Schedule & Trainings


Monday, April 27

  • Free Lightning Conference
  • 12:00pm to 1:30pm EDT/1800pm to 2000pm CET
  • Register for login instructions
  • Will be livestreamed to our YouTube channel

Tuesday, April 28 and Wednesday, April 29

  • Virtual Training Courses
  • 12:00pm to 4:00pm EDT/1800pm to 2000pm CET

Thursday, April 30 to Saturday, May 1

  • Virtual Capture the Flag
  • 12:00pm (Apr 30) to 12:00pm (May 1) EDT/1800pm to 1800pm CET

Training subject to change based on trainer availability.


  • Applied Data Science and Machine Learning For Cyber Security

  • This interactive course will teach security professionals how to use data science techniques to quickly manipulate and analyze security data. The course will cover the entire data science process from data preparation, exploratory data analysis, data visualization, machine learning, and model evaluation—all with a focus on security-related problems.

    • Charles Givre recently joined JP Morgan Chase, where he works as a data scientist and technical product manager in the cybersecurity and technology controls group. Prior to joining JP Morgan, Mr. Givre worked as a lead data scientist for Deutsche Bank. Mr. Givre worked as a Senior Lead Data Scientist for Booz Allen Hamilton for seven years where he worked in the intersection of cyber security and data science. At Booz Allen, Mr. Givre worked on one of Booz Allen's largest analytic programs where he led data science efforts and worked to expand the role of data science in the program. Mr. Givre is passionate about teaching others data science and analytic skills and has taught data science classes all over the world at conferences, universities and for clients. Mr. Givre taught data science classes at BlackHat, the O'Reilly Security Conference, and the Center for Research in Applied Cryptography and Cyber Security at Bar Ilan University. He is a sought-after speaker and has delivered presentations at major industry conferences such as Strata-Hadoop World, Open Data Science Conference and others. One of Mr. Givre's research interests is increasing the productivity of data science and analytic teams, and towards that end, he has been working extensively to promote the use of Apache Drill in security applications and is a committer and PMC Member for the Drill project. Mr. Givre teaches online classes for O'Reilly about Drill and Security Data Science and is a coauthor of the O'Reilly book Learning Apache Drill. Prior to joining Booz Allen, Mr. Givre worked as a counterterrorism analyst at the Central Intelligence Agency for five years. Mr. Givre holds a Master's degree in Middle Eastern Studies from Brandeis University, as well as a Bachelor of Science in Computer Science and a Bachelor of Music, both from the University of Arizona. He speaks French reasonably well, plays trombone, lives in Baltimore with his family and, in his nonexistent spare time, is restoring a classic British sports car. Mr. Givre blogs at thedataist.com and tweets @cgivre.

  • Attacking and Defending Containers, Kubernetes and Serverless

  • Attacking and securing infrastructure or applications that leverage containers, Kubernetes and serverless technology requires a specific skill set and a deep understanding of the underlying architecture. The training will be filled with demos designed from real-world attacks to help understand all there is to attack and secure such applications.

    • Nithin Jois is a Solutions Engineer at we45 - a focused Application Security company. He has helped build ‘Orchestron’ - a leading Application Vulnerability Correlation and Orchestration Framework. He is experienced in orchestrating containerized deployments securely to production. Nithin and his team have extensively used Docker APIs as a cornerstone of most we45-developed security platforms, and he has also helped clients of we45 deploy their applications securely.
      Nithin is a passionate Open Source enthusiast and is the co-lead-developer of ThreatPlaybook - An Open Source framework that facilitates Threat Modeling as Code married with Application Security Automation on a single Fabric. He has also written multiple libraries that complement ThreatPlaybook.
      Nithin is an automation junkie who has built Scalable Scanner Integrations that leverage containers to the hilt and is passionate about Security, Containers and Serverless technology. He speaks at meetup groups, webinars and training sessions. He participates in multiple CTF events and has worked on creating Intentionally Vulnerable Applications for CTF competitions and Secure Code Training.
      Nithin was a trainer and speaker at events like AppSecDC-2019, AppSecUS-2018, SHACK-2019, AppSecCali-2019, DefCon-2019, BlackHat USA 2019, AppSecCali-2020 and many more. In his spare time, he loves reading about personal finance, leadership, fitness, cryptocurrency, and other such topics. Nithin is an avid traveler and loves sharing stories over a cup of hot coffee.

  • Building Secure API's and Web Applications

  • The major cause of API and web application insecurity is a lack of secure software development knowledge and practices. This highly intensive and interactive 1-day workshop provides essential application security training for web application and API developers. This workshop is a combination of lecture, security testing, and code review.

    • Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is also an investor/advisor for BitDiscovery, Nucleus Security, Secure Circle and Signal Sciences. Jim is a frequent speaker on secure software practices, is a member of the Java Champion community, and is the author of "Iron-Clad Java: Building Secure Web Applications" from Oracle Press. Jim also volunteers for the OWASP foundation as the project co-lead for the OWASP Application Security Verification Standard and the OWASP Proactive Controls. For more information, see http://www.linkedin.com/in/jmanico.

  • DevOps for CISO

  • Interactive training with group exercises for better understanding of the following topics.
    • Agile and DevOps basics
    • The role of automation in development, deployment, and operations
    • Agile threat modeling
    • Patch management in DevOps environments
    • Incident handling feedback loops
    • Cloud challenges and advantages
    • Combining SRE and DevSecOps

    • Dave van Stein is a security and privacy consultant and DevOps enthusiast at Xebia. Acting as trainer, mentor, coach, and technical consultant, he helps clients achieve a higher maturity level by integrating security and privacy controls into the Agile and DevOps way of working.
      He has several publications to his name and is ISEB/ISTQB, CIEH and GWAPT certified. Dave teaches you how to hack web apps, automate Security, work in a DevOps way and much more during his courses!

  • DevSecOps - Automate Security in DevOps

  • Code gets shipped into a DevOps environment at a blazing speed, making it extremely difficult to address security at each new release. In this training we shall discuss how to address security issues by automating security in a DevOps environment utilising various tools and techniques. Attendees will also get a DevSecOps-Lab used during the course.

    • Rohit is an Associate Director with NotSoSecure, a Claranet Group company. He is a technology enthusiast with 9+ years of experience in hacking anything that runs on binaries and is on the ground. He also delivers two of the bestselling classes by NotSoSecure, titled ‘Application Security for Developers’ and ‘DevSecOps’. He has also trained and spoken at premier security conferences like Blackhat, OWASP AppSec and Nullcon.
      He is humbled to be part of the list of “50 Influential DevSecOps Professional - Peerlyst 2019”.
      He also loves to reverse engineer binaries and mobile applications and find and exploit vulnerabilities in them. He spends his free time learning new technologies, programming languages or maybe even tinkering with open source tools.

  • Hacking Android and IoT apps by Example

  • Learn about Android & IoT app security by improving your mobile security testing kung-fu. Ideal for Penetration Testers, Mobile Developers and everybody interested in mobile app security.
    All action, no fluff, skills gained are 100% hands-on, includes lifetime access to training portal with detailed video recordings + all future updates for free.

    • After 13 years in itsec and 20 in IT Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews and training. Former senior penetration tester / team lead at Cure53 (cure53.de) and Version 1 (www.version1.com). Creator of “Practical Web Defense” - a hands-on eLearnSecurity attack / defense course (www.elearnsecurity.com/PWD), OWASP OWTF project leader, an OWASP flagship project (owtf.org), Major degree and Diploma in Computer Science, some certs: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+. As a shell scripting fan trained by unix dinosaurs, Abraham wears a proud manly beard. He writes on Twitter as @7asecurity @7a_ @owtfp or https://7asecurity.com/blog. Multiple presentations, pentest reports and recordings can be found at https://7asecurity.com/publications

  • Hands-on threat modeling and tooling for DevSecOps

  • Action-packed Threat Modeling course for DevOps to improve reliability & security of software. We teach a risk-based, iterative and incremental threat modeling method. At least 50% hands-on workshops covering the different stages of threat modeling on an incremental business driven CI/CD scenario for AWS. 94% satisfaction score O’Reilly Velocity.

    • Seba is co-founder and CEO of Toreon. He started the Belgian OWASP chapter, co-leads the OWASP SAMM project, and co-founded the yearly BruCON conference. With a background in development and many years of experience in security, Seba has trained countless developers to create more secure software. He adapts application security models to the evolving field of DevOps and brings Threat Modeling to a wider audience (including teaching Whiteboard Hacking at Black Hat).

  • Seth & Ken's Excellent Adventures (in Secure Code Review)

  • Have you been tasked with reviewing too much code in too little time? What about new frameworks or languages you are unfamiliar with? This course addresses these common challenges in modern secure code review. Sharpen your code review techniques by gleaning from our adventures in code review and the lessons we’ve learned along the way.

    • Seth Law is an experienced Application Security Professional with over 15 years of experience in the computer security industry. During this time, Seth has worked within multiple disciplines in the security field, from software development to network protection, both as a manager and individual contributor. Seth has honed his application security skills using offensive and defensive techniques, including tool development. Seth is employed as a security consultant, hosts the Absolute AppSec podcast with Ken Johnson, and is a regular speaker at developer meetups and security events, including Blackhat, Defcon, CactusCon, and other regional conferences.

    • Ken Johnson has been hacking web applications professionally for 11 years and given security training for 8 of those years. Ken is both a breaker and builder and currently works on the GitHub application security team. Previously, Ken has spoken at RSA, You Sh0t the Sheriff, Insomnihack, CERN, DerbyCon, AppSec USA, AppSec DC, AppSec California, DevOpsDays DC, LASCON, RubyNation, and numerous Ruby, OWASP, and AWS events about appsec, devops security, and AWS security. Ken’s current projects are WeirdAAL, OWASP Railsgoat, and the Absolute AppSec podcast with Seth Law.

  • Threat Modeling: Getting from None to Done

  • This session offers an introduction to Threat Modeling (TM), based on the instructor's learning and experience developing a TM practice at his employer. We start with necessary background information, walk through techniques for building models for new and legacy systems, and wrap up with an approach for introducing TM into your SDLC.

    • Dr. John DiLeo is the Auckland-area leader of the OWASP New Zealand Chapter, and is employed as the Application Security Architect at Orion Health, a global company specialising in health information software. In his current role, he is responsible for developing and managing the enterprise's software assurance program, with emphasis on governance, secure development practices, and security training.
      Before specialising in application security, John was active as a Java enterprise architect and Web application developer (mostly Java EE and LAMP). In an earlier life, he had specialised in developing discrete-event simulations of large distributed systems, in a variety of languages - including the Java-based language (FreeSML) he developed as part of his doctoral research.
      John is also a member of the core team for the OWASP Software Assurance Maturity Model (SAMM) Project, and a co-leader of the OWASP Application Security Curriculum Project.

  • Web Application Security Essentials

  • During this interactive training, the participants will be able to identify the top 5 critical vulnerabilities in web applications, understand how exploitation works and learn how to implement the necessary corrective measures. The students will utilize OWASP WebGoat 8.0 and OWASP ZAP to solve the exercises presented during the virtual class.

    • Fabio delivered this training to thousands of developers and security professionals. He also regularly delivers training to technical audiences on various topics such as application security, cloud security, and information security. Here is a reference from one attendee of his courses: "Fabio is an excellent instructor. I was lucky enough to attend one of the courses where he was the instructor. He was able to present the subject matter in an interesting way and at an appropriate pace. He encouraged interaction and was able to answer questions with ease by leveraging his extensive experience in the industry."
      Fabio Cerullo is an official certified instructor for (ISC)², the global leader in information security education and certification. Fabio has over 15 years of experience in the information security field gained across a diverse range of industries ranging from financial and government institutions to software houses and start-ups. He regularly trains professionals from different backgrounds in application security, cloud security, and information security. He is a regular speaker at events organized by OWASP, ISACA and (ISC)² among others; and provides commentary and written articles for specialized industry media (Computer Weekly, Infosecurity Magazine, SiliconRepublic.com, etc). He holds an MSc in Computer Engineering from UCA and the SSCP, CISSP, CSSLP & CCSP certifications from (ISC)².

  • Your Application Security Program

  • Bring your Application Security Program from zero to hero with this 1/2 day planning course. We will learn planning, scaling, and measuring your AppSec Program. We will cover tooling, where to start, how to measure, creating a security champions program, developer education, and more. The course will include written exercises and discussion.

    • Tanya Janca, also known as ‘SheHacksPurple’, is the founder, security trainer and coach of SheHacksPurple.dev, specializing in software and cloud security. Her obsession with securing software runs deep, from starting her company, to running her own OWASP chapter for 4 years in Ottawa, co-founding a new OWASP chapter in Victoria, and co-founding the OWASP DevSlop open-source and education project. With her countless blog articles, workshops and talks, her focus is clear. Tanya is also an advocate for diversity and inclusion, co-founding the international women’s organization WoSEC, starting the online #CyberMentoringMonday initiative, and personally mentoring, advocating for and enabling countless other women in her field. As a professional computer geek of 20+ years, she is a person who is truly fascinated by the ‘science’ of computer science.