Two keynotes confirmed, more talks to come. Reviewed by a peer-review board of practising researchers.
Google Cloud serves nearly one million businesses, generates over $58 billion in annual revenue, and operates across 200+ countries. What happens when you let an AI loose on its APIs?
This talk covers how I built an AI-powered fuzzing system to systematically hunt for vulnerabilities across Google's massive API surface. By reverse-engineering discovery documents, first-party authentication, and API key restrictions, I turned one of the world's most opaque targets into a structured attack surface - then handed it to an LLM.
The AI flagged an internal API that shouldn't have been public. Initial exploration revealed a protobuf definition leak that turned Google's entire infrastructure into a whitebox target, and hints of a workflow task capable of executing arbitrary internal Stubby RPCs. A month later, a message in a Discord group chat changed everything.
Another researcher had independently found the same vulnerability but was stuck at a different point. Racing Google's gradual fix rollout, we combined our findings and achieved RCE on Google Cloud's production environment with just one hour to spare. Three months later, it happened again.

Arvin Shivram (@brutecat) is an independent security researcher and white hat hacker. He holds a global top 15 position in Google's all-time bug bounty leaderboard, with over $600k rewarded across 100+ submissions. His work has been featured in WIRED, TechCrunch, Forbes and The Register, covering disclosures that affected billions of users across YouTube and Google.