
Nullcon Goa 2026: India’s Premier Technical Security Conference Preview

Nullcon’s 16th Goa edition closed on March 1 with registrations hitting 3,000 — a 25% jump over the 2,400 who showed up in 2025, and a strong signal that Asia’s hacker-first conference is still the regional anchor for offensive security research. The event ran February 28 through March 1 at the BITS Pilani K K Birla Goa Campus, flanked by two training batches (February 25–27 and March 2–4) and a new invite-only executive forum called Day Zero on February 27.

The 2026 agenda was built around a single argument: the attack surface is no longer simply expanding, it’s learning. LLM-assisted coding pipelines, autonomous agents, and AI orchestration layers inside enterprise environments are shipping faster than the controls meant to guard them. Nullcon’s technical program responded by pushing AI exploit research to the center of the conference floor while keeping the traditional pillars — infrastructure compromise, cloud red teaming, reverse engineering, IoT and firmware hacking — intact. For anyone tracking where Indian and broader Asian security research is headed, this edition is the reference point.

What Nullcon Is and Why Goa Matters

Nullcon is an annual security conference held at BITS Pilani’s Goa campus, founded on the premise of surfacing original research and practical offensive technique rather than vendor marketing. Organized historically by the Payatu-linked team and now operated in partnership with Information Security Media Group (ISMG), it runs two Goa editions and smaller regional editions through the year. The Goa flagship is the one that matters — it’s where the CFP is competitive, the trainings are priced as professional instruction, and the corridor conversations involve government officials alongside independent researchers.

The 2026 edition marked a structural expansion. Alongside the two-day main conference and the training weeks on either side, Nullcon introduced Day Zero on February 27 — a dedicated invite-only forum for CISOs, CIOs, CTOs, and senior security leaders. The program covered board-level oversight of exploit life cycles, AI-enabled attack simulations including deepfake scenarios, post-quantum transition planning, and cross-functional crisis exercises. It’s a recognition that the people who decide how research gets operationalized increasingly need their own track, not a watered-down general pass.

EVENT AT A GLANCE
Nullcon Goa 2026 — 16th Edition

TRAINING BATCH 1: Feb 25–27, 2026
DAY ZERO: Feb 27, 2026 (invite-only executive forum)
MAIN CONFERENCE: Feb 28 – Mar 1, 2026 (two days of research tracks)
TRAINING BATCH 2: Mar 2–4, 2026
VENUE: BITS Pilani K K Birla Goa Campus
ATTENDEES: 3,000+ (25% YoY growth)
HACKIM CTF: Feb 7–8, 2026 (24-hr online qualifier)

The Opening Keynote and the Geopolitics Frame

The main conference opened with a joint keynote from two of India’s most senior national security voices: Vinai Kumar Kanaujia, joint secretary of the National Security Council Secretariat, and Sanjay Bahl, director general at CERT-In. Their pairing wasn’t ceremonial. Nullcon has historically kept government presence at arm’s length while amplifying practitioner voices; putting the NSCS and CERT-In on the same stage on day one signaled that the organizers see cyber risk as inherently geopolitical in 2026, not something that can be framed purely through a vendor-vs-attacker lens.

Rahul Neel Mani, director at Nullcon, framed the 2026 thesis plainly in conference communications: “We are operating in an environment where AI generates code, autonomous agents execute workflows and identities function as control planes.” The attack surface, he argued, is expanding and becoming intelligent — and the conference exists to examine that reality candidly.

The AI Security Anchor

The defining structural addition in 2026 was live bug hunting running across both conference days, with researchers competing in real time to identify vulnerabilities in AI systems benchmarked against the OWASP Top 10 for LLM Applications. This turned the show floor into an active research arena — not a passive track of slides. Top performers were recognized for measurable impact, which matters because it gives the live-hacking format the same prestige Nullcon attaches to its CFP-accepted talks.

The AI security program wasn’t cosmetic. Talks and workshops covered LLM manipulation and adversarial reasoning, identity impersonation in SPIFFE/SPIRE environments, HTTP/3 and QUIC protocol fuzzing, supply chain propagation models, and Windows 11 attack chains. Nikhil Joshi’s “AI Security: Terminating The Terminator” was among the headline AI-track talks; the training side added an Advanced Hands-On AI Security Workshop running across both batches.

The choice of the OWASP LLM Top 10 as the benchmarking framework is significant. Unlike ad-hoc jailbreak demos that dominated AI security talks through 2023 and 2024, scoring real exploits against a recognized taxonomy — prompt injection, insecure output handling, training data poisoning, model denial of service, sensitive information disclosure, and the rest — produces research that defenders can actually map back to their own stacks.

The Training Catalogue

Nullcon’s trainings are priced as professional instruction and fill quickly; they are typically more competitive to get into than conference-only passes. The 2026 catalogue ran across both pre- and post-conference batches and covered the full offensive stack.

TRAINING TRACKS
2026 Catalogue by Domain

OFFENSIVE / RED TEAM
AdversaryOps: Engineering Red Team Tradecraft
Cloud Red Team Tactics for Attacking and Defending Azure
Advanced Infrastructure Security Assessment
EDR Evasion and Advanced Phishing Bootcamp

AI & APPLICATION
Advanced Hands-On AI Security Workshop
AI Security: Terminating The Terminator
Hacking Modern Web & Desktop Apps
Application Security Tool Stack

CLOUD & INFRASTRUCTURE
Hardening Kubernetes & Cloud-Native Infrastructure
Cyber Threat Intelligence Bootcamp

HARDWARE / MOBILE / IOT
Practical IoT Hacking
Building Secure Firmware: Best Practices and Labs
Hacking Android Applications

Instructor names worth knowing: Madhu Akula continued to anchor the Kubernetes hardening course, a long-running fixture of the Nullcon catalogue. Manish Gupta, CEO of CyberWarFare Labs, led the AdversaryOps red-team course. Riddhi Shree ran the firmware security labs. Abizer Naseem and Prathamesh Patil from Payatu handled the EDR evasion and phishing bootcamp. Sebastian Neef — known in bug bounty circles as gehaxelt and ranked on both Bugcrowd and Detectify — taught the advanced infrastructure assessment course and has been contributing to the HackIM CTF for over three years.

HackIM, Winja, and the Competitive Surface

The HackIM CTF remains Nullcon’s flagship competitive format, organized by ENOFLAG. The 2026 online qualifier ran from February 7 at 08:30 UTC to February 8 at 08:30 UTC — a standard 24-hour jeopardy-style format, with tickets to the Goa conference on the line for top finishers. Writeups landed on community sites within days, including a collection from the RedAlert team and contributions from team Olympus.

Alongside HackIM, Nullcon continued to run Winja CTF (a diversity-forward competition tied to its broader Winja initiatives) and a SCADA CTF focused on industrial control systems. A live private bug bounty program operated during the conference itself, rewarding attendees for vulnerabilities discovered in scoped assets during the event. For serious practitioners, this combination — jeopardy qualifier into in-person CTFs plus a live bounty surface — is a more meaningful credential stack than most regional conferences offer.

Day Zero: The Executive Forum That Actually Talks Technique

Executive tracks at security conferences are usually where technical content goes to die. Day Zero’s framing pushed against that pattern. Rather than a parallel program of governance abstractions, the agenda was built around specific operational scenarios: board-level oversight of exploit life cycles, deepfake-assisted attack simulations, post-quantum cryptographic transition planning, and cross-functional crisis exercises.

The invite-only framing matters here. Limiting the room to CISOs, CIOs, CTOs, and equivalents lets sessions reference live incidents and ongoing response work that wouldn’t be discussable on a public stage. It also positions Nullcon as the venue where Indian enterprise security leadership coordinates with government — the NSCS and CERT-In keynote on the main-conference day was explicitly designed to feed context into the Day Zero conversations.

What the Research Tracks Covered

The two-day main conference kept its reputation for technical depth. The research program spanned areas that genuinely move the state of the art rather than recycled vendor positioning.

RESEARCH FOCUS AREAS
Nullcon Goa 2026 Technical Program

AI & LLM EXPLOITATION: LLM manipulation, adversarial reasoning, OWASP LLM Top 10 benchmarked live hunting.
IDENTITY & AD ATTACKS: Active Directory attack chains, SPIFFE/SPIRE identity impersonation.
PROTOCOL & KERNEL: HTTP/3 and QUIC fuzzing, reverse engineering and kernel-level research.
WINDOWS 11 & ENDPOINT: Windows 11 attack chains, EDR evasion, advanced phishing tradecraft.
CLOUD RED TEAM: Azure offensive tradecraft, Kubernetes and cloud-native exploitation.
SUPPLY CHAIN & IOT: Supply chain propagation models, IoT hardware and firmware exploitation.

The SPIFFE/SPIRE identity impersonation work is worth flagging specifically. As workload identity frameworks take over from static credentials in Kubernetes and service mesh environments, the attack surface on the identity-issuance layer itself becomes the next frontier. Research that demonstrates impersonation paths against SPIFFE workload APIs lands directly on the roadmaps of every large cloud-native security team.

The HTTP/3 and QUIC fuzzing track reflects a similar shift. With HTTP/3 adoption climbing through 2025 and early 2026 across major CDNs and load balancers, protocol-level bugs in QUIC implementations are a real class of vulnerability that hasn’t yet produced its canonical breach. Getting this research into practitioner hands before the canonical breach is Nullcon’s historical pattern.

Beyond the Main Tracks

Nullcon’s supporting programming has built out significantly from earlier editions. The Resume Clinic continues to offer one-on-one career reviews from industry reviewers. Hack Young and CTF For You target students and newcomers with lower-barrier formats. The Con-Trollers volunteer program — applications open for just 48 hours each year — gives early-career participants insider access to conference operations in exchange for staffing. The Winja initiatives keep diversity programming structural rather than bolted-on, running mentorship tracks and panels alongside the CTF.

The CXO Track, broadened in 2026 through Day Zero, sits at the opposite end of that seniority range. Between them, Nullcon is one of the few conferences in the region where a first-year student and a Fortune 500 CISO plausibly end up in adjacent sessions during the same week.

The ISMG Partnership and What It Changes

Nullcon’s 2025 and 2026 editions have been produced in partnership with Information Security Media Group (ISMG), the global cybersecurity media organization, operating through their joint venture. The partnership brought more coordinated press coverage, tighter executive programming, and expanded international marketing — visible in the 25% attendance jump between 2025 and 2026 and in the geographic spread of the speaker roster.

The tradeoff to watch is whether the commercial scale-up pressures the hacker-first ethos that made Nullcon what it is. The 2026 edition’s live bug hunting, the OWASP LLM Top 10 benchmarking, the depth of the training catalogue, and the presence of working researchers over product pitchmen all suggest the organizers have held the line. Next year’s CFP decisions will be the clearer test.

Frequently Asked Questions

Is Nullcon Goa worth it for someone outside India?
Yes, especially for researchers working on Asian threat landscapes, cloud-native security, or AI exploitation. The speaker roster is international, and the conference is one of the few in Asia with HackIM-caliber CTF infrastructure and a live bounty program. Flight and accommodation costs in Goa run below comparable European or US conferences.

How competitive are the trainings to get into?
Trainings fill earlier than conference-only passes, particularly the AI security and Kubernetes hardening courses. Class sizes are capped to keep the hands-on labs functional. Plan to register when the catalogue opens rather than closer to the date.

Can students attend?
Yes — Hack Young, CTF For You, the Resume Clinic, and the Con-Trollers volunteer program all target student and early-career participants specifically. The BITS Pilani campus venue is itself a university, which keeps the student presence high.

How does Day Zero actually work?
Day Zero is invite-only for senior security leadership (CISOs, CIOs, CTOs and equivalents) and runs on February 27, the day before the main conference opens. It’s not a paid upgrade — organizers curate the invite list to keep the room coherent for the executive-level discussions on exploit lifecycle oversight, post-quantum planning, and crisis response.

The Verdict

Nullcon Goa 2026 held its line on technical depth while scaling into new territory. Live AI bug hunting scored against the OWASP LLM Top 10, a senior-government keynote that acknowledged cyber as geopolitical rather than purely technical, and a Day Zero forum that treats executives as an audience for operational substance rather than boilerplate — these are all signs of a conference that knows what it is and is pushing the format rather than drifting.

For practitioners planning their 2027 calendar, the question isn’t whether Nullcon Goa is still the Indian flagship. It’s whether the research tracks keep surfacing work that ends up cited in the following year’s CVE disclosures and breach post-mortems. On the 2026 evidence — SPIFFE/SPIRE impersonation research, HTTP/3 fuzzing, Windows 11 attack chains, OWASP-benchmarked live LLM exploitation — the answer is yes. Register early, pick a training that pushes rather than confirms your current stack, and come ready to work. The Goa sunshine is a bonus, not the point.
