
Still reflecting on (and recovering from) Black Hat in Vegas. This year it felt different: more energetic, and the conversations more meaningful, practical, and honest. Here’s what I took away, albeit seeing things through my Vectra AI green-colored glasses:
1. AI is now both weapon and target. Agentic AI—autonomous systems—is being hijacked to do recon, exfiltrate data, and even help attackers evade detection. No malware required. If the AI defenders use isn’t purpose-built to think like attackers—and to think and move as fast as attackers move across network, identity, and cloud—the gap between time to attack and time to defend will widen.
2. The truth is in the packet. We saw research on tunneling into private networks. Once inside, attackers blend into “normal” traffic, hide in encrypted flows, and stay invisible. This is why coverage across east-west and north-south traffic isn’t optional—it’s foundational.
3. Identity is the bullseye. Token theft, federated trust abuse, and privilege escalation in the cloud are the new normal. Attackers don’t hack in—they log in. And if you’re not watching identity activity in real time, you’ll miss it.
4. Converged risk is real. Network, Identity, Cloud, SaaS, IoT, OT—security sees multiple attack surfaces; attackers see one giant attack surface (we call it the modern network). All modern attackers need is a way in (Identity), and once in, they blend in, hide, and move without friction. Which raises the question: should we be looking at posture post-compromise (detection) as much as we do pre-compromise (prevention)?
Maybe it’s me and my biases—hearing what I want to hear—but I can’t help but walk away from Black Hat believing the problem to solve is this: modern networks, modern attacks, and defending against them come down to 3 simple questions:
1. Can we see them? (Coverage)
2. Can we stop them? (Control)
3. How fast can we see them and stop them? (Clarity)