Did you know that Las Vegas was named not for its neon skyline or gambling dens, but for its hidden underground springs? In 1829, scout Rafael Rivera called the valley Las Vegas, meaning “the meadows,” inspired by the lush fields fed by natural springs that once defined this stretch of desert. Before the concrete and casinos, it was a rare oasis in the Mojave, sustained by what lay unseen beneath the surface. Like the springs that once ran quietly beneath the sand, the real security work—the modeling, the hardening, the red teaming—flows under the surface of our digital infrastructure. That parallel makes this city of lights a fitting home for BSides Las Vegas 2025.
BSidesLV returned for its 14th year as an in-person event, this time running three days instead of the traditional two. The event brought together around 3,500 security professionals of all backgrounds and tenures to share their knowledge and learn from one another. There were ten tracks, each acting as its own sub-conference within the event. Keynotes took place in Breaking Ground, while first-time speakers had the opportunity to address a larger audience in the Proving Ground track. I spent most of my time at PasswordsCon, where I had the opportunity to give two talks on the future of Non-Human Identities.
A theme ran through the whole event: we need to improve the resilience of our systems while remembering that security is ultimately about protecting humans. Here are a few highlights from this year's BSides Las Vegas.
Password Entropy as a Hygienic Imperative
In his talk “The Weakest Link,” Mat Saulnier, Staff Program Manager (BHCE) at SpecterOps, deconstructed the illusion of compliance-based security, using real-world password spraying attacks to show how superficial policies fail under active exploitation. By comparing three fictional organizations, "YOLO Corp," "CoolSec," and the deliberately negligent "EvilCats," he demonstrated how attackers gain rapid access using public breach data, automated tools, and simple tactics. The difference in outcomes was striking: YOLO Corp, compliant with PCI and GDPR, suffered an 80% password crack rate, while CoolSec, which required 15-character passphrases in line with NIST guidance, saw less than 1% exposure.
Mat emphasized that traditional practices, such as rotating 7–12 character passwords every 30 to 90 days, offer little resistance to modern cracking tools. Attackers exploit the predictability of human-created passwords, using rulesets (capitalize the first letter, swap in a digit or symbol, append a year) that rapidly compromise even “complex” credentials. Instead, organizations should do what CoolSec did and adopt attacker tactics internally: crack their own hash dumps to find weak and reused credentials, and force a change when one is found. Password policies aligned with NIST SP 800-63B, meaning long passphrases and screening against known-breached passwords rather than composition rules and calendar-driven rotation, not only improve resilience but turn identity hygiene into a continuous process instead of a static configuration.
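To make the "adopt attacker tactics internally" advice concrete, here is a small, self-contained Python audit added for this write-up; it is not code from the talk or from SpecterOps. It runs a rule-based guesser (in the style of hashcat or John rule files) over a constructed hash dump, flags hashes shared between accounts, and screens candidate passwords the way NIST SP 800-63B asks for: a length minimum plus a blocklist of known-cracked passwords, with no composition rules. MD5 stands in for a fast unsalted hash such as NTLM; the accounts, passwords, and word list are invented.

```python
"""Password audit in the attacker's own style.

Added example for this write-up (not from the talk or from SpecterOps):
  1. crack an unsalted hash dump with a small mangling-rule engine,
  2. flag hashes reused across accounts (no cracking needed for that),
  3. screen new passwords NIST SP 800-63B style: length + blocklist only.
"""
import hashlib
from collections import defaultdict
from itertools import product


def fast_hash(password: str) -> str:
    # MD5 stands in for a fast unsalted hash such as NTLM (MD4 over UTF-16LE),
    # which hashlib does not expose reliably. The attack shape is identical.
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed sample dump. A real audit starts from the dump alone; the
# plaintexts appear here only so the example is self-contained.
_PLAINTEXTS = {
    "alice": "Summer2025!",
    "bob": "P@ssw0rd",
    "carol": "Summer2025!",                  # same password as alice
    "dave": "correct horse battery staple",  # 28-char passphrase
    "erin": "Welcome1",
}
SAMPLE_DUMP = {user: fast_hash(pw) for user, pw in _PLAINTEXTS.items()}

# Invented seed words; a real run would use a breach corpus plus company terms.
BASE_WORDS = ["password", "summer", "winter", "welcome", "company"]


def mangle(word: str):
    """Yield candidates: case variants, leet swaps, year/symbol suffixes."""
    cases = {word, word.capitalize(), word.upper()}
    leets = set()
    for w in cases:
        leets.add(w)
        leets.add(w.replace("a", "@"))
        leets.add(w.replace("o", "0"))
        leets.add(w.replace("a", "@").replace("o", "0"))
    suffixes = [""] + [str(y) for y in range(2020, 2026)] + ["1", "!", "123"]
    for w, s in product(leets, suffixes):
        yield w + s
        if s.isdigit():
            yield w + s + "!"


def find_reused_hashes(dump):
    """Accounts that share a hash share a password; report them directly."""
    by_hash = defaultdict(list)
    for user, h in dump.items():
        by_hash[h].append(user)
    return {h: sorted(users) for h, users in by_hash.items() if len(users) > 1}


def crack(dump, base_words=BASE_WORDS):
    """Rule-based dictionary attack; returns {user: recovered_password}."""
    lookup = defaultdict(list)
    for user, h in dump.items():
        lookup[h].append(user)
    recovered = {}
    for word in base_words:
        for candidate in mangle(word):
            for user in lookup.get(fast_hash(candidate), []):
                recovered[user] = candidate
    return recovered


def check_policy(password, blocklist, min_length=15):
    """800-63B style screening: length and blocklist, no composition rules."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in blocklist:
        problems.append("appears in breached/cracked password list")
    return problems


def audit(dump=SAMPLE_DUMP):
    recovered = crack(dump)
    return {
        "recovered": recovered,
        "reused": find_reused_hashes(dump),
        "crack_rate": len(recovered) / len(dump),
    }


if __name__ == "__main__":
    result = audit()
    for user, pw in sorted(result["recovered"].items()):
        print(f"cracked {user}: {pw}")
    for h, users in result["reused"].items():
        print(f"hash {h[:8]}... shared by {', '.join(users)}")
    print(f"crack rate: {result['crack_rate']:.0%}")
    blocklist = {pw.lower() for pw in result["recovered"].values()}
    for pw in ["Summer2025!", "correct horse battery staple"]:
        print(pw, "->", check_policy(pw, blocklist) or "ok")
```

Four of the five constructed accounts fall to a handful of rules, only the passphrase survives, and the reuse check catches alice and carol before a single guess is made. Feeding the recovered passwords back into the blocklist is the loop the talk describes: the audit output becomes tomorrow's screening list.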
The session concluded with a broader question of whether we are designing defenses to appease auditors or to frustrate adversaries. It is clear which one we should be doing.
Cybercrime Culture & Redemption as Community Risk
In her talk "The Scene is Dead," Allison Nixon, Chief Research Officer at Unit 221B, painted a darker picture of cultural risk. The myth of the misunderstood, principled hacker has given way to a more chaotic and often predatory reality. The pandemic cracked open the gates to online communities that romanticize cybercrime while embracing violence and coercion. With Tactics, Techniques, and Procedures (TTPs) lifted straight from research papers, headlines, and training programs, young people, many of them studying cybersecurity, are weaponizing what they’ve learned not to build, but to exploit. Sextortion, doxxing, and fraud have become social activities in some online spaces, and the lines between hacker, researcher, and criminal are more blurred than ever, especially to the young.
Allison's message wasn’t just shock and despair; it was a call to act. There are off-ramps we can build if we commit to doing so with purpose. Jobs, bug bounties, community mentorship, and even targeted intervention can reroute potential talent before it calcifies into harm. The industry needs to stop defaulting to blind optimism or punitive exclusion and start treating this as a pipeline problem.
Allison reminded us that while some offenders are beyond reach, many aren’t, and there is still hope. If we don’t create structures to guide and protect the next generation, we’ll be left reacting to threats we could have helped prevent. Cultural change, built by humans working with other humans and not just by technical controls, is a security imperative.
Resilience Beyond Patches: Vulnerability as Systemic Fragility
In her talk "Vulnerabilities Beyond CVEs: Cyber Resilience and the Next Financial Crisis," Stacey Schreft, Senior Research Scholar at the Center for Financial Policy, University of Maryland, argued that our conventional understanding of vulnerabilities, as discrete CVEs to be patched, is dangerously incomplete. She made the case that the real fragility in modern IT lies in the structure itself: heavy use of automation, outsourcing, and consolidated service providers creates leveraged dependencies, much as financial markets did before the 2008 crash. Just as debt-fueled leverage amplified losses in finance, Stacey showed how automation without oversight magnifies risk in cybersecurity.
Liquidity, in financial terms, is the ability to absorb shocks by quickly converting assets to cash. In tech, it shows up as staffing, expertise, and continuity capacity, things many organizations assume will be available until they aren’t. She highlighted examples like Colonial Pipeline and Equifax, where small missteps escalated because of thin operational buffers, underfunded teams, and over-reliance on automated scanning. These gaps are structural, and when a crisis hits they turn minor vulnerabilities into full-blown operational disruptions.
Stacey mapped the concept of systemic linkages from finance to cybersecurity, where the interconnected nature of digital supply chains introduces hidden risk. From SolarWinds to MOVEit, the pattern is consistent: a single compromise ripples outward, driven by trust assumptions embedded deep within vendor relationships. From a leadership perspective, short-term focus, poor cyber literacy at the board level, and unclear lines of risk ownership create blind spots.
She ended by urging security leaders to think beyond patching and to develop living, stress-tested resilience strategies that account for leverage, liquidity, linkages, and leadership. CVEs still matter, she reminded us, but structural vulnerability determines whether your systems bend or break.
Black Swans, Passwordless Futures, and AI’s Triage Tensions
The session from Dave Lewis, Global Advisory CISO at 1Password, entitled "Lessons from Black Swan Events and Building Anti-Fragile Cybersecurity Systems," challenged the industry’s habit of reacting to breaches with postmortems instead of redesign. Drawing on Nassim Nicholas Taleb's book "The Black Swan: The Impact of the Highly Improbable," he warned that major incidents often stem from predictable oversights: default credentials, unmanaged devices, forgotten admin accounts. These small issues become catastrophic when there is no structural readiness for the attack that eventually comes. Whether it’s a misconfigured router connecting to a third party or a root account still tied to someone who died five years ago, the common thread is fragility. Systems built for compliance rather than resilience keep failing under stress because they were never designed to adapt when, not if, things go wrong.
To counter this, Dave advocated proactive design principles that make systems stronger under pressure. Zero Trust, continuous authentication, FIDO2 adoption, microsegmentation, and breach simulations are not just technical upgrades; they are a philosophical shift toward resilience engineering.
Importantly, he reminded us that innovation often bypasses official IT because of speed and usability gaps, introducing hidden risk. True resilience includes mapping those informal systems, building response capacity, and cultivating “tenth person” thinking: at least one in ten people should be challenging the group on what could go wrong with any plan. Someone should always be tasked with imagining what will break next. As threats evolve, resilience is not just about bouncing back, but about learning forward.
Guardrails, Not Gut Checks
In his entertaining yet thoughtful talk, "Risk it for the Biscuit: Crunching the Numbers on Cyber Threats," Sean Juroviesky, Senior Security Engineer at SoundCloud, emphasized that security isn’t theoretical, it’s operational. Citing figures that put 68% of breaches down to users simply doing their jobs, and 99% of account compromises as preventable with multifactor authentication (MFA), he argued that the gap isn’t in threat awareness; it’s in execution. Without visibility, context, and commitment, controls like MFA remain optional lines of defense instead of foundational safeguards. From the Midnight Blizzard password spray against a legacy Microsoft test account that lacked MFA to Ticketmaster’s overlooked third-party database, Sean showed that the story is the same: risk doesn’t reside in isolated events. It lives in our collective failure to connect what we build with how it can break.
This talk stitched together every theme from the week: credential hygiene, fragile infrastructure, cultural blind spots, and systems unready for stress. Sean’s push for structured threat modeling isn’t just a checklist; it's a call to embed resilience into the way we map systems, assign ownership, and accept risk. Knowing where your trust boundaries are, who owns which failure, and how your business operates under pressure is no longer optional.
As every other session at BSidesLV echoed, resilience isn’t about avoiding failure. It’s about preparing, documenting, testing, and doing the hard, often thankless work of making sure we don’t leave our strongest defenses sitting idle while our weakest links stay exposed.
Cyber Resilience Takes People Working Together
One of the overarching messages echoed throughout BSidesLV 2025 was the fact that cyber resilience isn’t a product or feature. It’s a posture, shaped by identity hygiene, organizational culture, systemic design, and our readiness for the unpredictable.
From Brittle To Adaptive
Brittle systems appear strong until they fail. Password complexity rules, for example, may satisfy auditors, but they don't deter real attackers. The fictional YOLO Corp’s breach was a case study in policy without posture. In contrast, CoolSec’s strategy, 15-character passphrases, live cracking tests against its own hashes, and forced changes for credentials that failed those tests, showed what adaptive defense looks like in practice. Likewise, limiting vulnerability management to known CVEs ignores deeper fragilities: supply chain complexity, staffing gaps, and automation that has outpaced oversight. True resilience requires layered planning, redundancy, shared vendor accountability, and constant stress testing.
Humans As Attack Surface And As Defense
Allison Nixon pushed us to see human behavior as both a threat vector and an opportunity. The post-pandemic rise in malicious cyber behavior among young people isn’t just a law enforcement issue; it is a failure of education, mentorship, and cultural awareness. Offering pathways to rehabilitation and integrating ethical talent can be both morally right and tactically smart. Ignoring this is more than a missed chance to recruit the next generation; it is negligence on the part of our community.
Resilience Is Designed, Not Declared
Resilience isn’t built with checklists or insurance; it’s cultivated through architecture. Systems that improve under stress, through microsegmentation, Zero Trust Architecture (ZTA), and tabletop exercises, aren’t just hardened, they’re living systems that anticipate chaos. Passwordless authentication, dynamic access, and disaster-ready thinking create antifragile defenses that learn, adapt, and grow stronger when tested.
Posture Over Policy
This isn’t about having the right tools, though tools have a role to play. Building resilient systems means weaving processes, teams, and tools into a coherent, responsive whole. When properly integrated and tested, technology like password managers, MFA, patching, and red team exercises forms the backbone of a real security posture. Your identity policies, breach response plans, supply chain trust, and internal accountability must work as a complete system.
Ultimately, trust isn’t something just promised by vendors. Trust must be earned by showing how your organization performs under pressure. Stress-tested systems, cross-functional drills, and a security culture that expects the unexpected are the new trust anchors. We don’t build resilience by hoping for fewer breaches; we build it by preparing to break better.
Betting On Community For A Better Future
BSidesLV 2025 reminded us that cybersecurity isn't about silver bullets. Security is about shared effort, accountability, and the hard, often invisible work of making systems stronger together. Whether the focus was on password hygiene, systemic fragility, cultural risk, or incident response, the message was consistent: resilience is not something we buy, it’s something we build. It takes collaboration, a realistic view of our systems, and a willingness to learn from failure. The most effective controls aren’t just technical, they are human-centric, grounded in empathy, trust, and collective ownership of risk.
The spirit of BSidesLV has always been about more than talks and tools; it’s about the people behind them. In the same way Las Vegas began as a hidden oasis beneath a harsh desert, this community thrives on the quiet, consistent efforts beneath the surface in the form of mentorship, free exchange of ideas through public dialogue, open-source tools, and sharing what we learn. Looking ahead, the path to a more secure future won’t be walked alone. It will be shaped by this community, by these conversations, and by a commitment to prepare, not just for what we know, but for what we can’t yet see.
