Everything old is new again: 3 trends from Black Hat USA, BSides LV, and DEF CON 33

As always, the Las Vegas cybersecurity triple-header did not disappoint. I saw old friends, learned about new trends, and (yet again) walked away with more swag than I need after this many years in the industry. While BSides LV, Black Hat USA, and DEF CON are all different events, there were themes that kept popping up. Themes that weren’t new in nature, even if they were new in iteration. Let’s take a look at a few of those trends to see how the more things change the more they stay the same.

The human element is hot again

Exploitation has always balanced between human and technical elements. What was the attacker’s path of least resistance? This year showed a decisive shift toward exploiting the human side. Attackers are bypassing technical defenses like phishing-resistant MFA by targeting the human recovery processes. This is not a new concept. The difference today is the industrialization of this process through AI.

The notorious threat group Scattered Spider served as a primary case study for this trend. They use vishing and sophisticated impersonation techniques to convince IT help desks to reset a target's credentials. Deepfake-as-a-Service (DaaS) has turned voice cloning into a commodity. Any criminal can rent AI tools to generate a hyper-realistic voice of a CEO for a modest cost. This makes sophisticated attacks scalable and accessible to a wider range of adversaries. The result is that the human-gated exception process has become a primary attack surface. The assumption that a trained human can spot a fraudulent request is now fatally flawed in an era of AI-generated deception.

The industry is responding with a shift in focus from training users to hardening processes. Security leaders must invest in modern verification technologies that are resilient to social engineering attacks.

Automation progresses from scripts to strategy (on both sides) and creates new risk

The Vegas conferences showcased a new arms race in which the weapons on both sides mimic human actors. The dominant theme was the rapid deployment of so called agents. On defense vendors are developing agentic AI for alert triage, fixing code, and simulating attacks. On the offensive side researchers demonstrated AI agents that can autonomously handle entire phishing campaigns and create metamorphic malware to evade detection.

For a security veteran this represents a major evolution from past automation efforts. Hackers in the 1990s used Perl scripts to automate network scans. In the 2000s frameworks like Metasploit streamlined exploitation. Agentic AI is different. The fundamental shift is from automating tasks to automating strategy. Agentic malware is not just executing pre-written code. This AI is observing its environment, forming a hypothesis about weaknesses, and writing exploits on the fly.

This much is obvious… it is not obvious that the new defense creates a critical new vulnerability: the agent itself. Since these agents are being granted privileged access to internal tools and sensitive data attackers will target and hijack them. Indirect prompt injection (a malicious instruction hidden within a document or email) can manipulate agents into becoming insider threats. I’m afraid to report that we have witnessed the birth of a new analyst category. Please welcome "Agent Security Posture Management.” We’ve now entered the stage of treating every AI agent as a privileged non-human identity subject to continuous monitoring and governance.

Stagnation, burnout, and blame

Beyond the technology a sense of dissatisfaction was present in Las Vegas. Professional burnout is widespread along with a feeling that defensive advice has grown stale. Mikko Hypponen, a respected veteran and Black Hat 2025 keynote speaker, highlighted the paradox of success in cybersecurity. Effective security leads to a perceived low risk which in turn leads to budget cuts and a boom-bust cycle of investment. He also directly challenged the practice of blaming users for clicking phishing links arguing that it is a failure of security systems to have allowed the malicious email to reach the user's inbox in the first place.

Veterans feel that while burnout has always been an issue the current sentiment is different and more systemic. The industry's defensive playbooks are seen as stagnant and official guidance from government agencies fails to keep pace with innovation. The industry's immune response to new threats has the perception of failing.

While there is no simple solution to address what is a cultural crisis in cybersecurity, it’s something that all security leaders should be cognizant of. I, for one, would be eager to attend a culture success talk in 2026.

See you in 2026

The conferences may have just ended, but I’m already thinking about next year. Wondering what the next big breakthrough will be. Wondering what the next big security concerns will be. Wondering how I’m going to attend to every talk I want to see without bending spacetime.

If you’re in Vegas next year, or at any of the many security events we attend, swing by the Sublime booth and see what we’ve been working on. In the meantime, check out this short recap of Sublime’s Black Hat experience.