Comprehensive Security Conference Talks & Research Guide

A practitioner’s reference for the global security conference circuit — where research is published, which venues matter for which subject areas, how to pick talks, and how to submit your own. Compiled from 35 research sources in raw/Talks/.


Table of Contents

  1. Fundamentals: Why Conferences Matter
  2. The Major Conferences
  3. Regional & Community Conferences
  4. Academic & Research Venues
  5. OWASP Ecosystem
  6. Industry-Specific Events
  7. Notable Research Areas & Talk Themes
  8. Trend Timeline (2020-2026)
  9. Key Researchers & Speakers to Follow
  10. CTFs, Villages & Workshops
  11. CFP Process & Speaker Track
  12. Recordings, Slides & Archives
  13. Attendee Planning Playbook
  14. Quick Reference: Calendar by Month
  15. Further Reading

1. Fundamentals: Why Conferences Matter

Security conferences are the primary publication venue for offensive research, new tooling, and post-incident retrospectives that don’t fit the academic paper format. Unlike peer-reviewed journals, conference talks serve four roles simultaneously:

| Role | Description | Example venue |
|---|---|---|
| Research disclosure | First public drop of a 0-day, technique, or tooling | Black Hat USA Briefings, OffensiveCon |
| Community knowledge transfer | Practitioners teaching practitioners | BSides, OWASP chapters |
| Industry marketing | Vendor announcements, product launches, analyst briefings | RSA Conference, Infosecurity Europe |
| Networking and recruiting | Hallway track, villages, afterparties | DEF CON, Troopers |

Rule of thumb: If you want to publish breaker work, target Black Hat / DEF CON / OffensiveCon / USENIX Security. If you want to publish builder work, target OWASP Global AppSec, QCon, or NDC Security. If you want academic credibility, target IEEE S&P, NDSS, USENIX Security, CCS, or ACSAC.

Three classes of event:

| Class | Description | Example |
|---|---|---|
| Industry mega-conference | 10k+ attendees, expo hall dominates | RSAC, Black Hat, Infosecurity Europe |
| Hacker/research con | Technical single/dual track, small venue, deep Q&A | OffensiveCon, Troopers, Area41 |
| Community con | Volunteer-run, pay-what-you-can, local | BSides (any city), OWASP chapter meetups |

2. The Major Conferences

Black Hat USA

When/where: Early August, Mandalay Bay Convention Center, Las Vegas. Attendance: ~20,000. Format: 4 days of Trainings → Summit Day → 2 days of Briefings + Arsenal + Business Hall. URL: blackhat.com

Black Hat USA is the closest thing the industry has to a flagship research disclosure venue. It sits at the intersection of enterprise cybersecurity and offensive research. Passes are expensive (Trainings can run $5k-$8k, Briefings passes $2k+), and the audience skews enterprise — CISOs, vendor engineers, consultants.

Key components:

  • Trainings — 2 or 4-day hands-on courses. Often the highest-value portion of the conference for practitioners; topics range from Active Directory attack paths to iOS exploitation to cloud red teaming.
  • Briefings — The main 50-minute research talks. All Briefings passes include 30 days of on-demand recording access.
  • Arsenal — Open-source tools demoed by their creators. Historically where tools like BloodHound, Burp extensions, and Metasploit modules first appeared.
  • Summits — Topic-specific sub-conferences on Tuesday (AI Summit, CISO Summit, Supply Chain Summit, Industrial Controls Summit).
  • Business Hall — ~400 vendor booths, a dedicated AI startup area in recent years.

2024 highlights (from source articles): CrowdStrike outage retrospective and secure-by-design discussions, election security, generative AI dual-use (offense + defense), doxing and privacy research. Major vendor moves from Cisco, Fortinet, Infoblox, Wiz, Splunk.

2025 highlights: AI Summit expansion, Palo Alto Networks’ CyberArk acquisition dominated the floor, SentinelOne acquired Prompt Security, Noma Security raised $100M just before the event. AI red teaming emerged as the standard framing for testing AI model security. Startups coalesced around “Exposure Management.”

Gotcha: Business Pass Only, Virtual, and On-Demand passes do NOT qualify for the DEF CON ticket add-on — you must hold an in-person Briefings, Summit, or Trainings pass.

DEF CON

When/where: Immediately after Black Hat, Las Vegas Convention Center West Hall (recent years). Attendance: ~30,000. Format: 4 days of talks + villages + contests + parties. URL: defcon.org

DEF CON predates Black Hat and is still organized around the hacker ethos of “testing boundaries of systems.” Founded and run by Jeff Moss (“Dark Tangent”). Walk-up admission is cash-only, no badge photo, no real-name requirement.

DEF CON is organized around villages — topic-specific volunteer-run zones with their own talks, workshops, and CTFs. DEF CON 32 had 32 specialized villages including:

  • Aerospace Village
  • Telecom Village
  • Biohacking Village
  • Lockpicking Village
  • Hardware Hacking Village
  • Car Hacking Village
  • AI Village
  • ICS Village
  • Voting Village
  • Cloud Village
  • Packet Hacking Village
  • Red Team Village
  • Recon Village
  • Blue Team Village
  • Social Engineering Village
  • Crypto & Privacy Village

Tickets: When bought through Black Hat registration, DEF CON tickets are ~$540 (up from $480 in 2024). They’re non-refundable and non-transferable, and a “DEF CON symbol” is printed on the Black Hat badge. The badge is hole-punched at on-site pickup in the Mandalay Bay Ballroom Foyer on Thursday. Alternatively, pay cash at the door during the DEF CON ticket window.

Recent standout research from source material:

  • DEF CON 32 (2024): SquareX’s demonstration of 25 methods to bypass Secure Web Gateways via browser “last-mile reassembly” attacks. Real-time deepfake demos using DeepFaceLive. The AI Cyber Challenge (AIxCC) semi-final round — seven teams each got $2M and advanced to 2025 finals.
  • DEF CON 33 (2025): AIxCC final (DARPA/ARPA-H) concluded with a $4M first prize and $15M+ total prize pool. Event notable for Dark Tangent sharing a stage with retired General Paul Nakasone, signaling policy-sector engagement.

Black Hat + DEF CON Satellite Events (“Hacker Summer Camp”)

Running the same week in Las Vegas as “Security Summer Camp”:

  • BSides Las Vegas — community-run, accessible pricing, strong talks.
  • The Diana Initiative — focus on diversity in security.
  • Splunk AfterParty (and countless vendor parties).
  • Queercon, Goon Night, Hacker Jeopardy, DEF CON Shoot — culture events.

RSA Conference (RSAC)

When/where: Late April / early May, Moscone Center, San Francisco. Attendance: ~44,000 (2025). Format: Keynotes, tracks, Innovation Sandbox, expo hall.

Enterprise-heavy and vendor-heavy. Reference point for industry sentiment and M&A activity, less so for novel offensive research. If you need to understand budget-holder priorities for the year, RSAC is where that conversation happens.

USENIX Security Symposium

Academic-oriented research venue. Rigorous peer review, pre-prints archived on the USENIX site post-publication. Strong record on systems/crypto/measurement research.

IEEE Symposium on Security and Privacy (Oakland)

When/where: May, typically in the San Francisco Bay Area. URL: ieee-security.org/TC/SP2026

Arguably the top academic security venue. Accepts systems, crypto, formal methods, ML security, and measurement papers. Artifact evaluation track is rigorous — accepted papers typically come with reproducible artifacts.

NDSS (Network and Distributed System Security)

Top-tier academic venue run by the Internet Society. Strong on network protocol research, DNS, BGP, TLS, web security.

ACSAC (Annual Computer Security Applications Conference)

Run by: IEEE Computer Society. URL: acsac.org

Applied security research — the “applications” in the name matters. Industry + academia mix, more approachable than the top-4 academic venues, and accepts case study papers and artifact submissions. Strong venue for research with practical deployment stories.

CCS (ACM Conference on Computer and Communications Security)

The ACM top-tier security venue. Pairs with USENIX Security and IEEE S&P / NDSS as the “Big 4” academic security conferences.

Chaos Communication Congress (CCC / rC3)

Run by the Chaos Computer Club in Germany at the end of December. European hacker culture, strong on policy + privacy + hardware research. Recordings are published on media.ccc.de shortly after the event — one of the best free archives of security talks anywhere.

Troopers

When/where: Heidelberg, Germany (annual). Run by: ERNW. URL: troopers.de

Small, deep, technical. Venue (Print Media Academy) deliberately kept intimate so hallway conversations flow naturally. Historically strong on Active Directory, SAP security, IPv6 security, and network protocol analysis. Trainings are some of the most respected in Europe.

OffensiveCon

When/where: Berlin, Germany, typically mid-May. Format: Two days, single track. URL: offensivecon.org

Explicitly and exclusively offensive research: vulnerability discovery, exploit development, reverse engineering. Every talk goes through CFP committee dry-run sessions. The 2025 keynote from Perri Adams covered the future of AI in exploit development. BlackHoodie (a women-in-security initiative) ran a workshop on compiler internals. Ticket prices are kept deliberately low — one of the highest signal-per-dollar events on the calendar.


3. Regional & Community Conferences

North America

| Event | When/Where | Focus |
|---|---|---|
| AppSec California | January, Santa Monica | Builder-focused AppSec, DevSecOps |
| ShmooCon | January, Washington DC | East-coast hacker culture, policy + tech |
| Converge/BSides Detroit | Spring, Detroit | Midwest AppSec + DFIR |
| THOTCON | Spring, Chicago | Small hacker con |
| CactusCon | Spring, Phoenix | Southwest community |
| LASCON | Fall, Austin | Lonestar Application Security — OWASP Austin chapter’s flagship |
| DerbyCon (retired) / GrrCON | Fall, Michigan | Midwest research |
| SAINTCON | Fall, Utah | Community con |
| Kernelcon | Spring, Omaha | Low-level, offensive |
| GPSEC | Regional chapters | Executive-focused networking |

LASCON (Lonestar Application Security Conference) specifically deserves the call-out: OWASP Austin has been running it for over a decade, and the speaker roster rotates through serious AppSec practitioners with a training day ahead of the conference. lascon.org

AppSec California has been the launch point for a number of AppSec narratives — the “Security Phoenix” talk by Francesco Cipollone (NSC42) at AppSec California 2020 is a representative example of the venue’s appetite for DevSecOps maturity-model talks that don’t fit Black Hat’s Briefings format.

Europe

| Event | When/Where | Focus |
|---|---|---|
| FOSDEM | February, Brussels | Open source, includes a security devroom |
| OffensiveCon | May, Berlin | Offensive research (see section 2) |
| CYBERUK | April, Glasgow | NCSC flagship, public sector, 6 tracks |
| AppSec Israel | May, Tel Aviv | Largest AppSec con in Israel, 900-1000 attendees |
| CyberWiseCon Europe | May, Vilnius | AI threats, DevOps crossover (runs alongside DevDays, DevOps Pro) |
| CyCon | May, Tallinn | NATO CCDCOE — cyber conflict, international law, military strategy |
| Infosecurity Europe | June, London | Largest European expo/vendor floor |
| Area41 | Biennial, June, Zurich | Practitioner-driven, deep technical |
| OWASP Italy Day | June, Cagliari | AI security, APWG.EU co-located |
| Troopers | June, Heidelberg | See section 2 |
| NDC Security | Various European cities | Software-developer audience, AppSec focus |
| 44CON | September, London | UK’s longest-running hacker con |
| BruCON | October, Ghent | Belgian technical con |
| Hack.lu | October, Luxembourg | CIRCL-run, threat intel and research |
| HITB | Multiple | Regional deep-tech con |
| CCC Congress / rC3 | December, Germany | See section 2 |

Asia-Pacific

| Event | When/Where | Focus |
|---|---|---|
| Black Hat Asia | April, Singapore | APAC mirror of Black Hat USA |
| HITCON | July/August, Taipei | Taiwanese hacker con, strong CTF |
| CODE BLUE | October/November, Tokyo | Japanese offensive research |
| ROOTCON | October, Manila | Philippine hacker con |
| POC (Power of Community) | November, Seoul | Korean offensive con |
| Nullcon | March, Goa | Indian security con |

BSides (Global)

BSides is a franchise: any community can run a BSides as long as they follow the core guidelines (open CFP, community-driven, affordable). There are 100+ BSides events per year globally; the big ones are BSidesLV, BSides London, BSides SF, BSides Vancouver, BSides Munich, BSides Berlin.

BSidesLV is the Summer Camp community alternative to paid Black Hat. The CFP track is genuinely open, and the atmosphere is closer to DEF CON than Black Hat.


4. Academic & Research Venues

The “Big 4” academic security conferences:

| Venue | Scope | Acceptance rate | Style |
|---|---|---|---|
| IEEE S&P (Oakland) | Broad systems + ML + crypto | ~15% | Flagship, rigorous |
| USENIX Security | Systems, measurement, usable security | ~18% | Strong on applied work |
| ACM CCS | Broad, heavy crypto + systems | ~19% | ACM flagship |
| NDSS | Network + systems | ~16% | Internet Society, strong on network/DNS/TLS |

Second-tier strong venues:

  • ACSAC — applied, practitioner-friendly, accepts case studies
  • RAID — intrusion detection, malware
  • DIMVA — German IMVA sister to RAID
  • AsiaCCS — Asia-Pacific arm of CCS
  • WOOT (USENIX Workshop on Offensive Technologies) — co-located with USENIX Security, purely offensive research
  • SOUPS (Symposium on Usable Privacy and Security)
  • PETS / PoPETs (Privacy Enhancing Technologies Symposium)

Why academic venues matter to practitioners:

  1. Pre-prints and artifacts are public and permanent.
  2. Many industry-impactful techniques (Spectre/Meltdown, Heartbleed analysis, TLS vulnerabilities, side-channel attacks) first appeared at Oakland/USENIX Security.
  3. If you need a citation for a security architecture decision, these are where it lives.

5. OWASP Ecosystem

OWASP (Open Worldwide Application Security Project) runs a tiered event structure — global flagships, regional events, and local chapter meetups. All events lean “builder” (developers, AppSec engineers) more than “breaker.”

OWASP Global AppSec

Two flagships per year: one in North America, one in Europe.

  • Global AppSec USA 2025 — Washington, D.C. Flagship US event.
  • Global AppSec EU 2025 — Barcelona (CCIB), May 26-30, 2025. 700+ attendees. Six tracks: OWASP Projects, Builders, Developers, Breakers, Defenders, Manager/Culture. Strong GenAI Security Project presence with three dedicated sessions covering the project’s work on secure AI adoption, agentic security risks, and scaling community-driven initiatives.
  • Global AppSec 2026 — annual cycle continues.

OWASP Regional Events

  • OWASP BASC (Boston Application Security Conference) — community-run, open CFP.
  • OWASP Italy Day — Cagliari, June — two days (training + conference). 2025 included threat modeling for digital credentials and AI+blockchain sessions.
  • OWASP Netherlands Chapter Meetup — Amsterdam, April, evening meetups at Beyond Republica campus.
  • OWASP AppSec Days Developer Security Summit — developer-focused, virtual-friendly.
  • OWASP 25th Anniversary Virtual Conference (Feb 2026) — retrospective + community celebration, open CFP for speakers.

OWASP GenAI Security Project

Noted in source material as growing from zero to 10K+ members in under two years. OWASP’s fastest-growing sub-project and the primary home of the OWASP LLM Top 10 and emerging frameworks for agentic AI security. Key people: Scott Clinton (Board Member & Co-chair), John Sotiropoulos (Kainos, Agentic Security Initiative Co-lead).

OWASP Videos

OWASP maintains a public archive of recorded talks across all chapters and global events. This is the single largest free archive of AppSec content. Searchable by year, chapter, and project — check the OWASP YouTube channel and the chapter-specific pages.

OWASP Projects that Drive Conference Content

| Project | Relevance |
|---|---|
| OWASP Top 10 | Still cited at virtually every AppSec talk |
| OWASP ASVS | Application Security Verification Standard |
| OWASP MASVS / MAS | Mobile app security standard, training at Italy Day 2026 |
| OWASP SAMM | Software Assurance Maturity Model |
| OWASP LLM Top 10 | GenAI Security Project output |
| OWASP Nettacker | Automated vulnerability scanner, OWASP project spotlighted in chapter meetups |

6. Industry-Specific Events

Certain verticals have their own conference circuit that rarely overlaps with the mainstream:

| Industry | Events | Notes |
|---|---|---|
| Automotive | escar USA/EU, Auto-ISAC Summit | ECU/CAN/telematics/OTA research |
| Healthcare | HIMSS Cybersecurity Forum, H-ISAC | HIPAA, medical device, patient data |
| ICS/OT | S4 (Miami), SANS ICS Summit, Black Hat ICS Summit | SCADA, PLCs, critical infrastructure |
| Aerospace | Aerospace Village (DEF CON), Space ISAC Summit | Satellites, GPS, space systems |
| Financial | FS-ISAC Summits, FSISAC-co-hosted events | Fraud, payments, high-frequency infra |
| Maritime | MTS-ISAC, NMIO conferences | Port/vessel systems |
| Telecom | Telecom Village (DEF CON), MWC security tracks | SS7, Diameter, 5G core |
| AI/ML | The Elephant in AppSec, AI Village (DEF CON), MLSec Con | Model security, prompt injection, agents |

“The Elephant in AppSec” is an emerging virtual conference specifically focused on the AI/AppSec intersection, sitting in the space where OWASP LLM Top 10 meets traditional SAST/DAST tooling.

AI Agent Security Masterclass — source material references an “Attacking and Defending Autonomous AI Systems” masterclass by Abraham Aranguren and team, indicative of a new training track that didn’t exist before 2024.


7. Notable Research Areas & Talk Themes

The following are the dominant research themes observed across the source material, with the venues where each theme has the strongest historical presence.

7.1 AI / LLM / Agent Security

Dominant venue: DEF CON AI Village, Black Hat AI Summit, OWASP GenAI Security Project sessions, The Elephant in AppSec.

Hot sub-themes (2024-2026):

  • Prompt injection (direct + indirect, image-based, tool-call-based)
  • Agentic security — autonomous agents with tool use and long-running memory
  • AI red teaming standardization — the industry is coalescing around this as the canonical testing approach
  • Model supply chain — Hugging Face pickle deserialization, model poisoning
  • AIxCC (AI Cyber Challenge) — DARPA/ARPA-H competition for autonomous vulnerability discovery and patching. $29.5M total prize pool at DEF CON 32 semifinals, concluded with $4M first place and $15M+ total at DEF CON 33.
  • Slopsquatting — Kalle Sirkesalo (Eficode) at CyberWiseCon Europe 2026 on how AI coding tools inject malicious dependencies by exploiting naming habits.

7.2 Browser & Web Security

  • Secure Web Gateway bypass — SquareX’s DEF CON 32 talk demonstrating 25 methods for bypassing SWGs via “last-mile reassembly” attacks in the browser. Notable because LLMs make exploitation easier.
  • Browser-as-endpoint / governing the browser — emerging as a platform category, covered at Black Hat 2025.
  • Client-side supply chain — dependency confusion, CDN hijacking.

7.3 Cloud & Exposure Management

  • Exposure Management was the coalescing term at Black Hat 2025 (Wiz, Qualys, others rolled out offerings).
  • Cloud identity misconfiguration in hybrid environments — CyberWiseCon 2026 track.
  • Zero Trust deployment in legacy and SaaS stacks.

7.4 Offensive Research & Exploitation

  • OffensiveCon is the purest venue for this work.
  • Troopers covers Active Directory attack paths, SAP security, IPv6 network analysis, advanced pentest techniques.
  • Black Hat Briefings is where most novel exploitation research is disclosed publicly.

7.5 Mobile Security

  • Hacking Android and iOS Apps by Example — training by Abraham Aranguren, Abhishek J M, Aniruddha, representative of the hands-on mobile training circuit.
  • OWASP MAS (Mobile Application Security) — taught as a track at OWASP Italy Day 2026 Trainings.

7.6 DevSecOps & AppSec Maturity

  • “Security Phoenix” (Francesco Cipollone, AppSec California 2020) — representative AppSec California talk on DevSecOps evolution into DEV-SEC-OPS-BIZ-RISK-GOV. Covers maturity matrix, scanner triage, visibility problems, and the “cake and traceability problem.”
  • Shift-left is now table stakes; most 2025 talks focus on developer experience and signal-to-noise on scanner output.

7.7 Election & Public Sector Security

Election integrity was a dominant Black Hat 2024 theme due to the 2024 US presidential cycle. DEF CON’s Voting Village continues to produce annual public reports on voting machine security.

7.8 Deepfakes & Media Integrity

DEF CON 32 featured real-time deepfake demonstrations using DeepFaceLive to illustrate the detection asymmetry. Detection tooling remains behind generation capability.

7.9 Privacy, Doxing & OSINT

Black Hat 2024 featured research on personal information exposure reduction and both digital + physical privacy practices.

7.10 Cyber Policy, Norms & International Law

  • CyCon (Tallinn) — the canonical venue, run by NATO CCDCOE.
  • CCC / rC3 — strong on EU privacy and surveillance policy.
  • CYBERUK — UK government and public sector focus.

8. Trend Timeline (2020-2026)

Themes that dominated each year, synthesized from source material:

2020

  • Pandemic pivot — almost every conference went virtual or hybrid.
  • AppSec California 2020 — DevSecOps maturity, “Security Phoenix” style talks on moving past pure DEV-OPS into integrated security, business, risk, and governance.
  • CI/CD security emerges as its own track.

2021-2022

  • SolarWinds retrospectives — supply chain attacks become the dominant narrative post-2020.
  • Log4Shell (late 2021) — drives 2022’s Java / dependency security talks.
  • Kubernetes security matures as a track.
  • SBOM (Software Bill of Materials) enters the vocabulary at RSAC, Black Hat, and OWASP Global AppSec.

2023

  • LLM security emerges — ChatGPT-driven, prompt injection becomes a talk topic at DEF CON AI Village.
  • OWASP LLM Top 10 drafts.
  • Kubernetes, eBPF, and cloud-native dominate the builder side.

2024

  • AI everywhere — Black Hat 2024 has AI in roughly every track; the AI Summit launches.
  • CrowdStrike outage (July 2024) reframes talks around secure-by-design and cyber resilience.
  • Election security is the second biggest theme.
  • AIxCC semi-finals at DEF CON 32 ($2M per team, seven teams advance).
  • SquareX’s SWG bypass research at DEF CON 32.
  • Browser governance enters the platform conversation.

2025

  • AI red teaming becomes the coalescing term for model security testing.
  • Agentic security becomes its own sub-track (John Sotiropoulos, OWASP GenAI).
  • “Exposure Management” replaces “Attack Surface Management” in vendor language.
  • Palo Alto Networks acquires CyberArk (dominates Black Hat 2025 floor talk).
  • SentinelOne acquires Prompt Security.
  • Noma Security raises $100M just ahead of Black Hat.
  • GPT-5 disappointment shifts research attention toward neuro-symbolic AI and bounded-rationality approaches.
  • Quantum security remains relatively absent from show floors — prioritized as “important but not urgent” relative to AI.
  • AIxCC final at DEF CON 33, $4M first prize, $15M+ total.
  • OWASP GenAI Security Project crosses 10,000 members.

2026

  • Slopsquatting (CyberWiseCon Europe).
  • EU Cyber Resilience Act conformity automation (Iva Tasheva’s Confirmate tool).
  • OWASP 25th Anniversary Virtual Conference in February.
  • CYBERUK 10th anniversary (NCSC).
  • Black Hat USA 2026 continues the global startup competition format introduced in 2025.
  • Agentic AI SOC workflows dominate defender tracks.

9. Key Researchers & Speakers to Follow

Names surfaced across the source material — not an exhaustive list, but a reasonable starting set of people whose talks are worth tracking:

Conference organizers and long-time community figures

| Name | Role | Where |
|---|---|---|
| Jeff Moss (“Dark Tangent”) | Founder, DEF CON and Black Hat | Las Vegas |
| Perri Adams | OffensiveCon 2025 keynote — AI in exploit development | OffensiveCon |
| Scott Clinton | OWASP GenAI Security Project Board Member & Co-chair | OWASP Global AppSec |
| John Sotiropoulos | Head of AI Security at Kainos, Agentic Security Initiative Co-lead | OWASP Global AppSec |
| Vandana Verma Sehgal | OWASP Global Board, AI security trainer | OWASP Italy Day |
| Francesco Cipollone (@FrankSEC42) | NSC42, CSA UK Chair, DevSecOps researcher | AppSec California, UK community |
| Marco Morana | Field CISO, Avocado Systems; threat modeling | OWASP Italy Day |
| Abraham Aranguren | 7ASecurity, mobile + AI agent security trainer | Global circuit |
| Abhishek J M | Co-trainer, Android/iOS security | Global circuit |

Research analysts / journalists covering the circuit

  • Fernando Montenegro (The Futurum Group, VP Cybersecurity & Resilience) — publishes annual Black Hat/DEF CON recaps.
  • Splunk SURGe Security Research Team — publishes the Threat Hunter’s Cookbook, runs research programs aligned with Black Hat.

Independent consultancies producing public research

  • ERNW — runs Troopers, publishes Active Directory and IPv6 research.
  • NCC Group, Trail of Bits, Doyensec, GitHub Security Lab, Google Project Zero — regular Black Hat / OffensiveCon speakers (not directly in source material but industry-standard).

Community initiatives

  • BlackHoodie — women-in-security reverse engineering initiative, runs workshops at OffensiveCon and other European venues.
  • The Diana Initiative — runs alongside Hacker Summer Camp, diversity in security focus.

10. CTFs, Villages & Workshops

Capture the Flag Competitions

CTFs are the primary hands-on learning format at hacker cons. Major CTFs:

| CTF | Venue | Format |
|---|---|---|
| DEF CON CTF Finals | DEF CON | Qualifiers worldwide + finals at DEF CON. The world championship of jeopardy + attack/defense CTF. |
| DEF CON Village CTFs | DEF CON villages | Each village runs its own — Car Hacking, Aerospace, IoT, Red Team, etc. |
| HITCON CTF | HITCON Taipei | Strong Asia CTF, qualifier for DEF CON finals historically. |
| AIxCC Final | DEF CON | Autonomous cyber reasoning systems, $15M+ total prizes (DARPA/ARPA-H). |
| CSAW CTF | NYU, multi-site | Academic, entry-friendly. |
| BSidesSF CTF | BSides SF | Community CTF, beginner-friendly. |
| Google CTF, Facebook CTF | Online + in-person finals | Corporate-run, strong problems. |

Villages (DEF CON and elsewhere)

Villages are the best place at DEF CON for hands-on practical learning. Each village has its own schedule separate from the main con.

| Village | Focus |
|---|---|
| Hardware Hacking Village | Soldering, chip-off, JTAG, glitching |
| Lockpicking Village | Physical security |
| Car Hacking Village | CAN bus, ECUs, infotainment |
| Aerospace Village | Avionics, satellite, GPS |
| ICS Village | Critical infrastructure, SCADA |
| Voting Village | Voting machine analysis |
| AI Village | Prompt injection, model attacks, ML red teaming |
| Biohacking Village | Medical devices, bioinformatics |
| Social Engineering Village | Vishing contests |
| Packet Hacking Village | Wall of Sheep, CTFs |
| Red Team Village | Offensive skill-building |
| Blue Team Village | Defender skill-building |
| Recon Village | OSINT |

Workshops & Trainings

Most major conferences offer paid training days before the main event:

  • Black Hat Trainings — 2 or 4 days, typically $4k-$8k, highest budget tier.
  • Troopers Trainings — deeply respected, AD/SAP/protocol focus.
  • OffensiveCon Trainings — low-price philosophy, hands-on offensive.
  • SANS (adjacent circuit) — runs training tracks at many conferences under its own brand.
  • OWASP Global AppSec Trainings — builder-focused, DevSecOps, threat modeling, secure code review.
  • 7ASecurity’s Hacking Android and iOS Apps by Example — traveling training on the community circuit.

11. CFP Process & Speaker Track

CFP basics

Most conferences open a Call for Papers / Call for Presentations (CFP) 4-9 months before the event. A competitive CFP submission has these elements:

| Field | What to write |
|---|---|
| Title | Clear, specific, no clickbait. Max ~80 chars. |
| Abstract (public) | 150-300 words. What, why, so-what. Goes in the program if accepted. |
| Detailed outline (reviewers only) | Section-by-section, with timings. This is where you win or lose the review. |
| Novelty statement | What’s new here? Compare to prior work. |
| Demo / PoC | Do you have working code? Will you release it? |
| Speaker bio | 1-2 paragraphs, prior talks, credibility. |
| A/V and hardware needs | Flag anything unusual (live hardware, RF, etc). |

Which CFPs are competitive

| Tier | Venues | Acceptance rate (approx) |
|---|---|---|
| Most competitive | Black Hat USA, USENIX Security, IEEE S&P | 10-18% |
| Very competitive | DEF CON main track, OffensiveCon, NDSS, CCS | 15-25% |
| Competitive | Black Hat EU/Asia, Troopers, OWASP Global AppSec, RSA | 25-40% |
| Accessible | BSides (most), OWASP chapter meetups, LASCON, regional | 40-70% |
| Open | Most village CFPs, community BSides | 60-90% |

CFPs currently referenced in source material

  • OWASP 25th Anniversary Virtual Conference (Feb 2026) — CFP open for speakers.
  • OWASP BASC 2026 — Call for Speakers open.
  • OWASP Global AppSec USA 2025 (Washington, D.C.) — CFP (now closed).
  • OffensiveCon — CFP opens winter, closes early spring, requires committee dry-run before final acceptance.
  • Black Hat USA — CFP opens around February, closes ~April for August event.

Private / invite-only presentations

Source material includes a “Private Presentation” reference — some venues use closed-door tracks:

  • CISO Tracks at CYBERUK, Black Hat, RSAC — invite-only, designed for executive candid conversations.
  • Vendor CAB (Customer Advisory Board) sessions — not technically public talks but produce influential output.
  • Closed bug-bounty LiveHack events (H1-XXX, Bugcrowd Levels) — disclosed work often ends up at conferences later.

Speaker economics

  • Black Hat typically comps passes and travel support for Briefings speakers (but historically does not pay honoraria).
  • DEF CON traditionally does not comp travel — speakers are expected to be there anyway.
  • OWASP Global AppSec comps conference passes and sometimes travel for keynotes.
  • OffensiveCon keeps ticket prices low partly because speakers are largely volunteering their work.
  • Academic venues (USENIX, IEEE S&P, NDSS) don’t pay speakers; the publication itself is the payment.

12. Recordings, Slides & Archives

Where to find the material after the event:

| Venue | Archive |
|---|---|
| Black Hat | blackhat.com/html/archives.html — PDFs of slides + whitepapers, plus YouTube channel for recent videos. On-demand access for 30 days included with Briefings pass. |
| DEF CON | media.defcon.org — full video, slides, and whitepaper archive by year. One of the best free archives online. |
| USENIX | usenix.org/conferences — papers, videos, artifacts all free post-publication. |
| IEEE S&P / Oakland | Papers on ieee-security.org; videos on the IEEE Computer Society YouTube channel. |
| NDSS | Papers and videos on ndss-symposium.org. |
| ACSAC | Full proceedings and videos on acsac.org. |
| OWASP | OWASP YouTube channel + chapter-specific playlists. Global AppSec recordings published 2-4 weeks post-event. |
| CCC / rC3 | media.ccc.de — the gold standard for free conference video archives, includes historical talks back to 1984. |
| OffensiveCon | YouTube channel with most talks from 2018 onward. |
| Troopers | YouTube channel with talks + some trainings. |
| InfoCon.org | Community-maintained mirror across many conferences. |

Finding specific talks

  • YouTube search with the conference name + year works for most modern cons.
  • Sched.com hosts the program for many conferences (you can find the talk titles even if you weren’t there).
  • Conference archival at archive.org — older conferences (early 2000s) often only exist on the Internet Archive.

13. Attendee Planning Playbook

Budget tiers (USD, approximate)

| Tier | Includes | Example annual budget |
|---|---|---|
| Community | 2-4 BSides + 1 OWASP chapter + local meetups | $500-$1,500 |
| Practitioner | 1 mid-tier con (Troopers/OffensiveCon) + DEF CON + BSidesLV | $3,000-$6,000 |
| Researcher | 1-2 academic venues + DEF CON + 1 regional | $4,000-$8,000 |
| Enterprise | Black Hat USA + RSAC + 1 executive summit | $8,000-$15,000+ |
| Training heavy | Black Hat Trainings + Troopers Trainings + SANS | $15,000-$25,000 |

Las Vegas (Black Hat + DEF CON) logistics

From the Splunk attendees’ guide:

Hotels sorted by tier:

| Tier | Properties |
|---|---|
| Luxury | The Venetian/Palazzo, The Wynn/Encore, Aria, Bellagio, Cosmopolitan, Four Seasons |
| Happy medium | MGM Grand, Mandalay Bay, The Westin, The Renaissance, Marriott’s Grand Chateau, Caesars Palace |
| Wallet-friendly | Hyatt Place, Hilton Garden Inn, Hilton Vacation Club Desert Retreat, Homewood Suites, New York – New York |

Black Hat has designated Convention Housing Partners as the official housing company. Book early — room blocks fill fast.

Transportation:

| Leg | Options |
| --- | --- |
| Airport to hotel | Uber/Lyft/Taxi (most convenient), rental car, airport shuttle (cheapest if you have time), luxury car service |
| On the Strip | Walking, Uber/Lyft, Las Vegas Monorail (7 stops down the Strip), occasional free casino trams |

The Las Vegas Monorail is the best-kept secret for getting between the Convention Center and Strip-side hotels — you can buy a multi-day pass via lvmonorail.com.

Schedule conflicts

During Summer Camp week, Black Hat Briefings and DEF CON main stage talks overlap on Thursday:

  1. Use Sched.com for both events to pre-plan.
  2. Identify “must see live” talks vs. “will watch on YouTube” talks.
  3. Black Hat Briefings pass includes 30 days of on-demand — don’t sacrifice a DEF CON village talk that won’t be recorded.
  4. Villages rarely record — prioritize them live.

Village vs. main stage prioritization

If you’re going to DEF CON for the first time, lean into villages. The main stage is recorded; villages often are not. The depth of Q&A and the hands-on access are where the real learning happens.

Networking strategy

| Activity | Why |
| --- | --- |
| Walk the Black Hat expo hall | Identify which vendors are actually shipping vs marketing |
| Hallway track at OffensiveCon/Troopers | Small venues mean speakers are actually accessible |
| DEF CON village volunteer | Fastest way to be embedded in a specialist community |
| OWASP chapter meetups | Low pressure, local, cadence for follow-ups |
| Conference afterparties | Splunk AfterParty, Queercon, vendor events — often where jobs get offered |
| BSides lunch/dinner mixers | Smaller community, easier to meet people |

Nightlife in Vegas

Beyond the scope of this guide, but: Allegiant Stadium for the Splunk AfterParty (Raiders’ home), hotel bars for sponsor events, and the Linq/Fremont Street for off-Strip hacker culture.


14. Quick Reference: Calendar by Month

| Month | Events (sample) |
| --- | --- |
| January | ShmooCon (DC), AppSec California (Santa Monica), REAL WORLD CRYPTO |
| February | FOSDEM (Brussels), OWASP 25th Anniversary Virtual Conference, NDSS |
| March | Nullcon (Goa), DjangoCon Security, IEEE S&P submission deadlines |
| April | RSAC (San Francisco, late April), Black Hat Asia (Singapore), CYBERUK (Glasgow), OWASP Netherlands Chapter Meetup |
| May | OffensiveCon (Berlin), AppSec Israel (Tel Aviv), CyberWiseCon Europe (Vilnius), CyCon (Tallinn), OWASP Global AppSec EU (varies), IEEE S&P (Oakland/SF), THOTCON (Chicago) |
| June | Infosecurity Europe (London), Area41 (Zurich, biennial), OWASP Italy Day (Cagliari), Troopers (Heidelberg), Gartner Security Summit |
| July | HITCON (Taipei), SANS summits, Recon (Montreal) |
| August | Hacker Summer Camp — Black Hat USA, DEF CON, BSidesLV, Diana Initiative, USENIX Security (Anaheim/Philly/etc) |
| September | 44CON (London), SEC-T (Stockholm), DerbyCon successors, LASCON (Austin) |
| October | BruCON (Ghent), Hack.lu (Luxembourg), GrrCON, CODE BLUE (Tokyo), ROOTCON (Manila), ACM CCS, OWASP Global AppSec USA (varies) |
| November | POC (Seoul), Ekoparty (Buenos Aires), Black Hat MEA (Riyadh), BSides Munich, ACSAC |
| December | Chaos Communication Congress (Germany), Kiwicon (New Zealand) |

15. Further Reading

Source references used for this guide (from raw/Talks/)

The following 35 clipped articles informed this guide:

  1. AI Agent Security Masterclass (Attacking and Defending Autonomous AI Systems) — Abraham Aranguren et al.
  2. AppSec & Cybersecurity Events Calendar 2026 (derscanner.com) — 60+ conferences, regional breakdown
  3. Black Hat (conference) — Wikipedia overview
  4. Black Hat 2025 & DEF CON 33: The Attendees’ Guide (Splunk)
  5. Black Hat 2025, Def Con, And Others (Futurum Group) — Fernando Montenegro recap
  6. Black Hat 2025 Latest news and insights
  7. Black Hat Conference: Cutting-Edge Cybersecurity Insights (Concise AC)
  8. Black Hat USA 2024, BSidesLV and DEF CON 32: Hacker Summer Camp guide
  9. Black Hat USA 2024 — official DEF CON registration page
  10. Black Hat USA 2025 — official DEF CON registration page
  11. Black Hat USA 2026 — official page
  12. Cybersecurity Conferences 2026-2027: Over 3.4K Events (Concise AC)
  13. defcon.org — DEF CON homepage
  14. Events and Conferences (Approov)
  15. GPSEC Cybersecurity Conference
  16. Hacking Android and IOT Apps by Example — Aranguren/J M/Aniruddha training
  17. IEEE Annual Computer Security Applications Conference (ACSAC)
  18. IEEE Symposium on Security and Privacy 2026
  19. Introducing the OWASP Nettacker Project
  20. LASCON — Lonestar Application Security Conference
  21. NDC Security 2026 — Security Conference for Software Developers
  22. OWASP 25th Anniversary Virtual Conference (Feb) — CfP Call for Speakers
  23. OWASP 2025 Global AppSec USA (Washington, DC)
  24. OWASP AppSec Days Developer Security Summit
  25. OWASP BASC 2026 Call for Speakers
  26. OWASP Global & Regional Events (OWASP Foundation)
  27. OWASP Global AppSec EU 2025 — GenAI Security Project sessions
  28. OWASP Global AppSec EU 2025 (The OWASP Foundation Inc.)
  29. OWASP Global AppSec USA 2025 — CFP (Washington, D.C) Call for Speakers
  30. OWASP Videos — OWASP video archive reference
  31. OWASP Videos (dated index)
  32. Private Presentation
  33. The Best Security Conferences & Events 2026 (Splunk)
  34. The Elephant in AppSec Conference — AI/AppSec virtual conference
  35. The security phoenix — from the ashes of DEV-OPS (AppSec California 2020, Francesco Cipollone)

External archives worth bookmarking

  • media.ccc.de — CCC talk archive
  • media.defcon.org — DEF CON archive
  • usenix.org/conferences — USENIX papers + videos
  • blackhat.com/html/archives.html — Black Hat archive
  • ieee-security.org — IEEE S&P publications
  • ndss-symposium.org — NDSS papers + videos
  • InfoCon.org — community-maintained cross-conference mirror
  • OWASP YouTube channel — chapter and global event talks
  • ../SSRF/ssrf_guide.md — SSRF technique reference, many techniques first disclosed at Black Hat / OffensiveCon
  • (Other AppSec/ subject guides referenced from conference research)

This guide is a research reference. It is not an endorsement of any specific venue, sponsor, or vendor. Conference dates, locations, and programming change year-over-year — always verify with the official event website before booking.