2026 Schedule
Below is the preliminary schedule for BSides Vilnius 2026 on June 4th at Kablys. The schedule is subject to change. Hands-on workshops run the day before, on June 3rd.
Timeline
09:00 - 10:00 Doors Open
Registration and welcome. Doors open for attendees.
10:00 - 10:10 Intro + Greeting From a Very Special Virtual Guest + Sponsors
Opening remarks, a greeting from a very special virtual guest, and a shout-out to our sponsors.
10:10 - 10:50 Keynote: High Volume AI Security Reports - By Daniel Stenberg
🎙 The talk
Back in the Artisanal era it took significant amounts of skill, time and effort to find security problems in software. With the rise of powerful AI tools used for this purpose, we have transitioned through a period with aggressive hallucinations into a time of high-volume, high-quality security reports flooding all Open Source projects. A vulnapocalypse.
Based on his experiences in the curl project, one of the world's most widely used software components, Daniel describes the current reality, backed by real-world numbers. This isn't a corporate pitch or a sanitized marketing deck. Just the cold truth, viewed from one Open Source developer's point of view. Daniel offers a candid look at the signal-to-noise crisis facing modern software developers.
No company mumbo-jumbo. No sales speak. Just the reality of Open Source security from a person living it.
👤 About the speaker
Daniel Stenberg is a Swedish Internet protocol expert and developer who has participated in and worked with Open Source for thirty years. He is perhaps best known for being the founder and lead developer of the curl project, one of the world's most widely used software components. He participates in protocol development within the IETF, has authored books on curl, Open Source, HTTP/2 and HTTP/3, and is a frequent public speaker. Daniel is the president of the European Open Source Academy and a three-time medal recipient for his Open Source work. He is employed by wolfSSL.
If you've ever felt like you're drowning in AI-generated noise, this is the reality check you've been waiting for. Don't miss it!
10:50 - 11:30 Cybersecurity Theatre at the NATO Summit 2023 - By Rūta Apeikytė
🎙 The talk
Preparing for a major event is like preparing for a theatre performance, where the team plans every detail - from coordination to rehearsals. Even with careful preparation, unexpected challenges can still arise. This was the case for NCSC Lithuania during the NATO Summit 2023. Although the team was ready for cyberattacks, they still faced an unanticipated threat - hybrid attacks. The NATO Summit 2023 case demonstrates how lessons learned today can strengthen our readiness for high‑stakes events in the future.
👤 About the speaker
Rūta Apeikytė is Head of Partnerships and Competence Development at the National Cyber Security Center, working at the intersection of strategic communication and cyber security. She has experience operating in challenging geopolitical contexts and was part of team efforts addressing hybrid incidents during the NATO Summit 2023. Rūta focuses on collaboration, learning, and strengthening practical cyber resilience through partnerships and shared expertise.
Join us to see what happens when the performance ends and reality takes over. See you there!
11:30 - 11:50 Coffee Break
Short break. Coffee, tea, snacks and water will be provided.
11:50 - 12:30 Don't Trip the Breaker: A Practitioner's Guide to Safe Power Grid Pentesting - By Blessen Thomas & Wojciech Poparda
🎙 The talk
Pentesting a power grid is a high-stakes game where "move fast and break things" is a recipe for disaster. This talk breaks down a pentest on a regional grid, providing a transparent look at a safety-first methodology that balances deep technical discovery with 100% operational uptime.
We'll dive into the architecture, starting with how to map environments using digital twins and mirrored test benches before a single packet is sent. The core of the session focuses on the data: leveraging passive traffic analysis and protocol-specific inspection to identify firmware flaws and clear-text command paths without ever touching a live PLC.
The narrative follows a lateral movement scenario, testing if guest or corporate Wi-Fi can pivot into the heart of the control network. We'll wrap up with a blueprint for conducting OT assessments that satisfy both security auditors and plant engineers—revealing the "crown jewels" of an ICS network without risking a blackout.
👤 About the speakers
Blessen Thomas is an Independent Security Researcher with more than 13 years of experience in Red Teaming, offensive security, and testing specialized environments like OT, IoT, mainframes and telecoms. He holds a wide array of certifications, including SANS GPEN, CRTO, and OSCP, and is recognized in multiple corporate Halls of Fame for responsible disclosure. He is an active open-source contributor to projects like the OWASP Mobile Testing Guide, and his research has been accepted at global conferences including Hack in the Box, CanSecWest, and numerous BSides events. He spends his leisure time playing drum kit and percussion.
Wojciech Poparda is a cybersecurity consultant who helps organizations proactively defend their digital infrastructure by thinking like an adversary. He specializes in building resilient security architectures that bridge complex attack vectors with enterprise defense, focusing closely on Cloud Security and Identity & Access Management (IAM). He holds elite credentials including OSCP, CRTE, and CISSP, and applies the same dedication to solving complex technical challenges as he does to competing in the IRONMAN European and World Championships.
Join us to learn how to audit critical infrastructure safely without risking a blackout. See you there!
12:30 - 13:10 Your Controls Look Great Until They Don't: Findings From Ukraine - By Gediminas Černiauskas
🎙 The talk
"Cyber war in Ukraine has provided the harshest possible test of defensive security controls. This is a practical session about what happens when your systems are attacked during a real conflict where power is unreliable, communication channels fail, and the attacker's goal is to break things in the physical world. When reality hits, all security theatre disappears."
👤 About the speaker
Gediminas spent years across Europe, the UK, and the Middle East helping organisations sort out real security issues, then came back to Lithuania to lead the cybersecurity team at PwC Baltics. His work sits at the intersection of strategy, delivery, and avoiding regulatory pain, covering everything from national cyber programmes to IAM and SOC uplifts. He cares about practical resilience and getting rid of security theatre so things keep running when the situation turns bad.
When things get real, the performance ends. Join us to learn how to build resilience that actually holds up when it matters most. See you there!
13:10 - 14:10 Lunch Break
Lunch break. Coffee, tea, snacks and water will be provided. No lunch will be provided. You can either order food delivery or go outside to get some lunch.
14:10 - 14:50 MCP Security Hot Potato - By Mateusz Olejarka
🎙 The talk
"Model Context Protocol seems to be the current hot potato in cybersecurity. Business wants it (AI mantra), developers want it (new toys + new code to be written) and security has to help make it secure, squeezing this into an already tight schedule.
Like any shiny new tool or piece of tech (remember early cloud?) MCP is developed in a feature-first-security-comes-later manner. MCP, as a new tech, seems to mix new types of vulnerabilities with old, well known ones.
As an early adopter you have to acknowledge that MCP and its current implementations will be flawed and be prepared. In this talk we deal with current issues that companies are facing with and around MCP and we will leave you armed with remediations.
The topics that will be covered:
▪️ MCP protocol introduction and security aspects, including authentication.
▪️ New types of vulnerabilities like prompt injections, tool poisoning, rug pull attacks, and cross server tool shadowing.
▪️ Classic vulnerabilities which may appear around MCP, based on recently discovered CVEs.
▪️ Remediations and existing tooling."
👤 About the speaker
Mateusz Olejarka is a Principal Security Consultant at SecuRing with over 10 years of experience in IT security. His main focus is web application security. He has delivered more than 90 application security trainings. He previously worked as a software developer, building software for the financial sector.
He has been a speaker at various conferences including Black Hat Asia, CONFidence, and Hacktivity. A casual bug bounty hunter, he is listed in the Halls of Fame of Adobe, Algolia, GM, Jet, Netflix, Tesla, Twitter, Uber, and Yahoo.
Come for the "AI mantra," stay for the actual security strategy. We look forward to seeing you all there!
14:50 - 15:45 Breaking the AI Cage: The Art of Manipulation and the Reality of Risk - By STÖK & JOOHOI
🎙 The talk
"Prompt injections are inevitable, but impact is optional. This fast-paced talk is all about practical exploitation and you will learn how to build rapport, manipulate LLMs, and bypass restrictions in AI-powered web applications. We will demonstrate how to chain vulnerabilities to steal and exfiltrate sensitive data using malicious rendering techniques through indirect prompt injections. Finally, we will break down the reality of AI risk and show you exactly how to build the guardrails needed to stop these attacks dead in their tracks.
The most critical vulnerabilities aren't fundamentally flaws in the models themselves, but in the application layer, caused by insecure tool calls and improper data retrieval. Attendees will leave with a clear understanding of why treating LLM Input/Output (I/O) as untrusted data is critical, alongside how to implement the necessary sanitization and guardrails at the edges of the "AI Cage" to secure their applications."
👤 About the speakers
JOOHOI is a seasoned hacker with over two decades of experience bridging the gap between software development and information security. He is highly regarded for his significant contributions to the open-source community, most notably for his work on essential industry tools like ffuf, acme-dns, and certbot. By day, he leads the charge in securing hundreds of global applications as the Head of Security Testing at Visma.
STÖK is passionate about learning new things and sharing his curiosity with the world. Over the past three decades, he has professionally "hacked" everything from computers and web technology to marketing strategies, sustainable fashion, and even the human mind.
Known for his signature "Good Vibes Only" mentality, STÖK has a unique ability to ask the right questions and break down technically complex subjects in a highly entertaining way. Combined with his passion for novel security research and a keen eye for design, his relentless curiosity has inspired millions of people around the globe.
Grab a seat and make sure your chatbot doesn't start taking career advice from a rogue prompt injection. See you there!
15:45 - 16:05 Coffee Break
Short break. Coffee, tea, snacks and water will be provided.
16:05 - 16:45 The Gift That Keeps on Giving: Exploiting Git Integrations in Cloud Services - By Tomas Lažauninkas
🎙 The talk
"Git is embedded in many cloud services: source code management, CI/CD, deployment pipelines, cloud IDEs. These services run git operations on user-controlled repositories, but git assumes the local repo is trusted. Bugs live in that gap.
This talk discloses four vulnerabilities responsibly reported to Google Cloud Platform, all found by targeting git integrations. One of them, CVE-2025-9118, scored a perfect CVSS 10.0 and allowed full cross-tenant compromise. This finding contributed to winning the Most Valuable Hacker award at Google's bugSWAT 0x0g event. The bugs range from command injection and argument injection in git integrations to config injection and a multi-step chain abusing NPM package installation to escape the repository's filesystem boundary.
The talk also covers git as an exploitation primitive: turning a limited file write into RCE through git config and hooks, bare repositories buried in subdirectories that execute code silently, and the differences between git CLI-based and library-based implementations that create exploitable gaps. It looks at common ways cloud services integrate git and what makes each of them a target worth looking at.
Anyone doing bug bounty on cloud platforms or pentesting internal tools that integrate git should find this useful. The talk walks through a methodology for auditing git integrations: where to look, what exploitation primitives to hunt for, and how to chain multiple issues into high-impact bugs."
👤 About the speaker
Tomas is a senior offensive security professional who got into this career because breaking things is more fun than building them. Between pentests and appsec assessments, he's led red team operations, found cross-tenant vulnerabilities in Google Cloud, and collected a few certifications along the way to make it look official. Currently, he's hunting bugs for a living - and now he's worried AI will find them all before he does.
Come see why breaking things is always more fun than building them. We'll see you at the talk!
16:45 - 17:25 LLM-Assisted Vulnerability Hunting: Hype vs. Reality - By Jaroslav Lobačevski
🎙 The talk
We are observing a significant spike in vulnerability data being generated recently. Open-Source maintainers are overwhelmed; security teams are busy triaging reports; CVE numbering authorities can barely keep up. LLMs are making waves, but is it just AI slop - security theatre with a neural network - or are we finding real bugs? Join Jaroslav Lobačevski to hear about the practical experience of using LLM agents for finding, triaging and reporting vulnerabilities in open-source software such as Signal or 7-Zip.
👤 About the speaker
Jaroslav Lobačevski is a Security Researcher at GitHub Security Lab, working on the mission to make the Open-Source software we all rely on more secure. He is a recognized expert in GitHub Actions security and has a long track record of finding vulnerabilities in open-source software.
Come see why automating the hunt for vulnerabilities is a lot more complicated than the marketing decks claim. See you in the front row!
17:25 - 17:45 Outro, CTF Awards & Wrap-Up
Closing remarks, CTF awards, and event wrap-up.
17:45 - ??:?? Afterparty
Stick around for the official afterparty at the venue. The bar will be open, and this is a great opportunity to network with speakers, sponsors, and fellow attendees.
Speakers
High Volume AI Security Reports
Daniel Stenberg · Keynote
Cybersecurity Theatre at the NATO Summit 2023
Rūta Apeikytė
Don't Trip the Breaker: A Practitioner's Guide to Safe Power Grid Pentesting
Blessen Thomas & Wojciech Poparda
Your Controls Look Great Until They Don't: Findings From Ukraine
Gediminas Černiauskas
MCP Security Hot Potato
Mateusz Olejarka
Breaking the AI Cage: The Art of Manipulation and the Reality of Risk
STÖK & JOOHOI
The Gift That Keeps on Giving: Exploiting Git Integrations in Cloud Services
Tomas Lažauninkas
LLM-Assisted Vulnerability Hunting: Hype vs. Reality
Jaroslav Lobačevski