[un]prompted II

The AI Security Practitioner Conference

Coming Back This September, San Francisco

[un]prompted is back for the second time in (or around) September, in SF. Dates, CFP, and registration to be announced in the next few days.


Whether you’re a CISO Excel jockey or a researcher sniffing for the scent of bits, we see you as part of our wider AI security practitioner community.

[un]prompted is an intimate, raw, and fun gathering for the professionals actually doing the work, from offense to threat hunting to program building to national policy. No fluff. No filler. Just sharp talks, real demos, and conversations that matter.

Material from the first [un]prompted!

YouTube videos are out. NotebookLM with all conference data can be found here.
To stay on top of when the next unprompted happens, join our Slack.
– Gadi Evron, CFP Chair, [un]prompted and CEO, Knostic.

Agenda:

Evening events:


Stage 1
March 3, 2026 | Full conference day

08:30 – 09:00 Gathering & Mingling
09:00 – 09:10

Opening Words – “Research conferences aren’t effective.”

Gadi Evron, CEO, Knostic. CFP Chair, [un]prompted
A presentation originally given by Joe Stewart at ACoD, many a year ago.
Some of us are introverts, and even if we’re not, it’s difficult to know who in the crowd we should speak with. Who can help us on what we need? Who can we help?
Beyond random encounters with 3-12 people, how do we make interactions effective?
We have a plan.
09:10 – 09:20 Move between rooms
09:20 – 09:35

Evaluating Threats & Automating Defense: How Google is Advancing Code Security

Heather Adkins, VP of Security Engineering, Google
Four Flynn, VP Security and Privacy, Google Deepmind
Our discussion will focus on advancing code security, provide a comprehensive overview of Google’s AI security strategy, show how we evaluate emerging cyberattack capabilities and demonstrate how tools like CodeMender are helping build intrinsically safer software.
09:35 – 10:00

The Hard Part Isn’t Building the Agent: On Measuring Agent Effectiveness to Improve It

Joshua Saxe, AI Security Technical Lead, Meta
As AI coding tools drive the cost of building security agents toward zero, the hard problem becomes knowing whether they’ll actually work in the wild against real attacks and vulnerabilities we haven’t seen before. This talk shares a practical journey from naive precision/recall metrics on old data toward multi-dimensional evaluation that captures reasoning quality, evidence gathering, and tool-calling logic, and shows how proper measurement unlocks automated agent improvement using genetic algorithms and AI coding tools. Live demo included.
10:00 – 10:25

Security Guidance as a Service: Building an AI-Native Blueprint for Defensive Security

Shruti Datta Gupta, Product Security Engineer, Adobe
Chandrani Mukherjee, Product Security Engineer, Adobe
Providing consistent security guidance at scale is hard, especially in AI-first environments. This session explores how we built an AI-Native Security Guidance as a Service that centralizes security knowledge and powers multiple defensive AI capabilities with consistent, evaluated and bespoke guidance.
10:25 – 10:45 Coffee break
10:45 – 11:10

Guardrails beyond Vibes: Shipping Security Agents in Production

Jeffrey Zhang, Security Engineer, Stripe
Siddh Shah, Software Engineer, Stripe
In this talk, we’ll share how Stripe is using AI agents to streamline two high-friction security workflows: threat modeling and security request routing. We’ll cover the practical design choices that made these agents reliable in practice – modular orchestrator/child architectures, targeted tools, structured inputs/outputs, and validation to reduce variance and improve determinism. We’ll also walk through how we measure and improve agent quality over time using offline and online evaluation loops, including how we handle subjective outputs in threat modeling versus higher-signal feedback in routing. The session closes with concrete lessons on what worked and what didn’t when automating security workflows without losing user trust.
11:10 – 11:35

Code Is Free: Securing Software in the Agentic Future

Paul McMillan, Security Engineer, OpenAI
Ryan Lopopolo, Member of Technical Staff, OpenAI
If you have a perfect software security program, this talk is not for you. For everyone else, join us in an AI-maximalist vision of a future you can implement today. Your engineers are using LLMs to write your code; why aren’t they using them for security? We’ll talk about engineering-first ways to improve the security of your projects with zero-friction additions. Want a new security invariant? Just ask the model—Code is Free.
11:35 – 12:00

AI Agents for Exploiting “Auth-by-One” Errors

Brendan Dolan-Gavitt, AI Researcher, XBOW
Vincent Olesen, AI Researcher, XBOW
Modern web applications support a dizzying array of mechanisms to authenticate users and determine whether they are authorized to access application resources. Unfortunately, these mechanisms are largely bespoke, and finding vulnerabilities in such systems has traditionally been the domain of human researchers.
In this talk, we will present techniques for finding—and, importantly, validating—access control flaws using AI agents. Starting with strict validators that can identify when we have successfully logged in to an account (for AuthN validation) and (for AuthZ validation) when we can access a protected resource, our key insight is that these validators allow us to build capable attack agents for exploiting auth vulnerabilities. We will demo these techniques by showing real-world examples of exploits we have discovered in production systems.
12:00 – 12:25

Developing & Deploying AI Fingerprints for Advanced Threat Detection

Natalie Isak, Software Engineer, Microsoft
Waris Gill, Applied Scientist, Microsoft
As LLM-powered services proliferate, so do prompt injection attacks, but privacy regulations prevent sharing raw threat data across organizational boundaries. This talk introduces BinaryShield, a privacy-preserving fingerprinting system that enables cross-service threat intelligence without exposing sensitive user prompts. We’ll cover the research behind the approach (arXiv:2509.05608) and share practical deployment applications (including a demo!) for threat intelligence.
12:25 – 13:30 Lunch break
13:30 – 13:55

When Passports Execute: Exploiting AI Driven KYC Pipelines

Sean Park, Principal Threat Researcher, TrendAI
Modern KYC workflows increasingly delegate passport parsing, database writes, and customer verification to AI-driven extraction agents. This workflow is assumed to be safe because it is “just extraction,” tightly scoped by schema, and wrapped in compliance controls. In practice, it is an execution environment. We show how document-embedded injects and compliance controls together steer AI agents into cross-record reads and writes, enabling data theft and exfiltration without bypassing access controls.
This research goes beyond a one-off agent or MCP exploit. We present a scalable exploitation approach that generalizes across KYC extraction agents, using LLM-generated high-success payloads and validating the attack with a tool-using Claude Code extraction agent. A document-embedded inject can steer the agent, while regulatory verification workflows complete the exploit chain.
13:55 – 14:20

FENRIR: AI Hunting for AI Zero-Days at Scale

Peter Girnus, Senior Threat Researcher, TrendAI
Derek Chen, Vulnerability Researcher, TrendAI
Academic research shows LLM-assisted vulnerability discovery works—IRIS achieves 2.5x improvement over CodeQL, Google’s Big Sleep found a critical SQLite zero-day. But can it work at production scale? FENRIR has discovered 100+ vulnerabilities across AI infrastructure since mid-2025, with 21 CVEs patched including multiple CVSS 9.8 RCEs. This talk presents FENRIR’s multi-stage verification pipeline: static analysis pre-triage, two-layer LLM validation (L1 prune → L2 deep-verify), and confidence-based human routing. We’ll cover what worked (research-backed context generation, CWE-specific agents, pattern recognition for bypass detection), what failed (pure automation’s false positives, generic prompts, insufficient context), and the hybrid model that emerged. Live demo: FENRIR analyzing AI framework code and surfacing candidates for human triage.
14:20 – 14:35

AI Notetakers: The Most Important Person in the Room

Joe Sullivan, CEO, Ukraine Friends and Joe Sullivan Security
The most important attendee in your meetings isn’t a person anymore. It’s the AI notetaker. This system assigns action items, determines what was important, and creates the official record. When facts need revisiting, its summary is treated as impartial evidence.
This talk covers four areas:
Steering: Techniques for influencing what the notetaker captures. Call it manipulation or strategic communication, the methods work and people are already using them.
Risk: The governance gap when notetakers become infrastructure. Shadow deployments, vendor fragility, consent liability, discovery exposure.
Opportunity: A reliable system of record for incident response.
Framework: Enterprise readiness spanning policies, program building, and the full meeting lifecycle.
14:35 – 14:55 Coffee break
14:55 – 15:20

AI go Beep Boop!

Adam Laurie (Major Malfunction), Hardware Hacker turned CISO, Alpitronic
Hardware hacking with AI at the controls. Literally. I gave Claude my hardware lab: Laptop, USB hub, XYZ platform, PICO2, Jlink-pro, Oscilloscope, Chipshouter and some targets. Within 7 minutes it had pwned an LPC chip I had failed to glitch for 6 weeks solid. Within a month it had rewritten my entire glitching platform and now while I sleep it hacks new targets and integrates other solutions and attacks.
15:20 – 15:45

Zeal of the Convert: Taming Shai-Hulud with AI

Rami McCarthy, Principal Security Researcher, Wiz
2025 was the year of Shai-Hulud: a series of attacks leaking massive amounts of victim data onto GitHub, ungraciously scheduled for whenever I was traveling. As a responder, these internet-scale incidents were a real-world lab for evolving AI capabilities. This talk is a raw post-mortem of moving from simple “vibe-coded” scrapers to multi-agent triage engines that parallelize victimology and automate secret-impact analysis. Demos will drive a conversation on what actually worked, where the ground has shifted, and how “lazy” AI will let you down. Walk away with prompts, scripts, skills, and lessons from my scars.
15:45 – 16:10

Anatomy of an Agentic Personal AI Infrastructure

Daniel Miessler, Founder, Unsupervised Learning
A deep dive on my Personal AI infrastructure system, and the open-source project that mirrors it.
16:10 – 16:35

Black-hat LLMs

Nicholas Carlini, Research Scientist, Anthropic
Large language models are now capable of automating attacks that were previously only possible by human adversaries. In this talk, I discuss several ways that adversaries could mis-use current models in order to cause harm both at a larger scale and at a lower cost than they do currently. For example, we find that recent state-of-the-art models can now find 0-day vulnerabilities in large software projects that have been extensively tested by humans for decades. These new capabilities will alter the threat landscape and require we rethink security in the coming years.
16:35 – 17:00

Vibe Check: Security Failures in AI-Assisted IDEs

Piotr Ryciak, AI Red Teamer, Mindgard
AI IDEs and coding agents expand the practical attack surface of development workflows by introducing new paths from untrusted workspace inputs to high-impact actions. This talk presents a catalog of exploitation patterns derived from vulnerability research across major AI-assisted IDEs and agents, including OpenAI Codex, Amazon Kiro, Google Antigravity, Cursor, and others, with a mix of issues already patched and others in active remediation. We organize findings by attacker effort and trigger model: zero-click paths, one-click paths, autorun behavior, and time-delayed execution. The talk is demo-driven and then generalizes beyond the demos to a repeatable playbook and checklist that security teams and builders can apply to assess and harden any AI-assisted IDE deployment.
17:00 – 18:00 Mingling & Something sweet

Stage 2
March 3, 2026 | Full conference day

Stage 2 opens at 9:35
09:35 – 10:00

Establishing AI Governance Without Stifling Innovation: Lessons Learned

Billy Norwood, CISO, FFF Enterprises
Strategy and implementation of a risk-based AI governance committee in a healthcare services firm and our successes and failures along the way.
10:00 – 10:25

Enterprise AI Governance at Snowflake: Balancing Innovation and Risk

Ragini Ramalingam, Director, Snowflake
As generative AI technologies continue to evolve, organizations are working to thoughtfully balance innovation with appropriate governance. In this session, Ragini Ramalingam, Director of Enterprise Security at Snowflake, shares perspectives on supporting responsible AI adoption within a large, dynamic enterprise environment. She will discuss practical approaches to establishing governance frameworks, fostering cross-functional collaboration, and embedding security considerations into emerging technologies—helping organizations enable innovation in a structured, risk-aware manner.
10:25 – 10:45 Coffee break
10:45 – 11:10

Three Phases of AI Adoption: From GPU Lottery to Enterprise Agreements

Chase Hasbrouck, Chief of Forensics/Malware Analysis, U.S. Army Cyber Command
The Army’s path to enterprise AI shows a pattern every organization will face: deployment constraints shape adoption more than security policies. In 2023, fragmented research previews meant high innovation but no institutional knowledge. In 2024, centralized solutions with token budgets killed experimentation. Power users burned through monthly allocations in one or two queries, exactly the people you most want to encourage. In 2025, enterprise agreements removed cost barriers, but now we’re grappling with cultural change: convincing people the tool is actually usable, then dealing with downstream implications when they believe us. As an early power user applying AI to incident response and forensics in Army Cyber, I helped my organization navigate each phase, and can share my lessons learned. (Disclaimer: Personal experience only, not official Army positions.)
11:10 – 11:35

SIFT – FIND EVIL!! I Gave Claude Code R00t on the DFIR SIFT Workstation

Rob T. Lee, Chief AI Officer (CAIO), Chief of Research, SANS Institute
Sounds reckless. Turns out it’s less reckless than letting state actors be the only ones with agentic AI. Anthropic’s GTG-1002 report showed adversaries running Claude Code at 80-90% autonomous execution. Your adversary has an AI. You have tab-completion. I wired the same tool into SIFT via Model Context Protocol—timeline generation, memory analysis, malware sweeps, all via natural language. By the end, you’ll see me type “SIFT!! Find Evil!” and watch it actually work. Mostly. This is what 40+ hours of testing taught me.
11:35 – 12:00

“Can You See What Your AI Saw?”: GenAI Endpoint Observability for Detection Engineers

Mika Ayenson, Threat Research & Detection Engineer, Elastic
As GenAI coding assistants become standard developer tools, detection engineers face a new challenge: understanding what happens when AI executes commands on behalf of users. This talk explores the current state of GenAI endpoint observability from a practitioner’s perspective, what telemetry exists today, where the gaps are, and why the industry needs standardized schemas for AI activity. Through real queries and telemetry examples, we’ll walk through techniques for correlating AI-spawned processes across multi-level ancestry chains, discuss blind spots that surprised us during testing, and make the case for extending and adopting OpenTelemetry semantic conventions to cover GenAI tool activity on endpoints.
12:00 – 12:25

Detecting GenAI Threats at Scale with YARA-Like Semantic Rules

Mohamed Nabeel, Sr Principal Researcher, Palo Alto Networks
Traditional YARA rules revolutionized malware hunting, but they fail against semantic GenAI threats like prompt injection, brand impersonation, and disinformation campaigns. SYARA (Super YARA) extends YARA’s beloved syntax with multi-modal semantic detection—combining string matching, embeddings, ML classifiers, and LLMs in a single rule. In this hands-on session, you’ll learn to hunt GenAI-era threats including direct/indirect prompt injection, phishing detection using perceptual hashes, malicious intent identification, and disinformation detection. We’ll demonstrate why semantic detection at scale requires efficient layered approaches rather than expensive LLM-only solutions, achieving 98% detection rates at <100ms latency and $0.001/query—orders of magnitude faster and cheaper than LLM-based approaches.
12:25 – 13:30 Lunch break
13:30 – 13:55

The Advent of Confidential AI

Raghu Yeluri, Fellow and lead architect, Confidential AI
Confidential AI is a hardware-based security approach that protects sensitive data and AI models during active processing by keeping information encrypted even while being computed on, extending beyond traditional encryption that only secures data at rest or in transit.
The technology relies on Trusted Execution Environments (TEEs) – secure hardware enclaves within processors (CPUs, GPUs, Accelerators) that decrypt data only within isolated spaces invisible to operating systems, cloud providers, or administrators. Along with remote attestation, this approach protects inferencing data, prompts and context info, thus enabling the deployment of enterprise critical applications in public cloud and hybrid cloud environments.
This talk will give you the technology components available for Confidential AI, and real-world deployments with two example use-cases that would be of interest to other practitioners.
13:55 – 14:20

Tenderizing the Target: Soaking Code in Synthetic Vulnerabilities

Aaron Grattafiori, Principal Offensive AI Security Researcher, NVIDIA
Skyler Bingham, Principal Applied Researcher, NVIDIA
Marinade is an agentic workflow we built to solve a fundamental problem in security testing: getting realistic vulnerable applications that aren’t contrived CTF challenges or overused training targets like DVWA. The idea is to point it at some source code—Django, Spring Boot, Java, Rails, whatever—and it works to analyze the codebase, understand the attack surface, and inject realistic, exploitable vulnerabilities that blend naturally into the existing code while preserving functionality. We’ve found that AI is surprisingly adept at weakening security controls rather than clumsily removing them, producing bugs that look like genuine developer mistakes in a given programming language or app, and each injected vulnerability ships with a validation script proving exploitability to avoid false positives. Marinade lets you generate a large-scale synthetic corpus of vulnerable applications from real-world, production-quality codebases, opening up new possibilities for scanner evaluation, red team training, and security tool benchmarking.
14:20 – 14:35

Hooking Coding Agents with the Cedar Policy Language

Matt Maisel, CTO and Cofounder, Sondera
Coding agents wield dangerous access to your code and terminal, and prompt injection renders soft guardrails useless. This talk demonstrates a reference monitor using Rust hooks and Cedar policies to deterministically intercept every shell command, file read, and other actions. We’ll live demo forbidding exfiltration and destructive behaviors, leaving you with an open-source tool compatible with Cursor, Claude Code, and GitHub Copilot CLI.
14:45 – 14:55 Coffee break
14:55 – 15:20

Glass-Box Security: Operationalizing Mechanistic Interpretability for Defending AI Agents

Carl Hurd, Co-Founder & CTO, Starseer
Perimeter defenses are failing against the next generation of AI agents. This talk introduces “Glass-Box Security,” a paradigm shift that utilizes Mechanistic Interpretability and Latent Space Geometry to monitor a model’s internal state for malicious intent and data exfiltration. We will explore why true observability requires a return to self-hosted infrastructure and present the Starseer architecture—a technical reference for building an “Internal EDR.” Attendees will learn to replace fragile regex filters with “semantic tripwires” that detect deception and code leakage at the neuron level, long before the model generates output.
15:20 – 15:45

The AI Security Larsen Effect: How to Stop the Feedback Loop

Maxim Kovalsky, Managing Director, AI Security CoE, Consortium Networks
The AI security market has 60+ vendors, and your VAR just sent 15 one-pagers. OWASP tells you what can go wrong. NIST tells you how to govern. Neither tells you which risks actually matter for YOUR architecture or HOW to implement controls given your existing stack. This talk introduces a capability-based framework that zeros in on the risks that are actually relevant, helps you decide how to address them (configure what you own, buy something new, or build it yourself), and—as a consequence—produces a rational vendor shortlist instead of analysis paralysis. Live demo with a realistic scenario: agentic healthcare chatbot, PHI data, existing Azure and CrowdStrike stack. We’ll go from “we need AI security” to implementation clarity in under 20 minutes.
15:45 – 16:10

Kinetic Risk: Securing and Governing Physical AI in the Wild

Padma Apparao, Architecting AI solutions, Intel
When AI leaves the screen and enters the physical world, failure shifts from misinformation to kinetic damage. Physical AI is fundamentally different from traditional AI: while performance and throughput dominate system design, the potential for physical harm means security, risk, and governance must be built in from the start. This talk explains why Vision-Language-Action (VLA) models powering robotics and autonomous machines require system-level thinking beyond model accuracy. We examine VLA-specific security risks such as sensor spoofing and embodied instruction manipulation that can lead to unsafe physical actions. The talk also explores why existing governance frameworks like the EU AI Act and NIST AI RMF fall short for adaptive, non-deterministic AI systems operating in dynamic, real-world environments. Finally, we address the organizational friction between engineering, safety, and risk teams as Physical AI scales into production. Real-world examples are used throughout to illustrate performance, security, governance, and organizational challenges.
The audience will leave with practical reference architecture ideas, recommendations for evolving governance frameworks, and actionable guidance for securing physical AI implementations, all framed around a “safety-first” mindset where innovation leads even without “Ctrl-Z”.
16:10 – 16:35

Trajectory-Aware Post-Training of Open-Weight Models for Security Agents

Aaron Brown, Agentic AI Builder, AWS
Madhur Prashant, Applied AI/ML Engineer, AWS
Everyone talks about AI agents for security, but almost no one talks about how to post-train the underlying open-weight models that power them. Frontier APIs work for prototypes, but scaling autonomous security operations requires fine-tuned small language models optimized for your specific tooling, reasoning patterns, and operational constraints. This talk presents a complete open-source pipeline for trajectory-aware post-training of open-weight SLMs for cybersecurity tasks covering environment setup, data collection and refinement, reward function design, and a two-stage SFT to GRPO training recipe running on NVIDIA DGX Spark. We’ll release training configs, the evaluation harness, and fine-tuned GLM-4.7 30B Flash weights on HuggingFace.
16:35 – 17:00

AI Found 12 Zero-Days In OpenSSL. What Does It Mean For The Industry?

Adam Krivka, AI Security Researcher, AISLE
Ondrej Vlcek, Co-founder & CEO, AISLE
OpenSSL is one of the most audited codebases on the planet. Its January 2026 security update fixed 12 vulnerabilities — all of which were found and reported by our AI system. Three had been hiding in the codebase for over two decades. In parallel, we’ve identified hundreds of other vulnerabilities across critical infrastructure projects like curl, the Linux kernel, and wolfSSL.
AI has fundamentally changed the economics of vulnerability discovery. What once required elite expertise and months of manual auditing can now be done in hours. Exploits can be engineered by autonomous agents. The cost of offensive capability is rapidly shrinking.
This talk explores what it takes to make AI vulnerability discovery production-grade — and why organizations that don’t adopt these systems to defend their software will be outpaced by adversaries who do.
17:00 – 18:00 Mingling & Something sweet