Objective:: Comprehensive briefing on the [un]prompted 2026 conference: 60 talks covering AI security, offensive AI, agentic systems, governance, and vulnerability research.
Event:: [un]prompted 2026
Playlist:: https://www.youtube.com/playlist?list=PLjmt1tu85IhAiVPugOjP-7Cy0Oemi3m7z
Talks Processed:: 60
# [un]prompted 2026: Conference Briefing
## Executive Summary
[un]prompted 2026 is a research-focused AI security conference organized by **Gadi Evron**. The event ran across multiple days with ~800 online participants and featured 55+ talks from practitioners at Google, Anthropic, OpenAI, Meta, Stripe, Salesforce, Trail of Bits, Palo Alto Networks, and many others. The conference explicitly positioned itself against the "typical conference" model: no vendor pitches, and the deterministic-to-nondeterministic paradigm shift as the framing.
**The conference's core tension:** AI is simultaneously the most powerful offensive tool in a generation AND the most powerful defensive tool, and neither side has figured out the rules yet.
### Top-Level Themes
1. **Offensive AI is real and accelerating.** Multiple talks demonstrated working exploits: LLMs finding kernel zero-days (Carlini), winning Pwn2Own (Georgi G), 200 bugs/week at Trail of Bits (Guido), 12 zero-days in OpenSSL (Krivka/Vlcek). The capability doubling time is ~4 months.
2. **Agent security is the new attack surface.** Prompt injection, tool poisoning, and agent hijacking are not theoretical: Rehberger demoed the Agent Commander C2 framework, Zenity found thousands of public agents (Ben Chaim), Stripe red-teamed their own agent (Ring/Peedikayil), and coding IDEs had 37 vulns across 15 vendors (Ryciak).
3. **Governance is lagging but people are trying.** Snowflake, pharma CISOs, Army Cyber, and Google Workspace all presented frameworks, but they're all early. The common pattern: tiered risk assessment, execution authority constraints, human-in-the-loop at decision boundaries.
4. **Evaluation is broken.** Classical ML metrics don't work for agents (Saxe). Most ML vulnerability detection benchmarks are noise (Qu). The field needs rubric-based, capability-centric evaluation (Khurana). Stripe learned this the hard way when vibes-based prompt eval missed a 10% regression (Zhang/Shah).
5. **The "vibe coding" reckoning is coming.** Multiple speakers warned that AI-generated code at scale without security guardrails is creating a new class of infrastructure sprawl risk (Evron Day 2, Ryciak, Gupta, McMillan/Lopopolo).
## Talks by Track
### Keynotes & Opening/Closing
| Talk | Speaker(s) | Key Point |
|------|-----------|-----------|
| [[Evron - Opening Words]] | Gadi Evron | Deterministic → nondeterministic shift; "just try" as antidote to AI anxiety |
| [[Hubbard - Opening Poem]] | Dan Hubbard | LLM-written spoken-word poem; "zero day is vibe at scale" |
| [[Evron - Opening Words Day 2]] | Gadi Evron | Citizen coder sprawl as emerging enterprise risk |
| [[Evron - Closing Words]] | Gadi Evron | ~800 online participants; community formation |
| [[Evron - Final Closing Words and Manifesto]] | Gadi Evron | 90-day obsolescence cycle; 2% uplift call to action |
| [[Lee, Thorpe, Hubbard & Epp - Vibe Coded]] | Rob T. Lee, Glenn Thorpe, Dan Hubbard, Sergej Epp | Four demos: 14-min DFIR, hallucinated apps, phishing clones, 1-day exploits |
### Offensive AI & Vulnerability Research
| Talk | Speaker(s) | Key Point |
|------|-----------|-----------|
| [[Carlini - Black-Hat LLMs]] | Nicholas Carlini (Anthropic) | LLMs finding Linux kernel heap overflows and blind SQLi; ~4-month capability doubling |
| [[Guido - 200 Bugs Per Week How We Rebuilt Trail of Bits Around AI]] | Dan Guido | 15 → 200 bugs/week; 5-part AI-native org transformation; $8M/rep sales |
| [[Krivka & Vlcek - AI Found 12 Zero-Days in OpenSSL]] | Adam Krivka, Ondrej Vlcek (Isle Security) | 500 confirmed findings in 6 months; multi-stage progressive refinement |
| [[Georgi G - Prompt2Pwn LLMs Winning at Pwn2Own]] | Georgi G | LangChain/JADX agent pipeline; Samsung Pwn2Own chain; 12+ bugs found |
| [[Girnus & Chen - FENRIR AI Zero-Day Discovery]] | Peter Girnus, Derek Chen (Trend Micro) | Cascaded SAST+LLM triage; 60+ CVEs filed; 3x team productivity |
| [[Gallucci - macOS Vulnerability Research]] | Olivia Gallucci | OSS Sensor tool; diff-to-hypothesis-to-harness pipeline for Apple targets |
| [[Grattafiori & Bingham - Tenderizing the Target]] | Aaron Grattafiori, Skyler Bingham (Nvidia) | Project Marinade: synthetic vulnerability injection into real codebases |
| [[Dolan-Gavitt & Olesen - Auth-by-One Exploits]] | Brendan Dolan-Gavitt, Vincent Olesen | Auth transmogrification for automated authz bypass discovery |
| [[Park - Exploiting AI KYC Pipelines]] | Sean Park | Stored prompt injection in passport images exploiting AI extraction agents |
| [[Behrens & Cassel - Source to Sink LLM Vuln Discovery]] | Scott Behrens, Justice Cassel | Orchestrated source-to-sink tracing: 116/191 TPs vs. solo model's 40/191 |
| [[Epp - 8 Minutes to Admin]] | Sergej Epp | Real wild-caught AI-assisted AWS attack; AI forensic "accent" detection |
### Agent Security & Prompt Injection
| Talk | Speaker(s) | Key Point |
|------|-----------|-----------|
| [[Rehberger - Your Agent Works for Me Now]] | Johann Rehberger | Agent Commander C2 framework; delayed tool invocation bypass; Google Home takeover |
| [[Ryciak - Vibe Check AI IDE Security Failures]] | Piotr Ryciak | 37 vulns across 15+ IDE vendors; zero-click RCE in Codex and Gemini CLI |
| [[Ring & Peedikayil - Operation Pale Fire]] | Wes Ring, Josiah Peedikayil (Block) | Red team vs. Goose agent: calendar injection → spear phishing; Unicode smuggling |
| [[Evron (Zenity) - PleaseFix]] | Gadi Evron (for Zenity) | Comet browser attacks: calendar invite → filesystem exfil → 1Password compromise |
| [[Ben Chaim - Total Recon Open Agents in the Wild]] | Roey Ben Chaim (Zenity) | Tens of thousands of public agents found; PowerPawn recon tool |
| [[Melo - The Parseltongue Protocol]] | Joey Melo | 82% of 100+ obfuscation methods succeeded; Base64 most effective (~7%) |
| [[Polley - Training BrowseSafe Detecting Prompt Injection]] | Kyle Polley (Perplexity) | BrowseSafe classifier: Qwen 30B fine-tuned, 90.4% F1, sub-second latency |
| [[Sullivan - AI Notetakers Most Important Person]] | Joe Sullivan | AI meeting recorders as security risk; court ruling on Claude privilege |
| [[Reed - Are You Thinking What I'm Thinking]] | Jackson Reed | Reasoning block signatures don't bind to conversations; cross-conversation injection |
### Defensive Architecture & Secure Agentic Systems
| Talk | Speaker(s) | Key Point |
|------|-----------|-----------|
| [[Lidzborski - Securing Workspace GenAI at Google Speed]] | Nicolas Lidzborski (Google) | 4-layer structural defense; plan-validate-execute pattern; lethal trifecta |
| [[Adkins & Flynn - Evaluating Threats at Google]] | Heather Adkins, Four Flynn (Google) | Big Sleep (zero-false-positive vuln discovery) and Code Mender (178 autonomous patches) |
| [[McMillan & Lopopolo - Code Is Free Securing Software]] | Paul McMillan, Ryan Lopopolo (OpenAI) | Security expertise encoded as text in codebase; 1M-line product, zero manual lines |
| [[Bullen - Breaking the Lethal Trifecta]] | Andrew Bullen (Stripe) | Prompt injection containment: egress controls, Toolshed MCP proxy, HITL UX |
| [[Maisel - Hooking Coding Agents with Cedar Policy]] | Matt Maisel | Cedar policy engine + agent hooks for deterministic enforcement outside the model |
| [[Niyikiza - Capability-Based Authorization for AI Agents]] | Niki Aimable Niyikiza | Tenur warrant system: cryptographic tokens; 90% → 0% attack surface reduction |
| [[McMillin - Building Secure Agentic Systems]] | Brooks McMillin | 19-agent home lab ecosystem; capability bounding; memory namespace isolation |
| [[Shumailov - AI Security with Guarantees]] | Ilia Shumailov | CAMEL architecture: separate instruction from data; 99.999% attack prevention claim |
| [[Gupta - Injecting Security Context During Vibe Coding]] | Srajan Gupta | MCP-delivered security context packs; zero high/critical findings when enabled |
### Detection, Monitoring & Threat Intelligence
| Talk | Speaker(s) | Key Point |
|------|-----------|-----------|
| [[Rittinghouse & Huang - 1.8M Prompts 30 Alerts]] | Matt Rittinghouse, Millie Huang (Salesforce) | AgentForce behavioral anomaly detection: 1.8M daily prompts → <30 alerts |
| [[Nabeel - Detecting GenAI Threats with Semantic YARA]] | Mohamed Nabeel | SuperYARA: 4-tier semantic detection; LLM cost reduced from $750 to $13.50/10K requests |
| [[Ayenson - Can You See What Your AI Saw]] | Mika Ayenson (Elastic) | Intent attribution failure in EDR for AI agents; OpenTelemetry as fix |
| [[Rudis & Thorpe - Detection and Deception Engineering in the Matrix]] | Bob Rudis, Glenn Thorpe (Grey Noise) | Orbee AI analyst; 12-16 MCP servers; findings validator pattern |
| [[Sun - From OSINT Chaos to Knowledge Graph]] | Dongdong Sun (Palo Alto Networks) | Multi-step LLM extraction from 10K reports/week into traversable knowledge graph |
| [[Hurd - Glass-Box Security Mechanistic Interpretability]] | Carl Hurd | Mechanistic interpretability hooks for behavior-based detection inside model forward passes |
| [[Isak & Gill - AI Fingerprints]] | Natalie Isak, Waris Gill | Binary Shield: PII-redact → embed → quantize → differential privacy; 36x faster matching |
### Governance, Policy & Enterprise Adoption
| Talk | Speaker(s) | Key Point |
|------|-----------|-----------|
| [[Norwood - AI Governance Without Stifling Innovation]] | Billy Norwood | $5B pharma CISO: tiered committee structure; Databricks as control plane |
| [[Ramalingam - Enterprise AI Governance at Snowflake]] | Ragini Ramalingam (Snowflake) | Feature-based risk assessment; execution authority as governing principle |
| [[Hasbrouck - Three Phases of AI Adoption]] | Chase Hasbrouck (Army Cyber) | 3-year journey through access, cost, and culture barriers |
| [[Apparao - Kinetic Risk Physical AI Security]] | Padma Apparao | Securing and governing physical AI systems in the wild |
| [[Kovalsky - AI Security Larsen Effect]] | Maxim Kovalsky | Vendor landscape analysis: ~80 AI security vendors mapped against OWASP/NIST/MITRE |
### Evaluation, Benchmarks & ML Science
| Talk | Speaker(s) | Key Point |
|------|-----------|-----------|
| [[Saxe - Measuring Agent Effectiveness]] | Joshua Saxe | Classical metrics broken for agents; rubric-based holistic evaluation needed |
| [[Zhang & Shah - Guardrails Beyond Vibes]] | Jeffrey Zhang, Siddh Shah (Stripe) | LLM-as-judge + golden datasets; eval pipeline caught invisible 10% regression |
| [[Khurana - Rethinking Security Agent Evals]] | Mudita Khurana | CLASP framework: 6 rubrics for reasoning, memory, planning, tool use |
| [[Qu - Why Most ML Vulnerability Detection Fails]] | Jenny Guanni Qu | 3-number baseline achieves AUC 0.779; data quality > architecture |
| [[Mountrouidou - Traditional ML vs LLMs for Classification]] | Xenia Mountrouidou | XGBoost beats LLMs on precision/recall; router/ensemble wins overall |
| [[Brown & Prashant - Trajectory-Aware Post-Training Security Agents]] | Aaron Brown, Madhur Prashant | Open Trajectory Gym: Qwen 3.5-27B lifted from 12.5% to 35% on Cybench |
| [[Datta Gupta & Mukherjee - Security Guidance as a Service]] | Shruti Datta Gupta, Chandrani Mukherjee (Adobe) | RAG-backed centralized security guidance; ~70% code vuln reduction from IDE rules |
### Personal AI & Applied Systems
| Talk | Speaker(s) | Key Point |
|------|-----------|-----------|
| [[Miessler - Anatomy of Agentic Personal AI]] | Daniel Miessler | Open-source PI system: Council (multi-agent debate), Algorithm (ideal state), composable pipelines |
| [[Lee - SIFT DFIR with Claude Code]] | Rob T. Lee | Claude Code on SIFT workstation: full DFIR in 14 minutes; hackathon announced |
| [[Laurie - AI go Beep Boop Hardware Hacking]] | Adam Laurie (Major Malfunction) | 6 weeks of failure → 7 min with ChatGPT; $7 Pico replaces $1,000+ lab gear |
| [[McCarthy - Zeal of the Convert AI for Supply Chain]] | Rami McCarthy | AI-assisted attribution of 2,400+ npm supply chain victims; credulity warning |
| [[Nagarajan - Exploring the AI Automation Boundary]] | Arthi Nagarajan (Datadog) | Hunting Copilot V1 → V2: live schema discovery as key reframe |
### Flash Talks
| Talk | Speaker(s) | Key Point |
|------|-----------|-----------|
| [[Flash Talks - Community Lightning Talks]] | Multiple speakers | Ilia Shumailov on trusted AI, Rob Joyce on agentic red teaming, Chris Blanco on multi-agent gossip problem, + 6 others |
## Key Numbers from the Conference
| Metric | Value | Source |
|--------|-------|--------|
| Bugs/week at Trail of Bits (AI-era) | 200 | Guido |
| Bugs/week at Trail of Bits (pre-AI) | 15 | Guido |
| AI capability doubling time | ~4 months | Carlini |
| Zero-days found in OpenSSL | 12 | Krivka/Vlcek |
| Total confirmed findings (Isle Security, 6mo) | 500 | Krivka/Vlcek |
| CVEs filed via FENRIR pipeline | 60+ | Girnus/Chen |
| IDE security vulns found across vendors | 37 across 15+ | Ryciak |
| Public agents discovered in the wild | Tens of thousands | Ben Chaim |
| Prompt injection obfuscation success rate | 82% of methods | Melo |
| Salesforce daily prompts monitored | 1.8M | Rittinghouse/Huang |
| Alerts generated from 1.8M prompts | <30 | Rittinghouse/Huang |
| Cost reduction via SuperYARA pre-filtering | $750 → $13.50 per 10K requests | Nabeel |
| CAMEL attack prevention claim | 99.999% | Shumailov |
| Google Code Mender autonomous patches | 178 | Adkins/Flynn |
| BrowseSafe prompt injection F1 score | 90.4% | Polley |
| Time-to-exploitation trend (2020 to now) | 1+ year → ~1 day | Lee et al. |
## Must-Watch Talks (Pedram's Interest Profile)
Based on overlap with security research, offensive tooling, AI infrastructure, and agent architecture:
1. **[[Guido - 200 Bugs Per Week How We Rebuilt Trail of Bits Around AI]]**: Most substantive org-transformation talk. Directly relevant to how AI changes security consulting economics.
2. **[[Carlini - Black-Hat LLMs]]**: Hard technical evidence of offensive AI capability with minimal scaffolding.
3. **[[Rehberger - Your Agent Works for Me Now]]**: Agent Commander C2 framework. The promptware kill chain is real.
4. **[[Ryciak - Vibe Check AI IDE Security Failures]]**: 37 vulns in the tools we all use daily. Zero-click RCE in Codex.
5. **[[Miessler - Anatomy of Agentic Personal AI]]**: Direct parallel to the Pedsidian architecture. Compare notes.
6. **[[Krivka & Vlcek - AI Found 12 Zero-Days in OpenSSL]]**: Production-grade AI vuln hunting at scale.
7. **[[Lee - SIFT DFIR with Claude Code]]**: Claude Code doing real DFIR work. Rob T. Lee giving it root.
8. **[[Georgi G - Prompt2Pwn LLMs Winning at Pwn2Own]]**: LLMs actually winning Pwn2Own. The future is here.
9. **[[Ring & Peedikayil - Operation Pale Fire]]**: How Block red-teamed their own agent. Practical attack methodology.
10. **[[Behrens & Cassel - Source to Sink LLM Vuln Discovery]]**: Architecture beats raw model power for vuln discovery at scale.
#unprompted #claude