Master Attack Surface Management: Learn core strategies to reduce and control your digital attack surface.
Stay Ahead of Exploited Vulnerabilities: Get expert insights on the CISA KEV list and threat response tactics.
Leverage Modern Security Testing: Understand when and how to use red-teaming, pen-tests, and bug bounties.
Secure Your Assets & Cloud Environment: Discover best practices for asset visibility and cloud protection.
SecurityWeek Virtual Events Provide
Vulnerability management is one of the oldest practices in security, yet it remains one of the most frustrating. The legacy model of scan-and-patch has stalled, leaving defenders buried under incomplete inventories, endless patch cycles, and rigid scoring systems that don't reflect the messy reality of modern networks. Security teams now lean heavily on endpoint agents as the only workable solution, but agents cover barely half the problem, leaving unmanaged systems, shadow IT, and entire unknown networks in the dark.
This session examines why traditional approaches keep failing and why vendor hype and competing frameworks only add to the noise. Drawing on real-world lessons and attacker perspectives, it maps out the current coverage landscape, explains how detection methods differ, and explores the trade-offs between established tools and emerging techniques. Attendees will leave with a pragmatic vision for the next generation of exposure management: a hybrid model that meets you where you are by combining cutting-edge research with open source innovation.
HD Moore
runZero, CEO and Founder
While organizations race to deploy generative AI, they are introducing a new and poorly understood attack surface ripe for exploitation. This technical deep-dive moves past theory to detail the actual vulnerabilities and attack paths Cobalt pentesters are discovering in genAI systems today. What You Will Learn:
Willa Riggins
Cobalt, Principal Security Consultant & Product Leader
Vulnerability scoring frameworks promise clarity but often deliver confusion. CVSS (Common Vulnerability Scoring System) bends messy math into neat curves, EPSS (Exploit Prediction Scoring System) leans on opaque models, and SSVC (Stakeholder-Specific Vulnerability Categorization) relies on structured intuition. This talk explores the strengths and flaws of these systems, asking whether they improve risk decisions or simply rationalize them. You can expect smart analysis, best practices (and astrology jokes!) along the way.
Tod Beardsley
runZero, VP of Security Research
Please visit our sponsors in the Exhibit Hall and explore their resources. They're standing by to answer your questions.
APIs are the backbone of modern applications, but without proper security, they are vulnerable to DDoS attacks, data exfiltration, and business disruption. In this talk, we’ll explore key OWASP API security vulnerabilities, real-world breaches caused by misconfigured APIs, and mitigation strategies through proper security configurations.
We'll cover critical concepts like Broken Object Level Authorization (BOLA), Broken Function Level Authorization (BFLA), infrastructure security, and the importance of using Identity Providers (IDPs) instead of building custom authentication systems. Through live code examples, we’ll demonstrate common vulnerabilities and how to remediate them using robust validation and access control mechanisms.
Siri Varma Vegiraju
Microsoft Azure Security, Security Tech Lead
AI systems are the newest and fastest growing part of the attack surface and also the least understood. In this talk, I’ll pull back the curtain on real-world adversarial campaigns against large language models and AI applications, showing how attackers use prompt injection, data poisoning, and model manipulation to bypass guardrails, leak sensitive data, and subvert business logic. I’ll share lessons from building and running the largest generative red teaming platform to date along with practical strategies for finding, prioritizing, and hardening AI attack surfaces so security teams can stay ahead of threats. You will leave with a clear framework for adding adversarial AI testing into your attack surface management program and a plan for protecting your platforms, your business, and your customers as AI becomes mission critical.
David Campbell
Scale AI, Head of AI Security Research
As AI and machine learning systems become integral to critical infrastructure in finance, healthcare, and energy sectors, they present unique security challenges that extend far beyond traditional application security. This presentation examines the specific threat landscape facing AI-driven data pipelines and provides actionable strategies for implementing security controls that satisfy both regulatory compliance and robust defense-in-depth principles.
AI systems in regulated industries process highly sensitive data while operating under strict compliance frameworks like GDPR, HIPAA, and PCI DSS. However, these systems introduce novel attack vectors including model poisoning, adversarial inputs, data exfiltration through model inference, and supply chain vulnerabilities in ML libraries and pre-trained models. With healthcare data breaches increasing 55% year-over-year and financial services facing an average of 700 security incidents annually, securing AI pipelines has become mission-critical.
This talk will cover comprehensive security strategies for AI data pipelines, including secure model training environments, encrypted data processing workflows, access control mechanisms for ML operations, and monitoring systems designed to detect both traditional security threats and AI-specific attacks. We'll explore techniques for implementing zero-trust architectures in ML workflows, securing model deployment pipelines, and maintaining audit trails that satisfy regulatory requirements while preserving operational efficiency.
Real-world case studies will demonstrate practical implementations, such as a healthcare organization that prevented a potential model poisoning attack through anomaly detection in their training pipeline, and a financial institution that implemented secure federated learning to improve fraud detection while maintaining customer privacy and regulatory compliance. Attendees will leave with practical knowledge of threat modeling methodologies specific to AI systems, implementation strategies for secure ML operations (MLSecOps), and frameworks for balancing security requirements with the operational needs of AI-driven business processes in highly regulated environments.
Rahul Vats
Capital One Financial Corporation, Senior Lead (Manager)
runZero delivers the fastest, most complete security visibility possible across all of your assets (including IT, OT, and IoT) and across your entire internal and external attack surfaces, so you can mitigate exposures before they are compromised and stay compliant. This interactive demo explores how runZero can help you address specific challenges and use cases.
In an era of rapid development, security teams can no longer rely on slow, traditional testing methods to manage their expanding attack surface. The Cobalt Offensive Security Platform delivers fast, human-led pentesting on-demand so you can innovate securely without sacrificing speed. See how you can build a programmatic and continuous offensive security program that keeps pace with your business. In this session, you will learn how to: