WWHF @ Mile High 2025

As the world's largest cloud platform, Amazon Web Services (AWS) powers millions of applications and deployments, making it a common target for offensive security professionals. The complexity of AWS introduces a number of new attack surfaces, but actually exploiting them often requires niche knowledge or familiarity with arcane configurations. Navigating these nuances to identify and exploit vulnerabilities can be challenging, even for seasoned penetration testers.

In this talk, I'll share some of the things I wish I had known when I started pentesting AWS environments. We'll examine the AWS shared responsibility model and the pentester's role in it. We'll then cover the fundamentals of AWS Identity and Access Management (IAM), take a look at important classes of misconfigurations, and discuss important tradecraft for avoiding detection. Whether you're new to AWS penetration testing or an experienced cloud hacker seeking to deepen your expertise, this session will provide insights and practical skills applicable to real-world engagements.

2024 was the year of fear, uncertainty, and doubt about generative AI. Many organizations moved rapidly to deploy AI solutions for "fear of being left behind" while others struggled with understanding their security implications. Regardless of how you feel about AI, one thing is for sure: AI is being embedded in the products your organization deploys. That means stakeholders will be looking to you to secure it. In this talk, Jake will break down the real risks of generative AI applications while helping to dispel the FUD. You'll walk away better equipped to answer questions from stakeholders and the confidence you're focusing your limited security resources in the right places.