    It's cyber week in Las Vegas: Impressions from Black Hat, BSidesLV, and DEF CON

    Earlier this month, Las Vegas was once again flooded with thousands of cybersecurity enthusiasts in black T-shirts and blinking lanyards, attending the three major IT security conferences: Black Hat, BSidesLV, and DEF CON 33. Alongside these flagship events, there were several smaller gatherings, including the AI Summit, the Omdia Analyst Summit, and dozens of meetups covering niche topics and specialized communities.

    Here are our impressions from attending these events.

    First Impressions

    Overall, it was great fun participating in these conferences, meeting people, and listening to technical talks. The networking opportunities and hands-on labs were both entertaining and educational.

    Compared to previous years, attendance seemed slightly lower. This actually had a positive side effect: it was less crowded, which increased the chances of attending talks or joining mini-workshops in the various villages without losing hours in line.

    Highlights

    The dominant themes at Black Hat this year were once again AI - with a focus on agentic AI - alongside application security posture management, authentication in all its variations, insider threats, and browser security. If you couldn’t attend, many of the talks are available online for free (BSidesLV, DEF CON 33 (YouTube), and Black Hat). They are well worth the time to watch - you may find the next big idea that shapes your security strategy.

    Social Engineering

    At xorlab we are of course very much interested in social engineering, as it is one of the main techniques used in malicious emails. The Social Engineering Village at DEF CON once again proved that a persuasive human can extract a surprising amount of information - simply by asking. The live-call competition against unsuspecting targets showed just how easily people can be convinced to help and inadvertently reveal sensitive information. AI is now joining the game: voice-cloning technology can carry out automated social engineering calls with convincing accents and natural-sounding speech.

    Phishing – Old tactics, new tools

    Traditional email phishing was covered in multiple sessions. One notable DEF CON talk, “Turning Microsoft’s Login Page into Our Phishing Infrastructure”, demonstrated how legitimate Microsoft services can be abused by attackers - highlighting the ongoing risk that trusted platforms can be weaponized and the need to stop suspicious emails before the inbox.

    At BSidesLV, “Automating Phishing Infrastructure Development Using AI Agents” showed how attackers can now automate an entire phishing campaign end-to-end. From generating a target profile via LinkedIn, to registering official-sounding domains, to deploying cloned websites – everything can be done with AI, making attacks faster and more scalable than ever.

    For organizations worried about users falling for phishing sites, “Phish-Back: How to Turn the Problem into a Solution” demonstrated how a cleverly crafted honeypot login page can trick attackers testing stolen credentials. By filtering out the noise from brute-force and credential stuffing attempts, the team isolated fewer than 300 real stolen credential attempts out of billions. This allowed proactive account blocking before attackers could exploit the credentials or sell them to initial access brokers.
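The Phish-Back idea above rests on one filtering step: every submission to a decoy login page is suspicious by definition, but nearly all of the volume is automated brute force or credential stuffing, and the handful of low-volume submissions that carry a credential which actually validates are the ones worth acting on. The following script is an added illustration of that triage, not the Phish-Back team's code; the log format, the `valid` flag (meaning the submitted credential was checked against the real identity store) and the two volume thresholds are assumptions for this example.

```python
"""Triage of decoy login-page submissions (illustrative, not the Phish-Back code)."""
from collections import defaultdict
from dataclasses import dataclass

# Heuristic thresholds: assumptions for this example, tune per environment.
BRUTE_FORCE_MIN_ATTEMPTS = 20   # many passwords tried against one username from one source
STUFFING_MIN_USERNAMES = 10     # many distinct usernames tried from one source


@dataclass(frozen=True)
class Attempt:
    source_ip: str
    username: str
    valid: bool   # True if the submitted credential validated against the real identity store


def parse_log(text):
    """Parse constructed lines of the form '<ts> <ip> <username> <valid|invalid>'."""
    attempts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ts, ip, user, result = line.split()
        attempts.append(Attempt(ip, user, result == "valid"))
    return attempts


def classify_sources(attempts):
    """Label each source IP as 'brute_force', 'stuffing' or 'targeted' (low volume)."""
    per_user = defaultdict(lambda: defaultdict(int))   # ip -> username -> attempt count
    users_by_source = defaultdict(set)                  # ip -> set of usernames tried
    for a in attempts:
        per_user[a.source_ip][a.username] += 1
        users_by_source[a.source_ip].add(a.username)
    labels = {}
    for ip, users in users_by_source.items():
        if max(per_user[ip].values()) >= BRUTE_FORCE_MIN_ATTEMPTS:
            labels[ip] = "brute_force"
        elif len(users) >= STUFFING_MIN_USERNAMES:
            labels[ip] = "stuffing"
        else:
            labels[ip] = "targeted"
    return labels


def accounts_to_block(attempts):
    """Usernames whose valid credential was tested from a low-volume ('targeted') source.

    These are the attempts that look like an attacker checking a specific stolen
    credential rather than spraying a list, so the account is blocked proactively.
    """
    labels = classify_sources(attempts)
    return sorted({a.username for a in attempts
                   if a.valid and labels[a.source_ip] == "targeted"})


def constructed_log():
    """Constructed sample data: one brute-force source, one stuffing source, two targeted ones."""
    lines = ["# ts ip username result   (constructed sample data)"]
    # Brute force: 25 password guesses against 'alice' from one IP, none valid.
    lines += [f"t{i} 198.51.100.7 alice invalid" for i in range(25)]
    # Credential stuffing: 12 different usernames from one IP, none valid.
    lines += [f"t{i} 203.0.113.9 user{i} invalid" for i in range(12)]
    # Targeted checks of stolen credentials: two low-volume sources, one valid hit each.
    lines += ["t0 192.0.2.44 bob valid", "t1 192.0.2.44 bob invalid", "t0 192.0.2.81 carol valid"]
    return "\n".join(lines)


if __name__ == "__main__":
    attempts = parse_log(constructed_log())
    labels = classify_sources(attempts)
    noise = sum(1 for a in attempts if labels[a.source_ip] != "targeted")
    print(f"{len(attempts)} submissions, {noise} classified as bulk noise")
    print("accounts to block:", accounts_to_block(attempts))
```

The two thresholds are deliberately crude; the point is the shape of the pipeline (collect everything, discard bulk automation per source, act only on validated low-volume hits), which is what turns billions of submissions into a short list of accounts. A valid credential that surfaces inside a bulk source should still go through the normal forced-reset path; this script only decides which hits deserve an immediate block.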

    A UCSD study, “Pwning User Phishing Training Through Scientific Lure Crafting”, reinforced that generic awareness training is not enough - technical defenses are still essential.

    Each of these talks highlighted that phishing attacks are still relevant and are still evolving.

    Agentic AI – offense and defense

    AI, in all its forms, was present everywhere. Talks explored both offensive and defensive applications:

    • Blue team: using GenAI and AI agents to speed up malware analysis and identify anomalies in massive log files.
    • Red team: AI-powered penetration testing, with companies like XBOW reporting hundreds of bug discoveries in bug bounty programs - with minimal hallucinations.

    The winners of the AI Cybersecurity Challenge (AIxCC) finals were also announced at DEF CON, rewarding AI frameworks capable of finding and patching previously unknown vulnerabilities. The winning team took home $4 million.

    Our own Senior Security Advocate Candid Wüest presented on the risks of agentic malware at BSidesLV. SC Media published a great summary of the talk, and more details will follow in a dedicated blog post soon.

    Other noteworthy topics, beyond phishing and AI, include:

    • Malicious browser extensions
    • 0-click prompt injection in Microsoft Copilot
    • Techniques for bypassing EDRs
    • Infecting USB webcams
    • Leaked attack tools allegedly linked to North Korean hackers

    Conferences like these are invaluable for staying on top of industry trends and seeing the latest research. While none of the trending topics came as a surprise, it’s always reassuring to confirm that our own focus areas align with the wider security community.

    Conclusion

    This year’s Las Vegas cybersecurity week once again proved that these events are more than just a collection of talks - they’re a pulse check on the state of our industry. The rise of agentic AI, the persistent evolution of phishing tactics, and the creativity of the security research community all point to one thing: the threat landscape is moving faster than ever. The underlying message was clear: whether you’re defending networks or probing their weaknesses, continuous learning and adaptation are no longer optional.