Learn from the Experts

6th November, 2025

SYDNEY

Keynotes

Henry Hon

President
OpenText
ISC2 Sydney Chapter

VISTO: Reimagining Pentesting with Portable AI (An OWASP Prototype Project)

Penetration testing is a cornerstone of cybersecurity, but it’s often constrained by manual workflows, fragmented tooling, and limited documentation. This keynote introduces VISTO, an OWASP prototype project that explores how portable LLMs (Large Language Models) can transform pentesting operations by running offline on compact devices like Raspberry Pi or Intel NUC.

It will begin by examining the operational pain points in traditional pentesting, particularly the challenge of maintaining detailed audit trails. While technical execution is often straightforward, tracking every command and decision manually can be time-consuming and error-prone, especially when most engagement time should be spent on actual testing.

VISTO proposes a solution: an AI-powered agent that integrates with open-source tools and scripts through a standardised interface, enabling testers to execute commands correctly and efficiently, reducing syntax errors and improving consistency. This opens the door to human-AI collaboration, where the agent assists but doesn’t replace the tester.

It will further explore how the VISTO prototype concept may, in future, leverage Retrieval-Augmented Generation (RAG) to stay current with the latest attack techniques (TTPs) and CVEs, making it a valuable assistant for junior pentesters. Imagine an AI that not only helps execute tests but also brainstorms attack vectors based on the outputs of previous scans, connecting dots that might otherwise be missed.

However, it will also address the limits of automation. Business logic flaws in web applications, such as bypassing multi-step approval flows or exploiting contextual access controls, still rely heavily on human “reasoning” and domain understanding (at least for now). Examples will illustrate why AI must remain a co-pilot, not a solo pilot.

This session will be imaginative yet grounded in real-world pentesting challenges. It is designed to provoke thought, inspire innovation, and invite the community to explore how AI can be responsibly and creatively integrated into offensive security workflows.

Takeaways from this talk

  • Portable LLMs can run offline on small devices, enabling secure, local AI assistance in field operations.
  • Audit trail automation helps testers focus on testing, not documentation.
  • Open-source tool integration via standardised interfaces reduces errors and speeds up execution.
  • AI is a co-pilot valuable for brainstorming and automation, but not a replacement for human judgment.
  • Business logic flaws remain a frontier where human insight is irreplaceable.
  • VISTO is an OWASP prototype, inviting community feedback and collaboration.
  • Junior testers can benefit from AI-powered guidance and up-to-date threat knowledge via RAG.
  • The future of pentesting is hybrid, combining human expertise with intelligent automation.

Featured Speakers

Mohamed Khangi

Snr Solutions Architect
Thales Cybersecurity Products

Guarding the Digital Frontier: Data-level Protection in a Borderless Ecosystem

As organisations embrace a digital-first ecosystem, data no longer stays confined within traditional perimeters. It flows across clouds, devices, and third-party networks, creating both opportunity and risk. The combination of data sprawl, shadow IT, and evolving regulatory requirements means that perimeter-based defences are no longer sufficient. This talk explores how data-level controls, embedded directly with the data itself, can provide continuous protection regardless of where the data travels or resides. By adopting strategies such as access control, persistent obfuscation, security policies, and context-aware discovery and classification, organisations can balance security with usability. Attendees will gain insights into how to move beyond network- and device-centric defences toward a more holistic approach where security travels with the data, ensuring trust, compliance, and visibility in an increasingly borderless digital ecosystem.

Takeaways from this talk

Why Perimeters Fail in a Borderless World: understand how data sprawl, cloud adoption, and digital ecosystems conflict with traditional security boundaries.

Arnav Sharma

Principal Architect, Cybersecurity
News Corp

Guide to the OWASP Top 10 for LLMs

As organisations rapidly adopt Large Language Models (LLMs) for everything from customer service chatbots to code generation, security vulnerabilities are emerging that traditional cybersecurity frameworks don’t address. This presentation provides a comprehensive overview of the OWASP Top 10 for LLMs, the security framework for AI applications.

Takeaways from this talk

Understand all 10 critical vulnerability categories from prompt injection to supply chain attacks.
Learn to identify these risks in real-world deployments.

Naren Rammohan

Senior Manager
CyberCX

When Models Turn Misaligned: Practical AI Governance for Resilient Organisations

This session will explore how to maintain effective security governance when AI and automated systems evolve beyond the traditional guardrails designed for static or predictable technology environments.

AI models, from LLMs and classifiers to reinforcement systems and computer-vision networks, are increasingly making decisions that were once made by humans. As these systems adapt and learn, they can drift from intended behaviour, exposing gaps in control, accountability and assurance.

The discussion will focus on practical techniques for recognising and managing this drift. It will examine how models can misalign with security baselines through issues such as reward-function manipulation, prompt injection, biased training data, or adversarial inputs, and how these weaknesses can be detected early through monitoring, validation pipelines, and behavioural telemetry.

From a governance perspective, the session will outline how to define ownership of AI outcomes, assign decision rights, and integrate model assurance into existing CI/CD or MLOps practices. This includes version control, reproducibility, and audit logging to ensure traceability when models influence risk or compliance outcomes.

A further emphasis will be placed on third-party and supply-chain dependencies, particularly external AI APIs and vendor-supplied models. The session will discuss how to extend internal governance frameworks to these external services through model provenance checks, contractual control testing, and continuous oversight of vendor performance and reliability.

Takeaways from this talk

  • How to prioritise AI risks using a lens of business impact and data sensitivity, ensuring governance efforts are targeted where they matter most.
  • How to identify early signals of model misalignment or control degradation before they translate into operational or compliance failures.
  • How to streamline oversight across internal and vendor-provided AI models without adding unnecessary friction.
  • Finally, this session will help organisations build AI governance that is measurable, adaptive, and grounded in technical reality, ensuring that models continue to operate safely, transparently, and in alignment with enterprise security objectives as they evolve.

Serkan Cetin

Manager, Security Engineering, ANZ
Tenable

From Reactive to Proactive: Exposing your security blindspots

We live in a world where the attack surface is constantly evolving, with new threats emerging, vulnerabilities being exploited, and new attack techniques being used. In the constant battle to protect our people, organisations, and data, cyber professionals often face a challenging question:

Where do we start, where are our gaps, and what will make the biggest difference to reducing our cyber risk exposure?

In this session we’ll explore the challenges faced across various industries, and look at the strategies that enable cyber professionals to take a proactive approach to protecting our people, organisations, and data.

Takeaways from this talk

An overview of:

  • Evolution of the attack surface
  • Vulnerabilities, gaps, and exploits
  • Strategies to proactively protect organisations against exposures

Fireside Chat Speaker

Puneeta Chellaramani

Senior Executive Director – APAC Head of Cybersecurity
Capgemini

With over 16 years of life and cyber adventures internationally (EU, SEA, EMEA, JAPAC, ANZ) and multi-sector experience, Puneeta offers management consulting, sales and business-growth, and cyber security experience with a pragmatic approach to implementing sustainable change. She is both a coach and an advisor to clients across diverse industries, advocating a two-speed approach when navigating their cyber, cloud, digital and innovation journeys.

She has been leading and driving new regional offers tailored to sector-specific challenges, from financial services and critical infrastructure to retail and healthcare. She has also led cross-border capability builds, scaling talent and cyber defence delivery hubs that support both local responsiveness and global consistency.

Puneeta is a cyber security practitioner who helps CISOs and CROs adopt pragmatic solutions that reduce business and compliance risks, drawing on her skills and experience across consultative selling, building security business solutions, customer management, and security advisory and roadmaps for large transformation programs.

She has provided leadership to large, distributed teams, managed a multi-vendor and rightshore delivery model, and is seen as a cyber and technology enablement advisor in a diverse and geographically dispersed working environment, partnering seamlessly across business and IT.

Krishna Bagla

Manager Cyber Security Operations and Implementation
NSW Government

With more than two decades of experience in leading ICT and Cybersecurity functions across consulting, banking, and public sector industries, Krishna cares deeply about bridging the gap between technology and people. He has led numerous digital transformation projects worldwide.

He is all in, whether it’s translating cyber risks into business language, mentoring the next generation, or turning complex issues into relatable stories. He is an active volunteer and mentor in the ICT and Cybersecurity industry. He is also an author of multiple thought leadership articles for various international forums.

Panel Discussion Speakers

Cayley Wright

Cyber Director | Energy and Utilities
Deloitte

Cayley is a senior technology and cyber security leader with experience spanning defence, energy, and critical infrastructure. She has led major cyber transformation programs based on threat-led architecture. Her focus is on aligning people, process, technology, and intelligence to build practical, resilient security operations that support both regional autonomy and global governance.

Victor Bibescu

Head of Cyber, APAC
Infosys Consulting

With 20+ years of experience in management and IT consulting, I am a cybersecurity leader who works with clients across Asia Pacific to help them improve their cyber resilience and reduce their attack surface. I have a strong focus on cloud, tech, and digital transformation which helped me successfully deliver tech projects and cyber uplift programs for global and local clients in various sectors, especially financial services and telecommunications.

As the Cybersecurity Leader for APAC at Infosys Consulting, I am responsible for the cybersecurity consulting practice that delivers high-quality and innovative solutions to meet the evolving needs and challenges of our clients in the region. I am passionate about solving problems, developing people, and promoting an inclusive workforce in tech and security.

Suhaas Madhyastha

Associate Director
KPMG

I am an experienced information security professional with over 15 years of cumulative experience leading and delivering cybersecurity consulting engagements. I am currently one of the associate directors at KPMG, helping our enterprise clients proactively protect their businesses by designing cyber controls and strategies.

I am passionate about meeting new people, nurturing talent and aspirations, learning every day, and positively impacting the community.

Muhammad Umair Zia

Head of Cyber Security
Sydney Local Health District

With over 17 years of experience in information technology and cyber security, I currently lead Sydney Local Health District’s cyber security initiatives as Head of Cyber Security. I oversee the design and delivery of a multimillion-dollar transformation program, focusing on enhancing cyber resilience and safeguarding critical infrastructure. My role includes managing compliance with Essential 8 strategies and implementing a Critical Infrastructure Risk Management Plan to ensure operational security.

Previously, I led the University of Otago’s Cyber Security and IT Assurance functions, successfully delivering a $20 million transformation program to elevate security maturity. My collaborative approach fosters trust among stakeholders, enabling teams to address complex security challenges while aligning with organizational goals. I am committed to driving strategic vision, operational excellence, and robust defense mechanisms in the ever-evolving cybersecurity landscape.
