Session
The Sleeping Pill: How Attackers Hide Inside Your Systems, Pass Every Test You Run, and Activate on
The most dangerous attack on your systems will never show up in a penetration test report. It will pass your internal validation. It will pass third-party auditing. It will perform flawlessly in production — until a specific, precisely engineered trigger is met. Then it will fail in a targeted, controlled way. Against a specific target. On command. With no trace.
This session presents original research into how hidden backdoors are planted during the customization phase of enterprise software — and survive every form of testing organizations currently rely on. The backdoor is invisible during normal operation. It wakes up only when a specific combination of conditions appears in an ordinary-looking request. Nothing in standard security tooling catches it.
This is not an exotic edge case. It describes exactly how most organizations are building and deploying these systems right now: a company takes an off-the-shelf base product, trains it on proprietary internal data to customize it, runs its standard checks, and ships it to production. The Sleeping Pill is planted during that customization step — through a compromised data source, a malicious insider with access to the training environment, or a third-party vendor handling the customization work — and then it waits.
The consequences are concrete. The system steers a specific financial transaction toward fraud, but only when a specific account triggers it. It leaks proprietary information to an outside destination, but only when the request comes from a specific location. It produces outputs that violate regulatory requirements, but only in specific jurisdictions, on command.
The live demonstration in this session shows the full attack chain — how the backdoor survives compression, security review, and standard red-team testing — and what it looks like when it activates. The second half presents a practical defense framework: what your current tooling can and cannot catch, which monitoring approaches provide real coverage, and a pre-deployment checklist that meaningfully reduces your exposure without requiring a specialist team to implement it.
Learning Objectives
Understand how a hidden backdoor planted during the customization of a system survives the entire deployment process — including testing and auditing — and arrives in production undetected
Identify the specific points in your organization's build and deployment process where this kind of tampering can be introduced
Apply a pre-deployment checklist that goes beyond standard security testing to surface dormant, trigger-based behavior before it reaches production
Build a monitoring approach that creates visibility into whether your systems are behaving consistently — or selectively failing under specific conditions
Evaluate third-party vendors who handle system customization or training against a concrete set of supply chain security criteria
Note: This talk has not been presented at any prior event.
Sai Sravan Cherukuri
Open Source Enthusiast and DevSecOps Architect