Richmond, VA

June 2nd - 3rd, 2016

Gold Sponsor Feature: Optiv



Optiv’s vision is to become the most advanced, most comprehensive and most trusted partner for cyber security solutions. We provide a full suite of information security services and solutions that help define cyber security strategy, identify and remediate threats and risks, select and deploy the right technology, and achieve operational readiness to protect from malicious attack.

Come see us at RVAsec! Register now.

Speaker Feature: Juan Carlos

Juan Carlos

Juan Carlos@kongo_86

Enjoys long walks with a debugger. As well as profound conversations with IDA. All while eating tacos and drinking redbull.

Reversing for humans.
This talk is about reversing malware in the easiest way possible. While the tactics and procedure for doing so are not new the goal is to show you how you can get the simple things out and quickly identify the ‘things’ you need to asses its threat in your environment. This talk is for those that like to get dirty

Register Now!

Speaker Feature: Evan Johnson

Evan Johnson


Evan Johnson is an engineer at CloudFlare in San Francisco. He previously worked at LastPass and can distinguish diet coke from diet pepsi by taste.

Staying Above A Rising Security Waterline
Security is not a destination, it’s a journey. At CloudFlare, the journey is taking place daily at light speed. More products, more features, more services, more attack surface. I’ll talk about the technical work and process we created to maintain a high standard of security internally without burdening our developers.

Register Now!

Speaker Feature: Andrew McNicol

Andrew McNicol


BreakPoint Labs
Andrew McNicol is driven by his passion for helping organizations identify exploitable vulnerabilities before an adversary. He is currently the CTO at BreakPoint Labs specializing in offensive security services, mentor for SANS, and one of the founders and lead authors of Primal Security. Previously, he lead a penetration testing team and worked on an incident response team focusing on malware analysis and network forensics for DoD, Law Enforcement, and Commercial companies.

Andrew holds an M.S. in Information Assurance, and variety of InfoSec qualifications (OSCE, OSCP, OSWP, GICSP, GCFA, GCIA, GCIH, GPEN, GREM, GSEC, GWAPT, GWEB, CISSP, CEH, etc.)

Beyond Automated Testing
Have you ever run a vulnerability scan and thought “Okay… now what?” This talk is all about how to go beyond automated testing to find vulnerabilities that scanners miss. The goal of the talk is to help inspire others to reach beyond Nessus and Burp Suite scans to help their organization identify vulnerabilities that expose high impact risk.

Register Now!

Speaker Feature: Ben Smith

Ben Smith


Ben Smith is Field Chief Technology Officer (Field CTO – US East) with RSA, The Security Division of EMC. He is a trusted advisor and consultant to RSA’s global financial services customers, as well as customers in other vertical markets. With over 25 years’ experience in the networking, information security and telecommunications industries, he is responsible for consulting on RSA’s strategic vision around architecture and technical roadmaps for the company’s security and risk management solutions. Prior to joining RSA, he held senior technical positions at UUNET, Intuit, CSC, and the US Government, along with a string of technology-oriented startups. He holds a number of professional technical certifications, including the Certified Information Systems Security Professional (CISSP) certificate, and has presented on RSA’s behalf, both domestically and internationally, at cybersecurity events sponsored by Gartner, FS-ISAC, ISSA, ICI, (ISC)2, ISACA, InfraGard, HTCIA and other organizations.

Measuring Security: How Do I Know What a Valid Metric Looks Like?
There is no universally accepted method to measure security. So how do we translate operational measurements into meaningful security metrics for the business? Doing so effectively is essential, because you can’t manage what you don’t measure. This session will touch on the following general questions: Why are security metrics important, from both a compliance and an operational perspective? What are some best practices to keep in mind when selecting security metrics? Does your audience(s) dictate which metrics to select? What behaviors are you trying to influence with these metrics? What are some unexpected sources of security metrics? How should you communicate those metrics internally within your organization for maximum impact? Are there any examples of poor metrics which should be avoided in most cases?

Register Now!

Speaker Feature: Andrew Hay

Andrew Hay

Andrew Hay

Andrew Hay


Andrew Hay is the CISO at DataGravity where he advocates for the company’s total information security needs and is responsible for the development and delivery of the company’s comprehensive information security strategy. Prior to that, Andrew was the Director of Research at OpenDNS (acquired by Cisco) and was the Director of Applied Security Research and Chief Evangelist at CloudPassage, Inc.

Maneuvering Management Madness
Why do practitioners have such a hard time convincing their management team about the value of investing in security training, tools, and other initiatives? Is it because they’re too stubborn or busy to take the time to assess the concerns or is it more likely that you haven’t found the best way to communicate the threat to the business in a language that they understand?

Business leaders have implemented their own language, much of which was learned in business school, to better communicate with shareholders, board members, partners, and peers. Unfortunately, this language is often as foreign to most security practitioners as yours is to them. So what can practitioners do to better communicate with management?

This session will discuss several tactics to help convince your management team that your concerns are valid with examples on how to justify requests for headcount, procedures, policies, and human, tool, and training investment.

Register Now!

Ticket Prices Go Up On 4/21!

Tickets for RV45ec are now on sale!

RV4sec’s base ticket price for 2015 is $150 and will be in place on 3/1–so don’t wait! And if that’s not enough incentive to purchase your tickets early, late registrations (after 4/21) will be $225!

Don’t forget all the things you get with registration, including 2 full days of talks, meals, snacks, drinks, reception, after party, prizes, a capture the flag contest, t-shirt & swag!

Once we sell out there will be no more tickets available.

So, to recap the conference prices:

  • $150 regular price until 4/20
  • $225 late registration until 5/26
  • $350 super late registration until 6/1


If you are unable to attend due to the price, please contact us to discuss as we do have stipends available and volunteer opportunities are a great way to get in for free! Once again there will be no tickets sold at the door, and don’t forget that RV4sec has sold out every year–so don’t wait!

Register now!

Hotel Information – Book now!

RVAsec has reserved a block of rooms at the Crowne Plaza for out of town guests. The rate is $121/night (which does NOT include parking).

You can either book online or call the hotel.

When you call (855-472-7802) the hotel please tell mention the block “RV3” to get the special rate.

  • Secure your reservation by 5/2/16 to ensure receiving the group rate
  • Discounted parking rate of $10.00 per car, per night.
  • Please note that the Booking Link will not work on a smartphone


Crowne Plaza Richmond Downtown
555 East Canal Street, Richmond VA 23219


View Larger Map
If for any reason you are unable to get the RVAsec rate or the block of rooms has been filled, please let us know so we can contact the hotel!

Once the block is full or expires we are not able to have it extended.

Make sure you check out information on getting to the conference.