VulnCon 2026 Recap: Sun, Strategy, and Security!

By Grace Staley, FIRST Events Team
Monday, May 18th, 2026

What happens when you gather hundreds of vulnerability management professionals in the Arizona sunshine for a week of collaboration, workshops, debates, and margaritas? VulnCon 2026, and this year's event was bigger, bolder, and more collaborative than ever.

Hosted by the Forum of Incident Response and Security Teams ("FIRST") and the CVE Program, the third annual VulnCon took over the DoubleTree Scottsdale last month, bringing together 350 in-person attendees and another 130 virtual participants from around the globe. In total, 25 countries were represented onsite, with 17 more joining virtually, proving once again that vulnerability management is truly an international team sport.

The week was packed with sessions tackling some of the industry's hottest and most complex topics. Attendees dug into conversations around AI's growing role in vulnerability management, the evolution of the CVE Program, automation and data modeling, vulnerability record disputes, NVD enrichment efforts, and coordinated messaging from organizations like CISA and ENISA.

There were also thoughtful discussions about vendor bias, governance, and data quality. But VulnCon wasn't just about talking through problems; it was about rolling up sleeves and working together toward practical solutions for the community at large.

The conference featured a dedicated workshop day, where attendees moved beyond presentations into action. Participants joined tabletop exercises, explored the complexities of CVE-to-CWE mapping, and participated in a hands-on vulnerability management lab designed to turn theory into practice.

VulnCon also served as the gathering point for the International Coordinators Summit, bringing together the Global Community of Practice on Coordinated Vulnerability Disclosure (CVD-COP) alongside stakeholders from public and private organizations. The mission? Strengthening global cooperation, sharing lessons learned, and harmonizing vulnerability coordination practices worldwide!

Of course, no conference thrives on slide decks alone. VulnCon delivered plenty of opportunities for attendees to connect face-to-face, which is what FIRST values most. From the Women of FIRST meetup to EPSS SIG gatherings and CVE Program Working Group sessions, the week created space for collaboration both formal and informal.

A margarita social on the beautiful Scottsdale lawn gave attendees the chance to trade stories under the Arizona sunset, while the sponsor social kept conversations flowing long after sessions ended. A highlight of the week was the Wednesday night outing at Western Spirit: Scottsdale's Museum of the West, which provided a uniquely Southwestern backdrop, blending finger-food discussion with cowboy culture, inspiring Native American art, and a little local history. Because sometimes the best conversations about CVSS scoring take place next to a giant bronze horse statue.

At its core, VulnCon continues to center on one simple idea: collaboration makes the ecosystem stronger. That spirit was reflected throughout the conference, not only in the sessions, but also in the overwhelming support from sponsors. An incredible 34 organizations came together to support the event and invest in advancing vulnerability management practices across the industry. Read more about our 2026 sponsors at: https://www.first.org/conference/vulncon26/sponsors.

What our sponsors are saying:

Missed VulnCon 2026?

Good news: you can still catch many of the TLP:CLEAR sessions soon on FIRST's official YouTube channel. Be sure to like and subscribe! And if this year's recap gave you that conference FOMO, now's the perfect time to mark your calendar: VulnCon returns in 2027!

Heading back to Scottsdale March 30 - April 2, 2027, we're looking forward to another week of vulnerability management, collaboration, and community-building. The call for speakers is expected to open around December 2026, with sponsorship opportunities becoming available in October.

Whether you're a seasoned vulnerability management veteran, an emerging researcher, a program coordinator, or simply passionate about improving the ecosystem, VulnCon is just the place. See you in Scottsdale!