Securing the Digital Frontier: Key Themes from Black Hat USA 2025

Another year, another Black Hat USA. And what a show it was as thousands descended on the Entertainment Capital of the World. The conference returned to the Mandalay Bay Convention Center in Las Vegas with a packed six-day program, kicking off with four days of specialized cybersecurity trainings, followed by the main expo on August 6-7. With 120 security briefings showcasing the latest cybersecurity research and trends, dozens of tool demos, and countless parties on offer, one of the hardest things about the conference was whittling down which talks and events to attend.

Amid the energy and excitement, a few key themes emerged as the focal points of this year’s conference. The event was once again dominated by discussions on AI & data-driven security, which continue to redefine both offensive and defensive strategies. Another hot topic was software supply chain risk, with speakers highlighting growing vulnerabilities in third-party code and the urgent need for robust security measures to protect the integrity of software pipelines. Cloud security also took center stage as organizations grapple with the complexities of securing multi-cloud environments. 

AI Continues to Reign Supreme… But At What Cost? 

It comes as no surprise that Artificial Intelligence was the talk of the show. From hands-on tools, to product launches, to instructor-led talks, you couldn’t escape the impact of AI on defenders—and, more concerningly, attackers. This also happened to be the same week that OpenAI unveiled GPT-5, its “smartest, fastest, most useful model yet,” and Anthropic announced new security-focused features designed to make Claude stand out in an increasingly crowded GenAI coding landscape.

Acknowledging that “AI isn’t just a tool; it’s the cornerstone of advanced cyber defense and, paradoxically, a potential weapon in the hands of threat actors,” Black Hat hosted a dedicated in-conference AI Summit to underline the importance of AI-powered remediation.   

There was no shortage of industry buzz on the topic, with vendors leveraging the conference to announce their own new AI tools and automation capabilities. Against this backdrop, we published our inaugural GenAI Code Security Report—an in-depth analysis of more than 100 large language models (LLMs) to determine if the most advanced AI systems can write secure code. The results call into question the safety of AI-generated code: nearly half the code samples failed security tests and contained OWASP Top 10 security vulnerabilities. With vibe coding on the rise and 83% of organizations using AI for software development, Gizmodo’s warning to “Read This Before You Trust Any AI-Written Code,” which spotlights our research, is a timely caution. 

Citing Veracode’s research in her keynote talk, bestselling author and former lead cybersecurity reporter at The New York Times, Nicole Perlroth, also shared, “Despite my best hopes, it’s becoming clear AI will give offense the advantage.” 

The key takeaway: the adoption of AI is not going away. As long as LLMs continue to write vulnerable code, Veracode will continue to transform its output into secure, enterprise-ready software—in real time and at scale. To help teams navigate this shift, we’ve published a new guide: Navigating Vibe Coding & Application Security.

Supply Chain Security: The Achilles’ Heel of Modern Software 

There was a strong focus on securing the software supply chain. Increasingly at risk from emerging threats, compromised components, and malicious actors, the supply chain is more vulnerable than ever. According to Gartner, software supply chain attacks are expected to triple in cost from $46 billion in 2023 to $138 billion by 2031. With 61% of apps containing open-source dependencies, many Black Hat speakers made it their mission to highlight the challenges associated with open-source software and AI. 

At our booth, Veracode’s Threat Research Team shared expert guidance on how organizations can safeguard their codebases, defend against malicious packages and emerging threats, and ensure robust security across the entire software supply chain. The team recently uncovered a persistent North Korean cryptocurrency theft operation, blocking 12 malicious packages with different obfuscation strategies—only possible with automated monitoring delivered by Veracode Malicious Package Detection. As explained in this GBHackers article which covered our threat research: “This tactic exploits trust in the hiring process to deploy payloads that exfiltrate cryptocurrency wallet data, browser extension credentials, and other sensitive files from developers’ machines, potentially enabling corporate network breaches.” 

From Reactive to Proactive: Mastering Cloud Security and ASPM 

Cloud security was also a key theme, with speakers warning how easy it is for LLMs to compromise and hijack an organization’s cloud. This necessitates centralized risk governance and continuous monitoring across LLMs and third-party contributors. With a major shift to Application Security Posture Management (ASPM), we released Veracode Risk Manager (VRM) last year and announced its latest enhancements right before Black Hat. VRM goes beyond traditional ASPM to eliminate the most risk with the least effort, resulting in a 10X increase in remediated issues and 50+ integrations. 

Ahead of Black Hat and during the conference itself, we also announced cutting-edge ASPM integrations with Wiz and Palo Alto Networks that empower customers to tackle risk with a prevention-first approach. Incorporating Wiz’s and Palo Alto’s cloud security findings into VRM provides even broader visibility, context, and prioritization to customers, enabling them to eliminate security blind spots from code to cloud.  

How Veracode Helps 

It’s safe to say Black Hat 2025 delivered. The industry’s biggest meeting of the best minds in security was another roaring success. Cybersecurity practitioners came away with critical insights to help them prevent, detect, and respond to the ever-growing threat landscape.  

Veracode was proud to be an integral part of the show once again, helping visitors navigate an increasingly complex digital ecosystem. With our in-depth research and the latest product innovations for advanced software security, we aim to provide assurance, context, and continuity across the entire software development lifecycle. Our expertise is your competitive advantage.