
Authored by: Dan DeCloss

Posted on: August 13, 2025

Beneath the Hat: My Black Hat 2025 Takeaways, Including the AI Imperative

As I write this from the airport, the desert heat of Las Vegas is finally fading and I’m reflecting on the whirlwind that was Black Hat USA 2025. For me, this conference is always about two things: the people and the ideas. We hosted our annual Customer Appreciation Night and ran a Pentest Reporting Bootcamp, so I spent a lot of time catching up with teammates and customers, and I unexpectedly bumped into old colleagues I haven’t seen in years (the conference hallways are a treasure trove of reunions). Networking events were everywhere—and yes, the swag was plentiful—but what really stuck with me were the conversations about where our industry is heading.

Here are my top takeaways.

AI

As expected, you cannot take two steps anywhere without hearing a conversation about AI or seeing products touting their AI-native or AI-powered capabilities. Last week, three focus areas related to AI stood out from my discussions and observations:

Companies now expect AI to be part of the products they buy. Many are even telling vendors that a product will not be considered without some form of AI. AI is rapidly transitioning from a novel add-on to an expected, integrated feature.

However, many security professionals are tired of hearing about what AI could do rather than what it will do for them. The promise of AI is well understood, and the hype is wearing thin. There is a clear demand to shift from discussing its potential to demonstrating tangible value. Many feel the winners will be the products and solutions whose AI is focused on solving practitioners' daily problems.

As AI becomes ubiquitous, concern about its attack surface grows with it. AI is still a black box to many people, yet its use is spreading quickly across products and organizations. As a result, organizations are having serious conversations about how to mitigate the risk, how to test AI systems, and how to gain visibility into the inner workings of models and of protocols such as MCP (Model Context Protocol), through which models are wired to external tools and data.

There is continued emphasis on AI security research. Within the offensive security space there is a strong focus on hacking AI systems as well as using AI to hack.

Regarding the plethora of AI companies that have recently emerged out of stealth or announced funding rounds, there is a sense that there will be some consolidation in the space over time.

Exposure Management

Exposure management continues to grow as a trend. The main talking points center on overhauling traditional vulnerability management and concentrating on identifying the most serious vulnerabilities. Traditional vulnerability management is increasingly seen as a box-checking activity, and organizations are turning to offensive security activities such as penetration testing to surface the exposures that matter most.

Once exposures are identified, the conversation shifts to prioritizing them accurately and streamlining the remediation process.

Cyber Insurance

The cyber insurance industry will continue to drive priorities for security teams. Most, if not all, businesses will carry some form of cyber insurance even if they are not beholden to other regulatory or compliance frameworks. There is an emphasis on which vulnerabilities insurance carriers care about when it comes to loss claims.

Insurance carriers will begin deploying more modern approaches to assessing policyholder risk and will continue to collect more actuarial data related to claims.

Exposure management will play a large role in how organizations identify and prioritize those exposures.

Conversations, Calluses, and the Call for AI

By the time I boarded my flight home, my step count for the week was north of 70,000, my brain was full, and my voice was hoarse. What keeps me coming back to Black Hat each year, though, isn’t just the cool demos or the swag; it’s the relationships and the insights. This year left me encouraged that the security community is moving past buzzwords and toward practical, integrated solutions. AI is now table stakes, but its real value will be judged by how well it helps us reduce risk. Exposure management is becoming the lens through which we prioritize, and cyber insurance is quickly shaping the conversation. Amidst it all, let’s not forget to look after ourselves and each other. Until next year, Black Hat!

About the author: Dan DeCloss, PlexTrac Founder/CTO. Dan has over 15 years of experience in cybersecurity. He started his career in the Department of Defense and then moved on to consulting, where he worked for various companies. Prior to PlexTrac, Dan was the Director of Cybersecurity for Scentsy, where he and his team built the security program out of its infancy into a best-in-class program. Dan has a master’s degree in Computer Science from the Naval Postgraduate School with an emphasis in Information Security. He also holds the OSCP and CISSP certifications.
