Daniel Roethlisberger
About
Daniel is a seasoned security practitioner who has spent most of his career defending national critical infrastructure in Switzerland. He currently leads Swisscom's internal Cyber Threat Intelligence, Detection Engineering, Threat Hunting, Red Teaming and Security Engineering functions.
Daniel also has a security and systems software engineering background, having worked on XNU and the Endpoint Security API at Apple, as well as on various open source projects, including FreeBSD, strongSwan, ZMap and Nmap.
On the side, Daniel is a Research Fellow with the University of Toronto's Citizen Lab, where he contributes to research on targeted threats against civil society, and a part-time lecturer on Security Incident Management at BFH. He's a former member of the TF-CSIRT Steering Committee, and a member of the board of DEFCON Switzerland.
Talks
- A Trip to Ancient BABYLON: Unearthing a 2017 Pegasus Persistence Exploit, REcon Montréal, 2025 [Video] [Description]
- Scanning the Internet in under 5 minutes, on a budget, BSides Ljubljana, 2024 [Video] [Slides] [Description]
- What's new in Endpoint Security, Apple Worldwide Developers Conference (WWDC), 2022 [Video]
- Side-effects of publishing security research, Lightning Talk, BSides Ljubljana, 2019 [Video] [Description]
- Monitoring macOS for Malware and Intrusions, Area41 Zürich, 2018 [Video] [Slides]
Publications
- Predator in the Wires: Ahmed Eltantawy Targeted with Predator Spyware After Announcing Presidential Ambitions, The Citizen Lab, 2023 [Lab Report]
- Exhumation of a Slovenian Death Pit: Jama pod Macesnovo Gorico and the Right to a Grave, Anthropology Now, 2023 [Visual Essay]
- CSIRT Services Framework, Version 2, Forum of Incident Response and Security Teams (FIRST), 2019 [Standard]
Open source software and other content
- xnumon, a security monitoring agent for macOS.
- acefile, read/test/extract ACE 1.0 and 2.0 archives in pure Python.
- SSLsplit, transparent and scalable SSL/TLS interception.
- Nmap SCTP (Stream Control Transmission Protocol) port scanning.
- FakeIKEd, a fake IKE daemon for attacking vulnerable-by-design PSK + XAUTH IPsec VPN setups (group-password Phase 1 authentication).
- ASPSMS command line client and Ruby library for sending SMS through the ASPSMS gateway XML interface.
- RoseFS, an encrypted passthrough filesystem in userspace.
- FreeBSD contributions, including cmx(4), the Omnikey CardMan 4040 driver.
- FreeBSD Ports which I used to maintain or otherwise worked on.
- Security Advisories on security vulnerabilities I discovered before bug bounties became a thing.
