[un]prompted Conference — March 3–4, 2026
Two-day single-narrative practitioner conference, San Francisco, March 3–4, 2026. CFP Chair: Gadi Evron (CEO, Knostic). Format: “intimate, raw, fun” — practitioner-only, sharp talks plus live demos.
Naming
The source page (unpromptedcon.org as captured 2026-02-14) carries the headline “[un]prompted II … Coming Back This September” and the body text “[un]prompted is back for the second time in (or around) September, in SF”. Read literally, the September event is [un]prompted II and this March 3–4, 2026 agenda is the prior conference. The page also references “Material from the first [un]prompted!” with YouTube videos already published. Because the iteration count is ambiguous on the source itself, this wiki uses date-based slugs (unprompted-conference-march-2026) instead of roman numerals. The September 2026 event, when its agenda is published, will live at its own date-slugged page.
This page is the full talks catalog with presenter, organization, and notable data points (incidents, capability claims, scale evidence). For the relevance ranking against this wiki’s RA and CMM, see [[unprompted-march-2026-talks-vs-ra-cmm|[un]prompted March 2026 Talks — Relevance to RA + CMM]].
Conference logistics
- Stage 1 + Stage 2 running in parallel both days (Stage 2 opens later — 09:35 on Day 1, 09:10 on Day 2).
- Evening events: Mar 2 unofficial reception at The UNDERDOGS Cantina; Mar 3 official event at The Hibernia; Mar 4 easy-going get-together.
- Materials from “the first [un]prompted” (per the source’s own phrasing): YouTube channel @un_prompted; conference NotebookLM at notebooklm.google.com/notebook/78ee3710-1741-488d-af06-159f518e9510.
- Detailed agenda: docs.google.com/spreadsheets/d/1J0ZbIvR5H7mAp43Io-xff_00EkX6evawPCbpTNqrRo0.
Day 1 — Stage 1 (Tuesday, March 3, 2026)
| Time | Talk | Speaker(s) / Org | Notable data points |
|---|---|---|---|
| 09:00 | Opening Words — “Research conferences aren’t effective” | Gadi Evron, Knostic | Format pitch: structured matchmaking over random encounters; nods to Joe Stewart’s ACoD talk |
| 09:20 | Evaluating Threats & Automating Defense: How Google is Advancing Code Security | Heather Adkins, Google (VP Security Engineering) | CodeMender (Google’s AI-driven code security tool); Google’s full AI security strategy |
| 09:35 | The Hard Part Isn’t Building the Agent: On Measuring Agent Effectiveness | Joshua Saxe, Meta (AI Security Tech Lead) | From naive precision/recall to multi-dim eval (reasoning quality, evidence gathering, tool-calling); genetic algorithms + AI coding tools for automated agent improvement; live demo |
| 10:00 | Security Guidance as a Service: AI-Native Blueprint for Defensive Security | Shruti Datta Gupta + Chandrani Mukherjee, Adobe | Centralized security knowledge powering multiple defensive AI capabilities; “consistent, evaluated, bespoke guidance” |
| 10:45 | Guardrails Beyond Vibes: Shipping Security Agents in Production (ingested 2026-05-03) | Jeffrey Zhang + Siddh Shah, Stripe | Threat modeling + security request routing agents in production; modular orchestrator/child sequential pipeline; golden-standard + LLM-as-a-Judge offline eval; phased rollout to all Stripe devs; AlphaEvolve prompt evolution failed at cost constraints; five concrete learnings |
| 11:10 | Code Is Free: Securing Software in the Agentic Future | Paul McMillan + Ryan Lopopolo, OpenAI | “Engineering-first, zero-friction” security via LLM-authored invariants; the “Code is Free” thesis |
| 11:35 | AI Agents for Exploiting “Auth-by-One” Errors | Brendan Dolan-Gavitt + Vincent Olesen, XBOW | AuthN + AuthZ validators as the unlock for autonomous exploit agents; real-world examples discovered in production |
| 12:00 | Developing & Deploying AI Fingerprints for Advanced Threat Detection | Natalie Isak + Waris Gill, Microsoft | BinaryShield — privacy-preserving prompt-injection fingerprinting for cross-org threat intel; arXiv:2509.05608 |
| 13:30 | When Passports Execute: Exploiting AI-Driven KYC Pipelines | Sean Park, TrendAI (Principal Threat Researcher) | Document-embedded injects in KYC extraction agents; cross-record reads/writes via compliance verification chain; LLM-generated high-success payloads validated with a Claude Code extraction agent |
| 13:55 | FENRIR: AI Hunting for AI Zero-Days at Scale | Peter Girnus + Derek Chen, TrendAI | 100+ vulns since mid-2025; 21 CVEs patched incl. multiple CVSS 9.8 RCEs; multi-stage pipeline (static pre-triage → L1 LLM prune → L2 LLM deep-verify → confidence-based human routing); cites IRIS 2.5× over CodeQL, Big Sleep SQLite zero-day |
| 14:20 | AI Notetakers: The Most Important Person in the Room | Joe Sullivan, Ukraine Friends / Joe Sullivan Security | Steering the AI notetaker as governance risk and IR opportunity; consent + discovery exposure |
| 14:55 | AI go Beep Boop! | Adam Laurie (“Major Malfunction”), Alpitronic (CISO) | Claude pwned an LPC chip in 7 minutes that the speaker had failed to glitch in 6 weeks; in <1 month rewrote his whole glitching platform |
| 15:20 | Zeal of the Convert: Taming Shai-Hulud with AI | Rami McCarthy, Wiz | Shai-Hulud (2025) post-mortem — internet-scale GitHub data leaks; from vibe-coded scrapers → multi-agent triage engines for victimology + secret impact |
| 15:45 | Anatomy of an Agentic Personal AI Infrastructure | Daniel Miessler, Unsupervised Learning | Personal AI infra deepdive + companion open-source project |
| 16:10 | Black-hat LLMs | Nicholas Carlini, Anthropic (Research Scientist) | “Recent SOTA models can find 0-day vulns in large software extensively human-tested for decades”; threat-landscape revision |
| 16:35 | Vibe Check: Security Failures in AI-Assisted IDEs | Piotr Ryciak, Mindgard (AI Red Teamer) | Catalog of exploitation patterns across OpenAI Codex, Amazon Kiro, Google Antigravity, Cursor, others; zero-click / one-click / autorun / time-delayed trigger taxonomy |
Day 1 — Stage 2 (Tuesday, March 3, 2026)
| Time | Talk | Speaker(s) / Org | Notable data points |
|---|---|---|---|
| 09:35 | Establishing AI Governance Without Stifling Innovation | Billy Norwood, FFF Enterprises (CISO) | Risk-based AI governance committee in healthcare services; successes + failures |
| 10:00 | Enterprise AI Governance at Snowflake | Ragini Ramalingam, Snowflake (Director, Enterprise Security) | Cross-functional governance framework, embedding security into emerging tech |
| 10:45 | Three Phases of AI Adoption: GPU Lottery → Enterprise Agreements | Chase Hasbrouck, U.S. Army Cyber Command (Chief of Forensics/Malware Analysis) | 2023 fragmented research previews / 2024 token budgets killed experimentation / 2025 enterprise agreements remove cost barriers; cultural change as the constraint |
| 11:10 | SIFT — FIND EVIL!! I Gave Claude Code R00t on the DFIR SIFT Workstation | Rob T. Lee, SANS Institute (CAIO; Chief of Research) | Cites Anthropic GTG-1002 report: adversaries running Claude Code at 80–90% autonomous execution; SIFT + Claude Code via MCP; “SIFT!! Find Evil!” demo; 40+ hours of testing |
| 11:35 | Can You See What Your AI Saw?: GenAI Endpoint Observability for Detection Engineers | Mika Ayenson, Elastic | Telemetry gaps + correlation across multi-level ancestry chains; case for extending OpenTelemetry semantic conventions to GenAI tool activity |
| 12:00 | Detecting GenAI Threats at Scale with YARA-Like Semantic Rules | Mohamed Nabeel, Palo Alto Networks (Sr Principal Researcher) | SYARA — YARA syntax + multi-modal semantic detection (strings + embeddings + ML + LLMs); 98% detection at <100ms, $0.001/query |
| 13:30 | The Advent of Confidential AI | Raghu Yeluri, Intel (Fellow) | TEE-based confidential AI for inferencing data + prompts + context; remote attestation; two real deployments |
| 13:55 | Tenderizing the Target: Soaking Code in Synthetic Vulnerabilities | Aaron Grattafiori + Skyler Bingham, NVIDIA | Marinade — agentic workflow that injects realistic exploitable vulnerabilities into Django/Spring Boot/Java/Rails codebases; preserves functionality; ships per-vuln validation script |
| 14:20 | Hooking Coding Agents with Cedar ✅ ingested | Matt Maisel, Sondera (CTO/Cofounder) | Rust hooks + Cedar policies as a deterministic reference monitor for shell, file, and tool actions; open-source; Cursor + Claude Code + Gemini CLI; four-type trajectory event model (action/observation/control/state); IFC taint tracking across turns; policy agent for Cedar generation + formal validation over MCP |
| 14:55 | Glass-Box Security: Operationalizing Mechanistic Interpretability for Defending AI Agents ✅ ingested | Carl Hurd, Starseer (Co-Founder/CTO) | “Glass-Box Security” paradigm — forward-pass hooks + cosine similarity (intent) + scalar projection (strength); behavior-based detection rules in YARA-style AI modules; canary-model pattern for frontier-model coverage; argues for sovereign infra; semantic traceability vs syntactic traceability for agent trust |
| 15:20 | The AI Security Larsen Effect: How to Stop the Feedback Loop | Maxim Kovalsky, Consortium Networks (MD, AI Security CoE) | “60+ vendors, 15 one-pagers”; capability-based framework that decides configure/buy/build; live demo with agentic healthcare chatbot + PHI + Azure + CrowdStrike |
| 15:45 | Kinetic Risk: Securing & Governing Physical AI in the Wild | Padma Apparao, Intel | Vision-Language-Action (VLA) models in robotics/autonomy; sensor spoofing + embodied instruction manipulation; argues NIST AI RMF + EU AI Act fall short for non-deterministic embodied AI |
| 16:10 | Trajectory-Aware Post-Training of Open-Weight Models for Security Agents | Aaron Brown + Madhur Prashant, AWS | Open-source pipeline (env setup, data collection, reward function design, two-stage SFT→GRPO) on NVIDIA DGX Spark; releases configs, eval harness, fine-tuned GLM-4.7 30B Flash weights on HuggingFace |
| 16:35 | AI Found 12 Zero-Days in OpenSSL. What Does It Mean For The Industry? | Adam Krivka + Ondrej Vlcek, AISLE | OpenSSL Jan 2026 update: 12 vulns found and reported by AISLE’s AI; 3 hidden 20+ years; hundreds more across curl, Linux kernel, wolfSSL |
Day 2 — Stage 1 (Wednesday, March 4, 2026)
| Time | Talk | Speaker(s) / Org | Notable data points |
|---|---|---|---|
| 09:00 | Opening Words | Gadi Evron, Knostic | — |
| 09:10 | 200 Bugs/Week/Engineer: How We Rebuilt Trail of Bits Around AI | Dan Guido, Trail of Bits (CEO) | 200 bugs/week/engineer claim; AI-native consulting “operating system” of incentives + defaults + guardrails + verification; internal/external skills repos; opinionated config baselines; sandboxing; pricing/staffing model changes |
| 09:35 | 8 Minutes to Admin. We Caught It in the Wild. Welcome to VibeHacking | Sergej Epp, Sysdig (CISO) | Two AI-assisted campaigns — (1) 8-minute AWS escalation stolen creds → full admin; (2) EtherRAT — fileless Node.js implant using Ethereum smart contracts for C2; behavioral attribution methodology |
| 10:00 | macOS Vulnerability Research: Augmenting Apple’s Source Code + OS Logs with AI Agents | Olivia Gallucci, Datadog | AI for triage of open-source diffs, exploit-potential identification, fuzz-target prioritization on shared macOS/iOS open-source code |
| 10:55 | Promp2Pwn — LLMs Winning at Pwn2Own | Georgi G, Interrupt Labs (Director of Research) | Agentic AI bug-hunter for Pwn2Own; found a vulnerability in Samsung Bixby |
| 11:20 | Breaking the Lethal Trifecta (Without Ruining Your Agents) | Andrew Bullen, Stripe (Head of AI Security) | Stripe’s containment architecture for Lethal Trifecta: Smokescreen egress proxy + agent-tag CI gate; Toolshed central MCP + ToolAnnotations; queued/batched/optimistic confirmations; coins the Lethal Bifecta for sensitive writes. Slides + transcript ingested. |
| 11:45 | Building Secure Agentic Systems: Lessons from Daily-Driver Agents (ingested 2026-05-03) | Brooks McMillin, Dropbox (Infrastructure Cloud Security Engineer) | Per-agent MCP tool scoping (73-tool fleet); memory isolation by class-name namespace (cross-agent leakage failure + fix); context-aware security-event pinning (N-token attack-hiding pattern); LLM firewall over-tuning lessons; delegation chains named as open gap. Slides + transcript ingested. |
| 12:10 | Rethinking How We Evaluate Security Agents for Real-World Use | Mudita Khurana, Airbnb (Staff Security Engineer) | Capability-centric framework; the find → confirm exploit → patch → validate workflow; observability into planning, reasoning, tool-use, context |
| 13:30 | Securing Workspace GenAI at Google Speed: Surviving the Perfect Storm (ingested 2026-05-03) | Nicolas Lidzborski, Google (Principal Engineer, Workspace Security) | “Perfect Storm” = sensitive data + untrusted content + external command execution; calendar invitation as agent-hijack vector; defense-in-depth blueprint for Gemini + Workspace; introduces Prompt as Code, Agency Gap, Orchestration Hijacking, Recursive Prompt Injection (and Semantic Gaslighting), Plan-Validate-Execute Pattern, Sentinel Tokens (Prompt Delimitation) |
| 13:55 | Operation Pale Fire: How We Red-Teamed Our Own AI Agent | Wes Ring + Josiah Peedikayil, Block | Red-team of goose (Block’s open-source AI agent) |
| 14:20 | Training BrowseSafe: Lessons from Detecting Prompt Injection in Production Browser Agents | Kyle Polley, Perplexity | BrowseSafe in production protecting browser agents; fine-tuned MoE Qwen-30B; F1 ~0.91 at sub-100ms; BrowseSafe-Bench w/ high-entropy realistic HTML; data flywheel from production feedback |
| 15:05 | Exploring the AI Automation Boundary for Threat Hunting at Datadog | Arthi Nagarajan, Datadog | Single agent → orchestrator-subagent system; hypothesis-driven query gen, iterative refinement, evidence narrowing |
| 15:30 | Detection & Deception Engineering in the Matrix | Bob Rudis + Glenn Thorpe, GreyNoise Labs | Orbie — agent over internet-scale honeypot data; emergent threats, campaigns, detection rules; “domain expert knowledge in tooling > model choice” |
Day 2 — Stage 2 (Wednesday, March 4, 2026)
| Time | Talk | Speaker(s) / Org | Notable data points |
|---|---|---|---|
| 09:10 | Total Recon: How We Discovered 1000s of Open Agents in the Wild | Avishai Efrat + Roey Ben Chaim, Zenity | 1000s of exposed agents (copilots, custom agents, AI middleware) reachable + enumerable + over-permissioned; releases PowerPwn recon tool |
| 09:35 | Your Agent Works for Me Now (ingested 2026-05-03) | Johann Rehberger (Red Team Director) | Promptware = engineered prompts that act like malware; delayed tool invocation bypasses Google’s Workspace tool deactivation control; Agent Commander prompt-level C2 with zero-click Gmail enrollment; previously undisclosed exploits against Gemini, Copilot, Xcode, OpenClaw, KimiCloud |
| 10:00 | Capability-Based Authorization for AI Agents — Warrants That Survive Prompt Injection ✅ ingested | Niki Aimable Niyikiza, Founder @ Tenuo / SE @ Snap | Cryptographic Tenuo Warrants (Macaroons/UCAN/Biscuits/CaMeL lineage) — six properties: signed, scoped, ephemeral, holder-bound, verifiable offline, delegation-aware. Monotonic attenuation across hops freezes the blast radius. 4 deployment modes; ~55μs auth / ~200ns deny; 53/53 violations rejected on 5,700 fuzz probes; baseline 90%→0% multi-agent ASR on custom harness; live LangGraph demo with 4 enforcement scenarios |
| 10:55 | Injecting Security Context During Vibe Coding | Srajan Gupta, Dave (Sr Security Engineer) | MCP server that injects threat models + security requirements + OWASP guidance into the AI coding loop pre-generation; verifies output post-generation |
| 11:20 | Source to Sink: How to Improve LLM First-Party Vuln Discovery | Scott Behrens + Justice Cassel, Netflix | “Mass-closed 200 AI-generated findings” therapy; agentic pipeline that thinks before it screams |
| 11:45 | The Parseltongue Protocol: A Deep Dive into 100+ Textual Obfuscation Methods | Joey Melo, CrowdStrike (AI Red Teaming Specialist) | 100+ encoding/encryption techniques × 9 leading AI models × 17,000+ malicious prompts; safety-system gaps |
| 12:10 | Why Most ML Vulnerability Detection Fails (And What Actually Worked for Kernel Bugs) | Jenny Guanni Qu, Pebblebed (AI Researcher) | 125K Linux kernel commits; “hard negatives” hurt; subsystem boundaries are where bugs hide; average kernel security bug survives 2.1 years undetected |
| 13:30 | 1.8M Prompts, 30 Alerts: Hunting Abuse in a User-Defined Agent Ecosystem (ingested 2026-05-03) | Matt Rittinghouse + Millie Rittinghouse, Salesforce | Agentforce defense at scale — 12,000+ unique daily agents across 55,000 orgs, ~1.8M daily prompts; three-level ensemble model (user/agent/org); <30 high-fidelity daily alerts; ratio ~60,000:1; 12–24 hr batch detection; roadmap to hot-path auto-containment |
| 13:55 | AI Security with Guarantees | Ilia Shumailov, AI Sequrity Company (CEO) | Security guarantees for modern AI agents incl. computer use |
| 14:20 | From OSINT Chaos to Knowledge Graph: Production-Scale AI-Powered Threat Intel | Dongdong Sun, Palo Alto Networks | Production AI pipeline from millions of threat reports → queryable knowledge graph |
| 15:05 | Beyond the Chatbot — Delivering an Agentic SOC for Real-World Defense (stub-summary 2026-05-07) | Peter Smith + Ravi Kiran Sharma, Salesforce | Polyphonic (Supervisor-Worker) architecture — moves past monolithic black-box copilots |
| 15:30 | Are Your LLM’s Safety Mechanisms Intact? Detecting Backdoors with White-Box Analysis | Akash Mukherje, Realm Labs (Co-Founder) | White-box safety-signal analysis — backdoors that selectively weaken refusal but pass black-box eval; refusal-correlated internal signals |
Notable data points (incidents + capability evidence)
Headline numbers worth quoting
- AISLE — 12 OpenSSL 0-days fixed Jan 2026, 3 hiding 20+ years; hundreds more across curl / Linux kernel / wolfSSL.
- TrendAI FENRIR — 100+ vulns since mid-2025, 21 CVEs incl. multiple CVSS 9.8 RCEs.
- Sysdig — 8-minute AWS escalation caught in the wild; EtherRAT fileless Node.js with Ethereum smart-contract C2.
- Adam Laurie / Alpitronic — Claude glitched an LPC in 7 minutes vs human 6 weeks.
- Salesforce Agentforce — 1.8M prompts/day reduced to <30 high-fidelity alerts.
- CrowdStrike Parseltongue — 17,000+ malicious prompts × 100+ obfuscation methods × 9 leading models.
- Pebblebed — avg kernel security bug undetected for 2.1 years; 125K-commit training set.
- Perplexity BrowseSafe — F1 ~0.91 at <100ms latency, fine-tuned Qwen-30B MoE.
- PAN SYARA — 98% detection at <100ms / $0.001/query.
- Mindgard — exploit catalog across Codex, Kiro, Antigravity, Cursor.
- Zenity — 1000s of exposed agents in the public internet; PowerPwn recon tool.
- SANS / Rob T. Lee cites Anthropic GTG-1002 — adversaries running Claude Code at 80–90% autonomous.
- Carlini / Anthropic — recent SOTA models finding 0-days in extensively-tested software.
- Trail of Bits — claims 200 bugs/week/engineer in their AI-native operating model.
Recurring patterns across the agenda
- Production agent containment is now the practitioner topic. Stripe (×2), Google Workspace, Block, Perplexity, Dropbox, Salesforce (×2), Airbnb, and Snap all present production-agent defenses, not lab work.
- Agentic vuln discovery is a category. AISLE, TrendAI FENRIR, XBOW, Interrupt Labs, NVIDIA Marinade, Datadog/macOS, Pebblebed, Netflix, Carlini/Anthropic — all describe AI agents as production vuln finders.
- Reference-monitor-by-policy is a concrete pattern. Sondera (Cedar), Snap (capability warrants / UCAN), Dave (MCP context injection), Stripe (CI-time tool annotations), Trail of Bits (sandboxing) — converging on policy-evaluated tool calls.
- Observability is glass-box, not black-box. Starseer (mechanistic interp), Realm Labs (white-box backdoor analysis), Elastic (OTel for GenAI), Salesforce (behavioral baselines), GreyNoise (Orbie) — model internals + behavioral telemetry > output filters.
- Browser + IDE agents are the new attack surface. Perplexity BrowseSafe, Mindgard (Codex/Kiro/Antigravity/Cursor), Stripe (lethal trifecta), Google Workspace (calendar injection), Johann Rehberger (Gemini/Copilot promptware).
- Governance talks are operational, not aspirational. Snowflake, FFF Enterprises, US Army, Trail of Bits — describe the failure modes of governance, not the framework checklists.
Cross-references in this wiki
- Architecture & CMM: Agentic AI Security Reference Architecture (2026) · Agentic AI Security Capability Maturity Model — A 2026 Practical Proposal · Agentic AI Security CMM — Standards Crosswalk Matrix
- Concepts called out by name: Lethal Trifecta (Stripe Bullen) · Indirect Prompt Injection (TrendAI Park, Google Workspace) · MCP Security (SANS, Dave) · Non-Human Identity (NHI) (Snap warrants, Stripe) · Guardian Agent · Oversight Layer (PDP + PEP for Agentic AI) · Agent Observability (Starseer, Realm, Elastic, Salesforce) · Shadow Automation (Hasbrouck) · Supply Chain Security for Agentic AI (Wiz Shai-Hulud, Mindgard, AISLE)
- Practices that map to talks: Prompt Injection Containment for Agentic Systems · RAG Hardening · Credential Proxy Pattern for AI Agents · Agent Sandboxing
Companion analysis
Talks vs RA + CMM relevance ranking — sorts every talk by relevance to this wiki’s reference architecture and capability maturity model.