Too Many Repos, Too Little Time: How We Learned to Security Test Smarter
Over four years, the speaker witnessed a security team grow from four people to nearly thirty — and with that growth came the challenge of building an Offensive Security Program and SSDLC essentially from scratch. This talk tells the real story: the messy iterations, the fast failures, and the cultural battles that mattered far more than any tool deployed. It covers the journey from the first customer-facing pentest report to a full Offensive Security Program powered by structured pentesting and a public bug bounty, including the mistakes made — like overwhelming engineering teams with mountains of vulnerabilities — and how those failures reshaped the approach to prioritization, communication, and partnership. To close, two open-source tools born directly from these struggles are introduced: pentest-scheduler and git-repo-downloader.
Speaker Bio
Arnau Estebanell Castellví is a Lead Security Engineer specializing in ethical hacking, application security, and DevSecOps. With experience leading offensive security work and helping engineering teams build secure software, he brings a practical, people-focused approach to modern AppSec. He holds several certifications including OSCP, OSWE, and CCSK.
Baseband: The Final (?) Frontier
Basebands, also called "modems," modulate and demodulate radio signals into/from data packets that get processed by your smartphone, smart car, smart meter — they allow your device to communicate with the world. Recently there has been a surge in baseband interest in cybersecurity, but it is still hard to find decent public information on this deep technical subject. This talk covers their inner workings, how vulnerabilities can be found, how exploits for them work, and much more.
Speaker Bio
Pedro Ribeiro is the Founder & Director of Research at Agile Information Security, a UK-based boutique cybersecurity firm specializing in highly technical subjects such as vulnerability research, reverse engineering, advanced penetration testing, red teaming, and incident response. He has over 7 years of experience working with basebands and regularly gives training courses on attacking them all over the world.