The 20 best cybersecurity conferences in 2019
There’s nothing like a good technology conference to leave even the most jaded cybersecurity professional feeling enthusiastic about the industry all over again. Attendees leave a successful IT security event with a better grasp of the scope of problems, ideas for how to address them using new tricks and tools, and a pile of business cards (or Twitter handles) of new connections made.
Cybersecurity conferences come in many flavors. Some are so big that it’s impossible to walk the length of the exhibit hall—they are jam-packed with competing talks, parties, contests, events, and subconferences in multiple locations. Other events have a single track and limited tickets to ensure a smaller, more intimate crowd. A conference might be highly technical or specifically targeted to subsections of cybersecurity; or it might be open and welcoming to everyone, including beginners.
Some conferences include tech villages, or separate areas focused on specific topics or themes, such as lock picking or biohacking. Technical villages may offer their own speakers and events, space for hands-on hacking and activities (such as soldering), and vendors appropriate to the theme.
How can you possibly choose? I aim to make the decision easier—or at least more organized—by highlighting 2019 computing security events that help IT professionals learn what’s happening in the industry. I include a wide range of conferences, ordered by date, with different locations, price points, schedules, and areas of focus. Despite my best efforts, the list is not comprehensive, as many conferences have not yet selected dates for 2019 or have published little practical information other than dates.
Still, that’s a lot of events! To make your choices a little easier, I flag five conferences with a gold star. These are events that everyone would get something out of and should consider attending at least once. I've attended several of these over the past few years, and they go on my own short list.
FloCon
Twitter: @SEInews (not conference-specific)
Web: https://resources.sei.cmu.edu/news-events/events/flocon/
Date: January 7-10, 2019
Location: New Orleans, LA
Cost: $525–$1,100
Discounts: Early bird, student, government, academic
FloCon, affiliated with Carnegie Mellon University’s Software Engineering Institute, is focused on data analysis in support of security operations. The conference originally was specifically about network flow but has expanded to all types of data analysis.
The 2019 theme is “Using Data to Defend.” Think network defense, encrypted traffic, scalable statistical techniques, threat detection and mitigation, operational data visualization, data fusion, and optimizing analyst workflow. The audience is comprised of operational analysts, tool developers, researchers, and other security professionals from industry, government, and academia—all working on analyzing and visualizing large datasets to protect and defend network systems.
Real World Crypto Symposium
Twitter: @RealWorldCrypto
Web: https://rwc.iacr.org/2019/registration.html
Date: January 9-11, 2019
Location: San Jose, CA
Cost: $135–$270, including IACR membership fee
Discounts: Student, some awards
The goal of the aptly named Real World Crypto Symposium is to strengthen dialogue between security researchers and developers who are implementing cryptography in real-world systems on the Internet, the cloud, and embedded devices. The conference is organized by the International Association for Cryptologic Research, but unlike other IACR events, there are no proceedings or published papers. Past talks have centered around key management systems, cryptocurrencies, attacks, usability, and broken standards.
ShmooCon 
Twitter: @shmoocon
Web: https://www.shmoocon.org/
Date: January 18-20, 2019
Location: Washington, D.C.
Cost: $150
ShmooCon is a small, inclusive, and friendly hacker conference that sells out quickly. It starts with a day of 20-minute speed talks on a track called One Track Mind. The rest of the conference has three tracks running simultaneously with 20- and 50-minute presentations. The tracks are "Build It," which focuses on creating software and hardware; "Belay It," which is about defensive solutions to problems; and "Bring It," a discussion of technology and security topics. Build It and Belay It are demonstration-rich, while Bring It is more discussion-based. In addition to its affordability, ShmooCon attendees often talk about the great culture at the event and the quality people it attracts. Conference organizers focus on tolerance and respect. The conference sells out quickly every year.
Cyber Defence and Network Security
Web: https://cdans.iqpc.co.uk/
Date: January 29-31, 2019
Location: London, UK
Cost: £499–£1,849 (US$640–$2,410), plus a 20 percent UK VAT
Discounts: Early bird, military, government
The Cyber Defence and Network Security conference is geared toward military and government workers who hope to develop a response to defend intended victims from hostile cyber-operators. The conference features briefings from an array of speakers including U.S. and UK military and government heads of national security, as well as industry speakers and analysts. Topics include threat intelligence, incident response, and remote asset protection. Some sessions also assess the merits of disruptive technology such as AI, blockchain, and advance analytics.
Network and Distributed System Security Symposium
Twitter: @NDSSSymposium
Web: https://www.ndss-symposium.org/ndss2019/attend/
Date: February 24-27, 2019
Location: San Diego, CA
Cost: TBD (was $585–$1,100 in 2018)
Discounts: Early bird, student
The Network and Distributed System Security (NDSS) Symposium is intended to foster dialogue and information exchange between researchers and practitioners of network and distributed system security. Participants typically include CTOs, privacy officers, security analysts, sysadmins, operations and security managers, as well as university researchers and educators. Attendance is limited. Presentations—which in 2018 included “Knock Knock, Who’s There? Membership Inference on Aggregate Location Data” and “Automated Attack Discovery in TCP Congestion Control Using a Model-Guided Approach”—are followed by extended Q&A sessions, encouraging debate and dialogue about approaches to security problems.
RSA Conference
Twitter: @RSAConference
Web: https://www.rsaconference.com/events/us19/agenda
Date: March 4-8, 2019
Location: San Francisco, CA
Cost: $675–$2,895
Discounts: Early bird, group, student/faculty, returning attendees
RSA is an enormous conference focused on defending against cybersecurity threats. It draws more than 40,000 attendees each year, who gather for educational sessions, networking, and one-on-one product demos. Each year has a different theme, and 2019’s is “Better,” focusing on better solutions and ideas, and a safer world. RSA’s 2018 conference received some criticism for its lack of diversity, so here’s hoping that 2019 is, well, better.
CanSecWest
Date: March 20-22, 2019
Location: Vancouver, BC, Canada
Cost: $1,900–$2,600 CAD (US$1,480–$2,025)
Discounts: Early bird
CanSecWest is a three-day single-track conference focused entirely on applied digital security. The hour-long talks typically include new material, emergent technologies, and best industry practices. Target areas have not yet been announced for 2019, but 2018 included web browsers, enterprise applications, servers, and virtualization. The conference is preceded by four days of hands-on one-day training programs delivered by industry experts, each limited to 20 people. Tickets include the conference, catered meals, and a reception party pass but do not include the training programs.
InfoSec World Conference & Expo
Twitter: @InfoSec_World
Web: https://infosecworld.misti.com/
Date: April 1-3, 2019
Location: Lake Buena Vista, FL
Cost: $1,795–$4,195
Discounts: Early bird, team
This conference, hosted by the MIS Training Institute, has its attention on the business of security. Sessions focus on not just prevention, detection, and response to cybersecurity threats, but also how to become a better business partner or employee. There are seven tracks, including a tech labs track that includes offensive and defensive simulations. Topics include ransomware, fileless malware attacks, and GDPR. The conference is preceded by training workshops at an additional fee.
CypherCon
Twitter: @CypherCon
Date: April 11-12, 2019
Location: Milwaukee, WI
Cost: $109.99 (early-bird price)
Discounts: Early bird
CypherCon is a small infosec and cryptography-oriented hacker conference with talks, informal discussions, contests and challenges, and villages in a welcoming environment. Presentations cover security philosophy, hardware hacking, forensics, reverse engineering, protocol analysis, cryptographic algorithms, corporate and network security, privacy, and modern exploit techniques. From last year’s show: “Handshakes and Hashes: Plucking Passwords from Thin Air” and “From Crash Override to TRISIS.”
CypherCon does its best to be welcoming to beginners and non-hackers. The committee reviews abstracts without knowing the speaker names, ensuring that the 25- or 45-minute talks are selected strictly based on content.
LocoMoco Security Conference
Twitter: @LocoMocoSec
Date: April 16-19, 2019
Location: Lihue, Hawaii
Cost: $399–$800, with additional costs for training workshops
Discounts: Early bird
The LocoMoco Security Conference takes place on a different Hawaiian island every year. This community-oriented conference focuses on product and web security. Participants include government officials, students, and enthusiasts as well as professionals. Last year’s presentations included “I’m Pwned. You’re Pwned. We’re All Pwned” and “Starting an AppSec Program: An Honest Retrospective.” The goal is for people of different backgrounds to participate in collaborative discussions. Unlike most security conferences, LocoMoco has a single presentation track.
Infiltrate
Twitter: @InfiltrateCon
Web: https://infiltratecon.com/
Date: May 2-3, 2019
Location: Miami Beach, FL
Cost: $1,800–$2,500
Discounts: Early bird rates, group rates, no alcohol/open bar rates, bundle discount if registering for training course as well as conference
The Infiltrate (in) security conference, hosted by Immunity, pays sole attention to offensive security issues, such as computer network exploitation, rootkit and trojan covert protocols, vulnerability discovery, and so forth. The presentations are entirely technical, such as (from last year) “Analyzing and Breaking QNX Exploit Mitigations and Secure Random Number Generators” and “802.11 Protocol Chaos.”
The conference is preceded by four days of training in topics such as Java exploitation, Linux kernel exploitation, web hacking, and applied cryptanalysis, at an extra cost. The first two tiers of Infiltrate sell out quickly, so it’s worth registering early.
THOTCON
Twitter: @thotcon
Web: https://thotcon.org/
Date: May 3-4, 2019
Location: Chicago, IL (event venue disclosed a week before the event)
Cost: $170 (or $350 for a VIP/Donor ticket)
Discounts: Student, early bird, speaker
THOTCON is a low-budget, noncommercial conference. Topics likely to be featured in talks include data visualization, IoT, medical devices, computer/human interfaces, wearable computing, surveillance, and intelligence gathering. No talking is permitted during the presentations, but there are plenty of areas for discussion and various villages. There are also contests for lifetime badges. If you care about security certifications, note that attending THOTCON counts toward CAP, SSCP, and CISSP CPE credits.
RiskSec
Twitter: @SCMagazine
Web: https://risksecconference.com/
Date: May 8, 2019
Location: Philadelphia, PA
Cost: $299–$399
Discounts: Group
RiskSec, organized by SC Media, is a one-day event featuring standard security conference fare—talks, training, networking, and demos—geared specifically toward CISOs and senior IT security leaders. Speakers include CISOs and government execs, speaking on regulatory challenges, threats, and strategies for improvement. Participants can earn nine CPE/CISSP credits to maintain their certification.
Interop ITX
Twitter: @interop
Date: May 20-23
Location: Las Vegas, NV
Cost: TBD. In 2018, full registration was $2,499 to $2,899; single-day and business hall-only passes also available. The super-early-bird rate for the 2019 conference is $2,499.
Discounts: Group, government, education, nonprofit
Interop ITX is a large, independent conference for technology leaders. Tracks include cloud, DevOps, data and analytics, infrastructure, emerging technology, IT strategy, security, professional development, and one tuned for government professionals. The conference includes workshops, hands-on sessions, panels, and keynotes as well as a huge vendor hall. If you’re shopping for security products, it may be worth attending Interop just for the opportunity to get tool demonstrations. In 2018, a two-day DevOps training events took place during the conference; it’s likely that this year, too, will have additional training classes.
CircleCityCon 
Twitter: @CircleCityCon
Web: https://circlecitycon.com/
Date: June 1-3, 2019
Location: Indianapolis, IN
Cost: $75-plus
Discounts: Early bird, volunteers
CircleCityCon is a community-based security conference centered around its community-led training classes offered to all participants. Many of these training sessions are offered for $5. Past classes included Wi-Fi exploits, threat hunting with ELK, social engineering, persuasive communication skills, Splunk, Cuckoo sandboxing, exploit development, memory forensics, and client-side attacks.
The conference also includes three tracks of talks, technical villages, events and contests, and entertainment. In 2018, the conference was preceded by a one-day executive summit in collaboration with InfraGard and ISSA. In my view, this conference is a must-attend because it is inexpensive, accessible, and community-led.
RightsCon 
Twitter: @rightscon
Web: https://www.rightscon.org/
Date: June 11-14, 2019
Location: Tunis, Tunisia
Cost: $400–$1,000 (cost for 2018 in Toronto)
Discounts: Academic, NGO
RightsCon isn’t a security conference per se, but rather focuses on human rights in the digital age. That said, cybersecurity often takes center stage when considering the problems that arise in the intersection of digital technology, privacy, and human rights. RightsCon is organized by Access Now, a nonprofit organization that defends digital rights of at-risk users across the world.
Participants include government representatives, lawyers, technologists, business leaders, and human rights activists. The wide-ranging topic areas include digital security and encryption; cybersecurity policy; privacy and surveillance; AI and algorithmic accountability; biometrics and facial recognition technology; election integrity; data trust and protection; countering online harassment; civic tech and e-governance; Internet shutdowns; and censorship. The conference includes demos and training sessions as well as high-profile speakers.
Its location in Tunisia makes this a tough choice for me. I learned a lot when I attended an earlier conference, but that's an expensive trip from the United States!
Black Hat
Twitter: @blackhatevents
Web: https://www.blackhat.com/
Date: August 3-8, 2019
Location: Las Vegas, NV
Cost: Briefings early registration $2,295, regular $2,495, late $2,795, on-site $2,895. Training passes are sold separately.
Discounts: Early registration, group discounts, and a limited number of student scholarships
Black Hat is DefCon’s corporate older sister, as its price tag would suggest, though there is some overlap. The two-day infosec conference is geared toward security practitioners and executives, as well as vendor company sponsors and academics. It is preceded by four days of technical trainings, which are hands-on courses on subjects such as penetration testing and web exploits. The conference itself features four tracks of briefings, allowing security researchers to share their work. The 2018 presentations included an exploration of the hacking of voting machines; research on hacking self-driving cars from the researchers who famously hacked a Jeep in 2015; and insight into major platform weaknesses from the researchers who discovered the Meltdown and Spectre bugs.
BSides Las Vegas
Twitter: @BSidesLV
Date: August 6-7, 2019
Location: Las Vegas, NV
Cost: Free
Discounts: No discounts for a free event, but since walk-in badges do go quickly, you can secure a spot with a donation of $50 or more.
BSides is a series of volunteer-organized community infosec conferences taking place across the world, from Algiers to Ottawa. I highlight the Las Vegas event because it is part of the Vegas conference trifecta, and because 2019 marks its 10th anniversary. This conference is small, free, and participatory. It is very beginner-friendly and has multiple tracks, including some on nontechnical issues. There’s also a dedicated career track and a mentorship program for first-time speakers.
If your budget is small and travel is challenging, look at the extensive list of locations to see if one is nearby. If you can’t make it in person, several of the sessions are live-streamed and archived under a “Highway to Shell” collection, such as "Your Taxes are Being Leaked."
Def Con
Twitter: @defcon
Date: August 8-11
Location: Las Vegas, Nevada
Cost: $280 (cash only)
Discounts: Volunteers
Def Con is the mother of all hacking conferences, and it gets bigger every year. The four-day event is jam-packed with talks, contests, cybersecurity challenges, informal meetups, music events, and parties. The days before the conference make it seem that the entire Internet is broken, as security researchers around the world release their exploit reports to prepare for their Def Con talks.
The main conference is typically spread out over several Las Vegas hotels, with related events in nearby locations. Four tracks of talks often have long lines, but Def Con also has smaller, more intimate fireside chats, too. The conference also features separate villages focused on specific topics, including lock picking, hardware hacking, soldering, vote hacking, car hacking, cryptography and privacy, and much more. Many of the villages, as well as sub-conferences such as QueerCon and ShabbatCon, have talks and events of their own, which are sometimes in a quieter (or at least less crowded) setting. It's loads of fun, whether you to go watch people participate in a contest or you listen to the big-name security analysts describe upcoming trends.
While videos from most Def Con talks are posted online, the social engineering village does not allow recording due to wiretapping laws. There’s also Skytalks, a sub-conference with a strict no-recording policy. And, of course, Def Con draws in elite hackers to compete in Capture the Flag, where teams compete to solve computer security problems modeled on real-world vulnerabilities.
Def Con is big enough that there’s no way to see it all. The best way to approach it is to study the schedule ahead of time and pick a few must-see talks or meetups. Then, make sure to wander the various villages, vendor areas, and various bars in the hotel lobbies, leaving time for long conversations. This conference is at the top of my own list. Grad school is easier to get through, when I think of it, as just killing time between Def Cons.
GrrCon 
Twitter: @GrrCON
Date: October 24-25, 2019
Location: Grand Rapids, MI
Cost: $50 student, $150 regular admission, corporate/VIP $350
Discounts: Student, early bird
GrrCon has fashioned its conference to prevent what it calls “the elitist ‘Diva’ nonsense.” It’s designed to offer a fun, informative event where CISOs, hackers, researchers, and security practitioners can share ideas and solutions with one another. Added bonus: free food and beer.
In addition to three tracks, the conference includes multiple villages, contests, parties, and events (such as Hacker Family Feud). There’s also a talent accelerator program and a special executive summit geared toward senior leadership. A limited number of seats to hands-on workshops are an additional $5 or so each.
Did we miss anything? Send your recommendations for cybersecurity conferences in 2019 to us at @enterprise.nxt. Happy learning!
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.