After a whirlwind week at Infosecurity Europe 2025, I had the chance to reconnect with Ken Munro from Pen Test Partners — a longtime friend, hacker, and educator who brings cybersecurity to life in the most tangible ways. From car hacking escape rooms to flight simulators in pubs, we talked about why touching tech matters, how myth-busting makes us safer, and how learning through play might just be the key to securing our increasingly complex world. Tune in, and maybe bring a cocktail.
Title: "Catching Up With Ken Munro After Infosecurity Europe 2025 — Hacking the Planet, One Car, One Plane, and One System at a Time"
A Post–Infosecurity Europe 2025 Conversation with Ken Munro
Guests
Ken Munro
Security writer & speaker
https://www.linkedin.com/in/ken-munro-17899b1/
Hosts
Sean Martin, Co-Founder at ITSPmagazine
Website: https://www.seanmartin.com
Marco Ciappelli, Co-Founder, CMO, and Creative Director at ITSPmagazine
Website: https://www.marcociappelli.com
___________
Episode Sponsors
ThreatLocker: https://itspm.ag/threatlocker-r974
___________
After a whirlwind week at Infosecurity Europe 2025, I had the chance to reconnect with Ken Munro from Pen Test Partners — a longtime friend, hacker, and educator who brings cybersecurity to life in the most tangible ways. From car hacking escape rooms to flight simulators in pubs, we talked about why touching tech matters, how myth-busting makes us safer, and how learning through play might just be the key to securing our increasingly complex world. Tune in, and maybe bring a cocktail.
⸻
There’s something special about catching up with someone who’s not just an expert in cybersecurity, but also someone who reminds you why this industry can — and should — be fun. Ken Munro and I go back to the early days of DEFCON’s Aviation Village, and this post-Infosecurity Europe 2025 chat brought all that hacker spirit right back to the surface.
Ken and his crew from Pen Test Partners set up shop next to the main Infosecurity Europe venue in a traditional London pub — but this wasn’t your average afterparty. They transformed it into a hands-on hacking village, complete with a car demo, flight simulator, ICS cocktail CTF, and of course… a bar. The goal? Show that cybersecurity isn’t just theory — it’s something you can touch. Something that moves. Something that can break — and be fixed — before it breaks us.
We talked about the infamous “Otto the Autopilot” from Airplane, the Renault Clio-turned-Mario Kart console, and why knowing how TCAS (collision avoidance) works on an Airbus matters just as much as knowing your Wi-Fi password. We also dug into the real-world cybersecurity concerns of industrial systems, electronic flight bags, and why European regulation might be outpacing the U.S. in some areas — for better or worse.
One of the biggest takeaways? It’s time to stop fearing the hacker mindset and start embracing it. Curiosity isn’t a threat — it’s a superpower. And when channeled correctly, it leads to safer skies, smarter cars, and fewer surprises in the water we drink or the power we use.
There’s a lot to reflect on from our conversation, but above all: education, community, and creativity are still the most powerful tools we have in security — and Ken is out there proving that, one demo and one pint at a time.
Thanks again, Ken. See you at the next village — whichever pub, hangar, or DEFCON corner it ends up in.
⸻
Keywords: cybersecurity, ethical hacking, pen testing, Infosecurity Europe, embedded systems, car hacking, flight simulator, ICS security, industrial control systems, aviation cybersecurity, hacker mindset, DEFCON
___________
Resources
Learn more and catch more stories from Infosecurity Europe 2025 London coverage: https://www.itspmagazine.com/infosec25
Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverage
Want to tell your Brand Story Briefing as part of our event coverage? Learn More 👉 https://itspm.ag/evtcovbrf
Want Sean and Marco to be part of your event or conference? Let Us Know 👉 https://www.itspmagazine.com/contact-us
___________
Marco Ciappelli:
Look at that technology, Ken — I was pushing a button, a virtual one, and nothing was happening. You know, I miss the old play button from the Walkman and all that kind of stuff. That’s why I talk about it all the time.
Anyway, the red light is on — we’re recording. This is a post–Infosecurity Europe 2025 conversation.
I’m still in Europe — that one was in London — and we’re connecting with the UK again, with a good friend: Ken Munro. Welcome.
Ken Munro:
Hey, thanks so much for the invite.
Marco Ciappelli:
Ah, always good to see you. Unfortunately, we didn’t get to hang out much when we were in London because you were busy. I think we walked in on the last day — the DJ was going, people were having a good time, we got a beer (Sean and I, so that’s always a plus), and we got to see you for a couple of minutes. But I felt like it wasn’t enough, and I really wanted to catch up with you and hear what’s been going on there with RANT and all the villages.
When I think about you, I think about DEFCON — that’s where we met years ago. So give us a little intro for those who don’t know who you are and what you do. Then we’ll dive into what happened in London two weeks ago.
Ken Munro:
So my name’s Ken Munro and I work for a firm called Pen Test Partners.
The clue’s in the name — we’re pen testers. But we’re particularly into embedded systems as well as broader red teaming. Our real joy is looking at things you can touch — and hack.
Marco Ciappelli:
There you go. That sounds fun. And you’re not just talking about little things — you’re talking about cars, airplanes, and boats. I’m wondering — where is the inflatable captain that you usually have with you?
(Inside joke, I guess — for those who can’t see — but it’s real. The movie Airplane.)
Ken Munro:
You know what? I hosted an event on a retired airplane — an old 747 — a few years ago. The owner had the famous autopilot from Airplane — Otto — remanufactured. They had a spare, and I bought it the moment I saw it. We take Otto everywhere we go.
It blows my mind how much people love Otto. Everyone wants a photo with him.
Marco Ciappelli:
A selfie, right?
Ken Munro:
Yeah! And the bit that made me chuckle — it was custom manufactured, and the guy who made it put the inflation valve in the crotch… just like in the movie.
So, yes, there are lots of funny photos of me trying to inflate the autopilot.
Marco Ciappelli:
I’ve seen those! A lot of fun.
But it’s not all fun and games — although, what I like about what you guys do (and I want to go back to when we met at DEFCON years ago — I believe it was at the Aerospace Village, or maybe before it was even called that)…
Ken Munro:
Yeah, it was the Aviation Village back then. Oh my gosh — was that 2019? Maybe 2018? We helped get it started.
It was a really cool team of pilots, cybersecurity consultants, and others with aviation expertise. The idea was to connect researchers with industry and to dispel some of the myths around airplane hacking.
Marco Ciappelli:
I still remember that moment — probably 2019 — when a group of government folks came through the village, getting an explanation of what was going on. I feel like that was a pivotal moment for the industry. CISA started getting more involved, and things shifted.
We’ll come back to that — but first, tell me about what you guys did in London. It felt like a mini DEFCON to me.
Ken Munro:
That’s what I love about DEFCON — the sense of community, of collaboration, of providing a platform for research and learning.
That’s what we tried to replicate with the Fox Pub venue next to Infosecurity Europe this year. We brought that DEFCON energy — with education, hands-on experience, collaboration.
We set up multiple little villages with things to see and do — mini CTFs.
We had a car demo to teach people how CAN works, and show how to analyze it and do something fun with it. It makes security real. It makes it something you can touch.
Marco Ciappelli:
Exactly. It’s not theoretical anymore. It’s something you see, touch — which is the key to educating people, even with things like using 2FA or understanding that a car is just a bunch of computers on wheels.
Ken Munro:
Yes, and there’s a barrier. Someone might understand networks, firewalls, traffic… but then they get into a car or ICS and it’s a whole new set of protocols.
We want to bridge that gap.
Marco Ciappelli:
So walk me through what the setup was like. You had the car, maritime stuff, a flight simulator, and industrial control systems — right?
Ken Munro:
Yeah. We had about 4,000 square feet of space — in a pub, of course. We cleared the furniture but left the bar!
We invited folks to come over after the main show — something a bit more hands-on, more educational.
Front and center was our demo car. We showed how easy it is to get onto the CAN network and analyze that data. One of my team would walk people through it with CAN tools — then you’d do something fun.
Last year, we locked people in the car and made them intercept and replay the unlock message — an escape room vibe.
This year, we did something different: we intercepted messages for steering angle, throttle, and brake — and fed that into Mario Kart. So by understanding CAN data, you could play Mario Kart using a 15-year-old Renault Clio.
Marco Ciappelli:
That’s amazing. Most Americans won’t even know what a Renault Clio is — it’s a tiny, utilitarian car.
So the crowd — we’re not talking about the general public, right? These are folks in the industry?
Ken Munro:
Right. Developers, engineers, CISOs, CTOs.
We also invited industry groups — like the automotive ISAC — and some OEMs came by.
It’s about showing how easy it is to get started in vehicle security — and how we can all help improve it.
Marco Ciappelli:
Now tell me about the bigger stuff — aviation and control systems.
Ken Munro:
Sure. From DEFCON, you’ll know we have a full Airbus A320 cockpit simulator.
We use it to help cyber professionals understand aviation-specific protocols and challenges.
This year we demonstrated how collision avoidance systems (TCAS) work — especially after misinformation around an incident at Reagan National involving an airplane and a helicopter.
We wanted to dispel myths and also let people learn from qualified pilots about how those systems actually work.
Marco Ciappelli:
That’s so important — and I know Rob Black from RANT was involved too.
He brought great people to the table. We talked a lot about simulation and gamification as a way to train new cybersecurity talent — and bridge that infamous skills gap. It’s not just about coding. It’s about applying diverse skills, and learning through doing.
Ken Munro:
Exactly. In industries like aviation — where safety is critical — safety sometimes unintentionally gets in the way of cyber.
A good example: those tablets pilots use — electronic flight bags.
We might say, “Use Face ID” for security. But if a pilot’s wearing mirrored sunglasses, Face ID doesn’t work.
So bringing safety folks and cyber folks together in spaces like this helps build mutual understanding.
Marco Ciappelli:
Right — I had the same issue with my Top Gun shades!
Let’s switch to what may sound more complex to the general public: infrastructure — water, electric grids, city systems. It doesn’t get headlines like a plane crash, but it’s just as serious.
How do you make that accessible?
Ken Munro:
These systems often run on really old protocols and fragile hardware. Security testers have to be careful.
That creates barriers — and limited knowledge.
So we created a mini CTF with industrial controllers — people could explore safely, learn protocols, reprogram, and even hack them.
The fun part? The controllers drove pumps that made cocktails.
If you hacked them wrong, your cocktail was too strong or too weak. But again — it was about breaking down barriers in a fun way.
Marco Ciappelli:
That’s brilliant. You could’ve wired it to a beer tap too — but that might get messy!
Let’s zoom out. You and I were reminiscing about DEFCON 2018/2019. Since then — government, private sector, public — are we more secure? Less secure? What’s your sense?
Ken Munro:
I think collaboration and mutual understanding can only help.
Back then, Boeing was dealing with a tough situation, and CISA stepped in. Since then, Boeing has become a leading example of collaboration in cybersecurity. That’s a win — especially for the traveling public.
Marco Ciappelli:
Do you see improvement across regions? The EU seems more proactive with regulation — what’s your take?
Ken Munro:
I tend to lean free-market, but cyber is tricky. Consumers can’t easily assess security at purchase.
You don’t know if your smart device is secure — or if an airline does cyber better than another.
That’s where regulation can help.
The EU might be ahead in some areas — for instance, how they regulate those pilot tablets.
In the US, oversight is lighter. That allows for more innovation, but also creates risk.
One example: those flight bags calculate how much engine power to use for takeoff — based on data like weight, runway length, weather.
Using less than full power saves wear and fuel — but it has to be precise.
We’ve found and disclosed vulnerabilities in those calculators that could make the runway look longer than it is.
Manufacturers fixed them — but it shows how vital cyber is even in places people don’t think about.
Marco Ciappelli:
That’s such a great insight.
People wonder why planes don’t just “go faster” if they’re delayed — but now we know it’s not that simple.
Everything’s calculated — and that tablet contains a lot more than just maps.
Cybersecurity matters there, too.
And the lesson is: the work you do — surfacing these issues before they become disasters — that’s where the value is.
Better to fix it before we’re hitting our heads on the wall.
Ken Munro:
Exactly. My team and I are naturally curious — we want to understand how things work… and how they don’t work.
If we find issues that get fixed? Great. Everyone’s safer.
Marco Ciappelli:
That’s the hacker mindset I love. Not cybercriminals — real hackers.
The ones who question things. We need more of that — in tech and in life.
That’s a conversation for another podcast.
Ken, this was fantastic. I really enjoyed it.
I hope the audience got value from it too.
You said you won’t be in Las Vegas this year — we’ll be there for Black Hat and DEFCON.
There will be other opportunities, and you’re always welcome on the show — with me, Sean, or both.
Ken Munro:
Great speaking with you, Marco.
Marco Ciappelli:
Appreciate it.
To everyone listening: stay tuned. This is probably one of the last beats from Infosecurity Europe 2025 — and now we pivot to Vegas.
It’s not London — I don’t go to Vegas for fun (despite how it sounds), but I’ll be there for Black Hat, DEFCON, and everything else happening.
Subscribe, stay tuned — and Ken, again, thank you so much. It was awesome.
Ken Munro:
Thanks so much.