Red Teaming from outside: Identifying and exploiting SaaS systems for access
Rojan Rijal
BSidesSF 2026 · Day 2 · AMC Theatre 09
In this insightful talk, Rojan Rijal of Orphan Security delves into novel methods for **red teaming** organizations from an external perspective, specifically by identifying and exploiting common **SaaS systems**. The core premise challenges the conventional defensive posture of **email security vendors**: their intended function, preventing **phishing attacks**, is turned on its head so that they instead facilitate phishing and yield internal access. Rijal demonstrates how misconfigurations or inherent design patterns in these systems, coupled with a deep understanding of email flow and SaaS identity verification mechanisms, can be weaponized by attackers to bypass security controls and infiltrate internal organizational resources.
AI review
Rijal brings genuine original research with real-world validation against a named target (Netflix, with permission) and a live-ish demo. The attack chains are non-obvious, operationally useful, and expose a class of SaaS trust-boundary problems that most defenders haven't internalized. A BSides SF-level audience will walk out with concrete things to go fix on Monday.