InfoSec World 2026 brings together cybersecurity leaders, risk officers, and IT strategists from across the financial sector for three days of expert insights, collaboration, and innovation.
Whether you're a CISO navigating evolving SEC cyber disclosure requirements or a security architect managing third-party risk, you’ll find finance-focused content and expert-led sessions designed to help address today’s most pressing security challenges.
In today’s digital underground, cybercrime has evolved into a service economy where fraud is scalable, on-demand, and disturbingly accessible. This session explores the Fraud-as-a-Service (FaaS) ecosystem, a complex web of illicit marketplaces, plug-and-play tools, and rented infrastructure that enables even low-skilled actors to commit cybercrime. We’ll break down how threat actors leverage laptop farms, AI-generated IDs, deepfakes, and botnets to bypass security systems, manipulate trust, and cash out. Whether you're in cybersecurity, compliance, or tech policy, this talk will give you a clear-eyed look at how industrialized fraud works, and what must be done to disrupt it.
This session examines how generative AI introduces new risks to application security in financial services, with a focus on package hallucinations and slopsquatting vulnerabilities. It explores practical governance approaches, risk assessment methods, mitigation techniques, and real-world implementation challenges across banking, insurance, and investment organizations. Participants will see how these risks affect DevSecOps pipelines and receive actionable strategies to maintain secure, compliant development practices while continuing to leverage AI capabilities.
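The two failure modes the abstract names, an LLM proposing a package that does not exist (hallucination) and an attacker registering that name so the next install pulls their code (slopsquatting), are both caught by the same control: never let a model-suggested dependency reach the resolver until it has been checked against a reviewed allowlist. The following gate is an added example written for this page, not material from the session or its speakers; the allowlist, the suggested-dependency list and the edit-distance threshold are constructed for illustration. It applies PEP 503 name normalization so case and separator variants match, flags names within a couple of edits of an approved package (the typical hallucinated variant), and blocks anything unknown rather than trusting it because it "sounds right".

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed allowlist standing in for an organisation's approved-package inventory
# (in practice an export of the internal index or a reviewed lockfile). The names are
# real PyPI projects used only as illustrative known-good entries.
APPROVED_PACKAGES = {"requests", "cryptography", "PyJWT", "boto3", "SQLAlchemy", "pydantic", "httpx"}

# PEP 508 project-name grammar; anything else is rejected before it reaches a resolver.
_NAME_RE = re.compile(r"^([A-Z0-9]|[A-Z0-9][A-Z0-9._-]*[A-Z0-9])$", re.IGNORECASE)


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, and runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character drift from a real name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Finding:
    name: str
    verdict: str  # approved | near_miss | unknown | invalid
    detail: str


def vet_dependencies(requested: Iterable[str], approved: Iterable[str] = APPROVED_PACKAGES,
                     max_distance: int = 2) -> List[Finding]:
    """Classify each model-suggested dependency before any install command sees it."""
    allowed = {normalize(p) for p in approved}
    findings = []
    for raw in requested:
        name = raw.strip()
        if not _NAME_RE.match(name):
            findings.append(Finding(raw, "invalid", "not a valid PEP 508 project name"))
            continue
        norm = normalize(name)
        if norm in allowed:
            findings.append(Finding(raw, "approved", "present in allowlist"))
            continue
        closest = min(allowed, key=lambda p: edit_distance(norm, p))
        dist = edit_distance(norm, closest)
        if dist <= max_distance:
            findings.append(Finding(raw, "near_miss",
                                    f"{dist} edit(s) from approved '{closest}'; likely typo or hallucinated variant"))
        else:
            findings.append(Finding(raw, "unknown",
                                    "not in allowlist; a name that does not exist yet can be registered by an attacker"))
    return findings


def install_plan(requested: Iterable[str]) -> Tuple[List[str], List[Finding]]:
    """Split suggestions into what may be installed and what must go to a human reviewer."""
    findings = vet_dependencies(requested)
    return ([f.name for f in findings if f.verdict == "approved"],
            [f for f in findings if f.verdict != "approved"])
```

In a pipeline this runs as a pre-install step on the model's proposed requirements; the near-miss bucket is the one worth alerting on, because a name one edit away from a real package is exactly what an attacker pre-registers.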
Cloud breaches are increasingly driven by authorized access, not exploits. By 2026, attackers will move laterally across SaaS platforms using OAuth grants, integration accounts, and stolen tokens, bypassing traditional security controls. This session examines SaaS-to-SaaS lateral movement as an emerging breach pattern and provides practical detection and prevention strategies. Attendees will learn how to identify risky permissions, monitor abuse, and redesign integrations without disrupting business operations.
An AI agent just provisioned $50,000 in cloud infrastructure using valid OAuth tokens and authorized API scopes.
You gave it billing:read to analyze costs. It called the pricing API (authorized), retrieved payment methods for cost calculations (authorized), identified optimization opportunities (authorized), then executed the changes with its compute:write scope (also authorized). Each API call passed. The token was valid. The scopes checked out.
But you authorized it to analyze, not provision. The authorization system never asked: should these specific API calls happen together? Should this agent execute changes, or just recommend them?
This is the authorization gap. Traditional OAuth validates requests, but agents create sequences. They chain legitimate calls into outcomes you never intended. Each step might be authorized, but the combination exceeds what you meant to allow.
A one-time check at the gateway, authenticating the token and validating its scopes, isn't enough anymore.
This session presents a four-layer continuous authorization framework for autonomous agents. You'll learn how to track both human intent and agent actions separately, filter tools based on runtime context, bind permissions to specific operations with transaction tokens, and enforce controls the agent can't circumvent.
If you're building or securing AI agents, this framework shows you how to authorize behavior, not just access.
Note: This session does not promote any product or service. It’s focused entirely on industry challenges and practical best practices.
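The four layers the abstract lists can be shown end to end with the scenario it opens with. The code below is an added example written for this page, not the speakers' framework or any product's implementation; the intent names, operation names, tool catalog, forbidden-sequence pairs and the signing key are all assumptions chosen for illustration. The gateway never consults the agent's OAuth scopes: the human's intent is recorded first and bound to a concrete operation set, the agent only sees tools that set permits, every call must carry a short-lived HMAC-signed transaction token, and the gateway (which the agent cannot modify) rejects both operations outside the intent and individually-allowed operations that form a forbidden sequence within one transaction.

```python
import base64, hashlib, hmac, json, time
from dataclasses import dataclass
from typing import Optional

# Constructed scenario from the abstract: the agent holds billing:read and compute:write
# scopes, so each API call passes a scope check. This gateway never looks at scopes;
# it authorizes the transaction the human actually approved.

GATEWAY_KEY = b"example-transaction-token-key"  # assumption: held by issuer and gateway only

# Layer 1: human intent, recorded before the agent runs and bound to concrete operations
# rather than scopes. Intent, operation and tool names are illustrative.
INTENT_OPERATIONS = {
    "analyze_costs": {"pricing.get", "payment_methods.list", "recommendation.create"},
    "apply_changes": {"pricing.get", "payment_methods.list", "compute.resize", "compute.create"},
}
# Layer 2: sequence policy, (earlier, later) pairs forbidden inside one transaction even
# though the intent permits each operation on its own.
FORBIDDEN_SEQUENCES = {("payment_methods.list", "compute.create"),
                       ("payment_methods.list", "compute.resize")}
TOOL_CATALOG = {"get_pricing": "pricing.get", "list_payment_methods": "payment_methods.list",
                "write_recommendation": "recommendation.create",
                "resize_instance": "compute.resize", "create_instance": "compute.create"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sign(body: str) -> str:
    return _b64(hmac.new(GATEWAY_KEY, body.encode(), hashlib.sha256).digest())


def issue_transaction_token(intent: str, approver: str, ttl_seconds: int = 300,
                            now: Optional[float] = None) -> str:
    """Layer 3: bind the approved intent to a short-lived, HMAC-signed transaction token
    carrying the operation set; a scope-rich OAuth access token buys nothing at the gateway."""
    if intent not in INTENT_OPERATIONS:
        raise ValueError(f"unknown intent: {intent}")
    now = time.time() if now is None else now
    payload = {"txn": hashlib.sha256(f"{intent}:{approver}:{now}".encode()).hexdigest()[:16],
               "intent": intent, "approver": approver,
               "ops": sorted(INTENT_OPERATIONS[intent]), "exp": int(now + ttl_seconds)}
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    return f"{body}.{_sign(body)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if signature and expiry check out, else None."""
    body, _, sig = token.partition(".")
    if not sig or not hmac.compare_digest(sig, _sign(body)):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    now = time.time() if now is None else now
    return None if now >= payload["exp"] else payload


def visible_tools(token: str, now: Optional[float] = None) -> list:
    """Layer 2 at runtime: expose only tools the transaction permits. This is a usability
    control, not the enforcement point; a fabricated tool call still hits the gateway."""
    payload = verify_token(token, now)
    return [] if payload is None else sorted(t for t, op in TOOL_CATALOG.items() if op in payload["ops"])


@dataclass
class Decision:
    allowed: bool
    reason: str


class Gateway:
    """Layer 4: enforcement point between agent and APIs. It owns the policy and the
    per-transaction history, and the agent has no handle on either."""

    def __init__(self) -> None:
        self._history = {}  # txn id -> operations already executed

    def authorize(self, token: str, operation: str, now: Optional[float] = None) -> Decision:
        payload = verify_token(token, now)
        if payload is None:
            return Decision(False, "invalid, tampered or expired transaction token")
        if operation not in payload["ops"]:
            return Decision(False, f"{operation} is outside intent '{payload['intent']}'")
        seen = self._history.setdefault(payload["txn"], [])
        for earlier in seen:
            if (earlier, operation) in FORBIDDEN_SEQUENCES:
                return Decision(False, f"{earlier} then {operation} is a forbidden sequence")
        seen.append(operation)
        return Decision(True, "allowed")
```

With an analyze_costs token the agent can read pricing and payment methods but its compute.resize call is refused, which is the $50,000 gap from the abstract closed at the gateway rather than in the prompt. With an apply_changes token, listing payment methods and then resizing is refused as a sequence even though the intent permits both operations, and a token whose signature or expiry fails is refused regardless of what scopes the agent's access token carries.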
More assets, more vulnerabilities, but no more headcount. As the founding engineers (now leaders) of our organization's vulnerability management program (Cloud Security, Infrastructure Security and Application Security), we share the mistakes we made, the lessons we learned, and how we scaled to meet modern risks without extra headcount: replacing noisy "triage everything" with targeted risk-based triage, embedded remediation, and automation that actually works.
Changes in data storage technologies, new Federal and State data privacy regulations, and other factors have created an urgent need for effective electronic records destruction practices.
In late 2022, the SEC fined Morgan Stanley $35 million for failure to protect customer data directly related to ineffective disposal processes.
This session will detail the specifics of these changes and how organizations can protect themselves from huge financial liabilities.
Having a defined data destruction strategy not only helps protect the environment but also ensures that terabytes of stored data on the hardware are completely and permanently deleted.
This session will discuss:
· a legally compliant electronic records destruction policy
· effective data destruction methods
· degaussing, dismantling, and refining
· documentation and reporting
· hardware and software vendors
This presentation and its corresponding white paper tell the story of taking a $25B financial institution (currently $70B) from being a cybersecurity liability to being ranked among the top 10 most secure financial institutions in the United States, using CMM modeling, scorecards, and an active review strategy.
Security decisions aren’t made in a vacuum. They’re shaped by mental shortcuts, outdated assumptions, and pressure to move fast. Biases like anchoring, availability, and confirmation bias distort risk assessments and drive reactive strategies. This session explores how these traps influence policies, controls, and standard work, and how to replace them with data-driven clarity. Whether maturing a SOC, advancing Zero Trust, enabling AI, or leading cloud transformation, you’ll gain practical tools to shift from reactive defense to proactive, trust-centered security.
Post-quantum risk is no longer theoretical. By 2026, organizations must prepare for cryptographic failure driven by harvest-now-decrypt-later threats, SaaS dependencies, and long-lived data exposure. This session provides a practical, enterprise-tested approach to crypto agility, focusing on discovery, prioritization, hybrid migration strategies, and third-party realities. Attendees will learn how to operationalize post-quantum readiness without disrupting identity, cloud, application, or critical infrastructure environments.