You’re not secure by design, if you’re not memory safe!

What if 70% of all vulnerabilities in the critical infrastructure of tomorrow could be prevented with one simple decision? Memory safety is not just an implementation detail that only engineers should talk about; it is a crucial requirement for building software that is safer and more secure by design. In this talk, we’ll explore what […]

Security Through Trust Not Control: Europe’s Battle Plan

Europe is at war with its own digital legacy. Having pioneered data protection in 1995 and redefined global privacy standards with GDPR in 2016, the EU now risks undermining its achievements through increasingly absolutist regulatory proposals. The 2025 ProtectEU strategy aims to mandate encryption backdoors, France is pushing mandatory 72-hour data decryption for narcotrafficking investigations, […]

Bucket Leaks: From Exposure to Cloud Takeover

With the growing reliance on cloud services for storage and deployment, securing cloud environments has become critically important. Cloud storage solutions like AWS S3, Google Cloud Storage, and Azure Blob Storage are widely used to store vast amounts of data, including sensitive configuration files used in software development. These files often contain secrets such as […]
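The abstract above stops at "secrets such as", so the following is an added illustration, not material from the talk or its speakers: a small Python triage routine for the "exposure" half of the story. It classifies the response to an unauthenticated ListObjectsV2 request (S3 answers a public listing with 200 and a `ListBucketResult` body, a non-listable but existing bucket with 403, and a missing bucket with 404 `NoSuchBucket`), parses the listing, flags object keys that look like deployment configuration, and scans one such file for credential patterns. The bucket name, object keys and file contents are constructed sample data; the access-key values are the placeholders from AWS's own documentation, not real credentials.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the body an unauthenticated GET on
# https://<bucket>.s3.amazonaws.com/?list-type=2 returns when the bucket
# policy grants s3:ListBucket to everyone. Bucket name and keys are made up.
SAMPLE_LISTING = """<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-deploy-artifacts</Name>
  <KeyCount>4</KeyCount>
  <Contents><Key>static/logo.png</Key><Size>5120</Size></Contents>
  <Contents><Key>backend/.env.production</Key><Size>412</Size></Contents>
  <Contents><Key>infra/terraform.tfstate</Key><Size>80213</Size></Contents>
  <Contents><Key>ci/deploy-config.yaml</Key><Size>900</Size></Contents>
</ListBucketResult>"""

# Constructed sample content of the leaked .env file. The AWS key pair is the
# documented AWS example pair (AKIAIOSFODNN7EXAMPLE / wJalr...EXAMPLEKEY).
SAMPLE_ENV_FILE = """DB_HOST=db.internal.example
DB_PASSWORD=hunter2-but-longer
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

S3_NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}

# Object-key shapes that usually hold deployment configuration or state.
SENSITIVE_KEY_PATTERNS = [
    re.compile(r"(^|/)\.env(\..*)?$"),                       # .env, .env.production
    re.compile(r"\.tfstate$"),                                # Terraform state (often has secrets)
    re.compile(r"(^|/)[^/]*config[^/]*\.(ya?ml|json|xml|ini)$", re.I),
    re.compile(r"\.(pem|key|p12|pfx)$", re.I),                # private key material
]

# Credential patterns to look for inside a retrieved file, keyed by label.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "generic_password": re.compile(
        r"(?i)\b[A-Z_]*(password|passwd|pwd)\b\s*[=:]\s*['\"]?([^\s'\"]+)"),
}


def classify_response(status: int, body: str) -> str:
    """Map an unauthenticated ListObjectsV2 response to an exposure verdict."""
    if status == 200 and "<ListBucketResult" in body:
        return "public-listing"
    if status == 403:
        return "exists-not-listable"
    if status == 404 and "NoSuchBucket" in body:
        return "no-such-bucket"
    return "unknown"


def parse_listing(xml_text: str) -> list:
    """Return every object key in a ListBucketResult document, in order."""
    root = ET.fromstring(xml_text)
    return [el.text for el in root.findall("s3:Contents/s3:Key", S3_NS)]


def flag_sensitive_keys(keys: list) -> list:
    """Keep only keys whose name suggests configuration, state or key material."""
    return [k for k in keys if any(p.search(k) for p in SENSITIVE_KEY_PATTERNS)]


def find_secrets(text: str) -> list:
    """Return (line_number, label) for each line matching a credential pattern.

    Only the line number and label are reported, so the output of a scan can
    be shared without re-leaking the secret itself.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for label, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((line_no, label))
    return findings


if __name__ == "__main__":
    verdict = classify_response(200, SAMPLE_LISTING)
    print("bucket:", verdict)
    keys = parse_listing(SAMPLE_LISTING)
    for key in flag_sensitive_keys(keys):
        print("sensitive object:", key)
    # In a real run the flagged object would be fetched with a plain GET;
    # here the constructed .env content stands in for that download.
    for line_no, label in find_secrets(SAMPLE_ENV_FILE):
        print(f"  line {line_no}: {label}")
```

The split into listing, key triage and content scanning mirrors the order an attacker works in: a public listing is the cheap first signal, key names decide what is worth downloading, and only then does the file content matter. Running the content scanner against your own buckets before deployment catches the same files an attacker would find first.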

It only takes a beer coaster to measure cyber resilience

It only takes a beer coaster to measure your cyber resilience. By comparing your organization with four levels of maturity characteristics in three different themes (people, processes and technology), printed on the back side of a beer coaster, you can get a general idea of your maturity and corresponding cyber resilience.

SaaSified Crime: From AiTM to Banking Fraud

Adversary-in-the-Middle (AiTM) phishing attacks have evolved from niche exploits to scalable, SaaS-based crime tools. By bypassing MFA, these services enable attackers to gain access with minimal effort. Now, Dutch cybercriminals are mimicking this model: packaging banking fraud kits as subscription-based services. This talk highlights how the professionalization of phishing is lowering the barrier to entry […]

Scanning the Dutch Healthcare’s External Attack Surface

What are the riskiest technologies used in the Dutch healthcare sector? Do people still expose RDP? Is Dutch healthcare data processed inside the European Union? Z-CERT regularly scans many IPs and domains in use by the Dutch healthcare sector. In this talk, we will share insights from performing External Attack Surface Management (EASM) on hundreds […]

Elevate Your API Testing Game: WuppieFuzz in Action

Many businesses depend on communication between digital services, and well-specified application programming interfaces (APIs) are used to facilitate this. Because these APIs form a point of entry to critical applications, they are an attractive target for malicious actors, so thorough testing of them is desirable. With the growing number of APIs available for […]

Hyperconnected Supply Chains: Attacking Cyber Resilience

Cyber resilience is under attack. As global supply chains become increasingly hyperconnected, the convergence of Operational Technology (OT), IT, AI, and Industrial IoT (IIoT) is exposing new vulnerabilities. The Netherlands, a key hub for maritime logistics, energy, and critical infrastructure, is at the centre of these risks, facing a growing wave of cyber threats—from state-sponsored […]

DORA TLPT: Strengthening financial cyber resilience

The Digital Operational Resilience Act (DORA), which applies from January 17, 2025, requires in-scope financial entities in the European Union to conduct Threat-Led Penetration Testing (TLPT) to enhance their cyber resilience. TLPT simulates realistic cyber attacks based on the TIBER-EU framework, aiming to identify vulnerabilities and improve the institution’s detection and […]

Anyone Can Launch a DDoS: Gorilla botnet & DDoS-for-Hire

DDoS-for-hire services have plagued the Internet for years, and recently the “Gorilla botnet” gained notoriety for performing a large number of high-profile DDoS attacks, some of which were targeted at large Dutch organizations. In this talk we share insights from our ongoing investigations into DDoS-for-hire networks at the Delft University of Technology (TU Delft), and […]