What I talk about

My talks tend to live at the intersection of three uncomfortable truths: large language models are now writing meaningful portions of the code we ship; the agentic systems we are building around those models can take real actions in the world; and prompt injection — the foundational attack on this stack — is not a problem we are going to solve cleanly. Most of my appearances try to take that honestly rather than catastrophically, and walk through what defensive engineering looks like when you can't trust the model's intent and you can't realistically slow the rollout down.

A lot of what I cover is grounded in production work at Dropbox: how to sandbox autonomous agents so the blast radius stays small when something goes wrong, how to design tool interfaces (including MCP servers) that don't quietly hand attackers a foothold, and what OAuth, token lifecycle, and least-privilege access really need to look like when an agent — not a human — is the principal making the request. I also spend time on the human side of the problem: how security teams should engage with AI features before they ship, and how to give engineers patterns that raise the floor without slowing the work.

Recurring topics

  • Agent security and sandboxing — runtime monitoring, permission models, and the design choices that decide whether a compromised agent is a near-miss or an incident.
  • Prompt injection in depth — why direct, indirect, and tool-chained variants demand different mitigations, and where defense-in-depth actually pays off.
  • MCP and tool-use protocols — building tool surfaces that resist over-eager LLMs and don't leak privilege across boundaries.
  • OAuth and identity for AI — what token lifecycle and revocation look like when an agent is acting on a user's behalf across services.
  • Securing LLM-generated code — making model output safer by default rather than relying on humans to catch every mistake in review.

Where you'll find me

I speak at security and AI-focused conferences (CackalackyCon, CactusCon, Lakera AI), on industry podcasts and livestreams (Defense in Depth, Unprompted, Off By One Security), and occasionally on company-hosted panels and webinars. The list below covers the public appearances I can talk about — most include video, slides, or both. If you're organizing a conference, panel, or podcast on AI security, agent safety, or production LLM defense, reach out — I'm happy to talk about new formats and audiences.

Off By One Security · May 2026

Joining Stephen Sims on Off By One Security to walk the attack surface of a typical MCP deployment, then wire in the OAuth defenses one layer at a time using mcp-authflow.

MCP · AI Security · OAuth · Prompt Injection · Authentication

CackalackyCon · May 2026 · Durham, NC

Attacking AI code review pipelines. How the defensive layers around LLM-generated code (context files, AI reviewers, agent runtimes) become their own attack surface, and what defenses actually hold in 2026.

AI Security · Prompt Injection · Code Review · CI/CD · Agent Security · LLM Security

[un]prompted · March 2026 · San Francisco, CA

Real lessons from building specialized agents on shared infrastructure. Covers capability bounding, prompt injection detection, memory isolation, and OAuth device flow.

AI Security · Agentic Systems · Prompt Injection · MCP

The Secure Disclosure Podcast · March 2026 · Mesa, AZ

A discussion on malicious MCP servers and common AI security mistakes. Plus why prompt injection sticks around and how to deploy AI safely.

AI Security · MCP · Prompt Injection · LLM Security

CactusCon · February 2026 · Mesa, AZ

A security audit of MCP servers and their OAuth setups. 90% of the bugs are old problems. AI agents just amplify them.

MCP · AI Security · OAuth · Prompt Injection · Vulnerability Research

Dropbox (Internal Tech Talk) · February 2026

A three-layer framework for catching LLM security mistakes before they reach production.

AI Security · LLM · DevSecOps · Pre-commit Hooks · CI/CD

Lakera · December 2025 · Online

Panel discussion on how AI-driven threats evolved in 2025 and what defenders should prepare for in 2026.

AI Security · LLM · Threat Intelligence

Dropbox Tech Blog · September 2024

Technical deep-dive on implementing LLM security controls at scale using Lakera Guard for Dropbox's AI features.

LLM Security · AI Security · Production Security · Lakera Guard