13 April 2026

Conference Radar 2026: Where CISO Budgets Meet Substance

Security conferences in 2026 will operate as a two-tier system. On one side, events delivering hard-hitting substance for engineers and CISOs: verified zero-days, clean detection-engineering tracks, peer-level exchanges. On the other, formats whose agendas barely differ from vendor roadshows. Both will cost five-figure sums per attendee in 2026—flights, hotels, tickets, and lost work time included. Anyone signing off on travel budgets needs a clear-eyed radar.

Key Takeaways

  • RSAC 2026 runs 23–26 March in San Francisco—moving from its traditional April slot (source: RSA Conference, Moscone Center).
  • it-sa Expo & Congress takes place 27–29 October in Nuremberg—the DACH compliance must-attend for security teams (source: NürnbergMesse).
  • Black Hat Europe returns 7–10 December in London—training remains the real draw, while the Business Hall has lost much of its substance by 2026.
  • DEF CON 34 lands 6–9 August in Las Vegas—Village focus eclipses Main Stage; attendees who only catch keynotes miss the conference.
  • Regional and niche events (OffensiveCon Berlin, Troopers Heidelberg, FIRSTCON) are gaining market share in 2026—smaller crowds, higher signal density.

What makes a robust CFP process?

A Call for Papers (CFP) is a conference’s open invitation to researchers to submit talks. The deciding factor for quality is who evaluates the submissions. A technical review board comprises active security researchers who vet entries for originality, reproducibility, and relevance—and reject submissions whose core claims have already been published or whose methodology is unsound. Conferences without a visible review board, without a published rejection rate, and without named reviewers are not operating under this quality-control mechanism. That is the single most important indicator of a publication’s editorial standard.

As of April 2026, the major security conferences (RSAC, Black Hat, DEF CON) publish the names and roles of their review-board members. For those that do not, the burden of proof is reversed.

Guardrails: When an Event Really Pays Off

The first question before any booking isn’t “who’s speaking there” but “what will I take away operationally.” The value of a security event follows a simple formula: learning effect plus reliable contacts, divided by total cost per attendee. Everything else is travel-expense prose.

Three guardrails separate must-attend from nice-to-have. First: does the conference run a CFP process whose review board consists of practicing security researchers? Second: are there technical tracks without sponsor keywords in the title? Third: does the exchange happen in small formats (villages, workshops, birds-of-a-feather) or only in expo halls?

If two of the three answers are no, it’s likely a marketing fair with a security label. That isn’t inherently bad—such formats can suit vendor screening or analyst talks—but the travel-cost application should then be justified accordingly.

3 key questions before every conference booking: technical review board, sponsor-free tracks, small formats (SecurityToday editorial heuristic 2026)

The Big Must-Attend Events – Where Substance Still Holds

Four dates in 2026 sit on the calendars of most CISO teams. They aren’t automatically relevant every year, but each edition delivers at least two tracks that justify the travel effort.

RSAC in San Francisco runs from 23–26 March 2026—three weeks ahead of the traditional April slot. Anyone who habitually books flights and hotels late should adjust their calendar early. RSAC remains the go-to event for strategy, analyst meetings, and international peer exchanges. Technical content is broad; those seeking depth should aggressively filter for the Cryptographers’ Track and Implementer Sessions.

it-sa Expo & Congress in Nuremberg, 27–29 October, is the DACH anchor. It’s a trade fair, not a conference—keep that in mind. Yet across three days it gathers nearly every relevant German security vendor under one roof, flanked by Congress tracks on NIS2, KRITIS, and BSI baseline protection. For procurement decisions and compliance orientation, the format is hard to beat.

Black Hat Europe in London, 7–10 December, delivers substance mainly in trainings and briefings, less in the Business Hall. If you’re only walking the expo floor, skip the ticket. The trainings (Red Team operations, reverse engineering, cloud attack paths) are at a level many internal programs can’t match, and that part pays for itself.

DEF CON 34, 6–9 August in Las Vegas, remains the hacker conference that cares least about corporate agendas—and that’s its value. Taking the villages seriously (ICS Village, AppSec Village, AI Village) yields insights you won’t see on any vendor stage. Main-stage keynotes are window dressing. If you’re sending SOC or Red Team staff, set clear learning goals per village—or it becomes expensive entertainment.

Overrated Formats: Where ROI Has Shifted

Without naming names: a number of second-tier European security events lost editorial substance noticeably in 2025 and 2026. Agendas now lean toward sponsor keynotes, unmoderated panels, and executive roundtables that essentially qualify leads.

That’s not a verdict on the organizers—exhibitor business is a legitimate model—it’s a verdict on the benefit for technical security teams. When more than 60 % of the agenda consists of vendor slots and independent researchers make up less than 10 %, the learning density a conference day needs is simply missing.

Practical takeaway: such formats work as a one-day scouting visit for marketing, not as a three-day technical deep dive. Shift budgets accordingly.

Must-Attend or Opportunistic: What Separates the Categories

Mandatory events

  • CFP with Technical Review Board
  • Practitioner-level training
  • Peer exchange in small formats
  • Independent research tracks
  • Documented zero-days or new techniques

Opportunistic

  • Sponsor-heavy agenda (>60 percent)
  • Panels without moderated Q&A
  • Executive roundtables without Chatham House rules
  • Keynotes focused on strategy narratives
  • Analyst briefings behind closed doors

The table is not meant as a quality judgment. Some opportunistic formats are ideal for market observation or nurturing existing vendor relationships. They simply shouldn’t be booked under training budgets.

Smaller formats with substance – the 2026 winners

Two years of data reveal a clear pattern: specialized and regional conferences are gaining ground, while mega-shows grow broader and shallower. Three formats stand out for 2026.

OffensiveCon Berlin has long been the European gathering place for exploit developers and vulnerability researchers. Small, expensive per attendee, yet editorially unmatched. Anyone serious about offensive security keeps OffensiveCon on their radar.

Troopers in Heidelberg remains one of Europe’s few conferences that consistently prioritizes depth over breadth. Tracks on Active Directory security, industrial-control systems and cryptographic engineering reach a level rarely seen at large expos.

FIRSTCON, the annual conference of the Forum of Incident Response and Security Teams, is the most relevant international event for CERTs and SOC leads. Rotating venues each year complicates planning, but the content justifies the effort.

NULLCON in Goa, the traditional Asian counterpart to OffensiveCon, stays on the radar for 2026 as a spring event with a strong research focus. Only approve travel budgets if your team includes researchers whose work will resonate there.

Event calendar 2026: verified dates

  • 23–26 March: RSAC 2026 – San Francisco, Moscone Center. Strategy talks, analyst meetings, international peer networking.
  • 6–9 August: DEF CON 34 – Las Vegas Convention Center. Villages, hands-on labs, hacker community.
  • 27–29 October: it-sa Expo & Congress 2026 – Messe Nürnberg. Essential DACH stop for procurement and compliance.
  • 7–10 December: Black Hat Europe 2026 – ExCeL London. Training and briefings are the real value, not the expo floor.
  • Spring 2026: NULLCON – Goa. Annual spring event; confirm exact dates via official sources.

Sources: RSA Conference, NürnbergMesse, Black Hat (Informa), DEF CON. Status April 2026.

Consequences for Budget Planning

The sober calculation for 2026: two mandatory global appointments per CISO per year (RSAC plus either Black Hat Europe or DEF CON), plus it-sa as the DACH anchor and one specialized conference per core topic (OffensiveCon, Troopers or FIRSTCON). This covers strategy, procurement, technology and community engagement—without burning the conference budget on events whose learning impact is questionable.

When sending team members, brief them with clear learning objectives per track and require a short report. Three pages suffice: which techniques are new, which vendor claims can be independently verified, which contacts are relevant. This disciplines selection and turns conference travel into verifiable professional development.

A second lever: rotate attendance. If three team members take turns going to RSAC instead of always sending the same person, knowledge transfer to the team increases. Otherwise, conference insights remain trapped with one individual and never reach the operational level. Adding internal 30-minute debriefs per returnee further multiplies learning impact—at no extra cost.

A third lever: deliberate abstinence. Not every conference must be attended every year. If in 2026 you skip a large trade show and instead send two team members to OffensiveCon or Troopers, you invest the same budget for a markedly higher learning yield. The assumption that you “had to be there” is usually habit, not a decision.

Virtual, hybrid or in-person—what works in 2026

Many organizers in 2026 offer hybrid formats with cheaper online tickets. For pure lecture consumption this works—talks can often be viewed weeks later in the media library at a fraction of the cost. What online cannot replace is corridor exchange: the chance encounters between sessions that, in an SOC team, often deliver more value than the booked track itself.

A pragmatic split: senior roles travel on-site where networking and peer conversations justify the expense; junior roles use online tickets strategically for selected tracks, supplemented by team-based review of the media library. This combination frequently outperforms the traditional “everyone attends” approach economically.

As of April 2026 a pattern emerges: conferences that make their media library available quickly and completely signal confidence in their content. Those that artificially restrict or delay access often have less substance than their on-site marketing suggests.

Bottom line for the current year: the security-conference market is differentiating itself more sharply than in previous years. With clear criteria, explicit learning goals and rotating attendance, you extract far more substance from the same travel budget. The rest is calendar management.

Frequently Asked Questions

How do you realistically assess the ROI of a security conference?

A robust approach sets concrete learning objectives before registration, documents implemented insights after the event, and compares effort (ticket, travel, work time) against operational outcomes within the team. Not every conference must yield measurable output every year, but without this discipline the line between professional development and calendar maintenance blurs.

How can you tell substance from marketing theatre?

Look for technical depth in the program, practical demos instead of keynote slides, and speakers who come from day-to-day operations. A strong signal is when the media library is made available promptly and in full after the event. If organizers ration or delay recordings, their content is often weaker than the outward presentation suggests.

When do smaller, specialized formats pay off?

When your team needs to build or deepen expertise in a specific domain (red teaming, cloud security, OT). Events like OffensiveCon, Troopers or similar deliver more hands-on takeaways than a broad trade show. The audience is narrower, but the per-participant benefit is typically higher.

What should you do with vendor halls if you’re not buying anything new?

Structured market intelligence is a legitimate goal: walking the floor with clear questions (current roadmap, integration depth, support quality) gives you a snapshot of the state of the art that informs RFPs and architecture decisions. Without guiding questions, the vendor hall quickly becomes a collection of swag.

How do you prioritise travel budgets when funds are tight?

Invest in senior roles on-site, where peer exchange and networking justify the expense. Give junior roles online tickets for targeted tracks, followed by team debriefs. Attend major trade shows on a rotation basis rather than every year. This blend often delivers more substance for the same budget than the usual “everyone goes.”

Benedikt Langer

A magazine by Evernine Media GmbH