Venue: TBA
Monday, November 2
 

8:15am PST

Breakfast
Monday November 2, 2026 8:15am - 9:00am PST
Venue: TBA

9:00am PST

3-Day Training: Hacking Android, iOS and IoT apps by Example - 2026 Edition
Monday November 2, 2026 9:00am - 5:00pm PST
3-Day Training: November 2-4, 2026
Level: Intermediate
Trainer: Abraham Aranguren

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Modern Android and iOS apps rarely operate alone. They sit at the center of rich ecosystems: phones talking to toys, drones, wearables, vehicles, trackers, “smart” homes—and, in multiple countries, even government‑mandated and police apps. In these environments, attackers increasingly target the mobile app as the remote control for the device, often without ever touching the physical hardware.

This 3‑day, 100% hands‑on course is a deep dive into the OWASP Mobile Application Security Testing Guide (MASTG, formerly the MSTG) and relevant items of the OWASP Mobile Application Security Verification Standard (MASVS). The 2026 Edition fully covers and goes beyond the OWASP Mobile Top Ten, using real‑world Android, iOS, and IoT applications as targets.

7ASecurity is an ISO 27001 and SOC 2–certified cybersecurity consultancy and OWASP Platinum Supporter that focuses on researcher‑led, heavily manual penetration tests and secure code audits. Lessons learned from these engagements—performed for organizations such as the Linux Foundation, Mozilla, the Tor Project, and others—feed directly into the course material, labs, and case studies.

Across three intensive days you will:
• Break down Android and iOS apps with static and dynamic analysis.
• Discover IoT vulnerabilities using only the apps and APIs, no devices required.
• Master practical instrumentation using Frida, Objection, Xposed, and related tooling to bypass protections and deeply inspect runtime behavior.

Ideal for penetration testers, red teamers, mobile developers, and anyone serious about mobile/IoT security, this course is all action, no fluff. It is packed with exercises, extra‑mile challenges, and CTFs, and includes continued education via lifetime access to a training portal with step‑by‑step video recordings, updated labs, and unlimited email support, including all future updates for free.

Teaser Video: https://www.youtube.com/watch?v=Re5oqfVkgd4
Get a free taste of this training, including access to video recordings, slides, and vulnerable apps to play with:
https://7asecurity.com/free-workshop-mobile-practical
https://7asecurity.com/free-workshop-mobile-deeplinks-xss
Speakers

Abraham Aranguren

CEO, Security Trainer, Director of Penetration Testing, 7ASecurity

Abraham Aranguren is the founder and CEO of 7ASecurity (7asecurity.com), an ISO 27001 and SOC 2–certified cybersecurity consultancy and OWASP Platinum Supporter specializing in high‑quality, manual penetration tests and secure code audits. He has more than 24 years of experience...
Venue: TBA

9:00am PST

3-Day Training: Adam Shostack's Threat Modeling Intensive With AI
Monday November 2, 2026 9:00am - 5:00pm PST
3-Day Training: November 2-4, 2026
Level: Intermediate
Trainer: Adam Shostack

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

This is our popular Threat Modeling Intensive course, where you'll learn to threat model, and then you'll revisit and learn to complement those skills with a variety of AI systems. You need to know how to threat model to evaluate what the AIs hallucinate, and today you need AI (at least to get your AI-loving boss to leave you alone) and maybe even to help your organization scale.
Venue: TBA

9:00am PST

3-Day Training: AppSec and AI Security for Developers with Jim Manico
Monday November 2, 2026 9:00am - 5:00pm PST

3-Day Training: November 2-4, 2026
Level: Beginner
Trainer: Jim Manico

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Description: This three-day security course is designed for software engineers and AppSec professionals who want to tailor their learning experience. Throughout the class, you’ll select the topics that interest you most—ensuring that the content aligns with your individual needs and goals. We’ll honor every participant’s topic requests, so you can dive deeper into the areas that matter most.

Students will choose from the following material:

Core Modules
  • 00-00 Introduction to Application Security (1 hr): Goals and Threats in AppSec
  • 00-01 Input Validation Basics (1 hr): Allowlist Validation, Safe Redirects
  • 00-02 HTTP Security Basics (1.5 hrs): Response/Request Headers, Verbs, Secure Transport Basics
  • 00-03 SOP and CORS (1 hr): Same-Origin Policy, Cross-Origin Resource Sharing Security
  • 00-04 SQL and Other Injections (1.5 hrs): Parameterized Queries, Secure Database Configurations, Command Injection
  • 00-05 Cross-Site Request Forgery (1.5 hrs): CSRF Defenses for Various Architectures
  • 00-06 File Upload and File I/O Security (1 hr): Secure File Upload, File I/O Security
  • 00-07 Deserialization Security (0.5 hr): Safe Deserialization Practices
  • 00-08 Third-Party Library Security Management (1 hr): Ensuring Third-Party Library Security
  • 00-09 Security Logging and Monitoring (0.5 hr): Security-Focused Logging
  • 00-10 Application Layer Intrusion Detection (0.5 hr): Detecting App Layer Attacks
  • 00-11 Threat Modeling Fundamentals (1 hr): Security Design via Threat Modeling
  • 00-12 Forms and Workflows Security (0.5 hr): Secure Handling of Complex Form Workflows

API Security
  • 01-00 API and REST Security (2 hrs): REST Design, XML, XXE, JSON, API Access Control
  • 01-01 Microservice Security (2 hrs): Security Architectures in Microservices
  • 01-02 JSON Web Tokens (JWT) (1 hr): Addressing JWT Security Challenges
  • 01-03 gRPC Security (1 hr): gRPC Security Architecture

Foundations of AI Security
  • 02-00 Introduction to AI Security (1 hr): Overview of AI Security Concepts, Threats, and Mitigations
  • 02-01 OWASP Top 10 for Large Language Model (LLM) Applications (4 hrs): Top 10 Practices for Protecting Large Language Model Applications

AI Secure Development Practices
  • 02-10 AI for Code Creation (1 hr): Exploring the Security Implications of Using AI for Code Generation
  • 02-11 React Security Prompt Engineering (1 hr): Building Secure React Applications with AI

AI Architecture
  • 02-20 Threat Modeling for AI Systems (1 hr): Applying Threat Modeling Methodologies Specifically Tailored to AI Architectures and Pipelines
  • 02-21 Zero Trust Architectures for AI (1 hr): Adapting Zero Trust Principles in Designing and Deploying Secure AI Infrastructure
  • 02-22 Access Control Design for AI (1 hr): Building Access Control in Vector Database AI Systems
  • 02-23 AI for UI Development (1 hr)
  • 02-24 AI Model Updates and Patching (1 hr): Best Practices for Securely Updating and Patching Deployed Models, Especially in Response to Emerging Threats
  • 02-25 Self Hosted Models (1 hr): Strategies for securely deploying and operating self-hosted LLMs and vector stores

AI Adversarial Techniques
  • 02-30 Adversarial Machine Learning (1 hr): Understanding and Mitigating Adversarial Attacks on AI Systems
  • 02-31 Red Teaming AI Systems (1 hr): Conducting Adversarial Testing and Red Teaming for AI Systems to Identify Vulnerabilities and Resilience

AI Supply Chain
  • 02-40 Integrating AI in Software (1 hr): Security architecture patterns, risks, and mitigation strategies for integrating LLMs and AI APIs into real-world applications
  • 02-41 Hugging Face OSS Model Security (1 hr): Securing the Hugging Face Ecosystem
  • 02-42 AI Model Drift and Security Monitoring (1 hr): Strategies for Monitoring Models in Production to Detect Security Drift and Performance Degradation Over Time
  • 02-43 AWS Bedrock (1 hr): Securely using AWS Bedrock to access and manage foundation models
  • 02-44 PySpark Security (1 hr): Securing large-scale data pipelines with PySpark

AI Regulatory and Ethical Frameworks
  • 02-50 Differential Privacy (1 hr): Principles and Practices for Ensuring Privacy and Ethical AI Usage in Business Environments
  • 02-51 European Union AI Act (1 hr): Detailed Examination of the EU AI Act and Its Implications for AI Development and Deployment

Standards
  • 03-00 OWASP Top Ten (1-4 hrs): Top Ten Web Security Risks
  • 03-01 Introduction to GDPR (1 hr): European Data Privacy Law
  • 03-02 OWASP ASVS (1 hr): Comprehensive Secure Coding Standard
  • 03-03 OWASP Top Ten Proactive Controls (1 hr): Web Security Defense Categories
  • 03-04 PCI Secure SDLC Standard (1 hr): Credit Card SDLC Requirements

User Interface Security
  • 04-00 XSS Defense (2 hrs): Client-Side Web Security
  • 04-01 Content Security Policy (1 hr): Advanced Client-Side Web Security
  • 04-02 Content Spoofing and HTML Hacking (0.5 hr): HTML Client-Side Injection Attacks
  • 04-03 React Security (1 hr): Secure React Application Development
  • 04-04 Vue.js Security (1 hr): Secure Vue.js Application Development
  • 04-05 Angular and AngularJS Security (1 hr): Secure Angular Application Development
  • 04-06 Clickjacking (0.5 hr): UI Redress Attack Defense
  • 04-07 Flutter Security (0.5 hr): Flutter Security Basics

Identity & Access Management
  • 05-00 Authentication Best Practices (1.5 hrs): Web Authentication Practices
  • 05-01 Session Management Best Practices (1.5 hrs): Web Session Management Practices
  • 05-02 Multi-Factor Authentication (1 hr): NIST SP-800-63 Compliant MFA Implementation
  • 05-03 Secure Password Policy and Storage (1 hr): Secure User Password Policy and Storage
  • 05-04 Access Control Design (1 hr): ABAC/Capabilities-Based Access Control
  • 05-05 OAuth2 Security (1 hr): OAuth2 Authorization Protocol
  • 05-06 OpenID Connect Security (1 hr): OpenID Connect Federation Protocol
  • 05-07 Brute Force Defense (0.5 hr): Stopping Brute Force Attacks

Crypto Modules
  • 06-00 Secrets Management (1 hr): Key and Credential Storage Strategies
  • 06-01 HTTPS/TLS Best Practices (1 hr): Transport Security Introduction
  • 06-02 Cryptography Fundamentals:
      • 06-02-00 Terminology and Basic Concepts (1 hr): Understanding Key Terms in Cryptography
      • 06-02-01 Steganography (1 hr): Techniques for Concealing Information
      • 06-02-02 Cryptographic Attacks (1 hr): Common Attacks and How to Defend Against Them
      • 06-02-03 Kerckhoffs's Principle and Perfect Forward Secrecy (1 hr): Fundamental Principles in Cryptographic Security
      • 06-02-04 Hash Functions (1 hr): Importance and Use Cases of Hash Functions
      • 06-02-05 Symmetric Cryptography (1 hr): Understanding Symmetric Key Algorithms
      • 06-02-06 Randomness in Cryptography (1 hr): Role and Generation of Randomness
      • 06-02-07 Digital Signatures (1 hr): Ensuring Integrity and Authenticity in Digital Communications

Process
  • 07-00 DevOps Best Practices (1 hr): DevOps and DevSecOps
Venue: TBA

9:00am PST

3-Day Training: Full-Stack Pentesting Laboratory: 100% Hands-On + Lifetime LAB Access
Monday November 2, 2026 9:00am - 5:00pm PST
3-Day Training: November 2-4, 2026
Level: Intermediate
Trainer: Dawid Czagan

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Modern IT systems are increasingly complex, making full-stack expertise more essential than ever. That's why diving into full-stack pentesting is crucial—you will gain the skills needed to master modern attack vectors and implement effective defensive countermeasures.

For each attack, vulnerability and technique presented in this training, there is a lab exercise to help you develop your skills step by step. What's more, when the training is over, you can take the complete lab environment home to hack again at your own pace.

I found security bugs in many companies, including Google, Yahoo, Mozilla and Twitter, and in this training I'll share my experience with you.

Key Learning Objectives
After completing this training, you will have learned about:

- Hacking cloud applications
- API hacking tips & tricks
- Data exfiltration techniques
- OSINT asset discovery tools
- Tricky user impersonation
- Bypassing protection mechanisms
- CLI hacking scripts
- Interesting XSS attacks
- Server-side template injection
- Hacking with Google & GitHub search engines
- Automated SQL injection detection and exploitation
- File read & file upload attacks
- Password cracking in a smart way
- Hacking Git repos
- XML attacks
- NoSQL injection
- HTTP parameter pollution
- Web cache deception attack
- Hacking with wrappers
- Finding metadata with sensitive information
- Hijacking NTLM hashes
- Automated detection of JavaScript libraries with known vulnerabilities
- Extracting passwords
- Hacking Electron applications
- Establishing reverse shell connections
- RCE attacks
- XSS polyglot
- and more …

What Students Will Receive
Students will be handed a VMware image with a specially prepared lab environment to play with all attacks, vulnerabilities and techniques presented in this training. When the training is over, students can take the complete lab environment home (after signing a non-disclosure agreement) to hack again at their own pace.

Special Bonus
The ticket price includes FREE access to my 6 online courses:

- Fuzzing with Burp Suite Intruder
- Exploiting Race Conditions with OWASP ZAP
- Case Studies of Award-Winning XSS Attacks: Part 1
- Case Studies of Award-Winning XSS Attacks: Part 2
- How Hackers Find SQL Injections in Minutes with Sqlmap
- Web Application Security Testing with Google Hacking

What Students Say About My Trainings
References are attached to my LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/). They can also be found here: https://silesiasecuritylab.com/services/training/#opinions – training participants from companies such as Oracle, Adobe, ESET, ING, …

What Students Should Know
To get the most out of this training, intermediate knowledge of web application security is needed. Students should have experience using a proxy, such as Burp Suite Proxy or Zed Attack Proxy (ZAP), to analyze or modify traffic.

What Students Should Bring

Students will need a laptop with a 64-bit operating system, at least 8 GB RAM, 35 GB free hard drive space, administrative access, the ability to turn off AV/firewall, and VMware Player/Fusion installed (64-bit version). Prior to the training, make sure there are no problems with running x86_64 VMs.

Additional notes

This new 3-day training was sold out at top security conferences, e.g. DEF CON 2024 (Las Vegas) and Hack In Paris (Paris).

This is a 100% hands-on training: for each attack, vulnerability and technique presented in this training, there is a lab exercise to help students develop their skills step by step.
Speakers

Dawid Czagan

Founder and CEO, Silesia Security Lab
Dawid Czagan is an internationally recognized security researcher and trainer. He is listed among top hackers at HackerOne. Dawid Czagan has found security bugs in Apple, Google, Mozilla, Microsoft and many others.

Due to the severity of many bugs, he received numerous awards for his findings. Dawid Czagan shares his security experience in his hands-on trainings. He delivered trainings at key industry conferences such as DEF CON (Las Vegas), OWASP 2025 Global AppSec EU (Barcelona), Hack In The...
Venue: TBA

10:30am PST

AM Break
Monday November 2, 2026 10:30am - 11:00am PST
Venue: TBA

12:30pm PST

Lunch
Monday November 2, 2026 12:30pm - 1:30pm PST
Venue: TBA

3:00pm PST

PM Break
Monday November 2, 2026 3:00pm - 3:30pm PST
Venue: TBA
 
Tuesday, November 3
 

8:15am PST

Breakfast
Tuesday November 3, 2026 8:15am - 9:00am PST
Venue: TBA

9:00am PST

2-Day Training: AI SecureOps: Attacking & Defending AI Applications & Agents
Tuesday November 3, 2026 9:00am - 5:00pm PST
2-Day Training: November 3-4, 2026
Level: Intermediate
Trainer: Abhinav Singh

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Can prompt injections lead to complete infrastructure takeovers? Could AI agents, MCP-connected tools, or poisoned external context be abused to compromise backend services? Can data poisoning in AI copilots impact a company’s stock? Can jailbreaks create false crisis alerts in security systems? This immersive, CTF-styled training in GenAI, LLM, agent, and MCP security dives into these pressing questions.

Engage in realistic attack-and-defense scenarios focused on real-world threats, from prompt injection and remote code execution to backend compromise, tool abuse, unsafe agent orchestration, and trust and authorization failures. Tackle hands-on challenges with live AI applications to understand vulnerabilities and build robust defenses. Learn how to build a comprehensive security pipeline, master AI red and blue team strategies, secure tool-connected and agentic systems, implement resilient guardrails for LLMs, and handle incident response for AI-based threats. You will also explore governance, Responsible AI, and enterprise security patterns for modern AI ecosystems.

By the end of this training, you will be able to:

- Exploit vulnerabilities in AI applications to achieve code and command execution, uncovering scenarios such as instruction injection, agent control bypass, remote code execution for infrastructure takeover, as well as chaining multiple agents for goal hijacking.
- Conduct AI red-teaming using adversary simulation, OWASP LLM Top 10, and MITRE ATLAS frameworks, while applying AI security and ethical principles in real-world scenarios.
- Execute and defend against adversarial attacks, including prompt injection, data poisoning, jailbreaks, agentic attacks, and insecure tool-connected workflows.
- Perform advanced AI red and blue teaming through multi-agent auto-prompting attacks, implementing a 3-way autonomous system consisting of attack, defend, and judge models.
- Build and deploy enterprise-grade LLM defenses, including custom guardrails for input/output protection, security benchmarking, penetration testing of LLM agents, and defensive controls for MCP-enabled integrations.
- Understand MCP fundamentals and assess how they expand the attack surface of modern AI systems.
- Establish a comprehensive LLM SecOps process to secure the supply chain from adversarial attacks and create a robust threat model for enterprise applications, including AI systems connected to external tools and data sources through MCP-like architectures.
- Implement an incident response and risk management plan for enterprises developing or using AI services.
Speakers

Abhinav Singh

Cyber Security Research in AI, Cloud & Data, Wingback Security
Abhinav Singh is a security leader, founder of Wingback Security, and a globally recognized speaker and trainer focused on securing enterprise AI systems. He has been involved with AI fellowship and research communities including MATS, PIBBSS, CSA, AIUC, and the Foresight Institute...
Venue: TBA

9:00am PST

2-Day Training: Beyond Whiteboard Hacking: Embracing AI-Assisted Threat Modeling
Tuesday November 3, 2026 9:00am - 5:00pm PST
2-Day Training: November 3-4, 2026
Level: Intermediate
Trainer: Robert Hurlbut

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

This training immerses you in the practical world of threat modeling through hands-on exercises and real-world scenarios. With 25 years of practical experience and over a decade of delivering this training at Black Hat, it emphasizes an interactive approach—70% of the course is dedicated to exercises that reinforce learning. By the end, you'll gain not only knowledge but also the skills to effectively practice threat modeling within your organization.


Updated annually, this revised training covers the latest threat intelligence and attack methods expected for 2026 and beyond, including risks associated with LLMs and other AI systems. Participants will engage in practical activities inspired by real industry projects, such as integrating threat modeling into secure-by-design and DevOps workflows. Key features include threat-informed defense using MITRE frameworks like ATT&CK for real-world analysis, using threat libraries and intelligence to deepen threat understanding, and tackling modern challenges such as modeling threats for AI-driven systems—specifically, a machine-learning-powered chatbot.


Before the training, all participants will get access to our self-paced “introduction to threat modeling” course, designed to bring participants up to speed.


As practitioners with hands-on experience, we understand the gap between book-based threat modeling knowledge and the practical challenges faced in real-world environments. To address this, we have created a comprehensive real-world case study and exercises to help you build effective threat models. In this course, you will work in teams of 3 or 4 to address the stages of threat modeling across various technology stacks.


Examples include:
• Use case describing a home automation system
• Data flow diagramming and trust boundaries
• Identifying threats
• AI-Assisted STRIDE analysis
• Constructing an attack tree
• Mitigating threats
• AI-Assisted mitigations
• Applying GDPR Risk Patterns for Privacy by Design
• Using AI resources to threat model a machine learning powered HomeAutomationBot
• Integrating the OWASP Threat Modeling Playbook into agile development
• Threat Modeling a CI/CD supply chain
• Red Team / Blue Team battle for control over an offshore wind turbine park


After each exercise, we encourage in-depth discussions and provide a documented solution to reinforce your understanding. Additionally, participants are invited to create and submit their “Bring Your Own Case” (BYOC) threat models after the training and receive personalized feedback to improve their techniques. To receive the “Certified Threat Modeling Practitioner” certificate, participants must pass an exam and submit their BYOC threat model.


This training extends beyond the classroom: every participant gains access to our Threat Modeling Playbook, one year of online learning resources, and invitations to monthly Ask-Me-Anything sessions to help you keep improving your threat modeling skills long after the course concludes.

Speakers

Robert Hurlbut

Principal Product Security Architect and Threat Modeling Trainer, Toreon
Robert Hurlbut is a Principal Product Security Architect and Threat Modeling Trainer at Toreon, and has over 30 years of experience in secure coding and software architecture. Prior to joining Toreon, he initiated and led threat modeling programs at Bank of America and Aquia. Robert is...
Venue: TBA

9:00am PST

2-Day Training: Repeatable, Scalable and Valuable Code Security Scanning
Tuesday November 3, 2026 9:00am - 5:00pm PST
2-Day Training: November 3-4, 2026
Level: Intermediate
Trainer: Josh Grossman

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Suddenly anyone and everyone in your organization can use AI assistants to write code. Meanwhile, your actual developers are putting out 100x their previous output, with “varying” levels of quality. So how are you going to secure code at this scale?

This course is designed to be a deep dive into state-of-the-art techniques for validating code security within an organization’s codebase. The course has a strong emphasis on how AI-driven analysis can drive this forward whilst also clearly highlighting where standard, deterministic techniques (albeit incorporating AI acceleration) will be more effective.

During the course, you will learn how to combine these techniques, in a scalable and repeatable way, based on our experience doing just this with real organizations and real teams and with a focus on the current state of the art in this fast-moving area.

This course goes beyond the scope of standard application security knowledge and is designed to make you a specialist in this area. Having spent several years perfecting this process, we are excited to impart the lessons we have learnt!

The course is structured as follows:

* Overview – setting out the basic details of what we will be talking about in terms of code scanning and SAST.
* Key techniques – Discuss the different techniques which can be used for this including generic “off the shelf” SAST, deterministic custom scanning rules, and LLM powered custom AI prompts
* Technique comparison - Advantages and disadvantages of each technique based on our in-depth experience with each and which technique you will want to use in different situations, to avoid wasting time trying to use a technique in an inappropriate use case.
* Organizational process – How to get these processes built into an organization’s existing software lifecycle
* Generic SAST – Using “off the shelf” rules effectively to catch “low hanging fruit” and avoid reinventing the wheel.
* Custom SAST – Introduce custom rule languages (e.g., Semgrep, CodeQL), writing rules from scratch, and scaling analysis across a codebase.
* Basic AI Code Security Scanning – Overview of AI-based scanning, platforms, principles, and initial single-shot prompts
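As an added illustration of the "deterministic custom scanning rules" and "Custom SAST" items above (this is not course material and not a rule the course ships), the following stand-alone Python check expresses one such rule directly against Python's own `ast` module instead of through Semgrep or CodeQL. It flags shell-style command execution whose command argument is not a fixed string literal. The rule identifiers and the sample source it scans are constructed for this example.

```python
# Added example: a deterministic custom scanning rule over Python's `ast`.
# Rule: flag os.system(...) and subprocess.*(..., shell=True) calls whose
# command is not a string literal, i.e. may be built from input.
# Rule ids and SAMPLE_SOURCE below are constructed for this illustration.
import ast
from dataclasses import dataclass

# Callees that hand a string to a shell when shell=True is passed.
SUBPROCESS_FUNCS = {
    "subprocess.run", "subprocess.call", "subprocess.check_call",
    "subprocess.check_output", "subprocess.Popen",
}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    line: int
    snippet: str


def _callee_name(call: ast.Call) -> str:
    """Dotted callee name for `mod.func(...)` or `func(...)`, else ''."""
    func = call.func
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    if isinstance(func, ast.Name):
        return func.id
    return ""


def _is_str_literal(node) -> bool:
    """True for a fixed string constant such as "uptime"."""
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def _shell_true(call: ast.Call) -> bool:
    """True when the call passes the keyword argument shell=True."""
    return any(
        kw.arg == "shell"
        and isinstance(kw.value, ast.Constant)
        and kw.value.value is True
        for kw in call.keywords
    )


def scan_source(source: str, filename: str = "<input>") -> list[Finding]:
    """Apply the rule to one file's source; findings sorted by line."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = _callee_name(node)
        command = node.args[0] if node.args else None
        if command is None or _is_str_literal(command):
            continue  # no command, or a fixed literal: nothing input-derived
        if name == "os.system":
            findings.append(Finding("py-os-system-dynamic-cmd", node.lineno, ast.unparse(node)))
        elif name in SUBPROCESS_FUNCS and _shell_true(node):
            findings.append(Finding("py-subprocess-shell-dynamic-cmd", node.lineno, ast.unparse(node)))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample target: two dangerous calls (lines 4 and 7) and two the
# rule deliberately leaves alone (argv list without a shell; fixed literal).
SAMPLE_SOURCE = """import os, subprocess

def ping(host):
    os.system("ping -c 1 " + host)
    subprocess.run(["ping", "-c", "1", host])
    subprocess.run("uptime", shell=True)
    return subprocess.check_output(f"dig {host}", shell=True)
"""


def scan_sample() -> list[tuple[str, int]]:
    """Run the rule over the constructed sample; returns (rule_id, line) pairs."""
    return [(f.rule_id, f.line) for f in scan_source(SAMPLE_SOURCE, "sample.py")]


if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE, "sample.py"):
        print(f"sample.py:{finding.line}: {finding.rule_id}: {finding.snippet}")
```

The rule is purely syntactic: it does not know whether `host` was validated upstream, so it will also fire on a sanitized value, and it misses a command that reaches `shell=True` through a variable assigned from a literal. That precision boundary (taint tracking versus pattern matching, and where an LLM-assisted review pays off) is exactly the "technique comparison" question the course outline raises.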
Speakers

Josh Grossman

CTO, Bounce Security
Josh Grossman has worked as a consultant in IT and Application Security and Risk for 15 years now, as well as a Software Developer. This has given him an in-depth understanding of how to manage the balance between business needs, developer needs and security needs which goes into...
Venue: TBA

9:00am PST

2-Day Training: Secure Coding That Sticks: From Bad Code to Secure Design
Tuesday November 3, 2026 9:00am - 5:00pm PST
2-Day Training: November 3-4, 2026
Level: Intermediate
Trainer: Tanya Janca

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Most developers have heard security advice before. The problem is, it rarely translates into what to actually do when you're writing code.

This two-day, hands-on training focuses on building secure coding skills that work in real life. Attendees learn how to recognize insecure patterns, fix them, and replace them with practical, repeatable approaches they can apply immediately. As AI-generated code becomes the norm, the ability to read code critically, spot security issues, and fix them confidently has never mattered more. This training builds this exact skill.

Day One covers secure coding fundamentals across the areas where vulnerabilities happen most often: input and output handling, data and secrets protection, authentication and authorization, infrastructure and application safety, resilience, supply chain risks, logging, and operational practices. Each topic is taught using a Bad / Better / Best approach, with real code examples and hands-on exercises so participants can clearly see what insecure code looks like, how it fails, and how to fix it properly.

Day Two applies those skills to APIs using the OWASP API Security Top 10. Participants work through each category of vulnerability using practical examples, learning how issues like broken object-level authorization, SSRF, and unsafe API consumption actually show up in code and how to remediate them effectively.
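An added example, written for this page rather than taken from the course, of the Bad / Better / Best progression applied to one of the Day Two categories, broken object-level authorization. The invoice table, user ids and handler names are constructed; the handlers are plain functions standing in for an API route.

```python
# Added example: Bad / Better / Best for broken object-level authorization
# (BOLA) in an "read invoice by id" API handler. Invoice data, user ids and
# function names are constructed for this illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    amount: int


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


# Constructed in-memory table: user 10 owns invoice 1, user 20 owns invoice 2.
INVOICES = {
    1: Invoice(id=1, owner_id=10, amount=100),
    2: Invoice(id=2, owner_id=20, amount=250),
}


def get_invoice_bad(invoice_id: int, current_user_id: int) -> Invoice:
    """BAD: the id comes straight from the URL and is the only lookup key.
    Any authenticated user can read any invoice by changing the number."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound
    return invoice


def get_invoice_better(invoice_id: int, current_user_id: int) -> Invoice:
    """BETTER: fetch, then compare the owner to the caller. Correct, but the
    check is a separate step that every handler has to remember, and the
    NotFound/Forbidden split tells an attacker which ids exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound
    if invoice.owner_id != current_user_id:
        raise Forbidden
    return invoice


def find_owned_invoice(owner_id: int, invoice_id: int):
    """Data-access layer scoped to an owner: the in-memory equivalent of
    SELECT ... WHERE id = ? AND owner_id = ?."""
    invoice = INVOICES.get(invoice_id)
    if invoice is not None and invoice.owner_id == owner_id:
        return invoice
    return None


def get_invoice_best(invoice_id: int, current_user_id: int) -> Invoice:
    """BEST: the lookup itself is scoped to the caller, so another user's
    invoice is not addressable at all, and "not yours" is indistinguishable
    from "does not exist". The handler cannot forget the check."""
    invoice = find_owned_invoice(current_user_id, invoice_id)
    if invoice is None:
        raise NotFound
    return invoice


def raises(fn, exc_type) -> bool:
    """Helper: True if calling fn() raises exc_type."""
    try:
        fn()
    except exc_type:
        return True
    return False


if __name__ == "__main__":
    # User 10 asks for invoice 2, which belongs to user 20.
    print("bad   :", get_invoice_bad(2, 10))          # leaks user 20's invoice
    print("better:", raises(lambda: get_invoice_better(2, 10), Forbidden))
    print("best  :", raises(lambda: get_invoice_best(2, 10), NotFound))
```

In every version `current_user_id` must come from the verified session or token, never from the request body or query string; the "best" shape only helps if the scoping value itself is trustworthy.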

In the final section, the training moves into secure design. Attendees are introduced to core design principles and guided through a live threat modeling exercise, where they identify assets, trust boundaries, and risks in a realistic system, then prioritize and propose mitigations.

Attendees leave with 42 actionable secure coding rules, hands-on experience with the OWASP API Security Top 10, and a practical threat modeling approach they can use immediately. The goal is not a list of things to memorize. It's a new way of thinking about code and your everyday work.
Speakers

Tanya Janca

Security Trainer and Founder, She Hacks Purple & DevSec Station
Tanya Janca, known online as SheHacksPurple, is the best-selling author of Alice and Bob Learn Secure Coding and Alice and Bob Learn Application Security. She is the founder of DevSec Station, a modern learning platform and community built to help software developers master secure...
Venue: TBA

9:00am PST

3-Day Training: Hacking Android, iOS and IoT apps by Example - 2026 Edition
Tuesday November 3, 2026 9:00am - 5:00pm PST
3-Day Training: November 2-4, 2026
Level: Intermediate
Trainer: Abraham Aranguren

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Venue: TBA

9:00am PST

3-Day Training: Adam Shostack's Threat Modeling Intensive With AI
Tuesday November 3, 2026 9:00am - 5:00pm PST
3-Day Training: November 2-4, 2026
Level: Intermediate
Trainer: Adam Shostack

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

This is our popular Threat Modeling Intensive course, where you'll learn to threat model, and then you'll revisit and learn to complement those skills with a variety of AI systems. You need to know how to threat model to evaluate what the AIs hallucinate, and today you need AI (at least to get your AI-loving boss to leave you alone) and maybe even to help your organization scale.
Speakers

9:00am PST

3-Day Training: AppSec and AI Security for Developers with Jim Manico
Tuesday November 3, 2026 9:00am - 5:00pm PST
3-Day Training: November 2-4, 2026
Level: Beginner
Trainer: Jim Manico

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Description: This three-day security course is designed for software engineers and AppSec professionals who want to tailor their learning experience. Throughout the class, you’ll select the topics that interest you most—ensuring that the content aligns with your individual needs and goals. We’ll honor every participant’s topic requests, so you can dive deeper into the areas that matter most.

Students will choose from the following material:

Core Modules
  • 00-00 Introduction to Application Security (1 hr): Goals and Threats in AppSec
  • 00-01 Input Validation Basics (1 hr): Allowlist Validation, Safe Redirects
  • 00-02 HTTP Security Basics (1.5 hrs): Response/Request Headers, Verbs, Secure Transport Basics
  • 00-03 SOP and CORS (1 hr): Same-Origin Policy, Cross-Origin Resource Sharing Security
  • 00-04 SQL and Other Injections (1.5 hrs): Parameterized Queries, Secure Database Configurations, Command Injection
  • 00-05 Cross-Site Request Forgery (1.5 hrs): CSRF Defenses for Various Architectures
  • 00-06 File Upload and File I/O Security (1 hr): Secure File Upload, File I/O Security
  • 00-07 Deserialization Security (0.5 hr): Safe Deserialization Practices
  • 00-08 Third-Party Library Security Management (1 hr): Ensuring Third-Party Library Security
  • 00-09 Security Logging and Monitoring (0.5 hr): Security-Focused Logging
  • 00-10 Application Layer Intrusion Detection (0.5 hr): Detecting App Layer Attacks
  • 00-11 Threat Modeling Fundamentals (1 hr): Security Design via Threat Modeling
  • 00-12 Forms and Workflows Security (0.5 hr): Secure Handling of Complex Form Workflows

API Security
  • 01-00 API and REST Security (2 hrs): REST Design, XML, XXE, JSON, API Access Control
  • 01-01 Microservice Security (2 hrs): Security Architectures in Microservices
  • 01-02 JSON Web Tokens (JWT) (1 hr): Addressing JWT Security Challenges
  • 01-03 gRPC Security (1 hr): gRPC Security Architecture

Foundations of AI Security
  • 02-00 Introduction to AI Security (1 hr): Overview of AI Security Concepts, Threats, and Mitigations
  • 02-01 OWASP Top 10 for Large Language Model (LLM) Applications (4 hrs): Top 10 Practices for Protecting Large Language Model Applications

AI Secure Development Practices
  • 02-10 AI for Code Creation (1 hr): Exploring the Security Implications of Using AI for Code Generation
  • 02-11 React Security Prompt Engineering (1 hr): Building Secure React Applications with AI

AI Architecture
  • 02-20 Threat Modeling for AI Systems (1 hr): Applying Threat Modeling Methodologies Specifically Tailored to AI Architectures and Pipelines
  • 02-21 Zero Trust Architectures for AI (1 hr): Adapting Zero Trust Principles in Designing and Deploying Secure AI Infrastructure
  • 02-22 Access Control Design for AI (1 hr): Building Access Control in Vector Database AI Systems
  • 02-23 AI for UI Development (1 hr): Building Access Control in Vector Database AI Systems
  • 02-24 AI Model Updates and Patching (1 hr): Best Practices for Securely Updating and Patching Deployed Models, Especially in Response to Emerging Threats
  • 02-25 Self Hosted Models (1 hr): Strategies for securely deploying and operating self-hosted LLMs and vector stores

AI Adversarial Techniques
  • 02-30 Adversarial Machine Learning (1 hr): Understanding and Mitigating Adversarial Attacks on AI Systems
  • 02-31 Red Teaming AI Systems (1 hr): Conducting Adversarial Testing and Red Teaming for AI Systems to Identify Vulnerabilities and Resilience

AI Supply Chain
  • 02-40 Integrating AI in Software (1 hr): Security architecture patterns, risks, and mitigation strategies for integrating LLMs and AI APIs into real-world applications
  • 02-41 Hugging Face OSS Model Security (1 hr): Securing the Hugging Face Ecosystem
  • 02-42 AI Model Drift and Security Monitoring (1 hr): Strategies for Monitoring Models in Production to Detect Security Drift and Performance Degradation Over Time
  • 02-43 AWS Bedrock (1 hr): Securely using AWS Bedrock to access and manage foundation models
  • 02-44 PySpark Security (1 hr): Securing large-scale data pipelines with PySpark

AI Regulatory and Ethical Frameworks
  • 02-50 Differential Privacy (1 hr): Principles and Practices for Ensuring Privacy and Ethical AI Usage in Business Environments
  • 02-51 European Union AI Act (1 hr): Detailed Examination of the EU AI Act and Its Implications for AI Development and Deployment

Standards
  • 03-00 OWASP Top Ten (1-4 hrs): Top Ten Web Security Risks
  • 03-01 Introduction to GDPR (1 hr): European Data Privacy Law
  • 03-02 OWASP ASVS (1 hr): Comprehensive Secure Coding Standard
  • 03-03 OWASP Top Ten Proactive Controls (1 hr): Web Security Defense Categories
  • 03-04 PCI Secure SDLC Standard (1 hr): Credit Card SDLC Requirements

User Interface Security
  • 04-00 XSS Defense (2 hrs): Client-Side Web Security
  • 04-01 Content Security Policy (1 hr): Advanced Client-Side Web Security
  • 04-02 Content Spoofing and HTML Hacking (0.5 hr): HTML Client-Side Injection Attacks
  • 04-03 React Security (1 hr): Secure React Application Development
  • 04-04 Vue.js Security (1 hr): Secure Vue.js Application Development
  • 04-05 Angular and AngularJS Security (1 hr): Secure Angular Application Development
  • 04-06 Clickjacking (0.5 hr): UI Redress Attack Defense
  • 04-07 Flutter Security (0.5 hr): Flutter Security Basics

Identity & Access Management
  • 05-00 Authentication Best Practices (1.5 hrs): Web Authentication Practices
  • 05-01 Session Management Best Practices (1.5 hrs): Web Session Management Practices
  • 05-02 Multi-Factor Authentication (1 hr): NIST SP-800-63 Compliant MFA Implementation
  • 05-03 Secure Password Policy and Storage (1 hr): Secure User Password Policy and Storage
  • 05-04 Access Control Design (1 hr): ABAC/Capabilities-Based Access Control
  • 05-05 OAuth2 Security (1 hr): OAuth2 Authorization Protocol
  • 05-06 OpenID Connect Security (1 hr): OpenID Connect Federation Protocol
  • 05-07 Brute Force Defense (0.5 hr): Stopping Brute Force Attacks

Crypto Modules
  • 06-00 Secrets Management (1 hr): Key and Credential Storage Strategies
  • 06-01 HTTPS/TLS Best Practices (1 hr): Transport Security Introduction
  • 06-02 Cryptography Fundamentals:
      • 06-02-00 Terminology and Basic Concepts (1 hr): Understanding Key Terms in Cryptography
      • 06-02-01 Steganography (1 hr): Techniques for Concealing Information
      • 06-02-02 Cryptographic Attacks (1 hr): Common Attacks and How to Defend Against Them
      • 06-02-03 Kerckhoffs's Principle and Perfect Forward Secrecy (1 hr): Fundamental Principles in Cryptographic Security
      • 06-02-04 Hash Functions (1 hr): Importance and Use Cases of Hash Functions
      • 06-02-05 Symmetric Cryptography (1 hr): Understanding Symmetric Key Algorithms
      • 06-02-06 Randomness in Cryptography (1 hr): Role and Generation of Randomness
      • 06-02-07 Digital Signatures (1 hr): Ensuring Integrity and Authenticity in Digital Communications

Process
  • 07-00 DevOps Best Practices (1 hr): DevOps and DevSecO
Speakers

9:00am PST

3-Day Training: Full-Stack Pentesting Laboratory: 100% Hands-On + Lifetime LAB Access
Tuesday November 3, 2026 9:00am - 5:00pm PST
3-Day Training: November 2-4, 2026
Level: Intermediate
Trainer: Dawid Czagan

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Modern IT systems are increasingly complex, making full-stack expertise more essential than ever. That's why diving into full-stack pentesting is crucial—you will gain the skills needed to master modern attack vectors and implement effective defensive countermeasures.

For each attack, vulnerability and technique presented in this training, there is a lab exercise to help you develop your skills step by step. What's more, when the training is over, you can take the complete lab environment home to hack again at your own pace.

I found security bugs in many companies including Google, Yahoo, Mozilla, Twitter and in this training I'll share my experience with you.

Key Learning Objectives
After completing this training, you will have learned about:

- Hacking cloud applications
- API hacking tips & tricks
- Data exfiltration techniques
- OSINT asset discovery tools
- Tricky user impersonation
- Bypassing protection mechanisms
- CLI hacking scripts
- Interesting XSS attacks
- Server-side template injection
- Hacking with Google & GitHub search engines
- Automated SQL injection detection and exploitation
- File read & file upload attacks
- Password cracking in a smart way
- Hacking Git repos
- XML attacks
- NoSQL injection
- HTTP parameter pollution
- Web cache deception attack
- Hacking with wrappers
- Finding metadata with sensitive information
- Hijacking NTLM hashes
- Automated detection of JavaScript libraries with known vulnerabilities
- Extracting passwords
- Hacking Electron applications
- Establishing reverse shell connections
- RCE attacks
- XSS polyglot
- and more …

What Students Will Receive
Students will be handed a VMware image with a specially prepared lab environment to play with all attacks, vulnerabilities and techniques presented in this training. When the training is over, students can take the complete lab environment home (after signing a non-disclosure agreement) to hack again at their own pace.

Special Bonus
The ticket price includes FREE access to my 6 online courses:

- Fuzzing with Burp Suite Intruder
- Exploiting Race Conditions with OWASP ZAP
- Case Studies of Award-Winning XSS Attacks: Part 1
- Case Studies of Award-Winning XSS Attacks: Part 2
- How Hackers Find SQL Injections in Minutes with Sqlmap
- Web Application Security Testing with Google Hacking

What Students Say About My Trainings
References are attached to my LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/). They can also be found here: https://silesiasecuritylab.com/services/training/#opinions – training participants from companies such as Oracle, Adobe, ESET, ING, …

What Students Should Know
To get the most out of this training, intermediate knowledge of web application security is needed. Students should have experience in using a proxy, such as Burp Suite Proxy or Zed Attack Proxy (ZAP), to analyze or modify the traffic.

What Students Should Bring

Students will need a laptop with a 64-bit operating system, at least 8 GB RAM, 35 GB free hard drive space, administrative access, the ability to turn off AV/firewall, and VMware Player/Fusion installed (64-bit version). Prior to the training, make sure there are no problems with running x86_64 VMs.

Additional notes

This new 3-day training was sold out at top security conferences e.g. DEF CON 2024 (Las Vegas), Hack In Paris (Paris).

This is a 100% hands-on training: for each attack, vulnerability and technique presented in this training, there is a lab exercise to help students develop their skills step by step.
Speakers

Dawid Czagan

Founder and CEO, Silesia Security Lab
Dawid Czagan is an internationally recognized security researcher and trainer. He is listed among top hackers at HackerOne. Dawid Czagan has found security bugs in Apple, Google, Mozilla, Microsoft and many others.

Due to the severity of many bugs, he received numerous awards for his findings. Dawid Czagan shares his security experience in his hands-on trainings. He delivered trainings at key industry conferences such as DEF CON (Las Vegas), OWASP 2025 Global AppSec EU (Barcelona), Hack In The...

10:30am PST

AM Break
Tuesday November 3, 2026 10:30am - 11:00am PST

TBA

12:30pm PST

Lunch
Tuesday November 3, 2026 12:30pm - 1:30pm PST

TBA

3:00pm PST

PM Break
Tuesday November 3, 2026 3:00pm - 3:30pm PST

TBA

Wednesday, November 4

8:15am PST

Breakfast
Wednesday November 4, 2026 8:15am - 9:00am PST

TBA

8:15am PST

Registration
Wednesday November 4, 2026 8:15am - 5:00pm PST

TBA

9:00am PST

1-Day Training: How to build a Successful Security Champions Program
Wednesday November 4, 2026 9:00am - 5:00pm PST
1-Day Training: November 4, 2026
Level: Intermediate
Trainers: Juliane Reimann and Marisa Fagan

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Do you feel a disconnect between your cybersecurity efforts and engineering activities? If so, a Security Champions Program could bridge the gap. By involving engineers in security topics that align with their work, a Security Champions program not only enhances security awareness but also fosters a culture of security across your organization. However, creating such a program requires careful planning, innovative strategies, and a solid understanding of what drives individuals to champion security initiatives.

This training will equip you with practical tools and actionable insights to design and launch a successful Security Champions Program. You'll explore key concepts, including how to:
- Develop a foundational understanding of what a Security Champions Program is.
- Plan and navigate the phases of program development, from launch to long-term growth.
- Learn strategies to engage and motivate diverse personality types within the organization.
- Acquire practical tools and a structured approach to establish a scalable and trackable Security Champions Program.

Whether you're a security engineer, architect, or manager, this training will provide you with the tools and frameworks to collaborate effectively with your engineering teams and establish a thriving Security Champions Program.

The session is highly interactive, featuring hands-on exercises and team-based activities to encourage collaboration and networking with fellow professionals. Join us to gain the confidence and strategies you need to kickstart your journey toward a more secure organization.
Speakers

Marisa Fagan

Head of Product, Katilyst

Juliane Reimann

Founder and Security Community Expert, Full Circle Security
Juliane Reimann has worked as a cyber security consultant for large companies since 2019, with a focus on DevSecOps and Community Building. Her expertise includes building security communities of software developers and establishing developer-centric communication about secure software development...

9:00am PST

1-Day Training: OWASP AI Testing Guide (AITG): Enabling Trustworthy AI Through Structured Validation
Wednesday November 4, 2026 9:00am - 5:00pm PST
1-Day Training: November 4, 2026
Level: Intermediate
Trainers: Marco Morana and Matteo Meucci

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

The OWASP AI Testing Guide (AITG) provides a structured, comprehensive framework for validating Trustworthy AI systems across their entire lifecycle. Designed to support QA teams, security engineers, developers, auditors, and governance stakeholders, AITG establishes practical testing methodologies to assess AI security, privacy, and responsible AI behaviors.

The framework defines Trustworthy AI as the integration of:
1) Security AI (SecAI): Testing resilience against adversarial attacks such as prompt injection, model poisoning, evasion, and extraction.
2) Privacy AI (PrivacyAI): Validating protection against sensitive data leakage, membership inference, and model inversion risks.
3) Responsible AI (RespAI): Assessing fairness, safety, harmful output prevention, hallucination risks, explainability, and alignment with ethical policies.

AITG organizes testing coverage across four core AI product domains:
1. Application & Agent Testing
2. Model Testing
3. Infrastructure Testing
4. Data Testing

This structured approach ensures that AI systems are evaluated holistically, not just at the model layer, but across agents, RAG pipelines, APIs, infrastructure components, and data flows.

The AITG Comprehensive AI Testing Suite maps AI-specific threats to recognized standards such as OWASP Top 10 for LLMs and the OWASP AI Exchange, providing actionable, test-driven validation methods rather than abstract principles.

By combining adversarial testing, privacy validation, and responsible AI assessments, supported by governance, transparency, and monitoring, AITG enables organizations to transition from experimental AI deployments to validated, production-ready, and defensible AI systems.
Speakers

Matteo Meucci

Founder and CEO, Synapsed.ai
Matteo Meucci is the founder and CEO of Synapsed.ai, bringing over 23 years of experience in application security (AppSec) and AI systems development. Matteo has played a pivotal role in shaping the global security community, particularly through his work with OWASP, where he founded...

Marco Morana

Founder, Threat Modeling Academy | Field CISO | Author & Instructor, Avocado Systems Inc

Marco Morana is the Founder of Threat Modeling Academy, a global training initiative dedicated to advancing threat modeling and secure-by-design engineering for AI, cloud, blockchain, and FinTech systems. He also serves as Field CISO at Avocado Systems Inc., where he advises enterprises...

9:00am PST

1-Day Training: Shall we play a Game? LLM Security in Practice
Wednesday November 4, 2026 9:00am - 5:00pm PST
1-Day Training: November 4, 2026
Level: Intermediate
Trainer: Joseph Katsioloudes

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Artificial Intelligence (AI) is no longer a futuristic concept. It's embedded in the systems we use daily. At the core of these innovations are Large Language Models (LLMs) and Autonomous AI Agents. These innovations have unlocked new capabilities but have also introduced novel security challenges due to their non-deterministic behavior and autonomous outputs, causing issues like data leakage and unintended model behavior from attacks such as prompt injection and rogue agents.

This training equips participants with the skills they need to build secure agentic and LLM-based applications through interactive, challenge-based exercises that gamify core security concepts. Prepare to level up your understanding of LLM security in a practical and fun way!
Speakers

Joseph Katsioloudes

GitHub Security Lab, Leading Cyber Security Specialist
Joseph is a leading voice in cybersecurity and AI, developing software and content that shape how developers build securely. His open source game gh.io/scg has helped 10K+ developers gain future-proof security skills. His videos, with 2.8M+ views, simplify complex security topics...

9:00am PST

2-Day Training: Beyond Whiteboard Hacking: Embracing AI-Assisted Threat Modeling
Wednesday November 4, 2026 9:00am - 5:00pm PST
2-Day Training: November 3-4, 2026
Level: Beginner

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

This training immerses you in the practical world of threat modeling through hands-on exercises and real-world scenarios. With 25 years of practical experience and over a decade of delivering this training at Black Hat, it emphasizes an interactive approach—70% of the course is dedicated to exercises that reinforce learning. By the end, you'll gain not only knowledge but also the skills to effectively practice threat modeling within your organization.

Updated annually, this revised training covers the latest threat intelligence and attack methods expected for 2026 and beyond, including risks associated with LLMs and other AI systems. Participants will engage in practical activities inspired by real industry projects, such as integrating threat modeling into secure-by-design and DevOps workflows. Key features include threat-informed defense using MITRE frameworks like ATT&CK for real-world analysis, using threat libraries and intelligence to deepen threat understanding, and tackling modern challenges such as modeling threats for AI-driven systems—specifically, a machine-learning-powered chatbot.

Before the training, all participants will get access to our self-paced “introduction to threat modeling” course, designed to bring participants up to speed.

As practitioners with hands-on experience, we understand the gap between book-based threat modeling knowledge and the practical challenges faced in real-world environments. To address this, we have created a comprehensive real-world case study and exercises to help you build effective threat models. In this course, you will work in teams of 3 or 4 to address the stages of threat modeling across various technology stacks.

Examples include:
• Use case describing a home automation system
• Data flow diagramming and trust boundaries
• Identifying threats
• AI-Assisted STRIDE analysis
• Constructing an attack tree
• Mitigating threats
• AI-Assisted mitigations
• Applying GDPR Risk Patterns for Privacy by Design
• Using AI resources to threat model a machine learning powered HomeAutomationBot
• Integrating the OWASP Threat Modeling Playbook into agile development
• Threat Modeling a CI/CD supply chain
• Red Team / Blue Team battle for control over an offshore wind turbine park

After each exercise, we encourage in-depth discussions and provide a documented solution to reinforce your understanding. Additionally, participants are invited to create and submit their “Bring Your Own Case” (BYOC) threat models after the training and receive personalized feedback to improve their techniques. To receive the “Certified Threat Modeling Practitioner” certificate, participants must pass an exam and submit their BYOC threat model.

This training extends beyond the classroom: every participant gains access to our Threat Modeling Playbook, one year of online learning resources, and invitations to monthly Ask-Me-Anything sessions to help you keep improving your threat modeling skills long after the course concludes.

Speakers

Robert Hurlbut

Principal Product Security Architect and Threat Modeling Trainer, Toreon
Robert Hurlbut is a Principal Product Security Architect and Threat Modeling Trainer at Toreon and has over 30 years of experience in secure coding and software architecture. Prior to joining Toreon, he initiated and led threat modeling programs at Bank of America and Aquia. Robert is...

9:00am PST

2-Day Training: AI SecureOps: Attacking & Defending AI Applications & Agents
Wednesday November 4, 2026 9:00am - 5:00pm PST
2-Day Training: November 3-4, 2026
Level: Intermediate
Trainer: Abhinav Singh

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Can prompt injections lead to complete infrastructure takeovers? Could AI agents, MCP-connected tools, or poisoned external context be abused to compromise backend services? Can data poisoning in AI copilots impact a company’s stock? Can jailbreaks create false crisis alerts in security systems? This immersive, CTF-styled training in GenAI, LLM, agent, and MCP security dives into these pressing questions. Engage in realistic attack-and-defense scenarios focused on real-world threats, from prompt injection and remote code execution to backend compromise, tool abuse, unsafe agent orchestration, and trust and authorization failures. Tackle hands-on challenges with live AI applications to understand vulnerabilities and build robust defenses. Learn how to build a comprehensive security pipeline, master AI red and blue team strategies, secure tool-connected and agentic systems, implement resilient guardrails for LLMs, and handle incident response for AI-based threats. You will also explore governance, Responsible AI, and enterprise security patterns for modern AI ecosystems.

By the end of this training, you will be able to:

- Exploit vulnerabilities in AI applications to achieve code and command execution, uncovering scenarios such as instruction injection, agent control bypass, remote code execution for infrastructure takeover, as well as chaining multiple agents for goal hijacking.
- Conduct AI red-teaming using adversary simulation, OWASP LLM Top 10, and MITRE ATLAS frameworks, while applying AI security and ethical principles in real-world scenarios.
- Execute and defend against adversarial attacks, including prompt injection, data poisoning, jailbreaks, agentic attacks, and insecure tool-connected workflows.
- Perform advanced AI red and blue teaming through multi-agent auto-prompting attacks, implementing a 3-way autonomous system consisting of attack, defend, and judge models.
- Build and deploy enterprise-grade LLM defenses, including custom guardrails for input/output protection, security benchmarking, penetration testing of LLM agents, and defensive controls for MCP-enabled integrations.
- Understand MCP fundamentals and assess how they expand the attack surface of modern AI systems.
- Establish a comprehensive LLM SecOps process to secure the supply chain from adversarial attacks and create a robust threat model for enterprise applications, including AI systems connected to external tools and data sources through MCP-like architectures.
- Implement an incident response and risk management plan for enterprises developing or using AI services.
Speakers

Abhinav Singh

Cyber Security Research in AI, Cloud & Data, Wingback Security
Abhinav Singh is a security leader, founder of Wingback Security, and a globally recognized speaker and trainer focused on securing enterprise AI systems. He has been involved with AI fellowship and research communities including MATS, PIBBSS, CSA, AIUC, and the Foresight Institute...

9:00am PST

2-Day Training: Repeatable, Scalable and Valuable Code Security Scanning
Wednesday November 4, 2026 9:00am - 5:00pm PST
2-Day Training: November 3-4, 2026
Level: Intermediate
Trainer: Josh Grossman

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Suddenly anyone and everyone in your organization can use AI assistants to write code. Meanwhile, your actual developers are putting out 100x their previous output, with “varying” levels of quality. So how are you going to secure code at this scale?

This course is designed to be a deep dive into state-of-the-art techniques for validating code security within an organization’s codebase. The course has a strong emphasis on how AI-driven analysis can drive this forward whilst also clearly highlighting where standard, deterministic techniques (albeit incorporating AI acceleration) will be more effective.

During the course, you will learn how to combine these techniques, in a scalable and repeatable way, based on our experience doing just this with real organizations and real teams and with a focus on the current state of the art in this fast-moving area.

This course goes beyond the scope of standard application security knowledge and is designed to make you a specialist in this area. Having spent several years perfecting this process, we are excited to impart the lessons we have learnt!

The course is structured as follows:

* Overview – Setting out the basic details of what we will be talking about in terms of code scanning and SAST.
* Key techniques – Discuss the different techniques which can be used for this, including generic “off the shelf” SAST, deterministic custom scanning rules, and LLM-powered custom AI prompts.
* Technique comparison – Advantages and disadvantages of each technique based on our in-depth experience with each, and which technique you will want to use in different situations, to avoid wasting time trying to use a technique in an inappropriate use case.
* Organizational process – How to get these processes built into an organization’s existing software lifecycle.
* Generic SAST – Using “off the shelf” rules effectively to catch “low hanging fruit” and avoid reinventing the wheel.
* Custom SAST – Introduce custom rule languages (e.g., Semgrep, CodeQL), writing rules from scratch, and scaling analysis across a codebase.
* Basic AI Code Security Scanning – Overview of AI-based scanning, platforms, principles, and initial single-shot prompts.
Speakers

Josh Grossman

CTO, Bounce Security
Josh Grossman has worked as a consultant in IT and Application Security and Risk for 15 years now, as well as a Software Developer. This has given him an in-depth understanding of how to manage the balance between business needs, developer needs and security needs which goes into...

9:00am PST

2-Day Training: Secure Coding That Sticks: From Bad Code to Secure Design
Wednesday November 4, 2026 9:00am - 5:00pm PST
1-Day Training: November 4, 2026
Level: Intermediate
Trainer: Tanya Janca

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Most developers have heard security advice before. The problem is, it rarely translates into what to actually do when you're writing code.

This two-day, hands-on training focuses on building secure coding skills that work in real life. Attendees learn how to recognize insecure patterns, fix them, and replace them with practical, repeatable approaches they can apply immediately. As AI-generated code becomes the norm, the ability to read code critically, spot security issues, and fix them confidently has never mattered more. This training builds exactly that skill.

Day One covers secure coding fundamentals across the areas where vulnerabilities happen most often: input and output handling, data and secrets protection, authentication and authorization, infrastructure and application safety, resilience, supply chain risks, logging, and operational practices. Each topic is taught using a Bad / Better / Best approach, with real code examples and hands-on exercises so participants can clearly see what insecure code looks like, how it fails, and how to fix it properly.

Day Two applies those skills to APIs using the OWASP API Security Top 10. Participants work through each category of vulnerability using practical examples, learning how issues like broken object-level authorization, SSRF, and unsafe API consumption actually show up in code and how to remediate them effectively.

In the final section, the training moves into secure design. Attendees are introduced to core design principles and guided through a live threat modeling exercise, where they identify assets, trust boundaries, and risks in a realistic system, then prioritize and propose mitigations.

Attendees leave with 42 actionable secure coding rules, hands-on experience with the OWASP API Security Top 10, and a practical threat modeling approach they can use immediately. The goal is not a list of things to memorize. It's a new way of thinking about code and your everyday work.
Speakers
Tanya Janca

Security Trainer and Founder, She Hacks Purple & DevSec Station
Tanya Janca, known online as SheHacksPurple, is the best-selling author of Alice and Bob Learn Secure Coding and Alice and Bob Learn Application Security. She is the founder of DevSec Station, a modern learning platform and community built to help software developers master secure... Read More →
Wednesday November 4, 2026 9:00am - 5:00pm PST
TBA
  2-Day Training

9:00am PST

3 Day Training: Hacking Android, iOS and IoT apps by Example - 2026 Edition
Wednesday November 4, 2026 9:00am - 5:00pm PST
3-Day Training: November 2-4, 2026
Level: Intermediate
Trainer: Abraham Aranguren

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Modern Android and iOS apps rarely operate alone. They sit at the center of rich ecosystems: phones talking to toys, drones, wearables, vehicles, trackers, “smart” homes—and, in multiple countries, even government‑mandated and police apps. In these environments, attackers increasingly target the mobile app as the remote control for the device, often without ever touching the physical hardware.

This 3‑day, 100% hands‑on course is a deep dive into the OWASP Mobile Security Testing Guide (MSTG) and relevant items of the OWASP Mobile Application Security Verification Standard (MASVS). The 2026 Edition fully covers and goes beyond the OWASP Mobile Top Ten, using real‑world Android, iOS, and IoT applications as targets.

7ASecurity is an ISO 27001 and SOC 2–certified cybersecurity consultancy and OWASP Platinum Supporter that focuses on researcher‑led, heavily manual penetration tests and secure code audits. Lessons learned from these engagements—performed for organizations such as the Linux Foundation, Mozilla, the Tor Project, and others—feed directly into the course material, labs, and case studies.

Across three intensive days you will:
Break down Android and iOS apps with static and dynamic analysis.
Discover IoT vulnerabilities using only the apps and APIs, no devices required.
Master practical instrumentation using Frida, Objection, Xposed, and related tooling to bypass protections and deeply inspect runtime behavior.

Ideal for penetration testers, red teamers, mobile developers, and anyone serious about mobile/IoT security, this course is all action, no fluff. It is packed with exercises, extra‑mile challenges, and CTFs, and includes continued education via lifetime access to a training portal with step‑by‑step video recordings, updated labs, and unlimited email support, including all future updates for free.

Teaser Video: https://www.youtube.com/watch?v=Re5oqfVkgd4
Get a free taste of this training, including access to video recordings, slides, and vulnerable apps to play with:
https://7asecurity.com/free-workshop-mobile-practical
https://7asecurity.com/free-workshop-mobile-deeplinks-xss
Speakers
Abraham Aranguren

CEO, Security Trainer, Director of Penetration Testing, 7ASecurity

Abraham Aranguren is the founder and CEO of 7ASecurity (7asecurity.com), an ISO 27001 and SOC 2–certified cybersecurity consultancy and OWASP Platinum Supporter specializing in high‑quality, manual penetration tests and secure code audits. He has more than 24 years of experience... Read More →
Wednesday November 4, 2026 9:00am - 5:00pm PST
TBA

9:00am PST

3-Day Training: Adam Shostack's Threat Modeling Intensive With AI
Wednesday November 4, 2026 9:00am - 5:00pm PST
3-Day Training: November 2-4, 2026
Level: Intermediate
Trainer: Adam Shostack

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

This is our popular Threat Modeling Intensive course, where you'll learn to threat model, and then you'll revisit and learn to complement those skills with a variety of AI systems. You need to know how to threat model to evaluate what the AIs hallucinate, and today you need AI (at least to get your AI-loving boss to leave you alone) and maybe even to help your organization scale.
Speakers
Wednesday November 4, 2026 9:00am - 5:00pm PST
TBA

9:00am PST

3-Day Training: AppSec and AI Security for Developers with Jim Manico
Wednesday November 4, 2026 9:00am - 5:00pm PST

3-Day Training: November 2-4, 2026
Level: Beginner
Trainer: Jim Manico

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Description: This three-day security course is designed for software engineers and AppSec professionals who want to tailor their learning experience. Throughout the class, you’ll select the topics that interest you most—ensuring that the content aligns with your individual needs and goals. We’ll honor every participant’s topic requests, so you can dive deeper into the areas that matter most.

Students will choose from the following material:

Core Modules
  • 00-00 Introduction to Application Security (1 hr): Goals and Threats in AppSec
  • 00-01 Input Validation Basics (1 hr): Allowlist Validation, Safe Redirects
  • 00-02 HTTP Security Basics (1.5 hrs): Response/Request Headers, Verbs, Secure Transport Basics
  • 00-03 SOP and CORS (1 hr): Same-Origin Policy, Cross-Origin Resource Sharing Security
  • 00-04 SQL and Other Injections (1.5 hrs): Parameterized Queries, Secure Database Configurations, Command Injection
  • 00-05 Cross-Site Request Forgery (1.5 hrs): CSRF Defenses for Various Architectures
  • 00-06 File Upload and File I/O Security (1 hr): Secure File Upload, File I/O Security
  • 00-07 Deserialization Security (0.5 hr): Safe Deserialization Practices
  • 00-08 Third-Party Library Security Management (1 hr): Ensuring Third-Party Library Security
  • 00-09 Security Logging and Monitoring (0.5 hr): Security-Focused Logging
  • 00-10 Application Layer Intrusion Detection (0.5 hr): Detecting App Layer Attacks
  • 00-11 Threat Modeling Fundamentals (1 hr): Security Design via Threat Modeling
  • 00-12 Forms and Workflows Security (0.5 hr): Secure Handling of Complex Form Workflows

API Security
  • 01-00 API and REST Security (2 hrs): REST Design, XML, XXE, JSON, API Access Control
  • 01-01 Microservice Security (2 hrs): Security Architectures in Microservices
  • 01-02 JSON Web Tokens (JWT) (1 hr): Addressing JWT Security Challenges
  • 01-03 gRPC Security (1 hr): gRPC Security Architecture

Foundations of AI Security
  • 02-00 Introduction to AI Security (1 hr): Overview of AI Security Concepts, Threats, and Mitigations
  • 02-01 OWASP Top 10 for Large Language Model (LLM) Applications (4 hrs): Top 10 Practices for Protecting Large Language Model Applications

AI Secure Development Practices
  • 02-10 AI for Code Creation (1 hr): Exploring the Security Implications of Using AI for Code Generation
  • 02-11 React Security Prompt Engineering (1 hr): Building Secure React Applications with AI

AI Architecture
  • 02-20 Threat Modeling for AI Systems (1 hr): Applying Threat Modeling Methodologies Specifically Tailored to AI Architectures and Pipelines
  • 02-21 Zero Trust Architectures for AI (1 hr): Adapting Zero Trust Principles in Designing and Deploying Secure AI Infrastructure
  • 02-22 Access Control Design for AI (1 hr): Building Access Control in Vector Database AI Systems
  • 02-23 AI for UI Development (1 hr): Building Access Control in Vector Database AI Systems
  • 02-24 AI Model Updates and Patching (1 hr): Best Practices for Securely Updating and Patching Deployed Models, Especially in Response to Emerging Threats
  • 02-25 Self Hosted Models (1 hr): Strategies for securely deploying and operating self-hosted LLMs and vector stores

AI Adversarial Techniques
  • 02-30 Adversarial Machine Learning (1 hr): Understanding and Mitigating Adversarial Attacks on AI Systems
  • 02-31 Red Teaming AI Systems (1 hr): Conducting Adversarial Testing and Red Teaming for AI Systems to Identify Vulnerabilities and Resilience

AI Supply Chain
  • 02-40 Integrating AI in Software (1 hr): Security architecture patterns, risks, and mitigation strategies for integrating LLMs and AI APIs into real-world applications
  • 02-41 Hugging Face OSS Model Security (1 hr): Securing the Hugging Face Ecosystem
  • 02-42 AI Model Drift and Security Monitoring (1 hr): Strategies for Monitoring Models in Production to Detect Security Drift and Performance Degradation Over Time
  • 02-43 AWS Bedrock (1 hr): Securely using AWS Bedrock to access and manage foundation models
  • 02-44 PySpark Security (1 hr): Securing large-scale data pipelines with PySpark

AI Regulatory and Ethical Frameworks
  • 02-50 Differential Privacy (1 hr): Principles and Practices for Ensuring Privacy and Ethical AI Usage in Business Environments
  • 02-51 European Union AI Act (1 hr): Detailed Examination of the EU AI Act and Its Implications for AI Development and Deployment

Standards
  • 03-00 OWASP Top Ten (1-4 hrs): Top Ten Web Security Risks
  • 03-01 Introduction to GDPR (1 hr): European Data Privacy Law
  • 03-02 OWASP ASVS (1 hr): Comprehensive Secure Coding Standard
  • 03-03 OWASP Top Ten Proactive Controls (1 hr): Web Security Defense Categories
  • 03-04 PCI Secure SDLC Standard (1 hr): Credit Card SDLC Requirements

User Interface Security
  • 04-00 XSS Defense (2 hrs): Client-Side Web Security
  • 04-01 Content Security Policy (1 hr): Advanced Client-Side Web Security
  • 04-02 Content Spoofing and HTML Hacking (0.5 hr): HTML Client-Side Injection Attacks
  • 04-03 React Security (1 hr): Secure React Application Development
  • 04-04 Vue.js Security (1 hr): Secure Vue.js Application Development
  • 04-05 Angular and AngularJS Security (1 hr): Secure Angular Application Development
  • 04-06 Clickjacking (0.5 hr): UI Redress Attack Defense
  • 04-07 Flutter Security (0.5 hr): Flutter Security Basics

Identity & Access Management
  • 05-00 Authentication Best Practices (1.5 hrs): Web Authentication Practices
  • 05-01 Session Management Best Practices (1.5 hrs): Web Session Management Practices
  • 05-02 Multi-Factor Authentication (1 hr): NIST SP-800-63 Compliant MFA Implementation
  • 05-03 Secure Password Policy and Storage (1 hr): Secure User Password Policy and Storage
  • 05-04 Access Control Design (1 hr): ABAC/Capabilities-Based Access Control
  • 05-05 OAuth2 Security (1 hr): OAuth2 Authorization Protocol
  • 05-06 OpenID Connect Security (1 hr): OpenID Connect Federation Protocol
  • 05-07 Brute Force Defense (0.5 hr): Stopping Brute Force Attacks

Crypto Modules
  • 06-00 Secrets Management (1 hr): Key and Credential Storage Strategies
  • 06-01 HTTPS/TLS Best Practices (1 hr): Transport Security Introduction
  • 06-02 Cryptography Fundamentals:
  • 06-02-00 Terminology and Basic Concepts (1 hr): Understanding Key Terms in Cryptography
  • 06-02-01 Steganography (1 hr): Techniques for Concealing Information
  • 06-02-02 Cryptographic Attacks (1 hr): Common Attacks and How to Defend Against Them
  • 06-02-03 Kerckhoffs's Principle and Perfect Forward Secrecy (1 hr): Fundamental Principles in Cryptographic Security
  • 06-02-04 Hash Functions (1 hr): Importance and Use Cases of Hash Functions
  • 06-02-05 Symmetric Cryptography (1 hr): Understanding Symmetric Key Algorithms
  • 06-02-06 Randomness in Cryptography (1 hr): Role and Generation of Randomness
  • 06-02-07 Digital Signatures (1 hr): Ensuring Integrity and Authenticity in Digital Communications

Process
  • 07-00 DevOps Best Practices (1 hr): DevOps and DevSecO
Speakers
Wednesday November 4, 2026 9:00am - 5:00pm PST
TBA

9:00am PST

3-Day Training: Full-Stack Pentesting Laboratory: 100% Hands-On + Lifetime LAB Access
Wednesday November 4, 2026 9:00am - 5:00pm PST
3-Day Training: November 2-4, 2026
Level: Intermediate
Trainer: Dawid Czagan

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Modern IT systems are increasingly complex, making full-stack expertise more essential than ever. That's why diving into full-stack pentesting is crucial—you will gain the skills needed to master modern attack vectors and implement effective defensive countermeasures.

For each attack, vulnerability and technique presented in this training, there is a lab exercise to help you develop your skills step by step. What's more, when the training is over, you can take the complete lab environment home to hack again at your own pace.

I found security bugs in many companies, including Google, Yahoo, Mozilla, and Twitter, and in this training I'll share my experience with you.

Key Learning Objectives
After completing this training, you will have learned about:

- Hacking cloud applications
- API hacking tips & tricks
- Data exfiltration techniques
- OSINT asset discovery tools
- Tricky user impersonation
- Bypassing protection mechanisms
- CLI hacking scripts
- Interesting XSS attacks
- Server-side template injection
- Hacking with Google & GitHub search engines
- Automated SQL injection detection and exploitation
- File read & file upload attacks
- Password cracking in a smart way
- Hacking Git repos
- XML attacks
- NoSQL injection
- HTTP parameter pollution
- Web cache deception attack
- Hacking with wrappers
- Finding metadata with sensitive information
- Hijacking NTLM hashes
- Automated detection of JavaScript libraries with known vulnerabilities
- Extracting passwords
- Hacking Electron applications
- Establishing reverse shell connections
- RCE attacks
- XSS polyglot
- and more …

What Students Will Receive
Students will be handed a VMware image with a specially prepared lab environment to play with all attacks, vulnerabilities and techniques presented in this training. When the training is over, students can take the complete lab environment home (after signing a non-disclosure agreement) to hack again at their own pace.

Special Bonus
The ticket price includes FREE access to my 6 online courses:

- Fuzzing with Burp Suite Intruder
- Exploiting Race Conditions with OWASP ZAP
- Case Studies of Award-Winning XSS Attacks: Part 1
- Case Studies of Award-Winning XSS Attacks: Part 2
- How Hackers Find SQL Injections in Minutes with Sqlmap
- Web Application Security Testing with Google Hacking

What Students Say About My Trainings
References are attached to my LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/). They can also be found here: https://silesiasecuritylab.com/services/training/#opinions – training participants from companies such as Oracle, Adobe, ESET, ING, …

What Students Should Know
To get the most out of this training, intermediate knowledge of web application security is needed. Students should have experience in using a proxy, such as Burp Suite Proxy or Zed Attack Proxy (ZAP), to analyze or modify traffic.

What Students Should Bring

Students will need a laptop with a 64-bit operating system, at least 8 GB RAM, 35 GB free hard drive space, administrative access, the ability to turn off AV/firewall, and VMware Player/Fusion (64-bit version) installed. Prior to the training, make sure there are no problems with running x86_64 VMs.

Additional notes

This new 3-day training was sold out at top security conferences e.g. DEF CON 2024 (Las Vegas), Hack In Paris (Paris).

This is a 100% hands-on training: for each attack, vulnerability and technique presented in this training, there is a lab exercise to help students develop their skills step by step.
Speakers
Dawid Czagan

Founder and CEO, Silesia Security Lab
Dawid Czagan is an internationally recognized security researcher and trainer. He is listed among top hackers at HackerOne. Dawid Czagan has found security bugs in Apple, Google, Mozilla, Microsoft and many others.

Due to the severity of many bugs, he received numerous awards for his findings. Dawid Czagan shares his security experience in his hands-on trainings. He delivered trainings at key industry conferences such as DEF CON (Las Vegas), OWASP 2025 Global AppSec EU (Barcelona), Hack In The... Read More →
Wednesday November 4, 2026 9:00am - 5:00pm PST
TBA

9:00am PST

OWASP SAMM and DSOMM User Day
Wednesday November 4, 2026 9:00am - 5:00pm PST
1-Day Training: November 4, 2026
Level: all
Trainers: Aram Hovsepyan and Timo Pagel

To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.

Advance Your Application Security Maturity with OWASP SAMM and DSOMM
Join us on November 4th, 2026 in San Francisco, CA, as part of Global AppSec USA, for a full-day event dedicated to real-world insights and practical guidance on application security maturity. During the User Day, we are bringing together the OWASP SAMM and DSOMM communities to:
  • Explore how leading organizations apply SAMM and DSOMM to drive meaningful security improvements
  • Get insights into the latest OWASP SAMM benchmark data
  • Participate in interactive sessions to learn from each other about how to advance application security maturity
Whether you’re new to software maturity models or leading enterprise-scale initiatives, you’ll leave with actionable strategies and peer-tested practices to level up your secure development lifecycle.
Wednesday November 4, 2026 9:00am - 5:00pm PST
TBA

10:30am PST

AM Break
Wednesday November 4, 2026 10:30am - 11:00am PST

Wednesday November 4, 2026 10:30am - 11:00am PST
TBA

12:30pm PST

Lunch
Wednesday November 4, 2026 12:30pm - 1:30pm PST

Wednesday November 4, 2026 12:30pm - 1:30pm PST
TBA

3:00pm PST

PM Break
Wednesday November 4, 2026 3:00pm - 3:30pm PST

Wednesday November 4, 2026 3:00pm - 3:30pm PST
TBA

5:00pm PST

Global Board of Directors Public Board Meeting
Wednesday November 4, 2026 5:00pm - 7:00pm PST

Wednesday November 4, 2026 5:00pm - 7:00pm PST
TBA
 
Thursday, November 5
 

7:30am PST

Women in AppSec Breakfast (Sign up required)
Thursday November 5, 2026 7:30am - 8:30am PST
You must already be registered for the conference, and sign-up for the breakfast is required.

Come and enjoy a breakfast committed to making conference friends and friends for life (AKA professional networking) at the Women in AppSec Breakfast, co-hosted by Tanya Janca, Juliane Reimann, Kim Wuyts, and Marisa Fagan.

RSVP now to enjoy great food, pick up your challenge coin early, and walk through the expo hall, if you choose, to start tackling the expo passport program and win prizes.
Speakers
Marisa Fagan

Head of Product, Katilyst
Tanya Janca

Security Trainer and Founder, She Hacks Purple & DevSec Station
Tanya Janca, known online as SheHacksPurple, is the best-selling author of Alice and Bob Learn Secure Coding and Alice and Bob Learn Application Security. She is the founder of DevSec Station, a modern learning platform and community built to help software developers master secure... Read More →
Juliane Reimann

Founder and Security Community Expert, Full Circle Security
Juliane Reimann has worked as a cyber security consultant for large companies since 2019, with a focus on DevSecOps and community building. Her expertise includes building security communities of software developers and establishing developer-centric communication about secure software development... Read More →
Kim Wuyts

Manager Cyber & Privacy, PwC Belgium

Dr. Kim Wuyts is a leading privacy engineer with over 15 years of experience in security and privacy. Before joining PwC Belgium as Manager Cyber & Privacy, Kim was a senior researcher at KU Leuven where she led the development and extension of LINDDUN, a popular privacy threat modeling... Read More →
Thursday November 5, 2026 7:30am - 8:30am PST
TBA

8:15am PST

Expo Hall
Thursday November 5, 2026 8:15am - 9:00am PST

Thursday November 5, 2026 8:15am - 9:00am PST
TBA

8:15am PST

Start Up Sponsors
Thursday November 5, 2026 8:15am - 9:00am PST

Thursday November 5, 2026 8:15am - 9:00am PST
TBA

8:15am PST

Breakfast
Thursday November 5, 2026 8:15am - 9:00am PST

Thursday November 5, 2026 8:15am - 9:00am PST
TBA

8:50am PST

Opening Remarks
Thursday November 5, 2026 8:50am - 9:00am PST

Thursday November 5, 2026 8:50am - 9:00am PST
TBA

10:00am PST

AM Break
Thursday November 5, 2026 10:00am - 10:30am PST

Thursday November 5, 2026 10:00am - 10:30am PST
TBA

10:15am PST

CfP/CfTs for the Newcomer: How To Write A Good Submission
Thursday November 5, 2026 10:15am - 12:15pm PST
Ready to showcase your expertise? Don’t miss the chance to submit for a Call for Trainers or Call for Papers! Join the dynamic Izar Tarandach and Avi Douglen as they take you through the submission process and reveal insider tips on what the review team is looking for when selecting papers. This is your opportunity to shine and make a lasting impact—let’s make it happen!
Speakers
Izar Tarandach

Sr. Principal Architect, SiriusXM
Long-time security practitioner, Sr. Principal Security Architect at SiriusXM, previously at Datadog, Squarespace, Bridgewater Associates to DellEMC via RSA, Autodesk; startup founder, investor and advisor. Founding member of the IEEE Center for Secure Design, holds a masters degree... Read More →
Thursday November 5, 2026 10:15am - 12:15pm PST
TBA