AI Vulnerability Research at Black Hat 2026: The Talks Every Security Practitioner Needs to See

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Black Hat USA 2026 runs August 1-6 at Mandalay Bay in Las Vegas, with Briefings on August 5-6. If there is a single theme that will define this year's conference, it is AI vulnerability research. The Glasswing disclosure changed the terms of the conversation: before May 2026, AI-assisted security research was a cluster of promising demonstrations. After Glasswing, it is documented production capability. Claude Mythos solved 21 of 41 ExploitBench V8 arbitrary code execution challenges while every other tested model scored zero. It generated 10.5x more exploits than the next best model in ExploitGym. The UK AI Security Institute validated it as the first AI to solve both cyber ranges. Third-party security tool XBOW called it a significant step up over all existing models. This research context has set the agenda for what independent researchers will bring to Black Hat this year. Understanding the three categories of AI security research, how to contextualize them against what Glasswing already demonstrated, and how to triage a conference schedule by your own role is the preparation work that pays off on the floor.
Why AI Security Is the Dominant 2026 Black Hat Theme
Every major security conference tracks the threat landscape of the preceding year. Black Hat 2026 follows a 12-month period in which autonomous AI vulnerability discovery moved from theoretical to documented production capability. Project Glasswing, Anthropic's 90-day coordinated vulnerability disclosure program, produced 10,000+ findings across 200+ partner organizations, confirmed 9 CVEs spanning Linux privilege escalation, VMM escape, FreeBSD NFS remote code execution, wolfSSL certificate forgery, V8 JavaScript engine vulnerabilities, and smart contract exploits. The ExploitBench results (21/41 V8 ACEs for Mythos, zero for GPT-4o and all other tested models) established a categorical capability gap, not a marginal improvement. When researchers bring AI security work to Black Hat this year, they are working in the context of a field that has already produced its first confirmed autonomous zero-day findings at scale. The research presented at Black Hat will build on that baseline, challenge it, extend it, and offer defensive responses to it.
Category One: AI as Attacker
The first category of AI security research at Black Hat 2026 covers AI systems used as offensive tools. This includes autonomous exploit development (systems like Mythos that discover and develop exploits without sustained human direction), AI-powered fuzzing (using large language models to guide fuzzing campaigns by predicting which inputs are likely to reach uncovered code paths or trigger memory safety violations), and LLM-generated exploit code (using AI to write, adapt, and refine exploitation payloads for known vulnerability classes). Talks in this category will likely engage directly with the ExploitBench and ExploitGym benchmarks from the Anthropic Exploit Evals report, either confirming the results with independent methodology, proposing new benchmarks, or demonstrating new capability on related challenge types. For offensive security practitioners and red teamers, this is the highest-value category: understanding the current capability state of AI-powered offensive tools is directly relevant to threat modeling and red team planning.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Category Two: AI as Target
The second category covers attacks against AI systems themselves. This includes adversarial machine learning (techniques for causing AI models to misclassify or misbehave through carefully crafted inputs), model theft and extraction (using queries to reconstruct a model's behavior or extract training data), and prompt injection in production systems (exploiting the gap between a system's intended behavior and what it does when user inputs contain adversarial instructions). Prompt injection is the most operationally relevant attack class for most organizations, because every organization deploying AI systems in user-facing products is potentially exposed. The attack class is not theoretical: production AI systems have been manipulated through prompt injection to reveal system prompts, bypass content policies, and perform unauthorized actions. Black Hat 2026 will likely include multiple presentations on prompt injection variants, defenses, and the classification of prompt injection as a first-class vulnerability class requiring its own CVE taxonomy.
Category Three: AI for Defense
The third category covers AI used to strengthen security posture. This includes AI-assisted detection (using LLMs and ML models to identify anomalous behavior in logs, network traffic, and endpoint telemetry), AI patch generation (the Claude Security public beta has generated 2,100+ patches for real vulnerabilities, demonstrating that AI can move from finding to fix without solely relying on human engineering time), and AI-powered threat intelligence synthesis (using LLMs to correlate indicators across sources faster than human analysts). Talks in this category are most relevant for defensive security practitioners, SOC analysts, and security engineering teams. The practical question for attendees is which defensive AI capabilities are production-ready and which are demonstration-grade: understanding that distinction is the primary value of seeing the research presented live with Q and A.
How Glasswing Sets the Research Context
Independent researchers presenting AI security work at Black Hat 2026 will be working against the Glasswing findings as the established baseline. Glasswing provides something that most AI security research lacks: confirmed, CVE-assigned production findings from autonomous AI operation, not a controlled benchmark environment. When a researcher claims their AI tool found a vulnerability class that others missed, the relevant comparator is not a human researcher, it is whether Glasswing found the same class, and whether the new work extends or narrows that capability. For practitioners attending Black Hat, the Glasswing findings provide a calibration reference: if a talk claims a capability that Glasswing already demonstrated at larger scale, treat it as validation. If a talk claims a capability that Glasswing did not demonstrate, ask about the methodology that enables it. The Mythos Brief at decryptiondigest.com/mythos-brief provides a consolidated summary of all confirmed Glasswing findings and benchmarks so you can bring that context to every session.
What a Live Autonomous Exploit Demo Looks Like
Live exploit demonstrations are a Black Hat tradition. An AI vulnerability research demo in 2026 may look different from the shell-on-screen format most conference attendees expect. Autonomous exploit demos typically show: the AI being given access to a target (either a benchmark challenge or a hardened research VM), the AI reasoning through the attack surface without human direction, the AI generating and testing exploit candidates iteratively, and the AI producing a working proof of concept. The key observable difference from traditional demos is that the researcher is not driving the attack in real time: they run the AI and wait. This can make the demo less visually dynamic than a human expert demonstrating a technique live, but the content, the reasoning trace that the AI produces as it works through the vulnerability, is where the research value lies. Watching an AI reason about a V8 JIT compiler vulnerability in real time provides intuitions about AI attacker behavior that reading the paper alone does not.
Triaging the Schedule by Practitioner Role
Black Hat Briefings cover two days with parallel tracks, which means every attendee makes tradeoff decisions. A simple role-based triage framework reduces the decision overhead. Offensive security practitioners and red teamers: prioritize Category One (AI as attacker) talks, specifically those covering autonomous exploit development and AI-powered fuzzing. Secondary priority: the AI-powered threat intelligence talks in Category Three, which inform understanding of how defenders will respond to AI-generated attack paths. Defensive security practitioners and SOC analysts: prioritize Category Three (AI for defense) talks on detection and patch generation. Secondary priority: Category Two (AI as target) talks on prompt injection, which affects any AI system your organization deploys. Security architects and CISOs: prioritize Category Two talks on AI as target, because the organizational risk of prompt injection and model theft affects product decisions and vendor selection. Secondary priority: Category One talks for threat modeling context. Security engineers and developers: prioritize Category Three talks on AI patch generation and Category Two talks on prompt injection, which directly affects systems you build. The schedule search strategy: filter on track plus role keywords, then read abstracts rather than relying on titles alone.
Finding AI Security Talks in the Black Hat Schedule
The Black Hat USA 2026 schedule is published at blackhat.com/us-26 as sessions are confirmed. The conference does not always maintain a single AI security track: AI-related talks appear in Exploitation, Defense, Web, and Network tracks depending on the primary technique being demonstrated. The most reliable search strategy combines keyword filtering with abstract reading. Search terms that reliably find AI security talks include: 'LLM', 'large language model', 'autonomous', 'generative AI', 'machine learning', 'fuzzing' (for AI-augmented fuzzing talks specifically), and 'prompt injection'. Abstract reading matters because a talk titled 'Advanced V8 Exploitation Techniques' may describe AI-assisted V8 research directly relevant to the ExploitBench results, while a talk titled 'AI in Security' may cover introductory survey material. The talk description is the authoritative source for content.
Watching Versus Reading the Research
Black Hat talks are published as slide decks and in some cases video recordings after the conference, with slide decks typically available on the Black Hat website within weeks. The decision to attend in person or wait for materials depends on what you are trying to get from the research. In-person attendance provides Q and A access, hallway conversations with researchers, and the ability to ask follow-up questions that the recorded presentation cannot answer. For AI security research specifically, the Q and A is often more valuable than the talk itself: researchers are frequently asked about methodology limitations, benchmark conditions, and what the results do not show, which shapes how to apply the findings. Reading the research after the fact is appropriate for survey-style background building and for talks where the content is well-captured in slides. It is less appropriate for talks that present live demonstrations, novel technique walkthroughs, or research where the reasoning process matters as much as the conclusion.
How to Apply What You Learn Immediately
The failure mode of security conferences is learning without application. AI security research from Black Hat 2026 has a short shelf life before threat actors begin applying the same techniques. Three immediate application paths translate Black Hat AI security research into organizational value. First, update your threat model: any AI vulnerability discovery technique demonstrated at Black Hat represents an attacker capability that should be reflected in your threat model for the following quarter. Second, evaluate your detection coverage: AI-discovered attack classes often bypass signature-based detection. New attack classes from Black Hat are a test case for your detection tooling. Third, update your patch prioritization: if a Black Hat talk demonstrates that AI can reliably exploit a class of vulnerability that you have been treating as low priority, that prioritization needs revisiting. The Decryption Digest publishes daily briefings translating threat intelligence into practitioner actions, which is the mechanism for applying Black Hat findings without requiring each security team member to read the full research papers.
Pre-Black Hat Reading List and AI Security Research Resources
The curated pre-Black Hat AI security reading list, with links to all confirmed Glasswing findings, the Anthropic Exploit Evals report, ExploitBench methodology documentation, and six additional AI security research resources, is available in the Mythos Brief. Mythos Brief subscribers receive an updated reading list before the conference and a post-conference synthesis of the most practitioner-relevant findings from Black Hat 2026 Briefings.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
Black Hat USA 2026 is the first major security conference following the Glasswing disclosure and Exploit Evals report, which means the AI security research presented there will be building on a confirmed production baseline rather than theoretical capability claims. The three categories to track are AI as attacker (autonomous exploit development, AI-powered fuzzing), AI as target (prompt injection, adversarial ML), and AI for defense (AI patch generation, AI-assisted detection). Before you go, read the Mythos Brief to calibrate against the confirmed Glasswing findings: decryptiondigest.com/mythos-brief. To attend in person, enter for a chance to win a Black Hat USA 2026 Briefings pass at decryptiondigest.com/blackhat-2026.
Frequently asked questions
What AI security talks will be at Black Hat 2026?
Black Hat USA 2026 Briefings run August 5-6 at Mandalay Bay in Las Vegas. Based on the research landscape shaped by Project Glasswing and the Anthropic Exploit Evals report, the dominant AI security talk categories at Black Hat 2026 are expected to cover autonomous exploit development, AI-powered fuzzing and vulnerability discovery, prompt injection in production systems, adversarial machine learning attacks, and AI-assisted defensive tooling. The call for papers typically closes months before the event, so the specific talk lineup will reflect research conducted in the months leading up to the conference. Check the official Black Hat schedule at blackhat.com/us-26 as sessions are announced.
Is Anthropic presenting at Black Hat 2026?
Anthropic has not announced a formal Black Hat 2026 presentation as of July 2026. However, the Glasswing findings and Exploit Evals report provide the research context that many independent researchers will cite in their own presentations. Third-party security researchers who have analyzed the Glasswing CVEs, ExploitBench results, or XBOW's validation of Mythos capabilities are likely to present work that directly engages with those findings. The Decryption Digest Mythos Brief at decryptiondigest.com/mythos-brief provides the background needed to contextualize that research when you encounter it on the conference floor.
What is autonomous exploit development?
Autonomous exploit development refers to the use of AI systems to independently discover vulnerabilities and develop working exploit code without sustained human direction. Claude Mythos demonstrated this capability in Project Glasswing: the system discovered 10,000+ vulnerabilities across 200+ organizations, solved 21 of 41 V8 arbitrary code execution challenges in ExploitBench (while every other tested model scored zero), and generated 10.5x more exploits than the next best model in ExploitGym. Autonomous exploit development differs from AI-assisted research, where a human directs the investigation and AI helps with specific tasks, in that the AI system directs its own research agenda, generates hypotheses, writes exploit code, and validates exploitability without requiring human intervention at each step.
How do I find AI security talks in the Black Hat schedule?
The Black Hat USA schedule is published at blackhat.com/us-26 as sessions are accepted. The most reliable method for finding AI security talks is to search the schedule for track keywords including 'AI', 'machine learning', 'LLM', 'autonomous', 'fuzzing', and 'exploit'. Black Hat also organizes talks into tracks, and the AI track (or equivalent) will aggregate the most relevant sessions. Many talks that engage with AI tools and techniques appear in adjacent tracks including 'Exploitation', 'Defense', and 'Web' rather than a dedicated AI track. Reading the abstract rather than relying on track placement alone is the most reliable filtering method.
What should I read before attending AI security talks at Black Hat?
Three documents provide the essential context for AI security talks at Black Hat 2026. First, the Anthropic Exploit Evals report (published May 22, 2026) documents the ExploitBench, ExploitGym, and SCONE-Bench benchmark results that establish the current capability ceiling for autonomous exploit development. Second, the Project Glasswing disclosure covers the 90-day coordinated vulnerability program that produced 9 CVEs and 10,000+ findings. Third, the Decryption Digest Mythos Brief at decryptiondigest.com/mythos-brief synthesizes both documents with practitioner context, making it the fastest preparation path for understanding the research that Black Hat presenters will be building on.
How do AI security practitioners distinguish production-validated AI vulnerability research from demonstration-grade claims at Black Hat?
The clearest signal for production-validated AI security research is the presence of confirmed CVE numbers with NVD records, named affected vendor software versions, and a reproducible proof-of-concept that the presenting researcher can run during the session. Glasswing's 9 confirmed CVEs and the ExploitBench benchmark scoring methodology are the current standard for production validation: the research includes defined success criteria, was run against real software targets, and produced findings that independent parties (vendors, MITRE, NVD) have assigned formal identifiers to. Demonstration-grade research typically relies on synthetic or simplified targets, uses benchmark environments that do not reflect production hardening (ASLR, stack canaries, control-flow integrity), or claims capability without providing a methodology that others can verify. In Q and A sessions, three questions reliably distinguish the two: ask what the false positive rate is on real codebases (production-validated research has measured this), ask which production hardening mitigations were active during testing, and ask whether the results have been replicated by a third party. Researchers with production-validated work answer these questions directly; researchers with demonstration-grade work tend to reframe toward the benchmark conditions.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
