Black Hat USA returns to the Mandalay Bay Convention Center in Las Vegas from August 1 to 6, 2026, marking another year for one of the industry's longest-running security conferences. This is a preview, written in June, weeks before the doors open. We are not recapping talks that have not happened, and we are not naming winners that have not been chosen. What we can do is read the program structure, the call for briefings, and the direction the field has been moving, and tell you honestly where we think the signal will be.
The shape of the week is familiar. Trainings run August 1 through 4, a full day of Summits lands on Tuesday, August 4, and the peer-reviewed Briefings fill Wednesday and Thursday, August 5 and 6. The program again pairs a deep slate of peer-reviewed Briefings with the Arsenal tool demos, the Business Hall, the keynotes, and the closing Locknote. One scheduling note worth circling: DEF CON traditionally runs in Las Vegas the same week, overlapping the back end of Black Hat. If you are flying in for both, plan the back half of your week accordingly and confirm the exact dates.
Agentic AI Security Is No Longer the New Topic
A year ago, agentic AI was the breakout theme at Black Hat. The conversation had shifted from "could an AI agent do security work" to "what happens when it does, and who is liable when it gets it wrong." In 2026, that conversation is no longer novel. It is the baseline.
Expect the agentic AI security track to mature from demos into adversarial reality. The interesting questions are not whether agents can triage alerts or write detections. They demonstrably can. The interesting questions are about the failure modes: what does prompt injection look like when the target is an autonomous agent with tool access and a credential, rather than a chatbot? How do you contain an agent that has been steered into exfiltrating data through a tool it was legitimately granted? What does an audit trail even mean when the actor is non-deterministic?
We would watch for research on tool poisoning, on agent-to-agent trust, and on the blast radius of a compromised agent inside a CI/CD pipeline. The honest take is that most organizations deployed AI agents faster than they built the controls to govern them. Black Hat is where that gap gets demonstrated on stage, in public, with a proof of concept. If you run agents in production, that is the room to sit in.
There is also a quieter sub-theme worth tracking: the AI-powered SOC. Vendors have spent two years promising autonomous detection and response, and 2026 is the year those claims start meeting adversarial scrutiny. The useful research will not be the demo that works; it will be the demo of how an attacker manipulates the agent doing the detecting. Shadow AI, the unsanctioned models and agents employees wire into corporate data without telling anyone, belongs in the same conversation. You cannot defend an attack surface you have not inventoried, and most organizations have not finished inventorying theirs.
The Software Supply Chain Keeps Earning Its Spot
Supply chain risk has been a fixture at Black Hat for years, and 2026 will not break the streak. Last year's program leaned hard into third-party code risk and non-human identities, and the underlying problem has only gotten worse: the average enterprise pulls in thousands of transitive dependencies it has never read, signed by maintainers it has never met.
The new wrinkle is AI-generated code. "Vibe coding" produced a flood of software written by people who could not necessarily audit what their assistant emitted, pulling in packages the assistant suggested. That is a supply chain attack surface waiting to be characterized, and we would not be surprised to see it dissected in a briefing or two. Watch also for fresh work on provenance and attestation, on compromised package campaigns, and on the AIBOM, the bill of materials for AI components, which is finally getting treated as a first-class artifact rather than a slideware idea.
The thing to keep in mind as a reader: a flashy supply chain proof of concept on stage is a demonstration of what is possible, not a measurement of what is happening in the wild. Both matter. Do not let the theater of a live exploit substitute for asking whether your own dependency graph is actually exposed.
Post-Quantum Readiness Moves From Theory to Deadline
Post-quantum cryptography has lived in the "important but not urgent" bucket for most security teams. That is changing, and Black Hat tends to track the change. With migration guidance now concrete and the long-discussed 2030-era timelines for deprecating vulnerable algorithms feeling closer, crypto-agility is becoming an operational problem rather than an academic one.
The realistic framing here is "harvest now, decrypt later." An adversary does not need a working quantum computer today to benefit from stealing your encrypted traffic today and decrypting it once one exists. We expect talks that move past the scary headline and into the unglamorous engineering: how do you inventory every place your organization uses cryptography, and how do you swap algorithms without breaking everything? That is the question worth your time. Be skeptical of any session that sells panic without a migration path.
Arsenal, the Business Hall, and the Hallway Track
The Briefings get the headlines, but two other parts of the week often deliver more practical value. Arsenal is where researchers demo open-source tools you can actually take home and run, and it is consistently one of the highest-density-per-minute parts of the show. Check the schedule for when the Business Hall opens relative to Arsenal so you can plan a longer window to work the floor.
A word of caution about the vendor floor: every booth this year will have "AI" on the banner, and a meaningful fraction of it will be a feature, not a product. The useful filter is to ask vendors what their tool does when the model is wrong. If the answer is a shrug or a slide, keep walking. The teams worth your time can describe their verification layer, their false-positive handling, and what a human reviewer actually sees. And do not underrate the hallway track. The unscheduled conversations between sessions are frequently where the real intelligence-sharing happens.
How Safeguard Helps
The throughline across every theme above is the same problem we built Safeguard to solve: AI can now find and fix security issues at scale, but raw model output is noisy, and noise is expensive. Our Multi-Agent TAOR Deep Think AI Engine and Griffin AI put verification and orchestration above the model, so multiple agents cross-check findings before anything reaches a human, which cuts false positives and lets us measure value as cost per verified finding rather than cost per alert. We are model-agnostic by design: bring your own model, and components like OpenAI Daybreak or Anthropic Mythos plug in underneath, while reliability stays in the layer we control. For the supply chain and agentic risks Black Hat will spotlight, our AIBOM and ML-BOM, policy gates, vendor scorecards, and provenance and attestation give you the controls to govern what your agents and your dependencies are actually doing. If you are heading to Mandalay Bay and want to compare notes, reach out.