Access Everywhere: Notes on Cyber Security from DEF CON 33

The 2025 DEF CON hacker conference, officially DEF CON 33, took place last August in Las Vegas with the theme “Access Everywhere.” The event drew more than 30,000 cybersecurity professionals, researchers, and enthusiasts for presentations, workshops, networking, and competitions.
DARPA’s AI Cyber Challenge
The centerpiece of this year’s event was the conclusion of the AI Cyber Challenge (AIxCC) — a two-year, $20 million competition led by the U.S. Defense Advanced Research Projects Agency (DARPA) and Advanced Research Projects Agency for Health (ARPA-H). The competition was aimed at advancing AI-driven vulnerability discovery and patching.
Teams built AI-powered systems that scanned, exploited, and repaired flaws in massive codebases. The competitors analyzed 54 million lines of code, identified 54 synthetic vulnerabilities, and patched 43 of them, while also uncovering 18 real-world vulnerabilities that were then disclosed to open-source maintainers.
Team Atlanta, a coalition including Georgia Tech, Samsung Research, KAIST, and POSTECH, claimed first place and a $4 million prize, followed by Trail of Bits and Theori.
Their success showcased the promise of blending LLMs, symbolic execution, and fuzzing — an early look at how generative AI can supercharge secure coding in the years ahead.
Using ethical hacking to protect public utilities
Another major story was a volunteer effort that went beyond DEF CON’s walls. A team of ethical hackers partnered with small U.S. water utilities in Indiana, Oregon, Utah, and Vermont to help them strengthen their defenses against cyberattacks. This type of work is especially important because small utilities often lack internal cybersecurity resources yet are increasingly targeted by global threat actors.
These volunteers helped change default passwords, enable multi-factor authentication, and segment operational technology networks. It’s a small but powerful example of how hackers are serving the public good by protecting the very infrastructure people depend on.
The CVE Program debate: who owns vulnerability disclosure?
In discussions of the Common Vulnerabilities and Exposures (CVE) program, panelists warned that its funding and governance model may be unsustainable, threatening one of cybersecurity’s most important public databases of known vulnerabilities.
Experts called for more diversified funding and possibly a hybrid public–private structure to ensure transparency and continuity. Without a stable CVE registry, they argued, vulnerability management tools, SOC automation, and patch pipelines worldwide could falter.
This debate reflects a growing awareness that cybersecurity isn’t just a technical challenge — it’s also a question of policy and long-term governance.
The promise and pitfalls of AI in red teaming
AI’s role in both offense and defense was also a major topic. Researchers demonstrated how large language models can accelerate reconnaissance and exploit development, performing much of the grunt work that junior penetration testers once did.
But experts were quick to temper expectations. Models still produce false positives, hallucinate code, and misjudge context. So, while AI can handle about 60 percent of a penetration tester’s workload, it should not be used to replace the human element.
The consensus was that AI should augment, not replace, human expertise. When used responsibly, AI can help defenders test systems faster, train new analysts, and model complex threat scenarios that would be impossible to simulate manually.
A new energy among blue-team defenders
DEF CON 33 also marked a cultural shift. Once known primarily for Red Team attackers, the conference now draws thousands of Blue Team professionals intent on sharing tools, telemetry, and real-world lessons.
The Blue Team Village was packed, and the conversations there were less about breaking things and more about building resilient systems. Participants traded incident-response playbooks, shared open-source detection scripts, and discussed how to harden endpoints using zero-trust frameworks.
Key Takeaways
DEF CON 33 reflected a maturing cybersecurity ecosystem:
- AI is transforming vulnerability discovery, from autonomous patching to enhanced red teaming.
- Defenders are organized and energized, no longer playing catch-up.
- Collaboration matters. Hackers, researchers, and civic volunteers are working together on public-interest security.
- Policy and funding stability, from CVE governance to open-source maintenance, are becoming as important as technical innovation.
Perhaps most importantly, the community is redefining what it means to be a hacker.
Contact ArcherPoint by Cherry Bekaert to learn more about how you can improve your company’s data and cybersecurity.