Programme 2025
Johann Haag | Chief Executive Officer (CEO), St. Pölten UAS
Simon Tjoa | Head of Department of Computer Science and Security, St. Pölten UAS
ObstdG Franz Sitzwohl | Austrian Armed Forces
*** Live stream via YouTube ***
Antonis Atlasis | Head of Systems Security Engineering Section, European Space Agency
While the importance of space missions for humanity increases, cyberspace threats are brought to outer space, and the new technologies being introduced bring not only new opportunities but also new threats. This talk will offer insight into what is changing in outer space missions, what the implications are for their security, the solutions required, and topics needing further research.
*** Live stream via YouTube ***
Siegfried Hollerer, Simon Rommer, Felix Eberstaller | BMI
*** Live stream via YouTube ***
Felix Eberstaller, Bernhard Rader | Limes Security
The digital transformation of agriculture has led to a change in technology. This includes modernized farming equipment with smart capabilities and the development and widespread adoption of retrofit automation systems for legacy farming equipment to extend the lifespan and use existing legacy resources, similar to security efforts for legacy systems in OT.
This research presents a security analysis of the FJ Dynamics Steering Kit, a leading aftermarket solution for autonomous tractor capabilities, which is sold under different labels in Asia, Europe and the United States. Our investigation revealed critical vulnerabilities enabling unauthorized global tracking of tractors, system manipulation, and potential safety compromises, highlighting significant risks to agricultural operations and public safety.
*** Live stream via YouTube ***
Philipp Kreimel-Haindl | OMV Exploration & Production GmbH
Operational Technology (OT) environments often pose significant challenges when it comes to logging and monitoring. Legacy systems, vendor lock-ins, non-standardized log formats, and forbidden agent installations are just a few of the issues practitioners face when setting up a centralized SIEM. In this talk, we’ll explore the full spectrum of OT log sources – the good (well-structured, accessible logs), the bad (limited, poorly documented outputs), and the ugly (proprietary binaries, CSVs). Based on hands-on experience integrating diverse sources into a SIEM solution, this session will highlight practical strategies, creative workarounds, and key lessons learned. Whether you're just starting your OT monitoring journey or knee-deep in legacy complexity, this talk will help you gain visibility without losing your sanity – or your systems.
*** Live stream via YouTube ***
Herbert Dirnberger | IKARUS Security Software GmbH
*** Live stream via YouTube ***
Thomas Weber | CyberDanube
In this talk, we provide an in-depth look into the internal workings of a commercially available drone. Using our in-house platform MEDUSA ("Scalable Firmware Runtime"), we emulated and analyzed the drone's control system. In the process, both the hardware architecture and critical security vulnerabilities were uncovered. The presentation offers a practical demonstration of how emulation can enable effective security analysis of complex systems like drones. We will showcase real-world attack scenarios, such as manipulating the Wi-Fi communication or taking over the controller. This session is intended for anyone interested in embedded security, (I)IoT forensics, and innovative analysis techniques - from penetration testers to researchers.
*** Live stream via YouTube ***
Ilyas Demirtas, Kai Starik | Deloitte Consulting GmbH
*** Live stream via YouTube ***
Harald Gattermeyer | anapur AG
*** Live stream via YouTube ***
Daniel Haslinger & Christoph Lang-Muhr | UAS St. Pölten
*** Live stream via YouTube ***
Severin Winkler, Benjamin Petermaier | KPMG Security Services GmbH
Benjamin Floriani, Patrick Pongratz | SecCore GmbH
As security controls mature, traditional initial access techniques like macros and simple credential phishing are losing their effectiveness. To accurately simulate modern adversaries, red teams must evolve beyond the expected. This presentation dives into lesser-known and highly effective initial access vectors that bypass common defenses by exploiting overlooked file formats and user trust.
The core of this talk is a deep-dive into an attack chain starting with SVG images. We will demonstrate how a seemingly harmless and widely used image file can be weaponized to create a dynamic phishing lure capable of harvesting credentials and, crucially, bypassing multi-factor authentication in Microsoft Entra ID.
Johannes Bär | Condignum, Andre Waldhoff
Florian Hehenberger, Akashpreet Wedech | PwC Austria
Niels Pfau | Mantodea Security GmbH
Florian Skopik, Benjamin Akhras, Peter Leitmann, Lukas Linauer | AIT Austrian Institute of Technology
Manuel Reinsperger | TU Wien - Interactive Programming & Analysis Lab
Matthias Kesenheimer | SySS GmbH
Modern system-on-chip (SoC) designs often boast advanced protections such as fault detectors to guard against fault injection attacks. But what happens when these defenses come up against a determined hacker? This talk dives into the world of fault injection, focusing on voltage glitching and electromagnetic fault injection (EMFI) - two powerful techniques for defeating hardware security.
The talk will introduce the Pico Glitcher, an easy-to-use voltage glitching tool controlled by findus, a custom Python library. Attendees will learn how this tool makes glitching accessible with minimal effort and cost. Through a live demonstration, the speaker will show the Pico Glitcher in action, highlighting how easy it is to perform voltage glitching attacks.
The talk will culminate with an attack against a newly released SoC, which has a built-in glitch detector. Despite this protection, the speaker successfully bypassed the glitch detection mechanism using an EMFI attack. This demonstration proves that even hardware with advanced defenses is not immune to sophisticated glitch injection techniques.
*** Live stream via YouTube ***
Alexander Aigner, Stephan Hutterer | CyberUp GmbH
*** Due to legal reasons, this lecture will not be streamed via YouTube. ***
Georg Ungerböck, Stephan Bauer | ARCANIX OG
*** Live stream via YouTube ***
Rainer Poisel, Stefan Riegler | honeytreeLabs Cooperation
*** Live stream via YouTube ***
Daniel Dorfmeister | Software Competence Center Hagenberg GmbH
Industrial-scale reverse engineering poses a significant threat to manufacturers of modern industrial systems, where replicating complex software is often faster and more cost-effective than developing it from scratch. We thus develop innovative protection mechanisms to safeguard the intellectual property embedded in software and AI models. Our approach binds correct program execution to unique and unclonable hardware properties, making unauthorized replication and reverse engineering significantly more difficult and resource intensive. Unlike traditional protections, our methods do not require specialized security hardware and thus work with legacy systems.
*** Due to legal reasons, this lecture will not be streamed via YouTube. ***
Jakob Heigl-Auer | insitu Software GmbH
*** Live stream via YouTube ***
Florian Plainer, André Meindorfer | Segmentation Vault St. Pölten
*** Due to legal reasons, this lecture will not be streamed via YouTube. ***
Bina Ramamurthy
Naghmeh Moradpoor | Edinburgh Napier University
As Connected Autonomous Vehicles (CAVs) become more common on public roads, ensuring the trustworthiness and verifiability of their real-time decisions, especially during coordination scenarios, has emerged as a critical and underexplored challenge.
While federated learning has improved the privacy of model training, it remains unclear how to verify what vehicles do with those models during real-world operation. This talk introduces a novel framework that enables CAVs to reason locally over knowledge graphs and regulatory rules, make context-aware decisions in dynamic environments, and generate zero-knowledge proofs (ZKPs) to attest to the correctness of those decisions without exposing sensitive data.
We present a lightweight, edge-compatible reasoning engine and ZKP module that supports privacy-preserving coordination in critical use cases like intersection negotiation, convoy formation, and emergency rerouting. This work bridges technical gaps between secure learning, explainable AI, and auditable autonomy, paving the way for transparent, compliant, and trustworthy AV ecosystems.
Kristaps Felzenbergs | Vidzeme University of Applied Sciences
The EU NIS2 directive introduces stringent cybersecurity requirements for critical infrastructure, demanding continuous monitoring and rapid incident response capabilities that traditional manual compliance approaches cannot sustain. This presentation explores how organizations can leverage automation technologies to transform NIS2 compliance from a periodic checkbox exercise into a continuous, integrated security posture.
We'll examine practical implementation strategies using Security Orchestration, Automation and Response (SOAR) platforms, automated vulnerability management systems, and AI-driven threat detection to meet NIS2's technical requirements.
The session covers real-world case studies demonstrating automated incident reporting workflows, continuous risk assessment mechanisms, and supply chain monitoring solutions that ensure ongoing regulatory adherence.
Attendees will gain insights into scalable compliance architectures that reduce manual overhead while improving security outcomes, turning NIS2 obligations into competitive advantages through strategic automation implementation.
Constanze Roedig
We believe end users should not be responsible for writing security rules for third-party software. Rather, we show how vendors can distribute benign runtime-behavior rules along their supply chain using a “Bill of Behavior” (BoB) inside OCI artifacts.
A BoB is a profile of known syscalls, file access, network activity and capabilities generated using eBPF, and it allows anomaly detection. Thus, users can infer both malicious behavior and tampering without writing or maintaining custom runtime rules.
We detail which parts of the BoB specification translate across ecosystems, languages, stacks, and tools and why the process must be transparent for users. We will also discuss the current scope and ongoing evolution of BoB, laying out a strategic roadmap as it progresses towards a de-facto standard, thus complementing our security ecosystem of seccomp profiles, SBOMs and policy engines.
A public on-demand lab of the reference implementation using well-known cloud native tools will be supplied.
Markus Gierlinger | CAST AI
Adopting an attacker's mindset has shown clear benefits for security practitioners. Leveraging threat intelligence for threat hunting and detection engineering, doing attack path analysis or adversary emulation are prime examples.
All this is mostly enabled by experts analyzing adversary campaigns or security researchers uncovering new attack vectors and sharing that information.
Compared to other technologies the available adversarial tooling for K8s is fairly limited, which can pose a challenge when hardening these environments.
In this talk, we'll cover which approaches are generally available to security practitioners and how they can be used to level up the overall security of K8s environments.
Martin Schmiedecker, Markus Donko-Huber
In this talk we'll give an overview on how to effectively block online ads in 2025.
Not only since AI is allegedly taking over everything and Google changed the extension API for the most popular browser in the world to force-choke ads down its users' throats: many still don't realize that Google is first and foremost not a technology company but an online advertisement company.
We'll present how to block ads on a local machine, on an entire network, and for others.
Reinhard Kugler | SBA Research GmbH
Kernel Space, the final frontier.
These are the voyages of SBA Research and its mission: to explore strange new technologies, to boldly go where only a few have gone before - using eBPF.
The Cyberspace is vast and numerous threats are lurking in the dark. A new trend arises: abusing the Kernel to backdoor and assimilate sane Linux systems using the eBPF technology. The integration of eBPF in the Kernel allows attackers to change the behavior of the system. How can it be exploited and what can an attacker do with those capabilities? This talk explores the attacker's view on the eBPF technology and how to abuse it to their advantage. Set phasers to stun and learn about offensive techniques for defenders and analysts in SOCs.
Tomasz Haberny | German Telekom Security
On July 19th, 2024, a routine CrowdStrike update disrupted (security) operations globally, causing massive outages across all sectors.
As a Managed Security Service Provider (MSSP) responsible for managing a six-digit number of affected endpoints, we were on the front lines of the chaos.
In this talk, we’ll provide a behind-the-scenes look at modern Endpoint Detection and Response (EDR) systems, dissect CrowdStrike’s update mechanism, and analyze what went wrong that day. We’ll walk you through a detailed timeline of the incident from the perspective of an MSSP, share the challenges faced during remediation, highlight the pitfalls encountered, and discuss the tough lessons learned as well as key takeaways for MSSPs, vendors, and customers.
Arshia Reisi | KPMG Security Services GmbH
Modern cloud identity systems promise strong security but attackers know exactly where trust breaks down. This purple team–focused talk explores real-world techniques to bypass Conditional Access, defeat phishing-resistant MFA, and achieve stealthy remote code execution via Custom Script Extension abuse.
For every attack, we’ll cover the detection angles and practical defenses that matter. From covert sign-ins to silent API misuse, you'll see how these threats unfold and how to spot them before they escalate.
Mario Kahlhofer | Dynatrace Research
Techniques to deceive hackers are nothing new. You may be familiar with honeypots, which are used to lure and trick hackers. But are you also familiar with modern cyber deception techniques? This talk will explore how organizations of all sizes can deploy deception techniques within real production environments.
We will demonstrate traps for the application layer, such as fake “passwords.txt” files, or fake API routes like “/admin”, which are designed to attract and detect attackers. Drawing on empirical results from our Honeyquest study, we will invite the audience to interactively identify enticing cyber traps and learn what makes them effective.
We will also demonstrate Koney, our open-source tool that automates the deployment and monitoring of deception assets in Kubernetes using a policy-as-code strategy. Attendees will learn modern methods for tricking hackers and will leave equipped with the knowledge and tools to embed cyber deception into their own systems.
André Meindorfer | NVISO
Security Operations Centers (SOCs) are a cornerstone of modern cybersecurity; at least in theory. In practice, many SOCs fall into the same traps: adopting models and methods that seem promising on paper, but lead to inefficiency, frustration, or burnout when applied uncritically.
This talk takes a critical look at real-world anti-patterns in the SOC world: recurring design or operational choices that tend to fail despite good intentions. It challenges the idea that "more is always better" and questions the blind adoption of frameworks in contexts where they don't belong.
Whether you're planning to work in a SOC, build one, or just want to understand the difference between textbook and real world, this session will help you spot harmful habits before they cause real damage.
Sabine Kölly | EY Austria
Alexander Ressl, Stefan Pfeiffer | Accenture
This presentation critically examines the state of agentic AI by contrasting the ambitious visions of tech giants like Google, Microsoft, and ServiceNow with the practical realities of its current application. We will dissect the selling points of “a world of autonomous agents seamlessly managing our digital lives” and weigh them against the "real-life" challenges of implementation, reliability, and unforeseen consequences.
The session will explore the concerns, questioning the black-box nature of agent decision-making, and the implications of delegating complex tasks to machines. By analyzing what these companies are promising versus what their technology can currently deliver, this talk aims to continue last year’s discussion about the true trajectory of AI with the new agentic AI approach.
Susanne Schön | Materna
Thousand and One Suricata Alert: Scrolling and Clicking Through Over a Decade of Network Traffic
Following the presentations "1001 Scan" (2023) and "1001 Logline" (2024), this marks the third installment in our series showcasing the services offered by a Security Operations Center (SOC). Each part sheds light on the hidden corners of network infrastructure.
In recent years, we've observed a growing trend among our customers: Endpoint Detection and Response (EDR) is increasingly viewed as a viable alternative to traditional Network Traffic Monitoring for security purposes.
This presentation explores:
The evolution of network traffic over the past ten years
Shifts in the nature and frequency of network incidents
The development of tools used to monitor and analyze traffic
Finally, we address a key question: Is Network Traffic Analysis still a relevant and effective tool in the SOC toolkit today?