Main conference (15 to 17 April 2026 in Reims, France), including all lunches, coffee breaks, gala dinner. Does not include the optional workshops on April 14th.

Main conference (15 to 17 April 2026 in Reims, France), including all lunches, coffee breaks, gala dinner. Does not include the optional workshops on April 14th.

Only available for law enforcement personnel. Specific checks will be made before payment.

Main conference (15 to 17 April 2026 in Reims, France), including all lunches, coffee breaks, gala dinner. Does not include the optional workshops on April 14th.

Only available for students or people registered as unemployed. Specific checks will be made before payment. Pleae use a student email when registering as a student.

This option allows you to bring a friend or a partner at the gala dinner (Thursday 16th April 2026)

Alessandro Strino

Android malware analysis can be intimidating, especially when samples employ aggressive obfuscation, layered encryption, anti-analysis techniques, and native code to conceal their behavior. This workshop is designed to guide analysts beyond these barriers and into a disciplined, scientific approach to understanding what modern Android malware actually does. Rather than treating obfuscation as a blocker, the workshop focuses on identifying it, understanding its purpose, and actively defeating it. Participants will learn how to recognize common and advanced obfuscation patterns, isolate relevant logic, and reconstruct the overall malware execution flow. The methodology presented combines static reverse engineering with dynamic analysis and runtime instrumentation, reflecting real-world workflows used by professional malware analysts.

A core theme of the workshop is analyst efficiency and automation. Attendees will explore techniques to dynamically resolve encrypted code paths, automatically identify and neutralize encryption routines, and interact with malware at runtime. This includes injecting into the execution flow, patching binaries or memory on the fly, and forcing the execution of specific instructions to extract hidden behavior.

The workshop begins with a custom-built Android application and progressively introduces techniques commonly found in modern Android malware. These techniques are applicable across malware families, including banking trojans, spyware, and more advanced threats, and are not tied to a single campaign or actor. To make the overall learning experience effective, the workshop includes a custom Capture the Flag (CTF) designed specifically for attendees. The challenges mirror real-world analysis scenarios, allowing participants to apply the techniques covered during the sessions immediately.

Max 'Libra' Kersten

Every time you open a malware sample in your favourite analysis tool and you are greeted with hundreds or thousands of functions with unknown names, you know it is time to find shortcuts and automate renaming steps whenever possible. This workshop dives into the recovery of function symbols. The examples in this workshop are all Golang related as the static compilation of Golang binaries serve as excellent examples.

During this four hour workshop, you will dive into two different malware families which were used in the wild by threat actors, and find out how function symbol recovery works and how to apply the theory in practice. You will also learn how to create your own symbol databases, allowing you to use your privately analysed malware as the starting point for further research into the development of those malware families. Additionally, you will better understand how source code and compiled code relate, especially with regards to Golang files.

Note that the taught techniques are applicable for any binary supported by Ghidra. You can reuse the techniques in other tools, albeit with (minor) changes depending on the specifics.

Éric Leblond and Peter Manev

This hands-on workshop provides an in-depth exploration of advanced techniques for maximizing network threat detection using Suricata. Building upon core Suricata capabilities, this session delves into critical areas such as effective utilization of metadata keywords, including MITRE and regular metadata, to enrich detection context.

Participants will learn practical methods for achieving fast Indicator of Compromise (IOC) matching and strategies for managing multiple Suricata versions within diverse environments.

The workshop will also cover leveraging the Suricata Language Server (SLS) for rule development and optimization, including interpreting performance hints and implementing Continuous Integration (CI) for rulesets using SLS in batch mode.

This session is designed for cybersecurity professionals seeking to enhance their Suricata expertise and implement cutting-edge threat detection strategies. Attendees will leave equipped with actionable techniques and practical examples to improve their organization's security posture.