NorthSec 2025
Canada's premier security conference. Two days of practitioner-focused offensive research, threat intelligence, and defensive tooling — from physical access attacks and EDR evasion to cryptographic vulnerabilities and APT tradecraft.
- A Pirate's Guide to Snake Oil and Security — HD Moore
HD Moore, creator of Metasploit and now principal at runZero, dissects the vulnerability management industry with two decades of hard-won credibility. He demonstrates that most commercial vuln…
- A Tabletop As Big As the World — Wendy Nather
Wendy Nather, one of the most experienced incident response practitioners in the field, uses the NorthSec 2025 closing keynote to argue that tabletop exercises are systematically underdesigned — too…
- Living Off the Pipeline: From Supply Chain 0-Days to Predicting the next XZ-like attacks — François Proulx
François Proulx, VP of Security Research at Montreal-based BoostSecurity, presents a systematic taxonomy of CI/CD attack vectors, a live walk-through of vulnerable GitHub Actions workflow patterns…
- Nice to meet you! That will be 20 million please — David Décary-Hétu
David Décary-Hétu, criminologist at the University of Montreal, presents the first large-scale qualitative analysis of ransomware negotiation transcripts: 195 conversations comprising roughly 6,300…
- Salesforce Snafus: Unveiling and Exploiting Security Misconfigurations Using Commonly Used Widgets — Jessa Riley Gegax
Jessa Riley Gegax, a penetration tester at a large US healthcare company, walks through a practical attack surface map of Salesforce's declarative development features — Flow Builder, page layouts…
- Exploring MSIX Threat Landscape — Teruki Yoshikawa, Syogo Hayashi
SOC analysts Teruki Yoshikawa and Syogo Hayashi of NTT Security Holdings examined how attackers are evolving beyond known MSIX-based malware delivery to exploit deeper Windows internals. The talk…
- UNO Reverse Card: Exposing C2 Operators Through Their Own Logs — Estelle Ruellan
Flare CTI analyst Estelle Ruellan presented a structured analysis of infostealer logs in which the infected devices belonged not to ordinary victims, but to the criminals operating the C2…
- Red Team Road Rage: Weaponizing Vulnerable Drivers to Blind EDR — Jake Mayhew
Jake Mayhew, Director of Offensive Operations at White Knight Labs, walked through the architecture of Windows kernel-mode EDR components and demonstrated how a red teamer can exploit vulnerable…
- One certificate to rule them all: the story of a Chinese-nexus botnet — Amaury-Jacques Garçon
Sekoia CTI analyst Amaury-Jacques Garçon presented a two-year investigation into a Chinese-nexus Operational Relay Box (ORB) network that grew to approximately 70,000 compromised devices. The…
- Weaponizing XSS: Cyberespionage tactics in webmail exploitation — Matthieu Faou
ESET Senior Malware Researcher Matthieu Faou presented two years of research into XSS exploitation in on-premises webmail applications — Roundcube, MDaemon, Zimbra, and Horde. The research…
- Social Engineering for Physical Pentesting Assignments — Dorota Kozlowska
Dorota Kozlowska walks through a complete social-engineering-driven physical penetration test, from OSINT reconnaissance to gaining covert access to a client's server room. She maps the four phases…
- Linux and IoT malware analysis with r2ai — Axelle Apvrille
Axelle Apvrille demonstrates how r2ai — a plugin connecting the Radare2 disassembler to large language models — can dramatically accelerate Linux and IoT malware analysis. Using live demos against a…
- From Security to Safety: Navigating the Ethics of AI as Red Teamers and Penetration Testers — Jeremy Miller
Jeremy Miller argues that security practitioners — particularly red teamers and penetration testers — are better equipped than they realize to take on AI safety work, despite that domain's grounding…
- Stolen Laptops - A brief overview of modern physical access attacks — Pierre-Nicolas Allard-Coutu
Pierre-Nicolas Allard-Coutu, senior penetration tester at Bell Canada's STIRT team, delivers a fast-paced, technically detailed breakdown of how modern laptops are compromised in physical access…
- Why preventing phishing is so difficult, and what we can do about it — Michael Joyce
Michael Joyce, Executive Director of the Human-Centric Cybersecurity Partnership (HC2P) and a PhD researcher at the Université de Montréal, presents findings from one of Canada's largest independent…
- Noise Pollution is Damaging Your SOC: Prevent IoCs From Turning Into Indication of Cacophony — Joey D
Joey D, team lead of a detection engineering team at the Canadian Centre for Cyber Security (CCCS), argues that alert fatigue in Security Operations Centres is not just a tooling problem — it is a…
- When the threat actor lives under your roof: Fighting Technological Violence in Domestic Abuse Cases — CatherineDG
Catherine Duborg-Agnon, co-founder of the association Cybercitoyen, presents a sobering intersection of cybersecurity and intimate partner violence (IPV). Drawing on real case work, she documents…
- Oops, I Hacked It Again: Tales and disclosures — Ignacio Navarro
Ignacio Navarro, an application security engineer from Argentina, walks through a series of real-world vulnerability discoveries across a supermarket chain, a ticketing platform, a loyalty card…
- Vulnerability Haruspicy: Using Woo To Confirm Your Biases — Tod Beardsley
Tod Beardsley of runZero dissects the three dominant vulnerability scoring systems — CVSS, EPSS, and SSVC — with the same sceptical rigor he would apply to reading sheep livers. His central…
- Exploring Azure Logic Apps and Turning Misconfigurations into Attack Opportunities — Chirag Savla, Raunak Parmar
Chirag Savla and Raunak Parmar of White Knight Labs methodically map the attack surface of Azure Logic Apps — Microsoft's low-code workflow automation service — demonstrating how Logic App…
- Enhancing Identity Credential Privacy with Zero-Knowledge Proofs — Christian Paquin
Mobile driver's licenses and digital identity credentials are rolling out across North America, but existing standards like SD-JWT and mDL still leave a critical gap: every credential presentation…
- Exploiting the not so misuse-resistant AES-GCM API of OpenSSL — Félix Charette
AES-GCM is theoretically sound, but OpenSSL's bindings for Ruby and PHP contain a well-documented — yet widely overlooked — flaw: neither language's standard decrypt function validates that the…
- How not to do ML: Showing the Negative Impact of Improper CVE Feature Selection in a Live Exploit Prediction Model — François Labrèche
A machine learning model that scores 93% accuracy and 83% recall on historical CVE data can drop to 2% recall the moment it goes live. François Labrèche of Sophos describes exactly how that happened…
- Uplevel your security program with AI — Aditi Bhatnagar
Security teams are chronically understaffed, buried in manual triage work, and struggling to communicate across organizational lines. Aditi Bhatnagar, a product security veteran who has led security…
- Persōna Theory: Infiltration and Deception of Emerging Threat Groups — Tammy Harper
Threat intelligence teams that want to infiltrate emerging ransomware and cybercrime groups need more than technical skill — they need operationally coherent digital personas built on a systematic…