
Speaker

Qasim Ijaz

Cybersecurity leader and educator

Rochester, New York, United States

Qasim is the Director of Cybersecurity at a leading healthcare organization, overseeing detection, incident response, vulnerability management, purple teaming, and cybersecurity engineering. With a strong background in offensive security and risk management, he has helped organizations strengthen their defenses against evolving threats. He is also a dedicated educator, mentoring professionals and sharing his expertise at conferences such as BSides and Black Hat. Committed to advancing cybersecurity in healthcare, he drives innovation in proactive defense and risk management.

Area of Expertise

  • Information & Communications Technology

Topics

  • cybersecurity
  • AI and Cybersecurity
  • cybersecurity awareness
  • Cybersecurity Strategy
  • Red Team / Blue Team / Purple Team

What the Scope? Sh** my Consultant | Client Says

Together, we’ll break down the myths, misunderstandings, and misguided security decisions that plague real-world engagements. More importantly, we’ll provide actionable solutions—how both sides can work together to create realistic scopes, conduct meaningful testing, and drive security outcomes that actually matter.
Agenda:

- It's not in PCI scope
- Can you please disable the EDR?
- We have a WAF
- 850 findings, 150 critical, couldn't gain access
- We have MFA
- Can you pentest at night?

Spilling the Beans: How to Spot a Bad Pentest

Ever wondered what the magic is behind a penetration test? Did you receive a pentest report that does not line up with your expectations? Do you want to get more out of your consulting partners, or want to know the secret to landing that job at a consulting firm? Come join us as we spill the beans and disclose how the (halal) sausage is made. We will discuss pentesting from the perspective of both the client and the consultant. If you're looking to land a job at a consultancy, this talk is for you too. As we pull back the curtain and talk through real-world examples, everyone walks out with the magic sauce.

Practical AI Governance for Sentients

“AI to manage my inbox”, “AI to handle purchasing”, “AI to schedule the CEO’s flights”, “AI to ….” - FFS! Artificial Intelligence is being baked into all kinds of products. Companies are selling mediocre and often badly developed products with “AI will solve it” taglines. Sometimes it feels like those of us on security teams are using duct tape to patch the Hoover Dam. So, what do we do?

This talk is a culmination of notes I’ve taken over the past year while trying to help govern the AI onslaught at my day job and in the non-profits I consult with. I will offer practical insights via storytelling. You will walk away with a realistic view of AI’s capabilities and risks, and the talking points needed to address its adoption in your organization. The goal of my talk isn’t to help you stop AI adoption. I find AI to be extremely helpful when used to its fullest potential. My goal is to help prepare you for AI enablement in a mature, secure manner.

Penetration Testing for Systems and Network Admins

The objective of this Capture-the-Flag style class is to take students with existing networks or systems administration experience and teach them how to:
1. Perform a comprehensive penetration test against Active Directory environments.
2. Spot a bad penetration test.
We understand that not everyone taking a pen test class will want to be a penetration tester. Hence, we have organized this class to be a well-rounded experience, allowing both aspiring red teamers and blue teamers to get the most out of it. This class will provide students with hands-on experience with all phases of a penetration test, from information gathering to reporting.
Students will need to bring their own laptop with Kali Linux installed and will be provided VPN access to a lab environment for a full week.

Instructions for participants:

The class VM image can be downloaded here: https://box.bluebastion.net/index.php/s/TQFN3dQYzLJiJsp
It is a Kali Linux VM built for VirtualBox.

Please download and configure this ASAP. It is a large image (11.5GB) and can take a few hours to download.

If you’re not familiar with VirtualBox, use the following link for instructions on how to import an OVA: https://docs.oracle.com/cd/E26217_01/E26796/html/qs-import-vm.html

If you'd like to use your own Kali Linux VM, please ensure it has the following tools installed and pre-configured:

- Proxychains
- CrackMapExec
- Impacket framework
- BloodHound and the Python BloodHound ingestion script
- John the Ripper (Hashcat if you prefer and have a GPU)
- Evil-WinRM

The VPN profile, lab manual, and slide deck will be made available during class.

Just a reminder, this is not an entry-level IT/tech class. Penetration testing is a specialization within the technology field. You are expected to be comfortable with Linux and Windows to do well in this class. We will be using Kali Linux as our primary attack platform. You will be navigating the filesystem from the command line, installing software using apt-get and pip, cloning GitHub repositories using git, etc. On the Windows side, you will be attacking an Active Directory environment and exploiting configurations, not missing patches. So, it will help to be familiar with Active Directory user and device management. Should you need some resources to help you prepare, please let me know and I will be happy to recommend them.

I generally find https://tryhackme.com/ has useful resources around preparing for a penetration testing class or role. I specifically like the following:

- https://tryhackme.com/path/outline/presecurity Sections 2 (Networking Fundamentals), 3 (How the Web Works), 4 (Linux Fundamentals), and 5 (Windows Fundamentals)
- https://tryhackme.com/room/activedirectorybasics

Pivot Into Penetration Testing

SHORT COURSE ABSTRACT
Challenge yourself in attacking a fully simulated enterprise environment, complete with domain services, security controls, misconfigurations, and vulnerable applications. You will learn to effectively create devastating attack paths to gain access to the target environment’s “crown jewels” and demonstrate the impacts of a breach. This fast-paced course, led by highly skilled, recognized names in penetration testing, will teach you how to leverage penetration testing toolsets utilized by our team during hundreds of engagements. You will learn how to conduct effective, in-depth penetration tests, focused on demonstrating risks posed by modern attackers.
In this course you will:
• Perform a comprehensive, operationally focused penetration test against a modern Windows network
• Learn and execute the latest attack techniques
• Use open-source penetration tools to efficiently assess internal networks
• Apply practical skills through numerous exercises, including identifying vulnerable services, exploiting end users and host systems, and pivoting throughout a modern enterprise environment
• Participate in team-based capture the flag events, simulating successful attack paths

Five Questions to Ask Your Pentest Partner

I've been on the consulting and receiving end of penetration testing services. I've seen how the sauce is made and have been a consumer of this elusive sauce. Over the past decade, I've seen both good and bad penetration tests, and I'm here to tell you it doesn't have to be like this. We, as an industry, can do better. You, as clients, can hold us accountable. This talk consists of five questions that can be asked to start a better evaluation of your penetration testing partners. This is not a complete recipe. Instead, this will serve as a starting point for a larger conversation before the contract is signed.

Hack, Slash, and Learn: Adventures in Security

Join us for an engaging panel discussion where our seasoned cybersecurity professionals reveal the war stories from the front lines of cyber security. With over a decade of red teaming, GRC, and blue teaming experience under our belts, we’ll share riveting real-life accounts that illuminate both our triumphs and pitfalls. This session is designed not only to entertain but also to educate—providing clear pathways for aspiring security professionals, demonstrating best practices that bolster defenses, and exposing common pitfalls to avoid. Through candid storytelling, our panelists will discuss how they navigated complex security landscapes, leveraged creative attack strategies, and learned invaluable lessons from unexpected failures, all in a friendly and accessible format.

Feature or a Vulnerability? Tales of an Active Directory Pentest

This talk is a summation of stories from my recent penetration tests inside Active Directory networks. I will use this time to discuss common methods I have used to obtain initial access inside Active Directory environments, the features that paved the way to lateral movement, and vulnerabilities that escalated me to Domain Admin. This talk is laid out in a way that benefits both entry-level and experienced penetration testers. The content is for both blue and red teamers looking to better understand common Active Directory configurations that can lead to compromise. It has everything from memes to kerberoasting, with a pinch of humor (no dad jokes, I promise).

BSides SLC Sessionize Event

December 2022 Sandy, Utah, United States
