
Las Vegas Convention Center, Las Vegas, USA · 8th, 9th and 10th August 2025


23 talks
0 workshops
16 videos available

Autonomous Video Hunter: AI Agents for Real-Time OSINT

Imagine discovering critical intelligence hidden inside live video streams faster than any human analyst could. We'll begin with a compelling hypothetical scenario: a breaking news livestream unintentionally captures crucial clues about a missing person's location, but overwhelmed human investigators miss the moment. Inspired by real-world challenges investigators face daily, this scenario motivated us to build Autonomous Video Hunter (AVH), a system of AI-powered agents that scour video content in real time to extract actionable OSINT.

Technical core: We'll showcase how AVH combines open source AI models for image recognition and audio transcription, orchestrated by custom Python-based agents. These agents autonomously analyze video streams, detect critical visuals, logos and speech keywords, and quickly cross-reference these clues against online databases and OSINT repositories.

Live demo: Experience AVH live as it identifies a target logo and relevant context (e.g., social media profiles and geolocation clues) from a random video clip in mere seconds. We'll also address practical challenges, from reducing false positives to scaling efficiently across multiple simultaneous streams. By the end of this lightning talk, attendees will understand how autonomous agents transform overwhelming video data into OSINT insights rapidly and effectively. We'll also share a lightweight open source AVH tool for the OSINT community to use and build upon.

Building Local Knowledge Graphs for OSINT: Bypassing Rate Limits and Maintaining OPSEC

Traditional OSINT collection faces two critical challenges: public APIs throttle queries to prevent abuse, and each query potentially reveals investigative interests to service providers. This talk presents a practical solution using Knowledge Graph technology combined with RDF (Resource Description Framework) to build queryable, offline OSINT repositories. We demonstrate how to scrape multi-source OSINT data, transform it into RDF format, align it with common ontologies, and store it in local data packages. Once built, analysts can run complex SPARQL queries against their local triplestore without external dependencies or operational security concerns.

CTI-Agent: Automated battlecards from CTI reports

Threat intelligence reports from reputed parties contain a wealth of OSINT including threat actor details, campaign information, IOCs (indicators of compromise), and TTPs (Tactics, Techniques and Procedures). Such threat intelligence is predominantly consumed with a human in the loop due to several challenges:

- Threat intelligence is often in natural language and difficult to extract automatically.
- These reports may have incomplete information and may require synthesizing multiple reports to construct a better view of the attack.
- Some intelligence, such as TTPs, is often implicit in the report and requires language comprehension.
- Not all indicators in a report are malicious, and further they could have different degrees of confidence on the level of maliciousness and what they define as malicious.

The labor-intensive manual process not only makes it difficult and error-prone to identify actionable threat intelligence in the form of battlecards, but also leaves users vulnerable to the mentioned attacks due to the increased time gap between threat reports and manual extraction of intelligence. The problem is exacerbated by the fact that there are many similar threat reports with different pieces of intelligence scattered across them, especially for emerging attacks.

We build an agentic system to automate the collection and synthesis of cyber threat intelligence from threat reports into battlecards using LLM Agents and unsupervised machine learning techniques. At a high level, CTI-Agent first extracts threat actor, campaign, TTPs and IOCs from recently published threat reports from reputed parties using specially crafted prompts on LLMs (Large Language Models) as well as using regular expressions/known knowledge, which we refer to as signature-based techniques. The agent also generates concise summaries for each threat report using LLMs. After performing a round of validation, the agent uses the summaries and extracted intelligence to synthesize multiple reports together and provide a battlecard with easily digestible threat intelligence. The agent follows the proven ReAct (Reason Action) framework to plan tasks autonomously and achieve the final goal of producing accurate battlecards by reasoning and then acting (i.e. calling various tools) multiple times. We plan to share our experience and lessons learnt during the process of building the CTI-Agent.

The outline of the presentation is as follows:

- CTI to Battlecards
  - How battlecards are used to help protect networks
  - Manual, time consuming, error-prone
  - Multiple threat reports with inconsistent descriptions
  - May contain conflicting IOCs/TTPs
- Modeling CTI Reports
  - Converting unstructured or semi-structured data into structured threat information
  - Challenges involved
- Three key LLM patterns
  - Prompting LLMs (simple and CoT prompting)
  - RAG (Retrieval Augmented Generation)
  - Agents
- Prompting LLMs
  - How to effectively prompt LLMs to elicit best output
  - Examples
- RAG
  - Describe a RAG system using a diagram
- Agents
  - Describe an agentic system using a diagram
- Evals
  - Evaluating LLM/Agentic systems is a challenging task
  - Show how one can incrementally build an eval dataset to evaluate
- Agent Tool Calling
  - Introduce agent tool calling
  - Introduce MCP protocol
- Multi-Agent Systems
  - Common patterns
  - Introduce A2A protocol
- Popular Agent Planning Techniques
  - Introduce what agent planning is
  - Introduce patterns like Reflection and ReAct
- Guardrails
  - Explain the need to have guardrails
  - Provide examples
- Multi-Agentic System Overview
  - Monitor and collect recent threat reports from reputed parties
  - Agentic system to extract Threat Actor, Campaign, TTPs and IOCs
    - Extract using CoT prompted LLMs
    - Extract using signature-based methods
    - Validate the collected threat intelligence information via reflection and LLM-as-a-Judge
  - Create threat report summaries for each threat report by prompting LLMs
  - Collect additional IOCs related to campaigns using in-house intelligence
  - Save reports, summaries and threat intelligence data to a database
  - Cluster threat reports to identify related threat reports (i.e. those reports discussing the same threat or campaign)
    - Generate language embeddings for the threat summaries of threat reports
    - Generate graph embeddings by modeling threat reports and the extracted threat intelligence as a graph and using an unsupervised graph learning algorithm
    - Combine both embeddings and perform unsupervised learning to cluster them
    - The embeddings in the same cluster correspond to threat reports discussing the same threat or campaign
  - Generate battlecards that can be readily used by security operations professionals
  - Note: The above steps will be visualized across multiple slides, showing how to realize them in practice.
- Agentic System Evaluation
  - Dataset
  - Experimental results
- Lessons Learned
  - Various lessons learned during the construction and evaluation of this system plus several other agentic systems that the author built
- Summary
  - Key takeaways from the presentation

Discord OSINT: An Empathic Banana and a Data Scraper Walk into a Search Bar

Open-source intelligence in Discord may seem surface level. Some techniques include searching through chat history using search operators similar to Google dorking and reviewing a user's profile to look for any linked accounts tied to their Discord account. Going beyond this and analyzing the servers that a user is a part of, more assumptions and inferences can be made based on those servers. I took what I saw and experienced with Student Hubs and applied it to cybersecurity within Discord. The information from knowing what cybersecurity servers a person is in informed me of what their experience level was, the type of field they were interested in or worked in, and potentially even where they lived. However, you can only reach a certain point by joining servers within Discord. This type of approach can only be done at scale, and this presents its own set of problems. Scaling this seemed unlikely to happen until a service known as Spy.pet was publicly disclosed in April 2024. Spy.pet was marketed as a data broker that was inadvertently a very capable OSINT tool that could be used for Discord. Knowing that it would be available for a short time before it got shut down, I was able to access Spy.pet to use and document what capabilities it had. Since then, there have been more data scrapers that have appeared with their own reasons. These include third parties (malicious or not), academic researchers, and cybercrime groups. I will cover the capabilities and OPSEC failures of some of the data scrapers in the past year as well as how it could possibly be approached in the future. Most importantly, I will go over protections at the user and server level.

enumeraite: AI assisted web attack surface enumeration

Remember that soul-crushing moment when you opened an 8.9 GB Burp Suite file? Yeah, fun times. But here's something even more annoying: reading a random blog post where someone casually mentions a $5,000 bug, an unauthenticated admin panel hidden on some obscure, unpredictable URL of a well known target. I feel you, it's hard to deal with huge attack surfaces, endless URLs and thousands of subdomains. And it's even harder to expand your attack surface to find pages that no one has ever looked at before. Don't get me wrong: I still think AI sucks at pentesting (sue me). It won't chain exploits, think creatively, or outsmart a well-configured WAF. But here we are. It's really good at generating paths/subdomains, and picking out the most important targets from a massive list. And lastly, AI can be a smart assistant that is specifically configured for the target app's test. It handles the boring stuff, so you can focus on breaking things. In this talk, we're not glorifying AI; we're putting it to work. Smart, sharp, and right where it counts.

From Dare to Discovery: How OSINT and Modern Recon Techniques Uncovered a Global VPN Infrastructure

What started as a weekend gaming session and a friendly dare evolved into discovering critical vulnerabilities affecting OpenVPN endpoints on a global scale. This talk demonstrates a comprehensive reconnaissance methodology that combines traditional OSINT techniques with modern cloud-based intelligence gathering to map and exploit critical infrastructure at scale. The presentation follows a complete attack chain that showcases advanced reconnaissance techniques:

Phase 1: Intelligence Discovery & Infrastructure Mapping
1. VirusTotal RetroHunt OSINT: Writing custom YARA signatures to discover 50+ vulnerable drivers across the internet, demonstrating how one vulnerability discovery can reveal widespread systemic issues
2. Supply Chain Intelligence: OSINT techniques to identify that OpenVPN (the world's most popular open-source VPN) was the common denominator, affecting thousands of companies and numerous endpoints
3. Target Profiling: Understanding OpenVPN's multi-process architecture, plugin mechanisms, and Windows internals through open-source research

Phase 2: Remote Reconnaissance & Credential Harvesting
1. Network Enumeration: SMB enumeration, null session exploitation, and remote named pipe discovery
2. Credential Intelligence: Capturing NTLMv2 hashes through network reconnaissance and social engineering techniques
3. Cloud-Powered Cracking: Leveraging cloud GPU infrastructure (VAST.AI + Hashcat) to crack enterprise credentials at scale, demonstrating how modern attackers use accessible cloud resources

Phase 3: Remote-to-Local Attack Chain
1. Remote Code Execution: Using UNC paths and OpenVPN's plugin mechanism to execute code remotely
2. Local Privilege Escalation: "Open Potato" attack, exploiting named pipe hijacking and Windows impersonation for LPE
3. Security Product Bypass: Bring Your Own Vulnerable Driver (BYOVD) techniques to achieve kernel code execution and bypass security solutions

Reconnaissance Applications: The methodologies demonstrated can be repurposed for legitimate security activities:
1. Red Team Operations: Comprehensive target profiling and credential harvesting techniques
2. Bug Bounty Research: Systematic vulnerability discovery across software ecosystems
3. Threat Intelligence: Understanding how threat actors chain reconnaissance techniques
4. Infrastructure Assessment: Mapping organizational VPN deployments and security postures

The talk includes live demonstrations of:
- Custom YARA signature development for vulnerability hunting
- Cloud-based credential cracking workflows
- Remote service enumeration and exploitation
- Building comprehensive target profiles through passive reconnaissance
- Security product evasion techniques applicable to red team scenarios

Attendees will learn practical reconnaissance methodologies that can be immediately applied to their own security research, with emphasis on the intelligence gathering processes that enable sophisticated attack chains.

How to Become One of Them: Deep Cover Operations in Cybercriminal Communities

HUMINT is one of the most powerful, yet least understood tools in cyber threat intelligence. This talk will walk through the full lifecycle of a deep cover HUMINT operation: from identifying high-value sources, to crafting believable personas, navigating forum dynamics, and extracting intelligence through direct engagement with threat actors. We'll explore how these operations provide early warning of attacks, insights into actor motivations, and access to tools before they're deployed. But going undercover isn't without risk. We'll cover the technical and psychological challenges, OPSEC fundamentals, and ethical dilemmas that define this high-stakes work. Attendees will learn how to map underground communities, build credibility, and collect actionable intelligence without blowing cover. With real-world examples and field-tested strategies, this session offers a rare look inside the human side of CTI, where trust, deception, and tradecraft matter more than tooling. For anyone serious about adversary engagement, this is where the automation ends and infiltration begins.

Inside the Shadows: Tracking RaaS Groups and Evolving Cyber Threats

This comprehensive talk will provide an in-depth exploration of advanced threat hunting strategies, showcasing the methodologies employed in our recent reporting on the Decline of Black Basta. Attendees will learn how we tracked threat actor activity on the dark web, specifically focusing on Black Basta, to uncover emerging tactics, affiliations, and operational insights through analysis of illicit forums and marketplaces. The presentation will delve into techniques for monitoring the activities of ransomware-as-a-service (RaaS) groups, including how shifts in membership and operational practices occur after disbandment. Further, we will discuss how to harness investigation telemetry to detect and analyze evolving tactics, techniques, and procedures (TTPs). These approaches enable organizations to anticipate sophisticated cyber campaigns and proactively bolster their defensive strategies. By the end of this session, attendees will have actionable insights and practical methodologies to strengthen their threat detection capabilities, ensuring they stay ahead in the rapidly evolving cybersecurity landscape.

Investigating Foreign Tech from Online Retailers

We live in a time where we can buy practically anything online. It's very tempting to buy cheap products online, including electronics. While saving money can be great, what are we really getting here? Where did it really come from, is it safe to use, and what is really going on behind the scenes? Let's find out! In this talk, we'll track the supply chain of a foreign smartwatch on Amazon using various OSINT techniques. After going down the rabbit hole, we'll perform a hardware/software breakdown with automated and manual analyses (and further OSINT based on our findings). By the end of the talk, you will have a better understanding of some of the tools and processes you can use for performing your own due diligence.

KEYNOTE: Attack Surface in Motion: Why Today's Threats Don't Knock First

Over the past decade and a half, the tactics of threat actors have quietly but fundamentally transformed. What began as slow, targeted intelligence gathering has evolved into automated, scalable exploitation of exposed assets, often before defenders even notice. In this keynote, we'll trace the journey of threat actor innovation, highlighting shifts in recon methods, asset targeting, and speed of attack. We'll dissect common attack surface mistakes that open the door for breaches, especially in the last couple of years, and challenge assumptions around visibility and control. The attack surface is always in motion: are you keeping up?

Mapping the Shadow War - From Estonia to Ukraine

Since 2007, Russia has increasingly blurred the lines between cyber operations and conventional warfare. From the takedown of Estonian infrastructure to the full-scale invasion of Ukraine, state-sponsored threat groups have played a central role in shaping modern conflict. This talk explores the evolution of Russian hybrid warfare through an OSINT lens - identifying cyber-military units, understanding their affiliations, and tracking their operations across conflicts. Using publicly available sources, leaked documents, social media, and infrastructure metadata, this session walks through the investigative workflows used to map Russian cyber-military entities, analyze their digital footprint, and connect the dots between cybercrime and geopolitical objectives. We'll also examine how the war in Ukraine has reshaped the cybercrime ecosystem and offer predictions about future state-actor behavior in conflict zones. This talk blends technical OSINT techniques with geopolitical analysis, providing practical frameworks and tools for analysts, threat hunters, and researchers focused on adversary attribution and long-term strategic tracking.

Key Topics Covered:
- Evolution of Russian hybrid warfare: Estonia (2007) to Ukraine (2022-2025)
- OSINT methods to identify Russian cyber-military units and affiliations
- Social media and metadata exploitation of military and GRU-linked personnel
- Infrastructure recon: domains, TLS certificates, passive DNS, and comms patterns
- War's impact on the cybercrime underground and ransomware ecosystem
- Predictive indicators for future state-linked cyber operations

OSINT Signals Pop Quiz!

This is a fun and informative test to see if the audience can identify potential "Open Source" Signals that are meant to be interpreted by those "in the know". Her hair is tied differently every Tuesday. He is wearing his watch on the opposite wrist today. Why is that? Let's see if the audience knows without Googling!

Plug and Prey: Scanning and Scoring Browser Extensions

Browser extensions are an unmonitored threat surface in most enterprises. Security teams have tools for endpoints, networks, and identities, but the browser is often left out. Extensions can access sensitive data, run arbitrary scripts, and update silently. Most organizations have no idea what's installed across their fleet. This talk introduces ExtHuntr, an open source tool that scans for installed browser extensions, analyzes their permissions and behavior, and generates a risk score. It gives defenders visibility where they currently have none. We will walk through how extensions are abused in the wild, how even well-known plugins can turn malicious, and why relying on store reputation is not enough.

The talk includes:
- A live demo of ExtHuntr
- Breakdown of extension permission abuse
- Risk scoring logic
- Fleet-wide deployment strategies for enterprise use

Attackers already know what your users are running. This talk shows how you can know first.

Plumbing The Plumber: A Playbook for Integration Servers

This will be your field guide for hunting down and finding the complex plumbing of integration servers. From Webmethods, Oracle Integrations and other similar integration servers, we are going to look at ways to find them exposed to the internet and how to identify common misconfigurations through reconnaissance.

- Toolkit: Discover methods to identify various integration technologies in the wild, even those trying to stay hidden
- Endpoints: Learn about forgotten management consoles and exposed APIs, and how this mostly forgotten plumbing can lead to big wins (bug bounty)
- Actionable: Walk away with recon techniques that you can immediately apply for offensive assessments, or bolster your defensive posture by finding your own organization's hidden infrastructure

My A-Z approach will cover techniques from dorking, Shodan/Censys queries, HTTP header analysis, and favicon hashing, demonstrating the immense value (both offensive and defensive) of meticulously hunting these hubs. I'll showcase 4-5 distinct methodologies to effectively find these servers. To aid your hunts, I will also share a custom tool developed for identifying and fingerprinting exposed integration servers.

Pretty Good Pivot: Examining the PGP Key Pair Creation Habits of Dark Net Vendors

On the dark net, reputation is currency and operational security is necessary for long-term survival. Vendors selling hacking tools, stolen data, and cracking services swear by Pretty Good Privacy (PGP) encryption to verify their identity while also protecting correspondence with potential buyers. But what if one of the tools they trust the most is also what eventually gets them burned? Despite years of busts, leaks, and veteran "OPSEC guides", dark net vendors continue to make the same basic mistakes when creating PGP key pairs, mistakes that OSINT investigators can readily exploit. This talk is the result of an investigation into over 700 dark net vendor profiles across ten dark net markets (DNMs) to take a closer look at the PGP key pair creation habits of DNM vendors and will cover:

- An overview of PGP encryption and its value both to dark net vendors as well as OSINT investigators
- Example investigative methodology for analyzing PGP public keys at scale
- Case examples that showcase common mistakes DNM vendors make when creating their PGP key pairs and the potential consequences of doing so

Robin: The Archaeologist of the Dark Web - Because Manual Dark Web OSINT is So Last Season

When exploring the Dark Web for OSINT or CTI investigations, you may be overwhelmed with numerous onion links, questionable marketplaces, and numerous search engines. With time constraints, how do you make sense of all this information and prioritize what truly matters? Enter Robin, an AI-powered Dark Web OSINT tool to streamline your investigations. Robin takes your query, automatically searches across multiple Dark Web search engines, scrapes relevant onion sites, and uses AI to generate clear, actionable investigative summaries. No more juggling five different tools or wasting hours validating dead links. In this talk, I'll walk you through the real pain points of today's Dark Web OSINT tools and show how Robin was built to solve them. I'll cover the architecture, the scraping and summarization pipeline, and how Robin fits into real-world investigation workflows. By the end of this talk, you will have a fresh perspective on Dark Web OSINT, a practical tool to use right away, and insights into how AI can simplify the investigative process.

Modern vehicles have evolved into sophisticated, internet-connected computing platforms with attack surfaces spanning cloud infrastructure, telematics systems, and over-the-air update mechanisms. With the automotive industry generating over $11 billion in cyberattack losses in 2023 alone, security researchers struggle to comprehensively map connected vehicle ecosystems using traditional OSINT methodologies that lack automotive-specific knowledge. This presentation introduces a systematic OSINT methodology designed for automotive threat intelligence, combining conventional reconnaissance techniques with automotive-focused discovery methods to identify exposed automotive APIs, misconfigured cloud infrastructure, vulnerable telematics endpoints, and supply chain weaknesses that standard assessments typically miss. Through live demonstrations using real automotive manufacturer targets, attendees will learn to adapt existing OSINT tools like Shodan, Censys, and certificate transparency logs with automotive-focused data sources to build complete attack surface maps of connected vehicle ecosystems. Participants will gain practical skills for discovering OTA update infrastructure, fleet management systems, and connected vehicle APIs, while learning to transform raw reconnaissance data into actionable automotive threat intelligence that can be immediately applied, whether entering the automotive security space or expanding traditional pentesting expertise into the rapidly growing connected vehicle market.

The OWASP Amass Project has long been a staple in the open-source reconnaissance ecosystem, enabling security researchers, red teamers, and defenders to map attack surfaces through passive and active discovery techniques. Traditionally, tools like Amass have relied on DNS, certificate transparency logs, web scraping, and other data sources to infer the digital footprint of an organization. However, this approach often begins with known domains and struggles to comprehensively uncover the broader infrastructure, especially when initial input is minimal or obfuscated. This talk introduces a major advancement in the Amass discovery model: leveraging legal entity information as a pivot point for infrastructure enumeration. By incorporating corporate legal names, the project now enables users to query the Registration Data Access Protocol (RDAP) for associated IP address ranges directly linked to specific organizations. This evolution allows for a powerful "outside-in" discovery strategy, one that begins with an organization's registered presence in global ICANN records and regional internet registries (RIRs).

We will walk through how this process functions end-to-end within Amass, including:
- How legal entity names are normalized, enriched, and used to perform RDAP queries across multiple registries.
- How this approach facilitates infrastructure discovery even when no initial domain names or IPs are known.
- Ways in which the newly discovered CIDRs and netblocks are fed into the broader Amass enumeration engine for DNS sweeps and passive data correlation.

Importantly, this capability allows researchers to identify internet-connected assets that might otherwise be missed through traditional means, especially helpful for uncovering legacy infrastructure, misconfigured services, and shadow IT. It also helps bypass the inefficiency of wide-scale internet scanning by using authoritative registry data as a precise targeting mechanism. This talk will include practical demonstrations of the feature in action, guidance on using it effectively in both red and blue team workflows, and a look at where the project is heading next, including potential integrations with open corporate registries, LEI databases, and expanded RDAP coverage.

Takeaways for Recon Village Attendees:
- Learn how legal entity metadata can be leveraged to scale reconnaissance beyond domains and WHOIS lookups.
- Gain an understanding of how RDAP reveals registered network ownership and how Amass now uses this for bottom-up discovery.
- See live examples of uncovering unknown IP ranges and infrastructure linked to an organization without scanning the full IPv4 space.
- Understand the implications of this technique for external asset management, third-party risk analysis, and adversarial recon.

By advancing outside-in discovery with deeper legal and registration context, Amass continues to push the boundaries of OSINT tooling, bridging the gap between traditional internet reconnaissance and more strategic, organizationally-aware approaches to mapping the modern attack surface.

As AI accelerates the creation and spread of synthetic media, the disinformation threat landscape is evolving. From deepfaked political speeches to fabricated news sites, the weaponization of AI is eroding public trust in truth itself. This talk explores how OSINT offers a verifiable countermeasure to AI-driven falsehoods to detect, investigate, and debunk AI-generated content in the wild. Whether you're an analyst or simply trying to protect the signal from the noise, this session will equip you to challenge synthetic narratives with verifiable evidence. In the age of artificial deception, OSINT is not just a tool set; it's a digital duty. It takes all of us to verify the truth.

What if you could earn bounties without ever touching the app? This panel explores how top hackers use Recon-First Thinking to silently uncover shadow assets, misconfigured SaaS, and forgotten APIs - all without triggering alerts or waking up firewalls. Less noise. More signal. Bigger payouts.

In today's threat landscape, people are often the weakest link, and attackers are aware of it. From phishing and impersonation to executive targeting and account compromise, adversaries increasingly use open-source intelligence (OSINT) to build detailed profiles of individuals long before launching an attack. This session dives into the evolving art of people-focused reconnaissance, demonstrating how seemingly harmless public data can be weaponized into precise social engineering campaigns, identity spoofing, and credential pivoting.

We'll cover:
- Identity tracing techniques using breach data, professional directories, dark web leaks, and forgotten digital breadcrumbs
- Building detailed social graphs across platforms like LinkedIn, GitHub, Twitter/X, Facebook, and academic/industry conference rosters
- Tools and techniques to identify executive targets, their digital habits, exposed credentials, and behavioral patterns
- Mapping corporate org structures and vendor relationships through public filings, social posts, and collaboration tools
- How to uncover personal infrastructure (GitHub repos, sandbox environments, demo servers) tied to specific developers or architects
- Cross-referencing usernames, email handles, avatars, and metadata to track digital identities across platforms
- Using automation to generate identity maps and behavioral timelines using OSINT scripts and browser automation frameworks

You'll also learn how attackers combine this recon with voice deepfakes, domain typosquatting, and AI-generated emails to execute convincing social engineering attacks, especially against high-value individuals. While this session is grounded in offensive techniques, it's highly actionable for blue teams, threat intel analysts, and enterprise security leaders. We'll walk through real-world case studies where simple recon led to large-scale breaches, compromised business email accounts, and insider attacks.

Takeaways will include:
- A checklist for assessing your organization's exposed human attack surface
- Tools and workflows to replicate attacker tactics in your threat modeling and phishing simulations
- Guidance on proactive identity protection and executive exposure management
- Strategies to anonymize or reduce OSINT footprint without undermining productivity

In an era where people are increasingly the payload, not just the target, understanding how digital identities are discovered, mapped, and exploited is critical to building a truly defensible organization.

Discovering subdomains is an important practical skill and the first step in attack surface management. Solutions that are both comprehensive and fast ("find ALL the subdomains and do it QUICKLY!") are particularly prized. But like much of infosec, easier said than done! Our team won the DEF CON 31 Recon-Aacharva subdomain challenge and our passion for Reconnaissance drove us to go further. A post-hoc review identified an alternative approach that yielded 100 times more raw domains than our original winning submission, and that approach took just a couple of hours. The key? Rather than relying on the open source "subfinder" tool, we used a passive DNS tool that returned only RRnames and RRtypes, along with relatively tight time fencing and parallel query streams. Enumerating subdomains that way is a straightforward task, but there's a catch! The real challenge for accurate enumeration turns out to be excluding DNS wildcards: domains that will resolve any arbitrary hostname, even random gibberish. For example, "aiuojad.tumblr.com" resolves because tumblr.com is a DNS wildcard. Typical DNS wildcards usually arise at the 2nd level, and even some entire TLDs (such as .ph) are wildcarded. What's less well known is that "deep" wildcards also exist further left in the FQDN, or exist only for specific RRtypes. While obscure, deep wildcards are surprisingly prevalent and exploitable for reflective DDoS purposes. While they can be used carefully for legitimate objectives, they can also devolve into abusable nuisances, capable of producing large volumes of cache-defeating response traffic when hit with spoofed/randomized DNS queries. They can even be abused to make it appear that a benign site has CSAM content or supports terrorism, etc., since arbitrary queries for such labels will find their way into the passive DNS record for all to see.

If your site has any deep wildcards, they add an attack surface exposure you may not have been aware of; we recommend reconsidering the need for the wildcards and, if they are truly necessary, carefully monitoring how those names are getting (ab)used. Our presentation demonstrates some methods for efficiently assessing a domain's DNS wildcard status, and suggests a new "standard of care" for routine testing and logging of the wildcard status of ALL (FQDN, RRtype) combinations, much as you might log, geolocate, and port scan IPs you interact with. Join us as we share the technique that yielded more than 100x the number of subdomains we found in our winning entry.