There’s a certain energy around Black Hat each year, that sense that the industry is gathering not just to trade knowledge but to reckon with the uncomfortable realities shaping cybersecurity. The 2025 edition in London feels especially sharp. Four keynote speakers — each coming from wildly different corners of the cyber ecosystem — are set to frame the conversation in ways that cut through marketing narrative and force attention back where it belongs: threat evolution, responsibility, accountability, and the unanswered questions sitting beneath the surface of cyber defense.
The program opens on December 10 at 9:00 AM with Max Smeets bringing a keynote titled Inside the Ransomware Machine. His work over the years — from ETH Zurich to Stanford — has chipped away at the romanticized or exaggerated narratives surrounding cyber gangs. Here, the focus isn’t just scare-level analysis but a look into the operational realities of the ransomware economy. Drawing on unique access to leaked data and years of analysis, he is set to unpack what really keeps the ransomware ecosystem running, and more importantly, what might finally disrupt it. The question quietly humming beneath it: can ransomware be dismantled structurally, or are we stuck waiting for the next evolution?
Later that day at 1:30 PM, Linus Neumann takes the stage with a keynote that — judging from the title alone — will sting a bit: CYBER! Please Check All Boxes Before You Get Pwned. Neumann, Head of Security Strategy at Security Research Labs and a long-time spokesperson of the Chaos Computer Club, has earned credibility through years of exposing brittle systems masquerading as “secure enough,” especially in something as politically sensitive as election software. In London, his focus turns to corporate security cultures that lean too heavily on compliance checklists, mistaking certifications and neatly completed forms for actual resilience. It’s the kind of talk that will probably make some attendees squirm and others nod like they’ve been waiting for someone to say it out loud.
The next morning, Thursday at 9:00 AM, BBC Cyber Correspondent Joe Tidy brings a keynote that feels more human than technical: From Script Kiddie to Cyber Kingpin: Preventing the Predictable Progression. Tidy has spent years covering the world’s biggest cyberattacks and following the stories behind the headlines, and he’s seen how many major attackers don’t start as masterminds — they start as bored teenagers with access to tools they don’t fully understand. Using the Vastaamo hack and the story of Julius Kivimaki as a lens, he will explore how teenage experimentation, online subculture, and weak early intervention can harden into serious, organized cybercrime. If Smeets exposes the mechanics of cybercrime markets, Tidy examines the psychology and social pipeline that feeds them — and what might actually break that cycle before it solidifies.
The final keynote arrives on December 11 at 1:30 PM with Louise Marie Hurel presenting Who Gets to Point Fingers? Technical Capacity and International Accountability. Hurel, a researcher at the Royal United Services Institute (RUSI), works at the intersection of cyber diplomacy, attribution, and state responsibility. Her talk spotlights a question that has been sitting in the background of cyber geopolitics for years: who gets to define “truth” when it comes to naming and shaming states for cyberattacks? Attribution frameworks have largely been shaped by well-resourced Western nations, but Global South countries are increasingly challenging that center of gravity. Hurel will unpack what happens when states with limited technical infrastructure still need to attribute attacks, how they navigate dependence on external private-sector or foreign intelligence, and what the wider industry can learn from their perspectives on responsibility and fairness in cyberspace.
Black Hat Europe 2025 is supported by a sponsor ecosystem that mirrors today’s security landscape. At the Titanium level sit Broadcom, Google, and ThreatSpike Labs, underscoring the importance of cloud-scale platforms and large-scale enterprise security stacks. Diamond Sponsors include names such as Black Duck, Clover, KnowBe4, OX Security, Push Security, runZero, ThreatLocker, and TuxCare — a mix that spans software supply chain risk, human-layer security, asset visibility, and modern endpoint and workload protection. Around them, Sustaining and Global Partners such as Armis, Cisco, CrowdStrike, Cyera, Google, ManageEngine, Qualys, SentinelOne, Sophos, Tenable, ThreatLocker, Trend Micro, Varonis, Wiz, Censys, Concentric AI, Corellium, Fortra, Huntress, HackerOne, and wolfSSL reflect how broad the current security stack has become, from IoT and identity to cloud posture management and offensive testing.
As the industry heads toward London this December, there’s a sense that this year’s edition isn’t just about unveiling new tools or zero-days. It feels more like a checkpoint — a moment to question long-standing assumptions about how we defend, who we trust, and who gets to speak with authority in global cybersecurity. Maybe that’s the real theme this time: confronting the hard questions before the next wave of reality forces everyone’s hand.
Leave a Reply