Supply chains have become the largest attack surface in cybersecurity — yet many organisations still rely on static, compliance-driven third-party risk management approaches that fail to reflect how modern ecosystems actually operate.

This session explores the shift towards Active Supply Chain Security (ASCS) — a continuous, network-driven model designed to deliver real-time visibility, proactive risk response, and collective defence across interconnected supplier ecosystems. Learn how organisations are moving from fragmented, point-in-time assessments to a collaborative approach that uncovers systemic risk, reduces supplier fatigue, and strengthens resilience across every link in the chain.

Key takeaways from the session:

• Why traditional TPRM no longer works: Static, compliance-driven approaches fail to address the complexity, speed, and interconnected nature of modern supply chains — leaving organisations exposed to systemic and nth-party risks.
• What Active Supply Chain Security looks like in practice: A shift towards continuous visibility, network-driven insight, and collaborative defence that enables organisations to detect emerging threats and respond proactively.
• How organisations can strengthen resilience across the ecosystem: Standardisation at scale, shared supplier intelligence, and collective action reduce supplier fatigue while giving CISOs and security teams a clearer, real-time view of risk across every link in the chain.

Security awareness often ends up as a poster on the wall or a piece of mandatory training that people forget. It is frustrating when you put in the effort and the behaviour you hoped to influence doesn’t shift. Many teams feel stuck at this point, unsure how to make their programme truly matter.

TBA

TBA

TBA

TBA

TBA

TBA

A brief overview of the key changes to Cyber Essentials scheme from April 2026, including the introduction of mandatory Multi-Factor Authentication (MFA) and a 14-day patching rule. The talk will also cover clearer scoping rules, and stricter processes for CE Plus assessments, ensuring greater consistency and accuracy in compliance.

While cyber security awareness is now important for almost everyone, it is often presented in a manner that struggles to engage a wider audience, with an uphill battle to promote a topic that they don’t necessarily want to know about in the first place. One means of addressing this is through gamifying the experience. However, while various cyber security games have been created, they sometimes require an investment of time that many people don’t have and/or need prior cyber knowledge to play or facilitate them.  What may be preferable are short-form activities that can provide a foundation for later discussion. This session describes and demonstrates interactive activities that have been designed to provide such a provocation of interest, helping to make initial cyber engagement and awareness more fun. These include the fairground-style Hacker Whacker and the adversarial game of Cyber Defence Dice. The session will explain and demonstrate the games … and may even let you play them.

The threat landscape has evolved, and backup alone is no longer enough. Today’s cyberattacks are faster, more targeted, and costlier than ever. Organisations need to move beyond reactive strategies and embrace a full-circle approach to security: Detection, Protection, and Recovery, all unified in one platform.
 
The value of cyber resilience is no longer just about data recovery, it’s about business continuity and risk mitigation in real-time.

The question is whether it’s still changing behaviour, or just generating better metrics.

In this session, Neil Frost, CEO of Bob’s Business, shares hard-earned lessons from two decades at the frontline of security awareness. Not tools. Not theory. Patterns.
Neil will explore why mature programmes often plateau, how box-ticking quietly replaces judgement, and what genuinely high-performing security cultures do differently once the basics are “done”.

This is a candid session for security teams who already know awareness matters and want it to actually hold up over 20 years.

In Gray zone Warfare: From IT Systems to OT Effects, Ian Thornton‑Trump CD examines how modern cyber conflict operates in the space “between peace and war,” where adversaries pursue strategic advantage without crossing traditional thresholds of armed conflict. Using his established insights into hybrid warfare and cyber‑physical risk, Thornton‑Trump reveals how attacks that begin in enterprise IT environments increasingly cascade into operational technology (OT), critical infrastructure, and industrial control systems. This session presents cyber incidents as components of intentional Gray Zone campaigns that blend espionage, disruption, economic coercion, and psychological pressure. Thornton‑Trump demonstrates how weaknesses in identity systems, supply chains, governance, and security visibility are exploited to bridge IT and OT, turning digital access into real‑world consequences—including safety risks, service disruption, and national‑level instability. Ultimately, this presentation challenges leaders and security professionals to view cyber defence as a matter of operational safety and geopolitical reality—recognizing and countering Gray Zone activity before IT compromise becomes irreversible OT impact.

Before you invest further, ensure you’re extracting the full potential from what you already have.

In this session, Tom Morgan, co-founder of Morgan Cyber Solutions, guides IT leaders through the critical layers of the networking stack. He will explain, in clear, non-technical terms, how correct configuration genuinely protects and empowers business. This is not a technical deep-dive; it is a leadership checklist designed to help you challenge assumptions, unlock return on existing investments, and reduce risk.

You will leave empowered to:

• Recognise the overlooked fundamentals that most commonly lead to security breaches, outages and wasted investment.
• Ask the right questions and set clear expectations so your teams deliver secure and reliable infrastructure with a measurable ROI.
• An understanding of the S.U.R.E methodology and how it is used during project planning, execution and operations.

Recent developments in cyber security policy, including new Codes of Practice, updated frameworks and the Cyber Security and Resilience Bill, reflect a growing emphasis on resilience, governance and risk management. As regulatory expectations continue to evolve, what are the implications for the sector? This panel will explore the practical and strategic impacts of recent policy developments and consider how organisations can position themselves to respond effectively to the future direction of cyber policy.

In this session, we'll discuss the security implications of browser use and how Kasm Workspaces can make those issues a thing of the past.

This session looks at how changes in cyber law, the use of AI, emerging quantum technologies, and growing demands around digital sovereignty are starting to impact UK organisations in day-to-day decision-making. Drawing on experience working directly with boards, it highlights where senior leaders are increasingly accountable, where existing governance arrangements are under strain, and why these issues now sit firmly outside the IT function. The aim is to create an informed and practical discussion about what needs attention now to safeguard data, protect organisational credibility, and remain resilient in an increasingly complex operating environment.

A talk about physical tools on unattended networks, which will lead to analogic access that escalates directly to the cloud.

When a cyber breach hits, the difference between control and chaos is measured in seconds.

Drawing on frontline investigative experience and surviving the 2004 Asian tsunami, this talk reveals how the same crisis behaviours that determined survival in the Indian Ocean determine outcomes when your business is on the line.

Modern application security programmes still rely heavily on reactive scanning, manual triage, and late-stage validation. While “shift left” has become widely adopted in principle, most tooling still operates as pattern-matching engines rather than contextual security testers. This talk explores how agentic AI changes that model. Instead of signature-driven scanning, autonomous agents can reason about application behaviour, model intent, adapt to responses, and pursue exploit paths in a goal-driven manner. This enables continuous offensive validation earlier in the SDLC, reducing feedback loops and surfacing real, reproducible risk rather than theoretical findings.

Attendees will learn:
•    Why traditional DAST and SAST approaches struggle to truly shift left
•    What “agentic” testing means in practical AppSec terms
•    How autonomous reasoning differs from payload spraying and rule matching
•    Where AI excels in early lifecycle testing
•    Where human testers remain essential
•    How to safely operationalise AI-driven testing in CI/CD pipelines
•    Governance considerations when deploying autonomous offensive systems

The session will include real-world testing examples, detection comparisons, and a practical framework for integrating agentic AI into modern AppSec workflows without increasing noise or operational risk.

AI is transforming the way we work, defend, attack, and innovate - but without the right guardrails, it can just as easily become our biggest liability. Join me for a fast‑paced, myth‑busting session that cuts through the hype and exposes the real security risks hidden behind the AI revolution. We’ll explore why good governance isn’t a blocker but the secret sauce for safe, scalable AI adoption. Whether you’re a techie, a business leader, or an academic, you’ll walk away with fresh insights, practical takeaways, and a few laughs - plus a sharper view of how to stay ahead in the age of intelligent machines.

- Mainframe history, prevalence, and status as critical national infrastructure silently powering the UK economy
- High-level overview of the mainframe attack surface
- Insight into common risks and impacts discovered as part of mainframe testing
- Suggestions for risk reduction via enhanced, comprehensive mainframe assessment regimens

Compliance shouldn’t feel like speed‑dating for security standards, yet most organisations are juggling ISO 27001, Cyber Essentials, NIST, SOC 2, PCI, and whatever new acronym appeared last Tuesday.

The result?

Confusion, duplicated effort, and a security team quietly questioning their life choices.

In this talk, we cut through the chaos. I’ll show you how all these standards overlap far more than they admit, how to stop treating them like Pokémon you have to collect, and how choosing one well‑designed framework can simplify everything.

You’ll leave with a clear, practical method for mapping requirements, reducing workload, and building a security baseline that actually works, without needing a second coffee just to read the guidance.

Jake lifts the lid on the darker side of artificial intelligence, taking you deep into the criminal underworld powered by today’s most advanced technology. In the name of research, he used AI driven face-swapping tools to pass a live video job online interview under a completely false identity.

Not once, but repeatedly. Through these real-world experiments, Jake reveals how powerful AI tools are already being weaponised by criminals to infiltrate organisations from the inside, bypassing traditional security and exploiting human trust. But it doesn’t stop there. With the same tools now widely available, Jake demonstrates how AI can clone voices, generate convincing documents and create fake identities in seconds, giving cybercriminals everything they need to scale deception like never before. Nothing is real anymore.

The question is, would you spot it?

Traditional cyber security tools cannot keep up with today’s threats. We will explore why layered products fail – and how a unified platform, built on zero trust, least privilege and AI-powered automation, redefines modern defence. Learn how seamless access control, real-time threat response and machine-level protection come together to secure every user, device and session.

As cyber threats evolve at unprecedented speed, the greatest vulnerability - and the greatest opportunity - remains the human layer. This panel brings together leaders in security, workforce development and organisational culture to explore how the industry can overcome the persistent talent gap and build a resilient, future-ready workforce. 

The discussion will examine the full talent pipeline: from inspiring early-career entrants and upskilling mid-career professionals to retaining experienced specialists in an increasingly competitive marketplace. Panellists will address the barriers preventing new talent from entering the sector, the skills most needed for tomorrow’s threat landscape, and the practical steps organisations can take to embed continuous learning.

Crucially, the session will shine a spotlight on culture - how businesses can foster environments that encourage curiosity, psychological safety and shared responsibility for security. With human behaviour often the deciding factor in breach prevention, the panel will explore why culture is not just a “nice to have”, but a foundational pillar of effective cyber resilience.

The pace of change is rapid, breaches can go from one user to a business wide security risk in a matter of moments. This session challenges leaders to rethink how leaders today must evolve their incident response strategies to keep up with the pace of modern threats, and the role of proactive penetration testing plays in exposing hidden attack paths, including how AI is redefining the way bad actors move through organisations.

Supply chain pragmatic security: why the common sense approach is lacking and how to make changes to improve both sides of the equation.

Explore how the adoption of artificial intelligence is reshaping DevSecOps practices across the software development lifecycle. From automated code analysis and vulnerability detection to intelligent threat modelling and real-time incident response, AI is changing how security is embedded into development and operations. A look at how AI-driven tools can accelerate deployment, reduce human error, and improve security outcomes, as well as the new challenges they introduce around governance, trust, skills, and accountability.

Small businesses are buying security tools at an astonishing rate- EDR, SIEM, MDM, email filters, threat intel feeds, and anything else a vendor can demo in under 20 minutes.

But more tools don’t automatically mean more security. In fact, over‑tooling often creates the opposite: desensitisation, budget drain, no integration, analysis paralysis, and a false sense of safety.

This talk explores why so many organisations end up with a sprawling toolset that nobody has the time, skills, or processes to manage, and how to break that cycle. We’ll look at the common pitfalls, how to invest smartly, and how to ensure every tool you buy actually delivers value. Most importantly, we’ll explore a practical alternative: understanding your risks, assets, and requirements first, so you only buy tools that genuinely solve a problem.

Honest, practical, and free of sales buzz words, this session will help you get more security from fewer tools.

In a sector as competitive as cyber, technical expertise alone isn’t enough. Leaders need to communicate with clarity, build trust quickly, and stand out in a crowded marketplace. Yota’s talk shows cyber professionals how to leverage personal branding as a strategic business tool, one that drives visibility, strengthens client relationships, and opens doors to new opportunities.

Arup experienced a deepfake social engineering attack in 2023 which lead to the loss of 25 million GBP. In this session, learn about the incident at a high level and how it occurred. You can also learn about the key steps of the attack and how Arup responded, as well as an outline of what was learned and how others can learn from the mistakes made.