Security Fest 2026

Hacking Big Iron: When Modern Security Assumptions Fail on Mainframes
2026-05-28, Main Stage

Mainframes still underpin critical infrastructure such as banking, airlines, and government systems, yet most modern security teams approach them using assumptions formed around Unix, Windows, and enterprise platforms. These assumptions often fail on z/OS, creating blind spots that are difficult to detect and easy to underestimate.

This talk explains how mainframe security actually works and why familiar concepts such as "root," shells, ports, and lateral movement do not translate cleanly. Focusing on components like JES, JCL, RACF, CICS, and PR/SM, we explore where attackers and defenders truly operate today: transactions, security managers, and management boundaries.

From an offensive perspective, the talk reframes how attackers actually move inside mainframe environments: not through shells or services, but via job submission paths, inherited authority, transaction routing, and security manager behavior. The session highlights concrete failure modes red teams encounter when modern assumptions are applied to z/OS, and how those blind spots are exploited in real assessments.
Using real TN3270 terminal screens and practical examples, attendees will learn a repeatable methodology for assessing mainframe environments and identifying misconfigurations that appear harmless but can have severe impact.

The talk also demonstrates an AI-assisted assessment approach: a local LLM interprets TN3270 screens in real time, narrates walkthroughs, and tutors interactively, all running 100% offline with no cloud APIs or data exfiltration risk.
No prior mainframe experience is required.


IBM mainframes were designed long before modern operating systems, networks, and security models existed, yet they remain central to some of the world’s most critical environments. As a result, security teams often evaluate them using mental models that simply do not apply.

This talk demystifies how mainframe operating systems enforce trust and privilege, with a practical focus on security-relevant components such as JES, JCL, RACF, CICS, and TMAM. We examine why traditional approaches based on shells, services, and ports break down, and how real-world attackers instead navigate transactions, security definitions, and control boundaries.

Rather than concentrating on legacy exploits, the emphasis is on methodology: how to reason about exposure, privilege, and segmentation within mainframe operating systems designed for batch processing, transaction processing, and long-running workloads. Real TN3270 terminal screens, generated using a custom tool, are used throughout to ground the discussion in real-world systems.

The session concludes with a practical assessment workflow and a demo of an open-source tool designed to help testers and defenders understand TN3270 environments and interpret mainframe screens during security reviews.

Attendees will leave with a clear mental model and a concrete checklist they can apply when assessing or defending mainframe systems.

Adam Toscher is a New York–based security engineer and red team operator with over two decades of experience in offensive security, adversary simulation, and automation. Born in New York City and raised upstate, Adam built his career as an “IT vagabond,” beginning as a freshman IBM intern porting Linux applications to mainframe systems. Mainframe work grounded him in large-scale computing, operating systems, and complex enterprise environments, before transitioning into offensive security.

He later progressed through senior security roles at Adobe, Optiv, Accenture, IBM X-Force, and NYC Cyber Command, where he focused on realistic adversary emulation and advanced red-team operations.

Most recently, Adam has been working with Cobalt Labs, supporting advanced red-teaming and offensive security engagements for private-sector organizations. Prior to this, he led red-team and adversary simulation efforts in support of critical public infrastructure with NYC Cyber Command and the FDNY.

His work centers on penetration testing, red teaming, adversary emulation, and practical automation across both private-sector companies and government agencies. Outside of security, Adam values balance and lifelong learning, and is an avid reader, runner, swimmer, and gamer.