Qualys ROCon Public Sector 2026 - Agenda

Agenda

Times are subject to change.

8 AM EDT Thursday, May 14

Welcome to ROCon 2026!

9 AM EDT Thursday, May 14

Frank Konkel
Editor-in-Chief
GovExec
9:10 AM EDT Thursday, May 14

Federal and defense organizations face persistent nation-state threats, expanding attack surfaces, and increasingly AI-enabled adversaries. While compliance remains necessary, it was never designed to reflect real-time operational risk. Agencies are now at an inflection point where cybersecurity must move beyond periodic compliance and reactive incident response toward a continuous, mission-aligned risk model that prioritizes prevention and security by design. This keynote will outline the next evolution of federal cyber operations through the Federal Risk Operations Center (ROC) and a shift from SOC-centric response to unified risk operations. The session will explore how agencies can integrate visibility, telemetry, threat intelligence, and compliance data into a continuous decision-making model that enables proactive prevention, measurable security outcomes, and reduced mission risk, and will introduce the Federal ROC White Paper and practical steps to begin this transition.

Katie Arrington
Chief Information Officer
ION Q
Frank Konkel
Editor-in-Chief
GovExec
9:35 AM EDT Thursday, May 14

As adversaries move at machine speed, federal agencies must rethink how cyber risk is managed and reduced, while also addressing various compliance mandates. In this session, Qualys CEO Sumedh Thakar will share a vision for the Risk Operations Center (ROC), a model that unifies asset and exposure data, validates threats, quantifies mission risk, and accelerates remediation to match the speed of detection. Powered with agentic AI to scale teams, the ROC represents a new approach to helping agencies continuously identify, prioritize, and eliminate cyber risk in a fast, accurate, and cost-effective way.

Sumedh Thakar
President & CEO
Qualys
10:20 AM EDT Thursday, May 14

Artificial intelligence is reshaping the cyber landscape, accelerating both offense and defense and raising new questions about autonomy, speed, and control. This session will examine how federal leaders are preparing for AI-enabled adversaries while thoughtfully evaluating the role of agentic AI and autonomous capabilities in cyber defense. The conversation will explore where these technologies create real operational advantage, the governance challenges they introduce, and how agencies are balancing innovation with trust, accountability, and mission assurance.

Dan Richard
Associate Deputy Director, Digital Innovation
CIA
Joe Kelly
Division Director, Applied Research Laboratory for Intelligence and Security (ARLIS)
University of Maryland
Victoria Yan Pillitteri
Computer Security Division
NIST
Jonathan Trull
EVP & CISO
Qualys
Frank Konkel
Editor-in-Chief
GovExec
11 AM EDT Thursday, May 14

Many agencies have taken the first steps on their Zero Trust journeys, but moving from initial adoption to sustained operational maturity introduces a new set of challenges. This session will explore how federal organizations are advancing Zero Trust across complex enterprise environments, including cloud and hybrid systems. Leaders will share how real-time defense, governance, and attack surface management are evolving, along with emerging considerations such as cryptographic agility and post-quantum readiness as agencies work to secure the future enterprise.

Ajay Phogat
Senior Advisor to CIO
U.S. Customs and Border Protection
Marisol Cruz Cain
Director, Information Technology and Cybersecurity
Government Accountability Office
Timothy Amerson
Federal CISO
Guidepoint Security (former CISO, SSA)
Rob Carraway
Principal Solutions Engineer
Okta
Tom Suder
Founder & President
ATARC
11:50 AM EDT Thursday, May 14

The cyber threat landscape has fundamentally shifted. The use of advanced AI models, such as Mythos, is accelerating both vulnerability discovery and exploitation, so attackers can now weaponize vulnerabilities at unprecedented speed and scale.

This session is designed for security leaders and practitioners navigating a new normal: if they continue operating business as usual, security organizations will likely be overwhelmed by the need to apply patches and respond to AI-discovered vulnerabilities, exploits, and autonomous attacks. We’ll discuss the importance of taking a mission-driven approach to cyber risk management to respond to the onslaught of vulnerabilities. Panelists will share what it takes to close confirmed risk before attackers act on it and will cut through the noise on autonomous remediation, exploring what it takes to deploy it safely and how to earn the trust of mission leaders in machine-speed patching.

Shailesh Athalye
Senior Vice President of Product and Solutions
Qualys
12:10 PM EDT Thursday, May 14

1 PM EDT Thursday, May 14

Federal agencies are navigating a growing web of cybersecurity mandates and frameworks while still being expected to deliver mission outcomes at speed. In this session, leaders will discuss how they are turning initiatives such as SWFT, CSRMC, CDM 2.0, FISMA M-24-04, and Continuous Authority to Operate (cATO) models into practical, operational programs. The conversation will highlight lessons learned from bridging policy and execution, automating compliance where possible, and aligning governance requirements with the realities of managing risk in live environments.

Hemant Baidwan
Chief Information Security Officer
Knox Systems (former DHS CISO)
Sean McAfee
Federal Chief Technology Security Officer
Qualys
1:30 PM EDT Thursday, May 14

As federal agencies accelerate cloud adoption and modern application development, cyber risk is increasingly embedded inside the software supply chain itself. From open-source dependencies to container images and automated CI/CD pipelines, adversaries are exploiting the earliest stages of development to gain downstream access to federal environments. Securing software can no longer be an afterthought or a final gate. It must be continuous, automated, and integrated across the entire development lifecycle. This session will explore how federal leaders are operationalizing Software Bills of Materials (SBOMs), strengthening pipeline security, and protecting cloud and containerized workloads as part of a modern, end-to-end software security strategy. Panelists will discuss how agencies are embedding security into DevSecOps, gaining visibility into components and dependencies, and reducing supply chain risk without slowing mission delivery.

Rosa Underwood
Senior Cybersecurity Advisor, Federal Acquisition Service
General Services Administration
Jorge Lopez
VP, Security Operations
GitLab
Alex Kreilein
Vice President, Product Security
Qualys
Shea Connelly
Executive Editor, Branded Content
GovExec
2 PM EDT Thursday, May 14

Ransomware and disruptive cyber incidents continue to test how quickly and effectively federal organizations can respond under pressure. This session will examine how agencies are improving response velocity under Emergency Cyber Directives, strengthening coordination across organizations, and adapting incident response models for high-stakes operational environments. Leaders will share lessons learned from recent incidents and discuss how preparedness and resilience are evolving across critical sectors.

Christopher Johnson
Chief Technology Officer
National Geospatial-Intelligence Agency
Marc Smith
Supervisory Special Agent, Cyber Division
FBI
Bob Costello
Chief Digital Information Officer
Merlin (former CIO, CISA)
John Zangardi
Former Chief Information Officer
Department of Homeland Security
Anna Pettyjohn
EVP, Product & Strategy
GovExec
2:30 PM EDT Thursday, May 14

Securing the Defense Industrial Base is fundamental to national security and mission readiness. This closing session will explore how federal and defense leaders are strengthening DIB cybersecurity through CMMC 2.0, SBOM adoption, and scalable approaches to third-party risk management. The discussion will focus on balancing accountability with feasibility across both large primes and small contractors, and how unified cyber risk management is shaping the future of defense acquisition and resilience.

Terrance Kalka
Director, DCISE (DoD-Defense Collaborative Information Sharing Environment)
Department of Defense Cyber Crime Center (DC3)
Richard Seiersen
Chief Risk Tech Officer
Qualys
Shea Connelly
Executive Editor, Branded Content
GovExec
3 PM EDT Thursday, May 14

Thank you for joining us!

3:05 PM EDT Thursday, May 14
