DEV Community

Cover image for Claude Is Your Insider Threat Now - Notes from Dan Tentler's Security Fest 2026 Talk
Cor E
Cor E

Posted on

Claude Is Your Insider Threat Now - Notes from Dan Tentler's Security Fest 2026 Talk

#security #ai #llm #appsec

Speaker: Dan Tentler

Event: Security Fest 2026

Talk: Claude Is Your Insider Threat Now

Length: ~52 minutes

Watch it: YouTube

I've been deep in the LLM security space for a while now, but I still found myself pausing Dan Tentler's Security Fest 2026 talk multiple times to let things sink in. Tentler — a veteran red teamer and founder of Phobos Group — has a gift for making uncomfortable truths land hard. This one is worth your 52 minutes. Here are my notes.

Who Is Dan Tentler?

If you've been around the offensive security world, you know the name. Tentler has been breaking things professionally for decades — network infrastructure, enterprise systems, and lately, AI pipelines. He was at Security Fest two years prior doing a talk on "bear trapping Linux servers." Now he's turned his attention to LLMs, and the picture isn't pretty.

The Setup: A Very Short History of AI

Tentler opens with a timeline that puts the current moment in context.

2000 — OpenCV is released. Computer vision becomes a thing researchers can actually work with.

~2014 — Google publishes Attention Is All You Need, the paper that becomes the architectural foundation for modern LLMs. This is the moment that changes everything, even if nobody outside ML circles noticed at the time.

November 2022 — ChatGPT launches publicly.

February 2023 — OpenAI reports 100 million users. Social engineering attacks spike 135% in the same window.

That last data point is the crux of his opening argument: the moment LLMs became mainstream, attackers immediately figured out how to weaponize them for social engineering at scale. The technology didn't create a safer world — it handed attackers a new attack surface before defenders even knew what they were defending.

LLMs Are Not Deterministic — And That's a Problem

One of the more technically interesting parts of the talk is Tentler's breakdown of why LLMs are fundamentally different from the rule-based security tools we're used to.

Traditional defenses — Bayesian filters, regex, signature matching — are deterministic. Same input, same output, every time. You can test them, reason about them, audit them.

LLMs are not. Every word in the training corpus becomes a token, and the model's outputs depend not just on the prompt but on hardware-level factors — including, Tentler points out, which brand of RAM your inference server is running on. Bit flips and hardware variance at the silicon level affect how these models make decisions.

This is not a hypothetical. It means two nominally identical deployments of the same model can behave differently, and you may never be able to fully explain why a given output happened. That's a nightmare from an audit and compliance standpoint, and it's a gift to attackers who are trying to find edge cases.

Memory and Context Engineering: The New Hotness

The part of the talk that really grabbed me was the section on memory and context engineering — what Tentler calls "the current new hotness" in the threat landscape.

The idea is simple: as LLM deployments mature, people stop storing context in flat text files and start wiring it up to centralized APIs and memory stores. If you're using Claude with a bunch of Markdown docs, someone somewhere is going to build a "dinky little API" that writes to a central repository instead. That central repo becomes a juicy, persistent attack target.

This is a qualitative shift. You're no longer attacking a stateless model call — you're attacking persistent memory that informs every future interaction with the agent. Poison the memory store, and you've poisoned the model's worldview semi-permanently. The model won't know it's been compromised. Neither will the user.

The PyTorch Lightning Supply Chain Hit

The most alarming section of the talk: a threat actor naming themselves Team PCP inserted an 11 megabyte JSON payload into PyTorch Lightning.

Let that sit for a second. PyTorch Lightning is a dependency for a huge slice of the ML ecosystem — training pipelines, fine-tuning workflows, production inference stacks. It's not a niche library. If you're running anything ML in production, there's a reasonable chance it's in your dependency tree right now.

The payload was 11MB of JSON. That's not a typo. That's a very deliberate, very large context injection designed to manipulate any LLM that ingests it as part of a RAG or tool-use pipeline. The attack surface here isn't the model — it's the data the model trusts.

This is the supply chain attack applied to AI. We saw this with npm packages, with PyPI, with SolarWinds. Now it's happening to the training and inference data layer.

The Thread Running Through All of This

If there's a single through-line in Tentler's talk, it's this: LLMs inherit trust from the systems around them, and attackers are exploiting that inherited trust aggressively.

The model trusts the memory store. The memory store trusts the ingestion pipeline. The ingestion pipeline trusts the dependency. The dependency has been compromised. The model is now a vector.

You didn't get breached through a buffer overflow or a misconfigured firewall. You got breached because your AI assistant read a poisoned JSON file and updated its understanding of reality accordingly.

This is what "Claude is your insider threat" means. The LLM sitting inside your infrastructure, with access to your tools, your data, your APIs — it can be turned against you by anyone who can influence what it reads.

What To Do About It

Tentler doesn't prescribe solutions in depth (that's not really his style — he's a "show you the fire" guy), but the implications are clear:

  • Treat model inputs as untrusted data. Everything a model ingests — docs, tool results, retrieved context, memory — is a potential injection vector. Validate and sanitize at the boundary.
  • Monitor what's going into your context window. If you're not inspecting the payloads flowing through your AI pipelines, you're flying blind.
  • Audit your dependency tree for AI libraries. PyTorch Lightning isn't the last library that will be targeted. Know what's in your ML stack.
  • Don't trust the model's self-report. A compromised model will tell you everything is fine. That's the point.

Final Thought

The title is deliberately provocative, but it's also accurate. Your LLM deployment — however carefully you prompt-engineered it — is only as trustworthy as every piece of data it has ever read. In 2026, that attack surface is massive, growing, and actively being probed.

Watch the talk. It's 52 minutes well spent.

Claude Is Your Insider Threat Now — Dan Tentler @ Security Fest 2026

Have you seen supply chain attacks targeting AI pipelines in the wild? Drop a comment — I'd love to compare notes.

Top comments (0)