Monday, November 2
 

9:00am PST

3 Day Training: Hacking Android, iOS and IoT apps by Example - 2026 Edition
Monday November 2, 2026 9:00am - 5:00pm PST
3-Day Training: November 2-4, 2026
Level:Intermediate
Trainer: Abraham Aranguren

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Modern Android and iOS apps rarely operate alone. They sit at the center of rich ecosystems: phones talking to toys, drones, wearables, vehicles, trackers, “smart” homes—and, in multiple countries, even government‑mandated and police apps. In these environments, attackers increasingly target the mobile app as the remote control for the device, often without ever touching the physical hardware.

This 3‑day, 100% hands‑on course is a deep dive into the OWASP Mobile Security Testing Guide (MSTG) and relevant items of the OWASP Mobile Application Security Verification Standard (MASVS). The 2026 Edition fully covers and goes beyond the OWASP Mobile Top Ten, using real‑world Android, iOS, and IoT applications as targets.

7ASecurity is an ISO 27001 and SOC 2–certified cybersecurity consultancy and OWASP Platinum Supporter that focuses on researcher‑led, heavily manual penetration tests and secure code audits. Lessons learned from these engagements—performed for organizations such as the Linux Foundation, Mozilla, the Tor Project, and others—feed directly into the course material, labs, and case studies.

Across three intensive days you will:
- Break down Android and iOS apps with static and dynamic analysis.
- Discover IoT vulnerabilities using only the apps and APIs, no devices required.
- Master practical instrumentation using Frida, Objection, Xposed, and related tooling to bypass protections and deeply inspect runtime behavior.

Ideal for penetration testers, red teamers, mobile developers, and anyone serious about mobile/IoT security, this course is all action, no fluff. It is packed with exercises, extra‑mile challenges, and CTFs, and includes continued education via lifetime access to a training portal with step‑by‑step video recordings, updated labs, and unlimited email support, including all future updates for free.

Teaser Video: https://www.youtube.com/watch?v=Re5oqfVkgd4
Get a free taste of this training, including access to video recordings, slides, and vulnerable apps to play with:
https://7asecurity.com/free-workshop-mobile-practical
https://7asecurity.com/free-workshop-mobile-deeplinks-xss
Speakers

Abraham Aranguren

CEO, Security Trainer, Director of Penetration Testing, 7ASecurity

Abraham Aranguren is the founder and CEO of 7ASecurity (7asecurity.com), an ISO 27001 and SOC 2–certified cybersecurity consultancy and OWASP Platinum Supporter specializing in high‑quality, manual penetration tests and secure code audits. He has more than 24 years of experience...
Monday November 2, 2026 9:00am - 5:00pm PST
TBA

9:00am PST

3-Day Training: Adam Shostack's Threat Modeling Intensive With AI
Monday November 2, 2026 9:00am - 5:00pm PST
3-Day Training: November 2-4, 2026
Level:Intermediate
Trainer: Adam Shostack

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

This is our popular Threat Modeling Intensive course, where you'll learn to threat model, and then you'll revisit those skills and learn to complement them with a variety of AI systems. You need to know how to threat model to evaluate what the AIs hallucinate, and today you need AI (at least to get your AI-loving boss to leave you alone) and maybe even to help your organization scale.
Speakers
Monday November 2, 2026 9:00am - 5:00pm PST
TBA

9:00am PST

3-Day Training: Full-Stack Pentesting Laboratory: 100% Hands-On + Lifetime LAB Access
Monday November 2, 2026 9:00am - 5:00pm PST
3-Day Training: November 2-4, 2026
Level: Intermediate
Trainer: Dawid Czagan

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Modern IT systems are increasingly complex, making full-stack expertise more essential than ever. That's why diving into full-stack pentesting is crucial—you will gain the skills needed to master modern attack vectors and implement effective defensive countermeasures.

For each attack, vulnerability and technique presented in this training, there is a lab exercise to help you develop your skills step by step. What's more, when the training is over, you can take the complete lab environment home to hack again at your own pace.

I found security bugs in many companies, including Google, Yahoo, Mozilla and Twitter, and in this training I'll share my experience with you.

Key Learning Objectives
After completing this training, you will have learned about:

- Hacking cloud applications
- API hacking tips & tricks
- Data exfiltration techniques
- OSINT asset discovery tools
- Tricky user impersonation
- Bypassing protection mechanisms
- CLI hacking scripts
- Interesting XSS attacks
- Server-side template injection
- Hacking with Google & GitHub search engines
- Automated SQL injection detection and exploitation
- File read & file upload attacks
- Password cracking in a smart way
- Hacking Git repos
- XML attacks
- NoSQL injection
- HTTP parameter pollution
- Web cache deception attack
- Hacking with wrappers
- Finding metadata with sensitive information
- Hijacking NTLM hashes
- Automated detection of JavaScript libraries with known vulnerabilities
- Extracting passwords
- Hacking Electron applications
- Establishing reverse shell connections
- RCE attacks
- XSS polyglot
- and more …

What Students Will Receive
Students will be handed a VMware image with a specially prepared lab environment to play with all attacks, vulnerabilities and techniques presented in this training. When the training is over, students can take the complete lab environment home (after signing a non-disclosure agreement) to hack again at their own pace.

Special Bonus
The ticket price includes FREE access to my 6 online courses:

- Fuzzing with Burp Suite Intruder
- Exploiting Race Conditions with OWASP ZAP
- Case Studies of Award-Winning XSS Attacks: Part 1
- Case Studies of Award-Winning XSS Attacks: Part 2
- How Hackers Find SQL Injections in Minutes with Sqlmap
- Web Application Security Testing with Google Hacking

What Students Say About My Trainings
References are attached to my LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/). They can also be found here: https://silesiasecuritylab.com/services/training/#opinions – training participants from companies such as Oracle, Adobe, ESET, ING, …

What Students Should Know
To get the most out of this training, intermediate knowledge of web application security is needed. Students should have experience in using a proxy, such as Burp Suite Proxy or Zed Attack Proxy (ZAP), to analyze or modify traffic.

What Students Should Bring

Students will need a laptop with a 64-bit operating system, at least 8 GB RAM, 35 GB free hard drive space, administrative access, the ability to turn off AV/firewall, and VMware Player/Fusion installed (64-bit version). Prior to the training, make sure there are no problems with running x86_64 VMs.

Additional notes

This new 3-day training was sold out at top security conferences, e.g. DEF CON 2024 (Las Vegas) and Hack In Paris (Paris).

This is a 100% hands-on training: for each attack, vulnerability and technique presented in this training, there is a lab exercise to help students develop their skills step by step.
Speakers

Dawid Czagan

Founder and CEO, Silesia Security Lab
Dawid Czagan is an internationally recognized security researcher and trainer. He is listed among top hackers at HackerOne. Dawid Czagan has found security bugs in Apple, Google, Mozilla, Microsoft and many others.

Due to the severity of many bugs, he received numerous awards for his findings. Dawid Czagan shares his security experience in his hands-on trainings. He delivered trainings at key industry conferences such as DEF CON (Las Vegas), OWASP 2025 Global AppSec EU (Barcelona), Hack In The...
Monday November 2, 2026 9:00am - 5:00pm PST
TBA
 
Tuesday, November 3
 

9:00am PST

2-Day Training: AI SecureOps: Attacking & Defending AI Applications & Agents
Tuesday November 3, 2026 9:00am - 5:00pm PST
2-Day Training: November 3-4, 2026
Level: Intermediate
Trainer: Abhinav Singh

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Can prompt injections lead to complete infrastructure takeovers? Could AI agents, MCP-connected tools, or poisoned external context be abused to compromise backend services? Can data poisoning in AI copilots impact a company’s stock? Can jailbreaks create false crisis alerts in security systems? This immersive, CTF-styled training in GenAI, LLM, agent, and MCP security dives into these pressing questions. Engage in realistic attack-and-defense scenarios focused on real-world threats, from prompt injection and remote code execution to backend compromise, tool abuse, unsafe agent orchestration, trust and authorization failures. Tackle hands-on challenges with live AI applications to understand vulnerabilities and build robust defenses. Learn how to build a comprehensive security pipeline, master AI red and blue team strategies, secure tool-connected and agentic systems, implement resilient guardrails for LLMs, and handle incident response for AI-based threats. You will also explore governance, Responsible AI, and enterprise security patterns for modern AI ecosystems.

By the end of this training, you will be able to:

- Exploit vulnerabilities in AI applications to achieve code and command execution, uncovering scenarios such as instruction injection, agent control bypass, remote code execution for infrastructure takeover, as well as chaining multiple agents for goal hijacking.
- Conduct AI red-teaming using adversary simulation, OWASP LLM Top 10, and MITRE ATLAS frameworks, while applying AI security and ethical principles in real-world scenarios.
- Execute and defend against adversarial attacks, including prompt injection, data poisoning, jailbreaks, agentic attacks, and insecure tool-connected workflows.
- Perform advanced AI red and blue teaming through multi-agent auto-prompting attacks, implementing a 3-way autonomous system consisting of attack, defend, and judge models.
- Build and deploy enterprise-grade LLM defenses, including custom guardrails for input/output protection, security benchmarking, penetration testing of LLM agents, and defensive controls for MCP-enabled integrations.
- Understand MCP fundamentals and assess how they expand the attack surface of modern AI systems.
- Establish a comprehensive LLM SecOps process to secure the supply chain from adversarial attacks and create a robust threat model for enterprise applications, including AI systems connected to external tools and data sources through MCP-like architectures.
- Implement an incident response and risk management plan for enterprises developing or using AI services.
Speakers

Abhinav Singh

Cyber Security Research in AI, Cloud & Data, Wingback Security
Abhinav Singh is a security leader, founder of Wingback Security, and a globally recognized speaker and trainer focused on securing enterprise AI systems. He has been involved with AI fellowship and research communities including MATS, PIBBSS, CSA, AIUC, and the Foresight Institute...
Tuesday November 3, 2026 9:00am - 5:00pm PST
TBA

9:00am PST

2-Day Training: Repeatable, Scalable and Valuable Code Security Scanning
Tuesday November 3, 2026 9:00am - 5:00pm PST
2-Day Training: November 3-4, 2026
Level: Intermediate
Trainer: Josh Grossman

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Suddenly anyone and everyone in your organization can use AI assistants to write code. Meanwhile, your actual developers are putting out 100x their previous output, with “varying” levels of quality. So how are you going to secure code at this scale?

This course is designed to be a deep dive into state-of-the-art techniques for validating code security within an organization’s codebase. The course has a strong emphasis on how AI-driven analysis can drive this forward whilst also clearly highlighting where standard, deterministic techniques (albeit incorporating AI acceleration) will be more effective.

During the course, you will learn how to combine these techniques, in a scalable and repeatable way, based on our experience doing just this with real organizations and real teams and with a focus on the current state of the art in this fast-moving area.

This course goes beyond the scope of standard application security knowledge and is designed to make you a specialist in this area. Having spent several years perfecting this process, we are excited to impart the lessons we have learnt!

The course is structured as follows:

* Overview – setting out the basic details of what we will be talking about in terms of code scanning and SAST.
* Key techniques – discussing the different techniques which can be used for this, including generic “off the shelf” SAST, deterministic custom scanning rules, and LLM-powered custom AI prompts.
* Technique comparison – advantages and disadvantages of each technique based on our in-depth experience with each, and which technique you will want to use in different situations, to avoid wasting time trying to use a technique in an inappropriate use case.
* Organizational process – how to get these processes built into an organization’s existing software lifecycle.
* Generic SAST – using “off the shelf” rules effectively to catch “low hanging fruit” and avoid reinventing the wheel.
* Custom SAST – introducing custom rule languages (e.g., Semgrep, CodeQL), writing rules from scratch, and scaling analysis across a codebase.
* Basic AI Code Security Scanning – overview of AI-based scanning, platforms, principles, and initial single-shot prompts.
Speakers

Josh Grossman

CTO, Bounce Security
Josh Grossman has worked as a consultant in IT and Application Security and Risk for 15 years now, as well as a Software Developer. This has given him an in-depth understanding of how to manage the balance between business needs, developer needs and security needs which goes into...
Tuesday November 3, 2026 9:00am - 5:00pm PST
TBA

9:00am PST

2-Day Training: Secure Coding That Sticks: From Bad Code to Secure Design
Tuesday November 3, 2026 9:00am - 5:00pm PST
1-Day Training: November 4, 2026
Level: Intermediate
Trainer: Tanya Janca

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Most developers have heard security advice before. The problem is, it rarely translates into what to actually do when you're writing code.

This two-day, hands-on training focuses on building secure coding skills that work in real life. Attendees learn how to recognize insecure patterns, fix them, and replace them with practical, repeatable approaches they can apply immediately. As AI-generated code becomes the norm, the ability to read code critically, spot security issues, and fix them confidently has never mattered more. This training builds this exact skill.

Day One covers secure coding fundamentals across the areas where vulnerabilities happen most often: input and output handling, data and secrets protection, authentication and authorization, infrastructure and application safety, resilience, supply chain risks, logging, and operational practices. Each topic is taught using a Bad / Better / Best approach, with real code examples and hands-on exercises so participants can clearly see what insecure code looks like, how it fails, and how to fix it properly.

Day Two applies those skills to APIs using the OWASP API Security Top 10. Participants work through each category of vulnerability using practical examples, learning how issues like broken object-level authorization, SSRF, and unsafe API consumption actually show up in code and how to remediate them effectively.

In the final section, the training moves into secure design. Attendees are introduced to core design principles and guided through a live threat modeling exercise, where they identify assets, trust boundaries, and risks in a realistic system, then prioritize and propose mitigations.

Attendees leave with 42 actionable secure coding rules, hands-on experience with the OWASP API Security Top 10, and a practical threat modeling approach they can use immediately. The goal is not a list of things to memorize. It's a new way of thinking about code and your everyday work.
Speakers

Tanya Janca

Security Trainer and Founder, She Hacks Purple & DevSec Station
Tanya Janca, known online as SheHacksPurple, is the best-selling author of Alice and Bob Learn Secure Coding and Alice and Bob Learn Application Security. She is the founder of DevSec Station, a modern learning platform and community built to help software developers master secure...
Tuesday November 3, 2026 9:00am - 5:00pm PST
TBA

9:00am PST

3 Day Training: Hacking Android, iOS and IoT apps by Example - 2026 Edition
Tuesday November 3, 2026 9:00am - 5:00pm PST
3-Day Training: November 2-4, 2026
Level:Intermediate
Trainer: Abraham Aranguren

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.
Tuesday November 3, 2026 9:00am - 5:00pm PST
TBA

9:00am PST

3-Day Training: Adam Shostack's Threat Modeling Intensive With AI
Tuesday November 3, 2026 9:00am - 5:00pm PST
3-Day Training: November 2-4, 2026
Level:Intermediate
Trainer: Adam Shostack

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Tuesday November 3, 2026 9:00am - 5:00pm PST
TBA

9:00am PST

3-Day Training: Full-Stack Pentesting Laboratory: 100% Hands-On + Lifetime LAB Access
Tuesday November 3, 2026 9:00am - 5:00pm PST
3-Day Training: November 2-4, 2026
Level: Intermediate
Trainer: Dawid Czagan

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.
Tuesday November 3, 2026 9:00am - 5:00pm PST
TBA
 
Wednesday, November 4
 

9:00am PST

1-Day Training: Building Continuous SaaS Integration Security: Signals, Least Privilege, and Evidence Automation
Wednesday November 4, 2026 9:00am - 5:00pm PST
1-Day Training: November 4, 2026
Level: Intermediate
Trainer: Pranav Saji

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

SaaS integrations are now a primary path for privilege creep, token sprawl, and silent exposure across an organization. In this hands-on training, participants learn how to assess and continuously monitor SaaS integrations using practical security signals such as over-scoped OAuth grants, non-expiring API tokens, dormant but valid credentials, admin privilege duration, environment token reuse, and public sharing risk.

We will turn these signals into an actionable review rubric and then into automation: how to pull audit-ready evidence from common SaaS APIs, normalize it into a consistent model, and generate security findings that are explainable to engineering and compliance teams. Participants will leave with a reusable signal checklist, a prioritization approach, and reference architectures to operationalize continuous monitoring without breaking least-privilege principles.
Speakers

Pranav Saji

Head of AI, Symosis Security
Pranav Saji is the Head of AI at Symosis Security, where he leads AI-driven security and compliance initiatives focused on building production-ready automation for SaaS integration risk signals and continuous evidence collection. His work helps security teams move from manual, periodic...
Wednesday November 4, 2026 9:00am - 5:00pm PST

9:00am PST

1-Day Training: How to build a Successful Security Champions Program
Wednesday November 4, 2026 9:00am - 5:00pm PST
1-Day Training: November 4, 2026
Level: Intermediate
Trainers: Juliane Reimann and Marisa Fagan

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Do you feel a disconnect between your cybersecurity efforts and engineering activities? If so, a Security Champions Program could bridge the gap. By involving engineers in security topics that align with their work, a Security Champions program not only enhances security awareness but also fosters a culture of security across your organization. However, creating such a program requires careful planning, innovative strategies, and a solid understanding of what drives individuals to champion security initiatives.

This training will equip you with practical tools and actionable insights to design and launch a successful Security Champions Program. You'll explore key concepts, including how to:
- Develop a foundational understanding of what a Security Champions Program is.
- Plan and navigate the phases of program development, from launch to long-term growth.
- Learn about strategies to engage and motivate diverse personality types within the organization.
- Acquire practical tools and a structured approach to establish a scalable and trackable Security Champions Program.

Whether you're a security engineer, architect, or manager, this training will provide you with the tools and frameworks to collaborate effectively with your engineering teams and establish a thriving Security Champions Program.

The session is highly interactive, featuring hands-on exercises and team-based activities to encourage collaboration and networking with fellow professionals. Join us to gain the confidence and strategies you need to kickstart your journey toward a more secure organization.
Speakers

Marisa Fagan

Head of Product, Katilyst

Juliane Reimann

Founder and Security Community Expert, Full Circle Security
Juliane Reimann has worked as a cyber security consultant for large companies since 2019, with a focus on DevSecOps and Community Building. Her expertise includes building security communities of software developers and establishing developer-centric communication about secure software development...
Wednesday November 4, 2026 9:00am - 5:00pm PST
TBA

9:00am PST

1-Day Training: OWASP AI Testing Guide (AITG): Enabling Trustworthy AI Through Structured Validation
Wednesday November 4, 2026 9:00am - 5:00pm PST
1-Day Training: November 4, 2026
Level: Intermediate
Trainers: Marco Morana and Matteo Meucci

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

The OWASP AI Testing Guide (AITG) provides a structured, comprehensive framework for validating Trustworthy AI systems across their entire lifecycle. Designed to support QA teams, security engineers, developers, auditors, and governance stakeholders, AITG establishes practical testing methodologies to assess AI security, privacy, and responsible AI behaviors.

The framework defines Trustworthy AI as the integration of:
1) Security AI (SecAI): Testing resilience against adversarial attacks such as prompt injection, model poisoning, evasion, and extraction.
2) Privacy AI (PrivacyAI): Validating protection against sensitive data leakage, membership inference, and model inversion risks.
3) Responsible AI (RespAI): Assessing fairness, safety, harmful output prevention, hallucination risks, explainability, and alignment with ethical policies.

AITG organizes testing coverage across four core AI product domains:
1. Application & Agent Testing
2. Model Testing
3. Infrastructure Testing
4. Data Testing

This structured approach ensures that AI systems are evaluated holistically, not just at the model layer, but across agents, RAG pipelines, APIs, infrastructure components, and data flows.

The AITG Comprehensive AI Testing Suite maps AI-specific threats to recognized standards such as OWASP Top 10 for LLMs and the OWASP AI Exchange, providing actionable, test-driven validation methods rather than abstract principles.

By combining adversarial testing, privacy validation, and responsible AI assessments, supported by governance, transparency, and monitoring, AITG enables organizations to transition from experimental AI deployments to validated, production-ready, and defensible AI systems.
Speakers

Matteo Meucci

Founder and CEO, Synapsed.ai
Matteo Meucci is the founder and CEO of Synapsed.ai, bringing over 23 years of experience in application security (AppSec) and AI systems development. Matteo has played a pivotal role in shaping the global security community, particularly through his work with OWASP, where he founded...

Marco Morana

Founder, Threat Modeling Academy | Field CISO | Author & Instructor, Avocado Systems Inc

Marco Morana is the Founder of Threat Modeling Academy, a global training initiative dedicated to advancing threat modeling and secure-by-design engineering for AI, cloud, blockchain, and FinTech systems. He also serves as Field CISO at Avocado Systems Inc., where he advises enterprises... Read More →
Wednesday November 4, 2026 9:00am - 5:00pm PST
TBA

9:00am PST

1-Day Training: Shall we play a Game? LLM Security in Practice
Wednesday November 4, 2026 9:00am - 5:00pm PST
1-Day Training: November 4, 2026
Level: Intermediate
Trainer: Joseph Katsioloudes

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Artificial Intelligence (AI) is no longer a futuristic concept. It's embedded in the systems we use daily. At the core of these innovations are Large Language Models (LLMs) and Autonomous AI Agents. These innovations have unlocked new capabilities but have also introduced novel security challenges due to their non-deterministic behavior and autonomous outputs, causing issues like data leakage and unintended model behavior from attacks such as prompt injection and rogue agents.

This training equips participants with the skills they need to build secure agentic and LLM-based applications through interactive, challenge-based exercises that gamify core security concepts. Prepare to level up your understanding of LLM security in a practical and fun way!
Speakers

Joseph Katsioloudes

GitHub Security Lab, Leading Cyber Security Specialist
Joseph is a leading voice in cybersecurity and AI, developing software and content that shape how developers build securely. His open source game gh.io/scg has helped 10K+ developers gain future-proof security skills. His videos, with 2.8M+ views, simplify complex security topics... Read More →
Wednesday November 4, 2026 9:00am - 5:00pm PST
TBA

9:00am PST

2-Day Training: AI SecureOps: Attacking & Defending AI Applications & Agents
Wednesday November 4, 2026 9:00am - 5:00pm PST
2-Day Training: November 3-4, 2026
Level: Intermediate
Trainer: Abhinav Singh

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Can prompt injections lead to complete infrastructure takeovers? Could AI agents, MCP-connected tools, or poisoned external context be abused to compromise backend services? Can data poisoning in AI copilots impact a company’s stock? Can jailbreaks create false crisis alerts in security systems? This immersive, CTF-styled training in GenAI, LLM, agent, and MCP security dives into these pressing questions.

Engage in realistic attack-and-defense scenarios focused on real-world threats, from prompt injection and remote code execution to backend compromise, tool abuse, unsafe agent orchestration, and trust and authorization failures. Tackle hands-on challenges with live AI applications to understand vulnerabilities and build robust defenses.

Learn how to build a comprehensive security pipeline, master AI red and blue team strategies, secure tool-connected and agentic systems, implement resilient guardrails for LLMs, and handle incident response for AI-based threats. You will also explore governance, Responsible AI, and enterprise security patterns for modern AI ecosystems.

By the end of this training, you will be able to:

- Exploit vulnerabilities in AI applications to achieve code and command execution, uncovering scenarios such as instruction injection, agent control bypass, remote code execution for infrastructure takeover, as well as chaining multiple agents for goal hijacking.
- Conduct AI red-teaming using adversary simulation, OWASP LLM Top 10, and MITRE ATLAS frameworks, while applying AI security and ethical principles in real-world scenarios.
- Execute and defend against adversarial attacks, including prompt injection, data poisoning, jailbreaks, agentic attacks, and insecure tool-connected workflows.
- Perform advanced AI red and blue teaming through multi-agent auto-prompting attacks, implementing a 3-way autonomous system consisting of attack, defend, and judge models.
- Build and deploy enterprise-grade LLM defenses, including custom guardrails for input/output protection, security benchmarking, penetration testing of LLM agents, and defensive controls for MCP-enabled integrations.
- Understand MCP fundamentals and assess how they expand the attack surface of modern AI systems.
- Establish a comprehensive LLM SecOps process to secure the supply chain from adversarial attacks and create a robust threat model for enterprise applications, including AI systems connected to external tools and data sources through MCP-like architectures.
- Implement an incident response and risk management plan for enterprises developing or using AI services.
Speakers

Abhinav Singh

Cyber Security Research in AI, Cloud & Data, Wingback Security
Abhinav Singh is a security leader, founder of Wingback Security, and a globally recognized speaker and trainer focused on securing enterprise AI systems. He has been involved with AI fellowship and research communities including MATS, PIBBSS, CSA, AIUC, and the Foresight Institute... Read More →
Wednesday November 4, 2026 9:00am - 5:00pm PST
TBA

9:00am PST

2-Day Training: Repeatable, Scalable and Valuable Code Security Scanning
Wednesday November 4, 2026 9:00am - 5:00pm PST
2-Day Training: November 3-4, 2026
Level: Intermediate
Trainer: Josh Grossman

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Suddenly anyone and everyone in your organization can use AI assistants to write code. Meanwhile, your actual developers are putting out 100x their previous output, with “varying” levels of quality. So how are you going to secure code at this scale?

This course is designed to be a deep dive into state-of-the-art techniques for validating code security within an organization’s codebase. The course has a strong emphasis on how AI-driven analysis can drive this forward whilst also clearly highlighting where standard, deterministic techniques (albeit incorporating AI acceleration) will be more effective.

During the course, you will learn how to combine these techniques, in a scalable and repeatable way, based on our experience doing just this with real organizations and real teams and with a focus on the current state of the art in this fast-moving area.

This course goes beyond the scope of standard application security knowledge and is designed to make you a specialist in this area. Having spent several years perfecting this process, we are excited to impart the lessons we have learnt!

The course is structured as follows:

* Overview – setting out the basic details of what we will be talking about in terms of code scanning and SAST.
* Key techniques – Discuss the different techniques which can be used for this, including generic “off the shelf” SAST, deterministic custom scanning rules, and LLM-powered custom AI prompts.
* Technique comparison – Advantages and disadvantages of each technique based on our in-depth experience with each, and which technique you will want to use in different situations, to avoid wasting time trying to use a technique in an inappropriate use case.
* Organizational process – How to get these processes built into an organization’s existing software lifecycle.
* Generic SAST – Using “off the shelf” rules effectively to catch “low hanging fruit” and avoid reinventing the wheel.
* Custom SAST – Introduce custom rule languages (e.g., Semgrep, CodeQL), writing rules from scratch, and scaling analysis across a codebase.
* Basic AI Code Security Scanning – Overview of AI-based scanning, platforms, principles, and initial single-shot prompts.
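To make the “deterministic custom scanning rule” idea in the outline above concrete, here is an added illustration that is not part of the course material and not how the course's tooling (Semgrep, CodeQL) is implemented: two hand-written rules over Python's own `ast` module, run against a constructed sample file. The point it demonstrates is why a structural rule beats a text grep: it distinguishes `subprocess.run(f"ls {path}", shell=True)` (dynamically built command, reportable) from `subprocess.run("uname -a", shell=True)` (literal command, not injectable), which a grep for `shell=True` cannot. Rule ids and the sample source are invented for the example.

```python
"""Deterministic custom code-scanning rules on Python's AST.

Added example only: the rule logic is hand-written here, the rule ids are
hypothetical, and SAMPLE is a constructed source file, not a real project.
"""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    message: str


def _call_name(node: ast.Call) -> str:
    """Dotted name of the callee, e.g. 'subprocess.run', or '' if unnamed."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return ""


def _is_dynamic(node: ast.AST) -> bool:
    """True unless the expression is a plain string literal. An f-string,
    concatenation or variable means attacker-influenced data may flow in."""
    return not (isinstance(node, ast.Constant) and isinstance(node.value, str))


def rule_shell_true(tree: ast.AST) -> list[Finding]:
    """subprocess.* called with shell=True and a non-literal command."""
    out = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or not _call_name(node).startswith("subprocess."):
            continue
        shell = any(
            k.arg == "shell" and isinstance(k.value, ast.Constant) and k.value.value is True
            for k in node.keywords
        )
        if shell and node.args and _is_dynamic(node.args[0]):
            out.append(Finding("py.subprocess.shell-injection", node.lineno,
                               "shell=True with a dynamically built command"))
    return out


def rule_dangerous_eval(tree: ast.AST) -> list[Finding]:
    """eval()/exec() whose first argument is not a string literal."""
    out = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and _call_name(node) in {"eval", "exec"}
                and node.args and _is_dynamic(node.args[0])):
            out.append(Finding("py.eval.dynamic-input", node.lineno,
                               f"{_call_name(node)}() on a non-literal argument"))
    return out


RULES = (rule_shell_true, rule_dangerous_eval)


def scan(source: str) -> list[Finding]:
    """Parse once, run every rule, return findings ordered by line."""
    tree = ast.parse(source)
    return sorted((f for rule in RULES for f in rule(tree)), key=lambda f: f.line)


# Constructed sample: lines 3 and 7 are true positives; lines 5 and 9 would
# be flagged by a naive grep for 'shell=True' / 'eval(' but are literals.
SAMPLE = '''\
import subprocess
def list_dir(path):
    return subprocess.run(f"ls {path}", shell=True)
def version():
    return subprocess.run("uname -a", shell=True)
def calc(expr):
    return eval(expr)
def fixed():
    return eval("1 + 1")
'''

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line}: {f.rule}: {f.message}")
```

Scaling this to a codebase is a matter of walking the tree of `.py` files and calling `scan()` on each; the expensive part in practice is not the engine but writing and tuning rules whose false-positive rate a team will tolerate, which is exactly where the technique-comparison and process items in the outline come in.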
Speakers

Josh Grossman

CTO, Bounce Security
Josh Grossman has worked as a consultant in IT and Application Security and Risk for 15 years now, as well as a Software Developer. This has given him an in-depth understanding of how to manage the balance between business needs, developer needs and security needs which goes into... Read More →
Wednesday November 4, 2026 9:00am - 5:00pm PST
TBA

9:00am PST

2-Day Training: Secure Coding That Sticks: From Bad Code to Secure Design
Wednesday November 4, 2026 9:00am - 5:00pm PST
2-Day Training: November 3-4, 2026
Level: Intermediate
Trainer: Tanya Janca

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Most developers have heard security advice before. The problem is, it rarely translates into what to actually do when you're writing code.

This two-day, hands-on training focuses on building secure coding skills that work in real life. Attendees learn how to recognize insecure patterns, fix them, and replace them with practical, repeatable approaches they can apply immediately. As AI-generated code becomes the norm, the ability to read code critically, spot security issues, and fix them confidently has never mattered more. This training builds exactly that skill.

Day One covers secure coding fundamentals across the areas where vulnerabilities happen most often: input and output handling, data and secrets protection, authentication and authorization, infrastructure and application safety, resilience, supply chain risks, logging, and operational practices. Each topic is taught using a Bad / Better / Best approach, with real code examples and hands-on exercises so participants can clearly see what insecure code looks like, how it fails, and how to fix it properly.

Day Two applies those skills to APIs using the OWASP API Security Top 10. Participants work through each category of vulnerability using practical examples, learning how issues like broken object-level authorization, SSRF, and unsafe API consumption actually show up in code and how to remediate them effectively.

In the final section, the training moves into secure design. Attendees are introduced to core design principles and guided through a live threat modeling exercise, where they identify assets, trust boundaries, and risks in a realistic system, then prioritize and propose mitigations.

Attendees leave with 42 actionable secure coding rules, hands-on experience with the OWASP API Security Top 10, and a practical threat modeling approach they can use immediately. The goal is not a list of things to memorize. It's a new way of thinking about code and your everyday work.
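As an added illustration of the Bad / Better / Best pattern the description refers to, applied to the first entry of the OWASP API Security Top 10 (broken object-level authorization), here is a minimal in-memory “API” that is not course material and not the trainer's code. Users, invoices and the three handler variants are invented for the example. The progression it shows: the bad handler trusts the id from the request; the better handler adds an ownership check after the lookup, which fixes the read but still lets a caller enumerate which ids exist (404 versus 403) and relies on every handler remembering the check; the best version scopes the query itself to what the caller may see, so out-of-scope objects are indistinguishable from non-existent ones.

```python
"""Bad / Better / Best for broken object-level authorization (BOLA).

Added example only: users, invoices and handler names are hypothetical,
and INVOICES is constructed sample data standing in for a database.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "customer" or "admin"


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    amount: int


# Constructed data: two customers, each owning one invoice.
INVOICES = {
    1001: Invoice(1001, owner_id=1, amount=250),
    1002: Invoice(1002, owner_id=2, amount=900),
}


class NotFound(Exception):
    """Maps to HTTP 404."""


class Forbidden(Exception):
    """Maps to HTTP 403."""


def get_invoice_bad(user: User, invoice_id: int) -> Invoice:
    """BAD: the id comes straight from the request path and is used as-is.
    Any authenticated user reads any invoice by changing the number."""
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound from None


def get_invoice_better(user: User, invoice_id: int) -> Invoice:
    """BETTER: an ownership check after the lookup closes the read, but
    404-vs-403 still reveals which ids exist, and every handler has to
    remember to add the same check."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound
    if inv.owner_id != user.id and user.role != "admin":
        raise Forbidden
    return inv


def _visible_invoices(user: User) -> dict[int, Invoice]:
    """BEST, part 1: scope the query to the caller (in SQL this is the
    WHERE owner_id = :user_id clause). A handler cannot forget a check it
    never has to write."""
    if user.role == "admin":
        return dict(INVOICES)
    return {k: v for k, v in INVOICES.items() if v.owner_id == user.id}


def get_invoice_best(user: User, invoice_id: int) -> Invoice:
    """BEST, part 2: anything outside the caller's scope looks exactly like
    something that does not exist, so ids cannot be enumerated."""
    inv = _visible_invoices(user).get(invoice_id)
    if inv is None:
        raise NotFound
    return inv


if __name__ == "__main__":
    alice = User(1, "customer")
    print("bad:   alice reads bob's invoice ->", get_invoice_bad(alice, 1002).amount)
    for handler in (get_invoice_better, get_invoice_best):
        try:
            handler(alice, 1002)
        except (NotFound, Forbidden) as exc:
            print(f"{handler.__name__}: alice reading 1002 -> {type(exc).__name__}")
```

The same shape carries over to update and delete handlers: once the data-access layer only ever returns rows the caller may see, the remaining API Top 10 concerns for the endpoint (rate limiting, mass assignment on the write path) can be addressed independently of authorization.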
Speakers

Tanya Janca

Security Trainer and Founder, She Hacks Purple & DevSec Station
Tanya Janca, known online as SheHacksPurple, is the best-selling author of Alice and Bob Learn Secure Coding and Alice and Bob Learn Application Security. She is the founder of DevSec Station, a modern learning platform and community built to help software developers master secure... Read More →
Wednesday November 4, 2026 9:00am - 5:00pm PST
TBA

9:00am PST

3 Day Training: Hacking Android, iOS and IoT apps by Example - 2026 Edition
Wednesday November 4, 2026 9:00am - 5:00pm PST
3-Day Training: November 2-4, 2026
Level: Intermediate
Trainer: Abraham Aranguren

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Modern Android and iOS apps rarely operate alone. They sit at the center of rich ecosystems: phones talking to toys, drones, wearables, vehicles, trackers, “smart” homes—and, in multiple countries, even government‑mandated and police apps. In these environments, attackers increasingly target the mobile app as the remote control for the device, often without ever touching the physical hardware.

This 3‑day, 100% hands‑on course is a deep dive into the OWASP Mobile Security Testing Guide (MSTG) and relevant items of the OWASP Mobile Application Security Verification Standard (MASVS). The 2026 Edition fully covers and goes beyond the OWASP Mobile Top Ten, using real‑world Android, iOS, and IoT applications as targets.

7ASecurity is an ISO 27001 and SOC 2–certified cybersecurity consultancy and OWASP Platinum Supporter that focuses on researcher‑led, heavily manual penetration tests and secure code audits. Lessons learned from these engagements—performed for organizations such as the Linux Foundation, Mozilla, the Tor Project, and others—feed directly into the course material, labs, and case studies.

Across three intensive days you will:
Break down Android and iOS apps with static and dynamic analysis.
Discover IoT vulnerabilities using only the apps and APIs, no devices required.
Master practical instrumentation using Frida, Objection, Xposed, and related tooling to bypass protections and deeply inspect runtime behavior.

Ideal for penetration testers, red teamers, mobile developers, and anyone serious about mobile/IoT security, this course is all action, no fluff. It is packed with exercises, extra‑mile challenges, and CTFs, and includes continued education via lifetime access to a training portal with step‑by‑step video recordings, updated labs, and unlimited email support, including all future updates for free.

Teaser Video: https://www.youtube.com/watch?v=Re5oqfVkgd4
Get a free taste of this training, including access to video recordings, slides, and vulnerable apps to play with:
https://7asecurity.com/free-workshop-mobile-practical
https://7asecurity.com/free-workshop-mobile-deeplinks-xss
Speakers

Abraham Aranguren

CEO, Security Trainer, Director of Penetration Testing, 7ASecurity

Abraham Aranguren is the founder and CEO of 7ASecurity (7asecurity.com), an ISO 27001 and SOC 2–certified cybersecurity consultancy and OWASP Platinum Supporter specializing in high‑quality, manual penetration tests and secure code audits. He has more than 24 years of experience... Read More →
Wednesday November 4, 2026 9:00am - 5:00pm PST
TBA

9:00am PST

3-Day Training: Adam Shostack's Threat Modeling Intensive With AI
Wednesday November 4, 2026 9:00am - 5:00pm PST
3-Day Training: November 2-4, 2026
Level: Intermediate
Trainer: Adam Shostack

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

This is our popular Threat Modeling Intensive course, where you'll learn to threat model, then revisit those skills and learn to complement them with a variety of AI systems. You need to know how to threat model to evaluate what the AIs hallucinate, and today you need AI (at least to get your AI-loving boss to leave you alone) and maybe even to help your organization scale.
Speakers
Wednesday November 4, 2026 9:00am - 5:00pm PST
TBA

9:00am PST

3-Day Training: Full-Stack Pentesting Laboratory: 100% Hands-On + Lifetime LAB Access
Wednesday November 4, 2026 9:00am - 5:00pm PST
3-Day Training: November 2-4, 2026
Level: Intermediate
Trainer: Dawid Czagan

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Modern IT systems are increasingly complex, making full-stack expertise more essential than ever. That's why diving into full-stack pentesting is crucial—you will gain the skills needed to master modern attack vectors and implement effective defensive countermeasures.

For each attack, vulnerability and technique presented in this training, there is a lab exercise to help you develop your skills step by step. What's more, when the training is over, you can take the complete lab environment home to hack again at your own pace.

I found security bugs in many companies including Google, Yahoo, Mozilla, Twitter and in this training I'll share my experience with you.

Key Learning Objectives
After completing this training, you will have learned about:

- Hacking cloud applications
- API hacking tips & tricks
- Data exfiltration techniques
- OSINT asset discovery tools
- Tricky user impersonation
- Bypassing protection mechanisms
- CLI hacking scripts
- Interesting XSS attacks
- Server-side template injection
- Hacking with Google & GitHub search engines
- Automated SQL injection detection and exploitation
- File read & file upload attacks
- Password cracking in a smart way
- Hacking Git repos
- XML attacks
- NoSQL injection
- HTTP parameter pollution
- Web cache deception attack
- Hacking with wrappers
- Finding metadata with sensitive information
- Hijacking NTLM hashes
- Automated detection of JavaScript libraries with known vulnerabilities
- Extracting passwords
- Hacking Electron applications
- Establishing reverse shell connections
- RCE attacks
- XSS polyglot
- and more …

What Students Will Receive
Students will be handed a VMware image with a specially prepared lab environment to play with all attacks, vulnerabilities and techniques presented in this training. When the training is over, students can take the complete lab environment home (after signing a non-disclosure agreement) to hack again at their own pace.

Special Bonus
The ticket price includes FREE access to my 6 online courses:

- Fuzzing with Burp Suite Intruder
- Exploiting Race Conditions with OWASP ZAP
- Case Studies of Award-Winning XSS Attacks: Part 1
- Case Studies of Award-Winning XSS Attacks: Part 2
- How Hackers Find SQL Injections in Minutes with Sqlmap
- Web Application Security Testing with Google Hacking

What Students Say About My Trainings
References are attached to my LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/). They can also be found here: https://silesiasecuritylab.com/services/training/#opinions – training participants from companies such as Oracle, Adobe, ESET, ING, …

What Students Should Know
To get the most out of this training, intermediate knowledge of web application security is needed. Students should have experience in using a proxy, such as Burp Suite Proxy or Zed Attack Proxy (ZAP), to analyze or modify traffic.

What Students Should Bring

Students will need a laptop with 64-bit operating system, at least 8 GB RAM, 35 GB free hard drive space, administrative access, ability to turn off AV/firewall and VMware Player/Fusion installed (64-bit version). Prior to the training, make sure there are no problems with running x86_64 VMs.

Additional notes

This new 3-day training was sold out at top security conferences e.g. DEF CON 2024 (Las Vegas), Hack In Paris (Paris).

This is a 100% hands-on training: for each attack, vulnerability and technique presented in this training, there is a lab exercise to help students develop their skills step by step.
Speakers

Dawid Czagan

Founder and CEO, Silesia Security Lab
Dawid Czagan is an internationally recognized security researcher and trainer. He is listed among top hackers at HackerOne. Dawid Czagan has found security bugs in Apple, Google, Mozilla, Microsoft and many others.

Due to the severity of many bugs, he received numerous awards for his findings. Dawid Czagan shares his security experience in his hands-on trainings. He delivered trainings at key industry conferences such as DEF CON (Las Vegas), OWASP 2025 Global AppSec EU (Barcelona), Hack In The... Read More →
Wednesday November 4, 2026 9:00am - 5:00pm PST
TBA
 