Your Agent Works for Me Now

Johann Rehberger

[un]prompted 2026 — AI Security Practitioner Conference · Day 2 · 2

Johann Rehberger, one of the most prolific AI vulnerability researchers in the field, demonstrated how prompt injection has evolved from a party trick into a full kill chain — encompassing initial access, persistence, data exfiltration, and command-and-control. His most novel contribution is "Agent C2" (agent command and control), a prompt-level infrastructure that allows attackers to remotely command any compromised agent regardless of operating system or language — and he demonstrated it working against both OpenClaw and KimiClaw.

AI review

Johann Rehberger forgot to introduce himself because he was too busy demonstrating RCE via a Linear ticket, persistent memory poisoning across two enterprise platforms, a full prompt-injection kill chain, and a platform-agnostic agent C2 infrastructure working against both OpenClaw and KimiClaw. One of the densest offensive security demos I've seen in years.
