The ITSPmagazine Podcast

When AI Touches Everything: Operationalizing the Five Most Dangerous New Attack Techniques at RSAC 2026 | A Redefining CyberSecurity Podcast Conversation with Ed Skoudis, President of SANS Technology Institute and Founder & CEO of Counter Hack

Episode Summary

Every year, the SANS "Five Most Dangerous New Attack Techniques" session at RSA Conference draws standing-room-only crowds -- and every year, Ed Skoudis and his panel raise the stakes. This year, for the first time in the session's ten-year run on the main stage, AI is woven into every single topic on the list, signaling not a trend but a fundamental shift in how attacks are built, launched, and scaled.

Episode Notes

Show Notes

For ten years, Ed Skoudis has curated one of the most anticipated sessions at RSAC Conference: SANS' "Five Most Dangerous New Attack Techniques: Crucial Tips for Defenders." The session has always been a hit -- standing room only on the main stage -- but this year, Ed says something has changed. Not one or two topics with an AI component. All five.

Ed is deliberate about how the session comes together. He starts with people, not topics. He builds the panel around SANS instructors who bring front-line insight, and he starts the process six months out. This year's panel features returning panelist Heather Mahalik, Rob T. Lee back for his second year, Joshua Wright in his second year -- this time carrying two topics and eight minutes instead of six -- and, making his first appearance on this stage, Robert M. Lee of Dragos, one of the world's foremost voices on ICS and OT security.

The addition of "Crucial Tips for Defenders" to the title this year was intentional. Ed pushed every panelist to move beyond naming threats and toward prescribing action -- practical, implementable steps that a CISO can hand down and a practitioner can execute the next morning. For topics where prevention is impossible, the mandate shifted to detection and response. SANS publishes session notes to their website within minutes of the talk ending.

The backdrop this year is a warning Ed calls unlike anything in his 30 years of attending RSA and DEF CON. At a recent AI cybersecurity conference in San Francisco, presenters from Google and Anthropic outlined what Google termed the "vuln apocalypse" -- an imminent surge in AI-discovered zero-day vulnerabilities at a scale and pace that patching pipelines are not designed to handle. Ed's own team at Counter Hack has already experienced this firsthand: a frontier AI model identified a critical zero-day in a widely used open source project in a matter of hours. The Anthropic presenter's claim was blunt: within months, AI will surpass all human vulnerability researchers combined.

All of this lands at the center of what the RSAC session is designed to address -- not as a theoretical exercise, but as a set of actions defenders can take right now. The session runs Tuesday, March 24th at 3:55 PM on the main stage, with an interactive follow-on session Wednesday morning where attendees can go deeper with individual panelists. For anyone who wants to understand where the threat landscape is actually heading and what to do about it, Ed says this is the year you cannot afford to miss it.

Guest

Ed Skoudis, President, SANS Technology Institute; Founder & CEO, Counter Hack | On LinkedIn: https://www.linkedin.com/in/edskoudis

Host

Sean Martin, Co-Founder at ITSPmagazine, Studio C60, and Host of Redefining CyberSecurity Podcast & Music Evolves Podcast | Website: https://www.seanmartin.com/

Resources

SANS Institute | https://www.sans.org

RSA Conference 2026 is taking place April 28 - May 1, 2026 | Moscone Center, San Francisco -- Follow our coverage: https://www.itspmagazine.com/rsac-2026-conference-san-francisco-usa-cybersecurity-event-infosec-conference-coverage

The Future of Cybersecurity Newsletter | https://www.linkedin.com/newsletters/7108625890296614912/

More Redefining CyberSecurity Podcast episodes | https://www.seanmartin.com/redefining-cybersecurity-podcast

Redefining CyberSecurity Podcast on YouTube | https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

Keywords

ed skoudis, sean martin, sans institute, sans technology institute, counter hack, rsac 2026, rsa conference, five most dangerous attack techniques, ai in cybersecurity, vulnerability research, zero-day vulnerabilities, patch management, penetration testing, defender tips, ics security, ai-powered attacks, redefining cybersecurity, cybersecurity podcast, redefining cybersecurity podcast

Episode Transcription

[00:00:00] Sean Martin: Hello everybody. You're very welcome to a new on location, even though I'm remote, conversation for RSAC Conference. It's the 2026 version. A few conferences have come and gone. This one's coming up around the corner and I'm thrilled to have Ed Skoudis on. Ed, how are you?

[00:00:20] Ed Skoudis: I'm doing great. How are you, Sean?

[00:00:21] Sean Martin: Good. Great as well. And yeah, this has become a tradition to have a chat with you and talk about all the cool stuff that you're doing at RSA with respect to SANS. This is a session that's a hit every year. It's first come, first served, standing room only. And yeah, it's one you don't wanna miss. I'm always thrilled and honored to have you on to talk about all the good stuff you're doing with the team there. I'm always appreciative of the work you do for the community. So for folks who don't know you -- and I don't know how they don't -- if you can just tell folks a few words about who you are, what you're up to, the work you do, stuff with SANS you have going on.

[00:01:04] Ed Skoudis: I often don't wear my hat for these kinds of interviews. It's a controversial thing. I could go get it, but I think we're good. Sometimes I wear a Santa hat around December. Sometimes I wear my white hat. I sometimes speak with my hat on, but usually not.

[00:01:20] Sean Martin: There's a good chance they might see you at the conference with the hat. But anyway, my point is if they don't know you, they should meet you and say hi. And for now, if you can just tell folks a few words about who you are, what you're up to, the work you do, stuff with SANS you have going on.

[00:01:44] Ed Skoudis: Yep. So I am Ed Skoudis. I'm the President of the SANS Technology Institute. I've been with SANS 27 years now. I was a SANS instructor for 21 years. I wrote the number one selling SANS course, which is SANS Security 504 on incident handling and hacker attacks -- that is associated with the GCIH certification. I also wrote SANS' premier class on network penetration testing, SANS Security 560, which is the one associated with GPEN. I run the team that builds cyber ranges for SANS, including NetWars, as well as our free Holiday Hack range. In addition to that, I also have a company called Counter Hack. We build those ranges for SANS, but we also do penetration testing. I have 18 penetration testers who work for me, and we work on trying to be the best pentest company we can be -- the best pentest in the world is what we're aiming for. I'm also serving on the board of a couple of charities and our local bank, Manasquan Bank. It's been great and it's great to talk with you again every year, Sean.

[00:02:49] Sean Martin: I appreciate it, Ed. The purpose of this is twofold. It's a session that I think folks should attend, which is why I love having you on. And the content is great, which is why it's a good session to attend. The title of the session is The Five Most Dangerous New Attack Techniques: Crucial Tips for Defenders. It's that last part that I'm really interested in. But first, I'm gonna try to twist your arm to say what the five are.

[00:03:21] Ed Skoudis: We are under an embargo. RSAC as well as SANS has a strict media embargo on what the top five are -- until we stand up on stage, they wait five minutes and then it all gets released. We wanna build some excitement and want people to actually attend to hear it live and hear the questions and answers. But I can talk about general trends. I can talk about how we put the panel together and what we take into account. There's just so much going on in our industry and it's super exciting. These four panelists are absolutely brilliant. They've got their finger on the pulse of where things are headed. It is an honor to be able to host them. They're all amazing SANS instructors. I just can't go over the specifics. I will tell you this: we have five topics, we got four panelists, so that means somebody gets to do two -- and this year it will be Joshua Wright.

[00:04:20] Sean Martin: There you go. Well, even though we can't talk about the five, there's so much to talk about. Let's talk about how you pull the five together. What is the catalyst behind something landing on the top five list?

[00:04:41] Ed Skoudis: I start with who and not what. Who's really got some good and interesting things to say? Who can really help people? Who has access to lots and lots of SANS authors, instructors, students? I like to have people on stage that you could take a class from. So we go through who and we brainstorm -- who's done it in the past, we try to get some new blood in there, but we also like to have folks you've seen before. For the first time on this stage with this SANS panel, it's gonna be Robert M. Lee from Dragos. He's amazing -- one of the best ICS people in the world. Rob T. Lee is coming back. Heather's been there about 10 years now with us. Joshua Wright last year was his first year, so this would be his second year. We start with who, then we brainstorm, and we start this six months in advance. They come to me with ideas, they bounce ideas off each other. There's a little bit of infighting -- your topic's too close to mine, you're stepping on my toes. And I added 'Crucial Tips for Defenders' to the title this year to push the panelists to say: it's fun and interesting to talk about attacks, but we have to be practical. What are crucial tips people can directly apply? We want the problem, what the attackers are doing with it, how it's evolving, where it's headed, and practical tips for defenders that appeal from individual practitioner up to the CISO level. That's all I asked for -- and you've got six minutes.

[00:07:14] Sean Martin: Easy task.

[00:07:15] Ed Skoudis: And then we refine and refine and juggle. It was even just two weeks ago that we had two of the panelists' talks that were so similar we had to figure out a way to make them individual trends and separately actionable. I also like it when there's contradiction on the panel -- somebody says X, somebody else says Y. You might say, well SANS, get your act together. Is it X or Y? And the truth is there's an argument for both. We'll try to make them at least consistent so you can address both. But we have an advocate for X and an advocate for Y. And I tell the panelists: if you disagree with something someone else says, you can respectfully respond. It's gotta be respectful -- we're all friends -- but that makes for great TV and great intellectual discourse. Josh had a topic where he said: this is a really big problem, it's really bad, but I don't have any practical solutions. So we brainstormed. Sometimes there's no prevention technique for something, but there's a detection and response set of actions you could take. You can't stop it from happening, but if it does happen, here's how you can figure out that it is happening and stop it fast. RSAC pushes us on that too -- there can't just be intellectual navel-gazing. People have to come back with actionable things. I always take notes. I tell the audience to take notes. We publish a summary at the SANS website within 10 or 15 minutes of the event itself. We've been 10 years on the big stage. We don't wanna take it for granted. We want it to be practical, interesting, and valuable -- all rolled into 45 minutes. I've seen the topics, I've seen the presentations. They're trying to take it to a whole new level this year -- you're gonna see some video animation. The topics are ultimately what matters, the great presenters are very important, but then there's the production quality. RSAC is top notch when it comes to producing a high-value show. 
Giant screens on stage -- I don't know what that costs, probably five or ten million bucks. Behind the stage there's a small city of producers switching the screens, and a stage manager who is just an incredible person. But fundamentally it's the content that matters and that's what we produce and are responsible for.

[00:11:10] Sean Martin: I love it. Can you give some color on the flow of the conversation to help people get a sense of what they'll see?

[00:11:26] Ed Skoudis: We've got five topics, four presenters. It starts with me for about 90 seconds setting the frame. We then introduce each of the panelists. Each panelist speaks for six minutes -- the attack, why it's a concern, where it's headed, the damages that can be caused, and then what you can do about it, at both the industry and practitioner level to engage a CISO down to practitioner. Now, I gave Josh Wright eight minutes because he's doing two topics. So with my two minutes upfront plus eight minutes of Josh Wright, that's ten. Then three six-minute talks, that's 18. So we're 28 minutes in. The rest -- about 17 minutes -- is for Q&A. The Q&A is my favorite part. I tell the panelists: I want you commenting on what each other says, and it's okay if you contradict each other respectfully. Then we finish up and thank everybody and walk off the stage. We're doing something new this year the following morning -- Tuesday, March 24th at 3:55 PM on the main stage, and then Wednesday morning around 8:30 AM we're getting the team together for a kind of affinity session. If you want to talk about these topics in more depth, they're giving us a big room. Each panelist will be there for interactive sessions. The room seats 80 or 100 people. We'll divide into four sections, one for each speaker, and you can talk with them about their topic in depth. It's an experiment.

[00:13:06] Sean Martin: And the Q&A is audience driven, right?

[00:13:08] Ed Skoudis: It is. We try to get really meaningful stuff. We don't want light, fluffy questions -- we want to get to the heart of the things. There is one other part: I try to give everybody one minute at the end, and we go backwards. Just: if you had to leave one thing with the audience, what would that be? It might be from your topic or maybe more general. Then we thank everybody and we're done. And I should remind people on Tuesday: if you really like us and want to meet these folks individually, come to the Wednesday morning session.

[00:15:24] Sean Martin: There you go. If we can dig up that link before this gets produced, I'll include it. So let's wrap with this, Ed. Ten years -- is there one thing that strikes you from this year's content that looks or smells different from the last ten years?

[00:16:01] Ed Skoudis: It is AI. And let me tell you why. Go back to November 2022 -- OpenAI introduced ChatGPT, and that really shocked us all. In spring 2023 RSAC, people were saying it's gotta have some AI. So there was one topic that had AI. Then 2024 there were one or two. Then 2025 it was two topics. Now here's the deal: all of our topics involve AI this year. And here's the thing -- if I were to tell you there's a major trend happening in cybersecurity and there wasn't an AI aspect to it, I would be lying to you. AI is involved in some way in the attacker's craft in refining it. Everything touches on AI and AI touches on everything. Some of the topics are not directly AI, but we are gonna talk about how AI is accelerating that topic because that's the way it works. And one other area worth keeping in mind is AI specifically for vulnerability research and discovery of zero-day flaws in code. I was at a conference last week in San Francisco called Unprompted -- great conference for AI cybersecurity practitioners -- and there was a presentation by Google and a presentation by Anthropic. They talked about how in the near term they're expecting a huge number of vulnerabilities like we've never seen in this industry. This will be my 30th RSAC conference, my 30th DEF CON coming up this summer. But the point of these presenters from Google and Anthropic is: we've never seen anything like this for vulnerabilities. Google was talking about how short-term it's gonna be pretty bad, and long-term much more safe and secure from a software perspective. Anthropic said it's gonna be really bad really soon -- lots more vulnerabilities than we've ever seen, zero-days in critical things. We're optimized so that maybe you get one or two zero-days a month that you need to patch quickly. 
Imagine if you have four of them on Monday, then Tuesday you've got ten, Wednesday you've got thirteen, Thursday's a quiet day with only two, and then Friday they hit you with twenty because they rested on Thursday. The ability to use AI to analyze source code and find flaws was what Google's talk was on. They haven't posted the talks publicly yet, but they will. I encourage everybody to watch both the Google talk and the Anthropic talk from Unprompted. Google referred to it as the 'vuln apocalypse.' And the Anthropic presenter said: right now, AI when analyzing source code is as good a vulnerability researcher as the best human vulnerability researchers on the planet. And soon -- in a matter of months -- AI vulnerability research using source code to find flaws will be better than all human vulnerability researchers together. I also saw a tweet from Phil Venables -- many know Phil, he's been a CSO for many years, he's now an investor. He said he's never been more optimistic in the long term about having good secure software, and at the same time never more pessimistic in the short term about how tough things are gonna get in the next year or so. And in my own company, we are using frontier AI models to analyze source code and finding all kinds of zero-days. One of my team members just two days ago found a zero-day in a pretty major piece of open source software -- contacted the team, they said it's a critical bug, they're issuing a patch in two weeks. That was just feeding a frontier model with clever prompting and source code, and boom, it found the thing.

[00:21:24] Sean Martin: And then smart people validating.

[00:21:27] Ed Skoudis: Smart people validating, with the help of the AI. Hey, can you create an exploit for this? And it does. So this is something people need to be aware of -- they need to up their patching game better than ever. The Anthropic presenter said: everybody's talking post-quantum, post-quantum this, post-quantum that. Everybody's spending a lot of money on post-quantum. The government says by 2030 you've gotta be ready. And he said: that is a problem, that is a concern, and the industry is responding smartly. But that's a problem that may or may not be five, ten, or fifteen years from now -- we don't really know exactly when quantum cryptanalysis will get good enough to blow away our common crypto algorithms. What we do know is that this vulnerability analysis capability will be available in AI models used by us and our enemies in the next year or less, and organizations are not ready to roll patches quick enough.

[00:22:46] Sean Martin: That's mind blowing. I'm gonna bring it back to your session -- do the tips from each of the four across the five topics include AI?

[00:23:01] Ed Skoudis: They do, both on the offense and the defense. You're gonna see very unique takes from each of our four panelists. And sometimes they have slight disagreements and contradictions with each other -- you're gonna see that in what you could do with AI and how you can leverage it. That's good because it'll make everyone who sees this session more well-informed about where things are, where they're headed, and what the debate is all about.

[00:23:41] Sean Martin: So good, Ed. I think the title for this is gonna be something like: you're tired of hearing about AI, but you want to hear this topic about AI.

[00:23:54] Ed Skoudis: It'll be a very different take. Yeah.

[00:23:56] Sean Martin: Ed, it's always good to see you, my friend. I'm looking forward to catching up with you in person in San Francisco and to catching the keynote stage -- The Five Most Dangerous New Attack Techniques: Crucial Tips for Defenders, Tuesday, March 24th, 3:55 PM. Don't miss it. It's a good session and a good group of people. Ed, thanks so much for taking the time to share and have this chat about the session and more. And thanks everybody for listening -- please do stay tuned, itspmagazine.com/rsac for all of our coverage. There's gonna be a ton. Thanks everybody.

[00:24:42] Ed Skoudis: Bye.