Defcon 33 Afterthoughts

Sep 4, 2025 · Avery Tan
The LVCC West Hall, home of Defcon 33

As August rolled in, Las Vegas once again became the global gathering place for hackers, researchers, and curious minds. DEFCON 33 kicked off just as Black Hat wrapped up, bringing together thousands of attendees for a whirlwind of talks, contests, and parties.

This year marked my fourth Defcon — my first being Defcon 27 in 2019.

Humble Beginnings

I can’t quite remember how I first stumbled onto DEFCON, but I do know it traces back to Jack Rhysider’s Darknet Diaries podcast sometime in 2019. At the time, I was a fresh graduate returning once again to central British Columbia for what would be my final season of tree planting — my third season of reforestation work.

A view of the planting ‘block’ with my bags and shovel in foreground

I distinctly remember listening to Darknet Diaries episodes during long drives out to the planting blocks. Tales of espionage and sabotage, physical pentesters infiltrating banks and corporate offices filled these long days — and Defcon kept being mentioned. I had taken CMPUT 333: Security in a Networked World during my undergrad so I had some very crude rudimentary knowledge of hashes, ciphers, and cryptography, but nothing close to preparing me for what I would see at my first Defcon.

That first Defcon experience was pretty unforgettable. I shared a room at the LINQ with two other attendees. These were the times before corporate sponsorship would cover and reimburse my travel expenses. The time where Walmart baloney sandwiches in ziplock bags made the bulk of my Defcon diet. Circumstances were a lot more no-frills for me during that first Defcon.

Nonetheless, it was an eye-opening affair, one that I do credit as being the significant event that marked the historical boundary signaling the start of the ‘cybersecurity era’ for me.

When three or more hack for satan badges are in close proximity, lights flicker in a seance of satanic goodness

florida man social engineering
Sneaking into the florida man party with fake badges in a testament to our peak social engineering skills

In between wandering from village to village and being bombarded with things that looked and sounded like magic, I ended up one evening in some suite at Bally’s for the CONadian party along with my two attendee roommates. In between drinks at their open bar, a key conversation that night yielded me the start of my personal ‘security roadmap’.

The original plan
My original cyber roadmap

While I never did end up following this original roadmap I set myself all those years ago, I would say Defcon 27 definitely provided me the insight and a trajectory to penetrate the world of hacking. As a result, I’ve always felt a sense of gratitude and high reverence for what Defcon means to me, that life-changing historical boundary that marked my entry point into the world of infosec, and so it only makes sense that I return for Defcon 33!

DEFCON 33

Defcon 33 was held again this year all “under one roof” at the Las Vegas Convention Centre from August 7 to August 10, 2025. I lined up for merch about an hour before things opened and was incredibly pleasantly surprised I was able to essentially be one of the first 100 people in line! What a surprise and subversion of expectations, especially seeing how I was in line for 4+ hours for merch the last time I was at Defcon.

Unsurprisingly, AI was centre-stage this year. The AIxCC contest continued to expand in size and real estate. This was a contest sponsored by DARPA going into its second year where contestants deploy AI systems that can detect, exploit, and patch vulnerabilities in systems mimicking industrial infrastructure. The activity at other villages was still ever-present, but AI and LLM tooling and discussions dominated the narrative.

OpenAI execs on the AIxCC stage

A key theme was the use of AI tools, particularly LLMs, and how they are democratizing offensive security in ways that outpace their current defensive applications. Hackers demonstrated how AI can compete effectively in CTF-style offensive activities, and the AIxCC contest itself was a strong showcase of this particular trend. I don’t believe this particular emerging trend is a surprise to really anyone that actually uses LLMs in their day-to-day, even for minor troubleshooting or debugging/coding purposes. An obvious consequence of this democratization is that it lowers the barrier of entry for offensive security, both for aspiring white hats as well as for cybercriminals, and this trend is already readily showing up in the real world!

LLM helps with hacking
Tricking an LLM into helping with offensive security activities

I also managed to snag a signed copy of ‘Red Teaming AI’ which ended up selling out on the first day of the convention! Definitely the loot highlight of the con for me.

Redteaming AI
Prized loot

Another highlight for me was the Deepfake demo held at the AI Village. This demo was running the open-source DeepFaceLab via a personal consumer-grade laptop sporting a gtx 4090. For the cost of a mid-range gaming laptop, anyone can create deep fakes. Deep fakes for all!!

Deepfake hardware
Hardware running the deepfake demo

Deepfake demo
Look Mom, I’m Keanu Reeves!

Policy discussions were also dominated by AI, particularly its broad and disruptive impact across domains like application security, privacy, and national security. While the tools evolve rapidly, policymakers are still catching up; tale as old as time.

Other notable highlights were keynotes by the likes of Microsoft, Anthropic, and OpenAI. And stickers, lots of stickers.

sticker monster mode

Closing Thoughts

Defcon creates this aura and feeling of being enveloped and surrounded in the bleeding edge frontier of cybersecurity. The long-running legend now ingrained in Vegas and Defcon myth of having the ‘most hostile wifi network on earth’ persists, and I’ve had a few baristas and ‘civvies’ see my attendee badge and then remark, ‘so, I guess I shouldn’t connect to any wifi networks for the rest of the week, right?’.

Myths and traditions aside, I had a blast at hacker summer camp this year, and am forever grateful that this event persists year after year, ever evolving with the times, forming a place where the curious and the brightest meet and discuss the latest and greatest.
