---
title: "Three Booths That Told the Whole Story"
date: 2026-03-26
description: "At BSides SF 2026, fifty sponsors lined the floor. But three booths — Socket, DryRun Security, and C|Side — mapped the entire modern security stack from package registry to browser tab."
tags: ["security","bsides-sf","supply-chain","conference-recap"]
readingTime: "12 min read"
url: https://alexmoening.com/dev-thoughts/three-booths-that-told-the-whole-story.html
markdownUrl: https://alexmoening.com/dev-thoughts/three-booths-that-told-the-whole-story.md
---

# Three Booths That Told the Whole Story

<p class="lead">I walked into BSides SF 2026 — theme: "The Musical" — expecting stickers and war stories. I walked out with a thesis: three booths — one Gold, one Silver, one Bronze — mapped the entire modern security stack from package registry to browser tab.</p>

### The Musical

<p class="section-summary">BSides SF 2026 drew 139 sessions, 155 speakers, and 50+ sponsors to City View at Metreon — and sold out every sponsorship tier.</p>

BSides San Francisco runs the weekend before RSA Conference, and it's the anti-RSA in the best way. Where RSA costs $3,000 and fills Moscone with enterprise sales theater, BSides costs $100 and fills the Metreon with people who actually break and build things. The 2026 theme was "The Musical" — talks framed as performances, the evening party leaning into the metaphor.

The floor was dense. Fifty-plus sponsors across Gold, Silver, Bronze, and category tiers. Sticker tables you could spend an hour at. A 48-hour CTF sponsored by Upwind. Graphic recordings by Webflow capturing talk highlights in real-time. Calming kits from Embed Security for neurodiversity. It was a community event — volunteer-organized, non-profit, and somehow still landing speakers from Anthropic, Netflix, OpenAI, Cursor, Google, and the EFF.

I spent two days walking the floor, photographing booths, sitting in talks, and talking to anyone who'd let me record them. Out of everything I saw, three conversations crystallized a thesis about the modern security stack.

### Socket: The Package Registry Guardian

<p class="section-summary">Socket's threat engine catches malicious packages within minutes of publication across 10+ ecosystems. $65 million in funding, 10,000+ organizations, and the Lazarus Group on their radar.</p>

I stopped at the Socket booth on Saturday. They were a Gold sponsor with a prime spot inside City View at Metreon, and the rep walked me through their platform for nearly eight minutes while I recorded.

Socket's pitch starts where traditional SCA tooling stops: known vulnerabilities. Their engine goes after the unknowns — malicious packages, typosquats, supply chain attacks that haven't been CVE'd yet — across ten-plus ecosystems including npm, PyPI, Maven, Go, Ruby, Cargo, and NuGet. AI plus deterministic rules checking 70-plus behavioral signals on source code and metadata the moment a package is published. Their engine flags a malicious package within two to six minutes of upload. When Socket researchers documented the StegaBin campaign — 26 malicious npm packages using steganography and Pastebin for payload delivery — they flagged the first package within two minutes of publication.

<table class="data-table">
    <thead>
        <tr>
            <th>Capability</th>
            <th>How It Works</th>
        </tr>
    </thead>
    <tbody>
        <tr>
            <td>Threat Engine</td>
            <td>Real-time analysis across 10+ ecosystems — 70+ behavioral signals via AI + deterministic rules on source and metadata</td>
        </tr>
        <tr>
            <td>Socket Firewall</td>
            <td>Ephemeral proxy on developer machines — intercepts package downloads, blocks known malware before installation</td>
        </tr>
        <tr>
            <td>Reachability</td>
            <td>Reduces CVE noise 80-90%+ by identifying which vulnerabilities are actually callable in your app (powered by Coana acquisition)</td>
        </tr>
        <tr>
            <td>Socket Patches</td>
            <td>For CVEs with no upstream fix — patches the vulnerability without changing package functionality</td>
        </tr>
    </tbody>
</table>

The Socket Firewall caught my attention. It spins up an ephemeral proxy that intercepts all dependency requests — including transitive dependencies — and checks each one against Socket's threat feed before installation. Pull a flagged package — even minutes after the malicious version was published — and the proxy blocks the download. npm, Claude Code, Cursor, doesn't matter. The proxy intercepts before the package reaches your machine.

I asked about the most common attack vector. Without hesitation: **typosquatting**. Socket's own research has traced hundreds of malicious packages to the Lazarus Group — North Korean actors publishing packages with names nearly identical to popular libraries, sometimes using Unicode tricks impossible to spot visually. Socket has 80-plus alert types, but typosquatting is number one.
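To make the typosquatting category concrete, here is an added defender-side example (my code, not Socket's engine or any registry tooling): it folds each name in a dependency list to the ASCII skeleton a reader actually sees, using NFKC normalization plus a small constructed subset of Unicode confusables, then compares the skeleton against a constructed allow-list of popular names. A name that folds to a popular name but is spelled with non-ASCII characters is reported as a homoglyph; a name one keystroke (insertion, deletion, substitution or adjacent swap) away from a popular name is reported as a typosquat candidate. The allow-list, the confusable table and the sample dependency list are all assumptions standing in for an organization's real data.

```python
import unicodedata

# Constructed allow-list of popular package names a team depends on. In practice this
# would come from an organization's approved-package list or registry download
# statistics (assumption, not part of the original post).
POPULAR = ["requests", "numpy", "lodash", "express", "pillow", "cryptography"]

# Small constructed subset of Unicode confusables mapped to the ASCII letter they
# resemble (assumption: a real check would use the full Unicode confusables table).
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0455": "s",  # Cyrillic small dze
    "\u0456": "i",  # Cyrillic small byelorussian-ukrainian i
    "\u0131": "i",  # Latin dotless i
    "\u2010": "-",  # hyphen
    "\u2011": "-",  # non-breaking hyphen
}


def canonical(name: str) -> str:
    """Fold a package name to the ASCII skeleton a reader 'sees' on screen."""
    folded = unicodedata.normalize("NFKC", name).lower()
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in folded)
    # Treat '_' and '.' as the same separator as '-', mirroring registry name normalization.
    return folded.replace("_", "-").replace(".", "-")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(name: str) -> tuple:
    """Return (verdict, closest popular name or None) for one dependency name."""
    skel = canonical(name)
    for popular in POPULAR:
        if skel == canonical(popular):
            if name == popular:
                return ("allowed", popular)
            if any(ord(ch) > 127 for ch in name):
                return ("homoglyph", popular)        # looks identical on screen, is not
            return ("normalized-match", popular)     # same name, different case/separator
    closest = min(POPULAR, key=lambda p: osa_distance(skel, canonical(p)))
    if osa_distance(skel, canonical(closest)) <= 1:
        return ("typosquat-candidate", closest)     # one keystroke away from a popular name
    return ("unknown", None)


def audit(dependencies) -> dict:
    """Classify every name in a dependency list, e.g. one parsed from a lockfile."""
    return {name: classify(name) for name in dependencies}


# Constructed sample dependency list standing in for a parsed lockfile.
DEPENDENCIES = ["requests", "reqeusts", "numpy", "nump", "lod\u0430sh", "crypt0graphy", "leftpad"]

if __name__ == "__main__":
    for name, (verdict, match) in audit(DEPENDENCIES).items():
        print(f"{name!r:16} {verdict:20} {match or ''}")
```

Name-level checks like this are only the cheapest layer; they say nothing about a legitimately named package whose contents changed, which is why the behavioral signals described above matter. Running the block prints one line per dependency: `reqeusts` and `nump` come back as typosquat candidates, the Cyrillic-a `lodash` as a homoglyph, and `leftpad` as unknown.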

Then the rep mentioned something I hadn't heard as a formal category: **protestware**. Packages that write political messages to user machines. A maintainer decides their open source library should now protest a war or a political party. Socket flagged these packages — npm removed the destructive versions but let the message-only packages stay. They didn't violate registry policy.

No credential theft, no cryptojacking — but a hostile takeover of your users' screens for political messaging. A business risk that no organization wants, and the registries treat it as free expression.

Socket counts Anthropic, Figma, OpenAI, and Vercel as customers — protecting over 10,000 organizations and 750,000 repositories. Fortune 100 deployments happen in minutes via a GitHub app. They've raised $65 million across three rounds — with a16z, Bret Taylor, and ex-GitHub CEO Nat Friedman on the cap table. This is supply chain security operating at a scale and speed that didn't exist two years ago.

### DryRun Security: The Code Review Layer

<p class="section-summary">DryRun processes 250,000 code reviews monthly, claims an 88% SAST benchmark detection rate, and lets you write security policies in plain English.</p>

I tried to record an interview at DryRun's booth — met both co-founders, James Wickett and Ken Johnson — but the file came back corrupted. Doesn't matter. I grabbed their holographic sticker — the best conference swag I collected — and stayed for a demo that did all the talking the recording couldn't.

Wickett and Johnson are both DevSecOps veterans with deep roots in the AppSec community. Their thesis: with AI generating more code than ever, traditional SAST tools can't keep up. Static analysis rules were written for human coding patterns. AI-generated code looks different, and it breaks different.

Their answer is a Contextual Security Analysis engine — AI-native, designed to understand not just the syntax of code changes but their behavior and execution context. According to DryRun's own benchmarks (internally tested, not independently audited), their engine hits an **88% vulnerability detection rate** — tested against four traditional SAST tools: Semgrep, Snyk Code, CodeQL, and SonarQube. The closest competitor caught 46%. They process over 250,000 code reviews monthly.

The feature that stopped me was **Natural Language Code Policies**.

Instead of writing regex-based SAST rules or learning a vendor's DSL, you write security policies in plain English. "No API endpoint should accept user-controlled input without authentication checks." "All database queries must use parameterized statements." DryRun's engine enforces these across every pull request. Security teams skip the SAST rules and write what they actually mean.

Two other things stood out. First, their **Code Insights MCP** — an MCP server that embeds DryRun's security intelligence directly into AI coding agent workflows. When Claude Code or Cursor generates code, DryRun's security context is available as a tool the agent can call. The agent checks its own work against your security policies before it even opens the PR. This is the kind of agent-native integration I wrote about in [The Night Agents Took the Stage](the-night-agents-took-the-stage.html) — not an afterthought, but a first-class participant in the AI-assisted development loop.

Second, their **DeepScan Agent**, launched in February 2026. Full-repository application security reviews that complete in hours instead of the weeks a manual assessment would take. The founders told me the standard platform runs per-seat pricing; DeepScan adds a usage-based consumption model on top. All of this on roughly $11 million in total funding, per the founders.

And the timing is sharp. Two weeks before BSides, DryRun published their Agentic Coding Security Report — testing Claude, Codex, and Gemini building real applications. The finding: **87% of AI-generated pull requests introduced at least one vulnerability**. Broken access control was the most universal issue. If you needed a thesis for why AI-native code review matters, DryRun wrote it.

The dual sponsorship — Silver booth plus lanyard — is a serious community investment for an early-stage company. But when your product is "security review for every PR," a conference full of security engineers wearing your brand around their neck is exactly the right play.

### C|Side: The Last Mile

<p class="section-summary">C|Side is a JavaScript hypervisor — a proxy layer that intercepts every third-party script before it reaches the browser. VPN detection, agent detection, PCI DSS automation, all on $7.7 million.</p>

I caught C|Side founder Simon at their booth in the sponsor hall. They were a Bronze sponsor — small booth, small team, about two years old. But the technical depth of what they're building is disproportionate to their size.

Simon Wijckmans founded C|Side (cside.dev) after managing client-side security products at Cloudflare, where he watched Magecart attacks evolve faster than the tools built to stop them. He's Belgian, under 30, and on the Forbes 30 Under 30 Europe list.

Simon walked me through the architecture at the booth, starting with a name that stuck: a JavaScript hypervisor. C|Side's core is a proxy-based interception layer. A single script tag loads first in your HTML head. It rewrites every third-party script URL to route through C|Side's proxy infrastructure. Before any script reaches the browser, C|Side's self-hosted LLMs analyze the payload — deobfuscating it, classifying intent, and flagging anything malicious. The proxy adds 8-20ms of latency for dynamic scripts; static scripts are cached at their edge. The result, per C|Side's own documentation: complete visibility into what your users actually receive.

The PCI DSS angle is what makes this enterprise-ready. PCI DSS 4.0.1 requirements 6.4.3 and 11.6.1 — mandatory since March 2025 — require complete script inventories on payment pages, integrity verification for every script, and change-and-tamper detection at least weekly. C|Side automates all of it and goes further: continuous monitoring instead of weekly scans, plus tracking 14 security-impacting HTTP headers when visitors hit payment pages.
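What requirements 6.4.3 and 11.6.1 ask for can be checked with surprisingly little code. The following is an added example of my own, not C|Side's product or any PCI reference implementation: it parses a constructed payment page, compares every external `<script>` against a constructed inventory of approved script URLs with the SRI hash recorded at approval time, and re-hashes the bodies the browser would receive today. Each script ends up as `ok`, `unauthorized` (not in the inventory), `tampered` (served body no longer matches the approved hash), or `missing-integrity` (approved and unchanged, but the tag carries no `integrity` attribute, so the browser itself enforces nothing). The hosts, script bodies and inventory are all assumptions.

```python
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(body: bytes) -> str:
    """Subresource Integrity value (sha384-<base64 digest>) for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode("ascii")


class ScriptCollector(HTMLParser):
    """Collects (src, integrity) for every external <script> on a page."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"], a.get("integrity")))


def audit_page(html: str, inventory: dict, served: dict) -> dict:
    """Check a payment page against the approved script inventory.

    inventory: src -> SRI hash recorded when the script was approved
    served:    src -> bytes the browser would actually receive right now
    Inventory entries that vanished from the page are reported as 'removed'.
    """
    collector = ScriptCollector()
    collector.feed(html)
    report = {}
    for src, integrity in collector.scripts:
        expected = inventory.get(src)
        if expected is None:
            report[src] = "unauthorized"          # 6.4.3: script not in the inventory
        elif sri_hash(served.get(src, b"")) != expected:
            report[src] = "tampered"              # 11.6.1: content changed since approval
        elif integrity != expected:
            report[src] = "missing-integrity"     # 6.4.3: no browser-side integrity check
        else:
            report[src] = "ok"
    for src in inventory:
        if src not in report:
            report[src] = "removed"
    return report


# Constructed script bodies as they were when approved (assumption).
APPROVED = {
    "https://cdn.example/checkout.js": b"window.checkout = function () { /* approved build */ };",
    "https://cdn.example/payments-sdk.js": b"window.paymentsSdk = { version: '1.0' };",
    "https://tags.example/analytics.js": b"window.track = function (e) { /* approved build */ };",
}
INVENTORY = {src: sri_hash(body) for src, body in APPROVED.items()}

# Constructed bodies as served today: analytics.js has changed upstream, and a
# chat widget that never went through inventory review is now being served.
SERVED = dict(APPROVED)
SERVED["https://tags.example/analytics.js"] = b"window.track = function (e) { /* new code */ };"
SERVED["https://chat.example/widget.js"] = b"/* never approved */"

# Constructed payment page: the payments SDK tag has lost its integrity attribute.
PAGE = f"""
<html><head>
<script src="https://cdn.example/checkout.js" integrity="{INVENTORY['https://cdn.example/checkout.js']}"></script>
<script src="https://cdn.example/payments-sdk.js"></script>
<script src="https://tags.example/analytics.js" integrity="{INVENTORY['https://tags.example/analytics.js']}"></script>
<script src="https://chat.example/widget.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for src, verdict in audit_page(PAGE, INVENTORY, SERVED).items():
        print(f"{verdict:18} {src}")
```

The weekly cadence the standard allows is the floor, not the ceiling: scheduling `audit_page` against a live fetch of the page and of each script body on every deploy, or continuously, turns the same logic into the change-and-tamper detection the paragraph above describes. Scripts that load other scripts at runtime are invisible to a static parse like this one, which is the gap a proxy-based approach is meant to close.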

What surprised me was the VPN detection. Most VPN detection services maintain lists of known exit node IPs and check against them. C|Side does multi-layered analysis across OSI layers 3, 4, and 7 — browser fingerprints, device characteristics, network packet behavior, and timing discrepancies. They look for the actual indicators of VPN infrastructure within the request itself, not just known IP addresses.

"It's not a list," Simon told me. And given that any motivated user can spin up a fresh VPN endpoint not on any list, that distinction matters.

The most interesting part of the conversation was about strategy, not technology. I mentioned that putting detection on a WAF makes it obvious to attackers when they're caught — leading to the eternal cat-and-mouse game of rotating fingerprints and IPs.

<blockquote class="pull-quote">"If you make it a quiet, silent failure somewhere in the app — or it's a signal to your fraud detection in the backend — you tend to have better results."</blockquote>

Instead of throwing a 403 and telling the attacker exactly what caught them, you let the request proceed into a dead end. The attacker thinks they succeeded. Your fraud system has already flagged them. No arms race. No fingerprint rotation. Just a quiet signal and a closed door. C|Side is architecturally fail-open by design — if their proxy goes down, scripts load directly from their original sources. Their tooling never becomes the reason a site breaks.

<table class="data-table">
    <thead>
        <tr>
            <th>C|Side Capability</th>
            <th>How It Works</th>
        </tr>
    </thead>
    <tbody>
        <tr>
            <td>JavaScript Proxy Layer</td>
            <td>Rewrites third-party script URLs through C|Side's edge — self-hosted LLMs analyze every payload before it reaches the browser</td>
        </tr>
        <tr>
            <td>PCI DSS Automation</td>
            <td>Script inventory, integrity verification, continuous change detection — requirements 6.4.3 and 11.6.1 (mandatory since March 2025)</td>
        </tr>
        <tr>
            <td>VPN Detection Engine</td>
            <td>Multi-layered analysis across OSI layers 3, 4, and 7 — fingerprints, device characteristics, packet behavior, timing</td>
        </tr>
        <tr>
            <td>Agent Detection Toolkit</td>
            <td>Identifies agentic browsers (Comet, ChatGPT Atlas, Manus) via timing patterns, fingerprint mismatches, and known LLM platform signals</td>
        </tr>
        <tr>
            <td>Fail-Open Architecture</td>
            <td>If the proxy goes down, scripts load directly from original sources — 99.99% uptime SLA</td>
        </tr>
    </tbody>
</table>

C|Side launched their AI Agent Detection Toolkit in February 2026 — purpose-built for the agentic browser threat that most security tools aren't designed for. Simon's philosophy: "Agents aren't inherently bad — bad *actions* are bad." The toolkit classifies intent, not just identity. Their engineering team includes alumni from the Servo browser engine project, which explains the depth of their browser-level analysis. All of this on $7.7 million in total funding from a fully remote team.

### The Stack

Three companies. Three distinct layers. Each one operating at a different point in the same continuous attack surface.

<table class="data-table">
    <thead>
        <tr>
            <th>Layer</th>
            <th>Company</th>
            <th>What They Watch</th>
            <th>Sponsor Tier</th>
        </tr>
    </thead>
    <tbody>
        <tr>
            <td>Package Registry</td>
            <td>Socket</td>
            <td>Open source packages at install time</td>
            <td>Gold</td>
        </tr>
        <tr>
            <td>Code Review</td>
            <td>DryRun Security</td>
            <td>Pull requests and AI-generated code</td>
            <td>Silver + Lanyard</td>
        </tr>
        <tr>
            <td>Browser Runtime</td>
            <td>C|Side</td>
            <td>Client-side scripts, bots, and VPNs</td>
            <td>Bronze</td>
        </tr>
    </tbody>
</table>

Registry. Review. Runtime. One continuous security surface. And the common thread: **AI agents are both the tool and the threat**. Socket's Firewall protects developers using Claude Code. DryRun's MCP server makes security intelligence available to Cursor. C|Side detects agentic browsers that are, themselves, AI-powered.

### The Floor

Beyond my three-booth thesis, BSides SF 2026 had patterns worth noting.

**The AI agent security pivot is real.** Tailscale announced Aperture for AI Agents — an open alpha that routes AI API calls through Tailscale's identity infrastructure. Nudge tracks 1,300 unique GenAI tools adopted outside IT, up from 75 two years ago. PromptFoo, the LLM red teaming platform, was acquired by OpenAI less than two weeks before BSides — raising questions about independent AI security testing.

**The startup density was remarkable.** SubImage (YC W25, ex-NSA/Anthropic founders) is building an open-core Wiz alternative. Clover, backed by Wiz co-founders, is pursuing "design-led product security." Spektrum Labs emerged from stealth five months ago. Many Bronze sponsors are less than two years old. The security startup ecosystem is visibly in a growth cycle.

**The keynotes went big.** Katie Moussouris argued that AI automation is threatening security researcher jobs — security is the "canary in the coal mine" for broader knowledge worker displacement. Ziyad Edher from Anthropic dismantled air gap assumptions with "So You Think You Can Airgap? (No.)" — a systematic walk through covert channel research. A Wiz researcher walked through the North Korean TraderTraitor / Bybit $1.5 billion heist investigation.

**And Google closed the $32 billion Wiz acquisition ten days before BSides** — then both companies showed up as separate Silver sponsors. The organizers presumably printed the signage before the deal closed.

### The Close

BSides SF costs $100. RSA costs $3,000. The insight density per dollar isn't close.

I recorded a bunch of interviews, photographed seven talks, and collected enough holographic stickers to wallpaper a bathroom. But what I'm taking away is simpler than all that: the modern application security stack has three distinct layers, and I happened to meet the companies watching each one.

Socket catches the threat before a package lands on your machine. DryRun catches it when a human — or an AI — writes it into a pull request. C|Side catches what reaches the browser anyway. And increasingly, AI agents are on both sides of every layer — writing the code, reviewing the code, and attacking the code.

"The Musical" was a fitting theme. Security has always been a performance — the question is whether you're directing the show or getting played off stage.

---

*BSides San Francisco 2026 ran March 21-22 at City View at Metreon and AMC Metreon 16 in San Francisco. 139+ sessions, 155+ speakers, 50+ sponsors. Organized by ~200 volunteers and chaired by Reed Loden. Next BSides SF runs the weekend before RSA Conference 2027.*

---

### Postscript: March 24

Two days after BSides ended, a researcher at FutureSearch watched his machine lock up. An MCP plugin running inside Cursor had pulled `litellm` as a transitive dependency — and the latest version on PyPI wasn't the one LiteLLM's maintainers had published. A `.pth` file in the package was spawning subprocesses on every Python interpreter startup. His machine crashed. That crash was the first signal.

The attack chain traced back days. A threat actor called TeamPCP had compromised Aqua Security's Trivy — a widely used security scanner — through a misconfigured GitHub Actions workflow. From there, they pivoted into LiteLLM's CI/CD pipeline, extracted its PyPI publishing credentials, and used them to push two backdoored versions — 1.82.7 and 1.82.8 — directly to the Python Package Index. The malware harvested SSH keys, cloud credentials across AWS, GCP, and Azure, Kubernetes configs, API keys, and cryptocurrency wallets. LiteLLM serves approximately 95 million downloads per month. The exposure window was roughly five hours before PyPI quarantined the package. CrewAI, Browser-Use, DSPy, and most of the major agentic AI frameworks were in the blast radius. Andrej Karpathy called it publicly: "Supply-chain attacks like this are basically the scariest thing imaginable in modern software."
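The `.pth` mechanism that exposed this incident is easy to audit on your own machines. The example below is mine, written for this post and not taken from the LiteLLM, PyPI or Trivy projects: Python's `site.py` treats any line of a `.pth` file that begins with `import ` (or `import` followed by a tab) as code and executes it at every interpreter start, while every other line is just a path entry. The scanner lists those executable lines across a directory of `.pth` files, flags the ones that mention a constructed set of suspicious substrings as high severity, and can be pointed at the real site-packages directories of the running interpreter. The three sample `.pth` files it writes to a temporary directory are constructed stand-ins, including the backdoor-shaped one, which is never executed.

```python
import os
import site
import tempfile

# Substrings that should not normally appear in the import line of a .pth file.
# Constructed heuristic list (assumption), not an exhaustive signature set.
MARKERS = ("subprocess", "os.system", "os.popen", "exec(", "eval(", "base64",
           "urllib", "socket", "__import__", "compile(")


def scan_pth_dir(directory: str) -> list:
    """Report every executable line in the .pth files of one directory.

    site.py runs a .pth line that starts with 'import ' or 'import<tab>' on every
    interpreter startup; all other lines are added to sys.path and never executed.
    """
    findings = []
    for fname in sorted(os.listdir(directory)):
        if not fname.endswith(".pth"):
            continue
        path = os.path.join(directory, fname)
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                code = line.strip()
                if not code.startswith(("import ", "import\t")):
                    continue
                hits = [m for m in MARKERS if m in code]
                findings.append({
                    "file": fname,
                    "line": lineno,
                    "code": code,
                    "markers": hits,
                    "severity": "high" if hits else "review",
                })
    return findings


def scan_site_packages() -> list:
    """Scan the real site-packages directories of the running interpreter."""
    get_dirs = getattr(site, "getsitepackages", lambda: [])   # absent in some old virtualenvs
    dirs = list(get_dirs()) + [site.getusersitepackages()]
    findings = []
    for d in dirs:
        if os.path.isdir(d):
            findings.extend(scan_pth_dir(d))
    return findings


def build_sample_dir() -> str:
    """Write constructed .pth files (assumption: not real packages) to a temp dir."""
    d = tempfile.mkdtemp(prefix="pth-audit-")
    samples = {
        # Plain path entries only: site.py never executes these.
        "aaa-paths.pth": "/opt/example/lib\n/opt/example/vendor\n",
        # Editable-install style: an import line, executed, but nothing alarming in it.
        "editable-pkg.pth": "import sys; sys.path.insert(0, '/opt/example-project/src')\n",
        # Constructed stand-in for the pattern described above: an import line that
        # would spawn a subprocess on every interpreter start. Written to disk as data
        # for the scanner to read; this sample directory is never added to sys.path.
        "zz-constructed-backdoor.pth": "import subprocess; subprocess.Popen(['echo', 'constructed sample'])\n",
    }
    for fname, body in samples.items():
        with open(os.path.join(d, fname), "w", encoding="utf-8") as fh:
            fh.write(body)
    return d


if __name__ == "__main__":
    for f in scan_pth_dir(build_sample_dir()) + scan_site_packages():
        print(f"[{f['severity']}] {f['file']}:{f['line']} {f['code']}")
```

Legitimate `.pth` import lines exist (editable installs, some virtualenv and coverage tooling), so the `review` bucket is not empty on a normal machine; the point is that the set is small and stable, and a new high-severity entry appearing after a dependency update is exactly the signal that, in this case, arrived as a crashed laptop.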

The attack landed while I was still writing this piece. The three-layer stack I'd sketched at BSides — package registry, code review, browser runtime — mapped onto the incident almost structurally.

<table class="data-table">
    <thead>
        <tr>
            <th>Layer</th>
            <th>How the LiteLLM Attack Touched It</th>
        </tr>
    </thead>
    <tbody>
        <tr>
            <td>Package Registry</td>
            <td>Backdoored package published directly to PyPI — the install-time interception point</td>
        </tr>
        <tr>
            <td>Code Review / CI</td>
            <td>Entry point was a compromised security scanner (Trivy) inside the CI/CD pipeline</td>
        </tr>
        <tr>
            <td>Agent Runtime</td>
            <td>Discovered when an MCP plugin in Cursor pulled the poisoned package as a transitive dependency</td>
        </tr>
    </tbody>
</table>

The stack I walked on Saturday wasn't theoretical. It was a weekend ahead of schedule.

---

*Copyright 2026 Alex Moening. Opinions expressed are my own.*
