
Our favorite talks from fwd:cloudsec 2025

Red Canary’s cloud security enthusiasts left fwd:cloudsec 2025 with some invaluable insights and community connections

The Red Canary Team

In June 2025, the cloud security community converged on Denver, Colorado, for fwd:cloudsec North America 2025, and Red Canary was thrilled to be a sponsor! Hundreds of passionate cloud security practitioners connected and absorbed insights from some of the brightest minds in the field.

The energy at the conference was palpable, and our team returned invigorated and full of new ideas. We’ve compiled their top recommendations and takeaways, which you can read below. You can find full summaries of every talk here.

fwd:cloudsec 2025 watch list

Happy Little Clouds: Painting Pictures with Microsoft Cloud and Identity Data

Matt Graeber, Red Canary

After establishing why detecting attack techniques across Entra ID, Azure, and Microsoft 365 is so difficult, Matt offered a methodology for assessing data source quality and constructing effective threat narratives, addressing critical questions like:

  • where to start
  • what constitutes quality data
  • how to correlate disparate sources (e.g., understanding the relationship between SessionId and UniqueTokenIdentifier)
  • what information is essential for confident incident response

 

Securing Remote MCP Servers

Jake Berkowsky, Snowflake

“MCP servers are quickly gaining traction across the industry. If a company doesn’t provide one themselves, then the community will quickly build one. MCP servers have a great potential to introduce significant risk in all environments, and this talk does a great job at giving an overview of the threat landscape.”

Jesse Griggs, Senior Threat Researcher

I SPy: Rethinking Entra ID Research for New Paths to Global Admin

Katie Knowles, Datadog

“Katie presented a systematic method of researching and testing abuse of novel attack paths in Entra ID. What I really liked about it was that she focused less on what she found and more on how she found it. Those interested in pursuing cloud/identity security research would benefit greatly from watching her talk!”

Matt Graeber, Principal Threat Researcher

Defenders hate it! Compromise Vulnerable SaaS Applications With This One Weird Trick

Eric Woodruff, Semperis

“Eric spent time to walk through the n0Auth attack that was discovered in June 2023, explaining it in a way that even I could follow along with, then walked through the timeline following its discovery, including the steps that Microsoft did and did not take to mitigate it. He ultimately pinned responsibility back on the application developers that use it.

This talk was a really balanced look at how a vulnerability may actually be a feature that’s desired by some app developers, and the strange predicament that OIDC providers like Microsoft may find themselves in when blocking a vulnerable workflow may significantly impair some applications that use it.”

Brian Davis, Principal Software Architect

Detecting the Undetectable: Threat Hunting in Appliance Environments

Shahar Dorfman & Sagi Tzadik, Wiz

“Virtual appliances like Ivanti and Fortinet are abused by adversaries because they are difficult to get visibility into (no EDR compatibility, minimal logging, vendor-controlled file system, etc). The researchers at Wiz found a way to take snapshots of the file metadata to identify suspicious changes that could be indicative of adversary activity.”

Alex Berninger, Senior Manager, Intelligence

Patience Brings Prey: Lessons Learned from a Year of Threat Hunting in the Cloud 

Greg Foss & Anthony Randazzo, Datadog

“The speakers presented a good overview of different cloud attack techniques and how they were able to identify their use across their customer environments, along with explaining how their hunt program has evolved over the last year. It was interesting to see how their approach aligns and differs from ours and the types of threads they pulled when investigating anomalous activity before understanding how it played out in various cloud attacks.”

Thomas Gardner, Staff Detection Engineer

 

If you’re serious about cloud security, we can’t recommend fwd:cloudsec enough. It’s a rare opportunity to gather with so many dedicated experts who share your passion. Tickets for fwd:cloudsec Europe will go on sale in August!

 
