Sunday, June 14, 2026

A Security Analyst’s Field Notes: Three Conferences, Two Continents, One Threat Model

Three weeks. Three security conferences. Two continents. One paranoid threat model rebuilt from scratch between each leg. This is what working on the road actually looks like for a SOC analyst who refuses to trust a hotel network and refuses to skip the conferences either.

I started in Panaji, picked up a stamp in Singapore, and finished on the floor of the Las Vegas Convention Center. The trip ran from NullCon Goa in early March to DEF CON in early August in a previous travel cycle, compressed here into a single narrative for clarity. The threat surface at each venue was different. The kit that survived all three was the same.

Key Takeaways

  • Conference Wi-Fi is the worst-case threat surface in your year. Assume evil-twin, captive-portal hijack, and SSL-strip attempts are running constantly, because at NullCon and DEF CON they demonstrably are.
  • Cross-border data-residency exposure begins the moment you pull a log file from your home SOC over a foreign network. DPDP, GDPR, and CCPA each treat that transit differently.
  • The defence-in-depth stack that worked across three venues: hardened travel laptop, controlled mobile data route, hardware-key MFA, full-disk encryption with pre-boot PIN, no synced cloud session on the device.
  • A pre-flight checklist matters more than any single tool. Twenty minutes the day before you board is worth four hours of recovery on the conference floor.
  • The single largest practical mitigation is to never connect to the venue Wi-Fi at all. Route everything over your own cellular line, then over a VPN, then through your home jump host.


Leg 1 — NullCon Goa: The Friendly Venue That Isn’t

NullCon runs at the Taj Hotels & Convention Centre in Panaji, a venue I have worked from three times. The conference itself is excellent. The network around it is not. Conference Wi-Fi, hotel Wi-Fi, and the cafe Wi-Fi across the road are three overlapping SSIDs with three different captive portals and at least one rogue access point active during the run of the show. A friend of mine running passive recon last year logged seventeen distinct beacon frames advertising variants of the conference SSID inside the main hall over a six-hour window. Three of them were legitimate.

The working assumption I bring to NullCon is that any open SSID inside a two-kilometre radius of the venue is hostile until proven otherwise. The reverse assumption, that the conference network is fine because the organisers are reputable, is exactly the assumption attackers expect you to make.

My day-one routine on landing in Goa runs five steps. First, the laptop comes out of the bag in airplane mode and stays there until I have line-of-sight to my own cellular hotspot. Second, the hotspot itself runs off a local Indian carrier line. I keep an active line on Airtel and one on Vi specifically because coverage drops in the Anjuna and Vagator stretches favour one or the other depending on the season. Third, the corporate VPN comes up over that cellular line before the laptop touches anything else. Fourth, MFA is hardware-key only; the authenticator app on my phone is a backup, not a primary. Fifth, no cloud-synced session, neither Google nor Microsoft, is allowed to authenticate on the travel device for the duration of the trip.

The conference itself is the easy part. The harder part is the bar on the third night, when somebody you respect asks you to look at a packet capture on their laptop and you have to remember that their laptop is not your laptop.

Leg 2 — Black Hat Asia in Singapore: The Cross-Border Compliance Trap

Black Hat Asia runs at Marina Bay Sands. The Wi-Fi is operationally better than NullCon’s; the threat surface is differently shaped. The harder problem in Singapore is not the network, it is the law.

A SOC analyst pulling logs from a home tenant over a foreign network is moving personal data across a border, full stop. The DPDP Rules in India, the GDPR in the EU, the PDPA in Singapore, and the various state-level US frameworks each treat that transit differently. The 2026 DPDP Rules raised the bar on cross-border transfer documentation for Indian operators; a SOC analyst pulling Indian customer logs from Singapore-hotel Wi-Fi may well be the data fiduciary’s responsibility under the rule even if the analyst is acting in good faith.

The practical effect is that route matters as much as encryption. A VPN tunnel that exits in Singapore changes the data-residency footprint of every log line you touch. A VPN tunnel that exits in your home region, over a controlled cellular underlay, restores it. The same is true for any consultant pulling client data while abroad. The route is part of the compliance posture, not an afterthought to it.

I spent most of Black Hat Asia keeping a single rule in my head. If the connection home is not auditable, the work waits.

Leg 3 — DEF CON Las Vegas: Hostile by Design

DEF CON is the easiest of the three conferences to write about because the threat model is documented at the door. The Wall of Sheep, the Network Operations Centre’s published shame list, and the social tradition of finding novel ways to compromise unwary attendees are part of the conference’s identity. You arrive expecting hostility. The trick is to arrive having actually prepared for it.

I bring three pieces of hardware to DEF CON I do not bring anywhere else. A travel laptop that has nothing on it I do not want to lose. A burner phone that holds no SIM until I land. A hardware-key kit with two physical tokens in two physical pockets, because losing one in a casino is a real outcome.

The single most useful thing I do at DEF CON is also the most boring: I do not use the conference Wi-Fi for anything. Not for slides. Not for email. Not for the talks app. The phone tethers to a US carrier line, the laptop tethers to the phone, the VPN runs over the tether, and the whole stack stays in airplane mode unless I’m actively working.

The Cross-Border Threat Surface, Mapped

Three conferences, three legal regimes, three different attack profiles, but only one analyst, one device, and one set of credentials moving across them. The threat surface that matters is not the conference network in isolation. It is the cumulative drift of trust assumptions as you move across borders.

Three patterns recur across every venue I have worked from. First, captive portals on hotel and conference Wi-Fi are the single largest source of TLS-stripping opportunities, because users are conditioned to click through certificate warnings to reach the login page. Second, DNS resolution over hostile networks is a quiet exfiltration risk that almost nobody monitors on the road. Third, the gap between “my VPN is connected” and “every process on my laptop is actually using the VPN” is the gap most field compromises live in.
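The third pattern is the one you can check mechanically. The script below is an added example, not part of the original post: it reads the output of `ip -4 route`, `/etc/resolv.conf` and `ss -tunp` (constructed sample text here, with the tunnel interface, VPN endpoint and trusted resolver as assumed values) and reports every way traffic can still bypass the tunnel: a winning default route on the cellular interface, a split-tunnel route, a carrier-pushed resolver, or a process with a socket bound to the underlay address.

```python
import re

# Constructed sample output (not captured from a real laptop): `ip -4 route`,
# /etc/resolv.conf and `ss -tunp`. wwan0 is the cellular underlay, tun0 the VPN,
# 203.0.113.10 the assumed VPN endpoint, 10.0.0.53 the resolver the VPN pushes.
ROUTES = """\
default via 192.0.2.1 dev wwan0 proto dhcp metric 100
default dev tun0 scope link metric 200
10.0.0.0/8 dev tun0 scope link
192.0.2.0/24 dev wwan0 proto kernel scope link src 192.0.2.45
203.0.113.10 via 192.0.2.1 dev wwan0
198.51.100.0/24 via 192.0.2.1 dev wwan0
"""
RESOLV = "nameserver 10.0.0.53\nnameserver 192.0.2.1\n"
SOCKETS = """\
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp ESTAB 0 0 192.0.2.45:51820 203.0.113.10:51820 users:(("wg-quick",pid=812,fd=5))
tcp ESTAB 0 0 10.8.0.2:49152 10.0.0.5:22 users:(("ssh",pid=901,fd=3))
tcp ESTAB 0 0 192.0.2.45:50114 198.51.100.7:443 users:(("slack",pid=1201,fd=22))
"""

def leak_findings(routes, resolv, sockets, vpn_if="tun0", endpoint="203.0.113.10",
                  trusted_dns=("10.0.0.53",)):
    """Return a list of leak findings; an empty list means everything is pinned to the VPN."""
    findings, defaults = [], []
    for line in routes.splitlines():
        f = line.split()
        if not f:
            continue
        dev = f[f.index("dev") + 1] if "dev" in f else "?"
        metric = int(f[f.index("metric") + 1]) if "metric" in f else 0  # absent = 0
        if f[0] == "default":
            defaults.append((metric, dev))
        elif dev != vpn_if and "kernel" not in f and f[0] != endpoint:
            # Anything on the underlay other than the link subnet or the endpoint host route
            findings.append(f"split-tunnel route {f[0]} bypasses {vpn_if} via {dev}")
    if defaults and min(defaults)[1] != vpn_if:  # lowest metric wins
        findings.append(f"winning default route uses {min(defaults)[1]}, not {vpn_if}")
    for ns in re.findall(r"^nameserver\s+(\S+)", resolv, re.M):
        if ns not in trusted_dns:  # carrier DHCP resolver: every lookup leaves the tunnel
            findings.append(f"DNS resolver {ns} is outside the VPN")
    # Addresses the laptop holds on the underlay; only the tunnel itself may use them
    phys = {l.split()[l.split().index("src") + 1] for l in routes.splitlines() if "src" in l.split()}
    for line in sockets.splitlines()[1:]:
        f = line.split()
        local_ip, peer_ip = f[4].rsplit(":", 1)[0], f[5].rsplit(":", 1)[0]
        proc = re.search(r'\("([^"]+)"', f[6]).group(1) if len(f) > 6 else "?"
        if local_ip in phys and peer_ip != endpoint:
            findings.append(f"process {proc} talks to {peer_ip} outside the tunnel")
    return findings

if __name__ == "__main__":
    for item in leak_findings(ROUTES, RESOLV, SOCKETS) or ["no leaks detected"]:
        print(item)
```

Run it right after the VPN comes up and again after any captive-portal or carrier reconnect, since both can replace the default route and resolvers underneath a tunnel that still reports "connected".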

Staying online across the route

A working travel kit needs three layers. Corporate VPN on top, a controlled cellular underlay beneath it, and a documented fallback for when one of those fails in a venue where you cannot afford a quiet hour to debug. The fallback is what most travelling analysts under-invest in. It is also what saves the week.

Local-carrier coverage on the multi-country leg

The cellular leg is the one most field analysts get wrong by treating roaming as the default. International roaming on a single home carrier is expensive, throttled past a soft cap, and routed through paths your security team has no visibility into. The cleaner pattern is a local carrier line at each destination, validated against the corporate VPN before you land. For the Goa → Singapore → Las Vegas route I described above, that means Airtel or Vi in India, Singtel or StarHub in Singapore, and T-Mobile US or Verizon in the United States. Before I boarded the Singapore leg, I had a travel eSIM with coverage on Singtel pre-loaded on HelloRoam’s enterprise travel plan, and it held up cleanly across the Marina Bay convention floor where my home-carrier roaming kept dropping the VPN handshake. The point is not the provider. It is that the secondary line is local, documented, and verified before the trip, not improvised in a hotel lobby.

| Route leg | Local carrier | Signal quality at venue | Notes |
|---|---|---|---|
| Panaji, India | Airtel | Strong indoor at Taj | Vi as backup for Anjuna stretch |
| Marina Bay, Singapore | Singtel | Strong throughout MBS | StarHub viable; M1 patchy in basement levels |
| Las Vegas, USA | T-Mobile US | Strong at LVCC and Strip | Verizon stronger in older casino interiors |

What this looks like in practice

The working stack on each leg is identical. Local cellular line up first, corporate VPN over it, hardware-key MFA, no cloud-synced session on the travel device. The venue Wi-Fi never gets touched. The cellular line is the underlay, not the backup. Treating it that way changes every threat-model calculation downstream.

A Pre-Flight Checklist That Earns Its Keep

The day before each flight, twenty minutes. Full-disk encryption verified with pre-boot PIN. Travel laptop wiped of every credential not needed for the trip. Hardware keys tested against each service. Corporate VPN handshake tested over the cellular line you will actually be using at the destination, not the one you have at home. MFA recovery codes printed and stored separately from the laptop. Burner phone provisioned with the local carrier line, tested, and powered down for transit.

It is not glamorous work. It is the work that turns a hostile network into a survivable one.

FAQ

Is hotel Wi-Fi safe for a SOC analyst pulling client logs? No. Hotel Wi-Fi is a shared broadcast medium with a captive portal that most users authenticate against without certificate scrutiny. Pulling client logs over that path exposes both the credentials in transit and the residency posture of the data you are moving. Route over a controlled cellular line and a corporate VPN instead.

What is the single most common attack at security conferences? Captive-portal hijack on a rogue access point advertising the conference SSID. The attacker presents a plausible portal page, harvests credentials or pushes a malicious certificate, and lets the user pass through. NullCon and DEF CON both see live demonstrations of this attack on attendees every year.

Does the DPDP Rules framework apply to a SOC analyst working from abroad? If the analyst is acting on behalf of an Indian data fiduciary and the personal data being processed is regulated under the DPDP Act, then yes. The cross-border transfer rules apply to the transit path as well as the storage destination. The route the analyst uses affects the fiduciary’s compliance posture.

Should I bring my primary laptop to DEF CON? No. Bring a travel laptop with nothing on it you cannot lose, full-disk encryption, pre-boot PIN, and no cloud-synced sessions. Treat the device as recoverable, not irreplaceable.

Is VPN-over-cellular always faster than venue Wi-Fi? Not always. It is more often more secure, more predictable, and easier to attribute when something goes wrong. Speed is a secondary consideration; route control is the primary one.

Soma Chatterjee
I am a SEO Content Writer with proven experience in crafting engaging, SEO-optimized content tailored to diverse audiences. Over the years, I’ve worked with School Dekho, various startup pages, and multiple USA-based clients, helping brands grow their online visibility through well-researched and impactful writing.