fwd:cloudsec Europe 2025
Call for Participation (CFP)
fwd:cloudsec Europe 2025
After a successful first foray into Europe in 2024, fwd:cloudsec is back! This year, we’ll be in Berlin, for a two-day cloud security extravaganza. As before, this will be an independent, practitioner-focused event covering the realities on the ground. We want to hear the results of novel research, new challenges and opportunities, new angles on unsolved problems, and experience gained the hard way trying to wrangle the sharp edges of cloud security.
Content relevant to this event includes security-focused content on both public cloud infrastructure providers, such as AWS, Azure, Google Cloud, and cloud native technologies such as Kubernetes. AI-related content will be considered where there is a clear tie-in to our core theme of cloud security, but this is not the event for pure AI/LLM security content.
Topics and Themes
This year for fwd:cloudsec Europe, we’re running three core themes:
- Tales from the trenches
- Whispers from the wild
- Fables from the frontier
In addition to the core themes, we’re also interested in European-focused cloud security topics. This could include things like the effect EU-specific regulations are having on cloud security in the European technology sphere, or the challenges of managing the varying adoption rates and maturity levels across the nations of Europe. Please submit any such content into whichever of the tracks listed below you think is most appropriate.
Tales from the Trenches
The cloud providers and the software stacks offer a wide variety of tools and controls for organizations to use to ensure the security of their cloud workloads. These are often far from straightforward in practice, and even where they are, wrangling them at scale in a large, complex organization brings all kinds of challenges. That’s before we introduce the complexities of defending a large cloud estate against modern, sophisticated attackers.
While much of this has been discussed at length in the Well Architected Frameworks and various other standards, in this track we’re interested in lessons learned engineering and securing complex workloads and organisations out in the real world. In this category, we’re interested in:
- Real-world experiences and hard-learned lessons of architecting and engineering securely in fast-moving cloud environments
- Novel, engineering-focused and business-enabling approaches to governance and risk management for organizations moving at speed in the cloud
- Practical advice from real-world experience on defining and implementing Identity and Access Management, just-in-time administrative access, non-human identities and other identity-related topics
- Lessons from the trenches on security monitoring, threat hunting and attack detection & response on cloud-native workloads
- The sharp edges and problems encountered while implementing cloud security strategies and controls inside large, complex organisations.
- This could be technical challenges, or organisational and regulatory challenges.
- Content related to EU-specific regulatory challenges such as DORA, NIS2, the AI Act, GDPR etc is particularly welcome
Whispers from the Wild
Keeping up with threat actors, TTPs and attack techniques seen out in the wild is always a challenge in the fast-moving world of cloud security, and this track is where we take the opportunity to educate the audience on the up-to-the minute latest threats and risks. Here, we’re specifically looking for content on threats and attacks seen in the wild, being exploited by real world threat actors, and vulnerabilities discovered in cloud providers’ production infrastructure.
Topics of interest here include:
- Up-to-date threat intelligence focused on cloud and cloud-native workloads, or approaches to gathering, working with/using and sharing such threat intelligence
- Case studies on incident response in the cloud, and new techniques and novel approaches
- Vulnerability research into cloud and cloud-native systems
- Cloud security control bypasses and “insecure-by-default” discoveries
Novel TTPs developed for penetration testing, red teaming and similar to, but not derived from, activity seen in the wild belong in Fables from the Frontier.
Fables from the Frontier
Members of the fwd:cloudsec community are always pushing the boundaries of the cloud security world in new and interesting ways, and this is the track where such content belongs. If you’ve been investigating ways an attacker might use and abuse cloud systems to effect an attack against an organization that haven’t been seen in the wild yet, discovered strange or unexpected behaviour in cloud services, or if you’ve taken a deep dive into a very specific niche in the cloud security world, this is where such content belongs! Some examples include:
- Cloud and cloud-native logging and monitoring failures, bypasses and detection avoidance techniques
- Cloud attack surface mapping and reconnaissance, identifying and exploiting publicly exposed resources in novel ways and so on
- Penetration testing and red teaming approaches, lessons learned and war stories focused on modern, fast-moving cloud and cloud-native estates
- Advanced talks on specific weird, wonderful and interesting topics within cloud security that don’t seem to fit anywhere else
- Novel use of AI and ML to enable better cloud security
- Security of emerging application architectures such as confidential compute, edge computing, training and inference engines etc
… And the Rest
If you’ve got interesting cloud security content that you’re not sure where it belongs, don’t worry - put it in anyway, and pick whichever track tickles your fancy. The review board will consider it on its merits just as any other submission.
Birds of a Feather
This year, we’ll be running the usual Chatham House Rule Birds of a Feather discussion sessions at the end of each day of the conference. Attendees will be able to suggest topics during the morning, and then vote for their preferences during the afternoon. The winning 4 BoF topic suggestions will be selected, and the suggestors will facilitate the sessions with the help of members of the organising committee.
Given the above, we’re not soliciting topics for BoF sessions at this time. Please bring the ideas with you to the event, and put them forward on the day!
Who Should Submit
As a conference specifically focused on the independent cloud practitioner community, we’re particularly interested in presentations that don’t fit neatly into the main tracks of other cloud conferences.
We’re looking for talks from any practitioner who is responsible for securing a cloud service or service provider. The definition of “practitioner” here is deliberately vague - and definitely encompasses more than just “engineer” or “security consultant”. If you’re involved in cloud security, at any level from deep in the technical trenches up to cloud security grand strategy, we’re interested in what you have to say. The program committee specifically encourages novice speakers, or those who’ve never spoken at a significant conference before, to submit; some of our most memorable hallway conversations come from bringing together speakers of different backgrounds and experience levels. As a result, we reserve time during reviews to provide feedback, and to develop and highlight the work of others.
Conference Format
Most talks are expected to be 20-minute talks on a single topic. It has been our experience that 20 minutes is enough time to deliver a focused talk to other experienced practitioners on most topics. There are a very limited number of 40-minute slots available for more in-depth discussions. If you’d like to propose a 40-minute talk, please be sure to include a clear justification of what would merit the additional time.
We keep fwd:cloudsec small and approachable to encourage attendees to interact in real-time. We’re looking for talks that inspire others to ask questions and build together. We expect that presenters will attend the conference to deliver their content in-person. As with fwd:cloudsec North America, we will be live-streaming the sessions and hosts will be soliciting questions from the in-person audience, Cloud Security Forum Slack and social media in real-time.
What Not to Submit
All experience levels are welcome, but fwd:cloudsec attendees will typically have hands-on experience with cloud engineering and security. Introductory-level talks on broadly-deployed technologies, vendor presentations, or purely theoretical architecture talks will not be accepted and may not even be referred to the whole review board for review.
Content that is not focused on the security of public cloud or cloud native workloads will also not be accepted. This includes general content on the use and operation of the various cloud providers or kubernetes, or security content focused on other topics, such as web application or API security.
As a smaller conference, we’re particularly looking for talks that spark discussion, challenges and hallway exchanges — not just lectures expected to be taken as gospel.
We will not accept sales pitches for products or services, or talks that seem to us as though they may be thinly-veiled sales pitches. If you’re employed by an organisation that focuses on the topic you’d like to speak about, it’s important that you explain in your submission how the content you’re presenting is independent of your products or services. In addition, both speakers and reviewers are expected to disclose conflicts of interest. If research was paid for by a particular vendor, that’s not disqualifying (and is in fact common amongst our speakers), but the chairs would like to know to ensure we can remain impartial and independent.
We want you to be selective in what you submit, so we are putting a few restrictions in place:
- Any author may only submit up to two talks. If you submit more than two talks, all of them will be rejected. Where multiple authors are speaking together, an author may be listed on only two talks or all of their talks may be rejected. If you want community feedback on half-formed ideas before submitting: many prior year attendees, speakers and review team members are still active in the #fwdcloudsec channel in the Cloud Security Forum slack.
- Talks must be submitted by the author / speaker, and not by PR agencies or marketing teams on the speaker’s behalf. Any session submitted by someone other than the presenter will be rejected.
Diverse and First-Time Speakers
We especially encourage first-time speakers and those who are part of under-represented minorities in the security industry (by gender, race, background or other circumstance) to present at fwd:cloudsec. First pass reviews by our committee members are performed blind (without author information attached), though as we approach final selections we strive to build a balanced program and are proud to have a review committee comprised of many different backgrounds.
If you’re new to the industry and/or a novice speaker, and have never spoken at a major conference before, we’re especially interested in hearing from you and want to help you find the best fit talks. If you submit by the 30th of May, we’ll share review committee feedback in depth and provide you a point of contact on the review committee who can offer suggestions to improve your talk for the fwd:cloudsec audience. Please do not select this box if you’re an industry veteran with years of experience - we appreciate that everyone would like feedback on their submissions, and we’d love to provide it, but the review board is time limited and we’d like to focus our feedback efforts where it’s most needed.
While all talks are to be presented in English, we are aware that not everyone is a native speaker. The review board will do their best to take that into consideration when we assess submissions.
Submission Tips and Advice
Infosec conference submissions can be a bit of a black art, and it’s not always obvious from the outset how to put a winning submission together. Nick Jones posted I Reviewed 180 fwd:cloudsec Submissions, These Are My Key Takeaways based on his experiences reviewing for the US event in 2024, which covers many of the positive themes and common mistakes across the submissions seen. There’s also a set of further links to submission guidance from other CfP review board members from other conferences, which may be of interest.
Disclosure Policy
We support responsible disclosure. As an independent conference, that does not mean giving vendors a veto over all possible presentation topics. Submitters should inform vendors of any discovered vulnerability as early as possible to give them a chance to patch the issue, and we won’t accept any talks that have not made good-faith efforts to work through their vulnerability disclosure processes.
Beyond that - we admire the work Project Zero has done here: 90 days from notification is generally a reasonable time to patch an issue, plus 30 days to coordinate disclosure. After that time has elapsed, it may be more important to let the public know than to continue to keep the issue under wraps. If you still have disagreements as to whether a vulnerability should be presented, reach out to Nick Jones or Christophe Tafani-Dereeper in the Cloud Security Forum Slack workspace, and let’s talk through options.
Our AI Policy
We commit to reading every submission fully and personally, and we will not be selecting talks based on an AI generated summary or ranking. We highly recommend taking a similar approach when writing your proposal. We appreciate that AI is a useful tool to support composing submissions, especially when English is not your native language, but you should ensure that you present your unique view, voice and insights in both the talk proposal and presentation.
Timeline
- May 5th - Call for Participants opens
- May 30th - ROUND ONE SUBMISSIONS CLOSE at 23:59 Central European Summer Time (GMT+2)
- June 20th - First time speakers who requested feedback and meet the submission criteria will receive feedback on how to improve during the second round.
- July 11th - FINAL ROUND SUBMISSIONS CLOSE at 23:59 Central European Summer Time (GMT+2)
- July 25th - Final acceptance, alternate and rejections are sent out
- August 1st - Speakers must confirm attendance and hotel benefits (if applicable) by this date
- August 4th - Schedule published to https://fwdcloudsec.org/
- September 15th-16th - fwd:cloudsec held in Berlin, Germany and virtually
How to submit
Most talks are expected to be 20-minute lightning talks on a single topic. There are a limited number of 40-minute slots available, so when proposing a 40-minute talk, please be sure to include an agenda that explains how you will use the additional time. We may (and probably will) ask you to shorten your talk before it can be accepted.
Submissions must include:
- Speaker name(s) and contact information
- Presentation title
- Preferred talk length — 20-minute or 40-minute
- Abstract (will be shown on the schedule); please do not include identifying information in your abstract. Your abstract should focus on your content, not your bio, to support blind reviews
- Speaker bio(s), limited to 100 words; this will be shown on the schedule but not used during selection.
- A detailed description of the talk: explain what you are presenting, and how you intend to cover the topic. Do you intend to include a demo or release code? Here is a good place to include that information. In particular your detailed description should answer:
- What is already known about this topic?
- What is added by this talk?
- What are the implications for Cloudsec practitioners?
- How can the audience benefit from watching your talk live? Will there be Q&A, live demos, or cans of Milo for great questions?
- Other venues this talk has been presented or submitted. If the talk was given previously, what new information will be presented?
- Any special presentation facilities that may be required (aside from power, projector, sound and Internet connectivity)
- Any concerns with having your talk recorded for future open access
- If your topic relates to a tool or code you’ve written, is that tool or code open-source, or will it be made open-source by the end of the conference?
Remember: The detailed description is for the review committee only. The more detail you include, the better the committee can judge your submission. An abstract is fine to tease the audience, but the detailed description needs to include the punchline.
Submit your proposal
Proposals can be submitted via PreTalx.