fwd:cloudsec Europe 2025

September 15-16, 2025 · Berlin, Germany · 26 talks

Non-profit cloud security conference featuring attack and defense research across major cloud platforms.

→ See editor’s top picks at fwd:cloudsec Europe 2025

• Introduction — Karim El-Melhaoui

  Karim El-Melhaoui, conference lead for **fwd:cloudsec**, opened the second edition of fwd:cloudsec Europe with a welcome address covering the conference's mission, logistics, and the broader context…

• Confidence Predicts Accuracy and Other Lies About Cloud Security — Kat Traxler

  Kat Traxler, a Principal Security Researcher at **Vectra AI** with a background in offensive cloud research across Google Cloud and AWS, delivered a provocative keynote arguing that the cloud…

• Cloud Abuse at Scale: How Cybercriminals Exploit Free Tiers for Profit — Miguel

  Miguel Hernandez, a Senior Threat Research Engineer at **Sysdig** with over a decade in security research, presented findings from an 18-month investigation into a sprawling underground ecosystem…

• Azure Arc: From a Heartbeat to Heart Attack — Sharan Patil

  Sharan Patil, a security consultant at **Reversec** (formerly F-Secure, formerly MWR), presented original exploit research demonstrating how an attacker with local access to an **Azure…

• A Candid Perspective on the Cloud Threat Landscape: What’s Real, What’s Not, and What Should Change — Curtis Hanson

  Curtis Hanson, Managing Partner at **Invictus Incident Response** and a threat intelligence professional with over 10 years of experience, presented a first-of-its-kind **cloud-specific threat…

• Connecting the Cloud-Dots: Constructing a Knowledge Layer from Autonomous Attack Simulation — Itay Gabbay

  Itay Gabbay, CTO and co-founder of **Brava Security**, introduced **CloudDots**, an open-source research system that uses AI-driven autonomous agents to simulate cloud attacks across AWS, Azure, and…

• Continuous Integration / Continuous Deception: Trying my luck as a malicious maintainer — Benedikt Haußner

  Benedikt Haußner, an internal red teamer based in Germany specializing in cloud and CI/CD security, presented a year's worth of research into how a **malicious open-source maintainer** can poison…

• From One to Hundreds: Reflections on a Decade of Building the Trenches — Joel Thompson

  Joel Thompson, co-founder of fwd:cloudsec, delivered a deeply practical retrospective on scaling an AWS footprint from a single test account to hundreds of production accounts over the course of a…

• SyncJacked - Hijacking Identities Through Entra Connect Synchronization — Tomer Nahum

  Tomer Nahum, a security researcher at Semperis, presented two identity takeover vulnerabilities in **Microsoft Entra Connect** — the synchronization engine that bridges on-premises Active Directory…

• Dealing with Storage Data Logs in the Cloud: A Hidden Challenge — Maayan Bentor, Zoe Rabi

  Maayan Bentor and Zoe Rabi, cloud security researchers at Wiz, delivered a comprehensive cross-cloud analysis of storage data logging — the high-volume, often-neglected logs that are essential for…

• Permission Impossible: Hidden Dangers of Azure RBAC and API Vulnerabilities — Ariel Simon

  Ariel Simon, a security researcher at Token Security, presented a two-part discovery in Azure's permission model that chains overprivileged built-in roles with an API vulnerability to achieve a…

• Ransomware protection with immutable AWS Backup - it's complicated ... — Paul Schwarzenberger, Kurtis Mash

  Paul Schwarzenberger and Kurtis Mash presented the National Archives UK's journey to implement a centralized, immutable **AWS Backup** solution to protect their digital archives — which include…

• The Cloud is a Spider Web: But with Broken Threads — Nitesh Surana, Nelson William Gamazo Sanchez

  Nitesh Surana and Nelson William Gamazo Sanchez, cloud threat researchers at Trend Micro, presented a sweeping investigation into two classes of cloud security vulnerabilities: **overly permissive…

• Console Hero to IAM Zero: Learn from Temporal's Just-In-Time Journey — Brandon Sherman 👾

  Brandon Sherman of Temporal Technologies delivered a practitioner-focused talk on eliminating static credentials across AWS and GCP by implementing **just-in-time (JIT) access** as a core security…

• And I Would've Gotten Away With It, Too, If It Wasn't For You Meddling Researchers — Rami McCarthy

  Rami McCarthy, who leads the cloud risk research team at Wiz, pulled back the curtain on the process of **rapid response research** — how a security research organization investigates, coordinates…

• EU Compliancy Cloud Framework-ish Smackdown — Rich Mogull

  Rich Mogull — a 25-year security veteran and newly appointed chief analyst at the **Cloud Security Alliance (CSA)** — delivered a practitioner-oriented guide to navigating the chaotic landscape of…

• Mistrusted Advisor: When AWS Tooling Leaves Public S3 Buckets Undetected — Jason Kao

  Jason Kao, founder of Fog Security and veteran cloud security researcher, disclosed a set of vulnerabilities in **AWS Trusted Advisor's S3 security checks** that allowed publicly accessible S3…

• Pods Without Borders: Lateral Movement in Azure Kubernetes Service — Nishaanth Guna

  Nishaanth Guna, a senior security consultant at **MDSec**, presented a series of real-world attack scenarios drawn from assumed-breach assessments against large-scale **Azure Kubernetes Service…

• Lurking in the (documentation) shadows: Why We Built the AWS Security Changes Project — Liad Eliyahu

  Liad Eliyahu, head of research at **Miggo Security**, presented the story behind the **AWS Security Changes** project — an automated system that monitors all AWS documentation for security-relevant…

• Source IP Spoofing in Cloud Logs: A Hands-On Look Across AWS, Azure, and GCP — Eliav Livneh

  Eliav Livneh, a security researcher at Token Security, presented a deep technical exploration of a **defense evasion technique** that allows attackers to spoof the source IP address recorded in…

• STRIFEBOT: Attacking and Defending Snowflake Data-lakes — James Henderson

  James Henderson from Reverse Sec delivered a comprehensive purple teaming framework for **Snowflake** data lake environments, covering the full attack lifecycle from initial access through…

• Sweet Deception: Mastering AWS Honey Tokens to Detect and Outsmart Attackers — Nick Frichette

  Nick Frichette, a security researcher at Datadog, delivered a technically deep examination of **AWS access key honey tokens** — their implementation mechanisms, detection capabilities, known…

• Security by Design: Lessons from Oracle Cloud Infrastructure — Ariel Septon

  Ariel Septon, a software engineer leading Oracle efforts at Native (formerly Rock Steady) and researcher at Stream Security, presented a comparative analysis of **Oracle Cloud Infrastructure (OCI)**…

• The File That Contained the Keys Has Been Removed: An Analysis of Secret Leaks in Cloud Buckets and Responsible Disclosure Outcomes — SOUFIAN EL YADMANI

  Soufian El Yadmani, CEO of Dutch security startup Modat and PhD candidate at Leiden University, presented peer-reviewed academic research analyzing secret leaks in publicly exposed cloud storage…

• Hello? Whose service account keys are these? — Lee Livsey

  Lee Livsey, a security consultant at Reverse Sec specializing in GCP assessments, presented a focused examination of **long-lived service account keys** in Google Cloud Platform and why they…

• Closing — Sochima Okoye

  Sochima Okoye, a member of the fwd:cloudsec Europe organizing committee and security consultant in the UK, delivered the closing remarks for the second annual **fwd:cloudsec Europe** conference held…