Security at Scale: What We Learned at DevConnect & DSS 2025

written by: Tiago Assumpcao

When 20,000+ builders, founders, and security teams all land in one place, you get a rare snapshot of where crypto security is really heading. That’s what DevConnect Buenos Aires and the DeFi Security Summit (DSS) 2025 felt like. It was a week filled with ideas and tools that are going to protect or break the next wave of crypto products. 

After the conferences, we hosted a private “ask me anything” (AMA) for Crypto ISAC members to go deeper on the big themes, discussing what actually matters, what’s just noise, and how security leaders can use these lessons to build trust with their internal and external customers, regulators, and partners.

This post is a recap of those conversations for both security teams and business leaders inside crypto companies.


1. “We had an audit” is not a security strategy

One message was loud and clear at DSS. Simply saying “we were audited” doesn’t cut it anymore. The biggest risks are moving away from single smart-contract bugs and toward how your whole system changes over time.

In practice, that means paying attention to things like:

  • Upgrades and governance – Who can change the code? How quickly? What checks exist before changes go live?

  • L1/L2 and cross-chain assumptions – Your consensus rules can be sound, but what if the validators or sequencers you rely on fail?

  • Oracles and infrastructure – A bad data feed, compromised validator, or fragile infra can break a product that otherwise looks “secure.”

For many teams, the real problem is ownership. In the AMA, we talked about how early-stage companies often care deeply about security but don’t have a dedicated leader yet. Work gets spread across founders and engineers, bug bounties run without a clear triage process, and important-but-not-urgent tasks slip.

A minimum viable security program doesn’t mean hiring a huge team. It means:

  • One person clearly accountable for security decisions

  • A basic secure software development lifecycle (threat models, code review, security testing)

  • Defined escalation paths and runbooks for incidents

This is exactly the kind of operational detail Crypto ISAC members trade notes on—what “good enough, right now” looks like at different stages of growth, so you’re not reinventing the wheel alone.


2. Multi-layer and cross-chain systems are powerful—and fragile

Today’s crypto products rarely live on a single, simple chain. You might have:

  • A main L1

  • One or more L2s or rollups

  • Bridges connecting them

  • Oracles, indexers, and other services plugged in

That stack is great for scale, but it also creates many hidden dependencies. A weak assumption in any layer, such as a bridge upgrade, a sequencer issue, or an oracle problem, can ripple across multiple products and teams.

Zero-knowledge (ZK) systems are a good example. They unlock privacy and scalability, but they also introduce new ways to fail: buggy circuits, misconfigured parameters, or subtle “it compiles, so it must be safe” errors. At DSS, there was a lot of focus on low-level math, compilers, and correctness because if the foundations are wrong, the blast radius is huge.

For business leaders, the takeaway is simple:

When you green-light new products or integrations, you’re not just betting on your own team; you’re betting on an entire stack of partners and protocols.

Inside Crypto ISAC, we see this daily through member reporting and shared incidents. That’s why our threat intelligence intentionally spans both Web2 and Web3: infra providers, chains, wallets, and application teams all share early signals so others can adjust before a small issue becomes a sector-wide problem.


3. Incident response looks like real-time operations

On-chain attacks don’t necessarily unfold over days. They can move from “something looks weird” to “funds are gone” in minutes. At DSS and in our AMA, a big theme was treating incident response like live operations, not just a post-mortem exercise.

A few practical approaches we discussed:

  • Pre-empt, don’t just react. Members and partners are experimenting with on-chain exploit preemption, including monitoring contracts being deployed, fuzzing calldata, and trying to block or front-run exploits before attackers can execute them.

  • Combine Web2 and Web3 views. Linking infrastructure data, domains, and wallets can help shut down drainer operations and phishing campaigns faster.

  • Understand your tools’ limits. Risk-scoring and monitoring platforms are powerful, but they’re not magic. Teams need to understand confidence levels, false positives, and edge cases so they know when to pull the alarm and when not to.

This is where Crypto ISAC’s role as a neutral threat-sharing hub really matters. Our job is to turn member reports, partner feeds, and public-sector intelligence into high-quality, standardized alerts that help the whole ecosystem respond faster and, ideally, prevent incidents entirely.


4. Supply-chain attacks, testing at scale, and what AI is actually good for

A few hard problems aren’t going away any time soon, particularly the challenge of testing complex networks at scale. Since you can’t perfectly simulate mainnet conditions, especially for L1/L2 upgrades and bridges, teams are leaning more on integration tests and close coordination with key stakeholders when upgrading.

On AI, the tone was refreshingly grounded. No silver bullets—but also no denial:

  • AI already helps skilled reviewers find subtle issues faster and automate repetitive checks

  • It works best when humans stay firmly in the loop, for example, using AI to speed up review, not replace it

  • Formal verification, static analysis, and fuzzing are all improving, but they’re still resource-intensive. Teams are reserving them for areas where the “blast radius” really justifies the cost, such as blockchain runtimes, consensus code, or high-value contracts

For Crypto ISAC members, these topics often turn into very concrete follow-ups: “Which supply-chain mitigation frameworks are actually worth the effort?” “How did you structure your bounty program?” “Where did formal methods pay off and where did they not?” That peer-to-peer detail is hard to get from talks alone.


5. The human layer still matters most

DevConnect itself was designed like a unified campus with talks, coworking spaces, expo zones, and live music stages all in one place. The result was a week where wallet teams, exchanges, L1/L2 project teams, auditors, and infrastructure providers constantly bumped into each other and solved real problems together.

The highest-bandwidth conversations often happened in smaller, invite-only gatherings—security dinners, side events, and private meetups where teams shared sensitive lessons learned and compared notes on incident handling, data sharing, and collaboration with public-sector partners.

Crypto ISAC exists to make that kind of trusted, cross-company collaboration happen every week, not just once a year at a conference. As an industry-run, vetted community, we help members:

  • Share threat intelligence in a structured, secure way

  • Coordinate with other private-sector companies and government where appropriate

  • Show customers and regulators they take security seriously and are plugged into sector-wide defenses


6. Why this matters for your organization

If you’re responsible for security, risk, or a product line in crypto or TradFi, the message from DevConnect, DSS, and our member AMA is straightforward:

  • Third-party audits and tools are necessary, but not enough

  • Stack and governance choices matter as much as contract code

  • Real-time incident operations and high-quality threat sharing are now table stakes

  • Trust is built not just by what you ship, but by who you learn from and collaborate with

Crypto ISAC is a place where exchanges, wallets, L1 and L2 projects, DeFi teams, custodians, analytics firms, and others pool their visibility and experience to protect both their own users and the wider ecosystem. Membership signals that your organization isn’t trying to solve these problems alone and that you’re contributing back to sector-wide resilience.

Tiago Assumpcao is Technical Director at Crypto ISAC, where he leads efforts in threat intelligence engineering and collaborative defense to strengthen trust and security across the crypto ecosystem.

About Crypto ISAC

The Crypto ISAC is a member-driven, not-for-profit organization that works together to curb malicious actors, address vulnerabilities, share intelligence, and move security forward to protect the crypto ecosystem. We are founded by leading crypto organizations and designed for cryptosecurity experts to address the security and trust challenges that face crypto today and shape the crypto ecosystem of tomorrow.
