#12 Horoscope Kaleidoscope
We are back with our first event for 2026 🎊
⚠️ This is likely the last event published to the Meetup platform, as OWASP is moving away from it. For more, please follow us on LinkedIn (if you haven't already) ⚠️
It's a very auspicious moment because this will be our twelfth event, a number that you see so frequently that you don't even notice it. Eggs, churros, beers... the list goes on 🍺
Our venue is way up there and the sun sets early, so we'll be able to see the stars both outside and inside the venue 🌟
This OWASP Lisboa chapter meetup will be held on February 5th, 2026, at 18:00, and is supported by Devoteam Cyber Trust and AP2SI.
🧭 The meetup will be at Devoteam's office in Torre Fernão de Magalhães. The entrance is between The Fifties Diner and Dote. Go up the stairs to the reception, sign in and proceed to the 9th floor.
Our tentative schedule:
18:25 - Quick intro by the OWASP Lisboa chapter leadership team
18:35 - "Hacking the Portuguese government for fun and no profit" by Mário Lima
19:25 - "Hack Your Agents Before They Hack You: Automated Prompt Injection to Find AI Weaknesses" by Rafael Bosse Brinhosa
20:00 - Dinner & Drinks by Devoteam Cyber Trust
--------------------------
Talks:
--------------------------
Title: Hacking the Portuguese government for fun and no profit
Speaker: Mário Lima
Abstract:
Responsible disclosure is now more important than ever. In this presentation, I'll take you on a five-year journey through my experiences with responsible disclosure in Portugal's public sector. I'll share how I gained access to sensitive government portals like portugal.gov.pt, uncovered massive credential leaks, and successfully navigated the process of responsibly disclosing these vulnerabilities.
I'll also guide you on the tricky path of coordinated responsible disclosure in an attempt to demystify the process!
Bio:
I'm a Red Team engineer at Five9 with eight years of offensive security experience. While my primary focus is infrastructure hacking and occasional malware development, I also enjoy conducting security research and responsibly disclosing unusual findings - particularly those affecting government entities.
👉🏻 https://www.linkedin.com/in/mario-lima-42722317b/
👉🏻 https://one.0day.works
--------------------------
Title: Hack Your Agents Before They Hack You: Automated Prompt Injection to Find AI Weaknesses
Speaker: Rafael Bosse Brinhosa
Abstract:
Modern AI agents are powerful—but also dangerously opaque. In this talk, I show how I systematically pentested multiple agent architectures and built an automated pipeline to uncover real-world security weaknesses before attackers do.
Using a curated and evolving list of offensive prompt payloads, I demonstrate techniques for triggering prompt leaking, MCP tool leaking, user data leaking, and other cross-agent weaknesses that appear when models interact with memory, tools, and external APIs.
I also present payloads designed to test whether AI agents could be coerced into SSRF-like behaviors through web search or “fetch web” capabilities—focusing on detection and prevention.
By the end, you’ll see how automated prompt injection can be used as a responsible and repeatable methodology to pentest AI agents—and why every organization needs to test their own agents before someone else does.
Bio:
Rafael Brinhosa is a seasoned Information Security Architect with over 20 years of experience in security architecture, application security, and pentesting. He specializes in designing bespoke security programs, assessments, and frameworks aligned with risk management and governance practices, aiming to strengthen organizational resilience. His expertise includes both manual and automated security testing, pentesting, DevSecOps, SCA, SAST, and DAST.
Over his career, Rafael has collaborated with leading organizations across sectors: Dell (technology), US Bank (financial services), EDS/HP (IT), Avaya (telecom), and Volkswagen Digital Solutions. He currently serves as Principal Security Architect at Reltio in Lisbon, where he applies his deep technical knowledge to fortify cybersecurity in the data management industry.
Rafael has delivered talks and workshops at leading international and national events.
On GitHub, Rafael leads several open-source projects like Awesome AI Security, APIDetector, a Nuclei templates library, and a curated pentesting toolset for Google Colab. In his spare time, he’s also a bug bounty hunter, having responsibly disclosed multiple vulnerabilities.
👉🏻 https://www.linkedin.com/in/brinhosa/
