Mainframes still underpin critical infrastructure such as banking, airlines, and government systems, yet most modern security teams approach them using assumptions formed around Unix, Windows, and enterprise platforms. These assumptions often fail on z/OS, creating blind spots that are difficult to detect and easy to underestimate. This talk explains how mainframe security actually works and why familiar concepts such as "root," shells, ports, and lateral movement do not translate cleanly. Focusing on components like JES, JCL, RACF, CICS, and PR/SM, we explore where attackers and defenders truly operate today: transactions, security managers, and management boundaries. From an offensive perspective, the talk reframes how attackers actually move inside mainframe environments: not through shells or services, but via job submission paths, inherited authority, transaction routing, and security manager behavior. The session highlights concrete failure modes red teams encounter when modern assumptions are applied to z/OS, and how those blind spots are exploited in real assessments. Using real TN3270 terminal screens and practical examples, attendees will learn a repeatable methodology for assessing mainframe environments and identifying misconfigurations that appear harmless but can have severe impact. The talk also demonstrates an AI-assisted assessment approach: a local LLM interprets TN3270 screens in real time, narrates walkthroughs, and tutors interactively, all running 100% offline with no cloud APIs or data exfiltration risk. No prior mainframe experience is required.
Presented at Security Fest 2026.
Speaker: Adam Toscher

Adam Toscher is a New York–based security engineer and red team operator with over two decades of experience in offensive security, adversary simulation, and automation. Born in New York City and raised upstate, Adam built his career as an "IT vagabond," beginning as a freshman IBM intern porting Linux applications to mainframe systems. Mainframe work grounded him in large-scale computing, operating systems, and complex enterprise environments before he transitioned into offensive security. He later progressed through senior security roles at Adobe, Optiv, Accenture, IBM X-Force, and NYC Cyber Command, where he focused on realistic adversary emulation and advanced red-team operations. Most recently, Adam has been working with Cobalt Labs, supporting advanced red-teaming and offensive security engagements for private-sector organizations. Prior to this, he led red-team and adversary simulation efforts in support of critical public infrastructure with NYC Cyber Command and the FDNY. His work centers on penetration testing, red teaming, adversary emulation, and practical automation across both private-sector companies and government agencies. Outside of security, Adam values balance and lifelong learning, and is an avid reader, runner, swimmer, and gamer.