BSides Las Vegas 2025
Community-driven security conference in Las Vegas featuring practitioner talks across offensive, defensive, and governance topics.
- Broke but Breached: Secret Scanning at Scale on a Student Budget — Unknown
This session presents a large-scale **secret scanning** research effort focused on **Visual Studio Code extensions** in the public marketplace. The speaker, who introduces herself as Ravita and…
- Avoiding Credential Chaos: Authenticating With No Secrets — Unknown
Chitra Dhar Rajan and Steve Jarvis deliver a paired talk that reframes enterprise authentication and automation around a deliberately provocative **golden rule**: **“Thou shalt not have the burden…
- No IP, No Problem: Exfiltrating Data Behind IAP — Unknown
Ariel Kalman presents an attack path against **Google Cloud Platform**’s **Identity-Aware Proxy (IAP)**, framed as an **identity firewall** that intercepts requests to protected applications…
- Human Attack Surfaces in Agentic Web: How I Learned to Stop Worrying and Love the AI Apocalypse — Unknown
Matthew Canaham argues that **AI agents** are not a passing fad by drawing a parallel to the **internet’s** productivity gains—time saved on mundane tasks compounds into macroeconomic and behavioral…
- The Protocol Behind the Curtain: What MCP Really Exposes — Unknown
Srajan Gupta and Vinkumar use **Model Context Protocol (MCP)** as a lens on why **AI agents** struggle to integrate safely with deterministic **APIs**. They argue **LLM** probabilism clashes with…
- Rewriting the Playbook: Smarter Vulnerability Management with EPSSv3, CVSSv4, SSVC & VEX Frameworks — Unknown
Avin delivers an introductory-to-intermediate talk aimed at vulnerability management leaders who feel buried in **CVE** noise. The speaker, who identifies as a **vulnerability analyst** at…
- The Two Types of Fool – Generations in Cybersecurity — Unknown
Casey Ellis delivers a reflective keynote on **generational knowledge transfer** in cybersecurity, anchored by a thesis borrowed from **John Brunner**’s novel *The Shockwave Rider*: there are two…
- Hardening Containers with Seccomp: Hands-On Profiles, Pitfalls, and Real Exploits — Unknown
This session frames **seccomp** as an underused Linux kernel capability that can materially constrain attackers inside **containerized** environments—even when initial compromise succeeds. The…
- The Not So Boring Threat Model of CSP-Managed NHI’s — Unknown
**Cat Traxler**, introducing herself as principal security researcher at **Vector AI**, delivers a comparative threat model of **cloud service provider (CSP) managed non-human identities (NHIs)**…
- PEBKAC Rebooted: A Hacker’s Guide to People‑Patching in 90 Days — Unknown
**David Shipley** opens by reframing “**PEBKAC**” from an insult about user stupidity to a more constructive idea: people as **partners** between keyboard and chair—capable, human, and shaped by…
- The Scene is Dead — Unknown
Allison opens her BSides Las Vegas keynote with a deliberate contradiction: she declares **the scene is dead**, then insists it is **more alive than it has ever been**—just **no longer…
- Opening Remarks, Tuesday: Breaking Ground — Unknown
This recording captures **Tuesday opening remarks** for **BSides Las Vegas 2025**, framed by the host as the unusual “**day two**” experience of a Tuesday—reflecting the conference’s expanded…
- Advancing Network Threat Detection Thru Standardized Feature Extraction & Dynamic Ensemble Learning — Unknown
**Jason Ford**, introducing himself as a **research engineer** at **Proofpoint** giving his **first BSides talk**, presents roughly two years of research on improving **network intrusion detection**…
- Hackers Kinda Like to Eat — Unknown
This **I Am The Cavalry** track session pairs **Curtis Hansen** (in person), representing **Invictus Incident Response** and describing himself as a new **BioISAC** member, with **Andrew Rose**…
- The Age of Zygote Injection — Unknown
This presentation makes a focused case for **zygote injection** as a powerful, comparatively **stealthy** way to instrument or subvert **Android** applications at scale. The speaker—who asks the…
- The World Famous Hire Ground Panel, Tuesday Edition — Unknown
BSides Las Vegas’s **Hire Ground** hiring village anchors a long-running community effort to make **career navigation** in security more humane and more legible. This **Tuesday** panel, moderated…
- The Unbearable Weight of Commercial Licensing. Combining Closed Systems with Open Source Defense — Unknown
Kia Ard’s talk uses **commercial licensing complexity** and **closed security products** as a launch point for a defender-centered argument: when procurement, entitlements, and opaque alert…
- Defending Our Water – Defending Our Lives — Unknown
This **water and wastewater** panel connects **public health**, **civil engineering scale**, and **cyber risk** through the lens of **cyber-informed engineering (CIE)**—a discipline, championed in…
- Agentic AI Malware: Why the Cybersecurity Battle Isn’t Over — Unknown
**Candid West** opens with a deliberately skeptical frame: headlines suggest **agentic AI malware** has ended the defensive game—**self-adapting** implants that bypass everything—yet **telemetry**…
- Malicious Packages – they’re gonna get ya! — Unknown
**Meg Sage** delivers a BSides **Proving Grounds** talk aimed at developers and security engineers who treat **dependency installation** as a routine `npm install` or `pip install`—and therefore…
- RAG Against the Machine: Using Retrieval-Augmented Generation & MCP to Fortify Cybersecurity Defense — Unknown
**Brennan Lodge** uses **BSides Las Vegas** as a venue to argue that **retrieval-augmented generation (RAG)** and the **Model Context Protocol (MCP)** are practical, mostly **open-source** building…
- Time is Running Out – Tying it All Together – What Will You Do in the Near Term? — Unknown
This closing session for the I Am the Cavalry track at BSides Las Vegas is a synthesis talk and forward-looking briefing from **Josh Corman**, who describes himself as the founder of **I Am the…
- Rusty pearls: Postgres RCE on cloud databases — Unknown
**Tal** (as introduced) and **Kobe Abrams** of **Veronus** (as transcribed) present a privilege-escalation-style attack chain against **PostgreSQL** that starts from a surprising property of…
- Phish-Back: How to turn the problem into a solution. — Unknown
**Gutier Bjon**, CEO of **Moken**, presents **“Phish-Back”** (spelled **“Fishbach”** by the host in the transcript): a strategy to recover visibility into **stolen credentials** by placing…
- XSS is dead – Browser Security Features that Eliminate Bug Classes — Unknown
**Yavan** delivers a fast-paced survey arguing that **cross-site scripting (XSS)** remains a top bug class not because browsers lack defenses, but because organizations remain **reactive**…
- Let’s Go Shopping: Third-Party Vendors and CyberRisk — Unknown
**Rafael Lyala** uses a **grocery shopping** metaphor to explain **third-party risk management (TPRM)** for mixed audiences: security professionals, coworkers, family, and friends. The talk…
- Hacking Secure Coding Into Education — Unknown
**Osar** and **Yariv Ta** argue that **software remains insecure in 2025** because **education** still teaches dangerous patterns—using a real **high school** “internet programming” assignment as a…
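The secret-scanning session listed above (Broke but Breached) scans published Visual Studio Code extensions for leaked credentials. The following Python sketch is an added example, not the speaker's tooling and not code from the conference: it shows the shape of such a scanner, with fixed-prefix token patterns, an entropy check on credential-looking assignments, and an allowlist of documented placeholder values. The token formats, the 3.5 bits/char cut-off, the function names and the sample extension contents are all assumptions constructed for illustration; a real run would iterate over each downloaded .vsix (a zip archive) rather than a dict.

```python
"""Added example: a small secret scanner for unpacked VS Code extensions.

Not the speaker's tooling. Token formats, thresholds and the sample
extension contents below are assumptions constructed for illustration.
"""
import math
import re
import zipfile
from collections import Counter
from dataclasses import dataclass

# Fixed-prefix token formats (assumed for the example, not an exhaustive set).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Documented placeholder values that must never be reported (the AWS docs key).
ALLOWLIST = {"AKIAIOSFODNN7EXAMPLE"}

# name = "value" where the name hints at a credential; the value is entropy-checked.
ASSIGNMENT = re.compile(
    r"""(?i)\b(?:secret|token|api[_-]?key|password)\b\s*[:=]\s*["']([^"']{20,})["']"""
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off for "looks random"


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for a single repeated character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per secret-looking token or assignment in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = []
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                if m.group(0) not in ALLOWLIST:
                    hits.append(Finding(path, lineno, kind, m.group(0)))
        matched = {h.value for h in hits}
        for m in ASSIGNMENT.finditer(line):
            value = m.group(1)
            if value in ALLOWLIST or value in matched:
                continue  # already reported under a specific pattern
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                hits.append(Finding(path, lineno, "high_entropy_value", value))
        findings.extend(hits)
    return findings


def scan_extension(files: dict[str, str]) -> list[Finding]:
    """Scan every text file of an unpacked extension, test fixtures included."""
    out = []
    for path, text in sorted(files.items()):
        out.extend(scan_text(path, text))
    return out


def scan_vsix(path: str) -> list[Finding]:
    """A .vsix is a zip archive; scan each member that decodes as UTF-8."""
    files = {}
    with zipfile.ZipFile(path) as zf:
        for name in zf.namelist():
            try:
                files[name] = zf.read(name).decode("utf-8")
            except UnicodeDecodeError:
                continue  # binary member (icons, native modules)
    return scan_extension(files)


def summarize(findings: list[Finding]) -> Counter:
    return Counter(f.kind for f in findings)


# Constructed sample: contents of an unpacked extension, not a real package.
SAMPLE_EXTENSION = {
    "package.json": '{"name": "demo-ext", "version": "0.0.1"}\n',
    "out/extension.js": (
        'const API_KEY = "q8Zl2mVx0pRt7eKwJ1nYb4Sd6hFg9cA3";\n'   # random-looking: flagged
        'const awsId = "AKIAQ3T7ZP2MK9XD4L8W";\n'                 # AWS key shape: flagged
        'const token = "changeme-changeme-changeme";\n'           # low entropy: ignored
    ),
    "README.md": "Configure with aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",  # allowlisted
    "test/fixtures/ci.yml": (
        "env:\n"
        "  GH_TOKEN: ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8\n"   # fixture still scanned
    ),
    "test/fixtures/key.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA\n",
}


if __name__ == "__main__":
    for f in scan_extension(SAMPLE_EXTENSION):
        print(f"{f.path}:{f.line} {f.kind} {f.value[:8]}...")
```

Two choices matter more than the regexes. Test fixtures and docs are scanned like everything else, because real keys checked in "for the tests" are exactly what ends up in a published bundle; the cost is an allowlist of documented placeholders to keep the obvious false positives out. The entropy check catches credentials with no recognizable prefix, but it fires on any random-looking string of 20+ characters (hashes, minified identifiers), so at marketplace scale every hit still needs a validation step against the issuing service before it is treated as a live secret.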