Char49 at RootedCON Portugal 2026
RootedCON has long been a meeting point for people who care deeply about cybersecurity beyond the surface level: researchers, engineers, practitioners and organisations willing to question assumptions. At RootedCON Portugal 2026, Char49 was represented by David Sopas and Paulo Silva, who delivered two different talks with a shared underlying message: security only improves when it is tested against reality.
Their sessions approached cybersecurity from two complementary perspectives. One looked at the growing role of artificial intelligence in security research workflows. The other examined a real-world vulnerability disclosure case in the context of the NIS2 era, raising difficult questions about accountability, ethics and organisational maturity.
Together, the talks reflected much of what defines Char49’s approach to security research: technical depth, practical experience, responsible disclosure and a clear understanding that security is not achieved through tools, policies or regulation alone.
AI as a Security Research Tool: Useful, Fast and Often Wrong
In his talk, “AI as Security Research tool: Experience, pitfalls and insights,” David Sopas explored what really happens when artificial intelligence is integrated into security research.
AI is often presented in extreme terms. For some, it is a revolutionary replacement for human expertise. For others, it is an unreliable shortcut that introduces more noise than value. The reality, as David argued, is far more nuanced.
Used well, AI can be a valuable assistant in security research. It can accelerate repetitive tasks, help structure hypotheses, summarise large volumes of information, support code review, generate test cases and assist in documentation. In the right context, it allows researchers to move faster and explore more paths in less time.
But AI also has important limitations. It can be confident and wrong. It can miss context. It can hallucinate technical details, suggest irrelevant attack paths or produce output that appears plausible but fails under real validation. In security research, where precision matters and false assumptions can waste hours or distort conclusions, this is not a minor issue.
David’s talk focused on practical experience rather than hype. The key point was not whether AI is “good” or “bad” for security research, but how it should be used. AI is not a replacement for methodology, curiosity or technical judgement. It is a tool that must be guided, questioned and validated.
The lesson is clear: AI can improve a security research workflow, but only when researchers understand where it helps, where it fails and how to keep human expertise at the centre of the process.
Security Circus in the NIS2 Era: When Compliance Is Not Enough
Paulo Silva’s talk, “Security Circus in the NIS2 Era or A Case Study Hacking Ethics and Philosophy,” took the audience into a very different but equally important area: the gap between vulnerability disclosure, organisational response and real security improvement.
The talk was based on a case study involving a Portuguese insurance provider. Acting both as a customer of that provider and as an independent security researcher, Paulo identified critical vulnerabilities in a newly released mobile application. These flaws enabled unauthorised access to arbitrary customer accounts, creating a serious risk to personal data and to customer trust.
The issues were responsibly disclosed and partially addressed. However, the response revealed deeper problems: weak mitigation strategies, limited secure development practices and insufficient incident response maturity.
Months later, a separate feature introduced new vulnerabilities, once again exposing customer data without authentication. The second disclosure process showed many of the same weaknesses: delayed responses, ineffective fixes and prolonged exposure.
This case study raised a difficult question: why do organisations fail to learn, even when vulnerabilities are clearly demonstrated and guidance is provided?
The answer is rarely purely technical. Many organisations still treat security as a reaction, a checklist or a communication problem, rather than a structural responsibility. Fixing a single bug is not the same as addressing the process that allowed it to reach production. Closing a disclosure ticket is not the same as improving security culture.
NIS2 and the Accountability Challenge
Paulo’s talk was especially relevant in the context of the NIS2 Directive and its transposition into Portuguese law. NIS2 introduces stronger expectations around cybersecurity governance, risk management, incident reporting and executive accountability.
This is a necessary step. Regulation can create pressure. It can clarify responsibilities. It can force organisations to take cybersecurity more seriously at management level.
But regulation is not a substitute for security maturity.
One of the central messages of the talk was that compliance does not automatically lead to better security outcomes. An organisation can comply with formal requirements while still lacking the technical discipline, internal processes and cultural readiness needed to protect users effectively.
This distinction matters. Security is not proven by documentation alone. It is proven by how an organisation designs systems, responds to vulnerabilities, learns from incidents and protects the people whose data it holds.
As legal protections for ethical hacking evolve and responsible disclosures become more common, organisations must be prepared to engage with researchers constructively. That means responding quickly, fixing properly, communicating transparently and treating each disclosure as an opportunity to improve.
Two Talks, One Message: Security Must Be Grounded in Reality
Although David and Paulo addressed different topics, their talks converged on a shared idea: cybersecurity must be grounded in real-world practice.
AI can support research, but it cannot replace critical thinking. Regulation can raise standards, but it cannot replace security culture. Vulnerability disclosure can reveal problems, but it only creates value when organisations are willing to learn from it.
For Char49, these are not abstract themes. They are part of the daily reality of security research: testing assumptions, validating findings, working within constraints and helping organisations understand risk beyond compliance.
RootedCON Portugal 2026 provided the right stage for these discussions. In a field often dominated by buzzwords and surface-level narratives, both talks brought the conversation back to practical experience, ethical responsibility and the uncomfortable but necessary work of making systems safer.
Security is not a performance. It is not a checklist. It is not a tool, a regulation or a one-time fix.
It is a continuous process of questioning, testing, learning and improving.
And that is where meaningful security begins.
If your organisation wants to strengthen its security posture, validate its systems or better prepare for today’s regulatory and technical challenges, get in touch with us.