Speaking

CloudTrail events, resource tags, monitoring alerts, and pipeline output all flow through trusted cloud channels into AI agent context windows — bypassing every model-layer defense because they arrive as internal, trusted data. This talk demonstrates that a single crafted CloudTrail entry, a poisoned AWS resource tag, or a compromised runbook indexed into a RAG pipeline can redirect an agent with IAM credentials to take destructive actions against its own infrastructure. The fix isn't in the model — it's in the cloud configuration. Attendees leave with a new threat model for cloud-native AI deployments and five concrete AWS and Azure controls that eliminate the most impactful attack paths.

The Model Context Protocol has become the de facto standard for connecting AI agents to tools and data. It has also become the fastest-growing attack surface in enterprise AI deployments. This talk walks through three real attack patterns — tool poisoning, meta-context injection, and cross-server hijacking — with live code demonstrations and direct mappings to documented breaches from 2025–2026. Attendees leave with a concrete threat model and a prioritised list of controls they can implement before their next sprint ends.

The OWASP Agentic Top 10 exists. Most teams have read the summary. Almost none have mapped it to their actual systems. This talk takes each of the ten risk categories from abstract definition to concrete attack chain — using real incidents, reproducible lab scenarios, and the specific architectural decisions that made each one possible. It closes with a defensive framework grounded in least agency, strong observability, and human-in-the-loop design. Practical, evidence-based, no vendor agenda.

Traditional red teaming methodologies break against agentic AI systems. The attack surface is non-deterministic, execution paths are emergent, and blast radius crosses tool boundaries, memory stores, and inter-agent communication channels simultaneously. This talk presents a structured red teaming methodology for agentic AI — covering goal hijacking, tool chain weaponization, identity spoofing, memory poisoning, and cascading failure induction — built from direct adversarial testing with PyRIT, Promptfoo, and Garak against locally deployed agent architectures.

Single-agent security is hard enough. Multi-agent systems — where agents delegate tasks to other agents, pass credentials through chains, and trust messages without authentication — introduce an entirely different class of failure. This talk examines the trust assumptions embedded in today's agent frameworks, maps them to documented incident patterns, and makes the case for treating inter-agent communication with the same skepticism we apply to untrusted API calls. Includes a live demonstration of an identity spoofing attack across a three-agent pipeline.

2025 was the year AI agents moved from demos to production — and the year the first serious wave of agentic AI incidents landed. Tool poisoning, credential theft via cloud-connected agents, cascading failures triggered by a single poisoned document. This talk synthesises the key lessons from that first year: which threat categories materialised, which mitigations actually worked, and what the arrival of the OWASP Agentic Top 10, EU AI Act enforcement, and NIST CAISI mean for security teams trying to keep pace. Framed for decision-makers, grounded in technical evidence.