Four days inside the world’s largest internet infrastructure event. A cybersecurity programme with sessions on AI hacking and live MFA bypass. A Capture the Flag competition. And one number that kept coming up before the doors even opened: 82% of cloud workloads are vulnerable. Here’s what I saw — and what it means.
I want to start with that number, because CloudFest didn’t bury it. They led with it. The official blog published a piece before the event titled “82% of Cloud Workloads Are Vulnerable — Are You a Sitting Duck?” That’s not accidental positioning. It was a signal that set the tone for everything that followed during four days at Europa-Park in Rust, Germany, March 23–26.
This was my second CloudFest in a row. In 2025, I attended as a media partner. This year, I came as a delegate and strategic advisor for four days of back-to-back meetings, sessions on the main stages, and a few hours inside the HackerSpace that I’ll get to in detail below.
I’m writing this two days after getting back to Bucharest. The conversations are still fresh. Here’s my honest take.
| Metric | Figure |
|---|---|
| Attendees | 10,000+ |
| Speakers | 250+ |
| Official Partners / Exhibitors | 150+ |
| Countries represented | 80+ |
| Cloud workloads reported as vulnerable* | 82% |
*Per CloudFest pre-event industry intelligence, March 2026
Key Cybersecurity Takeaways — CloudFest 2026
- The official 2026 theme was “The Sustainability of Everything,” with a dedicated Cybersecurity and Compliance track running across the event
- The HackerSpace (March 24, Hotel Santa Isabel, sponsored by Patchstack) ran a full afternoon of named security sessions: AI hacking agents, live MFA bypass, behavioral intelligence for hosting providers
- A live Capture the Flag (CTF) competition ran alongside the sessions, open to every registered attendee
- WithSecure was among the official exhibiting security partners on the floor
- CloudFest’s 82% vulnerability stat wasn’t a throwaway number — it framed almost every security conversation I had all week
- NIS2, data sovereignty, and AI-powered attack surfaces dominated the Cybersecurity and Compliance track and kept spilling into conversations that had nothing to do with compliance
- Providers who can’t credibly speak to security are losing deals. I watched it happen. This isn’t a trend — it’s already the new baseline.
First, Let’s Clear Up the Theme
Many event previews (including some of my own) described CloudFest 2026 as organized around sub-themes such as “AI x Cloud” or “Cybersecurity in a Distributed World.” That was based on early positioning. The actual official theme was something broader: “The Sustainability of Everything.”
When I first read that, I was skeptical. It sounds like something that ends up meaning nothing. But the organizers were deliberate about it: sustainability here means systems that stay reliable over time, teams that don’t burn out, and infrastructure decisions that don’t quietly accumulate into security debt.
For a cybersecurity audience, that framing is actually more honest than most conference themes. It treats security as a structural property of a working system, not a layer you bolt on afterward.
The event ran across five topic tracks:
- AI-Powered Cloud Solutions
- Cybersecurity and Compliance
- Corporate IT Evolved
- Data Sovereignty
- Finding the Future
Cybersecurity and Compliance was the one people kept gravitating back to, not because it was the flashiest, but because NIS2 deadlines are real, enterprise procurement requirements are tightening, and that 82% number was still in everyone’s head.
“82% of cloud workloads are vulnerable.” CloudFest surfaced this before the event opened. Nobody on the floor disputed the number. The debate was about what to actually do about it — and how fast.
The HackerSpace

If you’re reading this publication, the HackerSpace is the part of CloudFest 2026 you need to know about in detail.
It ran on March 24, 2:00–7:30 PM, in the Convento Room at Hotel Santa Isabel, inside Europa-Park. Sponsored by Patchstack. The format was a technical session stage running in parallel with a live Capture the Flag competition, and unlike many “security tracks” at infrastructure events, the content had genuine depth. These were not vendor pitches rebranded as thought leadership. The speakers were practitioners with things worth saying.
Here’s the full programme:
Full HackerSpace Schedule — March 24, 2026
| Time | Session | Speaker(s) | Format |
|---|---|---|---|
| 2:00 PM | Warm-Up & Meet Your Rivals | All attendees | Networking |
| 2:30 PM | “Hacking Hollywood” | Ralph Echemendia, Founder | Keynote |
| 3:00 PM | Capture the Flag — Kickoff & How to Play | Oliver Sild, CEO (Patchstack) & Siobhan McKeown, COO | CTF |
| 3:15 PM | “I’m in Your Browser, Eating Your Cookies (…and Bypassing Your MFA)” | Miriam Wiesner, Sr. Security Research Program Manager | Keynote |
| 3:45 PM | “Hackian: An AI Agent That Can Hack” | Pedro Conde, AI Scientist & André Baptista, Co-founder & CTO (Ethiack) | Keynote |
| 4:25 PM | “Beyond the Signature: Why Modern Hosting Needs Behavioral Intelligence” | Salvador Aguilar, Threat Research Manager | Keynote |
| 4:55 PM | “Future of Web Security When Code Is AI Generated” | André Baptista (Ethiack), Miriam Wiesner, Oliver Sild (Patchstack) | Panel |
| 5:40 PM | “Threat Intelligence Across Generations: Lessons from the Front Lines” | Jesse Tuttle, Hacker & Reese Tuttle, Threat Researcher | Keynote |
| 6:10 PM | Capture the Flag — Awards | Oliver Sild & Siobhan McKeown | CTF Awards |
| 6:30 PM | HackerSpace Networking | All attendees | Networking |
Let me walk through the sessions that actually moved the needle.
Ralph Echemendia — Hacking Hollywood
Ralph is one of those people who can make a room genuinely uncomfortable in the best way. His point is simple and keeps getting ignored: the way security is portrayed publicly — in films, in press releases, in board presentations — actively shapes how organizations hire, budget, and respond to threats.
The gap between the movie version and the operational reality isn’t just annoying. It’s a structural liability. For a room full of infrastructure CTOs and hosting engineers, that framing hit differently than it does at a traditional security conference.
Miriam Wiesner — MFA Is Not the Finish Line
This was the session people were still talking about at dinner. The title alone told you where it was going: “I’m in Your Browser, Eating Your Cookies (…and Bypassing Your MFA).”
Wiesner showed, live, how browser-resident session tokens can be extracted and used to bypass MFA entirely — without ever touching the authentication mechanism itself. The auth worked perfectly. The attacker was already inside.
This matters specifically in the cloud and hosting market because providers have been leaning hard on MFA as a selling point. That pitch just got significantly more complicated. Session management, token lifetimes, and browser security hygiene now need to be part of the conversation — not as advanced features, but as baseline expectations.
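The defensive side of that point, as an added example that is not from the talk or the original article: a server-side session check that enforces idle and absolute lifetimes and revokes a token presented from a client context other than the one that completed MFA. The field names, timeout values and sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # assumed policy: 15 min of inactivity
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed policy: 8 h since MFA completed


@dataclass
class Session:
    token: str
    user: str
    mfa_at: int        # epoch seconds when MFA succeeded
    last_seen: int     # epoch seconds of the last accepted request
    client_ctx: tuple  # (ASN, user-agent family) observed at MFA time


def check_request(sessions, token, now, asn, ua):
    """Return a verdict for one request that presents a session token."""
    s = sessions.get(token)
    if s is None:
        return "reject:unknown"
    if now - s.mfa_at > ABSOLUTE_TIMEOUT:
        del sessions[token]
        return "reject:absolute-timeout"
    if now - s.last_seen > IDLE_TIMEOUT:
        del sessions[token]
        return "reject:idle-timeout"
    if (asn, ua) != s.client_ctx:
        # Valid token, different client: MFA was never run for this
        # context, so revoke and force re-authentication.
        del sessions[token]
        return "revoke:context-mismatch"
    s.last_seen = now
    return "allow"


def replay_demo():
    # Constructed sample: one MFA-backed session, then three requests.
    sessions = {"tok1": Session("tok1", "alice", 1000, 1000, ("AS64500", "Firefox"))}
    events = [
        ("tok1", 1300, "AS64500", "Firefox"),  # same browser as at MFA time
        ("tok1", 1400, "AS64511", "Chrome"),   # same token, other client
        ("tok1", 1500, "AS64500", "Firefox"),  # token was revoked above
    ]
    return [check_request(sessions, *e) for e in events]
```

Context matching is a heuristic: it does not catch a token reused from the original client's own machine, which is why the lifetimes still matter.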
Pedro Conde & André Baptista (Ethiack) — An AI That Hacks
The Hackian demo was the most forward-looking thing I saw all week. Ethiack built an AI agent that can autonomously find and exploit vulnerabilities. Not a scanner. An agent that reasons, adapts, and acts.
The implication is asymmetric and uncomfortable: if offensive AI is already here, the conventional model of periodic pen testing and annual threat modeling isn’t a security program anymore. It’s a compliance ritual. The panel that followed — on AI-generated code and web security — pushed this further. Most production environments now run AI-generated code that nobody has fully reviewed. That combination of AI attackers and AI-generated attack surfaces is a problem the industry doesn’t yet have good answers for.
Salvador Aguilar — Beyond Signatures
Aguilar made the case that practitioners already know but rarely say out loud to customers: signature-based detection doesn’t work well enough anymore. Behavioral intelligence, which means understanding what normal looks like and flagging deviations, is the direction serious hosting security needs to move.
The challenge is operational complexity at scale. But that complexity is no longer optional. Most of the 82% of vulnerable workloads won’t be caught by signature matching. Something has to change.
Jesse & Reese Tuttle — Two Generations, One Room
I’ll be honest — I wasn’t sure what to expect from a father-and-daughter hacker session. What I got was one of the better closing keynotes I’ve seen at any event this year. The through-line was simple: the adversarial mindset that makes a good security practitioner hasn’t fundamentally changed in decades. The surface area has. Organizations that treat security as a temporary assignment rather than a craft will keep losing.
What Was on the Exhibition Floor
150+ partners across four days give you a lot of signal about where money is moving in this industry. A few things stood out from a security perspective.
- WithSecure appeared as an official exhibiting partner, specializing in endpoint protection and managed detection and response, targeting the hosting and cloud-provider channel. That’s significant. A few years ago, dedicated security vendors didn’t see CloudFest as a primary channel event. That’s now changing.
- Patchstack sponsored the HackerSpace, which made sense — their entire business revolves around WordPress plugin vulnerability management and responsible disclosure. For the hundreds of WordPress hosting providers and managed hosting agencies in the room, they were perfectly aligned.
- CloudLinux was also present, reflecting the ongoing discussion about hardened OSes for shared hosting that has been gaining traction in managed hosting communities.
The rest of the partner list — Verisign, Elemento, StorPool, Firstcolo Datacenters, Synology, Western Digital, Toshiba Electronics Europe, Kingston Technology, Micron, Arrow ECS, TD SYNNEX, Stefanini, hosted.ai, Bytestock, 10Web — reflects the broader infrastructure stack that security increasingly has to integrate with rather than sit on top of.
What I Actually Heard on the Floor
Beyond the sessions, here are the five things that came up again and again in my own conversations throughout the week. These weren’t panel topics — they were what people said when the recording wasn’t running.
1. NIS2 Has Crossed from Legal to Sales
At CloudFest 2025, NIS2 was a concern for the compliance team. At CloudFest 2026, it was showing up in the first five minutes of enterprise sales conversations.
Customers are asking for documented controls, incident notification procedures, and supplier risk assessments before they even get to price. Providers who have built that infrastructure are moving forward in deals. Providers who haven’t are getting filtered out early. I watched this happen in real conversations, not hypotheticals.
2. Sovereign AI Is No Longer a Pitch — It’s a Product
Last year, private LLM deployments and data sovereignty were topics people discussed cautiously in side meetings. This year, they were centre stage with real case studies and actual customers.
The security story here is non-negotiable: the value of sovereign AI infrastructure depends entirely on proving — not claiming — specific facts about where data lives, who can access it, and how the inference environment is protected. Providers who can’t put that in writing are losing the Data Sovereignty track deals to those who can.
3. European Providers Are Winning on Compliance Credibility
The European cloud alternative story has been around since GDPR. What’s different now is that the commercial execution is catching up to the narrative. I spoke with four enterprise procurement contacts this week who had recently moved workloads to European providers — not because they were cheaper or faster, but because of the quality of NIS2 compliance documentation and the willingness to make contractual security commitments in a legal framework procurement teams actually understand. That pattern is going to accelerate.
4. DDoS, DNS, and AI Resilience Are Now Table Stakes
These aren’t differentiators anymore. Providers who can’t document their DDoS mitigation architecture, DNS security posture, and AI workload hardening are being knocked out of enterprise procurement before pricing is even discussed. The threshold was crossed in the enterprise last year. It’s working its way down to mid-market now.
5. AI-Generated Code Is a Security Crisis Nobody’s Talking About Loudly
The Hackian demo and the closing panel gave formal structure to something I had been hearing all week informally. Production environments are running code that was partly written by AI, partly reviewed by humans, and often deployed faster than either could be audited properly. If an autonomous hacking agent is already looking for vulnerabilities in that code, the exposure window is much shorter than most organizations assume.
“CloudFest published that 82% number before the event even opened. By day four, nobody was arguing about whether it was accurate. Everyone was arguing about what to do about it — and how fast.” — Daniel Stanica
What This Means, Depending on Who You Are
If you sell security solutions to cloud and hosting providers
CloudFest is now a qualified channel, not a nice-to-have. The appetite for NIS2 compliance tooling, behavioral intelligence platforms, and AI security that can operate at hosting scale is real and growing. Patchstack figured this out and sponsored the HackerSpace. If you’re still treating this audience as secondary, you’re behind.
If you’re a CISO buying cloud services
The 82% figure demands a supply chain response. Ask your providers for documentation—not one-pagers, but actual controls and evidence. NIS2 gives you a legal hook: your providers now have notification obligations. But those obligations are only worth something if your providers have the monitoring infrastructure to back them up. Ask specifically about incident detection timelines, patch cadence, access control architecture, and how they manage supplier risk.
If you’re a security researcher
The HackerSpace is worth your time. The attack surfaces being discussed — MFA bypass at the session layer, autonomous AI hacking, behavioral gaps in shared hosting — are live in production across infrastructure that serves millions of sites. Research that reaches this audience doesn’t sit in a journal. It gets deployed.
If you work in policy or compliance
NIS2 is generating real operational pain for smaller European providers, and the risk is that it becomes a paperwork exercise rather than a genuine security improvement. The industry is starting to build practical guidance through trade bodies and vendor coalitions. That guidance needs people with security depth in the room to ensure technical honesty. The window to influence it is now.
Final Thought
I’ve been to a lot of events. CloudFest 2026 was the first one where I left thinking the security community is genuinely underrepresented — not because there wasn’t security content, but because the decisions being made in those rooms over four days are shaping the actual security of millions of websites and cloud workloads in ways that most security conferences never get close to.
The HackerSpace alone was worth the trip. Add the floor conversations, the NIS2 pressure in every sales discussion, the sovereign AI product launches, and the EU cloud providers winning on compliance credibility, and this is an event security professionals should treat as a primary intelligence venue, not a field trip.
CloudFest 2027 is March 15–18. I’ll be there. If you’re going, reach out beforehand. Happy to connect, swap notes, or find time on the floor. And yes — if you want to continue the conversation on a roller coaster, I’ve done it before, and I’ll do it again.
Disclosure: The author attended CloudFest 2026 as a delegate. No editorial content was commissioned or reviewed by CloudFest organizers, Patchstack, WithSecure, Ethiack, or any other company named in this article. All session details were verified against the official CloudFest programme at cloudfest.com.
Cyber Security Magazine