Standard penetration tests often focus on implementation bugs, but the most critical breaches stem from Insecure Design (OWASP Top 10 A04:2021). This session, presented from the perspective of an active red teamer and adversary simulation specialist, dives into the gap between theoretical threat modeling and real-world attack path exploitation.

We will explore how to translate high-level adversary tactics (like those in MITRE ATT&CK) into proactive design reviews and custom attack scenarios. Learn to move beyond surface-level vulnerabilities by building and leveraging custom tooling and simulation techniques that specifically target design flaws, authentication/authorization logic, and chained architectural weaknesses in modern application environments (e.g., Cloud, Serverless). Attendees will leave with a clear methodology for leveraging an offensive mindset to uncover design-level risks early in the Planning and Design phase, drastically improving the security-by-design posture of their applications.