It is an annual, community-driven information security conference held in Prague. The event provides a platform for cybersecurity professionals, enthusiasts, and researchers to share knowledge, exchange ideas, and discuss the latest trends in the field. It’s a unique opportunity to connect with like-minded individuals, expand professional networks, and stay informed about the ever-evolving cybersecurity landscape.
More info at www.bsidesprg.cz

Wednesday, April 22
 

09:00 CEST

Digital Forensics on MacOS - Analyzing current Threats
As macOS gains traction in enterprises, so do attacks. This workshop equips participants with the skills to perform effective macOS forensic analysis, uncovering and understanding modern threats to strengthen enterprise defences.

The goal of this workshop is to equip participants with the essential knowledge and practical skills needed to perform forensic analysis of macOS systems in the context of modern threats. Although macOS devices still represent a smaller share of enterprise environments compared to Windows, they are increasingly targeted by threat actors. As a result, macOS security and forensic analysis remain less mature and underrepresented in many organisations’ defensive strategies. Recent industry reports — including findings from Red Canary showing a 400% increase in macOS-related threats between 2023 and 2024 [1] — highlight the urgent need for improved visibility and expertise in this area.

This workshop will guide participants through the fundamental steps of conducting macOS forensic investigations, including:

  • Creating logical and triage images of macOS devices
  • Identifying and interpreting key system artefacts
  • Investigating artefacts for evidence of threat actor activity
  • Utilising common forensic tools to support analysis
  • Understanding the evolving macOS threat landscape

By the end of this workshop, participants will be able to independently conduct forensic investigations on macOS systems and will receive additional resources to support continued learning and future casework.

[1] https://redcanary.com/threat-detection-report/trends/mac-malware/

Since the core of this workshop involves hands-on forensic analysis of a compromised macOS system, each participant is required to bring a laptop. As the provided forensic data is designed for macOS, a MacBook is preferred for the exercises.
For those who do not have access to a MacBook, suitable alternatives will be made available, accessible from any operating system. Participants should have a basic understanding of cybersecurity concepts, though prior experience with macOS internals or forensic analysis is not required. The workshop is designed to build these skills through guided, practical exercises.


Speakers

Evgen Blohm

Incident Responder, InfoGuard AG


Wednesday April 22, 2026 09:00 - 12:00 CEST
Novotel - WR1 Kateřinská 38, Nové Město, 120 00 Praha-Praha 2, Czechia

09:00 CEST

Unveiling the Obscurity: Decrypting Agent-Server Communications
Decrypting agent–server communications is not a subject that can be easily researched (limited information available). Either you find corner cases debugging a binary or quite simple examples using Burp. This workshop covers them all and opens new topics that might be expanded in the future.

Description
Usually, as a pentester or a defender, when it comes to agent-server communications, we always struggle to intercept the data shared between peers. Sometimes, vendors include MITM support or provide an option to disable encryption. However, this is not as common as one might expect. Security by obscurity is still a thing and cannot be easily defeated. Nevertheless, as pentesters, finding workarounds is our job — and that’s the goal of this workshop.

During the workshop, attendees will:

  • Get a clear overview of the different encryption mechanisms used in the wild (HTTP, HTTPS, TCP, TLS over TCP, mutual TLS).
  • Learn how to circumvent each of them based on the characteristics of the binary and the protocols used:
      • Is the binary using HTTP or TCP?
      • Is it a compiled Golang binary?
      • Can we use our own self-signed certificate?
      • If not, do we have access to the legitimate CA?
  • Use Frida to dig deeper into more complex situations like mutual TLS.
  • Learn by practicing with custom binaries per protocol.
  • Obtain a mindmap for each scenario to speed up their tests - Intercept fast, test faster!
  • Apply this mindmap for facing a real world tool like Sliver (C2 framework).

If time permits, an extra binary will be launched at the end of the workshop as a miniCTF challenge.

Note: Slides and binaries used during the workshop will be available on GitHub.
Speakers

Jorge Escabias

Security Engineer
I'm Jorge, a pentester at NATO Communications and Information Agency. I'm from Spain, but I live in Belgium. I studied Mathematics but I hold a Master’s in Cybersecurity (a bit random, I know). My professional career has always been tied to pentesting and presenting my research...
Wednesday April 22, 2026 09:00 - 12:00 CEST
Novotel - WR2 Kateřinská 38, Nové Město, 120 00 Praha-Praha 2, Czechia

12:00 CEST

Lunch Break
Description
Enjoy the Lunch Break as an opportunity to step out, recharge, and grab something good to eat at one of the many nearby restaurants and cafés. Please note that lunch is not provided by the conference, so we encourage you to explore the local options around the venue. You can find a curated list of recommended restaurants in your attendee booklet, making it easy to choose a spot that fits your taste and schedule. Use this time not only to refuel, but also to continue conversations with fellow attendees before the afternoon sessions begin.
Wednesday April 22, 2026 12:00 - 13:00 CEST
Novotel Praha Wenceslas Square Kateřinská 38, Nové Město, 120 00 Praha-Praha 2, Czechia

13:00 CEST

Beyond the Web: Exploration of Windows Userland Weaknesses
Internet is big and scary. Let’s ignore all the remote web apps for a while and stay cozy and warm on our localhost. Attack surface of Windows apps is also interesting!


What we’ll look into?

  • OS Interaction Technologies: protocol handlers, COM/DCOM, named pipes, MSRPC, NTLM, handles, …
  • Userland OS Weaknesses: ACLs, MSI, filesystem, TOCTOU, junctions
  • 3 practical exercises on premade lab VMs: protocol handlers, COM and named pipes


After the workshop you should have a basic idea of where to poke for cracks in the attack surface of Windows apps and where to look for more information. We won’t have time to fully dive deep, but this approach lets us cover more ground and give you references to tear down the curtain hiding the details at your own pace. Who knows - maybe you’ll secure your code against attack surfaces you hadn’t considered or even get your own CVE-2026!


Requirements: laptop with RDP client, ability to write and understand code, basic knowledge of Windows OS (e.g., difference between EXE/DLL, the concept of a process)

Speakers

malacupa

red teamer, former pentester, former web dev. 8 years in sec
i like cool vulnerabilities
Wednesday April 22, 2026 13:00 - 17:00 CEST
Novotel - WR1 Kateřinská 38, Nové Město, 120 00 Praha-Praha 2, Czechia

13:00 CEST

Practical Threat Modeling: from vague worries to an actionable backlog
No more drowning in checklists! Change “we should probably be more secure” into an actual, risk-prioritized engineering backlog. In this hands-on workshop you’ll learn to threat model systems using STRIDE + data-flow diagrams. You'll leave with a repeatable approach you can drop into product work.


What we’ll do
Working in small groups, we’ll threat model a software system end-to-end:
  • sketch a data-flow diagram (DFD) and identify trust boundaries
  • apply STRIDE to systematically enumerate threats
  • prioritize threats by risk, focusing on what matters most
  • turn results into a well-scoped mitigation backlog
  • identify reusable security patterns you can apply elsewhere

What you’ll learn / take home
  • A repeatable workflow for running a threat modeling session with your team
  • How to spend more effort on high-impact risks (and less on low-value busywork) without losing the plot with auditors
  • A set of “next actions” you can implement immediately: mitigations, logging/monitoring hooks, and design changes expressed as backlog items

Who it’s for
  • Developers/engineers who own services in production
  • Security champions embedded in product teams
  • Architects / tech leads responsible for system design

Prerequisites & logistics
No special tools required: bring either pen and paper for diagrams or a laptop with a lightweight drawing tool. Basic familiarity with software architecture helps, but you don’t need prior threat modeling experience.






Speakers
Wednesday April 22, 2026 13:00 - 17:00 CEST
Novotel - WR2 Kateřinská 38, Nové Město, 120 00 Praha-Praha 2, Czechia
 