BSidesPDX-2025

Alec (@brathadair) is a cyber-physical systems (CPS) security researcher specializing in Electromagnetic Spectrum Operations (EMSO), with extensive experience in drone-based Red Air engagements. He currently serves as a Security Consultant at SpookSec and was previously the Lead Offensive Security Engineer at Phoenix Technologies. He holds several certifications, including DSOC, DOCP, CSVA, CBBH, CDFP, OSWP, and FAA Part 107.

Aleks is a security researcher with a primary focus on finding memory corruption vulnerabilities in widely used server-side and client-side software.

Aleks’ previous published research topics have included fuzzer augmentation techniques, mitigation bypass techniques, and Internet-wide vulnerability scans. In his spare time he likes to tinker with devices around him and has previously published writeups of his reverse engineering efforts of useless cameras, obsolete car systems and x-ray imaging.

I’m Anoop Nadig, a security engineer with seven years of experience. I specialize in Cloud and Application security, with professional interests in automation, threat modeling, and “shift-left” practices.

Outside of work, you’ll often find me on a hiking trail, at a live concert, or supporting security conferences and community initiatives.

Ashish Kurmi is the CTO and co-founder of StepSecurity, a cybersecurity startup securing CI/CD pipelines against supply chain attacks. Before StepSecurity, he was with Microsoft Corporation, Uber Technologies, and Plaid Inc. in security leadership roles. He primarily worked with software developers at these companies to understand their security pain points and built security systems to remediate security issues at scale. He has 15 years of experience in security and software engineering.

Ashish has previously spoken at several conferences such as BlackHat USA, (ISC)2 Security Congress, and Open Source 101.

BSidesPDX 2025 Organizers

Room at the back of Talk 1

Brian Myers (PhD, CISSP) has 20+ years of experience spanning software development and information security. He built the first application security program at WorkBoard and served as HIPAA Security Officer at WebMD Health Services, helping them achieve HITRUST certification. As an independent consultant, he assists organizations with SOC 2, HIPAA compliance, and secure development practices. He regularly speaks at security conferences about practical approaches to security implementation and governance

More at https://safetylight.dev

I'm an independent security researcher & privacy advocate. Over the last 7 years, I've reviewed and given public comment on all of Seattle's official surveillance technologies. I've worked closely with the Seattle Community Surveillance Working Group. I've also organized with various local non-profits and grassroots groups participating in the Seattle Surveillance Ordinance process and on state-level legislation spanning: civil liberties, data privacy, digital IDs, automated decision systems, right to repair, and other bills.

CTF Room

Chloe Tucker is an intelligence-driven information security professional with a focus on learning experience design. As a hybrid human risk and threat intelligence specialist, she spends most of her time trying to understand who's doing what, when, why, and how. She's designed & facilitated over 35 exercises in the past 3 years and is passionate about meeting people where they're at, facilitating conversations, and drinking tea. She also has a smattering of certifications (CISSP, GCTI, GCIH, GSEC).

Corey Ball is the author of Hacking APIs and founder of APIsec University a completely free learning platform with over 120,000 students. He was the winner of the SANS Difference Makers Award for book of the year. With over 15 years of experience in IT and Cybersecurity, Corey now leads penetration testing as the CEO of hAPI Labs.

Corey has been in the Information Security space for over 20 years and building software applications even longer. He spent years on the east coast as a principle security consultant with the Interpidus Group before joining the in-house security teams at places like Etsy and Simple. He spent 6 years at a unicorn tech company becoming their Director of Product Security. Currently living on the Oregon Coast, he enjoys tinkering with PCB designs in KiCad, signing off-key punk songs with his son, and trying to convince people that video games can be art.

Corey has previously presented at BlackHat, CanSecWest, Yandex, and BSidesRoc.

Cory Solovewicz spent over a decade as a full-stack web developer before realizing breaking things was even more fun than building them. During COVID, he made the jump to the dark side (legally), and has spent the past four years as a cyber security consultant hacking web apps, APIs, mobile apps, and the occasional thick client.

When he’s not poking at authentication logic or accidentally discovering new ways companies leak personal data, he’s racing bikes, going on long walks with his awesome partner, or hacking random gadgets in his free time. He's passionate about digital privacy, human error, and making security just a little more relatable (and a lot more fun).

contact@cory.so

Cristian Fiorentino is a Systems Engineer with over 20 years of professional experience in designing, building, and securing enterprise distributed systems. He specializes in cybersecurity and security detection systems, with a career spanning app-sec, security validation and architecture, as well as incident handling, automation and threat detection.

As an enthusiast of artificial intelligence, he is particularly interested in the intersection of AI and security, exploring how agentic systems and large language models can enhance detection, response, and resilience.

Ashley is a Senior Security Solutions Engineer at Censys, where she
specializes in finding things on the internet that really shouldn’t be
on the internet (spoiler: you know it’s everything). Her research has
uncovered IoT botnets hiding in your “totally legitimate” streaming
boxes, pig-butchering scam infrastructure masquerading as romance, and
entire threat actor clusters that probably wish she’d just stop
looking at the internet on the weekends.

When not teaching students how to blue team, red team, or “please stop
clicking on that link” team, Ashley moonlights as a professional cat
herder at BSides Las Vegas SafetyOps as the Chief Security Officer and
BSides Albuquerque: wrangling volunteers, laptops, and chili-themed
challenge coin designs all in the same day.

She has worn many hats: Army Taekwondo competitor, Army Band musician,
SOC analyst, Palo Alto trainer, Google Cloud wrangler, WWE fanatic,
and n00b security researcher (ask her about the latest exploits in
breaking her own lab builds). If it's a device that seems too good to
be true, it probably is and she’s likely researching it.

Come for the IoT horror stories, stay for the leggings.

Darin is a security research leader at Cisco Talos, focused on mentorship, security management, cloud native security research and detection engineering. Former affiliations include Amazon, the FBI, UC Davis and King's College London. In his spare time he loves playing music, hiking and travelling.

David Lu is a Senior ML Threat Operations Specialist at HiddenLayer, focusing on ML red teaming exercises, adversarial ML instruction, and the development of security ontologies. With 8 years of experience in security research, David also brings over a decade of academic expertise, having taught computer science at Portland State University and philosophy at Syracuse University. His interdisciplinary background uniquely positions him at the intersection of AI/ML security and ethical technology development.

Dean Pierce is a security researcher from Portland Oregon.

Derron Carstensen is a cybersecurity architect with over 20 years of hands-on experience across network security, cloud security, offensive security, and Zero Trust architecture. His career spans roles in security engineering, penetration testing, and most recently, leading secure access and Zero Trust initiatives for complex enterprise environments. Derron specializes in Secure Access Service Edge (SASE) deployments, ZTNA validation, and building adversary-informed testing frameworks that bridge the gap between marketing promises and real-world security enforcement. He’s passionate about helping both defenders and assessors make evidence-based decisions in the face of growing vendor noise.

Emily is the CEO and co-founder of Clearly AI, a YC-backed startup automating security and privacy reviews based in Seattle. Previously, she oversaw application security for Amazon's Alexa AI organization and owned data security and privacy at Moveworks (an enterprise AI assistant).

Falcon (MBA, M.Sc., B.Acc.) is an infosec generalist currently managing product security at Aiven.io, and has over a decade of purple team experience at dozens of firms across a variety of industries. He does systems work, whether the systems are human or computer, and is as at home setting up a security program as figuring out how to verify application code, show immunity to an attack class, or model attackers across the value chain. He will be starting a PhD this winter at Dartmouth working on practical applications for LangSec.

Fevin George is a Senior Security Engineer on the Detection and Response Team at Remitly, where he focuses on building and refining detections, leading incident response, and driving proactive threat hunting initiatives across cloud-native infrastructure. With a background in digital forensics and incident response (DFIR), Fevin has investigated over 400 ransomware, insider threat, APT/nation-state intrusion, and cloud breach cases during his time as a Senior Consultant at Charles River Associates. His work also included supporting ransomware negotiations and advising clients across healthcare, finance, education, and technology sectors.

Fevin holds a Master’s degree in Cybersecurity from the University of Maryland and a Bachelor’s in Computer Engineering from the University of Mumbai. He is a GIAC Certified Forensic Analyst (GCFA), Offensive Security Certified Professional (OSCP), and a recipient of the SANS Lethal Forensicator Coin.

Garrett Foster is an offensive security researcher with over 6 years of experience in information technology. He has conducted successful engagements against organizations that include the finance, healthcare, and energy sectors. Garrett enjoys researching Active Directory and developing offensive security tools. His background also includes roles as a Security Operations Center Analyst and Systems Administrator.

James is a web/cloud penetration tester at Anvil Secure, based in Seattle. His research interests include API security, hardware hacking, and abuse cases. He spends too much of his free time in Grand Theft Auto Online, where the hacking minigames are much easier than his day job.

Jason is Director of Adversarial Research at HiddenLayer, where he explores how the latest AI security research intersects with practical application. Jason was amongst the earliest researchers to recognize the need for AI security, founding the Secure Intelligence Team in Intel Labs in 2016 to research AI security and privacy threats and defenses. For 20+ years Jason has covered such diverse security topics as CPU microcode, authentication and biometrics, trusted execution environments, wearable technology, and network protocols, resulting in over 40 issued patents and several high profile research papers in adversarial machine learning and federated learning. When he’s not working Jason is either lost in the Pacific Northwest camping and hiking with his family; or he is lost in a technical project involving 3D printing, microcontrollers, or designing holiday lighting displays synchronized to music.

I teach cybersecurity at Lewis & Clark. My certifications include SANS/ GIAC Certified Intrusion Analyst (GCIA), Penetration Tester (GPEN), Incident Handler (GCIH).
Collaborators include Richard Weiss (Evergreen State), Jack Cook, Taylor Wolff, Ishan Abraham, Ryder Selikow, Julia Scott, Joseph Granville, and Justin Wang.

Jesse is an experienced security researcher focused on vulnerability detection and mitigation
who has worked at all layers of modern computing environments from exploiting worldwide
corporate network infrastructure down to hunting vulnerabilities inside processors at the
hardware design level. His primary areas of expertise include reverse engineering embedded
firmware and exploit development. He has also presented research at DEF CON, Black Hat,
PacSec, Hackito Ergo Sum, Ekoparty, and BSides Portland.

João Moreira is a systems security researcher passionate about compilers, OS internals, and digging deep into low-level bugs. At Microsoft, he works on securing cloud infrastructure by reviewing service designs, building secure architectures, and developing defenses against emerging threats. Prior to Microsoft, João worked at Intel, SUSE Linux, and spent time in academia, where he focused on low-level systems topics like control-flow integrity and binary live patching. His research was presented at conferences such as Black Hat Asia, the Linux Plumbers Conference, and the Linux Security Summit. Every now and then, João contributes to open-source projects like the LLVM compiler and the Linux kernel. More recently, he’s been trying to figure out this AI thingy — but he still struggles to write short conference bios with the help of chatbots.

Joe FitzPatrick (@securelyfitz) is an Instructor and Researcher at SecuringHardware.com. Joe has spent most of his career working on low-level silicon debug, security validation, and penetration testing of CPUs, SoCs, and microcontrollers. He has spent the past decade developing and delivering hardware security related tools and training, instructing hundreds of security researchers, pen testers, and hardware validators worldwide. When not teaching Applied Physical Attacks training, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects, which he regularly presents at all sorts of fun conferences.

I am a vulnerability researcher/reverse engineer focused on embedded devices. I love playing CTFs and teaching interesting topics to people.

I am currently the CIO at the Washington State Department of Natural Resources. I have spent the majority of my career in state IT, from Operations to Security and now management. I was born and raised in the PNW, have two kids, two dogs, a cat and a husband.

Mark Esler works on software supply chain security, vulnerability disclosure, and system hardening.

Matt Durrin is the Director of Training and Research at LMG Security and a Senior Consultant with the organization. He is an instructor at the international Black Hat USA conference, where he has taught classes on ransomware and data breaches. Matt has conducted cybersecurity seminars, tabletop exercises and classes for thousands of attendees in all sectors, including banking, retail, healthcare, government, and more. He is also the co-author of a new book, Ransomware and Cyber Extortion: Response and Prevention. A seasoned cybersecurity and IT professional, Matt specializes in ransomware response and research, as well as deployment of proactive cybersecurity solutions. Matt holds a bachelor’s degree in computer science from the University of Montana, and his malware research has been featured on NBC Nightly News.

I’m an information security engineer, a software engineer, an investigative data journalist, and an author. I use he/him pronouns, and my name is pronounced “my-kah.”

I started the Lockdown Systems Collective where I help develop an open source app called Cyd that helps people claw back their data from Big Tech.

I worked for The Intercept for a decade, where I was director of information security. I also used to work as a staff technologist at Electronic Frontier Foundation, and I helped co-found Freedom of the Press Foundation. I did opsec for journalists while Edward Snowden was leaking NSA docs to them.

I’m the author of “Hacks, Leaks, and Revelations: The Art of Analyzing Hacked and Leaked Data”, a hands-on book that teaches journalists, researchers, and activists how download, research, analyze, and report on datasets. (No prior experience required.)

I develop open source security tools like OnionShare and Dangerzone. You can check out my GitHub activity here.

Mickey has been involved in security research for over a decade, specializing in breaking down
complex concepts and identifying security vulnerabilities in unusual places. His experience spans a
variety of topics, which he has presented at security conferences worldwide. His talks have covered
areas ranging from web penetration testing to the intricacies of BIOS firmware.

Mike works in Municipal Government IT, and has over 25 years of varied tech jobs under his belt ranging from end-user and application support to systems administration, patch management and cybersecurity.

Mike's spare time is typically consumed with gaming with his kids, cybersecurity conferences, and referring to himself in the third person.

Naomi brings over a decade of expertise spanning software engineering, cybersecurity, and education leadership. She just graduated honors with her Master's in Cybersecurity and Leadership from the University of Washington, while conducting ethical bug bounty research. During her 5 years at Adobe as a Software Development Engineer, she built large-scale features and served on technical committees while becoming a seasoned speaker at international engineering conferences. Before transitioning to tech, Naomi taught English as a foreign language in local classrooms across Asia and with the Peace Corps in West Africa. She enjoys weekends outside in the mountains with her dog.

With over 14 years of global experience at the intersection of cybersecurity, emerging tech, and financial services, Neha is a recognized leader shaping the future of secure digital infrastructure. As Vice President of Cybersecurity Products at J.P. Morgan Chase, she drives innovation in cryptographic systems and quantum-safe architectures that safeguard the next generation of financial technology.

Neha’s career journey includes leading roles at industry heavyweights like Deloitte, EY, Accenture, NVIDIA, Flagstar Bank, and Bank of America, spanning multiple countries and domains. Her work now centers on preparing for the quantum era with a strong focus on Post-Quantum Cryptography (PQC), Quantum readiness, quantum-safe protocols, and the ethical, sustainable design of cryptographic systems that can withstand tomorrow’s computing power.

Beyond her corporate work, Neha actively advises startups, helping founders navigate the complex intersection of security, compliance, and product strategy. She’s passionate about making sure innovation in quantum and cryptography is not just cutting-edge, but responsible, resilient, and ready for real-world impact.

From securing today’s digital economy to building quantum-resilient systems for the future, Neha brings a visionary yet grounded perspective to cybersecurity one that’s deeply technical, future-facing, and driven by purpose.

Perri Adams is a fellow at Dartmouth’s Institute for Security Technology Studies (ISTS) and former Special Assistant to the Director at the Defense Advanced Research Projects Agency (DARPA), where she advised stakeholders at the agency and across the U.S. government on the next generation of AI and cybersecurity technology.

Prior to this role, Ms. Adams was a DARPA Program Manager within the Information Innovation Office (I2O), where, among other programs, she created the AI Cyber Challenge (AIxCC). A frequent speaker on both technical and cyber policy issues, her written work has been published by Lawfare and the Council on Foreign Relations. She has advised and collaborated with think tanks such as the as Carnegie Endowment for International Peace and Georgetown’s Center for Security and Emerging Technology. She is also an adjunct professor at the Alperovitch Institute at Johns Hopkins School of Advanced International Studies and served for two years on the organizing committee of the DEF CON CTF, the world’s premier hacking competition.

Ms. Adams holds a Bachelor of Science degree in computer science from Rensselaer Polytechnic Institute and is a proud alumna of the computer security club, RPISEC.

He/him, from Aberdeen WA. Married, parent, state govt employee in cybersecurity. Interested in gaming, trans rights, writing music, recovery, cooking, esports, feminism, running, pop science, knitting, and baking a really nice loaf of bread.

--

Rey is an 18-year-old security researcher who started out finding bugs and holes in websites at 15. He began attending local infosec meetups in Portland, Oregon—like RainSec and PDX2600—soaking up everything he could. After stumbling across a creepy surveillance device at his high school, he drifted into hardware security and reverse engineering. He’s determined to keep learning and digging deeper.

Richard Weiss has been at the Evergreen State College since 2005. He has a Ph.D. in mathematics from Harvard University. His research has included cybersecurity education, computer vision and robotics, applications of machine learning, computer architecture. He was a research faculty member in Computer Vision at the University of Massachusetts for 15 years.

Rowan is a Senior Security Engineer at Microsoft and previously worked at Intel as a fuzzing researcher. He also dabbles in security tooling as a hobbyist and as a writer. When not at the computer, you can find him at the skate park, on Mt. Hood, or on the rock wall.

Ryan is a Senior Infrastructure Engineer in aerospace who spends his days keeping critical systems running and his nights tinkering with homelab projects that definitely don't always work on the first try. After years in the public sector and nonprofits learning that uptime matters most when the people are your end users and networks span multiple sites, he recently made the jump to the private sector where the stakes are just as high but the scale is... different.

He believes in learning by doing, especially by taking the hard way, and is always happy to chat about the "why" behind the tech we use every day, things like: why containerization, IaC, or why your homelab really needs 10Gb, 25Gb, or hell 100Gb networking. Fixing your motorcycles or car wrong is also part of the same journey, don't discount how deep the rabbit hole goes.

Sherri Davidoff is the founder of LMG Security and the author of three books, including “Ransomware and Cyber Extortion” and “Data Breaches: Crisis and Opportunity.” As a recognized expert in cybersecurity, she has been called a “security badass” by The New York Times. Sherri is an instructor for Black Hat, where she serves on the Black Hat USA Review Board and trains security professionals from around the world. She is also a faculty member at the Pacific Coast Banking School, where she teaching bankers and regulators about cybercrime. She is a GIAC-certified forensic analyst (GCFA) and penetration tester (GPEN) and received her degree in computer science and electrical engineering from MIT.

Slava holds a general-level license for Amateur Radio. When away from Meshtastic and HF, he manages DevOps, SRE, and Cloud teams - or provides consulting services in these fields. He has two orange cats and by now is probably one himself. Either get him a beer or a job - he’s currently unemployed.

Stefan is a middle school student with curiosity for computer security that borders on an obsession with digital mayhem. When he's not in class, you can find him with a soldering iron and a keyboard. He got his start early diving deep into code, slinging Python, JavaScript, and GDScript, while also dabbling in C#. His proudest achievement to date? Getting his Flipper Zero banned from his middle school. He's excited to be at BSides PDX to learn from the best and share his own discoveries.

Steve Willoughby is a Senior Software Developer currently focused on observability in Go. He discovered Version 7 Unix while in high school and, apart from brief forays into VMS in college and failed attempts to hide from other operating systems, he’s been spending most waking hours tinkering on UNIX in one form or another, either writing software or administering systems. He lives in the Portland, Oregon area and keeps a vintage Altair 8800 and COSMAC Elf as pets. In his spare time, he runs a MUD game and creates microcontroller gizmos to make his Christmas lights flash in the most over-engineered way possible.

Travis Smith is the Vice President of ML Threat Operations at HiddenLayer where he is responsible for the services offered by the organization, including red-teaming machine learning systems and teaching adversarial machine learning courses. He has spent the last 20 years building enterprise security products and leading world class security research teams. Travis has presented his original research at information security conferences around the world including Black Hat, RSA Conference, SecTor, and DEF CON Villages.

Udochi Nwobodo is an Infrastructure and Product Security Engineer with over five years of experience securing large-scale systems at Adobe, Coinbase, and Juniper Networks. She has led efforts to design and deploy cloud security solutions, integrate security into product lifecycles, and build vulnerability management programs that scale with business needs.

Her work spans cloud, container, application security and modern detection engineering. Beyond technical execution, Udochi focuses on strategic impact: enabling teams to balance speed with security, aligning detection thresholds with business risk, and turning raw telemetry into meaningful decisions.

She holds a Master’s degree in Cybersecurity along with CISSP and CISM certifications. Udochi is passionate about bridging the gap between engineering and strategy, helping organizations move from reactive security to proactive resilience.

Will is the tech lead for detection and response at Databricks. His expertise lies at the intersection of threat detection and software engineering, specializing in detection engineering, attack simulation, and the practical applications of threat intelligence. Previously, Will drove detection and intelligence initiatives at Stripe, Datadog, and SecureWorks, where he played key technical leadership roles in shaping security strategies and mentoring teams. He has authored four patents in the cybersecurity space, and his research has been published in well-known academic journals, including IEEE Security & Privacy.

Wu-chang Feng is a professor at Portland State University where he focuses on applications of Generative AI in security.

Zachary Ezetta is a senior at Grant High School, network operator of AS214092, and the software lead for FIRST Robotics Competition Team 3636: Generals. He is also a former Intern for Portland State University's Department of Computer Science.

yltsi spends his time during business hours conducting product security research for a large technology company. Outside of that, he spends an overwhelming amount of time quenching his curiosity with web, mobile, game, and embedded security research for the spirit of the craft, as well as electronics reverse engineering and repair. He is a pro-gratis bug hunter and live hacking enthusiast, having taken 1st place in DistrictCon's inaugural Junkyard EOL PwNATHON competition in 2025 and given a talk at DEF CON Skytalks long ago.

Zach is the founder of Harbor's Edge Consulting LLC, where he focuses on offensive security consulting and helping organizations strengthen their overall security posture. With over seven years of experience in the security world, he has worked across red teaming, penetration testing, and advisory roles to help organizations better understand and defend against modern threats. Zach is passionate about bridging the gap between offensive techniques and defensive strategies, and he enjoys sharing practical insights with the broader security community.