What Two BSides Conferences Taught Us About the Future of Security Compliance

Jon and I attended BSides SLC and BSidesOK in April as sponsors. At both events, security teams felt overwhelmed by compliance paperwork and frustrated with tools that create extra steps instead of making processes easier. Cyberbase can resolve these challenges.

April 15, 2026



I will be honest. I did not expect to come home from April with this many notes.

Jon and I packed our schedules tight this month. BSides Salt Lake City on April 9–10, then straight into BSides Oklahoma on April 24–25, where Cyberbase was a Silver sponsor. Two different cities, two different communities, and yet the hallway conversations sounded almost identical. Security teams are tired. Not tired of security work — tired of the paperwork surrounding it. Tired of tools that promise automation but really just give you a fancier interface for the same manual grind.

That probably sounds familiar if you work in GRC. It definitely sounds familiar to us.

For anyone who has not been to a BSides event, a little context. These are not your typical vendor-heavy mega-conferences. BSides events are community-organized, volunteer-run, and deliberately free or low-cost. No massive expo floors. No corporate keynotes built around a product launch. The whole movement traces back to 2009 when a bunch of solid talks got rejected from Black Hat — not because the talks were bad, but because there were too many submissions. So a group of people rented a house in Las Vegas, invited about 200 folks, and ran their own event. They called it "Security BSides," a nod to the B-side of a vinyl record. Less commercial, but often way more interesting.

That scrappy energy still runs through every BSides event I have attended. And it is exactly the kind of environment where you hear what people really think — not what they say on a webinar.

Salt Lake City: conversations that do not fit on a slide

BSidesSLC happened at the Karen Gail Miller Conference Center in Sandy, Utah. The organizers — BSides Utah Cybersecurity Society, a 501(c)(3) non-profit — run the whole thing under a tagline that tells you everything: "For the People, By the People."

Cyberbase: turn security into revenue

Day one was workshops and hands-on training. Day two was talks — red teaming, blue teaming, cloud security, AI and security, GRC, privacy, threat detection, career development. All the topics you would expect. But what actually got my attention happened mostly off-stage.

The Women in Tech Luncheon was a highlight. Dr. Shalini Kesar — she is a Professor of Cybersecurity at Southern Utah University and the founder of Women in Cybersecurity Utah — led a session on being K.I.N.D. About 40 people in the room, and the conversation went places you rarely get to in a conference setting. We talked about empathy, about leadership under pressure, about what happens to teams when compliance demands outpace the humans handling them. Not a single vendor pitch in sight. Just people being real about the work.

And then the hallway conversations. I lost count of how many people told me some version of the same story: "We are buried in questionnaires. Our GRC analyst quit. We are three months behind on DDQ responses and every deal is slowing down because of it."

One guy — security lead at a mid-size SaaS company — pulled up his inbox and showed me 14 open DDQ requests. Fourteen. His team is two people. He laughed when he said it, but it was not a happy laugh.

Those are the conversations where you realize the problem is not theoretical. It is sitting in someone's inbox right now.

BSidesSLC also had some fun community touches I want to mention. Custom Meshtastic-enabled electronic badges, fully hackable and open-source. CTF tournaments running alongside main sessions. A CyberPassport Challenge using LilyGo T-Dongle S3 hardware. The whole thing felt like the cybersecurity community at its best — people learning, tinkering, and sharing what they know without any strings attached.

BSidesSLC: Cyberbase team

Oklahoma: one talk that said the quiet part out loud

BSidesOK landed two weeks later at the Cox Business Convention Center in Tulsa. Cyberbase was a Silver sponsor, which meant we had a booth and a chance to talk with attendees all day. The event draws people from Oklahoma, Kansas, Arkansas, Texas, Missouri — a big regional pull for a free conference. Day one was training (web app pentesting, network pentesting with tools like Chisel and Ligolo-ng, SOC fundamentals, detection engineering labs). Day two had three concurrent talk tracks plus an AI Security Summit, a Student Day, and a Tech Village.

Good stuff across the board. FBI Special Agent Camron Borders walked through Operation Moonlander — the FBI and Dutch National Police dismantling the Anyproxy/5socks Botnet. Geoff Wilson did a sharp session mapping this year's most interesting breaches to real controls. J Fridley presented a community-driven Application Attack Matrix with contributors from Mandiant, Microsoft, AWS, and Meta.

But the talk I keep coming back to is Ian Anderson's:

"The Adversary Doesn't Care About Your Compliance Score."

Anderson leaned on Cyber Persistence Theory to make a point that resonated with basically everyone I talked to afterward. Adversaries run continuous campaigns. They adapt, they persist, they evolve. And while they are doing that, defenders are pouring enormous resources into achieving compliance scores that measure whether you followed a process — not whether you can actually withstand an attack.

I want to be clear: nobody at BSidesOK (or BSidesSLC, for that matter) was arguing that compliance does not matter. SOC 2 matters. ISO 27001 matters. Thorough due diligence matters. What people are frustrated with is the volume of manual labor compliance demands when you do not have the right tools. Answering the same questions across dozens of DDQs. Redlining the same contract clauses by hand. Rebuilding trust documentation from scratch every quarter.

That frustration is the reason Cyberbase exists. Jon and I did not start this company because we thought compliance was pointless. We started it because we watched security teams at companies of every size lose hundreds of hours to paperwork that should not require a human in the loop at all.

Cyberbase jamming at BSides Oklahoma

Burnout is not just an HR problem

Stephen Engler's BSidesOK talk — "Burned-Out Admins: Your Most Exploitable Vulnerability" — landed hard.

Here is the thing about burnout in security: it does not just make people miserable. It makes organizations vulnerable. Fatigued analysts miss alerts. Overloaded GRC teams cut corners on questionnaire responses. People who are running on empty make mistakes they would never make at full capacity.

The numbers back this up. Seventy-six percent of cybersecurity professionals report burnout, according to a Sophos survey of 5,000 people across 17 countries. Sixty percent of teams manage five or more compliance frameworks at the same time. The global cybersecurity workforce gap is 4.8 million people. That gap is not closing — and the compliance workload keeps growing.

When I hear those numbers, I do not think "we need to hire more people." I think "we need to stop asking people to do work that machines should handle." Not the strategic work. Not the judgment calls. The repetitive paperwork. The DDQs with 200 questions that are 80% identical to the last DDQ. The contract redlines where you are flagging the same indemnification clause for the fortieth time this quarter.

That is where AI-native automation earns its place. And I do mean AI-native — not a chatbot stapled onto an existing GRC platform. There is a real difference, and practitioners at BSidesOK could tell.

BSides Oklahoma 2026: Cyberbase

The agentic AI conversation is getting serious

BSidesOK ran an AI Security Summit alongside the main tracks, and it reflected something Jon and I are seeing industry-wide. Agentic AI — autonomous systems that can plan, adapt, and execute multi-step operations on their own — is the cybersecurity topic of 2026, on both the offensive and defensive sides.

Andre Piazza showed how criminals use AI to spin up scam campaigns around breaking news and natural disasters. Andy Lewis explored attacks on machine learning models through Python pickle files (his talk title, "Death By (Python) Pickle: 'Betrayal ML'," was arguably the best talk title of the whole event). And on the defense side, speakers dug into how AI-native architectures can handle alert triage, autonomous threat blocking, and GRC workflow automation at a scale that human teams simply cannot match.

What I kept hearing in the room — and in the conversations afterward — is that security teams are past the "can AI do this?" phase. They are in the "which AI architecture actually works?" phase. They have tried the bolt-on tools. They have seen the generic LLM wrappers that hallucinate policy details and get compliance answers wrong. They want something purpose-built.

That is why we invested so heavily in the Context Engine at Cyberbase. It continuously indexes your security policies, SOC 2 reports, compliance certifications, and previous questionnaire responses. When a new DDQ lands, the AI does not guess. It pulls from what your organization has actually documented and committed to. When a contract needs redlining, it checks against your approved playbook. The accuracy comes from the context — and the context has to be real, current, and specific to your company.

Cyberbase team: Security at the Speed of Sales

Three patterns that showed up at both events

I spent a lot of time at our BSidesOK booth just listening. Between that and the hallway conversations at BSidesSLC, three themes kept surfacing.

People want to kill the paperwork, not manage it better. Nobody asked us for a prettier dashboard or a more sophisticated workflow. They asked: "Can you make this go away?" The team at Augment Code had the same reaction — they were buried under 155 contracts and hundreds of DDQ questions before they started using Cyberbase. They got 743 hours back and a 13:1 return on investment. Not because the compliance requirements disappeared. Because the manual labor did.

Trust is becoming a revenue accelerator. Multiple speakers at both events framed security posture as a sales advantage, not just a risk mitigation exercise. Enterprise buyers run third-party risk assessments earlier in the sales cycle than they used to. If your trust documentation is easy to find and easy to verify, deals close faster. If it is locked behind a sales call or buried in a PDF, you lose momentum. That is why our Trust Portal is free forever. Competitors charge $6,000 to $15,000 a year for what amounts to a documentation hosting page. We think every company — regardless of size or budget — should be able to share their security posture publicly without paying a toll.

The "AI-native versus bolt-on" debate is settled among practitioners. A year ago, people were skeptical about AI in security workflows. Now the skepticism has shifted. Nobody doubts AI can help. The question is whether the AI was designed for this from the start, or whether it was grafted onto a platform that was built for a different era. Cyberbase was AI-first from day zero — not a legacy tool with AI features tacked on later. We use Anthropic's ISO 42001-certified models under commercial terms that prohibit training on customer data. The architecture matters because practitioners can feel the difference when accuracy and context are baked in rather than bolted on.

So what now?

I walked away from two BSides conferences in one month with a notebook full of scribbles and a stronger conviction about the direction we are heading.

The cybersecurity community does not need another tool that adds work. It does not need another platform that requires three months of onboarding before you see value. What it needs is software that eliminates the busywork so security teams can focus on the stuff that actually reduces risk — threat detection, incident response, architectural improvements, the work they got into this field to do.

Jon and I built Cyberbase out of our own frustration. We run YSecurity, a cybersecurity consulting firm, and we saw the compliance paperwork problem firsthand with every client engagement. Jon dealt with it at Apple. He dealt with it at Robinhood. We talk about it constantly on The Security Podcast of Silicon Valley. It is the problem that never goes away — unless you build something that finally solves it.

BSides conferences represent the best of our industry. Practitioners sharing real knowledge. Building real relationships. Demanding real solutions, not marketing. We were proud to be part of both BSidesSLC and BSidesOK this year, and we are taking every conversation back to our product team.

If we connected at either event — thank you. If we missed you, reach out. I genuinely want to hear what your team is dealing with.

And if your team is losing too many hours to security questionnaires, contract reviews, or cobbling together a trust presence from scratch — let us show you what it looks like when the paperwork actually goes away.

Cyberbase: Contract Redlining Software

Sasha Sinkevich is the Co-Founder of Cyberbase and YSecurity. He co-hosts The Security Podcast of Silicon Valley and has spent his career building enterprise security products for cloud-native and hybrid environments.

FAQ: Insights from the BSides Conferences 2026

What are the key takeaways from BSides cybersecurity conferences in 2026?

The biggest themes across BSides Salt Lake City and BSides Oklahoma in 2026 were compliance fatigue hitting security teams hard, agentic AI emerging as both a major threat and a powerful defensive tool, and a clear demand from practitioners for AI-native automation that removes manual GRC paperwork instead of adding new processes on top of it.

What is a BSides cybersecurity conference?

BSides (Security BSides) is a grassroots, volunteer-organized cybersecurity conference movement that kicked off in 2009. The events are free or low-cost, vendor-neutral, and built around practitioner knowledge sharing. More than 1,200 events have run across 270-plus cities in nearly 70 countries. Each one is independently organized by local community members.

How is AI changing GRC and compliance automation in 2026?

AI-native platforms are taking over repetitive GRC tasks like answering security questionnaires, redlining contracts, and maintaining trust documentation. The key difference in 2026 is the shift from bolt-on AI features added to legacy tools toward purpose-built platforms that index an organization's actual policies, certifications, and prior responses to generate accurate, context-aware outputs.

What is a Trust Center in cybersecurity?

A Trust Center is a public-facing page where a company proactively shares its security posture — compliance certifications, SOC 2 reports, security policies, and trust documentation — so prospects and customers can review it on their own. It speeds up sales cycles by giving buyers the security information they need before a formal due diligence process even starts.

What is compliance fatigue in cybersecurity?

Compliance fatigue is the burnout and exhaustion that security teams experience when the volume of compliance work outpaces their capacity. Surveys show 76 percent of cybersecurity professionals report burnout, and 60 percent of teams juggle five or more compliance frameworks at the same time. It becomes a security risk because overloaded teams cut corners and make mistakes on the processes meant to protect their organizations.

How can security teams automate DDQ and security questionnaire responses?

AI-native platforms like Cyberbase automate DDQ responses by continuously indexing a company's security policies, SOC 2 reports, certifications, and past questionnaire answers into a knowledge layer called the Context Engine. When a new questionnaire comes in, the AI generates answers grounded in what the organization has actually documented — cutting response time from days or weeks down to minutes.
