Published on September 11, 2024 – On the heels of two first place wins in the 2024 Atlantic Council’s Cyber 9/12 Strategy Challenge (Austin and Washington D.C.), Duke Cyber Club is kicking off its sixth academic year on a very high note. In addition to monetary awards, eight club members received free tickets to Black Hat, one of the most respected cybersecurity events in the world. Our participants’ reflections on the event are noteworthy, especially as the challenges in cybersecurity continue to grow in scope and complexity around the world.
The Duke Cyber Club student-led organization began as a small team of dedicated individuals and has grown campus-wide to include undergraduate and graduate students from all disciplines and interests. The Club offers students opportunities to learn from each other, engage with cybersecurity practitioners in the government and private sector, hone their policy and technical skills in practice sessions and participate in competitions hosted by Duke as well as nationally recognized organizations.
Long-time Duke Cyber Club coach and mentor, Kim Kotlar, said, “Working with the students and seeing how much fun they have learning about some of today’s most vital policy and technical challenges is awesome.” She added that everyone is so grateful for the support from American Grand Strategy (AGS), Sanford School of Public Policy, Duke’s Student Organization Finance Committee, Pratt’s Cybersecurity Master of Engineering Program, the Pratt Engineering Alumni Council, and Duke’s CISO Office among others. For more information or to join the Club visit: https://duke.campusgroups.com/dukecyber/home/.
One of the highlights for the club this year was students attending the Black Hat Conference in August 2024 for the first time. Attendees agreed this was an amazing learning experience. Here are some of their reflections, in their own words:
Peter Banyas (Electrical and Computer Engineering, 2026): Black Hat was a mix of thrills and terrors. We learned about cutting-edge cyber exploitation techniques that destroy our fundamental assumptions of security. In the briefings, I was in awe as presenters demonstrated how answering an innocuous video call on your phone can allow attackers to steal your data. The mere latency of your internet connection can allow observers to discern what website you’re on. It gets even more fundamental: the time it takes for variables to be called from your computer’s memory vs cache can be exploited to infer the state of variables in compartmented processes. And beyond the lectures, it was wonderful to meet with innovators and experts in the field — especially some startup founders who shared fascinating visions with me. Black Hat was an incredible experience, and I’m incredibly grateful to Duke and Cyber 9/12 for making it possible for us to attend.
Alex Mages (Computer Science, 2027): It was a great experience, both technically and professionally. The number of attendees shocked me; I’d always thought of security as some nascent profession composed of burnt-out developers, people who thought IT wasn’t stressful enough, and managers who insist their sysadmin should be able to secure the entire product suite by Monday, but Black Hat made me reconsider—cybersecurity’s everyone’s problem now. It was fascinating to learn about others’ research outside of a PDF, and Las Vegas was arguably more perspective-shifting than the conference itself. My impressions were overwhelmingly positive, with one specific exception: if you smile and rephrase the question enough times, you don’t actually have to answer it.
Audrey Link (Electrical and Computer Engineering & Computer Science, 2026): Attending Black Hat with Duke Cyber was a great capstone to my summer, allowing me to see a wide array of work on-going in the field. One of the highlights for me was a briefing with the National Cyber Director Harry Coker Jr., which gave insight into how the national government approaches cybersecurity. It was interesting to see someone at his level come and speak directly to the people tackling these kinds of challenges. I also loved seeing different security researchers techniques and findings in the more technical briefings, as well as the wide array of targets they were researching.
Shristi Sharma (Computer Science, 2025):
It’s been my dream to attend Black Hat since I was in high school, and I was so grateful for the opportunity to finally be able to attend this year thanks to the Atlantic Council! From star speakers such as the Director of the Cybersecurity and Infrastructure Security Agency to keynotes from the founder of Signal, we got to learn from industry, government, and international experts about the current challenges and newest developments in cybersecurity. I was most impressed by Black Hat’s Network Operations Center (NOC) where they managed the conference’s own network so as to not burden the conference venue’s WiFi with heavy traffic and attendees trying out the new hacking tools they were learning!
Isabella Paliotta (Computer Science + Philosophy, 2026):
Following the Black Hat Cyber Security Conference, I left with three favorite takeaways. First, I learned through a talk from a Microsoft security researcher how companies like Microsoft and Intel proactively red team each other’s products before release, often revealing zero-days and giving dev teams time to patch before their product is ever put into production. This collaborative approach to product security was reassuring and underscored the importance of adversarial testing, like red-teaming. Second, the evolution of phishing techniques, from traditional wide-net phishing to highly targeted spear phishing now enhanced by AI, was both alarming and intriguing. The sophistication of these attacks, driven by AI’s ability to tailor messages to individuals and craft convincing narratives, highlighted the growing challenges in cybersecurity. I watched a handful of talks about these new campaigns, and often left with an uneasy feeling, as many of the scenarios felt like ploys I would fall for, even as someone who’s keenly aware of phishing. Lastly, the rise of generative AI has introduced new attack vectors, and it was interesting to observe how different speakers had varying perspectives on how to secure against these emerging AI threats. Some speakers implored that we not fight AI with AI, as the issues present in the products we attempt to secure would also be present in the security solutions, while others took the perspective that AI security products are the only match for an adversary equipped with AI. The diversity of opinions emphasized the complexity and unchartedness of addressing AI-related security challenges.
Lucas Wagner (Math & Economics, 2027) had three major take-aways:
- Zero-Day Exploits:
I learned that zero-day vulnerabilities aren’t just for seasoned professionals to find — students with a strong technical foundation and curiosity can also discover them. By participating in bug bounty programs, seeking academic incentives, or staying active in cybersecurity communities, even newcomers can make meaningful contributions.
- AI and Cybersecurity:
AI is dramatically reshaping cybersecurity as a business, offering blue-teamers powerful tools for threat detection and automated response. However, it also introduces new risks, as attackers are increasingly using AI to create more sophisticated and elusive threats (particularly at the level of social engineering).
- Cybersecurity Startups:
Startups are gaining lots of attention in cybersecurity innovation, particularly in areas like cloud security, threat intelligence, and zero-trust architectures. The conference emphasized that agility and niche problem-solving are key for new companies to succeed, but I’m still somewhat skeptical about how much value-added some startups are creating. It often seemed as though some created problems for themselves to solve rather than addressing real market needs.
Atharva Vispute (Computer Science & Chemistry, 2025):
Black hat was amazing!! I learned a ton and I’m so grateful that I had the chance to go (thank you Atlantic Council!!). The following are just a couple of the many things I learned. First, the world is huge! There are so many amazing things going in cybersecurity and there’s an endless plethora of things that can be hacked, demonstrating just how meticulous companies have to be when creating products. Second, I learned a lot about how to give presentations. There were some really fantastic presentations (especially the keynote from Signal’s founder on the second day) that were phenomenal for keeping an audience engaged. Finally, I learned about a lot of the smaller technical vulnerabilities that we have to be aware of when developing code. I’m now much more cautious of writing code that is memory-safe and free from Bluetooth and WiFi vulnerabilities. While it’s not something that I’m specifically asked to pay attention to, it’s great to keep an eye on while I do my own work.
