When the Cloud Native Computing Foundation announced the lineup for KubeCon + CloudNativeCon Europe 2026 in London, one co-located event stood out for its ambition and scope: Open Source SecurityCon. Scheduled as a full-day program running alongside the main conference, the event signals that open-source software security has moved well beyond the domain of engineering teams and into the strategic planning conversations of enterprise leadership worldwide.
The event, set for the week of April 1, 2026, at ExCeL London, represents a significant expansion of the CNCF’s commitment to security-focused programming. According to the CNCF’s official blog post, Open Source SecurityCon will feature a curated track of talks, panels, and workshops designed to address the most pressing security challenges facing organizations that rely on open-source infrastructure. The event is organized by the OpenSSF (Open Source Security Foundation), which operates under the Linux Foundation umbrella and has become the de facto coordinating body for open-source supply chain security initiatives.
A Response to Escalating Software Supply Chain Threats
The timing of SecurityCon’s expanded presence is no accident. Over the past several years, high-profile incidents—from the SolarWinds compromise to the Log4Shell vulnerability and the XZ Utils backdoor attempt discovered in 2024—have demonstrated that open-source software supply chains represent both a critical dependency and a significant attack surface for modern enterprises. Governments on both sides of the Atlantic have responded with regulatory frameworks, including the European Union’s Cyber Resilience Act (CRA), which imposes new obligations on manufacturers and distributors of products containing software, including open-source components.
Open Source SecurityCon’s programming directly addresses these regulatory shifts. Sessions planned for the London event cover topics including software bill of materials (SBOM) generation and consumption, supply chain integrity verification using frameworks like SLSA (Supply-chain Levels for Software Artifacts), and practical guidance for complying with the CRA’s requirements. The CNCF noted in its blog announcement that the European venue makes this regulatory content especially timely, as many attendees will be grappling with CRA compliance timelines that begin taking effect in 2027.
From Niche Gathering to Must-Attend Event
SecurityCon has grown considerably since its origins as a modest half-day track at KubeCon. The event now draws hundreds of dedicated attendees, including CISOs, platform engineers, security architects, and open-source maintainers. Its evolution mirrors the broader professionalization of cloud-native security, a field that barely existed a decade ago and now supports a multi-billion-dollar market of vendors, consultancies, and managed service providers.
The 2026 edition features content organized around several thematic pillars. These include vulnerability management and disclosure practices, runtime security for containerized workloads, identity and access management in distributed systems, and the emerging challenge of securing AI and machine learning pipelines that depend heavily on open-source frameworks. The inclusion of AI security content reflects the rapid adoption of tools like Kubernetes-based inference serving platforms and the growing recognition that AI supply chains carry many of the same risks as traditional software supply chains—and some novel ones besides.
The OpenSSF’s Growing Influence on Industry Standards
The OpenSSF, which serves as the organizing force behind SecurityCon, has expanded its influence considerably since its founding in 2020. The foundation now oversees projects including Sigstore (a free code-signing service for open-source developers), Scorecard (an automated tool for assessing the security posture of open-source projects), and the GUAC project (Graph for Understanding Artifact Composition), which aims to make SBOM data queryable and actionable at scale.
Several of these projects will feature prominently at SecurityCon Europe 2026. According to the CNCF’s event overview, workshops will provide hands-on experience with Sigstore integration, SBOM tooling, and vulnerability scanning pipelines. The emphasis on practical, implementable guidance distinguishes SecurityCon from more academic security conferences and reflects the engineering-first culture of the KubeCon community.
Enterprise Adoption Drives Demand for Hardened Open-Source Infrastructure
The growth of events like SecurityCon reflects a fundamental tension in enterprise technology: organizations have become deeply dependent on open-source software—by some estimates, open-source components constitute 70% to 90% of modern application codebases—yet many lack mature processes for tracking, updating, and securing those components. The consequences of this gap have been laid bare repeatedly, most recently in incidents where known vulnerabilities in widely used libraries went unpatched for months in production environments at major corporations.
KubeCon itself has become one of the largest open-source technology conferences in the world, regularly drawing more than 10,000 attendees to its European edition. The co-located event model allows specialized communities to convene under the same roof, and SecurityCon’s placement alongside other co-located events—including AppDeveloperCon, BackstageCon, and OpenTofu Day—creates opportunities for cross-pollination between security practitioners and the developers and platform engineers whose work they aim to secure.
Key Sessions and Speakers to Watch
While the full schedule had not been finalized at the time of the CNCF’s announcement, the organization indicated that the call for proposals attracted a record number of submissions for the security track. Past SecurityCon events have featured talks from engineers at Google, Microsoft, Red Hat, Chainguard, and other organizations with significant investments in open-source security tooling. The 2026 event is expected to include sessions on post-quantum cryptography readiness for cloud-native systems, a topic gaining urgency as NIST finalizes its post-quantum cryptographic standards and organizations begin planning migration timelines.
Other anticipated topics include the security implications of WebAssembly (Wasm) workloads running on Kubernetes, advances in eBPF-based runtime security monitoring, and case studies from organizations that have implemented end-to-end supply chain security using OpenSSF tools. The CNCF’s blog post emphasized that the program committee prioritizes talks that share real-world implementation experiences over product pitches, a curation philosophy that has helped SecurityCon maintain credibility with its technically demanding audience.
The Regulatory Dimension: Europe as a Proving Ground
Hosting SecurityCon in London places it at the intersection of multiple regulatory regimes. The UK’s own post-Brexit cybersecurity framework, the EU’s Cyber Resilience Act, and the broader push toward software transparency requirements in government procurement all create a complex compliance environment for organizations operating across borders. SecurityCon sessions addressing regulatory topics are expected to draw significant attendance from legal and compliance professionals in addition to engineers—a shift that would have been unthinkable at a KubeCon co-located event just a few years ago.
The CRA, in particular, has generated intense debate within the open-source community. While the final text includes exemptions for non-commercial open-source development, the boundaries of those exemptions remain subject to interpretation, and organizations that package or distribute open-source software commercially face new documentation and vulnerability handling requirements. SecurityCon’s European edition is positioned as a venue where these ambiguities can be discussed among practitioners, legal experts, and policymakers.
What This Means for the Broader Cloud-Native Community
The elevation of security programming at KubeCon reflects a maturation of the cloud-native community itself. In the early years of Kubernetes adoption, the primary concerns were operational: how to deploy, scale, and manage containerized workloads reliably. Security was often treated as an afterthought, bolted on after architectures were already in production. The prominence of SecurityCon at KubeCon Europe 2026 suggests that this phase is ending. Security is increasingly treated as a foundational requirement, integrated into CI/CD pipelines, platform engineering practices, and organizational governance structures from the outset.
For industry participants planning their conference schedules, Open Source SecurityCon at KubeCon Europe 2026 represents one of the year’s most significant gatherings of cloud-native security expertise. Registration details and the final program schedule are expected to be published on the CNCF’s website in the coming weeks. The event takes place during the first week of April at ExCeL London, with SecurityCon running as a full-day co-located event on the opening day of the broader KubeCon + CloudNativeCon program.