fwd:cloudsec Europe 2025

Call for Participation (CFP)

fwd:cloudsec Europe 2025

After a successful first foray into Europe in 2024, fwd:cloudsec is back! This year, we’ll be in Berlin, for a two-day cloud security extravaganza. As before, this will be an independent, practitioner-focused event covering the realities on the ground. We want to hear the results of novel research, new challenges and opportunities, new angles on unsolved problems, and experience gained the hard way trying to wrangle the sharp edges of cloud security.

Content relevant to this event includes security-focused content on both public cloud infrastructure providers, such as AWS, Azure, Google Cloud, and cloud native technologies such as Kubernetes. AI-related content will be considered where there is a clear tie-in to our core theme of cloud security, but this is not the event for pure AI/LLM security content.

Topics and Themes

This year for fwd:cloudsec Europe, we’re running three core themes:

In addition to the core themes, we’re also interested in European-focused cloud security topics. This could include things like the effect EU-specific regulations are having on cloud security in the European technology sphere, or the challenges of managing the varying adoption rates and maturity levels across the nations of Europe. Please submit any such content into whichever of the tracks listed below you think is most appropriate.

Tales from the Trenches

The cloud providers and the software stacks offer a wide variety of tools and controls for organizations to use to ensure the security of their cloud workloads. These are often far from straightforward in practice, and even where they are, wrangling them at scale in a large, complex organization brings all kinds of challenges. That’s before we introduce the complexities of defending a large cloud estate against modern, sophisticated attackers.

While much of this has been discussed at length in the Well Architected Frameworks and various other standards, in this track we’re interested in lessons learned engineering and securing complex workloads and organisations out in the real world. In this category, we’re interested in:

Whispers from the Wild

Keeping up with threat actors, TTPs and attack techniques seen out in the wild is always a challenge in the fast-moving world of cloud security, and this track is where we take the opportunity to educate the audience on the up-to-the minute latest threats and risks. Here, we’re specifically looking for content on threats and attacks seen in the wild, being exploited by real world threat actors, and vulnerabilities discovered in cloud providers’ production infrastructure.

Topics of interest here include:

Novel TTPs developed for penetration testing, red teaming and similar to, but not derived from, activity seen in the wild belong in Fables from the Frontier.

Fables from the Frontier

Members of the fwd:cloudsec community are always pushing the boundaries of the cloud security world in new and interesting ways, and this is the track where such content belongs. If you’ve been investigating ways an attacker might use and abuse cloud systems to effect an attack against an organization that haven’t been seen in the wild yet, discovered strange or unexpected behaviour in cloud services, or if you’ve taken a deep dive into a very specific niche in the cloud security world, this is where such content belongs! Some examples include:

… And the Rest

If you’ve got interesting cloud security content that you’re not sure where it belongs, don’t worry - put it in anyway, and pick whichever track tickles your fancy. The review board will consider it on its merits just as any other submission.

Birds of a Feather

This year, we’ll be running the usual Chatham House Rule Birds of a Feather discussion sessions at the end of each day of the conference. Attendees will be able to suggest topics during the morning, and then vote for their preferences during the afternoon. The winning 4 BoF topic suggestions will be selected, and the suggestors will facilitate the sessions with the help of members of the organising committee.

Given the above, we’re not soliciting topics for BoF sessions at this time. Please bring the ideas with you to the event, and put them forward on the day!

Who Should Submit

As a conference specifically focused on the independent cloud practitioner community, we’re particularly interested in presentations that don’t fit neatly into the main tracks of other cloud conferences.

We’re looking for talks from any practitioner who is responsible for securing a cloud service or service provider. The definition of “practitioner” here is deliberately vague - and definitely encompasses more than just “engineer” or “security consultant”. If you’re involved in cloud security, at any level from deep in the technical trenches up to cloud security grand strategy, we’re interested in what you have to say. The program committee specifically encourages novice speakers, or those who’ve never spoken at a significant conference before, to submit; some of our most memorable hallway conversations come from bringing together speakers of different backgrounds and experience levels. As a result, we reserve time during reviews to provide feedback, and to develop and highlight the work of others.

Conference Format

Most talks are expected to be 20-minute talks on a single topic. It has been our experience that 20 minutes is enough time to deliver a focused talk to other experienced practitioners on most topics. There are a very limited number of 40-minute slots available for more in-depth discussions. If you’d like to propose a 40-minute talk, please be sure to include a clear justification of what would merit the additional time.

We keep fwd:cloudsec small and approachable to encourage attendees to interact in real-time. We’re looking for talks that inspire others to ask questions and build together. We expect that presenters will attend the conference to deliver their content in-person. As with fwd:cloudsec North America, we will be live-streaming the sessions and hosts will be soliciting questions from the in-person audience, Cloud Security Forum Slack and social media in real-time.

What Not to Submit

All experience levels are welcome, but fwd:cloudsec attendees will typically have hands-on experience with cloud engineering and security. Introductory-level talks on broadly-deployed technologies, vendor presentations, or purely theoretical architecture talks will not be accepted and may not even be referred to the whole review board for review.

Content that is not focused on the security of public cloud or cloud native workloads will also not be accepted. This includes general content on the use and operation of the various cloud providers or kubernetes, or security content focused on other topics, such as web application or API security.

As a smaller conference, we’re particularly looking for talks that spark discussion, challenges and hallway exchanges — not just lectures expected to be taken as gospel.

We will not accept sales pitches for products or services, or talks that seem to us as though they may be thinly-veiled sales pitches. If you’re employed by an organisation that focuses on the topic you’d like to speak about, it’s important that you explain in your submission how the content you’re presenting is independent of your products or services. In addition, both speakers and reviewers are expected to disclose conflicts of interest. If research was paid for by a particular vendor, that’s not disqualifying (and is in fact common amongst our speakers), but the chairs would like to know to ensure we can remain impartial and independent.

We want you to be selective in what you submit, so we are putting a few restrictions in place:

Diverse and First-Time Speakers

We especially encourage first-time speakers and those who are part of under-represented minorities in the security industry (by gender, race, background or other circumstance) to present at fwd:cloudsec. First pass reviews by our committee members are performed blind (without author information attached), though as we approach final selections we strive to build a balanced program and are proud to have a review committee comprised of many different backgrounds.

If you’re new to the industry and/or a novice speaker, and have never spoken at a major conference before, we’re especially interested in hearing from you and want to help you find the best fit talks. If you submit by the 30th of May, we’ll share review committee feedback in depth and provide you a point of contact on the review committee who can offer suggestions to improve your talk for the fwd:cloudsec audience. Please do not select this box if you’re an industry veteran with years of experience - we appreciate that everyone would like feedback on their submissions, and we’d love to provide it, but the review board is time limited and we’d like to focus our feedback efforts where it’s most needed.

While all talks are to be presented in English, we are aware that not everyone is a native speaker. The review board will do their best to take that into consideration when we assess submissions.

Submission Tips and Advice

Infosec conference submissions can be a bit of a black art, and it’s not always obvious from the outset how to put a winning submission together. Nick Jones posted I Reviewed 180 fwd:cloudsec Submissions, These Are My Key Takeaways based on his experiences reviewing for the US event in 2024, which covers many of the positive themes and common mistakes across the submissions seen. There’s also a set of further links to submission guidance from other CfP review board members from other conferences, which may be of interest.

Disclosure Policy

We support responsible disclosure. As an independent conference, that does not mean giving vendors a veto over all possible presentation topics. Submitters should inform vendors of any discovered vulnerability as early as possible to give them a chance to patch the issue, and we won’t accept any talks that have not made good-faith efforts to work through their vulnerability disclosure processes.

Beyond that - we admire the work Project Zero has done here: 90 days from notification is generally a reasonable time to patch an issue, plus 30 days to coordinate disclosure. After that time has elapsed, it may be more important to let the public know than to continue to keep the issue under wraps. If you still have disagreements as to whether a vulnerability should be presented, reach out to Nick Jones or Christophe Tafani-Dereeper in the Cloud Security Forum Slack workspace, and let’s talk through options.

Our AI Policy

We commit to reading every submission fully and personally, and we will not be selecting talks based on an AI generated summary or ranking. We highly recommend taking a similar approach when writing your proposal. We appreciate that AI is a useful tool to support composing submissions, especially when English is not your native language, but you should ensure that you present your unique view, voice and insights in both the talk proposal and presentation.

Timeline

How to submit

Most talks are expected to be 20-minute lightning talks on a single topic. There are a limited number of 40-minute slots available, so when proposing a 40-minute talk, please be sure to include an agenda that explains how you will use the additional time. We may (and probably will) ask you to shorten your talk before it can be accepted.

Submissions must include:

Remember: The detailed description is for the review committee only. The more detail you include, the better the committee can judge your submission. An abstract is fine to tease the audience, but the detailed description needs to include the punchline.

Submit your proposal

Proposals can be submitted via PreTalx.