As we gear up for DEF CON 33 (August 7-10, 2025) in Las Vegas, all the thrunters out there have made this last week of work nearly impossible. This year's lineup delivers a perfect blend of frameworks, hands-on workshops, and real-world adversary analysis that should have every threat hunter, detection engineer, and security researcher marking their calendars. After diving deep into the official schedule (and then some), here are the talks and workshops that have us most excited.
🚀 Frameworks and Tools
1. "Garuda Threat Hunting Framework"
Saturday, August 9, 3:00 PM - Demo Labs (LVCC - L2 - W211)
Monnappa "Monnappa22" K A (Co-Founder at Cysinfo) & Sajan Shetty
The rapid growth of cyber threats has made endpoint logging critical, but the sheer volume of Sysmon data often overwhelms analysts. Garuda addresses this challenge with a unified PowerShell framework providing advanced filtering, cross-event correlation, multiple contextual views, and precise time-based noise reduction. Its extensible nature supports threat hunting, investigation, anomaly detection, detection engineering, and malware analysis. And this is all within a single, scriptable environment.
Why we're excited: This represents the evolution of endpoint detection beyond basic log analysis toward intelligent, correlated threat hunting workflows. Most hunters struggle with Sysmon noise; Garuda's approach to contextual correlation and noise reduction could fundamentally change how we analyze endpoint telemetry at scale.
2. "Plug and Prey: Scanning and Scoring Browser Extensions"
Saturday, August 9, 2:20 PM - Recon Village (LVCC - L1 - Exhibit Hall West 2 - 603)
Shourya Pratap Singh & Nishant Sharma
Browser extensions represent an unmonitored threat surface in most enterprises. This talk introduces ExtHuntr, an open-source tool for scanning installed extensions, analyzing permissions and behavior, and generating risk scores. Includes live demos, permission abuse breakdowns, and fleet-wide deployment strategies.
Why we're excited: This addresses a major visibility gap that most security teams don't even know they have. As we argued in Your Plugins and Extensions Are (Probably) Fine. Hunt Them Anyway, browser extension monitoring is long overdue. Extensions have massive privileges and update silently, yet most organizations have zero inventory or risk assessment. This could become a standard security practice.
🛠️ Workshops and Hands-On Training
3. "Weaponizing Kestrel: Red Team Tradecraft for Hunting"
Friday, August 8, 1:00 PM - Red Team Village (LVCC - L1 - Exhibit Hall West 1 - 405)
Ronald González & Daniel Benavides
This workshop explores using Kestrel for hunting advanced threats in critical infrastructures through offensive methodologies. Participants will learn to simulate real-world adversary attacks while identifying vulnerabilities and anomalous behaviors, then configure Kestrel to generate artifacts for active threat hunting and correlate patterns with MITRE ATT&CK tactics.
Why we're excited: The integration of offensive techniques with hunting frameworks provides new methodologies for advanced threat detection and proactive security. This bridges the gap between red team tradecraft and blue team detection, and understanding how attackers use legitimate tools helps us build better hunting queries and detection logic.
4. "Practical YARA: Crafting Custom Rules for Targeted Malware Defense"
Saturday, August 9, 9:00 AM - 1:00 PM (LVCC - L2 - N257)
Jae Young Kim, Joshua "jstrosch" Stroschein & Francisco Perdomo (Google)
Move beyond generic signatures to build truly effective YARA rules. This hands-on workshop focuses on translating nuanced malware analysis understanding into powerful, human-authored detections through fast-paced labs covering static and behavioral analysis. Learn to identify unique malicious characteristics and express them efficiently in YARA.
Why we're excited: Custom YARA development remains one of the most effective ways to detect sophisticated threats that bypass commercial tools. This workshop moves beyond basic pattern matching to teach the art of behavioral analysis and characteristic identification; these are the skills that separate good hunters from great ones. YARA is about more than detecting malware: learn the language and watch your hunts evolve.
5. "Contextualizing Alerts with Relevant Logs and Events Without Queries or LLMs"
Friday, August 8, 2:00 PM - 4:00 PM (LVCC - L2 - N252)
Ezz Tahoun
This workshop addresses alert fatigue and fragmented telemetry using open-source, explainable ML to map alerts into contextualized attack stories. Work hands-on with real-world data to build kill chains and generate actionable tickets using the Attack Flow Detector tool running in Google Colab—no complex queries or black-box AI required.
Why we're excited: Practical solutions to one of SOC teams' biggest challenges, with transparent, open-source tools ready for real environments. Alert fatigue kills analyst effectiveness. This approach to automated correlation and context building could revolutionize how we handle high-volume security operations without losing analytical depth.
6. "Hands-On Threat Hunting with Wireshark"
Saturday, August 9, 9:00 AM - 1:00 PM (LVCC - L2 - N253)
Chris Greer
Learn to spot malicious activity hiding in network traffic through hands-on analysis of real-world packet captures. This beginner-friendly session covers filtering noise, detecting C2 traffic, and uncovering stealthy attacks using practical network forensics techniques.
Why we're excited: Network-based threat hunting skills remain fundamental, and hands-on packet analysis provides crucial detection capabilities. While everyone focuses on endpoint and cloud telemetry, network analysis often reveals the clearest indicators of compromise and lateral movement patterns.
7. "pAWS: The Breach Has Happened. Can You Catch It?"
Friday, August 8, 4:00 PM - Cloud Village Labs (LVCC - L3 - W312)
Terrance DeJesus
This hands-on workshop deploys a simulated breach in a purpose-built AWS environment that models realistic organizational complexity. Participants trace adversary activity spanning AWS, identity, endpoints, and networks, including API abuse, privilege escalation, and data exfiltration, all correlated in Elastic Security using rich cross-domain telemetry.
Why we're excited: Real-world cloud hunting scenarios with full kill chain visibility—exactly what defenders need to understand modern attack patterns. Most cloud security training uses toy examples; pAWS provides realistic organizational complexity where you can actually see how attacks flow between systems and leave forensic evidence.
8. "Adversary Intel Lab: Build Your First Threat Emulation Plan"
Friday, August 8, 2:00 PM - Red Team Village (LVCC - L1 - Exhibit Hall West 1 - 405)
Fredrik Sandström (Basalt)
A hands-on workshop walking through real-world threat intelligence analysis, threat actor assessment, TTP identification, and red team emulation plan creation using ATT&CK Navigator. Participants leave with a completed adversary worksheet and mini playbook for immediate use.
Why we're excited: Practical threat intelligence application that bridges the gap between analysis and actionable defense strategies. Most threat intel stays in reports and briefings. This workshop teaches you to transform intelligence into concrete emulation plans that actually improve your defensive posture.
🎭 Threat Analysis and Advanced Techniques
9. "Identity Crisis: The Unmanaged World of Azure Managed Identities"
Friday, August 8, 2:40 PM - Cloud Village (LVCC - L3 - W311)
Alon Klayman & Eliraz Levi
This comprehensive research addresses a major defensive gap in Azure Managed Identity monitoring. The speakers will share 4 months of research focusing on proactive threat hunting techniques, advanced detection strategies, and practical tools for forensic investigation using diverse Microsoft log sources. Attendees will learn to quickly determine MI involvement, assess blast radius, and build targeted detections.
Why we're excited: Fills a critical gap in cloud threat hunting with practical detection strategies for one of the most overlooked attack vectors. Azure Managed Identities are everywhere in modern cloud environments, but most security teams have zero visibility into their abuse. This research provides the detection strategies and forensic techniques that have been desperately needed.
10. "Inside the Shadows: Tracking RaaS Groups and Evolving Cyber Threats"
Saturday, August 9, 3:05 PM - Recon Village (LVCC - L1 - Exhibit Hall West 2 - 603)
John Dilgen
This comprehensive exploration of advanced threat hunting strategies showcases methodologies from recent reporting on the Decline of Black Basta. Learn techniques for monitoring ransomware-as-a-service groups, tracking threat actor activity on dark web forums, and analyzing evolving TTPs to anticipate sophisticated campaigns and strengthen defensive strategies.
Why we're excited: Deep-dive into RaaS ecosystem analysis with actionable methodologies for staying ahead of rapidly evolving threats. Understanding how ransomware groups operate, recruit, and evolve their tactics gives threat hunters crucial intelligence for building proactive detections before attacks hit your organization.
11. "Ransomware vs EDR: Inside the Attacker's Mind"
Saturday, August 9, 11:00 AM - Red Team Village (LVCC - L1 - Exhibit Hall West 1 - 405)
Zoziel Freire
This Red Team Village talk provides crucial insight into how ransomware operators approach EDR evasion through live proof-of-concept demonstrations and technical walkthroughs. Covers persistent techniques, evasion strategies, and overlooked system behaviors that let ransomware thrive in well-defended environments.
Why we're excited: Understanding the attacker's decision-making process for EDR bypass helps us anticipate attack patterns and build more effective detection logic. This isn't just about tools; it's about the mindset and methodology that drives successful ransomware campaigns, giving defenders insight into the "why" behind evasion techniques.
12. "From Adversarial to Aligned: Redefining Purple Teaming for Maximum Impact"
Friday, August 8, 11:00 AM - Creator Stage 2 (LVCC - L2 - W232)
Nikhil (Altered Security), Adam Pennington (MITRE), Sydney Marrone (Splunk), Lauren Proehl (Marsh McLennan)
This talk traces the evolution of purple teaming from siloed operations to unified strategies that reflect real attacker behavior. Learn how modern security teams move from adversarial exercises to collaborative, intelligence-driven approaches that uncover detection gaps and drive measurable security improvements.
Why we're excited: This panel features two of the three THOR Collective founders and represents cutting-edge purple team methodology moving beyond traditional red vs. blue models. This evolution toward aligned, intelligence-driven collaboration reflects how the most mature security programs actually operate. It's about shared outcomes, not adversarial exercises.
13. "Ghost Calls: Abusing Web Conferencing for Covert Command & Control"
Friday, August 8, 12:00 PM - Main Track (LVCC - L1 - Exhibit Hall West 3 - Track 2)
Adam "UNC1739" Crosser (Praetorian)
This research introduces TURNt, an open-source tool automating covert traffic routing via trusted TURN servers. Since enterprises often whitelist conferencing IPs and exempt them from TLS inspection, these sessions appear as legitimate Zoom meetings while enabling high-bandwidth C2 channels for time-sensitive operations.
Why we're excited: Sophisticated C2 evolution that abuses trusted infrastructure: exactly the type of technique that challenges traditional detection approaches. Most network monitoring focuses on suspicious domains and IPs, but this technique hides in plain sight using services that security teams actively whitelist.
14. "From Spoofing to Tunneling: New Red Team's Networking Techniques for Initial Access and Evasion"
Friday, August 8, 3:00 PM - Main Track (LVCC - L1 - Exhibit Hall West 3 - Track 3)
Shu-Hao, Tung 123ojp
This talk introduces techniques for gaining initial intranet access without phishing or exploiting public applications, leveraging stateless tunnels (GRE, VXLAN) widely used by cloud providers. It includes evasion techniques exploiting companies without source IP filtering and VXLAN vulnerabilities affecting ISPs and cloud customers.
Why we're excited: Novel attack vectors that bypass traditional security assumptions: essential intelligence for building robust detection strategies. These techniques challenge fundamental assumptions about network perimeter security and show how attackers exploit infrastructure protocols that most defenders don't even monitor.
15. "Bridge to Nowhere Good: When Azure Relay becomes a Red Teamer's highway"
Friday, August 8, 12:00 PM - Red Team Village (LVCC - L1 - Exhibit Hall West 1 - 405)
Edward Landers, Robert Pimentel & Josh Huff
This talk exposes critical offensive capabilities in Microsoft's azbridge tool for establishing covert C2 channels and lateral movement while evading perimeter defenses. It demonstrates persistent network access, security control bypass, and post-exploitation using legitimate Microsoft infrastructure.
Why we're excited: Novel abuse of legitimate Microsoft tools that likely flies under most organizations' detection radar, and you can find some badness when you hunt in that area. When attackers weaponize vendor tools that have been sitting in public repos for years, it forces us to reconsider what "normal" activity really looks like in cloud environments.
16. "Command and KubeCTL: Kubernetes Security for Pentesters and Defenders"
Friday, August 8, 3:20 PM - Cloud Village (LVCC - L3 - W311)
Mark Manning
Drawing from hundreds of containerized environment reviews, this talk covers tactics, techniques, and tools for assessing Kubernetes clusters. Expect real-world attack paths, practical guidance for both offense and defense, and chain attacks from build environment compromise to production exploitation.
Why we're excited: Kubernetes security remains a major blind spot for many organizations, so practical guidance from extensive real-world experience is invaluable. Most K8s security content is theoretical; this draws from hundreds of actual assessments to show real attack paths and defensive strategies that work in production environments.
Don't Miss: The Threat Hunter's Cookbook Book Signing
Before DEF CON officially starts, there's a must-attend networking event: Splunk's SURGe Security Research Team will be signing copies of "The Threat Hunter's Cookbook" at the Splunk AfterParty on Wednesday, August 6 at Allegiant Stadium (6:30-9:30 PM). Get limited-edition signed copies of what promises to be an essential reference, plus network with the team behind cutting-edge threat hunting research. A Black Hat badge is required for these two events… I know. Womp womp. 🙁
Blue Team Village: The Threat Hunter's Home Base
Blue Team Village remains the premier destination for threat hunting content at DEF CON. Expect their eighth year to deliver concentrated expertise across Cyber Threat Hunting, Detection Engineering, Incident Response, Forensics, Operational Technology, and Insider Threat/Risk. Their Project Obsidian initiative promises hands-on experiences and practical training that is consistently some of the highest-quality content at the conference.
Our recommendation: Plan to spend significant time at Blue Team Village. Their workshops and talks typically provide immediately applicable skills and deep technical content that complements the broader conference offerings. Plus, village goers can often offer tons of practical advice if you just sit down and strike up a conversation.
Evening Activities: Keep the “Learning” Going
DEF CON's legendary evening activities are where real connections form and informal knowledge transfer happens. For the most comprehensive guide to parties, meetups, and networking events, check out defconparties.com, your essential resource for after-hours activities where threat hunters, researchers, and security professionals continue the conversations started during the day.
Go Brett!
One highlight this year: ELIPSCION’s DJ set on Friday at 8 PM on the DEF CON stage, a perfect way to reset after a full day of panels and workshops. You might even spot some of the THOR Collective crew there (with free swag).
These evening gatherings often provide the most valuable insights, as practitioners share real-world challenges and solutions over drinks in a more relaxed setting.
DEF CON 33 promises to be a landmark year for the threat hunting community. The combination of sophisticated adversary analysis, practical automation techniques, and advanced cloud detection strategies should provide fuel for hunting teams well into 2026.
The real magic happens in the hallway conversations between talks, where practical challenges meet innovative solutions and the threat hunting community continues to evolve. We look forward to seeing you all as we descend on the desert together next week.
Don’t forget to hydrate, shower, and read CON 101: How to Security Conference for everything else you need to know!
What talks are you most excited about? Join the discussion @THOR_Collective or connect with us in our community Discord.