Conference Radar 2026: Where CISO Budgets Meet Substance
Security conferences in 2026 have become a two-tier system. On one side are events delivering hard-hitting substance to engineers and CISOs: verified zero-days, clean detection engineering tracks, peer-level exchange. On the other, formats whose agendas barely differ from vendor roadshows. Both cost five figures per person in 2026—flight, hotel, ticket, and work hours included. Anyone allocating travel budgets needs a clear-eyed radar.
Key Takeaways
- RSAC takes place from March 23–26, 2026, in San Francisco—shifting from its usual April slot (Source: RSA Conference, Moscone Center).
- The it-sa Expo&Congress runs from October 27–29 in Nuremberg—the must-attend DACH event for compliance-focused security teams (Source: NürnbergMesse).
- Black Hat Europe returns to London from December 7–10, 2026—trainings remain the real value; the Business Hall has clearly lost substance in 2026.
- DEF CON 34 takes place in Las Vegas from August 6–9—village-focused content outweighs the main stage; those attending only keynotes miss the point entirely.
- Regional and specialized events (OffensiveCon Berlin, Troopers Heidelberg, FIRSTCON) are gaining market share in 2026—smaller audiences, higher signal density.
What is a robust CFP process?
A Call for Papers (CFP) is a conference’s open invitation for researchers to submit presentations. The key to quality lies in who evaluates these submissions. A technical review board consists of active security researchers who assess submissions for originality, reproducibility, and relevance—and reject proposals whose core findings have already been published or whose methodology doesn’t hold up. Conferences without a visible review board, without a stated rejection rate, and without named reviewers lack this quality control. This is the single most important indicator of an event’s editorial standard.
As of April 2026, major security conferences (RSAC, Black Hat, DEF CON) publish the names and roles of their review board members. Those that don’t carry the burden of proof.
Guidelines: When an Event Is Truly Worth It
The first question before any booking isn’t “who’s speaking there,” but “what operational value do I gain.” Security events make sense according to a simple formula: learning impact plus verifiable contacts, divided by total cost per attendee. Everything else is just travel expense prose.
Three guidelines separate essentials from luxuries. First: Does the conference have a CFP process whose review board consists of practicing security researchers? Second: Are there technical tracks without sponsor keywords in the title? Third: Does knowledge exchange happen in small formats (villages, workshops, birds-of-a-feather), or only in exhibition halls?
If two out of three questions are answered with “no,” it’s likely a marketing fair with a security label. That’s not inherently bad—such formats can work well for vendor screening or analyst discussions. But then the travel expense request should reflect that purpose.
The Must-Attend Events – Where Substance Still Delivers
Four dates are already on the calendars of many CISO teams in 2026. They aren’t automatically relevant every year, but each delivers at least two tracks per edition that justify the travel effort.
RSAC in San Francisco is scheduled for March 23–26, 2026—three weeks earlier than its traditional April slot. Those who habitually book tickets, flights, and hotels late should adjust their calendars early. RSAC remains mandatory for strategy discussions, analyst meetings, and international peer conversations. Technical content is widely scattered; those seeking depth should aggressively filter for the Cryptographers’ Track and Implementer Sessions.
it-sa Expo&Congress in Nuremberg, October 27–29, is the anchor event for the DACH region. It’s a trade show, not a conference—this distinction matters. But for three days, nearly every relevant German security vendor is under one roof, complemented by congress tracks on NIS2, KRITIS, and BSI-Grundschutz. For procurement decisions and compliance orientation, this format is hard to beat.
Black Hat Europe in London, December 7–10, delivers substance primarily through its training sessions and briefings, less so in the Business Hall. Anyone planning to visit only the expo floor can save the cost of the ticket. The trainings—Red Team Operations, Reverse Engineering, Cloud Attack Paths—reach a level many internal training programs fail to match. That part pays off.
DEF CON 34, August 6–9 in Las Vegas, remains the hacker conference that cares least about corporate agendas. That’s its value. Those who take villages seriously (ICS Village, AppSec Village, AI Village) gain insights unavailable on any vendor stage. Main-stage keynotes are secondary. When sending SOC or Red Team staff, define clear learning objectives per village—otherwise, it becomes expensive entertainment.
Overrated Formats: Where ROI Has Shifted
Without naming names: Several mid-tier European security events noticeably lost editorial substance in 2025 and 2026. Agendas increasingly consist of sponsor keynotes, unmoderated panels, and executive roundtables that are essentially lead-generation exercises.
This isn’t a judgment on organizers—exhibition business is a legitimate model. It’s a judgment on usefulness for technical security teams. When more than 60 percent of the agenda consists of vendor slots and the share of independent researchers drops below ten percent, the learning density required for a full conference day simply isn’t there.
Pragmatic consequence: Such formats are suitable as one-day scouting visits for marketing teams, not as three-day technical training. Adjust budgets accordingly.
Mandatory or opportunistic: What sets the categories apart
Mandatory
- CFP with Technical Review Board
- Practitioner-level training
- Peer exchange in small formats
- Independent research tracks
- Documented zero-days or new techniques
Opportunistic
- Sponsor-heavy agenda (>60 percent)
- Panels without challenging moderation
- Executive roundtables without Chatham House rules
- Keynotes primarily on strategic narratives
- Analyst briefings behind closed doors
The table is deliberately not a quality judgment. Some opportunistic formats are ideal for market observation or nurturing existing vendor relationships. They just shouldn’t be booked under your training budget.
Smaller formats with substance – the 2026 winners
A clear pattern has emerged over the past two years: specialized and regional conferences are gaining ground, while the biggest trade shows are becoming broader and more superficial. Three formats stand out for 2026.
OffensiveCon Berlin has long been the European hub for exploit developers and vulnerability researchers. Small, pricey relative to attendance, but editorially unmatched. If you’re serious about offensive security, OffensiveCon is on your radar.
Troopers in Heidelberg remains one of the few European conferences that consistently prioritizes depth over breadth. Tracks on Active Directory security, industrial control systems, and cryptographic engineering are at a level rarely seen at major expos.
FIRSTCON, the annual conference of the Forum of Incident Response and Security Teams, is the most relevant international event for CERTs and SOC leads. The rotating location makes planning trickier, but the content justifies it.
NULLCON in Goa, traditionally the Asian counterpart to OffensiveCon, stays on the radar for 2026 as a spring event with a strong research focus. Only approve travel budgets for it if your team includes researchers whose work will resonate there.
Event Calendar 2026: Verified Dates
Sources: RSA Conference, NürnbergMesse, Black Hat (Informa), DEF CON. As of April 2026.
Budget Planning Implications
The sober calculation for 2026: two global must-attend events per CISO each year (RSAC plus either Black Hat Europe or DEF CON), plus it-sa as the DACH anchor, and one specialised conference per core topic (OffensiveCon, Troopers, or FIRSTCON). This covers strategy, procurement, technical insights, and community engagement—without burning your budget on events with questionable learning outcomes.
If you send team members, brief them with clear learning objectives per track and require a concise report. Three pages are enough: which techniques are new, which vendor claims can be independently verified, and which contacts are relevant. This discipline sharpens event selection and turns conference trips into measurable professional development.
A second lever: rotate attendance. If three team members take turns attending RSAC instead of sending the same person every year, knowledge transfer improves. Otherwise, conference insights stay trapped in one person’s head and never reach the operational level. Adding 30-minute internal debriefings for each returnee multiplies the learning effect—at no extra cost.
Third lever: strategic abstinence. Not every conference needs to be attended every year. If you skip one major event in 2026 and instead send two team members to OffensiveCon or Troopers, you invest the same budget for a significantly higher learning return. The assumption that you “have to be there” is often just habit—not a deliberate decision.
Virtual, hybrid, or in-person – what works in 2026?
In 2026, many organisers offer hybrid formats with more affordable online tickets. For pure lecture consumption, this works well – talks can often be watched in the media library weeks later, at a fraction of the cost. What online can’t replace is the hallway exchange: those chance conversations between sessions that often prove more valuable to a SOC team than the booked track itself.
A pragmatic split: senior roles attend in person, where networking and peer discussions justify the effort. Junior roles use online tickets selectively for specific tracks, supplemented by team-based media library reviews. This combination often delivers clearer economic benefits than the familiar “everyone attends” approach.
As of April 2026, a pattern is emerging: conferences that make their media libraries available quickly and in full signal confidence in their content. Those that artificially restrict access or delay releases for months often have less to offer than their on-site marketing suggests.
Key takeaway for the year: the security conference market is diversifying more sharply in 2026 than in previous years. Teams that set clear criteria, define learning objectives, and rotate attendance will extract far more value from the same travel budget. The rest is just calendar management.
Frequently Asked Questions
How do you realistically assess the ROI of a security conference?
A robust approach involves setting concrete learning goals before booking, documenting implemented insights post-event, and comparing costs (ticket, travel, working time) against operational outcomes for the team. Not every conference needs to deliver measurable output every year, but without this discipline, the line between professional development and calendar management blurs.
How can you spot substance over marketing hype?
Look for technical depth in the programme, practical demos instead of keynote slides, and speakers who operate in the field. A strong indicator is a media library made promptly and fully accessible after the event. Conferences that artificially restrict content or focus solely on executive panels often have less to offer than their outward branding implies.
When do smaller, specialised formats pay off?
When a specific technical topic (Red Team, Cloud Security, OT) needs to be established or expanded within a team. Events like OffensiveCon, Troopers, or similar formats provide more actionable takeaways than broad-based trade fairs. The audience is narrower, but the value per attendee is typically higher.
What’s the best approach to vendor halls if you’re not buying?
Structured market research is a valid goal: approaching vendors with clear questions (current roadmap, integration depth, support quality) yields a snapshot of the state of the art—useful for tenders and architecture decisions. Without a plan, the vendor hall quickly becomes a collection of freebies.
How should you prioritise travel budgets when funds are tight?
Prioritise in-person attendance for senior roles, where peer exchange and networking justify the spend. Junior roles can target online tickets for specific tracks, supplemented by team-based reviews. Rotate attendance at major trade fairs instead of blanket participation every year. This approach often delivers more substance for the same budget than the default “everyone attends” model.