BEGIN:VCALENDAR
VERSION:2.0
X-WR-CALNAME:bsidesknoxville2026
X-WR-CALDESC:Event Calendar
METHOD:PUBLISH
CALSCALE:GREGORIAN
PRODID:-//Sched.com BSides Knoxville 2026//EN
X-WR-TIMEZONE:UTC
BEGIN:VEVENT
DTSTAMP:20260520T195932Z
DTSTART:20260522T123000Z
DTEND:20260522T130000Z
SUMMARY:Opening Remarks
DESCRIPTION:It's our 12th year! We'll chat a bit about:Organizer changes (and availabilities)How our finances are looking headed into 2027Introduce our platinum sponsors (Clayton Homes\, Cisco ASIG\, and Starseer)
CATEGORIES:TRACK 1
LOCATION:Track1 (The Mill & Mine)\, 227 W Depot Ave\, Knoxville\, TN 37917
SEQUENCE:0
UID:db4305aa509cd5c7677137f1a0efaa30
URL:http://bsidesknoxville2026.sched.com/event/db4305aa509cd5c7677137f1a0efaa30
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260520T195932Z
DTSTART:20260522T130000Z
DTEND:20260522T134500Z
SUMMARY:*ishing\, Tokens\, and Clouds...Oh My!
DESCRIPTION:Your office printer is a weapon. Watch how attackers weaponize forgotten network devices to bypass MFA\, steal tokens\, and infiltrate enterprise environments. Discover the attack chain\, why defenses fail\, and how to stop it.
CATEGORIES:TRACK 1
LOCATION:Track1 (The Mill & Mine)\, 227 W Depot Ave\, Knoxville\, TN 37917
SEQUENCE:0
UID:e95b86ee222b4a11b15c67cfa5ef1848
URL:http://bsidesknoxville2026.sched.com/event/e95b86ee222b4a11b15c67cfa5ef1848
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260520T195932Z
DTSTART:20260522T130000Z
DTEND:20260522T134500Z
SUMMARY:404: Cyber Career Not Found - The Beginner’s Guide to Cybersecurity
DESCRIPTION:Breaking into cybersecurity can feel overwhelming for beginners. Between choosing certifications\, figuring out what skills actually matter\, applying to jobs that require “3–5 years of experience\,” and navigating an industry full of advice\, many aspiring professionals feel like they’ve hit a wall (a firewall\, if you will.)\n \n This talk takes a different approach to explaining the early cybersecurity journey\, through the lens of teenage-style diary entries from my own experience entering the field. Throughout the session\, I’ll share moments from my teenage years in the field\, providing attendees with a different perspective of the field. \n \n Each “diary moment” will highlight a lesson learned along the way and translate it into practical advice for beginners. The goal is to demystify the early stages of a cybersecurity career and show that many of the challenges beginners face are shared experiences.\n \n By the end of the session\, attendees will gain a clearer understanding of how to start their cybersecurity journey\, including how to build hands-on skills\, leverage community and mentorship\, and use their existing interests and abilities to find their place in the field. This talk is designed for students\, career changers\, and anyone who has ever wondered if they’re “good enough” to break into cybersecurity.
CATEGORIES:TRACK 2
LOCATION:Track2 (Regas Square Events)\, 333 W Depot Ave\, Suite 120\, Knoxville\, TN 37917
SEQUENCE:0
UID:d11b84a5c31e2020d6baad60ca27f3fe
URL:http://bsidesknoxville2026.sched.com/event/d11b84a5c31e2020d6baad60ca27f3fe
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260520T195932Z
DTSTART:20260522T140000Z
DTEND:20260522T144500Z
SUMMARY:Hillbilly Storytime: AI Hallucinations\, Faceplants\, and Other “Wait… That Ain’t Right” Moments
DESCRIPTION:Who is this talk for?\n Security folks\, tool builders\, and tinkerers who are using (or thinking about using) AI in their workflows—and have already noticed it can be equal parts genius and nonsense.\n \n \n Problem Statement\n LLMs are being dropped into security tooling everywhere—writing scripts\, reviewing findings\, generating reports\, even helping with exploitation. The problem is\, they don’t actually know anything. They predict what sounds right.\n \n And sometimes what sounds right… ain’t right.\n \n The real danger isn’t obvious failure. It’s when the output looks clean\, reads well\, and passes a quick glance—but is fundamentally wrong in a way that can waste time\, introduce risk\, or quietly break your workflow.\n \n This talk takes a practical\, slightly hillbilly approach: trust your tools\, but verify everything they do.\n \n \n Key Takeaways\n AI will be wrong\; and it will be confident about it\n “Looks right” is one of the most dangerous failure modes in security\n You need deterministic validation\, not vibes\n Treat AI like a junior: useful\, fast\, but needs supervision\n A little hillbilly common sense\; “that don’t smell right” is still one of your best defenses
CATEGORIES:TRACK 1
LOCATION:Track1 (The Mill & Mine)\, 227 W Depot Ave\, Knoxville\, TN 37917
SEQUENCE:0
UID:65e7b555379e0f013d0ad275b6d2d348
URL:http://bsidesknoxville2026.sched.com/event/65e7b555379e0f013d0ad275b6d2d348
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260520T195932Z
DTSTART:20260522T140000Z
DTEND:20260522T144500Z
SUMMARY:DNS Servers and Interrupting Cybercrime
DESCRIPTION:In November 2025\, I set up a DNS Server in DigitalOcean to demonstrate how to gain experience\, even without traditional "homelab" equipment. Everything was going well until my DNS Server started receiving 1\,500 requests a minute\, all targeting a regional bank's TXT records.
CATEGORIES:TRACK 2
LOCATION:Track2 (Regas Square Events)\, 333 W Depot Ave\, Suite 120\, Knoxville\, TN 37917
SEQUENCE:0
UID:0cdddd86755eb66cbbde04d8ccb7832b
URL:http://bsidesknoxville2026.sched.com/event/0cdddd86755eb66cbbde04d8ccb7832b
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260520T195932Z
DTSTART:20260522T150000Z
DTEND:20260522T154500Z
SUMMARY:Rebuilding security strategy from breach lessons
DESCRIPTION:For nearly a decade\, I've been gathering and studying details from breaches. In the beginning\, there wasn't much\, but over the years\, more and more has emerged in the public record. There's enough data now that it's time to start talking about what we can learn from the failures of others.\n \n This will follow up on my RSAC 2026 talk\, which focused more on making the argument for breach transparency. This talk will focus almost exclusively on the specifics I've learned from a decade of studying breaches\, which the RSAC talk only shared a sample of.
CATEGORIES:TRACK 1
LOCATION:Track1 (The Mill & Mine)\, 227 W Depot Ave\, Knoxville\, TN 37917
SEQUENCE:0
UID:e738494bf32adc61fc9bda4661a94f13
URL:http://bsidesknoxville2026.sched.com/event/e738494bf32adc61fc9bda4661a94f13
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260520T195932Z
DTSTART:20260522T150000Z
DTEND:20260522T154500Z
SUMMARY:Game Hacking Bootcamp: Zero to Cheater in 45 Minutes
DESCRIPTION:Want to get started in game hacking without getting overwhelmed? Have you already dabbled in the subject and hit a wall? This talk offers a practical introduction for cybersecurity professionals and enthusiasts\, mixing hands-on demos\, theory\, and a learning roadmap designed to keep the curve manageable. Along the way you'll see how game hacking builds real skills in reverse engineering\, binary exploitation\, and malware detection and evasion using games you already own and want to play. You'll leave with the tools\, concepts\, and a concrete roadmap to start hacking real games today.
CATEGORIES:TRACK 2
LOCATION:Track2 (Regas Square Events)\, 333 W Depot Ave\, Suite 120\, Knoxville\, TN 37917
SEQUENCE:0
UID:497a7ad4c361529863044d2f827bad39
URL:http://bsidesknoxville2026.sched.com/event/497a7ad4c361529863044d2f827bad39
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260520T195932Z
DTSTART:20260522T160000Z
DTEND:20260522T170000Z
SUMMARY:Lunch Break
DESCRIPTION:Check out Hamburger Hill or make a suggestion for next year's food truck!
CATEGORIES:TRACK 1
LOCATION:Track1 (The Mill & Mine)\, 227 W Depot Ave\, Knoxville\, TN 37917
SEQUENCE:0
UID:55d9b973f6efcdd3d5de259094ca816e
URL:http://bsidesknoxville2026.sched.com/event/55d9b973f6efcdd3d5de259094ca816e
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260520T195932Z
DTSTART:20260522T170000Z
DTEND:20260522T174500Z
SUMMARY:Brother\, Can You Spare A Token? What AI Means For the Security Poverty Line
DESCRIPTION:Described since 2011\, the security poverty line is that point below which an organization can’t effectively secure itself. This is due to a lot of factors\, and the recent popular trend of AI use (particularly LLMs) has muddied the waters even more. Is it going to save the vast majority of security have-nots? Will it only help the token-rich 1%? Or is it mostly just helping the attackers? \n\nIn this potentially contentious session\, we’ll talk about what’s really within reach.
CATEGORIES:TRACK 1
LOCATION:Track1 (The Mill & Mine)\, 227 W Depot Ave\, Knoxville\, TN 37917
SEQUENCE:0
UID:dcaa24c608713e667731950d6b24b05e
URL:http://bsidesknoxville2026.sched.com/event/dcaa24c608713e667731950d6b24b05e
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260520T195932Z
DTSTART:20260522T180000Z
DTEND:20260522T184500Z
SUMMARY:Graphing the Human Attack Surface
DESCRIPTION:Every organization has a human attack surface. Most have no idea how big it is. Using basic scraping methods against public social media platforms\, we built a graph database that disambiguates profiles across platforms and resolves fragmented online identities into confirmed employees. The graph maps organizational hierarchies\, team structures\, reporting relationships\, and personal details. This talk covers the architecture\, the data sources\, and how the disambiguation engine works at scale\, then shows what an entire organization looks like when you query it through the lens of someone building a target list.\n \n Armed with intelligence from the graph\, we deployed an AI voice agent to call a Fortune 100 help desk. The agent passed identity verification\, convinced the analyst to initiate a password reset\, and achieved account takeover without any technical exploitation. We'll play the distorted call recording and break down exactly where the verification process fell apart.\n \n Help desks were designed for a world where the caller was human and the information they had was hard to get. Neither of those things is true anymore. We'll cover practical steps security teams can take to harden their help desks\, reduce their human attack surface\, and prepare for a threat model where the attacker already knows everything about your employees before they ever pick up the phone.
CATEGORIES:TRACK 1
LOCATION:Track1 (The Mill & Mine)\, 227 W Depot Ave\, Knoxville\, TN 37917
SEQUENCE:0
UID:989f61cbcd064a7a28771fdb7967445c
URL:http://bsidesknoxville2026.sched.com/event/989f61cbcd064a7a28771fdb7967445c
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260520T195932Z
DTSTART:20260522T180000Z
DTEND:20260522T184500Z
SUMMARY:Password Reset Is Not Incident Response: Hunting OAuth Persistence in Microsoft 365
DESCRIPTION:Password Reset Is Not Incident Response: Hunting OAuth Persistence in Microsoft 365\n \n When a Microsoft 365 account is compromised\, most organizations follow a familiar script: disable the account\, reset the password\, enforce MFA\, and move on.\n \n That playbook is incomplete.\n \n Modern attackers do not rely solely on stolen credentials. They establish persistence using OAuth applications\, delegated Graph permissions\, refresh tokens\, mailbox rules\, and hidden forwarding mechanisms. In many cases\, access survives password resets and MFA enforcement because the real foothold is not the password. It is delegated trust.\n \n This session walks through a practical\, technical approach to Microsoft 365 compromise cleanup with a focus on OAuth abuse and token persistence. Attendees will see:\n • How malicious OAuth apps maintain access after credential resets\n • What refresh tokens and offline_access actually enable\n • Where to look in Entra ID and audit logs for non-interactive persistence\n • How to revoke sessions and consent properly\n • How to reduce tenant-wide exposure through consent policies and governance\n \n The session includes two demonstrations. First\, we'll show off the mechanics of a token theft AitM attack\, followed by a demo of gaining OAuth persistence using a controlled lab tenant\, showing how an attacker can read mailbox data even after a password reset\, and how defenders can fully remove that access. I don't trust live demos\, so I will pre-record these and narrate as we walk through screen recordings of the attacks. \n \n If your incident response process ends at password reset\, you are likely leaving the door open.
CATEGORIES:TRACK 2
LOCATION:Track2 (Regas Square Events)\, 333 W Depot Ave\, Suite 120\, Knoxville\, TN 37917
SEQUENCE:0
UID:1e135a918ba8a25b4766d619fae55c08
URL:http://bsidesknoxville2026.sched.com/event/1e135a918ba8a25b4766d619fae55c08
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260520T195932Z
DTSTART:20260522T190000Z
DTEND:20260522T194500Z
SUMMARY:Words of the Wicked: How Language Divides and Unites Cybercriminals
DESCRIPTION:How cybercrime speaks matters. This talk compares English\, Spanish\, and Russian underground forums\, revealing how language shapes access\, hierarchy\, recruitment\, targets\, and tactics\, from open global hubs to regional networks and tightly controlled elite communities.
CATEGORIES:TRACK 1
LOCATION:Track1 (The Mill & Mine)\, 227 W Depot Ave\, Knoxville\, TN 37917
SEQUENCE:0
UID:1fb7043119412c10ddfca64d8e5bf413
URL:http://bsidesknoxville2026.sched.com/event/1fb7043119412c10ddfca64d8e5bf413
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260520T195932Z
DTSTART:20260522T190000Z
DTEND:20260522T194500Z
SUMMARY:The Myth of the Meteoric Rise in Vulnerabilities
DESCRIPTION:The Common Vulnerability and Exposures standard system is broken and I was part of the problem. I'll go through where we started documenting and correlating vulnerabilities across the industry\, and where we went wrong. Oh\, and why the US Government is only part of the problem.
CATEGORIES:TRACK 2
LOCATION:Track2 (Regas Square Events)\, 333 W Depot Ave\, Suite 120\, Knoxville\, TN 37917
SEQUENCE:0
UID:7f7e8153c09c944582e1430c64a10d32
URL:http://bsidesknoxville2026.sched.com/event/7f7e8153c09c944582e1430c64a10d32
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260520T195932Z
DTSTART:20260522T194500Z
DTEND:20260522T200000Z
SUMMARY:Awards Ceremony
DESCRIPTION:\n
CATEGORIES:TRACK 1
LOCATION:Track1 (The Mill & Mine)\, 227 W Depot Ave\, Knoxville\, TN 37917
SEQUENCE:0
UID:6cb49364a422bb1fda027cab34989ae9
URL:http://bsidesknoxville2026.sched.com/event/6cb49364a422bb1fda027cab34989ae9
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260520T195932Z
DTSTART:20260522T200000Z
DTEND:20260522T204500Z
SUMMARY:Stacking the Deck: Agentic Workflows for Offensive Security
DESCRIPTION:Traditional offensive security is often a battle against the friction of manual reconnaissance\, repetitive infrastructure setup\, and the tedious translation of tool outputs into actionable reports. As Large Language Models evolve from static chat interfaces into autonomous agents\, the role of the security professional is shifting from Manual Operator to Systems Architect.\n\nThis session approaches offensive security through the lens of a deckbuilding card game. We will walk through a "Setup" phase for selecting the right agentic infrastructure\, an "Action" phase involving C2 infrastructure and application security use cases\, and a "Cleanup" phase using practical\, human-in-the-loop workflows to finalize deliverables.\n\n- Combos and setup: Automatically provisioning multi-cloud redirectors across Cloudflare\, AWS\, and Azure while maintaining origin secrecy.\n- Know your tools: Chaining playwright-mcp with automated script generation to transform a browser-based discovery into a persistent exploit.\n- Manage your mana: Strategies for maintaining a low-cost operation by "compiling" agentic reasoning into local CLI tools and offloading repetitive tasks to local models like Ollama.\n\nAttendees will leave with a blueprint for building their own "Security Deck\," enabling them to automate the grind\, preserve high-level strategy\, and execute complex engagements at machine speed without losing the critical oversight of the human operator.
CATEGORIES:TRACK 1
LOCATION:Track1 (The Mill & Mine)\, 227 W Depot Ave\, Knoxville\, TN 37917
SEQUENCE:0
UID:ce066d9ff62c7641634e8dc656819835
URL:http://bsidesknoxville2026.sched.com/event/ce066d9ff62c7641634e8dc656819835
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260520T195932Z
DTSTART:20260522T200000Z
DTEND:20260522T204500Z
SUMMARY:Keys to the Kingdom: Real World Initial Access Techniques
DESCRIPTION:Initial access is often portrayed as complex exploitation and zero-day vulnerabilities\, but in the real world attackers usually gain entry through much simpler methods such as social engineering\, credential harvesting\, and the abuse of common misconfigurations.\n\nThis talk walks through real world techniques used during red team engagements to gain initial access to enterprise environments. We will explore social engineering attacks\, physical access scenarios\, external attack surface opportunities\, and internal network techniques used to establish an initial foothold.\n\nThis is not a talk about hypothetical attacks or theoretical vulnerabilities. It focuses on the techniques that consistently work during real world red team engagements and what defenders can do to better detect and prevent them.
CATEGORIES:TRACK 2
LOCATION:Track2 (Regas Square Events)\, 333 W Depot Ave\, Suite 120\, Knoxville\, TN 37917
SEQUENCE:0
UID:64b8a1daded5a44c4d322ab446324231
URL:http://bsidesknoxville2026.sched.com/event/64b8a1daded5a44c4d322ab446324231
END:VEVENT
BEGIN:VEVENT
DTSTAMP:20260520T195932Z
DTSTART:20260522T210000Z
DTEND:20260522T211500Z
SUMMARY:Closing Remarks
DESCRIPTION:\n
CATEGORIES:TRACK 1
LOCATION:Track1 (The Mill & Mine)\, 227 W Depot Ave\, Knoxville\, TN 37917
SEQUENCE:0
UID:13d9dd024424c60d37e02ede57899d18
URL:http://bsidesknoxville2026.sched.com/event/13d9dd024424c60d37e02ede57899d18
END:VEVENT
END:VCALENDAR