The next great hacker may not be human.
For decades, cybersecurity has depended on researchers who must think like the people attacking computer systems to successfully defend them. Now, a growing number of those “attackers” aren’t people at all. They’re artificial intelligence, or AI, agents. Capable of discovering software security vulnerabilities and generating harmful exploits, these agents don’t need to eat, sleep or log off for a break. They can work endlessly, targeting power grids, internet infrastructure, hospitals and more.
This knowledge led Yan Shoshitaishvili to an unsettling realization: The next researchers who stop these autonomous agents might not be human either.
Shoshitaishvili is an associate professor of computer science and engineering in the School of Computing and Augmented Intelligence, part of the Ira A. Fulton Schools of Engineering at Arizona State University. He and his team in the Center for Cybersecurity and Trusted Foundations, or CTF, have organized the Conference of Synthetic Security Research, or SynSec, hailed as the first national opportunity for academia and industry to explore what happens when AI agents become the researchers.
“Like it or not, agentic AI is here,” Shoshitaishvili says. “The real question isn’t whether we should engage with it, but how quickly and rigorously we understand its impact on system security. Attackers won’t hesitate to harness it for their gain, so if we’re not exploring those same areas in academic research, we’ll be left behind.”
So what happens when AI begins to take on a larger role in how research itself is done?
On October 22–23, 2026, cybersecurity experts across industry and academia will converge at ASU SkySong in Scottsdale, Arizona, to answer that question. At SynSec, they will stress-test computer security research conducted, evaluated and even presented by AI with minimal human involvement.
The conference’s format is intentionally provocative. In its primary track, AI must be listed as the first author on submitted papers. In some cases, the AI will also generate the conference talk.
Adapting to an autonomous adversary
Shoshitaishvili has spent years preparing for this moment. A thought leader in ethical hacking and cybersecurity education, he has built a career around the idea that the best way to defend systems is to understand how they break.
It’s an ethos he once traced back to Eugène-François Vidocq, the 18th-century criminal-turned-detective who trained former thieves to catch thieves. That philosophy powers pwn.college, the globally used cybersecurity training platform Shoshitaishvili co-founded with Fulton Schools Associate Professor Adam Doupé. The platform blends coursework, capture-the-flag hacking challenges and community collaboration, giving students a hands-on way to think like adversaries.
Shoshitaishvili and Doupé, who also serves as director of CTF, have carried that same mindset into ASU’s presence at DEF CON, the world’s largest hacking conference, where they have led initiatives like the DEF CON Academy, an open-access training ground designed to introduce ethical hacking and make the intense event more accessible to cybersecurity newcomers.
SynSec, in many ways, is the next logical step for a team always pushing forward.
“The malicious actors we’re up against aren’t slowing down,” Doupé says. “If AI enables them to move faster or scale what they’re doing, then we need to be just as relentless about understanding how to best leverage AI to give defenders the advantage instead.”
But the conference isn’t about novelty. It’s about measurement. At its core, SynSec is an experiment in how knowledge is produced. Papers and submitted materials must explicitly document what the AI did, what humans contributed and how the collaboration worked. The goal is not to celebrate automation for its own sake, but to understand its implications for the future of science.
That includes the peer-review process itself. In a move that pushes the concept even further, SynSec will deploy a fully AI-driven technical program committee to evaluate submissions. A parallel “shadow” committee of human experts will review the same papers to provide a benchmark for comparison. Accepted work will be shared openly online, including paper sources, evaluation artifacts and even the reasoning processes of AI reviewers.
Redefining the role of the researcher
The scope of the conference is intentionally broad, spanning everything from cryptography and systems security to machine learning safety and hardware attacks. But the real shift isn’t in what’s being studied. It’s in how. Instead of simply using AI as a tool, the researchers will hand over larger parts of the discovery process itself, letting systems decide what experiments to run on their own. That possibility — of machines not only assisting research but actively driving it — is what makes SynSec feel both groundbreaking and, to some, a little unnerving.
But that may be the point.
“I don’t see a future where this doesn’t become more and more relevant,” Shoshitaishvili says. “As AI systems take on more responsibility, the role of human researchers may shift from direct problem-solving to orchestration, interpretation and supervision. SynSec is an early attempt to map that shift in real time.”
For Professor Gail-Joon Ahn, global cybersecurity pioneer and the associate director of research in the School of Computing and Augmented Intelligence, the bigger picture is about shaping how the field responds to a rapidly accelerating future.
“SynSec isn’t meant to settle the question of AI in cybersecurity; it’s meant to force the conversation,” Ahn says. “As the pace of AI-augmented discovery, attack and defense continues to accelerate, the researchers who show up in October won’t just be studying the shift. They’ll be helping define how the field, and the role of AI agents within it, evolves to keep up. In addition, it will help articulate a blueprint for how emerging advances in AI agents will transform both security and business operations.”
