Last year at DEF CON 33, I ran a 4-hour workshop on browser defenses. The response afterwards was incredibly motivating. Many participants told me two things: this was the kind of training they wished had existed earlier in their careers, and the content was so up to date that some of the material discussed was just a few weeks old.
Over the following months I began building two full training programmes. In August 2025 I blogged that I was working on a new course. What I did not expect was what happened next.
Both of my submissions were accepted as official trainings at Black Hat USA 2026.
That created a rather nice problem to have. Instead of wondering whether I would be able to present the material, I suddenly had to figure out how to schedule two different trainings across the four training days from August 1–4, 2026.
Two Trainings, Two Perspectives on Modern Application Security
At Black Hat USA 2026 I will be teaching two different courses that approach application security from different angles.
Both trainings focus on a problem many experienced security engineers encounter: how to move beyond individual vulnerabilities and instead design systems that eliminate entire bug classes at scale.
The two courses focus on different layers of this challenge.
- A 2-day Core Training focused on designing security controls that scale across platforms and engineering teams.
- A 1-day Elective Training that focuses on modern browser security mechanisms and how they can be used to eliminate common client-side vulnerability classes.
Topics include the following, all with hands-on lab exercises:
- Secure-by-design architecture patterns
- Platform security engineering
- Eliminating vulnerability classes
- Measuring adoption in large organizations ecosystems
- Enforcing secure defaults at scale
A new 1-day workshop concept at Black Hat and Elective / Core Trainings
In 2026, Black Hat is running a new format for the first time, with dedicated 1-day workshops alongside the traditional trainings, and it now distinguishes between Core and Elective trainings.
Core trainings represent the flagship knowledge of a topic area. They focus on the essential skills practitioners should know and usually attract a broad audience. These courses are designed to be repeatable across events, evolving over time as techniques and tooling change.
Elective trainings are more specialized. They are designed for attendees who want to go deeper into a particular area, explore emerging techniques, or focus on more niche topics. Rather than replacing the core material, they complement it and allow practitioners to expand their expertise beyond the fundamentals.
Details for both Trainings
- Proactive Security Engineering: Building Secure-by-Design Architectures That Scale
- 2-day Training (one session only) – Core Training
- Dates:
- Advanced Web Security: Scaling CSP & Cutting-Edge Browser Defences for Bug Class Elimination
- 1-day Training (2 dates, choose one) – Elective Training
- Dates:
Registration is now open.
Optimising Your Hacker Summer Camp Schedule for 2026
You can attend both trainings because they complement each other well. You can also choose to attend only one. The 1-day training is not a shortened version of the 2-day training. They cover different material.
At Black Hat, most 2-day trainings are offered twice: once on Saturday–Sunday and again on Monday–Tuesday. My 2-day training will only run once because I am also running the 1-day workshop. If you want to attend my 2-day training, you would book the Saturday–Sunday session.
This schedule also leaves Monday–Wednesday free, which allows you to attend BSidesLV at the Tuscany for the full Hacker Summer Camp 2026 experience. BSidesLV runs on August 3rd, 4th, and 5th.
Your schedule could look like:
- the 2-day Core Training (Saturday–Sunday)
- the 1-day Elective Training (Monday or Tuesday)
- BSidesLV at the Tuscany Suites (August 3–5)
- Black Hat Briefings (August 5-6)
- DEF CON 34 (August 7-9)
If you have any questions, feel free to email me, or DM me via LinkedIn.
Why I Built These Trainings
In recent years, I’ve invested a lot of time in secure design patterns – even attending a fantastic custom training on secure design patterns – and I also teach the Proactive Controls during hackathon-style classes at DHBW University. Pulling all of that together, I realised I could create something new: hands-on, proactive training focused on scale and eliminating entire bug classes, covering the most modern security concepts, shaped by my experience working at Sage.
Working in a large-scale environment for the past six years has shaped this perspective. At one point I nearly hit a wall, which forced me to refocus on what truly matters: platform-based security engineering and impact at scale. I’ve helped write secure coding standards before, but standards alone don’t change behaviour – they don’t scale, and they aren’t proactive.
That’s why I believe 2025 is the year of scale (see my article here). Professionals with 5+ years of experience in product security are eager to level up – yet most training out there still caters to beginners. Where’s the training for those who already know the fundamentals, who’ve been coding, pentesting, or building security engineering practices, and want the next level?
That’s exactly what I’ve built: a fully hands-on, lab-driven training, shaped by the same energy as my DEF CON workshop, but with the depth that experienced practitioners have been waiting for.
