OffensiveCon (https://www.offensivecon.org/) is one of a small number of conferences within the niche world of vulnerability research/exploit development which consistently attracts both an exceptionally high standard of presentations and conversations between attendees. The conference took place between the 15th and 16th of May 2026 in Berlin.

Presentations
Whilst the standard of every presentation given was brilliant and it’s one of the conferences where I usually attend every talk, I will give a quick overview of the ones I found particularly interesting and my overall thoughts. I expect the technical slides/videos to be released soon, and these will do the talks more justice than what I can recall from notes.
The first talk I attended was the keynote by Ollie Whitehouse (CTO of NCSC), which, as you would expect from a keynote talk, provided a higher-level view of why offensive ecosystems are critical to cyber defense and provided insight from a national security perspective. One interesting area was the comments on the control/proliferation of cyber intrusion capabilities and the acquisition of these around the world (i.e. 80+ countries purchasing), together with initiatives such as the Pall Mall process, which aims to address irresponsible use (which NCC previously did engage with https://www.nccgroup.com/newsroom/ncc-group-key-signatory-in-the-pall-mall-process-declaration/).
A key theme of several of the talks was the development of 0-click capabilities targeting mobile devices (with quite an Android ecosystem focus this year). This included a great presentation from Benoît Sevens, who discussed an Android-based exploit targeting Samsung’s Quram image parsing library, exploiting issues with the DNG format and delivered via WhatsApp to achieve RCE. To no-one’s surprise, custom complex image formats can often provide the ability to build weird machines, which greatly enable the development of exploit primitives. The DNG format with its opcode list was particularly useful for building out exploit primitives. Google has published a blog in the past https://projectzero.google/2025/12/android-itw-dng.html and has been performing significant research in this area both from Samsung DNG and Adobe https://project-zero.issues.chromium.org/issues?q=%20dng
There was also a second talk about developing 0-click Android capability from Yuval Kaufman which focused more on the exploit delivery mechanisms, covertness and demonstrated weaknesses within Samsung’s Account features which allowed making attack surface (image parsing) accessible again and the ability to prevent a target from obtaining notifications when performing these attacks.
The third Android 0-click talk was from Natalie Silvanovich and Seth Jenkins from Project Zero, who discussed how they exploited two vulnerabilities to compromise a Google Pixel 9 remotely, without user interaction, and then how they chained a different privilege escalation vulnerability to exploit the Pixel 10. I can’t really do this talk full justice with a quick summary, and they have previously blogged in this area, but it’s well worth a watch when the OffensiveCon video is released.
https://projectzero.google/2026/01/pixel-0-click-part-2.html
https://projectzero.google/2026/01/pixel-0-click-part-1.html
https://projectzero.google/2026/05/pixel-10-exploit.html
Another presentation I found particularly interesting was the one given by Xingyu Jin & Martijn Bogaard on GPU security and novel vulnerabilities which they found and exploited in this area. GPUs are one area of security which I have never looked at in any depth previously and the classes of vulnerabilities found here were novel (corrupting a GPU stack pointer register as part of the TBDR pipeline, GPU hardware may write vertex / pixel shader to arbitrary pages).
Cristofaro Mune discussed exploiting vulnerabilities within QSEE in Google's Wifi Pro which, having performed reviews of certain TEE environment security, was relevant to my interests.
Philipp Mao & Rokhaya Fall discussed turning an arbitrary file write in an Android app into code execution and covered a novel technique for abusing the run-time app image format (.art) to gain code execution when the application restarts.
Finally, there was a talk on Navigating the MTE Landscape: iOS Memory Protection Deep Dive, which was a great overview of this area in one talk. As of yet, I have not tried to write any exploits on devices protected via MTE/Apple’s specific deployment or faced the challenges which this brings.
Lobbycon
Perhaps one of the most valuable things about attending security conferences is the ability to chat with peers in the industry: having a beer with old and new friends and discussing future research ideas.
One thing that was on my mind this year, and from the conversations I had with others, was the effect of AI on the security industry (and my specific niche of VR/exploit development). Despite OffensiveCon this year only having presentations on traditional organic human-based vulnerability research and exploitation (perhaps an intentional choice?), it has become clear over the last few years that AI will have noticeable effects in this area.
Whilst change can often be considered scary, the attendees of OffensiveCon are some of the best in the world at what they do and will be able to adapt. Many ideas were floating around, such as being able to utilize the niche domain knowledge which is held in certain areas in conjunction with state-of-the-art models to enhance VR and exploit development. Deep browser knowledge (JIT) and language internals (deserialization bugs) were practical examples of where alpha could be gained. To me, it seems like the combination of deep domain knowledge in harnessing, model capability and scaling will be the key going forward. Commercial VR companies have even started building dedicated teams focused specifically on LLM fine-tuning and scaling for vulnerability research / exploit development.
Pwn2Own
As someone who has participated in several previous Pwn2Owns and greatly enjoys competing in the competition, I tried to keep an eye on what was happening whilst in Berlin between talks.
Unfortunately, the entries I attempted to register this year were unable to make it into the competition (due to the mass influx of submissions and the limits on what ZDI could practically run / accept!). However, I think enough has been said about the registration issues on various social media, and I was certainly not alone in this regard. I am sure there will be some practical changes to Pwn2Own going forward, as this year was unprecedented and was not representative of previous events.
On day one there were 22 entries overall across AI databases, coding agents and local inference. There was also the typical drama of last-minute patches (Firefox and ESXi I believe) which disrupted some attempts. There were several wins in the high prize money categories (ESXi, MS Edge, SharePoint, Exchange) and Devcore showed their impressive skills to win overall Master of Pwn.
It is also good to see familiar names being successful with their entries, as a significant amount of effort is put into the preparation of them and, whilst you can do a lot prior to the event, there can always be issues on the day and things you did not predict (and that’s part of what makes Pwn2Own fun!).
It is also probably no surprise to anyone that AI is accelerating both finding and exploiting bugs, which is having a knock-on effect on bug bounty program triage times and the number of issues which programs are having to handle.
Several Pwn2Own competitors did note that AI was used within their entries this year (for various things), and a couple of vulnerabilities which I identified during the preparation for Pwn2Own were found using human-in-the-loop guidance in conjunction with SOTA models.
I expect to be able to publish more information about coding agents’ security models soon as there are a lot of nuances in the attack surfaces and trust boundaries (by design vs a real vulnerability).