The 20 best cybersecurity conferences in 2019

There’s nothing like a good technology conference to leave even the most jaded cybersecurity professional feeling enthusiastic about the industry all over again. Attendees leave a successful IT security event with a better grasp of the scope of problems, ideas for how to address them using new tricks and tools, and a pile of business cards (or Twitter handles) of new connections made.

Cybersecurity conferences come in many flavors. Some are so big that it’s impossible to walk the length of the exhibit hall—they are jam-packed with competing talks, parties, contests, events, and subconferences in multiple locations. Other events have a single track and limited tickets to ensure a smaller, more intimate crowd. A conference might be highly technical or specifically targeted to subsections of cybersecurity; or it might be open and welcoming to everyone, including beginners.

Some conferences include tech villages, or separate areas focused on specific topics or themes, such as lock picking or biohacking. Technical villages may offer their own speakers and events, space for hands-on hacking and activities (such as soldering), and vendors appropriate to the theme.

How can you possibly choose? I aim to make the decision easier—or at least more organized—by highlighting 2019 computing security events that help IT professionals learn what’s happening in the industry. I include a wide range of conferences, ordered by date, with different locations, price points, schedules, and areas of focus. Despite my best efforts, the list is not comprehensive, as many conferences have not yet selected dates for 2019 or have published little practical information other than dates.

Still, that’s a lot of events! To make your choices a little easier, I flag five conferences with a gold star. These are events that everyone would get something out of and should consider attending at least once. I've attended several of these over the past few years, and they go on my own short list.

FloCon

Twitter: @SEInews (not conference-specific)

Web: https://resources.sei.cmu.edu/news-events/events/flocon/

Date: January 7-10, 2019

Location: New Orleans, LA

Cost: $525–$1,100

Discounts: Early bird, student, government, academic

FloCon, affiliated with Carnegie Mellon University’s Software Engineering Institute, is focused on data analysis in support of security operations. The conference originally was specifically about network flow but has expanded to all types of data analysis.

The 2019 theme is “Using Data to Defend.” Think network defense, encrypted traffic, scalable statistical techniques, threat detection and mitigation, operational data visualization, data fusion, and optimizing analyst workflow. The audience is comprised of operational analysts, tool developers, researchers, and other security professionals from industry, government, and academia—all working on analyzing and visualizing large datasets to protect and defend network systems.

Real World Crypto Symposium

Twitter: @RealWorldCrypto

Web: https://rwc.iacr.org/2019/registration.html

Date: January 9-11, 2019

Location: San Jose, CA

Cost: $135–$270, including IACR membership fee

Discounts: Student, some awards

The goal of the aptly named Real World Crypto Symposium is to strengthen dialogue between security researchers and developers who are implementing cryptography in real-world systems on the Internet, the cloud, and embedded devices. The conference is organized by the International Association for Cryptologic Research, but unlike other IACR events, there are no proceedings or published papers. Past talks have centered around key management systems, cryptocurrencies, attacks, usability, and broken standards.

ShmooCon

Twitter: @shmoocon

Web: https://www.shmoocon.org/

Date: January 18-20, 2019

Location: Washington, D.C.

Cost: $150

ShmooCon is a small, inclusive, and friendly hacker conference that sells out quickly. It starts with a day of 20-minute speed talks on a track called One Track Mind. The rest of the conference has three tracks running simultaneously with 20- and 50-minute presentations. The tracks are "Build It," which focuses on creating software and hardware; "Belay It," which is about defensive solutions to problems; and "Bring It," a discussion of technology and security topics. Build It and Belay It are demonstration-rich, while Bring It is more discussion-based. In addition to its affordability, ShmooCon attendees often talk about the great culture at the event and the quality people it attracts. Conference organizers focus on tolerance and respect. The conference sells out quickly every year.

Cyber Defence and Network Security

Web: https://cdans.iqpc.co.uk/

Date: January 29-31, 2019

Location: London, UK

Cost: £499–£1,849 (US$640–$2,410), plus a 20 percent UK VAT

Discounts: Early bird, military, government

The Cyber Defence and Network Security conference is geared toward military and government workers who hope to develop a response to defend intended victims from hostile cyber-operators. The conference features briefings from an array of speakers including U.S. and UK military and government heads of national security, as well as industry speakers and analysts. Topics include threat intelligence, incident response, and remote asset protection. Some sessions also assess the merits of disruptive technology such as AI, blockchain, and advance analytics.

Network and Distributed System Security Symposium

Twitter: @NDSSSymposium

Web: https://www.ndss-symposium.org/ndss2019/attend/

Date: February 24-27, 2019

Location: San Diego, CA

Cost: TBD (was $585–$1,100 in 2018)

Discounts: Early bird, student

The Network and Distributed System Security (NDSS) Symposium is intended to foster dialogue and information exchange between researchers and practitioners of network and distributed system security. Participants typically include CTOs, privacy officers, security analysts, sysadmins, operations and security managers, as well as university researchers and educators. Attendance is limited. Presentations—which in 2018 included “Knock Knock, Who’s There? Membership Inference on Aggregate Location Data” and “Automated Attack Discovery in TCP Congestion Control Using a Model-Guided Approach”—are followed by extended Q&A sessions, encouraging debate and dialogue about approaches to security problems.

RSA Conference

Twitter: @RSAConference

Web: https://www.rsaconference.com/events/us19/agenda

Date: March 4-8, 2019

Location: San Francisco, CA

Cost: $675–$2,895

Discounts: Early bird, group, student/faculty, returning attendees

RSA is an enormous conference focused on defending against cybersecurity threats. It draws more than 40,000 attendees each year, who gather for educational sessions, networking, and one-on-one product demos. Each year has a different theme, and 2019’s is “Better,” focusing on better solutions and ideas, and a safer world. RSA’s 2018 conference received some criticism for its lack of diversity, so here’s hoping that 2019 is, well, better.

CanSecWest

Web: https://cansecwest.com

Date: March 20-22, 2019

Location: Vancouver, BC, Canada

Cost: $1,900–$2,600 CAD (US$1,480–$2,025)

Discounts: Early bird

CanSecWest is a three-day single-track conference focused entirely on applied digital security. The hour-long talks typically include new material, emergent technologies, and best industry practices. Target areas have not yet been announced for 2019, but 2018 included web browsers, enterprise applications, servers, and virtualization. The conference is preceded by four days of hands-on one-day training programs delivered by industry experts, each limited to 20 people. Tickets include the conference, catered meals, and a reception party pass but do not include the training programs.

InfoSec World Conference & Expo

Twitter: @InfoSec_World

Web: https://infosecworld.misti.com/

Date: April 1-3, 2019

Location: Lake Buena Vista, FL

Cost: $1,795–$4,195

Discounts: Early bird, team

This conference, hosted by the MIS Training Institute, has its attention on the business of security. Sessions focus on not just prevention, detection, and response to cybersecurity threats, but also how to become a better business partner or employee. There are seven tracks, including a tech labs track that includes offensive and defensive simulations. Topics include ransomware, fileless malware attacks, and GDPR. The conference is preceded by training workshops at an additional fee.

CypherCon

Twitter: @CypherCon

Web: https://cyphercon.com/cyphercon-4-0/

Date: April 11-12, 2019

Location: Milwaukee, WI

Cost: $109.99 (early-bird price)

Discounts: Early bird

CypherCon is a small infosec and cryptography-oriented hacker conference with talks, informal discussions, contests and challenges, and villages in a welcoming environment. Presentations cover security philosophy, hardware hacking, forensics, reverse engineering, protocol analysis, cryptographic algorithms, corporate and network security, privacy, and modern exploit techniques. From last year’s show: “Handshakes and Hashes: Plucking Passwords from Thin Air” and “From Crash Override to TRISIS.”

CypherCon does its best to be welcoming to beginners and non-hackers. The committee reviews abstracts without knowing the speaker names, ensuring that the 25- or 45-minute talks are selected strictly based on content.

LocoMoco Security Conference

Twitter: @LocoMocoSec

Web: https://locomocosec.com/

Date: April 16-19, 2019

Location: Lihue, Hawaii

Cost: $399–$800, with additional costs for training workshops

Discounts: Early bird

The LocoMoco Security Conference takes place on a different Hawaiian island every year. This community-oriented conference focuses on product and web security. Participants include government officials, students, and enthusiasts as well as professionals. Last year’s presentations included “I’m Pwned. You’re Pwned. We’re All Pwned” and “Starting an AppSec Program: An Honest Retrospective.” The goal is for people of different backgrounds to participate in collaborative discussions. Unlike most security conferences, LocoMoco has a single presentation track.

Infiltrate

Twitter: @InfiltrateCon

Web: https://infiltratecon.com/

Date: May 2-3, 2019

Location: Miami Beach, FL

Cost: $1,800–$2,500

Discounts: Early bird rates, group rates, no alcohol/open bar rates, bundle discount if registering for training course as well as conference

The Infiltrate (in) security conference, hosted by Immunity, pays sole attention to offensive security issues, such as computer network exploitation, rootkit and trojan covert protocols, vulnerability discovery, and so forth. The presentations are entirely technical, such as (from last year) “Analyzing and Breaking QNX Exploit Mitigations and Secure Random Number Generators” and “802.11 Protocol Chaos.”

The conference is preceded by four days of training in topics such as Java exploitation, Linux kernel exploitation, web hacking, and applied cryptanalysis, at an extra cost. The first two tiers of Infiltrate sell out quickly, so it’s worth registering early.

THOTCON

Twitter: @thotcon

Web: https://thotcon.org/

Date: May 3-4, 2019

Location: Chicago, IL (event venue disclosed a week before the event)

Cost: $170 (or $350 for a VIP/Donor ticket)

Discounts: Student, early bird, speaker

THOTCON is a low-budget, noncommercial conference. Topics likely to be featured in talks include data visualization, IoT, medical devices, computer/human interfaces, wearable computing, surveillance, and intelligence gathering. No talking is permitted during the presentations, but there are plenty of areas for discussion and various villages. There are also contests for lifetime badges. If you care about security certifications, note that attending THOTCON counts toward CAP, SSCP, and CISSP CPE credits.

RiskSec

Twitter: @SCMagazine

Web: https://risksecconference.com/

Date: May 8, 2019

Location: Philadelphia, PA

Cost: $299–$399

Discounts: Group

RiskSec, organized by SC Media, is a one-day event featuring standard security conference fare—talks, training, networking, and demos—geared specifically toward CISOs and senior IT security leaders. Speakers include CISOs and government execs, speaking on regulatory challenges, threats, and strategies for improvement. Participants can earn nine CPE/CISSP credits to maintain their certification.

Interop ITX

Twitter: @interop

Web: https://www.interop.com/

Date: May 20-23

Location: Las Vegas, NV

Cost: TBD. In 2018, full registration was $2,499 to $2,899; single-day and business hall-only passes also available. The super-early-bird rate for the 2019 conference is $2,499.

Discounts: Group, government, education, nonprofit

Interop ITX is a large, independent conference for technology leaders. Tracks include cloud, DevOps, data and analytics, infrastructure, emerging technology, IT strategy, security, professional development, and one tuned for government professionals. The conference includes workshops, hands-on sessions, panels, and keynotes as well as a huge vendor hall. If you’re shopping for security products, it may be worth attending Interop just for the opportunity to get tool demonstrations. In 2018, a two-day DevOps training events took place during the conference; it’s likely that this year, too, will have additional training classes.

CircleCityCon

Twitter: @CircleCityCon

Web: https://circlecitycon.com/

Date: June 1-3, 2019

Location: Indianapolis, IN

Cost: $75-plus

Discounts: Early bird, volunteers

CircleCityCon is a community-based security conference centered around its community-led training classes offered to all participants. Many of these training sessions are offered for $5. Past classes included Wi-Fi exploits, threat hunting with ELK, social engineering, persuasive communication skills, Splunk, Cuckoo sandboxing, exploit development, memory forensics, and client-side attacks.

The conference also includes three tracks of talks, technical villages, events and contests, and entertainment. In 2018, the conference was preceded by a one-day executive summit in collaboration with InfraGard and ISSA. In my view, this conference is a must-attend because it is inexpensive, accessible, and community-led.  

RightsCon  

Twitter: @rightscon

Web: https://www.rightscon.org/

Date: June 11-14, 2019

Location: Tunis, Tunisia

Cost: $400–$1,000 (cost for 2018 in Toronto)

Discounts: Academic, NGO

RightsCon isn’t a security conference per se, but rather focuses on human rights in the digital age. That said, cybersecurity often takes center stage when considering the problems that arise in the intersection of digital technology, privacy, and human rights. RightsCon is organized by Access Now, a nonprofit organization that defends digital rights of at-risk users across the world.

Participants include government representatives, lawyers, technologists, business leaders, and human rights activists. The wide-ranging topic areas include digital security and encryption; cybersecurity policy; privacy and surveillance; AI and algorithmic accountability; biometrics and facial recognition technology; election integrity; data trust and protection; countering online harassment; civic tech and e-governance; Internet shutdowns; and censorship. The conference includes demos and training sessions as well as high-profile speakers.

Its location in Tunisia makes this a tough choice for me. I learned a lot when I attended an earlier conference, but that's an expensive trip from the United States!

Black Hat

Twitter: @blackhatevents

Web: https://www.blackhat.com/

Date: August 3-8, 2019

Location: Las Vegas, NV

Cost: Briefings early registration $2,295, regular $2,495, late $2,795, on-site $2,895. Training passes are sold separately.

Discounts: Early registration, group discounts, and a limited number of student scholarships

Black Hat is DefCon’s corporate older sister, as its price tag would suggest, though there is some overlap. The two-day infosec conference is geared toward security practitioners and executives, as well as vendor company sponsors and academics. It is preceded by four days of technical trainings, which are hands-on courses on subjects such as penetration testing and web exploits. The conference itself features four tracks of briefings, allowing security researchers to share their work. The 2018 presentations included an exploration of the hacking of voting machines; research on hacking self-driving cars from the researchers who famously hacked a Jeep in 2015; and insight into major platform weaknesses from the researchers who discovered the Meltdown and Spectre bugs.

BSides Las Vegas

Twitter: @BSidesLV

Web: https://www.bsideslv.org

Date: August 6-7, 2019

Location: Las Vegas, NV

Cost: Free

Discounts: No discounts for a free event, but since walk-in badges do go quickly, you can secure a spot with a donation of $50 or more.

BSides is a series of volunteer-organized community infosec conferences taking place across the world, from Algiers to Ottawa. I highlight the Las Vegas event because it is part of the Vegas conference trifecta, and because 2019 marks its 10th anniversary. This conference is small, free, and participatory. It is very beginner-friendly and has multiple tracks, including some on nontechnical issues. There’s also a dedicated career track and a mentorship program for first-time speakers.

If your budget is small and travel is challenging, look at the extensive list of locations to see if one is nearby. If you can’t make it in person, several of the sessions are live-streamed and archived under a “Highway to Shell” collection, such as "Your Taxes are Being Leaked."

Def Con

Twitter: @defcon

Web: https://www.defcon.org/

Date: August 8-11

Location: Las Vegas, Nevada

Cost: $280 (cash only)

Discounts: Volunteers

Def Con is the mother of all hacking conferences, and it gets bigger every year. The four-day event is jam-packed with talks, contests, cybersecurity challenges, informal meetups, music events, and parties. The days before the conference make it seem that the entire Internet is broken, as security researchers around the world release their exploit reports to prepare for their Def Con talks.

The main conference is typically spread out over several Las Vegas hotels, with related events in nearby locations. Four tracks of talks often have long lines, but Def Con also has smaller, more intimate fireside chats, too. The conference also features separate villages focused on specific topics, including lock picking, hardware hacking, soldering, vote hacking, car hacking, cryptography and privacy, and much more. Many of the villages, as well as sub-conferences such as QueerCon and ShabbatCon, have talks and events of their own, which are sometimes in a quieter (or at least less crowded) setting. It's loads of fun, whether you to go watch people participate in a contest or you listen to the big-name security analysts describe upcoming trends.

While videos from most Def Con talks are posted online, the social engineering village does not allow recording due to wiretapping laws. There’s also Skytalks, a sub-conference with a strict no-recording policy. And, of course, Def Con draws in elite hackers to compete in Capture the Flag, where teams compete to solve computer security problems modeled on real-world vulnerabilities.

Def Con is big enough that there’s no way to see it all. The best way to approach it is to study the schedule ahead of time and pick a few must-see talks or meetups. Then, make sure to wander the various villages, vendor areas, and various bars in the hotel lobbies, leaving time for long conversations. This conference is at the top of my own list. Grad school is easier to get through, when I think of it, as just killing time between Def Cons.

GrrCon  

Twitter: @GrrCON

Web: http://www.grrcon.com/

Date: October 24-25, 2019

Location: Grand Rapids, MI

Cost: $50 student, $150 regular admission, corporate/VIP $350

Discounts: Student, early bird

GrrCon has fashioned its conference to prevent what it calls “the elitist ‘Diva’ nonsense.” It’s designed to offer a fun, informative event where CISOs, hackers, researchers, and security practitioners can share ideas and solutions with one another. Added bonus: free food and beer.

In addition to three tracks, the conference includes multiple villages, contests, parties, and events (such as Hacker Family Feud). There’s also a talent accelerator program and a special executive summit geared toward senior leadership. A limited number of seats to hands-on workshops are an additional $5 or so each.

Did we miss anything? Send your recommendations for cybersecurity conferences in 2019 to us at @enterprise.nxt. Happy learning!