The second half of 2026 is the part of the year defenders actually plan their travel around. Spring belongs to the strategy crowd and the vendor floor at RSAC; the back half belongs to the people who break things and the people who have to fix them. If you only get budget for one or two trips, the choices below are where the real research lands, the tools drop, and the conversations that shape next year's threat models happen in hallways rather than on stage.
A quick honesty note before the calendar: this is a preview written in June 2026. Everything here is dated and forward-looking. We have not seen the talks, we do not know who wins the CTFs, and we are not going to pretend otherwise. Where a date is confirmed by the organizer, we say so. Where it is our read on what the agenda will emphasize, we label it as a prediction, not a recap.
The Las Vegas Anchor: Black Hat USA and DEF CON 34
The center of gravity for H2 is still the same week in Las Vegas that the community calls Hacker Summer Camp. The two flagship events run back to back.
Black Hat USA 2026 is expected the first week of August at the Mandalay Bay Convention Center, on its usual pattern of roughly August 1 through 6. Trainings occupy the front half of the week, Saturday August 1 through Tuesday August 4, with the main Briefings and Business Hall on Wednesday August 5 and Thursday August 6. Black Hat is where you go for peer-reviewed offensive research and the vendor floor, and where a single well-aimed Briefing can reset how an entire class of product gets defended.
DEF CON 34 follows immediately, typically starting the day Black Hat ends and running the weekend, at its Las Vegas venue. DEF CON is the rawer, community-run counterpart: villages, badge hacking, the CTF finals, and talks that are less polished and often more dangerous to a vendor's marketing department. If Black Hat tells you what the industry wants you to worry about, DEF CON tends to show you what you should actually worry about.
Both events have historically run this same week in early August, so check the organizers' sites for the exact 2026 dates before you book. The practical advice has not changed in a decade: book lodging early, plan your trainings against the Briefings schedule, and accept that the best value is in the conversations between sessions, not the sessions themselves.
One structural note worth planning around. Because the two events typically overlap on the handoff day, you cannot fully do both at depth. Black Hat's final Briefings compete directly with DEF CON's opening, and the crowd, the heat, and the logistics of moving between Mandalay Bay and the Convention Center are real costs. Decide which event owns your Thursday before you book flights, not after.
The Academic Counterweight: USENIX Security
A week or so after the Vegas crowd disperses, the next USENIX Security Symposium is expected in mid-August; check the organizer for the confirmed dates and venue. USENIX is the academic and research-heavy counterweight to the commercial energy of Black Hat. It is where a lot of the foundational work — the attacks that become product categories three years later — gets its first rigorous airing.
For anyone building or buying AI security tooling, USENIX matters more than its lower profile suggests. The measurement papers, the adversarial-ML work, and the systems research that show up here are exactly the kind of evidence that should inform whether a vendor's claims hold up. We would rather read a USENIX paper that quietly demolishes a popular assumption than sit through ten keynotes that confirm one.
What Will Actually Be On the Agenda
This section is a prediction, not a report. We have not seen the accepted talks. But the submission climate and the past two years of disclosures make a few themes near-certain.
Expect agentic AI security to dominate. The move from chatbots to AI agents that take actions — calling tools, writing and merging code, touching production systems — has opened an attack surface the industry is still scrambling to define. Prompt injection stopped being a parlor trick the moment an agent could act on the injected instruction. We expect a meaningful share of the AI-track Briefings and several DEF CON village talks to focus on agent hijacking, tool poisoning, and the trust boundaries between a model, its tools, and the data it ingests. Shadow AI — agents and copilots running without security's knowledge — will show up in the governance and blue-team tracks.
Expect software supply chain attacks to stay front and center. Compromised packages, malicious maintainer takeovers, and poisoned build pipelines have been a steady drumbeat, and CI/CD security and provenance will get serious airtime. The harder question the better talks will ask is not "was this package malicious" but "could you prove what went into your build at all." That is a question most organizations still cannot answer cleanly.
Expect the AI-and-supply-chain themes to converge. The interesting frontier is what happens when an AI agent has commit access, or when a model is itself a dependency in your product with no bill of materials describing it. Model poisoning, the integrity of training data, and the absence of an AIBOM for most deployed systems are the kind of unglamorous problems that make for the best, most uncomfortable talks. We will be looking for research that treats a model as a supply chain component rather than as magic.
Quantum readiness and post-quantum cryptography will get its annual block of attention too, though our honest read is that it remains more roadmap than incident. Crypto-agility — the ability to swap algorithms without re-architecting — is the genuinely useful framing, and the long shadow of the so-called 2030 deadline keeps it on CISO slide decks. But it belongs on your multi-year plan; it is unlikely to be the thing that ruins your week in 2026, and we would be skeptical of any vendor on the floor selling quantum panic as this year's emergency.
A word on what we do not expect: a clean, decisive answer to any of these. Conferences are good at surfacing problems and prototyping attacks. They are bad at proving that a defense works at scale. The talks that age best are usually the ones that show a credible exploit and then admit, plainly, what they could not get to. Treat the confident ones with more suspicion than the careful ones.
How to Get Value Without Burning Your Budget
A few opinions, since a calendar without judgment is just a list. Send practitioners to DEF CON and USENIX, and send the people who own vendor relationships to Black Hat's Business Hall. Do not send everyone to everything. Decide in advance what question you want answered — "how do we secure our internal coding agents," say — and route your attendees toward the talks and villages that touch it. And treat vendor claims you hear on the floor as hypotheses to verify against the research down the hall, not as conclusions. The whole reason these events sit a week apart is that the marketing and the measurement rarely agree on the first pass.
How Safeguard Helps
The themes driving these agendas — agentic AI risk, model integrity, and supply chain provenance — are exactly what Safeguard is built to verify. Our Multi-Agent TAOR Deep Think AI engine and Griffin AI run verification and orchestration above the model, so reliability does not depend on any single vendor's claims; OpenAI Daybreak or Anthropic Mythos plug in as bring-your-own-model components, and multi-agent cross-checking is what cuts the false positives that make AI findings untrustworthy. We generate an AIBOM and ML-BOM alongside your software SBOM, enforce policy gates with provenance and attestation, and run vendor scorecards and TPRM workflows so the supply chain questions raised on stage have answers in your dashboard. If you want to compare notes before or after the conference circuit, reach out.