16 Hours At DEF CON: An Insider View On Antivirus Bypassing


Presenting a workshop at DEF CON is a significant achievement for anyone who has ever considered themselves a hacker.

But once you’ve presented a workshop (like one of our guys did), what’s next?

Run a course…of course.

This year, we are proud that a SECFORCE red teamer, Dimitri Di Cristofaro, and his fellow hacker, Giorgio Bernardinetti, are running a full 16-hour training course on advanced antivirus (AV) evasion and malware execution at DEF CON 33.

We spoke to Dimitri about why they’re running a course at DEF CON, what participants can expect, and whether hackers should share offensive security techniques at all.


Building On a Sold-Out DEF CON Course In 2024

At DEF CON 32 (2024), Dimitri and Giorgio ran a 4-hour, one-way presentation focused on evasion theory.



They presented the most advanced techniques they knew for bypassing antivirus (AV) and endpoint detection and response (EDR) tools and executing code on a target device.

Evading detection from AV and EDR tools is a fascinating topic for most hackers, but what made the workshop especially interesting (enough to sell out) was the fact that the team didn’t just give the audience a plug-and-play solution.

“It’s pointless [to do that],” Dimitri explains. He says that even if a hacker were to show someone the absolute state-of-the-art methodology for malware evasion, it wouldn’t mean it's the best way to do it.

“Maybe tomorrow, there will be another better way to do that. But if you understand the process that leads you to that, you can easily do your [own] research,” he says.

With this in mind, in 2024, the guys wanted to show their audience how to break down goals, such as injecting shellcode to hide malware execution, into fundamental building blocks (aka “primitives”), like API unhooking and direct syscalls.

The concept for the workshop was that once someone knows how to go from goal to primitive to code (and back again), they can more easily adapt to new techniques and tools.

“You have to find primitives,” Dimitri says. “You need to think in terms of what actions you want to achieve, then break that down into something codable.”

The guys also used this mindset to introduce people to using tools like debuggers (which Dimitri calls “very obscure and nasty”) that allow people to read machine code - a seriously intimidating task for many hackers.

“[Using a debugger] scared me as well, [...] back in the day,” Dimitri admitted. “Now I know how to do that. It’s [...] learning how to use a tool and then learning how to search the stuff, and when you understand how to search the stuff, using the tool is kind of the easy part because then it’s just a tool. It’s not something that gives you the solution. It’s something that you use with your brain to get the solution.”


From 4 Hours to 16: “Dodging the EDR Bullet: A Training On Malware Stealth Tactics”

This year, Dimitri and Giorgio are diving deeper into the concepts and lessons from last year's four-hour workshop in a full-blown two-day (16-hour) interactive course with live exercises.

Dimitri describes the difference between their 2025 DEF CON course and the 2024 DEF CON workshop as being about information flow.

Last year, he says, was a “one-way” experience, more like a college lecture. “We gave them the code, we explained the stuff.”

Going to DEF CON 33 and want to learn about EDR evasion? Book the workshop with a 30% discount using the code DCTLV2025GBDDC here.


In 2025, they want to make learning about evasion a two-way experience.

With 16 hours (spread over two days), there is enough space for Dimitri and Giorgio to:

a) Explain how different evasion techniques and tools work.

b) Hand participants a deliberately incomplete version of the code for an exercise built around those techniques and tools, and help them work out the solution themselves.

The core goal of the workshop remains the same as last year: to teach the latest techniques for bypassing security tools. But the outcome is designed to be far more useful in practice. Attendees will learn how evasion happens from zero to full compromise.

This means the participants will understand the evasion process from the level of Windows internals all the way (via topics such as memory allocation, process injection, and kernel-space evasion) to writing their own malicious tools.

Learning the “why” of bypass techniques matters because, as Dimitri says, that's also how cutting-edge hacking happens in the real world. Hackers think through problems at the lowest level possible (even understanding machine code), look at known solutions, and make them better.

One section of the workshop even includes a problem Dimitri and Giorgio themselves couldn’t fully solve: “That’s part of the learning process.”


From Lockdown Project to DEF CON Course

How does a full-time red teamer end up running a DEF CON workshop?

Like many ideas, it started during the COVID-19 lockdown, which had most of the world, including Dimitri and Giorgio, stuck indoors. However, instead of learning how to make sourdough bread, the guys started researching how to make existing malware strains less detectable to antivirus scanners.

They came up with a tool that took an existing (detectable) strain of malware as an input and then spat out a functionally identical strain that was not detectable by scanners. The functionality stayed the same, but the known signatures no longer matched. You can read some of their early research here.

The tool worked well enough to present at an online red teaming conference, so they continued improving it out of personal interest and momentum.

However, Dimitri and Giorgio soon realized a key limitation: packing someone else’s malware (e.g., Cobalt Strike) meant inheriting its flaws. If a built-in function of the payload triggered detection, their packed version would trigger it too. They could control the wrapper (i.e., how the file appeared to a scanner on disk) but not the signatures of the payload itself, static or behavioural, once it was unpacked and running.

As a result, they decided to shift focus to building original malware components for full flexibility and developed a structured methodology for evasion and execution techniques.
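The limitation described above, as a toy model in code. This is an added example, not code from the course, from SECFORCE, or from the tool the two built: a wrapper-level transformation (here a plain XOR encoding with a small key) removes the static signature from the file on disk, but the moment the decoder stub restores the payload in memory the same bytes, and the same sequence of API calls, are back for an EDR to find. The payload bytes, the signature pattern, the behavioural rule and the API-call trace are all constructed for illustration; no real malware or real AV signatures are involved.

```python
"""Why packing cannot remove a payload's own detections: a toy model.

Added example, not code from the course or from SECFORCE. The payload,
the signature bytes and the API-call trace below are all constructed
for illustration; no real malware or real AV signatures are involved.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed static signature: a byte pattern an on-disk scanner looks for.
STATIC_SIGNATURES = {
    "Toy.Shellcode.A": b"\x48\x31\xc0\x48\x89\xc2",
}

# Constructed behavioural rule: an ordered API sequence an EDR might flag
# (the classic remote-thread process-injection pattern).
BEHAVIOUR_RULES = {
    "Toy.RemoteThreadInjection": (
        "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
    ),
}

MAGIC = b"PACK"  # constructed container header for the toy packer


@dataclass
class Payload:
    code: bytes                 # what sits on disk and, later, in memory
    api_trace: tuple[str, ...]  # what it does when it runs (constructed)


# Constructed "known-bad" payload: carries the signature bytes and,
# when executed, performs remote-thread injection.
KNOWN_BAD = Payload(
    code=b"\x55\x48\x89\xe5" + b"\x48\x31\xc0\x48\x89\xc2" + b"\x5d\xc3",
    api_trace=("OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
               "CreateRemoteThread"),
)


def static_scan(blob: bytes) -> list[str]:
    """Signature match over raw bytes, as an on-disk AV scan would do."""
    return [name for name, sig in STATIC_SIGNATURES.items() if sig in blob]


def behaviour_scan(trace: tuple[str, ...]) -> list[str]:
    """Flag every rule whose API sequence appears, in order, in the trace."""
    hits = []
    for name, wanted in BEHAVIOUR_RULES.items():
        calls = iter(trace)  # each 'any' consumes the iterator up to its match
        if all(any(call == want for call in calls) for want in wanted):
            hits.append(name)
    return hits


def pack(payload: Payload, key: bytes) -> bytes:
    """Wrapper-level change only: XOR the code so no signature bytes remain.

    Container layout: MAGIC | key length (1 byte) | key | encoded code.
    """
    if not 0 < len(key) < 256:
        raise ValueError("key must be 1..255 bytes")
    encoded = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload.code))
    return MAGIC + bytes([len(key)]) + key + encoded


def unpack(container: bytes) -> bytes:
    """What the decoder stub does at run time: restore the original bytes."""
    if not container.startswith(MAGIC):
        raise ValueError("not a toy container")
    klen = container[len(MAGIC)]
    key = container[len(MAGIC) + 1:len(MAGIC) + 1 + klen]
    encoded = container[len(MAGIC) + 1 + klen:]
    return bytes(b ^ key[i % klen] for i, b in enumerate(encoded))


def run_in_sandbox(container: bytes, payload: Payload) -> dict[str, list[str]]:
    """Model of execution under an AV/EDR.

    The stub unpacks the code into memory, then the payload's own code runs.
    The packer changed only the bytes on disk, so the in-memory image and the
    API trace (taken from the payload, which the packer cannot alter) are
    exactly those of the original sample.
    """
    memory_image = unpack(container)
    return {
        "disk": static_scan(container),
        "memory": static_scan(memory_image),
        "behaviour": behaviour_scan(payload.api_trace),
    }


if __name__ == "__main__":
    packed = pack(KNOWN_BAD, b"\x37\x91\x4c")  # constructed key
    print("original on disk :", static_scan(KNOWN_BAD.code))
    print("packed on disk   :", static_scan(packed))
    print("after execution  :", run_in_sandbox(packed, KNOWN_BAD))
```

The static scan of the packed container comes back clean, which is the whole benefit of the wrapper; the memory scan and the behavioural rule still fire, which is the inherited flaw. Swapping XOR for any other encoding changes nothing about the second half of that result, and that is why the two moved on to writing their own components.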

They wrote blog posts and academic papers and eventually chose to develop the ideas they started exploring in 2020 and 2021 into a full course.


Ethics: Why Share Offensive Security Research at All?

The techniques and toolkit that Dimitri and Giorgio will share at DEF CON 33 for bypassing the latest security controls are essentially a nightmare scenario for a blue team. In the wrong hands, these kinds of skills could do a lot of damage.

There’s always debate about whether this kind of information should be shared openly.

Dimitri acknowledges this risk but still thinks red teamers should share insights. He believes defenders have the most to gain from red team workshops like this because they offer a unique opportunity to see how advanced attacks could happen.

But there’s another reason for the course.

Dimitri (like many hackers in the community) is motivated by the idea of giving back to the community.

For him, it's an unwritten rule of being a hacker that when you arrive at a level where you have something to share, you share it. This is because, as Dimitri says, “that's how the [hacking] community works.”

That’s also why, even though red teamers are cautious about sharing complete tools, they are keen to share ideas. This course is part of that work.


Training the Next Generation of Red Teamers

At SECFORCE, we believe that open sharing drives innovation and improves security for everyone.

Our red teamer Dimitri lives by that philosophy. He sees offensive security as a community effort built on exchanging ideas and pushing boundaries together.

As he says, “It's a cat and mouse game. The smart people that defend know that, so they tend to talk with us and share stuff, and we do too because, in that way, everyone improves.”

If you’re attending DEF CON 33 and want to become part of this knowledge-sharing process, this is the course to attend.

Learn more and book with a 30% discount using the code DCTLV2025GBDDC here.
