Johnny Xmas
"I don't seek to be well-known, I seek to be worth knowing"
Chicago, Illinois, United States
Actions
Johnny Xmas is the Global Head of Offensive Security for a Fortune 200 manufacturing and agriculture corporation, where he leads a formal offensive security program spanning penetration testing, red teaming, adversarial simulation, and exposure assessment. With 16+ years in Information Security and 26+ years in IT operations, he has spent his career finding the gap between what security claims to do and what it actually detects.
A recognized figure in the Chicago information security community since 2002, Johnny is a board member of BurbSec and co-organizer of BSides312. His past roles include Director of Cyber Training at GRIMM (security research), infrastructure defense at Kasada, Lead Researcher on Uptake's Industrial Cybersecurity Platform, and years as a penetration tester and security engineer for Fortune 500 organizations. He's also earned recognition for exposing critical vulnerabilities in mainstream consumer infrastructure—most notably the TSA Master Key leaks and Venmo stalking vectors.
Today, he applies that same skepticism to enterprise security programs, asking the questions most organizations desperately avoid.
Links
Area of Expertise
Topics
SIEM and the Art of Motorcycle Maintenance
The Art of Proper SIEM and Motorcycle Ownership
Join me, an infamous local SIEM and motorcycle destroyer, as I walk you through the dos and don’ts of SIEM and motorcycle ownership!
A Word of Caution
NOTE: This talk will contain zero information that you have not heard many, many times before. For some reason, however, I see all of it being violated in the most egregious ways at company after company after company.
This has led me to believe that the industry has either:
Never received all of the information all at once, or
Not been given the information in a manner that didn’t immediately induce a deep and lengthy coma (probably the latter).
The Thousand-Foot View
As such, I will be attempting to convey the thousand-foot view of how to (or not to) choose, stand up, and manage a SIEM by wrapping it in thinly veiled metaphors derived from my hobby: propelling myself over (and sometimes at) asphalt at extremely high velocities.
Get ready for an enlightening journey through the world of SIEMs and motorcycles!
Superposition, not Superstition
SUPERPOSITION WITHOUT SUPERSTITION
## Why the foreseeable state of quantum computing is not a nightmare for security practitioners
In this illuminating talk, we’ll cut through the quantum hype to reveal why security professionals can approach quantum computing with informed confidence rather than panic.
While headlines scream about the imminent apocalypse of our cryptographic systems, reality paints a dramatically different picture. This presentation delivers a refreshingly sober analysis of quantum computing’s actual security implications, replacing fear with facts.
Key Insights:
*Reality Check on Timelines*
The horizon for practical cryptographically relevant quantum computers stretches far beyond sensationalist coverage, likely years or even decades before systems capable of breaking RSA or ECC at a meaningful scale materialize. Even then, these systems will initially be massive research facilities accessible primarily to nation-states, not everyday threat actors.
“Unless you’re a high-priority target for these select few actors with nation-state resources, should quantum computing really keep you up at night?”
*Technical Hurdles That Won’t Disappear Overnight*
We’ll dissect the substantial challenges quantum computing still faces, comparable to nuclear fusion energy, where “breakthrough announcements” often represent minimal progress in the greater journey. Error correction requirements, qubit coherence limitations, and scaling challenges aren’t merely engineering problems but fundamental physics puzzles requiring revolutionary solutions.
*The Quantum Security Advantage*
Discover how quantum technologies themselves offer robust security benefits through innovations like Quantum Key Distribution (QKD). Learn how the security community’s decades of preparation have yielded practical post-quantum cryptographic standards and hybrid approaches that organizations can implement today as part of sensible transition strategies.
*Beyond the Hype: Practical Preparation*
Walk away with actionable insights on how to approach quantum-resistant security planning without overinvesting or underestimating. Learn which threats are real, which are exaggerated, and how to communicate quantum risks accurately to stakeholders and executives.
Join us for a reality-based assessment that replaces quantum superstition with quantum understanding, providing security practitioners with a practical perspective on this fascinating technological frontier.
This session is ideal for CISOs, security architects, and security practitioners who need to separate quantum computing fact from fiction.
Travel Hacks for the Traveling Hacker
Work Travel Hacks: Comfort in the Skies, Chaos on the Ground
Whether you’re a seasoned road warrior or just dipping your toes into corporate and conference jet-setting, this session is your carry-on packed with real-world tips to make travel suck a whole lot less.
Join Johnny as he unpacks the art of surviving airports, hotels, and the gastrointestinal distress that all that restaurant food is guaranteed to induce.
What You’ll Learn:
Flight price hacks — including how to score more legroom for free
Status acceleration — because loyalty programs are rigged… until they’re not
Comfort in coach — yes, it’s possible
Bag pack hacks — master the one-bag life
The myths of drugs and hydration — melatonin and electrolyte bro science, debunked
Dodging jetlag — without selling your soul to circadian math
Lightspeed airport traversal — TSA can’t stop you if they can’t catch you
Easily eating healthy — even when trapped between gate C27 and Auntie Anne’s
Hotel selection hacks — comfort, cleanliness, and quiet in a single swipe
You’ll leave with practical, road-tested strategies for maximizing comfort, productivity, health, and personal space—even at 50,000 feet.
Perfect for anyone who wants to make business travel feel less like a chore and more like a first-class hustle (even in seat 48B).
Bring your passport, but gate check your stress.
Ask a (Real) Hacker!
Tired of panels loaded with pre-screened, "safe" questions and guarded responses from corporate suits? We've got the cure for insomnia right here. Johnny Xmas, a hacker familiar with both being on the right side of corporate security and the wrong side of the American legal system, will field any queries you may have been to afraid to ask.
Adversarial mindsets, motivations and money laundering? Tactics, Techniques, and Procedures? NO QUESTION IS TOO ILLEGAL for this stage!
We may wish to gather some questions ahead of time, simply to allow audience members to remain anonymous.
Infosecs and the City
BurbSec Meetup: Exploring the Midwest’s Social InfoSec Scene
A current showrunner of BurbSec meetups will delve into the vibrant social InfoSec community developing across the Midwest. Drawing from real-world experiences and notable success stories, they’ll offer insights into the most productive “CitySec” frameworks in the region. You’ll gain an insider’s look at how these grassroots gatherings have fostered networking, professional development, and knowledge sharing among security enthusiasts at all levels.
By the end of this session, you’ll walk away equipped with the essential knowledge and practical tools needed to launch your own meetup or to breathe new life into an existing one. Whether you’re a seasoned InfoSec professional or just starting out, you’ll discover clear, achievable steps for building a thriving local security community. Join us to learn how to forge meaningful connections and set your “CitySec” initiative on a solid path to success
Poisoning Pidgins in the Park
Discover how a hacker hobbyist—armed only with curiosity and spare time—took on an active supply-chain attack against the popular FOSS communication tool, Pidgin. In this talk, you’ll learn all about the step-by-step incident response process: from spotting red flags in the code to countering advanced social engineering ploys orchestrated by a crafty threat actor across multiple platforms. It’s a real-world example that shows how anyone—even with zero professional security background—can become an effective defender and give back to the community.
If you’ve ever found yourself stuck in the frustrating loop of “How can I get a job if I have no experience because I can’t get a job?”, this session is for you.
Saving Ryan's Privates
The Illusion of Privacy: When Your Intimate Photos End Up Online
You did everything right:
* A long and hard password
* The thing that sends a code to your phone
* You even used a VPN even though you don’t know what it does but YouTube said it keeps hackers away
* Everything, and yet…
There they are: those full frontals you sent to your SO 3 years ago, now splayed across some website with a weird name like “Coomer.party.”
How Did This Happen?
You don’t know, but Johnny does. Come sit in as he discusses:
* The nonexistence of privacy in the digital age
* The most common methods of theft of the most private of photos
* What you can do to protect yourself
Despite strong passwords and MFA use, we'll discover how the world’s most private digital assets are still being stolen and leaked. Join Johnny as he exposes privacy myths, common theft methods, and actionable steps to reclaim control.
5 Lies Enterprise Security Still Tells Itself
Nearly 10 years ago, Johnny quit full-time penetration testing out of sheer boredom. The repetitive nature of finding the same systemic problems at company after company made the gigs not only a cure for insomnia, but also exceptionally frustrating to someone who cares deeply about security.Now he’s back, and wow, is he pissed about what he found. Join him as he rants about the biggest (and most actionable) things Large Enterprises are still doing wrong from a cybersecurity perspective, and presents basic frameworks for fixing them!
Your security program is built on a foundation of convenient lies. Your risk register holds 2014 acceptances. Your asset inventory doesn't exist. Your identity perimeter is a joke. Your vendor controls are theater. And that expensive shelfware? It's never actually alerted on anything you'd care about.
This is not a technical deep-dive. This is a no-bullshit inventory of enterprise security theater — the persistent, systemic failures that breach-tested Fortune 500s keep repeating, slide after slide, hack after hack.
In this talk, Johnny Xmas (Global Head of Offensive Security) walks through:
Why your risk register is a graveyard of zombie acceptances with no expiration date
Why you don't actually have an asset inventory (you have a spreadsheet graveyard)
Why your identity perimeter is blurry by design — and how that becomes Midnight Blizzard's entry point
Why vendor risk is theater backed by questionnaires from salespeople
Why you bought expensive controls that don't detect anything because you skipped the 80% of the work that matters
And the kicker: actionable takeaways you can do RIGHT NOW.
This talk is for security leaders, architects, and anyone who's tired of the annual "we need better security" deck that solves nothing. Expect irreverence, real examples, and a hard look at why the same breaches keep happening.
IC (What you Did There)
For many of us in IT, the thought of moving into management feels like abandoning our true passion—our technical skills. Who wants to trade coding for meetings, or problem-solving for paperwork? But how can we advance our careers and command higher salaries without stepping into management? This session will equip you with the mindset, strategies, and negotiation skills to thrive as a technical expert. Learn how to carve out a rewarding career path that honors your talents, keeps you hands-on, and helps you avoid the management track. Let’s ensure you never have to leave Vim behind!
DefCamp 2025 Sessionize Event
Johnny Xmas
"I don't seek to be well-known, I seek to be worth knowing"
Chicago, Illinois, United States
Links
Actions
Please note that Sessionize is not responsible for the accuracy or validity of the data provided by speakers. If you suspect this profile to be fake or spam, please let us know.
Jump to top