DEF CON 2026
Join Finite State at DEF CON 2026 to explore how security teams can move beyond theoretical findings and understand how vulnerabilities actually manifest across connected systems, firmware, and shipped software.
As connected systems become increasingly software-defined, security teams face growing challenges understanding what is actually deployed, identifying which vulnerabilities are operationally relevant, and responding quickly across complex software supply chains.
At DEF CON, those conversations move beyond theory. Offensive researchers, red and blue teams, embedded security practitioners, and product security engineers are focused on how systems fail in practice, where visibility breaks down, and how exploitability differs from vulnerability volume.
Finite State helps teams cut through fragmented tooling and incomplete visibility by transforming firmware, binaries, source code, supplier SBOMs, and third-party outputs into a continuous, artifact-backed security workflow grounded in what actually ships.
By unifying firmware and source intelligence in minutes, Finite State enables teams to prioritize reachable and relevant vulnerabilities, accelerate impact analysis, maintain traceable VEX decisions, and continuously generate audit-ready security outputs across evolving products and releases.
🎯 Join Finite State at AppSec Village at DEF CON
This year at AppSec Village, Finite State is bringing a hands-on incident response challenge designed around realistic operational technology (OT), connected device, and software supply chain security scenarios.
Factory Floor MVP Incident Response Challenge
Game Session 1: Friday, August 7, 1:00–3:00 PM
Game Session 2: Saturday, August 8, 1:00–3:00 PM
Step into the role of a defender responsible for protecting a modern manufacturing environment as you investigate active cyberattacks across industrial control systems, engineering workstations, sensors, historians, and connected infrastructure.
Working as a team, participants will analyze indicators of compromise, investigate suspicious activity, uncover attacker actions, and make incident response decisions before operational disruption or safety impacts occur.
Designed for the DEF CON community, the challenge blends offensive security concepts, incident response, supply chain security, firmware analysis, and practical investigative techniques into a collaborative experience grounded in real-world scenarios. Participants will explore how vulnerabilities actually manifest in deployed systems while evaluating exploitability, attack paths, reachability, and operational risk.
What You'll Experience
- Investigating attacks across OT and connected device environments
- Discovering adversary activity spanning initial access, persistence, lateral movement, and actions on objectives
- Analyzing firmware, SBOMs, threat intelligence, and forensic evidence
- Balancing security decisions against operational and safety requirements
- Applying practical incident response workflows used in modern manufacturing environments
Built for offensive security researchers, product security engineers, red and blue teams, incident responders, embedded security practitioners, and anyone interested in how systems fail in the real world, this challenge emphasizes hands-on learning, collaborative problem solving, and realistic security tradeoffs.
Following each session, teams will participate in a facilitated debrief examining attack paths, visibility gaps, operational impacts, and opportunities to improve resilience across connected systems and software supply chains.
Stop by AppSec Village at DEF CON and put your investigation skills to the test.
🔎 Visit Finite State at DEF CON to See:
Live demos of artifact-backed security workflows
- Unified product intelligence
  Analyze and connect firmware, binaries, source, and supplier inputs into a complete, continuously updated system of record grounded in what actually ships
- Exploitability-based prioritization
  Focus on real exposure using reachability and context, with defensible rationale for what matters and what does not
- New CVE to impacted products
  Move from vulnerability disclosure to impact analysis quickly, with consistent VEX decisions and traceable outputs across builds
- Design-to-deployment traceability
  Connect architecture, threats, risks, and requirements directly to deployed software, and keep them aligned as systems evolve
- Continuous compliance outputs
  Automatically generate SBOM, VEX, traceability, and audit-ready reports that stay current across releases
📅 Meet with the Team
Talk with Finite State about practical approaches to connected device security, firmware analysis, vulnerability prioritization, and operational product security workflows.
Meet with our team to:
- Transform firmware and software artifacts into a continuous, audit-ready assurance workflow
- Unify firmware, binary, and source intelligence across products and environments
- Reduce vulnerability noise with reachability-based prioritization
- Accelerate response from new CVE to stakeholder-ready outputs
- Improve collaboration between offensive security, product security, PSIRT, and engineering teams
- Maintain defensible security evidence and continuous compliance outputs across releases
🛡️ Why Finite State?
Finite State is the Product Security Automation Platform for connected devices. The platform unifies firmware, binary, and source intelligence, transforming product artifacts into a continuous system of record and audit-ready assurance.
By prioritizing real exposure with reachability and context and continuously generating SBOM, VEX, traceability, and compliance-ready outputs, Finite State helps security teams reduce manual effort, accelerate vulnerability response, and maintain defensible proof across modern software-driven systems and connected device ecosystems.
🎯 Key Takeaways
Connect with our team at DEF CON for practical guidance on firmware-grounded product security, exploitability-driven vulnerability prioritization, and understanding how modern connected systems actually fail in operational environments.
Secure every release. Prove compliance continuously.
We will be at DEF CON. Will you?