Registered Attendees
Live Sessions
Technical Demos
Interactive Expo Hall
Resource Center
Master Attack Surface Management:
Learn core strategies to reduce and control your digital attack surface.
Stay Ahead of Exploited Vulnerabilities:
Get expert insights on the CISA KEV list and threat response tactics.
Leverage Modern Security Testing:
Understand when and how to use red-teaming, pen-tests, and bug bounties.
Secure Your Assets & Cloud Environment:
Discover best practices for asset visibility and cloud protection.
SecurityWeek Virtual Events Provide
Vulnerability management is one of the oldest practices in security, yet it remains one of the most frustrating. The legacy model of scan-and-patch has stalled, leaving defenders buried under incomplete inventories, endless patch cycles, and rigid scoring systems that don’t reflect the messy reality of modern networks. Security teams now lean heavily on endpoint agents as the only workable solution, but agents cover barely half the problem, leaving unmanaged systems, shadow IT, and entire unknown networks in the dark.
This session examines why traditional approaches keep failing and why vendor hype and competing frameworks only add to the noise. Drawing on real-world lessons and attacker perspectives, it maps out the current coverage landscape, explains how detection methods differ, and explores the trade-offs between established tools and emerging techniques. Attendees will leave with a pragmatic vision for the next generation of exposure management: a hybrid model that meets you where you are by combining cutting-edge research with open source innovation.
HD Moore
runZero, CEO and Founder
While organizations race to deploy generative AI, they are introducing a new and poorly understood attack surface ripe for exploitation. This technical deep-dive moves past theory to detail the actual vulnerabilities and attack paths Cobalt pentesters are discovering in genAI systems today. What You Will Learn:
Willa Riggins
Cobalt, Principal Security Consultant & Product Leader
Vulnerability scoring frameworks promise clarity but often deliver confusion. CVSS (Common Vulnerability Scoring System) bends messy math into neat curves, EPSS (Exploit Prediction Scoring System) leans on opaque models, and SSVC (Stakeholder-Specific Vulnerability Categorization) relies on structured intuition. This talk explores the strengths and flaws of these systems, asking whether they improve risk decisions or simply rationalize them. You can expect smart analysis, best practices (and astrology jokes!) along the way.
Tod Beardsley
runZero, VP of Security Research
Please visit our sponsors in the Exhibit Hall and explore their resources. They're standing by to answer your questions.
APIs are the backbone of modern applications, but without proper security, they are vulnerable to DDoS attacks, data exfiltration, and business disruption. In this talk, we’ll explore key OWASP API security vulnerabilities, real-world breaches caused by misconfigured APIs, and mitigation strategies through proper security configurations.
We'll cover critical concepts like Broken Object Level Authorization (BOLA), Broken Function Level Authorization (BFLA), infrastructure security, and the importance of using Identity Providers (IDPs) instead of building custom authentication systems. Through live code examples, we’ll demonstrate common vulnerabilities and how to remediate them using robust validation and access control mechanisms.
Siri Varma Vegiraju
Microsoft Azure Security, Security Tech Lead
AI systems are the newest and fastest growing part of the attack surface and also the least understood. In this talk, I’ll pull back the curtain on real-world adversarial campaigns against large language models and AI applications, showing how attackers use prompt injection, data poisoning, and model manipulation to bypass guardrails, leak sensitive data, and subvert business logic. I’ll share lessons from building and running the largest generative red teaming platform to date along with practical strategies for finding, prioritizing, and hardening AI attack surfaces so security teams can stay ahead of threats. You will leave with a clear framework for adding adversarial AI testing into your attack surface management program and a plan for protecting your platforms, your business, and your customers as AI becomes mission critical.
David Campbell
Scale AI, Head of AI Security Research
runZero delivers the fastest, most complete security visibility possible across all of your assets (including IT, OT, IoT) across your entire internal and external attack surfaces, so you can mitigate exposures before they can be compromised and stay compliant. This interactive demo explores how runZero can help you address specific challenges and use cases with our interactive demos.
In an era of rapid development, security teams can no longer rely on slow, traditional testing methods to manage their expanding attack surface. The Cobalt Offensive Security Platform delivers fast, human-led pentesting on-demand so you can innovate securely without sacrificing speed. See how you can build a programmatic and continuous offensive security program that keeps pace with your business. In this session, you will learn how to: