TBA

More talks to come. Reviewed by a peer-review board of practising researchers. Click any talk for details — share the link with a colleague.











It started with the obvious: Prompt injection. Feed a chatbot malicious instructions via unexpected channels, watch it forget its system prompt, make it say things it should not. Cheap, reliable, and for a while that felt like the whole game. Yet the same trick that leaks a chatbot's data turns into code execution once the model sits inside a tool.
This talk shows my rollercoaster ride: from making chatbots spill their context, to indirect prompt injection that reaches RCE in VSCode, makes GitHub Copilot inject malicious code into pull requests, and up to the point where we stopped attacking other people's agents and built our own, and had to watch where they break. On the AI level and the infrastructure level - Starlette's BadHost and LiteLLM, the perfect couple for RCE ever after!
What I found is that attacking AI in 2026 is not clearly defined bug classes in the classical way. Agentic workflows harvest untrusted data and act on it iteratively, with no clean boundary between what they read and what they execute. Context is the new attack surface, and context can be poisoned. You do not need to talk to the agent. You leave clues where it will find them, and it does the rest.
I will also explain why attacking these systems increasingly requires AI of your own. The targets are non-deterministic, the recon is too large for a human to drive by hand, and the only thing that scales against an agent is another agent.
We conclude the talk by giving an outlook on what lies ahead, security is changing but the underlying paradigms didn't change yet, their importance is just more visible while our technical debt is being dragged into the daylight by automated bug finding machines at scale!

Markus Vervier is CEO of Persistent Security and Director at X41 D-Sec GmbH, a specialized application security, penetration testing, and red/purple-teaming provider. Over the past 18 years he has worked as a security researcher, code auditor, and penetration tester. His work includes security analysis and reverse engineering of embedded firmware for mobile devices, discovering vulnerabilities in Signal Private Messenger (with JP Aumasson), and finding a remote vulnerability in libOTR. He is currently active in the development of offensive security tooling and platforms that break AI security defenses.