Black Hat USA 2026: A Space Rogue Survival Guide

Black Hat USA 2026 is almost here, and the annual migration to the Nevada desert is about to begin. If you want to come home with something more valuable than a bag full of vendor swag, you're going to need a plan.

June 25th, 2026

It’s almost that time of year when the security industry begins its annual migration to the Nevada desert. Vendors pack up their marketing departments, researchers polish their slide decks, recruiters sharpen their LinkedIn pitches, and hackers start looking for hotel rooms that don't require a second mortgage.

Black Hat USA returns to Mandalay Bay in Las Vegas from August 1–6, 2026, and as usual it serves as the opening act for what many people have affectionately labeled Hacker Summer Camp. Black Hat ends just as DEF CON begins, and BSidesLV is somewhere in the middle. Add in dozens of ancillary events like r00tparty, w00C0n, Queercon, The Diana Initiative, and many others, not to mention vendor parties and private get-togethers, and you have a glorious week-plus where more security knowledge, ego, caffeine, and questionable life choices are concentrated into a few square miles.

Remember Why You're There

The first mistake many attendees make is treating Black Hat like a traditional trade show. Yes, there will be hundreds of vendors. Yes, there will be enough branded socks, T-shirts, stickers, and stress balls to survive a small apocalypse, just like every other trade show. But Black Hat's value has always come from the research.

This year's conference features more than 100 peer-reviewed briefings and trainings, over 80 Arsenal demonstrations, and a full schedule of specialized Summits. The challenge isn't finding something interesting: it’s deciding what you have to miss.

My advice is simple: prioritize original research over marketing.

The best Black Hat talks are the ones where somebody spent months or years digging into a system and discovered something genuinely new. A new attack style, a new vulnerability class, a new hardening technique. Those are the talks that get remembered years later.

Talks I'd Circle Immediately

If you're heading to Black Hat, here are the things I will be putting on my calendar. Looking through the published Briefings schedule, several presentations stand out.

Christopher Domas: “C and Its Consequences: The Source Is Just a Suggestion”
Wednesday 11:05am Oceanside A

Whenever Christopher Domas appears on a conference schedule, pay attention.

Domas has a long history of making audiences rethink assumptions about processors, compilers, and low-level computing. This year's talk title alone suggests one of those presentations that will leave half the audience excited and the other wondering what they have been doing with their life.

James Kettle: “Can AI Do Novel Security Research? Meet the HTTP Terminator”
Wednesday 12:00pm Oceanside A

AI security hype is everywhere right now, and most AI talks aren’t worth your time. But if you attend Christopher Domas's talk above, you don’t even need to change your seat, because James Kettle’s is in the same room right after. James has a reputation for producing substantive web security research. If he's asking whether AI can perform genuinely novel security research, that's a question worth hearing explored by someone who actually understands offensive security.

Chris S. Lin + Yuqin Yan: “GPUBreach: Rowhammer Comes for GPUs”
Wednesday 12:00pm South Seas CDF

Remember earlier when I said the challenge was having to choose what talks to miss? Well, here is your first hard choice, because this talk is happening at the same time as James Kettle’s, above.

This talk checks several important boxes. It involves hardware. It involves memory attacks. It involves making hardware do things its designers didn't intend. Historically, these ingredients produce some of the most interesting research presented at Black Hat.

Frank Wu + xia0o0o0o: “Burning Tears of PHP's Memory Hardening”
Wednesday 11:05am South Seas ABE

This talk's title alone wins the award for the title most likely to make developers nervous before the speaker even reaches slide two. Application security, exploit development, and language internals remain fertile ground for research. This looks like one to watch.

Olivia Gallucci: “When Queues Become Vulnerabilities: Reverse Engineering GCD, XPC Races, and macOS Detection Engineering”
Wednesday 10:15am South Seas ABE

The session on reverse engineering Grand Central Dispatch and XPC race conditions in macOS stands out because it combines operating system internals with practical detection engineering. The intersection between offensive research and defensive operations often generates some of the most useful takeaways. And I have always had a soft spot for macOS vulns.

Don't Sleep on Arsenal

Many attendees spend all their time in Briefings and completely overlook Arsenal. That's a mistake. Arsenal is where developers and researchers demonstrate open-source security tools. Unlike many conference sessions, Arsenal gives you direct access to the people who built the thing.

Want to know why a feature works the way it does? The devs are right there, ask them. Want to understand the limitations of a specific tool? Ask. Want to discover the tool before everyone else starts talking about it on social media six months later? Arsenal is where you do that. (And then you can brag, ‘I knew them before they were famous.’)

Black Hat expects more than 80 Arsenal demonstrations this year. If I had to choose between a mediocre conference talk and a good Arsenal demo, I'd choose Arsenal.

The New Summits Are Worth a Look

Black Hat's Summit Day on August 4 has expanded into six specialized events focused on specific sectors and technologies. The AI Summit will probably attract enormous attention given the current state of the industry. The Financial Threat Summit and Healthcare Summit are also likely to feature highly practical discussions because both industries continue to be prime targets for attackers. The Innovators & Investors Summit may not sound exciting to hardcore hackers, but understanding where money is flowing often provides clues about where security technology is heading next.

Visit the Business Hall… Strategically

Yes, I know. The Business Hall isn't why most hackers come to Las Vegas. Still, there's value if you approach it correctly. Personally, it’s one of my favorite parts of the con. And if your company can’t or won’t foot the bill for a full conference pass, this may be the only part of the conference you can access.

Do not wander around randomly collecting swag in a huge bag. The vendors see you coming and they know who you are. But hey, if you're not actually in the industry and need toys for your kids and brought an extra suitcase, you do you.

Instead, identify technologies you actually use or want to understand. Go talk to engineers rather than salespeople whenever possible. (Yes, engineers do exist on the show floor.) Ask hard questions. See product demos. Find out what problems vendors are trying to solve and whether they're succeeding. And just look at the booths, see who is spending big or spending small, identify trends… it becomes real easy real fast to separate the marketing hyperbole from the nuts and bolts.

Don’t forget there are actually some talks you can see with just an Expo Hall pass. To be fair, these are sponsored talks and are often just marketing fluff, but there is some wheat amongst the chaff, specifically Drew Dennison's talk “Using SAST + Mythos To Shift Left” on Thursday Aug 6 at 3:15pm on Pulse Stage 4.

While you are walking the Business Hall keep an eye out for in-booth talks. Yes, they are often hard to hear, don’t have enough seating, and are sometimes just marketing hype, but occasionally you will find an engineer giving a quick deep dive into an interesting bit of technology that you would have otherwise missed. No Briefings pass needed.

The Business Hall also opens earlier this year, beginning on Summit Day, which may make it easier to have actual conversations before the crowd density reaches DEF CON badge-line levels. Be sure to stop by the Semgrep booth (Booth #4943) for a deep dive demo of a fast, static analysis tool used to find bugs, enforce coding standards, and detect security vulnerabilities in source code.

Watch the Hallways

One of the oldest truths about Black Hat remains unchanged: The hallway track matters.

Some of the best information exchanged during Black Hat never appears on stage. Researchers compare notes. Incident responders discuss trends. People quietly explain why a recently announced vulnerability is either a huge deal or complete nonsense. The talks are important. The conversations afterward are often more important. Leave gaps in your schedule. You'll thank me later.

Pace Yourself for DEF CON

This is perhaps the most important advice in the entire article. Black Hat is not the end of the week. It's halftime. Hacker Summer Camp is not a sprint, it’s a marathon, and you don’t want to be exhausted by Monday or Tuesday with several days left to go. Remember to take care of yourself, get plenty of rest, and drink lots of water; it is the desert, after all.

Final Thoughts

Black Hat remains one of the premier venues for security research because it continues to attract people doing real work. The technologies change. The buzzwords change. The attack surfaces evolve. What stays constant is the opportunity to learn directly from researchers pushing the field forward.

My recommendation is simple:

  • Prioritize research.

  • Spend time in Arsenal.

  • Talk to people.

  • Leave room for surprises.

  • And remember that the most valuable thing you'll bring home isn't a suitcase full of vendor swag.

See you in Vegas.