- First hand of the week: Find us at BSides
- Workshop: Burp But Yours, with Hannah and Tib3rius
- Center stage: Visit us at Black Hat USA – Booth #5342
- Lightning talks at the booth
- Catch our researchers' briefings sessions
- Can AI Do Novel Security Research? Meet the HTTP Terminator
- CSS: The Bomb Inside Your Inbox
- Then it's on to DEF CON
- But that's not all…
- C-Vision cocktail hour
- Vulnerability Vibes
- CISO Poker
- Oh, and one more thing…
- We'd love to see you there
- What happens in Vegas… Stay on your socials.
Fran Hutchings |
Thursday, 9 July 2026 at 09:20 UTC
PortSwigger is heading to Las Vegas for one of the biggest weeks in the cybersecurity calendar.
Across Black Hat USA, BSides Las Vegas, DEF CON, and a number of fringe events throughout the week, you’ll find us sharing new research, running hands-on sessions, catching up with the Burp Community, and talking all things Burp Suite.
Whether you want to say hello to the team, connect with our Burp Ambassadors, get practical Burp tips, or hear about new exciting product development, read on to see how to find us.
First hand of the week: Find us at BSides
Kicking off the week, PortSwigger will have a table at BSides Las Vegas throughout the event.
Stop by to meet the team, ask questions, grab some swag, and talk about how Burp Suite can support your security testing and AppSec workflows. BSides is always one of our favourite parts of the week, and we’re looking forward to connecting with the community there.
Workshop: Burp But Yours, with Hannah and Tib3rius
BSides also kicks off our flagship workshop, Burp But Yours: Hands-on Extension and Bambda Development, this extended 4-hour session co-presented by Hannah from the PortSwigger team and Tib3rius, one of our Burp Ambassadors.
With double the time of the standard session running later in the week, this BSides edition goes deeper: more guided exercises, more free build time, and the chance to get Tib3rius’ real-world bug bounty perspective alongside Hannah’s view from inside the Burp Suite team. By the end, you’ll be able to:
- Identify and explain the different extensibility options in Burp
- Write a functional Bambda
- Write a functional extension
- Know how to share your work with the wider community
Expect to leave with something you actually built yourself – whether that’s a Bambda that finally cuts through the noise in your testing, or the start of an extension solving a problem only you’ve run into.
Bring a laptop with the latest Burp Suite installed, a Java IDE, such as IntelliJ IDEA or similar, and a portswigger.net account for the Web Security Academy labs.
Seats are limited, so get there early if you want a spot.
Center stage: Visit us at Black Hat USA – Booth #5342
From the show floor at Black Hat USA 2026, you can find the PortSwigger team at booth #5342 all week.
Come by to meet the team, get hands-on with what’s new in Burp Suite, and chat about web security, offensive testing workflows, AppSec programs, and everything in between.
Want to make sure you actually catch us between briefings? Request a meeting slot with the team in advance, and we’ll set aside time to talk through whatever’s on your mind – Burp Suite, your testing workflow, or where AppSec is heading next.
Lightning talks at the booth
The booth isn’t just for swag and small talk – we’re turning it into a mini stage. Throughout Black Hat, we’re running a packed schedule of lightning-style talks, featuring members of the PortSwigger team alongside some of our Burp Ambassadors.
These sessions are short, sharp, and built for the show floor: 10-15 minutes, no fluff, straight into the good stuff. Expect live demos of modern web vulnerability discovery, hands-on Burp Suite tips you can use the second you get back to your desk, and real-world testing techniques from Burp Ambassadors who use Burp every day in the field. Drop by the booth to see the full lineup.
Catch our researchers’ briefings sessions
This year, PortSwigger is bringing not one but two original PortSwigger Research briefings to the Black Hat main stage. Led by our world-leading Research team, these sessions showcase cutting-edge research at the forefront of web security innovation – one rethinking what AI can do to your infrastructure, and the other rethinking what a stylesheet can do to your inbox.
Can AI Do Novel Security Research? Meet the HTTP Terminator

Wednesday, 5th August. At 12pm. Location: Oceanside A
James Kettle (@albinowax), Director of Research Black Hat USA 2026 – Wednesday 5 August
We all know AI can find bugs. After a decade of research, James asked a harder question: can an autonomous system invent new attack techniques, and use them to hack live websites at scale?
Building this sounded like a bad idea. He did it anyway. It worked.
James will unveil an arsenal of new HTTP desync triggers, gadgets, and exploits that compromised banks, security vendors, and government infrastructure, then trace each discovery chain back through the HTTP Terminator itself – showing how to turn your own intuition into an autonomous research weapon, and the dark arts required to make it lethal. He’ll also share discoveries from beyond the autonomy horizon: a powerful undisclosed recon technique, and anomalies hinting at entirely new attack classes that AI alone couldn’t reach.
And yes – he’s open-sourcing the HTTP Terminator.
CSS: The Bomb Inside Your Inbox

Thursday, 6th August. At 2:35pm. Location: South Seas CDF
Gareth Heyes (@GarethHeyes) Black Hat USA 2026
You might think it’s safe to open an email in 2026. After all, it’s only HTML, right?
Turns out, we forgot about CSS.
Gareth will introduce a set of novel techniques for compromising email accounts using nothing but CSS and HTML – weaving vectors straight past CSS sanitization, hardened CSP, and the HTML filtering library everyone trusts. He’ll open with an attack that deanonymizes users of a “privacy-first” encrypted email provider, then escalate to full end-to-end account takeovers on multiple major webmail providers, including an enterprise giant. He’ll close with an alternative line of attack against third-party websites, turning a classic non-issue into a genuine threat – regardless of which webmail the victim is using.
These are both must-see sessions for anyone interested in the latest thinking from PortSwigger’s research team.
Then it’s on to DEF CON
The week closes out at DEF CON 34, where the research keeps coming and the workshop schedule wraps up.
James will be bringing his Black Hat research to DEF CON, giving the community a second chance to catch the HTTP Terminator takeover in person. Exact timings are still to be confirmed, so keep an eye on our social channels for the drop.
Hannah is also closing out Burp But Yours: Hands-on Extension and Bambda Development with two sessions at DEF CON – one in the AppSec Village, and one in the Bug Bounty Village. These will be the same hands-on format as Hannah’s extended workshop at BSides earlier in the week.
PortSwigger is proud to sponsor this year’s DEF CON Bug Bounty Village. Our team will be there handing out stickers and catching up with the community – be sure to swing by and say hello!
But that’s not all…
Outside the main conference halls, you’ll also find us taking part in several fringe events across the week. These events are a great chance to meet the PortSwigger team in a more informal setting, talk about the challenges facing security teams today, and connect with others across the security community.
C-Vision cocktail hour
- When: Wednesday, 5th August. 5-9pm.
- Where: The Hakkasan Lounge, MGM Grand.
- Why we’re attending: C-Vision brings together senior security and technology leaders for focused discussions on the challenges shaping modern AppSec. It’s an opportunity for us to meet customers and partners, exchange ideas on securing web applications at scale, and discuss how organizations are evolving their security testing programmes.
Vulnerability Vibes
- When: Wednesday, 5th August. 6-10pm.
- Where: BrewDog Las Vegas.
- Why we’re attending: Vulnerability Vibes brings together researchers and the offensive security community to discuss the latest vulnerability research and exploitation techniques. As a company built around web security research, it’s a natural place for the PortSwigger team to meet fellow researchers, exchange ideas, and support the wider community.
CISO Poker
- When: Wednesday, 5th August. 4pm.
- Where: The Wynn Poker Room
- Why we’re attending: CISO Poker provides a more relaxed networking environment where security leaders can connect.
Oh, and one more thing…
If you caught our recent post on what’s next for AppSec after Mythos, you already know where this is heading: your judgement as a pen tester, amplified by agentic AI, kept safe inside a proper governance layer – so power doesn’t have to mean losing control.
We will be talking about some exciting new product development! Come and find us at booth #5342 to see it live, get hands-on, and be among the first to talk it through with the team who built it.
We’d love to see you there
It’s going to be a busy week, and we’d love to connect with our community.
Find us at:
- BSides Las Vegas: PortSwigger table, plus the 4-hour “Burp But Yours” workshop with Hannah and Tib3rius.
- Black Hat USA 2026: Booth 5342, lightning talks, James and Gareth’s briefings sessions.
- DEF CON 34: James’ research, plus extensibility workshops with Hannah in the AppSec Village and Bug Bounty Village.
- Fringe events: C-Vision, CISO Poker, and Vulnerability Vibes.
Want guaranteed face time with the team at Black Hat? Request a meeting slot now and skip the queue at the booth.
What happens in Vegas… Stay on your socials.
Whether you’re joining us in Las Vegas or following from around the world, we’ll be sharing the best of the week as it happens. Expect live updates from the show floor, photos from our booth, and highlights from each event.
Follow us on your favourite social channels to stay up to date, and if you spot the team while you’re there, don’t forget to tag us!


