Digital Supply Chain Security: Software, Cryptography, AI, and Vendor Risk - Anant Shrivastava & Sunil Yadav - DCTLV2026 **1-day Course - Friday**

Name of Training: Digital Supply Chain Security: Software, Cryptography, AI, and Vendor Risk
Trainer(s): Anant Shrivastava and Sunil Yadav
Dates: August 7, 2026 **1-day course**
Time: 8:00 am to 5:00 pm 
Venue: Las Vegas Convention Center
Cost: $1,500

**Please note: This one-day training will be held Friday, August 7. Participants will receive a DEF CON Human Badge with their registration**

Short Summary:

This course takes practitioners inside real supply chain attack chains, from compromised packages to tampered upstream artifacts to abused third-party integrations, and teaches how to technically verify what upstream dependencies actually ship. Students will work hands-on with provenance verification, runtime detection, inherited risk analysis, and practical defense implementation to develop skills that go beyond policy documents and questionnaires.

Course Description:

Supply chain attacks succeed because they exploit trust: in packages, in integrations, and in the assumption that upstream components are safe. This course breaks down how those attacks work at a technical level, using real case studies including SolarWinds, xz Utils, Log4Shell, and 3CX to reconstruct how small trust failures chain into full organizational compromise. Each attack is examined not just for what happened but for where verification would have caught it. Throughout the course, demos and guided exercises reinforce each module: writing detection rules against real malicious packages, analyzing a third-party software delivery to find undisclosed dependencies and inherited cryptographic weaknesses, and deploying runtime detection to catch anomalous behavior from supply chain components.

This is not a risk management or governance course. It is built for security practitioners who need to technically verify supply chain components and build detection capabilities in their own environments.

Course Outline:

Module 1: Anatomy of Supply Chain Attack Chains

How real supply chain compromises unfold end-to-end. Technical reconstruction of major incidents: SolarWinds (build pipeline injection leading to signed malicious updates), xz Utils (long-term social engineering into maintainer trust leading to a backdoored compression library), Log4Shell (transitive dependency exploitation at internet scale), and 3CX (multi-stage supply chain compromise through a compromised upstream vendor). For each case, we map the kill chain, identify where trust was abused, and pinpoint where technical verification would have broken the attack. Students reconstruct attack chains using build logs and artifact signatures, and build a supply chain attack taxonomy they reference throughout the course.

Module 2: Package Ecosystem Attacks and Detection Engineering

Deep technical dive into how attackers weaponize package ecosystems. Covers typosquatting, dependency confusion, namespace hijacking, maintainer account takeover, and hidden capability abuse in legitimate-looking packages. For each attack pattern, students learn the corresponding detection approach: behavioral analysis of package capabilities, pattern-based rules for identifying malicious install scripts, permission analysis to flag over-privileged dependencies, and monitoring techniques for spotting outbound communication, filesystem access, and credential harvesting during package installation. Students write detection rules and test them against a curated set of real malicious packages, then build a detection pipeline that flags suspicious package behavior during installation.

Module 3: Inherited Risk Analysis — What Upstream Software Actually

Hands-on verification of what upstream dependencies and third-party software actually deliver versus what is claimed. Students work with real software inventories to identify vulnerable, abandoned, or undisclosed transitive dependencies. They analyze cryptographic configurations to find inherited weaknesses such as deprecated algorithms, weak key lengths, and hardcoded secrets. They examine AI component metadata to trace model provenance, dataset lineage, and hidden upstream dependencies. Students take a real third-party software delivery, identify undisclosed transitive dependencies, score its inventory quality, detect tampering, and cross-reference contents against known vulnerability databases to produce a gap analysis between what is claimed and what is actually shipped.

Module 4: Building Supply Chain Defenses That Work

Putting detection and verification into practice. Covers provenance verification to validate that upstream artifacts have not been tampered with between source and delivery. Covers runtime behavioral monitoring to detect anomalous behavior from supply chain components in production, including unexpected network calls, filesystem access, and privilege escalation from third-party code. Students implement provenance verification workflows, set up admission controls that gate deployments on verified attestations, build package governance policies that enforce capability restrictions, and design monitoring for secrets exposure during build and deployment. Students deploy runtime detection rules to catch supply chain anomalies in a running container, configure admission controls to block unverified artifacts, and assemble these into a technical supply chain defense playbook that connects package analysis, inherited risk verification, and runtime detection into a continuous verification workflow.

Difficulty Level:

Intermediate - The student has education and some experience in the field and familiarity with the topic being presented. The student has foundational knowledge that the course will leverage to provide practical skills on the topic.

Suggested Prerequisites:

- Basic understanding of security concepts like vulnerabilities, access control, and how the internet works
- Comfortable using the command line on any platform
- GitHub or Bitbucket account (free, instructions sent before class)

What Students Should Bring:

- A laptop with a modern web browser
- Reliable internet access with standard web access available
- Administrative access to the laptop in case troubleshooting is needed
- The ability to temporarily disable host controls such as HIDS or host firewall software if they interfere with labs
- A free GitHub or Bitbucket account, if requested in pre-class instructions

What the Trainer Will Provide:

- Live documentation portal during class with exercise details and step-by-step instructions
- Slide deck covering all modules
- Post-class reference pack including the risk taxonomy, xBOM audit checklist, and vendor capability assessment template
- Browser-based lab environment and guided demonstrations

Trainer(s) Bio:

Anant Shrivastava is the founder of Cyfinoid Research and a long-time offensive security practitioner with a focus on application, cloud, and supply chain security. He has delivered trainings and talks at Black Hat USA, Black Hat Europe, Black Hat Asia, Nullcon, c0c0n, BSides, Rootconf, and other events. He also runs projects such as Hacking Archives of India, with a strong focus on documenting and highlighting real work from the security community. His courses are built from consulting, red team, and research experience, with an emphasis on attack chains that show up in real environments and defenses teams can apply immediately.

Sunil Yadav is the founder and head of cybersecurity at X-Biz TechVentures. He has spent nearly two decades in cybersecurity across offensive security, application security, product security, and research. He has trained audiences on advanced web hacking and application security at Black Hat USA, Black Hat Europe, OWASP AppSec, and DEF CON. He has published CVEs, built AI-driven cybersecurity and computer vision products, and worked across areas such as supply chain security, attack surface management, API security, vulnerability management, compliance, fraud detection, AI document systems, and secure payments. He is also actively involved in shaping approaches around XBOMs and third-party risk management.

Proficiency Exam Option:

This course has the option for a proficiency certificate add-on. 

Proficiency is evaluated through a CTF-style exam. Students must extract flags and submit them to gain points, earning at least 70% to pass.

Please reach out to training@defcon.org for any questions related to the proficiency exam and certificate option.

Registration Terms and Conditions: 

Trainings are refundable before July 11, 2026, minus a non-refundable processing fee of $250.

Between July 11, 2026 and August 5, 2026 partial refunds will be granted, equal to 50% of the course fee minus a processing fee of $250.

All trainings are non-refundable after August 5, 2026.

Training tickets may be transferred to another student. Please email us at training@defcon.org for specifics.

If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).

Failure to attend the training without prior written notification will be considered a no-show. No refund will be given.

DEF CON Training may share student contact information, including names and emails, with the course instructor(s) to facilitate sharing of pre-work and course instructions. Instructors are required to safeguard this information and provide appropriate protection so that it is kept private. Instructors may not use student information outside the delivery of this course without the permission of the student.

By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.

Several breaks will be included throughout the day. Please note that food is not included.

All courses come with a certificate of completion, contingent upon attendance at all course sessions. Some courses offer an option to upgrade to a certificate of proficiency, which requires an additional purchase and sufficient performance on an end-of-course evaluation.
