Across the threat landscape, in this moment, one pattern sits at the center of the story: threat actors are following trust.
They are not only looking for vulnerable systems, but rather targeting the software, services, identities, tools, developer workflows, and AI systems that organizations already depend on.
A package can become a distribution path. A build pipeline can become an access path. A trusted tool can become or expand an attack surface. An AI agent with the wrong access can become a new way to reach code, data, or infrastructure.
While the surfaces may change, the goal for the majority of threat actors remains the same: find what is trusted, abuse it, and scale the impact.
At Black Hat USA 2026, Microsoft Security will walk through how we are seeing this shift unfold, how security teams can look for it earlier, and how threat intelligence, expert-led response, and security operations need to work together when campaigns move across software, identity, cloud, data, and AI systems.
On Wednesday, August 5, 2026, the day begins with David Weston’s keynote, The End of Rare: Defending When Offense Is Cheap, which looks at what defense requires when offensive capability becomes easier to access, automate, and scale. Later that afternoon, Aarti Borkar and Tanmay Ganacharya will resume the main stage for Poisoned at the Source: Inside the Hunt for Supply Chain Attacks, which offers a closer look at how Microsoft Threat Intelligence is hunting attacks across software ecosystems, developer workflows, and trusted services. This includes details into the ongoing attacks on npm (Node package manager).
Together, these sessions frame the challenge security teams are facing now: when offensive capability becomes easier to scale, security teams need to understand the trust paths threat actors can abuse before those paths become open doors for attacks.
At our booth, we’ll also showcase Microsoft Defender Experts Threat Intelligence, a new expert-led service delivering continuous, curated intelligence tailored to your organization, and Microsoft Defender Experts MDR, now extended with third-party and multicloud coverage.
From August 4 to 6, 2026, at Mandalay Bay in Las Vegas, you’ll find Microsoft Security on the Business Hall floor at booth #2144, and on Wednesday evening, join us at the Microsoft Security reception at Swingers at Mandalay Bay.
At 9:15 AM PT on Wednesday, August 5, 2026, David Weston, CVP of Agentic Security, will examine what changes for security teams when offensive capability becomes easier to access, automate, and scale.
The keynote sets up one of the central questions security leaders are facing now: how does the security operations center (SOC) and analysts adapt when threat actors can move faster, test more often, and reuse trusted paths across software, identity, cloud, and AI systems? Join the keynote Wednesday, August 5, 2026, then continue the conversation with Microsoft Security at booth #2144.
That same intelligence-to-action challenge is at the center of our main stage session at Black Hat.
On Wednesday, August 5, 2026, from 2:30 PM PT to 3:00 PM PT, Aarti Borkar, Corporate Vice President (CVP), Microsoft Security, and Tanmay Ganacharya, Vice President of Microsoft Security Research and Threat Intelligence, will share intelligence and insights into the ongoing supply chain campaigns impacting all areas of the threat landscape. The talk, Poisoned at the Source: Inside the Hunt for Supply Chain Attacks, will walk through Microsoft Threat Intelligence’s investigations into the ongoing npm supply chain attacks targeting software ecosystems, developer workflows, trusted services, and how organizations are handling the challenges associated with npm packages.
Microsoft Security researchers will also present peer-reviewed technical research in the Black Hat Briefings. These sessions go deep into cloud, mobile, and software supply chain defense.
GitHub Can Tell You’re Being Hacked. You’re Just Not Listening: Building EDR for GitHub from Its Own Event Stream
One Click to System: Exploiting Bixby’s Trust Model for Full Device Compromise
Handle With Care: Chaining Azure Automation Flaws for Cross-Tenant Identity Takeover
Check the official Black Hat schedule for final room assignments and any timing updates.
Microsoft experts will also lead sessions that give you a closer look behind the scenes, including:
Mind the Gap: Turning Threat Intelligence into Decisive Action with Expert-Led Defense
These sessions extend the main stage story into practitioner decisions: how teams move from intelligence to action, how defenders test their judgment under pressure, and how AI and agents are changing security workflows.
This year we are transforming the Microsoft Security booth into a community center. Click here to jump to the full schedule.
If the keynote and main stage sessions frame the largest challenges across the threat landscape, booth #2144 is where you can directly explore the workflows behind it: threat intelligence, incident response, AI security, security operations, partner solutions, and hands-on practice.
You will find:
Short-form conversations with practitioners and experts on threat intelligence, incident response, AI security, identity, data protection, and security operations. If you swing by when the expo area opens, we’ll also fuel you up so you can skip the food court.
At Black Hat 2026, the Microsoft booth will feature 13 partners from the Microsoft Intelligent Security Association (MISA) who will showcase solutions built with Microsoft Security technology. Security Insider Conversations will feature MISA partners Critical Start (August 5, 2026, at 3:30 PM PT) and Huntress (August 6, 2026, at 2:00 PM PT) alongside Microsoft Security experts. Additionally, thank you to our Microsoft Security VIP Mixer sponsors: Ascent Solutions, Avertium, Devicie, Huntress, Illumio, Maureen Data Systems, and Security Risk Advisors.

Explore connected experiences across defending with AI, securing AI, strengthening posture for AI adoption, using security intelligence in investigations and response, working with trusted partners, and connecting with Microsoft Defender experts.
Spend some time with us at the experience we built around the booth and you’ll earn tokens that can be exchanged for custom patches and hats (because security experts have to wear many hats). Your favorite paperclip may be among the patches. Maybe.
The biggest Microsoft Security community moment of the week is our reception at Swingers at Mandalay Bay, hosted by Aarti Borkar.
Join us Wednesday, August 5, 2026, from 6:00 PM PT to 9:00 PM PT for food, drinks, mini golf, partner activations, and time with the Microsoft Security team away from the show floor.
Come compare notes with peers, meet Microsoft researchers and responders, and connect with the broader Microsoft Security community.
Space is limited, so reserve your spot early.
You can find Microsoft Security at booth #2144 during Business Hall hours:
Stop by early to see the booth schedule, find upcoming AMAs and connection circles, and plan which live sessions and hands-on experiences you want to attend.
You do not need to be in Las Vegas to take part in the broader Microsoft Security Black Hat experience.
The Microsoft Black Hat Skilling Challenge begins July 20, 2026, and will help defenders build hands-on skills across Microsoft Defender, Microsoft Sentinel, and Microsoft Security Copilot. Attendees can use the challenge to prepare before the event, then bring questions to on-site experts and community sessions. Remote participants can follow along through Microsoft Tech Community, AMAs, recaps, and post-event resources.
Threat actors are adapting around the systems organizations already trust. Security teams need to understand those trust paths before they become attack paths.
At Black Hat USA 2026, Microsoft Security will bring the research, expert perspective, and hands-on experiences to help practitioners see where attacker behavior is moving and how defense can adapt.
Add Poisoned at the Source to your schedule. Visit us at booth #2144. Join the skilling challenge. And register for the Microsoft Security reception on Wednesday night.
| Time | Title |
|---|---|
| 5:00 PM PT to 6:00 PM PT | How Practitioners Build Effective Security Playbooks |
| 6:00 PM PT to 7:00 PM PT | Agentic Security: What’s Next |
| Time | Title |
|---|---|
| 9:00 AM PT to 9:30 AM PT | Security Communities Meet Up |
| 10:00 AM PT to 10:30 AM PT | Using Offensive Security Research to Advance AI Security |
| 10:30 AM PT to 11:00 AM PT | The Confused Deputy Strikes Back: How AI Agents Turn Into RCE Proxies |
| 12:00 PM PT to 12:30 PM PT | Hunting in the Gray: When Nation-States and Cybercrime Collide |
| 12:30 PM PT to 1:00 PM PT | AI in Security Operations: What Actually Works and What Doesn’t |
| 1:00 PM PT to 2:00 PM PT | AI in the SOC: Lessons Learned from the Front Lines |
| 2:30 PM PT to 2:30 PM PT | Microsoft Defender Challenge |
| 2:30 PM PT to 3:00 PM PT | From Alert Fatigue to Action: How Practitioners Prioritize What Matters |
| 3:00 PM PT to 3:30 PM PT | Agents in the Flow of Work: From Signals to Action |
| 3:30 PM PT to 4:00 PM PT | Will It Hold Up in Court? Forensic Defensibility of Microsoft 365 Evidence |
| 5:00 PM PT to 6:00 PM PT | Zero Trust for the Agentic Era: An Interactive Discussion for Securing AI |
| Time | Title |
|---|---|
| 9:00 AM PT to 9:30 AM PT | The Future of Microsoft Security and How Communities Can Support You |
| 10:00 AM PT to 10:15 AM PT | Quantum Is Here: What Practitioners Must Do Now |
| 11:00 AM PT to 12:00 PM PT | The Next Era of Cyber Defense: Clarity, Control, and Response at Scale |
| 12:00 PM PT to 12:30 PM PT | Lessons from the Field: What to Do When You’re Under Attack |
| 12:30 PM PT to 1:00 PM PT | When Browsers Become Agents: The Emerging Security Risks of AI‑Powered Browsers |
| 2:30 PM PT to 3:00 PM PT | Social Engineering Always Matters |
| 3:00 PM PT to 3:30 PM PT | AI Runs on Data: Securing the Foundation of AI Adoption |
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.