers will automate faster than defenders — this session will show you how to reverse that equation.
The threat of quantum computing to classical cryptographic methods and the new algorithms that have been developed in response to this threat are topics that are now often alluded to, but rarely explained. This presentation aims to provide an accessible introduction to the motivations behind post-quantum cryptography, and to survey various approaches to quantum-safe algorithms. These algorithms will be selected from those that were recently standardized or are still under consideration in either the NIST PQC or the NIST Additional Digital Signatures competitions, which means they will likely be relevant to security practitioners in the next few years.
Awards and thank yous!
Also, the place to find where people are getting some food after the event.