Editor's Picks

Best Talks at BSidesSF 2025 — Here Be Dragons

Hand-picked from in-depth reviewer verdicts — the top 12 talks from this conference. Skip the noise, find the signal.


  1.

    Into The Dragon's Den

    Jacob Salassi, Michele Freschi

    After years leading product security at a major SaaS database company during its China expansion, Jacob Salassi and Michele Freschi share the hard-won mental models they developed for operating in a strategically hostile environment. The core insight: entering China means…

    Reviews: Dr. Zero, MUST SEE ★★★★★; Heather Calloway, MUST SEE ★★★★★

  2.

    Data Splicing Attacks: Breaking Enterprise Data Loss Prevention

    Vivek Ramachandran, Audrey Adeline

    Researchers from Square X introduced a new class of attack they call "data splicing" — five distinct techniques that systematically bypass both endpoint DLP and SASE/SSE proxy DLP solutions by exploiting fundamental architectural limitations. The techniques — including…

    Reviews: Dr. Zero, MUST SEE ★★★★★; Heather Calloway, MUST SEE ★★★★★

  3.

    0.0.0.0 Day: Exploiting Localhost APIs From The Browser

    Gal Elbaz

    The IP address `0.0.0.0` is an 18-year-old bug hiding in plain sight — a single address that bypasses every browser-based private network protection ever built. Gal Elbaz, co-founder and CTO of Oligo Security, reveals how this quirk enabled a real, year-long attack campaign…

    Reviews: Dr. Zero, MUST SEE ★★★★★; Heather Calloway, MUST SEE ★★★★★

  4.

    Using AI to Discover Silently Patched Vulnerabilities in Open Source

    Mackenzie Jackson

    Mackenzie Jackson of Aikido Security described research that used LLMs to monitor open-source changelogs at scale, discovering 550 undisclosed vulnerabilities in 2024 — 67% of which never received a CVE. The same AI-powered approach has since been extended to malware detection…

    Reviews: Dr. Zero, MUST SEE ★★★★★; Heather Calloway, MUST SEE ★★★★★

  5.

    AI's Bitter Lesson for SOCs: Let Machines Be Machines

    Jackie Bow, Peter Sanford

    The detection and response team at Anthropic built an AI-assisted investigation platform called Clue in roughly three months using Claude as both a co-engineer and runtime investigator, without any fine-tuning or specialized ML training. Drawing on the AI research concept of…

    Reviews: Dr. Zero, MUST SEE ★★★★★; Heather Calloway, MUST SEE ★★★★★

  6.

    Slaying the Dragons: A Security Professional's Guide to Burnout and Resilience

    Kirill Boychenko

    Modern software applications are 70–90% open-source by composition, making package ecosystems an irresistible attack surface. Kirill Boychenko, senior threat intelligence analyst at Socket, walked through real malicious campaigns targeting npm, PyPI, Go, Java/Maven, and…

    Reviews: Dr. Zero, STRONG ACCEPT ★★★★☆; Heather Calloway, MUST SEE ★★★★★

  7.

    Blank Space: Filling the Gaps in Atomic and Composite Detection

    Merav Bar, Gili Tikochinski

    Threat intelligence for cloud environments is systematically incomplete — the industry reports IPs, hashes, and domains while leaving cloud-specific indicators of compromise undocumented and unshared. Wiz researchers Merav Bar and Gili Tikochinski make the case for a new…

    Reviews: Dr. Zero, MUST SEE ★★★★★; Heather Calloway, STRONG ACCEPT ★★★★☆

  8.

    There and Back Again: Discovering OT Devices Across Protocol Gateways

    Rob King

    Operational technology (OT) devices — the PLCs, SCADA systems, and field devices controlling physical infrastructure — are increasingly reachable over IP networks, often with no authentication whatsoever. Security researcher Rob King walks through exactly how to discover these…

    Reviews: Dr. Zero, STRONG ACCEPT ★★★★☆; Heather Calloway, MUST SEE ★★★★★

  9.

    Can Cyber Mercenaries and Human Rights Defenders Coexist?

    Bill Marczak, Cooper Quintin, Eva Galperin

    The panel's opening answer — "no" — barely scratched the surface of a decade-long arms race between spyware vendors and the researchers chasing them. Cooper Quintin (EFF), Bill Marczak (Citizen Lab), and Eva Galperin (EFF) laid out why the commercial spyware industry is…

    Reviews: Dr. Zero, STRONG ACCEPT ★★★★☆; Heather Calloway, MUST SEE ★★★★★

  10.

    The Growing Crisis in CVE Data Quality

    Jerry Gamblin

    The CVE program is the backbone of global vulnerability management — but its data quality is deteriorating under the weight of exploding volume, underfunded enrichment, and minimal publishing requirements that allow nearly useless records to enter the system legally. Jerry…

    Reviews: Dr. Zero, STRONG ACCEPT ★★★★☆; Heather Calloway, MUST SEE ★★★★★

  11.

    Inside the Information Stealer Ecosystem: From Compromise to Cash-Out

    Olivier Bilodeau

    Information stealer malware — a category that requires no admin rights, leaves no persistence, and can exfiltrate an entire computer's credentials in one shot — has become the backbone of the modern cybercrime economy. Olivier Bilodeau, drawing on a dataset of over 120 million…

    Reviews: Dr. Zero, STRONG ACCEPT ★★★★☆; Heather Calloway, MUST SEE ★★★★★

  12.

    The Product Security Imperative: Lessons from CISA

    Jack Cable

    Jack Cable, who spent two years at CISA leading the Secure by Design initiative before delivering this talk, made the case that the software industry is still building products riddled with decades-old, preventable vulnerability classes — and that addressing them requires…

    Reviews: Dr. Zero, STRONG ACCEPT ★★★★☆; Heather Calloway, MUST SEE ★★★★★