Top 8 Briefings to Attend at Black Hat 2026
A CISO's guide to the must-attend Black Hat 2026 briefings on AI red teaming, agent exploitation, and offensive security — from prompt injection to pre-auth RCE.
A guide for CISOs and security leaders building cutting-edge AI offensive security programs.
If a common theme could be painted across the briefing track at Black Hat 2026, it is that AI is rewriting both sides of the fight: expanding the attack surface and arming the people probing it.
Staying ahead means operating like the best hacker and the best defender at the same time. This is the CISO’s guide to the Black Hat 2026 briefings worth prioritizing if you care about the cutting edge of offensive security, AI red teaming, and where penetration testing goes next.
We’ve sorted the briefings most relevant for Offensive Security into two tracks:
- Breaking AI Agents and Assistants covers how AI agents, assistants, and the models behind them fail in production, and why the guardrails wrapped around them don’t hold.
- Exploiting Apps, Protocols, and Infrastructure covers the parser-, protocol-, and platform-level flaws that still lead to full compromise, AI or not.
Breaking AI Agents and Assistants
1. Trusted Enough to Run: Breaking AI Agents in Official Workflows
Wednesday, August 5 | 3:35 PM–4:15 PM PST
Elad Meged, Founding Team and Security Researcher, Novee Security
Official AI-agent workflows increasingly run as trusted, unattended automation. They’re built from internal stages that each decide what is approved, sanitized, and safe to reuse. Novee founding security researcher Elad Meged runs through the discovery of how one workflow stage marks state as safe, and a later stage interprets it more powerfully than the earlier check ever accounted for. This trust-handoff failure shows up across Anthropic, Google, and OpenAI.
It’s a direct look at the AI attack surface most organizations are deploying faster than they can test it.
2. Bye Bye AI: How We Hacked the AI Shopping Assistant of a Top 3 US Retailer
Wednesday, August 5 | 10:15 AM-10:45 AM PST
Netanel Rubin and Dan Avraham, Rein Security
Rein Security’s Netanel Rubin and Dan Avraham walk through how they compromised the AI shopping assistant of a top-three US retailer, a system built on Vertex AI Search and sitting behind an LLM gateway that was supposed to enforce intent-classification guardrails.
Gateway defenses that only watch prompts and responses miss the part that matters, and securing an AI agent means having visibility into what it actually executes.
3. ChatMate: Remote Prompt Execution on AI Assistants through Sandbox Escaping
Thursday, August 6 | 10:15 AM-10:45 AM PST
Ori Lahav, Security Researcher, Rubrik Zero Labs
Ori Lahav introduces what he calls Remote Prompt Execution, a class where an attacker, much like with remote code execution, gets to run arbitrary prompts inside a victim’s AI chat session.
The final step in the chain is the first demonstrated escape from the Copilot sandbox to the host underneath it: a full session takeover that you trigger by uploading one document, with blast radius across several Azure services.
4. Cost-Effective, Private, Frontier-Grade: AI Agent Exploitation with a Fine-Tuned OSS Model
Thursday, August 6 | 10:15 AM-10:45 AM PST
Bar Lanyado and Eliya Cohen, NVIDIA
NVIDIA’s Bar Lanyado and Eliya Cohen cover how a fine-tuned 30B open-source AI model hit a 56% exploit success rate against agents, edging out much larger frontier models while costing somewhere between 70 and 125 times less to run.
It’s a pointed rebuttal to the idea that you need frontier scale to do serious offensive work, and a good indicator of where purpose-trained offensive models are heading.
Exploiting Apps, Protocols, and Infrastructure
1. Pre-auth RCE in Enterprise Java: When Middleware Becomes the Exploit
Wednesday, August 5 | 11:05 AM–11:45 AM PST
Lidor Ben Shitrit, Assaf Levkovich, and Elad Meged, Founding-team researchers, Novee Security
The plumbing of enterprise software rarely gets a second look, but it’s in the minutiae of platform scaffolding that risk emerges. Enterprise Java platforms still expose critical pre-authentication attack paths through middleware features that were never designed to handle untrusted input. The Novee research team opens with that premise and backs it with real exploits.
They’ll walk through multiple pre-auth remote code execution chains found in widely deployed platforms, reaching internal-only execution surfaces through routing logic, dispatcher behavior, and authentication glue code.
The session closes by extracting the common pattern behind these bugs and giving practical guidance for finding and fixing pre-auth execution paths buried in middleware: exactly the kind of chained, context-dependent flaw that point-in-time testing routinely misses.
2. Beyond Normalization: The Expanding Unicode Attack Surface
Thursday, August 6 | 3:35 PM-4:15 PM PST
Ryan Barnett, Senior Threat Research Manager, Akamai; Isabella Barnett, Security Researcher
Akamai’s Ryan Barnett and Isabella Barnett pick up their popular 2025 research with a simple argument: Unicode exploitation doesn’t end at normalization.
Unicode has become an architectural attack surface in its own right, far more than the encoding footnote most teams still treat it as.
3. Turning Enterprise Update Servers Into Backdoor Factories (0_o)
Wednesday, August 5 | 10:15 AM-10:45 AM PST
bagelByt3s, Adversary Simulation Consultant, SpecterOps
SpecterOps’ bagelByt3s goes after Windows Server Update Services, the patch-distribution hub that turns into a delivery mechanism for organization-wide implants the moment it’s compromised. Defensive mitigations are part of the talk too, which makes it one of the rare sessions that arms red and blue teams in the same room.
4. Chaos by Design: The Death of Stochastic Race Conditions in HTTP/3
Thursday, August 6 | 11:05 AM-11:45 AM PST
Efstratios Chatzoglou, University of the Aegean/PwC; Vyron Kampourakis, NTNU; Georgios Kambourakis, University of the Aegean; Angelos Stavrou, Virginia Tech
A team spread across the University of the Aegean, NTNU, and Virginia Tech sets out to kill off the idea that race conditions are stochastic and unreliable.
Their technique, SSRO, hits 96.4% precision and triggers 20x transaction-limit violations; an 87% vulnerability rate across 10,000 top-ranked domains gives you a sense of how far this reaches. Since the vendors are writing this off as “working as intended,” the only defenses on offer are hardened builds and pessimistic locking.
Warm Up (or Cool Down) for the Briefings at the Novee Gym
Before or after the briefings, catch the researchers at the Novee Gym, where our proprietary offensive AI out-benchmarks the competition. Bring your domain name to the gym, and we’ll show you what your environment looks like from an attacker’s perspective. Black-box ⬛ + Black Hat 🎩 = validated AI penetration testing.
Black Hat is where you go to learn how your attackers think. Visit us at Booth #5325 or book a meeting to see what they already know.