Toronto Cybersecurity Conference

APIs power every click, swipe, and login. That silent, lightning-fast conversation between services is under siege, and most security leaders can’t even see the battlefield. Attackers have industrialized API attacks, yet visibility into API activity and risk remains dangerously low.

This session pulls back the curtain on the API threat landscape. You’ll see the data, understand why traditional security tools often fail to identify API risks, and learn how to discover, inventory, and protect your API ecosystem. But APIs don’t just move requests, they move sensitive data. We’ll explore how organizations can better protect PII, payment information, intellectual property, and other critical data flowing through APIs.

We will also examine real-world examples of API vulnerabilities and data exposure, including an exposed GraphQL endpoint leaking customer records and a misconfigured REST API handing out administrative credentials. You’ll learn how to identify potential data leakage and security gaps before attackers exploit them. Don’t defend blind. Come see the siege, then learn how to stop it.

As organizations race to deploy AI agents, training pipelines, and autonomous workflows, a critical foundation is playing catch-up: identity. Without a unified, cryptographically backed identity framework—one that extends seamlessly across humans, AI agents, CI/CD pipelines, and arbitrary workloads—every layer of the AI lifecycle is exposed to unauditable, ungovernable risk.

This talk argues that cryptographic identity is not merely a security best practice but the essential building block for trustworthy AI. From model training environments where data provenance and access control determine integrity, to production systems where autonomous agents act on behalf of users and organizations, the ability to authenticate, authorize, and audit every actor in the chain is what separates experimentation from enterprise-grade AI. We will explore how a unified identity plane eliminates the fragmented, secret-laden approaches dominating today’s infrastructure and why organizations that solve identity first will unlock AI’s full potential: securely, at scale, and with confidence.

Application security has become a forecasting exercise.

We rely on CVEs, scanners, and severity scores to predict what might go wrong. But in an AI-driven world, where code ships faster and attacks move faster, prediction is no longer enough.

Forecasts don’t tell you what’s being exploited. They don’t tell you what’s reachable. And they don’t tell you what’s under attack right now.

This talk shows why forecast-only security breaks down in the machine-speed-era, and what replaces it.

You’ll see how runtime visibility changes application security from a guessing game into an operational discipline – revealing real attack paths, reducing noise, and enabling teams to detect and stop attacks in production.

AI coding assistants promise massive productivity gains, but recent academic research shows they also introduce instability, security weaknesses, and developer overconfidence. In this talk, I present data from large-scale studies demonstrating how AI-generated code affects delivery performance, vulnerability rates, and developer decision-making. I then outline a practical, end-to-end approach for reducing AI-induced risk while preserving the benefits of AI-assisted development.

The traditional security perimeter has dissolved into a series of invisible conversations. As organizations move to autonomous AI workflows, we have entered the era of the “Agentic Web” where AI doesn’t just answer questions, it reads our emails, browses our web pages, and calls our APIs.

From “unintended leaks” where well-meaning employees accidentally feed corporate strategy into personal AI tools, to “Indirect Prompt Injection” where an AI agent is hijacked by a malicious email it was simply trying to summarize, the attack surface is now probabilistic, not just deterministic. We will explore how to regain control using a unified architecture of Zero Trust and AI Gateways that verifies the identity of the user, audits the intent of the machine, and redacts sensitive data in real-time before it ever leaves your control.