RVAsec 15 Speaker Feature: Michael Darling

Secure by Design, Trusted Through Compliance

This talk will challenge listeners to redefine the traditional technical vs compliance mindset and think of security as risk management. Whether it’s technical or contractual risk, we should all be focused on the same goal of reducing material impacts to our organizations. It will walk through a model in which compliance is built upon strong technical foundations and becomes a mechanism for communicating trust to your organization, customers, and regulators.


Michael Darling:
Michael Darling is the founder and Principal Consultant at Solstice Security, where he provides fractional CISO services and helps high confidentiality industries like defense, legal, and financial services build strong security programs and navigate their compliance challenges.

He has spent 25+ years building security programs that actually work. He led the ground-up development of a cybersecurity program at one of the largest law firms in the country and helped shape national cyber policy at the White House budget office and CISA. A retired Marine Lieutenant Colonel and combat veteran, he served in infantry, physical security, IT, and cybersecurity roles.

Michael is passionate about closing the gap between what security frameworks promise on paper and actual security outcomes.

Come see Michael Darling at RVAsec 15!


RVAsec 15 Speaker Feature: Joanna Behan

Unlocking Awareness: How an Escape Experience made Security Fun, Engaging, and Approachable

How do you turn security awareness from a check‑the‑box activity into a hands‑on, memorable experience for everyone? In this session, we’ll unpack a portable “escape room in a box” designed by our Information Security team to make learning approachable, collaborative, and fun.


Joanna Behan:
Joanna is an Information Security Analyst who brings a unique blend of creativity and expertise to the field. With a Bachelor of Fine Arts from James Madison University and industry-recognized certifications including CISSP and CGRC, Joanna’s career spans more than two decades of hands-on professional experience. Joanna thrives at the intersection of imaginative problem-solving, heightened awareness, and effective information security. She is dedicated to making information security accessible, and her creative approach enables her to address complex challenges while fostering a culture of safety and security in technology.

Come see Joanna Behan at RVAsec 15!


RVAsec 15 Speaker Feature: Ariyan Suroosh & Mike Bailey

Initial Access in 2026 – The Power of the Spoken Word

A light/medium technical talk discussing modern techniques and challenges to red team initial access.


Ariyan Suroosh:
Ariyan Bakhti-Suroosh is a Principal Security Consultant at Rotas Security, specializing in offensive security, social engineering, and physical facility penetration testing. With over seven years of experience, Ariyan has led enterprise-scale penetration tests, advanced adversary simulations, and purple team assessments.
He holds a Bachelor’s Degree in Information Security from the University of Richmond (Summa Cum Laude) and is a Certified Red Team Operator (CRTO). Ariyan has delivered talks at SANS Hackfest, RVASEC 2024, Optiv’s Source Zero Conference, and was the keynote speaker at COV IS 2024. Ariyan was also the recipient of Optiv’s President Club 2023 and the Green Jacket award for excellence in delivery. He has developed training resources on all facets of penetration testing with a focus on physical facility penetration tests and badge cloning.

Mike Bailey:
Mike brings nearly three decades of diverse experience spanning private industry, academia, U.S. government, and the financial sector. His focus is cybersecurity, with deep expertise in adversarial threat simulation, offensive and defensive security, and advanced technical assessments. Mike is an active contributor to the security community and has been a featured speaker at multiple conferences, presenting on threat research and network security.

Come see Ariyan Suroosh at RVAsec 15!


RVAsec 15 Speaker Feature: Paul Brownridge

Flirting with AI: Pwning web sites through their AI chatbot agents and politely breaking guard rails

Find out how to penetration test an AI chatbot.


Paul Brownridge:
Paul Brownridge is Head of Technical Delivery at Pen Test Partners, the ethical hacking firm. Originally from an engineering background, Paul swapped his hard hat for a white hat and has been working in cyber security for the last 10 years. His practical experience of industrial environments and cyber security make for a capable and highly competent OT cyber engineer. Paul is a regular speaker at national and international technology and security events such as Defcon and the (ISC)2 Security Conference, highlighting key risks with the internet of things, automotive and maritime.

Come see Paul Brownridge at RVAsec 15!


RVAsec 15 Speaker Feature: Bhaumik Shah

Breaking Tokens: Modern Attacks on OAuth, OIDC, and JWT Auth Flows

Modern authentication systems like OAuth and OIDC are often misunderstood. This talk demonstrates real-world attacks such as token replay and session hijacking, shows how weak configurations lead to compromise, and shares practical defense strategies to secure your auth flows.


Bhaumik Shah:
Bhaumik Shah is a cybersecurity leader and founder of Securify, where he helps organizations secure their cloud, applications, and infrastructure through penetration testing, red team operations, and compliance programs like SOC 2 and ISO 27001. With over a decade of experience uncovering vulnerabilities in complex environments — from AWS misconfigurations to API flaws — he has worked with startups, enterprises, and government agencies to strengthen their security posture. Bhaumik is passionate about sharing real-world lessons from the field, mentoring the next generation of security professionals, and occasionally sneaking in a pop-culture reference or two to make security just a little more fun.

Come see Bhaumik Shah at RVAsec 15!


RVAsec 15 Speaker Feature: Evan Typanski

Building Custom Detections with Zeek and Spicy

Discover how to use Zeek in order to create custom detections for network threats. We will go over how to create a real detection using Zeek via scripting, protocol analysis, and log analysis.


Evan Typanski:
Evan is currently a software engineer at Corelight, a network monitoring startup. He is on the open source team, where he works as a maintainer for the Zeek project. His focus is on compilers and low-level networking.

Before joining Corelight, Evan worked on static code analysis (SAST) for languages like C/C++, Swift, and Rust. He graduated from the University of Virginia with a BS in Computer Science in 2020.

Come see Evan Typanski at RVAsec 15!


RVAsec 15 Speaker Feature: Brian Markham

Swatting flies with sledgehammers: broken TPRM programs and how to fix them

Third-party and supply chain risk is more important now than ever—but TPRM is also more broken and ineffective than ever. This session will review today’s common approaches to TPRM, how we got here, and how we can achieve better outcomes and reasonable assurance with less work. We’ll also explore what that shift could mean for our security programs—and for the industry as a whole. We need a hard reboot, and it has to start with each of us.


Brian Markham:
Brian Markham is an executive, advisor, hacker, and mentor with over 25 years of experience in IT and cybersecurity. Brian currently serves as the Chief Information Security Officer for EAB Global, a leading provider of software, marketing, and research services to institutions of higher education. Prior to joining EAB, he was a consultant at KPMG and PwC, and was on the security teams at the University of Maryland and George Washington University.

Come see Brian Markham at RVAsec 15!


RVAsec 15 Speaker Feature: Jason Ross

Social Engineering The Machine: When Your Target Runs On Attention Instead Of Anxiety

Every AI talk this year will tell you prompt injection is a problem. This one gives you the methodology to actually exploit it. Borrowing from decades of adversarial human testing, we’ll move past “vibes” and “jailbreak screenshots” to build a working, repeatable framework for social engineering the machine.


Jason Ross:
With 20+ years in cyber security, Jason Ross now performs adversarial testing and defense of deployed generative AI applications, agentic systems, and the LLMs powering them at Salesforce. Jason’s work focuses on prompt injection attacks and defense, model governance and security, and agent exploitation on high-stakes, high-visibility production deployments. He is also a core contributor to the adversarial AI tooling and datasets used by engineering, AI research, and ethics teams across the company.

Outside Salesforce, Jason co-leads the OWASP GenAI Security Project Red Team Initiative and helped author the OWASP GenAI Red Teaming Guide. He speaks regularly at industry conferences, including NDC Security, the SANS AI Security Summit, the OWASP GenAI Summit at RSA, Skytalks, RVASec, and more.

When he’s not breaking AI, Jason gives back to the security community as a staff member at BSidesLV and a volunteer at DEF CON.

Come see Jason Ross at RVAsec 15!


RVAsec 15 Speaker Feature: Heather Antoinetti

Breaking Your Silence: How to Build Influence Without Becoming a “Suit”

In security, we’re taught to let our work speak for itself. But in the real world, “silent” expertise usually gets ignored, underfunded, or misunderstood. Whether it’s imposter syndrome whispering that your latest exploit wasn’t “elite” enough or the hesitation to share a tool you built, these internal blockers limit your impact. This session is about moving past the “quiet professional” trap and building a reputation that matches your technical depth without losing your soul to corporate


Heather Antoinetti:
Heather Antoinetti is the CEO and founder of Ah-Ha Marketing, a boutique agency specializing in helping technical experts and thought leaders in the cybersecurity and technology sectors amplify their voices and establish authority. With nearly two decades of global marketing experience, Heather has built a reputation for transforming complex technical concepts into clear, compelling stories that build trust and inspire action.

Heather has worked alongside brilliant technical minds throughout her career, partnering with organizations like Elastic, AWS, IBM, and Accenture to help their experts translate deep expertise into impactful messaging. She is passionate about empowering engineers, security leaders, and innovators to overcome communication challenges, build authentic personal brands, and position themselves as trusted authorities.

One of Heather’s proudest achievements is creating a personal branding course tailored for cybersecurity professionals, enabling them to craft their narratives, share their expertise, and redefine their professional presence. Her approach combines storytelling, authenticity, and practical strategies to help leaders and technical contributors achieve bold career aspirations.

Heather’s own journey mirrors the challenges many technical experts face. She stepped into the cybersecurity industry with no prior experience, battled imposter syndrome, and earned the trust of industry leaders by connecting their technical skills to business growth. This experience has become the foundation of her work: helping others overcome similar hurdles and build confidence in sharing their unique value.

Heather believes that every professional’s story is their most powerful tool and that trust is cybersecurity’s most valuable currency. Her mission is to help others navigate their own quests to build authority, amplify their impact, and achieve lasting success.

Come see Heather Antoinetti at RVAsec 15!


RVAsec 15 Speaker Feature: Ryan O’Donnell

Catching Collection in M365: Outlook and SharePoint Canary Tokens

After a stolen token grants access to M365, the next move is predictable: search for value before exfiltration. This talk shows how to detect that collection phase using canary tokens built on native telemetry across Outlook and SharePoint/OneDrive. We cover end-to-end implementation and results from live production deployments, including what produced high-fidelity signal and what created noise.


Ryan O’Donnell:
Ryan O’Donnell is a Senior Security Engineer at Microsoft. Over the last 13+ years, he’s been performing Penetration Tests, Red Team assessments, and Incident Response investigations. Ryan has presented at the following conferences: Wild West Hackin’ Fest, Saintcon, Hack Space Con, Hack Red Con, BSides Las Vegas, BSides NoVa, and BSides Roanoke. Ryan has a Masters in Cybersecurity from GMU and the following certifications: OSCP, OSEP, GCFA, and GREM.

Come see Ryan O’Donnell at RVAsec 15!