2026-03-23, WORKSHOPS
Victims see the real site; you see everything. C.A.R.P. gives each visitor an isolated Firefox container that loads the actual target URL (Gmail, banks, SSO): no fake login page, just the real site in a browser you control. Passwords, 2FA codes, and session cookies are all captured, allowing sessions to be hijacked in real time. Combine C.A.R.P. with ARP and DNS spoofing on the local network, and victims who type real URLs or use bookmarks can be silently redirected into your controlled browser.
David Porcello (aka grep8000) is an independent security researcher, consultant, pentester, instructor, course developer, OSCP certificate holder, founder of Pwnie Express, and creator of the award-winning Pwn Plug and other penetration testing devices featured in Wired, Ars Technica, PC Magazine, Forbes, and Mr. Robot. Over the years, David has built covert hacking devices for DARPA, hosted workshops at Defcon, authored the Pentester's Handbook GitHub book, and built the tech behind NPR’s Project Eavesdrop.
Rob Wright (aka eth0.rwx) got his start in security in 1997, back when exploits were traded on mailing lists and vulnerability databases were just being invented. He founded Security-Source, one of the first online vulnerability databases, and spent years in offensive security before stepping away in 2002. Returning in 2022, he now works in vulnerability management focused on automation, remediation, and closing real risk in production environments.
He brings an attacker’s perspective to defensive security, with a focus on how things actually break and how to fix them at scale.