TL;DR: Threat intelligence is increasingly converging with identity, access, and machine-account governance, not just malware analysis. CrowdStrike’s Day Zero summit, on Aug. 30 to Sep. 1, 2026, will bring together threat researchers, reverse engineers, and intelligence leaders for original research on adversary tradecraft, vulnerability exploitation, fraud, and AI-era offensive techniques, according to CrowdStrike.
At a glance
What this is: CrowdStrike’s Day Zero 2026 is an invite-only threat research summit that concentrates on original offensive and defensive research across adversary tradecraft, vulnerability exploitation, fraud, and AI-era attack methods.
Why it matters: For IAM, NHI, and security architecture teams, the agenda is a reminder that identity controls increasingly sit inside broader threat workflows, especially where exposed infrastructure, human review, and agentic tooling intersect.
By the numbers:
- Day Zero will feature about 16 sessions and 25 presenters for 150 invited participants.
- Tickets are priced at $895 per person.
- Day Zero talks will run for 30 or 45 minutes depending on depth and scope.
- The summit limits attendance to approximately 150 highly vetted participants.
Context
Day Zero is an invite-only threat research summit built around original technical research, not product messaging. For identity teams, the signal is broader than threat intel alone: the agenda repeatedly touches the access layer, including exposed infrastructure, social engineering against admins, public research accelerating exploitation, and AI-driven offensive tradecraft.
That matters because modern attack paths often begin where identity, secrets, and operational trust overlap. As adversary methods shift toward credential abuse, delegated access, and automation-assisted intrusion, security programmes that treat identity as a separate domain from threat research will miss how attackers actually move.
Key questions
A: Teams should treat the research as a prioritisation signal, not a generic awareness event. The right response is to validate whether exposed systems, delegated access, or service accounts exist in the same pattern, then tighten revocation, review, and monitoring on the most reachable identities first.
Q: Why do exposed systems matter so much to IAM and NHI programmes?
A: Exposed systems often reveal the identity layer before defenders realise it. Once an attacker can see admin surfaces, keys, tokens, or mis-scoped trust relationships, the intrusion path becomes an access problem as much as a vulnerability problem. That makes exposure management part of identity governance.
Q: How can teams tell whether public offensive research should change their access controls?
A: If the research describes a technique that maps to your actual environment, it should change your controls. The best signal is whether the exploit path can reach a real identity, secret, or delegation mechanism in your stack. If yes, the control gap is already operational.
Q: What should IAM teams learn from AI-assisted offensive tradecraft?
A: They should assume attacker decision loops can accelerate. That means review, approval, and revocation processes need to be fast enough to keep up with automation that iterates on reconnaissance or abuse in near real time, especially where service accounts and delegated access are involved.
Background and context
Exposed infrastructure as a credential discovery surface
When researchers talk about exposed infrastructure, they are usually pointing to systems, services, or artefacts that should have stayed hidden but became discoverable through scanning, indexing, misconfiguration, or operational leakage. In practice, the exposure often becomes a credential discovery problem because tokens, keys, admin panels, and internal metadata are frequently reachable once the surface is visible. That changes the defender's task from perimeter hiding to identity hardening, secret hygiene, and rapid revocation. The security issue is not just that the asset is exposed. It is that exposure can reveal the trust primitives attackers need to pivot into more privileged systems.
Practical implication: inventory externally reachable identity artefacts and treat exposed infrastructure as an access-risk event, not only an asset-management issue.
Why public research speeds vulnerability exploitation
The agenda's emphasis on public research reflects a familiar pattern in adversary behaviour: once a defensive technique, exploit path, or detection clue becomes public, attackers often compress the time between disclosure and operational use. The mechanism is not novelty but scale. Public reporting gives adversaries a tested hypothesis, an exploit chain to validate, and often a list of environment-specific conditions to search for. That is especially relevant to identity and access teams because exposed workflows, third-party trust, and service-account sprawl can be audited quickly once the pattern is known.
Practical implication: shorten validation cycles for high-risk identity exposure paths whenever new public exploit guidance matches your environment.
Agentic weaponization and the AI-era attack surface
Agentic weaponization refers to attackers using AI systems or AI-assisted workflows to make offensive tradecraft faster, more adaptive, or more scalable. The important security question is not whether the model is 'smart', but whether it can independently select actions, chain tools, or execute follow-on steps with enough autonomy to change the attack's pace and shape. That matters for identity because the same access model that governs humans and service accounts may fail when an adversary uses AI to iterate on reconnaissance, phishing, or exploitation decisions in near real time. Identity control boundaries start to blur when tooling can be orchestrated dynamically at runtime.
Practical implication: evaluate whether your monitoring, approval, and revocation processes can cope with AI-assisted attacker decision loops, not just scripted abuse.
NHI Mgmt Group analysis
Day Zero is a threat-research event, but the real identity story is the collapse of the boundary between adversary tradecraft and access governance. Sessions on exposed infrastructure, social engineering, and AI-enabled offensive methods all point to the same problem: attackers increasingly look for identity primitives before they look for payloads. That means threat research and IAM can no longer be treated as separate conversations. Practitioners should read the agenda as proof that identity has become part of the intrusion path, not only part of the defence stack.
Exposed infrastructure now functions as an identity discovery channel. When researchers present on tracking adversaries through exposed systems, the deeper lesson is that visibility gaps often expose more than hosts. They expose secrets, admin surfaces, and trust relationships that were never meant to be public. The practical conclusion is that external exposure management and identity governance are converging, and teams need to think about what an attacker learns from one reachable endpoint.
Agentic weaponization changes the rate at which identity controls are stressed. Even when AI is used as an offensive assistant rather than a fully autonomous actor, it can compress reconnaissance and credential abuse cycles enough to outpace manual review processes. That matters because many IAM and NHI controls still assume a slower adversary. The implication is that governance rhythms built for human-speed abuse will increasingly lag behind AI-assisted tradecraft.
Identity blast radius: the relevant question is no longer whether an identity exists, but how far an attacker can move once they find it. The agenda's mix of threat intelligence, exploitation, and AI sessions reinforces that blast radius is now a cross-domain metric spanning service accounts, admin users, and machine identities. Practitioners should treat privilege scope and discoverability as one combined risk surface.
Threat research communities are becoming governance early-warning systems for identity teams. Conferences like this surface attacker behaviour before it shows up as a formal control requirement. That gives IAM, PAM, and NHI programmes an opportunity to reweight priorities toward exposure, delegation, and revocation speed. The right takeaway is to use threat research as an input to identity roadmap decisions, not as a separate specialist stream.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which is why exposed infrastructure becomes an identity discovery problem so quickly.
- Read 52 NHI Breaches Analysis for the breach patterns behind credential exposure and delegated access abuse.
What this signals
The practical signal for practitioners is that exposure management and identity governance are converging into one operating model. If your team still treats secrets, service accounts, and external attack surface as separate queues, the response time will stay too slow for the current threat pace.
Identity blast radius: the next maturity question is not how many identities you manage, but how quickly you can limit what an attacker can do after discovering one. That means revocation speed, privilege scope, and external visibility all need to be measured together.
For teams maturing against public offensive research, the useful benchmark is whether the research can be translated into a control test within days, not weeks. That is the point where threat intelligence starts to drive identity change rather than simply document risk.
For practitioners
- Map exposed infrastructure to identity artefacts: Review externally visible systems for secrets, tokens, admin consoles, and machine credentials. Prioritise services where exposure could lead directly to privileged access or third-party trust abuse.
- Shorten response time for public exploit signals: When a public talk, paper, or disclosure matches your stack, run a fast validation cycle across the relevant identity paths. Focus on service accounts, delegated access, and any credentials that cannot be rapidly revoked.
- Reassess approval workflows against AI-assisted tradecraft: Test whether current approvals, logging, and revocation steps still hold when attacker decisions accelerate through AI-assisted reconnaissance or phishing. If the workflow depends on human-speed review, it will likely lag.
- Use threat research to reprioritise identity governance backlog: Feed conference themes into your IAM and NHI roadmap, especially around privilege scope, exposure management, and revocation speed. Treat repeated attacker patterns as evidence that governance gaps are becoming operational risks.
Key takeaways
- Day Zero's agenda shows that modern threat research increasingly intersects with identity, secrets, and delegated access, not just malware and payloads.
- Exposed infrastructure matters because it often reveals the identity primitives attackers need, including secrets, admin surfaces, and trust relationships.
- Identity teams should use public offensive research to accelerate validation, shorten revocation cycles, and reassess how fast their controls can respond.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access governance is implicated when exposed infrastructure reveals identity primitives. |
| NIST Zero Trust (SP 800-207) | SC.L1 | The summit's themes reinforce continuous verification and reduced trust in exposed environments. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Identity and secret exposure patterns align with NHI credential lifecycle failure. |
Review exposed secrets and machine credentials against NHI-03 and accelerate revocation where exposure is found.
Key terms
- Exposed infrastructure: Infrastructure that is reachable or discoverable outside its intended trust boundary. In identity programmes, exposure matters because services, consoles, metadata, and secrets can become visible to attackers and used as entry points into privileged access paths.
- Identity blast radius: The amount of damage an attacker can cause after compromising one identity or trust relationship. It reflects privilege scope, delegation depth, and how far access can move across systems before defenders can detect or revoke it.
- Agentic weaponization: The use of AI systems or AI-assisted workflows to increase the speed, scale, or adaptability of offensive operations. In security terms, the concern is not model sophistication alone, but whether runtime decisions can accelerate reconnaissance, abuse, or follow-on actions.
- Delegated access: Access granted through an intermediary identity, application, or service rather than directly to a user. It is central to NHI governance because the original granting decision, the current operator, and the actual blast radius are often different things.
What to expect at the briefing
CrowdStrike's full event page covers the operational detail this post intentionally leaves for the source:
- Full agenda timing across the opening reception, morning keynotes, and parallel afternoon tracks.
- Speaker list and topic pairings for each session, including the threat research and AI security talks.
- Attendance logistics, pricing, and invitation process for the closed-door summit.
- Information about the later Fal.Con access included with Day Zero tickets.
Published by the NHIMG editorial team on 2026-09-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org