GitHub gives attackers something they love: a place where identity, automation, and production changes meet. Once they’re in, the path from “read access” to “shipping malicious code” can be disturbingly short.
In this talk, we walk through realistic attack paths into GitHub organizations, starting with initial access techniques like device-code phishing and the abuse of trusted GitHub Apps (including the GitHub CLI). From there, we explore how different credential types enable access: long-lived Personal Access Tokens that often persist on developer machines, and short-lived automation credentials like GITHUB_TOKEN that can still leak through logs, artifacts, or misconfigured workflows. We then show how either kind of credential can be leveraged to move laterally or expand privileges.
We highlight tactics we’ve developed and researched post-initial access: how you can abuse sensitive workflows, exploit approval and review dynamics, and find paths around policy guardrails like “protected” pipelines and code-signing rulesets. We’ll also discuss tradeoffs attackers make to reduce forensic visibility and delay detection in environments where GitHub’s native telemetry is limited.
We close with practical defender takeaways: detection strategies and response playbooks focused on the signals that matter and how to improve monitoring coverage in the places GitHub is hardest to observe.
Attendees will leave with a shared framework that’s useful on both sides of the table. Defenders will get a checklist for reducing risk across identities, tokens, integrations, and Actions workflows, plus concrete ideas for building higher-signal detection and response in places where visibility is lacking. Red teams will gain a realistic map of where GitHub controls tend to break down in practice, along with a set of hypotheses to test during assessments that go beyond “find a secret in a repo.” The goal is to walk out with sharper intuition for how small weaknesses chain into meaningful impact, and practical ways to either validate that risk (red teams) or eliminate it (blue teams) without grinding delivery to a halt.
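As an added, defender-side illustration of the "misconfigured workflows" and Actions-checklist points above (example code written for this page, not part of the talk or of Figment's tooling): a small audit over a parsed GitHub Actions workflow that flags the patterns which hand GITHUB_TOKEN or repository secrets to untrusted pull-request code. The sample workflow is constructed, and loading real YAML (for instance with PyYAML) is assumed rather than shown.

```python
import re

# Constructed sample: a workflow as PyYAML would parse it. Note PyYAML (YAML 1.1)
# loads a bare `on:` key as the boolean True, so the audit checks both keys.
SAMPLE_WORKFLOW: dict = {
    "name": "pr-build",
    True: {"pull_request_target": {"types": ["opened", "synchronize"]}},
    "permissions": "write-all",
    "jobs": {"build": {
        "runs-on": "ubuntu-latest",
        "steps": [
            {"uses": "actions/checkout@v4",
             "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
            {"run": "echo 'Building ${{ github.event.pull_request.title }}'"},
            {"run": "npm ci && npm test"},
        ],
    }},
}

# Event fields an outside contributor controls; interpolating them straight into
# a `run:` script is command injection inside the workflow's own context.
UNTRUSTED_CONTEXT = re.compile(
    r"\$\{\{[^}]*github\.(event\.(pull_request|issue|comment|review)\.|head_ref)[^}]*\}\}")

def trigger_names(wf: dict) -> set:
    triggers = wf.get("on", wf.get(True, {}))
    if isinstance(triggers, str):
        return {triggers}
    return set(triggers) if isinstance(triggers, list) else set(triggers.keys())

def audit_workflow(wf: dict) -> list:
    """One finding per pattern that lets GITHUB_TOKEN or repo secrets reach untrusted code."""
    findings = []
    if wf.get("permissions") == "write-all":
        findings.append("top-level permissions: write-all gives GITHUB_TOKEN write on every scope")
    elif "permissions" not in wf:
        findings.append("no top-level permissions: GITHUB_TOKEN scope falls back to the repo default")
    pr_target = "pull_request_target" in trigger_names(wf)
    for job_name, job in wf.get("jobs", {}).items():
        for step in job.get("steps", []):
            ref = str((step.get("with") or {}).get("ref", ""))
            if pr_target and str(step.get("uses", "")).startswith("actions/checkout") \
                    and "pull_request.head" in ref:
                findings.append(f"{job_name}: pull_request_target checks out the PR head ({ref}), "
                                "so fork code runs with base-repo secrets and a write-capable GITHUB_TOKEN")
            run = step.get("run", "")
            if run and UNTRUSTED_CONTEXT.search(run):
                findings.append(f"{job_name}: run step interpolates PR-controlled event data: {run!r}")
    return findings
```

Running `audit_workflow(SAMPLE_WORKFLOW)` returns three findings; the same workflow with `permissions: contents: read`, a plain `pull_request` trigger and no event-context interpolation returns none.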
Andrew Buchanan Senior Red Team Operator, Figment
Andrew is a Senior Red Team Operator at Figment, the world’s leading independent staking infrastructure provider. With over six years of Red Team experience, Andrew brings deep expertise across offensive security, adversary simulation, and real-world attack execution.
Prior to joining Figment, Andrew held cybersecurity roles at one of Canada’s largest financial institutions, conducting advanced red team engagements and security assessments across highly complex enterprise environments.
At Figment, Andrew plans and executes red team operations, penetration tests, and targeted security assessments with a focus on initial access, execution, cloud attack surfaces, and social engineering. As an initial access and social engineering specialist, he has designed and delivered numerous successful campaigns that closely mirror real-world threat actors. Andrew’s work helps ensure Figment continuously tests and strengthens its defences, ensuring that Figment's institutional customers can trust they're using the most secure staking product on the market.
Max CM Security Architect and Red Team Lead, Figment
Max Courchesne-Mackie is a cyber security professional with over a decade of experience spanning defense, red teaming, and blockchain security. Max currently serves as a Security Architect at Figment, the leading independent staking infrastructure provider globally. He began his career in the defense industry focused on offensive security, a discipline that remains his core passion and informs his pragmatic approach to risk. Today, Max designs and reviews secure systems for the blockchain industry - an environment facing relentless, rapidly evolving threats. He partners with engineering and product teams to harden architectures, pressure-test assumptions, and translate attacker tradecraft into practical controls. Max's recent work centers on threat modeling for decentralized systems, secure key and wallet management, and building detection/response mechanisms that assume breach.
Connor Laidlaw Senior Application Security Engineer, Figment
Connor is a Senior Application Security Engineer at Figment, the world's leading independent staking infrastructure provider. His career spans a diverse range of security domains, including low-level vulnerability research, offensive security for ticket scalping operations, and engineering defenses to protect applications from abuse.
At Figment, Connor serves as the security subject matter expert for all customer-facing applications. He proactively identifies security concerns at every stage of the software development lifecycle and partners with engineering teams to architect robust solutions. Connor is also spearheading an initiative to integrate AI into Figment's security program, including the development of highly specialized offensive security agents powered by deep contextual awareness of Figment's environment—ensuring that Figment's institutional customers can trust they're using the most secure staking product on the market.