Guarding Your Identity

IN PERSONMarch 11-15, 2024Arlington, VA

SO-CON 2024 is a one-day summit followed by adversary and fundamentals training courses.

REGISTER TO ATTEND SIGN UP FOR UPDATES
Countdown to SO-CON!
days : hours : minutes
OVERVIEW
Discover Cutting Edge Insights

Explore new approaches, tools, and techniques to combat identity-based attack paths. Discover the latest trends, research from frontline practitioners, case studies and firsthand experiences.

Learn Comprehensive Skills

Gain in-depth knowledge into how to attack, defend, and harden enterprise environments against advanced threat actors from our in-the-field experts.

Connect with Industry Peers

Connect in-person on the latest in the industry. Immerse yourself in interactive sessions, gain practical insights, and build lasting relationships.

Agenda

One Day Summit

Monday,
March 11

8 – 9 AM Breakfast
9 AM – 12 PM Talks
12 – 1 PM Lunch
1 – 5 PM Talks
6 PM Reception

Trainings

Tuesday,

March 12

Wednesday,

March 13

Thursday,

March 14

Friday,

March 15
8 – 9 AM Breakfast
9 AM – 12 PM Trainings
12 – 1 PM Lunch
1 – 5 PM Trainings
Luke Jennings

VP, Research & Development
Push Security

Once upon a time, we thought of cyber attacks in terms of recon, port scanning, enumeration, vulnerability identification and exploitation and we had various approaches we would use to frustrate attackers at every phase. As the cat and mouse game of security continued, this eventually morphed into an endpoint compromise focused process involving initial access, exploitation, persistence, command and control and lateral movement inside a complex internal network. But with the remote working and SaaS revolution, the way organizations work has changed radically – so what does the cyber kill chain look like now?

This talk will consider what a new SaaS cyber kill chain looks like for modern organizations that are fully SaaS native without any concept of an internal network, and the surprising number of attacks that are possible without touching company owned endpoints or infrastructure. We will consider topics like how the initial access stage is changing due to the availability of so many potential beachheads, what lateral movement looks like in a world with no internal infrastructure to migrate to and how persistence methods have changed and are much more resilient to common containment measures such as password resets and secure device wipes. Finally, we’ll consider how the open-source SaaS attacks matrix can be used by both red and blue teams to help navigate this new world.

Christopher Crowley

Founder
Montance®

In its 7th year, the SOC Survey continues to be a valuable source of peer comparison for Cybersecurity Operations Centers. Christopher Crowley, Founder of Montance®, has authored this survey for each of its editions. He will provide insights, unknowns, and some details of the analysis performed to author the document of more than six hundreds SOCs surveyed.

Crowley will review key findings from the 2023 survey: SOC capabilities, funding, staffing, and challenges. He’ll discuss how SOCs use Threat Intelligence, what technology gets good grades, and which technologies are failing to fulfill their promise.

After executive summary highlights of some survey findings, he’ll delve into details using the public release data from the survey responses. This includes a quick fundamentals review of the setup for jupyter notebook, pandas, and seaborn.

Then, using this environment he’ll discuss analysis considerations starting from data cleaning issues and moving into more advanced analysis. He’ll also provide instructions and code samples that would allow attendees to answer their own questions from the released data. Attendees can download the python Jupyter notebook and data set to follow along during the presentation, or work on afterward.

Then, using this environment he’ll discuss analysis considerations starting from data cleaning issues and moving into more advanced analysis. He’ll also provide instructions and code samples that would allow attendees to answer their own questions from the released data. Attendees can download the python Jupyter notebook and data set to follow along during the presentation, or work on afterward.

This session gives you the headlines, but also the skills to get into the details if you choose. Or, you can come watch and laugh along with him as he typos his way through the python and pandas code.

Joshua Prager

Principal Consultant
SpecterOps

Nico Shyne

Consultant
SpecterOps

We’ll dive into Active Directory domain persistence techniques focused on identifying attacks and reclaiming control over organizational domains after a breach. The presentation explores various advanced adversarial techniques such as credential theft on domain controllers, NTDS access, DCSync, and the creation of Golden and Diamond Tickets. It emphasizes the importance of detecting these methods to effectively triage and counteract them. The presentation highlights the need for organizations to be vigilant in monitoring and securing their domains, as adversaries continually seek innovative ways to maintain access, posing significant threats to data security.

Additionally we’ll cover post-compromise strategies, detailing the steps necessary for rotating domain secrets and enhancing Windows Security event auditing to better detect domain persistence activities. We’ll provide a comprehensive guide on resetting and securing various account types, including machine, user, and service accounts, and emphasizes the criticality of rotating the KRBTGT account to prevent the abuse of Golden Tickets. This presentation will serve as a starting guide for critical technique detection generation and organizational recovery scenarios.

Adam Chester

Principal Security Consultant
TrustedSec

It’s rare to find organisations who haven’t dipped their toe into the world of cloud-based Identity Providers. Whether it’s Okta, Ping, Entra ID, or the myriad of other providers gaining traction, the days of managing federated identities with on-premises solutions like ADFS are fading, instead replaced by third party services offering to offload the burden of securing the gates to critical assets.

However, as 2023 has continued to show us, attackers are quick to adapt. And with the rise in breaches coming from targeted attacks against Identity Providers, perhaps the Idp cloud-topia isn’t everything it was promised to be. Nevertheless, there remains a limited availability of information regarding the techniques used in these attacks.

In this talk I’ll aim to lift the lid on the methods we utilise during a Red Team assessment to target Identity Providers. I’ll show the tactics I’ve found to be effective, demonstrate tools and techniques that have proven useful when meeting objectives that lie beyond the Single Sign-On portal. We’ll look at why synchronisation servers should be treated with the same level of protection as domain controllers, look at how attackers within an organisation can pivot to external services protected by Identity Providers, and hopefully equip you with few new tools for your offensive arsenal.

Jeremy Fox

Senior Security Engineer
Datadog

The attack surface within modern cloud-native organisations is vast, with often tens or hundreds of thousands of application instances. Understanding interdependencies in a system of this scale, in particular gaps left open by seemingly innocent configuration changes, is beyond human capability. As such, the current mental model of defense remains list-based; attempting to identify vulnerable configurations of single resources. This illustrates the well-known adage: “Defenders think in lists, attackers think in graphs; as long as this is true, attackers win”

In this talk we will focus on Kubernetes security, using our open source attack path calculator – KubeHound – to pivot the mental model of defense from list-based thinking to graph-based thinking. We will first highlight some of the shortcomings of list-based approaches. We will then demonstrate how attack graphs can address these shortcomings using KubeHound as an example. Finally we will walk through the development process of KubeHound, how we created an abstract graph model of attacks in Kubernetes based on public research, and how the process could be expanded to other domains.

At the end of the talk you should have a good understanding of how graph-based techniques can help address the complexities of security in modern Kubernetes deployments, and a roadmap for creating your own graph based attack model in other domains.

Daniel Heinsen

Service Architect
SpecterOps

In the evolving landscape of cloud security, automating identity attack path discovery has emerged as a critical strategy for mitigating cyber threats. This talk delves into the concept of “Tier 0” security within the AWS ecosystem and introduces Apeman, a novel prototype tool designed to map and visualize AWS identity attack paths. The discussion will also delve into the challenges encountered during Apeman’s development.

Evan McBroom

Staff Software Engineer
SpecterOps

Accessing LSASS memory has been a common goal for attackers due to its management of user credential material. Microsoft has added multiple features to Windows to make gaining such access more difficult including Credential Guard, Remote Credential Guard, and Protected Processes Light (PPL). These features are helpful but irrelevant if an attacker is able to request credentials from the LSA directly. The presentation cover such an approach and how accessing LSASS memory is unneeded to recover a wealth of credential data and to perform other attacker tradecraft.

Duane Michael

Managing Consultant
SpecterOps

Chris Thompson

Principal Consultant
SpecterOps

Configuration Manager (SCCM) attack paths have become more and more common recently. The impact of these attack paths is significant, as they often directly lead to domain compromise, else enable it. In this talk we discuss some of the most critical and common SCCM attack paths we’ve discovered and abused in the wild and how to best mitigate and manage them. Additionally, we introduce a model for SCCM attack path management that can be used by both red and blue.

Elad Shamir

Director of R&D
SpecterOps

As we enter 2024, the legacy of NetNTLM, a 30-plus-year-old authentication protocol, continues looming over enterprise security. Despite Microsoft’s advice against its use since 2010, NTLM’s deprecation remains a challenge. Contrary to the belief of most security practitioners who consider NTLM-related attacks to be a solved problem or of negligible risk, attackers have been developing advanced adversary tradecraft abusing NTLM for decades, and it is now one of the most effective avenues for compromising internal systems, including Active Directory and the entire enterprise identity infrastructure.

In this talk, we delve deep into the world of NTLM, uncovering the most impactful techniques for exploiting its vulnerabilities. We’ ll review sophisticated NTLM-related attacks orchestrated by top-tier threat actors, highlighting tradecraft that remains largely unknown in the security community. Our journey will traverse the evolution of NTLM, from its basic concepts to advanced real-world relay scenarios, including subtle yet impactful abuses.

But there’s more than just exposing the problem. We’ll engage in a solution-oriented discussion, exploring effective mitigation strategies, Microsoft’s plans for addressing these vulnerabilities, and the practical challenges in eradicating NTLM’s legacy. Whether you’re a seasoned security professional or new to the field, this presentation will equip you with a nuanced understanding of NTLM’s current risks and prepare you to better attack or defend networks against these enduring threats.

John Hopper

Director of Engineering
SpecterOps

Rohan Vazarkar

Senior Software Developer
SpecterOps

Security domains like Microsoft Entra, Active Directory, AWS IAM and others are highly complex and difficult to examine. BloodHound is a tool that utilizes graph constructs to make these domains easier to reason with to shorten time to discovery of interesting attack vectors. Throughout SpecterOps’ journey in producing BloodHound with a focus on Attack Path Management there have been many engineering hurdles that we have had to overcome. This talk dissects several of the problems encountered and the engineering solutions employed to solve them.

Andy Robbins

Principal Product Architect
SpecterOps

Jonas Bülow Knudsen

Product Architect
SpecterOps

Active Directory Certificate Services (ADCS) is Microsoft’s native PKI solution, used by many organizations to facilitate smart card authentication, TLS certificate issuance and verification, code signing, and other tasks. ADCS is a complicated system with many moving parts and possible configurations, out of which privilege escalation opportunities often emerge. Discovering those opportunities by hand is a tedious, time-consuming, and error-prone process.

In this talk, we will explain and demonstrate how BloodHound dramatically simplifies the discovery, analysis, and execution of attack paths traversing ADCS objects. We will show how with just a few clicks, BloodHound reveals these attack paths in seconds that would otherwise take hours or even days to discover by hand. We will demonstrate how attackers execute these attack paths as well as using common tooling such as Rubeus and Certify.

We will also discuss practical, reliable remediation strategies that defenders can use to greatly mitigate the risks created by attack paths in ADCS. Due to the complexity of this system, there is no “one size fits all” solution to any particular ADCS attack path, so we will share our lessons from the field in helping organizations mitigate and eliminate those attack paths without causing any business disruption.

Olaf Hartong

Defense Specialist and Security Researcher
FalconForce

Dive deep into the world of BloodHound, a tool that has revolutionized the way we identify and analyze attack paths. Despite its benefits, we encounter many teams that struggle to maximize its potential due to time constraints or knowledge gaps. This talk aims to bridge these gaps, unveiling tips and tricks to keep your BloodHound database up-to-date and use it for automatic detection and enrichment.

We’re excited to introduce you to FalconHound, a toolkit designed to augment BloodHound’s capabilities. Discover how FalconHound integrates with a host of security tools, offering features like tracking sessions, environment changes, alerts, and incidents – all in near-real time!

Embrace the power of bi-directional contextual information to prioritize critical alerts better and stop attackers in their tracks before they reach their goal. Learn how tools like BloodHound and FalconHound can serve as extensions of your live monitoring capabilities, helping you catch attackers in real-time and limit the impact of breaches. One of the coolest features is the ability to track active lateral movement, which allows the possibility to stop an attacker in their tracks.

Will Pearce

Co-Founder
Dreadnode

Nick Landers

Co-Founder
Dreadnode

2023 was a breakthrough year for all things Machine Learning, especially for generative use cases. The community saw models and frameworks released at a blistering pace thanks to innovative solutions to fit LLMs onto smaller and smaller devices (LoRA, PEFT, etc). The industry saw the rise of risk assessment frameworks and legislative actions, leading to new requirements for organizations to follow.

Our talk will cover various pairing of these state of the art (SOTA) models and techniques with the traditional security and identity tools like Bloodhound, Seatbelt, and Mythic. We’ll introduce the framework of “Offensive ML” as a discipline and work to use machine learning to support better security solutions. AI promises massive change across cybersecurity, but rather than speculate in the abstract, we’ll focus on practical solutions and demonstrations.

Justin Kohler

Vice President of Products
SpecterOps

Three years after we published the Attack Path Management Manifesto, BloodHound Enterprise (BHE) has become a cornerstone of the Identity security strategy for hundreds of organizations, uncovering and mitigating billions of Attack Paths in the process.

Join this session to delve into the practical insights gained from real-world deployments and explore leading practices for managing Identity Attack Paths

Cody Thomas

Senior Software Engineer
SpecterOps

In this presentation, we delve into the uncharted territories of offensive security using the Mythic C2 platform. Moving beyond traditional red teaming approaches, we explore unconventional agents that redefine how operators interact with target environments. Discover the power of remotely controlling webshells seamlessly alongside beaconing agents from a unified interface, and the creation of agents designed not to act directly on victim systems but to intelligently interact with external services, such as Bloodhound, Ghostwriter, or Nemesis. Join us as we unravel Mythic’s versatility and uncover innovative strategies for achieving red teaming success in today’s dynamic cybersecurity landscape.

Adam Brown

Public Sector

Matt Creel

SpecterOps

Red team operators are often faced with the conundrum of running SharpHound and risking detection, or fighting the uphill battle of mapping Active Directory attack paths without BloodHound’s aid. In this talk, we’ll examine a workflow that grants operators granular control over the speed and depth of Active Directory enumeration, while still leveraging the power of BloodHound’s relationship mapping and Cypher queries. The discussion will also cover common SharpHound detection strategies and how to account for them when approximating a SharpHound data collection.

TRAININGS

Upgrade your skills by taking one of our four different courses.

Free Summit Pass Included

Engage with our Frontline Practitioners

Evening Social Events

Test Your Skills on Bonus Cyber Ranges

This intense course immerses students in a single simulated enterprise environment, with multiple networks, hardened endpoints, modern defenses, and active network defenders responding to red team activities. We will focus on in-depth attacker tradecraft post-initial access; braking out of the beachhead, establishing resilient command and control (C2) infrastructure, gain situational awareness through opsec aware host and network enumerations, perform advanced lateral movement and sophisticated Active Directory escalation, gain persistence (userland, elevated, and domain flavors), and perform advanced Kerberos attacks, data mining, and exfiltration.

Register Now

In Adversary Tactics: Tradecraft Analysis, we will present and apply a general tradecraft analysis methodology for offensive TTPs, focused on Windows components. We will discuss Windows attack techniques and learn to deconstruct how they work underneath the hood. For various techniques, we will identify the layers of telemetry sources and learn to understand potential detection choke points. Finally, the course will culminate with students creating their own technique evasion and detection strategy. You will be able to use the knowledge gained to both use your telemetry to create robust detection coverage across your organization, and truly assess the efficacy of that coverage.

Register Now

This course builds on standard network defense and incident response (which often focuses on alerting for known malware signatures) by focusing on abnormal behaviors and the use of adversary Tactics, Techniques, and Procedures (TTPs). We will teach you how to engineer detections based on attacker TTPs to perform threat hunting operations and detect attacker activity. In addition, you will learn use utilize free and/or open source data collection and analysis tools (such as Sysmon, Windows Event Logs, and ELK) to analyze large amounts of host information and build detections for malicious activity. You will use the techniques and toolsets you learn to create threat hunting hypotheses and build robust detections in a simulated enterprise network undergoing active compromise from various types of threat actors.

Register Now

Get Your Head in the Clouds! This course will teach participants the fundamentals of Azure, with a focus on security informed by attacker insight. Participants will build on this knowledge through an understanding of how Azure architectures, like solely cloud-based environments or hybridized on-premises and Azure environments, can affect the overall security of an environment. Participants reinforce what they learn through hands-on labs throughout the course and through guidance given by SpecterOps practitioners instructing the class.

Register Now

SPEAKERS

SPEAKER

Adam Brown

Public Sector

VIEW BIO
SPEAKER

Adam Chester

Principal Security Consultant
TrustedSec

VIEW BIO
SPEAKER

Andy Robbins

Principal Product Architect
SpecterOps

VIEW BIO
SPEAKER

Christopher Crowley

Founder
Montance®

VIEW BIO
SPEAKER

Chris Thompson

Principal Consultant
SpecterOps

VIEW BIO
SPEAKER

Daniel Heinsen

Service Architect
SpecterOps

VIEW BIO
SPEAKER

David McGuire

Chief Executive Officer
SpecterOps

VIEW BIO
SPEAKER

Duane Michael

Managing Consultant
SpecterOps

VIEW BIO
SPEAKER

Elad Shamir

Director of R&D
SpecterOps

VIEW BIO
SPEAKER

Evan McBroom

Staff Software Engineer
SpecterOps

VIEW BIO
SPEAKER

Jeremy Fox

Senior Security Engineer
Datadog

VIEW BIO
SPEAKER

John Hopper

Director of Engineering
SpecterOps

VIEW BIO
SPEAKER

Jonas Knudsen

Product Architect
SpecterOps

VIEW BIO
SPEAKER

Joshua Prager

Principal Consultant
SpecterOps

VIEW BIO
SPEAKER

Justin Kohler

Vice President of Products
SpecterOps

VIEW BIO
SPEAKER

Luke Jennings

VP, Research & Development
Push Security

VIEW BIO
SPEAKER

Matt Creel

SpecterOps

VIEW BIO
SPEAKER

Nick Landers

Co-Founder
Dreadnode

VIEW BIO
SPEAKER

Nicolas Shyne

Consultant
SpecterOps

VIEW BIO
SPEAKER

Olaf Hartong

Defense Specialist and Security Researcher
FalconForce

VIEW BIO
SPEAKER

Rohan Vazarkar

Senior Software Developer
SpecterOps

VIEW BIO
SPEAKER

Will Pearce

Co-Founder
Dreadnode

VIEW BIO
SPEAKER

Cody Thomas

Senior Software Engineer

VIEW BIO
Adam Brown

Public Sector

Adam Brown is a seasoned professional with almost a decade of experience in software engineering and offensive security. Holding a master’s degree in software engineering, he began his career in the public sector, specializing as a developer and expanding his skill set as a red team operator, ultimately assuming leadership in long-term red team operations. His journey continued at Fortalice Solutions, where he directed the Offensive Research and Development team, overseeing strategic research initiatives while continuing to lead and mentor in adversary emulation. Currently, Adam is dedicated to modernizing and advancing large-scale offensive security solutions in the public sector.

Adam Chester

Principal Security Consultant
TrustedSec

Adam has over 10 years of professional experience in offensive and defensive security, specializing in conducting intelligence-led attack simulations for a range of sectors.

As a firm believer in free and open information sharing, Adam has spent his career developing tools and techniques to help further the skills of the offensive security industry. From working with a range of companies to identify and remediate vulnerabilities, to researching novel methods that Red Teams can use to avoid detection, Adam has contributed research openly with the aim of helping the Information Security community assess and defend against a range of adversaries.

Andy Robbins

Principal Product Architect
SpecterOps

Andy’s background is in red teaming, where he performed numerous red team operations and penetration tests against banks, credit unions, health-care providers, defense companies, and other Fortune 500 companies across the world. He has presented at BlackHat USA, DEF CON, BSides Las Vegas, DerbyCon, ekoparty, and actively researches Active Directory and Azure security. And is a co-creator of BloodHound, and the Product Architect of BloodHound Enterprise.

Christopher Crowley

Founder
Montance®

Mr. Crowley has 20 years of industry experience managing and securing networks. His consultant company Montance® LLC , based in the Washington, DC area focuses on effective computer network defense. His work experience includes penetration testing, security operations, incident response, and forensic analysis.

His current primary focus is cybersecurity operations. Montance® LLC is a trusted independent Information Security partner providing cybersecurity assessment, and framework development services enabling clients to create a new SOC, or improve existing security operations. We are committed to enhancing your SOC capabilities to execute its mission: to provide optimum security protection for digital assets. Montance® LLC has provided services to organizations large and small in the financial, industrial, energy, medical, and government sectors.

Chris Thompson

Principal Consultant
SpecterOps

Chris is an adversary simulation operator at SpecterOps with over ten years of experience in information security, serving numerous Fortune 500 clients in the retail, consumer products, financial, and telecom industries. He has extensive experience leading network, web application, and wireless penetration tests, social engineering engagements, and technical security assessments to provide actionable recommendations that align with each client’s security strategy and risk tolerance. Chris enjoys researching and applying new tradecraft to overcome technical challenges and writing tools to automate tasks and improve efficiency.

Daniel Heinsen

Service Architect
SpecterOps

Daniel Heinsen is a red team operator, offensive tools developer, and security researcher at SpecterOps. Prior to working at SpecterOps, Daniel spent over 10 years within the U.S. Department of Defense as a software developer and capabilities specialist. Daniel has experience in offensive tool development, Windows internals, and web application exploitation. Since joining SpecterOps, Daniel has directed his research focus to novel initial access vectors and AWS. He maintains several projects at https://github.com/hotnops and posts to his blog at https://medium.com/@hotnops.

David McGuire

Chief Executive Officer
SpecterOps

David specializes in building enterprise adversary-focused assessment teams, which have performed thousands of engagements for large private-sector organizations and major government agencies. David has extensive experience in conducting highly specialized, large-scale adversarial operations against a variety of targets. In addition, he has built several training courses focused on red team operations methodologies. In his previous life, David was a senior technical lead for the National Security Agency Red Team, providing mission direction through numerous large-scale operations.

Duane Michael

Managing Consultant
SpecterOps

Duane is an adversary simulation operator at SpecterOps and a veteran of the US Marine Corps with 10+ well-rounded years in IT and information security. His experience spans across private and federal sectors and includes time spent in security operations, engineering, incident response, and penetration testing. Duane enjoys collaborating with clients through both an offensive and defensive lens to improve the detection and response capability of security programs, an activity he has performed at scales ranging from focused, boutique engagements to the extensive enterprise networks of numerous Fortune 500 organizations.

Elad Shamir

Director of R&D
SpecterOps

Elad has over a decade of experience across the different domains of information security and spent most of his career focusing on security research and delivering offensive security services. Previously, Elad served in the Israeli intelligence and worked in the private sector in Israel and Australia. Elad specializes in identifying security flaws in complex systems and weaponizing intended functionality for offensive capabilities, particularly in Windows and Active Directory environments. Elad occasionally blogs at https://eladshamir.com.

Evan McBroom

Staff Software Engineer
SpecterOps

Evan McBroom is an operationally focused cyber security engineer with a background in offensive computer network operations. Evan has previously worked as an analyst and operator at HORNE Cyber and as a software developer at the Department of Defense directly supporting fast paced operations for all prioritized mission sets. Evan blogs occasionally at https://gist.github.com/EvanMcBroom.

Jeremy Fox

Senior Security Engineer
Datadog

Jeremy Fox is a cybersecurity specialist with 10 years experience across government and private sector. Following a career change from the finance industry, he developed a wide range of skills in offensive security from reverse engineering and exploit development to red team operations and cloud security.

He is an engineer at heart, having programmed in everything from C/C++ and ASM, through Python and .NET, to Golang. Although his first love was, and always will be, low-level Windows internals, he now works as a Senior Security Engineer at Datadog developing automated offensive security tooling to detect vulnerabilities in large scale cloud environments. His most recent project is KubeHound, an automated Kubernetes attack path calculator.

John Hopper

Director of Engineering
SpecterOps

John is a software engineer with 15 years of experience stretching from low-level Linux implementation work to hyper scale services an industry cloud provider. He has experience in a wide array of technologies with a focus on systems and fleet management as well as distributed databases and storage solutions. He works on personal projects on GitHub at github.com/zinic and maintains them as a hobby.

Jonas Knudsen

Product Architect
SpecterOps

Jonas is a passionate IT security professional with experience in helping organizations improve their Windows and Active Directory security level through offensive and defensive services. He enjoys remediating attack paths using pragmatic approaches without breaking production systems. Jonas has developed a FOSS tool called ImproHound to identify attack paths breaking tier model implementation in Active Directory using Bloodhound data: https://github.com/JonasBK/ImproHound

Joshua Prager

Principal Consultant
SpecterOps

Josh Prager has over 9 years’ experience focusing on DoD red team infrastructure, cyber threat emulation and threat hunting. As a former threat hunter for Accenture’s Adversary Research and Reconnaissance Team he developed various cyber threat emulation and threat hunting programs within the Federal industry.

Justin Kohler

Vice President of Products
SpecterOps

Justin is an operations expert who has over a decade of experience in project and program development. After the Air Force, he worked for several consulting firms focused on process and workflow optimization. He enjoys building and leading teams focused on customer delivery at Fortune 500 companies.

Luke Jennings

VP, Research & Development
Push Security

Luke Jennings is a security researcher from the UK. He spent most of his early career focused on red teaming and offensive security research at MWR, before moving on to developing new detection and response techniques and designing EDR software as the Chief Research Officer for Countercept. He has now pivoted away from the endpoint to focusing on the emerging threats in SaaS security at Push Security.

Matt Creel

SpecterOps

Matt Creel is a Consultant on the Adversary Simulation team. His experience is concentrated in performing penetration tests and red team assessments for clients of varying sizes and industries. Matt is an avid Python developer, enjoys creating security-related tools, and is always learning more about Active Directory and Windows internals. Matt has previously spoken at DEF CON and holds the OCSP and CRTO certifications.

Nick Landers

Co-Founder
Dreadnode

Nick Landers is an established offensive engineer and researcher, with a focus on training, consulting, tool development, malware internals, and security research. He held the position of VP of Research at NetSPI after leading the Red Team at Silent Break Security. Notable for his “Dark Side Ops” course series, Nick has shared his expertise at industry conferences like Black Hat, as well as in private sessions for internal teams. His work combines deep technical knowledge with practical applications in cybersecurity.

Nicolas Shyne

Consultant
SpecterOps

Nico is an Associate Consultant on the Defensive Capability team. He graduated from the US Naval Academy (Beat Army) with a degree in Cyber Operations. Prior to joining SpecterOps Nico served as a Surface Warfare Officer and as an Information Professional Officer during his naval career. Nico loves finding new programming languages to play with and in his free time can be found working on two of his other passions: music and movies.

Olaf Hartong

Defense Specialist and Security Researcher
FalconForce

Olaf Hartong is a Defensive Specialist and security researcher at FalconForce. He specializes in understanding the attacker tradecraft and thereby improving detection. He has an extensive background in detection engineering and threat hunting. Olaf is the author of several open source security tools like sysmon-modular, Splunk Threathunting app and co-author of FalconHound.

Rohan Vazarkar

Senior Software Developer
SpecterOps

Rohan is an operator and developer for SpecterOps with extensive experience performing penetration tests and red team engagements. He has spoken at numerous security conferences including DEF CON, Black Hat, SANS Hackfest, and more. He also conducts research and releases tactics for leveraging security weaknesses in Windows based platforms. Rohan is the co-author of the BloodHound analysis platform and has contributed to other open source projects such as Empire and EyeWitness.

Will Pearce

Co-Founder
Dreadnode

Will Pearce is a prominent figure in the AI security and red teaming world, specializing in attacking machine learning systems and developing both tools and methodologies. He plays a key role on the steering committee for the AI Village and notably co-architected and hosted the AI Village Capture the Flag competition at DEFCON. Will has served as the AI Red Team Lead at both Microsoft Azure and NVIDIA, following his tenure as a Senior Security Consultant at Silent Break Security. His expertise in offensive machine learning is recognized at various industry and academic forums, including Blackhat, Defcon AI Village, WWHF, DerbyCon, LabsCon, and at events like the SAI Conference on Computing and IEEE.

Cody Thomas

Senior Software Engineer

Cody Thomas is a red team operator and developer focusing on macOS and *nix devices. He created the initial Mac and Linux ATT&CK matrices while he was working on the Adversary Emulation team at MITRE. Cody has spoken at a few conferences and works on his open source framework for Red Teaming called Mythic. He maintains his blog at its-a-feature.github.io.

Back to Team

SpecterOps Capture the Flag Challenge

  • Test your cybersecurity skills in the Capture the Flag exercise, which showcases challenges of varying difficulty.
  • No trivia to be found here! This CTF requires participants to execute an attack path in a simulated environment.
  • No setup is needed; simply use a browser for the competition.
  • Compete for points, learn new skills through hints, or choose to do both.
  • Prizes will be awarded for the highest scores.

SO-CON 2024 training participants can choose from three unique CTF scenarios:

The Last Ones

You have been hired by Joe and Ella to help save humanity and prevent the corrupt organization UDRA from developing a dangerous weapon. You will need to attack CI/CD and database systems, as well as reverse binaries to succeed. Stay safe, and don’t get infected!

Glass Turnip: A Spoons Out CTF

Follow the clues in this whodunit to solve a murder mystery through network post-exploitation challenges, binary exploitation, subverting defensive products, and some good old-fashioned enumeration and sleuthing.

The Takedown of G-Corp

Join hacktivists in a dystopian future to take down the evil G-Corp that oppresses the cyberpunk metropolis. Success will require all of your cunning, problem-solving skills, and perhaps some SCCM abuse and custom LSA security package reversing.

LOCATION

Questions? Email socon@specterops.io

Convene

1201 Wilson Blvd.

Arlington, VA 22209

HOTEL

Hyatt Centric Arlington

1325 Wilson Blvd,
Arlington, VA 22209

Secure Your Spot

Use this Email Template to help justify your attendance at SO-CON 2024

Subject: Request for Approval to Attend SO-CON 2024

Dear [Manager’s Name],

I am requesting approval to attend SO-CON 2024, a premier cybersecurity summit that is hosted by SpecterOps and is taking place in Arlington, VA on March 11, 2024.

The summit will be an invaluable opportunity for professional development, offering a comprehensive exploration of the latest trends, research, case studies and firsthand experiences from frontline practitioners. I believe that attending this event will greatly benefit our team and enhance our capabilities.

Here are some key points about SO-CON 2024 that highlight its significance:

  • In-depth Sessions: The talks offered will cover recent research and operational approaches to identifying, reducing, and detecting attack paths in the enterprise, including new techniques to combat identity-based attack paths. You can find the full list of talks here: https://specterops.io/so-con/#talks
  • Relevant Topics: The event will cover the latest trends in Attack Path Management, explore BloodHound attack paths, showcase offensive security research at SpecterOps, and demonstrate new attack path tooling for Kubernetes, AWS, and Okta.
  • Discounted Registration: For a limited time, we can secure our summit spot at a 50% discount off the full rate, making it a cost-effective investment in my professional growth.

OPTIONAL

I have estimated the cost of attendance to be approximately $XX:

  • Conference pass: $XX
  • (Optional) Training: $XX
  • Travel: $XX
  • Accommodations: $XX
  • Meals: $XX (breakfast and lunch will be provided at the event)

To secure the early bird rate, I need to register by <X date>. I would appreciate the opportunity to discuss this further at your earliest convenience. Thank you for considering my request, and I look forward to the possibility of representing our team at SO-CON 2024.

Best Regards,

[Your Name]
[Your Position]
[Your Contact Information]

Back Download Template