BSides Nashville 2026 Recap: 5 Cybersecurity Trends Security Leaders Can't Ignore

Spent a day at BSides Nashville 2026. Five patterns stood out from the floor: attack surface is outpacing visibility, peer trust is replacing vendor pitches, agentic AI is moving from demos to ops, security leaders are sick of tool sprawl, and the certified-to-deal-ready gap is bigger than ever.

May 23, 2026

5 min read



I spent Friday on the floor at Marathon Music Works.

If you've never been to BSides Nashville, here's the picture: a music venue turned conference hall, two tracks split between Marathon Music Works and The Foundry across the street, a CTF running all day in the back, no big sponsor stages, no badge scanners herding you into demos. Just talks, hallway conversations, and a coffee bar that didn't quit until the regular bar opened at 2.

Cyberbase at BSides Nashville

Sasha and I came in expecting hallway conversations. We left with five patterns I think every security leader should be paying attention to. Writing them down before the impressions blur.

Here's what stuck.

1. Attack surface is growing faster than visibility — and practitioners know it

Ben Sadeghipour, better known as NahamSec, opened the day with the keynote. If you don't know his work: he's found more than 1,000 vulnerabilities at companies like Apple, Amazon, Airbnb, and Snapchat. He's a co-founder of HackingHub.io and advises Caido. He talked about attack surface management the way a hunter talks about the woods — with detail, patience, and a frankness most vendors can't fake.

The takeaway I wrote down twice in my notebook: most teams don't have an attack surface problem. They have a "knowing what they have" problem.

That tracks with what I heard at the booths and in the hallway. Security teams aren't asking for another scanner. They're asking how to figure out which assets actually exist, which actually matter, and which actually got worse since last quarter. The "what do we have" question keeps coming up because nobody's solved it cleanly. Cloud sprawl, shadow IT, AI tools spinning up new endpoints every week. The perimeter isn't dissolving. It's multiplying.

Why this matters for security leaders: every quarter you spend without a clean asset inventory is a quarter where your control coverage numbers are a guess. The pen testers know it. Your auditors are starting to know it. Your customers' security teams already know it, which is why their security questionnaires keep getting longer.

2. The vendor-pitch era is over (at least in this room)

BSides Nashville is explicit about this. No vendor talks. No vendor labs. From their published CFP: "We focus on education, not product pitches." That's not marketing copy. It's enforced. Speakers present live with no recordings, and any session that drifts into product theater gets called out from the audience.

I'm a founder. I run two companies. I noticed.

What it signals is bigger than one conference. Practitioners trust their peers more than they trust analyst rankings, more than paid placements, more than the dashboards at major expos. The signal-to-noise ratio at vendor events has collapsed. BSides isn't growing because it's free. It's growing because it's credible.

Security leaders I talked to said the same thing in different ways. They're getting hit with 8 to 10 cold pitches a week. They've stopped responding. They're going to where the conversation is honest, even if it's smaller. If you're a vendor — and I am — the only way back through the door is to show up like a peer, not a sponsor.

3. Agentic AI is moving from demos to dirty work

There's an inflection happening with agentic AI security and I felt it in the hallway more than on the stage.

A year ago "AI in security" meant a sidebar in your SIEM that summarized alerts. Now it means something different. I heard practitioners talking about workflows where an AI agent does the boring 70% of the work — the parsing, the lookups, the cross-referencing — and the human analyst makes the call. Vulnerability triage. Phishing review. Compliance evidence collection. Security questionnaire response.

The shift isn't "AI replaces the analyst." It's "AI replaces the parts of the analyst's day they hate."

That's a useful frame for security leaders to hold. The teams winning with agentic AI right now aren't chasing autonomous SOCs. They're chasing time back. Our customer Augment Code is a good example: 743 hours of legal and security work saved across 155 contracts last year. The framing they liked best wasn't a productivity slide. It was "we got our deals out the door faster."

If you're a CISO sitting on a budget conversation, that's a frame worth stealing. Agentic AI doesn't have to be sci-fi. It has to remove a specific kind of toil.

4. The tool sprawl backlash is real — and it's coming for compliance next

I lost count of how many times I heard some version of: "We don't need another tool, we need fewer tools that do more."

The average mid-market security team is running 30 to 50 vendors. Half are point solutions that solved one problem in 2022 and now sit there generating tickets nobody triages. CISOs are doing rationalization passes. Not because they want to save money, though they do, but because the cognitive load of running that many integrations is breaking their teams.

Compliance and GRC was the next domain people pointed at. One person I won't name (the hallway is the hallway) said their team uses four separate platforms just to handle SOC 2 Type 2 evidence collection, security questionnaires, third-party risk management, and contract review. Four platforms. Four logins. Four renewals.

Cyberbase AI for deal acceleration at BSides Nashville

This is where I think the next consolidation wave hits. Security questionnaires, due diligence questionnaires, vendor risk reviews, and AI contract redlining are all the same fundamental workflow: prove your security posture to someone who's about to send you money or send their data to you. Treating that as four separate products is a 2020 idea. Practitioners are over it.

5. The certified-to-deal-ready gap is the real bottleneck

This is the pattern I came in looking for, and BSides confirmed it.

Most security teams I talked to are SOC 2 Type 2 certified. They have ISO 27001 in motion or done. They have policies, evidence rooms, the works. By any standard framework, they're compliant.

And they're still bleeding two to six weeks per deal on security review.

Why? Because certified and deal-ready aren't the same thing. Being certified means an auditor signed off. Being deal-ready means you can prove your security posture, in detail, in the format the buyer's procurement team wants, in the timeline their legal team wants, with the contract terms their counsel will accept — and you can do it without pulling your CISO into every conversation.

That's the gap stalling deals. Nobody at the big compliance vendors is solving it, because their business model is selling you the certification, not closing the loop after it.

Security questionnaire automation is one piece. Due diligence automation is another. AI contract redlining is the third. A Trust Center that actually answers the most common questions before procurement has to ask them is the fourth. Put those together and you're not selling "compliance software." You're selling a deal accelerator.

That's the thing we're building at Cyberbase. And BSides Nashville made me more sure of it than I was Thursday night.

Turn security into revenue with Cyberbase (BSides Nashville)

What I'm taking back to the team

A few practical notes, mostly for our roadmap but maybe useful for yours:

  • We're going deeper on the asset inventory question. Even our customers with clean compliance posture are guessing on coverage. That's a wedge nobody's closed.
  • We're leaning harder into peer-led content. Vendor whitepapers are not the future. Practitioner-authored writing with hard numbers is.
  • Agentic AI investment continues, framed around hours saved and deals shipped. Not autonomy theater.
  • The Trust Center matters more than I thought in March. Half the conversations I had at BSides involved someone asking how to expose their posture without exposing their secrets.

If you were at BSides Nashville and saw something different, I'd love to hear it. Email me, DM me on LinkedIn, or grab 15 minutes on my calendar. The hallway track isn't over until the conversation stops.

Until next year, Nashville.

— Jon

Frequently Asked Questions

What is BSides Nashville?

BSides Nashville is a volunteer-run, non-profit information security conference held annually in Nashville, Tennessee. The 2026 event took place on Friday, May 15 at Marathon Music Works and The Foundry, with talks split between a Red Team (offense) track and a Blue Team (defense) track. The conference is known for its no-vendor-pitch policy: only practitioner-led talks and workshops.

Who was the BSides Nashville 2026 keynote speaker?

The 2026 keynote was delivered by Ben Sadeghipour, better known as NahamSec. He's a co-founder of HackingHub.io, an advisor to Caido, and one of the most prolific bug bounty hunters in the industry, with more than 1,000 vulnerabilities disclosed at companies including Apple, Amazon, Airbnb, and Snapchat.

What are the biggest cybersecurity trends from BSides Nashville 2026?

Five trends stood out: (1) attack surface management remains the unsolved foundation for most security programs, (2) practitioners increasingly distrust vendor pitches and seek peer-led learning, (3) agentic AI is shifting from demos to operational work like vulnerability triage and questionnaire response, (4) tool sprawl backlash is driving consolidation across security stacks, and (5) the gap between being certified and being deal-ready is the real bottleneck for B2B SaaS revenue.

Why does the certified-to-deal-ready gap matter for security leaders?

Being SOC 2 Type 2 certified or ISO 27001 audited doesn't automatically translate into closing enterprise deals quickly. Security questionnaires, due diligence questionnaires, contract redlining, and Trust Center requests still consume two to six weeks per deal on average. Closing that gap requires treating security review as a deal acceleration problem, not just a compliance problem.

How is agentic AI being used in security operations today?

Practitioners at BSides Nashville described using agentic AI for vulnerability triage, phishing review, compliance evidence collection, security questionnaire response, and AI contract redlining. The pattern is consistent: AI handles the repetitive parsing and lookup work, while human analysts retain decision authority. Cyberbase customer Augment Code saved 743 hours of legal and security work across 155 contracts using this approach.

What is the difference between security questionnaires and due diligence questionnaires?

A security questionnaire (often called a SIG or CAIQ) typically focuses on controls, configurations, and certifications. A due diligence questionnaire is broader — it covers security posture alongside financial, operational, legal, and vendor risk topics. Both are standard in B2B procurement and third-party risk management workflows.

Where can I find Cyberbase's coverage of BSides events?

Cyberbase publishes recaps and field notes from major information security conferences on the Cyberbase blog, including BSides Salt Lake City, BSides Oklahoma, and BSides Nashville. Our co-founders Sasha Sinkevich and Jon McLachlan attend community events throughout the year.
