Monday, June 22
 

8:30am CEST

Coffee/tea
Monday June 22, 2026 8:30am - 9:00am CEST

Foyer D (Level -2)

9:00am CEST

3-Day Training: AppSec and AI Security for Developers with Jim Manico (Hybrid)
Monday June 22, 2026 9:00am - 5:00pm CEST
To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.
3-Day Training: June 22-24, 2026
Level: Beginner
Trainer: Jim Manico
You may attend this training course in person or virtually.
Description: This three-day security course is designed for software engineers and AppSec professionals who want to tailor their learning experience....
Speakers
Jim Manico

Founder and CEO, Manicode Security
Jim Manico is the founder of Manicode Security, where he specializes in training software developers on secure coding and security engineering. He is actively involved in multiple ventures, serving as an investor/advisor for companies like 10Security, MergeBase, Nucleus Security...

9:00am CEST

3-Day Training: Full-Stack Pentesting Laboratory: 100% Hands-On + Lifetime LAB Access
Monday June 22, 2026 9:00am - 5:00pm CEST
3-Day Training: June 22-24, 2026
Level: Intermediate
Trainer: Dawid Czagan
To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.
Modern IT systems are increasingly complex, making full-stack expertise more essential than ever. That's why diving into full-stack pentesting is crucial—you will gain the skills needed to master modern attack...
Speakers
Dawid Czagan

Founder and CEO, Silesia Security Lab
Dawid Czagan is an internationally recognized security researcher and trainer. He is listed among top hackers at HackerOne. Dawid Czagan has found security bugs in Apple, Google, Mozilla, Microsoft and many others.

Due to the severity of many bugs, he received numerous awards for his findings. Dawid Czagan shares his security experience in his hands-on trainings. He delivered trainings at key industry conferences such as DEF CON (Las Vegas), OWASP 2025 Global AppSec EU (Barcelona), Hack In The...

9:00am CEST

3-Day Training: Web Application Security Essentials
Monday June 22, 2026 9:00am - 5:00pm CEST
3-Day Training: June 22-24, 2026
Level: Introductory and Overview
Trainer: Fabio Cerullo
To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.
Introduction
Modern organisations rely heavily on web applications, and attackers exploit their weaknesses daily. As AI tools accelerate software development, code is being generated...
Speakers
Fabio Cerullo

Managing Director, Cycubix
Fabio Cerullo is a seasoned cybersecurity trainer and consultant with over 15 years of industry experience across financial services, government, startups, and software companies. He has delivered training to thousands of developers and security professionals worldwide, with a focus...

9:00am CEST

3-Day Training: AI Whiteboard Hacking aka Hands-on Threat Modeling Training
Monday June 22, 2026 9:00am - 5:00pm CEST
To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.
3-Day Training: June 22-24, 2026
Level: Beginner
Trainer: Sebastien Deleersnyder
Download the complete training outline: AI Whiteboard Hacking Training Details
Testimonial: "After years evaluating security trainings at Black Hat, including Toreon's Whiteboard Hacking...
Speakers
Sebastien Deleersnyder

Co-Founder and CEO, Toreon
Sebastien Deleersnyder, also known as Seba, is a highly accomplished individual in the field of cybersecurity. He is the CTO and co-founder of Toreon, as well as the COO and lead threat modeling trainer of Data Protection Institute. Seba holds a Master's degree in Software Engineering...

10:30am CEST

AM Break
Monday June 22, 2026 10:30am - 11:00am CEST

12:30pm CEST

Lunch
Monday June 22, 2026 12:30pm - 1:30pm CEST

3:00pm CEST

PM Break
Monday June 22, 2026 3:00pm - 3:30pm CEST
 
Tuesday, June 23
 

8:30am CEST

Coffee/tea
Tuesday June 23, 2026 8:30am - 9:00am CEST

9:00am CEST

1-Day Training: Build your AppSec Program with OWASP SAMM (Tuesday only)
Tuesday June 23, 2026 9:00am - 5:00pm CEST
To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.
1-Day Training: Tuesday, June 23
Trainer: Aram Hovsepyan
Level: All
Please note that this 1-day training course takes place on TUESDAY, not Wednesday like our other 1-day training courses.
Application security has become synonymous with a vulnerability management program driven...
Speakers
Aram Hovsepyan

Founder and CEO, Codific
For the past 15 years Aram has been involved in application security as a researcher, industry expert, and core contributor to the OWASP SAMM project.

Aram is the founder and CEO of Codific, a Belgian cybersecurity product firm. At Codific, he works at the intersection of software...

9:00am CEST

2-Day Training: Adam Shostack's Threat Modeling Intensive
Tuesday June 23, 2026 9:00am - 5:00pm CEST
2-Day Training: June 23-24, 2026
Level: Intermediate
Trainer: Adam Shostack
To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.
This hands-on, interactive class will focus on learning to threat model by executing each of the steps. Students will start with a guided threat modeling exercise, and we'll then iterate and break down...
Speakers
Adam Shostack

Founder, Shostack & Associates
Adam Shostack is a leading expert on threat modeling. He has decades of experience delivering security. His experience ranges across the business world from founding startups to nearly a decade at Microsoft. His accomplishments include: Helped create the CVE. Now an Emeritus member...

9:00am CEST

2-Day Training: AI SecureOps: Attacking & Defending AI Applications and Agents (Hybrid)
Tuesday June 23, 2026 9:00am - 5:00pm CEST
2-Day Training: June 23-24, 2026
Level: Intermediate
Trainer: Abhinav Singh
You may attend this training course either in person or virtually.
To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.
Can prompt injections lead to complete infrastructure takeovers? Could AI agents be exploited to compromise backend services? Can...
Speakers
Abhinav Singh

Cyber Security Research in AI, Cloud & Data, Midfield Security
Abhinav Singh is an esteemed cybersecurity leader and researcher with over a decade of experience working with global technology leaders, startups, financial institutions, and as an independent trainer and consultant. He is the author of the widely acclaimed "Metasploit Penetration...

9:00am CEST

2-Day Training: Repeatable, Scalable and Valuable Code Security Scanning
Tuesday June 23, 2026 9:00am - 5:00pm CEST
2-Day Training: June 23-24, 2026
Level: Intermediate
Trainer: Josh Grossman
To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.
To learn more about this training, please visit the link here.
Suddenly anyone and everyone in your organization can use AI assistants to write code. Meanwhile, your actual developers are...
Speakers
Josh Grossman

CTO, Bounce Security
Josh Grossman has worked as a consultant in IT and Application Security and Risk for 15 years now, as well as a Software Developer. This has given him an in-depth understanding of how to manage the balance between business needs, developer needs and security needs which goes into...

9:00am CEST

2-Day Training: The Mobile Playbook - A guide for iOS and Android App Security (Hybrid)
Tuesday June 23, 2026 9:00am - 5:00pm CEST
2-Day Training: June 23-24, 2026
Level: Intermediate
Trainer: Sven Schleier
You may attend this training course in person or virtually.
To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.
This two-day, hands-on course is designed to teach penetration testers, developers, and engineers how to analyse Android and iOS applications for...
Speakers
Sven Schleier

Co-Founder, Bai7 GmbH
Sven is a co-founder of Bai7 GmbH in Austria, which is specialized in trainings and advisory. He has expertise in cloud security, offensive security engagements (Penetration Testing) and Application Security, notably in guiding software development teams across Mobile and Web Applications...

9:00am CEST

3-Day Training: AppSec and AI Security for Developers with Jim Manico (Hybrid)
Tuesday June 23, 2026 9:00am - 5:00pm CEST
To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.
3-Day Training: June 22-24, 2026
Level: Beginner
Trainer: Jim Manico
You may attend this training course in person or virtually.
Description: This three-day security course is designed for software engineers and AppSec professionals who want to tailor their learning experience....
Speakers
Jim Manico

Founder and CEO, Manicode Security
Jim Manico is the founder of Manicode Security, where he specializes in training software developers on secure coding and security engineering. He is actively involved in multiple ventures, serving as an investor/advisor for companies like 10Security, MergeBase, Nucleus Security...

9:00am CEST

3-Day Training: Full-Stack Pentesting Laboratory: 100% Hands-On + Lifetime LAB Access
Tuesday June 23, 2026 9:00am - 5:00pm CEST
3-Day Training: June 22-24, 2026
Level: Intermediate
Trainer: Dawid Czagan
To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.
Modern IT systems are increasingly complex, making full-stack expertise more essential than ever. That's why diving into full-stack pentesting is crucial—you will gain the skills needed to master modern attack...
Speakers
Dawid Czagan

Founder and CEO, Silesia Security Lab
Dawid Czagan is an internationally recognized security researcher and trainer. He is listed among top hackers at HackerOne. Dawid Czagan has found security bugs in Apple, Google, Mozilla, Microsoft and many others.

Due to the severity of many bugs, he received numerous awards for his findings. Dawid Czagan shares his security experience in his hands-on trainings. He delivered trainings at key industry conferences such as DEF CON (Las Vegas), OWASP 2025 Global AppSec EU (Barcelona), Hack In The...

9:00am CEST

3-Day Training: Web Application Security Essentials
Tuesday June 23, 2026 9:00am - 5:00pm CEST
3-Day Training: June 22-24, 2026
Level: Introductory and Overview
Trainer: Fabio Cerullo
To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.
Introduction
Modern organisations rely heavily on web applications, and attackers exploit their weaknesses daily. As AI tools accelerate software development, code is being generated...
Speakers
Fabio Cerullo

Managing Director, Cycubix
Fabio Cerullo is a seasoned cybersecurity trainer and consultant with over 15 years of industry experience across financial services, government, startups, and software companies. He has delivered training to thousands of developers and security professionals worldwide, with a focus...

9:00am CEST

3-Day Training: AI Whiteboard Hacking aka Hands-on Threat Modeling Training
Tuesday June 23, 2026 9:00am - 5:00pm CEST
To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.
3-Day Training: June 22-24, 2026
Level: Beginner
Trainer: Sebastien Deleersnyder
Download the complete training outline: AI Whiteboard Hacking Training Details
Testimonial: "After years evaluating security trainings at Black Hat, including Toreon's Whiteboard...
Speakers
Sebastien Deleersnyder

Co-Founder and CEO, Toreon
Sebastien Deleersnyder, also known as Seba, is a highly accomplished individual in the field of cybersecurity. He is the CTO and co-founder of Toreon, as well as the COO and lead threat modeling trainer of Data Protection Institute. Seba holds a Master's degree in Software Engineering...

9:00am CEST

Private BOD Meeting
Tuesday June 23, 2026 9:00am - 5:00pm CEST

Room -2.11 (Level -2)

10:30am CEST

AM Break
Tuesday June 23, 2026 10:30am - 11:00am CEST

12:30pm CEST

Lunch
Tuesday June 23, 2026 12:30pm - 1:30pm CEST

3:00pm CEST

PM Break
Tuesday June 23, 2026 3:00pm - 3:30pm CEST
 
Wednesday, June 24
 

7:30am CEST

Private Board Meeting
Wednesday June 24, 2026 7:30am - 9:00am CEST

Room -2.11 (Level -2)

8:30am CEST

Coffee/tea
Wednesday June 24, 2026 8:30am - 9:00am CEST

9:00am CEST

1-Day Training: API Security: Hands-On Secure API Design & Hardening
Wednesday June 24, 2026 9:00am - 5:00pm CEST
1-Day Training: June 24, 2026
Level: Intermediate
Trainer: Tanya Janca
To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.
APIs are the backbone of modern applications—but they also introduce unique security risks. In this hands-on training, participants will deep-dive into API security threats using a "Bad, Better, Best"...
Speakers
Tanya Janca

Security Trainer and Founder, She Hacks Purple & DevSec Station
Tanya Janca, known online as SheHacksPurple, is the best-selling author of Alice and Bob Learn Secure Coding and Alice and Bob Learn Application Security. She is the founder of DevSec Station, a modern learning platform and community built to help software developers master secure...

9:00am CEST

1-Day Training: How to build a Successful Security Champions Program
Wednesday June 24, 2026 9:00am - 5:00pm CEST
1-Day Training: June 24, 2026
Level: Intermediate
Trainer: Juliane Reimann & Marisa Fagan
To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.
Do you feel a disconnect between your cybersecurity efforts and engineering activities? If so, a Security Champions Program could bridge the gap. By involving engineers in security...
Speakers
Juliane Reimann

Founder and Security Community Expert, Full Circle Security
Juliane Reimann has worked as a cyber security consultant for large companies since 2019 with a focus on DevSecOps and Community Building. Her expertise includes building security communities of software developers and establishing developer-centric communication about secure software development...

Marisa Fagan

Managing Consultant, Katilyst
Marisa Fagan is a managing consultant at Katilyst and has 16 years of experience building security champion communities. She's dedicated her career to building security into the SDLC and empowering developers to own secure code. Marisa shares practical insights into what actually works...

9:00am CEST

1-Day Training: Master AI Security (Hybrid)
Wednesday June 24, 2026 9:00am - 5:00pm CEST
1-Day Training: June 24, 2026
Level: Intermediate
Trainer: Rob van der Veer
You may attend this training course either in person or virtually.
To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.
The record-breaking Master AI security training is back! This training broke the OWASP record online and on-site. Your trainer is Rob van der...
Speakers
Rob van der Veer

Chief AI Officer, Software Improvement Group
Rob van der Veer is an AI pioneer with 33 years of AI experience, specializing in engineering, security and privacy. He is the lead author of the ISO/IEC 5338 standard on AI lifecycle, contributor to OWASP SAMM, co-founder of OWASP's digital bridge for security standards OpenCRE...

9:00am CEST

1-Day Training: Secure-by-Design AI Applications: Identifying, Testing, and Validating AI-Specific Threats Before Deployment
Wednesday June 24, 2026 9:00am - 5:00pm CEST
1-Day Training: June 24, 2026
Level: Intermediate
Trainer: Marco Morana
Threat Modeling book (85 euro value) free to the first 10 registrants
To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.
As organizations deploy LLMs, chatbots, RAG pipelines, and autonomous AI agents, new attack surfaces emerge that traditional...
Speakers
Marco Morana

Field CISO - Head of Application & Product Security Architecture, Avocado Systems Inc.
Marco Morana is the Field CISO at Avocado Systems Inc., specializing in threat modeling automation and Zero Trust Architecture for financial services. With over 15 years of leadership experience, he has held senior security roles at JP Morgan Chase and Citi, securing financial applications...

9:00am CEST

2-Day Training: Adam Shostack's Threat Modeling Intensive
Wednesday June 24, 2026 9:00am - 5:00pm CEST
2-Day Training: June 23-24, 2026
Level: Intermediate
Trainer: Adam Shostack
To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.
This hands-on, interactive class will focus on learning to threat model by executing each of the steps. Students will start with a guided threat modeling exercise, and we'll then iterate and break down...
Speakers
Adam Shostack

Founder, Shostack & Associates
Adam Shostack is a leading expert on threat modeling. He has decades of experience delivering security. His experience ranges across the business world from founding startups to nearly a decade at Microsoft. His accomplishments include: Helped create the CVE. Now an Emeritus member...

9:00am CEST

2-Day Training: AI SecureOps: Attacking & Defending AI Applications and Agents (Hybrid)
Wednesday June 24, 2026 9:00am - 5:00pm CEST
2-Day Training: June 23-24, 2026
Level: Intermediate
Trainer: Abhinav Singh
You may attend this training course in person or virtually.
To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.
Can prompt injections lead to complete infrastructure takeovers? Could AI agents be exploited to compromise backend services? Can jailbreaks...
Speakers
Abhinav Singh

Cyber Security Research in AI, Cloud & Data, Midfield Security
Abhinav Singh is an esteemed cybersecurity leader and researcher with over a decade of experience working with global technology leaders, startups, financial institutions, and as an independent trainer and consultant. He is the author of the widely acclaimed "Metasploit Penetration...

9:00am CEST

2-Day Training: Repeatable, Scalable and Valuable Code Security Scanning
Wednesday June 24, 2026 9:00am - 5:00pm CEST
2-Day Training: June 23-24, 2026
Level: Intermediate
Trainer: Josh Grossman
To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.
To learn more about this training, please visit the link here.
Suddenly anyone and everyone in your organization can use AI assistants to write code. Meanwhile, your actual developers are putting out...
Speakers
Josh Grossman

CTO, Bounce Security
Josh Grossman has worked as a consultant in IT and Application Security and Risk for 15 years now, as well as a Software Developer. This has given him an in-depth understanding of how to manage the balance between business needs, developer needs and security needs which goes into...

9:00am CEST

2-Day Training: The Mobile Playbook - A guide for iOS and Android App Security (Hybrid)
Wednesday June 24, 2026 9:00am - 5:00pm CEST
2-Day Training: June 23-24, 2026
Level: Intermediate
Trainer: Sven Schleier
You may attend this training course in person or virtually.
To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.
This two-day, hands-on course is designed to teach penetration testers, developers, and engineers how to analyse Android and iOS applications for...
Speakers
Sven Schleier

Co-Founder, Bai7 GmbH
Sven is a co-founder of Bai7 GmbH in Austria, which is specialized in trainings and advisory. He has expertise in cloud security, offensive security engagements (Penetration Testing) and Application Security, notably in guiding software development teams across Mobile and Web Applications...

9:00am CEST

3-Day Training: AppSec and AI Security for Developers with Jim Manico (Hybrid)
Wednesday June 24, 2026 9:00am - 5:00pm CEST
To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.
3-Day Training: June 22-24, 2026
Level: Beginner
Trainer: Jim Manico
You may attend this training course in person or virtually.
Description: This three-day security course is designed for software engineers and AppSec professionals who want to tailor their learning experience....
Speakers
Jim Manico

Founder and CEO, Manicode Security
Jim Manico is the founder of Manicode Security, where he specializes in training software developers on secure coding and security engineering. He is actively involved in multiple ventures, serving as an investor/advisor for companies like 10Security, MergeBase, Nucleus Security...

9:00am CEST

3-Day Training: Full-Stack Pentesting Laboratory: 100% Hands-On + Lifetime LAB Access
Wednesday June 24, 2026 9:00am - 5:00pm CEST
3-Day Training: June 22-24, 2026
Level: Intermediate
Trainer: Dawid Czagan
To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.
Modern IT systems are increasingly complex, making full-stack expertise more essential than ever. That's why diving into full-stack pentesting is crucial—you will gain the skills needed to master modern attack...
Speakers
Dawid Czagan

Founder and CEO, Silesia Security Lab
Dawid Czagan is an internationally recognized security researcher and trainer. He is listed among top hackers at HackerOne. Dawid Czagan has found security bugs in Apple, Google, Mozilla, Microsoft and many others.

Due to the severity of many bugs, he received numerous awards for his findings. Dawid Czagan shares his security experience in his hands-on trainings. He delivered trainings at key industry conferences such as DEF CON (Las Vegas), OWASP 2025 Global AppSec EU (Barcelona), Hack In The...

9:00am CEST

3-Day Training: Web Application Security Essentials
Wednesday June 24, 2026 9:00am - 5:00pm CEST
3-Day Training: June 22-24, 2026
Level: Introductory and Overview
Trainer: Fabio Cerullo
To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.
Introduction
Modern organisations rely heavily on web applications, and attackers exploit their weaknesses daily. As AI tools accelerate software development, code is being generated...
Speakers
Fabio Cerullo

Managing Director, Cycubix
Fabio Cerullo is a seasoned cybersecurity trainer and consultant with over 15 years of industry experience across financial services, government, startups, and software companies. He has delivered training to thousands of developers and security professionals worldwide, with a focus...

9:00am CEST

3-Day Training: AI Whiteboard Hacking aka Hands-on Threat Modeling Training
Wednesday June 24, 2026 9:00am - 5:00pm CEST
To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.
3-Day Training: June 22-24, 2026
Level: Beginner
Trainer: Sebastien Deleersnyder
Download the complete training outline: AI Whiteboard Hacking Training Details
Testimonial: "After years evaluating security trainings at Black Hat, including Toreon's Whiteboard...
Speakers
Sebastien Deleersnyder

Co-Founder and CEO, Toreon
Sebastien Deleersnyder, also known as Seba, is a highly accomplished individual in the field of cybersecurity. He is the CTO and co-founder of Toreon, as well as the COO and lead threat modeling trainer of Data Protection Institute. Seba holds a Master's degree in Software Engineering...

9:00am CEST

1-Day Training: SAMM and DSOMM User Day
Wednesday June 24, 2026 9:00am - 5:00pm CEST

10:30am CEST

AM Break
Wednesday June 24, 2026 10:30am - 11:00am CEST

12:30pm CEST

Lunch
Wednesday June 24, 2026 12:30pm - 1:30pm CEST

3:00pm CEST

PM Break
Wednesday June 24, 2026 3:00pm - 3:30pm CEST

5:30pm CEST

Global Board of Directors Public Meeting
Wednesday June 24, 2026 5:30pm - 7:00pm CEST

  Meeting

7:00pm CEST

Anti Magic Quadrant Club Sunset Drinks by Aikido
Wednesday June 24, 2026 7:00pm - 10:00pm CEST
For everyone who survived OWASP Global AppSec on Wednesday — join at the beach club for sunset drinks before vendor mayhem starts.
Come, have a good time, catch up with old friends, and leave with a few new ones. Everyone is welcome!
Two rules:
- No acronyms
- Have fun - and make the most of the open bar 🍹
Why Anti-Magic Quadrant Club?
This industry loves flashy quadrants and new acronyms....
 
Thursday, June 25
 

7:45am CEST

Women in AppSec Breakfast (Sign up Required)
Thursday June 25, 2026 7:45am - 8:45am CEST
Must already be registered for the conference and sign up for breakfast is required.
Come and enjoy a breakfast committed to making conference friends and friends for life (AKA - professional networking) at the Women in AppSec Breakfast co-hosted by Tanya Janca, Juliane Reimann, Kim Wuyts, and Marisa Fagan.
RSVP now to enjoy great food, pick up your challenge coin early, and walk through the...
Terrace G of Austria Center

8:30am CEST

Coffee/tea
Thursday June 25, 2026 8:30am - 9:00am CEST
Expo Hall X1

8:30am CEST

OWASP Official Store: Come explore books, games and merch (or Explore CyberSec Games, OWASP books and official merch)
Thursday June 25, 2026 8:30am - 4:00pm CEST
Come visit our table in the Expo Hall for books, games, and merch
  Bonus Track

9:00am CEST

Opening Remarks
Thursday June 25, 2026 9:00am - 9:15am CEST
Welcome to the OWASP Global AppSec EU 2026 conference! We are excited you are with us, not only to attend this amazing event, but also to celebrate our 25th anniversary!

Don't miss the opening remarks for the event as we welcome you and provide a few key details to provide you with a roadmap to a successful time with us!
Hall D (Level -2)
  Keynote

9:15am CEST

Keynote: The Reinvention of Software Engineering
Thursday June 25, 2026 9:15am - 10:00am CEST
I don’t need to tell you that AI has changed software development forever. You know this. Whether you’re positive, negative or indifferent to this change, you can’t deny that the past 2 years have radically changed the role of the software developer. As an industry we have been obsessed with velocity. We wanted every second of “developer productivity” squeezed from every dev team and...
Speakers
Hannah Foxwell

Product Director, Snyk
With over a decade of experience in DevOps, DevSecOps and Platform Engineering, Hannah Foxwell has always advocated for the human aspects of technology transformation and evolution. Hannah is relentlessly curious about the tools, technologies, processes and practices that make life...
Hall D (Level -2)

10:00am CEST

AM Break in Expo Hall
Thursday June 25, 2026 10:00am - 10:30am CEST


10:05am CEST

Hands-On: Building Security Guardrails for AI-Generated Code
Thursday June 25, 2026 10:05am - 12:05pm CEST
AI-assisted development is now responsible for a significant and growing portion of production code. However, most AppSec programs still treat AI as an external input to be scanned after code is written, rather than as a system that can be guided to produce safer code up front.
In this Practical On-Demand session, participants will explore a secure-by-construction approach to AI coding using...
Speakers
David Archer

Solution Architect, Endor Labs

David is a long-time software practitioner who has spent the last two decades building, breaking, and fixing software across development, product, and consulting roles. After repeatedly seeing security treated as an afterthought in fast-moving teams, he shifted full-time into application...
Room -2.92 (Level -2)

10:05am CEST

Teaching Security Concepts Using Physical Analogies
Thursday June 25, 2026 10:05am - 12:05pm CEST
Understanding security fundamentals doesn’t have to be dry or abstract. In this interactive CF‑Pod, you’ll explore the core principles of confidentiality, integrity, and availability through surprising physical demonstrations and simple “magic‑like” activities that make each concept intuitive and memorable.Each station focuses on one security principle and offers a short, hands‑on...
See More →
Speakers
MD

Mariia Denysenko

Cybersecurity Governance & Training Professional in IT, AI, and OT

Mariia is a cybersecurity governance and compliance professional with experience spanning IT security, AI security, and OT security. She focuses on developing secure processes, enabling teams, and translating complex security requirements into clear, actionable guidance.

Her backg... Read More →
Room -2.92 (Level -2)

10:05am CEST

The Old But Unforgettable Key
Thursday June 25, 2026 10:05am - 12:05pm CEST
Application security failures often stem from small, everyday oversights that quietly accumulate into serious risk. This Practical On-Demand (POD) activity lets participants explore how those issues surface in real applications by actively engaging with a deliberately vulnerable web app. Attendees can drop in at any time and participate in a self-paced, Capture the Flag (CTF) style challenge...
Speakers

Raul Cicos

Security Consultant, Intruder

Raul is an experienced information security professional specialising in offensive security. He brings deep expertise across the full penetration testing lifecycle, from reconnaissance and vulnerability analysis to exploitation and clear, actionable reporting. His work focuses on... Read More →

Tom Steer

Security Consultant, Intruder

Tom is an experienced security professional focused on offensive security, conducting high-quality penetration tests and identifying vulnerabilities across systems and applications. In his free time, he designs and hosts Capture The Flag (CTF) challenges, using them to deepen his skills... Read More →
Room -2.92 (Level -2)

10:30am CEST

OWASP masCon - Introduction by OWASP MAS team to MAS Con
Thursday June 25, 2026 10:30am - 10:35am CEST

Speakers

Carlos Holguera

OWASP Mobile App Security (MAS): MASVS, MASWE and MASTG, NowSecure
Carlos is a principal mobile security research engineer working with NowSecure and one of the core project leaders and authors of the OWASP Mobile Security Testing Guide (MASTG) and OWASP Mobile Application Security Verification Standard (MASVS), the industry standard for mobile app... Read More →

Sven Schleier

Co-Founder, Bai7 GmbH
Sven is a co-founder of Bai7 GmbH in Austria, which is specialized in trainings and advisory. He has expertise in cloud security, offensive security engagements (Penetration Testing) and Application Security, notably in guiding software development teams across Mobile and Web Applications... Read More →
Room -2.33 (Level -2)

10:30am CEST

OpenCRE.org: Uniting all standards and guidelines
Thursday June 25, 2026 10:30am - 11:00am CEST
In security, it is important to understand the whole chain: from regulation to business risk, to requirement, to code example, to vulnerability, to test method, to tool configurations. However, so far there hasn’t been a solid way to interconnect standards, documentation, and tooling. Standards writers often work in isolation, and tooling authors rightly focus on quality results instead of...
Speakers

Rob van der Veer

Chief AI Officer, Software Improvement Group
Rob van der Veer is an AI pioneer with 33 years of AI experience, specializing in engineering, security and privacy. He is the lead author of the ISO/IEC 5338 standard on AI lifecycle, contributor to OWASP SAMM, co-founder of OWASP's digital bridge for security standards OpenCRE... Read More →
Room -2.82 (Level 2)

10:30am CEST

Why Isn't the Fix in My Container? Tracking CVE Propagation Across 10,000 Projects
Thursday June 25, 2026 10:30am - 11:15am CEST
We analyzed CVE remediation patterns across 10,000 open source projects to uncover a critical problem: vulnerabilities fixed upstream often take weeks or months to reach downstream containers. This lag creates massive security exposure windows in Kubernetes environments. In this talk, we'll present our findings showing how CVE fixes flow (or stall) across ecosystem layers, from upstream projects to...
Speakers

Lior Kaplan

Open Source evangelist, Open Source Security expert, Kaplan Open Source
As a Linux sysadmin for many years, Kaplan has been focused on Open Source & Security from various perspectives - upstream projects, the Linux distributions and the DevOps / platform engineering teams who maintain the infrastructure.
Kaplan is a long time Open Source community membe... Read More →

Mor Weinberger

Software Architect, Echo

Mor is a Software Architect specializing in cloud-native security and software supply chain resilience. His work focuses on designing scalable systems to detect and mitigate emerging threats across modern cloud environments. Over the years, he has identified issues ranging from unsecured... Read More →
Hall K1 (Level -2)

10:30am CEST

Builders & Breakers Part II: Securing Agentic AI After the Death of LLM Wrappers
Thursday June 25, 2026 10:30am - 11:15am CEST
Last year at OWASP Global AppSec Barcelona, we showed how to break and defend LLM-integrated apps: (indirect) prompt injection, jailbreaks, data poisoning. And what practical controls actually worked in production. But the game has changed. This follow-up talk picks up where we left off, focusing on the next generation of LLM-driven systems: agentic AI and e.g. MCP (Model Context Protocol) & A2A...
Speakers

Javan Rasokat

Senior Application Security Specialist, Sage

Javan is a DevOps Security Specialist at Sage, where he joined six years ago to lead Product Security for Central Europe and now supports products globally, contributing on the standardisation of security controls. He discovered his passion for security early in his career while identifying... Read More →

Rico Komenda

Senior Security Consultant

Rico is a senior product security engineer. His main security areas are in application security, cloud security, offensive security and AI security.

For him, general security intelligence in various aspects is a top priority. Today’s security world is constantly changing and you... Read More →
Hall G1 (Level -2)

10:30am CEST

AI Explainability Score Card
Thursday June 25, 2026 10:30am - 11:15am CEST
AI is tightening its grip on security operations, but when no one can explain what a system is doing, accountability breaks down and attackers gain the edge. Regulations like the EU AI Act now require AI systems to be transparent, yet most organizations lack a concrete way to measure what “transparent” actually means. The AI Explainability Scorecard fills that gap by providing a fast,...
Speakers

Michael Novack

Solution Architect, Aiceberg

Michael is a product-minded security architect who loves turning tangled AI risks into clear, practical solutions. As Solution Architect at Aiceberg, he helps enterprises bake AI explainability and real-time monitoring straight into their systems, transforming real customer insights... Read More →
Hall D (Level -2)

10:30am CEST

Why AppSec Fails at Scale (and How to Fix It)
Thursday June 25, 2026 10:30am - 11:15am CEST
As organizations grow, application security often becomes more painful but not more effective. Vulnerabilities recur, engineers feel blocked, and security teams struggle to scale. These failures are rarely caused by careless engineers or missing tools — they are symptoms of broken systems. In this talk, we examine why AppSec fails to scale, particularly in growing teams and startups, and why...
Speakers

Eduard Thamm


Eduard is a technical leader with a background in distributed systems, platform engineering, and security. He works in regulated environments, designing Kubernetes-based platforms where reliability, compliance, and developer experience must coexist. His focus is on architecture under... Read More →
Hall K2 (Level -2)

10:30am CEST

Scanning Agentic AI Systems: Beyond Traditional LLM Red Teaming
Thursday June 25, 2026 10:30am - 11:15am CEST
Agentic AI systems are evolving from simple LLM interfaces into autonomous and multi-agent workflows. Given the high autonomy of agentic AI systems, there is a growing need to perform a detailed risk assessment, which means traditional LLM-focused red teaming is no longer enough. Unlike standalone LLMs with text input and output, agentic systems interact with tools, memory, external data, and other...
Speakers

Roman Vainshtein

Research Director, GenAI Trust, Fujitsu Research of Europe

I am Research Director of the Generative AI Trust and Security Research team at Fujitsu Research of Europe, where I lead efforts to enhance the security, trustworthiness, and resilience of Generative AI systems. My work focuses on bridging the gap between AI security, red-teaming... Read More →

Amit Giloni

Principal Researcher, GenAI Trust team, Fujitsu Research

Dr. Amit Giloni is a Principal Researcher at Fujitsu Research of Europe, where she is part of the GenAI Trust team.
Her research spans multiple areas of machine learning, including classical ML, deep learning, generative AI, and agentic AI. She focuses on key challenges in trustworthy AI, such as bias and fairness, explainability, adversarial machine learning, robustness to abnormalities, and confidentiality... Read More →

Roy Betser

Senior Researcher, GenAI Trust team, Fujitsu Research

Roy Betser is a PhD candidate in the Technion and an AI security senior researcher in Fujitsu Research of Europe, where he is part of the GenAI Trust team. His research focuses on analyzing representation and embedding spaces in foundation models and on developing practical trust and... Read More →
Hall G2 (Level -2)
  Testing

10:30am CEST

Meet the Mentor
Thursday June 25, 2026 10:30am - 11:45am CEST
One more Global AppSec event. You’re taking training, you’re running between sessions, you’re connecting with people over coffee or when talking to a vendor. What if you could use the event to also meet a potential mentor, or mentee? What if you could connect face to face with someone who may help take your career to the next level, or that you can help and make a difference with? We are...
Speakers

Izar Tarandach

Sr. Principal Architect, SiriusXM
Long-time security practitioner, Sr. Principal Security Architect at SiriusXM, previously Datadog, at Squarespace, Bridgewater Associates to DellEMC via RSA, Autodesk, startup founder, investor and advisor. Founding member of the IEEE Center for Secure Design, holds a master's degree... Read More →

Avi Douglen

Software Security Consultant, Bounce Security
Avi Douglen is the founder and CEO at Bounce Security, a boutique consultancy specializing in software security, where he spends a lot of time with development teams of all sizes. He helps them integrate security methodologies and products into their development processes, and often... Read More →
  Bonus Track

10:35am CEST

OWASP masCon - Let's get frooky: Structured Mobile DAST with Frida
Thursday June 25, 2026 10:35am - 11:25am CEST
Mobile application penetration tests can be challenging. In order to find vulnerabilities in the OWASP MAS Testing Profile L2, security testers have to simulate attacks on compromised devices. When apps protect themselves with advanced static and dynamic hardening techniques, security testers often rely on instrumentation in order to assess the security of the app at runtime. This talk will present...
Speakers

Stefan Bernhardsgrütter

Lead Security Tester, Redguard
As a Security Tester at Redguard, Stefan puts a wide variety of IT systems, networks and applications to the test. He has an M.Sc. in Engineering with a focus on IT security and more than 10 years of experience in this field. At Redguard he is responsible for developing and maintaining... Read More →

Carlos Holguera

OWASP Mobile App Security (MAS): MASVS, MASWE and MASTG, NowSecure
Carlos is a principal mobile security research engineer working with NowSecure and one of the core project leaders and authors of the OWASP Mobile Security Testing Guide (MASTG) and OWASP Mobile Application Security Verification Standard (MASVS), the industry standard for mobile app... Read More →
Room -2.33 (Level -2)

11:00am CEST

OWASP AI Testing Guide in Practice: Securing LLM Applications
Thursday June 25, 2026 11:00am - 11:30am CEST
This talk presents the OWASP AI Testing Guide as a practical extension of traditional application security methodologies for AI and LLM-based systems. It shows how AppSec engineers can systematically identify, model, and test AI-specific risks using an OWASP-aligned approach, rather than relying on ad hoc assessments or vendor claims. The session starts with an architecture-driven threat modeling...
Speakers

Matteo Meucci

CEO, Synapsed.ai
Throughout his career, Matteo has played a pivotal role in the global cybersecurity community, particularly through his involvement with OWASP. He is the founder and leader of OWASP Italy and has contributed to the creation of foundational open-source projects such as the OWASP Testing Guide and the Software Security 5D Framework, establishing security standards that are now widely adopted worldwide. In the field of AI... Read More →

Marco Morana

Field CISO - Head of Application & Product Security Architecture, Avocado Systems Inc.
Marco Morana is the Field CISO at Avocado Systems Inc., specializing in threat modeling automation and Zero Trust Architecture for financial services. With over 15 years of leadership experience, he has held senior security roles at JP Morgan Chase and Citi, securing financial applications... Read More →
Room -2.82 (Level 2)

11:30am CEST

OWASP masCon - Unveiling The Internals From Multiplatform Mobile Runtimes
Thursday June 25, 2026 11:30am - 11:55am CEST
Flutter, React and Unity are the main multiplatform runtimes of choice when developing mobile applications for iOS and Android. We will cover the main characteristics, starting with the programming language associated with the framework, the ecosystem, the toolchains and showcase some clever low level details in their implementations. Recovering code and data from the final release binaries with...
Speakers

Sergi Alvarez

Mobile Security Research Engineer, NowSecure
Pancake is a mobile security research engineer at NowSecure. He has more than 25 years of experience in the reverse engineering and security fields. Author and maintainer of tools like radare2, r2frida and other plugins around the radare ecosystem, he began working as a forensic analyst... Read More →
Room -2.33 (Level -2)

11:30am CEST

OWASP AI Security Verification Standard (AISVS)
Thursday June 25, 2026 11:30am - 12:00pm CEST
AI systems face threats that traditional application security standards weren't built to address. This includes prompt injection, training data poisoning, model extraction, agentic autonomy risks, and more. The OWASP AI Security Verification Standard (AISVS) provides 400+ testable requirements across 14 chapters, covering everything from input validation and model lifecycle management to MCP...
Speakers

Otto Sulin

Head of Security, Supermetrics



Russ Memisyazici

Aras “Russ” Memişyazıcı, M.Sc. is a senior technology and architecture leader specializing in AI security, cloud transformation, application security, and enterprise modernization. He currently serves as a Global Head of Reference Architecture at Aon, where his work focuses... Read More →

Jim Manico

Founder and CEO, Manicode Security
Jim Manico is the founder of Manicode Security, where he specializes in training software developers on secure coding and security engineering. He is actively involved in multiple ventures, serving as an investor/advisor for companies like 10Security, MergeBase, Nucleus Security... Read More →

Rico Komenda

Senior Security Consultant

Rico is a senior product security engineer. His main security areas are in application security, cloud security, offensive security and AI security.

For him, general security intelligence in various aspects is a top priority. Today’s security world is constantly changing and you... Read More →
Room -2.82 (Level 2)

11:30am CEST

Actionable Continuous SBOM Diffing
Thursday June 25, 2026 11:30am - 12:15pm CEST
SBOMs are known to be at the forefront of modern strategies to ensure supply chain security. However, there are two key problems that traditional SBOM workflows do not solve: working with components that do not have well-established identifiers and the introduction of malware in the supply chain. This presents a significant gap between the expectations of SBOM adoption and the real value it can...
Speakers

Pavel Shukhman

CEO, Reliza

Pavel Shukhman is Co-Founder and CEO of Reliza, where he oversees the company's efforts in managing software and hardware releases, xBOMs, versioning and component identification. With over a decade of experience leading software teams, he has helped organizations implement DevOps... Read More →
Hall K1 (Level -2)

11:30am CEST

The OWASP Top Ten 2025
Thursday June 25, 2026 11:30am - 12:15pm CEST
The OWASP Top Ten has been one of the most influential resources in application security for more than two decades — shaping training, security programs, and procurement decisions around the world. In this session, we’ll unveil the newest edition of the OWASP Top Ten Critical Risks to Web Applications, explain how it was built through community input and real-world data, and show what these...
Speakers

Tanya Janca

Security Trainer and Founder, She Hacks Purple & DevSec Station
Tanya Janca, known online as SheHacksPurple, is the best-selling author of Alice and Bob Learn Secure Coding and Alice and Bob Learn Application Security. She is the founder of DevSec Station, a modern learning platform and community built to help software developers master secure... Read More →

Torsten Gigler

Internal IT Security Advisor, OWASP Volunteer

Torsten Gigler has been an Internal IT Security Advisor in a large-scale enterprise for >25 years (Application and ICT-Infrastructure-Security). He has been volunteering for OWASP for more than 13 years. Among other things, Torsten has been
* co-lead of the OWASP Top 10 project since 2017... Read More →
Hall G1 (Level -2)

11:30am CEST

Authorization Is Where Your App Goes to Lie
Thursday June 25, 2026 11:30am - 12:15pm CEST
Your authorization logic probably lives in code, while the rationale behind it lives only in people’s heads. That’s why authorization breaks in familiar ways: a missing check, an incorrect assumption, a copied snippet that made sense in one endpoint but was entirely wrong for another. This talk is about making authorization logic visible earlier, during design, so engineers have something...
Speakers

Eden Yardeni

Senior AppSec Engineer

Eden Yardeni works in application security, and contributes to OWASP projects including ASVS. She previously worked as a full-stack developer, but moved into application security when she heard there would be cookies. linkedin.com/in/eden-yardeni/
... Read More →
Hall D (Level -2)

11:30am CEST

Admission of Guilt: I Exploited a Parking System for a Year (And What It Taught Me About AppSec)
Thursday June 25, 2026 11:30am - 12:15pm CEST
If you’ve ever wanted to make AppSec relatable to your developers, your business stakeholders, etc… If you want to hear an example of security flaws in a digital-physical system and how AppSec practices apply… If you want to hear a funny story about my student-years shenanigans and maybe reminisce about your own… Then this is the talk for you. Security is often taught through theory, but some...
Speakers

Dimitar Raichev

Software Security Engineer, Codific
I am a software security engineer at Codific, where my responsibilities include the design and development of SAMMY — a Secure SDLC management tool that supports numerous security and quality frameworks such as SAMM, SSDF, CSF, multiple ISO standards, etc.
In this capacity, I be... Read More →
Hall K2 (Level -2)

11:30am CEST

Developing Effective Security Testing Skills with Objective Structured Assessments
Thursday June 25, 2026 11:30am - 12:15pm CEST
Technical skill development and evaluation for application (software) security testers remains underdeveloped. There is no widely adopted framework defining core competencies, proficiency levels, or objective assessment criteria. In the absence of such standards, the industry has defaulted to a fragmented ecosystem of private organizations offering training and certifications that insufficiently...
Speakers

Ryan Armstrong

AppSec Manager, Tester, and Teacher, Digital Boundary Group (DBG)
Ryan Armstrong is the Manager of Application Security Services at Digital Boundary Group (DBG). Ryan began with DBG as an application penetration tester and security consultant following completion of his PhD in Biomedical Engineering at Western University in 2016. With a passion... Read More →
Hall G2 (Level -2)

12:15pm CEST

Lunch in Expo Hall
Thursday June 25, 2026 12:15pm - 1:15pm CEST
Expo Hall X1

12:15pm CEST

Cybersecurity Awareness Card Game : Let's Play
Thursday June 25, 2026 12:15pm - 2:15pm CEST
Learn the foundations of cybersecurity through a card game. Participate in a tabletop, technology-free “capture the flag” experience where players gain practical insights into protecting digital information, responding to cyberattacks, and understanding core concepts such as the Cyber Kill Chain and the NIST Cybersecurity Framework. For less experienced practitioners, the game builds a strong...
Speakers

Michael Novack

Solution Architect, Aiceberg

Michael is a product-minded security architect who loves turning tangled AI risks into clear, practical solutions. As Solution Architect at Aiceberg, he helps enterprises bake AI explainability and real-time monitoring straight into their systems, transforming real customer insights... Read More →
Room -2.92 (Level -2)

12:15pm CEST

Hunting Critical CVEs: A Hands-On, Pick-Your-Own Exploitation POD
Thursday June 25, 2026 12:15pm - 2:15pm CEST
New CVEs are released constantly, but in practice most teams never go beyond reading the advisory or relying on automated scanning. This POD is designed to change that by giving participants time and platform to hunt and exploit real-world critical CVEs. Participants will have access to 10 hands-on challenges, each based on a real high or critical severity CVE commonly found in modern applications....
Speakers

Abhinav Mishra

Founder, Cyber Security Guy

Abhinav Mishra is a cyber security practitioner with over 14 years of hands-on experience in vulnerability research, offensive security, and application security testing. He has carried out 1,000+ security reviews and penetration tests across web, mobile, API, and cloud-based systems... Read More →
Room -2.92 (Level -2)

12:15pm CEST

“2001: Agentic Odyssey” When threat modelling meets HAL, agentic AI, testing and safety engineering
Thursday June 25, 2026 12:15pm - 2:15pm CEST
“2001: Agentic Odyssey” is a hands-on, drop-in POD where we threat model the HAL 9000 system from 2001: A Space Odyssey as if it were a modern agentic AI system (LLM + tools + permissions + side effects). I bring a HAL DFD, and together we mark trust boundaries and do classic “what can go wrong?” threat identification. Participants then split into small groups to build attack-tree branches...
Speakers

Petra Vukmirovic

Head of Information Security at Numan and Fractional Head of Product, Devarmor

Petra is a technology enthusiast, leader and public speaker. A former emergency medicine doctor and competitive volleyball athlete, she thrives in challenging environments and loves creating order from chaos. Initially pursuing a medical career, Petra's passion for technology led... Read More →
Room -2.92 (Level -2)

1:15pm CEST

OWASP masCon - Recent Mobile App Security Incidents from Real-World Cases
Thursday June 25, 2026 1:15pm - 1:40pm CEST
This is a review of recent mobile app security incidents I work on day to day. We’ll walk through concrete cases from banking, food delivery, and e-commerce to break down how the breaches happened. By the end, you’ll have a clearer sense of which security practices hold up in modern mobile apps and which ones fail in practice. You’ll also learn what commonly introduces vulnerabilities and...
Speakers

Jan Seredynski

Mobile Application Security Engineer, Guardsquare

Jan Seredynski is a mobile security professional with seven years of app development experience. He specializes in secure architectures and anti-tampering techniques. With a keen eye for uncovering vulnerabilities, Jan actively contributes to identifying and resolving CVEs and bugs... Read More →
Room -2.33 (Level -2)

1:15pm CEST

OWASP ModSecurity
Thursday June 25, 2026 1:15pm - 1:45pm CEST
As the cornerstone of open-source Web Application Firewalls, OWASP ModSecurity has protected the web for decades. However, maintaining its relevance in today’s evolving threat landscape requires more than just incremental updates—it requires a fundamental modernization. This presentation dives deep into the recent engineering efforts aimed at transforming the ModSecurity codebase into a...
Speakers

Ervin Hegedus

Project Co-Lead, OWASP ModSecurity
I'm 54, system and software engineer. ModSecurity contributor since 2017, Coreruleset developer since 2019, OWASP member since 2021 and project co-leader since 2024.
Room -2.82 (Level 2)

1:15pm CEST

One IDE to Rule Them All - Securing Your Supply Chain’s Weakest Link
Thursday June 25, 2026 1:15pm - 2:00pm CEST
Your API keys, business logic, database connections, sometimes even customer data and user information - might all be directly accessible from your IDE. This makes the IDE one of the top targets for threat actors to try to break into. Because the IDE has direct access to so much data, your entire software supply chain is only as secure as a single extension, turning it into the weakest link...
Speakers

Moshe Siman Tov Bustan

Security Research Team Leader, OX Security

Moshe is a Security Research Team Lead at OX Security, a company specializing in software supply chain security, and has worked in the security industry for 13 years. His work spans cloud security research, container security, memory forensics, and an in-depth understanding of programming... Read More →

Nir Zadok

OX Security

Nir Zadok is a rocket scientist who got a bit bored, so he moved to cybersecurity. Since then, as a Whitehat, he has managed to break dozens of mobile, web, and desktop applications. These days Nir is focused on software supply chain and innovative attack vector research via widely... Read More →
Hall K1 (Level -2)

1:15pm CEST

Retiring CVE Chasing: Defending Against Application Exploit Techniques
Thursday June 25, 2026 1:15pm - 2:00pm CEST
Vulnerability scanners are everywhere. CVE databases are growing exponentially. Yet vulnerability exploitation has surpassed phishing as the leading initial access vector. What's going wrong? The problem isn’t a lack of vulnerability data – it’s that defenders are solving last year’s problems. While teams drown in CVE backlogs, attackers use AI to rapidly weaponize exploit techniques that...
Speakers

Idan Elor

Field CTO, Oligo Security

Idan Elor is Field CTO at Oligo Security, where he partners with large enterprises to solve complex application and cloud security challenges. He most recently served as Director of Solution Engineering & Tech-Alliances at Apiiro, where he empowered enterprises to secure their software... Read More →
Hall G1 (Level -2)

1:15pm CEST

The Map of Artificial Treasures: What to Automate in Security - and Why?
Thursday June 25, 2026 1:15pm - 2:00pm CEST
With the rise of AI, especially large language models, it seems every security workflow will soon be automated or heavily supported by automation - from LLM-powered threat-intelligence enrichment or compliance mappings to AI-written threat models, code fixes and complete CISO roadmaps. But which processes will truly benefit, and in which cases will AI just increase the risk of adding cost and...
Speakers

Michael Helwig

Senior Security Consultant, secureIO GmbH

I am a security consultant and founder of secureIO GmbH, a consulting company that focuses on building application security programs and consulting clients from different industries on secure software development and compliance. I am focussing on DevSecOps, security testing, AI automation... Read More →
Hall D (Level -2)

1:15pm CEST

The Velocity Paradox: Why Slow is Smooth and Smooth is Fast in AppSec
Thursday June 25, 2026 1:15pm - 2:00pm CEST
Many AppSec programs fail because they try to run before they can walk. But in the world of an ever-changing attack surface, the truth is: slow is smooth, smooth is fast, and 'smooth' is how we actually ship secure software at the speed of business. This presentation outlines our multi-phased methodology for establishing an AppSec program. This approach emphasizes incremental, measurable, and...
Speakers

Pramod Rana

Sr. Manager - Application Security Assurance, Netskope

Pramod Rana is the author of the open source projects below:
1) Omniscient - LetsMapYourNetwork: a graph-based asset management framework
2) CICDGuard - Orchestrating visibility and security of CICD ecosystem
3) vPrioritizer - Art of Risk Prioritization: a risk prioritization framework

He ha... Read More →
Hall K2 (Level -2)

1:30pm CEST

Private Board Meeting
Thursday June 25, 2026 1:30pm - 2:30pm CEST

Room -2.15 (Level -2)

1:45pm CEST

OWASP masCon - Meet the New Frida Frontend on the Block
Thursday June 25, 2026 1:45pm - 2:10pm CEST
This talk introduces a new Frida frontend for macOS and iOS, designed as an interactive, persistent environment for exploring live processes. It supports local and remote targets, long-lived sessions that survive crashes, and saved documents you can return to later. Built around this core model are a REPL, a code tracer, a powerful editor with completion and inline documentation, a persistent...
See More →
Speakers
avatar for Ole André Vadla Ravnås

Ole André Vadla Ravnås

Security Researcher, NowSecure
Creator of Frida · Security Researcher at NowSecure
@oleavr
no.linkedin.com/in/oleavr...
Thursday June 25, 2026 1:45pm - 2:10pm CEST

1:45pm CEST

OWASP KubeFIM: Detecting File Integrity Threats with eBPF & AI in Kubernetes
Thursday June 25, 2026 1:45pm - 2:15pm CEST
Introduction: File Integrity Monitoring is still a critical part of runtime security, but in Kubernetes it comes with new challenges. A single cluster can generate thousands of file system events per second across containers, nodes, and workloads. While eBPF allows us to safely and efficiently capture these events at the kernel level, interpreting them remains a hard problem. OWASP KubeFIM AI is...
Speakers

Abhijit Chatterjee

Co-Founder of Cyber Secure India (CSI), Cyber Secure India
Co-Founder of Cyber Secure India (CSI), a cybersecurity think tank focused on driving cybersecurity awareness, building a strong community through free education, sharing knowledge, and empowering young individuals to strengthen the digital infrastructure.
Thursday June 25, 2026 1:45pm - 2:15pm CEST
Room -2.82 (Level 2)

2:15pm CEST

OWASP masCon - Attacking ART
Thursday June 25, 2026 2:15pm - 2:40pm CEST
When analyzing the security of mobile applications, we often have to overcome local security controls to perform a thorough audit. This can include obtaining access to the application’s internal storage, disabling TLS pinning or forcing the application to use our interception proxy. For many applications, this is straightforward. We can install the app on our rooted device, inject Frida and...
Speakers

Jeroen Beckers

Mobile Solution Lead, NVISO

I am the mobile solution lead at NVISO, where I am responsible for quality delivery, innovation and methodology for all mobile assessments. I am actively involved in the mobile security community, and I try to share my knowledge through open-source tools, blogposts, trainings and...
Thursday June 25, 2026 2:15pm - 2:40pm CEST

2:15pm CEST

Evil User Stories Modeling: Ensuring your User Stories in agile playing OWASP Cornucopia
Thursday June 25, 2026 2:15pm - 2:45pm CEST
In this session, I'll show you how to streamline the identification of security requirements associated with user stories in agile methodologies using OWASP Cornucopia. Here you'll see how to integrate User Stories with Cornucopia Cards and with ASVS as security requirements and the defects that may arise if the security requirements are not properly considered or implemented. At the beginning...
Speakers

Max Alejandro Gomez Sanchez Vergaray

Application Security Program Leader, AppSec & DevSecOps Consultant | Risk-driven Security for real-world products | S-SDLC, DevSecOps, Secure Design & Threat Modeling Trainer
I designed and led the application security program during the digital transformation process of one of the largest banks in Latin America, training more than 3,000 people in secure software development, especially in Secure Design using OWASP Cornucopia, other tools for threat modeling...
Thursday June 25, 2026 2:15pm - 2:45pm CEST
Room -2.82 (Level 2)

2:15pm CEST

From 0 to SLSA Level 3: A Practitioner's Field Guide
Thursday June 25, 2026 2:15pm - 3:00pm CEST
SLSA (Supply-chain Levels for Software Artifacts) promises to secure your software supply chain—but implementing it at enterprise scale is harder than the spec suggests. This talk shares our journey to SLSA Level 3, including the architectural decisions, performance trade-offs, and customer escalations that shaped our approach.
You'll learn:
- Provenance attestation architecture for multi-tenant...
Speakers

Mark Mishaev

Senior Engineering Manager, Software Supply Chain Security, GitLab

Senior Manager of Software Supply Chain Security at GitLab, leading 40+ engineers across Authentication, Authorization, Pipeline Security, and Compliance teams. He drives GitLab's SLSA implementation and security architecture for CI/CD pipelines serving millions of developers.
Wit...
Thursday June 25, 2026 2:15pm - 3:00pm CEST
Hall K1 (Level -2)

2:15pm CEST

Beyond the Chatbox: Implementing Guardrails for Autonomous Agents and LLMs Using Tools
Thursday June 25, 2026 2:15pm - 3:00pm CEST
As LLMs evolve from passive text generators to autonomous Agentic AI, the attack surface is shifting from simple prompt injection to Excessive Agency and Goal Hijacking. When we grant agents the power to execute shell commands, call sensitive APIs, or modify cloud infrastructure, we are essentially deploying "unattended administrators" into our environments. This session moves past theoretical AI...
Speakers

Rovindra Kumar

Security Architect, Google

Around 14+ years of experience in defining a Secure strategy, Architecture, and implementation of necessary security controls aligned with Security Services, including Cloud Security, Threat Protection, and implementation of cloud-native security controls. Providing thought leadership...

Mikesh Khanal

Security Engineer, Google

Mikesh is a senior cloud security engineer at Google with more than a decade of experience, specializing in designing and implementing robust security architectures for organizations of all sizes. He is a recognized expert in cloud security design and architecture, compliance, and risk...
Thursday June 25, 2026 2:15pm - 3:00pm CEST
Hall G1 (Level -2)

2:15pm CEST

Human Rights Threat Modeling
Thursday June 25, 2026 2:15pm - 3:00pm CEST
Security and privacy threat models are fundamental tools in AppSec, but in modern systems, such as Identity and Access Management (IAM) and AI, they fail to intercept a growing class of threats: those that do not compromise the system but produce harm to people. In this talk, we show why traditional threat models fail to capture these problems and how the limitation is not technical but cognitive....
Speakers

Giovanni Corti

Cybersecurity Researcher, FBK

Cybersecurity professional specializing in cyber threat intelligence and in threat modeling for security, privacy, and user safety in high-risk systems.
linkedin.com/in/g-corti
...

Simone Onofri

Security Lead, W3C

Simone is the W3C Security Lead. He has 20+ years of expertise in red/blue Teaming and Web security. He has spoken at OWASP, TEDx, and other events and authored Attacking and Exploiting Modern Web Applications.
linkedin.com/in/simoneonofri
...

Luca Lumini

Executive Security Advisor

Executive Security Advisor with more than 20 years of consulting experience focusing on corporate cyber strategy and security risk advisory. As Chief Security Officer, Luca has been leading the Security Strategy and AI Innovation team for the AXA International Markets region. He is...
Thursday June 25, 2026 2:15pm - 3:00pm CEST
Hall D (Level -2)

2:15pm CEST

Taming the AppSec Data Deluge
Thursday June 25, 2026 2:15pm - 3:00pm CEST
Application Security engineers face a critical challenge: information overload from disparate security tools creates “decision paralysis”. How do you balance design reviews, threat modeling, code reviews, monitoring alerts and managing your bug bounty program in an intentional instead of ad-hoc or reactive way? This presentation demonstrates a novel approach using AI agents combined with Model...
Speakers

Ben Sleek

Security Engineer, Proof

I’m an ex-Developer turned Application Security Engineer currently employed by Proof. After 10 years of building applications, I discovered breaking them could be just as fun.
  linkedin.com/in/ben-sleek-243aaa1/
...
Thursday June 25, 2026 2:15pm - 3:00pm CEST
Hall K2 (Level -2)

2:15pm CEST

This Build can Break You - Evil Runners and eBPF for Detection
Thursday June 25, 2026 2:15pm - 3:00pm CEST
CI/CD pipelines play an important role in modern software development. From a security perspective, this methodology contributes to more secure products, as automated checks can be applied on every run. Developers define tasks in a metadata file, and the system executes the defined jobs automatically. But what if the build chain itself becomes the security problem, allowing attackers to manipulate...
Speakers

Reinhard Kugler

Principal Security Consultant, SBA Research

Reinhard’s focus relies on security testing of IT and industrial cyber-physical systems. Based on his prior experience in cyber defense, he works with companies to develop security capabilities and secure products. Reinhard is an experienced instructor and develops tailored security...
Thursday June 25, 2026 2:15pm - 3:00pm CEST
Hall G2 (Level -2)

2:30pm CEST

AI for Code Security in Modern Codebases
Thursday June 25, 2026 2:30pm - 4:30pm CEST
Modern codebases are large, fast-moving, and increasingly AI-assisted, making traditional code security approaches hard to scale. This hands-on POD explores how AI can augment secure coding and code review workflows—without replacing human judgment. Participants will actively work through realistic code security scenarios drawn from modern APIs, cloud-native services, and GenAI-enabled...
Speakers

Rajnish Sharma

CEO, Precogs AI

Rajnish Sharma is the CEO and Founder of precogs.ai and a seasoned technology and security leader with experience in secure development, AI, and risk‑focused workflows. Previously, he served as Head of Investment Technology & AI at Allianz Global Investors, where he led strategic...
Thursday June 25, 2026 2:30pm - 4:30pm CEST
Room -2.92 (Level -2)

2:30pm CEST

Context & Cringe - Application Privacy through Play
Thursday June 25, 2026 2:30pm - 4:30pm CEST
Privacy risks are rarely obvious when looking at data, features, or apps in isolation. They emerge through changing context and are impacted by user perception. In this POD, participants play Context & Cringe, a discussion-driven card game where players build fictional app scenarios using real-world data and features, then judge how those designs feel from a user’s perspective. Rather than...
Speakers

Avi Douglen

Software Security Consultant, Bounce Security
Avi Douglen is the founder and CEO at Bounce Security, a boutique consultancy specializing in software security, where he spends a lot of time with development teams of all sizes. He helps them integrate security methodologies and products into their development processes, and often...

Kim Wuyts

Manager Cyber & Privacy, PwC Belgium

Dr. Kim Wuyts is a leading privacy engineer with over 15 years of experience in security and privacy. Before joining PwC Belgium as Manager Cyber & Privacy, Kim was a senior researcher at KU Leuven where she led the development and extension of LINDDUN, a popular privacy threat modeling...
Thursday June 25, 2026 2:30pm - 4:30pm CEST
Room -2.92 (Level -2)

2:30pm CEST

DDoS your friends
Thursday June 25, 2026 2:30pm - 4:30pm CEST
Interactive DDoS competition - player on player! Each round, each player chooses to be an attacker or defender, matches up with an opponent and configures their attack/defense. The attack traffic is run (speed run), scores are given based on attack traffic stopped vs let through, and legit traffic blocked. Players gain points each round, and there is an ongoing scoreboard. Leading attacker and defender...
Speakers

Alex Marks-Bluth

Security Researcher, Akamai AppSec

Alex leads teams combining data science and security research in web application security, building security products for Akamai customers.

He enjoys watching and playing cricket, and every year he tries to learn Rust, for at least 2 weeks.
linkedin.com/in/alex-marks-bluth-06a81...
Thursday June 25, 2026 2:30pm - 4:30pm CEST
Room -2.92 (Level -2)

2:30pm CEST

From Prompts to Payloads: Exploiting the AI-AppSec Intersection
Thursday June 25, 2026 2:30pm - 4:30pm CEST
LLMs are no longer standalone chatbots—they're increasingly embedded directly into application logic, with access to databases, APIs, file systems, and internal services. This architectural shift means the most dangerous LLM exploits don't just manipulate the model; they use the model as an attack vector to reach traditional AppSec targets. Prompt injection becomes a path to SQL injection....
Speakers

Dan Lisichkin

AI Security Researcher
Dan Lisichkin is the Cyber Security Researcher for Pillar Security, focusing on AI security, adversarial threats, and securing AI based systems. With over five years of experience in the cybersecurity and IT space, Dan has extensive knowledge in areas including malware analysis, reverse...

Ziv Karliner

CTO, Pillar Security

Ziv Karliner is the Co-Founder and CTO of Pillar Security, where he works on securing AI-powered applications and agent-based systems. With over a decade of experience in cybersecurity, Ziv has led research and engineering efforts across application security, cloud security, financial...

Eilon Cohen

AI Security Researcher, Pillar Security
That kid who took apart all his toys to see how they worked.
Currently breaking (and fixing) things in Pillar Security lab. Education spans from Mechanical Engineering and Robotics to Computer science, but a self-made security researcher and practitioner. Ex-IBM as a security engineer, securing multiple complex cloud and IT environments, now...

Ariel Fogel

Founding Engineer & Researcher, Pillar Security

Ariel Fogel is a founding engineer & researcher at Pillar Security, where he hardens AI applications against real-world attacks and compliance risks. Over the past decade, he has built production systems in Ruby, TypeScript, Python, and SQL, shipping everything from full-stack web...
Thursday June 25, 2026 2:30pm - 4:30pm CEST
Room -2.92 (Level -2)

2:45pm CEST

OWASP masCon - Closure of conference by OWASP MAS team
Thursday June 25, 2026 2:45pm - 3:00pm CEST
Speakers

Carlos Holguera

OWASP Mobile App Security (MAS): MASVS, MASWE and MASTG, NowSecure
Carlos is a principal mobile security research engineer working with NowSecure and one of the core project leaders and authors of the OWASP Mobile Security Testing Guide (MASTG) and OWASP Mobile Application Security Verification Standard (MASVS), the industry standard for mobile app...

Sven Schleier

Co-Founder, Bai7 GmbH
Sven is a co-founder of Bai7 GmbH in Austria, which is specialized in trainings and advisory. He has expertise in cloud security, offensive security engagements (Penetration Testing) and Application Security, notably in guiding software development teams across Mobile and Web Applications...
Thursday June 25, 2026 2:45pm - 3:00pm CEST

2:45pm CEST

OWASP MCP Top 10: When AI Agents Go Rogue, Securing the Model Context Protocol
Thursday June 25, 2026 2:45pm - 3:15pm CEST
The OWASP MCP Top 10 identifies the most critical security risks in MCP-enabled ecosystems. At the top of that list sits MCP Top 01: Untrusted Context Injection, a class of vulnerabilities where malicious inputs manipulate the context provided to AI agents, influencing their reasoning and actions. Unlike traditional vulnerabilities that exploit deterministic code paths, MCP attacks target the...
Speakers

Vandana Verma Sehgal

Vandana Verma is a Security Leader at Snyk, a podcast host, a Diversity and Inclusion Advocate, and an International speaker and influencer on a range of Information Security topics, including Application Security, DevSecOps, Cloud Security, and Security Careers.

From being the Chair of the OWASP Global Board of Directors to running various groups promoting security to organising conferences to even delivering keynote addresses at several of them, she is engaged continuously and proactively in making the global application security communit

...
Thursday June 25, 2026 2:45pm - 3:15pm CEST
Room -2.82 (Level 2)

3:00pm CEST

PM Break in Expo Hall
Thursday June 25, 2026 3:00pm - 3:30pm CEST
Thursday June 25, 2026 3:00pm - 3:30pm CEST
Expo Hall X1

3:15pm CEST

OWASP Leaders Meeting
Thursday June 25, 2026 3:15pm - 4:15pm CEST
Calling all OWASP Leaders! Join OWASP Foundation staff to discuss updates to Chapters, Projects, and the Foundation as a whole. This is your chance to receive updates and ask questions!
Thursday June 25, 2026 3:15pm - 4:15pm CEST
Room -2.15 (Level -2)

3:30pm CEST

OWASP AI Exchange Showcase
Thursday June 25, 2026 3:30pm - 4:00pm CEST
OWASP's flagship project, AI Exchange, is the world's AI security guide.

300+ pages of free, constantly-evolving, practical guidance on securing AI systems. It covers the fundamentals and represents the closest publicly available alignment of global expert consensus, feeding directly into the AI Act and ISO standards through a unique SDO partnership.
Speakers

Rob van der Veer

Chief AI Officer, Software Improvement Group
Rob van der Veer is an AI pioneer with 33 years of AI experience, specializing in engineering, security and privacy. He is the lead author of the ISO/IEC 5338 standard on AI lifecycle, contributor to OWASP SAMM, co-founder of OWASP's digital bridge for security standards OpenCRE...

Aruneesh Salhotra

Fractional CISO, Author, Podcaster, Blogger, Fractional CISO, Author, Podcaster, Blogger
Aruneesh Salhotra is a seasoned technologist and servant leader, renowned for his extensive expertise across cybersecurity, DevSecOps, AI, Business Continuity, Audit, Sales. His impactful presence as an industry thought leader is underscored by his contributions as a speaker and panelist...

Behnaz Karimi

Co-Lead / Leader AI Red Teaming / Creator RAID-AI Framework / Senior cyber security engineer, OWASP AI Exchange
Behnaz Karimi is an AI Security Researcher and the Creator of the RAID-AI Framework. She is also a Co-Author, Co-Lead, Leader AI Red Teaming at OWASP AI Exchange, where she actively contributes to advancing security practices for AI systems.

She has played a key role in OWASP initiatives, including contributing to the GenAI Red Teaming Guide for the OWASP Top 10 for Large Language Model Applications & Generative AI. Behnaz is a speaker at Global AppSec Barcelona and has spoken at OWASP Chapter Germany. She was also invited

...
Thursday June 25, 2026 3:30pm - 4:00pm CEST
Room -2.82 (Level 2)

3:30pm CEST

Pragmatic least-privilege for cloud and Kubernetes: applying good advice to real systems
Thursday June 25, 2026 3:30pm - 4:15pm CEST
Whichever public cloud you use, there are literally hundreds of assignable permissions — and while everyone quotes the ideal of “least privilege,” just when the deadline looms it becomes far too tempting to grant “just one more permission.” Before you know it, your developer teams and service accounts are swimming in high privileges. In this session we’ll start from the basics of...
Speakers

Mark Vinkovits

Chief Information Security Officer, XUND Solutions

Mark worked as a software, security, and privacy engineer over the past decade. Since his research in user centered computing, he has been arguing that human behavior, beliefs, and motivations cannot be excluded from the design of any solution, including any SDLC that should be livable...
Thursday June 25, 2026 3:30pm - 4:15pm CEST
Hall K1 (Level -2)

3:30pm CEST

The Devil is in the Defaults - what to do about XSS
Thursday June 25, 2026 3:30pm - 4:15pm CEST
This session is about the latest defenses against Cross-Site Scripting (XSS), the most prevalent security issue of all time. We will showcase typical XSS bugs and how they can be avoided. We will also explain why previous mechanisms fall short of protecting web sites at scale and why we believe Trusted Types and the Sanitizer API can help close this gap. The presentation will also give hands-on...
Speakers

Frederik Braun

Security Engineer, Mozilla Firefox Berlin

Frederik Braun builds security for the web and for Mozilla Firefox from Berlin. As a contributor to standards, Frederik is also improving the web platform by bringing security into the defaults with specifications like the Sanitizer API and Subresource Integrity. Before Mozilla, Frederik...
Thursday June 25, 2026 3:30pm - 4:15pm CEST
Hall G1 (Level -2)

3:30pm CEST

AI and the Threat Modeling Manifesto: Conflicts, Failure Modes, and Better Patterns
Thursday June 25, 2026 3:30pm - 4:15pm CEST
AI is becoming increasingly embedded in threat modeling processes. Some organizations now claim that threat modeling can be performed entirely by AI. This appears to be a natural progression, given the growing use of AI in software development itself. Before the current wave of AI adoption, the Threat Modeling Manifesto (TMM) was developed, drawing inspiration from the Agile Manifesto. It distilled...
Speakers

Vikramaditya Narayan

Creator of The Precogly Open Source Threat Modeling Platform
Vikramaditya Narayan is the creator of Precogly, an open-source, enterprise-grade threat modeling platform built for compliance-aware security teams. Previously, he designed the prototype for a YC-funded AI governance platform. Vikramaditya leads the Bangalore chapter of Threat Modeling...
Thursday June 25, 2026 3:30pm - 4:15pm CEST
Hall D (Level -2)

3:30pm CEST

Agile Development and IT Security – From Conflict to Collaboration
Thursday June 25, 2026 3:30pm - 4:15pm CEST
Agile software development and IT security share the goal of delivering reliable, robust software, yet they often collide in practice. Security validation is still frequently deferred to the end of the development lifecycle, producing findings too late to be effectively addressed. Under delivery pressure, this can lead to defensive reactions toward security activities and tools. This talk explores...
Speakers

Juliane Reimann

Founder and Security Community Expert, Full Circle Security
Juliane Reimann has worked as a cyber security consultant for large companies since 2019 with a focus on DevSecOps and Community Building. Her expertise includes building security communities of software developers and establishing developer-centric communication about secure software development...

Elisa Erbe

Project Manager, FullCyrcle Security

Elisa Erbe has been working as a project manager in digital web solutions and cybersecurity companies since 2021, with a focus on agile planning and processes. Before transitioning into project management in the IT sector, she gained experience in teaching, research, and organizational...
Thursday June 25, 2026 3:30pm - 4:15pm CEST
Hall K2 (Level -2)

3:30pm CEST

Boiling the Ocean for Signal: Lessons from High-Volume OSS Malware Detection
Thursday June 25, 2026 3:30pm - 4:15pm CEST
Malicious open source packages are on the rise, targeting more and more ecosystems. And while open source maintainers and users struggle to secure the immense attack surface of today’s software development practice, attackers continue to evolve their techniques. This talk presents lessons learned from developing and operating an end-to-end malware detection pipeline in an enterprise setup that...
Speakers

Henrik Plate

Security Researcher, Endor Labs

In his current position, Henrik aims at improving the security of today’s software supply chains, and in particular the secure consumption of open source. He formerly worked for SAP Security Research, where he led the focus topic "open source security" starting in 2014. He co-authored...
Thursday June 25, 2026 3:30pm - 4:15pm CEST
Hall G2 (Level -2)

4:15pm CEST

Networking Reception in Expo Hall and OWASP Jeopardy!
Thursday June 25, 2026 4:15pm - 6:45pm CEST
Come mingle with attendees and exhibitors AND have the chance to win prizes during OWASP Jeopardy with Jerry Hoff!
Thursday June 25, 2026 4:15pm - 6:45pm CEST
Expo Hall X1
 
Friday, June 26
 

8:30am CEST

Coffee/tea
Friday June 26, 2026 8:30am - 9:00am CEST
Friday June 26, 2026 8:30am - 9:00am CEST
Expo Hall X1

9:00am CEST

Opening Remarks
Friday June 26, 2026 9:00am - 9:15am CEST
Welcome to the OWASP Global AppSec EU 2026 conference! We are excited you are with us, not only to attend this amazing event, but also to celebrate our 25th anniversary!

Don't miss the opening remarks for the event as we welcome you and provide a few key details to provide you with a roadmap to a successful time with us!
Friday June 26, 2026 9:00am - 9:15am CEST
Hall D (Level -2)
  Keynote

9:15am CEST

Keynote: We Live in the Future: The Death and Rebirth of Application Security
Friday June 26, 2026 9:15am - 10:00am CEST

Speakers
avatar for Gadi Evron

Gadi Evron

Founder and CEO, Knostic
Gadi Evron is Founder and CEO at Knostic, an AI agent security company, CISO-in-Residence for AI at CSA, and chairs the [un]prompted conference. Previously, he founded Cymmetria (acquired), was the Israeli National Digital Authority CISO, founded the Israeli CERT, and headed PwC's...
Friday June 26, 2026 9:15am - 10:00am CEST
Hall D (Level -2)
  Keynote

10:00am CEST

AM Break in Expo Hall
Friday June 26, 2026 10:00am - 10:30am CEST
Friday June 26, 2026 10:00am - 10:30am CEST
Expo Hall X1

10:00am CEST

Bob the Breaker: Welcome to the Jungle! (Sponsored by Nokod Security)
Friday June 26, 2026 10:00am - 2:00pm CEST
The jungle is thick, the paths are tangled, and Bob the Breaker is already deep inside. Behind polished apps and smooth workflows lies a wild terrain of permissions, hidden data, and newly unleashed AI agents roaming freely through the system. Vines of automation twist everywhere, secrets hide beneath the canopy, and Bob has been swinging from one weak spot to the next, uncovering what was never meant...
Friday June 26, 2026 10:00am - 2:00pm CEST
TBA
  Bonus Track

10:00am CEST

OWASP Official Store: Come explore books, games and merch (or Explore CyberSec Games, OWASP books and official merch)
Friday June 26, 2026 10:00am - 4:00pm CEST
Come visit our table in the Expo Hall for books, games, and merch
Friday June 26, 2026 10:00am - 4:00pm CEST
  Bonus Track

10:05am CEST

Cybersecurity Awareness Card Game: Let's Play
Friday June 26, 2026 10:05am - 12:05pm CEST
Learn the foundations of cybersecurity through a card game. Participate in a tabletop, technology-free “capture the flag” experience where players gain practical insights into protecting digital information, responding to cyberattacks, and understanding core concepts such as the Cyber Kill Chain and the NIST Cybersecurity Framework. For less experienced practitioners, the game builds a strong...
Speakers

Michael Novack

Solution Architect, Aiceberg

Michael is a product-minded security architect who loves turning tangled AI risks into clear, practical solutions. As Solution Architect at Aiceberg, he helps enterprises bake AI explainability and real-time monitoring straight into their systems, transforming real customer insights...
Friday June 26, 2026 10:05am - 12:05pm CEST
Room -2.92 (Level -2)

10:05am CEST

DDoS your friends
Friday June 26, 2026 10:05am - 12:05pm CEST
Interactive DDoS competition - player on player! Each round, each player chooses to be an attacker or defender, matches up with an opponent and configures their attack/defense. The attack traffic is run (speed run), scores are given based on attack traffic stopped vs let through, and legit traffic blocked. Players gain points each round, and there is an ongoing scoreboard. Leading attacker and defender...
Speakers

Alex Marks-Bluth

Security Researcher, Akamai AppSec

Alex leads teams combining data science and security research in web application security, building security products for Akamai customers.

He enjoys watching and playing cricket, and every year he tries to learn Rust, for at least 2 weeks.
linkedin.com/in/alex-marks-bluth-06a81...
Friday June 26, 2026 10:05am - 12:05pm CEST
Room -2.92 (Level -2)

10:05am CEST

From Prompts to Payloads: Exploiting the AI-AppSec Intersection
Friday June 26, 2026 10:05am - 12:05pm CEST
LLMs are no longer standalone chatbots—they're increasingly embedded directly into application logic, with access to databases, APIs, file systems, and internal services. This architectural shift means the most dangerous LLM exploits don't just manipulate the model; they use the model as an attack vector to reach traditional AppSec targets. Prompt injection becomes a path to SQL injection....
Speakers

Eilon Cohen

AI Security Researcher, Pillar Security
That kid who took apart all his toys to see how they worked.
Currently breaking (and fixing) things in Pillar Security lab. Education spans from Mechanical Engineering and Robotics to Computer science, but a self-made security researcher and practitioner. Ex-IBM as a security engineer, securing multiple complex cloud and IT environments, now...

Ariel Fogel

Founding Engineer & Researcher, Pillar Security

Ariel Fogel is a founding engineer & researcher at Pillar Security, where he hardens AI applications against real-world attacks and compliance risks. Over the past decade, he has built production systems in Ruby, TypeScript, Python, and SQL, shipping everything from full-stack web...

Ziv Karliner

CTO, Pillar Security

Ziv Karliner is the Co-Founder and CTO of Pillar Security, where he works on securing AI-powered applications and agent-based systems. With over a decade of experience in cybersecurity, Ziv has led research and engineering efforts across application security, cloud security, financial...

Dan Lisichkin

AI Security Researcher
Dan Lisichkin is the Cyber Security Researcher for Pillar Security, focusing on AI security, adversarial threats, and securing AI based systems. With over five years of experience in the cybersecurity and IT space, Dan has extensive knowledge in areas including malware analysis, reverse...
Friday June 26, 2026 10:05am - 12:05pm CEST
Room -2.92 (Level -2)

10:05am CEST

Hunting Critical CVEs: A Hands-On, Pick-Your-Own Exploitation POD
Friday June 26, 2026 10:05am - 12:05pm CEST
New CVEs are released constantly, but in practice most teams never go beyond reading the advisory or relying on automated scanning. This POD is designed to change that by giving participants time and platform to hunt and exploit real-world critical CVEs. Participants will have access to 10 hands-on challenges, each based on a real high or critical severity CVE commonly found in modern applications....
Speakers

Abhinav Mishra

Founder, Cyber Security Guy

Abhinav Mishra is a cyber security practitioner with over 14 years of hands-on experience in vulnerability research, offensive security, and application security testing. He has carried out 1,000+ security reviews and penetration tests across web, mobile, API, and cloud-based systems...
Friday June 26, 2026 10:05am - 12:05pm CEST
Room -2.92 (Level -2)

10:30am CEST

When Museums Get Hacked: OWASP Top 10 Lessons from Heists
Friday June 26, 2026 10:30am - 11:00am CEST
Historically (pun intended) the OWASP Top 10 has been a standard awareness document for developers and web application security. However its mitigation strategies can transcend history and be applied to critical infrastructures under attack, *exempli gratia* museums. In this talk, we’ll explore the newest OWASP Top 10 (released in November MMXXV) through the lens of famous Museum heists (Louvre,...
Speakers
Jose Carlos Chávez

Security Software Engineer, Okta
José Carlos Chávez is a Security Software Engineer at Okta, an OWASP Coraza co-leader and a Mathematics student at the University of Barcelona. He enjoys working in Security, compiling to WASM, designing APIs and building distributed systems. While not working with code, you can...
Friday June 26, 2026 10:30am - 11:00am CEST
Room -2.82 (Level 2)

10:30am CEST

When AI Attacks AI: Inside the Self-Propagating Botnet Built on Compromised AI Infrastructure
Friday June 26, 2026 10:30am - 11:15am CEST
ShadowRay did not disappear after disclosure. Despite extensive public reporting and technical analysis, the campaign remains active and continues to expand in scale, with more than 230,000 exposed Ray endpoints and an order-of-magnitude increase in observed exploitation. Enter a self-propagating botnet built from compromised machine-learning clusters, all running on Ray—the de facto execution...
Speakers
Gal Elbaz

Co-founder & CTO, Oligo Security

Co-founder & CTO at Oligo Security with 10+ years of experience in vulnerability research and practical hacking. He previously worked as a Security Researcher at CheckPoint and served in the IDF Intelligence. In his free time, he enjoys playing CTFs. linkedin.com/in/gal-elb...
Avi Lumelsky

AI Security Researcher, Oligo Security

Avi has a relentless curiosity about business, AI, security—and the places where all three connect. An experienced software engineer and architect, Avi’s cybersecurity skills were first honed in elite Israeli intelligence units. His work focuses on privacy in the age of AI and...
Friday June 26, 2026 10:30am - 11:15am CEST
Hall K1 (Level -2)

10:30am CEST

DOMination - Abusing the Permission Model in Web Extensions
Friday June 26, 2026 10:30am - 11:15am CEST
People in your organization might have a living-breathing backdoor right now, and you don’t even know it. EDR wouldn’t catch it - not because it employs a zero-day, but because it behaves harmlessly. It might be a malicious extension that wasn’t flagged yet that has excessive permissions, it might be an NPM package that reads .env files and sends them to a remote server, and it might be an...
Speakers
Moshe Siman Tov Bustan

Security Research Team Leader, OX Security

Moshe is a Security Research Team Lead at OX Security, a company specializing in software supply chain security, and has worked in the security industry for 13 years. His work spans cloud security research, container security, memory forensics, and an in-depth understanding of programming...
Nir Zadok

OX Security

Nir Zadok is a rocket scientist who got a bit bored, so he moved to cybersecurity. Since then, as a Whitehat, he has managed to break dozens of mobile, web, and desktop applications. These days Nir is focused on software supply chain and innovative attack vector research via widely...
Friday June 26, 2026 10:30am - 11:15am CEST
Hall G1 (Level -2)

10:30am CEST

From ASVS to APVS: What Changes When You Treat Privacy as a System Property?
Friday June 26, 2026 10:30am - 11:15am CEST
Privacy is increasingly expected to be “built in by design”, yet most privacy guidance remains legal, abstract, or disconnected from how systems are actually designed and reviewed. As a result, privacy is still treated as a compliance exercise rather than an engineering discipline. In this talk, we share early lessons from the OWASP Privacy Project and our work on the Application Privacy...
Speakers
Matthew Coles

Product Security Architect/Technologist

Matthew Coles is a Product Security Architect and Technologist with 20+ years experience working with business leaders and developers to secure hardware and software systems and processes. He is a technical contributor to community standard initiatives such as OpenSSF and OWASP, a...
Kim Wuyts

Manager Cyber & Privacy, PwC Belgium

Dr. Kim Wuyts is a leading privacy engineer with over 15 years of experience in security and privacy. Before joining PwC Belgium as Manager Cyber & Privacy, Kim was a senior researcher at KU Leuven where she led the development and extension of LINDDUN, a popular privacy threat modeling...
Avi Douglen

Software Security Consultant, Bounce Security
Avi Douglen is the founder and CEO at Bounce Security, a boutique consultancy specializing in software security, where he spends a lot of time with development teams of all sizes. He helps them integrate security methodologies and products into their development processes, and often...
Friday June 26, 2026 10:30am - 11:15am CEST
Hall D (Level -2)

10:30am CEST

Keep It Between Us: Manipulating Humans for Better AppSec (Ethically)
Friday June 26, 2026 10:30am - 11:15am CEST
Most AppSec programs fail not because people disagree with security, but because security competes with habits that are already winning. Developers don’t wake up wanting to threat-model or review alerts - they wake up wanting to ship. In this talk, we’ll stop trying to “convince” people to care about security and instead learn how to design AppSec activities so they naturally stick. Using...
Speakers
Nariman Aga-Tagiyev

Founder & AppSec Architect, SecureHabits

Founder & AppSec Architect at SecureHabits, OWASP SAMM core team member, ISO/IEC 27034 working group liaison

Nariman Aga-Tagiyev is an Application Security Architect with 20+ years of experience in software development. Since 2016, he has focused on advancing SSDLC maturity and building...
Friday June 26, 2026 10:30am - 11:15am CEST
Hall K2 (Level -2)

10:30am CEST

Your Localhost Is Lying to You: Trust Boundary Failures in Enterprise SSO
Friday June 26, 2026 10:30am - 11:15am CEST
When an attacker lands on a user’s machine, your SSO should not hand them the keys to your network. Yet many enterprise systems do because they assume localhost subdomains are safe. They are not. This talk shows how a common DNS misconfiguration (localhost.target.com → 127.0.0.1), combined with domain-wide cookies (Domain=.target.com), allows a locally executed request context to inherit an...
Speakers
Rupesh Kumar

Application Security Researcher | Red Team Practitioner

Rupesh Kumar is an offensive security researcher with 1.5 years of experience in web application testing, vulnerability research, and red team operations. He has reported critical and high-severity vulnerabilities to organizations across government, defense, healthcare, and critical...
Friday June 26, 2026 10:30am - 11:15am CEST
Hall G2 (Level -2)

10:30am CEST

Hands-On AI Security Assessment with OWASP AISVS (Workshop)
Friday June 26, 2026 10:30am - 12:00pm CEST
OWASP Demo Lab - Hands-On Workshop / Small Group Session

How do you actually verify that an AI system is secure? In this workshop, the AISVS project leads walk through practical assessment scenarios using the OWASP AI Security Verification Standard. We'll work through real requirements from chapters on prompt injection defense, agentic action security, RAG/vector database hardening, and output...
Speakers
Jim Manico

Founder and CEO, Manicode Security
Jim Manico is the founder of Manicode Security, where he specializes in training software developers on secure coding and security engineering. He is actively involved in multiple ventures, serving as an investor/advisor for companies like 10Security, MergeBase, Nucleus Security...
Rico Komenda

Senior Security Consultant

Rico is a senior product security engineer. His main security areas are in application security, cloud security, offensive security and AI security.

For him, general security intelligence in various aspects is a top priority. Today’s security world is constantly changing and you...
Otto Sulin

Head of Security, Supermetrics


Russ Memisyazici

Aras “Russ” Memişyazıcı, M.Sc. is a senior technology and architecture leader specializing in AI security, cloud transformation, application security, and enterprise modernization. He currently serves as a Global Head of Reference Architecture at Aon, where his work focuses...
Friday June 26, 2026 10:30am - 12:00pm CEST
Room -2.33 (Level -2)

10:30am CEST

OWASP Certified Secure-Software Developer (Call for Contributors)
Friday June 26, 2026 10:30am - 12:00pm CEST
OWASP Demo Lab - Hands-On Workshop / Small Group Session
Zone 4

OWASP Certified Secure-Software Developer Certification project is aimed at developing a certification program for developers. This presentation will take the audience through the journey of OCSD, the progress made so far and will include a call for contributions. This session seeks to answer common questions about the relevance of the...
Speakers
Shruti Kulkarni

OWASP OCSD, Information Security Architect
Shruti is an information security / enterprise security architect with experience in ISO27001, PCI-DSS, policies, standards, security tools, threat modelling, risk assessments. Shruti works on security strategies and collaborates with cross-functional groups to implement information...
Friday June 26, 2026 10:30am - 12:00pm CEST
Room -2.33 (Level -2)

10:30am CEST

OWASP CycloneDX Sunshine: see CycloneDX SBOMs come to life & chat with them (Workshop)
Friday June 26, 2026 10:30am - 12:00pm CEST
OWASP Demo Lab - Hands-On Workshop / Small Group Session
Zone 3

Ever looked at a CycloneDX file and thought, there’s gotta be a better way to read this? You're not alone. In late December 2024 OWASP CycloneDX unveiled a brand new SBOM visualization tool called Sunshine - a first-of-its-kind visualization tool that transforms static CycloneDX SBOM files into intuitive, interactive...
Speakers
Luca Capacci

Staff Application Security Engineer, Ivanti
Luca received his master's degree in Computer Engineering from the University of Bologna back in 2014 and he has been working in the cybersecurity field since then. Currently he is a Senior Application Security engineer at Ivanti. Since December 2024 he is also a maintainer at OWASP...
Friday June 26, 2026 10:30am - 12:00pm CEST
Room -2.33 (Level -2)

11:00am CEST

From Maturity to Mastery: Accelerating Software Security with OWASP SAMM
Friday June 26, 2026 11:00am - 11:30am CEST
Are you looking to strengthen your organization’s software assurance program, prove compliance with industry frameworks, or simply level up your AppSec game? Join OWASP project leaders Sebastien and Aram for an engaging introduction and the latest updates on OWASP Software Assurance Maturity Model (SAMM) — the open, community-driven standard for building and measuring software security...
Speakers
Sebastien Deleersnyder

Co-Founder and CEO, Toreon
Sebastien Deleersnyder, also known as Seba, is a highly accomplished individual in the field of cybersecurity. He is the CTO and co-founder of Toreon, as well as the COO and lead threat modeling trainer of Data Protection Institute. Seba holds a Master's degree in Software Engineering...
Aram Hovsepyan

Founder and CEO, Codific
For the past 15 years Aram has been involved in application security as a researcher, industry expert, and core contributor to the OWASP SAMM project.

Aram is the founder and CEO of Codific, a Belgian cybersecurity product firm. At Codific, he works at the intersection of software...
Friday June 26, 2026 11:00am - 11:30am CEST
Room -2.82 (Level 2)

11:30am CEST

Using OWASP SAMM and OWASP DSOMM together in practice
Friday June 26, 2026 11:30am - 12:00pm CEST
Security is widely recognized as one of the top global risks, yet many organizations struggle managing that risk effectively. One of the key reasons is that application security efforts often consist of fragmented tools and isolated practices rather than a coherent program focused on people, processes, and tools. Within the OWASP community, two mature models exist to support application security...
Speakers
Aram Hovsepyan

Founder and CEO, Codific
For the past 15 years Aram has been involved in application security as a researcher, industry expert, and core contributor to the OWASP SAMM project.

Aram is the founder and CEO of Codific, a Belgian cybersecurity product firm. At Codific, he works at the intersection of software...
Timo Pagel

Security architect, DevSecOps Consultant, DevSecOps Strategist
Timo has been in the IT industry for over twenty years. After being a system administrator and web developer in his early times, he became involved in OWASP. He now advises his clients on DevOps security, either as a strategist, hands on or as a trainer, with the focus on security...
Friday June 26, 2026 11:30am - 12:00pm CEST
Room -2.82 (Level 2)

11:30am CEST

Infrastructure Doesn’t Lie: Using Infrastructure Signals to Detect Shadow AI Built Applications
Friday June 26, 2026 11:30am - 12:15pm CEST
AI app builders now enable production apps to ship without repositories, CI/CD, or security review, often by non-traditional developers outside established engineering workflows. These Shadow AI apps bypass AppSec pipelines and governance, creating a growing blind spot in enterprise environments. This talk demonstrates how DNS, TLS, and hosting signals can detect shadow AI apps that existing...
Speakers
Balachandra Shanabhag

Product Security Lead, Cerebras

Bala is working as Staff security Engineer for Cohesity. Bala has over 15 years of experience in various domains of cybersecurity. Bala Joined Cohesity as Founding Product Security Engineer and helped boot strap Appsec and other security initiatives. Before Cohesity Bala worked at...
Friday June 26, 2026 11:30am - 12:15pm CEST
Hall K1 (Level -2)

11:30am CEST

Q-Day is Cancelled: Practical Strategies to Defeat 'Harvest Now, Decrypt Later'
Friday June 26, 2026 11:30am - 12:15pm CEST
The arrival of cryptographically relevant quantum computers (CRQC) is no longer a theoretical "if"—it is a question of "when." With the "Harvest Now, Decrypt Later" (HNDL) attack vector, adversaries are already stockpiling encrypted traffic today to decrypt it once quantum capability matures. In August 2024, NIST officially finalized the first set of Post-Quantum Cryptography (PQC) standards...
Speakers
Anshu Gupta

Founder, Fixin Security

Anshu Gupta is a hands on security professional with Fortune 500 security consulting experience at Ernst & Young and KPMG where he worked at companies like Microsoft, Salesforce, Oracle, Cisco, McAfee, Adobe, Yahoo, GAP, Kaiser among others. Based on advice from his mentors, he then...
Friday June 26, 2026 11:30am - 12:15pm CEST
Hall G1 (Level -2)

11:30am CEST

Phishing for Passkeys - An Analysis of WebAuthn and CTAP
Friday June 26, 2026 11:30am - 12:15pm CEST
WebAuthn was supposed to replace passwords on the web: uniform, secure, manageable authentication for everyone! One of its unique selling points was supposed to be the impossibility of phishing attacks. When Passkeys were introduced, some of WebAuthn's security principles were watered down in order to achieve some usability improvements and thus reach more widespread adoption. This presentation...
Speakers
Michael Kuckuk

Fullstack Developer, inovex

As a fullstack software developer, Michael's main expertise lies in simple software development. But since he is well aware that the happy path is the easy part, he's always had an interest for security and he's always been very security- and privacy-aware in his work. He enjoys developing...
Friday June 26, 2026 11:30am - 12:15pm CEST
Hall D (Level -2)

11:30am CEST

Enforcing Application Security Policies at Scale: Lessons from an Enterprise Rollout
Friday June 26, 2026 11:30am - 12:15pm CEST
Enforcing security policies at enterprise scale is challenging, and it's becoming more so with rapid delivery cycles and AI-assisted development. Many organisations adopt policy-as-code to improve security and compliance but realise that, despite the solution’s technical soundness, exceptions multiply and teams quietly work around enforcement to meet delivery targets, with little real...
Speakers
Mehran Koushkebaghi

Head of Product Security, Nationwide Building Society

Mehran is a Chartered Engineer with over 18 years of experience across software, security, and civil engineering. He approaches application security as a systemic concern, using a systems-thinking lens to understand how technical controls, organisational structures, and human behaviour...
Friday June 26, 2026 11:30am - 12:15pm CEST
Hall K2 (Level -2)

11:30am CEST

Effort is All You Need: Testing LLM Applications in the Real World
Friday June 26, 2026 11:30am - 12:15pm CEST
Security testing of GenAI systems is often reduced to "LLM red teaming": probing a model in isolation to see what unsafe/offensive content it will generate. In practice, this approach falls short. As security practitioners, we need to assess complete LLM application use cases, focusing on how inputs and outputs propagate through application logic and enable concrete security risks such as data...
Speakers
Donato Capitella

Principal Security Consultant, Reversec

Donato Capitella is a Software Engineer and Principal Security Consultant at Reversec, with over 15 years of experience in offensive security and software engineering. Donato spent the past 3 years conducting research and assessments on Generative AI applications, covering topics...
Thomas Cross

Security Consultant, Reversec

Friday June 26, 2026 11:30am - 12:15pm CEST
Hall G2 (Level -2)

12:15pm CEST

Lunch in Expo Hall
Friday June 26, 2026 12:15pm - 1:15pm CEST
Expo Hall X1

12:15pm CEST

AI for Code Security in Modern Codebases
Friday June 26, 2026 12:15pm - 2:15pm CEST
Modern codebases are large, fast-moving, and increasingly AI-assisted, making traditional code security approaches hard to scale. This hands-on POD explores how AI can augment secure coding and code review workflows—without replacing human judgment. Participants will actively work through realistic code security scenarios drawn from modern APIs, cloud-native services, and GenAI-enabled...
Speakers
Rajnish Sharma

CEO, Precogs AI

Rajnish Sharma is the CEO and Founder of precogs.ai and a seasoned technology and security leader with experience in secure development, AI, and risk‑focused workflows. Previously, he served as Head of Investment Technology & AI at Allianz Global Investors, where he led strategic...
Friday June 26, 2026 12:15pm - 2:15pm CEST
Room -2.92 (Level -2)

12:15pm CEST

Context & Cringe - Application Privacy through Play
Friday June 26, 2026 12:15pm - 2:15pm CEST
Privacy risks are rarely obvious when looking at data, features, or apps in isolation. They emerge through changing context and are impacted by user perception. In this POD, participants play Context & Cringe, a discussion-driven card game where players build fictional app scenarios using real-world data and features, then judge how those designs feel from a user’s perspective. Rather than...
Speakers
Kim Wuyts

Manager Cyber & Privacy, PwC Belgium

Dr. Kim Wuyts is a leading privacy engineer with over 15 years of experience in security and privacy. Before joining PwC Belgium as Manager Cyber & Privacy, Kim was a senior researcher at KU Leuven where she led the development and extension of LINDDUN, a popular privacy threat modeling...
Avi Douglen

Software Security Consultant, Bounce Security
Avi Douglen is the founder and CEO at Bounce Security, a boutique consultancy specializing in software security, where he spends a lot of time with development teams of all sizes. He helps them integrate security methodologies and products into their development processes, and often...
Friday June 26, 2026 12:15pm - 2:15pm CEST
Room -2.92 (Level -2)

12:15pm CEST

OWASP JuiceShop: Come and pwn me
Friday June 26, 2026 12:15pm - 2:15pm CEST
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! Come over with a cup of coffee and pwn the Juice Shop and get points in the Capture the Flag. If you can show the “AppSec EU 2026” product description flag, you will get a special edition of the AppSec EU Juice Shop sticker. Get to know how to perform secure coding workshops with the Juice Shop and the Juice...
Speakers
Timo Pagel

Security architect, DevSecOps Consultant, DevSecOps Strategist
Timo has been in the IT industry for over twenty years. After being a system administrator and web developer in his early times, he became involved in OWASP. He now advises his clients on DevOps security, either as a strategist, hands on or as a trainer, with the focus on security...
Jannik Hollenbach

Jannik is Project Lead of the OWASP Juice Shop and OWASP secureCodeBox projects. Working on anything from Kubernetes to Javascript and trying to make it a bit more secure.
Friday June 26, 2026 12:15pm - 2:15pm CEST
Room -2.92 (Level -2)

12:15pm CEST

Teaching Security Concepts Using Physical Analogies
Friday June 26, 2026 12:15pm - 2:15pm CEST
Understanding security fundamentals doesn’t have to be dry or abstract. In this interactive CF‑Pod, you’ll explore the core principles of confidentiality, integrity, and availability through surprising physical demonstrations and simple “magic‑like” activities that make each concept intuitive and memorable. Each station focuses on one security principle and offers a short, hands‑on...
Speakers
Mariia Denysenko

Cybersecurity Governance & Training Professional in IT, AI, and OT

Mariia is a cybersecurity governance and compliance professional with experience spanning IT security, AI security, and OT security. She focuses on developing secure processes, enabling teams, and translating complex security requirements into clear, actionable guidance.

Her backg...
Friday June 26, 2026 12:15pm - 2:15pm CEST
Room -2.92 (Level -2)

1:15pm CEST

OWASP Mobile Application Security (MAS) Project Updates
Friday June 26, 2026 1:15pm - 1:45pm CEST
In this talk, Carlos Holguera and Sven Schleier, the OWASP Mobile Application Security (MAS) Project Leaders, will take a hands-on look at some of the latest OWASP MAS developments. This session will provide key updates on the latest advancements in the Mobile Application Security (MAS) project, including the MASWE (Mobile Application Security Weakness Enumeration) Beta and the MASTG (Mobile...
Speakers
Carlos Holguera

OWASP Mobile App Security (MAS): MASVS, MASWE and MASTG, NowSecure
Carlos is a principal mobile security research engineer working with NowSecure and one of the core project leaders and authors of the OWASP Mobile Security Testing Guide (MASTG) and OWASP Mobile Application Security Verification Standard (MASVS), the industry standard for mobile app...
Sven Schleier

Co-Founder, Bai7 GmbH
Sven is a co-founder of Bai7 GmbH in Austria, which is specialized in trainings and advisory. He has expertise in cloud security, offensive security engagements (Penetration Testing) and Application Security, notably in guiding software development teams across Mobile and Web Applications...
Friday June 26, 2026 1:15pm - 1:45pm CEST
Room -2.82 (Level 2)

1:15pm CEST

The OG OWASP Top 10 Might Be Back Thanks to Agentic Browsers
Friday June 26, 2026 1:15pm - 2:00pm CEST
Agentic browsers are quickly becoming one of the most powerful—yet dangerous—applications of agentic AI. By combining web navigation, content interpretation, and direct action taking, they act as a universal gateway to almost any service or application on the internet. That power quietly reintroduces web security risks many teams assumed were behind us. Agentic browsers read and react to...
Speakers
Lidan Hazout

CTO and Co-Founder, Capsule Security

Lidan has been programming since childhood, driven by a deep passion for data and AI. He previously served as VP of R&D at SecuredTouch, where he helped pioneer behavioral biometrics. Following the company’s acquisition by Ping Identity, the technology he led became a core component...
Bar Kaduri

Head of Research, Capsule Security

Bar Kaduri is a cybersecurity researcher, leader, and international speaker with over 14 years of experience in cloud security, software supply-chain risk, and emerging AI threats. With hands-on expertise in evaluating and stress-testing AI systems, Bar focuses on building practical...
Friday June 26, 2026 1:15pm - 2:00pm CEST
Hall G1 (Level -2)

1:15pm CEST

AI-Generated Code vs Human Code. Who Really Writes More Vulnerabilities
Friday June 26, 2026 1:15pm - 2:00pm CEST
When AI coding tools entered mainstream development, the application security community reacted fast and loudly. Many warned that AI would dramatically increase vulnerabilities. The most common argument was simple and intuitive. AI models were trained on vast amounts of real-world code, including insecure and vulnerable code. Garbage in, garbage out. If AI learned from vulnerable code, it would...
Speakers
Eitan Worcel

CEO & Co-Founder, Mobb

Eitan Worcel is the co-founder and CEO of Mobb. He has close to 20 years of experience in application security, spanning hands-on software development, product leadership, and executive roles. Throughout his career, Eitan has worked closely with engineering and security teams to understand...
Friday June 26, 2026 1:15pm - 2:00pm CEST
Hall D (Level -2)

1:15pm CEST

Security Champions: Lessons from Opposite Trenches
Friday June 26, 2026 1:15pm - 2:00pm CEST
Have you heard about “security champions programs” that seem to be gaining popularity these days? Maybe your company is running such a program, yet you doubt its effectiveness, wondering if it’s worth sustaining? The thing is, you might not be the only one asking these questions. Let’s hear from security and champions alike. Mireia is a security engineer focused on application security who...
Speakers
Lisi Hocke

Security Engineer, DocuWare GmbH
Lisi found tech as her place to be in 2009 and has grown as a specialized generalist ever since. Building great products that deliver value together with great people motivates her and lets her thrive. As a security engineer, she’s now fully focusing on all things product security...
Mireia Cano

Application Security Engineer, PPRO

I am a security engineer focused on application security, with over 7 years of experience. I have helped companies build their application security programs both as a consultant and as an in-house security engineer. I am passionate about fostering collaboration between development...
Friday June 26, 2026 1:15pm - 2:00pm CEST
Hall K2 (Level -2)

1:15pm CEST

What Our Pen Tests Never Found — And How Attackers Did
Friday June 26, 2026 1:15pm - 2:00pm CEST
Penetration testing is a crucial part of application security practices, yet attackers often succeed in ways no test ever reported. No injection, no memory corruption, no failed authentication. The applications behaved exactly as designed — and that was enough. In this talk, we will explore what penetration testing is intended to detect and how attackers actually compromise the systems. This talk...
Speakers
Ramya M

Application Analyst, Okta, Inc.

Ramya M is a cybersecurity professional, currently working at Okta, Inc., specializing in application security, product security, identity security, and secure SDLC automation. She has led enterprise-scale initiatives across secure coding, DevSecOps hardening, vulnerability triage...
Friday June 26, 2026 1:15pm - 2:00pm CEST
Hall G2 (Level -2)

1:15pm CEST

CHAMELEON-REN: Advancing the OWASP Web Application Honeypot Project with Adaptive, Education-Sector (Workshop)
Friday June 26, 2026 1:15pm - 3:00pm CEST
OWASP Demo Lab - Hands-On Workshop / Small Group Session
Zone 2

The OWASP Web Application Honeypot Project provides foundational tooling to observe attacker activity against simulated web interfaces. CHAMELEON-REN extends this work with a stimulus-driven, Dockerised honeypot framework that dynamically adapts its identity, exposed paths, and technology stack in response to probing behaviours. By...
Speakers
Adrian Winckles

Cyber Security Academic, Security Researcher
Adrian Winckles is an independent Cyber Security Academic, Security Researcher and IT Professional with over 32 years of experience in developing and implementing cyber security strategies and robust, resilient IT infrastructure solutions. A proven leader in driving digital transformation...
Gautam Mahesh Juvarajiya

Research Associate, The Open University, UK
Currently Working as a Research Associate at Open University with a Background in IT and a MSc in Cyber Security Engineering from University of Warwick, UK.
Friday June 26, 2026 1:15pm - 3:00pm CEST
Room -2.33 (Level -2)

1:15pm CEST

Finding strange things in binaries (Workshop)
Friday June 26, 2026 1:15pm - 3:00pm CEST
OWASP Demo Lab - Hands-On Workshop / Small Group Session
Zone 1

Internal development teams and external suppliers love producing binaries for ease of deployment and distribution. Binary formats, however, make security analysis and compliance more complex for the security and OSPO teams. The good news is that the team behind OWASP dep-scan maintains a couple of binary analysis tools (OWASP blint and...
Speakers
Prabhu Subramanian

Founder at AppThreat, Distinguished security expert and active contributor to the open-source security community
Prabhu Subramanian is a distinguished security expert and active contributor to the open-source security community. Prabhu is the author and OWASP Leader behind projects such as OWASP CycloneDX Generator (cdxgen) and OWASP depscan. He specializes in Supply Chain Security and offers...
Friday June 26, 2026 1:15pm - 3:00pm CEST
Room -2.33 (Level -2)

1:15pm CEST

Let's Play: OWASP Cumulus (Workshop)
Friday June 26, 2026 1:15pm - 3:00pm CEST
OWASP Demo Lab - Hands-On Workshop / Small Group Session
Zone 3

In this hands-on session we will demonstrate the threat modeling card game "Cumulus" and show how it can help you start threat modeling your cloud and DevOps processes.

Using a real live example scenario, we will discuss, laugh and increase security. And maybe the winner will even get a prize! :)
Speakers

Christoph Niehoff

Senior Consultant, TNG Technology Consulting
In his role as a Senior Consultant at TNG Technology Consulting, Christoph Niehoff develops software products for his clients on a daily basis. As a full-stack developer, he lives and breathes DevOps, overseeing all steps of the development cycle. The security of the products is particularly...
Friday June 26, 2026 1:15pm - 3:00pm CEST
Room -2.33 (Level -2)

1:45pm CEST

Cloud Native Web Application Firewalls - How OWASP Coraza is coming to Kubernetes world
Friday June 26, 2026 1:45pm - 2:15pm CEST
Kubernetes features are moving fast, and its networking layer is constantly adapting for all new kinds of workloads. However we still lack a basic but essential feature: a way to filter and protect incoming web traffic. The Gateway API is the natural place to add security, and many enterprises mandate such a thing. In this session, we introduce a new project that connects OWASP Coraza WAF directly...
Speakers

Jose Carlos Chávez

Security Software Engineer, Okta
José Carlos Chávez is a Security Software Engineer at Okta, an OWASP Coraza co-leader and a Mathematics student at the University of Barcelona. He enjoys working in Security, compiling to WASM, designing APIs and building distributed systems. While not working with code, you can...

Ricardo Katz

Software Engineer, Red Hat
Engineer on OpenShift Ingress, Gateway API & DNS area at Red Hat. Kubernetes Gateway API maintainer, working across different areas. Likes Legos, Planes, Traveling and Infrastructure-related development
Friday June 26, 2026 1:45pm - 2:15pm CEST
Room -2.82 (Level 2)

2:15pm CEST

Updates on the OWASP Automated Threats Project
Friday June 26, 2026 2:15pm - 2:45pm CEST
Project leaders Colin Watson and Tin Zaw announced the official release of version 1.3 of the OWASP Automated Threat Handbook on March 12, 2026. Even after ten years, this handbook remains the go-to resource for security pros who want actionable information and resources to help defend against automated threats to web applications which abuse valid functionality. The handbook still defines...
Speakers

Tin Zaw

Director, Security Solutions, Project Leader, OWASP Automated Threats Project
Tin Zaw has been an OWASP volunteer since 2010, starting as the president of Los Angeles chapter for 3 years. Since 2015, he's been a co-leader of the OWASP Automated Threats Project. Along with Colin Watson, they have released versions 1.2 and 1.3 of the handbook and are working...
Friday June 26, 2026 2:15pm - 2:45pm CEST
Room -2.82 (Level 2)

2:15pm CEST

Marketplace Takeover: One Bug Away from Pwning 10 Million Developer Machines
Friday June 26, 2026 2:15pm - 3:00pm CEST
This is the story of a single CI bug with the potential of compromising more than 10 million workstations - with a full takeover - for anyone using popular tools like Cursor and Windsurf (so every developer, really). Learn about a critical flaw - that will be shared by the team who first identified it - in [open-vsx.org](http://open-vsx.org/), the open-source marketplace powering nearly every...
Speakers

Oren Yomtov

Principal Security Researcher, Koi Security

Oren Yomtov is a Principal Security Researcher at Koi, where he focuses on advancing research in software and blockchain security. He brings extensive experience from his work at Fireblocks, contributing to research on digital asset security and blockchain infrastructure.

Previous...

Yuval Ronen

Security Researcher, Koi Security

Yuval Ronen leads the security research at Koi, focusing on vulnerability research, threat intelligence, and developing detection methods to strengthen defenses across modern software ecosystems. He brings over seven years of experience in both offensive and defensive cybersecurity...
Friday June 26, 2026 2:15pm - 3:00pm CEST
Hall K1 (Level -2)

2:15pm CEST

How to (Not) Isolate Untrusted Code in Scripting Languages
Friday June 26, 2026 2:15pm - 3:00pm CEST
The need to isolate untrusted code or user-provided expressions is ubiquitous, even in backend systems, and there are many misconceptions around this practice. Workflow automation platforms allow users to provide complex constraints evaluated on the server, AI agents must securely execute synthesized code, and reused untrusted UI components might render on the server-side. In practice, many...
Speakers

Cristian-Alexandru Staicu

Senior Security Researcher, Endor Labs

Cristian-Alexandru Staicu is a senior security researcher at Endor Labs and an expert on software supply chain security, with more than ten years of experience at the highest level in both academia and industry. His work has been published in top-tier academic venues on cybersecurity...
Friday June 26, 2026 2:15pm - 3:00pm CEST
Hall G1 (Level -2)

2:15pm CEST

Teaching AI Agents Like Guide Dogs: A Progressive Trust Framework
Friday June 26, 2026 2:15pm - 3:00pm CEST
Your AI agent has access to your database, your APIs, and your users' data. But would you give a new hire admin credentials on day one? We do this with AI agents constantly - deploying them with full system access before they've proven they won't hallucinate a DROP TABLE or leak sensitive data to a prompt injection attack. Guide dog training programs solved this problem decades ago. They take...
Speakers

Bodhisattva Das

Security Engineer, RUDRA Cybersecurity

Bodhisattva Das is a Security Engineer at Rudra Cybersecurity, focused on securing non-human identities, AI agents, and automated workloads across cloud environments. He specialises in open-source threat detection using Wazuh, and builds practical solutions for identity governance...
Friday June 26, 2026 2:15pm - 3:00pm CEST
Hall D (Level -2)

2:15pm CEST

Using CTFs as a Community of Practice Content Machine
Friday June 26, 2026 2:15pm - 3:00pm CEST
This session highlights our 6-year journey of building and sustaining a Security Community of Practice (CoP) from the ground up. We shifted from a project-centric organization with detailed, mandatory quality gates to an Agile model. This challenged us to scale and approach our self-reliant tribes in a new way. We will share which concepts worked and which were scrapped after initial trials....
Speakers

Marco Macala

Senior Security Manager, Raiffeisen Bank International AG
Marco Macala has spent the last eight years bridging the gap between complex financial regulations and Agile product delivery. He specializes in translating rigid security requirements into actionable, realistic goals for development teams. Together with his two colleagues Florian...

Florian Schier

Security Manager, RBI

Florian focuses on the human side of security, acting as an enabler for teams rather than a traditional gatekeeper. He specializes in translating dense security requirements into practical, day-to-day wins that actually work in an Agile environment.

He is dedicated to building a security collective that breaks down silos and makes cybersecurity accessible to everyone. When he isn't helping teams strengthen their security posture, he’s focused on fostering collaborative environments where security and DevOps actually speak the...

Christian Buchinger

Senior Security Manager

Christian collects real accomplishments, strong coffee, and an irrational hatred for the words “delivery,” “dedication,” and “great team” used as emotional support for mediocrity.

- Job: Senior Security Manager in a large European banking group
- Role: Professional doer...
Friday June 26, 2026 2:15pm - 3:00pm CEST
Hall K2 (Level -2)

2:15pm CEST

Trust No History: Why Every "Remembered" Interaction is a Potential Backdoor
Friday June 26, 2026 2:15pm - 3:00pm CEST
As AI transitions from stateless tools to autonomous agents, the context window has become the primary attack surface. By giving agents the ability to remember, summarize, and collaborate, we have created a machine that can be gaslit. This session moves beyond transient prompt injections into the realm of persistent memory corruption. We explore how an adversary can rewrite an agent’s history,...
Speakers

Rico Komenda

Senior Security Consultant

Rico is a senior product security engineer. His main security areas are in application security, cloud security, offensive security and AI security.

For him, general security intelligence in various aspects is a top priority. Today’s security world is constantly changing and you...

Barno Kaharova

Senior Consultant, AI Security Expert, adesso SE

Barno is an expert specializing in data engineering, data modeling, and machine learning security. Driven by a passion for innovation, she develops cutting-edge methodologies to protect AI systems from adversarial threats, pushing the boundaries of what’s possible in AI security...
Friday June 26, 2026 2:15pm - 3:00pm CEST
Hall G2 (Level -2)

2:30pm CEST

CfP/CfTs for the Newcomer: How To Write A Good Submission
Friday June 26, 2026 2:30pm - 3:15pm CEST
Ready to showcase your expertise? Don’t miss the chance to submit for a Call for Trainers or Call for Papers! Join the dynamic Izar Tarandach and Avi Douglen as they take you through the submission process and reveal insider tips on what the review team is looking for when selecting papers. This is your opportunity to shine and make a lasting impact—let’s make it happen!
Speakers

Izar Tarandach

Sr. Principal Architect, SiriusXM
Long-time security practitioner, Sr. Principal Security Architect at SiriusXM, previously Datadog, at Squarespace, Bridgewater Associates to DellEMC via RSA, Autodesk, startup founder, investor and advisor. Founding member of the IEEE Center for Secure Design, holds a masters degree...

Avi Douglen

Software Security Consultant, Bounce Security
Avi Douglen is the founder and CEO at Bounce Security, a boutique consultancy specializing in software security, where he spends a lot of time with development teams of all sizes. He helps them integrate security methodologies and products into their development processes, and often...
Friday June 26, 2026 2:30pm - 3:15pm CEST
  Bonus Track
  • Audience All
  • about Izar Tarandach is Sr. Principal Architect at SiriusXM and co-author of Threat Modeling: A Practical Guide for Development Teams. He pioneered Continuous Threat Modeling and contributes to projects like OWASP PyTM and the CycloneDX TMBOM. A frequent speaker and podcast host, Izar focuses on making security practical, scalable, and developer-friendly.

2:30pm CEST

Hands-On: Building Security Guardrails for AI-Generated Code
Friday June 26, 2026 2:30pm - 4:30pm CEST
AI-assisted development is now responsible for a significant and growing portion of production code. However, most AppSec programs still treat AI as an external input to be scanned after code is written, rather than as a system that can be guided to produce safer code up front. In this Practical On-Demand session, participants will explore a secure-by-construction approach to AI coding using...
Speakers

David Archer

Solution Architect, Endor Labs

David is a long-time software practitioner who has spent the last two decades building, breaking, and fixing software across development, product, and consulting roles. After repeatedly seeing security treated as an afterthought in fast-moving teams, he shifted full-time into application...
Friday June 26, 2026 2:30pm - 4:30pm CEST
Room -2.92 (Level -2)

2:30pm CEST

The Old But Unforgettable Key
Friday June 26, 2026 2:30pm - 4:30pm CEST
Application security failures often stem from small, everyday oversights that quietly accumulate into serious risk. This Practical On-Demand (POD) activity lets participants explore how those issues surface in real applications by actively engaging with a deliberately vulnerable web app. Attendees can drop in at any time and participate in a self-paced, Capture the Flag (CTF) style challenge...
Speakers

Raul Cicos

Security Consultant, Intruder

Raul is an experienced information security professional specialising in offensive security. He brings deep expertise across the full penetration testing lifecycle, from reconnaissance and vulnerability analysis to exploitation and clear, actionable reporting. His work focuses on...

Tom Steer

Security Consultant, Intruder

Tom is an experienced security professional focused on offensive security, conducting high-quality penetration tests and identifying vulnerabilities across systems and applications. In his free time, he designs and hosts Capture The Flag (CTF) challenges using them to deepen his skills...
Friday June 26, 2026 2:30pm - 4:30pm CEST
Room -2.92 (Level -2)

2:30pm CEST

“2001: Agentic Odyssey” When threat modelling meets HAL, agentic AI, testing and safety engineering
Friday June 26, 2026 2:30pm - 4:30pm CEST
“2001: Agentic Odyssey” is a hands-on, drop-in POD where we threat model the HAL 9000 system from 2001: A Space Odyssey as if it were a modern agentic AI system (LLM + tools + permissions + side effects). I bring a HAL DFD, and together we mark trust boundaries and do classic “what can go wrong?” threat identification. Participants then split into small groups to build attack-tree branches...
Speakers

Petra Vukmirovic

Head of Information Security at Numan and Fractional Head of Product, Devarmor

Petra is a technology enthusiast, leader and public speaker. A former emergency medicine doctor and competitive volleyball athlete, she thrives in challenging environments and loves creating order from chaos. Initially pursuing a medical career, Petra's passion for technology led...
Friday June 26, 2026 2:30pm - 4:30pm CEST
Room -2.92 (Level -2)

2:45pm CEST

OWASP Nettacker Project
Friday June 26, 2026 2:45pm - 3:15pm CEST
OWASP Nettacker project (a portmanteau of "Network Attacker") is a relatively new yet awesome and powerful 'swiss-army-knife' automated penetration testing framework fully written in Python. Nettacker recently gained a lot of interest from the penetration testing community and was even included in the specialist Linux distribution for penetration testers and security researchers. Nettacker is...
Speakers

Sam Stepanyan

OWASP London Chapter Leader
Sam Stepanyan is an OWASP London Chapter Leader and an Independent Application Security Consultant with over 20 years of experience in IT industry with a background in software engineering and web application development. Sam has worked for various financial services institutions...

Arkadii Yakovets

Cybersecurity Lead (OWASP Nest, OWASP Nettacker)
Arkadii Yakovets is a cybersecurity lead specializing in secure application development and DevSecOps. Since joining OWASP in 2023, he has served as a leader and active contributor to the OWASP Nest and OWASP Nettacker projects. Arkadii has mentored over 10 students through Google...
Friday June 26, 2026 2:45pm - 3:15pm CEST
Room -2.82 (Level 2)

3:00pm CEST

PM Break in Expo Hall
Friday June 26, 2026 3:00pm - 3:30pm CEST
Expo Hall X1

3:15pm CEST

From Maturity to Mastery: Accelerating Software Security with OWASP SAMM (Workshop)
Friday June 26, 2026 3:15pm - 4:15pm CEST
Are you looking to strengthen your organization’s software assurance program, prove compliance with industry frameworks, or simply level up your AppSec game? Join OWASP project leaders Sebastien and Aram for an engaging introduction and the latest updates on OWASP Software Assurance Maturity Model (SAMM) — the open, community-driven standard for building and measuring software security...
Speakers

Sebastien Deleersnyder

Co-Founder and CEO, Toreon
Sebastien Deleersnyder, also known as Seba, is a highly accomplished individual in the field of cybersecurity. He is the CTO and co-founder of Toreon, as well as the COO and lead threat modeling trainer of Data Protection Institute. Seba holds a Master's degree in Software Engineering...

Aram Hovsepyan

Founder and CEO, Codific
For the past 15 years Aram has been involved in application security as a researcher, industry expert, and core contributor to the OWASP SAMM project.

Aram is the founder and CEO of Codific, a Belgian cybersecurity product firm. At Codific, he works at the intersection of software...
Friday June 26, 2026 3:15pm - 4:15pm CEST
Room -2.33 (Level -2)

3:15pm CEST

Hack Your Own Dockerfiles (Before Someone Else Does): Hands-On Container Security with OWASP DockSec (Workshop)
Friday June 26, 2026 3:15pm - 4:15pm CEST
Most teams don’t have a "container security problem." They have a "Dockerfile hygiene" problem that quietly becomes a supply chain problem. Dockerfiles are often treated as simple build instructions, but in practice they introduce real security risk. Even teams with mature AppSec programs regularly ship Dockerfiles that run as root, rely on untrusted base images, or hide supply-chain risks...
Speakers

Advait Patel

Senior Site Reliability Engineer, Broadcom
Advait Patel is a Senior Site Reliability Engineer at Broadcom and the creator of DockSec, an open-source, AI-powered Docker security analyzer. With over 8+ years of experience in cloud-native security, DevSecOps, and secure software supply chains, he is passionate about building...
Friday June 26, 2026 3:15pm - 4:15pm CEST
Room -2.33 (Level -2)

3:15pm CEST

Shaping International Security Standards: Get Involved with OWASP's ISO Working Group (Call for Contributors)
Friday June 26, 2026 3:15pm - 4:15pm CEST
The OWASP ISO Liaison Working Group is the bridge between OWASP's practitioner-driven security guidance and the international standards that govern how organizations worldwide implement security controls. Stop by to learn how ISO standards like 27034 (Application Security) and 27002 are developed, where OWASP is actively shaping that process as an official liaison organization, and — most...
Speakers

Matt Houseman

OWASP ISO Working Group Chair
Matt Houseman is the OWASP ISO Working Group Chair and the OWASP Liaison Representative to ISO/IEC JTC 1/SC 27/WG 4. With over 15 years of experience in software engineering and application security, Matt bridges the gap between hands-on practitioner guidance and formal international...
Friday June 26, 2026 3:15pm - 4:15pm CEST
Room -2.33 (Level -2)

3:30pm CEST

OWASP GenAI Security Project (Placeholder)
Friday June 26, 2026 3:30pm - 4:00pm CEST
Stay tuned
Friday June 26, 2026 3:30pm - 4:00pm CEST
Room -2.82 (Level 2)

3:30pm CEST

From Safety to Policy: Enforcing Organizational Rules in LLMs and AI Agents
Friday June 26, 2026 3:30pm - 4:15pm CEST
Organizations deploying GenAI systems quickly discover that safety controls do not automatically enforce organizational policies. Real environments operate under large and evolving sets of domains, organization-specific and external policies driven by legal requirements, industry regulations, and internal governance rules, and they change periodically. Enforcing these rules in production is not a...
Speakers

Oren Rachmil

Senior AI Researcher, Fujitsu Research of Europe

Oren Rachmil is a Senior AI Researcher at Fujitsu Research of Europe, working on the safety, evaluation, and security of large language model systems. His recent research focuses on analyzing gaps in open-source LLM vulnerability scanners, understanding evaluator reliability, and...
Friday June 26, 2026 3:30pm - 4:15pm CEST
Hall K1 (Level -2)

3:30pm CEST

The TPM and You - How (and why) to actually make use of your TPM
Friday June 26, 2026 3:30pm - 4:15pm CEST
There is a common saying that "every problem in cryptography can be reduced to key management problem". OWASP's Cheat Sheet series even has a whole document dedicated to "Cryptographic Storage". What if we could make life easier for us in this area? TPMs (Trusted Platform Modules) have been a fixed part of every standard PC for many years, providing all users with a "free" hardware that can be used...
Speakers

Mathias Tausig

Senior Security Consultant, SBA Research

* Graduated in mathematics
* Holistic perspective on computers: former developer, sysadmin, security officer, university teacher and even computer salesman
* Now a security consultant specializing in application security
* Open source lover
* Chapter Lead from OWASP Vienna    sba-...
Friday June 26, 2026 3:30pm - 4:15pm CEST
Hall G1 (Level -2)

3:30pm CEST

Why IAM Remains a Challenge and What We Can Do About It
Friday June 26, 2026 3:30pm - 4:15pm CEST
Everyone expects Identity & Access Management to be a "set it and forget it" problem. But the reality looks quite different: the same challenges keep resurfacing, they are technically demanding, time-consuming, and frequently create friction between teams, ultimately resulting in significant costs. And the rise of AI agents makes it even worse. Over the years, I explored these recurring issues,...
Speakers

Dimitrij Drus

Senior Consultant, INNOQ

I work as a Senior Consultant at INNOQ Germany GmbH, focusing on security architecture and the design of secure distributed systems. With a strong passion for security, I regularly lead training sessions to help others address modern (web) security challenges.    de.linkedin.c...
Friday June 26, 2026 3:30pm - 4:15pm CEST
Hall D (Level -2)

3:30pm CEST

Insecurity as Code: How Modern Software Scaled the Attack Surface
Friday June 26, 2026 3:30pm - 4:15pm CEST
Drawing on large-scale telemetry from real-world production environments, this talk examines what modern application and supply-chain security actually look like in 2025–2026. The data paints a clear picture: many organizations ship vulnerable dependencies, exposed secrets remain surprisingly common, infrastructure logging is frequently incomplete, and malicious packages can reach production...
Speakers

Igor Stepansky

Security Researcher, Orca Security

I'm Igor Stepansky, a Security Researcher at Orca Security specializing in the AppSec domain. I bring a strong and diverse background in cybersecurity, with hands-on experience in integrating security solutions such as SAST, IaC scanning, SCA, secrets detection, and malicious package...
Friday June 26, 2026 3:30pm - 4:15pm CEST
Hall K2 (Level -2)

3:30pm CEST

Rewriting DAST Playbook: AI Agents and the Future of Web App Security
Friday June 26, 2026 3:30pm - 4:15pm CEST
The landscape of DAST (Dynamic Application Security Testing) tools is evolving to address modern web application complexities. While these tools are effective at detecting classic vulnerabilities like injection flaws, misconfigurations, and broken access control, they struggle with JavaScript-heavy SPAs, complex workflows, file upload/download analysis, and second-order vulnerabilities. To...
Speakers

Divyansh Jain

Application Security Analyst, Checkmarx Ltd.

Divyansh Jain is a passionate security engineer with experience in building and enhancing automated vulnerability scanners, focusing on issues like IDOR, broken access control, and authentication flaws. He has contributed extensively to open-source security tools, improved detection...

Aditya Dixit

Application Security Analyst, Checkmarx Ltd.

Security Analyst with a hybrid background in software engineering, artificial intelligence, and cybersecurity. Experienced in developing AI/ML solutions and now focused on securing intelligent systems against emerging threats. Areas of interest include application security, adversarial...
Friday June 26, 2026 3:30pm - 4:15pm CEST
Hall G2 (Level -2)
  Testing
 