Conference | 15th - 17th April 2026
Conference ticket (regular price)
Main conference (15 to 17 April 2026 in Reims, France), including all lunches, coffee breaks, gala dinner. Does not include the optional workshops on April 14th.

370.00 Included
Law enforcement conference ticket
Main conference (15 to 17 April 2026 in Reims, France), including all lunches, coffee breaks, gala dinner. Does not include the optional workshops on April 14th.

Only available for law enforcement personnel. Specific checks will be made before payment.
230.00 Included
Student / Unemployed conference ticket
Main conference (15 to 17 April 2026 in Reims, France), including all lunches, coffee breaks, gala dinner. Does not include the optional workshops on April 14th.

Only available for students or people registered as unemployed. Specific checks will be made before payment. Please use a student email when registering as a student.
135.00 Included
(Option) Guest at gala dinner
This option allows you to bring a friend or a partner to the gala dinner (Thursday 16th April 2026).
31.00 Included
Workshops | 14th April 2026 (Only accessible for full conference attendees)
All workshops in parallel - Includes lunch and coffee break
WS1 - Advanced Android Malware Analysis: Defeating Obfuscation in the Real World (13h00-18h00)
Alessandro Strino

Android malware analysis can be intimidating, especially when samples employ aggressive obfuscation, layered encryption, anti-analysis techniques, and native code to conceal their behavior. This workshop is designed to guide analysts beyond these barriers and into a disciplined, scientific approach to understanding what modern Android malware actually does. Rather than treating obfuscation as a blocker, the workshop focuses on identifying it, understanding its purpose, and actively defeating it. Participants will learn how to recognize common and advanced obfuscation patterns, isolate relevant logic, and reconstruct the overall malware execution flow. The methodology presented combines static reverse engineering with dynamic analysis and runtime instrumentation, reflecting real-world workflows used by professional malware analysts.

A core theme of the workshop is analyst efficiency and automation. Attendees will explore techniques to dynamically resolve encrypted code paths, automatically identify and neutralize encryption routines, and interact with malware at runtime. This includes injecting into the execution flow, patching binaries or memory on the fly, and forcing the execution of specific instructions to extract hidden behavior.

The workshop begins with a custom-built Android application and progressively introduces techniques commonly found in modern Android malware. These techniques are applicable across malware families, including banking trojans, spyware, and more advanced threats, and are not tied to a single campaign or actor. To make the overall learning experience effective, the workshop includes a custom Capture the Flag (CTF) designed specifically for attendees. The challenges mirror real-world analysis scenarios, allowing participants to apply the techniques covered during the sessions immediately.
85.00 Included
WS2 - Malware symbol recovery with Ghidra using Golang examples (13h30-17h30)
Max 'Libra' Kersten

Every time you open a malware sample in your favourite analysis tool and you are greeted with hundreds or thousands of functions with unknown names, you know it is time to find shortcuts and automate renaming steps whenever possible. This workshop dives into the recovery of function symbols. The examples in this workshop are all Golang-related, as the static compilation of Golang binaries serves as an excellent example.

During this four-hour workshop, you will dive into two different malware families which were used in the wild by threat actors, and find out how function symbol recovery works and how to apply the theory in practice. You will also learn how to create your own symbol databases, allowing you to use your privately analysed malware as the starting point for further research into the development of those malware families. Additionally, you will better understand how source code and compiled code relate, especially with regard to Golang files.

Note that the taught techniques are applicable for any binary supported by Ghidra. You can reuse the techniques in other tools, albeit with (minor) changes depending on the specifics.
75.00 Included
WS3 - Threat detection engineering with Suricata (13h30-17h30)
Éric Leblond and Peter Manev

This hands-on workshop provides an in-depth exploration of advanced techniques for maximizing network threat detection using Suricata. Building upon core Suricata capabilities, this session delves into critical areas such as effective utilization of metadata keywords, including MITRE and regular metadata, to enrich detection context.

Participants will learn practical methods for achieving fast Indicator of Compromise (IOC) matching and strategies for managing multiple Suricata versions within diverse environments.

The workshop will also cover leveraging the Suricata Language Server (SLS) for rule development and optimization, including interpreting performance hints and implementing Continuous Integration (CI) for rulesets using SLS in batch mode.

This session is designed for cybersecurity professionals seeking to enhance their Suricata expertise and implement cutting-edge threat detection strategies. Attendees will leave equipped with actionable techniques and practical examples to improve their organization's security posture.
75.00 Included
WS4 - Inside Apple Silicon: Practical Live Forensics on Modern Macs (13h00-18h00)
Nicolas Collery & Vitaly Kamluk

Apple Silicon Macs introduce a radically different platform for digital investigations. Strong security controls, a closed boot chain, and limited support for external operating systems make traditional forensic workflows impractical. This workshop is designed for practitioners who need working techniques, not just theory, to analyze modern macOS systems in the field.

We start by reviewing core live forensics principles, including software write-blocking, and compare traditional dead-box acquisition with live approaches. Realistic investigation scenarios are discussed, from local device access to remote and cloud-based systems, highlighting when live analysis is the only viable option.

The workshop then focuses on booting strategies. After a brief comparison with PCs and servers, we dive into Apple Silicon-specific boot mechanics: standard boot, recovery mode, and failsafe recovery mode. Participants will learn how Apple’s boot design restricts custom OS loading and how these restrictions impact forensic workflows.

A key part of the workshop explores what methods exist to access Apple Silicon hardware. We explain the chainloading model, installation steps, and practical challenges such as hardware device trees and external boot constraints.

[...]

Requirements:
1. Apple Silicon MacBook (M1 or M2)
2. USB-C flash drive (at least 64GB)
3. USB-C cable and a secondary laptop
85.00 Included