Expert-Led Sessions
Learn from industry leaders with deep technical expertise and real-world experience.
BSides events combine security expertise from a variety of platforms in search of the “next big thing” in information security. BSides is an open platform that gives security experts and industry professionals the opportunity so share ideas, insights, and develop longstanding relationships with others in the community. It is a rare opportunity to directly connect and create trusted relationships with key members of the community.
About UsLearn from industry leaders with deep technical expertise and real-world experience.
Stay ahead with the latest trends, techniques, and strategies in Cyber Security.
Connect with security professionals, developers, and decision-makers from everywhere in the World.
Enjoy a modern, comfortable venue designed to enhance your learning and networking experience.
Engage in practical demonstrations and case studies to reinforce key concepts.
Gain practical knowledge and best practices that you can apply immediately.
BSides Kraków Founder
Application Security Expert, Cássio Pereira is the host of Bsides Kraków.
PurpleBird Security, Founder and Technical Director
Jefferson is a cybersecurity expert with over 15 years of experience, currently serving as Technical Director and Founder of PurpleBird Security.
SecuRing
Julia performs penetration tests for a wide range of IT Projects as a Junior IT Security Specialist at SecuRing.
Security Engineer & Architect
Spyros has over 15 years of experience in the security world. Since the beginning of his career he has been an avid supporter and contributor of open source software and an OWASP volunteer.
Senior Penetration Tester at NVISO
Panagiotis is a Senior penetration tester @ NVISO, with multiple years of experience in ethical hacking and Red Teaming.
Cyber Threat Intelligence Manager and Cyber Mentor at NatWest Bank
Threat Intelligence Manager, Cyber Mentor, Penetration Tester, mainframe enthusiast, and author.
CTO and Co-Founder- SplxAI
Ante is the CTO & Co-Founder of SplxAI, specializing in Generative AI, cybersecurity, and cloud technologies.
Head Cyber Threat Intelligence
Thiago Bordini, Head Cyber Threat Intelligence, executive with more than 20 years of experience in the cyber intelligence market.
Threat Researcher at BforeAI
Aadesh Shinde is Threat Researcher at BforeAI, contributing to the forefront of predictive cybersecurity.
Brazil X-Force Incident Response Leader at IBM
More than 10 years of experience in cyber intelligence and counterintelligence operations.
Woman in Red
Dorota is passionate about the Red Team, and Black Ops part of the Cyber Universe.
Opitv Security, Senior Security Consultant, Attack and Pen
I am Rishabh Gupta, a Senior Security Consultant at Optiv Security with over seven years.
Information Security Research Engineer
Ruslan is a software engineer and cryptographer.
Eat, sleep, code, repeat.
Aivars Kalvāns is a FinTech developer, software architect, and consultant.
Security Engineer | Cybersecurity & Risk
Vlastimil Sindelar is a security engineer who has worked on NATO and EU space and defense programs.
Cloud Engineer - Nextuple Inc
Bodhisattva is passionate about cloud security and digital rights, and AI Governance.
Security Researcher & Software Architect
Technical lead with expertise in security research, full stack software engineering, and blockchain development.
Offensive Security Advisor
Former firefighter in France 🇫🇷 🚒, I decided to pursue my passion for computing and more specifically for offensive cybersecurity.
Cyber Security Analyst
I've been passionate about computers ever since I started "borrowing" my brother’s PC 💾 when I was about 10.
CTO at Warpnet
As a Chief Technolog Officer at Warpnet, Roald uses his acquired skills daily within a variety of context related to cybersecurity.
AI Security & Safety Researcher at Palisade Research
Reworr is an AI security and safety researcher at Palisade Research.
Cyber Security Researcher, Accenture Security
Chen Shiri is a cyber security researcher, hacker, known for his research on low-level security.
Security consultant at Securitum
Kamil Działowy – Penetration Tester at Securitum for 5+ years, conducting dozens of projects annually.
Chief Technology Officer
August Joseph is the Chief Technology Officer at KAZIMI, a cybersecurity firm specializing in pioneering solutions for verified data integrity.
VerSprite, CEO, Author
As the CEO & Founder of VerSprite Security, a global security, privacy, and risk management firm, Tony leads a team of ‘security hybrids’ who deliver tailored and innovative solutions to address the complex challenges faced by some of the world’s largest multi-national companies.
Security Engineer @ Pitch
Security Engineer. Sometimes I try to hack stuff. Investigated by the authorities due to an SQL injection, financed by the powers that be, someone said.
OWASP London Chapter Leader
Sam Stepanyan is an OWASP London Chapter Leader and an Independent Application Security Consultant with over 25 years of experience in IT.
Co-Founder, Sentry
Robert Shala is co-founder of Sentry, where he leads 50 security consultants and has delivered 2000-plus red-team and appsec engagements.
Managing Security Consultant at Sentry Cybersecurity
Armend Gashi is Managing Security Consultant at Sentry.
This is the moment to arrive and check-in to the conference. Get your badge, bag and all the gadgets available and prepare to the busy day ahead.
Here an overview of the conference will be provided, surprises announced and of course the next year plan already. Be prepare to meet new people at this moment.
In this talk we will learn about EDR evasion, in this quick and dirty workshop/overview from day2day Red Team exercises. We will unleash the power of C/C++ and the power of syscalls to evade commercial EDRs. Furthermore, we will learn all about how an EDR works.
This session provides an in-depth look at Generative AI (GenAI) red teaming, including its unique challenges and risks. We’ll explore the new attack surface GenAI creates, common security mistakes, and key areas to focus on during risk assessments.
In this groundbreaking presentation, we will delve into a series of case studies spanning 10 years of incident response in Brazil, where highly sophisticated cyberattacks used custom physical implants to infiltrate the network infrastructure of various companies. We will explore the timeline of these cases, highlighting both the evolution of defenses and attack tactics, and uncover a startling fact: how is it possible that cyberattacks known for a decade are still so effective? What are the critical failures companies are still making? This session is a call to rethink cybersecurity strategies, providing deep insights into where we are failing and how we can improve to face the advanced persistent threats of today and tomorrow.
Lunch break - might or not be included at the venue
TBD
n this session, we’ll dive into a multi-stage attack campaign that resulted in a major financial fraud in Brazil, where a threat group escalated from rudimentary network intrusions - leveraging compromised home and small business routers - to a highly effective social engineering operation targeting contact center operators.
Coffee break - might or not be included at the venue
Mainframes are definitely not relics of the past—they’re still the digital backbone of banks, governments, and Fortune 500s. In this talk, I’ll crack open the world of mainframe hacking, starting with targeted OSINT techniques and pivoting straight into terminal access. I'll demosntrate the scripts, REXX routines, and JCL tools used to gain access, plus demo my newly developed EBCDIC password capture tool.
In an era where digital transparency is expected—and weaponized—our skies are under silent siege. From spoofed military cargo planes to vanishing jets over warzones, modern airspace is no longer just about aviation. It's about deception, surveillance, and disinformation. This talk is a technical, hands-on journey into the aviation side of OSINT, where signals are intercepted, aircraft are tracked (or faked), and raw data tells stories no official statement ever will.
Join me to watch attacks on physical access control systems, showcased during multiple live demos alongside interesting stories from real-life physical Red Team assessments. As a Red Teamer I did a lot of engagements requiring me to break into buildings protected by RFID Access Control Systems. Normally I would start with access card cloning... but what if it's not an option? What are the other ways in which one could bypass these systems?
Here some spoilers of BSides Kraków 2026 will be provided, surprises announced and maybe something more. And the after party place reveled.
This is the moment to arrive and check-in to the conference. Get your badge, bag and all the gadgets available and prepare to the busy day ahead.
Here an overview of the conference will be provided, surprises announced and of course the next year plan already. Be prepare to meet new people at this moment.
Phishing remains one of the most effective tools for cybercriminals, leading to large-scale credential theft, malware infections, and data exfiltration. This workshop provides a hands-on approach to tracking phishing campaigns, analyzing malware distribution networks, and leveraging Threat Intelligence to uncover attacker infrastructure.
In this talk, we will address the growing threat of infostealers malwares designed to steal sensitive information, and how organizations can prepare to respond effectively to these incidents.
This presentation will explore the strategic use of social engineering in penetration testing, focusing on gaining covert access to a client's server room. I will outline how to perform reconnaissance, gather intelligence on company structure, employee behavior, and security vulnerabilities. Attendees will learn effective social engineering tactics such as pretexting, tailgating, baiting, and phishing, all designed to manipulate human behavior and bypass physical security.
Lunch break - might or not be included at the venue
Join me for an engaging session on AzurEye, a new tool I’ve developed to enhance security in Azure environments by scanning for vulnerabilities across various services. This session will provide a comprehensive look at AzurEye, its capabilities, and its potential to transform how Azure administrators and security professionals manage cloud security.
Every company is responsible for securing customer logins, yet there’s no standard approach to implementing effective and reliable authentication. Despite broad adoption, MFA quality varies widely — and poor choices can undermine its benefits.
Coffee break - might or not be included at the venue
Contactless payments by tapping your card are becoming widely accepted. Mobile phones were taught to emulate contactless payment cards by using HCE technology and now we are tapping our phones everywhere.
We rarely get to build from scratch. Many of us inherit legacy systems that were never designed for today’s threats — but still run critical operations. Securing them is not just a technical challenge; it is political, architectural, and deeply operational.
The high cost associated with enterprise Cybersecurity Solutions often mean that small and Medium Organisations are increasingly rely on open-source tools like Snort and Wazuh to detect and manage cyber threats, but these solutions often struggle with high false positives, limited automation, and manual response overhead. This not only is a pain point for the security teams, but also reduce the effectiveness of these solutions compared to the industry leading ones.
Here some spoilers of BSides Kraków 2026 will be provided, surprises announced and maybe something more.
This is the moment to arrive and check-in to the conference. Get your badge, bag and all the gadgets available and prepare to the busy day ahead.
Here an overview of the conference will be provided, surprises announced and of course the next year plan already. Be prepare to meet new people at this moment.
In an era where information is power, the wrong keystroke can mean the difference between security and catastrophe. Killing with Keyboards explores real-world scenarios where digital traces—social media posts, blockchain transactions, leaked metadata—become vulnerabilities exploited by hackers, corporations, and state actors.
In this talk, I will explore the fascinating world of hardware hacking, a domain that remains underappreciated by both security professionals and organizations when assessing their attack surface. My objective is to demystify hardware hacking techniques and demonstrate their significance in modern cybersecurity.
In this talk, we’ll take a deep dive into the world of phishing malware and the obfuscation techniques used to hide malicious JavaScript code. We'll explore how these techniques work and the countermeasures you can use to deobfuscate and expose the hidden threats in real time.
Lunch break - might or not be included at the venue
As modern vehicles evolve into complex networks of software and hardware, they become increasingly susceptible to cyber threats. This presentation delves into how Python can be utilized to both identify vulnerabilities and enhance the security of automotive systems. We will explore real-world scenarios where Python tools and techniques are applied to penetrate vehicle networks, analyze security flaws, and develop robust defenses against potential attacks.
I'll talk about the current state of LLM capabilities in offensive security, including their practical skills across various domains, benchmarks used for evaluation and how they work, and how these models can be misused by attackers. We'll examine the current offensive use of LLMs, including misuse by threat actors and specific real-world examples, and walk through concrete implementations of AI hacking agents and related misuse/abuse workflows. Finally, I'll discuss existing limitations, emerging threats, and future potential and directions of offensive AI capabilities.
Coffee break - might or not be included at the venue
This presentation delves into my new research and methodologies for attacking Deep Neural Networks (DNNs) and AI models in black-box environments (without access to internal parameters.).
Description TBD
Description TBD
Here some spoilers of BSides Kraków 2026 will be provided, surprises announced and maybe something more.
This is the moment to arrive and check-in to the conference. Get your badge, bag and all the gadgets available and prepare to the busy day ahead.
Here an overview of the conference will be provided, surprises announced and of course the next year plan already. Be prepare to meet new people at this moment.
Despite our collective efforts, we haven’t managed to harmonize tools and processes. Several projects like ASVS, SAMM and others have attempted information harmony but only the now defunct Glue has attempted tool orchestration harmonization and for good reason, it is a hard problem to solve, almost impossible by volunteers alone.
OWASP Nettacker project (a portmanteau of "Network Attacker") was created to automate the information gathering, vulnerability scanning and in general to aid the penetration testing engagements. Nettacker recently gained a lot of interest from the European and Asian penetration testing communities and was even included in the specialist Linux distribution for penetration testers and security researchers. Nettacker is able to run various recon and vulnerability detection scans using a variety of methods and generate scan reports for applications and networks, including open ports, services, vulnerabilities, misconfigurations, default credentials and many other cool features - for example an ability to chain different scan methods. This talk will feature a live demo and several practical usage examples of how organisations can benefit from this OWASP project for automated security testing
PDFs - rise, decline, and revival: a journey across how we have changed our way of viewing and editing PDF files by moving from offline clients to online services, and how this is changing the role of PDF files as attack vectors.
Lunch break - might or not be included at the venue
As AI agents increase in capability and autonomy, they introduce novel attack surfaces and threat vectors that traditional security approaches may miss. This presentation introduces a specialized adaptation of the Process for Attack Simulation & Threat Analysis (PASTA) methodology for AI red teaming, specifically tailored for development teams building agentive solutions.
Apps run on ads. Ad networks and analytics companies require an SDK to be installed in the app to run. These SDKs are riddled with exploits, vulnerabilities, unsolicitated tracking, and disgusting behaviours. In this talk, we'll go through some of those techniques and explain how everyone in this industry does not care about you: the actual users.
Coffee break - might or not be included at the venue
Most pentesters and defenders focus on the usual suspects: SSH, HTTP(S), and SMB. But what about the overlooked and obscure? In this talk, we’ll explore how unusual or “boring” ports can become goldmines for attackers. From printers exposing raw port 9100, to UPnP and IPMI exposing full control, to database services with weak auth on non-default ports — attackers are actively scanning beyond the top 10. We’ll walk through real-life examples and live-style demos of exploits against protocols like mDNS, WS-Discovery, VNC, Telnet, and even management ports hiding behind non-standard numbers. This talk is built for defenders and pentesters who want to think outside the port-scan box and understand what really happens when you look past the defaults.
Description TBD
The Chat Completions (ChatML) message schema [{role, content}, …] has become the lingua‑franca of large‑language‑model APIs. DeepSeek, xAI Grok, GroqCloud, NVIDIA NIM, and many self‑hosted gateways expose endpoints that promise “drop‑in OpenAI compatibility.” That convenience ships with a hidden threat: any client that can smuggle a message labelled role:"developer" or role:"system" silently outranks the end‑user and can re‑program the agent, invoke privileged tools, or drain tokens.
Here some spoilers of BSides Kraków 2026 will be provided, surprises announced and maybe something more.
This is the moment to arrive and check-in to the conference. Get your badge, bag and all the gadgets available and prepare to the busy day ahead.
Here an overview of the conference will be provided, surprises announced and of course the next year plan already. Be prepare to meet new people at this moment.
Description TBD
Description TBD
Description TBD
Lunch break - might or not be included at the venue
Description TBD
Description TBD
Coffee break - might or not be included at the venue
Description TBD
Description TBD
Here some spoilers of BSides Kraków 2026 will be provided, surprises announced and maybe something more.
zł 0,00
zł 100,00
zł 49,99
zł 0,00
zł 0,00
zł 1,00
Let's Connect!
Have questions, suggestions, or requests? I'm here to help! Feel free to reach out, and let's discuss how we can work together to improve application security.
📩 Get in Touch – Your insights and inquiries are always welcome!
You can send us an email that we will get back to you as soon as possible.
contact@bsideskrakow.plTickets for this event are free, but availability is limited. If you claim a ticket, please make sure you attend or let us know in advance if you can’t make it. This way, we can offer your spot to someone else who’s eager to join. Let’s make the most of this opportunity together! 🚀