Opening words from the BSides Bristol directors.

When we talk about cyber security, we love our jargon, frameworks, and shiny dashboards. But behind every breach, bypass, and “click here” moment is a real person; your mum, your nan, your colleague… maybe even a sausage farmer trying to sell online without losing their life savings.

In this opening keynote, Jemma Davis takes a fast-paced, funny, and occasionally uncomfortable look at the people our security systems are meant to protect, and how those same systems can lock them out, drive workarounds, and quietly create the next big incident. Drawing on stories from her book Access Denied, she’ll show how human-centred security isn’t just nice to have, it’s the only kind that actually works.

You’ll leave with:
- A fresh perspective on why security fails when it forgets the humans
- Real-world examples that will make you laugh, wince, and rethink your own controls
- Practical ways to make security usable without dumbing it down

Come for the sausage farmers. Stay for the nans. Leave ready to build security people can actually use.

This talk exposes how a simple OPSEC mistake—a threat actor testing malware on his own production system—can unravel an entire cybercrime operation. By intercepting Telegram-based C2 communications, we’ll uncover the inner workings of infostealers, reveal infrastructure details, and discuss how these real-world insights can reshape threat intelligence and defensive strategies.

Curious about how industrial control systems (ICS) operate, and what happens when things go wrong? OT specialists will show you mini tabletop exercises, how to tackle ICS-themed CTF challenges, or see hardware in action.

InfoSec Battlebots

When Air Canada’s customer-service bot mis-quoted a non-existent bereavement fare, a tribunal forced the airline to refund the passenger’s ticket and pick up the costs. In a crypto “capture-the-coin” contest the Freysa trading agent, whose only rule was “never send money”, was persuaded into sending its entire 13 ETH balance to an attacker after 481 carefully crafted prompts. Political disinformation has caught up too: a deep-fake robocall that cloned President Biden’s voice urged New Hampshire voters to stay home, earning its creator a multi-million-dollar fine and pending criminal charges. LLMs are everywhere, and with that vast adoption, so too has the attack surface for their abuse expanded.

This village provides a space for participants to explore real world AI harms in scenarios hosted by the village, alongside developing and testing their skills against the village's LLM CTF. All participants need is an internet connected device (phone, tablet, laptop, etc) and they can engage with the scenarios and CTF.

Locking Picking Village

Learn how Machine Learning can be used to de-anonymise VPN and ToR traffic without decryption with a technique know as Website Fingerprinting Attacks.

Operational Technology (OT) underpins the critical infrastructures on which we rely everyday: those delivering water and power to our homes, driving manufacturing environments and safe, continued operation of transportation systems. OT includes specialist devices such as programmable logic controllers and remote terminal units, proprietary networking protocols and platforms that run SCADA and control systems. IT security professionals have ready access to open-source platforms such as Kali. But no such platform exists for OT. This talk will cover experience of architecting, building and releasing such an open-source platform for OT pentesting and security analysis. You will feel the chill of the Judderman's lair as we come face to face with legacy tools and challenges of incorporating them, hear tales of the horrors we encountered and how we escaped their dastardly clutches, and what we’d do differently knowing what we know now.

Tired of banging your head against the wall because users keep clicking dodgy links despite your brilliant phishing training? Fed up with SOC analysts burning out faster than you can hire them?
Yeah, I feel you. 95% of successful cyberattacks still involve human error despite us throwing billions at shiny security tech. But.. what if we've been solving the wrong problem this whole time?
This hands-on workshop offers a new framework for cybersecurity - techniques that treat humans as partners, not problems. Learn to map stakeholder emotions, redesign those cringe security moments that make everyone groan, and transform incident response from finger-pointing festivals into proper learning opportunities. Work through real exercises using your actual organizational challenges.
No vendor pitches. No expensive tools. Just human psychology applied to cybersecurity that actually works.

We reveal how to secure OT/IT aboard ships, the challenges involved and the lessons this holds for securing these systems in other environs.

This talk provides a concise overview of Radio Frequency Identification (RFID) technology and its vulnerabilities, focusing on the Chameleon Ultra, a powerful RFID emulation tool. Through a detailed explanation and live demonstration, we will explore how attackers can clone and write to RFID cards used in access control, simulating real-world security threats. Attendees will gain insights into RFID’s weaknesses and the critical need to protect emerging technologies from unauthorised exploitation.

You will have heard (I hope) about the UK Cyber Security Council and its remit to professionalise the cyber security industry, improving access to careers, standardising definitions and roles and helping align cyber security careers with those in established fields such as law and medicine. But do you care? What does it mean for those whose career path will be directly affected by the changes, and what does it mean for the organisations they work for, whether in support of Government, or in purely commercial settings?

This talk reveals a silent but critical misconfiguration in Microsoft Enterprise Enrollment that allows any authenticated user to export sensitive enterprise user data including emails, job roles, and contact info without elevated permissions. We'll uncover how this overlooked flaw can lead to data breaches and share best practices for securely configuring Azure to prevent similar risks.

Ever wonder how your phone keeps your data safe or how a smart card resists being hacked? The answer lies deep inside the tiny circuits that power our digital world. In this hands-on, beginner-friendly workshop, you'll step into the fascinating world of digital logic and secure design—the foundation of every secure device we use today.

What if your payload didn’t just appear legitimate — it was genuinely trusted, signed by a recognised third party, and allowed to execute without raising a single alarm?

In this talk, we expose how attackers can exploit the ClickOnce deployment framework to execute arbitrary code using legitimately signed binaries, backed by trusted third-party certificates. Through a stealthy sideloading technique, we preserve the integrity of the signature, bypass SmartScreen, application allowlisting, and endpoint defences, and gain initial access with a single user interaction — no privilege escalation required.

You’ll learn:

• How ClickOnce establishes trust based on digital signatures — and how that trust can be turned against defenders.
• How to leverage signed third-party binaries to deliver and run payloads without tampering.
• A live demonstration of this technique used to achieve code execution on a remote system.
• Detection strategies and controls that can help identify and mitigate this abuse.

If your security model assumes that signed equals safe, this talk will challenge that assumption. Whether you're red or blue, come see how third-party trust can become your biggest blind spot

This talk explores the importance of implementing robust access controls in GraphQL and REST APIs and the severe consequences when these controls are not properly enforced. GraphQL, a flexible data query language, allows clients to request exactly the data they need, but without proper access control mechanisms, sensitive data can be easily exposed. Using the Feeld mobile dating app as a case study, we will dive into a critical security review of how the lack of access controls in GraphQL and REST endpoints led to the exposure of users' personal data, including sensitive photos, videos and private messages. This session will highlight common access control vulnerabilities in GraphQL and REST implementations , real-world examples of security lapses, their impact and remediation.

Learn how Buffy's intuition and experience translate to real-world cyber defense, and why even The Chosen One needs a team. Because in cybersecurity, just like in Sunnydale, you're never fighting alone.

In recent years, interest in neurodiversity has grown, but awareness alone isn’t enough. It’s time to move beyond what and why, and focus on how. The future of cyber security depends on our ability to support brilliant, diverse minds and that means turning inclusion into action.

In high-stakes cyber environments, requests for reasonable adjustments are often misunderstood as risks. But failing to support neurodivergent professionals can lead to burnout, errors, and lost talent, issues that directly impact team performance and security outcomes. This talk explores how inclusive practice strengthens resilience and reduces organisational risk.

Learn to distinguish red flags from reasonable requests, and reframe adjustments as smart, strategic tools for building high-performing, future-ready cyber teams.

Closing words from the BSides Bristol directors.

Opening words from the BSides Bristol directors.

TBC

A short talk about how we can protect our children online in a fast paced digital world. How we should handle the risk and why do we not just avoid it. I’ll tell you what my research has taught me. Including the dark side of the internet for children and what we can do about it.

Curious about how industrial control systems (ICS) operate, and what happens when things go wrong? OT specialists from Immersive will be running hands-on activities and demonstrations exploring ICS environments' unique security challenges. Drop in to try a mini tabletop exercise, tackle ICS-themed CTF challenges, or see hardware in action.

InfoSec Battlebots

When Air Canada’s customer-service bot mis-quoted a non-existent bereavement fare, a tribunal forced the airline to refund the passenger’s ticket and pick up the costs. In a crypto “capture-the-coin” contest the Freysa trading agent, whose only rule was “never send money”, was persuaded into sending its entire 13 ETH balance to an attacker after 481 carefully crafted prompts. Political disinformation has caught up too: a deep-fake robocall that cloned President Biden’s voice urged New Hampshire voters to stay home, earning its creator a multi-million-dollar fine and pending criminal charges. LLMs are everywhere, and with that vast adoption, so too has the attack surface for their abuse expanded.

This village provides a space for participants to explore real world AI harms in scenarios hosted by the village, alongside developing and testing their skills against the village's LLM CTF. All participants need is an internet connected device (phone, tablet, laptop, etc) and they can engage with the scenarios and CTF.

Lock Picking Village

This talk explores how Attack Surface Management (ASM) helps security teams identify and mitigate risks by providing an outside-in view of what attackers see. Attendees will learn practical methods to stay ahead of threats in today's digital landscape.

Everyone interacts with the internet daily, yet not everyone is equipped with the knowledge to navigate technology safely. This talk will explore the current landscape of societal digital literacy and online safety, expose the invisible gaps, reframe cyber as a personal issue—not just a professional one—and spark a conversation about how we can build a cyber-savvy society that leaves no one behind.

A real compelling case study where an unknown ransomware actor's last-minute pivot revealed an entirely different threat group orchestrating the attack. This talk demonstrates how threat hunting analytics and infrastructure tracking techniques uncovered the deception, providing attendees with practical detection engineering methods and actionable insights for identifying threat actor misdirection in their own environments.

What if you didn’t need to go straight to hardware attacks to break embedded devices' protections? In this workshop, we will explore techniques that allow you to pull data out of microcontrollers with a £5 setup using software-based attacks

Most organisations still treat Cyber Incident Response as a reactive, technical activity - designed to contain chaos, not drive Cyber resilience. This session explores how to elevate Cyber Incident Response into a cross-functional, strategically aligned business capability.

Quantum Communication (or Quantum Key Distribution) is often called "unconditionally secure". But what if it wasn't? First we'll cover how QKD works, and then why it's not as secure as you might think. If you wanted to know how to hack quantum physics, this is your answer.

Our homes are increasingly interconnected, but without considering the supply chain of the "smart devices" we have in our homes (TBC)

The cybersecurity world moves fast but what happens when life asks you to pause? For many professionals, especially women, taking a career break can feel like stepping off a speeding train. In this talk, I’ll share my experience returning to cybersecurity after a break to support family and why technical ability wasn’t the hardest part. I’ll reveal the hidden hurdles that arise and why overhauling hiring and mentoring practices matters. Let’s revalue experience off the CV … and act like it.

In today’s threat landscape, cybersecurity leaders often face the impossible: defend against sophisticated attacks with limited resources. This immersive workshop challenges participants to step into that reality. Acting as teams within fictional companies, attendees must strategically allocate a constrained cybersecurity budget across tools, personnel, and risk management efforts.
As the session progresses, unexpected cyber incidents, ranging from phishing attempts and insider threats to ransomware attacks and compliance audits all disrupt their plans. Each team’s prior decisions shape how well they respond, forcing rapid judgment calls and real-time prioritization.
Blending strategy, collaboration, and gamified crisis management, this workshop offers a dynamic learning experience. Participants will walk away with a sharper understanding of the trade-offs in cybersecurity investment, the consequences of underfunding, and how business decisions directly affect an organization’s resilience to cyber threats.

In a world where children navigate digital platforms with more ease than caution, threat actors have evolved to exploit the blind spots in parenting, policy, and digital oversight. This talk bridges the technical and the human, showcasing how open-source intelligence (OSINT) techniques can uncover hidden criminal activity targeting youth, and how the very adults responsible for safeguarding children often lack awareness of these risks.

Drawing from real-world investigations, I will walk through how publicly available data - domain records, licensing registers, social media metadata, and more - can be leveraged to trace predators who hide in plain sight. We’ll explore a case study involving rebranded businesses tied to known offenders, and walk through the digital footprint analysis that led to their exposure.

In parallel, I’ll present original research surveying parental understanding of online chat behaviours and cybersecurity risks faced by teens. The findings reveal a significant disconnect between perceived and actual online safety - one that the security community is uniquely positioned to help address.

By combining deep-dive investigations with social context, this talk empowers attendees to expand their operational scope, apply OSINT for community protection, and challenge assumptions about where the real threats lie.

From discovering a low-severity vulnerability during a code review, to fingerprinting bug bounty programs that use the plugin, resulting in a critical vulnerability by going deep — creating impact with research and perseverance.

Should we be thinking about more than just cyber security? While cyber threats remain critical, the modern threat landscape is far broader with organisations facing multiple interconnected threats that go beyond the digital domain, including geopolitical risks, physical security threats and financial crime. Should we converge these disciplines into one Threat Intelligence function?

In 2018 at Bsides London, I presented The Basics of Social Engineering. That talk purposefully stayed away from psychology because I wanted to start with the absolute basics first.

6 years later, we're ready to level up your SE game with basic psychology.

The talk will cover:
Miller's Law
How to make an entrance
Body Language And Behaviour
Reciprocation
Friendship Signals
Isopraxism
A fun and engaging talk, with some funny war stories and real life examples from experience thrown in.

This talk examines how the crisis management principles of aviation "Aviate, Navigate, Communicate" can be effectively applied to cybersecurity. It highlights promoting a no-blame culture, empowering security culture across an organisation and preparing for unforeseen events, drawing on aviation’s century of safety advancements.

The proliferation of Internet of Things (IoT) devices necessitates advanced access control mechanisms that overcome the limitations of traditional static models. However, dynamic models employed suffer from subjectivity, high deployment burdens, frequently fail to consider comprehensive factors, or cold start issues. This research introduces a novel new ML framework that automates and initial risk assignment of new devices based on simulation. This research aimed to show whether ML can be used to automated, dynamic, and consistent initial risk assessments to make risk based access models (RBAC) more viable, with a focus on ITS systems.
A simulation platform was developed with Kathara, custom docker images and python. An evolutionary ML model was then used to assign initial risk factors which was leveraged by a generic fuzzy logic system to make predictions inside the simulation.
Results showed that whilst the ML model learnt the basic trends of the features that had a large influence on the reliability it struggled with the lower impact features due to the noisiness of the simulations. Further research is needed to both enhance simulation realism and for more robust and consistent performance.

Modern applications are powered by containers. It is important as security professionals to understand how container work and what are the possible attack vectors in containerised environment. In this talk we will talk briefly about internals and showcase case studies and real life attack examples involving containers.

Discover the critical impact of malware on Operational Technology (OT) systems through a live demonstration using a custom-built OT Cyber Security Demonstrator that mimics a nuclear power plant. Witness how a simple USB-delivered malware can compromise a Programmable Logic Controller (PLC), leading to hazardous situations and loss of control within the plant. This presentation will delve into the methods that threat actors are using to target OT systems, the severe consequences of poor cyber hygiene, and the essential security measures needed to protect these systems. Join us to gain valuable insights and practical strategies to enhance the security and resilience of your OT infrastructure. Don't miss this opportunity to stay ahead of the curve in OT cybersecurity!

There’s more to pentesting than exploits and screenshots. This talk dives into the other half of the job — writing reports that matter, delivering debriefs that get attention, and building the soft skills that turn findings into action. Whether you're a tester or a consultant, you’ll learn how to communicate with clients, structure reports for real-world impact, and become the kind of professional teams actually listen to. If you've ever wondered how to bridge the gap between payloads and people, this talk is for you.

Closing words from the BSides Bristol directors.