
For one week in March 2026, I had the privilege of attending the Global Cybersecurity Camp (GCC) 2026, held in Ho Chi Minh City, Vietnam. GCC is an annual, week-long international cybersecurity camp that brings together approximately 50 of the top young security talents from countries such as Japan, Singapore, Taiwan, Thailand, Vietnam, Malaysia, Indonesia, India, and Romania. The camp offers hands-on training led by industry professionals and researchers from around the world.
The application process for GCC is highly competitive, involving a rigorous screening that evaluates both technical background and community involvement, followed by an interview with a panel from SherpaSec.
I am honored and grateful to have been selected as one of four students representing Malaysia, alongside Chai Cheng Xun, Ruhan, and Han Ming. I would also like to express my appreciation to SherpaSec for their sponsorship, as well as Ryan and Chang Shiau Heui for their support in managing logistics.
Throughout the week, we participated in technical lectures, hands-on workshops, and group projects. We also had the opportunity to connect with talented and like-minded participants from different countries, exchanging cultures and learning from one another. This made the camp not only immersive, but also a meaningful journey of growth and connection.
Day 1
Our flight from Kuala Lumpur to Ho Chi Minh City departed at 9AM and touched down around 10:30AM. Upon arriving, we were greeted by a staff member of VNSEC named Nho, who brought us to a restaurant for a Vietnamese lunch. We had Vietnamese rice dishes, commonly referred to as Cơm Tấm (broken rice). Thanks for the treat, Nho.
After lunch, we proceeded back to the hotel to check in, where I met my Japanese roommate, Masamune Shinya.
Day 2
The first day of the camp kicked off with an ethics training session conducted by Thanh Nguyen and Thinh Hoang from the VNSEC foundation. The session covered the ethical responsibilities that come with offensive security skills, particularly when handling critical vulnerabilities under real-world pressure, and how governance and laws play a part in offensive security, illustrated with case studies and firsthand disclosure experience.
The next session introduced the group assignment, sponsored by Quokka, which had to be completed over the course of the week. The assignment was designed to foster cross-border collaboration and was split into two core tasks. First, we conducted a deep-dive analysis of mobile apps to identify security vulnerabilities. Second, we developed an automated tool to detect potentially malicious applications. We were evaluated on detection effectiveness, automation reliability, and the quality of our final presentation. To support our research, we were granted access to the Quokka Q-MAST platform, which provided the necessary APIs for our technical implementation.
After lunch, Mars Cheng from TXOne Networks led a comprehensive workshop on IoT and Industrial Control System (ICS) Security. We learned that ICS environments, such as power plants and smart factories, have unique attack surfaces compared to traditional IT. A major takeaway was the firmware analysis lifecycle, where we practiced extracting filesystems using Binwalk and performing static analysis to find hardcoded credentials or insecure services. Next, Mars discussed the Purdue Model of ICS architecture and how air-gapped systems are increasingly being bridged by insecure IoT “ecosystem” interfaces, creating new risks for critical infrastructure. The hands-on labs challenged us to simulate real-world tactics used in industrial attacks, bridging the gap between theoretical threats and physical-world consequences.
Day 3
In the morning, the first session was Practical Binary Hardening with Control-flow Enforcement (CET), conducted by Michael and Kento Oki. Intel introduced CET as a hardware-based mitigation designed to kill off exploit chains such as ROP and JOP. During the session, we learned how the shadow stack provides a hardware-guarded copy of return addresses to prevent backward-edge hijacking, while Indirect Branch Tracking (IBT) ensures that forward-edge jumps land only on a valid ENDBR instruction. A fascinating learning point was the compatibility struggle: CET breaks software like VMProtect, which uses push/ret sequences that deviate from standard call conventions.
After lunch, the session continued with Hypervisors for Hackers by Satoshi Tanda. A central learning objective was exploring how hypervisors can mitigate kernel-level vulnerabilities, demonstrated through the exploitation and subsequent prevention of the capcom.sys driver exploit by enforcing protections like CR4.SMEP (Supervisor Mode Execution Prevention) to block the execution of user-mode memory from the kernel. Using Intel VT-x and Rust, we built a lightweight hypervisor capable of running Windows 11. We explored how a hypervisor can enforce SMEP at the hardware level, preventing the kernel from being tricked into executing malicious code in user-mode memory. This session was a masterclass in “security from the hardware up,” showing how hypervisors can serve as a snapshot engine for fuzzing or as a final barrier against powerful kernel exploits.
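To make the backward-edge/forward-edge distinction concrete, here is a small model of a CET-enabled thread I wrote for this post (it is not workshop material and not real hardware): CALL writes the return address to both stacks, a plain PUSH only touches the data stack, and RET faults on any mismatch, which is exactly why a VMProtect-style push/ret sequence trips the shadow stack. The ENDBR site addresses are constructed.

```c
#include <stdint.h>
#include <stdbool.h>

#define DEPTH 32
enum { CET_OK = 0, CET_CP_FAULT = 1 };   /* #CP: control-protection fault */

/* Toy model of one CET-enabled thread: the data stack is ordinary memory the
   program can overwrite; the shadow stack is only ever written by CALL. */
typedef struct {
    uint64_t data[DEPTH];    /* program-writable return addresses */
    uint64_t shadow[DEPTH];  /* hardware-guarded copies */
    int dsp, ssp;
} cet_cpu_t;

/* CALL: the return address is pushed on both stacks. */
void cet_call(cet_cpu_t *c, uint64_t ret_addr) {
    c->data[c->dsp++] = ret_addr;
    c->shadow[c->ssp++] = ret_addr;
}

/* PUSH: a plain data-stack push; the shadow stack is untouched. This is what
   a VMProtect-style "push target; ret" sequence does instead of CALL. */
void cet_push(cet_cpu_t *c, uint64_t value) { c->data[c->dsp++] = value; }

/* Models a stack-smashing write (ROP) that replaces the saved return address. */
void cet_overwrite_top(cet_cpu_t *c, uint64_t gadget) { c->data[c->dsp - 1] = gadget; }

/* RET with shadow stack: pop both copies and fault on any mismatch or
   underflow (backward-edge protection). */
int cet_ret(cet_cpu_t *c, uint64_t *target) {
    if (c->dsp == 0 || c->ssp == 0) return CET_CP_FAULT;
    uint64_t d = c->data[--c->dsp], s = c->shadow[--c->ssp];
    if (d != s) return CET_CP_FAULT;
    *target = d;
    return CET_OK;
}

/* IBT: an indirect call/jmp may only land on an address whose first
   instruction is ENDBR64 (forward-edge protection). The site list below is a
   constructed stand-in for the compiler-emitted ENDBR64 markers. */
static const uint64_t ENDBR_SITES[] = { 0x401000, 0x401200 };
bool cet_is_endbr(uint64_t addr) {
    for (unsigned i = 0; i < sizeof ENDBR_SITES / sizeof *ENDBR_SITES; i++)
        if (ENDBR_SITES[i] == addr) return true;
    return false;
}
int cet_indirect_branch(uint64_t target) { return cet_is_endbr(target) ? CET_OK : CET_CP_FAULT; }
```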
Day 4
Shenghao Ma led an intensive full-day workshop titled “Super Hat’s Kernel Trick,” focusing on how to “social engineer” the layers of AV/EDR protection. We learned that while modern EDRs use Kernel Callbacks — such as PsSetCreateProcessNotifyRoutineEx and Minifilter IRP filters — to monitor system activity, they often rely on trust assumptions that can be manipulated at the kernel data structure level. We dove deep into Direct Kernel Object Manipulation (DKOM), practicing how to locate the _EPROCESS structure in memory using WinDbg without triggering alerts, understanding how every running process is represented by this structure in the kernel.
The most significant knowledge gain was mastering Token Stealing techniques. Every process carries a TOKEN object containing privilege bitmasks, group SIDs, and lineage information. By walking the kernel process list to find the System process (PID 4) and overwriting our own process’s token pointer with System’s token address inside _EPROCESS, we achieved Local Privilege Escalation (LPE). We also explored token forgery via the WinTCB privilege — which allows crafting fake tokens with arbitrary Service SIDs — a technique used to impersonate trusted identities like WinDefend and interact with protected services.
We also dissected the “three walls” of EDR self-protection: real-time scanning via kernel callbacks, anti-tampering through locked DACLs and service watchdogs, and Protected Process Light (PPL), whose entire protection level is encoded in a single byte (_EPROCESS.Protection). Using an arbitrary kernel write primitive obtained through a vulnerable driver (BYOVD), we learned how to null out ObRegisterCallbacks entries, silently blinding the AV/EDR to handle operations, and how to zero out the PPL protection byte to enable credential dumping from LSASS. It was an eye-opening look at how understanding Windows internals allows an attacker to dismantle multi-layered defenses by abusing the very mechanisms the OS uses to manage process identity and security, without ever “hacking” anything in the traditional sense.
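Since the whole PPL level lives in that one byte, a defender reading _EPROCESS.Protection from a memory image can decode it and spot the zeroing described above. The decoder below is my own addition (not from the workshop): it splits the byte into its Type, Audit and Signer fields and compares a process against a small constructed baseline of expected levels; a real detector would take its baseline from a known-good boot of the same host.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Layout of the Windows _PS_PROTECTION byte stored at _EPROCESS.Protection:
   bits 0-2 Type, bit 3 Audit, bits 4-7 Signer. */
enum { PS_TYPE_NONE = 0, PS_TYPE_PROTECTED_LIGHT = 1, PS_TYPE_PROTECTED = 2 };
enum { PS_SIGNER_NONE = 0, PS_SIGNER_AUTHENTICODE = 1, PS_SIGNER_CODEGEN = 2,
       PS_SIGNER_ANTIMALWARE = 3, PS_SIGNER_LSA = 4, PS_SIGNER_WINDOWS = 5,
       PS_SIGNER_WINTCB = 6, PS_SIGNER_WINSYSTEM = 7, PS_SIGNER_APP = 8 };

typedef struct { uint8_t type, audit, signer; } ps_protection_t;

ps_protection_t ps_decode(uint8_t level) {
    ps_protection_t p = { level & 0x7, (level >> 3) & 0x1, (level >> 4) & 0xF };
    return p;
}

const char *ps_signer_name(uint8_t signer) {
    static const char *names[] = { "None", "Authenticode", "CodeGen", "Antimalware",
                                   "Lsa", "Windows", "WinTcb", "WinSystem", "App" };
    return signer < sizeof names / sizeof *names ? names[signer] : "Unknown";
}

/* Constructed baseline of what a healthy host should show for a few
   processes that are expected to run as PPL. */
typedef struct { const char *image; uint8_t expected_level; } ps_baseline_t;
static const ps_baseline_t BASELINE[] = {
    { "lsass.exe",   0x41 },  /* PPL, signer Lsa (RunAsPPL enabled) */
    { "MsMpEng.exe", 0x31 },  /* PPL, signer Antimalware */
    { "csrss.exe",   0x61 },  /* PPL, signer WinTcb */
};

/* Returns true when a process that should be protected shows a weaker type or
   a different signer than its baseline: a zeroed or downgraded byte is the
   DKOM tampering signal. Processes not in the baseline are not judged. */
bool ps_is_tampered(const char *image, uint8_t observed_level) {
    for (unsigned i = 0; i < sizeof BASELINE / sizeof *BASELINE; i++) {
        if (strcmp(BASELINE[i].image, image) != 0) continue;
        ps_protection_t want = ps_decode(BASELINE[i].expected_level);
        ps_protection_t have = ps_decode(observed_level);
        return have.type < want.type || have.signer != want.signer;
    }
    return false;
}
```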
Day 5
The first session focused on Entra ID Attack Chains with Jimmy Su and John Jiang. We explored the “Entra Joined” device architecture, learning that approximately 90% of Fortune 500 companies now rely on this cloud-native identity system. The core of our learning was the Primary Refresh Token (PRT), which acts as the “Golden Ticket” for cloud SSO. We practiced extracting PRTs and session keys from LSASS memory on non-TPM machines and learned how to use roadtx to replay these tokens in an attacker’s browser, effectively bypassing MFA. We also simulated lateral movement using “Pass-the-Cert” and established persistence by injecting backdoors into Service Principals.
In the afternoon, Kar Wei Loh introduced Agentic AI for Offensive Security. This was a forward-looking session on transforming LLMs from chatbots into autonomous pentesting agents. We utilized the Model Context Protocol (MCP) to securely connect AI agents to external tools, allowing them to autonomously run Nmap scans and parse CVE data. We learned to build “agentic workflows” where the AI reflects on its findings and iteratively fixes exploit scripts—such as resolving syntax errors or version mismatches—before execution. This session highlighted that the future of pentesting lies in programmatic, autonomous loops that can scale offensive operations far beyond manual capabilities.