Tuesday, June 23, 2026
9:00am
Welcome remarks
Dan Boneh
Session 1: Prompt injection (session chair: Dan Boneh)
9:10am
The Promptware Kill Chain [paper]  
Ben Nassi, Tel Aviv University
9:40am
The Attacker Moves Second: Stronger Adaptive Attacks Bypass Defenses Against LLM Jailbreaks and Prompt Injections [paper]  
Milad Nasr, Anthropic
10:10am
Coffee Break
Session 2: Securing agents (session chair: Avital Shafran)
10:30am
Keynote: Agentic ProbLLMs: What I Learned Exploiting AI Computer-Use and Coding Agents [paper]  
Johann Rehberger, Embrace The Red
11:30am
Building Secure Personal Agents
Illia Polosukhin, Near.ai
12:00pm
Lunch
Session 3: Trojans in machine learning (session chair: Roei Schuster)
1:30pm
Keynote: The Way Forward: Towards Trustworthy AI Agents
Alina Oprea, Northeastern University
2:30pm
Trojans in Artificial Intelligence: Lessons Learned [paper]  
Kristopher Reese, Hood College
3:00pm
Coffee Break
Session 4: AI on the Web (session chair: Florian Tramèr)
3:30pm
Fooling AI Agents: Web-Based Indirect Prompt Injection Observed in the Wild [paper]  
Beliz Kaleli, Palo Alto Networks
4:00pm
BrowseSafe: Understanding and Preventing Prompt Injection Within AI Browser Agents [paper]  
Kaiyuan Zhang, Perplexity AI and Purdue University
4:30pm
GAVEL: Rule-Based Security over LLM Activations [paper]  
Yisroel Mirsky, Ben-Gurion University
5:00pm
End of day one
5:00pm
Reception
6:30pm
Evening events:
Wednesday, June 24, 2026
Session 5: Countermeasures (session chair: Ben Nassi)
9:00am
Chimera: Creating Digitally Signed Fake Photos [paper]  
Seongbin Park, UCLA
9:30am
Fortifying the AI-Integrated Workspace: A Multi-Layered, Adaptive Architecture Against Indirect Prompt Injection
Neha Sharma and Nicolas Lidzborski, Google Workspace
10:00am
Coffee Break
Session 6: Reports from the trenches (session chair: Nicolas Lidzborski)
10:30am
Beyond Prompt Injection: Agentic AI Attacks in the Real World
Adrian Spânu and Thomas Shadwell, OpenAI
11:00am
Keynote: AI Agents Enable Adaptive Computer Worms [paper]  
Nicolas Papernot, University of Toronto
Session 7: Lightning Talks (session chair: Vitaly Shmatikov)
12:00pm
Lightning Talks
Open session (5 minute talks, no slides)
12:30pm
Lunch
Session 8: Automatic Vulnerability Detection (session chair: Nicholas Carlini)
2:00pm
Do more with less—Uncovering Critical Vulnerabilities in Core Infrastructure via Simple and Affordable LLM-Guided Analysis
Quang Luong, Calif.IO
2:30pm
Comparing AI Agents to Cybersecurity Professionals in Real-World Penetration Testing [paper]  
Neil Perry, Princeton University
3:00pm
Building and Benchmarking Cybersecurity Agents
Andy Zhang, UC Berkeley and Stanford
3:30pm
Coffee Break
Session 9: Datasets and Benchmarks (session chair: Edoardo Debenedetti)
3:50pm
Indirect Prompt Injection in the Wild: An Empirical Study of Prevalence, Techniques, and Objectives [paper]  
Giancarlo Pellegrino, CISPA
4:20pm
Datasets & Benchmarks: InjectAgent
Qiusi Zhan, UIUC
4:35pm
How Vulnerable Are AI Agents to Indirect Prompt Injections? Insights from a Large-Scale Public Competition [paper]  
Xiaohan Fu, Gray Swan
4:50pm
End of day two
6:00pm
Evening happy hour hosted by Radware
Thursday, June 25, 2026
Session 10: Safety (session chair: Ben Nassi)
9:00am
Security Guardrails for a Data-Native Coding Agent
Anupam Datta, Snowflake
9:30am
LLMs often know when they’re being evaluated [paper]  
Giles Edkins and Joe Needham, MATS
10:00am
Coffee Break
Session 11: Safety, cont. (session chair: Justin Szczepaniak)
10:30am
Keynote: The Road to Hell Is Paved with Helpful Agents
Vitaly Shmatikov, Cornell Tech
11:30am
New findings in Emergent Misalignment and Subliminal Learning
Owain Evans, UC Berkeley / Truthful AI
12:00pm
Deployable defenses for safeguarding language models from jailbreaks
Jerry Wei, Anthropic
12:30pm
Lunch
Session 12: Failure modes (session chair: Johann Rehberger)
2:00pm
Keynote: Open Problems in Security
Matt Knight, former CISO of OpenAI
3:00pm
The OWASP Top 10 for Agentic AI: Real-World Failure Modes and Enforceable Defenses
John Sotiropoulos, Founder & Principal Consultant, Deep Cyber; Co-Lead, OWASP Agentic Security Initiative
3:30pm
Evaluating and Defending Against Prompt Injection Attacks
Edoardo Debenedetti, ETH Zurich / AI Security
4:00pm
Coffee Break
Session 13: The security of plugins and skills (session chair: Dan Boneh)
4:20pm
When AI Meets the Web: Prompt Injection Risks in Third-Party AI Chatbot Plugins [paper]  
Yigitcan Kaya, UC Santa Barbara (Postdoctoral Fellow) and Indiana University Bloomington (Incoming Assistant Professor)
4:50pm
The Sorry State of Skill Distribution [paper]  
Samuel Judson, Trail of Bits
5:20pm
Conference ends ... see you next year