C1b3rwall: LLMs as a new criminal surface
I gave a talk at C1b3rwall 2026 — "Security in LLMs: the new criminal surface." Some notes on what the room already feared, and what surprised it.
The premise was simple: every time we hand a language model more reach — tools, memory, the ability to act — we also hand attackers a surface that didn't exist a year ago. Not a metaphorical one. A real, reproducible, exploitable surface, with its own bestiary of techniques.
What a security audience already expects to hear is "prompt injection." They've read the headlines. What tends to land harder is the second step: an injected instruction isn't interesting because it makes the model say something rude — it's interesting because the model can do things. Read a file. Call an API. Trust the wrong document. The danger scales exactly with the autonomy.
The model isn't the vulnerability. The vulnerability is everything you let the model touch on your behalf.
Three things that surprised the room
- How little it takes. A poisoned web page or a crafted document is often enough — no exotic exploit, just text in the right place at the right time.
- How familiar the defenses feel. Least privilege, input validation, separating data from instructions, never trusting the client — the classics, wearing new clothes.
- How quickly "the AI did it" becomes an accountability gap. If a system can take consequential actions, "the model decided" is not an answer an investigator accepts.
The part I cared most about getting across is that this isn't a reason to stop. It's a reason to design. The same care that makes a SOC trustworthy makes an agent trustworthy: explicit goals, verified actions, hard limits on what can be touched, and evidence left behind. The attack surface is new. The discipline isn't.
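A minimal sketch of those principles in code, added here as an illustration and not part of the talk or this post: a gate that sits between the model's proposed tool calls and their execution, enforcing a tool allowlist, confining file reads to an assumed sandbox root, holding consequential actions for explicit approval, and recording every decision. The tool names, the sandbox path and the sample calls are all assumed.

```python
from pathlib import Path
from typing import Optional

# Assumed policy for an illustrative agent that may read files and look up tickets.
SANDBOX_ROOT = Path("/srv/agent-sandbox").resolve()          # assumed location
ALLOWED_TOOLS = {"read_file": {"path"}, "lookup_ticket": {"ticket_id"}}
NEEDS_APPROVAL = {"lookup_ticket"}      # consequential: needs an explicit human OK
AUDIT_LOG: list = []                    # the evidence an investigator will ask for


def confine_path(raw: str, root: Path = SANDBOX_ROOT) -> Optional[Path]:
    """Resolve '..', absolute paths and symlinks, then reject anything outside the sandbox."""
    target = (root / raw).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        return None
    return target


def check_action(call: dict, approved: bool = False) -> dict:
    """Validate one model-proposed tool call. Only decides; never executes."""
    name = call.get("tool")
    args = call.get("args", {})
    if name not in ALLOWED_TOOLS:
        verdict = {"ok": False, "reason": f"tool {name!r} not in allowlist"}
    elif set(args) != ALLOWED_TOOLS[name]:
        verdict = {"ok": False, "reason": "unexpected argument set"}
    elif name == "read_file" and confine_path(args["path"]) is None:
        verdict = {"ok": False, "reason": "path escapes sandbox"}
    elif name in NEEDS_APPROVAL and not approved:
        verdict = {"ok": False, "reason": "consequential action needs approval"}
    else:
        verdict = {"ok": True, "reason": "allowed"}
    # Every proposal is logged, allowed or not, so "the model decided" has a record.
    AUDIT_LOG.append({"call": call, "approved": approved, **verdict})
    return verdict


if __name__ == "__main__":
    # Constructed sample: a traversal smuggled into a tool call via a fetched document.
    print(check_action({"tool": "read_file", "args": {"path": "../../etc/shadow"}}))
```

The gate only decides and logs; whatever executes the call must consult it first, or the limits are decorative.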
Thanks to everyone who came, asked sharp questions, and stayed afterwards to argue. That's the part you can't get from a slide deck.