Adrian Bednarek

Adrian Bednarek is an ISE Labs researcher, and a Senior Security Analyst at Independent Security Evaluators (ISE). He specializes in reverse engineering proprietary software and communications protocols. He has been an invited speaker to DEF CON 25 and RSA Conference 2018 where he shared his previous experiences and custom tools in exploiting virtual economies and currencies in online gaming. At ISE he helps Fortune 100 companies secure complex software systems and prepare for emerging security threats by performing hands-on security assessments and providing guidance in developing secure software solutions.

  • Ethercombing - Blockchain brute force cryptanalysis
Alex Ivkin

Alex Ivkin is a Director of Solutions at Eclypsium, a Portland security company. With over a decade of security experience his focus is on secure deployments of (un)secure software, advisory and implementation of application security, container orchestration and IAM. Alex presented at numerous security industry conferences, trainings, co-authored the ISACA CSX Professional certification and has a Masters degree in Computer Science.

  • Down the sinkhole with Kubernetes
  • Jet Skiing
Ang Cui

Dr. Ang Cui is the Founder and Chief Scientist of Red Balloon Security.
Dr. Cui received his PhD from Columbia University in 2015. His doctoral
dissertation, titled ”Embedded System Security: A Software-based
Approach”, focused exclusively on scientific inquiries concerning the
exploitation and defense embedded systems. Ang has focused on developing
new technologies to defend embedded systems against exploitation. During
the course of his research, he has uncovered a number of serious
vulnerabilities within ubiquitous embedded devices like Cisco routers,
HP printers and Cisco IP phones. Dr. Cui is also the author of FRAK and
the inventor of Software Symbiote technology. Ang has received various
awards on his work on reverse engineering commercial devices and is also
the recipient of the Symantec Graduate Fellowship and was selected as a
DARPA Riser in 2015.

  • 100 Seconds of Solitude: Defeating Cisco Trust Anchor With FPGA Bitstream Shenanigans
  • Hot Tub Island
Antonio Piazza

Antonio Piazza, hailing from Austin, TX. USA, is an Offensive Security Engineer on the Box Red Team. Following his stint as a US Army Human Intelligence Collector he worked as a Defense contractor/operator on an NSA Red Team so he is intimately familiar with spies, hacking, and everything nerdy. Antonio is passionate about all things related to MacOS security and thus spends his days researching MacOS internals and security as well as writing free, open-source security tools to help protect Mac users.

  • Gone Calishing: A Red Team Approach to Weaponizing Google Calendar and How to Stop It.
  • Scavenger Hunt
Aravind Sreenivasa

Aravind Sreenivasa is an Application Security Engineer at DocuSign. He started his career as a software developer and transitioned to security after obtaining a graduate degree in computer science. Aravind is passionate about making security developer friendly and integrating security with the software development process.

  • Static code analysis should work for developers, not for you
  • Scavenger Hunt
Beau Woods

Beau wears a lot of hats, all white. He has hacked medical devices, won Best Mustache at Movember London, evaded Russian Mafiosi near Moscow, brought members of Congress to DEF CON, and learned to throw a curve from a major league pitcher. Beau also helps lead I Am The Cavalry, holds a Fellowship with the Atlantic Council, is Founder/CEO of Stratigos Security, DEF CON Goon, Village organizer, BSidesLV staff, runs Hackers on the Hill, has a BS in Psychology from Georgia Tech, and lives in DC.

  • Blue Team Set Us Up The SBOM
Bruce Potter

Bruce Potter is the founder of The Shmoo Group, CISO at Expel, and helps run ShmooCon each year in Washington DC. Bruce has over 20 years (yikes!) of experience in hacking and cyber security including working with DoD an Intelligence Community clients as well as numerous finance, healthcare, and transportation companies. Bruce used to do a lot of wireless and network attack and defense work but lately focuses on risk management, threat categorization, and building more secure systems. Bruce likes to talk about himself in the third person, but usually only does it in bios.

  • Pen testing by asking questions: the Art of Elicitation
  • Bike Ride
Bryce Kunz (@TweekFawkes)

Bryce Kunz (@TweekFawkes) loves researching red team techniques for bleeding edge Cloud services. Currently, the President of Stage 2 Security ( ), previously supported the NSA (network exploitation & vulnerability research), Adobe (built red teaming program for cloud services), and DHS (incident response). Bryce holds numerous certifications (e.g. OSCP, CISSP, ...), has spoken at various security conferences (i.e. BlackHat, DerbyCon, BSidesLV, etc...) and teaches classes at BlackHat (e.g. AWS & Azure Exploitation).

  • May the Cloud be with You: Red Teaming GCP (Google Cloud Platform)
Caleb McGary

I am a senior security engineer on a Microsoft internal Red Team. I spend my days hacking Microsoft, writing software, and generally trying to not get fired while enjoying my job.

  • Using drivers for kernel operations during a Red Team operation
  • San Diego Zoo
Daniel Moghimi

Daniel Moghimi is a Computer Security Researcher working toward a Doctorate Degree in the Electrical & Computer Engineering (ECE) Department at Worcester Polytechnic Institute (WPI). Before that, He received a Master of Science Degree from Computer Science (CS) Department at WPI. His research interests include system security, side channels and applied cryptography.

He has been co-advised by Prof. Berk Sunar and Prof. Thomas Eisenbarth as a member of the Vernam Group. He has published a few papers on new CPU attacks: MemJam, SPOILER, ZombieLoad; Intel’s TEE environment, Intel SGX: CacheZoom and CacheQuote; and side-channel analysis and detection tools: MicroWalk and FortuneTeller.

Daniel enjoy reverse engineering, finding vulnerabilities and fuzzing things.

  • ZombieLoad: Leaking Data on Intel CPUs
  • Jet Skiing
David M. N. Bryan - Aka VideoMan

David M. N. Bryan is an penetration tester with X-Force Red, IBM’s elite security testing team. Responsibilities include establishing standardized tools and processes for our consultants and working with clients on penetration testing projects.

David has well over a decade of experience. From being a defender of security at a top ten banks, to securing the DEF CON network. David has been a participant in the information security community for over two decades. David has been the attacker in many scenarios as a penetration tester covering: ATMs, embedded devices, network, wireless, web applications, and physical security. David has presented at many security conferences including: BlackHat, DEF CON, ToorCon, LayerOne, ToorCamp, BSides Events, AppSecUSA, Etc. David lives in cold, but beautiful Minneapolis Minnesota.

  • Card cloning doesn't have to be hard.
  • Bike Ride
Erin Browning

Erin Browning is a senior security engineer at Latacora. She focuses on application and Android security and has an interest in cryptography. She loves cats and puns. You can find her on twitter @efrowning.

  • Token Up: Keeping Hands out of the Cookie Jar
Geo... Mark? Hardly!!


  • HACKER JEOPARDY: The Road to Vegas, Baby!
Jatin Kataria

Jatin Kataria is the Principal Research Scientist at Red Balloon
Security where he architects defensive technologies for embedded
systems. Playing both the role of cat and of mouse at Red Balloon has
many suggesting that he may be the first real source of perpetual
energy. He tires of n-days easily and is always looking for new and
exciting ELF shenanigans, caching complications, and the Fedex guy who
lost his engagement ring. Prior to his time at Red Balloon Security,
Jatin worked at a number of firms as a systems software developer and
earned his Master of Engineering at Columbia University.

  • 100 Seconds of Solitude: Defeating Cisco Trust Anchor With FPGA Bitstream Shenanigans
  • Hot Tub Island
Jesse (@bashexplode)

Jesse Nebling is a senior engineer and operator on an internal Red Team for a Big 4 firm, a guitarist of cult classic band Free Parking!, and an electronic music producer (@bashexplode) based out of Seattle. Jesse was a consultant for over 7 years that has done penetration tests and full scope red team operations for businesses in a ton of industry sectors including quite a few Fortune 100 businesses. Now that he is helping build out a new Red Team, he is refining and developing awesome new tactics and tools for all steps of the killchain.

  • Purple Haze: The SpearPhishing Experience
  • Skydiving
Karl Koscher

Karl Koscher is a research scientist working at the University of Washington where he specializes in wireless and embedded systems security. Previously, he was a postdoctoral scholar working with Stefan Savage at UC San Diego. He received his Ph.D. from the University of Washington in 2014, where he was advised by Tadayoshi Kohno.

  • Enabling HTTPS for home network devices
  • Micro Brewery Boat
Kashish Mittal

Kashish Mittal is a Security Researcher and Engineer. He currently is the Head of Security at MileIQ, a Microsoft startup. He has worked for companies such as Elevate Security, Duo Security, Bank of America, Deutsche Bank etc. By choice, he is an ethical hacker and an addicted CTF player. He is a member of PPP (CMU's elite CTF group). Prior to joining Duo, he did Security Research at Cylab, Pittsburgh. He has a BS and a MS from Carnegie Mellon University with a focus on Security. He is passionate about delivering Security awareness and training for employees, college students and high schoolers etc. He has been invited to presented his research and work at various national and International Security conferences.

  • Sea World
Kate Temkin & Mikaela Szekely

Kate Temkin leads the software development team at Great Scott Gadgets. Kate is a seasoned USB researcher, and maintains a variety of open-source hardware and software tools, including FaceDancer and GreatFET, and has discovered a number of well-known USB vulnerabilities– including CVE-2018-6242, which famously allowed full exploitation of the Nintendo Switch. When not researching hardware security herself, her passions include making hardware and reverse engineering more accessible to everyone who wants to learn.

Kate has given talks at venues including the CCC,, ShmooCon, ToorCon, TROOPERS, and many more-- including appearances as a keynote speaker. She also has authored full curricula for several university-level engineering courses, and routinely gives trainings on USB security.


Mikaela Szekely is an open-source software and hardware enthusiast with a long-standing interest in USB, embedded systems, and the (ab)use of arbitrary code execution vulnerabilities on video game consoles. At the confluence of these interests, she maintains “fusée-launcher”, an open-source USB exploit tool and firmware loader for the Nintendo Switch. When not maintaining her own tools, Mikaela contributes to a variety of open-source projects, makes truly terrible puns, and hones her computer science skills in scenic Colorado.

  • Hacking Even More USB with USB-Tools
Kirsten Sireci Renner

I started my career briefly in software development right out of high school, then went into IT, standing-up and managing help-desks.
I have been technical recruiting for nearly two decades and am now the Director of Recruiting at a thousand person advanced analytics and cyber security company specializing in defense and enablement products and services.
In our community I am possibly best known for being the co-organizer of the Car Hacking Village since its inception, and as a volunteer across many cons including speaking engagements at Shmoocon and Derbycon and many BSides nationwide.
My passion and reputation is for helping people whenever I can.

  • Navigating the Infosec Job Search
  • Mock Interview Resume Review Workshop
Kos (Kyle Osborn)

Kos has worked in infosec for most of the last decade, bouncing between web security consulting at AppSec Consulting, corp and product security at Tesla, and pentesting at Lares Consulting. He has previously spoken at the best security conferences in the world such as Toorcon San Diego and Toorcon Seattle Appearances at Derbycon, DefCon, and BlackHat too.

There's a joke about hating money and working for a government entity, but really he was just interested in some of the unique problems government faces.

  • From private to public, working in local government.
  • Escape Rooms
Margaret Fero

Margaret is a Technical Writer with a strong interest in information security, learning and education, and interdisciplinary connections. She has spoken at conferences including Write The Docs Day: Australia, the O'Reilly Open Source Convention (OSCON), and Abstractions II.

  • Mosaic Theory of Information Security
  • Lunch Break
  • Lunch Break
  • Red Day Registration & Reception Begins
  • Food and Chill
  • Beach Bonfire Luau & Fireside Closing Remarks
  • Party @ The Hard Rock
  • Registration
  • Registration
  • Opening Remarks
  • Opening Remarks
Megan DeBlois

I lead tech projects at Internews focused around improving civil society’s security literacy and resiliency. Currently working on enhancing threat info sharing capabilities of high risk communities around the globe, while advising on other infosec risks across Internews.

I am also a part time student at the University of Oxford studying for my MSc in Software and Systems Security. My current research and interests lie around better understanding malware operations targeting civil society, journalists, human rights groups, and other targeted communities globally. The more we know, the better we defend.

  • Blue Teaming for Human Rights
  • San Diego Zoo

Mike is the cofounder of MedCrypt, a medical device cybersecurity startup based in San Diego, CA.

  • Challenges of X.509 certs
Mike Arnoult

I'm a backend web programmer, who tries to make vidja games on the side, and is passionate about investing. It's way cooler than people think!

  • You're probably a young professional and you should probably be investing. Here's how.
Morgan Roman

Morgan Roman works on the application security team at DocuSign. He started his career writing integration tests for web applications and APIs as a software development engineer in test. He is passionate about finding ways to automate security testing and make it part of the deployment process.

  • Don’t run with scissors: how to standardize the way your developers use dangerous aspects of your framework

Pookie works for a regulated industry, that has recently expanded into the San Diego area! He works on the Security Operations Team where he helps with Security Engineering, Incident Response, and a wide variety of other activities. Pookie is the resident forensics expert for the team, in addition to being the preferred purveyor of spirits, and the designated Friday afternoon DJ.

  • Real Life Devsecops
  • Exploratory Penetration
Rick Housley

Rick Housley is a Principal Engineer at United Technologies Corp., where he works as part of UTC’s Cyber Security Center of Expertise. Previous to his time at UTC he worked as a Research Scientist at Red Balloon Security. His research has been showcased at numerous industry and academic conferences including Blackhat, Defcon, REcon, and WOOT. His most recent disclosure “Thrangrycat” was awarded a Pwnie for “Most Underhyped Research” earlier this year. When not designing secure-boot defeating EMPs and interposers, he is building axe handles and baby rattles in his woodshop.

  • PERCH: Adding a peripheral layer to Ghidra
  • Hot Tub Island
Samy Kamkar

Samy Kamkar is an independent security researcher, sometimes known for creating The MySpace Worm, one of the fastest spreading viruses of all time. He attempts to illustrate terrifying vulnerabilities with playfulness, and his exploits have been branded:
“Controversial” -The Wall Street Journal
“Horrific” -The New York Times
“Now I want to fill my USB ports up with cement” -Gizmodo

His open source software, hardware, and research highlight the insecurities and privacy implications in everyday technologies, from the Evercookie, which produces virtually immutable respawning cookies, to SkyJack, a drone that wirelessly hijacks and autonomously controls any other drones within wireless distance. His work has been cited by the NSA, triggered hearings on Capitol Hill, and has been the basis for security advancements across most web browsers, smartphones, and vehicles.

  • NAT Pinning 2.0: bypassing routers & firewalls via web+NAT abuse
  • Escape Rooms
Shea Polansky

Shea Polansky is a security analyst for Independent Security Evaluators, where he performs network and application security assessments. He uses his background in systems administration and software development to automate all the things, and teaches himself electrical engineering as a hobby.

  • Mocking HTTP Services with Burp
Soldier of FORTRAN

Philip Young, aka Soldier of FORTRAN, is a leading expert in all things mainframe hacking. Having spoken and taught at conferences around the world, including DEFCON, RSA, BlackHat and keynoting at both SHARE and GSE Europe, he has established himself as the thought leader in mainframe penetration testing. Since 2013 Philip has released tools to aid in the testing of mainframe security and contributed to multiple opensource projects including Nmap, allowing those with little mainframe capabilities the chance to test their mainframes. In addition to speaking, he has built mainframe security programs for multiple Fortune 100 organizations starting from the ground up to creating a repeatable testing program using both vendor and public toolsets. His hope is that through raising awareness about mainframe security more organizations will take their risk profile seriously.

  • Cutting Edge Techniques to Pwn the Gibson
Somerset Recon

Marcus is the President of Somerset Recon and over his carrier has worked on a variety of hardware and software security assessments. In his free time he enjoys reverse engineering, lock picking, web hacking, capture the flag competitions and board sports. He has spoken at a variety of security conferences including RSA conference and LayerOne. Marcus also helps host capture the flag competitions, lock picking villages and regularly guest lectures at several California universities.

  • Kiosk Red Pills
Thomas Roth and Josh Datko

Thomas Roth is an embedded and IoT security researcher and founder of leveldown security. Thomas was named as one of the 30 under 30 in Technology by the Forbes Magazine. His main focus is on IoT, automotive and embedded security, with published research on topics such as ARM TrustZone, payment terminals, hardware wallet security and industrial security.

Josh Datko is an embedded systems engineer, security researcher and former submarine officer. He’s been glitching hardware wallets since 2017, running Cryptotronix since 2013, operating ham radio since 2007, and telling amazing sea stories since before birth.

  • Sail Boat Racing
Tony Lauro

Tony is currently Director of Security Strategy for Akamai Technologies. He's been involved with Information Security since the late 90's when he worked for a large US based telecom provider. Since then Tony has worked with Akamai’s top global clients to provide cyber security guidance, architectural analysis, web application and network security expertise. With over 20 years of Information Security operations experience Tony has worked and consulted in many verticals including finance, automotive, medical/healthcare, enterprise, and mobile applications. He is currently responsible for Akamai’s North / Central / South American clients as well the training of an internal group whose focus is on Web Application Security / and adversarial resiliency disciplines. Tony’s previous responsibilities include consulting with public sector/government clients at Akamai, managing security operations and pen testing for a mobile payments company, and overseeing security and compliance responsibilities for a global financial software services organization. Tony enjoys skateboarding, competitive grappling, Brazillian Jiu Jitsu, and spending time with his wife and kids in Dallas, TX.

  • API's are not just the 21st century developers mullet, they're also how you are getting PWND
Topher Timzen

Michael Leibowitz
Michael (@r00tkillah) has done hard-time in real-time. An old-school computer engineer by education, he spends his days hacking the mothership for a fortune 100 company. Previously, he developed and tested embedded hardware and software, fooled around with strap-on boot roms, mobile apps, office suites, and written some secure software. On nights and weekends he hacks on electronics, writes CFPs, and contributes to the NSA Playset.

Twitter: @r00tkillah

Topher Timzen
Topher Timzen (@TTimzen) is currently a Principal Vulnerability Enthusiast and enjoys causing constructive mischief. Topher has spoken at conferences such as DEF CON, SecTor and BSidesPDX on offensive security research. Enjoying teaching, particularly about exploitation, he has been running the CTF at BSidesPDX for the past few years. Topher is located in the woods hiking or mountain biking when not computing.

Twitter: @TTimzen

Collectively they have pretended to be bears, slayed a dragon or two, and have managed to not bring down a production server (for long). In reality, they just want to write malware.

  • EDR Is Coming; Hide Yo Sh!t
  • Sail Boat Racing
Ulrich Lang, PhD

Ulrich Lang | Co-Founder and CEO | ObjectSecurity LLC

Ulrich received his Ph.D. from the University of Cambridge Computer Laboratory (Security Group) on conceptual aspects of middleware security in 2003 (sponsored by the UK Defence and Evaluation Research Agency (DERA), after having completed a Master’s Degree (M. Sc.) in Information Security with distinction from Royal Holloway College (University of London) in 1997.

On the management side, Ulrich has recently completed a Business Marketing Strategy course at the Kellogg School of Management (Northwestern University). Ulrich is a renowned thought leader in cybersecurity (incl. model-driven security, access control policy, and application platform security), big data analytics, artificial intelligence, and virtual/augmented reality. He is currently working on an intelligent big-data supply chain risk analytics solution, and numerous projects around policy automation and policy testing. He is on the Board of Directors of the Cloud Security Alliance (Silicon Valley Chapter) and is a technical expert witness. He is responsible for the development of the OpenPMF user interface, policy automation and testing features. Ulrich runs the U.S. office in sunny San Diego, CA – and sometimes finds the time to play his sax (->open).

  • AI HACKER! Automatic vulnerability assessment & pen-testing of embedded & other systems
Volodymyr Pikhur

Vold is based in Portland, Oregon and one of the initial founders of MDS vulnerabilities. Hes been working in computer security industry for over 10 years and started his career as Security Engineer working for anti-virus companies then following his passion with hardware joined major silicon manufacturer now he is doing hardware security audit for a cloud provider. He also previously presented his work on hardware hacking at REcon Brussels 2018. In his free time he enjoys even more hardware hacking sometimes snowboarding, riding motorcycles and brewing beer.

  • Writing PoCs for processor software side-channels
  • Skydiving