RVAsec 14 Video: Kyle King – AI: Who’s watching whom?

RVAsec 2025 Video: Kyle King
Security Engineering Manager – Check Point Software Technologies Ltd.

Title: AI: Who’s watching whom?
Artificial Intelligence (AI) has intersected with cybercrime and cybersecurity in a way that forces organizations to leverage the technology in order to benefit the industry while at the same time understanding how to protect against AI-based threats. How will your organization use AI safely and securely?


RVAsec 14 Video: Christina Johns – Look Ma, No IDA! Malware Analysis Without Reverse Engineering

RVAsec 2025 Video: Christina Johns
Principal Malware Analyst – Red Canary

Title: Look Ma, No IDA! Malware Analysis Without Reverse Engineering
Do you think malware analysis is out of your reach because assembly code looks like reading the matrix? Fear not, this talk will convince you that learning assembly code is not the best place to start your malware analysis journey. For starters, the modern malware landscape is diverse and malicious code isn’t always compiled into assembly. Not every use case for malware analysis requires a deep dive and there are many great tools and services that provide information about a malware sample you can build your analysis on.

If you work as an incident responder, detection engineer, threat hunter, or intel analyst, you probably already do some malware analysis but don’t realize it. And if you don’t but would like to, this talk will discuss the tools and knowledge you should focus on first before embarking on grokking the Intel x86 manual.


RVAsec 14 Video: Dan Holden – CISO Of 2030 (a sequel of CISO of 2025)

RVAsec 2025 Video: Dan Holden
CISO – BigCommerce

Title: CISO Of 2030 (a sequel of CISO of 2025)
The role of the CISO has never been more critical—or more complex. Six years after my original predictions, the cybersecurity landscape has shifted under the weight of evolving regulatory scrutiny, rising boardroom expectations, and the explosion of third-party risks. But there’s a new force at play: businesses are driving security forward through peer accountability, applying market pressure to elevate standards across the ecosystem.

In this session, we’ll explore the major forces shaping modern security programs, revisit past predictions to uncover lessons learned, and share insights into how CISOs are influencing strategy at the highest levels of organizations. Looking ahead to 2030, we’ll discuss how leaders must balance compliance, operational resilience, and innovation to meet the challenges of a hyper-connected world. Join me as we reflect on where we’ve been and chart a path toward the next era of cybersecurity leadership.


RVAsec 14 Video: Ben Haynes – Why There is No Casino Night at RVAsec This Year (Sorry)

RVAsec 2025 Video: Ben Haynes
Data Science & Analytics Lead – Flashpoint

Title: Why There is No Casino Night at RVAsec This Year (Sorry)
Every year, RVAsec hosts an after-party to close out the first day of talks at the conference. For the last two years, that nightly entertainment has been CASINO NIGHT, an opportunity to bet fake money on games of chance in order to win some very real prizes. Unfortunately, through some fault of my own, Casino Night will not be returning this year.

Join me for a retrospective of the last two Casino Nights: what went right, what went wrong, how systems (and people) can be gamed, how to adapt to new information, how I managed to win numerous prizes, and more. We will discuss how to harness game theory, social engineering, statistics, and other things that will get you kicked out of a normal casino.


RVAsec 14 Video: Olivia Gallucci – Unlocking macOS Internals: A Beginner’s Guide to Apple’s Open Source Code

RVAsec 2025 Video: Olivia Gallucci
Senior Security Engineer – SECUINFRA

Title: Unlocking macOS Internals: A Beginner’s Guide to Apple’s Open Source Code
Have you ever wondered how macOS works under the hood? For researchers, learning how to navigate Apple’s open source code is a game-changer. This talk demystifies macOS internals through its open source ecosystem, giving you everything you need to start hacking these machines!


RVAsec 14 Video: Matthew Fisher – The Lazy Pentester’s Guide to Coasting Through Internals

RVAsec 2025 Video: Matthew Fisher
Penetration Tester – StackTitan LLC

Title: The Lazy Pentester’s Guide to Coasting Through Internals
It’s been said that nobody wants to work anymore, and pentesters are certainly no exception to this rule. Internal pentests can be hard, time-consuming drudgery. Pentesters may spend hours scanning hosts, looking for open ports and exploitable services, only to find themselves with little time left to exploit anything, and a lack of focus on where to begin.

What if there was a better, more efficient way? What if there was an 80% solution that will have you traipsing around the network with elevated privileges and creds in hand, requiring a fraction of the time and effort, using tools you’re already using?

In this talk we’ll cover multiple proven methods for obtaining creds, gaining footholds, and just generally wrecking up the place that are quick, relatively painless, and will leave you owning a client’s network fast.


RVAsec 14 Video: Jeremy Dorrough – How to Win Budgets and Influence Stakeholders: Articulate Cyber Value to Non Technical Audiences

RVAsec 2025 Video: Jeremy Dorrough
Client Director – Consortium

Title: How to Win Budgets and Influence Stakeholders: Articulate Cyber Value to Non Technical Audiences
Limited budgets are a reality we all must live with. Security tools are getting pricier, and management is demanding stronger justifications for every dollar spent. Often, we in cyber struggle to explain the return on investment for all this security technology. Risk management frameworks and heat maps are not the saving grace they are made out to be. We as cyber professionals need to be fluent in financial discussions to guide the business toward informed decisions. I’ll walk you through some proven methods to bridge the communication gap between security and the business.


RVAsec 14 Video: Christopher Cruz – Hacker, Hipster, Hustler, Humanist: Establishing the Government’s Role in Public Interest Cybersecurity

RVAsec 2025 Video: Christopher Cruz
Cyber Program Manager – Virginia Fusion Center

Title: Hacker, Hipster, Hustler, Humanist: Establishing the Government’s Role in Public Interest Cybersecurity
Public interest cybersecurity is the application of cybersecurity measures and strategies to protect critical infrastructure, non-profits, state & local governments, schools, healthcare facilities, and other institutions that primarily seek to serve the public good.


RVAsec 14 Video: Caleb Crable – SPF Shadowing: Give old services a chance to shine

RVAsec 2025 Video: Caleb Crable
Staff Security Engineer – Red Team – Bill.com LLC

Title: SPF Shadowing: Give old services a chance to shine
In a world where Sender Policy Framework is meant to provide a first or second line of defense against impersonation and phishing, we instead find ourselves barely paying attention to it. Even after the MailChannels vulnerability was disclosed and thousands of companies found they could be impersonated via email through a service they paid thousands of dollars for, word really didn’t spread like it should have. Many domains are set and forget, from personal domains to Fortune 500s, and I am going to take you on a journey where we use the forgotten for fun and profit.


RVAsec 14 Video: Nick Copi – Following The JSON Path: A Road Paved in RCE

RVAsec 2025 Video: Nick Copi
AppSec Engineer – CarMax

Title: Following The JSON Path: A Road Paved in RCE
Dive into researching JavaScript implementations of JSON path libraries, breaking out of JavaScript sandboxes, achieving code execution, and examining the blast radius of impacted components. This talk covers both the research process for the discovery of these novel vulnerabilities and footguns, as well as the process for identifying the blast radius, weaponizing the vulnerabilities against actual targets, and engaging impacted stakeholders. Join me to hear a harrowing tale of remote code execution in several widely used products, CVE assignments, and critical bounty payouts.