Black Hat Europe 2025
Security conferences are everywhere, but in our industry they’re basically a seasonal migration. Most security engineers have at least heard of Black Hat[^ Black Hat: https://blackhat.com/], DEF CON[^ DEFCON: https://defcon.org/], RSA[^ RSA Conference: https://www.rsaconference.com/], CCC[^ Chaos Communication Congress: https://www.ccc.de/en/], AWS re:Inforce[^ AWS re:Inforce: https://reinforce.awsevents.com/], or Nullcon[^ Nullcon: https://nullcon.net/].
I’m no exception. I love going to conferences and try to attend at least one every year. Black Hat had been on my wish list for a while, but the ticket price kept pushing it down the priority list. Thanks to the generosity of my dear friend Kai, I finally secured a ticket for Black Hat Europe 2025[^ Black Hat Europe 2025 Official Website: https://blackhat.com/eu-25/].
In December, I flew to London for the first time and joined hundreds of security people who had travelled from all over for a multi-day, multi-track event. Over three days (9–11 December), I caught up on new tools, learned about exciting research, and did my best to dodge sales pitches.
Black Hat Europe packs in trainings, summits, and briefing days across the event. The 2025 edition included three summits (Executive, AI Security, and Financial Services Security) which took place on 9th December. My ticket provided me with access to the Financial Services Security Summit and the briefing days, so that’s where this story will focus (plus a few side-quests: the Business Hall, Arsenal, and whatever else I stumbled into at ExCeL London).
Now that it’s behind us, I’m going to share what it was like: the highlights, the oddities, the things I learned, the tools that stood out, and the little tidbits you only pick up by wandering conference corridors for long enough.
The Financial Services Security Summit
The Financial Services Security Summit[^ Financial Services Security Summit Overview: https://blackhat.com/eu-25/financial-summit.html#overview] is a one-day event that took place on the 9th of December (at the same time as the other summits). The day is full of sessions, panels, and discussions focused on emerging threats, innovations, and cutting-edge technologies that are core to the financial sector's security and resilience. As someone who works for a major financial company, I found this event relevant, and it provided me with loads of new knowledge, interesting insights, and questions to explore further once I was back home. Here are a few of the talks that resonated with me.
Massimo Bertocchi discussed Linux packers and fileless malware as a serious threat to financial institutions. He presented a case study of the Lazarus APT group's ThreatNeedle malware and an analysis of the hARMless ARM64 ELF packer/loader system, which illustrated the evasion capabilities employed in contemporary threats. The talk left many wondering if their current detection and response capabilities are up to the challenge, and with some further homework to do once we were all back at our day-to-day jobs.
Roi Panai and Maor Shaybet gave a talk titled From Stolen Keys to Root: How Attackers Move in AWS (and How to Stop Them) that delved into the various ways attackers leverage successful initial access to move deeper into AWS environments, compromise more services, elevate privileges, and cause bigger problems for organizations.
Jaap Van Oss discussed the ever-evolving cyber threat landscape, stressing the importance of sharing threat intelligence. He demonstrated how to do that using real-world examples, with a clear message: share intelligence, but prioritise what people can actually act on.
My favourite talk, though, is the one delivered by Joe Rooke right before the closing remarks for the summit. The talk, titled The Convergence of Ransomware and Nation-State Threats: Protecting Financial Services from AI-Powered Social Engineering, offered a rich and focused peek into the current state of affairs of ransomware and nation-state actors.
My favourite (and most concerning) part was the run-down of how North Korean IT workers are infiltrating organizations around the world. So many threat actors, so many ingenious methods and strategies, and the cat-and-mouse game keeps going.
The Briefings (aka Sessions)
A quote that kept jumping into my mind as I rushed between halls, rooms, and open-air lounges is the one from Frank Zappa where he says, “So many books, so little time.” It is aptly put and rather relevant to my experience during the two days of briefings.
The schedule[^ Briefings Schedule: https://blackhat.com/eu-25/briefings/schedule/index.html] is packed with interesting and intriguing topics, but we can't have our cake and eat it too, so I had to make some hard choices when picking which session or talk to attend and which one to skip. Let's say I learned some valuable lessons on better planning next time and leave it at that.
To make it easier for people to find talks or panels that are aligned with their interests, the schedule is split into numerous tracks (think AI/ML, Cloud Security, Cryptography, etc.) and one could filter the schedule using whichever track they wanted to attend.
Keynote: Who Gets to Point Fingers? Technical Capacity and International Accountability
I am very fond of AI/ML, cloud security, mobile security, and application security, and this was vividly reflected in my choices throughout the two days. Here are some of the interesting talks and panels I attended:
From Script Kiddie to Cyber Kingpin: Preventing the Predictable Progression: Joe Tidy took the stage first thing on Thursday and delivered a fantastic, deep, and reflection-inducing keynote telling the story of the cruellest hack in history and what it can tell us about the pathway to cybercrime. The first thing I did after going back to my hotel room was to jump head-first into his book[^ Ctrl+Alt+Chaos: How Teenage Hackers Hijack the Internet: https://eandtbooks.com/books/ctrlaltchaos/]. Falling asleep was a struggle, as every page made me want to read the next one. You should definitely check it out too.
Designing the Regulatory Details for the Cyber Security and Resilience Bill: This is one of two panels I attended, and it was an eye-opening one for me. It was a frank and open discussion on the Cyber Security and Resilience Bill, which is set to replace the UK's existing Network and Information Systems Regulations of 2018. The panel was meant to give attendees an opportunity to discuss and influence the secondary legislation, and I think it achieved that goal nicely and productively.
Breaking The Rails: Taking Control Over Legacy And ERTMS/ETCS Railroad Signalling Systems: Every security conference has a few mind-blowing talks that make everyone shudder for a moment as they ponder the real-life consequences. Well, this talk certainly falls into that category. David Melendez and Gabriela Garcia presented[^ Breaking The Rails Slides: https://i.blackhat.com/BH-EU-25/eu-25-Melendez-Breaking-the-rails.pdf] their work researching, evaluating, and investigating security vulnerabilities affecting railroad signalling systems, some of which can be exploited using cheap or even hand-made hardware.
Token Injection: Crashing LLM Inference With Special Tokens: Pengyu Ding and Ziteng Xu introduced[^ Token Injection Slides: https://i.blackhat.com/BH-EU-25/eu-25-Ding-Token-Injection-Crashing-LLM-Inference-With-Special-Tokens-final.pdf] a new token injection attack model that uses a single specially crafted prompt to trigger uncaught exceptions, cause denial of service, or outright crash the entire party (aka full-service crash). The researchers tested their attack against major LLM inference frameworks and platforms; you can guess the findings from these tests.
Unsafe Code Detection Benchmark: Stress-Testing SAST And LLMs On Modern Web Backends: Andrew Konstantinov and Irina Iarlykanova presented[^ Presentation for Unsafe Code Detection Benchmark: https://i.blackhat.com/BH-EU-25/eu-25-Konstantinov-UnsafeCodeDetectionBenchmark.pdf] their work on building the Unsafe Code Detection Benchmark, "a reproducible way to score both SAST and LLMs on intentionally vulnerable, minimal micro-apps across today's web frameworks." Two things surprised me. The first was that, in their default configuration and when looking for issues common in modern stacks, LLMs outperformed leading SAST tools. The second was that, using custom framework-aware rules, SAST tools outperformed the LLMs, showing why custom SAST rules remain a rather important part of any organization's security tool chest.
Nation-Scale SecOps: How CERT PL Scans Poland: In this fun and engaging talk[^ Nation-Scale SecOps: Presentation Deck: https://i.blackhat.com/BH-EU-25/eu-25-Zajac-Nation-Scale-Sec-Ops.pdf], Krzysztof Zając from CERT PL shared a simple yet highly effective initiative they undertook at CERT PL to give public and private entities in Poland the tools to scan their assets for vulnerabilities, along with the lessons they learned along the way. Krzysztof also shared Artemis[^ The Artemis Security Scanner: https://cert.pl/en/posts/2024/01/artemis-security-scanner/], an open-source tool they built to achieve that exact purpose. I wholeheartedly applaud their work and hope other CERTs follow suit.
These are mere drops in a deep pond full of interesting talks about numerous security topics. For brevity, I didn't mention all the talks or panels I attended, but I highly recommend you browse the schedule page, check out the slide decks for the talks you find interesting, and watch the recordings on the Black Hat Europe 2025[^ Black Hat Europe 2025 Recordings: https://www.youtube.com/playlist?list=PLH15HpR5qRsWwc5RANR9knvWpotKVXPWm] YouTube channel.
The Arsenal
Arsenal[^ Black Hat Europe Arsenal Overview: https://blackhat.com/eu-25/arsenal-overview.html] was my favourite and the most fun part of Black Hat Europe. Getting to learn about and see new tools in action and interact with those who built them is akin to letting a child loose in a candy aisle in the supermarket.
The line-up[^ Arsenal Line-up: https://blackhat.com/eu-25/arsenal/schedule/index.html] for this edition was outstanding, the schedule was packed, and I had to hustle between the various booths to check as many tools as possible. Some of my favourites include:
- Flowlyt[^ Flowlyt GitHub Repository: https://github.com/harekrishnarai/flowlyt]: A Go-based static analysis tool that you can use to scan GitHub Actions workflows for malicious patterns, misconfigurations, and hardcoded secrets.
- AnonyMask[^ AnonyMask: https://github.com/Caudrey/AnonyMask]: A privacy-preserving tool that allows users to anonymize both explicit and implicit privacy data before sending it to an LLM or RAG for analysis.
- ThreatShield[^ ThreatShield: https://github.com/threatshield/threatshield]: An AI-powered threat modelling and security analysis tool designed to automate and elevate threat modelling by processing raw documents like PRDs, architecture diagrams, Confluence docs, etc. to generate structured STRIDE-based threat models, attack trees, DREAD scoring, and mitigations.
- SkyEye[^ SkyEye: https://github.com/0x7a6b4c/SkyEye]: A cloud reconnaissance framework that supports multiple users and roles for data collection and dynamically chains and merges the various vantage points to unravel the full spectrum of permissions, resource authorizations, and hidden escalation paths. Of all the tools I got to check out, this is my favourite, and the developers were an absolute delight.
- Cloud Sec AI BOT[^ Cloud Sec AI BOT: https://github.com/nandangupta-security/CloudSecAIBot]: An AI-powered multi-cloud security assistant that turns plain English into validated cloud commands through a secure MCP server with read-only permissions across your entire cloud estate.
- DNSBomb Toolkit[^ DNSBomb Homepage: https://dnsbomb.net/]: A new practical and powerful pulsing DoS attack that exploits multiple widely implemented DNS mechanisms to accumulate DNS queries that are sent at a low rate, amplify queries into large-sized responses, and concentrate all DNS responses into a short, high-volume periodic pulsing burst to simultaneously overwhelm target systems.
- AI-Infra-Guard[^ AI-Infra-Guard: https://github.com/Tencent/AI-Infra-Guard]: A comprehensive, intelligent, and user-friendly AI red teaming platform, designed to provide users with a one-stop solution for AI security risk self-assessment.
These are but a few among the numerous mind-blowing and rather exciting new tools and platforms that were demonstrated in the Arsenal space. I suggest going through the full line-up[^ Arsenal full line-up: https://blackhat.com/eu-25/arsenal/schedule/index.html] and checking out the tools that pique your interest; you won't be disappointed.
Arsenal is part of the business hall space, but unlike Arsenal, the rest of the business hall is a busy, crowded (in a good way), and buzzing space where vendors showcase their latest products and features, engage in discussions, give away swag, and collect email addresses (after asking nicely) for possible engagement opportunities. Let's delve into the business hall maze and see what caught my eye.
Business Hall Adventures
Let me share a secret with you. I don't like crowded or loud spaces; they just make me uncomfortable, and hence the buzzing nature of the business hall presented a challenge (though not a major one). Thankfully, my friend Kai joined me, and we explored the various booths together.

Whenever I had some time between talks or panels, I would venture into the business hall and walk around the maze-like floor packed with vendor booths, checking out some products that caught my eye, chatting with some of the people manning these booths, or collecting stickers and free swag (I somehow ended up getting a Bluetooth headset from one booth).
Some of the vendors I stopped at include: Push Security[^ Push Security: https://pushsecurity.com/], ThreatLocker[^ ThreatLocker: https://www.threatlocker.com/], HackerOne[^ HackerOne: https://www.hackerone.com/], Aikido Security[^ Aikido Security: https://www.aikido.dev/], StrangeBee[^ StrangeBee: https://strangebee.com/], Orca Security[^ Orca Security: https://orca.security/], Huntress[^ Huntress: https://www.huntress.com/], PrimeSec[^ PrimeSec: https://www.primesec.ai/], and a few others. You can see the full list of exhibitors on the event website[^ Exhibitors List: https://blackhat.com/eu-25/event-sponsors.html].
The usual big players were all there, proudly demoing their latest and greatest. But the theme this year wasn’t subtle: AI everywhere. Startups selling “AI-powered security,” established vendors retrofitting LLM features, frantic attempts to stop sensitive data leaking into chatbots, and a few booths trying to point LLMs in the direction of offensive testing. Vendors have always chased the next wave, but this didn’t feel like pure buzzword gymnastics; it felt like everyone realising the ground has shifted and racing to catch up.
Between the AI demos and the hunt for stickers, the Business Hall became my version of sightseeing, which, in hindsight, explains a lot.
Safe to say, I left Black Hat Europe 2025 with a decent haul of stickers, new tools to look into, and a free headset. What I didn’t leave with, however, was any actual knowledge (or any pictures) of London. Let’s talk about that.
Exploring London
Despite living in Europe for more than nine years, and visiting more countries than my bank account would recommend, I’d never set foot in the UK. So landing in London came with a dangerously optimistic level of excitement.
You’d expect this section to be a cheerful montage of landmarks, museums, and dramatic overuse of the word “quaint”, and you would be 100% wrong. I explored precisely two locations, ExCeL London and my hotel. That’s it. No sightseeing. No wandering. Not even an accidental “Oops, I found Big Ben.”
The conference schedule was packed. After the last official session each day, there was no shortage of social activities and smaller events, and by the time I’d done the full circuit I had just enough energy to get back to the room and collapse into sleep.
So London remains unexplored. It bothers me more than it should, maybe because it was my first time in the UK. Regardless, I’ve already made plans to come back soon and fix this. Next time: a few holiday days, no work, no conference timetable, no social obligations, just pure exploration and enjoyment of whatever London has to offer (one of my friends insists that number is exactly zero, but I digress).
Final Thoughts
Attending a Black Hat conference has been a dream of mine for a long time, and it felt great to finally check it off my to-do list. But the good feeling of accomplishing this dream is minor compared to the many other benefits one gets from attending such an event.
I learned a lot of new cool things, saw awesome tools in action, had my curiosity piqued constantly, and met wonderful people who are at the forefront of this everlasting struggle between attackers and defenders.
Even though I didn't get to explore London, I still look back fondly on this trip and can wholeheartedly recommend attending Black Hat (or any of the many security conferences taking place now and then). It would be a positive experience and a great push for personal growth.
One funny saying that kept playing in my mind as I lay on my bed in the hotel after the conference was over is from a meme: the horrors persist, but so do we. It perfectly encompasses what I've seen at Black Hat Europe 2025: attackers are getting smarter, but so are defenders and builders, and life goes on.