Chicago’s Irish American Heritage Center stands as a testament to the enduring spirit of community and resilience. Housed in a renovated early 20th-century building in the Mayfair neighborhood, this cultural hub has celebrated Irish and Irish American heritage through music, dance, literature, and art since 1985. Its transformation from a former public school into a vibrant center was made possible by the dedication of volunteers and community members, reflecting the collective effort to preserve cultural identity. This made it the perfect backdrop for hosting an event where members of another community came together to celebrate what unites us all in security at BSides312.
Hosting this newer BSides within these walls was more than symbolic; it was a convergence of tradition and innovation. Over 260 security professionals gathered amidst Celtic murals and the artifacts of traditional Irish music for two full talk tracks, multiple villages, and a MUD-themed CTF.
Here are just a few highlights from this amazing event, which was the b-side for THOTCON 2025.
Security Isn’t a Solo Mission
In the keynote "When the Night Has Come: Finding Belonging in a World That Doesn't Understand Us," Steve Shelton, CEO of Green Shoe Consulting, reminded us that hacking is fundamentally a human endeavor. And humans need to take care of themselves, Steve told us all through his session on neurodivergence, burnout, and the myth of the lone genius in security. The idea that any of us can handle the pressures of threat modeling, red teaming, or being on-call 24/7 for incident response alone is not just false, it's dangerous to your mental health.
The stories he shared, of friends who burned out in silence and ones who reached out for help, are all too familiar. The narrative that vulnerability is weakness runs deep in our industry, but as Steve said, “This tribe is not about conformity, it is about connection.” Our community, from hoodie-clad hackers to hoodie-optional CISOs, is built on resilience. But resilience is not stoicism. It's architecture: social, emotional, and operational.
This talk wasn’t a detour from security. It was a class in designing sustainable teams. In every IR runbook, in every SOC alert escalation, in every DevSecOps handoff, the connective tissue isn’t tools, it’s trust. Security leadership that fails to recognize that is flying blind.
Identity Is At The Heart Of Attacks
In "Misconfiguration-Driven Cloud Attacks: A Graph-Based Exploration," Filipi Pires, Head of Identity Threat Labs at Segura, walked us through misconfiguration-driven cloud attacks, reminding us that the next wave of attacks is converging on identity-based breaches. Pires walked through graph-based IAM visualizations that show how a single misconfigured attachUserPolicy or overly permissive allow * statement can ripple into privilege escalation across an entire organization.
Filipi said we’ve seen adversaries traverse cloud environments not through zero-days, but through forgotten service accounts, stale role bindings, and group-wide permissions nobody reviewed. In every one of those cases, the machines did exactly what they were told.
He underscored that without team-level awareness and cross-team conversations about identity hygiene and privilege boundaries, your misconfigured permissions are a disaster waiting to happen. This is where operational control meets operational empathy. Who created that policy? Who maintains it? Who reviews it? Not knowing means you need to tackle this risk as soon as possible.
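To make the graph idea concrete, here is a small policy audit written for this recap (an added example, not code from the talk or from any tool shown there). It walks constructed IAM-style policies as a graph and reports every user whose permissions chain to iam:AttachUserPolicy on itself; the principal names are invented, and Deny statements, conditions and role trust policies are deliberately ignored.

```python
import fnmatch
from collections import deque

# Constructed sample data: principal -> Allow statements (short names, not real ARNs).
POLICIES = {
    "user/ci-deployer": [{"Effect": "Allow", "Action": ["sts:AssumeRole"],
                          "Resource": ["role/ops-automation"]}],
    "role/ops-automation": [{"Effect": "Allow", "Action": ["iam:AttachUserPolicy"],
                             "Resource": ["*"]}],
    "user/legacy-svc": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    "user/analyst": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                      "Resource": ["bucket/reports/*"]}],
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def allows(statements, action, resource):
    """True if any Allow statement matches; action names compare case-insensitively."""
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        act = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in as_list(st["Action"]))
        res = any(fnmatch.fnmatchcase(resource, r) for r in as_list(st["Resource"]))
        if act and res:
            return True
    return False

def escalation_path(user, policies):
    """Breadth-first walk over AssumeRole edges; return the shortest chain of
    principals through which `user` can attach a policy to itself, else None."""
    queue, seen = deque([[user]]), {user}
    while queue:
        path = queue.popleft()
        stmts = policies.get(path[-1], [])
        if allows(stmts, "iam:AttachUserPolicy", user):
            return path
        for nxt in policies:
            if nxt.startswith("role/") and nxt not in seen and allows(stmts, "sts:AssumeRole", nxt):
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def audit(policies):
    """Map each user that can change its own attached policies to the chain that allows it."""
    return {u: p for u in sorted(policies)
            if u.startswith("user/") and (p := escalation_path(u, policies))}

if __name__ == "__main__":
    for user, path in audit(POLICIES).items():
        print(user, "->", " -> ".join(path[1:]) or "(direct)")
```

The two-hop finding for user/ci-deployer is the kind of result a per-policy review misses, because neither statement looks dangerous on its own.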
The Mindset of the Active Defender
In her talk, “Defending Beyond Defense,” Dr. Catherine J. Ullman, Principal Security Technology Architect at The University at Buffalo, pushed the attendees to abandon the passive posture many security teams still default to. Firewalls, AV, and EDR aren't enough, not because they might ultimately fail or are defeatable, but because they cannot adapt quickly enough to the creativity of attackers.
Instead, she called for a more offensive mindset: not red teaming per se, but red empathy. Understanding how attackers think. Moving beyond the kill chain into continuous detection, graph-based attack mapping, and adversary simulation. Defenders must become curious, experimental, and willing to engage in cognitive hacking.
This is the community’s next frontier. Not everyone needs to be a BloodHound ninja or a malware developer. But every security team needs to cultivate threat modeling as a lived practice, not a checkbox. We must hire for it, train for it, and, crucially, give each other permission to learn it out loud, without shame.
Belonging As Security Architecture
Throughout all the sessions at BSides312, there was a throughline that security cannot scale without humans connecting to other humans.
We’ve spent decades building architectures of resilience for our systems, but almost none for our people. We harden endpoints, but are willing to leave teams brittle. We rotate credentials, but let burnout linger unspoken all too often. We monitor lateral movement in networks but tend to ignore its human analog in toxic organizations or siloed communications.
If there was a call to action unspoken, it was that it’s time we admit what we’ve known deep down: community is an operational control. And in an era of generative AI, machine identity explosion, and adversaries leveraging everything from deepfakes to supply chain manipulation, it’s probably our most critical one.
Privilege Delegation Risk Is A Human Problem
Technical privilege escalation often begins with a human failing. It means someone didn’t ask who else had access or didn’t document a decision. Someone assumed the IAM policy was inherited safely.
If the culture penalizes questions, you get more misconfigurations. If onboarding skips context, you get more overprivileged credentials. Every dangling service account, every Allow * policy, every silent failure of least privilege is ultimately a human breakdown, not a YAML one.
Communication Hygiene Is Security Hygiene
Security leaders must internalize that communication is a form of hygiene. Like patching or rotating secrets, maintaining trust through consistent, honest communication is what allows risk signals to propagate and land correctly.
When pentesters go quiet, the client loses trust. When DevOps teams feel ambushed, they get defensive. When feedback loops die, security suffers. This is not merely a “soft skill.” This is incident prevention, and it is at the heart of improving security.
Psychological Safety Improves Threat Modeling
To threat model effectively, teams must be able to admit what they don’t know, what they’re afraid of, and what they’ve messed up. That’s impossible in fear-driven cultures. It’s only possible when people believe that being wrong won’t get them punished, and being vulnerable won’t get them mocked.
So yes, build your graphs. Run your red teaming tools and attack your own infrastructure. But also, check in on your people. Are they burned out? Do they feel safe flagging a risky config? Can they say, “I don’t know what that policy does”?
Security culture is not about who can yell “risk” the loudest. It’s about who listens.
Be Human First
Walking out of BSides312, it was impossible not to reflect on the security teams that quietly carry so much of the operational risk burden across our industry. We triage every misconfiguration, every IAM oddity, every shadow deployment. But who triages the defenders?
Steve's message from the opening keynote echoed in every hallway: You are enough. But maybe more importantly: You are not alone.
Building on this theme, your author was there to give a talk on Non-Human Identities and how we need to better communicate risks with our developers. Everyone deploying code is human, and we need to keep this in mind always. We build zero-trust architectures, and then trust our people too little. We implement defense-in-depth, and then isolate the humans at the center. The next evolution of security maturity isn’t more automation, more dashboards, or more scans. It’s more connection. It’s better conversations. It’s a culture of care.
Let’s build that system together. If you are not already a member of your local security community, or an online one, we at GitGuardian encourage you to find your tribe. You might even see us there.
