Overview

The USENIX WOOT Conference on Offensive Technologies brings together both academics and practitioners in the field of offensive security research. Occurring annually since 2007, when it was first founded as the Workshop on Offensive Technologies, WOOT has become the top venue for collaboration between academia, independent hackers, and industry participants on offensive research. As offensive security has changed over the years to become a large-scale operation managed by well-capitalized actors, WOOT has consistently attracted a range of high-quality, peer-reviewed work from academia and industry on novel attacks, state-of-the-art tools, and offensive techniques.

WOOT '26 welcomes submissions from academia, independent researchers, students, hackers, and industry. Two different submission tracks are available—an academic "classic" track for those intending to submit complete formal academic papers and an "up-and-coming" track for new or non-academic researchers who may be less familiar with academic procedures and may desire assistance writing a paper or just additional feedback and reviews.

Papers that have been formally reviewed and accepted will be presented during the WOOT conference and published in the formal proceedings. Authors are also expected to plan to publish research artifacts (such as source code and data sets) wherever possible; see further details below. By submitting a paper, you agree that, if the paper is accepted, at least one of the authors will register to attend the conference at full price (i.e., not the student rate) and to present the paper; USENIX members at the Advocate level and higher may apply their membership discounts to their registrations. If an author plans to present more than one paper, one full-price registration will still be required for each paper. If the conference registration fee will pose a hardship for the presenter of an accepted paper, please contact conference@usenix.org.

Topics

Submissions should reflect the state of the art in offensive computer security technology, exposing poorly understood mechanisms, presenting novel attacks, highlighting the limitations of published attacks and defenses, or surveying the state of offensive operations at scale. WOOT '26 accepts papers in both an academic security context and more applied work that informs the field about the state of security practice in offensive techniques. The goal for these submissions is to produce published works that will guide future work in the field. Submissions will be peer-reviewed and shepherded as appropriate.

Submission topics include, but are not limited to, practical attacks on and offensive research into:

Hardware, including embedded devices, physical attacks, cyber-physical systems, the "Internet of Things" and software-based exploitation of hardware vulnerabilities
Web security, as well as browser and general client-side security (such as runtimes, JITs, and sandboxing)
Machine Learning, LLMs, and other artificial intelligence topics with significant security implications
Operating system and hypervisor security
Application security
Network and distributed systems, including virtualization and the cloud
Wireless and applied protocol security
Mobile device security
Malware design, implementation, and analysis, including (de)obfuscation and sandboxing
Mitigations, their weaknesses, and how they can be (automatically) bypassed
Innovative approaches for software security testing, such as fuzzing for novel targets
Security of decentralized finance, smart contracts, and blockchain
Practical attacks on deployed cryptographic systems
Offensive applications of formal methods and program analysis (such as solvers and symbolic execution)

"Systemization of Knowledge" (SoK) papers that evaluate, systematize, and contextualize existing knowledge are also encouraged. Suitable papers include survey papers that provide useful perspectives on major research areas, papers that support or challenge long-held beliefs with compelling evidence, or papers that provide an extensive and realistic evaluation of competing approaches to solving specific problems. Such papers should be clearly labeled as SoK in their title.

Topic Relevance

We reserve the right to reject papers that fall outside the scope of WOOT or for which the program committee cannot secure adequate expert reviewers. Papers with no clear contributions to applied security will be considered out of scope.

The list of topics above is necessarily incomplete and imprecise. In its ongoing effort to adjust scope, the WOOT Steering Committee has identified a list of topics that are explicitly excluded. Papers whose core contributions are on the following topics are likely to be rejected for reasons of scope:

Papers with contributions primarily in another field: machine learning, AI, etc.
Machine learning and AI papers that only show problems that have been solved before without these methods, meaning that they do not advance the state of security research.
Papers with focus on theoretical cryptography but without implementation or evaluation on real systems.
Papers with focus on mathematical proof without implementation or evaluation.
Papers without any security or privacy contribution.