Best Talks at BSidesSF 2025 — Here Be Dragons

Editor's picks · 12 talks

Hand-picked from in-depth reviewer verdicts. View all talks at BSidesSF 2025 — Here Be Dragons →

  1. Into The Dragon's Den — Jacob Salassi, Michele Freschi

    After years leading product security at a major SaaS database company during its China expansion, Jacob Salassi and Michele Freschi share the hard-won mental models they developed for operating in a strategically hostile environment. The…

  2. Data Splicing Attacks: Breaking Enterprise Data Loss Prevention — Vivek Ramachandran, Audrey Adeline

    Researchers from Square X introduced a new class of attack they call "data splicing" — five distinct techniques that systematically bypass both endpoint DLP and SASE/SSE proxy DLP solutions by exploiting fundamental architectural…

  3. 0.0.0.0 Day: Exploiting Localhost APIs From The Browser — Gal Elbaz

    The IP address `0.0.0.0` is an 18-year-old bug hiding in plain sight — a single address that bypasses every browser-based private network protection ever built. Gal Elbaz, co-founder and CTO of Oligo Security, reveals how this quirk…

  4. Using AI to Discover Silently Patched Vulnerabilities in Open Source — Mackenzie Jackson

    Mackenzie Jackson of Aikido Security described research that used LLMs to monitor open-source changelogs at scale, discovering 550 undisclosed vulnerabilities in 2024 — 67% of which never received a CVE. The same AI-powered approach has…

  5. AI's Bitter Lesson for SOCs: Let Machines Be Machines — Jackie Bow, Peter Sanford

    The detection and response team at Anthropic built an AI-assisted investigation platform called Clue in roughly three months using Claude as both a co-engineer and runtime investigator, without any fine-tuning or specialized ML training…

  6. Slaying the Dragons: A Security Professional's Guide to Burnout and Resilience — Kirill Boychenko

    Modern software applications are 70–90% open-source by composition, making package ecosystems an irresistible attack surface. Kirill Boychenko, senior threat intelligence analyst at Socket, walked through real malicious campaigns…

  7. Blank Space: Filling the Gaps in Atomic and Composite Detection — Merav Bar, Gili Tikochinski

    Threat intelligence for cloud environments is systematically incomplete — the industry reports IPs, hashes, and domains while leaving cloud-specific indicators of compromise undocumented and unshared. Wiz researchers Merav Bar and Gili…

  8. There and Back Again: Discovering OT Devices Across Protocol Gateways — Rob King

    Operational technology (OT) devices — the PLCs, SCADA systems, and field devices controlling physical infrastructure — are increasingly reachable over IP networks, often with no authentication whatsoever. Security researcher Rob King…

  9. Can Cyber Mercenaries and Human Rights Defenders Coexist? — Bill Marczak, Cooper Quintin, Eva Galperin

    The panel's opening answer — "no" — barely scratched the surface of a decade-long arms race between spyware vendors and the researchers chasing them. Cooper Quintin (EFF), Bill Marczak (Citizen Lab), and Eva Galperin (EFF) laid out why…

  10. The Growing Crisis in CVE Data Quality — Jerry Gamblin

    The CVE program is the backbone of global vulnerability management — but its data quality is deteriorating under the weight of exploding volume, underfunded enrichment, and minimal publishing requirements that allow nearly useless records…

  11. Inside the Information Stealer Ecosystem: From Compromise to Cash-Out — Olivier Bilodeau

    Information stealer malware — a category that requires no admin rights, leaves no persistence, and can exfiltrate an entire computer's credentials in one shot — has become the backbone of the modern cybercrime economy. Olivier Bilodeau…

  12. The Product Security Imperative: Lessons from CISA — Jack Cable

    Jack Cable, who spent two years at CISA leading the Secure by Design initiative before delivering this talk, made the case that the software industry is still building products riddled with decades-old, preventable vulnerability classes —…