Black Hat 2025: Exposure Management, AI Defense, but No Donuts

Every Black Hat is a bit of a mirror. It shows you the state of the industry, sure — but if you’re paying attention, it also reflects where you are as a practitioner and a company that’s been doing this long enough to notice the small changes.

This year’s reflection? The hype is settling. Conversations felt less like frantic pitches and more like problem statements with actual paths forward. Two themes stood out on the floor:

1. Exposure management has grown up.
2. AI defense is starting to mean something real.

A focus on what matters has a dark side: I couldn’t find a single booth with free donuts. This is my tenth Black Hat, and I always rely on free vendor donuts and coffee to get me going. Maybe I was looking in the wrong place. I also didn’t see any puppy adoption or goat petting. There’s always next year. At least thanks to Torq, I got to have the surreal experience of seeing the Gravedigger monster truck rolling through the show floor.

Theme 1: Exposure Management Comes of Age

You couldn’t walk ten feet without bumping into a CTEM pitch. Armis, XM Cyber, PlexTrac, Tenable, Nucleus, Axonius, Intel 471, Picus — each with their own flavor, but all circling the same idea: find the exposures, understand them in context, fix what matters.

Why the sudden ubiquity?

• The attack surface isn’t just “bigger” — it’s layered, and every layer is moving. Cloud, IoT, OT, now AI applications.
• Boards and regulators aren’t buying “we scanned it” anymore. They want proof you’re reducing measurable risk, continuously.
• Security teams are done playing whack-a-mole. They want to know which holes in the fence matter before they start patching.

Where ThreatConnect fits in is simple but not small: closing the Exposure Gap.

• Risk Quantifier (RQ) helps you see vulnerabilities and TTPs through the lens of financial impact, so “critical” means something concrete to both the SOC and the board.
• Polarity overlays intel right into the analyst’s line of sight — so you don’t lose minutes (or context) bouncing between tools.
• TI Ops feeds that whole system with curated threat intelligence that’s actually relevant to your environment.

The goal isn’t to find more things. It’s to make the right decisions faster. That’s a different mindset entirely.

Theme 2: AI Defense Gets Real

Last year, it felt like every booth had “AI” slapped on it like a sale sticker, whether or not the product had anything to do with machine learning. This year, the noise has started to clear. The language shifted from “we have AI” to “we help you defend against AI-driven threats and protect your AI assets.” That’s progress.

It’s not theoretical anymore.

• Enterprises are rolling out Copilot, ChatGPT Enterprise, and domain-specific models — and discovering new risks in the process.
• Adversaries are using LLMs to scale social engineering, reconnaissance, and vulnerability discovery.
• Compliance teams are demanding controls around model usage, data handling, and supply chain security.

We’ve been intentional about how AI shows up in ThreatConnect. It’s not decoration — it’s a force multiplier:

• AI-curated intelligence requirements to filter the noise and surface what’s relevant now.
• AI summaries that distill the why and how of an indicator or threat actor in seconds, instead of burning an analyst’s morning.
• Risk-informed ATT&CK threat models that help SOC and hunt teams know exactly where to focus, whether the threat is AI-assisted or not.

It’s not about chasing “AI” as a feature. It’s about defending the systems that use it and the people who rely on it.

The Intersection

Exposure management and AI defense aren’t separate streams. They feed into the same river. Your AI tools are part of your attack surface now. If you’re not monitoring, prioritizing, and defending them as exposures, you’re leaving blind spots. And if you’re securing AI in a vacuum without understanding its broader exposure context, you’re playing a half-game.

That’s where the Intel Hub sits — connecting the dots between context, risk, and action.

• Contextual intelligence so you understand what’s at stake.
• Risk-based prioritization so you act on what matters most.
• Operationalized workflows so your team can do all of this in the tools they already use.

Why We’re Ready for This Moment

Our customers have already proven what happens when you approach defense this way:

• >50% reduction in MTTR.
• 63% fewer false positives.
• Half an analyst’s week freed up to focus on real work.
• Better collaboration between CTI, SOC, IR, and risk teams.

We’re not catching up to these trends, we’ve been building for them. And that matters, because the gap between adversary capabilities and defender capacity isn’t closing on its own.

Final Thoughts

Black Hat 2025 felt like a turning point — less noise, more substance. Exposure management is no longer the niche topic at the corner booth. AI defense is starting to mean something practical.

And yet, I’ll admit… I’m still thinking about the donuts. Maybe it’s because in security, we’re wired to notice what’s missing. Maybe it’s because I believe we do our best work when we balance the grind with moments of delight. Either way, I’ll keep looking — for the donut booth and for ways to make sure the people defending our organizations have the context, clarity, and connection they need to win.

If you want to see how we’re tackling both exposure and AI defense in one place, let’s talk.