Chaitanya Rahalkar
Software Security Engineer at Block Inc. (f.k.a. Square Inc.)
Austin, Texas, United States
As a security professional and researcher focused on building scalable security systems, I bring valuable perspective on innovative security solutions that truly work at scale. With several published papers in cryptography, network security, and privacy, I combine academic rigor with practical implementation experience. My experience collaborating with teams to design and implement security solutions while maintaining operational excellence in areas like scalability, performance, and cost optimization provides me with a strong framework to evaluate cutting-edge security initiatives.
I am also a course instructor and the author of my first book - "Cybersecurity for Startups: A Blueprint for Growing Securely," where I share practical insights to help emerging companies build strong security foundations. Currently, I am the cofounder of OmniChat, an AI-based startup revolutionizing customer engagement solutions. My entrepreneurial journey includes roles as a founding engineer at two startups, where I played a pivotal role in architecting and building their engineering systems from the ground up.
My background, including security engineering at Praetorian, Meta (formerly Facebook), and now Block Inc. (formerly Square Inc.), gives me broad exposure to diverse security challenges and solutions across different industries and scales. Having worked on projects from fuzzing platforms to payment systems security, I can evaluate and brainstorm problems from multiple technical angles while understanding their practical business impact. I'm passionate about fostering innovation in cybersecurity and believe my experience building scalable security systems combined with my academic research background would help identify truly groundbreaking contributions to the field. The opportunity to recognize excellence while connecting with other security leaders aligns with my commitment to advancing cybersecurity practices across the industry.
Topics
Weaving Zero-Trust into Web DNA: Architecting the Unbreachable
In an era where perimeter security is as effective as a paper shield, traditional web security models are being transformed by the fusion of zero-trust principles, AI-driven defenses, and DevSecOps practices. This technical session unveils how modern web architectures are evolving from static defense patterns to dynamic, intelligent security systems that adapt to emerging threats in real-time.
We'll explore the architecture of next-generation web applications where trust is continuously earned rather than implicitly granted. Through practical demonstrations and real-world implementations, we'll examine how AI-powered behavioral analytics, continuous authentication patterns, and automated security responses create a defensive mesh that's both robust and invisible to legitimate users.
Key focus areas:
1. Engineering trust verification systems that authenticate both humans and machines
2. Implementing behavioral biometrics for continuous identity validation
3. Deploying AI/ML models for real-time threat detection and response
4. Integrating security automation within high-velocity development pipelines
5. Building self-defending APIs with intelligent monitoring systems
Perfect for architects and senior developers, this session bridges the gap between theoretical zero-trust models and practical implementation in modern web applications. You'll leave with actionable insights for building systems where security is woven into the application's DNA rather than bolted on as an afterthought.
Supply Chain Poisoning: Breaking Trust in Modern Software Delivery
The software supply chain has become prime territory for sophisticated attacks, as demonstrated by recent high-impact incidents like the 3CX compromise affecting 18 million users and the Okta breach impacting 150 organizations. This technical session explores how attackers exploit modern application dependencies, build processes, and distribution channels.
Through live demonstrations, we'll examine attack vectors including package registry manipulation, build system compromises, code signing certificate theft, and repository poisoning. We'll analyze real-world cases like the PyPI repository attacks and the Codecov breach to understand attacker methodologies and their cascading impacts across the development ecosystem.
Key areas covered:
1. Package registry exploitation techniques
2. Build pipeline compromise methods
3. Code signing infrastructure attacks
4. Repository poisoning strategies
5. SBOM implementation
6. Binary attestation systems
7. Automated dependency scanning
8. Secure build pipeline architecture
This Red Track presentation includes technical demonstrations of both attack techniques and defensive tooling. Attendees will gain practical knowledge in identifying vulnerable dependencies, implementing secure build processes, and establishing robust verification systems for their development infrastructure.
Perfect for offensive security researchers and defenders alike, you'll leave with actionable insights for securing your software supply chain against sophisticated attacks.
The Linguistics of Large Language Models: What Your AI's Mistakes Reveal
When GPT-4 writes "I'll send you the attachment later" (without any ability to send attachments) or ChatGPT claims it can "see" an image that isn't there, what's really happening? This talk dives into the fascinating patterns of AI hallucinations, exploring how linguistic analysis of AI errors provides unique insights into how these models actually work. Through live examples, we'll examine common patterns of LLM mistakes and what they reveal about the underlying architecture and limitations of current AI systems.
Key Points:
1. Common patterns in AI hallucinations and their linguistic roots
2. The disconnect between capability claims and actual abilities
3. How context windows influence AI behavior
4. Understanding prompt injection through linguistic analysis
5. Real-world examples of AI linguistic patterns
6. What these patterns tell us about future AI development
Secret Zero: The DevSecOps Trap No One Talks About
Everyone talks about secrets management, but there's a critical paradox we rarely discuss: how do you securely bootstrap your first secret? This lightning talk dives into the "Secret Zero" problem - the challenge of securely managing the initial secret needed to access your secrets management system. We'll explore why this fundamental challenge becomes a critical issue in cloud-native environments, common pitfalls teams fall into, and practical patterns for addressing it.
Key Points (60 seconds each):
1. The paradox: Why Secret Zero is a circular problem
2. Common anti-patterns that create vulnerabilities
3. Real-world examples of Secret Zero breaches
4. Architectural patterns that work
5. Immediate actions for your current system
Kubernetes Runtime Security - Detecting and Preventing Real-World Attacks
While many teams focus on securing their Kubernetes clusters during deployment, runtime security often gets overlooked. This talk demonstrates real attack scenarios and shows how to implement practical runtime security measures to detect and prevent them. Through live demonstrations and real-world examples, we'll explore how to build a robust runtime security strategy that doesn't compromise application performance.
Takeaways
1. How to identify and prevent common runtime attacks
2. Practical implementation of security monitoring
3. Tools and techniques for threat detection
4. Performance optimization strategies
5. Incident response procedures
6. Real-world security policy examples
Outline for the talk:
1. Understanding Runtime Threats (7 minutes)
   Common attack vectors in production clusters
   Container escape techniques
   Privilege escalation paths
   Supply chain attacks
   Runtime vulnerability exploitation
   Crypto mining detection
2. Detection and Prevention Strategies (8 minutes)
   Runtime security tools comparison (Falco, Tracee, Tetragon)
   System call monitoring
   Container behavioral analysis
   Network activity monitoring
   File integrity monitoring
   Custom security policies
   Integration with incident response systems
3. Live Demo (10 minutes)
   Setting up runtime security monitoring
   Simulating common attack scenarios:
      Container escape attempt
      Unauthorized process execution
      Suspicious network connections
      File system tampering
   Demonstrating detection and response
   Alert investigation workflow
Navigating AI Security: Protecting Your Organization in the Era of Generative AI
As generative AI tools become mainstream in enterprise environments, organizations face new security challenges around data privacy, prompt injection attacks, and model vulnerabilities. This session examines emerging security risks in deploying AI systems, from sensitive data leakage through model responses to supply chain concerns with third-party AI services. We'll explore practical strategies for secure AI integration, including proper access controls, prompt engineering best practices, and monitoring mechanisms for AI interactions. Using recent incidents as case studies, we'll discuss how to develop AI security policies that balance innovation with risk management. Whether you're currently using AI tools or planning to adopt them, you'll learn actionable steps to protect your organization's data and systems in this rapidly evolving landscape.
The core of our discussion focuses on practical defense strategies across three key areas: data protection, access management, and operational security. We'll explore essential topics including:
1. Developing robust AI usage policies that protect intellectual property
2. Implementing proper authentication and monitoring for AI system access
3. Detecting and preventing prompt injection attacks
4. Managing sensitive data exposure risks in AI interactions
5. Evaluating third-party AI service providers for security compliance
6. Training employees on secure AI usage practices
This session is designed for security professionals, technology leaders, and decision-makers who need to understand and address AI security risks while enabling their organizations to benefit from these transformative tools. No deep technical knowledge is required, though familiarity with basic security concepts and enterprise AI use cases will be helpful.
Navigating AI Security: Protecting Your Organization in the Era of Generative AI
As AI tools become mainstream in enterprises, organizations face critical security challenges around data privacy, prompt injection attacks, and model vulnerabilities. This session explores key risks in deploying AI systems, from data leakage through model responses to supply chain concerns with third-party services.
We'll examine practical strategies for secure AI integration, focusing on:
1. AI usage policies for IP protection
2. Authentication and monitoring controls
3. Prompt injection attack prevention
4. Data exposure risk management
5. Security evaluation of AI vendors
6. Employee security training
Designed for security professionals and technology leaders, this session requires no deep technical knowledge but assumes familiarity with basic security concepts and enterprise AI use cases. We'll use recent incidents as case studies to demonstrate how to develop security policies that balance innovation with risk management.
Killer CLIs: Building Platform Tools Developers Actually Want to Use
Why do developers love some CLI tools and hate others? Deep dive into the psychology and design patterns behind successful platform CLIs, with real examples of transforming clunky tools into developer favorites.
eBPF - The Superpower You Didn't Know Your Linux Kernel Had
Extended Berkeley Packet Filter (eBPF) is revolutionizing how we observe and secure Linux systems. This lightning talk cuts through the complexity to show how eBPF can give you superpowers for debugging, performance analysis, and security monitoring - all without changing your application code or kernel.
This talk is perfect for Security Ops engineers, SREs, Cloud Security Engineers and System Administrators who want to level up their observability game. Basic familiarity with Linux systems is preferred but not required.
Outline:
1. eBPF Fundamentals
1.1 What is eBPF and why should you care?
1.2 How it works: The 30-second technical explanation
1.3 Key capabilities and limitations
2. Practical Applications
2.1 System performance analysis
2.2 Security monitoring and enforcement
2.3 Network observability
2.4 Custom metrics collection
3. Tools & Implementation
3.1 Popular eBPF-based tools (bcc, bpftrace)
3.2 Integration with existing observability stacks
3.3 Getting started with minimal overhead
4. Live Demo
4.1 Quick demonstration of system introspection
4.2 Real-time performance analysis
4.3 Security monitoring example
GitOps in Action - Building a Production-Grade Delivery Pipeline with ArgoCD
This workshop offers a fast-paced, hands-on experience to teach Kubernetes professionals how to adopt GitOps practices in their organization. In this immersive 90-minute session, attendees will get hands-on, actually building a real-world GitOps pipeline using ArgoCD, one of the most popular GitOps tools in the cloud-native arena.
Starting with a very brief introduction to the concepts of GitOps, the workshop quickly moves into practical implementation, where participants will be working in their own isolated environments, setting up ArgoCD, configuring application deployments, and executing multi-environment strategies. The workshop focuses on experiential learning: attendees will get hands-on experience with common scenarios like environment promotion, secret management, and rollback procedures.
By the end of these 90 minutes, attendees will have created a working GitOps pipeline and gained hands-on experience they can easily put into practice in their organizations. Every participant will get access to detailed documentation, sample code, and continued post-workshop support through a private Slack channel. This workshop is specifically designed for DevOps engineers, platform teams, SREs, operations engineers and Kubernetes administrators looking to automate their deployment processes and implement best practices in GitOps. With its focused curriculum and hands-on approach, attendees leave equipped with both the knowledge and the practical skills required to start implementing GitOps in their own environments.
Container Breakouts: From Zero to Host Compromise
Container escape vulnerabilities continue to plague organizations, elevating small misconfigurations into full host compromises. This talk goes into advanced techniques to discover and exploit container escape vectors, from capability abuse all the way to runtime manipulation. In this talk, we'll examine, through live demonstrations and real-world case studies, how attackers link ostensibly minor issues into complete system compromises.
In the talk, attendees will see live demos of real-world container escape techniques, including Docker socket exploitation, privileged container abuse, and volume mount attacks. The discussion not only reveals vulnerabilities but also provides a deep understanding of how these security flaws come to be, how they can be related to each other, and, most importantly, how they can be prevented in production environments. Through a series of carefully crafted demonstrations, attendees will gain insight into how attackers can leverage seemingly insignificant misconfigurations to achieve significant security compromises.
This presentation is ideally suited for security engineers, container platform engineers, DevSecOps practitioners, and penetration testers, as it effectively connects theoretical concepts of container security with practical exploitation techniques observed in real-world scenarios. Attendees will leave not only with knowledge but also with hands-on tools and methodologies that can be put into practice to test and secure their own container environments immediately. The talk includes access to custom testing tools, hardening guides, and a lab environment setup guide, so participants can easily continue their learning after the session. What really sets this discussion apart is that it covers both offensive techniques and defensive strategies, giving an overall view of container security in modern DevOps environments.
Breaking Down Buffer Overflow Exploits: From Vulnerability to Patch
This session offers a deep dive into buffer overflow vulnerabilities through practical examples and hands-on demonstrations. We'll start by examining vulnerable C code, explore the mechanics of buffer overflow attacks using assembly-level analysis, and understand how attackers can manipulate memory to execute arbitrary code. The presentation will cover modern protection mechanisms like ASLR, DEP, and stack canaries, demonstrating both their implementation and potential bypasses. Using recent CVE examples, we'll analyze real-world exploitation scenarios and discuss effective mitigation strategies, including secure coding practices and systematic patch development. Attendees will gain practical insights into both offensive and defensive aspects of memory corruption vulnerabilities.
Chaos Engineering: Breaking Your Cloud to Make It Stronger
What happens when your security controls fail? In this lightning talk, we'll explore how to apply chaos engineering principles to cloud security. Learn how deliberately introducing controlled security failures can help identify vulnerabilities, improve incident response, and build more resilient cloud systems before real attackers find weaknesses.
This talk is ideal for cloud engineers, security professionals, and SREs who want to proactively improve their security posture through controlled experimentation. Basic knowledge of cloud infrastructure and security concepts is recommended.
Outline:
1. Security Chaos Engineering Fundamentals
1.1 From Netflix's Chaos Monkey to security testing
1.2 Building a security experiment framework
1.3 Defining blast radius and safety measures
2. Practical Experiments
2.1 IAM permission testing
2.2 Network security group failures
2.3 API gateway chaos
2.4 Authentication system stress testing
3. Measuring and Learning
3.1 Key metrics for security resilience
3.2 Learning from controlled failures
3.3 Building automated security chaos testing
3.4 Creating feedback loops
Beyond Prompts: Understanding and Defending Against AI-Powered Social Engineering
As AI language models become more sophisticated, so do social engineering attacks. In this session, we look at how attackers leverage AI in creating convincing phishing emails, voice deepfakes, and chatbot scams. We will analyze real-world examples and go into the technical patterns behind AI-generated attacks, developing practical strategies for detection. Learn how large language models are misused for scams, how to track their telltale signs, and what tools and techniques will help you build more effective defenses against them.
We will also look at the current landscape of AI-powered social engineering and recent attacks that have successfully breached organizations. Attendees will discover the most important indicators distinguishing AI-generated content from human-written text: linguistic patterns, contextual inconsistencies, and metadata analysis. The session will show how attackers combine multiple AI technologies, from text generation to voice synthesis, to create multi-channel attacks that are increasingly difficult to detect.
Most of the talk will focus on detection and defensive strategies. We will go over, in detail, common patterns in AI-generated phishing attempts, including how language models can be elicited to create contextually aware scam messages. Attendees will learn about the limitations of current AI models and how these limitations can be leveraged for detection. We will walk through a number of available tools for identifying AI-generated content, ranging from simple pattern matching to more sophisticated probabilistic approaches.
AI-Powered Social Engineering: Defending Against Next-Gen Deception
The rise of AI has revolutionized social engineering attacks, with phishing emails increasing by 1,265% and credential phishing surging 967% since late 2022. From deepfake executive impersonation to AI-generated spear-phishing campaigns, organizations face unprecedented challenges in detecting and preventing these sophisticated threats.
This technical session dissects modern AI-enhanced attack vectors and provides practical defense strategies against synthetic media manipulation. Through real-world case studies, including the Russian Ambassador deepfake incident and the $25M HSBC fraud case, we'll examine how attackers leverage generative AI and LLMs for targeted business email compromise.
Key focus areas:
1. Analysis of voice cloning and deepfake technologies in social engineering
2. Implementation of AI-powered detection systems for synthetic media
3. Machine learning algorithms for real-time threat identification
4. Automated response protocols for AI-detected threats
5. Multi-layered verification systems for high-risk transactions
6. Employee training strategies for recognizing AI-generated content
The session includes live demonstrations of AI threat detection systems and frameworks for implementing defensive measures. Attendees will gain actionable insights into protecting their organizations against sophisticated AI-powered deception techniques shaping the 2024 threat landscape.
Ideal for security practitioners and decision-makers, this Blue Track presentation delivers practical knowledge for building resilient defenses against next-generation social engineering attacks.
The Invisible Guardian: Building DevSecOps that Engineers Actually Love
In today's rapid development environments, security controls often create friction and slow deployment cycles. This session presents an innovative approach to DevSecOps that seamlessly integrates security controls into the development lifecycle while maintaining engineering velocity. We'll explore advanced automation techniques, intelligent feedback mechanisms, and practical strategies for implementing security controls that enhance rather than impede the development process.
Through examination of architectural patterns and real-world implementations, attendees will learn how to build scalable security automation that adapts to cloud-native environments. The session will demonstrate methods for achieving continuous security validation, automated compliance monitoring, and meaningful security metrics without creating development bottlenecks.
Key Focus Areas:
1. Architecting friction-free security automation
2. Implementing intelligent security feedback loops
3. Building scalable compliance validation
4. Creating effective security metrics and dashboards
5. Fostering collaboration between security and development teams
Attendees will gain practical insights into transforming their security operations from a perceived hindrance into a valued accelerator of the development process, while maintaining robust security controls and compliance requirements.