BSides DSM 2026

Meet our inspiring speakers sharing insights at the BSides DSM conference on June 13th, 2026.

Speaker Gallery

Explore our speakers' insights and expertise for BSides DSM 2025! Please see the Schedule page for details on the event and when everyone is speaking!

Dean Neubauer

Dean Neubauer works cyber investigations as a Special Agent at the FBI. Prior to joining the FBI in 2020, Dean worked in IT / Infosec for 10 years.

Talk Details: FBI Incident Response - A brief look at the FBI cyber program, challenges with incident response / cyber investigations, and career opportunities

Greg Schaffer is an information security advisor, author, and former practicing virtual CISO with more than 35 years of experience in information technology and security. He is the founder and president of vCISO Services, LLC, a veteran-owned consulting firm that has provided fractional CISO and information security risk management services to small and midsized organizations since 2017. Greg has served as a CISO or vCISO across a wide range of industries including banking and financial services, healthcare, higher education, aviation, SaaS, and local government. His experience spans building and operating security programs aligned to frameworks such as NIST CSF, ISO 27001/2, FFIEC, PCI DSS, SOC 2, and CMMC. In addition to consulting, Greg is the host and producer of The Virtual CISO Moment podcast and the author of Information Security for Small and Midsized Businesses. He is currently writing a new book, So You Want To Be An Information Security Consultant, which draws on real-world lessons learned building and operating an independent consulting practice.

Talk details: So You Want To Be An Information Security Consultant: Many experienced security professionals reach a point where independent consulting looks appealing: autonomy, flexibility, impact, and the opportunity to do meaningful work. What’s rarely discussed is how fundamentally different consulting is from being “good at security.” This session is based on real-world lessons learned from building and operating an independent information security consulting practice, including virtual CISO engagements serving small and midsized organizations. It focuses on the realities that most aspiring consultants underestimate: running a business, finding and retaining clients, pricing services, managing time, navigating ethical challenges, and avoiding burnout.

Greg Schaffer

Nate Subra is a Red Team Lead at a Fortune 500 financial institution, where he gets paid to break things on purpose. Outside of work he picks locks with TOOOL, tinkers with mesh networks, and breaks whatever else holds still long enough. Based in Des Moines.

Talk Details: Integrating AI into your offensive workflows: Most AI-for-offense talks pick a side: chat-and-paste, or hand the keys to an autonomous agent. Neither fits how operators actually want to work. This talk covers a third path, a personalized interface where the operator and an AI assistant share the same CLI toolkit, session state, and view of the engagement, working side by side instead of taking turns. I'll walk through the interface I built for my own workflow: how tools are exposed to the model, how scope and safety are enforced at the tooling layer instead of the prompt, and how the operator stays in control of every action that touches a target. Expect practical decisions, honest failure modes, and a practical primer on human-in-the-loop offensive tooling.

Nate Subra

Skye Fugate is an Enterprise Technology Architect focused on cloud architecture, security, and AI. Skye is passionate about helping teams make complex systems feel simpler, leading to more understandable, reliable, and sustainable designs.

Talk details: The Autopsy of an Outage: Reconstructing and Diagnosing Failures with Telemetry and AI: Modern outages rarely have a single root cause. Instead, they usually result from a chain reaction of small failures spread across logs, metrics, alerts, design drift, and otherwise undocumented behavior. This talk explores how engineers can reconstruct outage timelines using telemetry correlation and AI-assisted analysis. By piecing together signals across distributed systems, we can better understand how minor issues evolve into major incidents. We'll walk through practical examples of incident reconstruction, learn common patterns for approaching failures or incidents, and explore how AI can be your force multiplier during troubleshooting.

Skye Fugate

Nicholas Starke is a security researcher based in Des Moines who specializes in Firmware Security. When he is not hacking, he likes playing with modular synthesizers.

Talk details: JavaScript implementation of the TREE(3) algorithm: I developed a JavaScript implementation of the TREE(3) algorithm as part of a zany blog post on Denial of Service'ing the entire universe and all I got was a Denial of Service bug in Chrome. Join me as I tell you what TREE(3) is, how it can be used to DoS the universe (theoretically), and how the JavaScript implementation uncovered a Denial of Service bug in Chrome.

Nicholas Starke

Isaiah Davis-Stober (CodeNeko)

I'm Isaiah, a hardware security researcher with six years of experience breaking things for fun and occasionally for work. I specialize in tearing apart white-labeled IoT devices, firmware extraction, and lock picking/bypassing. When I'm not desoldering eMMC chips or tracing wires, I'm writing Bash scripts that probably shouldn't exist and automating things in ways no one asked for. I also love cats. You can find me as codeneko or netcode in most places.

Talk details: eMMC Firmware Extraction: Firmware extraction is a critical first step in hardware security assessments, and eMMC storage is one of the most commonly encountered targets across "higher-end" embedded AI and IoT devices. This talk covers two practical approaches to extracting firmware from eMMC chips: in-circuit lead tapping and full chip-off removal. We walk through identifying eMMC pinouts, soldering to exposed test points, and interfacing with affordable readers for in-circuit extraction, then cover hot air desoldering, BGA reballing, and reading bare chips via socket adapters for chip-off. For each method, we discuss tooling, trade-offs, failure modes, and when to choose one approach over the other based on board layout, risk tolerance, and common obstacles like epoxy potting and locked partitions.

I’m a cybersecurity professional and Security Analyst who spends most of my time hunting threats, testing defenses, and occasionally making security tools question their life choices. I’m also the founder of Dosidicus, where I focus on purple-team operations that blend offensive tradecraft with defensive strategy to help organizations improve resilience and visibility. I enjoy breaking things, thinking like an attacker, and helping defenders stay one step ahead—preferably before the alerts start at 2 a.m.

Talk details: AI in the SOC: Is AI Replacing My Job? Artificial Intelligence is rapidly transforming the modern Security Operations Center (SOC). In this talk, we’ll explore how AI is being integrated into daily security operations, how it is changing the role of analysts, and where it can genuinely improve efficiency and threat detection. We’ll also separate hype from reality by addressing the common fear of “AI taking our jobs,” and discuss what cybersecurity professionals can realistically expect over the next few years as AI continues to evolve within the industry.

JP Roth (Nito)

Khalid Mohammed is a recent Drake University graduate with a B.S. in Computer Science and Artificial Intelligence and a minor in Cybersecurity. He completed internships in data engineering at Waldinger Corporation and software engineering at Dwolla, placed 2nd at the CCSC Central Plains Conference for his work on VenomX, and was recognized as Drake's AI Student of the Year. His interests sit at the intersection of offensive security, AI systems, and security automation.

Nick Guyette is a senior at Drake University studying Computer Science, Artificial Intelligence, and Cybersecurity. He interned at LCS as an IT Security Intern and currently works at Wellmark as a UX Design Intern. In his free time he enjoys homelabbing.

Talk details: Abliterate, Augment, Automate: Building a Multi-Agent Penetration Testing System: VenomX is an autonomous penetration testing system built on a safety-abliterated large language model, a hybrid RAG pipeline drawing from nearly 500,000 records across NVD, Exploit-DB, MITRE ATT&CK, and other sources, and a multi-agent architecture that orchestrates 18 real security tools from reconnaissance through post-exploitation. This talk walks through how the system was designed and built, covering model abliteration as a targeted weight-space edit, the retrieval pipeline that grounds the model in current vulnerability data, and the agent coordination layer that turns LLM decisions into actual tool execution. We also discuss the safety architecture built to keep the system from being misused, including scope enforcement, prompt injection defense, and human-in-the-loop approval gates.

Khalid Mohammed & Nick Guyette

Sanjay Kodukula is a Senior Cyber Security Engineer at Visa Inc on the M&A Product Security Architecture team. He develops cybersecurity strategies, evaluates system designs, and advises organizations on improving security maturity. With expertise in Security Architecture, IAM, Network Security, Third-Party Risk Management, and Application Security, he is dedicated to sharing knowledge, simplifying security concepts, and supporting the community in adapting to modern security and AI-related risks.

Talk details: Securing the AI Supply Chain Before Your Vendors Become Your Weakest Link: A comprehensive framework to evaluate and address AI risks originating from third-party dependencies, helping organizations elevate their security posture through aligned governance, operational, and technical control measures.

Sanjay Kodukula

  • Officer, Internal IT Auditor at Bankers Trust
  • Academic Relations Director, ISACA Central Iowa Board Member
  • DMACC graduate - Cyber Security AAS, Digital Forensics Investigation Certification
  • CompTIA Security+
  • 23 years of experience in the Financial Institution Industry

Talk details: The Third Line of Defense - The Life of an IT Auditor: Talk about what an IT Auditor is and what they do. How I chose the career path of an IT Auditor (or it chose me). Discuss what is needed for someone to follow this path as well.

Chrissy Mohrhauser

Parady Boatwright is a senior recruiter with 15+ years of diverse, cross-industry experience (including Financial, Insurance, Banking, Ag, Legal, and Manufacturing). She began her career utilizing her multilingual skills as a French translator for a Canadian aircraft acquisition, which sparked her lifelong passion for consulting. Parady expanded her expertise by consulting on a high-level compliance and audit project for a major mortgage company. In this role, she managed sensitive, confidential data and trained executive heads across multiple business units. Building on this success, she transitioned into IT recruitment in 2013. Serving as the sole recruiter for a boutique consulting firm, she worked directly with the President and Vice President to build out their newly launched IT division, successfully securing both permanent and contract placements. Parady's deep interest in the technology landscape continued to evolve, leading her to engage with the Des Moines cybersecurity community starting in 2018 through local user groups. Throughout her career, she has blended her sharp operational insights with talent acquisition strategy, working successfully as both an HR Consultant and a Corporate Recruiter to connect organizations with top-tier talent. When not learning, you can find her on the local Iowa bike trails or playing with her rescued Doberman, Belle.

Talk details: The Dark (k)Night: Reinventing Life after a Layoff: Navigating a Layoff: Practical Tips for You (or a Friend/Family Member) Facing Job Loss. From Anger and Grief to Healthy Coping – Building Inner Strength Through the Darkest Nights. Develop "Knight Strength" in Your Dark Nights.

Parady Boatwright

DuoYu “Bryan” Zhang is a Cyber Operations student at the University of Arizona with interests in network security, traffic analysis, and cybersecurity education. He focuses on practical security learning through tools such as Wireshark, Python, and Splunk, and enjoys making cybersecurity concepts accessible to students and beginners.

Talk details: Detecting Suspicious Network Traffic Using Wireshark and Python: A Beginner-Friendly Approach: This beginner-friendly session introduces how Wireshark and Python can be used together to detect suspicious network traffic patterns. Attendees will learn basic packet analysis concepts, how to identify signs of abnormal network behavior, and simple approaches for automating traffic analysis using Python. Through practical examples and lightweight demonstrations, this talk aims to provide students and early-career cybersecurity learners with an accessible introduction to network traffic analysis and threat detection workflows.

DuoYu "Bryan" Zhang

Becky Mathisen is an Information Security Manager with over 15 years of leadership experience. She has led teams in Identity and Access Management, Cybersecurity, and Networking. When not working, Becky enjoys spending time with her 14-year-old daughter, husband, two cats, and a dog. Becky is also the author of five self-published books and a life coach.

Talk details: What's your identity? Security never stops. That’s the problem. When your identity is your job, burnout doesn’t just affect your work; it affects you. This talk shows how to break that cycle.

Becky Mathisen

Tom Pohl

Tom Pohl is a Principal Consultant and Penetration Testing Team Manager at LMG Security. Prior to LMG, he spent most of his career on the blue team building and securing systems used by millions of people. And by night, he is a competitive CTF player and has won several black/gold badges including THOTCON, Circle City Con, Wild West Hackin’ Fest and DEF CON. He is good at what he does because he’s already made many of the mistakes that he encounters in client environments on a daily basis.

Talk details: From LinkedIn DM to Full Compromise: Inside an Interview Attack: Fake job interviews have become a favorite way to push malware onto developers. When a "coding challenge" landed in a friend's inbox, I took it apart end to end: tracing the lure, deobfuscating a multi-stage infostealer to reveal everything it grabs, then using what I recovered to knock on the attacker's own command-and-control server — monitoring live victims, mapping the operation, and reading the threat actor's mistakes. This talk is that walkthrough, plus what developers and defenders can actually do about it.

Jon Schnell

Jon is a Penetration Tester at Mandiant, part of Google Cloud, where he specializes in web application, cloud, and embedded security. He graduated from Iowa State University in 2022 with a B.S.E. in Cybersecurity. Early in his career, Jon discovered multiple CVEs in the open-source Kubeflow project, demonstrating how Server-Side Request Forgery (SSRF) could lead to complete AWS account takeover. This discovery sparked his deep interest in Kubernetes and cloud infrastructure security, which continues to drive his research today.

Talk details: The Blind Side of SSRF: Mastering the Response: Server-Side Request Forgery (SSRF) traditionally focuses on the request: a malicious actor forcing a web server to interact with an unintended remote system. But what happens after the connection is made? The full impact of SSRF is often missed because security teams overlook the response side, especially in complex downstream workflows like webhook integrations. In this session, we will briefly review standard SSRF categories and common defenses, before diving into the real threat: weaponizing forged responses as injection points into downstream software workflows. Finally, we will walk through a real-world case study discovered using this technique and introduce Frontpost—a new, open-source "Collaborator++" tool designed to give you ultimate control over response injections and replace restrictive testing defaults.