"Think Like an Attacker: Automating Red Team Simulations and AI Testing"
A presentation on the intersection of AI, automation, and security for the Right of Boom 2026 conference in Las Vegas. Delivered by Tim Fournet (Rewst) and Roddy Bergeron (Sherweb).
# Install Node.js if needed
winget install OpenJS.NodeJS.LTS
# Then run
npm install
npm run devnpm install
npm run dev| Key | Action |
|---|---|
→ Space |
Next slide |
← |
Previous slide |
B |
Show break slide (from anywhere) |
N |
Toggle presenter notes |
T |
Start/stop timer |
R |
Reset timer |
D |
Toggle demo mode |
Esc |
Close overlays / exit demos |
PageDown |
Force next slide (skips demo steps) |
| Command | Description |
|---|---|
npm run dev |
Start dev server on port 2026 |
npm run build |
Production build to dist/ |
npm run preview |
Preview production build |
npm run pdf |
Generate PDF (requires Puppeteer) |
Resources are in public/resources/ (served at /resources/ when running).
See REWST.md for full import instructions.
| Resource | Description |
|---|---|
| Endpoint_Posture_Checks.bundle.json | Endpoint posture validation workflow |
| CA Policy Changes Crate | Rewst Marketplace crate |
| Script | Description |
|---|---|
| Invoke-SafeEndpointValidation.ps1 | Main endpoint validation script |
| Invoke-SafeEndpointValidation-Wrapper.ps1 | Wrapper for Rewst integration |
| endpoint-collector.ps1 | Endpoint data collection |
| rewst-oneliner.ps1 | Quick Rewst deployment one-liner |
| Script | Description |
|---|---|
| setup-lab-vm.ps1 | Set up lab VM |
| stage-gaps.ps1 | Stage security gaps for testing |
| teardown-lab-vm.ps1 | Clean up lab VM |
| Template | Description |
|---|---|
| safe-sweep-aggregate.jinja | Jinja template for aggregating results |
| safe-sweep-email-template.jinja | Email report template |
| safe-sweep-narrative-prompt.jinja | AI narrative generation prompt |
| Report | Description |
|---|---|
| safe-sweep-report-example.html | Example Safe Sweep HTML report |
All incidents and statistics cited in the presentation are from verified sources.
| Incident | Date | Sources |
|---|---|---|
| Arup Engineering Deepfake ($25M) | Jan 2024 | CNN, Bloomberg |
| Samsung → ChatGPT data leak | Apr 2023 | Bloomberg, TechCrunch |
| Chevrolet Chatbot ($1 car) | Dec 2023 | AI Incident Database #622 |
| DPD Chatbot (swore at customers) | Jan 2024 | TIME |
| Bing "Sydney" | Feb 2023 | Wikipedia |
| Mata v. Avianca (fake cases) | Jun 2023 | Wikipedia, Reuters |
| Air Canada Chatbot liability | Feb 2024 | CBC News |
| NYC MyCity Chatbot | Mar 2024 | The Markup |
| Statistic | Source |
|---|---|
| 73.8% workplace ChatGPT accounts are non-corporate | Cyberhaven Shadow AI Report 2024 |
| 28% of organizations have formal AI policy | ISACA AI Pulse Poll 2024 |
| $670K extra cost per shadow AI breach | IBM Cost of a Data Breach 2025 |
| 258 days average breach lifecycle | IBM Cost of a Data Breach 2024 |
| NAIC AI Model Bulletin (24 states) | NAIC 2024 |
| ISACA insurance guidance | ISACA 2025 |
| Reference | Source |
|---|---|
| Shadow AI real-world example | r/msp discussion |
| Framework | Link |
|---|---|
| NIST AI RMF | nist.gov/itl/ai-risk-management-framework |
| ISO 42001 | iso.org/standard/81230.html |
| CIS Controls | cisecurity.org/controls |
| OWASP Agentic AI Top 10 | genai.owasp.org |
| MITRE ATT&CK | attack.mitre.org |
| Atomic Red Team | atomicredteam.io |
| AI Incident Database | incidentdatabase.ai |