AppSec & Cybersecurity Events Calendar 2026: 60+ Conferences, Summits & Meetups by Region and Industry

Last updated: March 2026

Planning a conference budget for a security team means choosing between dozens of events that all sound the same on paper. This calendar makes the choice easier. We went through event websites, agendas, speaker lists, and CFPs to describe what each event covers, who speaks there, and what kind of conversations happen in the room. Regional events, community meetups, industry-specific summits, and the well-known names — organized by region, with a separate section for events tied to specific industries like automotive, healthcare, maritime, and financial services.

 

Europe

OWASP Netherlands Chapter Meetup

Amsterdam, Netherlands | April 16

Evening meetup at the Beyond Republica campus. Speakers apply through an open call, so the program reflects what the Dutch AppSec community is currently working on — past sessions have covered API security testing methods, cloud-native threat modeling, and securing CI/CD pipelines in enterprise environments. The audience is practitioners from Dutch enterprises, startups, and consultancies.

Best for: developers, AppSec engineers, and cloud security practitioners in the Netherlands and neighboring countries.

Registration: owasp.org/www-chapter-netherlands 

 

CYBERUK

Glasgow, Scotland | April 21 - 23

The UK National Cyber Security Centre's flagship event, marking NCSC's 10th anniversary. The 2026 program is structured around six tracks. Plenaries in the 3,000-seat auditorium bring together UK and international cyber leaders — in 2025, NCSC CEO Richard Horne delivered the opening keynote, and Google Cloud led a session on transforming resilience across international partners.

The new Tech Talks track runs in a 600-seat auditorium with in-depth technical sessions across three themes: cyber applications of AI, evidence-based approaches that actually reduce cyber harm, and the evolving threat landscape.

There's an invite-only CISO track with sessions designed by NCSC specifically for that community. Interactive workshops let government and industry teams co-develop defense strategies in real time.

The Spotlight Stage hosts 5-minute lightning talks from delegates throughout the day. On the expo side: a Cyber Den startup competition (winner gets 12 months of NCSC support), a CyberScotland Street showcasing Scottish SMEs, and networking events at Glasgow's iconic venues.

Best for: public sector security leaders, CISOs in regulated industries, security practitioners working within or alongside the UK government cyber ecosystem.

Registration: cyberuk.uk

 

OffensiveCon Berlin

Berlin, Germany | May 15 - 16

Two days, single track — every talk happens in the same room, with no missed sessions. The 2025 keynote by Perri Adams explored the future of AI in exploit development.

The program is exclusively about offensive security: how to find vulnerabilities in production systems, how to build exploits, how to reverse-engineer compiled binaries. Speakers go through dry-run sessions with the CFP committee before presenting, so every talk arrives polished and technically dense.

Training runs in the days before the conference — advanced, hands-on sessions. In 2025, BlackHoodie (a women-in-security initiative) ran a workshop on compiler internals for security engineers — analyzing source code through compilation stages and injecting code at specific compiler passes. The organizers deliberately keep ticket prices low to make it accessible beyond corporate training budgets.

Best for: vulnerability researchers, exploit developers, reverse engineers.

Registration: offensivecon.org

 

AppSec Israel

Tel Aviv, Israel | May 18

Israel's largest application security conference, moving to a bigger venue at Tel Aviv Expo Pavilion 10 for 2026. The 2025 edition drew around 900 attendees; 2026 expects to cross 1,000.

The CFP is vendor-neutral with blinded reviews (completely disconnected from sponsorship). Accepted talk topics span secure coding practices, supply chain security, static analysis, threat modeling, DevSecOps, cloud-native security, mobile and API security, and AI security.

In 2025, speakers included Shira Shamban, Sharon Ohayon, and Ori Troyna presenting on real-world AppSec implementation challenges. The Israeli security community has deep roots in offensive research and military cybersecurity — which shows in the technical depth of the Q&A.

Best for: AppSec engineers, developers, DevOps professionals, cloud security practitioners.

Registration: appsecil.org

 

CyberWiseCon Europe

Vilnius, Lithuania | May 19 - 22

This year's agenda is built around AI-driven threats in production environments. Kalle Sirkesalo (Eficode) presents on AI-powered slopsquatting — how AI coding tools inject malicious dependencies by exploiting developer naming habits. Iva Tasheva demos Confirmate, an open-source tool that automates Cyber Resilience Act conformity assessments for EU SMEs. Eric Filiol (Thales Group) covers advanced threat detection.

Other confirmed sessions: cloud identity misconfiguration in hybrid environments, Zero Trust deployment in legacy and SaaS stacks, building an enterprise-grade open-source SOC, and predictive frameworks for zero-day defense.

Workshops on Day 1 are hands-on — ethical hacking, incident response, cloud security hardening. Registration also gives access to two co-located conferences, DevDays and DevOps Pro, so teams can split across security, development, and operations tracks.

Best for: security engineers, DevSecOps leads, SOC analysts, risk managers.

Registration: cyberwisecon.eu

 

CyCon (Cyber Conflict Conference)

Tallinn, Estonia | May 27 - 30

Run by the NATO Cooperative Cyber Defence Centre of Excellence. The agenda sits at the intersection of technical cybersecurity, international law, and military strategy — you'll hear an international law professor dissect state-sponsored cyber operations attribution in the morning and a military strategist walk through cyber deterrence doctrine after lunch.

Speakers come from NATO member state governments, intelligence agencies, and academic institutions. The discussions here directly influence how governments approach cyber norms, rules of engagement, and cross-border incident response coordination.

Best for: government and defense sector professionals, critical infrastructure security leads, researchers in cyber conflict and international security policy.

Registration: ccdcoe.org/cycon

 

Infosecurity Europe

London, UK | June 2 - 4

Europe's largest cybersecurity exhibition. The expo hall covers hundreds of vendors across the entire security stack, and three days under one roof means teams can walk from a SIEM demo to an IAM vendor to a cloud security startup and compare their approaches back-to-back, instead of scheduling weeks of individual calls. Conference tracks run in parallel — CISOs sharing how they rolled out zero trust across a legacy estate, threat intelligence teams walking through recent campaign analysis, DevSecOps leads explaining what actually changed when they shifted security left in their org.

Best for: CISOs evaluating tooling, security architects doing vendor landscape analysis, procurement teams.

Registration: infosecurityeurope.com

 

Area41

Zurich, Switzerland | June 18 - 19

Held every two years, which concentrates the content — speakers save their best original work for it. The program is entirely practitioner-driven. You'll see a researcher walk through a new exploitation technique they discovered in a production protocol stack, then watch someone else reverse-engineer a malware sample live on stage.

The audience works in security testing, red teaming, and vulnerability research, which means the Q&A goes deep and the hallway conversations go deeper. What gets presented here often shows up in mainstream security coverage half a year later.

Best for: security researchers, penetration testers, reverse engineers, vulnerability analysts.

Registration: area41.io

 

OWASP Italy Day

Cagliari, Sardinia, Italy | June 17-18

Trainings on June 17 include AI security fundamentals with Vandana Verma Sehgal (OWASP Global Board), Android mobile app security based on the OWASP MAS project, and threat modeling for AI agent swarms in decentralized ecosystems.

The conference day (June 18) opens with a keynote by Marco Morana (Field CISO, Avocado Systems) and features talks on secure development, AI security, and DevSecOps. In 2025, sessions covered threat modeling for digital credentials and the intersection of AI and blockchain in cybersecurity. The event runs alongside the APWG.EU Tech Summit on cybercrime research. ISC2 accredited — qualifies for CPE credits.

Best for: AppSec engineers, developers building AI-powered applications, security researchers, students.

Registration: owasp.org/www-chapter-italy/events/OWASPItalyDay2026-06-18

 

Troopers

Heidelberg, Germany | June 22 - 26

Organized by ERNW, one of Europe's most respected independent security consultancies. The training goes deep into specific domains — in past years, topics have included Active Directory attack paths and defense, SAP security assessment, network protocol analysis, and advanced penetration testing techniques.

The conference talks are given by working practitioners presenting original research and real engagement stories.

The venue — Print Media Academy — is deliberately small, which means hallway conversations with speakers happen naturally, and the Q&A after talks gets technical.

Best for: penetration testers, network security engineers, Active Directory and SAP security specialists, security consultants.

Registration: troopers.de

 

OWASP Global AppSec EU

Vienna, Austria | June 22 - 26

Training days feature 14 courses: Adam Shostack's Threat Modeling Intensive, Jim Manico teaching AppSec and AI Security for Developers, Rob van der Veer (founder of OWASP AI Exchange, co-editor of the AI Act security standard) running the Master AI Security course, Tanya Janca on building security champions programs, and a Mobile Playbook covering iOS and Android app security hands-on.

Conference days talks go through blind review — AI-generated or product-pitch submissions get rejected, and repeated content from other conferences gets deprioritized, so the program skews toward original case studies and fresh research.

Tracks include AppSec, DevSecOps, AI security, and a half-day MobileAppSecCon run by the OWASP MAS Project. The Project Demo Room lets attendees try OWASP tools hands-on with the maintainers who built them.

Also: CTF, Meet the Mentor, Women in AppSec breakfast, interactive PODs for small-group discussion.

Best for: AppSec engineers, mobile security specialists, teams evaluating open-source security tools, anyone working on AI application security.

Registration: owasp.glueup.com/event/owasp-global-appsec-eu-2026-vienna-austria-162243/

 

CISO 360 Global Congress

Lisbon, Portugal | June 24 - 26

All sessions run under Chatham House rules — meaning people say what they actually think, not what looks good on a recording. In 2025, speakers included CISOs from Canon Europe, ING, Flight Centre, and the Portuguese securities commission, discussing how they handle AI governance decisions internally, where identity risk management actually breaks down in practice, and how they quantify cyber risk for board conversations.

The congress mixes case stories, fireside chats, think-tank roundtables, and the signature CISO 360 Roundtable. Evenings are designed for the kind of relationship-building that doesn't happen in a conference hall — cultural excursions, curated dinners, the summer garden party at Holland Park in London.

The Pulse team also runs regional roundtable dinners throughout the year, including a cyber risk quantification session at Carlton House Terrace.

Best for: CISOs and senior security leaders who want strategic peer exchange across industries and geographies.

Registration: pulseconferences.com/conference/10th-ciso-360-global-congress

 

OWASP AppSec Days France

Paris, France | September 24

One-day application security conference. Talks cover secure SDLC, vulnerability exploitation, security testing, and governance — and the program welcomes speakers from across the development lifecycle, so the speaker lineup includes developers and testers who have implemented security in their pipelines alongside dedicated AppSec professionals.

Content is vendor-neutral — submissions that pitch products get rejected.

In 2025, sessions covered hands-on AppSec techniques applicable to engineering teams, with Semgrep among the sponsors demoing AI-powered code analysis workflows.

Best for: AppSec practitioners, developers, testers, and security managers in France and across Europe.

Registration: owaspappsecdays.fr/2026/

 

Cyber Security & Cloud Expo Europe

Amsterdam | October 2026

Part of the TechEx series. The expo pass covers sessions on AI-powered threat detection, cloud security architecture, zero trust implementation, and data protection strategies.

What makes it different from a standalone security event is the co-location — the AI, IoT, and cloud computing expos run simultaneously in the same venue. In practice, this is useful when security work touches cloud migration, AI deployment, or IoT environments, and teams need context from those adjacent domains.

Best for: security professionals whose scope extends into cloud infrastructure, AI deployments, or IoT environments.

Registration: cybersecuritycloudexpo.com/europe/

 

Les Assises de la Cybersécurité

Monaco | October 7 - 10

Invitation-only. Pre-scheduled One-to-One meetings between security decision-makers (CISOs, CIOs, CTOs with active investment projects) and solution providers.

The 2025 keynote lineup included Vincent Strubel (Director General of ANSSI, France's national cybersecurity agency), Anthony Belfiore (CSO at Wiz), and Joffrey Célestin-Urbain (President of Campus Cyber).

The content program — keynotes, case studies, workshops, roundtables, elevator pitches from startups — is shaped by a steering committee of practitioners around themes like aligning cybersecurity with business strategy, pragmatic risk management, and building security talent pipelines.

Beyond the main event: "Le Before" runs strategic pre-retreats in Davos and Cannes, and "Le Cercle" hosts quarterly Paris dinners that keep the community active year-round.

Best for: security executives at large French and European organizations, vendors seeking qualified meetings with decision-makers who have active buying mandates.

Registration: lesassisesdelacybersecurite.com/en

 

it-sa Expo&Congress

Nuremberg, Germany | October 27 - 29

Europe's largest IT security trade fair by exhibitor count — in 2025 it drew 993 exhibitors across five halls and over 28,000 visitors from 64 countries. The expo floor covers hardware, software, training, consulting, and Security-as-a-Service.

The real depth is in Congress@it-sa, which starts the day before the expo and runs six specialist forums with over 400 presentations — sessions in 2025 covered building sustainable security culture through gamification and psychological safety, AI-driven defense strategies, zero trust architecture, OT security for industrial environments, and cloud security compliance.

The it-sa 365 platform extends the conversation year-round with on-demand sessions and IT Security Talks between events. When evaluating security solutions for a German or European enterprise, or if selling into the DACH market, this is where procurement conversations happen at scale.

Best for: enterprise security teams operating in the DACH/EU market, security vendors targeting European customers, compliance professionals navigating NIS2, CRA, and GDPR.

Registration: itsa365.de

 

Chaos Communication Congress (38C3)

Hamburg, Germany | December 2026

The annual gathering of the Chaos Computer Club community. The program is selected by the CCC community itself — expect a researcher to demonstrate a new side-channel attack on a hardware token in one room, and in the next room a lawyer explain how a recent EU surveillance regulation will affect encrypted communication. Workshops run in parallel: soldering, hardware hacking, lock-picking, privacy tool development.

The culture here shapes how a significant part of the European security and privacy community thinks about technology, freedom, and accountability.

Past congresses have produced disclosures that made international headlines — from voting machine vulnerabilities to surveillance infrastructure teardowns.

Best for: security researchers, privacy engineers, hardware hackers, digital rights practitioners, anyone working at the intersection of technology and civil liberties.

Registration: events.ccc.de

 

BSides London

London, UK | December 2026

One-day conference at the Novotel London West. Talks are community-selected and cover the full spectrum — application security, threat modeling, AI security, IoT security, cloud security, penetration testing, malware analysis, threat hunting, incident response, cryptography, and career development. Workshops run in parallel.

The 2025 talks are already available on YouTube, to assess the content quality before deciding. Tickets release in waves (September, October, November via Eventbrite) and tend to go fast. The event raises money for Cancer Research UK.

Best for: security practitioners at all levels, students, anyone building a network in the UK security community.

Registration: bsides.london

 

Americas

Après-Cyber Slopes Summit

Park City, Utah | February 25 - 27

About 180 executives — single-track briefings, open panel discussions, off-the-record peer networking at a ski-in/ski-out resort in Canyons Village. The 2026 CFP focused exclusively on 50-minute presentations covering real-world AI deployments in security operations, incident response automation, and governance — aimed at an executive and decision-making audience (CISOs, security directors, founders). The format is deliberately intimate: one track means everyone sees the same content, and the ski resort setting creates unstructured time where the real conversations happen — on the chairlift, at après-ski, over dinner. Attendees are enterprise CISOs, CIOs, heads of compliance, and cybersecurity architects who manage vendor relationships and allocate security budgets.

Best for: CISOs, CTOs, security directors who want strategic conversation in a small-group, relationship-focused setting.

Registration: aprescyber.com

 

SunSecCon

Pasadena, CA | March 5 - 6

In its second year, co-located with SCaLE 23x (North America's largest community-run open source conference) — one ticket covers both events. SunSecCon was created to marry application security, infrastructure security, cloud security, and corporate security teams that usually operate in silos.

Confirmed sessions include Tina Lekshmi Kanth on secure prompt engineering at scale — turning financial event streams into explainable automation. Other talks cover incident post-mortems, cloud and AI workload defense, Linux hardening, and open-source vulnerability analysis. SCaLE 23x keynotes include Cindy Cohn (Executive Director of the EFF) and Mark Russinovich (CTO and Technical Fellow, Microsoft Azure).

The overlap between security and open-source engineering tracks means attendees can sit in an AppSec talk and then walk into a Kubernetes security session or a DevOps pipeline workshop.

Best for: security engineers working across multiple domains, open-source security practitioners, DevSecOps teams on the US West Coast.

Registration: socallinuxexpo.org/scale/23x

 

RSA Conference

San Francisco, CA | March 23 - 26

The 2026 theme: "The Power of Community." The program spans AI-driven threats, supply chain risk, zero trust architecture, identity security, cloud security, and board-level cyber risk communication. CISO Boot Camp runs specialized sessions for security executives. The Innovation Sandbox competition puts ten startups on stage to pitch their approach — a useful barometer for where venture capital thinks security is heading.

The expo floor has 500+ exhibitors. The sheer scale means teams can schedule meetings with vendors, attend analyst briefings, hear research talks, and catch up with peers from across the industry in the same week.

All talks are recorded and many are available through RSAC membership after the event.

Best for: the broadest possible cross-section of cybersecurity professionals — CISOs, practitioners, vendors, investors, policy-makers.

Registration: rsaconference.com

 

OWASP BASC (Boston Application Security Conference)

Boston, MA | April 11

One-day OWASP community conference. Talks are selected through blind review — reviewers can't see speaker names, company affiliations, or podcast associations. AI-generated submissions get flagged and rejected.

The result is a program built on content quality: real-world case studies, new approaches to AppSec problems, and technical depth that comes from practitioners solving actual issues at work. Hands-on training runs in parallel.

The 2026 tracks span beginner to advanced and are structured around specific audience profiles so talks connect directly to what that audience needs on Monday morning.

Best for: AppSec practitioners and software engineers, particularly in the US Northeast.

Registration: basconf.org

 

OWASP SnowFROC

Denver, CO | April 2026

Denver's application security conference, run entirely by volunteers. Expanding to two days in 2026 — training on day one, conference on day two.

The CFP selects speakers based on whether they have something original and practical to teach; vendor pitches don't make it through. Past sessions have covered threat modeling in fast-moving engineering teams, automating security in CI/CD without breaking developer workflows, and cloud-native AppSec patterns. The audience is a mix of security professionals, developers, and researchers from the Mountain and Western US.

Attendees consistently highlight the workshop quality and the networking — the event is small enough that attendees actually talk to the speakers.

Best for: security professionals and developers in the Mountain/Western US looking for practitioner-led AppSec content.

Registration: snowfroc.com

 

CERIAS Security Symposium

West Lafayette, Indiana | April 7 - 8

Hosted by Purdue University's Center for Education and Research in Information Assurance and Security.

The 2025 edition (the 26th) featured Phil Venables (CISO of Google Cloud) keynoting on cybersecurity strategy, followed by a fireside chat with Eugene Spafford (CERIAS founder), Michael Clothier (sector CISO at Northrop Grumman Aeronautics), and Kelley Misata (CEO of Sightline Security, president of the Open Information Security Foundation).

The second keynote covered securing nonprofits in the age of AI. Panels dove into protecting critical cyber-physical systems from cyberattacks (with speakers from Dragos, Oak Ridge National Laboratory, and Lockheed Martin), privacy and digital forensics, smart sensing against physical AI attacks, and the AI-cybersecurity intersection.

The evening poster session showcases graduate student research — a window into what the next generation of security tooling looks like. 20+ talks across two days, with an audience that mixes faculty, PhD researchers, industry R&D teams, and government partners.

Best for: R&D-focused security professionals, academics, CTOs interested in security research at the frontier of academia and industry.

Registration: cerias.purdue.edu

 

IEEE Symposium on Security and Privacy

San Francisco, CA | May 18 - 21

One of the four top-tier academic security conferences (alongside USENIX Security, ACM CCS, and NDSS). Three days of peer-reviewed research presentations, plus a workshop day (May 21) featuring early-stage work on specialized topics — the 2026 workshops include metascience and critical reflections in security research.

Papers presented here set the agenda for the field: new attack classes, new formal verification methods, new approaches to cryptographic protocol design.

The research tends to become industry practice within one to two years — to understand what defense tooling will look like in 2028, the talks here are where it starts.

Best for: security researchers, R&D engineers, CTOs tracking where the field is heading before it gets productized.

Registration: sp2026.ieee-security.org

 

NICE Conference & Expo

Philadelphia, PA | June 1 - 3

Focused entirely on cybersecurity workforce development — how to build hiring pipelines, design training programs, retain talent, and create pathways for underrepresented groups to enter security. Speakers come from education, government agencies, industry, and nonprofits.

For teams struggling to fill open headcount or retain talent, this conference addresses the operational problem that most security events skip.

Best for: CISOs building security teams, HR leaders in tech, cybersecurity educators, workforce development program managers.

Registration: nist.gov/nice/conference

 

Hacker Summer Camp: Black Hat USA + DEF CON 34 + BSides Las Vegas

Las Vegas, NV | August 1 - 9

Three events, one week. Black Hat (Aug 1 - 6): four days of training on topics like advanced red teaming, cloud exploitation, and malware analysis, followed by two days of research briefings where new vulnerabilities and defense techniques get their first public disclosure.

Speakers include researchers from Google Project Zero, Microsoft, and independent labs.

DEF CON 34 (Aug 6 - 9): organized around "villages" — dedicated spaces for IoT hacking, car hacking, lock-picking, social engineering, AI security, aerospace, and more. Attendees watch someone break into a car's CAN bus in one village and learn to pick a high-security lock in the next.

BSides LV runs alongside peer-reviewed community talks and a more collaborative, less corporate atmosphere. Experienced attendees do all three back to back.

Black Hat suits the best: enterprise security teams tracking emerging attack research.

DEF CON suits the best: researchers, red teamers, anyone who wants a hands-on attacker perspective.

BSides LV is best for: community networking, emerging speakers, collaborative workshops.

Registration: blackhat.com & defcon.org

 

USENIX Security Symposium

Baltimore, MD | August 12 - 14

One of the "Top 4" academic security venues. Peer-reviewed papers covering AI/ML security and privacy risks, vulnerability detection methodology, cryptographic weaknesses, system exploits, confidential computing, and production PKI.

In 2025, notable presentations included Bolor-Erdene Jagdagdorj on AI red teaming and societal risks, Shannon Egan on extending confidential computing for AI workloads, and Ross Smith IV from Meta on securing production PKI credentials. Proceedings are published and freely available online — the research published here filters into commercial security products and open-source tools within two to three years.

Best for: security researchers, R&D teams, academics, CTOs following the research that shapes tomorrow's tooling.

Registration: usenix.org/conference/usenixsecurity26

 

LASCON (Lonestar Application Security Conference)

Austin, TX | October 29 - 30

OWASP-associated conference that sold out in 2025 with 800+ attendees and 76 speakers across four parallel tracks. The CFP covers virtually any information security topic — AppSec, pentesting, career development, auditing, DevSecOps — and evaluates proposals blind (biography hidden during review). Past talks have covered OAuth2/OIDC security implementation, Electron app exploitation for RCE, open source dependency risks in hybrid development, and cloud computing security architecture. All talks are recorded and published on the LASCON YouTube channel.

The conference center is designed so hallway conversations happen naturally — speakers report that the "hallway-con" between sessions is as valuable as the talks themselves. Two days of pre-conference training (October 27 - 28) are sold separately.

Best for: web and mobile developers, security engineers, penetration testers, AppSec leads.

Registration: lascon.org

 

Wild West Hackin' Fest

Deadwood, South Dakota | October 2026

Pre-conference training (October 6 - 7) by Antisyphon Training — founded by SANS instructor John Strand, whose courses regularly fill up at SANS events but run here in a smaller, more accessible setting. The conference itself mixes technical talks, workshops, and hands-on exercises. Past topics span ethical hacking, blue team operations, malware analysis, threat hunting, and SOC workflows.

The setting — a frontier town in the Black Hills of South Dakota — creates an atmosphere where speakers hang around after their talks and conversations continue at the saloon next door. Content ranges from beginner to advanced, and the community is particularly welcoming to first-time attendees and speakers.

Best for: security practitioners building offensive and defensive skills, SOC analysts, anyone looking for hands-on technical content in a non-corporate atmosphere.

Registration: wildwesthackinfest.com

 

San Francisco Secure Software & AppSec Summit

San Francisco, CA | 2026 (date TBC)

Single-day, interactive format built around participation rather than passive listening. The audience votes live on propositions — should AppSec teams have blocking power over releases? Should AI agents be part of the security review process? — then debates the results in real time, then votes again to see if perspectives shifted.

Panel sessions cover shift-left implementation, managing accepted risk in engineering organizations that ship fast, automation vs. manual testing tradeoffs, and API security failures.

The keynote explores why APIs remain the #1 breach vector despite years of dedicated tooling and investment.

Best for: AppSec team leads and engineering managers who make security tradeoff decisions daily and want to benchmark their approach against peers.

Registration: clutchevents.co/events/san-francisco-appsec-devsecops-summit-2026

 

CanSecWest / Pwn2Own

Vancouver, Canada | 2026 (date TBC)

Home of Pwn2Own — the competition where researchers demonstrate working zero-day exploits against browsers, operating systems, enterprise software, and now automotive targets, for cash prizes that regularly reach six figures per exploit chain. The exploits demonstrated on stage get reported to vendors immediately, so the Pwn2Own results directly determine what gets patched in the following weeks.

The conference itself is small and technical — talks focus on novel exploitation techniques, defense research, and the state of platform security. The audience is people who break software professionally.

Best for: vulnerability researchers, exploit developers, security teams that track zero-day trends.

Registration: cansecwest.com

 

Ekoparty

Buenos Aires, Argentina + Miami, FL | 2026

Latin America's largest security conference — and in 2026 it's expanding to the US with a first Miami edition (May 21 - 22). The Buenos Aires event features 250+ talks, workshops, and hands-on activities covering offensive security, reverse engineering, exploit development, hardware hacking, and privacy research. The community has its own app (Hacker Tracker) for navigating the parallel tracks.

Ekoparty grew out of the Argentine hacker scene and retains that energy — the talks are technically aggressive, the CTF is competitive, and the hallway conversations are in Spanish and English.

Best for: security researchers, offensive security practitioners, anyone connected to Latin American markets or the LATAM hacker community.

Registration: ekoparty.org

 

SecurityWeek CISO Forum Q2 Update

Online | 2026

Two-hour online roundtable where senior cybersecurity leaders debrief on Q1 — what actually happened, what's shifting, and what to prepare for in Q2. The format is peer-driven discussion, not a passive webinar. Useful for calibrating thinking against how other CISOs are reading the current threat landscape, handling AI governance questions, or dealing with board communication challenges — without committing two days and a flight.

Best for: CISOs and senior security leaders who want a strategic check-in without leaving the office.

Registration: register.securityweek.com/ciso-forum-2026-q2

 

Asia-Pacific

Nullcon Goa

Goa, India | February 25 - March 4

The 16th edition — and the biggest yet, expecting 3,000+ security researchers, hackers, and defenders. Training runs in two batches (Feb 25 - 27 and March 2 - 4), conference days are February 28 - March 1.

New in 2026: Day Zero (February 27), an invite-only leadership forum at BITS Pilani Goa Campus, directly mapped to the conference's technical tracks.

Day Zero speakers include Lt. Gen. (Retd.) Rajesh Pant (former National Cybersecurity Coordinator of India), Sanjay Bahl (Director General of CERT-In), Durga Prasad Dube (Global CISO of Reliance Industries), and Abhishek Singh (Additional Secretary, Ministry of Electronics and IT). Sessions cover structuring security functions across the three lines of defense, quantifying cyber risk in financial terms, CISO burnout as an operational risk, and India's DPDP Act compliance with 72-hour breach response planning.

The main conference features live bug hunting, CTF, a CXO track, and research talks on offensive and defensive security — vulnerability discovery, exploit development, AI security, cloud and infrastructure security.

Best for: security researchers, penetration testers, CISOs and CTOs (via Day Zero), anyone working in or with the Indian and South Asian security ecosystem.

Registration: nullcon.net/goa-2026

 

AppSec & DevSecOps Sydney

Sydney, Australia | February 2026

Co-located with CISO Sydney, Cloud Security, and OT Security events. Sessions cover measuring AppSec program effectiveness, building developer security culture that sticks, securing CI/CD pipelines, and supply chain security.

The format leans toward case studies and roundtables rather than keynote lectures — attendees discuss how they solved specific problems in their environments. ISACA Sydney partnership means CPE credits. The audience skews senior: heads of engineering, AppSec leads, security architects from Australian enterprises.

Best for: AppSec leads, DevSecOps managers, engineering directors in the APAC region.

Registration: appsec-devsecops-syd.coriniumintelligence.com

 

Black Hat Asia

Singapore | April 21 - 24

APAC edition of Black Hat. Training sessions in the first days, followed by research briefings calibrated to the regional threat landscape — attack patterns, regulatory changes, and threat actors operating in Asia-Pacific. Speakers present original vulnerability research and defense techniques relevant to APAC organizations.

The training catalog typically includes courses on cloud exploitation, web application testing, mobile security, and red team operations adapted to the regional environment.

Best for: security teams operating in APAC who need region-specific threat intelligence and hands-on training.

Registration: blackhat.com/asia-26/

 

CISO 360 Asia & Oceania

Singapore | May 13 - 14

All sessions run under Chatham House rules. Attendees are CISOs from Singapore, Malaysia, Australia, New Zealand, the Philippines, and beyond.

The format mixes keynotes, scenario exercises, debates, and curated networking at lunches and evening events. In 2025, the discussions centered on emerging threats specific to APAC — cross-border data regulation, supply chain risks in regional manufacturing, and zero trust implementation in organizations with operations spread across multiple regulatory jurisdictions.

Designed by CISOs, structured around the problems they actually face in the region.

Best for: CISOs and senior security leaders operating across Asia-Pacific.

Registration: pulseconferences.com/conference/5th-ciso-360-asia-oceania/

 

CodeSecCon

Online | August 12

SecurityWeek's online event dedicated to secure software development. Sessions in 2025 covered bridging the gap between security and development teams, reducing vulnerability backlogs at scale, and building DevSecOps culture that engineering organizations actually adopt rather than resist.

The format is designed for people who write or review code — talks focus on practical implementation rather than strategic overview. Recordings are typically available after the event.

Best for: developers, security engineers, DevSecOps practitioners focused on code-level security.

Registration: register.securityweek.com/codeseccon

 

Cyber Security World Asia

Singapore | September 2026

Part of Tech Week Singapore at Marina Bay Sands. Sessions cover cloud security architecture, data protection strategy, network defense, and critical infrastructure resilience. Co-located with AI and cloud computing expos, which makes it efficient for teams whose security work spans multiple technology domains. Registration is open to qualifying professionals at no cost.

Best for: enterprise security teams and vendors operating in or expanding into Southeast Asian markets.

Registration: cybersecurityworldasia.com

 

SecurityWeek Attack Surface Management Summit

Online | September 16

Dedicated to the specific challenge of managing external attack surfaces — asset discovery, shadow IT, unmanaged cloud exposure, third-party risk, and how organizations are adapting to environments that grow and change faster than any team can inventory manually. The discussions focus on what's working in practice: which discovery approaches actually find the things that matter, how teams prioritize what to fix when everything is exposed, and where automation helps vs. where it generates noise.

Best for: security operations teams, vulnerability management leads, CISOs managing uncontrolled exposure growth.

Registration: securitysummits.com/event/attack-surface-management-summit/ 

 

SecurityWeek Cyber AI & Automation Summit

Online | December 8

Focused on where AI and automation are delivering real results in security operations — and where the gap between marketing promises and operational reality remains wide. Sessions cover detection engineering with ML, automated incident response workflows, AI-assisted threat hunting, and the practical challenges of deploying AI tooling in a SOC.

The format encourages debate between practitioners who've actually shipped these systems.

Best for: security operations teams evaluating AI tooling, automation engineers, CISOs making build-vs-buy decisions on AI capabilities.

Registration: securitysummits.com/event/cyber-ai-automation-summit/

 

Sydney Secure Software & AppSec Summit

Sydney, Australia | 2026 (date TBC)

Interactive format: the audience votes live on propositions about AppSec team structure, ownership boundaries, and AI's role in security operations, then debates the results in real time, then votes again to see what shifted.

Panel sessions dig into why APIs remain the leading breach vector despite years of dedicated tooling, how engineering teams manage accepted risk without losing track of what they've accepted, and where automation actually replaces manual testing vs. where it creates false confidence.

Best for: AppSec leads, DevSecOps practitioners, engineering managers in Australia.

Registration: clutchevents.co/events/sydney-appsec-and-devsecops-summit-2026

 

Melbourne AppSec & DevSecOps Summit

Melbourne, Australia | 2026 (date TBC)

Same interactive format as the Sydney edition. Roundtable topics are selected by attendees on the day, so sessions track what the room actually needs to discuss rather than what was programmed months in advance.

Sessions in previous editions covered AI agents in development pipelines, accepted risk management frameworks, and API breach pattern analysis.

Best for: security and engineering leaders in Melbourne/Victoria, product security managers.

Registration: clutchevents.co/events/melbourne-appsec-and-devsecops-summit-2026

 

DevSecOps Live Online Meetups

Online | Ongoing

Run by Practical DevSecOps. Topics rotate through supply chain security, Kubernetes hardening, automated testing with OWASP ZAP, and AI in security workflows. The sessions include browser-based labs — attendees practice tools hands-on during the meetup rather than watching a demo.

Past speakers have included heads of product security at global fintechs and DevSecOps leads from enterprise organizations. No cost, no registration barrier, recordings available.

Best for: practitioners building DevSecOps skills, security engineers looking to stay current on tooling and techniques.

Registration: practical-devsecops.com/devsecops-live-online-meetup/

 

Industry-Specific Events

Most cybersecurity calendars stop at general-purpose conferences. But the threats facing a hospital network, a vehicle manufacturer, a shipping fleet, or a bank are domain-specific — and so are the regulations, the attack surfaces, and the peer conversations that matter.

 

Financial Services

FS-ISAC Americas Spring Summit

Orlando, FL | March 1 - 4

Three tracks: Intelligence, Security, and Resilience. The 2026 theme: "Fortifying Our Trusted Ecosystem." On March 1, a separate half-day tabletop exercise simulates a disruption to undersea communications cables — participants work through business continuity, systemic risk assessment, and cross-firm collaboration under time pressure.

The main program runs March 2 - 4 with presentations, workshops, and panels. Content is member-driven: speakers are practitioners from financial institutions sharing operational experience, not vendors pitching products.

The event also runs a FinCyber Today Canada edition (Toronto, April 13 - 14) and an APAC summit later in the year.

Best for: CISOs, threat intelligence analysts, incident response leads, and business continuity managers at banks, insurers, fintechs, and payment processors.

Registration: fsisac.com/events/2026-americas-spring-summit

 

FS-ISAC EMEA Summit

The Hague, Netherlands | June 15 - 18

European edition, same three-track structure. Speakers include CISOs from major European banks and former intelligence agency leaders — the 2025 program featured the former Director of Cyber at Swift and CISOs from ING and American Express.

Sessions address DORA compliance, NIS2 implications for financial infrastructure, cross-border data flows, and the specific threat actors and fraud techniques targeting European financial institutions.

Best for: financial sector security professionals operating in EMEA.

Registration: fsisac.com/events/2026-emea-summit

 

CSA FinCloud Security Summit

Online | March 6

One-day online summit by the Cloud Security Alliance. Sessions cover secure cloud adoption in banking, AI-driven analytics for fraud detection, regulatory compliance for cloud-hosted financial data, and Zero Trust architecture applied to financial infrastructure. No attendance cost.

Best for: cloud architects, compliance leads, and CISOs at financial institutions navigating cloud migration.

Registration: cloudsecurityalliance.org 

 

Healthcare

HIMSS Global Health Conference

Las Vegas, NV | March 8 - 12

A full-day Healthcare Cybersecurity Forum runs on March 9, with 49 cybersecurity sessions spread across the rest of the week. The FBI presents on industrial espionage targeting healthcare; UC San Diego researchers present ransomware recovery case studies; SANS runs an Executive Cyber Exercise and a Healthcare NetWars Cyber Range on the expo floor.

Sessions cover zero trust in hospital networks, IoMT microsegmentation (with original HIMSS/Elisity market research), OT security for clinical environments, HIPAA compliance updates, AI-driven threats to health systems, and cyber insurance trends. About one-third of attendees hold C-suite positions.

Best for: healthcare CISOs, health IT security teams, medical device security engineers, compliance officers.

Registration: himssconference.com

 

HealthSec Summit USA

Boston, MA | June 9 - 10

Exclusive summit for cybersecurity and health IT leaders from hospitals, health plans, medical device manufacturers, and life sciences companies. Sessions in previous years covered communicating cyber risk to hospital boards, defending against social engineering in clinical settings, and building resilience plans where system downtime directly affects patient safety.

Speakers include CISOs from health networks and life sciences companies sharing implementation stories from their own organizations.

Best for: CISOs and IT directors at healthcare organizations, health plans, and life sciences companies.

Registration: healthsec.cs4ca.com

 

Automotive

escar USA (Embedded Security in Cars)

USA | May 19 - 21

Running since 2003 across Europe, USA, and Asia. The program brings together OEMs, Tier 1/2 suppliers, academia, and government agencies (NHTSA, DHS, DoD) to work through in-vehicle cybersecurity challenges: secure V2X communication, electronic theft protection, post-quantum cryptography migration for vehicle systems, and the cybersecurity implications of software-defined vehicles.

The format emphasizes cross-supply-chain collaboration — security decisions at the component level cascade through the entire vehicle architecture. Welcome reception on May 19, presentations on May 20 - 21.

Best for: automotive security engineers, embedded systems developers, product security teams at OEMs and suppliers.

Registration: escar.info/escar-usa/

 

Automotive Cybersecurity Summit (Automotive IQ)

Ann Arbor, Michigan | 2026

Technical conference covering ISO/SAE 21434 and UN R155/R156 compliance in practice, post-quantum cryptography readiness for vehicles, AI-driven attack detection on in-vehicle networks, SBOM and HBOM management for automotive software, and securing software-defined vehicle architectures. Speakers include technical fellows from major OEMs.

The 2025 audience spanned product/vehicle security, IT/OT security, manufacturing security, and embedded security professionals.

Best for: vehicle security engineers, automotive regulatory compliance teams, AppSec professionals working on automotive software.

Registration: automotive-iq.com/events-automotive-cybersecurity

 

VDI Cyber Security for Vehicles

Munich, Germany | June 9 - 10

Organized by VDI (Association of German Engineers). Sessions cover technical challenges in automotive security, European regulatory compliance (CRA, UN R155/R156), secure OTA update architectures, and intrusion detection for in-vehicle networks. The audience: professionals and executives from OEMs, Tier-1 and Tier-2 suppliers, and IT/software companies working in the European automotive ecosystem.

Best for: automotive security professionals operating in or selling to the European market.

Registration: vdiconference.com/automotive-training/cyber-security-for-vehicles/

 

ICS/OT

S4x26

Miami, FL | February 23 - 26

Three stages, 1,000+ attendees. The program assumes attendees already know ICS/OT security fundamentals and goes straight to leading-edge work: NIS2 and CRA practical implementation challenges, AI in industrial detection and response, and new research on OT protocol vulnerabilities. Keynote on Day 2 by John Hultquist (Mandiant/Google). Sector-specific "Birds of a Feather" meetups run for Manufacturing, Electric, and Oil & Gas — 2.5-hour sessions where practitioners from the same industry compare approaches. The

Day 2 afternoon Cabana Sessions move the conversation poolside for informal peer exchange. The event also runs a fundraiser to build clean water infrastructure — a reminder that critical infrastructure security starts with actual infrastructure.

Best for: OT security leads, ICS engineers, critical infrastructure defenders working at the leading edge.

Registration: s4xevents.com

 

SANS ICS Security Summit

Orlando, FL | May - June 2026

Summit sessions feature case studies and original research from ICS security practitioners, led by SANS Fellows including Tim Conway (co-author of ICS456, ICS310, ICS612) and Robert M. Lee (Dragos CEO, author of ICS515). Content spans introductory ICS/OT security concepts through advanced detection, response, and forensics.

Optional multi-day SANS training courses follow the summit — the combination of summit insights and hands-on course work is what attendees consistently rate highest.

The 2026 edition runs at Disney in Orlando, with discounted park tickets available for attendees traveling with families.

Best for: ICS/OT security professionals from foundational to advanced level.

Registration: sans.org/cyber-security-training-events/ics-security-summit-2026

 

ISA OT Cybersecurity Summit

Prague, Czech Republic | June 18 - 19

Focused on ISA/IEC 62443 standards and conformance, supply chain security for industrial environments, and IoT cybersecurity in manufacturing and energy. Sessions cover leveraging AI and predictive analytics for OT threat detection while maintaining standards compliance.

Post-summit training covers assessing cybersecurity of industrial automation and control systems (IACS). Speakers are OT-centric practitioners and standards committee members.

Best for: OT security professionals working with ISA/IEC 62443, industrial automation engineers, compliance teams in manufacturing and energy.

Registration: otcs.isa.org

 

Maritime

Maritime Risk Symposium

Pasadena, TX (Houston area) | June 2 - 3

The entire first day is dedicated to cybersecurity and AI in the maritime sector. Panels cover shipboard system vulnerabilities, port OT security (SCADA systems, dynamic positioning), new US Coast Guard cyber rules, adversarial AI targeting vessel control systems, and regulatory compliance under IMO MSC.428 and IACS UR E26/E27.

Speakers from Coast Guard, Texas Cyber Command, port operators, shipping company security teams, and academic researchers. Day 2 broadens into maritime risk more generally.

Best for: maritime security professionals, port operators, shipping company CISOs, Coast Guard and government cyber personnel.

Registration: maritimerisksymposium.org

 

Maritime Security West

San Diego, CA | August 31 - September 2

Brings together DoD, DHS, port authorities, state and local law enforcement, and private maritime industry. An OT Cybersecurity Roundtable specifically addresses protecting port operational technologies — SCADA systems, access control, surveillance networks. Other sessions cover unmanned systems security, maritime domain awareness, and US Coast Guard Cyber Command updates.

Exhibitors are integrated into the full program — access to sessions, workshops, meals, and networking, rather than being cordoned off in an expo hall.

Best for: port security directors, maritime OT teams, government agencies covering maritime critical infrastructure.

Registration: marsecwest.com

 

Government / Defense

ENISA Cybersecurity Standardisation Conference

Brussels, Belgium | March 12

Organized jointly by CEN, CENELEC, ETSI, and ENISA. The 2026 edition — the 10th — focuses on where EU standardisation stands in the global ecosystem, the impact of new legislation on standards development, and the journey toward CRA harmonisation.

Panelists include representatives from ETSI, ENISA, CEN-CENELEC, and the European Commission. The session on CRA standards features speakers from ANSSI (France), BSI (Germany), and the Open Source Initiative discussing how open-source projects handle CRA compliance. The LENS — ENISA's cybersecurity standards observatory — gets its official presentation. Hybrid format (on-site + online).

Best for: compliance officers, product security teams navigating CRA/NIS2/Cyber Solidarity Act, standards committee participants, legal and policy professionals.

Registration: enisa.europa.eu/cybersecurity_standardisation_2026

 

ENISA European Cybersecurity Certification Conference

Ayia Napa, Cyprus | April 2026

Organized under the Cyprus Presidency of the EU Council. Sessions cover the evolution of EU cybersecurity certification schemes — including the EUDI Wallet certification and the new Managed Security Services scheme — and how CRA, NIS2, and the Cyber Solidarity Act interact from a certification perspective.

Speakers include ENISA certification leads, ANSSI (France), BSI (Germany), and national accreditation bodies from across the EU debating how to scale certification capacity across member states through 2028. Hybrid format.

Best for: product security and certification teams, CRA compliance managers, conformity assessment bodies, national cybersecurity authorities.

Registration: enisa.europa.eu/events/2026-european-cybersecurity-certification-conference

 

International Conference on the EU Cyber Security and Resilience Acts

Brussels, Belgium | March 24 - 26

Multi-track conference with deep technical and policy sessions on CRA implementation. The 2026 agenda includes Anna Prudnikova (Bureau Veritas) on ICS under the Cyber Resilience Act, sessions on Linux kernel security assessment for CRA compliance, IEC 62443 secure development aligned with CRA requirements, IoT certification schemes for basic products, and panel discussions on CRA standardisation with speakers from ETSI, the Open Source Initiative, and Deutsche Telekom.

The opening keynote is by Thomas Caspers (Vice President of BSI Germany). The only conference entirely dedicated to the practical implementation of the CRA and related EU acts.

Best for: product security engineers, CRA compliance leads, open-source project maintainers affected by EU regulation, legal teams tracking EU cybersecurity legislation.

Registration: eucyberact.org

 

ENISA Telecom and Digital Infrastructure Security Forum

Paphos, Cyprus | May 7

Organized under the Cyprus EU Presidency. Brings together EU telecom regulators, 5G security experts from the NIS Cooperation Group, and industry specialists to discuss espionage in telecom networks, resilience of subsea cables, and security of emerging telecom infrastructure.

The forum operates under a no-streaming, no-recording policy — the discussions are frank and operational. Part of the ECASEC working group framework that has connected national telecom security authorities since 2010.

Best for: telecom security specialists, national regulatory authority staff, 5G security practitioners, digital infrastructure operators.

Registration: enisa.europa.eu/events/enisa-telecom-and-digital-infrastructure-security-forum-2026

 

Billington CyberSecurity Summit

Washington, D.C. | 2026 (date TBC)

The attendance list reads like a directory of federal cybersecurity leadership. The 2025 lineup included Lt. Gen. Paul T. Stanton (Commander of DISA) and Richard Horne (CEO of the UK's National Cyber Security Centre). Sessions cover national cyber resilience strategy, defense cyber operations, critical infrastructure protection, AI in government security, and cybersecurity workforce development at the federal level.

The event bridges government, military, and the private-sector companies that work alongside them.

Best for: government and defense cybersecurity leaders, federal contractors, vendors working with government agencies.

Registration: billingtoncybersecurity.com