Leading the Future: Real-World Proactive Strategies for Secure and Scalable AI
- 15:30
- Tue
- 02 Dec
Stage:
Executive Summit
Session Type:
Sponsored
AI is no longer experimental; it’s quickly becoming the digital backbone of modern enterprise. As generative and agentic AI accelerate innovation, they’re also redefining the threat landscape in real time. In this new era, reactive defense is no longer enough. CISOs must lead a shift toward proactive, autonomous cybersecurity that keeps pace with AI’s velocity. This keynote will introduce a strategic framework for that shift, grounded in the architecture of modern AI itself. We’ll explore how mastering the three foundational layers - data, intelligence, and agentic - enables security to scale alongside AI, rather than lag behind it. Far from theoretical, these layers are fueling real-world innovations like digital twins and turning defense into a predictive, preemptive force. To bring these concepts to life, we’ll showcase how Trend Micro, Dell, and NVIDIA are collaborating to build Secure AI Factories - enterprise-grade platforms that transform data into intelligence and action across cloud, edge, and on-premises environments. These factories aren't just technical constructs, they are strategic assets that empower organizations to move from experimentation to resilient, real-world AI deployment. Whether you’re navigating early AI adoption or driving toward enterprise-wide scale, this session will equip you with the vision, partnerships, and playbook to secure your AI future confidently, proactively, and at scale.
Presenter:
Mentorship - The Startup Playbook for Cyber Success
- 15:40
- Tue
- 02 Dec
Stage:
Deep Dive
Session Type:
Presentation
Founding a cybersecurity startup can be exhilarating, but it’s not for the faint of heart or the risk-averse: less than 25% of venture-backed companies return capital to their investors, and fewer than 5% of founders ever realize a meaningful financial outcome. Drawing on decades of founding, scaling, and investing in successful cybersecurity companies, Jeremiah Grossman presents a proven playbook for improving the odds: how to identify security problems that truly matter, design solutions customers immediately value, build go-to-market strategies that drive growth, and rigorously challenge assumptions at every step. Leveraging real-world case studies and practical lessons learned, this session delivers actionable guidance for founders who want to build cybersecurity companies that don’t just survive - but win.
Presenter:
The Invisible Trigger
- 15:40
- Tue
- 02 Dec
Stage:
Briefings 1
Session Type:
Presentation
In this session, we explore a novel and stealthy approach to malware behavior modulation: using WiFi Signal-to-Noise Ratio (SNR) as a passive environmental signal. Traditional malware often relies on system time, input activity, or internet connectivity for behavioral cues. However, SNR, a physical-layer metric reflecting real-time signal quality, offers a new channel for adapting malware execution based on environmental context, such as human proximity or physical interference. Attendees will gain insight into how electromagnetic signal behavior can be exploited by malware to make execution decisions such as delaying payloads in sandbox environments, triggering actions only in the presence of humans, or using ambient wireless changes to avoid detection. The talk will include a working proof of concept demonstrating how SNR can be captured on Linux systems using real hardware and how malware logic can be gated by real-time signal analysis. We will also discuss the implications for cybersecurity defense, particularly the challenges in reproducing physical RF environments within sandboxes and virtual machines. This session is particularly relevant to those working in offensive security, malware analysis, threat intelligence, and IoT security. By the end, participants will leave with a deeper understanding of how signal-aware malware can evolve, why traditional defenses may fall short, and how this unconventional technique can be both a risk and an opportunity in future cyber operations.
Presenter:
The Industrial Compromise: The Pivot of Ransomware and Hacktivism to Operational Technology (OT)
- 15:40
- Tue
- 02 Dec
Stage:
Sponsored Briefings
Session Type:
Presentation
Operational Technology (OT) environments, which are critical to industrial, manufacturing, and infrastructure functions, are rapidly emerging as the premier target for sophisticated cyber adversaries. This presentation analyzes this year’s critical pivot observed in both hacktivist and financially motivated ransomware groups, detailing their evolution from traditional Information Technology (IT) targeting to more advanced OT compromises. We will explore the primary driving forces behind this shift and its consequences.
Presenter:
Beyond the Playbook: From Tabletop Theory to Red Team Reality
- 15:40
- Tue
- 02 Dec
Stage:
Briefings 2
Session Type:
Presentation
This session explores a different approach to red teaming: conducting full-scale operations without malware. Instead of building or deploying implants, we rely on proxies, tunnels, and legitimate remote-access tools to execute tactics, techniques, and procedures (TTPs). By using SOCKS proxies, Chisel, AnyDesk, RDP, and even Windows-native administrative tooling, attackers can seamlessly pivot, persist, and exfiltrate while blending in with everyday IT traffic. We will demonstrate how malwareless operations not only reduce detection risk, but also eliminate the heavy cost of malware R&D. Attendees will see real-world examples from threat actors and red teams, including how APT groups have leveraged tunnels and RMMs to achieve stealth and resilience.
Presenter:
Announcements
- 15:50
- Tue
- 02 Dec
Stage:
Executive Summit
Session Type:
Announcements
Securing Tomorrow: How Culture Shapes Cyber Resilience
- 16:00
- Tue
- 02 Dec
Stage:
Black Hat Campus
Session Type:
Keynote
In today’s high-stakes environment, sustainable security isn’t just about compliance - it’s about cultivating a culture where trust, resilience, and innovation thrive. This presentation reveals how leading institutions win competitive partnerships and protect their reputation by empowering people, embedding security into daily habits, and driving measurable results. Discover actionable strategies to transform security from a checklist into a strategic advantage, positioning your organization for enduring success in the digital age.
Presenter:
AI-augmented incident response: a hands-on CTF with MCP-powered agents
- 16:00
- Tue
- 02 Dec
Stage:
Arsenal Lab
Session Type:
Demo
Security teams drown in signals while attacks move across cloud infrastructure. This hands-on Arsenal Lab turns that reality into a capture-the-flag challenge on a live AWS environment running Amazon EKS. Participants will use an AI investigation agent - backed by multiple MCP (Model Context Protocol) tool servers - to triage Falco runtime detections, correlate Kubernetes audit events, map AWS-side activity, and reconstruct the attack path. The CTF simulates a realistic intrusion (port scanning -> vulnerability/misconfiguration exploit -> lateral movement -> data exfil), and the agent guides each step by orchestrating queries against the tool stack, explaining reasoning, and generating next-best actions. The top 3 scorers win prizes.
Presenter:
Overlooked & Overridden: Mitigating Risks from Unlocked Sessions to Unmanaged Local Assets
- 16:00
- Tue
- 02 Dec
Stage:
Briefings 2
Session Type:
Presentation
Three main risk areas that cybersecurity teams are probably numb to. 1) Idle and unlocked sessions, where GPO fails to lock the session due to overrides (like a YouTube video, a video ad in the browser, music playing, presenting to a projector, etc.). We have all seen it almost everywhere. You go to a hospital, and computers left, right, and center are unlocked, with no one attending to the session. Statistics say GPO fails at least once a day per employee due to GPO lock policy overrides. And current tools are falling short. How to protect, secure and manage those sessions without giving up user convenience, while maintaining a tight grip over securing those sessions. 2) Forgotten browser extensions. In July 2025, over 200 browser extensions were discovered to be part of a web-scraping botnet. Do you have one installed in your organization? How do you always stay on top of it? 3) Unmanaged or poorly managed local administration accounts. Local administrator is a godsend when things go wrong. But its password is either static, where the entire organization uses it, or on a scheduled randomization based on expiry, which usually leaves a long window for password reuse attacks. Our current tools fail to protect us, and we need to be careful to avoid data spills.
Presenter:
Living in the Namespace: Stealth Persistence in Linux
- 16:00
- Tue
- 02 Dec
Stage:
Briefings 1
Session Type:
Presentation
In this session, we will explore how Linux namespaces can be leveraged for stealthy persistence and isolation. You will learn how processes can operate in isolated environments without leaving traditional artifacts, how user namespaces allow controlled root access inside containers, and how memory-only footholds can maintain a persistent presence on a host.
Presenter:
Lean Strategy for Modern Security
- 16:00
- Tue
- 02 Dec
Stage:
Executive Summit
Session Type:
Keynote
In a fast-evolving threat landscape, multi-year cybersecurity roadmaps age quickly. This keynote shows how a lean strategy - continuous learning, rapid iteration, and measurable value - keeps organizations ahead of adversaries and business change. Drawing on Harvard Business Review and Harvard Kennedy School research on agile leadership and adaptive strategy, we’ll cover how high performers achieve up to 30% faster decision-making, 40% greater operational resilience, and 20% higher ROI by prioritizing flexibility over rigidity. We’ll translate these principles into practice for cybersecurity teams to modernize governance, streamline investments, and deliver outcomes aligned with both security and business agility.
Presenter:
From Static Models to AI Agentic Intelligence
- 16:00
- Tue
- 02 Dec
Stage:
Sponsored Briefings
Session Type:
Presentation
This presentation outlines the evolution from static detection models to AI agentic intelligence in security operations. Mohammad Al Taher highlights current attack scale, alert noise, and investigation delays across modern SOCs. He explains how AI-driven intelligence, infrastructure-placed traps, log-based learning, RAG enrichment, and evidence correlation improve threat signal quality. The talk covers real risk vectors including credential theft, cloud access paths, AI-powered automation in attacker tooling, and secure agent integration across endpoints and directory environments. It also highlights practical controls to validate AI decisions, enforce identity boundaries, raise detection fidelity, and reduce uninvestigated alerts using a threat-aligned framework.
Presenter:
The Daily Drop - Live from Black Hat MEA (Day 1)
- 16:00
- Tue
- 02 Dec
Stage:
The Back Room
Session Type:
Podcast
This session is part of our Daily Wrap-Up Live series, taking place every day at 4:00 PM at The Back Room Live. Join Devon Bryan and Nicole Dove as they reflect on the day’s standout moments, audience energy, key insights, and everything that made Day 1 of Black Hat MEA come alive. A relaxed, unscripted conversation capturing the pulse of the conference.
Presenter:
DeepFake and its impact on Cyber Fraud
- 16:20
- Tue
- 02 Dec
Stage:
Sponsored Briefings
Session Type:
Presentation
This session examines how deepfake technology is used in cyber fraud. Khaled Abushaghbab outlines the main attack methods, recent incidents, and the tools that enable realistic audio and video manipulation. The talk highlights key warning signs, common exploitation patterns, and the defensive measures that help reduce exposure to these attacks.
Presenter:
The Economics of Threat: Where Nations Should Invest Next
- 16:20
- Tue
- 02 Dec
Stage:
Executive Summit
Session Type:
Fireside Chat
A rare convergence of global cyber authorities examines how power, money, and crime intersect in cyberspace, and what control looks like in today’s contested digital landscape.
Presenter:
Cybersecurity Investment Growth, and Strategy Development Executive Director
Ministry of Investment
Sovereignty by Design: A Provider–Buyer SaaS Playbook for Multi-jurisdictional Operations
- 16:20
- Tue
- 02 Dec
Stage:
Briefings 2
Session Type:
Presentation
As geopolitics bleeds into cyberspace, providers and customers must plan for scenarios that can abruptly sever access to outside SaaS: undersea cable sabotage, sanctions, or political decisions that weaponize service access. At the same time, regulatory fragmentation accelerates, but industry discourse often conflates two distinct concerns: infrastructure sovereignty (can the service operate when cut off?) and data sovereignty (who can lawfully access what data, under which jurisdiction?). This briefing delivers a practitioner design framework spanning people, technical, and legal dimensions so SaaS (especially cybersecurity) providers—and their multinational customers—can design for both infrastructure sovereignty and data sovereignty without losing market access or operational continuity. Using the backdrop of operating a parallel, globally reachable multi-tenant deployment in a new geography, we present concrete questions and decision points: technical dependencies on external services and their impact if cut off (none / partial / complete degradation); kill-switch exposure; software distribution and versioning; client routing vs. centralized traffic steering; and domain/namespace choices. We pair these with people requirements (independent local operators) and legal mechanisms (code and domain/URL escrow, compelled-action mitigations, SLA patterns, fiduciary/security duties, and sanctions screening). We also include a case study of a national, multi-tenant secure communications deployment in Iceland that addressed local infrastructure risks while enabling MNCs to meet data obligations across jurisdictions—within a single tenant—without duplicative infrastructure. Attendees leave with a checklist-driven framework and implementation patterns they can apply immediately, plus a roadmap to iterate with their counsel and engineering teams.
Presenter:
Signals & Shadow: Hunting Threats Where the Telecom Network Breathes
- 16:20
- Tue
- 02 Dec
Stage:
Briefings 1
Session Type:
Presentation
The Advanced Threat Detection in Telecom Networks session will explore how telecom networks—despite being the backbone of global communications—remain vulnerable to advanced persistent threats (APTs) and sophisticated malware campaigns. Recent high-profile incidents underscore this risk: SK Telecom in South Korea was targeted by sophisticated telecom-specific malware, while the LightBasin campaign against U.S. telecom providers demonstrated how adversaries weaponize signaling protocols and backdoor management interfaces to conduct long-term espionage. These campaigns highlight that attackers understand telecom architectures deeply and exploit weaknesses in signaling, mediation, and interconnect layers. Unlike enterprise IT, telecom infrastructure was originally designed for availability rather than security. Many network elements lack compatibility with modern Endpoint Detection and Response (EDR) solutions, leaving critical systems exposed. This session introduces a modern threat detection framework tailored for telecom environments. It highlights how EDR can be adapted for supported network elements, while Network Detection and Response (NDR) provides visibility and protection for legacy or unsupported nodes. The talk will cover deployment challenges, policy considerations, and real-world integration lessons, closing with recommendations for how security vendors, telecom OEMs, and regulators must collaborate to build a globally resilient telecom security posture.
Presenter:
Kanvas - An Opensource Tool for Incident Response and Forensics
- 16:20
- Tue
- 02 Dec
Stage:
Arsenal 3
Session Type:
Demo
Presenter:
SkyEye: When Your Vision Reaches Beyond IAM Boundary Scope in the Cloud
- 16:20
- Tue
- 02 Dec
Stage:
Arsenal 1
Session Type:
Demo
In this Arsenal session, we will showcase a new framework: SkyEye - The First Cooperative Multi-Principal IAM Enumeration Framework for AWS Cloud. The SkyEye Framework proposes and develops two novel models: CPIEM and TCREM. Unlike conventional tools and frameworks, SkyEye is able to synchronize reconnaissance across multiple user and role sessions, dynamically chaining and merging their vantage points to unravel the full spectrum of permissions, resource authorizations, and hidden escalation paths. This methodology exposes not only what each principal can see, but also what they can achieve in combination, uncovering hidden attack vectors and privilege escalation paths invisible to traditional IAM enumeration.
Presenter:
Fake People, Real Losses: Managing Synthetic and AI-Forged Identities
- 16:20
- Tue
- 02 Dec
Stage:
Deep Dive
Session Type:
Panel
A look at how synthetic and AI-forged identities are reshaping fraud, risk, and trust - and what security teams must do to detect, prevent, and respond.
Presenter:
Smithy the AppSec SOAR
- 16:20
- Tue
- 02 Dec
Stage:
Arsenal 2
Session Type:
Demo
Smithy is an open-source framework designed to supercharge your AppSec automation using AI-driven orchestration. In this Arsenal session, we’ll showcase how Smithy helps security teams build and scale intelligent workflows that unify tools, triage results, and automate actions—all without writing brittle glue code.
Presenter:
Book Signing
- 16:30
- Tue
- 02 Dec
Stage:
Black Hat Campus
Session Type:
Book Signing
Cyber Defense Matrix: The Essential Guide to Navigating the Cybersecurity Landscape
Presenter:
How Diverse Thinking Can Drive Security Innovation
- 16:30
- Tue
- 02 Dec
Stage:
The Back Room
Session Type:
Podcast
Join cybersecurity expert Trina Ford, CISO at iHeartMedia, to explore how modern security challenges require the right balance of strong leadership, creative use of tech innovation and fresh thinking.
Presenter:
AI, Agents & The Rise of the Risk Operations Center (X-ROC): The Next Evolution of Cyber Defense
- 16:40
- Tue
- 02 Dec
Stage:
Sponsored Briefings
Session Type:
Presentation
For decades, the Security Operations Center has been the nerve center of cybersecurity—yet its focus has remained reactive, alert-centric, and overloaded. With AI-driven threats, identity abuse, supply chain attacks, and cloud complexity increasing exponentially, SOCs are no longer sufficient for enterprise-scale risk governance. This session introduces the Risk Operations Center (ROC)—a new operational paradigm designed for the AI era. Powered by autonomous agents, continuous controls testing, risk quantification engines, and data-driven prioritization, the ROC shifts the mission of cybersecurity from detection to proactive risk elimination. We demonstrate how AI agents can evaluate posture drift, validate remediation, automate evidence collection, reduce alert fatigue, and deliver business-aligned risk intelligence. Real-world architectures from multi-cloud environments show how organizations are building X-ROCs that integrate SOC, GRC, IAM, CSPM, and TPRM into a unified risk telemetry layer. Attendees will learn how to design, staff, and operationalize a next-generation X-ROC that improves enterprise resilience while reducing operational overhead by up to 60%. Three Key Takeaways: 1. Why SOC models cannot scale to AI-driven threats—and how X-ROC architecture solves this gap. 2. How AI agents automate posture testing, evidence validation, remediation workflows, and risk scoring. 3. Operational blueprint to build an enterprise-grade Risk Operations Center in 12–18 months. Ideal For: CISOs, Risk Officers, SOC Team, Security Architects, CTOs, Organizations planning consolidated security and risk operations
Presenter: