I Went to BSides Calgary 2026

I recently attended BSides in Calgary, Alberta, Canada, which took place from May 25th to May 26th. This was the 10th year of the BSides conference in Calgary, and it was also my second time attending BSides Calgary.

If you’ve never heard of BSides, it is a community-driven cybersecurity conference made by the community, for the community. Each local chapter creates and runs its own BSides conference.

In this post, I will detail my experience at BSides Calgary 2026.

In previous years, BSides Calgary was held at Bow Valley College. This year, the conference was hosted at Contemporary Calgary.

Contemporary Calgary

Contemporary Calgary is a really cool venue because it used to be the Centennial Planetarium, which was also the TELUS World of Science. I remember visiting it when it was the TELUS World of Science. It was really cool to see that space again.

Day 1

The day started with registering and picking up my badge.

My BSides Calgary 2026 Badge

After registering, it was time for the keynote, hosted by Terry Ingoldsby. In the keynote, Terry spoke about the history of the internet in Calgary. It was really cool to learn that the University of Calgary had access to the DARPA (Defense Advanced Research Projects Agency) version of the internet (at the time, the only version of the internet). Around the same time, Unix was growing in popularity, and CUUG (Calgary Unix User Group) was formed. Eventually, they got a connection from the University of Calgary, making CUUG the second place in Calgary to have internet. One of the things I took away from the keynote is that you shouldn’t look at cybersecurity as just good vs. evil; you should treat it as an engineering problem to solve instead. Another is that just because you are secure doesn’t make you compliant, and just because you are compliant doesn’t make you secure.

The next session I attended was LLM-Assisted Malware Development: Case Study and Defensive Strategies, which was hosted by Kai Iyer. In the session, Kai dissected how the LameHug infostealer malware works. LameHug is really interesting because it is the first known malware to directly integrate AI into its workflow. At its core, it uses the LLM Qwen 2.5-Coder-32B-Instruct, which Hugging Face hosts. The prompt LameHug sends to Qwen is very innocent, as it simply asks to gather basic system information and place it in a text file, which is no different from what a system administrator would do. Because of the innocent request, Qwen complies and doesn’t flag the prompt as malware.

I also attended the session Cyber Deception 2.0: Adaptive Honeynets for ICS Networks hosted by Peter Morin. In this session, Peter spoke about his open-source honeypot project, AdaptiveGrid. What makes AdaptiveGrid interesting is that Peter spent the time to make it as real as possible. It will mimic many OT systems, such as PLCs and Modbus, to the point where if you modify one of the registers, it will present real-looking information so that the attacker has no idea they are poking at a honeypot.

From what I know about ICS (Industrial Control Systems), I do think AdaptiveGrid will be very useful. Peter will be releasing it to his GitHub very soon: https://github.com/petermorin123

The next session I attended was Protecting Critical Infrastructure in an uncertain world hosted by Pam Pouliot. In the session, Pam highlighted some of the differences between IT (Information Technology) and OT (Operational Technology). For example, IT is about keeping everything secure and online, whereas OT is about keeping things safe and working. If an IT system fails, it could cause data loss or business impact, but if an OT system fails, it could result in things blowing up or people dying. Some of the tips Pam gave for IT when talking to OT are to listen to the OT side and hear their concerns before making sweeping changes or recommendations.

Day 2

The second day of BSides Calgary began with a panel of some of the original people who helped turn BSides Calgary into what it is today. The panel consisted of Najo Ifield, Amanda Lockheart, Dallas Bobryk, and Steve Porter, and it was moderated by Doug Leece. The panelists spoke about the challenges they faced when creating a conference and building a local community, and how they overcame them.

After the keynote, I attended the Resilience in Crisis session, hosted by Adam McMath. In the session, Adam spoke about the common hurdles that people face with incident response plans, such as getting stuck in the details. Adam also pointed out that if health care can use a single page for a trauma intake form, there’s no reason you can’t have a single-page incident intake form.

The next session I attended was Living Off The Locker: Using Keys From The Microsoft Keyring to Evade EDR, hosted by Sasha Mozil. In the session, Sasha spoke about how you can use BitLocker as a form of ransomware. Sasha showed how, using standard Windows commands, you can remove existing BitLocker keys, inject your own key, and even change the text on the BitLocker recovery screen to serve as a ransom note. Sasha even showed a demo of it.

BitLocker recovery with a custom message

This was very cool to see. A while back, I explored the idea of BitLocker as ransomware, but I didn’t go as deep as Sasha did. It was super cool to see how deep Sasha went and everything they learned. Sasha also mentioned that instances of BitLocker being used as ransomware have already been seen in the wild. The ShrinkLocker malware is an example of this.

I also attended the session Demystifying EDR Evasion: A General Methodology for Developing Stealth (TA0005), hosted by Ian Lin. In the session, Ian spoke about how most EDRs use similar methodologies to classify something as malicious or not. The exact details on what each EDR vendor uses for their classifications are not public. A tip Ian gave is that sometimes you can get around EDR or AV by just calling the code differently. For example, if you call shellcode directly, it will trip Windows Defender, but if you load it in sections, you can load it into memory and execute it without tripping Windows Defender. Ian also spoke about using DLLs to side-step the EDR. This made me realize there’s a lot to learn about DLLs.

The next session I attended was Cloaking the C2: Building Resilient, Attribution-Resistant Red Team Infrastructure, which was to be hosted by Christian Ramirez and Asif Khan, but Asif was unable to attend. The session was instead hosted solely by Christian Ramirez. In the session, Christian spoke about how you can hide a C2 by using Cloudflare for all communication. A cool trick Christian showed is that, by using NGINX, you can run more than one C2 on the same server, even a decoy website that normal web traffic would hit, and the C2 would only load if you had a specific user-agent string.

I then attended the session, The Accidental Incident Responder, which was hosted by Vincent Wolfe. This session was actually Vincent’s very first BSides presentation, and he did a really good job. In the session, Vincent spoke about how he was designated as an incident responder when an incident occurred, as he was, on paper, the most qualified. Vincent also spoke about the lessons he learned along the way, such as not confusing confidence with competence, leveling up your skills before you need them, and making sure you take care of yourself. This session really resonated with me as the situations Vincent described were very similar to situations I’ve dealt with in the past. It was really refreshing to learn how other people handled similar circumstances.

The next session was the closing keynote hosted by Chris Roberts. In this session, Chris spoke about how he is leveraging AI and how to better use AI as a colleague rather than just a tool. Chris also mentioned that if you speak conversationally to an AI assistant, you can end up finding more fun rabbit holes to go down. Chris spoke about how he configured his AI assistant named Sid. When Chris built Sid, he decided to take a different approach rather than just feeding Sid a ton of data. He started by training Sid on philosophy first, then everything else. He also configured Sid to be collaborative and made Sid challenge the requests it receives. All of this led to a project Chris is working on called Guardian, an AI you send out to the fires of the front lines that clicks every link and detonates everything to safely see what happens and learn from it. I really think Guardian will be a very useful tool once completed.

After the closing keynote, BSides Calgary 2026 was concluded.

Summary

All in all, BSides Calgary 2026 was a heck of a lot of fun. It was really great attending the sessions, and I feel like I learned a lot, but I still have so much to learn. I look forward to attending future BSides Calgary events.

If you’re interested in cybersecurity, I highly recommend checking out BSides and seeing if there’s a local BSides chapter in your area. Here are all the current BSides chapters, and here are all the upcoming BSides events. If you are in Calgary, check out BSides Calgary.

Daniel Goes Outside Vlog

While attending BSides Calgary 2026, I recorded a new episode of Daniel Goes Outside. Check out the YouTube vlog below.
