Episode 4: Navigating the best cybersecurity conferences worldwide | The Job Security Podcast

Introduction

Welcome to The Job Security Podcast, where we explore the people, practices, and technologies shaping the future of cybersecurity. In this episode, we’re tackling a challenge every security professional faces: navigating the overwhelming world of cybersecurity conferences and events.

Our guest, Martín Villalba, is the founder and director of InfoSecMap, a comprehensive open-access platform that catalogs InfoSec events, CTFs, meetups, and community gatherings from around the globe. With over 15 years of industry experience as an application and product security consultant, Martín also runs C13 Security, specializing in secure SDLC, penetration testing, and vulnerability management. He’s an active OWASP volunteer and B-Sides community supporter who recognized a critical gap in how security professionals discover and plan their conference attendance.

In this conversation, Dave Johnson and Martín discuss the origin story of InfoSecMap, the unique culture of the InfoSec community, and practical strategies for identifying the best cybersecurity conference for your specific goals. They explore everything from massive vendor showcases to intimate local meetups, revealing how different events serve different purposes and why staying connected with the community matters more than ever in today’s rapidly evolving threat landscape.

The origin story of InfoSecMap: solving a universal frustration

Every security professional has experienced it—planning an expensive cross-country trip to a major conference, only to discover afterward that a valuable local meetup happened the same week. Or traveling to Europe for business and wanting to connect with the local InfoSec community, but finding the information too scattered across websites, Discord servers, and chat applications to track down efficiently.

Martín Villalba: “I simply got tired of wasting a lot of time searching online, spending a lot of time and finding only a handful of events and still missing a lot. The information is just too scattered all over the place—different websites, some chat applications, Discord servers. It’s impossible to keep up with everything.”

InfoSecMap was born from this frustration in 2020, during the early months of the pandemic. Martín seized the unexpected time at home as an opportunity to build something the community desperately needed. What started as a side project quickly evolved into a serious undertaking requiring a dedicated team of six to seven people—half working full-time—to curate and maintain the vast amount of data flowing through the platform.

The platform’s growth trajectory surprised even its creator. While Martín initially expected rapid adoption, it took nearly two years to reach a few thousand monthly visitors. However, recent months have seen explosive growth, jumping from 10,000 unique monthly visits to over 23,000—a 130% increase driven by organic word-of-mouth, strategic partnerships, and the undeniable value of having all InfoSec event information in one searchable location.

Building credibility through community partnerships and OWASP collaboration

One of InfoSecMap’s key differentiators is its commitment to remaining a community-first project rather than a commercial venture. This philosophy has opened doors to strategic partnerships that enhance both credibility and reach within the InfoSec ecosystem.

The platform’s official partnership with the OWASP Foundation represents a significant milestone. Star Brown from OWASP recognized the value InfoSecMap provides to the security community and established a collaboration that includes cross-promotion through OWASP’s social media channels and newsletters. This partnership didn’t happen by accident—it built on Martín’s nearly decade-long volunteer work with OWASP, including leading the Santa Barbara chapter since 2018 and helping organize OWASP AppSec California conferences.

Martín Villalba: “This partnership gives credibility to the project. It’s different to be on your own than to have the OWASP Foundation backing you up. It’s not only coming from the fact that the foundation recognized the value of the project, but it also goes back to my almost 10 years of volunteering for the OWASP Foundation.”

Beyond OWASP, InfoSecMap has established partnerships with B-Sides Security at both global and local levels, along with numerous individual conference organizers worldwide. These partnerships typically revolve around cross-promotion and mutual support—organizers add InfoSecMap as a community partner on their websites and distribute promotional materials at events, while InfoSecMap provides targeted visibility for conferences struggling with call for papers submissions, sponsor recruitment, or volunteer engagement.

This collaborative approach ensures that all events listed on the platform are manually curated, eliminating spam and vendor pitches that plague other event aggregation sites. The result is a trusted resource where security professionals can find legitimate, community-focused events rather than thinly veiled product promotions.

The power of comprehensive filtering: finding your ideal security event

With potentially 7,000 to 10,000 InfoSec events happening globally each year, discovering the best cybersecurity conference for your specific needs requires more than a simple list. InfoSecMap’s filtering capabilities transform overwhelming options into actionable intelligence.

The platform allows users to filter by dates, regions, topics, event types, and even specific opportunities like open calls for papers, sponsors, or volunteers. This granular approach enables security professionals to answer questions like “What’s happening in my city this weekend?” or “Which upcoming conferences focus specifically on application security and are currently seeking sponsors?”

For marketing teams in cybersecurity companies, the call for sponsors page effectively serves as a directory of grassroots marketing opportunities. Rather than spending hours tracking down events that align with their target audience, marketing professionals can filter for conferences matching their product focus—whether that’s AI and automation in security operations, cloud security, or application security—and immediately see which events are actively seeking sponsorship partnerships.

Martín Villalba: “When you’re looking for open call for sponsors, then you can also apply all the other filters—dates, regions, even all the way down to topics. If a company has an AppSec product, they can filter for call for sponsors specifically from upcoming conferences that have a major focus on AppSec. That’s pretty valuable for a marketing team.”

The platform also tracks CTF (Capture the Flag) competitions, providing aspiring security professionals with hands-on opportunities to demonstrate their skills. For educators, this represents a valuable resource for connecting students with practical learning experiences that go beyond textbook theory.

Past event data adds another dimension of value, allowing organizations to research historical trends, identify recurring regional events, and understand the conference landscape when planning their annual participation strategy.

Manual curation ensuring quality over quantity in event listings

In an era where AI and automation dominate technology discussions, InfoSecMap’s commitment to manual curation might seem counterintuitive. However, this human-centered approach has proven essential to maintaining the platform’s accuracy, relevance, and trustworthiness.

Every event added to InfoSecMap undergoes manual review to ensure it meets community standards. This process filters out spam, vendor pitches disguised as community events, and non-InfoSec content that dilutes the value for security professionals. Other platforms have attempted automated approaches, often resulting in listings for crypto conferences, blockchain events, and whatever trending technology happens to be popular at the moment—none of which serve the InfoSec community’s specific needs.

Martín Villalba: “It is that manual work that has helped us achieve this level of accuracy in the information. We update the listings as a daily task, so we don’t end up with any spam. We don’t publish any vendor pitches. We don’t have any non-InfoSec events like other websites have done in the past, just adding whatever was trendy at the time.”

The team is currently exploring AI and automation to scale their operations more efficiently, particularly for routine tasks like event tagging and initial data gathering. However, automation represents an enhancement to human curation rather than a replacement. Early experiments with AI have produced mixed results, reinforcing the value of human judgment in determining what qualifies as a legitimate, community-focused InfoSec event.

InfoSecMap expects to add more than 5,000 listings by the end of 2025, primarily consisting of new events while maintaining existing groups and communities. This growth trajectory requires balancing automation efficiencies with the quality standards that have made the platform a trusted resource.

The unique culture of the InfoSec community and why conferences matter

Behind the metrics, partnerships, and filtering capabilities lies a deeper truth about why conferences matter so profoundly to cybersecurity professionals. The InfoSec community possesses distinctive characteristics that make in-person gatherings particularly valuable for career development and professional fulfillment.

Martín’s first major conference experience—OWASP Global AppSec USA in New York in 2013—left an indelible impression not because of specific talks or technical content, but because of the community itself. The welcoming atmosphere, generous knowledge sharing, and willingness of experienced professionals to help newcomers without expecting anything in return created a sense of belonging that kept him engaged with InfoSec for over a decade.

Martín Villalba: “The InfoSec community is very special in regards to certain aspects. It’s very welcoming. There’s a ton of knowledge sharing. There are a lot of people willing to give you a hand, not expecting anything in return. From what I hear, that’s pretty particular about the InfoSec community that you don’t find very often in many other communities or industries.”

This community-first culture explains why even massive events like DEF CON and Black Hat maintain grassroots elements alongside vendor exhibitions. It’s why B-Sides conferences—typically smaller, more intimate gatherings organized by local volunteers—hold special appeal for many security professionals seeking substantive conversations over polished presentations.

For organizations building security operations capabilities, understanding this community dynamic matters. The best security talent often emerges from these collaborative environments where knowledge sharing supersedes competitive secrecy. Companies that support employee conference attendance and community participation tend to build stronger, more innovative security teams.

The platform intentionally lists events of all sizes, from five friends meeting biweekly to tackle Hack The Box challenges to conferences drawing thousands of attendees. Smaller events often benefit most from InfoSecMap’s visibility, as they lack the marketing budgets of major conferences but offer equally valuable networking and learning opportunities.

Strategic conference selection: matching events to professional goals

Not all conferences serve the same purpose, and identifying the best cybersecurity conference depends entirely on what you’re trying to achieve. A senior security architect seeking cutting-edge research will have different needs than an early-career analyst building foundational skills or a CISO evaluating vendor solutions.

Large vendor-focused conferences like RSA Conference excel at providing broad overviews of industry trends, facilitating vendor evaluations, and offering networking opportunities with peers facing similar organizational challenges. These events suit security leaders researching solutions for specific problems or seeking to understand how emerging technologies might impact their security programs.

Technical deep-dive conferences like Black Hat and DEF CON cater to practitioners seeking hands-on learning, exploit demonstrations, and research presentations at the cutting edge of security. These events attract researchers, penetration testers, and technical specialists who want to understand attack techniques and defense mechanisms at a granular level.

Regional and local B-Sides conferences offer intimate environments for building authentic relationships, presenting research without the pressure of major conference acceptance, and connecting with the local security community. These events often feature more experimental talks and encourage first-time speakers, making them ideal for professionals developing their public speaking skills.

Specialized conferences focusing on specific domains—application security (OWASP events), cloud security, industrial control systems, privacy, or incident response—provide targeted learning for professionals working in those areas. The focused content and attendee base facilitate more substantive conversations than general security conferences.

For professionals using InfoSecMap to plan their conference calendar, Martín suggests thinking strategically about objectives. Are you seeking technical skills development? Vendor research? Career networking? Speaking opportunities? Each goal points toward different types of events, and InfoSecMap’s filtering capabilities help identify the right matches.

Maximizing conference value through preparation and engagement

Attending a conference represents a significant investment of time and money, whether you’re paying out of pocket or your organization is sponsoring your attendance. Getting maximum value requires more than showing up and collecting vendor swag.

Martín’s approach emphasizes active participation over passive attendance. He’s not only attended numerous conferences but also volunteered extensively with OWASP, helped organize major events, and now promotes InfoSecMap at conferences through presentations and partnerships. This level of engagement has built a professional network that extends globally and opened opportunities that wouldn’t exist through passive attendance.

For professionals newer to the conference circuit, Martín’s journey offers a roadmap. Start by attending events in your area to understand the format and culture. Consider volunteering, which provides behind-the-scenes access and deeper connections with organizers and speakers. When you’ve developed expertise in a specific area, submit talk proposals to share your knowledge—many smaller conferences actively seek new speakers and provide supportive environments for first-time presenters.

The InfoSecMap platform itself aids preparation by allowing you to research events in advance. Read about past iterations, understand the typical attendee profile, and identify specific talks or speakers you want to see. Many conferences publish their call for papers topics months in advance, giving you a preview of the content themes.

Beyond the formal conference programming, hallway conversations and social events often provide the most valuable connections and insights. Martín met Dave at B-Sides Las Vegas not during a presentation but through a casual interaction about InfoSecMap stickers. These serendipitous moments happen when you’re open to engagement rather than rushing between scheduled sessions.

The future of InfoSecMap: podcasts, sustainability, and community expansion

InfoSecMap’s roadmap reflects both pragmatic sustainability concerns and ambitious expansion plans. Having grown beyond the proof-of-concept stage, the platform now faces the challenge of ensuring long-term viability while staying true to its community-first mission.

Immediate priorities include eliminating single points of failure. Currently, if Martín or certain key team members were unavailable, the project would cease functioning—an unsustainable situation for a platform serving tens of thousands of users monthly. The solution involves duplicating critical roles and documenting processes so the platform can continue regardless of individual availability.

Financial sustainability represents another crucial consideration. Martín has personally covered operational costs since inception, but long-term success requires the platform to become self-sustaining without compromising its free access for the community. The approach involves offering paid services to companies wanting to highlight their community-focused events, while keeping all basic functionality free for individuals and organizers.

Martín Villalba: “I do want to make it self-sustainable. I intend to try to get this money from the companies and not the community. The site is free and open for everyone, and even listing your own event—it doesn’t matter if you have a huge budget, it’s still free for you.”

On the feature development side, InfoSecMap is launching an InfoSec podcast directory—appropriately announced for the first time on this podcast. The new section will track security-focused podcasts with filtering options by platform (audio versus video), topics, and other criteria. Given that many conference-organizing groups also run podcasts, this expansion feels like a natural evolution of the platform’s mission.

Additional features are in development but remain under wraps until closer to launch. Martín’s cautious approach to announcements reflects hard-won lessons about managing expectations and ensuring quality before public release.

The ultimate goal remains straightforward: every InfoSec professional should know about InfoSecMap and use it regularly. With thousands of conferences happening annually and organic growth accelerating, that vision seems increasingly achievable.

Frequently asked questions about finding the best cybersecurity conferences

What is the best cybersecurity conference for someone new to the industry?

For newcomers to InfoSec, B-Sides conferences represent an ideal starting point. These community-driven events are welcoming, typically more affordable than major conferences, and focus on substantive content rather than vendor pitches. They provide excellent networking opportunities with local security professionals who are genuinely interested in helping newcomers learn and grow. Additionally, many B-Sides events actively seek first-time speakers, making them great venues for developing presentation skills.

How many cybersecurity conferences happen worldwide each year?

Based on InfoSecMap’s data covering well-documented regions like the Americas and Western Europe, there are likely 7,000 to 10,000 InfoSec events globally each year. InfoSecMap itself tracks over 5,000 events annually and continues expanding coverage into regions where information has historically been harder to find. This number includes everything from major conferences drawing thousands of attendees to local monthly meetups with dozens of participants.

What’s the difference between technical conferences and vendor-focused security events?

Technical conferences like Black Hat and DEF CON emphasize hands-on learning, exploit demonstrations, cutting-edge research, and practitioner-level content for security professionals seeking to understand attack techniques and defense mechanisms. Vendor-focused events like RSA Conference prioritize product showcases, industry trend discussions, and networking opportunities for security leaders evaluating solutions. Both serve important purposes depending on your professional goals—practitioners typically prefer technical conferences while decision-makers often find vendor events more useful for solution research.

How can organizations find cybersecurity conferences seeking sponsors?

InfoSecMap’s call for sponsors filter provides a comprehensive directory of conferences actively seeking sponsorship partnerships. Organizations can combine this filter with topic-specific filters to identify events matching their product focus or target audience. This approach saves marketing teams significant time compared to manual research and helps identify grassroots sponsorship opportunities that might otherwise remain hidden. Many smaller conferences offer excellent sponsorship value despite lacking the visibility of major industry events.

Why is attending cybersecurity conferences important for career development?

The InfoSec community’s culture of knowledge sharing, mentorship, and collaboration makes conferences uniquely valuable for professional growth. Beyond technical learning from presentations and workshops, conferences provide networking opportunities with peers facing similar challenges, exposure to emerging technologies and threats, and chances to establish professional relationships that can span entire careers. Many security professionals credit conference connections with job opportunities, mentorship relationships, and collaborations that significantly advanced their careers.

How do I choose which cybersecurity conference to attend?

Start by clarifying your objectives—are you seeking technical skills, vendor research, networking, speaking opportunities, or exposure to specific domains like application security or cloud security? Use tools like InfoSecMap to filter events by topic, location, and date, then research past iterations to understand the typical content and attendee profile. Consider starting with local or regional events before investing in expensive travel to major conferences. Many professionals find value in mixing large industry events with smaller community-focused gatherings throughout the year.

This transcript has been edited for clarity and readability.

For more cybersecurity insights and industry perspectives, subscribe to The Job Security Podcast on Apple Podcasts, Spotify, or your app of choice. Visit expel.com/blog for the latest in security news, tips, and threat intelligence, or explore how Expel’s managed detection and response services can strengthen your organization’s security posture.