Sessions of 2026

AI agents are making decisions, calling tools, and trusting data, all without human review. But with autonomy comes a new and largely misunderstood attack surface. In this demo‑driven talk, we’ll show how agentic AI systems can be hijacked without code exploits. Using nothing but text, tools, and trust. Through live demos, we explore three real‑world classes of vulnerabilities from the OWASP Top 10 for AI: - Indirect Prompt Injection, where untrusted content silently manipulates agent decisions - Tool / MCP Poisoning, where malicious tool descriptions hijack agent behavior and leak full context - RAG Poisoning, where internal knowledge causes persistent data exfiltration No slides. No theory. Just Demo, Demo, Demo! With practical DevSecOps lessons on why classic security controls fall short once AI agents start acting on your behalf.

You are in a meeting. Someone checks their Generative AI of choice mid-discussion and announces: "The AI says we just need to do X." Everyone nods and moves on. Congratulations, you have just solved the wrong problem. Nothing is broken. Everything is faster, and yet something is wrong. Generative AI has amplified our worst problem-solving habit: jumping to solutions before understanding the problem. It is System 1 thinking on steroids, magnified by the Dunning-Kruger effect: confident, fast, and increasingly wrong. We are racing toward solutions faster than ever, but they are brittle, disconnected, and often miss the point entirely. This talk will teach you that one question changes everything: "What problem are we actually solving?" It sounds simple. It is not. You will learn how to recognize when speed is hiding misunderstanding, how to distinguish symptoms from root causes, map consequences before committing, and slow down long enough to understand what you are actually solving for. This is not just theory; it is a practice you can apply in your next team meeting. The best AI prompts, the smartest automation, and the fastest deployments are worthless if we are solving the wrong problem. It is time to stop optimizing for speed and start optimizing for understanding.

According to Gartner, 95% of enterprise AI initiatives fail - not because of the technology, but because organizations lack the cultural, operational and contextual foundation to make AI work in production. This session shows what it takes to be part of the 5% that succeed - real, deployed, hands-on. No buzz words, no myths, no false promises. We’ll explore the shift from scripted automation to context-aware, agentic delegation, where systems understand environments, dependencies, and intent. By embedding context into neural networks and context graphs, we move from maintaining scripts to delegating outcomes - enabling deterministic, auditable, and resilient automation across any infrastructure, including air-gapped systems. Using real examples from platform engineering and enterprise operations, we’ll demonstrate how context-aware automation might reshape open source adaption and the entire cloud-native ecosystem. Don’t be fooled: success takes more than just tech - it requires a mindset-shift, governance, and a culture ready to rethink everything that they've learned. Forget your current "now" and take something home that helps you with your decision making - especially if you're desperate about bringing your automation-KPI up.

“AI agent” has become an overloaded term, applied to everything from glorified cron jobs to brittle prompt chains. In this talk, we challenge the hype and ask a simple question: what actually qualifies as an AI agent? We’ll break down common misconceptions, examine real-world implementations, and contrast agent-like systems with workflows, automations, and orchestration pipelines that are often mislabeled. Through concrete examples, we’ll explore autonomy, planning, memory, feedback loops, and failure modes, and show where most systems quietly fall short. The goal is not to define yet another framework, but to give practitioners a clear mental model to reason about agents, avoid architectural self-deception, and build systems that deserve the name.

The linux kernel through eBPF offers to unify the disparate fields security and observability through shared data structures. We show how a K8s Security Operations Center, organically composed of established eBPF projects can see signals that the individuals cannot. We explain how we achieve both a comprehensive baseline and use independent signals to dial up/down coverage as suspicious indicators surface. The mutual independence of signals from across processes, file system, and network activity achieves a high signal-to-noise, enabling manageable data volumes and facilitating selective forensic storage. You will see two shorts demos: (A) of a root-kit which is hard to detect for sys-call based security tools in their default configurations, however almost trivial to detect with our adaptive setup. (B) of an agentic AI attack that mimicks a cobalt-strike C2 server You ll also learn how our SOC architecture is node-local and can be airgapped. This means no data leaves the cluster and you remain sovereign and in control of your data.