Four days inside the world’s largest internet infrastructure event. A cybersecurity programme with sessions on AI hacking and live MFA bypass. A Capture the Flag competition. And one number that kept coming up before the doors even opened: 82% of cloud workloads are vulnerable. Here’s what I saw and what it actually means.
I want to start with that number, because CloudFest didn’t bury it. They led with it. The official blog published a piece before the event titled “82% of Cloud Workloads Are Vulnerable — Are You a Sitting Duck?” Not accidental. It was a deliberate signal that set the tone for everything that followed at Europa-Park in Rust, Germany, March 23-26, 2026.
This was my second CloudFest in a row. In 2025, I attended as a media partner from MonetizeBetter. In 2026, I came as a delegate and strategic advisor, doing four days of back-to-back meetings, main stage sessions, an afternoon inside the HackerSpace, and the kind of conversations that only happen when 10,000 infrastructure professionals share an amusement park for a week.
I’m writing this two days after getting back to Bucharest. Here’s my honest take, including one thing that genuinely frustrated me.
What is CloudFest?
CloudFest is the world’s largest annual gathering for the internet infrastructure industry, held each March at Europa-Park in Rust, Germany. Cloud providers, hosting companies, domain registrars, MSPs, SaaS founders, and hardware vendors from 80+ countries spend four days in a working theme park, with the rides open throughout.
Deals happen on roller coasters. Partnerships form in hotel lobbies at 2 AM. It sounds like a gimmick until you’re in it, and then it makes complete sense. The setting strips away the formality that makes most conference conversations useless.
For cybersecurity professionals specifically, this event matters because the people in those rooms are making purchasing and infrastructure decisions that directly affect the security posture of millions of websites and cloud workloads. It’s not a security conference. It’s where the buyers and builders of the infrastructure that underpins security gather.
Key Cybersecurity Takeaways: CloudFest 2026
- The official 2026 theme was “The Sustainability of Everything,” with a dedicated Cybersecurity and Compliance track running across the event
- The HackerSpace (March 24, Hotel Santa Isabel, sponsored by Patchstack) ran a full afternoon of named security sessions: AI hacking agents, live MFA bypass by a Microsoft security researcher, and behavioral intelligence for hosting providers
- A live Capture the Flag (CTF) competition ran alongside the sessions, open to every registered attendee at no extra cost
- Main stage security speakers included Radia Perlman (Dell Technologies), David Cattler (former NATO intelligence chief), and Sebastian Schreiber (SySS GmbH)
- WithSecure, Monarx, and Sectigo were among the official security-focused exhibiting partners
- CloudFest’s 82% vulnerability stat framed almost every security conversation I had all week, but the number deserves scrutiny, not blind repetition
- NIS2, data sovereignty, and AI-powered attack surfaces dominated the Cybersecurity track and kept spilling into conversations that had nothing to do with compliance
- Providers who can’t credibly speak to security are losing enterprise deals. I watched it happen in real time. This isn’t a trend; it’s the new baseline.
The Official CloudFest 2026 Theme
Many event previews described CloudFest 2026 as organized around subthemes such as “AI x Cloud” or “Cybersecurity in a Distributed World.” That was early pre-event positioning. The actual official theme was: “The Sustainability of Everything.”
When I first read that, I was skeptical. But the organizers were deliberate about it. Sustainability here means systems that stay reliable over time, teams that don’t burn out, and infrastructure decisions that don’t accumulate into security debt. For a cybersecurity audience, that framing is more honest than most conference themes. It treats security as a structural property of a working system, not a layer you bolt on afterward.
Five official topic tracks ran across the event:
- AI-Powered Cloud Solutions
- Cybersecurity and Compliance
- Corporate IT Evolved
- Data Sovereignty
- Finding the Future
A Note on the 82% Figure
I used this statistic heavily in my pre-event writing. Now that I’ve spent four days in rooms where practitioners were actually discussing it, I want to give it proper context.
CloudFest cited the figure without publishing the full methodology, and the reaction on the floor was nuanced. Most practitioners agreed it felt directionally correct. But “vulnerable” is doing a lot of work in that sentence. Vulnerable to what? Detected by which tooling? Under what conditions?
The most useful framing I kept hearing: the specific number matters less than the structural reality it reflects. Most cloud workloads in production were built faster than they were secured, by teams without security depth, using tools that prioritize deployment over defense. Whether the real figure is 82% or 67% is almost beside the point. The structural problem is real, and CloudFest 2026 was the first edition where I felt the whole room had genuinely accepted that.
“The number is probably right, or close enough. The question people aren’t asking is: what does it take to get out of the 82%? The answer is a lot more uncomfortable than a statistic.” (Infrastructure CTO, CloudFest floor, March 24)
Main Stage Security Speakers Worth Knowing
The HackerSpace gets the security spotlight, but the main stage had several speakers directly relevant to anyone in cybersecurity.
- Radia Perlman (Fellow, Dell Technologies), the inventor of Spanning Tree Protocol, was a headline speaker. Her work on network resilience and trust is more relevant to modern cloud security architecture than most people in the room probably realized.
- David Cattler (Founder and Principal, Ironhelm Works), a former senior NATO intelligence official, brought a perspective on threat intelligence and geopolitical risk intersecting with cloud infrastructure that you rarely hear at infrastructure events. The room paid attention.
- Sebastian Schreiber (Managing Director, SySS GmbH), one of Germany’s most established penetration testing companies, brought a practitioner’s view of offensive security directly to the infrastructure provider audience.
- Brewster Kahle (Founder, Internet Archive) connected questions of digital preservation and institutional memory to the data integrity and sovereignty debates running through the Cybersecurity track.
The CloudFest 2026 HackerSpace: Full Programme

The HackerSpace is CloudFest’s dedicated cybersecurity programme, featuring technical sessions and a live Capture the Flag competition, included with the standard pass at no extra cost.
In 2026, it ran on March 24, 2:00-7:30 PM, in the Convento Room at Hotel Santa Isabel inside Europa-Park, sponsored by Patchstack. I stayed for the full afternoon. These were not vendor pitches dressed up as thought leadership. The speakers had things worth saying.
Full HackerSpace Schedule: March 24, 2026
| Time | Session | Speaker(s) | Format |
|---|---|---|---|
| 2:00 PM | Warm-Up & Meet Your Rivals | All attendees | Networking |
| 2:30 PM | “Hacking Hollywood” | Ralph Echemendia, Founder, The Ethical Hacker | Keynote |
| 3:00 PM | Capture the Flag: Kickoff & How to Play | Oliver Sild, CEO, Patchstack & Siobhan McKeown, COO, Patchstack | CTF |
| 3:15 PM | “I’m in Your Browser, Eating Your Cookies (…and Bypassing Your MFA)” | Miriam Wiesner, Sr. Security Research Program Manager, Microsoft | Keynote |
| 3:45 PM | “Hackian: An AI Agent That Can Hack” | Pedro Conde, AI Scientist, Ethiack & André Baptista, Co-founder & CTO, Ethiack | Keynote |
| 4:25 PM | “Beyond the Signature: Why Modern Hosting Needs Behavioral Intelligence” | Salvador Aguilar, Threat Research Manager | Keynote |
| 4:55 PM | “Future of Web Security When Code Is AI Generated” | André Baptista (Ethiack), Miriam Wiesner (Microsoft), Oliver Sild (Patchstack) | Panel |
| 5:40 PM | “Threat Intelligence Across Generations: Lessons from the Front Lines” | Jesse Tuttle, Hacker, AP2T Labs & Reese Tuttle, Threat Researcher, AP2T Labs | Keynote |
| 6:10 PM | Capture the Flag: Awards | Oliver Sild & Siobhan McKeown (Patchstack) | CTF Awards |
| 6:30 PM | HackerSpace Networking | All attendees | Networking |
Session Highlights
Ralph Echemendia (The Ethical Hacker): Hacking Hollywood
Ralph is one of those people who can make a room genuinely uncomfortable in the best possible way. His point keeps getting ignored: the way security is portrayed publicly, in films, in board presentations, in vendor marketing, actively shapes how organizations hire, budget, and respond to real threats. The gap between the Hollywood version and operational reality isn’t just annoying; it’s dangerous. It creates board-level blind spots with real consequences.
Miriam Wiesner (Microsoft): MFA Is Not the Finish Line
This was the session people were still talking about at dinner. The title told you everything: “I’m in Your Browser, Eating Your Cookies (…and Bypassing Your MFA).”
Wiesner, Senior Security Research Program Manager at Microsoft, demonstrated live how browser-resident session tokens can be extracted and used to bypass MFA entirely, without ever touching the authentication mechanism itself. The auth worked perfectly. The attacker was already inside.
For hosting providers still leading with “we support MFA” as a security differentiator, this session was a direct challenge. Session management, token lifetimes, and browser security hygiene are now baseline expectations, not advanced features.
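An added example, not from Wiesner’s talk or from the original article: server-side session checks that enforce idle and absolute lifetimes after the MFA login and revoke a cookie that shows up from a different client context. The `SessionStore` class, the timeout values, and the fingerprint (user agent plus network prefix) are assumptions chosen for illustration.

```python
import hashlib
import ipaddress
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # assumed policy: 15 minutes without activity
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed policy: 8 hours after the MFA login


def context_fingerprint(user_agent: str, ip: str) -> str:
    """Coarse client context: user agent plus the /24 (IPv4) or /48 (IPv6) network."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return hashlib.sha256(f"{user_agent}|{network}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    fingerprint: str
    mfa_at: float      # when MFA was last completed for this session
    last_seen: float   # last request accepted on this session
    revoked: bool = False


class SessionStore:
    def __init__(self):
        self._by_token = {}   # sha256(cookie value) -> Session; raw tokens are never stored
        self.alerts = []      # (user, reason) tuples a real system would send to monitoring

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user, user_agent, ip, now):
        """Called only after MFA has succeeded; returns the session cookie value."""
        token = secrets.token_urlsafe(32)
        self._by_token[self._key(token)] = Session(
            user, context_fingerprint(user_agent, ip), now, now)
        return token

    def validate(self, token, user_agent, ip, now):
        """Return 'ok', or the reason the cookie is rejected."""
        session = self._by_token.get(self._key(token))
        if session is None or session.revoked:
            return "unknown_or_revoked"
        if now - session.mfa_at > ABSOLUTE_TIMEOUT:
            session.revoked = True
            return "absolute_timeout"
        if now - session.last_seen > IDLE_TIMEOUT:
            session.revoked = True
            return "idle_timeout"
        if context_fingerprint(user_agent, ip) != session.fingerprint:
            # A still-valid cookie presented from a different client context:
            # revoke it and require a fresh MFA login instead of trusting it.
            session.revoked = True
            self.alerts.append((session.user, "context_mismatch"))
            return "context_mismatch"
        session.last_seen = now
        return "ok"
```

The context binding is a heuristic: it rejects a cookie replayed from another network or browser, but not one reused from the same machine, which is why the short lifetimes still matter.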
Pedro Conde & André Baptista (Ethiack): An AI That Hacks
The Hackian demo was the most forward-looking thing I saw all week. Ethiack built an AI agent that autonomously finds and exploits vulnerabilities. Not a scanner. An agent that reasons, adapts, and acts.
If offensive AI is already operational, periodic pen testing and annual threat modeling aren’t a security programme anymore. They’re a compliance ritual. The panel that followed made it worse: most production environments today run code that was partly written by AI, partly reviewed by humans, and deployed faster than either could be properly audited. AI attackers operating against AI-generated attack surfaces are a problem the industry is only beginning to confront.
Salvador Aguilar: Beyond Signatures
Aguilar said out loud what practitioners know but rarely tell customers: signature-based detection doesn’t work well enough for modern hosting threat environments. Behavioral intelligence, flagging meaningful deviations from what normal looks like, is where serious hosting security needs to move. It’s operationally complex at scale, but it’s no longer optional. Most of that 82% won’t be caught by signature matching.
Jesse & Reese Tuttle (AP2T Labs): Two Generations, One Room
I wasn’t sure what to expect from a father-and-daughter hacker keynote. Jesse Tuttle and Reese Tuttle from AP2T Labs delivered one of the better closing sessions I’ve attended at any event this year. The core message: the adversarial mindset hasn’t fundamentally changed across decades. The surface area has. Organizations that treat security as a rotation assignment rather than a craft will keep losing, not because of any single vulnerability, but because institutional security knowledge compounds, and those who don’t build it start from scratch every time.
The CTF itself, run by Oliver Sild and Siobhan McKeown of Patchstack, put experienced ethical hackers in the same room as hosting engineers who had never played a CTF before. Everyone was forced to think like an attacker. That’s genuinely useful, and you don’t get it at most infrastructure events.
Security Exhibitors and Partners at CloudFest 2026
A few things stood out from a security perspective across the 150+ official partners.
- WithSecure (formerly F-Secure Business) appeared as an official exhibiting partner. Endpoint protection and MDR are now actively targeting the cloud and hosting provider channel. A few years ago, dedicated security vendors didn’t treat CloudFest as a primary channel event. That has clearly changed.
- Patchstack sponsored the HackerSpace. Their focus on WordPress plugin vulnerability management and responsible disclosure is directly relevant to the hundreds of managed hosting providers and agencies in the room.
- Monarx had two speakers on stage: CEO Luke Langford and VP of Product Aaron Campbell. Web server malware detection at the hosting infrastructure layer is a real operational problem for shared and managed hosting providers, and Monarx is squarely positioned to fill that gap.
- Sectigo had two speakers: Director of Product Management Peter Roybal and Director of Sales Engineering Stephen Nyhan. Certificate management at hosting scale is an underappreciated security surface.
- CloudLinux and SySS GmbH were also present, reflecting ongoing conversations on kernel-level isolation and offensive security practices, respectively.
The broader partner list (Verisign, Elemento, StorPool, Firstcolo Datacenters, Synology, Western Digital, Toshiba Electronics Europe, Kingston Technology, Micron, Arrow ECS, TD SYNNEX, Stefanini, hosted.ai, Bytestock, 10Web) reflects the infrastructure stack that security has to integrate with, not just sit on top of.
What I Actually Heard on the Floor
The real intelligence from CloudFest comes from unscheduled conversations, what people say when the recording isn’t running and the second drink is in hand. I spent four days pitching AI Visibility audits and partnership solutions to hosting and infrastructure providers, which led to many conversations that started as introductions and went somewhere more interesting.
Here are the five signals that consistently came up.
1. NIS2 Has Crossed from Legal Concern to Sales Filter
At CloudFest 2025, NIS2 was a concern for the compliance team. At CloudFest 2026, it was showing up in the first five minutes of enterprise sales conversations, before pricing, before technical considerations, before anything else.
Providers who have documented controls, incident notification procedures, and supplier risk assessments are advancing in deals. Those who haven’t are being filtered out before the commercial conversation starts. I watched a mid-sized European provider lose a meaningful enterprise deal specifically because their incident response documentation didn’t meet the buyer’s NIS2 audit requirements. This isn’t hypothetical anymore.
2. Sovereign AI Is a Product, Not a Pitch
Last year, private LLM deployments and data sovereignty were side meeting topics. This year, they were centre stage with real customers and case studies behind them.
The security story is non-negotiable: the value of sovereign AI infrastructure depends entirely on proving specific facts about where data lives, who can access it, how keys are managed, and the integrity of the inference environment. Providers who can’t put that in writing are losing Data Sovereignty track deals to those who can.
3. European Cloud Providers Are Winning on Compliance Credibility
The European cloud alternative story has been around since GDPR. What’s different now is that commercial execution is catching up. I spoke with multiple enterprise procurement contacts who had recently moved workloads to European providers, not because they were cheaper or faster, but because of the quality of NIS2 compliance documentation and willingness to make contractual security commitments in a framework their procurement teams actually understand.
4. DDoS, DNS Security, and AI Resilience Are Table Stakes
These are no longer differentiators. Providers who can’t document their DDoS mitigation architecture, DNS security posture, and AI workload hardening are being knocked out of enterprise procurement before pricing is even discussed. This threshold was crossed in the enterprise last year. It’s working down to mid-market now.
5. AI-Generated Code Security Is a Crisis Nobody Is Discussing Loudly Enough
The Hackian demo and the closing panel gave formal structure to something I had been hearing all week informally. Production environments are running code that was partly written by AI, partly reviewed by humans, and often deployed faster than either could be properly audited. If an autonomous hacking agent is already scanning that codebase for vulnerabilities, the exposure window is much shorter than most organizations assume.
One Honest Criticism
The HackerSpace ran in parallel with several main stage sessions I wanted to attend. That scheduling conflict created genuine friction for people trying to get the full picture. For an event that’s now explicitly leaning into cybersecurity as a core track, the programme architecture should reflect that. The HackerSpace deserves better integration into the main schedule, not a parallel slot that forces a binary choice. That’s fixable, and I hope the organizers address it for 2027.
CloudFest 2025 vs 2026: How the Security Conversation Has Matured
Having attended both editions, the contrast is worth documenting clearly.
| Dimension | CloudFest 2025 | CloudFest 2026 |
|---|---|---|
| Security track | Informal, embedded in infrastructure sessions | Dedicated HackerSpace with a formal programme and named sponsors |
| NIS2 in sales conversations | Compliance team concern | First-five-minutes qualifier in enterprise deals |
| AI and security | Conceptual: “AI will change threat landscapes.” | Operational: live AI hacking agent demos, real sovereign AI deployments |
| Security vendors present | Security as a feature of infrastructure products | Dedicated security vendors (WithSecure, Monarx, Sectigo, Patchstack) as named partners |
| MFA maturity | MFA as a selling point | MFA bypass demonstrated live on stage; session management is now the real baseline |
| European cloud narrative | Aspiration | Execution: providers winning deals on NIS2 compliance documentation |
| CTF competition | Not present | Live CTF with prizes, run by Patchstack, open to all attendees |
What was theoretical in 2025 is operational in 2026. Security has stopped being a conversation topic at CloudFest and started being a commercial requirement. That shift happened in twelve months.
What Else Happened
A few other things running alongside the main programme are worth noting.
- The CloudFest Hackathon attracted open-source developers building on cloud infrastructure, with projects increasingly touching security-adjacent problems: access control, audit logging, and monitoring automation.
- MSP Global 2026, CloudFest’s sister event for managed service providers, had registration open during the event week. If your security vendor or advisory business has a managed services component, it’s worth knowing about; registration is at mspglobal.com.
- OpenClaw, an AI agent for cloud operations, announced at CloudFest, is worth tracking from a security perspective. Autonomous AI agents operating on cloud infrastructure are exactly the kind of threat surface the industry doesn’t yet have good frameworks for.
- CloudFest Village, a new feature for 2026, added significantly more informal space: expanded seating areas, the Street Food Festival, and increased side-event capacity. My most substantive security conversations all week happened there and at the evening events, not in session rooms. Build time there into your schedule if you go.
What CloudFest 2026 Means, Depending on Who You Are
🔐 If you sell security solutions to cloud and hosting providers
CloudFest is now a qualified channel, not a nice-to-have. The appetite for NIS2 compliance tooling, behavioral intelligence platforms, and AI security at hosting scale is real and growing. Patchstack sponsored the HackerSpace; WithSecure, Monarx, and Sectigo were named partners. If you’re still treating this audience as secondary, you’re behind the curve.
🏢 If you’re a CISO buying cloud or hosting services
The 82% figure demands a supply chain response. Ask your providers for actual documentation: controls, evidence, incident-detection timelines, patch cadence, access-control architecture, and supplier risk assessments. NIS2 gives you a legal hook; use it. And if Miriam Wiesner’s session taught us anything, your providers’ “we support MFA” checkbox is worth a lot less than their session management and token rotation policies.
🔬 If you’re a security researcher or practitioner
The HackerSpace is worth your time. MFA bypass at the session layer, autonomous AI hacking agents, behavioral anomalies in shared hosting: these attack surfaces are live in production today, across infrastructure serving millions of sites. Research that reaches this audience gets deployed, not filed.
📋 If you work in policy or compliance
NIS2 is generating real operational pain for smaller European providers, and the risk is that it becomes a paperwork exercise rather than a genuine security improvement. The hosting industry is building practical implementation guidance through trade bodies and vendor coalitions right now. That guidance needs security depth to stay technically honest. The window to influence it is open, but not indefinitely.
CloudFest 2026 Cybersecurity: Frequently Asked Questions
What was the cybersecurity programme at CloudFest 2026?
The programme included six keynotes and one panel: Ralph Echemendia (The Ethical Hacker) on “Hacking Hollywood”; Miriam Wiesner (Microsoft) on live MFA bypass via session token extraction; Pedro Conde and André Baptista (Ethiack) presenting their autonomous AI hacking agent Hackian; Salvador Aguilar on behavioral intelligence for hosting providers; a panel on “Future of Web Security When Code Is AI Generated” (Wiesner, Baptista, Oliver Sild of Patchstack); and Jesse Tuttle and Reese Tuttle (AP2T Labs) on generational threat intelligence. A live Capture the Flag competition ran throughout. Access was included in the standard CloudFest pass at no additional cost.
Final Thought
I’ve been to a lot of events. CloudFest 2026 was the first one where I left thinking the security community is genuinely underrepresented, not because there wasn’t security content, but because the decisions made in those rooms over four days shape the actual security of millions of websites and cloud workloads in ways that most dedicated security conferences never get close to.
The HackerSpace alone was worth the trip. The floor conversations, the NIS2 pressure in every enterprise sales discussion, the sovereign AI product launches, the EU cloud providers winning on compliance credibility, the Ethiack demo that showed offensive AI is already operational, and yes, the honest frustration that the HackerSpace and main stage still conflict in scheduling when they should be better integrated.
CloudFest 2027 is March 15-18. I’ll be there. If you’re going, reach out beforehand. Happy to connect, swap notes, or find time on the floor. And if you want to continue the conversation on a roller coaster, I’ve done it before, and I’ll do it again.
Disclosure: The author attended CloudFest 2026 as a delegate. No editorial content was commissioned or reviewed by CloudFest organizers, Patchstack, WithSecure, Ethiack, Monarx, Sectigo, Microsoft, AP2T Labs, The Ethical Hacker, SySS GmbH, or any other company named in this article. All session details and speaker affiliations verified against the official CloudFest programme and speakers page at cloudfest.com.
Cyber Security Magazine