Talks
My Talks
- The Hidden Access Paths to Smaug’s Cavern — BSidesSF 2025, Apr 2025
Talks I’ve Watched
Conference talks and recordings I’ve found worth watching.
BSidesSF 2026
- Your AI Agent Has Production Access, Now What? — Jack (Anthropic) (Mar 2026)
Best talk of the day. The ‘lethal trifecta’ (egress + sensitive data + untrusted input) is a clean mental model. Tool proxies for credential isolation and using agent transcripts as ‘confessions’ during incident response were immediately actionable.
- The Tyranny of Optimization and the Stability of Automated Governments — Katie Moussouris (Mar 2026)
Bug bounties drowning in AI-generated ‘slop’ — curl shut down theirs entirely. The K-shaped economy framing and critique of the US ‘dominance over safety’ AI policy were sharp.
- The Great Credential Caper: How to Perform and Defend Against the Nearly Impossible to Defend — Dan Hollinger & Christo (Cloudflare) (Mar 2026)
Live demo of Claude Code + Playwright solving CAPTCHAs autonomously was jaw-dropping. The ‘parfait model’ of layered defense across password, request, account, and agent layers is the right framing for the post-bot-score era.
- The Epistemology of Trust — Mike Wilkes (Former CISO) (Mar 2026)
Philosophical but grounded — shift focus from breach prevention to breach cadence. ‘Backups are useless, it’s restores that matter.’ The AI sandbagging research from Anthropic was a sobering addition.
- Seeing the Forest Through the Trees: A Business Approach to Risk and Threat Modeling — Sean (SoundCloud) (Mar 2026)
Practical framework for translating security risks into dollars for execs. 68% of breaches are non-malicious human factors, and 98% of those stopped by MFA. The layered data flow diagram approach was immediately useful.
- A Blueprint for Building a Generic Authorization Service — Ashwin & Fletcher (Roblox) (Mar 2026)
Roblox built Guard, a centralized auth control plane using Topaz/OPA sidecars. The MCP server security angle was unexpected — same identity-agnostic framework for humans, agents, and workloads.