On September 16–19, 2026, roughly a few hundred of the world’s most selective threat researchers will converge on a resort in the Sonoran Desert to trade findings most of them can’t post publicly — not yet, sometimes not ever. LabsCon 2026 runs September 16-19, 2026, in Scottsdale, Arizona. There is no open registration, no expo floor to wander, no tracks to hop between. You are invited, or you submit a paper and hope it lands. That scarcity is the point.
LabsCon occupies an unusual niche in the cybersecurity conference calendar. It is a vendor-hosted event — SentinelOne runs it through its SentinelLabs research arm — but it operates under research-conference rules. No sales pitches. No product announcements on stage. Talks are short, technical, and tilted toward original discovery: new malware families, unpublished vulnerability chains, nation-state tradecraft, hunting techniques that actually work. For defenders trying to triangulate where the frontier of offensive and defensive research actually sits, LabsCon is one of the signals worth tuning into.
What LabsCon Actually Is
LabsCon is an intimate event for the world’s top cybersecurity minds to gather, share cutting-edge research, and push the envelope of threat landscape understanding, presented by SentinelOne. The branding lines vary year to year, but the shape has held since the inaugural 2022 edition: a four-day gathering at the Omni Scottsdale Resort & Spa at Montelucia, invite-only or peer-reviewed access, and a program weighted toward threat intelligence and vulnerability research.
The conference is organized by SentinelLABS, SentinelOne’s research team. SentinelLABS is described as the elite research team known for uncovering critical vulnerabilities, novel attack techniques, malware families, and emerging threat actors. The team’s public work — tracking North Korean supply chain attacks, analyzing Chinese APT operations, reverse-engineering novel malware — sets the tonal baseline for what gets stage time. LabsCon is, in effect, an extension of that research culture: the kind of event where speakers assume the room already knows what a C2 beacon looks like and can skip the 101 slides.
Format-wise, talks run 20 minutes plus 5 minutes for Q&A, with workshops running 90 minutes long. That compressed talk length forces speakers to front-load findings rather than pad with setup — closer to an academic short-paper session than a vendor keynote. LabsCon is primarily a threat intelligence and vulnerability research conference, though the organizers keep an open mind on scope.
How the Invite Process Works
There are two ways in. First, an invitation — typically extended to researchers, government analysts, and vendor threat teams whose work the organizers already know. Second, the Call for Papers. Submit original findings that pass peer review and your spot is secured. The LabsCon Program Committee, which reviews submissions, includes top threat researchers and cybersecurity experts from Google, DARPA, Netflix, Johns Hopkins University, and SentinelLabs.
That committee composition matters. It’s the mechanism that keeps LabsCon from drifting into a SentinelOne-only echo chamber. Google’s threat analysis group, DARPA program managers, academic researchers from Hopkins, and Netflix’s security team all bring different review lenses — and all have reasons to push back on work that doesn’t hold up. For submitters, the bar is closer to a conference like USENIX Security than a typical industry track.
Sponsorship rounds out the vendor presence. The 2025 edition drew sponsors including Binarly, The Vertex Project, Silent Push, and Aesir Security Consulting, continuing a pattern from prior years that has included Stairwell, Cisco Talos, GreyNoise, HP Wolf Security, Team Cymru, and ReversingLabs. The sponsor list reads like a map of niche threat-intel and research boutiques rather than mainstream enterprise security vendors — consistent with the conference’s researcher-first positioning.
What Gets Presented There
The easiest way to understand LabsCon’s editorial center of gravity is to look at what made the 2025 program and what has surfaced in the post-conference replay series SentinelLabs publishes on its blog. The 2024 and 2025 editions leaned heavily into nation-state activity, novel malware analysis, and increasingly — AI-enabled threats.
The 2025 edition featured speakers from SentinelLABS, Sophos, ESET, Recorded Future, Margin Research and Check Point, covering nation-state threat activity, cyberwarfare, high-profile ransomware, LLM malware, and private sector offensive operations. That last category — private sector offensive operations, meaning the commercial spyware and mercenary hacker ecosystem — is one LabsCon has pushed earlier and harder than most conferences.
Keynote material has trended toward cross-disciplinary work. Lindsay Freeman, Director of the Technology, Law & Policy program at the Human Rights Center at UC Berkeley School of Law, presented on how UC Berkeley researchers used OSINT, AI, and other tools to document the Wagner Group’s crimes in Africa and build a case for prosecution at the International Criminal Court. That’s not a typical security-conference talk. It’s the kind of session that signals LabsCon’s editorial interest extends past pure malware analysis into how research tools get applied to accountability work.
Post-event, talks surface on the SentinelLabs blog as replays. Recent replays from LabsCon 2025 have included sessions on distinguishing hacktivist threat levels by persona characteristics, how Chinese firms running attack-defense exercises fuel state-linked offensive cyber operations, detecting malware that generates code at runtime, AI agents and leaked Russian data from Dreadnode, China’s CTF ecosystem including Ministry of State Security and PLA competitions, and Kryptina RaaS adapted for enterprise attacks. The through-line: research that connects individual artifacts to larger institutional and geopolitical structures.
Why LabsCon Stands Apart From Black Hat and DEF CON
LabsCon is not trying to be Black Hat. Cybersecurity Dive describes LabsCon as SentinelOne’s annual invite-only conference that gathers cybersecurity experts to share cutting-edge research and push the envelope of threat landscape understanding. That framing — invite-only, small, research-forward — defines the contrast against the summer Las Vegas circuit, where scale, spectacle, and commercial pressure are features rather than bugs.
The practical differences cascade from there. Black Hat’s briefings draw thousands and run a sprawling expo floor. DEF CON operates on a hacker-ethos that celebrates openness and public disclosure as moral baseline. LabsCon sits in a third position: small enough that hallway conversations stay substantive, structured enough that talks go through real review, and private enough that researchers can share in-progress or sensitive findings without worrying about them hitting Twitter in real time.
| Dimension | LabsCon | Black Hat USA | RSA Conference |
|---|---|---|---|
| Scale | Hundreds | ~20,000 | ~44,000 |
| Access model | Invite-only / CFP | Paid registration | Paid registration |
| Primary audience | Threat researchers, intel analysts | Practitioners, executives | CISOs, decision-makers |
| Content weight | Original threat research | Technical briefings + training | Strategy, governance, vendor |
| Talk format | 20 + 5 min | 25–50 min briefings | 45 min sessions |
| Expo floor | None | Large | Massive |
The format also makes LabsCon a useful proving ground for work that later lands at bigger venues. Research that gets sharpened by LabsCon Q&A often shows up months later in VirusBulletin papers, Black Hat briefings, or public SentinelLabs write-ups.
The Vendor-Conference Tension
There’s a legitimate question worth addressing head-on: can a vendor-run event be a neutral research venue? LabsCon has spent four years trying to answer yes, and the evidence — speaker diversity, external program committee members, a blog-publishing model that credits non-SentinelOne researchers by name — supports the claim more than it undercuts it. But the tension is structural, not solvable.
SentinelOne benefits commercially from being seen as a serious research shop. That’s the implicit deal: the company underwrites the event, the company’s research team gets reputational proximity to the field’s best, and in exchange the program stays clean of product marketing. Migo Kedem, then VP Growth and Head of SentinelLabs, said at the inaugural event that the goal of LabsCon is to provide a venue for advanced security collaboration and community building, uniting researchers, vendors, and practitioners to strengthen collective understanding of the security landscape.
That bargain holds as long as the editorial wall holds. The sponsor list — a rotation of niche research vendors rather than enterprise security giants — suggests the organizers understand the risk. So does the program committee’s inclusion of Google, academia, and DARPA. Attendees who have been multiple years generally report that the no-pitch rule is enforced in practice. It’s a fragile equilibrium, but an observable one.
FAQ
How do I get invited to LabsCon 2026? Two paths. Submit original research via the Call for Papers when it opens — historically in the spring, with deadlines falling in mid-to-late June. Or get referred by someone already in the community. There’s no public “register here” button, and there won’t be.
Are the talks available afterward? Selectively. SentinelLabs publishes a rolling LabsCon Replay series on its blog, releasing recorded or written versions of selected talks across the year that follows. Not every talk surfaces publicly — some findings stay closed on purpose — but a meaningful fraction do.
How does LabsCon relate to OneCon, SentinelOne’s other conference? They’re different animals from the same parent. OneCon is SentinelOne’s customer and partner conference — the 2026 edition runs October 20–22 at the Aria in Las Vegas. LabsCon is research-focused, invite-only, and deliberately small. Product news goes to OneCon. Zero-day analysis goes to LabsCon.
Does LabsCon have a CTF or villages like DEF CON? No. The format is talks, workshops, and hallway conversations. The deliberate smallness — and the emphasis on research over hands-on competition — is part of what differentiates it from the hacker-convention model.
What LabsCon 2026 Is Worth Watching For
Two storylines carry forward from the 2025 edition into this year’s program. First, AI-enabled offense — the runtime code generation, LLM-integrated malware, and agent-based attack work that dominated the back half of 2025 — is almost certainly going to get a bigger slice of the 2026 agenda. The SentinelLabs replay queue is already tilting that way.
Second, the private-sector offensive ecosystem remains under-covered elsewhere. Commercial spyware vendors, hack-for-hire operators, and the gray-market exploit economy are topics LabsCon has repeatedly chosen to spotlight when other venues have been more cautious. For researchers working in that space, the conference is one of the few places a full, attributed presentation will actually get stage time.
If you’re a defender trying to figure out what to read after the event wraps, watch the SentinelLabs blog for the replay tag starting late fall — that’s where the public version of LabsCon 2026 will land, a talk at a time, through 2027.
