
Black Hat USA is the premier annual cybersecurity conference, held from August 2-7 this year at the Mandalay Bay Convention Center in Las Vegas. Our IT Director, Louis Kohman, attended the event. As someone who oversees internal and client systems, AI software integration, and more, he found the conference essential for staying ahead of evolving threats. He also extended his visit to DEF CON 33, which provided a more informal environment with hands-on activities in villages like the Aerospace Village and contests emphasizing “Access Everywhere” as the theme. Both events highlighted the dynamic nature of cybersecurity, offering him valuable insights to enhance his knowledge and skillset.
Black Hat USA 2025 featured a structured agenda: trainings from August 2-5 for skill-building across levels, a Summit Day on August 5 with specialized sessions like the AI Summit, and the main conference on August 6-7 with over 100 briefings, Arsenal tool demonstrations, and networking in the Business Hall.
Keynotes included Mikko Hyppönen’s reflective session on three decades of cybersecurity history, which resonated deeply, and a closing Locknote on August 7 by the Black Hat Review Board discussing pressing InfoSec issues.
Themes centered on AI integration, supply chain vulnerabilities, regulatory changes, and the human element in security, aligning with the challenges Louis and cybersecurity professionals around the world face in their roles.
The Evolution of Malware: From Brain Virus to Covert Operations
One of the standout reflections from the conference echoed the keynote on cybersecurity’s history: malware has transformed dramatically since the early days. The Brain virus, the first PC virus from 1986, was seen more as a prank or nuisance than what we consider a threat now. Today, as discussed in various briefings during the convention, malware is a sophisticated beast focused on stealth and monetary gain rather than widespread disruption. Automatically scaling worms like those of the past have become somewhat rare, as attackers today prioritize covert operations. A mainstream outbreak, like the infamous WannaCry in 2017, signals failure for modern cybercriminals – they aim to stay hidden to maximize profits.
WannaCry, propagated via an SMB exploit allegedly discovered by the U.S. and later leaked, was attributed to North Korea as a means to collect Bitcoin amid budget deficits. Sessions on historical exploits revisited this, emphasizing how nation-state actors blend cybercrime with geopolitics. The shift from flashy infections to silent exfiltration means we must invest in endpoint detection that catches subtle anomalies, not just big bangs.
Supply Chain Attacks: Lessons from GitHub and Beyond
Supply chain security emerged as a critical focus, with sessions examining vulnerabilities in platforms like GitHub. One technique involved double Base64 encoding, where attackers hide payloads that GitHub renders as plaintext, evading scans. This connects to wider risks in open-source ecosystems.
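A defender-side sketch of the scanning gap described above, added here as an example and not taken from the conference session: a scanner that peels nested Base64 layers before applying credential patterns, so a doubly encoded value is still flagged. The patterns, length threshold, sample token and log text are all constructed assumptions, and GitHub's own rendering and scanning are not modelled.

```python
import base64
import binascii
import re

# Runs of base64 alphabet long enough to be worth decoding (threshold is an assumption).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Illustrative credential shapes, not an exhaustive ruleset.
SECRET_PATTERNS = {
    "github_token": re.compile(r"gh[pousr]_[A-Za-z0-9]{36}"),
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

def decode_layer(candidate):
    """Return the decoded text if candidate is base64 of printable text, else None."""
    body = candidate.rstrip("=")
    try:
        raw = base64.b64decode(body + "=" * (-len(body) % 4), validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    ok = text and all(ch.isprintable() or ch in "\r\n\t" for ch in text)
    return text if ok else None

def scan(text, max_depth=3):
    """Return sorted (rule, depth) pairs; depth is how many base64 layers were peeled."""
    findings = set()
    frontier = [(text, 0)]
    while frontier:
        layer, depth = frontier.pop()
        for rule, pattern in SECRET_PATTERNS.items():
            if pattern.search(layer):
                findings.add((rule, depth))
        if depth < max_depth:
            for match in B64_RUN.finditer(layer):
                decoded = decode_layer(match.group())
                if decoded:
                    frontier.append((decoded, depth + 1))
    return sorted(findings)

def b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample: a fake token, encoded twice, inside a CI-style log.
SAMPLE_TOKEN = "ghp_" + "EXAMPLE0" * 4 + "DEMO"  # not a real credential
SAMPLE_LOG = "step 4: env dump\n" + b64(b64(SAMPLE_TOKEN)) + "\nstep 5: done\n"

if __name__ == "__main__":
    print(scan(SAMPLE_LOG, max_depth=0))  # what a single-pass scanner sees
    print(scan(SAMPLE_LOG))               # after peeling nested layers
```

The `max_depth` bound keeps the scan from chasing arbitrarily deep nesting on large logs.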
For agencies abroad, dependent on third-party ad and analytics tools, this prompts stricter vendor assessments. The session also shed light on diverse approaches to deploying proactive alert mechanisms, such as Honeytokens (fake credentials to trap intruders). These “canaries” in our systems could alert administrators to unauthorized access before data is exfiltrated.
Regulatory Shifts: EU’s CRA and Global Implications
The European Union’s new Cyber Resilience Act (CRA) was a recurring theme in Black Hat USA 2025, especially in policy-oriented briefings. Enforced to enhance software security, it requires manufacturers to ensure products are secure by design, with reporting obligations for vulnerabilities. For businesses operating in the EU market, this may mean reevaluating software stacks – from SaaS tools to custom apps – to comply and avoid fines.
Sessions noted how trade disruptions exacerbate vulnerabilities, making on-prem solutions brittle amid shortages. With DEF CON taking place immediately after, Black Hat CEO Jeff Moss also described how challenging it had been to get DEF CON badges delivered on time (which they ultimately were): a tsunami flooded the factory, and an ongoing trade war then impacted supply chains. For example, costs increased by up to 20% within a certain timeframe, and with companies pushing to get goods shipped quickly, there was no pallet space left for hardware.
China was also mentioned specifically across various sessions. China’s cyber law adds another layer of complexity and required forethought. It compels reporting of intelligence, including academic insights, directly to the Chinese government. This could accelerate zero-day exploitation, as seen in mandatory disclosures. For businesses and public institutions, this means reassessing international collaborations involving Chinese entities, implementing robust data localization and sharing restrictions to prevent inadvertent intelligence leaks, diversifying supply chains to minimize dependencies on potentially compromised vendors, and enhancing internal vulnerability disclosure processes to stay ahead of state-sponsored threats that could weaponize unreported zero-days.
AI in Cybersecurity: Hype vs. Reality
AI dominated the agenda, with the AI Summit and Arsenal demos showcasing tools from autonomous penetration testing to automated threat cataloging. Attack surfaces now span enterprise IT (SaaS, cloud, on-prem), vibe-coded apps, data leakage to LLMs, suppliers, and distributors.
One eye-opener on the penetration testing side was the mention of a test on GOAD HARD – a Game of Active Directory lab that takes experts 12-16 hours to conquer manually. When a certain AI tool was given the challenge, the total conquest time dropped to just under 15 minutes, proving humans are the bottleneck. Yet caveats abounded across speaking sessions, all pointing to the same conclusion: AI isn’t ready for prime time. LLMs are conceptually weak, and the systems don’t truly know secure code; they rely on mimicry rather than understanding.
Neurosymbolic AI, blending neural networks with symbolic reasoning (like GPS algorithms), was pitched as a step forward; however, agents backed by LLMs lack reliability – verifiability is key, perhaps via other systems. The term “sloppers” emerged for those who can’t decide without consulting ChatGPT, risking cognitive atrophy in spatial memory and critical thinking.
Keynotes echoed this: despite Claude winning hacking competitions (Anthropic’s model excelling in CTFs), AI falls short. Organizations that scaled down dev teams as “vibe coding” (AI-assisted coding) gained popularity quickly rehired for entry-level positions, realizing the tech isn’t mature. Another interesting briefing highlighted a university study that showed mixed results in anti-phishing training specifically – some real-world orgs saw improvements, others the opposite, highlighting AI’s unreliability in simulating human gullibility.
Personal Reflections from Black Hat USA 2025
Louis said that the events, overall, stressed adaptation in an era of AGI pursuits and stealthy threats. The risks of inaction are too great not to leverage proper cybersecurity measures and tools. Cybersecurity is a marathon, not a sprint – as threats evolve, so must we. Professionals in InfoSec should consider attending future iterations to discover the latest strategies and tools used to navigate cybersecurity’s complexities.