James Kettle upcoming talks & research portfolio

Bio

James 'albinowax' Kettle is the Director of Research at PortSwigger, the makers of Burp Suite. He's best known for pioneering novel web attack techniques, and publishing them at major conferences like Black Hat USA, at which he's presented for nine consecutive years.

He also loves exploring and advising on innovative tool concepts for security professionals, many of which have since become industry standard. Examples include introducing OAST via Burp Collaborator, bulk parameter discovery via Param Miner, billion-request attacks with Turbo Intruder, and human-style scanning with Backslash Powered Scanner.

His best-known research is HTTP Desync Attacks, which popularised HTTP Request Smuggling. Other popular attack techniques that can be traced back to his research include web cache poisoning, the single-packet attack, server-side template injection, and password reset poisoning. He's also the designer behind many of the topics and labs that make up the Web Security Academy, and serves on the Black Hat Europe review board.

Can AI Do Novel Security Research? Meet the HTTP Terminator

This August, at Black Hat USA 2026. Other conferences pending.

We all know AI can find bugs. After a decade of research, I asked a harder question: can an autonomous system invent new attack techniques, and use them to hack live websites at scale? Building this sounded like a bad idea, so I did it.

It worked - I'll share an arsenal of new HTTP desync triggers, gadgets, and exploits that compromised banks, security solutions, and government infrastructure. Then I'll trace each discovery chain back through the HTTP Terminator, showing how to turn your personal expertise into an autonomous weapon - and the dark arts required to make it lethal.

I'll also share discoveries from beyond the autonomy horizon - some only reachable with a tight human/AI research loop, and others beyond AI's reach entirely. These include a powerful undisclosed recon technique, and anomalies that hint at new attack classes offering alternative paths to critical impact. I'll analyze the discovery process, sharing detailed experiments that probe the boundaries of what AI can and can't discover.

You'll leave with new exploits from desync triggers to undisclosed attack classes, and a blueprint for turning your instincts into an autonomous research cascade. And yes, I'll open-source the HTTP Terminator.

Show/Hide past presentations Show/Hide past presentations

Past presentations

Black Hat USA 2025 - HTTP/1.1 must die! The desync endgame
DEF CON 33 - HTTP/1.1 must die! The desync endgame
RomHack 2025 - Keynote: HTTP/1.1 must die! The desync endgame
Black Hat USA 2024 - Listen to the whispers: web timing attacks that actually work
DEF CON 32 - Listen to the whispers: web timing attacks that actually work
Nullcon Goa - Smashing the state machine: the true potential of web race conditions (updated)
DEF CON 31 - Smashing the state machine: the true potential of web race conditions
Black Hat USA 2023 - Smashing the state machine: the true potential of web race conditions
DEF CON 30 - Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smugling
Black hat USA 2022 - Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smugling
NULLCON Berlin 2022 KEYNOTE - Hunting evasive vulnerabilities: finding flaws that others miss
BlackHat EU 2021 - HTTP/2: The Sequel is Always Worse (in-person)
DEF CON 29 - HTTP/2: The Sequel is Always Worse
BlackHat USA 2021 - HTTP/2: The Sequel is Always Worse
BlackHat USA 2020 - Web Cache Entanglement: Novel Pathways to Poisoning
BlackHat EU 2019 - HTTP Desync Attacks: Request Smuggling Reborn
OWASP Global AppSec - HTTP Desync Attacks: Request Smuggling Reborn
DEF CON 27 - HTTP Desync Attacks: Smashing into the Cell Next Door
BlackHat USA 2019 - HTTP Desync Attacks: Smashing into the Cell Next Door
ekoparty 2018 - Practical Web Cache Poisoning: Redefining 'Unexploitable' (updated)
BlackHat USA 2018 - Practical Web Cache Poisoning: Redefining 'Unexploitable'
BlackHat USA 2017 - Cracking the Lens: Targeting HTTP's Hidden Attack-Surface
PHDays 7 - Backslash Powered Scanner: Automating Human Intuition
NorthSec 2017 - Backslash Powered Scanner: Automating Human Intuition
AppSec EU 2017 - Exploiting CORS Misconfigurations for Bitcoins and Bounties
AppSec USA 2016 - Exploiting CORS Misconfigurations for Bitcoins and Bounties
BlackHat EU 2016 - Backslash Powered Scanner: Hunting Unknown Vulnerabilities
44Con 2015 - Hunting Asynchronous Vulnerabilities
BlackHat USA 2015 - Server-Side Template Injection: RCE for the Modern Web App
OWASP AppSec EU 2014 - ActiveScan++: Augmenting manual testing with attack proxy plugins
...and every BSides Manchester 2014-2019

James Kettle

Bio

Can AI Do Novel Security Research? Meet the HTTP Terminator

Past talks

Past presentations

Research Portfolio

HTTP Request Smuggling

Web Cache Poisoning

Tools & automation

Other highlights

How I approach research

Misc