Tuesday, June 23, 2026
9:00am
Welcome remarks
Dan Boneh
Session 1: Prompt injection (session chair: TBD)
9:10am
The Promptware Kill Chain [paper]  
Ben Nassi, Tel Aviv University
9:40am
The Attacker Moves Second: Stronger Adaptive Attacks Bypass Defenses Against LLM Jailbreaks and Prompt Injections [paper]  
Milad Nasr, Anthropic
10:10am
Break
Session 2: Securing agents (session chair: TBD)
10:30am
Keynote: Agentic ProbLLMs: What I Learned Exploiting AI Computer-Use and Coding Agents [paper]  
Johann Rehberger, Embrace The Red
11:30am
Building Secure Personal Agents
Illia Polosukhin, Near.ai
12:00pm
Lunch
Session 3: Trojans in machine learning (session chair: TBD)
1:30pm
Keynote: The Way Forward: Towards Trustworthy AI Agents
Alina Oprea, Northeastern University
2:30pm
Trojans in Artificial Intelligence: Lessons Learned [paper]  
Kristopher Reese, Hood College
3:00pm
Break
Session 4: AI on the Web (session chair: TBD)
3:30pm
Fooling AI Agents: Web-Based Indirect Prompt Injection Observed in the Wild [paper]  
Beliz Kaleli, Palo Alto Networks
4:00pm
BrowseSafe: Understanding and Preventing Prompt Injection Within AI Browser Agents [paper]  
Kaiyuan Zhang, Purdue
4:30pm
End of day one
4:30pm
Reception
Wednesday, June 24, 2026
Session 5: Countermeasures (session chair: TBD)
9:00am
Deployable defenses for safeguarding language models from jailbreaks
Jerry Wei, Anthropic
9:30am
Fortifying the AI-Integrated Workspace: A Multi-Layered, Adaptive Architecture Against Indirect Prompt Injection
Neha Sharma and Nicolas Lidzborski, Google Workspace
10:00am
Coffee Break
Session 6: Reports from the trenches (session chair: TBD)
10:30am
Beyond Prompt Injection: Agentic AI Attacks in the Real World
Adrian Spânu and Thomas Shadwell, OpenAI
11:00am
Keynote: From ML to AI: A Retrospective on the Security of Learning Systems
Nicolas Papernot, University of Toronto
Session 7: Lightning Talks (session chair: TBD)
12:00pm
Lightning Talks
Open session (5-minute talks, no slides)
12:30pm
Lunch
Session 8: Automatic Vulnerability Detection (session chair: TBD)
2:00pm
Comparing AI Agents to Cybersecurity Professionals in Real-World Penetration Testing [paper]  
Neil Perry, Princeton University
2:30pm
Building and Benchmarking Cybersecurity Agents
Andy Zhang, UC Berkeley and Stanford
3:00pm
Do more with less—Uncovering Critical Vulnerabilities in Core Infrastructure via Simple and Affordable LLM-Guided Analysis
Quang Luong, Calif.IO
3:30pm
Coffee Break
Session 9: Datasets and Benchmarks (session chair: TBD)
4:00pm
Indirect Prompt Injection in the Wild: An Empirical Study of Prevalence, Techniques, and Objectives
Giancarlo Pellegrino, CISPA
4:30pm
Datasets & Benchmarks: InjectAgent
Qiusi Zhan, UIUC
4:45pm
How Vulnerable Are AI Agents to Indirect Prompt Injections? Insights from a Large-Scale Public Competition
Matt Fredrikson, Gray Swan
5:00pm
End of day two
6:00pm
Evening happy hour hosted by Radware: sign up here
Thursday, June 25, 2026
Session 10: Safety (session chair: TBD)
9:00am
GAVEL: Rule-Based Security over LLM Activations [paper]  
Yisroel Mirsky, Ben-Gurion University
9:30am
LLMs often know when they’re being evaluated [paper]  
Giles Edkins and Joe Needham, MATS
10:00am
Coffee Break
Session 11: Safety, cont. (session chair: TBD)
10:30am
Keynote: The Road to Hell Is Paved with Helpful Agents
Vitaly Shmatikov, Cornell Tech
11:30am
New findings in Emergent Misalignment and Subliminal Learning
Owain Evans, UC Berkeley / Truthful AI
12:00pm
Lunch
Session 12: Failure modes (session chair: TBD)
1:30pm
Keynote
Matt Knight, former CISO of OpenAI
2:30pm
The OWASP Top 10 for Agentic AI: Real-World Failure Modes and Enforceable Defenses
John Sotiropoulos, Founder & Principal Consultant, Deep Cyber; Co-Lead, OWASP Agentic Security Initiative
3:00pm
Coffee Break
Session 13: Countermeasures (session chair: TBD)
3:30pm
Security Guardrails for a Data-Native Coding Agent
Anupam Datta, Snowflake
4:00pm
Evaluating and Defending Against Prompt Injection Attacks
Edoardo Debenedetti, ETH Zurich / AI Security
4:30pm
Conference ends ... see you next year