Vienna International Ethical Hacking Boot Camp
4th Edition - 2026
What is the Bootcamp?
From July 2–5, 2026, TU Wien will host the fourth edition of the International Ethical Hacking Bootcamp — an intensive, practice-oriented training event focused on cybersecurity fundamentals, ethical hacking techniques, and real-world attack scenarios. Designed for students, young professionals, and cybersecurity enthusiasts, the program offers hands-on experience in areas such as penetration testing, vulnerability assessment, and defensive strategies.
Around 150 participants are expected, including national teams from Austria, Croatia, Czech Republic, Denmark, Hungary, Kosovo, Romania, Slovakia, Slovenia, Serbia, Switzerland, and Italy.
Led by a distinguished lineup of international experts—including sessions on hardware hacking, reverse engineering, mobile and web security, and digital forensics—the event fosters joint learning, practical skill development, and cross-border networking. A Capture The Flag (CTF) exercise on the second day will emphasize collaborative problem-solving over competition.
The bootcamp continues to strengthen Vienna’s role as a hub for cybersecurity training, research, and international collaboration.
Program Overview
Day 1 - Friday, 3rd July
Day 3 - Sunday, 5th July
Participants
Workshops
Building AI agents for hacking
>be me >400mg caffeine/day >Web main @ organizers, Swiss team ECSC 2022->2024, ICC 2025 >Worked a year for Zellic web2/web3 >AI sounds funny >Started playing with agents for hacking >Left uni and Zellic to do an AI startup >Startup gets acquired by Aikido Security >Now working at Aikido to make sure we keep winning
Topic: AI for security Workshop level: beginner You will learn how AI agents for hacking work, the patterns and anti-patterns to be aware of, different approaches to orchestration, strategies to deal with false-positives, different ways of improving the performances, and most importantly, how to build your own AI agents to hack an application using OpenRouter free models to solve a slopped AI-only CTF training range. Requirements: - laptop - Python - good night of sleep - don't forget to drink water
.jpeg)
Tales from the V8 VRP - A Post-Mortem
[RERUN OF MidnightSun 2026 TALK] A look back at the "good old days" of the V8 VRP from an independent bug hunter; a guided tour through old, stale bugs, techniques, and a notoriously complex codebase. We'll take a look around what was once an intriguing (and financially lucrative) target for offensive security researchers, diving deep into a few of the bugs I found during my tenure (CVE-2024-8904, CVE-2025-0291, and others). Additionally, we will go over some of the principles and tips & tricks that guided my own professional VRP work.Part write-up, part broader retrospective, part informal speculation, this talk offers a snapshot of the JavaScript runtime vulnerability research scene of days past. It gives attendees a candid look at why the Chromium VRP once held the prominent position it did - until the recent rise of AI, and the drastic program changes that followed, reshaped the landscape.
Matthias Pleschinger (Popax21) is an independent cybersecurity researcher specializing in complex low-level systems. He has found several critical vulnerabilities in the V8 JavaScript engine, leading to remote code execution in Chromium's renderer process. Outside of his VRP work, he has competed as part of Team Austria at ECSC in 2024 and 2025 (winning the associated openECSC solo competition both years) and as part of Team Europe at ICC in 2025.
.jpeg)
Hardware Hacking 101
The workshop is focused on hardware analysis. The idea is to give the basis on how to approach hardware starting from the analysis of the physical PCB, how to interact on the physical interfaces (SPI/JTAC/I2C) discuss how to extract and analyze firmwares to very quick introductions to advanced attacks like CPA/DPA. The general topics are the following. Since the time will be limited, i will probable remove some of the "base" topics depending on the skill of the participants. • PCB anatomy • Disassemble a device • Chip reconnaissance • Communication interfaces • Firmware extraction • Static analysis of a firmware • Some hardware attacks • Hands on The workshop will also have a practical part with hands on on the hardware and offline challenges (like protocol decoding/analysis, firmware to analyze) since providing the proper hardware for all the participants is not always possible. There are no software pre-requisites for the workshop, they will install the necessary tools depending on the challenges (e.g., Logic Analyzer software)
CTF player with mhackeroni and Tower of Hanoi. Penetration tester specialized in HW hacking and reverse engineering
.jpeg)
Hacking with Style - Breaking the Web Without JavaScript
Everyone learns XSS first. This workshop is about what you do once that's blocked, whether by a sanitizer like DOMPurify, a strict CSP, or a framework that escapes output. You can still attack a page with nothing but HTML, CSS and fonts. We start with HTML injection: what an attacker can do with markup alone, including dangling markup, form hijacking and redirects, and where modern browsers have closed these down. Then CSS, in two halves: first how much it can actually do (people build games and even a CPU emulator in pure CSS), then turning those same primitives offensive to leak CSRF tokens and other secrets with attribute selectors, :has(), @import chaining and :valid/pattern tricks. Finally fonts as programs (a whole game lives inside a single font file), combined with CSS into Fontleak, which reads text off a page by encoding each character as a measurable glyph width and reading it back with a CSS container query. No JavaScript runs on the victim page, and every technique is tested in current Chrome. Format: a talk with live demos, plus hands-on practical exercises so attendees try the techniques themselves. Requirements: a laptop with a recent Chrome or Firefox. Exercises will be self-contained, so there's nothing to preinstall.
Security researcher and CTO of aisafe.io. 5x ICC champion with Team Europe, 1x as coach. 1x ECSC champion with Team Romania. Google CTF and DEF CON CTF finalist. CTF player with WreckTheLine.
.jpeg)
Linux Kernel Exploitation
Introduction into Linux kernel exploitation: + important tooling (bata gef, cscope, keap template, etc.) + how to approach + common vulnerabilities / targets (Stack, Heap, eBPF, Hardware Bugs) + how to get Flag / PrivEsc / Escape jails + using linux exploits IRL (kernelCTF) + Example challenges deployed somehwere lets see Partiticipants should have a linux setup with a working compiler (preferable cross-arch with x86_64 and aarch64) and gdb. Also qemu-system for x86_64 and aarch64 Also I got basically got forced by Marco todo this, will try my best though... ._.
playing CTFs (w0y & KuK)
Logistics
Organizing Team
Joe Pichlmayer
Founder of ACSC
Manuel Reinsperger
(aka neverbolt)
Coach Team AT
Marco Squarcina
(aka lavish)
Coach Team AT
With support from
Gallery (2025)
