
10 Black Hat talks we want to see in 2025

From Apple AI to a zero-click RCE vulnerability—we scoured this year’s Black Hat Briefings list of sessions to find 10 talks worth making time for.

Chris Brook

Summer is always such a blur but just like that, once again, hacker summer camp is almost upon us.

Headed to Vegas for Black Hat? Haven’t checked the speaking schedule yet? As we did for the RSA Conference, we took the time to comb through all 118 sessions (at last count, at least) taking place over the two days of this year’s conference, to help narrow down which talks we think you should prioritize.

As usual, there’s a handful of specialized talks on niche topics—a wormable AirPlay vulnerability, 5G baseband flaws, securing OAuth architecture, and even hacking smart tractors. It should come as no surprise that there’s also a deluge of AI-adjacent sessions at this year’s conference, including too-many-to-count talks on AI agents and LLMs.

For this list we tried to include a good mix of technical and general sessions that should interest most readers of our blog, especially those who work in detection engineering, malware research, and incident response. Read on for 10 talks that we’d like to catch, along with a brief summary of what we expect the talk to include.

10 Black Hat talks we want to see

I’m in Your Logs Now, Deceiving Your Analysts and Blinding Your EDR
Wednesday, August 6 | 10:20 AM – 11:00 AM PT

Those interested in endpoint telemetry and detection engineering will want to make time for this talk from Olaf Hartong, a defensive specialist and security researcher at FalconForce, on a potentially disruptive technique for both emulating attacks and evading detection mechanisms. Hartong, who has published a handful of helpful blogs over the years on Sysmon, MITRE ATT&CK, and Microsoft Defender for Endpoint, will show how, by injecting telemetry events through Event Tracing for Windows (ETW), he can trick Defender into disregarding logs, including some generated by real threats. Defenders looking to build more effective, resilient, and intelligent detection systems should put this one on their schedule.

Keynote: Chasing Shadows: Chronicles of Counter-Intelligence from the Citizen Lab
Wednesday, August 6 | 1:30 PM – 2:10 PM PT

For years, Ron Deibert has been synonymous with Citizen Lab, the academic research lab he founded and still directs at the University of Toronto’s Munk School of Global Affairs. The lab has uncovered dozens of cyber espionage cases—journalists targeted with spyware, dissidents hit by spearphishing attacks, censorship policies—so many that it shouldn’t be a surprise he has some stories to tell. In this keynote on the conference’s first day—also an adaptation of his recently released book—Deibert will talk through some of these espionage campaigns, including how Citizen Lab researchers discovered Pegasus spyware on a phone used by someone in journalist Jamal Khashoggi’s inner circle in the months before he was murdered.

Death by Noise: Abusing Alert Fatigue to Bypass the SOC (EDR Edition)
Wednesday, August 6 | 1:30 PM – 2:10 PM PT

This talk promises to deliver insight into how detection engineering and automation can help teams investigate overlooked signals—like a flood of medium- and low-severity alerts, your usual SOC fodder—at scale. Operating under the assumption that most incidents today stem from ignored or missed alerts—alert fatigue research carried out by IDC a few years ago estimated that cybersecurity teams ignored 23 percent of their alerts on average—the researchers in this talk will give a high-level look at how adversaries can leverage common TTPs to bypass SOC operations, exposing potential blind spots in the process.

From Spoofing to Tunneling: New Red Team’s Networking Techniques for Initial Access and Evasion
Wednesday, August 6 | 1:30 PM – 2:10 PM PT

Malware analysts, threat researchers—anyone interested in learning more about how adversaries gain initial access to systems—may be interested in this one, as it will dig further into an emerging avenue for reaching an intranet: stateless tunnels like GRE and VXLAN, commonly used by Cloudflare and Amazon. The talk will also look at evasion techniques that take advantage of intranets that fail to implement source IP filtering, something that can ultimately hamper IR teams’ ability to reconstruct the full attack chain. It will also touch on attack vectors that red teamers can exploit after hijacking a tunnel or compromising a router by manipulating routing protocols.

Pwning User Phishing Training Through Scientific Lure Crafting
Wednesday, August 6 | 2:30 PM – 3:00 PM PT

As we’ve learned time and time again, people will always make mistakes, and that includes clicking on phishing links. This talk, from the UC San Diego Center for Healthcare Cybersecurity and cybersecurity company Censys, looks to double down on that idea by sharing how phishing training metrics—usually measured by open rate, click rate, and report rate—can be deceiving. When it comes to phishing training, how easy is it to rig the system? What are you measuring anyway? Will there ever be a world without phishing training, and if so, what will it look like? Come to this talk for answers.

Vulnerability Haruspicy: Picking Out Risk Signals from Scoring System Entrails
Wednesday, August 6 | 2:30 PM – 3:00 PM PT

Similar to the phishing session, this talk by Tod Beardsley, VP of Security Research at runZero, poses a lot of questions. Are vulnerability scoring systems—namely CVSS, EPSS, and SSVC—actually helping defenders, or adding more confusion when it comes to risk management? While they can benefit organizations, misuse of or overreliance on any one of these scoring systems can lead to trouble. Instead of treating them as a checkbox for compliance, organizations should be using these frameworks as a tool for decision-making, helping teams prioritize risk effectively—but is that easier said than done? Hot takes incoming, we imagine.

Hackers Dropping Mid-Heist Selfies: LLM Identifies Information Stealer Infection Vector and Extracts IoCs
Wednesday, August 6 | 3:20 PM – 4:00 PM PT

Atomic, Poseidon, Banshee: at Red Canary, we noticed an uptick in infostealer infections across both Windows and macOS last year. We’re not alone. In this talk, researchers with threat intelligence company Flare will share their analysis of more than 30 million stealer logs traded on underground markets in 2024. In analyzing those logs, they looked at screenshots captured during infections to help identify infection vectors and track campaigns. Akin to digital paleontology, the researchers leveraged large language models (LLMs) to extract indicators of compromise (IOCs)—in this case the URLs that led to the download of malicious payloads—which gave them insight into adversary infection vectors, lure themes, and techniques.

Hacking the Status Quo: Tales From Leading Women in Cybersecurity
Wednesday, August 6 | 4:20 PM – 5:00 PM PT

Representation in cybersecurity matters. Operating without it leads to missed perspectives, chilled innovation, and a less effective defense against cyber threats. While there’s still a long way to go for equal representation in the industry—according to a recent ISC2 study, women make up only 23 percent of the cybersecurity workforce—a good step towards building a more resilient and inclusive digital future for everyone is listening. This panel, in which four women in cybersecurity will share their journeys, challenges, and triumphs, is a great opportunity to learn from experts in the field.

Advanced Active Directory to Entra ID Lateral Movement Techniques
Wednesday, August 6 | 4:20 PM – 5:00 PM PT

If you’re reading this, you may already know that lateral movement is a nearly ubiquitous attack tactic. Adversaries frequently use tools included with Windows like PsExec, WinRM, and WMI to move through systems after gaining initial access. Increasingly, adversaries have been looking at the area between Microsoft Entra ID and Active Directory as a way to compromise the cloud. This talk promises to share several new lateral movement techniques that allow adversaries to bypass authentication and MFA and to exfiltrate data. Those interested in learning more about shutting down lateral movement and shoring up their Entra ID security will want to make time for this session.

FACADE: High-Precision Insider Threat Detection Using Contrastive Learning
Thursday, August 7 | 10:20 AM – 11:00 AM PT

On the surface, the logline for this talk sounds like it could be an advertisement for Google. But we’ve always been interested when some of the bigger security companies pull back the curtain on their security tools and mechanisms; see Ivan Krstić’s standing-room-only 2019 talk on the inner workings of iOS and Mac security. This talk plans to break down Google’s AI system for detecting malicious insiders, FACADE, a.k.a. Fast and Accurate Contextual Anomaly DEtection. The system has been used by the company for the past seven years, but little has been said about it publicly aside from a 2024 research paper Google published on FACADE. This talk will give attendees a look under the hood and share how organizations can leverage a new, open source version of the technology. Elie Bursztein—previously part of the company’s Anti-Fraud and Abuse Research team, now Google & DeepMind’s AI cybersecurity technical and research lead—is among the presenters for this talk on Black Hat’s second day.

Weaponizing Apple AI for Offensive Operations
Thursday, August 7 | 3:20 PM – 4:00 PM PT

We can debate the pros and cons—the good, the bad, and the scary—of AI for days. Here’s a talk that promises to delve into a new attack technique that could potentially abuse Apple’s AI processing capabilities for malicious ends. Hari Shanmugam—a security researcher and red teamer who specializes in macOS exploitation, adversary tradecraft, and offensive security—plans to discuss MLArc, a CoreML-based command and control (C2) framework that abuses Apple’s AI processing pipeline for payload embedding, execution, and real-time attacker-controlled communication that evades traditional security measures. This is one of the last sessions on the conference’s last day, but given the topic, we’re willing to bet it’ll be well attended.
