Security leaders are asked to make high-stakes decisions based on risk scores, heat maps, and predictive models, but too often those signals are built on assumptions rather than evidence. As exploitation accelerates and attack paths grow more complex, leaders face a critical question: Which risks truly deserve attention and investment?

Exploit, Don’t Trust is a thought leadership series for security and risk decision-makers navigating this challenge. Bringing together industry voices and experienced security leaders, the series examines why theoretical risk alone is no longer sufficient and how an exploit-aware, evidence-driven mindset can improve prioritization, accountability, and outcomes.

Across the sessions, speakers will explore:

  • Why common risk metrics often misalign with real-world attacker behavior
  • How exploitation trends change what “high risk” actually means
  • The difference between reporting risk and reducing it
  • Why cyber confidence is often misplaced (why organizations believe they’re secure when they’re not)

Designed for directors, security leaders, and executives responsible for cyber risk strategy, this series focuses on how to make better risk decisions—cutting through noise, challenging inherited models, and aligning security investments to what demonstrably threatens the business.

March 18, 2026
9:00 AM – 12:00 PM PT


Featuring

Ron Eddings
Hacker Valley Media

Patrick Garrity
Security Research
Vulnerability Intelligence

Bob Lord
SVP for Digital Security Strategy
Institute for Security and Technology (IST)

Professor Dan Haagman
CEO, Chaleit
Author

Chris Hughes
Founder, Resilient Cyber
VP Security Strategy, Zenity
Author

Lance Seelbach
Director Global Lead, Cybersecurity, AI/Automation
DXC Technology

Sumedh Thakar
President and CEO
Qualys

Jonathan Trull
CISO, EVP & GM Risk Management Business
Qualys

Himanshu Kathpal
VP Product Management
Qualys

Saeed Abbasi
Senior Manager
Qualys Threat Research Group (TRU)

Agenda

9:00 AM PT

Opening Perspectives on Cyber Risk

Cybersecurity thought leader and co-founder of Hacker Valley Media, Ron Eddings will open the session with a welcome and set the stage for a forward-looking conversation on redefining cyber risk in the age of AI. Drawing on insights from his work with global security leaders, Ron will frame the key themes shaping today’s risk landscape and prepare the audience for an engaging executive dialogue.

Ron Eddings
Hacker Valley Media

9:15 AM PT

Rethinking Cyber Risk in the Age of AI

Cybersecurity leaders are under increasing pressure to translate technical exposure into business impact. As AI accelerates innovation—and expands the attack surface—the conversation must shift from vulnerability counts to measurable risk.

Join Sumedh Thakar, CEO of Qualys, and Professor Dan Haagman for a candid fireside chat exploring how organizations can operationalize cyber risk in a world defined by AI, automation, and increasing regulatory scrutiny. They’ll examine how to align security strategy with business priorities, quantify risk in financial terms, and build a more resilient enterprise through data-driven decision-making.

Expect an engaging discussion that bridges academic insight with real-world execution—offering practical perspectives for CISOs, risk leaders, and boards navigating the next era of cyber risk management.

Sumedh Thakar
President and CEO
Qualys

Professor Dan Haagman
CEO Chaleit, Author

9:45 AM PT

Turning Vulnerability Intelligence into Measurable Risk Reduction

In this Cyber Risk Series session, Patrick Garrity and Saeed Abbasi take a practical look at what exploitation trends are really telling us—and why simply “prioritizing by severity” doesn’t cut it anymore.

Building on recent research findings and a large dataset of newly issued CVEs, they’ll dig into how fast vulnerabilities move from disclosure to active exploitation, where remediation efforts stall, and why certain technologies, especially network edge and end-of-life devices, continue to show up in breach headlines.

Most importantly, the session connects research to reality. By pairing external threat intelligence with real-world detection and remediation data, Patrick and Saeed will show how to separate theoretical risk from exploitable risk. You’ll walk away with practical ideas for sharpening your focus, improving scoring and categorization, and turning vulnerability management into something measurable: real, provable risk reduction.

Patrick Garrity
Security Research, Vulnerability Intelligence
VulnCheck

Saeed Abbasi
Senior Manager
Qualys Threat Research Group (TRU)

10:30 AM PT

Root Cause: Why Exploitable Vulnerabilities Still Ship in 2026 and What Secure by Design Means for the Industry

Exploitable vulnerabilities are being weaponized faster than organizations can patch them. Yet many security teams are still overwhelmed by vulnerability lists that don’t clearly indicate real risk. Why does exploitable software continue to ship—and what must change to stop it? In this panel, security leaders examine the root causes behind persistent vulnerabilities and discuss how exploit validation, smarter prioritization, and Secure by Design practices can help organizations focus on what actually matters: confirming and reducing real-world risk before attackers do.

Jonathan Trull
CISO, EVP & GM Risk Management Business
Qualys

Bob Lord
SVP for Digital Security Strategy
Institute for Security and Technology (IST)

Chris Hughes
Founder, Resilient Cyber
VP Security Strategy, Zenity
Author

11:00 AM PT

Are We Exposed: An Executive Playbook for Answering the Question That Keeps Leadership Awake at Night

It’s 6:47 AM. Your phone lights up with a text from the CEO: “Are we exposed?”

It’s a three-word question. The answer requires everything your security program is — or isn’t — built to deliver.

SolarWinds SUNBURST. Log4Shell. MOVEit Transfer. Ivanti VPN. XZ Utils. The names are different. The morning is always the same. In each case, a critical vulnerability emerged — often already under active exploitation before the advisory was even published. IT and Security leaders across every industry have faced the identical moment: three simultaneous, urgent questions from leadership arriving before the coffee was made. Do we have the software? Are we patched? Were we compromised?

This session approaches IT risk management from the seat where it matters most – the executive chair. Rather than focusing on any single event, we use a cross-section of the most consequential zero-days of the past five years as a mirror: what did these crises reveal about organizational readiness, and what separated the teams that answered with confidence from those still searching for the answer two weeks later?

We will examine four critical challenges every security executive faces when a high-profile CVE breaks. We’ll also deliver three concrete, time-bounded actions every attendee can execute immediately – not a roadmap, not a maturity model, but three things you can start this week that will meaningfully improve your organization’s ability to answer the CEO’s next 6:47 AM text.

Lance Seelbach
Director Global Lead, Cybersecurity, AI/Automation
DXC Technology

11:30 AM PT

Bridging the Gap Between Probability to Confirmed Exploitability

Risk-based vulnerability prioritization is a powerful filter, but it has a hard ceiling because it estimates likelihood rather than certainty. A vulnerability that scores critical may be entirely unreachable behind your deployed controls; a medium-severity finding may be trivially exploitable.

This session will highlight how closing that gap requires moving from probability to proof through exploit-based validation that deterministically confirms whether a vulnerability is actually exploitable within your specific environment. The speakers will also discuss how autonomous validation agents take this further by operationalizing confirmation at scale, continuously probing across dynamic environments, respecting safety guardrails to prevent disruption, and feeding confirmed findings directly into remediation pipelines. The result is a remediation posture grounded in evidence, not assumption.

Himanshu Kathpal
VP Product Management
Qualys

Saeed Abbasi
Senior Manager
Qualys Threat Research Group (TRU)