Thursday June 25, 2026 10:30am - 11:15am CEST
Last year at OWASP Global AppSec Barcelona, we showed how to break and defend LLM-integrated apps: (indirect) prompt injection, jailbreaks, data poisoning, and which practical controls actually worked in production. But the game has changed.

This follow-up talk picks up where we left off, focusing on the next generation of LLM-driven systems: agentic AI and protocols such as MCP (Model Context Protocol) and A2A (Agent2Agent). These systems combine LLMs with tools, memory, plugins, APIs, and planning loops, making them far more powerful, and also far more fragile.

We’ll walk through how this new architecture has shifted the attack surface, and why last year’s defences (input validation, injection prevention) don’t hold up anymore. Expect real-world attack paths: memory poisoning, tool misuse, and agent goal hijacking. Then we’ll show you what works: “Zero Trust”-style isolation, sandboxing tool execution, runtime plan validation, and defence patterns that are actually deployable.

This is not a theoretical talk. It’s a two-speaker format - builder and breaker - based on real-world incidents, internal and external red teaming, and live demos. If you’re building, securing, or reviewing AI-driven systems that do more than just chat, this is the session to see what’s coming and how to stay ahead.
Speakers
Javan Rasokat

Senior Application Security Specialist, Sage

Javan is a DevOps Security Specialist at Sage, where he joined six years ago to lead Product Security for Central Europe and now supports products globally, contributing to the standardisation of security controls. He discovered his passion for security early in his career while identifying...
Rico Komenda

Senior Security Consultant

Rico is a senior product security engineer. His main security areas are in application security, cloud security, offensive security and AI security.

For him, general security intelligence in various aspects is a top priority. Today’s security world is constantly changing and you...
Hall G1 (Level -2)