Hacking the Mind of the Machine: Pwn the Prompt – Inside LLM Vulnerabilities and Exploits

As Large Language Models (LLMs) like GPT, Claude, and Gemini become embedded in everything from customer support agents to autonomous cybersecurity tools, they bring with them a radically new attack surface—one shaped not by traditional code execution, but by language, intent, and contextual manipulation. This talk is for the red teamers, hackers, and curious minds who want to pull back the curtain and see how these so-called “intelligent” systems can be broken, hijacked, and subverted.

In this session, we’ll begin by demystifying LLMs—how they work, what they actually do under the hood, and why they behave more like improv actors than deterministic programs. From there, we’ll dive into the meat of the talk: practical, offensive security techniques that exploit the quirks, limitations, and architectural oversights of LLM-powered systems.

You’ll learn how prompt injection works—and why it’s way more than just asking the AI to “ignore previous instructions.” We’ll show real-world examples of jailbreaks that bypass filters, inject unintended commands, and even exfiltrate private data across session contexts. We'll cover improper output handling that turns trusted AI responses into cross-system attack vectors, and explore the fragile security assumptions in API-integrated LLMs that allow privilege escalation, function abuse, or total system compromise.

But we’re not stopping at prompts. We’ll go deeper into the AI development lifecycle—unpacking supply chain attacks on model fine-tuning, vulnerabilities in prompt engineering frameworks, and the risks of deploying autonomous LLM agents with too much agency and not enough oversight. If you've ever wondered whether a chatbot could trigger an internal API call that deletes your database, you're in the right place.

This talk doesn’t require a PhD in machine learning—just a hacker mindset and a willingness to explore the limits of emerging tech. Attendees will walk away with a red team–ready methodology for testing LLM systems, a mental map of their weak points, and a toolkit of real tactics that go beyond theoretical risks into practical exploitation.

Building on this foundation, the session will transition into an in-depth examination of emerging threats and offensive techniques targeting LLMs in real-world environments. Attendees will explore:

Prompt Injection: Techniques for manipulating model prompts to subvert expected behavior, including direct injection, indirect (latent) prompt manipulation, and prompt leaking.

Jailbreaking: Advanced methods for bypassing model safety layers and restriction policies, allowing unauthorized actions or outputs.

Output Handling Vulnerabilities: Common failure points in downstream systems that trust LLM outputs without proper validation or sanitization.

LLM API and Deployment Security: Attack vectors exposed by insufficient authentication, poor input/output filtering, and insecure API integrations.

Supply Chain Risks: Threats targeting the LLM development lifecycle—including poisoned datasets, backdoored fine-tuning checkpoints, and compromised third-party tools.

Autonomous Agent Overreach: Risks arising from LLMs with agency, including goal misalignment, unchecked tool usage, and recursive decision-making loops.

Resource Abuse Scenarios: Tactics for exploiting LLM endpoints via prompt amplification, looped interactions, and denial-of-service through compute exhaustion.
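The output-handling and function-abuse items above come down to one defensive rule: a model's proposed tool call is untrusted input and must be parsed and allowlisted before anything executes. The following is an added illustration written for this page, not code from the talk or its speaker; the tool registry, the `ORD-` order-id format and the sample model outputs are constructed assumptions.

```python
import json
import re
from typing import Tuple

# Constructed allowlist: tool name -> required arguments and the exact
# pattern each must match. Anything outside this table never runs.
TOOLS = {
    "lookup_order": {"order_id": re.compile(r"^ORD-\d{6}$")},
    "send_status_email": {"order_id": re.compile(r"^ORD-\d{6}$")},
}


class ToolCallRejected(Exception):
    """Raised when model output is not a safe, well-formed tool call."""


def parse_tool_call(model_output: str) -> dict:
    """Accept only a bare JSON object {"name": str, "arguments": dict}.
    Free text wrapped around the JSON (a common injection carrier) is rejected."""
    try:
        call = json.loads(model_output)
    except json.JSONDecodeError as exc:
        raise ToolCallRejected(f"not valid JSON: {exc}")
    if not isinstance(call, dict) or set(call) != {"name", "arguments"}:
        raise ToolCallRejected("unexpected shape")
    if not isinstance(call["name"], str) or not isinstance(call["arguments"], dict):
        raise ToolCallRejected("bad types")
    return call


def validate_tool_call(call: dict) -> dict:
    """Enforce the allowlist: known tool, exact argument set, every value matches."""
    spec = TOOLS.get(call["name"])
    if spec is None:
        raise ToolCallRejected(f"tool not allowlisted: {call['name']}")
    args = call["arguments"]
    if set(args) != set(spec):
        raise ToolCallRejected("argument set mismatch")
    for key, pattern in spec.items():
        value = args[key]
        if not isinstance(value, str) or not pattern.fullmatch(value):
            raise ToolCallRejected(f"argument {key} fails validation")
    return call


def dispatch(model_output: str) -> Tuple[bool, str]:
    """Gate between the LLM and real side effects; returns (allowed, reason)."""
    try:
        call = validate_tool_call(parse_tool_call(model_output))
    except ToolCallRejected as exc:
        return False, str(exc)
    # In a real system the allowlisted function would be invoked here.
    return True, f"would invoke {call['name']}({call['arguments']})"
```

Every rejection carries a reason string so the gate's decisions can be logged and alerted on, which is where detection of injection attempts usually starts.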

Through a blend of real-world examples, technical deep dives, and hands-on offensive demonstrations, attendees will gain a red team–oriented perspective on securing LLMs.

Saurabh Kumar Pandey

MIQ - Associate Engineering Manager

Bengaluru, India
