OWASP Global AppSec EU 2026 Vienna

New CVEs are released constantly, but in practice most teams never go beyond reading the advisory or relying on automated scanning. This POD is designed to change that by giving participants time and platform to hunt and exploit real-world critical CVEs.

Participants will have access to 10 hands-on challenges, each based on a real high or critical severity CVE commonly found in modern applications. Each challenge runs within a limited time window and can be attempted independently of the others.

For each challenge, participants can click a Deploy Lab option to spin up a temporary target system. The deployed application/system contains a previously undisclosed CVE to the participant, and the task is to identify the vulnerability, understand its behavior, and exploit it to demonstrate impact.

There is no fixed order or linear walkthrough. Participants are free to choose which CVEs to attempt, how deep they want to go with each one, and how long they want to stay in the activity. Some CVEs will allow participants to become admin, some might give a reverse shell. Labs are provisioned on demand using infrastructure-as-code, allowing participants to work independently on each challenge.

Some participants may focus on understanding a single CVE and reproducing it reliably. Others may try to exploit multiple issues or explore alternate attack paths. Both approaches are expected and encouraged.

The emphasis of this POD is on building practical intuition: how to read advisories critically, identify vulnerable attack surfaces, validate exploitability, and understand real impact beyond severity scores. The activity is fully hands-on, informal, and designed so people can join and leave at any time without falling behind.

“2001: Agentic Odyssey” is a hands-on, drop-in POD where we threat model the HAL 9000 system from 2001: A Space Odyssey as if it were a modern agentic AI system (LLM + tools + permissions + side effects). I bring a HAL DFD, and together we mark trust boundaries and do classic “what can go wrong?” threat identification. Participants then split into small groups to build attack-tree branches and translate them into Fault Tree Analysis (FTA) using AND/OR logic and minimal cut sets, including lightweight probability estimates to prioritise the most likely failure chains. We finish by turning those failure paths into automation-ready test ideas (fault injection, invariants, evidence), and optionally drafting a structured HAL threat model for submission to the OWASP Threat Model Library. Designed so anyone can contribute in 10-15 minutes, while advanced participants can go deep on FTA and prioritisation. Every stage is split into a way to enable drop-ins at any time.

LLMs are no longer standalone chatbots—they're increasingly embedded directly into application logic, with access to databases, APIs, file systems, and internal services. This architectural shift means the most dangerous LLM exploits don't just manipulate the model; they use the model as an attack vector to reach traditional AppSec targets. Prompt injection becomes a path to SQL injection. Conversational manipulation enables SSRF. The AI agent becomes an unwitting insider threat.

In this hands-on POD, participants will experience this convergence firsthand through a purpose-built vulnerable web application with an integrated AI agent. Through independent challenges, attendees will discover how attackers chain LLM manipulation with classic web exploitation—and why securing AI-integrated applications requires understanding both domains.

Challenges are designed for drop-in participation and cover multiple difficulty levels:
- Beginner-friendly: Basic prompt manipulation and information disclosure
- Intermediate: Chaining AI misuse with traditional web exploitation
- Advanced: Multi-stage attacks combining indirect prompt injection with server-side vulnerabilities

Each challenge is self-contained (under 15 minutes) with clear objectives, hints available on request, and facilitators ready to guide participants. Whether you're new to AI security or a seasoned pentester curious about LLM attack vectors, you'll walk away with practical techniques applicable to real-world assessments.

Challenges are mapped to multiple OWASP frameworks: the OWASP Top 10 for LLM Applications (covering risks like LLM01: Prompt Injection, LLM07: Insecure Plugin Design), the OWASP API Security Top 10, and the classic OWASP Web Application Top 10, helping participants connect new AI risks to established security knowledge.

No prior AI/ML experience required. Just curiosity and a laptop with a modern browser. All challenges run in-browser against our cloud-hosted lab environment.