Founding Director and Principal Investigator at Pwnshow, and CEO at Zeronomicon
24 talks delivered, 23 events spoken at, 17 countries visited, 10 years speaking, 24 total talks given.
Alfonso De Gregorio is a globally recognised cybersecurity technologist, Founding Director and Principal Investigator at Pwnshow, and CEO at Zeronomicon, Italy. He is a featured speaker at 25+ peer-reviewed international events across 5 continents, such as NATO's Conference on Cyber Conflict, RSA Conference, and the leading hacker conferences. His work focuses on the intersection of artificial intelligence, cyber threats, and regulatory landscapes. High-performance organisations engage him to spearhead relentless innovation across disciplines and fields, accelerate asymmetric advantage, and achieve peak confidence in today's interconnected operational environment—establishing Alfonso as a key figure shaping the discussion and practice of cybersecurity.
The proliferation of open-weight General-Purpose AI (GPAI) models like Llama, Mistral, and DeepSeek-R1 presents a double-edged sword. While spurring innovation, their release introduces unique cybersecurity challenges, with evaluations like MITRE's OCCULT demonstrating potent offensive capabilities that drastically lower the barrier to sophisticated cyberattacks. This creates a critical "mitigation gap," as traditional security measures relying on API monitoring or downstream control become ineffective once model weights are publicly available.
This presentation moves beyond identifying these challenges to detailing a concrete path forward, informed by direct engagement with EU policymakers. Drawing from first-hand contributions to the European Commission's public consultation on the AI Act, this talk reveals how expert technical feedback has shaped the updated GPAI Code of Practice, making it significantly more effective for the open-weight paradigm.
We will focus on the pivotal clarification successfully advocated for: treating the act of fine-tuning to remove safety features as a "substantial modification." This crucial interpretation shifts legal accountability from the original model provider to the downstream modifier, closing a major loophole and ensuring responsibility lies with the actor in control.
Based on this policy breakthrough, we will outline a pragmatic, multi-faceted strategy for securing the open-weight ecosystem, covering:
This talk provides technical experts, policymakers, and standardisation bodies with a unique insider's perspective on bridging the gap between technical reality and effective regulation, offering actionable recommendations for building a secure and accountable AI future.
Zero-day vulnerabilities - weaknesses in software that are unknown to the parties who could mitigate their specific negative effects - are gaining a prominent role in modern-day intelligence, national-security, and law-enforcement operations. At the same time, the lack of transparency and accountability in their trade and adoption, their possible overexploitation or abuse, the latent conflicts of interest of the entities handling them, and their potential dual effect may pose societal risks or lead to breaches of human rights. If left unaddressed, these usage-related challenges call into question the legitimacy of zero-day vulnerabilities as enablers of national-security and law-enforcement operations and erode the benefits that their proportionate use has for judicial, defence, and intelligence purposes. This work explores what the private sector involved in the trade of zero-day vulnerabilities can do to ensure respect for human rights and the benign, societally beneficial use of those capabilities. After reviewing what can go wrong in the acquisition of zero-day vulnerabilities, the session contributes the first code of ethics focused on the trade of vulnerability information, in which the author sets forth six principles and eight corresponding ethical standards aimed, respectively, at guiding and regulating the conduct of this business.
The entire X.509 PKI security architecture falls apart if a single CA certificate with a secretly embedded backdoor enters the certificate store of relying parties. Do we have sufficient assurance that this has not happened already? This talk explores the scenario from both an experimental and a speculative point of view.
From the experimental standpoint, the talk reports on illusoryTLS, an entry to the first Underhanded Crypto Contest. illusoryTLS is an instance of the Young and Yung elliptic-curve asymmetric backdoor in RSA key generation. It targets a Certification Authority public-key certificate imported into the certificate store of a fairly standard HTTPS client and TLS server. The security outcome is the worst possible one, because the backdoor completely subverts the guarantees provided by the TLS protocol, allowing the attacker to impersonate the endpoints (i.e., authentication failure), tamper with their messages (i.e., integrity erosion), and actively eavesdrop on their communications (i.e., confidentiality loss).
illusoryTLS has been shortlisted for the final rounds of the contest, which is still ongoing. Since the backdoored public key is indistinguishable from genuine public keys (under the ECDDH assumption) to all probabilistic polynomial-time algorithms, illusoryTLS is expected to withstand the review and scrutiny of the contest judges.
In the Internet X.509 PKI the security impact of such a backdoor would extend further: the presence of a single CA certificate with a secretly embedded backdoor in the certificate store renders the entire TLS security fictional. In fact, the current practice of universal implicit cross-certification makes the whole X.509 PKI as weak as its weakest link.
Therefore, when dealing with this class of attacks in the context of X.509 PKIs, it might not be sufficient to avoid outsourcing key generation. It also becomes essential to have assurance about the security of each implementation of the vulnerable key-generation algorithms employed by trusted credential issuers. Do we have sufficient assurance about the tens or hundreds of CA certificates we entrust our business to every day?
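The closing point of this abstract, that a kleptographic public key cannot be told apart from an honest one by inspecting its bits, means assurance has to come from the generation process rather than from the output. The Python block below is an added example, not code from the talk or from illusoryTLS, and it demonstrates one process-level check: reproducible RSA key generation from a committed seed, which an auditor holding the seed can recompute and compare against the published modulus. The HMAC-SHA256 byte stream, the fixed-base Miller-Rabin test, the `generate_rsa` and `audit_public_key` functions, and the 512-bit demo key size are all constructed for this example; real keys use 2048-bit or larger moduli.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo parameters: real RSA keys use 2048-bit or larger moduli.
DEMO_BITS = 512
PUBLIC_EXPONENT = 65537

_SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def _byte_stream(seed: bytes, label: bytes):
    """Deterministic byte stream: HMAC-SHA256(seed, label || counter).
    Constructed for this example; not a standardised DRBG."""
    counter = 0
    while True:
        block = hmac.new(seed, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
        yield from block


def _draw_int(stream, nbits: int) -> int:
    """Take exactly nbits of pseudorandom bits from the stream."""
    nbytes = (nbits + 7) // 8
    raw = bytes(next(stream) for _ in range(nbytes))
    return int.from_bytes(raw, "big") >> (nbytes * 8 - nbits)


def is_probable_prime(n: int) -> bool:
    """Trial division plus Miller-Rabin with fixed bases (deterministic, demo strength)."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _next_prime(stream, nbits: int, e: int) -> int:
    """Draw candidates until one is prime, has its top bit set, and keeps e invertible."""
    while True:
        cand = _draw_int(stream, nbits) | (1 << (nbits - 1)) | 1
        if is_probable_prime(cand) and (cand - 1) % e != 0:
            return cand


@dataclass(frozen=True)
class RsaKey:
    n: int
    e: int
    d: int
    p: int
    q: int


def generate_rsa(seed: bytes, nbits: int = DEMO_BITS, e: int = PUBLIC_EXPONENT) -> RsaKey:
    """Reproducible RSA key generation: the same seed always yields the same key.
    The seed is therefore as sensitive as the private key itself."""
    stream = _byte_stream(seed, b"rsa-keygen-v1")
    half = nbits // 2
    p = _next_prime(stream, half, e)
    q = _next_prime(stream, half, e)
    while q == p:  # astronomically unlikely, but keeps the function total
        q = _next_prime(stream, half, e)
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return RsaKey(n=n, e=e, d=d, p=p, q=q)


def audit_public_key(seed: bytes, n_claimed: int, e: int = PUBLIC_EXPONENT,
                     nbits: int = DEMO_BITS) -> bool:
    """Auditor's check: does the published modulus match what the committed seed yields?"""
    return generate_rsa(seed, nbits, e).n == n_claimed


if __name__ == "__main__":
    honest = generate_rsa(b"constructed-seed-A")
    # A modulus of unknown provenance: its bits look exactly like the honest one's.
    other = generate_rsa(b"constructed-seed-B")
    print("honest key passes audit:", audit_public_key(b"constructed-seed-A", honest.n))
    print("other key passes audit: ", audit_public_key(b"constructed-seed-A", other.n))
    print("both moduli are", honest.n.bit_length(), "and", other.n.bit_length(),
          "bits; nothing in the bits tells them apart")
```

The audit answers only one question: was this modulus produced by this reviewed code from this seed? It says nothing about a key whose seed the auditor never sees, and it assumes the generation code itself has been reviewed, which is exactly the implementation-level assurance the abstract calls for. The seed must be stored and handled with the same care as the private key, since anyone holding it can recompute the factors.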
Trading vulnerability information or 0-day exploits is considered a risky ordeal. Players in the secretive 0-day market face inherent obstacles related to the time-sensitiveness of the traded commodities, trust, price fairness, and the possibility of defection.
To alleviate some of these problems, it has been suggested to: 1. Use punishment (i.e., public disclosure of vulnerabilities) to discourage a buyer from defecting; 2. Resort to trusted third parties (e.g., escrow services) as crucial entities for enabling cooperation among market participants; and 3. Build a reputation system (e.g., a reputation score) as an instrument for establishing trust relationships between distrustful players.
This work presents the first results of an ongoing study on extortion and cooperation in 0-day markets through the lens of game theory. The questions motivating this research are: a. Can the 0-day market achieve cooperation and efficiency even in the absence of trusted third parties? b. Can punishment discourage the buyer from defecting? c. Under which conditions can a player extort the opponent? d. Can cooperation be sustained in fully anonymous or semi-anonymous settings? The talk addresses these questions and others by analysing the 0-day trading strategies applicable to each scenario.
Learn which strategies maximise profits when trading 0-days in today's marketplaces. Find out how to avoid being extorted by 0-day traders. Learn how to extort an unwitting market participant. Gain a deeper understanding of the emergence, sustainability, and breakdown of cooperation. Discover under which conditions 0-day markets can achieve efficiency.
This work finds application in a number of markets for vulnerability information and 0-day exploits, ranging from over-the-counter 0-day trading, to boutique exploit providers offering 0-day vulnerabilities for a subscription fee, to service models for vulnerability research.