In June 2025, the cloud security community converged on Denver, Colorado, for fwd:cloudsec North America 2025, and Red Canary was thrilled to be a sponsor! Hundreds of passionate cloud security practitioners connected and absorbed insights from some of the brightest minds in the field.
The energy at the conference was palpable, and our team returned invigorated and full of new ideas. We’ve compiled their top recommendations and takeaways, which you can read below. You can find full summaries of every talk here.
fwd:cloudsec 2025 watch list
Happy Little Clouds: Painting Pictures with Microsoft Cloud and Identity Data
Matt Graeber, Red Canary
After establishing why detecting attack techniques across Entra ID, Azure, and Microsoft 365 is so difficult, Matt offered a methodology for assessing data source quality and constructing effective threat narratives, addressing critical questions like:
- where to start
- what constitutes quality data
- how to correlate disparate sources (e.g., understanding the relationship between
SessionIdandUniqueTokenIdentifier) - what information is essential for confident incident response
Securing Remote MCP Servers
Jake Berkowsky, Snowflake
“MCP servers are quickly gaining traction across the industry. If a company doesn’t provide one themselves, then the community will quickly build one. MCP servers have a great potential to introduce significant risk in all environments, and this talk does a great job at giving an overview of the threat landscape.”
—Jesse Griggs, Senior Threat Researcher
I SPy: Rethinking Entra ID Research for New Paths to Global Admin
Katie Knowles, Datadog
“Katie presented a systematic method of researching and testing abuse of novel attack paths in Entra ID. What I really liked about it was that she focused less on what she found and more on how she found it. Those interested in pursuing cloud/identity security research would benefit greatly from watching her talk!”
—Matt Graeber, Principal Threat Researcher
Defenders hate it! Compromise Vulnerable SaaS Applications With This One Weird Trick
Eric Woodruff, Semperis
“Eric spent time to walk through the
n0Authattack that was discovered in June 2023, explaining it in a way that even I could follow along with, then walked through the timeline following its discovery, including the steps that Microsoft did and did not take to mitigate it. He ultimately pinned responsibility back on the application developers that use it.This talk was a really balanced look at how a vulnerability may actually be a feature that’s desired by some app developers, and the strange predicament that OIDC providers like Microsoft may find themselves in when blocking a vulnerable workflow may significantly impair some applications that use it.”
—Brian Davis, Principal Software Architect
Detecting the Undetectable: Threat Hunting in Appliance Environments
Shahar Dorfman & Sagi Tzadik, Wiz
“Virtual appliances like Ivanti and Fortinet are abused by adversaries because they are difficult to get visibility into (no EDR compatibility, minimal logging, vendor-controlled file system, etc). The researchers at Wiz found a way to take snapshots of the file metadata to identify suspicious changes that could be indicative of adversary activity.”
—Alex Berninger, Senior Manager, Intelligence
Patience Brings Prey: Lessons Learned from a Year of Threat Hunting in the Cloud
Greg Foss & Anthony Randazzo, Datadog
“The speakers presented a good overview of different cloud attack techniques and how they were able to identify their use across their customer environments, along with explaining how their hunt program has evolved over the last year. It was interesting to see how their approach aligns and differs from ours and the types of threads they pulled when investigating anomalous activity before understanding how it played out in various cloud attacks.”
—Thomas Gardner, Staff Detection Engineer
If you’re serious about cloud security, we can’t recommend fwd:cloudsec enough. It’s a rare opportunity to gather with so many dedicated experts who share your passion. Tickets for fwd:cloudsec Europe will go on sale in August!
Related Articles
Red Canary named a Leader in G2’s Summer 2025 MDR Reports — #1 in enterprise customer satisfaction