CyberML

Where Cybersecurity Meets Machine Learning

This event is SOLD OUT.

4 June 2026 | 08:30-17:00 | ZOA House TLV, Daniel Frisch St 1, Tel-Aviv

About The Conference

CyberML is Israel's first technical conference dedicated to the intersection of Cybersecurity and Machine Learning. Following the success of the MDLI event series, this conference brings together researchers, security architects, and ML engineers to discuss the practical integration of AI in security workflows.

The event focuses on the technical core of the field: from adversarial robustness and securing ML pipelines to automated threat detection and response. CyberML provides a platform for industry practitioners to exchange research-backed insights and address the unique challenges of deploying machine learning in mission-critical security environments.

Join us at CyberML 2026 to connect with the local technical community and explore the latest developments in Cyber-ML integration.

Who is it for?

This conference is ideal for AI researchers, security architects, data scientists, engineers, academics, and professionals interested in exploring the technical and theoretical aspects of machine learning within the cybersecurity domain. Whether you are an experienced practitioner or a curious newcomer to this specialized field, join us to gain valuable insights, exchange ideas, and expand your network in this rapidly evolving field.

The Event Details

  • 04.06.2026

  • 08:30-17:00

  • ZOA House TLV | Daniel Frisch St 1 | Tel-Aviv

Speakers

Omer Nevo

Co-founder & CTO

Irregular

Marina Gandlin

Senior Data Scientist

Cyera

Gili Knafo

AI Lead

Vega

Roy Miara

Member of the Technical Staff

Tenzai

Ari Eitan

Director, Cloud & AI Research

Tenable

Andrea Siposova

AI Security Researcher

Lasso

Nadav Erez

Co-Founder & CTO

Twine Security

Omer Hakimi

Head Of Solution Architect

DREAM

Alon Schindel

VP of AI & Threat Research

Wiz

Neta Ravid

Agentic Security Lead

Astrix Security

Julia Diament

Principal AI Architect

Microsoft

Ran Bar-Zik

Senior Software Architect

Palo Alto

Idan Habler

Senior Tech Lead | OWASP ASI core member

Cisco | OWASP

Roman Rosh

Senior Data Scientist

Claroty

Uri Eliabayev

Founder

MDLI

Agenda

08:30-09:30

Gathering & Mingling with light breakfast

09:30-09:35

Opening Remarks

Uri Eliabayev

Founder at MDLI

09:35-10:05

Artificial Attackers: Risks, capabilities and mitigations

Irregular has been working with both frontier labs and governments to evaluate the cyber capabilities of unreleased models and research ways to mitigate their risks. In the talk, you'll see the stories and examples of the interesting, impressive and silly things that models do. And what's being done about it.

Omer Nevo

Co-founder & CTO at Irregular

10:05-10:35

AI-native Security: Supercharging Security Analytics with Federated Context Graph and SLMs

Vega is building the Operating System for Agentic SecOps. Our AI-native platform is based on a federated query engine, enabling AI agents to access security data regardless of where it resides – translating KQL into optimized queries that distribute execution across multiple SIEM platforms and data storages.

In this talk we will cover how Vega builds AI agents that query real-time data using natural language, powered by a robust semantic layer on top of this federated architecture. Our schema-aware query generation process transforms natural language into validated queries through a multi-stage pipeline: automated schema discovery, field and values refinement using semantic search on top of vector-database, normalized-field mapping that abstracts away connector-specific schemas, and a generator-reviewer loop that iteratively validates the output before execution.

We will demonstrate our modular approach, which leverages skills – domain-specific playbooks for security scenarios – such as EDR behavioral analysis, cloud activity and phishing – loaded at runtime by an orchestrator agent deployed on top of Temporal workflows for durable execution. The orchestrator delegates query generation to a schema-aware sub-agent and offloads results analysis to another sub-agent that uses an open-source small language model (SLM) to iteratively write and execute Python code inside a secure stateful sandbox connected to S3-exported query results – enabling efficient processing of large-scale security logs without shipping raw data to the LLM, which can cause context-rot.

And of course, context is king. Vega pushes this principle to the limit with the Federated Context Graph – a cross-platform entity graph built by aggregating data across all connected sources through the federated engine, performing entity resolution to create canonical nodes and edges with cross-source provenance. This graph enables agents to navigate fragmented environments, resolve entities across platforms, and surface correlations that would otherwise remain hidden. During investigation, agents combine real-time log analysis with graph lookups to ground their reasoning in full environmental context – not just the alert in isolation.

We will also share how we operate this in production: a structured evaluation framework measuring retrieval recall, generation accuracy, and query validity across curated datasets; full agent trace observability; and Temporal-orchestrated workflows ensuring durability and recoverability across the entire pipeline.

Gili Knafo

AI Lead at Vega

10:35-11:05

Multimodal CPS Device Classification: Learning Under Partial Visibility and Long-Tail Distributions

Accurate classification of CPS devices in operational environments is challenged by partial network visibility and severe class imbalance, where rare devices are often the most critical yet hardest to identify. We present a production-oriented multimodal framework that fuses textual device attributes, structured tabular features, and network topology signals using ML ensembles and deep learning architectures. The system is grounded in domain expertise through SME-defined labeling strategies, enabling continuous expansion of device coverage. To address long-tail distributions, we introduce a smart sampling strategy that improves coverage of rare device classes during training, alongside embedding-based visualization to support cluster exploration and production validation. Evaluated across medical, industrial, and transportation environments spanning hundreds of device types, the framework demonstrates strong performance on well-represented classes while significantly improving coverage of rare and previously uncovered device types.

Roman Rosh

Senior Data Scientist at Claroty

11:05-11:35

Autonomous Hacking: How Tenzai Builds Harness for Long-Horizon AI Hackers

Tenzai is an offensive security startup and research lab that builds autonomous AI hackers for vulnerability research and penetration testing. In this talk, we will dive into the fundamentals of harness engineering for complex, long-horizon tasks – architecture, security, and scale.

Roy Miara

Member of the Technical Staff at Tenzai

11:35-11:55

HackedGPT: From Prompt Injection to Sensitive Data Exfiltration

ChatGPT's expanding capabilities come with expanding attack surface. We found three novel ways to exploit it.

This talk presents original vulnerability research into ChatGPT's architecture. We'll show how features designed to make the assistant more helpful can be weaponized – and how existing safety mechanisms can be bypassed to enable data exfiltration. One wrong interaction, and your private data walks out the door.

If you are using ChatGPT with sensitive data, this one's for you.

Ari Eitan

Director, Cloud & AI Research at Tenable

12:00-12:30

Coffee Break

12:30-12:50

One Agent to Rule Them All: Dynamic Skills Over Distributed Complexity

Twine Security is building AI Digital Employees who help cybersecurity teams close the execution gap.

Its first AI Digital Employee, Alex, learns, understands and takes away the burden of Identity and Access Management (IAM) tasks – proactively completing the organization's cyber objectives. Alex owns identity workflows end-to-end, including user access reviews, stale account cleanup, least-privilege enforcement, policy creation, and more.

This talk follows the architectural evolution of Twine's Alex from 2024 through today, a journey that closely mirrors the broader state of the art in agent building.

We moved from agentic blocks embedded inside deterministic workflows, to a manager-led multi-agent system, to specialized expert agents per product domain, and finally – to a single, unified agent that dynamically loads domain expertise through composable skills. None of these transitions came from design instinct – each was forced by production gaps.

Multi-agent handoffs lost the thread of what users were trying to do. Per-domain agents fragmented context across tabs. And users don't think in domains, they think in outcomes.

The single-agent design leans on three capabilities we'll cover in depth: (1) composable skills and tools that the agent reaches for on demand, (2) product awareness that stays current as the product evolves (we'll focus on how we've used CI-generated skills where the codebase itself is the source of truth, so Alex's understanding doesn't drift behind the frontend); and (3) organizational knowledge that captures how each customer actually operates (we'll walk through the spectrum of sources – explicit user input, connected knowledge bases, and Alex proactively mining already-closed tickets it was never assigned, learning from comments and outcomes how the organization handles real requests).

We'll close with where this is heading next – and what we think the next transition in agent architecture looks like.

Nadav Erez

Co-Founder & CTO at Twine Security

12:50-13:10

Teaching an LLM to Triage: AI-Powered Severity for Data Security at Scale

Security teams drown in alerts. When every data exposure is labeled Critical, the label loses meaning, and real risks get buried. At Cyera, we built an AI-powered severity engine that uses LLMs to evaluate the actual risk behind each data security issue, considering what data was found, how much, who has access, and in what context.

In this talk, we'll walk through how we designed a multi-level LLM pipeline that processes millions of data security issues at scale, from heuristic fast-paths to structured LLM calls that reason about different security and data policies across files, database tables, and access patterns. We'll share what we learned about evaluation without ground truth, caching, comparing different LLMs, open models vs. self-hosting, and what happens when a product like this meets production and very different clients.

Marina Gandlin

Senior Data Scientist at Cyera

13:10-13:30

Replicating the Hacker’s Mind: AI-Powered Attacker Behavior Modeling at Scale

Omer Hakimi

Head Of Solution Architect at DREAM

13:30-13:50

MCP and the Chamber of Secrets

As engineers in an agentic identity security company, we face a unique feedback loop: we're constantly innovating with AI for boosts in productivity while solving security concerns firsthand through our own struggles.

This talk tells the story of how we connected an AI agent to our MongoDB via MCP and spotted an invisible risk: its configuration relies on plaintext, static credentials, causing developers to grab whatever connection strings or PATs they find to get things working. This didn't hold up to our security standards, so we looked at how widespread the issue is in the broader MCP ecosystem – finding that 60% of all servers rely on long-lived static secrets. This gap in the MCP standard creates a rapidly growing threat surface.

This talk dives into our own experience discovering how easily MCP setups can loosen control of tokens and permissions, and presents our mitigations: secret vaulting, dedicated agentic identities, a self-hosted MCP server and an internal tool we created and released as open source. Whether you're already using MCP or planning to adopt it, you'll leave with practical steps to avoid the security traps that come with the rush to ship AI-powered workflows.

Neta Ravid

Agentic Security Lead at Astrix Security
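The configuration-level check behind the talk above, as an added example (not Astrix's open-source tool and not code from the talk): a scanner that walks an MCP client config and flags the plaintext, long-lived static secrets the abstract describes. It assumes the common client-side layout in which a JSON file holds an "mcpServers" object whose entries carry "command", "args" and "env"; the server names, package names and token values below are constructed placeholders.

```python
"""Finding plaintext, long-lived static secrets in an MCP client configuration.

Added example; not Astrix's tool and not the talk's code. Assumes the common
client layout: {"mcpServers": {name: {"command", "args", "env"}}}. It walks every
string in those entries and flags (a) connection strings with an embedded
password, (b) tokens with a well-known public prefix format, and (c) values
under a secret-looking key that are literals rather than ${VAR} references.
The config and token values below are constructed placeholders.
"""
from __future__ import annotations

import json
import re
from urllib.parse import urlsplit

SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "mongo": {  # hypothetical server and package names throughout
            "command": "npx",
            "args": ["example-mongo-mcp", "--connectionString",
                     "mongodb+srv://app:S3cretPass@cluster0.example.net/prod"],
        },
        "github": {
            "command": "npx",
            "args": ["example-github-mcp"],
            "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_" + "x" * 36},  # placeholder, not a real PAT
        },
        "s3": {
            "command": "uvx",
            "args": ["example-s3-mcp"],
            "env": {
                "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",          # AWS's published example ID
                "AWS_SECRET_ACCESS_KEY": "${AWS_SECRET_ACCESS_KEY}",  # reference, resolved at runtime
            },
        },
    }
})

TOKEN_PATTERNS = {
    "github_pat": re.compile(r"\b(?:ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[abp]-[0-9A-Za-z-]{10,}\b"),
}
DB_SCHEMES = {"mongodb", "mongodb+srv", "postgres", "postgresql", "mysql", "redis", "rediss", "amqp"}
SECRETY_NAME = re.compile(r"(?:^|_)(?:TOKEN|SECRET|PASSWORD|PASSWD|API_KEY|ACCESS_KEY|PAT)(?:_|$)", re.I)
ENV_REFERENCE = re.compile(r"\$\{?[A-Za-z_][A-Za-z0-9_]*\}?")


def iter_strings(node, path: str, key: str | None = None):
    """Yield (json_path, enclosing_dict_key_or_None, value) for every string under node."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from iter_strings(v, f"{path}.{k}", k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from iter_strings(v, f"{path}[{i}]", None)
    elif isinstance(node, str):
        yield path, key, node


def classify(value: str, key: str | None) -> list[str]:
    """Return the kinds of static secret one string appears to contain."""
    if ENV_REFERENCE.fullmatch(value):
        return []  # indirection through the environment is the pattern we want to see
    kinds = [name for name, pat in TOKEN_PATTERNS.items() if pat.search(value)]
    if "://" in value:
        parts = urlsplit(value)
        if parts.scheme.lower() in DB_SCHEMES and parts.password:
            kinds.append("connection_string_password")
    if key is not None and SECRETY_NAME.search(key):
        kinds.append("literal_secret_env")
    return kinds


def redact(value: str) -> str:
    """Never echo the secret itself into findings or logs."""
    return value[:6] + "..." if len(value) > 8 else "***"


def scan_mcp_config(text: str) -> list[dict]:
    cfg = json.loads(text)
    findings = []
    for server, spec in cfg.get("mcpServers", {}).items():
        for path, key, value in iter_strings(spec, f"mcpServers.{server}"):
            for kind in classify(value, key):
                findings.append({"server": server, "path": path, "kind": kind,
                                 "value": redact(value)})
    return findings


if __name__ == "__main__":
    for f in scan_mcp_config(SAMPLE_CONFIG):
        print(f"[{f['kind']}] {f['path']} = {f['value']}")
```

The only entry that passes clean is the `${AWS_SECRET_ACCESS_KEY}` reference: the value never lives in the config file, which is the shape a vaulted or short-lived credential takes. Prefix patterns catch only token formats that advertise themselves; the key-name heuristic and the embedded-password check are what catch the connection strings and opaque PATs the abstract says developers paste in to get things working.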

13:50-14:10

Why Guardrails Are Not Enough. Rethinking Defenses for Agentic AI

AI agents derive their value from the same capabilities that also make them exploitable. The tools, data, and communication channels they need are also attack surfaces, and restricting them reduces the very utility that makes agents worth deploying. Navigating this trade-off between security and autonomy is the central challenge in agentic AI security. Current defenses consist of guardrails sitting at the boundary of the agent, each step evaluated in isolation with no visibility into how inputs, tools, and model decisions interact inside the loop. Attackers exploit exactly this blind spot, leveraging the fact that no one is evaluating how the components of the workflow influence each other. Securing agentic systems requires moving beyond observation to evaluation of actions and their interplay within the loop. In this session we present how to decompose the agentic workflow into its core dimensions and check alignment between them, automatically detecting when the model deviates from what the application allows, for example when external content causes it to deviate from its intended purpose. We show how misalignments map to threats and vulnerabilities, giving defenders a structured way to understand what went wrong and where.

Andrea Siposova

AI Security Researcher at Lasso

14:10-15:00

Lunch Break

15:05-15:25

Detecting RAG Poisoning: HubScan and the Hidden Threat of Adversarial Hubness

Retrieval-Augmented Generation (RAG) systems power enterprise AI assistants, search engines, and knowledge bases, but they have a major weakness. Recent real-world attacks, such as Microsoft Copilot document poisoning and GeminiJack zero-click data exfiltration, show how a single infected document can distort AI responses over thousands of queries. These attacks take advantage of adversarial hubness, which involves carefully built embeddings that hijack vector similarity search and appear in top retrieval results for semantically unrelated queries.

Once inserted in a vector database, these poisoned documents establish a permanent, zero-click compromise, needing no user interaction to activate and silently impacting every relevant query until discovered. We introduce HubScan, an open-source security scanner that checks vector databases and RAG systems for hubness flaws before attackers can use them. HubScan uses robust statistical detection, cluster spread analysis, and domain-aware scanning to reliably identify hostile hubs as extreme statistical outliers while minimizing false positives. This session explains the hubness threat model, exhibits practical attacks on production-like systems, and demonstrates how security teams can incorporate HubScan into their RAG pipeline protections for popular vector databases including FAISS, Pinecone, Qdrant, and Weaviate.

Idan Habler

Senior Tech Lead at Cisco | OWASP ASI core member
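The detection idea in the abstract above, as an added example (not HubScan's code and not its API): in a small constructed vector index, a planted document that sits "between" every topic lands in the top-k of far more queries than any benign document, and those retrieving queries are semantically unrelated to each other. The example measures both signals (k-occurrence as a robust z-score, and the spread of the retrieving queries) and flags the outlier. All embeddings are seeded pseudo-random constructions; the dimensions, thresholds and the hub construction are assumptions for illustration.

```python
"""Hubness-based detection of a planted poisoned document in a toy vector index.

Added example; not HubScan's code and not its API. It shows the generic
mechanism the abstract describes: a poisoned embedding appears in the top-k of
an abnormally large, semantically spread-out set of queries, so it stands out
as an extreme outlier of the k-occurrence distribution. Every vector below is
constructed from a seeded pseudo-random generator, not real data.
"""
from __future__ import annotations

import math
import random
from itertools import combinations
from statistics import median

DIM, TOPICS, DOCS_PER_TOPIC, QUERIES_PER_TOPIC, K = 8, 4, 4, 10, 5


def cosine(a: list[float], b: list[float]) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(x * x for x in b))
    return dot / norm if norm else 0.0


def build_corpus(seed: int = 7) -> tuple[list[list[float]], list[list[float]], int]:
    """Four orthogonal topics with noisy docs and queries each, plus one planted
    'hub' that sits between all topics. Returns (docs, queries, hub_index)."""
    rng = random.Random(seed)

    def noisy(topic: int) -> list[float]:
        v = [rng.gauss(0.0, 0.05) for _ in range(DIM)]
        v[topic] += 1.0
        return v

    docs = [noisy(t) for t in range(TOPICS) for _ in range(DOCS_PER_TOPIC)]
    queries = [noisy(t) for t in range(TOPICS) for _ in range(QUERIES_PER_TOPIC)]
    # Hub: equal weight on every topic axis, so cosine ~0.5 with every query,
    # which beats every off-topic document while never beating on-topic ones.
    docs.append([1.0 if i < TOPICS else 0.0 for i in range(DIM)])
    return docs, queries, len(docs) - 1


def k_occurrence(docs, queries, k: int = K) -> list[list[int]]:
    """hits[d] = indices of the queries whose top-k contains document d."""
    hits: list[list[int]] = [[] for _ in docs]
    for qi, q in enumerate(queries):
        ranked = sorted(range(len(docs)), key=lambda d: cosine(q, docs[d]), reverse=True)
        for d in ranked[:k]:
            hits[d].append(qi)
    return hits


def robust_z(values: list[int]) -> list[float]:
    """Median/MAD z-scores, so the outlier cannot inflate its own baseline. Falls
    back to the mean absolute deviation when MAD is 0 (almost all counts equal)."""
    med = median(values)
    dev = [abs(v - med) for v in values]
    mad = median(dev)
    scale = 1.4826 * mad if mad > 0 else 1.2533 * (sum(dev) / len(dev))
    return [0.0] * len(values) if scale == 0 else [(v - med) / scale for v in values]


def query_spread(hit_queries: list[int], queries) -> float:
    """Mean pairwise cosine among the queries that retrieved one document: a benign
    document is pulled by a tight cluster of similar queries (high value), a hub by
    unrelated queries from across the space (low value)."""
    pairs = list(combinations(hit_queries, 2))
    if not pairs:
        return 1.0
    return sum(cosine(queries[a], queries[b]) for a, b in pairs) / len(pairs)


def find_hubs(docs, queries, k: int = K, z_threshold: float = 3.5,
              spread_threshold: float = 0.5) -> tuple[list[int], list[int]]:
    """Flag documents whose k-occurrence is an extreme outlier AND whose retrieving
    queries are semantically spread out. Returns (flagged_indices, counts)."""
    hits = k_occurrence(docs, queries, k)
    counts = [len(h) for h in hits]
    z = robust_z(counts)
    flagged = [d for d in range(len(docs))
               if z[d] > z_threshold and query_spread(hits[d], queries) < spread_threshold]
    return flagged, counts


if __name__ == "__main__":
    docs, queries, hub = build_corpus()
    flagged, counts = find_hubs(docs, queries)
    for d in flagged:
        print(f"doc {d}: in top-{K} of {counts[d]}/{len(queries)} queries "
              f"(planted hub: {d == hub})")
```

Two things carry over to a real index: use a robust scale (median/MAD) rather than mean/standard deviation, because the hub itself would otherwise widen the baseline it is measured against; and require the second signal, since a genuinely popular document (an FAQ, a glossary) can have a high k-occurrence but is retrieved by a coherent cluster of queries, not by queries from every corner of the embedding space.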

15:25-15:45

Cyber Offense Hits Its Moore’s Law Moment - Persistence as the Exploit

AI is driving a structural shift in cyber offense: when compute and automation become cheap, the attacker’s marginal cost per attempt collapses. The advantage moves from rare novelty to high-volume, adaptive iteration, where persistence itself functions like an exploit. The more important story for CyberML is the coupling: as offense accelerates, defense must evolve from periodic assurance to ML-native, continuous assurance.

This session frames the new landscape through three AI-driven vectors: (1) agentic attack orchestration (automated planning, chaining, rapid adaptation), (2) autonomous vulnerability discovery & exploitation (data-driven probing that compresses time-to-weak-seam), and (3) AI-driven persuasion & social engineering (optimized influence at scale across human interfaces). We go deep on the first two vectors for technical rigor, and map the third as a fast-evolving frontier that reshapes the defensive future with social engineering as the last vulnerability, including AI convincing AI.

Even if attackers increasingly use LLMs, the defensive challenge is fundamentally an ML problem: maintaining reliable detection, calibration, and robustness under adaptive, automated pressure and adversarial drift at scale. The talk presents a clean blueprint for continuous adversarial evaluation: how to define measurable robustness and detection metrics, design scenario-driven test suites, and run regressions across model/data/prompt/tool-chain updates. It also introduces defensive deception (canaries/honeytokens/decoys) as instrumentation that converts attacker-scale automation into high-signal telemetry and ground truth for monitoring and ML-driven detection.

Attendees will leave with an attacker’s mental model for all three vectors, and a concrete evaluation blueprint (metrics, test-suite structure, and regression gates) that turns that mindset into measurable defensive assurance, with a clear boundary of what still requires human controls.

Julia Diament

Principal AI Architect at Microsoft

15:45-16:05

Seeing the Connection: Multimodal for Securing RDP Sessions at Scale

Security goes beyond analyzing texts; you can use ML and multimodal methods to extract insights from video, audio, and images. In this session, we'll demonstrate a real product, used by over 100 tenants, that monitors RDP sessions. We'll examine the challenges of building such a product, discuss different approaches to finops, and address how to secure it from malicious users. You'll learn how to mitigate risks in a mixed or no-text input analysis.

Ran Bar-Zik

Senior Software Architect at Palo Alto

16:05-16:25

The 2026 AI Threat Landscape - AI-Powered Attacks Are Here. Now What?

In the past few months, LLMs have made a significant leap in offensive cybersecurity capability. As AI adoption accelerates across cloud environments, new threat patterns are emerging – often layered on top of the same familiar security failures attackers have exploited for years. This session examines how AI is reshaping attacker behavior, and where risk is concentrating in the cloud as the AI-driven attack surface expands, especially through vibe coding and agent-based workflows. Using real-world attacks and recently exploited vulnerabilities, we’ll highlight what’s changing, what isn’t, and what security teams should prioritize next.

Alon Schindel

VP of AI & Threat Research at Wiz

16:25-16:30

Closing Remarks

Uri Eliabayev

Founder at MDLI
