applied security conferences and training: CanSecWest | PacSec |

CanSecWest 2021

The 22nd annual CanSecWest conference will be held online during the month of April, with sessions detailed at

For info about PWN2OWN, please check here.

Registration is available: here.

Interact with the security community

CanSecWest, the world's most advanced conference focusing on applied digital security, is about bringing the industry luminaries together in a relaxed environment which promotes collaboration and social networking. The conference lasts for three days and features a single track of thought provoking presentations, each prepared by an experienced professional and talented educator who is at the cutting edge of his or her field. We give preference to new and innovative material, highlighting important, emergent technologies, techniques, or best industry practices.

The conference is single track, with one hour presentations over the duration beginning at 9:00 a.m. The registration fee includes the catered meals, and there will be a vendor display and lounge/eating area, where wireless internet access will be available (as well as in the speaking theater).

2021-01-27-11:00:00 CanSecWest2021 Online

So today, I'm happy to announce this year's CanSecWest and PWN2OWN plans.

CanSecWest will be the entire month of April.

(dramatic pause)

However that will be a month of (Tuesday, Wednesday, Thursday)'s.

It will be online only (cheering orderly fast distribution of vaccines, but it won't be there for a while), so the rules for conference dynamics are different, as we keep refining our technology, and establishing new patterns for on-line interaction.

We use what is the currently best toolset (in our opinion) available from outside services and conferencing applications, and provide a multiplatform experience with hopefully seamless background technology "magic." Unfortunately in this field, at this time that seems to be a fluid target with the rapid pace of development by so many players.

Our Discord is a long term piece of that community platform, (join at We will also have Zoom webinars and meetings.

But we are adding new pieces to our community interaction technology base as we learn and as the technology develops at such a frenetic pace. Already the toolset landscape is different than what we were working with in September-November for PacSec. So for CanSecWest this year we are adding two new facets to our community interaction. We are adding VR interaction, including a new BusinessVR pass that includes a bundled Oculus Quest2 VR headset (along with our well loved conference jackets, and more about this later).

We are also adding an ad hoc mingling and interaction area, where attendees can visit sponsor booths (videos, marketing material, videoconf with representatives), as well as browse connections with other attendee profiles and check out smaller individual meetings that attendees can set up ad-hoc on demand with one click. It's a new technology platform that is currently our best solution analogous to the lobby, vendor area at our conferences.

The three weekly sessions will be scheduled at different times on each of the three weekdays to accommodate access from different time zones around the world, and each day's session will be from 2-5 hours.

The first week April 6,7,8 will be the PWN2OWN focused competition streams and associated content.

The next week (April 13,14,15) will feature the more traditional presentation technology tutorial focused content. Along with our new platform twist, we will be doing multiplatform engagement settings on multiple technologies with an ad-hoc videoconferencing area outside the presentation where you may network with attendees with individual one on one and small ad hoc group video meets, visit the virtual sponsor booths, and browse past session recordings and discussions about them included in the media mix.

The third week (April 20, ,21, 22) will be more focused on interactive panel discussions, which will also be live streamed, and involve group interaction with attendees, and at this time I can't guarantee the platform it will be on yet. Because this stuff moves that fast.

The VR content will be in weeks 2/3 (April 13,14,15. April 20,21,22).

The Dojos trainings begin April 26th, with a cool lineup of Dojo courses to be announced shortly.

The conference pass structure will be as follows (the lowest prices to purchase passes will be February, as the prices will go up by 10%/month after):

So this is effectively the CFP for CanSecWest2021. Please send us your presentation proposals, panel session, workshop, and training proposals. Join our Discord or our mailing list at and look for more details and submission form shortly at

Send content/workshop/training proposals to and sponsorship and general inquiries to

The registration system will appear along with all the other details over the next few days. This will be our sixth virtual conference, and we’ve improved with each one as we stay at the bleeding edge of on-line interactivity - do you expect anything less from a technology conference? It will be a grand old (on-line) infosec circus, join us...

The recently announced PWN2OWN details are at:

If you are interested in more involved participation, email us and book a 30 minute technology demo and sponsorship meeting starting next week.




2020-03-12-10:00:00 Hybrid CanSecWest


There will be a remote CanSecWest speaker locker room pre-conference on Tuesday, March 18 at 16:00 PST, instructions will be emailed shortly.

Instructions and confirmation will be emailed to attendees as soon as we can on Monday or Tuesday. Attendees are asked to please send email to with the email addresses and preferrably Signal numbers (optional but desirable for backup contact) for the attendance and invitation list.

PWN2OWN @ CanSecWest is switching to full remote for this year.

The team there is adjusting as best and as quickly as they can. We plan to be posting update videos, and information from the contest on our remote conference stream. The ZDI blog will list new details shortly. We are all collaborating furiously to pull it all together under tight deadlines. The team at Trend Micro is doing an amazing job under ever changing and dynamic conditions, and I am grateful for their continuing support and amazing skills.

We are actually building a pretty interesting virtual show, under the gun, but the content is falling into place, we'll have remote and local participant panels in the breaks between presentations, some fun attendee contests and more. It would have been nicer to get more preparation time, but the folks pulling it together are doing an amazing job, on both remote courses, and our new virtual hybrid conference.

We will be offering a 25% discount on CanSecWest 2021 registrations for folks whose travel and risk reduction restrictions preclude physical participation this year and need to switch their registration to remote tickets. And one notes their allies, friends and supporters the most in the difficult times most of all, so all who are registered this year get a 15% discount on next year. For folks who are locked into travel with non-refundable tickets, and whose personal situations and locations place them in lower risk categories and are among the folks who will persevere and travel either locally or are in lower risk demographics, we will not cancel on our commitments, we will be putting on a smaller, safer show, locally and remotely. Folks from high-risk locations and among threatened demographics switching to remote or cancelling is a blessing and a curse here.

Currently IMHO I feel privileged to live in Canada, as aggressive testing and contact tracing building on our learning experiences with the previous SARS outbreak has led to a successful containment so far here - the odds of coming across virus exposure currently in BC with less than 40 cases among a population of 5 million are currently lower than your odds of being killed by lightning, to temper folk's risk assesments among the sea of hyperbole we are being subjected to, and you have much better odds of winning money in the provincial lottery still. IMHO aggressive testing is the key in this situation, and the difference between safe locales and higher risk lies in visibility, data, and information to guide folk's response and plans - Korea, China, Canada and other places that have ramped up testing, promoted mask use, and let folks have the tools to deal with it tactically seem to have gotten it right with their strategies. I wish us all good luck, and a reminder than panic is never a good option. Clean hands, masks on, and open hearts - stay calm, and safe.

Now we still have a tremendous amount of work to do with this newfangled kind of event in this dynamic situation next week, so off we go. On the upside, we are looking at this as an opportunity to craft a new kind of event, local and remote, removing more of our geophysical boundaries.


Well the real world may be filled with uncertainty, but the virtual world marches on.

We are proceeding to attempt make CanSecWest Remote the coolest on-line infosec educational resource we can, and the best virtual party attempted so far.

We are upping the passes so that anyone who has switched to a virtual attendance gets four remote seats for their co-workers and friends.

Anyone who has ever been a volunteer, dojo instructor, presenter, or otherwise helped out at any of our conferences also is eligible complementary attendance to this virtual shindig, message me here with your email address for the conf invite and preferrably a signal number as some of the co-ordination is happening on that platform, cc with that info and we'll get you on "the list."

We will also be extending liberal remote passes for our sponsors, we'll contact your folks early next week.

This all feels like a time warp back to 15 years ago when we didn't really plan very much and things were very chaotic. Any plans you make today seem to obsolete tomorrow, we just ripped up all our event sheets with the hotel and are redoing our new plans for the remaining who will persevere, and our remote broadcast team. If anyone local wants to come help out with the remote conference management and learn with us on this brave new "technical adventure," ping me. Oddly, due to our earlier experiences with chaotic rapidly deployed arrangements this is a situation we are very practiced at and feels vaguely familiar from a long time ago.

Keith M Myers will be playing some virtual music sets on the evening part of this stream which is on PST times. Going to reach out to a few other of the usual DJ villains to see about queing them up for the evening part of the broadcast, so folks stuck at home not going anywhere can pour a glass of scotch, or a shot of tequila (It's not just for breakfast anymore), and join what will be likely multiple virtual rooms to mingle with peers while you are stuck telecommuting from home.

We will update the website shortly with more instructions and the at least 4-5 new remote presentations we are adding to the new longer and fuller remote stream agenda, and I am taking this opportunity to call out to our Dojo instructors for courses that have cancelled, or even our past instructors to see if they are interested in doing little short mini-trainings (tentatively planning on 15 min) as samples of their longer training material for attendees during the duration of the conferences, potentially in parallel at the same time as the virtual party track in the evening. We are still taking submissions for more remote sessions as the remote format allows us more timeslots for presentations and easily added virtual sub-groups, message me directly with your pitch. Got a cool infosec related idea you want to try with a remote group, tell me about it, the agenda is being built very dynamically. Also still taking applications for folks to join the content co-ordination and wrangling team, even remotely, so if you are interested in participating in the back end of this evolving idea contact me as well if you have some time you can spend helping out Tue-Wed next week.

The conference will feature a single track speaker presentation meeting stream and at least one "hallway track" meeting for attendees to mingle as well as many interactive panels and discussions as we can manage. We may also have break-out topical subgroups in the time the main stream is not active.

The other upside to just having hauled the gear for 500 person conferences to the hotel that is no longer needed, is that our remote streaming control room will have a ridiculously overkill stereo system and av setup. The much smaller viewing and interaction areas for the remote streams for locally present folks will also benefit from our killing a fly with an RPG tech overkill. Never a dull moment.

Way back in 2001 we were the first conference that I know of that attempted conference wide WiFi, we have been pioneers in bug bounties, discussions of many classes of vulns and tried new approaches in so many other ways. We certainly intend to be pioneers in remote interactions... because it seems many folks will be limited to those for the next few months. Onward and upward.

2020-03-09-22:00:00 2020 Speakers

A small note of thanks to our sponsors: The companies on the sidebar, all have graciously supported this conference and the security community for decades now. A big shoutout to them for the assistance they provide in making conferences like ours happen, and indeed enabling whole open international security community to interact and function to secure our world and make our information infrastructure a better place.

2020-03-09-10:00:00 COVID-19 Precautions

So CanSecWest is coming up soon.

We've been watching the recent developments carefully, and working to put in several new features we have never tried before and are changing some aspects dramatically. Bear with us, we are shooting from the hip too, and all in all, we think we've been able to scrape up a pretty good response with a dynamic situation. Folks say the key to leadership in situations like these is rapid, clear, information dissemination, and calm, logical preparations. So here is what's going on....

We've put in a full virtualization team, and are drastically adjusting some parameters, read on.... If this is the new normal for the next while, we intend to make this experience as close to a model of reduced risk social group interactions as we can.

At the end of the day I think the folks we get at our conferences are some of the most responsible and intelligent folks on the planet, and if there is any group I would trust with the social awareness to show the responsibility to stay back and self-isolate if they have any inkling of symptoms, fever, cough, even a runny nose, it's the infosec community that attends our conferences. One of the reasons we do what we do is because the folks we interact with in our community really are some of the world's finest and most competent whom we rely on in positions of trust. The percentages of folks who are really asymptomatic is, contrary to some fearful exclamations, very low, around 1% by all the data published so far. In any cases where there was any asymptomatic transmission, the folks involved did eventually see symptoms. New data suggests that the median symptom onset (50%) is 5.1 days (with over 97% at less than 11 days, and almost all by 14 days), and nearly all of the cases include fever as a primary symptom. So monitoring those is crucial as we see it, and are putting in IR camera temperature monitoring, and stringent requests of attendees to redouble caution and withdrawal in case of _any_ illness. All our desks will have IR thermometers in case of any doubts available for checks.

We will have masks, hand sanitizer stations, and sanitizer bottles (but still recommend hand washing frequently as preferrable), as well as alcohol wipes for attendees for their own area sanitization. We will recommend that masks be the default at conference activities, and will have a keynote on proper sanitization, and mask use and safe removal and disposal from a registered nurse.

That said, we will however implement a different kind of conference this year as a dynamic response:

At this time we still see the overall risk in Canada of transmission as low. Canada has been agressively testing, and overall rapid ramp up of testing IMHO seems to be the key to containment. China has managed this quite well. The Korean rapid roll-out of testing seems to be also paying off as their numbers of new cases continue to decline. The situation in BC is still low risk - the only case of concern at the moment is a single one (with likely multiple case fallout expected amongst other residents and staff there) of seniors at the Lynn Valley center in North Vancouver - which is still being traced since it was announced on Thursday of last week. Mindful of earlier SARS experience, BC has implemented agressive contact tracing and readily available testing at all the handful of outbreaks, and has so far been successful at avoiding unconstrained spreading.

We have arranged some RT-PCR testing should it become necessary, or optionally desireable by any attendees, at a medical clinic next to the hotel for any verification, but have switched the presenter we were concerned about before to a remote presentation to further minimize the risk.

As usual we continue monitoring the situation closely, and reacting dynamically as necessary, and hold cautious hopes for better news for everyone from the trials of remdesivir and camostat. We also advise folks to consider how to best isolate any at risk elderly male smokers or ex-smokers.

Clean hands, masks on, open hearts, and we will all do our best to persevere even in adversity.

2020-02-08-20:00:00 Dojo Price Adjustment

Based on community feedback and a survey of industry pricing levels, we are adjusting our Dojo course pricing to meet your expectations of advanced educational value, and keep CanSecWest Dojo courses among the most optimal training price/performance in the industry for forward looking information security learning topics.

Effective immediately our new permanent Dojo pricing will be:

We will dispense temporarily with the sliding time/price scale, but we will likely reinstate some sort of early discount next year.