Offensive AI Con

112 posts

@OffensiveAIcon

Year 2 of the first con dedicated to exploring the offensive use of AI. Hosted by RemoteThreat. Oct 4-7, 2026 | Oceanside, CA #OffensiveAICon

Oceanside, CA · Joined September 2024
17 Following · 1.3K Followers
Offensive AI Con @OffensiveAIcon
We’re proud to introduce the Offensive AI Con 2026 Review Board. This year, we’ve brought together 12 of the most respected minds across offensive security, AI research, and real-world adversarial operations to help shape the direction of OAIC. The CFP opens June 1st!
Offensive AI Con retweeted
Eric Hartford @QuixiAI
Last week, Anthropic announced Project Glasswing alongside Claude Mythos Preview, a model they described as so powerful at finding vulnerabilities they couldn't release it. The announcement featured AWS, Microsoft, Google, and Apple as partners, $100M in compute credits, and a clear message: this is dangerous, and only we can be trusted to deploy it safely.

The results were real. Thousands of zero-days across every major OS and browser. A 27-year-old bug in OpenBSD. A 16-year-old bug in FFmpeg. Fully autonomous exploit chains that would have taken human researchers weeks.

But here's what bothered me: all the credit went to the model. Read the technical blog carefully and a different picture emerges. The real innovation isn't the model. It's the workflow:

- Rank every file in a codebase by attack surface
- Fan out hundreds of parallel agents, each scoped to one file
- Use crash oracles (AddressSanitizer, UBSan) as ground truth
- Run a second verification agent to filter noise
- Generate exploits as a triage mechanism for severity

That's a pipeline. And pipelines are model-agnostic.

At Lazarus AI, we spend our days deploying custom AI in places where "just use the closed API" isn't an option: regulated industries, enterprise, and government. When I saw Glasswing, my instinct was the same one I have every week: strip out the proprietary model, keep the architecture, run it on whatever model is best for the customer.

Clearwing is a fully open-source vulnerability discovery engine. Crash-first hunting, file-parallel agents, oracle-driven verification, variant hunting, adversarial verification. Works with any LLM. I tested it with OpenAI Codex 5.4 and reproduced Glasswing's findings. I'm now reproducing results with our own ReAligned model - Qwen3.5 finetuned to Western alignment.

Mythos is certainly a great model. The N-day exploit walkthroughs in Anthropic's blog show real reasoning depth. But it's an incremental improvement over Opus, the same way Opus was over Sonnet, and Sonnet over Haiku. It's not a leap to superintelligence. It's the next point on a curve we've been watching for years. What actually changed the game was the workflow.

Defenders shouldn't have to wait for access to a gated model to secure their software. These vulnerabilities have been sitting in codebases for decades. The tools to find them should be available to everyone: the open source maintainer running FFmpeg on a Saturday, the startup that can't afford $125/M output tokens, the researcher in a country where Anthropic doesn't operate.

Clearwing is MIT licensed and available now. github.com/Lazarus-AI/cle…

Clearwing enables a wide variety of security activities. Handle with care. It is sharp.
Offensive AI Con retweeted
AI Security Institute @AISecurityInst
We conducted cyber evaluations of Claude Mythos Preview and found that it is the first model to complete an AISI cyber range end-to-end. 🧵
Offensive AI Con retweeted
Dawn Song @dawnsongtweets
1/ We asked seven frontier AI models to do a simple task. Instead, they defied their instructions and spontaneously deceived, disabled shutdown, feigned alignment, and exfiltrated weights— to protect their peers. 🤯 We call this phenomenon "peer-preservation." New research from @BerkeleyRDI and collaborators 🧵
Offensive AI Con retweeted
the tiny corp @__tinygrad__
If you have a Thunderbolt or USB4 eGPU and a Mac, today is the day you've been waiting for! Apple finally approved our driver for both AMD and NVIDIA. It's so easy to install now a Qwen could do it, then it can run that Qwen...
Offensive AI Con retweeted
moo @moo_hax
Anyone who took this seriously is sitting on thousands of exploits and creds, but they didn’t and so they aren’t. It’s 18 months old at this point. We have since used it to find vulns in MS products and docker images. This is just NuGet…what about npm, PyPI, PowerShell gallery, Brew, Docker, … github.com/dreadnode/exam…

If a leading lab talks like 500 is a big number, it means they don’t have a clue about their own scale wrt cyber. CVE system is functionally pointless. Vulnerabilities can exist without a CVE, and they already couldn’t keep up. Not only that, but disclosure has become one of the worst experiences as a researcher. So, why bother with either.
chiefofautism @chiefofautism

someone at ANTHROPIC just showed CLAUDE finding ZERO DAY vulnerabilities in a live conference demo claude has found zero day in Ghost, 50,000 stars on github, never had a critical security vulnerability in its entire, history... it found the blind SQL injection in 90 minutes, stole the admin api key, then did the exact, same thing to the linux kernel

Offensive AI Con retweeted
chrisrohlf @chrisrohlf
This is an excellent paper from the folks at @AISecurityInst and worth reading. I will have to read it again but this particular point is a good one and I think the takeaway is important. Cyber attack chains across a set of enterprise systems (simulated or real) have a finite number of states that, at a high level, are all well represented in training data, and so the more tokens you spend on a frontier reasoning model the more state space between those chains you can explore. The finding that gains were log linear, and have exponential growth, might improve through model architecture alone, especially if they require fewer compactions overall. Still the cost for these outcomes is extremely low, and that is a very relevant takeaway for policymakers. The ICS example is less well represented in the training data and explains why the model made less progress overall. With the right expert prompting this is likely not a hurdle in practice. But expert prompting falls back on human expertise.
AI Security Institute @AISecurityInst

Can AI agents conduct advanced cyber-attacks autonomously? We tested seven models released between August 2024 and February 2026 on two custom-built cyber ranges designed to replicate complex attack environments. Here’s what we found 🧵

Offensive AI Con @OffensiveAIcon
We're excited to announce that OAIC will return for its second year, October 4–7, 2026. The response to the first event far exceeded expectations, and we’re incredibly grateful for the enthusiasm and support from the community. Request an invite at offensiveaicon.com
Offensive AI Con retweeted
Will @BushidoToken
This is incredible — a truly AI-powered cybercrime operation targeting FortiGates

a) DeepSeek generated attack plans
b) Claude produced vuln assessments and executed OSTs.
c) “ARXON” MCP server acted as a bridge

1. cyberandramen.net/2026/02/21/llm…
2. aws.amazon.com/blogs/security…
Offensive AI Con retweeted
Sam Altman @sama
Last week, a security researcher using our previous model found and disclosed a vulnerability in React that could lead to source code exposure. I believe these models will be a net win for cybersecurity, but we are in the 'real impact phase' as they improve.
Offensive AI Con retweeted
Anthropic @AnthropicAI
We believe this is the first documented case of a large-scale AI cyberattack executed without substantial human intervention. It has significant implications for cybersecurity in the age of AI agents. Read more: anthropic.com/news/disruptin…
Anthropic @AnthropicAI
We disrupted a highly sophisticated AI-led espionage campaign. The attack targeted large tech companies, financial institutions, chemical manufacturing companies, and government agencies. We assess with high confidence that the threat actor was a Chinese state-sponsored group.
Offensive AI Con @OffensiveAIcon
We got swept up in the whirlwind of Day 2 and forgot to post a recap! 🥴 Let's take a quick look back.

Day 2 of Offensive AI Con started off strong with an entertaining panel on the state of the art in offensive AI. Who needs caffeine when you have Perri Adams, Dave Aitel, and Rob Joyce kicking off your day with a lively debate on the AIxCC results, how to take experiments into production, the offensive security equivalent of Move 37, and the state of evals.

The sessions that followed encompassed human-inspired taint reasoning, automating active directory attacks, unique approaches to autonomous web app and API security testing, scaling agentic architectures for offensive operations, building domain-specific verifiers, scaling LLM-based vulnerability research, and how AI is rewriting the rules of global conflict.

We closed out the evening down the road at an Oceanside staple, Green Cheek Beer Co. Cheers to a great night of live music, good food, and great company!

Information on OAIC 2026 coming soon. Get on the list to be notified: offensiveaicon.com/#sold-out #OAIC2025 #OffensiveAICon