Hack.Sydney 2022

November 21-22Art Gallery of NSW, Sydney, Australia
Australia's premium InfoSec Training Event and Conference
Offensive and Defensive Cyber Streams

ANNOUNCEMENT: Venue for this years HackSydney has been locked in - the iconic, prestigious and amazing Art Gallery of New South Wales!

CFT is now closed for this year.
CFP is now closed for this year.
Check out the FAQ page for more info: FAQ
Platinum Sponsor for 2022

Become a Sponsor for 2022

HackSydney aspires to be an inclusive, diverse and educational InfoSec Conferences in the APAC region.
To be held in Austalia's biggest city, Sydney, HackSydney aims to bring together professionals from all aspects of the InfoSec industry.
The conference will cover all aspects of the industry, ranging from offensive security to defensive security and everything in between.

HackSydney will be held over five days, which will include three days of trainings, followed by by action-packed days of talks that will cover a wide range of topics and will feature some of the best minds in the industry.
The event will be held in the heart of the city of Sydney, Australia.


Simplifying MISP - Threat Intelligence for dummies

Domain Theatre
Threat Intelligence is a key component for DFIR teams. Having a place for tracking IOCs, being able to quickly identify threat actors and their techniques for quick wins and to help guiding the strategy for the investigation is a must. We will discuss the challenges to implement the most simplified use of Malware Information Sharing Platform (MISP) and the lessons learned. Liz and Ben will share real-world examples from their day-to-day cyber security roles in this talk and will take the audience through the steps that they take in order to get the most out of MISP. Both Liz and Ben have many years of experience working on large-scale security incidents and the range of their work experience covers everything from small businesses all the way to some of the biggest enterprises in the world.

The De-RaaS’ing of Ransomware

Domain Theatre
For the last several years, starting with the rise of GandCrab, Ransomware as a Service (RaaS) has been one of the drivers fueling the growth of ransomware. But, that seems to be changing. The high profile exposures of REvil, BlackMatter and Conti have made some affiliates skittish about joining a large RaaS group and they are choosing to “go it alone” instead. This talk will look at the current state of RaaS and the larger ransomware ecosystem and what this change means for defenders.

Hacking Kubernetes: Live Demo Marathon

Domain Theatre
This talk introduces advanced security concepts to guide attendees through the tricky parts of securing Kubernetes clusters with simple demonstrations, views of historical attacks, and the use of modern lightweight threat modelling techniques.
In a live evocation of the recent O’Reilly title Hacking Kubernetes (Martin, Hausenblas, 2021), this ultimate guide to threat-driven Kubernetes defence threat models and details how to attack and defend your precious clusters from nefarious adversaries.

Game hacking like it’s 1999

Domain Theatre
Learn how to hack a classic real time strategy game. The talk will cover reverse engineering the game engine and player structures, hooking functions, performing DLL injection, and ultimately creating a working trainer.
  • Understanding the game
  • Reverse engineering the game
  • Binary patching
  • Memory scanning
  • Player structures
  • Resource hacking
  • DLL injection
  • Working game trainer demo
  • Tropic Troubles: In this Campaign, Your Tool Hacks You

    Domain Theatre
    The talk covers a cluster of activity making use of the Trojan YAHOYAH, as described in Trend Micro’s original report about the “Tropic Trooper” group. It explores, with great caution, the apparently fantastical motive implied by the use of Trojanized “SMS Bomber” Denial-of-Service tools as part of the attack. We delve into the newest escapades of a threat actor with ties to Tropic Trooper, a group documented by Trend Micro that has targeted the Philippines, Hong Kong, and Taiwan. Featuring cursed programming languages that your AV will shoot on sight, bog-standard backdoors that are somehow never done and always need new features, strange homebrew AES, and hacking tools ‘tweaked’ to compromise the unfortunate end user – the details paint a picture of a focused, capable actor, and give us a worrying glimpse into a future of malware hand-crafted to torture malware analysts.

    Pen-testing opensource databases (MySQL and PostgreSQL)

    Domain Theatre
    Are your database(s) secure? No, not the application, the database! Usually, everyone is focused on the application security and consider the database server to be “protected” by the network firewalls. But what if the first layer of defense fails and your database is exposed from the internet or via SQL injection? Will a bad actor be able to escape from the database and get root shell or exfiltrate other database tenants data? Penetration tester’s goal is to pretend to be a “bad actor” and try to find all the week spots in a simulated scenarios. I will show a number of “week spots” when dealing with opensource relational databases (MySQL and PostgreSQL) and how to protect from them.

    Unconventional ways of getting into Cyber Security

    Domain Theatre
    This talk is focussed around some of the different ways of getting into the cyber security industry. I will be covering some of the mentoring programs the industry has on offer and some training options that most people starting out in cyber are not always aware of. I will also be talking about gender diversity within the field over time, with focus on women on security.

    A critical analysis of the Australian cyber security industry

    Domain Theatre
    Cybersecurity strategy will always trump technology. A critical analysis, informed by on the ground reality is needed to make informed decisions.By the end of this talk, attendees will have an appreciation for on the ground cyber security realities to prepare for the foreseeable years ahead. As i find myself and my own business grow and mature, I’ve also found myself regularly analysing the marketplace of an industry I have found a place in over the past 12 years. Every few months there’ll be a proclamation of “{X} {trade} is dead” all the way through to some cryptocurrency washout come thought leader reinventing bug bounties. Having attempted to conduct several qualified assessments of the market and provide commentary on these through a number of mediums, I wanted to take some time out to provide a “strategic overview” with a technological grounding as to where our awesome industry is heading. Fundamentally, Im concern theres a risk of a “dot com” bubble style recession as a result of maligned expectations, growth and lack of necessity. Areas I intend to focus on include:
  • Market and domain overview from a supplier standpoint relative to demand.
  • Vulnerabilities in the internal structure and client processes for delivery.
  • A critical analysis of the skills shortage.
  • Risks of an impending oversupply of capability relative to waning demand.
  • Opportunities to ensure a sustainable, meaningful industry.
  • API Security testing: The good, the bad, the ugly

    Domain Theatre
    The Internet and Pets have an old relationship. It started with the infamous Pets.com. While unfortunately, the business crashed, it established that online was here to stay. To run a business online, we used to buy server hardware for operations. We named these with respect—animals, dragons, star wars, wines, or movie characters. Just like our pets. Fast forward to today, Infrastructure is overwhelmed with pets again. This time around, we are exchanging pet photos and ordering pet supplies. Suddenly, we have a flock of the APIs at our disposal.
    In this talk, we intend to explain the rationale behind integrating API security testing into your Development life cycle to build secure applications and APIs using various OSS and Enterprise tools. We will also discuss some real-world scenarios which will help you solve the ultimate debate on Delivery v/s Security and solve for cascading impacts, ever so common in today’s world of distributed systems.

    Learning from the mistakes of others; preventing and preparing for incident response

    Domain Theatre
    “… learning by the mistakes of others is a far simpler and less expensive process than making them all yourself.” - American Machinist, 1920. Despite being over 100 years old, this quote is still relevant to businesses trying to maintain their security today. So let’s learn from other’s mistakes!
    Join me on a journey through the compromise of a fictitious company, from initial access all the way through to mission complete. We’ll take stops along the way to zoom in on how the attacker did what they did, and discuss what the victim could have done to prevent these actions from being successful. We’ll also talk about steps the victim could have taken to make their environment more “investigation ready”, and highlight that because these steps were not taken, the investigation was not conclusive. Being derived from real-world incident response engagements, you’ll literally be learning from the mistakes of others.

    Keeping Secrets Secret

    Domain Theatre
    Every team can improve their secrets management, but where do we start? This talk discusses the goals of good secrets management and shares the tools and approaches that will help teams improve their secrets management regardless of maturity.
    Having worked with a range of teams and organisations, from serverless startups, to big banks, to scientific organisations - we know there’s no one-size-fits-all approach to secrets management. We also know there are so many code bases out there with API Keys hard coded into them (Olly knows, he's found his fair share!).
    In this talk Olly lays out the fundamentals of good secrets management, identity and access management and the building blocks for workload identity. The talk also introduces some open-source tools and resources that will help enable teams to improve their secrets management with minimal time and effort. Olly answers the question of how do you move from committing keys to source control, to modern secrets management (e.g. HashiCorp Vault) in small, meaningful, approachable steps.

    Throw Away Your Passwords: Trusting Workload Identity

    Domain Theatre
    The move to Cloud has fundamentally changed the way workloads are deployed and managed. What hasn’t changed is the need to secure access to the secrets and services our applications rely on to operate. How can we leverage workload identity to aid us in the struggle against secrets proliferation.
    How can we authenticate access between the workloads that we deploy without an explosion in the number of secrets that we need to manage? How do we effectively protect access to the remaining secrets that we do still need? Wouldn’t that itself require another secret? Can we find a firm footing, a secret zero, or is it really turtles all the way down?
    In this talk Mario aims to demystify workload identity, what it is and how it can be used to address these challenges. By making use of a platform such as Kubernetes as a trusted identity provider workloads can be provisioned with an identity from the outset, halting the infinite regress of secrets needing to be managed. Federation of these identities outside the cluster can also be achieved, extending the trust domain to your Cloud provider and beyond.

    More talks will be announced over the coming days, stay tuned!

    Day 2 Agenda Coming Soon...

    Day 3 Agenda Coming Soon...


    Art Gallery of New South Wales

    The Art Gallery of New South Wales, founded as the New South Wales Academy of Art in 1872 and known as the National Art Gallery of New South Wales between 1883 and 1958, is located in The Domain, Sydney, Australia. It is the most important public gallery in Sydney and one of the largest in Australia.

    HCKSYD 2022 will be held at The Art Gallery of NSW on 21 and 22 November.

    Where to find the Venue

    Art Gallery Road, The Domain, Sydney NSW 2000, Australia. On the eastern side of Sydney’s CBD, next to the Royal Botanic Gardens and the Domain, just down the road from St Mary’s Cathedral.


    Domain Car Park – Book parking in advance via the Wilson Parking website or app. Please note the car-park lift closest to the Art Gallery is currently being repaired and is not operating.

    By Bus

    You can take the bus from the city center to the gallery throughout the day. Bus 441 – Departs from the York Street side of Queen Victoria Building and drops off near the Art Gallery.

    By Train

    St James and Martin Place stations are both about 10 minutes walk. For more information about public transport options, times or disruptions, contact the Transport Infoline on 131 500 or transportnsw.info

    When you arrive

    Landscape works at the front of the Art Gallery of New South Wales are currently underway as part of the Sydney Modern Project. We appreciate your patience and understanding while we work to create exciting new art experiences for everyone to enjoy.

    More Info

    HCKSYD 2022 Trainings

    Kubernetes Security: Learn By Hacking [3 days]
    Combining Red Team and Blue Team approaches for that warm Purple-y feel, information security professionals and engineers will gain an understanding of the attack surface of a cloud native system: from building applications into containers and appraising supply chain vulnerabilities, through runtime detection and monitoring, to evading the system’s defences and popping shells, this course gives you the tools you need to understand how to attack and defend against present and future threat actors.
    [16-18 November 2022]
    Training Details
    Practical Hardware Hacking - Trianing Kit included [3 days]
    With this training kit, you will gain penetration testing capabilities related to IoT devices and improve your existing knowledge. You will have not only talent but also a lot of equipment necessary to perform IoT penetration tests.
    [16-18 November 2022]
    Training Details
    Cloud Security Masterclass: Defender's Guide To Securing Public Cloud Infrastructure [3 days]
    This training focuses on elevating your threat detection, security investigations, and response knowledge into the cloud. This hands-on training built on AWS, with CTF-style exercises simulates real-life attack scenarios on cloud infrastructure & applications. It then teaches you to build defensive guard rails against such attacks by using cloud-native services on AWS. This makes it an ideal class for both red & blue teams.
    [16-18 November 2022]
    Training Details
    Fuzzing Cloud Native Apps: Zero to Hero [2 days]
    Fuzz a python, go, java, or JavaScript app for days but you are not going to find any interesting security vulnerability. Although fuzzing has been very fruitful for detecting severe security vulnerabilities in C or C++ programs, fuzzing seems less efficient against Cloud Native Apps. The good news is, recently, there has been some advancement in fuzzing approaches and has made fuzzing against cloud apps very effective.
    [16-18 November 2022]
    Training Details
    Hacking Modern Web & Desktop apps: Master the Future of Attack Vectors [3 days]
    This course is a 100% hands-on deep dive into the OWASP Security Testing Guide and relevant items of the OWASP Application Security Verification Standard (ASVS), so this course covers and goes beyond the OWASP Top Ten.
    [16-18 November 2022]
    Training Details
    Hacking Android, iOS and IoT apps by Example [3 days]
    Learn about Android, iOS and IoT app security by improving your mobile security testing kung-fu. Ideal for Penetration Testers, Mobile Developers and everybody interested in mobile app security.
    [16-18 November 2022]
    Training Details


    CFT for trainings is now open: Submit your Training
    CFP for presentations is now open: Submit your Presentation

    • Offensive Security
    • Network Security
    • Application Security
    • Incident Response
    • Exploit Dev
    • Secure Coding
    • Threat Intelligence
    • Penetration Testing
    • Hardware Hacking
    • Mobile Security
    • Malware Analysis and Reverse Engineering
    • Digital Forensics

    All other InfoSec topics will also be considered, as long as they are technical, hands-on in nature.
    Trainings: 2-days or 3-days
    Presentations: 45 min (Including Q&A)


    Early Bird

    15 June - 15 July.
    *Full Conference access
    *AfterParty Entry
    *Conference Swag

    General Admission 1


    16 July - 31 October.
    *Full Conference access
    *AfterParty Entry
    *Conference Swag

    General Admission 2

    1 November - 18 November.
    *Full Conference access
    *AfterParty Entry
    *Conference Swag


    20 September - 18 November.
    *Full Conference access
    *AfterParty Entry
    *Conference Swag


    1 September - 18 November.
    *Full Conference access
    *AfterParty Entry
    *Conference Swag


    1 September - 18 November.
    *Full Conference access
    *AfterParty Entry
    *Conference Swag

    Sponsors & Partners

    Platinum Sponsor for 2022