BEGIN:VCALENDAR
VERSION:2.0
X-WR-CALNAME:owaspglobalappsecusa2026
X-WR-CALDESC:Event Calendar
METHOD:PUBLISH
CALSCALE:GREGORIAN
PRODID:-//Sched.com OWASP Global AppSec USA 2026//EN
X-WR-TIMEZONE:UTC
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261102T161500Z
DTEND:20261103T010000Z
SUMMARY:Registration
DESCRIPTION:\n
CATEGORIES:
LOCATION:Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:63dba2f626c88ccda6fb6e4d998b1b12
URL:http://owaspglobalappsecusa2026.sched.com/event/63dba2f626c88ccda6fb6e4d998b1b12
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261102T161500Z
DTEND:20261102T170000Z
SUMMARY:Breakfast
DESCRIPTION:\n
CATEGORIES:MEALS PROVIDED BY OWASP
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:fabec666773209e736cd5119daa48367
URL:http://owaspglobalappsecusa2026.sched.com/event/fabec666773209e736cd5119daa48367
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261102T170000Z
DTEND:20261103T010000Z
SUMMARY:3 Day Training: Hacking Android\, iOS and IoT apps by Example - 2026 Edition
DESCRIPTION:3-Day Training: November 2-4\, 2026\nLevel: Intermediate\nTrainer: Abraham Aranguren\n\nTo register\, please purchase your training ticket here. Training and conference are two separate ticket purchases.\n\nModern Android and iOS apps rarely operate alone. They sit at the center of rich ecosystems: phones talking to toys\, drones\, wearables\, vehicles\, trackers\, “smart” homes—and\, in multiple countries\, even government‑mandated and police apps. In these environments\, attackers increasingly target the mobile app as the remote control for the device\, often without ever touching the physical hardware.\n\nThis 3‑day\, 100% hands‑on course is a deep dive into the OWASP Mobile Security Testing Guide (MSTG) and relevant items of the OWASP Mobile Application Security Verification Standard (MASVS). The 2026 Edition fully covers and goes beyond the OWASP Mobile Top Ten\, using real‑world Android\, iOS\, and IoT applications as targets.\n\n7ASecurity is an ISO 27001 and SOC 2–certified cybersecurity consultancy and OWASP Platinum Supporter that focuses on researcher‑led\, heavily manual penetration tests and secure code audits. Lessons learned from these engagements—performed for organizations such as the Linux Foundation\, Mozilla\, the Tor Project\, and others—feed directly into the course material\, labs\, and case studies.\n\nAcross three intensive days you will:\nBreak down Android and iOS apps with static and dynamic analysis.\nDiscover IoT vulnerabilities using only the apps and APIs\, no devices required.\nMaster practical instrumentation using Frida\, Objection\, Xposed\, and related tooling to bypass protections and deeply inspect runtime behavior.\n\nIdeal for penetration testers\, red teamers\, mobile developers\, and anyone serious about mobile/IoT security\, this course is all action\, no fluff. 
It is packed with exercises\, extra‑mile challenges\, and CTFs\, and includes continued education via lifetime access to a training portal with step‑by‑step video recordings\, updated labs\, and unlimited email support\, including all future updates for free.\n\nTeaser Video: https://www.youtube.com/watch?v=Re5oqfVkgd4\nGet a free taste of this training\, including access to video recordings\, slides\, and vulnerable apps to play with:\nhttps://7asecurity.com/free-workshop-mobile-practical\nhttps://7asecurity.com/free-workshop-mobile-deeplinks-xss
CATEGORIES:3-DAY TRAINING
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:bbd9d22abb33240afc6b13828ed06f22
URL:http://owaspglobalappsecusa2026.sched.com/event/bbd9d22abb33240afc6b13828ed06f22
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261102T170000Z
DTEND:20261103T010000Z
SUMMARY:3-Day Training: Adam Shostack's Threat Modeling Intensive With AI
DESCRIPTION:3-Day Training: November 2-4\, 2026\nLevel: Intermediate\nTrainer: Adam Shostack\n\nTo register\, please purchase your training ticket here. Training and conference are two separate ticket purchases.\n\nThis is our popular Threat Modeling Intensive course\, where you'll learn to Threat Model\, and then you'll revisit and learn to complement those skills with a variety of AI systems. You need to know how to threat model to evaluate what the AIs hallucinate\, and today you need AI (at least to get your AI-loving boss to leave you alone) and maybe even to help your organization scale.
CATEGORIES:3-DAY TRAINING
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:c76d46ee975d5e5989b0e58499495e77
URL:http://owaspglobalappsecusa2026.sched.com/event/c76d46ee975d5e5989b0e58499495e77
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261102T170000Z
DTEND:20261103T010000Z
SUMMARY:3-Day Training: AppSec and AI Security for Developers with Jim Manico
DESCRIPTION:\n3-Day Training: November 2-4\, 2026\nLevel: Beginner\nTrainer: Jim Manico\n\nTo register\, please purchase your training ticket here. Training and conference are two separate ticket purchases.\n\nDescription: This three-day security course is designed for software engineers and AppSec professionals who want to tailor their learning experience. Throughout the class\, you’ll select the topics that interest you most—ensuring that the content aligns with your individual needs and goals. We’ll honor every participant’s topic requests\, so you can dive deeper into the areas that matter most.\n\nStudents will choose from the following material:\n\nCore Modules\n00-00 Introduction to Application Security (1 hr): Goals and Threats in AppSec\n00-01 Input Validation Basics (1 hr): Allowlist Validation\, Safe Redirects\n00-02 HTTP Security Basics (1.5 hrs): Response/Request Headers\, Verbs\, Secure Transport Basics\n00-03 SOP and CORS (1 hr): Same-Origin Policy\, Cross-Origin Resource Sharing Security\n00-04 SQL and Other Injections (1.5 hrs): Parameterized Queries\, Secure Database Configurations\, Command Injection\n00-05 Cross-Site Request Forgery (1.5 hrs): CSRF Defenses for Various Architectures\n00-06 File Upload and File I/O Security (1 hr): Secure File Upload\, File I/O Security\n00-07 Deserialization Security (0.5 hr): Safe Deserialization Practices\n00-08 Third-Party Library Security Management (1 hr): Ensuring Third-Party Library Security\n00-09 Security Logging and Monitoring (0.5 hr): Security-Focused Logging\n00-10 Application Layer Intrusion Detection (0.5 hr): Detecting App Layer Attacks\n00-11 Threat Modeling Fundamentals (1 hr): Security Design via Threat Modeling\n00-12 Forms and Workflows Security (0.5 hr): Secure Handling of Complex Form Workflows\nAPI Security\n01-00 API and REST Security (2 hrs): REST Design\, XML\, XXE\, JSON\, API Access Control\n01-01 Microservice Security (2 hrs): Security Architectures in Microservices\n01-02 JSON Web Tokens (JWT) (1 hr): 
Addressing JWT Security Challenges\n01-03 gRPC Security (1 hr): gRPC Security Architecture\nFoundations of AI Security\n02-00 Introduction to AI Security (1 hr): Overview of AI Security Concepts\, Threats\, and Mitigations\n02-01 OWASP Top 10 for Large Language Model (LLM) Applications (4 hrs): Top 10 Practices for Protecting Large Language Model Applications\nAI Secure Development Practices\n02-10 AI for Code Creation (1 hr): Exploring the Security Implications of Using AI for Code Generation\n02-11 React Security Prompt Engineering (1 hr): Building Secure React Applications with AI\nAI Architecture\n02-20 Threat Modeling for AI Systems (1 hr): Applying Threat Modeling Methodologies Specifically Tailored to AI Architectures and Pipelines\n02-21 Zero Trust Architectures for AI (1 hr): Adapting Zero Trust Principles in Designing and Deploying Secure AI Infrastructure\n02-22 Access Control Design for AI (1 hr): Building Access Control in Vector Database AI Systems\n02-23 AI for UI Development (1 hr): Building Access Control in Vector Database AI Systems\n02-24 AI Model Updates and Patching (1 hr): Best Practices for Securely Updating and Patching Deployed Models\, Especially in Response to Emerging Threats\n02-25 Self Hosted Models (1 hr): Strategies for securely deploying and operating self-hosted LLMs and vector stores\nAI Adversarial Techniques\n02-30 Adversarial Machine Learning (1 hr): Understanding and Mitigating Adversarial Attacks on AI Systems\n02-31 Red Teaming AI Systems (1 hr): Conducting Adversarial Testing and Red Teaming for AI Systems to Identify Vulnerabilities and Resilience\nAI Supply Chain\n02-40 Integrating AI in Software (1 hr): Security architecture patterns\, risks\, and mitigation strategies for integrating LLMs and AI APIs into real-world applications\n02-41 Hugging Face OSS Model Security (1 hr): Securing the Hugging Face Ecosystem\n02-42 AI Model Drift and Security Monitoring (1 hr): Strategies for Monitoring Models in Production to Detect Security Drift and 
Performance Degradation Over Time\n02-43 AWS Bedrock (1 hr): Securely using AWS Bedrock to access and manage foundation models\n02-44 PySpark Security (1 hr): Securing large-scale data pipelines with PySpark\nAI Regulatory and Ethical Frameworks\n02-50 Differential Privacy (1 hr): Principles and Practices for Ensuring Privacy and Ethical AI Usage in Business Environments\n02-51 European Union AI Act (1 hr): Detailed Examination of the EU AI Act and Its Implications for AI Development and Deployment\nStandards\n03-00 OWASP Top Ten (1-4 hrs): Top Ten Web Security Risks\n03-01 Introduction to GDPR (1 hr): European Data Privacy Law\n03-02 OWASP ASVS (1 hr): Comprehensive Secure Coding Standard\n03-03 OWASP Top Ten Proactive Controls (1 hr): Web Security Defense Categories\n03-04 PCI Secure SDLC Standard (1 hr): Credit Card SDLC Requirements\nUser Interface Security\n04-00 XSS Defense (2 hrs): Client-Side Web Security\n04-01 Content Security Policy (1 hr): Advanced Client-Side Web Security\n04-02 Content Spoofing and HTML Hacking (0.5 hr): HTML...
CATEGORIES:3-DAY TRAINING
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:49e73cfe8fc940f97150a9e58481f6c7
URL:http://owaspglobalappsecusa2026.sched.com/event/49e73cfe8fc940f97150a9e58481f6c7
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261102T170000Z
DTEND:20261103T010000Z
SUMMARY:3-Day Training: Full-Stack Pentesting Laboratory: 100% Hands-On + Lifetime LAB Access
DESCRIPTION:3-Day Training: November 2-4\, 2026\nLevel: Intermediate\nTrainer: Dawid Czagan\n\nTo register\, please purchase your training ticket here. Training and conference are two separate ticket purchases.\n\nModern IT systems are increasingly complex\, making full-stack expertise more essential than ever. That's why diving into full-stack pentesting is crucial—you will gain the skills needed to master modern attack vectors and implement effective defensive countermeasures.\n\nFor each attack\, vulnerability and technique presented in this training\, there is a lab exercise to help you develop your skills step by step. What's more\, when the training is over\, you can take the complete lab environment home to hack again at your own pace.\n\nI found security bugs in many companies including Google\, Yahoo\, Mozilla\, Twitter and in this training I'll share my experience with you.\n\nKey Learning Objectives\nAfter completing this training\, you will have learned about:\n\n- Hacking cloud applications\n- API hacking tips & tricks\n- Data exfiltration techniques\n- OSINT asset discovery tools\n- Tricky user impersonation\n- Bypassing protection mechanisms\n- CLI hacking scripts\n- Interesting XSS attacks\n- Server-side template injection\n- Hacking with Google & GitHub search engines\n- Automated SQL injection detection and exploitation\n- File read & file upload attacks\n- Password cracking in a smart way\n- Hacking Git repos\n- XML attacks\n- NoSQL injection\n- HTTP parameter pollution\n- Web cache deception attack\n- Hacking with wrappers\n- Finding metadata with sensitive information\n- Hijacking NTLM hashes\n- Automated detection of JavaScript libraries with known vulnerabilities\n- Extracting passwords\n- Hacking Electron applications\n- Establishing reverse shell connections\n- RCE attacks\n- XSS polyglot\n- and more …\n\nWhat Students Will Receive\nStudents will be handed a VMware image with a specially prepared lab environment to play with all 
attacks\, vulnerabilities and techniques presented in this training. When the training is over\, students can take the complete lab environment home (after signing a non-disclosure agreement) to hack again at their own pace.\n\nSpecial Bonus\nThe ticket price includes FREE access to my 6 online courses:\n\n- Fuzzing with Burp Suite Intruder\n- Exploiting Race Conditions with OWASP ZAP\n- Case Studies of Award-Winning XSS Attacks: Part 1\n- Case Studies of Award-Winning XSS Attacks: Part 2\n- How Hackers Find SQL Injections in Minutes with Sqlmap\n- Web Application Security Testing with Google Hacking\n\nWhat Students Say About My Trainings\nReferences are attached to my LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/). They can also be found here: https://silesiasecuritylab.com/services/training/#opinions – training participants from companies such as Oracle\, Adobe\, ESET\, ING\, …\n\nWhat Students Should Know\nTo get the most out of this training\, intermediate knowledge of web application security is needed. Students should have experience in using a proxy\, such as Burp Suite Proxy or Zed Attack Proxy (ZAP)\, to analyze or modify the traffic.\n\nWhat Students Should Bring\nStudents will need a laptop with a 64-bit operating system\, at least 8 GB RAM\, 35 GB free hard drive space\, administrative access\, the ability to turn off AV/firewall\, and VMware Player/Fusion installed (64-bit version). Prior to the training\, make sure there are no problems with running x86_64 VMs.\n\nAdditional notes\nThis new 3-day training was sold out at top security conferences\, e.g. DEF CON 2024 (Las Vegas)\, Hack In Paris (Paris).\n\nThis is a 100% hands-on training: for each attack\, vulnerability and technique presented in this training\, there is a lab exercise to help students develop their skills step by step.
CATEGORIES:3-DAY TRAINING
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:b359c5637d22cfd2865e588850d00826
URL:http://owaspglobalappsecusa2026.sched.com/event/b359c5637d22cfd2865e588850d00826
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261102T183000Z
DTEND:20261102T190000Z
SUMMARY:AM Break
DESCRIPTION:\n
CATEGORIES:MEALS PROVIDED BY OWASP
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:b05d942f3b761a9e0fd18823aa6fe492
URL:http://owaspglobalappsecusa2026.sched.com/event/b05d942f3b761a9e0fd18823aa6fe492
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261102T203000Z
DTEND:20261102T213000Z
SUMMARY:Lunch
DESCRIPTION:\n
CATEGORIES:MEALS PROVIDED BY OWASP
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:2d1b5fa5e8953e007c7e6a0f895aefb4
URL:http://owaspglobalappsecusa2026.sched.com/event/2d1b5fa5e8953e007c7e6a0f895aefb4
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261102T230000Z
DTEND:20261102T233000Z
SUMMARY:PM Break
DESCRIPTION:\n
CATEGORIES:MEALS PROVIDED BY OWASP
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:d63dd9001d79b18c2eb750a1f3f3a940
URL:http://owaspglobalappsecusa2026.sched.com/event/d63dd9001d79b18c2eb750a1f3f3a940
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261103T161500Z
DTEND:20261104T010000Z
SUMMARY:Registration
DESCRIPTION:
CATEGORIES:
LOCATION:Room: Meeting Room Level M1 Foyer\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:aac57619fcfcf0c2acf538d96735de54
URL:http://owaspglobalappsecusa2026.sched.com/event/aac57619fcfcf0c2acf538d96735de54
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261103T161500Z
DTEND:20261103T170000Z
SUMMARY:Breakfast
DESCRIPTION:\n
CATEGORIES:MEALS PROVIDED BY OWASP
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:e81722c62f427bf75d2cb5d9f45fee6f
URL:http://owaspglobalappsecusa2026.sched.com/event/e81722c62f427bf75d2cb5d9f45fee6f
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261103T170000Z
DTEND:20261104T010000Z
SUMMARY:2-Day Training: AI SecureOps: Attacking & Defending AI Applications & Agents
DESCRIPTION:2-Day Training: November 3-4\, 2026\nLevel: Intermediate\nTrainers: Abhinav Singh\n\nTo register\, please purchase your training ticket here. Training and conference are two separate ticket purchases.\n\nCan prompt injections lead to complete infrastructure takeovers? Could AI agents\, MCP-connected tools\, or poisoned external context be abused to compromise backend services? Can data poisoning in AI copilots impact a company’s stock? Can jailbreaks create false crisis alerts in security systems? This immersive\, CTF-styled training in GenAI\, LLM\, agent\, and MCP security dives into these pressing questions. Engage in realistic attack-and-defense scenarios focused on real-world threats\, from prompt injection and remote code execution to backend compromise\, tool abuse\, unsafe agent orchestration\, trust and authorization failures. Tackle hands-on challenges with live AI applications to understand vulnerabilities and build robust defenses. Learn how to build a comprehensive security pipeline\, master AI red and blue team strategies\, secure tool-connected and agentic systems\, implement resilient guardrails for LLMs\, and handle incident response for AI-based threats. 
You will also explore governance\, Responsible AI\, and enterprise security patterns for modern AI ecosystems.\n\nBy the end of this training\, you will be able to:\n- Exploit vulnerabilities in AI applications to achieve code and command execution\, uncovering scenarios such as instruction injection\, agent control bypass\, remote code execution for infrastructure takeover\, as well as chaining multiple agents for goal hijacking.\n- Conduct AI red-teaming using adversary simulation\, OWASP LLM Top 10\, and MITRE ATLAS frameworks\, while applying AI security and ethical principles in real-world scenarios.\n- Execute and defend against adversarial attacks\, including prompt injection\, data poisoning\, jailbreaks\, agentic attacks\, and insecure tool-connected workflows.\n- Perform advanced AI red and blue teaming through multi-agent auto-prompting attacks\, implementing a 3-way autonomous system consisting of attack\, defend\, and judge models.\n- Build and deploy enterprise-grade LLM defenses\, including custom guardrails for input/output protection\, security benchmarking\, penetration testing of LLM agents\, and defensive controls for MCP-enabled integrations.\n- Understand MCP fundamentals and assess how they expand the attack surface of modern AI systems.\n- Establish a comprehensive LLM SecOps process to secure the supply chain from adversarial attacks and create a robust threat model for enterprise applications\, including AI systems connected to external tools and data sources through MCP-like architectures.\n- Implement an incident response and risk management plan for enterprises developing or using AI services.
CATEGORIES:2-DAY TRAINING
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:6e8e3b8732b2bb3f569ae94c594b8ad3
URL:http://owaspglobalappsecusa2026.sched.com/event/6e8e3b8732b2bb3f569ae94c594b8ad3
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261103T170000Z
DTEND:20261104T010000Z
SUMMARY:2-Day Training: Beyond Whiteboard Hacking: Embracing AI-Assisted Threat Modeling
DESCRIPTION:2-Day Training: November 3-4\, 2026\nLevel: Intermediate\nTrainer: Robert Hurlbut\n\nTo register\, please purchase your training ticket here. Training and conference are two separate ticket purchases.\n\nThis training immerses you in the practical world of threat modeling through hands-on exercises and real-world scenarios. With 25 years of practical experience and over a decade of delivering this training at Black Hat\, it emphasizes an interactive approach—70% of the course is dedicated to exercises that reinforce learning. By the end\, you'll gain not only knowledge but also the skills to effectively practice threat modeling within your organization.\n\nUpdated annually\, this revised training covers the latest threat intelligence and attack methods expected for 2026 and beyond\, including risks associated with LLMs and other AI systems. Participants will engage in practical activities inspired by real industry projects\, such as integrating threat modeling into secure-by-design and DevOps workflows. Key features include threat-informed defense using MITRE frameworks like ATT&CK for real-world analysis\, using threat libraries and intelligence to deepen threat understanding\, and tackling modern challenges such as modeling threats for AI-driven systems—specifically\, a machine-learning-powered chatbot.\n\nBefore the training\, all participants will get access to our self-paced “introduction to threat modeling” course\, designed to bring participants up to speed.\n\nAs practitioners with hands-on experience\, we understand the gap between book-based threat modeling knowledge and the practical challenges faced in real-world environments. 
To address this\, we have created a comprehensive real-world case study and exercises to help you build effective threat models.\nIn this course\, you will work in teams of 3 or 4 to address the stages of threat modeling across various technology stacks.\n\nExamples include:\n• Use case describing a home automation system\n• Data flow diagramming and trust boundaries\n• Identifying threats\n• AI-Assisted STRIDE analysis\n• Constructing an attack tree\n• Mitigating threats\n• AI-Assisted mitigations\n• Applying GDPR Risk Patterns for Privacy by Design\n• Using AI resources to threat model a machine learning powered HomeAutomationBot\n• Integrating the OWASP Threat Modeling Playbook into agile development\n• Threat Modeling a CI/CD supply chain\n• Red Team / Blue Team battle for control over an offshore wind turbine park\n\nAfter each exercise\, we encourage in-depth discussions and provide a documented solution to reinforce your understanding. Additionally\, participants are invited to create and submit their “Bring Your Own Case” (BYOC) threat models after the training and receive personalized feedback to improve their techniques.\nTo receive the “Certified Threat Modeling Practitioner” certificate\, participants must pass an exam and submit their BYOC threat model.\n\nThis training extends beyond the classroom: every participant gains access to our Threat Modeling Playbook\, one year of online learning resources\, and invitations to monthly Ask-Me-Anything sessions to help you keep improving your threat modeling skills long after the course concludes.\n\n
CATEGORIES:2-DAY TRAINING
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:3366e0cc1986dfe38b56f56a2b51642c
URL:http://owaspglobalappsecusa2026.sched.com/event/3366e0cc1986dfe38b56f56a2b51642c
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261103T170000Z
DTEND:20261104T010000Z
SUMMARY:2-Day Training: Repeatable\, Scalable and Valuable Code Security Scanning
DESCRIPTION:2-Day Training: November 3-4\, 2026\nLevel: Intermediate\nTrainers: Josh Grossman\n\nTo register\, please purchase your training ticket here. Training and conference are two separate ticket purchases.\n\nSuddenly anyone and everyone in your organization can use AI assistants to write code. Meanwhile\, your actual developers are putting out 100x their previous output\, with “varying” levels of quality. So how are you going to secure code at this scale?\n\nThis course is designed to be a deep dive into state-of-the-art techniques for validating code security within an organization’s codebase. The course has a strong emphasis on how AI-driven analysis can drive this forward whilst also clearly highlighting where standard\, deterministic techniques (albeit incorporating AI acceleration) will be more effective.\n\nDuring the course\, you will learn how to combine these techniques\, in a scalable and repeatable way\, based on our experience doing just this with real organizations and real teams and with a focus on the current state of the art in this fast-moving area.\n\nThis course goes beyond the scope of standard application security knowledge and is designed to make you a specialist in this area. 
Having spent several years perfecting this process\, we are excited to impart the lessons we have learnt!\n\nThe course is structured as follows:\n* Overview – setting out the basic details of what we will be talking about in terms of code scanning and SAST.\n* Key techniques – Discuss the different techniques which can be used for this including generic “off the shelf” SAST\, deterministic custom scanning rules\, and LLM powered custom AI prompts\n* Technique comparison - Advantages and disadvantages of each technique based on our in-depth experience with each and which technique you will want to use in different situations\, to avoid wasting time trying to use a technique in an inappropriate use case.\n* Organizational process – How to get these processes built into an organization’s existing software lifecycle\n* Generic SAST – Using “off the shelf” rules effectively to catch “low hanging fruit” and avoid reinventing the wheel.\n* Custom SAST – Introduce custom rule languages (e.g.\, Semgrep\, CodeQL)\, writing rules from scratch\, and scaling analysis across a codebase.\n* Basic AI Code Security Scanning – Overview of AI-based scanning\, platforms\, principles\, and initial single-shot prompts
CATEGORIES:2-DAY TRAINING
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:b37c92d203b336a8f05408f74640ecb1
URL:http://owaspglobalappsecusa2026.sched.com/event/b37c92d203b336a8f05408f74640ecb1
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261103T170000Z
DTEND:20261104T010000Z
SUMMARY:2-Day Training: Secure Coding That Sticks: From Bad Code to Secure Design
DESCRIPTION:1-Day Training: November 4\, 2026\nLevel: Intermediate\nTrainers: Tanya Janca\n\nTo register\, please purchase your training ticket here. Training and conference are two separate ticket purchases.\n\nMost developers have heard security advice before. The problem is\, it rarely translates into what to actually do when you're writing code.\n\nThis two-day\, hands-on training focuses on building secure coding skills that work in real life. Attendees learn how to recognize insecure patterns\, fix them\, and replace them with practical\, repeatable approaches they can apply immediately. As AI-generated code becomes the norm\, the ability to read code critically\, spot security issues\, and fix them confidently has never mattered more. This training builds this exact skill.\n\nDay One covers secure coding fundamentals across the areas where vulnerabilities happen most often: input and output handling\, data and secrets protection\, authentication and authorization\, infrastructure and application safety\, resilience\, supply chain risks\, logging\, and operational practices. Each topic is taught using a Bad / Better / Best approach\, with real code examples and hands-on exercises so participants can clearly see what insecure code looks like\, how it fails\, and how to fix it properly.\n\nDay Two applies those skills to APIs using the OWASP API Security Top 10. Participants work through each category of vulnerability using practical examples\, learning how issues like broken object-level authorization\, SSRF\, and unsafe API consumption actually show up in code and how to remediate them effectively.\n\nIn the final section\, the training moves into secure design. 
Attendees are introduced to core design principles and guided through a live threat modeling exercise\, where they identify assets\, trust boundaries\, and risks in a realistic system\, then prioritize and propose mitigations.\n\nAttendees leave with 42 actionable secure coding rules\, hands-on experience with the OWASP API Security Top 10\, and a practical threat modeling approach they can use immediately. The goal is not a list of things to memorize. It's a new way of thinking about code and your everyday work.
CATEGORIES:2-DAY TRAINING
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:82c0fae945f5a3654cac6138b6447f9a
URL:http://owaspglobalappsecusa2026.sched.com/event/82c0fae945f5a3654cac6138b6447f9a
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261103T170000Z
DTEND:20261104T010000Z
SUMMARY:3 Day Training: Hacking Android\, iOS and IoT apps by Example - 2026 Edition
DESCRIPTION:3-Day Training: November 2-4\, 2026\nLevel: Intermediate\nTrainer: Abraham Aranguren\n\nTo register\, please purchase your training ticket here. Training and conference are two separate ticket purchases.\n\nModern Android and iOS apps rarely operate alone. They sit at the center of rich ecosystems: phones talking to toys\, drones\, wearables\, vehicles\, trackers\, “smart” homes—and\, in multiple countries\, even government‑mandated and police apps. In these environments\, attackers increasingly target the mobile app as the remote control for the device\, often without ever touching the physical hardware.\n\nThis 3‑day\, 100% hands‑on course is a deep dive into the OWASP Mobile Security Testing Guide (MSTG) and relevant items of the OWASP Mobile Application Security Verification Standard (MASVS). The 2026 Edition fully covers and goes beyond the OWASP Mobile Top Ten\, using real‑world Android\, iOS\, and IoT applications as targets.\n\n7ASecurity is an ISO 27001 and SOC 2–certified cybersecurity consultancy and OWASP Platinum Supporter that focuses on researcher‑led\, heavily manual penetration tests and secure code audits. Lessons learned from these engagements—performed for organizations such as the Linux Foundation\, Mozilla\, the Tor Project\, and others—feed directly into the course material\, labs\, and case studies.\n\nAcross three intensive days you will:\nBreak down Android and iOS apps with static and dynamic analysis.\nDiscover IoT vulnerabilities using only the apps and APIs\, no devices required.\nMaster practical instrumentation using Frida\, Objection\, Xposed\, and related tooling to bypass protections and deeply inspect runtime behavior.\n\nIdeal for penetration testers\, red teamers\, mobile developers\, and anyone serious about mobile/IoT security\, this course is all action\, no fluff. 
It is packed with exercises\, extra‑mile challenges\, and CTFs\, and includes continued education via lifetime access to a training portal with step‑by‑step video recordings\, updated labs\, and unlimited email support\, including all future updates for free.\n\nTeaser Video: https://www.youtube.com/watch?v=Re5oqfVkgd4\nGet a free taste of this training\, including access to video recordings\, slides\, and vulnerable apps to play with:\nhttps://7asecurity.com/free-workshop-mobile-practical\nhttps://7asecurity.com/free-workshop-mobile-deeplinks-xss
CATEGORIES:3-DAY TRAINING
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:d26f9cb99b1d0c3a7ceed5b0a94f02ac
URL:http://owaspglobalappsecusa2026.sched.com/event/d26f9cb99b1d0c3a7ceed5b0a94f02ac
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261103T170000Z
DTEND:20261104T010000Z
SUMMARY:3-Day Training: Adam Shostack's Threat Modeling Intensive With AI
DESCRIPTION:3-Day Training: November 2-4\, 2026\nLevel: Intermediate\nTrainer: Adam Shostack\n\nTo register\, please purchase your training ticket here. Training and conference are two separate ticket purchases.\n\nThis is our popular Threat Modeling Intensive course\, where you'll learn to Threat Model\, and then you'll revisit and learn to complement those skills with a variety of AI systems. You need to know how to threat model to evaluate what the AIs hallucinate\, and today you need AI (at least to get your AI-loving boss to leave you alone) and maybe even to help your organization scale.
CATEGORIES:3-DAY TRAINING
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:dbdd1fa36e6ef1d6ab7b3a1573e36035
URL:http://owaspglobalappsecusa2026.sched.com/event/dbdd1fa36e6ef1d6ab7b3a1573e36035
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261103T170000Z
DTEND:20261104T010000Z
SUMMARY:3-Day Training: AppSec and AI Security for Developers with Jim Manico
DESCRIPTION:3-Day Training: November 2-4\, 2026\nLevel: Beginner\nTrainer: Jim Manico\n\nTo register\, please purchase your training ticket here. Training and conference are two separate ticket purchases.\n\nDescription: This three-day security course is designed for software engineers and AppSec professionals who want to tailor their learning experience. Throughout the class\, you’ll select the topics that interest you most—ensuring that the content aligns with your individual needs and goals. We’ll honor every participant’s topic requests\, so you can dive deeper into the areas that matter most.\n\nStudents will choose from the following material:\n\nCore Modules\n00-00 Introduction to Application Security (1 hr): Goals and Threats in AppSec\n00-01 Input Validation Basics (1 hr): Allowlist Validation\, Safe Redirects\n00-02 HTTP Security Basics (1.5 hrs): Response/Request Headers\, Verbs\, Secure Transport Basics\n00-03 SOP and CORS (1 hr): Same-Origin Policy\, Cross-Origin Resource Sharing Security\n00-04 SQL and Other Injections (1.5 hrs): Parameterized Queries\, Secure Database Configurations\, Command Injection\n00-05 Cross-Site Request Forgery (1.5 hrs): CSRF Defenses for Various Architectures\n00-06 File Upload and File I/O Security (1 hr): Secure File Upload\, File I/O Security\n00-07 Deserialization Security (0.5 hr): Safe Deserialization Practices\n00-08 Third-Party Library Security Management (1 hr): Ensuring Third-Party Library Security\n00-09 Security Logging and Monitoring (0.5 hr): Security-Focused Logging\n00-10 Application Layer Intrusion Detection (0.5 hr): Detecting App Layer Attacks\n00-11 Threat Modeling Fundamentals (1 hr): Security Design via Threat Modeling\n00-12 Forms and Workflows Security (0.5 hr): Secure Handling of Complex Form Workflows\nAPI Security\n01-00 API and REST Security (2 hrs): REST Design\, XML\, XXE\, JSON\, API Access Control\n01-01 Microservice Security (2 hrs): Security Architectures in Microservices\n01-02 JSON Web Tokens (JWT) (1 hr): 
Addressing JWT Security Challenges\n01-03 gRPC Security (1 hr): gRPC Security Architecture\nFoundations of AI Security\n02-00 Introduction to AI Security (1 hr): Overview of AI Security Concepts\, Threats\, and Mitigations\n02-01 OWASP Top 10 for Large Language Model (LLM) Applications (4 hrs): Top 10 Practices for Protecting Large Language Model Applications\nAI Secure Development Practices\n02-10 AI for Code Creation (1 hr): Exploring the Security Implications of Using AI for Code Generation\n02-11 React Security Prompt Engineering (1 hr): Building Secure React Applications with AI\nAI Architecture\n02-20 Threat Modeling for AI Systems (1 hr): Applying Threat Modeling Methodologies Specifically Tailored to AI Architectures and Pipelines\n02-21 Zero Trust Architectures for AI (1 hr): Adapting Zero Trust Principles in Designing and Deploying Secure AI Infrastructure\n02-22 Access Control Design for AI (1 hr): Building Access Control in Vector Database AI Systems\n02-23 AI for UI Development (1 hr): Building Access Control in Vector Database AI Systems\n02-24 AI Model Updates and Patching (1 hr): Best Practices for Securely Updating and Patching Deployed Models\, Especially in Response to Emerging Threats\n02-25 Self Hosted Models (1 hr): Strategies for securely deploying and operating self-hosted LLMs and vector stores\nAI Adversarial Techniques\n02-30 Adversarial Machine Learning (1 hr): Understanding and Mitigating Adversarial Attacks on AI Systems\n02-31 Red Teaming AI Systems (1 hr): Conducting Adversarial Testing and Red Teaming for AI Systems to Identify Vulnerabilities and Resilience\nAI Supply Chain\n02-40 Integrating AI in Software (1 hr): Security architecture patterns\, risks\, and mitigation strategies for integrating LLMs and AI APIs into real-world applications\n02-41 Hugging Face OSS Model Security (1 hr): Securing the Hugging Face Ecosystem\n02-42 AI Model Drift and Security Monitoring (1 hr): Strategies for Monitoring Models in Production to Detect Security Drift and 
Performance Degradation Over Time\n02-43 AWS Bedrock (1 hr): Securely using AWS Bedrock to access and manage foundation models\n02-44 PySpark Security (1 hr): Securing large-scale data pipelines with PySpark\nAI Regulatory and Ethical Frameworks\n02-50 Differential Privacy (1 hr): Principles and Practices for Ensuring Privacy and Ethical AI Usage in Business Environments\n02-51 European Union AI Act (1 hr): Detailed Examination of the EU AI Act and Its Implications for AI Development and Deployment\nStandards\n03-00 OWASP Top Ten (1-4 hrs): Top Ten Web Security Risks\n03-01 Introduction to GDPR (1 hr): European Data Privacy Law\n03-02 OWASP ASVS (1 hr): Comprehensive Secure Coding Standard\n03-03 OWASP Top Ten Proactive Controls (1 hr): Web Security Defense Categories\n03-04 PCI Secure SDLC Standard (1 hr): Credit Card SDLC Requirements\nUser Interface Security\n04-00 XSS Defense (2 hrs): Client-Side Web Security\n04-01 Content Security Policy (1 hr): Advanced Client-Side Web Security\n04-02 Content Spoofing and HTML Hacking (0.5 hr): HTML C...
CATEGORIES:3-DAY TRAINING
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:1b9b18d541d15c1faba9385be67dd783
URL:http://owaspglobalappsecusa2026.sched.com/event/1b9b18d541d15c1faba9385be67dd783
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261103T170000Z
DTEND:20261104T010000Z
SUMMARY:3-Day Training: Full-Stack Pentesting Laboratory: 100% Hands-On + Lifetime LAB Access
DESCRIPTION:3-Day Training: November 2-4\, 2026\nLevel: Intermediate\nTrainer: Dawid Czagan\n\nTo register\, please purchase your training ticket here. Training and conference are two separate ticket purchases.\n\nModern IT systems are increasingly complex\, making full-stack expertise more essential than ever. That's why diving into full-stack pentesting is crucial—you will gain the skills needed to master modern attack vectors and implement effective defensive countermeasures.\n\nFor each attack\, vulnerability and technique presented in this training\, there is a lab exercise to help you develop your skills step by step. What's more\, when the training is over\, you can take the complete lab environment home to hack again at your own pace.\n\nI found security bugs in many companies including Google\, Yahoo\, Mozilla\, Twitter and in this training I'll share my experience with you.\n\nKey Learning Objectives\nAfter completing this training\, you will have learned about:\n\n- Hacking cloud applications\n- API hacking tips & tricks\n- Data exfiltration techniques\n- OSINT asset discovery tools\n- Tricky user impersonation\n- Bypassing protection mechanisms\n- CLI hacking scripts\n- Interesting XSS attacks\n- Server-side template injection\n- Hacking with Google & GitHub search engines\n- Automated SQL injection detection and exploitation\n- File read & file upload attacks\n- Password cracking in a smart way\n- Hacking Git repos\n- XML attacks\n- NoSQL injection\n- HTTP parameter pollution\n- Web cache deception attack\n- Hacking with wrappers\n- Finding metadata with sensitive information\n- Hijacking NTLM hashes\n- Automated detection of JavaScript libraries with known vulnerabilities\n- Extracting passwords\n- Hacking Electron applications\n- Establishing reverse shell connections\n- RCE attacks\n- XSS polyglot\n- and more …\n\nWhat Students Will Receive\nStudents will be handed a VMware image with a specially prepared lab environment to play with all 
attacks\, vulnerabilities and techniques presented in this training. When the training is over\, students can take the complete lab environment home (after signing a non-disclosure agreement) to hack again at their own pace.\n\nSpecial Bonus\nThe ticket price includes FREE access to my 6 online courses:\n\n- Fuzzing with Burp Suite Intruder\n- Exploiting Race Conditions with OWASP ZAP\n- Case Studies of Award-Winning XSS Attacks: Part 1\n- Case Studies of Award-Winning XSS Attacks: Part 2\n- How Hackers Find SQL Injections in Minutes with Sqlmap\n- Web Application Security Testing with Google Hacking\n\nWhat Students Say About My Trainings\nReferences are attached to my LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/). They can also be found here: https://silesiasecuritylab.com/services/training/#opinions – training participants from companies such as Oracle\, Adobe\, ESET\, ING\, …\n\nWhat Students Should Know\nTo get the most out of this training\, intermediate knowledge of web application security is needed. Students should have experience in using a proxy\, such as Burp Suite Proxy or Zed Attack Proxy (ZAP)\, to analyze or modify the traffic.\n\nWhat Students Should Bring\nStudents will need a laptop with a 64-bit operating system\, at least 8 GB RAM\, 35 GB free hard drive space\, administrative access\, the ability to turn off AV/firewall\, and VMware Player/Fusion installed (64-bit version). Prior to the training\, make sure there are no problems with running x86_64 VMs.\n\nAdditional notes\nThis new 3-day training was sold out at top security conferences\, e.g. DEF CON 2024 (Las Vegas)\, Hack In Paris (Paris).\n\nThis is a 100% hands-on training: for each attack\, vulnerability and technique presented in this training\, there is a lab exercise to help students develop their skills step by step.
CATEGORIES:3-DAY TRAINING
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:113e24635aaa3eb5909f74bf6a65b725
URL:http://owaspglobalappsecusa2026.sched.com/event/113e24635aaa3eb5909f74bf6a65b725
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261103T183000Z
DTEND:20261103T190000Z
SUMMARY:AM Break
DESCRIPTION:\n
CATEGORIES:MEALS PROVIDED BY OWASP
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:2ece2bee4d41337c38ac3839da93ff27
URL:http://owaspglobalappsecusa2026.sched.com/event/2ece2bee4d41337c38ac3839da93ff27
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261103T203000Z
DTEND:20261103T213000Z
SUMMARY:Lunch
DESCRIPTION:\n
CATEGORIES:MEALS PROVIDED BY OWASP
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:11393dd5cbcdd9e6b13c219a7a17ea22
URL:http://owaspglobalappsecusa2026.sched.com/event/11393dd5cbcdd9e6b13c219a7a17ea22
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261103T230000Z
DTEND:20261103T233000Z
SUMMARY:PM Break
DESCRIPTION:\n
CATEGORIES:MEALS PROVIDED BY OWASP
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:9c8c152215ee9f57b3abb2a595e7d4b5
URL:http://owaspglobalappsecusa2026.sched.com/event/9c8c152215ee9f57b3abb2a595e7d4b5
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261104T161500Z
DTEND:20261105T010000Z
SUMMARY:Registration
DESCRIPTION:\n
CATEGORIES:
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:ad9ef20213862712f982ca3f6fc84cfb
URL:http://owaspglobalappsecusa2026.sched.com/event/ad9ef20213862712f982ca3f6fc84cfb
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261104T161500Z
DTEND:20261104T170000Z
SUMMARY:Breakfast
DESCRIPTION:\n
CATEGORIES:MEALS PROVIDED BY OWASP
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:4c2c4dfd690fd80df6b2ebaaead42517
URL:http://owaspglobalappsecusa2026.sched.com/event/4c2c4dfd690fd80df6b2ebaaead42517
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261104T170000Z
DTEND:20261105T010000Z
SUMMARY:1-Day Training: Building Continuous SaaS Integration Security: Signals\, Least Privilege\, and Evidence Automation
DESCRIPTION:1-Day Training: November 4\, 2026\nLevel: Intermediate\nTrainers: Pranav Saji\n\nTo register\, please purchase your training ticket here. Training and conference are two separate ticket purchases.\n\nSaaS integrations are now a primary path for privilege creep\, token sprawl\, and silent exposure across an organization. In this hands-on training\, participants learn how to assess and continuously monitor SaaS integrations using practical security signals such as over-scoped OAuth grants\, non-expiring API tokens\, dormant but valid credentials\, admin privilege duration\, environment token reuse\, and public sharing risk.\n\nWe will turn these signals into an actionable review rubric and then into automation: how to pull audit-ready evidence from common SaaS APIs\, normalize it into a consistent model\, and generate security findings that are explainable to engineering and compliance teams. Participants will leave with a reusable signal checklist\, a prioritization approach\, and reference architectures to operationalize continuous monitoring without breaking least-privilege principles.
CATEGORIES:1-DAY TRAINING
LOCATION:Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:bb7dd281509bbe55b975658ce0af171b
URL:http://owaspglobalappsecusa2026.sched.com/event/bb7dd281509bbe55b975658ce0af171b
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261104T170000Z
DTEND:20261105T010000Z
SUMMARY:1-Day Training: How to build a Successful Security Champions Program
DESCRIPTION:1-Day Training: November 4\, 2026\nLevel: Intermediate\nTrainers: Juliane Reimann and Marisa Fagan\n\nTo register\, please purchase your training ticket here. Training and conference are two separate ticket purchases.\n\nDo you feel a disconnect between your cybersecurity efforts and engineering activities? If so\, a Security Champions Program could bridge the gap. By involving engineers in security topics that align with their work\, a Security Champions Program not only enhances security awareness but also fosters a culture of security across your organization. However\, creating such a program requires careful planning\, innovative strategies\, and a solid understanding of what drives individuals to champion security initiatives.\n\nThis training will equip you with practical tools and actionable insights to design and launch a successful Security Champions Program. You'll explore key concepts\, including how to:\n- Develop a foundational understanding of what a Security Champions Program is\n- Plan and navigate the phases of program development\, from launch to long-term growth\n- Learn about strategies to engage and motivate diverse personality types within the organization\n- Acquire practical tools and a structured approach to establish a scalable and trackable Security Champions Program\n\nWhether you're a security engineer\, architect\, or manager\, this training will provide you with the tools and frameworks to collaborate effectively with your engineering teams and establish a thriving Security Champions Program.\n\nThe session is highly interactive\, featuring hands-on exercises and team-based activities to encourage collaboration and networking with fellow professionals. Join us to gain the confidence and strategies you need to kickstart your journey toward a more secure organization.
CATEGORIES:1-DAY TRAINING
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:47f63c0fa1af0fb7ee435403c332237e
URL:http://owaspglobalappsecusa2026.sched.com/event/47f63c0fa1af0fb7ee435403c332237e
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261104T170000Z
DTEND:20261105T010000Z
SUMMARY:1-Day Training: OWASP AI Testing Guide (AITG): Enabling Trustworthy AI Through Structured Validation
DESCRIPTION:1-Day Training: November 4\, 2026\nLevel: Intermediate\nTrainers: Marco Morana and Matteo Meucci\n\nTo register\, please purchase your training ticket here. Training and conference are two separate ticket purchases.\n\nThe OWASP AI Testing Guide (AITG) provides a structured\, comprehensive framework for validating Trustworthy AI systems across their entire lifecycle. Designed to support QA teams\, security engineers\, developers\, auditors\, and governance stakeholders\, AITG establishes practical testing methodologies to assess AI security\, privacy\, and responsible AI behaviors.\n\nThe framework defines Trustworthy AI as the integration of:\n1) Security AI (SecAI): Testing resilience against adversarial attacks such as prompt injection\, model poisoning\, evasion\, and extraction.\n2) Privacy AI (PrivacyAI): Validating protection against sensitive data leakage\, membership inference\, and model inversion risks.\n3) Responsible AI (RespAI): Assessing fairness\, safety\, harmful output prevention\, hallucination risks\, explainability\, and alignment with ethical policies.\n\nAITG organizes testing coverage across four core AI product domains:\n1. Application & Agent Testing\n2. Model Testing\n3. Infrastructure Testing\n4. Data Testing\n\nThis structured approach ensures that AI systems are evaluated holistically\, not just at the model layer\, but across agents\, RAG pipelines\, APIs\, infrastructure components\, and data flows.\n\nThe AITG Comprehensive AI Testing Suite maps AI-specific threats to recognized standards such as OWASP Top 10 for LLMs and the OWASP AI Exchange\, providing actionable\, test-driven validation methods rather than abstract principles.\n\nBy combining adversarial testing\, privacy validation\, and responsible AI assessments\, supported by governance\, transparency\, and monitoring\, AITG enables organizations to transition from experimental AI deployments to validated\, production-ready\, and defensible AI systems.
CATEGORIES:1-DAY TRAINING
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:f51b398ffa8925c9718f671c7dde01c9
URL:http://owaspglobalappsecusa2026.sched.com/event/f51b398ffa8925c9718f671c7dde01c9
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261104T170000Z
DTEND:20261105T010000Z
SUMMARY:1-Day Training: Shall we play a Game? LLM Security in Practice
DESCRIPTION:1-Day Training: November 4\, 2026\nLevel: Intermediate\nTrainers: Joseph Katsioloudes\n\nTo register\, please purchase your training ticket here. Training and conference are two separate ticket purchases.\n\nArtificial Intelligence (AI) is no longer a futuristic concept. It's embedded in the systems we use daily. At the core of these innovations are Large Language Models (LLMs) and Autonomous AI Agents. These innovations have unlocked new capabilities but have also introduced novel security challenges due to their non-deterministic behavior and autonomous outputs\, causing issues like data leakage and unintended model behavior from attacks such as prompt injection and rogue agents.\n\nThis training equips participants with the skills they need to build secure agentic and LLM-based applications through interactive\, challenge-based exercises that gamify core security concepts. Prepare to level up your understanding of LLM security in a practical and fun way!
CATEGORIES:1-DAY TRAINING
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:698217f0027ca832bc43afd25de64713
URL:http://owaspglobalappsecusa2026.sched.com/event/698217f0027ca832bc43afd25de64713
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261104T170000Z
DTEND:20261105T010000Z
SUMMARY:2-Day Training: Beyond Whiteboard Hacking: Embracing AI-Assisted Threat Modeling
DESCRIPTION:2-Day Training: November 3-4\, 2026\nLevel: Beginner\n\nTo register\, please purchase your training ticket here. Training and conference are two separate ticket purchases.\n\nThis training immerses you in the practical world of threat modeling through hands-on exercises and real-world scenarios. With 25 years of practical experience and over a decade of delivering this training at Black Hat\, it emphasizes an interactive approach—70% of the course is dedicated to exercises that reinforce learning. By the end\, you'll gain not only knowledge but also the skills to effectively practice threat modeling within your organization.\n\nUpdated annually\, this revised training covers the latest threat intelligence and attack methods expected for 2026 and beyond\, including risks associated with LLMs and other AI systems. Participants will engage in practical activities inspired by real industry projects\, such as integrating threat modeling into secure-by-design and DevOps workflows. Key features include threat-informed defense using MITRE frameworks like ATT&CK for real-world analysis\, using threat libraries and intelligence to deepen threat understanding\, and tackling modern challenges such as modeling threats for AI-driven systems—specifically\, a machine-learning-powered chatbot.\n\nBefore the training\, all participants will get access to our self-paced “introduction to threat modeling” course\, designed to bring participants up to speed.\n\nAs practitioners with hands-on experience\, we understand the gap between book-based threat modeling knowledge and the practical challenges faced in real-world environments. To address this\, we have created a comprehensive real-world case study and exercises to help you build effective threat models. 
In this course\, you will work in teams of 3 or 4 to address the stages of threat modeling across various technology stacks.\n\nExamples include:\n• Use case describing a home automation system\n• Data flow diagramming and trust boundaries\n• Identifying threats\n• AI-Assisted STRIDE analysis\n• Constructing an attack tree\n• Mitigating threats\n• AI-Assisted mitigations\n• Applying GDPR Risk Patterns for Privacy by Design\n• Using AI resources to threat model a machine learning powered HomeAutomationBot\n• Integrating the OWASP Threat Modeling Playbook into agile development\n• Threat Modeling a CI/CD supply chain\n• Red Team / Blue Team battle for control over an offshore wind turbine park\n\nAfter each exercise\, we encourage in-depth discussions and provide a documented solution to reinforce your understanding. Additionally\, participants are invited to create and submit their “Bring Your Own Case” (BYOC) threat models after the training and receive personalized feedback to improve their techniques. To receive the “Certified Threat Modeling Practitioner” certificate\, participants must pass an exam and submit their BYOC threat model.\n\nThis training extends beyond the classroom: every participant gains access to our Threat Modeling Playbook\, one year of online learning resources\, and invitations to monthly Ask-Me-Anything sessions to help you keep improving your threat modeling skills long after the course concludes.
CATEGORIES:2-DAY TRAINING
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:46f4b38efac2cdcdef1535d0147d4e3c
URL:http://owaspglobalappsecusa2026.sched.com/event/46f4b38efac2cdcdef1535d0147d4e3c
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261104T170000Z
DTEND:20261105T010000Z
SUMMARY:2-Day Training: AI SecureOps: Attacking & Defending AI Applications & Agents
DESCRIPTION:2-Day Training: November 3-4\, 2026\nLevel: Intermediate\nTrainers: Abhinav Singh\n\nTo register\, please purchase your training ticket here. Training and conference are two separate ticket purchases.\n\nCan prompt injections lead to complete infrastructure takeovers? Could AI agents\, MCP-connected tools\, or poisoned external context be abused to compromise backend services? Can data poisoning in AI copilots impact a company’s stock? Can jailbreaks create false crisis alerts in security systems? This immersive\, CTF-styled training in GenAI\, LLM\, agent\, and MCP security dives into these pressing questions. Engage in realistic attack-and-defense scenarios focused on real-world threats\, from prompt injection and remote code execution to backend compromise\, tool abuse\, unsafe agent orchestration\, trust and authorization failures. Tackle hands-on challenges with live AI applications to understand vulnerabilities and build robust defenses. Learn how to build a comprehensive security pipeline\, master AI red and blue team strategies\, secure tool-connected and agentic systems\, implement resilient guardrails for LLMs\, and handle incident response for AI-based threats. 
You will also explore governance\, Responsible AI\, and enterprise security patterns for modern AI ecosystems.\n\nBy the end of this training\, you will be able to:\n- Exploit vulnerabilities in AI applications to achieve code and command execution\, uncovering scenarios such as instruction injection\, agent control bypass\, remote code execution for infrastructure takeover\, as well as chaining multiple agents for goal hijacking.\n- Conduct AI red-teaming using adversary simulation\, OWASP LLM Top 10\, and MITRE ATLAS frameworks\, while applying AI security and ethical principles in real-world scenarios.\n- Execute and defend against adversarial attacks\, including prompt injection\, data poisoning\, jailbreaks\, agentic attacks\, and insecure tool-connected workflows.\n- Perform advanced AI red and blue teaming through multi-agent auto-prompting attacks\, implementing a 3-way autonomous system consisting of attack\, defend\, and judge models.\n- Build and deploy enterprise-grade LLM defenses\, including custom guardrails for input/output protection\, security benchmarking\, penetration testing of LLM agents\, and defensive controls for MCP-enabled integrations.\n- Understand MCP fundamentals and assess how they expand the attack surface of modern AI systems.\n- Establish a comprehensive LLM SecOps process to secure the supply chain from adversarial attacks and create a robust threat model for enterprise applications\, including AI systems connected to external tools and data sources through MCP-like architectures.\n- Implement an incident response and risk management plan for enterprises developing or using AI services.
CATEGORIES:2-DAY TRAINING
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:df3d7e5101f69f8dc0c1e15910df917f
URL:http://owaspglobalappsecusa2026.sched.com/event/df3d7e5101f69f8dc0c1e15910df917f
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261104T170000Z
DTEND:20261105T010000Z
SUMMARY:2-Day Training: Repeatable\, Scalable and Valuable Code Security Scanning
DESCRIPTION:2-Day Training: November 3-4\, 2026\nLevel: Intermediate\nTrainers: Josh Grossman\n\nTo register\, please purchase your training ticket here. Training and conference are two separate ticket purchases.\n\nSuddenly anyone and everyone in your organization can use AI assistants to write code. Meanwhile\, your actual developers are putting out 100x their previous output\, with “varying” levels of quality. So how are you going to secure code at this scale?\n\nThis course is designed to be a deep dive into state-of-the-art techniques for validating code security within an organization’s codebase. The course has a strong emphasis on how AI-driven analysis can drive this forward whilst also clearly highlighting where standard\, deterministic techniques (albeit incorporating AI acceleration) will be more effective.\n\nDuring the course\, you will learn how to combine these techniques\, in a scalable and repeatable way\, based on our experience doing just this with real organizations and real teams and with a focus on the current state of the art in this fast-moving area.\n\nThis course goes beyond the scope of standard application security knowledge and is designed to make you a specialist in this area. 
Having spent several years perfecting this process\, we are excited to impart the lessons we have learnt!\n\nThe course is structured as follows:\n* Overview – setting out the basic details of what we will be talking about in terms of code scanning and SAST.\n* Key techniques – Discuss the different techniques which can be used for this including generic “off the shelf” SAST\, deterministic custom scanning rules\, and LLM powered custom AI prompts\n* Technique comparison – Advantages and disadvantages of each technique based on our in-depth experience with each and which technique you will want to use in different situations\, to avoid wasting time trying to use a technique in an inappropriate use case.\n* Organizational process – How to get these processes built into an organization’s existing software lifecycle\n* Generic SAST – Using “off the shelf” rules effectively to catch “low hanging fruit” and avoid reinventing the wheel.\n* Custom SAST – Introduce custom rule languages (e.g.\, Semgrep\, CodeQL)\, writing rules from scratch\, and scaling analysis across a codebase.\n* Basic AI Code Security Scanning – Overview of AI-based scanning\, platforms\, principles\, and initial single-shot prompts
CATEGORIES:2-DAY TRAINING
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:eb77d74355c0ccac457372ac7d03b2fc
URL:http://owaspglobalappsecusa2026.sched.com/event/eb77d74355c0ccac457372ac7d03b2fc
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261104T170000Z
DTEND:20261105T010000Z
SUMMARY:2-Day Training: Secure Coding That Sticks: From Bad Code to Secure Design
DESCRIPTION:1-Day Training: November 4\, 2026\nLevel: Intermediate\nTrainers: Tanya Janca\n\nTo register\, please purchase your training ticket here. Training and conference are two separate ticket purchases.\n\nMost developers have heard security advice before. The problem is\, it rarely translates into what to actually do when you're writing code.\n\nThis two-day\, hands-on training focuses on building secure coding skills that work in real life. Attendees learn how to recognize insecure patterns\, fix them\, and replace them with practical\, repeatable approaches they can apply immediately. As AI-generated code becomes the norm\, the ability to read code critically\, spot security issues\, and fix them confidently has never mattered more. This training builds this exact skill.\n\nDay One covers secure coding fundamentals across the areas where vulnerabilities happen most often: input and output handling\, data and secrets protection\, authentication and authorization\, infrastructure and application safety\, resilience\, supply chain risks\, logging\, and operational practices. Each topic is taught using a Bad / Better / Best approach\, with real code examples and hands-on exercises so participants can clearly see what insecure code looks like\, how it fails\, and how to fix it properly.\n\nDay Two applies those skills to APIs using the OWASP API Security Top 10. Participants work through each category of vulnerability using practical examples\, learning how issues like broken object-level authorization\, SSRF\, and unsafe API consumption actually show up in code and how to remediate them effectively.\n\nIn the final section\, the training moves into secure design. 
Attendees are introduced to core design principles and guided through a live threat modeling exercise\, where they identify assets\, trust boundaries\, and risks in a realistic system\, then prioritize and propose mitigations.\n\nAttendees leave with 42 actionable secure coding rules\, hands-on experience with the OWASP API Security Top 10\, and a practical threat modeling approach they can use immediately. The goal is not a list of things to memorize. It's a new way of thinking about code and your everyday work.
CATEGORIES:2-DAY TRAINING
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:02869cf21fb989697928ddaad37d221f
URL:http://owaspglobalappsecusa2026.sched.com/event/02869cf21fb989697928ddaad37d221f
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261104T170000Z
DTEND:20261105T010000Z
SUMMARY:3 Day Training: Hacking Android\, iOS and IoT apps by Example - 2026 Edition
DESCRIPTION:3-Day Training: November 2-4\, 2026\nLevel: Intermediate\nTrainer: Abraham Aranguren\n\nTo register\, please purchase your training ticket here. Training and conference are two separate ticket purchases.\n\nModern Android and iOS apps rarely operate alone. They sit at the center of rich ecosystems: phones talking to toys\, drones\, wearables\, vehicles\, trackers\, “smart” homes—and\, in multiple countries\, even government‑mandated and police apps. In these environments\, attackers increasingly target the mobile app as the remote control for the device\, often without ever touching the physical hardware.\n\nThis 3‑day\, 100% hands‑on course is a deep dive into the OWASP Mobile Security Testing Guide (MSTG) and relevant items of the OWASP Mobile Application Security Verification Standard (MASVS). The 2026 Edition fully covers and goes beyond the OWASP Mobile Top Ten\, using real‑world Android\, iOS\, and IoT applications as targets.\n\n7ASecurity is an ISO 27001 and SOC 2–certified cybersecurity consultancy and OWASP Platinum Supporter that focuses on researcher‑led\, heavily manual penetration tests and secure code audits. Lessons learned from these engagements—performed for organizations such as the Linux Foundation\, Mozilla\, the Tor Project\, and others—feed directly into the course material\, labs\, and case studies.\n\nAcross three intensive days you will:\nBreak down Android and iOS apps with static and dynamic analysis.\nDiscover IoT vulnerabilities using only the apps and APIs\, no devices required.\nMaster practical instrumentation using Frida\, Objection\, Xposed\, and related tooling to bypass protections and deeply inspect runtime behavior.\n\nIdeal for penetration testers\, red teamers\, mobile developers\, and anyone serious about mobile/IoT security\, this course is all action\, no fluff. 
It is packed with exercises\, extra‑mile challenges\, and CTFs\, and includes continued education via lifetime access to a training portal with step‑by‑step video recordings\, updated labs\, and unlimited email support\, including all future updates for free.\n\nTeaser Video: https://www.youtube.com/watch?v=Re5oqfVkgd4\nGet a free taste of this training\, including access to video recordings\, slides\, and vulnerable apps to play with:\nhttps://7asecurity.com/free-workshop-mobile-practical\nhttps://7asecurity.com/free-workshop-mobile-deeplinks-xss
CATEGORIES:3-DAY TRAINING
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:d795662d3f9e1dbbcb2e9f23a1911a40
URL:http://owaspglobalappsecusa2026.sched.com/event/d795662d3f9e1dbbcb2e9f23a1911a40
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261104T170000Z
DTEND:20261105T010000Z
SUMMARY:3-Day Training: Adam Shostack's Threat Modeling Intensive With AI
DESCRIPTION:3-Day Training: November 2-4\, 2026\nLevel: Intermediate\nTrainer: Adam Shostack\n\nTo register\, please purchase your training ticket here. Training and conference are two separate ticket purchases.\n\nThis is our popular Threat Modeling Intensive course\, where you'll learn to Threat Model\, and then you'll revisit and learn to complement those skills with a variety of AI systems. You need to know how to threat model to evaluate what the AIs hallucinate\, and today you need AI (at least to get your AI-loving boss to leave you alone) and maybe even to help your organization scale.
CATEGORIES:3-DAY TRAINING
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:aa15e20c01799feaeff05f05c1865ab4
URL:http://owaspglobalappsecusa2026.sched.com/event/aa15e20c01799feaeff05f05c1865ab4
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261104T170000Z
DTEND:20261105T010000Z
SUMMARY:3-Day Training: AppSec and AI Security for Developers with Jim Manico
DESCRIPTION:\n3-Day Training: November 2-4\, 2026\nLevel: Beginner\nTrainer: Jim Manico\n\nTo register\, please purchase your training ticket here. Training and conference are two separate ticket purchases.\n\nDescription: This three-day security course is designed for software engineers and AppSec professionals who want to tailor their learning experience. Throughout the class\, you’ll select the topics that interest you most—ensuring that the content aligns with your individual needs and goals. We’ll honor every participant’s topic requests\, so you can dive deeper into the areas that matter most.\n\nStudents will choose from the following material:\n\nCore Modules\n00-00 Introduction to Application Security (1 hr): Goals and Threats in AppSec\n00-01 Input Validation Basics (1 hr): Allowlist Validation\, Safe Redirects\n00-02 HTTP Security Basics (1.5 hrs): Response/Request Headers\, Verbs\, Secure Transport Basics\n00-03 SOP and CORS (1 hr): Same-Origin Policy\, Cross-Origin Resource Sharing Security\n00-04 SQL and Other Injections (1.5 hrs): Parameterized Queries\, Secure Database Configurations\, Command Injection\n00-05 Cross-Site Request Forgery (1.5 hrs): CSRF Defenses for Various Architectures\n00-06 File Upload and File I/O Security (1 hr): Secure File Upload\, File I/O Security\n00-07 Deserialization Security (0.5 hr): Safe Deserialization Practices\n00-08 Third-Party Library Security Management (1 hr): Ensuring Third-Party Library Security\n00-09 Security Logging and Monitoring (0.5 hr): Security-Focused Logging\n00-10 Application Layer Intrusion Detection (0.5 hr): Detecting App Layer Attacks\n00-11 Threat Modeling Fundamentals (1 hr): Security Design via Threat Modeling\n00-12 Forms and Workflows Security (0.5 hr): Secure Handling of Complex Form Workflows\n\nAPI Security\n01-00 API and REST Security (2 hrs): REST Design\, XML\, XXE\, JSON\, API Access Control\n01-01 Microservice Security (2 hrs): Security Architectures in Microservices\n01-02 JSON Web Tokens (JWT) (1 hr): 
Addressing JWT Security Challenges\n01-03 gRPC Security (1 hr): gRPC Security Architecture\n\nFoundations of AI Security\n02-00 Introduction to AI Security (1 hr): Overview of AI Security Concepts\, Threats\, and Mitigations\n02-01 OWASP Top 10 for Large Language Model (LLM) Applications (4 hrs): Top 10 Practices for Protecting Large Language Model Applications\n\nAI Secure Development Practices\n02-10 AI for Code Creation (1 hr): Exploring the Security Implications of Using AI for Code Generation\n02-11 React Security Prompt Engineering (1 hr): Building Secure React Applications with AI\n\nAI Architecture\n02-20 Threat Modeling for AI Systems (1 hr): Applying Threat Modeling Methodologies Specifically Tailored to AI Architectures and Pipelines\n02-21 Zero Trust Architectures for AI (1 hr): Adapting Zero Trust Principles in Designing and Deploying Secure AI Infrastructure\n02-22 Access Control Design for AI (1 hr): Building Access Control in Vector Database AI Systems\n02-23 AI for UI Development (1 hr): Building Access Control in Vector Database AI Systems\n02-24 AI Model Updates and Patching (1 hr): Best Practices for Securely Updating and Patching Deployed Models\, Especially in Response to Emerging Threats\n02-25 Self Hosted Models (1 hr): Strategies for securely deploying and operating self-hosted LLMs and vector stores\n\nAI Adversarial Techniques\n02-30 Adversarial Machine Learning (1 hr): Understanding and Mitigating Adversarial Attacks on AI Systems\n02-31 Red Teaming AI Systems (1 hr): Conducting Adversarial Testing and Red Teaming for AI Systems to Identify Vulnerabilities and Resilience\n\nAI Supply Chain\n02-40 Integrating AI in Software (1 hr): Security architecture patterns\, risks\, and mitigation strategies for integrating LLMs and AI APIs into real-world applications\n02-41 Hugging Face OSS Model Security (1 hr): Securing the Hugging Face Ecosystem\n02-42 AI Model Drift and Security Monitoring (1 hr): Strategies for Monitoring Models in Production to Detect Security Drift and 
Performance Degradation Over Time\n02-43 AWS Bedrock (1 hr): Securely using AWS Bedrock to access and manage foundation models\n02-44 PySpark Security (1 hr): Securing large-scale data pipelines with PySpark\n\nAI Regulatory and Ethical Frameworks\n02-50 Differential Privacy (1 hr): Principles and Practices for Ensuring Privacy and Ethical AI Usage in Business Environments\n02-51 European Union AI Act (1 hr): Detailed Examination of the EU AI Act and Its Implications for AI Development and Deployment\n\nStandards\n03-00 OWASP Top Ten (1-4 hrs): Top Ten Web Security Risks\n03-01 Introduction to GDPR (1 hr): European Data Privacy Law\n03-02 OWASP ASVS (1 hr): Comprehensive Secure Coding Standard\n03-03 OWASP Top Ten Proactive Controls (1 hr): Web Security Defense Categories\n03-04 PCI Secure SDLC Standard (1 hr): Credit Card SDLC Requirements\n\nUser Interface Security\n04-00 XSS Defense (2 hrs): Client-Side Web Security\n04-01 Content Security Policy (1 hr): Advanced Client-Side Web Security\n04-02 Content Spoofing and HTML Hacking (0.5 hr): HTML...
CATEGORIES:3-DAY TRAINING
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:3a75847aad61018fd7be7f90493b0612
URL:http://owaspglobalappsecusa2026.sched.com/event/3a75847aad61018fd7be7f90493b0612
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261104T170000Z
DTEND:20261105T010000Z
SUMMARY:3-Day Training: Full-Stack Pentesting Laboratory: 100% Hands-On + Lifetime LAB Access
DESCRIPTION:3-Day Training: November 2-4\, 2026\nLevel: Intermediate\nTrainer: Dawid Czagan\n\nTo register\, please purchase your training ticket here. Training and conference are two separate ticket purchases.\n\nModern IT systems are increasingly complex\, making full-stack expertise more essential than ever. That's why diving into full-stack pentesting is crucial—you will gain the skills needed to master modern attack vectors and implement effective defensive countermeasures.\n\nFor each attack\, vulnerability and technique presented in this training\, there is a lab exercise to help you develop your skills step by step. What's more\, when the training is over\, you can take the complete lab environment home to hack again at your own pace.\n\nI found security bugs in many companies including Google\, Yahoo\, Mozilla\, Twitter and in this training I'll share my experience with you.\n\nKey Learning Objectives\nAfter completing this training\, you will have learned about:\n\n- Hacking cloud applications\n- API hacking tips & tricks\n- Data exfiltration techniques\n- OSINT asset discovery tools\n- Tricky user impersonation\n- Bypassing protection mechanisms\n- CLI hacking scripts\n- Interesting XSS attacks\n- Server-side template injection\n- Hacking with Google & GitHub search engines\n- Automated SQL injection detection and exploitation\n- File read & file upload attacks\n- Password cracking in a smart way\n- Hacking Git repos\n- XML attacks\n- NoSQL injection\n- HTTP parameter pollution\n- Web cache deception attack\n- Hacking with wrappers\n- Finding metadata with sensitive information\n- Hijacking NTLM hashes\n- Automated detection of JavaScript libraries with known vulnerabilities\n- Extracting passwords\n- Hacking Electron applications\n- Establishing reverse shell connections\n- RCE attacks\n- XSS polyglot\n- and more …\n\nWhat Students Will Receive\nStudents will be handed a VMware image with a specially prepared lab environment to play with all 
attacks\, vulnerabilities and techniques presented in this training. When the training is over\, students can take the complete lab environment home (after signing a non-disclosure agreement) to hack again at their own pace.\n\nSpecial Bonus\nThe ticket price includes FREE access to my 6 online courses:\n\n- Fuzzing with Burp Suite Intruder\n- Exploiting Race Conditions with OWASP ZAP\n- Case Studies of Award-Winning XSS Attacks: Part 1\n- Case Studies of Award-Winning XSS Attacks: Part 2\n- How Hackers Find SQL Injections in Minutes with Sqlmap\n- Web Application Security Testing with Google Hacking\n\nWhat Students Say About My Trainings\nReferences are attached to my LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/). They can also be found here: https://silesiasecuritylab.com/services/training/#opinions – training participants from companies such as Oracle\, Adobe\, ESET\, ING\, …\n\nWhat Students Should Know\nTo get the most out of this training\, intermediate knowledge of web application security is needed. Students should have experience in using a proxy\, such as Burp Suite Proxy or Zed Attack Proxy (ZAP)\, to analyze or modify the traffic.\n\nWhat Students Should Bring\nStudents will need a laptop with a 64-bit operating system\, at least 8 GB RAM\, 35 GB free hard drive space\, administrative access\, ability to turn off AV/firewall and VMware Player/Fusion installed (64-bit version). Prior to the training\, make sure there are no problems with running x86_64 VMs.\n\nAdditional notes\nThis new 3-day training was sold out at top security conferences e.g. DEF CON 2024 (Las Vegas)\, Hack In Paris (Paris).\n\nThis is a 100% hands-on training: for each attack\, vulnerability and technique presented in this training\, there is a lab exercise to help students develop their skills step by step.
CATEGORIES:3-DAY TRAINING
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:a12ef8b9f0e8a6b9c484791769fbcecb
URL:http://owaspglobalappsecusa2026.sched.com/event/a12ef8b9f0e8a6b9c484791769fbcecb
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261104T170000Z
DTEND:20261105T010000Z
SUMMARY:OWASP SAMM and DSOMM User Day
DESCRIPTION:1-Day Training: November 4\, 2026\nLevel: all\nTrainers: Aram Hovsepyan and Timo Pagel\n\nTo register\, please purchase your training ticket here. Training and conference are two separate ticket purchases.\n\nAdvance Your Application Security Maturity with OWASP SAMM and DSOMM\nJoin us on November 4th\, 2026 in San Francisco\, CA\, as part of Global AppSec USA\, for a full-day event dedicated to real-world insights and practical guidance on application security maturity.\n\nDuring the User Day\, we are bringing together the OWASP SAMM and DSOMM communities to:\n\n- Explore how leading organizations apply SAMM and DSOMM to drive meaningful security improvements\n- Get insights into the latest OWASP SAMM benchmark data\n- Participate in interactive sessions to learn from each other about how to advance application security maturity\n\nWhether you’re new to software maturity models or leading enterprise-scale initiatives\, you’ll leave with actionable strategies and peer-tested practices to level up your secure development lifecycle.
CATEGORIES:PROJECT USER DAY
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:e4fdd6993af2f17cb23f079b5795b0fe
URL:http://owaspglobalappsecusa2026.sched.com/event/e4fdd6993af2f17cb23f079b5795b0fe
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261104T183000Z
DTEND:20261104T190000Z
SUMMARY:AM Break
DESCRIPTION:\n
CATEGORIES:MEALS PROVIDED BY OWASP
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:9dd3758fdefc69aa05560f508f8f11d3
URL:http://owaspglobalappsecusa2026.sched.com/event/9dd3758fdefc69aa05560f508f8f11d3
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261104T203000Z
DTEND:20261104T213000Z
SUMMARY:Lunch
DESCRIPTION:\n
CATEGORIES:MEALS PROVIDED BY OWASP
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:3a2d645107262a6acb5949366f0de9bb
URL:http://owaspglobalappsecusa2026.sched.com/event/3a2d645107262a6acb5949366f0de9bb
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261104T230000Z
DTEND:20261104T233000Z
SUMMARY:PM Break
DESCRIPTION:\n
CATEGORIES:MEALS PROVIDED BY OWASP
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:bf0a45e699806ed8c9b4988e7fb0803e
URL:http://owaspglobalappsecusa2026.sched.com/event/bf0a45e699806ed8c9b4988e7fb0803e
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261105T010000Z
DTEND:20261105T030000Z
SUMMARY:Global Board of Directors Public Board Meeting
DESCRIPTION:\n
CATEGORIES:MEETING
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:0ab0200b2933da590b5438c02eba45fc
URL:http://owaspglobalappsecusa2026.sched.com/event/0ab0200b2933da590b5438c02eba45fc
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261105T153000Z
DTEND:20261105T163000Z
SUMMARY:Women in AppSec Breakfast (Sign up required)
DESCRIPTION:Must already be registered for the conference and sign up for breakfast is required.\n\nCome and enjoy a breakfast committed to making conference friends and friends for life (AKA - professional networking) at the Women in AppSec Breakfast co-hosted by Tanya Janca\, Juliane Reimann\, Kim Wuyts\, and Marisa Fagan.\n\nRSVP now to enjoy great food\, pick up your challenge coin early\, and walk through the expo hall\, if you choose\, to start tackling the expo passport program and win prizes.
CATEGORIES:MEALS PROVIDED BY OWASP
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:af08da2701bb7e3914f63d7b34b524d7
URL:http://owaspglobalappsecusa2026.sched.com/event/af08da2701bb7e3914f63d7b34b524d7
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261105T160000Z
DTEND:20261106T020000Z
SUMMARY:Registration
DESCRIPTION:
CATEGORIES:
LOCATION:Room: Liberty and Independence Ballroom Foyer\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:5f565d2a3635f861879d449c0ebcae6f
URL:http://owaspglobalappsecusa2026.sched.com/event/5f565d2a3635f861879d449c0ebcae6f
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261105T161500Z
DTEND:20261105T170000Z
SUMMARY:Expo Hall
DESCRIPTION:\n
CATEGORIES:EXPO HALL
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:7d6a348485a8c9ce913dc1b2266251d2
URL:http://owaspglobalappsecusa2026.sched.com/event/7d6a348485a8c9ce913dc1b2266251d2
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261105T161500Z
DTEND:20261105T170000Z
SUMMARY:Start Up Sponsors
DESCRIPTION:\n
CATEGORIES:EXPO HALL
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:d8af45b9a28cfba94ebd5c7ae0bbd519
URL:http://owaspglobalappsecusa2026.sched.com/event/d8af45b9a28cfba94ebd5c7ae0bbd519
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261105T161500Z
DTEND:20261105T170000Z
SUMMARY:Breakfast
DESCRIPTION:\n
CATEGORIES:MEALS PROVIDED BY OWASP
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:5cf2f581deae694a7db8d5811e808e2a
URL:http://owaspglobalappsecusa2026.sched.com/event/5cf2f581deae694a7db8d5811e808e2a
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261105T165000Z
DTEND:20261105T170000Z
SUMMARY:Opening Remarks
DESCRIPTION:\n
CATEGORIES:KEYNOTE
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:e8471128a46efb88c656aee165043339
URL:http://owaspglobalappsecusa2026.sched.com/event/e8471128a46efb88c656aee165043339
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261105T180000Z
DTEND:20261105T183000Z
SUMMARY:AM Break
DESCRIPTION:\n
CATEGORIES:MEALS PROVIDED BY OWASP
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:1c1f8f0db5450128e2c832dc2a3878f5
URL:http://owaspglobalappsecusa2026.sched.com/event/1c1f8f0db5450128e2c832dc2a3878f5
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261105T181500Z
DTEND:20261105T201500Z
SUMMARY:CfP/CfTs for the Newcomer: How To Write A Good Submission
DESCRIPTION:Ready to showcase your expertise? Don’t miss the chance to submit for a Call for Trainers or Call for Papers! Join the dynamic Izar Tarandach and Avi Douglen as they take you through the submission process and reveal insider tips on what the review team is looking for when selecting papers. This is your opportunity to shine and make a lasting impact—let’s make it happen!
CATEGORIES:BONUS TRACK
LOCATION:TBA\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:f3eabdf0d5fab51dba5b1859f6fd9f66
URL:http://owaspglobalappsecusa2026.sched.com/event/f3eabdf0d5fab51dba5b1859f6fd9f66
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261105T191500Z
DTEND:20261105T211500Z
SUMMARY:Puppy Petting Room (Sponsored by Impart Security)
DESCRIPTION:Relax\, forget your worries\, and pet puppies! These puppies are fully adoptable too!!
CATEGORIES:
LOCATION:Room: Archives\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:d9c5a88cdb81e7223dd2a7d4aa703ada
URL:http://owaspglobalappsecusa2026.sched.com/event/d9c5a88cdb81e7223dd2a7d4aa703ada
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261105T201500Z
DTEND:20261105T211500Z
SUMMARY:Lunch
DESCRIPTION:
CATEGORIES:MEALS PROVIDED BY OWASP
LOCATION:Room: Liberty Ballroom\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:edf4dc04fa9d4276651fd83b6794624e
URL:http://owaspglobalappsecusa2026.sched.com/event/edf4dc04fa9d4276651fd83b6794624e
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261105T211500Z
DTEND:20261105T230000Z
SUMMARY:Meet the Mentor
DESCRIPTION:One more Global AppSec event.\nYou’re taking training\, you’re running between sessions\, you’re connecting with people over coffee or when talking to a vendor.\n\nWhat if you could use the event to also meet a potential mentor\, or mentee?\nWhat if you could connect face to face with someone who may help take your career to the next level\, or that you can help and make a difference with?\n\nWe are inviting you to an OWASP Lisbon Global AppSec activity\, first of its kind in an OWASP event: Meet The Mentor! A speed-dating activity between potential mentors and mentees where you can come face to face and see if it “clicks”\, start a conversation\, and see if it is a match.
CATEGORIES:BONUS TRACK
LOCATION:Room: Treasury\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:29848fc398c2a1c5871df03991a43514
URL:http://owaspglobalappsecusa2026.sched.com/event/29848fc398c2a1c5871df03991a43514
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261105T221500Z
DTEND:20261106T001500Z
SUMMARY:Puppy Lounge (Sponsored by Impart Security)
DESCRIPTION:Relax\, forget your worries\, and pet puppies! These puppies are fully adoptable too!!
CATEGORIES:
LOCATION:Room: Archives\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:91d8eab47776210ff611f024d684cf67
URL:http://owaspglobalappsecusa2026.sched.com/event/91d8eab47776210ff611f024d684cf67
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261105T230000Z
DTEND:20261105T233000Z
SUMMARY:PM Break
DESCRIPTION:
CATEGORIES:MEALS PROVIDED BY OWASP
LOCATION:Room: Liberty Ballroom\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:71303a665719101081ceb5f0087a2be9
URL:http://owaspglobalappsecusa2026.sched.com/event/71303a665719101081ceb5f0087a2be9
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261105T231500Z
DTEND:20261106T001500Z
SUMMARY:OWASP Leaders Meeting
DESCRIPTION:
CATEGORIES:BONUS TRACK
LOCATION:Room: Treasury\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:69937832b0f55027fcfe9ecc06977bcb
URL:http://owaspglobalappsecusa2026.sched.com/event/69937832b0f55027fcfe9ecc06977bcb
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261106T003000Z
DTEND:20261106T023000Z
SUMMARY:Networking Reception in Expo Hall
DESCRIPTION:
CATEGORIES:MEALS PROVIDED BY OWASP
LOCATION:Room: Liberty Ballroom\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:69e41cfbfa9850d29d2ecfe6c3eff400
URL:http://owaspglobalappsecusa2026.sched.com/event/69e41cfbfa9850d29d2ecfe6c3eff400
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261106T161500Z
DTEND:20261107T010000Z
SUMMARY:Registration
DESCRIPTION:
CATEGORIES:
LOCATION:Room: Liberty and Independence Ballroom Foyer\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:92f5891ef8a70d951fccb1eb6012e549
URL:http://owaspglobalappsecusa2026.sched.com/event/92f5891ef8a70d951fccb1eb6012e549
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261106T161500Z
DTEND:20261106T170000Z
SUMMARY:Expo Hall
DESCRIPTION:
CATEGORIES:EXPO HALL
LOCATION:Room: Liberty Ballroom\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:7485194ec496ba8862c8b52e46e2e6e2
URL:http://owaspglobalappsecusa2026.sched.com/event/7485194ec496ba8862c8b52e46e2e6e2
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261106T161500Z
DTEND:20261106T170000Z
SUMMARY:Start Up Sponsors
DESCRIPTION:
CATEGORIES:EXPO HALL
LOCATION:Room: Liberty and Independence Ballroom Foyer\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:051e376c15c10f434c152fdd15df4521
URL:http://owaspglobalappsecusa2026.sched.com/event/051e376c15c10f434c152fdd15df4521
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261106T161500Z
DTEND:20261106T170000Z
SUMMARY:Breakfast
DESCRIPTION:
CATEGORIES:MEALS PROVIDED BY OWASP
LOCATION:Room: Liberty Ballroom\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:5588082ee8f359a8301a1897d6edc541
URL:http://owaspglobalappsecusa2026.sched.com/event/5588082ee8f359a8301a1897d6edc541
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261106T180000Z
DTEND:20261106T183000Z
SUMMARY:AM Break
DESCRIPTION:
CATEGORIES:MEALS PROVIDED BY OWASP
LOCATION:Room: Liberty Ballroom\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:cd08961ea0a40c90e22016ea173c2aae
URL:http://owaspglobalappsecusa2026.sched.com/event/cd08961ea0a40c90e22016ea173c2aae
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261106T201500Z
DTEND:20261106T211500Z
SUMMARY:Lunch
DESCRIPTION:
CATEGORIES:MEALS PROVIDED BY OWASP
LOCATION:Room: Liberty Ballroom\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:866e9da8275ca8c25c230bfffa016793
URL:http://owaspglobalappsecusa2026.sched.com/event/866e9da8275ca8c25c230bfffa016793
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261106T230000Z
DTEND:20261106T233000Z
SUMMARY:PM Break
DESCRIPTION:
CATEGORIES:MEALS PROVIDED BY OWASP
LOCATION:Room: Liberty Ballroom\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:a34a035775b1ff7383dce3ed7b2d98be
URL:http://owaspglobalappsecusa2026.sched.com/event/a34a035775b1ff7383dce3ed7b2d98be
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260604T055048Z
DTSTART:20261107T003000Z
DTEND:20261107T013000Z
SUMMARY:Closing Ceremony and Raffle
DESCRIPTION:Come wrap up the conference with us\, hear special announcements\, and win prizes!
CATEGORIES:BONUS TRACK
LOCATION:Room: Independence Ballroom A-E\, Hyatt Regency San Francisco\, CA 
SEQUENCE:0
UID:cd577eb02af6404fa04773948eeaf227
URL:http://owaspglobalappsecusa2026.sched.com/event/cd577eb02af6404fa04773948eeaf227
END:VEVENT
END:VCALENDAR
