The honest version: Most cloud security professionals attend two or three conferences a year, and which two or three depends entirely on what you're trying to get out of it. RSA is for industry pulse-taking. DEF CON is for technical depth and the hacker culture you can't get from a webcast. Cloud-specific events like fwd:cloudsec are smaller and far more practitioner-dense. The regional BSides circuit is free or near-free and disproportionately valuable. Don't sleep on the international scene either — Troopers, CCC, and OffensiveCon often surface research months before it lands in the US.
If a conference isn't here, that's not a value judgment — there are hundreds globally and we focus on the ones that come up in our Friday Zoom sessions. Suggest additions via GitHub.
🏟️ The Big Three (US)
The conferences everyone in the field has an opinion about. If you only ever attend industry events, you'll attend at least one of these.
RSA Conference
San Francisco, late spring. The biggest commercial cybersecurity event on the planet — 40,000+ attendees, ~600 vendors, the floor where enterprise budgets get committed.
Unique value: RSA is where the industry meets itself — CISOs, board members, vendors, analysts, and reporters in the same hallway. If you need to know what your CISO will be asked about in their next QBR, RSA is where that narrative gets set.
Pros: Unmatched networking; one-stop product comparisons; major announcements you'll hear about for months. Cons: $2,000+ pass; many talks are thinly veiled product pitches; deeply commercial — you'll get hammered by SDR follow-ups for weeks.
DEF CON
Las Vegas, early August. Started in 1993 as a phone-phreak meetup; now 30,000+ attendees and the closest thing the field has to a cultural homecoming.
Unique value: The villages — Cloud, Hardware, AppSec, Lockpicking, Social Engineering, AI, Voting, ICS, Aerospace, Packet Hacking. Each is essentially a mini-conference of its own with workshops, CTFs, and resident experts you can just walk up to.
Pros: Affordable (cash at the door, ~$500 in 2025); the technical content is unfiltered; the badge alone is a year of side projects. Cons: Vegas in August; 30k people is a lot; corporate attendance can feel performative; photography and recording are mostly unwelcome, so pay attention to the badge color rules.
Black Hat USA
Las Vegas, the week before DEF CON. Founded by DEF CON's Jeff Moss as the corporate-friendly counterpart; now owned by Informa.
Unique value: Peer-reviewed briefings (the CFP is genuinely competitive) and the gold-standard four-day technical trainings. Many of the year's most cited research papers — Spectre, Heartbleed, Meltdown, Microsoft Storm-0558 follow-ups — debuted here.
Pros: Briefings quality is consistently high; trainings are excellent (and CPE-eligible); fits cleanly with DEF CON for a single Vegas trip ("Hacker Summer Camp"). Cons: $2,500+ briefings pass; trainings are $4–6k each; vendor floor is closer to RSA than DEF CON in feel.
☁️ Cloud-Specific
Smaller, denser, more useful per-day than anything on the general circuit if you actually work in cloud security.
fwd:cloudsec
Anaheim (June, paired with AWS re:Inforce) plus Europe and Asia chapters. Run by cloud-security practitioners, for cloud-security practitioners.
Unique value: The only conference where you'll find a room full of people who can actually argue about IAM trust policies, IMDSv2 enforcement, and Snowflake/UNC5537 forensics in the same hour. Single track means no FOMO; talks are deeply technical and almost always vendor-neutral.
Pros: Highest practitioner-density of any cloud-security event; talks consistently surface in our Friday recaps; affordable (~$500); zero vendor pitches. Cons: Sells out fast; small enough that breakout conversations are gold but you can miss them if you're not deliberate; not the place for breadth — focused on AWS/Azure/GCP cloud-native, less on K8s or AppSec.
AWS re:Inforce
US, June. AWS's only security-dedicated event.
Unique value: Direct access to AWS security PMs and engineers — GuardDuty, Security Hub, IAM Access Analyzer, Inspector, Detective, KMS — under one roof. Chalk talks and builders' sessions get you whiteboard-deep with the people who actually built the service.
Pros: Roadmap previews; certifications offered on-site; the AWS Identity team is unusually generous with their time. Cons: Single-vendor view of the world; many talks are intro-level; if you're not on AWS, almost none of the content transfers.
AWS re:Invent
Las Vegas, December. AWS's massive (60,000+) general conference.
Unique value: The security track here is where the year's biggest AWS security announcements land — every IMDSv2 default, every IAM Access Analyzer feature, every encryption-at-rest default has been announced here first.
Pros: Most security sessions are recorded and on YouTube within days, so you can skip the trip and still get the content; co-located fwd:cloudsec equivalent events sometimes run nearby; certification on-site. Cons: 60k people across the Strip — logistics nightmare; the security sessions are a small slice of a huge agenda; expensive if you actually attend.
KubeCon + CloudNativeCon
Three editions a year (NA, EU, Asia). The Kubernetes / CNCF event.
Unique value: The maintainers of Falco, Cilium, Tetragon, OPA, Kyverno, and basically every other K8s security project are on stage and in the hallway. Co-located CloudNativeSecurityCon (typically the day before) is the densest deep-dive on K8s security available.
Pros: Unmatched access to project maintainers; recordings appear on YouTube quickly; CNCF-led so vendor noise is bounded. Cons: Schedule is enormous and overwhelming for first-timers; security content is one stream among many; if you're not running K8s, much of it won't apply.
Microsoft Ignite
US, November. Microsoft's flagship event.
Unique value: Where Defender for Cloud, Sentinel, Entra, Purview, and Microsoft 365 security announcements land first — and where the SC-100 / AZ-500 study material reflects the new reality fastest.
Pros: Heavy presence from Microsoft Security Research and the MSRC team; valuable if Microsoft 365 / Entra / Defender are your daily reality; certs on-site. Cons: Single-vendor lens; lots of marketing-flavored sessions; if you're AWS/GCP-only, low ROI.
Google Cloud Next
Las Vegas, April. Google's flagship cloud event.
Unique value: Google's security story unifies GCP-native (SCC, Chronicle), Mandiant threat intel, and the Gemini AI-security narrative — Next is where those streams come together annually. The Mandiant / TAG presence is the real draw.
Pros: Smaller than re:Invent or Ignite, so security sessions are far less of a scrum; Mandiant briefings are routinely the best threat-intel content of any cloud-vendor event. Cons: GCP's market share is smaller, so attendance and vendor diversity reflect that; less content for AWS/Azure-primary practitioners.
🌍 Major International
The international circuit punches way above its weight on technical content. Talks here often appear at US events months later.
Black Hat Europe / Asia / MEA
London (December), Singapore (April), Riyadh (November). The Black Hat franchise's regional editions.
Unique value: Black Hat-quality peer review on a regional speaker pool — researchers based in Europe, Asia, and the Gulf often debut work here months before it shows up at Black Hat USA. Tickets are noticeably cheaper than the US flagship.
Pros: Smaller and more accessible than BH USA; European/Asian/Gulf researcher rosters; trainings often at lower regional pricing. Cons: Smaller vendor floor (a feature, but limits product comparisons); MEA is in Saudi Arabia, which is a personal call for many practitioners; Asia edition rotates cities/themes year to year.
CCC — Chaos Communication Congress
Hamburg, between Christmas and New Year. Europe's preeminent hacker conference, run by the Chaos Computer Club since 1984.
Unique value: The political engagement is the differentiator — talks routinely cross security with civil liberties, surveillance accountability, and digital rights, in a way no commercial event would touch. The talk recordings on media.ccc.de are a year-long study course on their own.
Pros: World-class technical content; the recordings are free, immediate, and DRM-free; vendor-pitch-free. Cons: In-person tickets are scarce and hard to get; held during the Christmas/New Year holiday window; the politically engaged framing isn't every employer's comfort zone for travel approval.
Troopers
Heidelberg, June. Long-running, run by ERNW.
Unique value: The best Active Directory and Entra ID security content on the calendar — Dirk-jan Mollema, the SpecterOps team, and the ERNW researchers consistently debut Microsoft-identity research here. The "TROOPERS Active Directory Security" track is borderline canonical.
Pros: Genuinely deep; small enough that hallway conversations with speakers actually happen; the round table tradition lets you ask follow-ups directly. Cons: Heidelberg is charming but logistically a haul; ticket prices are mid-tier for Europe; the focus has historically been Microsoft identity, so cloud-native AWS/GCP attendees see less direct content.
HITB — Hack In The Box
Amsterdam (April), Phuket (August), and rotating Asian cities. Asia's longest-running hacker conference, founded in Malaysia in 2003.
Unique value: The bridge between Asian and European research scenes — you'll see Korean, Chinese, Japanese, and SE-Asian researchers presenting alongside Europeans, with a heavier mobile / low-level / firmware lens than US events.
Pros: The on-site CTF (CommSec / HITB Pro CTF) is excellent and live; mobile and embedded research is unusually deep; Phuket is, by global-conference standards, a delightful logistics decision. Cons: Less cloud-native focus than fwd:cloudsec; rotating geography makes year-on-year continuity harder; trainings are pricey for Asian travelers.
NULLCON
Goa (March) and Berlin (September). India's flagship security conference, founded in 2010.
Unique value: Strong international speaker line-up with a culture of mentorship for new researchers — many young researchers' first international talk is at NULLCON Goa. The Berlin edition is the cloud-heavier of the two.
Pros: Approachable and friendly atmosphere; affordable by US/EU standards; surprisingly strong cloud track in recent years (2024 onward); off-site venue (Goa beachfront) is exactly as nice as it sounds. Cons: Travel from US/EU is a commitment; some sessions skew intro-level for the local audience; the two editions have different vibes and skipping one means missing distinct content.
CanSecWest
Vancouver, March. ~600 attendees, single-track, run by Dragos Ruiu since 2000.
Unique value: Hosts the original Pwn2Own — the live browser/OS exploitation contest where fully-patched Chrome, Firefox, Safari, Edge, and OSes get popped on stage for cash. The talk schedule is curated to within an inch of its life; there's no filler.
Pros: Single-track means no FOMO; Pwn2Own results drive vendor patches for months; small enough to actually meet every speaker. Cons: Tickets are limited; almost exclusively offensive / kernel / exploit-development; not the place for cloud-native or detection-engineering content.
🥷 Hardcore Technical
Smaller events focused on cutting-edge offensive research, hardware hacking, and exploitation craft. High signal, low noise.
OffensiveCon
Berlin, May. Two-day, single-track, exclusively offensive research.
Unique value: The CFP only accepts deep technical work — typically browser/kernel exploitation, hypervisor escapes, fuzzer internals, and embedded research that took months or years. No vendor talks, no intro material. The bar is high enough that getting in is itself a credential.
Pros: Among the highest signal-to-noise of any conference on Earth; small enough that you'll talk to every speaker; trainings are world-class. Cons: Tickets sell out in minutes; almost no defensive / cloud-native / posture content; if your work is application-layer or cloud config, you may feel out of place.
Pwn2Own
Multiple editions a year — Vancouver (browsers/OSes), Tokyo (automotive), Ireland (mobile/IoT). Run by Trend Micro's Zero Day Initiative.
Unique value: The competition turns 0days into public disclosures on a fixed timeline — researchers earn cash + Master of Pwn points; vendors get pre-disclosed bugs to fix on a 90-day clock. Pwn2Own outputs reshape browser, OS, and increasingly automotive security every year.
Pros: Live-stream is free and watching is its own education; the post-event ZDI advisory series is a year of reading; brings disclosure discipline to spaces (cars, ICS) that historically lacked it. Cons: A spectator event for almost everyone — competing requires a research budget most people don't have; vehicle/ICS editions are very narrow specializations.
Hexacon
Paris, October. Founded 2022. Single-track, exclusively offensive research.
Unique value: Already in the same conversation as OffensiveCon for talk quality despite being newer. Strong representation from French and European research teams (Synacktiv, Quarkslab, Reverse Tactics) who tend to debut work here.
Pros: Recordings appear on YouTube quickly; smaller than OffensiveCon, so logistically easier; Paris in October is a solid travel sell. Cons: Same narrow focus as OffensiveCon (offensive research only); newer conference means the track record is shorter; tickets, while easier than OffensiveCon, still go fast.
Hardwear.io
The Hague (October) and Santa Clara (June). The dedicated hardware-security conference.
Unique value: The only conference fully dedicated to hardware — chip-level reverse engineering, fault injection, side channels, secure-element analysis, embedded firmware. The trainings get cited in CV/job listings the way SANS courses do.
Pros: The room is full of people who actually own oscilloscopes; the trainings are unmatched for hardware skills; small and focused. Cons: Almost zero cloud relevance unless you work on confidential computing or HSMs; trainings are expensive; not the place for someone exploring whether they like hardware.
DEF CON CTF
Las Vegas, August (at DEF CON). The de facto world championship of attack-defense CTF.
Unique value: Year-round qualifiers feed into a finals where the best teams (Maple Mallard Magistrates, Plaid Parliament, OOO, Mystiz, others) play live for the title. Watching the scoreboard area in person is the closest thing the field has to spectator sports.
Pros: Free to spectate at DEF CON; the qualifier challenges are world-class training material; teams release writeups after each year. Cons: Competing requires a serious team commitment year-round; finals environment is closed-network and intentionally adversarial — not a learning environment for newcomers.
Real World CTF
Beijing, January (online qualifier; on-site finals). Run by Chaitin Tech.
Unique value: Challenges built around real product CVEs and modern cloud/container scenarios — Kubernetes escape, container breakout, cloud-IAM abuse — rather than synthetic toy challenges. The qualifier is a strong self-assessment for offensive cloud work.
Pros: Challenges age extremely well as study material; one of the few CTFs with explicit cloud-native problem sets; the qualifier is online and free to play. Cons: Finals are in Beijing, which is a travel-policy question for some; Chinese-language elements occasionally creep into the framing; less name recognition with US-focused hiring teams than DEF CON CTF.
🤝 Community & Free / Low-Cost
Where most practitioners actually start — accessible, welcoming, and frequently better technical content per dollar than the marquee events.
BSides (everywhere)
Hundreds of editions, every continent except Antarctica. Started in 2009 from rejected Black Hat CFP submissions; now a global, decentralized, volunteer-run network — BSides SF, Las Vegas, NYC, London, Berlin, Amsterdam, Singapore, Cape Town, Tel Aviv, Augusta, Knoxville, Manchester, Munich, Athens, Toronto, Sydney, hundreds more.
Unique value: The default place for first-time speakers, regional communities, and "deeply technical work that doesn't fit a vendor narrative." Each edition has its own personality — BSides SF is research-heavy; BSides Las Vegas runs alongside Hacker Summer Camp and is a pilgrimage in its own right; BSides London is one of Europe's largest community events; BSides Charm/Knoxville/Augusta carry strong regional culture. Find your nearest at securitybsides.com.
Pros: Almost always free or under $50; the speaker bar is "interesting and well-prepared," not "famous"; the friendliest entry point into the speaker circuit; volunteer-run, so no shareholders. Cons: Quality varies by edition (you're trusting the local organizers); BSides Las Vegas tickets sell out in literal seconds; venues are sometimes scrappy; quality of recordings is editor-dependent.
ShmooCon
Washington DC, January. Run by The Shmoo Group since 2005. The 20-year run was announced as winding down with the 2025 edition — check the site for what's next.
Unique value: The DC location pulls a heavily-government, heavily-cleared crowd, which gave talks a unique flavor — incident response from people who actually responded to nation-state intrusions, forensics from people who actually subpoena evidence. Also famously the source of "Shmooballs" — squishy projectiles thrown at speakers who deserve it.
Pros: Tight community feel; DC government / IC perspective you don't get elsewhere; affordable. Cons: Tickets historically sold out in literal seconds (3 lottery rounds); winding down — long-term plans uncertain; January weather in DC is what you'd expect.
SAINTCON
Provo, Utah, October. Run by UtahSAINT.
Unique value: Famous for some of the most elaborate hardware badges in the entire conference scene — multi-board builds with weeks of side quests that become their own community. Strong Mountain West attendance with deep enterprise IT and SaaS-security representation.
Pros: Affordable (under $200 typically); very welcoming to first-time conference attendees; the badge alone justifies the trip for hardware-curious folks; LDS-Utah cultural context means the after-parties are different from Vegas/DC. Cons: Less name recognition outside the Mountain West / enterprise IT circuit; cloud-native content is solid but not the focus.
Wild West Hackin' Fest
Deadwood, SD (October) and a Way West edition in San Diego (March). Run by Black Hills Information Security.
Unique value: Probably the most "deliberately welcoming" conference in the US — explicit emphasis on first-timers, mentorship, and pen-tester / blue-team practitioner content over research showmanship. The Deadwood venue (Old West theme + Black Hills surroundings) is unique on the calendar.
Pros: Genuinely friendly culture (not as marketing slogan, as design choice); good entry point if other cons feel intimidating; trainings are well-priced; offensive + defensive content roughly balanced. Cons: Deadwood is a long flight + drive for most US attendees; vibe is more "small-town family reunion" than "research debutante ball" — that's a feature for some, drawback for others.
THOTCON
Chicago, May. "0xC" indicates the year (in hex). Long-running Midwest hacker conference.
Unique value: Hard "no vendors, no marketing" stance — the closest US event to the European hacker-con ethic. Heavy on practitioner and red-team war stories. The badge is a notorious puzzle.
Pros: No vendor noise at all; affordable; strong Midwest practitioner community. Cons: Tickets are scarce and capacity-limited; doesn't suit attendees looking to evaluate products; smaller speaker pool than coastal events.
LayerOne
Pasadena, May. Long-running Southern California hacker conference.
Unique value: The hands-on hardware vibe — soldering villages, lockpicking, tamper-evident-seal workshops, capture-the-signal SDR contests. The kind of con where someone teaches you to read PCB schematics over lunch.
Pros: Affordable; unpretentious; you'll come home with a working hardware project; LA logistics are easy if you're West Coast. Cons: Less talk-driven than the marquee cons (this is a feature for some); cloud-native content is light; smaller scale means fewer headline speakers.
🧭 How to pick one
If you're trying to decide where to spend a limited training budget — or which one to attend on your own dime — here's the honest matrix:
- You want to take the temperature of the industry / talk to vendors: RSA. Once.
- You want technical depth and hacker culture: DEF CON. Hit the villages, not just the main track.
- You want a small, dense cloud-security crowd: fwd:cloudsec — and join us at Friday Zoom the week before, since fwd:cloudsec talks usually surface in our recap.
- You want the cutting edge of offensive research: OffensiveCon, Hexacon, CCC, or CanSecWest.
- You're new and have $0: The nearest BSides. Then, if you're enjoying it, your local ISC2/ISACA/OWASP chapter, then a regional con (SAINTCON, ShmooCon, WWHF).
- You work in Kubernetes / cloud-native: KubeCon (any region), plus the co-located CloudNativeSecurityCon.
- You're a developer-leaning AppSec person: the OWASP Global AppSec series and DEF CON AppSec Village.
Whichever you pick: budget time for the hallway track. Plan to lose at least one talk slot per day to a conversation that pays for the trip. And come back with at least one specific thing you'll change at work. If you do attend, share what you saw with the community in the next Friday Zoom.
📜 Honorable mentions & historical
A non-exhaustive sample of conferences worth knowing about — some retired, some niche, some on our list to add:
- DerbyCon (Louisville, retired 2019) — beloved, blue-team-leaning, the prototype of the modern community con.
- SOURCE Boston (Boston) — long-running policy + technical event.
- Kernelcon (Omaha) — small, technical, wicked badge designs.
- CactusCon (Phoenix) — Arizona's main security con, growing fast.
- SecTor (Toronto) — Canada's largest, paired with Black Hat franchise programming.
- POC (Seoul) — Korea's flagship offensive-research con.
- Code Blue (Tokyo) — Japan's international security conference.
- BSidesLV — calling out the Las Vegas BSides specifically because it's the Hacker Summer Camp third leg, alongside DEF CON and Black Hat.
- The Diana Initiative (Las Vegas) — community for women, non-binary, and underrepresented practitioners; runs alongside Hacker Summer Camp.
- SANS summits — vendor-neutral, topic-focused (DFIR, Cloud, ICS), heavy on practitioner war-stories.
Have one we should add? Open an issue or mention it in the Friday Zoom.
Going to one of these?
Drop a note in our Friday Zoom — there are usually a handful of CSOH members at each major event. Several of us also write up the talks we attend in the meeting recaps; happy to coordinate coverage if you're attending and want to share what you saw.